Funky Malware Formats

Transcript

1. View Slide

2. INTRODUCTION
   What is this talk about?
   • Custom PE loaders are typical in malware nowadays
   • How common are custom formats?
   • We set out to answer this very question
   • Much like searching for new forms of life
   • We bring you some of our findings in this talk
   • But before so…
   

   View Slide

3. ABOUT US
   Meet the special agents
   Mark
   Lechtik
   Aleksandra
   Doniec
   @_marklech_
   Check Point Research
   @hasherezade
   Malwarebytes
   

   View Slide

4. View Slide

5. HIDDEN BEE
   

   View Slide

6. • Distributed by Underminer EK
   • Chinese miner
   • High and low-level elements: including a bootkit
   • We will focus on the high-level part: loaders in custom format
   HIDDEN BEE
   Profile
   

   View Slide

7. 23 JULY 2018
   MALWAREBYTES SLACK CHANNEL
   HIDDEN BEE
   Story
   

   View Slide

8. • bin/i386/core.sdb
   bin/i386/core.sdb
   52he3kf2g2rr6l5s1as2u0198k.wasm
   glfw.wasm
   HIDDEN BEE
   Story
   

   View Slide

9. ?
   This is not how the WASM file looks like...
   ?
   HIDDEN BEE
   Story
   

   View Slide

10. ?
    UFO…
    UNIDENTIFIED FILE OBJECT FOUND
    HIDDEN BEE
    Story
    

    View Slide

11. • We don’t have: the initial loader
    • We have: 2 files with a consistent format
    • Let’s try to analyze the headers and guess what each field means
    • Let’s write our own loader
    HIDDEN BEE
    Story
    

    View Slide

12. typedef struct {
    WORD func_count;
    char name;
    } t_dll_name;
    ntdll.dll
    HIDDEN BEE
    Imports
    0x13
    0x18
    

    View Slide

13. 0x0d827481
    0x60
    HIDDEN BEE
    IAT
    

    View Slide

14. DWORD checksum(char *func_name)
    {
    DWORD result = 0x1505;
    while ( *func_name )
    result = *func_name++ + 33 * result;
    return result;
    }
    0x60
    0x0d827481
    ntdll.dll
    HIDDEN BEE
    IAT
    0x13
    

    View Slide

15. DWORD checksum(char *func_name)
    {
    DWORD result = 0x1505;
    while ( *func_name )
    result = *func_name++ + 33 * result;
    return result;
    }
    0x0d827481
    778b81e0
    0x0d827481 = checksum("memchr")
    GetProcAddress(mod, "memchr") 778b81e0
    HMODULE mod = LoadLibraryA("ntdll");
    HIDDEN BEE
    IAT
    0x60
    ntdll.dll
    0x13
    

    View Slide

16. 0x60
    0x0d827481
    0x13
    HIDDEN BEE
    IAT
    ntdll.dll
    0x13
    

    View Slide

17. 0x2a62
    HIDDEN BEE
    Entry Point
    

    View Slide

18. 0x509c
    HIDDEN BEE
    File Size
    .
    .
    .
    

    View Slide

19. offset
    (0x4D78)
    size
    (0x0324)
    0x0324
    0x0284
    HIDDEN BEE
    Relocations
    0x0284: field to be relocated
    

    View Slide

20. https://github.com/hasherezade/bee_parser
    HIDDEN BEE
    Profile
    

    View Slide

21. OCEAN LOTUS
    

    View Slide

22. • Known as a Vietnamese APT32 group
    • Distributed mainly by phishing and waterholing attacks
    • Payloads of various types, often composed of multiple files
    OCEAN LOTUS
    Profile
    

    View Slide

23. 49a2505d54c83a65bb4d
    716a27438ed8f065c709
    OCEAN LOTUS
    Sample
    *sample provided by
    @MinhTrietPT
    

    View Slide

24. The Alien Files
    What is this mysterious „blob”?
    Both files seem to be in the same
    format... But what are they really?
    SPORDER.cab
    It doesn’t look like a CAB format!
    SPORDER.blob
    OCEAN LOTUS
    

    View Slide

25. SPORDER.cab
    SPORDER.blob
    XOR key?
    OCEAN LOTUS
    The Alien Files
    

    View Slide

26. SPORDER.cab
    SPORDER.blob
    OCEAN LOTUS
    The Alien Files
    

    View Slide

27. SPORDER.cab
    manifestVersion="1.0">
    
    
    
    uiAccess="false">
    
    
    
    We can find artefacts indicating that
    this format was converted from a PE
    file
    OCEAN LOTUS
    The Alien Files
    

    View Slide

28. SPORDER.cab
    OCEAN LOTUS
    The Alien Files
    

    View Slide

29. SPORDER.blob
    Sections:
    • not in the same order as typical PE
    • virtual format same as raw
    • custom headers - stripped in the virtual
    format
    OCEAN LOTUS
    The Alien Files
    

    View Slide

30. Raw format
    Header 1
    The executable part
    (shuffled sections, converted
    from a PE file)
    Header 2
    Padding
    The executable part
    (shuffled sections, converted
    from a PE file)
    Loaded imports
    Virtual format
    OCEAN LOTUS
    The Alien Files
    

    View Slide

31. SPORDER.dll
    sporder.exe
    SPORDER.cab
    SPORDER.blob
    hp6000.dll
    OCEAN LOTUS
    The Alien Files
    The loader
    All executables are used as a loading chain
    

    View Slide

32. We are lucky: we have the loader
    Let’s just look inside and see how it works!
    hp6000.dll
    One loading
    function for both:
    confirmed
    consistent format
    OCEAN LOTUS
    Approach
    

    View Slide

33. Header 1: before the executable part
    val + 0x2000 size of executable area
    XOR
    OCEAN LOTUS
    Format Details
    Allocation of executable area:
    Key[1] Key[0]
    

    View Slide

34. Header 2: after the executable part
    val * 8 + 0x400 space for loading imports
    OCEAN LOTUS
    Format Details
    Allocation of imports area:
    

    View Slide

35. Relocations?
    Imports?
    Exports?
    Entry Point?
    All together?
    Header 2: after the executable part
    OCEAN LOTUS
    Format Details
    What do we have here?
    

    View Slide

36. Header 2: records
    OCEAN LOTUS
    Format Details
    Type 1: Relocation
    

    View Slide

37. Relocation Field
    (0x3cab5)
    Header 2: records
    typedef struct {
    DWORD reloc_field;
    } reloc_t;
    Type
    (1)
    OCEAN LOTUS
    Format Details
    Type 1: Relocation
    

    View Slide

38. Header 2: records
    Type 2: Entry Point/Export
    OCEAN LOTUS
    Format Details
    

    View Slide

39. Header 2: records
    typedef struct {
    DWORD count;
    DWORD func_rva;
    DWORD name_rva;
    } entry_point_t;
    OCEAN LOTUS
    Format Details
    Type 2: Entry Point/Export
    Count (1) Function
    RVA
    (0x4900)
    Name RVA
    (0x10ad9f)
    IsValidLinkInfo
    Type (2)
    

    View Slide

40. Header 2: records
    Type 3: Import
    OCEAN LOTUS
    Format Details
    

    View Slide

41. Header 2: records
    typedef struct
    {
    DWORD type;
    DWORD dll_rva;
    DWORD func_rva;
    DWORD iat_rva;
    } import_t;
    OCEAN LOTUS
    Format Details
    Type 3: Import
    Type
    (3) IAT
    RVA
    (0x1000)
    Import
    By Name
    (2)
    DLL
    RVA
    (0x10a8c8)
    Function
    RVA
    (0x10a8aa)
    RegOpenKeyExW
    ADAVAPI32.DLL
    

    View Slide

42. OCEAN LOTUS
    Format Details
    Header 2: records
    Type 3: Import
    

    View Slide

43. View Slide

44. GOZI
    PE Like never seen before
    

    View Slide

45. GOZI
    PE Like never seen before
    Overview
    • A popular banking Trojan
    • Also known as: ISFB, Ursnif
    • Source code has been leaked and reused across multiple variants
    • We are going to discuss Gozi version 3
    • Paper by Maciek Kotowicz’s (@maciekkotowicz):
    https://lokalhost.pl/txt/isfbv3.pdf
    

    View Slide

46. GOZI
    Unpacking atypical payload
    Added Header
    PE-sieve unpacks malware by dumping the payload from memory.
    But unpacking Gozi v3 turned a bit problematic...
    

    View Slide

47. • In the dumped PE, we are still missing:
    • The Entry Point
    • Imports
    • Exports
    • Relocations
    • Let’s see how this PE looks in the memory, before it is
    mapped to the virtual format...
    GOZI
    

    View Slide

48. GOZI
    PE Like never seen before
    Load Sequence
    EXE
    EXE
    1st stage
    loader
    2nd stage
    loader
    ?
    

    View Slide

49. GOZI
    PE Like never seen before
    Modified Format
    Modified DOS Header
    Modified Section Table
    Original Sections
    Original NT Headers
    Original Section Table
    Modified Data Directories
    Modified PE Header
    Modified
    Headers
    Original
    PE Fields
    

    View Slide

50. GOZI
    PE Like never seen before
    Modified Format
    Modified DOS Header
    Modified Section Table
    Original Sections
    Original NT Headers
    Original Section Table
    Modified Data Directories
    Modified PE Header
    

    View Slide

51. GOZI
    PE Like never seen before
    Magic
    Checksum
    NT Header Offset
    Image Size
    Modified Format
    Magic
    NT Header Offset
    “PX” = Portable Xecutable?
    Modified PE Size
    Modified DOS Header
    Modified Section Table
    Original Sections
    Original NT Headers
    Original Section Table
    Modified Data Directories
    Modified PE Header
    Nt Header Size
    Example:
    Pointer to the original PE header
    Original NT Headers
    0x958
    

    View Slide

52. GOZI
    PE Like never seen before
    Modified DOS Header
    Modified Format
    Modified Section Table
    Original Sections
    Original NT Headers
    Original Section Table
    Import Directory
    Header
    Export Directory
    Header
    Import Address
    Table Header
    Security Directory
    Header
    Unknown Directory
    Header
    Modified Data Directories
    Relocation Directory
    Header
    Modified PE Header
    Entry Point
    Machine
    ID
    Sections
    Count
    Original Format
    

    View Slide

53. GOZI
    PE Like never seen before
    Modified DOS Header
    Modified Format
    Modified Section Table
    Original Sections
    Original NT Headers
    Original Section Table
    Import Directory
    Header
    Export Directory
    Header
    Import Address
    Table Header
    Security Directory
    Header
    Unknown Directory
    Header
    Modified Data Directories
    Relocation Directory
    Header
    Modified PE Header
    Entry Point
    Machine
    ID
    Sections
    Count
    Original Format
    Modified
    Directory
    Headers
    • PX format contains only subset of the PE format directory
    headers
    • Order of appearance of directory headers is different
    

    View Slide

54. GOZI
    PE Like never seen before
    Original RVA
    Current RVA
    Modified DOS Header
    Modified Format
    Modified Section Table
    Original Sections
    Original NT Headers
    Original Section Table
    Size
    Import Directory
    Header
    Export Directory
    Header
    Import Address
    Table Header
    Security Directory
    Header
    Unknown Directory
    Header
    Modified Data Directories
    Relocation Directory
    Header
    Modified PE Header
    Original RVA
    Size
    Current RVA
    Entry Point
    Machine
    ID
    Sections
    Count
    Entry Point
    Machine
    ID
    Sections
    Count
    Example:
    RVA of directory in original PE (0xBD10)
    Size of directory (0x41)
    RVA in PX format (0x3B0)
    IMAGE_FILE_MACHINE_I386
    

    View Slide

55. GOZI
    PE Like never seen before
    • Attempt to revive the PE format with a new “flavor”
    • To recover the original PE, we need to dump the PX
    format, and use the converter
    https://github.com/hasherezade/funky_malware_parsers/
    tree/master/isfb_parser
    EXE
    PX
    

    View Slide

56. BACKSWAP
    BMP with a twist
    Overview
    • Banking malware revealed by ESET at May 2018
    • Known to target banks in Poland, Spain and Czech Republic
    • Derivative of the Tinba banking malware
    • Known to use innovative techniques to avoid detection
    • Comes in an executable that diverts execution to a weird blob
    

    View Slide

57. BACKSWAP
    BMP with a twist
    Bitmap Header
    Pixel Data
    File Header
    BMP format outline
    

    View Slide

58. BACKSWAP
    BMP with a twist
    File Header
    signature size padding data start
    ‘B’‘M’ 00 00 00 00 76 00 00 00
    FF004000
    

    View Slide

59. BACKSWAP
    BMP with a twist
    File Header
    signature size padding data start
    ‘B’ 00 00 00 00 76 00 00 00
    FF004000
    ‘M’
    It is possible to modify the size
    field so that it will represent a
    jump instruction!
    

    View Slide

60. DE
    54
    E9
    42 4D
    BACKSWAP
    BMP with a twist
    File Header
    signature size padding data start
    INC
    EDX
    DEC
    EBP
    00 00 00 00 76 00 00 00
    00
    00
    JMP offset
    It is possible to modify the size
    field so that it will represent a
    jump instruction!
    

    View Slide

61. BACKSWAP
    BMP with a twist
    Loader
    Code section
    Custom import table
    resolve
    decode
    Function
    Address
    Hash
    Function
    Address
    Hash
    Function
    Address
    Hash
    Function
    Address
    Hash
    Function
    Address
    Hash
    Bitmap Header
    Pixel Data
    File Header
    jump
    Malware format outline
    

    View Slide

62. BACKSWAP
    BMP with a twist
    Loader
    Code section
    Custom import table
    Bitmap Header
    Pixel Data
    File Header
    When we try to visualize the BMP, we realize it’s a polyglot
    polyglot
    binary represented by
    several formats,
    depending on how you
    look at it
    @angealbertini
    

    View Slide

63. BACKSWAP
    BMP with a twist
    Loader
    Code section
    Custom import table
    Bitmap Header
    Pixel Data
    File Header
    Malware Payload
    

    View Slide

64. BACKSWAP
    BMP with a twist
    Loader
    Code section
    Custom import table
    Bitmap Header
    Pixel Data
    File Header
    Malware Payload
    Eric
    Cartmen
    

    View Slide

65. View Slide

66. ALIENS AMONG US
    Binary Format you Never Heard of
    • Typical format in AIX
    • IBM proprietary Unix OS
    • AIX is Deployed on various platforms, usually as a server
    • Example: Payment Switch Servers
    • Transaction processing and routing decisions
    Auxiliary Header
    File Header
    .text
    .bss
    Section Raw Data
    Section Headers
    .text relocations
    .loader relocations
    Relocation data
    …
    XCOFF
    (Extended Common Object File Format)
    .data
    .loader
    Line Number Info
    Symbol Table
    String Table
    

    View Slide

67. ALIENS AMONG US
    Operation Fast Cash
    Payment Switch Server
    Payment Switch
    Application
    Injected
    XCOFF
    Implant
    XCOFF
    Malware
    Hooks
    (send, recv)
    Install
    Compare
    Request
    Response
    applist.dat
    Encrypted list of attacker controlled
    Primary Account Numbers
    Fraudulent
    Cash Withdrawal
    Attempt
    Courtesy of Lazarus
    Money Mule Credit Card
    Very nice analysis
    of the XCOFF malware
    by Frank Boldewin
    (@r3c0nst)!
    

    View Slide

68. View Slide

69. FINAL NOTES
    Funky formats are a spectrum
    

    View Slide

70. FINAL NOTES
    Funky formats are a spectrum
    

    View Slide

71. FINAL NOTES
    Custom formats make static detection problematic....
    

    View Slide

72. FINAL NOTES
    What does it take to make a custom format?
    What do we need to make code run?
    • Imports
    • Relocation
    If you can make a custom PE loader, you can take a step forward and make
    a custom format loader
    

    View Slide

73. THANK YOU
    Questions?
    Mark
    Lechtik
    Aleksandra
    Doniec
    @_marklech_
    @hasherezade
    

    View Slide

74. APPENDIX
    • Malware analysis of Hidden Bee’s custom format, by Aleksandra
    (@hasherezade):
    • https://blog.malwarebytes.com/threat-analysis/2018/08/reversing-malware-in-a-
    custom-format-hidden-bee-elements/
    • Paper by Maciek Kotowicz’s (@maciekkotowicz) on Gozi custom format:
    https://lokalhost.pl/txt/isfbv3.pdf
    • Backswap publication by Itay Cohen (@megabeets_):
    • https://research.checkpoint.com/the-evolution-of-backswap/
    • Analysis of Lazarus XCOFF malware (Operation Fast Cash) by Frank
    Boldewin:
    • https://github.com/fboldewin/FastCashMalwareDissected/blob/master/Operation
    %20Fast%20Cash%20-
    %20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.
    pdf
    • Github repository with tools for analyzing the discussed formats:
    https://github.com/hasherezade/funky_malware_parsers
    

    View Slide