Funky Malware Formats

hasherezade

April 10, 2019

Transcript


  2. INTRODUCTION
    What is this talk about?
    • Custom PE loaders are typical in malware nowadays
    • How common are custom formats?
    • We set out to answer this very question
    • Much like searching for new forms of life
    • We bring you some of our findings in this talk
    • But before so…


  3. ABOUT US
    Meet the special agents
    • Mark Lechtik (@_marklech_), Check Point Research
    • Aleksandra Doniec (@hasherezade), Malwarebytes


  5. HIDDEN BEE


  6. HIDDEN BEE
    Profile
    • Distributed by the Underminer exploit kit
    • Chinese cryptocurrency miner
    • High- and low-level elements, including a bootkit
    • We will focus on the high-level part: loaders in a custom format

  7. HIDDEN BEE
    Story
    (screenshot of a conversation in the Malwarebytes Slack channel, 23 July 2018)

  8. HIDDEN BEE
    Story
    Files encountered:
    • bin/i386/core.sdb
    • 52he3kf2g2rr6l5s1as2u0198k.wasm
    • glfw.wasm

  9. HIDDEN BEE
    Story
    This is not what a WASM file looks like...

  10. HIDDEN BEE
    Story
    UFO… Unidentified File Object found

  11. HIDDEN BEE
    Story
    • We don't have: the initial loader
    • We have: 2 files with a consistent format
    • Let's try to analyze the headers and guess what each field means
    • Let's write our own loader

  12. HIDDEN BEE
    Imports
    Each imported DLL is described by a record of this shape (values highlighted on the slide: 0x13, 0x18, and the name ntdll.dll):

    typedef struct {
        WORD func_count;   /* number of IAT entries that belong to this DLL */
        char name[];       /* NUL-terminated DLL name, e.g. "ntdll.dll" */
    } t_dll_name;

  13. HIDDEN BEE
    IAT
    Values highlighted on the slide: 0x0d827481 (an IAT entry), 0x60

  14. HIDDEN BEE
    IAT
    The IAT holds neither names nor ordinals but 32-bit checksums of function names. The checksum is djb2 (seed 0x1505 = 5381, multiplier 33), wrapping modulo 2^32:

    #include <stdint.h>
    typedef uint32_t DWORD;

    DWORD checksum(const char *func_name)
    {
        DWORD result = 0x1505;                     /* djb2 seed */
        while (*func_name)
            result = *func_name++ + 33 * result;   /* unsigned overflow wraps at 32 bits */
        return result;
    }

    Values highlighted on the slide: 0x60, 0x0d827481, ntdll.dll, 0x13

  15. HIDDEN BEE
    IAT
    Verifying the guess with the checksum() function from the previous slide: the IAT entry 0x0d827481 is the checksum of "memchr", and the loader fills that slot with the address GetProcAddress returns for it.

    0x0d827481 = checksum("memchr")
    HMODULE mod = LoadLibraryA("ntdll");
    GetProcAddress(mod, "memchr");   /* 778b81e0 on the analysed system */

    Values highlighted on the slide: 0x60, ntdll.dll, 0x13

  16. HIDDEN BEE
    IAT
    (Same view with the resolved entries highlighted: 0x60, 0x0d827481, 0x13, ntdll.dll)

  17. HIDDEN BEE
    Entry Point
    Header field highlighted on the slide: 0x2a62

  18. HIDDEN BEE
    File Size
    Header field highlighted on the slide: 0x509c

  19. HIDDEN BEE
    Relocations
    Relocation table: offset 0x4D78, size 0x0324. Each entry is the offset of a field to be relocated, e.g. 0x0284.

  20. HIDDEN BEE
    Profile
    Parser for the format: https://github.com/hasherezade/bee_parser
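Added example (Python, written for this page; not code from the talk or from bee_parser): a minimal loader-side model of what slides 12 to 19 describe, with the djb2 checksum, DLL records driving the hash lookup of the IAT, and a flat relocation list. Everything about layout is an assumption made for the example: that the DLL list sits between the header and the IAT and is terminated by a zero func_count, that the IAT is a run of DWORD checksums owned by the DLLs in record order, and that each relocation entry is a 16-bit offset of a 32-bit field to which the load delta is added. SAMPLE_EXPORTS and build_sample() are constructed data, not bytes from the real module.

```python
import struct


def bee_checksum(name):
    """djb2, as in the talk's checksum(): seed 0x1505, multiply by 33, add the char, 32-bit wrap."""
    h = 0x1505
    for b in name.encode("ascii"):
        h = (h * 33 + b) & 0xFFFFFFFF
    return h


def parse_dll_list(image, start, end):
    """Parse t_dll_name records (WORD func_count + NUL-terminated name) in [start, end).
    ASSUMPTION: records are packed back to back and a func_count of 0 (padding) ends the list."""
    records, pos = [], start
    while pos + 2 <= end:
        (count,) = struct.unpack_from("<H", image, pos)
        if count == 0:
            break
        nul = image.index(b"\0", pos + 2)
        records.append((count, image[pos + 2:nul].decode("ascii")))
        pos = nul + 1
    return records


def parse_iat(image, start, count):
    """The IAT is just `count` DWORD checksums."""
    return list(struct.unpack_from("<%dI" % count, image, start))


def resolve_imports(records, iat_hashes, exports_by_dll):
    """Undo the hashing: the DLL records say which DLL owns each run of IAT slots, so we only
    need to hash that DLL's export names and look the IAT value up. Unknown hashes stay None."""
    resolved, slot = [], 0
    for count, dll in records:
        table = {bee_checksum(n): n for n in exports_by_dll.get(dll.lower(), [])}
        for h in iat_hashes[slot:slot + count]:
            resolved.append((dll, h, table.get(h)))
        slot += count
    return resolved


def apply_relocations(image, reloc_off, reloc_size, delta):
    """ASSUMPTION: the relocation table is a flat list of WORD offsets of DWORD fields
    (the slide's '0x0284: field to be relocated'); the load delta is added to each field."""
    for i in range(reloc_size // 2):
        (field,) = struct.unpack_from("<H", image, reloc_off + 2 * i)
        (value,) = struct.unpack_from("<I", image, field)
        struct.pack_into("<I", image, field, (value + delta) & 0xFFFFFFFF)
    return reloc_size // 2


# Constructed export lists standing in for the real DLLs' export tables.
SAMPLE_EXPORTS = {
    "ntdll.dll": ["memchr", "memcpy", "memset", "strlen", "RtlAllocateHeap"],
    "kernel32.dll": ["VirtualAlloc", "LoadLibraryA", "GetProcAddress"],
}


def build_sample():
    """Constructed module (not a real Hidden Bee file): DLL list at 0x18, hashed IAT at 0x60,
    one pointer-sized field at 0x284 and a one-entry relocation table at 0x300."""
    img = bytearray(0x400)
    dll_list = struct.pack("<H", 3) + b"ntdll.dll\0" + struct.pack("<H", 1) + b"kernel32.dll\0"
    img[0x18:0x18 + len(dll_list)] = dll_list
    names = ("memchr", "strlen", "RtlAllocateHeap", "VirtualAlloc")
    img[0x60:0x70] = struct.pack("<4I", *(bee_checksum(n) for n in names))
    struct.pack_into("<I", img, 0x284, 0x2A62)   # field that must be rebased at load time
    struct.pack_into("<H", img, 0x300, 0x284)    # relocation entry pointing at it
    return img, {"dll_list": 0x18, "iat": 0x60, "iat_count": 4, "relocs": 0x300, "relocs_size": 2}


def demo(load_base=0x400000):
    img, lay = build_sample()
    records = parse_dll_list(img, lay["dll_list"], lay["iat"])
    hashes = parse_iat(img, lay["iat"], lay["iat_count"])
    resolved = resolve_imports(records, hashes, SAMPLE_EXPORTS)
    fixed = apply_relocations(img, lay["relocs"], lay["relocs_size"], load_base)
    (field,) = struct.unpack_from("<I", img, 0x284)
    return {"resolved": resolved, "fixed": fixed, "field": field}


if __name__ == "__main__":
    out = demo()
    for dll, h, name in out["resolved"]:
        print("%-14s %#010x -> %s" % (dll, h, name or "<unresolved>"))
    print("relocated %d field(s); field @0x284 = %#x" % (out["fixed"], out["field"]))
```

The reverse lookup is the part an analyst actually needs, since the loader only ever goes from name to hash; in practice SAMPLE_EXPORTS is replaced by the export table read from the real DLL, and a hash that matches nothing is the signal that a name was guessed wrong or the hash function differs.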

  21. OCEAN LOTUS


  22. OCEAN LOTUS
    Profile
    • Vietnamese APT group, also known as APT32
    • Distributed mainly by phishing and watering-hole attacks
    • Payloads of various types, often composed of multiple files

  23. OCEAN LOTUS
    Sample (SHA-1): 49a2505d54c83a65bb4d716a27438ed8f065c709
    (sample provided by @MinhTrietPT)

  24. OCEAN LOTUS
    The Alien Files
    What is this mysterious "blob"? Both files seem to be in the same format... but what are they really?
    • SPORDER.cab: it doesn't look like a CAB format!
    • SPORDER.blob

  25. OCEAN LOTUS
    The Alien Files
    SPORDER.cab and SPORDER.blob side by side (hexdump): an XOR key?

  26. OCEAN LOTUS
    The Alien Files
    SPORDER.cab and SPORDER.blob side by side (hexdump, continued)

  27. OCEAN LOTUS
    The Alien Files
    SPORDER.cab contains fragments of an application manifest (manifestVersion="1.0", uiAccess="false"): artefacts indicating that this format was converted from a PE file.

  28. OCEAN LOTUS
    The Alien Files
    SPORDER.cab (hexdump)

  29. OCEAN LOTUS
    The Alien Files
    SPORDER.blob sections:
    • not in the same order as in a typical PE
    • virtual format the same as the raw format
    • custom headers, stripped in the virtual format

  30. OCEAN LOTUS
    The Alien Files
    Raw format:
    • Header 1
    • The executable part (shuffled sections, converted from a PE file)
    • Header 2
    Virtual format:
    • Padding
    • The executable part (shuffled sections, converted from a PE file)
    • Loaded imports

  31. OCEAN LOTUS
    The Alien Files
    The loader: all executables are used as a loading chain (diagram): SPORDER.dll, sporder.exe, SPORDER.cab, SPORDER.blob, hp6000.dll

  32. OCEAN LOTUS
    Approach
    We are lucky: we have the loader, hp6000.dll. Let's just look inside and see how it works!
    One loading function for both files: consistent format confirmed.

  33. OCEAN LOTUS
    Format Details
    Header 1 (before the executable part):
    • allocation of the executable area: val + 0x2000 = size of the executable area
    • XOR key: Key[0], Key[1]

  34. OCEAN LOTUS
    Format Details
    Header 2 (after the executable part):
    • allocation of the imports area: val * 8 + 0x400 = space for loading imports

  35. OCEAN LOTUS
    Format Details
    Header 2 (after the executable part): what do we have here? Relocations? Imports? Exports? Entry Point? All together?

  36. OCEAN LOTUS
    Format Details
    Header 2 records, Type 1: Relocation

  37. OCEAN LOTUS
    Format Details
    Header 2 records, Type 1: Relocation. The record type (1) is followed by:

    typedef struct {
        DWORD reloc_field;   /* RVA of the field to be relocated, e.g. 0x3cab5 */
    } reloc_t;

  38. OCEAN LOTUS
    Format Details
    Header 2 records, Type 2: Entry Point/Export

  39. OCEAN LOTUS
    Format Details
    Header 2 records, Type 2: Entry Point/Export. The record type (2) is followed by:

    typedef struct {
        DWORD count;      /* 1 in the sample */
        DWORD func_rva;   /* 0x4900 */
        DWORD name_rva;   /* 0x10ad9f -> "IsValidLinkInfo" */
    } entry_point_t;

  40. OCEAN LOTUS
    Format Details
    Header 2 records, Type 3: Import

  41. OCEAN LOTUS
    Format Details
    Header 2 records, Type 3: Import. The record type (3) is followed by:

    typedef struct {
        DWORD type;       /* import type: 2 = import by name */
        DWORD dll_rva;    /* 0x10a8c8 -> "ADVAPI32.DLL" */
        DWORD func_rva;   /* 0x10a8aa -> "RegOpenKeyExW" */
        DWORD iat_rva;    /* 0x1000: the IAT slot to fill */
    } import_t;

  42. OCEAN LOTUS
    Format Details
    Header 2 records, Type 3: Import (the loader's handling of the record)
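Added example (Python, written for this page; not code from the talk or from the hp6000.dll loader): a parser for the Header 2 record stream of slides 35 to 42 using the three structs above, plus the loader steps they imply. Record bodies follow the slides (reloc_t, entry_point_t, import_t, with import type 2 = by name); the terminator (a record type of 0), the relocation semantics (the field holds an absolute address that is shifted by the load delta) and the image built by build_sample(), including FAKE_APIS standing in for GetProcAddress, are assumptions constructed for this example.

```python
import struct

REC_RELOC, REC_EXPORT, REC_IMPORT = 1, 2, 3   # record types of Header 2
IMPORT_BY_NAME = 2                            # import_t.type value shown on the slide


def read_cstr(image, rva):
    return image[rva:image.index(b"\0", rva)].decode("ascii")


def parse_header2(image, off):
    """Walk the record stream: DWORD record type, then reloc_t (4 bytes), entry_point_t (12 bytes)
    or import_t (16 bytes). ASSUMPTION: a record type of 0 terminates the stream."""
    records = []
    while True:
        (rtype,) = struct.unpack_from("<I", image, off)
        off += 4
        if rtype == 0:
            return records, off
        if rtype == REC_RELOC:
            (field,) = struct.unpack_from("<I", image, off)
            off += 4
            records.append(("reloc", field))
        elif rtype == REC_EXPORT:
            count, func_rva, name_rva = struct.unpack_from("<3I", image, off)
            off += 12
            records.append(("export", count, func_rva, read_cstr(image, name_rva)))
        elif rtype == REC_IMPORT:
            itype, dll_rva, func_rva, iat_rva = struct.unpack_from("<4I", image, off)
            off += 16
            if itype != IMPORT_BY_NAME:
                raise ValueError("unsupported import type %d at %#x" % (itype, off - 16))
            records.append(("import", read_cstr(image, dll_rva), read_cstr(image, func_rva), iat_rva))
        else:
            raise ValueError("unknown record type %d at %#x" % (rtype, off - 4))


def load(image, records, new_base, old_base, resolver):
    """The three jobs the loader has to do from Header 2: rebase relocation fields, fill the IAT
    slots named by import records, and collect exported entry points."""
    delta = (new_base - old_base) & 0xFFFFFFFF
    exports = {}
    for rec in records:
        if rec[0] == "reloc":   # ASSUMPTION: the field holds an absolute address (like a PE HIGHLOW fixup)
            (v,) = struct.unpack_from("<I", image, rec[1])
            struct.pack_into("<I", image, rec[1], (v + delta) & 0xFFFFFFFF)
        elif rec[0] == "import":
            _, dll, func, iat_rva = rec
            struct.pack_into("<I", image, iat_rva, resolver(dll, func))
        elif rec[0] == "export":
            _, _count, func_rva, name = rec
            exports[name] = new_base + func_rva
    return exports


# Constructed stand-in for GetProcAddress: (dll, function) -> address.
FAKE_APIS = {("advapi32.dll", "RegOpenKeyExW"): 0x7FF0A000}


def build_sample():
    """Constructed image (not a real OceanLotus blob), old base 0x10000000: strings at 0x100..,
    an absolute pointer at 0x80, an IAT slot at 0x1000 and the Header 2 record stream at 0x200."""
    img = bytearray(0x1100)
    strings = {"ADVAPI32.DLL": 0x100, "RegOpenKeyExW": 0x110, "IsValidLinkInfo": 0x120}
    for s, rva in strings.items():
        img[rva:rva + len(s) + 1] = s.encode("ascii") + b"\0"
    struct.pack_into("<I", img, 0x80, 0x10000000 + 0x4900)   # absolute pointer into the image
    hdr2 = struct.pack("<II", REC_RELOC, 0x80)
    hdr2 += struct.pack("<4I", REC_EXPORT, 1, 0x4900, strings["IsValidLinkInfo"])
    hdr2 += struct.pack("<5I", REC_IMPORT, IMPORT_BY_NAME, strings["ADVAPI32.DLL"],
                        strings["RegOpenKeyExW"], 0x1000)
    hdr2 += struct.pack("<I", 0)                               # terminator (assumed)
    img[0x200:0x200 + len(hdr2)] = hdr2
    return img


def demo(new_base=0x00400000):
    img = build_sample()
    records, _end = parse_header2(img, 0x200)
    exports = load(img, records, new_base, 0x10000000, lambda d, f: FAKE_APIS[(d.lower(), f)])
    (iat_slot,) = struct.unpack_from("<I", img, 0x1000)
    (reloc_field,) = struct.unpack_from("<I", img, 0x80)
    return {"records": records, "exports": exports, "iat_slot": iat_slot, "reloc_field": reloc_field}


if __name__ == "__main__":
    out = demo()
    for rec in out["records"]:
        print(rec)
    print("exports:", {k: hex(v) for k, v in out["exports"].items()})
    print("IAT[0x1000] = %#x, relocated field = %#x" % (out["iat_slot"], out["reloc_field"]))
```

The record walker is also what you need to write a converter back to PE: the import records become an import directory, the type 2 record becomes an export (or the entry point), and the relocation list becomes a .reloc section.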


  44. GOZI
    PE Like never seen before


  45. GOZI
    PE Like never seen before
    Overview
    • A popular banking Trojan
    • Also known as ISFB or Ursnif
    • Source code has been leaked and reused across multiple variants
    • We are going to discuss Gozi version 3
    • Paper by Maciek Kotowicz (@maciekkotowicz): https://lokalhost.pl/txt/isfbv3.pdf

  46. GOZI
    Unpacking the atypical payload
    PE-sieve unpacks malware by dumping the payload from memory. But unpacking Gozi v3 turned out to be a bit problematic... (the dump shows an added header)

  47. GOZI
    In the dumped PE, we are still missing:
    • The Entry Point
    • Imports
    • Exports
    • Relocations
    Let's see how this PE looks in memory, before it is mapped to the virtual format...

  48. GOZI
    PE Like never seen before
    Load Sequence: EXE (1st stage loader) -> EXE (2nd stage loader) -> ?

  49. GOZI
    PE Like never seen before
    Modified Format (layout diagram)
    Modified headers:
    • Modified DOS Header
    • Modified PE Header
    • Modified Data Directories
    • Modified Section Table
    Original PE fields:
    • Original NT Headers
    • Original Section Table
    • Original Sections

  50. GOZI
    PE Like never seen before
    Modified Format (the same layout diagram, without the grouping)

  51. GOZI
    PE Like never seen before
    Modified Format: the modified DOS header
    • Magic: "PX" (Portable Xecutable?) in place of "MZ"
    • Checksum
    • NT Header Offset
    • Image Size
    • Modified PE Size
    • NT Header Size
    Example: the NT Header Offset is a pointer to the original PE header; in the sample the original NT headers are at 0x958.

  52. GOZI
    PE Like never seen before
    Original Format vs. Modified Format. The modified PE header keeps: Entry Point, Machine ID, Sections Count. The modified data directories: Import Directory header, Export Directory header, Import Address Table header, Security Directory header, Relocation Directory header, Unknown Directory header.

  53. GOZI
    PE Like never seen before
    Modified directory headers:
    • The PX format contains only a subset of the PE format's directory headers (Import, Export, Import Address Table, Security, Relocation, and one unknown directory)
    • The order in which the directory headers appear differs from the PE data directory order

  54. GOZI
    PE Like never seen before
    Each modified directory header holds: Original RVA, Size, Current RVA. The modified PE header holds: Entry Point, Machine ID, Sections Count.
    Example:
    • RVA of the directory in the original PE: 0xBD10
    • Size of the directory: 0x41
    • RVA in the PX format: 0x3B0
    • Machine: IMAGE_FILE_MACHINE_I386

  55. GOZI
    PE Like never seen before
    • An attempt to revive the PE format with a new "flavor"
    • To recover the original PE we need to dump the PX format and use the converter: https://github.com/hasherezade/funky_malware_parsers/tree/master/isfb_parser
    (diagram: PX -> EXE)
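Added example (Python, written for this page; not the isfb_parser code): the one step of the PX-to-PE conversion that slides 53 and 54 describe, moving a directory's bytes from its PX RVA back to the RVA the original PE expects and rewriting the corresponding IMAGE_DATA_DIRECTORY entry. It uses the slide's example values (original RVA 0xBD10, size 0x41, PX RVA 0x3B0) and assumes the original NT headers and section bodies have already been copied into the rebuilt image (PX keeps both). The PX and PE images in build_sample() are constructed; the directory indices and the PE32 header offsets are the real ones from the PE specification.

```python
import struct
from dataclasses import dataclass

# Genuine PE data-directory indices (IMAGE_DIRECTORY_ENTRY_*) for the directories PX keeps.
DIR_INDEX = {"export": 0, "import": 1, "security": 4, "reloc": 5, "iat": 12}
# Offset of DataDirectory[0] from the "PE\0\0" signature in a PE32 optional header:
# 4 (signature) + 20 (IMAGE_FILE_HEADER) + 96 (PE32 IMAGE_OPTIONAL_HEADER up to DataDirectory).
PE32_DATADIR_OFF = 4 + 20 + 96


@dataclass
class PxDirectory:
    """One modified directory header as the slide describes it."""
    name: str       # which PE directory it stands for
    orig_rva: int   # RVA the directory had in the original PE
    size: int
    cur_rva: int    # RVA where its bytes live in the PX image


def restore_directories(px, dirs, pe, nt_off):
    """Copy each directory's bytes from its PX location back to the original RVA and
    rewrite the matching IMAGE_DATA_DIRECTORY entry in the original optional header."""
    moved = []
    for d in dirs:
        pe[d.orig_rva:d.orig_rva + d.size] = px[d.cur_rva:d.cur_rva + d.size]
        entry = nt_off + PE32_DATADIR_OFF + 8 * DIR_INDEX[d.name]
        struct.pack_into("<II", pe, entry, d.orig_rva, d.size)
        moved.append((d.name, d.cur_rva, d.orig_rva, d.size))
    return moved


def data_directory(pe, nt_off, name):
    """Read back (RVA, size) of a directory from the optional header, to check the result."""
    return struct.unpack_from("<II", pe, nt_off + PE32_DATADIR_OFF + 8 * DIR_INDEX[name])


def build_sample():
    """Constructed PX image and half-rebuilt PE (not real Gozi data). The PE already has its
    original NT headers at 0x100 (signature, machine, PE32 magic) and zeroed directory entries;
    the PX holds the import directory bytes at 0x3B0 (the slide's example: orig 0xBD10, size 0x41)."""
    px = bytearray(0x1000)
    px[0x3B0:0x3B0 + 0x41] = bytes(range(0x41))           # stand-in for the import descriptors
    pe = bytearray(0x10000)
    nt_off = 0x100
    pe[nt_off:nt_off + 4] = b"PE\0\0"
    struct.pack_into("<H", pe, nt_off + 4, 0x014C)        # IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", pe, nt_off + 24, 0x10B)        # PE32 optional header magic
    dirs = [PxDirectory("import", 0xBD10, 0x41, 0x3B0)]
    return px, pe, nt_off, dirs


def demo():
    px, pe, nt_off, dirs = build_sample()
    moved = restore_directories(px, dirs, pe, nt_off)
    return {
        "moved": moved,
        "import_dir": data_directory(pe, nt_off, "import"),
        "bytes_match": bytes(pe[0xBD10:0xBD10 + 0x41]) == bytes(px[0x3B0:0x3B0 + 0x41]),
    }


if __name__ == "__main__":
    out = demo()
    for name, cur, orig, size in out["moved"]:
        print("%-8s %#6x -> %#6x (%#x bytes)" % (name, cur, orig, size))
    print("import directory entry:", tuple(hex(v) for v in out["import_dir"]))
```

Two caveats a full converter has to handle beyond this step: the security directory entry is a file offset rather than an RVA, and a PE32+ optional header places DataDirectory at offset 112 instead of 96.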

  56. BACKSWAP
    BMP with a twist
    Overview
    • Banking malware revealed by ESET in May 2018
    • Known to target banks in Poland, Spain and the Czech Republic
    • Derivative of the Tinba banking malware
    • Known to use innovative techniques to avoid detection
    • Comes in an executable that diverts execution to a weird blob

  57. BACKSWAP
    BMP with a twist
    BMP format outline: File Header, Bitmap Header, Pixel Data

  58. BACKSWAP
    BMP with a twist
    File Header (a normal BMP):
    signature    size           padding        data start
    'B' 'M'      FF 00 40 00    00 00 00 00    76 00 00 00

  59. BACKSWAP
    BMP with a twist
    File Header:
    signature    size           padding        data start
    'B' 'M'      FF 00 40 00    00 00 00 00    76 00 00 00
    It is possible to modify the size field so that it will represent a jump instruction!

  60. BACKSWAP
    BMP with a twist
    File Header, the same bytes read as x86 code:
    signature    size           padding        data start
    42 4D        E9 54 DE 00    00 00 00 00    76 00 00 00
    INC EDX      JMP <offset>
    DEC EBP
    It is possible to modify the size field so that it will represent a jump instruction! (E9 rel32 is five bytes long, so the first zero byte of the padding completes the jump's displacement.)

  61. BACKSWAP
    BMP with a twist
    Malware format outline: File Header (with the jump), Bitmap Header, Pixel Data. The pixel data holds the Loader: a code section and a custom import table of (Hash, Function Address) entries that the loader resolves and decodes.

  62. BACKSWAP
    BMP with a twist
    When we try to visualize the BMP, we realize it's a polyglot.
    polyglot: a binary represented by several formats, depending on how you look at it (definition by @angealbertini)

  63. BACKSWAP
    BMP with a twist
    Malware format outline (continued): the pixel data also carries the Malware Payload.

  64. BACKSWAP
    BMP with a twist
    Rendered as an image, the BMP shows Eric Cartman.
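Added example (Python, written for this page; not BackSwap's code): building the polyglot BITMAPFILEHEADER from slides 58 to 60 and checking it from both sides, as a BMP parser and as an x86 decoder. The target 0xDE5B reproduces the slide's size bytes (E9 54 DE 00); disassemble_head() is a deliberately tiny decoder for only the three opcodes involved, and the header it produces is constructed, not taken from a sample.

```python
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def build_polyglot_header(jmp_target, pixel_data_off=0x76):
    """Build a 14-byte BITMAPFILEHEADER whose bfSize field doubles as a JMP rel32.
    Executed as x86: 'B' (0x42) = inc edx, 'M' (0x4D) = dec ebp, then E9 rel32 = jmp.
    E9 rel32 is 5 bytes but bfSize only 4, so the first (zero) byte of bfReserved1 supplies the
    high byte of rel32; the target must therefore be a forward jump of less than 16 MiB."""
    rel32 = jmp_target - (2 + 5)            # jmp starts at offset 2 and is 5 bytes long
    if not 0 <= rel32 <= 0x00FFFFFF:
        raise ValueError("target not reachable with a zero high byte")
    bf_size = 0xE9 | (rel32 << 8)           # little-endian bytes: E9, rel32[0], rel32[1], rel32[2]
    return struct.pack("<2sIHHI", b"BM", bf_size, 0, 0, pixel_data_off)


def parse_bmp_file_header(hdr):
    """What an image parser sees: a valid signature, a (bogus) size and the pixel data offset."""
    sig, size, r1, r2, off = struct.unpack_from("<2sIHHI", hdr)
    return {"signature": sig, "size": size, "reserved": (r1, r2), "data_offset": off}


def disassemble_head(code):
    """Minimal x86 decoder for exactly the opcodes this trick relies on (inc/dec r32, jmp rel32)."""
    ops, pc = [], 0
    while pc < len(code):
        b = code[pc]
        if 0x40 <= b <= 0x47:
            ops.append((pc, "inc " + REGS[b - 0x40]))
            pc += 1
        elif 0x48 <= b <= 0x4F:
            ops.append((pc, "dec " + REGS[b - 0x48]))
            pc += 1
        elif b == 0xE9:
            (rel,) = struct.unpack_from("<i", code, pc + 1)
            ops.append((pc, "jmp %#x" % (pc + 5 + rel)))
            break                             # execution leaves the header here
        else:
            ops.append((pc, "db %#04x" % b))
            pc += 1
    return ops


def demo(target=0xDE5B):
    """Reproduce the header from the slide: bfSize bytes E9 54 DE 00, i.e. jmp to offset 0xDE5B."""
    hdr = build_polyglot_header(target)
    return {"header": hdr, "bmp": parse_bmp_file_header(hdr), "code": disassemble_head(hdr)}


if __name__ == "__main__":
    out = demo()
    print(out["header"].hex())
    print("as BMP :", out["bmp"])
    print("as code:", out["code"])
```

The trick only works as 32-bit code: in 64-bit mode the bytes 0x40 to 0x4F are REX prefixes rather than inc/dec, so the same header decodes differently. The price is a bogus bfSize (about 14.5 MB here), which most image viewers ignore but a strict validator could flag.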


  66. ALIENS AMONG US
    Binary Format you Never Heard of: XCOFF (Extended Common Object File Format)
    • Typical format in AIX, IBM's proprietary Unix OS
    • AIX is deployed on various platforms, usually as a server
    • Example: Payment Switch Servers (transaction processing and routing decisions)
    XCOFF layout: File Header, Auxiliary Header, Section Headers (.text, .data, .bss, .loader), Section Raw Data, Relocation Data (.text relocations, .loader relocations), Line Number Info, Symbol Table, String Table

  67. ALIENS AMONG US
    Operation Fast Cash (courtesy of Lazarus)
    XCOFF malware on the Payment Switch Server injects an XCOFF implant into the Payment Switch Application and installs hooks on send and recv. For every request/response pair the implant compares the card's Primary Account Number with applist.dat, an encrypted list of attacker-controlled Primary Account Numbers, so that a fraudulent cash withdrawal attempt with a money mule credit card receives a forged approval response.
    Very nice analysis of the XCOFF malware by Frank Boldewin (@r3c0nst)!


  69. FINAL NOTES
    Funky formats are a spectrum



  71. FINAL NOTES
    Custom formats make static detection problematic....


  72. FINAL NOTES
    What does it take to make a custom format? What do we need to make code run?
    • Imports
    • Relocations
    If you can make a custom PE loader, you can take a step further and make a custom format loader.

  73. THANK YOU
    Questions?
    Mark Lechtik (@_marklech_), Aleksandra Doniec (@hasherezade)

  74. APPENDIX
    • Malware analysis of Hidden Bee's custom format, by Aleksandra (@hasherezade): https://blog.malwarebytes.com/threat-analysis/2018/08/reversing-malware-in-a-custom-format-hidden-bee-elements/
    • Paper by Maciek Kotowicz (@maciekkotowicz) on the Gozi custom format: https://lokalhost.pl/txt/isfbv3.pdf
    • BackSwap publication by Itay Cohen (@megabeets_): https://research.checkpoint.com/the-evolution-of-backswap/
    • Analysis of the Lazarus XCOFF malware (Operation Fast Cash) by Frank Boldewin: https://github.com/fboldewin/FastCashMalwareDissected/blob/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf
    • GitHub repository with tools for analyzing the discussed formats: https://github.com/hasherezade/funky_malware_parsers