Technical Analysis of Second Stage Payload

[Image: cnc_landing]

The 2nd stage payload is an NSIS-compiled sample, as seen in previous Buhtrap samples. This is one way Buhtrap tries to evade AV detection: by disguising itself as an installer. NSIS is open source software widely used to build installers. Recently we have been seeing a trend of ransomware adopting this method, as is the case with Locky and Cerber.

The sample is also digitally signed with a valid certificate and carries file properties and version information.

[Image: file_prop]

Installation

Inside the NSIS package is a password-protected 7zip archive in which all its components are stored. A command line 7zip tool is also included in the package to extract the component files. The password is hardcoded in the NSIS script and differs from the other Buhtrap samples we have seen; for this sample, the password is "p2DP9ENv5bK". It also modifies the timestamp of the file using a custom file utility, FileTouch.exe, which is basically similar to the touch utility in Linux.

Below are snippets of the NSIS script that we extracted:

[Image: nsis_2]

We executed the file on our box but found that it did nothing. Inspecting the NSIS script reveals that it checks whether the system language is Russian via GetSystemDefaultLangID.

[Image: nsis_1]

We hooked this API and forced the malware to think we are in a Russian system.

[Image: hook_getsystemdefault]

After which, the following commands and processes were monitored:

attrib -h -s -r "C:\Users\Administrator\AppData\Roaming\Microsoft\Zerno"

7za.exe x -p2DP9ENv5bK install.dat dev2055.tmp -aoa

7za.exe x -p2DP9ENv5bK dev2055.tmp -aoa -o8992023.tmp

7za.exe x -p2DP9ENv5bK install.dat FileTouch.exe -aoa

C:\Users\Administrator\AppData\Roaming\Microsoft\Zerno\zerno.exe

As shown above, the malware components are extracted into "%AppData%\Microsoft\Zerno", and then zerno.exe is executed. The Zerno folder contains the following files:
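The staging chain above (attrib hiding a directory under %AppData%, 7za.exe extracting with a hardcoded password, then a binary launched from that directory) is something a defender can match in process-creation telemetry. The following is an added example, not code from the original analysis; it parses the 7za.exe extraction command lines and flags the chain over a constructed event list modeled on the commands shown above.

```python
import re
import shlex

# Constructed process-creation records (image name, command line), modeled on
# the command sequence above. Sample data only, not a real log.
SAMPLE_EVENTS = [
    ("attrib.exe", r'attrib -h -s -r "C:\Users\Administrator\AppData\Roaming\Microsoft\Zerno"'),
    ("7za.exe", "7za.exe x -p2DP9ENv5bK install.dat dev2055.tmp -aoa"),
    ("7za.exe", "7za.exe x -p2DP9ENv5bK dev2055.tmp -aoa -o8992023.tmp"),
    ("7za.exe", "7za.exe x -p2DP9ENv5bK install.dat FileTouch.exe -aoa"),
    ("zerno.exe", r"C:\Users\Administrator\AppData\Roaming\Microsoft\Zerno\zerno.exe"),
    ("7za.exe", "7za.exe x archive.7z -oC:\\Temp\\out"),  # no password: ordinary use
]

def parse_7za_extract(cmdline):
    """Parse a '7za.exe x -p<password> <archive> ...' command line.
    Returns dict(password, archive, output_dir), or None when the command is
    not a password-protected extraction."""
    argv = shlex.split(cmdline, posix=False)  # keep Windows backslashes intact
    if len(argv) < 3 or not argv[0].lower().endswith("7za.exe") or argv[1].lower() != "x":
        return None
    password = next((a[2:] for a in argv[2:] if a.startswith("-p")), None)
    if not password:
        return None
    output_dir = next((a[2:] for a in argv[2:] if a.startswith("-o")), None)
    positional = [a for a in argv[2:] if not a.startswith("-")]
    return {"password": password, "archive": positional[0] if positional else None,
            "output_dir": output_dir}

def detect_staged_install(events):
    """Flag the chain: attrib -h on a directory under %AppData%\\Roaming,
    password-protected 7za extraction, then execution from that directory."""
    hidden, passwords, findings = [], set(), []
    for image, cmdline in events:
        if image.lower() == "attrib.exe" and " -h" in cmdline.lower():
            m = re.search(r'"?([a-z]:\\[^"]*\\appdata\\roaming\\[^"]*)"?', cmdline, re.I)
            if m:
                hidden.append(m.group(1).rstrip("\\").lower())
        elif image.lower() == "7za.exe":
            parsed = parse_7za_extract(cmdline)
            if parsed:
                passwords.add(parsed["password"])
        elif passwords and any(cmdline.lower().startswith(d) for d in hidden):
            findings.append({"executed": cmdline, "staging_dir": hidden[-1],
                             "passwords": sorted(passwords)})
    return findings
```

The same logic transfers to Sysmon event ID 1 or EDR process telemetry by feeding (image, command line) pairs in execution order.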

[Image: zerno_folder]

Of these files, only zerno.exe and msvcr71.dll are malicious. The other files are benign files that are part of the Notepad++ software. This is an attempt to obscure its malicious behavior by pretending to be a legitimate Notepad++ installation.

For persistence, it creates a shortcut in the Startup folder that launches zerno.exe at every startup.

[Image: zerno_startup]

What Does this Malware Do?

The main executable is zerno.exe and, interestingly, its only job is to load the msvcr71.dll library, which performs all the malicious behavior.

Msvcr71.dll

This is where all the malicious routines are compiled. It is trojan-spyware with the following functions:

  • Keylogger
  • Get System Info
  • Read Smart Card Info
  • Downloader

Keylogger

The keylogger thread creates an invisible window and a window procedure that retrieves and handles the messages. It logs this information into "uninstall.log" in the %temp% folder.

[Image: uninstall_sample2]

The following snapshot illustrates how the keylogger routine is implemented.

[Image: keylogger]

Smart Card Reader

One of its interesting payloads is to read smart card information. It lists the available smart card readers and their status using "WinSCard.dll" APIs:

[Image: winscard]

It does not actually read what is on the smart card; it only determines the readers' status. It logs all this information in "uninstall.log".

Downloader

It is also capable of downloading additional malware from its CnC server. Another interesting feature of this malware is diskless loading, which it selects by checking the response from the server. The first two bytes are checked: if the downloaded file starts with 'MZ' (0x5A4D), it writes the file to the %temp% folder and executes it. If the response starts with "LD" (0x444C), it only loads the malware into memory.

[Image: detectedmz]

Diskless Loading

[Image: diskless_loading]

CnC server

It communicates with its CnC server "quotedb.info" via HTTP POST. All communication we observed is encrypted.

[Image: capture]

State of Buhtrap Operation

As stated in our previous blog post, the IP of rozhlas.site is 50.7.86.243. We looked into the domain history of this IP and found some interesting information about the current state of Buhtrap.

Domain                              | Last Resolved
------------------------------------+--------------
getadobe.org                        | 5/10/2016
chromelabs.org                      | 5/13/2016
adobelabs.org                       | 5/14/2016
canvaslabs.org                      | 5/22/2016
57569b378f3fb.archive.getadobe.org  | 6/7/2016
chrome.services                     | 7/2/2016
get.adobelabs.org                   | 7/2/2016
safechrome.services                 | 7/11/2016
www.safechrome.services             | 7/28/2016
cdn.lidovky.site                    | 8/9/2016
rozhlas.site                        | 8/17/2016
getcanvas.org                       | 9/14/2016
medioca-room02.org                  | 9/28/2016

From the domain history, it appears they used this IP from May to September 2016, but it is very possible that they are still using the same IP for their operation. Looking into the details of each domain, we find multiple samples that differ in behavior but appear related to the Buhtrap operation. For instance, five samples downloaded from getadobe.org differ in behavior from the sample described in this blog. Those samples are detected by Kaspersky as "Trojan.Win32.Karamanak", which is also their detection name for the sample in this blog.

As seen in the domain list, they also use domain names related to Chrome, Adobe or popular graphics software as a way to keep a low profile.

Chromelabs.org

Using this domain, the actors started using CVE-2016-0189 as their infection method. In fact, they used the same binary exploits found in Offensive Security's GitHub repository. The following files were downloaded from this domain:

  • http://chromelabs.org/data/shell32/51d2a95ddc.dll
  • http://chromelabs.org/a3b4x62.exe
  • http://chromelabs.org/blog/dsfsdhdh.vbs
  • http://chromelabs.org/news/dsfsdhdh.exe
  • http://chromelabs.org/track/automate.js

Adobelabs.org

A similar NSIS-compiled payload was downloaded from this domain.

Also, the following files, appearing as installers, connect to this domain:

Md5                              | Filename                  | Signer
---------------------------------+---------------------------+-------------
2530a11c4fa57fd3f9cdc30c8fd40878 | Shockwave_setup.exe       | LLC LVIV IT!
ead9344c8022e0479ebe272472d6197a | chrome_update_win.exe     | Bit-Trejd
fda920b3d72728f6a89672e07a900c70 | chrome_update.exe         | LLC LVIV IT!
e5f01322da2b6cda707a8135c7320b79 | shockwave_setup_winax.exe | Bit-Trejd

Getcanvas.org

The samples we have seen from getcanvas.org are the same samples we found on rozhlas.site.

Conclusion

Based on this research, it appears that the actors follow recognizable patterns in their attacks:

  • Using digitally signed malware
  • Using NSIS and hiding their components in a password-protected archive
  • Using domains that resemble popular software, e.g. Adobe, Chrome
  • Constantly changing their CnC domain while keeping the same IP

It is also evident that the actors are still very active. They are careful not to infect systems that are not their target, which allows them to stay under the radar for as long as possible. These tactics, techniques and procedures are the hallmark of Advanced Persistent Threat groups.

Analysis by Dhruval Gandhi & Paul Kimayong.