Notification
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.
This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.
Summary
Description
This CISA submission included one unique file. This file is a malicious loader that contains an embedded executable. This embedded executable is a Remote Access Tool (RAT) that provides a vast array of Command and Control (C2) capabilities. These C2 capabilities include the ability to remotely monitor a system's desktop, gain reverse shell access, exfiltrate data, and upload and execute additional payloads. The malware can also function as a proxy, allowing a remote operator to pivot to other systems.
For a downloadable copy of IOCs, see: MAR-10382580.r2.v1.WHITE_stix
Submitted Files (1)
4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f (ilasvc.exe)
IPs (1)
151.106.30.120
Findings
4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f
Tags
remote-access-trojan
trojan
Details
Name | ilasvc.exe
Size | 1056768 bytes
Type | PE32+ executable (GUI) x86-64, for MS Windows
MD5 | 05d38bc82d362dd57190e3cb397f807d
SHA1 | 52b04d348adf7e42e7c7d6c2ec9aabbcaba07188
SHA256 | 4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f
SHA512 | d03894ad9ce7a5f0e58a5e6385926263507f2571e3cbe60fce1ed5463a77152a7779d8b494ee7a6ff4986de19c0a92cbcc8dae5697d69dc196c474723ee553ef
ssdeep | 24576:mStdBO8/kIH46+jHd3JURkxXH3rg9fNJa9y5xmDYzgLu8b7oCK:mST2+qXHbg91Ja9y5MOgL3K
Entropy | 7.599564
Antivirus
ESET | a variant of Win64/Injector.HA.gen trojan
IKARUS | Trojan.Win64.Injector
YARA Rules
rule CISA_10382580_03 : loader
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10382580"
        Date = "2022-05-02"
        Last_Modified = "20220602_1200"
        Actor = "n/a"
        Category = "Loader"
        Family = "n/a"
        Description = "Detects loader samples"
        MD5_1 = "3764a0f1762a294f662f3bf86bac776f"
        SHA256_1 = "f7f7b059b6a7dbd75b30b685b148025a0d4ceceab405e553ca28cacdeae43fab"
        MD5_2 = "21fa1a043460c14709ef425ce24da4fd"
        SHA256_2 = "66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16"
        MD5_3 = "e9c2b8bd1583baf3493824bf7b3ec51e"
        SHA256_3 = "7ea294d30903c0ab690bc02b64b20af0cfe66a168d4622e55dee4d6233783751"
        MD5_4 = "de0d57bdc10fee1e1e16e225788bb8de"
        SHA256_4 = "33b89b8915aaa59a3c9db23343e8c249b2db260b9b10e88593b6ff2fb5f71d2b"
        MD5_5 = "9b071311ecd1a72bfd715e34dbd1bd77"
        SHA256_5 = "3c2c835042a05f8d974d9b35b994bcf8d5a0ce19128ebb362804c2d0f3eb42c0"
        MD5_6 = "05d38bc82d362dd57190e3cb397f807d"
        SHA256_6 = "4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f"
    strings:
        $s0 = { B8 01 00 00 00 48 6B C0 00 C6 44 04 20 A8 B8 01 }
        $s1 = { 00 00 48 6B C0 01 C6 44 04 20 9A B8 01 00 00 }
        $s2 = { 48 6B C0 02 C6 44 04 20 93 B8 01 00 00 00 48 }
        $s3 = { C0 03 C6 44 04 20 9B B8 01 00 00 00 48 6B C0 }
    condition:
        all of them
}
ssdeep Matches
No matches found.
PE Metadata
Compile Date | 2020-04-30 19:43:57-04:00
Import Hash | 99197f3296550481a848ea8d4e097487
Company Name | Sysinternals - www.sysinternals.com
File Description | Flush cached data to disk.
Internal Name | Sync
Legal Copyright | Copyright (C) 2016 Mark Russinovich
Original Filename | Sync.exe
Product Name | Sysinternals Sync
Product Version | 2.2
PE Sections
MD5 | Name | Raw Size | Entropy
a917582fc3e796bb1d43bfce05c0cfb3 | header | 1024 | 3.105665
5fbd29958a5484173910cb06dcfc4e9e | .text | 310784 | 6.453454
34b6e6a847957ef90ef9460e0f8dd3d0 | .rdata | 98304 | 5.168254
e32c1166142d325350f6e6443db43144 | .data | 3584 | 2.609738
ffc4ab2046acad015eba98898e975ad5 | .pdata | 18432 | 5.804487
502485fa11633b4eb9eaef15fcb482a5 | .rsrc | 622080 | 7.975998
69687e4a3ffbefbe782d13637ce8605a | .reloc | 2560 | 4.913641
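The section table above is the quickest static tell for this loader: .rsrc is 622080 of 1056768 bytes (about 59 percent of the file) at an entropy of 7.976, close to the 8.0 ceiling, while the version metadata claims to be Sysinternals Sync. A near-random section that dominates the file is the profile of an encrypted payload stored as a resource, which matches the embedded executable described in the Description section. The following Python script is added here to illustrate that triage check; it is not CISA tooling and was not run against the sample. It parses the PE section table by hand, computes per-section Shannon entropy, and flags sections that are both high-entropy and a large share of the file. The PE it builds for input is constructed for the demonstration (it is not loadable), and the thresholds are assumptions.

```python
import math
import struct
from typing import List, Tuple

# Size of a PE32+ optional header (IMAGE_OPTIONAL_HEADER64); PE32 uses 224.
PE32PLUS_OPT_HEADER_SIZE = 240
FILE_ALIGNMENT = 0x200


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(pe: bytes) -> List[Tuple[str, int, float]]:
    """Walk the PE section table and return (name, raw size, entropy of raw bytes) per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                           # first IMAGE_SECTION_HEADER
    result = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)   # SizeOfRawData, PointerToRawData
        result.append((name, raw_size, shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])))
    return result


def suspicious_sections(pe: bytes, min_entropy: float = 7.5, min_share: float = 0.25) -> List[str]:
    """Flag sections that are both near-random and a large share of the file, the profile
    of an encrypted payload carried in .rsrc or .data. Thresholds are assumptions."""
    total = len(pe)
    return [name for name, size, ent in pe_sections(pe)
            if ent >= min_entropy and size / total >= min_share]


def build_sample_pe(sections: List[Tuple[str, bytes]]) -> bytes:
    """Assemble a minimal PE32+ layout around the given section contents.
    Constructed for this example only; it is not loadable and is not the analyzed sample."""
    header_len = 0x40 + 4 + 20 + PE32PLUS_OPT_HEADER_SIZE + 40 * len(sections)
    header_len = -(-header_len // FILE_ALIGNMENT) * FILE_ALIGNMENT
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, PE32PLUS_OPT_HEADER_SIZE, 0x22)
    opt = b"\x0b\x02" + bytes(PE32PLUS_OPT_HEADER_SIZE - 2)  # PE32+ magic, remainder zeroed
    table, body = bytearray(), bytearray()
    raw_ptr, rva = header_len, 0x1000
    for name, data in sections:
        raw_size = -(-len(data) // FILE_ALIGNMENT) * FILE_ALIGNMENT
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(data), rva,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
        body += data + bytes(raw_size - len(data))
        raw_ptr += raw_size
        rva += -(-raw_size // 0x1000) * 0x1000
    header = bytes(dos) + b"PE\0\0" + coff + opt + bytes(table)
    return header + bytes(header_len - len(header)) + bytes(body)


# Constructed stand-in: a small, constant .text and a large, uniformly distributed .rsrc.
SAMPLE_PE = build_sample_pe([
    (".text", b"\x90" * 1024),
    (".rsrc", bytes(range(256)) * 64),
])

if __name__ == "__main__":
    for name, size, ent in pe_sections(SAMPLE_PE):
        print(f"{name:<8} {size:>8} {ent:.6f}")
    print("suspicious:", suspicious_sections(SAMPLE_PE))
```

On the constructed input the script reports .rsrc at entropy 8.0 and flags it; on the real loader the same logic would flag .rsrc at 7.976. High entropy alone is not proof of malice (compressed resources such as icons and PNGs also score high), so the share-of-file threshold and the mismatch with the claimed Sysinternals metadata are what make the result worth escalating.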
Relationships
4cd7efdb1a... | Connected_To | 151.106.30.120
Description
This malware is a 64-bit Windows loader that contains an embedded, encrypted malicious executable. At runtime the loader decrypts this executable and loads it directly into memory; the decrypted payload never touches the system's hard disk. The embedded executable is similar in functionality to the file 66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16, described in report MAR-10382580.r1.v1. It attempts to communicate with the hard-coded C2 Internet Protocol (IP) address 151[.]106[.]30[.]120. The implant provides a vast array of C2 capabilities, including the ability to log keystrokes, upload and execute additional payloads, function as a proxy, and give the remote operator graphical user interface (GUI) access to the target Windows system's desktop. Many of the structures used to implement these C2 capabilities appear to be derived from the same source code as 66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16; however, this malware uses considerably more complex obfuscation to hinder analysis of its code structures, and a more complex encryption algorithm to secure its network communications.
The malware embedded within this binary protects its strings with an XOR-based scheme in which each string is encoded under its own single-byte key (Figure 7). The strings were partially decoded and are listed below with their approximate memory addresses during runtime, assuming a base address of 0x260000; because the decoding is partial, some entries are truncated or only partly recovered.
--Begin Decoded Strings--
('0x264e32', 'RegQueryValueExl')
('0x264f58', 'RegQueryValueEx\\')
('0x265325', 'GetCurrentProcessId')
('0x265bc9', 'GetEnvironmentVariableW')
('0x265cc1', 'ShellExecuteExW')
('0x268b20', 'GetAdaptersInfo')
('0x268c49', 'GetAdaptersInfo')
('0x26a77c', 'EnumDependentServicesW')
('0x26a98b', 'EnumDependentServi')
('0x26abb9', 'ControlService')
('0x26ad5b', 'QueryServiceStatus')
('0x26af62', 'CloseServiceHandle')
('0x26c3ed', 'GetComputerNameW')
('0x277621', 'GetEnvironmentVariableW')
('0x27856f', 'GetLogicalDriveStringsW')
('0x2788e5', 'GetVolumeInformationW')
('0x278f87', 'FindFirstFileW')
('0x27a3f3', 'GetSystemDirectoryW')
('0x27bf04', 'SetFilePointerEx')
('0x27d125', 'RemoveDirectoryW')
('0x27daa7', 'FindFirstFileW')
('0x284074', 'GetClipboardData')
('0x2850d4', 'GetForegroundWindow')
('0x28513d', 'GetDesktopWindow')
('0x28b443', 'GetProcessHeap')
('0x28b533', 'CoInitializeEx')
('0x28b655', 'StartServiceCtrlDispatch')
('0x28cd63', 'GetModuleFileNameW')
('0x2636f3', 'UnkownError')
('0x2649f3', "Display''''")
('0x264ab0', 'RegOpenKeyExW')
('0x264af0', 'ADVAPI32.dll')
('0x264ca0', 'RegEnumKeyExW')
('0x264ce0', 'ADVAPI32.dll')
('0x264d80', 'RegOpenKeyExW')
('0x264dc0', 'ADVAPI32.dll')
('0x264e90', 'ADVAPI32.dll')
('0x264fb0', 'ADVAPI32.dll')
('0x265160', 'RegCloseKey')
('0x2651b0', 'ADVAPI32.dll')
('0x265390', 'KERNEL32.dll')
('0x265c30', 'KERNEL32.dll')
('0x265d20', 'SHELL32.dll')
('0x266950', 'GetVersionExW')
('0x266990', 'KERNEL32.dll')
('0x266b63', 'CurrentMajorVersionNum')
('0x266c33', 'CurrentMajorVersionNum')
('0x268b80', 'IPHLPAPI.dll')
('0x268c03', 'KERNEL32.dll')
('0x268ca0', 'IPHLPAPI.dll')
('0x26a710', 'GetTickCount')
('0x26a750', 'KERNEL32.dll')
('0x26a7b8', 'EnumDepende')
('0x26a7f3', 'Advapi32.dll')
('0x26a872', 'GetLastError')
('0x26a8b0', 'KERNEL32.dll')
('0x26a940', 'KERNEL32.dll')
('0x26aa17', 'Advapi32.dll')
('0x26aafb', 'OpenServiceW')
('0x26ab4b', 'Advapi32.dll')
('0x26ac33', 'Advapi32.dll')
('0x26acd4', 'Sleep')
('0x26ad24', 'KERNEL32.dll')
('0x26adea', 'Advapi32.dll')
('0x26aeaa', 'GetTickCount')
('0x26af03', 'KERNEL32.dll')
('0x26afdb', 'Advapi32.dll')
('0x26c2e0', 'GetUserNameW')
('0x26c320', 'Advapi32.dll')
('0x26c450', 'KERNEL32.dll')
('0x26cad0', 'KERNEL32.dll')
('0x273220', 'closesocket')
('0x274a90', 'getsockname')
('0x275280', 'getsockname')
('0x276583', 'Erroroccurswhiles')
('0x276714', 'NoTabsinclient.')
('0x2769e3', 'NoTabsinclient.')
('0x276b60', 'KERNEL32.dll')
('0x277690', 'KERNEL32.dll')
('0x2785e0', 'KERNEL32.dll')
('0x2786d3', 'ErroroccursinGetL')
('0x278950', 'KERNEL32.dll')
('0x2789e0', 'GetDriveTypeW')
('0x278a20', 'KERNEL3')
('0x278f10', 'PathCombineW')
('0x278f50', 'SHLWAPI.dll')
('0x278fa4', 'FindFirstFile')
('0x278fe0', 'KERNEL32.dll')
('0x279120', 'PathCombineW')
('0x279160', 'SHLWAPI.dll')
('0x2791c1', 'CreateFileW')
('0x279200', 'KERNEL32.dll')
('0x279280', 'GetFileTime')
('0x2792c0', 'KERNEL32.dll')
('0x279320', 'CloseHandle')
('0x279360', 'KERNEL32.dll')
('0x2796a0', 'FindNextFileW')
('0x2796e0', 'KERNEL32.dll')
('0x2797b3', 'Cannotaccesstofold')
('0x27a460', 'KERNEL32.dll')
('0x27a4e3', 'kernel32.dll')
('0x27a540', 'PathCombineW')
('0x27a580', 'SHLWAPI.dll')
('0x27a5e0', 'CreateFileW')
('0x27a620', 'KERNEL32.dll')
('0x27a692', 'GetFileTime')
('0x27a6d0', 'KERNEL32.dll')
('0x27a730', 'CloseHandle')
('0x27a770', 'KERNEL32.dll')
('0x27acf0', 'CreateFileW')
('0x27ad30', 'KERNEL32.dll')
('0x27ade0', 'GetFileTime')
('0x27ae20', 'KERNEL32.dll')
('0x27af80', 'GetLastError')
('0x27afc0', 'KERNEL32.dll')
('0x27b430', 'GetLastError')
('0x27b470', 'KERNEL32.dll')
('0x27b932', 'CreateFileW')
('0x27b970', 'KERNEL32.dll')
('0x27b9f0', 'GetLastError')
('0x27ba30', 'KERNEL32.dll')
('0x27bf60', 'KERNEL32.dll')
('0x27c000', 'KERNEL32.dll')
('0x27c080', 'KERNEL32.dll')
('0x27c1b0', 'CloseHandle')
('0x27c1f0', 'KERNEL32.dll')
('0x27c270', 'GetLastError')
('0x27c2b0', 'KERNEL32.dll')
('0x27c3c3', 'Nodescriptorfound.')
('0x27c860', 'KERNEL32.dll')
('0x27c950', 'CloseHandle')
('0x27c990', 'KERNEL32.dll')
('0x27c9f0', 'GetLastError')
('0x27ca30', 'KERNEL32.dll')
('0x27cb00', 'CloseHandle')
('0x27cb40', 'KERNEL32.dll')
('0x27cdc0', 'CloseHandle')
('0x27ce00', 'KERNEL32.dll')
('0x27d180', 'KERNEL32.dll')
('0x27d1f0', 'DeleteFileW')
('0x27d230', 'KERNEL32.dll')
('0x27d290', 'GetLastError')
('0x27d2d0', 'KERNEL32.dll')
('0x27d3e3', 'Deletesuccessed.')
('0x2c3743', 'Deletepayloadcorrupt')
('0x27da30', 'PathCombineW')
('0x27da70', 'SHLWAPI.dll')
('0x27dac4', 'FindFirstFile')
('0x27db00', 'KERNEL32.dll')
('0x27dc20', 'PathCombineW')
('0x27dc60', 'SHLWAPI.dll')
('0x27ded1', 'FindNex2@\x04@%@')
('0x27df10', 'KERNEL32.dll')
('0x284030', 'OpenClipboard')
('0x284110', 'Kernel32.dll')
('0x2841b3', '<CTRL+V>')
('0x284253', '</CTRL+V>')
('0x284fe3', 'Composition')
('0x285073', 'Sfwr\\irsf\\i')
('0x28507c', 'otaeMcootW')
('0x285484', 'Monitor%d[%d*%d]')
('0x28b280', 'DeleteObject')
('0x28b400', 'KERNEL32.dll')
('0x28b4a0', 'KERNEL32.dll')
('0x28b6d0', 'Advapi32.dll')
('0x28cdc0', 'KERNEL32.dll')
('0x28d230', 'ExitProcess')
('0x28d270', 'KERNEL32.dll')
('0x28d3b0', 'GetTempPathW')
('0x28d3f0', 'KERNEL32.dll')
('0x28d4a0', 'PathCombineW')
('0x28d4e0', 'SHLWAPI.dll')
--End Decoded Strings--
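The per-string single-byte XOR scheme described above (and in Figure 7) is weak by design: with only 256 possible keys per string, an analyst does not need the malware's decoding routine, only a way to rank the 256 candidate plaintexts. The Python below is an added illustration of that brute-force approach and is not CISA's tooling or the sample's own decoder. It ranks candidates by printability and by the presence of tokens common in Windows API and DLL names, which is what lets the true key beat case-flipping decoys such as the key that differs from the real one by 0x20. The encoded table it decodes is constructed here (three strings, each under its own key), not bytes taken from the sample; the vocabulary, the offsets and the 0x260000 base are assumptions made to mirror the listing format above.

```python
from typing import List, Optional, Tuple

# Tokens common in Windows API and DLL names. A constructed ranking vocabulary, not taken
# from the sample; it is what lets the right key win over case-flipping decoys.
VOCAB = ("Get", "Set", "Reg", "Open", "Close", "Create", "Find", "File", "Process",
         "Heap", "Key", "Handle", "Service", "Path", "Error", "Next", "First",
         "dll", "KERNEL32", "ADVAPI32", "SHLWAPI", "SHELL32", "IPHLPAPI")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same function encodes and decodes."""
    return bytes(b ^ key for b in data)


def plausibility(candidate: bytes) -> Optional[int]:
    """Score a decoded candidate, or return None when it contains non-printable bytes."""
    if any(b < 0x20 or b > 0x7E for b in candidate):
        return None
    text = candidate.decode("ascii")
    score = sum(c.isalnum() for c in text)
    score += 10 * sum(text.count(tok) for tok in VOCAB)   # exact-case token hits dominate
    if text.lower().endswith(".dll"):
        score += 5
    return score


def recover_key(blob: bytes) -> Optional[Tuple[int, str]]:
    """Try all 256 keys and return (key, plaintext) for the most plausible decoding."""
    best = None
    for key in range(256):
        cand = xor_bytes(blob, key)
        score = plausibility(cand)
        if score is not None and (best is None or score > best[0]):
            best = (score, key, cand.decode("ascii"))
    return None if best is None else (best[1], best[2])


def decode_table(entries: List[Tuple[int, bytes]], base: int = 0x260000) -> List[Tuple[str, int, str]]:
    """Decode (offset, encoded bytes) pairs into (address, key, string) rows, rebased the way
    the report's listing is. Offsets are illustrative; the base mirrors the report's assumption."""
    rows = []
    for offset, blob in entries:
        found = recover_key(blob)
        if found is not None:
            rows.append((hex(base + offset), found[0], found[1]))
    return rows


# Constructed sample table: three strings, each encoded under its own single-byte key,
# mimicking the per-string key scheme described for this sample (not bytes from it).
SAMPLE_TABLE = [
    (0x5390, xor_bytes(b"KERNEL32.dll", 0x37)),
    (0x2B443, xor_bytes(b"GetProcessHeap", 0x5A)),
    (0x4AB0, xor_bytes(b"RegOpenKeyExW", 0xC3)),
]

if __name__ == "__main__":
    for addr, key, text in decode_table(SAMPLE_TABLE):
        print(f"('{addr}', key=0x{key:02x}, '{text}')")
```

The hard part on a real binary is not the key search but locating each encoded string and its length; the report's truncated entries such as 'EnumDependentServi' are what partial recovery of those boundaries looks like. When scoring ties (two keys yield equally plausible text), the decoded value should be confirmed against the import that the surrounding code actually resolves, for example the GetProcAddress argument at that call site.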
Screenshots
Figure 1 - This screenshot illustrates the malware sending an initial block of data to its hard-coded C2 server. As with the malware sample 66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16 in MAR-10382580.r1.v1, this malware's initial outbound block contains a chunk of random data and the unicode string "hello".
Figure 2 - This screenshot illustrates the malware's hard-coded cryptographic key it utilizes to encrypt and decrypt its network communications traffic via the algorithm in Figure 4.
Figure 3 - This screenshot illustrates the data returned to the remote operator if they simply reply to the malware's initial "hello" packet with their own "hello" packet. This data block contains the compromised system's MAC address, IP address, OS version, processor type, as well as other system specific information. The cryptographic algorithm illustrated in Figure 4 will be utilized to encrypt this data before it is sent to the remote C2 server.
Figure 4 - This screenshot illustrates code extracted from this malware's primary cryptographic function. This algorithm is utilized to encrypt and decrypt all network traffic exchanged between the implant and its remote operator. Although the malware communicates over port 443, it uses this custom algorithm rather than TLS. Static analysis indicates a hard-coded 16-byte key is utilized to encrypt and decrypt network traffic; that key can be observed in Figure 2.
Figure 5 - This screenshot illustrates the names of various classes utilized by this implant. The class VK1AlgorithmEngine contains the function which is utilized to encrypt and decrypt this malware's network traffic (Figure 4). Notably, the previously analyzed sample 66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16 utilizes a different class to implement its network traffic encryption. That sample's cryptographic class name is VSimpleXorAlgorithmEngine. This explains why the samples, while structurally and functionally very similar, utilize a different algorithm to secure their network communications.
Figure 6 - This screenshot illustrates several malicious classes this malware utilizes. The class VFeatureCmd provides the function that implements the malware's reverse shell capability, giving the remote operator direct access to a Windows command shell. The class VFeatureKeylogger provides advanced keylogging capabilities. Static analysis indicates the VFeatureSocks and VFeatureTunnel classes implement the malware's TCP proxying capability, and the VFeatureScreen class provides functions that allow the remote operator to monitor the victim user's desktop / GUI session. These same classes are utilized in malware sample 66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16 in MAR-10382580.r1.v1.
Figure 7 - This malware sample contains many encoded strings. As illustrated in this screenshot, many of the strings are encoded using an XOR cipher utilizing a single-byte key. A different XOR single-byte key will be used to decode each string.
Figure 8 - This screenshot illustrates a misspelling of the word "modifying" as "modifing" in the malware's source code. This same misspelling can be observed in the plugin embedded within malware sample 66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16 in MAR-10382580.r1.v1. This piece of information may be useful for attribution purposes.
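Figures 1 through 4 describe a network behaviour that is detectable without knowing the implant's cipher: the implant connects to port 443 but never performs a TLS handshake, and its first outbound block is random data followed by the unicode string "hello". The Python below is an added example of a first-payload classifier built on those two observations; it is not CISA tooling and was not run on the sample's traffic. It treats a payload as TLS only if it begins with a handshake record carrying a ClientHello, and otherwise flags any flow to 443, with a sharper label when the "hello" marker is present. The flows it inspects are constructed (documentation IP ranges, a synthetic ClientHello prefix, a synthetic beacon); the assumption that "unicode" means UTF-16LE follows the Windows convention, and the ASCII form is checked as well in case the report's wording was loose.

```python
import random
import struct
from typing import List, Tuple

# The report states the first outbound block carries random data plus the unicode string
# "hello". UTF-16LE is the Windows convention for "unicode"; the ASCII form is checked too.
HELLO_UTF16 = "hello".encode("utf-16-le")
HELLO_ASCII = b"hello"
TLS_HANDSHAKE_RECORD = 0x16
TLS_CLIENT_HELLO = 0x01


def is_tls_client_hello(payload: bytes) -> bool:
    """True when the payload begins with a TLS record of type handshake, version 3.x, whose
    first handshake message is ClientHello. Enough to separate real TLS from raw custom-encrypted
    traffic on 443; it does not validate the rest of the record."""
    if len(payload) < 6:
        return False
    ctype, major, minor, length = struct.unpack_from(">BBBH", payload, 0)
    return (ctype == TLS_HANDSHAKE_RECORD and major == 3 and minor <= 4
            and length >= 4 and payload[5] == TLS_CLIENT_HELLO)


def classify_first_payload(dst_port: int, payload: bytes) -> str:
    """Label the first client-to-server payload of a flow."""
    if dst_port != 443:
        return "not-443"
    if is_tls_client_hello(payload):
        return "tls-client-hello"
    if HELLO_UTF16 in payload or HELLO_ASCII in payload:
        return "non-tls-hello-beacon"     # the initial block described in Figure 1
    return "non-tls-on-443"                # worth a look even without the marker


def triage(flows: List[Tuple[str, int, bytes]]) -> List[Tuple[str, str]]:
    """Return (dst_ip, label) for every flow on 443 that is not a TLS handshake."""
    flagged = []
    for dst, port, payload in flows:
        label = classify_first_payload(port, payload)
        if label.startswith("non-tls"):
            flagged.append((dst, label))
    return flagged


def build_beacon(random_len: int = 32, seed: int = 1) -> bytes:
    """Constructed stand-in for the initial block: random filler followed by UTF-16LE "hello".
    The real sample's exact layout and filler length are not stated in the report."""
    rng = random.Random(seed)
    filler = bytes(rng.getrandbits(8) for _ in range(random_len))
    return filler + HELLO_UTF16


# Constructed flows: a ClientHello prefix, the synthetic beacon, cleartext HTTP on 443, and HTTP on 80.
CLIENT_HELLO_PREFIX = bytes.fromhex("160301 00a5 01 000001 0303") + bytes(32)
SAMPLE_FLOWS = [
    ("203.0.113.10", 443, CLIENT_HELLO_PREFIX),
    ("198.51.100.7", 443, build_beacon()),
    ("198.51.100.9", 443, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    ("203.0.113.11", 80, b"GET / HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for dst, label in triage(SAMPLE_FLOWS):
        print(dst, label)
```

Legitimate non-TLS traffic on TCP 443 does exist (misconfigured services, some proxies), so the "non-tls-on-443" label is a triage queue rather than an alert; the "hello" marker narrows it to this family, and a hit against 151.106.30.120 should be treated as confirmed given the hard-coded C2 in this report. The same logic ports directly to a Zeek or Suricata rule, where the absence of a TLS handshake on 443 is the primary condition.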
151.106.30.120
Tags
command-and-control
Ports
Whois
% Abuse contact for '151.106.30.0 - 151.106.30.255' is 'pivps.com@gmail.com'
inetnum: 151.106.30.0 - 151.106.30.255
netname: VELIANET-FR-PINETLLC
descr: Pi NET, LLC
country: FR
org: ORG-PNL20-RIPE
admin-c: PNL16-RIPE
tech-c: PNL16-RIPE
status: LEGACY
remarks: ticket.velia.net 110128
notify: hostmaster@velia.net
mnt-by: FGK-MNT
created: 2018-04-24T19:17:51Z
last-modified: 2018-04-24T19:17:51Z
source: RIPE
organisation: ORG-PNL20-RIPE
org-name: Pi NET, LLC
org-type: OTHER
address: No 74, Tang Thiet Giap, Co Nhue
address: Tu Liem
address: 100000 Hanoi
address: Viet Nam
phone: +84 977471775
e-mail: pivps.com@gmail.com
admin-c: PNL16-RIPE
tech-c: PNL16-RIPE
abuse-c: PNL16-RIPE
mnt-ref: FGK-MNT
mnt-by: FGK-MNT
created: 2017-09-07T11:08:29Z
last-modified: 2017-09-07T11:08:29Z
source: RIPE
role: Pi NET, LLC
address: No 74, Tang Thiet Giap, Co Nhue
address: Tu Liem
address: 100000 Hanoi
address: Viet Nam
phone: +84 977471775
e-mail: pivps.com@gmail.com
nic-hdl: PNL16-RIPE
mnt-by: FGK-MNT
created: 2017-09-07T11:08:29Z
last-modified: 2017-09-07T11:08:29Z
source: RIPE
abuse-mailbox: pivps.com@gmail.com
route: 151.106.0.0/19
descr: velia.net
origin: AS29066
notify: hostmaster@velia.net
mnt-by: FGK-MNT
created: 2017-11-03T11:55:17Z
last-modified: 2017-11-03T11:55:17Z
source: RIPE
Relationships
151.106.30.120 | Connected_From | 4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f
Description
This IP address is the hard-coded C2 the malware communicates with over port 443.
Relationship Summary
4cd7efdb1a... | Connected_To | 151.106.30.120
151.106.30.120 | Connected_From | 4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f
Recommendations
CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up-to-date.
- Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
- Enforce a strong password policy and implement regular password changes.
- Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
- Monitor users' web browsing habits; restrict access to sites with unfavorable content.
- Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
- Scan all software downloaded from the Internet prior to executing.
- Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".
Contact Information
CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/
Document FAQ
What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Central.
Can I submit malware to CISA? Malware samples can be submitted via three methods:
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.