WinntiPolymorphism

TakahiroHaruyama

Symantec

WhoamI?

•  TakahiroHaruyama(@cci_forensics)

•  ReverseEngineeratSymantec

– ManagedAdversaryandThreatIntelligence(MATI)

•  https://www.symantec.com/services/cyber-security-services/

deepsight-intelligence/adversary

•  Speaker–  BlackHatBriefingsUSA/EU/Asia,SANSDFIRSummit,

CEIC,DFRWSEU,SECURE,FIRST,RSAConferenceJP,

etc…

2

Motivation

•  WinntiismalwareusedbyChinesethreatactorfor

cybercrimeandcyberespionagesince2009

•  KasperskyandNovettapublishedgoodwhitepapers

aboutWinnti[1][2]

•  Winntiisstillactiveandchanging

–  Variantswhosebehaviorisdifferentfrompastreports

–  Targetsexceptgameandpharmaceuticalindustries

•  I’dliketofillthegaps3

Agenda

•  WinntiComponentsandBinaries

•  GettingTargetInformationfromWinnti

Samples

•  Wrap-up

4

WinntiComponentsandBinaries

5

WinntiExecutionFlow

6

Dropper Engine

2. run 3. load& run

Servicewithconfig

Workerwithconfig(encrypted)

1. drop

5. load

memory-resident or omitted

4. decrypt& run

rootkitdriversC2server

6. connect to C2

NewFindings

7

Dropper Engine

othermalwarefamily

2. run 3. load& run

Servicewithconfig

Workerwithconfig(encrypted)

1. drop

5. load

decrypt & run(rare samples only)

memory-resident or omitted

or file

clientmalware?onothermachines

4. decrypt& run

rootkitdriversC2server

6. connect to C2

connectedthroughcovert

channel

SMTPsupported

DropperComponent

•  extractothercomponentsfrominlineDES-protectedblob

–  thedroppedcomponentsare

•  serviceandworker

•  additionallyenginewithothermalwarefamily(butthatisrare)

–  thepasswordispassedfromcommandlineargument

–  Somesamplesadddropper’sconfigurationintotheoverlaysofthe

components

•  runservicecomponent

–  /rundll32.exe"%s",\w+%s/

–  theexportfunctionnameoftenchanges

•  Install,DlgProc,gzopen_r,Init,sql_init,sqlite3_backup_deinit,etc...

8

ServiceComponent

•  loadenginecomponentfrominlineblob

–  thevaluesinPEheaderareeliminated

•  e.g.,MZ/PEsignatures,machinearchitecture,

NumberOfRvaAndSizes,etc...

•  callengine’sexportfunctions–  somevariantsusetheAPIhashes

•  e.g.,0x0C148B03="Install”,0x3013465F="DeleteF"

9

EngineComponent •  memory-resident

–  somesamplesaresavedasfileswiththesame

encryptionofworkercomponent

•  exportfunctionnames

–  Install,DeleteF,andWorkmain

•  trytobypassUACdialogthencreateservice

•  decrypt/runworkercomponent

–  PEheadervalueseliminated,1bytexor&nibbleswap

10

WorkerComponent

•  exportfunctionnames

–  work_start,work_end

•  pluginmanagement

–  thepluginsarecachedondiskormemory-resident

•  supportedC2protocols

–  TCP=header+LZMA-compressedpayload

–  HTTP,HTTPS=zlib-compressedpayloadasPOSTdata

–  SMTP11

SMTPWorkerComponent

•  SomeworkercomponentssupportSMTP

–  theconfigcontainsemailaddressesandmoreobfuscated

(incrementalxor+dwordxor)

•  Publiccodeisreused

–  TheoldcodelookscopiedfromPRC-basedMandarin-language

programmingandcodesharingforum[3]

•  Thehard-codedsenderemailandpasswordare"attach_111@sina.com"and

"test123456”

–  ThenewcodelookssimilartotheonedistributedinCodeProject[4]

•  STARTTLSisnewlysupportedtoencrypttheSMTPtraffic

12

SMTPWorkerComponent(Cont.)

fordecryptingeachmember

QQMail[5]accountisused

forsending

recipientemailaddresses

13

VSECVariant[6] •  TwomaindifferencescomparedwithNovettavariant

[2]

–  noenginecomponent

•  servicecomponentdirectlycallsworkercomponent

–  worker’sexportfunctionnameis“DllUnregisterServer”

•  takesimmediatevaluesaccordingtothefunctions

–  e.g.,0x201401=deletefile,0x201402=dll/codeinjection,0x201404=runinlinemainDLL

•  recentlymoreactivethanNovettavariant?

14

VSECVariant(Cont.)

•  uniquepersistence

–  SomesamplesmodifyIAT

oflegitimatewindowsdlls

toloadservicecomponent

–  thetargetdllnameis

includedinthe

configuration

•  e.g.,wbemcomn.dll,

loadperf.dll

worker

infected

Windowsdll

service

15

WinntiasaLoader

•  Someenginecomponents

embedsothermalware

familylikeGh0stand

PlugX

–  theconfigurationisencryptedbyWinntiand

themalwarealgorithm

–  theconfigmembersare

themalwarespecific+

Winntistrings

Winnti-relatedmembers 16

RelatedKernelDrivers

•  Kernelrootkitdriversareincludedinworker

components

–  hidingTCPconnections

•  ThesamedriverisalsousedbyDerusbi[7]

– makingcovertchannelswithotherclientmachines

•  ThebehaviorissimilartoWFPcalloutdriverofDerusbi

servervariant[8]buttheimplementationisdifferent

17

RelatedKernelDrivers(Cont.)

•  TherootkithooksTCPIPNetworkDeviceInterfaceSpecification

(NDIS)protocolhandlers

–  interceptsincomingTCPpacketsthenforwardtoworkerDLL

WorkerDLLwithconfig

therootkitdriver(DKOMused,names/pathsnullfied)

NDIS_OPEN_BLOCK

IRP_MJ_DEVICE_CONTROLReceiveNetBufferLists and ProtSendNetBufferListsComplete

NDIS_PROTOCOL_BLOCK

BindAdapterHandlerEx and NetPnPEventHandler

\\Device\\NullClient

Malware

(0) install hooks

(1) sendpacket

(2) save TCP & special format

packets

install hooks againeverytime net config

changes

packetbuffers

TCPIP protocol handlers

(3) read & write to user buffer

dword 1 dword 3dword 2 dword 4dword2 !=0 && dword4 == (dword1 ^ dword3) << 0x10

The packet header

18

RelatedAttackTools

•  bootkitfoundbyKasperskywhentrackingWinntiactivity[9]

•  “skeletonkey”topatchonavictim'sADdomaincontrollers[10]

•  custompassworddumptool(exeordll)

–  SomesamplesareprotectedbyVMProtectoruniquexororAES

–  thesameAPIhashcalculationalgorithmused(functionname=“main_exp”)

•  PEloader

–  decryptandrunafilespecifiedbythecommandlineargument

•  *((_BYTE*)buf_for_cmdline_file+offset)^=7*offset+90;

19

GettingTargetInformationfromWinntiSamples

fromKasperskyblog[11]

20

TwoSourcesabouttheTargets

•  campaignIDfromconfigurationdata

–  targetorganization/countryname

•  stolencertificatefromrootkitdrivers

–  already-compromisedtargetname

•  Icheckedover170Winntisamples

– Whichindustryistargetedbytheactor,exceptgame

andpharmaones?

21

ExtractionStrategy

•  regularlycollectsamplesfromVT/Symcbyusingdetectionnameoryara

rules

•  trytocracktheDESpasswordifthesampleisdroppercomponent

–  orjustdecrypttheconfigifpossible

•  runconfig/workerdecoderforservice/workercomponents

–  campaignIDsareincludedinworkerratherthanservice

•  extractdriversfromworkercomponentsthencheckthecertificates

•  excludethefollowinginformation

–  notidentifiablecampaignID(e.g.,“a1031066”,“taka1100”)

–  already-knowninformationbypublicblogs/papers

22

ExtractionStrategy(Cont.)

•  automation

–  config/workerdecoder(stand-alone)

•  decryptconfigdataandworkercomponentifdetected

•  additionallydecryptforPlugXloaderorSMTPworkervariants

–  dropperpasswordbruteforcescript(IDAPythonorstand-alone)

campaignID

23

ExtractionStrategy(Cont.)

•  double-checkcampaignIDsbyusingVTsubmissionmetadata

–  thecompanyhasitsHQorbranchofficeinthesubmittedcountry/

city?

•  e.g.,theIDmeans2possiblecompaniesindifferentindustries

–  Thesubmissioncityhelpstoidentifythecompany

VTsubmissionmetadatadecryptedconfig 24

ResultaboutCampaignID

•  only27%samplescontainedconfigs!

– Mostofthemareservicecomponents

•  servicecomponentsusuallycontainsjustpathinformation

–  difficulttocollectdropper/workercomponentsby

detectionname

•  Yararetro-huntcansearchsampleswithinonly3weeks

•  19uniquecampaignIDsfound

–  12IDswereidentifiableandnotopen

25

ResultaboutCampaignID(Cont.)1stseenyearfromVTmetadata

submissioncountry/cityfromVTmetadata

Industry

2014 Russia/Moscow InternetInformationProvider?(typo)

2015 China/Shenzhen University?(notsure)

2015 SouthKorea/Seongnam-si Game

2015 SouthKorea/Seongnam-si Game

2015 SouthKorea/Seongnam-si Game

2016 Japan/Chiyoda Chemicals

2016 Vietnam/Hanoi InternetInformationProvider,E-

commerce,Game

2016 SouthKorea/Seoul InvestmentManagementFirm

2016 SouthKorea/Seongnam-si Anti-VirusSoftware

2016 USA/Bellevue Game

2016 Australia/Adelaide IT,Electronics

2016 USA/Milpitas Telecommunications 26

ResultaboutCertificate

•  12uniquecertificatesfoundbutmostofthemareknownin

[1][12]

•  4certificatesarenotopen–  OneofthemissignedbyanelectronicscompanyinTaiwan

–  Theothersarecertificatesofchinesecompanies

•  "GuangxiNanningShengtai'anE-BusinessDevelopmentCO.LTD",

"BEIJINGKUNLUNONLINENETWORKTECHCO.,LTD","�优���传��责���"

–  I’mnotsureiftheywerestolenornot

•  Oneisaprimarydistributorofunwantedsoftware?[13]

27

Wrap-up

28

Wrap-up

•  Winntimalwareispolymorphic,but

–  Thevariantsandtoolshavecommoncodes

•  e.g.,config/binaryencryption,APIhashcalculation

–  SomedriverimplementationsareidenticalorsimilartoDerusbi’sones

•  TodayWinntithreatactor(s?)targetsatchemical,e-commerce,

investmentmanagementfirm,electronicsand

telecommunicationscompanies

–  Gamecompaniesarestilltargeted

•  Symantectelemetryshowstheyarejustalittlebitoftargets!

29

Reference 1.  http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-

game-130410.pdf

2.  https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf

3.  http://blog.csdn.net/lishuhuakai/article/details/27852009

4.  http://www.codeproject.com/Articles/28806/SMTP-Client

5.  https://en.mail.qq.com/ 6.  http://blog.vsec.com.vn/apt/initial-winnti-analysis-against-vietnam-game-company.html

7.  https://assets.documentcloud.org/documents/2084641/crowdstrike-deep-panda-report.pdf

8.  https://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf

9.  https://securelist.com/analysis/publications/72275/i-am-hdroot-part-1/

10.  https://www.symantec.com/connect/blogs/backdoorwinnti-attackers-have-skeleton-their-closet

11.  https://securelist.com/blog/incidents/70991/games-are-over/

12.  http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family

13.  https://www.herdprotect.com/signer-guangxi-nanning-shengtaian-e-business-development-

coltd-1eb0f4d821e239ba81b3d10e61b7615b.aspx

30