Winnti Polymorphism
Takahiro Haruyama
Symantec

Who am I?
• Takahiro Haruyama (@cci_forensics)
• Reverse Engineer at Symantec
– Managed Adversary and Threat Intelligence (MATI)
• https://www.symantec.com/services/cyber-security-services/deepsight-intelligence/adversary
• Speaker – Black Hat Briefings USA/EU/Asia, SANS DFIR Summit, CEIC, DFRWS EU, SECURE, FIRST, RSA Conference JP, etc…
Motivation
• Winnti is malware used by a Chinese threat actor for cybercrime and cyber espionage since 2009
• Kaspersky and Novetta published good whitepapers about Winnti [1][2]
• Winnti is still active and changing
– Variants whose behavior is different from past reports
– Targets other than the game and pharmaceutical industries
• I’d like to fill the gaps
Agenda
• Winnti Components and Binaries
• Getting Target Information from Winnti Samples
• Wrap-up
Winnti Components and Binaries

Winnti Execution Flow
[Diagram: Winnti execution flow]
1. The dropper drops the service (with config) and the worker (with config, encrypted)
2. The dropper runs the service
3. The service loads & runs the engine (memory-resident or omitted)
4. The engine decrypts & runs the worker
5. The worker loads the rootkit drivers
6. The worker connects to the C2 server
New Findings
[Diagram: the same execution flow with the new findings marked]
– The engine may embed another malware family
– The engine is decrypted & run from a file in rare samples only (otherwise memory-resident or omitted)
– The rootkit drivers are connected through a covert channel to client malware? on other machines
– SMTP is supported for the C2 connection
Dropper Component
• extract other components from inline DES-protected blob
– the dropped components are
• service and worker
• additionally engine with other malware family (but that is rare)
– the password is passed as a command line argument
– Some samples add dropper’s configuration into the overlays of the components
• run service component
– /rundll32.exe "%s",\w+ %s/
– the export function name often changes
• Install, DlgProc, gzopen_r, Init, sql_init, sqlite3_backup_deinit, etc...
Service Component
• load engine component from inline blob
– the values in PE header are eliminated
• e.g., MZ/PE signatures, machine architecture, NumberOfRvaAndSizes, etc...
• call engine’s export functions – some variants use the API hashes
• e.g., 0x0C148B03 = "Install”, 0x3013465F = "DeleteF"
Engine Component
• memory-resident
– some samples are saved as files with the same encryption as the worker component
• export function names
– Install, DeleteF, and Workmain
• try to bypass UAC dialog then create service
• decrypt/run worker component
– PE header values eliminated, 1 byte xor & nibble swap
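The worker decryption described above (1-byte xor + nibble swap) and the eliminated PE header values mentioned on the service component slide, as an added Python decoder that is not part of the deck or of any Winnti tooling. The blob layout, the 0x5A key in the fixture and the use of the DOS stub string as the known-plaintext check are assumptions made here; the xor/swap order does not need to be known, because the swap is a bit permutation and the two orders only differ in the key value.

```python
import struct

DOS_STUB = b"This program cannot be run in DOS mode"

def nibble_swap(b: int) -> int:
    """Swap the high and low nibbles of one byte (its own inverse)."""
    return ((b << 4) | (b >> 4)) & 0xFF

def decode_worker(blob: bytes, key: int) -> bytes:
    """Undo the 1-byte XOR + nibble swap. The deck does not say which step the
    engine applies first, but swap(b ^ k) == swap(b) ^ swap(k), so trying all
    256 keys with this one order covers both possibilities."""
    return bytes(nibble_swap(b) ^ key for b in blob)

def find_key(blob: bytes):
    """Brute-force the key. MZ/PE signatures were eliminated, so the DOS stub
    text is used as the known plaintext instead of the headers (assumption)."""
    for key in range(256):
        cand = decode_worker(blob, key)
        if DOS_STUB in cand:
            return key, cand
    return None

def restore_signatures(img: bytes) -> bytes:
    """Put back the MZ and PE signatures. Machine and NumberOfRvaAndSizes are
    eliminated too according to the deck; they depend on the target
    architecture and are left for the analyst to fill in."""
    buf = bytearray(img)
    buf[0:2] = b"MZ"
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 4 > len(buf):
        raise ValueError("e_lfanew points outside the image")
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(buf)

def make_sample(key: int = 0x5A) -> bytes:
    """Constructed fixture (not a real Winnti worker): a DOS header with the
    signatures zeroed, e_lfanew = 0x80 and the stub text, encoded with the
    exact inverse of decode_worker."""
    plain = bytearray(0x88)                    # 0x80 DOS header + 8 bytes of PE header
    struct.pack_into("<I", plain, 0x3C, 0x80)  # e_lfanew
    plain[0x40:0x40 + len(DOS_STUB)] = DOS_STUB
    return bytes(nibble_swap(b ^ key) for b in plain)

if __name__ == "__main__":
    key, img = find_key(make_sample())
    print(f"key=0x{key:02X}", restore_signatures(img)[:2])
```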
Worker Component
• export function names
– work_start, work_end
• plugin management
– the plugins are cached on disk or memory-resident
• supported C2 protocols
– TCP = header + LZMA-compressed payload
– HTTP, HTTPS = zlib-compressed payload as POST data
– SMTP
SMTP Worker Component
• Some worker components support SMTP
– the config contains email addresses and is more obfuscated (incremental xor + dword xor)
• Public code is reused
– The old code looks copied from a PRC-based Mandarin-language programming and code sharing forum [3]
• The hard-coded sender email and password are "[email protected]" and "test123456”
– The new code looks similar to the one distributed in CodeProject [4]
• STARTTLS is newly supported to encrypt the SMTP traffic
SMTP Worker Component (Cont.)
[Figure: decrypted SMTP worker config, annotated with what is used for decrypting each member, the QQ Mail [5] account used for sending, and the recipient email addresses]
VSEC Variant [6]
• Two main differences compared with Novetta variant [2]
– no engine component
• service component directly calls worker component
– worker’s export function name is “DllUnregisterServer”
• takes immediate values according to the functions
– e.g., 0x201401 = delete file, 0x201402 = dll/code injection, 0x201404 = run inline main DLL
• recently more active than Novetta variant?
VSEC Variant (Cont.)
• unique persistence
– Some samples modify the IAT of legitimate Windows DLLs to load the service component
– the target DLL name is included in the configuration
• e.g., wbemcomn.dll, loadperf.dll
[Diagram: the infected Windows DLL loads the service component, which loads the worker]
Winnti as a Loader
• Some engine components embed other malware families like Gh0st and PlugX
– the configuration is encrypted by Winnti and the embedded malware’s own algorithm
– the config members are the malware-specific ones + Winnti strings
[Figure: decrypted configuration with the Winnti-related members highlighted]
Related Kernel Drivers
• Kernel rootkit drivers are included in worker components
– hiding TCP connections
• The same driver is also used by Derusbi [7]
– making covert channels with other client machines
• The behavior is similar to the WFP callout driver of the Derusbi server variant [8] but the implementation is different
Related Kernel Drivers (Cont.)
• The rootkit hooks TCPIP Network Device Interface Specification (NDIS) protocol handlers
– intercepts incoming TCP packets then forwards them to the worker DLL
[Diagram: worker DLL (with config), the rootkit driver (DKOM used, names/paths nullified), and the hooked TCPIP protocol handlers]
– (0) install hooks: ReceiveNetBufferLists and ProtSendNetBufferListsComplete in NDIS_OPEN_BLOCK, BindAdapterHandlerEx and NetPnPEventHandler in NDIS_PROTOCOL_BLOCK; the hooks are installed again every time the net config changes
– (1) malware sends a packet
– (2) the driver saves TCP & special format packets into packet buffers
– (3) the worker DLL reads & writes the user buffer, talking to the driver through \\Device\\NullClient with IRP_MJ_DEVICE_CONTROL
– The packet header is four dwords (dword1, dword2, dword3, dword4), recognized by: dword2 != 0 && dword4 == (dword1 ^ dword3) << 0x10
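The packet header test above, turned into detection logic a network sensor could run on the first payload bytes of each TCP flow. This is an added example, not code from the deck or from Derusbi/Winnti analysis tooling; the little-endian dword layout, the 32-bit truncation of the shift and the sample flows are assumptions and constructed data.

```python
import struct

HEADER_LEN = 16  # dword1..dword4

def is_covert_header(payload: bytes) -> bool:
    """Apply the rootkit's marker test to the first four dwords of a TCP payload:
    dword2 != 0 && dword4 == (dword1 ^ dword3) << 0x10. Dword math is 32-bit,
    so the shifted value is truncated; little-endian layout is an assumption."""
    if len(payload) < HEADER_LEN:
        return False
    d1, d2, d3, d4 = struct.unpack_from("<4I", payload)
    return d2 != 0 and d4 == ((d1 ^ d3) << 0x10) & 0xFFFFFFFF

def flag_flows(flows):
    """flows: iterable of (src, dst, first_payload_bytes). Returns (src, dst)
    for every flow whose first segment carries the marker; a sensor that
    reassembles TCP would feed it the first 16 payload bytes of each new flow."""
    return [(src, dst) for src, dst, payload in flows if is_covert_header(payload)]

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    # matches: dword2 != 0 and dword4 == (0x1234 ^ 0x0001) << 16 == 0x12350000
    ("10.0.0.5:49152", "10.0.0.9:443",
     struct.pack("<4I", 0x1234, 0xDEADBEEF, 0x0001, 0x12350000) + b"payload"),
    # dword2 == 0: the driver would ignore it, so the detector does too
    ("10.0.0.5:49153", "10.0.0.9:443",
     struct.pack("<4I", 0x1234, 0, 0x0001, 0x12350000) + b"payload"),
    # high bits of (dword1 ^ dword3) fall off the 32-bit shift, so dword4 is 0
    ("10.0.0.6:50000", "10.0.0.9:8080",
     struct.pack("<4I", 0xFFFF0000, 1, 0, 0) + b"payload"),
    # ordinary HTTP request, no marker
    ("10.0.0.7:50001", "10.0.0.9:80", b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
]

if __name__ == "__main__":
    for src, dst in flag_flows(SAMPLE_FLOWS):
        print(f"Winnti covert-channel header: {src} -> {dst}")
```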
Related Attack Tools
• bootkit found by Kaspersky when tracking Winnti activity [9]
• “skeleton key” to patch a victim's AD domain controllers [10]
• custom password dump tool (exe or dll)
– Some samples are protected by VMProtect or unique xor or AES
– the same API hash calculation algorithm is used (function name = “main_exp”)
• PE loader
– decrypt and run a file specified by the command line argument
• *((_BYTE *)buf_for_cmdline_file + offset) ^= 7 * offset + 90;
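The PE loader's per-offset XOR, as an added Python decoder for analysts (not code from the deck); the assumption that the decoded file is a normal PE comes from the "decrypt and run a file" description, and the fixture is constructed here.

```python
import struct

def decode_loader_file(buf: bytes) -> bytes:
    """Reverse *((_BYTE *)buf + offset) ^= 7 * offset + 90. The destination is
    one byte, so the key stream is (7 * offset + 90) mod 256; XOR is its own
    inverse, so the same routine encodes and decodes."""
    return bytes(b ^ ((7 * off + 90) & 0xFF) for off, b in enumerate(buf))

def looks_like_pe(img: bytes) -> bool:
    """Plausibility check for a decoded buffer: MZ at offset 0 and a PE
    signature at e_lfanew (the loader's input is assumed to be a complete PE,
    unlike the header-stripped engine/worker blobs)."""
    if len(img) < 0x40 or img[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    return img[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def make_encoded_sample() -> bytes:
    """Constructed fixture: a minimal MZ/PE skeleton run through the XOR."""
    plain = bytearray(0x44)
    plain[:2] = b"MZ"
    struct.pack_into("<I", plain, 0x3C, 0x40)  # e_lfanew
    plain[0x40:0x44] = b"PE\0\0"
    return decode_loader_file(bytes(plain))    # symmetric, so this encodes

if __name__ == "__main__":
    enc = make_encoded_sample()
    print(looks_like_pe(enc), looks_like_pe(decode_loader_file(enc)))
```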
Getting Target Information from Winnti Samples
(image from Kaspersky blog [11])
Two Sources about the Targets
• campaign ID from configuration data
– target organization/country name
• stolen certificate from rootkit drivers
– already-compromised target name
• I checked over 170 Winnti samples
– Which industries are targeted by the actor, other than game and pharma ones?
Extraction Strategy
• regularly collect samples from VT/Symc by using detection name or yara rules
• try to crack the DES password if the sample is a dropper component
– or just decrypt the config if possible
• run config/worker decoder for service/worker components
– campaign IDs are included in worker rather than service
• extract drivers from worker components then check the certificates
• exclude the following information
– not identifiable campaign IDs (e.g., “a1031066”, “taka1100”)
– already-known information from public blogs/papers
Extraction Strategy (Cont.)
• automation
– config/worker decoder (stand-alone)
• decrypt config data and worker component if detected
• additionally decrypt for PlugX loader or SMTP worker variants
– dropper password brute force script (IDAPython or stand-alone)
[Figure: decoder output with the campaign ID highlighted]
Extraction Strategy (Cont.)
• double-check campaign IDs by using VT submission metadata
– does the company have its HQ or a branch office in the submitted country/city?
• e.g., the ID could mean 2 possible companies in different industries
– The submission city helps to identify the company
[Figure: VT submission metadata beside the decrypted config]
Result about Campaign ID
• only 27% of samples contained configs!
– Most of them are service components
• service components usually contain just path information
– difficult to collect dropper/worker components by detection name
• Yara retro-hunt can search samples within only 3 weeks
• 19 unique campaign IDs found
– 12 IDs were identifiable and not open
Result about Campaign ID (Cont.)
1st seen year (VT metadata)  Submission country/city (VT metadata)  Industry
2014  Russia / Moscow             Internet Information Provider? (typo)
2015  China / Shenzhen            University? (not sure)
2015  South Korea / Seongnam-si   Game
2015  South Korea / Seongnam-si   Game
2015  South Korea / Seongnam-si   Game
2016  Japan / Chiyoda             Chemicals
2016  Vietnam / Hanoi             Internet Information Provider, E-commerce, Game
2016  South Korea / Seoul         Investment Management Firm
2016  South Korea / Seongnam-si   Anti-Virus Software
2016  USA / Bellevue              Game
2016  Australia / Adelaide        IT, Electronics
2016  USA / Milpitas              Telecommunications
Result about Certificate
• 12 unique certificates found but most of them are known in [1][12]
• 4 certificates are not open
– One of them is signed by an electronics company in Taiwan
– The others are certificates of Chinese companies
• "Guangxi Nanning Shengtai'an E-Business Development CO. LTD", "BEIJING KUNLUN ONLINE NETWORK TECH CO., LTD", and a third company whose Chinese-language name did not survive extraction
– I’m not sure if they were stolen or not
• One is a primary distributor of unwanted software? [13]
Wrap-up
• Winnti malware is polymorphic, but
– The variants and tools have common code
• e.g., config/binary encryption, API hash calculation
– Some driver implementations are identical or similar to Derusbi’s ones
• Today the Winnti threat actor(s?) targets chemical, e-commerce, investment management, electronics and telecommunications companies
– Game companies are still targeted
• Symantec telemetry shows these are just a small fraction of the targets!
References
1. http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf
2. https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf
3. http://blog.csdn.net/lishuhuakai/article/details/27852009
4. http://www.codeproject.com/Articles/28806/SMTP-Client
5. https://en.mail.qq.com/
6. http://blog.vsec.com.vn/apt/initial-winnti-analysis-against-vietnam-game-company.html
7. https://assets.documentcloud.org/documents/2084641/crowdstrike-deep-panda-report.pdf
8. https://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf
9. https://securelist.com/analysis/publications/72275/i-am-hdroot-part-1/
10. https://www.symantec.com/connect/blogs/backdoorwinnti-attackers-have-skeleton-their-closet
11. https://securelist.com/blog/incidents/70991/games-are-over/
12. http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family
13. https://www.herdprotect.com/signer-guangxi-nanning-shengtaian-e-business-development-coltd-1eb0f4d821e239ba81b3d10e61b7615b.aspx