AlienVault R&D Labs Portal. Get the latest news from our research.
Header

Yara rules for APT1/Comment Crew malware arsenal

February 20th, 2013 | Posted by jaime.blasco in APT | Attacks | Forensics | Malware - (Comments Off)

I’m sure all of you have heard about Mandiant’s APT1 report published yesterday. As many of you probably know we have been tracking and exposing this group for a long time as well as other individuals and companies in the security industry. A couple of examples are:

Win32/Coswid

Unveiling a spearphishing campaign and possible ramifications

During the last few years we have been producing content that we have used to track and detect Comment Crew’s artifacts such as Snort rules, Yara rules and IOCs. We have decided to publish some of this content and we’ve completed our information with the great intel Mandiant published.  The first package we are releasing is a set of 81 Yara rules that will help malware analysts and incident responders to detect, classify and track the malware arsenal used by Comment Crew.

Some of these rules have been built to specifically detect Comment Crew’s tools and others are more generic.

You can download the rules from here.

How can I use the rules?

The easiest way to use this content is installing Yara (http://code.google.com/p/yara-project/). Once installed you can use the cmd tool yara to  detect and classify files in your dataset. Example:

$ ../yara-1.6/yara apt1-2.yara files/
APT1_WEBC2_CLOVER files//01114c2b1212524c550bbae7b2bf9750aba70c7c98e2fda13970e05768d644cf
EclipseSunCloudRAT files//021b4ce5c4d9eb45ed016fe7d87abe745ea961b712a08ea4c6b1b81d791f1eca
APT1_TARSIP_ECLIPSE files//021b4ce5c4d9eb45ed016fe7d87abe745ea961b712a08ea4c6b1b81d791f1eca
APT1_WEBC2_Y21K files//02601a267fe980aed4db8ac29336f7ecf1e06f94e9ac0714e968b64586624898
APT1_WEBC2_CSON files//02601a267fe980aed4db8ac29336f7ecf1e06f94e9ac0714e968b64586624898
APT1_b64_cnc_commands files//02601a267fe980aed4db8ac29336f7ecf1e06f94e9ac0714e968b64586624898
APT1_WEBC2_Y21K files//060764506ad9134d5900fc0cd160fc14de80682f1861a3ef084c7c91a734881f
APT1_b64_cnc_commands files//060764506ad9134d5900fc0cd160fc14de80682f1861a3ef084c7c91a734881f
STARSYPOUND_APT1 files//082323fd0f3d24f8fe31895ad1246ae2116aee78d01be83a28c3cbb856541003
APT1_SY files//082323fd0f3d24f8fe31895ad1246ae2116aee78d01be83a28c3cbb856541003
APT1_WARP files//08af44d381df5250323cf196444aa90597f8049dad55712fe45e80b1a8d8cded
APT1_points files//08af44d381df5250323cf196444aa90597f8049dad55712fe45e80b1a8d8cded
APT1_readynewcmd files//0963ba541d56b9805713aa13d955b91f6bb875318698ba6119d5944d68c45afb
HACKSFASE2_APT1 files//0b9ca6fb32fcde1e6e55e8874982a2a921e73c6ebdf7246177fecf63542a4a83
ccrewSSLBack1 files//0b9ca6fb32fcde1e6e55e8874982a2a921e73c6ebdf7246177fecf63542a4a83
APT1_WEBC2_YAHOO files//0c50ddf7295d4ddfafae479e7c3ce21ca6416442c0c8c5e90aedbb3e583a8b20
APT1_uagent_iphone85 files//0c50ddf7295d4ddfafae479e7c3ce21ca6416442c0c8c5e90aedbb3e583a8b20
APT1_letusgo files//0c50ddf7295d4ddfafae479e7c3ce21ca6416442c0c8c5e90aedbb3e583a8b20
APT1_WEBC2_QBP files//0c8ad4824264dd09b3be02f462f968729bf7339438bf5fa69af9ca995353f6df
APT1_WEBC2_GREENCAT files//0e829513658a891006163ccbf24efc292e42cc291af85b957c1603733f0c99d4

On the other hand there are several projects and products that support Yara as a format. Here are some examples:

- JSUnpack

- Virustotal VTMIS

- Volatility, example of using the Yara plugin in Volatility

- Fireeye

We’ve reviewed the rules to minimize false positives but please send us your feedback and we will improve the Yara rules with that information.

Here is the complete list of Yara rules released:

LIGHTDART_APT1
AURIGA_APT1
AURIGA_driver_APT1
BANGAT_APT1
BISCUIT_GREENCAT_APT1
BOUNCER_APT1
BOUNCER_DLL_APT1
CALENDAR_APT1
COMBOS_APT1
DAIRY_APT1
GLOOXMAIL_APT1
GOGGLES_APT1
HACKSFASE1_APT1
HACKSFASE2_APT1
KURTON_APT1
LONGRUN_APT1
MACROMAIL_APT1
MANITSME_APT1
MINIASP_APT1
NEWSREELS_APT1
SEASALT_APT1
STARSYPOUND_APT1
SWORD_APT1
thequickbrow_APT1
TABMSGSQL_APT1
CCREWBACK1
TrojanCookies_CCREW
GEN_CCREW1
Elise
EclipseSunCloudRAT
MoonProject
ccrewDownloader1
ccrewDownloader2
ccrewMiniasp
ccrewSSLBack2
ccrewSSLBack3
ccrewSSLBack1
ccrewDownloader3
ccrewQAZ
metaxcd
MiniASP
DownloaderPossibleCCrew
APT1_MAPIGET
APT1_LIGHTBOLT
APT1_GETMAIL
APT1_GDOCUPLOAD
APT1_WEBC2_Y21K
APT1_WEBC2_YAHOO
APT1_WEBC2_UGX
APT1_WEBC2_TOCK
APT1_WEBC2_TABLE
APT1_WEBC2_RAVE
APT1_WEBC2_QBP
APT1_WEBC2_KT3
APT1_WEBC2_HEAD
APT1_WEBC2_GREENCAT
APT1_WEBC2_DIV
APT1_WEBC2_CSON
APT1_WEBC2_CLOVER
APT1_WEBC2_BOLID
APT1_WEBC2_ADSPACE
APT1_WEBC2_AUSOV
APT1_WARP
APT1_TARSIP_ECLIPSE
APT1_TARSIP_MOON
APT1_aspnetreport
APT1_Revird_svc
APT1_letusgo
APT1_dbg_mess
APT1_known_malicious_RARSilent

Update (02/22/2013): We have improved the ruleset, update to the latest version!

jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.

More Posts - Website

Follow Me:
TwitterLinkedIn

, , , ,

Your malware shall not fool us with those anti analysis tricks

November 5th, 2012 | Posted by Alberto Ortega in Forensics | General | Malware - (2 Comments)

It is well known that a big amount of malware samples are aware of the execution environment. This means that a malware sample can change his behavior if it detects that the running environment is unwanted.

There are resources, public source code, and even programs that detail how to bypass automatic malware analysis systems and make things awkward for malware researchers. Of course, these resources are quite useful for both researchers and malware developers.

We are going to take a look at some of these tricks, all found in real malware samples.

Also, just as they do, we have developed some yara signatures to detect these tricks that could be useful to differently process or classify these malware samples.

We could classify anti analysis tricks in three big groups:

- Anti Virtual Machine, that tries to detect if the execution environment is a known VM or emulator.
- Anti Debugging, that tries to detect if the program is running under the surveillance of a debugger.
- Anti Sandbox, that tries to detect known sandboxing products.

It is not unusual to find all kind of tricks in just one malware sample. For example, we can take a look at the sample 9255c75de8fbc20ee67f427397e1ef82:

Quickly we can find that it is looking for sbiedll.dll (to detect Sandboxie) and dbghelp.dll

It also opens the registry key HKLM\SYSTEM\ControlSet001\Services\Disk\Enum with value 0 to read the ID of the hard disk in the machine:

Then it is compared with these three strings (VIRTUAL, VMWARE, VBOX):

Finally, it opens the registry key HKLM\Software\Microsoft\Windows\CurrentVersion with value ProductId:

And checks it against these three known MS Windows products ID from different commercial sandboxes:

If we take a look at another sample (36527d5954bf3b2af60e6efa6398ccff), we will discover a canonical function to check this:

It checks the MS Windows product ID and if it is “76487-644-3177037-23510″, the function will return 1. Else, it will return 0. It also has the same function prototype to check keys “55274-640-2673064-23950″ and “76487-337-8429955-22614″.

This sample also uses MS Windows system functions to detect debugging.

It loads the function handler for IsDebuggerPresent using the function GetProcAddress() from kernel32.dll. Hey wait! And why not use IsDebuggerPresent() directly? Because it is noisy and easily detectable.

If it can not load the function or the function returns 0 (debugger not present), it will return 0. Else, it will return nonzero.

It also looks for files (SyserDbgMsg / SyserBoot) and (SICE / NTICE) using this function:

This trick is to detect both SyserDebugger and SoftICE debuggers.

As we said, we have published a ruleset of yara signatures to detect AntiVM, AntiDebugger and AntiSandbox procedures in malware samples. You can grab it in our GitHub repository here.

Alberto Ortega

More Posts

, , , , , ,

Georbot Botnet – A cyber espionage campaign against Georgian Government

October 31st, 2012 | Posted by jaime.blasco in APT | Attacks | Exploits | Forensics | IP Reputation | Malware | News | OTX | Snort - (Comments Off)

A few days ago, CERT-Georgia published a great report describing a cyber spionage campaign. ESET wrote a great report a few months ago as well. The report said the malware was found in Georgian Governmental Agencies including ministries, parliament, banks, ngo’s. The report also says the purpose of the malware was “Collecting Sensitive, Confidential Information about Georgian and American Security Documents” and it establishes a connection with Russian Official Security Agencies.

In this blog post we will offer a brief about the infection vectors as well as the malware behavior and we will share some IOC’s and signatures to detect the presence of the malware in your systems.

Infection method

To compromise the victims, the attackers placed javascript code or iframes into websites leading to exploit code.

The compromised website includes Georgian Government servers like ema.gov.ge. Other examples are:

- ema.gov.ge

- 31.214.140.214

- 178.32.91.70

- georgiaonline.xp3.biz

- 31.31.75.63

173.212.192.83

An example of a malicious javascript is as follow:

 

 

 

 

 

The malicious javascript present in frame.js/frame.php includes code that exploits several vulnerabilities including CVE-2010-0842,   CVE-2006-3730, MS06-057 and some Java exploits.

Examples of exploit codes found:

178.32.91.70 [/] modules[/]docs[/]newexp[.]jar https://www.virustotal.com/file/9bf88bf15ffa6888ec2a3bd9e8dc6d13b650f1122ca69cface9ccf777c32e259/analysis/

178.32.91.70 [/] modules[/]docs[/]Java-2010-0842[.]jar

https://www.virustotal.com/file/7a900cc7616cfbf2ca17350c436af2490621550ded3e29325dc31149db50c63d/analysis/

 

 

 

 

 

 

 

 

Once the exploit code is executed, the payload calc.exe that contains the malware is downloaded from the remote server.

The malware uses a custom packer to evade security security products. It also uses obfuscation to hide both the configuration values and the API calls.

The malware uses byte substraction operations to hide the strings including the configuration values:

 

 

 

 

 

 

 

 

 

 

 

After deobfuscation:

 

 

 

 

 

 

 

 

 

 

 

We can use the following Yara rule to detect the obfuscated binary:

rule GeorBotBinary
{
strings:
$a = {63 72 ?? 5F 30 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C}

condition:
all of them
}

Based on the deofuscated strings we can also write a Yara rule to detect the presence of the malware in memory:

rule GeorBotMemory
{
strings:
$a = {53 4F 46 54 57 41 52 45 5C 00 4D 69 63 72 6F 73 6F 66 74 5C 00 57 69 6E 64 6F 77 73 5C 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 00 52 75 6E 00 55 53 42 53 45 52 56}
$b = {73 79 73 74 65 6D 33 32 5C 75 73 62 73 65 72 76 2E 65 78 65}
$c = {5C 75 73 62 73 65 72 76 2E 65 78 65}
condition:
$a and ($b or $c)
}

We use both the registry key used to maintain persistence and the executable name that the malware creates on the system (in version >=5 of the malware those values are stored on wide strings).

If we have a memory image of a system we can use Volatility to look for processes matching our Yara rule:

$ python vol.py -f /Users/jaime/tmp/geor.img yarascan -y GeorBotMemory.yara
Volatile Systems Volatility Framework 2.1_alpha

Rule: GeorBotMemory
Owner: Process 833bd8e9fdf6f18 Pid 368
0x004055b3 53 4f 46 54 57 41 52 45 5c 00 4d 69 63 72 6f 73 SOFTWARE\.Micros
0x004055c3 6f 66 74 5c 00 57 69 6e 64 6f 77 73 5c 43 75 72 oft\.Windows\Cur
0x004055d3 72 65 6e 74 56 65 72 73 69 6f 6e 5c 00 52 75 6e rentVersion\.Run
0x004055e3 00 55 53 42 53 45 52 56 00 2e 64 6f 63 00 2e 78 .USBSERV..doc..x
Rule: GeorBotMemory
Owner: Process 833bd8e9fdf6f18 Pid 368
0x004059a6 73 79 73 74 65 6d 33 32 5c 75 73 62 73 65 72 76 system32\usbserv
0x004059b6 2e 65 78 65 00 43 3a 5c 57 49 4e 44 4f 57 53 5c .exe.C:\WINDOWS\
0x004059c6 73 79 73 74 65 6d 33 32 5c 75 73 62 63 6c 69 65 system32\usbclie
0x004059d6 6e 74 2e 65 78 65 00 43 3a 5c 57 49 4e 44 4f 57 nt.exe.C:\WINDOW
Rule: GeorBotMemory
Owner: Process 833bd8e9fdf6f18 Pid 368
0x004059ae 5c 75 73 62 73 65 72 76 2e 65 78 65 00 43 3a 5c \usbserv.exe.C:\
0x004059be 57 49 4e 44 4f 57 53 5c 73 79 73 74 65 6d 33 32 WINDOWS\system32
0x004059ce 5c 75 73 62 63 6c 69 65 6e 74 2e 65 78 65 00 43 \usbclient.exe.C
0x004059de 3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65 6d :\WINDOWS\system

Network traffic

The malware uses HTTP to communicate with the C&C server. It contains several commands to upload and retrieve information from the victim. It also looks for malware updates every once in a while. In early versions the update version was requested from /modules/docs/upload/calc.exe on the C&C server.

 

 

 

 

 

In newer versions the malware performs a request to /calc.php and the server sends base64 encode content (it can be done using content from different servers at the same time).

 

 

 

 

 

 

 

When the malware starts it sends the following request to the C&C:

 

 

 

 

 

Every minute it sends the following HTTP request to the C&C to ask for instructions:

 

 

 

 

In newer versions the parameter “cam” was also introduced that tells the C&C whether the infected system has a webcam.

/index312.php?ver=5.1&cam=0&p=cert123&id=401acd00

You can use the following snort to detect the presence of this malware in your network:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”ET MALWARE Georbot requesting update”; flow: to_server,established; content:”/modules/docs/upload/calc.exe”; http_uri; classtype:trojan-activity; sid:1111111112; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”ET MALWARE Georbot initial checkin”; flow: to_server,established; content:”POST”; http_method; nocase; content:”.php?ver=”; http_uri; content:”&p=cert123″; fast_pattern; http_uri; content:”&id=”; http_uri; classtype:trojan-activity; sid:1111111113; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”ET MALWARE Georbot checkin”; flow: to_server,established; content:”.php?ver=”; http_uri; content:”&p=bot123″; fast_pattern; http_uri; content:”&id=”; http_uri; classtype:trojan-activity; sid:1111111114; rev:1;)

Emerging Threats Pro has coverage for previous versions (see “ETPRO TROJAN TDSS.xcn”) but the rules I posted will work with newer versions of the malware as well.

Based on the behavior of the malware we wrote this OpenIOC rule:

 

 

 

 

 

 

You can download all the content from this blog post on the following url:

https://github.com/jaimeblasco/AlienvaultLabs/tree/master/malware_analysis/Georbot

Happy Halloween!

 

jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.

More Posts - Website

Follow Me:
TwitterLinkedIn

, , , , , ,