
Cool. Thank you everyone for staying with us all day. Now we have Sadia Bashir; she is a senior malware researcher at Ebryx, and today she will be discussing, I would say, a continuation of what Ahmad and Hassan discussed with us: how you track all the malware predictors and how you do the analysis as well. She will be discussing in more detail "Deciphering Infostealers: From Static Analysis to Automated IOC Extraction", and I think she will answer a lot of the questions people are asking in Discord as well: what is static analysis and how you
do automatic extraction as well. So, over to you, Sadia. Assalamu alaikum everybody, hello everyone. This is Sadia Bashir. I've been working as a senior malware researcher at Ebryx for the past three years, and I'm here today to discuss my insights into an infostealer I've been analyzing in the past few months. The outline goes: first I will give a short background about infostealers, what they are, why they are in such a boom nowadays, and how they work. Today's target is the Vidar infostealer; I'll be discussing its behavior, and then I'll be digging down into it with IDA Pro and statically reverse engineering it,
and finally I'll try to show how automation works with it, what IDA Python for automation is and how it is applied to malware. I'll be presenting in the native language, targeting a Pakistani audience. What infostealers are: basically a trojan that is designed to steal sensitive and confidential user data to make money; its motive is to make money. Supply chain: it is sold as malware-as-a-service on underground hacking forums; malware authors sell it on underground forums, and when it has infected a system it sends the stolen data back to the C2 server. That stolen data is again sold on the deep/dark
web, for example partnered marketing, botnet markets, hacking forums, etc. Later it is distributed by phishing campaigns, spam emails, advertising, or even exploit kits and software exploits; software bundle packages or keygens can also be used to distribute it. Targeted information: they steal data from different applications installed on the victim machine, for example Authy, which is used for 2FA authentication, Telegram; it can steal Discord credentials, VPNs; it can target FTP clients, gaming engines; and it steals all the data stored in whatever browser is installed on the user's machine. They can even steal your social media account
information, like Facebook, Twitter, etc., and any advertisement-related data stored there can be stolen. It can also steal credit card information, cryptocurrency wallets, and personally identifiable information. Consequences: obviously it's a privacy violation; if your credit card data is stolen then your account can be compromised and money could be stolen from there; if your email ID is compromised it can be used to send spam emails; and if SSH accounts are compromised they can be used as proxies in various cyber attacks by cyber criminals. What the Vidar infostealer is and what its specifications are: it's written in C++
and has been active since October 2018. It's sold as malware-as-a-service on underground hacking forums, and its stolen logs are widely traded on the deep/dark web. It is distributed as spam email, cracked versions of commercial software, and keygen programs. It's flexible in its operations, meaning it can have multiple modules based upon the configuration it downloads from the C2 server; that's why it's flexible in its operation. It is the first to grab information on 2FA software and Tor browsers. It usually comes packed with an unknown loader to prevent analysis. The sample I'm discussing today
first contains encrypted strings, which are decrypted; it then loads the required libraries, resolves API calls dynamically, performs some environment and emulation checks, then grabs configuration from the C2 server, collects logs, tries to exfiltrate the data, and finally removes itself. Now, hands-on, we'll reverse it in IDA Pro. I have opened it up; this is the example here. The unpacked sample is already loaded; as the unpacking process is a bit hectic, I've already unpacked it and loaded it. First I'll check the process a bit statically.
We can see there are some base64-encoded strings; there are many base64-encoded strings, so I assume basically
so if I base64-decode it, though, I can't see plain text in it; it means it's using some sort of encryption algorithm, so first I'll try to search for what algorithm it's using.
The main method, or main routine.
This routine is possibly decrypting and decoding base64-encoded strings, and it also seems to contain this string, which seems to be a key, and this is a domain. Later, this routine seems to be performing decoding. Why is that so? Because if I decompile it, we can see this is taking a base64-encoded string as an argument. If I go back,
so if I decompile it I can see it's taking a1 as the parameter. There are a few routines that are processing this parameter; this routine seems to be performing just normal string-related operations. Both of these routines are maybe copying: this was the key, it's copying it into this variable, and this is the encrypted string which is being copied here. Let me see what this is doing; it's also taking the encrypted string. So if I look into this variable, this routine seems to be performing some bit shifting. Based upon this loop and these, it seems it's performing some base64
decoding, as base64 is being converted back from 6 to 8 bits; it might be base64 decoding, so I'll rename it as base64_decode. So we have a base64-decoded string now, and now,
according to this, this is taking the length of the string, the string length.
These are again some string-related tasks; it's converting back to static variables. This routine here seems to be performing again some permutation and decryption: this thing is performing XOR encryption, and these for loops are performing a permutation. So this basically identifies the algorithm
for decryption. The permutation is performed, okay: the whole thing is kind of initializing or performing a permutation on an array, and then later it's again performing some operation on the same array and generating a key, or processing the key, and a1, the first parameter, is the encrypted string. So I'll rename this routine as rc4_decrypt.
Basic routines identified: these are some of the basic routines. This whole wrapper decryption routine seems to be decrypting hundreds of strings, processing hundreds of strings. Next I'll check what the next routine is used for; it all depends upon the strings that are being decrypted in the previous routine, so let's go one by one. Currently, I'll confirm: this routine is reading FS, basically it's reading the thread environment block, which contains a pointer to the process environment block.
Kernel32: basically this routine is finding the kernel32 library loaded in the process.
It seems to be a complex routine; I'll decompile it.
Export libraries, data directories, and then it will iterate over the export directories.
So I'll rename it as
parse_kernel32_dll. Okay, this is my assumption; I'll try to
Here. This is 07, okay. So this is our
that is, it's actually processing strings, and how it processes strings.
This is getting the key; this is the domain, and then this is the first string, which is
It is returning the plain text, which is this system.txt. To check my assumption about the algorithm, whether it is actually RC4 or not, let me confirm my algorithm: I'll copy this key from here
into this key here, b64.
This is decrypting it. Yes, it's Accept-Language, yes, an HTTP header, as I said.
Here. So my assumption regarding the RC4 algorithm is correct; this is the confirmed algorithm: base64 decode, then RC4, basically. Any questions?
I'll get into this routine, the second routine, this one; I'll open it.
Addresses, which addresses or strings or URLs, etc.: with an automatic extractor, with automation, we can quickly
Configuration is basically just what the C2 server IP addresses are, IP
These are just random variable names, which are
So I'll just quickly go through my IDA script and then I'll run it on multiple files. RC4 is
this portion, I think, performing all of this stuff, and this portion later is performing API resolving. Yeah, voila, it resolved. So I'll just open it up.
This is LoadLibrary; this thing is GetProcAddress.
So now, if I run my IDA script on this
string decryptor, excuse me, it has renamed all of the strings and calls. If I go to the previous routine, the main routine, we can see all of the decrypted strings there. There are others:
to address, this is file, press, file delete, right; these are all API calls which are being used across the binary.
This is using
Later it's performing some checks to verify the user, key, machine.
Then it will move further to perform, basically, the grabbing-specific operations. Version.
So this was all related to the automation. Thank you. Any questions?
Do we have any questions? I can run this script on other similar files as well, obviously.
It has a different domain than the previous one. So that's it from my side; if you have any questions, please let me know.
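The string decryption scheme the talk identifies (base64 decode, then RC4 with a key stored in the binary) and the post-processing a renaming/IOC script does on the recovered strings, as an added example that is not code from the talk or from the speaker's IDA script. The key, the encoded strings and the c2.example domain are constructed for the demo; make_label, extract_iocs and the FILE_EXTS filter are helpers of my own, not the speaker's.

```python
"""Added example (not code from the talk): base64 + RC4 string decryption with
the post-processing an IDAPython renaming script would do on the results.
Key, encoded strings and domain below are constructed for the demo."""
import base64
import re

# File extensions that a naive domain regex mistakes for TLDs (e.g. system.txt).
FILE_EXTS = {"txt", "dll", "exe", "log", "db", "dat", "php"}


def rc4_ksa(key: bytes) -> list:
    """Key scheduling: fill S with 0..255, then permute it with the key.
    This is the 'initializing / permuting an array' loop seen in the decompiler."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """PRGA: keep permuting S, derive one keystream byte per input byte and XOR.
    RC4 is symmetric, so the same function encrypts and decrypts."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_string(key: bytes, b64_blob: str) -> str:
    """The wrapper seen in the binary: base64-decode first, then RC4 with the key."""
    return rc4_crypt(key, base64.b64decode(b64_blob)).decode("latin-1")


def decrypt_all(key: bytes, blobs) -> dict:
    """Map every encoded blob to its plaintext, preserving order of appearance."""
    return {blob: decrypt_string(key, blob) for blob in blobs}


def make_label(plaintext: str, prefix: str = "dec_") -> str:
    """Turn a decrypted string into a valid identifier for renaming/commenting
    the reference in the disassembler (e.g. 'system.txt' -> 'dec_system_txt')."""
    return prefix + re.sub(r"\W+", "_", plaintext).strip("_")[:40]


IOC_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s\"']*)?", re.I)


def extract_iocs(plaintexts) -> list:
    """Pull domains/URLs out of decrypted strings, skipping filename look-alikes
    such as 'system.txt' whose apparent TLD is really a file extension."""
    found = set()
    for text in plaintexts:
        for m in IOC_RE.finditer(text):
            host = re.sub(r"^https?://", "", m.group(0), flags=re.I).split("/")[0]
            if host.rsplit(".", 1)[-1].lower() in FILE_EXTS:
                continue
            found.add(m.group(0))
    return sorted(found)


# --- constructed demo data (stands in for what the sample stores) -----------
DEMO_KEY = b"constructed-demo-key"      # placeholder for the key found in the binary
DEMO_PLAINTEXTS = [                      # strings of the kind the talk recovers
    "system.txt",
    "Accept-Language: en-US",
    "http://c2.example/gate.php",        # .example is a reserved TLD
    "LoadLibraryA",
    "GetProcAddress",
]


def make_demo_blobs() -> list:
    """Produce base64(RC4(plaintext)) blobs, i.e. the form the sample stores."""
    return [base64.b64encode(rc4_crypt(DEMO_KEY, p.encode())).decode()
            for p in DEMO_PLAINTEXTS]


if __name__ == "__main__":
    results = decrypt_all(DEMO_KEY, make_demo_blobs())
    for blob, plain in results.items():
        print(f"{blob[:24]:<26} -> {plain!r:<32} label={make_label(plain)}")
    print("IOCs:", extract_iocs(results.values()))
```

Inside IDA the same results would be written back with the IDAPython naming and comment calls (set_name / set_cmt) at the addresses that reference each blob; that part is left out so the block runs offline. The FILE_EXTS filter is there because a plain domain regex flags decrypted filenames such as system.txt as IOCs, which is exactly the kind of false positive an automated extractor has to handle.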
Sorry, we have a couple of questions. First of all, the question is: what is the best tool they should be using for this type of analysis, should they use IDA or should they use Ghidra? As far as I've seen, I think
And the next question, which is asking: can we hide an ADS file in the game's ABS file and then malware in it? Can you please repeat your question? Can we hide an ADS file, again, an ADS file, and then malware in it? I don't know what an ADS file is. This is not related to this presentation, but yeah, it looks like a generic question actually. Yeah, that is a generic question and that depends upon the malware author, exactly. Next question, and the last question I would say: what are the payloads used in this malware to avoid any detection, like deception techniques; have they used any deception techniques? Deception techniques: as I've already told, I've used an unpacked
sample to analyze, because my focus was automation and static analysis. For example, packing itself is a deception technique, or anti-analysis; it is used as an anti-analysis technique, and later strings are decrypted, APIs are decrypted, we don't know again, basically
so these are all anti-analysis techniques. Cool, thank you so much; that was a good topic. I would say that was actually a continuation of what Ahmad and Hassan were doing. I think that's more like a hands-on session for the team and for the Discord members as well. Thank you for your time and the effort you put into preparing the presentation and delivering the presentation as well.