Malware Analysis Of The Poor by Xavier Mertens

BSides Dublin · 32:58 · 102 views · Published 2023-07
Category: Technical
Style: Talk

Transcript [en]

Let's start again. OK, welcome everybody to my talk. I know it's always difficult when you have two talks in parallel to select the right one; I hope that you will enjoy it. I think it's the second time that I present this talk, nothing brand new, but I like it because I hope that it will be an eye-opener for you. So the idea here, maybe the most important sentence on this slide, the introduction, is: without assembly code. Many people think that when we do reverse engineering people see a lot of assembly, a lot of debuggers, disassemblers, there is a lot of code and so on, but I will show you today that you

can do reverse engineering of malware, malicious pieces of code, without any assembly, just by using simple tools. Let me go through the classic slides about myself. My name is Xavier, coming from Belgium, where I'm a freelancer. One of my favorite jobs is to hunt bad guys for my customers, and also in my free time, because I'm a SANS Internet Storm Center handler. I hope that you know the Internet Storm Center: this is the famous diaries and the podcast made by Johannes every morning. I'm also a SANS instructor, so I'm teaching reverse engineering, that's what I'm talking about today, malware. I'm also the co-organizer of the BruCON conference in Belgium, and outside this,

because I need to decompress from time to time and do something else to get rid of computers, I'm a big fan of mountain biking, so I try to do mountain biking every week. If you want to follow me, I'm pretty active on Twitter, so you will recognize the yellow blowfish, the Belgian blowfish like this; I use the same avatar on all the social networks, so Mastodon, Twitter, LinkedIn and so on. So as I said, when we mention reverse engineering, what do people think? They think about this very nice screenshot of Ghidra, a lot of code, and usually people are a little bit afraid, because, whoa, assembly. For example, when I'm teaching

FOR610, day two is fully dedicated to assembly and people are always scared: "I don't know assembly, I don't like registers, and it's all memory addressing, the wonderful stack" and so on. So that's the idea that people have about reverse engineering. The reality is this: what people do in many organizations today, they just drop the malware in the sandbox, they cross their fingers and they hope that they will get some results. Sometimes it works, sometimes it does not, and of course when I start to analyze some samples I do this too; I will not lose my time starting to fire up a debugger and doing some high-level stuff

if the sandbox does a great job and the malware is detected as Agent Tesla or whatever you want; OK, case closed, you don't have to go deeper. There are two worlds in reverse engineering, so when people play with malware, the first one is: when you do malware reverse engineering you expect to do this. Some people are lucky because they work for very big vendors, I will not mention names. These vendors have one goal: noise, to generate some noise. So what does it mean? They have a bunch of people, and when they find a new sample they invest a lot of time to analyze the malware, and besides this they do the very

important stuff: they find a name, a logo, they register a domain name, and then they produce some papers, they publish the findings, so the goal is to make some noise. I'm also involved with some of my customers who also do that, so they have teams and they do reverse engineering because they are busy in very sensitive domains, very sensitive activities, and they would like to be sure that when they detect a new malware, we do reverse engineering and we go as far as possible to understand the magic behind this. But otherwise, in probably most of the companies, that's what you do: when you have a new sample, you only have

a few hours maximum to analyze it, and if I say a few hours you're already lucky, because most of the time it's only a few; just straight to the point: what does the malware try to do, can you extract some IOCs, share the IOCs with other teams, case closed. So the idea is to identify it; we try to identify it, you will fail, I fail most of the time; you share IOCs and then you repeat the job. That's what we do day after day when you have to analyze malware. Regarding a quick introduction about malware: some people think, yeah, we found a very interesting PE file, an executable, on a computer, but computers

will never be infected magically; you never have a malware dropped magically on the computer, it must be infected, so you always have an infection path. So during the patient zero, there is some mistake in the configuration, there are some open RDP ports for example, but usually you have SMTP, HTTP, you have a phishing email, some exploit kit, weak credentials that are used, so VPN, accessible RDP servers and so on. And basically you always have this kind of story: you have a compromised account, for example; they are for sale, so you have a multi-tier approach on the black market. So some people sell credentials: "you would like to infect this company? I have screenshots for

you, it works perfectly because I have a VPN or RDP", as I said, and so on. These credentials are bought by another group and this group performs the attack, so they do the remote access, they implement the malware, so there is a backdoor, and they sell the remote access; of course they increase the price. And finally you have a third group; what do they do? They buy this remote access and they implement, for example, ransomware. That's the classic approach: you have multiple teams, every team does some business, they sell it, they get some money, the price increases and so on, until you have the ransomware, and then the company, the victim, has to pay a

lot of money. Regarding the new transport mechanism, because attackers always try to renew their TTPs, what does it mean for you as defenders? You know that you have these techniques, and I like to compare security to fashion. I was in Milan, the city of fashion, a few weeks ago, and I like to say it's like fashion, because in fashion, for example in 2023, the main color for all clothes will be red, all the people will be dressed in red; the next year it will be blue, the next year it will be green, black, and a few years after, red or blue will be back on stage.

It's exactly the same in malware. For example, think about Excel 4: we had a very interesting talk about Excel this morning, it was mentioned, Excel 4 macros, XL4 macros, were used for years, but young people, the newcomers, know VBA, they don't know Excel 4 macro controls. So what happened at a certain point? Attackers started again to push samples using Excel 4 macros, because defenders pay less attention to them, they don't know the technique at all. Who knows Excel 4 macros in the room? Raise your hand. Yeah, that's the proof, just perfect evidence. So they try to renew their TTPs all the time, and at the beginning of

this year, so it was already in January, we saw a new type of attack based on Microsoft OneNote files. So Microsoft OneNote is not known by a lot of people, but when you install Microsoft Office, the complete suite, you get Excel, Word, PowerPoint, Outlook, but you have a lot of small tools beside these big programs, and one of them is OneNote. OneNote is just a tool to take notes, the name says everything, and attackers found a new way to deploy malicious content, because people trust OneNote, they don't know OneNote, and the good point is OneNote, even if you don't use it, is installed on your

computer, so if you double-click on the OneNote file it will open Microsoft OneNote and so on and so on. So when it was disclosed in January, what we did at the Internet Storm Center, of course, we tried to investigate this, and I found a very interesting OneNote file. So what I did, of course, yeah, fresh meat: I put my hands on the file, I started to investigate this, and this talk is a recap; I will show you what I did, because at this time there were no specific tools. I will show you what I did manually to investigate this file. This time the attackers decided to target OneNote files, but the question

is, we can already ask ourselves, who's next? Because if you have a look at the Microsoft registry and you have a look at all the file extensions that are known by Windows, we can guess that in the coming weeks, coming months, they will use another type of file. For example we got a lot of .iso files, because when you double-click on the ISO file on Windows it will be mounted, and in this file, in this image, you will get a VBA, a piece of JavaScript and so on. So what will be the next one? I don't know, I don't have a crystal ball, I can't tell you, but I'm

sure that we will have new attacks abusing other extensions in the coming months. So regarding OneNote, this is the note that I received. So I found one because one of my favorite playgrounds is VirusTotal, and one of my YARA rules reported this and I found this wonderful OneNote file. So when you open it, I did it in the sandbox, I had OneNote installed, and you have a blank document with only one button: click to view the document. Guess what people do? They click; the problem exists between the keyboard and the chair, you know, it works. So they click, and this

will trigger a malicious script that will do something else, something else, something else, and I will show you the different steps and, at the end, what happened. So of course this file, I presume, I don't know, I don't have the complete context, I presume it was part of a phishing attempt. It's always like this: you get a nice email and the attacker asks you to open this wonderful document, there is interesting information, open it, you will see it will be very funny, guess what. I don't know, but it's part of a phishing attack; I don't have the context this time, I just had the file. So probably

in the phishing attempt they click on the blue button and you will have some magic. So that's what I did, because if you ask me to do something I will do it. So I opened the file, I had a look, and the first thing that was really funny is that if you move the blue button, it's just an icon, you have below three small icons. So basically the three scripts were hidden behind the blue button; just drag and drop and you will see this. Of course, never do this on a corporate computer; it has been done in a sandbox, in a safe environment in my lab and so on. And what you have is,

besides this, you have some interesting links, because everything, so you are on Windows, and instead of HTTP, HTTPS, FTP and so on you can have onenote://. The path that you see here is my malware zoo at home, so it's not the original one, because it has been updated when I opened the document, and what you have here is an HTA file. So it's an HTML application; it's a file which is interpreted by Microsoft Windows on all your Windows computers. If you double-click on an HTA file it will try to open the file, and most of them do not only contain HTML but also contain scripts, and these scripts will do

something interesting. Let's have a look at this. The first thing, when I started to investigate this, I said: but there is something strange. Have a look at my screen: the file was called 10?eno.hta, so this is on the Linux system, then the result was, so I ran file on the question-mark eno.hta file in the temp directory and I got this:

text, blah blah blah. You see everything is reversed, so basically, you see the question mark in the file name, it's a specific Unicode character, 202E, which is Right-to-Left Override, so it inverted the string. So basically on Linux, when you have this, well, good luck. Probably, I don't know why, it's a guess, but probably it has been done by the attacker to defeat stupid security controls: if you have regular expressions, YARA, stuff like this, you try to verify, to extract all the attachments and you try to see the file type; it's a stupid trick but it works to make the life of the reverse engineer more difficult, or to

bypass stupid security controls. So that's the first trick: there was a specific Unicode character inside the file name. Of course when I did this there was no tool available, so I had to open the file in OneNote by myself, so once again don't do this on a corporate computer. But probably you know Didier Stevens, a famous name in the security landscape. So Didier is a big friend of mine, I've known him for years, he's also based in Belgium, he's also a SANS Internet Storm Center handler, and Didier has a philosophy; honestly this guy is crazy: if he can't find the right tool he will write the tool himself.

So basically what he did, and it was released a few days after I did this manually, he just contacted me: "hey, by the way, I created onedump.py". Probably you know zipdump, xmldump, oledump, all the wonderful tools that Didier wrote, and he wrote onedump.py. So what I did manually, now you can do this automatically using onedump.py: you specify the name and it will tell you, so it's always the same philosophy with this tool, you will get the PNG files and so on, and here you see the first bytes, starting from stream number two, which are the bracket and exclamation point, so that's my HTA file. Honestly I don't know if the file has

been released; I have a copy because, yeah, Didier shares a lot of stuff with me, but when I wrote the slides, I wrote them a few weeks ago, I think that the tool was not yet public, but I'm sure it will become available for everybody soon. Of course this HTA contains a VBA macro, and that's the magic of Microsoft, because it's an HTA file but Microsoft has a lot of scripting capabilities; you can have HTA, JavaScript, VBA, VBS and so on, and this HTA file contains a wonderful VB macro. If you know VBA macros you can read it by yourself, it's pretty easy to understand what it does: it executes two commands, two Power-

Shells. These PowerShells will download two URLs: the first one downloads from a www.onenote...com address another OneNote file, and the second PowerShell will download a window.bat and then it will execute it. What's the magic behind this? The first PowerShell is just a decoy: it will download a new OneNote file and you will open it, and this one is absolutely not malicious, it's a simple agenda like this, but the idea is to make the user confident: yeah, OK, I clicked on the blue button and I got a new note, which is my daily schedule, empty, so what. Yeah, but the second PowerShell downloads a .bat file,

so let's have a look at the .bat file. The .bat file was really nice because the obfuscation was not complicated, you will see, very easy to understand, but I like it because it shows you the power of the .bat file. A lot of people think that, yes, Microsoft, so cmd.exe or a .bat file is a dumb command interpreter, it's a dumb shell; when you compare bash to cmd.exe you think, yeah, it's from 20, 30 years ago, maybe, I don't know, a long time. But you can perform crazy stuff in a .bat file; for example, you can create a lot of

environment variables, and that's what you have: you have set GPzp=set. So what does it mean? Instead of having "set something", when you define a new environment variable you will obfuscate all the rest of the code. So what does it mean? We will set, you see, GPzp will be replaced here, and for every line we will create environment variables that contain every time two letters, and of course what we have here is a concatenation of all the environment variables created, and we will reconstruct the code that will be executed. It's not very complicated, but if you read this with your human eye you will cry, because, whoa, I don't

understand anything. What's the magic behind this? Well, if you practice reverse engineering and you have a look at such a kind of script, it's a piece of cake to understand, but when you open this for the first time, well, I'm lost, what happens? So we have a concatenation of commands, and when you deobfuscate this, that's the wonderful code that you get: so you have another bunch of PowerShell code, and you see here another trick also. This OneNote is honestly stupid because there is not a lot of magic and so on, but the idea is, it's interesting how the attacker tries to defeat the classic security tools. For example, probably a

lot of you know Sysmon, so you can detect when you have an Excel sheet, an Excel process starting a macro, and you have a PowerShell whose parent process is Word or Excel; it's definitely really suspicious. So the trick here: the attacker copies powershell.exe to windows.bat.exe, and basically then it calls windows.bat.exe with the PowerShell script, so if you list the processes on the system you will not see powershell.exe but you will see windows.exe, something like this, which looks less suspicious. What we can see in this kind of PowerShell script, it's also a very common PowerShell script, I will show you some interesting information. First, suspicious strings have been reversed:

you see that you have here a classic one, ReadAllText, which has been reversed; you have here FromBase64String, so it's a classic technique to make your life more difficult and defeat YARA's regular expressions, so the classics to beat security controls that you can implement. That's the first thing. What we have also: we see that we have encryption in place, because we have System.Security.Cryptography.AesManaged, and you see below that you have CipherMode CBC, PKCS7 and so on and so on, and you have here the wonderful key, another bunch of base64; also probably the IV and the key have been base64 encoded, so we

have encryption, we have the PowerShell that has been renamed, we have the reversal of interesting strings, and what we have also, yes, an extra bonus: the payload is compressed. Yeah, if you can reduce the size of your payload and you can also obfuscate it a bit better, why not? But where is this payload? So if you read this script, what we have: so this is a new .bat file which replaces powershell.exe with windows.bat.exe, then we spawn a PowerShell and we have some code; we see that we extract a payload from somewhere, the payload has been encrypted, it has been zipped, and we have the classic Reflection.Assembly

Load, blah blah blah, and we have the wonderful EntryPoint.Invoke. So if you read this, probably the next payload will be the shellcode or will be the executable that will do the magic, but where is it? That's the question. Let's continue then. So we are here, another payload that is loaded; where is the payload? Anybody has an idea? If you read this, just read the very first line of the script, and if you have an idea where the payload could be stored, raise your hand, just take 15-20 seconds, anybody? So, yeah. [inaudible audience answer] Assembly, so it's probably downloading it? No, it's... no, no, no, it's in the file itself, because you have this:

So what do we do? Remember that we have here ReadAllText. So what does it mean? I will explain carefully: we downloaded window.bat, you remember this, when we executed the HTA we downloaded a OneNote file and a window.bat. With window.bat, what we do: we read all the text inside a variable, and then, for each line of this file, we check if the line starts with colon colon space; if the line starts with colon colon space we read the line, we remove the colon colon space and we add it to this variable. So basically the payload is encoded in the string, and that's what

you have: you have the colon colon space and the rest is a very long line which contains the payload. So the payload is inside the file; it's also a classic trick, very, very easy, and this file, of course, I know it, it's a PE file, and the PE file then will be loaded and will be executed. So have a look, we are already at stage five, so you see that you have a lot of scripts called in another script, another script, obfuscation and so on and so on, and what I did right now, I just used a text editor: I loaded the file in my text editor and tried to do

some review of the code and to do the reverse engineering stuff. Once you have this: CyberChef to the rescue. Probably a lot of you know CyberChef; I really like the tool, I use it daily, really, really powerful, and why do we have to use CyberChef? Because the payload that we have in the file has been compressed and encrypted, remember this, it was in the PowerShell script. So what we have to do, we have just to write a simple recipe: the first one is, we decode the base64, then we decrypt it with the key and the IV that we have in the script, so we go back, so that's the information

that we have here, well, sorry, what is it here, my key and the IV. I even don't have to decode them because CyberChef will do the job automatically: you can specify that the data that you're passing is in base64, and then you have to unzip, because you have also compression, and you find the wonderful MZ, the MZ header. So we have a brand new executable file. Yeah, what do we do from now? Now you can fire your debugger, you can fire your disassembler if you want, but I will not go so deep, because my goal was to show you how to access interesting information, just to give

you an idea. The PE file is still unknown on VT, you can see, I checked yesterday, so yesterday I searched for this SHA256 on VT, it's unknown, but the file is not a very, very nasty malware. First, it's a .NET binary, and when you have to address a .NET binary don't load it in a disassembler or in a debugger, because it's a mess to debug. There is a very nice tool that you can use for this purpose, it's dnSpy. dnSpy is really great because it will disassemble .NET executables and you will find everything, really a great tool. So what I did, I just loaded my file in dnSpy and I

did my job as usual: I searched for interesting strings and I found, for example, once again everything is encrypted, so all the interesting strings in this binary have been encrypted using AES. You have an example here: you have a call to this wonderful, very nice function LoadLibrary, so what do we do? We load the library ntdll.dll, then we GetProcAddress, and this is encoded. So basically, how to translate this in English, in words: we try to get the address of a specific API call, but this API call has been encrypted using AES, so we will not disclose the capabilities of the malware. When you analyze malware, the first thing that you can try to do is to have

a look at the API calls used by the malware, because it will give you very nice hints: if you see that you have InternetOpenA you know that the malware will try to connect somewhere on a server, stuff like that. So by obfuscating all the interesting API calls we have a nice obfuscation technique, and why is this technique of LoadLibrary and GetProcAddress used? Because it's a way to reduce the import table. You know, if you don't know, in a PE file you have what we call the IAT, the import address table, which lists the API calls used by the malware, because this IAT is built when you link the

program. Of course, if you have a look at this IAT using a static analysis tool, without running the malware, you can spot interesting activities: it will read this file, it will try to read some stuff from the registry, do encryption, connect to the Internet. So what do the attackers do? They reduce the size of this IAT by using this technique, GetProcAddress and LoadLibrary, and the IAT will be smaller, so you will not guess easily what the malware tries to do. And every time you have this wonderful "tdb..." function, you have it here, where is it, "tdb" here for example, it's a function that will do the AES

decryption of all the interesting strings. So what about this malware? Well, as I said, it's not very, very dangerous; it's just a new RAT, remote access tool, from the AsyncRAT family, and just for your information, that's the address of the C2 server. So once the malware is running it will try to contact this wonderful ddns.net hostname, and basically it's a remote access tool, so it means that you have one step inside the victim's computer: keylogger, taking screenshots and so on and so on. Thank you. So as I said, no assembly, nothing, just simple tools. Any questions? Yes. [inaudible audience question]

Do I prepare to do that here, just directly on here? No, VMs, virtual machines. So basically I have two virtual machines: a Windows one, because for example OneNote is a tool that runs on Windows; when you need to investigate OneNote files it's better to do it in the Windows environment, and besides I have a REMnux distribution. So REMnux is a Linux distribution oriented to fully reverse engineering malware, and basically the two are interconnected, so when my Windows needs to access some DNS resources, Internet and so on, it sends everything to my REMnux and my REMnux acts as a proxy; I can do full packet capture, man-in-the-middle, and it talks to the

wild Internet, if I can say so. So I'm using virtual machines, basically, yeah. Yes. [inaudible audience question] Not every day, but it's a very common technique, so it's classic techniques, yes, but I don't see this every day. You have to know that many, many malware remain very basic and they always do the same techniques and so on. So if you don't work in a very sensitive environment where you could be targeted by very nasty attacker groups, most of the time it's really, really easy. What you see today is a lot of .NET binaries, for example, it's pretty common, but you can see DLL side-loading, so I will not discuss this

because it's another topic, it's not here, but yeah, I see that from time to time. Yes. [inaudible audience question] Yes, you mentioned... I didn't try to go so deep, because for me, as I said, you have two types of reverse engineers: you have the guy doing the reversing from A to Z because he has to produce a paper with a nice logo, a nice domain name and so on, but if you do reverse engineering in a normal company your goal is to get your hands on this, because you identify the malware, you can get interesting IOCs,

you know how to clean computers, and you can also communicate. For example, if I have this wonderful hostname, what I do: I call the guy responsible for the DNS and I say, guys, can you tell me how many computers resolved this hostname? And based on this you know if you have one computer affected in the company or if you have five thousand, for example, and then if you block this using a DNS firewall, you don't clean the computer, it remains infected, but at least you cut the communication with the C2 server and you are "safer", between quotes. No more questions? Yes. [inaudible audience question] Because, for two reasons: first, I found interesting pieces of code in dnSpy,

because you can reduce, as I said, malware families or malware developers, it's like any developer, they don't reinvent the wheel, so they share code, they share functions and so on. So basically if you have a look at different malware, just by having a look at the code, if they use the code in this way or you have this function, you can put a name on the malware. Right, the ddns.net hostname, I found it finally using two ways. So first I found it easily because, that's what I said, that's maybe the most interesting slide, this one: because what I did, I ran it already in my sandbox and I saw

that it was communicating to this hostname, the easy way, the stupid way, but it works. And also, then, when I analyzed the code in dnSpy, I found it also in dnSpy, of course, yeah, but if this works I will not lose my time. Yeah, another one? Otherwise we wrap up. OK, thank you very much once again.
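As an added example (not the speaker's code; the talk did these steps by hand and in CyberChef), here is a small Python triage script for the three tricks described above: the U+202E Right-to-Left Override in the HTA file name, the two-letter environment-variable obfuscation in the .bat file, and the payload hidden in ":: " comment lines. The sample .bat, its variable names and the fake PE stub are constructed; the real sample's AES layer is not reproduced, so an encrypted blob is only reported as opaque.

```python
import base64
import gzip
import re

RLO = "\u202e"  # U+202E RIGHT-TO-LEFT OVERRIDE, the character hidden in the HTA name


def rendered_name(name: str) -> str:
    """Approximate what a bidi-aware UI shows: text after the override appears reversed."""
    head, sep, tail = name.partition(RLO)
    return head + tail[::-1] if sep else name


def check_filename(name: str) -> dict:
    """Flag names whose displayed extension differs from the one Windows actually uses."""
    real_ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    shown = rendered_name(name)
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    return {"bidi_override": RLO in name, "shown": shown, "shown_ext": shown_ext,
            "real_ext": real_ext, "mismatch": shown_ext != real_ext}


VAR_REF = re.compile(r"%([A-Za-z0-9_]+)%")
SET_LINE = re.compile(r"^\s*set\s+([^=\s]+)=(.*)$", re.IGNORECASE)


def expand(line: str, env: dict) -> str:
    """Expand %VAR% references until stable (cmd variable names are case-insensitive)."""
    for _ in range(20):
        new = VAR_REF.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), line)
        if new == line:
            break
        line = new
    return line


def deobfuscate_bat(text: str):
    """Replay the 'set' assignments and return (commands that would run, variables)."""
    env, commands = {}, []
    for raw in text.splitlines():
        if raw.lstrip().startswith("::") or not raw.strip():
            continue  # comment / blank lines are not executed (they carry the payload here)
        line = expand(raw, env)
        m = SET_LINE.match(line)  # also matches once '%GPzp%' has expanded to 'set'
        if m:
            env[m.group(1).lower()] = m.group(2)
        else:
            commands.append(line)
    return commands, env


def carve_payload(text: str, marker: str = ":: ") -> bytes:
    """Join the ':: ' comment lines that hide the payload and base64-decode them."""
    chunks = [ln[len(marker):].strip() for ln in text.splitlines() if ln.startswith(marker)]
    return base64.b64decode("".join(chunks)) if chunks else b""


def classify_blob(blob: bytes):
    """Peel gzip if present; report a visible PE (MZ) or data that is still opaque."""
    if blob[:2] == b"\x1f\x8b":
        blob = gzip.decompress(blob)
    if blob[:2] == b"MZ":
        return "pe", blob
    return "opaque (encrypted? decrypt with the key/IV from the script first)", blob


# Constructed sample, not the talk's real file: a gzip'd fake PE stub hidden in ':: '
# lines and a command spelled out through two-letter environment variables.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode"
_B64 = base64.b64encode(gzip.compress(FAKE_PE)).decode()
SAMPLE_BAT = "\r\n".join(
    [":: " + _B64[i:i + 76] for i in range(0, len(_B64), 76)]
    + ["set GPzp=set", "%GPzp% Ab=po", "%GPzp% Cd=we", "%GPzp% Ef=rs",
       "%GPzp% Gh=he", "%GPzp% Ij=ll", '%GPzp% Kl=.exe -c "Write-Host hello"',
       "%ab%%CD%%Ef%%gh%%Ij%%Kl%"])


def triage(name: str, bat_text: str) -> dict:
    """One-shot report: file-name trick, reconstructed commands, carved payload type."""
    commands, env = deobfuscate_bat(bat_text)
    kind, blob = classify_blob(carve_payload(bat_text))
    return {"filename": check_filename(name), "commands": commands,
            "env_vars": len(env), "payload_kind": kind, "payload_head": blob[:4]}


if __name__ == "__main__":
    import json
    print(json.dumps(triage("10\u202eeno.hta", SAMPLE_BAT), indent=2, default=repr))
```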