Bublik, CyberGate, and Game of Thrones

May 2, 2014

The Dell SonicWall Threats Research Team recently encountered a family of .NET malware that eventually drops a CyberGate remote access trojan. While it is unclear what the initial vector of infection is, it appears that the malware attempts to pass itself off as an Adobe installer, and even goes so far as to drop and execute a legitimate copy of the Adobe Bootstrapper. This seems like an effective decoy because the Bootstrapper will always encounter an error due to missing installation files before directing the user to the official Adobe site for a support download.
Adobe Installer Error

Indicators of Compromise

In this instance, the malware carries the hardcoded ID 04W47BG81GO688, and several mutex names and file paths embed this string, as seen below. The ID is specific to this build, so a detection that keys on it alone will miss other builds of the same family; the surrounding naming pattern (the suffixes and the fixed mutex names) is the part worth matching.

Mutex Indicators
    Creates mutex: \Sessions\1\BaseNamedObjects\04W47BG81GO688
    Creates mutex: \Sessions\1\BaseNamedObjects\04W47BG81GO688[USERNAME]15
    Creates mutex: \Sessions\1\BaseNamedObjects\xXx_key_xXx
    Creates mutex: \Sessions\1\BaseNamedObjects\04W47BG81GO688_SAIR
    Creates mutex: \Sessions\1\BaseNamedObjects\04W47BG81GO688_RESTART

File Indicators
    Creates: %APPDATA%\Local\Temp\pMfL.exe
    Creates: %APPDATA%\Local\Temp\BISy.exe
    Creates: %APPDATA%\winini.exe
    Creates: %APPDATA%\Local\Temp\PDApp.log
    Creates: %APPDATA%\Local\Temp\cvtres.exe
    Creates: %APPDATA%\Roaming\945109AB
    Creates: %APPDATA%\Roaming\945109AB\ak.tmp
    Creates: %APPDATA%\Roaming\[USERNAME]-wchelper.dll
    Creates: %APPDATA%\Local\Temp\[USERNAME]7
    Creates: %APPDATA%\Local\Temp\[USERNAME]8
    Creates: C:\Windows\Update\vbc.exe
    Creates: %APPDATA%\Local\Temp\[USERNAME]2.txt

Registry Indicators
    Creates key: HKLM\software\microsoft\active setup\installed components\{odks44qa-12l5-c1lw-tgc7-2430ij2b12a6}\StubPath

Network Indicators
    DNS query: laki.no-ip.org
    DNS response: laki.no-ip.org ⇒ 176.14.66.219
    Connects to: 176.14.66.219:3333

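The indicators above can be turned into a small triage check. The following is an added example, not SonicWall's code or anything from the sample: it scans constructed host and sandbox events (the event shape is an assumption made for this example) for the mutex naming pattern, the Active Setup persistence entry, the dynamic-DNS callback and the C&C port. It goes slightly beyond the list by flagging any Active Setup component whose name is not a hex GUID or whose StubPath points into a user-writable directory, since a legitimate component name is a GUID and legitimate StubPath entries live under the Windows or Program Files trees.

```python
import re

# Bot ID hardcoded in this sample (from the post). Other builds carry a
# different ID, so the matcher takes it as a parameter rather than a constant.
BOT_ID = "04W47BG81GO688"

# Mutex names from the indicator list that do not depend on the per-build ID.
CYBERGATE_MUTEX_SUFFIXES = ("_SAIR", "_RESTART")
CYBERGATE_MUTEX_NAMES = {"xXx_key_xXx"}

# A genuine Active Setup component name is a hex GUID in braces.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\")
DYNDNS_SUFFIXES = (".no-ip.org",)
CNC_PORTS = {3333}

# Constructed events in a simplified sandbox-export shape (assumed for this
# example, not any real tool's format). Mixes the post's indicators with
# benign noise so the filter has something to reject.
SAMPLE_EVENTS = [
    {"type": "mutex", "name": r"\Sessions\1\BaseNamedObjects\04W47BG81GO688"},
    {"type": "mutex", "name": r"\Sessions\1\BaseNamedObjects\xXx_key_xXx"},
    {"type": "mutex", "name": r"\Sessions\1\BaseNamedObjects\04W47BG81GO688_SAIR"},
    {"type": "mutex", "name": r"\Sessions\1\BaseNamedObjects\04W47BG81GO688_RESTART"},
    {"type": "mutex", "name": r"\Sessions\1\BaseNamedObjects\ZonesCounterMutex"},  # benign
    {"type": "file", "path": r"C:\Users\u\AppData\Roaming\winini.exe"},
    {"type": "reg",
     "key": r"HKLM\software\microsoft\active setup\installed components\{odks44qa-12l5-c1lw-tgc7-2430ij2b12a6}",
     "value": "StubPath", "data": r"C:\Users\u\AppData\Roaming\winini.exe"},
    {"type": "reg",  # constructed stand-in for a legitimate Windows component
     "key": r"HKLM\software\microsoft\active setup\installed components\{12345678-ABCD-1234-ABCD-1234567890AB}",
     "value": "StubPath", "data": r"C:\Windows\system32\example.exe /setup"},
    {"type": "dns", "query": "laki.no-ip.org", "answer": "176.14.66.219"},
    {"type": "net", "dst": "176.14.66.219", "port": 3333},
]


def scan(events, bot_id=None):
    """Return one finding string per event that matches a CyberGate indicator."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "mutex":
            name = ev["name"].rsplit("\\", 1)[-1]
            if (name in CYBERGATE_MUTEX_NAMES
                    or name.endswith(CYBERGATE_MUTEX_SUFFIXES)
                    or (bot_id and name.startswith(bot_id))):
                hits.append(f"mutex:{name}")
        elif kind == "reg":
            key = ev["key"]
            if ("\\active setup\\installed components\\" in key.lower()
                    and ev.get("value", "").lower() == "stubpath"):
                component = key.rsplit("\\", 1)[-1]
                data = ev.get("data", "").lower()
                reasons = []
                if not GUID_RE.match(component):
                    reasons.append("component name is not a hex GUID")
                if any(m in data for m in USER_WRITABLE_MARKERS):
                    reasons.append("StubPath in user-writable directory")
                if reasons:
                    hits.append(f"activesetup:{component} ({'; '.join(reasons)})")
        elif kind == "dns":
            if ev["query"].lower().endswith(DYNDNS_SUFFIXES):
                hits.append(f"dns:{ev['query']}->{ev['answer']}")
        elif kind == "net":
            if ev["port"] in CNC_PORTS:
                hits.append(f"net:{ev['dst']}:{ev['port']}")
        elif kind == "file":
            if bot_id and bot_id in ev["path"]:
                hits.append(f"file:{ev['path']}")
    return hits


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS, bot_id=BOT_ID):
        print(finding)
```

The port match on its own is weak evidence (3333 is not reserved for anything), so in practice it should be correlated with the dynamic-DNS resolution that precedes it; the Active Setup and mutex findings are the ones that stand alone.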
Infection Cycle

Infection Flow

.NET Stage Analysis

The .NET stage of the malware has two sub-stages, and the malicious payloads come in two flavors that we will refer to as dropper and infector modules.
The dropper modules use obfuscation techniques that, while simple, caught our attention in part because of the Game of Thrones references used to hold the payloads for later stages. Game of Thrones names and the acronym "GOT" are used as resource names to store the files, and searches show that this family has been operating with the same Game of Thrones concealment technique for some time.

Functions from the Infector module

The infector module is the same across both .NET sub-stages, and provides several functions to infect a target machine as well as some stealth. Among the functions shown above are BotKill(), which erases all traces of the malware from a machine (and may delete some unexpected files as well), and Fap(), which performs process injection and PEB patching and is responsible for the dummy files created on disk.

One slightly more sophisticated technique that seems to be used throughout the stages of this infection is the writing of dummy files to disk. The implementation of this technique in the .NET stage is prone to errors in environments where certain versions of the .NET Framework are not available, though this could be a side effect of targeting a particular platform. While the malware writes a file to disk for each of the payloads, only the primary payload of the next stage is written out for real; the remaining files are decoys built from cvtres.exe, taken from the .NET Framework, and the corresponding payloads are unpacked and executed in memory. For an analyst this means that a file carved from the Temp directory by name alone may be the decoy rather than the payload.

File copy function to create the dummy files
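
Because the decoys are built from one clean binary, they can be separated from the real payload by content rather than by name. The following is an added example (not the malware's code and not from the original post): it hashes a constructed drop set in a temporary directory, where the "cvtres.exe" content is a placeholder byte string and not the real binary, and reports as decoys any files that are byte-identical to another dropped file or to a known clean hash. The filenames follow the indicator list above; everything else is constructed for the example.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large drops do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_decoys(paths, known_legit_hashes=()):
    """Split a drop set into (decoys, unique) by content.

    A file is a decoy if its hash duplicates another file in the set (several
    names, one clean binary) or matches a hash the analyst already knows to be
    a legitimate system file such as cvtres.exe.
    """
    by_hash = defaultdict(list)
    for p in paths:
        by_hash[sha256_of(p)].append(p)
    decoys, unique = [], []
    for digest, group in by_hash.items():
        if len(group) > 1 or digest in known_legit_hashes:
            decoys.extend(group)
        else:
            unique.extend(group)
    return sorted(decoys), sorted(unique)


def build_sample_dropset(root):
    """Write a constructed stand-in for the Temp directory.

    The byte strings are placeholders chosen for this example; they are not
    the real cvtres.exe or the real payload.
    """
    legit = b"MZ-placeholder-for-legitimate-cvtres.exe"
    payload = b"MZ-placeholder-for-the-real-next-stage"
    files = {"cvtres.exe": legit, "pMfL.exe": legit,
             "BISy.exe": legit, "winini.exe": payload}
    paths = []
    for name, data in files.items():
        p = os.path.join(root, name)
        with open(p, "wb") as f:
            f.write(data)
        paths.append(p)
    return paths


def demo():
    """Run both scenarios against the constructed drop set; returns basenames."""
    with tempfile.TemporaryDirectory() as root:
        paths = build_sample_dropset(root)
        # Scenario 1: no prior knowledge; duplicate content alone exposes the decoys.
        decoys, unique = find_decoys(paths)
        # Scenario 2: only one cvtres.exe copy and the payload were dropped, so
        # there is no duplicate, but the clean cvtres.exe hash is known.
        known = {sha256_of(os.path.join(root, "cvtres.exe"))}
        subset = [os.path.join(root, n) for n in ("cvtres.exe", "winini.exe")]
        decoys2, unique2 = find_decoys(subset, known)
        names = lambda ps: [os.path.basename(p) for p in ps]
        return {"decoys": names(decoys), "unique": names(unique),
                "decoys_known": names(decoys2), "unique_known": names(unique2)}


if __name__ == "__main__":
    for label, files in demo().items():
        print(f"{label}: {files}")
```

On a real case the known-hash set would be filled from the cvtres.exe copies under the installed .NET Framework directories, which is also the quickest way to confirm that the dropped file is the framework binary and not a trojanized one.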

Delphi Stage Analysis
Relative to the .NET binaries encountered, the Delphi stage contains a great deal of complexity. The authors of CyberGate make a number of attempts to stymie analysis with anti-debugging techniques and checks for a variety of sandbox and analysis environments as seen below.

Anti analysis functions in CyberGate

CyberGate is a full featured trojan providing remote access and information stealing capabilities, hunting for passwords saved in browsers, chat services, and various network applications.

Although we did not see much in the way of network communication from this infection cycle, the CyberGate component does call out to laki.no-ip.org on port 3333. Because no-ip.org is a dynamic DNS service, the address it resolved to during analysis (176.14.66.219) should be treated as transient; the hostname and port are the more stable indicators. The only response seen during execution is shown below.

CyberGate CnC Response

Summary
Overall, the purpose of this malware is to gain a persistent infection on a target machine, while gathering any available user credentials from web browsers or other communications software. Dell SonicWall Gateway Anti-Virus provides protection against this threat with the following signatures:
  • GAV: Rogue.KDZ_4
  • GAV: Bublik.GOT
  • GAV: Bublik.RUN
  • GAV: Spatet.T_8
  • GAV: Avenger.gen
  • GAV: CyberGate.A_2