Gh0stnet now spreads as a fileless malware


The SonicWall Capture Labs Threat Research team recently observed a new version of the Gh0stNet backdoor spreading with a fileless technique that uses a PowerShell script for initial execution. This version of Gh0stNet uses new commands for its command and control communication.

Infection Cycle:

Upon execution, the script spawns powershell.exe to perform its malicious activities.

Fig1. Trojan uses powershell.exe to download and register itself as a startup item

Figure 1 shows that the script downloads Base64-encoded data from a pastebin.com address. It then decodes and unzips the data to obtain the next-stage PowerShell script. The second-stage PowerShell script is shown in the figure below:

Fig2. Base64 Encoded shellcode

After decoding the Base64-encoded shellcode, it calls the “Inject-LocalShellcode” function to inject the shellcode into the running PowerShell instance, as shown in the figure below:

Fig3. Powershell Shellcode injection

The injected shellcode contains code to unpack the embedded UPX packed file (without headers) and execute the unpacked code. Figure 4 below shows the UPX packed file that is present in the injected shellcode.

Fig4. Embedded UPX packed file

When the UPX-unpacked code executes, it first decodes the config string using a custom Base64 decoding key, as shown below:

Fig5. Decrypting the config URL using a custom key

Visiting the URL shows seemingly encoded information.

Fig6. Some encoded data shown on the page of the decoded URL

Figure 7 below shows that the malware searches for the marker “x=” in the response received from the URL POST request. Once the marker is found, it decodes the string following the marker to obtain the second-stage command and control server.

Fig7. Decoded response from the URL

After this, the backdoor starts communicating with the command and control server by sending the following request:

Fig8. Scote_connection|hwid = [customid_from_created_cpuid]

It then creates a thread that listens for incoming commands from the command and control server.

The following are the commands sent from the remote server:

  • scote_info_ipconfig
  • scote_info_systeminfo
  • scote_drop
  • scote_upgrade
  • scote_upgrade_internal

Below are the functionality details for each command:

  • scote_info_ipconfig:
    In response to this command the backdoor collects the IP configuration by executing “cmd.exe /C ipconfig”. It then encrypts the output using the custom Base64 key and sends it to the C&C server in the format “command=scote_info_ipconfig|buffer=[Encrypted IP Config]”.
    The figure below shows the response packet.

    Fig9. Sample response to scote_info_ipconfig command

  • scote_info_systeminfo:
    In response to this command the backdoor collects the system information by executing “cmd.exe /C systeminfo”. It then encrypts the output using the custom Base64 key and sends it to the C&C server in the format “command=scote_info_systeminfo|buffer=[Encrypted System Info]”.

    The figure below shows the response packet:

    Fig10. Sample response to scote_info_systeminfo command

  • scote_drop:
    The backdoor terminates after receiving this command.

  • scote_upgrade:
    After receiving this command the backdoor injects its code into “svchost.exe” and “explorer.exe” and then terminates itself. Before the code injection, the backdoor installs a hook on “ntdll.ZwDelayExecution” to evade analysis and performs the injection through the hooked function, as shown below:

    Fig11. Code injection through another hooked function
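The beacon, reply and marker formats described above, as an added example that is not part of the original analysis: a Python parser for the `Scote_connection|hwid=` beacon and the `command=…|buffer=` replies that also recovers the second-stage C2 after the “x=” marker. The custom Base64 alphabet and every sample message are constructed assumptions; the real key has to be read from the decoder routine in the sample.

```python
import base64
import re
from typing import Optional

# STD is the real Base64 alphabet. CUSTOM is a constructed placeholder for the
# sample's custom decoding key (assumption: a permuted alphabet; the real key
# would be recovered from the decoder routine shown in Fig. 5).
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
CUSTOM_ALPHABET = STD_ALPHABET[::-1]

KNOWN_COMMANDS = {"scote_info_ipconfig", "scote_info_systeminfo", "scote_drop",
                  "scote_upgrade", "scote_upgrade_internal"}
BEACON_RE = re.compile(r"^Scote_connection\|hwid\s*=\s*(?P<hwid>[^|\r\n]+)$")
REPLY_RE = re.compile(r"^command=(?P<cmd>[A-Za-z_]+)\|buffer=(?P<buf>[A-Za-z0-9+/=]*)$")
STAGE2_RE = re.compile(r"x=(?P<tok>[A-Za-z0-9+/=]+)")  # marker the backdoor searches for

def decode_custom_b64(data: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Map permuted-alphabet Base64 back onto the standard alphabet, then decode."""
    std = data.translate(str.maketrans(alphabet, STD_ALPHABET))
    std += "=" * (-len(std) % 4)  # restore padding if the sender stripped it
    return base64.b64decode(std)

def encode_custom_b64(raw: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Inverse of decode_custom_b64; used here only to build constructed samples."""
    std = base64.b64encode(raw).decode("ascii").rstrip("=")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))

def extract_stage2_c2(page: str) -> Optional[str]:
    """Recover the second-stage C2 from a first-stage response: the token after 'x='."""
    m = STAGE2_RE.search(page)
    return decode_custom_b64(m.group("tok")).decode("utf-8", "replace") if m else None

def parse_c2_message(body: str) -> Optional[dict]:
    """Classify one HTTP body as a beacon or a command reply; None if unrelated."""
    body = body.strip()
    if (m := BEACON_RE.match(body)):
        return {"type": "beacon", "hwid": m.group("hwid").strip()}
    if (m := REPLY_RE.match(body)):
        cmd = m.group("cmd")
        try:
            plain = decode_custom_b64(m.group("buf")).decode("utf-8", "replace")
        except ValueError:  # wrong key or corrupt buffer: still flag it, leave undecoded
            plain = None
        return {"type": "reply", "command": cmd, "known": cmd in KNOWN_COMMANDS, "buffer": plain}
    return None

# Constructed samples (not captures from the original analysis).
STAGE1_PAGE = "<html>x=" + encode_custom_b64(b"http://c2.example.invalid/gate") + "</html>"
IPCONFIG_REPLY = "command=scote_info_ipconfig|buffer=" + encode_custom_b64(b"IPv4 Address: 10.0.0.5")
```

A reply whose command name is not in the known set is still reported, with `known` set to False, so new commands in a future variant surface instead of being dropped.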

SonicWALL Capture Labs provides protection against this threat with the following signature:

  • GAV: Ghostnet.A (Trojan)
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.