Steam - Rust Trainer, DGA & Miner Found

October 4, 2019

Overview:

SonicWall Capture Labs Threat Research Team, recently found a unique Domain Generation Algorithm (DGA) inside a uniquely named file called “Rust Trainer.exe” the sample goes along with the Steam, PC Game called “(RUST)”. The file is deceptively named for use in cheating and creating hacks for the online multiplayer game. However, once executed the file only starts the infection. Injection starts in “svchost.exe”, after injection the sample will start creating domains on the fly. The domain generation algorithm involved in this sample will generate 172 Million Domains. The sample has the ability to look for and install new Coin Mining Software along with an array of other abilities.

Objective of the game:

The only aim in Rust is to survive.

To do this you will need to overcome struggles such as hunger, thirst and cold. Build a fire. Build a shelter. Kill animals for meat. Protect yourself from other players, and kill them for meat. Create alliances with other players and form a town.

Do whatever it takes to survive.

The developers describe the content like this:

This Game may contain content not appropriate for all ages, or may not be appropriate for viewing at work: Nudity or Sexual Content, Frequent Violence or Gore, General Mature Content

Sample Static Information:

Anti-Debugging Techniques Used:

Process Checking – This sample will locate many different processes used in the reverse engineering process. If one of the items is found, it will terminate and delete that process. Along with remove all files associated with that process.

Anti-Debug Cluster – This cluster of Anti-Debugging tricks is absurd. However, it works quite well. To bypass it you will need to have the proper plugins and edit a few areas of the process execution to bypass it. Once bypassed, you can enter into the DGA starting routine.

Standard XOR, TLS Encryption & Decryption:

TLS functions are used inside the Cryptor to decrypt the first quarter of the PE Binary. Once decrypted it will check the associated program directory for a file named “old_filename.exe” If the file is found the Cryptor will go to stage 2 and decrypt the rest of the file. A trick that can be used here would be to put a break point on “CreateProcessA” then follow inside a second debugger for the stage 2 decryption. Once you reach stage 2 you can start analysis of the malware.

OEP Byte Structure:
Original:
C1 78 15 37 91 21 A1 B0 94 F0 98 21

1st decryption:
55 89 E5 C6 05 D0 51 41 00 01 68 D0

2nd decryption:
55 89 E5 53 B8 10 33 45 00 50 E8 51

Understanding the DGA:

Domain generation algorithms are seen in various families of malware. They normally generate large numbers of domain names. Usually, only a handful of domains or one domain are active at a time. This connect back feature allows connections back to their command and control server and/or bot master themselves. Here we see (www.) being added to the random domain generated from the mersenne twister pseudo-random number generator described below and after its generation it adds (.com) to it’s string completing the domain name generation:

Domain Character Generation:

Our character arrays length is: 0x3Eh or 62d, the first element is not indexed and it’s only use is for the length of the array.
>iHRYg79zJXaGw1CF5K0d3vZobhAlx6StUBnjOIMpe2yVuPr4sL8DqmQTkEcWNf
The mersenne twister algorithms output will be used as an index into this character array.

Pseudo Random Number Generator Information:

Generating good random numbers in software is a complex topic. Software-based random number generators can never generate truly random numbers and are therefore called pseudo-random number generators because they rely on mathematical formulas to give the impression of randomness. The pseudo-random generator in this file is known and called by the Mersenne Twister algorithm. This algorithm has been around since 1997. The implementation of the pseudo-random number generator (PRNG)MT19937, is called the Mersenne Twister it was given it’s name because it has a period of 2^19937 – 1, which is a Mersenne Prime number. Also, it’s the size in bits of the Twister’s engine internal state.

Range Distribution, is from 0x00 to 0x3E:

Mersenne Twister Initialization:

Mersenne Twister Twist Function:

Seed Generation:

You need to initialize the random number generator above. This is also called seeding the random number generator. Most default applications of seeding use the current system time as a seed. This file uses “GetTickCount” which is defined as: (Retrieves the number of milliseconds that have elapsed since the system was started, up to 49.7 days. This function will also wrap around back to zero after 49.7 days have past and start the counting again up to 49.7 days).

You need to make sure that you use a good quality seed for your software-based random number generator. If you initialize the random number generator with the same seed every time, you will create the same sequence of random numbers every time. This is why the seed is usually the current system time. The malware author wants unique random numbers.

Get Seed:

Domains Generated By Algorithm Above:

Using the (n choose r algorithm) to figure out all combinations of indexes into the character array we get a total of 107,518,933,731 index combinations or possible domain names. However, if we divide that by 625 we get the amount of seed values possible from the use of (mersenne twister algorithm and GetTickCount) which is a total of 172,030,293.97. About 172 million possible seed values. Meaning, the algorithm above can only generate one domain name per seed value. That would be 172 million total domains possible if my math is correct. A quick 50 domains are below:

www.yIGntVEPMH.com
www.MGtoYca5Mc.com
www.f0VrN4HH6A.com
www.HL3aPxMS3Y.com
www.wsJjcWQQYi.com
www.QS41X9DIxP.com
www.pNMfQfCMcc.com
www.VWG3uvAFJ5.com
www.xuOEZYTq59.com
www.cO4FBGST1R.com
www.oP3S64bPio.com
www.m6tdbpSTqx.com
www.Mku7nd9aSV.com
www.ba68B1FWwi.com
www.wu8wZ0WHFw.com
www.mXuLDj22ZO.com
www.7lR8sv2HQz.com
www.XIvUqahVFC.com
www.O34IJTfFR3.com
www.9JCjV8tO20.com
www.ObWas8qSis.com
www.WXtFl7etTS.com
www.nFl3bgOHQi.com
www.RDuJLlThUt.com
www.JKY80bY34O.com
www.L1ECJ8EqTy.com
www.nFabIyFbU1.com
www.tLuxaXTSmY.com
www.C8BmA1rt9B.com
www.aR2jHV5Iug.com
www.bU53t9Fvpn.com
www.n3D2ett5DN.com
www.Nc3YLZ5nJA.com
www.qIWoeTCg4A.com
www.N3kVqjPXhz.com
www.vSSYJhcCH0.com
www.KXIOLfXc25.com
www.mPKrYCjfMC.com
www.9rVoNSyQxj.com
www.MyCgdkNVSO.com
www.dqi0XrnSTS.com
www.LYgzgyT2pi.com
www.SRbXhfgCyW.com
www.i9l8ExEEzi.com
www.646C1ofLE2.com
www.Bi3R8QqOMo.com
www.VKE5kAXBig.com
www.8hRjtIsupm.com
www.YgCYcX8iux.com
www.enJZpDk1yv.com

Coin Mining:

Other Related Strings:


Process Injection:

SonicWall, (GAV) Gateway Anti-Virus, provides protection against this threat:

  • GAV: Rust.DGA