Unveiling the Hidden Threat: Malware Disguised as Trusted Downloads
The SonicWall Capture Labs threat research team has observed and analyzed new malware that is distributed alongside legitimate software such as Advanced Port Scanner. The malware can download and execute additional payloads, and it receives and executes commands from a remote command and control (C2) server.
The malware comes bundled with legitimate software such as Advanced Port Scanner. One of the bundled components is a malicious DLL named ssleay32.dll, a file name that belongs to a library commonly used by open source projects such as OpenSSL and Qt.
When the main Setup.exe runs, it loads the malicious packed DLL (ssleay32.dll) into memory.
The DLL code is obfuscated with fake API calls:
Once the DLL is loaded into memory, it decodes Base64-encoded shellcode onto the heap and starts executing from there. The shellcode contains the encrypted downloader module, which is later decrypted using the Tiny Encryption Algorithm (TEA).
The malware uses API hashing to resolve API addresses: library names and API names are stored as CRC32 hashes and resolved at runtime:
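When a sample stores imports as CRC32 hashes, the usual analyst approach is to precompute the same hash over a list of likely library and API names and look up each hash pulled from the disassembly. The following is an added example of that lookup and is not code from the sample or from SonicWall; it assumes the sample uses the standard CRC-32 polynomial (the one zlib uses) over the ASCII name, and the candidate name list is a constructed starting point to extend from the export tables of kernel32, ntdll and wininet.

```python
import zlib

# Constructed candidate list: names an analyst would try first for a
# downloader that allocates memory, hollows a process and makes HTTP requests.
# Extend from the export tables of the DLLs the sample references.
CANDIDATE_APIS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualAllocEx",
    "CreateProcessA", "CreateProcessW", "WriteProcessMemory", "ResumeThread",
    "NtUnmapViewOfSection", "GetThreadContext", "SetThreadContext",
    "InternetOpenA", "InternetOpenUrlA", "InternetReadFile", "ShellExecuteA",
]
# Some hashers run over the upper-case or lower-case name; include both.
CANDIDATE_LIBS = ["kernel32.dll", "ntdll.dll", "wininet.dll", "shell32.dll"]
CANDIDATE_LIBS += [n.upper() for n in CANDIDATE_LIBS]


def crc32_of(name: str) -> int:
    """Standard CRC-32 (zlib polynomial) of the ASCII name as an unsigned
    32-bit integer. Assumption: the sample uses this polynomial; a custom
    table or seed would need its own implementation here."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def build_hash_table(names) -> dict:
    """Map CRC32 value -> name for every candidate."""
    return {crc32_of(n): n for n in names}


DEFAULT_TABLE = build_hash_table(CANDIDATE_APIS + CANDIDATE_LIBS)


def resolve_api_hash(h: int, table: dict = None):
    """Return the name behind a hash found in the binary, or None if it is
    not in the candidate table (meaning: add more candidates)."""
    table = DEFAULT_TABLE if table is None else table
    return table.get(h & 0xFFFFFFFF)


def resolve_many(hashes, table: dict = None) -> dict:
    """Resolve a whole list of hashes copied out of the disassembly."""
    return {h & 0xFFFFFFFF: resolve_api_hash(h, table) for h in hashes}


if __name__ == "__main__":
    # Constructed input: two hashes we can compute plus one unknown value.
    found = [crc32_of("LoadLibraryA"), crc32_of("VirtualAlloc"), 0xDEADBEEF]
    for h, name in resolve_many(found).items():
        print(f"0x{h:08X} -> {name or '<unresolved: extend candidates>'}")
```

Hashes that stay unresolved after a large candidate list usually mean the sample normalizes the name (case, trailing NUL) or uses a non-standard polynomial; compare a known pair from the disassembly against `crc32_of` before trusting the table.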
After decrypting the downloader module, the malware creates a new suspended “explorer.exe” process and injects the module into it using the Process Hollowing technique:
Command and Control (C2) Server communication:
At this point the downloader begins execution by sending a GET request to the C2 server:
The downloader builds a GET request to the C2 domain “chap-domain[.]com”, which is hardcoded in the binary. The malware configuration is encrypted with the RC4 algorithm and decrypted at runtime; the malware uses three different RC4 keys, one per operation, stored in the “.data” section of the binary. It uses an implementation of the Mersenne Twister random number generator (MTRNG) to generate the random values for the query string “%s?a=%s&id=%s”.
The following CyberChef snapshot shows decryption of the malware configuration with RC4:
GET request sent to the C2:
Decrypted C2 response:
The downloader uses the open source RapidJSON C++ library to parse the C2 response.
The C2 response contains various commands and options that control further execution:
"postback": "true", <-- Response Back is True
"geo": "IN", <-- Geo Location
"powershell": "false", <-- PowerShell Commands to execute
"postback_url": "post-make.com", <-- Domain to send another Get Request
"postback_path": "c4fel7k.php?cnv_id=" <-- URL Path
At the time of analysis, the C2 server did not respond with the other available commands.
The malware can download a file from a URL sent by the C2 server and execute it.
The code snippet below shows the ability to download a file from a URL and save it to a temporary path:
The code snippet below shows execution of the downloaded file as a new process:
The following code snippet shows execution of PowerShell commands received from the C2:
SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.
Indicators of Compromise (IOC):