Nytro

Soraya: The Worst of Both Worlds

A FortiGuard Labs Technical Analysis

Introduction

Soraya is the first of its kind: a hybrid piece of malware combining the form-grabbing techniques seen in Zeus with the memory-parsing techniques seen in Dexter and JackPOS.

In this report, we join Junior AV Analyst Hong Kei Chan in describing Soraya's installation and then analyzing the two defining elements of Soraya: form grabbing and memory parsing. We will also review the command-and-control (C&C) communication protocol in detail by exploring the features found in Soraya's control panel.

Installation

Many of the samples received by FortiGuard Labs have been packed with custom packing algorithms, where a 24KB UPX-compressed image is mapped back to the original base address and then executed.

Soraya does not import any functions, so it uses a common technique: the base address of kernel32.dll is retrieved from the Process Environment Block (PEB) structure, and the address of each target API is then resolved by comparing hashes computed from the exported API names against hard-coded hash values.

The addresses of the following APIs are retrieved using this custom algorithm:

LoadLibrary
GetProcAddress
VirtualProtect
ZwCreateSection
ZwMapViewOfSection
RtlMoveMemory
CreateRemoteThread
GetModuleHandleW
CreateToolhelp32Snapshot
Process32First
Process32Next
OpenProcess
IsWow64Process
ExitProcess

After getting handles to its target processes, it uses ZwCreateSection, ZwMapViewOfSection, RtlMoveMemory, and CreateRemoteThread to inject itself into a number of system processes, including explorer.exe, to begin its malicious functions.

Download: http://www.fortinet.com/sites/default/files/whitepapers/soraya_WP.pdf
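As an added illustration of the hash-based API resolution described above (this is not code from the FortiGuard report or from the Soraya sample), the following Python builds the lookup table an analyst uses to turn the hash constants found in a disassembly back into API names. The ROR13 hash is an assumption chosen for illustration: the report does not state which algorithm Soraya uses, so a real analysis lifts the routine from the sample and substitutes it for api_hash(). The list of names is the one given in the post.

```python
"""Resolve hashed API names the way an analyst does when annotating a loader
that imports nothing and looks exports up by hash.

Added example; not code from the FortiGuard report or from the Soraya sample.
The hash is a ROR13 accumulator, a common choice in position-independent
loaders, and is an ASSUMPTION for illustration: the report does not say which
hash Soraya uses, so a real analysis lifts the routine from the sample's
disassembly and re-implements it in place of api_hash() below.
"""

# API names the report lists as resolved through the hashing routine.
SORAYA_APIS = [
    "LoadLibrary", "GetProcAddress", "VirtualProtect", "ZwCreateSection",
    "ZwMapViewOfSection", "RtlMoveMemory", "CreateRemoteThread",
    "GetModuleHandleW", "CreateToolhelp32Snapshot", "Process32First",
    "Process32Next", "OpenProcess", "IsWow64Process", "ExitProcess",
]

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    value &= MASK32
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def api_hash(name: str) -> int:
    """Assumed hash: h = ror32(h, 13) + byte, over the ASCII name (no terminator)."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


def build_hash_table(names) -> dict:
    """Precompute hash -> name. On a real job `names` is every export of the
    DLL being walked (kernel32.dll first), read from its export directory;
    here the report's own list is enough to show the idea."""
    table = {}
    for name in names:
        h = api_hash(name)
        if h in table and table[h] != name:
            # Two exports with the same hash would make the loader's lookup
            # ambiguous; flag it rather than silently overwrite.
            raise ValueError(f"hash collision: {name!r} vs {table[h]!r}")
        table[h] = name
    return table


def resolve_hashes(hash_constants, table: dict) -> dict:
    """Map hash constants pulled from the binary back to names.
    Unknown constants map to None so they stand out for manual follow-up
    (an export of a different DLL, or a different hash variant)."""
    return {h: table.get(h) for h in hash_constants}


if __name__ == "__main__":
    table = build_hash_table(SORAYA_APIS)
    # Constructed input: constants as they would be copied from a disassembly.
    seen = [api_hash("ZwMapViewOfSection"), api_hash("CreateRemoteThread"), 0x12345678]
    for h, name in resolve_hashes(seen, table).items():
        print(f"0x{h:08x} -> {name or '<unresolved>'}")
```

The collision check matters in practice: when the table is built from a full export directory, two names hashing to the same constant would mean the loader itself could resolve the wrong function, which is worth noting in the report rather than hiding by overwriting the entry.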
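The injection sequence in the last paragraph (section object, mapped view, remote thread into explorer.exe and other system processes) leaves a recognisable trace in endpoint telemetry. As an added example, not code from the FortiGuard report, the Python below runs simple detection logic over constructed Sysmon-style Event ID 8 (CreateRemoteThread) records. The field names follow Sysmon's schema; the log lines, the allow-list of legitimate sources and the set of watched target processes are constructed assumptions for the example.

```python
"""Flag remote-thread creation into system processes in constructed
Sysmon-style Event ID 8 (CreateRemoteThread) records.

Added example; not code from the FortiGuard report. The loader maps itself
into explorer.exe and other system processes through a section object and
starts execution with CreateRemoteThread. A section mapped that way is not a
loaded module, so the injected thread's start address has no backing module,
which Sysmon reports as an empty StartModule ("-"). Field names follow Sysmon's
Event ID 8 schema; the log lines, the allow-list and the set of watched
targets are constructed assumptions for this example.
"""

import ntpath
from dataclasses import dataclass

# Constructed key=value records, one event per line (no spaces inside values).
SAMPLE_EVENTS = r"""
EventID=8 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\explorer.exe StartModule=C:\Windows\System32\ntdll.dll
EventID=8 SourceImage=C:\Users\bob\AppData\Local\Temp\update.exe TargetImage=C:\Windows\explorer.exe StartModule=-
EventID=8 SourceImage=C:\Users\bob\AppData\Local\Temp\update.exe TargetImage=C:\Windows\System32\svchost.exe StartModule=-
EventID=1 Image=C:\Users\bob\AppData\Local\Temp\update.exe CommandLine=update.exe
EventID=8 SourceImage=C:\Tools\dbg.exe TargetImage=C:\Users\bob\app.exe StartModule=-
"""

# explorer.exe is named in the report; the others are assumed additions
# typical of such targeting. Extend per environment.
WATCHED_TARGETS = {"explorer.exe", "svchost.exe", "winlogon.exe"}

# Sources that legitimately create threads in those processes (assumed baseline).
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}


@dataclass
class Alert:
    source: str
    target: str
    severity: str
    reason: str


def parse_events(text: str) -> list:
    """Parse key=value lines into dicts; blank lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        events.append(dict(tok.split("=", 1) for tok in line.split()))
    return events


def detect_remote_thread_injection(events) -> list:
    """Return an Alert for each Event 8 whose target is a watched system
    process and whose source is outside the baseline. An unbacked start
    address (StartModule == "-") matches the section-mapping pattern and
    raises the severity; a module-backed start is still reported, lower."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != "8":
            continue
        source = ev.get("SourceImage", "")
        target = ev.get("TargetImage", "")
        if ntpath.basename(target).lower() not in WATCHED_TARGETS:
            continue
        if source.lower() in ALLOWED_SOURCES:
            continue
        unbacked = ev.get("StartModule", "-") == "-"
        alerts.append(Alert(
            source=source,
            target=target,
            severity="high" if unbacked else "medium",
            reason="remote thread into system process"
                   + (", start address not in a loaded module" if unbacked else ""),
        ))
    return alerts


if __name__ == "__main__":
    for a in detect_remote_thread_injection(parse_events(SAMPLE_EVENTS)):
        print(f"[{a.severity}] {a.source} -> {a.target}: {a.reason}")
```

The allow-list is what keeps this usable: some system components legitimately create threads in explorer.exe, so the rule should be tuned against a baseline from the environment rather than shipped with an empty list, and the "start address not in a loaded module" condition is the part that separates this injection style from ordinary cross-process activity.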
