Jump to content

Recommended Posts

Posted

9PVpKVW.jpg

Malware downloader using some anti-forensics (doesn't work), UAC bypass method (uacme concept #10) and seems full of specific code for various AV's behaviour detection systems. According to VT there is no meaningful name to it from AV, yet. Loader comes probably from script-kiddie who previously worked on ransomware(s). Nick name "Phobos".

Reviewed by damagelab -> https://damagelab.org/index.php?showtopic=25839 (site unavailable at the moment of post).

Except uac bypass so far there is nothing interesting in this loader. Malware injects itself into copy of explorer.exe and by using IFileOperation autoelevation (trigger UAC set on max) copies bthudtask.exe to system32\setup folder. Next it makes a copy of system dll newdev.dll, patches it with shellcode (EPO + new section) and again with IFileOperation (triggering UAC 2nd time) copies this dll into system32\setup. Next loader start bthudtask.exe with ShellExecuteEx. As result there happening classical dll hijacking and since bthudtask.exe autoelevated, malware stored inside patched newdev.dll will be running on High IL. This autoelevation method abuses way of whitelisting MS did with UAC, where it doesn't control full path to autoelevated application (while they actually must be all hardcoded) nor controlling application specific dlls loading path (even if application inside system32 you must control it too) allowing attacker do all required manipulations inside Windows folder, preparing things for successful dll hijacking.

After successful elevation you will see hit-parade of spawning processes - two copies of explorer.exe for example or svchost.exe if something went wrong. That circus not suspicious at all, sarcasm. There was an interesting overview of successful/failed autoelevations in damagelab post. Statistic data show that most of people (in targeted countries) sit under default UAC settings (or with UAC turned off) even on Windows 8.1.

Please don't be shy and submit sample to as many AV companies as you can.

VT dropper

https://www.virustotal.com/en/file/903d299b366ef1ba11538924dd57811aff80b8b91123889b872a098639a8effa/analysis/1431575696/

VT loader part

https://www.virustotal.com/en/file/ad3ba3bcd64aa9670389bedebe328c6874c96f2dea6ec2abb41b8c7537dc3d8d/analysis/1431574970/

Sample courtesy of vaber and R136a1

Dropper and patched by shellcode newdev.dll in attach.

Download

Pass:

malware

Source

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...