A few weeks ago, we received a file that was being spread as an attachment in a spear phishing email. The sample, which we are detecting as W32/Byanga.A!tr, turns out to be a dropper for a bot which, if active in an organization’s system, has the capability to perform malicious activities that can be very damaging to the targeted organization.
This post discusses what this particular malware can do.
The dropper uses a Chinese file name, which translates to “Upcoming Events Schedule”, together with a Microsoft Word icon, in an effort to make the user believe that it is just a Word document.
Figure 1. Word document icon.
After double-clicking this file, an actual Word document is opened.
Figure 2. Opened Word document.
Unbeknownst to the user, a second file, named wuau.exe, is dropped into the user’s Temp folder and executed.
This dropped file, also detected as W32/Byanga.A!tr, is the main bot file. The next section will discuss its capabilities.
The bot’s main malicious code and strings are stored encrypted in its .data section. The encrypted bytes are organized into blocks, as shown below.
Figure 3. Three of the bot’s encrypted code blocks in the .data section.
When the bot is executed, it first allocates memory by calling the VirtualAlloc API. It then copies its encrypted code into the newly allocated memory block by block in reverse order (the last block in .data is placed at the beginning of the allocated memory).
It then runs a first decryption routine, which only partially decrypts the bytes in the allocated memory, and transfers execution to that memory via a CALL EBP.
Figure 4. Using CALL EBP to go to the newly allocated memory.
Once execution reaches the newly allocated memory, the first thing the code does is call another decryption routine, which decrypts the rest of the bot’s code.
Figure 5. Decrypting its code. The code being decrypted is located just below the decryption routine.
The decryption routine in Figure 5 is the same one the bot uses to encrypt and decrypt its network traffic.
Once decrypted, the bot proceeds to resolve the addresses of the APIs it needs. It hides the API names by using the now well-known malware technique of API hashing: the code carries hash values rather than plaintext API names, and an API is located by comparing its hash against the hashes of the candidate exported names.
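The post does not disclose which hash function this sample uses, so the following is an added illustration of the technique rather than the bot’s own code: it assumes a ROR-13 hash over the API name plus its NUL terminator (the variant used by much public shellcode), precomputes the hash of every name a loader would read from a DLL’s export table, and maps hash constants found in decrypted code back to names. The export names listed are a constructed stand-in for a real export directory. The bot performs the same comparison in the other direction: hash each export name as it walks the table and stop when the hash matches the constant.

```python
# Added example: resolving hashed API names. Not the bot's code; the hash
# function (ROR-13 accumulate over name + b"\x00") is an assumption chosen
# for illustration, not the algorithm W32/Byanga.A!tr actually uses.
from typing import Dict, Iterable, Optional


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def api_hash(name: str) -> int:
    """Assumed hash: for each byte of the name and its NUL terminator,
    rotate the accumulator right by 13 and add the byte."""
    h = 0
    for c in name.encode("ascii") + b"\x00":
        h = (ror32(h, 13) + c) & 0xFFFFFFFF
    return h


# Constructed stand-in for a DLL export table: a handful of kernel32
# exports a bot with the capabilities described above would need.
EXPORTED_NAMES = [
    "VirtualAlloc", "VirtualFree", "CreateFileA", "ReadFile", "WriteFile",
    "DeleteFileA", "CreateProcessA", "GetLogicalDrives", "GetDriveTypeA",
    "FindFirstFileA", "FindNextFileA", "GetTempPathA",
]


def build_hash_table(names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name. This is the lookup table an analyst builds
    to recover API names from the hash constants found in decrypted code."""
    table: Dict[int, str] = {}
    for n in names:
        h = api_hash(n)
        # Two exports sharing a hash would make the lookup ambiguous.
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {table[h]} vs {n}")
        table[h] = n
    return table


def resolve_hash(h: int, table: Dict[int, str]) -> Optional[str]:
    """Map one hash constant back to its API name, or None if unknown."""
    return table.get(h)


def resolve_all(hashes: Iterable[int],
                names: Iterable[str]) -> Dict[int, Optional[str]]:
    """Resolve a batch of hash constants against the given export names."""
    table = build_hash_table(names)
    return {h: resolve_hash(h, table) for h in hashes}


if __name__ == "__main__":
    # Constructed input: constants as they might be pulled out of the
    # decrypted code; the last one is deliberately not in the table.
    found = [api_hash("VirtualAlloc"), api_hash("CreateProcessA"), 0xDEADBEEF]
    for h, name in resolve_all(found, EXPORTED_NAMES).items():
        print(f"{h:#010x} -> {name}")
```

When the real algorithm is recovered from the decryption stub, only `api_hash` needs to change; feeding it the export names of kernel32.dll, ws2_32.dll and so on (dumped with any PE parser) then labels every hash constant in the disassembly.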
Instead of pushing its parameters explicitly onto the stack, the bot makes a CALL to a function and places the parameter data immediately after the CALL instruction. The CALL automatically pushes the address of the next instruction onto the stack as the return address, and that address is in fact a pointer to the parameter.
Figure 6. Parameters are pushed to the stack via a CALL instruction.
As we can see in Figure 6, this confuses disassemblers, which treat the bytes following the CALL as code rather than data, making static analysis a little more difficult. This technique is used extensively throughout the bot’s code.
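The construct is easy to spot mechanically once its shape is understood. The script below is an added example, not code from the original post: it scans a raw byte blob for x86 near CALLs (opcode E8 with a signed 32-bit displacement) whose target lies forward of the instruction, and returns the bytes between the pushed return address and the target, which is exactly the “parameter” the CALL hands to the callee. The sample blob is constructed here (a CALL skipping over the string “VirtualAlloc”, followed by a two-byte callee) and is not taken from the sample.

```python
# Added example (not the bot's code): find "CALL over inline data" in a
# byte blob and recover the data the pushed return address points to.
import struct
from typing import List, Optional, Tuple

CALL_REL32 = 0xE8  # x86 near CALL, rel32 displacement from the next instruction


def find_call_over_data(code: bytes,
                        min_len: int = 1) -> List[Tuple[int, int, bytes]]:
    """Return (call_offset, target_offset, inline_data) for every E8 whose
    forward displacement skips over at least `min_len` bytes.

    For `CALL target` at offset i the CPU pushes i + 5, the address of the
    next instruction.  If the bytes from i + 5 up to `target` are data, the
    pushed address is a pointer to that data, which is how the bot passes
    parameters without an explicit PUSH.

    This is a linear byte scan, not a disassembler: an 0xE8 inside another
    instruction or inside data yields false positives, so treat hits as
    candidates to confirm in the disassembly.
    """
    hits = []
    for i in range(len(code) - 4):
        if code[i] != CALL_REL32:
            continue
        rel = struct.unpack_from("<i", code, i + 1)[0]
        next_ip = i + 5
        target = next_ip + rel
        # Only a forward CALL landing inside the blob can be skipping data;
        # backward or zero displacements are ordinary calls or loops.
        if rel < min_len or target > len(code):
            continue
        hits.append((i, target, code[next_ip:target]))
    return hits


def as_c_string(data: bytes) -> Optional[str]:
    """Decode inline data as a NUL-terminated printable ASCII string,
    or return None if it does not look like one."""
    s, _, _ = data.partition(b"\x00")
    if s and all(0x20 <= b < 0x7F for b in s):
        return s.decode("ascii")
    return None


def build_sample() -> bytes:
    """Constructed blob: a backward CALL that is *not* the pattern, then
    `CALL callee` immediately followed by a NUL-terminated string, then the
    callee itself, which finds the string's address on top of the stack
    (here it simply pops it into EAX and returns)."""
    loop_back = bytes([CALL_REL32]) + struct.pack("<i", -5)   # CALL $ (target = itself)
    data = b"VirtualAlloc\x00"
    call_over = bytes([CALL_REL32]) + struct.pack("<i", len(data))
    callee = b"\x58\xc3"                                       # POP EAX ; RET
    return loop_back + call_over + data + callee


if __name__ == "__main__":
    for off, target, data in find_call_over_data(build_sample()):
        print(f"CALL at {off:#x} skips {len(data)} bytes to {target:#x}: "
              f"{as_c_string(data)!r}")
```

Running it over the decrypted memory dump of the bot (rather than the constructed blob) would list each CALL-delivered parameter with its offset; those offsets can then be marked as data in the disassembler so the real code resumes at `target`.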
After resolving its API addresses and pushing them onto the stack, the bot proceeds to communicate with its C&C server.
The bot has two C&C servers that are hardcoded in its body:
It communicates with one of these two servers via HTTP POST requests over port 80, and its network traffic is encrypted and decrypted using the subroutine shown in Figure 5.
Once connected to the C&C server, the bot first sends some information about the infected system in the following format:
It is interesting to note that this sample reports the string “testVersion” (hardcoded in the bot’s body) as its bot version, which makes one wonder whether a “real” version will be released at some point.
As mentioned earlier, this information is encrypted with the subroutine in Figure 5 before being sent to the C&C server.
The bot then waits for further commands.
C&C Server Commands
The following are the commands that the bot accepts from its C&C server.
- ‘C’ : get the following information from the infected system.
- Proxy server information read from the following registry entry:
ProxyServer = [Server Name]
- Contents of the CSIDL_RECENT, CSIDL_DESKTOPDIRECTORY, and CSIDL_PERSONAL folders.
The bot enumerates all the files in these folders, along with information on each file, and sends each file’s information in the following format:
- Software installed on the system, based on the subkeys found under the following registry key:
- ‘A’ : convert string received from the C&C server into an integer.
- ‘L’ : enumerate drives or files.
- If this command is not followed by a string, the bot gets the list of logical drives in the system, as well as their drive types, and sends the information back to the server in the following format:
An example is:
- If this command is followed by a string, the bot assumes that the string is a folder name. It then enumerates all the files in that folder, along with information on each file (the same file information as obtained by the ‘C’ command).
- ‘E’ : create process.
The command line to be executed is sent by the C&C server. Once the process has run, the bot reads the process output and sends it back to the server, which gives the attacker an arbitrary remote shell on the infected machine.
- ‘P’ : create or update file.
When sending this command, the C&C server includes the file name and the expected size of the file it wants to update. If the file does not exist, or if its size differs from the one the server indicated, the bot creates the file and writes the data it receives from the server into it.
- ‘G’ : read file.
The bot reads the contents of the file indicated by the C&C server and sends the data back to the server. Files larger than 0x80000000 bytes (2 GiB) are not read.
- ‘D’ : delete file.
This deletes the file indicated by the C&C server. The bot then reports back to the server whether the deletion succeeded.
As the commands in the previous section show, this bot is capable of stealing potentially sensitive information from its victim, as well as of running arbitrary commands and reading, writing and deleting files on the infected machine. If left undetected, it gives the attacker the means to cause considerable damage to the organization being targeted.
As the hacking incidents that made the headlines in 2014 attest, targeted attacks are becoming increasingly common. Organizations should therefore assume that they will be targeted and make sure that they have a security strategy in place.