by RSS He Xu  |  Feb 23, 2015  |  Filed in: Security Research

Recently, we found a simple malicious downloader that downloads a fake PDF file.  Unlike a normal malicious loader that integrates the PE Loader code into its binary, this loader has stripped this part and has turned to fetching it online.

Our FortiGuard Labs Threat Intelligence system can detect the traffic of this downloader, which we are detecting as W32/Upatre.FT!tr, efficiently aiding in the analysis of this malware.

Registering Online

Once executed, the loader grabs the local victim’s system information, generates them into a URI, and connects to a server (Figure 1). It is a simple one-way registration as there is no feedback from the server.

Figure 1.  Registration traffic.

In the real example above, the string AVA{Removed}5 is the victim’s computer name, and the 51-SP: is the system version.

Downloading the Fake PDF

The loader downloads its final payload that has a .pdf suffix (Figure 2). However, the contents of this file are not in PDF format.

Figure 2. Downloading the fake PDF file.

The loader uses the embedded key 0x74E7E1C8 to decrypt the fake PDF. After the decryption, the loader checks the double word value at offset 0x12 if it is the same as the whole fake PDF length.  It then checks another double word value at offset 4 if it is the same as its hardcoded signature 0x2E0F1567 (Figure 3).

Figure 3. Decrypted fake PDF file.

If both match, the loader directs a call to the code of the cloud loader (Figure 4), whose offset is indicated just after the signature at offset 8 (Figure 3).

Figure 4. Calling the code of the cloud loader.

In the codes above, esi contains the starting offset of the decrypted PDF file in Figure 3. The call eax code directs execution to the actual cloud loader.

Figure 5. Cloud loader code.

The cloud loader references the same import structure as the original bot file, so we can easily see that the value in the structure offset 0x1134 is the API address of RtlDecompressBuffer. After this API call, the final payload - a malicious PE file - will show up. The cloud loader then uses a tiny trick to check for the ‘MZ’ header signature (Figure 5).

The final payload is not constant.  At the time of this analysis, we have found that the malware has downloaded different malware, such as W32/Battdil.I!tr and W32/Kryptik.CWIM!tr.


Why has this malware removed its loader code from its binary and just fetches it online? We think that this mechanism is done to help reduce the original bot’s size, as well as to help the malware author add more features into its cloud loader much more quickly in the future.

Our FortiGuard Labs Threat Intelligence system will continually monitor its activity according to its multiple detecting mechanisms and should respond when more updates of the cloud loader are released.

by RSS He Xu  |  Feb 23, 2015  |  Filed in: Security Research