Malware Functionality - Malware Behaviour

Table of Contents

1. Notes
   1. Downloaders and Launchers
   2. Backdoors
      1. Reverse shell
      2. RATs
      3. Botnets
   3. Credential Stealers
      1. GINA Interception
      2. Hash Dumping
      3. Keystroke Logging
   4. Persistence Mechanisms
      1. Windows Registry
         1. AppInit_DLLs
         2. Winlogon Notify
         3. SvcHost DLLs
      2. Trojanized System Binaries
      3. DLL Load-Order Hijacking
   5. Privilege Escalation
   6. Covering Its Tracks—User-Mode Rootkits
      1. IAT Hooking
      2. Inline Hooking
2. Labs
   1. Lab 1
   2. Lab 2
   3. Lab 3

Notes

Downloaders and Launchers

Downloaders simply download another piece of malware from the Internet and execute it on the local system. They commonly use the Windows API URLDownloadtoFileA, followed by a call to WinExec to download and execute new malware.

A launcher (also known as a loader) is any executable that installs malware for immediate or future covert execution. Launchers often contain the malware that they are designed to load.

Backdoors

A backdoor is a type of malware that provides an attacker with remote access to a victim’s machine. Backdoors are the most commonly found type of malware, and they often implement a full set of capabilities, that’s why attackers typically don’t need to download additional malware.

Reverse shell

The basic method involves a call to CreateProcess and the manipulation of the STARTUPINFO structure that is passed to CreateProcess. Once the socket is created and a connection is established, the socket is then tied to the standard streams (standard input, standard output, and standard error) for cmd.exe. CreateProcess obviously runs cmd.exe with its window suppressed.

The multithreaded version of a Windows reverse shell involves the creation of a socket, two pipes, and two threads (so look for API calls to CreateThread and CreatePipe). CreatePipe can be used to tie together read and write ends to a pipe. The CreateProcess method can be used to tie the standard streams to pipes instead of directly to the sockets. After CreateProcess is called, the malware will spawn two threads: one for reading from the stdin pipe and writing to the socket, and the other for reading the socket and writing to the stdout pipe.

RATs

A remote administration tool (RAT) is used to remotely manage a computer or computers. RATs are often used in targeted attacks with specific goals, such as stealing information or moving laterally across a network. The structure is the following: the server is running on a victim host implanted with malware and the client is running remotely as the command and control unit operated by the attacker.

Botnets

A botnet is a collection of compromised hosts, known as zombies, that are controlled by a single entity, usually through the use of a server known as a botnet controller. The goal of a botnet is to compromise as many hosts as possible in order to create a large network of zombies that the botnet uses to spread additional malware or spam, or perform a distributed denial-of-service (DDoS) attack.

💡 RATs are used in targeted attacks (they are controlled on a per-victim basis). Botnets are used in mass attacks (all bots at once).

Credential Stealers

GINA Interception

On Windows XP, Microsoft’s Graphical Identification and Authentication (GINA) interception is a technique that malware uses to steal user credentials. The GINA system was intended to allow legitimate third parties to customize the logon process. Malware authors take advantage of this third-party support to load their credential stealers with a Man-in-the-middle (MiTM) attack.

Hash Dumping

Dumping Windows hashes is a popular way for malware to access system credentials. Attackers try to grab these hashes in order to crack them offline or to use them in a pass-the-hash attack. A pass-the-hash attack uses LM and NTLM hashes to authenticate to a remote host (using NTLM authentication) without needing to decrypt or crack the hashes to obtain the plaintext password to log in.

Pwdump and the Pass-the-Hash (PSH) Toolkit are freely available packages that provide hash dumping.

Keystroke Logging

There are kernel-based keyloggers and user-based keyloggers. The former are obviously more difficult to detect. They can be in the form of keyboard drivers inside a rootkit. User-based keyloggers are divided in those that implement hooking and those that use polling. Hooking keyloggers:

• They typically use the SetWindowsHookEx function.

Polling keyloggers:

• They typically use the GetAsyncKeyState and GetForegroundWindow functions.
• The GetAsyncKeyState function identifies whether a key is pressed or depressed, and whether the key was pressed after the most recent call to GetAsyncKeyState. The GetForegroundWindow function identifies the foreground window—the one that has focus—which tells the keylogger which application is being used for keyboard entry.

Persistence Mechanisms

Windows Registry

AppInit_DLLs

Malware authors can gain persistence for their DLLs though a special registry location called AppInit_DLL. AppInit_DLLs are loaded into every process that loads User32.dll, and a simple insertion into the registry will make AppInit_DLLs persistent. The Windows Registry key involved in this type of achieving persistence is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Winlogon Notify

Malware authors can hook malware to a particular Winlogon event, such as logon, logoff, startup, shutdown, and lock screen. The registry entry consists of the Notify value in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

SvcHost DLLs

To identify this technique, monitor the Windows registry using dynamic analysis, or look for service functions such as CreateServiceA in the disassembly. If malware is modifying the following registry keys, you’ll know that it’s using this persistence technique. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ServiceName

All svchost.exe DLLs contain a Parameters key with a ServiceDLL value, which the malware author sets to the location of the malicious DLL.

Trojanized System Binaries

A system binary is typically modified by patching the entry function so that it jumps to the malicious code. The patch overwrites the very beginning of the function or some other code that is not required for the trojanized DLL to operate properly. The malicious code is added to an empty section of the binary, so that it will not impact normal operation. After the code loads the malware, it jumps back to the original DLL code.

DLL Load-Order Hijacking

This technique aims to place malicious DLLs before legitimate DLLs just by using the OS DLL load design. For the sake of example, if the legitimate DLL is not included in KnownDLLs, any binary that loads it will try to check the current working directory before /System32. This means that if a malicious DLL is placed on the CWD, it will have preference before the legitimate one.

Privilege Escalation

Processes run by a user don’t have free access to everything, and can’t, for instance, call functions like TerminateProcess or CreateRemoteThread on remote processes. One way that malware gains access to such functions is by setting the access token’s rights to enable SeDebugPrivilege. Granting SeDebugPrivilege to anyone is essentially equivalent to giving them LocalSystem account access.

The access token is obtained using a call to OpenProcessToken. It follows a call to LookupPrivilegeValueA. Then, AdjustTokenPrivileges is called.

Covering Its Tracks—User-Mode Rootkits

IAT Hooking

Inline Hooking

Inline hooking overwrites the API function code contained in the imported DLLs, so it must wait until the DLL is loaded to begin executing. IAT hooking simply modifies the pointers, but inline hooking changes the actual function code.

Labs

Lab 1

1. What does the malware drop to disk?

In the following picture we can observe the imports and strings. Something that stands out is the call to msgina32.dll and the path HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL. It can be an indicator that we are dealing with GINA interception.

Concerning basic dynamic analysis, we have detected that the malware creates and writes content to a file called msgina32.dll, located in the same directory where the sample is located.

2. How does the malware achieve persistence?

The malware achieves persistence through the Windows Registry. It adds a new value to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL.

3. How does the malware steal user credentials?

msgina32.dll calls to the real functions in msgina.dll unless WlxLoggedOutSAS which passes the credential information to the legitimate DLL but at the same time takes the information and calls another function labeled as Log_to_file, which contains the name of file in charge of storing the data, msutil32.sys.

WlxLoggedOutSAS	Log_to_file

4. What does the malware do with stolen credentials?

All successful user logons are logged to %SystemRoot%\system32\msutil32.sys. The log includes the username, domain and password.

5. How can you use this malware to get user credentials from your test environment?

After rebooting the machine and login again, you can observe that the msutil32.sys file has logged your credentials.

Lab 2

1. What are the exports for this DLL malware?

With PE Viewer we can observe the exports for the DLL. It contains only one export function called “installer”.

2. What happens after you attempt to install this malware using rundll32.exe?

When we run the following command C:\>rundll32.exe Lab11-02.dll, installer we do not observe too much activity. However, if we take a look at the ouput of Regshot, we observe the following thing:

If we recall the Persistence mechanisms that were mentioned in the Notes of this Chapter, AppInit_DLLs was one of them. The DLL that is loaded is present when looking at the strings of the DLL.

3. Where must Lab11-02.ini reside in order for the malware to install properly?

The .ini file must be located at C:\Windows\System32.

4. How is this malware installed for persistence?

As it was mentioned before: “AppInit_DLLs are loaded into every process that loads User32.dll, and a simple insertion into the registry will make AppInit_DLLs persistent.” It copies itself to the file spooolvxx32.dll, located in C:\Windows\System32.

5. What user-space rootkit technique does this malware employ?

It attacks to wsock32.dll, particularly the send function.

6. What does the hooking code do?

It checks if the email is an outbound email and adds another recipient after loading it from Lab11-02.ini.

7. Which process(es) does this malware attack and why?

It attacks thebat.exe, outlook.exe and msimn.exe. These processes are related to the Microsoft Windows email application.

8. What is the significance of the .ini file?

The .ini file contains the encoded email account. If we debug spooolvxx32.dll file, and we set a breakpoint after the file has been read, we can observe that the EAX register contains the actual email address.

Lab 3

1. What interesting analysis leads can you discover using basic static analysis?

In the following tables we can observe the strings and imports of the malware sample.

Strings .exe file	Imports .exe file

Strings .dll file	Imports .dll file

If we recall Keystroke Logging section, the DLL imports suspicious functions such as GetAsyncKeyState and GetForegroundWindow. This might be an indicator of a polling keylogger.

2. What happens when you run this malware?

The .exe file launches a command line window that says “Content Indexing Service”, but it is closed quickly. The next image shows that the content from Lab11-03.dll is copied into inet_epar32.dll, which is located at C:\Windows\System32.

Regshot shows the different actions performed over the registry

Although the tools have not captured any activity linked to kernel64x.dll (it appeared in the strings of the DLL), if we inspect it, we can observe how it tracks the activity of the user.

3. How does Lab11-03.exe persistently install Lab11-03.dll?

It trojanizes the indexing service by changing the entry-point. It redirects the execution to run shellcode, which loads the DLL.

4. Which Windows system file does the malware infect?

The cisvc.exe file.

5. What does Lab11-03.dll do?

It is a polling keylogger.

6. Where does the malware store the data it collects?

It stores the data at the kernel64x.dll file.