Remote administration tools are used often in many attacks, from entry points for APT attacks to the teenager in the bedroom; they are still a popular class of malware used to infect systems today. Nanocore has had many owners since its inception and has undergone many alterations and changes; when the cracked version of Nanocore was released it gave many criminals the ability to use the tool for free. Many now use the cracked version as it is openly available, free and fairly powerful in features. The most popular cracked version, although there are many variants, is the “Alcatraz” crack, which was produced by a prominent reverse engineer. This crack uses version 18.104.22.168, which is fairly old compared to how many revisions Nanocore has since had. There has been much research on Nanocore due to its use in attacks; one such piece is from ‘Kevin’, who in 2014 talked about “decoding” the config of Nanocore. The cracked version uses this old way of holding its configuration and so it is trivial to extract; later versions have implemented different ways of retrieving the configuration.
I was recently browsing Hybrid Analysis and decided to take a poke at this sample; what made me interested in it was the call to “certutil.exe”. I was browsing the various subroutines when I found a fairly long subroutine which had some obvious indicators of string deobfuscation, the repeated use of a ‘key’ being one clue. I call this a ‘banker’ because I used that as a search term on Hybrid Analysis; I have yet to confirm it is used to target users logging into a bank. We could use dynamic analysis to figure out every single string, but logging every return would be laborious compared to copying the string table and working from there. The sample also seems to have various anti-analysis techniques implemented within it; although not in this case, it can sometimes be best to compartmentalise and be realistic about which option is best for getting information on the sample.
We push four arguments to our calls: the length of the input string we wish to deobfuscate, the offset of the input string, the length of the key and the offset of our key. I’m using ‘key’ loosely because the individual characters are used as keys; ‘key pool’ would be a more appropriate term. It is a fairly small function, which is not always the case with malware, and it is an obvious for loop: we loop and perform a comparison in the early stages to check whether the length of our inputString has been reached. We set a char pointer to one of the characters in the key pool, dependent on EDX, and iterate through these by the length of the key string. The index is taken modulo the key length on every iteration, which is fairly common in cryptographic algorithms, so that it wraps around and can handle an input of any length. We also fetch a single character from our input string in preparation for the main operation; every character of the input string is treated separately and has its own iteration.
We then use the familiar XOR operation to manipulate the value that we return. It is quite common to see this used in malware samples and it is fairly trivial to rewrite code to deobfuscate such strings, but the developers made an interesting choice: most of the strings also include complete junk which we do not want to return when deobfuscating, which may be intended to defeat automatic methods of malware detection. By XOR’ing the values with the initial string, you will get exceptions in the code. The key string has every number from 1-9, but we also need to include 0 when we reproduce the string deobfuscation, due to the modulo operation; this is something static analysis may not have caught. If we print our strings without exception handling we get results like this.
The subroutine from which this all gets called is rather wasteful: instead of implementing some sort of loop over an array of these strings, we are presented with a long branch of code which repeatedly calls the same function with a separate input string. This gives IDA a very scary-looking function which is, in fact, very simplistic and could be shortened considerably.
I decided to use Python as I am very comfortable with it at the moment and the script I produce can be turned into an IDA script. Reproducing the values that IDA had provided, appending the 0, and returning the string when we hit an exception, the deobfuscation worked. I confirmed that the deobfuscation worked for strings that had hit an exception by live debugging the sample and replacing the origin of EIP. Here I was able to compare the results, and I saw that the junk characters were ignored. The finished result was produced by copying all the string table lines into a text file, removing the parts that were not relevant and then feeding this to the Python script, which reads it from the file. The end result was successful.
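The routine described above, reconstructed in Python as an added example (this is not the author's script or code from the sample). It assumes the key pool is the digits 1-9 with the 0 appended, indexed with i % len(key), and that the trailing junk decodes to bytes outside printable ASCII, which is taken to be what raised the exception in the author's script; the "offset hexbytes" table format and the sample entries are constructed for the demo.

```python
# Key pool: the digits 1-9 the sample carries, with the 0 appended so that
# key[i % len(key)] has a character for every position.  The exact order of
# the digits is an assumption.
KEY_POOL = b"1234567890"


def xor_with_pool(data: bytes, key: bytes = KEY_POOL) -> bytes:
    """Byte-wise XOR with the key pool, wrapping with i % len(key)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def deobfuscate(data: bytes, key: bytes = KEY_POOL) -> str:
    """Decode one obfuscated string and drop the trailing junk.

    Assumption: junk decodes to bytes outside printable ASCII.  Instead of
    letting that raise, we stop and return what was decoded so far, which is
    what the post's exception handler did.
    """
    out = bytearray()
    for i, b in enumerate(data):
        c = b ^ key[i % len(key)]
        if not 0x20 <= c <= 0x7E:  # first non-printable byte: junk begins here
            break
        out.append(c)
    return out.decode("ascii")


def deobfuscate_table(lines):
    """Decode string-table lines of the form 'offset hexbytes' (constructed
    format standing in for the text file the post built from IDA)."""
    results = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        offset, hexdata = line.split(maxsplit=1)
        results[offset] = deobfuscate(bytes.fromhex(hexdata))
    return results


def make_sample(plaintext: bytes, junk: bytes = b"\x80\x81\x82") -> bytes:
    """Construct an obfuscated entry for the demo.  XOR is symmetric, so the
    same routine encodes; high bytes as junk decode to non-printable values."""
    return xor_with_pool(plaintext) + junk


# Constructed string table (offsets and contents are illustrative only)
SAMPLE_TABLE = [
    "# constructed string table: offset, then hex bytes",
    "0x401000 " + make_sample(b"certutil.exe").hex(),
    "0x401020 " + make_sample(b"kernel32.dll").hex(),
]

if __name__ == "__main__":
    for offset, text in deobfuscate_table(SAMPLE_TABLE).items():
        print(offset, repr(text))
```

The second entry is longer than the key pool, so it exercises the wrap-around that made the missing 0 matter; without it the index `9 % 9 == 0` would reuse the first digit and every tenth character would decode wrongly.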
Reading an article from The Guardian today, I discovered that Google finally plans to demote results deemed to be pirate or illegal (https://www.theguardian.com/technology/2017/feb/20/google-and-bing-to-demote-piracy-websites). It is obviously quite late, and even in the article a spokesman says it is ‘no silver bullet’. The aim is to make it harder for users to find pirated material, but in recent years we have seen that blocking sites has no real effect on piracy.
When The Pirate Bay was blocked by UK internet service providers, most thought that this would be the end of the matter; these people were evidently not familiar with technology. Later on, multiple mirrors were provided by various anonymous identities across the internet to facilitate access to the site. It is now a cat and mouse game which is theoretically infinite. An unlimited number of domains and refreshed IPs mean that it is always possible to provide others access to such a site, unless the media industry is able to block access to the torrenting site everywhere. A study has shown, whether some agree with it or not, that blocking the site didn’t increase sales anyway (https://torrentfreak.com/pirate-bay-block-doesnt-boost-sales-research-shows-150604/).
The music industry in the 90s received a rude awakening from the internet when consumers started to pirate music on a mass scale, and only recently has it provided alternatives to its traditional model of single sales. Ownership has been replaced by renting, with services such as Spotify enabling a user to stream music for a monthly fee without actually owning it. An academic study still states that streaming isn’t stopping piracy (http://www.sciencedirect.com/science/article/pii/S0969698916301849); has the music industry been too slow in implementing a suitable model for consumers to use rather than piracy? If we look at the Premier League, they have kept the same subscription format for quite a while; only NOWTV (a match-by-match purchase alternative) was started four years ago. This contrasts with Kodi, which has been developed since 2004 and is the source of a lot of piracy for everyday consumers, who purchase a ‘Kodi Box’, a familiar Android system with apps enabling people to watch various content. There is a parallel between the music industry sticking to a model and the sport entertainment industry doing the same, although of course you cannot ‘own’ sport entertainment. What is interesting to note is how slow industries are to react to piracy in an effective way, with most simply opting to fight fire with fire, in my opinion.
Social media plays a big part in distributing information about piracy, and it is also much harder to cut down on. Examples include a YouTube tutorial on bypassing the block, Facebook users having a conversation, or a link shared on Twitter. The most technically minded users on these sites use their knowledge and pass it down, albeit simplified, to a non-technical audience so they can continue pirating. Many tech-savvy users also produce websites linking to football streams, which are then shared on multiple platforms like Twitter, Reddit and Facebook. This has left the entertainment industry with a very large and hard problem: how can it be stopped? Blanket censorship of live stream sites is implausible; if it isn’t Twitter, Facebook or YouTube, an alternative would be developed.
The word monopoly means different things to different people; some see it as a positive, dominating a business and getting as much profit as possible compared to competitors. Others see monopoly as an ugly word, pushing prices up because of the market share a particular company has on a product, becoming more powerful and relentlessly attacking small independent businesses. The TV channels in the UK that cover the Premier League, arguably the biggest league in the world, have been consistently raising the subscription fees for their services (http://www.mirror.co.uk/money/sky-prices-going-up-march-9658301)(http://www.independent.co.uk/news/business/news/subscription-costs-to-rise-after-skys-42bn-bet-on-football-rights-10121473.html)(http://www.wired.co.uk/article/bt-broadband-bt-sport-price-increases). This is mostly to stay competitive as the Premier League’s TV rights increased by 71% (http://www.bbc.co.uk/news/business-31379128).
Looking at Google Trends we can see something interesting: when searching for ‘Sky Sports’ we see a slight decline in interest overall, as the graph depicts. This is because sport content has become easily available on the internet from alternative providers, be they illegal or legal.
The related queries for Sky Sports show the rise of piracy online, with queries such as ‘cricfree sky sports’ and ‘wiziwig’ appearing alongside the big providers. Wiziwig was subsequently shut down in 2015 (http://www.independent.co.uk/voices/comment/the-premier-league-has-shut-down-wiziwig-but-it-cant-keep-the-pirates-at-bay-for-ever-9959136.html), but alternatives with similar names cropped up early on; this is similar to what happened when Silk Road was shut down (http://www.theverge.com/2013/10/4/4799770/drug-dealers-set-up-mini-silk-roads-after-federal-bust) and The Pirate Bay (excluding mirrors from the argument) (https://www.extremetech.com/extreme/195936-the-pirate-bay-revived-by-rival-isohunt-while-figures-show-no-decline-in-piracy-after-shutdown).
Looking at Google Trends for the term ‘Kodi Box’ shows us a very interesting picture. From late 2014, Kodi begins to appear in Google search terms and starts to rise. It has had slight declines but seems to have steady growth, and it is only one alternative in sport piracy, a hub for providers like cricfree and others alike.
Cricfree holds a range of coverage of different sports, but its main audience is football. Its administrators are competent and well versed in censorship circumvention, and it is by far the biggest source for finding football via Flash streaming online at this moment in time. Cricfree’s trend peak was around March-April 2016, similar to Kodi’s trend, which was set to 100 on Google’s scale. In my view, the correlation with the services’ rise can be put down to the announcements from media outlets of further price rises to services, most of them published in March to April 2016 (http://www.moneysavingexpert.com/news/protect/2016/03/customers-could-pay-72-extra-a-year-for-sky, http://www.express.co.uk/life-style/science-technology/655242/Sky-TV-Subscription-UK-Prices-Increase-June, http://www.mirror.co.uk/money/sky-tv-hiking-prices-again-7600479, http://www.telegraph.co.uk/bills-and-utilities/tv/how-to-avoid-sky-price-hikes/, https://recombu.com/digital/article/sky-price-rises-june-2016-sport-movies-bundles-increases).
Google Trends shows that people still use Google, so is this policy a step in the right direction? Well, if we look at social media to quantify the popularity, we can see that information is distributed in many ways. We cannot resolve this by censoring as there are too many sources; it shows that we cannot always rely on technological solutions for technological problems. From 116 posts about ‘cricfree’ on Twitter, posted by 99 users, 101,528 people were reached (I used Keyhole.co for these statistics). A YouTube video showing users how to get BT Sport and Sky Sports for free on Android/iOS devices has 54,000 views in a year. Various football team subreddits, some with 50,000+ members, outline how to watch the game for free using Kodi and other equipment for a one-time cost. Facebook’s video platform is often exploited to show Premier League games; although shut down often, they appear once again soon after the previous one is closed. So why is football piracy becoming so popular?
Football is undoubtedly the UK’s most popular sport and it has always been popular with the working class, as one study states, ‘at least from the 1890s on’ (http://www.pages.drexel.edu/~rosenl/sports%20Folder/Sport%20and%20the%20Working%20Classes.pdf). Due to the huge media coverage of football all around the world, ticket prices around the country have increased to a hefty sum; football stadiums have seen gentrification from the 90s to the 00s and, with clubs starting to build new stadiums, it does not seem to be stopping (https://www.netbet.co.uk/blog/2017/01/23/football-money-gentrification-football/). With it becoming harder to pay for tickets at Premier League clubs and the price of TV subscriptions going up, very little is needed to explain why many are moving to piracy to watch games. Frustrated and angry at the franchise, many have little sympathy for the content being pirated.
Pirate sites vary in sophistication; many may steal or scrape links from other providers, but streams must come from somewhere. There are many parts to the football piracy ecosystem, where content is delivered via Flash, HTML5, Acestream or other P2P technologies. Cricfree uses Akamai media content delivery for some live streams, although it diversifies the live stream sources to other operators as well, presumably because copyright holders are fairly active in take-down requests. These streams have blurred-out corners to avoid forensic analysis of the subscriber (http://tech.thaivisa.com/this-is-bad-news-if-you-stream-premier-league-football-or-tv-broadcasts-online/18204/) and show that even media content distributors are unaware that pirates are using their platform. With P2P technologies, developers will soon create an application that is intelligent, cannot be taken down and is able to find HD or quality streams. Looking at Popcorn Time, it was so popular due to being like Netflix; Kodi apps are quite close to this, but consistency, quality and resistance to take-down are features still lacking in many.
How could pirates make revenue to pay for their equipment and the risk of getting caught? Overlay advertising within a stream during half time and in corners of the screen, which is not too much of an annoyance to the user, would be one way. Cheaper subscriptions than “legal” providers is another path many are taking, namely the infamous Acestream streamer named bloodzeed. It is very plausible that a capable network of technologists and criminals could provide the world with a world-beating sport streaming service which could topple big sport TV entertainment channels. Pushing Google results further down is not the solution; a change of business model for its target consumer is. Learning from history, technology is able to circumvent any barriers that organisations may put up, including technical solutions like Cisco’s protection system (http://tech.thaivisa.com/this-is-bad-news-if-you-stream-premier-league-football-or-tv-broadcasts-online/18204/).
Many people already welcome sport streaming as they see legal products as too expensive. If a service prevails which is resistant to take-down and provides HD content, the UK public will not be calling for it to be taken down but rather rejoicing, as sport entertainment monopolists fall because they fail to engage sport fans. This cannot be solved by technology.
I notified the WordPress team of a non-critical cryptographic flaw in their multi-site feature which can give an attacker a vector for impersonation in certain special circumstances. It sounds like a very good vulnerability when I say impersonation, but it is non-critical; I will explain further in the article. WordPress multi-site allows you to manage multiple blogs (with different domains) in one place. This can be attractive to businesses with multiple installations of WordPress; it can also segment multiple teams that you may be managing, which is helpful. The vulnerability was reported on the 26th of September and they replied on the 28th. This research was for my job at Insinia, where I was looking at possible attack vectors in a default installation of WordPress. I discovered many things in WordPress but have decided first to simply talk about the flaw that I found, for simplicity and to keep things less cluttered.
This year has been remarkable for computer security in many ways; while I could list all of the security breaches we were notified of this year, I think nobody in the security industry can disagree that Mirai was the most notable of 2016. Covered heavily by major news outlets due to the botnet’s power, we can now discuss how routers and kettles can destroy the world. There is a larger talking point around why routers, cameras and other ‘smart’ connected devices are poorly made in terms of security, which in my opinion comes down to a lack of skilled workforce across the globe, the rise of consumerism and the requirement to have produced something on budget. But one thing is certain: we should be employing more people in security; we have left it too late and we must start catching up in 2017.
More often now, box ticking in computer security is no longer an option. We can look at many attacks against large companies like TalkTalk or Tesco which were done in different ways, although the Tesco hack is still under speculation. TalkTalk last year produced an embarrassing bit of news: they were hit with an SQL injection. When I first heard this I thought it was a joke, especially as it was on the main part of TalkTalk’s site and not an obscure location. The only way this could have happened is by doing the bare minimum for security regulation, simply ticking boxes which are usually wide in definition and accepting the rest as risk appetite. In April 2015, I discussed the lack of TLS/SSL in what I will now say is TalkTalk’s communication with its customers’ routers, which could lead to classic man-in-the-middle attacks (Article). This year Mirai attackers decided to utilise the protocol to take over routers, and again some TalkTalk customers experienced issues. The up-to-date TR-069 protocol is fairly feature-filled with security, although I haven’t extensively researched the protocol. With little to no authentication, certain botnet operators had power we rarely see anyone have, achieved in a fairly trivial way, which is the most worrying thought. The lack of employed security people doing what I call “background” research in security is astonishing; many open source technologies are only occasionally reviewed for security because it’s not seen as beneficial to the companies that use them. Heartbleed in 2014 produced a reason why background research is needed: an open source project had a buffer underflow, in a security context a fairly trivial (again) error. In 2017, I would like to see more companies allowing security researchers to research more abstract areas like OpenSSL; Mozilla asked Cure53 to analyse cURL, a popular tool used by many in many different circumstances.
They found a large number of vulnerabilities, which potentially keeps many companies around the world safe from possible security attacks.
Currently research like this is left to enthusiasts or security analysts who love their job and wish to do more work in the evening (crazy people, right?) :). Companies around the world must understand that they should extend their assets to third parties as well, be it third-party alliances you share information or assets with, or an open source library. Many in risk management would see it as acceptable within their risk appetite to simply leave the third party to produce its own security standards (box ticking, probably). Cooperation and transparency sound like buzzwords on many subjects, but security is so important to every country’s economy and to the well-being of individuals that I would like companies to cooperate and be transparent with their security research; many already do. Transparency in findings allows others to patch security vulnerabilities and understand attacks they may have received recently. Holding back vital technical details does not help anyone except an attacker; this assumes, I must admit, that all companies are competent and vigilant with their security, which is not always the case.
A final category I find interesting this year is the recruitment strategies that many companies are employing; I interact with many people with different backgrounds and see two sides of the story: the hard problem of finding the right candidate, and the confused potential candidate who wants to know where to find security jobs. Security recruitment cannot be like other normal recruitment; many talented individuals are not on classic tools like LinkedIn. Recruiters for security must understand where ‘hackers’ are, how to tell if someone is struggling with the basics, and have the ability to know a hacker when they see one. Candidates need to be more open, social and energetic. Hard for security researchers, I know, but it is a must. Candidates should start a blog, release research, find things they like, produce points of passion and release content regularly. In 2016 I saw a complete disconnect between the two: the potential candidate for a security job, and the business owners and security recruiters requiring people with expertise. Some major rules that I go by.
Many achievements have been made in 2016 in regard to security; one is the wide adoption of TLS/SSL and a further understanding of, and media attention on, encryption overall. Moving into 2017, hopefully we can get basic authentication implemented in most manufacturers’ product protocols.
First, the major credit must go to MalwareHunterTeam, who initially found this and also analysed it. I will be giving a few more insights that I found interesting in relation to this piece of ransomware. It looks like it was first discovered on the 19th of August and doesn’t look to be very advanced. The sample is obfuscated using Dotfuscator Evaluation, which is advertised prominently in the sample. It is incidentally illegal for them to use it on software on general release, but I’m sure they don’t care about that. It is pretty trivially deobfuscated thanks to de4dot.
It starts a background worker ready to generate its key and start encrypting files. From what I see it generates the initialisation vector on the client using RNGCryptoServiceProvider; the length is set to 16, the conventional IV length for the algorithm used later. The IV is sent as the parameter ‘public key’, which is confusing because symmetric cryptography, not public key cryptography, is being used. The request is sent to a statically set host, downloadfiles.comuf.com; you may have seen comuf.com and wondered why they have done this. For those who don’t know, comuf.com is a 000webhost domain for free hosting. That’s right, this ransomware is not only not using a DGA or multiple hosts, it is using a free one.
It also sends a user agent that is statically set in the sample; I think it is used as a protection against people sending random requests, although a client can obviously change their user agent at any time. The request is sent as a POST and it checks whether the response comes back with a status code of OK (200). It then splits the response body on linefeeds; from the analysis I have done, the resulting array turns out to be the key used when encrypting files later on.
The ransomware then goes through the disks and filters out CDROM, NoRootDirectory and Unknown drives (Ref). It then moves on to finding files; like most ransomware it uses a list of extensions, mostly picture, database, archive and office extensions, to encrypt for speed. It will not encrypt files in the C:\Windows folder. It also checks whether the file name contains “bg”; if it does, the file is not encrypted. This is so they don’t encrypt the wallpaper they will use, which is called bg.jpg.
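The selection rules just described, written out as an added triage helper in Python (not code from the sample or from the author) so that an incident responder can work out which files on a host were candidates. It assumes the drive filter maps onto .NET's System.IO.DriveType names, that the path and name comparisons are case-insensitive (the page does not say), and the extension list and the host inventory below are constructed, illustrative stand-ins for the real ones.

```python
from enum import Enum
from pathlib import PureWindowsPath


class DriveType(Enum):
    """Names mirror .NET's System.IO.DriveType, which the sample filters on."""
    Unknown = 0
    NoRootDirectory = 1
    Removable = 2
    Fixed = 3
    Network = 4
    CDRom = 5
    Ram = 6


# Drive kinds the post says the sample discards before scanning.
SKIPPED_DRIVE_TYPES = {DriveType.CDRom, DriveType.NoRootDirectory, DriveType.Unknown}

# Constructed, illustrative subset: the post only says the real list is mostly
# picture, database, archive and office extensions.
TARGET_EXTENSIONS = {".jpg", ".png", ".docx", ".xlsx", ".pdf", ".zip", ".sql", ".mdb"}


def scanned_drives(drives):
    """drives: iterable of (root, DriveType); returns the roots the sample would walk."""
    return [root for root, kind in drives if kind not in SKIPPED_DRIVE_TYPES]


def would_encrypt(path: str) -> bool:
    """Apply the three filters from the post to one absolute Windows path.

    Assumption: comparisons are case-insensitive.
    """
    p = PureWindowsPath(path)
    parts = [part.lower() for part in p.parts]
    # 1. nothing under C:\Windows is touched
    if len(parts) >= 2 and parts[0] == "c:\\" and parts[1] == "windows":
        return False
    # 2. any file whose *name* contains "bg" is skipped, not only bg.jpg itself,
    #    so unrelated files such as budget_bg.xlsx survive by accident
    if "bg" in p.name.lower():
        return False
    # 3. only files with a targeted extension are encrypted
    return p.suffix.lower() in TARGET_EXTENSIONS


def triage(paths):
    """Split paths into those the sample would have encrypted and those it spares."""
    hit = [p for p in paths if would_encrypt(p)]
    spared = [p for p in paths if not would_encrypt(p)]
    return hit, spared


# Constructed host inventory for the demo
SAMPLE_DRIVES = [
    ("C:\\", DriveType.Fixed),
    ("D:\\", DriveType.Removable),
    ("E:\\", DriveType.CDRom),
    ("F:\\", DriveType.Unknown),
]
SAMPLE_PATHS = [
    r"C:\Users\Ash\Pictures\holiday.jpg",
    r"C:\Users\Ash\Documents\budget_bg.xlsx",
    r"C:\Windows\Web\Wallpaper\img0.jpg",
    r"C:\Users\Ash\Downloads\Pokemon\bg.jpg",
    r"D:\backup\accounts.mdb",
    r"C:\Users\Ash\notes.txt",
]

if __name__ == "__main__":
    print("drives walked:", scanned_drives(SAMPLE_DRIVES))
    hit, spared = triage(SAMPLE_PATHS)
    print("would be encrypted:", hit)
    print("spared:", spared)
```

The "bg" rule is the one worth checking against real inventories: because it is a substring test on the file name, any document with those two letters in its name is skipped, which both shrinks the blast radius and gives a quick sanity check when reconciling which files were actually touched.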
After encrypting every file it sees fit, it sends a request to complete.php with some basic information such as the IV, the name of the machine, operating system, processor, and which drives were found and their sizes. It also saves the IV on the machine, in the Downloads/Pokemon folder. If we understood the variant of ransomware and the host was up, decrypting files would be very easy. I think the author is confused about how public key crypto works; the key is still derived from the initial request, so attempting to use the IV and key in a public key crypto way is not a great idea.
Lastly it sets the desktop background to bg.jpg and starts Pokemon.exe; it also has Pokemon music in its resources which is played when executed. This piece of ransomware was interestingly targeted towards Pokemon users, obviously trying to ride something current and popular so that people download and execute it. The malware itself was bad in many ways, which is good from a defence perspective; the attacker does not seem to be sophisticated. The worrying thing is that you do not have to be very sophisticated in coding or hacking to produce something that may make small businesses or individuals pay up.
I was notified of a recent sample which has been dubbed a “reborn” version of the Hawkeye keylogger. The developer in question repeatedly shows poor understanding of web application security and lacks any real innovation in keylogger malware. Despite this, many decide to purchase this malware for various reasons. Many different users have taken on the ‘Hawkeye’ project; the latest is a malware developer who created the quite laughable ‘iSpy’ software.
Hash – SHA256 :
While I’ve been looking further and further into remote administration tools, I decided to step back for a moment and look at it from a general point of view. I’ve been focusing on three RATs at the moment: Imminent Monitor, Nanocore and Luminosity Link. These are advertised on a US forum and discussed on English-speaking forums; although distributed around the world, the main audience for these is western developed countries.
I looked at YouTube and made some queries, filtered to the past month so I know what’s recent. Some of the videos relating to the RATs were not relevant to the software in question, but I can’t filter all of it out. It should be looked at from a general point of view, and most of the discrepancies were in the small portions of the research, which we won’t be focusing on. The idea of looking into what’s being discussed on YouTube is that it gives some insight into trends. For example, PoisonIvy, a very dated RAT, isn’t discussed much on YouTube anymore, with just 88 videos in the past month. While njRAT is the clear leader of what is being discussed on YouTube, the content uploaded is usually from eastern countries like Syria, Egypt and Turkey (not exclusively).
The number of videos per RAT in March 2016:
NjRAT – 1,560
darkcomet – 771
blackshades – 22
netwire – 3
luminositylink – 11
nanocore – 48
babylon rat – 393
cybergate – 133
xtreme rat – 379
poison ivy – 81
bozok – 8
A large portion of these videos are in Arabic, and give some insight into other countries around the world and what is relevant to them. It is notable that many of the videos uploaded from eastern countries point to Facebook profiles or Skype contacts that provide further information about the individual; some of these obviously won’t be sophisticated attackers. As well as corporate security I am also interested in individuals’ security, so this is still relevant: many videos uploaded about RATs leak information about the uploader or the clients they hold. For example, an Arabic video explaining njRAT surfaced on YouTube on the 21st of March; he first explains about a VPN and goes through various steps to finally create a dynamic host, lala123.no-ip.biz. The corresponding IP is 22.214.171.124, which is the VPN’s IP (hostname: 33-153-255-141.dynip.ipjetable.net).
Further into the video we find that he uses the NO-IP client and spills some of the previous names he has used with NO-IP, one of them being MAF12.no-ip.biz; this corresponds to a different IP (126.96.36.199) which is owned by an Algerian telecom. While we can’t make too many assumptions, the probability of that being his IP is quite high. We can learn other things about malicious software from YouTube as well, although RATs are more commonly shown than other forms. There are of course many other streams of information available on the internet, some more accurate and concise.
I can take a few things from this information. Attackers are still using very outdated, broken, ill-featured software, and it is distributed widely for further use, especially in eastern countries. Remote administration tools trickle down if they are free but are rarely used if they are ‘premium’ RATs, even when cracked. Even though remote exploits have been found for DarkComet, users still persist in keeping DarkComet alive, most likely because it’s well known for being free.
There are of course exceptions and maybe even contradictions to the statements I’ve made, but researching on YouTube is an essential threat intelligence tool in my eyes, as attackers get older and remember the tools they’ve used before. YouTube is a platform where users can learn about such tools without breaking through the barriers of forums or extensive searches.
That’s all from me, thanks for looking.
My last post got a very positive response, which is great; I actually had an interesting talk with the author, who graciously gave me a license to analyse the remote administration tool. The author proceeded to tell me that any licenses used maliciously will be banned, and that the primary purpose is system administration (Internet cafes etc.). Note: class names and method names are translated from de4dot character deobfuscation.
The cracked version has a lot of broken features and is partly deobfuscated in the first place, which gives AVs and defence providers a positive as it is much easier to detect. The original version has some normal tricks to start off with, involving LZMA and XOR. But first, from the builds that I’ve seen, Imminent has some static methods which allow us to know that this is Imminent: it gives us a hello message. Other methods have their characters obfuscated in the <module>, but notice this one has a “Hello”.
Imminent has 3 resources which are used for unpacking; a combination of LZMA and XOR is used, as I said. An interesting algorithm popped up again which I talked about in the last article. I didn’t deobfuscate the characters this time so it looks a little crazy, but it’s essentially the same thing.
This operation is used before it decompresses a resource file using LZMA. The key is different from the one I stated in my earlier article; the key this time is !!@@##$$%%^^&&**(())__++. This yields an obfuscated binary whose characters can be substituted in de4dot much like the original binary. Extracting the config for a particular build is a little challenging and involves <Module>.byte_0, which is commonly referenced throughout the assembly. The image does not show all the methods that use byte_0.
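The XOR-then-LZMA unpacking step described above, as an added Python example (not code from Imminent or from the author). It uses the key quoted in the post and assumes the resource is stored in the .lzma "alone" container (5-byte properties followed by an 8-byte size) that the LZMA SDK's C# encoder produces; the embedded stage below is a constructed minimal PE stand-in, used only so the round trip can be demonstrated offline.

```python
import lzma

# Repeating XOR key the post extracts from this build.
KEY = b"!!@@##$$%%^^&&**(())__++"


def xor_repeating(data: bytes, key: bytes = KEY) -> bytes:
    """Byte-wise XOR with a repeating key (the i % len(key) pattern from the earlier article)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def unpack_resource(blob: bytes, key: bytes = KEY) -> bytes:
    """XOR first, then LZMA, in the order the post describes.

    Assumption: the resource uses the .lzma 'alone' container that the
    LZMA SDK writes (5-byte properties + 8-byte uncompressed size).
    """
    return lzma.decompress(xor_repeating(blob, key), format=lzma.FORMAT_ALONE)


def pack_resource(payload: bytes, key: bytes = KEY) -> bytes:
    """Inverse of unpack_resource; used here only to build a demo blob."""
    return xor_repeating(lzma.compress(payload, format=lzma.FORMAT_ALONE), key)


def is_pe(data: bytes) -> bool:
    """Cheap sanity check on an unpacked stage: an 'MZ' header whose
    e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed stand-in for the embedded stage: a minimal MZ header pointing at
# a PE signature, followed by the "Hello" marker the post mentions and padding.
_stage = bytearray(b"MZ" + b"\x00" * 0x3E)
_stage[0x3C:0x40] = (0x40).to_bytes(4, "little")
_stage += b"PE\x00\x00" + b"Hello" + b"\x00" * 100
FAKE_STAGE = bytes(_stage)
SAMPLE_BLOB = pack_resource(FAKE_STAGE)

if __name__ == "__main__":
    stage = unpack_resource(SAMPLE_BLOB)
    print("unpacked", len(stage), "bytes, looks like a PE:", is_pe(stage))
```

If a real resource fails to decompress, the first thing to check is the container assumption: a raw LZMA stream without the 8-byte size, or an xz-framed one, needs a different `format` argument, and a wrong key shows up as an immediate header error rather than as corrupt output.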
A large number of unsigned integers are used which I suspect hold the configuration. They change drastically in each build, and the config decryption is spread across many methods nested in one another. The config is assigned with the use of smethod_29; this method is where it transforms the unsigned integers into a readable config. The main method inside smethod_29 is method_4, which after being run shows us the config in all its glory. Incidentally this is also used for an executable which we will look at in a moment.
We can see a lot of things in the config such as the host, startup entries and mutex. One of the interesting things we should look for while conducting an analysis is the build settings and version. The build settings are nicely formatted together making it easy to read and the version is very obvious to see, the above image is 4.2.
The assembly that also uses smethod_29 references all the dll’s IM needs for more of it’s advanced operations. Calls to an injector, lzloader, video and client plugin are within the resources of a decrypted binary after using smethod_29.
One protection mechanism the RAT employs is to mark its own process as critical: if the process is then terminated, either termination is denied or the user gets a blue screen. The blue screen would look something like this, and would occur straight after the termination of the process.
The components for this are in "class10", which imports some APIs to achieve this operation in C#; it's not a new technique and can be found in a lot of RATs to keep them unkillable. The DLLs imported are kernel32.dll for GetCurrentProcess, advapi32.dll for GetKernelObjectSecurity and SetKernelObjectSecurity, and ntdll for NtSetInformationProcess. NtSetInformationProcess is an undocumented function in Windows and can be used to make the process appear critical. Any executable downloaded from the internet that uses this API should not be run until further analysis.
Imminent Monitor is easily identifiable as it spits out some simple unique strings. It has a vast amount of functionality such as torrenting, reverse proxy, remote desktop, keylogger and so on. Imminent prints these out to itself; because of the number of items saying "Ready", we can create a signature stating that if all of these strings are in memory it is more than likely malware, and is Imminent. We can also use these strings to identify which class implements which function. I would advise sysadmins and malware researchers to use these strings for YARA rules and the like; they are unique and there are quite a large number of these "Ready" strings.
If you wish to be protected from IM, cracked or original, it is very hard. I'd like to thank @MalwareHunterTeam for the swathe of samples received, which allowed me to see the malware from a much broader perspective. It seems looking into RATs this year has been fairly successful and I hope it continues.
As I stated in this video, I'm going to be focusing much more on RAT analysis. My reasons are given in the second portion of the video for anyone who is interested. I decided to look at a fairly popular RAT called 'Imminent Monitor'. I downloaded the cracked version, which many should note, as this may differ from the original in some ways; I've tried to only include things which I'm sure are wrong with the original as well. There is something positive about analysing cracked malware, as the majority of criminals probably don't want to pay for RATs.
Darkcomet RAT is still actively used today even though it is no longer developed and has been shown to have exploits against it. With this in mind, this cracked version will most likely spread around the internet and be used more than the paid version simply because it is free. I thought I was going to have a fairly long wait to find how to extract the config out of the RAT, but it was really as easy as 1-2-3: literally looking at the first class's constructor.
One of the first threat indicators I can provide to malware guys is that Imminent RAT creates a folder which is always the same, and it is quite unique. It creates a directory called "Imminent" in the application data of the current user. This does not hold the executable but instead holds information to be sent over to the client, such as logs.
The binary uses case statements to make it harder for researchers to make out what's going on. Imminent uses an XOR-like function, but from what I see it isn't exactly XOR. I'm thinking of creating a deobfuscator for this sort of code later on, but for now I solved it manually, which wasn't particularly challenging. The more I look at it the more it looks like XOR, but I'm terrible at checking these things so I'm just going to call it XOR-like.
This XOR-like function is used to encrypt logs and other files stored in the "Imminent" application data folder. I successfully tested my algorithm against the original and got the same result; this was also verified by breakpointing the function where it was encrypting, to make sure the plaintext was the same.
With the same algorithm we can decrypt logs that Imminent creates. Logs are named in a month/day/year format, suggesting the author could be of American origin. An interesting thing about the use of what looks to be XOR is the key provided for the operation: the developer decided to use "sampleKey". Or did he? A person who doesn't copy and paste an algorithm usually chooses a different key than sampleKey; in fact, someone who does copy and paste an algorithm usually changes the key.
byte[] path = System.Text.Encoding.UTF8.GetBytes("C:\\Documents and Settings\\L!NK\\Local Settings\\Application Data\\Startup Folder Name\\MyFile.exe");
byte[] pass = System.Text.Encoding.UTF8.GetBytes("sampleKey");
byte[] ax = xorlike(path, pass);

public static byte[] xorlike(byte[] byte_1, byte[] byte_2)
{
    int num = 11;
    int num5 = 13;
    int num3 = 257;
    // Mix every key byte into the initial state.
    int num6 = byte_2.Length - 1;
    for (int num7 = 0; num7 <= num6; num7++)
    {
        num3 += num3 % (int)(byte_2[num7] + 1);
    }
    // Derive one keystream byte per input byte and XOR it in place.
    int num4 = byte_1.Length - 1;
    for (int num2 = 0; num2 <= num4; num2++)
    {
        num3 = (int)byte_2[num2 % byte_2.Length] + num3;
        num = (num3 + 5) * (num & 255) + (num >> 8);
        num5 = (num3 + 7) * (num5 & 255) + (num5 >> 8);
        num3 = (num << 8) + num5 & 255; // C# precedence: ((num << 8) + num5) & 255
        byte_1[num2] ^= (byte)num3;
    }
    return byte_1;
}
I've decided to show an example of its operation. You can use this for any defence against Imminent if you choose to make one. The code is obviously encrypting the startup path, which is saved in the Imminent folder as "Path.dat"; a rough location of the user is also saved as "Geo.dat", which uses a site called iptrackeronline.com to obtain longitude, latitude, city and finally country.
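To make the XOR-like routine above and the log decryption it enables easier to reason about, here is a Python re-implementation of it. This is an added example, not the blog author's code or anything shipped with Imminent Monitor; it mirrors the decompiled state machine byte for byte. The sample path it encrypts is constructed for the example. The point it demonstrates is that nothing in the generator's state depends on the input data, only on the key and the position, so the routine is a plain XOR with a key-derived keystream and the same call both encrypts and decrypts Path.dat and the log files.

```python
"""Re-implementation of the Imminent Monitor 'XOR-like' routine.

Added example, not the blog author's code. The routine is a small stream
cipher: a generator seeded from the key emits one byte per position and
that byte is XORed into the data. The generator never reads the data, so
the keystream is identical for encryption and decryption.
"""


def keystream(key: bytes, length: int) -> bytes:
    """Return the first `length` keystream bytes for `key`.

    num and num5 are two lagged multiplier registers, num3 is mixed with
    every key byte up front and then with one key byte per position.
    Values stay far below 2**31 for realistic key lengths, so the C#
    32-bit wrap-around does not need to be emulated here.
    """
    if not key:
        raise ValueError("key must not be empty")
    num, num5, num3 = 11, 13, 257
    for kb in key:                       # initial key mixing
        num3 += num3 % (kb + 1)
    out = bytearray()
    for i in range(length):
        num3 += key[i % len(key)]
        num = (num3 + 5) * (num & 255) + (num >> 8)
        num5 = (num3 + 7) * (num5 & 255) + (num5 >> 8)
        num3 = ((num << 8) + num5) & 255  # C#: '+' binds tighter than '&'
        out.append(num3)
    return bytes(out)


def xorlike(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt `data` (same operation) with the key-derived stream."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))


def decrypt_log(blob: bytes, key: bytes = b"sampleKey") -> str:
    """Decrypt a Path.dat / log blob written with the RAT's default key."""
    return xorlike(blob, key).decode("utf-8", errors="replace")


# Constructed sample input (hypothetical install path, not from any sample).
SAMPLE_PATH = b"C:\\Users\\victim\\AppData\\Local\\Startup Folder Name\\MyFile.exe"
ENCRYPTED_PATH = xorlike(SAMPLE_PATH, b"sampleKey")

if __name__ == "__main__":
    print("keystream[:8] =", keystream(b"sampleKey", 8).hex())
    print("ciphertext    =", ENCRYPTED_PATH.hex())
    print("decrypted     =", decrypt_log(ENCRYPTED_PATH))
```

For a defender, the useful consequence is that any Path.dat, Geo.dat or dated log file recovered from the "Imminent" application data folder can be read back with `decrypt_log` as long as the build still uses "sampleKey"; a build with a changed key only changes the argument.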
I discovered a file which deals with processes; I'm not sure at the moment if it's the file updater, download and execute, or persistence. I'm leaning more towards it being a process watchdog but have many things to explore. I discovered it here:
The file was written in C++, which is interesting as most .NET malware doesn't drop anything like C++; it turns out to be a DLL which I assume is injected for persistence, although as I say I don't want to rule out anything yet.
I couldn’t debug in Immunity properly because I use an XP machine with some of the C++ redistributables not installed. This file required GetModuleHandleEx which was provided in 2011 from my research, but I might be wrong.
I'm not going to show a lot of IDA, but it checks for a debugger, creates a thread, opens processes and creates them too. It is also uniquely identifiable because of some of the strings it contains. That is indeed an MD5 hash, which is "killswitch" in plain text.
You can see that correctly, the file is also FUD and still is as I write this article 3 days later.
I was also starting to test out how I could break Imminent Monitor and found that the RAT does not like showing files when a file is out of its format: I named a file in the keylogger folder "ao" and entered a small amount of data. It then proceeded not to show any of the keylogging files available to it. This is it in a broken state.
The task manager disabler functionality that Imminent provides is also quite bad. It simply executes the task manager and makes it invisible. Not exactly to rootkit standards, but I guess it does the trick for the average Joe?
In the cracked version the process protection is broken or non-existent; I am able to kill the process with ease. I am going to do more research on Imminent Monitor; it's been fun to look at so far and I haven't looked through all of it because of time constraints in my life. What I have provided is some threat indicators for AVs so that this RAT can be removed from people's computers with ease, even if crypted. The static path declaration provides an opportunity to remove this RAT from most machines.
I've been looking more at how Imminent can be broken remotely; I've had a few successes with random things, but must look at them in more depth before I decide to release them publicly. A reminder for anyone reading this: if you have an original build that isn't from a cracked client, I would like to have it, so please contact me.
Thanks for looking.