My last post got a very positive response, which is great. I actually had an interesting talk with the author, who graciously gave me a licence to analyse the remote administration tool. The author went on to tell me that any licence holders who use the tool maliciously will be banned, and that its primary purpose is system administration (Internet cafes etc.). Note: the class and method names below are the ones produced by de4dot's character deobfuscation (renaming), not the names in the shipped binary.
The cracked version has a lot of broken features and is already partly deobfuscated, which works in favour of AV and defence vendors because it is much easier to detect. The original version opens with the usual tricks, namely LZMA compression and XOR. But first: in the builds I have seen, Imminent has some static methods that let us recognise it as Imminent; one of them returns a hello message. The other methods in <Module> have their names character-obfuscated, but notice the one containing "Hello".
Imminent has three resources that are used during unpacking; as I said, a combination of LZMA and XOR is involved. An interesting algorithm popped up again, the one I discussed in the last article. I did not deobfuscate the characters this time, so it looks a little crazy, but it is essentially the same thing.
This operation is run before a resource is decompressed with LZMA. The key is different from the one I gave in the earlier article; this time it is !!@@##$$%%^^&&**(())__++. The output is an obfuscated binary whose characters can be substituted in de4dot, much like the original binary. Extracting the config for a particular build is a little more challenging and involves <Module>.byte_0, which is referenced throughout the assembly. The image does not show all of the methods that use byte_0.
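The two-stage unpacking described above, XOR followed by LZMA decompression, as an added example; this is my own code, not the post's or Imminent's. It assumes a plain repeating-key XOR over the whole resource and the LZMA SDK "alone" framing (5-byte properties header plus 8-byte size) that the .NET SevenZip decoder reads, which Python's lzma module calls FORMAT_ALONE; neither detail is stated on the page, and the sample resource is constructed inline.

```python
"""
Added example (not code from the original post or from Imminent Monitor):
reproduce the two-stage unpacking, a repeating-key XOR with the key quoted
in the post followed by LZMA decompression.

Assumptions (not stated on the page): the XOR is a plain repeating-key XOR
over the whole resource, and the LZMA stream uses the LZMA SDK "alone"
framing (5-byte properties + 8-byte uncompressed size), i.e. lzma.FORMAT_ALONE.
"""
import lzma
from itertools import cycle

XOR_KEY = b"!!@@##$$%%^^&&**(())__++"   # key quoted in the post


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def unpack_resource(resource: bytes, key: bytes = XOR_KEY) -> bytes:
    """Undo the XOR layer, then LZMA-decompress the embedded resource."""
    plain = xor_bytes(resource, key)
    try:
        return lzma.decompress(plain, format=lzma.FORMAT_ALONE)
    except lzma.LZMAError as exc:
        # Wrong key, or a different LZMA framing than assumed here.
        raise ValueError("XOR key or LZMA framing does not match") from exc


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check: an unpacked .NET stage should start with 'MZ'."""
    return blob[:2] == b"MZ"


def pack_resource(payload: bytes, key: bytes = XOR_KEY) -> bytes:
    """Inverse of unpack_resource; only used here to build test input offline."""
    return xor_bytes(lzma.compress(payload, format=lzma.FORMAT_ALONE), key)


if __name__ == "__main__":
    # Constructed stand-in for an extracted resource. Real input would be the
    # raw bytes of one of the three embedded resources pulled from the sample.
    fake_stage = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 4096
    recovered = unpack_resource(pack_resource(fake_stage))
    print(len(recovered), looks_like_pe(recovered))
```

If the decompression raises on a real resource, the usual causes are a different XOR key for that build or a raw LZMA stream without the size header; in the latter case try FORMAT_RAW with a filter chain built from the 5-byte properties.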
A large number of unsigned integers are used, which I suspect feed the configuration. They change drastically between builds, and config decryption is spread across many methods that call one another. The config is assigned by smethod_29, the method that transforms the unsigned integers into a readable config. The main method inside smethod_29 is method_4, which, once run, shows us the config in all its glory. Incidentally, the same routine is also used for an executable that we will look at in a moment.
We can see a lot of things in the config, such as the host, startup entries and mutex. Among the things to look for while conducting an analysis are the build settings and version. The build settings are neatly formatted together, making them easy to read, and the version is obvious; the build in the above image is 4.2.
The assembly that also uses smethod_29 references all the DLLs IM needs for its more advanced operations. Once decrypted with smethod_29, that binary carries an injector, lzloader, video and client plugin in its resources.
One protection mechanism the RAT uses is to mark its own process as critical: if the process is then terminated, either the termination is denied or the user gets a blue screen (a CRITICAL_PROCESS_DIED bugcheck). The blue screen looks something like this, and appears immediately after the process is killed.
The components for this are in "class10", which imports a few APIs to do it from C#. It is not a new technique and can be found in a lot of RATs to keep them unkillable. The imports are kernel32.dll for GetCurrentProcess, advapi32.dll for GetKernelObjectSecurity and SetKernelObjectSecurity, and ntdll.dll for NtSetInformationProcess. NtSetInformationProcess is an undocumented Windows function; called with the ProcessBreakOnTermination information class (0x1D) it makes the process critical. Note that setting this flag requires SeDebugPrivilege, so the sample must already be running elevated for the trick to work. Any executable downloaded from the internet that uses this API should not be run until further analysis.
Imminent Monitor is easily identifiable, as it emits some simple, unique strings. It has a vast amount of functionality: torrenting, reverse proxy, remote desktop, keylogger and so on. Imminent logs these to itself, and because so many items report "Ready", we can write a signature stating that if all of these strings are present in memory, the process is more than likely malware, and specifically Imminent. We can also use the strings to work out which class implements which function. I would advise sysadmins and malware researchers to use these strings in YARA rules and the like: they are unique and there are a good number of them, the "Ready" strings.
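A string-based triage check of the kind suggested above, as an added example that is not part of the original post; it also covers the critical-process P/Invoke names from the previous section. The exact "Ready" strings are build-specific and are not listed on the page, so the regex below matches any short label followed by "Ready", and the memory dump it scans is constructed inline; the threshold of five matches is my own choice.

```python
"""
Added example (not code from the original post or from Imminent Monitor):
pull ASCII and UTF-16LE strings out of a dump, count "<label> Ready" status
lines, and look for the P/Invoke names used by the critical-process trick
(ntdll!NtSetInformationProcess plus the advapi32 security-descriptor calls).

Assumptions: the real "Ready" strings are not listed in the post, so the
regex is generic; the dump is constructed here, not taken from a real process.
"""
import re

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
READY_RE = re.compile(r"^[A-Za-z ]{2,40} Ready$")

# .NET stores DllImport targets as plain ASCII in the #Strings heap.
CRITICAL_PROCESS_IMPORTS = {
    "NtSetInformationProcess",
    "GetKernelObjectSecurity",
    "SetKernelObjectSecurity",
}


def extract_strings(blob: bytes):
    """Yield printable ASCII and UTF-16LE strings found anywhere in blob."""
    for m in ASCII_RE.finditer(blob):
        yield m.group().decode("ascii")
    for m in UTF16_RE.finditer(blob):
        yield m.group().decode("utf-16-le")


def triage(blob: bytes, min_ready: int = 5) -> dict:
    """Score a dump: many '... Ready' lines, or the critical-process imports."""
    strings = list(extract_strings(blob))
    ready = sorted({s for s in strings if READY_RE.match(s)})
    imports = CRITICAL_PROCESS_IMPORTS & set(strings)
    if len(ready) >= min_ready:
        verdict = "likely Imminent Monitor"
    elif "NtSetInformationProcess" in imports:
        verdict = "suspicious: critical-process imports"
    else:
        verdict = "no indicators"
    return {
        "ready_strings": ready,
        "critical_process_imports": sorted(imports),
        "verdict": verdict,
    }


def build_sample_dump() -> bytes:
    """Constructed stand-in for a process memory dump (not a real sample).
    .NET string literals live in memory as UTF-16LE; import names as ASCII."""
    ready_lines = ["Keylogger Ready", "Remote Desktop Ready",
                   "Reverse Proxy Ready", "Torrent Ready", "Client Plugin Ready"]
    parts = [b"\x00" * 16]
    for line in ready_lines:
        parts.append(line.encode("utf-16-le") + b"\x00\x00" + b"\xcc" * 7)
    parts.append(b"ntdll.dll\x00NtSetInformationProcess\x00advapi32.dll\x00"
                 b"GetKernelObjectSecurity\x00SetKernelObjectSecurity\x00")
    return b"".join(parts)


if __name__ == "__main__":
    print(triage(build_sample_dump()))
    print(triage(b"benign program\x00Ready\x00")["verdict"])
```

For production use, replace READY_RE with the literal strings taken from the sample you are analysing and carry the same list into a YARA rule; the generic pattern here is only to show the counting logic.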
Protecting yourself from IM, cracked or original, is far from easy. I would like to thank @MalwareHunterTeam for the swathe of samples received, which allowed me to see the malware from a much broader perspective. Looking into RATs this year has been fairly successful, and I hope that continues.