TR-23 Analysis - NetWiredRC malware

Overview

CIRCL analyzed a malware sample which was only sporadically detected by a handful of antivirus engines, and only through heuristic detection. CIRCL analyzed the entire command structure of the malware and was able to attribute this specific sample to the NetWiredRC malware family. The malware is a feature-rich Remote Access Tool, and compared to the identified predecessors, this specific version implements even more features.

Pre-Analysis

Sample A

Hashes:

Type of Hash Hash
MD5 37e922093d8a837b250e72cc87a664cd
SHA1 c4d06a2fc80bffbc6a64f92f95ffee02f92c6bb9
SHA-256 3946d499d81e8506b8291dc0bd13475397bbcd7cb6e2c7ea504c079c92b99f62

VirusTotal results for sample A

Engine Result
McAfee Artemis!37E922093D8A
TrendMicro-HouseCall TROJ_GEN.F47V0407
Comodo TrojWare.Win32.Amtar.JEI
McAfee-GW-Edition Artemis!37E922093D8A
ESET-NOD32 Win32/Spy.Agent.NYU
Ikarus Backdoor:Signed.Agent
AVG BackDoor.Agent.AWYR
Scanned: 2014-04-07 - 49 scans - 7 detections

Signature check for sample A

Verified Signed
Signers Avira Operations GmbH & Co. KG
  VeriSign Class 3 Code Signing 2010 CA
  VeriSign Class 3 Public Primary Certification Authority - G5
Signing date 10:52 AM 6/25/2012
Publisher Avira Operations GmbH & Co. KG
Description Avira Notification Tool
Product Avira Free Antivirus
Version 12.3.0.34
File version 12.3.0.34

Import table

  • KERNEL32.dll
  • USER32.dll
  • GDI32.dll
  • ADVAPI32.dll
  • SHELL32.dll
  • COMCTL32.dll
  • SHLWAPI.dll
  • ole32.dll
  • OLEAUT32.dll
  • VERSION.dll

Sections

The section attributes in the file give a first hint of the maliciousness of the file: the .text section is writable, which allows self-modifying code:

SECTION 1 (.text   ):
                virtual size                  : 000314DA ( 201946.)
                virtual address               : 00001000
                section size                  : 00031600 ( 202240.)
                offset to raw data for section: 00000400
                offset to relocation          : 00000000
                offset to line numbers        : 00000000
                number of relocation entries  : 0
                number of line number entries : 0
                alignment                     : 0 byte(s)
                Flags E0000020:
                  text only
                  Executable
                  Readable
                  Writable
SECTION 2 (.rdata  ):
                virtual size                  : 0000E238 (  57912.)
                virtual address               : 00033000
                section size                  : 0000E400 (  58368.)
                offset to raw data for section: 00031A00
                offset to relocation          : 00000000
                offset to line numbers        : 00000000
                number of relocation entries  : 0
                number of line number entries : 0
                alignment                     : 0 byte(s)
                Flags 40000040:
                  data only
                  Readable
SECTION 3 (.data   ):
                virtual size                  : 00003A5C (  14940.)
                virtual address               : 00042000
                section size                  : 00002200 (   8704.)
                offset to raw data for section: 0003FE00
                offset to relocation          : 00000000
                offset to line numbers        : 00000000
                number of relocation entries  : 0
                number of line number entries : 0
                alignment                     : 0 byte(s)
                Flags C0000040:
                  data only
                  Readable
                  Writable
SECTION 4 (.rsrc   ):
                virtual size                  : 000064D0 (  25808.)
                virtual address               : 00046000
                section size                  : 00006600 (  26112.)
                offset to raw data for section: 00042000
                offset to relocation          : 00000000
                offset to line numbers        : 00000000
                number of relocation entries  : 0
                number of line number entries : 0
                alignment                     : 0 byte(s)
                Flags 40000040:
                  data only
                  Readable
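
The section dump above can be checked mechanically for the writable-and-executable condition. The following is an added example (not CIRCL's tooling): it parses the "SECTION n (name):" and "Flags XXXXXXXX:" lines of the dump format shown above, decodes the IMAGE_SCN_* characteristic bits, and reports every section that is both writable and executable; the embedded dump excerpt is reduced to the lines the parser needs.

```python
import re

# IMAGE_SCN_* characteristic bits as defined in the PE/COFF specification
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}

def decode_flags(value):
    """Return the names of all characteristic bits set in a section Flags value."""
    return {name for bit, name in SECTION_FLAGS.items() if value & bit}

def parse_section_dump(text):
    """Extract (name, flags) pairs from a dump in the format shown in this report."""
    sections = []
    name = None
    for line in text.splitlines():
        m = re.match(r"\s*SECTION\s+\d+\s+\((\S+)\s*\):", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s*Flags\s+([0-9A-Fa-f]{8}):", line)
        if m and name is not None:
            sections.append((name, int(m.group(1), 16)))
            name = None
    return sections

def writable_executable(sections):
    """Names of sections that are both writable and executable (self-modifying code candidates)."""
    wx = {"IMAGE_SCN_MEM_WRITE", "IMAGE_SCN_MEM_EXECUTE"}
    return [n for n, flags in sections if wx <= decode_flags(flags)]

# Excerpt of the sample A section dump, reduced to the lines the parser needs
SAMPLE_A_DUMP = """\
SECTION 1 (.text   ):
                Flags E0000020:
SECTION 2 (.rdata  ):
                Flags 40000040:
SECTION 3 (.data   ):
                Flags C0000040:
SECTION 4 (.rsrc   ):
                Flags 40000040:
"""

if __name__ == "__main__":
    secs = parse_section_dump(SAMPLE_A_DUMP)
    for name, flags in secs:
        print(f"{name:8s} {flags:08X} {sorted(decode_flags(flags))}")
    print("writable+executable sections:", writable_executable(secs))
```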

Debugging Sample A

We’re not going into detail about all the obfuscation layers and extraction routines sample A uses, but briefly outline the concept. After an anti-emulation stage, stage 2 decrypts the final malware using the key 0x5A4C4D4D4C4D, which in ASCII is ZLMMLM.

Stage 2 (xor):

.text:0040227A xor:                                    
.text:0040227A                 lodsb
.text:0040227B                 xor     al, [ebx+edx]
.text:0040227E                 inc     edx
.text:0040227F                 jmp     short loc_40229B
.text:00402281 loc_402281:                             
.text:00402281                 stosb
.text:00402282                 mov     eax, edx
.text:00402284                 xor     edx, edx
.text:00402286                 mov     ebp, 6
.text:0040228B
.text:0040228B loc_40228B:                             
.text:0040228B                 div     ebp
.text:0040228D                 loop    xor
.text:0040228F                 mov     eax, ebx
.text:00402291                 add     esp, 6
.text:00402294                 pop     ebx
.text:00402295                 pop     esi
.text:00402296                 pop     edi
.text:00402297                 pop     ebp
.text:00402298                 push    eax
.text:00402299                 jmp     short loc_4022A8
.text:0040229B ; ---------------------------------------
.text:0040229B
.text:0040229B loc_40229B:                             
.text:0040229B                 test    edx, edx
.text:0040229D                 jnz     short loc_402281
...
.text:004022A8                 call    $+5
.text:004022AD                 pop     ebp
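
The loop above XORs each byte loaded by lodsb with key[edx], and keeps edx in the range 0..5 through the div by ebp = 6, so it is a repeating 6-byte XOR. The following re-implementation is an added example (not CIRCL's code): it decrypts such a blob with the ZLMMLM key and sanity-checks that the result looks like a PE image. The encrypted input is a constructed fake PE header, not sample B.

```python
STAGE2_KEY = bytes.fromhex("5A4C4D4D4C4D")  # 0x5A4C4D4D4C4D == b"ZLMMLM"

def stage2_xor(data, key=STAGE2_KEY):
    """XOR data with a repeating key, as the loop at 0x40227A does (edx = i mod 6)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_pe(data):
    """Sanity check on a decrypted blob: 'MZ' header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def _fake_pe():
    """Constructed minimal PE header used only to demonstrate the decryption offline."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)

# Constructed stand-in for the encrypted stage: XOR is its own inverse, so
# encrypting the fake header with the same routine yields a decryptable blob.
ENCRYPTED_BLOB = stage2_xor(_fake_pe())

if __name__ == "__main__":
    plain = stage2_xor(ENCRYPTED_BLOB)
    print("key:", STAGE2_KEY, "decrypted blob looks like PE:", looks_like_pe(plain))
```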

From the memory segment the code has been decrypted to, it is written back to the .text section. Additional libraries are loaded:

  • C:\WINDOWS\system32\crypt32.dll
  • C:\WINDOWS\system32\msasn1.dll
  • C:\WINDOWS\system32\winmm.dll
  • C:\WINDOWS\system32\ws2_32.dll
  • C:\WINDOWS\system32\ws2help.dll

Finally, the instruction pointer is pointing back to the .text section at 0x00401FEC, which is the original entry point of this malware.

This binary has been isolated, extracted and named sample B:

Sample B

Hashes:

Type of Hash Hash
MD5 759545ab2edad3149174e263d6c81dce
SHA1 2182ff6537f38a4e8c273316484c2c84872633d0
SHA-256 34d88b04956cbed54190823c94753b0dc6d8c19339d22153127293433b398cf1

VirusTotal results for sample B

VirusTotal result for hash: 759545ab2edad3149174e263d6c81dce -> Hash was not found on VirusTotal.

Signature check for sample B

File is not signed.

Analysis

Upon start, sample B, the actual malware, initializes memory, sets up Winsock by calling WSAStartup and decrypts the following strings:

String Use
VM Vmware check? Not used
37.252.120.122:3360 Communication channel
- literally as “-“
Password literally as this string
HostId-%Rand% format string for identifier file
mJhcimNA Name of mutex
%AppData%\Microsoft\Crypto\Office.exe Filename when made persistent
Office Registry key
- literally as “-“
%AppData%\Microsoft\Crypto\Logs\ Log directory
105 ?
001 ?

Then it starts to communicate with the Command and Control server, waiting for commands.

All commands have return codes. In case of success, the return code corresponds to the command code. If the command fails, the return code is usually the command code incremented by one.

Command switch:

The following table lists the commands of the malware. Where a return code is of interest, it is marked with (r):

Code Command
1 (r) heartbeat (send back return code 1)
2 (r) socket created
3 (r) registered
4 (r) setting password failed
5 set password, identifier and fetch computer information (user, computername, windows version)
6 create process from local file or fetch from URL first and create process
7 create process from local file and exit (hMutex = CreateMutexA(0, 1, “mJhcimNA”))
8 (r) failed to create process
9 stop running threads, cleanup, exit
A stop running threads, cleanup, sleep
B stop running threads, delete autostart registry keys, cleanup, exit
C add identifier (.Identifier) file
D threaded: get file over HTTP and execute
E fetch and send logical drives and types
10 locate and send file with time, attributes and size
12 find file
13 (r) file information
14 unset tid for 0x12
14 (r) file not found (?)
15 send file
16 write into file
17 close file (see 0x1F)
18 copy file
19 execute file
1A move file
1B delete file
1C create directory
1D file copy
1E create directory or send file to server
1F close file (see 0x17)
20 start remote shell
21 write into WritePipe
22 reset tid for remote shell
22 (r) terminated remote shell
23 (r) failed to start remote shell
24 collect client information and configuration
25 (r) failed to get client information and configuration
26 get logged on users
26 (r) send logged on users
27 (r) failed to send logged on users
28 get detailed process information
29 (r) failed to get detailed process information
2A terminate process
2B enumerate windows
2B (r) send windows
2C make window visible, invisible or show text
2D get file over HTTP and execute
2E (r) HTTP connect failed
2F set keyboard event “keyup”
30 set keyboard event $event
31 set mouse button press
32 set cursor position
33 take screenshot and send
35 (r) failed to take screenshot
36 locate and send file from log directory with time, attributes and size
38 check if log file exists
39 delete logfile
3A read key log file and send
3C (r) failed to read key log file
3D fetch and send stored credentials, history and certificates from common browsers
3E fetch and send stored credentials, history and certificates from common browsers
3F fetch and send chat (Windows Live and/or Pidgin) credentials
40 fetch and send chat (Windows Live and/or Pidgin) credentials
41 fetch and send mail (Outlook and/or Thunderbird) credentials and certificates
42 fetch and send mail (Outlook and/or Thunderbird) credentials and certificates
43 socks_proxy
44 get audio devices and formats
44 (r) audio devices and formats
45 (r) failed to get audio devices
46 start audio recording
47 (r) error during recording
48 stop audio recording
49 find file get md5
4C unset tid for find file get md5 (0x49)

Network

Communication is performed via TCP/IP. First, the client registers itself at the server by sending

41 00 00 00 03 (...) 

to the server, which in return replies with

41 00 00 00 05 (...)

A heartbeat is maintained by sending

01 00 00 00 02

to the remote site.

Outgoing communication can be detected by Network Intrusion Detection Systems in order to identify compromised machines. Suricata rules are included in this report.

IOCs

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • value:Office
    • data:%AppData%\Microsoft\Crypto\Office.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components
    • value:-
    • data:%AppData%\Microsoft\Crypto\Office.exe
  • Mutex name “mJhcimNA”
  • %AppData%\Microsoft\Crypto\Logs\
    • logfile per day, format DD-MM-YYYY (without extension)
  • %AppData%\Microsoft\Crypto\Office.exe
  • %AppData%\Microsoft\Crypto\Office.exe.Identifier
  • IP 37.252.120.122
  • TCP port 3360

A MISP XML file is available if you want to import the indicators into MISP or any other threat indicators sharing platform.

NIDS

The following Suricata rules can be used to detect heartbeat and registration messages from a compromised client to the C&C server. The rules have only been tested lightly against live traffic and may produce a number of false positives. With this in mind, you could limit the destination to the IP address and port given in this report; on the downside, you then lose the ability to track server/port changes the attacker may apply.

alert tcp $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"NetWiredRC heartbeat"; \
    pkt_data; \
    content:"|01 00 00 00 02|"; \
    offset:0; \
    depth:10; \
    reference:url,https://www.circl.lu/pub/tr-23/; \
    sid:70023; \
    rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"NetWiredRC registration"; \
    pkt_data; \
    content:"|41 00 00 00 03|"; \
    offset:0; \
    depth:10; \
    reference:url,https://www.circl.lu/pub/tr-23/; \
    sid:70123; \
    rev:1;)

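The trade-off described above (broad match on the byte pattern versus restricting to the known C&C endpoint) can be tried out on captured flows before deploying the rules. The following is an added example, not part of this report's tooling: it mirrors the content/offset/depth logic of the two rules in Python over constructed client-to-server flows, with an optional restriction to the IP and port from this report. The Flow records and their payload filler bytes are constructed, not captured traffic.

```python
from dataclasses import dataclass

# Byte patterns from the Network section; (pattern, offset, depth) mirror the
# content/offset/depth options of the Suricata rules above.
SIGNATURES = {
    "NetWiredRC heartbeat": (bytes.fromhex("0100000002"), 0, 10),
    "NetWiredRC registration": (bytes.fromhex("4100000003"), 0, 10),
}
KNOWN_C2 = ("37.252.120.122", 3360)  # C&C endpoint from this report

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes

def content_match(payload, pattern, offset, depth):
    """With offset 0, the whole pattern must fall within the first `depth` payload bytes."""
    window = payload[offset:offset + depth]
    return window.find(pattern) != -1

def classify(flow, restrict_to_c2=False):
    """Return the name of the signature that fires on this flow, or None."""
    if restrict_to_c2 and (flow.dst, flow.dport) != KNOWN_C2:
        return None
    for name, (pattern, offset, depth) in SIGNATURES.items():
        if content_match(flow.payload, pattern, offset, depth):
            return name
    return None

def alerts(flows, restrict_to_c2=False):
    """(src, dst, dport, signature) for every flow that triggers a signature."""
    out = []
    for f in flows:
        name = classify(f, restrict_to_c2)
        if name:
            out.append((f.src, f.dst, f.dport, name))
    return out

# Constructed flows: a heartbeat and a registration to the reported C&C, the same
# heartbeat bytes to an unrelated server, and a registration pattern pushed past depth.
FLOWS = [
    Flow("10.0.0.5", "37.252.120.122", 3360, bytes.fromhex("0100000002")),
    Flow("10.0.0.5", "37.252.120.122", 3360, bytes.fromhex("4100000003") + b"\x00" * 60),
    Flow("10.0.0.7", "203.0.113.9", 4444, bytes.fromhex("0100000002")),
    Flow("10.0.0.8", "37.252.120.122", 3360, b"\x00" * 6 + bytes.fromhex("4100000003")),
]

if __name__ == "__main__":
    print("broad:     ", alerts(FLOWS))
    print("C2-limited:", alerts(FLOWS, restrict_to_c2=True))
```

The third flow shows the false-positive side of the broad rules and the fourth shows why depth:10 matters: the pattern is present but starts too late to match.
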
  • Similarity by network connection (same IP:PORT), strings
    • MD5: 4af801e0de96814e9095bf78be790003
    • SHA1: b2beb80f0b1ed9b1ccbb9ae765b68d6db432a532
    • Attribution: Backdoor:Win32/NetWiredRC.B
  • Similarity by network connection (same IP:PORT)
    • MD5: 1d2f110f37c43a05407e8295d75a1974
    • SHA1: d199349a3811c508ca620195327123600e1d9392
  • By name NetWiredRC
    • http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor:Win32/NetWiredRC.B#tab=2
    • MD5: 1e279c58a4156ef2ae1ff55a4bc3aaf6
    • SHA1: 40e8e3b5fce0cd551106ccb86fc83a0ca03c9349
    • Quick analysis: previous version of this malware
      • missing features: SOCKS, audio recording, find file by MD5

Decrypting NetWire C2 traffic

NetWire uses a proprietary protocol with encryption enabled by default (AES-256-OFB). The Palo Alto Networks threat intelligence team published a report on how to decrypt the traffic (provided you know the key or have extracted it from the malware). The NetWiredDC Decoder is available on GitHub.

Recommendations

  • CIRCL recommends reviewing the IOCs in this report and comparing them against the log-producing servers in your organization's infrastructure, including proxies, A/V and system logs.

  • In case of an infection, we recommend capturing the network traffic with the full payload as soon as possible. You might be able to decrypt the traffic later on.

  • Isolate the infected machine. Acquire memory (especially to obtain a malware sample and a potential encryption key) and disk. Reinstall the system after the forensic acquisition.

Server intel

The server (37.252.120.122) used for this campaign is hosted at

inetnum:        37.252.120.0 - 37.252.120.255
netname:        TILAA
descr:          Tilaa
descr:          This space is statically assigned
country:        NL
admin-c:        TLRL-RIPE
tech-c:         TLRL-RIPE
status:         ASSIGNED PA
mnt-by:         TILAA-MNT
source:         RIPE # Filtered

role:           Tilaa admin role
address:        Februariplein 14
address:        1011MT Amsterdam
address:        The Netherlands
abuse-mailbox:  abuse@tilaa.net
admin-c:        TLDK-RIPE
admin-c:        TLGV-RIPE
admin-c:        TLRK-RIPE
tech-c:         TLDK-RIPE
tech-c:         TLGV-RIPE
tech-c:         TLRK-RIPE
nic-hdl:        TLRL-RIPE
mnt-by:         TILAA-MNT
source:         RIPE # Filtered

% Information related to '37.252.120.0/21AS196752'

route:          37.252.120.0/21
descr:          Routed by Tilaa
origin:         AS196752
mnt-by:         TILAA-MNT
source:         RIPE # Filtered

and reveals several open ports:

3360/tcp  open  unknown
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
47001/tcp open  unknown
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49158/tcp open  unknown
49159/tcp open  unknown
49160/tcp open  unknown
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008 (92%)
OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
OS fingerprint not ideal because: Host distance (11 network hops) is greater than five
Aggressive OS guesses: Microsoft Windows Server 2008 SP1 (92%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=6.40%E=4%D=4/23%OT=3360%CT=1%CU=32387%PV=N%DS=11%DC=I%G=N%TM=5357A5F8%P=x86_64-apple-darwin13.1.0)
SEQ(SP=104%GCD=1%ISR=10C%TI=I%TS=7)
OPS(O1=M5ACNW8ST11%O2=M5ACNW8ST11%O3=M5ACNW8NNT11%O4=M5ACNW8ST11%O5=M5ACNW8ST11%O6=M5ACST11)
WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)
ECN(R=Y%DF=Y%T=80%W=2000%O=M5ACNW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=N)
T7(R=N)
U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=I%RUCK=0%RUD=G)
IE(R=N)

Uptime guess: 54.768 days (since Thu Feb 27 18:11:41 2014)

Ports might be used for several purposes/campaigns. Probing the ports gives the following result:

  • 3360/tcp - C&C port for this campaign
  • 3389/tcp - no reaction to crafted requests
  • 5985/tcp - HTTP port
  • 47001/tcp - HTTP port
  • 49152/tcp - no reaction to crafted requests
  • 49153/tcp - no reaction to crafted requests
  • 49154/tcp - no reaction to crafted requests
  • 49155/tcp - no reaction to crafted requests
  • 49158/tcp - no reaction to crafted requests
  • 49159/tcp - no reaction to crafted requests
  • 49160/tcp - no reaction to crafted requests

The ports not reacting to crafted requests might be used for different campaigns for the same malware or for different versions of the malware family or even for other malware. We were not able to find a different sample of the malware that connects to a different port.

As of Friday 25 April, the C&C port is no longer active, as the ISP took the appropriate action.

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Acknowledgment

CIRCL thanks CERT Société Générale for sharing Sample A.

Revision

  • Version 1.1 November 26, 2014 Decrypting NetWire C2 Traffic reference added
  • Version 1.0 April 25, 2014 C&C (for the known TCP port) is no longer active
  • Version 0.9 April 23, 2014 Initial version (TLP:WHITE)