Funky malware format found in Ocean Lotus sample

Recently, at the SAS conference I talked about “Funky malware formats”—atypical executable formats used by malware that are only loaded by proprietary loaders. Malware authors use these formats, such as a custom format that is not recognized as an executable by AV scanners, in order to make static detection more difficult.

Using atypical formats may also slow down the analysis process because the file can’t be parsed out of the box by typical tools. Instead, we need to write custom loaders in order to analyze them freely.

Last year, we described one such format in a post about Hidden Bee. This time, we want to introduce you to a malware we discussed at the SAS conference: Ocean Lotus, also known as APT32, a threat group associated with Vietnam.

Sample

49a2505d54c83a65bb4d716a27438ed8f065c709 (SHA1) – the main executable

Special thanks to Minh-Triet Pham Tran for providing the material.

Overview

The sample comes with two elements, BLOB and CAB, that are both executables in the same unknown format. The custom format is produced by converting a PE file: some artifacts typical of PE files survive the conversion. However, the header is fully custom, and the way the file is loaded bears no resemblance to PE loading. Some of the information from the original PE (for example, the section layout) is not preserved: the sections are shuffled.

Origin

This sample is from June 10, 2017, from the following email:

Content of the phishing email, along with its attachment

The title “Sổ tay vấn đề pháp lý cho các nhà hoạt động nhân quyền” translates to “Handbook of legal issues for human rights activists.” It is the subject line of a spear phishing campaign targeting Vietnamese activists.

The malicious sample was delivered as an attachment to the email: a zipped executable. Its icon imitates a PDF document (the Foxit PDF Reader icon).

An executable with the Foxit PDF icon

Behavioral analysis

After being run, the sample copies itself into %TEMP%, unpacks, and launches the decoy PDF.

The main executable and the decoy copied to the Temp folder

While the user is busy reading the launched document, the dropper unpacks the real payload. It is dropped into C:\ProgramData\Microsoft Help:

All the elements of the malware unpacked

The dropper executable is deleted afterwards.

The malware manages to bypass UAC at its default level: the application sporder.exe runs with elevated privileges.

Persistence is provided by a simple Run key pointing to the dropped script:

Added Run key (view from Sysinternals Autoruns)

Interestingly, the sample has an “expiry date” after which the installer no longer runs.

Internals

The main executable sporder.exe is packed with UPX. It imports the DLL SPORDER.dll:

Import table of SPORDER.exe (view from PE-bear)

SPORDER.dll in turn imports another of the dropped DLLs, hp6000.dll:

Import table of SPORDER.dll (view from PE-bear)

The key malware functionality is, however, not provided by any of the dropped PE files. They are just used as loaders.

As it turns out, the core is hidden in two unknown files: BLOB and CAB.

Custom formats

The files with the extensions BLOB and CAB are obfuscated with XOR. After decoding them, we notice some readable strings. However, neither of them is a valid PE file, and we cannot find any of the typical headers.

BLOB

The BLOB file is obfuscated with a repeating XOR key. The key shows through wherever the original file contained zero-filled regions, because XORing zeros with the key leaves the key itself; we can see the repeating pattern and use it as the XOR key:

SPORDER.blob (original version), the repeating pattern is selected

As a result, we get the following clear version (MD5): 2e68afae82c1c299e886ab0b6b185658

BLOB’s header:

The BLOB file looks like a processed PE file; however, its sections appear to be in swapped order. The first section seems to be .data instead of .text.

We can see artifacts from the BZIP library and the C++ standard library.

CAB

The CAB file is obfuscated with XOR in a similar way, but with a different key:

When we apply the key, we get an analogous clear version (MD5): b3f9a8adf0929b2a37db7b396d231110

This file also has a custom header that does not resemble the PE header. However, we found sections inside that are typical for PE files, for example, a manifest.
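Both BLOB and CAB were decoded the same way: a repeating XOR key that leaks through the zero-filled regions of the converted PE. The script below, added here as an example (it is not Malwarebytes' tooling and not the malware's own loader), automates that step for any such blob: it guesses the key length from how often bytes one key length apart coincide, takes the most common byte at each key position as the key byte (zero padding dominates a PE, so that byte is 0x00 XOR key), decodes the buffer, and then does the quick triage described above: is there a PE magic, which readable strings survive, and what is the MD5 of the result so it can be compared with the hashes given for the clear versions. The obfuscated input, the 16-byte key and the embedded strings are all constructed in the script; the real BLOB and CAB files are not included.

```python
"""Recover a repeating XOR key from an obfuscated blob and decode it.

Added example, not Malwarebytes' tooling and not the malware's own loader.
The obfuscated sample below is constructed here for demonstration: a fake
"processed PE" with a stand-in custom header, zero-filled gaps and a few
library strings, XORed with a 16-byte key.  No bytes of the real sample.
"""
from collections import Counter
import hashlib
import random
import re


def guess_period(data: bytes, max_period: int = 64) -> int:
    """Return the most likely key length.

    A zero-filled region XORed with a repeating key is just the key repeated,
    so ciphertext bytes one key length apart are equal far more often than
    chance.  Multiples of the true period score just as well, so take the
    smallest period whose score is close to the best one.
    """
    n = len(data)
    scores = {}
    for p in range(1, min(max_period, n // 2) + 1):
        same = sum(1 for i in range(n - p) if data[i] == data[i + p])
        scores[p] = same / (n - p)
    best = max(scores.values())
    return min(p for p, s in scores.items() if s >= 0.9 * best)


def recover_key(data: bytes, period: int) -> bytes:
    """For each key position, the most common ciphertext byte is assumed to
    come from a 0x00 plaintext byte, i.e. it is the key byte itself."""
    return bytes(Counter(data[j::period]).most_common(1)[0][0]
                 for j in range(period))


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Apply a repeating XOR key (the operation is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def scan_artifacts(clear: bytes) -> dict:
    """Quick triage of the decoded buffer: PE magic present? which readable
    strings survive?  The MD5 lets the result be compared with a known hash."""
    strings = re.findall(rb"[\x20-\x7e]{8,}", clear)
    return {
        "is_pe": clear[:2] == b"MZ",
        "md5": hashlib.md5(clear).hexdigest(),
        "strings": [s.decode("ascii") for s in strings],
    }


def decode_blob(obfuscated: bytes):
    """Full pipeline: guess period, recover key, decode, triage."""
    period = guess_period(obfuscated)
    key = recover_key(obfuscated, period)
    clear = xor_decode(obfuscated, key)
    return key, clear, scan_artifacts(clear)


# --- constructed test material (hypothetical, not from the real sample) ---
SAMPLE_KEY = bytes.fromhex("7f3ce951a80d62c419b72e90d546fb83")  # 16 distinct bytes


def build_sample_clear() -> bytes:
    rng = random.Random(7)
    parts = [b"\x01\x00\x00\x00\x10\x02\x00\x00"]  # stand-in custom header, not MZ
    for s in (b"BZ2_bzDecompress", b"std::bad_alloc",
              b"<assembly xmlns='urn:schemas-microsoft-com:asm.v1'>"):
        parts.append(bytes(rng.randrange(256) for _ in range(rng.randrange(20, 60))))
        parts.append(s + b"\x00")
        parts.append(b"\x00" * rng.randrange(80, 160))  # zero padding, as in a PE
    return b"".join(parts)


SAMPLE_CLEAR = build_sample_clear()
SAMPLE_OBFUSCATED = xor_decode(SAMPLE_CLEAR, SAMPLE_KEY)

if __name__ == "__main__":
    key, clear, report = decode_blob(SAMPLE_OBFUSCATED)
    print("key:", key.hex(), "ok" if key == SAMPLE_KEY else "MISMATCH")
    print("PE magic:", report["is_pe"], "md5:", report["md5"])
    for s in report["strings"]:
        print("  ", s)
```

On a real file, replace `SAMPLE_OBFUSCATED` with the bytes read from disk; the key-length guess assumes the key is at most 64 bytes and that zero padding is the most common plaintext byte at every key position, which holds for a converted PE but not for a compressed or encrypted payload, where the recovered "key" would be garbage and the string scan would find nothing readable.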
