Tencent Computer Butler · 2016/01/28 12:14
0x00 Background
The latest cyber attack on Ukraine's airport comes on the heels of an attack on the country's electricity system. The main culprit is BlackEnergy. What is BlackEnergy, and why does it have such power? BlackEnergy is a piece of malware that first appeared in 2007 and later spawned variants aimed specifically at Ukrainian government agencies. BlackEnergy is not a new type of malware, but it is notable that it is still at the forefront.
0x01 Attack Description
Here is a brief description of BlackEnergy's attack. An XLS document, easily distributed by mail, contains macro code that drops vba_macro.exe, which in turn drops two things: a .dat file, which is a DLL, and a shortcut in the startup directory that uses rundll32 to run the DLL's export with ordinal 1.
After rundll32 loads the malicious DLL, the DLL starts an Internet Explorer process through an out-of-process COM object and uses that IE process to connect to the remote server and download the malicious components. Then, through driver installation and APC injection, the malicious code is executed inside a system module, communicates with the remote server, and carries out the corresponding attacks according to the server's instructions and the malicious programs it pulls down.
0x02 Sample Hazard
A macro virus intrudes into the system and leaves a backdoor; the subsequent attack components wipe out critical system files, rendering the computer unable to work properly and achieving the goal of destruction.
0x03 Key Analysis
1. FONTCACHE.DAT file analysis
FONTCACHE.DAT is dropped by the vba_macro.exe file described above. It is a DLL and is started with this command line: C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Administrator\Local Settings\Application Data\FONTCACHE.DAT",#1. You can see that the DLL export with ordinal 1 is called. The following figure shows the export table.
After it runs, the packer unpacks itself with VirtualAlloc and copy instructions and writes another DLL, temporarily called primaryDLL, to address 0x10010000.
The program eventually executes to the entry point of primaryDLL, whose entry code calls the sub_100122B6() function. Look at the code of this function.
A set of IE-related registry values is set, and a thread is started. Look at the thread function address.
Three functions are used to register an RPC service and start listening, so that the infected computer can accept the attacker's control. Further down, the sample operates on the ntuser.log file. Then it enters an infinite loop.
In the loop, the sub_10012740() function is called. Static analysis of this function shows that, after the sample constructs the fields of an HTTP request, it launches IE via CoCreateInstance to download an executable file. The specific URL is http://5.149.254.114/Microsoft/Update/KC074913.php (no longer active).
2. Analysis of the xxx.sys driver
At run time the malicious sample creates a driver file with a random name, referred to here as xxx.sys. Because the driver is packed, it is analyzed mainly by dynamic debugging. It first enters the context of the svchost process in order to map the memory it allocates into the ring 3 address space.
After the APC is initialized, you can see in the figure below that the NormalRoutine passed to KeInitializeApc is set to 0x00C453cc.
The APC just initialized is inserted.
svchost executes to 0x00c453cc.
Looking back at that address, you can see that this is actually a PE image.
Offset 0x53cc is the entry point of this DLL.
So far you can see that xxx.sys writes its own DLL into the svchost address space and then gets its code to run by inserting an APC.
3. KillDisk sample analysis
BlackEnergy's authors really like svchost: the sample copies itself to the Windows directory on the system disk and renames itself svchost.exe.
The virus creates a service named Microsoft Defender Service, using that name to make it look like a normal system security service. At startup the virus copies itself to the svchost.exe file in the Windows directory; the start command line is svchost.exe -service.
Copy the code to the Windows directory:
Create service code:
The service is created and started successfully.
It adjusts the process token to elevate the process privileges, so that the virus program has the rights to shut down the system and modify files in the system directory.
Execute the virus service function:
It opens PhysicalDrive0, the primary hard drive, and clears all data in the first 2560 sectors, destroying the MBR, the file allocation table and other core data needed for system startup.
Open the primary hard drive:
Starting from the MBR sector, the loop runs 256 times to clear 256 sectors:
The above operation is performed 10 times in total, 10 × 256 = 2560 sectors.
Starting from the root directory, it traverses the disk directories for files of the specified types and creates multiple threads to clear the contents of every file of those types.
List of file types the virus mainly wipes:
Create a new thread and start traversing the file:
Scan all files of the specified type:
Open the file and overwrite its entire contents with zeros:
The WriteFileZeroByte function:
It terminates lsass.exe and wininit.exe, writes a log, and runs shutdown to restart the PC. With the MBR and file allocation table damaged, the system crashes after the restart.
End the lsass.exe process:
Terminate wininit.exe:
Run shutdown to restart the system:
Because key system files have been deleted, the system cannot work properly after the restart. The entire attack process is complete.
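The behaviours described in this section (rundll32 loading FONTCACHE.DAT by export ordinal from the user's Application Data directory, a copy of svchost.exe placed in the Windows directory and registered as a service, and the termination of lsass.exe and wininit.exe before shutdown) can be detected from endpoint telemetry without relying on a hash or a server IP. The following Python is an added example written for this page, not code from Tencent or from the BlackEnergy analysis; the event records are constructed to mirror the indicators above, the field names (type, image, cmdline, image_path, actor, target) are an assumption modelled on process-create, service-install and process-terminate events, and the rule names are my own.

```python
import re

# Constructed sample telemetry mirroring the indicators in the analysis above.
# Field names are an assumption modelled on process-create / service-install /
# process-terminate events; they are not taken from any real log format.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\WINDOWS\system32\rundll32.exe",
     "cmdline": r'C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings'
                r'\Administrator\Local Settings\Application Data\FONTCACHE.DAT",#1'},
    {"type": "service_install", "name": "Microsoft Defender Service",
     "image_path": r"C:\WINDOWS\svchost.exe -service"},
    {"type": "process_create", "image": r"C:\WINDOWS\svchost.exe",
     "cmdline": r"C:\WINDOWS\svchost.exe -service"},
    {"type": "process_terminate", "actor": r"C:\WINDOWS\svchost.exe",
     "target": r"C:\WINDOWS\system32\lsass.exe"},
    {"type": "process_terminate", "actor": r"C:\WINDOWS\svchost.exe",
     "target": r"C:\WINDOWS\system32\wininit.exe"},
    # Benign records, to show the rules stay quiet on the real svchost and a normal service.
    {"type": "process_create", "image": r"C:\WINDOWS\system32\svchost.exe",
     "cmdline": r"C:\WINDOWS\system32\svchost.exe -k netsvcs"},
    {"type": "service_install", "name": "Print Spooler",
     "image_path": r"C:\WINDOWS\system32\spoolsv.exe"},
]

# rundll32 <dll>,#<ordinal>  (the form used to start FONTCACHE.DAT in the analysis)
RUNDLL32_ORDINAL = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*#(?P<ordinal>\d+)', re.IGNORECASE)

# Directories an ordinary user can write to; a DLL started from here by ordinal is unusual.
USER_WRITABLE_MARKERS = ("application data", "appdata", "documents and settings",
                         "\\users\\", "\\temp\\")

CRITICAL_PROCESSES = {"lsass.exe", "wininit.exe"}


def parse_rundll32_ordinal(cmdline):
    """Return (dll_path, ordinal) if the command line calls a DLL export by ordinal, else None."""
    m = RUNDLL32_ORDINAL.search(cmdline)
    if not m:
        return None
    return m.group("dll").strip(), int(m.group("ordinal"))


def dll_in_user_writable_dir(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def svchost_outside_system32(image):
    """True when the binary is named svchost.exe but does not live in System32 or SysWOW64."""
    p = image.lower().strip('"')
    if not p.endswith("\\svchost.exe"):
        return False
    parent = p.rsplit("\\", 1)[0]
    return not (parent.endswith("\\system32") or parent.endswith("\\syswow64"))


def service_binary(image_path):
    """Strip arguments such as '-service' from a service ImagePath, leaving the executable."""
    return re.split(r"\s+[-/]", image_path, maxsplit=1)[0].strip().strip('"')


def analyze(events):
    """Run the behavioural rules over a list of events; return (rule_name, event_index) pairs."""
    findings = []
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "process_create":
            parsed = parse_rundll32_ordinal(ev["cmdline"])
            if parsed and dll_in_user_writable_dir(parsed[0]):
                findings.append(("rundll32_ordinal_from_user_dir", i))
            if svchost_outside_system32(ev["image"]):
                findings.append(("svchost_outside_system32", i))
        elif kind == "service_install":
            if svchost_outside_system32(service_binary(ev["image_path"])):
                findings.append(("service_runs_svchost_outside_system32", i))
        elif kind == "process_terminate":
            target = ev["target"].lower().rsplit("\\", 1)[-1]
            if target in CRITICAL_PROCESSES:
                findings.append(("critical_process_terminated", i))
    return findings


if __name__ == "__main__":
    for rule, idx in analyze(SAMPLE_EVENTS):
        print(f"{rule:40s} event[{idx}] {SAMPLE_EVENTS[idx]}")
```

Every rule here keys on behaviour rather than on the sample's hash or on the 5.149.254.114 server, which is the point section 0x04 makes: a repacked sample or a new download server would leave these five alerts unchanged, whereas a hash or IP blocklist would miss it entirely.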
0x04 Defensive Thinking
If all of our defense strategies were to block MD5 hashes in the cloud, add static signatures to antivirus engines, and block known remote server IP addresses or URLs on IDS, IPS and similar systems, then our security products would be vulnerable to the next attack like BlackEnergy's.
For the XLS file, the first step of the attack, a simple macro virus does the job even without an Office 0-day. Dynamic analysis is more appropriate than static scanning for defending this entry point. For encrypted macro script samples, constantly changing encryption algorithms interfere too much with static scanning, whereas dynamic analysis is not affected by encryption, transformation and similar countermeasures.
The following is the result of analyzing the XLS file, the source of the attack, with the Hubble File Analysis System (habo.qq.com/).
This is Hubble’s analysis of the first Dropper file, vba_macro.exe.
This is Hubble’s analysis of a sample of disguised WordPad drivers released and loaded.
This is Hubble's analysis of the KillDisk malicious sample.
Packing samples and encrypting data have become a required course for hackers and Trojan authors. In this situation it is increasingly difficult for traditional static scanning to carry the banner of system protection alone. Dynamic behavior analysis is likely to be an alternative; even if asynchronous analysis is adopted for user-experience reasons, it can provide important assistance for threat perception and threat intelligence extraction.
The Hubble dynamic analysis system is still a work in progress, but in the near future a dynamic analysis system of this kind is likely to become an important part of enterprise security protection.