2025-02-24 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 05/31 Report
This article explains how to analyze the new PipeMon variants used by the Winnti Group. The editor considers it practical and shares it in the hope that readers will take something away from it.
PipeMon, a new modular backdoor used by the Winnti Group, was discovered in February 2020. Its main targets are massively multiplayer online game and video game companies in South Korea and Taiwan, and the access it provides could be used for supply-chain attacks: the attackers could trojanize games before they are released, or compromise game servers and manipulate in-game currency for financial gain. The Winnti Group has been active since 2012 and is known for supply-chain attacks against the software industry. ESET researchers recently also documented its attacks on several universities in Hong Kong.
Technical analysis
Two PipeMon variants were found at the targeted companies. The first stage of PipeMon is a password-protected RARSFX executable embedded in the .rsrc section of a launcher. The launcher writes the RARSFX to setup0.exe in an automatically generated directory, passes the password as a parameter, and executes the RARSFX with CreateProcess, as shown below:
setup0.exe -p * | T/PMR {| T2 ^ LWJ *
The password differs for each sample. The contents of the RARSFX are then extracted into %TMP%\RarSFX0:
CrLnc.dat - encrypted payload
Duser.dll - UAC bypass
Osksupport.dll - UAC bypass
PrintDialog.dll - malware initialization
PrintDialog.exe - legitimate Windows executable that loads PrintDialog.dll
Setup.dll - installer DLL
Setup.exe - main program
If a folder with that name already exists, the number at the end of RarSFX0 is incremented until there is no conflict. After extraction, setup.exe is executed without parameters and loads setup.dll with LoadLibraryA. Once loaded, setup.dll checks for command-line parameters (-x, -r, -v or -n), each of which selects a different operating mode. The supported parameters and their corresponding behaviors are shown in Table 1.
When launched by the RARSFX without arguments, setup.exe first checks whether it is running with elevated privileges. If not, it checks whether the Windows version is older than Windows 7 build 7601; if so, it uses token impersonation to obtain elevated privileges. Otherwise it tries several UAC bypass techniques. It then installs the payload into one of the following locations:
C:\Windows\System32\spool\prtprocs\x64\DEment.dll
C:\Windows\System32\spool\prtprocs\x64\EntAppsvc.dll
C:\Windows\System32\spool\prtprocs\x64\Interactive.dll
Depending on the location chosen for the malicious DLL, setup.dll registers the DLL loader as an alternative print processor by setting one of the following registry values:
HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\PrintFiiterPipelineSvc\Driver = "DEment.dll"
HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\lltdsvc1\Driver = "EntAppsvc.dll"
Note the misspelling in PrintFiiterPipelineSvc (since any name can be used, it does not affect the installation of the print processor).
After registering the print processor, PipeMon restarts the Print Spooler service (spoolsv.exe), which loads the malicious print processor. Because the Print Spooler service starts every time the PC boots, this also gives the malware persistence. Depending on the installer variant, CrLnc.dat is written to one of the following registry locations:
HKLM\SOFTWARE\Microsoft\Print\Components\DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8
HKLM\SOFTWARE\Microsoft\Print\Components\A66F35-4164-45FF-9CB4-69ACAA10E52D
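The registry locations above are exactly what a defender can baseline. The following Python script is an added example (it is not from the original article, from ESET, or from the malware) that parses a `reg export` of the Print key and flags every print processor whose Driver is not the Windows default winprint.dll, plus any binary blob stored under a Print\Components subkey. The export embedded in it is constructed for the example: the two print processor names, their DLLs and the Components key path are taken from the page, while the value name `Payload` and its bytes are placeholders, since the page gives only the key path.

```python
import re

# Windows ships a single print processor by default: winprint.dll.
KNOWN_GOOD_DRIVERS = {"winprint.dll"}

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
HEX_RE = re.compile(r"^hex(?:\(\d+\))?:(.*)$", re.IGNORECASE)
PRINT_PROCESSOR_RE = re.compile(
    r"\\Control\\Print\\Environments\\(?P<env>[^\\]+)\\Print Processors\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
COMPONENTS_RE = re.compile(r"\\SOFTWARE\\Microsoft\\Print\\Components\\", re.IGNORECASE)

# Constructed sample of `reg export` output (not a real capture). The two
# print processors and the Components key come from the page; the
# "Payload" value name and its bytes are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\winprint]
"Driver"="winprint.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\PrintFiiterPipelineSvc]
"Driver"="DEment.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\lltdsvc1]
"Driver"="EntAppsvc.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Print\Components\DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8]
"Payload"=hex:4d,5a,90,00,03,00,00,00,\
  04,00,00,00,ff,ff,00,00
"""


def _logical_lines(text):
    """Join .reg continuation lines (a trailing backslash) into one logical line."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        yield pending + line
        pending = ""
    if pending:
        yield pending


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: raw_value}}."""
    keys = {}
    current = None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            value = m.group(2)
            if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
                value = re.sub(r"\\(.)", r"\1", value[1:-1])  # REG_SZ: unescape \\ and \"
            keys[current][name] = value
    return keys


def _hex_size(raw_value):
    """Byte count of a hex:... value, or None if the value is not binary."""
    m = HEX_RE.match(raw_value)
    if not m:
        return None
    return len([b for b in m.group(1).split(",") if b.strip()])


def hunt(reg_text):
    """Flag print processors not backed by winprint.dll and binary blobs under Print/Components."""
    findings = []
    for path, values in parse_reg(reg_text).items():
        m = PRINT_PROCESSOR_RE.search(path)
        if m:
            driver = values.get("Driver", "")
            if driver.lower() not in KNOWN_GOOD_DRIVERS:
                findings.append({"kind": "print_processor", "key": path,
                                 "name": m.group("name"), "driver": driver})
            continue
        if COMPONENTS_RE.search(path):
            for name, raw in values.items():
                size = _hex_size(raw)
                if size:
                    findings.append({"kind": "component_blob", "key": path,
                                     "value": name, "size": size})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_REG):
        print(finding)
```

On a live host, feed it the output of `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Print" print.reg` (and the same for `HKLM\SOFTWARE\Microsoft\Print`); a hit on a print processor should then be paired with a look at the corresponding DLL in `spool\prtprocs\x64`, where only winprint.dll is expected. Environments such as third-party print drivers do register their own processors, so the driver list needs baselining rather than being treated as a pure allowlist.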
The entire PipeMon execution process is shown in the following figure:
PipeMon
PipeMon is a modular backdoor. Each module is a DLL that exports an IntelLoader function and is loaded using reflective loading. Each module has a different function, as shown in Table 2.
The loader responsible for loading the main modules (ManagerMain and GuardClient) is Win32CmDll.dll, which is located in the print processor directory. The modules are stored encrypted in the same location under the following names:
Banner.bmp
Certificate.cert
License.hwp
JSONDIU7c9djE
D8JNCKS0DJE
B0SDFUWEkNCj.logN
.hwp is the extension used by Hangul Word Processor, which is very popular in Korea. The modules are RC4-encrypted, and the decryption key "Com!123Qasdz" is hard-coded in each module. Win32CmDll.dll decrypts and injects the ManagerMain and GuardClient modules. ManagerMain is responsible for decrypting and injecting the Communication module, while GuardClient ensures that the Communication module is running and reloads it if necessary. The following figure outlines how PipeMon works.
Win32CmDll.dll first attempts to inject the ManagerMain and GuardClient modules into a process named lsass.exe, wininit.exe or lsm.exe. If that fails, it attempts to inject into one of the registered Windows service processes, excluding spoolsv.exe, ekrn.exe (ESET), avp.exe (Kaspersky) and dllhost.exe. If all of these fail, it tries taskhost.exe, taskhostw.exe or explorer.exe.
Other modules can be loaded on demand with special commands, but none has been observed so far. The modules communicate over named pipes: each channel between two modules uses two pipes, one for sending and one for receiving. Pipe names are built from %CNC_DEFINED%, a string received from the C&C server, and %B64timestamp%, a base64-encoded timestamp.
The Communication module manages the traffic between the C&C server and the other modules through these pipes; the C&C address is hard-coded in the ManagerMain module. The communication protocol is TLS over TCP and is handled by the HP-Socket library. All messages are RC4-encrypted with a hard-coded key. If the data to be transmitted is 4 KB or larger, it is first compressed with zlib.
To start communication with the C&C server, the backdoor first sends a beacon message containing the following information:
OS version
MAC addresses of the connected network adapters, concatenated with %B64timestamp%
Victim's local IP address
Backdoor version/campaign ID; the following values have been observed:
"1.1.1.4beat"
"1.1.1.4Bata"
"1.1.1.5"
Victim computer name
The supported commands are as follows:
The attackers also used an updated version of PipeMon in which RC4 was replaced by a simple XOR with 0x75E8EEAF as the key, all hard-coded strings were removed, and the inter-module communication pipes were given random names. Only the main loader is stored on disk as a file; the updated modules are described in the following table:
The format of the C&C communication also changed:
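The encryption described on this page is simple enough to reimplement, and an analyst needs it to unpack captured modules: RC4 with the module key Com!123Qasdz and the zlib-then-RC4 C&C messages from the earlier section, and XOR with 0x75E8EEAF in the updated variant. The following Python is an added example, not ESET's tooling or the malware's code. Assumptions that are not on the page: the XOR key is applied as a repeating little-endian 32-bit word, the C&C message key `MSG_KEY_PLACEHOLDER` is a placeholder (the real key is not published here), and because the page does not say how the receiver learns that zlib was applied, the unpacker sniffs the zlib header instead.

```python
import zlib

MODULE_KEY = b"Com!123Qasdz"              # hard-coded module key, from the page
XOR_KEY = 0x75E8EEAF                      # key of the updated variant, from the page
COMPRESS_THRESHOLD = 4 * 1024             # zlib applied at >= 4 KB, from the page
MSG_KEY_PLACEHOLDER = b"example-c2-key"   # hypothetical: the real C&C key is not published


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream XOR). Symmetric, so encrypt == decrypt."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor32(key: int, data: bytes) -> bytes:
    """XOR with a repeating 32-bit key. Little-endian word order is an assumption."""
    ks = key.to_bytes(4, "little")
    return bytes(b ^ ks[i % 4] for i, b in enumerate(data))


def decrypt_module(blob: bytes, variant: str) -> bytes:
    """Decrypt an on-disk module for the original ("rc4") or updated ("xor") variant."""
    if variant == "rc4":
        return rc4(MODULE_KEY, blob)
    if variant == "xor":
        return xor32(XOR_KEY, blob)
    raise ValueError(f"unknown variant {variant!r}")


def identify_and_decrypt(blob: bytes):
    """Try both schemes and keep the one that yields a PE image (MZ header)."""
    for variant in ("rc4", "xor"):
        plain = decrypt_module(blob, variant)
        if plain[:2] == b"MZ":
            return variant, plain
    return None, None


def pack_message(plain: bytes, key: bytes = MSG_KEY_PLACEHOLDER):
    """Compress when >= 4 KB, then RC4-encrypt. Returns (ciphertext, was_compressed)."""
    compressed = len(plain) >= COMPRESS_THRESHOLD
    body = zlib.compress(plain) if compressed else plain
    return rc4(key, body), compressed


def _looks_like_zlib(body: bytes) -> bool:
    # zlib header: CM == 8 (deflate) and CMF*256+FLG is a multiple of 31
    return len(body) >= 2 and (body[0] & 0x0F) == 8 and ((body[0] << 8) | body[1]) % 31 == 0


def unpack_message(cipher: bytes, key: bytes = MSG_KEY_PLACEHOLDER) -> bytes:
    """RC4-decrypt, then inflate if the body carries a zlib header (analyst heuristic)."""
    body = rc4(key, cipher)
    if _looks_like_zlib(body):
        try:
            return zlib.decompress(body)
        except zlib.error:
            pass
    return body


if __name__ == "__main__":
    sample = b"MZ" + bytes(range(256)) * 2      # constructed stand-in for a module image
    for enc in (rc4(MODULE_KEY, sample), xor32(XOR_KEY, sample)):
        variant, plain = identify_and_decrypt(enc)
        print(variant, plain == sample)
```

Pointing `identify_and_decrypt` at the files listed above (Banner.bmp, Certificate.cert, License.hwp and the random-looking names) is the quickest way to tell which variant an infected host is running: the original modules come back as a PE under RC4, the updated ones under the XOR key, and the same RC4 routine with the C&C key recovers pipe and network traffic once that key has been pulled from the ManagerMain module.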
The backdoor configuration is encrypted and embedded in the loader DLL.
The PipeMon modules and the installer are signed with the same certificate, which the Winnti Group probably stole in a previous attack.
© 2024 shulou.com SLNews company. All rights reserved.