
How to use AutoIT script to release DarkComet backdoor

2025-05-06 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 05/31 Report

This article explains in detail how an AutoIT script is used to release the DarkComet backdoor. The editor shares it here for reference; I hope you will have some understanding of the relevant knowledge after reading it.

0x1 Overview

Recently, the Tencent Royal View Threat Intelligence Center monitored a security incident in which CVE-2017-11882 exploit documents were spread indirectly by email to attack practitioners in the trade industry. Unlike the previously published "Business Letter" incident, the attacker's tactics changed: an AutoIT program was used to evade detection by security software, and the backdoor was the DarkComet remote-control Trojan. The sample download server was hosted on Amazon cloud services, so that border devices cannot simply block the server's domain name or IP, which further bypasses security checks.

In this incident, the attacker first sent phishing emails to victims in trade-related industries. Once the victim opened the attachment, it loaded a malicious OLE object (the CVE-2017-11882 exploit document) from a remote server, which in turn downloaded a self-extracting program; when the self-extractor ran, it first extracted its files to a temporary directory. It then executed an obfuscated au3 script through the AutoIt3 interpreter; the au3 script decrypted a DarkComet backdoor and loaded it as a puppet process (process hollowing) to take control of the victim's machine. The overall attack flow is shown in the following figure:

0x2 Sample analysis

MD5: 3ABAEED8930DD4C511340A882A05E79A

The captured EML sample, when opened, looks as follows:

Saving the email attachment yields the file Document Copy.docx (MD5: 7A861F4F39AAA85C7547F7521544ED58), a document with an embedded malicious OLE object. When the document is opened, a second exploit document is loaded from the remote server through the OLE object loading mechanism:

https[:]//s3.amazonaws[.]com/rewqqq/SM.doc

Downloading and analyzing the target shows that SM.doc is a malicious document exploiting CVE-2017-11882. When the document is opened, the exploit executes a remote hta script:

https[:]//s3.amazonaws[.]com/rewqqq/awss.hta

The awss.hta script downloads a backdoor Trojan from https[:]//s3.amazonaws[.]com/rewqqq/wizzy.exe on the remote server, saves it to c:/windows/temp/shell.exe, and then executes it.
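The first stage above relies on Word fetching an OLE object from a URL when the document is opened. A quick triage check for that is to look inside the .docx (a zip) for relationship entries of the oleObject type whose TargetMode is External. The following Python is an added example written for this article, not code from the original report; the document it scans is constructed in memory, and the target URL is a placeholder rather than the campaign's real address.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Real OOXML identifiers: the relationship type Word uses for OLE objects and
# the namespace of the .rels parts.
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def find_external_ole_links(docx_bytes):
    """Return [(rels_part, target)] for every OLE relationship whose TargetMode is
    External, i.e. an object Word would fetch from a remote location on open."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if (rel.get("Type") == OLE_REL_TYPE
                        and rel.get("TargetMode", "Internal") == "External"):
                    hits.append((name, rel.get("Target")))
    return hits


def build_sample_docx(target=None):
    """Construct (not captured) a minimal .docx; when `target` is given, its
    document.xml.rels carries one external oleObject link to that URL."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="%s">' % REL_NS]
    if target is not None:
        rels.append('<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
                    % (OLE_REL_TYPE, target))
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()


# Placeholder URL; the real campaign used the s3.amazonaws.com address quoted above.
SUSPICIOUS_DOC = build_sample_docx("https://example.invalid/SM.doc")
CLEAN_DOC = build_sample_docx()

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_DOC), ("clean", CLEAN_DOC)):
        print(label, find_external_ole_links(doc))
```

An external OLE relationship is not malicious by itself, but in inbound mail it is rare enough that it makes a good trigger for sandbox detonation of the attachment before delivery.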

Inspecting the file information with a tool shows that it is a self-extracting archive created with WinRAR.

Opening the file in WinRAR shows that the following command runs after the archive self-extracts:

Taa.exe xtb=ldp

For analysis, we can simply extract the archive with a decompression tool, which yields the following files:

Taa.exe is a legitimately signed AutoIt script interpreter used to run au3 scripts.

The file xtb=ldp is an au3 script, and a large number of useless comments have been added to it. This is how the author prevents anti-virus software from detecting the malicious script.

Detection results for the xtb=ldp script on VirusTotal:

To evade anti-virus software, the author added a large number of meaningless comments to the script, which seriously hinders reading it. To make analysis of the script's function easier, we stripped them out. The key code of the cleaned-up script is as follows:

Debugging the script shows that, when it runs, it first checks whether an avastui.exe process exists on the host and, if so, sleeps for 20 seconds before continuing. The script then reads the file fgx.mp3 in the current directory, takes the contents of its sData and esData fields, decrypts that data, writes the decrypted data to the current directory under a randomly generated five-digit file name, and finally runs the decrypted file with the AutoIt3 interpreter. Opening the decrypted file shows that it is another au3 script.

The sData and esData fields in the fgx.mp3 file are as follows:

Part of the decrypted second au3 script (in this case the file is named BAKBS) is shown below:

To make the script easier to read, we made a few modifications and added comments. Reading the code shows that the script mainly implements the following functions:

1. Virtual machine detection

2. Sandbox detection

3. Disable UAC

4. Disable Task Manager

5. Self-booting

6. Download and execute updates

7. Execute local script

8. Decrypt and release the backdoor Trojan

Screenshots of the modified script's function code follow in the original article (not reproduced in this text copy): the core function; virtual machine detection; sandbox detection; disabling UAC; disabling Task Manager; autostart persistence; download and execute; decrypting and executing the backdoor Trojan; and executing the program specified in the configuration file.

When executing the backdoor and the target program, the script first copies a legitimately signed white program (here RegSvcs.exe or Firefox.exe) and then injects the target payload into that white process as a puppet process (process hollowing) so that the payload stays hidden:
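The loader behaviour described in the two passages above (a renamed AutoIt interpreter run from a temp directory with a script that has no .au3 extension, and a signed white program such as RegSvcs.exe spawned by that interpreter) is visible in endpoint process-creation telemetry. The Python below is an added example for this article, not code from the report: it walks constructed Sysmon Event ID 1 records (field names follow Sysmon's schema, paths and PIDs are made up) and flags the ones that match. It identifies the interpreter by the PE's OriginalFileName rather than the on-disk name, which is exactly what renaming to Taa.exe does not change.

```python
import re

HOLLOW_HOSTS = {"regsvcs.exe", "firefox.exe"}   # the white processes named in the report

# Constructed Sysmon Event ID 1 (process creation) records mirroring the chain:
# SFX from c:\windows\temp -> renamed AutoIt (Taa.exe) -> second script -> RegSvcs.exe.
# The last two records are benign look-alikes that must not alert.
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "ParentProcessId": 3980,
     "Image": r"C:\Users\victim\AppData\Local\Temp\RarSFX0\Taa.exe",
     "OriginalFileName": "AutoIt3.exe", "CommandLine": "Taa.exe xtb=ldp",
     "ParentImage": r"C:\Windows\Temp\shell.exe"},
    {"ProcessId": 4220, "ParentProcessId": 4100,
     "Image": r"C:\Users\victim\AppData\Local\Temp\RarSFX0\Taa.exe",
     "OriginalFileName": "AutoIt3.exe",
     "CommandLine": r"Taa.exe C:\Users\victim\AppData\Local\Temp\RarSFX0\BAKBS",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\RarSFX0\Taa.exe"},
    {"ProcessId": 4300, "ParentProcessId": 4220,
     "Image": r"C:\Users\victim\AppData\Local\Temp\RegSvcs.exe",   # assumed copy location
     "OriginalFileName": "RegSvcs.exe",
     "CommandLine": r'"C:\Users\victim\AppData\Local\Temp\RegSvcs.exe"',
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\RarSFX0\Taa.exe"},
    {"ProcessId": 5000, "ParentProcessId": 1200,
     "Image": r"C:\Program Files\AutoIt3\AutoIt3.exe", "OriginalFileName": "AutoIt3.exe",
     "CommandLine": r'"C:\Program Files\AutoIt3\AutoIt3.exe" C:\Scripts\backup.au3',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 5100, "ParentProcessId": 2400,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "OriginalFileName": "RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MyLib.dll',
     "ParentImage": r"C:\Program Files\dotnet\dotnet.exe"},
]


def _argv(cmdline):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_temp(path):
    return "\\temp\\" in path.lower()


def scan_events(events):
    """Walk process-creation events in order; return {ProcessId: [reasons]} for
    every event matching the loader behaviour described in the report."""
    alerts = {}
    autoit_pids = set()          # PIDs whose executable really is the AutoIt interpreter
    for ev in events:
        reasons = []
        image = _basename(ev["Image"])
        if ev.get("OriginalFileName", "").lower() == "autoit3.exe":
            autoit_pids.add(ev["ProcessId"])
            if image != "autoit3.exe":
                reasons.append("AutoIt interpreter renamed to " + image)
            if _in_temp(ev["Image"]):
                reasons.append("AutoIt interpreter running from a temp directory")
            # The first non-switch argument is the script; this loader passes files
            # named xtb=ldp and BAKBS instead of *.au3.
            script = next((a for a in _argv(ev.get("CommandLine", ""))[1:]
                           if not a.startswith("/")), None)
            if script is not None and not script.lower().endswith(".au3"):
                reasons.append("script argument without .au3 extension: " + script)
        if ev.get("ParentProcessId") in autoit_pids:
            if image in HOLLOW_HOSTS:
                reasons.append("hollowing host %s spawned by AutoIt interpreter" % image)
            elif _in_temp(ev["Image"]):
                reasons.append("executable in temp spawned by AutoIt interpreter")
        if reasons:
            alerts[ev["ProcessId"]] = reasons
    return alerts


if __name__ == "__main__":
    for pid, why in scan_events(SAMPLE_EVENTS).items():
        print(pid, "; ".join(why))
```

Tracking interpreter PIDs across events is what lets the RegSvcs.exe record alert even though its ParentImage is just "Taa.exe"; a rule keyed only on parent name would miss it.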

Next let's take a look at the decrypted backdoor Trojan program mentioned above.

The program is packed with UPX:

After unpacking, the file information is as follows:

The program is a remote-control tool of foreign origin that its author originally released free of charge on the Internet. Because the software supports so many functions, it was embraced by attackers after release and is widely used in cyber attacks; for that reason the author discontinued the project in 2012 because of legal issues. Although it is no longer updated, a large number of attackers still use this tool to carry out network attacks.

The following is the configuration interface of the DarkComet controller; the software supports many functions and flexible configuration, including data theft, keylogging, video/audio surveillance, desktop monitoring, system control and so on.

Debugging the remote-control Trojan in OllyDbg (OD) shows that, after starting, the sample reads the "DCDATA" resource from its resource section and decrypts it. The decrypted configuration is as follows:

#BEGIN DARKCOMET DATA --
MUTEX={DCMIN_MUTEX-B6DQQC7}
SID={KAYANA}
NETDATA={obyterry.hopto.org:1990}
GENCODE={HMgiLefV9w0m}
OFFLINEK={1}
#EOF DARKCOMET DATA --

From the decrypted information we can see that the attacker's control server address is obyterry.hopto.org:1990.
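Pulling the C2 out of a DarkComet sample is a routine config-extraction task once the DCDATA blob is in hand. The Python below is an added example for this article, not code from the report or from DarkComet: it decrypts a DCDATA blob with RC4 and parses the KEY={value} lines into a dict. Two assumptions are labelled in the code: that the blob is hex-encoded RC4 ciphertext, which is the layout public DarkComet decoders handle, and that the key is the published DarkComet 5.x key, since the report does not state the sample's version. The encrypted sample blob is constructed here by re-encrypting the decrypted configuration quoted above with that key, so the round trip is self-contained.

```python
import re

# Assumption: key published for DarkComet 5.x DCDATA blobs; the report does not
# say which version this sample is.
DARKCOMET_51_KEY = b"#KCMDDC51#-890"


def rc4(key, data):
    """Plain RC4 (KSA + PRGA). Symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_darkcomet_config(text):
    """Parse a decrypted '#BEGIN DARKCOMET DATA' block into a dict and split
    NETDATA into C2_HOST / C2_PORT for convenience."""
    cfg = dict(re.findall(r"([A-Z]+)=\{([^}]*)\}", text))
    host, _, port = cfg.get("NETDATA", "").rpartition(":")
    cfg["C2_HOST"] = host
    cfg["C2_PORT"] = int(port) if port.isdigit() else None
    return cfg


def extract_config(dcdata_hex, key=DARKCOMET_51_KEY):
    """Decode the hex DCDATA resource (assumed layout), RC4-decrypt it and parse it.
    Raises ValueError when the key is wrong or the data is not a DarkComet config."""
    plain = rc4(key, bytes.fromhex(dcdata_hex.strip())).decode("latin-1")
    if "#BEGIN DARKCOMET DATA" not in plain:
        raise ValueError("not a DarkComet config block, or wrong RC4 key")
    return parse_darkcomet_config(plain)


# Constructed sample: the configuration recovered in the report, re-encrypted with
# the assumed key so that extract_config() has realistic input to work on.
PLAINTEXT_CONFIG = (
    "#BEGIN DARKCOMET DATA --\n"
    "MUTEX={DCMIN_MUTEX-B6DQQC7}\n"
    "SID={KAYANA}\n"
    "NETDATA={obyterry.hopto.org:1990}\n"
    "GENCODE={HMgiLefV9w0m}\n"
    "OFFLINEK={1}\n"
    "#EOF DARKCOMET DATA --\n"
)
SAMPLE_DCDATA_HEX = rc4(DARKCOMET_51_KEY, PLAINTEXT_CONFIG.encode()).hex().upper()

if __name__ == "__main__":
    cfg = extract_config(SAMPLE_DCDATA_HEX)
    print("C2:", cfg["C2_HOST"], cfg["C2_PORT"], "mutex:", cfg["MUTEX"])
```

In practice the hex string would come from the DCDATA entry of the unpacked binary's resource section; the mutex name and the NETDATA host are the two values worth turning into host-based and network indicators respectively.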

The following is a code snippet for the backdoor program to perform related functions:

Through the backdoor, the attacker can easily monitor everything on the victim's host, including keyboard input, desktop activity and files on the machine; if the computer has a camera or similar devices, the attacker can also watch the victim's every move through the camera and microphone. According to data from the Tencent Threat Intelligence Center, most of the victims are trade-related practitioners. Once these people are compromised, the company's core information is easily leaked, which poses a great threat to the company. We therefore remind all users to treat unfamiliar emails with caution.

That concludes this article on how the AutoIT script releases the DarkComet backdoor. I hope the above content has been of some help and that you have learned something from it. If you think the article is good, share it so that more people can see it.
