2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article explains how the new PNG Dropper samples hide PE code in PNG pixels and how to analyze them. The editor thinks it is very practical, so it is shared here; I hope you get something out of reading it.
We introduce the PNG Dropper malware developed and used by Turla. In August 2017 the long-silent PNG Dropper returned to public view; at the time it was mainly used to deliver Snake. Recently, however, researchers detected a PNG Dropper sample carrying a new type of Payload, which NCC Group researchers have named RegRunnerSvc.
PNG Dropper
Carbon Black's research team has already published a very detailed analysis of the PNG Dropper component, so here we only briefly review how it works.
The purpose of the Dropper is to load and run a PE file hidden across multiple PNG files. The figure above shows the Dropper's resource data, where several resource entries are marked with the word "PNG". Each of these resources is a valid PNG file, but when you open it you see nothing but a field of colored pixels:
The PNGs are loaded with Microsoft's GDI+ library; as the following figure shows, the code calls LockBits to read the pixel data out of each PNG. The RGB value of each pixel carries bytes of the PE file, so decoding the RGB values yields the raw bytes of the PE.
Each PNG resource is enumerated in turn, its pixel data is extracted, and the pieces are spliced together so that the complete PE file ends up in memory. The Dropper then manually maps the PE image and calls the PE file's entry point:
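As an added example (not the NCC Group extraction tool or the page's own code), the following Python reproduces the decoding step above on a constructed sample: a stand-in PE is packed into two small 8-bit RGB PNGs, then the pixel bytes of each resource are read back in order, spliced, and checked for an MZ header and PE signature before the buffer is treated as an executable. The minimal PNG reader handles only 8-bit RGB images with filter type 0 rows, which is all the constructed sample needs, and the pixel order (R, G, B per pixel, rows top to bottom) is an assumption about the sample, not a claim about the real dropper's layout.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def rgb_from_png(data):
    """Decode an 8-bit RGB, non-interlaced PNG (filter type 0 rows only) into raw RGB bytes."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", body[:10])
            if (depth, colour) != (8, 2):
                raise ValueError("only 8-bit RGB PNGs are handled here")
        elif ctype == b"IDAT":
            idat += body
        pos += 12 + length  # length + type + data + crc
    raw, stride = zlib.decompress(idat), width * 3 + 1  # each row starts with a filter byte
    rows = [raw[y * stride:(y + 1) * stride] for y in range(height)]
    if any(r[0] != 0 for r in rows):
        raise ValueError("only filter type 0 rows are handled here")
    return b"".join(r[1:] for r in rows)  # pixel bytes R,G,B,R,G,B,... row by row

def looks_like_pe(buf):
    """Same sanity check the Yara condition uses: MZ magic and a PE signature at e_lfanew."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def carve_pe(png_resources):
    """Splice the pixel bytes of every PNG resource, in order, and validate the result."""
    blob = b"".join(rgb_from_png(p) for p in png_resources)
    if not looks_like_pe(blob):
        raise ValueError("spliced pixel data is not a PE image")
    return blob

def png_from_rgb(width, height, rgb):
    """Constructed sample only: pack raw RGB bytes into a minimal PNG, like the dropper's resources."""
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    raw = b"".join(b"\x00" + rgb[y * width * 3:(y + 1) * width * 3] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")

def build_sample():
    """Constructed stand-in for a PE (MZ header, e_lfanew -> 'PE\\0\\0'), split over two 8x4 PNGs."""
    fake_pe = bytearray(b"MZ" + b"\x00" * 0x3E + b"PE\0\0" + b"\xCC" * 60)
    struct.pack_into("<I", fake_pe, 0x3C, 0x40)
    per_image = 8 * 4 * 3  # 96 pixel bytes per resource; the last one is zero-padded
    fake_pe += b"\x00" * (-len(fake_pe) % per_image)
    return [png_from_rgb(8, 4, bytes(fake_pe[i:i + per_image])) for i in range(0, len(fake_pe), per_image)]
```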
RegRunnerSvc
PNG Dropper decodes and runs RegRunnerSvc from its PNG resources, and the purpose of RegRunnerSvc in turn is to extract an encrypted Payload from the registry, load it into memory and run it. The following figure shows the entry point of RegRunnerSvc. Here the code calls StartServiceCtrlDispatcher with the service name WerFaultSvc (the service is also what gives the malware persistence). Clearly the attacker wants the malicious service to pass as the legitimate Windows Error Reporting service.
Once the service setup function has run, the code needs to locate its target data in the registry. Normally the registry path would be stored as a string in the code, but PNG Dropper does not do this: it enumerates registry keys and values with the RegEnumKeyExA and RegEnumValueA functions instead.
The registry data contains the encrypted Payload together with the data needed to decrypt it. It does not contain the decryption key itself, but it does contain the information needed to generate that key, and part of the data is encrypted with Microsoft's CNG library functions (NCrypt*). The first stage of the Dropper generates the decryption key and stores it in the system's default key store, using the "Microsoft Software Key Storage Provider". If the first stage of the Dropper did not succeed, the key was never generated and stored, so the decryption function simply exits. The following figure shows the binary structure of the decrypted data:
After the Header has been decrypted successfully, the second stage of decryption can proceed. The main Payload is encrypted with AES. First the code passes a piece of the registry data to BCryptGenerateSymmetricKey, which creates the AES decryption key. After the key has been generated and the decryption properties have been set, the Payload is decrypted. Next, the code checks the decrypted Payload to make sure it is a valid PE file; if the check passes, the file is loaded and its entry point is called.
Summary
In this article we analyzed the new PNG Dropper used by the Turla group, which the group now pairs with a new component, RegRunnerSvc, to carry out attacks. RegRunnerSvc extracts an encrypted PE file from the registry, decrypts it and runs it. The group appears to take inspiration from fileless malware such as Poweliks and Kovter: the goal is to leave as little evidence of the attack as possible in files on disk.
In addition, we have developed a dedicated tool for extracting the Payload from PNG Dropper and released it as open source; interested readers can download it to study: [download address].
Yara rules:

    import "pe"

    rule turla_png_dropper
    {
        meta:
            author = "Ben Humphrey"
            description = "Detects the PNG Dropper used by the Turla group"
            sha256 = "6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27"
        strings:
            $api0 = "GdiplusStartup"
            $api1 = "GdipAlloc"
            $api2 = "GdipCreateBitmapFromStreamICM"
            $api3 = "GdipBitmapLockBits"
            $api4 = "GdipGetImageWidth"
            $api5 = "GdipGetImageHeight"
            $api6 = "GdiplusShutdown"
            $code32 = {
                8B 46 3C        // mov eax, [esi+3Ch]
                B9 0B 01 00 00  // mov ecx, 10Bh
                66 39 4C 30 18  // cmp [eax+esi+18h], cx
                8B 44 30 28     // mov eax, [eax+esi+28h]
                6A 00           // push 0
                B9 AF BE AD DE  // mov ecx, 0DEADBEAFh
                51              // push ecx
                51              // push ecx
                03 C6           // add eax, esi
                56              // push esi
                FF D0           // call eax
            }
            $code64 = {
                48 63 43 3C     // movsxd rax, dword ptr [rbx+3Ch]
                B9 0B 01 00 00  // mov ecx, 10Bh
                BA AF BE AD DE  // mov edx, 0DEADBEAFh
                66 39 4C 18 18  // cmp [rax+rbx+18h], cx
                8B 44 18 28     // mov eax, [rax+rbx+28h]
                45 33 C9        // xor r9d, r9d
                44 8B C2        // mov r8d, edx
                48 8B CB        // mov rcx, rbx
                48 03 C3        // add rax, rbx
                FF D0           // call rax
            }
        condition:
            (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and
            all of ($api*) and 1 of ($code*)
    }

    rule turla_png_reg_enum_payload
    {
        meta:
            author = "Ben Humphrey"
            description = "Payload that has most recently been dropped by the Turla PNG Dropper"
            sha256 = "fea27eb2e939e930c8617dcf64366d1649988f30555f6ee9cd09fe54e4bc22b3"
        strings:
            $crypt00 = "Microsoft Software Key Storage Provider" wide
            $crypt01 = "ChainingModeCBC" wide
            $crypt02 = "AES" wide
        condition:
            (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and
            pe.imports("advapi32.dll", "StartServiceCtrlDispatcherA") and
            pe.imports("advapi32.dll", "RegEnumValueA") and
            pe.imports("advapi32.dll", "RegEnumKeyExA") and
            pe.imports("ncrypt.dll", "NCryptOpenStorageProvider") and
            pe.imports("ncrypt.dll", "NCryptEnumKeys") and
            pe.imports("ncrypt.dll", "NCryptOpenKey") and
            pe.imports("ncrypt.dll", "NCryptDecrypt") and
            pe.imports("ncrypt.dll", "BCryptGenerateSymmetricKey") and
            pe.imports("ncrypt.dll", "BCryptGetProperty") and
            pe.imports("ncrypt.dll", "BCryptDecrypt") and
            pe.imports("ncrypt.dll", "BCryptEncrypt") and
            all of them
    }

Indicators of compromise
Samples analyzed:
1. 6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27 (PNG Dropper)
2. fea27eb2e939e930c8617dcf64366d1649988f30555f6ee9cd09fe54e4bc22b3 (Payload obtained from PNG Dropper)
Services:
1. WerFaultSvc
The above is how to analyze the new PNG Dropper samples that hide PE code in PNG pixels. The editor believes it contains points of knowledge that we may encounter or use in daily work; I hope you can learn more from this article. For more details, please follow the industry information channel.