
Sample Analysis of the Orcus Remote Control Trojan Spread via SYLK Files

2025-04-07 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article presents a sample analysis of an Orcus remote control Trojan spread via a SYLK file. The content is quite detailed; interested readers can use it for reference. I hope it will be helpful to you.

0x01 background

Recently, Tencent Antivirus Lab found an attack sample that uses Symbolic Link (SYLK) files to spread the Orcus remote control Trojan. The attackers use a SYLK document as the initial attack vector: the document launches PowerShell, which in turn loads the Orcus Trojan. For most users the SYLK file type is unfamiliar. It is a Microsoft data file format that is opened by Excel by default. Using a SYLK file as the initial attack carrier largely evades detection by security software: as of publication, no major security vendor other than Tencent PC Manager detects the sample.

Typical attack scenarios for this sample are: phishing, where a detection-evading malicious SYLK document is sent as an attachment to induce the target to open it, after which the attacker takes control of the system; and watering-hole attacks, where a download link on a site the user trusts is replaced with the malicious SYLK document and the attacker waits for users to download and run it.

The attack flow of the entire sample is shown below.

Two points in this attack deserve attention:

1. Most security vendors' antivirus engines implement format parsing for common document types such as .doc and .xls, but they pay little attention to uncommon document structures (such as the SYLK structure in this case) and have no parsing module for them. As a result, malicious code in such documents cannot be correctly identified and removed by the engine.

2. The compilation timestamps show that the loader sample was built on March 22, 2018 and the Orcus Trojan sample on March 24, 2018, so the samples are quite recent. Attackers have only recently begun trying this evasion method, and the number of malicious samples using it may grow in the future.

Therefore, this paper analyses these samples in detail and shares the results with the security community, to jointly improve defensive capability and protect the computers of individuals, enterprises, government agencies and other users.

0x02 Sample Analysis

2.1 SYLK File

The original sample file is named Knowl.SLK; .SLK is the SYLK file extension. Symbolic Link (SYLK) is a Microsoft file format commonly used to exchange data between applications, especially spreadsheets. A SYLK file consists of displayable ANSI characters; even if the application that created the file supports Unicode, the SYLK file is encoded in ANSI on the system.

Opened in 010 Editor, the file appears as follows:

The ID;PWXL;N;E on the first line declares the document format, and lines beginning with P define different styles. When Office is installed, SYLK files are opened by Excel by default.

When the file is opened this way, Excel pops up the following security prompt; if the user clicks Disable at this point, the attack is stopped.

If the user clicks Enable, Office then shows a "remote data inaccessible" dialog, advising the user to click Yes only if the data source is trusted, so that legitimate applications are not abused by viruses.

Once the user clicks Yes again, the malicious PowerShell command executes, and from then on the machine is fully controlled by the attacker without any further user interaction.

The process tree at run time is as follows:
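The process tree in the original is a screenshot. As an added example (not code from the article or from Tencent), the following Python walks a constructed set of Sysmon-style process-creation events and flags cmd.exe or powershell.exe instances that descend from EXCEL.EXE, which is the chain this sample produces; the event data, PIDs and paths are made up for illustration.

```python
from typing import Dict, List

# Constructed process-creation events in Sysmon-like form; not the analysed host's tree.
EVENTS = [
    {"pid": 4012, "ppid": 812,  "image": "C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE"},
    {"pid": 4388, "ppid": 4012, "image": "C:\\Windows\\System32\\cmd.exe"},
    {"pid": 4412, "ppid": 4388, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"pid": 5001, "ppid": 812,  "image": "C:\\Windows\\explorer.exe"},
    {"pid": 5100, "ppid": 5001, "image": "C:\\Windows\\System32\\cmd.exe"},
]

OFFICE_APPS = {"excel.exe"}            # SYLK files are opened by Excel by default
SHELLS = {"cmd.exe", "powershell.exe"}  # the two stages the sample chains together


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: Dict[int, Dict], pid: int, max_depth: int = 8) -> List[str]:
    """Image names from the process itself up through its recorded ancestors.
    max_depth guards against PID-reuse loops in incomplete telemetry."""
    chain: List[str] = []
    cur = pid
    while cur in by_pid and len(chain) < max_depth:
        chain.append(image_name(by_pid[cur]["image"]))
        cur = by_pid[cur]["ppid"]
    return chain


def find_office_spawned_shells(events: List[Dict]) -> List[Dict]:
    """Return every shell process that has an Office application somewhere in its
    ancestry, together with how many hops up the Office parent sits."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = image_name(e["image"])
        if name not in SHELLS:
            continue
        chain = ancestry(by_pid, e["pid"])
        for depth, ancestor in enumerate(chain[1:], start=1):
            if ancestor in OFFICE_APPS:
                hits.append({"pid": e["pid"], "image": name, "ancestor": ancestor, "depth": depth})
                break
    return hits


if __name__ == "__main__":
    for h in find_office_spawned_shells(EVENTS):
        print(f"pid {h['pid']} {h['image']} spawned {h['depth']} hop(s) below {h['ancestor']}")
```

Walking the whole ancestry rather than only the direct parent matters here: PowerShell is the grandchild of Excel in this chain, so a rule that checks only the immediate parent would see cmd.exe and miss the stage that actually downloads Formules.exe.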

Looking at the original SYLK file, the malicious code can be seen on line 153:

Line 153 uses a cell formula to invoke DDE, which runs "\..\Windows\System32\cmd.exe" to launch PowerShell. The commands executed are:
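Because the malicious content lives in an ordinary SYLK cell record, a scanner does not need Excel to find it. The following Python is an added example (not code from the article or Tencent's product) that parses SYLK records, using the format's own conventions (record type first, ';'-separated fields, a one-letter code per field, ';;' for a literal semicolon), and flags C records whose formula (E field) contains a DDE pipe or a reference to cmd.exe, PowerShell or a relative path walk. The sample document is constructed for the example; its DDE argument is a placeholder, not the sample's command line.

```python
import re
from typing import Dict, List

# Constructed SYLK sample (not the analysed Knowl.SLK): a valid header, style records,
# an ordinary numeric cell, and one formula cell whose DDE argument is a placeholder.
SAMPLE_SLK = "\n".join([
    "ID;PWXL;N;E",
    "P;PGeneral",
    "P;P0",
    "F;P0;DG0G8;M255",
    "C;Y1;X1;K42",
    "C;Y153;X1;E\\..\\Windows\\System32\\cmd.exe|'powershell CONSTRUCTED_PLACEHOLDER'!A0",
    "E",
])

# Formula content that has no business in a data-exchange spreadsheet:
# a DDE pipe, a reference to cmd.exe or PowerShell, or a "\..\" directory walk.
DDE_PIPE = re.compile(r"\|")
EXEC_REF = re.compile(r"cmd(\.exe)?\b|powershell|\\\.\.\\", re.IGNORECASE)


def split_fields(line: str) -> List[str]:
    """Split a SYLK record on ';'. A literal ';' inside a field is written ';;'."""
    parts = re.split(r"(?<!;);(?!;)", line)
    return [p.replace(";;", ";") for p in parts]


def parse_sylk(text: str) -> List[Dict]:
    """Parse SYLK text into records {line, type, fields}; fields maps the one-letter
    field code (Y, X, K, E, ...) to its value."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        raw = raw.strip()
        if not raw:
            continue
        fields = split_fields(raw)
        rec = {"line": lineno, "type": fields[0], "fields": {}}
        for f in fields[1:]:
            if f:
                rec["fields"][f[0]] = f[1:]
        records.append(rec)
    return records


def scan_sylk(text: str) -> Dict:
    """Report whether the text is a SYLK document and which cell records carry a
    suspicious formula, with the line number and row/column of each."""
    records = parse_sylk(text)
    is_sylk = bool(records) and records[0]["type"] == "ID"
    findings = []
    for rec in records:
        if rec["type"] != "C":
            continue
        formula = rec["fields"].get("E")
        if formula is None:
            continue
        reasons = []
        if DDE_PIPE.search(formula):
            reasons.append("dde-pipe")
        if EXEC_REF.search(formula):
            reasons.append("executable-reference")
        if reasons:
            findings.append({
                "line": rec["line"],
                "row": rec["fields"].get("Y"),
                "col": rec["fields"].get("X"),
                "formula": formula,
                "reasons": reasons,
            })
    cells = sum(1 for r in records if r["type"] == "C")
    return {"is_sylk": is_sylk, "cells": cells, "findings": findings}


if __name__ == "__main__":
    result = scan_sylk(SAMPLE_SLK)
    for f in result["findings"]:
        print(f"line {f['line']} R{f['row']}C{f['col']}: {f['reasons']} -> {f['formula']}")
```

The point of the parser is the one the article makes in 0x01: a scanner that understands the record structure can read the formula field directly, whereas an engine that treats .slk as an unknown file type never sees it. Only the E (formula) field is inspected; ordinary K (value) cells, such as the number 42 in the sample, are not flagged.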

The downloaded Formules.exe is analysed next.

2.2 Formules.exe analysis

Formules.exe acts as an obfuscation wrapper. It is written in .NET, and its obfuscated code looks as follows in dnSpy:

The resources of Formules.exe hold 114 images, from which Formules.exe eventually decodes the PE data. A screenshot of the resources:

After Formules.exe decodes its own code in memory, dumping it reveals the restored code. From the restored code: the Main function first calls the Resources decoding routine and then runs Form1; Form1's initialization directly calls its close method, and it is in that close method that the decoded Multi.exe is actually loaded and executed. Multi.exe is itself a PE loader, used to load the final remote control Trojan.

At the code level, the Main function calls Application.Run(new Form1()).

Form1's Load method calls Resources.Class9.smethod_1, which in turn calls Form1's close method.

In Form1's close method, Invoke is used to call the entry point of the decoded Multi.exe (the loader); the Invoke and EntryPoint function names in the screenshot were renamed by the author.

Form1.smethod_1 decodes Multi.exe. Code screenshot:

2.3 Multi.exe (loader)

The compilation timestamp of Multi.exe is March 22, 2018; the sample was built only recently.

Multi.exe is a PE loader. It decrypts the names of the API functions needed to load a PE with AES and then resolves their addresses. It calls CreateProcess with the CREATE_SUSPENDED flag to create a suspended process, reads the thread's CONTEXT with GetThreadContext, sets EIP to the entry point of the PE to be loaded with SetThreadContext, and finally calls ResumeThread so that the loaded PE runs.

Multi.exe decrypts its configuration string with AES:

The corresponding configuration is as follows:

Option                   Value
Install                  TRUE
Install.Folder           0x0000000B
Install.Key              Software\Microsoft\Windows\CurrentVersion\RunOnce
Install.ValueName        pitsuvxlikk
Install.FileName         printing.exe
Install.StartupFolder    TRUE
Notify                   FALSE
Options.Compress         FALSE
Options.CheckVM          FALSE
Options.CheckSandbox     FALSE
Options.DelayTime        0x00000019
Options.MonitorPackage   FALSE
Options.MonitorRegistry  FALSE
Options.MonitorSelf      FALSE
Options.HostIndex        0x00000000
Files.Main               Orcus.exe file content
Files.Count              0
Options.Melt             FALSE
MeltFileName             Name of the melted file

The most important configuration item is Files.Main, which holds the PE file to be loaded in memory.

The code by which Multi.exe resolves function addresses when loading the PE:

The code that writes the PE file into the suspended puppet process:
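The loader's API sequence (suspended CreateProcess, GetThreadContext, a write of the PE into the child, SetThreadContext, ResumeThread) is itself a usable detection signature in sandbox or API-monitor output. The following Python is an added example, not code from the article, that parses a constructed API trace in a simple "<pid> <api>(<args>) -> result" form and flags any process that performs that ordered sequence after creating a child with CREATE_SUSPENDED (0x4). The trace format, paths and handle values are assumptions made for the example; real sandbox output would need its own parser.

```python
import re
from typing import Dict, List, Optional

# Constructed API trace in the style of a sandbox log. Paths and handles are made up;
# the call order for pid 1204 mirrors the loader behaviour described above.
TRACE = """\
1204 CreateProcessW(lpApplicationName="C:\\Example\\host.exe", dwCreationFlags=0x4) -> pid=1888
1204 GetThreadContext(hThread=0x1a4) -> TRUE
1204 WriteProcessMemory(hProcess=0x1a0, lpBaseAddress=0x400000, nSize=0x2c00) -> TRUE
1204 SetThreadContext(hThread=0x1a4) -> TRUE
1204 ResumeThread(hThread=0x1a4) -> 1
2300 CreateProcessW(lpApplicationName="C:\\Example\\notes.exe", dwCreationFlags=0x0) -> pid=2410
2300 WriteFile(hFile=0x88, nNumberOfBytesToWrite=0x100) -> TRUE
"""

LINE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)(?:\s*->\s*(.*))?$")
FLAGS = re.compile(r"dwCreationFlags=(0x[0-9a-fA-F]+)")
CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit that starts the child suspended

# Calls that must appear in this order after the suspended create for a hit.
HOLLOW_ORDER = ["GetThreadContext", "SetThreadContext", "ResumeThread"]


def parse_trace(text: str) -> Dict[int, List[Dict]]:
    """Group trace lines by calling PID, preserving order; unparsable lines are skipped."""
    per_pid: Dict[int, List[Dict]] = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, api, args, result = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        per_pid.setdefault(pid, []).append({"api": api, "args": args, "result": result})
    return per_pid


def in_order(apis: List[str], pattern: List[str]) -> bool:
    """True if pattern occurs as a subsequence of apis (other calls may sit in between)."""
    pos = 0
    for a in apis:
        if pos < len(pattern) and a == pattern[pos]:
            pos += 1
    return pos == len(pattern)


def suspended_create_index(calls: List[Dict]) -> Optional[int]:
    """Index of the first CreateProcess* call made with CREATE_SUSPENDED, if any."""
    for i, c in enumerate(calls):
        if c["api"].startswith("CreateProcess"):
            m = FLAGS.search(c["args"])
            if m and int(m.group(1), 16) & CREATE_SUSPENDED:
                return i
    return None


def find_hollowing(per_pid: Dict[int, List[Dict]]) -> List[Dict]:
    """Return {pid, child_pid} for each process showing the loader's full sequence."""
    suspects = []
    for pid, calls in per_pid.items():
        start = suspended_create_index(calls)
        if start is None:
            continue
        later = [c["api"] for c in calls[start + 1:]]
        if in_order(later, HOLLOW_ORDER) and "WriteProcessMemory" in later:
            child = re.search(r"pid=(\d+)", calls[start]["result"] or "")
            suspects.append({"pid": pid, "child_pid": int(child.group(1)) if child else None})
    return suspects


if __name__ == "__main__":
    for s in find_hollowing(parse_trace(TRACE)):
        print(f"pid {s['pid']} appears to have loaded a PE into suspended child {s['child_pid']}")
```

Requiring the whole ordered sequence, rather than any single call, keeps the rule from firing on debuggers and legitimate tools that also call SetThreadContext; the second process in the trace creates a child normally and is not reported.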

The PE file specified by Files.Main is the Orcus remote control Trojan. The Orcus binary is saved for the analysis that follows.

2.4 Remote Control Trojan: Orcus.exe

The compilation timestamp of Orcus.exe is March 24, 2018, two days after that of Multi.exe (2018-03-22).

Orcus is commercial remote control software sold for $40. It has been continuously updated and maintained since 2016; the latest official version is 1.9.1. Beyond the basic functions of a remote control Trojan, Orcus's main selling point is that it can load user-developed plug-ins, and attackers can execute C# and VB.NET code on remote computers in real time.

Orcus's official plug-in library currently holds five plug-ins, including one that inflates file size to defeat cloud scanning, one that protects the client by tying it to a critical system process, and one that forces a blue screen once the process is killed.

The official Orcus software shows the following operational-risk notice when the client runs, and the official website also states that the software is under review and is remote administration software, not a remote control Trojan. However, the Orcus build detected by Tencent Antivirus Lab, used as a Trojan, does not show this dialog.

Screenshots of the code for the basic remote control functions (remote process management, file management, registry management, service management, network connection management) are as follows:

The conventional remote control functions are not described further. Instead, this paper briefly introduces the software's distinctive functions, based on the author's understanding.

Prank function

The software includes a prank function that can play mosquito, tornado, ghost and other sounds on the victim machine.

World map function

The software includes a world map that shows the geographical location of each victim.

The statistics function also charts the number of victims online over a chosen period.

Remote source code execution function

The software can execute remote source code directly, currently supporting Visual C#, VB.NET and batch scripts. As shown in the following figure, the selected C# code is executed directly on the victim machine.

Dynamic debugging shows that the Trojan's command-and-control address is d***r.com:9**0. Debugging screenshot:

0x03 Summary

Since the DDE technique was first disclosed, Tencent Antivirus Lab has continued to track it, publishing "Analysis of a ransomware campaign spread by DDE phishing documents", "Office DDEAUTO Technical Analysis Report", "Infiltration without macros: using DDE to execute commands in Office documents" and other articles on the technique. These attack samples also use DDE, with one small difference from earlier cases: previously DDE was used in .doc and .xls documents, whereas here it is used in .slk documents. That simple change is enough to leave most security products silent.

For the attack samples above, the following security recommendations are given:

1. Raise users' security awareness. For these samples, if the user chooses not to allow execution at either of the two confirmation prompts, the attack chain is blocked. Not opening files sent by strangers is the quickest way to stop such attacks.

2. Users are advised to check their networks promptly for connections to the suspicious C&C (command and control) address. Any host found to have initiated a connection to the above C&C address has very likely been compromised.

3. Users are advised to install endpoint security products such as Tencent PC Manager and keep them up to date for effective protection.

4. An advanced threat detection system can be deployed at the enterprise perimeter; such a system is already able to block and alert on this threat.
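Recommendation 2 asks users to look for hosts that contacted the C&C address. The following Python is an added example (not code from the article) of that check run over constructed DNS and proxy log lines: it matches the indicator host exactly or as a parent domain, normalises case and trailing dots, and optionally requires the reported port. Because the article redacts the real address as d***r.com:9**0, the example uses an obviously labelled placeholder host and port; the log format and client addresses are also made up.

```python
import re
from typing import Dict, List, Optional

# Placeholder standing in for the redacted C&C address d***r.com:9**0 reported above.
C2_HOST = "c2-placeholder.example"
C2_PORT = 9000

# Constructed DNS and proxy log lines in a simple "timestamp kind key=value ..." form.
LOG_LINES = [
    "2018-03-26T10:02:11Z dns client=10.0.0.15 query=c2-placeholder.example type=A",
    "2018-03-26T10:02:12Z proxy client=10.0.0.15 dest=c2-placeholder.example:9000 bytes=512",
    "2018-03-26T10:03:40Z proxy client=10.0.0.22 dest=update.example.com:443 bytes=20480",
    "2018-03-26T10:05:01Z dns client=10.0.0.31 query=cdn.C2-Placeholder.example. type=A",
    "2018-03-26T10:06:30Z proxy client=10.0.0.40 dest=c2-placeholder.example:443 bytes=300",
    "malformed line without fields",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_kv_line(line: str) -> Optional[Dict[str, str]]:
    """Split '<ts> <kind> k=v k=v ...' into a dict; returns None for short lines."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return None
    ts, kind, rest = parts
    rec = {"ts": ts, "kind": kind}
    rec.update(dict(KV.findall(rest)))
    return rec


def host_matches(host: str, ioc_host: str) -> bool:
    """Exact match or subdomain of the indicator, ignoring case and a trailing dot."""
    host = host.lower().rstrip(".")
    ioc = ioc_host.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)


def split_dest(dest: str):
    """'host:port' -> (host, port); a bare host gets port None."""
    host, sep, port = dest.rpartition(":")
    if not sep:
        return dest, None
    return host, port


def find_c2_contacts(lines: List[str], ioc_host: str, ioc_port: Optional[int] = None) -> List[Dict]:
    """Return one record per DNS lookup or proxied connection that touches the indicator.
    If ioc_port is given, proxy hits must also use that port; DNS hits never carry a port."""
    hits = []
    for line in lines:
        rec = parse_kv_line(line)
        if rec is None:
            continue
        if rec["kind"] == "dns" and "query" in rec:
            if host_matches(rec["query"], ioc_host):
                hits.append({"client": rec.get("client"), "host": rec["query"], "port": None, "kind": "dns"})
        elif rec["kind"] == "proxy" and "dest" in rec:
            host, port = split_dest(rec["dest"])
            if host_matches(host, ioc_host) and (ioc_port is None or port == str(ioc_port)):
                hits.append({"client": rec.get("client"), "host": host, "port": port, "kind": "proxy"})
    return hits


if __name__ == "__main__":
    for h in find_c2_contacts(LOG_LINES, C2_HOST, C2_PORT):
        print(f"{h['client']} -> {h['host']}:{h['port']} via {h['kind']}")
```

The port filter is deliberately optional: in the sample run it drops the connection to the indicator host on port 443, which is a judgement call. When hunting for a compromised host, matching on the host alone and reviewing every port it was contacted on is the safer default, since a RAT operator can change the listening port far more easily than the domain.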

That concludes the analysis of the Orcus remote control Trojan spread via SYLK files. I hope the content above is of some help and that you have learned something from it. If you think the article is good, please share it so more people can see it.
