Cat-Phishing Hackers for Fun and Profit

On June 14th, 2017, a new variant of ZXShell appears to have been uploaded from the Marmara region of Turkey. The Trojan itself is well known and contained x32 and x64 rootkits. This blog describes the functionality of ZXShell, as well as the associate rootkits. The Trojan source code is available here.

Metadata
File Name:   5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16.dll

File Size: 950368 bytes

MD5:         7d31919503f3570d46e410919993b034

SHA1:         e036c49c79fccb2378c3db6eefb3073d3aeaa3f1

PE Time:   0x549A82E1 [Wed Dec 24 09:09:53 2014 UTC]

Sections (7):

Name       Entropy     MD5

.text          6.62           163c64599d79322c596724b07b8b1c3e

.rdata       6.05           882510633f1de7ca620f954d9d938b2b

.data        7.32            a4d961e6ca1372e2db7394a9a9f313af

.zh0         6.65           18c2f27a8641da65a8936242bbce2ac7

.zh1          7.82           c7fd2160012526aa7708d5a3784cd929

.reloc       6.73           cebfde9dc81a4587832ef23054c66282

.rsrc        4.1              174d54af2191173b9759cd8a003f9194

With the malware analysis having been documented, as well as the source code being freely available, we can get to the fun part. Using a lab environment with RSA NetWitness® Packets and RSA NetWitness Endpoint installed, we allowed the malware to entrench and install the rootkit driver.

Figure 1 Malware Entrenchment

Figure 2 Rootkit Driver Filesystem and Network Hooks

The malware immediately resolved to domain api7.mcafee.01o[.]us – which resolves to 103.224.81[.]159 – and was first seen June 15th, 2017. There are about 40 other suspicious-looking domains in that IP. The TCP and UDP beaconing were typical of ZXShell, cycling between ports 25, 443, 80, 53 and 21.

Figure 3 ZXShell beaconing

Left to beacon overnight, we checked in the next morning and found that an actor had visited the site (as they had administrative control of the malware). Using the RSA NetWitness platform as a forensics tool, provides a clear record of what took place. The actor began with traditional reconnaissance of the machine their Trojan landed on: executing whoami, ipconfig, netstat and the ver command.

Figure 4 Simple Reconnaissance of Machine

For unknown reasons, the ZXShell main menu is transmitted in clear-text to the actor, which allows us to view them typing in commands for the Trojan.

Figure 5 Plaintext Command Listing for ZXShell

After dropping a compressed CAB archive and expanding it, the actor used ZXShell to create a named pipe running the uncompressed file, which was a password dumper. The pcap timestamps appear to be a few minutes off, but as this was a long TCP session the session start is registered in the time field.

Figure 6 Password Dumper

Metadata
File Name: makecab.cab.exe

File Size: 157184 bytes

MD5:         338d602ec60d0ea06cf4262f482286de

SHA1:         5cba488b0d3338b77cbe78a25077c7155e980540

PE Time:   0x548871BE [Wed Dec 10 16:15:58 2014 UTC]

Sections (6):

Name     Entropy   MD5

.text     6.36       34e7ba8238c64368bc14977c5ade240c

.rdata   4.39       2791758f6832c0a01c87c19137fb5bf7

.data     2.18       3ff9e4160b1b6215060db85f84390778

.pdata   4.92       6a38e85b4d71fc06f1ccc221f54b3f50

.rsrc     5.18       6e4e0c4894943dff286673de86c60c8f

.reloc   3.52       8df2a0bc3d8d683ff3d07386e22650c7

Figure 7 Clear-Text Output from RSA NetWitness Packets

The actor moved on to verifying the rootkit was working properly (by looking for the TCP connection with the netstat piped through the find command), dropping and executing the same malware DLL with rundll32.exe. This was followed by executing the ShellMainThread named export.

Figure 8 Verification and Additional Malware

Apparently the actor had seen enough and decided we weren’t a target as the actor used the ZXShell Uninstall built-in command and, attempted to remove the Trojan. (We wonder what gave it away, the superhero username or the awful password [P@ssw0rd]?)

Figure 9 Attempt #1 to Uninstall ZXShell

The output from the malware console stated the removal was a success. Most malware control panels list machines actively connected to the command and control server (C2), much like RSA NetWitness Endpoint. This uninstall failed, so the console likely alerted the operator that this machine was still connected. The actor then spent 15 minutes repeatedly issuing the uninstall command. When that failed, they connected to the machine via the built-in RDP client of the Trojan. We can detect this behavior with both RSA NetWitness Packets and RSA NetWitness Endpoint. In RSA NetWitness Endpoint we see the process smss.exe, the session manager process, create winlogon.exe which then creates LogonUI.exe. This is the sequence we expect to see when any user logs onto a Windows operating system-based PC interactively. We can tell its RDP because svchost.exe creates rdpclip.exe, which handles the terminal services clipboard functionality. This is the process that synchronizes the clipboards of the local and remote session so a user can copy/paste text or files via a remote session. The actor then opens the task manager, explorer.exe will be the parent of any newly created applications, and even does a traceroute to google.com before leaving the machine alone for roughly an hour. The actor then attempts to manually delete the file, but is again stopped by their own rootkit.

Figure 10 #Fail

Figure 11 A Very Confused Threat Actor

Figure 12 RDP Tunneled Over HTTP

The actor made many attempts to uninstall the Trojan via the ZXShell menu many times while on my network, at one point dropping the same malware with a different name in an attempt to uninstall the original Trojan. Each time being defeated by the rootkit, which reroutes any request to the entrenched malware either to tcpip.sys or ntfs.sys, core Windows drivers for filesystem management and networking.

The term APT gets thrown around a lot, these days. Was this malware advanced? Yes and no, it’s certainly a full featured Remote Access Trojan (RAT), but given its high detection rate on VirusTotal and the plaintext communications it’s easy to detect. The rootkit loaded into memory hid the activities from applications running on the host, but RSA NetWitness Endpoint sits at the same layer, Ring 0. Unsigned kernel drivers are a rarity with modern Windows OS’, so when we find one it warrants investigation. The advanced aspect of this Trojan is exactly what would lead to its discovery with a good endpoint detection and response tool such as RSA NetWitness Endpoint. So, while this malware could be considered advanced, the actor behind the malware certainly was not.5