Turning Obscurity into Intelligence: Paving the Way for Advanced Threat Hunting

Dissecting Botnet - Kuluoz/Asprox Backdoor: Trojan
About the Malware Family
This malware belongs to the Kuluoz/Asprox backdoor family, a Trojan botnet. The backdoor is generally spread through mass spam emails and relies upon the victim to activate the malware.
About the sample
This sample imitates a Word document. Upon execution, it adds itself to the startup items for persistence and hollows into svchost for evasion. The sample collects the username, SID and Windows installation date and converts them into an MD5 hash; this hash is the unique ID for the bot and is used as its identifier by the botnet C2 server. The content sent by the sample to the C2C server is an XML encapsulation carrying information such as the hash ID, the presence of analysis tools or sandbox strings, whether the sample is running from a removable drive, a timestamp, the bot version, the status of the last command and the OS version. The C2C server appears to sit behind an nginx proxy and replies with command task types such as: long sleep; download and run a Kuluoz module; download, install and run an exe file; remove the Kuluoz module from the system; update registry keys; and update Kuluoz.
Static File Analysis

The file begins with the magic bytes “4D 5A” (“MZ”), indicating the PE executable file format.

The per-section entropy reported by Detect It Easy suggests that the .data section is packed.

Section[0], .text, is not packed, based on its clear-text opcodes.

Section[1], .data, is packed with an unknown data encoding and an unknown packer.

Section[2], .rsrc, and section[3], .reloc, contain data that is neither opcode nor a known encoding, but their entropy indicates that they are not packed: the data is not completely random and does not look like an obfuscation technique.
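As an added illustration of the section-entropy check (not code from the original post), here is a small Python parser that walks a PE file's section table and computes Shannon entropy per section. It runs on a constructed minimal PE whose .data section is built from uniform bytes to stand in for the packed section; the 7.0 bits/byte cut-off is an assumed threshold.

```python
import math
import struct

# Shannon entropy in bits per byte: near 8.0 means random-looking (packed or encrypted)
def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

# Walk the PE headers: "MZ" -> e_lfanew -> "PE\0\0" -> COFF header -> section table
def section_entropies(pe: bytes) -> dict:
    if pe[:2] != b"MZ":                                   # magic bytes 4D 5A
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                      # section headers follow the optional header
    result = {}
    for i in range(nsections):
        hdr = pe[table + 40 * i:table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode()
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)   # SizeOfRawData, PointerToRawData
        result[name] = round(shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]), 2)
    return result

def packed_sections(entropies: dict, threshold: float = 7.0) -> list:
    return [name for name, ent in entropies.items() if ent >= threshold]

# Constructed minimal PE (no optional header): a low-entropy .text and a uniform-byte .data
def build_sample_pe() -> bytes:
    text = b"\x55\x8b\xec\x83\xec\x10" * 512     # repetitive prologue bytes: low entropy
    data = bytes(range(256)) * 16                 # every byte value equally often: entropy 8.0
    e_lfanew, nsec = 0x40, 2
    table_off = e_lfanew + 24                     # SizeOfOptionalHeader = 0 here
    text_off = table_off + 40 * nsec
    data_off = text_off + len(text)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0, 0x102)
    def sec(name, size, ptr):  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, rest
        return name.ljust(8, b"\0") + struct.pack("<IIII", size, 0x1000, size, ptr) + b"\0" * 16
    return dos + coff + sec(b".text", len(text), text_off) + sec(b".data", len(data), data_off) + text + data
```

Running `packed_sections(section_entropies(build_sample_pe()))` on the constructed file returns only `.data`, mirroring the Detect It Easy observation above.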

Based on sigcheck, the sample appears to be unsigned.

The sample appears to be using icon (thumbnail) faking as an armoring technique: it masquerades as a Word document.
Static String Analysis

The string “kErnel32” is suspicious: the mixed case indicates potential armoring. The NVIDIA Ethernet Driver string is suspicious since it indicates the sample’s intent to tamper with it, leverage it, or use it as an alibi for evasion.

The word “Deutschland” appears in the .rsrc section.
Detonating the Sample

Immediately after execution, an error dialog pops up saying the codec is not supported. The icon and text appear to have a lower pixel count, potentially indicating a fake error intended to evade user suspicion.

An unknown executable with a similar thumbnail was dropped by the original executable.

Task Manager did not immediately show any suspicious processes, but a new Startup item was added: the same executable that was dropped previously. For this to happen, the registry must have been changed as well.

The executable did add itself to the registry, confirming its persistence capability.
Dynamic Analysis: BIOC Extraction

The sample was found to be repeatedly calling the NtAllocateVirtualMemory() and NtProtectVirtualMemory() APIs, indicating that it is allocating memory in the remote process and changing its permissions to executable.


A new mutant was created by the sample with the values “2GVWNQJz1” and “Local\SM0:8392:168:WilStaging_02”.

The sample was found to be accessing multiple registry keys and values. Some notable ones are the svchost keys, the SafeBoot options, etc.

A create-process API was called, yielding process ID 8760 (svchost.exe).

A write to virtual memory in process ID 8760 was observed, indicating that the memory content of svchost is being modified.

Base address 0x325000 = 0x11e8, which points to the PEB of svchost. This activity suggests active armoring and evasion techniques.

A section is created and its view is mapped into both the original sample (PID 8392) and svchost (PID 8760).

After the malicious code is copied into the view inside the sample’s own address space, it is copied over to the memory space of svchost. The view is then unmapped from the original sample, the svchost thread is resumed, and the sample’s process is terminated. The base address of the view in svchost is “0x110000”.

The result of the mapped view is visible in svchost’s memory sections. Therefore, this sample has successfully performed process hollowing.
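The hollowing sequence described above, turned into detection logic as an added example (not from the original post): it flags a process that spawns a suspended child, maps a section view or writes memory into that child, and then resumes its thread. The key=value trace format and the benign PID 4100 are constructed; PIDs 8392 and 8760 follow the analysis above.

```python
import re
from collections import defaultdict

# Constructed API-trace lines in a simple key=value form (not output from a real tool).
# PIDs 8392 (sample) and 8760 (svchost) follow the analysis above; PID 4100 is a benign control.
TRACE = """\
pid=8392 api=NtCreateUserProcess target=8760 image=C:\\Windows\\System32\\svchost.exe flags=CREATE_SUSPENDED
pid=8392 api=NtCreateSection size=0x11e8
pid=8392 api=NtMapViewOfSection target=8392 base=0x2f0000
pid=8392 api=NtMapViewOfSection target=8760 base=0x110000
pid=8392 api=NtWriteVirtualMemory target=8760 base=0x325000
pid=8392 api=NtUnmapViewOfSection target=8392 base=0x2f0000
pid=8392 api=NtResumeThread target=8760
pid=8392 api=NtTerminateProcess target=8392
pid=4100 api=NtMapViewOfSection target=4100 base=0x7ff000
pid=4100 api=NtWriteVirtualMemory target=4100 base=0x400000
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

# Which stage of the hollowing sequence each API represents (self-directed calls are ignored)
STAGES = {
    "NtCreateUserProcess": "spawn",
    "NtMapViewOfSection": "inject",
    "NtWriteVirtualMemory": "inject",
    "NtResumeThread": "resume",
}

def detect_hollowing(trace: str) -> list:
    """Flag (parent, child) pairs where a suspended child is injected into and then resumed."""
    seen = defaultdict(set)          # (parent_pid, child_pid) -> stages observed so far
    images = {}                      # (parent_pid, child_pid) -> image path of the spawned child
    findings = []
    for line in trace.splitlines():
        ev = dict(KV_RE.findall(line))
        pid, target = ev.get("pid"), ev.get("target")
        stage = STAGES.get(ev.get("api", ""))
        if stage is None or target is None or target == pid:
            continue                 # not part of the pattern, or a process touching its own memory
        key = (pid, target)
        if stage == "spawn":
            if "SUSPENDED" not in ev.get("flags", ""):
                continue             # a normally started child is not a hollowing candidate
            images[key] = ev.get("image", "?")
        seen[key].add(stage)
        if stage == "resume" and {"spawn", "inject"} <= seen[key]:
            findings.append({"parent": pid, "child": target, "image": images[key]})
    return findings
```

Calling `detect_hollowing(TRACE)` returns one finding for parent 8392 and child 8760; the self-directed mapping and write by PID 4100 produce nothing, since a process touching its own memory is normal.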
Dynamic String Analysis: IOC Extraction


This error code is an evasion technique used to evade user suspicion.

The HTTP regex strings are used by the botnet for C2C communication.

The XML request format used by the sample: each component holds information that is sent to the C2C server.

The sample scans the environment for analysis tool names and includes them in the XML <src></src> element sent to the C2C.

Every time this sample attempts to communicate with the C2C server, it enumerates the keys found under HKEY_CURRENT_USER, decrypts the values and compares them to “You Fag!!!!!”. If a value matches, the data after the string “You Fag!!!!!” is interpreted as an in_addr structure.

This is the RSA public key certificate used to encrypt data before sending it over a secure shell.
Threat Intelligence

It appears that the C2C server address is encoded as a reversed domain name, where the IP is 142.4.60.242, which VirusTotal has flagged as malicious with various community confirmations. Multiple IP addresses have been found with the help of Process Monitor.

A majority of the C2C proxies match those seen in Process Monitor, which leads to a direct match with the Kuluoz botnet: Win.Worm.Kuluoz-9959792-0.
Feel free to reach out for IDAPro analysis of this sample and additional cases.