Pierluigi Paganini February 12, 2019

Cybaze-Yoroi ZLAB revealed interesting a hidden connection between the AZORult toolkit and specific Gootkit payload.

Introduction

In the last days, a huge attack campaign hit several organizations across the Italian cyberspace, as stated on bulletin N020219 the attack waves tried to impersonate legit communication from a known Express Courier. However, a deeper analysis by Cybaze-Yoroi ZLAB revealed interesting hidden aspects, spotting a connection between the AZORult toolkit and a particular Gootkitpayload.

Technical analysis

Stage 1 – The Attached Javascript

Most of the infection attempts started with a particular email attachment: a compressed archive containing stealthy JavaScript code, most of the times able to avoid antivirus detection during the initial stages of the attack campaigns.

Table 1:  Generic information about malicious js file

This JS file is an obfuscated dropper with the purpose to download another component from a “safe” remote location:

It contacts two distinct servers, googodsgld.]com and driverconnectsearch.]info. The behaviour of this sort of JavaScript stager is as essential as interesting: it downloads other executable code able to virtually do anything the attacker wants. This kind of pattern and the simplicity of the code itself remotely resemble the Brushaloader threat, a known dropper/stager written in VBScript and contacting its remote infrastructures in a similar manner. We can hypothesize that the malware writers may have emulated the Brushaloader stager functionalities, creating a sort of custom version exploiting the same mechanism.

After the first contact attempt to googodsgld[.]com, the script communicates with the other destination and retrieves a Cabinet Archive encoded within the chunk of executable javascript code returned by driverconnectsearch[.]info. Then it stores it in “%APPDATA%\Local\Temp\”.  

As shown in Figure 3,  the first characters of the encoded payload string are “TVNDRg” which translates to “MSCF”: standard header of the Microsoft Cabinet compressed file format.

Stage 2 – The Cabinet

Actually, this .CAB archive is just a shell for a PE32 executable file: 

Table 2:  Generic information about RuntimeBroker5.exe (AZORult)

Executing the RuntimeBroker5.exe sample, seems it behaves as another dropper: it downloads two other components from the remote server “hairpd[.]com”.

The sample file actually does not perform only this downlaod. Here one of the key point of the article: it also establishes a communication channel with the AZORult C2 host “ssl.]admin.]itybuy.]it”.

The network packet exchanged with the server confirms this identification due to the known communication patterns and the dynamic analysis also shows info-stealing behaviours compatible with the identified threat. 

As shown in the following figure, the written files in “%APPDATA%\Local\Temp\” path closely match AZORult analysis described by Unit42 research group.

During the dynamic analysis, the RuntimeBroker5.exe sample received a sort of configuration file from the C2 server. We extracted it from the running malware image and decoded it:

1. firefox.exe
2. SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\
3. SOFTWARE\Mozilla\Mozilla Firefox
4. SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command
5. SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
6. %appdata%\Mozilla\Firefox\Profiles\
7. MozillaFireFox
8. CurrentVersion
9. Install_Directory
10. nss3.dll
11. thunderbird.exe
12. SOFTWARE\Wow6432Node\Mozilla\Mozilla Thunderbird\
13. SOFTWARE\Mozilla\Mozilla Thunderbird
14. SOFTWARE\Classes\ThunderbirdEML\DefaultIcon
15. %appdata%\Thunderbird\Profiles\
16. ThunderBird
17. SELECT host, path, isSecure, expiry, name, value FROM moz_cookies
18. SELECT fieldname, value FROM moz_formhistory
19. NSS_Init
20. PK11_GetInternalKeySlot
21. PK11_Authenticate
22. PK11SDR_Decrypt
23. NSS_Shutdown
24. PK11_FreeSlot
25. logins.json
26. logins
27. hostname
28. timesUsed
29. encryptedUsername
30. encryptedPassword
31. cookies.sqlite
32. formhistory.sqlite
33. %LOCALAPPDATA%\Google\Chrome\User Data\
34. %LOCALAPPDATA%\Google\Chrome SxS\User Data\
35. %LOCALAPPDATA%\Xpom\User Data\
36. %LOCALAPPDATA%\Yandex\YandexBrowser\User Data\
37. %LOCALAPPDATA%\Comodo\Dragon\User Data\
38. %LOCALAPPDATA%\Amigo\User Data\
39. %LOCALAPPDATA%\Orbitum\User Data\
40. %LOCALAPPDATA%\Bromium\User Data\
41. %LOCALAPPDATA%\Chromium\User Data\
42. %LOCALAPPDATA%\Nichrome\User Data\
43. %LOCALAPPDATA%\RockMelt\User Data\
44. %LOCALAPPDATA%\360Browser\Browser\User Data\
45. %LOCALAPPDATA%\Vivaldi\User Data\
46. %APPDATA%\Opera Software\
47. %LOCALAPPDATA%\Go!\User Data\
48. %LOCALAPPDATA%\Sputnik\Sputnik\User Data\
49. %LOCALAPPDATA%\Kometa\User Data\
50. %LOCALAPPDATA%\uCozMedia\Uran\User Data\
51. %LOCALAPPDATA%\QIP Surf\User Data\
52. %LOCALAPPDATA%\Epic Privacy Browser\User Data\
53. %APPDATA%\brave\
54. %LOCALAPPDATA%\CocCoc\Browser\User Data\
55. %LOCALAPPDATA%\CentBrowser\User Data\
56. %LOCALAPPDATA%\7Star\7Star\User Data\
57. %LOCALAPPDATA%\Elements Browser\User Data\
58. %LOCALAPPDATA%\TorBro\Profile\
59. %LOCALAPPDATA%\Suhba\User Data\
60. %LOCALAPPDATA%\Safer Technologies\Secure Browser\User Data\
61. %LOCALAPPDATA%\Rafotech\Mustang\User Data\
62. %LOCALAPPDATA%\Superbird\User Data\
63. %LOCALAPPDATA%\Chedot\User Data\
64. %LOCALAPPDATA%\Torch\User Data\
65. GoogleChrome
66. GoogleChrome64
67. InternetMailRu
68. YandexBrowser
69. ComodoDragon
70. Amigo
71. Orbitum
72. Bromium
73. Chromium
74. Nichrome
75. RockMelt
76. 360Browser
77. Vivaldi
78. Opera
79. GoBrowser
80. Sputnik
81. Kometa
82. Uran
83. QIPSurf
84. Epic
85. Brave
86. CocCoc
87. CentBrowser
88. 7Star
89. ElementsBrowser
90. TorBro
91. Suhba
92. SaferBrowser
93. Mustang
94. Superbird
95. Chedot
96. Torch
97. Login Data
98. Web Data
99. SELECT origin_url, username_value, password_value FROM logins
100. SELECT host_key, name, encrypted_value, value, path, secure, (expires_utc/1000000)-11644473600 FROM cookies
101. SELECT host_key, name, name, value, path, secure, expires_utc FROM cookies
102. SELECT name, value FROM autofill
103. SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted value FROM credit_cards
104. %APPDATA%\Microsoft\Windows\Cookies\
105. %APPDATA%\Microsoft\Windows\Cookies\Low\
106. %LOCALAPPDATA%\Microsoft\Windows\INetCache\
107. %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCookies\
108. %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\
109. %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\
110. %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies\
111. InternetExplorer
112. InternetExplorerLow
113. InternetExplorerINetCache
114. MicrosoftEdge_AC_INetCookies
115. MicrosoftEdge_AC_001
116. MicrosoftEdge_AC_002
117. MicrosoftEdge_AC
118. Software\Microsoft\Internet Explorer
119. Software\Microsoft\Internet Explorer\IntelliForms\Storage2
120. Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
121. Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
122. Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
123. POP3
124. IMAP
125. SMTP
126. HTTP
127. %appdata%\Waterfox\Profiles\
128. Waterfox
129. %appdata%\Comodo\IceDragon\Profiles\
130. IceDragon
131. %appdata%\8pecxstudios\Cyberfox\Profiles\
132. Cyberfox
133. sqlite3_open
134. sqlite3_close
135. sqlite3_prepare_v2
136. sqlite3_step
137. sqlite3_column_text
138. sqlite3_column_bytes
139. sqlite3_finalize
140. %APPDATA%\filezilla\recentservers.xml
141. <RecentServers>
142. </RecentServers>
143. <Server>
144. </Server>
145. <Host>
146. </Host>
147. <Port>
148. </Port>
149. <User>
150. </User>
151. <Pass>
152. </Pass>
153. <Pass encoding=”base64″>
154. FileZilla
155. ole32.dll
156. CLSIDFromString
157. {4BF4C442-9B8A-41A0-B380-DD4A704DDB28}
158. {3CCD5499-87A8-4B10-A215-608888DD3B55}
159. vaultcli.dll
160. VaultOpenVault
161. VaultEnumerateItems
162. VaultGetItem
163. MicrosoftEdge
164. Browsers\AutoComplete
165. CookieList.txt
166. SELECT host_key, name, encrypted_value, value, path, is_secure, (expires_utc/1000000)-11644473600 FROM cookies
167. %appdata%\Moonchild Productions\Pale Moon\Profiles\
168. PaleMoon
169. %appdata%\Electrum\wallets\
170. \Electrum
171. %appdata%\Electrum-LTC\wallets\
172. \Electrum-LTC
173. %appdata%\ElectrumG\wallets\
174. \ElectrumG
175. %appdata%\Electrum-btcp\wallets\
176. \Electrum-btcp
177. %APPDATA%\Ethereum\keystore\
178. \Ethereum
179. %APPDATA%\Exodus\
180. \Exodus
181. \Exodus Eden
182. *.json,*.seco
183. %APPDATA%\Jaxx\Local Storage\
184. \Jaxx\Local Storage\
185. %APPDATA%\MultiBitHD\
186. \MultiBitHD
187. mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml
188. .wallet
189. wallets\.wallet
190. wallet.dat
191. wallets\wallet.dat
192. electrum.dat
193. wallets\electrum.dat
194. Software\monero-project\monero-core
195. wallet_path
196. Bitcoin\Bitcoin-Qt
197. BitcoinGold\BitcoinGold-Qt
198. BitCore\BitCore-Qt
199. Litecoin\Litecoin-Qt
200. BitcoinABC\BitcoinABC-Qt
201. %APPDATA%\Exodus Eden\
202. %Appdata%\Psi+\profiles\
203. %Appdata%\Psi\profiles\
204. <roster-cache>
205. </roster-cache>
206. <jid type=”QString”>
207. <password type=”QString”>
208. </password>

Table 3: AZORult Configuration file

The multiple references to Browser Cookies and CryptoWallets confirms the “RuntimeBroker5.exe” sample, initially hidden into the cabilet archive,  is an AZORult variant.

Stage 3 – The Payload

The other file download from hairpd[.]com by AZORult’s sample is another executable PE32.

Table 4:  Generic information about sputik.exe (Gootkit)

The “sputik.exe” uses a set of evasion techniques to avoid the monitoring of the process, such as invoking the “UuidCreateSequential” API to detect the usage of typical virtual machine’s MAC addresses, but this technique can be easily bypassed by spoofing a real network card one.

Bypassing all the evasion techniques reveals the nature of the payload: a Gootkit malware implant.

By instrumenting the execution of the implant, we were able to extract part of the JavaScript code of the malware. The Gootkit implant counts several modules written on top of NodeJS technology embedded into the PE file, revealing part of the implant code.

In the past years, Gootkit source code have been leaked online and part of it is also available on the Github platform. This way we were able to investigate differences between the extracted snippets and the known, previously leaked, malware version.

As general consideration, we noticed a lot of similarities between the codes, they are perfectly compatible, but few differences holds. For instance private keys and certificates have been modified, showing the malware author choose a stronger key.

Table 5:  Certificate comparison 
(New on the left, known/leaked on the right)

Conclusion

These attack waves targeting italian organization and users revealed interesting connections between two threats we was used to monitor and detect across both the InfoSec community and the CERT-Yoroi’s constituency, revealing a hidden link connecting this particular AZORult instance and with the Gootkit implant.

Also, the analysis pointed to an evolution of the dropping techniques used in the initial stages of the attacks by cyber-criminals, showing how the usage of extremely flexible stagers written in high level languages, JavaScript in this case, is becoming more popular and needs to be carefully monitored.

Further details, including Indicators of Compromise (IoCs), are reported in the analysis published on the Yoroi Blog.

Pierluigi Paganini

(SecurityAffairs – AZORult, gootkit)

[adrotate banner=”5″] [adrotate banner=”13″]