Malware Analysis VOL 02 : Unveiling ninja techniques in persistence strategies

EXECUTIVE SUMMARY

The analyzed malware showcases sophisticated tactics aimed at targeting both Windows Media Management and smart card systems, indicating potential implications for a diverse array of industries, with a particular focus on financial institutions. This adaptability is underscored by the malware’s dynamic adjustment of persistence mechanisms in response to system configurations. Through strategic manipulation of registries and service creation, the malware establishes a formidable presence within critical system components, bolstering its capacity for covert operation.

To effectively mitigate this threat, organizations must implement comprehensive cybersecurity measures, including routine system monitoring and proactive defense strategies tailored to the malware’s targeting preferences. Additionally, collaborative efforts among industry stakeholders are crucial for staying abreast of emerging threats and sharing intelligence to enhance collective resilience. By adhering to best practices for cyber hygiene and fostering a culture of security awareness, organizations can effectively counter evolving threats like the analyzed malware and safeguard critical assets from compromise.

NORTH KOREAN – IN

MEMORY OPERATIONS

UNVEILING NINJA TECHNIQUES IN PERSISTENCE STRATEGIES

OVERVIEW

This particular malware instance has been associated with a North Korean Advanced Persistent Threat (APT) group. Classified as a dropper, its primary function is to facilitate the deployment of a secondary payload onto the victim’s machine. In this case, the dropper is engineered to deliver a self-propagating SMB (Server Message Block) worm, indicative of the sophisticated tactics employed by the threat actor. Such malware instances underscore the persistent and evolving nature of cyber threats originating from nation-state actors, necessitating heightened vigilance and robust cybersecurity measures to mitigate potential risks effectively.

Utilizing Schtasks.exe presents an avenue for creating services within the Windows operating system. However, the creation of such services requires administrative privileges, necessitating an initial escalation of privileges by the malware. This strategic approach underscores the sophisticated nature of the malware’s persistence mechanism, as it seeks to elevate privileges to establish a foothold within the compromised system. By exploiting vulnerabilities and employing privilege escalation techniques, the malware aims to bypass security barriers and establish a lasting presence, posing a significant threat to system integrity and data security. Understanding and mitigating such tactics is imperative for cybersecurity professionals to effectively defend against advanced threats and safeguard critical assets.

TECHNICAL ANALYSIS

Through meticulous triage of an infected victim’s machine, the analyst successfully acquired a sample of this malware. This proactive approach underscores the analyst’s commitment to thorough investigation and rapid response in identifying and containing security incidents. By obtaining a sample of the malware, the analyst gains valuable insights into its behavior and functionality, enabling further analysis and the development of effective mitigation strategies. This incident highlights the importance of robust incident response procedures and continuous monitoring practices in detecting and responding to emerging cyber threats.

The malware’s entry point initiates with a conventional entry point, followed by a call to the `DialogFunc` argument from the `DialogBoxParamA` function. This strategic choice in code execution indicates a deliberate approach by the malware to leverage Windows API functions for its operation. By invoking `DialogBoxParamA`, the malware potentially aims to present a dialog box to the user interface, disguising its malicious activities under the guise of legitimate user interaction. This sophisticated tactic underscores the malware’s intent to evade detection and exploit user trust, emphasizing the importance of thorough analysis and proactive defense measures in mitigating its impact.

The analyst conducted a thorough decompilation of the specified function, confirming the accuracy of the earlier assertion. This validation underscores the rigorous methodology employed in the analysis, ensuring the integrity of conclusions regarding the malware’s actions. By corroborating initial findings through detailed code examination, the analyst strengthens comprehension of the malware’s operational patterns and functionalities. Such meticulous validation bolsters the credibility of the analysis outcomes, aiding in the formulation of effective mitigation strategies against the identified threat.

Upon selecting the `DialogFunc`, the analyst navigated to a section containing the disassembly of the DialogBox functions. Within this context, only one subroutine was accessible to the analyst. However, upon accessing this subroutine, it became apparent that it redirected to an entirely distinct set of subroutines and functionalities. This observation suggests a layered and obfuscated structure within the malware’s codebase, with redirection serving as a mechanism to conceal deeper layers of functionality.

Upon entering the subroutine, the analyst encountered functions associated with the Windows Service Manager. This discovery indicates the malware’s involvement in activities related to service management within the Windows environment. Such functions suggest a strategic focus on manipulating system services, potentially for persistence, privilege escalation, or other malicious activities. Understanding the malware’s interaction with core system components like the Service Manager is essential for comprehending its operational scope and potential impact on compromised systems.

The strings presented above are unencrypted, indicating a lack of concealment measures. Given that this data is structured as a stack, it should be interpreted from bottom to top. Notably, the utilization of the `OpenSCManager` function facilitates the opening of the Service Manager in the Windows operating system. Subsequently, the DLLs shown above are used to create a service within the system. This strategic sequence of actions suggests an orchestrated attempt by the malware to manipulate system services, potentially for the purposes of persistence, privilege escalation, or other malicious endeavors. Understanding the precise functionalities and interactions involved is critical in assessing the severity of the threat and formulating effective mitigation strategies.

Examining the WINAPI structure through Microsoft documentation, the analyst gains in-depth insights into the architecture and functionality of Windows APIs. This methodical review offers a thorough understanding of available functions, their parameters, and their intended usage within the Windows environment. By consulting authoritative sources like Microsoft documentation, cybersecurity experts can adeptly navigate the complexities of Windows API calls, facilitating more informed analyses of malicious code and proactive defense measures against cyber threats.

The function arguments mentioned above are discernible within the disassembled code. This observation underscores the meticulous examination of code structures undertaken by analysts, enabling them to identify and interpret critical parameters and their corresponding functions. By scrutinizing the disassembled code, cybersecurity professionals gain valuable insights into the interactions and behaviors of the analyzed software or malware. This process aids in deciphering the functionality and intent behind various code segments.

The provided image illustrates a conditional jump operation, indicating the malware’s process of opening a service using the `OpenServiceA` WINAPI function and creating a service named `Rpcss` by establishing a handle to the Service Control Manager (SCManager). This sequence suggests that if the malware successfully locates and accesses the `OpenSCManager`, it proceeds with the subsequent steps to create the specified service. Such insights gleaned from code analysis offer valuable understanding into the malware’s operational logic and potential objectives, aiding cybersecurity analysts in devising effective strategies to mitigate its impact on compromised systems.

In this instance, the code features another conditional jump operation. If the malware successfully opens and creates the service, it proceeds to close the handle established earlier using the `CloseServiceHandle` function. Notably, the function `SCardPrv` within this context is associated with smart cards, as evidenced by its utilization as the service name. This observation underscores malware’s potential involvement in activities related to smart-card services. Analyzing such details within the code provides cybersecurity analysts with valuable insights into the malware’s specific functionalities and potential objectives. This nuanced understanding facilitates the development of targeted mitigation strategies to counteract the threat effectively.

The image above illustrates a series of combinational jumps within the code. Upon investigation, the analyst discovered that if the service fails to open, the malware proceeds to query its status using the `QueryServiceStatus` WINAPI function. Subsequently, upon identifying the status, it engages in a comparison function involving the current service status represented by `ServiceStatus.dwCurrentState`. Initially, the significance of the value “4” was unclear. To clarify, the analyst generated pseudocode and consulted the ENUMS of the value. As this pertains to service status, the analyst confirmed that the value corresponds to “SERVICE_RUNNING” in the enum list. This systematic approach underscores the rigorous examination of code structures undertaken by analysts to comprehend the malware’s actions accurately. Such insights contribute to a thorough understanding of the threat landscape, facilitating the development of effective mitigation strategies.

Following the service status verification and handle closure, the analyst observed the malware actively seeking a particular resource. This entails verifying the size of the resource file and subsequently creating a file utilizing the `CreateFileA` WINAPI function. Subsequently, the malware proceeds to copy the resource into the allocated buffer, employing the `memcpy` function. This sequence of actions indicates a strategic attempt by malware to acquire and manipulate specific resources within the compromised system. Such observations underscore the malware’s advanced capabilities and highlight the necessity for thorough analysis to discern its intended objectives and potential impact on the system.

Upon scrolling through the pseudocode, the analyst identified the entry point or the pivotal moment where the malware establishes persistence within the system. This critical juncture commences with the creation of a service utilizing the `CreateServiceA` WINAPI function. This strategic maneuver underscores the malware’s intent to maintain a lasting presence within the compromised system, a fundamental aspect of its malicious objectives. By creating a service, the malware ensures its ability to execute autonomously and evade detection, thereby exacerbating the potential risks posed to system integrity and data security. Understanding and mitigating such persistence mechanisms is crucial in effectively combating advanced cyber threats and safeguarding organizational assets.

The service named `Wmmvsvc` is not only identified by this designation but is also accompanied by the descriptive label “Windows Media Management Driver Extensions.” This comprehensive description sheds light on the intended functionality or purpose of the service within the system. Such clarity in service nomenclature and description provides valuable contextual information for cybersecurity analysts, aiding in the understanding of the malware’s targeting preferences and potential impact on system operations. This meticulous documentation underscores the need for thorough examination of all elements associated with the malware, enabling comprehensive threat assessment and informed decision-making in devising mitigation strategies.

Within the newly identified function, one of the arguments referenced is `aSystemrootSyst_1`. This parameter is instrumental in the execution of the `Windows Media Management` service through the `svchost.exe` process. Such insight into the function’s arguments sheds light on the underlying mechanisms employed by the malware to interact with system processes and services. Understanding these intricate details is essential for cybersecurity analysts, as it facilitates the comprehension of the malware’s behavior and aids in the formulation of targeted mitigation strategies to counteract its impact on compromised systems.

The subsequent notable function identified is referred to as `ChangeServiceConfig2A`, which serves the purpose of altering the configuration of the malware during its execution. This function enables dynamic adjustments to be made to the malware’s operational parameters, potentially allowing for adaptation to changing circumstances or the implementation of additional functionalities. The ability to modify configurations in real-time underscores the malware’s sophistication and agility, presenting challenges for detection and mitigation efforts. Consequently, comprehending the intricacies of this function is paramount for cybersecurity analysts, as it provides insights into the malware’s capabilities and facilitates the development of effective countermeasures to mitigate its impact on affected systems.

 

” A handle to the service. This handle is returned by the `OpenService` or `CreateService` function and must have the SERVICE_CHANGE_CONFIG access right”

 – MSDN-

In the depicted image, the malware initiates the process of accessing a registry hive located at `SYSTEM\CurrentControlSet\Services\Wmmvsvc` utilizing the `RegOpenKeyExA` WINAPI function. Upon successful access to this registry hive, the malware proceeds to create a registry key by assigning a handle to the key. This strategic manipulation of the Windows registry underscores the malware’s intent to establish persistence and manipulate system configurations to ensure its continued operation. Understanding these registry interactions is crucial for cybersecurity analysts, as they provide valuable insights into the malware’s persistence mechanisms and potential avenues for mitigation.

The malware proceeds to set a registry key value named `ServiceDLL`, directing it to the path of the dropped DLL file. This strategic action indicates the malware’s intent to establish a linkage between the registry key and the DLL file, potentially facilitating its execution and integration into the compromised system. Such manipulation of registry values underscores the malware’s sophisticated persistence mechanisms and highlights its ability to manipulate system configurations for its own malicious purposes. Understanding these registry modifications is essential for cybersecurity analysts, as it provides critical insights into the malware’s behavior and aids in the development of effective mitigation strategies.

SECOND TYPE PERSISTENCE FILE An intriguing characteristic of this malware lies in its utilization of two distinct types of files to create services, tailored to specific system components. The first type of file is designed to target the Windows Media Manager, while the second type is intended for systems incorporating smart card functionalities. This dual-file approach underscores the malware’s adaptability and sophistication, as it tailors its tactics to exploit vulnerabilities or functionalities inherent to different system components. Such versatility in targeting disparate system elements poses challenges for detection and mitigation efforts, highlighting the need for comprehensive cybersecurity measures to safeguard against evolving threats of this nature.

This pivotal jump condition represents a critical juncture in the persistence section of the malware. In the event of unsuccessful file creation, the malware dynamically shifts its strategy to establish a smart card persistence mechanism. This adaptive behavior underscores the malware’s resilience and determination to maintain a foothold within the compromised system. By diversifying its persistence tactics, the malware enhances its chances of evading detection and maintaining long-term access. Understanding and mitigating such adaptive strategies is imperative for cybersecurity professionals in effectively countering the threat posed by this malware.

Similar to the functionality employed for the Windows Media Management Service, this section of the malware utilizes the `OpenSCManagerA` WINAPI to access the Service Control Manager and modify the malware’s configuration. However, a notable distinction in this function lies in the inclusion of `DisplayName` and `BinaryPathName` parameters. These additions indicate the malware’s intention to customize the display name and executable path associated with the created service. This nuanced adjustment underscores the malware’s adaptability and sophistication in tailoring its persistence mechanisms to specific system components. Understanding these intricacies is essential for cybersecurity analysts, as it provides valuable insights into the malware’s capabilities and facilitates the development of targeted mitigation strategies.

This segment of the malware appears to leverage the SmartCard Protector service. This choice of target suggests a deliberate focus on exploiting security features related to smart card functionalities within the compromised system. By targeting such a service, the malware may seek to manipulate or bypass authentication mechanisms associated with smart card authentication, potentially compromising system integrity and data confidentiality. Understanding the malware’s utilization of the SmartCard Protector service is crucial for cybersecurity analysts, as it provides insights into the specific avenues of attack employed by the threat actor and informs the development of effective mitigation strategies tailored to this aspect of the malware’s behavior.

The discovery of these strings within specific parameter offsets suggests a potential targeting of financial institutions by the malware. Given that such organizations commonly utilize smart card readers as part of their security infrastructure, the presence of strings related to smart card functionalities hints at the malware’s tailored focus on compromising systems within the financial sector. This targeted approach underscores the threat actor’s strategic objectives and highlights the potential severity of the threat posed to financial institutions’ security and operations. Understanding the malware’s targeting preferences is critical for cybersecurity analysts, as it enables the implementation of proactive measures to protect against specific threats and vulnerabilities inherent to the financial sector.

Subsequently, the malware proceeds to establish the service by depositing the smartcard DLL into the `SVCHOST` registry Hive. This strategic maneuver underscores the malware’s intent to embed itself within the system’s core processes, leveraging the `SVCHOST` registry Hive as a pivotal point for execution. By infiltrating this critical system component, the malware enhances its ability to operate stealthily and persistently, posing a formidable challenge to detection and mitigation efforts. Understanding this deployment tactic is crucial for cybersecurity analysts, as it provides valuable insights into the malware’s persistence mechanisms and facilitates the development of effective countermeasures to mitigate its impact on compromised systems.

CONCLUSION

In conclusion, the analysis of the malware discussed reveals a sophisticated threat targeting both Windows Media Management and smart card systems, suggesting a potentially broad scope of targeted industries, including financial institutions. The malware exhibits adaptive behavior, dynamically adjusting its persistence mechanisms based on system configurations. By leveraging registry manipulation and service creation, the malware establishes a foothold within critical system components, posing significant risks to system integrity and data security. To mitigate this threat effectively, organizations must employ comprehensive cybersecurity measures, including regular system monitoring, threat intelligence integration, and proactive defense strategies tailored to the malware’s targeting preferences. Additionally, collaboration among industry stakeholders and adherence to best practices for cyber hygiene are essential to effectively combatting evolving threats of this nature.

~ Author : Nathaneal Meththananda ~

Share this post :