Last year, the security industry was plagued by a series of APT reports, which included the “Nitro Attack”. The backdoor used here is known as PoisonIvy or BKDR_POISON. Its builder is available online. Security vendors have then taken measures to counter this threat to help customers battle against similar infections in the future. However, a recent discovery of the downloader’s stealth mechanism proved that the fight is not yet over.
We thought that there was nothing much to see when we looked at the downloader’s sample at first glance. It’s a VB-compiled executable file which does nothing but perform an HTTP GET request to an HTML page.
When accessed using via a browser it looks like a harmless web page until you decode it.
As pointed out by Microsoft, this downloader turns out to be different from others. Instead of downloading another binary to execute, it merely executes the downloaded code in the harmless-looking file’s context. To do this, the malware converts it to functional code, then executes it via DllFunctionCall.
The executed shellcode is actually a variant of the BKDR_POISON malware family which was used in a number of targeted attacks last year.
A Brief Background on BKDR_POISON
Also known as PoisonIvy, the BKDR_POISON family has been rampant for years. This could be attributed to the fact that its builder is easy to use and is freely available for download from their website. Its auto-start mechanism, as well as the mutex and file names of the malware copy is configurable via the builder, so each generated sample does not necessarily have exactly the same behaviors.
Its backdoor functionalities include keylogging, monitoring audio/video, capturing screenshots, managing processes and services, accessing or uploading files, and many more. In other words, it basically gives the person on the client side full access of the infected system.
Integrating BKDR_POISON with another malware is easy, since the backdoor’s builder gives the user an option to generate the shellcode instead of an entire executable file.
In the case of the downloader we mentioned above, once it executes BKDR_POISON’s shellcode, it inherits the backdoor’s behaviors as a result.
As opposed to downloaded binary files that can be detected and analyzed independently, a shellcode needs to be analyzed with the executable file which inherits its behaviors. If security researchers don’t get the right pair of shellcode and executable (e.g., if the executable file is hidden or encrypted), then the shellcode might be left undetected.
According to Threat Research Manager Jamz Yaneza, another difference between the two files is the way they are executed. “The Poison Ivy builder outputs either: a Windows executable binary, or a Windows shellcode. The only difference between the two outputs is that the shellcode version needs to be injected directly into memory using a separate process (ex. via an exploit) versus having it activated using the regular file execution flow of a full binary file.”
He also added that “because shellcode does not require a full file download, it can instead be used directly in an attack, and can even sport some of the usual obfuscation tricks used in a full executable format such as encryption — all of this in memory and bypassing many of the more traditional file-based scanners.”
BKDR_POISON Poses A Bigger Risk In the Future
Here’s what we know so far about the downloader:
- It accesses a plain text file from a certain URL which contains shellcode. This is then converted by the downloader to become a functional code
- Shellcode is NOT saved
- Trojan downloader executes the malicious code
Here’s what we know about BKDR_POISON:
- It is easy to integrate with other threats
- It has backdoor functionalities that have been used in targeted attacks in the past
With the downloader’s dynamic behaviors and the fact that it is still currently in its simple version, cybercriminals may still improve on it and turn it into something more problematic. Mixing it with BKDR_POISON, which we know is notorious for being related to targeted attacks, could pose challenges for the security researchers’ side. Here are some of the possible scenarios which could make this combination a noteworthy threat:
Scenario 1: If HTML is encrypted or shellcode is hidden in pictures, such as in steganography. From a threat analyst point-of-view, a security researcher might find the URL as unnecessary as it only points to a picture. By not blocking the said URL, users are left unprotected. In fact, steganography was actually already used by TDL4.
Simply encrypting the shellcode itself may give this malware a greater chance of making analysis harder. If the decryption routine is placed in the downloader, then a security researcher will not be able to analyze the shellcode without a copy of the downloader.
This technique is already being done by cybercriminals in ZBOT. ZBOT’s configuration files are encrypted and can only be analyzed properly if done so with its corresponding binary file.
Scenario 2: Server side checks user IP address or location which returns different payloads depending on the location. In a situation that an infected user is in China and the malware analyst is from the US, they could end up getting different shellcodes. The analysis would not match with infection, making it difficult to clean a system if the user and analyst yields two types of infection chains. For example, if they see that the malware is accessing the URL via Trend Micro’s IP, the malware may not reveal its actual payload.
Scenario 3: The customer is already infected, but the related URL becomes inaccessible. The threat analyst may end up having no idea what really happened since the shellcode is no longer available. This type of downloader may keep us in the dark.
Surely, there are still ways to get around these routines, but doing so may not be easy. The fact that the downloaded binary is NOT saved as a physical file makes it even more challenging. However, using technology such as reputation and cloud can definitely help remedy this situation. Trend Micro users are protected via the Smart Protection Network™ with Web Reputation Technology which blocks malicious URLs. File Reputation Technology detects the related malicious file BKDR_POISONDLD.A