I recently obtained a PoisonIvy sample which uses a legitimate application in an effort to stay under the radar.

In this case, the PoisonIvy variant detected as BKDR_POISON.BTA (named as newdev.dll) took advantage of a technique known as a DLL preloading attack (aka binary planting) instead of exploiting previously known techniques. The malware was located in the same folder as the legitimate application, vnetlib.exe (VMware Network Install Library Executable). Executing vnetlib.exe automatically loads BKDR_POISON.BTA instead of the legitimate newdev.dll, or Add Hardware Device Library located in the %System% folder. Once the malware loads, it creates a registry entry which enables automatic execution of vnetlib.exe at every startup. BKDR_POISON.BTA then launches a hidden web browser process (iexplore.exe) into which it injects its code. The said code contains its backdoor routines which aids in bypassing firewalls.

We also observed that the number of export functions of BKDR_POISON.BTA differ from the number of export functions of the legitimate newdev.dll. This is probably because BKDR_POISON.BTA only needed to export the function that vnetlib.exe imports.

Figure 1. Exported functions of BKDR_POISON.BTA newdev.dll (L) versus the legitimate newdev.dll (R)

Figure 2. Functions vnetlib.exe imported from newdev.dll

A New Technique? Not Really.

The usage of DLL preloading, per se, is not new. This technique is known to be utilized by PlugX, which is why its usage by PoisonIvy is notable.

In our previous post we concluded that the cybercriminals behind PoisonIvy and PlugX campaigns are somehow related. This might mean that the cybercriminals are gearing toward using the DLL preloading technique for future variants. They might have observed that using the DLL for the PlugX successfully kept their malicious activities hidden.

There was a previous instance where PoisonIvy samples used the DLL preloading aka binary planting technique. The sample arrived as an attached archived file in spear phishing emails sent to a Japanese organization. The archived file’s content is a normal document file and a DLL file named imeshare.dll, detected by Trend Micro as BKDR_POISON.DMI (Note that there is a legitimate DLL named imeshare.dll located in the %System% folder). Opening the normal document file will trigger BKDR_POISON.DMI to load via DLL preloading.

Since PoisonIvy is stable and have been in the wild for several years, it’s highly likely that they decided reuse the DLL preloading technique in their campaigns but simply changed its infection vector to avoid detection. Though these efforts to evade anti-malware scanning are not in itself groundbreaking, this development in PoisonIvy supports our prediction that conventional malware threats will only gradually evolve, with few, if any; new threats and attacks that will become more sophisticated in terms of deployment.

Trend Micro users are protected by the Smart Protection Network. In particular, file reputation service detects and deletes Poison Ivy (BKDR_POISON) and PlugX (BKDR_PLUGX and TROJ_PLUGX) variants.

Last year, we reported about PlugX a breed of Remote Access Trojan (RAT) used in certain high-profile APT campaigns. We also noted some of its noteworthy techniques, which include its capability to hide its malicious codes by decrypting and loading a backdoor “executable file” directly into memory, without the need to drop the actual “executable file”.

Recently, we uncovered a RAT using the same technique. The new sample detected by Trend Micro as BKDR_RARSTONE.A is similar (but not) PlugX, as it directly loads a backdoor “file” in memory without dropping any “file”. However, as we proceeded with our analysis, we found that BKDR_RARSTONE has some tricks of its own.

We obtained the sample through a spear phishing email that contains a specially-crafted .DOC file (detected as TROJ_ARTIEF.NTZ). This Trojan drops and executes BKDR_RARSTONE.A, which in turn drops the following files:

• %System%\ymsgr_tray.exe – copy of BKDR_RARSTONE.A
• %Application Data%\profile.dat – blob file containing malware routines

BKDR_RARSTONE.A then executes the dropped copy ymsgr_tray.exe. This backdoor then opens a hidden Internet Explorer process, in which it injects the codes contained in profile.dat.

As with PlugX, the injected code decrypts itself in memory. Once decrypted it “downloads” a .DLL file from its C&C server and again loads it in the memory space of the hidden Internet Explorer process. This “downloaded” file is actually not dropped onto the system, but instead directly loaded in memory, making file-based detection ineffective.

Typical of a backdoor, BKDR_RARSTONE.A connects to specific sites and can perform several routines, which include enumerating files and directories, downloading, executing, and uploading files, and updating itself and its configuration.

Worth noting among its backdoor routine is its ability to get installer properties from Uninstall Registry Key entries. It does this to get hold of information about the installed applications in the affected system, as well as to know how to uninstall certain applications. This can be handy in silently uninstalling applications, which may interfere with the backdoor’s routine, e.g. anti-malware software and the likes.

Another interesting feature of this backdoor is the communication method it uses, specifically SSL. This use of SSL has a two-fold advantage: it guarantees that communication between the C&C and infected system is encrypted, at the same time it blends in with normal traffic.

Read the rest of this entry »

In our previous post, we reported about new breed of Remote Access Tool (RAT) called PlugX, which was used in targeted attacks using Poison Ivy. At first glance, this RAT appears to be a simple tool with limited remote access capabilities. However, further analysis of PlugX reveals that it might be keeping more tricks up its sleeves.

In a typical attack, PlugX usually comes with the three file components, namely:

• A legitimate file
• A malicious DLL that is loaded by the legitimate file
• A binary file that contains the malicious codes loaded by the DLL.

The attack starts with a phishing email containing a malicious attachment, usually an archived, bundled or specially crafted document that exploits either a vulnerability in Adobe Acrobat Reader or Microsoft Office (in particular CVE-2010-3333). In this example, it arrives via a specially crafted document (detected as TROJ_ARTIEF.LWO). The said Trojan drops and executed BKDR_PLUGX.SME that drops the following files:

• All Users’ %User Profile%\Gf\NvSmart.exe – a legitimate NVIDIA file (NVIDIA Smart Maximise Helper Host)
• All Users’ %User Profile%\Gf\NvSmartMax.dll – BKDR_PLUGX.BUT
• All Users’ %User Profile%\Gf\boot.ldr – TROJ_PLUGX.SME

Notice that the malware drops the file NvSmart.exe, which is a known legitimate NVIDIA file.

Looking at the NvSmart.exe’s import table, we can observe that it imports three functions from NvSmartMax.dll. Normally, it would load a legitimate NvSmartMax.dll. But if a malicious version of this DLL file is located in the same directory, it would load this version instead.

The malicious NvSmartMax.dll then loads boot.ldr found in the same directory. The said file contains the malicious code used by NvSmartMax.dll.

Digging deeper at what the loaded code does, we can see that it first decrypts itself to form what seems to be an “executable file” in its memory space. All the backdoor modules can be found in this “executable file”.

However, the loaded code does not drop this decrypted “executable file”. Instead, it injects the codes to the legitimate process svchost.exe, possibly to avoid detection. After it has injected its code to svchost.exe, it then terminates the initially executed NvSmart.exe.

Our analysis of the decrypted executable file shows that this threat is designed and filled with several backdoor modules. These modules are organized to perform tasks unique to the module. We uncovered the following modules from the malware:

Similar to our initial PlugX post, we observed that it drops a debug log file in % All Users Profiel%\SxS\bug.log. This file contains error codes that the malware author can use to improve PlugX. For example, if the malware couldn’t access certain files or folders, it would create a log of this incident. Using this debug log as reference, the malware author can then modify future versions of PlugX to access these files or folders. The author could even use this log to know how it can avoid detection or being disabled. Thus, this file may be crucial in creating more effective versions of PlugX tools in the future.

Trend Micro users are protected by the Smart Protection Network™. In particular, file reputation service detects and deletes PlugX (BKDR_PLUGX and TROJ_PLUGX). Web reputation and email reputation services blocks access to the said C&C and related email respectively. Trend Micro Deep Security users are protected from this threat via rule 1004498 – Word RTF File Parsing Stack Buffer Overflow Vulnerability.

Trend Micro will continue to monitor PlugX’s development and the campaign behind it.