Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

RedKit Payload - Binary Fun

Before I jump into this blog post, I'd like to point out some interesting developments with the RedKit exploit kit. Specifically, the authors changed the color!

9586_618fbdb2-cd82-4d8c-8039-1c8110d2e53e

Anyways, my coworker Arseny Levin was nice enough to supply me with a sample executable from this recently discovered exploit kit. This executable was the payload component that gets dropped on the victim's machine in the event that an exploit was successful in this particular instance. As the exploit kit can be purchased by anyone, the attackers may upload any executable, or piece of code they wish.

A post published at 'Malwares don't need Coffee' (see this link) reveals the FAQ that was released with the exploit kit. Please do not navigate to any of the links referenced in the FAQ unless you are running in a sandboxed environment, as these links may contain malicious elements. The following excerpt appears inside the FAQ:

Не подскажете — где криптануть EXE-файл (DLL-файл)?

Мы рекомендуем крипт-сервис http://livefreeteam.ru/ (жаба: LiveFreeTeam@jabber.ru).

Roughly translates to the following:

Do not tell - where kriptanut EXE-file (DLL-file)?

We recommend that the crypts service http://livefreeteam.ru/ (Toad: LiveFreeTeam@jabber.ru).

It is likely that this service was utilized to obfuscate the malware we will be analyzing, thus explaining the obfuscation we shall witness. While we cannot be certain, it is typical for clients to follow the advice given to them by the exploit kit authors.

So let's begin…

The file is named 'setup.exe' to avoid suspicion, and is configured with a shield icon (likely to immitate some form of protection software, such as anti-virus).

11737_c79e1684-6046-4997-abdd-8465f016e9f8

Digging into the file, we quickly discover that some form of packing and/or crypting is taking place. Again, it is likely the result of the crypting service mentioned above. Some clues to this include the small number of functions being loaded in the imports table, along with this wonderful blob of data that is placed in the middle of the executable.

8806_3b3678fd-1c70-4584-9d09-1a99f692dbf5

9021_46a82773-3026-44f3-8ae7-c83f38ec89be

Static analysis proves to be little help in this situation, as there are a large number of functions being daisy-chained together. Instead, we'll move to dynamic analysis to get a better understanding of what is going on. I should point out that static analysis is not impossible, but in order to save on time in this particular instance, dynamic analysis will provide more 'bang for our buck'. Once we get through a lot of, for lack of a better word, garbage, we come to the following:

9039_4796225b-c7ac-4a3c-bc4b-a211b6b1e642

One thing that is completely whacky about the image above is the use of the hFile argument. According to MSDN, this parameter is reserved for future use and must be Null. Clearly something else is happening here, so let's dig in further.

We begin by seeing three values (6AC, 6AC, and 40001) being pushed on the process's stack.

10552_8f28c709-b294-46b9-bd2d-318e9e7c6f6d

The process proceeds to move 861C95C6 to the EAX register. Once this is complete, the value of 7A239A86 is added to 861C95C6, and the resulting value is pushed to the stack. We see this value is pointing to the kernel32.HeapCreate function. Once this occurs, the malware subtracts 2 from the recently pushed kernel32.HeapCreate value. This results in a value of 7C812C54.

8229_1da38a70-5b6a-4eca-bbca-2e1a7c75ee4e
10026_77aeeb4f-8981-4320-870c-be6e958e83e3

If we inspect this location in memory, we can see that the HeapCreate function is prepended with NOPs, or 'No Operation'. In layman's terms, these opcodes do nothing.

12666_f3403744-ff42-49a0-bee9-9f978ac8c8fb

Next we witness the malware move the previous 7C812C54 value to the memory location EAX is pointing to. In other words, we're not copying 7C812C54 to EAX, but instead copying that value to 0040300C. We can see this below. The value is reversed due to the endianness.

10566_8fb15d52-ed67-4e92-8b93-0a6ef02644be

Finally, we see a call to, what Ollydbg believes is, LoadLibrary.

8641_331d52fc-6e8c-489e-8b17-8c464235e8ee

However, we discovered earlier that 7C812C54 is actually pointing to kernel32.HeapCreate minus 2. As we continue to follow the flow of execution, we reach the call to RtlHeapCreate, with the following arguments:

RtlHeapCreate(00041001, 00000000, 00001000, 000006AC, 00000000, 00000000)

12260_e22d57f5-9dd1-453f-a79c-18ed10523be4

From the Microsoft documentation, we discover that by setting a null value for the 2nd argument, we're allocating system memory for the heap from the process's virtual address space.

We see this space allocated in memory below:

10987_a2ff6d33-15e2-43c3-9c73-9d335a8ce8a0

As we continue to debug the setup.exe executable, we see the blob of data from earlier is de-obfuscated and written to memory in the space previously allocated:

8390_270f5a3e-1519-4e42-a7e4-917ec673384f

The executable then proceeds to call this block of code at 009D0000:

7646_01df18e9-4a5d-42cf-b47a-370ed9ffc9d1

This is where the real purpose of the executable is revealed. We see the un-obfuscated code immediately begin loading functions from a number of libraries. The malware then takes the code that was previously copied in memory, and makes a copy of that elsewhere, after it allocates space using the VirtualAlloc() function:

8008_12be805c-44b2-45ef-b33a-b81703f31c10

Resulting memory block:

9244_4fb45ebc-22d5-45ab-964b-14ce069a64f1

After this is performed, the malware's flow of execution continues in the context of this new space in memory. We then continue on, and discover that the malware attempts to download a 'newm001.exe' file from one of two domains.

9207_4e521124-7d9b-4c59-92bc-8b3baf934ca5

Please note the shortened header in the above PCAP, which often can provide clues to the malicious nature of the request. In the event that setup.exe cannot find the malware from the first domain, it will sleep for 10 minutes before attempting to download it from the other domain. This process repeats until successful. Once the malware is successful in downloading the executable, it writes it to the victim's TEMP directory as an ambiguous name (in this case 'temp54.exe'), before executing it in the context of setup.exe.

11044_a5ba8035-adeb-44e4-b860-e36f9a6e3c52

At this point, the second stage of the payload is executed.

12655_f2cb38cb-7a34-411d-a35e-d2b9045622ba

As we continue to analyze the newly downloaded executable, we quickly realize that the same method of obfuscation is utilized that we saw in setup.exe. Unlike setup.exe, this malware extracts a UPX-packed executable into memory, and proceeds to execute this file. I shall not go terribly in-depth into this sample, as it is a well-known executable that has been seen many times before. An example variant of this file can be found here, at ThreatExpert. A good method of identification is the creation of the following registry keys:

  • HKEY_CURRENT_USER\Software\Amd\DBID
  • HKEY_CURRENT_USER\Software\Amd\DB
  • HKEY_CURRENT_USER\Software\Amd\DB2
  • HKEY_CURRENT_USER\Software\Amd\DB3

Some highlights for this malware include:

  • Searching victim for passwords in well-known software packages
  • Looking for bitcoin wallets
  • Sniffing traffic for unencrypted data (SMTP, Telnet, FTP, etc.)

At this point we've achieved a good grasp on both what the malware is doing, as well as the methods in use for obfuscation. While this is just an example of what the RedKit (Or shall we just start calling it Chameleon?) exploit kit is capable of delivering, I hope it provides some insight for any readers as to the capabilities, and the dangers, users face on a daily basis.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo