HackDig : Dig high-quality web security articles for hacker

There’s no place like ::1 – Malware for the masses

2015-10-19 22:50

Analyzing malware samples provided by customers usually leads to interesting results. Recently, an HP customer downloaded something via Microsoft Internet Explorer and provided the sample analyzed in this blog. In some cases, analysis of these types of samples provides insight into previously unknown and sophisticated malware. Then there is this case, which turned out to be an excellent example of point-and-click “hacking.”

 

Our analysis of this sample showed it to be the Babylon remote access tool (RAT) – not to be confused with the Babylon toolbar, which many consider malware. In this instance, Babylon provides an easily accessible botnet/RAT with a Command and Control (C2) panel and executable builder. A single standalone executable controls all infected hosts, builds and configures new executables for subsequent infection, and updates existing infections. The program allows attackers to add packing or anti-analysis features to the sample by simply checking a box and clicking ‘build’. This ease of use significantly increases the number of threat actors that defenders need to guard against.

 

The sample investigated appeared to be a test RAT client. At least, that’s the theory that makes the most sense. The author seems to have built the sample for testing and then mistakenly used this test build for the live attack. Alternatively, it is possible that the actor behind this sample does not understand the basics of networking: after testing the RAT client on localhost, an author this unsophisticated could have believed it to be a valid tool for use on a target and deployed it intentionally. The default parameters in the builder are for a connection to localhost:20000 and localhost:21000, meaning the RAT client would never report back to a remote attacker.

 

Under normal conditions, the Babylon RAT allows an attacker to control a remote system without the authorization or consent of the target. The Babylon RAT provides access to the target system’s webcam, remote desktop, offline and live keyloggers, system information, remote command shell and additional capabilities covered below.  When used properly, it completely owns a target system.

 

Let’s step through the details of the analysis. The original sample, packed using UPX, was easily unpacked using ‘upx -d’, allowing for static analysis using Hex-Rays IDA Pro.

 

Static analysis showed that there was one call to ‘connect’ and a few calls to ‘GetAddrInfoW’. Typically these would lead to the C2 being used by the sample. However, a little reversing led to a roadblock wherein the sample’s configuration is encrypted and embedded in the sample itself. The easiest method of decrypting this was to debug into the decryption function and look at the resulting plaintext. This was the first indication that ‘localhost’ was the target C2 as shown in figure 1.

 

Babylon_Fig1.jpg

Figure 1: Target C2 is localhost

 

Debugging into the unpacked sample presented another odd issue: the unpacked image contained hardcoded (absolute) JMP targets that were only valid at the addresses the UPX stub expects the code to occupy. As seen in Figure 2 below, running the unpacked version resulted in a memory read exception every time. Running the packed version worked fine, which meant it was time to debug into the packed version.

 

 Babylon_Fig2.jpg

Figure 2: Access violation in unpacked version

 

Debugging the packed version also led back to the same C2: localhost. Something did not make sense here -- why would the author use a RAT client that connects back to localhost? To determine whether something was missed, let’s follow the decrypted config, specifically the hostname, through to the ‘GetAddrInfoW’ call and determine whether it is actually being resolved as the C2 and not being used for something else.

 

Debugging down to the ‘GetAddrInfoW’ call went as expected, except that for some unknown reason IDA disassembled the code incorrectly when debugging, handling the ‘call’ as an ‘add’.

 

Babylon_Fig3.jpg

Figure 3: Target is still localhost

 

Regardless, viewing the stack to see the parameters passed to the DNS resolution call revealed ‘localhost’ (Figure 3). Perhaps this actually is trying to communicate with localhost. Luckily, in the process of researching Babylon to see if anyone else had performed a deep analysis, I came across the C2 panel (Figure 4). I was able to run the C2 panel and watch as the client connected back to localhost on port 20000, confirming that nothing was missed earlier in the investigation.

 

Babylon_Fig4.jpg

Figure 4: C2 panel – client connecting to localhost on port 20000
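The check performed by hand above (following the decrypted host through GetAddrInfoW and then watching the panel receive the connection on loopback) can be reduced to a triage step on any decrypted RAT configuration: resolve the C2 host and ask whether any resulting address is reachable from a victim at all. The Python below is an added example written for this page, not code from the original post or from Babylon. The builder defaults localhost:20000 and localhost:21000 come from the analysis; the host:port endpoint format, the function names and the 10.0.0.5 / 8.8.8.8 addresses used for illustration are assumptions of the example.

```python
import ipaddress
import socket

# Default C2 ports in the Babylon builder, as observed in the analysis above.
BABYLON_DEFAULT_PORTS = (20000, 21000)


def parse_endpoint(endpoint):
    """Split 'host:port' into (host, port).  Accepts bracketed IPv6 such as
    '[::1]:20000' and returns (host, None) when no port is present.
    (Endpoint syntax is an assumption of this example, not Babylon's format.)"""
    endpoint = endpoint.strip()
    if endpoint.startswith("["):            # [v6-literal]:port
        host, _, rest = endpoint[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    elif endpoint.count(":") == 1:          # name:port or v4:port
        host, _, port = endpoint.partition(":")
    else:                                   # bare name or bare v6 literal
        host, port = endpoint, ""
    return host, (int(port) if port else None)


def resolve(host):
    """Return the set of IP literals that 'host' names.  An IP literal maps to
    itself; a hostname goes through getaddrinfo for both address families
    (the same call the sample makes via GetAddrInfoW).  A resolution failure
    yields an empty set instead of raising."""
    try:
        return {str(ipaddress.ip_address(host))}
    except ValueError:
        pass
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def categorize(ip_text):
    """Coarse reachability class of one IP literal; ::1 and 127.0.0.1 both
    land in 'loopback'."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return "routable"


def classify_c2(endpoint):
    """Triage a decrypted C2 endpoint.  If every address the host resolves to
    is loopback, the client can only ever talk to the machine it runs on, so
    the sample is inert on a victim regardless of its other capabilities."""
    host, port = parse_endpoint(endpoint)
    addrs = resolve(host)
    classes = {categorize(a) for a in addrs}
    if not addrs:
        verdict = "unresolved"
    elif classes == {"loopback"}:
        verdict = "loopback"
    elif "routable" in classes:
        verdict = "routable"
    else:
        verdict = "internal"        # RFC1918 / link-local only: lab or lateral C2
    return {
        "host": host,
        "port": port,
        "addresses": sorted(addrs),
        "verdict": verdict,
        "default_babylon_port": port in BABYLON_DEFAULT_PORTS,
        "reaches_attacker": verdict in ("routable", "internal"),
    }


if __name__ == "__main__":
    for ep in ("localhost:20000", "[::1]:21000", "10.0.0.5:4444", "8.8.8.8:443"):
        print(ep, "->", classify_c2(ep))
```

On a dual-stack Windows host the resolver prefers the IPv6 loopback for localhost, which is consistent with the ::1 seen in the panel in Figure 10; both loopback literals are treated identically here. A name that does not resolve in the analysis environment is reported as "unresolved" rather than being mistaken for a dead or loopback C2, since a sinkholed or not-yet-registered domain is a different finding from a build pointed at localhost.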

 

RAT Capabilities

Had the RAT client actually been built correctly and used to infect a target host, there are quite a few different options available to the attacker. The simplicity of the control UI puts the ability to control thousands of infected machines into just about anyone’s hands.

 

System (Figure 5)

Remote File Explorer – Browse the remote file system

Download/Execute – Download and execute a file on the remote system

Process Manager – View running processes

System Information – Reconnaissance of target system information

Remote CMD – Execute remote commands in the cmd shell

Hosts Editor – Edit the remote system’s HOSTS file

 

Power

Shut down – Shut down the remote system

Restart – Restart the remote system

Sleep – Put the remote system to sleep

Hibernate – Put the remote system into hibernation mode

Log off – Log off the current user

 

 Babylon_Fig5.jpg

Figure 5: RAT Capabilities - System

 

Surveillance (Figure 6)

Remote Desktop – Watch the remote desktop

Remote Webcam – Watch the remote webcam

Offline Keylogger – Store keystrokes and recover them later

Real-Time Keylogger – Watch keystrokes as they happen

Password Recovery – Extract stored credentials in Chrome and Firefox

 

Babylon_Fig6.jpg

Figure 6: RAT Capabilities - Surveillance

 

Networking

Stress Testing – Start or stop a DoS attack from the remote system (compare the ‘DoS Active...’ / ‘DoS Stopped’ client strings listed under Indicators of Compromise)

Reverse SOCKS – Set up a remote SOCKS proxy

Chat – Start an interactive chat window with the current user; the user cannot close the chat window

 

Clients

Refresh – Restart the currently running process

Uninstall – Remove the infection from the target system

Update – Update the client version on the target system

Send to All – Send a command to all infected systems

 

Using the System Information pane in the control panel revealed detailed information on the infected system (Figure 7).

 

Babylon_Fig7.jpg

Figure 7: System Information pane of an infected system

 

The RAT also includes chat capabilities. Figure 8 demonstrates the chat functionality between the attacker and the user, which could be used by the attacker for extortion.

 

Babylon_Fig8.jpg

Figure 8: Chat functionality

 

Builder/C2 Panel

The builder panel allows for the command of all infected systems and provides the tool for building new Babylon RAT client executables with different settings.

 

The builder includes options for packing, hiding a process, anti-VM, and changing the mutex name, which generates a new UUID.

 

 Babylon_Fig9.jpg

Figure 9: Builder panel for configuring new Babylon executables

 

In addition to tracking callbacks from remote infections, the C2 panel also tracks any SOCKS proxies that are active, and stores any recovered passwords from Chrome and Firefox. Note the IP address of ::1 in the first column. This is localhost in IPv6 parlance, similar to 127.0.0.1 in IPv4.

 

Babylon_Fig10.jpg

Figure 10: Callbacks on main panel

 

The main panel page shows all callbacks (Figure 10), sortable by IP, port, country, status, username, OS, Active Window, idle time, uptime, and client version.

 

Indicators of Compromise

The mutex name is a UUID generated by the builder, so it identifies a particular build rather than the Babylon family as a whole; it is likely to be unique for each actor. The UUID on this sample was:

                10f3f6c3-0ba1-4358-8055-1a42c1e358e1 (Figure 11)

 

Babylon_Fig11.jpg

Figure 11: Mutex

 

The MD5 for this sample is:

MD5: a497ff5a3d10d45a9e54f3801bbe235a

 

However, this information is largely irrelevant as this sample will likely never be detected in the wild. Additionally, a changed C2 would change the hash of the sample.

 

While the packed sample did not reveal any interesting strings, the unpacked sample showed the following:

String: ClipBoard.txt

String: cvtres.exe

String: csc.exe

String: vbc.exe

String: Downloading File...

String: Updating...

String: Update Failed...

String: Update Failed [OpenProcess]...

String: DoS Active...

String: DoS Already Active...

String: DoS Not Active

String: DoS Stopped

String: File Downloaded and Executed

String: File Download and Execution Failed...

String: Babylon RAT Client

String: A Babylon RAT client is currently running on this PC. Close this window to end the client
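The unpacking step earlier in the analysis (‘upx -d’ before static analysis) and the indicators listed in this section can be combined into a small offline triage routine. The Python below is an added example for this page, not tooling from the original post: it reads section names straight out of the PE header to spot the UPX0/UPX1 sections UPX leaves behind, extracts both ASCII and UTF-16LE strings (Windows binaries keep many strings as wide characters, which a plain ASCII strings run misses), and matches the MD5, mutex UUID and strings above. The stand-in binary it builds is constructed for the demonstration and is not the real sample; only the hash, mutex and string indicators are taken from the page, and all function names are the example’s own.

```python
import hashlib
import re
import struct

# Indicators taken from the analysis above.
BABYLON_MD5 = "a497ff5a3d10d45a9e54f3801bbe235a"
BABYLON_MUTEX = "10f3f6c3-0ba1-4358-8055-1a42c1e358e1"
BABYLON_STRINGS = (
    "Babylon RAT Client",
    "A Babylon RAT client is currently running on this PC",
    "DoS Active...",
    "File Downloaded and Executed",
    "Update Failed [OpenProcess]...",
    "ClipBoard.txt",
)


def extract_strings(data, min_len=6):
    """Printable runs of at least min_len characters, both narrow (ASCII) and
    wide (UTF-16LE, i.e. 'l\\x00o\\x00c\\x00...' in the raw bytes)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = {m.group().decode("ascii") for m in ascii_re.finditer(data)}
    found |= {m.group().decode("utf-16le") for m in wide_re.finditer(data)}
    return found


def pe_section_names(data):
    """Section names from the PE section table, parsed by hand (no pefile).
    Returns [] for anything that is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or e_lfanew + 24 > len(data):
        return []
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]   # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]    # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    names = []
    for i in range(n_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """UPX names its sections UPX0/UPX1 (plus UPX2 when resources are kept)."""
    return any(name.startswith("UPX") for name in pe_section_names(data))


def triage(data):
    """Hash, packer check and indicator matching over one file's bytes."""
    strings = extract_strings(data)
    md5 = hashlib.md5(data).hexdigest()
    return {
        "md5": md5,
        "known_sample": md5 == BABYLON_MD5,
        "sections": pe_section_names(data),
        "upx_packed": looks_upx_packed(data),
        "string_hits": [s for s in BABYLON_STRINGS if any(s in t for t in strings)],
        "mutex_present": any(BABYLON_MUTEX in t for t in strings),
    }


def build_fake_sample(packed):
    """Constructed stand-in for the demo (not the real binary).  The packed
    variant carries UPX section names and only high-entropy filler, mirroring
    the observation that the packed sample revealed no interesting strings."""
    sections = ["UPX0", "UPX1", ".rsrc"] if packed else [".text", ".rdata", ".data"]
    e_lfanew = 0x40
    img = bytearray(b"MZ" + b"\0" * 0x3A)
    img += struct.pack("<I", e_lfanew)                       # e_lfanew at 0x3C
    img += b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    for name in sections:
        img += name.encode().ljust(8, b"\0") + b"\0" * 32    # 40-byte section header
    if packed:
        img += bytes((i * 37) & 0xFF for i in range(512))    # no printable run >= 6
    else:
        img += b"\0" * 16 + "Babylon RAT Client".encode("utf-16le") + b"\0\0"
        img += b"DoS Active...\0\0" + BABYLON_MUTEX.encode("utf-16le") + b"\0\0"
        img += b"\0" * 8 + b"localhost\0"
    return bytes(img)


if __name__ == "__main__":
    for label in ("packed", "unpacked"):
        print(label, triage(build_fake_sample(label == "packed")))
```

The MD5 check is kept only for completeness; as noted above, a rebuilt client with a different C2 has a different hash, so the strings and the per-build mutex are the indicators worth carrying into a detection rule, and the packer check tells an analyst up front whether a strings pass will show anything before unpacking.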

 

Conclusion

In the end, we’ll never really know if this sample was a test client mistakenly released or a would-be attacker confused by localhost. Either way, the analysis shows the Babylon RAT can be easily created and controlled by an unsophisticated threat actor. Even with a fully functional sample, the attacker would still need to convince a user with administrative privileges to run the program – another reminder that users should never do day-to-day tasks as admin.

 

The movement toward easily used attack tools mirrors the progression to ease-of-use computer programs generally. A couple of decades ago, computers required a level of training and skill that is no longer necessary for even the youngest users today. As offensive hacking activities and tools become more widespread and accessible to general users, it becomes critical for enterprises to implement a strong defensive strategy. This will not eradicate malicious attacks; however, it will help to weed out the less sophisticated ones.

 
