Unpacking analysis of the spyware used in attacks on Vietnamese airports and other organizations

Posted by barello at 2020-04-14

According to the spyware samples we captured from earlier intrusions into Vietnamese organizations, those intrusions are linked to the attack on two major airports in Vietnam at the end of July, and the malware used in that attack was used to steal the information of 400,000 Vietnam Airlines members.

The attack payload used in these intrusions is a Korplug RAT variant disguised as the McAfee antivirus software. This article describes the process of extracting the final attack payload from the disguised software.

1 Analyzed samples

884d46c01c762ad6ddd2759fd921bf71 - McAfee.exe
c52464e9df8b3d08fc612a0f11fe53b2 - McUtil.dll (shellcode loader)
28f151ae7f673c0cf369150e0d44e415 - shellcode
321a2f0abe47977d5c8663bd7a7c7d28 - unpacked payload (DLL)

Execution process:

McAfee.exe -> McUtil.dll -> shellcode -> payload (DLL)

2 The spyware package

This program is a very interesting modular package. As a whole, it is disguised as the McAfee antivirus software:

Its signature information shows McAfee's original, valid signing certificate:

This signing certificate is not fake, of course, because mcafee.exe is indeed a legitimate program; but it is bundled with a malicious DLL file, which the attackers use to hijack the program's DLL loading.

The McAfee program used in the attack is an old version (compiled in 2008). In our tests, the current version of the McAfee program cannot be abused in this way.

3 Behavior analysis

After successful implantation, the program hides itself on the victim system. Analysis shows that the malicious code is injected into a normal system process, svchost.exe, which runs when the program body starts. The details of the running svchost.exe process show that its image directory is the malicious program's directory.

BOT threads created by the malicious program enumerate the local address space from low to high to discover other hosts on the LAN:

At the same time, it also tries to communicate with the remote C&C address (air.dscvn.org). At the time of our analysis and testing, the C&C address was already down:

4 Unpacking analysis

Before reaching the final function of the malicious program, there are multiple carrier layers. The EXE and DLL files are normal on their own; the key malicious function lies in an external bundled file containing encrypted shellcode, and the DLL that carries the core spying functions is hidden inside that shellcode.

Shellcode loading

To hinder debugging and analysis, the attackers obfuscate the way the payload is loaded in a very tricky way. Once mcafee.exe is executed, it loads a dynamic library named mcutil.dll from its startup directory. Because the system does not check the integrity of the program as a whole, the executing program will load any DLL file with that name:

Mcutil.dll is used to deploy the next-stage file. To avoid leaving analysis traces, mcutil.dll does not drop the file directly; instead it patches mcafee.exe so that the host process itself reads and loads it. The following figure shows the code fragment that writes the hook loader into memory:

The following is the program's call code after patching. The first two instructions jump directly to an address inside mcutil.dll:

The body of mcutil.dll contains the patch function, and it is called dynamically, so the hook executes immediately after the loading call returns.

The external file read by the hook is visible here:

When the write to memory is performed, a JNZ jump is taken:

Payload extraction

The malicious program's shellcode is obfuscated in a complex way:

The focus here is not on the obfuscation, but on the malicious program's unpacker and loader. The loader decompresses the following content into a buffer:

After that, the content is remapped block by block, with additional memory allocated for it. A similar pattern can be seen when the initial PE file is remapped into a virtual image. In fact, the decompressed content is a PE executable with a deformed header, in which the original "MZ" magic of the PE file has been replaced with the marker "XV":

The file was restored to a valid executable by reconstructing the file header:

The file now parses as a normal PE file, 321a2f0abe47977d5c8663bd7a7c7d28. Although the section names are blank, all contents are valid:
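The header repair described above, as an added example that is not code from the original post: it locates "XV"-marked images in a memory dump, restores the DOS magic to "MZ", and reads the COFF header to confirm the result is a DLL. The sample image is constructed, and the code assumes (as the post describes) that only the two DOS magic bytes were altered.

```python
import struct

MZ_MAGIC = b"MZ"
XV_MAGIC = b"XV"        # tampered DOS magic seen in the dumped payload
PE_MAGIC = b"PE\0\0"
IMAGE_FILE_DLL = 0x2000

def find_xv_headers(buf: bytes) -> list:
    """Offsets in buf where an 'XV' stub has a plausible e_lfanew pointing at 'PE\\0\\0'."""
    hits = []
    pos = buf.find(XV_MAGIC)
    while pos != -1:
        if len(buf) >= pos + 0x40:                      # full DOS header present
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and buf[pe_off:pe_off + 4] == PE_MAGIC:
                hits.append(pos)
        pos = buf.find(XV_MAGIC, pos + 1)
    return hits

def repair_header(blob: bytes) -> bytes:
    """Restore the DOS magic so the blob parses as a normal PE file."""
    if blob[:2] != XV_MAGIC:
        raise ValueError("blob does not start with the XV marker")
    fixed = bytearray(blob)
    fixed[:2] = MZ_MAGIC
    e_lfanew = struct.unpack_from("<I", fixed, 0x3C)[0]
    if fixed[e_lfanew:e_lfanew + 4] != PE_MAGIC:
        # The post only reports the MZ bytes changed; anything else needs manual work.
        raise ValueError("no PE signature at e_lfanew; header needs more reconstruction")
    return bytes(fixed)

def pe_characteristics(blob: bytes) -> dict:
    """Read COFF header fields: machine, section count and the IMAGE_FILE_DLL flag."""
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    machine, nsec = struct.unpack_from("<HH", blob, e_lfanew + 4)
    flags = struct.unpack_from("<H", blob, e_lfanew + 22)[0]
    return {"machine": machine, "sections": nsec, "is_dll": bool(flags & IMAGE_FILE_DLL)}

def build_sample() -> bytes:
    """Constructed minimal 'XV' image (not the real sample): DOS header + COFF header."""
    dos = bytearray(0x40)
    dos[:2] = XV_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header right after stub
    # Machine=i386, 3 sections, no symbols, 0xE0 optional header, EXE|32BIT|DLL flags
    coff = PE_MAGIC + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x2102)
    return bytes(dos) + coff
```

Run find_xv_headers over a raw process dump, then repair_header on each hit, to carve candidates for a PE parser.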

The file characteristics indicate that the payload is a DLL. Since the file has no export table, its original name is unknown. Looking at the payload's imports below, we can confirm that it is the final attack payload: it loads and calls many network communication functions. For example:

During behavior analysis of the program, we also found the code that performs the IP scan of LAN hosts.

To let the attack payload execute covertly, the attacker checks the execution order of all components. The following are the hard-coded names of the main components:

5 Summary

This malicious program uses the McAfee program to hijack DLL loading and run malicious code. To avoid detection, it also obfuscates every module. No single file module shows malicious behavior, so none of them is flagged by antivirus software; only when all parts execute together does the malicious functionality appear.

In this type of malicious program, the EXE or DLL file is used only to load the shellcode and contains no malicious code itself. Although users are more cautious about running PE files, this time they may be out of luck.


*Translated by: clouds; original source: Malwarebytes; no reprinting without permission.