Detailed technical analysis of the "Dark Cloud" bootkit Trojan

Posted by tzul at 2020-03-15

*The vulnerabilities involved in this article have been reported to the vendor and fixed. This article is for technical research and discussion only. Using it for illegal purposes is strictly prohibited; anyone who does so bears all consequences themselves.

Introduction to the "Dark Cloud" Trojan:

"Dark Cloud" is one of the most complex Trojans seen so far and has infected millions of computers. It uses many complex and novel techniques to lurk in the user's system for a long time. It uses bootkit technology to infect the boot area of the disk directly, so even reinstalling the system and formatting the hard disk after infection does not remove it: a format rewrites the partitions, not the MBR and the gap sectors where the Trojan resides.

The Trojan uses many innovative techniques, with the following characteristics:

First, very high stealth. It protects the infected MBR by hooking the disk driver, so security software cannot detect or clean it, and it uses object hijacking to evade manual inspection by security analysts. To date almost no security software can detect and remove this Trojan.

Second, "cloud" thinking applied to a Trojan: only a lightweight body is hidden in the first 30 sectors of the disk. This resident code and the code it loads into the system carry no traditional Trojan functionality; their only job is to download the functional code from the server (the "cloud") and execute it directly in memory. These functional modules are downloaded from the cloud again on every boot, so the Trojan is small on disk and tightly controlled from the cloud.

Third, the communication path between ring 3 and ring 0: Microsoft's documented approach is for ring 0 code to create a device object, which ring 3 code opens in order to communicate with it. The approach commonly used by Trojans is to hook a chosen API function in ring 0; Dark Cloud instead achieves this by registering a callback.

Fourth, full operating system compatibility: a single bootkit supports both x86 and x64 systems and works on XP, Win7 and the other current mainstream versions, so its reach is very wide. Its monetisation also follows the mainstream promotion channels: promoting small websites, mobile apps and games, promoting large websites, and promotion IDs.

Fifth, effective against security software: the Trojan's main body runs in the kernel and starts before any security software, so most products cannot intercept or detect its malicious behaviour. The Trojan can terminate some security software processes directly from the kernel and queue an APC into any security software process for execution. The injected APC code closes the handle to the product's file-monitoring device, so file monitoring fails and the probability of detection drops sharply.

Figure 1. Startup flow of the Dark Cloud Trojan (four modules, shown in red, purple, green and black)

Figure 2. Functional division of the Dark Cloud Trojan modules

1. Behaviour of the resident module on the computer (MBR)

When the computer is powered on, the infected disk MBR gains control of the CPU first. Its job is to load the Trojan body from sectors 3-63 of the disk into memory, decrypt it and execute it. Once the body is running, it obtains a second chance to execute by hooking the int 15h interrupt, then reads the backup of the original MBR from sector 2 and boots the system normally.

During boot the system queries memory information through int 15h, so the Trojan's int 15h hook gains CPU control for the second time. After gaining control, the Trojan hooks the BlLoadImageEx function, calls the original int 15h handler and returns control to the system so that booting continues.

When the boot code calls BlLoadImageEx to load ntoskrnl.exe, the Trojan gains control for the third time. It hooks again, this time at the entry point of ntoskrnl.exe, and then hands control back to the system to continue booting.

When the Windows kernel is entered after boot, the Trojan code hooked at the ntoskrnl entry point gains CPU control for the fourth time; at this point the Trojan is truly inside the Windows kernel. It allocates a block of memory, copies the main kernel code of the Trojan into it, and arranges for that code to execute by registering a PsSetCreateThreadNotifyRoutine callback. This completes the loading chain from the MBR to the Windows kernel.

The Trojan's main kernel code implements the following three functions:

1. Hook the disk driver to hide and protect the infected MBR;

2. Queue an APC into a ring 3 svchost process;

3. Receive data returned from ring 3 by registering a registry callback.

The code injected into svchost implements only one simple function: determine the operating system type, download the matching addata.dat module from the cloud, decrypt it and execute it. The URL of the cloud module is hard-coded in the shellcode.

Figure 3. Bootkit startup process

Code details:

Comparison of the infected MBR (black) with the original MBR (red)
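The layout described above (a replaced MBR in sector 0, the original MBR preserved in sector 2, the body in the normally unused sectors before the first partition) is something a responder can check for offline. The following Python is an added example written for this article, not code from the original analysis or from Tencent; it builds two constructed disk images in memory, one clean and one laid out the way the text describes, and scans the first 64 sectors for the two indicators. The partition table, boot-code placeholders and filler bytes are all constructed; no real boot code is involved.

```python
import struct

SECTOR = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into boot code, the four partition entries and the signature."""
    partitions = []
    for i in range(4):
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, start_lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        partitions.append({"status": status, "type": ptype,
                           "start_lba": start_lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "partitions": partitions,
            "valid_signature": sector[510:512] == SIGNATURE}


def first_partition_lba(mbr: dict) -> int:
    """Lowest starting LBA among used partition entries (63 if the table is empty)."""
    starts = [p["start_lba"] for p in mbr["partitions"] if p["type"] != 0 and p["start_lba"] > 0]
    return min(starts) if starts else 63


def scan_boot_area(image: bytes, backup_sector: int = 2, last_gap_sector: int = 63) -> list:
    """Return human-readable findings for the two indicators described in the article."""
    findings = []
    mbr = parse_mbr(image[0:SECTOR])
    if not mbr["valid_signature"]:
        findings.append("sector 0 does not carry the 0x55AA MBR signature")
        return findings

    # Indicator 1: another sector in the pre-partition gap holds a complete MBR whose
    # partition table matches sector 0 but whose boot code differs (backup of the original).
    backup = parse_mbr(image[backup_sector * SECTOR:(backup_sector + 1) * SECTOR])
    if (backup["valid_signature"] and backup["partitions"] == mbr["partitions"]
            and backup["boot_code"] != mbr["boot_code"]):
        findings.append(f"sector {backup_sector} holds an MBR copy with the same partition "
                        f"table but different boot code")

    # Indicator 2: non-zero data in sectors that lie before the first partition and are
    # normally never written by the OS installer.
    limit = min(first_partition_lba(mbr), last_gap_sector + 1)
    used = [s for s in range(1, limit)
            if s != backup_sector and any(image[s * SECTOR:(s + 1) * SECTOR])]
    if used:
        findings.append(f"{len(used)} non-empty sectors in the normally unused gap before "
                        f"the first partition (sectors {used[0]}-{used[-1]})")
    return findings


def build_image(boot_code: bytes, gap_payload: bytes = b"", backup_code: bytes = None,
                total_sectors: int = 128) -> bytes:
    """Constructed disk image: one NTFS-typed partition starting at LBA 63, everything else zero."""
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 63, total_sectors - 63) + bytes(48)

    def mbr(code: bytes) -> bytes:
        return code.ljust(BOOT_CODE_LEN, b"\0") + table + SIGNATURE

    img = bytearray(total_sectors * SECTOR)
    img[0:SECTOR] = mbr(boot_code)
    if backup_code is not None:
        img[2 * SECTOR:3 * SECTOR] = mbr(backup_code)
    img[3 * SECTOR:3 * SECTOR + len(gap_payload)] = gap_payload
    return bytes(img)


# Constructed placeholders standing in for boot code; not real boot sectors.
CLEAN_CODE = b"\xeb\x3c\x90CLEAN-BOOT-CODE(constructed)"
OTHER_CODE = b"\xeb\x3c\x90OTHER-BOOT-CODE(constructed)"
# Constructed filler occupying 20 gap sectors, standing in for an encrypted body.
GAP_FILLER = bytes((i * 37 + 11) & 0xFF for i in range(20 * SECTOR))

CLEAN_IMAGE = build_image(CLEAN_CODE)
SUSPECT_IMAGE = build_image(OTHER_CODE, gap_payload=GAP_FILLER, backup_code=CLEAN_CODE)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("suspect", SUSPECT_IMAGE)):
        print(name, scan_boot_area(img) or ["no findings"])
```

To run this against a real disk, read the first 64 sectors into `image` from a forensic image or from the raw device of a machine booted from clean media. Reading the live disk from inside an infected system is not trustworthy, because the article notes that the Trojan hooks the disk driver precisely to hide the modified MBR. Legitimate boot managers such as GRUB also store code in the gap sectors, so indicator 2 alone is a lead, not a verdict; indicator 1 (a second full MBR with the same partition table) is the more specific sign.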

2. Behaviour of cloud module one (addata.dat)

This is the first module delivered from the Trojan's cloud. It has a fixed format and is encrypted with a simple circular (rotate) shift. The structure of the decrypted module is as follows:

Data structure of cloud module 1 after decryption

The first four bytes of the module are the marker "code", which is used only to check that the data is valid. After the check passes, the shellcode that follows is executed directly; its job is to load addata.dll in memory and finally execute it from its entry point.
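The fixed "code" marker is a known plaintext, which is what lets an analyst recover the rotation amount without knowing it in advance. The following Python is an added example for this article, not code from the original analysis: it models the format exactly as described (a rotate-encoded blob whose decoded form starts with "code" and continues with a loader followed by an in-memory DLL), recovers the rotation by testing every possible amount against the marker, and carves the embedded PE by locating an "MZ" header whose e_lfanew points at "PE\0\0". The per-byte rotation, the rotation amount of 3, the loader stub and the fake PE are all constructed assumptions used to build the sample; the real module's exact shift is not given in the article.

```python
import struct

MAGIC = b"code"


def rotl8(value: int, n: int) -> int:
    """Rotate one byte left by n bits."""
    n %= 8
    return ((value << n) | (value >> (8 - n))) & 0xFF


def rotr8(value: int, n: int) -> int:
    """Rotate one byte right by n bits."""
    n %= 8
    return ((value >> n) | (value << (8 - n))) & 0xFF


def encode_module(plain: bytes, shift: int) -> bytes:
    """Constructed encoder, used here only to build the sample blob."""
    return bytes(rotl8(b, shift) for b in plain)


def decode_module(blob: bytes, shift: int) -> bytes:
    """Undo a per-byte left rotation (the 'simple circular shift' of the article, assumed per byte)."""
    return bytes(rotr8(b, shift) for b in blob)


def recover_shift(blob: bytes):
    """Try every rotation amount; the one that yields the 'code' marker is the key."""
    for shift in range(8):
        if decode_module(blob[:len(MAGIC)], shift) == MAGIC:
            return shift
    return None


def find_embedded_pe(data: bytes) -> list:
    """Offsets of plausible PE images: an 'MZ' whose e_lfanew field points at 'PE\\0\\0'."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if 0x40 <= e_lfanew < 0x1000 and data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def parse_module(blob: bytes) -> dict:
    """Recover the key, validate the marker and split the body into loader and embedded PE."""
    shift = recover_shift(blob)
    if shift is None:
        raise ValueError("no byte rotation yields the 'code' marker; not this format")
    body = decode_module(blob, shift)[len(MAGIC):]
    pe_offsets = find_embedded_pe(body)
    split = pe_offsets[0] if pe_offsets else len(body)
    return {"shift": shift, "loader": body[:split], "pe": body[split:], "pe_offsets": pe_offsets}


# Constructed sample: a harmless stand-in for the loader and a minimal fake PE header
# (MZ, e_lfanew = 0x40, 'PE\0\0' at 0x40). None of this is real shellcode.
LOADER_STUB = b"\x90" * 8 + b"LOADER-STUB(constructed)"
FAKE_PE = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + b"FAKE-PE-BODY(constructed)"
SAMPLE_MODULE = encode_module(MAGIC + LOADER_STUB + FAKE_PE, 3)

if __name__ == "__main__":
    result = parse_module(SAMPLE_MODULE)
    print("shift:", result["shift"], "loader bytes:", len(result["loader"]),
          "PE at:", result["pe_offsets"])
```

The known-plaintext trick generalises: any module format with a fixed magic can have a simple byte-wise transform brute-forced the same way, and the e_lfanew check is what separates a genuine embedded PE from a stray "MZ" pair in the loader bytes.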

The main function of addata.dll is a downloader; its specific behaviour still depends on the cloud configuration. After starting, it first downloads the configuration file from the cloud. The configuration file URL (omitted here) is hard-coded in the file. The downloaded configuration is then parsed; it decides which functions in the code are executed and with which parameters. The available functions and the actual configuration file contents are shown in the following table:

Code details:

1. Hard-coded configuration file URL in addata.dll

2. Code that sets the browser home page

3. Downloaded files can be handled in different ways (LoadLibrary, CreateProcess, or loading into the kernel for execution). There is also an amusing detail here: a call DeleteFileA("I'm really messy"). The author really was in a mess; it is complicated!

4. Shellcode is passed into the kernel through NtSetInformationKey (the kernel side has registered a registry callback with CmRegisterCallback)

3. Behaviour of cloud module two (jmdm.db)

This is the second module delivered from the Trojan's cloud. It is downloaded by cloud module one and then passed into the kernel for execution. It is encrypted with a comparatively complex algorithm; the first 0x32 bytes of the file are the decryption key. The structure of the decrypted module is as follows:

Data structure of cloud module 2 after decryption

Because the Trojan supports both 32-bit and 64-bit operating systems, this module contains two versions, and the kernel module executes the shellcode that matches the operating system type. Since the two sets of code are functionally identical, only the x86 part is analysed below.

The module is first passed into the kernel through NtSetInformationKey, and the kernel module then executes it starting from the kernel shellcode. The kernel shellcode does the following:

1) Terminate specified antivirus processes, including kxetray.exe, kxescore.exe and qqpctray.exe. PC Manager's processes are protected by an object hook, so they are not killed.

2) Enumerate processes. If a process name matches one of the following, the user-mode shellcode at the end of the module is injected into that process via an APC. Once one process has been injected the enumeration exits; no other process is injected. The list is: 360tray.exe, 360safe.exe, 360sd.exe, 360rp.exe, zhudongfangyu.exe, qqpcrtp.exe, ksafesvc.exe, ksafetray.exe, baidusdtray.exe, baiduantray.exe, baiduansvc.exe, baiduhips.exe, baiduprotect.exe, wscntfy.exe, spoolsv.exe, alg.exe. These process names are hard-coded in the shellcode.

The user-mode shellcode, once injected into the chosen process and executed, dynamically loads the jmdm.dll file in memory and jumps to its entry point.

The main function of jmdm.dll is again a downloader. Its code is more than 60% similar to addata.dll, so the two were clearly modified from the same source code. Its specific behaviour still depends on the cloud configuration. After starting, it first downloads the configuration file from the cloud; the configuration file URL (omitted here) is hard-coded in the file. The downloaded configuration is parsed and decides which functions in the code are executed and with which parameters. The available functions and the actual configuration file contents are shown in the following table:

After the actions above, the Trojan waits for the downloaded inst.exe and update.exe to run and create a new host process, then calls ExitProcess to exit the original host process.

Code details:

1. Call ZwTerminateProcess to terminate the security software processes kxetray.exe, kxescore.exe and qqpctray.exe. PC Manager's processes are protected by object hooks and are not killed.

2. Enumerate processes and check whether each one is in the hard-coded process list; if so, queue an APC and break out of the loop, so the APC is inserted into only one process

3. The specific APC injection code

4. Close device handles such as the one named \\device\\qutmipc; the name strings are hard-coded in the file

5. The configuration file URL hard-coded in the file

6. Download the file at the specified URL to disk, then load or run it

4. Behaviour of the Trojan's profit-promotion component (inst.exe, update.exe)

The ultimate goal of the Trojan is simply profit. inst.exe and update.exe, the PE files that finally land on disk, are the modules that actually earn the author substantial money, and they are where the Trojan begins its real malicious behaviour.

After inst.exe runs, it drops a shortcut named "Beauty video chat" on the desktop. The shortcut points to a website (URL omitted here) with a promotion ID attached, so the author earns from website promotion. inst.exe also drops two DLLs, xnfbase.dll and thpro32.dll, into the %appdata% directory and loads them by registering services.

xnfbase.dll performs LSP hijacking: when the user browses certain websites (not listed here), it appends a promotion ID to the URL to earn revenue. thpro32.dll deletes the LSPs of designated providers from the system, preventing other Trojans or security software from changing the promotion ID through an LSP of their own.
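An LSP registered from a DLL under %appdata% is exactly the kind of entry an administrator can spot in the Winsock catalog. The following Python is an added example for this article, not code from the original analysis or from Tencent: it parses the "Key: value" blocks printed by `netsh winsock show catalog` and flags every provider whose DLL path is outside the system directory, reporting whether it is layered (Protocol Chain Length greater than 1). The catalog text below is constructed to match the shape of that command's output, with made-up provider GUIDs and a made-up AppData path; the assumed system root when the SystemRoot variable is absent is C:\Windows.

```python
import os
import re

# Constructed sample in the shape of `netsh winsock show catalog` output.
# GUIDs, catalog IDs and the AppData path are invented for this example.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {11111111-1111-1111-1111-111111111111}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Address Family:                     2
Max Address Length:                 16
Min Address Length:                 16
Socket Type:                        1
Protocol:                           6
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [UDP/IP]
Provider ID:                        {22222222-2222-2222-2222-222222222222}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1002
Version:                            2
Address Family:                     2
Max Address Length:                 16
Min Address Length:                 16
Socket Type:                        2
Protocol:                           17
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Constructed LSP over TCP/IP
Provider ID:                        {33333333-3333-3333-3333-333333333333}
Provider Path:                      C:\Users\victim\AppData\Roaming\xnfbase.dll
Catalog Entry ID:                   1023
Version:                            2
Address Family:                     2
Max Address Length:                 16
Min Address Length:                 16
Socket Type:                        1
Protocol:                           6
Protocol Chain Length:              2
"""

KV_LINE = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*\S)\s*$")


def parse_winsock_catalog(text: str) -> list:
    """Split the output into provider entries and turn each into a {key: value} dict."""
    entries = []
    for block in re.split(r"Winsock Catalog Provider Entry", text)[1:]:
        entry = {}
        for line in block.splitlines():
            m = KV_LINE.match(line)
            if m:
                entry[m.group(1).strip()] = m.group(2)
        if entry:
            entries.append(entry)
    return entries


def normalize_path(path: str, system_root: str) -> str:
    """Lower-case, expand %SystemRoot%/%windir% and unify separators for comparison."""
    p = path.strip().lower().replace("/", "\\")
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, system_root.lower())
    return p


def suspicious_providers(entries: list, system_root: str = None) -> list:
    """Providers whose DLL lives outside <SystemRoot>\\system32 (assumed C:\\Windows if unset)."""
    system_root = system_root or os.environ.get("SystemRoot", r"C:\Windows")
    system_dir = system_root.lower() + "\\system32\\"
    hits = []
    for e in entries:
        path = normalize_path(e.get("Provider Path", ""), system_root)
        layered = ("layered" in e.get("Entry Type", "").lower()
                   or int(e.get("Protocol Chain Length", "1")) > 1)
        if not path.startswith(system_dir):
            hits.append({"catalog_id": int(e.get("Catalog Entry ID", "0")),
                         "description": e.get("Description", ""),
                         "path": path, "layered": layered})
    return hits


if __name__ == "__main__":
    for hit in suspicious_providers(parse_winsock_catalog(SAMPLE_CATALOG)):
        print(hit)
```

On a real host, pipe the command's output into `parse_winsock_catalog`. Third-party security products legitimately install LSPs too, so compare each hit against the software known to be installed; a layered provider loaded from a user-profile directory, as in the sample, is the pattern this article describes.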

After update.exe runs, it creates two svchost.exe puppet processes and injects a decrypted functional module into each. One is responsible for installing and promoting apps on Android phones; the other uploads shared files carrying keywords such as "private server" to QQ groups, to profit from promoting private-server games.

The Trojan profits through various kinds of promotion

Code details:

1. When the user visits certain websites (not listed here) in the browser, a promotion ID is added for promotion profit

2. Create a "Beauty video chat" shortcut on the desktop to promote the website

3. Continuously check for other LSP modules, delete any that are found, and protect the author's promotion ID from being modified

4. Upload private-server games to QQ groups with designated names to promote private-server games

[Article by Tencent PC Manager (enterprise account); when reprinting, please credit FreeBuf Hackers and Geeks (freebuf.com)]