It’s rare when the Cylance Threat Guidance team comes across a freshly compiled piece of malicious code that we struggle to place into a known malware family. We recently found such a sample after CylancePROTECT® quarantined a threat in the System32 directory on a customer endpoint. The location of the file, the recent compile date, and the lack of similar files on known malware repositories combined to flag this sample as something we should take a deeper look at. Let’s get to it.
Our sample is a 32-bit DLL compiled from C++ that exports only a single anonymous function. The code is conveniently unobfuscated and without any anti-VM or anti-debug tricks. The data, as we’ll see later, is another story. When run via its exported function, the sample performs a straight call back to the IP address 22.214.171.124. No DNS lookups needed here.
At the time of our testing, the Korean address was only returning TCP reset packets, so we decided to connect our malware to a fake server. Doing this allowed us to view a HTTP POST over port 443 (Figure 1). Note the Host portion of the header is bogus and does not correspond to the command and control (C2) address. We’ll see later the entire HTTP header is hardcoded as a single string and only the POST data changes. After the POST and lacking an interesting response, the malware exits with no notable changes to the OS.
Figure 1: HTTP POST Over Port 443
Ok, so nothing too strange so far. Let’s check out the code.
On to the Code
The first thing our exported function does is call an initialization function that sets up two scrambled buffers that will be used later by the main encode/decode function. This initialization code (Read more...)
This is a Security Bloggers Network syndicated blog post authored by Cylance Threat Guidance Team. Read the original post at: Cylance Blog