Lucene search

Ryan MurphyCARBONBLACK:B16171F3AA4A3A162027FA8750C9D202

HistoryJan 26, 2018 - 5:46 p.m.

Threat Analysis: Pylot (Travle) Malware Family

2018-01-2617:46:11

Ryan Murphy

www.carbonblack.com

314

0.96 High

EPSS

Percentile

99.5%

JSON

The Pylot (or Travle) malware family appears to be an evolution of the NetTravler malware family (which has been linked to attackers out of China by numerous sources). Over the last year a variant has been observed as a secondary payload often used in conjunction with malicious carrier files (typically MS Office or Rich Text Format (RTF) documents).

The Pylot malware has been observed being installed via shellcode from known CVEs in Office products as well as by malware loaders (or first stage malware variants, specifically the CMStar malware family). In late 2017 samples of the Pylot family were submitted, by customers, to the Carbon Black Threat Analysis Unit (TAU) as part of ongoing investigation. Analysis details were provided to the submitting organizations and detection capabilities were provided in the Carbon Black User Exchange.

After external request, Carbon Black is making the analysis (and associated signatures and scripts) available in this blog to assist any researchers or practitioners that may be investigating this malware family.

Technical Analysis

The following table list the metadata for the files that were a were analyzed for the first scenario.

RTF Carrier File

SHA256

79dc836e7557d8fa39a7a56ff69d98a78ff6494ce49720baee0864bee00f17b3

Revision time

11/20/15 1:45

Author

HCL

Number of pages

Creation time

11/20/15 1:45

Number of words

Version

Operator

HCL

Pylot Sample 1

File Name : Pylot_sample.dll

File Size : 208,154 bytes

MD5 : f456d82e4815ce381d6d1bf23322aca6

SHA1 : 2535558d28b5431e41fd8e1eb88dbc099d74a7c5

SHA256 : 8c310b5db866c695627d8903c59082a6f7f6eaf49970bcfc3b786b57dbe543b6

Fuzzy : 3072:zPNKts9RnF3Xo+T/pJbiFLxfZubTHPKorZShP/UB+zvkpdISZQM4ED:x9RlXo+LPmLQbTHPpZSlUBy+IM4ED

Compiled Time : Wed Jan 27 13:18:46 2016 UTC

PE Sections (5) : Name Size MD5

.text 147,968 5b3872364e2efbb4e83966ea9c2f48b9

.rdata 35,840 c17dec1fc11e3134c03a993f3509699a

.data 4,608 100820dd666d8eeca7c7ff43ab9552b8

.rsrc 5,120 8c96d665232c7e447ac6131b479a0af6

.reloc 20,992 439f3ea4d036d3aab2d23e675dcd8e13

+ 0x34a00 0 d41d8cd98f00b204e9800998ecf8427e None

Original DLL : pilot.dll

DLL Exports (1) : Ordinal Name

1 MSOHost

Magic : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

Table 1: File Metadata

Carrier File Scenario 1

The RTF document that is listed in the table above attempts to exploit an older CVE (cve-2014-1761), to ultimately execute shell code. The image below is a screen shot of the RTF document. The area highlighted in red, is the list override exploit, that is referenced in the above CVE link. The data highlighted in yellow is the shellcode and encoded payload. Even though the shellcode is obfuscated, there are still some stings present, that are used by the shellcode to create and entrench the file on an infected system (which are highlighted in green).

Figure 1: RTF visualization

Shellcode

The shellcode, as it is written in the RTF file, is obfuscated to lessen the likelihood of detection and make analysis more difficult. The shellcode will perform a couple of basic commands to clear registers that will be utilized, and a portion of its data (0x325 bytes) is XORed with the value 0x9E (highlighted in red in the image below). Once this is complete it will continue with the execution flow.

Figure 2: Decoding Routine

The shellcode is a straightforward loader which will ultimately decode the payload, and write the file to disk. The shellcode will also entrench the malicious payload in a typical location used by malware for entrenchment (Software\Microsoft\Windows\CurrentVersion\Run), before using rundll32.exe to initially execute the binary.

The shellcode uses a name hashing function (a common technique in shell code), where the code will first locate the process environment block (PEB) from the thread information block (TIB), which is highlighted in red below. This is used to locate the list of loaded modules (doubly-linked). The shellcode will then take each entry and normalize the string name, by making all of the characters in the module name uppercase (highlighted in green). The characters of the module name are then rotated right by 13 and added together, and then compared to a hard coded value for Kernel32.dll (highlighted in blue). Once the target module is located in memory it can be called with the appropriate arguments.

Figure 3: Name hashing function

The snippet of python code below can be used with a list of common module names to determine the string values of the hardcode values used with this variant.

def ror(val, r_bits, max_bits):

out = ((val & (2max_bits-1)) >> r_bits % max_bits) | (val << (max_bits-(r_bits % max_bits)) & (2max_bits-1))

return out

def hash_string(proc_name):

name_hash = 0

for x in proc_name:

x = ord(x)

if x >= 97: #0x61

x = x - 32 #normalize to uppercase

back = ror(name_hash, 13, 32) #ROR 0x0D

name_hash = back + x & 0xFFFFFFFF # add that value to original char

return name_hash

Table 2:Python implementation of name hashing algorithm

In this sample the malicious payload will be written to disk as comctl32.dll, and the shellcode will utilize rundll32.exe to execute the payload calling the MSOHost export. The malware will then run and communicate with a hard coded C2 that is contained inside the configuration block that is characteristic for the Pylot family. A python script was written to parse a pylot variant executable and extract the relevant configuration information. The script is attached to this post. An example of the output can be seen in the table below. The previous analysis by Kaspersky Labs, detailed the overall functionality of pylot family.

[!] Resource Located

Name: RAW_DATA

[+]Decoding Configuration…

Primary C2 : young.aviodyoung.com

Secondary C2 : Not Used

URL Path 1 : /vgs/wksur.py

URL Path 2 : Not Used

C2 Port 1 : Not Used

C2 Port 2 : 80

Campaign ID : xcvwerx

Sample ID : qTyx0736R

Primary RC4 key : MTzXBLRfWOpcjsKZGUbS

Secondary RC4 key : MTzXBLRfWOpcjsKZGUbS

Beacon Timer : 60000 milliseconds

Table 3: Pylot configuration output

Carrier File Scenario 2

The following table list the metadata for the initial carrier file that was analyzed for the second scenario.

RTF Carrier File

SHA256

6d1f5bc52de8458ba1b5ddf1e6957b3ab5e7e8a796356b46588d1c7be458a786

Revision time

2016-11-08 08:47:00

Author

Shaimenova

Company

parliament

Number of pages

Creation time

2016-11-08 08:47:00

Number of words

1586

Version

Operator

AutoBVT

CMStar Sample 1 Loader

File Name : CMStar_sample.exe

File Size : 77,824 bytes

MD5 : 7ce99c26ee05efb81c3a123152ccce5e

SHA1 : 3be63458fe1298b0ebf36e019a895519fd96fb22

SHA256 : 928efa7e1007633330630bbd7e37ee4843060215c2c825169f12c048099c3f6d

Fuzzy : 1536:nPLpKSgx0fEYLwOAXhENg7Ofp15yUxBix1Y:PLE0fEYL/KVaryNY

Compiled Time : Thu Oct 20 07:00:38 2016 UTC

PE Sections (4) : Name Size MD5

.text 12,288 b0001edc7a3ebc2cb52944a7aa61293d

.rdata 4,096 a1ffda038f8171993651bed5f7547b96

.data 4,096 3eae055efca4b7f380118d3320dcde5f

.rsrc 53,248 880b916c741d16b6f46f58c1107cca7d

Magic : PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Table 4: RTF and CMStar metadata

The carrier file for this scenario is also a RTF document and will attempt to exploit cve-2015-1641. If successfully exploited the shellcode will decode a malicious payload (which is encoded using the same method as in the first scenario. This executable is then written to disk, and is a CMStar variant loader (listed in the table above). This loader will extract a resource that is named 12358, and decode the file (XOR 0x30), before writing it to disk. The loader will then execute rundll32.exe, calling the MSOProtect export of the CMStar variant. The metadata for the CMStar payload is listed in the table below.

CMStar Sample 1 Payload

File Name : Resource_decoded.dll

File Size : 50,688 bytes

MD5 : cc018500132a811e1f7d4d54763f6ab1

SHA1 : dd048ab61a8591ce4d14e9bc5a7b34e6996501f0

SHA256 : fab38d1c785cf81cbef1a424e812ef7a26598f86cd19a389efe327db0e747201

Fuzzy : 768:5WPPGyX/nibX/44zMLiuTXVR4Gcfd25hH1fzQMo6llRc:nyXPiL9uTXVR2d25XFl

Compiled Time : Wed Oct 12 12:45:10 2016 UTC

PE Sections (4) : Name Size MD5

.text 29,184 5a823113d6e3589d38f093615598217b

.rdata 4,096 028c81fb15600d1cdf89637bc899eaa3

.data 12,288 8c92626431fbf58dd4357f8e18124c72

.reloc 4,096 a22b36f23cde94d421b40566d6cf36e1

Original DLL : UpdateService.tmp

DLL Exports (1) : Ordinal Name

1 MSOProtect

Magic : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

Table 5: CMStar payload metadata

The CMStar malware will decode some basic configuration information, necessary to communicate with the C2. The decoding function will copy hard coded strings into memory, and then for each character of the encoded string, subtract a hard code value and the counter value (which is increased for each character).

The snippet of python code below can be to decode the CMStar related configuration strings. In the example below the “encoded_string” variable a is a list containing the values of one of encoded strings (r€}H>?BBKBKGEIQSIMTT), which when decoded is the primary C2.

encoded_string = [0x72,0x7F,0x80,0x7D,0x48,0x3E,0x3F,0x42,0x42,0x4B,0x42,0x4B,0x47,0x45,0x49,0x51,0x53,0x49,0x4D,0x54,0x54]

#http://108.61.189[.]176

i = 0

out = "

for x in a:

out = out + chr(x - i - 10)

i = i + 1

print out

Table 6: CMStar Configuration script

Once the strings are decoded the CMStar malware will beacon to http://108.61.189[.]176 and request the file a554L8iVaSIDKYO.dat (hardcoded name). This file is an obfuscated Pylot variant. The image below is an overview of the a554L8iVaSIDKYO.dat file contents, as it would appear when downloaded.

The dword highlighted in red is a header marker. The next three dword values are all stored as little endian and are used in decoding the payload data which is highlighted in purple.

Figure 4: Encoded Pylot overview

The obfuscated file is bloated compared to the actual size of the embedded payload. The encoding technique uses a dword of bytes to store 1 byte of actual data. To decode the data, a dword value is read into memory (the first dword 0x33 is 51 decimal) from the data section (highlighted in purple). The second dword value (highlighted in green) is used as the starting seed value (0x01 is 1 decimal). The third dword (highlighted in blue) is used as the number of rounds to perform the modification loop (0x03EB is 1003 decimal). The fourth dword (highlighted in yellow) is used as a modulo value in the modification loop (0x5BD is 1469 decimal). To decode the first byte of data the following python snippet replicates the decoding function.

start = 51 #dword value from data area

output = 1 #dword seed value

For x in range(1003): #dword round value

Output = (output * start) % 1469 #dword modulo value

print chr(output)

#This results in “M” or the first character in an MZ header

Table 7: Python implementation of decoding function

The table below list the metadata for the fully decoded Pylot payload. The CMStar malware will then execute rundll32.exe calling the MSOProtect export to run the Pylot sample.

Pylot Sample 2

File Name : Pylot_sample_2.dll

File Size : 180,736 bytes

MD5 : d5c679df69751936d0fa380f2e4bf017

SHA1 : 2488d05f619124ef56a802407745579a02d0d36e

SHA256 : c20742df2580795ef8578b38730066c4c50c833f4a83dd4f6dcf9fc327c1904a

Fuzzy : 3072:F0KN9+4oQQh/gspsXTrzh+lYHUUd5U5+:f9+4oRHEJk95+

Compiled Time : Mon Nov 07 03:10:36 2016 UTC

PE Sections (5) : Name Size MD5

.text 124,416 ed3027599e9cffb50c4dcbdc01582fc1

.rdata 33,792 a1d51a7f4cddb3189168f0b3b09047fd

.data 4,608 36ed52fc43b3ae5cb504a8976c8e5d02

.rsrc 5,120 ab29ae998157877652d20952075c1bd2

.reloc 11,776 05e1f820b39bbe58d609e0b2a3f78905

Original DLL : pilot.dll

DLL Exports (1) : Ordinal Name

1 MSOProtect

Magic : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

Table 7: Pylot metadata

The configuration information for the above Pylot sample is listed in the table below.

Pylot Sample 2 Configuration Data

[!] Resource Located

Name: RAW_DATA

[+]Decoding Configuration…

Primary C2 : pgbkrrq3434.com

Secondary C2 : Not Used

URL Path 1 : /iow/qlmbn.py

URL Path 2 : Not Used

C2 Port 1 : Not Used

C2 Port 2 : 80

Campaign ID : uuqigas

Sample ID : fGAka0109

Primary RC4 key : BBidRotnqQpHfpRTi8cR

Secondary RC4 key : BBidRotnqQpHfpRTi8cR

Beacon Timer : 60000 milliseconds

Table 8: Pylot sample 2 configuration

IOCs

Yara Signature

Yara Signature

rule pylot_payload_2017_Q4 : TAU pylot

{

meta:

author = “CarbonBlack TAU” //JMyers

date = “2017-Nov-7”

description = “Designed to catch pylot payload”

rule_version = 1

yara_version = “3.6.0”

TLP = “Green”

exemplar_hashes = “c20742df2580795ef8578b38730066c4c50c833f4a83dd4f6dcf9fc327c1904a, 8c310b5db866c695627d8903c59082a6f7f6eaf49970bcfc3b786b57dbe543b6”

strings:

$s1 = “FindResource”

$s2 = “LoadResource”

$s3 = “RAW_DATA” wide

$s4 = “KB178495.DAT” wide

$s5 = “KB887209” wide

$s6 = “KB287640” wide

$s7 = “.decompress” wide

condition:

all of them

}