Reversing and decrypting communications of apt malware

1. Monnappa KA – Info Security Investigator

2. The Content, Demonstration, Source Code and Programs
presented here is "AS IS" without any warranty or conditions
of any kind. Also the views/ideas/knowledge expressed here are
solely of the mine and nothing to do with the company or the
organization in which I am currently working.
However in no circumstances neither I or Cysinfo is
responsible for any damage or loss caused due to use or misuse
of the information presented here

3. Monnappa K A
 Member of Cysinfo
 Info Security Investigator @ Cisco
 Focus on Threat Intelligence
 Reverse Engineering, Malware Analysis, Memory Forensics
 Email: monnappa22@gmail.com
 Twitter: @monnappa22
 Linkedin: http://in.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8

4.  APT Malware - Etumbot
 Etumbot Cyber Espionage Campaign
 Demo 1 – Sandbox Analysis of Etumbot dropper
 Demo 2 – Reverse Engineering the Communications of Etumbot Backdoor
 Demo 3 – Decrypting the Communications of Etumbot Backdoor
 References

5.  Used in APT/Cyber espionage/targeted attacks
 Associated with Chinese cyber espionage group (Numbered Panda, APT12, Calc team)
 Sent to targets via spear phishing email
 Targeted government organizations in Taiwan and Japan
 Drops decoy documents of interest to Taiwanese and Japanese population
 Also referred to as Exploz, Specfix and RIPTIDE
 Ref link1: http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/
 Ref link2: http://www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-
favorite-apt-group-2.html

8. Etumbot dropper (5340.exe) drops another file winlogdate.exe (which is Etumbot backdoor). The malware also adds a
registry entry so that Etumbot backdoor can persist on the system

9. Etumbot Backdoor (winlogdate.exe) connects to the C2 server with two communication patterns

10. In the first communication pattern the malware receives response from the C2 server. The response looks like an
encoded string

11. In the second communication pattern the malware sends a request, which looks like a request to download an image
file (.jpg), but the string before .jpg looks like an encrypted string. In order understand these communication patterns,
lets reverse engineer the Etumbot backdoor

13. Etumbot Backdoor calls the below function. This function implements the First Communication pattern, this function
calls multiple functions as shown in the call graph below

14. The malware uses below API call to open an http session with the C2 Server (wwap.publiclol.com)

15. Etumbot Backdoor uses below API call to create an http handle and the below screenshot shows the object the
malware is going to request in the http request.

16. Etumbot Backdoor uses below API call to send the request and the C2 server sends an encoded response to the
backdoor.

17. Etumbot backdoor receives the encoded response from the C2 using the below API

18. Etumbot backdoor passes the received content to the custom base64 algorithm which decodes the received content
and extracts the RC4 key starting at offset 8. This RC4 key is used to encrypt subsequent communications. It can be
deduced that the first communication pattern is used by the malware to receive the RC4 key from the attackers.

19. Etumbot Backdoor calls the below function. This function implements the Second Communication pattern, this
function calls multiple functions as shown in the call graph below

20. Etumbot Backdoor collects the system information (hostname, username, ip and proxy details) and passes it to the
RC4 function (with the RC4 key retrieved from the first communication).

21. The collected system information is encrypted with RC4 key which was retrieved from the first communication. Below
screenshot shows the RC4 encrypted system information

22. The RC4 encrypted system information is then passed to the custom base64 encoding function as shown below

23. The RC4 encrypted system information is then encoded with custom base64 encoding algorithm as shown below.

24. The base64 encoded string is then concatenated with /image/ and .jpg to form a final string as shown below

25. The malware connects to the C2 server (wwap.publiclol.com) using the concatenated string as the http request
pattern.

26. Malware sends the http request as shown below. As you can see from packet capture the encrypted system information is
sent to the attackers this way. Now we know how malware decodes the RC4 key from first communication and how that
RC4 key is used to encrypt subsequent communications. We can write decryptors to extract the RC4 key and to decrypt the
communications.

28. Below screenshot shows the python script (get_key.py) which takes encoded response from C2 server as input, then
decodes it and extracts the RC4 key

29. Below screenshot shows the encoded response from C2 server. This encoded response is given to the script which
decoded and extracted the RC4 key

30. Below screenshot shows the script to decrypt subsequent communications using the RC4 key obtained from first
communication

31. Below screenshot shows the encrypted string. The script takes the encrypted string and decrypts it. The decrypted
output is the information (hostname, username, ip, proxy details) collected from the system, where the malware was
run (in this case sandbox machine)

32. a) ARBOR Networks Report on Etumbot
http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/
b) FireEye’s Blog post
http://www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-
2.html