## Bvp47 #### Technical Details Report II ----- # Table of Contents **1. Executive Summary** **2. Attack Scene Restoration of suctionchar_agent** Attack Scene Scene Restoration **3. Technical Details of suctionchar_agent** File Information Sample Correlation Technical Analysis **4. Technical Details of dewdrop version 3.x** Initialization of BPF Covert Communication Process Data Processing of BPF Covert Communication Sample Correlation **5. Technical Details of Bvp47_loader** Character Encryption Function Payload-Related Encryption Methods Payload Decryption Process Initialization and Kernel Module Loading of Bvp Engine A Bypass Method for Self-Deletion Hash-Based API Function Call A Part of Shellcode **6. Conclusion** **7. Reference** 1 2 2 3 7 7 8 9 18 18 21 24 26 27 31 36 43 52 52 56 58 59 ----- ### 1. Executive Summary In report " Bvp47 – A Top-tier Backdoor of US NSA Equation Group " (Reference 1), Bvp47 is like a huge shell or compressed package, containing a total of 18 fragments. Pangu Labs gives attribution analysis and description of some technical details, such as BPF covert tunneling. However, there are still some other modules worth in-depth analysis. Those modules can either perform functions together as part of Bvp47 or be used independently. In a forensic to Solaris system of one critical infrastructure in 2015, Pangu Lab extracted another sample, which survived independently on the Solaris platform and seemed to be closely related to Bvp47. After analyzing the leaked information, we confirmed that the content of the sample file was same to Suctionchar_Agent which was leaked from The Shadow Brokers. When executed with dewdrops, incision and other modules, it can easily steal password of target system, when user is executing commands like ssh, passwd, sudo. The file stored stolen passwords in target system also requires private key of RSA algorithm for decryption. The process of tracking Bvp47 is more like exploring a puzzle under fog. This report will further illustrate parts of working method and execution logic of Bvp47, a top-tier backdoor platform, through analysis of Suctionchar_Agent, Dewdrop, and Bvp47_loader. ----- ### 2. Attack Scene Restoration of suctionchar_agent ##### Attack Scene After repeated attempts and tracking of the execution process, Pangu Lab roughly restored attack scene of suctionchar_agent combining with other components, as shown in following figure: 1. The sum module running in the kernel layer will assist suctionchar_agent to steal account passwords from processes such as PASSWD, TELNET, and SU; 2. The stolen credentials will be synchronized to suctionchar_agent running on Ring3; 3. suctionchar_agent will save the stolen credentials to hidden directory of "/var/tmp/.xxxxxxxx"; 4. Attacker remotely sends trigger packet, that runs ish callback, to the BPF filter at the kernel layer; 5. The BPF filter captures the featured packet and transmits it to dewdrop in Ring3; 6. Dewdrop decrypts the data packet to obtain the ish callback command, and forwards it to incision program; ----- 7. The incision program actively executes callback command to contact C&C server, and the attacker uses ish to obtain the password file; 8. The attacker decrypts the password file with RSA private key and then obtains stolen passwords ##### Scene Restoration 1. Run the tipoff command-line program. The list of command options is as follow: ----- 2. The summary of key options is as follow: **Option Category** Trigger Protocol TCP Flags Firewall Bypass Application Protocol Backdoor Feature 1 Backdoor Feature 2 Configurations of Multiple Protocols 3. Support obtaining remote shell in UDP protocol |Option Category Trigger Protocol TCP Flags Firewall Bypass Application Protocol Backdoor Feature 1 Backdoor Feature 2 Configurations of Multiple Protocols|Feature Support TCP、UDP、ICMP syn、fin、ack、rst、push、urg PIX or others;Bypass firewall and ACL by default Protocols like SMTP、SIP、DNS Execute file remotely View in remote shell Configure flags of SMTP、DNS、TCP| |---|---| ----- 4. The UDP packet is as follow: 5. Hidden processes and files can be listed in the obtained shell ----- 6. The encrypted files in the "/var/tmp/" directory are as follows 7. Use suctionchar_decode to decrypt the encrypted files in the "/var/tmp/" directory: ----- ### 3. Technical Details of suctionchar_agent ##### File Information In on-site environment, we extracted one program in Solaris Sparc architecture. After comparing it with the leaked Shadow Brokers data, we confirmed the connection. The file related information is as follows: ###### Sample Information Summary: Filename unknown MD5 a633c1ce5a4730dafa8623a62927791f File Size (bytes) 47,144 The Shadow Brokers Package Name suctionchar_agents.tar.bz2 Original File Name suctionchar_agent__v__3.3.7.9_sparc-sun-solaris2.9 Steal passwords from SSH, TELNET, FTP, PASSWD, Feature SU、RSH、LOGIN、CSH CPU Architecture SPARC Hidden Path 2 /var/tmp/.xxxxxxxxxxxx The CPU adaptation architecture of the sample obtained at the on-site environment is SPARC. Through correlation and attribution analysis, we found that the sample is one of the files leaked by The Shadow Brokers, namely suctionchar_agent__v__3.3.7.9_sparc-sun-solaris2.9. However, good decompiler targeting SPARC architecture is not available currently. Since there are homologous binary programs suitable for multiple platforms in the leaked file package, we refer one sample with the same function of the x86 architecture for analysis. The specific file information of the x86 architecture is as follows: |Sample Information Summary:|Col2| |---|---| |Filename|unknown| |MD5|a633c1ce5a4730dafa8623a62927791f| |File Size (bytes)|47,144| |The Shadow Brokers Package Name|suctionchar_agents.tar.bz2| |Original File Name|suctionchar_agent__v__3.3.7.9_sparc-sun-solaris2.9| |Feature|Steal passwords from SSH, TELNET, FTP, PASSWD, SU、RSH、LOGIN、CSH| |CPU Architecture|SPARC| |Hidden Path 2|/var/tmp/.xxxxxxxxxxxx| ----- ###### Sample Information Summary: Filename suctionchar_agent__v__2.0.28.2_x86-linux-centos-5.1 MD5 4a5b7a9c5d41dbe61c669ed4cf2975e5 File Size (bytes) 31,649 The Shadow Brokers Package Name suctionchar_agents.tar.bz2 Original File Name suctionchar_agent__v__2.0.28.2_x86-linux-centos-5.1 Steal passwords from SSH, TELNET, FTP, PASSWD, Feature SU、RSH、LOGIN、CSH CPU Architecture X86 Bvp47 Corresponding Slice 0x0E Hidden Path 2 /var/tmp/.xxxxxxxxxxxx ##### Sample Correlation According to the obtained sample "suctionchar", the corresponding original file was found in the file leaked by The Shadow Brokers as "linux/bin/suctionchar_agents.tar.bz2/suctionchar_agent__v__3.3.7.9 _sparc-sun-solaris2.9". The compressed package also includes multiple versions of suctionchar files for serveral platforms, dating back to 2007: |Sample Information Summary:|Col2| |---|---| |Filename|suctionchar_agent__v__2.0.28.2_x86-linux-centos-5.1| |MD5|4a5b7a9c5d41dbe61c669ed4cf2975e5| |File Size (bytes)|31,649| |The Shadow Brokers Package Name|suctionchar_agents.tar.bz2| |Original File Name|suctionchar_agent__v__2.0.28.2_x86-linux-centos-5.1| |Feature|Steal passwords from SSH, TELNET, FTP, PASSWD, SU、RSH、LOGIN、CSH| |CPU Architecture|X86| |Bvp47 Corresponding Slice|0x0E| |Hidden Path 2|/var/tmp/.xxxxxxxxxxxx| ----- ##### Technical Analysis ###### String Decryption As shown in the figure below, string encryption is also the 0x47 function encryption described in Bvp47: ----- The list of decrypted strings is as follow: The relevant decryption script is as follow: ----- ###### Function Module Design The file "Linux\etc\opscript.txt" has a description of suctionchar’s function. It steals account and password in programs such as SSH, TELNET, FTP, PASSWD, SU, RSH, LOGIN, and CSH. The suctionchar_agent program is just an application layer agent, which communicates with the associated kernel module to obtain the required information and encrypts it and writes it to a file. The kernel module sum file (not included in The Shadow Brokers Leaks) can be loaded by the modload program. After the kernel module is successfully loaded, the dropped files will be deleted to prevent the content from being restored: ----- The suctionchar_agent file has a default configuration, and also support external configuration file. The file formats mainly are XML format of version 3.x and above and the earlier conf format. XML format of versions above 3.x ("Linux\bin\suctionchar_configure.xml"): ----- “Linux\doc\old\etc\suctionchar.sample.filter.conf” : suctionchar_configure will generate the "dc9cb44a723d0e75201d933159834173" file, which is used by the agent: ----- ###### Thread of Collecting Password In the suctionchar_agent, there is a separate thread that communicates with the kernel module sum to obtain the account password and write it to the /var/tmp/ folder, that is, inside the sub_8049EF0 function: ----- Callback function sub_8049A00: ###### File Path Generation Algorithm for Saving Password The generation algorithm of the hidden file "/var/tmp/.e33ff11cb8e3b4ff/a0b973925e397d9acd80e85e2ea a6e60/d5373a146ff9f200a2376054dde25677" is described in the function get_hidden_path_0804BDF0: ----- The restored code is roughly as follows: ----- ###### Private Key of suctionchar_decode As described in the scene, the file "/var/tmp/.e33ff11cb8e3b4ff/a0b973925e397d9acd80e85e2eaa6e60/d 5373a146ff9f200a2376054dde25677" can be decrypted by the "linux\bin\suctionchar_decode" program, and the encryption algorithm needs to use the RSA private key to decrypt the RC6 symmetric key. file. Like the private key in Dewdrops, this RSA private key can also support the association between the backdoor and The Shadow Brokers leaked data package. ----- ### 4. Technical Details of dewdrop version 3.x The Dewdrop module undertakes the most important hidden backdoor function, that is, the BPF filtering function. This chapter mainly discusses the implementation process corresponding to the BPF engine communication. ##### Initialization of BPF Covert Communication Process 1. The initialization of BPF covert backdoor starts from function _554a7941; 2. sec_bpf_init returns the structure of bpf_program ----- 3. The specific values of the stru_8008300 structure are as follows 4. The structures of bpf_program and bpf_insn are as follows ----- 5. The code disassembled by bpf is as follows ----- 6. The pseudo code of actual runtime BPF is as follow. The payload data that matches this rule will be captured and sent to next process; ##### Data Processing of BPF Covert Communication After matching the capture rules of BPF, the packet will be sent to next process. 1. In the function sec_f_9b510b03, dewdrop uses the select model to process the corresponding data packets; ----- 2. sec_f_6a42f4c9_allinone executes the pseudo code as follows ----- 3. The decryption of the payload packet starts in sec_decode_packet, which involves a deformed RSA decryption algorithm. ----- ##### Data Format and Encryption Algorithm of BPF Covert Communication 1. The payload packet format of the dewrops v3 is as follow: 2. The payload packet process for dewdrop in tipoff is as follow ----- 3. RSA data encryption in the payload packet ----- ### 5. Technical Details of Bvp47_loader The entry function diagram of the loader module is as follows, which involves following operations: 1. Check if the runtime environment is normal; 2. Read the payload at the end of the file; 3. Map and verify the payload; 4. Decrypt the payload, if necessary; 5. Decompress the payload, if necessary; 6. Load the kernel module; 7. Call notification to hide the ELF file header of the kernel module; 8. Fork executes the dewrops module backdoor; 9. Fork executes the backdoor of the suctionschar_agent module; ----- ##### Character Encryption Function In the sample analysis, the first thing need to deal with is a series of string encryption functions, a total of 8. 1. XOR 0x47 function type 1: 2. XOR 0x47 function type 2: ----- 3. Variable order encryption function: 4. XOR 0x47 function type 3: ----- 5. XOR 0x47 type 4: 6. XOR 0x47 ----- 7. Encryption function 8. XOR 0x47 function type 5 ----- ##### Payload-Related Encryption Methods There are five main decryption methods for the payload to be loaded. **Method 1** ----- **Method 2** ----- **Method 3** ----- **Method 4** ----- **Method 5** ----- ##### Payload Decryption Process As shown in the main process of the main function, the payload parsing process is a relatively complex loop body process, and it is accompanied by many encryption confrontations. Map and Load: ----- Parsing Process: ----- The decompression process involved: linux_gzip function: ----- linux_gzip_inflate_fixed function: linux_gzip_inflate_dynamic function: ----- linux_gzip_inflate_codes function: linux_gzip_fill_buf function: ----- linux_gzip_huft_build function: The abstracted pseudo code in C language code is as follows (not fully covered): The known payload file formats are as follows: ----- In the running process, the sample will directly try to load the so-type file during the above Decode callback process: After trying to load, it will try to patch the plt of the ELF file format: ----- ##### Initialization and Kernel Module Loading of Bvp Engine The decryption and loading of the kernel module will also be executed in the main process, which will go through following steps: 1. Decrypt the payload package; 2. Initialize the Bvp engine and adapt to the corresponding kernel version structure; 3. Start trying to load the ko module, which is mainly used for hiding processes, files, networks, etc.; Details are as follows: 1. Try to decrypt the ko payload; ----- 2. Bvp overall processing function; The corresponding pseudo code: ----- 3. Initialization function serial_bvp of Bvp engine ----- The corresponding pseudo code: ----- 4. serial_bvp process ----- 5. Load the first module qmr ----- 6. Verify the distribution: 7. This release corresponds to the version in TSB: ----- 8. Check 2: ----- 9. Parameter verification 1 when the kernel module is loaded: 10. Parameter verification 2 when kernel module 2 is loaded: ----- 11. Finally start loading the kernel modules: ##### A Bypass Method for Self-Deletion There are two calls to the unlink function in the main function. During the actual debugging process, the process can be violently modified to bypass the self-deletion of unlink: ##### Hash-Based API Function Call During the running process of Bvp47, a API function lookup table based on Hash value will be made. ----- 1. The Hash table looks like following; ----- 2. Attempt to initialize in the sub_804C2E0 function 3. Further initialization in serial_bind_0x7bbf2c88_ function ----- Pseudo C code: ----- ##### A Part of Shellcode There are some incomplete encrypted ELF files in the loader module. After decryption, there are several codes in the form of shellcode. 1. The corresponding ELF header format is defined as follows 2. Several pieces of shellcode in the middle will jump to each other ----- 3. A total of 6 pieces of shellcode ----- ### 6. Conclusion Although the function implementation of the Suctionchar_Agent module is relatively simple, combining Bvp47_loader and Dewdrop, we can conclude that Bvp47 has a good architectural capability in design, and attackers can flexibly combine other functional modules to achieve attack targets and reduce exposed surface of malicious code as much as possible. Although the NSA-sourced attack activities are highly secretive, through the analysis of forensic materials within the scope of our own data and the in-depth mining of open source data, we still hope to complete our puzzle and get a glimpse of the operation methods of the top international hacker teams. ----- ### 7. Reference ###### 1. Bvp47 – A Top-tier Backdoor of US NSA Equation Group https://www.pangulab.cn/post/the_bvp47_a_top-tier_backdoor_of_us_nsa_equation_group/ 2. The Shadow Brokers: x0rz-EQGRP https://github.com/x0rz/EQGRP/blob/master/Linux/up/suctionchar_agents.tar.bz2 3. jtcriswell/bpfa https://github.com/jtcriswell/bpfa 4. bpf-asm-explained https://github.com/Igalia/pflua/blob/master/doc/technical/bpf-asm-explained.md 5. cloudflare/bpftools https://github.com/cloudflare/bpftools -----