## Catching the silent whisper: Understanding the Derusbi family tree
##### Micky Pun, Eric Leung, Neo Tan
###### Virus Bulletin 2015

-----

####  What is Derusbi
####  Background
####  Variants of Derusbi
####  Technical Analysis

-----

# What is Derusbi

-----

####  DLL
####  Remote Access Trojan
####  Relies on other malware to load it or plant it on a system
####  Resides on a system by imitating legitimate software DLLs (OfficeUt32.dll, Office32.dll, Update.dll, etc.) so that it passes static file-header scanning
####  Limited number of samples (the count from 2008 to today is still in the hundreds)

-----

# Background

-----

####  Timeline
###### » 2008 – Earliest sample, compile time Aug 3, 2008 (md5: 338e4deb0be7769ef2c9d7080fb56154)
###### » 2011 – Mitsubishi Heavy Industries hack (discovered Oct 2011); sample md5: 1cd7835b9ac253a72f8cd94405100d62, compile time Apr 15, 2011 (Ref: [ixoxi blog](https://ixoxi.wordpress.com/2011/10/16/%E4%B8%89%E8%8F%B1%E9%87%8D%E5%B7%A5%E3%82%B5%E3%82%A4%E3%83%90%E3%83%BC%E6%94%BB%E6%92%83-%E3%82%B9%E3%83%91%E3%82%A4%E3%82%A6%E3%82%A7%E3%82%A2%E3%83%BB%E3%82%A6%E3%82%A4%E3%83%AB%E3%82%B9-derusbi/))
###### » 2014 – CareFirst BlueCross BlueShield hack (by way of Sakula)
###### » » Revealed in May 2015
###### » » 1.1 million customers' information breached
###### » » The intrusion actually took place in June 2014 (Ref: CareFirstAnswers)
###### » 2015 – Anthem hack (by way of Sakula)
###### » » Revealed in Mar 2015
###### » » 78.8 million people's information breached (Ref: AnthemFacts)
###### » » Data stolen around Dec 2014 (Ref: AnthemFacts)
###### » » Part of the Deep Panda campaign

-----

####  Delivery chain (reconstructed from the slide diagram)
###### Sakula (Remote Administration Tool) – collected from Deep Panda (2014) and the Anthem breach (2014)
###### Shyape (downloader)
###### Derusbi DLL – collected from the Mitsubishi hack (2011) and the ShellCrew campaign (2013)
###### TXPFProxy.dll – sample with a compilation date in 2012
###### » 1. Attachment in a spear-phishing email, or drive-by download
###### » 2. Sakula unpacks Shyape (downloader)
###### » 3a. The Derusbi DLL is downloaded and run as a service
###### » 3b. Infoadmin.dll and sqlsrv32.dll
###### » 3c. TXPFProxy.dll (possible relative of infoadmin.dll and sqlsrv32.dll)
###### » Sakula, Shyape and Derusbi share the same stolen digital signature (DTOPTOOLZ Co.)
###### » Shyape and Derusbi both use a similar traffic pattern to stay covert
###### » Shyape and Derusbi share a similar construction method for their identifier

-----

# Variants of Derusbi

-----

####  Some notes:
###### » 64-bit version first seen in 2011 – somewhat rare
###### » Newer samples don't necessarily use the newest version of a specific class
###### » Many more features in samples from 2013/2014 versus 2008

-----

# Technical Analysis

-----

####  DllEntryPoint
###### » Initialization
###### » Calls regsvr32.exe
###### » If the sample is packed, unpacks the export functions
####  DllRegisterServer
###### » Persistence management
####  DllUnregisterServer
###### » Invokes the Payload/BDSocket thread
####  ServiceMain
###### » Main code
###### » Contains the Payload/BDSocket thread

-----

# Technical Analysis
##### Persistence Management

-----

###### Invocation flow (from the slide's flowchart):
###### » DllEntryPoint is reached in three ways: loaded by sysprep.exe, invoked via regsvr32.exe, or by starting the service via svchost.exe
###### » Via regsvr32.exe: DllRegisterServer (persistence management)
###### » Via regsvr32.exe /s /u: DllUnregisterServer (payload thread)
###### » Via svchost.exe: the service control dispatcher creates a new thread to execute ServiceMain, which directly calls the Payload

-----

####  Decrypts and stores the built-in configuration at
###### » Key: HKEY_LOCAL_MACHINE\Software\Microsoft\RPC
###### » Subkey: Security
###### » Data: xor(not(one-byte key))[Decrypted Configuration]
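The transform on the slide is a single-byte XOR with the complement of a hardcoded key, so the registry value can be decoded from a disk image without the sample's own key: with only 256 candidates, the right one is the candidate whose output looks most like a NUL-padded ASCII structure. The following is an added example, not the authors' code; the field layout (three fixed-width, NUL-padded fields for the service name, beacon URL and client path) and the sample values are constructed, because the slides name the fields but give no sizes or order.

```python
"""Decode the Derusbi configuration blob stored under HKLM\\Software\\Microsoft\\RPC.

Added example, not the authors' code. The slide gives the transform as
xor(not(one-byte key))[Decrypted Configuration]; the field layout below
(three NUL-padded ASCII fields: service name, beacon URL, client path) is a
hypothetical layout for the demo, since the slide names the fields but not
their sizes or order. Sample values are constructed.
"""


def derusbi_xor(blob: bytes, key: int) -> bytes:
    """xor(not(key)) with a one-byte key; applying it twice restores the input."""
    k = (~key) & 0xFF
    return bytes(b ^ k for b in blob)


# Hypothetical layout (assumption, not from the slide): (field name, fixed width), NUL padded.
FIELDS = (("service_name", 32), ("beacon_url", 128), ("client_path", 260))


def pack_config(service_name: str, beacon_url: str, client_path: str) -> bytes:
    """Build a plaintext config in the hypothetical layout (used to construct test data)."""
    out = bytearray()
    for (name, width), value in zip(FIELDS, (service_name, beacon_url, client_path)):
        raw = value.encode("ascii")
        if len(raw) >= width:
            raise ValueError(f"{name} must be shorter than {width} bytes")
        out += raw.ljust(width, b"\0")
    return bytes(out)


def parse_config(plain: bytes) -> dict:
    """Split a decrypted blob back into its fields (NUL-terminated within each slot)."""
    fields, off = {}, 0
    for name, width in FIELDS:
        fields[name] = plain[off:off + width].split(b"\0", 1)[0].decode("ascii", "replace")
        off += width
    return fields


def _text_score(candidate: bytes) -> int:
    # NUL padding is weighted above printable ASCII so that a key off by 0x20,
    # which turns every NUL into a space and only flips letter case, cannot tie.
    return sum(2 if b == 0 else 1 if 0x20 <= b < 0x7F else 0 for b in candidate)


def recover_key(blob: bytes) -> int:
    """Brute-force the one-byte key: try all 256 and keep the most struct-like plaintext."""
    return max(range(256), key=lambda k: _text_score(derusbi_xor(blob, k)))


def decrypt_registry_blob(blob: bytes) -> dict:
    """Recover the key from the ciphertext alone and return the parsed fields."""
    return parse_config(derusbi_xor(blob, recover_key(blob)))


# Constructed sample: value data for a client hiding as OfficeUt32.dll (name taken from the slides).
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = derusbi_xor(
    pack_config("RpcEptMapper2", "http://203.0.113.10/index.asp", r"C:\Windows\system32\OfficeUt32.dll"),
    SAMPLE_KEY,
)

if __name__ == "__main__":
    print("recovered key: 0x%02x" % recover_key(SAMPLE_BLOB))
    for name, value in decrypt_registry_blob(SAMPLE_BLOB).items():
        print(f"{name:13s} {value}")
```

The scoring trick matters: a plain "count printable bytes" metric ties between the real key and the key XOR 0x20, since that candidate maps NUL to space and only changes letter case. Weighting NUL padding double breaks the tie whenever the structure contains at least one padding byte.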
####  Backs up the current file to %SystemFolder% with the filename
###### » [hardcoded-prefix]{randomstring}.[hardcoded-extension]
####  Stores the persistent DLL path in
###### » Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\{Persistent Service Name}\Parameters
###### » Subkey: ServiceDll

-----

##### Configuration fields (from the slide's figure): persistent service name; beacon URL; file path where the Derusbi client is stored on the computer under a different name

-----

####  If McAfee's anti-virus service is detected, it does not use regsvr32.exe to invoke the DllUnregisterServer export function
####  Instead it copies regsvr32.exe to update.exe, runs update.exe, and invokes DllUnregisterServer through that copy

-----

|Key|Subkey|Data|
|---|---|---|
|HKLM\Software\Microsoft\RPC|Security|xor(not(one-byte key))[Decrypted Configuration]; Persistent Service Identifier Name|
|HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost|netsvcs|Persistent Service Name (appended to the netsvcs service group)|
|HKLM\System\CurrentControlSet\Services\{Persistent Service Name}\Parameters|ServiceDll|Path to the Derusbi DLL under %SystemRoot%|

-----

# Technical Analysis
##### Payload

-----

####  Main Thread (stages shown on the slide's flowchart): Decrypt and Load Config; Elevate Privileges; Load Driver; Start 2nd Thread; Run Original Service
###### » Privileges elevated: SeDebugPrivilege, SeLoadDriverPrivilege, SeShutdownPrivilege, SeTcbPrivilege

-----

####  Main Thread – Load Driver
####  Not all samples contain an embedded driver
####  The driver is XOR-encrypted,
with a 4-byte key
####  Conditions for decrypting and loading the driver:
###### » 360's ZhuDongFangYu.exe must not be running (this check is optional)
###### » The username of the current process must be "system"

-----

####  Example drivers:
###### » Keylogger
###### » USB/disk infector
###### » Network hooking driver

-----

####  Derusbi sample (MD5: 92d18d1ca7e66539873be7f5366b04d1)
####  Iterates all directories on the disk
####  Drops Derusbi where service DLLs are found
####  Creates autorun.inf to auto-register Derusbi when the infected drive is connected to a computer

-----

####  Second Thread (stages shown on the slide's flowchart): Load Config; Set up Connection to C&C; Wait for and Process Commands until C&C Shutdown

-----

# Technical Analysis
##### Built-in modules

-----

####  Written in C++
####  RTTI information!
###### » Thanks to the IDA ClassInformer plugin
####  Unfortunately, some 2014 samples use updated classes

-----

####  INTERNAL_CMD
####  PCC_BASEMOD
####  PCC_CMD
####  PCC_FILE
####  PCC_MISC
####  PCC_PROXY
####  PCC_SYS

-----

####  All command classes are child classes of the abstract class PCC_BASEMOD

-----

####  PCC_BASEMOD, INTERNAL_CMD
####  Novetta (2014) describes some of these functions for an older Derusbi sample

-----

####  There is also a default handler
###### » packet_type/class_id: 100h
####  Some of its functions:
###### » Terminate the current connection (deprecated)
###### » Clean up data stored in the different modules
###### » Back up the configuration to the registry, mark the current file for deletion on reboot, terminate the current process immediately
###### » Terminate after the current jobs
###### » Install a new DLL

-----

####  INTERNAL_CMD (supersedes the PCC_CMD class)
###### » 2011 – present (some samples from 2012 do not have this class, though)
###### » Class ID: 5
###### » Interactive shell commands
###### » Has help/? functions!
###### » Common OS operations (v1.1): cd, dir, md, rd, del, copy, ren, type, start
###### » Additional commands in v1.2: runas, reboot [-f], shutdown [-f], clearlog, wget [httpurl]

-----

####  PCC_MISC
###### » 2011 – present
###### » Most samples have this class
###### » Class ID: 10
###### » Mixture of numerical and text commands
###### » Command IDs:
###### » » ID=1: save the attached file to the temp dir and load it as a DLL. Can remember up to 16 files.
###### » » ID=2: delete a temp file. The attached filename must correspond to one of the 16 saved by command ID 1
###### » Text commands:
###### » » "pstore": steals password information from IE and Firefox and sends it to the C2
###### » » "keylog": sends keylog data to the C2
###### » » "info": gathers system information and sends it to the C2: OS name and build number; network adapter info; IE version; proxy server info; AV info (Norton, 360, Kaspersky, Trend Micro, ESET, Avira)

-----

####  PCC_SYS
###### » 2008 – present
###### » Almost all samples have this class
###### » Class ID: 4 (80h in older samples)
###### » 4 types of numerical commands, each type with its own command IDs:
###### » » Process-related: enumerate and kill processes
###### » » Service-related: enumerate, start, stop, delete services
###### » » Registry-related: enumerate, create/delete keys, set/delete/replace values
###### » » Screenshot command

-----

####  PCC_FILE
###### » 2008 – present
###### » Almost all samples have this class
###### » Class ID: 8 (84h in older samples)
###### » Numerical commands: cleanup; enumerate all drives; find/rename/delete/copy/move a file; save a file to the system; recursively enumerate a directory; start a new process; recursively enumerate all drives

-----

####  2014 samples, group one: old code, just packed
###### » Class structure and functions from 2011/2012
###### » Compatibility, or an on-going attack?
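Returning to the embedded driver described under Payload: the slides say it is XOR-encrypted with a 4-byte key but not where the key lives, so it is worth knowing that the key can be recovered from the ciphertext alone, using the PE format as known plaintext. "MZ" at offset 0 fixes key bytes 0 and 1; the remaining two are brute-forced (65,536 candidates) and validated by checking that the decoded e_lfanew at offset 0x3C points at a decoded "PE\0\0" signature. This is an added example, not the authors' code; the driver image and key are constructed, and the offset limit on e_lfanew is a sanity bound chosen here.

```python
"""Recover the 4-byte XOR key over Derusbi's embedded driver from the PE format alone.

Added example, not the authors' code. The slides only state that the embedded
driver is XOR-encrypted with a 4-byte key; this recovers that key without the
sample's decryption routine, using two pieces of known plaintext every PE image
carries: "MZ" at offset 0 (gives key bytes 0-1) and the "PE\\0\\0" signature at
the offset held in e_lfanew (offset 0x3C), which validates a brute force over
the remaining two key bytes. The driver image below is a constructed minimal
PE header, not a real sample.
"""
import struct
from typing import Optional


def xor4(data: bytes, key: bytes, offset: int = 0) -> bytes:
    """Repeating 4-byte XOR; `offset` is where `data` sits in the file, so the key phase is right."""
    return bytes(b ^ key[(offset + i) & 3] for i, b in enumerate(data))


def recover_driver_key(blob: bytes, max_lfanew: int = 0x400) -> Optional[bytes]:
    """Return the key if exactly one (k2, k3) pair makes e_lfanew point at 'PE\\0\\0'."""
    if len(blob) < 0x40:
        return None
    k0, k1 = blob[0] ^ ord("M"), blob[1] ^ ord("Z")
    hits = []
    for k2 in range(256):
        for k3 in range(256):
            key = bytes((k0, k1, k2, k3))
            lfanew = struct.unpack("<I", xor4(blob[0x3C:0x40], key, 0x3C))[0]
            # Reject implausible header offsets before paying for the second decode.
            if lfanew < 0x40 or lfanew > max_lfanew or lfanew + 4 > len(blob):
                continue
            if xor4(blob[lfanew:lfanew + 4], key, lfanew) == b"PE\0\0":
                hits.append(key)
    return hits[0] if len(hits) == 1 else None


def decrypt_driver(blob: bytes) -> Optional[bytes]:
    """Decrypt the embedded driver, or None if no unique key validates."""
    key = recover_driver_key(blob)
    return None if key is None else xor4(blob, key)


MACHINE = {0x014C: "x86", 0x8664: "x64"}


def driver_machine(pe: bytes) -> str:
    """Read IMAGE_FILE_HEADER.Machine (the slides note 64-bit builds exist from 2011)."""
    lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    return MACHINE.get(struct.unpack_from("<H", pe, lfanew + 4)[0], "unknown")


def build_sample_driver(machine: int = 0x8664) -> bytes:
    """Constructed image: DOS header with e_lfanew=0x80, PE signature, COFF header, padding."""
    hdr = bytearray(b"MZ\x90\x00" + b"\0" * 0x38)             # 0x3C bytes of DOS header
    hdr += struct.pack("<I", 0x80)                             # e_lfanew
    hdr += b"\0" * (0x80 - len(hdr))                           # DOS stub area
    hdr += b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18 # signature + 20-byte COFF header
    hdr += b"\0" * (0x100 - len(hdr))
    return bytes(hdr)


SAMPLE_KEY = b"\xde\xad\xbe\xef"
SAMPLE_ENCRYPTED = xor4(build_sample_driver(), SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_driver_key(SAMPLE_ENCRYPTED)
    print("key:", key.hex(), "machine:", driver_machine(decrypt_driver(SAMPLE_ENCRYPTED)))
```

Requiring a unique validating key is deliberate: a blob with several candidates is more likely not a PE at all (or not this scheme), and a triage script should say so rather than emit the first match.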
####  2014 samples, group two: new version
###### » Same payload delivery
###### » Updated built-in classes

-----

####  Still written in C++
####  No RTTI information
####  Updated/rewritten classes
###### » Custom code for creating new() objects
###### » New is_this_data_for_me() virtual function
###### » Dynamically decrypts an embedded helper DLL during class initialization; injects the helper DLL into explorer.exe from the class's command handler function; communicates with the helper DLL using pipes
###### » Removed duplicate functionality across modules

-----

####  Command IDs changed
####  No more verbose commands
####  No interactive shell
####  PCC_SYS, PCC_FILE and default_handler functionality still there
####  Identifies newer OS versions such as Win8 (but not Win 8.1 or 10)
####  Processor architecture detection (x86, x64, IA64, ARM)

-----

# Conclusion

-----

####  Samples circulating between vendors
###### » Limited number of samples
###### » Delayed discovery
###### » Corrupt files
####  To improve detection
###### » Class/modular structure
###### » IPS
###### » Sakula/Shyape

-----

####  Modular
####  Fully featured for stealth and espionage
####  Targeted attacks
####  Operations could take up to 2 years

-----

# Any questions?
##### {mpun, ericleung, ntan}@fortinet.com
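Two of the persistence and launch details in the talk translate directly into host checks: the service name appended to the netsvcs group with a ServiceDll under %SystemRoot%, and, when McAfee's service is present, regsvr32.exe copied to update.exe so that the copy runs DllUnregisterServer. The following is an added example, not the authors' code: it runs those checks over constructed inputs, a dict standing in for registry values already read from a disk image and Sysmon-style process-creation events (Event ID 1 fields, including OriginalFileName from the PE version resource). The netsvcs baseline is a hypothetical short list and must be derived from a known-clean machine of the same Windows build in real use.

```python
"""Hunt for Derusbi's persistence and launcher tricks in host artefacts.

Added example, not from the paper. Two slides become checks: (1) the
persistent service name is appended to the netsvcs group
(HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost) and its
ServiceDll points at the renamed Derusbi copy under %SystemRoot%; (2) when
McAfee's AV service is present, regsvr32.exe is copied to update.exe and the
copy invokes DllUnregisterServer. Inputs are constructed: a registry snapshot
dict and Sysmon-style Event ID 1 records. NETSVCS_BASELINE is a hypothetical
short list; derive a real one from a known-clean machine of the same build.
"""
import ntpath

NETSVCS_BASELINE = {"AppMgmt", "AudioSrv", "Browser", "CryptSvc", "LanmanServer", "Schedule", "wuauserv"}


def suspicious_netsvcs(snapshot: dict) -> list:
    """netsvcs members missing from the baseline, paired with their ServiceDll path."""
    hits = []
    for svc in snapshot["netsvcs"]:
        if svc in NETSVCS_BASELINE:
            continue
        params = snapshot["services"].get(svc, {})
        hits.append((svc, params.get("ServiceDll")))
    return hits


def is_renamed_regsvr32(ev: dict) -> bool:
    """The binary is regsvr32 by its version resource but carries another file name (e.g. update.exe)."""
    original = (ev.get("OriginalFileName") or "").lower()
    image = ntpath.basename(ev.get("Image", "")).lower()
    return original == "regsvr32.exe" and image != "regsvr32.exe"


def is_silent_unregister(ev: dict) -> bool:
    """regsvr32 (by name or by version resource) run with /s and /u on a DLL: DllUnregisterServer without UI."""
    image = ntpath.basename(ev.get("Image", "")).lower()
    if image != "regsvr32.exe" and not is_renamed_regsvr32(ev):
        return False
    toks = [t.strip('"').lower() for t in ev.get("CommandLine", "").split()]
    silent = "/s" in toks or "-s" in toks
    unreg = "/u" in toks or "-u" in toks
    return silent and unreg and any(t.endswith(".dll") for t in toks)


def hunt(snapshot: dict, events: list) -> dict:
    """Run all checks and return the findings grouped by check."""
    return {
        "netsvcs": suspicious_netsvcs(snapshot),
        "renamed_regsvr32": [e["Image"] for e in events if is_renamed_regsvr32(e)],
        "silent_unregister": [e["CommandLine"] for e in events if is_silent_unregister(e)],
    }


# Constructed registry snapshot: one extra netsvcs member whose DLL masquerades as OfficeUt32.dll.
SNAPSHOT = {
    "netsvcs": ["AppMgmt", "Schedule", "wuauserv", "RpcEptMapper2"],
    "services": {
        "AppMgmt": {"ServiceDll": r"%SystemRoot%\System32\appmgmts.dll"},
        "RpcEptMapper2": {"ServiceDll": r"C:\Windows\system32\OfficeUt32.dll"},
    },
}

# Constructed Sysmon-style events: a benign installer registration, then the update.exe trick.
EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"Image": r"C:\Windows\update.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"update.exe /s /u C:\Windows\system32\OfficeUt32.dll"},
]

if __name__ == "__main__":
    for check, findings in hunt(SNAPSHOT, EVENTS).items():
        print(check, findings)
```

The renamed-binary check is the durable one: the file name is attacker-controlled, the version resource is not, so matching on OriginalFileName catches update.exe or any other copy. Silent unregistration also occurs during legitimate uninstalls, so in production scope that check by parent process or pair it with the netsvcs finding rather than alerting on it alone.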