###### CiYi "YCY" Yu, Malware Researcher
###### Aragorn Tseng, Malware Researcher

-----

###### Malware Researcher!
CiYi "YCY" Yu and Aragorn Tseng: malware analysis, campaign tracking, incident response

-----

### AGENDA
- Adversary Profile: HUAPI
- Malware Profile: DBGPRINT
- Evolution of DBGPRINT
- In-Depth Analysis of DBGPRINT
- Detection Warfare
- Remediation & Detection

-----

##### Adversary Profile: HUAPI
- Alias: BlackTech
- Active since 2007
- Malware: TSCOOKIE, KIVARS, CAPGELD, DBGPRINT

-----

##### Malware Profile: DBGPRINT
- Alias: Waterbear
- Active since at least 2009
- DLL export name "DbgPrint"
- Acts as a second stage
- Advanced malware design
- Adopts a shellcode stager
- Able to load plugins

-----

##### Malware Profile: DBGPRINT
Sectors: Government, Education, Think Tank, Finance, Technology, Healthcare

-----

#### Evolution of DBGPRINT

-----

##### Version Changes in the Wild
[Figure: timeline of discovery time in the wild, 2010 through 2020, with versions 0.13, 0.14, 0.17, 0.1.0, 0.1.n, 0.2b, b.0.1 and 1 placed along it; "Listen port" is marked as a feature change on the timeline]

-----

##### Access Payload
[Figure: four packaging layouts of stager and payload, each drawn as EXE or DLL containers holding "Stager" and "Payload": Inside EXE, Inside DLL, Standalone payload, Double DLL Sideloading]

-----

##### RC4 Key of Payload
Key-transform loop from the stager; ecx points at the buffer and esi holds the remaining byte count:

```asm
mov al, byte ptr [ecx]   ; load one byte of the buffer
mov dl, al
shr dl, 3                ; high 5 bits move down by 3 ...
shl al, 5                ; ... low 3 bits move up to the top
or dl, al                ; combined: rotate the byte right by 3
mov byte ptr [ecx], dl   ; write it back in place
inc ecx
dec esi
jnz short 100010CD       ; next byte until esi reaches zero
```

Inputs to the key:
- File path string + file name: `C:\Program Files\NVIDIA Corporation\Display\nvwss.ptn\x00`
- String: `Miss You!`
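An added example for the rotate loop above, not code from the talk or from TeamT5: a Python re-implementation of the byte rotation so an analyst can regenerate the key material from the host-specific path, plus a plain RC4 routine to recover a captured payload once the key is known. The slide does not say how the rotated string and the 16 random bytes are combined, so `derive_key` uses a byte-wise XOR as a marked assumption; the sample payload and the fourth row of random bytes are constructed, and `rc4`, `transform_buffer` and `roundtrip_payload` are this example's own names.

```python
"""Re-implementation of the DBGPRINT key-transform loop plus RC4.

Added example; not TeamT5's code. The disassembly rotates every byte of a
buffer right by 3 in place. The combination with the 16 random bytes is
not shown on the slide, so that step is an assumption (see derive_key).
"""


def rotr3(byte: int) -> int:
    """shr dl,3 / shl al,5 / or dl,al on one byte: rotate right by 3."""
    return ((byte >> 3) | (byte << 5)) & 0xFF


def rotl3(byte: int) -> int:
    """Inverse of rotr3, for undoing the transform on recovered bytes."""
    return ((byte << 3) | (byte >> 5)) & 0xFF


def transform_buffer(buf: bytes) -> bytes:
    """The loop at 100010CD: rotate each byte of the buffer in place."""
    return bytes(rotr3(b) for b in buf)


def derive_key(path: bytes, random16: bytes) -> bytes:
    """ASSUMPTION: the rotated path bytes are XORed with the 16 random bytes
    cycled over the path. The slide only says "XOR / Shift"."""
    rotated = transform_buffer(path)
    return bytes(r ^ random16[i % len(random16)] for i, r in enumerate(rotated))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:                             # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Values from the slide: the NUL-terminated path string and the random bytes
# shown for printupg.PNF. The slide shows three rows of four; the fourth row
# here is constructed filler so the buffer is 16 bytes long.
PATH = b"C:\\Program Files\\NVIDIA Corporation\\Display\\nvwss.ptn\x00"
RANDOM16 = bytes.fromhex("0103ff89" "1372d10a" "40c021bb" "00000000")


def roundtrip_payload() -> bytes:
    """Encrypt a constructed stand-in payload under the derived key, then
    recover it the way an analyst with the path and random bytes would."""
    key = derive_key(PATH, RANDOM16)
    payload = b"MZ\x90\x00 constructed plaintext standing in for the DLL payload"
    on_disk = rc4(key, payload)
    return rc4(key, on_disk)


if __name__ == "__main__":
    print("rotated 01 03 ff 89 ->", transform_buffer(b"\x01\x03\xff\x89").hex())
    print("recovered:", roundtrip_payload()[:4])
```

Because the transform is a fixed rotation, the same function also serves as a signature: a scanner can rotate a suspected key buffer right by 3 and compare it against the expected path string without running the sample.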
##### RC4 Key of Payload (cont.)
`printupg.PNF`: random 16 bytes (three rows of four shown on the slide)

|01|03|FF|89|
|---|---|---|---|
|13|72|D1|0A|
|40|C0|21|BB|

Key material: XOR / shift of the random 16 bytes with the file path string + file name

-----

#### In-Depth Analysis of DBGPRINT

-----

##### Execution Procedure
[Figure: DBGPRINT Controller and Payload. ❶ Ask for DLL implant; ❷ Wait for connection]

-----

##### Inside DBGPRINT Stager
DBGPRINT Stager steps:
- Check PEB!IsDebugged
- Test connection
- Relocate function table
- Generate session keys
- In some versions: on failure, drop the connection

-----

##### Inside DBGPRINT Stager
[Figure: exchange between DBGPRINT Controller and DBGPRINT Stager, built up over several animation slides]

Server challenge (16 bytes): `58 88 dc e1 84 f7 18 b2 50 8f 04 40 19 eb 47 a1`

-----

##### DBGPRINT Implant
File transfer / management

|Command code|Capability|
|---|---|
|2|Enumerate disk drives|
|3|List files|
|4|Upload file to C2 server|
|5|Download file from C2 server|
|6|Rename file|
|7|Create folder|
|8|Delete file|
|10|Execute file|
|11|Move file|
|12|NtSetInformationFile|

-----

##### DBGPRINT Implant
Windows management / Screenshot

|Command code|Capability|
|---|---|
|807|Enumerate windows|
|808|Hide windows|
|809|Show windows|
|810|Close windows|
|811|Minimize windows|
|812|Maximize windows|
|814|Screenshot|
|815|Set screenshot event signaled|

-----

##### DBGPRINT Implant
Remote desktop connection; Process / Network connection / Service management
|Command code|Capability|
|---|---|
|816|Remote desktop|
|817|Enumerate processes|
|818|Terminate process|
|820|List network connection status|
|821|Abort a network connection|
|822|Enumerate services|
|827|Manipulate service|

-----

##### DBGPRINT Implant
Remote shell / Registry management

|Command code|Capability|
|---|---|
|1006|Start remote shell|
|1007|Exit remote shell|
|1008|Obtain remote shell PID|
|2011|Enumerate registry|
|2013|Create registry key|
|2014|Set registry key|
|2015|Delete registry key|
|2016|Delete registry value|

-----

#### Detection Warfare

-----

##### Eliminate Patterns
[Figure: hex dumps of three configuration blocks. Two are plain text (versions 0.1 and b.0.1) and expose the mutex, the C2 domain login.narllab.com and the string abcdefghijklmno, with unused bytes padded with spaces (0x20). The third (version 0.24) is obfuscated: its unused bytes read as 0xff and its address field is stored XORed with 0xff. Slide labels: "Space (0x20)", "Mutex", "M".]

-----

##### Eliminate Patterns
[Figure: hex dumps of three more configuration blocks: plain-text b.0.1 (with the Listen port field, mutex and the string abcdefghijklmno), plain-text 0.1 (mutex, C2 domain usr.narllab.com, string abcdefghijklmno), and an obfuscated version 0.17 block]
[Figure, continued: the rest of the obfuscated 0.17 block, whose address field is stored XORed with 0xff and whose unused bytes read as 0xff]

Slide labels: "Plain text", "XOR with 0xff"

-----

##### x64 Version
[Figure: byte dump of the x64 stager, before self-modifying and after self-modifying. A recognizable x64 function prologue is visible (`H.\$.H.l$.H.t$ WATAUAVAW`: saves of rbx, rbp and rsi to the stack followed by pushes of r12 to r15), followed by high-entropy bytes.]

-----

##### Double DLL Sideloading
[Figure: sideloading chain (White) Benign EXE → (Gray) Malicious DLL → (Black) Malicious DLL]

-----

##### Anti "SecurityProduct"
[Figure: Malicious DLL, Actor, DBGPRINT Payload 2]

-----

# Questions?
###### ycy@teamt5.org aragorn@teamt5.org

-----
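An added example for the two "Eliminate Patterns" slides above, not code from the talk or from TeamT5: a small Python triage routine that scans a configuration block both as plain text and after XOR with 0xff, reports which indicators (mutex label, C2 domain, dotted-quad address) appear in which layer, and records the dominant padding byte, since the switch from 0x20 space padding to 0xff padding is itself a sign that the block was XORed with 0xff. Both sample blocks are constructed; the obfuscated one reuses the twelve bytes visible in the slide's dump, which decode to a private 10.x address (a lab configuration). `MARKERS`, `triage` and the sample names are this example's own.

```python
"""Config-block triage for the DBGPRINT pattern-elimination change.

Added example; not TeamT5's code. Later configs hide the address field
behind XOR 0xff, so a scanner has to look at both the raw bytes and the
XORed view, and the padding byte tells the two generations apart.
"""
import re
from collections import Counter

# Strings visible in the plain-text dumps on the slides.
MARKERS = (b"narllab.com", b"abcdefghijklmno", b"Mutex")

# Dotted-quad candidate, not glued to other digits on either side.
QUAD = re.compile(rb"(?<!\d)(\d{1,3}(?:\.\d{1,3}){3})(?!\d)")


def xor_ff(blob: bytes) -> bytes:
    """XOR every byte with 0xff; applying it twice restores the input."""
    return bytes(b ^ 0xFF for b in blob)


def dotted_quads(data: bytes) -> list:
    """Return syntactically valid IPv4 strings found in the data."""
    found = []
    for m in QUAD.finditer(data):
        text = m.group(1).decode("ascii")
        if all(int(part) <= 255 for part in text.split(".")):
            found.append(text)
    return found


def padding_byte(blob: bytes) -> int:
    """Most frequent byte value; 0x20 in the old configs, 0xff in the new."""
    return Counter(blob).most_common(1)[0][0]


def triage(blob: bytes) -> dict:
    """Scan the raw and the XOR-0xff view and tag each hit with its layer."""
    hits = []
    for layer, view in (("plain", blob), ("xor_ff", xor_ff(blob))):
        for marker in MARKERS:
            if marker in view:
                hits.append((layer, marker.decode("ascii")))
        for quad in dotted_quads(view):
            hits.append((layer, quad))
    return {"padding_byte": padding_byte(blob), "hits": hits}


# Constructed samples. PLAIN_SAMPLE mirrors the old layout: version string,
# mutex label, C2 domain, space padding. OBF_SAMPLE mirrors the new layout:
# version string left in clear, address field XORed with 0xff (the twelve
# bytes from the slide's dump), zero padding that therefore reads as 0xff.
PLAIN_SAMPLE = b"\x00\x00\x00\x000.1\x00" + b"Mutex\x00" + b"login.narllab.com" + b" " * 40
OBF_SAMPLE = b"0.24\x00" + bytes.fromhex("cecfd1cdcfd1cecec8d1cece") + b"\xff" * 40


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("obfuscated", OBF_SAMPLE)):
        result = triage(sample)
        print(name, "padding=0x%02x" % result["padding_byte"], result["hits"])
```

The same check expressed as a YARA rule uses the `xor` string modifier on the marker strings, which makes the engine try every single-byte XOR key rather than only 0xff; the padding-byte heuristic is the cheap pre-filter that tells you which generation of config you are looking at before decoding anything.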