Fernando Domínguez

Goal

Analyze code re-use in binaries to attribute unknown samples to families / threat actors. To do this we can obtain the list of functions in an executable and hash each function's opcodes using a fuzzy hash algorithm (kind of what Diaphora does). For the fuzzy hashing I will be using ssdeep, and for the opcode extraction r2 (and r2pipe).

Data preparation

First, we need some data to work on (hashes + samples). I will be using a QuantLoader sample set, as it is a rather simple malware.

With that in mind, we need to identify some landmark functions in a Quant

On the most recent phishing attacks, PowerShell is usually employed to load and execute position-independant shellcode via a macro-enabled Office document.

So, in order to know what actions are being carried away the truly interesting part here is the shellcode being executed. However, to slow down analysis or lower detection, shellcode is usually encoded, being shikata ga nai the most used encoder (for the samples I have observed at least).

Shikata ga nai

Shikata ga nai is a polymorphic encoder based on a decoder stub. The decoder stub XORs the encoded bytes with an incremental key. Having an incremental key

I've recently come across an APT named Dimnie by Palo Alto's Unit42 (full report here). The purpose of Dimnie is to exfiltrate sensitive data to the attacker. The peculiarity about Dimnie is that it does so with a peculiar trick. Dimnie changes the HTTP Host header to point to a well-known trusted domain while it actualy sends the request to an attacker-controlled server. This can be done as the HTTP Host header is not actually used for routing, but rather for virtual hosting purposes, as the docs say. This makes the HTTP request look like it's headed to a trusted

Notice: As noted by @Antelox this is just a loader that drops LokiBot, not LokiBot itself.

Preface

Loki is a credential harvester bot sold in Russian underground forums and black markets.

Goal

For this blogpost, the goal will be to defeat/patch Loki's anti measures to be able to properly analyze malicious behavior.

Analysis

Initial triage

File hashes for the sample I'll be using:

MD5: 09D2E274F1F50AB81105A3A6B9BE34CF
SHA-1: 04AD370BFE1A0AFA273568EE18F8C14BD8E612DC
SHA-256: D7AAAFB88B91A937D1EF8BCAA97F88A13545364269F510A95DAB4A72B68A4313

The sample has a pretty low detection ratio (8/58) as of now (29/03/2017) on VirusTotal.

TrID report:

Win32 Executable Delphi generic (37.4%)
Windows screen saver (34.

Goal

In this entry we will have a look at the Bendis maldoc. Bendis is a fairly unknown and simple maldoc that has a dropper functionality. It's only purpose is being a gateway for more mature malware.

Word document

We are confronted yet again with a Word document which includes macros.

File hashes:

MD5: 3e77ad5e07c65aeeb7a3b2e268eb102b
SHA1: 73f35866e29959a2397303fb3ec0c0b7e74226f3
SHA256: fdda128f909cbfb549a6a342cfb71e09dfbc695d799dbfd80d95b42e82fc1e9c
ssdeep1536:OXxUzn9/biXPK2NSy7DL3WBWZn+9cHYRJ5SEbbXr7eLTFxXw:USYSy49rRLbbO7

If we try to open the VBA debugger we will see heavily obfuscated code, even strings are obfuscated. A quick look reveals that there is a module called XoGrrJy that has many calls to CallByName so