SlideShare uma empresa Scribd logo

Reverse engineering malware

Transferir como PPTX, PDF
C
Cysinfo Cyber Security Community

Reverse engineering malware

Tecnologia
1 de 33
Monnappa K A  Member of Cysinfo  Info Security Investigator @ Cisco  Focus on Threat Intelligence  Reverse Engineering, Malware Analysis, Memory Forensics  Email: monnappa22@gmail.com  Twitter: @monnappa22  Blog: http://malware-unplugged.blogspot.in  Linkedin: http://in.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8
 APT Malware - Etumbot  Etumbot Cyber Espionage Campaign  Demo 1 – Sandbox Analysis of Etumbot dropper  Demo 2 – Reverse Engineering the Communications of Etumbot Backdoor  Demo 3 – Decrypting the Communications of Etumbot Backdoor  References
 Used in APT/Cyber espionage/targeted attacks  Associated with Chinese cyber espionage group (Numbered Panda, APT12, Calc team)  Sent to targets via spear phishing email  Targeted government organizations in Taiwan and Japan  Drops decoy documents of interest to Taiwanese and Japanese population  Also referred to as Exploz, Specfix and RIPTIDE
Etumbot dropper (5340.exe) drops another file winlogdate.exe (which is Etumbot backdoor). The malware also adds a registry entry so that Etumbot backdoor can persist on the system
Etumbot Backdoor (winlogdate.exe) connects to the C2 server with two communication patterns
In the first communication pattern the malware receives response from the C2 server. The response looks like an encoded string
In the second communication pattern the malware sends a request, which looks like a request to download an image file (.jpg), but the string before .jpg looks like an encrypted string. In order understand these communication patterns, lets reverse engineer the Etumbot backdoor
Etumbot Backdoor calls the below function. This function implements the First Communication pattern, this function calls multiple functions as shown in the call graph below
The malware uses below API call to open an http session with the C2 Server (wwap.publiclol.com)
Etumbot Backdoor uses below API call to create an http handle and the below screenshot shows the object the malware is going to request in the http request.
Etumbot Backdoor uses below API call to send the request and the C2 server sends an encoded response to the backdoor.
Etumbot backdoor receives the encoded response from the C2 using the below API
Etumbot backdoor passes the received content to the custom base64 algorithm which decodes the received content and extracts the RC4 key starting at offset 8. This RC4 key is used to encrypt subsequent communications. It can be deduced that the first communication pattern is used by the malware to receive the RC4 key from the attackers.
Etumbot Backdoor calls the below function. This function implements the Second Communication pattern, this function calls multiple functions as shown in the call graph below
Etumbot Backdoor collects the system information (hostname, username, ip and proxy details) and passes it to the RC4 function (with the RC4 key retrieved from the first communication).
The collected system information is encrypted with RC4 key which was retrieved from the first communication. Below screenshot shows the RC4 encrypted system information
The RC4 encrypted system information is then passed to the custom base64 encoding function as shown below
The RC4 encrypted system information is then encoded with custom base64 encoding algorithm as shown below.
The base64 encoded string is then concatenated with /image/ and .jpg to form a final string as shown below
The malware connects to the C2 server (wwap.publiclol.com) using the concatenated string as the http request pattern.
Malware sends the http request as shown below. As you can see from packet capture the encrypted system information is sent to the attackers this way. Now we know how malware decodes the RC4 key from first communication and how that RC4 key is used to encrypt subsequent communications. We can write decryptors to extract the RC4 key and to decrypt the communications.
Below screenshot shows the python script (get_key.py) which takes encoded response from C2 server as input, then decodes it and extracts the RC4 key
Below screenshot shows the encoded response from C2 server. This encoded response is given to the script which decoded and extracted the RC4 key
Below screenshot shows the script to decrypt subsequent communications using the RC4 key obtained from first communication
Below screenshot shows the encrypted string. The script takes the encrypted string and decrypts it. The decrypted output is the information (hostname, username, ip, proxy details) collected from the system, where the malware was run (in this case sandbox machine)
a) ARBOR Networks Report on Etumbot http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/ b) FireEye’s Blog post http://www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group- 2.html
Reverse engineering malware
Reverse engineering malware

Recomendados

Introduction to Malware Detection and Reverse Engineering
Introduction to Malware Detection and Reverse EngineeringIntroduction to Malware Detection and Reverse Engineering
Introduction to Malware Detection and Reverse Engineeringintertelinvestigations
 
Rootkit
RootkitRootkit
Rootkittech2click
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical HackingDEEPIKA WALIA
 
Cyber Security Fundamentals
Cyber Security FundamentalsCyber Security Fundamentals
Cyber Security FundamentalsApurv Singh Gautam
 
Keyloggers and Spywares
Keyloggers and SpywaresKeyloggers and Spywares
Keyloggers and SpywaresAnkit Mistry
 
Intruders
IntrudersIntruders
Intruderstechn
 
Botnets
BotnetsBotnets
BotnetsVishwadeep Badgujar
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber SecurityStephen Lahanas
 

Recomendados

Introduction to Malware Detection and Reverse Engineering
Introduction to Malware Detection and Reverse EngineeringIntroduction to Malware Detection and Reverse Engineering
Introduction to Malware Detection and Reverse Engineeringintertelinvestigations
 
Rootkit
RootkitRootkit
Rootkittech2click
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical HackingDEEPIKA WALIA
 
Cyber Security Fundamentals
Cyber Security FundamentalsCyber Security Fundamentals
Cyber Security FundamentalsApurv Singh Gautam
 
Keyloggers and Spywares
Keyloggers and SpywaresKeyloggers and Spywares
Keyloggers and SpywaresAnkit Mistry
 
Intruders
IntrudersIntruders
Intruderstechn
 
Botnets
BotnetsBotnets
BotnetsVishwadeep Badgujar
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber SecurityStephen Lahanas
 
Cyber security
Cyber securityCyber security
Cyber securitySajid Hasan
 
CRYPTOGRAPHY AND NETWORK SECURITY- E-Mail Security
CRYPTOGRAPHY AND NETWORK SECURITY- E-Mail SecurityCRYPTOGRAPHY AND NETWORK SECURITY- E-Mail Security
CRYPTOGRAPHY AND NETWORK SECURITY- E-Mail SecurityJyothishmathi Institute of Technology and Science Karimnagar
 
Android Malware Detection Mechanisms
Android Malware Detection MechanismsAndroid Malware Detection Mechanisms
Android Malware Detection MechanismsTalha Kabakus
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attackMark Silver
 
Cyber security
Cyber securityCyber security
Cyber securityDr. Kishor Nikam
 
Intruders
IntrudersIntruders
IntrudersDr.Florence Dayana
 
02 Legal, Ethical, and Professional Issues in Information Security
02 Legal, Ethical, and Professional Issues in Information Security02 Legal, Ethical, and Professional Issues in Information Security
02 Legal, Ethical, and Professional Issues in Information Securitysappingtonkr
 
Cyber Security Introduction.pptx
Cyber Security Introduction.pptxCyber Security Introduction.pptx
Cyber Security Introduction.pptxANIKETKUMARSHARMA3
 
Malware forensic
Malware forensicMalware forensic
Malware forensicSumeraHangi
 
Application layer security protocol
Application layer security protocolApplication layer security protocol
Application layer security protocolKirti Ahirrao
 
Cyber security awareness
Cyber security awarenessCyber security awareness
Cyber security awarenessJason Murray
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information securityKumawat Dharmpal
 
Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Radar Cyber Security
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chainAnkita Ganguly
 
Cyber Security - Unit - 4 - Introduction to Cyber Crime and law Cyber Crimes
Cyber Security - Unit - 4 - Introduction to Cyber Crime and law Cyber CrimesCyber Security - Unit - 4 - Introduction to Cyber Crime and law Cyber Crimes
Cyber Security - Unit - 4 - Introduction to Cyber Crime and law Cyber CrimesGyanmanjari Institute Of Technology
 
Security in Embedded systems
Security in Embedded systems Security in Embedded systems
Security in Embedded systems Naveen Jakhar, I.T.S
 
ElGamal Encryption Algoritham.pptx
ElGamal Encryption Algoritham.pptxElGamal Encryption Algoritham.pptx
ElGamal Encryption Algoritham.pptxIndian Institute of information technology Una
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Network Security Research Paper
Network Security Research PaperNetwork Security Research Paper
Network Security Research PaperPankaj Jha
 
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...Edureka!
 
kernel/vm@okinawa 2014
kernel/vm@okinawa 2014kernel/vm@okinawa 2014
kernel/vm@okinawa 2014y0t4
 
CTFというハッカーイベント+α
CTFというハッカーイベント+αCTFというハッカーイベント+α
CTFというハッカーイベント+αYuichi Nagayama
 

Mais conteúdo relacionado

Mais procurados

Android Malware Detection Mechanisms
Android Malware Detection MechanismsAndroid Malware Detection Mechanisms
Android Malware Detection MechanismsTalha Kabakus
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attackMark Silver
 
02 Legal, Ethical, and Professional Issues in Information Security
02 Legal, Ethical, and Professional Issues in Information Security02 Legal, Ethical, and Professional Issues in Information Security
02 Legal, Ethical, and Professional Issues in Information Securitysappingtonkr
 
Cyber Security Introduction.pptx
Cyber Security Introduction.pptxCyber Security Introduction.pptx
Cyber Security Introduction.pptxANIKETKUMARSHARMA3
 
Malware forensic
Malware forensicMalware forensic
Malware forensicSumeraHangi
 
Application layer security protocol
Application layer security protocolApplication layer security protocol
Application layer security protocolKirti Ahirrao
 
Cyber security awareness
Cyber security awarenessCyber security awareness
Cyber security awarenessJason Murray
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information securityKumawat Dharmpal
 
Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Radar Cyber Security
 
Cyber Security - Unit - 4 - Introduction to Cyber Crime and law Cyber Crimes
Cyber Security - Unit - 4 - Introduction to Cyber Crime and law Cyber CrimesCyber Security - Unit - 4 - Introduction to Cyber Crime and law Cyber Crimes
Cyber Security - Unit - 4 - Introduction to Cyber Crime and law Cyber CrimesGyanmanjari Institute Of Technology
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Network Security Research Paper
Network Security Research PaperNetwork Security Research Paper
Network Security Research PaperPankaj Jha
 
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...Edureka!
 

Mais procurados (20)

Cyber security
Cyber securityCyber security
Cyber security
 
CRYPTOGRAPHY AND NETWORK SECURITY- E-Mail Security
CRYPTOGRAPHY AND NETWORK SECURITY- E-Mail SecurityCRYPTOGRAPHY AND NETWORK SECURITY- E-Mail Security
CRYPTOGRAPHY AND NETWORK SECURITY- E-Mail Security
 
Android Malware Detection Mechanisms
Android Malware Detection MechanismsAndroid Malware Detection Mechanisms
Android Malware Detection Mechanisms
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attack
 
Cyber security
Cyber securityCyber security
Cyber security
 
Intruders
IntrudersIntruders
Intruders
 
02 Legal, Ethical, and Professional Issues in Information Security
02 Legal, Ethical, and Professional Issues in Information Security02 Legal, Ethical, and Professional Issues in Information Security
02 Legal, Ethical, and Professional Issues in Information Security
 
Cyber Security Introduction.pptx
Cyber Security Introduction.pptxCyber Security Introduction.pptx
Cyber Security Introduction.pptx
 
Malware forensic
Malware forensicMalware forensic
Malware forensic
 
Application layer security protocol
Application layer security protocolApplication layer security protocol
Application layer security protocol
 
Cyber security awareness
Cyber security awarenessCyber security awareness
Cyber security awareness
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chain
 
Cyber Security - Unit - 4 - Introduction to Cyber Crime and law Cyber Crimes
Cyber Security - Unit - 4 - Introduction to Cyber Crime and law Cyber CrimesCyber Security - Unit - 4 - Introduction to Cyber Crime and law Cyber Crimes
Cyber Security - Unit - 4 - Introduction to Cyber Crime and law Cyber Crimes
 
Security in Embedded systems
Security in Embedded systems Security in Embedded systems
Security in Embedded systems
 
ElGamal Encryption Algoritham.pptx
ElGamal Encryption Algoritham.pptxElGamal Encryption Algoritham.pptx
ElGamal Encryption Algoritham.pptx
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
Network Security Research Paper
Network Security Research PaperNetwork Security Research Paper
Network Security Research Paper
 
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
 

Destaque

kernel/vm@okinawa 2014
kernel/vm@okinawa 2014kernel/vm@okinawa 2014
kernel/vm@okinawa 2014y0t4
 
CTFというハッカーイベント+α
CTFというハッカーイベント+αCTFというハッカーイベント+α
CTFというハッカーイベント+αYuichi Nagayama
 
kyoungju_kwak_the_new_wave_of_cyber_terror
kyoungju_kwak_the_new_wave_of_cyber_terrorkyoungju_kwak_the_new_wave_of_cyber_terror
kyoungju_kwak_the_new_wave_of_cyber_terrorPacSecJP
 
Inside Srl - Emilio Luchetta
Inside Srl - Emilio LuchettaInside Srl - Emilio Luchetta
Inside Srl - Emilio Luchettabnioceanoblu
 
A Reconfiguração do Jornalismo Investigativo e a Influência do Hacktivismo, d...
A Reconfiguração do Jornalismo Investigativo e a Influência do Hacktivismo, d...A Reconfiguração do Jornalismo Investigativo e a Influência do Hacktivismo, d...
A Reconfiguração do Jornalismo Investigativo e a Influência do Hacktivismo, d...Ruy De Queiroz
 
intervento CONFAPI 27.10.2016 - Avv.Maggipinto (estratto)
intervento CONFAPI 27.10.2016 - Avv.Maggipinto (estratto)intervento CONFAPI 27.10.2016 - Avv.Maggipinto (estratto)
intervento CONFAPI 27.10.2016 - Avv.Maggipinto (estratto)Andrea Maggipinto [+1k]
 
Verizon Data Breach Investigation Report
Verizon Data Breach Investigation ReportVerizon Data Breach Investigation Report
Verizon Data Breach Investigation Reportxband
 
Attacchi e difese: l'esperienza del CSI Piemonte
Attacchi e difese: l'esperienza del CSI PiemonteAttacchi e difese: l'esperienza del CSI Piemonte
Attacchi e difese: l'esperienza del CSI PiemonteCSI Piemonte
 
Smau Milano 2016 - Marco Bozzetti, Aipsi
Smau Milano 2016 - Marco Bozzetti, AipsiSmau Milano 2016 - Marco Bozzetti, Aipsi
Smau Milano 2016 - Marco Bozzetti, AipsiSMAU
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threatINSIGHT FORENSIC
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)INSIGHT FORENSIC
 
Operazioni mirate e malware di Stato nell'era della guerra cibernetica e del ...
Operazioni mirate e malware di Stato nell'era della guerra cibernetica e del ...Operazioni mirate e malware di Stato nell'era della guerra cibernetica e del ...
Operazioni mirate e malware di Stato nell'era della guerra cibernetica e del ...Gianni Amato
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guidesecurityxploded
 
Advanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidAdvanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidCysinfo Cyber Security Community
 
Ht seminar uniten-cyber security threat landscape
Ht seminar uniten-cyber security threat landscapeHt seminar uniten-cyber security threat landscape
Ht seminar uniten-cyber security threat landscapeHaris Tahir
 

Destaque (20)

kernel/vm@okinawa 2014
kernel/vm@okinawa 2014kernel/vm@okinawa 2014
kernel/vm@okinawa 2014
 
CTFというハッカーイベント+α
CTFというハッカーイベント+αCTFというハッカーイベント+α
CTFというハッカーイベント+α
 
kyoungju_kwak_the_new_wave_of_cyber_terror
kyoungju_kwak_the_new_wave_of_cyber_terrorkyoungju_kwak_the_new_wave_of_cyber_terror
kyoungju_kwak_the_new_wave_of_cyber_terror
 
Trojan di stato
Trojan di statoTrojan di stato
Trojan di stato
 
Inside Srl - Emilio Luchetta
Inside Srl - Emilio LuchettaInside Srl - Emilio Luchetta
Inside Srl - Emilio Luchetta
 
VLADIMIR KRYSHEVYCH
VLADIMIR KRYSHEVYCHVLADIMIR KRYSHEVYCH
VLADIMIR KRYSHEVYCH
 
A Reconfiguração do Jornalismo Investigativo e a Influência do Hacktivismo, d...
A Reconfiguração do Jornalismo Investigativo e a Influência do Hacktivismo, d...A Reconfiguração do Jornalismo Investigativo e a Influência do Hacktivismo, d...
A Reconfiguração do Jornalismo Investigativo e a Influência do Hacktivismo, d...
 
intervento CONFAPI 27.10.2016 - Avv.Maggipinto (estratto)
intervento CONFAPI 27.10.2016 - Avv.Maggipinto (estratto)intervento CONFAPI 27.10.2016 - Avv.Maggipinto (estratto)
intervento CONFAPI 27.10.2016 - Avv.Maggipinto (estratto)
 
Verizon Data Breach Investigation Report
Verizon Data Breach Investigation ReportVerizon Data Breach Investigation Report
Verizon Data Breach Investigation Report
 
Attacchi e difese: l'esperienza del CSI Piemonte
Attacchi e difese: l'esperienza del CSI PiemonteAttacchi e difese: l'esperienza del CSI Piemonte
Attacchi e difese: l'esperienza del CSI Piemonte
 
Smau Milano 2016 - Marco Bozzetti, Aipsi
Smau Milano 2016 - Marco Bozzetti, AipsiSmau Milano 2016 - Marco Bozzetti, Aipsi
Smau Milano 2016 - Marco Bozzetti, Aipsi
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
 
Espionage (m)
Espionage (m)Espionage (m)
Espionage (m)
 
Operazioni mirate e malware di Stato nell'era della guerra cibernetica e del ...
Operazioni mirate e malware di Stato nell'era della guerra cibernetica e del ...Operazioni mirate e malware di Stato nell'era della guerra cibernetica e del ...
Operazioni mirate e malware di Stato nell'era della guerra cibernetica e del ...
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
 
Case study: Malware propagation models for undergraduate engineering students
Case study: Malware propagation models for undergraduate engineering studentsCase study: Malware propagation models for undergraduate engineering students
Case study: Malware propagation models for undergraduate engineering students
 
Dissecting Android APK
Dissecting Android APKDissecting Android APK
Dissecting Android APK
 
Advanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidAdvanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to android
 
Ht seminar uniten-cyber security threat landscape
Ht seminar uniten-cyber security threat landscapeHt seminar uniten-cyber security threat landscape
Ht seminar uniten-cyber security threat landscape
 

Semelhante a Reverse engineering malware

Reverse Engineering Malware
Reverse Engineering MalwareReverse Engineering Malware
Reverse Engineering Malwaresecurityxploded
 
Reversing and Decrypting the Communications of APT Malware (Etumbot)
Reversing and Decrypting the Communications of APT Malware (Etumbot)Reversing and Decrypting the Communications of APT Malware (Etumbot)
Reversing and Decrypting the Communications of APT Malware (Etumbot)securityxploded
 
Module 10 (session hijacking)
Module 10 (session hijacking)Module 10 (session hijacking)
Module 10 (session hijacking)Wail Hassan
 
Advanced malware analysis training session11 part2 dissecting the heart beat ...
Advanced malware analysis training session11 part2 dissecting the heart beat ...Advanced malware analysis training session11 part2 dissecting the heart beat ...
Advanced malware analysis training session11 part2 dissecting the heart beat ...Cysinfo Cyber Security Community
 
Famous C&C servers from inside to outside.
Famous C&C servers from inside to outside.Famous C&C servers from inside to outside.
Famous C&C servers from inside to outside.Senad Aruc
 
Surat peringatan kilat kepada Kelompok Ransomware Kuba
Surat peringatan kilat kepada Kelompok Ransomware KubaSurat peringatan kilat kepada Kelompok Ransomware Kuba
Surat peringatan kilat kepada Kelompok Ransomware KubaSystem 021
 
Ceh v5 module 10 session hijacking
Ceh v5 module 10 session hijackingCeh v5 module 10 session hijacking
Ceh v5 module 10 session hijackingVi Tính Hoàng Nam
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)Wail Hassan
 
Module 6 (trojans and backdoors)
Module 6 (trojans and backdoors)Module 6 (trojans and backdoors)
Module 6 (trojans and backdoors)Wail Hassan
 
Cisco Malware: A new risk to consider in perimeter security designs
Cisco Malware: A new risk to consider in perimeter security designsCisco Malware: A new risk to consider in perimeter security designs
Cisco Malware: A new risk to consider in perimeter security designsManuel Santander
 
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019Alexandre Borges
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsAndrea Bissoli
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysissecurityxploded
 

Semelhante a Reverse engineering malware (20)

Reverse Engineering Malware
Reverse Engineering MalwareReverse Engineering Malware
Reverse Engineering Malware
 
Reversing and Decrypting the Communications of APT Malware (Etumbot)
Reversing and Decrypting the Communications of APT Malware (Etumbot)Reversing and Decrypting the Communications of APT Malware (Etumbot)
Reversing and Decrypting the Communications of APT Malware (Etumbot)
 
Reversing and decrypting communications of apt malware
Reversing and decrypting communications of apt malwareReversing and decrypting communications of apt malware
Reversing and decrypting communications of apt malware
 
Module 10 (session hijacking)
Module 10 (session hijacking)Module 10 (session hijacking)
Module 10 (session hijacking)
 
Advanced malware analysis training session11 part2 dissecting the heart beat ...
Advanced malware analysis training session11 part2 dissecting the heart beat ...Advanced malware analysis training session11 part2 dissecting the heart beat ...
Advanced malware analysis training session11 part2 dissecting the heart beat ...
 
Famous C&C servers from inside to outside.
Famous C&C servers from inside to outside.Famous C&C servers from inside to outside.
Famous C&C servers from inside to outside.
 
Surat peringatan kilat kepada Kelompok Ransomware Kuba
Surat peringatan kilat kepada Kelompok Ransomware KubaSurat peringatan kilat kepada Kelompok Ransomware Kuba
Surat peringatan kilat kepada Kelompok Ransomware Kuba
 
Ceh v5 module 10 session hijacking
Ceh v5 module 10 session hijackingCeh v5 module 10 session hijacking
Ceh v5 module 10 session hijacking
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)
 
Stagefright (1)
Stagefright (1)Stagefright (1)
Stagefright (1)
 
Module 6 (trojans and backdoors)
Module 6 (trojans and backdoors)Module 6 (trojans and backdoors)
Module 6 (trojans and backdoors)
 
Cisco Malware: A new risk to consider in perimeter security designs
Cisco Malware: A new risk to consider in perimeter security designsCisco Malware: A new risk to consider in perimeter security designs
Cisco Malware: A new risk to consider in perimeter security designs
 
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
 
News bytes Oct-2011
News bytes Oct-2011News bytes Oct-2011
News bytes Oct-2011
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
 
Kali linux and hacking
Kali linux and hackingKali linux and hacking
Kali linux and hacking
 
Unveiling-Patchwork
Unveiling-PatchworkUnveiling-Patchwork
Unveiling-Patchwork
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systems
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
 
Hacking tutorial
Hacking tutorialHacking tutorial
Hacking tutorial
 

Mais de Cysinfo Cyber Security Community

Understanding Malware Persistence Techniques by Monnappa K A
Understanding Malware Persistence Techniques by Monnappa K AUnderstanding Malware Persistence Techniques by Monnappa K A
Understanding Malware Persistence Techniques by Monnappa K ACysinfo Cyber Security Community
 
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Understanding & analyzing obfuscated malicious web scripts by Vikram KharviUnderstanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Understanding & analyzing obfuscated malicious web scripts by Vikram KharviCysinfo Cyber Security Community
 
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TKGetting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TKCysinfo Cyber Security Community
 
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiA look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiCysinfo Cyber Security Community
 
Reversing and Decrypting Malware Communications by Monnappa
Reversing and Decrypting Malware Communications by MonnappaReversing and Decrypting Malware Communications by Monnappa
Reversing and Decrypting Malware Communications by MonnappaCysinfo Cyber Security Community
 
Understanding evasive hollow process injection techniques monnappa k a
Understanding evasive hollow process injection techniques monnappa k aUnderstanding evasive hollow process injection techniques monnappa k a
Understanding evasive hollow process injection techniques monnappa k aCysinfo Cyber Security Community
 
Security challenges in d2d communication by ajithkumar vyasarao
Security challenges in d2d communication by ajithkumar vyasaraoSecurity challenges in d2d communication by ajithkumar vyasarao
Security challenges in d2d communication by ajithkumar vyasaraoCysinfo Cyber Security Community
 

Mais de Cysinfo Cyber Security Community (20)

Understanding Malware Persistence Techniques by Monnappa K A
Understanding Malware Persistence Techniques by Monnappa K AUnderstanding Malware Persistence Techniques by Monnappa K A
Understanding Malware Persistence Techniques by Monnappa K A
 
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Understanding & analyzing obfuscated malicious web scripts by Vikram KharviUnderstanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
 
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TKGetting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
 
Emerging Trends in Cybersecurity by Amar Prusty
Emerging Trends in Cybersecurity by Amar PrustyEmerging Trends in Cybersecurity by Amar Prusty
Emerging Trends in Cybersecurity by Amar Prusty
 
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiA look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
 
Closer look at PHP Unserialization by Ashwin Shenoi
Closer look at PHP Unserialization by Ashwin ShenoiCloser look at PHP Unserialization by Ashwin Shenoi
Closer look at PHP Unserialization by Ashwin Shenoi
 
Unicorn: The Ultimate CPU Emulator by Akshay Ajayan
Unicorn: The Ultimate CPU Emulator by Akshay AjayanUnicorn: The Ultimate CPU Emulator by Akshay Ajayan
Unicorn: The Ultimate CPU Emulator by Akshay Ajayan
 
The Art of Executing JavaScript by Akhil Mahendra
The Art of Executing JavaScript by Akhil MahendraThe Art of Executing JavaScript by Akhil Mahendra
The Art of Executing JavaScript by Akhil Mahendra
 
Reversing and Decrypting Malware Communications by Monnappa
Reversing and Decrypting Malware Communications by MonnappaReversing and Decrypting Malware Communications by Monnappa
Reversing and Decrypting Malware Communications by Monnappa
 
DeViL - Detect Virtual Machine in Linux by Sreelakshmi
DeViL - Detect Virtual Machine in Linux by SreelakshmiDeViL - Detect Virtual Machine in Linux by Sreelakshmi
DeViL - Detect Virtual Machine in Linux by Sreelakshmi
 
Analysis of android apk using adhrit by Abhishek J.M
Analysis of android apk using adhrit by Abhishek J.M Analysis of android apk using adhrit by Abhishek J.M
Analysis of android apk using adhrit by Abhishek J.M
 
Understanding evasive hollow process injection techniques monnappa k a
Understanding evasive hollow process injection techniques monnappa k aUnderstanding evasive hollow process injection techniques monnappa k a
Understanding evasive hollow process injection techniques monnappa k a
 
Security challenges in d2d communication by ajithkumar vyasarao
Security challenges in d2d communication by ajithkumar vyasaraoSecurity challenges in d2d communication by ajithkumar vyasarao
Security challenges in d2d communication by ajithkumar vyasarao
 
S2 e (selective symbolic execution) -shivkrishna a
S2 e (selective symbolic execution) -shivkrishna aS2 e (selective symbolic execution) -shivkrishna a
S2 e (selective symbolic execution) -shivkrishna a
 
Dynamic binary analysis using angr siddharth muralee
Dynamic binary analysis using angr siddharth muraleeDynamic binary analysis using angr siddharth muralee
Dynamic binary analysis using angr siddharth muralee
 
Bit flipping attack on aes cbc - ashutosh ahelleya
Bit flipping attack on aes cbc - ashutosh ahelleyaBit flipping attack on aes cbc - ashutosh ahelleya
Bit flipping attack on aes cbc - ashutosh ahelleya
 
Security Analytics using ELK stack
Security Analytics using ELK stack Security Analytics using ELK stack
Security Analytics using ELK stack
 
Linux Malware Analysis
Linux Malware Analysis Linux Malware Analysis
Linux Malware Analysis
 
Introduction to Binary Exploitation
Introduction to Binary Exploitation Introduction to Binary Exploitation
Introduction to Binary Exploitation
 
ATM Malware: Understanding the threat
ATM Malware: Understanding the threat ATM Malware: Understanding the threat
ATM Malware: Understanding the threat
 

Último

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 

Último (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

Reverse engineering malware

  • 1.
  • 2. Monnappa K A  Member of Cysinfo  Info Security Investigator @ Cisco  Focus on Threat Intelligence  Reverse Engineering, Malware Analysis, Memory Forensics  Email: monnappa22@gmail.com  Twitter: @monnappa22  Blog: http://malware-unplugged.blogspot.in  Linkedin: http://in.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8
  • 3.  APT Malware - Etumbot  Etumbot Cyber Espionage Campaign  Demo 1 – Sandbox Analysis of Etumbot dropper  Demo 2 – Reverse Engineering the Communications of Etumbot Backdoor  Demo 3 – Decrypting the Communications of Etumbot Backdoor  References
  • 4.  Used in APT/Cyber espionage/targeted attacks  Associated with Chinese cyber espionage group (Numbered Panda, APT12, Calc team)  Sent to targets via spear phishing email  Targeted government organizations in Taiwan and Japan  Drops decoy documents of interest to Taiwanese and Japanese population  Also referred to as Exploz, Specfix and RIPTIDE
  • 5.
  • 6.
  • 7. Etumbot dropper (5340.exe) drops another file winlogdate.exe (which is Etumbot backdoor). The malware also adds a registry entry so that Etumbot backdoor can persist on the system
  • 8. Etumbot Backdoor (winlogdate.exe) connects to the C2 server with two communication patterns
  • 9. In the first communication pattern the malware receives response from the C2 server. The response looks like an encoded string
  • 10. In the second communication pattern the malware sends a request, which looks like a request to download an image file (.jpg), but the string before .jpg looks like an encrypted string. In order understand these communication patterns, lets reverse engineer the Etumbot backdoor
  • 11.
  • 12. Etumbot Backdoor calls the below function. This function implements the First Communication pattern, this function calls multiple functions as shown in the call graph below
  • 13. The malware uses below API call to open an http session with the C2 Server (wwap.publiclol.com)
  • 14. Etumbot Backdoor uses below API call to create an http handle and the below screenshot shows the object the malware is going to request in the http request.
  • 15. Etumbot Backdoor uses below API call to send the request and the C2 server sends an encoded response to the backdoor.
  • 16. Etumbot backdoor receives the encoded response from the C2 using the below API
  • 17. Etumbot backdoor passes the received content to the custom base64 algorithm which decodes the received content and extracts the RC4 key starting at offset 8. This RC4 key is used to encrypt subsequent communications. It can be deduced that the first communication pattern is used by the malware to receive the RC4 key from the attackers.
  • 18. Etumbot Backdoor calls the below function. This function implements the Second Communication pattern, this function calls multiple functions as shown in the call graph below
  • 19. Etumbot Backdoor collects the system information (hostname, username, ip and proxy details) and passes it to the RC4 function (with the RC4 key retrieved from the first communication).
  • 20. The collected system information is encrypted with RC4 key which was retrieved from the first communication. Below screenshot shows the RC4 encrypted system information
  • 21. The RC4 encrypted system information is then passed to the custom base64 encoding function as shown below
  • 22. The RC4 encrypted system information is then encoded with custom base64 encoding algorithm as shown below.
  • 23. The base64 encoded string is then concatenated with /image/ and .jpg to form a final string as shown below
  • 24. The malware connects to the C2 server (wwap.publiclol.com) using the concatenated string as the http request pattern.
  • 25. Malware sends the http request as shown below. As you can see from packet capture the encrypted system information is sent to the attackers this way. Now we know how malware decodes the RC4 key from first communication and how that RC4 key is used to encrypt subsequent communications. We can write decryptors to extract the RC4 key and to decrypt the communications.
  • 26.
  • 27. Below screenshot shows the python script (get_key.py) which takes encoded response from C2 server as input, then decodes it and extracts the RC4 key
  • 28. Below screenshot shows the encoded response from C2 server. This encoded response is given to the script which decoded and extracted the RC4 key
  • 29. Below screenshot shows the script to decrypt subsequent communications using the RC4 key obtained from first communication
  • 30. Below screenshot shows the encrypted string. The script takes the encrypted string and decrypts it. The decrypted output is the information (hostname, username, ip, proxy details) collected from the system, where the malware was run (in this case sandbox machine)
  • 31. a) ARBOR Networks Report on Etumbot http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/ b) FireEye’s Blog post http://www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group- 2.html