
Rootkit?



Also, this thing was floating around in the Chinese "wild" for over a year? Per VT:

Quote

History

Relevant dates related to the file being studied.
 
Creation Time 2017-02-28 06:00:26
First Submission 2018-06-23 02:31:28
 
Edited by itman

  • ESET Moderators

Hello guys,

I do not have access to that sample personally, do you happen to know what it does, i.e. what kind of rootkit-like behavior does it perform?

Regards, P.R.


Microsoft IDs it as Trojan:Win32/Tiggre!rfn. This malware is indeed classified as a PUA per this article: https://www.pcrisk.com/removal-guides/12616-trojan-win32tiggrerfn-virus .

Also, I see no reason why a PUA could not exhibit rootkit behavior, e.g. s5Mark. So we might be in a "chicken or the egg" scenario here. One thing that is common in this type of malware is that it is usually bundled in free crapware and needs to be installed to be functional.

Edited by itman

6 hours ago, Peter Randziak said:

Hello guys,

I do not have access to that sample personally, do you happen to know what it does, i.e. what kind of rootkit-like behavior does it perform?

Regards, P.R.

Hi, I've sent you a message with the link to the sample, thanks.


18 hours ago, itman said:

Is this bugger always bundled in another software installer, or can it be downloaded stand-alone?

I am not sure, it seems to be legitimate software/PUA, but some apparently flag it as a rootkit?


5 hours ago, 0xDEADBEEF said:

I am not sure, it seems to be legitimate software/PUA, but some apparently flag it as a rootkit

In the recent incident I posted here: https://forum.eset.com/topic/15967-does-eset-detect-s5mark-as-uapua-or-malware/ , the attack involved an installer with s5Mark adware along with a malicious kernel mode device driver that was validly signed with a stolen certificate. Hence the "rootkit" connotation in these incidents.


23 hours ago, Daedalus said:

If you have the file, you can use the following website to see what it does:

https://www.hybrid-analysis.com/

Cool, I have the analysis report attached here:

https://www.hybrid-analysis.com/sample/ed3d2b851d8427973ef3bff301e4cc09d9422fb38a2bd4ab85b339d87ee177d6/5b47ac647ca3e10e8b151f68

https://www.hybrid-analysis.com/sample/1b6c9775414e8206bada248c461f2ac62af17e68bafef8391c1716879ab3e83f/5b47b0c07ca3e145ff6dff53

Now ESET detects it as a dropper, btw.


5 hours ago, 0xDEADBEEF said:

I am posting below screenshots of MITRE's process activity indicators from the above analyses. Orange = suspicious and red = malicious. Mitre.org maintains a web site that is updated with various malware techniques. Hybrid-Analysis uses CrowdStrike's Falcon AI engine running in the Cuckoo sandbox, I believe. I also assume it factors existing VirusTotal AV detections in rendering its final process malicious status:

1.exe - Malicious

[Screenshot: MITRE process activity indicators for 1.exe]

2.exe - Malicious

[Screenshot: MITRE process activity indicators for 2.exe]

Clearly, 2.exe is the more malicious of the pair. Also, do note both malware samples' use of RDP if it's available. -EDIT- 2.exe spawns 1.exe as a child process, indicating most of 2.exe's malicious activity is attributable to this relationship.

Finally, note the following analysis extract. Perhaps this is where the "rootkit" connection came from. I see no driver creation activities from either malware sample. 

Quote

Opens the Kernel Security Device Driver (KsecDD) of Windows 

details
"<Input Sample>" opened "\Device\KsecDD"
"MorphVOXPro4_Install-1.exe" opened "\Device\KsecDD"
"1.exe" opened "\Device\KsecDD"
"setup.exe" opened "\Device\KsecDD"
"mscorsvw.exe" opened "\Device\KsecDD"
"VSSVC.exe" opened "\Device\KsecDD"
source
API Call
 
Edited by itman

1 hour ago, itman said:

Hybrid-Analysis uses CrowdStrike's Falcon AI engine running in the Cuckoo sandbox, I believe

They are using their own in-house kernel logging sandbox... The current version of Cuckoo is too easy for sandbox evasion.

Is MITRE ATT&CK a sandbox service? The visualization seems pretty nice, and more behaviors of these two samples get unrolled.


It is also questionable if this attack would have succeeded on Win 10 1607+. It is going after lsass.exe to escalate itself to System level which it would need to access the kernel mode KsecDD driver. Lsass.exe starting with Win10 1607 runs as Protected Process - Light. This should have prevented the malware from gaining access to lsass.exe. That is unless the malware employed a PPL bypass which do exist. One would need to do a thorough code examination for that. If so employed, this would indeed make this a very interesting malware sample.

Edited by itman
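The post above hinges on whether lsass.exe is actually running as a Protected Process Light on the host in question. An added example, not from this thread or from any of the vendors mentioned: a PowerShell check of the documented LSA protection setting (the RunAsPPL value under the Lsa registry key) plus a pull of the Code Integrity audit events that are written when LSA protection is in audit mode. The function names are my own; the registry value, log name and event IDs are the ones Microsoft documents for "additional LSA protection". Run it in an elevated session.

```powershell
# Added example (not from the thread): report whether LSA protection
# (lsass.exe as Protected Process Light) is configured on this host.
# Assumption: elevated PowerShell on Windows 8.1 / Server 2012 R2 or later.

function Get-LsaProtectionStatus {
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # RunAsPPL: 1 = LSA protection enabled; 2 = enabled and locked with a UEFI
    # variable on newer builds. Absent or 0 = lsass.exe is not protected.
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name 'RunAsPPL' `
                    -ErrorAction SilentlyContinue).RunAsPPL

    $lsass = Get-Process -Name lsass -ErrorAction SilentlyContinue | Select-Object -First 1

    [PSCustomObject]@{
        RunAsPPL          = $(if ($null -eq $runAsPpl) { 'not set (protection off)' } else { $runAsPpl })
        LsassPid          = $(if ($lsass) { $lsass.Id } else { 'not found' })
        ProtectionEnabled = ($runAsPpl -eq 1 -or $runAsPpl -eq 2)
    }
}

function Get-LsaProtectionAuditEvents {
    # While LSA protection runs in audit mode, plug-ins and drivers that would
    # have been blocked are logged as events 3065/3066 in the Code Integrity
    # operational log. Reviewing these before enforcing avoids breaking
    # legitimate LSA plug-ins (password filters, authentication packages).
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3065, 3066
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-LsaProtectionStatus | Format-List
Get-LsaProtectionAuditEvents | Format-Table -AutoSize
```

If RunAsPPL is absent, a process holding the debug privilege can still open lsass.exe with full access, so the PPL argument in the post does not apply to that host; if it is set to 1 or 2, an attempt to open lsass.exe from an unprotected process fails, and any access that does succeed is worth treating as evidence of a PPL bypass and investigating as such.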
