System Administrator finds a suspicious dll running named as “COM APPLICATION SUPPORT.DLL” and raises a security concern.
We started the analysis by loading the file to check for any known packers. The output of the tool suggested against any such packers as shown below.
Loading the file in IDA we could see that all the functions were encrypted revealing no information about the behavior of the code. We were able to identify the following functions relevant to the DLL.
We were able to identify the function which has encrypting the binary and hence evading the AV’s for stealth operation on the system. The function in concern is shown below
def decrypt(leng, loc, key): t1 = key t2 = key t3 = key t4 = key out = '' for i in range(leng): t1 = (t1 - (t1 << 0x3) - 0x3)&0xffffffff t2 = (t2 - (t2 << 0x5) - 0x5)&0xffffffff t3 = (t3 + (t3 << 0x7) + 0x7)&0xffffffff t4 = (t4 + (t4 << 0x9) + 0x9)&0xffffffff c = chr(Byte(loc) ^ ((t1 & 0xff) + (t2 & 0xff) + (t3 & 0xff) + (t4 & 0xff))&0xff) #unicode if ord(c) != 0: out = out + str(c) loc = loc + 1 return out func = 0x10006ab0 callers = list(CodeRefsTo(func, 1)) for i in range(len(callers)): neg = 0 if Byte(callers[i] - 0x03) != 0x8D: neg = 3 key = Dword(callers[i] - 0x0E - neg) size = Byte(callers[i] - 0x09 - neg) data = Dword(callers[i] - 0x07 - neg) dec = decrypt(size, data, key) print "%X %s" % (callers[i], dec) #MakeComm(callers[i] - 0x08 - neg, dec)
We were then able to understand the operations that were being performed by the DLL.
The DLL could be run using one of 4 commands.
• Rundll32.exe malware.dll PteGa 0
o Persistent Install of Malware and Run
• Rundll32.exe malware.dll PteGa 1
o Persistent Install of Malware And Exit
• Rundll32.exe malware.dll PteGa 2
o Run Keylogger (%WINDIR%/SYSTEM32/intel.dat)
• Rundll32.exe malware.dll PteGa 3
o Control Other Threads on the System
The DLL has capabilities to adjust to different operating systems from XP-Windows8 and Server editions as well. It uses different methods to bypass UAC or gain privileges for persistence on the installed system.
Multiple malicious functions were found, some of the critical being
o Starts network sniffer on the machine.
o Used to create a remote shell on the server granting complete control of machine.
o A telnet server to send in commands.
During the dynamic analysis we found the server connected to a web server to seek for updates as shown below
The domain webmailserver.homelinux.com now resolves to 127.0.0.1. Which indicates an inactive state of the Command and Control Server.
A POST request of the following format was being sent to the server.
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
This malicious binary is a variant of the DESTROY RAT (Remote Administration Tool). The malware seems to have been deployed in other APT attacks mostly on the Industrial Sector. It offers a lot of functionality to the attacker some of which were shown in the above analysis.