Carbon Black & VMware Announce Expanded Partnership to Secure the Software-Defined Data Center (SDDC) Learn more

When Tackling LATENTBOT Look at the Big Picture, Not Just Individual Functions

malware (1)
Hex_Thirds
January 31, 2016 / Russell Nolen

One of the most unique capabilities of LATENTBOT, a relatively new piece of memory-resident malware, is its ability to operate in memory and not on disk. This sounds like something that keeps IR teams up at night, but there is no reason to panic. Let’s take a closer look at LATENTBOT’s forensic footprints.

Memory-only malware can pose a significant threat and is something that information security professionals should be able to handle. In the case of LATENTBOT, we should take a look at some of its static attributes, and how it loads itself into memory.

When looking at our sample, let’s take a look at the files details in CFF Explorer:

exe-details.PNG

This is not the stealthiest set of descriptors for a file I have ever seen. Inside of Carbon Black, we can issue the following queries to find this specific (MD5 hash: af15076a22576f270af0111b93fe6e03) process:

  • product_name:L4WFYURvmkt
  • company_name:iPD4NeO
  • legal_copyright:”Copyright (C) 2005-2014 Qh8tnb PTaRjJOa6JY”
  • legal_copyright:”Copyright (C) 2005-2014 Qh8tnb PTaRjJOa6JY” or  company_name:iPD4NeO or  product_name:L4WFYURvmkt

When the malware is executed on a system it is actually quite loud. It does things like:

  • Create large binary blobs in the registry:

google-registry.png

  • Add strange file system artifacts, this sample has the directory and executable name hard coded into it and not dynamically generated:

latent-rename-file.png

  • Execute odd child processes:

The process execution is the most interesting piece of LATENTBOT. The process execution mechanism is what the bot utilizes for getting code into memory. LATENTBOT utilizes the following process, hollowing techniques on the processes to place code into their memory and execute it:

  1. Start a process in a suspended state utilizing the CreateProcess API utilizing the CREATE_SUSPENDED in the fdwCreate parameter.
  2. Unmaps (hollows out) the code in memory to the suspended process (utilizes the API NTUnmapViewOfSection.)
  3. Allocates memory for the code to be used in the hollow area of the suspended process (in this case the malware utilizes NtAllocateVirtualMemory with the new area in memory marked as executable.)
  4. Writes its custom code into the newly allocated memory using the WriteProcessMemory API
  5. Prepares the registers for fully starting the new process. To prepare the registers, the malware uses the NtSetContextThread API.
  6. Once everything is ready, the malware calls NtResumeThread to allow the suspended process to start. When the API CreateProcess is utilized with the CREATE_SUSPENDED flag, the OS places a halt on the main thread of the process, the NtResumeThread starts the suspended main thread of the newly spawned process.

Below are a few images of what the process hollowing looks like in Cuckoo Sandbox:

process_start_suspended_state.png

resume-thread.png

write-process-memory.png

Cuckoo even has a signature for this type of behavior as seen below:

cuckoo-signatures.png

Our analysis leads us to this conclusion: While LATENTBOT contains advanced methods of obfuscating what it is currently doing, we should take a larger look at all of its pieces that allow it to get to this point in execution. Process hollowing is not a new technique. It has been documented in various books and blog posts since 2011.

Utilizing a Carbon Black query we can search for this sample’s behavior.

Adding data to the Google update section of the registry:

  • regmod:*\software\google\update\network”

We can watch for an xml file being renamed to an executable with this one:

  • filemod:AppData\Roaming\*.xml AND filemod:AppData\Roaming\*.exe -digsig_publisher:”Microsoft Corporation”
    • Caveat: This will remove processes such as cmd.exe that have this type of behavior. This query can be highly dependent upon your environment.
    • For hunting purposes you can run the query without the
      -digsig_publisher:”Microsoft Corporation” option.

Watching for the strange process execution we can look utilize the following query:

  • (childproc_name:svchost.exe or childproc_name:regasm.exe or childproc_name:cvtres.exe)  digsig_result:”Unsigned”

LATENTBOT’s ability to obfuscate operations in memory is important to note and to watch out for, but it is important to look at the malware as a whole vs. its individual functions when evaluating it as a threat. Holistic visibility is critical for both detection and retrospection.

TAGS: bit9 / Carbon Black / fireeye / LATENTBOT / malware / memory malware / research

Related Posts