{"id":114,"date":"2019-04-02T09:50:29","date_gmt":"2019-04-02T07:50:29","guid":{"rendered":"https:\/\/192.168.10.2\/blog\/?p=114"},"modified":"2019-05-16T12:40:22","modified_gmt":"2019-05-16T10:40:22","slug":"orangeworm-group-kwampirs-analysis-update","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/orangeworm-group-kwampirs-analysis-update\/","title":{"rendered":"ORANGEWORM GROUP \u2013 KWAMPIRS ANALYSIS UPDATE"},"content":{"rendered":"\n

The OrangeWorm group was named and described by the Symantec Company in different blog entries [1]<\/a> [2]<\/a>. We would highlight from these entries that it is a group that has been operational since 2015 and is focused on attacking the health<\/strong>, pharmaceutical, technological, manufacturing and logistics sectors. The sector most affected is healthcare<\/strong> as described by Symantec.<\/p>\n\n\n\n

Based on this information, Lab52 has carried out an in-depth study of\n the Kwampirs tool (OrangeWorm\u2019s main tool) used by this group.<\/p>\n\n\n\n

Next, the RAT (Remote Administration Tool) in Dll format and the main binary or orchestrator of the infection will be analyzed.<\/p>\n\n\n\n

Technical analysis of Kwampirs Dropper<\/h3>\n\n\n\n

Within its arsenal, OrangeWorm has a RAT in DLL format whose \nexecution and lateral movement is carried out by an executable together \nwith the one that composes the threat known as Kwampirs.<\/p>\n\n\n\n

Regarding the executable, which we will call \u201cKwampirs Dropper\u201d \ninitially highlight its resources, among which are two images with \ncorrupt sections. One of which consists of the DLL with RAT capabilities\n encrypted with an XOR key that in each execution extracts, decrypts and\n executes:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

This threat has a first execution block, in charge of decrypting all \nthe text strings that it will use and which are encrypted in its \u201c.data\u201d\n section with a relatively obfuscated XOR algorithm in order to make \ndetection and decryption difficult. After deciphering its strings, it \nextracts the creation and modification dates from User32.dll and \ncollects information about the operating system it is on. From this \npoint, its logic can be divided into 4 different paths, depending on the\n number of parameters, which provide different functionalities for each \nstage of infection of the threat.<\/p>\n\n\n\n

In order to provide the greatest clarity to this report, the order of\n description of the 4 possible ways of execution of the Kwampirs dropper\n will follow that of an infection of this threat, instead of the number \nof parameters incrementally:<\/p>\n\n\n\n

Execution with a parameter<\/strong><\/p>\n\n\n\n

The logic that contains the section of code that is executed when it \nreceives a single parameter, is that of a hypothetical installation of \nthe threat, manually, or through a dropper.<\/p>\n\n\n\n

It should be noted that this section is completely dependent on \nhaving administrator privileges, and in case of not having them, in many\n points of the execution jumps directly to the end of the logic, thus \nending its execution.<\/p>\n\n\n\n

First, check the existence of the file \u201cC:\\Windows\\inf\\IE11.PNF\u201d, its\n size (66Bytes) and if it has enough privileges to access it.
\nIf it detects that it already exists (which would indicate that the \ncomputer is already infected) or that it does not have enough privileges\n (which would prevent it from performing the rest of the logic) it ends \nthe execution. If it does not exist and has sufficient privileges, it \ncreates the persistence service.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

This service generates it with a hardcoded name and data in the \nstrings that it has decrypted at the beginning of its execution, and \nemphasizes that it points to an executable with the name it has at that \nmoment, but in %System32% even though it has not been observed that it \ncopies itself to that route at any time. This implies that along with \nbeing run with administrator privileges, it also requires having been \ninstalled on that route by other means.<\/p>\n\n\n\n

After creating the service, it starts it, this time without any \nparameter, which gives way to another execution path within its logic.
\nFinally, it creates the file called ie11.PNF in which it writes 66 random bytes:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

In the previous capture, you can see how it creates a buffer of \n66Bytes, which it fills with random bytes, and passes it as a parameter \nto a function that we have called \u201cCreateFileWith2tmp\u201d along with a \nstring, which in this case contains \u201cC:\\Windows\\inf\\ie11.PNF\u201d.<\/p>\n\n\n\n

The function \u201cCreateFileWith2tmp\u201d uses it constantly for the creation\n of each one of the files related to this threat, and is in charge of \ngenerating two temporary files, in one it stores the first Byte of the \nbuffer it receives as the second parameter, in the second file it stores\n the rest of the buffer, after which, it executes the following command \nto concatenate the content of both, and store it in a new file with the \nname that it has received as the third parameter.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

After generating this file, it finishes its execution, having started\n another instance of its own, as a service, and without parameters.<\/p>\n\n\n\n

Execution without parameters<\/strong><\/p>\n\n\n\n

When the threat starts without parameters, after its first string \ndecryption block and collection of system information, it makes a call \nto the Microsoft API \u201cStartServiceCtrlDispatcherW\u201d responsible for \ninitiating the logic of a Windows service, after which it ends. \nTherefore, if it is not started as a service, it is not able to perform \nany action.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

If it is loaded as a service, after a first execution of its binary \nwith a parameter, for example, the API \u201cStartServiceCtrlDispatcherW\u201d \npasses the execution flow of the application to a function of the \nbinary.<\/p>\n\n\n\n

This function consists in a first verification of the existence and \ncapacity of access to the file \u201cC:\\Windows\\inf\\mtmndkb32.PNF\u201d if it \nfinds a recent and accessible version of this one, it continues its \nnormal execution, in case of not finding it or having problems of access\n to it, it goes through the processes in search of the copies of itself \nthat it generates to run with 2 and 3 parameters, and in search of its \nmodules to finish these processes and later, to eliminate these \nexecutables, as a cleanup.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Regardless of whether it finds the PNF file or not, it enters an \ninfinite \u201cwhile (! 0)\u201d loop, which is in charge of keeping its module in\n DLL format running and maintaining a copy of itself, running with two \nparameters, which is in charge of the lateral movement by SMB of the \nthreat.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

The infinite loop, first, looks for instances of its module in DLL \nformat in execution, in case of not finding it, it calls a function that\n takes charge of extracting from its resources the image mentioned at \nthe beginning of the report, trimming the corrupt section, decrypting it\n with an XOR key of 16Bytes, using the following algorithm:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

and store the result in System32 with one of the following names with extension \u201c.dll\u201d:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Once you have the module on disk, run it through Microsoft executable \u201crundll32.exe\u201d passing the following parameters:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

It then calls a function whose sole purpose is to call a one-minute \n\u201cSleep\u201d 20 times, causing his execution to pause for a period of 20 \nminutes.<\/p>\n\n\n\n

After 20 minutes, it makes a call to a function that if it does not \nfind an instance of itself running with 2 parameters, it makes a copy of\n its own binary with one of the following names:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

And it executes it with two parameters using the Microsoft API \nCreateProcessAsUserW, which allows it to add the token of the current \nuser as the creator of the process, so that the process is executed in \nits session:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

After this, it performs a Sleep with a random value between 1 and 3 \nminutes, and repeats the same execution flow, thus ensuring that both \nits module in DLL format and its replica running with two parameters are\n kept running.<\/p>\n\n\n\n

At this point, we are running the process of the main Kwampirs \ndropper, loaded as System by the persistence service, an instance of \nrundll32, also as System generated by the process itself without \nparameters, and a second instance of the executable, this time with the \ncredentials of the user who has logged in, thanks to the use of the \n\u201cCreateProcessAsUserW\u201d API for its creation:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Execution with 2 parameters<\/strong><\/p>\n\n\n\n

When the threat is executed with two parameters, after its first \nstring decryption block and collection of system information, it goes \ndirectly to a function in charge of scanning private IPs, which it tries\n to access by SMB in order to check its access and infection capacity.<\/p>\n\n\n\n

To do this, it first generates a Thread, which through the Microsoft \nAPI \u201cGetTcpTable\u201d obtains the list of IPv4 connections of the system, \nfrom which it filters all those that are through ports 445 and 138, so \nit is able to isolate those related to SMB traffic, afterwards it tries \nto infect these IPs directly.<\/p>\n\n\n\n

To make sure it does not miss any computer to which the user has \naccess, but which is not found on the table, the main thread of the \nthreat scans the entire subnet of the computer, trying to infect all its\n possible IP addresses.<\/p>\n\n\n\n

When the main Thread finishes scanning the computer\u2019s subnet. It \nenters a last zone of code, which generates random private \u201c\/ 24\u201d \nsubnets and scans them completely, in order to try to access subnets \ndifferent from that of the infected computer, but accessible by it.<\/p>\n\n\n\n

Each of the IP addresses generated by these three subnet scan \napproaches is passed to a function that attempts to infect them by \ntrying to access any of the following units via SMB:<\/p>\n\n\n\n