{"id":2549,"date":"2024-02-19T08:47:33","date_gmt":"2024-02-19T07:47:33","guid":{"rendered":"https:\/\/lab52.io\/blog\/?p=2549"},"modified":"2024-02-29T15:08:49","modified_gmt":"2024-02-29T14:08:49","slug":"pelmeni-wrapper-new-wrapper-of-kazuar-turla-backdoor","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/pelmeni-wrapper-new-wrapper-of-kazuar-turla-backdoor\/","title":{"rendered":"Pelmeni Wrapper: New Wrapper of Kazuar (Turla Backdoor)"},"content":{"rendered":"\n

Turla is an APT group allegedly linked to the intelligence service FSB (Federal Security Service) from the Russian Federation. This threat actor is specifically in the Center 16 unit, which carries out the collection of radio-electronic intelligence on communications facilities. Moreover, the Center 16 is in charge of intercepting, decrypting and processing the electronic message and the technical operation of compromising foreign targets.  <\/p>\n\n\n\n

Turla\u2019s activity dates back as far as 2004. This actor often carries out exploitation campaigns against organizations from the former Soviet Union countries. Turla usually targets organizations from several sectors as: governments, research centers, embassies, energy, telecommunications and pharmaceutical among other sectors. <\/p>\n\n\n\n

This research has resulted in a set of samples which have been found in VirusTotal during early 2024. Below is a timeline of the publicly known samples. <\/p>\n\n\n\n

\"\"
Samples timeline<\/figcaption><\/figure><\/div>\n\n\n\n

In particular, in this article, one of the samples used in one of the latest campaigns (sample #6). This investigation reveals how Turla is using a new wrapper of Kazuar as part of their infection chain<\/strong>. The most prominent aspects of the analysis leading to the extraction of Kazuar and the peculiarities of the identified sample compared to others previously seen in the field are detailed below. <\/p>\n\n\n\n

Infection Chain<\/h1>\n\n\n\n

As will be detailed later, the attack is quite targeted, so it is possible that the actors have deposited this piece of malware on the computer after a previous infection. <\/p>\n\n\n\n

In order to hide the malware, the actors make use of the Sideload DLL technique, spoofing legitimate libraries related to “SkyTel<\/strong>“, “NVIDIA GeForce Experience<\/strong>“, “vncutil<\/strong>” or “ASUS<\/strong>“. <\/p>\n\n\n\n

\"\"
Pelmeni Wrapper’s structure<\/figcaption><\/figure><\/div>\n\n\n\n

As a result, when the legitimate application is executed, the malicious Dll (We’ve dubbed it Pelmeni Wrapper<\/strong>) is loaded  and the infection continues. The resulting infection chain would be as follows :<\/p>\n\n\n\n

\"\"
Infection chain<\/figcaption><\/figure><\/div>\n\n\n\n

For the analysis we will use the most recent sample we have found in public sources, where it has up to 39 detections.<\/p>\n\n\n\n

LaunchGFExperienceLOC.dll<\/strong><\/td>15f5e4808549ff67a79f84e23659da912ebbc1dc7c7b100c12b72384a27e412a<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\"\"
Pelmeni Wrapper’s detections<\/figcaption><\/figure><\/div>\n\n\n\n

The DLL does not provide much information since most of its content is encrypted. The most interesting thing is the name of its exported functions  that appear to be randomly generated.<\/p>\n\n\n\n

\"\"
Pelmeni Wrapper’s exports<\/figcaption><\/figure><\/div>\n\n\n\n

Pelmeni Wrapper (Wrapper DLL)<\/h1>\n\n\n\n

Through the analysis of LaunchGFExperienceLOC.dll, we see at the EntryPoint, 3 main functions that will guide the program. <\/p>\n\n\n\n

\"\"
Pelmeni Wrapper’s entry point<\/figcaption><\/figure><\/div>\n\n\n\n

The first function “PrintLog<\/strong>” is in charge of creating a file in the %TEMP%<\/strong> folder that prints what it is doing. This file has a random name and extension, decoded using an XOR algorithm. <\/p>\n\n\n\n

\"\"
XOR decryption function<\/figcaption><\/figure><\/div>\n\n\n\n

At this point it would print “DLL_PROCESS_ATTACH” because the executable has  loaded the DLL. <\/p>\n\n\n\n

\"\"
Pelmeni Wrapper’s log file<\/figcaption><\/figure><\/div>\n\n\n\n

The next EntryPoint function is “LoadFunction<\/strong>” which is responsible for executing one of the exported DLL functions. <\/p>\n\n\n\n

\"\"
“LoadFunction” function<\/figcaption><\/figure><\/div>\n\n\n\n

To decrypt the function name, the malware uses a hash generated by the victim’s “ComputerName” xored by a constant. The algorithm used to hash the computer name is Jenkins’ one_at_a_time<\/a>. This hash will be used as a seed in the pseudorandom number generator algorithm ranqd1<\/strong>. The generated values will be used to decrypt the function name. <\/p>\n\n\n\n

\"\"
Jenkin’s one_at_a_time algorithm<\/figcaption><\/figure><\/div>\n\n\n\n

The execution continues with the “Wvoouo<\/strong>” method that goes through all the threads of the running process and suspends them, except for the current thread. After this, Pelmeni prints “After CSPT” in the log, which could be a reference to “Check Suspend Threads”. <\/p>\n\n\n\n

\"\"
“Wvoouo” function managing threads<\/figcaption><\/figure><\/div>\n\n\n\n

After this the program executes “LoadFunctions<\/strong>” which loads and executes 3 functions as before.<\/p>\n\n\n\n

\"\"
Load 3 new functions<\/figcaption><\/figure><\/div>\n\n\n\n

In the first function “Gcqiprj<\/strong>” we can see how, by means of CreateThread(), it creates a thread that will continue with the execution of the wrapper.  <\/p>\n\n\n\n

\"\"
“Gcqiprj” function creating thread<\/figcaption><\/figure><\/div>\n\n\n\n

However, instead of executing that part of the code, it saves its address (0x703C1785) to later redirect the execution flow to it.<\/p>\n\n\n\n

\"\"
“Gcqiprj” function saving execution address<\/figcaption><\/figure><\/div>\n\n\n\n

The next function \u201dUrjhmeuo<\/strong>\u201d accesses the contents of that address (0x703C1785<\/strong>) and copies the entire contents to another memory space, which it will execute. In addition, it adds the instruction “push eax<\/strong>” (0x50 x56) at the beginning to keep the state of the stack correctly. of the stack. <\/p>\n\n\n\n

\"\"
\u201cUrjhmeuo\u201d function copying memory to make it executable<\/figcaption><\/figure><\/div>\n\n\n\n

The last function \u201cRgdpeyg<\/strong>\u201d traces the execution stack to find the “LoadLibrary” function and load the new address, to completely change the execution flow. Finally, Pelmeni prints in the log file “After EFD” which could stand for “Execution Flow Deviation”. <\/p>\n\n\n\n

\"\"
\u201cRgdpeyg\u201d function redirecting the execution \ufb02ow<\/figcaption><\/figure><\/div>\n\n\n\n

At this point, the malware will execute the thread it had previously prepared. This thread will decrypt a .NET assembly and execute it from memory. Additionally, while Pelmeni runs .NET in the background, it checks the connection by making requests to Google.<\/p>\n\n\n\n

\"\"
dotNET binary execution thread<\/figcaption><\/figure><\/div>\n\n\n\n

As seen the attack is totally targeted, as if the malware is executed on an other machine, it will not be able to continue the infection. Fortunately, the algorithm used to to decrypt the payload and the one used to decrypt the exports is the same, which makes it vulnerable to brute force attacks.<\/p>\n\n\n\n

The following section describes the analysis of the .NET binary extracted.<\/p>\n\n\n\n

Kazuar (DotNET)<\/h1>\n\n\n\n

Analyzing the code, we observe that it is obfuscated and encrypted. The algorithm used is a substitution algorithm reminiscent of the one used by Kazuar<\/strong> (Turla backdoor)<\/strong>. The hypothesis is con\ufb01rmed when comparing our sample with the sample analyzed in the Unit42 article<\/a>.<\/p>\n\n\n\n

\"\"
CaesarCipher implementation<\/figcaption><\/figure><\/div>\n\n\n\n

Kazuar is a mutiplatform trojan used by Turla and discovered in 2017<\/strong>, it is often seen in infections targeting specific objectives, with the sample tailored to the targeted entity.<\/p>\n\n\n\n

Considering the Unit42 article, in this case the backdoor shows two differences detailed bellow:<\/p>\n\n\n\n

  • New protocol used for exfiltration<\/li>
  • Different log’s folder<\/li><\/ul>\n\n\n\n

    Exfiltration methods<\/h2>\n\n\n\n

    Up to now, it was publicly known that Kazuar supports 5 protocols for exfiltration. The version of Kazuar described here allows the exfiltration of data using socket<\/strong>.<\/p>\n\n\n\n

    \"\"
    Exfiltration protocols<\/figcaption><\/figure><\/div>\n\n\n\n
    \"\"
    Socket protocol<\/figcaption><\/figure><\/div>\n\n\n\n

    Based on this, it wouldn’t be unreasonable to think that other variations of this sample might also include additional protocols.<\/p>\n\n\n\n

    Log’s folder<\/h2>\n\n\n\n

    Another variation in this sample compared to previous reports is the directory used for logs, as shown in the following image.<\/p>\n\n\n\n

    \"\"
    Kazuar’s log file<\/figcaption><\/figure><\/div>\n\n\n\n

    However, this should be considered a minor variation that could be seen in other samples.<\/p>\n\n\n\n

    Conclusions<\/h1>\n\n\n\n

    This article analyzes a new sample used in Turla campaigns. The sample employs a wrapper that we’ve nicknamed Pelmeni, and deploys the Kazuar malware, with some peculiarities different from those seen in previous articles about this type of sample.<\/p>\n\n\n\n

    There are samples of the malware available in public sources, although their content is encrypted, which can hinder identification. In the case at hand, the differences of this new threat are shown, and indicators of compromise are provided to aid in its possible detection.<\/p>\n\n\n\n

    Additionally, in the IOCs summary, the IOCs values highlighted during this post are included. But, also, the hashes for the samples used in the “samples timeline” are provided.<\/p>\n\n\n\n

    IOCs<\/h1>\n\n\n\n

    Sample #6 [13\/02\/2024]<\/h2>\n\n\n\n
    LaunchGFExperienceLOC<\/strong>.dll <\/strong>(Pelmeni Wrapper)<\/td>15f5e4808549ff67a79f84e23659da912ebbc1dc7c7b100c12b72384a27e412a   <\/td><\/tr>
    Relapsed.exe<\/strong>
    (Kazuar)<\/td>    		7ae9768b79a6b75f814a1b7afaf841b1a4b7ba803b3d806823e81d24a84fd078   <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
    Pelmeni Wrapper’s log file<\/strong><\/td>%TEMP%\\dbtesdnni.wic <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

    Kazuar folder<\/strong>s<\/h3>\n\n\n\n
    C:\\\\ProgramData\\\\utils\\\\drivers\\\\data<\/td><\/tr>
    C:\\\\ProgramData\\\\inp\\\\test<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

    Sample #5 [28\/01\/2024]<\/h2>\n\n\n\n
    asio.dll <\/strong><\/strong>(Pelmeni Wrapper)<\/td>cccd6327dd5beee19cc3744b40f954c84ab016564b896c257f6871043a21cf0a <\/td><\/tr>
    Sobroutine.exe<\/strong> <\/strong>(Kazuar)<\/td>6559d6cb2976334776ded3e7f8ce781c0e6fbaa69edbb0f16b902d06b5d8d8d9 <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

    <\/p>\n\n\n\n

    Pelmeni Wrapper’s log file<\/strong><\/td>%TEMP%\\iiuiajmujrca.zso <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

    Sample #4 [27\/01\/2024]<\/h2>\n\n\n\n
    vncutilLOC.dll <\/strong>(Pelmeni Wrapper)<\/td>2164d54c415b48e906ad972a14d45c82af7cab814c6cf11729a994249690ed97  <\/td><\/tr>
    Humanity.exe<\/strong> (Kazuar)<\/td>564b2a3083e55933e4ce68b87c5e268c88d58f7ab41839e5a6e0c728a58e9cf2   <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
    Pelmeni Wrapper’s log file<\/strong><\/td>%TEMP%\\ktynlijyog.dyg <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

    Sample #3 [27\/01\/2024]<\/h2>\n\n\n\n
    SkyTelLOC.dll <\/strong>(Pelmeni Wrapper)<\/td>00256c7fd9a36c6a4805c467b15b3a72dbac2e6dbd12abe7d768f20ce6c8f09f  <\/td><\/tr>
    Inroad.exe<\/strong> (Kazuar)<\/td>1a3cc19345737bc76bcf61005ad6afeeea78540bddc627db052cede7a4c0d8e5  <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
    Pelmeni Wrapper’s log file<\/strong><\/td>%TEMP%\\oayvonjwivaq.vjg <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

    Sample #2 [27\/01\/2024]<\/h2>\n\n\n\n
    vncutilLOC.dll <\/strong>(Pelmeni Wrapper)<\/td>ebf10222bdd19bd8f14b7e94694c1534d4fe1d1047034aee7ffe9492cad4a92f <\/td><\/tr>
    Denigrating.exe<\/strong> (Kazuar)<\/td>c91891c297971f46c470ea3b1934e5fb76f683776ba3edcdc1afe4f5398fc016 <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
    Pelmeni Wrapper’s log file<\/strong><\/td>%TEMP%\\jecvxqyvdbri.olc <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

    Sample #1 [23\/01\/2024]<\/h2>\n\n\n\n
    vncutilLOC.dll <\/strong>(Pelmeni Wrapper)<\/td>9b97e740b65bc609210f095cd9407c990a9f71f580f001ea07300228c5256d62 <\/td><\/tr>
    Arches.exe<\/strong> (Kazuar)<\/td>0e8cedf69e0708f77b8d8c7c9b96bf9386f0ec66c48b973bfa9718915ed260e9 <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
    Pelmeni Wrapper’s log file<\/strong><\/td>%TEMP%\\wcijgmcpyn.ctl <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

    C2<\/h2>\n\n\n\n
    hxxps:\/\/altavista[.]rs\/wp-includes\/ID3\/PerceptionSimulation\/ <\/td><\/tr>
    hxxps:\/\/m6front.sam-maintenance[.]com\/wp-includes\/customize\/assembly\/ <\/td><\/tr>
    hxxps:\/\/bibliotecaunicef[.]uy\/catalog\/notices\/tags\/ <\/td><\/tr>
    wss:\/\/127.0.0.1:20089\/Test<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"

    Turla is an APT group allegedly linked to the intelligence service FSB (Federal Security Service) from the Russian Federation. This threat actor is specifically in the Center 16 unit, which carries out the collection of radio-electronic intelligence on communications facilities. Moreover, the Center 16 is in charge of intercepting, decrypting and processing the electronic message […]<\/p>\n","protected":false},"author":20,"featured_media":2695,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[21,1],"tags":[79,75,78,73,77],"class_list":{"0":"post-2549","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-apt","8":"category-uncategorised","9":"tag-backdoor","10":"tag-kazuar","11":"tag-pelmeni-wrapper","12":"tag-trula","13":"tag-wrapper","14":"entry"},"featured_image_src":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2024\/02\/turlita-600x400.png","featured_image_src_square":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2024\/02\/turlita-600x600.png","author_info":{"display_name":"Er1c_C","author_link":"https:\/\/lab52.io\/blog\/author\/er1c_c\/"},"_links":{"self":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/2549"}],"collection":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/comments?post=2549"}],"version-history":[{"count":52,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/2549\/revisions"}],"predecessor-version":[{"id":2697,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/2549\/revisions\/2697"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media\/2695"}],"wp:attachment":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media?parent=2549"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/categories?post=2549"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/tags?post=2549"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}