CFC REPORT SPHINX MOTH
2.3. “CUDACRT.DLL” (MD5: D91ED1715DE8EDDD5244565926ED2899)
“Cudacrt.dll” – a tool for persistence and backdoor control
This DLL was attached to “lsass.exe” and was responsible for executing the binary “iastor32.exe” (an SSH client) used for communication.
One interesting function of this DLL is its ability to deobfuscate the registry entries (under “SOFTWARE\SsoAuth\Service”). Again, we are dealing with a simple single-byte “XOR”. This time, deobfuscation was even easier, as the key was “0x01”.
2.4. “KERBEROS32.DLL” (MD5: FD4C881DF95B67EE2F07ADAD0DCA9C98)
“Kerberos32.dll” – the attackers’ toolset for lateral movement and hiding capabilities
This DLL was also loaded into “lsass.exe”, like the one above, but gave the attackers more control. For example, as already stated in the Symantec report, it was able to dump the hashes in memory, clean logs, start or stop logging, or reboot the host. The “Kerberos*.dll” commands are listed in Appendix 4.3.
To interact with this backdoor, a named pipe was created on the host (“\\.\lsassp” in our samples) and the traffic was then obfuscated with an “XOR” key (see below). We provide a PowerShell script that can be run (with SCCM, for example) to detect whether hosts in a corporate environment are compromised. See Appendix 4.4 for details.
The “XOR” key for the traffic was as follows: “\x24\x75\x60\xCA\x94\x40\xA8\x23\xCD\x55\xCE\x66\xCE\x63\x9b\x8E”
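The two obfuscation schemes above (single-byte 0x01 for the registry values, the 16-byte repeating key for the named-pipe traffic) can be undone with one generic repeating-key XOR routine. The following is an added analyst-side example, not code from the report or from the CFC team; the keys are the ones quoted in this section, while the sample blobs are constructed here for illustration.

```python
"""Decoders for the two XOR obfuscation schemes described in sections 2.3 and 2.4.
Added example for analysts; the keys come from the report, the sample data is constructed."""

# 16-byte repeating XOR key applied to the named-pipe traffic (quoted in the report).
PIPE_TRAFFIC_KEY = bytes.fromhex("247560CA9440A823CD55CE66CE639B8E")

# Single-byte key applied to the registry values under SOFTWARE\SsoAuth\Service.
REGISTRY_KEY = 0x01


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR `data` against a repeating `key`. XOR is its own inverse, so the same
    call both obfuscates and deobfuscates; the key wraps when data is longer."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def deobfuscate_registry_value(blob: bytes) -> bytes:
    """Recover a registry value stored with the single-byte XOR (key 0x01)."""
    return xor_with_key(blob, bytes([REGISTRY_KEY]))


def deobfuscate_pipe_traffic(frame: bytes) -> bytes:
    """Recover a named-pipe message obfuscated with the 16-byte repeating key."""
    return xor_with_key(frame, PIPE_TRAFFIC_KEY)


def looks_like_text(data: bytes) -> bool:
    """Cheap plausibility check for a decoded buffer: printable ASCII or whitespace
    only. Handy when confirming a candidate key against a captured frame."""
    return all(0x20 <= b < 0x7F or b in b"\r\n\t" for b in data)


# Constructed sample: a registry value as the DLL would have stored it.
SAMPLE_REGISTRY_BLOB = xor_with_key(b"iastor32.exe", bytes([REGISTRY_KEY]))

# Constructed sample: a pipe frame longer than 16 bytes, so the key wraps around.
SAMPLE_PIPE_FRAME = xor_with_key(b"constructed backdoor command text", PIPE_TRAFFIC_KEY)

if __name__ == "__main__":
    print(deobfuscate_registry_value(SAMPLE_REGISTRY_BLOB))
    print(deobfuscate_pipe_traffic(SAMPLE_PIPE_FRAME))
```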
The backdoor supported an impressive number of OS versions:
• Windows 2000
• Windows XP
• Windows 2003
• Windows Vista
• Windows 2008
• Windows 7
• Windows 2008R2
• Windows 8
• Windows 2012
• Windows 8.1
• Windows 2012R2
Cybersecurity unit of Kudelski Group<br />
11<br />
www.kudelskisecurity.com<br />
request@kudelskisecurity.com