ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger

Recommendations

Info

ASERT Threat Intelligence Report – Uncovering the Seven Pointed Dagger Figure 12: SqmApi.dll generates pop-up and initiates network connection Figure 13: Execution of SqmApi.dll results in the loading and execution of the file plgus_res.dll. Figure 14: Debugger illuminates the use of CreateProcessA to load plgus_res.dll 18 Proprietary and Confidential Information of Arbor Networks, Inc.
ASERT Threat Intelligence Report – Uncovering the Seven Pointed Dagger Plgus_res.dll is actually a Trochilus RAT installation package created using the Nullsoft Installer (NSIS) format. Extracting the contents of plgus_res.dll with a specific version of 7zip (7z beta 9.38 in this case – later versions did not properly extract every file) allows all of the files to be viewed, including the NSIS installation script itself, created by 7zip as [NSIS].nsi. Shell.dll and data.dat are both obfuscated files. Shell.dll is not an obvious PE file, having been obfuscated via an encoding scheme. Figure 15: Files extracted from plgus_res.dll by 7zip reveal additional staging Once the package file plgus_res.dll is properly decrypted, injected into memory and executed, the malware generates an outbound connection over TCP/25. Figure 16: Trochilus RAT outbound connection - obfuscated It is interesting to note that the first portion of binary data being sent from the compromised machine contains the hex value 0x7e. Following this, a data packet containing 0x7e bytes is sent. In the screenshot observed above, the network destination was no longer online. Therefore, traffic was redirected to a simulated network in order to capture packets. This malware attempted to evade sandbox analysis on several occasions, and was therefore coaxed to run manually. The malicious code injects into services.exe. The volatility memory forensics framework malfind © Copyright 2015 Arbor Networks, Inc. All rights reserved. 19
Page 1 and 2: ASERT Threat Intelligence Report -
Page 17: ASERT Threat Intelligence Report -

ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger

Create successful ePaper yourself

Delete template?

Save as template?