The Pylot (or Travle) malware family appears to be an evolution of the NetTraveler malware family (which numerous sources have linked to attackers operating out of China). Over the last year a variant has been observed as a secondary payload, often used in conjunction with malicious carrier files (typically MS Office or Rich Text Format (RTF) documents).
Pylot has been observed being installed via shellcode that exploits known CVEs in Office products, as well as by malware loaders (first-stage malware, specifically the CMStar malware family). In late 2017, customers submitted samples of the Pylot family to the Carbon Black Threat Analysis Unit (TAU) as part of ongoing investigations. Analysis details were provided to the submitting organizations, and detection capabilities were provided in the Carbon Black User Exchange.
Following external requests, Carbon Black is making the analysis (and the associated signatures and scripts) available in this blog post to assist any researchers or practitioners who may be investigating this malware family.
The following table lists the metadata for the files that were analyzed for the first scenario.
RTF Carrier File

| Field | Value |
|---|---|
| SHA256 | 79dc836e7557d8fa39a7a56ff69d98a78ff6494ce49720baee0864bee00f17b3 |
| Revision time | 11/20/15 1:45 |
| Author | HCL |
| Number of pages | 1 |
| Creation time | 11/20/15 1:45 |
| Number of words | 2 |
| Version | 1 |
| Operator | HCL |
Pylot Sample 1
File Name : Pylot_sample.dll
File Size : 208,154 bytes
MD5 : f456d82e4815ce381d6d1bf23322aca6
SHA1 : 2535558d28b5431e41fd8e1eb88dbc099d74a7c5
SHA256 : 8c310b5db866c695627d8903c59082a6f7f6eaf49970bcfc3b786b57dbe543b6
Fuzzy : 3072:zPNKts9RnF3Xo+T/pJbiFLxfZubTHPKorZShP/UB+zvkpdISZQM4ED:x9RlXo+LPmLQbTHPpZSlUBy+IM4ED
Compiled Time : Wed Jan 27 13:18:46 2016 UTC
PE Sections (5) : Name Size MD5
.text 147,968 5b3872364e2efbb4e83966ea9c2f48b9
.rdata 35,840 c17dec1fc11e3134c03a993f3509699a
.data 4,608 100820dd666d8eeca7c7ff43ab9552b8
.rsrc 5,120 8c96d665232c7e447ac6131b479a0af6
.reloc 20,992 439f3ea4d036d3aab2d23e675dcd8e13
+ 0x34a00 0 d41d8cd98f00b204e9800998ecf8427e None
Original DLL : pilot.dll
DLL Exports (1) : Ordinal Name
1 MSOHost
Magic : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Table 1: File Metadata
The RTF document listed in the table above attempts to exploit an older vulnerability, CVE-2014-1761, to ultimately execute shellcode. The image below is a screenshot of the RTF document. The area highlighted in red is the list override exploit referenced by the CVE above. The data highlighted in yellow is the shellcode and the encoded payload. Even though the shellcode is obfuscated, some strings are still present (highlighted in green) that the shellcode uses to create and entrench the file on an infected system.
The shellcode, as written in the RTF file, is obfuscated to lessen the likelihood of detection and make analysis more difficult. It first executes a couple of basic instructions to clear the registers it will use, then XORs a portion of its data (0x325 bytes) with the value 0x9E (highlighted in red in the image below). Once this is complete it continues with the normal execution flow.
The shellcode is a straightforward loader that ultimately decodes the payload and writes the file to disk. It also entrenches the malicious payload in a location typically used by malware for persistence (Software\Microsoft\Windows\CurrentVersion\Run) before using rundll32.exe to execute the binary for the first time.
The shellcode uses a name hashing function (a common technique in shellcode): the code first locates the process environment block (PEB) via the thread information block (TIB), highlighted in red below, and uses it to find the doubly-linked list of loaded modules. It then takes each entry and normalizes the module name by converting all of its characters to uppercase (highlighted in green). For each character, the running hash is rotated right by 13 bits and the character value is added to it; the result is compared to a hardcoded value for Kernel32.dll (highlighted in blue). Once the target module is located in memory, its functions can be called with the appropriate arguments.
Figure 3: Name hashing function
The Python snippet below can be used with a list of common module names to determine which strings correspond to the hardcoded hash values used by this variant.

```python
def ror(val, r_bits, max_bits):
    """Rotate val right by r_bits within a max_bits-wide register."""
    mask = 2**max_bits - 1
    out = ((val & mask) >> (r_bits % max_bits)) | ((val << (max_bits - (r_bits % max_bits))) & mask)
    return out

def hash_string(proc_name):
    name_hash = 0
    for x in proc_name:
        x = ord(x)
        if x >= 97:            # 0x61, lowercase 'a'
            x = x - 32         # normalize to uppercase
        back = ror(name_hash, 13, 32)          # ROR 0x0D
        name_hash = (back + x) & 0xFFFFFFFF    # add the character value to the rotated hash
    return name_hash
```

Table 2: Python implementation of name hashing algorithm
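As an added example (not code from the original post), the following builds a lookup table from a constructed list of candidate module names and resolves a hash value back to its name, which is how a hardcoded constant such as the one for Kernel32.dll is identified; the candidate list and the function names are assumptions.

```python
# Added example, not from the original post: resolve the Pylot shellcode's
# ROR-13 name hashes back to module names using a constructed candidate list.

# Constructed list of candidate module names (extend as needed).
CANDIDATE_MODULES = [
    "kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll",
    "shell32.dll", "ws2_32.dll", "wininet.dll", "urlmon.dll",
]

def ror32(value, bits):
    """Rotate a 32-bit value right by `bits` (the shellcode's ROR 0x0D uses bits=13)."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF

def shellcode_hash(name):
    """Hash as the shellcode does: uppercase a-z, then hash = ror32(hash, 13) + char."""
    h = 0
    for ch in name.encode("ascii"):
        if ch >= 0x61:          # lowercase range starts at 'a' (0x61)
            ch -= 0x20          # normalize to uppercase, as the shellcode does
        h = (ror32(h, 13) + ch) & 0xFFFFFFFF
    return h

def build_hash_table(names=CANDIDATE_MODULES):
    """Map hash value -> module name for every candidate."""
    return {shellcode_hash(n): n for n in names}

def resolve_hash(value, names=CANDIDATE_MODULES):
    """Return the module name whose hash equals `value`, or None if no candidate matches."""
    return build_hash_table(names).get(value & 0xFFFFFFFF)

if __name__ == "__main__":
    # Print the table so hardcoded constants seen in a disassembly can be matched by eye.
    for h, name in build_hash_table().items():
        print("0x%08x  %s" % (h, name))
```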
In this sample the malicious payload is written to disk as comctl32.dll, and the shellcode uses rundll32.exe to execute the payload by calling the MSOHost export. The malware then runs and communicates with a hardcoded C2 contained in the configuration block that is characteristic of the Pylot family. A Python script was written to parse a Pylot variant executable and extract the relevant configuration information; the script is attached to this post. An example of its output can be seen in the table below. The previous analysis by Kaspersky Labs details the overall functionality of the Pylot family.
[!] Resource Located
Name: RAW_DATA
[+]Decoding Configuration…
Primary C2 : young.aviodyoung.com
Secondary C2 : Not Used
URL Path 1 : /vgs/wksur.py
URL Path 2 : Not Used
C2 Port 1 : Not Used
C2 Port 2 : 80
Campaign ID : xcvwerx
Sample ID : qTyx0736R
Primary RC4 key : MTzXBLRfWOpcjsKZGUbS
Secondary RC4 key : MTzXBLRfWOpcjsKZGUbS
Beacon Timer : 60000 milliseconds
Table 3: Pylot configuration output
The following table lists the metadata for the initial carrier file that was analyzed for the second scenario.
RTF Carrier File

| Field | Value |
|---|---|
| SHA256 | 6d1f5bc52de8458ba1b5ddf1e6957b3ab5e7e8a796356b46588d1c7be458a786 |
| Revision time | 2016-11-08 08:47:00 |
| Author | Shaimenova |
| Company | parliament |
| Number of pages | 9 |
| Creation time | 2016-11-08 08:47:00 |
| Number of words | 1586 |
| Version | 2 |
| Operator | AutoBVT |
CMStar Sample 1 Loader
File Name : CMStar_sample.exe
File Size : 77,824 bytes
MD5 : 7ce99c26ee05efb81c3a123152ccce5e
SHA1 : 3be63458fe1298b0ebf36e019a895519fd96fb22
SHA256 : 928efa7e1007633330630bbd7e37ee4843060215c2c825169f12c048099c3f6d
Fuzzy : 1536:nPLpKSgx0fEYLwOAXhENg7Ofp15yUxBix1Y:PLE0fEYL/KVaryNY
Compiled Time : Thu Oct 20 07:00:38 2016 UTC
PE Sections (4) : Name Size MD5
.text 12,288 b0001edc7a3ebc2cb52944a7aa61293d
.rdata 4,096 a1ffda038f8171993651bed5f7547b96
.data 4,096 3eae055efca4b7f380118d3320dcde5f
.rsrc 53,248 880b916c741d16b6f46f58c1107cca7d
Magic : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Table 4: RTF and CMStar metadata
The carrier file for this scenario is also an RTF document and attempts to exploit CVE-2015-1641. If exploitation succeeds, the shellcode decodes a malicious payload (encoded using the same method as in the first scenario). This executable is then written to disk and is a CMStar variant loader (listed in the table above). The loader extracts a resource named 12358 and decodes it (XOR 0x30) before writing it to disk. The loader then executes rundll32.exe, calling the MSOProtect export of the CMStar variant. The metadata for the CMStar payload is listed in the table below.
CMStar Sample 1 Payload
File Name : Resource_decoded.dll
File Size : 50,688 bytes
MD5 : cc018500132a811e1f7d4d54763f6ab1
SHA1 : dd048ab61a8591ce4d14e9bc5a7b34e6996501f0
SHA256 : fab38d1c785cf81cbef1a424e812ef7a26598f86cd19a389efe327db0e747201
Fuzzy : 768:5WPPGyX/nibX/44zMLiuTXVR4Gcfd25hH1fzQMo6llRc:nyXPiL9uTXVR2d25XFl
Compiled Time : Wed Oct 12 12:45:10 2016 UTC
PE Sections (4) : Name Size MD5
.text 29,184 5a823113d6e3589d38f093615598217b
.rdata 4,096 028c81fb15600d1cdf89637bc899eaa3
.data 12,288 8c92626431fbf58dd4357f8e18124c72
.reloc 4,096 a22b36f23cde94d421b40566d6cf36e1
Original DLL : UpdateService.tmp
DLL Exports (1) : Ordinal Name
1 MSOProtect
Magic : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Table 5: CMStar payload metadata
The CMStar malware decodes some basic configuration information necessary to communicate with the C2. The decoding function copies hardcoded strings into memory and then, for each character of the encoded string, subtracts a hardcoded value and the counter value (which is incremented for each character).
The Python snippet below can be used to decode the CMStar configuration strings. In the example, the encoded_string variable is a list containing the byte values of one of the encoded strings (r€}H>?BBKBKGEIQSIMTT), which decodes to the primary C2.

```python
# Byte values of one encoded configuration string; decodes to http://108.61.189[.]176
encoded_string = [0x72, 0x7F, 0x80, 0x7D, 0x48, 0x3E, 0x3F, 0x42, 0x42, 0x4B, 0x42,
                  0x4B, 0x47, 0x45, 0x49, 0x51, 0x53, 0x49, 0x4D, 0x54, 0x54]
i = 0
out = ""
for x in encoded_string:
    out = out + chr(x - i - 10)   # subtract the hardcoded value (10) and the position counter
    i = i + 1
print(out)
```

Table 6: CMStar configuration script
Once the strings are decoded, the CMStar malware beacons to http://108.61.189[.]176 and requests the file a554L8iVaSIDKYO.dat (a hardcoded name). This file is an obfuscated Pylot variant. The image below gives an overview of the a554L8iVaSIDKYO.dat file contents as they would appear when downloaded.
The dword highlighted in red is a header marker. The next three dword values are all stored little-endian and are used to decode the payload data, which is highlighted in purple.
Figure 4: Encoded Pylot overview
The obfuscated file is bloated compared to the actual size of the embedded payload, because the encoding uses a whole dword to store 1 byte of actual data. To decode a byte, a dword value is read into memory from the data section (highlighted in purple); the first such dword is 0x33 (51 decimal). The second dword of the header (highlighted in green) is the starting seed value (0x01, 1 decimal). The third dword (highlighted in blue) is the number of rounds of the modification loop (0x03EB, 1003 decimal). The fourth dword (highlighted in yellow) is the modulo value used in the modification loop (0x5BD, 1469 decimal). The Python snippet below replicates the decoding function for the first byte of data.

```python
start = 51       # dword value from the data area (0x33)
output = 1       # dword seed value
for x in range(1003):                 # dword round value (0x03EB)
    output = (output * start) % 1469  # dword modulo value (0x5BD)
print(chr(output))
# This results in "M", the first character of an MZ header
```

Table 7: Python implementation of decoding function
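As an added example (not code from the original post), the following parses the four-dword header of a blob laid out as in Figure 4 and decodes the whole data area rather than a single byte; the marker value is not given in the write-up, so the sample blob uses a constructed placeholder, and taking the low byte of the loop output is an assumption.

```python
import struct

# Added example, not from the original post: parse the header of an obfuscated
# Pylot payload (marker, seed, rounds, modulo as little-endian dwords) and
# decode the dword-per-byte data area that follows.

MARKER_PLACEHOLDER = 0x5A5A5A5A  # constructed; the real marker value is not given above
HEADER_LEN = 16                  # four dwords

def decode_dword(value, seed, rounds, modulo):
    """Replicate the modification loop as seed * value**rounds mod modulo.
    pow() gives the same result as multiplying `rounds` times in a loop; the low
    byte is taken on the assumption that the loop output is the plaintext byte."""
    if modulo == 0:
        raise ValueError("modulo must be non-zero")
    return ((seed * pow(value, rounds, modulo)) % modulo) & 0xFF

def decode_pylot_blob(blob):
    """Return (marker, decoded bytes) for a blob in the layout shown in Figure 4."""
    if len(blob) < HEADER_LEN or (len(blob) - HEADER_LEN) % 4:
        raise ValueError("truncated header or data area not a whole number of dwords")
    marker, seed, rounds, modulo = struct.unpack_from("<4I", blob, 0)
    count = (len(blob) - HEADER_LEN) // 4
    data = struct.unpack_from("<%dI" % count, blob, HEADER_LEN)
    return marker, bytes(decode_dword(d, seed, rounds, modulo) for d in data)

def pack_pylot_blob(marker, seed, rounds, modulo, dwords):
    """Build a blob in the same layout (used here only to construct sample input)."""
    return (struct.pack("<4I", marker, seed, rounds, modulo)
            + struct.pack("<%dI" % len(dwords), *dwords))

# Constructed sample: header values from the write-up (seed 1, 0x3EB rounds,
# modulo 0x5BD) followed by the single data dword 0x33, which decodes to "M".
SAMPLE_BLOB = pack_pylot_blob(MARKER_PLACEHOLDER, 1, 0x3EB, 0x5BD, [0x33])

if __name__ == "__main__":
    marker, payload = decode_pylot_blob(SAMPLE_BLOB)
    print("marker 0x%08x, decoded data: %r" % (marker, payload))
```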
The table below lists the metadata for the fully decoded Pylot payload. The CMStar malware then executes rundll32.exe, calling the MSOProtect export to run the Pylot sample.
Pylot Sample 2
File Name : Pylot_sample_2.dll
File Size : 180,736 bytes
MD5 : d5c679df69751936d0fa380f2e4bf017
SHA1 : 2488d05f619124ef56a802407745579a02d0d36e
SHA256 : c20742df2580795ef8578b38730066c4c50c833f4a83dd4f6dcf9fc327c1904a
Fuzzy : 3072:F0KN9+4oQQh/gspsXTrzh+lYHUUd5U5+:f9+4oRHEJk95+
Compiled Time : Mon Nov 07 03:10:36 2016 UTC
PE Sections (5) : Name Size MD5
.text 124,416 ed3027599e9cffb50c4dcbdc01582fc1
.rdata 33,792 a1d51a7f4cddb3189168f0b3b09047fd
.data 4,608 36ed52fc43b3ae5cb504a8976c8e5d02
.rsrc 5,120 ab29ae998157877652d20952075c1bd2
.reloc 11,776 05e1f820b39bbe58d609e0b2a3f78905
Original DLL : pilot.dll
DLL Exports (1) : Ordinal Name
1 MSOProtect
Magic : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Table 7: Pylot metadata
The configuration information for the above Pylot sample is listed in the table below.
Pylot Sample 2 Configuration Data
[!] Resource Located
Name: RAW_DATA
[+]Decoding Configuration…
Primary C2 : pgbkrrq3434.com
Secondary C2 : Not Used
URL Path 1 : /iow/qlmbn.py
URL Path 2 : Not Used
C2 Port 1 : Not Used
C2 Port 2 : 80
Campaign ID : uuqigas
Sample ID : fGAka0109
Primary RC4 key : BBidRotnqQpHfpRTi8cR
Secondary RC4 key : BBidRotnqQpHfpRTi8cR
Beacon Timer : 60000 milliseconds
Table 8: Pylot sample 2 configuration
Yara Signature

```yara
rule pylot_payload_2017_Q4 : TAU pylot
{
    meta:
        author = "CarbonBlack TAU" //JMyers
        date = "2017-Nov-7"
        description = "Designed to catch pylot payload"
        rule_version = 1
        yara_version = "3.6.0"
        TLP = "Green"
        exemplar_hashes = "c20742df2580795ef8578b38730066c4c50c833f4a83dd4f6dcf9fc327c1904a, 8c310b5db866c695627d8903c59082a6f7f6eaf49970bcfc3b786b57dbe543b6"
    strings:
        $s1 = "FindResource"
        $s2 = "LoadResource"
        $s3 = "RAW_DATA" wide
        $s4 = "KB178495.DAT" wide
        $s5 = "KB887209" wide
        $s6 = "KB287640" wide
        $s7 = ".decompress" wide
    condition:
        all of them
}
```
| Indicator | Type | Context |
|---|---|---|
| 79dc836e7557d8fa39a7a56ff69d98a78ff6494ce49720baee0864bee00f17b3 | SHA256 | RTF Carrier File |
| 0d06925ce5d306e94fac4cbbbf67362a | MD5 | |
| 1d01a78ccfc4b646b46082a7135f6ac5b364010ba0ca10d0ba94b9e48dce8350 | SHA256 | Pylot Sample 1 |
| f456d82e4815ce381d6d1bf23322aca6 | MD5 | |
| young.aviodyoung[.]com | URL | Pylot Sample 1 C2 |
| 6d1f5bc52de8458ba1b5ddf1e6957b3ab5e7e8a796356b46588d1c7be458a786 | SHA256 | RTF Carrier File |
| 9381a0ef7039409b7354ff9bbd754283 | MD5 | |
| 928efa7e1007633330630bbd7e37ee4843060215c2c825169f12c048099c3f6d | SHA256 | CMStar Loader |
| 7ce99c26ee05efb81c3a123152ccce5e | MD5 | |
| fab38d1c785cf81cbef1a424e812ef7a26598f86cd19a389efe327db0e747201 | SHA256 | CMStar Sample |
| cc018500132a811e1f7d4d54763f6ab1 | MD5 | |
| 108.61.189[.]176 | URL | CMStar C2 |
| c20742df2580795ef8578b38730066c4c50c833f4a83dd4f6dcf9fc327c1904a | SHA256 | Pylot Sample 2 |
| d5c679df69751936d0fa380f2e4bf017 | MD5 | |
| | URL | Pylot Sample 2 C2 |
The post Threat Analysis: Pylot (Travle) Malware Family appeared first on Carbon Black.