TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader

In September 2019, Proofpoint researchers observed a prolific threat actor, TA505, sending email campaigns that attempt to deliver and install Get2, a new downloader. Get2 was in turn observed downloading FlawedGrace, FlawedAmmyy, Snatch, and SDBbot (a new RAT) as secondary payloads.

In this blog post, Proofpoint will detail the tactics, techniques, and procedures (TTPs) associated with these latest campaigns and provide a detailed analysis of Get2 downloader and SDBbot RAT.

These new developments are a continuation of a pattern where, since 2018, Proofpoint researchers observed numerous threat actors increasingly distributing downloaders, backdoors, information stealers, remote access Trojans (RATs), and more as they abandoned ransomware as their primary payloads.

TA505 has been at the forefront of this trend, which began with the distribution of a new backdoor, “ServHelper”, in November 2018, and continued with a new downloader malware, AndroMut, earlier this year.

Since September 9, 2019, Proofpoint researchers have observed TA505 using Get2 as their initial downloader (still the case at the time of this publication). At first, it downloaded traditional payloads including FlawedAmmyy and FlawedGrace. However, on October 7, Proofpoint researchers observed Get2 downloading the new RAT, SDBbot.

In addition to the new malware, these campaigns have continued to innovate in other aspects:

● TA505 remains a serious contender for the top positions in the volumes of emails distributed (most days tens or hundreds of thousands of messages, but sometimes pushing into millions).
● TA505 continues to focus on targeting financial institutions alternating with more widely-targeted campaigns going after other verticals.
● New geographical targeting includes Greece, Germany, and Georgia.
● New Microsoft Office macros are used specifically with the Get2 downloader.

What’s new/cool

● New downloader, Get2, written in C++
● New remote access Trojan, SDBbot, written in C++
● New geographical targeting includes Greece, Germany, and Georgia
● New Microsoft Office macros are used specifically with the Get2 downloader

Implications

● Throughout 2018, Proofpoint researchers observed threat actors increasingly distributing downloaders, backdoors, information stealers, remote access Trojans (RATs), and more as they abandoned ransomware as their primary payload.
● In November 2018, TA505, a prolific actor that has been at the forefront of this trend, began distributing a new backdoor we named “ServHelper”.
● In June 2019, TA505 followed this with AndroMut, which Proofpoint researchers observed distributing the FlawedAmmyy RAT.
● Finally, in September 2019, Proofpoint researchers observed TA505 attempting to deliver email campaigns that install Get2. Get2 is a new downloader distributing, among other payloads, SDBbot (October), a new RAT malware. Get2 and SDBbot are net new discoveries.
● TA505 remains a serious contender for the top positions in the volumes of emails distributed (most days tens or hundreds of thousands of messages, but sometimes pushing into millions).
● TA505 continues to focus on targeting financial institutions alternating with more widely-targeted campaigns going after other verticals.
● TA505 is now targeting Greece, Germany, and Georgia.

Geo targeting
● Greece, Singapore, United Arab Emirates, Georgia, Sweden, Lithuania, US, Canada, Germany, and others

Figure 1: A selected chronology of TA505 malspam campaigns culminating with Get2 and SDBbot in September and October of 2019.

Below are the details of several notable malicious email campaigns.

September 9, 2019

On September 9 Proofpoint researchers observed tens of thousands of emails attempting to deliver Microsoft Excel attachments with English and Greek lures. These emails targeted financial institutions in Greece (a new country target for TA505), Singapore, United Arab Emirates, Georgia, Sweden, Lithuania, and a few other countries. The emails used the following example subjects and attachment names:

  • Subject “HPE INV-02 – Invoice and documents” and attachment “hpe_s_hp-inv_02.xls”
  • Subject “Need to Apply” and attachment “dc123456.xls”
  • Subject “Παραστατικό” (translated from Greek: “Document”) and attachment “business cloud invoice no142 09-09-2019.xls”
  • Subject “ΣΤΕΛΙΟΣ ΠΡΟΤΙΜΟΛΟΓΙΟ” (translated from Greek: “EXECUTIVE SUMMARY”) and attachment “προτιμολογιο.xls”

This was the first campaign where the new downloader Get2 was observed. However, in Proofpoint’s testing, the later-stage payloads were not observed at the time.

Figure 2: Example email delivering a malicious Microsoft Excel spreadsheet with an embedded Get2 payload.

Figure 3: Example Microsoft Excel attachment using Greek language and targeting Greece.

September 20, 2019

On September 20 we observed hundreds of thousands of emails attempting to deliver Microsoft Excel and .ISO attachments with English and French lures. These emails targeted companies from different verticals in the United States and Canada. The emails used the following example subjects and attachment names:

  • Subject “Reçu de paiement (facture 12345)” and attachment “facture_no_432478_v2.xls”
  • Subject “Account opening form” and attachment “formulaire_01234.iso” (ISO contains an Excel file such as “0920_0123456..xls”)

In this campaign, Proofpoint researchers again observed installation and execution of Get2 which in turn downloaded FlawedGrace.

Figure 4: Email delivering an ISO attachment in a French-language email targeting Canada.

Figure 5: Microsoft Excel attachment using French language and targeting Canada.

October 7, 2019

On October 7, instead of directly attached malicious Excel files, Proofpoint researchers observed thousands of emails containing URL shortener links redirecting to a landing page that in turn links to an Excel sheet “request.xls”. This campaign only used English language lures and targeted companies from various industries, primarily in the United States. The emails used the following example subject:

  • Subject ‘Admin shared “request.xls” with you’ where email contained a Bitly URL

In this campaign Proofpoint researchers observed the execution of Get2, which downloaded SDBbot for the first time.

Figure 6: Example email with a Bit.ly URL leading to a landing page that links to download of malicious document; this uses stolen branding to increase the legitimacy of the shared file lure.

Figure 7: Dropbox-themed landing page with a lure asking users to click a button that links to the malicious document.

Figure 8: Microsoft Excel spreadsheet with embedded Get2 downloader luring the user to open the document and enable macros.

Microsoft Excel Document Analysis

In addition to TA505’s use of new malware, it should be noted that the new Get2 loader works in conjunction with a new Microsoft Excel macro. Get2 is embedded into the Microsoft Excel file as an object, which can be found as an image icon by scrolling through the document. It is extracted by the macro using the following logic (note that this is an analysis of the September 9 macro, and incremental changes have been introduced since):

  • The original Microsoft Excel spreadsheet is copied into the %TEMP% directory
  • The embedded object “xl\embeddings\oleObject1.bin” inside the Excel is copied into the %TEMP% directory
  • The DLL inside oleObject1.bin is extracted and copied into %APPDATA% by the “ReadAndWriteExtractedBinFile” function
  • DLL is loaded with LoadLibraryA
  • DLL’s exported function, such as “Get2”, is run by the macro

An excerpt of the VBA code from the Microsoft Excel file that performs some of this is shown below. This code appears to be in part borrowed from a Stack Overflow article (except it works to extract a file starting with the “MZ” header instead of “PDF”).
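The same carving logic, turned into a triage check for defenders, as an added example that is not part of the original post and not the macro's own code: it opens the workbook as a ZIP, reads xl/embeddings/oleObject1.bin, and looks for an “MZ” header whose e_lfanew points at a valid “PE\0\0” signature, which the macro's plain “find MZ” search does not verify. The workbook is a constructed stand-in built in memory (the OLE container and PE stub are placeholders, not a real sample).

```python
import io
import struct
import zipfile

# Constructed sample: a minimal "MZ"/"PE" stub buried inside a fake OLE blob,
# mimicking where the macro carves the Get2 DLL from (not a real sample).
def _build_fake_xlsx() -> bytes:
    stub = bytearray(b"MZ" + b"\x00" * 58 + struct.pack("<I", 64))  # e_lfanew = 64
    stub += b"PE\x00\x00" + struct.pack("<H", 0x014C) + b"\x00" * 18   # i386 COFF header
    stub += b"payload-bytes"
    ole = b"\xd0\xcf\x11\xe0" + b"A" * 100 + bytes(stub) + b"\x00" * 16  # OLE2 magic + filler
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/embeddings/oleObject1.bin", ole)
    return buf.getvalue()

def carve_pe_from_embedding(xlsx_bytes: bytes, name="xl/embeddings/oleObject1.bin"):
    """Return (offset, machine, carved_bytes) for the first valid PE inside the
    embedded OLE object, or None.  Mirrors the macro's "find MZ" idea but
    validates the e_lfanew -> 'PE\\0\\0' chain to cut false positives."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        if name not in z.namelist():
            return None
        data = z.read(name)
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if pe + 6 <= len(data) and data[pe:pe + 4] == b"PE\x00\x00":
                machine = struct.unpack_from("<H", data, pe + 4)[0]
                return pos, machine, data[pos:]
        pos = data.find(b"MZ", pos + 1)
    return None

if __name__ == "__main__":
    hit = carve_pe_from_embedding(_build_fake_xlsx())
    print(hit and (hit[0], hex(hit[1])))
```

Any workbook whose embedded OLE object yields a hit here deserves sandboxing; the carved bytes can be hashed or scanned directly.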

Figure 9: Visual Basic macro code sample from the malicious Microsoft Excel spreadsheet used in conjunction with the Get2 downloader.

Get2 Downloader

Get2 is a new downloader malware written in C++ and used in recent TA505 campaigns. The name is derived from the DLL export name used in the initial sample that was analyzed. Successive campaigns used different export names such as Amway, Hadno, Seven, and Wakeup.

The downloader collects basic system information and sends it via an HTTP POST request to a hardcoded command and control (C&C) server (Figure 10):

Figure 10: Example Get2 C&C request

The POST data contains the following URL-encoded parameters:

  • D – Computer name
  • U – Username
  • OS – Windows version
  • PR – Pipe-delimited process list

Figures 11 and 12 depict some example responses from the C&C server:

Figure 11: Example Get2 C&C response

Figure 12: Example Get2 C&C response

The C&C response data is pipe-delimited and each section contains a payload URL and an optional argument delimited by a semicolon.

In earlier observed versions of Get2, its payloads were executables run with the argument passed on the command line. In later samples, the authors included additional code to check the argument for “RD86” and “RD64” (possibly short for “run DLL”). RD86 indicated the payload was a DLL to be injected and loaded. The system was also scheduled to reboot a random amount of time later (more on the reboot in the SDBbot section below). At the time of research, the RD64 code path had not been implemented, but it will likely be similar to RD86 for 64-bit DLLs.
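A small parser for the check-in and tasking formats described above, as an added example for log triage that is not part of the original post and not Get2's own code. The check-in body and the response are constructed from the parameter and delimiter descriptions on this page (example.invalid URLs, hostnames and process names are made up), and the exact-key-set check is a heuristic of this example, not a published signature.

```python
from urllib.parse import parse_qs

# Constructed sample of a Get2 check-in body (D, U, OS, PR parameters).
SAMPLE_CHECKIN = ("D=WIN-DESKTOP01&U=jdoe&OS=Windows%207"
                  "&PR=explorer.exe%7Cexcel.exe%7Crundll32.exe")
# Constructed sample response: pipe-delimited tasks, each "url;argument".
SAMPLE_RESPONSE = ("http://example.invalid/a.exe;/q|"
                   "http://example.invalid/b.dll;RD86|"
                   "http://example.invalid/c.exe")

GET2_KEYS = {"D", "U", "OS", "PR"}

def parse_checkin(body: str):
    """Return the system-information fields if the body carries exactly the
    Get2 parameter set, otherwise None (a triage heuristic, not a signature)."""
    fields = parse_qs(body, keep_blank_values=True)
    if set(fields) != GET2_KEYS:
        return None
    return {"computer": fields["D"][0], "user": fields["U"][0],
            "os": fields["OS"][0], "processes": fields["PR"][0].split("|")}

def parse_response(text: str):
    """Split a C&C response into tasks.  RD86/RD64 arguments mark a DLL that
    later Get2 variants inject rather than execute; RD86 also schedules a
    reboot.  RD64 was unimplemented when the report was written but is still
    classified as a DLL task so it is not silently treated as an executable."""
    tasks = []
    for section in filter(None, text.split("|")):
        url, _, arg = section.partition(";")
        mode = "inject_dll" if arg in ("RD86", "RD64") else "run_exe"
        tasks.append({"url": url, "arg": arg, "mode": mode, "reboot": arg == "RD86"})
    return tasks

if __name__ == "__main__":
    print(parse_checkin(SAMPLE_CHECKIN))
    for task in parse_response(SAMPLE_RESPONSE):
        print(task)
```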

SDBbot Remote Access Trojan

SDBbot is a new remote access Trojan (RAT) written in C++ that has been delivered by the Get2 downloader in recent TA505 campaigns. Its name is derived from the debugging log file (sdb.log.txt) and DLL name (BotDLL[.]dll) used in the initial analyzed sample. It also makes use of application shimming [1] for persistence. SDBbot is composed of three pieces: an installer, a loader, and a RAT component.

Installer Component

The installer stores the RAT component in the registry and establishes persistence for the loader component. In the analyzed sample, the installer was named “SdbInstallerDll[.]dll”. Most of its important strings and data were XOR-encoded with a hardcoded 128-byte key.

A registry value is created at “\SOFTWARE\Microsoft\<random 3 characters subkey>[random 1 character value name]” in HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER depending on user privileges. A binary blob is stored at the value and has the following structure:

  • Copyright notice (“Copyright (C) Microsoft Corporation.”)
  • Loader shellcode (stored as a function in the installer)
  • String consisting of “<random 3 characters from registry subkey>0INIT”
  • Compressed RAT payload (stored in “.data1” PE section of the installer)
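A parser for that registry blob layout, as an added example for forensic triage that is not part of the original post and not SDBbot's code. It splits an exported value into notice, loader shellcode, marker subkey and payload, and then applies the key/value naming pattern above to a list of (key, value name, data) tuples as one might dump from a hive. The sample blob is constructed (placeholder shellcode and payload bytes), and the assumption that the three random characters are alphanumeric is this example's, not the report's.

```python
import re

# Blob layout as described above: notice, shellcode, "<3 chars>0INIT", payload.
COPYRIGHT = b"Copyright (C) Microsoft Corporation."
MARKER_RE = re.compile(rb"([A-Za-z0-9]{3})0INIT")   # assumption: alphanumeric subkey
KEY_RE = re.compile(r"^HK(?:LM|CU)\\SOFTWARE\\Microsoft\\[A-Za-z0-9]{3}$", re.I)

def build_sample_blob(subkey: bytes = b"qzt") -> bytes:
    """Constructed sample value; shellcode and payload bytes are placeholders."""
    return (COPYRIGHT + b"\x55\x8b\xec\x90\x90\xc3"
            + subkey + b"0INIT" + b"\x1f\x8b" + b"\x00" * 20)

def split_sdbbot_blob(blob: bytes):
    """Split a value into its parts, or return None when the blob does not
    start with the copyright notice or has no "<3 chars>0INIT" marker after it."""
    if not blob.startswith(COPYRIGHT):
        return None
    m = MARKER_RE.search(blob, len(COPYRIGHT))
    if not m:
        return None
    return {"subkey": m.group(1).decode(),
            "shellcode": blob[len(COPYRIGHT):m.start()],
            "payload": blob[m.end():]}

def find_candidates(entries):
    """entries: iterable of (key_path, value_name, data) tuples.  A hit needs a
    3-character subkey under SOFTWARE\\Microsoft in HKLM or HKCU, a 1-character
    value name, the blob layout above, and a marker subkey that matches the key
    the value is stored under (the report says the marker is built from it)."""
    hits = []
    for key, name, data in entries:
        if not KEY_RE.match(key) or len(name) != 1:
            continue
        parts = split_sdbbot_blob(data)
        if parts and key.lower().endswith("\\" + parts["subkey"].lower()):
            hits.append((key, name, parts))
    return hits

if __name__ == "__main__":
    sample = [("HKLM\\SOFTWARE\\Microsoft\\qzt", "k", build_sample_blob(b"qzt"))]
    for key, name, parts in find_candidates(sample):
        print(key, name, parts["subkey"], len(parts["shellcode"]), len(parts["payload"]))
```

The payload segment is left as-is because the report does not name the compression scheme; hash it and hand it to a sandbox rather than guessing at the decompressor.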

If the bot is running with a regular user privilege, persistence is established using the registry “Run” method. The loader DLL component is written to “%APPDATA%\mswinload[.]dll” and a “mswinload” value is added to the “Run” key to execute ordinal #1 of the DLL with rundll32[.]exe.

If the bot is running with admin privileges on a Windows version newer than Windows 7, persistence is established using the registry “image file execution options” method. The loader DLL component is written to “%SYSTEM%\mswinload0[.]dll” and added to the “VerifierDlls” value for “winlogon[.]exe”.

If the bot is running as admin on Windows XP or 7, persistence is established using application shimming [1]. It uses a method very similar to the one described by FireEye in their blog post “To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence” [3]. A shim database (SDB) is created (Figure 13) to patch services[.]exe with the loader code and then installed with sdbinst[.]exe:

Figure 13: Example shim database (SDB) created by SDBbot

All three of the persistence mechanisms require a reboot to take effect, and there is no additional code in the installer to continue executing the loader and RAT components. Proofpoint researchers speculate that the reboot functionality in the Get2 downloader (described above) is used to continue SDBbot’s execution after installation in the TA505 campaigns.

Loader Component

In the registry-based persistence mechanisms, a separate loader DLL is used to execute the RAT payload. In the analyzed sample, the loader was named “RegCodeLoader[.]dll” and saved to disk as “mswinload[.]dll” or “mswinload0[.]dll”. The application shimming-based persistence doesn’t use a separate DLL, but the code it patches into services[.]exe is similar in functionality. In both cases the random registry key and value name is patched into the loader code.

The loader component reads the binary blob stored in the registry and starts executing the loader shellcode stored there. The shellcode decompresses the RAT payload then loads and executes the DLL.

RAT Component

In the analyzed sample the RAT component was named “BotDLL[.]dll”. It has some typical RAT functionality such as command shell, video recording of the screen, remote desktop, port forwarding, and file system access.

SDBbot stores its C&Cs in a plaintext string or file (“ip.txt”). It uses a plaintext protocol over TCP port 443.

After the malware sends system information, the C&C server responds with a command DWORD. Depending on the command, the C&C server then sends additional arguments. Some of the commands (mostly the shell- and video-related ones) use 48-byte data structures to store various data. Other commands create, delete, and query the status of these data structures, so the structure’s layout is shown in Figure 14:

Figure 14: 48-byte data structure used by some of the commands

The available commands are:

  • 2 – Get subcommand from C&C:
    • “cmd” – Start a cmd[.]exe shell
    • “shutdown_pc” – Shutdown
    • “reboot” – Reboot
    • “sleep utc” – Set sleep time
    • “video online” – Get existing or create new video data structure
    • “video stop” – Set a “stop” event in video data structure
    • “rdpwrap install” – This command enables RDP in the registry, but despite its name does not install the RDP Wrapper [4]
    • “rdpwrap uninstall” – If RDP Wrapper [4] was installed, uninstall it
    • “portforward” – Setup a proxy between a target host and port and the C&C
    • “run” – Execute command via cmd[.]exe, but don’t send output to the C&C
    • “runreflective” – Download DLL from C&C, inject it into a freshly created rundll32[.]exe, and reflectively load it
    • “keep_bot_online on” – Sets a flag and sleep timeout
    • “keep_bot_online off” – Turns off the flag and sets the sleep timeout to zero
  • 4 – Send number, type, and index of data structures
  • 5 – If shell or video recording is enabled, send shell output or screenshots to the C&C
  • 11 – Send number, index, and tag of command shell data structures
  • 12 – Write a command to a shell
  • 13 / 32 – Create a new, empty data structure and send its index to the C&C
  • 14 – Clean up and remove existing data structure
  • 15 – Write file
  • 23 – Get drive information or directory listing
  • 24 – Read file
  • 25 – Create directory
  • 26 – Delete file
  • 27 – Clean up and remove all data structures
  • 31 – Exact functionality is unclear. It writes a file using two data structures: one associated with the file and other used for reading data from the C&C

Conclusion

TA505 has helped shape the threat landscape for years, largely because of the massive volumes associated with their campaigns through the end of 2017 and 2018. Over the last two years, Proofpoint researchers have observed TA505 and a number of other actors focus on downloaders, RATs, information stealers, and banking Trojans. With this recently observed October 2019 push by TA505, with attacks on a wide range of verticals and regions, the actor’s usual “follow the money” behavioral pattern remains consistent. The new Get2 downloader, when combined with SDBbot as its payload, appears to be TA505’s latest trick (or treat) for the Fall of 2019.

References

[1] https://attack.mitre.org/techniques/T1138/

[2] https://attack.mitre.org/techniques/T1060/

[3] https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html

[4] https://github.com/stascorp/rdpwrap

ET and ETPRO Suricata/Snort Signatures

2028642 || ET TROJAN Possible Win32/Get2 Downloader Activity
2838412 || ETPRO TROJAN Win32/Get2 Downloader C&C Checkin
2025408 || ET TROJAN Win32/FlawedAmmyy RAT C&C Checkin
2026773 || ET TROJAN FlawedGrace CnC Activity
2838808 || ETPRO TROJAN Win32/SDBbot C&C Checkin