¿Le preocupan los recientes CVE de PAN-OS y otros cortafuegos/VPN? Aproveche hoy mismo la oferta especial de Zscaler

Blog de Zscaler

Reciba en su bandeja de entrada las últimas actualizaciones del blog de Zscaler

Suscríbase
Investigación de seguridad

Introducing DevOpt: A Multifunctional Backdoor Arsenal

SHATAK JAIN, MEGHRAJ NANDANWAR
abril 18, 2023 - 12 Min de lectura

Summary

In recent years, malware attacks have become increasingly sophisticated, and attackers are always finding new ways to exploit vulnerabilities and steal sensitive data. To stay ahead of these threats, security researchers must constantly monitor the landscape and identify new threats as they emerge. In this article, we'll take a closer look at the findings of a recent study conducted by Zscaler's ThreatLabz team, which uncovered a new backdoor built using Free Pascal that has the ability to steal data from infected systems. We'll explore the techniques used by this malware, as well as the tactics employed by cybercriminals to entice users into downloading malicious payloads. By understanding these threats, we can take steps to protect ourselves and our systems from the dangers of malware attacks.

Introduction

Zscaler ThreatLabz has recently unearthed a new backdoor called 'Devopt'. It utilizes hard-coded names for persistence and offers several functionalities, including keylogging, stealing browser credentials, clipper, and more. Multiple versions of the backdoor have surfaced in just the last few days, indicating that it is still in development. In this blog post, we will delve into the specifics of this new backdoor and its workings. Additionally, we will offer tips on how to safeguard yourself against such attacks.

Key Takeaways

  • Zscaler ThreatLabz uncovered a new backdoor and named it DevOpt based on the name of the persistence malware
  • Discovered on a Russian website promising monetary rewards, victims are lured into downloading malicious payloads containing DevOpt malware
  • The malware is currently still in development and is receiving continous improvement updates designed to make it a more potent and effective tool for attackers and threat for defenders
  • DevOpt has advanced capabilities to function as a keylogger, stealer, grabber, and a clipper along with persistence mechanisms.

Campaign

While on the hunt for new malware, the ThreatLabz research team at Zscaler came across a newly discovered backdoor that was created using Free Pascal. This backdoor is particularly dangerous as it has the ability to steal data from infected systems.

Zscaler's ThreatLabz research team remains vigilant in tracking new malware threats. During a recent investigation, we discovered a backdoor that uses Free Pascal and is capable of stealing data from infected systems. Additionally, we came across a Russian website where users were offered financial rewards for completing a task that unwittingly involved downloading malware. Further analysis revealed that the downloaded malware had an archive icon, giving the impression of a compressed file and luring users into double-clicking it, which then executed the malware. This discovery underscores the lengths to which cybercriminals will go to lure users into downloading malicious payloads, using tactics such as offering financial incentives. It's worth noting that the malware's downloading URL pattern generally follows this structure: wdfiles-download[.]siteme[.]org/arxiv[digit].exe.

Fig 1. - Russian Website(Translated to english) enticing users into downloading malicious payloads.

Fig 1. - Russian Website(Translated to english) enticing users into downloading malicious payloads.

Technical Analysis

Two versions of the backdoor have been discovered in the development stage. The first version, which lacks obfuscation to hide its strings, is roughly 20 MB in size and contains a Graphic User Interface not found in the newer variant, which is approximately 2 MB in size. The second version uses encoded integer-based strings for its functionality.

The older version uses plain text HTTP protocol, while the newer variant searches for OpenSSH DLLs in the infected system to establish encrypted HTTPS connections to its command and control. To establish network connections, the backdoor requires several DLLs: libcrypto-1_1.dll, libeay32.dll, libssl-1_1.dll, libssl32.dll, and ssleay32.dll. If the malware is unable to locate these DLLs, it becomes inactive and will not infect the system further.

 

Encoded String

Decoded Strings

Description

5494-4756-7544-6970-9430-8282-9348-9430-7544

C:\\Users\\

String to access infected system Users Directory 

7544-5576-8282-9430-8774-9512-9102-9184-7544

\\Desktop\\

String to access infected system Desktop Directory 

7544-5576-9102-8118-9594-8938-8282-9020-9512-9430-7544

\\Documents\\

String to access infected system Documents Directory 

7544-5576-9102-9758-9020-8856-9102-7954-8200-9430-7544

\\Downloads\\

String to access Infected system Downloads Directory 

8200-8282-9676-9102-9184-9512-3444-3772-8282-9840-8282

devopt*.exe

Create a copy of itself in the Startup folder with devopt(random 2 digit).exe name. 

7544-7134-8610-9020-8774-8282-9922-6068-8282-9512-3772-8610-9020-8610

\\WinkeyJet.ini

Create configuration file with WinkeyJet.ini name.

8528-9512-9512-9184-9430-4756-3854-3854-8938-9676-8200-3690-8774-3690-9512-9594-8856-7954-3772-9430-8610-9512-8282-8938-8282-3772-9102-9348-8446-3854

https[:]//mvd-k-tula[.]siteme[.]org/

Command and Control domain.

7544-5330-9184-9184-5576-7954-9512-7954-7544-6724-9102-7954-8938-8610-9020-8446-7544-6314-8610-8118-9348-9102-9430-9102-8364-9512-7544-7134-8610-9020-8200-9102-9758-9430-7544-6806-9512-7954-9348-9512-2624-6314-8282-9020-9594-7544-6560-9348-9102-8446-9348-7954-8938-9430-7544-6806-9512-7954-9348-9512-9594-9184-7544

\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\

Startup directory path.

6314-9102-10004-8610-8856-8856-7954-3854-4346-3772-3936-2624-3280-7134-8610-9020-8200-9102-9758-9430-2624-6396-6888-2624-4428-3772-4100-4838-2624-9348-9676-4756-4018-3936-4264-3772-3936-3362-2624-5822-8282-8118-8774-9102-3854-4100-3936-4018-3936-3936-4018-3936-4018-2624-5740-8610-9348-8282-8364-9102-9840-3854-4018-3936-4264-3772-3936

Mozilla/5.0 (Windows NT 6.2; rv:104.0) Gecko/20100101 Firefox/104.0

User Agent used for network requests.

8856-8610-9430-9512-8282-9020-8282-9348-3772-9184-8528-9184

listener.php

Send collected data as listener.php

 

The earlier version of the backdoor required user interaction by clicking on the Extract button, whereas newer versions run silently in the background without any need for user interaction.

Fig 2. - Earlier version of malware requiring user interaction

Fig 2. - Earlier version of malware requiring user interaction

Based on the aforementioned observation, it can be concluded that the Threat Actor is adding more features to the backdoor and making it stealthier.

Additional Analysis

After analyzing the malware, our observations revealed that it contains numerous capabilities. The following functionalities were observed:

 

Persistence

Persistence refers to a malware's capability to remain active on a system even after a reboot or shutdown. This can be achieved by adding entries to the Windows Registry or by creating scheduled tasks. Once a malware establishes persistence, it can continue to operate in the background and carry out malicious activities undetected by the user.

Upon closer observation, researchers noticed that the malware replicated itself in the Startup folder, enabling it to initiate automatically whenever the computer is powered on. Further observations of different versions revealed that it duplicates itself with a name devopt[random 2 digits].exe under the following path: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. 
 

Fig 3. - Persistence mechanism

Fig 3. - Persistence mechanism

 

Clipper

A clipper malware is created to pilfer confidential data from victims. Once it is installed on a victim's device, it can record the clipboard data, which can potentially be used to steal other sensitive information like login credentials, credit card numbers, or other financial data.

Researchers noticed that the malware generates a file called 'clippa.dan' in the C:\User\[User] directory, which logs all the information copied to the clipboard.

Fig 4. - Clipper logging data from the system

Fig 4. - Clipper logging data from the system

 

Stealer

A stealer malware is created to pilfer sensitive information, such as login credentials, credit card details, and other personal data. Once it is installed on a victim's device, it can monitor the user's activity and steal sensitive information.

The malware generates two files, namely 'cdck.bin' and 'bdck.bin,' in the C:\User\[User] directory, which steal the credentials, cookies, history, and version information of the two specific browsers, respectively.

  1. Chrome browser data collected from infected system: 
  • [C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies]
  • [C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\History]
  • [C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Login Data]
  • [C:\Users\User\AppData\Local\Google\Chrome\User Data\Last Version]

 

      2. Yandex data collected from infected system: 

  • [C:\Users\User\AppData\Local\Yandex\YandexBrowser\User Data\Default\Network\Cookies]
  • [C:\Users\User\AppData\Local\Yandex\YandexBrowser\User Data\Default\Network\History]
  • [C:\Users\User\AppData\Local\Yandex\YandexBrowser\User Data\Default\Ya Passman Data]
  • [C:\Users\User\AppData\Local\Yandex\YandexBrowser\User Data\Default\Ya Autofill Data]

 

Keylogger

Keylogger malware is specifically designed to capture every keystroke made by a user on their device. This can be used to steal sensitive information like login credentials, credit card details, and other personal data.

In this case, the malware creates a file named ‘Kebba.dan’ in the C:\User\[User] directory to log the keystrokes of the user.

Fig 5. - Keylogger logging keystrokes

Fig 5. - Keylogger logging keystrokes

 

Grabber

Fig 6. - Grabber enumerating the Directories for stealing file contents

Fig 6. - Grabber enumerating the Directories for stealing file contents

Grabber malware is created to illicitly obtain files and other data from an infected device. It targets text, Word, Excel, and RTF files stored in the Document, Download, or Desktop directories, and saves the stolen data in a file named “grb.bin” located at C:\User\[User] directory.

Fig 7. - Grabber File contents stealing data

Fig 7. - Grabber File contents stealing data 

 

Dropped text file 

In previous versions of this backdoor, researchers observed that it drops a file called ‘unpacked.dt’ in the ‘data’ folder of the current directory. This file is likely designed to confuse malware analysts because it appears to be an encoded malicious payload, but in reality, it contains randomly generated alphanumeric strings. In newer versions of the backdoor, a similar file named ‘0.txt’ is dropped in the current directory, which contains random strings that are hardcoded into the malware itself.

Fig 8. - Generating random alphanumeric strings for unpacked.dt file

Fig 8. - Generating random alphanumeric strings for unpacked.dt file

 

Configuration File

The researchers noted the presence of a configuration file named "Winkeyjet.ini" that was dropped in the Users directory. This file contains information about the compromised system, such as the name of the operating system, a unique Device_ID, and the version number (Version) that represents the major version information of the compromised system. Additionally, the file includes the malware's hardcoded own version (OwnVer). The configuration file also specifies the Command and Control (CnC) server, which is responsible for providing instructions to the malware once it has been successfully installed.

Fig 9. - Configuration file generated recording the device and version information

Fig 9. - Configuration file generated recording the device and version information 


Additional investigation has uncovered that certain malwares that are still in the early stages of development are displaying a message box that contains the text "putin Xyilo", which is a slogan that ridicules Russian President Vladimir Putin.

Fig 10. - Msgbox displayed in underdeveloped versions of malware

Fig 10. - Msgbox displayed in underdeveloped versions of malware

Network Communication

Establishing a connection with the Command and Control (CnC) starts with the malware sending a "create" request. Upon recognizing the request, the CnC responds with a "200 OK" message.

After establishing the connection, the malware sends a command request to the CnC, which in turn responds with a SYNC command. Upon receiving the SYNC command, the malware executes the given command and sends a "SYNCRONIZED" response back to the CnC to indicate successful completion.

Fig 11. - Network communication steps

Fig 11. - Network communication steps 

Commands

Below are the encoded string commands used by the observed malware:

 

Encoded String

Decoded Strings

Description

6806-7298-6396-5494

SYNC

Command to check connection between CnC and Malware. We observed in some variants malware send the ‘SYNCRONIZED’ response along with the version of the malware.

5576-5986-6724

DIR

Command to collect file information of the given directory. It can collect file name, directory name, size and modified date. 

6560-6970-6888

PUT

Command to write collected information in file. It will give the response ‘HAD WRITTEN’ if the file is already present else ‘NOT WRITTEN’.

6724-5658-5330-5576

READ

Command to read collected information from stored files and send data to CnC.

5658-7216-5658-5494

EXEC

To execute commands sent from CnC and after successful execution it sends ‘EXECUTED’ response.  

5576-6724-6232-6806

DRLS

Command to collect Drive information (HDD, CDROM, RAMDISK, Network and Removable) of the infected system. 

6560-6724-6232-6806

PRLS

Command to collect the Process list of infected systems.

 

The previous version of the malware did not include the DRLS and PRLS commands for gathering drive and process information, respectively.

Conclusion

Based on the observations made during the malware analysis, it is evident that the malware in question is a sophisticated and multifunctional threat. The malware is capable of performing various malicious activities such as stealing confidential information, logging keystrokes, stealing files, and establishing persistent access to the victim's system.

It is also evident that the threat actor behind the malware is continuously improving the malware by adding new features, making it stealthier, and using various techniques to evade detection. The malware uses encoded strings for its commands and drops files with misleading names to deceive malware analysts.

Furthermore, the malware communicates with a Command and Control server to receive instructions and send stolen data. The server's IP address and other details are hardcoded into the malware.

Overall, the findings highlight the need for robust security measures to protect against advanced and evolving malware threats. It also emphasizes the importance of regular updates and security patches to mitigate the risks associated with these threats.

As cyber threats continue to evolve and become increasingly complex, it is critical to remain alert and take proactive measures to protect against them. The discovery of this new backdoor is a testament to the ever-changing tactics of attackers and underscores the importance of ongoing monitoring and research. Zscaler's ThreatLabz team is dedicated to staying on top of these threats and sharing their findings with the wider community. It is essential to stay informed and take necessary precautions to safeguard against malware attacks. Remember to keep your software up-to-date, use strong passwords, and be wary of suspicious emails or messages.

Zscaler Sandbox Coverage

Zscaler's multilayered cloud security platform detects indicators, as shown below:

Fig 12. - DevOpt Backdoor Zscaler sandbox report

Fig 12. - DevOpt Backdoor Zscaler sandbox report

 

The following threat names are detected by Zscaler's multilayered cloud security platform for identifying malicious payloads:

MITRE ATT&CK Techniques

 

Tactic

Technique ID

Technique Name

Execution 

T1129

Shared Modules

Defense Evasion

T1027

Obfuscated Files or Information

Persistence

T1037.005

T1547.001

 

Startup Items

Registry Run Keys / Startup Folder

Discovery

T1057

T1082

T1083

Process Discovery

System Information Discovery

File and Directory Discovery

Collection

T1005

T1115

 

Data from Local System

Clipboard Data

Credential Access

T1003

T1555.003

T1539  

T1056.001

OS Credential Dumping

Credentials from Web Browsers

Steal Web Session Cookie

Keylogging

Command and Control

T1095 

T1071

Non-Application Layer Protocol

Application Layer Protocol

Indicators Of Compromise (IOCs)

 

db14d40d780853f80b93e21e92617680

94df2e4aa0f432ef992893d7b994ce84

Old Variant

391c894616dd0e8b372b801cbbc0a790

e42198e7c0647238b999a2b2133daac2

New Variant

mvd-k-tula[.]siteme[.]org

mvd-k-tula[.]ru

Command and Control Domain

wdfiles-download[.]siteme[.]org/arxiv5.exe

Malicious Source Url used for distribution

form submtited
Gracias por leer

¿Este post ha sido útil?

dots pattern

Reciba en su bandeja de entrada las últimas actualizaciones del blog de Zscaler

Al enviar el formulario, acepta nuestra política de privacidad.