SentinelOne (July 12, 2016)
This sample was written in a manner to evade static and behavioral detection. Many anti-sandboxing techniques are utilized. Analysts relying solely on sandbox solutions such as GFI and Joe Sandbox to analyze this malware will miss full functionality of the sample.
Two known exploits (CVE-2014-4113 and CVE-2015-1701) were found in the sample, as well as one UAC bypass.
The sample appears to be targeting facilities that not only have software security in place, but physical security as well. ZKTeco (http://www.zkteco.com/) is a global manufacturer of access control systems including facial recognition, fingerprint scanners, and RFID. If the sample is run on a workstation with ZKTeco's ZKAccess software installed, the process will prematurely terminate. These systems would be heavily scrutinized by their administrators, and an infection on one of these machines would likely not go unnoticed.
Two hard coded MAC addresses are checked for by the sample. A MAC address is unique 6-byte number that is burned into the chips of all network cards. The sample will prematurely terminate if the machine it is running on has one of these two MAC addresses.
Use of low-level API (Nt* and Rtl*) and direct system calls (INT 2Eh and CALL ntdll!KiFastSystemCall)
were used to bypass user-space hooks used by antivirus software and sandboxes. This also demonstrates the expertise of the author. Many of these low-level APIs and system calls are undocumented/under-documented and can change between different versions of Windows. To gain an understanding of these functions, one has to be familiar with the Windows Driver Development Kit (DDK), and also reverse-engineered portions of the Windows operating system.
The final payload collects recon from the infected machine and reports back to its C2 server over HTTP.
Post made by
No comments:
Post a Comment