Skip to main content

SMA: Sharpshooter Payload



Article by Vishal Thakur

This is a SMA of the payload used in the SharpShooter campaign.
The sample shows code-reuse from the Lazarus malware family but full attribution is hard to determine at this time.
The focus of this article is on the networking C2i.

Following is the complete URI for the first connection:


000007FEFA6ABA48 | 4C 8B DC                 | mov r11,rsp                             |
000007FEFA6ABA4B | 53                       | push rbx                                |
000007FEFA6ABA4C | 55                       | push rbp                                |
000007FEFA6ABA4D | 56                       | push rsi                                |
000007FEFA6ABA4E | 57                       | push rdi                                |
000007FEFA6ABA4F | 41 54                    | push r12                                |
000007FEFA6ABA51 | 41 55                    | push r13                                |
000007FEFA6ABA53 | 41 56                    | push r14                                |
000007FEFA6ABA55 | 41 57                    | push r15                                |
000007FEFA6ABA57 | 48 81 EC 88 01 00 00     | sub rsp,188                             |
000007FEFA6ABA5E | 48 8B 05 5B 8B 05 00     | mov rax,qword ptr ds:[7FEFA7045C0]      |
000007FEFA6ABA65 | 48 33 C4                 | xor rax,rsp                             |
000007FEFA6ABA68 | 48 89 84 24 70 01 00 00  | mov qword ptr ss:[rsp+170],rax          |
000007FEFA6ABA70 | 49 83 A3 78 FF FF FF 00  | and qword ptr ds:[r11-88],0             |
000007FEFA6ABA78 | 41 83 63 80 00           | and dword ptr ds:[r11-80],0             |
000007FEFA6ABA7D | 8B DA                    | mov ebx,edx                             |
000007FEFA6ABA7F | 33 D2                    | xor edx,edx                             |
000007FEFA6ABA81 | 41 8B F0                 | mov esi,r8d                             |
000007FEFA6ABA84 | 4C 8B F1                 | mov r14,rcx                             | rcx:L"https://www.kingkoil.com.sg/board.php"
000007FEFA6ABA87 | 44 8D 42 24              | lea r8d,dword ptr ds:[rdx+24]           |



Here's a view from the stack.
















The request:


000007FEFA6B4C03 | 41 83 BB 1C 01 00 00 02  | cmp dword ptr ds:[r11+11C],2            | r11+11C:L"tml,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-us;q=0.8;q=0.6,en-us;q=0.4,en;q=0.2\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 384\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n"


POST req with the path:


The second connection:

POST req with the path:

UserAgent used:
Complete URI:
Third connection:

The request:
Sample: 37b04dcdcfdcaa885df0f392524db7ae7b73806ad8a8e76fbc6a2df4db064e71McAfee report: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/


Labels:

Comments

Post a Comment

Popular posts from this blog

Grinju Downloader: Anti-analysis (on steroids) | Part 2

  This malware takes anti-analysis and stealth techniques to a new level We took a look at this malware in the Part 1 of this publication. Now let’s carry on with the analysis and dig deeper into the various anti-analysis and stealth-exec features of this malware in Part2. Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju Secondary Macro Code First of all, here’s the entire code that is dumped in the sheet once all the macro functions have been completed. Take a look at these lines and try to figure out what they are meant to do. Then we’ll take a look at the most important of these briefly before moving on to the next section. =CLOSE(FALSE) =FORMULA(LEN(APP.MAXIMIZE())+-459,Sheet1!R18690C129) =FORMULA(LEN(GET.WINDOW(7))+-131,Sheet1!R18691C129) =FORMULA(LEN(GET.WINDOW(20))+-893,Sheet1!R18692C129) =FORMULA(LEN(GET.WINDOW(23)=3)+433,Sheet1!R18693C129) =FORMULA(LEN(GET.WORKSPACE(31))+864,Sheet1!R18694C129) =FORMULA(LEN(GET.WORKSPACE(13)>770)+...
Post a Comment
Read more

Grinju Downloader: Anti-analysis (on steroids) | Part 1

  This malware takes anti-analysis and stealth techniques to a new level Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju I’ve come across some great anti-analysis code in malware over the years. This one takes the top spot. On that note, let’s get into it, this is a long one! Since this malware employs a very complex structure, I’ve decided to divide the analysis into different sections. I’ll try to keep it as simple as possible but having said that, it really is a very complicated project. Hence, publishing in parts. TLDR: This is a very well-thought and equally well-written malware. There’s no VBA that you can analyse. The values and formulas that are used are spread across the worksheets to thousands of rows. The functions, among other things, are used to close the file, corrupt it and also delete the dropped scripts to make analysis extremely hard. In fact, you cannot analyse this malware without altering the code it self. Along the way, you’ll a...
Post a Comment
Read more

Trickbot — a concise treatise

Post-execution scope of impact and threatscape details of a sophisticated malware First Edition, April 2019 Vishal Thakur Introduction S ince its initial release, Trickbot has been an advanced, modular malware, built on complex, well-written code and backed by continuous improvement and on-going development. The modular structure of the code is the most important part of this malware. Other than giving it a clearly defined and segmented flow, it allows the authors to have the ability to add new modules with new purposes to the existing malware, which they have been doing regularly throughout the history of the malware. Trickbot is a beautiful piece of code, used for malicious purposes. Technical analysis of this malware has been published throughout its existence in the wild and there are some good, detailed publishings that are available on the internet that go into great technical details regarding the inner workings of the code and flow of Trickbot. Here’s one of my earl...
Post a Comment
Read more