Article by Vishal Thakur
The sample shows code reuse from the Lazarus malware family, but full attribution is hard to determine at this time.
The focus of this article is on the network C2 (command-and-control) communications.
Following is the complete URI for the first connection:
000007FEFA6ABA48 | 4C 8B DC                 | mov r11,rsp                             |
000007FEFA6ABA4B | 53                       | push rbx                                |
000007FEFA6ABA4C | 55                       | push rbp                                |
000007FEFA6ABA4D | 56                       | push rsi                                |
000007FEFA6ABA4E | 57                       | push rdi                                |
000007FEFA6ABA4F | 41 54                    | push r12                                |
000007FEFA6ABA51 | 41 55                    | push r13                                |
000007FEFA6ABA53 | 41 56                    | push r14                                |
000007FEFA6ABA55 | 41 57                    | push r15                                |
000007FEFA6ABA57 | 48 81 EC 88 01 00 00     | sub rsp,188                             |
000007FEFA6ABA5E | 48 8B 05 5B 8B 05 00     | mov rax,qword ptr ds:[7FEFA7045C0]      |
000007FEFA6ABA65 | 48 33 C4                 | xor rax,rsp                             |
000007FEFA6ABA68 | 48 89 84 24 70 01 00 00  | mov qword ptr ss:[rsp+170],rax          |
000007FEFA6ABA70 | 49 83 A3 78 FF FF FF 00  | and qword ptr ds:[r11-88],0             |
000007FEFA6ABA78 | 41 83 63 80 00           | and dword ptr ds:[r11-80],0             |
000007FEFA6ABA7D | 8B DA                    | mov ebx,edx                             |
000007FEFA6ABA7F | 33 D2                    | xor edx,edx                             |
000007FEFA6ABA81 | 41 8B F0                 | mov esi,r8d                             |
000007FEFA6ABA84 | 4C 8B F1                 | mov r14,rcx                             | rcx:L"https://www.kingkoil.com.sg/board.php"
000007FEFA6ABA87 | 44 8D 42 24              | lea r8d,dword ptr ds:[rdx+24]           |
Here's a view from the stack.
The request:
000007FEFA6B4C03 | 41 83 BB 1C 01 00 00 02  | cmp dword ptr ds:[r11+11C],2            | r11+11C:L"tml,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-us;q=0.8;q=0.6,en-us;q=0.4,en;q=0.2\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 384\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n"
POST req with the path:
UserAgent used:
Complete URI:
Third connection:
The request:
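The header fragment recovered from the stack above is unusual in a way a detection can key on: the Accept-Language value carries two q parameters on one range (en-us;q=0.8;q=0.6) and repeats the en-us range, which no browser emits. The following is an added example (not code from the article or the sample) that parses a constructed request built only from the URL and the headers fully visible above and reports which of those observed indicators it matches; the Host header and the filler body are assumptions.

```python
from typing import Dict, List

# Constructed sample request: path and host from the URL in the debugger output,
# headers copied from the stack string above, body is filler of the stated length.
SAMPLE_REQUEST = (
    "POST /board.php HTTP/1.1\r\n"
    "Host: www.kingkoil.com.sg\r\n"
    "Accept-Language: en-us;q=0.8;q=0.6,en-us;q=0.4,en;q=0.2\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 384\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n" + "A" * 384
)

def parse_request(raw: str) -> Dict[str, str]:
    """Split a raw HTTP/1.1 request into lower-cased header fields; the
    request line is stored under '_request_line'."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    fields = {"_request_line": lines[0]}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    return fields

def accept_language_anomalies(value: str) -> List[str]:
    """RFC 7231 allows one q parameter per language range and a browser does
    not repeat a range; return a reason for each violation found."""
    reasons, seen = [], set()
    for item in value.split(","):
        parts = [p.strip() for p in item.split(";")]
        tag = parts[0].lower()
        if sum(p.startswith("q=") for p in parts[1:]) > 1:
            reasons.append(f"multiple q-values for '{tag}'")
        if tag in seen:
            reasons.append(f"duplicate language range '{tag}'")
        seen.add(tag)
    return reasons

def score_request(raw: str) -> List[str]:
    """Return the indicators from this write-up that the request matches."""
    f = parse_request(raw)
    hits = []
    if f["_request_line"].startswith("POST ") and " /board.php " in f["_request_line"]:
        hits.append("POST to /board.php")
    hits += accept_language_anomalies(f.get("accept-language", ""))
    if f.get("content-length") == "384" and \
            f.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        hits.append("384-byte form-encoded body")
    return hits
```

The Accept-Language check is the most portable of the three: the path and body length are tied to this sample, while the malformed q-values identify the hand-built request builder regardless of which hijacked site is used as the C2 host.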
Sample: 37b04dcdcfdcaa885df0f392524db7ae7b73806ad8a8e76fbc6a2df4db064e71
McAfee report: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/