Bladabindi C2 communication analysis

This is the mess Bladabindi turns into when decompiled in IDA.

A dedicated .NET decompiler is needed.

Reference: https://blog.csdn.net/kongwei521/article/details/54927689


Bladabindi Remains A Constant Threat By Using Dynamic DNS Services

By Lilia Elena Gonzalez Medina | November 30, 2016

The Fortinet research team has been developing an industrial-grade analysis system that lets us aggregate information from samples collected from a variety of sources. Using this tool, we recently started to see recurring URLs under the domains hopto.org and myftp.biz. In most cases each sample connected to a unique URL in one of these domains, although we also found some samples that connected to the same URL.

Figure 1. Examples of the domains and samples collected by the team’s FortiGuard analysis system

This threat, also known as njRAT, is detected as MSIL/Bladabindi.U!tr or MSIL/Agent.LI!tr by the Fortinet AntiVirus service. If installed, the user's private data is compromised, because the malware gives the attacker unauthorized access to the infected computer and lets them collect information such as screenshots, typed keystrokes (which often include usernames, passwords, websites, documents, etc.), running processes, pictures taken with the webcam, and more.

Threat Description

This malware family is written for the .NET Framework, and this sample in particular has two important classes, called kl and OK.

kl

This class uses the Win32 API functions GetAsyncKeyState, GetKeyboardLayout, GetKeyboardState, GetWindowThreadProcessId, MapVirtualKey and ToUnicodeEx to capture keystrokes.

OK

This class contains the other functionalities of the RAT. The important activities are summarized below:

  • Makes the following modifications to the registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\050ed846adcc1b8729af0a70a0fefe4d: ""C:\Users\\AppData\Local\Temp\server.exe" .."

HKCU\Software\050ed846adcc1b8729af0a70a0fefe4d\[kl]: ""

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\050ed846adcc1b8729af0a70a0fefe4d: ""C:\Users\\AppData\Local\Temp\server.exe" .."

HKCU\di: "!"

The string “050ed846adcc1b8729af0a70a0fefe4d” is hardcoded in the sample.

Besides storing the keylogger output, the registry subkey HKCU\Software\050ed846adcc1b8729af0a70a0fefe4d\ also holds malicious executables, written there by the sample as binary value data.

Figure 2. Malicious executables stored in Windows Registry



All those samples are, of course, detected by the Fortinet AntiVirus service:

2681e81bb4c4b3e6338ce2a456fb93a7 Detected as MSIL/Bladabindi.U!tr

8e78a69ca187088abbea70727d268e90 Detected as MSIL/Bladabindi.U!tr

b88ece4c04f706c9717bbe6fbda49ed2 Detected as W32/Agent.CPGR!tr

c4d7f8abbf369dc795fc7f2fdad65003 Detected as MSIL/Bladabindi.U!tr

The strings in b88ece4c04f706c9717bbe6fbda49ed2 reference No-IP’s Dynamic Update Client (DUC) that automatically updates the IP address if it changes, but also contain lines like “SELECT * FROM moz_logins” to obtain Firefox’s stored credentials. 

Figure 3. Part of a malicious executable stored as data

  • Creates the mutex 050ed846adcc1b8729af0a70a0fefe4d. If the mutex already exists, the sample calls ProjectData.EndApp to close all related files and stop the process.
  • Checks whether a file called server.exe already exists in C:\Users\\AppData\Local\Temp\. If it exists, the sample deletes it. Otherwise, the file is created and executed. The file server.exe is a copy of the sample.
  • Creates an environment variable called "SEE_MASK_NOZONECHECKS" and sets its value to 1, which suppresses the "Open File - Security Warning" zone check when a downloaded executable is launched.
  • Creates a rule to allow the process server.exe on the Windows firewall.

Figure 4. Command used by the sample to create a firewall rule

  • Copies server.exe to the Startup folder.
  • Reads the value HKCU\Software\050ed846adcc1b8729af0a70a0fefe4d\[kl], where the keylogger stores what it captures, in order to send it to the C&C later.

Figure 5. Example of the keylogging functionality
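The registry-side indicators described above (a Run value named by the hardcoded 32-character hex string that launches %TEMP%\server.exe, a HKCU\Software\<32hex> key holding the [kl] keylog value and binary blobs, and the HKCU\di marker) can be checked offline against a registry export. The following triage script is an added example, not Fortinet's or the RAT's code: it parses text in the .reg format that reg.exe /export writes and reports those indicators. The embedded export is constructed for the example; the username, the non-malicious OneDrive value and the blob bytes are invented.

```python
"""Host-side triage for njRAT/Bladabindi persistence artifacts in a .reg export."""
import re
from dataclasses import dataclass
from typing import Dict, List

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

# Constructed sample export (username "victim", OneDrive value and blob bytes invented).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"050ed846adcc1b8729af0a70a0fefe4d"="\"C:\\Users\\victim\\AppData\\Local\\Temp\\server.exe\" .."
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\050ed846adcc1b8729af0a70a0fefe4d]
"[kl]"="[Untitled - Notepad] hello"
"blob0"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,\
  b8,00,00,00,00,00,00,00

[HKEY_CURRENT_USER]
"di"="!"
'''


@dataclass
class Finding:
    key: str
    value: str
    reason: str


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}}. String data is unescaped;
    hex: data is kept as its raw text, joined across continuation lines."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # hex: data continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$', line)
        if current is None or m is None:
            continue
        name = m.group("name") if m.group("name") is not None else "@"
        data = m.group("data")
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = re.sub(r'\\(["\\])', r'\1', data[1:-1])   # \\ -> \ and \" -> "
        keys[current][name] = data
    return keys


def triage(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Apply the indicators from the write-up to a parsed export."""
    findings: List[Finding] = []
    for key, values in keys.items():
        key_lc = key.lower()
        if key_lc in RUN_KEYS:
            for name, data in values.items():
                if HEX32.match(name) and "\\temp\\server.exe" in data.lower():
                    findings.append(Finding(key, name, "Run value named by a 32-hex id launches %TEMP%\\server.exe"))
        elif key_lc.startswith("hkey_current_user\\software\\") and HEX32.match(key.rsplit("\\", 1)[-1]):
            for name, data in values.items():
                if name == "[kl]":
                    findings.append(Finding(key, name, "keylog buffer under HKCU\\Software\\<32hex>"))
                elif data.startswith("hex:"):
                    kind = "PE image (MZ header)" if data.lower().startswith("hex:4d,5a") else "binary blob"
                    findings.append(Finding(key, name, f"{kind} stored under HKCU\\Software\\<32hex>"))
        elif key_lc == "hkey_current_user" and values.get("di") == "!":
            findings.append(Finding(key, "di", "HKCU\\di marker value set to '!'"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_reg_export(SAMPLE_REG)):
        print(f"{f.key} :: {f.value} :: {f.reason}")
```

The Run-key check deliberately requires both the 32-hex value name and a server.exe path under Temp, so a legitimate autorun entry with an unusual name is not flagged on its own; the hex prefix test on blob data is a cheap way to tell an embedded PE apart from other binary values.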

  • Uses GetWindowText to copy the title-bar text of the active window, which is later sent to the remote server encoded in base64.
  • Gets information about the C: drive, in particular the volume serial number.
  • When all the necessary information has been collected, the sample builds a string with the data encoded in base64, with this structure:
 "ll" + HacKed22_VolumeSerialNumber + ComputerName + Username + LastWriteTimeOfSampleInTemp + OSandServicePack + Architecture + Camera(Yes/No) + 0.7d (possibly the malware version) + .. + ActiveWindowName + ActiveWindowName…

This stolen information is sent to the malicious URL in the hopto.org or myftp.biz domain over port 1177, 5552, or 5112, depending on the sample. The traffic can be detected by the Fortinet IPS signature Bladabindi.Botnet.


Figure 6. Fragment of the coded data sent to the C&C

Here are some examples of captured window names and their base64 encodings. Each name is encoded with a trailing null byte, which is why every encoded value ends in "AA=" or "AA==":

Temp: VGVtcAA=
Roaming: Um9hbWluZwA=
Regshot 1.9.0 x86 Unicode: UmVnc2hvdCAxLjkuMCB4ODYgVW5pY29kZQA=
Local: TG9jYWwA
Process Monitor Filter: UHJvY2VzcyBNb25pdG9yIEZpbHRlcgA=
Applying Event Filter: QXBwbHlpbmcgRXZlbnQgRmlsdGVyAA==
Event Properties: RXZlbnQgUHJvcGVydGllcwA=
Create dump of server.exe: Q3JlYXRlIGR1bXAgb2Ygc2VydmVyLmV4ZQA=
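A decoder for these fields, as an added example that is not Fortinet's or the RAT's code: each window name above decodes to the title followed by a NUL byte, so a plain base64 decode leaves a trailing '\x00'. The helpers strip it, can reproduce the encoding, and pull such fields out of a captured C&C payload. The payload is constructed for the example, following the field order given in the write-up; the "|" separator, the volume serial, host, user and OS values in it are assumptions, since the write-up lists the field order but not the delimiter.

```python
"""Decode the base64, NUL-terminated window-name fields Bladabindi sends to its C&C."""
import base64
import binascii
import re
from typing import List, Optional

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{4,}={0,2}")   # candidate base64 runs in a raw payload


def decode_field(token: bytes) -> Optional[str]:
    """Return the window name if token is valid base64 of a NUL-terminated string,
    otherwise None. Ordinary words such as b"HacKed22" are also base64-alphabet
    runs, so the NUL terminator is what discriminates a real field."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 2 or not raw.endswith(b"\x00") or b"\x00" in raw[:-1]:
        return None
    try:
        return raw[:-1].decode("utf-8")
    except UnicodeDecodeError:
        return None


def encode_field(name: str) -> str:
    """Inverse of decode_field: the encoding the RAT produces for a window title."""
    return base64.b64encode(name.encode("utf-8") + b"\x00").decode("ascii")


def extract_window_names(payload: bytes) -> List[str]:
    """Scan a raw payload for base64 runs and decode those carrying the NUL
    terminator, in order of appearance."""
    names: List[str] = []
    for m in B64_RUN.finditer(payload):
        name = decode_field(m.group(0))
        if name is not None:
            names.append(name)
    return names


# Constructed registration payload in the field order from the write-up.
# Separator "|" and the serial/host/user/OS values are invented for the example.
SAMPLE_PAYLOAD = (
    b"ll|HacKed22_1A2B3C4D|DESKTOP|user|Win7SP1|x86|Yes|0.7d|..|"
    b"Q3JlYXRlIGR1bXAgb2Ygc2VydmVyLmV4ZQA=|UmVnc2hvdCAxLjkuMCB4ODYgVW5pY29kZQA="
)

# The pairs listed in the write-up, used to check that the codec round-trips.
PAGE_EXAMPLES = {
    "Temp": "VGVtcAA=",
    "Roaming": "Um9hbWluZwA=",
    "Regshot 1.9.0 x86 Unicode": "UmVnc2hvdCAxLjkuMCB4ODYgVW5pY29kZQA=",
    "Local": "TG9jYWwA",
    "Process Monitor Filter": "UHJvY2VzcyBNb25pdG9yIEZpbHRlcgA=",
    "Applying Event Filter": "QXBwbHlpbmcgRXZlbnQgRmlsdGVyAA==",
    "Event Properties": "RXZlbnQgUHJvcGVydGllcwA=",
    "Create dump of server.exe": "Q3JlYXRlIGR1bXAgb2Ygc2VydmVyLmV4ZQA=",
}


def page_examples_round_trip() -> bool:
    """True if every listed encoding decodes to its name and re-encodes identically."""
    return all(decode_field(enc.encode("ascii")) == name and encode_field(name) == enc
               for name, enc in PAGE_EXAMPLES.items())


if __name__ == "__main__":
    print("round trip:", page_examples_round_trip())
    for name in extract_window_names(SAMPLE_PAYLOAD):
        print(repr(name))
```

Window titles captured this way tend to reveal the analyst's own tools (Regshot, Process Monitor in the list above), which is worth remembering when a sample is detonated in a monitored sandbox.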
  • Uses the function capGetDriverDescriptionA to find out if the infected computer has a webcam installed.
  • Deletes the keys and files related to the infection.
  • It also includes functions to decompress zip files and compute MD5 hashes.
  • The sample responds to the commands sent from its C&C. The following table explains some of them:

Command       Action
kl            Sends the data collected by the keylogger.
prof + "~"    Adds a value to the subkey HKCU\Software\050ed846adcc1b8729af0a70a0fefe4d\
prof + "!"    Adds a value to the subkey HKCU\Software\050ed846adcc1b8729af0a70a0fefe4d\ and sends data to the C&C.
prof + "@"    Deletes the specified registry key.
rn            Downloads a file and executes it.
ret           Obtains the collected passwords.
CAP           Takes a screenshot, saves it as JPEG, and sends it to the C&C.
un + "~"      Deletes the registry keys, the file server.exe in the Startup folder and the firewall rule that allows it.
Un + "!"      Ends the current process.
Un + "@"      Ends the current process and starts a new one.
Up            Downloads a file from a remote server and executes it, then deletes the registry keys and the files related to the infection. This command is used for updates.
Ex            Obtains information about the running processes, the services, and the active connections.
CH            Opens a chat window so that the C&C operator can communicate with the infected computer.

A fragment of the decompiled code for the "CAP" command, which takes screenshots, can be seen below. It simply calls Graphics.CopyFromScreen to copy the screen's pixels into a bitmap through a Graphics object.

Figure 7. Fragment of code to take screenshots

C&C interface

When active, the sample uses the domain prosa15.myftp.biz to connect to its C&C over port 1177. To simulate the RAT's behavior in a controlled environment, a copy of njRAT was downloaded and installed. Once the sample connected to the C&C, the panel displayed information such as its IP address, computer name, country, whether a webcam was installed, the active window, and a small screenshot.

Figure 8. njRAT’s administration panel

The picture below shows part of the data collected by the keylogger. Not only does it record the pressed keys, but it also specifies the window in which the words were written.

Figure 9. Keylogger window

As mentioned above, the malware is also capable of collecting active processes, services, and connections, accessing the registry keys, and executing commands with a remote shell. 


Figure 10. Other capabilities of the RAT

Statistics

Both the hopto.org and myftp.biz domains are available, among various other options, from the dynamic DNS provider No-IP. Using this service ensures that an infected PC can keep communicating with its C&C even when the C&C's IP address changes.

From September 12 to November 16, our FortiGuard analysis system collected 194 samples connecting to hopto.org or myftp.biz. 

Out of those, 166 were Bladabindi samples and the rest belonged to different threats, which suggests that the use of dynamic DNS providers may now be more common among malware writers.

Although it is common for this malware family to report to its C&C using port 1177, the information gathered reveals that ports 5552 and 5112 are also now being used. 
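Since the C&C address moves with the dynamic DNS record, a detection keyed on IP addresses decays quickly; the name the client resolved just before connecting, combined with the ports above, is a more durable signal. The following detection logic is an added example (not Fortinet's IPS signature) run over a reduced tab-separated DNS log and connection log whose formats are assumed for the example. Every log line is constructed, using TEST-NET addresses; only the hostname prosa15.myftp.biz and the ports come from the write-up.

```python
"""Flag connections to No-IP dynamic DNS hosts on the ports Bladabindi uses."""
import csv
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DYNDNS_SUFFIXES = ("hopto.org", "myftp.biz")   # No-IP domains named in the write-up
NJRAT_PORTS = {1177, 5552, 5112}


@dataclass
class Alert:
    ts: int
    src: str
    dst: str
    dport: int
    hostname: Optional[str]
    severity: str


def is_dyndns(hostname: str) -> bool:
    """Label-aware suffix match: 'prosa15.myftp.biz' matches, 'notmyftp.biz' does not."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in DYNDNS_SUFFIXES)


def parse_dns(text: str) -> Dict[Tuple[str, str], str]:
    """Assumed format: ts<TAB>client<TAB>query<TAB>answer -> {(client, answer_ip): query}."""
    resolved: Dict[Tuple[str, str], str] = {}
    for ts, client, query, answer in csv.reader(text.strip().splitlines(), delimiter="\t"):
        resolved[(client, answer)] = query.lower()
    return resolved


def parse_conn(text: str) -> List[Tuple[int, str, str, int]]:
    """Assumed format: ts<TAB>src<TAB>dst<TAB>dport."""
    return [(int(ts), src, dst, int(dport))
            for ts, src, dst, dport in csv.reader(text.strip().splitlines(), delimiter="\t")]


def detect(dns_text: str, conn_text: str) -> List[Alert]:
    """Join each connection to the name its source resolved for the destination,
    then score: dynamic DNS host on an njRAT port is high, dynamic DNS host on any
    other port is medium, a bare port match with no resolution seen is low."""
    resolved = parse_dns(dns_text)
    alerts: List[Alert] = []
    for ts, src, dst, dport in parse_conn(conn_text):
        name = resolved.get((src, dst))
        dyn = name is not None and is_dyndns(name)
        port_hit = dport in NJRAT_PORTS
        if dyn and port_hit:
            severity = "high"
        elif dyn:
            severity = "medium"
        elif port_hit:
            severity = "low"      # the port alone is weak evidence
        else:
            continue
        alerts.append(Alert(ts, src, dst, dport, name, severity))
    return alerts


# Constructed logs (TEST-NET addresses); only prosa15.myftp.biz comes from the write-up.
SAMPLE_DNS = """\
1479000001\t10.0.0.5\tprosa15.myftp.biz\t203.0.113.10
1479000002\t10.0.0.5\twww.example.com\t203.0.113.80
1479000003\t10.0.0.7\tupdate-check.hopto.org\t198.51.100.7
"""
SAMPLE_CONN = """\
1479000010\t10.0.0.5\t203.0.113.10\t1177
1479000011\t10.0.0.5\t203.0.113.80\t443
1479000012\t10.0.0.7\t198.51.100.7\t443
1479000013\t10.0.0.9\t192.0.2.44\t5552
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_DNS, SAMPLE_CONN):
        print(f"{a.ts} {a.src} -> {a.dst}:{a.dport} ({a.hostname}) {a.severity}")
```

In production the (client, answer) lookup should be bounded by the record's TTL or a short window rather than kept forever, since the whole point of the dynamic DNS abuse is that the same name will point at a different address later.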

Finally, the next chart shows the number of samples collected by our FortiGuard analysis system from September 12 to November 16. 

Conclusion

The Bladabindi malware family continues to be one of the most popular threats because of how easy it is to obtain. In fact, plenty of videos and websites provide detailed tutorials on how to use it. One sign of its ease of use is that many of the collected samples had not been submitted to VirusTotal at the time of the analysis. Furthermore, the samples we examined use dynamic DNS services, which make it hard to monitor and keep track of the domains and IP addresses used.

posted @ 2020-10-17 22:38 bonelee