In this article, I will discuss various tools that I have found during the past few months and which I believe are from the same author as the ZeroAccess malware. It is also possible that the source code of the bot was sold after the “takedown” in 2013 and someone is now trying to make profit from it. This would at least make sense if we consider the behavior of the latest version of the ZeroAccess botnet (v3) which looks like it was only setup for testing purposes.
The collected samples are mostly test tools and could but be attributed due to some unique coding characteristics of ZeroAccess author. At first, the author _heavily_ relies on native system functions instead of high-level API functions in their user mode applications. Secondly, the author only uses Zw* function prefix and never the Nt* prefix. The combination of these two characteristics alone dramatically narrows down possible candidates in sample databases nowadays. Moreover, some of the tools make use of shellcode and the author has a unique technique to resolve string addresses. Additionally, we have found some samples with PDB path strings and other strings which overlap between the tools. Finally, many of the tools which contain other embedded files are stored always inside RCDATA section.
Thanks to EP_X0FF for help on the technical part.
UAC demo tool
In October last year, I stumbled across a small tool which obviously was created to advertise an UAC bypass method. At first glance, the method looked similar to the one used by H1N1 loader released at the beginning of 2015. Also, the compilation timestamp dated 20. August 2015 which indicated the tool was maybe created by the author of H1N1 loader. But after a closer look at the code it turned out it’s not exactly the same technique.
After the discovery of the new ZeroAccess botnet (v3) at the beginning of this year, also a sample of this bot was found which dated back to December 2014. After analyzing the sample, we can say for sure that the UAC demo tool is based on the ZeroAccess source code or was coded by its author. The code and the payload dll are identical, only the compilation timestamp of the payload differs.
But for whom was this demo tool created? Was it sold in an underground forum or shared in private? A few days ago, I have found a variant of Cryptodefense which dates back to 26. October 2015 according to the compilation timestamp. This sample uses the exact same method advertised in the demo tool, even the payload dll has the same compilation timestamp. Although, it is possible that the creator of the demo tool itself is the person behind this Cryptodefense variant, it seems very unlikely. The code of this Cryptodefense malware is different and by far not as advanced as any of the ZeroAccess tools.
UAC demo tool: https://www.virustotal.com/en/file/1597 ... /analysis/
Cryptodefense variant: https://www.virustotal.com/en/file/3c36 ... /analysis/
Custom LPE exploit (CVE-2015-1701)
This a test tool which exploits a vulnerability in win32k.sys kernel driver known as CVE-2015-1701 to gain system privileges. Probably, the author was inspired by the reverse engineered open source code from EP_X0FF. We can see the typical ZeroAccess way to alter the execution flow by registering an vectored exception handler and setting a hardware breakpoint on a specific function. When this function is then called, the exception handler jumps in and continues the execution. In the case of this exploit a hardware breakpoint is set on KiUserExceptionDispatcher which afterwards is internally called by CreateWindowEx function.
What is also important in association with the other tools is the PDB path left in the executable:
“d:\ZZZ\release\ui.pdb”
Custom LPE exploit (CVE-2015-1701): https://www.virustotal.com/en/file/1f8c ... /analysis/
ZeroAccess test dropper
This is an early version of the encrypted PNG dropper used to spread ZeroAccess v3. The difference between this early and the final version of the dropper is that it does not use XOR encryption and the file inside is only a test dll that poses as legit Windows file mshtmlmedia.dll. The test dll uses the same method as the final ZeroAccess v3 malware to load itself as legit Windows file comres.dll and calls its entry point.
What is also important in association with the other tools is the PDB path left in the test dll:
“d:\ZZZ\release\mshtmlmedia.pdb”
ZeroAccess test dropper: https://www.virustotal.com/en/file/9e98 ... c4fd23a04/
Injection test tool
This is a cross-platform (x86/x64) injection test tool realized as an x86 executable. It has two dlls stored inside the RCDATA section, one for each platform. The respective dll gets injected into the notepad.exe process which has to be started before. The injection of the x64 dll from the x86 process on a x64 Windows (Wow64) is done via the so called Heaven’s Gate. The injection process is done via obfuscated API calls that map the sections manually into the target and then doing the loader job. This type of injection is one of the more stealthy variants, since the injected dll does not appear in the loaded library lists.
Injection test tool: https://www.virustotal.com/en/file/9f36 ... a328779da/
Password encrypted file
This is kind of a self-extracting executable which contains the encrypted content inside the PE resource section, but without any compression. After the executable gets started a dialog box appears and a password has to be entered. Internally, a MD5 hash of the password is created which then gets used as the decryption key for the stream cipher known as Rabbit. Unfortunately, what is inside the file remains unknown, unless you know the correct password.
What is also important in association with the other tools are two Unicode strings inside the binary:
“This 32-bit app can not run on 64-bit Windows”
“Use 64-bit version!”
Password encrypted file: https://www.virustotal.com/en/file/c061 ... bb4f06e5c/
Dll list tool
This is a non-malicious tool with the purpose to list all processes along with their loaded dlls. I have found two samples of which one is self-signed with the name “max black”. Again, we can see the heavy use of native system functions with Zw* prefix and similar coding style as ZeroAccess malware.
What is also important in association with the other tools are two Unicode strings inside the binary:
“32-bit DllList can not run on 64-bit Windows”
“Use 64-bit version!”
Dll list tools: https://www.virustotal.com/en/file/7d3f ... 390315db1/
https://www.virustotal.com/en/file/d377 ... bb269e9a7/
That’s it! If you think you have found any other tools by this author, do not hesitate to post the file. Also, if you want to help us to find the password of the encrypted file, you are encouraged to do so. :)
The collected samples are mostly test tools and could but be attributed due to some unique coding characteristics of ZeroAccess author. At first, the author _heavily_ relies on native system functions instead of high-level API functions in their user mode applications. Secondly, the author only uses Zw* function prefix and never the Nt* prefix. The combination of these two characteristics alone dramatically narrows down possible candidates in sample databases nowadays. Moreover, some of the tools make use of shellcode and the author has a unique technique to resolve string addresses. Additionally, we have found some samples with PDB path strings and other strings which overlap between the tools. Finally, many of the tools which contain other embedded files are stored always inside RCDATA section.
Thanks to EP_X0FF for help on the technical part.
UAC demo tool
In October last year, I stumbled across a small tool which obviously was created to advertise an UAC bypass method. At first glance, the method looked similar to the one used by H1N1 loader released at the beginning of 2015. Also, the compilation timestamp dated 20. August 2015 which indicated the tool was maybe created by the author of H1N1 loader. But after a closer look at the code it turned out it’s not exactly the same technique.
After the discovery of the new ZeroAccess botnet (v3) at the beginning of this year, also a sample of this bot was found which dated back to December 2014. After analyzing the sample, we can say for sure that the UAC demo tool is based on the ZeroAccess source code or was coded by its author. The code and the payload dll are identical, only the compilation timestamp of the payload differs.
But for whom was this demo tool created? Was it sold in an underground forum or shared in private? A few days ago, I have found a variant of Cryptodefense which dates back to 26. October 2015 according to the compilation timestamp. This sample uses the exact same method advertised in the demo tool, even the payload dll has the same compilation timestamp. Although, it is possible that the creator of the demo tool itself is the person behind this Cryptodefense variant, it seems very unlikely. The code of this Cryptodefense malware is different and by far not as advanced as any of the ZeroAccess tools.
UAC demo tool: https://www.virustotal.com/en/file/1597 ... /analysis/
Cryptodefense variant: https://www.virustotal.com/en/file/3c36 ... /analysis/
Custom LPE exploit (CVE-2015-1701)
This a test tool which exploits a vulnerability in win32k.sys kernel driver known as CVE-2015-1701 to gain system privileges. Probably, the author was inspired by the reverse engineered open source code from EP_X0FF. We can see the typical ZeroAccess way to alter the execution flow by registering an vectored exception handler and setting a hardware breakpoint on a specific function. When this function is then called, the exception handler jumps in and continues the execution. In the case of this exploit a hardware breakpoint is set on KiUserExceptionDispatcher which afterwards is internally called by CreateWindowEx function.
What is also important in association with the other tools is the PDB path left in the executable:
“d:\ZZZ\release\ui.pdb”
Custom LPE exploit (CVE-2015-1701): https://www.virustotal.com/en/file/1f8c ... /analysis/
ZeroAccess test dropper
This is an early version of the encrypted PNG dropper used to spread ZeroAccess v3. The difference between this early and the final version of the dropper is that it does not use XOR encryption and the file inside is only a test dll that poses as legit Windows file mshtmlmedia.dll. The test dll uses the same method as the final ZeroAccess v3 malware to load itself as legit Windows file comres.dll and calls its entry point.
What is also important in association with the other tools is the PDB path left in the test dll:
“d:\ZZZ\release\mshtmlmedia.pdb”
ZeroAccess test dropper: https://www.virustotal.com/en/file/9e98 ... c4fd23a04/
Injection test tool
This is a cross-platform (x86/x64) injection test tool realized as an x86 executable. It has two dlls stored inside the RCDATA section, one for each platform. The respective dll gets injected into the notepad.exe process which has to be started before. The injection of the x64 dll from the x86 process on a x64 Windows (Wow64) is done via the so called Heaven’s Gate. The injection process is done via obfuscated API calls that map the sections manually into the target and then doing the loader job. This type of injection is one of the more stealthy variants, since the injected dll does not appear in the loaded library lists.
Injection test tool: https://www.virustotal.com/en/file/9f36 ... a328779da/
Password encrypted file
This is kind of a self-extracting executable which contains the encrypted content inside the PE resource section, but without any compression. After the executable gets started a dialog box appears and a password has to be entered. Internally, a MD5 hash of the password is created which then gets used as the decryption key for the stream cipher known as Rabbit. Unfortunately, what is inside the file remains unknown, unless you know the correct password.
What is also important in association with the other tools are two Unicode strings inside the binary:
“This 32-bit app can not run on 64-bit Windows”
“Use 64-bit version!”
Password encrypted file: https://www.virustotal.com/en/file/c061 ... bb4f06e5c/
Dll list tool
This is a non-malicious tool with the purpose to list all processes along with their loaded dlls. I have found two samples of which one is self-signed with the name “max black”. Again, we can see the heavy use of native system functions with Zw* prefix and similar coding style as ZeroAccess malware.
What is also important in association with the other tools are two Unicode strings inside the binary:
“32-bit DllList can not run on 64-bit Windows”
“Use 64-bit version!”
Dll list tools: https://www.virustotal.com/en/file/7d3f ... 390315db1/
https://www.virustotal.com/en/file/d377 ... bb269e9a7/
That’s it! If you think you have found any other tools by this author, do not hesitate to post the file. Also, if you want to help us to find the password of the encrypted file, you are encouraged to do so. :)
Attachments
PW: infected
(158.42 KiB) Downloaded 131 times
(158.42 KiB) Downloaded 131 times
PW: infected
(1.24 MiB) Downloaded 117 times
(1.24 MiB) Downloaded 117 times
Malware Reversing
http://www.malware-reversing.com
http://www.malware-reversing.com