Phobos Ransomware found to be using DLL Side Loading

 In one of our recent IR case, we found Phobos ransomware being executed using DLL sideloading technique. The threat actors (TA) used a legitimate signed binary WiseTurbo.exe from Lespeed Technology Co., Ltd to perform sideloading of NlogExt.dll. WiseTurbo.exe imports sqlite3.dll, the TA modified the sqlite3.dll’s import table to include an entry for NlogExt.dll with single export function NlogGetInterface.

Thus the initial installer when executed, unpacks all the files onto %TEMP%\Tech tool store\, and executes WiseTurbo.exe, thus loading sqlite3.dll which in turn loads NlogExt.dll in memory and executes the DLLMain. NlogExt.dll on loading, reads the file “CM” which is present in the same directory and contains a shellcode, onto memory. The shellcode eventually leads to the decoding of a PE file in memory and transfers the execution to its Entry point. The PE file allocates a new heap area and unpacks the final Phobos ransomware in memory and executes it. Detailed analysis is given below. Analysis MD5: AAA058858261D7C0E73FA1B8264A9A3D (setup.exe) Setup.exe (file recovered from the victim machine) is an installer file, which on execution, unpacks all the files into %TEMP%\Tech tool store\ along with shellcode file “CM”, modified sqlite3.dll, NlogExt.dll and Wiseturbo.exe which is the signed binary from Lespeed Technology Co., Ltd., along with other files which are clean. Figure 1: Files dropped on executing setup.exe The image below shows the difference between modified and original sqlite3.dll. The TA have modified the import section to load NlogExt.dll. Figure 2: Import table diff between original and modified sqlite3.dll Once all the files have been unpacked, wiseturbo.exe is executed. Since wiseturbo.exe imports from sqlite3.dll it loads it from the unpacked directory, further now that modified sqlite3.dll is loaded, it loads the DLL NlogExt.dll in memory, thus executing the DLLMain of NlogExt.dll. Figure 3: NlogExt.dll observed loading after sqlite3.dll in Procmon In the DLLMain, a new thread is created to execute the export function NlogGetInterface, it reads the file “CM” from the current directory and maps it into memory. The ‘CM’ file contains a shellcode and an encrypted PE file. The base at which the dll is mapped is saved at offset 0x4b08b from the start of mapped memory. Next it creates a new heap memory to copy just the shellcode which is present at offset 0x4a697 of size 0xA3C bytes. The execution is transferred to shellcode by abusing the windows callback feature, the malware calls EnumWindowsStationsW with a pointer to shellcode as first argument. Figure 4: Executing shellcode using callback function The shellcode copies an encoded PE from the CM File from offset 0x4be9c and decodes it in memory, which is the Phobos crypter. Figure 5: Phobos crypter PE decoded in memory Once the PE file is decoded, the shellcode maps it section by section into the memory and transfers the execution to its Entrypoint. Figure 6: Execution transfer from shellcode to decode PE Once the execution is transferred to the Phobos crypter, we can dump the final payload by setting a breakpoint on VirtualAlloc and VirtualProtect. As shown in Figure 7, there are 3 calls made to decrypt the final PE file completely into our memory, Memory protection constants are modified accordingly and execution is transferred to the final Phobos Ransomware. The encrypted files were tagged with the extension ‘.devos’. Figure 7: Crypter decrypting Phobos ransomware in memory We at K7 Labs provide detection against latest threats and also for this Phobos Ransomware. Users are advised to use a reliable security product such as “K7 Total Security” and keep it up-to-date so as to safeguard their devices. IoCs File Name Hash Detection Name Installer (setup.exe) AAA058858261D7C0E73FA1B8264A9A3D Riskware ( 00584baa1 ) Shellcode Loader (NlogExt.dll) 1A75878DEA8F5580C25E0B9F1C734949 Trojan ( 0059e68e1 ) Phobos Crypter 25674F5426C59051960F0D00F06F0B77 Riskware ( 0040eff71 ) Phobos Ransomware 9DE437C0A1F9E633186F5F631D32AF8A Trojan ( 0001140e1 )

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

Comments

Post a Comment

Popular posts from this blog

AMOS (MacOS Stealer)

  In the last week of April 2023, it was reported on twitter , that through a telegram channel a new malware was being offered as “Atomic MacOS Stealer”. Many samples of this malware were found on the internet. Figure 1 – Atomic MacOS Stealer Most of these samples were masquerading as an installer of various applications like Tor browser, Photoshop CC, Notion, FL studio. Figure 2 – Amos DMGfiles masquerading as different applications These are delivered as a DMGfile(Disk Image) which is the common format for software distribution & installation packages on macOS. We identified the Tor browser DMG file for the analysis. When we execute the DMG file it gets mounted and we can see the resulting window advises the user to execute the application by right clicking. Figure 3 – Tor Browser These fake applications are created by using Appify , which is used to create applications just by having the executable alone. The icons can be customised. That’s why these applications are in dif...
Read more

CVE-2023-21716: A new Office Exploit

Image
 In Feb-2023, Microsoft (MS) patched a vulnerability in Microsoft Word which, if successfully exploited, could allow an attacker to execute remote code without authentication on victims’ machines. This vulnerability has been assigned CVE-2023–21716 and has a CVSS score of 9.8, making it a critical issue. This vulnerability impacted MS word and the Outlook Preview Pane as well. Microsoft along with the patch released a work around for the vulnerability but did not release details about the vulnerability. While we were analysing to identify what was patched, on 06-March, the researcher who reported the bug released a PoC on Twitter . In this blog, we will be taking a look at some internals of CVE-2023–21716. So far there is no evidence to suggest exploitation of this vulnerability in the wild. Rich Text Format (RTF) is a document file format published by Microsoft. It uses control words to define various sections and properties of the document. CVE-2023–21716 exists in the way MS Wo...
Read more

MuddyWater Back with DarkBit

  Recently, we came across a tweet about DarkBit ransomware. An Iranian APT group, named MuddyWater, is reportedly behind the DarkBit ransomware. In this blog we will explore the ransomware’s initial access method, the use of Cobalt Strike and the final ransomware payload. Initial Access Method The initial lure was delivered as an ISO file. Figure 1 – ISOFile The payload included a shortcut file (with a .doc extension) and a zip file. Figure 2 – Contents Inside ISO File The shortcut was using PrintBrm.exe to unpack the HR-Update.zip and run it as shown below. PrintBrm.exe is a windows inbuilt command line tool . Figure 3 – Shortcut File cmd.exe /c xcopy .\HR-Update.zip %TEMP% /h /y && PrintBrm.exe -r -f %TEMP%\HR-Update.zip -d %TEMP%\unzip & %TEMP%\unzip\HR-Update.exe Figure 4 – HR-Update.exe Running HR-Update.exe was a Cobalt Strike beacon. Cobalt Strike, a penetration testing tool, can also be used by attackers for gaining a foothold in the system. The final ran...
Read more