The SonicWall Capture Labs Threat Research team recently observed a new version of Gh0stNet backdoor spreading with the file less technique, which is using PowerShell script for initial execution. This version of Gh0stNet is using new commands for communication.
Upon execution the script spawns powershell.exe to perform malicious activities.
Fig1. Trojan uses owershell.exe to download and register itself as a startup item
Figure 1 shows the script will download a Base64 encoded data from a pastebin.com address. It then decodes and unzips the data to get the next level PowerShell script. The second stage PowerShell script is shown in the figure below:
Fig2. Base64 Encoded shellcode
After decoding the Base64 encoded shellcode, it calls “Inject-LocalShellcode” function to inject shellcode into the running instance of PowerShell as shown in the figure below:
Fig3. Powershell Shellcode injection
The injected shellcode contains code to unpack the embedded UPX packed file (without headers) and execute the unpacked code. Figure 4 below shows the UPX packed file that is present in the injected shellcode.
Fig4. Embedded UPX packed file
When the UPX unpacked code executes, it first decodes the Config string using a custom Base64 decoding key as shown below:
Fig5. Decrypting the config URL using a custom key
Visiting the URL shows a seemingly encoded information.
Fig6. Some encoded data shown on the page of the decoded URL
Figure 7 below shows that the malware searches for the marker “x=” in the response received from the URL post request. Once the marker is found, it decodes the string followed by marker to get the second stage Command and control server.
Fig7. Decoded response from the URL
After this the backdoor starts the communication with the command and control server by sending the following request:
Fig8.Scote_connection|hwid = [customid _from_created_cpuid]
It then creates a thread that will listen on the incoming commands from the command and control server.
The following are the commands sent from the remote server:
Below are the functionality details for each command:
- In response to this command the backdoor will collect the IP configuration information by executing “cmd.exe /C ipconfig” command. It will then encrypt it with using a Base64 custom key and send it to the C&C server using the format: “command=scote_info_ipconfig|buffer=[Encrypted IP Config].”
- The figure below shows that response packet.
Fig9.Sample response to scote_info_ipconfig command
- In response to this command the backdoor will collect the system information by excuting “cmd.exe /C systeminfo” command. It will then encrypt it with using a Base64 custom key and send it to the C&C server using the format: “command=scote_info_systeminfo|buffer=[Encrypted System Info].”
- The figure below shows that response packet:
Fig10.Sample response to scote_info_systeminfo command
- The backdoor will terminate after receiving this command.
- After receiving this command the backdoor will inject the code in “svchost.exe” and “explorer.exe” and will terminate itself. Before code injection, the backdoor installs a hook for “ntdll. ZwDelayExecution” to evade analysis and perform code injection through the hooked function as shown below:
Fig11.Code injection through another hooked function
SonicWALL Capture Labs provides protection against this threat with the following signature:
- GAV: Ghostnet.A (Trojan)