Bublik, CyberGate, and Game of Thrones
The Dell SonicWall Threats Research Team recently encountered a family of .NET malware that eventually drops a CyberGate remote access trojan. While it is unclear what the initial vector of infection is, it appears that the malware attempts to pass itself off as an Adobe installer, and even goes so far as to drop and execute a legitimate copy of the Adobe Bootstrapper. This seems like an effective decoy because the Bootstrapper will always encounter an error due to missing installation files before directing the user to the official Adobe site for a support download.
Indicators of Compromise
In this instance, the malware has the hardcoded ID of 04W47BG81GO688, so multiple mutexes and file paths include this string as seen below.
Mutex Indicators
- Creates mutex: \Sessions\1\BaseNamedObjects\04W47BG81GO688
- Creates mutex: \Sessions\1\BaseNamedObjects\04W47BG81GO688[USERNAME]15
- Creates mutex: \Sessions\1\BaseNamedObjects\xXx_key_xXx
- Creates mutex: \Sessions\1\BaseNamedObjects\04W47BG81GO688_SAIR
- Creates mutex: \Sessions\1\BaseNamedObjects\04W47BG81GO688_RESTART
File Indicators
- Creates: %APPDATA%\Local\Temp\pMfL.exe
- Creates: %APPDATA%\Local\Temp\BISy.exe
- Creates: %APPDATA%\winini.exe
- Creates: %APPDATA%\Local\Temp\PDApp.log
- Creates: %APPDATA%\Local\Temp\cvtres.exe
- Creates: %APPDATA%\Roaming\945109AB
- Creates: %APPDATA%\Roaming\945109AB\ak.tmp
- Creates: %APPDATA%\Roaming\[USERNAME]-wchelper.dll
- Creates: %APPDATA%\Local\Temp\[USERNAME]7
- Creates: %APPDATA%\Local\Temp\[USERNAME]8
- Creates: C:\Windows\Update\vbc.exe
- Creates: %APPDATA%\Local\Temp\[USERNAME]2.txt
Registry Indicators
- Creates key: HKLM\software\microsoft\active setup\installed components\{odks44qa-12l5-c1lw-tgc7-2430ij2b12a6}\StubPath
Network Indicators
- DNS query: laki.no-ip.org
- DNS response: laki.no-ip.org ⇒ 176.14.66.219
- Connects to: 176.14.66.219:3333
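As an added example that is not part of the SonicWall report, the indicators above turned into a small Python host-event matcher a responder could run over exported telemetry; the `<kind> <value>` event format, the constructed sample lines, and the wildcard handling for `[USERNAME]` and `%APPDATA%` are assumptions of this example.

```python
import re

# Indicators transcribed from the report above. [USERNAME] is a per-host placeholder
# and %APPDATA% is expanded on the victim, so both are treated as wildcards.
BOT_ID = "04W47BG81GO688"
INDICATORS = {
    "mutex": [
        r"\Sessions\1\BaseNamedObjects\04W47BG81GO688",
        r"\Sessions\1\BaseNamedObjects\04W47BG81GO688[USERNAME]15",
        r"\Sessions\1\BaseNamedObjects\xXx_key_xXx",
        r"\Sessions\1\BaseNamedObjects\04W47BG81GO688_SAIR",
        r"\Sessions\1\BaseNamedObjects\04W47BG81GO688_RESTART",
    ],
    "file": [r"%APPDATA%\winini.exe", r"%APPDATA%\Roaming\[USERNAME]-wchelper.dll"],
    "registry": [r"HKLM\software\microsoft\active setup\installed components"
                 r"\{odks44qa-12l5-c1lw-tgc7-2430ij2b12a6}\StubPath"],
    "dns": ["laki.no-ip.org"],
    "connect": ["176.14.66.219:3333"],
}

def ioc_to_regex(ioc):
    """Turn one literal indicator into a case-insensitive full-match regex."""
    pattern = re.escape(ioc)
    pattern = pattern.replace(re.escape("[USERNAME]"), r"[^\\]+")  # one path component
    pattern = pattern.replace(re.escape("%APPDATA%"), r".+")  # any expanded prefix
    return re.compile(pattern, re.IGNORECASE)

COMPILED = {kind: [ioc_to_regex(i) for i in iocs] for kind, iocs in INDICATORS.items()}

def scan_events(lines):
    """Match '<kind> <value>' host-event lines (an assumed format) against the table.
    A mutex embedding the bot ID is flagged even if its exact suffix is not listed."""
    hits = []
    for line in lines:
        kind, _, value = line.strip().partition(" ")
        listed = any(p.fullmatch(value) for p in COMPILED.get(kind, []))
        if listed or (kind == "mutex" and BOT_ID in value):
            hits.append((kind, value))
    return hits

# Constructed sample events (not real telemetry), mixing hits with benign lines.
SAMPLE_EVENTS = [
    r"mutex \Sessions\1\BaseNamedObjects\04W47BG81GO688alice15",
    r"mutex \Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex",
    r"file C:\Users\alice\AppData\Roaming\alice-wchelper.dll",
    r"registry HKLM\software\microsoft\active setup\installed components\{odks44qa-12l5-c1lw-tgc7-2430ij2b12a6}\StubPath",
    "dns laki.no-ip.org",
    "dns www.adobe.com",
    "connect 176.14.66.219:3333",
]
```

Mapping a Sysmon or EDR export onto the same kind/value shape is all that is needed to run it against real host data.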
Infection Cycle
.NET Stage Analysis
The .NET stage of the malware has two sub-stages and the malicious payloads come in two flavors that we will refer to as dropper and infector modules.
The dropper modules use some obfuscation techniques that, while simple, caught our attention due in part to the Game of Thrones references used to hold the payloads for later stages. Game of Thrones names and the acronym “GOT” are used as resource names to store the files, and searches show that this family has been using the same Game of Thrones concealment technique for some time.
The infector module is the same across both .NET sub-stages and provides several functions to infect a target machine as well as some stealth capabilities. Among the functions shown above are BotKill(), which erases all traces of the malware from a machine (and may delete some unexpected files as well), and Fap(), which performs process injection and PEB patching and is responsible for the dummy files created on disk.
One slightly more sophisticated technique that seems to be used throughout the stages of this infection is the writing of dummy files to disk. The .NET stage's implementation of this technique is prone to errors in environments where certain versions of the .NET Framework are not available, though this behavior could be a side effect of targeting a particular platform. While the malware does write a file to disk for each of the payloads, it uses cvtres.exe from the .NET Framework to create fake files for all but the primary payload of the next stage; the rest of the files are unpacked and executed in memory.
Delphi Stage Analysis
Relative to the .NET binaries encountered, the Delphi stage contains a great deal of complexity. The authors of CyberGate make a number of attempts to stymie analysis with anti-debugging techniques and checks for a variety of sandbox and analysis environments as seen below.
CyberGate is a full-featured trojan providing remote access and information-stealing capabilities, hunting for passwords saved in browsers, chat services, and various network applications.
Although we did not see much in the way of network communication from this infection cycle, the CyberGate component does call out to laki.no-ip.org on port 3333. The only response seen during execution is shown below.
Summary
Overall, the purpose of this malware is to gain a persistent infection on a target machine, while gathering any available user credentials from web browsers or other communications software. Dell SonicWall Gateway Anti-Virus provides protection against this threat with the following signatures:
- GAV: Rogue.KDZ_4
- GAV: Bublik.GOT
- GAV: Bublik.RUN
- GAV: Spatet.T_8
- GAV: Avenger.gen
- GAV: CyberGate.A_2