DropperXSW.A: Registry only malware (April 23rd, 2015)

The Dell SonicWALL Research team received an interesting malware sample. After the initial install the malware has no disk presence and uses a unique method to stay resident on the system using only registry keys. Along with its ability to hide the malicious registry keys, this malware is highly resistant to antivirus detection.

On execution the malware unpacks itself in memory, creates a registry key and copies its binary image into a value of that key.

The malware then copies its image into another process's address space and executes from there; this technique is called Process Hollowing or Dynamic Forking. In order to do this, it starts svchost.exe in suspended mode.

After this it directly calls SYSENTER with the appropriate system call number to avoid monitoring by security software. The sequence of system calls followed to achieve Process Hollowing:

  • 0x32 – NtCreateSection
  • 0x6C – NtMapViewOfSection
  • 0x10B – NtUnmapViewOfSection
  • 0x19 – NtReleaseKeyedEvent
  • 0x55 – NtGetContextThread
  • 0xD5 – NtSetContextThread
  • 0xCE – NtResumeProcess
  • 0x101 – NtTerminateProcess

Now running in the process space of svchost.exe, it deletes the original installer. It sets inline hooks on the APIs listed below in order to conceal its presence on the machine:

  • NtEnumerateKey
  • NtQuerySystemInformation
  • NtEnumerateValueKey
  • RtlPcToFileHeader

AutoStart registry key created by the malware to stay resident:

    Run Entry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

This key contains a script that reads another registry key created by the malware, using the following code: ('WScript.Shell').RegRead('HKCU\Software\xsw\loader'))

    HKEY_CURRENT_USER\Software\xsw

    This key contains two values:

      BinaryImage32 : Contains the malware file
      Loader : Contains 3 components

      • Base64 encoded clean copies of the files mshta.exe and dynwrapx.dll
      • Base64 encoded manifests for both files
      • Shellcode which is responsible for reading the contents of BinaryImage32, invoking svchost.exe in suspended mode, copying the bytes into its memory and running it from there (Process Hollowing).
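As an added defender-side example (not code from the original analysis), the following Python parses a constructed .reg-style export and flags the two indicators described above: a Run entry that pulls its payload from the registry via WScript.Shell RegRead, and registry values that hold a PE image either raw or base64-encoded. The sample export, its value names and the benign OneDrive entry are constructed for this example.

```python
import base64
import re
# Constructed .reg-style export (not from the original page) modelling the persistence
# described above: a Run entry that reads its payload via RegRead, and a key holding a PE image.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"xsw"="mshta javascript:(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\xsw\\\\loader'))"
[HKEY_CURRENT_USER\Software\xsw]
"BinaryImage32"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,b8,00,\
  00,00,00,00,00,00
"Loader"="TVqQAAMAAAAEAAAA//8AALgAAAAAAAAA"
'''

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: bytes | str}}."""
    text = re.sub(r'\\\r?\n\s*', '', text)  # join hex: continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, data = line[1:].split('"=', 1)
            if data.startswith('hex:'):  # REG_BINARY
                keys[current][name] = bytes.fromhex(data[4:].replace(',', ''))
            elif data.startswith('"') and data.endswith('"'):  # REG_SZ (dword: etc. skipped)
                keys[current][name] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return keys

def embeds_pe(data):
    """True if data is a PE image, or a string containing a base64 run that decodes to one."""
    if isinstance(data, bytes):
        return data.startswith(b'MZ')
    for tok in re.findall(r'[A-Za-z0-9+/]{32,}', data):
        if base64.b64decode(tok[:len(tok) - len(tok) % 4]).startswith(b'MZ'):
            return True
    return False

def find_registry_persistence(reg_text):
    """Return (key, value_name, reason) for each indicator found in the export."""
    hits = []
    for key, values in parse_reg(reg_text).items():
        for name, data in values.items():
            if key.lower().endswith(r'\currentversion\run') and isinstance(data, str) \
                    and re.search(r'WScript\.Shell|RegRead\(', data):
                hits.append((key, name, 'Run entry pulls its payload from the registry'))
            if embeds_pe(data):
                hits.append((key, name, 'PE image stored in a registry value'))
    return hits
```

Running `find_registry_persistence(SAMPLE_REG)` flags the xsw Run entry and both values under HKCU\Software\xsw while leaving the benign entry alone; on a live system the same checks can be run over an export made with `reg export` from a process the malware has not hooked.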

The malware also adds itself to the compatible applications list of Terminal Server:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\RUNDLL32 (Flags 408)

It makes DNS queries for:

  • terracematch.org
  • versatilegreenwood.net

Connects to the site:

  • 95.143.198.50

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • DropperXSW.A (Trojan)