Novel malicious code evasion method for AI/ML-based detection
The SonicWall Capture Labs Threat Research team has observed Remcos RAT (Remote Access Trojan) being distributed by adding malicious code to existing open-source software. This appears to be an attempt to evade security products based on Machine Learning / Artificial Intelligence, since most of the compiled machine code is identical to that of the clean application. The malicious code also has anti-sandboxing and anti-emulation features, which further help it evade security products.
Binary Comparison with clean application
In the malware sample we analyzed, the legitimate code was taken from TightVNC, free and open-source remote desktop software that lets you access and control a computer over the network. The source is available on the project's downloads page. The image below compares the analyzed sample against a clean TightVNC viewer (2.8.81) application and shows that approximately 90% of the code is shared between the two files.
Fig1: Binary comparison of the sample with the clean binary (TightVNC viewer.exe)
Malicious code Analysis
On analyzing the malware sample's binary code, we observed that a malicious function, which loads the required DLLs (kernel32.dll, wininet.dll, etc.) to download additional payloads, was added to the legitimate source code before compilation. The malicious code is placed so that it always executes, and it exits with an error message if any of its checks fail (filename not matching, download failing, etc.).
Fig2: Left side is the original clean code and right side is the decompiled code from the malware
The image below shows that the malicious function exists only in the sample.
Fig3: Showing that the malicious code has no matching function in the clean binary
Infection Cycle
The malware code is obfuscated, and it uses anti-emulation and anti-sandbox techniques to evade detection in a controlled environment. When executed in such an environment, the malware terminates by displaying an error message:
Fig4: Code displays error message in controlled environment
Anti-Sandboxing feature
The malware retrieves its own executable file name and calculates a checksum by summing the ASCII value of each character in the filename. If the checksum is either 0x7AE or 0x718, the malware continues execution; otherwise it terminates. The filename corresponding to checksum 0x7AE is “patchSvc_beta_v2.exe”, and the filename length must be 0x14. For checksum 0x718 the filename length must be 0x12. Below is the code that calculates the checksum and filename length:
Fig5: Code calculates and compares checksum of its own executable
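As an added example (not the sample's or SonicWall's code), the filename gate described above re-implemented in Python, so an analyst can verify a candidate filename or derive one that satisfies the second gate (0x718 / length 0x12), whose filename the write-up does not give. The lowercase-only construction and the `.exe` suffix are assumptions made here.

```python
"""Re-implementation of the sample's filename gate (added example, not the
sample's own code). An analyst can use it to rename the sample so that it
gets past its own anti-sandbox check when detonated in a lab."""

# Gates observed in the sample: checksum -> required filename length
GATES = {0x7AE: 0x14, 0x718: 0x12}


def filename_checksum(name: str) -> int:
    """Sum of the ASCII value of every character in the filename."""
    return sum(name.encode("ascii"))


def passes_gate(name: str) -> bool:
    """True if the name matches one of the two (checksum, length) pairs."""
    return GATES.get(filename_checksum(name)) == len(name)


def name_for_gate(checksum: int, length: int, suffix: str = ".exe") -> str:
    """Build a lowercase filename of the given length whose checksum hits the target.

    Constructive rather than brute force: fill the body with 'a' and push the
    surplus into the leading characters, at most 25 per character ('a' -> 'z').
    Assumption: lowercase letters plus the suffix are acceptable to the gate.
    Raises ValueError if no such lowercase name can reach the target.
    """
    body_len = length - len(suffix)
    target = checksum - filename_checksum(suffix)
    if body_len <= 0 or not (body_len * ord("a") <= target <= body_len * ord("z")):
        raise ValueError("no lowercase filename of that length has this checksum")
    surplus = target - body_len * ord("a")
    body = []
    for _ in range(body_len):
        step = min(25, surplus)
        body.append(chr(ord("a") + step))
        surplus -= step
    return "".join(body) + suffix


if __name__ == "__main__":
    # The filename from the write-up satisfies the first gate.
    print(passes_gate("patchSvc_beta_v2.exe"))  # True
    # Derive a constructed name for each gate and confirm it passes.
    for gate_sum, gate_len in GATES.items():
        candidate = name_for_gate(gate_sum, gate_len)
        print(f"{candidate!r}: checksum=0x{filename_checksum(candidate):X} "
              f"len=0x{len(candidate):X} passes={passes_gate(candidate)}")
```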
Anti-Emulation feature
The malware downloads a PNG image file from the Uniform Resource Locator (URL) h[t][t]ps://www.pleumeurbodou.com/squelettes/img/port.png, setting the User-Agent of the web request to “spirochete”:
Fig6: Code downloads a PNG image from a URL
The first 0x20 bytes of the downloaded PNG image file are used to decrypt the API name “InitOnceExecuteOnce”. The malware resolves the address of “InitOnceExecuteOnce” using GetProcAddress and invokes it, passing the malware's next executable stage as the argument. Because the API name is decrypted at run time from the downloaded image bytes, this acts as an anti-emulation / anti-analysis feature whenever the URL is unreachable or is not serving any data.
Fig7: Code decrypts an API name using downloaded data
Next, the malware resolves the address of and invokes the “VirtualProtect” API in the same manner it used for “InitOnceExecuteOnce”. It changes the memory protection to PAGE_EXECUTE_READWRITE, decrypts the next-layer code using a hardcoded key, and then changes the protection back to PAGE_EXECUTE_READ before transferring control to the decrypted code:
Fig8: Code decrypts next layer malicious code
Next, the malware drops ASUS software component files into “%APPDATA%\TaskWordpad_test” along with the malicious DLL file “AsIO.dll”. The malware executes “atkexComSvc.exe”, which loads the malicious “AsIO.dll”; this in turn executes Remcos and injects it into explorer.exe:
Fig9: Code creates a process for a dropped file
Fig10: Process execution sequence
Remcos is a well-known Remote Access Trojan (RAT) that collects various information from the victim's machine, including the executable's name, computer name, Windows version, RAM information and keystroke logs. The malware stores the Remcos data in the registry entry “HCU\Software\Rmc-OPX7KW”. Please refer here for a detailed analysis of Remcos RAT.
Fig11: Remcos data stored in the registry entry
The malware stores the keylogging information in the file “C:\ProgramData\remcos\logs.dat” and sends the stolen data to the C&C server “retghrtgwtrgtg.bounceme.net”:
Fig12: File stores keystroke information
Detection by Security Products
In the first few days after the sample was submitted to VirusTotal, there were virtually no detections, and coverage improved only slowly over time. This shows that malware can evade ML/AI-based security products during the initial days of propagation by hiding inside legitimate application code.
Fig13: Detections on VirusTotal over time
This threat is detected by SonicWALL Capture ATP with RTDMI.
IOCs
SHA256:
- 6e07b6ef7a182f367f596cbe4baa148336fa7e7592166ce51e483db81221e220
Network Connections:
- h[t][t]ps://www.pleumeurbodou.com/squelettes/img/port.png
- h[t][t]ps://i.imgur.com/vUptouc.png
- retghrtgwtrgtg.bounceme.net
User Agent:
- spirochete