New Golang Trojan Installs Certificate for Comms Evasion


Overview

This week, the Sonicwall Capture Labs threat research team analyzed a new Golang malware sample. It uses multiple geographic checks and publicly available packages to screenshot the system before installing a root certificate to the Windows registry for HTTPS communications to the C2. There is currently no malware family affiliated, but the IP and URL addresses have been used by AgentTesla, GuLoader, PureLog Stealer and others.

Technical Analysis

The sample is detected as a 64-bit Golang executable carrying a WinAuth certificate. The PE timestamp has been tampered with: it shows a creation date of December 31, 1969, which is what a zero or near-zero timestamp looks like when rendered in a time zone west of UTC (the Unix epoch is January 1, 1970 UTC).

Figure 1: Sample detection with Detect It Easy

The certificate listed is issued from ‘RUNNINGWITHSCISSORS LTD’ but does not have an issuer signatory.

Figure 2: There is no signer, email or creation date with this certificate

Looking at the sample, one section, .symtab, is non-standard: it is associated with ELF/Linux files and should not appear in a Windows executable.

Figure 3: This is a Linux file-type section and would not be accessed by normal means

Because of the way Golang compiles binaries, the gopclntab (Go's PC-to-line table) had to be reconstructed in order to see the inner workings of the file.


Figure 4: Malware functions in cleartext

Once done, several items stand out. The newly renamed functions list the primary methods of . The strings show a pattern that appears to be used to send system information to the attacker; this is confirmed later. The pattern contains fields for a system UUID, remote IP, username, hostname, Windows version, process ID, process name and architecture.

Figure 5: There is an ASCII pattern for information that may be sent to the attacker

Next, the packages reveal that the author is using public GitHub applications from the following repositories to generate and save screenshots:

Figure 6: These GitHub packages are public and are not malicious on their own

During runtime, the malware will start by querying main system information using process injection via VirtualAlloc and running WMIC. The following two commands are run first:

  • ‘SELECT UUID FROM Win32_ComputerSystemProduct’
  • C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Next, these registry keys are queried for the Windows version and hostname:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters

When attempting to control/open WMIC, the sample looked in the following locations, as well as trying to find a file with an unusual name:

  • C:\Users\user\Desktop
  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\
  • C:\Windows
  • C:\Windows\system32
  • C:\Windows\Wbem\

Figure 7: Sample of locations WMIC is searched for along with an unusual file

Once WMIC has been launched, both the main executable and WMIC will load, or attempt to load, the following DLLs:

Apphelp.dll
Cryptbase.dll
Winmm.dll
Powrprof.dll
Umpdc.dll
Userenv.dll
Profapi.dll
Netapi32.dll
Wkscli.dll
Netutils.dll
Samcli.dll
Samlib.dll
Iphlpapi.dll
Dhcpcsvc6.dll
Dhcpcsvc.dll
Dnsapi.dll
Mswsock.dll
Rasadhlp.dll
Fwpuclnt.dll
Msasn1.dll
Cryptsp.dll
Rsaenh.dll
Gpapi.dll
Framedynos.dll
Sspicli.dll
Kernel.appcore.dll
Wbemcomm.dll
Msxml6.dll
Urlmon.dll
Iertutil.dll
Srvcli.dll
Uxtheme.dll
Vcruntime140.dll
Vcruntime140_1.dll
Amsi.dll
Vbscript.dll
sxs.dll

The majority of these were not used during testing, which suggests they may be needed only after initial contact with the C2, for further data collection or additional malware utilities.

Figure 8: Sample listing of DLLs searched for by the trojan

When the sample reaches out on the network, it attempts to get an IP using ‘ip-api.com/json’ and to make initial contact with the C2 at ‘https://daily-mashriq[.]org/goyxdrkhjilchyigflztv’ using a ping.

Once those steps are complete, the malware installs a new root certificate by overwriting the data in the following registry key (the subkey name is the certificate's SHA-1 thumbprint), using ‘CertGetCertificateChain’:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8
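
A host-side detection for the two behaviours described above (the WMIC UUID query and the write to a thumbprint subkey of the machine ROOT certificate store), written as an added example that is not part of the SonicWall report or the malware. It runs over constructed Sysmon-style event records: the event field names, the process names and the TRUSTED_CERT_WRITERS allow-list are assumptions to adapt to your own pipeline; the thumbprint subkey is the one named in the report.

```python
import re

# Constructed Sysmon-style event records (not real telemetry). The field names
# and process paths are assumptions; map them to your own schema.
SAMPLE_EVENTS = [
    {"type": "wmi_query", "pid": 4120, "image": r"C:\Users\user\Desktop\sample.exe",
     "query": "SELECT UUID FROM Win32_ComputerSystemProduct"},
    {"type": "wmi_query", "pid": 2200, "image": r"C:\Program Files\Inventory\agent.exe",
     "query": "SELECT Name FROM Win32_Process"},
    {"type": "registry_set", "pid": 4120, "image": r"C:\Users\user\Desktop\sample.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates"
               r"\3F728A35DE52B2C8994A4FB101A03B95E87B06C8\Blob"},
    # Legitimate certificate tooling writing a placeholder thumbprint: not flagged.
    {"type": "registry_set", "pid": 880, "image": r"C:\Windows\System32\certutil.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates"
               r"\0000000000000000000000000000000000000000\Blob"},
    # Unrelated registry write by the same process: not flagged.
    {"type": "registry_set", "pid": 4120, "image": r"C:\Users\user\Desktop\sample.exe",
     "target": r"HKCU\Software\Sample\Settings"},
]

# Subkeys under the machine ROOT store are named by the certificate's SHA-1 thumbprint
# (40 hex digits); the DER certificate itself lives in the "Blob" value beneath it.
ROOT_CERT_KEY_RE = re.compile(
    r"^(?:HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\Microsoft\\SystemCertificates"
    r"\\ROOT\\Certificates\\([0-9A-Fa-f]{40})(?:\\Blob)?$"
)
UUID_QUERY_RE = re.compile(
    r"\bSELECT\s+UUID\s+FROM\s+Win32_ComputerSystemProduct\b", re.IGNORECASE
)
# Processes allowed to modify the machine ROOT store (assumption: tune per environment).
TRUSTED_CERT_WRITERS = {"certutil.exe", "mmc.exe", "msiexec.exe", "svchost.exe"}


def _basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return findings in event order, followed by per-process correlations."""
    findings = []
    fingerprint_pids, cert_pids = set(), set()
    for ev in events:
        proc = _basename(ev["image"])
        if ev["type"] == "wmi_query" and UUID_QUERY_RE.search(ev["query"]):
            # Machine fingerprinting: common in legitimate software too, so low severity on its own.
            fingerprint_pids.add(ev["pid"])
            findings.append({"rule": "wmi_uuid_fingerprint", "severity": "low",
                             "pid": ev["pid"], "process": proc})
        elif ev["type"] == "registry_set":
            m = ROOT_CERT_KEY_RE.match(ev["target"])
            if m and proc not in TRUSTED_CERT_WRITERS:
                # A root certificate added by an untrusted process enables TLS interception/evasion.
                cert_pids.add(ev["pid"])
                findings.append({"rule": "untrusted_root_cert_write", "severity": "high",
                                 "pid": ev["pid"], "process": proc,
                                 "thumbprint": m.group(1).upper()})
    # The same process fingerprinting the host and then planting a root certificate
    # is the sequence reported for this sample; escalate it.
    for pid in sorted(fingerprint_pids & cert_pids):
        findings.append({"rule": "fingerprint_then_root_cert", "severity": "critical", "pid": pid})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The allow-list is deliberately small; in practice the high-severity rule is better paired with a baseline of the thumbprints already present under the ROOT store, so that any new subkey is reviewed regardless of which process wrote it.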

Figure 9: Previous data being overwritten by the new certificate

Although the main functions go into detail about screenshots, there are also API calls in memory for tracking other Windows events. These are monitored with SetWindowsHookExW and TrackMouseEvent. Screenshots are created using the GitHub packages previously mentioned.

Figures 10, 11: Code showing that the ‘kbinani’ package takes the screenshot, then ‘fogleman’ saves it.

A network connection to ‘daily-mashriq[.]org’ is attempted, carrying the previously identified pattern with its contents encoded with ChaCha20 and sent with the User-Agent “AGCYRNRWWWFZZSWWFWDYDCVDN”:

Figure 12: Encoded information sent to the C2

However, after the initial message has attempted to POST, subsequent messages only include the UID and are sent every seven seconds.

Figure 13: Repeated POSTs only contain the UID
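
The check-in behaviour just described (a large first POST, then small UID-only POSTs every seven seconds with a fixed User-Agent) is detectable from proxy logs by timing alone. The following is an added example, not part of the SonicWall report: it groups constructed proxy log lines by client, URL and User-Agent and flags sessions whose inter-request gaps have almost no jitter, whose first request is larger than the identical follow-ups, or whose User-Agent is the one reported for this sample. The log line format and the client IPs are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not captured traffic). Assumed format:
# <ISO timestamp> <client ip> <method> <url> <status> "<user-agent>" <request bytes>
SAMPLE_LOG = """\
2024-03-04T10:00:00 10.0.0.5 POST https://daily-mashriq.org/goyxdrkhjilchyigflztv 200 "AGCYRNRWWWFZZSWWFWDYDCVDN" 312
2024-03-04T10:00:03 10.0.0.7 GET https://www.example.com/ 200 "Mozilla/5.0" 0
2024-03-04T10:00:07 10.0.0.5 POST https://daily-mashriq.org/goyxdrkhjilchyigflztv 200 "AGCYRNRWWWFZZSWWFWDYDCVDN" 36
2024-03-04T10:00:10 10.0.0.9 POST https://updates.example.net/check 200 "UpdaterClient/1.0" 64
2024-03-04T10:00:14 10.0.0.5 POST https://daily-mashriq.org/goyxdrkhjilchyigflztv 200 "AGCYRNRWWWFZZSWWFWDYDCVDN" 36
2024-03-04T10:00:19 10.0.0.7 GET https://www.example.com/news 200 "Mozilla/5.0" 0
2024-03-04T10:00:21 10.0.0.5 POST https://daily-mashriq.org/goyxdrkhjilchyigflztv 200 "AGCYRNRWWWFZZSWWFWDYDCVDN" 36
2024-03-04T10:00:28 10.0.0.5 POST https://daily-mashriq.org/goyxdrkhjilchyigflztv 200 "AGCYRNRWWWFZZSWWFWDYDCVDN" 36
2024-03-04T10:00:35 10.0.0.5 POST https://daily-mashriq.org/goyxdrkhjilchyigflztv 200 "AGCYRNRWWWFZZSWWFWDYDCVDN" 36
2024-03-04T10:00:50 10.0.0.7 GET https://www.example.com/about 200 "Mozilla/5.0" 0
2024-03-04T10:01:10 10.0.0.9 POST https://updates.example.net/check 200 "UpdaterClient/1.0" 64
2024-03-04T10:02:45 10.0.0.9 POST https://updates.example.net/check 200 "UpdaterClient/1.0" 64
2024-03-04T10:03:25 10.0.0.9 POST https://updates.example.net/check 200 "UpdaterClient/1.0" 64
2024-03-04T10:05:25 10.0.0.9 POST https://updates.example.net/check 200 "UpdaterClient/1.0" 64
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)" (?P<size>\d+)$'
)
KNOWN_BAD_UA = {"AGCYRNRWWWFZZSWWFWDYDCVDN"}  # User-Agent reported for this sample


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["size"] = int(rec["size"])
    return rec


def find_beacons(lines, min_hits=5, max_cv=0.10):
    """Return suspected beaconing sessions keyed by (client, URL, User-Agent)."""
    sessions = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            sessions[(rec["src"], rec["url"], rec["ua"])].append(rec)

    hits = []
    for (src, url, ua), recs in sessions.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        sizes = [r["size"] for r in recs]
        reasons = []
        if ua in KNOWN_BAD_UA:
            reasons.append("known-bad User-Agent")
        interval = statistics.median(gaps) if gaps else 0.0
        if len(recs) >= min_hits and gaps:
            # Coefficient of variation of the gaps: near zero means a fixed-period timer.
            mean = statistics.fmean(gaps)
            cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
            if cv <= max_cv:
                reasons.append(f"fixed ~{interval:.0f}s interval over {len(recs)} requests")
            # Full system profile first, then identical minimal check-ins.
            if len(set(sizes[1:])) == 1 and sizes[0] > sizes[1]:
                reasons.append("large first POST, then identical small check-ins")
        if reasons:
            hits.append({"src": src, "url": url, "ua": ua, "count": len(recs),
                         "interval": interval, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

The jittery updater on 10.0.0.9 is not flagged because its gap variation is far above the 10% threshold, and the browsing on 10.0.0.7 never reaches the minimum request count; both thresholds are the knobs to tune against your own baseline traffic.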

The following ports are also bound for listening: 49708-49711, 49720-49730, and 49733-49750.

As of this writing, it appears that the domain has been blocked by (CHECK THIS).

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

  • MalAgent.Go.Trojan

IOCs

  • 8f4cf379ee2bef6b60fec792d36895dce3929bf26d0533fbb1fdb41988df7301
  • https://daily-mashriq.org/goyxdrkhjilchyigflztv
  • http://ip-api.com/json/