Acronym: M is for Malware

A malware researcher known as Antelox recently tweeted about an unknown malware sample that caught our eye. Upon further investigation it turned out to be a modular malware we have named Acronym, which could possibly be associated with the Win32/Potao malware family and the Operation Potao Express campaign. This post takes a look at our analysis of Acronym thus far.

Samples

The sample tweeted about is available on VirusTotal. While searching for it in ASERT’s malware zoo we discovered that it was being dropped by another sample, also on VirusTotal.

Naming

The name Acronym comes from a couple of strings in the samples. The first is a debugging string left in the dropper:

C:\Users\user\Documents\Visual Studio 2012\Projects\acronym\BIN\Update.pdb

The second string is from the dropped executable and uses an abbreviation of “acronym”:

http://%s:%s/acr/update.php

Timestamps

There are multiple timestamps in the samples indicating that the malware became active around February 2017. The compilation dates for the dropper and dropped executable are:

  • 2017-02-17 13:18:25
  • 2017-02-16 09:48:30

In addition, the dropped component references a “group” and a “ver” value, both of which contain date-like strings:

  • Feb01
  • 19.02.2017

Dropper Component

The operation of the dropper is fairly straightforward. It starts by killing any processes named “wmpnetwk.exe” with the following command:

taskkill /f /im wmpnetwk.exe

Next, it creates a temporary filename starting with “HH” and ending in “.tmp”, and then moves the following file to it (the path is from the Windows XP analysis system; “Application Data” is the user's %APPDATA% directory):

C:\Documents and Settings\Admin\Application Data\Windows Media Player\wmpnetwk.exe

It finishes by writing the dropped executable to the wmpnetwk.exe path and executing it. Note that the legitimate wmpnetwk.exe (the Windows Media Player Network Sharing Service) lives under Program Files, so a copy of that filename under a user's Application Data directory is itself a useful indicator.
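The two on-disk traces described above (a wmpnetwk.exe under the user's profile and the HH*.tmp file left behind by the move) are easy to sweep for. The following host-triage helper is an added example and not code from the original post; it takes the APPDATA and TEMP directories as parameters so it can be pointed at a mounted image or a live system, and the demo() function builds a constructed profile layout in a scratch directory to exercise it.

```python
import tempfile
from pathlib import Path


def dropper_artifacts(appdata, tmpdir):
    """Look for the on-disk traces the Acronym dropper leaves behind.

    appdata: the user's application data directory (%APPDATA%).
    tmpdir:  the directory the HH*.tmp rename target lands in (%TEMP%).
    Returns a list of (kind, path) findings.
    """
    findings = []

    # The bot is written to "<APPDATA>\Windows Media Player\wmpnetwk.exe".
    # The genuine wmpnetwk.exe lives under Program Files, never under a profile.
    bot = Path(appdata) / "Windows Media Player" / "wmpnetwk.exe"
    if bot.is_file():
        findings.append(("misplaced wmpnetwk.exe", str(bot)))

    # Any previous wmpnetwk.exe is moved to a temp file named HH*.tmp before
    # being replaced, so the leftover is a second indicator.
    for p in sorted(Path(tmpdir).glob("HH*.tmp")):
        findings.append(("HH temp file", str(p)))

    return findings


def demo():
    """Build a constructed (not real) profile layout and scan it."""
    root = Path(tempfile.mkdtemp())
    appdata = root / "Application Data"
    tmpdir = root / "Temp"
    (appdata / "Windows Media Player").mkdir(parents=True)
    tmpdir.mkdir()
    (appdata / "Windows Media Player" / "wmpnetwk.exe").write_bytes(b"MZ")
    (tmpdir / "HH1A2B.tmp").write_bytes(b"MZ")
    (tmpdir / "wct3C4D.tmp").write_bytes(b"")  # unrelated temp file, must not match
    return [kind for kind, _ in dropper_artifacts(appdata, tmpdir)]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live Windows host you would pass os.environ["APPDATA"] and os.environ["TEMP"]; against a mounted image, the corresponding directories under each user profile.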

Bot Component

Acronym starts off by setting up persistence. Depending on the Windows version, it does this either by using the typical Registry Run key method or by adding a new task to the Task Scheduler.

To prevent multiple copies of itself from running, it creates and checks the following mutex:

sjd8anSice8h_sdnm9232

After the bot has been initialized, it will start phoning home to its command and control servers (C2s). It will iterate through six possible IP/port pairs. In the analyzed sample the six pairs were composed of two IPs and three ports:

  • 85.143.166.244:8080
  • 85.143.166.244:443
  • 85.143.166.244:80
  • 62.76.47.198:8080
  • 62.76.47.198:443
  • 62.76.47.198:80

Each IP/port pair is formatted into a URL using the following template:

http://%s:%s/acr/update.php

An example phone home request is shown in the snippet below. The POST data consists of one name/value pair where the name is five random alphanumeric characters (xrlfR in this example). The value is wrapped in multiple layers, listed here from the outside in:

  • URL encoded
  • Base64 encoded
  • DES encrypted with hardcoded key and initialization vector (IV)
  • Bzip2 compressed

It can be unwrapped with the following Python 3 snippet (Crypto.Cipher.DES is provided by pycryptodome):

import base64
import bz2
from urllib.parse import unquote
from Crypto.Cipher import DES

# Value of the single POST parameter (xrlfR) from the captured request
post_value = "TZUiUOgnyLaS8o21zJj%2B6G6kSqgMapnq4wsg4SBPgAO7yMNwB%2BykANZ0s33INSTe%0D%0Ans8Y4ZU/jZOqW1OsBORW5LvgcET6hwTnSoNxVmvb0syfWdVAoL%2BUvA5XEkkHQLHI%0D%0Aly1/uwyfL9eIgav/AfmQfrzDvTLDy0H%2BeWUhyIyHzCY%3D%0D%0A"

# Peel the layers from the outside in: URL encoding, Base64, DES-CBC, bzip2
unquoted = unquote(post_value)
no_b64 = base64.b64decode(unquoted)  # the embedded CRLFs are non-alphabet characters and are discarded
des = DES.new(b"\xf1\x0e\x25\x7c\x6b\xce\x0d\x34", DES.MODE_CBC, iv=b"\x01\x02\x03\x04\x05\x06\x07\x08")
no_des = des.decrypt(no_b64)
plain = bz2.decompress(no_des)  # any block padding after the end of the bzip2 stream is ignored
print(plain.decode("ascii", "replace"))

Once unwrapped, the plaintext is the following query string of name/value pairs:

3LWuJ=f43b28526bbb230d&3LWuJ=Feb01&3LWuJ=19.02.2017&5.1.2600_x32&ADMIN-B2619D2D3&yyamq=?

The names are again five random alphanumeric characters, but the same name is reused for several values (possible bug). The values break down as follows:

  • f43b28526bbb230d – bot UID
  • Feb01 – group
  • 19.02.2017 – ver
  • 5.1.2600_x32 – Windows version and architecture
  • ADMIN-B2619D2D3 – computer name
  • ? – random data (possible bug)

Another possible bug is that the Windows version and computer name values are sent without a name at all.

The bot UID is the first 16 characters of the MD5 hex digest of a string made up of the computer name and the ProcessorNameString value from the Registry (HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0). “group” and “ver” are both hardcoded strings and likely refer to a campaign ID and the version of the malware.

At the time of writing the C2s weren’t responding, so we could not observe what a response looks like. The response data is encrypted with DES and can be decrypted using the same key and IV as above. The decrypted data maps to commands and command data.
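The fixed URL template, the small C2 list and the one-parameter POST body described above give network defenders a usable handle. The following scanner is an added example and not part of the original post: it walks proxy-log records in a constructed tab-separated format (timestamp, client, method, URL, body), flags POSTs whose URL matches http://<ip>:<port>/acr/update.php, and grades each hit as a known C2 from the analyzed sample, a body that has the beacon's shape (five-character alphanumeric name, URL-encoded Base64 value whose decoded length is a multiple of the DES block size), or a path match only. The client addresses, the 198.51.100.9 and 203.0.113.4 hosts, and the verdict labels are all constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# C2 IP/port pairs observed in the analyzed sample.
KNOWN_C2 = {
    ("85.143.166.244", "8080"), ("85.143.166.244", "443"), ("85.143.166.244", "80"),
    ("62.76.47.198", "8080"), ("62.76.47.198", "443"), ("62.76.47.198", "80"),
}

# URL template http://%s:%s/acr/update.php: plain HTTP, explicit port, fixed path.
URL_RE = re.compile(r"^http://(?P<host>[^/:]+):(?P<port>\d+)/acr/update\.php$")
# One name/value pair; the name is five alphanumerics, the value URL-encoded Base64.
BODY_RE = re.compile(r"^(?P<name>[A-Za-z0-9]{5})=(?P<value>[A-Za-z0-9%+/=]+)$")


def body_looks_like_beacon(body):
    """True when the POST body has the shape of an Acronym phone home."""
    m = BODY_RE.match(body.strip())
    if not m:
        return False
    b64 = "".join(unquote(m.group("value")).split())  # drop the embedded CRLFs
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    # DES-CBC ciphertext is a whole number of 8-byte blocks.
    return len(raw) > 0 and len(raw) % 8 == 0


def scan_log(text):
    """Return (client, url, verdict) for every record worth an alert."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, method, url, body = line.split("\t", 4)
        m = URL_RE.match(url)
        if method != "POST" or not m:
            continue
        if (m.group("host"), m.group("port")) in KNOWN_C2:
            verdict = "known-c2"
        elif body_looks_like_beacon(body):
            verdict = "beacon-shaped"
        else:
            verdict = "url-only"
        hits.append((client, url, verdict))
    return hits


# Constructed proxy-log records (tab separated); not real traffic.
SAMPLE_LOG = """\
2017-02-20T10:01:02Z\t10.0.0.5\tPOST\thttp://85.143.166.244:8080/acr/update.php\txrlfR=TZUiUOgnyLaS8o21zJj%2B6G6kSqgMapnq4wsg4SBPgAO7yMNwB%2BykANZ0s33INSTe%0D%0A
2017-02-20T10:01:03Z\t10.0.0.5\tGET\thttp://example.org/index.html\t
2017-02-20T10:01:04Z\t10.0.0.7\tPOST\thttp://198.51.100.9:80/acr/update.php\tQm3Xa=AAAAAAAAAAA%3D
2017-02-20T10:01:05Z\t10.0.0.9\tPOST\thttp://example.org/acr/update.php\tlogin=admin&pw=x
2017-02-20T10:01:06Z\t10.0.0.11\tPOST\thttp://203.0.113.4:443/acr/update.php\ta=b
"""

if __name__ == "__main__":
    for client, url, verdict in scan_log(SAMPLE_LOG):
        print(verdict, client, url)
```

The body check is deliberately loose (it accepts any block-aligned Base64 value) so that it still fires when the operators rotate infrastructure; the known-C2 tier is what gives a confident alert on its own.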

There are three built-in commands:

  • Take a screenshot
  • Download and execute
  • Run a plugin

The plugin command is worth a closer look. It loads a DLL received from the C2 and looks for exports named “Scan” and/or “Plug”. If it finds a “Scan” export it executes it and sends the results to the C2. If it finds a “Plug” export it starts a new thread and calls the function with the following string as its argument:

uid=%s&group=%s&ver=%s

“uid”, “group”, and “ver” are filled in with the same values as in the phone home. As noted above, the C2s were down during this research so we were unable to analyze any plugins.
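Because the parameter names in the decrypted beacon are random per run, one name is reused for three values, and two values carry no name at all, a conventional query-string parser loses fields; the values have to be taken by position. The following parser is an added example (not code from the original post) for the beacon format above, with the bot UID computation and the plugin argument string alongside it. One assumption is labelled in the code: the post says the UID is the MD5 of a string built from the computer name and ProcessorNameString, but not how the two are joined, so bot_uid() concatenates them directly.

```python
import hashlib
import re
from urllib.parse import unquote_plus

# Decrypted beacon from the analyzed sample, used here as the worked input.
EXAMPLE_BEACON = ("3LWuJ=f43b28526bbb230d&3LWuJ=Feb01&3LWuJ=19.02.2017"
                  "&5.1.2600_x32&ADMIN-B2619D2D3&yyamq=?")

# The bot emits six values in a fixed order; position is the only stable key.
FIELD_ORDER = ("uid", "group", "ver", "os", "hostname", "trailer")


def parse_beacon(query):
    """Decode the beacon by position, tolerating reused and missing names."""
    values = []
    for part in query.split("&"):
        name, sep, value = part.partition("=")
        # A part with no "=" is a nameless value (Windows version, computer name).
        values.append(unquote_plus(value if sep else name))
    if len(values) != len(FIELD_ORDER):
        raise ValueError("expected %d fields, got %d" % (len(FIELD_ORDER), len(values)))
    fields = dict(zip(FIELD_ORDER, values))
    if not re.fullmatch(r"[0-9a-f]{16}", fields["uid"]):
        raise ValueError("uid is not 16 hex characters: %r" % fields["uid"])
    # "5.1.2600_x32" -> Windows version and architecture
    fields["os_version"], _, fields["arch"] = fields["os"].partition("_")
    return fields


def bot_uid(computer_name, processor_name_string):
    """First 16 hex characters of MD5 over the computer name and ProcessorNameString.

    ASSUMPTION: the two strings are concatenated with no separator and hashed as
    UTF-8 bytes; the post does not state the exact byte layout.
    """
    digest = hashlib.md5((computer_name + processor_name_string).encode("utf-8")).hexdigest()
    return digest[:16]


def plugin_argument(fields):
    """The string handed to a plugin's Plug export, built from the same three values."""
    return "uid=%s&group=%s&ver=%s" % (fields["uid"], fields["group"], fields["ver"])


if __name__ == "__main__":
    f = parse_beacon(EXAMPLE_BEACON)
    for key in FIELD_ORDER + ("os_version", "arch"):
        print("%-10s %s" % (key, f[key]))
    print(plugin_argument(f))
```

If a later sample fixes the naming bugs, the positional decoding still works as long as the field order is unchanged; a sample that adds or drops a field will trip the count check rather than silently mislabel values.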

Possible Link to Win32/Potao Malware Family

Pivoting on the “Scan” and “Plug” plugin functionality led to a possible connection to the Win32/Potao malware family. As described in ESET’s “Operation Potao Express: Analysis of a cyber-espionage toolkit” paper, “Potao is another example of targeted espionage malware, a so-called APT…” that they have been tracking since 2011. With a campaign history going back multiple years, it is possible that Acronym is a new addition to the Potao gang’s “cyber-espionage toolkit”. In addition to the plugin code overlap, there are also some similarities in infrastructure and artifacts:

  • IPs with ports 8080, 443, and 80
  • Shared C2 network: 62.76.x.x
  • Temporary filenames starting with “HH”

On the other hand, a lot of functionality documented in Win32/Potao is missing from Acronym. Some examples:

  • No decoy document used in the dropper
  • The dropper doesn’t store the dropped executable compressed
  • Doesn’t inject into any processes
  • Doesn’t drop a DLL, but an EXE
  • No string encryption
  • No RSA key exchange
  • No AES encryption
  • No XML data exchange
  • Different system information query string
  • No Windows API hashing

There are also at least three components that appear to have been copied and pasted from code examples on the Internet:

  • HTTP communications
  • DES encryption and key
  • Screenshot functionality

So it is just as likely that the plugin functionality was also copied from some other source and is not connected to Win32/Potao or its campaign.

Conclusion

As usual with new malware, it is too soon to assess how active and widespread this new family will become, but its potential link to the long-running Operation Potao Express campaign makes it worth watching.
