Background: Open Directory and Threat Intelligence
An open directory is a vulnerability that occurs when file access permissions are not properly configured on a Web server. This makes files and directories that should be confidential accessible to anyone, even without authentication.
In the context of threat intelligence, open directories are of crucial importance. Threat actors place malware and tools on web servers so that they can retrieve them later, or simply to have a folder that is conveniently reachable from the Internet.
Threat actors often set up their own virtual servers and place the files there, without having to exploit vulnerabilities in third-party servers, which simplifies and speeds up their operations.
Malware Analysis and Reverse Engineering
Analysis of malware found in open directories is an important threat intelligence activity. Through malware analysis, analysts can:
- Understand malware behavior: identify its type, the actions it performs, and the threat actors' intended purpose.
- Identify the vulnerabilities exploited by the malware: this allows patches to be developed and mitigates the risk of future attacks.
- Attribute the attack to a specific threat actor group: the techniques used in the malware can be traced to specific groups, providing useful information for investigation and law enforcement.
Reverse engineering is a fundamental technique for malware analysis. It allows disassembling the binary code of the malware and partially reconstructing its source code, making it more understandable to analysts.
Anticipating threats
Analysis of malware found in open directories, combined with reverse engineering, can help:
- Identify new malware variants: threat actors frequently modify the code of their malware to evade security systems. Analysis of new variants allows defenses to be updated in a timely manner.
- Predict the future moves of threat actors: by understanding their tactics and techniques, it is possible to anticipate their attacks and put appropriate protection measures in place.
Analysis: sample selection
During search activities by Cyberoo’s threat intelligence team, an open directory containing several files with suspicious names was recently found.
Figure 1 – Files contained in the open directory
Analysts from Cyberoo’s IR team analyzed all the files contained in the directory and found that several files are linked to each other.
For this paper, 3 files of similar size and creation date but with different hashes were chosen. The 3 files are as follows:
- Nzewxakqtk.exe
- Nvokcuobkn.exe
- Pparetcoju.exe
At the time of analysis, the files were detected by Microsoft Defender:
Figure 2 – Detection of Microsoft Defender
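The sample selection above (executables of similar size and creation date in the same listing) can be done mechanically. The following is an added example, not code from the original paper: it parses a constructed nginx-style autoindex page that reuses the file names from Figure 1 (sizes and timestamps are made up), keeps only executable-looking entries and groups those that look like sibling builds.

```python
import re
from datetime import datetime

# Constructed autoindex page standing in for the listing in Figure 1.
# File names come from the article; sizes and timestamps are invented.
LISTING = """<html><body><pre>
<a href="Nzewxakqtk.exe">Nzewxakqtk.exe</a>   12-Mar-2023 10:41   612352
<a href="Nvokcuobkn.exe">Nvokcuobkn.exe</a>   12-Mar-2023 10:41   612352
<a href="Pparetcoju.exe">Pparetcoju.exe</a>   12-Mar-2023 10:42   612864
<a href="stub.exe">stub.exe</a>               09-Mar-2023 18:05   2493440
<a href="notes.txt">notes.txt</a>             01-Mar-2023 09:00   1024
</pre></body></html>"""

ENTRY = re.compile(
    r'<a href="([^"]+)">[^<]*</a>\s+(\d{2}-\w{3}-\d{4} \d{2}:\d{2})\s+(\d+)')
EXECUTABLE = (".exe", ".dll", ".scr", ".ps1", ".bat", ".vbs")

def parse_listing(html):
    """Return [(name, mtime, size)] for every entry of an autoindex page."""
    entries = []
    for name, stamp, size in ENTRY.findall(html):
        entries.append((name, datetime.strptime(stamp, "%d-%b-%Y %H:%M"), int(size)))
    return entries

def triage(entries, size_tolerance=0.05, window_minutes=10):
    """Keep executable-looking files and group those whose size is within
    size_tolerance of each other and whose mtime is within window_minutes:
    such groups are the natural candidates for side-by-side analysis."""
    execs = [e for e in entries if e[0].lower().endswith(EXECUTABLE)]
    execs.sort(key=lambda e: (e[1], e[2]))
    groups = []
    for entry in execs:
        for group in groups:
            ref = group[0]
            close_size = abs(entry[2] - ref[2]) <= size_tolerance * ref[2]
            close_time = abs((entry[1] - ref[1]).total_seconds()) <= window_minutes * 60
            if close_size and close_time:
                group.append(entry)
                break
        else:
            groups.append([entry])
    return [[e[0] for e in g] for g in groups]

if __name__ == "__main__":
    for group in triage(parse_listing(LISTING)):
        print(group)
```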
Reverse Engineering
From an initial analysis, the samples were written in C# with the .NET framework, are highly obfuscated, and use decryption and hash table algorithms.
Figure 3 – Anomalies found in files using the Malcat tool
Since the files were compiled in .NET, the dnSpy tool was used to reverse engineer and debug the code.
Figure 4 – Files opened with dnSpy, all nearly identical to each other
For ease of reading, the paper presents the analysis of a single file, since the samples are identical to each other except for their C2s.
Before the static analysis, the files were executed and the activities performed by the malware were tracked with a number of tools.
Figure 5 – Traffic capture during malware execution
Figure 6 – Some of the strings found in the memory of the malicious process
From the images above, it can be seen that the malware attempts to resolve the cdn.discordapp[.]com address, commonly used by users of the Discord communication platform and also exploited by cyber criminals to distribute malicious files.
From analysis by Cyberoo’s IR team and threat intelligence sources, it is indeed common to use this platform as a source of distribution.
Figure 7 – Initial function of malware
From the static analysis, it is possible to see that the developers have implemented several functions to encrypt the text and obfuscate the code.
In the function in Figure 7, the malware creates an HTTP request to download a remote file. To speed up and simplify the analysis, the code was run in a debugging session:
Figure 8 – Remote host of the first call
Figure 9 – Parameters passed in the first call
Initially, the malware makes a call to the site in Figure 8, a POST request with the parameters in Figure 9. The usefulness of this call is unclear, considering that www.example[.]com is a generic site and always returns an error, as it cannot handle a call with those parameters.
The malware's functionality does not depend on that call, so it is probably made to throw off analysis in some way. Next, the real address hosting the second stage of the malware is called:
Figure 10 – Code section with call to CDN Discord
Figure 11 – C2 on Discord
The malware then calls the Discord server to retrieve the content created on the platform, but at the time of analysis the content had been removed.
Below is the evidence, obtained by capturing the call to the Discord server:
Figure 12 – Discord server call and response
Since the files hosted on Discord are no longer available, the 3 samples in question are disarmed and harmless, considering that their only activities are to download and execute the next stage.
The 3 files are therefore categorized as downloaders/loaders. Reverse engineering was suspended and work continued in the area of research and threat intelligence.
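The two network behaviours described above (a throw-away request to www.example[.]com, then a fetch of the second stage from the Discord CDN) are what a defender can look for in proxy telemetry. The following is an added example, not part of the original analysis: it runs simple detection logic over constructed proxy log lines in an assumed "timestamp client process method url status" format.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log lines mirroring the observed sequence (not real captures).
LOG = """\
2023-03-12T10:41:02 10.0.0.15 Nzewxakqtk.exe POST http://www.example.com/ 404
2023-03-12T10:41:03 10.0.0.15 Nzewxakqtk.exe GET https://cdn.discordapp.com/attachments/1111/2222/stage2.exe 404
2023-03-12T10:42:10 10.0.0.22 chrome.exe GET https://cdn.discordapp.com/attachments/3333/4444/photo.png 200
2023-03-12T10:45:00 10.0.0.30 Discord.exe GET https://cdn.discordapp.com/attachments/5555/6666/report.pdf 200
2023-03-12T11:00:00 10.0.0.15 outlook.exe GET https://www.example.com/ 200
"""

# Processes for which a Discord CDN fetch is expected; everything else is suspicious.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "discord.exe"}
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".ps1", ".vbs", ".zip")
DECOY_WINDOW = timedelta(seconds=30)

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, client, proc, method, url, status = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "client": client, "proc": proc,
                     "method": method, "url": urlparse(url), "status": int(status)})
    return rows

def detect(rows):
    """Return (client, process, reason) alerts for:
    1. an executable-looking attachment fetched from the Discord CDN by a non-browser process;
    2. a www.example.com request followed within DECOY_WINDOW by a Discord CDN fetch
       from the same client and process (the decoy-then-stage-2 sequence)."""
    alerts = []
    last_decoy = {}  # (client, proc) -> timestamp of the last www.example.com request
    for r in sorted(rows, key=lambda r: r["ts"]):
        key = (r["client"], r["proc"])
        host = r["url"].hostname or ""
        if host == "www.example.com":
            last_decoy[key] = r["ts"]
            continue
        if host != "cdn.discordapp.com":
            continue
        if r["proc"].lower() not in BROWSERS and r["url"].path.lower().endswith(EXEC_EXT):
            alerts.append((*key, "executable fetched from Discord CDN by non-browser process"))
        seen = last_decoy.get(key)
        if seen is not None and r["ts"] - seen <= DECOY_WINDOW:
            alerts.append((*key, "www.example.com request followed by Discord CDN fetch"))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(LOG)):
        print(alert)
```

The status code is deliberately ignored: the 404 seen here only tells you the stage was already gone, and the same sequence with a 200 is the case that matters.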
Threat Intelligence activities
During the day-to-day work of the IR team, and especially during the analysis and reverse engineering of malicious samples, threat intelligence is critical: it helps speed up analysis and enrich the results.
Research teams use a variety of techniques, tools, and public and private platforms to search for information, correlate it, and thus complete analyses that would otherwise be less useful. Searching VirusTotal for the hash of the analyzed sample made further analysis possible.
Figure 13 – VirusTotal analysis
The malware had been uploaded a few hours earlier, probably by other analysts verifying its content and performing an initial analysis.
The most interesting finding was that, a few hours before the Cyberoo IR team's analysis, the next-stage files were most likely still present on Discord, as the VirusTotal analysis detected activity compatible with the “BitRAT” RAT:
Figure 14 – Configuration of BitRAT and its C2
The IP in question, flagged as malicious, is BitRAT’s C2.
Figure 15 – C2 BitRAT
Proceeding with the IP analysis, it was possible to retrieve the list of some of the executables communicating with that C2:
Figure 16 – List of malicious executables that have communicated with C2
Among the files in figure 15, several also appear in the list in figure 1, i.e. those within the open directory, such as the stub.exe file.
Figure 17 – Connection by stub.exe file to C2
Figure 18 – Family identification using the YARA tool and rule BitRAT
Dynamic analysis confirms that the C2 is indeed contacted by the stub.exe file.
At this point, we could proceed with the analysis and reverse engineering of the sample or, as in our case, since the file is identified as BitRAT, rely on the fact that it is a known family that has been analyzed many times.
Through threat intelligence articles and sources it is possible to learn more about this RAT (Remote Access Tool): how it works, what features it has and how threat actors use it.
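The pivot performed above (sample to C2 IP, C2 IP to the other samples that contact it, then back to the open directory listing) is a graph walk. The following is an added example, not code from the original paper or from any TI platform: it runs that walk over constructed relationship records that reuse the file names and the C2 IP from the article, with the edge set itself invented for the example. Shared infrastructure such as the Discord CDN is listed in skip_hosts so that the pivot does not drag in unrelated files.

```python
from collections import deque

# Constructed sample -> contacted indicator records standing in for what a TI
# platform exposes. Names and the C2 IP are from the article; the edges are invented.
CONTACTS = {
    "Nzewxakqtk.exe": {"cdn.discordapp.com", "103.153.182.247"},
    "Nvokcuobkn.exe": {"cdn.discordapp.com"},
    "stub.exe": {"103.153.182.247"},
    "other_rat.exe": {"103.153.182.247"},
    "unrelated.exe": {"203.0.113.9"},
}
OPEN_DIRECTORY = {"Nzewxakqtk.exe", "Nvokcuobkn.exe", "Pparetcoju.exe", "stub.exe"}
SHARED_INFRA = frozenset({"cdn.discordapp.com"})  # public CDN: never pivot through it

def build_graph(contacts):
    """Undirected graph: sample <-> indicator, so the walk can come back to samples."""
    graph = {}
    for sample, hosts in contacts.items():
        for host in hosts:
            graph.setdefault(sample, set()).add(host)
            graph.setdefault(host, set()).add(sample)
    return graph

def pivot(graph, start, max_hops=2, skip_hosts=frozenset()):
    """Breadth-first walk from a sample through the indicators it contacts and back
    to other samples. Nodes in skip_hosts are reported but not expanded."""
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        node, hops = queue.popleft()
        if hops == max_hops or node in skip_hosts:
            continue
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    seen.discard(start)
    return seen

def correlate(contacts, start, open_directory, skip_hosts=SHARED_INFRA):
    related = pivot(build_graph(contacts), start, skip_hosts=skip_hosts)
    samples = {n for n in related if n in contacts}
    return {"infrastructure": related - samples,
            "related_samples": samples,
            "also_in_open_directory": samples & open_directory}

if __name__ == "__main__":
    print(correlate(CONTACTS, "Nzewxakqtk.exe", OPEN_DIRECTORY))
```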
Conclusion
Analysis of malware found in open directories is a major threat intelligence activity. Through code analysis and reverse engineering, analysts can gain crucial information to counter threats and protect infrastructure.
IOC
SHA1 hashes of the 3 .NET samples and of the BitRAT malware:
Nzewxakqtk.exe 9ad29b0652b419df2840526002f2c9ae483c0f48
Nvokcuobkn.exe 5c20b6cf56287c18566e50b0249e6cd9285f3ca3
Pparetcoju.exe f718a2f84876b63d98106478b298600fab739778
Stub.exe (BitRAT) b02b8b4c0ee1f8b850e420d754ef1f398c1ebf4d
C2 BitRAT: 103.153.182[.]247
C2 downloader: cdn.discordapp.com
Distribution server/Open directory: 94.242.61[.]211