Travle aka PYLOT backdoor hits Russian-speaking targets
Posted by Scarlett (Updates Moderator) on December 19, 2017, 11:15:18 AM
Article dated 19 December 2017, 11:00 am

At the end of September, Palo Alto Networks' Unit 42 released a report in which they, among other things, described the PYLOT malware. We have been detecting attacks that employ this backdoor since at least 2015 and refer to it as Travle. Coincidentally, Kaspersky Lab was recently involved in an investigation of a successful attack in which Travle was detected, during which we conducted a deep analysis of this malware. With this intelligence ready, we are sharing our findings in this blog to supplement Palo Alto's research with additional details.

Technical Details

MD5                               Size    Linker  Compiled on
7643335D06BAEC5A14C95A393592EA3F  164352  11.0    2016-10-14 06:21:07

The Travle sample found during our investigation was a DLL with a single exported function (MSOProtect). The name Travle was chosen because of a string found in early samples of this family: "Travle Path Failed!". The typo was replaced with the correct word "Travel" in newer releases. We believe that Travle could be a successor to the NetTraveler family.

First of all, we detected numerous malicious documents used in spear-phishing attacks, with file names suggesting Russian-speaking targets and with the executable payload stored in encrypted form.

This encryption method has been well known for a long time: it was first used in exploit documents to conceal Enfal, and then we discovered this backdoor, Travle, in documents using the same encryption. Later still, documents with this encryption started carrying another APT family, Microcin. Travle C2 domains often overlap with those of Enfal. As for NetTraveler, at some point Enfal samples started using the same method for encrypting the C2 URL string that NetTraveler uses:

Enfal sample with NetTraveler-like C2 string encryption

So, clearly, these backdoors (Enfal, NetTraveler, Travle and Microcin) are all related to each other and are believed to have Chinese-speaking origins. Having found the string "Travel path failed!", we believe that the Travle backdoor could be intended as a successor to NetTraveler.

The malware starts by initializing the following variables:

%TEMP%\KB287640\   local malware drop zone
%TEMP%\KB887209\   plugin storage
\~KB178495.DAT     configuration file path

Surprisingly, these paths remain the same in all samples of this family. If no configuration file is found, Travle reads the default settings from its resource "RAW_DATA". The settings are stored in encrypted form. The decryption code is a backward walk over the buffer in which each byte is XORed with the byte two positions before it:

    for (i = size - 1; i > 1; --i)
        buf[i] ^= buf[i - 2];

The storage format for the configuration block is as follows:

Offset  Size   Value
0       0x81   C2 domain
0x102   0x81   C2 URL path
0x204   2      C2 port (not used)
0x206   0xB    not used
0x21C   0xB    Sample ID
0x232   0x401  Bot's first RC4 key
0xA34   0x401  Bot's second RC4 key
0x1238  2      not used

The described sample carries the following configuration data:

Field        Value
C2 domain    remember123321.com
C2 URL path  /zzw/ash.py
Sample ID    MjdfS0584
1st RC4 key  mffAFe4bgaadbAzpoYRf
2nd RC4 key  mffAFe4bgaadbAzpoYRf
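As an added worked example (not code from the article or from the malware), the decryption loop and the layout table above can be turned into a small parser. It rebuilds a configuration block with the analysed sample's values, encrypts it with the inverse (forward) XOR walk to obtain realistic input, then decrypts and parses it. The total block size of 0x123A bytes is derived from the last field and is an assumption, as are the little-endian port bytes and NUL-terminated string fields.

```python
# Added example, not code from the Securelist article or the malware: rebuild, decrypt
# and parse a Travle configuration block using the XOR loop and field layout described
# in the text. Offsets, sizes and the sample's values come from the article; the total
# block size, little-endian port and NUL-terminated strings are assumptions.

CFG_SIZE = 0x1238 + 2  # last field (0x1238, 2 bytes) ends the block: 0x123A bytes (assumed)

# (offset, size) of the string fields from the layout table
FIELDS = {
    "c2_domain":   (0x000, 0x81),
    "c2_url_path": (0x102, 0x81),
    "sample_id":   (0x21C, 0x0B),
    "rc4_key_1":   (0x232, 0x401),
    "rc4_key_2":   (0xA34, 0x401),
}
PORT_OFFSET = 0x204  # 2-byte C2 port, not used by the bot


def decrypt_config(blob: bytes) -> bytes:
    """Travle's loop: walk backwards, XOR each byte with the byte two positions before it."""
    buf = bytearray(blob)
    for i in range(len(buf) - 1, 1, -1):   # for (i = size - 1; i > 1; --i)
        buf[i] ^= buf[i - 2]
    return bytes(buf)


def encrypt_config(plain: bytes) -> bytes:
    """Inverse of decrypt_config (forward walk); used here only to build test input."""
    buf = bytearray(plain)
    for i in range(2, len(buf)):
        buf[i] ^= buf[i - 2]
    return bytes(buf)


def _cstring(data: bytes, offset: int, size: int) -> str:
    """Read a NUL-terminated ASCII string out of a fixed-size slot."""
    slot = data[offset:offset + size]
    return slot.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_config(plain: bytes) -> dict:
    """Pull the named fields out of a decrypted configuration block."""
    if len(plain) != CFG_SIZE:
        raise ValueError(f"unexpected config size {len(plain):#x}, expected {CFG_SIZE:#x}")
    cfg = {name: _cstring(plain, off, size) for name, (off, size) in FIELDS.items()}
    cfg["c2_port"] = int.from_bytes(plain[PORT_OFFSET:PORT_OFFSET + 2], "little")
    return cfg


def build_config(values: dict, port: int = 0) -> bytes:
    """Lay out plaintext fields at their offsets (helper to construct a sample block)."""
    buf = bytearray(CFG_SIZE)
    for name, (off, size) in FIELDS.items():
        raw = values[name].encode("ascii")
        if len(raw) >= size:  # leave room for the terminating NUL
            raise ValueError(f"{name} does not fit in a {size:#x}-byte slot")
        buf[off:off + len(raw)] = raw
    buf[PORT_OFFSET:PORT_OFFSET + 2] = port.to_bytes(2, "little")
    return bytes(buf)


# Constructed input: the values the article reports for the analysed sample.
SAMPLE_VALUES = {
    "c2_domain":   "remember123321.com",
    "c2_url_path": "/zzw/ash.py",
    "sample_id":   "MjdfS0584",
    "rc4_key_1":   "mffAFe4bgaadbAzpoYRf",
    "rc4_key_2":   "mffAFe4bgaadbAzpoYRf",
}
ENCRYPTED_SAMPLE = encrypt_config(build_config(SAMPLE_VALUES))

if __name__ == "__main__":
    for name, value in parse_config(decrypt_config(ENCRYPTED_SAMPLE)).items():
        print(f"{name:12} {value}")
```

The same parser applies to a real configuration file or to the RAW_DATA resource, provided the block is 0x123A bytes; a different length is the first sign that a sample uses another layout.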

The Travle backdoor starts its communication with the C2 by sending gathered information about the target operating system in an HTTP POST request to a URL built using the C2 domain and the path specified in the settings. The information sent includes the following data:

UserID – based on the computer name and IP-address

Computer name

Keyboard layout

OS version

IP-addresses

MAC-address

Once the C2 receives the first packet, it responds with a block of data containing the following information:

URL path for receiving commands

URL path for reporting on command execution results

URL path for downloading files from C2

URL path for uploading files to C2

C2 second RC4 key

C2 first RC4 key

C2 ID

After this packet has been received, Travle waits for additional commands from the server.

Communication encryption

The encryption applied depends on the type of transmitted object. There are three variants:

Data
  1. The data is Base64-encoded.
  2. The resulting string is appended to a header of 0x58 bytes.
  3. The resulting buffer is RC4-encrypted with the C2 first RC4 key.
  4. The resulting buffer is Base64-encoded.

List of strings
  1. Each line is RC4-encrypted with the C2 second RC4 key.
  2. The resulting buffer is Base64-encoded.
  3. All the Base64-encoded strings are joined into one buffer, delimited with "\r\n".
  4. The resulting string is appended to a header of 0x54 bytes.
  5. The resulting buffer is RC4-encrypted with the C2 first RC4 key.
  6. The resulting buffer is Base64-encoded.

File
  1. The file is compressed with LZO.
  2. The resulting archive is RC4-encrypted with the C2 second RC4 key.

Messages format

The header of a transmitted message is laid out as follows:

Offset (bytes)  Size (bytes)  Description
0               0x14          Random set of bytes
0x14            4             Data type / Command ordinal
0x18            4             NULL / Command ID
0x1C            4             Size of data
0x20            0x14          Sample ID
0x34            0x24          User ID
0x58            Size of data  Data

Files are transferred to the C2 in a POST request as multipart content with the boundary "kdncia987231875123nnm". All Travle samples we have discovered use this value.
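As an added example (not the article's or the malware's own code), the following reproduces the "Data" encoding chain and the 0x58-byte header from the two sections above, then decodes the result. The header field order and sizes come from the article; everything else is assumed: little-endian integers, a size field that counts the Base64 payload following the header, NUL-padded Sample ID and User ID slots, the message type placed at offset 0x18, and a constructed OS-info string with the sample's RC4 key string standing in for the C2 key (the real C2 keys only arrive in the first response).

```python
import base64
import os
import struct

# Added example, not code from the article or the malware: build and decode a Travle
# "Data"-type message using the header layout and encoding chain described in the text.
# Assumptions (not stated in the article): little-endian integers, the size field counts
# the Base64 payload that follows the header, Sample ID / User ID are NUL-padded, and the
# bot-to-C2 message type sits at offset 0x18.

HEADER_LEN = 0x58
# random(0x14) | type/ordinal(4) | NULL/command ID(4) | size(4) | sample ID(0x14) | user ID(0x24)
HEADER_FMT = "<20sIII20s36s"
assert struct.calcsize(HEADER_FMT) == HEADER_LEN


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _fixed(field: bytes, size: int) -> bytes:
    """NUL-pad a string field to its slot size; refuse values that do not fit."""
    if len(field) > size:
        raise ValueError(f"field of {len(field)} bytes exceeds slot of {size:#x}")
    return field.ljust(size, b"\x00")


def pack_header(ordinal: int, cmd_id: int, size: int, sample_id: bytes, user_id: bytes) -> bytes:
    return struct.pack(HEADER_FMT, os.urandom(0x14), ordinal, cmd_id, size,
                       _fixed(sample_id, 0x14), _fixed(user_id, 0x24))


def encode_data_message(ordinal, cmd_id, payload, sample_id, user_id, c2_key1):
    """Base64(payload) -> header || that string -> RC4 with the C2 first key -> Base64."""
    inner = base64.b64encode(payload)
    header = pack_header(ordinal, cmd_id, len(inner), sample_id, user_id)
    return base64.b64encode(rc4(c2_key1, header + inner))


def decode_data_message(blob, c2_key1):
    """Reverse the chain. The format has no MAC, so validate sizes before trusting anything."""
    raw = rc4(c2_key1, base64.b64decode(blob))
    if len(raw) < HEADER_LEN:
        raise ValueError("message shorter than the fixed header")
    _rnd, ordinal, cmd_id, size, sid, uid = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    body = raw[HEADER_LEN:HEADER_LEN + size]
    if len(body) != size:
        raise ValueError("size field does not match the data present (wrong key or truncated)")
    return {
        "ordinal": ordinal,
        "cmd_id": cmd_id,
        "sample_id": sid.rstrip(b"\x00").decode("ascii"),
        "user_id": uid.rstrip(b"\x00").decode("ascii"),
        "payload": base64.b64decode(body, validate=True),
    }


# Constructed demo values: the analysed sample's ID, a made-up user ID, a made-up
# OS-info string, and the sample's RC4 key string standing in for the C2 first key.
DEMO_KEY = b"mffAFe4bgaadbAzpoYRf"
DEMO_OS_INFO = b"WS-0001|0419|6.1.7601|10.0.0.5|00-11-22-33-44-55"


def demo_roundtrip() -> dict:
    """Encode a type-1 (OS information) message and decode it again."""
    blob = encode_data_message(0, 1, DEMO_OS_INFO, b"MjdfS0584", b"user-constructed", DEMO_KEY)
    return decode_data_message(blob, DEMO_KEY)


if __name__ == "__main__":
    print(demo_roundtrip())
```

Because the format carries no integrity check, a decoder fed the wrong key sees a random size field; the length check, not a MAC, is what turns that into an error rather than garbage. A parser for captured traffic would additionally need the 0x54-byte header variant for string lists and the LZO step for files, which are not shown here.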

Message types – from bot to C2

The command ID is specified at offset 0x18 in the header.

Technical messages:

ID  Description                       Data content
1   Information about OS              Information about OS
2   Request for the first command     NULL
3   Request for the list of commands  NULL
4   Command executed successfully     Information about command execution, or the name of the transmitted file
5   Command execution failed          Information about the error

Operational messages:

ID  Description                                             Data content
1   Bot sends the list of files in the requested directory  The list of files
11  Bot sends the content of the requested file             The content of the file

Message types – from C2 to bot

When the bot sends a POST request, the C2 responds with data in the following format:

ID  Description           Data content
0   Information about C2  The list of C2 parameters
1   Commands              The list of commands

The bot may also send a GET request to retrieve a specific file from the server; in this case the C2 responds with the requested file.

General communication between bot and C2

Interaction with C2 includes two stages:

1st (automatic – carried out with no operator actions). It consists of:

Sending information about the OS

Receiving information about C2

Sending a request for the first command

Receiving the command with ordinal 1 and first argument “*”

Sending the request for the next command

2nd (carried out by operators). It consists of:

Sending commands to the bot

Sending files to the bot

Sending results of the executed commands to the C2

Commands – general bot functionality

Scan File System (ordinal 1)
  Arguments: Path; Minimum date; Maximum date
  Action: If "Path" is not "*", the bot collects the list of files and folders in the specified directory whose creation date lies between the specified values, together with files carrying the "Encrypted" attribute. If "Path" is "*", the whole file system is searched. In either case the search is recursive.

Run Process (ordinal 2)
  Arguments: Path to the batch or executable file; Command line arguments
  Action: The bot executes the specified batch file or application with the passed arguments.

File Presence Test (ordinal 4)
  Arguments: File name
  Action: The bot checks whether the specified file exists.

Delete File (ordinal 3)
  Arguments: File name
  Action: The bot deletes the file.

Rename File (ordinal 5)
  Arguments: Old file name; New file name
  Action: The bot renames the file.

Move File (ordinal 6)
  Arguments: Old path; New path
  Action: The bot moves the file.

Create New Config (ordinal 7)
  Arguments: Content of the new configuration
  Action: The bot writes a file with the new configuration.

Process File With Batch (ordinal 48)
  Arguments: Batch script; File path
  Action: The bot sends a GET request to the C2 to download the file named in one argument. The batch script received in the other argument is saved to a file and executed with the downloaded file's name as its parameter.

Run Batch (ordinal 49)
  Arguments: Batch script
  Action: The bot receives a BAT file and executes it.

Download File (ordinal 16)
  Arguments: File path
  Action: The bot sends a GET request to download a file, which is saved under the specified name and location.

Upload File (ordinal 17)
  Arguments: File path
  Action: The bot sends the content of the requested file in a POST message.

Download And Run Plugin (ordinal 32)
  Arguments: Plugin name; Plugin argument
  Action: The bot sends a GET request to download a plugin (DLL). The plugin is saved to the file system and loaded with the LoadLibrary API function.

Unload Plugin (ordinal 33)
  Arguments: Plugin name
  Action: The bot unloads the plugin library from memory.

Delete Plugin (ordinal 34)
  Arguments: Plugin name
  Action: The bot unloads the plugin from memory and deletes the plugin file.

Load And Run Plugin (ordinal 35)
  Arguments: Plugin name; Plugin argument
  Action: The bot loads the plugin into memory with the specified parameter.

Plugins

Unfortunately, we have been unable to obtain plugins from any C2 found in the examined Travle samples, but from analysing Travle's code we can briefly describe how they are handled.

Plugins are handled with commands 32-35. Not every analysed Travle sample is able to work with plugins.

Each plugin DLL is saved to a file and loaded with the LoadLibrary API function. The DLL should export three functions: GetPluginInfo, Starting and FreeMemory. These are invoked one after another when the plugin DLL is loaded. When Travle has to unload a plugin DLL it calls the FreeLibrary API function.

In all analysed Travle samples, plugins are saved in the same location: %TEMP%\KB887209\.
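Pulling together the indicators the article reports as constant across samples, here is an added detection example (not from the article): it checks a raw HTTP request for the fixed multipart boundary and, for this particular sample, the configured POST path, and checks a list of host file paths for the fixed drop zone, plugin directory and configuration file name under %TEMP%. The request bodies and the path list are constructed for the example; the boundary, URL path and folder names are the article's.

```python
import re

# Added example, not code from the article: indicator checks for the constants the text
# reports as shared by all Travle samples (multipart boundary, fixed %TEMP% directories,
# configuration file name) plus the analysed sample's C2 path. All inputs are constructed.

TRAVLE_BOUNDARY = b"kdncia987231875123nnm"            # same in every Travle sample seen
SAMPLE_C2_PATH = b"/zzw/ash.py"                        # specific to the analysed sample
TRAVLE_DIRS = ("\\temp\\kb287640\\", "\\temp\\kb887209\\")  # drop zone, plugin storage
TRAVLE_CONFIG = "~kb178495.dat"

_BOUNDARY_RE = re.compile(
    rb"^content-type:[^\r\n]*multipart/form-data;[^\r\n]*boundary=\"?([^\";\r\n]+)",
    re.IGNORECASE | re.MULTILINE,
)
_REQUEST_LINE_RE = re.compile(rb"^(POST|GET)\s+(\S+)\s+HTTP/1\.[01]\r?$", re.MULTILINE)


def check_http_request(raw: bytes) -> list:
    """Return the Travle indicators present in one raw HTTP request (headers only)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    findings = []
    m = _BOUNDARY_RE.search(head)
    if m and m.group(1).strip() == TRAVLE_BOUNDARY:
        findings.append("travle_multipart_boundary")
    m = _REQUEST_LINE_RE.search(head)
    if m and m.group(1) == b"POST" and m.group(2).split(b"?", 1)[0] == SAMPLE_C2_PATH:
        findings.append("sample_c2_url_path")
    return findings


def check_host_paths(paths) -> list:
    """Return paths inside Travle's fixed %TEMP% directories or naming its config file."""
    hits = []
    for p in paths:
        low = p.lower().replace("/", "\\")
        if any(d in low for d in TRAVLE_DIRS) or low.endswith("\\" + TRAVLE_CONFIG):
            hits.append(p)
    return hits


# Constructed request matching the analysed sample's C2 and the fixed boundary.
SAMPLE_REQUEST = (
    b"POST /zzw/ash.py HTTP/1.1\r\n"
    b"Host: remember123321.com\r\n"
    b"Content-Type: multipart/form-data; boundary=kdncia987231875123nnm\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
# Constructed benign multipart upload with a browser-style boundary.
BENIGN_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW\r\n"
    b"\r\n"
)
# Constructed host paths: two Travle locations and one unrelated temp file.
SAMPLE_PATHS = [
    r"C:\Users\victim\AppData\Local\Temp\KB287640\~KB178495.DAT",
    r"C:\Users\victim\AppData\Local\Temp\KB887209\plugin.dll",
    r"C:\Windows\Temp\setup.log",
]

if __name__ == "__main__":
    print(check_http_request(SAMPLE_REQUEST), check_http_request(BENIGN_REQUEST))
    print(check_host_paths(SAMPLE_PATHS))
```

The boundary is the more durable of the two network indicators, since the C2 domain and URL path are per-sample configuration while the boundary string is compiled into every sample the article describes.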

Conclusion

The actor or actors responsible for the Travle attacks have been active for the last few years, apparently unconcerned about being tracked by AV companies. Usually, modifications and new additions to their arsenal are discovered and detected quite quickly. Still, the fact that they have not really needed to change their TTPs during all these years suggests that they do not need to raise their level of sophistication to fulfil their goals. What is worse, judging by the subjects of the decoy documents, these backdoors are used primarily in the CIS region against government organizations, military entities and companies engaged in high-tech research, which indicates that even high-profile targets still have a long way to go in implementing IT security best practices that effectively resist targeted attacks.

We detect Travle samples with the following verdicts:

Trojan.Win32.Tpyn.*

Trojan.Win32.TravNet.*

Trojan-Spy.Win32.TravNet.*

HEUR:Trojan.Win32.Generic

HEUR:Trojan.Win32.TravNet.gen

HEUR:Backdoor.Win32.NetTraveler.gen

More information about the Travle APT is available to customers of the Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com



Source: Securelist - Information about Viruses, Hackers and Spam