Recently, AhnLab SEcurity intelligence Center (ASEC) confirmed the distribution of Rhadamanthys malware disguised as a groupware installation program. The attacker created a fake site similar to the real site and used the advertising function of the search engine to expose it to users and distribute it. The distribution of malware using the advertising function of search engines was recently reported on the ASEC blog ‘“No, it wasn’t here?” This was discussed in ‘Spreading malware by abusing Google’s advertising tracking function’ [1] .
The malware uses an indirect syscall technique to avoid detection by security solution products. User mode hooking used by anti-virus and analysis programs can be bypassed through indirect syscall.
Figure 1. Call flow comparison
Generally, when calling the ReadFile() API from an executable file, the kernel32.dll, kernelbase.dll, and ntdll.dll modules are called internally in order, and the necessary arguments and 0x6, the system call number of NtReadFile, are stored in the register to call the syscall. do.
In the general native API call process as above, the stub code and system call number are stored in a register in ntdll and then a syscall is called. On the other hand, in the indirect syscall technique used in the Rhadamanthys malware, the stub code and system call number are directly stored in a register, and then the syscall is called from the ntdll memory area by branching to the address where the syscall instruction is located in the ntdll.dll area.
The Rhadamanthys malware directly reads c:\windows\system32\ntdll.dll, a normal Windows file, and maps the unhooked ntdll.dll to memory. To avoid detection, using ntdll.dll mapped directly to memory, the necessary stub code and system call number are stored directly in the register and branched to the syscall address of the actual loaded ntdll module.
The malware evades detection using the above method and injects dialer.exe in the %system32% path, which is a normal Windows system program. The injection target process confirmed through malicious code distributed in a similar form is as follows.
- %system32%\dialer.exe
- %system32%\openwith.exe
- %system32%\dllhost.exe
- %system32%\rundll32.exe
The injected process is re-injected into the normal program in the “C:\Program Files\Windows Media Player\” path and executed. The confirmed injection target program names are as follows.
Injection target program
● C:\Program Files\Windows Media Player\wmpshare.exe
● C:\Program Files\Windows Media Player\wmpnscfg.exe
The Rhadamanthys malware ultimately performs infostealer actions that steal user information from the PC.
[MDS product detection]
AhnLab MDS detects this type of malicious code with the diagnostic name “Injection/MDP.Event.M10231” in a sandbox environment.
Attackers sometimes spread malware through phishing emails or fake sites disguised as normal sites. When malicious code is distributed like this, it is easy for users to execute the malicious code without suspicion, and in the case of Infostealer malicious code in particular, it is difficult for users to even recognize the fact that they have been infected.
Ahnlab MDS, a sandbox-based file analysis solution, analyzes actions that occur after executing files in a virtual environment. Not only known malicious codes, but also unknown malicious codes created by the attacker in APT attacks ultimately perform information theft actions during the execution process. AhnLab MDS detects such information theft activities, allowing administrators to recognize attacks and block the attacker’s next attack in advance.
[IOC]
[MD5]
9437c89a5f9a51a4ff6d6076083fa6c9
[C2]
147.124.220[.]237:8123
[File Diagnosis]
Trojan/Win.Malware-gen.R637934 (2024.03.08.00)
[Behavior Diagnosis]
Injection/MDP.Event.M10231
Source : https://asec.ahnlab.com/ko/63412/
MITRE TTP :
Initial Access (TA0001):
- Drive-by Compromise (T1189): The attacker creates a fake site similar to a legitimate site and uses the search engine’s advertising function to expose users to the malicious site.
Execution (TA0002):
- User Execution (T1204): Users are tricked into executing the malware by visiting the fake site and downloading the disguised groupware installation program.
Defense Evasion (TA0005):
- Obfuscated Files or Information (T1027): The indirect syscall technique can be considered a form of obfuscation, as it hides the true intent of the system calls from security monitoring tools.
- Process Injection (T1055): By branching to the syscall address in the ntdll.dll area, the malware may inject code into a legitimate process, thereby evading detection.
- Process Injection (T1055): The malware injects malicious code into legitimate Windows system programs such as dialer.exe, openwith.exe, dllhost.exe, and rundll32.exe.
- Masquerading (T1036): The malware disguises itself as a legitimate groupware installation program and injects its payload into normal programs in the “C:\Program Files\Windows Media Player” path.
Persistence (TA0003):
- Create or Modify System Process (T1543): The malware establishes persistence by utilizing SystemV or SystemD startup scripts and injecting its code into system processes.
Collection (TA0009):
- Input Capture (T1056): As an infostealer, Rhadamanthys malware is likely to capture user input, including credentials and other sensitive information.
Command and Control (TA0011):
- Commonly Used Port (T1043): The malware communicates with its C2 server using a commonly used port (8123).
- Standard Application Layer Protocol (T1071): The malware communicates with its C2 server over TCP or UDP.
Indicator Removal on Host (TA0005):
- File Deletion (T1070.004): The malware may delete files or modify timestamps to avoid detection.
Exfiltration (TA0010):
- Data Encrypted (T1022): Stolen data may be encrypted before being exfiltrated to the C2 server.