Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
In early February, the eSentire Threat Response Unit (TRU) identified a malicious backdoor disguised as Synaptics.exe (MD5: 54efba3a1e800e0a0cccddc7950476c646935d28), which was detected and quarantined by eSentire MDR. Synaptics (Synaptics Pointing Device Driver) is a software that enables the functionality of touchpads on laptops and other devices.
The backdoor, known as “XRed,” has been in existence since at least 2019. This article highlights the identification of the XRed backdoor, its delivery using trojanized software, and notable persistence and propagation capabilities.
While doing additional research on the backdoor, we found a Twitter post from 2020 by The DFIR Report mentioning the backdoor, attributing it to njRAT (Figure 1). Considering that njRAT is written in C#, we decided to look further to confirm the accuracy.
Upon further investigation, it was determined that the malicious binary we received originated from a file named “Windows InstantView.exe”. Although the file itself could not be retrieved from the host system, we identified several similar samples on VirusTotal.
Windows InstantView.exe is developed by SiliconMotion (the company that specializes in creating NAND flash controllers for SSDs and various solid-state storage devices) and comes with some USB docks.
Interestingly enough, we found a review on Amazon on one of the USB-C hub products being sold, as shown in Figure 2. The user reported that the binary was flagged by Symantec AV with W32.Zorex and Backdoor.Graybird signatures.
We found a malicious sample named “Windows InstantView.exe” (MD5: 8fe9734738d9851113a7ac5f8f484d29) on VirusTotal with the mentioned signature (Figure 3).
The trojanized “Windows InstantView.exe” is not signed and has “Synaptics Pointing Device Driver” for Product and Description names (Figure 4).
The legitimate binary is signed by Silicon Motion, as shown in Figure 5.
Upon executing the trojanized binary, it downloads the legitimate copy of InstantView.exe from siliconmotion[.]com and launches it as a decoy (Figures 6-7).
The trojanized version of Windows InstantView.exe drops Synaptics.exe payload under C:ProgramDataSynaptics that we have mentioned earlier. The folder was hidden to ensure stealthiness (Figure 7).
The payload is embedded within the trojanized binary. The persistence is achieved via the Registry Run Key (HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun) with the value name “Synaptics Pointing Device Driver” and value data “C:ProgramDataSynapticsSynaptics.exe”.
Let’s look at Synaptics.exe binary, which is the XRed backdoor. The binary will terminate if the mutex “Synaptics2X” is found, which means only one instance of the binary can be run (Figure 8).
The payload contains the functionality to retrieve additional payload from the URLs that can be hardcoded in the binary as shown in Figure 8. The URLs are currently down.
The resource “EXEVSNX” contains the version of the payload, which is 106 (Figure 11).
XRed collects system information, including the MAC address, username, and computer name, and transmits this data to the attacker using SMTP to email addresses shown in Figure 12. Additionally, the backdoor features keylogging functionality through keyboard hooking, as illustrated in Figure 13, with key mappings detailed in Figure 14.
The following remote commands can be executed from attacker’s server (Figure 15):
- GetCMDAccess – obtaining command prompt access.
- GetScreenImage – capture screenshot.
- ListDisk – list existing disks.
- ListDir – list directories.
- DownloadFile – download remote file.
- DeleteFile – delete file.
The XRed backdoor also possesses worm-like USB propagation capabilities. It verifies the presence of an “autorun.inf” file on any inserted drive; if absent, it generates the file and includes the following:
[autorun] open=Synaptics.exe shellexecute= Synaptics.exe
The autorun.inf file is designed to automatically execute the specified payload when the USB drive is inserted into a computer. This behavior leverages the AutoRun feature that was more prominently used in older versions of Windows to launch programs automatically from removable media.
The presence of both open=Synaptics.exe and shellexecute=Synaptics.exe commands in an autorun.inf file indicates an intention to execute system.exe automatically.
It’s also worth mentioning that the backdoor has an embedded password-protected VBA script. The script creates a copy of already existing XLSM files on the disk and injects the malicious VBA code into them. The malicious VBA script disables security warnings for VBA macros via the registry, as shown in Figure 16.
The script then copies Synaptics.exe from %USERPFORILE%/Synaptics and places it under the directory where the legitimate XLSM file exists with a hidden file attribute under the “~$cache1” name (Figure 17).
If none of the specified files are found locally (Figure 18), the macro attempts to download a file from one of the provided URLs (Figure 19). At the moment of writing this article, all of the URLs are offline.
We assess with high confidence that the developer of the backdoor is a native Turkish speaker, as evidenced by the presence of the Turkish language within the code. We also found multiple payloads potentially related to the same malware developer, you can access the indicators in the Indicators of Compromise section.
What did we do?
What can you learn from this TRU Positive?
- The case illustrates the complexity of initial infection methods, such as the trojanized “Windows InstantView.exe” file, emphasizing the importance of scrutinizing software sources.
- It highlights the necessity for organizations to implement robust security measures to scan and authenticate the legitimacy of all software installations, especially those that come bundled with hardware components or are downloaded from the internet.
- The backdoor’s method of dropping a malicious payload while simultaneously downloading and executing a legitimate file as a decoy showcases deception techniques used by malware developers.
- The use of hidden directories and Registry Run Keys for persistence, along with the creation of autorun.inf files for USB propagation, demonstrates the malware’s intention to move laterally, remain undetected and maintain long-term access to the infected systems. This emphasizes the importance of regular system audits, including registry and startup items checks, to detect and remove unauthorized persistence mechanisms.
- The malware’s use of autorun.inf to exploit the AutoRun feature in older versions of Windows for USB propagation points to the continued relevance of securing older systems and disabling legacy features that can be abused for malware spread. It highlights the need for comprehensive security policies that include disabling unnecessary legacy features on modern systems.
- The embedded password-protected VBA script that manipulates existing XLSM files and injects malicious code while disabling security warnings showcases the use of social engineering tactics by attackers. This reinforces the importance of continuous user education and awareness programs to recognize and avoid suspicious files and activities, reducing the risk of malware infection through social engineering tactics.
Recommendations from our Threat Response Unit (TRU):
- Configure Microsoft Office’s Trust Center settings to disable all macros with notifications or to only allow macros from trusted locations. This minimizes the risk of malicious macro execution.
- For organization-wide settings, use Group Policy templates for Office to manage macro settings, ensuring that macros are disabled or strictly controlled across all user workstations.
- Ensure that all endpoints are protected with up-to-date antivirus software or an Endpoint Detection and Response (EDR) tool capable of detecting and blocking known USB worms and other malware.
- Educate users about the risks associated with USB drives and the potential dangers of enabling macros in documents.
- Regularly conduct Phishing and Security Awareness Training (PSAT) sessions to inform users about the latest tactics used by attackers, such as USB worm propagation and malicious macros.
Detection Rules
You can access the detection rules here.
Indicators of Compromise
You can access the indicators of compromise here.
References
Source: Original Post