BLACKGEAR is an espionage campaign which has targetedusers in Taiwan for many years. Multiple papers and talks have been released covering this campaign, which used the ELIRKS backdoor when it was first discovered in 2012. It is known for taking usingblogs and microblogging services to hide the location of its actual command-and-control (C&C) servers. This allows an attacker to change the C&C server used quickly by changing the information in these posts.
Like most campaigns, BLACKGEAR has evolved over time. Our research indicates that it has started targeting Japanese users.Two thingsled us to this conclusion: first, the fake documents that are used as part of its infection routines are now in Japanese. Secondly, it is now using blogging sites and microblogging services based in Japan for its C&C activity.
This post will discuss this C&C routine, the tools used in these attacks, and the connections between these tools.
C&C configuration retrieval
Figure 1. Overview of C&C configuration retrieval method
Backdoors used byBLACKGEAR share a common characteristic: they all retrieve encrypted C&C configuration information from blogs or microblogs. An attacker would register an account on these services and then create posts. The encrypted C&C information would be between two hardcoded tags, as seen below:
Figure 2. Encrypted configuration information between tags
There are two reasons BLACKGEAR would use this technique. First, the beacon traffic of the backdoor would look like normal traffic to blogs. Secondly, the threat actor would be able to quickly change the C&C servers used if these were blocked. A defender would be unable to block this change in server from reaching any affected machines unless the legitimate site was blocked as well.
Tools Used by BLACKGEAR
Figure 3. Tools used by BLACKGEAR campaign
The malware tools used by BLACKGEAR can be categorized into threecategories:binders, downloaders and backdoors. Binders are delivered by attack vectors (such as phishing and watering hole attacks) onto a machine. These, in turn, drop decoys and downloaders. The latter connect to various sites under the control of the attacker and downloads backdoors. These use persistent methods to ensure that they remain present on the affected machines to give attackers access to the machine in question.
By separating the attack tools into three stages, threat actors are able to adapt quickly. If one component is detected and/or blocked, it can be replaced without disrupting the entire toolset.
Binder
The binder (which we detect as the TROJ_BLAGFLDR family) hidesas a normal folder by changing itsicon to a folder icon. Once the victim executes it, it executes the downloader in the background, drops a decoy folder that includes fakedocuments, then delete itself.This is so the victim won’t notice that the malicious downloader has been executed.
Downloader
TSPY_RAMNY
TSPY_RAMNY is a downloader dropped by TROJ_BLAGFLDR malware. To remain persistent, it moves itself to the windows temp folder and drops a *.lnk (Windows Shortcut)file in the startup folder that points to itself. It also sends information about the compromised host (such as network settings) back to the download site.
The download link is formatted in the following format:
http://{IP address}/{folder name}/{webpage name} (Example: http://{IP address}/multi/index.html)This is done so that if someone looks solely at the URL, the download of the backdoor will appear to be an ordinary website.
TSPY_YMALRMINI
TSPY_YMALRMINI is another downloader that is dropped by TROJ_BLAGFLDR malware, which also sends information about compromised hosts back to the download site. We were unable to determine which payloads were used by this downloader.However, our research indicates that some of these downloads are saved as drWaston.exe on the compromised host. This same file name is also used by some ELIRKS variants, indicating a possible connection. TSPY_YMALRMINI uses the same URL format as RAMNY.
TSPY_YMALRMINI has the same download link pattern as TSPY_RAMNY.The family name for this malware is because some variants have the PDB string“C:\toolson-mini\YmailerCreater Debug\Binder\Binder\YMailer.pdb”. In addition, these variants also create a log file named YmailerMini.log .
Backdoors
BKDR_ELIRKS
BKDR_ELIRKS was the first family of backdoors tied to BLACKGEAR. It retrieves encrypted C&C configuration information from various blogging or microblogging services. Once decoded, it connects to these C&C servers and waits for commands given by a threat actor.To remain persistent, it moves itself to the Windows temp folder and drops a *.lnk (Windows Shortcut)file in the startup folder that points to itself.
Its backdoor routines include getting information from the compromised host, downloading and running files, taking screenshots, and opening a remote shell.
BKDR_YMALR
BKDR_YMALR is a backdoor written using the .NET framework which is also known as LOGEDRUT. The detection name comes from a log file created by this malware family named YMailer.log . Its behavior is similar to ELIRKS both in terms of C&C information retrieval and available commands to a threat actor.
Encryption and Decryption
BKDR_ELIRKS
Reverse analysis of ELIRKS allowed us to determine how to decrypt the C&C information, which is done in the following python code:
#! /usr/bin/env pythonfrom ctypes import *
def decipher(v, k):
y=c_uint32(v[0])
z=c_uint32(v[1])
sum=c_uint32(0xC6EF3720)
delta=c_uint32(0x61C88647)
n=32
w=[0,0]
while(n>0):
z.value -= (y.value + sum.value) ^ (y.value * 16 + k[2]) ^ (( y.value >> 5 ) + k[3])
y.value -= (z.value + sum.value) ^ (z.value * 16 + k[0]) ^ (( z.value >> 5 ) + k[1])
sum.value += delta.value
n -= 1
w[0]=y.value
w[1]=z.value
return w
if __name__ == '__main__':
key = [0x8F3B39F1, 0x8D3FBD96, 0x473EAA92, 0x502E41D2]
ciphertext = [ciphertext1, ciphertext2] # you can input cipher text here
res = decipher(ciphertext, key)
plaintext = "%X" % (res[0])
c4 = str(int("0x"+plaintext[6:8],16))
c3 = str(int("0x"+plaintext[4:6],16))
c2 = str(int("0x"+plaintext[2:4],16))
c1 = str(int("0x"+plaintext[:2],16))
print c4+"."+c3+"."+c2+"."+c1
The malware contains shellcode with two things: the URL of the blog entry and the tags that identify where in the fake articles the hidden C&C information is located. Once the fake blog/microblog posts are downloaded, the malware finds and decrypts the C&C information.
The C&C information is stored in the post in two short bits of text. The first is an eight-character string that is decoded into a six-byte hexadecimal value. The second is a two-character string which is already in a hexadecimal format, and is concatenated towards the end. A modified version of the TEA algorithm decrypts these into the C&C server locations.
Figure 4. BKDR_ELIRKS decryption algorithm
BKDR_YMALR
BKDR_YMALR implements the same behavior
