Bibliothèque
Ma bibliothèque

+ Ajouter à la bibliothèque

Contacter-nous !
Support 24/24 | Rules regarding submitting

Nous téléphoner

0 825 300 230

Forum

Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -

Nous téléphoner

0 825 300 230

Profil

Trojan.Siggen28.53599

Added to the Dr.Web virus database: 2024-05-31

Virus description added:

  • sha1: 853d6a17f0a1a4035b52699a447eeb4ad1ca6cf7

Description

A malicious program for Windows written in C++. The main functionality of the trojan is to download and manage modules received from its C2 server.

Operating routine

The trojan has a number of basic and helper structs that are initialized at startup and stored as pointers in global variables.

Basic structs:

WinAPI wrapper

The trojan uses WinAPI system functions via a wrapper struct that contains a table of functions, library pointers, library load addresses, and an anti-debugging flag.

The table contains the following functions:

  • Functions for working with WinAPI, i.e., for finding a function pointer and calling it
  • Helper functions—the ad hoc implementation of the LoadLibrary and GetProcAddress calls
  • The configuration of the input parameters for a range of functions

When launched, the trojan initializes its main struct. It does this by using a modified CRC32 algorithm to find library load addresses in the PEB_LDR_DATA system struct. The trojan uses two methods to access functions stored in the libraries:

  • Ad hoc implementation of the LoadLibrary and GetProcAddress calls

The trojan has two functions that mimic the implementation of LoadLibrary and GetProcAddress. This method is used when the trojan needs access to an API contained in a library that has not yet been loaded into the process memory.

  • Searching for libraries by their hashes in the PEB_LDR_DATA system struct

The trojan searches for a required library in the PEB_LDR_DATA struct, using the InMemoryOrderModuleList list, which contains pointers to all the libraries loaded into the process memory and their names. The library name is matched by comparing the hash value generated using the modified CRC32 algorithm with the requisite library name. Next, the required library function is found in the table of exported library functions, in which case the function names are hashed in the same way. The library name and function are read using the modified CRC32 algorithm.

Logger struct

This is a struct whose main purpose is to generate the application log. The log contains information about errors and the step currently being executed.

System information collector struct

The main purpose of this struct is to collect system information and send it to the C2 server.

C2 server communication struct

This struct ensures the interaction with the C2 server. It contains a struct for working with the winhttp.dll library and information about the control server: the port, IP address and routing table.

Module and configuration struct

The main function of this struct is to manage the operation of modules and their configurations. It contains vectors that describe the modules, their configuration, and auxiliary system information.

Manager struct

The main purpose of this struct is to control program operation and ensure interaction between other structs. It holds pointers to all the other primary structs: WinAPI wrapper, logger, communication, and configuration.

Helper structs:

  • Structs for working with cryptography – SHA-1, SHA-256

  • Structs for working with auxiliary libraries: bcrypt, winhttp

  • Structs for storing various flags

Debugger evasion

When launched, the trojan also initializes 3 threads to evade debuggers:

Checking the debug registers

The trojan obtains the context of the parent thread and checks that the values of the Dr0–Dr7 registers are set to 0.

Checking for debugged environment

In the KUSER_SHARED_DATA structure, the trojan checks the first two bits in the KdDebuggerEnabled field; the value of these bits must be set to 0.

Using the NtQueryInformationProcess function, the trojan checks for the presence of a debugger by reading various parameters of the PROCESSINFOCLASS structure: ProcessDebugFlags, ProcessDebugPort, ProcessDebugObjectHandle, ProcessTlsInformation.

Checking for debugger drivers

The trojan scans the %WINDIR%\System32\drivers directory for files that indicate the presence of debugging software. It then calculates the filename hash, using the modified CRC32 algorithm, and compares the result to the blacklist hashes.

Checking for a copy of the trojan in the system

After initialization, the trojan attempts to create a mutex which is a Base64 SHA-1 encoded hash of the MachineGuid string value. If the attempt to capture the mutex fails, the line "Found another agent running. Exiting..." is written to the application log and the trojan is terminated.

Verifying keys and creating a handshake

The trojan checks for an existing handshake. This is done by accessing the key in the "Microsoft Software Key Storage Provider" CNG key storage, using the NCryptOpenKey function. The key name is a SHA-256 hash of the MachineGuid value. If such a key does not exist, the availability of the network connection is checked: if the connection is established, the trojan initiates the creation of the handshake:

  • A copy of the RSA internal key from the “Microsoft Software Key Storage Provider” CNG key storage is created
  • A key is received from the server
  • This key is stored in the storage with a name corresponding to the SHA-256 hash of the MachineGuid value.

The trojan parses the incoming packet for a new C2 server address and port number. Once the handshake is established, the following system information is sent to the C2 server: CPU architecture, OS name, user interface type, installed application identifiers, disk information, user names, and locale.

Basic functions

The trojan performs the following actions:

  • Loads and unloads modules
  • Sends messages to the C2 server about its operation or errors
  • Changes the configuration of modules
  • Updates the trojan body, if necessary

Module structure and configuration

A module is a dynamic library that is projected into the memory and has the following exportable functions:


Start
Stop
Configure
GetID
GetStatus
SetStatus
GetStarted
GetHandler
Destroy
PushErrorCMR

The module identifier indicates its function, i.e., knowing the identifier, you can determine which tasks are sent by the C2 server.

Identifier Purpose
238 Inject
27 Purpose unknown
44 Purpose unknown

JSON with module configuration


{
  "triggers": [
    {
      "schedule": "",
      "process": "",
      "repetitions": "",
      "sendCmr": {
        "name": "",
        "interval": ""
      }
    }
  ]
}

Module’s execution result

After the module completes its task, it generates a response


{
  "CommandModuleResponse": "",
  "requestId": "",
  "moduleId": "",
  "exitCode": "",
  "info": "Error" //this field is only shown if there was an error in the module’s operation; otherwise this field is missing.
}

Trojan update

While in operation, the trojan checks the availability of its update flag. If this flag is set, the trojan performs a series of system checks, and, based on the results, selects one of the two update strategies. If antivirus software is detected on the compromised PC, the trojan is updated through the loading of shellcode; otherwise, it is updated using the Inject module.

Checking for antivirus software

The trojan body contains a list of hashes of antivirus program names. When scanning for antivirus software, the trojan obtains a list of processes and calculates the hashes of running applications, which are compared to the following hardcoded list:


•	msmpeng 
•	mssense 
•	avastsvc
•	dwservice
•	avp
•	nortonsecurity
•	coreserviceshell
•	avguard
•	fshoster32
•	vsserv
•	mbam
•	adawareservice
•	avgsvc
•	wrsa

Shellcode for directory removal

Input arguments: directory name

Actions performed:

  • Looks up the kernel32.dll library address in the PEB_LDR_DATA struct
  • Gets the functions for the shellcode’s operation from the library export results, where the library name and function names are determined by their hashes
  • Determines the path to the %LOCALAPPDATA%\EROCS\ directory
  • Overwrites with zeros and deletes all the files in the specified directory
  • Deletes the directory itself

Shellcode for restarting the trojan

Actions performed:

  • Gets the list of processes, using the NtQuerySystemInformation function (the SystemProcessInformation parameter); checks that the UniqueProcessId field is equal to 0x434F5245
  • Deletes the HKEY_CURRENT_USER\Software\Uninstall key

Self-deletion

The trojan also has a self-deletion function that is triggered when the “deadline” registry key, which is responsible for the trojan lifetime and is updated when a new command from the C2 server is received, is set to a specific value. The trojan also initiates the self-deletion procedure, using WinAPI if errors are detected during the above checks. In this case, it performs the following actions:

  • Deletes its directory
  • Deletes the handshake
  • Deletes registry keys created while the trojan is in operation

Sending messages to the C2 server

The following User-Agent values are used by the trojan to send messages:


Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.3
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/53
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.3

All outgoing and incoming messages are encrypted using RSA.

Recommandations pour le traitement

  1. Si le système d'exploitation peut être démarré (en mode normal ou en mode sans échec), téléchargez Dr.Web Security Space et lancez un scan complet de votre ordinateur et de tous les supports amovibles que vous utilisez. En savoir plus sur Dr.Web Security Space.
  2. Si le démarrage du système d'exploitation est impossible, veuillez modifier les paramètres du BIOS de votre ordinateur pour démarrer votre ordinateur via CD/DVD ou clé USB. Téléchargez l'image du disque de secours de restauration du système Dr.Web® LiveDisk ou l'utilitaire pour enregistrer Dr.Web® LiveDisk sur une clé USB, puis préparez la clé USB appropriée. Démarrez l'ordinateur à l'aide de cette clé et lancez le scan complet et le traitement des menaces détectées.

Veuillez lancer le scan complet du système à l'aide de Dr.Web Antivirus pour Mac OS.

Veuillez lancer le scan complet de toutes les partitions du disque à l'aide de Dr.Web Antivirus pour Linux.

  1. Si votre appareil mobile fonctionne correctement, veuillez télécharger et installer sur votre appareil mobile Dr.Web pour Android. Lancez un scan complet et suivez les recommandations sur la neutralisation des menaces détectées.
  2. Si l'appareil mobile est bloqué par le Trojan de la famille Android.Locker (un message sur la violation grave de la loi ou la demande d'une rançon est affiché sur l'écran de l'appareil mobile), procédez comme suit:
    • démarrez votre Smartphone ou votre tablette en mode sans échec (si vous ne savez pas comment faire, consultez la documentation de l'appareil mobile ou contactez le fabricant) ;
    • puis téléchargez et installez sur votre appareil mobile Dr.Web pour Android et lancez un scan complet puis suivez les recommandations sur la neutralisation des menaces détectées ;
    • Débranchez votre appareil et rebranchez-le.

En savoir plus sur Dr.Web pour Android