Trojan.Siggen28.53599

Added to the Dr.Web virus database: 2024-05-31

Description added:

  • sha1: 853d6a17f0a1a4035b52699a447eeb4ad1ca6cf7

Description

A malicious program for Windows written in C++. The main functionality of the trojan is to download and manage modules received from its C2 server.

Operating routine

The trojan has a number of basic and helper structs that are initialized at startup and stored as pointers in global variables.

Basic structs:

WinAPI wrapper

The trojan uses WinAPI system functions via a wrapper struct that contains a table of functions, library pointers, library load addresses, and an anti-debugging flag.

The table contains the following functions:

  • Functions for working with WinAPI, i.e., for finding a function pointer and calling it
  • Helper functions: the ad hoc implementation of the LoadLibrary and GetProcAddress calls
  • The configuration of the input parameters for a range of functions

When launched, the trojan initializes its main struct. It does this by using a modified CRC32 algorithm to find library load addresses in the PEB_LDR_DATA system struct. The trojan uses two methods to access functions stored in the libraries:

  • Ad hoc implementation of the LoadLibrary and GetProcAddress calls

The trojan has two functions that mimic the implementation of LoadLibrary and GetProcAddress. This method is used when the trojan needs access to an API contained in a library that has not yet been loaded into the process memory.

  • Searching for libraries by their hashes in the PEB_LDR_DATA system struct

The trojan searches for the required library in the PEB_LDR_DATA struct via the InMemoryOrderModuleList list, which holds pointers to all libraries loaded into the process memory together with their names. A library is matched by comparing the hash of its name, computed with the modified CRC32 algorithm, against the hash of the requisite library name. The required function is then located in the library's export table, where function names are hashed in the same way. Both the library name and the function name are thus resolved through the modified CRC32 algorithm.

Logger struct

This is a struct whose main purpose is to generate the application log. The log contains information about errors and the step currently being executed.

System information collector struct

The main purpose of this struct is to collect system information and send it to the C2 server.

C2 server communication struct

This struct handles interaction with the C2 server. It contains a struct for working with the winhttp.dll library and information about the control server: its port, IP address and routing table.

Module and configuration struct

The main function of this struct is to manage the operation of modules and their configurations. It contains vectors that describe the modules, their configuration, and auxiliary system information.

Manager struct

The main purpose of this struct is to control program operation and ensure interaction between other structs. It holds pointers to all the other primary structs: WinAPI wrapper, logger, communication, and configuration.

Helper structs:

  • Structs for working with cryptography – SHA-1, SHA-256

  • Structs for working with auxiliary libraries: bcrypt, winhttp

  • Structs for storing various flags

Debugger evasion

When launched, the trojan also initializes 3 threads to evade debuggers:

Checking the debug registers

The trojan obtains the context of the parent thread and checks that the values of the Dr0–Dr7 registers are set to 0.

Checking for debugged environment

In the KUSER_SHARED_DATA structure, the trojan checks the first two bits in the KdDebuggerEnabled field; the value of these bits must be set to 0.

Using the NtQueryInformationProcess function, the trojan checks for the presence of a debugger by reading various parameters of the PROCESSINFOCLASS structure: ProcessDebugFlags, ProcessDebugPort, ProcessDebugObjectHandle, ProcessTlsInformation.

Checking for debugger drivers

The trojan scans the %WINDIR%\System32\drivers directory for files that indicate the presence of debugging software. It then calculates the filename hash, using the modified CRC32 algorithm, and compares the result to the blacklist hashes.

Checking for a copy of the trojan in the system

After initialization, the trojan attempts to create a mutex whose name is the Base64-encoded SHA-1 hash of the MachineGuid string value. If the attempt to acquire the mutex fails, the line "Found another agent running. Exiting..." is written to the application log and the trojan terminates.

Verifying keys and creating a handshake

The trojan checks for an existing handshake by opening a key in the "Microsoft Software Key Storage Provider" CNG key storage with the NCryptOpenKey function. The key name is the SHA-256 hash of the MachineGuid value. If no such key exists, the trojan checks whether a network connection is available; if it is, the trojan initiates the creation of the handshake:

  • A copy of the internal RSA key from the "Microsoft Software Key Storage Provider" CNG key storage is created
  • A key is received from the server
  • This key is stored in the storage under a name corresponding to the SHA-256 hash of the MachineGuid value

The trojan parses the incoming packet for a new C2 server address and port number. Once the handshake is established, the following system information is sent to the C2 server: CPU architecture, OS name, user interface type, installed application identifiers, disk information, user names, and locale.
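The single-instance mutex and the handshake key name are both derived from the host's MachineGuid, so an analyst can precompute them per host and hunt for them. The Python below is an added example, not code from this description or from the sample; the MachineGuid value is constructed, and it assumes the GUID is hashed as its plain UTF-8 text (no braces) and that the CNG key name is the hex-encoded SHA-256 digest.

```python
import base64
import hashlib
from typing import Dict

# Constructed sample value; on a real host the MachineGuid is read from
# HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid.
SAMPLE_MACHINE_GUID = "9f2b7c1e-3d4a-4b58-a6e0-1c2d3e4f5a6b"


def expected_mutex_name(machine_guid: str) -> str:
    """Mutex name as described: Base64 of the SHA-1 digest of MachineGuid.
    ASSUMPTION: the GUID string is hashed as plain UTF-8 text, no braces."""
    digest = hashlib.sha1(machine_guid.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def expected_cng_key_name(machine_guid: str) -> str:
    """CNG key name as described: SHA-256 of MachineGuid.
    ASSUMPTION: the digest is rendered as lower-case hex."""
    return hashlib.sha256(machine_guid.encode("utf-8")).hexdigest()


def host_indicators(machine_guid: str) -> Dict[str, str]:
    """Per-host artifacts to look for, all taken from this description: the
    single-instance mutex, the handshake key in the Microsoft Software Key
    Storage Provider, the log line written when a second copy starts, the
    working directory and the registry key named elsewhere on the page."""
    return {
        "mutex": expected_mutex_name(machine_guid),
        "cng_key": expected_cng_key_name(machine_guid),
        "log_marker": "Found another agent running. Exiting...",
        "directory": r"%LOCALAPPDATA%\EROCS",
        "registry_key": r"HKEY_CURRENT_USER\Software\Uninstall",
    }
```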

Basic functions

The trojan performs the following actions:

  • Loads and unloads modules
  • Sends messages to the C2 server about its operation or errors
  • Changes the configuration of modules
  • Updates the trojan body, if necessary

Module structure and configuration

A module is a dynamic library that is mapped into memory and exports the following functions:

  • Start
  • Stop
  • Configure
  • GetID
  • GetStatus
  • SetStatus
  • GetStarted
  • GetHandler
  • Destroy
  • PushErrorCMR

The module identifier indicates its function, i.e., knowing the identifier, you can determine which tasks are sent by the C2 server.

  Identifier   Purpose
  238          Inject
  27           Purpose unknown
  44           Purpose unknown

JSON with the module configuration:

{
  "triggers": [
    {
      "schedule": "",
      "process": "",
      "repetitions": "",
      "sendCmr": {
        "name": "",
        "interval": ""
      }
    }
  ]
}

Module’s execution result

After the module completes its task, it generates the following response:

{
  "CommandModuleResponse": "",
  "requestId": "",
  "moduleId": "",
  "exitCode": "",
  "info": "Error" // this field is present only if an error occurred during the module's operation; otherwise it is missing.
}

Trojan update

While in operation, the trojan checks the availability of its update flag. If this flag is set, the trojan performs a series of system checks, and, based on the results, selects one of the two update strategies. If antivirus software is detected on the compromised PC, the trojan is updated through the loading of shellcode; otherwise, it is updated using the Inject module.

Checking for antivirus software

The trojan body contains a list of hashes of antivirus program names. When scanning for antivirus software, the trojan obtains a list of processes and calculates the hashes of running applications, which are compared to the following hardcoded list:


•	msmpeng 
•	mssense 
•	avastsvc
•	dwservice
•	avp
•	nortonsecurity
•	coreserviceshell
•	avguard
•	fshoster32
•	vsserv
•	mbam
•	adawareservice
•	avgsvc
•	wrsa
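Every name comparison in this sample (library and export names in the PEB, driver filenames, and the antivirus process list above) goes through the same modified CRC32, so an analyst recovers the meaning of a hash constant by hashing candidate names and looking the constant up. The Python below is an added example, not code from this description or from the sample: the sample's modified CRC32 is not documented here, so standard CRC32 is an assumed stand-in that is swapped out via the hash_fn argument, and the lower-casing and stripping of the .exe extension are assumptions.

```python
import zlib
from typing import Callable, Dict, Iterable, List, Optional

HashFn = Callable[[str], int]


def crc32_name(name: str) -> int:
    """Stand-in hash. ASSUMPTION: the sample's modified CRC32 is not
    documented here, so standard CRC32 over the lower-cased ASCII name is
    used; replace this with the variant recovered from the sample."""
    return zlib.crc32(name.lower().encode("ascii")) & 0xFFFFFFFF


# Candidate names taken from the description: the antivirus process names
# the trojan compares against and the libraries it resolves by hash.
AV_PROCESS_NAMES: List[str] = [
    "msmpeng", "mssense", "avastsvc", "dwservice", "avp", "nortonsecurity",
    "coreserviceshell", "avguard", "fshoster32", "vsserv", "mbam",
    "adawareservice", "avgsvc", "wrsa",
]
LIBRARY_NAMES: List[str] = ["kernel32.dll", "winhttp.dll", "bcrypt.dll"]


def build_hash_table(names: Iterable[str], hash_fn: HashFn = crc32_name) -> Dict[int, str]:
    """Map hash -> name for every candidate; a collision between two
    different names would make the table ambiguous, so it is reported."""
    table: Dict[int, str] = {}
    for name in names:
        h = hash_fn(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {name!r} vs {table[h]!r} ({h:#010x})")
        table[h] = name
    return table


def resolve_hashes(hashes: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Resolve hash constants pulled from the binary; None marks a hash not
    covered by the candidate list (extend the list and rerun)."""
    return {h: table.get(h) for h in hashes}


def matching_av_processes(running: Iterable[str], hash_fn: HashFn = crc32_name) -> List[str]:
    """Defender-side replay of the antivirus check: which running process
    names hash into the hardcoded list, i.e. which hosts would push the
    trojan onto the shellcode update path. ASSUMPTION: the sample hashes
    the image name without its extension."""
    wanted = {hash_fn(n) for n in AV_PROCESS_NAMES}
    return [p for p in running if hash_fn(p.rsplit(".", 1)[0]) in wanted]
```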

Shellcode for directory removal

Input arguments: directory name

Actions performed:

  • Looks up the kernel32.dll library address in the PEB_LDR_DATA struct
  • Gets the functions needed for the shellcode's operation from the library's export table, where the library name and function names are identified by their hashes
  • Determines the path to the %LOCALAPPDATA%\EROCS\ directory
  • Overwrites with zeros and deletes all the files in the specified directory
  • Deletes the directory itself

Shellcode for restarting the trojan

Actions performed:

  • Gets the list of processes, using the NtQuerySystemInformation function (the SystemProcessInformation parameter); checks that the UniqueProcessId field is equal to 0x434F5245
  • Deletes the HKEY_CURRENT_USER\Software\Uninstall key

Self-deletion

The trojan also has a self-deletion function. It is triggered when the "deadline" registry key, which governs the trojan's lifetime and is updated whenever a new command is received from the C2 server, is set to a specific value. The trojan also starts the self-deletion procedure via WinAPI if errors are detected during the checks described above. In that case it performs the following actions:

  • Deletes its directory
  • Deletes the handshake
  • Deletes registry keys created while the trojan is in operation

Sending messages to the C2 server

The following User-Agent values are used by the trojan to send messages:

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.3
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/53
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.3

All outgoing and incoming messages are encrypted using RSA.

Treatment recommendations

  1. If the operating system can boot (in normal or safe mode), download the Dr.Web CureIt! curing utility and use it to run a full scan of your computer and of any removable media you use.
  2. If the operating system cannot boot, change your computer's BIOS settings to allow booting from a CD or a USB drive. Download the Dr.Web® LiveDisk emergency system recovery disk image or the utility for writing Dr.Web® LiveDisk to a USB drive, and prepare the corresponding medium. Boot the computer from that medium, run a full scan and cure the detected threats.