BLYPT: A New Backdoor Family Installed via Java Exploit

Recently, we have observed a new backdoor family which we’ve called BLYPT. This family is called BLYPT because of its use of binary large objects (blobs) stored in the registry, as well as encryption. Currently, this backdoor is installed using Java exploits; either drive-by downloads or compromised web sites may be used to deliver these exploits to user systems. This affects unsupported Java 6 users, meaning they’re at extreme risk since no patch will be available. Our research shows that the servers behind these attacks are mainly centered in Romania and Turkey.

Currently, this threat is primarily hitting users in the United States; however it seems that consumers (as opposed to businesses) are the most affected.

Arrival and Installation

In one case, we found a Java exploit that was used to spread this attack. This particular exploit, detected as JAVA_EXPLOYT.HI, can be used to run arbitrary code. It exploits a vulnerability, CVE-2013-1493, that has been exploited since February 2013. It was patched in March.

The exploit is used to download an installer (saved as ~tmp{random values}.tmp), which is responsible for downloading and installing the main BLYPT component onto the affected system. It is named logo32.png or logo64.png, depending on whether the user is running a 32-bit or 64-bit version of Windows, respectively. The installer attempts to connect to three servers every 3 seconds, until it successfully downloads the backdoor component. If it fails, it will retry up to 32 times before it gives up.

We have identified two BLYPT variants, which can be identified based on the file name used to save the main BLYPT component. In both cases, they are saved in the %App Data%\Microsoft\Crypto\RSA directory. One variant is saved as NTCRYPT{random values}.TPL; the second variant is saved as CERTV{random values}.TPL. Both variants have 32- and 64-bit versions, and their behavior is mostly identical. (We detect these variants as BKDR_BLYPT.A, BKDR_BLYPT.B and BKDR64_BLYPT.B.)

Figure 1. Infection diagram for BKDR_BLYPT

One difference between the two is where their C&C server information is stored. The NTCRYPT{random values}.TPL variants do not actually contain any C&C information on their own; the installer instead saves C&C information in the registry that the BLYPT backdoor uses. The CERTV{random values}.TPL variants have their C&C server information embedded in the file itself. In both cases, the C&C information is stored in the registry under the HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\5A82739996ED9EBA18F1BBCDCCA62D2C1D670C\Blob key.

While the C&C server information is stored in the same key, their formatting is different. For the first variant, once decoded, the information is in plain text and in the following format:

<ip1>#:<port1>#:#:<server page1>#;<ip2>#:<port2>#:#:<server page2 >#;<ipN>#:<portN>#:#:<server pageN>#;

The second variant stores its information in binary format, and once decoded has the following format:

// Packed 6-byte records: no padding between the DWORD and the WORD
#pragma pack(push, 1)
typedef struct
{
    DWORD ip;    // IPv4 address of the C&C server
    WORD  port;  // TCP port
} cncServer;
#pragma pack(pop)

cncServer cncList[];  // one entry per C&C server, stored back to back

Raw data format example:
<(DWORD)ip1><(WORD)port1><(DWORD)ip2><(WORD)port2>...<(DWORD)ipN><(WORD)portN>

Both variants encrypt their information using ARC4 (Alleged RC4) and use “http://microsoft.com” as the decryption key.
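As an added example (not code from the original post or from Trend Micro), the following decoder applies the RC4 key above to a registry Blob value and parses both variant layouts described earlier. The byte order of the binary fields, the helper names and the sample addresses are assumptions made for this example.

```python
import struct

# Assumption taken from the write-up: both variants use this string as the RC4 key.
RC4_KEY = b"http://microsoft.com"

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (ARC4); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def parse_text_config(plain: bytes) -> list:
    """NTCRYPT variant: '<ip>#:<port>#:#:<page>#;' records in plain text."""
    servers = []
    for rec in plain.decode("ascii").split("#;"):
        if rec:  # the trailing '#;' leaves an empty final record
            ip, port, _, page = rec.split("#:")
            servers.append((ip, int(port), page))
    return servers

def parse_binary_config(plain: bytes) -> list:
    """CERTV variant: packed {DWORD ip; WORD port} entries, 6 bytes each.
    Assumption: ip bytes are in in_addr memory order, port is little-endian."""
    servers = []
    for off in range(0, len(plain) - len(plain) % 6, 6):
        ip = ".".join(str(b) for b in plain[off:off + 4])
        port = struct.unpack_from("<H", plain, off + 4)[0]
        servers.append((ip, port))
    return servers

def decode_blob(blob: bytes, binary: bool) -> list:
    """Decrypt a registry Blob value and parse it for the given variant."""
    plain = rc4(RC4_KEY, blob)
    return parse_binary_config(plain) if binary else parse_text_config(plain)

# Constructed sample blobs (RFC 5737 documentation addresses), not real IoCs.
SAMPLE_TEXT_BLOB = rc4(RC4_KEY, b"203.0.113.5#:8080#:#:/index.aspx#;198.51.100.7#:443#:#:/gate.aspx#;")
SAMPLE_BIN_BLOB = rc4(RC4_KEY, bytes([203, 0, 113, 5]) + struct.pack("<H", 8080)
                      + bytes([198, 51, 100, 7]) + struct.pack("<H", 443))
```

On a real system the Blob value would be exported from the registry key named above and passed to decode_blob; the parsed servers are the indicators to block or hunt for.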

One more note about the installer: it provides instant feedback on the status of the install by accessing a URL on the malicious server, which actually serves as a status report. The URL would be: http://{malicious server}/index.aspx?info=<status keyword>. The status keyword can be any of the following:

  • startupkey_%d where %d = RegCreateKeyW return
  • reuse
  • configkey_%d where %d = RegCreateKeyA return
  • configkeyvalue_%d where %d = RegSetValueExA return
  • tserror_4_%d where %d = GetLastError from call to connect
  • createproc_%d where %d = GetLastError from call to CreateProcessW
  • reusereboot_%d_%d_%d
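Because the installer reports its progress through a fixed URL shape, those status keywords are a usable detection on web proxy logs. The following is an added example (not from the original post or from Trend Micro) that scans constructed proxy log lines for the index.aspx?info= report and extracts the keyword and its numeric fields; the log line format is an assumption.

```python
import re

# Status keywords listed for the BLYPT installer; longer alternatives come first so
# "reusereboot" and "configkeyvalue" are not cut short by "reuse" / "configkey".
STATUS_RE = re.compile(
    r"/index\.aspx\?info=(?P<kw>reusereboot|reuse|configkeyvalue|configkey|"
    r"startupkey|tserror_4|createproc)(?P<args>(?:_-?\d+)*)\b")

def classify_status(url: str):
    """Return (keyword, [numeric fields]) if the URL is a BLYPT install report, else None."""
    m = STATUS_RE.search(url)
    if not m:
        return None
    args = [int(x) for x in m.group("args").split("_") if x]
    return m.group("kw"), args

def scan_proxy_log(lines):
    """Assumed line format: '<client> <destination> <url>'. Returns one hit per report."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        res = classify_status(parts[2])
        if res:
            hits.append((parts[0], parts[1], res[0], res[1]))
    return hits

# Constructed sample log lines using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "10.0.0.12 203.0.113.9 http://203.0.113.9/index.aspx?info=startupkey_0",
    "10.0.0.12 203.0.113.9 http://203.0.113.9/index.aspx?info=tserror_4_10061",
    "10.0.0.15 198.51.100.20 http://198.51.100.20/news/index.aspx?id=7",
    "10.0.0.12 203.0.113.9 http://203.0.113.9/index.aspx?info=reusereboot_1_2_3",
]
```

Repeated reports from one client with tserror_4 values, followed by createproc, show the installer retrying its download loop and then launching the backdoor.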

C&C Server Attribution

By decoding the configuration files used by this malware, we were able to determine the distribution of the C&C servers used by this threat, as seen in the chart below:

Figure 2. Location of BLYPT C&C Servers

Other Behavior

In addition to the C&C info mentioned earlier, BLYPT stores other information in the registry in the form of embedded “blobs”. These are as follows:

Table 1. Blobs used by BLYPT

As a backdoor, BLYPT also allows an attacker to send commands to an affected system. Among the commands that can be executed are:

  • Receive updated DLL binary
  • Receive updated configuration
  • Receive HTTP request commands, such as:
    • Send GET request to http://103.31.186.19:1000/FetchIP.aspx to retrieve public IP of affected machine

Trend Micro Smart Protection Network protects users from this threat by blocking the related sites and detecting the malware. In addition, Deep Discovery protects users by detecting the downloaded files from the malicious C&C servers, while Deep Security covers the related vulnerability via DPI rule 1005410 – Oracle Java Runtime Environment Remote Code Execution Vulnerability (CVE-2013-1493).


With additional information from Darin Dutcher and Jayronn Christian Bucu. 

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 20 September 2013.