KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”

In announcing the release of the 64-bit version of Chrome last month, Google mentioned that one of the primary drivers of the move was that the majority of Windows users are now on 64-bit operating systems. The adoption rate of 64-bit Windows has been a tad slower than Microsoft initially predicted, but it has been steady, and it is evident in the support now offered by software developers. Unfortunately, attackers are following the same adoption curve with 64-bit malware.

We’ve documented several instances of malware having 64-bit versions, including a 64-bit version of ZeuS, and we’ve been seeing the same in targeted attacks. In fact, in our 2H 2013 Targeted Attack Trends report, almost 10% of all malware related to targeted attacks runs exclusively on 64-bit platforms.

KIVARS: Earlier Versions

One of the malware families we’ve found running on 64-bit systems is KIVARS. Based on our findings, early versions of this malware affect only 32-bit systems and are dropped by a malware we detect as TROJ_FAKEWORD.A (SHA1 218be0da023e7798d323e19e950174f53860da15). Note, however, that all versions of KIVARS use this dropper to install both the loader and the backdoor.

Once executed, TROJ_FAKEWORD.A drops two executable files and a password-protected MS Word document that also serves as a decoy:

  • %windows system%\iprips.dll – TROJ_KIVARSLDR
  • %windows system%\winbs2.dll – BKDR_KIVARS
  • C:\Documents and Settings\Administrator\Local Settings\Temp\NO9907HFEXE.doc – decoy document

Figure 1. TROJ_KIVARSLDR is installed as a service with an active name of “iprip”.

TROJ_KIVARSLDR will load and execute BKDR_KIVARS in memory. BKDR_KIVARS is capable of the following routines:

  • Download/upload files
  • File manipulation/execution
  • List drives
  • Uninstall malware service
  • Take screenshot
  • Activate/deactivate keylogger
  • Manipulate active windows (show, hide)
  • Trigger left, right, and double left clicks
  • Trigger keyboard input

TROJ_FAKEWORD.A uses the RTLO (right-to-left override) technique as well as an MS Word document icon to convince the user that it is just a normal document — both techniques were seen in previous campaigns such as PLEAD.

BKDR_KIVARS uses a slightly modified version of RC4 to decrypt its strings and configuration. The routine takes an extra byte parameter and checks whether this byte is greater than or equal to 80h; if so, it adds the byte to RC4’s XORed output. The same function is also used to decrypt the 10h-byte key.
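The following is an added Python model of the modified RC4 routine described above; it is not code from the post or from the malware. The modification is reconstructed from the text (add the extra byte to the XOR output when it is >= 80h), the addition being modulo 256 is an assumption, and the outer key, the 10h-byte string key and the config string are constructed sample values.

```python
def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling (KSA) followed by the PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def kivars_rc4_decrypt(key: bytes, data: bytes, extra: int) -> bytes:
    """KIVARS variant as described in the post: XOR with the keystream,
    then, only when the extra byte is >= 0x80, add that byte to each
    output byte (modulo 256 is an assumption). Below 0x80 it is plain RC4."""
    ks = rc4_keystream(key, len(data))
    add = extra if extra >= 0x80 else 0
    return bytes(((c ^ k) + add) & 0xFF for c, k in zip(data, ks))

def kivars_rc4_encrypt(key: bytes, data: bytes, extra: int) -> bytes:
    """Inverse of kivars_rc4_decrypt; used here only to build sample input."""
    ks = rc4_keystream(key, len(data))
    sub = extra if extra >= 0x80 else 0
    return bytes(((p - sub) & 0xFF) ^ k for p, k in zip(data, ks))

# Constructed sample values (not taken from the malware): an outer key, the
# 10h-byte string key that is itself stored encrypted, and one config string.
OUTER_KEY = b"outer-key-sample"
STRING_KEY = bytes(range(0x10))
CONFIG = b"herace.https443.org"
EXTRA = 0x9C  # any value >= 0x80 takes the "add" branch

def decrypt_sample_config() -> bytes:
    """Two-stage recovery, as the text describes: decrypt the 10h-byte key
    with the same routine first, then use it to decrypt the string."""
    enc_key = kivars_rc4_encrypt(OUTER_KEY, STRING_KEY, EXTRA)
    enc_cfg = kivars_rc4_encrypt(STRING_KEY, CONFIG, EXTRA)
    key = kivars_rc4_decrypt(OUTER_KEY, enc_key, EXTRA)
    return kivars_rc4_decrypt(key, enc_cfg, EXTRA)

if __name__ == "__main__":
    # With extra < 0x80 the routine must match standard RC4 (public test vector).
    assert kivars_rc4_decrypt(b"Key", bytes.fromhex("BBF316E8D940AF0AD3"), 0) == b"Plaintext"
    print(decrypt_sample_config())
```

Checking the routine against a public RC4 test vector with the extra byte below 80h is a quick way to confirm that only the add step differs from stock RC4 before using it on real samples.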

Figure 2. The decryption of the malware string.

The dropped files are initially encrypted with the single-byte XOR key 55h. The same applies to the keylogger log file, which has the file name klog.dat.

Figure 3. Decrypted klog.dat

The initial packets sent by BKDR_KIVARS are encrypted with RC4 and include the following information:

  • Victim’s IP
  • Possible Campaign ID
  • OS version
  • Hostname
  • Username
  • KIVARS version
  • Recent Document\Desktop folder
  • Keyboard Layout

Figure 4. Decrypted packet sent by BKDR_KIVARS

64-bit Support

The newer versions of KIVARS, which come in both 32-bit and 64-bit builds, show slight differences when installed on a victim’s machine. For example, the loader and the dropped backdoor payload now have random file names:

  • %Windows%system32%\{random}.dll
  • %Windows%system32%\{random}.{tlb|dat} – uses either tlb or dat as its file extension

In this version, the loader is still installed as a service and uses one of the following active service names:

  • Iprip
  • Irmon
  • ias

Earlier versions of BKDR_KIVARS only encrypt the “MZ” magic bytes of the backdoor payload. In the newer versions, the backdoor payload is encrypted using the modified RC4.

Figure 5. This code snippet shows the 64-bit loader decrypting the key for the modified RC4, the same procedure used by the early versions of the malware.

C&C Communication

The new version first sends a randomly generated packet. From this packet a key is generated, which is used to verify the C&C reply. Once the reply is verified, it sends the same RC4-encrypted information as before; the difference is that the first 4 bytes now hold the size of the information.

Figure 6. The decrypted packet from the new version.

Here are the IOCs for KIVARS:


Connections to POISON

We’ve found that the threat actors using KIVARS are also using the POISON RAT as part of this campaign. Below are some of the hashes connected to one of the C&C servers used by KIVARS:

Detection | SHA1 | C&C | IP
BKDR_POISON.VTG | 6b6ef37904e1a40e33f3fc85da9ba142863867a2 | adobeupdate.ServeUsers.com | 210.61.134.56
TROJ_POISON.BHV | defeb241b5504c56603c0fd604aea6a79975b31d | butterfly.xxuz.com | 210.61.134.56
BKDR_POISON.TUET | ad935580a5d93314f5d22f2089b8e6efeca06e18 | truecoco.REBATESRULE.NET | 210.61.134.56

With additional analysis by Ronnie Giagone

Post from: Trendlabs Security Intelligence Blog – by Trend Micro


Story added 3 July 2014.