KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”
In announcing the release of the 64-bit version of Chrome last month, Google mentioned that one of the primary drivers of the move was that the majority of Windows users are now on 64-bit operating systems. The adoption rate of 64-bit Windows has been a tad slower than Microsoft initially predicted, but it has been steady, and it is evident in the support now offered by software developers. Unfortunately, we have been seeing the same adoption on the attackers' side, in the form of 64-bit malware.
We've documented several instances of malware having 64-bit versions, including a 64-bit version of ZeuS, and we've been seeing the same in targeted attacks. In fact, in our 2H 2013 Targeted Attack Trends report, almost 10% of all malware related to targeted attacks ran exclusively on 64-bit platforms.
KIVARS: Earlier Versions
One of the malware families we've found running on 64-bit systems is KIVARS. Based on our findings, early versions of this malware affect only 32-bit systems and are dropped by a malware we detect as TROJ_FAKEWORD.A (SHA1 218be0da023e7798d323e19e950174f53860da15). Note, however, that all versions of KIVARS use this dropper to install both the loader and the backdoor.
Once executed, TROJ_FAKEWORD.A drops two executable files and a password-protected MS Word document, which also serves as a decoy:
- %windows system%\iprips.dll – TROJ_KIVARSLDR
- %windows system%\winbs2.dll – BKDR_KIVARS
- C:\Documents and Settings\Administrator\Local Settings\Temp\NO9907HFEXE.doc – decoy document
Figure 1. TROJ_KIVARSLDR is installed as a service with an active name of “iprip”.
TROJ_KIVARSLDR will load and execute BKDR_KIVARS in memory. BKDR_KIVARS is capable of the following routines:
- Download/upload files
- File manipulation/execution
- List drives
- Uninstall malware service
- Take screenshot
- Activate/deactivate keylogger
- Manipulate active windows (show, hide)
- Trigger left, right, and double left click
- Trigger keyboard input
TROJ_FAKEWORD.A uses the right-to-left override (RTLO) technique as well as an MS Word document icon to convince the user that it is just a normal document; both techniques were seen in previous campaigns such as PLEAD.
BKDR_KIVARS uses a slightly modified version of RC4 to decrypt its strings and configuration. The routine takes an extra byte parameter and checks whether this byte is greater than or equal to 80h; if so, it adds the byte to RC4's XOR'ed output. The same function is also used to decrypt the 10h-byte key.
Figure 2. The decryption of the malware string.
The dropped files are initially encrypted using the XOR key 55h. The same goes for the keylogger log file, klog.dat.
Figure 3. Decrypted klog.dat
The initial packets sent by BKDR_KIVARS are encrypted with RC4. They include the following information:
- Victim’s IP
- Possible Campaign ID
- OS version
- Hostname
- Username
- KIVARS version
- Recent Documents/Desktop folder
- Keyboard Layout
Figure 4. Decrypted packet sent by BKDR_KIVARS
64-bit Support
The newer versions of KIVARS, which come in 32-bit and 64-bit builds, show slight differences when installed on a victim's machine. For example, the loader and the dropped backdoor payload now have random file names:
- %Windows%\system32\{random}.dll
- %Windows%\system32\{random}.{tlb|dat} – uses either tlb or dat as its file extension
In this version, the loader is still installed as a service and uses one of the following service names:
- Iprip
- Irmon
- ias
Earlier versions of BKDR_KIVARS only encrypted the "MZ" magic bytes of the backdoor payload. In the newer versions, the backdoor payload itself is encrypted using the modified RC4.
Figure 5. This code snippet shows the 64-bit loader decrypting the key for the modified RC4, the same procedure as in the early versions of the malware.
C&C Communication
The new version first sends a randomly generated packet. A key derived from this packet is used to verify the C&C server's reply. Once the reply is verified, the backdoor sends the same RC4-encrypted information as before, the difference being that the first 4 bytes now hold the size of the information.
Figure 6. The decrypted packet from the new version.
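The string/configuration decryption, the 10h-byte key decryption, the 55h XOR used for dropped files and klog.dat, and the newer beacon's size prefix described above, worked through as an added example (this is not code from the original post or a KIVARS sample). It assumes that "adds the byte to RC4's XOR'ed output" means a per-byte addition modulo 256, that the 4-byte size prefix is little-endian, and that beacon fields are separated by '|'; the keys, the extra byte value and the field values are constructed for the demo.

```python
"""
Added example, not code from the original post: a defender-side decoder for
the KIVARS encryption routines as the post describes them, plus a check for
the newer beacon's 4-byte size prefix.

Assumptions (the post does not spell them out): "adds the byte to RC4's
XOR'ed output" is read as a per-byte addition modulo 256; the size prefix is
taken as little-endian; the '|' field delimiter, keys, extra byte and field
values used in the demo are constructed.
"""
import struct


def rc4_keystream(key: bytes):
    """Standard RC4 key scheduling followed by the PRGA; yields keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def kivars_decrypt(data: bytes, key: bytes, extra: int) -> bytes:
    """Modified RC4 as described: XOR with the keystream, then, when the extra
    byte parameter is >= 0x80, add it to each output byte (mod 256).
    With extra < 0x80 this is plain RC4."""
    ks = rc4_keystream(key)
    out = bytearray()
    for c in data:
        p = c ^ next(ks)
        if extra >= 0x80:
            p = (p + extra) & 0xFF
        out.append(p)
    return bytes(out)


def kivars_encrypt(data: bytes, key: bytes, extra: int) -> bytes:
    """Inverse of kivars_decrypt; used here only to build constructed test data."""
    ks = rc4_keystream(key)
    out = bytearray()
    for p in data:
        if extra >= 0x80:
            p = (p - extra) & 0xFF
        out.append(p ^ next(ks))
    return bytes(out)


def xor55(data: bytes) -> bytes:
    """Dropped files and the klog.dat keylogger log are XOR-encoded with 0x55;
    the operation is its own inverse."""
    return bytes(b ^ 0x55 for b in data)


def decrypt_config_key(enc_key: bytes, outer_key: bytes, extra: int) -> bytes:
    """The 0x10-byte string/config key is itself decrypted with the same routine."""
    key = kivars_decrypt(enc_key, outer_key, extra)
    if len(key) != 0x10:
        raise ValueError("expected a 0x10-byte key")
    return key


def parse_new_beacon(plain: bytes):
    """Newer-version beacon: the first 4 bytes hold the size of the information
    that follows. A mismatch is reported instead of silently accepted."""
    if len(plain) < 4:
        raise ValueError("beacon too short")
    size = struct.unpack("<I", plain[:4])[0]  # little-endian is an assumption
    body = plain[4:]
    if size != len(body):
        raise ValueError(f"size prefix {size} does not match body length {len(body)}")
    return size, body.decode("ascii").split("|")  # '|' delimiter is constructed


# Constructed demo values (not taken from any real sample).
DEMO_OUTER_KEY = b"\x13\x37" * 4
DEMO_EXTRA = 0x9A
DEMO_CONFIG_KEY = bytes(range(0x10))
DEMO_FIELDS = ["10.0.0.21", "CAMP01", "Windows XP", "WS-07", "jdoe", "2.0",
               "C:\\Users\\jdoe\\Desktop", "00000409"]


def demo() -> dict:
    """Round trip: wrap the demo key, build a sized beacon, encrypt both, then
    decode them the way an analyst would from a capture."""
    enc_key = kivars_encrypt(DEMO_CONFIG_KEY, DEMO_OUTER_KEY, DEMO_EXTRA)
    body = "|".join(DEMO_FIELDS).encode("ascii")
    packet = kivars_encrypt(struct.pack("<I", len(body)) + body, DEMO_CONFIG_KEY, DEMO_EXTRA)
    klog = xor55(b"[notepad] hello")

    key = decrypt_config_key(enc_key, DEMO_OUTER_KEY, DEMO_EXTRA)
    size, fields = parse_new_beacon(kivars_decrypt(packet, key, DEMO_EXTRA))
    return {"key": key, "size": size, "fields": fields, "klog": xor55(klog)}


if __name__ == "__main__":
    print(demo())
```

With an extra byte below 80h the routine degenerates to standard RC4, so a known RC4 test vector is a useful sanity check before trusting the decoder on a real configuration blob; the size-prefix check is what distinguishes a newer-version beacon from the older format when the field contents look the same.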
Here are the IOCs for KIVARS:
| Detection | SHA1 | C&C | IP |
| --- | --- | --- | --- |
| BKDR64_KIVARS.ZTAL-BA | f3703e4b11b1389fbda1fbb3ba7ff3124f2b5406 | herace.https443.org | 210.61.134.56 |
| BKDR_KIVARS.ZTAL-BA | f797243bd709d01513897f26ce1f5517ab005194 | herace.https443.org | 210.61.134.56 |
| TROJ_FAKEWORD.A | 218be0da023e7798d323e19e950174f53860da15 | | |
| TROJ_KIVARSENC.ZTAL-A | 709312b048b3462883b0bbebb820ef1bc317b311 | gsndomain.ddns.us | 211.21.209.76 |
| TROJ_KIVARSLDR.ZTAL-A | 6df5adeaea3f16c9c64be5da727472339fa905cb | | |
| BKDR_KIVARS.ZTAL-A | 9991955db2623f7b34477ef9e116d18d6a89bc3e | | |
| TROJ_KIVARSDRP.ZTAL-A | b9543a848d3dfbc04adf7939ebd9cfd758a24e88 | | |
| TROJ_KIVARSENC.ZTAL-A | 8112760bf2191d25cbb540a5e56be4b3eb5902fe | | |
| TROJ_KIVARSLDR.ZTAL-A | 17ab432d076cc6cb41fcff814b86baf16703e27c | | |
| BKDR_KIVARS.ZTAL-A | 63d4447168f3d629ec867e83f4ad2e8f107bd3b2 | zyxel.blogsite.org | |
| TROJ_KIVARSDRP.ZTAL-A | c738d64fdc6fcf65410ab989f19a2c12f5ef22ab | | |
| TROJ_KIVARS.A | d35c2d5f9c9067702348a220f79904246fa4024f | gsndomain.ddns.us | 211.21.209.76 |
Connections to POISON
We've found that the threat actors using KIVARS are also using the POISON RAT as part of this campaign. Below are some of the hashes connected to one of the C&Cs used by KIVARS:
| Detection | SHA1 | C&C | IP |
| --- | --- | --- | --- |
| BKDR_POISON.VTG | 6b6ef37904e1a40e33f3fc85da9ba142863867a2 | adobeupdate.ServeUsers.com | 210.61.134.56 |
| TROJ_POISON.BHV | defeb241b5504c56603c0fd604aea6a79975b31d | butterfly.xxuz.com | 210.61.134.56 |
| BKDR_POISON.TUET | ad935580a5d93314f5d22f2089b8e6efeca06e18 | truecoco.REBATESRULE.NET | 210.61.134.56 |
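The two indicator tables above are most useful when they are actually run against telemetry. As an added example (not code from the original post), the script below parses the tables in the "Detection | SHA1 | C&C | IP" layout used here into one lookup and scans log lines for matching hashes, hostnames and addresses. The indicator values are copied from the tables; the log lines, client addresses, timestamps and file path in SAMPLE_LOGS are constructed for the demo.

```python
"""
Added example, not code from the original post: parse the post's IOC tables
into a lookup and match them against log lines. Indicator values come from
the post; SAMPLE_LOGS is constructed.
"""
import re

# Rows as they appear in the post (KIVARS table followed by the POISON table).
IOC_TABLES = """\
Detection | SHA1 | C&C | IP |
BKDR64_KIVARS.ZTAL-BA | f3703e4b11b1389fbda1fbb3ba7ff3124f2b5406 | herace.https443.org | 210.61.134.56 |
BKDR_KIVARS.ZTAL-BA | f797243bd709d01513897f26ce1f5517ab005194 | herace.https443.org | 210.61.134.56 |
TROJ_FAKEWORD.A | 218be0da023e7798d323e19e950174f53860da15 | ||
TROJ_KIVARSENC.ZTAL-A | 709312b048b3462883b0bbebb820ef1bc317b311 | gsndomain.ddns.us | 211.21.209.76 |
TROJ_KIVARSLDR.ZTAL-A | 6df5adeaea3f16c9c64be5da727472339fa905cb | ||
BKDR_KIVARS.ZTAL-A | 9991955db2623f7b34477ef9e116d18d6a89bc3e | ||
TROJ_KIVARSDRP.ZTAL-A | b9543a848d3dfbc04adf7939ebd9cfd758a24e88 | ||
TROJ_KIVARSENC.ZTAL-A | 8112760bf2191d25cbb540a5e56be4b3eb5902fe | ||
TROJ_KIVARSLDR.ZTAL-A | 17ab432d076cc6cb41fcff814b86baf16703e27c | ||
BKDR_KIVARS.ZTAL-A | 63d4447168f3d629ec867e83f4ad2e8f107bd3b2 | zyxel.blogsite.org | |
TROJ_KIVARSDRP.ZTAL-A | c738d64fdc6fcf65410ab989f19a2c12f5ef22ab | ||
TROJ_KIVARS.A | d35c2d5f9c9067702348a220f79904246fa4024f | gsndomain.ddns.us | 211.21.209.76 |
BKDR_POISON.VTG | 6b6ef37904e1a40e33f3fc85da9ba142863867a2 | adobeupdate.ServeUsers.com | 210.61.134.56 |
TROJ_POISON.BHV | defeb241b5504c56603c0fd604aea6a79975b31d | butterfly.xxuz.com | 210.61.134.56 |
BKDR_POISON.TUET | ad935580a5d93314f5d22f2089b8e6efeca06e18 | truecoco.REBATESRULE.NET | 210.61.134.56 |
"""


def parse_ioc_table(text):
    """Turn 'Detection | SHA1 | C&C | IP |' rows into {indicator: {detections}}.
    Empty cells are skipped; indicators are lower-cased so matching is
    case-insensitive (the POISON rows use mixed-case hostnames)."""
    lookup = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        cells += [""] * (4 - len(cells))
        detection, sha1, cnc, ip = cells[:4]
        if detection in ("", "Detection"):
            continue
        for indicator in (sha1, cnc, ip):
            if indicator:
                lookup.setdefault(indicator.lower(), set()).add(detection)
    return lookup


SHA1_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}\b")


def scan_log_lines(lines, lookup):
    """Extract hash, IPv4 and hostname tokens from each line and report the
    ones present in the lookup as (line number, indicator, [detections])."""
    hits = []
    for n, line in enumerate(lines, 1):
        tokens = set()
        for rx in (SHA1_RE, IPV4_RE, HOST_RE):
            tokens.update(m.group(0).lower() for m in rx.finditer(line))
        for tok in sorted(tokens):
            if tok in lookup:
                hits.append((n, tok, sorted(lookup[tok])))
    return hits


# Constructed log lines: DNS, proxy and a file-hash inventory entry.
SAMPLE_LOGS = [
    "2014-09-04T10:12:01Z dns client=10.0.0.21 query=herace.https443.org type=A",
    "2014-09-04T10:12:02Z proxy client=10.0.0.21 dst=210.61.134.56:443 method=CONNECT",
    "2014-09-04T10:15:44Z dns client=10.0.0.33 query=update.example.com type=A",
    "2014-09-04T10:20:09Z hashscan path=C:\\Windows\\system32\\kqzd.tlb "
    "sha1=f797243bd709d01513897f26ce1f5517ab005194",
    "2014-09-04T10:31:50Z dns client=10.0.0.48 query=ADOBEUPDATE.SERVEUSERS.COM type=A",
]


def demo():
    return scan_log_lines(SAMPLE_LOGS, parse_ioc_table(IOC_TABLES))


if __name__ == "__main__":
    for lineno, indicator, detections in demo():
        print(f"line {lineno}: {indicator} -> {', '.join(detections)}")
```

Because the KIVARS and POISON rows share the address 210.61.134.56, a hit on that IP alone resolves to five detection names; the hostname or the file hash narrows it to one family, which is why the scanner reports every matching indicator per line rather than just the first.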
With additional analysis by Ronnie Giagone
Post from: Trendlabs Security Intelligence Blog – by Trend Micro