MALWARE ANALYSIS OF BACKDOOR CREATOR: FATRAT
In the past few years, cybercriminals have adopted new techniques for hiding malicious code inside other files in such a way that antivirus software does not detect it. To do this they use infection processes that are more complex than the earlier ones. As technology changes, a new generation of cybercriminals is moving away from traditional cybercrime towards advanced techniques in which the malicious payload is hidden inside encrypted files, whatever the known file format may be. Several attacks and incidents reported on the internet show that attackers are using such sophisticated techniques.
In September 2016, Cisco Talos identified an exploitable out-of-bounds vulnerability in the JPEG 2000 image file format parser implemented in the OpenJPEG library, now identified as TALOS-2016-0193 or Common Vulnerabilities and Exposures CVE-2016-8332. JPEG 2000 is a file format commonly used for embedding images inside PDF documents. This vulnerability is particularly dangerous because it allows an attacker to write out of bounds on the heap, which corrupts the heap and makes arbitrary code execution possible. In March 2016, Kaspersky Lab caught a malicious payload hidden in a PNG file, i.e. embedded within the PNG file itself. That attack started with a simple phishing PDF.
Such incidents show that images on the internet can no longer be regarded as innocent. They can be a medium for compromising a protected system. The attacker manipulates an image, and the image remains harmless until a trigger or input is given, such as the user double-clicking it, which immediately starts the malicious activity.
In July 2013, researchers at Sucuri reported an incident in which they found a backdoor on a compromised site. This backdoor did not rely on the usual patterns, such as base64 and gzip encoding, that are used to hide the contents of a backdoor.
The backdoor is divided into two parts, both of which are functions. The first part combines the exif_read_data function, which reads the image headers, with the preg_replace function, which executes the content. The data that both PHP functions operate on is actually stored in the EXIF header of a JPEG image:
$exif = exif_read_data('/homepages/clientsitepath/
Both functions are harmless by themselves. However, preg_replace has a tricky, little-known option: when the "/e" modifier is passed, it executes the content (eval) instead of just searching and replacing. Looking at the bun.jpg file, the second part of the backdoor looks like this:
yOya^@^PJFIF^@^A^B^@^@d^@d^@^@ ya^@! Exif^@^@II*^@^H^@^@^@^B^@^ O^A^B^@^F^@^@^@&^@^@^@^P^A^B^ @m^@^@^@,^@^@^@ ^@^@^@^@/.*/e^ @ eval ( base64_decode("aWYgKGl zc2V0K CRfUE9TVFsie noxIl0pKSB7ZXZhbChzdHJ pcHNsYXNoZXMoJF9QT1NUWyJ6ejEiXSk pO30='));@yi^@^QDucky^@^A^@^D^@^@ ^@<^@^@yi^@^NAdobe^
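As an added defender-side check (not code from the Sucuri report or from this paper), the following Python script walks a JPEG's segments, parses the EXIF IFD0 and flags Make/Model values shaped like the preg_replace /e pattern and the eval() payload described above; the JPEG it builds for the demonstration is constructed inline and carries no pixel data.

```python
import re, struct
# EXIF IFD0 tags the Sucuri backdoor abused: preg_replace() pattern in Make, code for eval() in Model.
MAKE, MODEL = 0x010F, 0x0110
PREG_E_MODIFIER = re.compile(r"^/.*/[a-zA-Z]*e[a-zA-Z]*$")   # a PCRE pattern carrying the /e flag
PAYLOAD_WORDS = ("eval(", "base64_decode", "$_POST", "$_GET", "system(")

def build_exif_jpeg(make: str, model: str) -> bytes:
    """Constructed sample: SOI + APP1/Exif (little-endian TIFF, IFD0 with Make/Model) + EOI, no pixels."""
    vals = [(MAKE, make.encode() + b"\0"), (MODEL, model.encode() + b"\0")]
    ifd_len = 2 + 12 * len(vals) + 4             # entry count + entries + next-IFD pointer
    entries, blob = b"", b""
    for tag, v in vals:
        if len(v) <= 4:                          # TIFF rule: values of <= 4 bytes live inline
            entries += struct.pack("<HHI", tag, 2, len(v)) + v.ljust(4, b"\0")
        else:                                    # longer values: entry holds an offset into the TIFF
            entries += struct.pack("<HHII", tag, 2, len(v), 8 + ifd_len + len(blob))
            blob += v
    tiff = b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", len(vals)) + entries + b"\0" * 4 + blob
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def exif_strings(jpeg: bytes) -> dict:
    """Walk the JPEG segment chain, locate APP1/Exif and return IFD0's ASCII tags as {tag: text}."""
    out, pos = {}, 2
    while jpeg[:2] == b"\xff\xd8" and pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, seglen = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker in (0xD9, 0xDA):               # EOI or SOS: no more metadata segments
            break
        body = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and body.startswith(b"Exif\0\0"):
            tiff = body[6:]
            en = "<" if tiff[:2] == b"II" else ">"   # byte order of the TIFF structure
            ifd = struct.unpack(en + "I", tiff[4:8])[0]
            for i in range(struct.unpack(en + "H", tiff[ifd:ifd + 2])[0]):
                e = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
                tag, typ, cnt, off = struct.unpack(en + "HHII", e)
                if typ == 2:                     # ASCII: inline when short, else at offset
                    raw = e[8:8 + cnt] if cnt <= 4 else tiff[off:off + cnt]
                    out[tag] = raw.rstrip(b"\0").decode("latin-1")
        pos += 2 + seglen
    return out

def flag_exif_backdoor(jpeg: bytes) -> list:
    tags, hits = exif_strings(jpeg), []
    if PREG_E_MODIFIER.match(tags.get(MAKE, "")):
        hits.append("Make holds a preg pattern with the /e modifier: %r" % tags[MAKE])
    if any(w in tags.get(MODEL, "") for w in PAYLOAD_WORDS):
        hits.append("Model holds PHP code: %r" % tags[MODEL])
    return hits
```

The same walker can be pointed at any JPEG on a web server's upload directory; a camera-written Make/Model will never match the /e pattern, so hits are worth a manual look.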
Such incidents show that several freely available tools on the internet can be used to hide a malicious payload inside images. FATRAT is one of them. It is a massive exploitation tool that is easy to understand and that creates backdoors. It compiles malware with a popular payload, and the compiled malware can then be executed on Windows, Android or Mac. Malware created with this tool is also able to bypass most AV software protection. The tool is used for post-exploitation attacks such as browser attacks, DLL attacks, AV bypass, etc. In this paper, we compile the malware and payload with JPEG images to make a malicious image. Afterwards, the analysis is done in our own malware analysis lab setup and the results are shown.
In this paper, we analyze the backdoor creator and demonstrate the practical approach used by security personnel and researchers to find hidden files or to prove the presence of hidden data inside an image.
FATRAT is a massive exploitation tool. It creates backdoors for Windows, Linux, Mac and Android, and it can bypass antivirus. It checks for the Metasploit service and starts it if it is not running. It is capable of crafting a meterpreter reverse_tcp payload and starting multiple meterpreter reverse_tcp listeners. It uses the fast search in searchsploit, and much more. The functions provided by FATRAT are:
1) Create backdoor with msfvenom
2) Create FUD 100% Backdoor [slow but powerful]
3) Create FUD Backdoor with Avoid 1.2
4) Create FUD 100% Backdoor with backdoor-factory [embed]
5) Backdooring Original apk [Instagram, Line, etc ]
6) Create FUD Backdoor 1000% with PwnWinds [Excellent]
7) Create Backdoor For office with Microsploit
8) Create auto listeners
9) Jump to msfconsole
11) File Pumper [Increase Your Files Size]
12) Configure Default Lhost & Lport
FATRAT provides these facilities under the different sections shown below:
2. FATRAT ANALYSIS
Using FATRAT, several samples were created with the different functionalities discussed previously. They were then analyzed in the following steps:
Step 1: Hashing, a fingerprint for malware. Hashing is used to uniquely identify malware; the Message Digest Algorithm 5 (MD5) hash function is commonly used for this.
Output hash:
Step 2: Finding strings.
Output: presence of powershell.exe in hidden mode detected; presence of MinGW detected but failed during execution.
Step 3: Detecting packers with PEiD.
Output: the sample is not packed with UPX or any other packer; on digging further we get the magic literal: PE32 executable for MS Windows (GUI).
Step 4: Check the PE file headers and sections using the image file header.
Target machine: Intel 386 or later processors and compatible processors
Compilation timestamp: 2017-05-18 00:45:53
Entry point: 0x000014C0
Number of sections: 15
Step 5: Analysis using IDA Pro. In this step we show the difference between a real, genuine image and a maliciously crafted image containing code.
Real image: as seen in the IDA Pro disassembler, no import or export functions are used, because it is a genuine image.
Maliciously crafted image: several import and export functions are used.
Same file, but with embedded code.
Step 7: Opening the shellcode. Many import functions are hidden inside the image and are used when it is executed.
Step 8: Analyzing the genuine image vs. the maliciously crafted image in Hex Editor Neo.
During the search for artifacts, we found the attacker's IP address and the hidden PowerShell invocation.
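The steps above rolled into one Python triage script, as an added example that is not the paper's own tooling: it hashes the sample (Step 1), pulls the PowerShell/MinGW strings (Step 2), parses the image file header fields listed in Step 4, and checks for data appended after the JPEG EOI marker, which is what the hex-editor comparison in Step 8 reveals. The sample it analyzes is constructed inline with the header values this paper reports and contains no executable code.

```python
import calendar, hashlib, re, struct
from datetime import datetime, timezone
IOC_WORDS = (b"powershell", b"windowstyle hidden", b"-w hidden", b"mingw")

def build_sample(ts: int, entry: int, nsec: int) -> bytes:
    """Constructed sample: a bare JPEG (SOI+EOI) with a header-only PE32 and two
    telltale strings appended after EOI. The PE carries no code at all."""
    opt = bytearray(224)                          # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)         # Magic = PE32
    struct.pack_into("<I", opt, 16, entry)        # AddressOfEntryPoint
    struct.pack_into("<H", opt, 68, 2)            # Subsystem = WINDOWS_GUI
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, ts, 0, 0, len(opt), 0x0102)
    dos = bytearray(0x80); dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)       # e_lfanew -> "PE\0\0"
    tail = b"\0powershell.exe -WindowStyle Hidden\0Mingw-w64 runtime\0"
    return b"\xff\xd8\xff\xd9" + bytes(dos) + b"PE\0\0" + coff + bytes(opt) + tail

SAMPLE = build_sample(calendar.timegm((2017, 5, 18, 0, 45, 53)), 0x14C0, 15)

def after_eoi(data: bytes) -> bytes:
    """Bytes after the last JPEG EOI marker; a genuine JPEG has none (Step 8)."""
    return data[data.rfind(b"\xff\xd9") + 2:] if data[:2] == b"\xff\xd8" else b""

def pe_header(data: bytes):
    """Image-file-header fields from Step 4 for the first MZ/PE found in data, else None."""
    mz = data.find(b"MZ")
    if mz < 0 or mz + 0x40 > len(data):
        return None
    pe = mz + struct.unpack_from("<I", data, mz + 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsec, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    magic, = struct.unpack_from("<H", data, pe + 24)       # optional header starts at +24
    entry, = struct.unpack_from("<I", data, pe + 40)       # AddressOfEntryPoint (+16)
    sub, = struct.unpack_from("<H", data, pe + 92)         # PE32 Subsystem (+68)
    return {"machine": "Intel 386 or later" if machine == 0x14C else hex(machine), "sections": nsec,
            "timestamp": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "entry_point": "0x%08X" % entry, "format": "PE32" if magic == 0x10B else "PE32+",
            "subsystem": {2: "GUI", 3: "CUI"}.get(sub, str(sub)), "dll": bool(chars & 0x2000)}

def ioc_strings(data: bytes) -> list:
    """Step 2: printable ASCII runs (>= 6 chars) that mention a watched keyword."""
    runs = (m.group() for m in re.finditer(rb"[\x20-\x7e]{6,}", data))
    return [s.decode() for s in runs if any(w in s.lower() for w in IOC_WORDS)]

def triage(data: bytes) -> dict:
    """Steps 1, 2, 4 and 8 in one pass: hashes, strings, PE header, data hidden after EOI."""
    hidden = after_eoi(data)
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest(),
            "trailing_bytes": len(hidden), "pe": pe_header(hidden or data), "iocs": ioc_strings(data)}
```

Locating EOI with rfind is a heuristic: appended data that itself contains the bytes FF D9 will shorten the trailing region, so a non-zero trailing_bytes is the signal to open the file in a hex editor, not a full carve.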
CONCLUSION & FUTURE WORK
Malicious payloads hidden using FATRAT are hard to detect, and this scheme is commonly used by criminals to act maliciously in other areas. For it, they generally use various file formats, of which JPEG is the most innocent-looking. So the challenge of scanning the billions of images crossing organizational borders, regardless of their size and regardless of whether the anomalies in them have any impact, is huge.
This gives malware authors an opportunity to take advantage of images: to hide malicious code that leaves an organization, to stealthily send commands to infected victims, and to transfer various types of malware across the existing types of defenses. So, as researchers, we need to analyze such samples and detect images containing malicious content in real-time scenarios.
Cisco, 2016, "Vulnerability Spotlight: OpenJPEG JPEG2000 mcc record Code Execution Vulnerability", Available at: <http://blogs.cisco.com/security/talos/vulnerability-spotlight-jpeg2000>, [Accessed on 19 Oct 2016].
Securelist, 2016, "PNG Embedded--Malicious payload hidden in a PNG file", [Accessed on 20 Oct 2016].
Sucuri, 2013, "Malware Hidden Inside JPG EXIF Headers", [Accessed on 2 Nov 2016].
Fatrat, 2017, "The Fatrat", Available at: <https://github.com/Screetsec/TheFatRat>, [Accessed on 5/09/2016].
Github, https://cloud.githubusercontent.com/assets/17976841/25420100/9ee12cf6-2a80-11e7-8dfa-c2e3cfe71366.png
Github, https://cloud.githubusercontent.com/assets/17976841/18483873/39d54372-7a10-11e6-890f-41803a33b9c9.png
Github, https://cloud.githubusercontent.com/assets/17976841/18483871/39cb81ca-7a10-11e6-84f3-1683067fa4f5.png
Github, https://cloud.githubusercontent.com/assets/17976841/18483870/39cb46ba-7a10-11e6-859b-1c1baa3c1b0a.png
(1) Rakesh Singh Kunwar, (2) Priyanka Sharma, (3) K. V. Ravi Kumar
(1,2,3) Raksha Shakti University, Gujarat, India
Authors: Kunwar, Rakesh Singh; Sharma, Priyanka; Kumar, K. V. Ravi
Publication: International Journal of Cyber-Security and Digital Forensics
Date: Jan 1, 2018