Recently, we’ve seen a number of reports related to the 9002 remote access Trojan (RAT). The Trojan drops a PowerPoint presentation that contains details about the 2nd Myanmar Industrial Human Resource Development Symposium. The Trojan’s technical details and its propagation vectors were recently described in a blog post by Unit42 (1).
The 9002 RAT is not new. The first reports could be linked to Operation Aurora and date back to 2009 (2). This variation of the Trojan was also mentioned in the 2013 FireEye blogs about the Sunshop campaign (3) and Operation Ephemeral Hydra (4). In the latter case, the Trojan used a diskless method of operation and was notoriously more difficult to detect and track. The evolution of the Trojan continued, as detailed in the post by Palo Alto Networks in June 2015 (5), and the threat intelligence briefing by ASERT (6) followed in July of the same year.
A VirusTotal retrohunt on a number of Yara rules matching the file content and structure of the recently reported 9002 RAT main.dll Trojan component ultimately discovered just two files linked to the recent malware campaign: the dropper (22672EEB15AB0D07A3DFE4D03C5F0990) and the actual main.dll file (E9086E4D958C65C19509573A4272D8D7). This likely shows either that the malware payload is uniquely crafted, or that it manages to stay under the radar for most of the affected users. The dropper file poses as a PowerPoint presentation, using an icon image taken from a legitimate PowerPoint file (Fig. 1).
Fig. 1. A Trojan dropper posing as a PowerPoint presentation file.
Once the 2nd Myanmar Industrial Human Resource Development Symposium.exe file is executed, the Trojan drops the main.dll (E9086E4D958C65C19509573A4272D8D7), RealNetworks.exe (61BE380332CAB60B691A27D002D4D579) and MPAMedia.dll (E48A4CB7325ADCB38127A95AD47CD24D) files. Analysis of the dropper code made it clear that the three files are stored unencrypted in the dropper’s .data section. The RealNetworks.exe and main.dll files are dropped in a %user% folder under a randomly generated subfolder name, and the MPAMedia.dll file is written into the mpaplugins subfolder, posing as a legitimate RealNetworks player plugin file.
Fig. 2. The Trojan dropper and the dropped files.
The Trojan relies on the DLL side-loading technique to launch the malware payload; this technique has most often been used as a way to masquerade malware as a legitimate file. The Trojan dropper launches the RealNetworks.exe executable, a legitimate media player program, which in turn loads MPAMedia.dll, assuming that it is a legitimate plugin module. Upon loading the DLL, control is transferred to the DllEntryPoint function within the DLL. This function is normally exported by every DLL and is responsible for the DLL’s initialization. In the case of MPAMedia.dll, the function initializes and transfers control to the malware code contained in the main.dll file. The specific actions performed by MPAMedia.dll are best described in Fig. 3.
Fig. 3. MPAMedia.dll malware side loading schema
MPAMedia.dll checks the date and, if the condition is satisfied, modifies the parent process, RealNetworks.exe, in memory to include 6 bytes of code at a predefined offset. Once the patch is complete, execution control is returned to the RealNetworks process, giving the user the impression that the legitimate process continues to execute. The code inside the RealNetworks process runs until the patch is reached. The patch transfers control back to one of the MPAMedia.dll functions, which loads the main.dll file and calls the stdInstall() and CreateFunc() routines exported by main.dll. If the calls are successful, MPAMedia.dll executes an endless loop, allowing the main.dll code to run in the parent’s process space.
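The in-memory patch just described is the kind of change a defender can surface by comparing a process's mapped code section against the same section of the executable on disk. The following Python is an added example, not code from the original post or from any of the cited reports: the section bytes, the relocation offsets and the 6-byte control-transfer stub are all constructed for illustration, and in a real comparison the relocation set would come from the image's .reloc section.

```python
from dataclasses import dataclass


@dataclass
class Patch:
    offset: int       # offset into the code section
    original: bytes   # bytes from the on-disk image
    patched: bytes    # bytes observed in process memory


def find_inline_patches(disk_text: bytes, mem_text: bytes,
                        relocations=frozenset(), merge_gap: int = 2):
    """Report runs of bytes where the mapped code section differs from the file on disk.

    relocations: offsets the loader legitimately rewrites (taken from .reloc in a real
                 comparison); they are ignored so that rebasing is not reported as tampering.
    merge_gap:   diffs closer than this many bytes are reported as one patch, because a
                 patch can coincidentally reuse a byte the original code already had.
    """
    if len(disk_text) != len(mem_text):
        raise ValueError("section sizes differ; compare the same section of the same image")
    diffs = [i for i in range(len(disk_text))
             if disk_text[i] != mem_text[i] and i not in relocations]
    runs = []  # [start, end) pairs of differing byte ranges
    for i in diffs:
        if runs and i - runs[-1][1] <= merge_gap:
            runs[-1][1] = i + 1
        else:
            runs.append([i, i + 1])
    return [Patch(s, disk_text[s:e], mem_text[s:e]) for s, e in runs]


# Constructed code section: NOP filler, one absolute pointer at 0x10 that the loader
# rebases, and a function prologue at 0x20 that a plugin overwrites with a 6-byte stub.
_disk = bytearray(b"\x90" * 0x40)
_disk[0x10:0x14] = b"\x00\x10\x40\x00"             # absolute pointer 0x00401000
_disk[0x20:0x26] = b"\x55\x8b\xec\x83\xec\x10"     # push ebp; mov ebp,esp; sub esp,0x10
DISK_TEXT = bytes(_disk)

_mem = bytearray(DISK_TEXT)
_mem[0x10:0x14] = b"\x00\x10\x50\x00"              # image rebased to 0x00500000 by the loader
_mem[0x20:0x26] = b"\xe9\x00\x01\x00\x00\x90"      # jmp rel32 + nop: control leaves the host code
MEM_TEXT = bytes(_mem)

RELOCATIONS = frozenset(range(0x10, 0x14))        # what a .reloc entry for offset 0x10 covers


if __name__ == "__main__":
    for p in find_inline_patches(DISK_TEXT, MEM_TEXT, relocations=RELOCATIONS):
        print(f"patched {len(p.patched)} bytes at 0x{p.offset:x}: "
              f"{p.original.hex()} -> {p.patched.hex()}")
```

Run against the constructed section, the rebased pointer at 0x10 is filtered out and only the 6-byte overwrite at 0x20 is reported; drop the relocation set and the rebasing shows up as a second, spurious one-byte patch, which is why relocations must be accounted for before trusting a disk-versus-memory diff.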
Looking at the MPAMedia.dll file, there are a number of things that could be used to build a Yara rule for the hunt. For instance, there is a portion of code that obfuscates the imported names of the APIs and of a DLL library by using a strcpy function (Fig. 4).
Fig. 4. Strcpy obfuscation of the library and API name strings
Although such a technique is often employed by malware actors, the API names and the library used make it fairly specific to the MPAMedia.dll file.
Removing references to specific code locations makes the searched bytecode pattern address-agnostic, resulting in a Yara rule general enough to hopefully cover a number of variations of the MPAMedia.dll malware file (Fig. 5).
Fig. 5. Yara rule for the MPAMedia.dll VirusTotal retrohunt
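To make the address-agnostic pattern idea concrete, here is an added Python example; it is not the post's Yara rule from Fig. 5 and not code from any of the cited reports. It takes a short x86 byte sequence of the push/lea/call shape that a strcpy-based string build produces, wildcards the immediate and displacement operands, and emits a hex string that drops straight into a Yara `strings:` section. The opcode table, the two sample byte sequences and the rule name are constructed for illustration; a real tool would use a full disassembler rather than this five-entry subset.

```python
import re

# Constructed x86-32 opcode subset: leading byte(s) -> (instruction length, operand byte
# positions to wildcard). Only what the sample sequences need.
OPCODES = {
    b"\x68":     (5, range(1, 5)),  # push imm32  - pointer to a string constant: wildcard
    b"\xe8":     (5, range(1, 5)),  # call rel32  - relative target (strcpy): wildcard
    b"\x8d\x45": (3, range(2, 3)),  # lea eax,[ebp+disp8] - stack buffer offset: wildcard
    b"\x50":     (1, ()),           # push eax    - no operand
    b"\x83\xc4": (3, ()),           # add esp,imm8 - cleanup size is stable, keep it
}


def decode(code: bytes):
    """Yield (offset, length, wildcard positions) for each instruction in the subset."""
    i = 0
    while i < len(code):
        for prefix, (length, wild) in OPCODES.items():
            if code.startswith(prefix, i):
                yield i, length, wild
                i += length
                break
        else:
            raise ValueError(f"unsupported opcode 0x{code[i]:02x} at offset {i}")


def exact_pattern(code: bytes) -> str:
    """Naive signature: every byte literal, so a relocated or rebuilt variant breaks it."""
    return " ".join(f"{b:02X}" for b in code)


def address_agnostic_pattern(code: bytes) -> str:
    """Yara hex string with addresses and stack displacements replaced by '??'."""
    tokens = []
    for off, length, wild in decode(code):
        for k in range(length):
            tokens.append("??" if k in wild else f"{code[off + k]:02X}")
    return " ".join(tokens)


def yara_rule(name: str, pattern: str) -> str:
    """Wrap a hex pattern in a minimal Yara rule body (rule name is hypothetical)."""
    return (f"rule {name} {{\n    strings:\n        $code = {{ {pattern} }}\n"
            f"    condition:\n        $code\n}}")


def find_pattern(pattern: str, data: bytes):
    """Match a Yara-style hex string against raw bytes; return the first offset or None."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    m = re.compile(b"".join(parts), re.DOTALL).search(data)
    return m.start() if m else None


# Constructed samples: the same strcpy(buf, "...") call sequence as it would appear at two
# different image addresses and stack layouts, e.g. a relocated or recompiled variant.
SAMPLE_A = bytes.fromhex("68 10 20 40 00 8d 45 f0 50 e8 12 34 00 00 83 c4 08")
SAMPLE_B = bytes.fromhex("68 a0 b0 40 00 8d 45 e8 50 e8 99 88 00 00 83 c4 08")


if __name__ == "__main__":
    pat = address_agnostic_pattern(SAMPLE_A)
    print(yara_rule("mpamedia_strcpy_build_example", pat))
    print("exact pattern hits the variant at:", find_pattern(exact_pattern(SAMPLE_A), SAMPLE_B))
    print("wildcard pattern hits the variant at:", find_pattern(pat, b"\x90\x90" + SAMPLE_B))
```

The exact signature of SAMPLE_A never matches SAMPLE_B, while the wildcarded one matches both, which is exactly the generalisation the rule in Fig. 5 relies on. Note that `add esp, 8` keeps its immediate on purpose: the stack cleanup size is a property of the call, not of where the code was linked, so leaving it literal keeps the rule from becoming so loose that it fires on unrelated push/call sequences.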
The search through VirusTotal submissions turned up three files. Two of them were already familiar to us and were associated with the recent malware campaign, but the third one (81AAECD5963E96817D4DE231030F1871) had been submitted only fairly recently (2016-06-30) from the United States and appeared to be a version of the MPAMedia.dll plugin. The Yara rule search failed to find a dropper. Either the dropper stores this file compressed or encrypted, or it has yet to be submitted to VirusTotal (as of 8/11/2016).
Analysis of the recently submitted MPAMedia.dll showed that it still relies on a host process for its launch, as well as on the check for the same date condition. However, instead of main.dll, it expects a realplayer1.lib file to be found in the same location as the host process (Fig. 6).
Fig. 6. Side loading technique employed by a MPAMedia.dll variant.
Once called from the host process, MPAMedia.dll allocates a block of memory, searches for a file named realplayer1.lib, reads it into the previously allocated memory, and calls the beginning of the memory block. At the time of writing, according to VirusTotal, there are 15 reported detections out of 54, with the consensus name Backdoor.Win32.Gulpix.
The search for the 9002 Trojan variations is still on.