Trend Micro Inc.

06/14/2023 | News release | Distributed by Public on 06/14/2023 04:57

Behind the Scenes: Unveiling the Hidden Workings of Earth Preta

If all conditions are fulfilled, it will begin the installation procedure and drop several files. These files are embedded in the dropper and are decrypted with XOR keys.

Dropped file                            XOR key
C:\users\public\update.pdf              update_key
C:\users\public\last.pdf                last_key
C:\users\public\waveedit.dll            waveedit_key
C:\users\public\WaveeditNero.exe        WaveeditNero_key

Table 2. The dropped files and the XOR keys used to decrypt them

After being dropped, WaveeditNero.exe will sideload waveedit.dll and decrypt the other two fake PDF files:

  • It decrypts C:\users\public\last.pdf with XOR key 0x36 and writes it to C:\users\public\documents\WinDbg(X64).exe.
  • It decrypts C:\users\public\update.pdf with XOR key 0x2D and writes it to C:\users\public\documents\libvlc.dll.
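The single-byte XOR step above is easy to reverse during analysis. The following Python helper is an added example (not Trend Micro's code and not derived from the malware); it decodes a dropped file with a known key such as 0x36 or 0x2D and, going beyond what the report describes, recovers an unknown single-byte key by brute force using the "MZ" and "PE\0\0" signatures of the decoded PE image. The sample PE-like buffer in `build_sample_pe` is constructed for the test and is not a real binary.

```python
# Added example: recover a single-byte-XOR-encoded dropped file.
# Not Trend Micro's code; the sample below is constructed, not a real sample.
from typing import Optional

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def recover_single_byte_key(data: bytes) -> Optional[int]:
    """Try all 256 keys; accept the one whose decoded output starts with 'MZ'
    and whose e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature.
    Returns None when no key yields a PE image."""
    for key in range(256):
        head = xor_decode(data[:0x40], key)
        if head[:2] != MZ_MAGIC or len(head) < 0x40:
            continue
        e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
        if e_lfanew + 4 <= len(data) and \
                xor_decode(data[e_lfanew:e_lfanew + 4], key) == PE_MAGIC:
            return key
    return None


def decode_dropped_file(src_path: str, dst_path: str, key: Optional[int] = None) -> int:
    """Decode src_path into dst_path. With key=None the key is brute-forced.
    Returns the key that was used."""
    with open(src_path, "rb") as f:
        data = f.read()
    if key is None:
        key = recover_single_byte_key(data)
        if key is None:
            raise ValueError("no single-byte XOR key yields a PE image")
    with open(dst_path, "wb") as f:
        f.write(xor_decode(data, key))
    return key


def build_sample_pe() -> bytes:
    """Constructed minimal PE-shaped buffer for testing: MZ header whose
    e_lfanew points to a PE signature at offset 0x40, followed by padding."""
    head = bytearray(0x40)
    head[:2] = MZ_MAGIC
    head[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(head) + PE_MAGIC + b"\x00" * 0x20


if __name__ == "__main__":
    encoded = xor_decode(build_sample_pe(), 0x36)   # mimic last.pdf encoding
    print("recovered key: 0x%02X" % recover_single_byte_key(encoded))
```

In practice the analyst points `decode_dropped_file` at the recovered `last.pdf` or `update.pdf` artifact; the brute-force path is only a convenience when a variant changes the key.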

TONEDROP will set up a scheduled task for the process C:\users\public\documents\WinDbg(X64).exe, which will sideload C:\users\public\documents\libvlc.dll. Next, it will construct the malicious payload and run it in memory by calling the EnumDisplayMonitors API, which takes a callback function.

The C&C protocol of TONESHELL variant D

We discovered a new variant of TONESHELL that has a command-and-control (C&C) protocol request packet format as follows:

Field name    Size     Data
magic         0x3      17 03 03
size          0x2      The payload size
payload       size     Payload

Table 3. Contents of the sent data after encryption

The C&C protocol is similar to the ones used by PUBLOAD and other TONESHELL variants. We classified it as TONESHELL variant D because it also uses CoCreateGuid to generate a unique victim ID, which is akin to the older variants.

In the first handshake, the payload should be a 0x221-byte-long buffer carrying the encryption key and the unique victim ID. Table 4 shows the structure of the payload. Note that the fields type, victim_id, and xor_key_seed are encrypted with xor_key before the buffer is sent.

Field name      Size (hex)   Description
xor_key         0x200        Key used to encrypt the traffic; this key is generated from xor_key_seed
type            0x1          0x08, a fixed value
victim_id       0x10         A unique victim ID generated by CoCreateGuid
xor_key_seed    0x10         A random seed generated by GetTickCount

Table 4. Content of the sent data

We found that the malware saves the value of the victim_id to the file %USERPROFILE%\AppData\Roaming\Microsoft\Web.Facebook.config.
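Tables 3 and 4 together describe a fixed-shape first handshake that a network defender can parse and match. The Python below is an added example (not Trend Micro's code and not derived from the malware) that splits a request frame into magic, size and payload, then unpacks the 0x221-byte handshake into its fields. Two details the report does not state are assumptions here: the 2-byte size field is treated as big-endian, and the encrypted trailing 0x21 bytes (type, victim_id, xor_key_seed) are assumed to be XORed byte-for-byte with the leading bytes of xor_key. `build_handshake_frame` only constructs a fixture of that shape so the parser can be exercised offline.

```python
# Added example: parse and validate the TONESHELL variant D first handshake.
# Not Trend Micro's code. ASSUMPTIONS (not stated in the report): big-endian
# size field; trailing fields XORed with the first 0x21 bytes of xor_key.
import struct
import uuid
from dataclasses import dataclass
from typing import Tuple

MAGIC = b"\x17\x03\x03"        # Table 3 (same bytes as a TLS 1.2 application-data record header)
XOR_KEY_LEN = 0x200            # Table 4
TYPE_FIXED = 0x08
VICTIM_ID_LEN = 0x10
SEED_LEN = 0x10
HANDSHAKE_LEN = XOR_KEY_LEN + 1 + VICTIM_ID_LEN + SEED_LEN   # 0x221


@dataclass
class Handshake:
    xor_key: bytes
    msg_type: int
    victim_id: bytes
    xor_key_seed: bytes

    def victim_guid(self) -> str:
        """Render the 16 raw bytes as a GUID string, assuming the in-memory
        GUID struct layout that CoCreateGuid produces (little-endian fields)."""
        return str(uuid.UUID(bytes_le=self.victim_id))


def parse_frame(data: bytes) -> Tuple[bytes, bytes]:
    """Return (payload, remaining bytes) for one magic+size+payload frame."""
    if len(data) < 5 or data[:3] != MAGIC:
        raise ValueError("bad magic")
    (size,) = struct.unpack(">H", data[3:5])      # ASSUMPTION: big-endian
    if len(data) < 5 + size:
        raise ValueError("truncated payload")
    return data[5:5 + size], data[5 + size:]


def _xor_with_key(buf: bytes, key: bytes) -> bytes:
    return bytes(c ^ k for c, k in zip(buf, key))


def parse_handshake(payload: bytes) -> Handshake:
    """Unpack the 0x221-byte first-handshake payload (Table 4)."""
    if len(payload) != HANDSHAKE_LEN:
        raise ValueError("payload is not a first handshake")
    xor_key = payload[:XOR_KEY_LEN]
    plain = _xor_with_key(payload[XOR_KEY_LEN:], xor_key)   # ASSUMPTION
    msg_type = plain[0]
    if msg_type != TYPE_FIXED:
        raise ValueError("unexpected type byte 0x%02X" % msg_type)
    victim_id = plain[1:1 + VICTIM_ID_LEN]
    seed = plain[1 + VICTIM_ID_LEN:1 + VICTIM_ID_LEN + SEED_LEN]
    return Handshake(xor_key, msg_type, victim_id, seed)


def build_handshake_frame(xor_key: bytes, victim_id: bytes, seed: bytes) -> bytes:
    """Constructed test fixture with the Table 3/4 shape; exercises the parser."""
    assert len(xor_key) == XOR_KEY_LEN and len(victim_id) == VICTIM_ID_LEN and len(seed) == SEED_LEN
    plain = bytes([TYPE_FIXED]) + victim_id + seed
    payload = xor_key + _xor_with_key(plain, xor_key)
    return MAGIC + struct.pack(">H", len(payload)) + payload


def looks_like_toneshell_handshake(data: bytes) -> bool:
    """Detection helper: True when the first frame parses as a valid handshake."""
    try:
        payload, _ = parse_frame(data)
        parse_handshake(payload)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    frame = build_handshake_frame(bytes(range(256)) * 2, bytes(range(16)), b"\xAA" * 16)
    hs = parse_handshake(parse_frame(frame)[0])
    print(hs.victim_guid(), frame[:5].hex())
```

Under the big-endian assumption every first handshake begins with the five fixed bytes 17 03 03 02 21, which is a narrow anchor for a network signature; the parser then confirms the type byte 0x08 before raising an alert, and the recovered victim_id can be compared with the value written to Web.Facebook.config on a suspected host.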