Monday, October 17, 2022

Researching golang malware and how I hate security industry naming conventions - Part 2

I did some string searches in Hybrid-Analysis as well to look for more files. (Thanks Hybrid-Analysis for a researcher account!) I finally ended up with this yara rule (i'll learn to write better rules one day):

rule gsh_backdoor
        $a = "startInteractive"
        $b = "main.winService"
        $c = "main.(*winService).Start"
        ($a and $b and $c) and filesize < 6MB and filesize > 2MB
and uint16(0) == 0x5A4D

Searching that on Hybrid-Analysis results in the following hashes:

You can also run strings on the file and extract C2 information by doing egrep:
strings -f * | egrep '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?):(\d{0,5})'

18077efa0c23e9370eb95ca6c5ece82bcf61e63505a87aea8cb6a14d15500a8c.bin.sample: 142.93.213[.]221:21
55320dcb7e9e96d2723176c22483a81d47887c4c6ddf063dbf72b3bea5b279e3.bin.sample: 107.181.246[.]146:443
57a45d3010d74cbd089cacf23bc0f68eaa3fb8dc5479dbe8ed8e19004badfdb6.bin.sample: 198.199.104[.]97:443
95c6d0d4e619334b3d8adb5340198c420f78f937f3dc944bc12a2be7f73fb952.bin.sample: 64.227.88[.]98:443
9d42c2b6a10866842cbb6ab455ee2c3108e79fecbffb72eaf13f05215a826765.bin.sample: 107.181.246[.]146:443
b63ea16d5187c1fa52a8a20c3fd7b407033bcd4142addb1ce91923d6b2f19555.bin.sample: 45.76.236[.]136:443
winnta.bin: 195.149.87[.]87:443

One more thing I noticed while researching this is mention of "geodezine" backdoor. Some of the samples connect to the same C2 server as the golang backdoor connects to. I haven't looked too much into it but here's a rule:

rule geo_backdoor
        $a = "geodezine"
        $b = "cmd.exe"
        $c = "URLDownloadToFilDeleteUrlCacheEn"
        ($a and $b and $c) and filesize < 100KB and uint16(0) == 0x5A4D

And here are the hashes that show up on Hybrid-Analysis:

Summary of where this Golang malware shows up and timeline:
December 2017
The Shadows of Ghosts Inside the response of a unique Carbanak intrusion
Filename: ctlmon.exe
Malware name: GOTROJ
C2: 107.181.246[.]146
Attack involved exploitation of CVE-2017-5638

May 2021
Mercenary APT Groups Targeting the Financial Services Industry
Filename: winnta / main
Malware name: GOTROJ-related / gsh
C2: 45.76.236[.]136, 198.199.104[.]97
"cyber mercenary attack targeting a major US-based financial services organization"

August 2021
PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity
Filename: winnta
Malware name: GOTROJ
exploitation of CVE-2020-14882 and CVE-2020-14750

March 2022
Forged in Fire: A Survey of MobileIron Log4Shell Exploitation
Malware name: DARKDOOR
C2: 162.33.178[.]149, 195.149.87[.]87
Attributed to UNC961 and related to exploitation of Log4j in Horizon and MobileIron

April 2022
Ragnarlocker Ransomware IOCs
Filename: ctlmon.exe
Malware name: GOTROJ
C2: 45.63.89[.]250
Related to breach involving Ragnarlocker according to the post

September 2022
This is the sample that I started out my research with
Filename: winnta.exe
Hash: 020f6b3e045fa6b968226a8f2b2800dc55c65e842607d04d68b47ef4d18b0eee
C2: 195.149.87[.]87
I just found the sample. I'm not sure what campaign it's related to or any other details. The C2 matches the Mandiant report though.

You should be able to pivot from C2 to sample hash or sample hash to C2 using VirusTotal. Some vendors didn't supply C2s or hashes.

As far as I know, I have not seen any of these samples running and successfully connecting to C2 in any of the public sandboxes. I haven't seen results in Shodan or Censys that show the C2 port open even with historical search for the September 2022 sample.

There may be more samples on VirusTotal but I'm doing this independently and don't have access to VT.

I'm not a CTI person. To me this looks like a golang backdoor used by multiple actors. I just hope this post helps anyone Googling things because this sample has been called different things by different vendors and that's annoying.