The Fidelis Threat Research team is comprised of expert security researchers whose sole focus is generating accurate and actionable intelligence to better secure customers.
Researchers have observed TinyLoader, a well-known backdoor, delivering point-of-sale and banking trojan malware over the past few years. Fidelis Cybersecurity Threat Research happened to notice it delivered from a site that hosted a variety of other malware and that was an association we had not seen previously so it prompted us to take a deeper look. This post covers our malware analysis and then describes how our research allows for direct interaction with the command-and-control server.
TinyLoader has a few unique characteristics.
Understanding how TinyLoader functions allows us to mimic bot functionality. Doing this then provides a mechanism to connect directly to malicious C2 servers to monitor commands issued, modules sent, and the running processes targeted by the operators.
In this post, we will discuss TinyLoader delivery vectors, various characteristics of its C2, and finally how to create a script that mimics the bot functions to monitor C2 activity. We have made our script available on the Fidelis Cybersecurity GitHub.
The TinyLoader sample we observed was a secondary infection. A machine that had been infected with Nymaim was later found to be downloading “93.174.91.49/pos.exe”. What is also interesting about that IP is that the Nymaim malware was downloaded by a BetaBot sample that also came from the IP, at “93.174.91.49/bbcrypt.exe”. That BetaBot was found downloading Nymaim from “updateservers312.com/jaff/515_new_c.exe”.
For this research, we analyzed this TinyLoader sample: 037c675489bb0faeab114bbd6cf3067a — though any of the TinyLoader samples mentioned in the IOC section below will provide a similar outcome.
The main part of the bot is XOR encoded and wrapped in a similar fashion. The bot brute forces the XOR key by decoding with each candidate key and comparing the result against a known value. The brute force loop doubles as a custom sleep routine that was likely put in place to cause sandboxes to time out.
The first C2 transmission is a sort of checkin:
The data is in the form of:
#include <stdint.h>

struct c2_data
{
    uint32_t req_num;      /* request number; all NULLs at first, then set by downloaded bytecode */
    uint32_t campaign_id;  /* hardcoded in the bot */
    uint16_t length;       /* length of the data (0x0c for the bare checkin) */
    uint8_t  unknown;
    uint8_t  bit_version;  /* set by the bot after calling IsWow64Process */
};
The ‘req_num’, or request number, is initially set to all NULLs but is then changed by the subsequently downloaded bytecode. This lets the C2 fully control the bot, as the C2 sets up what the bot will request next. The ‘campaign_id’ is hardcoded in the bot, which is why it is labeled as such. The 0x0c in the picture is the length of the data, while the ‘bit_version’ is set by the bot after a call to IsWow64Process.
The C2 responses are sets of code sequences containing bytecode blobs that will be executed. This is an interesting way to control infections. We broke out the responses into a list (below). Due to the nature of this capability, the bot could essentially download any code to run on the infected machines.
C2 traffic responses (commands):
The initial blob of bytecode returned is used to copy a second handler bytecode blob into the memory address provided. The bot then sets req_num to 00 01 00 00. Each new request returns the same sort of setup where bytecode is sequentially written and then a handler is eventually added to initialize the code.
This sequence continues in a list of request numbers.
Request Number:
- 00 03 00 00
- 00 04 00 00
- 00 05 00 00
- 00 06 00 00
- 00 07 00 00 -> this section detonates the blob of data that has been copied
When detonated, this copied over bytecode has a whitelist of process names and a mutex. It will attempt to create the mutex and then enumerate all running processes while building a list of those not in the whitelist.
Below we can see a snippet of the code that checks each process name to see if it contains a 4-byte string.
We can get a list of all the strings the bot uses to check if it’s not interested in that process.
Data is sent back to C2 with a req_num of 00 0a 00 00 along with the process list appended to the previously mentioned structure. There is also a hardcoded string that is prepended to the data which can be seen in both the bytecode and the traffic.
If the bot sends an Update Binary command, the return is bytecode to copy over an updated TinyLoader PE binary. It then sets the req_num to 00 00 c1 00 to begin the next sequence.
The bot then downloads chunks through the following sequence.
Request Number:
Next, the newly downloaded bot begins running through the same C2 process again before continuing with the following sequence.
The bot then goes through the following sequence to download code. The code chunks are saved for later. The code module normally downloaded contains the bytecode that can be used to download other files.
Request Number:
The next step begins a recurring sequence between the bot and the C2 that will do one of two things: either the bot is told to sleep before its next checkin, or the C2 issues a command for the bot to do something. In this manner, the C2 can use the sequence both to tell whether a bot is ‘alive’ and to either tell the bot to check in again later or issue some other command.
Request Number:
For the C2 message itself we can just use a Python class to mimic the structure we have previously laid out.
This leaves us with decoding the traffic and then pulling out the relevant data we want. The decode function is a simple XOR loop.
Now we just need to see whether this data matches the sleep routine, but for demonstration purposes we will simply try to find the next command if it exists and log the received data to screen. In all the recent TinyLoader versions we have examined, the received bytecode appears to always contain the ‘mov edx, dword [ebp]’ instruction right before it loads the next C2 command in place. This could differ for other versions, and since we are dealing with bytecode that is executed dynamically via the C2, it could technically be anything.
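As an added, offline illustration (not the Fidelis script and not code from the bot), the following puts together the pieces described above: the 12-byte checkin structure as a Python class, the single-byte XOR decode loop, the key brute force against a known value from the unpacking section, and the search for the ‘mov edx, dword [ebp]’ marker before the next request number. The key 0x5A, the prologue bytes used as the known value, the captured response and the assumption that the four bytes after the marker are the next req_num are all constructed for the example; the marker bytes are the standard x86 encoding of that instruction.

```python
import struct

# Wire layout of the checkin structure: req_num (4 raw bytes, written as
# "00 01 00 00" in the post), campaign_id (4), length (2), unknown (1),
# bit_version (1). Little-endian, 12 bytes = 0x0c.
C2_FMT = "<4sIHBB"

class C2Message:
    """Mimics the c2_data structure so we can build the checkin ourselves."""
    def __init__(self, campaign_id, bit_version, req_num=b"\x00\x00\x00\x00", unknown=0):
        self.req_num = req_num          # all NULLs until the C2 bytecode changes it
        self.campaign_id = campaign_id  # hardcoded per bot build
        self.unknown = unknown
        self.bit_version = bit_version  # what the bot derives from IsWow64Process

    def pack(self):
        length = struct.calcsize(C2_FMT)  # 0x0c for the bare checkin
        return struct.pack(C2_FMT, self.req_num, self.campaign_id,
                           length, self.unknown, self.bit_version)

def xor_decode(data, key):
    """The decode routine is a simple single-byte XOR loop."""
    return bytes(b ^ key for b in data)

def bruteforce_key(blob, known, offset=0):
    """Recover the key the way the bot does: try every byte until the decoded
    data at `offset` equals a known value. Returns None if no key matches."""
    window = blob[offset:offset + len(known)]
    for key in range(256):
        if xor_decode(window, key) == known:
            return key
    return None

# Standard x86 encoding of 'mov edx, dword [ebp]' (8B 55 00).
MOV_EDX_EBP = b"\x8b\x55\x00"

def next_command(decoded):
    """Return the 4 bytes following the mov edx marker (assumed to be the next
    req_num the bytecode installs), or None if the marker is absent."""
    idx = decoded.find(MOV_EDX_EBP)
    if idx < 0:
        return None
    start = idx + len(MOV_EDX_EBP)
    return decoded[start:start + 4]

# Constructed sample: a function prologue (push ebp; mov ebp, esp), the marker,
# the req_num 00 01 00 00 and a ret, all XORed with the constructed key 0x5A.
KNOWN_PROLOGUE = b"\x55\x8b\xec"
SAMPLE_RESPONSE = b"\x0f\xd1\xb6\xd1\x0f\x5a\x5a\x5b\x5a\x5a\x99"

if __name__ == "__main__":
    key = bruteforce_key(SAMPLE_RESPONSE, KNOWN_PROLOGUE)
    print("key:", hex(key), "next req_num:", next_command(xor_decode(SAMPLE_RESPONSE, key)).hex())
```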
The full script will be included with this post. For testing we used a currently live C2 of 194.165.16.40 port 40020.
Decoded, this gives us the commonly delivered bytecode, which sleeps and then performs the same request again. This makes the bot perform this ‘checkin’ over and over until it is given another command.
Awesome, so now we can either expand on this by accounting for all possible commands from the C2 or simply use this script as a way to test for payloads on a live C2 without having to actually run the bot the entire time.
TinyLoader continues to be a widespread threat to global organizations. Here we have discussed TinyLoader capabilities, infection vectors, and how to craft a script to monitor ongoing C2 commands.
Fidelis customers are protected from TinyLoader by a variety of mechanisms designed to detect malware throughout the infection chain.
Nymaim from BetaBot:
88222c301245b686535cf4f572d9fb4dd5061ab799a9e1417389759551c52ddc
Cerber from BetaBot:
91.174.91.49/encrypted.exe
cedf32b8227b0eec266dd4d73ec687e2a6a17786d6caff22c2e8b4e31bbc1679
Pivoting off the IP, we can find a large number of exe files being downloaded from it.
Running through one of the BetaBots (fc5af82d8370e248c14765070a1ed1fa) gives us the C2 structure for the campaigns.
lago333.com
lago333.xyz
lago333.site
lago333.club
Also seen later being used by both SmokeLoader and BetaBot:
lago666.online
lago666.com
lago444.com
Also some macro document campaigns related to this IP:
826c9f9da5e5f93e63e28c12213d6e1d763fba3241b7603c00a0255dd5ed42c8
037c675489bb0faeab114bbd6cf3067a pos.exe
553eb8235557a5569f31ecb598bac871 PickerHost.x32.exe
553eb8235557a5569f31ecb598bac871 printui.x32.exe
81f31223f92bf7a21a0776aad8a207d7 igfxEM.x32.exe
19a0f00423015e6493440183fcc051da dellqmgr.exe