How to hijack legitimate software to launch malware?

Sebdraven
2 min read · Feb 28, 2018

I’ve analyzed this JS dropper: https://www.hybrid-analysis.com/sample/d7abafd2d8a9fcbcc7da09cffa7006df80a42c1731287d59b2a1d71c4ee183a2?environmentId=100

The code is a bit obfuscated; after running it through a good beautifier and decoding the hex strings, it is much easier to analyze.

The interesting part is at the end of the file:

The first part of the code checks whether C:\ProgramData\abc123 exists and creates it if it does not.

Then, with the function jXxzlCXaBCDBMIA06KMKC256D7M8JHI0CC40E0, it downloads two files:

hxxp://notificachile[.]org/hooponoponod8/attrib[.]jpg

and

hxxp://notificachile[.]org/hooponoponod8/dDDDE3333inNNFIniT11118[.]jpg

The first file, 681ccc9e5bab3a23b3ce31fdc1eb8db268e79e1521e748d8f8c951d10a3a096c, is a legitimate executable developed by VMware.

The second one, d3d7b56b3b97ff71d522df66bdb59fdd6ba8e630835167c3bc57288f8d5a88ef, is a DLL, and this file is malicious: it is a banker trojan.

The dropper JS then renames this file to shfolder.dll, like this:

var AKrmjVaCK6A6MKEK7FD4K7K0KNE2JJG1C99AHK = zAtCnlAvI5CJN52A0FK7LEFD1H63G522GE15KI(_0xf4b3[24]);

If you check the import table of the legit file:

Because the malicious DLL sits in the same folder as the legitimate executable and exports the same function, SHGetFolderPathW, the trojan is loaded instead of the Windows DLL: the loader searches the application’s own directory before the system directory, so the co-located copy wins.

This technique is also used by PlugX to bypass security products. Because the software is legitimate, the security products don’t verify the DLLs it loads. It’s a fail!
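As an added illustration (not code from the original post), here is a small hunting script for the layout described above: a DLL bearing a Windows system DLL name such as shfolder.dll dropped next to an executable outside System32. The staging folder name abc123 and the banker hash come from the write-up; the exe name attrib.exe, the temp directory and the short system DLL list are assumptions.

```python
"""Hunt for DLL side-loading layouts: a DLL carrying a Windows system DLL
name (here shfolder.dll) dropped next to a legitimate executable."""
import hashlib
import os
import tempfile

# Hash of the banker DLL quoted in the write-up, used as a known-bad indicator.
KNOWN_BAD_SHA256 = {"d3d7b56b3b97ff71d522df66bdb59fdd6ba8e630835167c3bc57288f8d5a88ef"}
# Assumption: a short, hand-picked list of system DLL names that are commonly
# side-loaded; a real deployment would build it from %SystemRoot%\System32.
SYSTEM_DLL_NAMES = {"shfolder.dll", "version.dll", "dwmapi.dll", "cryptbase.dll"}


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def find_sideload_candidates(root):
    """Return (exe, dll, sha256, known_bad) for every DLL that bears a system
    DLL name and shares a directory with an .exe outside System32."""
    hits = []
    for dirpath, _, files in os.walk(root):
        if os.path.basename(dirpath).lower() == "system32":
            continue  # the genuine copies live here; skip the real system folder
        by_lower = {f.lower(): f for f in files}
        exes = sorted(n for n in by_lower if n.endswith(".exe"))
        dlls = sorted(n for n in by_lower if n in SYSTEM_DLL_NAMES)
        for exe in exes:
            for dll in dlls:
                digest = sha256_of(os.path.join(dirpath, by_lower[dll]))
                hits.append((exe, dll, digest, digest in KNOWN_BAD_SHA256))
    return hits


def demo():
    """Constructed layout mirroring the dropper: the downloaded exe (named
    attrib.exe here, an assumption) plus shfolder.dll in an abc123 folder."""
    with tempfile.TemporaryDirectory() as tmp:
        stage = os.path.join(tmp, "abc123")
        os.makedirs(stage)
        with open(os.path.join(stage, "attrib.exe"), "wb") as f:
            f.write(b"MZ placeholder standing in for the legitimate VMware exe")
        with open(os.path.join(stage, "shfolder.dll"), "wb") as f:
            f.write(b"MZ placeholder standing in for the dropped banker DLL")
        return find_sideload_candidates(tmp)
```

A hit is a candidate, not a verdict: confirm it by checking the DLL’s signature and hash against the real copy in System32, since a legitimate application may occasionally ship its own copy of a system-named DLL.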

Sebdraven

Malwarist,Threat Huntist and pythonist / core dev of #yeti/ member of @ProjectHoneynet / co-organizer #BotConf / researcher