theZoo: Win32.OnionDuke.B

Win32.OnionDuke.DLL md5: c8eb6040fd02d77660d19057a38ff769 
Win32.OnionDuke.DLL sha256: 366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b 

I turned F-Secure’s emblem for OnionDuke into a creature. (F-Secure 2015)

Overview:

Win32.OnionDuke.B is reported as one component of a backdoor that was active from 2013 to 2015. F-Secure attributes the malware to the threat actor it tracks as “The Dukes” (aka APT29, CozyBear). I am able to perform some static analysis, but due to a mixture of the malware’s complexity and my inexperience I am unable to perform much of the analysis that I had hoped to. However, we are able to find some basic indicators that give a good idea of the malware’s functionality.

Prologue:

This sample is an example of how arbitrary theZoo can be: OnionDuke has been documented as consisting of three components—Trojan-Dropper:W32/OnionDuke.A, Backdoor:W32/OnionDuke.A, and Backdoor:W32/OnionDuke.B—but only 1 of the 3 was included in theZoo. The relationship between the three isn’t entirely clear: Trojan-Dropper:W32/OnionDuke.A appears to be the executable that loads/drops the backdoors, but I haven’t seen much information regarding the difference between Backdoor:W32/OnionDuke.A and Backdoor:W32/OnionDuke.B.

The malware was interesting to the information security community because of its infection vector. During part of the campaign, a malicious Tor exit node modified executable files that users downloaded through it over unencrypted HTTP: the original executable was wrapped in a dropper which, when run, executed the original program and also dropped the backdoor payloads.

(If you are interested in who uploaded the sample to theZoo check my OSINT section below. It isn’t directly relevant to malware analysis but since the human side of malware analysis is interesting to me, I’ve investigated it as well.)

Analysis:

In my analysis, I am attempting to follow the basic process introduced in Practical Malware Analysis (PMA); that is, beginning with basic static analysis, moving to basic dynamic analysis, followed by advanced static analysis and advanced dynamic analysis. I am also experimenting with various tools to assist with my analysis.

In basic static analysis, we are trying to identify what we can learn about the malware without running the malware.

To begin the analysis, I am using Detect It Easy (DIE). Below is the basic UI output.

According to the PE header’s compile timestamp, the binary was compiled on 2013-07-05 with Microsoft Visual C/C++. (The timestamp is a field the author can set to anything, so treat it as a hint rather than a fact; here it agrees with the July 2013 compile dates F-Secure reported, which makes it more credible.)

DIE also makes viewing the Import Table and the Export Table easy. From DIE, we see that the DLL imports functionality from the following DLLs: KERNEL32.dll, USER32.dll, ADVAPI32.dll, SHELL32.dll, and ole32.dll. Looking at the imported functions gives an idea of what type of functionality OnionDuke possesses without running the DLL. (Keep in mind that the import table only shows APIs the loader resolves statically; anything the malware resolves at runtime with LoadLibrary/GetProcAddress, or calls through its own wrapper classes, will not appear here.)

Imported functions of interest:

KERNEL32.dll: CreateDirectory, WriteFile, ReadFile, DeleteFile, LoadLibrary, Sleep, GetCommandLine, IsDebuggerPresent, TerminateProcess, GetCurrentProcess (File I/O and the ability to load further modules at runtime. IsDebuggerPresent is the simplest anti-debugging check, but note that the MSVC C runtime itself imports IsDebuggerPresent, TerminateProcess, and GetCurrentProcess for its error-handling path, so on their own these three are weak evidence of deliberate anti-analysis.)

USER32.dll: PostMessage, CreateWindow, DestroyWindow

ADVAPI32.dll: RegOpenKey, RegCloseKey, RegQueryValue, RegSetValue (The malware can read and write registry values, e.g. for persistence or configuration.)

SHELL32.dll: SHGetFolderPath (this function returns the path of a known folder, such as %LOCALAPPDATA% or %TEMP%, from a CSIDL value; malware commonly uses it to build drop paths that work regardless of the user name, which fits the %LOCALAPPDATA% and %TEMP% paths Microsoft reports below.)

ole32.dll: CoInitialize, CoCreateInstance, CoUninitialize (The malware is capable of using COM to interact with other programs or Windows components.)

Exports:

This DLL also has a few entries in the Export Table: ADB_Add, ADB_Cleanup, ADB_Init, ADB_Load, ADB_Release, ADB_Remove, ADB_Setup. The names read like a plugin lifecycle API, and they are likely what the loader component calls to install, run, and clean up the DLL.

Strings

In reviewing the Strings in OnionDuke using DIE, the following are interesting to me: “AVHttpClient”, “AVNtHttpClient_UrlDownloadToFile”, “AVNtStartup_ExplorerShellFolders”.

I decided to try FireEye’s stringsifter to see which strings their machine learning identified as most interesting. Below, I have included an image of the beginning of the output to show the command to use the tool and the highest ranking strings (there are quite a few more). The sifter was useful in that it brought “UserCache.dll” to my attention.

Part of the output from FireEye’s stringsifter tool.

From these indicators, I suspect that the malware uses its exports for maintenance (install, removal, cleanup); I also suspect that it will record which programs are running, with timestamps, in order to pass that information back to the malware operator.

We can see that the malware has the ability to open and set registry keys, but the strings do not reveal which keys it sets; we can anticipate finding them during dynamic analysis or advanced static analysis.

AVNtHttpModule_UrlDownloadToFile appears to be unique to OnionDuke. These “AV…” strings are not function names: in the binary they appear as .?AV<Name>@@, which is the form MSVC uses for the RTTI type descriptor of a C++ class (.?AU<Name>@@ for a struct). So AVHttpClient, AVNtHttpClient_UrlDownloadToFile and AVNtStartup_ExplorerShellFolders are the names of C++ classes HttpClient, NtHttpClient_UrlDownloadToFile and NtStartup_ExplorerShellFolders compiled into the DLL, and the names tell us that downloading a file from a URL and the Explorer startup-folder mechanism are implemented behind the malware’s own wrappers. The import table contains no WinINet, WinHTTP or URLMon functions, so these classes presumably reach the real networking APIs at runtime (LoadLibrary is imported) rather than through static imports. In another binary that appears to be from the same author, the networking imports are encrypted with RC4, so hiding the networking layer in this way would be consistent with that author’s habits. (Note: I could not find any connection between these strings and “AVI Networks”; the resemblance in the name is coincidental.)
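To make the point about those strings concrete, here is a small added example (my code, not the author’s and not anything taken from the sample) that scans a raw file image for MSVC RTTI type-descriptor names and turns them back into readable class names. The input bytes are constructed: the class names are the ones listed above, the extra descriptors are ones found in almost any MSVC binary, and the byte layout is made up rather than a dump of the DLL.

```python
import re
from typing import List, Optional

# MSVC emits an RTTI TypeDescriptor for every class that has virtual functions
# (or is used with dynamic_cast/typeid). Its name field is a decorated name:
#   ".?AV" + scope components, innermost first, each followed by "@", then "@"  -> class
#   ".?AU" + the same                                                            -> struct
# Examples: ".?AVHttpClient@@" -> class HttpClient
#           ".?AVexception@std@@" -> class std::exception
# Template instantiations (".?AV?$name@...") use a richer grammar and are skipped here.
_KIND = {"V": "class", "U": "struct"}
_RTTI_RE = re.compile(rb"\.\?A([VU])([A-Za-z0-9_@]+?)@@")


def demangle_rtti_name(name: str) -> Optional[str]:
    """Turn one '.?AV...@@' / '.?AU...@@' descriptor name into 'class A::B' form."""
    m = re.fullmatch(r"\.\?A([VU])([A-Za-z0-9_@]+?)@@", name)
    if not m:
        return None
    kind, body = m.group(1), m.group(2)
    # Components are stored innermost-first; flip them into C++ reading order.
    return f"{_KIND[kind]} {'::'.join(reversed(body.split('@')))}"


def find_rtti_classes(blob: bytes) -> List[str]:
    """Scan raw bytes (a whole PE image is fine) for descriptor names and demangle them."""
    found: List[str] = []
    for m in _RTTI_RE.finditer(blob):
        readable = demangle_rtti_name(m.group(0).decode("ascii"))
        if readable and readable not in found:
            found.append(readable)
    return found


# Constructed input (not a dump of the DLL): the class names seen in this sample's
# strings, a few descriptors present in almost any MSVC binary, and one ordinary
# string that a correct scanner must ignore.
SAMPLE_BLOB = (
    b"\x00\x00.?AVHttpClient@@\x00\x00"
    b".?AVNtHttpClient_UrlDownloadToFile@@\x00"
    b".?AVNtStartup_ExplorerShellFolders@@\x00"
    b".?AVtype_info@@\x00"          # the CRT's own descriptor
    b".?AUIUnknown@@\x00"           # a struct (COM interface), fits the ole32 imports
    b".?AVexception@std@@\x00"      # namespaced example
    b"UserCache.dll\x00"            # ordinary string, not RTTI
)

if __name__ == "__main__":
    for cls in find_rtti_classes(SAMPLE_BLOB):
        print(cls)
```

Run it against the real file by passing open(path, "rb").read() to find_rtti_classes; the list of class names it prints is often a better map of a C++ malware sample’s internal structure than the import table, because it survives runtime API resolution. The .?AV prefix and @@ suffix are exactly why DIE and strings show these entries with the leading “AV”.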

At this point, I have been unable to launch the DLL successfully. In theory I should be able to launch it with rundll32.exe OnionDuke.dll,ADB_Setup, but contrary to my expectation this doesn’t appear to work, and I have not identified why. Two things are worth checking before blaming the sample: rundll32 calls the named export as void CALLBACK Entry(HWND, HINSTANCE, LPSTR, int), so an export such as ADB_Setup that expects arguments or state supplied by its own loader will simply misbehave or crash; and because this is a 32-bit DLL, on 64-bit Windows it has to be run with the 32-bit %SystemRoot%\SysWOW64\rundll32.exe rather than the 64-bit one in System32, which cannot load it at all.

In lieu of running OnionDuke, I examined some of the capability using FireEye’s Capa; below are the results from Capa:

Capa attempts to detect capabilities in executables and can report the addresses of the functions that exhibit them. Using it, I inspected the parts of OnionDuke in IDA Pro that were interesting, such as the anti-analysis function, setting the registry, and writing files. Capa did not find any networking capability, which is what you would expect given that no networking APIs appear in the import table: capa’s networking rules key largely on API calls, so keeping the real networking calls behind the HttpClient-style classes seen in the strings (and presumably resolving the APIs at runtime) was sufficient to hide them from capa’s automated detection.

(For those interested, capa has an IDA Pro plugin that looks amazing, provided you have IDA Pro 7.4+. The plugin gives easy access to the disassembly that capa identifies. The command-line output displayed above can give function addresses, but offers much less convenience.)

Conclusion (for now) and Reflection

At this point in my study of OnionDuke, I’ve run into what appear to be the limits of my ability. I may return to OnionDuke at a later time: there were features of OnionDuke that F-Secure reported that I had wanted to investigate, but was unable to. I may also investigate other OnionDuke binaries at some point.

In the analysis I was able to do, I identified a few elements that appeared to be important and learned some useful tools along the way. We identified UserCache.dll being referenced in the binary; from other articles, I found that this DLL has been used as a reliable indicator of compromise for OnionDuke infections, and that similarly named DLLs have been linked to other campaigns by the same author. We also saw that the networking functionality is hidden behind the malware’s own classes, which appears to be an attempt to avoid automated analysis. In terms of tools, we used stringsifter and capa from FireEye and found them useful for investigating the binary. I will continue to try these tools on other binaries and look for additional tools.

theZoo Upload: Open Source Intelligence (OSINT):

The binary for this article was uploaded to theZoo by the GitHub user Sheksa. Sheksa lists what appears to be his real name, Shahak Shalev (Shahack Shalev on LinkedIn; I suspect this is the same person, as the LinkedIn profile shows experience with companies that focus on anti-malware). Sheksa uploaded a total of 3 binaries to theZoo: Win32.OnionDuke.B, Trojan.Destroyer-Sony, and ExploitKit.0x88. OnionDuke and Destroyer-Sony were added on 2014 Dec 14. He has largely been inactive in contributing to projects on GitHub since 2017. Per his LinkedIn, he was a Cyber Security Expert with the Israel Defense Forces at the time. Other Google results suggest that he may have been part of Israel’s Unit 8200.

Further Reading:

For those interested, F-Secure published research on OnionDuke in 2014. At the time, they believed OnionDuke had been active since at least October 2013 and had seen binaries compiled in July 2013. (Our binary is also timestamped July 2013.) They reported seeing evidence that this was “revision 4” of OnionDuke. F-Secure believes OnionDuke is related to other malware from an actor group they have tracked for years; for details see their white paper listed below, “The Dukes: 7 Years of Russian Cyberespionage”.

Interesting to me is that very few IOCs (indicators of compromise) have been published for OnionDuke. F-Secure’s articles provide very little technical detail and almost no IOCs; in one of their major write-ups they deliberately obscure the domains used by OnionDuke (possibly because the domains were legitimate websites that had been compromised, but that isn’t clear). Microsoft shared more information, such as dropped files and domains contacted (reproduced below). In the last few years, the amount of sharing around malware analysis and IOCs has changed substantially, and this lack of detail may simply have been the norm in 2014.

The most interesting functionality reported for OnionDuke is its C2 beaconing: according to F-Secure, OnionDuke checks hard-coded addresses and falls back to dynamically generated Twitter handles. F-Secure was unclear whether this functionality belongs to the loader or the backdoor, but if I get the chance this is a feature I am interested in looking into, the dynamic Twitter handle generation in particular.

In regards to IOC, Microsoft’s webpage from 2017 appears to be glitchy: their section on technical indicators does not expand reliably so you cannot view the details without using the web-browser to inspect the element and modifying the page on the client-side to display the content (which is what I had to do after attempting to use the webpage with Chrome, Edge, and Safari without success.) As a result, I am copying some of the documentation here for easy access and I am saving all the referenced webpages in order to have them in case the documents become inaccessible in the future.

Files Indicating Infection (Reported by Microsoft)

%LOCALAPPDATA%\adobe\acrobat\10.0\usercache.dll
%LOCALAPPDATA%\startup\kb2898323934.lnk
%TEMP%\319c.dll
%TEMP%\biclient.exe

Registry Changes (Reported by Microsoft)

HKLM\system\currentcontrolset\control\session manager
Sets value: “PendingFileRenameOperations”
With data: “%TEMP%\biclient.exe”
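Since PendingFileRenameOperations is the one registry artifact reported for this family, here is an added example (my code, not Microsoft’s and not the malware’s) of how to decode that value the way the Session Manager does and flag the boot-time file operations an analyst would want to look at. The value is a REG_MULTI_SZ of (source, destination) pairs in NT path form; an empty destination means the source is deleted at the next boot, and a destination beginning with “!” means an existing file is overwritten. The sample value is constructed: the biclient.exe delete mirrors Microsoft’s report with %TEMP% expanded for an assumed user “analyst”, and the other entries are made up.

```python
from typing import Dict, List, Optional

# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
# is a REG_MULTI_SZ that the Session Manager (smss.exe) processes early at the
# next boot. MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT) appends (source,
# destination) pairs of NT-style paths ("\??\C:\..."). An empty destination means
# "delete source"; a destination starting with "!" overwrites an existing target.
# Malware uses it to remove its dropper after reboot, or to swap in a file that the
# running system would not let it replace. Microsoft reports exactly this value
# being set for OnionDuke with %TEMP%\biclient.exe.

NT_PREFIX = "\\??\\"


def parse_multi_sz(raw: bytes) -> List[str]:
    """Split REG_MULTI_SZ bytes into strings, keeping empty strings (they matter here)."""
    text = raw.decode("utf-16-le")
    if text.endswith("\x00\x00"):
        text = text[:-1]          # drop the list terminator, keep the last string's own NUL
    parts = text.split("\x00")
    if parts and parts[-1] == "":
        parts.pop()               # artefact of the final string's NUL
    return parts


def _win_path(p: str) -> str:
    """Strip the NT object-manager prefix so paths read like normal Win32 paths."""
    return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p


def parse_pending_renames(raw: bytes) -> List[Dict[str, Optional[str]]]:
    """Decode the value into {source, destination, action} records, in boot order."""
    entries = parse_multi_sz(raw)
    if len(entries) % 2:
        raise ValueError("PendingFileRenameOperations must hold an even number of strings")
    ops: List[Dict[str, Optional[str]]] = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        replace = dst.startswith("!")
        dst = dst[1:] if replace else dst
        ops.append({
            "source": _win_path(src),
            "destination": _win_path(dst) if dst else None,
            "action": "delete" if not dst else ("replace" if replace else "rename"),
        })
    return ops


# Heuristics: a boot-time delete of something in a temp/user-writable location is
# the classic "remove the dropper" pattern; a boot-time replace into %SystemRoot%
# is how a payload gets past a file that is locked while Windows is running.
USER_WRITABLE = ("\\temp\\", "\\appdata\\local\\", "\\users\\public\\", "\\programdata\\")


def flag_suspicious(ops: List[Dict[str, Optional[str]]]) -> List[str]:
    """Return the source paths of operations worth an analyst's attention."""
    hits: List[str] = []
    for op in ops:
        src = (op["source"] or "").lower()
        dst = (op["destination"] or "").lower()
        if op["action"] == "delete" and any(d in src for d in USER_WRITABLE):
            hits.append(op["source"])
        elif op["action"] == "replace" and dst.startswith("c:\\windows\\"):
            hits.append(op["source"])
    return hits


def multi_sz(strings: List[str]) -> bytes:
    """Encode strings as REG_MULTI_SZ (used here only to build the constructed sample)."""
    return ("".join(s + "\x00" for s in strings) + "\x00").encode("utf-16-le")


# Constructed sample value: the biclient.exe delete mirrors Microsoft's report
# (assumed user "analyst"); the other two pairs are invented for illustration.
SAMPLE_VALUE = multi_sz([
    "\\??\\C:\\Users\\analyst\\AppData\\Local\\Temp\\biclient.exe", "",
    "\\??\\C:\\Windows\\Temp\\svc.tmp", "!\\??\\C:\\Windows\\System32\\svc.dll",
    "\\??\\C:\\Users\\analyst\\Downloads\\report.part",
    "\\??\\C:\\Users\\analyst\\Downloads\\report.pdf",
])

if __name__ == "__main__":
    for op in parse_pending_renames(SAMPLE_VALUE):
        print(op)
    print("suspicious:", flag_suspicious(parse_pending_renames(SAMPLE_VALUE)))
```

On a live host the raw bytes come from winreg.QueryValueEx or a registry export; when working from an offline SYSTEM hive the key lives under ControlSet00N rather than CurrentControlSet, and the raw value bytes are what a hive parser hands you, which is why the function takes bytes. The parser deliberately does not stop at the first empty string, because the empty “destination” of a delete entry looks like a premature terminator to a naive REG_MULTI_SZ reader.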

Contacted Domains (Reported by Microsoft)

  • www[.]administraciondefincasalcoy[.]com using port 80
  • www[.]alcoyensanche[.]com using port 80
  • rombeast[.]site50[.]net using port 80
  • www[.]fakolith[.]es using port 80
  • www[.]226ers[.]es using port 80
  • bi[.]bisrv[.]com using port 80

References:

Baumgartner, Kurt and Costin Raiu. (2015, Apr 15). The CozyDuke APT. https://securelist.com/the-cozyduke-apt/69731/ Accessed 2021, Jan 28.

F-Secure. (2015, Sept). The Dukes: 7 Years of Russian Cyberespionage. https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf Accessed 2021, Jan 28.

F-Secure. (2014, Nov 14). OnionDuke: APT Attacks Via the Tor Network. https://archive.f-secure.com/weblog/archives/00002764.html Accessed 2021, Jan 28.

Kovacs, Eduard. (2014, Nov 14). OnionDuke APT Malware Distributed Via Malicious Tor Exit Node. https://www.securityweek.com/onionduke-apt-malware-distributed-malicious-tor-exit-node Accessed 2021, Jan 28.

Microsoft. (2017, Sept 15). TrojanDropper:Win32/OnionDuke.A. https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDropper%3AWin32%2FOnionDuke.A Accessed 2021, Jan 28.
