Cmstar Downloader: Lurid and Enfal's New Cousin

Reprint from Unit 42.

In recent weeks, Unit 42 has been analyzing delivery documents used in spear-phishing attacks that drop a custom downloader used in cyber espionage attacks. This specific downloader, Cmstar, is associated with the Lurid downloader also known as ‘Enfal’. Cmstar was named for the log message ‘CM**’ used by the downloader.

Unit 42 is aware of threat actors using two toolkits – MNKit and the Tran Duy Linh toolkit – to produce malicious documents that exploit CVE-2012-0158 in order to implant Cmstar. The Cmstar downloader itself has several unique and interesting features, as well as substantial infrastructure overlap with other tools worth discussing.

Manual Building of Import Address Table

The Cmstar downloader starts by manually building its import address table (IAT), much like shellcode would; however, it uses a rather unique technique. Instead of finding API function names based on their hashed values, this malware enumerates libraries’ export address table (EAT) and searches for the name of the API function the payload needs to load by using a character to offset array. The payload pairs several comma-separated lists of characters with comma-separated lists of numbers. Each list of characters consists of the set found within the API function name the payload seeks to add to its IAT, while the corresponding list of numbers specifies the offset in the function name where those characters should be placed. For example, if the payload has “D,e,A” paired with “0,5,19”, this results in the following mapping:

• “D” at offset 0 in API function name
• “e” at offset 5 in API function name
• “A” at offset 19 in API function name

The payload loads a specific Windows library’s EAT by calling the ImageDirectoryEntryToData API function using the IMAGE_DIRECTORY_ENTRY_EXPORT flag. It then enumerates the library’s EAT to find exported function names by checking each function name for the character and the specific offset. Once found, the payload adds the address for the specific API function to its IAT. For instance, the payload checks the EAT of “wininet.dll” using the comparisons mentioned above to find the address to the “DeleteUrlCacheEntryA” API function. One specific Cmstar payload that we analyzed used the character/offsets seen in Figure 1 to locate the API functions within three different Windows libraries to build its IAT.

Figure 1. Character and Offset Pairs Found in Cmstar Payload and the Resulting API Function Names

Cmstar Behavior

After manually creating the IAT, Cmstar decrypts its configuration, several encrypted strings, and a piece of shellcode. The embedded configuration contains nothing more than a URL that Cmstar uses as its command and control (C2) location. The encrypted strings within the Trojan include fields used within the HTTP requests that Cmstar will create to communicate with its C2 server, as well as additional strings used to interact with the registry. The Cmstar sample associated with the MNKIT delivery document creates the following registry key to automatically execute at system startup:

• HKCU\Software\Microsoft\Windows\CurrentVersion\Run\xpsfiltsvcs: “rundll32.exe
• C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xpsfiltsvcs.dll,XpsRegisterServer”

Unit 42 found an additional encrypted registry key that would allow Cmstar to automatically start up after reboots. However, the code does not decrypt, reference, or use the following registry key in any way, which suggests that the malware author left this artifact in the code after swapping to the run key listed above:

• HKCU\Software\Microsoft\CTF\LangBarAddIn

Cmstar also decrypts a 752-byte piece of shellcode that carries out communications with the C2 server, specifically by sending HTTP POST requests to the following URL:

• http://happy.launchtrue[.]com:8080/cgl-bin/update.cgi

It should be noted that the C2 URL contains the string ‘cgl-bin’, which visually resembles the common cgi-bin folder used by many webservers to run server-side scripts. Unit 42 used the Palo Alto Networks AutoFocus threat intelligence service to locate additional samples using the ‘cgl-bin’ string within URLs of HTTP requests and found several samples of the Cmwhite tool associated with the LURID/Enfal downloader¹, as seen in Figure 2. Figure 2. Cmwhite Tools Using “cgl-bin” within HTTP RequestsCmstar’s HTTP POST requests sent to ‘happy.launchtrue[.]com’ contain data that the Trojan gathers from the infected machine that has the following structure:<Windows Version number>@@<CPU Architecture (2 for x64, 1 for x86)>??<boolean for elevated privileges>]]**<boolean if antivirus processes are found>!!<static version string>==In one example, Unit 42 observed the following data within an analysis environment, which was then encrypted using a single-byte XOR algorithm and a key of 0x45 before being sent to the C2 server:510@@1??1]]**0!!150316o==Helpfully, the malware author writes log messages to the ‘DF64159.TMP’ file, used for debugging purposes throughout the execution of the Cmstar downloader. The log messages are abbreviated strings that describe specific activities during the execution of the code. For instance, the downloader uses the CreateMutex to create a mutex named ‘{53A4988C-F91F-4054-9076-220AC5EC03F3}’ to determine if another instance of the code is running. If the downloader determines another instance of itself is running, the code writes the string ‘CM**’ – which happens to be the basis for the name of the Trojan – to the log file. Unit 42 created a Yara signature to detect Cmstar samples based on these debugging strings, which is available in the appendix.

Hashing Process Names

As mentioned in the behavioral analysis section, the Cmstar downloader gathers system-specific information to send to the C2 server. One such piece of information is the existence of specific running processes. Many malware families and tools check for the existence of antivirus, but the Cmstar tool does so in a clever way. Rather than including a list of strings of associated processes, Cmstar enumerates the running processes and subjects these process names to a hashing algorithm. The results of this algorithm are then compared against three static values: 0x1E00AFA, 0xBEE091E8 and 0xD46FCDFA. Unit 42 reverse engineered the algorithm and created the function seen below to generate hashes in order to determine the processes Cmstar is trying to find:

Unit 42 found that the string ‘avp’ subjected to the algorithm above results in the value 0x1E00AFA, which suggests the Cmstar sample specifically looks for Kaspersky’s Anti-virus product (avp.exe) running on the compromised system. If the Trojan finds processes whose hash matches the three values mentioned earlier, it sets a boolean value (the character ‘1’) within the data sent to the C2 server and continues carrying out its functionality. Rather than altering its activities, Cmstar only notifies the C2 server if a system is running one of these processes, suggesting that the threat actors might employ this technique as a filtering mechanism to ignore analysis systems and researchers.

Threat Infrastructure

In order to determine the intrusion set involved with the Cmstar, Unit 42 enumerated infrastructure used by the downloader for its C2 servers. The related infrastructure chart in Figure 3 shows a rather large cluster of related entities with one small set of entities that do not share any related entities with the larger cluster.Figure 3. Infrastructure and Entites Related to CmstarAs seen in the chart above, the C2 domain ‘happy.launchtrue[.]com’ was originally registered using the email address ‘WANGMINGHUA6@GMAIL[.]COM’. When Unit 42 used the Palo Alto Networks AutoFocus threat intelligence service to locate additional Cmstar samples, we found several with C2 domains that also had the same original registrant:

• links.dogsforhelp[.]com
• three.earewq[.]com
• question.eboregi[.]com
• here.pechooin[.]com
• sarey.phdreport[.]com
• bakler.featurvoice[.]com

The only known Cmstar C2 domain not initially registered by the email address was help.ubxpi0s[.]com. Further analysis revealed that additional domains related to Cmstar C2 domains were also originally registered using the email address ‘WANGMINGHUA6@GMAIL[.]COM’ and updated to the current information within a few days. In addition, this was the original registrant for C2 domain used in our Google Code blog², indicating this registrant email is likely a re-seller, and/or someone who initially sets up infrastructure for particular APT threat actors.

• forever.cowforhelp[.]com
• question.shiesiido[.]com
• endline.biortherm[.]com
• right.marubir[.]com
• baby.brabbq[.]com
• lind.kruptcy[.]com

The rest of the domains related to the Cmstar infrastructure did not use the original registrant noted above, but instead kept the same information initially used to register them. The difference in domain registration patterns could indicate threat actor preference, or could indicate there are at least two groups using this malware whose infrastructure at times overlaps.

• under.suttgte[.]com
• help.ubxpi0s[.]com
• finally.basiccompare[.]com
• crystal.diskfunc[.]com
• queenfansclub[.]com
• novnitie[.]com
• flash-vip[.]com
• replyfunt[.]com
• natcongress[.]com
• keep.regebky[.]com
• love.regebky[.]com

Interestingly, the updated registrant information (or original, in the cases where it wasn’t changed) for all of the C2 domains in this blog has also been used to register scam sites, most purporting to sell knock-off designer products like shoes, software, or cell phones.  The contact emails and contact names can vary, but the address is re-used. Blue Coat noted this pattern as well in a blog published late last year, which also noted the  ‘WANGMINGHUA6@GMAIL[.]COM’ registrant email.³ It is not known whether the threat actors conducting the malicious activity are also behind the scam sites.

Conclusion

The Cmstar tool has several interesting features, including a previously unseen method of manually creating its import address table using an API function name character to offset mapping techniques, and a hashing algorithm used to find antivirus processes on an infected system. Both of these features are noteworthy and may provide the ability to correlate future tools to the same group and/or malware authors.The URL used by Cmstar to communicate with its C2 server, as well as significant infrastructure overlap, show a direct relationship between the Cmstar downloader, Lurid/Enfal and Cmwhite tools. In a majority of the cases, threat actors using the Cmstar downloader initially register the C2 domains using the email address ‘WANGMINGHUA6@GMAIL[.]COM’ and later change the registration information to include a different email address. Unit 42 cannot positively confirm that the threat actors control the ‘WANGMINGHUA6@GMAIL[.]COM’ email address, or if the email address belongs to a reseller that the threat actors buy domains from to create their infrastructure; however, we do believe this is an interesting TTP worth tracking in future infrastructure enumeration.

1. THE “LURID”DOWNLOADER – Nart Villeneuve and David Sancho – http://la.trendmicro.com/media/misc/lurid-downloader-enfal-report-en.pdf
2. Attacks on East Asia using Google Code for Command and Control – Jen Miller-Osborn and Rob Downs — http://researchcenter.paloaltonetworks.com/2014/08/attacks-east-asia-using-google-code-command-control/
3. Linking APTs from 2011 and 2014 to an Active Scam Network – Kiel Wadner – https://www.bluecoat.com/security-blog/2014-10-08/linking-apts-2011-and-2014-active-scam-network