
Leouncia – Yet Another Backdoor – Part 2

[Note: This post is continuation of my previous article]

Let's dive deeper into the internals of this powerful backdoor program.

1. Protocol Decryption

Leouncia's C&C payload decryption consists of two major phases. The first is the construction of a dynamic permutation table from a variable 128-bit key. This permutation table is then used to decrypt the actual payload.

Let me explain it step by step:

1.1 Table Construction

The main ingredient of this table construction is a 128-bit key. This key is extracted from the first 16 bytes of every payload stub. By payload stub, I mean the data left after removing the HTTP headers. The bytes after the first 16 are the actual payload to be decrypted.

As part of the table construction, 1032 bytes of memory are allocated. After skipping the first 8 bytes, the next 1024 bytes are initialized with a counter value ranging from 0x00 to 0xff. These values are assigned in chunks of 4 bytes, so 256 iterations are enough to initialize the complete buffer. Next comes the randomization of this buffer. This randomization is driven by a byte value taken from the table itself, combined with one of the key's bytes. Let's explain it using a C-style syntax.

buf = start of the 1024-byte table
A   = initialized with the start of the table
B   = initialized with the start of the key buffer
R   = initialized with 0 [kept as a single byte, so it wraps at 0x100]
i and j = two counters initialized with 0

then it happens like this:

START loop

R = R + A[i] + B[j]
SWAP (A[i], buf[R])

j = j + 1
if ( j >= 16)
    j = 0

i = i + 4

END loop (terminate after 256 iterations)

[Figure: Gen_table]

1.2 Decryption routine

Once the permutation table is ready, it's time for the actual decryption. The data after the first 16 bytes of the payload, together with the permutation table above, is passed to the decryption routine.

The logic inside the decryption routine is:

buf           = start of the 1024-byte permutation table
payload       = stub data + 16
payload_len   = size of payload
v4            = buf[4]

backup_res, backup_cnt, payload_index, cnt, res, vCnt = 0
[cnt, res and index are single bytes, so they wrap at 0x100]

START loop

cnt = cnt + 1

[take the value from buf at index cnt]
vCnt = buf[cnt]
res = v4 + vCnt

v4 = res

[save the value at index cnt into a variable]
backup_cnt = buf[cnt]

[save the value at index res into a variable]
backup_res = buf[res]

[swap the value at res with the value at cnt]
buf[cnt] = backup_res
buf[res] = backup_cnt

index = backup_cnt + backup_res

[xor the table byte at index with the current payload byte]
payload[payload_index] ^= buf[index]
payload_index = payload_index + 1

if ( payload_index >= payload_len )
    END loop

[Figure: Dec_payload]
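The two routines above (sections 1.1 and 1.2) as an added C example, not code from the original post: the table is held as 256 32-bit slots (the post's 1024 bytes), the indices are byte-sized so they wrap at 256 (an assumption the 256-slot table requires), v4 starts at buf[4] exactly as the post states, and the round-trip check uses the 16 key bytes that open the captured blob below together with a constructed plaintext. Term for term this is the RC4 key schedule and keystream generator with a 16-byte key, differing from textbook RC4 only in where v4 starts.

```c
#include <stdint.h>
#include <string.h>
#define KEY_LEN 16
#define SLOTS   256   /* 256 slots x 4 bytes = the post's 1024-byte table */
/* Section 1.1: table construction. Slots are 32-bit, so the post's "i = i + 4"
   bytes is one slot here; R is masked to a byte (assumed: only 256 slots exist). */
static void leouncia_gen_table(const uint8_t key[KEY_LEN], uint32_t S[SLOTS])
{
    for (int i = 0; i < SLOTS; i++) S[i] = (uint32_t)i;      /* counter 0x00..0xff */
    for (int i = 0, R = 0; i < SLOTS; i++) {
        R = (R + (int)S[i] + key[i % KEY_LEN]) & 0xff;        /* j cycles over 16 key bytes */
        uint32_t t = S[i]; S[i] = S[R]; S[R] = t;             /* SWAP(A[i], buf[R]) */
    }
}
/* Section 1.2: XOR the payload in place; XOR is its own inverse, so this also
   encrypts. v4 starts at buf[4] as the post states (textbook RC4 starts at 0). */
static void leouncia_crypt(uint32_t S[SLOTS], uint8_t *payload, size_t len)
{
    uint8_t cnt = 0, v4 = (uint8_t)S[4];
    for (size_t p = 0; p < len; p++) {
        uint8_t res = v4 = (uint8_t)(v4 + (uint8_t)S[++cnt]); /* cnt and res wrap at 256 */
        uint32_t backup_cnt = S[cnt], backup_res = S[res];
        S[cnt] = backup_res; S[res] = backup_cnt;             /* swap */
        payload[p] ^= (uint8_t)S[(uint8_t)(backup_cnt + backup_res)];
    }
}
/* Decrypt a C&C stub (HTTP body minus headers) in place: bytes 0..15 are the
   key, the rest is payload. Returns the payload length, or -1 if no key fits. */
static long leouncia_decrypt_stub(uint8_t *stub, size_t stub_len)
{
    uint32_t S[SLOTS];
    if (stub_len < KEY_LEN) return -1;
    leouncia_gen_table(stub, S);
    leouncia_crypt(S, stub + KEY_LEN, stub_len - KEY_LEN);
    return (long)(stub_len - KEY_LEN);
}
/* Round-trip check: encrypt `plain` under the 16 key bytes that open the post's captured
   blob, decrypt via leouncia_decrypt_stub; 1 if the table is a permutation and text returns. */
static int leouncia_roundtrip_ok(const char *plain)
{
    static const uint8_t key[KEY_LEN] = { 0x45,0xec,0xc8,0xe0,0x12,0x9a,0x29,0xcc,0xbe,0x3f,0x3e,0xb1,0x44,0x0f,0x89,0x8c };
    uint32_t S[SLOTS]; uint8_t seen[SLOTS] = {0}, stub[KEY_LEN + 64];
    size_t n = strlen(plain); if (n > 64) return 0;           /* constructed plaintext only */
    leouncia_gen_table(key, S);
    for (int i = 0; i < SLOTS; i++) if (S[i] > 255 || seen[S[i]]++) return 0;
    memcpy(stub, key, KEY_LEN); memcpy(stub + KEY_LEN, plain, n);
    leouncia_crypt(S, stub + KEY_LEN, n);                     /* encrypt */
    if (leouncia_decrypt_stub(stub, KEY_LEN + n) != (long)n) return 0;
    return memcmp(stub + KEY_LEN, plain, n) == 0;
}
```

Feeding the full captured blob below into leouncia_decrypt_stub (its first 16 bytes being the key) should produce the directory listing the post shows; if it does not, the v4 starting value is the first thing to re-check against the sample.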

The result of this decryption is that a binary buffer like:

45ecc8e0129a29ccbe3f3eb1440f898ca06a1f030f0713dedb08c01294bf
7df6d99349ed5a0a1e5a8e6e0cc1c14fe156ce0cfd5d83219dae2c91b294
fa54ff07e2032ac529a21934493fcb96aaf0823dbfabac30567a1f421171
a4fc03c5c422d2a2b8dbfe71036eac5ed558774dc6495049fa1ca97ee35a
ced0f4f750b82ead7ab30b960f16782ba25446f9380c9c80fbf2940bd1cb
00edc6377abf312c3a6c589bcab3bf6ba2fd3c47587a31376551a2f25322
269e3ffb3401eb3bcae192bca1d7d496edf077c81bea0ce50ddcef91ac05
8d58dcc4518630a642bb9781a3b20f3b4148caa1722bfb54967bcad4296e
36076740e92850eb538a6349919d5a0abbf521a35fa846c18ec88704402d
5fbc104148393c3bae01b9dcb3241b02a57756d65613dbe92ab84029a98a
05f7d28f2570224dc19c99c41d3a5d09517db13f107819b6ea71f53c87b3
8dd6db6104b2934566e7bfcea2222e799b7ed8ae81eebf1a7a0883094499
faf7680be0931d05a479b1c31d9700dfe84525f3a082cf3de897d68d64ad
f306da12435f980c9d5861cab4b0e793dfb12b27131fc303212059444ea3
1756866e333c6b9cfb9a19bb18f01c2fa9344999

will get converted into plain text like:

Volume in drive C has no label.
Volume Serial Number is 48E4-C8B8

 Directory of C:\Documents and Settings\Administrator\Desktop

12/02/2010  06:34 PM    <DIR>          .
12/02/2010  06:34 PM    <DIR>          ..
12/02/2010  06:32 PM            45,056 a.txt.exe
11/29/2010  04:10 PM            45,056 ~svohost.exe
               2 File(s)         90,112 bytes
               2 Dir(s)  66,822,197,248 bytes free


2. Payload Commands

Leouncia payload commands fall into four major categories. Each command is identified by an opcode consisting of a single character: 'y', 'n', 'c' or 'd'.

2.1  'd' – Hibernation

Like Vinself, Leouncia can hibernate itself for an extended period of time. This hibernation is controlled by a file named "readx". Once this command is received, Leouncia tries to read the "readx" file from the current directory. How does this file get created in the first place? I'll explain that later. The "readx" file contains the activation date and time in 'FileTime' format, laid out as \HIGH DATE\LOW DATE. Leouncia constructs a system time out of it and checks whether the current date and time is at or past this value. If not, it hibernates until that time comes.

Note: The routine to manage all this hibernation is also invoked at the beginning of every execution.

2.2  'c' – Prepare hibernation time

This command has the format 'c'<a value, either '1' or '2'><a number of milliseconds, or a date in the FileTime format described above>, for example c2xxxxxx or c1\xxxxxx\xxxxxxx, where each x is a character between '0' and '9'. When '2' is received as the parameter, Leouncia takes the following string as a number of seconds and hibernates for that long. In the case of '1', Leouncia treats the following string as an activation date and time and writes it into the "readx" file.
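The readx and 'c' handling from sections 2.1 and 2.2 as an added C example, not code from the original post: it parses the \HIGH\LOW decimal layout into a FILETIME (100-ns ticks since 1601), converts it to Unix seconds, derives the wake-up time a captured 'c' command implies, and applies the "at or past the stored time" check. The post's format line says milliseconds where its explanation says seconds; the example follows the explanation, and the function names, the 32-bit range check and the rejection of anything but '0'..'9' are my choices.

```c
#include <stdint.h>
#include <stdlib.h>
/* FILETIME counts 100-ns ticks since 1601-01-01 UTC; this is the tick value of 1970-01-01. */
#define EPOCH_DIFF_TICKS 116444736000000000ULL

/* Read a run of decimal digits ('0'..'9' only, as the post specifies) that fits in
   32 bits; *end receives where parsing stopped. Returns -1 on failure. */
static int64_t read_dec32(const char *p, const char **end)
{
    char *e; unsigned long long v;
    if (*p < '0' || *p > '9') return -1;
    v = strtoull(p, &e, 10);
    if (v > 0xffffffffULL) return -1;
    *end = e;
    return (int64_t)v;
}
/* Parse the "readx" contents "\HIGH\LOW" into a FILETIME value. Returns 0 on
   success, -1 if the layout is wrong or either half does not fit in 32 bits. */
static int parse_readx(const char *s, uint64_t *filetime)
{
    const char *end; int64_t hi, lo;
    if (*s != '\\' || (hi = read_dec32(s + 1, &end)) < 0) return -1;
    if (*end != '\\' || (lo = read_dec32(end + 1, &end)) < 0 || *end != '\0') return -1;
    *filetime = ((uint64_t)hi << 32) | (uint64_t)lo;
    return 0;
}
/* Activation time stored in "readx" as Unix seconds: -1 if malformed, 0 for dates before 1970. */
static int64_t readx_to_unix(const char *s)
{
    uint64_t ft;
    if (parse_readx(s, &ft) != 0) return -1;
    return ft < EPOCH_DIFF_TICKS ? 0 : (int64_t)((ft - EPOCH_DIFF_TICKS) / 10000000ULL);
}
/* Wake-up time (Unix seconds) implied by a 'c' command received at `now`:
   "c2<n>" sleeps n seconds from now, "c1\HIGH\LOW" stores an absolute FILETIME
   date (what ends up in "readx"). Returns -1 for a malformed command. */
static int64_t c_command_wake_time(const char *cmd, int64_t now)
{
    const char *end; int64_t secs;
    if (cmd[0] != 'c') return -1;
    if (cmd[1] == '2') {
        secs = read_dec32(cmd + 2, &end);
        return (secs < 0 || *end != '\0') ? -1 : now + secs;
    }
    return cmd[1] == '1' ? readx_to_unix(cmd + 2) : -1;
}
/* Section 2.1 check: dormant while the current time is still before the stored one. */
static int should_hibernate(int64_t now, int64_t wake_at) { return now < wake_at; }
```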

2.3  'n' – Miscellaneous

This is an umbrella command where the next characters represent different types of sub commands.

  This is the list of available sub commands:

  •  '1'  Enumerate the running process list, encrypt it and send it back to the CnC server.
  •  '2'  Get dynamic data from the CnC and create and write it to a file specified by the attacker.
  •  '3'  Read an attacker-specified file from the infected system and send its contents back to the CnC.
  •  '4'  Launch an attacker-specified process on the infected system.
  •  '5'  Given a pid (process id), terminate a running process.
  •  '6'  Send a list of all logical drives back to the attacker.

2.4  'y' – Spawn a Windows command prompt and run commands of the attacker's choice

This command serves as a reverse shell for the attackers. The attacker specifies commands in response to the backdoor's 'GET' requests; the backdoor component runs them through the Windows command shell and sends the output back to the CnC in the form of a 'POST'.

In my lab run, the attackers tried to run a variety of commands on my lab machine; some of them are as follows:

Note: Each command sent by the attacker is shown first, followed by the backdoor's response (the original post distinguished them by colour).

Command:  n6
Response: A:\ C:\ D:\

Command:  n3.\a.txt.exe?0
Response: MZ……

Command:  ytime /t
Response: 06:36 PM

Command:  yat 18:39 cmd.exe /c "del "C:\Documents and Settings\Administrator\Desktop~svohost.exe"
Response: Added a new job with job ID = 1

etc.

3. What's in the name?

I named this malware Leouncia because the malware uses it as a magic string while dynamically generating its random URIs. The only explanation for this string is a quick Google search showing some random person using it as an avatar name. A coincidence? Well, I am not sure.

I would like to wrap up my post here. The Leouncia analysis is an ongoing effort and can't all be explained in a short blog post, but I tried my best to cover all the significant areas.

Atif Mushtaq

Detailed Question/Comments : research {@} fireeye DOT COM
