Blog

Leouncia – Yet Another Backdoor

This is the second article in a row where I am going to disclose the presence of another new backdoor malware. I have recently seen this backdoor emerging on the threat landscape while investigating some targeted attacks. I named this malware Leouncia. Why? I'll make it clear later.

Like Vinself, Leouncia is a powerful backdoor that is designed to take complete control over the infected machine. In terms of code base, both malware look very different, but during my investigation, I found some definite design similarities. I also found additional evidence that is sufficient to link the botnet operators behind these two malware.

Are we prepared to face this threat? When I first submitted this malware to Virus Total last week, anti virus coverage for this backdoor was very limited. There were only two AVs out of 43 available on Virus Total that were able to detect it but using generic heuristics only. At this moment I can see some improvements as one more AV has recently added detection for this, making the detection rate 3 out of 42.

 

  Liouncia

 

Similar to Vinself, Leouncia also uses HTTP to carry its custom obfuscated payload. I found Leouncia's obfuscation techniques far more sophisticated than what I found within Vinself. Moreover, Leouncia tries its best to hide its presence from signature based sensors. It generates its http communication randomly by using varying levels of system information in conjunction with Windows random number generation APIs. The result is that every instance of its C&C communication will be different from the previous one.

  Cnc

 

At the moment this backdoor is communicating to a C&C at info.new-soho.com which is currently resolving to an IP address of 64.255.101.100. I was hit by a surprise when I looked into the WHOIS information for this C&C domain. The registrant of this domain is some guy 'lu jhon' who is also the registrant of one of the Vinself C&C domains ftp.winself.com.

See the screen shot below:

Winselfvssoho

 

This is a good evidence showing that the master minds behind both of these malware might actually be same.

In terms of functionality, Leouncia offers a rich set of features. At a high level, this backdoor offers four different types of commands recognized by the op codes 'y', 'n' , 'c' and 'd'. After  de-obfuscation, the first letter of every command payload will start with one of the above four letters followed by the parameters required to accomplish this command. As rule of a thumb, the backdoor will get the bot herders commands as part of an HTTP "GET Response" and the malware response back to the C&C will be given in the form of an HTTP "POST request". An intelligent technique used for granting the attacker full control over the infected system even behind corporate firewalls.

In a lab run, the attackers tried to run a variety of commands on the infected system (under my control).

Note: Text in pink are commands and in blue are response.

ydir

Volume in drive C has no label.
Volume Serial Number is 48E4-C8B8
Directory of C:\Documents and Settings\Administrator\Desktop

11/29/2010  05:43 PM    <DIR>          .
11/29/2010  05:43 PM    <DIR>          ..
11/29/2010  04:10 PM            45,056 a.txt.exe
11/29/2010  04:10 PM            45,056 svohost.exe
               2 File(s)         90,112 bytes
               2 Dir(s)  66,822,578,176 bytes free

The Remote Shell Execute: dir completed!

 

yat 18:39 cmd.exe /c "del "C:\Documents and Settings\Administrator\Desktop\~svohost.exe""

Added a new job with job ID = 1
The Remote Shell Execute: at 18:39 cmd.exe /c "del "C:\Documents and Settings\Administrator\Desktop\~svohost.exe"" completed!

etc.

I must say analyzing these targeted malware in a real time (Pirpi, Vinself and now Leouncia) is a unique experience. Just like it happens in spy movies,  you start with creating a fake setup looking identical to a normal operating environment. You leave lots of honey tokens as  bait in that system like fake documents, emails etc. You then wait like a ghost for the bot herder to logon onto this ambush.  It takes some time but sooner or later malware operators manually log into these so called victim machines and then it happens right in front of your eyes, attackers trying to steal every bit out of your system. At that very moment you can sense their presence closer than ever before.

These types of highly controlled attacks paint a very scary picture. I would like to repeat what I said earlier, there are many criminal organizations who have their own political agenda, something beyond material gains. The time has come to face this next generation of malware.

I have decided to split this article into two parts. This article (first part) was all about the high level details. In the next part, I will be discussing the low level details and inner workings of this malware. Users who are interested to learn more about this threat, can jump to my next article.

Leouncia – Yet Another Backdoor Part 2

Atif Mushtaq

Detailed Question/Comments : research {@} fireeye DOT COM

One thought on “Leouncia – Yet Another Backdoor

Comments are closed.