Flamer/sKyWIper Malware: Analysis

As widely reported elsewhere, the Flamer/sKyWIper malware has largely been attributed to yet another unknown APT actor, which appears to target various organizations in the Middle East. Its size is massive, with the core components written in Lua and modular support for other languages (e.g., C/C++). Compared to Stuxnet and Duqu, it's likely this malware framework was authored and developed in parallel, with a broader goal: comprehensive intelligence gathering.

Rather than speculate on attribution or repeat the initial analysis provided by CrySyS Lab, this blog post will focus on additional indicators of compromise that have yet to be documented elsewhere. These indicators are exceptionally useful for confirming whether or not this malware is active on a suspect system.

Mutex Activity

When the main payload (mssecmgr.ocx - bdc9e04388bda8527b398a8c34667e18) is properly executed (with all relevant modules installed) via the command "c:\windows\system32\rundll32.exe c:\windows\system32\mssecmgr.ocx,DDEnumCallback", we notice the sample generates numerous mutexes in order to synchronize the copies of itself that it simultaneously injects into various core Windows processes (e.g., services.exe, iexplore.exe, winlogon.exe) that are already running.

DLL Loaded
Imagepath: C:\WINDOWS\system32\rundll32.exe
DLL Path: C:\WINDOWS\system32\mssecmgr.ocx
MD5: bdc9e04388bda8527b398a8c34667e18
SHA1: a592d49ff32fe130591ecfde006ffa4fb34140d5

Mutex Imagepath: C:\WINDOWS\system32\rundll32.exe
Mutex \BaseNamedObjects\msstx32kgvjd5982kvfj42jf3
Mutex \BaseNamedObjects\Dynamic01ACFD8
Mutex \BaseNamedObjects\svcctrlStartMutex_A74783D
Mutex \BaseNamedObjects\c__program files_common files_microsoft shared_mssecuritymgr_ssitable

1) In general, it appears portions of the malware define mutexes where the name is the path to a file/directory on the system, with all the special characters replaced with underscores. These particular mutexes correspond to files written by the malware, likely to help each sub-process of the malware keep track of which files were written and when.

\BaseNamedObjects\c__program files_common files_microsoft shared_msaudio_audcache
\BaseNamedObjects\c__program files_common files_microsoft shared_msaudio_wpgfilter.dat
\BaseNamedObjects\c__program files_common files_microsoft shared_mssecuritymgr_mscrypt.dat
\BaseNamedObjects\c__program files_common files_microsoft shared_mssecuritymgr_ssitable
\BaseNamedObjects\c__windows_system32_boot32drv.sys

2) Some mutexes are based around keywords such as (DVAAccessGuard51EF43_ST_*, Dynamic*, msstx32*), with random numbers/characters appended at the end.

\BaseNamedObjects\DVAAccessGuard51EF43_ST_1276466823
\BaseNamedObjects\DVAAccessGuard51EF43_ST_1828812086
\BaseNamedObjects\DVAAccessGuard51EF43_ST_1882935530
\BaseNamedObjects\DVAAccessGuard51EF43_ST_2268035584
\BaseNamedObjects\DVAAccessGuard51EF43_ST_2552381995
\BaseNamedObjects\DVAAccessGuard51EF43_ST_3378709192
\BaseNamedObjects\DVAAccessGuard51EF43_ST_3540474086
\BaseNamedObjects\DVAAccessGuard51EF43_ST_3698762308
\BaseNamedObjects\DVAAccessGuard51EF43_ST_382268423
\BaseNamedObjects\DVAAccessGuard51EF43_ST_3925541371
\BaseNamedObjects\DVAAccessGuard51EF43_ST_4199649464
\BaseNamedObjects\DVAAccessGuard51EF43_ST_4278411391
\BaseNamedObjects\DVAAccessGuard51EF43_ST_4279860934
\BaseNamedObjects\DVAAccessGuard51EF43_ST_4283924476
\BaseNamedObjects\DVAAccessGuard51EF43_ST_561821132
\BaseNamedObjects\DVAAccessGuard51EF43_ST_78041531

\BaseNamedObjects\Dynamic01ACFD8
\BaseNamedObjects\DynamicE7B2D83A

\BaseNamedObjects\msstx32b98mtxntsl1142mtnt
\BaseNamedObjects\msstx32kgvjd5982kvfj42jf3

3) Another odd variation is the use of double underscores as the prefix and suffix of each name (__fajb*__), with random numbers/characters in the middle. These mutexes appear to synchronize writes to C:\Windows\Ef_trace.log, which appears to hold additional state information for the malware.

\BaseNamedObjects\__fajb2_vz35__
\BaseNamedObjects\__fajb3_i_h_s_p__

4) Aside from the (TH_POOL_SHD_PQOISNG_#PID#SYNCMTX) pattern mentioned in section 3.5 of the CrySyS report, we also observed the pattern (UPDT_SYNC_MTX_TME_ON_OFF_*_*), with numbers/dashes substituted in the middle and a numerical process ID at the end. These mutexes appear to help the malware keep track of which core Windows processes were successfully injected. For example, the following mutexes illustrate that the processes with IDs 544, 552, and 1272 were successfully injected:

\BaseNamedObjects\UPDT_SYNC_MTX_TME_ON_OFF_-1239717035_544
\BaseNamedObjects\UPDT_SYNC_MTX_TME_ON_OFF_-1239717035_552
\BaseNamedObjects\UPDT_SYNC_MTX_TME_ON_OFF_-1479756199_544
\BaseNamedObjects\UPDT_SYNC_MTX_TME_ON_OFF_-1479756199_552
\BaseNamedObjects\UPDT_SYNC_MTX_TME_ON_OFF_-2016674683_544
\BaseNamedObjects\UPDT_SYNC_MTX_TME_ON_OFF_-2016674683_552
\BaseNamedObjects\UPDT_SYNC_MTX_TME_ON_OFF_2122202994_1272
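As an added example (not from the original post and not FireEye's detection logic), the following Python triage helper classifies mutex names enumerated from a suspect host against the families described above and recovers the injected process IDs from the UPDT_SYNC_MTX names. The regex character classes and the assumption that TH_POOL_SHD_PQOISNG_#PID#SYNCMTX carries the PID substituted directly are fitted to the names shown here, not taken from the malware.

```python
import re
# Mutex families from this post (plus TH_POOL_* from CrySyS section 3.5).
# Patterns ending in a process ID capture it as group 1. The character
# classes are assumptions fitted to the names observed above.
FLAMER_MUTEX_PATTERNS = {
    "msstx32": re.compile(r"^msstx32[0-9a-z]+$"),
    "Dynamic": re.compile(r"^Dynamic[0-9A-F]{7,8}$"),
    "DVAAccessGuard": re.compile(r"^DVAAccessGuard51EF43_ST_\d+$"),
    "fajb": re.compile(r"^__fajb[0-9a-z_]+__$"),
    "svcctrl": re.compile(r"^svcctrlStartMutex_[0-9A-F]+$"),
    "UPDT_SYNC": re.compile(r"^UPDT_SYNC_MTX_TME_ON_OFF_-?\d+_(\d+)$"),
    "TH_POOL": re.compile(r"^TH_POOL_SHD_PQOISNG_(\d+)SYNCMTX$"),
    # Path-derived: drive letter, "__", path with "\" and ":" flattened to "_"
    "path": re.compile(r"^[a-z]__(?:program files|windows)_[\w .]+$"),
}

def classify(mutex):
    """Return (family, pid_or_None) for a Flamer-style mutex name, else None."""
    name = mutex.rsplit("\\", 1)[-1]  # drop the \BaseNamedObjects\ prefix
    for family, pattern in FLAMER_MUTEX_PATTERNS.items():
        m = pattern.match(name)
        if m:
            pid = int(m.group(1)) if m.groups() else None
            return family, pid
    return None

def scan(mutex_names):
    """Group hits by family and collect PIDs the malware marked as injected."""
    families, pids = {}, set()
    for mutex in mutex_names:
        hit = classify(mutex)
        if hit:
            family, pid = hit
            families.setdefault(family, []).append(mutex)
            if pid is not None:
                pids.add(pid)
    return {"families": families, "injected_pids": sorted(pids)}

# Constructed sample: names from this post mixed with benign mutexes, as a
# handle-enumeration tool would list them on a suspect host.
SAMPLE_MUTEXES = [
    r"\BaseNamedObjects\ShimCacheMutex",
    r"\BaseNamedObjects\msstx32kgvjd5982kvfj42jf3",
    r"\BaseNamedObjects\c__windows_system32_boot32drv.sys",
    r"\BaseNamedObjects\__fajb2_vz35__",
    r"\BaseNamedObjects\UPDT_SYNC_MTX_TME_ON_OFF_-1239717035_544",
    r"\BaseNamedObjects\UPDT_SYNC_MTX_TME_ON_OFF_-1479756199_552",
    r"\BaseNamedObjects\UPDT_SYNC_MTX_TME_ON_OFF_2122202994_1272",
]
```

Feeding `scan()` the mutex list from a live handle dump gives the family hits plus the PIDs worth inspecting for injected code first.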

Registry Activity

1) It appears a fake audio driver (c:\program files\micros~1\msaudio\wavesup3.drv - bdc9e04388bda8527b398a8c34667e18) is installed, as shown below. This is another vector the malware uses to maintain persistence on the compromised system.

Regkey Setval \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\"wave8" =
Regkey Setval \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\"wave9" =
Regkey Setval \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\"wave9" = c:\progra~1\common~1\micros~1\msaudio\wavesup3.drv

2) Shortly thereafter, we see registry subkeys registered under the CLSID (6994AD04-93EF-11D0-A3CC-00A0C9223196):

Regkey Setval \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_80868DEV_2415&SUBSYS_00008086&REV_01#3&13C0B0C5&0&20#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\2\Controls\0\"Control Type" = 0x70010001
Regkey Setval \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_80868DEV_2415&SUBSYS_00008086&REV_01#3&13C0B0C5&0&20#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\2\Controls\0\"Item 0" = 0x00000000
Regkey Setval \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_80868DEV_2415&SUBSYS_00008086&REV_01#3&13C0B0C5&0&20#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\2\Controls\0\"Item 1" = 0x00000001
Regkey Setval \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_80868DEV_2415&SUBSYS_00008086&REV_01#3&13C0B0C5&0&20#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\2\Controls\0\"Item 2" = 0x00000000

CLSID (6994AD04-93EF-11D0-A3CC-00A0C9223196) appears to be the Audio GUID for the KS Media sound card driver, as published by ReactOS, which is supposed to be binary compatible with Microsoft Windows. The malware performs these registry key additions as part of its ability to record audio from the compromised system's microphone.

3) Lastly, the malware appears to leverage the registry key (HKLM\SYSTEM\ControlSet001\Control\TimeZoneInformation\"StandardSize") to keep track of some sort of state information:

Regkey Setval \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation\"StandardSize" = 0x00000000
Regkey Setval \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation\"StandardSize" = 0x6910e977

At first glance, it would seem that this activity is some sort of "background noise" generated by the Windows OS; however, this particular registry key does not appear to be published in the MSDN reference guide. Currently, it is unclear why this key is used by the malware.

Next Steps

Further analysis of this malware is ongoing; as we identify other unique indicators, we will provide further updates accordingly. In general, all FireEye products are able to detect this threat using dynamic VXE analysis, and then provide additional indicators of compromise (such as those shown above) in near real time. These indicators of compromise are the actionable intelligence that incident responders can use to confirm whether this malware is present and active on suspect systems.