Backdoor.ADDNEW (DarkDDoser) and Gh0st, a match made in heaven?

At FireEye we monitor all kinds of attacks: targeted, non-targeted, and everything in between. We always try to figure out, not just how a piece of malicious code works, but also other possibilities, like whether it is related to some other malware, in what way, etc.

Gh0st has been much talked about and there is a lot of good research out there on this RAT (Remote Access Trojan). This RAT has been used in many serious attacks, and a quick Google search on the Gh0st RAT will turn up plenty of good articles that go into great detail about the versions and the inner workings of the malware. However, this post is not about Gh0st. Very recently, while investigating some of these Gh0st infections, we identified another interesting piece of malware.

We have seen Gh0st infections in the past but these infections were especially interesting as we saw Gh0st and Backdoor.ADDNEW co-existing on the same machine and even talking to the same CnC IP (31.33.33.7) using different ports. To rule out the possibility of a coincidence, we started looking at other systems that had Gh0st infections and interestingly enough some of these systems were also infected with ADDNEW. This was good enough reason for us to see what this Backdoor was trying to do. We saw the machines getting infected with Gh0st within one week of them getting infected with ADDNEW. The machines used the "Gh0st" magic keyword to beacon back to their CnCs.
WHOIS of the IP (31.33.33.7):

role:            Network Operation Centre Bouygues Telecom FAI
remarks:         Bouygues Telecom ISP
address:         Bouygues Telecom
address:         13-15 avenue du Marechal Juin
address:         92366 Meudon-la-Foret cedex
address:         France
abuse-mailbox:   abuse_box@bouyguestelecom.fr
admin-c:         LH761-RIPE
admin-c:         FT4354-RIPE
tech-c:          LH761-RIPE
tech-c:          FT4354-RIPE
nic-hdl:         NOCB1-RIPE
mnt-by:          BYTEL-MNT
source:          RIPE # Filtered

Backdoor.ADDNEW (DarkDDoser)

The malware binary is UPX compressed. When this binary is executed it drops an executable (svchost.exe) into the "Documents And Settings\<User>\Local Settings\Application Data\Microsoft" folder. The dropped binary is also UPX compressed.

The Backdoor uses a custom protocol over TCP to communicate with its CnC. The picture below shows the CnC communication of the Backdoor. Since the domain the malware was communicating with was down, we used Mandiant’s FakeNet and recorded all the communication. In the picture below you see the very first message that the infected machine sends to the CnC. The "NEW" keyword sent to the CnC tells it that this is a newly infected machine. In subsequent beacons the keyword is replaced with "OLD", as you can see in the picture below.

[Figure: First_message]

The malware also tells its CnC which port it is listening on. In the picture above "3174" is the port number that the malware is reporting to its C2. We also noticed another type of message in which the malware explicitly informs its CnC that it is awaiting further commands to act on the compromised machine.

[Figure: Addnew_cmds]

These are some of the callback channels we observed. I have highlighted some of the interesting commands that were sent from the infected machine to the CnC. The keywords highlighted in blue are the ports that the malware is using.

31.33.33.7
---------------
ADDNEW|Stable|5.1|US|Windows XP x86|Idle...|3175|NEW

31.33.33.7
---------------
ADDNEW|Zombie|5.6b|US|Windows XP x86|Idle...|3175|NEW

31.33.33.7
---------------
ADDNEW|Idle...|3.61|US|Windows XP x32|

31.33.33.7
---------------
ADDNEW|Stable|5.1|US|Windows XP x86|Idle...|4444|NEW

31.33.33.7
---------------
ADDNEW|Stable|5.1|US|Windows XP x86|Idle...|3175|NEW

31.33.33.7
---------------
ADDNEW|Idle...|My Bitch|US|Windows XP Service Pack 2|Awaiting commands

31.33.33.7
---------------
ADDNEW|Idle...|Default|US|Windows XP Service Pack 2|Awaiting commands

31.33.33.7
---------------
ADDNEW|ddoser|5.1|US|Windows XP x86|Idle...|3175|NEW

31.33.33.7
---------------
ADDNEW|Stable|5.1|US|Windows XP x86|Idle...|200|NEW
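As an added example (not FireEye's code and not the malware's own), the following Python parser turns the pipe-delimited ADDNEW beacon into structured fields, run over constructed payloads modelled on the callbacks above; it tolerates the shorter "Awaiting commands" variant and extracts the reported listen port and the NEW/OLD flag so a defender can separate first contacts from routine check-ins.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample payloads modelled on the callbacks listed above
# (destination IP, raw TCP payload); not captured traffic.
SAMPLE_PAYLOADS = [
    ("31.33.33.7", "ADDNEW|Stable|5.1|US|Windows XP x86|Idle...|3175|NEW"),
    ("31.33.33.7", "ADDNEW|Stable|5.1|US|Windows XP x86|Idle...|3175|OLD"),
    ("31.33.33.7", "ADDNEW|Idle...|3.61|US|Windows XP x32|"),
    ("31.33.33.7", "ADDNEW|Idle...|Default|US|Windows XP Service Pack 2|Awaiting commands"),
    ("31.33.33.7", "Gh0st"),            # a different family's magic, not ADDNEW
]

@dataclass
class AddnewBeacon:
    dst: str                     # C2 address the beacon was sent to
    country: str                 # field 3 in every observed variant
    os: str                      # field 4 in every observed variant
    listen_port: Optional[int]   # port the bot reports listening on, if present
    is_new: Optional[bool]       # True for NEW, False for OLD, None if absent
    awaiting_commands: bool      # the "Awaiting commands" variant

def parse_addnew(dst: str, payload: str) -> Optional[AddnewBeacon]:
    """Return a structured beacon, or None if the payload is not ADDNEW."""
    fields = [f.strip() for f in payload.split("|")]
    if len(fields) < 5 or fields[0] != "ADDNEW":
        return None
    port, flag = None, None
    for f in fields[5:]:         # trailing fields differ between variants
        if f.isdigit() and 0 < int(f) <= 65535:
            port = int(f)
        elif f in ("NEW", "OLD"):
            flag = (f == "NEW")
    return AddnewBeacon(dst, fields[3], fields[4], port, flag,
                        "Awaiting commands" in fields[5:])

def scan(payloads):
    """Parse every (dst, payload) pair and return the ADDNEW beacons found."""
    return [b for dst, p in payloads if (b := parse_addnew(dst, p))]

def new_registrations(beacons):
    """Count first-contact (NEW) beacons per C2 address for triage."""
    counts = {}
    for b in beacons:
        if b.is_new:
            counts[b.dst] = counts.get(b.dst, 0) + 1
    return counts
```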

The Backdoor has certain key functions. It is able to steal Mozilla Firefox passwords. It does this by locating the signons.sqlite database, the SQLite DB that Mozilla uses to store usernames and passwords.

[Figures: Signons, Sqlite, Moz]

Apart from stealing Mozilla passwords, the malware doubles as a DDoSer. It has the following DDoS modules:

a) UDP Flood

b) SYN Flood

c) HTTP Flood

We also observed that the malware had the following commands embedded in it.

PING

UNINSTALL

STATUS|UDP Flood Active

STATUS|SYN Flood Active

HTTP

STATUS|HTTP Flood Active

STOPFLOOD: Stops the DDoS flood

CLOSE

SHOWDNS

RESTART

DOWNLOAD: Downloads a file using the URLDownloadToFileA() API.

UPDATE: Downloads an update to a file using the URLDownloadToFileA() API.

STATUS|Executed!

PASSWORDS

FIREFOX: Uses the mechanism described above to steal Mozilla passwords

As you can see, some commands are pending research and we need to figure out how they work.

More importantly though, there are strings in the binary referencing "DarkDDOSER." One can only speculate if in some way "DarkDdoser" and the Gh0st RAT complement each other.

Reference:

http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf

MD5 Samples:
