{"id":15459,"date":"2019-05-31T10:10:03","date_gmt":"2019-05-31T18:10:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/05\/31\/news-9208\/"},"modified":"2019-05-31T10:10:03","modified_gmt":"2019-05-31T18:10:03","slug":"news-9208","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/05\/31\/news-9208\/","title":{"rendered":"Hidden Bee: Let’s go down the rabbit hole"},"content":{"rendered":"

Credit to Author: hasherezade| Date: Fri, 31 May 2019 17:32:57 +0000<\/strong><\/p>\n

Some time ago, we discussed the interesting malware, Hidden Bee<\/a>. It is a Chinese miner, composed of userland components, as well as of a bootkit part. One of its unique features is a custom format used for some of the high-level elements (this format was featured in my recent presentation at SAS<\/a>).<\/p>\n

Recently, we stumbled upon a new sample of Hidden Bee. As it turns out, its authors decided to redesign some elements, as well as the used formats. In this post, we will take a deep dive in the functionality of the loader and the included changes.<\/p>\n

Sample<\/h3>\n

831d0b55ebeb5e9ae19732e18041aa54<\/a> – shared by @James_inthe_box<\/a><\/p>\n

Overview<\/h3>\n

The Hidden Bee runs silently\u2014only increased processor usage can hint that the system is infected. More can be revealed with the help of tools inspecting the memory of running processes.<\/p>\n

Initially, the main sample installs itself as a Windows service:<\/p>\n

\"\"
Hidden Bee service<\/figcaption><\/figure>\n

However, once the next component is downloaded, this service is removed.<\/p>\n

The payloads are injected into several applications, such as svchost.exe, msdtc.exe, dllhost.exe, and WmiPrvSE.exe.<\/p>\n

\"\"<\/figure>\n

If we scan the system with hollows_hunter<\/a>, we can see that there are some implants in the memory of those processes:<\/p>\n

\"\"
Results of the scan by hollows_hunter<\/figcaption><\/figure>\n

Indeed, if we take a look inside each process’ memory (with the help of Process Hacker), we can see atypical executable elements:<\/p>\n

\"\"
Hidden Bee implants are placed in RWX memory<\/figcaption><\/figure>\n

Some of them are lacking typical PE headers, for example:<\/p>\n

\"\"
Executable in one of the multiple customized formats used by Hidden Bee<\/figcaption><\/figure>\n

But in addition to this, we can also find PE files implanted at unusual addresses in the memory:<\/p>\n

\"\"
Manually-loaded PE files in the memory of WmiPrvSE.exe<\/figcaption><\/figure>\n

Those manually-loaded PE files turned out to be legitimate DLLs: OpenCL.dll<\/a> and cudart32_80.dll<\/a> (NVIDIA CUDA Runtime, Version 8.0.61 ). CUDA is a technology belonging to NVidia graphic cards. So, their presence suggests that the malware uses GPU in order to boost the mining performance.<\/p>\n

When we inspect the memory even closer, we see within the executable implants there are some strings referencing LUA components:<\/p>\n

\"\"
Strings referencing LUA scripting language, used by Hidden Bee components<\/figcaption><\/figure>\n

Those strings are typical for the Hidden Bee miner, and they were also mentioned in the previous reports<\/a>.<\/p>\n

We can also see the strings referencing the mining activity, i.e. the Cryptonight miner.<\/p>\n

\"\"<\/figure>\n

List of modules:<\/p>\n

bin\/i386\/coredll.bin
dispatcher.lua<\/a>
bin\/i386\/ocl_detect.bin
bin\/i386\/cuda_detect.bin
bin\/amd64\/coredll.bin
bin\/amd64\/algo_cn_ocl.bin
lib\/amd64\/cudart64_80.dll
src\/cryptonight.cl
src\/cryptonight_r.cl
bin\/i386\/algo_cn_ocl.bin
config.lua<\/a>
lib\/i386\/cudart32_80.dll
src\/CryptonightR.cu
bin\/i386\/algo_cn.bin
bin\/amd64\/precomp.bin
bin\/amd64\/ocl_detect.bin
bin\/amd64\/cuda_detect.bin
lib\/amd64\/opencl.dll
lib\/i386\/opencl.dll
bin\/amd64\/algo_cn.bin
bin\/i386\/precomp.bin<\/pre>\n
And we can even retrieve the miner configuration:<\/p>\n
\n
\n