{"id":16788,"date":"2019-11-05T18:40:56","date_gmt":"2019-11-06T02:40:56","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/11\/05\/news-10527\/"},"modified":"2019-11-05T18:40:56","modified_gmt":"2019-11-06T02:40:56","slug":"news-10527","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/11\/05\/news-10527\/","title":{"rendered":"Possible New BadPatch Campaign Uses Multi-Component Python Compiled Malware"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>During our continued threat monitoring effort using a variety of sources, FortiGuard Labs came across an interesting tweet from the security researcher <a href=\"https:\/\/twitter.com\/h4ckak\/status\/1177877381471784961\">@h4ckak<\/a> about a suspicious file that looks to be a decoy file in an APT campaign. We dug deeper and found that this file might be part of a new <a href=\"https:\/\/attack.mitre.org\/software\/S0337\/\">BadPatch<\/a> campaign. BadPatch is a tag used for a set of malware that was used in a campaign with a possible link to the Gaza hackers group which was first <a href=\"https:\/\/otx.alienvault.com\/pulse\/59e9f032e9106d63ba69039a\">reported<\/a> in 2017. This group has been involved in an espionage campaign targeting the Middle East since 2012 based on the compilation timestamp of the first malware discovered. 
Since then, BadPatch has gone off our radar for almost two years.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_2123795708.img.png\/1571683041249\/badpatch-one.png\" alt=\"Fig. 1. Tweet from the researcher Ring4sky\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 1. Tweet from the researcher Ring4sky<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>In this article, we will be discussing a new malware used in this attack that we have dubbed \u2018B3hpy\u2019 (pronounced as \u2018bepai\u2019) based on the strings we found on its code.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--5 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_844427390.img.png\/1571683102276\/badpatch-two.png\" alt=\"Fig. 2. \u2018b3h\u2019 used as uid and version is Py 0.1\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 2. \u2018b3h\u2019 used as uid and version is Py 0.1<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>This malware is a multi-component python-compiled malware that has the capability to steal and exfiltrate data from targeted victims. 
We will also be discussing some patterns as proof of this malware\u2019s possible link to BadPatch.<\/p>\n<h2>Attack Vector<\/h2>\n<p>The attack sample uploaded to VirusTotal is an executable file named \u0631\u0626\u064a\u0633 \u0627\u0644\u0648\u0632\u0631\u0627\u0621 \u0645\u062d\u0645\u062f \u0625\u0634\u062a\u064a\u0647 .scr (Prime Minister Mohammad Ishtayeh .scr). Although we didn\u2019t find the initial vector from which this file came, we believe that it was distributed as an attachment to spam emails, similar to previous BadPatch attacks.<\/p>\n<p>This executable file is an SFX executable containing two files:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_120045284.img.png\/1571683229643\/badpatch-three.png\" alt=\"Fig. 3. SFX executable containing the decoy document\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 3. SFX executable containing the decoy document<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>When executed, this file opens the decoy .doc file, which contains text that looks like it was drawn from a news article from Sama News.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_956155025.img.png\/1571684027916\/badpatch-four.png\" alt=\"Fig. 4. Decoy document\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 4. 
Decoy document<\/span>         <\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_1178493710.img.png\/1571684048785\/badpatch-five.png\" alt=\"Fig. 5. News site from which the original text was probably copied\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 5. News site from which the original text was probably copied<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It also executes the file d.exe, which only works on 64-bit Windows machines. We believe, though, that a 32-bit version may also exist, as the other component files, which we will discuss later, are 32-bit executables. The d.exe file is responsible for downloading three files.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_1307798156.img.png\/1571684123621\/badpatch-six.png\" alt=\"Fig. 6. Additional files downloaded\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 6. 
Additional files downloaded<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Interestingly, the attackers host their malware files on GitHub. Some files were uploaded as long as two years ago, while others were only uploaded a few days ago. However, based on their compilation timestamps, all of them were compiled in 2017. This may mean that the attackers have been using these files since the discovery of BadPatch in 2017, and still continue to do so today. While not all of the files are used by the sample we analyzed during our testing, we believe that they can be downloaded and run by the attackers whenever they want them executed.<\/p>\n<p>hxxps:\/\/github[.]com\/jamelarebhi1980\/FilesRep<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_663054854.img.png\/1571684203774\/badpatch-seven.png\" alt=\"Fig. 7. Component files hosted on GitHub\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 7. Component files hosted on GitHub<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The files Bios.333 (saved as C:\\ProgramData\\drivers\\sn3337.exe) and Bios.111 (saved as C:\\ProgramData\\drivers\\Bios.exe) are then executed. 
The file sn3337.exe only sets an auto-start registry entry for the file Bios.exe.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_12313775.img.png\/1571684255065\/badpatch-eight.png\" alt=\"Fig. 8. Auto-start mechanism\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 8. Auto-start mechanism<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The file Bios.exe is a 32-bit Python 3-compiled executable. It is compiled using <a href=\"https:\/\/www.pyinstaller.org\/\"><i>PyInstaller<\/i><\/a>, which is a program that packages programs written in Python into stand-alone executables. This means that there is no need to install Python on the machine in order to execute the Python program. This file is the main malware component that initially communicates with the command and control server (C2) to download and install other component files. The 1.txt file contains base64 encoded data that, when decoded, contains the link to its copy (which can be used to update the C2 address to be used by the malware) on GitHub, along with the address of the C2 server.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_17731150.img.png\/1571684334035\/badpatch-nine.png\" alt=\"Fig. 9. 1.txt containing the C2 address\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 9. 
1.txt containing the C2 address<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Shift to Python-Compiled Malware<\/h2>\n<p>Earlier reports on BadPatch mentioned malware compiled with C++, Delphi, Visual Basic, and AutoIt. Even Android malware was used in those campaigns.<\/p>\n<p>Though the hacker group that launched the BadPatch campaign used a variety of compilers, the code logic in some of the malware they used in their previous attacks is very similar to that of the new Python-compiled malware.<\/p>\n<h2>B3hpy Malware Analysis<\/h2>\n<p>In order to extract and analyse the Python script and the packages it uses, we need to use a tool in <i>PyInstaller<\/i> named <i>pyi-archive_viewer<\/i>. With <i>pyi-archive_viewer<\/i>, we can extract the main file, which in this case is named \u201cm6937.\u201d<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_2128220914.img.png\/1571684431507\/badpatch-ten.png\" alt=\"Fig. 10. pyi-archive_viewer showing files contained in the package\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 10. pyi-archive_viewer showing files contained in the package<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The extracted file is a .PYC file, which contains compiled Python bytecode. When a Python script (.PY) is run, Python compiles the script to bytecode (.PYC) before executing it. 
In order to decompile the code, we can use a tool called <i>uncompyle6<\/i>.<\/p>\n<p>Once decompiled, the code is pretty straightforward.<\/p>\n<p>It first creates two files. One contains the text \u2018b3h\u2019 and the other contains the network adapter\u2019s MAC address.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_29894525.img.png\/1571684493741\/badpatch-eleven.png\" alt=\"Fig. 11. Files containing the UID and MAC address\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 11. Files containing the UID and MAC address<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It then performs an initial communication with its C2, whose address it reads from the file 1.txt.<\/p>\n<p>All of its C2 communications start by sending a GET request to the path \/api\/v1\/url, which returns a list of parameter names that will be used when sending POST requests to the C2.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_879136518.img.png\/1571684548732\/badpatch-twelve.png\" alt=\"Fig. 12. GET request to C2 to get parameter names to be used for the POST request\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 12. 
GET request to C2 to get parameter names to be used for the POST request<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Interestingly, the parameter names that the C2 provides are combinations of Latin words (two or three Latin words joined into one word). For example, \u201cFugiatodio\u201d is a combination of \u201cfugiat\u201d and \u201codio\u201d, which translates to \u201cshun hatred\u201d. We searched for these strings from the C2 and found an interesting text file hosted on <a href=\"https:\/\/gist.github.com\/soullivaneuh\/acc9c0ec725f094bcfbd\">GitHub<\/a> that contains many of these strings. However, we don\u2019t know if this is coincidental or if it really has been copied and used by the attackers.<\/p>\n<p>The initial information it sends to the C2 contains the machine\u2019s computer name, version (probably the malware version \u2018Py version 0.1\u2019), MAC address, the text \u2018Hi, Connect \u2019, and the uid \u2018b3h\u2019. It does this by sending a POST request to the path \/api\/v1\/logs using the parameter names obtained from the C2.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_1859765222.img.png\/1571684624761\/badpatch-thirteen.png\" alt=\"Fig. 13. POST request to C2 containing machine information\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 13. 
POST request to C2 containing machine information<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Next, it sends a list of files and directories found in the following folders:<\/p>\n<p style=\"margin-left: 40.0px;\">%ProgramFiles%<\/p>\n<p style=\"margin-left: 40.0px;\">%ProgramFiles (x86)%<\/p>\n<p style=\"margin-left: 40.0px;\">%Windows%\\Microsoft.NET\\Framework<\/p>\n<p style=\"margin-left: 40.0px;\">%Windows%\\Microsoft.NET\\Framework64<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_715153581.img.png\/1571684661340\/badpatch-fourteen.png\" alt=\"Fig. 14. POST request to C2 containing list of files in specific folders\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 14. POST request to C2 containing list of files in specific folders<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Only after performing this initial communication with the C2 does it check for an active internet connection, which it does by connecting to http:\/\/www.google.com. Logically, this order should be the reverse.<\/p>\n<p>If there\u2019s an active internet connection, it tries to download and execute other malware components.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_739637887.img.png\/1571684712040\/badpatch-fifteen.png\" alt=\"Fig. 15. 
Downloading and executing component files\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 15. Downloading and executing component files<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The response contains data in JSON format with two keys:<\/p>\n<ul>\n<li>\u2018files\u2019: flag to send a notification to the C2 before downloading components<\/li>\n<li>\u2018data\u2019: contains a list of objects<\/li>\n<\/ul>\n<p>The \u2018data\u2019 key contains a list of objects that have six attributes:<\/p>\n<ul>\n<li>\u2018id\u2019: service id of the component<\/li>\n<li>\u2018name\u2019: probably the component name<\/li>\n<li>\u2018enabled\u2019: install or remove a component<\/li>\n<li>\u2018download\u2019: probably a flag to download the component<\/li>\n<li>\u2018url\u2019: base64 encoded download URL of the component<\/li>\n<li>\u2018flag\u2019: start or stop the component<\/li>\n<\/ul>\n<p>The files it downloads are ZIP compressed.<\/p>\n<p>At the time of this writing, we haven\u2019t receive a response to download any component file.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_1330131685.img.png\/1571684781346\/badpatch-sixteen.png\" alt=\"Fig. 16. No download response from the C2\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 16. 
No download response from the C2<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>However, we believe that these components are also the ones we can find on the GitHub repo, with names having the format sp6937{component digit}.zip.<\/p>\n<h2>Looking at Component Files<\/h2>\n<p><b><i>sp69372.zip<\/i><\/b><\/p>\n<p>This component gets a list of files with the following extension names:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_557825441.img.png\/1571687131709\/badpatch-seventeen.png\" alt=\"Fig. 17. Extension names of files to list\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 17. Extension names of files to list<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It lists the files in order of the <i>priority<\/i> of the location where the files were found. Here is the list of folders ordered by their <i>priority<\/i>:<\/p>\n<ul>\n<li>%HomePath%\\Desktop or %HomePath%\\\u0633\u0637\u062d \u0627\u0644\u0645\u0643\u062a\u0628<\/li>\n<li>%HomePath%\\Documents or %HomePath%\\\u0645\u0633\u062a\u0646\u062f\u0627\u062a<\/li>\n<li>Drives other than C:<\/li>\n<li>Directories on the C: drive other than those mentioned above<\/li>\n<\/ul><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_1203445280.img.png\/1571687265444\/badpatch-eighteen.png\" alt=\"Fig. 18. 
Folder priority\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 18. Folder priority<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It then sends the data gathered to the attackers via SMTP using the following information:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--5 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_857259123.img.png\/1571687380130\/badpatch-nineteen.png\" alt=\"Fig. 19. SMTP information\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 19. SMTP information<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b><i>sp69373.zip<\/i><\/b><\/p>\n<p>This component exfiltrates specific files from the victim machine specified by the attackers. It sends a POST request to the path <i>\/devices\/settings\/all<\/i> with the MAC address of the victim machine to get a list of files (along with the specific file path, file type, or file name) to steal.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_35245962.img.png\/1571687489225\/badpatch-twenty.png\" alt=\"Fig. 20. Exfiltrate specific files\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 20. 
Exfiltrate specific files<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It then sends the files via SMTP also using the SMTP information mentioned above.<\/p>\n<p><b><i>sp69374.zip<\/i><\/b><\/p>\n<p>This component captures screenshots of the victim machine. It first captures a screenshot of the current display then gathers screenshots from windows with specific window texts. Some are related to internet browsers, the social networking site Facebook (also in Arabic), the instant messaging service Telegram, and the video-sharing site YouTube.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_1772712051.img.png\/1571687551442\/badpatch-twone.png\" alt=\"Fig. 21. List of window texts from which to take screenshots\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 21. List of window texts from which to take screenshots<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It sends the screenshots via SMTP, also using the SMTP information mentioned above.<\/p>\n<p><b><i>sp69375.zip<\/i><\/b><\/p>\n<p>This component gets a list of files with the following extension names from the recently opened files.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_471583542.img.png\/1571687680937\/badpatch-twtwo.png\" alt=\"Fig. 22. 
Extension names of files to list\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 22. Extension names of files to list<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It does this by enumerating all files in the %AppData%MicrosoftWindowsRecent folder and checking if their target paths contain the above extension names.<\/p>\n<p>It sends the list of files via SMTP also using the SMTP information mentioned above.<\/p>\n<p><b><i>sp69376.zip<\/i><\/b><\/p>\n<p>This component exfiltrates files with the following extension names from attached USB drives:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_1107715655.img.png\/1571687804134\/badpatch-tw-three.png\" alt=\"Fig. 23. Extension names of files to exfiltrate\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 23. Extension names of files to exfiltrate<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It then sends the files via SMTP, also using the SMTP information mentioned above.<\/p>\n<p><b><i>sp69377.zip<\/i><\/b><\/p>\n<p>This component steals saved user passwords from Google Chrome\u2019s Login Data.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_1409947786.img.png\/1571687850969\/badpatch-tw-four.png\" alt=\"Fig. 24. 
Stealing saved passwords from Chrome\u2019s Login Data<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It then sends the stolen data via SMTP, also using the SMTP information mentioned above.<\/p>\n<h2>Top Five Victims by Country<\/h2>\n<p>As expected, the highest concentration of victims was in Palestine, as shown below. Interestingly, there is a small volume of victims from countries that are not in the Middle East. However, these are probably from the sandboxes of researchers, or even the attackers themselves testing their malware.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_1361668499.img.png\/1571687900485\/badpatch-twfive.png\" alt=\"Fig. 25. Victims by Country\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 25. Victims by Country<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Possible BadPatch Link<\/h2>\n<p>BadPatch is a tag used for a set of malware written in Visual Basic (VB) and AutoIt, along with Android malware, which was first <a href=\"https:\/\/otx.alienvault.com\/pulse\/59e9f032e9106d63ba69039a\">reported<\/a> in 2017. Based on this article, the nature of the activity and some of the malware artifacts on the related IP address suggest a possible link to the Gaza Hackers group. 
We will not go further to find a link to the Gaza Hackers group, but we will provide some evidence that \u2018B3hpy\u2019 may be part of BadPatch.<\/p>\n<p>Let\u2019s first take a look at the C2 address. The C2 is hosted at tstapi[.]pal4u[.]net. The domain pal4u[.]net has already been mentioned as hosting the BadPatch malware in the above-mentioned article, so it is possible that the group behind this malware is also the group behind the 2017 BadPatch malware. Next, we looked at the BadPatch set of malware and found some patterns it shares with \u2018B3hpy\u2019.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_1668622765.img.png\/1571688097453\/badpatch-twsix.png\" alt=\"Fig. 26. BadPatch malware table\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Fig. 26. BadPatch malware table<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The malware used in the earlier campaign is very similar to the Python malware in terms of the method of data exfiltration, the data it gathers, the SMTP credentials format, and the requested URL path where it gets\/sends additional information. Also, similar to this Python malware, some of the samples came bundled in an executable together with their decoy document.<\/p>\n<h2>Conclusion<\/h2>\n<p>The malware used in this campaign is not very sophisticated, and is very similar to BadPatch. In fact, it looks like the same malware used in BadPatch campaigns of the past, only ported to a different programming language. At the least, this shows that classic tricks remain adequate to launch a successful espionage campaign. 
This also shows that the use of free services like GitHub, Pastebin, cloud hosting sites, etc. in APT attacks will continue since traffic going to these sites cannot be immediately blocked as they are legitimate sites.<\/p>\n<h2>Solution<\/h2>\n<p>Fortinet detects all the B3hpy samples as Python\/B3hpy.A!tr.<\/p>\n<p>Malicious URLs related to this malware are blocked by FortiGuard Web Filtering Service.<\/p>\n<p>-= FortiGuard Lion Team =-<\/p>\n<h2>IOCs<\/h2>\n<p>C2 server:<\/p>\n<p>tstapi[.]pal4u[.]net<br \/> 195[.]154[.]216[.]74<br \/> github[.]com\/jamelarebhi1980\/FilesRep<\/p>\n<p>Files:<\/p>\n<p><i>Learn more about\u00a0<a 
href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">FortiGuard Labs<\/a>\u00a0and the FortiGuard Security Services\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions.html?utm_source=blog&amp;utm_campaign=2018-blog-security-services\">portfolio<\/a>.\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">Sign up<\/a>\u00a0for our weekly FortiGuard Threat Brief.<\/i><\/p>\n<p><i>Read about the FortiGuard\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/security-rating.html?utm_source=blog&amp;utm_campaign=2018-blog-security-rating-service\">Security Rating Service<\/a>, which provides security audits and best practices.<\/i>\u00a0<\/p>\n<\/p><\/div>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/badpatch-campaign-uses-python-malware\/_jcr_content\/root\/responsivegrid\/image_2123795708.img.png\/1571683041249\/badpatch-one.png\"\/><br \/>Read FortiGuard Labs&#8217; analysis of a potential new BadPatch campaign, which uses a multi-component python-compiled malware to steal and exfiltrate data from its targets.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-16788","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16788","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16788"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16788\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16788"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16788"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16788"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
