{"id":24300,"date":"2024-04-15T18:46:18","date_gmt":"2024-04-16T02:46:18","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/04\/15\/news-18030\/"},"modified":"2024-04-15T18:46:18","modified_gmt":"2024-04-16T02:46:18","slug":"news-18030","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/04\/15\/news-18030\/","title":{"rendered":"Smoke and (screen) mirrors: A strange signed backdoor"},"content":{"rendered":"

Credit to Author: Matt Wixey| Date: Tue, 09 Apr 2024 19:08:05 +0000<\/strong><\/p>\n

\n

In December 2023, Sophos X-Ops received a report of a false positive detection on an executable signed by a valid Microsoft Hardware Publisher Certificate. However, the version info for the supposedly clean file looked a little suspicious.<\/p>\n

\"A<\/a><\/p>\n

Figure 1: Version info of the detected file. Note the typos \u2018Copyrigth\u2019 and \u2018rigths\u2019<\/em><\/p>\n

The file\u2019s metadata indicates that it is a \u201cCatalog Authentication Client Service\u201d by \u201cCatalog Thales \u201d \u2013 possibly an attempt to impersonate the legitimate company Thales Group. However, after digging into both our internal data and reports on VirusTotal, we discovered that the file was previously bundled with a setup file<\/a> for a product named LaiXi Android Screen Mirroring<\/a>, \u201ca marketing software\u2026[that] can connect hundreds of mobile phones and control them in batches, and automate tasks like batch following, liking, and commenting.\u201d<\/p>\n

It’s worth noting that while we can\u2019t prove the legitimacy of the LaiXi software \u2013 the GitHub repository has no code as of this writing, but contains a link to what we assume is the developer\u2019s website \u2013 we are confident that the file we investigated is a malicious backdoor.<\/p>\n

This isn\u2019t the first time Sophos X-Ops has seen threat actors abusing the Microsoft Windows Hardware Compatibility Program (WHCP). In December 2022, almost exactly a year before conducting this research, we reported that attackers had deployed cryptographically-signed drivers<\/a> in a failed attempt to disable Sophos endpoint security products. Those drivers, variants of BURNTCIGAR\/POORTRY<\/a> (an EDR killer sold on criminal forums and linked to ransomware gangs such as LockBit and CUBA) were signed with a legitimate WHCP certificate. However, other than the abuse of WHCP, we didn\u2019t observe any evidence that the December 2023 backdoor is in any way linked to that earlier EDR killer.<\/p>\n

Just as we did in 2022, we immediately reported our findings to the Microsoft Security Response Center. After validating our discovery, the team at Microsoft has added the relevant files to its revocation list<\/a> (updated today as part of the usual Patch Tuesday cycle; see CVE-2024-26234).<\/p>\n

While writing this article, which is based on our independent research into this backdoor in December 2023, we became aware that Stairwell had published its own article<\/a> on this topic in January 2024, based on information in a tweet by Johann Aydinbas<\/a> (also in January 2024). Our research validates and expands on some of those findings.<\/p>\n

Picking up the trail<\/h1>\n

As noted above, the threat actor behind the malicious file managed to obtain a Microsoft Windows Hardware Compatibility Publisher signature from Microsoft, so we started our analysis from there.<\/p>\n

\"A<\/a><\/p>\n

Figure 2: Signature of Catalog.exe<\/em><\/p>\n

Authenticode<\/a> is a Microsoft code-signing security measure, which identifies the publisher of an application and provides verification that the application hasn\u2019t been modified since it was signed and published. Fortunately, Microsoft provides code snippets<\/a> on how to process these signatures and extract further metadata from them. One of the pieces of information we were able to extract was the original requesting publisher.<\/p>\n

\"A<\/a><\/p>\n

Figure 3: Extracting the original requesting publisher from the malicious file<\/em><\/p>\n

In this case, the original requesting publisher is Hainan YouHu Technology Co. Ltd, which is also shown as the publisher of the LaiXI software.<\/p>\n

\"A<\/a><\/p>\n

Figure 4: Hainan YouHu Technology Co. Ltd is also shown as the publisher of the LaiXi application<\/em><\/p>\n

We have no evidence to suggest that the LaiXi developers deliberately embedded the malicious file into their product, or that a threat actor conducted a supply chain attack to insert it into the compilation\/building process of the LaiXi application. However, we will note that given the links between LaiXi and the malicious backdoor we investigated \u2013 and the length of time those links have existed (since at least January 2023, as we\u2019ll discuss shortly) \u2013 users should exercise extreme caution when it comes to downloading, installing, and using LaiXi.<\/p>\n

Technical analysis<\/h1>\n

The suspicious file embeds a tiny freeware proxy server, called 3proxy<\/a> \u2013 a sketchy feature for an authentication client. We assess that this embedded binary is intended to monitor and intercept network traffic on an infected system.<\/p>\n

\"A<\/a><\/p>\n

Figure 5: Strings relating to the embedded proxy server within the malware<\/em><\/p>\n

When the file executes, it installs itself as a service called \u2018CatalogWatcher\u2019, with a service description of \u2018Google ADB LoaclSocket [sic] Multi-threading Graphics API\u2019 \u2013 a complete mismatch for the file version information shown in Figure 1. While we can\u2019t confirm it, we assess that this is connected to link to a setup file for the LaiXi Android software, and an attempt to trick infected users into believing that the service is legitimate.<\/p>\n

\"A<\/a><\/p>\n

Figure 6: The function for creating the CatalogWatcher service<\/em><\/p>\n

Once the service runs, the malware queues a new work item\/thread via QueueUserWorkItem to the threadpool. Once the process has enough resources available, the malicious thread starts. This thread embeds the core functionality of the backdoor itself.<\/p>\n

Interestingly, this function starts with an attempt to call the function VmProtectBeginVirtualization(), which is an export of the VMProtectSDK32.DLL by VMProtect.<\/p>\n

\"A<\/a><\/p>\n

Figure 7: Start of function for C2 communication<\/em><\/p>\n

As per the VMProtect user manual<\/a>, this function is used to define areas of code to protect via obfuscation and virtualization. Legitimate software developers often use virtual machine-based code protection to help prevent applications from being reverse-engineered \u2013 but threat actors also abuse it to try and thwart malware analysis. For more detail on reverse-engineering applications that use virtual machine-based protection, see a blog I wrote on my personal site<\/a> a few years ago. In this case, the function is not properly obfuscated. We conclude that the threat actor may have intended to do this, but failed for some unknown reason.<\/p>\n

We also note that the POORTRY\/BURNTCIGAR samples we reported to Microsoft in December 2022 were packed with VMProtect. Back then, we already suspected that the attackers were using commercial packers such as Armadillo or VMProtect to hide the software\u2019s malicious intent and get their drivers signed. It is possible that the threat actor behind this backdoor was attempting to do the same (although we should point out that the use of obfuscation, packers, and virtualization \u2013 including VMProtect \u2013 is very common across many malware developers).<\/p>\n

The C2 server string \u201ccatalog[.]micrisoftdrivers[.]com\u201d \u2013 a lookalike domain of microsoftdrivers[.]com – is decrypted via a simple XOR operation. A Python reimplementation of the decryption routine is below:<\/p>\n

# Decrypts to catalog[.]micrisoftdrivers[.]com  s = \"c`vbhja)e`iye~aidu`zbpdd6zuv\"  cc = \"\"  i = 0  while i < len(s):      ch = chr((ord(s[i]) ^ i))      cc += ch      i += 1<\/pre>\n
Threat hunting<\/h1>\n
Finally, we wanted to determine if the threat actor had embedded the same payload into other products. We checked both our own telemetry and other sources, but saw no evidence that the backdoor has been bundled with anything other than LaiXi. We did, however, find multiple other variants \u2013 some of which were linked to a file named \u2018Laixi_Update_1.0.6.7_b.exe\u2019, indicating that other files, not just the setup installer, contain the malicious backdoor.<\/p>\n
We\u2019ve classified all the samples we discovered into four groups, based on the compilation timestamp.<\/p>\n
\"A<\/a><\/p>\n
Figure 8: The four groups of samples and their chronological classifications<\/em><\/p>\n
While the compilation timestamp of a PE file can be faked, we looked at the time delta between the moment the file was compiled and the time it initially appeared in our systems, and assess that the compilation stamps are likely genuine.<\/p>\n