Zero Day Malware Discovered: Wonder Botnet

Introduction

Surfing the darknet, we found a forum in which some users shares many cracked software each other. One of these software promises to generate Premium Account for Netflix services for free. So we decided to analyze it. With our surprise, we discovered that it is a malware (without generating any Netflix account, unfortunately).

This malware is not indexed yet: only one site on the Clearnet takes track of it and it was uploaded for the first time around September 20^th, probably by the author in order to test its stealthy. Studying the malware, we realized that it is a bot that belongs to an alive botnet. We were able to estimate the size of the botnet analyzing the number of visits to the Pastebin page that contains the payload. In fact, the malware is composed by a first part, which is a downloader for a second part, which is a real bot, just uploaded on Pastebin.

Figure 1 – Number of visits on Pastebin page

There is no existing report, obviously, about this sample. So, we need to analyze in deep the malware to understand its complete behavior.

Basic static Analysis

Downloader

Filename: wonder.exe

MD5	486954967e02a2e1577bd7dd91026102
SHA-1	27b2fc98c91dddf002cda77da3f44cf9a05d7fba
SHA-256	c3f5f5bfe39b55ffe0343950e0a4bf0433c35679a01daf07ce6c0ccc7d4da9b7
File size	365 KB

Table 1 – Generic Info about Wonder Downloader

Sections

Table 2 – Info about Wonder Downloader’s Sections

Payload/Bot

Filename: payload.exe

MD5	84fdcb1f23f592543381c85527c19aaa
SHA-1	cc2f96a2f4dbc4b0176bab37c22a48ebfe1bac06
SHA-256	15d390626fea8d06adc261e0588ec40d17b6a62a2320313073ba94809c5e0f4d
File size	205 KB

Table 3 – Generic Info about Wonder Bot

Sections

Table 4 – Info about Wonder Bot’s Sections

Using some static analysis tools, such as PEiD, we discovered that the malware is based on .NET Framework and it is written in C#.

Figure 2 – PEiD view

Behavioral Analysis

The infection starts with the execution of the “wonder.exe” file, which is the downloader of the effective payload. The downloader tries to connect to “pastebin.com” in order to retrieve the encoded payload. Otherwise, if there isn’t internet connection, the file “wonder.exe” crashes with the following screen.

Figure 3 – Wonder crash screen

In a standard condition, in which the internet connection is up, the downloader retrieves from “https://pastebin.com/raw/E8ye2hvM” the bot payload to execute.

When the payload starts, in the first time it tries in vain to resolve the domain “wiknet.mooo.com” because it’s not registered. Successively, it resolves “wiknet.wikaba.com” to the IP “104.200.67.190”.

Figure 4 – DNS traffic of the malware

Accessing to this site using a browser, we have the following screen:

Figure 5 – Fake site screen

This is a fake page of another existing site, “www.support.com”, which has the same front-end page. The interesting thing about the fake page is that every link on it refers to the original page: so, if we click on one link of them, we are redirected on the corresponding page on “support.com”.

At this point, the only reasonable hypothesis is that this IP refers to a Command and Control.

From the point of view of the behavioral analysis, the only suspicious activities found are:

The DNS requests showed in Figure 3.
The creation of a file in “AppData/Local/Temp” path, probably used as support for the bot actions.
The persistence mechanism, adding to “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup” a link to itself.

All the traffic between the bot and the C2C is on TLSv1 layer, so we can’t see.

Advanced analysis

Using specific tools to analyse .NET applications, we deobfuscated and decompiled the bot and we found much more information about it.

Evasion Techniques

As all the sophisticated malwares, it applies some evasion techniques in order to avoid the detection and the analysis:

Figure 6 – Searching of VBox libraries

In the Figure 5 we can see that the malware searches for some specific virtualization software libraries, such as “vmGuestLib.dll” and “vmbusres.dll”, in order to realize that it is in a virtual environment and do not show its malicious behavior. In fact, if its conditions are verified, it can kill itself or show the following windows:

Figure 7 – Evasion technique

Malware’s control flow

With our advanced techniques, we extracted the complete working scheme of the malware.

Figure 8 – Complete scheme of the malware’s behavior

As above mentioned, the malware’s logic can be divided in two parts: downloader logic and bot logic.

Downloader Logic:

Check Internet connection: the first stage is control whether the connection is present. If it isn’t the malware kill itself.
Download the payload from “pastebin.com/raw/E8ye2hvM”: the payload is codified in Base64 and it is incapsulated into a GZ archive.

Figure 9 – Raw data of the payload

Decode and extract the retrieved payload.
Execute the payload: the bot is executed in the same address space of the downloader.

Bot Logic:

Create Startup link: the persistence mechanism is implemented adding to “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup” a link to the file that contains the downloader, for two reasons:
- The payload will be downloaded on every reboot of the machine, so the bot code could be modified by the author, who could implement new features.
- The bot code is loaded in the downloader’s memory space so it is never written on the disk of victim’s machine.
Check Internet connection: if it isn’t present the bot waits for it.
Connect first to “wiknet.mooo.com” without response. After it resolves “wiknet.wikaba.com” to the IP address “104.200.67.190”.
Send POST request to the “/FeedBack.php” path: the bot reveals its existence to the C2C sending a request with the “User-Agent” header with its own Bot_ID (which we successively deepen).
Find commands files already downloaded: the bot searches the commands downloaded in the previous contact with C2C, which are stored in some files in the “AppData/Local/Temp” path.
Send info about the system and retrieve new commands at “/CheckVersion.php” path: the bot sends all the info gathered about the victim machine to the C2C through a POST request at the specified path. The response contains the new command that will be execute by the bot.
Execute the command just received.

Bot ID creation

Because of its “bot nature”, once installed on the victim machine, the bot has to create an ID for identify itself into the botnet. This ID is forged encrypting some host information using MD5 algorithm and adding a static string to it.

Figure 10 – Bot ID creation

Commands List

The bot receives some commands from C2C. Through the advanced analysis we have reported a list of all available commands. Some commands, at this time, are not implemented yet. The list of commands is:

KEYWORD	Add all files contained in a specific folder into a rar archive
KEY	Create a file “ky” in the path. This file is a trigger to upload all info gathered to the C2C at the path “/log.php”
KEYS	Delete the “ky” file
REUPLOAD	Contact the C2C at the path “/FeedBack.php”
RESTARTME	Restart the bot
BLOCK	Create the kill switch and stop the bot
SCREEN	Take a screenshot
LAN	Create a file “LA” in the path. This file is a trigger to a feature not implemented yet.
LANS	Delete the “LA” file
USB	Create a file “us”+BOT_ID in the path. This file is a trigger to infect Removable Devices.
USBS	Delete the “us”+BOT_ID file
HD	Create a file “hd”+BOT_ID in the path. This file is a trigger to infect Hard Drives.
HDS	Delete the “hd”+BOT_ID file
SHUTDOWN	Shutdown the system
RESTART	Reboot the system
PROCANDSOFT	List all active processes and all installed softwares
DEL-TEMP	Delete all files in “AppData/Local/Temp” path
RAR	Create a RAR archive adding to it all the information gathered. The archive is sent to the C2C.
RARM	Create a RAR archive adding to it all the information gathered in that month. The archive is sent to the C2C.
RARW	Create a RAR archive adding to it all the information gathered in that week. The archive is sent to the C2C.
KILL	Kill a specific process

Table 3 – Commands List

Kill Switch

The malware can be stopped by the C2C using the command “BLOCK”. This command creates a new file in the “AppData/Local/Temp” path called:

“Block~” + BOT_ID

Where BOT_ID is the same string showed in Figure 9.

The file can be used also as a vaccine by the user to avoid the infection.

Figure 11 – Kill Switch

Yara Rules

import “pe”

rule Wonder_Botnet_Downloader {

meta:

description = “Yara Rule for Wonder Botnet Downloader identification”

author = “CSE CybSec Enterprise – Z-Lab”

last_updated = “2017-10-19”

tlp = “white”

category = “informational”

condition:

(

pe.version_info[“CompanyName”] contains “stsdt$#^%#$^#$dstsdt$#^%#$^#$dstsdt$#^%#$^#$dstsdt$#^%#$^#$”

pe.version_info[“Comments”] contains “stsdt$#^%#$^#$dstsdt$#^%#$^#$dstsdt$#^%#$^#$dstsdt$#^%#$^#$”

pe.version_info[“FileDescription”] contains “stsdt$#^%#$^#$dstsdt$#^%#$^#$dstsdt$#^%#$^#$dstsdt$#^%#$^#$”

pe.version_info[“LegalCopyright”] contains “stsdt$#^%#$^#$dstsdt$#^%#$^#$dstsdt$#^%#$^#$dstsdt$#^%#$^#$”

pe.version_info[“LegalTradeMarks”] contains “stsdt$#^%#$^#$dstsdt$#^%#$^#$dstsdt$#^%#$^#$dstsdt$#^%#$^#$”

pe.version_info[“ProductName”] contains “stsdt$#^%#$^#$dstsdt$#^%#$^#$dstsdt$#^%#$^#$dstsdt$#^%#$^#$”

)

and pe.number_of_imports == 1 and pe.imports(“mscoree.dll”)

}

rule Wonder_Botnet_Bot {

meta:

description = “Yara Rule for Wonder Botnet Payload identification”

author = “CSE CybSec Enterprise – Z-Lab”

last_updated = “2017-10-19”

tlp = “white”

category = “informational”

strings:

// SmartAssembly Obfuscator

$a = “SmartAssembly”

// MD5 encryption

$b = “MD5CryptoServiceProvider”

condition:

$a and $b and

(

pe.version_info[“Comments”] contains “Folder Details”

pe.version_info[“LegalCopyright”] contains “Copyright Folder”

pe.version_info[“LegalTradeMarks”] contains “Folder Details”

)