Sunday, 22 March 2015

AlienSpy Java Rat Overview


AlienSpy is a cross-platform Java RAT with support for Windows, Linux and Mac systems.
The samples I was able to analyze used a demo version of the Allatori Java Obfuscator (v5.3), which can be seen in the obfuscated method naming and the splash page shown when the malware is launched.


Allatori Name Obfuscation

Allatori Splash Screen

I won't dive into the Allatori obfuscation methods or the container in detail, other than to understand how the malicious jar is encapsulated within the package. The container has a simple structure containing two resource files (config.ini & password.ini) and four class files.


Jar Overview
Once executed the container follows a simple path to decrypt and execute the payload.
  • Init LoadStub Thread
  • Load config.ini contents
  • Spawn DecryptStub Thread
  • Create key -- Load password.ini contents and append static_key (set in LoadPassword.class)
  • Decrypt config.ini using created key 
  • Spawn LoadStubDecrypted
  • Initialize JarInputStream object from decoded config data
  • Spawn thread with decoded Jar

Unpacking the Payload

Analyzing the decryption method in the DecryptStub class shows the encryption has changed from previous versions. The payload stored in the config.ini file is encrypted using RC4, and the decryption key is the sha256 hash of a dynamic key stored in the password.ini file concatenated with a static key defined in LoadPassword.class.

Looking at the de-obfuscated strings in the LoadPassword class shows the static key as ALSKEOPQLFKJDUSIKSJAUIE. 

Appending Static Key
The sha256 hash is then created from the combined dynamic and static key.

key = sha256(dynamic_key + static_key)

For this sample the key is calculated using the following:

sha256('l85T4gI3' + 'ALSKEOPQLFKJDUSIKSJAUIE')
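The key derivation and RC4 step above, as an added worked example in Python (this is not the post's own alienspy-decrypt.py): it derives the key exactly as described, decrypts a config.ini blob and checks that the result is a jar before handing it to zipfile. Using the raw 32-byte sha256 digest as the RC4 key is an assumption, and the encrypted sample blob is constructed here, not taken from a real sample.

```python
import hashlib
import io
import zipfile

# Static key recovered from LoadPassword.class (value quoted in the post).
STATIC_KEY = "ALSKEOPQLFKJDUSIKSJAUIE"

def derive_key(dynamic_key, static_key=STATIC_KEY):
    """key = sha256(dynamic_key + static_key); the raw 32-byte digest is assumed to be the RC4 key."""
    return hashlib.sha256((dynamic_key + static_key).encode("ascii")).digest()

def rc4(key, data):
    """Plain RC4 (KSA, then PRGA keystream XOR); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def decrypt_config(config_ini, password_ini):
    """Decrypt config.ini; reject output that is not a zip/jar (wrong key or a changed container)."""
    plain = rc4(derive_key(password_ini.strip()), config_ini)
    if not plain.startswith(b"PK\x03\x04"):
        raise ValueError("decrypted data is not a jar: wrong key or different container version")
    return plain

def list_payload_entries(jar_bytes):
    """Entry names inside the decrypted jar (config.xml, keystore.test, class files ...)."""
    return zipfile.ZipFile(io.BytesIO(jar_bytes)).namelist()

def _build_sample_jar():
    # Constructed stand-in for the real payload: a one-entry zip holding a config.xml.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.xml", "<properties/>")
    return buf.getvalue()

SAMPLE_DYNAMIC_KEY = "l85T4gI3"  # password.ini value quoted in the post
# Constructed config.ini: the sample jar RC4-encrypted under the derived key (RC4 is symmetric).
SAMPLE_CONFIG_INI = rc4(derive_key(SAMPLE_DYNAMIC_KEY), _build_sample_jar())
```

Running decrypt_config against a real config.ini and password.ini pair from a sample will raise if the container has changed its scheme again, which is a cheaper signal than decompiling first.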


To extract the properties (config.xml) or the entire payload I've put together a script to decode the latest version of the AlienSpy RAT:

https://github.com/idiom/IRScripts/blob/master/alienspy-decrypt.py

Once the RAT is decoded we can decompile it and take a look at the layout and functionality. The decoded AlienSpy RAT has a simple layout containing two resources, config.xml & keystore.test, and a collection of classes within three packages.

Persistence

When the malware is launched it checks the INSTALL property, which is populated from the config.xml resource. If the property is set to True the installation method is triggered, using the following properties to generate the directory and file on the host system:

  • JAR_FOLDER    - Name of the folder to copy the malware into
  • JAR_NAME      - Name of the file
  • JAR_EXTENSION - Extension of the file
  • JAR_REGISTRY  - Name of the persistence setting

Windows

On Windows systems the malware is copied to a new directory within %appdata% and a new value under the Run key is created to launch the malware. The value name is the string defined in the JAR_REGISTRY config setting and the value data is the command line to launch the malware, 'java -jar <path-to-jar>'. The jar path and file name are defined by the JAR_ properties described above.

Depending on whether the user is a local administrator, the value is created under the Run key in HKLM or HKCU, to either infect the whole system or only the current user. To check if the user is an administrator the file tem.txt is created within the Windows directory and then deleted; if this succeeds the Administrator property is set to true.

Linux

On a Linux system the jar file is copied to the hidden directory <JAR_FOLDER> within the user's home directory and renamed to <JAR_NAME>.<JAR_EXTENSION>. The malware then creates a .desktop file in the user's autostart directory, ~/.config/autostart/<JAR_REGISTRY>.desktop, to launch the RAT when the desktop session starts.


MacOS 

As on Linux, the malware creates a file under a new directory <JAR_FOLDER> in the user's home. It then creates a new job in the user's Library/LaunchAgents directory, com.<JAR_REGISTRY>.plist.

The generated configuration file has the optional key RunAtLoad set to true; this instructs launchd to run the job once when it is loaded.  


Once the job file is created, it then runs the command "chflags hidden <JAR_FOLDER>" to set the hidden flag and hide the directory from the UI. 
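Pulling the three persistence locations just described (the Run key value, ~/.config/autostart/*.desktop and ~/Library/LaunchAgents/*.plist) into one triage check, as an added Python example that is not from the post: it extracts the launch command from each artefact and reports the ones that run 'java -jar'. The Exec= key and ProgramArguments layouts come from the general freedesktop and launchd formats rather than from this sample, and every artefact below is constructed ('Qz7' stands in for the config-defined names).

```python
import plistlib
import re

# 'java -jar <path-to-jar>' launch string from the post; the path may be quoted (Windows) or bare.
JAVA_JAR_RE = re.compile(r'\bjava(?:\.exe)?\b.*?\s-jar\s+(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.I)

def jar_from_command(command):
    """Return the jar path from a 'java -jar' command line, or None if it is not one."""
    m = JAVA_JAR_RE.search(command or "")
    return (m.group("q") or m.group("u")) if m else None

def command_from_desktop(text):
    """freedesktop autostart entry: the launch command is the Exec= key (assumed layout)."""
    for line in text.splitlines():
        if line.startswith("Exec="):
            return line[len("Exec="):].strip()
    return None

def command_from_launchagent(data):
    """launchd job: the command is ProgramArguments (or Program); also report RunAtLoad."""
    job = plistlib.loads(data)
    args = job.get("ProgramArguments")
    return (" ".join(args) if args else job.get("Program")), bool(job.get("RunAtLoad"))

def triage_autostarts(entries):
    """entries: (source, command) pairs; returns {source: jar_path} for entries launching a jar."""
    findings = {}
    for source, command in entries:
        jar = jar_from_command(command)
        if jar:
            findings[source] = jar
    return findings

# Constructed artefacts shaped like the three persistence locations in the post (not real samples);
# 'Qz7' stands in for the config-defined JAR_FOLDER / JAR_NAME / JAR_REGISTRY values.
RUN_VALUE_DATA = r'java -jar "C:\Users\victim\AppData\Roaming\Qz7\Qz7.jar"'
DESKTOP_FILE = "[Desktop Entry]\nName=Qz7\nExec=java -jar /home/victim/.Qz7/Qz7.jar\n"
LAUNCH_AGENT = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.Qz7</string>
<key>ProgramArguments</key><array><string>java</string><string>-jar</string>
<string>/Users/victim/Qz7/Qz7.jar</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""
SAMPLE_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Qz7", RUN_VALUE_DATA),
    ("~/.config/autostart/Qz7.desktop", command_from_desktop(DESKTOP_FILE)),
    ("~/Library/LaunchAgents/com.Qz7.plist", command_from_launchagent(LAUNCH_AGENT)[0]),
    ("~/.config/autostart/gnome-keyring.desktop", "/usr/bin/gnome-keyring-daemon --start"),
]
```

A jar launched from an autostart location is not proof of AlienSpy on its own, so the reported path is the thing to pull and decode, not a verdict.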

Sandbox Detection

When executed AlienSpy checks if it is running within either a VirtualBox or VMware environment. If it detects that it is running within a VM the application exits. The detection technique isn't advanced: it looks for files installed as part of the VM guest tools.

For VirtualBox this is either the file "/etc/init.d/vboxadd" on Linux or the directory "Oracle\Virtualbox Guest Additions" on Windows. If the RAT is running within a Mac environment the check returns false.


VirtualBox Detection

Similarly, for VMware this is the directory "/etc/vmware-tools" on Linux, "/Library/Application Support/VMware Tools" on Mac and "VMware\VMware Tools" on Windows.

VMWare Detection


Communication 

AlienSpy uses SSL sockets to communicate with the C2 server. The server and port are both defined within the config.xml file:
  • DNS  - Hostname or IP address
  • PORT - TCP port
The jar file contains a keystore resource, keystore.test, which is used to trust the C2 SSL certificate. Using keytool we can look at the contained certificates.

Note: the password for the keystore is 'storepass' and is defined in utils\AlienSSLSocket.class.


When examining the certificate details I was able to trace it back to a how-to post on SSLSockets and creating a keystore. 


The majority of settings for the certificate have just been directly copied from the examples in the article (keystore name, password and certificate properties). 


C2 Subscription

To subscribe to the C2 server the RAT first creates and configures the SSL connection, then sends the value 1, followed by the properties describing the host system. At this point the malware is in listening mode waiting for commands from the C2 server.

Commands 

Once connected to the C2 server the RAT waits for a command. Commands have a simple syntax: a command_id in the range [1..10] and an optional payload for the command.


Id   Payload                                         Description
1    [0] Message type, [1] Option type,              Display message box
     [2] Title, [3] Message
2    [0] URL, [1] Number of times to open the URL    Open the URL the requested number of times;
                                                     hardcoded to sleep 2s every iteration
3    N/A                                             Shutdown
4    N/A                                             Restart
5    N/A                                             Uninstall
6    N/A                                             Update offline
7    URL for update                                  Update online
8    [0] URL for download, [1] Extension to          Download & execute
     append to file
9    Plugin name                                     Run plugin
10   N/A                                             Start heartbeat

From what I've observed the first command after subscription is generally '10' which instructs the infected host to begin sending a heartbeat every 60 seconds.  

  • Write 1 
  • Write PINGPONG
  • Sleep 60s

The heartbeat will continue running on a separate user thread while the malware waits for the next command from the server.


Updating 

There are two commands the C2 server can send for updating infected hosts: an online update or an offline update.

An offline update instructs the client to make another connection to the C2 server. Once the updated RAT is downloaded it calls uninstall to remove the existing version, then launches the updated one from the temp file.


An online update includes a URL as the payload, which tells the RAT where to download the updated version from. A GET request is sent to the URL with the hardcoded User-Agent:

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36

The same process as the offline update is then followed: the new version is downloaded into a temporary file, and the client uninstalls the existing version and replaces it with the newly downloaded one.

Download & Execute

The server can issue command Id 8, which instructs the client to download and execute a file. The payload for this command includes the URL to download the file from and the extension to append to the file once it is downloaded.

Requests are made using the User-Agent:

Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17

Once the file is downloaded it is passed to an opener function, which determines how to launch it. The opener first checks whether the downloaded file ends in '.jar'; if it does, it generates the string 'java -jar <downloaded jar>' and executes it.

If the malware is running on MacOS it also appends the argument -Dapple.awt.UIElement=true.

If the file doesn't end in .jar the opener uses the host OS's preferred method for opening files. For Windows this is cmd, for Linux this is either /usr/bin/open or /usr/bin/xdg-open, and for MacOS this is java.awt.Desktop.getDesktop().open.

Open URL

The server can instruct clients to open a URL. The payload for this command contains the URL to open and the number of iterations. The client then opens the URL the requested number of times, sleeping for 2 seconds between iterations:

  • For MacOS it will launch the URL using:  open -a Safari <URL>
  • For Windows it will launch the URL using: cmd.exe /c START iexplore.exe <URL>
  • For Linux it will launch the URL using: /usr/bin/xdg-open <URL>  

Conclusion

Incident responders looking for systems compromised by AlienSpy can extract host and network indicators from the properties defined in the config.xml file. Additionally, infected systems will be beaconing to the C2 server every 60 seconds.
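The 60-second heartbeat described under Commands is the periodicity this conclusion points responders at. As an added example (not from the post), this Python snippet groups outbound packet records by (src, dst, port) and flags groups whose inter-packet gaps cluster on 60 seconds; the log lines, thresholds and the C2 address are constructed assumptions, and the check is generic enough to catch any fixed-interval beacon, not only this RAT's.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed packet log (not real traffic): "<ISO timestamp> <src> <dst> <dport>" per outbound
# packet. 203.0.113.10:4444 stands in for a C2 receiving the 60-second heartbeat over the
# long-lived SSL socket; the port 443 records are ordinary browsing kept as a negative case.
SAMPLE_PACKETS = """\
2015-03-22T10:00:00 10.0.0.5 203.0.113.10 4444
2015-03-22T10:01:00 10.0.0.5 203.0.113.10 4444
2015-03-22T10:02:01 10.0.0.5 203.0.113.10 4444
2015-03-22T10:03:00 10.0.0.5 203.0.113.10 4444
2015-03-22T10:04:00 10.0.0.5 203.0.113.10 4444
2015-03-22T10:00:07 10.0.0.5 198.51.100.20 443
2015-03-22T10:00:31 10.0.0.5 198.51.100.20 443
2015-03-22T10:03:12 10.0.0.5 198.51.100.20 443
2015-03-22T10:03:40 10.0.0.5 198.51.100.20 443
2015-03-22T10:09:02 10.0.0.5 198.51.100.20 443
"""

def parse_packets(text):
    """Group packet timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(flows, period=60.0, tolerance=5.0, min_packets=4):
    """Return (src, dst, dport) keys whose inter-packet gaps sit on `period` seconds.

    The median finds the dominant interval; pstdev rejects bursty traffic whose median only
    happens to land near `period`; min_packets avoids judging on one or two gaps.
    """
    beacons = []
    for key, times in flows.items():
        if len(times) < min_packets:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if abs(median(gaps) - period) <= tolerance and pstdev(gaps) <= tolerance:
            beacons.append(key)
    return beacons

def beacons_in_sample():
    return find_beacons(parse_packets(SAMPLE_PACKETS))
```

Because the heartbeat rides on the existing SSL connection rather than opening a new one, feed this per-packet (or per-record) timestamps rather than per-connection flow starts.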

AlienSpy is used to deliver other malicious payloads to infected systems, so detecting the presence of AlienSpy should be treated as only one part of the compromise.

If you have any samples or would like to collaborate, feel free to reach out to me on Twitter @seanmw. I'm interested in looking at how AlienSpy is being used in phishing campaigns to deliver malware.

Samples

The samples I used for the post can be found using the hashes below:
  • Sample 1: f3366d437f9461f1486406972f52e7aab47174db 
  • Sample 2: c932064fe6a7dfc96fb2a3ffec2b7f4e5b7e048f

References
  • http://contagiodump.blogspot.ca/2014/11/alienspy-java-rat-samples-and-traffic.html
  • https://developer.gnome.org/autostart-spec/
  • https://developer.apple.com/library/mac/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
  • https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man5/launchd.plist.5.html#//apple_ref/doc/man/5/launchd.plist

6 comments:

  1. great writeup, thanks. Would have been nice if you included the network artifacts as well.

    1. Hi Alexander,

      I'm still looking at how the RAT is used to deliver malware onto infected systems, so I hope to have another post soon which will include packet captures.

  2. Creating "a Run key" for persistence wouldn't necessarily do anything...creating a _value_ beneath the appropriate Run key, with data pointing to the file to be launched, does provide persistence.

    Is there anything known about the value name? Is it consistent, random every time?

    1. Hi Harlan,

      My bad, I should have been more descriptive (dangers of late night posting).

      I've made an update to better explain that a value is created under the Run key. The value name is defined in the JAR_REGISTRY config setting, which would be random. And the data is a command line to launch the jar file.

  3. Has anyone managed to get this exploit to actually work (execute the .jar, create the subdirectories, go after the payload and drop it into place, and then execute the malware in the payload) in Linux? So far all I've seen is that the source code mentions Linux, OSX, Android, etc. But little evidence of actually working in those platforms.

  4. I don't quite understand the last tips you mentioned. Can you explain it more specifically? I was recommended a free data recovery software named MiniTool Power Data Recovery. Have you heard about it? My friend said it was efficient and convenient.
