By: Jason Reaves
Recently Zscaler reported on a component being leveraged in campaigns and related to Venom Spider [1]. Some of the recent samples we looked at appeared to have their strings obfuscated.
f598477a2cac439195ccf740bb38f50c2032a80be1cfeb5d34e1577f750c72bb
The sample builds out a table using hardcoded data:
@AB,0xffffffff,CDEFGHIJ456789:;<=KLMNOPQ,0x00,0x01,0x02,0x3,0x4,0x5,0x6, 0x7,0x8,0x9,0xa,0xb,0xc-0x19,R,0xffffffff,STUV,0x1a-0x33,WXYZ,0xffffffff
The table aligns with decoding in base91+. The alphabet string in the binary looks more like base95, but for decoding we can simply rip the decode table out of the binary and use it directly to decode the strings. That also lets us quickly check whether the alphabet remains static by running the same table over lots of samples.
After the base95 decoding, the result is XOR-decoded with a hardcoded key string. Starting from some base91 decode code in Python, we can build a decoder:
```python
import struct

# 256-entry lookup table ripped from the sample; 255 marks characters that are
# not part of the alphabet and are skipped by the decoder.
decode_table = [255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 62, 255, 63, 64, 65, 66, 255, 67, 68, 69, 70, 71, 72, 73, 74, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 75, 76, 77, 78, 79, 80, 81, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 82, 255, 83, 84, 85, 86, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 87, 88, 89, 90, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255]

def decode(encoded_str):
    ''' Decode a Base91 string (bytes or str) to a bytearray '''
    v = -1
    b = 0   # bit accumulator
    n = 0   # number of bits currently held in b
    out = bytearray()
    for strletter in encoded_str:
        # iterating over bytes yields ints; map str input to code points
        c = decode_table[strletter if isinstance(strletter, int) else ord(strletter)]
        if c == 255:
            continue
        if v < 0:
            v = c
        else:
            v += c * 91
            b |= v << n
            n += 13 if (v & 8191) > 88 else 14
            while True:
                out += struct.pack('B', b & 255)
                b >>= 8
                n -= 8
                if not n > 7:
                    break
            v = -1
    if v + 1:
        out += struct.pack('B', (b | v << n) & 255)
    return out

def decr(a):
    ''' Base91-decode the string, then XOR it with the hardcoded key '''
    t = decode(a)
    key = bytearray(b'8dPtXeHtprHxQELs')
    for i in range(len(t)):
        t[i] ^= key[i % len(key)]
    return t
```
Decoded strings:
bytearray(b'cmd /c ')
bytearray(b'dir "%LocalAppData%\\Login Data" /s /b & dir "%appdata%\\Login Data" /s /b')
bytearray(b'dir "%LocalAppData%\\Cookies" /s /b & dir "%appdata%\\Cookies" /s /b')
bytearray(b'C:\\ProgramData\\Temp\\Cookies')
bytearray(b'C:\\ProgramData\\Temp')
bytearray(b'SELECT host_key, name, encrypted_value, path, is_secure, is_httponly, samesite, expires_utc FROM cookies')
bytearray(b'new.ocx')
bytearray(b'ws://nopsec.]org:8082')
Another sample (c81d49c1907f27ea24a938ebbeb5f21bd30b4b186d99ec9c9458ce34f6bef72e):
bytearray(b'cmd /c ')
bytearray(b'dir "%LocalAppData%\\Cookies" /s /b & dir "%appdata%\\Cookies" /s /b')
bytearray(b'C:\\ProgramData\\Temp\\Cookies')
bytearray(b'C:\\ProgramData\\Temp')
bytearray(b'SELECT host_key, name, encrypted_value, path, is_secure, is_httponly, samesite, expires_utc FROM cookies')
bytearray(b'module.ocx')
bytearray(b'ws://finatick.]com:8082')
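The encoder side of the same scheme is useful for building test vectors and for checking whether the decode table lifted from a new sample still describes the same alphabet. The following is an added example, not code from the original post: the alphabet is reconstructed from the decode table above (standard basE91 ordering with '-' in place of '"', which is an assumption of this example), the XOR key is the one from the decr() routine above, and the function names (obfuscate, deobfuscate, alphabet_from_table and so on) are hypothetical.

```python
# Alphabet reconstructed from the decode table shown above (an assumption of
# this example): standard basE91 ordering with '-' in place of '"'.
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789"
            "!#$%&()*+,-./:;<=>?@[]^_`{|}~")

# XOR key taken from the decr() routine above.
XOR_KEY = b"8dPtXeHtprHxQELs"


def build_decode_table(alphabet):
    """Build a 256-entry lookup like the one ripped from the binary (255 = skip)."""
    table = [255] * 256
    for value, ch in enumerate(alphabet):
        table[ord(ch)] = value
    return table


def alphabet_from_table(table):
    """Recover the alphabet from a lifted table so tables from different samples can be diffed."""
    pairs = sorted((value, ch) for ch, value in enumerate(table) if value != 255)
    return "".join(chr(ch) for _, ch in pairs)


def b91_encode(data, alphabet=ALPHABET):
    """basE91 bit packing (13- or 14-bit groups, two symbols each) over a custom alphabet."""
    b = 0   # bit accumulator
    n = 0   # bits held in b
    out = []
    for byte in data:
        b |= byte << n
        n += 8
        if n > 13:
            v = b & 8191            # try a 13-bit group first
            if v > 88:
                b >>= 13
                n -= 13
            else:                   # small value: take 14 bits instead
                v = b & 16383
                b >>= 14
                n -= 14
            out.append(alphabet[v % 91])
            out.append(alphabet[v // 91])
    if n:                           # flush remaining bits
        out.append(alphabet[b % 91])
        if n > 7 or b > 90:
            out.append(alphabet[b // 91])
    return "".join(out)


def b91_decode(encoded, table):
    """Table-driven decoder, the inverse of b91_encode (same logic as the sample's)."""
    v = -1
    b = 0
    n = 0
    out = bytearray()
    for ch in encoded:
        c = table[ch if isinstance(ch, int) else ord(ch)]
        if c == 255:
            continue
        if v < 0:
            v = c
        else:
            v += c * 91
            b |= v << n
            n += 13 if (v & 8191) > 88 else 14
            while n > 7:            # n is at least 13 here, so one byte is always emitted
                out.append(b & 255)
                b >>= 8
                n -= 8
            v = -1
    if v + 1:
        out.append((b | v << n) & 255)
    return out


def xor_bytes(data, key):
    """Repeating-key XOR, used identically on both sides."""
    return bytearray(x ^ key[i % len(key)] for i, x in enumerate(data))


def obfuscate(plaintext, key=XOR_KEY, alphabet=ALPHABET):
    """Encoder side (hypothetical name): XOR, then base91; the inverse of decr()."""
    return b91_encode(xor_bytes(plaintext, key), alphabet)


def deobfuscate(encoded, key=XOR_KEY, alphabet=ALPHABET):
    """Decoder side: base91, then XOR; equivalent to decr() above but table built from the alphabet."""
    return bytes(xor_bytes(b91_decode(encoded, build_decode_table(alphabet)), key))


def table_matches_alphabet(table, alphabet):
    """True if a table lifted from a new sample still encodes the same alphabet."""
    return alphabet_from_table(table) == alphabet


if __name__ == "__main__":
    sample = b'C:\\ProgramData\\Temp\\Cookies'   # plaintext taken from the decoded strings above
    enc = obfuscate(sample)
    print(enc)
    print(deobfuscate(enc))
```

Strings produced by obfuscate() can be passed straight to the decr() routine above (as bytes) to confirm the two implementations agree, and alphabet_from_table() turns a table pulled from any new sample into a string that can be compared against ALPHABET in one line.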
Continuing to trace the samples back, we found a few different versions, such as this one that writes the data to disk:
a10266c38c5f24201aa68cb3b0f7f24f44f4b5df635c5e2aebddb041b00d8a8f
IOCs:
jetmains.]com:8082
zoho-cloudfront.]com:8082
finatick.]com
nopsec.]org
Potentially distribution related:
cloudyvault.]org
cloudmort.]com
seopager.]xyz
gdrive.]rest
shadon.]net
sharesmydrive.]com
OCX filename checks:
xpr.ocx
new.ocx
brain.ocx
dWin.ocx
fer.ocx
iDriver.ocx
bajo.ocx
mojo.ocx
module.ocx
pp.ocx
References
1: https://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-loader
2: https://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/
Decoding RevC2 strings was originally published in Walmart Global Tech Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.
Article link: Decoding RevC2 strings, by Jason Reaves, Walmart Global Tech Blog on Medium, Dec 2024.