The malware arsenal used by the highly sophisticated, so-called state-sponsored cyber group named the “Equation Group” has already been thoroughly described by Kaspersky in their report. As always, it is hard to make assumptions about the attribution of this malware or about the origins of such an elite cyber group. Nevertheless, it is obvious that the code development and the cost of infrastructure for cyberattacks on such a scale required considerable human and financial resources. As regular readers of my blog may have noticed, I am currently concentrating on research into rootkits allegedly belonging to sophisticated/state-sponsored cyber actors. It is also interesting to assess the authors' skills in driver development and compare their code with that of other similar “products”.
The driver mstcp32.sys (SHA256: 26215BC56DC31D2466D72F1F4E1B6388E62606E9949BC41C28968FCB9A9D60A6) is masked as the “Microsoft TCP/IP driver”.
The authors also took steps to mask the malicious purpose of this driver. For example, if you look at its imports or dump the strings from the file, you won't find anything really suspicious. The driver imports API from the NDIS kernel-mode library NDIS.SYS to work with network packets at the physical level (which fully corresponds to its declared purpose). In fact, the authors hid the malicious indicators inside the driver in encrypted data. Below you can see the decrypted strings from the driver's body.
As you can see from the dumped strings above, the rootkit attaches itself to the Windows network stack to capture packets at the NDIS level. It is also clear that the rootkit injects malicious code into trusted Windows processes: Services.exe (SCM) and Winlogon.
Below you can see the compilation date of this driver, which indicates that it was compiled almost 10 years ago. This means that the cyber espionage group was already using the rootkit and was active in 2007. The authors were also interested in keeping their operations hidden from users' eyes by putting the code into Ring 0.
The timestamp from the debug directory matches its counterpart in IMAGE_FILE_HEADER.
Below you can see a screenshot of the start of the rootkit code.
Decrypting the malicious data is the first step the driver takes. After that it creates a device object named \Device\Mstcp32 and performs its initialization steps. The device name is not hard-coded in the driver's body; it is derived from the driver's service name (Mstcp32 in the original).
As you can see from the image above, the driver dispatches the following IRP requests:
- IRP_MJ_CREATE
- IRP_MJ_CLOSE
- IRP_MJ_READ
- IRP_MJ_WRITE
- IRP_MJ_DEVICE_CONTROL
- IRP_MJ_CLEANUP
The driver registers itself as an NDIS filter. It checks the interface class with GUID {4d36e972-e325-11ce-bfc1-08002be10318} (which is located in the encrypted part of the data) and gets the list of instances already registered in Windows. It tries to find the specific instance with the value LowerRange == “ethernet” under HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\000X\Ndi\Interfaces. Once the driver code has found it, it appends its own value to this parameter, as shown in the image below.
- Windows NT 4.0 (1381)
- Windows 2000 (2195)
- Windows XP (2600)
- Windows Server 2003 (3790)
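As an added defender-side example (not code from the original post), the check below parses a `reg export` of the network adapter class key and reports adapter instances whose Ndi\Interfaces\LowerRange carries tokens outside a baseline, the kind of appended entry described above. The baseline token set and the sample export are constructed assumptions; legitimate NDIS intermediate drivers can also extend this value, so findings need manual review.

```python
import re

# Network adapter setup class GUID that the rootkit looks for.
NET_CLASS_GUID = "{4d36e972-e325-11ce-bfc1-08002be10318}"
# Baseline LowerRange media tokens (assumption: tune per environment, since
# legitimate NDIS intermediate drivers also extend this value).
KNOWN_LOWER_RANGE = {"ethernet", "tokenring", "fddi", "atm", "wan", "wlan"}

# Constructed sample of a `reg export` of the adapter class key (not real
# evidence); instance 0007 carries an extra token appended to LowerRange.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001\Ndi\Interfaces]
"LowerRange"="ethernet"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0007\Ndi\Interfaces]
"LowerRange"="ethernet, EXAMPLE_UNKNOWN_RANGE"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
LOWER_RE = re.compile(r'^"LowerRange"="(.*)"$', re.IGNORECASE)


def parse_ndi_interfaces(reg_text: str) -> dict:
    """Map each adapter instance id (e.g. '0007') to its LowerRange string."""
    result, instance = {}, None
    for line in reg_text.splitlines():
        key = KEY_RE.match(line.strip())
        if key:
            parts = key.group(1).split("\\")
            lowered = [p.lower() for p in parts]
            instance = None
            # Only <class GUID>\000X\Ndi\Interfaces keys are of interest.
            if NET_CLASS_GUID in lowered and lowered[-2:] == ["ndi", "interfaces"]:
                instance = parts[lowered.index(NET_CLASS_GUID) + 1]
            continue
        value = LOWER_RE.match(line.strip())
        if instance is not None and value:
            result[instance] = value.group(1)
    return result


def find_unexpected_lower_range(reg_text: str, known=KNOWN_LOWER_RANGE) -> list:
    """Return (instance, [tokens]) for adapters whose LowerRange has non-baseline tokens."""
    findings = []
    for instance, lower_range in sorted(parse_ndi_interfaces(reg_text).items()):
        tokens = [t.strip() for t in lower_range.split(",") if t.strip()]
        unexpected = [t for t in tokens if t.lower() not in known]
        if unexpected:
            findings.append((instance, unexpected))
    return findings
```

On a live host the same key can be exported with `reg export` and fed to `find_unexpected_lower_range` offline, which keeps the triage off the suspect machine.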
The rootkit driver supports an IOCTL for sending data over the network at the NDIS level. This means that the network logic for communicating with the remote host is located in the user-mode component, which uses the driver for this purpose.
Article Link: http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html