The Pylot (or Travle) malware family appears to be an evolution of the NetTravler malware family (commonly used by NetTraveler or APT-21 threat group). This latest variant has been observed as a secondary payload used in conjunction with malicious carrier files (typically MS Office or Rich Text Format (RTF) documents).
The Pylot malware has been observed being installed via shellcode from known CVEs in Office products as well as by malware loaders (or first stage malware variants, specifically the cmstar malware family). A Yara signature and additional scripts were created for Carbon Black TAU’s internal analysis, and are being shared with this post to assist any investigations or research related to this family.
The following table lists the metadata for the files that were analyzed for the first scenario.
RTF Carrier File

| Field | Value |
| --- | --- |
| SHA256 | 79dc836e7557d8fa39a7a56ff69d98a78ff6494ce49720baee0864bee00f17b3 |
| Revision time | 11/20/15 1:45 |
| Author | HCL |
| Number of pages | 1 |
| Creation time | 11/20/15 1:45 |
| Number of words | 2 |
| Version | 1 |
| Operator | HCL |

Pylot Sample 1

| Field | Value |
| --- | --- |
| File Name | Pylot_sample.dll |
| File Size | 208,154 bytes |
| MD5 | f456d82e4815ce381d6d1bf23322aca6 |
| SHA1 | 2535558d28b5431e41fd8e1eb88dbc099d74a7c5 |
| SHA256 | 8c310b5db866c695627d8903c59082a6f7f6eaf49970bcfc3b786b57dbe543b6 |
| Fuzzy | 3072:zPNKts9RnF3Xo+T/pJbiFLxfZubTHPKorZShP/UB+zvkpdISZQM4ED:x9RlXo+LPmLQbTHPpZSlUBy+IM4ED |
| Compiled Time | Wed Jan 27 13:18:46 2016 UTC |
| Original DLL | pilot.dll |
| DLL Exports (1) | Ordinal 1: MSOHost |
| Magic | PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit |

PE Sections (5):

| Name | Size | MD5 |
| --- | --- | --- |
| .text | 147,968 | 5b3872364e2efbb4e83966ea9c2f48b9 |
| .rdata | 35,840 | c17dec1fc11e3134c03a993f3509699a |
| .data | 4,608 | 100820dd666d8eeca7c7ff43ab9552b8 |
| .rsrc | 5,120 | 8c96d665232c7e447ac6131b479a0af6 |
| .reloc | 20,992 | 439f3ea4d036d3aab2d23e675dcd8e13 |
| + 0x34a00 | 0 | d41d8cd98f00b204e9800998ecf8427e None |

Table 1: File Metadata
The RTF document listed in the table above attempts to exploit an older CVE (cve-2014-1761) to ultimately execute shellcode. Regardless of the exploit used, the shellcode would bear the same characteristics. The image below is a screenshot of the RTF document. The area highlighted in red is the list override exploit that is referenced in the above CVE link. The data highlighted in yellow is the shellcode and encoded payload. Even though the shellcode is obfuscated, there are still some strings present that are used by the shellcode to create and entrench the file on an infected system (highlighted in green).
Figure 1: RTF visualization
Shellcode
The shellcode, as it is written in the RTF file, is obfuscated to lessen the likelihood of detection and make analysis more difficult. The shellcode will perform a couple of basic commands to clear registers that will be utilized, and a portion of its data (0x325 bytes) is XORed with the value 0x9E (highlighted in red in the image below). Once this is complete it will continue with the execution flow.
The shellcode is a straightforward loader which will ultimately decode the payload, and write the file to disk. The shellcode will also entrench the malicious payload in a typical location used by malware for entrenchment (Software\Microsoft\Windows\CurrentVersion\Run), before using rundll32.exe to initially execute the binary.
Figure 2: Decoding Routine
The shellcode uses a name hashing function that is a common technique in shellcode, in which the code will first locate the process environment block (PEB) from the thread information block (TIB), which is highlighted in red below. This is used to locate the (doubly-linked) list of loaded modules. The shellcode will then take each entry and normalize the string name by making all of the characters in the module name uppercase (highlighted in green). The running hash is rotated right by 13 and each character of the module name is added to it, and the result is then compared to a hard-coded value for Kernel32.dll (highlighted in blue). Once the target module is located in memory it can be called with the appropriate arguments.
Figure 3: Name hashing function
The snippet of Python code below can be used with a list of common module names to determine the string values behind the hard-coded hash values used with this variant.
```python
def ror(val, r_bits, max_bits):
    out = ((val & (2**max_bits-1)) >> r_bits % max_bits) | (val << (max_bits-(r_bits % max_bits)) & (2**max_bits-1))
    return out

def hash_string(proc_name):
    name_hash = 0
    for x in proc_name:
        x = ord(x)
        if x >= 97:  # 0x61
            x = x - 32  # normalize to uppercase
        back = ror(name_hash, 13, 32)  # ROR 0x0D
        name_hash = back + x & 0xFFFFFFFF  # add that value to original char
    return name_hash
```
Table 2: Python implementation of name hashing algorithm
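As an added example (not code from the original post), the following builds the reverse lookup the paragraph above describes: it hashes an assumed list of common module names with the same ROR-13 routine and resolves hash constants pulled from shellcode back to names. `COMMON_MODULES` and the `resolve_hashes` helper are assumptions of this example.

```python
# Added example: reverse-lookup table for the ROR-13 module-name hash.
# The hash routine mirrors the one shown on the page; the module list is an
# assumption (extend it with whatever names an investigation turns up).
COMMON_MODULES = [
    "kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll",
    "urlmon.dll", "wininet.dll", "shell32.dll", "ole32.dll",
]

def ror32(value, bits):
    """Rotate a 32-bit value right by `bits` positions."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF

def ror13_hash(name):
    """Uppercase each character, then ROR 13 the running hash and add the character."""
    h = 0
    for ch in name:
        c = ord(ch)
        if c >= 0x61:          # same normalisation as the shellcode
            c -= 0x20
        h = (ror32(h, 13) + c) & 0xFFFFFFFF
    return h

def build_lookup(names=COMMON_MODULES):
    """Map hash value -> module name for every name in the list."""
    return {ror13_hash(n): n for n in names}

def resolve_hashes(hashes, names=COMMON_MODULES):
    """Resolve hard-coded hash constants taken from shellcode to module names."""
    table = build_lookup(names)
    return {h: table.get(h, "unknown") for h in hashes}

if __name__ == "__main__":
    for h, n in build_lookup().items():
        print(f"0x{h:08X} {n}")
```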
In this sample the malicious payload will be written to disk as comctl32.dll, and the shellcode will use rundll32.exe to execute the payload, calling the MSOHost export. The malware will then run and communicate with a hard-coded C2 that is contained inside the configuration block characteristic of the pylot family. A Python script was written to parse a pylot variant executable and extract the relevant configuration information. The script is attached to this post. An example of the output can be seen in the table below. The previous analysis by Kaspersky Labs detailed the overall functionality of the pylot family.
```text
TX-Trill:couyon$ python Pylot_config_Decoder.py pylot_1.exe
[!] Resource Located Name: RAW_DATA
[+]Decoding Configuration...
Primary C2 : young.aviodyoung.com
Secondary C2 : Not Used
URL Path 1 : /vgs/wksur.py
URL Path 2 : Not Used
C2 Port 1 : Not Used
C2 Port 2 : 80
Campaign ID : xcvwerx
Sample ID : qTyx0736R
Primary RC4 key : MTzXBLRfWOpcjsKZGUbS
Secondary RC4 key : MTzXBLRfWOpcjsKZGUbS
Beacon Timer : 60000 milliseconds
```

Table 3: Pylot configuration output
Carrier File Scenario 2
The following table lists the metadata for the initial carrier file that was analyzed for the second scenario.
RTF Carrier File

| Field | Value |
| --- | --- |
| SHA256 | 6d1f5bc52de8458ba1b5ddf1e6957b3ab5e7e8a796356b46588d1c7be458a786 |
| Revision time | 2016-11-08 08:47:00 |
| Author | Shaimenova |
| Company | parliament |
| Number of pages | 9 |
| Creation time | 2016-11-08 08:47:00 |
| Number of words | 1586 |
| Version | 2 |
| Operator | AutoBVT |

CMStar Sample 1 Loader

| Field | Value |
| --- | --- |
| File Name | CMStar_sample.exe |
| File Size | 77,824 bytes |
| MD5 | 7ce99c26ee05efb81c3a123152ccce5e |
| SHA1 | 3be63458fe1298b0ebf36e019a895519fd96fb22 |
| SHA256 | 928efa7e1007633330630bbd7e37ee4843060215c2c825169f12c048099c3f6d |
| Fuzzy | 1536:nPLpKSgx0fEYLwOAXhENg7Ofp15yUxBix1Y:PLE0fEYL/KVaryNY |
| Compiled Time | Thu Oct 20 07:00:38 2016 UTC |
| Magic | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |

PE Sections (4):

| Name | Size | MD5 |
| --- | --- | --- |
| .text | 12,288 | b0001edc7a3ebc2cb52944a7aa61293d |
| .rdata | 4,096 | a1ffda038f8171993651bed5f7547b96 |
| .data | 4,096 | 3eae055efca4b7f380118d3320dcde5f |
| .rsrc | 53,248 | 880b916c741d16b6f46f58c1107cca7d |

Table 4: RTF and CMStar metadata
The carrier file for this scenario is also an RTF document and will attempt to exploit cve-2015-1641. If successfully exploited, the shellcode will decode a malicious payload (which is encoded using the same method as in the first scenario). This executable is then written to disk and is a CMStar variant loader (listed in the table above). This loader will extract a resource named 12358 and decode the file (XOR 0x30) before writing it to disk. The loader will then execute rundll32.exe, calling the MSOProtect export of the CMStar variant. The metadata for the CMStar payload is listed in the table below.
CMStar Sample 1 Payload

| Field | Value |
| --- | --- |
| File Name | Resource_decoded.dll |
| File Size | 50,688 bytes |
| MD5 | cc018500132a811e1f7d4d54763f6ab1 |
| SHA1 | dd048ab61a8591ce4d14e9bc5a7b34e6996501f0 |
| SHA256 | fab38d1c785cf81cbef1a424e812ef7a26598f86cd19a389efe327db0e747201 |
| Fuzzy | 768:5WPPGyX/nibX/44zMLiuTXVR4Gcfd25hH1fzQMo6llRc:nyXPiL9uTXVR2d25XFl |
| Compiled Time | Wed Oct 12 12:45:10 2016 UTC |
| Original DLL | UpdateService.tmp |
| DLL Exports (1) | Ordinal 1: MSOProtect |
| Magic | PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit |

PE Sections (4):

| Name | Size | MD5 |
| --- | --- | --- |
| .text | 29,184 | 5a823113d6e3589d38f093615598217b |
| .rdata | 4,096 | 028c81fb15600d1cdf89637bc899eaa3 |
| .data | 12,288 | 8c92626431fbf58dd4357f8e18124c72 |
| .reloc | 4,096 | a22b36f23cde94d421b40566d6cf36e1 |

Table 5: CMStar payload metadata
The CMStar malware will decode some basic configuration information necessary to communicate with the C2. The decoding function will copy hard-coded strings into memory and then, for each character of the encoded string, subtract a hard-coded value and the counter value (which is incremented for each character).
The snippet of Python code below can be used to decode the CMStar related configuration strings. In the example below the “encoded_string” variable is a list containing the values of one of the encoded strings (r€}H>?BBKBKGEIQSIMTT), which when decoded is the primary C2.
```python
# Encoded form of one CMStar configuration string (the primary C2)
encoded_string = [0x72,0x7F,0x80,0x7D,0x48,0x3E,0x3F,0x42,0x42,0x4B,0x42,0x4B,0x47,0x45,0x49,0x51,0x53,0x49,0x4D,0x54,0x54]
i = 0
out = ''
for x in encoded_string:
    out = out + chr(x - i - 10)  # subtract the hard-coded value (10) and the position counter
    i = i + 1
print(out)
```
Table 6: CMStar Configuration script
Once the strings are decoded the CMStar malware will beacon to http://108.61.189[.]176 and request the file a554L8iVaSIDKYO.dat (hardcoded name). This file is an obfuscated Pylot variant. The image below is an overview of the a554L8iVaSIDKYO.dat file contents, as it would appear when downloaded. The dword highlighted in red is a header marker. The next three dword values are all stored as little endian and are used in decoding the payload data which is highlighted in purple.
Figure 4: Encoded Pylot overview
The obfuscated file is bloated compared to the actual size of the embedded payload. The encoding technique uses a dword of bytes to store 1 byte of actual data. To decode the data, a dword value is read into memory (the first dword 0x33 is 51 decimal) from the data section (highlighted in purple). The second dword value (highlighted in green) is used as the starting seed value (0x01 is 1 decimal). The third dword (highlighted in blue) is used as the number of rounds to perform the modification loop (0x03EB is 1003 decimal). The fourth dword (highlighted in yellow) is used as a modulo value in the modification loop (0x5BD is 1469 decimal). The following Python snippet replicates the decoding function for the first byte of data.
```python
start = 51   # dword value from data area
output = 1   # dword seed value
for x in range(1003):                 # dword round value
    output = (output * start) % 1469  # dword modulo value
print(chr(output))  # This results in "M", the first character of an MZ header
```
Table 7: Python implementation of decoding function
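As an added example (not the post's own script), the following decodes a whole container of the format described above rather than a single byte: it reads the seed, round and modulus dwords from the header and applies the equivalent modular exponentiation to each data dword. The header layout (marker, seed, rounds, modulus, then one dword per byte) and the placeholder marker value are assumptions from the description; `encode_for_demo` is a constructed inverse used only to build sample input.

```python
import struct

# Added example: decoder for the dword-per-byte container described above.
# Header layout assumed from the post: marker, seed, rounds, modulus (all
# little-endian dwords), followed by one dword per encoded byte. The real
# marker value is not given on the page, so a placeholder is used here.
MARKER_PLACEHOLDER = 0x41414141

def decode_single(base, seed, rounds, modulus):
    """One output byte: seed * base^rounds mod modulus, same result as the page's loop."""
    return seed * pow(base, rounds, modulus) % modulus

def decode_pylot_container(blob):
    """Decode an encoded Pylot payload (marker/seed/rounds/modulus header) to raw bytes."""
    if len(blob) < 16 or (len(blob) - 16) % 4:
        raise ValueError("truncated header or data section")
    marker, seed, rounds, modulus = struct.unpack_from("<IIII", blob, 0)
    if modulus == 0:
        raise ValueError("zero modulus in header")
    out = bytearray()
    for (base,) in struct.iter_unpack("<I", blob[16:]):
        value = decode_single(base, seed, rounds, modulus)
        if value > 0xFF:
            raise ValueError("decoded value %d does not fit in a byte" % value)
        out.append(value)
    return bytes(out)

def encode_for_demo(data, seed=1, rounds=1003, modulus=1469):
    """Constructed inverse used only to build sample input for this example."""
    table = {}
    for base in range(modulus):
        table.setdefault(decode_single(base, seed, rounds, modulus), base)
    body = b"".join(struct.pack("<I", table[b]) for b in data)
    return struct.pack("<IIII", MARKER_PLACEHOLDER, seed, rounds, modulus) + body

if __name__ == "__main__":
    sample = encode_for_demo(b"MZ\x90\x00\x03")  # constructed PE header prefix
    print(decode_pylot_container(sample))
```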
The table below lists the metadata for the fully decoded Pylot payload. The CMStar malware will then execute rundll32.exe, calling the MSOProtect export to run the Pylot sample.
Pylot Sample 2

| Field | Value |
| --- | --- |
| File Name | Pylot_sample_2.dll |
| File Size | 180,736 bytes |
| MD5 | d5c679df69751936d0fa380f2e4bf017 |
| SHA1 | 2488d05f619124ef56a802407745579a02d0d36e |
| SHA256 | c20742df2580795ef8578b38730066c4c50c833f4a83dd4f6dcf9fc327c1904a |
| Fuzzy | 3072:F0KN9+4oQQh/gspsXTrzh+lYHUUd5U5+:f9+4oRHEJk95+ |
| Compiled Time | Mon Nov 07 03:10:36 2016 UTC |
| Original DLL | pilot.dll |
| DLL Exports (1) | Ordinal 1: MSOProtect |
| Magic | PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit |

PE Sections (5):

| Name | Size | MD5 |
| --- | --- | --- |
| .text | 124,416 | ed3027599e9cffb50c4dcbdc01582fc1 |
| .rdata | 33,792 | a1d51a7f4cddb3189168f0b3b09047fd |
| .data | 4,608 | 36ed52fc43b3ae5cb504a8976c8e5d02 |
| .rsrc | 5,120 | ab29ae998157877652d20952075c1bd2 |
| .reloc | 11,776 | 05e1f820b39bbe58d609e0b2a3f78905 |

Table 7: Pylot metadata
The configuration information for the above Pylot sample is listed in the table below.
Pylot Sample 2 Configuration Data

```text
[!] Resource Located Name: RAW_DATA
[+]Decoding Configuration...
Primary C2 : pgbkrrq3434.com
Secondary C2 : Not Used
URL Path 1 : /iow/qlmbn.py
URL Path 2 : Not Used
C2 Port 1 : Not Used
C2 Port 2 : 80
Campaign ID : uuqigas
Sample ID : fGAka0109
Primary RC4 key : BBidRotnqQpHfpRTi8cR
Secondary RC4 key : BBidRotnqQpHfpRTi8cR
Beacon Timer : 60000 milliseconds
```

Table 8: Pylot sample 2 configuration
IOCs
Yara Signature

```yara
rule pylot_payload_2018_Q1 : TAU pylot
{
    meta:
        author = "CarbonBlack TAU" //JMyers
        date = "2018-Jan-8"
        description = "Designed to catch pylot payload"
        rule_version = 1
        yara_version = "3.6.0"
        TLP = "Green"
        exemplar_hashes = "c20742df2580795ef8578b38730066c4c50c833f4a83dd4f6dcf9fc327c1904a, 8c310b5db866c695627d8903c59082a6f7f6eaf49970bcfc3b786b57dbe543b6"
    strings:
        $s1 = "FindResource"
        $s2 = "LoadResource"
        $s3 = "RAW_DATA" wide
        $s4 = "KB178495.DAT" wide
        $s5 = "KB887209" wide
        $s6 = "KB287640" wide
        $s7 = ".decompress" wide
    condition:
        all of them
}
```
| Indicator | Type | Context |
| --- | --- | --- |
| 79dc836e7557d8fa39a7a56ff69d98a78ff6494ce49720baee0864bee00f17b3 | SHA256 | RTF Carrier File |
| 0d06925ce5d306e94fac4cbbbf67362a | MD5 | RTF Carrier File |
| 1d01a78ccfc4b646b46082a7135f6ac5b364010ba0ca10d0ba94b9e48dce8350 | SHA256 | Pylot Sample 1 |
| f456d82e4815ce381d6d1bf23322aca6 | MD5 | Pylot Sample 1 |
| young.aviodyoung.com | URL | Pylot Sample 1 C2 |
| 6d1f5bc52de8458ba1b5ddf1e6957b3ab5e7e8a796356b46588d1c7be458a786 | SHA256 | RTF Carrier File |
| 9381a0ef7039409b7354ff9bbd754283 | MD5 | RTF Carrier File |
| 928efa7e1007633330630bbd7e37ee4843060215c2c825169f12c048099c3f6d | SHA256 | CMStar Loader |
| 7ce99c26ee05efb81c3a123152ccce5e | MD5 | CMStar Loader |
| fab38d1c785cf81cbef1a424e812ef7a26598f86cd19a389efe327db0e747201 | SHA256 | CMStar Sample |
| cc018500132a811e1f7d4d54763f6ab1 | MD5 | CMStar Sample |
|  | URL | CMStar C2 |
| c20742df2580795ef8578b38730066c4c50c833f4a83dd4f6dcf9fc327c1904a | SHA256 | Pylot Sample 2 |
| d5c679df69751936d0fa380f2e4bf017 | MD5 | Pylot Sample 2 |
| pgbkrrq3434.com | URL | Pylot Sample 2 C2 |