Fancy Bear is a Russian cyber espionage group. Cybersecurity firm CrowdStrike has said with a medium level of confidence that it is associated with the Russian military intelligence agency GRU.
This malware was first reported in 2018 and is commonly seen under one of the following file names:
ctlnetw.exe
msctray.exe
ctlnetw.bin
myfile.exe
FTP_DATA-F0eY4D2cESu95zaM75.exe
Function Imports (extracted with the Python pefile library)
HeapReAlloc
ReadFile
GetFileSize
CreateFileW
WriteFile
VirtualProtect
CreateProcessW
GetModuleFileNameW
GetProcAddress
LoadLibraryA
DeleteFileW
GetFileAttributesW
GetModuleHandleA
ExpandEnvironmentStringsW
GetTickCount
MapViewOfFile
SetFilePointer
CreateFileMappingW
GetLastError
CreateMutexW
GetComputerNameW
GetVolumeInformationW
SleepEx
VirtualAlloc
VirtualFree
SetLastError
IsBadReadPtr
FreeLibrary
HeapFree
GetProcessHeap
HeapAlloc
MultiByteToWideChar
WideCharToMultiByte
WaitForSingleObject
GetExitCodeThread
CreateThread
TerminateThread
CloseHandle
WriteConsoleW
SetStdHandle
UnmapViewOfFile
Sleep
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
DecodePointer
EncodePointer
RaiseException
RtlPcToFileHeader
RtlLookupFunctionEntry
RtlUnwindEx
LoadLibraryW
ExitThread
GetCurrentThreadId
GetCommandLineA
GetStartupInfoW
GetStdHandle
HeapSetInformation
GetVersion
HeapCreate
FlsGetValue
FlsSetValue
FlsFree
FlsAlloc
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlCaptureContext
HeapSize
GetModuleHandleW
ExitProcess
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
GetStringTypeW
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
InitializeCriticalSectionAndSpinCount
GetFileType
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetConsoleCP
GetConsoleMode
LCMapStringW
FlushFileBuffers
RegSetValueExW
RegQueryInfoKeyW
RegEnumValueW
RegDeleteValueW
GetUserNameW
RegCreateKeyExW
RegQueryValueExW
RegEnumKeyExW
RegCloseKey
WSAStartup
WSACleanup
GetAdaptersAddresses
A quick look at the imported functions suggests that the malware attempts to:
- Use network sockets, by calling “WSAStartup”
- Obtain the local IP address, by calling “GetAdaptersAddresses”
- Obtain basic system information, i.e. username, computer name, local disk drives and so on
- Although this is not certain yet, based on “HeapAlloc, VirtualAlloc, MapViewOfFile and UnmapViewOfFile” we could assume that the malware performs some sort of process injection.
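A small import-triage helper that reproduces the reading of the import table above and adds the check a practitioner would want on the injection hunch: classic cross-process injection needs remote primitives (WriteProcessMemory, CreateRemoteThread and friends), and none are in this import list, so mapping APIs alone only suggest in-process loading unless those APIs are resolved at runtime. This is an added example, not the post's code; the capability buckets, the function names and the REMOTE_INJECTION set are my own heuristic choices.

```python
# Added example (not code from the original post): group a PE's imported API
# names into capability buckets, the way the bullets above read the import table.
# The bucket definitions are my own heuristic choice, not a standard taxonomy.
from collections import defaultdict

CAPABILITIES = {  # assumption: heuristic API -> capability map
    "network": {"WSAStartup", "WSACleanup", "GetAdaptersAddresses"},
    "host_recon": {"GetUserNameW", "GetComputerNameW", "GetVolumeInformationW",
                   "GetAdaptersAddresses"},
    "memory_mapping": {"VirtualAlloc", "VirtualProtect", "MapViewOfFile",
                       "UnmapViewOfFile", "CreateFileMappingW"},
    "process_thread": {"CreateProcessW", "CreateThread", "TerminateThread"},
    "registry": {"RegCreateKeyExW", "RegSetValueExW", "RegQueryValueExW", "RegDeleteValueW"},
    "file_drop": {"CreateFileW", "WriteFile", "DeleteFileW", "ExpandEnvironmentStringsW"},
    "anti_debug": {"IsDebuggerPresent"},
}
REMOTE_INJECTION = {"WriteProcessMemory", "CreateRemoteThread", "VirtualAllocEx",
                    "NtMapViewOfSection", "QueueUserAPC", "SetThreadContext"}

def triage_imports(names):
    """Return {capability: sorted list of matching imported names}; only hit buckets."""
    hits = defaultdict(set)
    for name in names:
        for cap, apis in CAPABILITIES.items():
            if name in apis:
                hits[cap].add(name)
    return {cap: sorted(apis) for cap, apis in hits.items()}

def injection_indicator(names):
    """Weigh the injection hunch. Cross-process injection normally needs a remote
    primitive; mapping APIs alone point to in-process loading, unless the remote
    APIs are resolved at runtime (this sample imports GetProcAddress and LoadLibraryA)."""
    present = set(names)
    local = present & CAPABILITIES["memory_mapping"]
    remote = present & REMOTE_INJECTION
    if remote:
        return len(local) + len(remote), "remote-process primitives imported"
    if local and "GetProcAddress" in present:
        return len(local), "local mapping only; remote APIs may be resolved dynamically"
    if local:
        return len(local), "local mapping only; likely in-process loading"
    return 0, "no mapping primitives"

def imports_from_pe(path):
    """Pull imported names from a PE on disk with pefile (pip install pefile)."""
    import pefile
    pe = pefile.PE(path, fast_load=True)
    pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_IMPORT"]])
    return [imp.name.decode() for entry in pe.DIRECTORY_ENTRY_IMPORT
            for imp in entry.imports if imp.name]
```

Feed `imports_from_pe(sample)` into `triage_imports` and `injection_indicator` to get the same picture the bullets above draw by hand, plus the explicit note on whether remote-process primitives are present.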
As soon as you load the malware into IDA, you may be dropped into the “WinMain” function, but that is not the real entry point. The program actually starts at the “start” function listed under the Exports tab. The start function seems to perform only basic process initialization, i.e. “GetStartupInfo, calloc and so on”, nothing suspicious.
In WinMain, the first thing to notice is the second function called, which in my case is “sub_7FF77E9D9680” under “sub_1400088E0”:
.text:00007ff77e9ebf56 lea rdx, [rsp+98h+lpSrc]
.text:00007ff77e9ebf5b lea rcx, [rsp+98h+var_68]
.text:00007ff77e9ebf60 call sub_7ff77e9d9680
%ALLUSERSPROFILE% (ProgramData) is loaded into the RAX register. This directory holds configuration data for installed software, some of it sensitive, such as SSH public and private keys. For now, we will just keep that in mind.
We then see that the registry key path Software\Microsoft\MediaPlayer is loaded into memory as well, via sub_1400092f0, even though this program has nothing to do with Media Player.
Then the string “etl” is loaded and moved around memory quite a bit as well.
Since there is far too much to investigate statically, let's check whether some sort of process injection is involved. To do that, we set breakpoints at the start of a few functions.
Below are the functions you can set breakpoints on to identify process injection. Make sure you set each breakpoint at the start of the function.
WinMain
CreateFileW
CreateThread
MapViewOfFile
UnmapViewOfFile
Note: set a breakpoint on WinMain first and run the program; once the kernel32.dll module is loaded, you can set the other breakpoints from there.
Once all the breakpoints are in place, let's run the program until it stops on one of them.
Oho! Look at this: our CreateFileW breakpoint triggered, and the RAX register points to the file path “C:\ProgramData\976FA191.etl”.
Back-tracing shows that CreateFileW was called from sub_7FF77E9DEFA0.
WriteFile is called twice on 976FA191.etl (the .etl extension is that of an Event Trace Log): first to write 4 bytes, then to write 599 bytes.
We then see that CreateThread is called several times: 1. to execute StartAddress, 2. to execute sub_7FF77E9D1060, 3. to execute sub_7FF77E9D34F0, and 4. to execute sub_7FF77E9D1060 again.
Aha! What do we have here: the fourth thread calls into Windows Sockets. At this point we can optionally use Wireshark to capture any network traffic the malware generates.
Website links found on the malware's stack:
These websites don't seem to have any history.
Part #2 coming soon. To be continued.