Fancy Bear is a Russian cyber espionage group. Cybersecurity firm CrowdStrike has said with a medium level of confidence that it is associated with the Russian military intelligence agency GRU.
This sample was first reported in 2018 and is commonly known by one of the following names:
Rich PE header hash: f0430de1bc4cde1d5f423453919fe65c
Function imports (listed with the Python pefile library)
A quick look at the imported functions suggests that the malware attempts to:
- Use network sockets (WSAStartup)
- Obtain the local IP address (GetAdaptersAddresses)
- Obtain basic system information: username, computer name, local disk drives and so on
- Possibly stage code in memory: HeapAlloc, VirtualAlloc, MapViewOfFile and UnmapViewOfFile are imported. These are in-process allocation and mapping APIs, so on their own they do not prove injection into another process (that would normally also need OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread, or their Nt* equivalents). We treat injection as a hypothesis to confirm at runtime.
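The capability mapping above can be made mechanical: group the APIs that together imply a behaviour and only report the behaviour when every group is hit. This is an added example, not code from the write-up or from the sample; the import lists in it are constructed from the API names mentioned above plus a few plausible neighbours, and the optional reader for real files relies on the third-party pefile package.

```python
"""Import-table triage: map imported API names to capabilities.

Added example, not code from the original write-up or from the sample. The
import lists below are constructed (the APIs the write-up names, padded with a
few plausible neighbours); they were not dumped from the real file. Reading a
real file needs the third-party `pefile` package, imported only inside the
function that uses it so everything else runs without it.
"""
from typing import Dict, Iterable, List, Set

# A capability is a list of "any-of" groups; every group must be hit by at
# least one imported name before the capability is reported. This is what
# separates "allocates memory in its own process" from "writes into another".
RULES: Dict[str, List[Set[str]]] = {
    "network (Winsock)": [{"WSAStartup", "socket", "connect", "send", "recv"}],
    "local host recon": [{"GetUserNameW", "GetUserNameA", "GetComputerNameW",
                          "GetComputerNameA", "GetLogicalDrives",
                          "GetAdaptersAddresses"}],
    "drops a file": [{"CreateFileW", "CreateFileA"}, {"WriteFile"}],
    "registry access": [{"RegOpenKeyExW", "RegOpenKeyExA", "RegCreateKeyExW"},
                        {"RegQueryValueExW", "RegQueryValueExA",
                         "RegSetValueExW"}],
    "in-process memory staging": [{"VirtualAlloc", "HeapAlloc",
                                   "MapViewOfFile"}],
    # Cross-process injection needs a handle to the target plus remote
    # allocate, write and execute primitives; none of the four groups below
    # is satisfied by VirtualAlloc or MapViewOfFile alone.
    "remote process injection": [
        {"OpenProcess"},
        {"VirtualAllocEx", "NtAllocateVirtualMemory", "NtMapViewOfSection"},
        {"WriteProcessMemory", "NtWriteVirtualMemory", "NtMapViewOfSection"},
        {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread",
         "QueueUserAPC", "SetThreadContext"},
    ],
}

# Constructed: the APIs named in the write-up plus plausible neighbours.
SAMPLE_IMPORTS: Dict[str, List[str]] = {
    "ws2_32.dll": ["WSAStartup", "socket", "connect", "send", "recv", "closesocket"],
    "iphlpapi.dll": ["GetAdaptersAddresses"],
    "advapi32.dll": ["GetUserNameW", "RegOpenKeyExW", "RegQueryValueExW"],
    "kernel32.dll": ["GetComputerNameW", "GetLogicalDrives", "HeapAlloc",
                     "VirtualAlloc", "MapViewOfFile", "UnmapViewOfFile",
                     "CreateFileW", "WriteFile", "CreateThread",
                     "ExpandEnvironmentStringsW"],
}

# Constructed: what a classic CreateRemoteThread injector imports, for contrast.
INJECTOR_IMPORTS: Dict[str, List[str]] = {
    "kernel32.dll": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                     "CreateRemoteThread", "CloseHandle"],
}


def triage_imports(imports: Dict[str, Iterable[str]]) -> Dict[str, List[str]]:
    """Return {capability: sorted matching API names} for every rule whose
    any-of groups are all satisfied by the import table."""
    names: Set[str] = {n for fns in imports.values() for n in fns}
    hits: Dict[str, List[str]] = {}
    for capability, groups in RULES.items():
        matched = [names & group for group in groups]
        if all(matched):
            hits[capability] = sorted(set().union(*matched))
    return hits


def imports_from_pe(path: str) -> Dict[str, List[str]]:
    """Dump the import table of a real PE with pefile (pip install pefile)."""
    import pefile  # third-party; deferred so the module loads without it
    pe = pefile.PE(path, fast_load=True)
    pe.parse_data_directories(
        directories=[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_IMPORT"]])
    table: Dict[str, List[str]] = {}
    for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
        dll = entry.dll.decode("ascii", errors="replace").lower()
        table[dll] = [imp.name.decode("ascii", errors="replace") if imp.name
                      else f"ordinal_{imp.ordinal}" for imp in entry.imports]
    return table


if __name__ == "__main__":
    import sys
    table = imports_from_pe(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_IMPORTS
    for capability, apis in triage_imports(table).items():
        print(f"{capability}: {', '.join(apis)}")
```

Run it with a path to get the real table, or with no arguments to see the constructed one: the sample's imports satisfy the network, recon, file-drop and in-process staging rules but not the remote-injection rule, which is exactly why the injection question has to be settled under the debugger. Imports can also be resolved dynamically (GetProcAddress) or hidden by a packer, so an empty result is not proof of absence.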
When you load the sample into IDA you may be dropped into the WinMain function, but that is not the real entry point. Execution starts at the start function listed under the Exports tab; it only performs basic process initialization (GetStartupInfo, calloc and so on), nothing suspicious.
In WinMain, the first thing of note is the second function called, sub_7FF77E9D9680 in my debugging session, called from within sub_1400088E0. (IDA's static names such as sub_1400088E0 use the preferred image base 0x140000000; once the debugger attaches, ASLR rebases the module and the same functions appear at 0x7FF7... addresses.)
.text:00007ff77e9ebf56 lea rdx, [rsp+98h+lpSrc]
.text:00007ff77e9ebf5b lea rcx, [rsp+98h+var_68]
.text:00007ff77e9ebf60 call sub_7ff77e9d9680
%ALLUSERSPROFILE% (C:\ProgramData) is loaded into the RAX register. That directory holds machine-wide configuration for installed software, including the OpenSSH host keys under ProgramData\ssh, and ordinary users can create files in it, which also makes it a convenient drop location. For now, we just keep that in mind.
We then see Software\Microsoft\MediaPlayer loaded into memory as well, by sub_1400092f0, even though this program has nothing to do with Windows Media Player.
The string “etl” is then loaded and moved around in memory quite a bit as well.
Since there is far too much to investigate statically, let's check at runtime whether some sort of process injection is involved. To do that, we set breakpoints at the start of a few functions.
Below are the functions you can set breakpoints on to identify process injection; make sure each breakpoint is at the start of the function.
Note: set a breakpoint on WinMain first and run the program; once kernel32.dll is loaded you can set the remaining breakpoints.
Once all the breakpoints are in place, run the program until it stops at one of them.
Oho! Look at this: our CreateFileW breakpoint triggers, and RAX points to the file path “C:\ProgramData\976FA191.etl”.
Walking back up the call stack shows that CreateFileW was called from sub_7FF77E9DEFA0.
WriteFile is then called twice on 976FA191.etl (.etl is the extension of Windows Event Trace Logs): once to write 4 bytes and once to write 599 bytes.
CreateThread is then called four times: to run StartAddress, sub_7FF77E9D1060, sub_7FF77E9D34F0 and sub_7FF77E9D1060 again.
Aha! The fourth thread is the one that calls into Winsock. At this point you can optionally use Wireshark to capture any network traffic the malware generates.
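The debugger gave us a behavioural chain: a small file named with eight hex digits and an .etl extension is created directly under ProgramData, and shortly afterwards the same process opens a socket. The following detection logic is an added example, not part of the write-up: it runs that chain over constructed Sysmon-style events (event 11 FileCreate, event 3 NetworkConnect; the ProcessGuid values, lab paths, timestamps and 203.0.113.x addresses are made up) and assumes, from the single observation above, that the drop name is always eight hex digits plus .etl in the root of ProgramData.

```python
"""Detection logic for the runtime behaviour seen under the debugger:
a process drops <8 hex digits>.etl directly under ProgramData and then
opens a network connection.

Added example, not part of the original write-up. The Sysmon-style events
are constructed (the ProcessGuid values, lab paths, timestamps and the
203.0.113.x addresses are made up); the field names follow Sysmon event 11
(FileCreate) and event 3 (NetworkConnect). Assumption taken from the
write-up's single observation: the drop name is always eight hex digits
plus ".etl" in the root of ProgramData.
"""
import re
from collections import defaultdict
from typing import Dict, List

DROP_RE = re.compile(r"^[A-Za-z]:\\ProgramData\\[0-9A-Fa-f]{8}\.etl$")

SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 11, "UtcTime": "2018-03-01 10:00:01.000", "ProcessGuid": "{A1}",
     "Image": r"C:\Users\lab\Desktop\sample.exe",
     "TargetFilename": r"C:\ProgramData\976FA191.etl"},
    {"EventID": 3, "UtcTime": "2018-03-01 10:00:02.500", "ProcessGuid": "{A1}",
     "Image": r"C:\Users\lab\Desktop\sample.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Benign: a system service writing a real trace log in a subfolder.
    {"EventID": 11, "UtcTime": "2018-03-01 10:00:03.000", "ProcessGuid": "{B2}",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Diagnosis\trace.etl"},
    {"EventID": 3, "UtcTime": "2018-03-01 10:00:04.000", "ProcessGuid": "{B2}",
     "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 80},
    # Drop without any later connection: still worth a look, lower severity.
    {"EventID": 11, "UtcTime": "2018-03-01 10:00:05.000", "ProcessGuid": "{C3}",
     "Image": r"C:\Tools\other.exe",
     "TargetFilename": r"C:\ProgramData\DEADBEEF.etl"},
    # A connection made before the drop does not count as follow-on activity.
    {"EventID": 3, "UtcTime": "2018-03-01 09:59:00.000", "ProcessGuid": "{C3}",
     "Image": r"C:\Tools\other.exe",
     "DestinationIp": "203.0.113.30", "DestinationPort": 8080},
]


def detect_etl_drops(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """One alert per process that created a <8hex>.etl in ProgramData.
    Severity is "high" when the same process connected out after the drop
    (the order the debugger showed: file write, then Winsock thread)."""
    drops: Dict[str, Dict[str, object]] = {}
    connections: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 11 and DROP_RE.match(str(ev["TargetFilename"])):
            drops.setdefault(str(ev["ProcessGuid"]), ev)  # keep the first drop
        elif ev["EventID"] == 3:
            connections[str(ev["ProcessGuid"])].append(ev)

    alerts: List[Dict[str, object]] = []
    for guid, drop in drops.items():
        # UtcTime is fixed-width "YYYY-MM-DD HH:MM:SS.mmm", so strings sort chronologically.
        later = [c for c in connections[guid]
                 if str(c["UtcTime"]) >= str(drop["UtcTime"])]
        alerts.append({
            "time": drop["UtcTime"],
            "image": drop["Image"],
            "file": drop["TargetFilename"],
            "destinations": [f'{c["DestinationIp"]}:{c["DestinationPort"]}' for c in later],
            "severity": "high" if later else "medium",
        })
    return sorted(alerts, key=lambda a: str(a["time"]))


if __name__ == "__main__":
    for alert in detect_etl_drops(SAMPLE_EVENTS):
        print(str(alert["severity"]).upper(), alert["image"], "->", alert["file"],
              alert["destinations"] or "no follow-on connection")
```

Keying on ProcessGuid rather than image path is deliberate: the sample's name and location are arbitrary, while the drop-then-connect sequence is the behaviour we actually watched. The svchost.exe event is excluded by the path pattern alone, not by an image allowlist, so a renamed copy of the sample would still be caught.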
Website links found on the malware's stack:
These websites don't seem to have any history.
Part #2 coming soon. To be continued.