DeCypherIT – All eggs in one basketDecember 12, 2019
Research by: Arie Olshtein
These days, attackers use cheap and publicly accessible services to help them bypass Anti-Virus protections and gain a foothold in their victims’ systems.
We give a behind the scenes look at a service called CypherIt, which is sold publicly as a legitimate service but is used to wrap malwares and hide their malicious content.
This evasion technique can also be used as a weapon against the malware writers, as we can use it to help detect malwares. All you need to do is to read the label on the basket. In this case, the basket is CypherIT, a well-known packer.
According to Check Point telemetry, about 13 percent of all the malicious executables sent by email during August – October 2019 used AutoIt crypters such as CypherIT to hide their malicious content.
Figure 1 – Malware families using AutoIt crypter August – October 2019.
Geographical distribution of affected victims:
Figure 2 – AutoIt distribution during August – October 2019.
Figure 3 – Attack flow.
Figure 4 – Attack flow encryption server & victim.
CypherIT is a service that is used to encrypt executable files. Its creators claim it makes the files fully undetectable (FUD) by Anti-Virus products. The service is sold publicly via designated websites. In addition to many other features, the service also provides file persistence on the system. The service is called a packer, or as it is more commonly referred to on hacking forums – crypter.
Figure 5 – Screenshot from the CypherIT official Website.
The CypherIT application sends the file to a web service, api.Cypherit[.]org, which wraps it with all the requested functionalities (e.g. persistence, Anti-Sandbox, Bypass UAC, and many more).
Figure 6 – CypherIT wrapping features.
Within seconds, the process is complete and you receive a new file. The original payload uses enhanced techniques that can bypass many different security products.
Figure 7 – The build on CypherIT servers.
The new sample generated by the web service is actually an executable file with embedded AutoIt script created on the server.
The promise this product holds led many actors to begin using the tool for a relatively low price – starting at $33 a month.
AutoIt & malwares:
Recently, we are seeing a rise in the number of malwares that use AutoIt in the infection process.
AutoIt is a scripting language designed for the Windows environment, and is a popular language of choice for malware writers. Once the script is created, you can easily create a stand-alone executable in the script compilation stage.
The ease of creating scripts, automated compression and default anti-debugging features make AutoIt scripting a favorite malware weapon.
From our telemetry on files that were using AutoIt during July – September, we can see some interesting insights –
- Eighteen percent of all malicious executable files sent by email used AutoIt.
- About 68 percent of all AutoIt executable files that were sent online were written for malicious purposes.
Figure 8 – Percentage of malicious AutoIt use.
Unpacking and de-obfuscating CypherIT
A cursory glance at the extracted AutoIt script from a sample generated by CypherIt may look heavily obfuscated, but CypherIt actually uses basic techniques. On the other hand, CypherIt constantly changes the obfuscations function, and adds excessive unused functions and conditions to evade detection.
CypherIt uses functions such as:
- Change the character order.
- Change the strings to hexadecimal.
- XOR with constant values.
- Rotate the strings.
- Embed many non-ASCII characters.
Figure 9 – Reverse strings.
Figure 10 – First argument XOR with the length of the second argument.
Figure 11 – String right rotation.
Figure 12 – BinaryToString with non-ASCII characters.
CypherIT changes the encryption methodology from time to time to better hide the payload.
The 3 main methods:
- Split the encrypted sample and concatenate as a hexadecimal string inside of the AutoIt script.
- Split the encrypted sample and convert it to reverse hexadecimal string and attach
it to the AutoIt executables as resources.
- Split the encrypted sample and attach it to the AutoIt executables as resources.
Let’s break down the last option.
After de-obfuscating the script, we can see a function call to load the encrypted resources of the executable.
The function receives two arguments:
- A hexadecimal string representing the name of the resource delimited with “|”.
- A resource type.
The function splits the string and loads the encrypted resource by name and type and concatenates the binaries to one piece.
Figure 13 – Loading and concatenating the encrypted resource.
In the next step, CypherIT decrypts the payload. Most of the samples use an AES256 algorithm, by calling to the following APIs:
Having said that, we also saw samples that were decrypted by writing to memory a shellcode that contains an RC4 algorithm.
Figure 14 – AES256 encryption.
After decrypting the payload, CypherIT injects it using a snippet of shellcode that uses the process hollowing technique. The shellcode maps the relevant API calls with the help of NtOpenSection and NtMapViewOfSecion to avoid detection by hooking.
This shellcode seems to be known and implemented in many other malwares and is sold in an online hacker’s forum as a “Frenchy shellcode.” The shellcode writer sometimes uses the explicit mutex “Startup_shellcode_[0-9]” or “frenchy_shellcode_[0-9]” .
To identify the binaries on the disk before they run on the memory (and avoid risk), we can unpack the samples and reveal the hidden malware payloads only by static analysis. After the unpacking process, we can determine the family and the type of the malware by looking at the binary’s content. As we show in the attached video, after the unpacking process is complete, more anti-virus engines can be used to detect and identify the malware family.
To get the original PE file for DeCypherIT:
- Extract 3 arguments for the AutoIt script:
- Resource names
- Resource types
- Load the resources and concatenate them by the string order. We created an equivalent function in Python:
print("[+] Try to load and concatenates the resources") resource_names_list = binascii.unhexlify(resource_names[2:]).decode("utf-8").split("|") ciphertext, ciphertext_len = get_concatenate_resource(hfile, resource_names_list, resource_type) print("[+] Try to decrypt the resources") plaintext = aes_decrypt(ciphertext, ciphertext_len, key, key_len) def get_concatenate_resource(hfile, resource_names, res_type): concatenate_resource = 0 size = 0 for resource_name in resource_names: h_res_info = ctypes.windll.kernel32.FindResourceW(hfile, resource_name, res_type) if not h_res_info: print("FindResourceW failed to find: %s resource_name" % win32api.GetLastError()) size += ctypes.windll.kernel32.SizeofResource(hfile, h_res_info) binary_data = win32api.LoadResource(hfile, res_type, resource_name) if concatenate_resource: concatenate_resource += binary_data else: concatenate_resource = binary_data return concatenate_resource, c_int(size)
Figure 15 – Load and concatenate the resources.
3. Send the concatenated resources and the key to AES256.
def aes_decrypt(buffer, buffer_len, key, key_len): try: # Get handle to key container hprov = c_void_p() if not windll.advapi32.CryptAcquireContextA(byref(hprov), 0, 0, PROV_RSA_AES, CRYPT_VERIFYCONTEXT): print("CryptAcquireContext failed: %s" % win32api.GetLastError()) return False # Create handle to MD5 object hHash = c_void_p() if not windll.advapi32.CryptCreateHash(hprov, CALG_MD5, 0, 0, byref(hHash)): print("CryptCreateHash failed: %s" % win32api.GetLastError()) return False # Hash the key if not windll.advapi32.CryptHashData(hHash, key, key_len, 0): print("CryptHashData failed: %s" % win32api.GetLastError()) return False # Generates AES_256 key hkey = c_void_p() if not windll.advapi32.CryptDeriveKey(hprov, CALG_AES_256, hHash, CRYPT_EXPORTABLE, byref(hkey)): print("CryptDeriveKey failed: %s" % win32api.GetLastError()) return False # Decrypts the buffer if not windll.advapi32.CryptDecrypt(hkey, 0, 1, 0, buffer, byref(buffer_len)): print("CryptDecrypt failed: %s" % win32api.GetLastError()) return False return buffer
Figure 16 – AES256 decryption
You now get the source payloads!
- The Packer as a Service sellers present the goods as a legitimate service, which continues the pretense by offering a crypter tool. However, the same service offers a way to bypass Anti-Virus protections and maintains persistence on the victim’s machine.
- We see the packer writers are an important resource for the threat actors. Making the packers available for public sale on an official website, such as CypherIT, leads to their being accessible by actors with malicious intent.
- Wrapping these malwares with packers make them even more powerful weapons. As a result of this ease of use, there is an increase in the number of different actors and the malware families they use in phishing emails.
Check Point protections:
As part of the Check Point SandBlast Zero-Day Protection solution, SandBlast Network prevents these attacks. This innovative zero-day threat sandboxing capability within the SandBlast solution delivers the best possible catch rate for these threats.
SandBlast Network Protections:
Packed executable files with CypherIT