DeCypherIT – All eggs in one basket

December 12, 2019

Research by: Arie Olshtein

These days, attackers use cheap and publicly accessible services to help them bypass Anti-Virus protections and gain a foothold in their victims’ systems.
We give a behind the scenes look at a service called CypherIt, which is sold publicly as a legitimate service but is used to wrap malwares and hide their malicious content.

This evasion technique can also be used as a weapon against the malware writers, as we can use it to help detect malwares. All you need to do is to read the label on the basket. In this case, the basket is CypherIT, a well-known packer.
According to Check Point telemetry, about 13 percent of all the malicious executables sent by email during August – October 2019 used AutoIt crypters such as CypherIT to hide their malicious content.

Figure 1 – Malware families using AutoIt crypter August – October 2019.

Geographical distribution of affected victims:

Figure 2 – AutoIt distribution during August – October 2019.

Attack flow:

Figure 3 – Attack flow.

Figure 4 – Attack flow encryption server & victim.

CypherIT is a service that is used to encrypt executable files. Its creators claim it makes the files fully undetectable (FUD) by Anti-Virus products. The service is sold publicly via designated websites. In addition to many other features, the service also provides file persistence on the system. The service is called a packer, or as it is more commonly referred to on hacking forums – crypter.

Figure 5 – Screenshot from the CypherIT official Website.

The CypherIT application sends the file to a web service, api.Cypherit[.]org, which wraps it with all the requested functionalities (e.g. persistence, Anti-Sandbox, Bypass UAC, and many more).

Figure 6 – CypherIT wrapping features.

Within seconds, the process is complete and you receive a new file. The original payload uses enhanced techniques that can bypass many different security products.

Figure 7 – The build on CypherIT servers.

The new sample generated by the web service is actually an executable file with embedded AutoIt script created on the server.
The promise this product holds led many actors to begin using the tool for a relatively low price – starting at $33 a month.

AutoIt & malwares:

Recently, we are seeing a rise in the number of malwares that use AutoIt in the infection process.
AutoIt is a scripting language designed for the Windows environment, and is a popular language of choice for malware writers. Once the script is created, you can easily create a stand-alone executable in the script compilation stage.
The ease of creating scripts, automated compression and default anti-debugging features make AutoIt scripting a favorite malware weapon.

From our telemetry on files that were using AutoIt during July – September, we can see some interesting insights –

  • Eighteen percent of all malicious executable files sent by email used AutoIt.
  • About 68 percent of all AutoIt executable files that were sent online were written for malicious purposes.

Figure 8 – Percentage of malicious AutoIt use.

 

Unpacking and de-obfuscating CypherIT

Obfuscation:
A cursory glance at the extracted AutoIt script from a sample generated by CypherIt may look heavily obfuscated, but CypherIt actually uses basic techniques. On the other hand, CypherIt constantly changes the obfuscations function, and adds excessive unused functions and conditions to evade detection.

CypherIt uses functions such as:

  • Change the character order.
  • Change the strings to hexadecimal.
  • XOR with constant values.
  • Rotate the strings.
  • Embed many non-ASCII characters.

Figure 9 – Reverse strings.

Figure 10 – First argument XOR with the length of the second argument.

Figure 11 – String right rotation.

Figure 12 – BinaryToString with non-ASCII characters.

Unpacking:

CypherIT changes the encryption methodology from time to time to better hide the payload.
The 3 main methods:

  • Split the encrypted sample and concatenate as a hexadecimal string inside of the AutoIt script.
  • Split the encrypted sample and convert it to reverse hexadecimal string and attach
    it to the AutoIt executables as resources.
  • Split the encrypted sample and attach it to the AutoIt executables as resources.

Let’s break down the last option.
After de-obfuscating the script, we can see a function call to load the encrypted resources of the executable.
The function receives two arguments:

  1. A hexadecimal string representing the name of the resource delimited with “|”.
  2. A resource type.

The function splits the string and loads the encrypted resource by name and type and concatenates the binaries to one piece.

Figure 13 – Loading and concatenating the encrypted resource.

In the next step, CypherIT decrypts the payload. Most of the samples use an AES256 algorithm, by calling to the following APIs:

  • CryptAcquireContext
  • CryptCreateHash
  • CryptHashData
  • CryptDeriveKey
  • CryptDecrypt

Having said that, we also saw samples that were decrypted by writing to memory a shellcode that contains an RC4 algorithm.

Figure 14 – AES256 encryption.

After decrypting the payload, CypherIT injects it using a snippet of shellcode that uses the process hollowing technique. The shellcode maps the relevant API calls with the help of NtOpenSection and NtMapViewOfSecion to avoid detection by hooking.
This shellcode seems to be known and implemented in many other malwares and is sold in an online hacker’s forum as a “Frenchy shellcode.” The shellcode writer sometimes uses the explicit mutex “Startup_shellcode_[0-9]” or “frenchy_shellcode_[0-9]” .

To identify the binaries on the disk before they run on the memory (and avoid risk), we can unpack the samples and reveal the hidden malware payloads only by static analysis. After the unpacking process, we can determine the family and the type of the malware by looking at the binary’s content. As we show in the attached video, after the unpacking process is complete, more anti-virus engines can be used to detect and identify the malware family.

To get the original PE file for DeCypherIT:

  1. Extract 3 arguments for the AutoIt script:
    • Resource names
    • Key
    • Resource types
  2. Load the resources and concatenate them by the string order. We created an equivalent function in Python:

print("[+] Try to load and concatenates the resources")
resource_names_list = binascii.unhexlify(resource_names[2:]).decode("utf-8").split("|")
ciphertext, ciphertext_len = get_concatenate_resource(hfile, resource_names_list, resource_type)
print("[+] Try to decrypt the resources")
plaintext = aes_decrypt(ciphertext, ciphertext_len, key, key_len)


def get_concatenate_resource(hfile, resource_names, res_type):
    concatenate_resource = 0
    size = 0
    for resource_name in resource_names:
        h_res_info = ctypes.windll.kernel32.FindResourceW(hfile, resource_name, res_type)
        if not h_res_info:
            print("FindResourceW failed to find: %s resource_name" % win32api.GetLastError())
        size += ctypes.windll.kernel32.SizeofResource(hfile, h_res_info)
        binary_data = win32api.LoadResource(hfile, res_type, resource_name)
        if concatenate_resource:
            concatenate_resource += binary_data
        else:
            concatenate_resource = binary_data
    return concatenate_resource, c_int(size)

Figure 15 – Load and concatenate the resources.

        3. Send the concatenated resources and the key to AES256.


def aes_decrypt(buffer, buffer_len, key, key_len):
    try:
        # Get handle to key container
        hprov = c_void_p()
        if not windll.advapi32.CryptAcquireContextA(byref(hprov), 0, 0, PROV_RSA_AES, CRYPT_VERIFYCONTEXT):
            print("CryptAcquireContext failed: %s" % win32api.GetLastError())
            return False
        # Create handle to MD5 object
        hHash = c_void_p()
        if not windll.advapi32.CryptCreateHash(hprov, CALG_MD5, 0, 0, byref(hHash)):
            print("CryptCreateHash failed: %s" % win32api.GetLastError())
            return False
        # Hash the key
        if not windll.advapi32.CryptHashData(hHash, key, key_len, 0):
            print("CryptHashData failed: %s" % win32api.GetLastError())
            return False
        # Generates AES_256 key
        hkey = c_void_p()
        if not windll.advapi32.CryptDeriveKey(hprov, CALG_AES_256, hHash, CRYPT_EXPORTABLE, byref(hkey)):
            print("CryptDeriveKey failed: %s" % win32api.GetLastError())
            return False
        # Decrypts the buffer
        if not windll.advapi32.CryptDecrypt(hkey, 0, 1, 0, buffer, byref(buffer_len)):
            print("CryptDecrypt failed: %s" % win32api.GetLastError())
            return False
        return buffer

Figure 16 – AES256 decryption

You now get the source payloads!

Conclusions

  • The Packer as a Service sellers present the goods as a legitimate service, which continues the pretense by offering a crypter tool. However, the same service offers a way to bypass Anti-Virus protections and maintains persistence on the victim’s machine.
  • We see the packer writers are an important resource for the threat actors. Making the packers available for public sale on an official website, such as CypherIT, leads to their being accessible by actors with malicious intent.
  • Wrapping these malwares with packers make them even more powerful weapons. As a result of this ease of use, there is an increase in the number of different actors and the malware families they use in phishing emails.

Check Point protections:

As part of the Check Point SandBlast Zero-Day Protection solution, SandBlast Network prevents these attacks. This innovative zero-day threat sandboxing capability within the SandBlast solution delivers the best possible catch rate for these threats.

SandBlast Network Protections:

• Packer.Win.AutoITCrypter
• Injector.Win.FrenchySC

Packed executable files with CypherIT

Remcos
09327de815fd446a69a27f327fd06fe6fd0737db
0a6f468b41e36a2bf03215784dc2bdf9bce0ef85
0f4d58154ac7bc5580f3c760cc0de3b0ba9f8f9c
110d9f5d617aaa5505c444bd63f7a09d408d9feb

NanoCore
12a7697d0d21d6647634943843806bf3f4d411fa
847018d0eb621e45c4fd4e70457fc67ec356ca37
d13118207995424b7bb9bb5dd7075be5cc6c68bb
74e6086662ea1e218f1f75380cdf077a5b33e97a

NJRat
6135b88053f5a38ed8c9f405e246c12b9af6888f
6d32f1e923787103f7e0b9750da977c093bc6c93
773c07f1d969c84b9a3514929fa457a65429757f
03ffca17b0e24300d50932f249e29d5949af102c

AZORult
2c503ebb906bebf9acccdb7a30abd73e239832af
30ba243b15eb8e9cfba269a870047067521c3dba
34837088731b4b849c37f2115df978f4a64d5462
3f6d798f5823f62f9594ead58291569563fc30d7

AgentTesla
836f4ca5b7ca85d3c39bba66c6de492628c84eea
85176880895a609a9b096d7cfecbb0586c70ceec
8e0a1ce880f3a59ac5a8c7952c0491a8676dd2ee
aaba803a3a6942e28d5b317fc238df66d0df4f23

NetWire
0ab635dfb7904fb85576c0e3d426bebea2ded7c1
3e89455e0fa0e8cc6db29305101bcbac92f4ea04
581d696d971c4efee8a7327a34605342eb4bbe19
ba58cfcf178d6285868599af41dca318ea879bd4

lokibot
5f8fed869e17b960b262ea367586404f5483bdd0
46b18946838feba1b75394c7acffd50e77f9d0db
5a9c742de65bb46a8215a4ebd938f707114f0db4
a95ff3544b64a48fbe7e1187396ce3ca9960253e