X-Agent and X-Tunnel Malware

malware 18 2019 102

The Mueller Report release today released some new information. We were fascinated by this comment. Why did the computer anti-virus miss these two malwares?

Agent-X is a proxy server.

In order to run automatically when Windows starts up the Trojan creates
a hidden folder named sr64 under the current user’s Application Data
folder and copies itself to a randomly-named file in this folder. The
Trojan then creates the following registry entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sr64

Agent-X drops and loads a library file named sr32.dll in the same
hidden folder. This library file has stealth functionality which hides
the Trojan’s files and registry entries.

Agent-X runs a HTTP proxy and a SOCKS proxy, allowing a remote
attacker to route web or general-purpose traffic through the infected
machine.

Every 10 minutes the Trojan reports its presence and optionally attempts
to download an updated version of itself. Both the port numbers for the
proxy servers and the URLs for reporting and updating are stored in an
encrypted block of data at the end of the Trojan’s executable file.

The Trojan also creates the following registry entries for its own use:

HKCU\Software\Microsoft\Windows\CurrentVersion\Hash
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\btidnt

X-Agent is a signature tool of Fancy Bear operations—a cross-platform backdoor toolset with variants for Windows, MacOS, Android, and iOS. The Windows and MacOS versions of X-Agent are capable of recording keystrokes, taking screenshots, and exfiltrating files from infected systems back to a command and control server.

Lieutenant Captain Nikolay Kozacheck (who used the hacker monikers “kazak” and “blablabla1234465”) was the primary developer and maintainer of X-Agent, according to the Mueller indictment, and he was assisted by another officer, Pavel Yershov, in preparing it for deployment. Once X-Agent was implanted on the DNC and DCCC networks, Second Lieutenant Artem Malyshev (AKA “djangomagicdev” and “realblatr”) monitored the implants through the command and control network configured for the task.

The XTunnel malware that was used by Russian actor Fancy Bear to penetrate the Democrat National Committee (DNC) network was specifically designed to work against this target, Invincea researchers say.

The attack was carried out in April this year, but was the second time a Russian threat actor targeted DNC, after another group going by the name of Cozy Bear managed to penetrate the network in the summer of 2015. The incidents were analyzed by Crowdstrike, after DNC employees started receiving alerts from Yahoo regarding their potential account compromises.

The researchers discovered that the Fancy Bear threat actor used the XTunnel malware for compromise purposes. After taking a closer look at the malware, Invincea discovered that the malware didn’t cluster with other known threats and says that it was likely a “purpose-built original piece of code” meant to target the DNC network specifically.

As it turns out, the XTunnel tool has several capabilities that allowed it to easily compromise the targeted network, including VPN-style capabilities and the use of encryption (it exchanges SSH keys, uses private encryption keys, compresses and decompresses data, etc.). The malware also supports access to locally stored passwords, and can access the LDAP server, researchers discovered.

What’s more, the threat is modular, meaning that it can download additional files when needed, and can also probe the network for open ports, PING hosts, and send and receive emails. The malware has many other capabilities, some of which are shared by legitimate programs, Invincea reveals.

Some of the most important functions of the tool, however, include the ability “to hook into system drivers, access the local LDAP server, access local passwords, use SSH, OpenSSL, search and replace local files, and of course be able to maintain a persistent connection to a pre-specified IP address, even if the host is behind a NATed firewall,” Invincea’s Pat Belcher explains.

As if these abilities weren’t enough, the threat was also found to be able to monitor keyboard and mouse movements, and even to access webcams and USB drives. “That is a lot of capabilities packed into a file that is less than 2 MB in size,” Belcher notes.

Another interesting aspect of XTunnel is that its code isn’t obfuscated, as most modern malware employs this technique to make analysis challenging. This piece of malware contains strings of code that appear to be transparently showing exactly what the binary is intended to do, “as if it were originally developed to be an open source tool to provide encrypted tunnel access to internet hosts,” the security researcher says.

The researchers also discovered that the hackers used a very old but reliable network module –associated with softphone and VoIP applications over a decade ago – to maintain a fully encrypted, end-to-end Remote Access Trojan (RAT). Thus, the DNC didn’t have many options when it came to detecting the malware’s network activity, except to catch it “port knocking” on the inside of the firewall.

However, the security company notes that, since many organizations run a firewall configuration where inside host are allowed outbound without restrictions, this type of activity would have been almost impossible to detect if only logs were used. Even with restricted outbound access, XTunnel could have used ICMP or UDP protocols to connect to the Russian command and control server, Invincea says.

Invincea released a report on these malware, but clearing away from any “Russian attribution” statements. Their report focuses on X-Tunnel, the malware used to steal the data from the DNC servers.

The company’s malware expert, Pat Belcher, says that this is a one-of-a-kind malware variant that appears to be custom-built and used only in limited, targeted attacks, not sharing any similarities with other malware families.

The malware has many capabilities that would allow it to be used as a RAT, a remote access trojan, but it appears that its role was to help the crooks steal data from compromised systems.

RAT features discovered inside X-Tunnel’s measly 2MB file include the ability to open SSH connections, encrypt traffic using SSL, access LDAP servers, read/write from Windows Console, compress/decompress data, steal passwords, download/upload files, capture mouse movements, use proxies, modify Windows services, and many other more.

Nevertheless, the vast majority of the features found by Invincea’s analysis show a tool designed for data exfiltration above all.

X-Tunnel is based on an open-source network tunneling protocol
Belcher claims that the name X-Tunnel, given to this tool, is not a coincidence. The malware seems to be a rough modification of the XTunnel PortMap open source project by Xten, a Chinese company.

This application was developed on XTunnel, a protocol used in the early days of softphones and VoIP communications, and was used to open connections from firewalled networks to IPs on the outside of the network without having to request system administrators to open special ports.

The XTunnel protocol would probe the firewall on its own, searching for open ports, and use the first port it found to open a connection.

Development of the protocol stopped when Xten was acquired by another company, who closed-source the project, taking it out of the hands of the open-source community.

“The Fancy Bear threat actors used, by today’s standards, a very old, but still reliable network module used for softphone and video and VoIP capabilities to maintain a fully encrypted, end-to-end Remote Access Trojan (RAT),” Belcher explains.

“Previous reports from Crowdstrike and others note that the XTunnel tool was used to maintain network connectivity. Whether the XTunnel tool was used for additional purposes as its capabilities suggest is unknown, but it had the potential to support a full range of additional activity,” Belcher also added, reconfirming X-Tunnel’s additional RAT features.

A theory of the malware’s possible infection vector stems from a trojan named Komplex, which was found in September 2016 to be infecting Macs through a combination of emails sent to specific targets (aka spear phishing) and containing a PDF attachment that held the malicious code that would lead to infecting the system upon opening the PDF.

While this is a common vector for infection for many trojans, it is nonetheless important for users to practice safe internet habits and not open or preview emails from unknown senders, and under no circumstances should you ever open an attachment that is sent to you from someone you don’t know.

Install software only from authorized developers
While computers are understandably used to make our lives easier, the software that runs on them interacts with a lot of potentially sensitive data and can be targeted by threat actors or even be designed by them. To minimize this risk, Apple has implemented several technologies throughout the years, such as Gatekeeper and System Integrity Protection (SIP), that serve to allow authorized software developers with verified signatures the right to have their apps installed on macOS and to prevent malware from running by protecting system directories from unauthorized modification by rouge applications.

These technologies come turned on, by default, but can be manually disabled by administrators. Given the threats posed by malware introduced as trojans, setting Gatekeeper to allow software installs by the App Store and identified developers is a safe bet. Safer still, allowing software that comes from the App Store is the best protection.

 

 

 

 

This entry was posted in Uncategorized and tagged , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s