[ Malware Analysis #5] — Eternity Project — Eternity Worm
In this article we will continue the analysis of the Eternity Project, this time we will have a look at the Eternity Worm, so let’s start…
Artifacts:
Eternity Worm Stage 1:
Eternity Worm Stage 2:
Static Analysis:
Eternity Worm Stage 1:
This sample of Eternity Worm uses an image icon to deceive naïve users, especially when file extensions are hidden. The trick is effective because, as we see further down the analysis, once the supposed image (the malware) is run it opens a real image from its resources to hide its execution:
Throwing the sample on “Detect It Easy” we find that it is an obfuscated .NET sample, as can be seen from the “.text” section:
Unpacking The Malware:
Running the sample in “dnSpy” we can see that it is heavily obfuscated and very similar to the “Eternity Stealer” malware. So I used “de4dot” to deobfuscate and clean the sample:
From the cleaned version in the image above, we can see that the loader reads its resources: it starts by loading the encrypted image and its key, decrypts it with a simple decryption routine and runs it, then does the same with the worm executable and exits after executing it:
To get the decrypted malware sample, we set a breakpoint after the decryption routine and save the buffer that holds the malware with the right extension, which gives us a working sample:
Or, using Python, we can decrypt the resource files after saving them:
Eternity Worm Stage 2:
Geo-fencing:
The Eternity Worm starts by enumerating the languages on the machine; if it finds a Ukrainian language installed, it prints the message “Glory to Ukraine” and exits, otherwise it continues execution:
Anti-Repeating:
This feature is not a core functionality of the malware; it is added based on the buyer’s choice. The malware checks whether the “--debug” string is present in the command line arguments, and if not, it creates a named object/Mutex with the name “nwwqwdpozq”. Failing to create the Mutex causes the process to exit, otherwise execution continues:
File Fetching & C2 communication:
Downloaded files:
- “hxxp[://]soapbeginshops[.]com/kingz[.]exe”
- “hxxp[://]soapbeginshops[.]com/ItsMe[.]zip”
- “hxxp[://]lightnogu5owjjllyo4tj2sfos6fchnmcidlgo6c7e6fz2hgryhfhoyd[.]onion[.]pet/shared/telegram[.]exe”
We can also capture the requests with Wireshark and FakeNet:
Spreading Techniques:
1 - Telegram spamming:
- Download the fake “telegram.exe” and start the executable with the argument “Hahahahaha, you seen this??”. The argument could be used like this: “Hahahahaha, you seen this??[PAYLOAD_URL]”.
2 - Infect Files:
- Enumerate the directories (Desktop - Pictures - Documents) and get the list of files in them.
- For each file, check its extension by hash; if it matches any of the following extensions, the file will be infected:
(png - exe - txt - zip - xlsx - bat - mp3 - mp4 - py - pyw - docx - jar - pdf - pptx)
- Create a loader executable in the Temp directory which contains:
— A stub that decrypts and executes the resource files.
— The encrypted code of the original file.
— The encrypted code of “kingz.exe” and the decryption key for it.
- Change the icon of the file to mimic the original file icon.
- Copy the original file’s (Created, Modified, Accessed) timestamps to the fake file.
- Copy the fake file to the original file’s location, and spoof the extension using the RTLO (Right-to-Left Override) technique. This makes the file appear to have the original extension while it actually uses the “scr” extension, a screen saver format that will execute the code.
- The result is an executable similar to the stage 1 loader, which executes the original file and the “kingz.exe” executable.
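As an added defensive example (not code from the article or from the Eternity Project), a Python scan that detects the RTLO extension spoof described above: it reverses the displayed name the way a file browser would, reports the real extension and checks whether the body starts with a PE header. The directory layout and file names are constructed for the demo.

```python
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

RTLO = "\u202e"   # Right-to-Left Override: text after it is displayed reversed
PE_MAGIC = b"MZ"  # DOS header magic of a Windows executable (.exe/.scr)


def displayed_name(name: str) -> str:
    """Render a filename the way a naive file browser shows it."""
    if RTLO not in name:
        return name
    head, tail = name.split(RTLO, 1)
    return head + tail[::-1]


def check_spoofed(path: Path) -> Optional[Dict]:
    """Flag a file whose name hides its real extension with RTLO and note
    whether its body is a PE, since the dropper is an executable whatever
    extension it pretends to have."""
    if RTLO not in path.name:
        return None
    with open(path, "rb") as fh:
        is_pe = fh.read(2) == PE_MAGIC
    return {
        "path": str(path),
        "shown_as": displayed_name(path.name),
        "real_ext": path.suffix.lower(),
        "is_pe": is_pe,
    }


def scan_dir(root: Path) -> List[Dict]:
    """Walk root recursively and collect RTLO findings."""
    findings = []
    for p in root.rglob("*"):
        if p.is_file():
            finding = check_spoofed(p)
            if finding:
                findings.append(finding)
    return findings


def demo() -> List[Dict]:
    """Constructed sample tree: one benign PDF and one RTLO-spoofed .scr stub."""
    d = Path(tempfile.mkdtemp())
    (d / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample")
    # A desktop renders this name as "holidayrcs.png" although it ends in .scr
    spoof = d / ("holiday" + RTLO + "gnp.scr")
    spoof.write_bytes(PE_MAGIC + b"\x00" * 62)  # constructed stand-in, not a real PE
    return scan_dir(d)
```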
3 - Infect Drives Files:
- Infect removable drives only, infecting their files the same way mentioned previously.
4 - Infect Python interpreter:
- Infect the Python OS module by adding base64-encoded code at the beginning or the end of the file, which will download the “kingz.exe” file.
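As an added example (not code from the article), a Python integrity check for the os.py infection described above: it inspects the first and last few non-blank lines of a module for long base64 runs and decodes them. The tampered module below is constructed with a harmless payload; the exact form the worm writes into os.py is assumed.

```python
import base64
import binascii
import re
from typing import Dict, List

# A long run of base64 alphabet characters; stdlib source never contains these
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decoded_b64_runs(line: str) -> List[str]:
    """Return the decoded text of every base64 run in line that decodes cleanly to ASCII."""
    found = []
    for m in B64_RUN.finditer(line):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw and all(32 <= b < 127 or b in b"\r\n\t" for b in raw):
            found.append(raw.decode("ascii"))
    return found


def check_module_edges(source: str, window: int = 3) -> List[Dict]:
    """Look at the first and last `window` non-blank lines of a module for base64 blobs.
    The worm adds its code at the beginning or the end of os.py, so those edges are
    where an integrity check should look first."""
    lines = [l for l in source.splitlines() if l.strip()]
    n = len(lines)
    edge_idx = sorted(set(range(min(window, n))) | set(range(max(0, n - window), n)))
    findings = []
    for i in edge_idx:
        for payload in decoded_b64_runs(lines[i]):
            where = "head" if i < window else "tail"
            findings.append({"where": where, "line": i, "decoded": payload})
    return findings


# Constructed stand-in for a tampered Lib/os.py (harmless payload; the layout is assumed)
PAYLOAD = base64.b64encode(b'print("constructed marker, dropper would go here")').decode()
SAMPLE_OS_PY = (
    "# constructed stand-in for Lib/os.py\n"
    "import sys\n"
    "import abc\n"
    "\n"
    "def getenv(key, default=None):\n"
    "    return environ.get(key, default)\n"
    f"exec(__import__('base64').b64decode('{PAYLOAD}'))\n"
)

if __name__ == "__main__":
    for finding in check_module_edges(SAMPLE_OS_PY):
        print(finding)
```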
5 - Infect Cloud Directories:
- Get files from the directories (Dropbox - OneDrive) and infect them the same way mentioned previously.
6 - Discord spamming:
- Retrieve the username with a GET request to “hxxps[://]discord[.]com/api/users/@me”, which returns a JSON document; the value of the “username” field and the value of the “discriminator” field are read from it. The channels are retrieved with a request to “hxxps[://]discord[.]com/api/users/@me/channels”. The worm then iterates over the list of channel IDs and, for each one, makes a POST request to “hxxps[://]discord[.]com/api/v9/channels/{0}/messages” using the ID, with the message content “Hahahahaha, you seen this??[PAYLOAD_URL]”.
Features:
- Geo-Fencing.
- Anti-Repeating.
- Obfuscation.
- Anti-VM.
- Anti-TaskManager.
- Anti-Debugging.
- Set Critical Process.
- Elevate Privileges.
- Self Destruct.
- Extension spoofing.
- Icon spoofing.
- Discord spamming.
- Telegram spamming.
- Python Interpreter Infection.
- User directories infection.
- Cloud directories infection.
- Removable drives infection.