[Malware Analysis #5] — Eternity Project — Eternity Worm

0xM3H51N, published in InfoSec Write-ups, Nov 20, 2022 (6 min read)


In this article we continue the analysis of the Eternity Project, this time looking at the Eternity Worm, so let’s start…

Artifacts:

Eternity Worm Stage 1:

856ef7f611f594731015621e730d9713ae59824f3280703bd3c7de5ba8884767

Eternity Worm Stage 2:

Static Analysis:

Eternity Worm Stage 1:

This sample of the Eternity Worm uses an image icon to deceive naïve users, especially when file extensions are hidden. The trick is effective because, as we will see further in the analysis, running the supposed image (the malware) displays an image loaded from its resources to hide its execution:

Extension trick

Throwing the sample into “Detect It Easy” we find that it is an obfuscated .NET sample, as the “.text” section shows:

Detect it easy

Unpacking The Malware:

Running the sample in “dnSpy” we can see that it is heavily obfuscated and very similar to the “Eternity Stealer” malware, so I used “de4dot” to deobfuscate and clean the sample:

Obfuscated main method
de4dot command used to deobfuscate the sample
main method after deobfuscating

From the cleaned version shown above, we can see that the loader reads its resources: it starts by loading the encrypted image and its key, decrypts it with a simple decryption routine and runs it. It then does the same with the worm executable and exits after executing it:

Loader resources
Hex-editor view of the decryption process of the image

To get the decrypted malware sample, we set a breakpoint after the decryption routine and save the buffer that holds the malware with the right extension; this gives us a working sample:

Saving the buffer after decryption
Hex-editor view of the decryption process of the worm

Alternatively, we can decrypt the resource files with Python after saving them:

Python script to decrypt resource files
Exit after executing the Worm

Eternity Worm Stage 2:

Geo-fencing:

The Eternity Worm starts by enumerating the languages installed on the machine; if it finds a Ukrainian language, it prints the message “Glory to Ukraine” and exits, otherwise it continues execution:

Geo-fencing method

Anti-Repeating:

This feature is not core functionality of the malware; it is added based on the buyer’s choice. The malware checks whether the “--debug” string is present in the command line arguments, and if it is not, it creates a named object (Mutex) with the name “nwwqwdpozq”. Failing to create the Mutex causes the process to exit, otherwise execution continues:

Anti-Repeating method

File Fetching & C2 communication:

Downloaded files:

  • hxxp[://]soapbeginshops[.]com/kingz[.]exe
  • hxxp[://]soapbeginshops[.]com/ItsMe[.]zip
  • hxxp[://]lightnogu5owjjllyo4tj2sfos6fchnmcidlgo6c7e6fz2hgryhfhoyd[.]onion[.]pet/shared/telegram[.]exe

We can also capture the requests with Wireshark and FakeNet:

Get request of “kingz.exe”
Downloading “ItsMe.zip”
Downloading “telegram.exe”
Get request of “ItsMe.zip”
Get request of “telegram.exe”

Spreading Techniques:

1 - Telegram spamming:

  • Download the fake “telegram.exe” and start the executable with the argument “Hahahahaha, you seen this??”. The argument can be used like this: “Hahahahaha, you seen this??[PAYLOAD_URL]”.
Telegram spamming method

2 - Infect Files:

  • Enumerate the directories (Desktop - Pictures - Documents) and get the list of files in them.
Files infecting method
  • For each file, check its extension by hash; if it matches any of the following extensions, the file will be infected:

(png - exe - txt - zip - xlsx - bat - mp3 - mp4 - py - pyw - docx - jar - pdf - pptx)

Extension comparison
  • Create a loader executable in the Temp directory which contains:

— Stub that decrypts and executes the resource files.

— Encrypted code of the original file.

— Encrypted code of “kingz.exe” and decryption key for it.

  • Change the icon of the file to mimic the original file’s icon.
  • Copy the original file’s (Created, Modified, Accessed) timestamps to the fake file.
  • Copy the fake file into the original file’s location and spoof the extension using the RTLO (Right-to-Left Override) technique. This makes the file appear with the original file extension while it actually uses the “scr” extension, a screen saver that will execute the code.
  • The result is an executable similar to the stage 1 loader, which executes the original file and the “kingz.exe” executable.
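The RTLO trick above can be spotted on disk from the filename alone. The following checker is an added example (not the author's code or the worm's): it shows what a user sees versus what Windows actually executes, and walks a tree for such names. The sample filenames are constructed.

```python
"""Added example: detect filenames that use the RTLO (U+202E) extension-spoofing
trick and report the rendered extension versus the real one. Sample names are
constructed; the worm's own filenames are not reproduced here."""
import os
import sys

RLO = "\u202e"
# Extensions Windows treats as executable; the worm uses .scr (screen saver)
EXEC_EXTS = {".scr", ".exe", ".com", ".bat", ".cmd", ".pif"}


def analyze_name(name):
    """Return real extension, rendered name/extension and whether it executes."""
    real_ext = os.path.splitext(name)[1].lower()
    if RLO not in name:
        return {"name": name, "rlo": False, "real_ext": real_ext,
                "displayed": name, "displayed_ext": real_ext,
                "executable": real_ext in EXEC_EXTS}
    i = name.index(RLO)
    # Everything after the override is rendered right-to-left, so the
    # user sees the remainder of the name reversed (e.g. "gnp.scr" -> "rcs.png").
    displayed = name[:i] + name[i + 1:][::-1]
    displayed_ext = os.path.splitext(displayed)[1].lower()
    return {"name": name, "rlo": True, "real_ext": real_ext,
            "displayed": displayed, "displayed_ext": displayed_ext,
            "executable": real_ext in EXEC_EXTS}


def scan_dir(root):
    """Walk a directory tree and analyze every filename containing an RLO."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if RLO in f:
                r = analyze_name(f)
                r["path"] = os.path.join(dirpath, f)
                hits.append(r)
    return hits


if __name__ == "__main__":
    # Constructed samples: a spoofed name shaped like the worm's, and a benign one
    for n in ["holiday" + RLO + "gnp.scr", "report.docx"]:
        print(analyze_name(n))
    if len(sys.argv) > 1:
        for hit in scan_dir(sys.argv[1]):
            print("RLO name:", repr(hit["path"]), "executes as", hit["real_ext"])
```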

3 - Infect Drives Files:

  • Infect removable drives only, infecting their files the same way mentioned previously.
Drives infecting method

4 - Infect Python interpreter:

  • Infect the Python OS module by adding base64 code at the beginning or the end of the file, which downloads the “kingz.exe” file.
Python infecting interpreter
Base64 code at the end of the “os.py”
Decoded base64
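Because the injected code sits at the head or tail of os.py as a base64 blob, a host check can look for exactly that. The following scanner is an added example (not the author's script): it decodes long base64 runs found in the first and last lines of a module and reports them for review. The infected module and its payload below are constructed stand-ins, not the worm's real downloader.

```python
"""Added example: scan a Python module (the interpreter's os.py by default) for a
base64 blob injected at its head or tail and decode it for review. The infected
sample is constructed; the worm's real payload is not reproduced."""
import base64
import os
import re

# A run of base64 characters far longer than anything a normal source line holds
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _decode_text(token):
    """Decode a base64 token; return the text only if it is readable, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def find_injected_base64(source, window=5):
    """Return decoded base64 payloads found in the first/last `window` lines."""
    lines = source.splitlines()
    n = len(lines)
    # Head and tail indices, without double-counting lines of a short file
    idx = list(range(min(window, n))) + list(range(max(n - window, window), n))
    hits = []
    for i in idx:
        for m in B64_TOKEN.finditer(lines[i]):
            decoded = _decode_text(m.group(0))
            if decoded is not None:
                hits.append({"line": i + 1, "decoded": decoded})
    return hits


def check_module(path=None):
    """Scan the running interpreter's os.py (or another file) for injected code."""
    path = path or os.__file__
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_injected_base64(fh.read())


# Constructed sample: a harmless stand-in for the downloader the worm appends
PAYLOAD = "print('stand-in: would fetch kingz.exe from [PAYLOAD_URL]')"
CLEAN_MODULE = "\n".join(["import sys", "", "def f():", "    return sys.platform", ""])
INFECTED_MODULE = CLEAN_MODULE + "exec(__import__('base64').b64decode('%s'))\n" % (
    base64.b64encode(PAYLOAD.encode()).decode())

if __name__ == "__main__":
    print("constructed sample:", find_injected_base64(INFECTED_MODULE))
    print("this interpreter's os.py:", check_module() or "no injected base64 found")
```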

5 - Infect Cloud Directories:

  • Get files from the (Dropbox - OneDrive) directories and infect them the same way mentioned previously.
Cloud infecting method

6 - Create Discord spam:

Retrieve the username with a GET request to “hxxps[://]discord[.]com/api/users/@me”, which returns JSON; the values of the “username” and “discriminator” fields are read from it. The channels are retrieved with a request to “hxxps[://]discord[.]com/api/users/@me/channels”. It then iterates over the list of channel IDs and, for each one, makes a POST request to “hxxps[://]discord[.]com/api/v9/channels/{0}/messages”, using the ID and the message content “Hahahahaha, you seen this??[PAYLOAD_URL]”.

Channels enumerate method
Sending malicious message method

Features:

  • Geo-Fencing.
  • Anti-Repeating.
  • Obfuscation.
  • Anti-VM.
  • Anti-TaskManager.
  • Anti-Debugging.
  • Set Critical Process.
  • Elevate Privileges.
  • Self Destruct.
  • Extension spoofing.
  • Icon spoofing.
  • Discord spamming.
  • Telegram spamming.
  • Python Interpreter Infection.
  • User directories infection.
  • Cloud directories infection.
  • Removable drives infection.

Yara Rule:
