Reading Between the Lines of Code: Ziraat_Stealer
Hello Everybody! Today I will be conducting an analysis of a .NET information stealer.
MD5 hash: DC4200AC514006F084EAD7F83B84C928
Virus Total Link: https://www.virustotal.com/gui/file/a850de0705c0f6095910aa1d5ed0e73a49581aa7427fcfaf2ff5144e93b047c1/community
Analysis
The sample disguises itself as a data recovery tool so that the user has no reason to be suspicious of it. It is a 32-bit .NET binary, which means its managed code is stored as Intermediate Language (IL) and can be decompiled back into readable C# with a tool built for that purpose, dnSpy being a prime example.
Closer examination of the binary turned up several interesting strings and imports. These are particularly useful because the binary is built on the .NET framework, where type and method names survive compilation unless the author obfuscates them. To dig into this initial data, the next step is to load the file into dnSpy.
dnSpy is a tool for inspecting, decompiling and debugging .NET binaries, and is well suited to an executable like the one in question. Loading the binary into dnSpy gives insight into its code structure, dependencies and other details that reveal the true nature and intent of the binary.
The entry point is the "GonnyCam.Main" function. Here we see several functions being started on separate threads; their names indicate that they establish persistence, start a keylogger, recover passwords and so on.
Examining the Main function, it is evident that the threat actor has crafted a bespoke Remote Access Trojan (RAT) in which the desired functionality can be selectively enabled within the executable. Of the numerous functions available, only the following have been enabled:
GetCurrentWindow: gets the title of the window the user is currently working in.
RecordKeys: keylogger function that logs keystrokes.
ClipboardLogging: captures the contents of the clipboard.
PasswordRecover: recovers passwords from multiple sources such as email clients, download managers, social media applications and browsers.
Reviewing the functions mentioned above, we noticed that the majority of them call a function named "fandS".
In fandS we see a comparison against the value "R_list". That value is obtained by calling a function named ReadMail(). Reviewing the call, we see that it loads a resource.
ReadMail contains an obfuscated function call, so I deobfuscated the binary with de4dot; after deobfuscation the decoded function appears under the name "GClass0".
Going through ReadMail, it calls a function named "RSMDecrypt", passing a byte array recovered from the resource section of the binary.
On review this is AES decryption: the bytes are loaded from the resource section and decrypted. By setting a breakpoint at the return of the function, we can dump the decrypted binary from memory.
During debugging we can see that the return value begins with the bytes 4D 5A ("MZ"), which indicates that the decrypted bytes are a Windows PE file.
Downloading the newly decrypted binary, we find that it is an email password recovery tool made by NirSoft. The threat actor built the RAT around an existing tool.
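Checking for 4D 5A by eye is fine for one buffer, but a dump taken at a breakpoint often carries leading junk, and "MZ" on its own is a weak signal. The script below, an added example that is not part of the original write-up or the sample's code, walks a dumped buffer for every "MZ", follows e_lfanew to confirm a "PE\0\0" signature, and reports machine type, section count and whether the image carries a CLR header (the .NET data directory). The sample input is a constructed minimal PE32 header preceded by a decoy "MZ", not bytes from the analysed binary.

```python
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64"}
IMAGE_FILE_DLL = 0x2000
COM_DESCRIPTOR_INDEX = 14  # data directory slot holding the CLR (.NET) header


def parse_pe_header(blob, offset=0):
    """Validate a PE image starting at blob[offset] and return a summary dict, or None."""
    if blob[offset:offset + 2] != IMAGE_DOS_SIGNATURE or len(blob) < offset + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", blob, offset + 0x3C)[0]
    nt = offset + e_lfanew
    # Sanity bound: a DOS stub larger than 4 KiB is not a real header, just a stray "MZ".
    if e_lfanew > 0x1000 or blob[nt:nt + 4] != IMAGE_NT_SIGNATURE or len(blob) < nt + 24:
        return None
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature.
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, nt + 4)
    opt = nt + 24
    if opt_size < 2 or len(blob) < opt + opt_size:
        return None
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at optional header offset 96
        dd_start = 96
    elif magic == 0x20B:      # PE32+: data directories start at offset 112
        dd_start = 112
    else:
        return None
    clr_rva = clr_size = 0
    clr_off = dd_start + COM_DESCRIPTOR_INDEX * 8
    if opt_size >= clr_off + 8:
        clr_rva, clr_size = struct.unpack_from("<II", blob, opt + clr_off)
    return {
        "offset": offset,
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": timestamp,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "is_dotnet": clr_rva != 0 and clr_size != 0,
    }


def carve_pe_files(blob):
    """Scan a memory dump for every 'MZ' that is followed by a consistent PE header."""
    found = []
    pos = blob.find(IMAGE_DOS_SIGNATURE)
    while pos != -1:
        info = parse_pe_header(blob, pos)
        if info:
            found.append(info)
        pos = blob.find(IMAGE_DOS_SIGNATURE, pos + 1)
    return found


def build_sample_dump():
    """Constructed test input (not from the sample): junk, a decoy 'MZ', then a minimal PE32 header with a CLR directory."""
    dos = bytearray(0x40)
    dos[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x80)               # e_lfanew
    dos_stub = bytes(dos) + b"\x00" * (0x80 - 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0x65A0F000, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 72)  # CLR header RVA and size
    image = dos_stub + IMAGE_NT_SIGNATURE + file_hdr + bytes(opt)
    return b"\x11\x22MZ\x00\x00" + image + b"\x00" * 16


if __name__ == "__main__":
    for pe in carve_pe_files(build_sample_dump()):
        print(pe)
```

Run it against the raw bytes dumped at the RSMDecrypt breakpoint: the decoy "MZ" at offset 2 is rejected because its e_lfanew does not lead to a PE signature, while the real header is reported with its offset, so the image can be cut out at exactly that position before being written to disk for further analysis.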
Now, going back to the obfuscated function to which this decrypted binary is passed.
During the review we see certain values being passed to several highlighted functions. Based on the parameters passed, I suspected these to be Windows API calls. Reviewing further revealed that the function names are encrypted and only decrypted at run time, to bypass static detection.
Later, I wrote a simple Python script to replicate the decrypt function and passed it the function values. Below is the list of decrypted Windows API names.
Command and Control
Reviewing the core functionalities above, we notice a function named "SendLog" which is used to send data to the command and control server.
This function takes an argument "Link", to which a variable named P_Link is passed, as highlighted below. The C2 domain here is "ziraat-helpdesk[.]com".
The data is sent over a POST request; separate POST requests are defined for clipboard contents, passwords, keystrokes and so on.
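The practical use of that indicator is to sweep proxy or web logs for hosts that have talked to it. The script below is an added example, not part of the original write-up, that refangs the published domain, matches it and its subdomains (but not look-alikes such as notziraat-helpdesk.com), and totals the bytes each client sent over POST as a rough measure of exfiltrated volume. The log layout and the sample lines are constructed for the example; in particular the URI paths are placeholders, since the write-up does not give the paths the stealer posts to.

```python
import re
from collections import defaultdict

# Indicator from the write-up, kept in the defanged form it was published in.
C2_INDICATORS = ["ziraat-helpdesk[.]com"]

# Hypothetical proxy log layout used for the constructed sample below:
# "<timestamp> <client_ip> <method> <url> <status> <bytes_out>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/\S*)?$")


def refang(indicator):
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower().rstrip(".")


def host_matches(host, domain):
    """True for the domain itself and any subdomain, false for look-alikes such as 'notexample.com'."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def find_c2_contacts(log_lines, indicators=C2_INDICATORS):
    """Return every parsable request whose host is (a subdomain of) a C2 indicator."""
    domains = [refang(i) for i in indicators]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real pipeline would count these rather than drop them silently
        u = URL_RE.match(m["url"])
        if not u:
            continue
        if any(host_matches(u["host"], d) for d in domains):
            hits.append({
                "ts": m["ts"],
                "client": m["client"],
                "method": m["method"],
                "host": u["host"],
                "path": u["path"] or "/",
                "bytes": int(m["bytes"]),
            })
    return hits


def summarize_exfil(hits):
    """Bytes sent per client over POST requests to the C2, a rough measure of exfiltrated volume."""
    totals = defaultdict(int)
    for h in hits:
        if h["method"] == "POST":
            totals[h["client"]] += h["bytes"]
    return dict(totals)


# Constructed sample log; the URI paths are placeholders, not paths observed in the sample.
SAMPLE_LOG = [
    "2024-01-15T09:12:01Z 10.0.0.25 GET http://www.example.com/ 200 512",
    "2024-01-15T09:12:07Z 10.0.0.25 POST http://ziraat-helpdesk.com/placeholder 200 1834",
    "2024-01-15T09:12:09Z 10.0.0.25 POST https://api.ziraat-helpdesk.com/placeholder 200 92",
    "2024-01-15T09:13:00Z 10.0.0.31 GET http://ziraat-helpdesk.com/ 404 0",
    "2024-01-15T09:13:05Z 10.0.0.40 POST http://notziraat-helpdesk.com/x 200 50",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    contacts = find_c2_contacts(SAMPLE_LOG)
    for c in contacts:
        print(c)
    print(summarize_exfil(contacts))
```

GET requests to the domain are reported as well, because a host that merely resolved and fetched the C2 is still worth triage, but only POSTs count towards the exfiltration total, matching how this stealer ships its logs.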
Conclusion
The analysis revealed that the .NET malware functions as a keylogger and is engineered to steal passwords from a variety of email applications and browsers, including Outlook, Netscape, Thunderbird, Eudora, Firefox, Chrome, Internet Explorer, Opera and Safari. It is best characterised as a specialised Remote Access Trojan (RAT) built to extract sensitive information from infected systems.