Deobfuscating APT32 Flow Graphs with Cutter and Radare2

Standard

The Ocean Lotus group, also known as APT32, is a threat actor which has been known to target East Asian countries such as Vietnam, Laos and the Philippines. The group strongly focuses on Vietnam, especially private sector companies that are investing in a wide variety of industrial sectors in the country. While private sector companies are the group’s main targets, APT32 has also been known to target foreign governments, dissidents, activists, and journalists.

APT32’s toolset is wide and varied. It contains both advanced and simple components; it is a mixture of handcrafted tools and commercial or open-source ones, such as Mimikatz and Cobalt Strike. It runs the gamut from droppers, shellcode snippets, through decoy documents and backdoors. Many of these tools are highly obfuscated and seasoned, augmented with different techniques to make them harder to reverse-engineer.

In this article, we get up and close with one of these obfuscation techniques. This specific technique was used in a backdoor of Ocean Lotus’ tool collection. We’ll describe the technique and the difficulty it presents to analysts — and then show how bypassing this kind of technique is a matter of writing a simple script, as long as you know what you are doing.

5 Ways to patch binaries with Cutter

Standard

I recently watched a video by LiveOverflow in which he showed how different tools are used to patch binaries. By demonstrating some of the features that Radare2, Ghidra, and Binary Ninja offer for the task, the viewer can get some sense of the things they can get from using these tools.

While all these tools are great, and although Radare2 was showed there (and oh boy, things went wrong), there was one tool, which is dear to my heart, that wasn’t there – Cutter.  Notwithstanding that it is the youngest member of the pack, Cutter is growing up very fast and when it has to do with binary patching – it does not stay behind.

“Binary Patching”, for those the term is unfamiliar, is the process of applying small changes and modifications to a binary file, usually in order to change its behavior. By modifying data or code, the user can change certain values in the program or specific instructions, and adjust the binary to their desired outcome.

5 Ways to patch binaries with Cutter - banner

Wanna skip the boring parts? Jump straight to the methods:

Method 1: Reverse the jump
Method 2: Straight from the decompiler
Method 3: NOP’ing your way
Method 4: Disassemble the instruction
Method 5: Assemble the bytes
Bonus: Using radare2 console from within Cutter

Cutter

Cutter is a free and open-source reverse engineering framework powered by radare2. It offers a wide range of features for reverse-engineers where the most important of them are disassmebler, a grpah, a decompiler (based on Ghidra’s decompiler), and a hex-editor and from recently – a debugger.

To download the latest release of Cutter, ahead to the official website. If you want to build Cutter from the source to enjoy the latest improvement and features, and you are up for a ride – check out the Building page on the documentation.

Please note that this article will be quite straight forward and will not cover different features of Cutter.

Getting to know our target

For this article, we will use the same binary that was used on LiveOverflow’s video – license_1.c.

Click here to download the binary for Linux.

The source code can be found here and is also pasted below to make it easy for us.

#include <string.h>
#include <stdio.h>
int main(int argc, char *argv[]) {
        if(argc==2) {
		printf("Checking License: %s\n", argv[1]);
		if(strcmp(argv[1], "AAAA-Z10N-42-OK")==0) {
			printf("Access Granted!\n");
		} else {
			printf("WRONG!\n");
		}
	} else {
		printf("Usage: <key>\n");
	}
	return 0;
}

The program is rather simple. It receives a license-key from the user and then compares it to a hardcoded key “AAAA-Z10N-42-OK”. If the keys match, it will print “Access Granted!”. Otherwise, it will print “WRONG!”

$ license_1 test_key
Checking License: test_key
WRONG!

Out goal is to patch the program in a way that we will receive the Success message upon entering a wrong key.

Before we start – because we are going to modify the binary, I prefer to make a backup of the original file.

$ cp license_1 license_1.backup

Let’s open Cutter and select the license_1 binary from our computer. On the next dialog, make sure to select “Load in write mode (-w)”. You can leave the other settings as-is and press Ok.

Go to the main function by choosing it from the Functions list on the side or by typing “main” on the navigation-box at the top of the interface. The `main()` function is very small and contains all the logic of the program.

The function `main()` only has 6 blocks which makes it very easy for us to find the place we want to patch. And indeed, we see the block with strcmp comparison and we want to patch the conditional jump in a way that it will continue to the success message. By modifying `jne 0x400617` (jump not equal) to `je` (jump equal) we will get the success message as long as we do not give the right key. Muhahah.

 


Method 1: Reverse the jump

The easiest and probably the most intuitive way is to right-click the `jne` instruction and choose “Edit -> Reverse jump”.

Cutter is smart and can detect for us the inversed instruction for the condition. In this case, from `jne` to `je` and vice versa.

Now we can testthat our changes indeed work, with the same input we tried before. The changes we do are automatically apllied to the binary so we can simply test it.

$ license_1 test_key
Checking License: test_key
Access Granted!

Yes! Patching is easy. Let’s see other ways to do the same.

 


Method 2: Straight from the decompiler

If you downloaded the official release version, your Cutter should come with an integrated Ghidra decompiler via its native implementation called r2ghidra-dec. If you build Cutter by yourself, you will need to build r2ghidra-dec as well. Just follow the instructions in the link.

Open the decompiler window from “Windows -> Decompiler” and seek to the `main` function. Now click on the line where it says if (iVar1 == 0) { and again go to “Edit > Reverse jump.

This shows the great power of using the decompiler in Cutter.

 


Method 3: NOP’ing your way

This is yet another easy way to skip the check and go straight to the success message. Simply right-click on the condition in the disassembly view, and then select “Edit -> Nop Instruction”.

Before:

0x00400602 call sym.imp.strcmp ; int strcmp(const char *s1, const char *s2)
0x00400607 test eax, eax
0x00400609 jne 0x400617
0x0040060b mov edi, str.Access_Granted

After:

0x00400602 call sym.imp.strcmp ; int strcmp(const char *s1, const char *s2)
0x00400607 test eax, eax
0x00400609 nop
0x0040060a nop
0x0040060b mov edi, str.Access_Granted

 


Method 4: Disassemble the instruction

In this method, we will change the instructions itself from `jne` to je. Again, right-click on the condition and this time choose “Edit -> Instruction”. Then simply change the text from `jne 0x400617` to `je 0x400617`. Cutter will automatically fetch a preview of the bytes that are constructing the instruction. Press Ok.


Method 5: Assemble the bytes

If you are tired of assembly and want to go back to the old days of bytes-patching and modify the bytes themselves – you can! Simply go to “Edit -> Bytes” and change from `750c` to `740c` (from `jne` to je). Cutter will show you a preview of the instruction to make sure you are not making some mess.

 


Bonus: Using radare2 console from within Cutter

If you are familiar with radare2, you will likely be happy to know that Cutter is coming with an integrated radare2 console. Open it from “Windows -> Console” and start typing your favorite r2 commands. And that’s right, you can simply patch the bytes from the command-line using the `w` commands such as wx, wa and so on. To know more, check w?for help.

 

Epilogue

In this article, we learned a little bit more about this great tool called Cutter. We faced a problem that reverse-engineers are often faced, and solved it using 5 different methods. There are more methods to patch bytes (for example using the hex-editor in cutter) but these 5 should be enough of a start. Unlike most of my articles, this is a short post and a very straight forward one.  Hopefully, you learned something new. Cheers!

 

Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 2

Standard

 Prologue

Previously, in the first part of this article, we used Cutter, a GUI for radare2, to statically analyze APT33’s Dropshot malware. We also used radare2’s Python scripting capabilities in order to decrypt encrypted strings in Dropshot. If you didn’t read the first part yet, I suggest you do it now.

Today’s article will be shorter, now that we are familiar with cutter and r2pipe, we can quickly analyze another interesting component of Dropshot — an encrypted resource that includes Dropshot’s actual payload. So without further ado, let’s start.

Downloading and installing Cutter

Cutter is available for all platforms (Linux, OS X, Windows). You can download the latest release here. If you are using Linux, the fastest way to use Cutter is to use the AppImage file.

If you want to use the newest version available, with new features and bug fixes, you should build Cutter from source by yourself. It isn’t a complicated task and it is the version I use.

First, you must clone the repository:

git clone --recurse-submodules https://github.com/radareorg/cutter
cd cutter

Building on Linux:

./build.sh

Building on Windows:

prepare_r2.bat
build.bat

If any of those do not work, check the more detailed instruction page here

Dropshot \ StoneDrill

As in the last part, we’ll analyze Dropshot, which is also known by the name StoneDrill. It is a wiper malware associated with the APT33 group which targeted mostly organizations in Saudi Arabia. Dropshot is a sophisticated malware sample, that employed advanced anti-emulation techniques and has a lot of interesting functionalities. The malware is most likely related to the infamous Shamoon malware. Dropshot was analyzed thoroughly by Kaspersky and later on by FireEye. In this article, we’ll focus on decrypting the encrypted resource of Dropshot which contains the actual payload of the malware.

The Dropshot sample can be downloaded from here (password: infected). I suggest you star () the repository to get updates on more radare2 tutorials 🙂

Please, be careful when using this sample. It is a real malware, and more than that, a wiper! Use with caution!

Since we’ll analyze Dropshot statically, you can use a Linux machine, as I did.

Continue reading

Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 1

Standard

Prologue

As a reverse engineer and malware researcher, the tools I use are super important for me. I have invested hours and hours in creating the best malware analysis environment for myself and chose the best tools for me and my needs. For the last two years, radare2 is my go-to tool for a lot of reverse-engineering tasks such as automating RE related work, scripting, CTFing, exploitation and more. That said, I almost never used radare2 for malware analysis, or more accurately, for analysis of malware for Windows. The main reason was that radare2 command-line interface felt too clumsy, complicated and an over-kill. IDA Pro was simply better for these tasks, a quick inspection of functions, data structures, renaming, commenting, et cetera. It felt more intuitive for me and that what I was searching for while doing malware analysis. And then came Cutter.

 

Cutter

Along the years, the radare2 community had tried to develop many different graphic-interfaces for radare2. None of them came even close to Cutter. Cutter is a QT C++ based GUI for radare2. In my opinion, it is the GUI that radare2 deserves. To quote from Cutter’s Github page:

Cutter is not aimed at existing radare2 users. It instead focuses on those whose are not yet radare2 users because of the learning curve, because they don’t like CLI applications or because of the difficulty…

Cutter is a young project, only one-year-old, and it is the official GUI of radare2 (the first and only GUI to be announced “official”). Cutter is a cross-platform GUI that aims to export radare2’s plenty of functionality into a user-friendly and modern GUI. In this post, I’ll show you some of Cutter’s features and how I work with it. To be honest, Cutter is intuitive so you probably won’t need me to show you around, but just in case.

Downloading and installing Cutter

Cutter is available for all platforms (Linux, OS X, Windows). You can download the latest release here. If you are using Linux, the fastest way to use Cutter is to use the AppImage file.

If you want to use the newest version available, with new features and bug fixes, you should build Cutter from source by yourself. It isn’t a complicated task and it is the version I use.

First, you must clone the repository:

git clone --recurse-submodules https://github.com/radareorg/cutter
cd cutter

Building on Linux:

./build.sh

Building on Windows:

prepare_r2.bat
build.bat

If any of those do not work, check the more detailed instruction page here.

Dropshot \ StoneDrill

Dropshot, also known as StoneDrill, is a wiper malware associated with the APT33 group which targeted mostly organizations in Saudi Arabia. Dropshot is a sophisticated malware sample, that employed advanced anti-emulation techniques and has a lot of interesting functionalities. The malware is most likely related to the infamous Shamoon malware. Dropshot was analyzed thoroughly by Kaspersky and later on by FireEye. In this article, we’ll focus on analyzing how Dropshot decrypted the strings inside it in order to evade analysis. In part 2 of this article, which will be published soon, we’ll focus on decrypting the encrypted resource of Dropshot which contains the actual payload of the malware.

The Dropshot sample can be downloaded from here (password: infected). I suggest you star () the repository to get updates on more radare2 tutorials 🙂

Please, be careful when using this sample. It is a real malware, and more than that, a wiper! Use with caution!

Since we’ll analyze Dropshot statically, you can use a Linux machine, as I did.

Continue reading

Reversing a Self-Modifying Binary with radare2

Standard

Prologue

It took me three months to finish writing this article. I had so many tasks on my to-do list that sadly this one was pushed down to the bottom of the list. Last weekend I made a promise to myself that until Sunday I’m going to finish writing it, I successfully kept my word and here it is, another radare2 tutorial.

Today we’ll solve a very nice challenge, “packedup”, written by ad3l for r2con 2017 competition. It is not the first writeup that I publish from r2con competition, you can check out “Reverse engineering a Gameboy ROM with radare2” as well, make sure not to miss the cool swags I got from winning the competition.

This article is aimed to those of you who are familiar with radare2. If you are not, I suggest you to start from part 1 of my series “A Journey Into Radare2”.

So, without further ado, let’s dig into the binary.

 

Getting radare2

Installation

Radare2’s development is pretty quick – the project evolves every day, therefore it’s recommended to use the current git version over the stable one. Sometimes the stable version is less stable than the current git version!

$ git clone https://github.com/radare/radare2.git
$ cd radare2
$ ./sys/install.sh

If you don’t want to install the git version or you want the binaries for another machine (Windows, OS X, iOS, etc.) check out the download page at the radare2 website.

Updating

As I said before, it is highly recommended to always use the newest version of r2 from the git repository. All you need to do to update your r2 version from the git is to execute:

$ ./sys/install.sh

And you’ll have the latest version from git. I usually update my version of radare2 in the morning with a scheduled task, so I can wake up to the latest version available. If you’re using radare2 often, I recommend you do the same.

packedup

You can download packedup from here. I suggest you to star () the repository to get updates about more radare2 tutorials 🙂

First thing to do, obviously, is to execute the binary and get a basic feeling of what we are going to face.

$ ./packedup 
Welcome to packedup for r2crackmes :)
Flag << MEGABEETS     
Try again!

packedup is executed, it requests us to give it a flag. It then probably does some calculations at the backend to see if the inputted flag is the right one. I entered “MEGABEETS” which is likely not the correct flag and finished with the fail message — “Try again!”.

Reversing time!

Now for our favorite part, let’s open the binary with radare2 and try to figure out how packedup is checking the submitted flag:

$ r2 ./packedup
— Here be dragons.
[0x004004d0]>
aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze len bytes of instructions for references (aar)
[x] Analyze function calls (aac)
[*] Use -AA or aaaa to perform additional experimental analysis.
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)

Analysis

I usually begin with executing aa (analyze all) or with aas (to analyze functions, symbols and more). The name is misleading because there is a lot more to analyze (check aa?) but it’s enough to start with for most of the binaries I examined. This time we’ll start straight with aaa to make things simpler and due to the binary’s small size. You can also run radare2 with the -A flag to analyze the binary straight at startup using aaa (e.g r2 -A ./packedup).

Note: as I mentioned in the previous posts, starting with aaa is not always the recommended approach since analysis is very complicated process. I wrote more about it in this answer — read it to better understand why.

Getting Information

So now that we opened our binary with radare2, we have been located automatically at the program’s entrypoint. But before we start working on the code itself It’s a good approach to get to know our binary characteristics. radare2 can show us the information we need using the i command (I removed some information for the sake of readability):

[0x004004d0]> i
...
file ./packedup
format elf64
iorw false
mode -r-x
size 0x1878
humansz 6.1K
type EXEC (Executable file)
arch x86
...
bintype elf
bits 64
...
endian little
...
intrp /lib64/ld-linux-x86-64.so.2
lang c
...
machine AMD x86-64 architecture
stripped true
...

The i command used for getting info about the opened file. It’s a wrapper around rabin2 which is an information extractor tool in the radare2 framework. radare2 offers us tons amount of information about the binary. Check out i? to list the information’s subcommands.

packedup is a 64-bit stripped ELF binary. Cool. Let’s move on.

Continue reading