The Evolution of BackSwap

The BackSwap banker has been in the spotlight recently due to its unique and innovative techniques to steal money from victims while staying under the radar and remaining undetected. This malware was previously spotted targeting banks in Poland but has since moved entirely to focus on banks in Spain. The techniques used by it were thoroughly described by our fellow researchers at the Polish CERT and Michal Poslusny from ESET, who revealed and coined the malware’s name earlier this year. However after witnessing ongoing improvements to its malicious techniques we decided to share this information to the wider research community.

In the following research paper, we will focus on the evolution of BackSwap, its uniqueness, successes, and even failures. We will try to give an overview of the malware’s different versions and campaigns, while outlining its techniques, some of which were proven inefficient and dropped soon after their release by the developers. We will also share a detailed table of IOC and a Python3 script used to extract relevant information from BackSwap’s samples.

This research was done and published by me on Check Point Research Blog

Read on Check Point Research blog

Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 2

Prologue

Previously, in the first part of this article, we used Cutter, a GUI for radare2, to statically analyze APT33’s Dropshot malware. We also used radare2’s Python scripting capabilities in order to decrypt encrypted strings in Dropshot. If you didn’t read the first part yet, I suggest you do it now.

Today’s article will be shorter, now that we are familiar with cutter and r2pipe, we can quickly analyze another interesting component of Dropshot — an encrypted resource that includes Dropshot’s actual payload. So without further ado, let’s start.

Downloading and installing Cutter

Cutter is available for all platforms (Linux, OS X, Windows). You can download the latest release here. If you are using Linux, the fastest way to use Cutter is to use the AppImage file.

If you want to use the newest version available, with new features and bug fixes, you should build Cutter from source by yourself. It isn’t a complicated task and it is the version I use.

First, you must clone the repository:

git clone --recurse-submodules https://github.com/radareorg/cutter
cd cutter

Building on Linux:

./build.sh

Building on Windows:

prepare_r2.bat
build.bat

If any of those do not work, check the more detailed instruction page here

Dropshot \ StoneDrill

As in the last part, we’ll analyze Dropshot, which is also known by the name StoneDrill. It is a wiper malware associated with the APT33 group which targeted mostly organizations in Saudi Arabia. Dropshot is a sophisticated malware sample, that employed advanced anti-emulation techniques and has a lot of interesting functionalities. The malware is most likely related to the infamous Shamoon malware. Dropshot was analyzed thoroughly by Kaspersky and later on by FireEye. In this article, we’ll focus on decrypting the encrypted resource of Dropshot which contains the actual payload of the malware.

The Dropshot sample can be downloaded from here (password: infected). I suggest you star (★) the repository to get updates on more radare2 tutorials 🙂

Please, be careful when using this sample. It is a real malware, and more than that, a wiper! Use with caution!

Since we’ll analyze Dropshot statically, you can use a Linux machine, as I did.

Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 1

Prologue

As a reverse engineer and malware researcher, the tools I use are super important for me. I have invested hours and hours in creating the best malware analysis environment for myself and chose the best tools for me and my needs. For the last two years, radare2 is my go-to tool for a lot of reverse-engineering tasks such as automating RE related work, scripting, CTFing, exploitation and more. That said, I almost never used radare2 for malware analysis, or more accurately, for analysis of malware for Windows. The main reason was that radare2 command-line interface felt too clumsy, complicated and an over-kill. IDA Pro was simply better for these tasks, a quick inspection of functions, data structures, renaming, commenting, et cetera. It felt more intuitive for me and that what I was searching for while doing malware analysis. And then came Cutter.

Cutter

Along the years, the radare2 community had tried to develop many different graphic-interfaces for radare2. None of them came even close to Cutter. Cutter is a QT C++ based GUI for radare2. In my opinion, it is the GUI that radare2 deserves. To quote from Cutter’s Github page:

Cutter is not aimed at existing radare2 users. It instead focuses on those whose are not yet radare2 users because of the learning curve, because they don’t like CLI applications or because of the difficulty…

Cutter is a young project, only one-year-old, and it is the official GUI of radare2 (the first and only GUI to be announced “official”). Cutter is a cross-platform GUI that aims to export radare2’s plenty of functionality into a user-friendly and modern GUI. In this post, I’ll show you some of Cutter’s features and how I work with it. To be honest, Cutter is intuitive so you probably won’t need me to show you around, but just in case.

Downloading and installing Cutter

Cutter is available for all platforms (Linux, OS X, Windows). You can download the latest release here. If you are using Linux, the fastest way to use Cutter is to use the AppImage file.

If you want to use the newest version available, with new features and bug fixes, you should build Cutter from source by yourself. It isn’t a complicated task and it is the version I use.

First, you must clone the repository:

git clone --recurse-submodules https://github.com/radareorg/cutter
cd cutter

Building on Linux:

./build.sh

Building on Windows:

prepare_r2.bat
build.bat

If any of those do not work, check the more detailed instruction page here.

Dropshot \ StoneDrill

Dropshot, also known as StoneDrill, is a wiper malware associated with the APT33 group which targeted mostly organizations in Saudi Arabia. Dropshot is a sophisticated malware sample, that employed advanced anti-emulation techniques and has a lot of interesting functionalities. The malware is most likely related to the infamous Shamoon malware. Dropshot was analyzed thoroughly by Kaspersky and later on by FireEye. In this article, we’ll focus on analyzing how Dropshot decrypted the strings inside it in order to evade analysis. In part 2 of this article, which will be published soon, we’ll focus on decrypting the encrypted resource of Dropshot which contains the actual payload of the malware.

The Dropshot sample can be downloaded from here (password: infected). I suggest you star (★) the repository to get updates on more radare2 tutorials 🙂

Please, be careful when using this sample. It is a real malware, and more than that, a wiper! Use with caution!

Since we’ll analyze Dropshot statically, you can use a Linux machine, as I did.

Fantastic Malware and Where to Find Them

We, as malware analysts, are always in need of new samples to analyze in order to learn, train or develop new techniques and defenses. One of the most common questions I get is “Where to find malware to analyze?” so I’m sharing here my private collection of repositories, databases and lists which I use on a daily basis. Some of them are updated frequently and some of them are not. The short description under each link wasn’t written by me, it was written by the owners of the repositories.

If you want to add another resource to the list please inform me in the comments.

Please, be careful when using these sites. Almost all of them contain malicious files. Use with caution!

General Samples

theZoo
theZoo is a project created to make the possibility of malware analysis open and available to the public.

contagio
Contagio is a collection of the latest malware samples, threats, observations, and analyses.

Hybrid Analysis
Free malware analysis service powered by Payload Security. Using this service you can submit files for in-depth static and dynamic analysis. You can also download samples from analysis submitted by others.

AVCaesar
AVCaesar is a malware analysis engine and repository, developed by malware.lu

Das Malwerk
DAS MALWERK collects executable malware from all kinds of shady places on the internet

KernelMode.info
An active community devoted to malware analysis and kernel development

MalShare
The MalShare Project is a collaborative effort to create a community-driven public malware repository that works to build additional tools to benefit the security community at large.

Megabeets collection of repositories contain malicious samples, domains and more #Malware #Megabeets https://t.co/G5SAWNYzyM

— Itay Cohen (@Megabeets_Blog) October 12, 2016

VirusBay
VirusBay is a web-based, collaboration platform where researchers can put their hands on malicious samples uploaded by colleagues and SOC professionals.

Virusign
Virusign downloads malware and sort files in order of relevance, for researchers to download samples and analyze them to create new signatures.

malware.one
A binary substring searchable malware catalog containing terabytes of malicious code. (Samples are not downloadable)

VirusShare
A repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of malicious code.

Malwarebytes Research Center
Forums to post new threats and URLs

Mobile Malware (Google Group)
A mailing list for researching mobile malware. This group allows material related to new mobile malware samples, analysis, new techniques, questions pertaining to the field, and other related material.

SARVAM
Search And RetrieVAl of Malware contains a database with tons of malicious samples.

Malekal
Malekal’s collection of malware

Malc0de
An updated database of domains hosting malicious executables.

VX Vault
S!Ri.URZ Collection of malware and URLs

Scumware
Providing access to a database which contains data such as: URL, MD5, IP, TLD, etc

Sucuri Malware Labs
Latest findings that Sucuri Labs seeing in the “wild”

abuse.ch
abuse.ch is running a couple of projects helping internet service providers and network operators protecting their infrastructure from malware. It includes several malware trackers.

Cybercrime Tracker
Lists the C&C panels of certain in-the-wild botnets.

Android Samples

Koodous
Koodous is a collaborative platform that combines the power of online analysis tools with social interactions between the analysts over a vast APKs repository.

AndroMalShare
AndroMalShare is a project to share Android malware samples

Android-Malware (Github)
Collection of Android malware samples collected from several sources/mailing lists

OSX Samples

Objective-See Mac Malware
Objective-See was created to provide simple, yet effective OS X security tools. Always free of charge. This repository contains malware samples for MAC.

Manwe MAC Malware Samples
Regularly updated fresh MAC malware feed

Linux Samples

Linux Sandbox
Linux Sandbox is a Cuckoo-based sandboxing system specifically crafted and tuned for Linux malware samples analysis.

Detux – The Linux Sandbox
Multiplatform Linux Sandbox. The samples are available to download.

Not working anymore or under maintenance:

OpenMalware
Open Malware Project by Danny Quis

Malwr
Malwr is a free malware analysis service and community launched in January 2011. You can submit files to it and receive the results of a complete dynamic analysis back. You can also download samples from analysis submitted by others.

MalwareBlacklist
Repository of Malware URLs and Samples

Again, please be careful when using these sites. Almost all of them contain malicious files. Use with caution!