Monday, September 25, 2017

Learning about malware persistence through the lens of “Parite” Malware

In this series of posts I'm continuing through the Open Security Training materials, with this set of posts focused on the Malware Analysis class.

You may find reviewing the material from Open Security Training more beneficial. However, if you do choose to stick with this, I hope you find it helpful.

In this, the final post in the series, we look at persistence through the lens of the Parite malware.

In the previous blog posts we saw the malware delete itself and then either create new processes or become a process loaded by "svchost.exe". In the case of Parite, the malware deletes itself like the others; however, unlike the others, it does not create a new process.

While reviewing this in Process Hacker, I noticed that "malware.exe" gets loaded and is immediately deleted. The image below shows the process being deleted.

Since we are unable to track the process creation above, we need to verify through other methods what the malware is doing. Fortunately we also have Autoruns.exe, which lets us compare the autorun entries, along with a snapshot of the registry taken with RegShot.

Conducting the first set of analysis via Autoruns, we see that a startup registry value "fmsiocps c:\windows\fmsiocps.exe" has been added to "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run". Additionally, we see that the registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs" now has the value "fmsiocps.dll c:\windows\system32\fmsiocps.dll".

Looking at the Regshot output, we see that the key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tqat.exe" was added. This corresponds to:

From the above we see that the "tqat.exe" executable will be launched under the debugger.

We also see additional keys from Regshot as shown below:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fmsiocps: "C:\WINDOWS\fmsiocps.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tqat.exe\Debugger: "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs: "fmsiocps.dll"

The final line shows the value "fmsiocps.dll" now associated with "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs".

The AppInit_DLLs registry entry will be used to load "fmsiocps.dll" into every user mode process. Now isn't that some serious power to have?
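As an added example (not code from the original post or from Open Security Training), here is a small Python script that parses Regshot-style "Values added" lines like the three listed above and flags the persistence points this post walks through: a Run key entry, an Image File Execution Options Debugger value, and AppInit_DLLs. The sample report is constructed from the page's own values plus one unrelated value that must not be flagged.

```python
import re

# Constructed Regshot-style "Values added" lines: the first three are the
# values listed above, the fourth is an unrelated value that must not be flagged.
SAMPLE_REGSHOT = r"""Values added: 3
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fmsiocps: "C:\WINDOWS\fmsiocps.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tqat.exe\Debugger: "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs: "fmsiocps.dll"
HKCU\Software\Example\Unrelated\Setting: "1"
"""

# The three persistence locations this post demonstrates, matched on the
# value's full registry path (case-insensitive).
PERSISTENCE_RULES = [
    ("run_key", re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)),
    ("ifeo_debugger", re.compile(r"\\Image File Execution Options\\([^\\]+)\\Debugger$", re.I)),
    ("appinit_dlls", re.compile(r"\\CurrentVersion\\Windows\\AppInit_DLLs$", re.I)),
]
VALUE_LINE = re.compile(r'^(?P<path>HK[A-Z_]+\\.+?): "(?P<data>.*)"$')

def parse_regshot_values(text):
    """Yield (registry_path, data) for each 'PATH: "DATA"' line; headers are skipped."""
    for line in text.splitlines():
        m = VALUE_LINE.match(line.strip())
        if m:
            yield m.group("path"), m.group("data")

def classify(path, data):
    """Return (mechanism, detail) when the value is a known persistence point, else None."""
    for name, pattern in PERSISTENCE_RULES:
        m = pattern.search(path)
        if not m:
            continue
        if name == "ifeo_debugger":
            # Starting the target executable runs the Debugger command instead.
            return name, {"target": m.group(1), "debugger": data}
        if name == "appinit_dlls":
            # Every DLL listed here is loaded into each process that loads user32.dll.
            return name, {"dlls": [d for d in re.split(r"[ ,]+", data) if d]}
        return name, {"command": data}
    return None

def find_persistence(text):
    """Scan a Regshot report and return the flagged entries with their mechanism."""
    hits = []
    for path, data in parse_regshot_values(text):
        result = classify(path, data)
        if result:
            hits.append({"mechanism": result[0], "path": path, **result[1]})
    return hits
```

Running `find_persistence` over a real Regshot comparison gives a quick triage list; the same three locations are also what Autoruns surfaces in its Logon and AppInit tabs.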

Running a search in Process Hacker for "fmsiocps.dll" shows that this DLL has been loaded into 6 applications, including "FireFox.exe", "explorer.exe" and even "ProcessHacker.exe", along with 3 others.

At this point there is no need to go further, as the objective was to demonstrate persistence. By leveraging "AppInit_DLLs", malicious software has the opportunity to be truly persistent.

Microsoft - Working with the AppInit_DLLs registry value