
title: Investigating Nullbulge - a BeamNG mods malware Group
date: 2024-06-05
draft: true

Over the last few days, I started investigating a piece of malware that got downloaded with BeamNG[^1] mods. It was originally discovered by Eric Parker, who describes both its discovery and its major features in his video.

First Sample

The sample originally uncovered by Eric Parker is a modified version of the PySilo[^2] malware that has been compiled using PyInstaller and Python 3.10, making it fairly difficult to reverse engineer. However, I was still able to analyze it using both static and dynamic analysis tooling.

General static analysis

First, I used a couple of general tools for static file analysis, namely Capa[^3], Detect-It-Easy[^4] and yara[^5]. All of them gave certain insights into the file and informed how to proceed.

Detect-It-Easy is essentially a more powerful equivalent of the Unix file command that gives you additional information about a file. In this case, it gave me the following information:

PE64
    Linker: Microsoft Linker(14.36.33135)
    Compiler: Microsoft Visual C/C++(19.36.33135)[C]
    Tool: Visual Studio(2022 version 17.6)
    Packer: PyInstaller

This tells us the file is a 64-bit PE (Portable Executable) packed with PyInstaller[^6], meaning it was compiled and packed from Python for 64-bit Windows. In this case, we can likely ignore the linker, compiler and tool information, as PyInstaller likely just uses those under the hood.
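The PyInstaller verdict above rests on a well-known marker: PyInstaller appends its archive to a bootloader stub and terminates it with a cookie that begins with a fixed magic. The following script is an added example, not part of the original post; it locates that cookie and reads the bundled Python version out of it, run against a constructed sample rather than the real mod file, and assumes the 88-byte cookie layout used by PyInstaller 2.1 and later.

```python
"""Locate a PyInstaller archive cookie in a PE and report the bundled Python version."""
import struct
from typing import Optional

# Magic that opens the PyInstaller CArchive cookie (bootloader/src/pyi_archive.c).
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Cookie layout: magic, archive length, TOC offset, TOC length, Python version, pylib name.
COOKIE_FMT = "!8sIIii64s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)  # 88 bytes


def find_pyinstaller_cookie(data: bytes) -> Optional[dict]:
    """Return the cookie fields if `data` carries a PyInstaller archive, else None.

    The bootloader searches backwards from the end of the file, so we do the same:
    the last match is the real cookie even if the stub's own code contains the magic.
    """
    pos = data.rfind(PYI_MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT, data, pos)
    # Newer PyInstaller builds store e.g. 310 for Python 3.10; older ones used e.g. 37.
    major, minor = (pyver // 100, pyver % 100) if pyver >= 100 else (pyver // 10, pyver % 10)
    return {
        "archive_start": pos + COOKIE_LEN - pkg_len,  # archive length includes the cookie
        "toc_offset": toc_off,                         # relative to archive_start
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "pylib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_sample() -> bytes:
    """Constructed input: a fake bootloader stub (which also contains the magic, as the
    real one does) followed by a minimal archive ending in a Python 3.10 cookie."""
    stub = b"MZ" + b"\x00" * 62 + PYI_MAGIC + b"\x00" * 10
    payload = b"\x01" * 100   # stands in for the packed .pyc/.pyz entries
    toc = b"\x02" * 32        # stands in for the table of contents
    body = payload + toc
    cookie = struct.pack(COOKIE_FMT, PYI_MAGIC, len(body) + COOKIE_LEN,
                         len(payload), len(toc), 310, b"python310.dll")
    return stub + body + cookie


if __name__ == "__main__":
    print(find_pyinstaller_cookie(build_sample()))
```

On a real sample you would read the whole executable into `data`; a result of None is a strong hint that the file is not PyInstaller-packed despite a matching string elsewhere.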

Capa is much more verbose, but has nicely formatted output. It analyzes the calls the program makes to the OS and other common API locations to make informed guesses about the program's likely capabilities and uses:

┍━━━━━━━━━━━━━━━━━━━━━━━━┯━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┑
│ ATT&CK Tactic          │ ATT&CK Technique                                                                   │
┝━━━━━━━━━━━━━━━━━━━━━━━━┿━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┥
│ DEFENSE EVASION        │ Obfuscated Files or Information T1027                                              │
│                        │ Virtualization/Sandbox Evasion::System Checks T1497.001                            │
├────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ DISCOVERY              │ File and Directory Discovery T1083                                                 │
│                        │ System Information Discovery T1082                                                 │
├────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ EXECUTION              │ Command and Scripting Interpreter T1059                                            │
│                        │ Shared Modules T1129                                                               │
┕━━━━━━━━━━━━━━━━━━━━━━━━┷━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┙

┍━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┯━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┑
│ MBC Objective               │ MBC Behavior                                                                  │
┝━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┿━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┥
│ ANTI-BEHAVIORAL ANALYSIS    │ Virtual Machine Detection [B0009]                                             │
├─────────────────────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ DATA                        │ Checksum::Adler [C0032.005]                                                   │
│                             │ Compress Data [C0024]                                                         │
│                             │ Compression Library [C0060]                                                   │
│                             │ Encode Data::XOR [C0026.002]                                                  │
├─────────────────────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ DEFENSE EVASION             │ Obfuscated Files or Information::Encoding-Standard Algorithm [E1027.m02]      │
├─────────────────────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ DISCOVERY                   │ Analysis Tool Discovery::Process detection [B0013.001]                        │
│                             │ File and Directory Discovery [E1083]                                          │
│                             │ System Information Discovery [E1082]                                          │
├─────────────────────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ EXECUTION                   │ Command and Scripting Interpreter [E1059]                                     │
├─────────────────────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ FILE SYSTEM                 │ Create Directory [C0046]                                                      │
│                             │ Delete Directory [C0048]                                                      │
│                             │ Delete File [C0047]                                                           │
│                             │ Read File [C0051]                                                             │
│                             │ Writes File [C0052]                                                           │
├─────────────────────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ OPERATING SYSTEM            │ Environment Variable::Set Variable [C0034.001]                                │
├─────────────────────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ PROCESS                     │ Create Process [C0017]                                                        │
│                             │ Terminate Process [C0018]                                                     │
┕━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┷━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┙

┍━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┯━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┑
│ Capability                                           │ Namespace                                            │
┝━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┿━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┥
│ reference analysis tools strings                     │ anti-analysis                                        │
│ reference anti-VM strings targeting Qemu             │ anti-analysis/anti-vm/vm-detection                   │
│ reference anti-VM strings targeting Xen              │ anti-analysis/anti-vm/vm-detection                   │
│ compute adler32 checksum                             │ data-manipulation/checksum/adler32                   │
│ compress data via ZLIB inflate or deflate            │ data-manipulation/compression                        │
│ encode data using XOR (6 matches)                    │ data-manipulation/encoding/xor                       │
│ accept command line arguments                        │ host-interaction/cli                                 │
│ query environment variable (4 matches)               │ host-interaction/environment-variable                │
│ set environment variable (4 matches)                 │ host-interaction/environment-variable                │
│ get common file path                                 │ host-interaction/file-system                         │
│ create directory (2 matches)                         │ host-interaction/file-system/create                  │
│ delete directory                                     │ host-interaction/file-system/delete                  │
│ delete file                                          │ host-interaction/file-system/delete                  │
│ enumerate files on Windows                           │ host-interaction/file-system/files/list              │
│ get file size                                        │ host-interaction/file-system/meta                    │
│ read file on Windows (10 matches)                    │ host-interaction/file-system/read                    │
│ write file on Windows (2 matches)                    │ host-interaction/file-system/write                   │
│ get disk information (2 matches)                     │ host-interaction/hardware/storage                    │
│ create process on Windows                            │ host-interaction/process/create                      │
│ terminate process                                    │ host-interaction/process/terminate                   │
│ link many functions at runtime (2 matches)           │ linking/runtime-linking                              │
│ linked against ZLIB                                  │ linking/static/zlib                                  │
│ parse PE header (3 matches)                          │ load-code/pe                                         │
│ resolve function by parsing PE exports               │ load-code/pe                                         │
┕━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┷━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┙

If we weren't sure already, this would certainly greatly increase the likelihood of this software being malicious. No normal software needs to evade sandboxing and virtualization. We will later see that these features are implemented in a very simple way and are not really relevant for most sandboxing platforms.

Finally, for good measure, I ran it through yara:

DebuggerException__SetConsoleCtrl
anti_dbg
screenshot
win_token
win_files_operation
Big_Numbers1 
CRC32_poly_Constant 
CRC32_table 
MachO_File_pyinstaller 
IsPE64 
IsWindowsGUI 
IsPacked 
HasOverlay 
HasDigitalSignature 
HasDebugData 
HasRichSignature 
Microsoft_Visual_Cpp_80 
Microsoft_Visual_Cpp_80_DLL 

Yara can be a bit noisy, but in this case it also shows us that the application has some anti-debug operations, the ability to take screenshots and some features indicative of encryption.

Dynamic analysis

Dynamic analysis essentially just means watching the malware do its thing and analyzing that. For this I usually use my own installation of CAPE sandbox, but hosted services like tria.ge and Intezer are also available.