Original release date: February 8, 2021

Malware Analysis Report

10320115.r1.v1

2021-02-05

Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This report provides detailed analysis of malicious artifacts associated with a sophisticated supply chain compromise of Solar Winds Orion network management software, identified by the security company FireEye as TEARDROP.

TEARDROP is a loader designed to decrypt and execute an embedded payload on the target system. The payload has been identified as the Cobalt Strike Beacon Implant (Version 4) and provides a remote operator command and control capabilities over a victim system through an encrypted network tunnel. The capabilities include the ability to rapidly exfiltrate data, log keystrokes, take screenshots, and deploy additional payloads.

For a downloadable copy of IOCs, see: MAR-10320115-1.v1.stix.

Submitted Files (2)

1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c (1817a5bf9c01035bcf8a975c9f1d94…)

b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07 (b820e8a2057112d0ed73bd7995201d…)

Domains (2)

ervsystem.com

infinitysoftwares.com

Findings

1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c

Tags

backdoordroppertrojan

Details

Name
1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c

Size
321024 bytes

Type
PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows

MD5
35abfb98dac5bf48f7ac0e67afc9bdb7

SHA1
9185029c2630b220a74620c8f3d04886a457e1cf

SHA256
1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c

SHA512
93f1336e3bc7ac01561f0ad7ce5fec7ae078e55db0f5b0cf0663cb5dbbe2acb08f27490da179e27579debc04843bf02f047456c516bf0345ba827e0efe85149a

ssdeep
6144:NQGxkGwaxIOkqNQI7LI8L/pOXlZg2gv+rtcOHNManxm2wf:NtxpgyNQIo8LePWOHWgTa

Entropy
7.922861

Antivirus

BitDefender
Generic.Teardrop.1.244AC43A

Clamav
Win.Dropper.Teardrop-9808996-3

Emsisoft
Generic.Teardrop.1.244AC43A (B)

Lavasoft
Generic.Teardrop.1.244AC43A

Microsoft Security Essentials
Trojan:Win64/Cobaltstrike.RN!dha

Symantec
Backdoor.Teardrop

YARA Rules

rule CISA_10320115_01 : TEARDROP trojan backdoor
{
   meta:
       Author = “CISA Code & Media Analysis”
       Incident = “10320115”
       Date = “2020-12-31”
       Last_Modified = “20201231_1800”
       Actor = “n/a”
       Category = “Trojan Backdoor”
       Family = “TEARDROP”
       Description = “Detects variants of TEARDROP malware”
       MD5_1 = “f612bce839d855bbff98214a197489f7”
       SHA256_1 = “dc20f4e50784533d7d10925e4b056f589cc73c139e97f40c0b7969728a28125c”
       MD5_2 = “91e47c7bc9a7809e6b1560e34f2d6d7e”
       SHA256_2 = “b37007db21a7f969d2c838f3bbbeb78a7402d66735bb5845ef31df9048cc33f0”
       MD5_3 = “91e47c7bc9a7809e6b1560e34f2d6d7e”
       SHA256_3 = “1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c”    
   strings:
       $s0 = { 65 23 FB 7F 20 AA EB 0C B8 16 F6 BC 2F 4D D4 C4 39 97 C7 23 9F 3E 5C DE }
       $s1 = { 5C E6 06 63 FA DE 44 C0 D4 67 95 28 12 47 C5 B5 EF 24 BC E4 }
       $s2 = { 9E 96 BA 1B FB 7F 19 5A 8C 06 AB FA 43 3B F0 83 9E 54 0B 02 }
       $s3 = { C2 7E 93 FC 02 B9 C6 DE 2B AF C6 C2 BE 2C 88 02 B4 1D 03 F5 }
       $s4 = { 48 B8 53 4F 46 54 57 41 52 45 C7 44 24 60 66 74 5C 43 C6 44 24 66 00 48 89 44 24 50 48 B8 5C 4D 69 63 72 6F 73 6F }
       $s5 = { 48 83 F8 FF 48 8D }
       $s6 = { 8B 0A 48 83 C2 04 8D 81 FF FE FE FE F7 D1 21 C8 25 80 80 80 80 }
       $s7 = { 5B 5E 5F 5D 41 5C 41 }
       $s8 = { 4E 00 65 00 74 00 77 00 6F 00 72 00 6B 00 20 00 53 00 65 00 74 00 75 00 70 00 20 00 53 00 65 00 72 00 76 00 69 00 63 00 65 }
       $s9 = { 64 6C 6C 00 4E 65 74 53 65 74 75 70 53 65 72 76 69 63 65 4D 61 69 6E }
       $s10 = { 41 31 C0 45 88 04 0A 48 83 C1 01 45 89 C8 41 39 CB 7F }
   condition:
       ($s0 or $s1 or $s2 or $s3) or ($s4 and $s5 and $s6 and $s7 and $s8 and $s9 and $s10)
}
rule FireEye_20_00025665_01 : TEARDROP APT dropper
{
   meta:
       Author = “FireEye”
       Date = “2020-12-13”
       Last_Modified = “20201213_1916”
       Actor = “n/a”
       Category = “Hacktool”
       Family = “TEARDROP”
       Description = “This rule looks for portions of the TEARDROP backdoor that are vital to how it functions. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory.”
       MD5_1 = “”
       SHA256_1 = “”
   strings:
       $sb1 = { C7 44 24 ?? 80 00 00 00 [0-64] BA 00 00 00 80 [0-32] 48 8D 0D [4-32] FF 15 [4] 48 83 F8 FF [2-64] 41 B8 40 00 00 00 [0-64] FF 15 [4-5] 85 C0 7? ?? 80 3D [4] FF }
       $sb2 = { 80 3D [4] D8 [2-32] 41 B8 04 00 00 00 [0-32] C7 44 24 ?? 4A 46 49 46 [0-32] E8 [4-5] 85 C0 [2-32] C6 05 [4] 6A C6 05 [4] 70 C6 05 [4] 65 C6 05 [4] 67 }
       $sb3 = { BA [4] 48 89 ?? E8 [4] 41 B8 [4] 48 89 ?? 48 89 ?? E8 [4] 85 C0 7? [1-32] 8B 44 24 ?? 48 8B ?? 24 [1-16] 48 01 C8 [0-32] FF D0 }
   condition:
       all of them
}
rule FireEye_20_00025665_02 : TEARDROP APT dropper
{
   meta:
       Author = “FireEye”
       Date = “2020-12-13”
       Last_Modified = “20201213_1916”
       Actor = “n/a”
       Category = “Hacktool”
       Family = “TEARDROP”
       Description = “This rule is intended match specific sequences of opcode found within TEARDROP, including those that decode the embedded payload. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory.”
       MD5_1 = “”
       SHA256_1 = “”
   strings:
       $loc_4218FE24A5 = { 48 89 C8 45 0F B6 4C 0A 30 }
       $loc_4218FE36CA = { 48 C1 E0 04 83 C3 01 48 01 E8 8B 48 28 8B 50 30 44 8B 40 2C 48 01 F1 4C 01 FA }
       $loc_4218FE2747 = { C6 05 ?? ?? ?? ?? 6A C6 05 ?? ?? ?? ?? 70 C6 05 ?? ?? ?? ?? 65 C6 05 ?? ?? ?? ?? 67 }
       $loc_5551D725A0 = { 48 89 C8 45 0F B6 4C 0A 30 48 89 CE 44 89 CF 48 F7 E3 48 C1 EA 05 48 8D 04 92 48 8D 04 42 48 C1 E0 04 48 29 C6 }
       $loc_5551D726F6 = { 53 4F 46 54 57 41 52 45 ?? ?? ?? ?? 66 74 5C 43 ?? ?? ?? ?? 00 }
   condition:
       (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}

ssdeep Matches

No matches found.

PE Metadata

Compile Date
2018-12-09 10:37:58-05:00

Import Hash
0a331624686ac9055694d7ddd9c0815d

Company Name
None

File Description
Network Setup Service

Internal Name
None

Legal Copyright
© Microsoft Corporation. All rights reserved.

Original Filename
NETSETUPSVC.DLL

Product Name
Microsoft® Windows® Operating System

Product Version
10.0.14393.0

PE Sections

MD5
Name
Raw Size
Entropy

d990149684ac611b98b9d389766a7e17
header
1024
2.584189

5fbd9948fd72f083803635022111fd99
.text
23552
6.358535

122bd1d155ed0c51226ea0b38872e13d
.data
286720
7.998098

9d8aead5ec18fa55740a34a7eaa3c2bb
.rdata
1536
3.673323

7b5aab64a2810cf05bd80323f8aa17d4
.pdata
1536
3.660221

8b15f6849b0bf0f60bd81b23988f5ca7
.xdata
1024
2.883941

d41d8cd98f00b204e9800998ecf8427e
.bss
0
0.000000

091c8665b4cd95cc583105c223f156aa
.edata
512
0.967748

c94c470079ed994735caebed176cd925
.idata
2560
4.429320

c806ece4d1aa4e25beb529c6e7dc947d
.CRT
512
0.253231

9f168cc07fa95e573b1f74a2e4614f79
.tls
512
0.331828

5b06dd2d5de3cb635e5e15313a541789
.rsrc
1024
2.933337

99450283e3e0c313f697d0165f585598
.reloc
512
1.239038

Relationships

1817a5bf9c…
Connected_To
ervsystem.com

Description

This file is a malicious 64-bit DLL, identified as a variant of the TEARDROP loader. The malware attempts to read the first 64-bytes of a file named “festive_computer.jpg” (Figure 1). It does not utilize the data it reads from this file and it will continue executing even if this file is not present on the target system.

After attempting to read the file “festive_computer.jpg,” it will decrypt and execute an embedded code buffer using an XOR based stream cipher (Figure 2). Below is the key utilized by the cipher algorithm to decrypt the embedded code buffer:

—Begin Cipher Key—
C27E93FC02B9C6DE2BAFC6C2BE2C8802B41D03F53365B25AEE1A67D0E9525171F5F7149045E5D1F672176CA686C3C7A0D34E5FF1FBCBF6C14C4BEE2867A296DDE199179CB4D4CC93EA4DFB75510AB9F531EDCCA291B74C7FAA9D7156A97F359B6E68D9EA2D77E646654D3533D8A135A1E604FE6A55EE72B4543A7F331B473A9B7D14765D01DF7ACC0370894DE2530F8FDB51066AE70B0D462A15
—End Cipher Key—

The embedded code buffer has been identified as the Cobalt Strike Beacon (version 4) Remote Access Tool (RAT). Displayed below is the embedded Beacon configuration data:

—Begin Cobalt Beacon Configuration Data—
Port                             – 443
SleepTime                 – 7200000
MaxGetSize                – 1399696
Jitter                            – 18
MaxDNS                     – 255
C2Server                     – ervsystem.com/2019/Two-Man-Point-The-Brands/
UserAgent                    – Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; rv:11.0) like Gecko
HttpPostUri                 – /2019/Users-Case-Documentation-And-Yourselt/
Malleable_C2_Instructions        – Remove 38 bytes from the end
                                Remove 1554 bytes from the beginning
                                Base64 decode
HttpGet_Metadata                 – Referer: https://yahoo.com/
                                Host: ervsystem.com
                                Accept: */*
                                Accept-Language: en-US
                                Accept-Encoding: gzip, deflate
                                Connection: close
                                PHPSESSID=
                                Cookie
HttpPost_Metadata                – Referer: https://yahoo.com/
                                Host: ervsystem.com
                                Accept: */*
                                Accept-Language: en-US
                                Connection: close
                                name=”uploaded_1″;filename=”04373.avi”
Content-Type: text/plain

                                p
SpawnTo                         – b’x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00′
PipeName                         –
DNS_Idle                         – 9.9.9.9
DNS_Sleep                        – 0
SSH_Host                         – Not Found
SSH_Port                         – Not Found
SSH_Username                 – Not Found
SSH_Password_Plaintext     – Not Found
SSH_Password_Pubkey         – Not Found
HttpGet_Verb                     – GET
HttpPost_Verb                    – POST
HttpPostChunk                    – 0
Spawnto_x86                     – %windir%syswow64msiexec.exe
Spawnto_x64                     – %windir%sysnativeprint.exe
CryptoScheme                     – 0
Proxy_Config                     – Not Found
Proxy_User                     – Not Found
Proxy_Password                 – Not Found
Proxy_Behavior                 – Use IE settings
Watermark                        – 892810033
bStageCleanup                    – True
bCFGCaution                     – False
KillDate                         – 0
bProcInject_StartRWX             – False
bProcInject_UseRWX             – False
bProcInject_MinAllocSize         – 7281
ProcInject_PrependAppend_x86     – b’x90′
                                Empty
ProcInject_PrependAppend_x64     – b’x90x90x90′
                                Empty
ProcInject_Execute             – ntdll:RtlUserThreadStart
                                CreateThread
                                NtQueueApcThread
                                SetThreadContext
ProcInject_AllocationMethod     – NtMapViewOfSection
bUsesCookies                     – True
HostHeader                     –
—End Cobalt Beacon Configuration Data—

Screenshots

Figure 1 – Screenshot of the code structure that tries to read “festive_computer.jpg” from disk.

Figure 2 – Screenshot of TEARDROP using an algorithm to decrypt the embedded code buffer which contains the Cobalt Strike Beacon remote access tool (RAT).

ervsystem.com

Tags

command-and-control

URLs

ervsystem.com/2019/Two-Man-Point-The-Brands/

Ports

443 TCP

Whois

Domain Name: ERVSYSTEM.COM
Registry Domain ID: 2222911627_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.epik.com
Registrar URL: http://www.epik.com
Updated Date: 2020-09-04T23:23:29Z
Creation Date: 2018-02-04T08:45:05Z
Registrar Registration Expiration Date: 2022-02-04T08:45:05Z
Registrar: Epik, Inc.
Registrar IANA ID: 617
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.4253668810
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Privacy Administrator
Registrant Organization: Anonymize, Inc.
Registrant Street: 704 228th Ave NE
Registrant City: Sammamish
Registrant State/Province: WA
Registrant Postal Code: 98074
Registrant Country: US
Registrant Phone: +1.4253668810
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:
Admin Name: Privacy Administrator
Admin Organization: Anonymize, Inc.
Admin Street: 704 228th Ave NE
Admin City: Sammamish
Admin State/Province: WA
Admin Postal Code: 98074
Admin Country: US
Admin Phone: +1.4253668810
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID:
Tech Name: Privacy Administrator
Tech Organization: Anonymize, Inc.
Tech Street: 704 228th Ave NE
Tech City: Sammamish
Tech State/Province: WA
Tech Postal Code: 98074
Tech Country: US
Tech Phone: +1.4253668810
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: [email protected]
Name Server: NS3.EPIK.COM
Name Server: NS4.EPIK.COM
DNSSEC: signedDelegation
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

Relationships

ervsystem.com
Connected_From
1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c

Description

This domain is the command and control (C2) for the sample “1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c.”

b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07

Tags

backdoortrojan

Details

Name
b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07

Size
530432 bytes

Type
PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows

MD5
bd842c41b4c1b3c2deb475d7a3876599

SHA1
f7e61eb028b399b74c73883a2fccedbe56ecea2e

SHA256
b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07

SHA512
110a10662342b0d5716c3307c51fa8a591bf621049d8d291aa44f8ab864ab075064651750334619292e9362136e328c14dd637033c244d42551ac5b321941aad

ssdeep
12288:NMINVoXxVuxcowWRjZ9dpOLg8UU8YhUhKEcBvg+:2rxIwU19eL4oUAEun

Entropy
7.533146

Antivirus

BitDefender
Trojan.Teardrop.C

ESET
a variant of Generik.NFGRBKQ trojan

Emsisoft
Trojan.Teardrop.C (B)

Lavasoft
Trojan.Teardrop.C

Microsoft Security Essentials
Trojan:Win64/Cobaltstrike.RN!dha

Symantec
Backdoor.Teardrop

YARA Rules

rule FireEye_20_00025665_02 : TEARDROP APT dropper
{
   meta:
       Author = “FireEye”
       Date = “2020-12-13”
       Last_Modified = “20201213_1916”
       Actor = “n/a”
       Category = “Hacktool”
       Family = “TEARDROP”
       Description = “This rule is intended match specific sequences of opcode found within TEARDROP, including those that decode the embedded payload. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory.”
       MD5_1 = “”
       SHA256_1 = “”
   strings:
       $loc_4218FE24A5 = { 48 89 C8 45 0F B6 4C 0A 30 }
       $loc_4218FE36CA = { 48 C1 E0 04 83 C3 01 48 01 E8 8B 48 28 8B 50 30 44 8B 40 2C 48 01 F1 4C 01 FA }
       $loc_4218FE2747 = { C6 05 ?? ?? ?? ?? 6A C6 05 ?? ?? ?? ?? 70 C6 05 ?? ?? ?? ?? 65 C6 05 ?? ?? ?? ?? 67 }
       $loc_5551D725A0 = { 48 89 C8 45 0F B6 4C 0A 30 48 89 CE 44 89 CF 48 F7 E3 48 C1 EA 05 48 8D 04 92 48 8D 04 42 48 C1 E0 04 48 29 C6 }
       $loc_5551D726F6 = { 53 4F 46 54 57 41 52 45 ?? ?? ?? ?? 66 74 5C 43 ?? ?? ?? ?? 00 }
   condition:
       (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}

ssdeep Matches

No matches found.

PE Metadata

Compile Date
2018-03-09 23:23:43-05:00

Import Hash
3417123af2f473f771d46841bfce6d48

Company Name
None

File Description
GetText: library and tools for native language support

Internal Name
None

Legal Copyright
© 2015 Free Software Foundation <www.fsf.org>

Original Filename
libintl3.dll

Product Name
libintl3.dll

Product Version
0.14.4.1952

PE Sections

MD5
Name
Raw Size
Entropy

1ae8ec5795f9a3cad5d54e569634d668
header
1024
2.703747

989e04fb5dc1eb83a3055a3fea30fb7a
.text
209408
6.327319

d2bcd776a8ca1ed76feb8344d0739f1a
.data
286720
7.998501

fdbd0954169972c21876938dbd536da3
.rdata
1536
3.636101

7eddb104f4aad897faffc33762e896cf
.pdata
7680
5.364572

8232395ce211b61e4df169c38afdb7f6
.xdata
3072
1.658757

d41d8cd98f00b204e9800998ecf8427e
.bss
0
0.000000

add3d2ca7de32da5c3a5d2718129d600
.edata
15872
5.809199

8e6af2ae43eb16502507eeb8c7c03aa5
.idata
2560
3.983544

768bf26d947f32101953daeeea4a19b1
.CRT
512
0.238291

60227c557d35a7f2cf79a13c284b1dab
.tls
512
0.335735

2d007e3e5c7f7423ed5c43b129f03f34
.rsrc
1024
2.956911

ddbe94bbe8aeacf9cb120fe816659354
.reloc
512
1.215071

Relationships

b820e8a205…
Connected_To
infinitysoftwares.com

Description

This file is a malicious 64-bit DLL, identified as a variant of the TEARDROP loader. During runtime, the malicious application decodes and executes an embedded code buffer using an XOR based stream cipher. Displayed below is the key utilized by the cipher algorithm to decrypt the embedded code buffer:

—Begin XOR Cipher Key—
AFAFD51031EE936AFC50B611CDC70E7E62A7BAFCA72B43DB0023915BBBBAC016A5331CB28EE6E3DF0804B24004D219EE7ED24C7B41D9669C21A7AECB1B87927C4ED5A25949404DD2218091F00DD9F874B955D1615534FEF8C5200DFDA816FF4A023CF1D2E679AFCA79A5C5BB4C871ABF34CA641E5F1ACC42864CEE8BF5921A4E0DAC1D18C090D15D0CC79A843D9F763B4D323A34B26216F065705A62B47000BED185E7E2A7DE306DB6C94B5D3C2DA5FF8149AB8A7D13C3E0A3DAC5BEC46A9BD0D9
—End XOR Cipher Key—

The embedded code buffer contains the malicious identified as Cobalt Strike Beacon (version 4) RAT. Displayed below is the embedded Beacon configuration data:

—Begin Cobalt Beacon Configuration Data—
BeaconType                     – HTTPS
Port                             – 443
SleepTime                        – 14400000
MaxGetSize                     – 1049217
Jitter                         – 23
MaxDNS                         – 255
C2Server                         – infinitysoftwares.com,/files/information_055.pdf
UserAgent                        – Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.92 Safari/537.36
HttpPostUri                     – /wp-admin/new_file.php
Malleable_C2_Instructions        – Remove 313 bytes from the end
                                Remove 324 bytes from the beginning
                                XOR mask w/ random key
HttpGet_Metadata                 – Referer: https://twitter.com/
                                Host: infinitysoftwares.com
                                Accept: */*
                                Accept-Language: en-US
                                Accept-Encoding: gzip, deflate
                                Connection: close
                                PHPSESSID=
                                Cookie
HttpPost_Metadata                – Host: infinitysoftwares.com
                                Accept: */*
                                Accept-Language: en-US
                                Connection: close
                                name=”uploaded_1″;filename=”33139.pdf”
Content-Type: text/plain

                                r
SpawnTo                         – b’x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00′
PipeName                         –
DNS_Idle                         – 208.67.220.220
DNS_Sleep                        – 0
SSH_Host                         – Not Found
SSH_Port                         – Not Found
SSH_Username                     – Not Found
SSH_Password_Plaintext         – Not Found
SSH_Password_Pubkey             – Not Found
HttpGet_Verb                     – GET
HttpPost_Verb                    – POST
HttpPostChunk                    – 0
Spawnto_x86                     – %windir%syswow64print.exe
Spawnto_x64                     – %windir%sysnativemsiexec.exe
CryptoScheme                     – 0
Proxy_Config                     – Not Found
Proxy_User                     – Not Found
Proxy_Password                 – Not Found
Proxy_Behavior                 – Use IE settings
Watermark                        – 943010104
bStageCleanup                    – True
bCFGCaution                     – False
KillDate                         – 0
bProcInject_StartRWX             – False
bProcInject_UseRWX             – False
bProcInject_MinAllocSize         – 8493
ProcInject_PrependAppend_x86     – b’x90x90′
                                Empty
ProcInject_PrependAppend_x64     – b’x0fx1fx00′
                                Empty
ProcInject_Execute             – ntdll:RtlUserThreadStart
                                CreateThread
                                NtQueueApcThread
                                SetThreadContext
ProcInject_AllocationMethod     – NtMapViewOfSection
bUsesCookies                     – True
HostHeader                     –
—End Cobalt Beacon Configuration Data—

Screenshots

Figure 3 – Screenshot of the XOR based cipher utilized by this TEARDROP variant to decode an embedded Cobalt Strike Beacon payload.

infinitysoftwares.com

Tags

command-and-control

URLs

infinitysoftwares.com/files/information_055.pdf

Ports

443 TCP

Whois

Domain Name: infinitysoftwares.com
Registry Domain ID: 2356151174_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: https://www.namesilo.com/
Updated Date: 2021-01-01T07:00:00Z
Creation Date: 2019-01-28T07:00:00Z
Registrar Registration Expiration Date: 2021-01-28T07:00:00Z
Registrar: NameSilo, LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.4805240066
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: See PrivacyGuardian.org
Registrant Street: 1928 E. Highland Ave. Ste F104 PMB# 255
Registrant City: Phoenix
Registrant State/Province: AZ
Registrant Postal Code: 85016
Registrant Country: US
Registrant Phone: +1.3478717726
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: See PrivacyGuardian.org
Admin Street: 1928 E. Highland Ave. Ste F104 PMB# 255
Admin City: Phoenix
Admin State/Province: AZ
Admin Postal Code: 85016
Admin Country: US
Admin Phone: +1.3478717726
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID:
Tech Name: Domain Administrator
Tech Organization: See PrivacyGuardian.org
Tech Street: 1928 E. Highland Ave. Ste F104 PMB# 255
Tech City: Phoenix
Tech State/Province: AZ
Tech Postal Code: 85016
Tech Country: US
Tech Phone: +1.3478717726
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: [email protected]
Name Server: NS1.DNSOWL.COM
Name Server: NS2.DNSOWL.COM
Name Server: NS3.DNSOWL.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

Relationships

infinitysoftwares.com
Connected_From
b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07

Description

This domain is the C2 for the sample “b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07.”

Relationship Summary

1817a5bf9c…
Connected_To
ervsystem.com

ervsystem.com
Connected_From
1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c

b820e8a205…
Connected_To
infinitysoftwares.com

infinitysoftwares.com
Connected_From
b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

Maintain up-to-date antivirus signatures and engines.
Keep operating system patches up-to-date.
Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
Enforce a strong password policy and implement regular password changes.
Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
Disable unnecessary services on agency workstations and servers.
Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
Scan all software downloaded from the Internet prior to executing.
Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

1-888-282-0870
CISA Service Desk (UNCLASS)
CISA SIPR (SIPRNET)
CISA IC (JWICS)

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.surveymonkey.com/r/G8STDRY

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

Web: https://malware.us-cert.gov
E-Mail: [email protected]
FTP: ftp.malware.us-cert.gov (anonymous)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.

This product is provided subject to this Notification and this Privacy & Use policy.Original release date: February 8, 2021

Malware Analysis Report
10320115.r1.v1
2021-02-05

Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This report provides detailed analysis of malicious artifacts associated with a sophisticated supply chain compromise of Solar Winds Orion network management software, identified by the security company FireEye as TEARDROP.

TEARDROP is a loader designed to decrypt and execute an embedded payload on the target system. The payload has been identified as the Cobalt Strike Beacon Implant (Version 4) and provides a remote operator command and control capabilities over a victim system through an encrypted network tunnel. The capabilities include the ability to rapidly exfiltrate data, log keystrokes, take screenshots, and deploy additional payloads.

For a downloadable copy of IOCs, see: MAR-10320115-1.v1.stix.

Submitted Files (2)

1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c (1817a5bf9c01035bcf8a975c9f1d94…)

b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07 (b820e8a2057112d0ed73bd7995201d…)

Domains (2)

ervsystem.com

infinitysoftwares.com

Findings

1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c

Tags

backdoordroppertrojan

Details
Name 1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c
Size 321024 bytes
Type PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 35abfb98dac5bf48f7ac0e67afc9bdb7
SHA1 9185029c2630b220a74620c8f3d04886a457e1cf
SHA256 1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c
SHA512 93f1336e3bc7ac01561f0ad7ce5fec7ae078e55db0f5b0cf0663cb5dbbe2acb08f27490da179e27579debc04843bf02f047456c516bf0345ba827e0efe85149a
ssdeep 6144:NQGxkGwaxIOkqNQI7LI8L/pOXlZg2gv+rtcOHNManxm2wf:NtxpgyNQIo8LePWOHWgTa
Entropy 7.922861
Antivirus
BitDefender Generic.Teardrop.1.244AC43A
Clamav Win.Dropper.Teardrop-9808996-3
Emsisoft Generic.Teardrop.1.244AC43A (B)
Lavasoft Generic.Teardrop.1.244AC43A
Microsoft Security Essentials Trojan:Win64/Cobaltstrike.RN!dha
Symantec Backdoor.Teardrop
YARA Rules
  • rule CISA_10320115_01 : TEARDROP trojan backdoor
    {
       meta:
           Author = “CISA Code & Media Analysis”
           Incident = “10320115”
           Date = “2020-12-31”
           Last_Modified = “20201231_1800”
           Actor = “n/a”
           Category = “Trojan Backdoor”
           Family = “TEARDROP”
           Description = “Detects variants of TEARDROP malware”
           MD5_1 = “f612bce839d855bbff98214a197489f7”
           SHA256_1 = “dc20f4e50784533d7d10925e4b056f589cc73c139e97f40c0b7969728a28125c”
           MD5_2 = “91e47c7bc9a7809e6b1560e34f2d6d7e”
           SHA256_2 = “b37007db21a7f969d2c838f3bbbeb78a7402d66735bb5845ef31df9048cc33f0”
           MD5_3 = “91e47c7bc9a7809e6b1560e34f2d6d7e”
           SHA256_3 = “1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c”    
       strings:
           $s0 = { 65 23 FB 7F 20 AA EB 0C B8 16 F6 BC 2F 4D D4 C4 39 97 C7 23 9F 3E 5C DE }
           $s1 = { 5C E6 06 63 FA DE 44 C0 D4 67 95 28 12 47 C5 B5 EF 24 BC E4 }
           $s2 = { 9E 96 BA 1B FB 7F 19 5A 8C 06 AB FA 43 3B F0 83 9E 54 0B 02 }
           $s3 = { C2 7E 93 FC 02 B9 C6 DE 2B AF C6 C2 BE 2C 88 02 B4 1D 03 F5 }
           $s4 = { 48 B8 53 4F 46 54 57 41 52 45 C7 44 24 60 66 74 5C 43 C6 44 24 66 00 48 89 44 24 50 48 B8 5C 4D 69 63 72 6F 73 6F }
           $s5 = { 48 83 F8 FF 48 8D }
           $s6 = { 8B 0A 48 83 C2 04 8D 81 FF FE FE FE F7 D1 21 C8 25 80 80 80 80 }
           $s7 = { 5B 5E 5F 5D 41 5C 41 }
           $s8 = { 4E 00 65 00 74 00 77 00 6F 00 72 00 6B 00 20 00 53 00 65 00 74 00 75 00 70 00 20 00 53 00 65 00 72 00 76 00 69 00 63 00 65 }
           $s9 = { 64 6C 6C 00 4E 65 74 53 65 74 75 70 53 65 72 76 69 63 65 4D 61 69 6E }
           $s10 = { 41 31 C0 45 88 04 0A 48 83 C1 01 45 89 C8 41 39 CB 7F }
       condition:
           ($s0 or $s1 or $s2 or $s3) or ($s4 and $s5 and $s6 and $s7 and $s8 and $s9 and $s10)
    }
  • rule FireEye_20_00025665_01 : TEARDROP APT dropper
    {
       meta:
           Author = “FireEye”
           Date = “2020-12-13”
           Last_Modified = “20201213_1916”
           Actor = “n/a”
           Category = “Hacktool”
           Family = “TEARDROP”
           Description = “This rule looks for portions of the TEARDROP backdoor that are vital to how it functions. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory.”
           MD5_1 = “”
           SHA256_1 = “”
       strings:
           $sb1 = { C7 44 24 ?? 80 00 00 00 [0-64] BA 00 00 00 80 [0-32] 48 8D 0D [4-32] FF 15 [4] 48 83 F8 FF [2-64] 41 B8 40 00 00 00 [0-64] FF 15 [4-5] 85 C0 7? ?? 80 3D [4] FF }
           $sb2 = { 80 3D [4] D8 [2-32] 41 B8 04 00 00 00 [0-32] C7 44 24 ?? 4A 46 49 46 [0-32] E8 [4-5] 85 C0 [2-32] C6 05 [4] 6A C6 05 [4] 70 C6 05 [4] 65 C6 05 [4] 67 }
           $sb3 = { BA [4] 48 89 ?? E8 [4] 41 B8 [4] 48 89 ?? 48 89 ?? E8 [4] 85 C0 7? [1-32] 8B 44 24 ?? 48 8B ?? 24 [1-16] 48 01 C8 [0-32] FF D0 }
       condition:
           all of them
    }
  • rule FireEye_20_00025665_02 : TEARDROP APT dropper
    {
       meta:
           Author = “FireEye”
           Date = “2020-12-13”
           Last_Modified = “20201213_1916”
           Actor = “n/a”
           Category = “Hacktool”
           Family = “TEARDROP”
           Description = “This rule is intended match specific sequences of opcode found within TEARDROP, including those that decode the embedded payload. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory.”
           MD5_1 = “”
           SHA256_1 = “”
       strings:
           $loc_4218FE24A5 = { 48 89 C8 45 0F B6 4C 0A 30 }
           $loc_4218FE36CA = { 48 C1 E0 04 83 C3 01 48 01 E8 8B 48 28 8B 50 30 44 8B 40 2C 48 01 F1 4C 01 FA }
           $loc_4218FE2747 = { C6 05 ?? ?? ?? ?? 6A C6 05 ?? ?? ?? ?? 70 C6 05 ?? ?? ?? ?? 65 C6 05 ?? ?? ?? ?? 67 }
           $loc_5551D725A0 = { 48 89 C8 45 0F B6 4C 0A 30 48 89 CE 44 89 CF 48 F7 E3 48 C1 EA 05 48 8D 04 92 48 8D 04 42 48 C1 E0 04 48 29 C6 }
           $loc_5551D726F6 = { 53 4F 46 54 57 41 52 45 ?? ?? ?? ?? 66 74 5C 43 ?? ?? ?? ?? 00 }
       condition:
           (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2018-12-09 10:37:58-05:00
Import Hash 0a331624686ac9055694d7ddd9c0815d
Company Name None
File Description Network Setup Service
Internal Name None
Legal Copyright © Microsoft Corporation. All rights reserved.
Original Filename NETSETUPSVC.DLL
Product Name Microsoft® Windows® Operating System
Product Version 10.0.14393.0
PE Sections
MD5 Name Raw Size Entropy
d990149684ac611b98b9d389766a7e17 header 1024 2.584189
5fbd9948fd72f083803635022111fd99 .text 23552 6.358535
122bd1d155ed0c51226ea0b38872e13d .data 286720 7.998098
9d8aead5ec18fa55740a34a7eaa3c2bb .rdata 1536 3.673323
7b5aab64a2810cf05bd80323f8aa17d4 .pdata 1536 3.660221
8b15f6849b0bf0f60bd81b23988f5ca7 .xdata 1024 2.883941
d41d8cd98f00b204e9800998ecf8427e .bss 0 0.000000
091c8665b4cd95cc583105c223f156aa .edata 512 0.967748
c94c470079ed994735caebed176cd925 .idata 2560 4.429320
c806ece4d1aa4e25beb529c6e7dc947d .CRT 512 0.253231
9f168cc07fa95e573b1f74a2e4614f79 .tls 512 0.331828
5b06dd2d5de3cb635e5e15313a541789 .rsrc 1024 2.933337
99450283e3e0c313f697d0165f585598 .reloc 512 1.239038
Relationships
1817a5bf9c… Connected_To ervsystem.com
Description

This file is a malicious 64-bit DLL, identified as a variant of the TEARDROP loader. The malware attempts to read the first 64-bytes of a file named “festive_computer.jpg” (Figure 1). It does not utilize the data it reads from this file and it will continue executing even if this file is not present on the target system.

After attempting to read the file “festive_computer.jpg,” it will decrypt and execute an embedded code buffer using an XOR based stream cipher (Figure 2). Below is the key utilized by the cipher algorithm to decrypt the embedded code buffer:

—Begin Cipher Key—
C27E93FC02B9C6DE2BAFC6C2BE2C8802B41D03F53365B25AEE1A67D0E9525171F5F7149045E5D1F672176CA686C3C7A0D34E5FF1FBCBF6C14C4BEE2867A296DDE199179CB4D4CC93EA4DFB75510AB9F531EDCCA291B74C7FAA9D7156A97F359B6E68D9EA2D77E646654D3533D8A135A1E604FE6A55EE72B4543A7F331B473A9B7D14765D01DF7ACC0370894DE2530F8FDB51066AE70B0D462A15
—End Cipher Key—

The embedded code buffer has been identified as the Cobalt Strike Beacon (version 4) Remote Access Tool (RAT). Displayed below is the embedded Beacon configuration data:

—Begin Cobalt Beacon Configuration Data—
Port                             – 443
SleepTime                 – 7200000
MaxGetSize                – 1399696
Jitter                            – 18
MaxDNS                     – 255
C2Server                     – ervsystem.com/2019/Two-Man-Point-The-Brands/
UserAgent                    – Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; rv:11.0) like Gecko
HttpPostUri                 – /2019/Users-Case-Documentation-And-Yourselt/
Malleable_C2_Instructions        – Remove 38 bytes from the end
                                Remove 1554 bytes from the beginning
                                Base64 decode
HttpGet_Metadata                 – Referer: https://yahoo.com/
                                Host: ervsystem.com
                                Accept: */*
                                Accept-Language: en-US
                                Accept-Encoding: gzip, deflate
                                Connection: close
                                PHPSESSID=
                                Cookie
HttpPost_Metadata                – Referer: https://yahoo.com/
                                Host: ervsystem.com
                                Accept: */*
                                Accept-Language: en-US
                                Connection: close
                                name=”uploaded_1″;filename=”04373.avi”
Content-Type: text/plain

                                p
SpawnTo                         – b’x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00′
PipeName                         –
DNS_Idle                         – 9.9.9.9
DNS_Sleep                        – 0
SSH_Host                         – Not Found
SSH_Port                         – Not Found
SSH_Username                 – Not Found
SSH_Password_Plaintext     – Not Found
SSH_Password_Pubkey         – Not Found
HttpGet_Verb                     – GET
HttpPost_Verb                    – POST
HttpPostChunk                    – 0
Spawnto_x86                     – %windir%syswow64msiexec.exe
Spawnto_x64                     – %windir%sysnativeprint.exe
CryptoScheme                     – 0
Proxy_Config                     – Not Found
Proxy_User                     – Not Found
Proxy_Password                 – Not Found
Proxy_Behavior                 – Use IE settings
Watermark                        – 892810033
bStageCleanup                    – True
bCFGCaution                     – False
KillDate                         – 0
bProcInject_StartRWX             – False
bProcInject_UseRWX             – False
bProcInject_MinAllocSize         – 7281
ProcInject_PrependAppend_x86     – b’x90′
                                Empty
ProcInject_PrependAppend_x64     – b’x90x90x90′
                                Empty
ProcInject_Execute             – ntdll:RtlUserThreadStart
                                CreateThread
                                NtQueueApcThread
                                SetThreadContext
ProcInject_AllocationMethod     – NtMapViewOfSection
bUsesCookies                     – True
HostHeader                     –
—End Cobalt Beacon Configuration Data—

Screenshots

Figure 1 - Screenshot of the code structure that tries to read "festive_computer.jpg" from disk.

Figure 1 – Screenshot of the code structure that tries to read “festive_computer.jpg” from disk.

Figure 2 - Screenshot of TEARDROP using an algorithm to decrypt the embedded code buffer which contains the Cobalt Strike Beacon remote access tool (RAT).

Figure 2 – Screenshot of TEARDROP using an algorithm to decrypt the embedded code buffer which contains the Cobalt Strike Beacon remote access tool (RAT).

ervsystem.com

Tags

command-and-control

URLs
  • ervsystem.com/2019/Two-Man-Point-The-Brands/
Ports
  • 443 TCP
Whois

Domain Name: ERVSYSTEM.COM
Registry Domain ID: 2222911627_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.epik.com
Registrar URL: http://www.epik.com
Updated Date: 2020-09-04T23:23:29Z
Creation Date: 2018-02-04T08:45:05Z
Registrar Registration Expiration Date: 2022-02-04T08:45:05Z
Registrar: Epik, Inc.
Registrar IANA ID: 617
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.4253668810
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Privacy Administrator
Registrant Organization: Anonymize, Inc.
Registrant Street: 704 228th Ave NE
Registrant City: Sammamish
Registrant State/Province: WA
Registrant Postal Code: 98074
Registrant Country: US
Registrant Phone: +1.4253668810
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:
Admin Name: Privacy Administrator
Admin Organization: Anonymize, Inc.
Admin Street: 704 228th Ave NE
Admin City: Sammamish
Admin State/Province: WA
Admin Postal Code: 98074
Admin Country: US
Admin Phone: +1.4253668810
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID:
Tech Name: Privacy Administrator
Tech Organization: Anonymize, Inc.
Tech Street: 704 228th Ave NE
Tech City: Sammamish
Tech State/Province: WA
Tech Postal Code: 98074
Tech Country: US
Tech Phone: +1.4253668810
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: [email protected]
Name Server: NS3.EPIK.COM
Name Server: NS4.EPIK.COM
DNSSEC: signedDelegation
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

Relationships
ervsystem.com Connected_From 1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c
Description

This domain is the command and control (C2) for the sample “1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c.”

b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07

Tags

backdoortrojan

Details
Name b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07
Size 530432 bytes
Type PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 bd842c41b4c1b3c2deb475d7a3876599
SHA1 f7e61eb028b399b74c73883a2fccedbe56ecea2e
SHA256 b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07
SHA512 110a10662342b0d5716c3307c51fa8a591bf621049d8d291aa44f8ab864ab075064651750334619292e9362136e328c14dd637033c244d42551ac5b321941aad
ssdeep 12288:NMINVoXxVuxcowWRjZ9dpOLg8UU8YhUhKEcBvg+:2rxIwU19eL4oUAEun
Entropy 7.533146
Antivirus
BitDefender Trojan.Teardrop.C
ESET a variant of Generik.NFGRBKQ trojan
Emsisoft Trojan.Teardrop.C (B)
Lavasoft Trojan.Teardrop.C
Microsoft Security Essentials Trojan:Win64/Cobaltstrike.RN!dha
Symantec Backdoor.Teardrop
YARA Rules
  • rule FireEye_20_00025665_02 : TEARDROP APT dropper
    {
       meta:
           Author = “FireEye”
           Date = “2020-12-13”
           Last_Modified = “20201213_1916”
           Actor = “n/a”
           Category = “Hacktool”
           Family = “TEARDROP”
           Description = “This rule is intended match specific sequences of opcode found within TEARDROP, including those that decode the embedded payload. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory.”
           MD5_1 = “”
           SHA256_1 = “”
       strings:
           $loc_4218FE24A5 = { 48 89 C8 45 0F B6 4C 0A 30 }
           $loc_4218FE36CA = { 48 C1 E0 04 83 C3 01 48 01 E8 8B 48 28 8B 50 30 44 8B 40 2C 48 01 F1 4C 01 FA }
           $loc_4218FE2747 = { C6 05 ?? ?? ?? ?? 6A C6 05 ?? ?? ?? ?? 70 C6 05 ?? ?? ?? ?? 65 C6 05 ?? ?? ?? ?? 67 }
           $loc_5551D725A0 = { 48 89 C8 45 0F B6 4C 0A 30 48 89 CE 44 89 CF 48 F7 E3 48 C1 EA 05 48 8D 04 92 48 8D 04 42 48 C1 E0 04 48 29 C6 }
           $loc_5551D726F6 = { 53 4F 46 54 57 41 52 45 ?? ?? ?? ?? 66 74 5C 43 ?? ?? ?? ?? 00 }
       condition:
           (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2018-03-09 23:23:43-05:00
Import Hash 3417123af2f473f771d46841bfce6d48
Company Name None
File Description GetText: library and tools for native language support
Internal Name None
Legal Copyright © 2015 Free Software Foundation <www.fsf.org>
Original Filename libintl3.dll
Product Name libintl3.dll
Product Version 0.14.4.1952
PE Sections
MD5 Name Raw Size Entropy
1ae8ec5795f9a3cad5d54e569634d668 header 1024 2.703747
989e04fb5dc1eb83a3055a3fea30fb7a .text 209408 6.327319
d2bcd776a8ca1ed76feb8344d0739f1a .data 286720 7.998501
fdbd0954169972c21876938dbd536da3 .rdata 1536 3.636101
7eddb104f4aad897faffc33762e896cf .pdata 7680 5.364572
8232395ce211b61e4df169c38afdb7f6 .xdata 3072 1.658757
d41d8cd98f00b204e9800998ecf8427e .bss 0 0.000000
add3d2ca7de32da5c3a5d2718129d600 .edata 15872 5.809199
8e6af2ae43eb16502507eeb8c7c03aa5 .idata 2560 3.983544
768bf26d947f32101953daeeea4a19b1 .CRT 512 0.238291
60227c557d35a7f2cf79a13c284b1dab .tls 512 0.335735
2d007e3e5c7f7423ed5c43b129f03f34 .rsrc 1024 2.956911
ddbe94bbe8aeacf9cb120fe816659354 .reloc 512 1.215071
Relationships
b820e8a205… Connected_To infinitysoftwares.com
Description

This file is a malicious 64-bit DLL, identified as a variant of the TEARDROP loader. During runtime, the malicious application decodes and executes an embedded code buffer using an XOR based stream cipher. Displayed below is the key utilized by the cipher algorithm to decrypt the embedded code buffer:

—Begin XOR Cipher Key—
AFAFD51031EE936AFC50B611CDC70E7E62A7BAFCA72B43DB0023915BBBBAC016A5331CB28EE6E3DF0804B24004D219EE7ED24C7B41D9669C21A7AECB1B87927C4ED5A25949404DD2218091F00DD9F874B955D1615534FEF8C5200DFDA816FF4A023CF1D2E679AFCA79A5C5BB4C871ABF34CA641E5F1ACC42864CEE8BF5921A4E0DAC1D18C090D15D0CC79A843D9F763B4D323A34B26216F065705A62B47000BED185E7E2A7DE306DB6C94B5D3C2DA5FF8149AB8A7D13C3E0A3DAC5BEC46A9BD0D9
—End XOR Cipher Key—

The embedded code buffer contains the malicious identified as Cobalt Strike Beacon (version 4) RAT. Displayed below is the embedded Beacon configuration data:

—Begin Cobalt Beacon Configuration Data—
BeaconType                     – HTTPS
Port                             – 443
SleepTime                        – 14400000
MaxGetSize                     – 1049217
Jitter                         – 23
MaxDNS                         – 255
C2Server                         – infinitysoftwares.com,/files/information_055.pdf
UserAgent                        – Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.92 Safari/537.36
HttpPostUri                     – /wp-admin/new_file.php
Malleable_C2_Instructions        – Remove 313 bytes from the end
                                Remove 324 bytes from the beginning
                                XOR mask w/ random key
HttpGet_Metadata                 – Referer: https://twitter.com/
                                Host: infinitysoftwares.com
                                Accept: */*
                                Accept-Language: en-US
                                Accept-Encoding: gzip, deflate
                                Connection: close
                                PHPSESSID=
                                Cookie
HttpPost_Metadata                – Host: infinitysoftwares.com
                                Accept: */*
                                Accept-Language: en-US
                                Connection: close
                                name=”uploaded_1″;filename=”33139.pdf”
Content-Type: text/plain

                                r
SpawnTo                         – b’x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00′
PipeName                         –
DNS_Idle                         – 208.67.220.220
DNS_Sleep                        – 0
SSH_Host                         – Not Found
SSH_Port                         – Not Found
SSH_Username                     – Not Found
SSH_Password_Plaintext         – Not Found
SSH_Password_Pubkey             – Not Found
HttpGet_Verb                     – GET
HttpPost_Verb                    – POST
HttpPostChunk                    – 0
Spawnto_x86                     – %windir%syswow64print.exe
Spawnto_x64                     – %windir%sysnativemsiexec.exe
CryptoScheme                     – 0
Proxy_Config                     – Not Found
Proxy_User                     – Not Found
Proxy_Password                 – Not Found
Proxy_Behavior                 – Use IE settings
Watermark                        – 943010104
bStageCleanup                    – True
bCFGCaution                     – False
KillDate                         – 0
bProcInject_StartRWX             – False
bProcInject_UseRWX             – False
bProcInject_MinAllocSize         – 8493
ProcInject_PrependAppend_x86     – b’x90x90′
                                Empty
ProcInject_PrependAppend_x64     – b’x0fx1fx00′
                                Empty
ProcInject_Execute             – ntdll:RtlUserThreadStart
                                CreateThread
                                NtQueueApcThread
                                SetThreadContext
ProcInject_AllocationMethod     – NtMapViewOfSection
bUsesCookies                     – True
HostHeader                     –
—End Cobalt Beacon Configuration Data—

Screenshots

Figure 3 - Screenshot of the XOR based cipher utilized by this TEARDROP variant to decode an embedded Cobalt Strike Beacon payload.

Figure 3 – Screenshot of the XOR based cipher utilized by this TEARDROP variant to decode an embedded Cobalt Strike Beacon payload.

infinitysoftwares.com

Tags

command-and-control

URLs
  • infinitysoftwares.com/files/information_055.pdf
Ports
  • 443 TCP
Whois

Domain Name: infinitysoftwares.com
Registry Domain ID: 2356151174_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: https://www.namesilo.com/
Updated Date: 2021-01-01T07:00:00Z
Creation Date: 2019-01-28T07:00:00Z
Registrar Registration Expiration Date: 2021-01-28T07:00:00Z
Registrar: NameSilo, LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.4805240066
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: See PrivacyGuardian.org
Registrant Street: 1928 E. Highland Ave. Ste F104 PMB# 255
Registrant City: Phoenix
Registrant State/Province: AZ
Registrant Postal Code: 85016
Registrant Country: US
Registrant Phone: +1.3478717726
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: See PrivacyGuardian.org
Admin Street: 1928 E. Highland Ave. Ste F104 PMB# 255
Admin City: Phoenix
Admin State/Province: AZ
Admin Postal Code: 85016
Admin Country: US
Admin Phone: +1.3478717726
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID:
Tech Name: Domain Administrator
Tech Organization: See PrivacyGuardian.org
Tech Street: 1928 E. Highland Ave. Ste F104 PMB# 255
Tech City: Phoenix
Tech State/Province: AZ
Tech Postal Code: 85016
Tech Country: US
Tech Phone: +1.3478717726
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: [email protected]
Name Server: NS1.DNSOWL.COM
Name Server: NS2.DNSOWL.COM
Name Server: NS3.DNSOWL.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

Relationships
infinitysoftwares.com Connected_From b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07
Description

This domain is the C2 for the sample “b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07.”

Relationship Summary

1817a5bf9c… Connected_To ervsystem.com
ervsystem.com Connected_From 1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c
b820e8a205… Connected_To infinitysoftwares.com
infinitysoftwares.com Connected_From b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.surveymonkey.com/r/G8STDRY

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.

This product is provided subject to this Notification and this Privacy & Use policy.

Leave a Reply

Verified by MonsterInsights