SonicWall Security Center
Share: Linkedin Share Facebook Like
Back to SonicALERT

Gh0stnet now spreads as a fileless malware (Nov 02,2017)


The SonicWall Capture Labs Threat Research team recently observed a new version of Gh0stNet backdoor spreading with the file less technique, which is using PowerShell script for initial execution. This version of Gh0stNet is using new commands for communication.

Infection Cycle:

Upon execution the script spawns powershell.exe to perform malicious activities.

Fig1. Trojan uses owershell.exe to download and register itself as a startup item

Figure 1 shows the script will download a Base64 encoded data from a address. It then decodes and unzips the data to get the next level PowerShell script. The second stage PowerShell script is shown in the figure below:

Fig2. Base64 Encoded shellcode

After decoding the Base64 encoded shellcode, it calls "Inject-LocalShellcode" function to inject shellcode into the running instance of PowerShell as shown in the figure below:

Fig3. Powershell Shellcode injection

The injected shellcode contains code to unpack the embedded UPX packed file (without headers) and execute the unpacked code. Figure 4 below shows the UPX packed file that is present in the injected shellcode.

Fig4. Embedded UPX packed file

When the UPX unpacked code executes, it first decodes the Config string using a custom Base64 decoding key as shown below:

Fig5. Decrypting the config URL using a custom key

Visiting the URL shows a seemingly encoded information.

Fig6. Some encoded data shown on the page of the decoded URL

Figure 7 below shows that the malware searches for the marker "x=" in the response received from the URL post request. Once the marker is found, it decodes the string followed by marker to get the second stage Command and control server.

Fig7. Decoded response from the URL

After this the backdoor starts the communication with the command and control server by sending the following request:

Fig8.Scote_connection|hwid = [customid _from_created_cpuid]

It then creates a thread that will listen on the incoming commands from the command and control server.

The following are the commands sent from the remote server:
  • scote_info_ipconfig
  • scote_info_systeminfo
  • scote_drop
  • scote_upgrade
  • scote_upgrade_internal
Below are the functionality details for each command:
  • scote_info_ipconfig:

  • In response to this command the backdoor will collect the IP configuration information by executing "cmd.exe /C ipconfig" command. It will then encrypt it with using a Base64 custom key and send it to the C&C server using the format: "command=scote_info_ipconfig|buffer=[Encrypted IP Config]."
    The figure below shows that response packet.

    Fig9.Sample response to scote_info_ipconfig command

  • scote_info_systeminfo:

  • In response to this command the backdoor will collect the system information by excuting "cmd.exe /C systeminfo" command. It will then encrypt it with using a Base64 custom key and send it to the C&C server using the format: "command=scote_info_systeminfo|buffer=[Encrypted System Info]."

    The figure below shows that response packet:

    Fig10.Sample response to scote_info_systeminfo command

  • scote_drop

  • The backdoor will terminate after receiving this command.

  • scote_upgrade

  • After receiving this command the backdoor will inject the code in "svchost.exe" and "explorer.exe" and will terminate itself. Before code injection, the backdoor installs a hook for "ntdll. ZwDelayExecution" to evade analysis and perform code injection through the hooked function as shown below:

    Fig11.Code injection through another hooked function

SonicWALL Capture Labs provides protection against this threat with the following signature:

  • GAV: Ghostnet.A (Trojan)

Back to top

Back to SonicALERT

Follow: Follow us on Facebook Follow us on Twitter Join the Conversation
© 2021 SonicWall | Privacy Policy | Conditions for use | Feedback | Live Demo | SonicALERT | Document Library | Report Issues
Version: 17.3 | S1MSW04