Game of Trojans: Dissecting the #Khalesi Infostealer Malware

In late August 2018, the security community discovered an infostealer in the wild named Khalesi, identified as part of the Kpot malware campaign. Some of the recent Khalesi variants in this campaign were compiled with a Visual Basic 6 (VB6) compiler, while the others were built with a native compiler as regular Portable Executable (PE) files. The Khalesi variants covered in this post were compiled around the same time, and for the most part their functionality is similar. When executed, the malware communicates with a Command and Control (C2) domain and collects a wide variety of data from multiple sources on the affected system: Windows and browser credentials, credit card information, cryptocurrency wallets, data from messaging apps (such as Skype and Telegram) and so on. Both variants discussed here also implement anti-analysis techniques, and both attempt to communicate with the same C2 domain. Online resources suggest that this domain was registered around the same time the two variants were compiled; however, it was short-lived and is no longer online.

This blog post provides a technical analysis of two Khalesi infostealer variants, including dynamic and static analysis: a brief analysis of the variant compiled with a VB6 compiler and a more detailed analysis of the variant built with a native PE compiler. In addition, we explain how the enSilo Endpoint Security Platform, with its post-infection protection, blocks the malicious operation in real time. Finally, this post provides file and network Indicators of Compromise (IOCs).


Technical Analysis

 

The following are the static characteristics of the Khalesi variant compiled with a VB6 compiler:

File Name: finalvr.exe

File SHA1: C37B9B9FEA73C95DE363E8746FF305F4B23F0C28

File Size: 786432 bytes

Compile Time: 2018-08-29 15:11:00


Upon execution, this variant runs on top of the VB6 runtime MSVBVM60.DLL and starts its "unpacking" process. It then checks whether it is being debugged by deliberately raising an exception, which the kernel dispatches back to user mode through ntdll's KiUserExceptionDispatcher():

image 1 trojan blogFigure 1: KiUserExceptionDispatcher

The exception is raised with the Windows API RtlRaiseException(), which contains the following instructions:

image 2 trojan blogFigure 2: RtlRaiseException

With a debugger attached, the exception is delivered to the debugger as a first-chance exception instead of to the sample's own handler. The debugger therefore does not continue the variant the way the sample expects, the OS reports an error and the executable terminates. Outside a debugger, or once the analyst passes the exception back to the debuggee (every mainstream debugger has a setting for this), the variant runs normally. In that case it drops a second copy of itself (same size and compile timestamp, different hash) under the ProgramData folder. The following are the static characteristics of the dropped file:

File Path: C:\ProgramData

File Name: Kip1.exe

File SHA1: 70DF9DF1FFE20E7EAC54E424C2E76242696904D2

File Size: 786432 bytes

Compile Time: 2018-08-29 15:11:00


Thereafter, to establish persistence, it registers itself as a scheduled task, as shown in Figure 3.

image 3 trojan blogFigure 3: Schedule Task

The task is named Ebrin and is set to run every minute. It is registered with the schtasks.exe command line tool:


image 4 trojan blogFigure 4: schtasks.exe command
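A task that fires every minute from ProgramData is easy to hunt for once you look at the task definitions themselves. The following is an added hunting example, not code from this post or from the malware: it parses Task Scheduler task definitions (the XML files Windows keeps under C:\Windows\System32\Tasks) and flags tasks that repeat every few minutes or run an executable from a user-writable location. The two task bodies in the script are constructed from the behaviour described above; the trigger type, start time and the benign comparison task are assumptions.

```python
"""Hunt for scheduled tasks shaped like Khalesi's "Ebrin" task.

Added example, not code from the original post: parses Task Scheduler task
definitions (the XML files Windows keeps under C:\\Windows\\System32\\Tasks)
and flags tasks that repeat every few minutes or run from a user-writable
location. The two task bodies below are constructed for this example from
the behaviour described in the post; they are not copies of the real file.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample mirroring the post: runs every minute, launches the
# dropped copy under ProgramData. Trigger type and start time are assumed.
EBRIN_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval></Repetition>
      <StartBoundary>2018-08-30T10:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\ProgramData\Kip1.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign task for contrast: hourly, binary under System32.
BENIGN_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2018-08-01T00:00:00</StartBoundary>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\defrag.exe</Command><Arguments>C: /O</Arguments></Exec>
  </Actions>
</Task>"""

SHORT_INTERVAL_SECONDS = 5 * 60
# Locations a non-admin process can write to; legitimate tasks rarely run from here.
USER_WRITABLE = re.compile(r"\\(programdata|appdata|temp|tmp|public|downloads)\\", re.IGNORECASE)
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_seconds(text):
    """Convert a Task Scheduler ISO 8601 duration such as PT1M or P1DT2H to seconds."""
    m = _DURATION.match(text.strip())
    if not m:
        raise ValueError(f"unparsable duration: {text!r}")
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s


def load_task(xml_text):
    # Real task files are UTF-16 with an XML declaration. Reading them as bytes
    # lets ElementTree honour that; once decoded to str the declaration has to
    # go, or expat rejects the mismatch.
    return ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))


def assess_task(xml_text):
    """Return a list of (finding, detail) tuples; an empty list means nothing suspicious."""
    root = load_task(xml_text)
    findings = []
    for interval in root.findall(".//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(interval.text or "")
        if secs and secs <= SHORT_INTERVAL_SECONDS:
            findings.append(("short_repetition", secs))
    for cmd in root.findall(".//t:Exec/t:Command", NS):
        command = (cmd.text or "").strip().strip('"')
        if USER_WRITABLE.search(command):
            findings.append(("user_writable_path", command))
    return findings


if __name__ == "__main__":
    for name, xml_text in (("Ebrin", EBRIN_TASK_XML), ("Defrag", BENIGN_TASK_XML)):
        print(name, assess_task(xml_text) or "clean")
```

To sweep a host, read every file under C:\Windows\System32\Tasks (recursively) as bytes, decode it, and pass it to assess_task(); the two findings together (minute-level repetition plus a user-writable command path) are a much stronger signal than either alone.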

After this, it changes the Internet settings on the system by modifying the following registry values:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect

Both values are also written by Internet Explorer and WinINet during ordinary use, so on their own they are weak indicators; they matter here in combination with the Internet Explorer launch and C2 traffic that follow.

 

It spawns Internet explorer and communicates with the C2 domain seeyouonlineservice[.]com as shown in Figure 5.


image 5 trojan blogFigure 5: C2 Communication

Also in this campaign, enSilo came across the following Khalesi variant:

File Name: soft.exe


File SHA1: FCF2918829132CD43890129B8255F1D1533E07AB


File Size: 87040 bytes


Compile Time: 2018-08-28 01:06:58


Upon execution, this variant calls CoInitialize (discussed later in this post), initializes multiple strings and constructs the C2 URL shown in Figure 6.


image 6 trojan blog
Figure 6: List of initialized strings


The list of initialized strings in Figure 6 gives a good overview of the malware's objectives and communication techniques. The strings show that this variant also communicates with the same C2 domain, seeyouonlineservice[.]com, observed earlier.

During execution, Khalesi calls FCICreate to create cabinet files, as shown in Figure 7.


image 7 trojan blogFigure 7: FCICreate


According to Microsoft, the File Compression Interface (FCI) is a library for creating cabinets (also known as "CAB files"), which compresses the file data and reduces its size. The sample also uses the following functions from that library during execution:

FCIAddFile: Adds a file to the cabinet currently being constructed.

FCICreate: Creates an FCI context.

FCIDestroy: Deletes an open FCI context, freeing any memory and temporary files associated with the context.

FCIFlushCabinet: Completes the current cabinet.

FCIFlushFolder: Forces the current folder under construction to be completed immediately.

After execution, Khalesi creates multiple .tmp files in the %TEMP% directory, as shown below:

image 8 trojan blog

Figure 8: Temp Files

These .tmp files contain all the information the malware has gathered from the victim. The files named CAB[0-9A-Z]{4}.tmp are gathered, together with the screenshots, into a cabinet file that is created with the system attribute set, which hides it by default. Note that this CAB name shape is what GetTempFileName() produces for a "CAB" prefix, so the same names also turn up in %TEMP% from legitimate cabinet tools; the file contents, not the names, are what identify the staging. The cabinet file and the screenshots are named with a ten-digit number ([0-9]{10}).
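The CAB staging is worth a triage script. The following is an added example, not code from this post or from the malware: a minimal MS-CAB header parser that identifies cabinets by the MSCF signature regardless of file name, lists the files packed into them with their attributes, and applies the two file-name patterns from the IOC section at the end of this post to a directory listing. The cabinet builder in it exists only to construct test input offline (uncompressed, single folder); the sample file names and contents are made up.

```python
"""Triage the staging files Khalesi leaves behind: find cabinets by signature
and list what was packed into them.

Added example, not code from the original post. Minimal MS-CAB (MSCF)
parser plus a builder for uncompressed single-folder test cabinets; names
and contents below are constructed for this example.
"""
import re
import struct

CFHEADER = "<4sIIIIIBBHHHHH"   # signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
                              # versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFFOLDER = "<IHH"             # coffCabStart, cCFData, typeCompress
CFFILE = "<IIHHHH"            # cbFile, uoffFolderStart, iFolder, date, time, attribs (+ NUL-terminated name)
CFDATA = "<IHH"               # csum, cbData, cbUncomp (+ data)
ATTR_HIDDEN, ATTR_SYSTEM, ATTR_NAME_IS_UTF = 0x02, 0x04, 0x80

# The two file-name patterns the post gives as IOCs for the staging directory.
STAGING_NAME = re.compile(r"^(?:CAB[0-9A-Z]{4}\.tmp|[0-9]{10})$", re.IGNORECASE)


def is_cabinet(blob):
    return blob[:4] == b"MSCF"


def parse_cabinet(blob):
    """Parse CFHEADER/CFFOLDER/CFFILE and return folders and file entries."""
    if not is_cabinet(blob):
        raise ValueError("missing MSCF signature")
    (_, _, cb_cabinet, _, coff_files, _, ver_minor, ver_major,
     c_folders, c_files, flags, set_id, _) = struct.unpack_from(CFHEADER, blob, 0)
    if flags & 0x0004:
        raise NotImplementedError("cabinets with reserved header areas are not handled here")
    if cb_cabinet != len(blob):
        raise ValueError(f"header claims {cb_cabinet} bytes but {len(blob)} were read (truncated?)")
    folders = []
    for i in range(c_folders):
        start, blocks, ctype = struct.unpack_from(CFFOLDER, blob, struct.calcsize(CFHEADER) + 8 * i)
        folders.append({"data_offset": start, "blocks": blocks, "compression": ctype & 0x000F})
    files, off = [], coff_files
    for _ in range(c_files):
        size, uoff, ifolder, _date, _time, attribs = struct.unpack_from(CFFILE, blob, off)
        off += struct.calcsize(CFFILE)
        end = blob.index(b"\0", off)
        name = blob[off:end].decode("utf-8" if attribs & ATTR_NAME_IS_UTF else "latin-1")
        off = end + 1
        files.append({"name": name, "size": size, "offset": uoff, "folder": ifolder, "attribs": attribs})
    return {"version": f"{ver_major}.{ver_minor}", "set_id": set_id, "folders": folders, "files": files}


def build_cabinet(entries, set_id=0x1234):
    """Build a minimal cabinet: one folder, no compression, one CFDATA block.
    entries: list of (name, data, attribs). Test input only; FCI does the real work."""
    cffiles, payload = b"", b""
    for name, data, attribs in entries:
        # date/time zeroed; uoffFolderStart is the running offset inside the folder
        cffiles += struct.pack(CFFILE, len(data), len(payload), 0, 0, 0, attribs) + name.encode() + b"\0"
        payload += data
    if len(payload) > 0x8000:
        raise ValueError("single-block builder: payload must fit one CFDATA (32 KiB)")
    coff_files = struct.calcsize(CFHEADER) + struct.calcsize(CFFOLDER)
    coff_cab_start = coff_files + len(cffiles)
    cfdata = struct.pack(CFDATA, 0, len(payload), len(payload)) + payload   # csum 0 = not computed
    header = struct.pack(CFHEADER, b"MSCF", 0, coff_cab_start + len(cfdata), 0, coff_files, 0,
                         3, 1, 1, len(entries), 0, set_id, 0)
    return header + struct.pack(CFFOLDER, coff_cab_start, 1, 0) + cffiles + cfdata


def staging_candidates(names):
    """Filter a directory listing down to names matching the post's IOC regexes."""
    return [n for n in names if STAGING_NAME.match(n)]


def triage(listing):
    """listing: {name: bytes}. For each staging-named file, list the packed names or None if not a CAB."""
    report = {}
    for name in staging_candidates(listing):
        blob = listing[name]
        report[name] = [f["name"] for f in parse_cabinet(blob)["files"]] if is_cabinet(blob) else None
    return report


if __name__ == "__main__":
    cab = build_cabinet([("sysinfo.txt", b"OS: Windows 7 SP1\r\n", 0x20),
                         ("1535616000", b"\x89PNG\r\n\x1a\n" + b"\0" * 32, ATTR_SYSTEM)])
    listing = {"CAB1A2B.tmp": b"partial\0data", "1535616000": cab, "notes.txt": b"hi"}
    for name, contents in triage(listing).items():
        print(name, "->", contents if contents is not None else "not a cabinet")
```

parse_cabinet() deliberately checks cbCabinet against the bytes actually read, because a staging cabinet caught mid-write (or truncated by the malware's own cleanup) is the common case on a live host; extracting the data needs a real CAB library once the compression type in the folder entry is non-zero.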

After that, Khalesi records the integrity level of the running process (its mandatory-label SID) and the Operating System (OS) version; both are sent to the C2 later. If the integrity level RID is greater than SECURITY_MANDATORY_UNTRUSTED_RID (that is, the process is not running at untrusted integrity), it follows up the CoInitialize call made earlier by creating a COM object with the CoCreateInstance function:


image 9 trojan blogFigure 9: CoCreateInstance Function

The rclsid argument matches the CLSID of InternetExplorer.Application, {0002DF01-0000-0000-C000-000000000046}, as shown in Figure 10.


image 10 trojan blogFigure 10: Internet Explorer rclsid

Khalesi uses this procedure to launch two Internet Explorer processes shown below:


image 9 trojan blogFigure 11: Launching Internet Explorer

Driving Internet Explorer through COM for the communication has a few advantages for the attacker:

1. It hides the malicious traffic to the remote host inside an iexplore.exe process instead of the malware process.
2. It complicates reverse engineering because there is no immediate evidence of network communication when statically inspecting the malware.

This results in stealthier communication. Defenders should note that because the COM runtime launches the out-of-process server, the iexplore.exe instance is a child of the DcomLaunch svchost.exe rather than of the malware, so detections that rely on a direct parent-child relationship between the two will miss it.

 

After Internet Explorer is launched, Khalesi verifies the connection to the constructed URL (seeyouonlineservice[.]com). If that fails, Khalesi falls back to one of the following hardcoded IP addresses as the C2:

1. 174[.]138[.]48[.]29
2. 46[.]101[.]70[.]183
3. 91[.]217[.]137[.]44
4. 80[.]233[.]248[.]109

All of these IP addresses belong to web hosting services in Eastern Europe. Besides this communication process, Khalesi also modifies the following registry values:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable

This is done in an effort to lower Internet Explorer's security settings for the C2 traffic it is about to carry.

 

Anti-VM, Anti-Disassembly & Anti-Sandboxing Techniques

 

After initialization, execution continues to the main module. At the start of the main module there is a call to a suspicious-looking address, seen in Figure 12.


image 12 trojan blog
Figure 12: Main Module

 

When IDA follows this call, it cannot display the target address range as a graph, as shown in Figure 13.


image 13 trojan blogFigure 13: Warning Message

The malware author uses a well-known anti-disassembly technique: the function jumps to the address of the next instruction plus one byte. The CPU follows the jump, but a disassembler that decodes bytes in sequence interprets the skipped byte as the start of an instruction and decodes completely different code from that point on. Undefining the junk byte and redefining code at the jump target restores the listing. Once past this, Khalesi iterates the currently loaded modules looking for ones that belong to debugging and analysis tools such as API Monitor and CAPE sandbox.

 

Thereafter, Khalesi checks for the following VirtualBox guest additions drivers in the system directory:

1. VBoxGuest.sys
2. VBoxMouse.sys
3. VBoxVideo.sys

If it discovers any of these drivers, execution crashes deliberately, so getting further with this sample means running it on a different hypervisor or patching the check out.

 

Before returning to the main module, the variant performs the following steps:

1. Walks the loaded-modules linked list once again to acquire the ntdll.dll base address
2. Saves the address of the ExitProcess API function
3. Uses VirtualProtect to change the permissions of the relevant ntdll.dll page to Read, Write, Execute
4. Writes a call to ExitProcess followed by a return instruction over the start of the ntdll function DbgBreakPoint()
5. Alters the ntdll.dll page permissions back to Read, Write

When a debugger attaches to a running process, the thread it injects ends up calling DbgBreakPoint() in ntdll. This function raises a breakpoint exception that the debugger intercepts, which is how the debugger gains control, and the mechanism relies on the function remaining intact. Because of the alteration shown in Figures 14 and 15, attaching a debugger instead makes the process call ExitProcess and exit. Note that this only affects attaching to an already running process: starting the sample under a debugger from the beginning is unaffected, and restoring the original bytes of DbgBreakPoint (int 3; ret on 32-bit ntdll) after the patch has run also defeats it.


image 14 trojan blog


Figure 14: ExitProcess Function



image 15 trojan blog


Figure 15: DbgBreakPoint
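The following is an added detection example, not code from this post or from the malware: it compares the first bytes of ntdll exports as seen inside a process against the on-disk image and recognises a stub of the shape described above. The snapshots are constructed; the post does not give the exact instruction encoding the malware writes, so the stub layout (push 0; mov eax, ExitProcess; call eax; ret) and the addresses are assumptions.

```python
"""Detect the DbgBreakPoint overwrite by comparing ntdll export prologues in
memory against the on-disk image.

Added example, not code from the original post. Runs on constructed byte
strings: the clean DbgBreakPoint prologue is the well-known 32-bit ntdll
stub, while the patch encoding and all addresses are assumptions.
"""

# ntdll!DbgBreakPoint on 32-bit Windows is just 'int 3 ; ret'.
CLEAN_DBGBREAKPOINT = bytes.fromhex("CC C3")


def build_exitprocess_stub(exitprocess_va, exit_code=0):
    """Assumed encoding of the patch: push exit_code ; mov eax, imm32 ; call eax ; ret."""
    return (b"\x6a" + bytes([exit_code & 0xFF])
            + b"\xb8" + exitprocess_va.to_bytes(4, "little")
            + b"\xff\xd0"
            + b"\xc3")


def describe_patch(prologue):
    """Recognise the stub above and recover the address it calls; None if it is another pattern."""
    if (len(prologue) >= 10 and prologue[0] == 0x6A and prologue[2] == 0xB8
            and prologue[7:10] == b"\xff\xd0\xc3"):
        return {"kind": "exitprocess_stub", "exit_code": prologue[1],
                "target": int.from_bytes(prologue[3:7], "little")}
    return None


def diff_exports(on_disk, in_memory, prologue_len=10):
    """on_disk / in_memory: {export_name: bytes}. Return exports whose first bytes differ."""
    diffs = {}
    for name, disk_bytes in on_disk.items():
        mem_bytes = in_memory.get(name)
        if mem_bytes is None:
            continue
        d, m = disk_bytes[:prologue_len], mem_bytes[:prologue_len]
        if d != m:
            diffs[name] = {"disk": d, "memory": m, "patch": describe_patch(m)}
    return diffs


# Constructed snapshot of a handful of ntdll exports; bytes after the first
# two of DbgBreakPoint and every address are placeholders.
EXITPROCESS_VA = 0x7C81CAFA  # hypothetical kernel32!ExitProcess address
ON_DISK = {
    "DbgBreakPoint": CLEAN_DBGBREAKPOINT + b"\x90" * 8,
    "DbgUiRemoteBreakin": bytes.fromhex("8B FF 55 8B EC 83 EC 08 53 56"),
    "NtClose": bytes.fromhex("B8 0C 00 00 00 BA 00 03 FE 7F"),
}
IN_MEMORY = dict(ON_DISK)
IN_MEMORY["DbgBreakPoint"] = build_exitprocess_stub(EXITPROCESS_VA)

if __name__ == "__main__":
    for name, info in diff_exports(ON_DISK, IN_MEMORY).items():
        print(f"{name}: disk={info['disk'].hex()} memory={info['memory'].hex()} patch={info['patch']}")
```

In a real sweep the two dictionaries come from reading the export table of the mapped ntdll in the target process and of the file on disk; any difference is worth a look, but expect legitimate hits too, since EDR user-mode hooks rewrite the same prologues (typically with an E9 jump), which is why describe_patch() classifies the shape rather than just reporting a mismatch.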

 


Stealing objectives

 

This particular Khalesi variant tries to steal the following information during the execution of the main module, grouped by category:

Browser: Mozilla Firefox, Internet Explorer, Opera

Messaging & Voice Call: Skype, Telegram, Discord, PSI, Pidgin

Virtual Coins: Ethereum, Electrum, Bytecoin, Namecoin, Monero

Windows: harvested user credentials, general machine information

Banking: credit cards

File Transfer Protocol Clients: FileZilla, WinSCP, Total Commander, Ipswitch

VPN: NordVPN, EarthVPN

Gaming: Steam, World of Warcraft

Once the information is gathered, it is written to the %TEMP% directory as described above, as shown in the following figure:

image 16 trojan blogFigure 16: sysinfo.txt

Once the information gathering process is completed, and the execution passes certain conditions (these will be described later in the blog) the data is sent via a POST request to the C2 URL [http]://seeyouonlineservice[.]com/regbot.php as shown in the following figure:


image 17 trojan blogFigure 17: POST request

The file is then deleted, right after its system attribute is changed back to normal.

 

C2 Communication

 

The malware communicates with the C&C server using the following GET and POST requests:

config.php (GET): Get configuration from the C&C server

ip.php (GET): Get the victim's external IP address

regbot.php (POST): Bot registration and delivery of stolen data

East-European Connection

 

Before sending the stolen information, this Khalesi variant uses the GetUserDefaultLangID() and GetKeyboardLayoutList() Windows API functions to check for an East-European default language or keyboard layout. The following figure shows this process:


image 18 trojan blogFigure 18: Using the GetKeyboardLayoutList Function

If an East-European default language or keyboard layout is detected, this Khalesi variant will not send the stolen data to the C2 domain. This cuts both ways for sandbox operators: an analysis VM with such a keyboard layout installed will never reach the exfiltration stage.
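The following is an added example, not the malware's code, that reproduces the gate from raw LANGID and HKL values so a sandbox's locale settings can be checked against it offline. Windows stores the input language in the low 16 bits of an HKL and the primary language in the low 10 bits of a LANGID; the post does not name which East-European languages the sample blocks, so the four in the BLOCKED set are an assumption.

```python
"""Reproduce the language/keyboard-layout gate to see which LANGID/HKL values trip it.

Added example, not code from the original post. Which East-European
languages the sample blocks is not stated there; the block list is assumed.
"""

# Primary language identifiers (low 10 bits of a LANGID). Assumed block list.
LANG_RUSSIAN, LANG_UKRAINIAN, LANG_BELARUSIAN, LANG_KAZAKH = 0x19, 0x22, 0x23, 0x3F
BLOCKED_PRIMARY_LANGS = {LANG_RUSSIAN, LANG_UKRAINIAN, LANG_BELARUSIAN, LANG_KAZAKH}


def primary_lang(langid):
    """PRIMARYLANGID(): drop the sublanguage so ru-RU (0x0419) and ru-MD (0x0819) both count."""
    return langid & 0x03FF


def hkl_langid(hkl):
    """An HKL from GetKeyboardLayoutList() carries the input language in its low word."""
    return hkl & 0xFFFF


def should_exfiltrate(default_langid, keyboard_layouts, blocked=BLOCKED_PRIMARY_LANGS):
    """Mirror the gate: a blocked default language or any blocked installed layout suppresses the upload."""
    if primary_lang(default_langid) in blocked:
        return False
    return not any(primary_lang(hkl_langid(h)) in blocked for h in keyboard_layouts)


def explain(default_langid, keyboard_layouts, blocked=BLOCKED_PRIMARY_LANGS):
    """Return the identifiers that trip the gate, for tuning a sandbox image."""
    hits = []
    if primary_lang(default_langid) in blocked:
        hits.append(("default_language", default_langid))
    hits += [("keyboard_layout", h) for h in keyboard_layouts if primary_lang(hkl_langid(h)) in blocked]
    return hits


if __name__ == "__main__":
    us_only = (0x0409, [0x04090409])                    # en-US, single US layout
    us_plus_ru = (0x0409, [0x04090409, 0x04190419])     # en-US default, Russian layout added
    print(should_exfiltrate(*us_only), should_exfiltrate(*us_plus_ru), explain(*us_plus_ru))
```

The practical consequence is that the check is decided by the layout list, not only by the UI language: a sandbox that carries a second, East-European layout for unrelated reasons silently loses the exfiltration stage of this family.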

 

About the C2 Domain

 

Unfortunately, the C2 domain seeyouonlineservice[.]com was short-lived. It was registered in August 2018, as shown in Figure 19, around the same time the Khalesi variants were compiled; however, the domain went offline while this post was being written.


image 19 trojan blog

Figure 19: Domain Registration



Additional Variants in the Wild

 

The following hashes belong to similar Khalesi infostealer variants found in the wild:

File Name: soft.exe

File SHA1: 6ace6f3631ef8773f0af2233595ee5f8d662134c

File Size: 221696 bytes

Compile Time: 2018-08-29 22:58:44


File Name: soft.exe

File SHA1: 7dc34dc7936b257830477353f681bdcb6ba3313d

File Size: 87040 bytes

Compile Time: 2018-08-27 22:06:58


File Name: soft.exe

File SHA1: b349e41aa4303e2ec503c66da5e56791b123d11f

File Size: 86528 bytes

Compile Time: 2018-08-29 22:58:44


These variants resemble the variant built with a native PE compiler: they import the same number of Windows API functions, have the same sections and entropy, and were compiled at around the same time. In addition, they also appear to communicate with the seeyouonlineservice[.]com C2 domain.

 

enSilo Prevents Khalesi Infostealer Malware Attacks

 

 

The following figures illustrate how the enSilo Endpoint Security Platform tracks the entire threat chain of this malware at every stage of the attack, first in logging mode:

image 20 trojan blogFigure 20: Logging Mode

image 20a trojan blog

and then in protection mode, where the malicious operation is blocked:

image 21 trojan blogFigure 21: Protection Mode

These event graphs show how enSilo automatically classifies the attack as malicious using a machine learning algorithm and, as a result, prevents any damage following the execution of this malware. The entire detection-to-prevention process happens in real time. enSilo is also capable of detecting this malware before it executes.

Indicators of Compromise


File Name: soft.exe


File SHA1: FCF2918829132CD43890129B8255F1D1533E07AB


File Size: 87040 bytes


Compile Time: 2018-08-28 01:06:58



File Name: finalvr.exe


File SHA1: C37B9B9FEA73C95DE363E8746FF305F4B23F0C28


File Size: 786432 bytes


Compile Time: 2018-08-29 15:11:00



File Name: Kip1.exe


File SHA1: 70DF9DF1FFE20E7EAC54E424C2E76242696904D2


File Size: 786432 bytes


Compile Time: 2018-08-29 15:11:00



File Name: go.exe


File SHA1: C450634B90CCEAC6F7393D38FEA10453A6010DFE


File Size: 471120 bytes


Compile Time: 2007-10-06 14:45:00



File Name: crsoft.exe


File SHA1: 9DCADA7455205B44B5FE69F765CAECCA4F14403C


File Size: 146432 bytes


Compile Time: 2018-08-29 15:24:39


Regexes for the full path of the staging files (the analysis above observed them under %TEMP%; hunt in both locations):

%APPDATA%\CAB[0-9A-Z]{4}\.tmp

%APPDATA%\[0-9]{10}


Network IOCs


seeyouonlineservice[.]com


botsphere[.]biz

 


The website botsphere[.]biz was still compromised and serving the malware during the time of analysis.


IP Addresses


174[.]138[.]48[.]29


46[.]101[.]70[.]183


91[.]217[.]137[.]44


80[.]233[.]248[.]109


101[.]99[.]70[.]55


77[.]222[.]40[.]43


All of these IP addresses belong to web hosting services located in Eastern Europe.
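For the endpoints in the C2 Communication table and the network indicators above, the following added example (not code from this post) sweeps proxy log lines for the IOCs, refanging them as written, and tags each hit with the endpoint's purpose and whether the HTTP method matches the table. The log format (timestamp, client, method, URL, status) and the log lines are constructed for this example; parse_line() is the only part that needs adapting to a real proxy.

```python
"""Sweep web-proxy logs for the C2 endpoints and network IOCs from this post.

Added example, not code from the original post. The log format and lines
are constructed; the indicators are the post's, defanged as written there.
"""
import ipaddress
from urllib.parse import urlsplit

C2_DOMAINS = {"seeyouonlineservice[.]com", "botsphere[.]biz"}
C2_IPS = {"174[.]138[.]48[.]29", "46[.]101[.]70[.]183", "91[.]217[.]137[.]44",
          "80[.]233[.]248[.]109", "101[.]99[.]70[.]55", "77[.]222[.]40[.]43"}
# Endpoint -> (expected method, purpose), from the C2 Communication table.
C2_ENDPOINTS = {
    "config.php": ("GET", "get configuration from the C2 server"),
    "ip.php": ("GET", "get external IP"),
    "regbot.php": ("POST", "bot registration and delivery of stolen data"),
}


def refang(indicator):
    return indicator.replace("[.]", ".")


DOMAINS = {refang(d) for d in C2_DOMAINS}
IPS = {ipaddress.ip_address(refang(i)) for i in C2_IPS}


def parse_line(line):
    """Constructed format: '<iso-timestamp> <client-ip> <METHOD> <url> <status>'."""
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method.upper(), "url": url, "status": int(status)}


def match_indicator(host):
    """Return ('domain', name) / ('ip', addr) when the host is on the IOC list, else None."""
    host = host.lower().rstrip(".")
    if host in DOMAINS or any(host.endswith("." + d) for d in DOMAINS):
        return ("domain", host)
    try:
        if ipaddress.ip_address(host) in IPS:
            return ("ip", host)
    except ValueError:          # not an IP literal
        pass
    return None


def scan(lines):
    alerts = []
    for line in lines:
        rec = parse_line(line)
        parts = urlsplit(rec["url"])
        hit = match_indicator(parts.hostname or "")
        if not hit:
            continue
        endpoint = parts.path.rsplit("/", 1)[-1].lower()
        expected, purpose = C2_ENDPOINTS.get(endpoint, (None, "unknown path on a known C2 host"))
        alerts.append({
            "ts": rec["ts"], "client": rec["client"],
            "indicator": hit[1], "indicator_type": hit[0],
            "endpoint": endpoint, "purpose": purpose,
            # A known endpoint reached with the wrong verb is still a hit, but worth flagging.
            "method_mismatch": expected is not None and rec["method"] != expected,
        })
    return alerts


# Constructed log lines.
SAMPLE_LOG = """\
2018-08-30T10:01:02Z 10.0.0.12 GET http://seeyouonlineservice.com/config.php 200
2018-08-30T10:01:03Z 10.0.0.12 GET http://seeyouonlineservice.com/ip.php 200
2018-08-30T10:01:09Z 10.0.0.12 POST http://174.138.48.29/regbot.php 200
2018-08-30T10:02:11Z 10.0.0.40 GET http://www.example.com/regbot.php 404
2018-08-30T10:03:15Z 10.0.0.55 GET http://botsphere.biz/soft.exe 200
2018-08-30T10:04:00Z 10.0.0.12 GET http://seeyouonlineservice.com/regbot.php 200
""".splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The third line is the interesting one operationally: the fallback to a hardcoded IP means a domain-only block list lets the registration and upload through, so the IP set belongs in the same rule as the domains.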
