ARGUEPATCH is a patched version of a legitimate component of the Hex-Rays IDA Pro software. In detail it’s the remote IDA debugger server named win32_remote.exe and it’s basically designed to act as a loader by reading and decrypting an encrypted payload written to disk (CaddyWiper). It has been used against Ukrainian targets in destructive attacks and it’s believed to be linked with the Russian threat actor known as Sandworm (aka BlackEnergy).At the time of writing several Caddywiper-related analyzes can already be found on the net but none seem to delve into what happens in its loader. Having worked on this malware family in order to hunt for similar samples I decided to share a quick analysis that led to the creation of a hunting YARA rule.
INSIGHTS
This piece of malware it is not complex in its logic; The loader expects to be launched with two parameters from the command line. The first represents the decryption key and the second the path of the payload on the disk. Immediatly after the execution smong the first interesting things it goes to dynamically resolve the shell32.CommandLineToArgW and kernel32.GetCommandLine API functions.
It calls the latter in order to retrieve the parameters with which the executable has been launched and shell32.CommandLineToArgW in order to parse the command line string and get an array of pointers to the command line arguments. The next operation of interest is the resolving of kernel32.ReadFile and kernel32.GetFileSize API functions in order retrieve and work on the encrypted CaddyWiper payload written on the disk (pa.pay).
Below the image as this payload appears in its original encrypted form
As said the primary job of such malware is reading, decrypting and executing the CaddyWiper payload. Regarding this task it’s possibile to observe the execution on 00471B04. Here one byte from the input key (JRIBDFIMCQAKVBBP) is used to decrypt the payload as reported above.
As result a decrypted payload as shown following can be observed
At this point we land on real CaddyWiper payload. Even here the malware goes to retrieve several API function that will need to operate on various areas of the affected systems like FindFirstFileA, FindNextFileA, CreateFileA, WriteFile etc.etc. after to have retrieved the machine role via DsRoleGetPrimaryDomainInformation.
At this point the malware starts its job by iterating through files on the system and replacing their contents with null-bytes (\x00). It’s starts by looking for files under %SystemDrive%\Users and continuing to logical drives D:\ up to Z:\. Disk partitions from //./PHYSICALDRIVE9 to //./PHYSICALDRIVE0 are the last to be impacted.
THREAT HUNTING
In this analysis we observed an essential point of the execution chain. It allows the loader to decrypt and execute the real payload of the attack. In my opinion indeed one good point to hunt for threats similar to the ArguePatch version described here is at sub_471B04. According with the logic of the executable this function is needed to recover the malicious payload and ensure that the targeted systems are impacted.
Creating a rule on this code fragment (reported following) is then useful for the hunting of similar payloads:
| YARA |
| rule Sandworm_ArguePatch_76444_00001 : RUSSIAN THREAT ACTOR { meta: author = “Emanuele De Lucia” description = “YARA hunting rule for ArguePatch variants” tlp = “white” hash1 = “cda9310715b7a12f47b7c134260d5ff9200c147fc1d05f030e507e57e3582327” /* 0x4719c6L 8A01 mov al, byte ptr [ecx] 0x4719c8L 33D2 xor edx, edx 0x4719caL 8B7DF8 mov edi, dword ptr [ebp – 8] 0x4719cdL 320457 xor al, byte ptr [edi + edx*2] 0x4719d0L 42 inc edx 0x4719d1L 8801 mov byte ptr [ecx], al 0x4719d3L 83FA10 cmp edx, 0x10 0x4719d6L 72F2 jb 0x4719ca 0x4719d8L FF4DFC dec dword ptr [ebp – 4] 0x4719dbL 41 inc ecx 0x4719dcL 395DFC cmp dword ptr [ebp – 4], ebx 0x4719dfL 75E5 jne 0x4719c6 */ strings: $hex = { 8A 01 33 D2 8B 7D ?? 32 04 57 42 88 01 83 FA ?? 72 ?? FF 4D ?? 41 39 5D ?? 75 ?? } condition: (uint16(0) == 0x5a4d and $hex) } |