In 2021 September, I came across a (then) recent sample for Zloader. After finishing with most of the static analysis steps, I noticed there is already existing research on this by SentinelOne, but I thought carrying on with the analysis will be good practice and use of my time.
The delivery of the malicious file is through malwaretisment according to SentinelOne.
Users searching for Zoom(and likely Teamviewer) installers are shown with paid ads and download and execute the installer directly from the ads.
It seems, that we are working with an MSI (Microsoft Installer Package) file, based on the file signature according to filesignatures.net:
MSI doesn’t really masquarade much of the content, so we can see plenty of strings in cleartext.
Although, the same initial info about the components can be viewed with simply opening the file in an archive manager, such as 7z, a few years ago I came across a nice tool called Orca.exe, which is now part of the Windows SDK Components for Windows Installer Developers. You can find the legitimate individual executable as well with a bit of searching.
After loading the .msi file, we are presented with the following:
We have plenty of menu options, and the .dll and other components are immediately revealed.
The unique ComponentID GUIDs are meant to provide a mapping to the absolute path of the files included. The MSI file format combines these .dlls, .exes and the .bat file into one installation package.
After a bit of browsing we could see some interesting information about the binary:
The binary data itself points to:
Another small snippet that comes with the package is the icon:
With the value of another .tmp file.
Another hint that the installation uses Java:
It seems that the file was compiled using the Windows Installer XML (WiX) toolset. The Wix Toolset is used to create Windows installation packages which can be downloaded as a Visual Studio extension.
Only by looking at the Orca tool’s output we can recognize the field Action and the target.
The XML structure and the documentations with the GUIDs will help to understand this process better. They can be used to add further custom actions to installers - at this point unclear whether a way of simply defining the whole packaging and install process, or actually bundling malware to an existing binary. we will keep an eye out for this.
The same file has been submitted with different filenames to VirusTotal:
So presumably the threat actors are using several different malwartisment campaigns for different popular desktop software.
The InstallExecuteSequence provides useful information from Orca is the installation chain of events.
The function names that looked like Win32 API functions, are eventually undocumented, and I assume are also part of the Wix tool.
The Register.exe is removed after being executed:
Some further information about the Java version:
Another table provides information about the validation actions:
The whole Orca content is also exportable in .idt, or Windows Installer Database Text Archive Files, and .ibd, or MySQL InnoDB Table files. But in fact the .ibd files seems to directly contain the binaries in Logo.ico.ibd and WinxCA.ibd.
Besides the aforementioned files, we can notice a Binary and an Icon file. The binary contains an executable:
A quick check also reveals that the certificate used for signing the original MSI file has been explicitly revoked:
Flyintellect Inc. is a company registered in Canada very recently, according to several websites, such as canadacompanyregistry.com
Some further checks on Imports/Exports and Dependencies using CFF Explorer:
The identified MZ file from the Orca export in the .ibd format is legitimate wixca.dll used by the Windows Installer XML Toolset.
Now let’s jump to the rest of the extracted content(most of the files are legitimate windows .dlls):
Based on hash analysis, timestamps, and filenames the following files attract of our interest:
These files were also recent in VT at the time of the analysis, and the former two share the same hash.
The .bat file sends a webrequest and acquires a further file, which was not available at the time of the analysis, and this is when I started to research and found the SentinelOne article.
The update.bat appears to have the following content per the SentinelOne research:
It is clear that the command disables Microsoft Defender features and adds exclusions. For the changes to take effect, the commands require local administrator privileges on the victim computer, however we have learned about the malvertisment distribution, so the users are very likely going to grant the permissions at installation. Company/family computers with locked down permissions are luckier in this case.
Furthermore, SentinelOne reports the download of:
saved as “tim.exe”. The execution of the “tim.exe” is done through the LOLBAS command
Loading the file to Ghidra results in a missing PDB Symbol reference.
In the readable data section we can find some text related to wextract.pdb:
Unfortunately, symbols for wextract.exe are not available in C:\symbols, and we are out of luck this time.
Wextract.exe works with the extraction of .cab files. In line with this, we can also find the following text extracted:
Which translates to:
It looks like the Russian error codes for wextract.exe. Every packaged executable on Windows will need to come with certain resources for it to run on different language sets, etc.
A quick comparison of the legitimate wextract.exe and our newly found friend reveals, that the Sections are pretty similar:
Legitimate wextract.exe(from System32) Sections on VirusTotal:
Malicious wextract.exe Sections on VirusTotal:
Legitimate wextract.exe Resources:
Malicious wextract.exe Resources:
The differences are where malicious content is embedded, starting from RCDATA.
A more elegant way to explore this is with Resource Hacker:
We got the answer that the malware is actually bundled together with the legitimate C:\Windows\System32\wextract.exe Windows binary.
The diff of the components can be also extracted, and in the RCDATA there are some content of interest. RUNPROGRAM will execute:
Yet again, with simply 7z you can extract the content of the file:
Which is resulting in tim.bat, which has the following content:
So tim.bat will download 2 files:
The latter, nsudo.bat is still available on the site.
The script therefore yet again reaches out to the same website it originates from and after disabling UAC controls, Defender, modifies the HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system registry, and runs several further .bat scripts and initiates a restart for the changes to take place.