Travle aka PYLOT backdoor hits Russian-speaking targets


At the end of September, Palo Alto released a report on Unit42 activity where they – among other things – talked about PYLOT malware. We have been detecting attacks that have employed the use of this backdoor since at least 2015 and refer to it as Travle. Coincidentally, KL was recently involved in an investigation of a successful attack where Travle was detected, during which we conducted a deep analysis of this malware. So, with this intelligence ready we are sharing our findings in this blog to supplement Palo Alto’s research with additional details.

Technical Details

MD5                              | Size   | Linker | Compiled on
7643335D06BAEC5A14C95A393592EA3F | 164352 | 11.0   | 2016-10-14 06:21:07

The Travle sample found during our investigation was a DLL with a single exported function (MSOProtect). The malware name Travle was chosen because of a string found in early samples of this family: “Travle Path Failed!”. This typo was replaced with the correct word “Travel” in newer releases. We believe that Travle could be a successor to the NetTraveler family.

First of all, we detected numerous malicious documents being used in spear-phishing attacks with file names suggesting Russian-speaking targets with executables maintained in encrypted form:

This encryption method has been well known for a long time – it was first used in exploit documents to conceal Enfal, then we discovered this backdoor – Travle. Later, documents using the same encryption started carrying yet another APT family – Microcin. Travle C2 domains often overlap with those of Enfal. As for NetTraveler, at some point Enfal samples started using the same encryption method for storing the C2 URL as was used in NetTraveler:

Enfal sample with NetTraveler-like C2 string encryption

So, clearly these backdoors – Enfal, NetTraveler, Travle and Microcin – are all related to each other and are believed to have Chinese-speaking origins. And after finding the string “Travel path failed!” we believe that the Travle backdoor could be intended as a successor to the NetTraveler malware.

The malware starts by initializing the following variables:

%TEMP%\KB287640\ – local malware drop-zone
%TEMP%\KB887209\ – plugins storage
<malware install path>\~KB178495.DAT – configuration file path

Surprisingly, these paths remain the same in all samples of this family. If no configuration file is found, Travle reads the default settings from its resource “RAW_DATA”. Settings are maintained in an encrypted form. Here is the code for decryption:

/* walk backwards: each byte is XORed with the still-encrypted byte two positions before it */
for (i = size - 1; i > 1; --i)
    buf[i] ^= buf[i - 2];

The storage format for the configuration block is as follows:

Offset | Size  | Value
0      | 0x81  | C2 domain
0x102  | 0x81  | C2 URL path
0x204  | 2     | C2 port (not used)
0x206  | 0xB   | not used
0x21C  | 0xB   | Sample ID
0x232  | 0x401 | Bot’s first RC4 key
0xA34  | 0x401 | Bot’s second RC4 key
0x1238 | 2     | not used
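To make the decryption loop and the configuration layout above concrete, here is an added Python example (not code from the original post or from Kaspersky) that undoes the XOR chaining and then reads the documented fields by offset. The inverse routine `encrypt_config`, the total block size `CONFIG_SIZE` (derived from the last documented field) and the test blob built from the values reported for the analysed sample are all constructed for this example; the port value 80 is arbitrary since the post says that field is unused.

```python
import struct

# Last documented field sits at 0x1238 and is 2 bytes long, so the block ends at 0x123A.
# Assumed size for this example; a real dump may carry trailing bytes.
CONFIG_SIZE = 0x123A


def decrypt_config(blob: bytes) -> bytes:
    """Reverse Travle's settings encryption.

    Same loop as in the write-up: walking backwards, every byte is XORed with
    the still-encrypted byte two positions before it.
    """
    buf = bytearray(blob)
    for i in range(len(buf) - 1, 1, -1):
        buf[i] ^= buf[i - 2]
    return bytes(buf)


def encrypt_config(plain: bytes) -> bytes:
    """Inverse of decrypt_config, used here only to build a test blob.

    Walking forwards, each byte is XORed with the already-encrypted byte two
    positions before it, which the backward walk above undoes exactly.
    """
    buf = bytearray(plain)
    for i in range(2, len(buf)):
        buf[i] ^= buf[i - 2]
    return bytes(buf)


def _cstring(buf: bytes, offset: int, size: int) -> str:
    """Read a NUL-terminated ASCII field of at most `size` bytes."""
    field = buf[offset:offset + size]
    return field.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_config(plain: bytes) -> dict:
    """Extract the documented fields from a decrypted settings block."""
    if len(plain) < CONFIG_SIZE:
        raise ValueError("settings block too short: %d bytes" % len(plain))
    return {
        "c2_domain":   _cstring(plain, 0x000, 0x81),
        "c2_url_path": _cstring(plain, 0x102, 0x81),
        "c2_port":     struct.unpack_from("<H", plain, 0x204)[0],  # not used by the bot
        "sample_id":   _cstring(plain, 0x21C, 0xB),
        "rc4_key_1":   _cstring(plain, 0x232, 0x401),
        "rc4_key_2":   _cstring(plain, 0xA34, 0x401),
    }


def build_sample_config() -> bytes:
    """Constructed test input: the values reported for the analysed sample,
    placed at the documented offsets and then encrypted. Not a real blob."""
    buf = bytearray(CONFIG_SIZE)

    def put(offset: int, value: bytes) -> None:
        buf[offset:offset + len(value)] = value

    put(0x000, b"remember123321.com")
    put(0x102, b"/zzw/ash.py")
    struct.pack_into("<H", buf, 0x204, 80)   # arbitrary value; field is unused
    put(0x21C, b"MjdfS0584")
    put(0x232, b"mffAFe4bgaadbAzpoYRf")
    put(0xA34, b"mffAFe4bgaadbAzpoYRf")
    return encrypt_config(bytes(buf))


if __name__ == "__main__":
    for name, value in parse_config(decrypt_config(build_sample_config())).items():
        print("%-12s %s" % (name, value))
```

Running the script prints the six fields of the constructed block; pointing `decrypt_config` at the bytes of the RAW_DATA resource or of ~KB178495.DAT from a real sample is the intended use.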

The described sample maintains the following configuration data:

Field       | Value
C2 domain   | remember123321.com
C2 URL path | /zzw/ash.py
Sample ID   | MjdfS0584
1st RC4 key | mffAFe4bgaadbAzpoYRf
2nd RC4 key | mffAFe4bgaadbAzpoYRf

The Travle backdoor starts its communication with the C2 by sending gathered information about the target operating system in an HTTP POST request to a URL built using the C2 domain and the path specified in the settings. The information sent includes the following data:

  • UserID – based on the computer name and IP-address
  • Computer name
  • Keyboard layout
  • OS version
  • IP-addresses
  • MAC-address

Once the C2 receives the first packet, it responds with a block of data containing the following information:

  • URL path for receiving commands
  • URL path for reporting on command execution results
  • URL path for downloading files from C2
  • URL path for uploading files to C2
  • C2 second RC4 key
  • C2 first RC4 key
  • C2 ID

After this packet has been received, Travle waits for additional commands from the server.

Communication encryption

The ciphering algorithm depends on the type of transmitted object. There are three possible variants:

  1. Data
    • Data is ciphered with Base64
    • The resulting string is appended to the header with a size of 0x58 bytes
    • The resulting buffer is ciphered by RC4 with the C2 first RC4 key
    • The resulting buffer is ciphered with Base64
  2. List of strings
    • Each line is ciphered by RC4 with the C2 second RC4 key
    • The resulting buffer is ciphered with Base64
    • All the previously Base64-ciphered strings are merged into one string delimited with “\r\n”
    • The resulting string is appended to the header with a size of 0x54 bytes
    • The resulting buffer is ciphered by RC4 with the C2 first RC4 key
    • The resulting buffer is ciphered with Base64
  3. File
    • Compressed with LZO
    • The resulting archive is ciphered with the C2 second RC4 key

Messages format

The header for the transmitted data is as follows:

Offset (bytes) | Size (bytes) | Description
0              | 0x14         | Random set of bytes
0x14           | 4            | Data type / Command ordinal
0x18           | 4            | NULL / Command ID
0x1C           | 4            | Size of data
0x20           | 0x14         | Sample ID
0x34           | 0x24         | User ID
0x58           | Size of data | Data
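As an added illustration of the “Data” variant described under Communication encryption and of the 0x58-byte header above, the following Python (written for this post, not Travle's own code) builds such a message and parses it back. Assumptions: the size field holds the length of the Base64 string that follows the header; the key passed in is the value the write-up calls the C2 first RC4 key (the post does not say which key protects the very first packet, so the test simply reuses the sample's configured key); the sample ID and user ID are constructed. The “List of strings” variant uses the same layering with a 0x54-byte header whose layout the post does not give, so it is not reproduced here.

```python
import base64
import os
import struct

# random(20) | data type / ordinal | NULL / command ID | size | sample ID(20) | user ID(36)
HEADER_FMT = "<20sIII20s36s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)
assert HEADER_SIZE == 0x58


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same call."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_data_message(payload: bytes, msg_type: int, cmd_id: int,
                       sample_id: bytes, user_id: bytes, c2_key1: bytes) -> bytes:
    """Base64(data) -> prepend 0x58-byte header -> RC4(C2 first key) -> Base64."""
    inner = base64.b64encode(payload)
    header = struct.pack(HEADER_FMT, os.urandom(20), msg_type, cmd_id,
                         len(inner), sample_id, user_id)   # size = Base64 length (assumed)
    return base64.b64encode(rc4(c2_key1, header + inner))


def parse_data_message(wire: bytes, c2_key1: bytes) -> dict:
    """Undo the layering; raises ValueError if the bytes do not fit the format."""
    plain = rc4(c2_key1, base64.b64decode(wire, validate=True))
    if len(plain) < HEADER_SIZE:
        raise ValueError("shorter than the 0x58-byte header")
    _, msg_type, cmd_id, size, sample_id, user_id = struct.unpack_from(HEADER_FMT, plain, 0)
    body = plain[HEADER_SIZE:]
    if size != len(body):
        raise ValueError("size field %d does not match %d body bytes" % (size, len(body)))
    return {
        "type": msg_type,
        "cmd_id": cmd_id,
        "sample_id": sample_id.rstrip(b"\x00").decode("ascii", "replace"),
        "user_id": user_id.rstrip(b"\x00").decode("ascii", "replace"),
        "payload": base64.b64decode(body, validate=True),   # wrong key -> invalid Base64
    }


def try_parse(wire: bytes, c2_key1: bytes):
    """Parse a captured body with a candidate key; None means it is not a Travle
    data message under that key (useful when triaging proxy logs)."""
    try:
        return parse_data_message(wire, c2_key1)
    except (ValueError, struct.error):
        return None


# Constructed sample: a type-1 (OS information) message from the analysed sample ID.
SAMPLE_KEY = b"mffAFe4bgaadbAzpoYRf"
SAMPLE_WIRE = build_data_message(b"OS=Windows 7 SP1;KBD=0419", 1, 0,
                                 b"MjdfS0584", b"constructed-user-id", SAMPLE_KEY)

if __name__ == "__main__":
    print(SAMPLE_WIRE.decode())
    print(try_parse(SAMPLE_WIRE, SAMPLE_KEY))
```

Because the outer layer is RC4 under a fixed key followed by Base64, the decoded first 20 bytes are random and carry no structure; the consistency check that matters during triage is the size field against the remaining body length, followed by a successful Base64 decode of that body.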

The file is transferred to the C2 in a POST request as a multipart content type with boundary “kdncia987231875123nnm”. All samples of Travle we have discovered use this value.

Message types from bot to C2

The command ID is specified at offset 0x18 in the header.

Technical messages are as follows:

ID | Description                       | Data content
1  | Information about OS              | Information about OS
2  | Request for the first command     | NULL
3  | Request for the list of commands  | NULL
4  | Command is successfully executed  | Information about command execution or the name of transmitted file
5  | Command execution failed          | Information about an error

Operational messages are as follows:

ID | Description                                              | Data content
1  | Bot sends the list of files in the requested directory   | The list of files
11 | Bot sends the content of the requested file              | The content of the file

Message types – from C2 to bot

When the bot sends a POST request, the C2 responds with data in the following format:

ID | Description          | Data content
0  | Information about C2 | The list of C2 parameters
1  | Commands             | The list of commands

The bot may also send a GET request to retrieve a specific file from the server. In this case, the C2 responds with the requested file.

General communication between bot and C2

Interaction with C2 includes two stages:

1st (automatic – carried out with no operator actions). It consists of:

  • Sending information about the OS
  • Receiving information about C2
  • Sending a request for the first command
  • Receiving the command with ordinal 1 and first argument “*”
  • Sending the request for the next command

2nd (carried out by operators). It consists of:

  • Sending commands to the bot
  • Sending files to the bot
  • Sending results of the executed commands to the C2

Commands – general bot functionality

Ordinal | Name                    | Arguments                                                  | Action
1       | Scan File System        | Path; Minimum date; Maximum date                           | If “Path” is not “*”, the bot collects the list of files and folders in the specified directory with a creation date between the specified values, and files with an “Encrypted” attribute. If “Path” is “*”, the search for files and folders is done across the complete file system. In any case, the search is recursive.
2       | Run Process             | Path to the batch or executable file; Command line arguments | The bot executes the specified batch file or application with the passed arguments.
4       | File Presence Test      | File name                                                  | The bot checks whether the specified file exists.
3       | Delete File             | File name                                                  | File deletion.
5       | Rename File             | Old file name; New file name                               | File renaming.
6       | Move File               | Old path; New path                                         | File moving.
7       | Create New Config       | Content of the new configuration                           | The bot creates the file with the new configuration.
48      | Process File With Batch | Batch script; File path                                    | The bot sends a GET request to the C2 to download the file specified in one command argument. The batch script received in the other command argument is saved to a file and executed with one parameter – the file name of the downloaded file.
49      | Run Batch               | Batch script                                               | The bot receives a BAT file and executes it.
16      | Download File           | File path                                                  | The bot sends a GET request to download a file. The file is saved with the specified name and location.
17      | Upload File             | File path                                                  | The bot sends the content of the requested file in a POST message.
32      | Download And Run Plugin | Plugin name; Plugin argument                               | The bot sends a GET request to download a plugin (DLL). The plugin is saved in the file system and launched with the LoadLibrary API function.
33      | Unload Plugin           | Plugin name                                                | The bot unloads a plugin library from memory.
34      | Delete Plugin           | Plugin name                                                | The bot unloads a plugin from memory and deletes the plugin file.
35      | Load And Run Plugin     | Plugin name; Plugin argument                               | The bot loads a plugin into memory with the specified parameter.

Plugins

Unfortunately, we have been unable to obtain plugins from any C2 found in the examined Travle samples, but after analyzing the code of Travle we can briefly describe how they are handled.

Plugins are handled with commands 32-35. Across the analyzed Travle samples, we found that not every sample is able to work with plugins.

Each plugin DLL is saved in a file and loaded with the use of the LoadLibrary API function. The DLL should export three functions: GetPluginInfo, Starting and FreeMemory. These functions are invoked one-by-one at the plugin DLL loading stage. When Travle has to unload the plugin DLL it calls the FreeLibrary API function.

In all analyzed Travle samples, plugins are saved in the same location: %TEMP%\KB887209\.
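The fixed drop-zone and plugin paths, the fixed configuration file name, the constant multipart boundary and the three plugin exports are all stable across samples, which makes them usable detection anchors. The following Python is an added example (not from the original post or from Kaspersky) that checks constructed HTTP request text, file-event paths and a DLL export list against those artefacts; the sample request and paths are made up for the example, and the plugin-export check is deliberately treated as a weak signal because the three names are generic.

```python
import re

# Artefacts the write-up reports as identical across all Travle samples.
TRAVLE_PATH_MARKERS = ("KB287640", "KB887209", "~KB178495.DAT")
TRAVLE_BOUNDARY = "kdncia987231875123nnm"
TRAVLE_PLUGIN_EXPORTS = frozenset({"GetPluginInfo", "Starting", "FreeMemory"})

_BOUNDARY_RE = re.compile(r'boundary="?([^";\s]+)"?', re.IGNORECASE)


def multipart_boundary(request_text: str):
    """Return the multipart boundary from the request headers, or None."""
    headers = request_text.split("\r\n\r\n", 1)[0]
    for line in headers.split("\r\n"):
        if line.lower().startswith("content-type:"):
            match = _BOUNDARY_RE.search(line)
            return match.group(1) if match else None
    return None


def flag_request(request_text: str) -> list:
    """Strong signal: the hard-coded boundary used for Travle file uploads."""
    findings = []
    if multipart_boundary(request_text) == TRAVLE_BOUNDARY:
        findings.append("multipart boundary equals the Travle constant " + TRAVLE_BOUNDARY)
    return findings


def flag_paths(paths) -> list:
    """Strong signal: the drop-zone, plugin-storage or config file names.
    Returns (path, marker) pairs; matching is case-insensitive like NTFS."""
    return [(p, m) for p in paths for m in TRAVLE_PATH_MARKERS if m.lower() in p.lower()]


def flag_exports(exports) -> bool:
    """Weak signal: a DLL exporting all three plugin entry points. The names are
    generic, so combine this with flag_paths (plugin lives under KB887209)."""
    return TRAVLE_PLUGIN_EXPORTS.issubset(set(exports))


# Constructed sample inputs (not captured traffic or real telemetry).
SAMPLE_REQUEST = (
    "POST /zzw/ash.py HTTP/1.1\r\n"
    "Host: remember123321.com\r\n"
    "Content-Type: multipart/form-data; boundary=kdncia987231875123nnm\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "POST /upload HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryabc123\r\n"
    "\r\n"
)
SAMPLE_PATHS = [
    r"C:\Users\victim\AppData\Local\Temp\KB287640\report.dat",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\ProgramData\app\~kb178495.dat",
]

if __name__ == "__main__":
    print(flag_request(SAMPLE_REQUEST))
    print(flag_paths(SAMPLE_PATHS))
    print(flag_exports(["DllMain", "GetPluginInfo", "Starting", "FreeMemory"]))
```

The boundary and path checks are each specific enough to alert on alone; the export check is only meaningful for a DLL that also sits in the plugin-storage directory.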

Conclusion

The actor or actors responsible for the Travle attacks have been active for the last few years, apparently not worried about being tracked by AV companies. Usually, modifications and new additions to their arsenal are discovered and detected quite quickly. Still, the fact that they didn't really need to change their TTPs during all these years suggests that they don't need to increase their sophistication level in order to fulfill their goals. What's worse, judging by the subjects of the decoy documents, these backdoors are used primarily in the CIS region against government organizations, military entities and companies engaged in high-tech research, which indicates that even high-profile targets still have a long way to go in implementing IT security best practices that efficiently resist targeted attacks.

We detect Travle samples with the following verdicts:

Trojan.Win32.Tpyn.*
Trojan.Win32.TravNet.*
Trojan-Spy.Win32.TravNet.*
HEUR:Trojan.Win32.Generic
HEUR:Trojan.Win32.TravNet.gen
HEUR:Backdoor.Win32.NetTraveler.gen

More information about the Travle APT is available to customers of the Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com
