The RIG Exploit Kit has been causing trouble again, this time delivering a backdoor trojan called Grobios, which takes great pains to avoid detection and evade virtual and sandbox environments.
In a May 14 blog post, researchers from FireEye report that the trojan dates back to at least March 10, at which time victims were being directed to the RIG landing page after visiting the domain latorre[.]com[.]au. The domain had been compromised with an injected malicious iframe capable of loading a malvertisement domain that in turn leads to RIG.
Researchers and blog post co-authors Irshad Muhammad, Shahzad Ahmed, Hassan Faizan and Zain Gardezi report that the developers clearly tried to impede any attempts to dissect the malware, as it was well-protected with multiple anti-debugging, anti-analysis and anti-VM techniques.
However, this much is clear: “The main purpose of Grobios malware is to help attacker establish a strong foothold in the system by employing various kind of evasions and anti-VM techniques,” said Ali Islam, director of FireEye Labs, in an email interview with SC Media. “Once a strong foothold is established, attacker can drop [the] payload of his/her choice, which can be anything from [an] infostealer to ransomware.”
In an effort to evade static detection, the studied Grobios sample was packed with the Windows executable compression tool PECompact. “The unpacked sample has no function entries in the import table,” the blog post states. “It uses API hashing to obfuscate the names of API functions it calls and parses the PE header of the DLL files to match the name of a function to its hash. The malware also uses stack strings.”
Before connecting to its two command-and-control servers (which are hardcoded and obfuscated into the malware), Grobios also performs a series of checks to detect numerous VM and analysis environments, including Xen, QEMU, VMware, VirtualBox and Hyper-V. For instance, it searches for analysis tools on the system; checks for certain telltale keywords in the username and registry keys; and looks for hashes of blacklisted process names, driver names, sandbox product IDs and DLL module names.
For persistence, the trojan drops multiple copies of itself into various folders and subfolders, disguising itself as legitimate installed software and using the Windows Encrypted File System to protect at least one of these copies.
“The malware changes the file Created, Modified, and Accessed times of all of its dropped copies to the Last Modified time of ntdll.dll,” the blog post continues, adding that Grobios can also bypass the “File Downloaded from the Internet” warning by removing the :Zone.Identifier flag using the DeleteFile API.
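The timestamp behavior described above gives defenders a hunting check: files whose Created, Modified and Accessed times all equal the Last Modified time of ntdll.dll. The following is an added example, not code from FireEye or SC Media; the ntdll.dll path, the function names and the sample records are assumptions constructed for illustration.

```python
import os
from dataclasses import dataclass

NTDLL = r"C:\Windows\System32\ntdll.dll"  # default location (assumption)
@dataclass(frozen=True)
class FileTimes:
    path: str
    created_ns: int
    modified_ns: int
    accessed_ns: int

def read_times(path):
    st = os.stat(path)
    # Creation time: st_birthtime_ns (Windows, Python 3.12+), else st_ctime_ns.
    created = getattr(st, "st_birthtime_ns", st.st_ctime_ns)
    return FileTimes(path, created, st.st_mtime_ns, st.st_atime_ns)

def find_timestomped(records, ref_ns, ref_path=NTDLL, check_accessed=True):
    """Return paths whose timestamps all equal the reference mtime."""
    hits = []
    for ft in records:
        if os.path.normcase(ft.path) == os.path.normcase(ref_path):
            continue  # the reference file trivially matches itself
        stamps = [ft.created_ns, ft.modified_ns]
        if check_accessed:  # access time may have drifted since the drop
            stamps.append(ft.accessed_ns)
        if all(t == ref_ns for t in stamps):
            hits.append(ft.path)
    return hits

def scan(roots, ref_path=NTDLL):  # walk directories on a live host
    ref_ns = os.stat(ref_path).st_mtime_ns
    records = []
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                try:
                    records.append(read_times(os.path.join(dirpath, name)))
                except OSError:
                    continue  # locked or vanished file
    return find_timestomped(records, ref_ns, ref_path)

# Constructed sample metadata (not taken from the FireEye report).
REF = 1_523_000_000_000_000_000
SAMPLE = [
    FileTimes(NTDLL, REF, REF, REF),
    FileTimes(r"C:\ProgramData\ExampleApp\helper.exe", REF, REF, REF),
    FileTimes(r"C:\Users\u\AppData\ExampleApp\copy.exe", REF, REF, REF + 60),
    FileTimes(r"C:\Windows\notepad.exe", REF - 10**12, REF - 10**11, REF + 7),
]
```

Passing `check_accessed=False` also catches copies that have been read since they were dropped, at the cost of more benign matches to triage.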