As mentioned in our previous blog post about the Microsoft Clean-File Metadata initiative, there are a number of benefits for our partners and customers who use our clean or released-file metadata, specifically during antimalware whitelisting efforts.
Using the authoritative metadata manifest of Microsoft-released files that are found in our clean-file metadata feed can help reduce antimalware resources spent flagging known bad files by eliminating already known good files. It can also help our partners and customers quickly categorize fake Microsoft files – files that can be used by malware creators to hide their malicious code.
One threat that we have seen using Microsoft file names is Win32/Bioazih, a family of remote access tools (RAT).
Bioazih is a backdoor mutation that can be used for targeted attacks. It was named after a string in its code:
Figure 1: Bioazih string found in malware code
We have seen Bioazih used in targeted attacks in conjunction with other RAT families in an attempt to prevent detection.
The Bioazih threat
Bioazih is not a new threat. We first detected it in 2010 and continue to see variants in the wild, albeit in small numbers. However, its code is frequently updated to avoid being detected by antivirus products and increases the risk of infection during targeted attacks.
Bioazih is usually installed by a malware dropper or document exploit – typically attached in spear-phishing emails. Once a user opens the attachment, a decoy file is displayed while the malware is run in the background. Figure 2 and 3 show Japanese and Russian decoy files that can be dropped at the same time as Bioazih malware:
Figure 2: A Japanese language XLS bait file. The title roughly translates to: “Hiroshima Domain Shelter Table”
Figure 3: A Russian language DOC bait file. The title roughly translates to: “TELEPHONE DIRECTORY Primary trade union organization GROUPS OJSC, Magnitogorsk Iron and Steel Works, Mining and Metallurgical Union RUSSIA”
A second stage executable dropper is then run, installing any of the following EXE or DLL components (depending on the variant) which contains the payload:
- <system folder>dmdskngr.dll
- <system folder>dmserver.dll
- <system folder>dssemh.dll
- <system folder>tdmserver.dll
As seen above, several of the files names used by this malware are deceptively similar to Microsoft files. The malware does this in an attempt to avoid discovery and to make detection and removal more difficult. This is a common malware technique and one we hope to address in our Microsoft Clean-File Metadata Initiative.
The DLL is injected into a legitimate process as a persistence mechanism. On initial execution the RAT phones home to its command and control (C&C) server to send information from the affected PC. Figure 4 is a screenshot of the HTTP request format for newer variants:
Figure 4: TCP stream of a Bioazih phone home request
Once running, the malware can execute the following commands:
- Run a remote command shell
- Terminate a process
- Uninstall itself
- Manipulate files and folders
- Download and run files
- Upload files to a malicious hacker
The evolution of Bioazih
Bioazih has been used in a number of targeted attacks where it sends a campaign password or tag to its C&C server to identify its victims. In Figure 4, we can see the campaign tag under the pass parameter. Below is a table of Bioazih campaigns that we have seen and their respective tags.
Figure 5: Bioazih timeline and campaign tags
In recent years, Bioazih’s persistence is due, in part, to a number of code updates. This includes added or removed functionality, as well as updated C&C communication parameters, format, encryption, and installation routines.
In 2011, samples b1e51e43f3064abb800ff7b0a815d452, b6721b5e84de365cd9f1434b99888d26 and 5afa2b1045e9735e97703298c2bf2bde contained an export named Test that simply pointed to a RETN code. The sample b6721b5e84de365cd9f1434b99888d26 did not have a C&C server in its code and instead used its campaign tag mfc3 as the parameter for C&C connection, resulting in that RAT instance being useless to the attacker. This suggests these variants may be test builds of updated Bioazih code.
We have observed that Bioazih’s code, which is written in C++, has similarities to the HeartBeat APT and Bisonal (detected as Trojan:Win32/Korlia). Both malware families are also written in C++. It has been previously reported by Coseinc that Bisonal uses code that is freely available through a Chinese underground site.
One of the later variants (51f7f3d6f78b9dea06f520b7648bfdc2) include a path in its code pointing to the C++ source code HttpSever.cpp as shown below.
Figure 6 CPP code reference in malware code
Searching online for the string HttpSever returned source code that had a similar spelling and is available on a Chinese source code sharing site. Since the source code is freely available for this malware, it makes it easier for people to mutate and that makes it more difficult for antivirus vendors to track and detect.
Command and control
It appears that, perpetrators of Bioazih relied heavily on URL redirection and dynamic DNS services to hide their C&C servers. The IP addresses that the C&Cs point to were hosted in the USA, Ghana, and Egypt. Some of the Bioazih C&Cs display the message below, which suggests that they may be using a virtual private server (VPS) to host their C&Cs which helps to hide the attacker’s real location.
Figure 7: Page displayed by some of Bioazih C&Cs
We mapped the C&C infrastructure of some of the Bioazih campaigns and saw multiple overlaps between Bisonal (Trojan:Win32/Korlia) and Bioazih C&Cs:
Figure 8 Bioazih and Bisonal C&C overlaps
We also saw that at least one Bioazih C&C overlapped with a known Sluegot/TABMSGSQL (detected as Trojan:Win32/Sluegot) IP address.
Figure 9: Bioazih and TABMSGSQL C&C overlap
Overlaps in its C&C infrastructure suggests that it is very likely that Bioazih is part of a larger campaign.
Detecting and removing Bioazih
A combination of factors can hinder the analysis and detection of threats such as Bioazih. For example, the availability of source codes in underground forums helps malicious hackers create countless mutations of malicious code in an attempt to evade detection and discovery.
The Microsoft Clean-File Metadata Initiative can help our partners and customers better detect and remove these threats by addressing its use of common Microsoft file names. By providing metadata straight from the source, we add a layer of protection that increases confidence in our whitelisting technologies therefore allowing us to release more signatures while minimizing the risk of false positives.
To help stay protected against Bioazih and other threats, use up-to-date real-time security products such as Windows Defender for Windows 8.1. We also recommend enabling the Microsoft Active Protection Service (MAPS) to take full advantage of Microsoft’s cloud protection service.
Roland Dela Paz