TeamT5 はJapan IT Weekに出展します
技術分析

In-Depth Analysis and Scanning Program of the Worm Malware Win32.Parite

2023.02.15GSS & IR Team
Share:
The incident response team of TeamT5 discovered a worm virus named Win32.Parite during an incident investigation. In the incident, the executable file in the victim host was infected by Win32.Parite. The infected host could spread to other execution files and wait for the attacker to connect; if the connection succeeds, the attacker can perform various communication and data collection behaviors on the infected host, which will have a profound impact.
In this blog, we provide a detailed analysis of the worm virus and develop a scanning program with instructions on how to remove it, to help companies improve their cybersecurity defenses. We also urge companies that are still using 32-bit operating systems (e.g. WinXP/2003/7) to use scanning programs to scan their internal network systems.

Basic Information of Malware Win32.Parite

how-to-detect-and-recover-from-virus-win32-parite_pic1.png Image source: VirusTotal

Malware Analysis

Win32.Parite: Shellcode

TeamT5 obtained the malicious file. We use Stud_PE to observe. There is a section named .heb, and the program entry point is pointed to this section. The characteristic of the Win32.Parite virus is that it inserts itself in the last section whose name is a random combination of letters.
how-to-detect-and-recover-from-virus-win32-parite_pic2.png

The entry point is a small decoder. The edx in the temporary register is the operation value of xor decoding, while esi is the address of the encoded data, and edi is the size of the encoded data.
When decoding, the operation is 4 bytes at a time, and the range of all addresses is 0x43502E+4~0x43502E+0x59C, because the method of [push/pop] dword ptr [esi+edi] is used, so the target address of xor here will be is [esp].
how-to-detect-and-recover-from-virus-win32-parite_pic3.png

After understanding the above, you can use 010 Editor to do the XOR operation. After unpacking, there is a piece of shellcode.
how-to-detect-and-recover-from-virus-win32-parite_pic4.png
how-to-detect-and-recover-from-virus-win32-parite_pic5.png

What is interesting is that this worm virus also has a deformation function . Observing the three infected files, we found that the shellcode commands are different, but the purpose is the same. They all aim to obtain the decoded value, encoded address, and size of encoded data.
how-to-detect-and-recover-from-virus-win32-parite_pic6.png

After decoding, continue to analyze the shellcode. The first group of instructions after unlocking is a call, followed by a Parite custom structure. The interesting thing is that the original entry point is protected by an encoded program.
how-to-detect-and-recover-from-virus-win32-parite_pic7.png

The main program of Shellcode has only a few functions:
  • GetDeclareAPI: Obtain the API address when needed and store it in the Stack.
  • RegQuery_PINF: Query whether the PINF code exists, and the content is stored in the path of the virus body.
  • Call_DLL_Initiate: Call “Initiate” in the main program DLL, which contains the original entry point for unlocking the EXE.
  • Drop_DLL_File: If the PINF doesn't exist, it will drop the virus body (DLL) and create the key value of a PINF login file.
how-to-detect-and-recover-from-virus-win32-parite_pic8.png

Shellcode obtains some necessary Windows APIs through GetDeclareAPI(sub_435254), and then queries the PINF key value located in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer through RegQuery_PINF(sub_435360).
how-to-detect-and-recover-from-virus-win32-parite_pic9.png

In the infected host, it can be seen that the value of PINF is \x09\x00, where 9 is the virus version, separated by \x00, and then followed by the DLL path.
how-to-detect-and-recover-from-virus-win32-parite_pic10.png

If the key exists and the value of the first 2 bytes is greater than or equal to 9, the shellcode will load the DLL module of the virus body through Call_DLL_Initate (sub_4353C8), and use GetProcAddress to obtain the address of the Initiate function. Then, it passes in the configuration address of 000435032 and jumps into execution.
how-to-detect-and-recover-from-virus-win32-parite_pic11.png
If the key value does not exist, the shellcode will decode the virus body (DLL) at the back through Drop_DLL_File (sub_435400) and throw it out. Then, it executes Call_DLL_Initate (sub_4353C8) to load the DLL module of the virus body.
how-to-detect-and-recover-from-virus-win32-parite_pic12.png

The offset address and file size (Size) of the DLL, as well as the encoded XOR key, can be seen in the configuration.
how-to-detect-and-recover-from-virus-win32-parite_pic13.png

In the Drop_DLL_File(sub_435400) function, the Decoder_Content(sub_4355A0) function will be called, and the content is encoded and decoded using xor dword.
how-to-detect-and-recover-from-virus-win32-parite_pic14.png

Win32.Parite: Virus Body

The decoded DLL is packed with UPX, and the main virus module itself is written in Delphi. Line 23 of the exported Initiate function has a function to decode the original entry point (OEP).
how-to-detect-and-recover-from-virus-win32-parite_pic15.png

The program code in the Decode_OEP(sub_4022BC) function mainly obtains the two array addresses of 43504D and 43506E in the configuration block. It performs calculations through the sub_40232C function to generate a value of 16 bytes, which is divided into 4 groups of DWORD values, and The encoded OEP is XORed four times. The final result is the original OEP. With OEP, the infected PE execution file can be successfully repaired.
how-to-detect-and-recover-from-virus-win32-parite_pic16.png

Then, use SetWindowsHookExA to set a global hook to inject the DLL into all handlers.
how-to-detect-and-recover-from-virus-win32-parite_pic17.png

When the injected handler is explorer.exe, Win32.Parite will start to execute the behavior of the worm.
how-to-detect-and-recover-from-virus-win32-parite_pic18.png

Win32.Parite: Backdoor Functionality

In the program code in the virus main DLL, you can see a piece of interesting code. Win32.Parite supports backdoor function. The backdoor uses UDP protocol to send commands. The result of the report will be sent back to the UDP 30168 communication port of the controlling terminal. When uploading data, it is necessary to monitor the TCP 30169 communication port on the controlling terminal and wait for the controlled terminal to actively connect, and then the data content can be uploaded.
how-to-detect-and-recover-from-virus-win32-parite_pic19.png

Report Information to the Host

The controlling terminal sends out the characters of "e" to the UDP 30167 communication port of the controlled end.
how-to-detect-and-recover-from-virus-win32-parite_pic20.png

The controlled terminal will report the host information to the UDP 30168 communication port of the control terminal.
how-to-detect-and-recover-from-virus-win32-parite_pic21.png

Execute Commands

The controlling terminal will report the host information to the UDP 30168 communication port of the control terminal.
how-to-detect-and-recover-from-virus-win32-parite_pic22.png

When the command is successfully executed, the controlled end will return the character "g", followed by the string of Done.
how-to-detect-and-recover-from-virus-win32-parite_pic23.png

Upload Files

The controlled terminal sends out the character z, followed by the file name, and finally ends with \x00, and the file will be stored in the %WINDIR% folder.
how-to-detect-and-recover-from-virus-win32-parite_pic24.png

The control terminal listens to the TCP 30169 communication port, and waits for the content of the data that can be sent after the successful connection of the controlled terminal. After the connection is terminated, the data will be written into the file.
how-to-detect-and-recover-from-virus-win32-parite_pic25.png
The control terminal listens to the TCP 30169 communication port, and waits for the content of the data that can be sent after the successful connection of the controlled terminal. After the connection is terminated, the data will be written into the file.
  • Add 1 Section
  • The original entry point (OEP) is pointed to the Section where the last virus is located
  • The image file (Image) loaded into the memory becomes larger
  • Modified the properties of .rdata
  • Added new virus section
how-to-detect-and-recover-from-virus-win32-parite_pic26.png

In the file comparison, there are two places that were last modified, namely C600 and E9F8.
how-to-detect-and-recover-from-virus-win32-parite_pic27.png

You can see that these two places are actually the first two functions of kernel32.dll in Import Tables. Because the infected file did not write its own Shellcode to fetch the API, it relies on inserting LoadLibraryA and GetProcAddress in the import table to ensure that it is included in the Shellcode. These two functions can be used normally to obtain the API to be used, and it will be restored when the Shellcode is executed.
how-to-detect-and-recover-from-virus-win32-parite_pic28.png

Detox Program

After knowing what has changed in the infected file, we can write a detox program to repair the infected file. The detox program basically does the following:
Checks if the entry point falls on the last section with a section name of .Read the operation value of xor decoding, the address of the encoded data and the size of the encoded data Decode and read the configuration of Parite Decode original entry point Number of sections minus 1 Size of image minus the virtual size of the last section delete the last section header Modify the attributes of the .rdata section Repair introduction table

Instructions

Usage: fix.exe <file or directory> how-to-detect-and-recover-from-virus-win32-parite_pic29.png

Test

> fix.exe setupSrv.exe
how-to-detect-and-recover-from-virus-win32-parite_pic30.png

The repaired archives will be in the same path, with the archive name _clean ending with . Looking at the repaired file, you can see that the last infected section and entry point (ep) have been fixed.
how-to-detect-and-recover-from-virus-win32-parite_pic31.png

Check if the Host is Compromised

We understand that when the control end sends the character e to the UDP 30167 communication port of the controlled end, the controlled end will report the host information to the UDP 30168 communication port of the control end.
Therefore, we can use this point to develop a scanning program to send e characters to the intranet host and monitor the UDP 30168 communication port on the sending end to wait for the return information.

Scanner

Instructions

Usage: scan.exe iplist
how-to-detect-and-recover-from-virus-win32-parite_pic32.png

Test

> scan.exe 127.0.0.1
> scan.exe 192.168.0.0/16
how-to-detect-and-recover-from-virus-win32-parite_pic33.png

Download the Scanner Tool

IoC

file namemd5compiler-stamp (UTC) type
setupSrv.exec5e7e7007b7ea6a3361fea7d4b0298592009-12-04 13:35:59 UTCEXE
cft3B18.tmpfe763c2d71419352141c77c310e600d22001-10-11 12:01:58 UTCDLL



Reference

2023.02.15GSS & IR Team
Share:

Related Post

We use cookies to provide you with the best user experience. By continuing to use this website, you agree to ourPrivacy & Cookies Policy.