FireEye Labs recently observed an attack against the government
sector in Central Asia. The attack involved the new HAWKBALL backdoor
being delivered via well-known Microsoft Office vulnerabilities
CVE-2017-11882 and CVE-2018-0802.
HAWKBALL is a backdoor that attackers can use to collect information
from the victim, as well as to deliver payloads. HAWKBALL is capable
of surveying the host, creating a named pipe to execute native Windows
commands, terminating processes, creating, deleting and uploading
files, searching for files, and enumerating drives.
Figure 1 shows the decoy used in the attack.
Figure 1: Decoy used in attack
The decoy file, doc.rtf (MD5: AC0EAC22CE12EAC9EE15CA03646ED70C),
contains an OLE object that uses Equation Editor to drop the embedded
shellcode in %TEMP% with the name 8.t. This shellcode is decrypted in
memory through EQENDT32.EXE. Figure 2 shows the decryption mechanism
used in EQENDT32.EXE.
Figure 2: Shellcode decryption routine
The decrypted shellcode is dropped as a Microsoft Word plugin WLL
(MD5: D90E45FBF11B5BBDCA945B24D155A4B2) into
C:\Users\ADMINI~1\AppData\Roaming\Microsoft\Word\STARTUP (Figure 3).
Figure 3: Payload dropped as Word plugin
Technical Details
DllMain of the dropped payload determines if the string WORD.EXE is
present in the sample’s command line. If the string is not present,
the malware exits. If the string is present, the malware executes the
command RunDll32.exe <
C:\Users\ADMINI~1\AppData\Roaming\Microsoft\Word\STARTUP\hh14980443.wll,
DllEntry> using the WinExec() function.
DllEntry is the payload’s only export function. The malware creates
a log file in %TEMP% with the name c3E57B.tmp. The malware writes the
current local time plus two hardcoded values every time in the
following format:
<Month int>/<Date int>
<Hours>:<Minutes>:<Seconds>\t<Hardcoded
Digit>\t<Hardcoded Digit>\n
Example:
05/22 07:29:17 4 0
This log file is written to every 15 seconds. The last two digits
are hard coded and passed as parameters to the function (Figure 4).
Figure 4: String format for log file
The encrypted file contains a config file of 0x78 bytes. The data is
decrypted with an 0xD9 XOR operation. The decrypted data contains
command and control (C2) information as well as a mutex string used
during malware initialization. Figure 5 shows the decryption routine
and decrypted config file.
Figure 5: Config decryption routine
The IP address from the config file is written to %TEMP%/3E57B.tmp
with the current local time. For example:
05/22 07:49:48 149.28.182.78.
Mutex Creation
The malware creates a mutex to prevent multiple instances of
execution. Before naming the mutex, the malware determines whether it
is running as a system profile (Figure 6). To verify that the malware
resolves the environment variable for %APPDATA%, it checks for the
string config/systemprofile.
Figure 6: Verify whether malware is
running as a system profile
If the malware is running as a system profile, the string d0c
from the decrypted config file is used to create the mutex. Otherwise,
the string _cu is appended to d0c and the mutex is
named d0c_cu (Figure 7).
Figure 7: Mutex creation
After the mutex is created, the malware writes another entry in the
logfile in %TEMP% with the values 32 and 0.
Network Communication
HAWKBALL is a backdoor that communicates to a single hard-coded C2
server using HTTP. The C2 server is obtained from the decrypted config
file, as shown in Figure 5. The network request is formed with
hard-coded values such as User-Agent. The malware also sets the other
fields of request headers such as:
- Content-Length:
<content_length> - Cache-Control: no-cache
- Connection: close
The malware sends an HTTP GET request to its C2 IP address using
HTTP over port 443. Figure 8 shows the GET request sent over the network.
Figure 8: Network request
The network request is formed with four parameters in the format
shown in Figure 9.
Format = "?t=%d&&s=%d&&p=%s&&k=%d"
Figure 9: GET request parameters formation
Table 1 shows the GET request parameters.
|
Value |
Information |
|
T |
Initially set to 0 |
|
S |
Initially set to 0 |
|
P |
String from decrypted config at 0x68 |
|
k |
The result of GetTickCount() |
Table 1: GET request parameters
If the returned response is 200, then the malware sends another GET
request (Figure 10) with the following parameters (Figure 11).
Format = "?e=%d&&t=%d&&k=%d"
Figure 10: Second GET request
Figure 11: Second GET request parameters formation
Table 2 shows information about the parameters.
|
Value |
Information |
|
E |
Initially Set to 0 |
|
T |
Initially set to 0 |
|
K |
The result of GetTickCount() |
Table 2: Second GET request parameters
If the returned response is 200, the malware examines the Set-Cookie
field. This field provides the Command ID. As shown in Figure 10, the
field Set-Cookie responds with ID=17.
This Command ID acts as the index into a function table created by
the malware. Figure 12 shows the creation of the virtual function
table that will perform the backdoor’s command.
Figure 12: Function table
Table 3 shows the commands supported by HAWKBALL.
|
Command |
Operation Performed |
|
0 |
Set URI query string to value |
|
16 |
Unknown |
|
17 |
Collect system information |
|
18 |
Execute a provided argument using |
|
19 |
Execute a provided argument using |
|
20 |
Create a cmd.exe reverse shell, execute a |
|
21 |
Shut down reverse shell |
|
22 |
Unknown |
|
23 |
Shut down reverse shell |
|
48 |
Download file |
|
64 |
Get drive geometry and free space for logical |
|
65 |
Retrieve information about provided |
|
66 |
Delete file |
|
67 |
Move file |
Table 3: HAWKBALL commands
Collect System Information
Command ID 17 indexes to a function that collects the system
information and sends it to the C2 server. The system information includes:
- Computer Name
- User Name
- IP Address
- Active Code Page
- OEM Page
- OS Version
- Architecture Details
(x32/x64) - String at 0x68 offset from decrypted config
file
This information is retrieved from the victim using the following
WINAPI calls:
Format = "%s;%s;%s;%d;%d;%s;%s %dbit"
- GetComputerNameA
- GetUserNameA
- Gethostbyname and inet_ntoa
- GetACP
- GetOEMPC
- GetCurrentProcess and
IsWow64Process
Figure 13: System information
The collected system information is concatenated together with a
semicolon separating each field:
WIN732BIT-L-0;Administrator;10.128.62.115;1252;437;d0c;Windows 7 32bit
This information is encrypted using an XOR operation. The response
from the second GET request is used as the encryption key. As shown in
Figure 10, the second GET request responds with a 4-byte XOR key. In
this case the key is 0xE5044C18.
Once encrypted, the system information is sent in the body of an
HTTP POST. Figure 14 shows data sent over the network with the POST request.
Figure 14: POST request
In the request header, the field Cookie is set with
the command ID of the command for which the response is sent. As shown
in Figure 14, the Cookie field is set with ID=17, which is the
response for the previous command. In the received response, the next
command is returned in field Set-Cookie.
Table 4 shows the parameters of this POST request.
|
Parameter |
Information |
|
E |
Initially set to 0 |
|
T |
Decimal form of the little-endian XOR key |
|
K |
The result of GetTickCount() |
Table 4: POST request parameters
Create Process
The malware creates a process with specified arguments. Figure 15
shows the operation.
Figure 15: Command create process
Delete File
The malware deletes the file specified as an argument. Figure 16
show the operation.
Figure 16: Delete file operation
Get Directory Information
The malware gets information for the provided directory address
using the following WINAPI calls:
- FindFirstFileW
- FindNextFileW
- FileTimeToLocalFileTime
- FiletimeToSystemTime
Figure 17 shows the API used for collecting information.
Figure 17: Get directory information
Get Disk Information
This command retrieves the drive information for drives C through Z
along with available disk space for each drive.
Figure 18: Retrieve drive information
The information is stored in the following format for each drive:
Format = "%d+%d+%d+%d;"
Example: "8+512+6460870+16751103;"
The information for all the available drives is combined and sent to
the server using an operation similar to Figure 14.
Anti-Debugging Tricks
Debugger Detection With PEB
The malware queries the value for the flag BeingDebugged from PEB to
check whether the process is being debugged.
Figure 19: Retrieve value from PEB
NtQueryInformationProcess
The malware uses the NtQueryInformationProcess API to detect if it
is being debugged. The following flags are used:
- Passing value 0x7 to
ProcessInformationClass:
Figure 20: ProcessDebugPort verification
- Passing value 0x1E to
ProcessInformationClass:
Figure 21: ProcessDebugFlags verification
- Passing value 0x1F to
ProcessInformationClass:
Figure 22: ProcessDebugObject
Conclusion
HAWKBALL is a new backdoor that provides features attackers can use
to collect information from a victim and deliver new payloads to the
target. At the time of writing, the FireEye Multi-Vector Execution
(MVX) engine is able to recognize and block this threat. We advise
that all industries remain on alert, though, because the threat actors
involved in this campaign may eventually broaden the scope of their
current targeting.
Indicators of Compromise (IOC)
|
MD5 |
Name |
|
AC0EAC22CE12EAC9EE15CA03646ED70C |
Doc.rtf |
|
D90E45FBF11B5BBDCA945B24D155A4B2 |
hh14980443.wll |
Network Indicators
- 149.28.182[.]78:443
- 149.28.182[.]78:80
- http://149.28.182[.]78/?t=0&&s=0&&p=wGH^69&&k=<tick_count>
- http://149.28.182[.]78/?e=0&&t=0&&k=<tick_count>
- http://149.28.182[.]78/?e=0&&t=<int_xor_key>&&k=<tick_count>
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0;
SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729;
Media Center PC 6.0; InfoPath.2)
FireEye Detections
|
MD5 |
Product |
Signature |
Action |
|
AC0EAC22CE12EAC9EE15CA03646ED70C |
FireEye Email Security FireEye Network Security FireEye Endpoint |
FE_Exploit_RTF_EQGEN_7 Exploit.Generic.MVX |
Block |
|
D90E45FBF11B5BBDCA945B24D155A4B2 |
FireEye Email Security FireEye Network Security FireEye Endpoint |
Malware.Binary.Dll FE_APT_Backdoor_Win32_HawkBall_1 APT.Backdoor.Win.HawkBall |
Block |
Acknowledgement
Thank you to Matt Williams for providing reverse engineering support.
