Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Trojan.Siggen28.53599

Added to the Dr.Web virus database: 2024-05-31

Virus description added:

  • sha1: 853d6a17f0a1a4035b52699a447eeb4ad1ca6cf7

Description

A malicious program for Windows written in C++. The main functionality of the trojan is to download and manage modules received from its C2 server.

Operating routine

The trojan has a number of basic and helper structs that are initialized at startup and stored as pointers in global variables.

Basic structs:

WinAPI wrapper

The trojan uses WinAPI system functions via a wrapper struct that contains a table of functions, library pointers, library load addresses, and an anti-debugging flag.

The table contains the following functions:

  • Functions for working with WinAPI, i.e., for finding a function pointer and calling it
  • Helper functions—the ad hoc implementation of the LoadLibrary and GetProcAddress calls
  • The configuration of the input parameters for a range of functions

When launched, the trojan initializes its main struct. It does this by using a modified CRC32 algorithm to find library load addresses in the PEB_LDR_DATA system struct. The trojan uses two methods to access functions stored in the libraries:

  • Ad hoc implementation of the LoadLibrary and GetProcAddress calls

The trojan has two functions that mimic the implementation of LoadLibrary and GetProcAddress. This method is used when the trojan needs access to an API contained in a library that has not yet been loaded into the process memory.

  • Searching for libraries by their hashes in the PEB_LDR_DATA system struct

The trojan searches for a required library in the PEB_LDR_DATA struct, using the InMemoryOrderModuleList list, which contains pointers to all the libraries loaded into the process memory and their names. The library name is matched by comparing the hash value generated using the modified CRC32 algorithm with the requisite library name. Next, the required library function is found in the table of exported library functions, in which case the function names are hashed in the same way. The library name and function are read using the modified CRC32 algorithm.

Logger struct

This is a struct whose main purpose is to generate the application log. The log contains information about errors and the step currently being executed.

System information collector struct

The main purpose of this struct is to collect system information and send it to the C2 server.

C2 server communication struct

This struct ensures the interaction with the C2 server. It contains a struct for working with the winhttp.dll library and information about the control server: the port, IP address and routing table.

Module and configuration struct

The main function of this struct is to manage the operation of modules and their configurations. It contains vectors that describe the modules, their configuration, and auxiliary system information.

Manager struct

The main purpose of this struct is to control program operation and ensure interaction between other structs. It holds pointers to all the other primary structs: WinAPI wrapper, logger, communication, and configuration.

Helper structs:

  • Structs for working with cryptography – SHA-1, SHA-256

  • Structs for working with auxiliary libraries: bcrypt, winhttp

  • Structs for storing various flags

Debugger evasion

When launched, the trojan also initializes 3 threads to evade debuggers:

Checking the debug registers

The trojan obtains the context of the parent thread and checks that the values of the Dr0–Dr7 registers are set to 0.

Checking for debugged environment

In the KUSER_SHARED_DATA structure, the trojan checks the first two bits in the KdDebuggerEnabled field; the value of these bits must be set to 0.

Using the NtQueryInformationProcess function, the trojan checks for the presence of a debugger by reading various parameters of the PROCESSINFOCLASS structure: ProcessDebugFlags, ProcessDebugPort, ProcessDebugObjectHandle, ProcessTlsInformation.

Checking for debugger drivers

The trojan scans the %WINDIR%\System32\drivers directory for files that indicate the presence of debugging software. It then calculates the filename hash, using the modified CRC32 algorithm, and compares the result to the blacklist hashes.

Checking for a copy of the trojan in the system

After initialization, the trojan attempts to create a mutex which is a Base64 SHA-1 encoded hash of the MachineGuid string value. If the attempt to capture the mutex fails, the line "Found another agent running. Exiting..." is written to the application log and the trojan is terminated.

Verifying keys and creating a handshake

The trojan checks for an existing handshake. This is done by accessing the key in the "Microsoft Software Key Storage Provider" CNG key storage, using the NCryptOpenKey function. The key name is a SHA-256 hash of the MachineGuid value. If such a key does not exist, the availability of the network connection is checked: if the connection is established, the trojan initiates the creation of the handshake:

  • A copy of the RSA internal key from the “Microsoft Software Key Storage Provider” CNG key storage is created
  • A key is received from the server
  • This key is stored in the storage with a name corresponding to the SHA-256 hash of the MachineGuid value.

The trojan parses the incoming packet for a new C2 server address and port number. Once the handshake is established, the following system information is sent to the C2 server: CPU architecture, OS name, user interface type, installed application identifiers, disk information, user names, and locale.

Basic functions

The trojan performs the following actions:

  • Loads and unloads modules
  • Sends messages to the C2 server about its operation or errors
  • Changes the configuration of modules
  • Updates the trojan body, if necessary

Module structure and configuration

A module is a dynamic library that is projected into the memory and has the following exportable functions:


Start
Stop
Configure
GetID
GetStatus
SetStatus
GetStarted
GetHandler
Destroy
PushErrorCMR

The module identifier indicates its function, i.e., knowing the identifier, you can determine which tasks are sent by the C2 server.

Identifier Purpose
238 Inject
27 Purpose unknown
44 Purpose unknown

JSON with module configuration


{
  "triggers": [
    {
      "schedule": "",
      "process": "",
      "repetitions": "",
      "sendCmr": {
        "name": "",
        "interval": ""
      }
    }
  ]
}

Module’s execution result

After the module completes its task, it generates a response


{
  "CommandModuleResponse": "",
  "requestId": "",
  "moduleId": "",
  "exitCode": "",
  "info": "Error" //this field is only shown if there was an error in the module’s operation; otherwise this field is missing.
}

Trojan update

While in operation, the trojan checks the availability of its update flag. If this flag is set, the trojan performs a series of system checks, and, based on the results, selects one of the two update strategies. If antivirus software is detected on the compromised PC, the trojan is updated through the loading of shellcode; otherwise, it is updated using the Inject module.

Checking for antivirus software

The trojan body contains a list of hashes of antivirus program names. When scanning for antivirus software, the trojan obtains a list of processes and calculates the hashes of running applications, which are compared to the following hardcoded list:


•	msmpeng 
•	mssense 
•	avastsvc
•	dwservice
•	avp
•	nortonsecurity
•	coreserviceshell
•	avguard
•	fshoster32
•	vsserv
•	mbam
•	adawareservice
•	avgsvc
•	wrsa

Shellcode for directory removal

Input arguments: directory name

Actions performed:

  • Looks up the kernel32.dll library address in the PEB_LDR_DATA struct
  • Gets the functions for the shellcode’s operation from the library export results, where the library name and function names are determined by their hashes
  • Determines the path to the %LOCALAPPDATA%\EROCS\ directory
  • Overwrites with zeros and deletes all the files in the specified directory
  • Deletes the directory itself

Shellcode for restarting the trojan

Actions performed:

  • Gets the list of processes, using the NtQuerySystemInformation function (the SystemProcessInformation parameter); checks that the UniqueProcessId field is equal to 0x434F5245
  • Deletes the HKEY_CURRENT_USER\Software\Uninstall key

Self-deletion

The trojan also has a self-deletion function that is triggered when the “deadline” registry key, which is responsible for the trojan lifetime and is updated when a new command from the C2 server is received, is set to a specific value. The trojan also initiates the self-deletion procedure, using WinAPI if errors are detected during the above checks. In this case, it performs the following actions:

  • Deletes its directory
  • Deletes the handshake
  • Deletes registry keys created while the trojan is in operation

Sending messages to the C2 server

The following User-Agent values are used by the trojan to send messages:


Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.3
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/53
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.3

All outgoing and incoming messages are encrypted using RSA.

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android