“PowerLoader v2.0 and sons” – communication protocol details

2013.05.29

First of all, for those who do not know what a Power Loader is:

[image: the Power Loader exosuit from the film "Aliens"]

From the movie 'Aliens'. I always wanted one to clean up the mess in my room when I was a teenager.

But here we will talk about another Power Loader: v2.0.

[image: PowerLoader v2.0]

Recently Alexandr Matrosov of ESET reported on this new malware, seen in the wild since September 2012. You are highly recommended to read Alexandr's post before continuing with this one.

PowerLoader's main feature is that it is a dropper (loader): it arrives on the victim machine first, profiles it and fetches from the C&C a package suited to this particular victim.

Why would you need a dropper with a C&C, anyway?

A few core reasons:

1. No need for sophisticated exploit kits (one can still be used as an additional layer). PowerLoader arrives via spam and performs all the anti-forensics itself. No exploits, no crashes, no noise.

2. A more scalable system for infecting victims: the binary executes, reports to the C&C and receives the final malware. Among the features:

– GeoIP on the server side: the C&C checks the bot's origin and can serve malware according to a GeoIP list

– Anti-forensics: the C&C has options to detect unusual bot behaviour, mark the bot as untrusted and not reply to it at all

– a few more interesting features still being worked out…

3. You can still execute commands on the victim machine, which means you can create a market selling "installs" to others.

Now, in this article I will disclose a bit of the networking magic behind this piece of malware.

Step 1:

OK, it came to me as Skype spam in the Russian segment of the Internet. The victim's computer sends the following message to everyone on the contact list:

“это очень хорошая фотография вы http://fur.ly/9jyz?open=target.skype.name 😀 “

Translation: this is a very nice picture of you [link] 😀

If you look at the URLQuery search results, you can see that the campaign ended a few days ago; I am talking about 21-26.05.2013.

Step 2:

OK, now, when the victim clicks the link, they are taken to a 4shared.com hosting page that provides a link to the archive skype.zip.

[screenshot: the 4shared.com page offering skype.zip]

In the archive we find a binary with a rather picture-like name:

File: Skype-DCIM_0000106249210293201.exe

MD5: 8bf55ee2229a4fa6dbcca437b9c364fb

Step 3:

When executed, the bot sends a POST request to the hard-coded C&C server:

[screenshot: the encrypted POST request to the C&C]

After some research, it appears to be RC4 encryption, where the key is the HTTP Host value, i.e. the C&C hostname embedded in PowerLoader v2.0.

After decryption it looks like this:

[screenshot: the decrypted POST body]

Here the first value is the unique bot ID generated on the machine, and the third value is the OS version. For the other two values I have no information yet; if you have an idea, please poke me 🙂

The response from the C&C to the client is also RC4 encrypted.

This is how it looks:

[screenshot: the encrypted C&C response, with the decoded content shown below it after "Decoded:"]

Here the RC4 key is the unique bot ID that the bot reports the first time it connects to the C&C. See the decoded response under the original packet, after "Decoded:" 🙂

Afterwards, it grabs the binary from the remote host (it does not even carry the .exe extension; the dropper knows how to perform all the manipulations needed to make it executable) and executes it.
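The whole exchange, as an added example that is not code from the original post or from the malware: the bot RC4-encrypts its check-in body with the C&C Host value, and the C&C RC4-encrypts its reply with the bot ID that the first request carried. The hostname, bot ID, OS-version string, field separator and the idea that the reply is a download URL are all constructed assumptions for illustration; the post only states the key choice and which of the four fields are the bot ID and OS version.

```python
# Added example (not code from the original post): RC4 keying of the
# PowerLoader v2.0 check-in as the post describes it. The bot encrypts its
# POST body with RC4 keyed on the C&C Host value, and the C&C encrypts its
# reply with RC4 keyed on the bot ID sent in that first request. Everything
# below (the host name, bot ID, field separator and field layout) is
# constructed for illustration, not recovered from the sample.


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Assumed values: the C&C hostname embedded in the binary (sent as the HTTP
# Host header) and a bot ID generated on the victim machine. Both are made up.
CNC_HOST = "cnc.example.invalid"
BOT_ID = "7F3A9C1E2B4D6F08"
OS_VERSION = "5.1.2600"   # assumed format; the post only says "OS version"

# Assumed field separator; the post shows four fields but not the delimiter.
SEP = "|"


def build_checkin(bot_id: str, field2: str, os_version: str, field4: str,
                  host: str) -> bytes:
    """Bot side: serialise the four check-in fields and RC4 them with the Host value."""
    plain = SEP.join([bot_id, field2, os_version, field4]).encode()
    return rc4(host.encode(), plain)


def parse_checkin(body: bytes, host: str) -> dict:
    """Analyst/C&C side: decrypt the POST body with the Host value and split it.
    Fields 2 and 4 are the ones the post could not identify, so they stay raw."""
    fields = rc4(host.encode(), body).decode().split(SEP)
    if len(fields) != 4:
        raise ValueError("unexpected field count: %d" % len(fields))
    return {
        "bot_id": fields[0],
        "unknown_2": fields[1],
        "os_version": fields[2],
        "unknown_4": fields[3],
    }


def build_response(bot_id: str, payload_url: str) -> bytes:
    """C&C side: RC4 the reply (assumed here to carry the payload URL) with the bot ID."""
    return rc4(bot_id.encode(), payload_url.encode())


def decrypt_session(host: str, request_body: bytes, response_body: bytes) -> dict:
    """Decrypt a captured request/response pair using only what the capture holds:
    the Host header keys the request, and the bot ID recovered from the
    decrypted request keys the response."""
    checkin = parse_checkin(request_body, host)
    reply = rc4(checkin["bot_id"].encode(), response_body).decode()
    return {"checkin": checkin, "response": reply}


if __name__ == "__main__":
    req = build_checkin(BOT_ID, "1", OS_VERSION, "0", CNC_HOST)
    resp = build_response(BOT_ID, "http://payload.example.invalid/files/skype")
    print(decrypt_session(CNC_HOST, req, resp))
```

The practical point for an analyst is in `decrypt_session`: both keys travel in the clear inside the capture itself (the Host header of the request, and the bot ID inside the request once it is decrypted), so a pcap of the check-in is enough to read the whole session offline without pulling anything else from the binary. Since the real delimiter and field layout are not visible in the post, `parse_checkin` should be adjusted to whatever the decrypted body actually shows.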

Done and done.

Please stay safe!

D.L.
