2018.01.29.VERMIN_Quasar_RAT_and_Custom_Malware_Used_In_Ukraine

2018/2018.01.29.VERMIN_Quasar_RAT_and_Custom_Malware_Used_In_Ukraine/VERMIN_decode.py

@@ -0,0 +1,158 @@
+#!/usr/local/bin/python
+
+__author__ = "Juan C Cortes"
+__version__ = "1.0"
+__email__ = "jcortes@paloaltonetworks.com"
+
+from random import randint
+import zlib
+import binascii
+import sys
+import logging
+import hashlib
+import argparse
+import os
+import struct
+from tabulate import tabulate
+from Crypto import Random
+from Crypto.Cipher import AES
+
+def parse_arguments():
+    """Argument Parser"""
+    parser = argparse.ArgumentParser(
+        usage="Decrypt strings for VerminRAT")
+    parser.add_argument(
+        "-v",
+        "--verbosity",
+        action="store_true",
+        dest="vverbose",
+        help="Print debugging information")
+    parser.add_argument(
+        "-o",
+        "--output",
+        dest="output_file",
+        type=str,
+        help="Output results file")
+    parser.add_argument(
+        "input",
+        type=str,
+        action='store',
+        help="Input file of newline separated strings or single string")
+    parser.add_argument(
+        "-b",
+        "--blob",
+        action='store_true',
+        help="Param use for decrypting blobs of data instead of strings. Blob is autosave to 'blob.out'")
+    return parser
+
+def write_out(output_list, headers, output_file=False):
+    """
+    Pretty outputs list
+    :param output_list: List to output
+    """
+    print tabulate(output_list, headers, tablefmt="simple")
+    print ""
+    if output_file:
+        with open(output_file, "ab") as file:
+            file.write(tabulate(output_list, headers, tablefmt="simple"))
+            file.write("\n\n")
+
+def generateArray():
+    abyte = bytearray(6)
+    for i in range(0,6):
+       abyte[i] = randint(0, 0x7FFFFFFF) % 7
+
+    return abyte;
+
+def parseEncrypteStr(encryptStr):
+    try:
+        decoded = encryptStr.decode('base64')
+        hardcoded_crc32 = decoded[-4:]
+        parsedEncrypted = decoded[16:-4]
+        iv = decoded[:16]
+        return hardcoded_crc32,parsedEncrypted,iv
+    except Exception as e:
+        print e
+
+def bruteForceCRC32Value(valuecrc32):
+    while (True):
+        arry = generateArray()
+        crc32 = binascii.crc32(arry)
+        crc32 = crc32 % (1 << 32)
+        if crc32 == valuecrc32:
+            return(arry)
+
+def decryptStr(str,key,iv):
+    aes = AES.new(key, AES.MODE_CBC, iv)
+    blob = aes.decrypt(str)
+    return blob
+
+def parsePlainText(str):
+    char = ""
+    for i in str:
+        if 0x20 <= ord(i) <= 0x127:
+            char += i
+        else:
+            continue
+    return char
+
+def parseUnicde(str):
+    try:
+        uni = ""
+        for i in range(0,len(str)/2):
+            uni += str[i]
+        return uni.decode('utf16')
+    except Exception as e:
+        print e
+
+def main():
+    """Main Method"""
+    args = parse_arguments().parse_args()
+    strs = []
+
+    if args.vverbose:
+        logging.basicConfig(
+            level=logging.DEBUG,
+            format=' %(asctime)s - %(levelname)s - %(message)s')
+
+    if args.blob and os.path.exists(args.input) != True:
+        b = args.input
+        crc32Hardcode, encryptedStr, iv = parseEncrypteStr(b)
+        crc32Hardcode = bytearray(crc32Hardcode)
+        crc32Hardcode = struct.unpack('<I', crc32Hardcode)[0]
+        bruteArray = bruteForceCRC32Value(crc32Hardcode)
+        m = hashlib.md5()
+        m.update(bruteArray)
+        key = m.digest()
+        plain = decryptStr(encryptedStr, key, iv)
+        with open('blob.out', "wb") as file:
+            file.write(plain)
+
+
+    if os.path.exists(args.input) != True:
+        strs.append(args.input)
+
+    else:
+        with open(args.input, "rb") as open_file:
+            for line in open_file:
+                hash = line.rstrip()
+                strs.append(hash)
+
+    for s in strs:
+
+        crc32Hardcode,encryptedStr,iv = parseEncrypteStr(s)
+        crc32Hardcode = bytearray(crc32Hardcode)
+        crc32Hardcode = struct.unpack('<I', crc32Hardcode)[0]
+        bruteArray = bruteForceCRC32Value(crc32Hardcode)
+        m = hashlib.md5()
+        m.update(bruteArray)
+        key = m.digest()
+        plain = decryptStr(encryptedStr,key,iv)
+        parsestr = parsePlainText(plain)
+        unistr = parseUnicde(plain)
+        headers = ["ASCII","UNICODE"]
+        outputlist = [[parsestr,unistr]]
+        write_out(outputlist, headers, args.output_file)
+
+if __name__ == '__main__':
+    main()

2018/2018.01.29.VERMIN_Quasar_RAT_and_Custom_Malware_Used_In_Ukraine/hash.txt

@@ -0,0 +1,33 @@
+0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6
+154ef5037e5de49a6e3c48ea7221a02a5df33c34420a586cbff6a46dc5026a91
+24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18
+250cf8b44fc3ae86b467dd3a1c261a6c3d1645a8a21addfe7f2e2241ff8b79fc
+4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da
+92295b38daa4e44b9d257e56c5b271bbbf6a620312dc58e48e56473427170aa1
+9ea00514c4ae9519a8938924b02826cfafeb75fc70f16c422aeadb8317a146c1
+a3c84c5f8d981653a2a391d29f32c8127fba8f0ab7da8815330a228205c99ba6
+7b08b0d4d68ebf5238eaa8a40f815b83de372e345eb22cc3d50a4bb1869db78e
+f75861216f5716b0227733e6a093776f693361626efebe37618935b9c6e1bdfd
+51b0bb172c6e5eaa8e333fbf2451ae27094991b6330025374b9082ae8cd879cf
+46ae101a8dc8bf434d2c599aaabfb72a0843d21e2150a6c745c0c4a771c09da3
+488db27f3d619b3067d95515a356997ea8e840c65daa2799bdd473dce93362f2
+5a05d2171e6aeb5edd9d39c7f46cd3bf0e2ee3ee803431a58a9945a56ce935f6
+6f4e20e421451c3d8490067f8424d7efbcc5edeb82f80bb5562c76d4adfb0181
+9a81cffe79057d8d307910143efd1455f956f2de2c7cc8fb07a7c17000913d59
+c84afdd28fa0923a09f6dd3af1e3821cdb07862b2796fa004cd3229bc6129cbe
+6cf63ae829984a47aca93f8a1261afe5a06930f04fab6f86f6f7f9631fde59ec
+aa982fe7d28bbf55865047b16334efbe3fcb6bae06e5ed9cab544f1c8d307317
+2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef
+677edb1a0a86c8bd0df150f2d9c5c3bc1d20d255b6f7944c4adcff3c45df4851
+74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d
+e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7
+eb48a31f8f81635d24f343a09247284149884bd713d3bc1c0b9c936bca8bafd7
+15c52b01d2b9294e2dd4d9711cde99e10f11cd188e0d1e4fa9db78f9805626c3
+31a1419d9121f55859ecf2d01f07da38bd37bb11d0ed9544a35d5d69472c358e
+5586fb423aff39a02cddf5e456a83a8301afe9ed78ecbc8de2cd852bc0cd498f
+5ee12dd028f5f8c2c0eb76f28c2ce273423998b36f3fc20c9e291f39825601f9
+eb48a31f8f81635d24f343a09247284149884bd713d3bc1c0b9c936bca8bafd7
+98073a58101dda103ea03bbd4b3554491d227f52ec01c245c3782e63c0fdbc07
+c5647603337a4e9bfbb2259c0aec7fa9868c87ded2ab74e9d233bdb2a3bb163e
+eb46b8978619a72f4b0d3ea8961dde527f8e27e89701ccd6e5643c33b103d901
+abd05a20b8aa21d58ee01a02ae804a0546fbf6811d71559423b6b5afdfbe7e64

README.md

@@ -13,6 +13,7 @@ Please fire issue to me if any lost APT/Malware events/campaigns.
 
 
 ## 2018
+* Jan 29 - [[Palo Alto Networks] VERMIN: Quasar RAT and Custom Malware Used In Ukraine](https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/) | [Local](../../blob/master/2018/2018.01.29.VERMIN_Quasar_RAT_and_Custom_Malware_Used_In_Ukraine)  
 * Jan 25 - [[Palo Alto Networks] OilRig uses RGDoor IIS Backdoor on Targets in the Middle East](https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/) | [Local](../../blob/master/2018/2018.01.25.oilrig_Middle_East)  
 * Jan 18 - [[NCSC] Turla group update Neuron malware](https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20Neuron%20Malware%20Update.pdf) | [Local](../../blob/master/2018/2018.01.18.Turla_group_update_Neuron_malware)  
 * Jan 16 - [[Kaspersky] Skygofree: Following in the footsteps of HackingTeam](https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/) | [Local](../../blob/master/2018/2018.01.16.skygofree)