Reversing a highly sophisticated espionage tool from a Chinese APT group.
This is my second blog on SManager. In the first part I reversed the packed sample of SManager, which is the installer for SManager. The previous blog can be read here.
Reversing APT Tool : SManager
Static and Dynamic Analysis of Chinese APT Backdoor
In this particular blog, we will look at the internals of the unpacked SManager sample, which I unpacked from the sample covered in my first blog about SManager.
So, let's dig in.
What mainly happens in this sample is that it exports two files and creates one service.
Starting from the entry point, the “Dll_Main_Entry” function calls two functions, “thread_ps_info_store” and “thread_buffr_file_ops”.
In the first, “thread_ps_info_store”, system information is extracted and returned to Dll_Main_Entry using the functions “GetCurrentThreadId” and “GetCurrentProcessId”.
Using functions such as “rtrn_thread_buffr_heap_info” and “FILE_oPS_THREAD_ops”, thread information along with processor information is extracted from the infected system.
Now, moving on to the second exported file, which is used to create the service for communications with the C2 through legitimate DLL injection.
In this function, the service is mainly created for making connections with the Command and Control server (C2, aka C&C).
Now moving on to the last exported file, “Entery”, in the disassembly.
Here I have renamed the “Entery” function to describe what it does, so that a normal reader can follow it. What it does is download the plugin from the Command and Control server (C2, aka C&C) using the function “plugin_download_from_C2_using_C2”, after setting up exception handling with “SetUnhandledExceptionFilter” and setting the error mode to 0x8002u so that the C2 communication proceeds smoothly (0x8002 combines SEM_FAILCRITICALERRORS and SEM_NOOPENFILEERRORBOX, which suppresses error dialogs that would otherwise need user interaction). plugin_download_from_C2_using_C2 downloads the plugin file from the C2 and opens the new plugin file on the system.
In this function, the following functions are deployed for downloading the plugin from the C&C server:
In this particular function, socket communication with the C&C server begins, for downloading the plugin.
This function is specifically responsible for downloading the malicious plugin from the C2 server.
Setting three breakpoints in the Dll_Main_Entry function and debugging the malicious DLL, we obtain output similar to our static analysis of this unpacked binary.
First it loads some DLLs, as shown in the image below; then it injects the payload and starts some services, and finally it downloads the plugin.
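The behaviour chain observed above (service creation, then an outbound C2 connection, then a plugin file written to disk and loaded) is a good candidate for a host-based correlation rule. The following is an added example, not code from the original post or from the SManager sample; the event records are constructed samples in a Sysmon-like shape, and the pids, service name, addresses and paths are placeholders.

```python
from collections import defaultdict

# Constructed sample events: (seq, pid, event_type, detail).
# pid 4242 mirrors the chain described in the analysis; pid 1001 is benign noise.
SAMPLE_EVENTS = [
    (1, 4242, "ImageLoad", r"C:\Windows\System32\ws2_32.dll"),
    (2, 4242, "ServiceInstall", "PlaceholderSvc"),
    (3, 1001, "NetworkConnect", "203.0.113.5:443"),
    (4, 4242, "NetworkConnect", "198.51.100.23:443"),
    (5, 4242, "FileCreate", r"C:\ProgramData\plugin.dll"),
    (6, 4242, "ImageLoad", r"C:\ProgramData\plugin.dll"),
    (7, 1001, "FileCreate", r"C:\Users\alice\notes.txt"),
]


def find_service_c2_plugin_chains(events):
    """Return {pid: [loaded files]} for processes that, in this order,
    install a service, open an outbound connection, write a file and
    then load that same file (the dropped plugin). Order matters so a
    benign installer that only creates a service is not flagged."""
    by_pid = defaultdict(list)
    for _seq, pid, kind, detail in sorted(events):
        by_pid[pid].append((kind, detail))

    hits = {}
    for pid, evs in by_pid.items():
        stage = 0          # 0: nothing yet, 1: service seen, 2: connect seen
        written = set()    # files this process created after stage 2
        for kind, detail in evs:
            if stage == 0 and kind == "ServiceInstall":
                stage = 1
            elif stage == 1 and kind == "NetworkConnect":
                stage = 2
            elif stage == 2 and kind == "FileCreate":
                written.add(detail.lower())
            elif stage == 2 and kind == "ImageLoad" and detail.lower() in written:
                hits.setdefault(pid, []).append(detail)
    return hits


if __name__ == "__main__":
    for pid, files in find_service_c2_plugin_chains(SAMPLE_EVENTS).items():
        print(f"pid {pid}: service -> C2 connect -> dropped and loaded {files}")
```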
Indicators of Compromise (IOCs) and Detections
Network [C2 Communications]
MITRE ATT&CK Techniques
Sample from Report