YoungLotus – Chinese Malware Analysis
During my malware analysis, I came across a malware that had not been analyzed by anyone yet. Its name is YoungLotus, and there is very little information about it on the Internet. That is why I decided to study it and write this article. As in my previous article, I will unpack and describe the main characteristics of the malware, its persistence methods, the way it communicates with C2, and its main capabilities.
Unboxing
While analyzing the different variants of YoungLotus, I noticed that it is distributed as a DLL library. Most often, this library is packaged into an executable file, which loads it into memory and jumps to its entry point.
I will show an example of unpacking one of these instances. This time I used IDA in conjunction with x32dbg. All unpacking happens in the main function.
After decryption and memory allocation, the malware copies the decrypted code into the allocated memory and looks for an entry point into a library named Shellex
. The malware then copies the configuration information to the buffer and proceeds to the entry function. IDA did not recognize the function argument mw_main
but after unpacking it is immediately clear that this one accepts a configuration byte array.
To unpack, we need to set a breakpoint at the moment the function is called. mw_main
. Such transitions are often very easy to recognize because they use the instruction jmp
or call
with a register as an argument.
Now we just need to go to the address that is in the register eax
and unload the memory segment that includes this address. In our case, in eax
the address was located 0x10008538
and at the beginning of the segment there was a PE file header:
Now we can move on to examining the malware itself.
Configuration and fixing
To pin, the malware creates a new service. Its configuration information consists of the control server domain, the service Group key, the service Remark key, the service name, the service display name, the service description, the control server port, the flag to run without pinning, and magic bytes that will be sent in the first message to C2.
Since this malware attaches itself to the victim's computer by creating a service, it requires administrator privileges to function correctly. If the malware fails to create a service, it simply stops working.
Different variants implement the pinning mechanism differently. My main instance copies itself along the path C:\Windows\Microsoft.Net\Framework\v3.5\
and creates the corresponding service. At the same time, the malware changes its name to mscorsvw.exe
to make it more difficult to identify.
In general, the method of fixing in different options may differ, but they all have in common that they create a system service.
Protocol of the VPO
To interact with the control server, the malware uses its own protocol. Before sending a message, it is encrypted with a simple XOR. Different implementations of the malware have different encryption algorithms. An example of one of the instances:
The protocol packet format is quite simple. First there are three constant bytes (in my samples these were bytes 0x687820), then there is the message length, a reserved field, the number 1, the action number and an array with arguments for the action. The minimum packet length is 16 bytes, but a packet can also consist of the first 3 bytes.
struct packet {
BYTE signarute[3]; // 0x687820
DWORD message_length;
DWORD reserved;
DWORD reserved; // Всегда 1
BYTE action_number;
BYTE param[];
};
When launched, the malware connects to the C2 server using the parameters specified in the configuration. The first packet that the malware sends contains information about the system. This information can be retrieved again by sending the 0x687820 bytes without the rest of the packet. This packet contains the host name, processor characteristics, current date, and other information about the system. This packet looks something like this:
After establishing a TCP connection and receiving the first packet from the client, the C&C server can send commands to control the malware. In order to fully explore the capabilities, I recreated the C&C server using Python. This server will allow us to fully test all the malware's functions. Here are the basic functions for sending and receiving messages:
def listen(conn, addr):
while True:
data = conn.recv(8192) # Размер буфера, определенный во вредоносе
print(decrypt(data))
def send(conn, addr):
while True:
try:
port = str(addr[1])
message = input(port + ">").encode().decode("unicode_escape")
if(message == ""): # Пустое сообщение
continue
if(message == "hx "): # Запрос на обычный ответ
conn.send(encrypt(message.encode()))
continue
if(message[0] == "#"): # Отправка голых байтов
conn.send(encrypt(message[1::].encode()))
continue
if(message == "dis"): # Разрыв соединения
conn.close()
break
args = message.split(" ")
action = args[0]
argument = args[1]
response = \ # Формирование пакета
b"hx " \ # Сигнатура
+ (len(argument) + 16).to_bytes(4, "little") \ # Длина сообщения
+ b"\x11\x11\x11\x11\x01\x00\x00\x00" \ # Зарезервированные значения
+ int(action).to_bytes(1, "little") \ # Номер действия
+ bytes(argument, encoding="raw_unicode_escape") # Аргумент действия
conn.send(encrypt(response))
except:
print("Error")
And this is what the main loop looks like. When a new connection is made, we create two new threads for sending and receiving messages.
import threading
import socket
sock = socket.socket()
sock.bind(("0.0.0.0", 3306))
sock.listen(1)
while True:
try:
conn, addr = sock.accept()
print('connected:', addr)
thread_listen = threading.Thread(target=listen, args=[conn,addr])
thread_send = threading.Thread(target=send, args=[conn,addr])
thread_listen.start()
thread_send.start()
except KeyboardInterrupt:
break
finally:
print("Error on connection")
Functions decrypt
And encrypt
vary depending on the malware instance. For my instance, these functions simply add or subtract a value from a byte and apply XOR to it. With such a simple server, we can perform all the actions that this malware provides.
YoungLotus Features
The malware has all the basic functions of a RAT. It allows you to control the system state, files, users, registry, services, processes and windows. Like almost any other RAT, YoungLotus has a large handler function with all the actions of the malware, which is called after receiving a message from the control server. Below is a table of all the actions of the malware:
Number actions | Description of action |
0x0 | Turn off computer |
0x1 | Remove the malicious service and shut down |
0x8 | Download and run the file from the link |
0xE | Find process by name |
0xF | Find window by name |
0xD | Open dialog box |
0x10 | Open proxy |
0x11 | Close proxy |
0x65 | Run file action handler |
0x69 | Launch shell (cmd) |
0x6A | Run the system action handler |
0x6C | Run service action handler |
0x6D | Run registry action handler |
The last five actions create another connection to the control server and also have their own action numbers (except 0x69). The handlers of these connections work the same way as the main handler. Note that older versions of the malware (about a year ago) did not have these last five actions. This means that the Trojan is still being worked on and that the developers intend to use it further. Now let's take a closer look at these handlers.
File actions. Before performing some actions on a file, it must be selected using action 0x3. After that, you can start working with the file. Table of file actions:
Number actions | Description of action |
0x1 | Display the contents of a folder |
0x3 | Select file for further actions |
0x4 | Writing to file |
0x5 | Reading from file |
0x7 | Deleting a file |
0x8 | Deleting a folder |
0xB | Moving a file |
0xC | Launching a file |
0x11 | Copying a file |
Actions with the system. This handler contains various actions that work with the system. For example, searching for antivirus software or actions with users. Table of actions with the system:
Number actions | Description of action |
0x1 | Getting information about processes |
0x2 | Getting a list of open windows |
0x3 | Obtaining information about the system, including antivirus software |
0x4 | Getting information about users |
0x8 | Getting information about the process |
0xС | Setting parameters for the user |
0xE | Create a user |
0x10 | Deleting a user |
0x15 | Turn off computer |
Actions with services. Here are the most basic interactions with services that the malware may need during its work. Table of actions with services:
Number actions | Description of action |
0x1 | List of all services |
0x64 | Delete service |
0x65 | Start the service |
0x66 | Check if the service is not stopped |
0x67 | Check if the service is running |
0x68 | Check if the service is suspended |
0x69 | Setting the startup mode – starting the service when the system boots |
0x6A | Setting the startup mode – manual service startup |
0x6B | Set startup mode to do not start |
Registry actions. There is nothing unusual here either. Just standard actions with registry keys and values. Registry actions table:
Number actions | Description of action |
0x1 | Get the value of the key |
0x2 | Create a key |
0x3 | Delete key |
0x4 | Set value for key |
0x5 | Delete value for key |
Links to other malware
During the analysis, I noticed that YoungLotus is very similar to another well-known trojan – FatalRATwhich I also recently analyzed. FatalRAT was in the news a few years ago, it was first discovered by AT&T. The main code fragments of these malware are the same, only the arsenal of actions differs. FatalRAT has keylogger, infostealer, VM bypass functions, and others, but does not have all the other functions that YoungLotus has. In general, FatalRAT is an improved version of YoungLotus, but with other capabilities.
FatalRAT uses 0x535609 bytes as its protocol signature. This distinguishes it from YoungLotus. The library entry point is most often called SVP7 in FatalRAT, while Shellex is used in YoungLotus.
Judging by the date of its first appearance in the news, YoungLotus appeared a couple of years earlier than FatalRAT. Both malwares were developed in China. This is indicated by the IP addresses of the control servers, which are located in China and South Korea, and the AT&T study.
During its operation, one of the YoungLotus instances downloads malware onto the victim's computer. Blackmoon. This trojan is downloaded from the hook domain.[.]ftp21[.].cc. From subdomains of ftp21 domain[.]ss are spreading Both malwares are YoungLotus and Blackmoon. The distribution campaign began about a week ago. That's when the first malicious links were noticed. The domain itself is located in South Korea.
Conclusion
YoungLotus is not very common. New specimens appear a couple of times a month. I think this is due to the fact that not a single normal Yara rule has been written for this malware yet. Therefore, the detection percentage remains quite low. This is why I wrote my rule, so that this type of malware could be detected more often.
This is my second article on malware analysis. Since writing the previous article, I have learned many new tools and techniques. I also plan to continue researching malware and writing articles analyzing it.
Yara's Rule
rule win32_younglotus {
meta:
author = "Reedus0"
description = "Rule for detecting YoungLotus malware"
reference_1 = "https://malpedia.caad.fkie.fraunhofer.de/details/win.younglotus"
reference_2 = "https://habr.com/ru/articles/827184/"
version = "1"
strings:
$string_0 = "%s:%d:%s"
$string_1 = "SYSTEM\\CurrentControlSet\\Services\\"
$string_2 = "WinSta0\\Default"
$string_3 = "%4d-%.2d-%.2d %.2d:%.2d"
$string_4 = "%d*%sMHz"
$string_5 = "Win7"
$string_6 = "Shellex"
$string_7 = "%s%s%s%s%s%s"
$string_8 = "AVtype_info"
condition:
uint16(0) == 0x5A4D and 6 of them and filesize < 300KB
}
MITRE ATT&CK
Tactics | Description |
T1573 | Encrypted channel |
T1569 | System service |
T1140 | Deobfuscation of files or information |
T1136.001 | Create an account |
T1082 | Finding system information |
T1518 | Software detection |
T1112 | Modifying the registry |
T1608.001 | Downloading malware |
T1012 | Registry Query |
T1095 | Non-application layer protocol |
T1543.003 | Creating or modifying a system process: Windows Service |