Mumblehard malware - Components
Perl Backdoor
The Perl backdoor requests commands from its Command & Control (C&C) server; each command contains a URL to a file to be downloaded and executed. The backdoor is installed in crontab with an execution interval of 15 minutes. At each run, every C&C server in the list is queried for a command. The backdoor supports only one command:
0x10: Download from URL and execute.
Another important thing to note about this malware is that it disguises itself as httpd by assigning $0 = "httpd";. The backdoor makes an HTTP GET request to each C&C server in the list, and the command is hidden in the PHPSESSID value in the response header. The PHPSESSID is hex-encoded by the server so that it looks legitimate during packet analysis. Upon analysis, the value appears to be encrypted with the same encryption algorithm that is used to obfuscate the whole program. Upon decryption, the following fields are present in the PHPSESSID value:
URL: URL of the file to be fetched.
URL Length: Length of the URL in bytes.
ID: Value set by the C&C server upon receiving the command; always 0x18.
Command: Download the file at URL and execute it.
Timeout value: Timeout in seconds for getting a response from the URL or C&C server.
File Name: Actual file name to be downloaded and executed.
File Name Length: Length of the file name in bytes.
This backdoor uses a hard-coded User-Agent and embeds information inside the User-Agent string. Below is the format of the User-Agent used when posing as a Mozilla client:
Below is an example of the backdoor communicating with the C&C server for a successful download-and-execute command:
Spammer Daemon
The spammer daemon sends spam; it is written in Perl and packed inside the ELF binary. It has two ways of sending spam, described below:
Communication with C&C servers
The C&C servers run on port 25, but Mumblehard expects a POST request with binary data as its content. Upon analysis, the POST request body contains the following binary fields:
Magic | Version | Command | Pid | Extra Data Size | Extra Data
Here the extra data holds information about how many emails were transmitted: a job ID and the number of successful/unsuccessful emails sent. The response from the server is HTTP 200 OK and contains several important fields such as the job ID, recipient list, message, message size, etc.
Proxy Feature
The other way of sending spam is to use the proxy component. It works by listening for inbound connections on a TCP port and notifying the C&C server that it is listening on that port. The spammer uses a "Create Connection" command to establish the connection with the C&C server. It is based on the SOCKS4 protocol and thus tunnels arbitrary traffic through the infected host. The Create Connection command fields are as below:
Command | Port | IP
Indicators of Compromise
The IOCs are as follows:
For backdoor: TCP connection to 194.54.81.163 port 80
For proxy: TCP connection to 194.54.81.163 port 54321
For spammer: TCP connection to 194.54.81.163/164 port 25
UDP packets to 194.54.81.162 port 53
HTTP requests with the following User-Agent pattern:
• Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/<1 or more digits>.<1 or more digits>.<1 or more digits> Firefox/7.0.1
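An added detection example, not part of the original analysis or of ESET's paper: a small Python scanner that applies the backdoor User-Agent pattern and the network IOCs listed above to a few constructed connection-log lines. The "src dst port proto ua=..." log format and the sample lines are assumptions; the IPs, ports and User-Agent pattern are the ones given on this page.

```python
import re

# Network IOCs from the page: (destination IP, destination port, protocol) -> role.
NETWORK_IOCS = {
    ("194.54.81.163", 80, "tcp"): "backdoor C&C (HTTP)",
    ("194.54.81.163", 54321, "tcp"): "proxy C&C",
    ("194.54.81.163", 25, "tcp"): "spammer C&C",
    ("194.54.81.164", 25, "tcp"): "spammer C&C",
    ("194.54.81.162", 53, "udp"): "spammer DNS (UDP 53)",
}

# Backdoor User-Agent: fixed Firefox 7.0.1 string with a Gecko build of
# three dot-separated digit groups, exactly as the IOC pattern above states.
UA_PATTERN = re.compile(
    r"^Mozilla/5\.0 \(Windows NT 6\.1; rv:7\.0\.1\) "
    r"Gecko/\d+\.\d+\.\d+ Firefox/7\.0\.1$"
)

# Assumed log format: src_ip dst_ip dst_port proto ua="..." (or ua=- when absent).
LINE_RE = re.compile(r'^(\S+) (\S+) (\d+) (tcp|udp) ua=(?:"([^"]*)"|-)$')

# Constructed sample lines (not captured traffic). Line 6 hits the C&C IP/port
# but carries a normal Gecko build, so only the network IOC should fire there.
SAMPLE_LOG = """\
10.0.0.5 194.54.81.163 80 tcp ua="Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101.1.2 Firefox/7.0.1"
10.0.0.5 194.54.81.163 54321 tcp ua=-
10.0.0.5 194.54.81.164 25 tcp ua=-
10.0.0.5 194.54.81.162 53 udp ua=-
10.0.0.7 93.184.216.34 443 tcp ua="Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0"
10.0.0.7 194.54.81.163 80 tcp ua="Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
"""


def scan_log(text):
    """Return (source_ip, reason) findings for every line matching a Mumblehard IOC."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        src, dst, port, proto, ua = m.groups()
        role = NETWORK_IOCS.get((dst, int(port), proto))
        if role:
            findings.append((src, f"{proto}/{port} to {dst}: {role}"))
        if ua and UA_PATTERN.match(ua):
            findings.append((src, "Mumblehard backdoor User-Agent"))
    return findings


if __name__ == "__main__":
    for src, reason in scan_log(SAMPLE_LOG):
        print(f"{src}: {reason}")
```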
Reference
http://www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf