Last week, my colleague on the advanced threat research team, Rob Falcone, pointed me to a sample that hit on our CommentCrew DES signature. Normally I would shrug this off as something old, but the compilation time on the binary showed June 4, 2013 and the command-and-control (C&C) server appeared to be active. I found a couple of aspects of this file interesting.
It’s hard to forget the comprehensive report that Mandiant released back in February. Included in the malware appendix was a backdoor labeled WEBC2-QBP, named after the delimiter used when parsing out commands. This specific sample used the Data Encryption Standard (DES) algorithm to encrypt and decrypt commands for processing, and had been using the static key of “Hello@)!0” since July 2010. Shortly after the report, a new variant of this tool was discovered, but with a couple of changes. Most notably, the DES key had changed to “9X*KLD@EJaXKLW!SK” and the delimiter was now “META=” with an additional prefix of “AABB.”
Security researchers quickly identified this new variant and blogged about it publicly. Once the public became aware of it, the updated variant appeared to disappear again, so what makes this new sample of the old version interesting is that the attackers have potentially rolled their code back to the old version in an effort to avoid any unnecessary attention.
Beyond the sample itself, what I find most amusing is the low number of detections for this particular tool. Simply using the static DES key as a signature is enough to fingerprint and detect this sample, yet only seven anti-virus engines identified it as malicious. While the results are disconcerting, it’s worth noting that these particular actors have historically been impressive when it comes to anti-virus evasion. I was lucky enough to track them last year for several months as they made small changes to their code and dropped detections from 20-some anti-virus engines down to eight.
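To make the point about static-key fingerprinting concrete, here is an added example (my own illustration, not code from the original post or from any vendor product) that scans a byte buffer for the WEBC2-QBP artefacts named above: the two DES keys and the “META=” delimiter with its “AABB” prefix. The indicator strings are the ones quoted in this post; the variant labels, the function names and the sample buffers are my own constructions, and the verdict logic (a DES key hit is a match, delimiter or prefix strings alone are only a weak flag because they are too generic to convict on their own) is a design choice of this example, not something the post specifies.

```python
# Added example: indicator scan for the static WEBC2-QBP strings named in the post.
# Indicator bytes come from the post; the variant labels, the functions and the
# sample buffers below are constructed for illustration and are not real malware.
from typing import Dict, List

# Two variants described in the post: the original tool (static DES key in use
# since July 2010) and the updated one seen shortly after the Mandiant report.
VARIANT_INDICATORS: Dict[str, Dict[str, bytes]] = {
    "original": {
        "des_key": b"Hello@)!0",
    },
    "updated": {
        "des_key": b"9X*KLD@EJaXKLW!SK",
        "delimiter": b"META=",
        "prefix": b"AABB",
    },
}


def _encodings(needle: bytes) -> List[bytes]:
    """Return the raw ASCII form and its UTF-16LE form, since Windows binaries
    frequently store string constants as wide characters."""
    return [needle, needle.decode("ascii").encode("utf-16-le")]


def find_indicators(data: bytes) -> Dict[str, List[str]]:
    """Return, per variant, the sorted names of indicators present in `data`.
    Variants with no hits are omitted."""
    hits: Dict[str, List[str]] = {}
    for variant, indicators in VARIANT_INDICATORS.items():
        found = [
            name
            for name, needle in indicators.items()
            if any(form in data for form in _encodings(needle))
        ]
        if found:
            hits[variant] = sorted(found)
    return hits


def classify(data: bytes) -> str:
    """Map scan hits to a verdict (design choice of this example).

    A static DES key by itself is enough to fingerprint a variant, which is the
    post's point. The delimiter and prefix strings are short and generic, so on
    their own they only produce a 'weak' flag for an analyst to look at.
    """
    hits = find_indicators(data)
    for variant, found in hits.items():
        if "des_key" in found:
            return f"match: {variant}"
    if hits:
        return "weak: delimiter/prefix strings only"
    return "clean"


if __name__ == "__main__":
    # Constructed sample buffers standing in for file contents.
    samples = {
        "old-key binary": b"\x00" * 16 + b"Hello@)!0" + b"\x00" * 8,
        "wide-string updated binary": b"MZ" + "9X*KLD@EJaXKLW!SK".encode("utf-16-le"),
        "delimiter only": b"AABBMETA=some command text",
        "benign": b"nothing of interest here",
    }
    for label, blob in samples.items():
        print(f"{label:28s} -> {classify(blob)}  {find_indicators(blob)}")
```

The scan is deliberately string-based: the post's observation is that this actor kept a hard-coded key across years of samples, so a plain byte match catches it without any emulation. In practice you would run the same check as a YARA rule over a file corpus or a memory dump, and treat a “weak” result as a triage hint rather than a detection.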
Seeing this new sample in the wild gives some hope that, despite public attention, actors will still re-use existing tools. This implies either that they don’t feel the changes are worth the effort or that they simply don’t care. Whatever the case, that sort of mentality is something I can get behind. As they perform attacks, I will be watching and blocking them.