Welcome to another entry in our weekly Triage Thursday blog series. We have some more family detection updates for you this week:
- Fix for ZLoader API hammering
- QNodeServiceTrojan family update
- Netwalker ransomware review
- WSHRAT signatures
In other news, earlier this week @Libranalysis published a Java library for the Triage API! Big thanks to them for making this publicly available. Find more details in their blogpost about the project.
"As of today, my Java library to connect with @hatching_io's Triage sandbox API is open-source! You can read my blog about it, which also links to the Github repository: https://t.co/Dvni046qEc" - Max 'Libra' Kersten (@Libranalysis), October 14, 2020
If you're looking for resources in other languages, don't forget you can find our official Python and Go libraries on our GitHub. We covered these in more detail in last week's blogpost.
We hope to have more news on some of the bigger features we’re working on over the next few weeks. In the meantime keep that feedback coming! You can reach us directly through the website, on Twitter, or using the Feedback option on an analysis report page.
Not signed up yet? Head over to tria.ge to register for a free account!
ZLoader API Hammering
While investigating some recent ZLoader samples which were evading our detection, we noticed that they were using an API hammering technique: calling an API in a tight loop to generate a huge number of events and overwhelm our agent. The initial samples created hundreds of thousands of mutex-related events, effectively triggering a denial of service on the kernel agent and preventing it from logging any further events or processes.
We have updated the Triage agent to filter events more effectively as they are generated, so the spam entries are never recorded in logs or reports. This fixes the evasion while also helping to keep analysis log sizes down.
Since these initial samples we have observed other ZLoader analyses hammering different APIs, mainly file creation. There are still some remaining cases we are working to fix, but the majority now function correctly and produce a successful configuration extraction.
- 201007-bq47zyvhf2 - example from before the fix, showing the mutex actions (note: page might take a moment to load)
- 201015-fye6cmvw2x - https://tria.ge/201015-fye6cmvw2x
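To make the filtering idea concrete, here is an added example of the kind of per-process, per-API rate limiter an agent can apply as events arrive. This is illustrative code written for this post, not the Triage agent's own filter; the event layout, the window size and the thresholds are assumptions, and the input stream is constructed. The point it shows beyond the text is that the hammering should not simply be discarded: the count of suppressed events is kept as a summary record, because a process creating tens of thousands of mutexes per second is itself an evasion indicator worth flagging.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ApiEvent:
    ts_ms: int   # milliseconds since the analysis started
    pid: int
    api: str     # hooked API name, e.g. "NtCreateMutant" (assumed naming)
    arg: str     # first interesting argument (object name, file path, ...)


@dataclass(frozen=True)
class Suppressed:
    pid: int
    api: str
    count: int   # events dropped for this (pid, api) key


# Per (pid, api) key: allow this many events per fixed window before suppressing.
# Assumed values for the example; a real agent would tune these per API.
MAX_PER_WINDOW = 50
WINDOW_MS = 1000


def filter_events(events, max_per_window=MAX_PER_WINDOW, window_ms=WINDOW_MS):
    """Rate-limit events per (pid, api) key as they arrive.

    Returns the events that survive plus one Suppressed summary per key that
    exceeded the limit, so the log stays bounded while the hammering itself is
    still recorded."""
    kept: List[ApiEvent] = []
    window_start: Dict[Tuple[int, str], int] = {}
    window_count: Counter = Counter()
    dropped: Counter = Counter()
    for ev in events:
        key = (ev.pid, ev.api)
        start = window_start.get(key)
        if start is None or ev.ts_ms - start >= window_ms:
            window_start[key] = ev.ts_ms   # open a fresh window for this key
            window_count[key] = 0
        window_count[key] += 1
        if window_count[key] <= max_per_window:
            kept.append(ev)
        else:
            dropped[key] += 1
    summaries = [Suppressed(pid, api, n) for (pid, api), n in sorted(dropped.items())]
    return kept, summaries


def hammering_pids(summaries, min_dropped=10_000):
    """Processes whose suppressed-event count is high enough to flag as API hammering."""
    return sorted({s.pid for s in summaries if s.count >= min_dropped})


def build_sample_events():
    """Constructed input: one quiet process and one that hammers NtCreateMutant."""
    events = []
    for i in range(5):
        events.append(ApiEvent(i, 1000, "NtCreateMutant", f"\\BaseNamedObjects\\Legit{i}"))
    for i in range(3):
        events.append(ApiEvent(10 + i, 1000, "NtCreateFile", f"C:\\Temp\\out{i}.tmp"))
    # 100,000 mutex creations inside one second, each with a throwaway name
    for i in range(100_000):
        events.append(ApiEvent(i // 100, 2000, "NtCreateMutant", f"\\BaseNamedObjects\\{i:08x}"))
    return events


if __name__ == "__main__":
    kept, summaries = filter_events(build_sample_events())
    print(f"kept {len(kept)} events, suppressed: {summaries}")
    print("api hammering flagged for pids:", hammering_pids(summaries))
```

On the constructed stream the quiet process keeps all eight of its events, the hammering process keeps only the first fifty mutex creations, and the remaining 99,950 collapse into a single summary record that the flagging rule picks up. A fixed window is deliberately simple; the trade-off to watch is that a legitimately busy process can also hit the cap, which is why the cap is per API rather than global and why the suppressed count is reported instead of silently lost.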
QNodeServiceTrojan
This trojan family was first observed in early 2020. The malware itself is written in Node.js and is deployed by a Java dropper. It includes a range of stealer functionality, including exfiltrating files, stealing data from installed software such as browsers, and downloading additional content.
We have updated our support for this family to cover additional variants based on numerous samples submitted through MalwareBazaar by abuse.ch. Some samples are linked below, and you can find many more on MalwareBazaar.
Netwalker
Keeping up with constantly changing families can be tricky. It was recently brought to our attention that we had some conflicting detections around Netwalker/MailTo and variants of the family. We have reviewed our available samples and cleaned up and expanded the signatures to be more consistent.
WSHRAT
As with many such RATs, the family is sold openly as a remote administration tool, claiming to be intended only for legitimate use. It has a range of capabilities including file upload/download, remote code execution and credential theft from installed browsers and email clients. It can also provide a full remote desktop connection to infected machines.