Overview
DarkArmor recently analyzed a malware dropper that dropped a malware downloader called Bot Engine, which then downloaded a recent Nemesis stealer. This report describes the Bot Engine framework and how it is used to infect users.
Bot Engine is a modular malware framework that allows developers to easily customize and enhance their malware. It has a number of core functionalities, such as C2 communication, encryption methods, obfuscation of data layers, and communication logic. These features allow malware creators to build more effective and sophisticated attacks.
The Bot Engine framework is typically used in a two-step infection process. In the first step, the malware dropper is used to deliver the Bot Engine framework to the victim’s computer. Once the Bot Engine framework is installed, it will then download various modules, which include the Nemesis stealer. The Nemesis stealer is a powerful malware that can steal a wide range of sensitive information from the victim’s computer, such as passwords, credit card numbers, and other personal data.
In Figure 1, we provide an overview of the Bot Engine and its components.

Bot Engine Dropper
The malware dropper we observed uses multiple stages to load the final malware, Bot Engine, in memory. The loader uses simple obfuscation techniques such as byte reordering, base64 encoding, zlib compression, and storing the payload as text. Even though the method is simple, it is likely to evade detections such as entropy scanners. Figure 2 shows the flow of the Bot Engine dropper.

File Information:
DarkArmor conducted an analysis on the Bot Engine dropper, which possesses the following properties.
- File name: tvdeveloper_40d.exe
- MD5: 5fb7e4ddb88b99cfb88e2294f62d9078
- SHA-1: b88e18a3c4926a188ed55201c5d894c4226093f8
- SHA-256: c5ebdc51e607782526b087aff5e3e2bf6fd5e68fa43efe32902d3d1099138b75
- Size: 12,800 bytes
- File extension: exe
- File MIME type: application/x-msdownload
Stage 1
The executable is named tvdeveloper_40d.exe and is a .NET application. Upon execution, the application automatically requests and downloads a resource from the following URL.
- hxxps://album.moto-style[.]nl/2020/images/css/design/fabric/bo/Czdcfrl.bmp
The payload is encoded in base64 and in reverse order. Once the malware downloader decodes and reverses the byte order, it proceeds to load the second stage of the malware in memory.
The second stage payload has the following properties.
- File name: Olfsmurrlsmxr.dll
- MD5: 0ae02f7b9e5000abc9e3e172df298b2a
- SHA-1: c594fb26cf2b5ee1db12c0112e353851747d3cf3
- SHA-256: 64578f5f9fc969db0a16d992cb4b6601a11c74618ffec0df9d010128958dd568
- Size: 3,114,496 bytes
- File extension: exe
- File MIME type: application/x-msdownload
Stage 2
After loading the second stage, the dropper proceeds to load the obfuscated payload stored in a JSON file located in the resource. The payload is encoded in base64, with the byte order reversed and compressed using gzip. Figure 3 illustrates the payload stored in the resource path.

The following Python code decodes the payload.

```python
import sys
import json
import base64
import gzip

# Usage: decode_stage2.py <resource.json>
# The resource is a JSON object; key "33" holds the obfuscated payload.
with open(sys.argv[1], "r") as f:
    data = json.load(f)

# Layers, outermost first: base64 text -> reversed byte order -> gzip
decoded = base64.b64decode(data["33"])[::-1]
decompressed = gzip.decompress(decoded)

with open(sys.argv[1] + "_33.decoded.bin", "wb") as out:
    out.write(decompressed)
```
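The script above hard-codes the layer order for the stage 2 resource. As an added example (not code from the original report), the helper below peels the same layers the dropper uses (base64, reversed byte order, gzip) by recognising each layer from its signature, so it handles both the stage 1 format (base64 then reverse) and the stage 2 format (base64, reverse, gzip); the sample payload it is exercised on is constructed, not a real binary.

```python
import base64
import gzip
import json
import re

GZIP_MAGIC = b"\x1f\x8b"
PE_MAGIC = b"MZ"
# A text layer made only of base64 characters (plus line breaks)
B64_RE = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")


def peel_layers(blob: bytes, max_layers: int = 6):
    """Strip obfuscation layers until a PE image remains (or nothing is recognised).
    Returns (payload, names of the layers removed, in order)."""
    layers = []
    for _ in range(max_layers):
        if blob.startswith(PE_MAGIC):
            break                                   # reached an executable image
        if blob.startswith(GZIP_MAGIC):
            blob = gzip.decompress(blob)
            layers.append("gzip")
        elif B64_RE.match(blob.strip()):
            blob = base64.b64decode(blob.strip())
            layers.append("base64")
        elif blob[::-1].startswith(PE_MAGIC) or blob[::-1].startswith(GZIP_MAGIC):
            blob = blob[::-1]                       # byte order was reversed
            layers.append("reverse")
        else:
            break                                   # unknown layer: stop, do not guess
    return blob, layers


def decode_resource(json_text: str, key: str = "33"):
    """Decode one entry of the dropper's JSON resource (the report uses key "33")."""
    data = json.loads(json_text)
    return peel_layers(data[key].encode())


def build_sample(stage: int) -> bytes:
    """Constructed stand-in for a dropped payload (not a real sample): fake PE header."""
    fake_pe = b"MZ" + b"\x90" * 64 + b"This program cannot be run in DOS mode."
    if stage == 1:
        return base64.b64encode(fake_pe[::-1])               # stage 1: base64 + reverse
    return base64.b64encode(gzip.compress(fake_pe)[::-1])    # stage 2: + gzip


if __name__ == "__main__":
    for stage in (1, 2):
        payload, layers = peel_layers(build_sample(stage))
        print(stage, layers, payload[:2])
```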
The decoded payload has the following properties.
- File name: OneDriveTimerUI.exe
- MD5: 07fc6df90bc349c094c258e7a87dee6b
- SHA-1: 7c1f791077006af1aedfcdd6d4d45862b2db8b91
- SHA-256: 26d911140d34903e94d8c310e2be8508d0a6ed7100c85a8cc58dc44f663ccfed
- Size: 1,911,808 bytes
- File extension: exe
- File MIME type: application/x-msdownload
Stage 3
OneDriveTimerUI.exe serves as a Bot Engine loader, with the Bot Engine being compressed and stored in the resources. Once the application is loaded, it decompresses the compressed file and executes Bot Engine. Figure 4 depicts the file stored in the resources.

Bot Engine
The Bot Engine is a C# backdoor framework that cybercriminals can use and customize with ease. The framework lets developers extend any feature without altering the core of the malware. Below is a list of the engine’s features:
- A flexible library that can be used with, and integrated into, different malware modules.
- A common library that provides AV detection, encryption methods, system profiling, and a common protocol between the engine and the C2.
Common Module
Below is the list of libraries/modules included in the Bot Engine framework.
| Module Name | Description |
| --- | --- |
| BotLoader | Downloads a binary from a URL and executes it. |
| Commonlib | Common classes to identify antivirus software, encryption and decryption functions, system information gathering, and a JSON library. |
| IceLoader | API to inject a DLL into a process. |
| DeviceID | API to generate a system ID for the infected system. |
| DInvoke | API to inject a .NET library. |
IEngine
IEngine is a class that defines the methods the Bot Engine uses to perform C2 communication. This allows the developer to create new methods of communication, such as SSH, FTP or UDP. The following are the engines included in this sample.
| Engine Name | Description |
| --- | --- |
| AzureWrapper | An engine wrapper that uses the Azure platform to retrieve commands from a specified folder and to upload any data extracted by the malware, such as stolen information. In this sample, the bot continuously monitors the directory named ‘bdir’ for commands and uploads the data to the folder named ‘botshare’. |
| OneDriveWrapper | An engine wrapper that uses Microsoft’s SharePoint to retrieve commands from the SharePoint server. The location of the SharePoint folder is based on the account specified in the settings. |
| WebChannelWrapper | An engine wrapper that communicates with the C2 server through web requests. The engine uses the POST method to retrieve commands from the C2. |
As demonstrated by the modules included in the Bot Engine, the engine is highly flexible and capable of leveraging various platforms for C2 communication beyond the common web method.
C2 Command
The C2 commands are a list of instructions that the Bot Engine uses to communicate with the C2. Each command name embeds the Bot ID of the infected machine and the specific command. Below is a list of these commands.
| Name | Command | Description |
| --- | --- | --- |
| Powershell | b_<bot id>_ps.txt | Retrieve the PowerShell command to be executed by the Powershell module. |
| CMD | b_<bot id>_cmd.txt | Retrieve the DOS command to be executed by the Powershell module. |
| Stealer | b_<bot id>_stealer.txt | Retrieve the Stealer module from the C2. |
| Print Screen | b_<bot id>_scr.txt | Command to take a screenshot of the infected machine. |
| Print Screen File | b_<bot id>_scr.jpg | Command to send the captured screenshot to the C2. |
| Response | b_<bot id>_resp.txt | Specifies that the content is the output of a previous command. |
| Ping | b_<bot id>_ping.txt | Informs the C2 that the system is infected. |
| Pong | b_<bot id>_pong.txt | Specifies that the command has been retrieved. |
| Run | b_<bot id>_run.txt | Upload the output of the executed DLL. |
| Inject Shellcode | b_<bot id>_inject.txt | Indicates that the shellcode is injected. |
| Kill | b_<bot id>_kill.txt | Command to terminate the malware. |
| Message | b_<bot id>_msg.txt | Send log messages to the C2. |
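Because the engines above exchange these commands as files in a cloud share (Azure, SharePoint) or via web requests, the naming convention itself is a usable detection artefact. The following is an added example (not code from the original report) that parses file names of the form b_<bot id>_<suffix>.txt / b_<bot id>_scr.jpg, as listed in the table, and groups them per bot; the file listing it runs over is constructed, and the bot id character set is an assumption since the report does not state the DeviceID format.

```python
import re
from collections import defaultdict

# Command suffixes from the C2 command table above (all carried in .txt files)
COMMAND_SUFFIXES = {
    "ps": "Powershell", "cmd": "CMD", "stealer": "Stealer", "scr": "Print Screen",
    "resp": "Response", "ping": "Ping", "pong": "Pong", "run": "Run",
    "inject": "Inject Shellcode", "kill": "Kill", "msg": "Message",
}
# Assumption: the bot id contains no underscores or dots (format not given in the report)
NAME_RE = re.compile(r"^b_(?P<bot>[^_.]+)_(?P<suffix>[a-z]+)\.(?P<ext>txt|jpg)$")


def classify_name(filename: str):
    """Return (bot id, command name) for a Bot Engine C2 file name, else None."""
    m = NAME_RE.match(filename)
    if not m:
        return None
    bot, suffix, ext = m.group("bot"), m.group("suffix"), m.group("ext")
    if suffix == "scr" and ext == "jpg":          # screenshot payload, not a command
        return bot, "Print Screen File"
    if ext == "txt" and suffix in COMMAND_SUFFIXES:
        return bot, COMMAND_SUFFIXES[suffix]
    return None                                   # right shape, unknown suffix: ignore


def summarize(filenames):
    """Group recognised C2 file names per bot id, e.g. over a storage-share listing."""
    per_bot = defaultdict(list)
    for name in filenames:
        hit = classify_name(name)
        if hit:
            per_bot[hit[0]].append(hit[1])
    return dict(per_bot)


# Constructed file listing (not from a real share) mixing benign and C2-style names
SAMPLE_LISTING = [
    "b_7f3a9c_ping.txt", "b_7f3a9c_pong.txt", "b_7f3a9c_ps.txt",
    "b_7f3a9c_resp.txt", "b_7f3a9c_scr.jpg", "report_final.txt",
    "b_abc_scr.txt", "b_abc_foo.txt",
]

if __name__ == "__main__":
    for bot, commands in summarize(SAMPLE_LISTING).items():
        print(bot, commands)
```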
Modules
| Name | Command | Description |
| --- | --- | --- |
| PrintScreen | m_PRINTSCREEN | Take a screenshot of the desktop and return the bytes of the image. |
| Powershell | m_POWERSHELL | Execute a PowerShell command. |
| CMD | m_CMD | Execute a command and return its output. |
| Stealer | m_STEALER | Harvest system and application information, including application credentials and passwords saved in the browser. |
Indicators:
Below is the list of indicators.
Conclusion
The Bot Engine backdoor is a straightforward backdoor that offers essential functionality, such as executing commands, dropping files, and retrieving files. What sets Bot Engine apart is the adaptability of its framework and how easily a developer can tailor the backdoor to suit a specific environment. Furthermore, since the malware resides in memory, detection of this attack must occur in memory. This backdoor is likely to remain a significant threat in the future.