Last week I read a blog post by Cisco Talos about an APT malware that uses a very unique way to check whether its code is running in a virtual machine. I fetched the sample to have a personal look, and it was really interesting. In this post, aside from its anti-VM checks, I will discuss some of its capabilities.
The file is a .NET compiled executable. The malware uses no encryption or obfuscation to hide its code from static analysis, so the checks below can be read straight out of the decompiled assembly.
The Anti-VM Techniques:
This RAT shows another interesting way to detect a virtual machine, the test environment commonly used for malware analysis and behavioral testing.
[Image: Anti-VM techniques]
1. DetectVM - checks whether a virtual machine is installed on the compromised machine by looking for registry artifacts (keys and values left behind by hypervisor guest tools).
[Image: VM check through the registry]
2. DetectVM2 - queries the BIOS version through WMI; if the response matches one of the virtual machine names listed in its array, it flags "VM found".
[Image: VM check through BIOS version query]
3. DetectVM3 - checks whether the machine manufacturer, obtained through a WMI query of Win32_ComputerSystem, contains "virtual", "vmware" or "virtualbox".
[Image: VM check through computer system manufacturer]
4. GetProcessId - checks for a virtual machine through the processor ID: if the ProcessorId value returned by a Win32_Processor query is null, the machine is treated as a VM.
[Image: VM check through processor ID value]
5. A check on the number of processor cores of the machine (low core counts are typical of analysis VMs).
[Image: VM check through number of processor cores]
6. And last, the unique one: it uses an API to read the CPU temperature of the machine. Since most virtual machines do not expose this data, an error return is taken as evidence that a virtual machine is present.
[Image: CPU temperature check]
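To see which of these checks an analysis VM would trip, here is an added PowerShell script that re-implements the six checks above and reports each result. It is example code written for this post, not the RAT's own code. The registry keys, the BIOS substrings, the core-count threshold and the MSAcpi_ThermalZoneTemperature class are assumptions (the post does not list the exact registry keys, the BIOS array, or the temperature API the RAT calls). Run it in an elevated PowerShell inside the guest.

```powershell
# Added example (not the RAT's code): replay the anti-VM checks on an analysis box.

function Test-VmRegistry {
    # Check 1 (DetectVM): registry artifacts left by guest tools.
    # The post does not name the keys; these VirtualBox/VMware ones are an assumption.
    $keys = @(
        'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions',
        'HKLM:\SYSTEM\CurrentControlSet\Services\VBoxGuest',
        'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools',
        'HKLM:\SYSTEM\CurrentControlSet\Services\vmhgfs'
    )
    foreach ($k in $keys) { if (Test-Path $k) { return $true } }
    return $false
}

function Test-VmBios {
    # Check 2 (DetectVM2): BIOS strings compared against a VM name list.
    # The substrings are an assumption; the post only says the RAT keeps "an array".
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $text = "$($bios.SMBIOSBIOSVersion) $($bios.Version) $($bios.Manufacturer)"
    return [bool]($text -match 'VBOX|VIRTUALBOX|VMWARE|VMW|VIRTUAL|QEMU|BOCHS|XEN')
}

function Test-VmManufacturer {
    # Check 3 (DetectVM3): Win32_ComputerSystem manufacturer/model contains a VM vendor name.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    return [bool]("$($cs.Manufacturer) $($cs.Model)" -match 'virtual|vmware|virtualbox')
}

function Test-VmProcessorId {
    # Check 4 (GetProcessId): a null ProcessorId from Win32_Processor is read as VM.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    return [string]::IsNullOrEmpty($cpu.ProcessorId)
}

function Test-VmCoreCount {
    # Check 5: few cores is a sandbox hint. The threshold of 2 is an assumption.
    $cores = (Get-CimInstance -ClassName Win32_Processor |
              Measure-Object -Property NumberOfCores -Sum).Sum
    return ($cores -lt 2)
}

function Test-VmCpuTemp {
    # Check 6 (CpuTemp): ask for a thermal zone; an error is treated as "VM present".
    # MSAcpi_ThermalZoneTemperature is assumed; the post does not name the RAT's API.
    try {
        $tz = Get-CimInstance -Namespace 'root/WMI' `
                -ClassName MSAcpi_ThermalZoneTemperature -ErrorAction Stop
        return ($null -eq $tz)
    } catch {
        return $true
    }
}

$results = [ordered]@{
    Registry     = Test-VmRegistry
    Bios         = Test-VmBios
    Manufacturer = Test-VmManufacturer
    ProcessorId  = Test-VmProcessorId
    CoreCount    = Test-VmCoreCount
    CpuTemp      = Test-VmCpuTemp
}
$results.GetEnumerator() | ForEach-Object { '{0,-13} VM={1}' -f $_.Key, $_.Value }
```

Two caveats when reading the output: the thermal-zone query also fails on many physical laptops and desktops whose firmware does not expose ACPI thermal zones through WMI, so check 6 produces false positives on bare metal as well; and checks 2 and 3 are defeated simply by editing the SMBIOS strings the hypervisor presents to the guest, which is the usual hardening step for a sandbox.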
RAT Capabilities:
This RAT is capable of several functions for gathering information from the infected machine.
[Image: some functionality of this RAT]
It creates a mutex named "LSASS" (a name that mimics the legitimate Windows LSASS process) to check whether its code is already running on the compromised machine.
[Image: mutex creation on the infected machine]
The C2 domain list of this APT malware's servers.
[Image: C&C servers]
It can also delete itself by running a batch script.
[Image: batch file that deletes the malware]
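The mutex name doubles as a host indicator: if a process on a box is holding a mutex called "LSASS", something worth a look is running. Below is an added PowerShell helper, written for this post and not taken from the RAT, that checks for it. Whether the RAT creates the mutex in the Global\ or the session-local namespace is not stated, so both names are tried (an assumption).

```powershell
# Added example (not the RAT's code): test whether a named mutex is currently held.
function Test-MutexPresent {
    param([Parameter(Mandatory)][string]$Name)
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # No mutex with that name exists in this namespace.
        return $false
    } catch [System.UnauthorizedAccessException] {
        # The mutex exists but was created by another account and we cannot open it;
        # for hunting purposes that still counts as present.
        return $true
    }
}

# Session-local first, then the Global namespace (visible across sessions).
foreach ($name in 'LSASS', 'Global\LSASS') {
    '{0,-14} present={1}' -f $name, (Test-MutexPresent -Name $name)
}
```

A session-local mutex is only visible from the same logon session as the process that created it, so run the check from the user's session (or look at the Global\ name) rather than only from a remote admin shell.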
Conclusion:
Malware really keeps evolving and continuously finds new ways to bypass detection and keep its samples running only on the intended victim machines. Virtual machine and sandbox vendors also need to improve their side against these checks. :)