When we talk about the sophistication of malware we usually discuss Windows implementations, yet there are many very interesting implementations for Unix systems as well. Although the WireNet versions for Linux are not new (there are records of the threat going back to 2012), new versions keep appearing.
In this article, therefore, a WireNet sample (SHA-256 8ac27ee1e5d02ce9d83ba26c50221ce07cdc378172c87a17ec6ef7fb10544734) is analysed, with emphasis on its credential-harvesting methods and on its RAT and keylogger functionality.
First, it collects the context of the machine: the time, the permissions it is running with, whether the operating system is Red Hat- or Debian-based, and the specific version installed.
Persistence is achieved through a launcher entry in the ~/.config/autostart/ directory, which makes the malware start every time the user logs in (this is the XDG autostart mechanism honoured by the common Linux desktop environments).
Once the file is opened, it will include the following configuration:
This makes the file executable as an Ubuntu desktop launcher (a .desktop entry), so the desktop session starts it at login.
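An audit of that persistence location, added here as an example (it is not code from the sample or from the original article): it parses every .desktop entry under an autostart directory and reports the ones whose Exec target lives outside the usual system directories, in a hidden path or in a world-writable directory, or which hide themselves from the desktop's startup-application list. The entries written by build_sample() are constructed and the paths in them are hypothetical.

```python
"""Audit XDG autostart entries for launchers that look like WireNet's persistence.

Added example, not code from the sample or the article. Assumptions: entries live
in ~/.config/autostart/*.desktop (XDG autostart convention); the sample entries
written by build_sample() are constructed and their paths hypothetical.
"""
import configparser
import shlex
import shutil
import tempfile
from pathlib import Path

# Where the Exec= target of a legitimate autostart entry normally lives.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/libexec/", "/usr/lib/", "/usr/local/bin/",
                    "/bin/", "/opt/", "/snap/")
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_desktop(path):
    """Return the [Desktop Entry] keys of a .desktop file, or None if malformed."""
    cp = configparser.RawConfigParser(strict=False, interpolation=None)
    cp.optionxform = str                      # keep key case: Exec, NoDisplay, ...
    try:
        cp.read(path, encoding="utf-8")
    except configparser.Error:
        return None
    if not cp.has_section("Desktop Entry"):
        return None
    return dict(cp.items("Desktop Entry"))


def exec_target(exec_line):
    """Program invoked by an Exec= line; bare names are resolved through PATH."""
    try:
        tokens = shlex.split(exec_line)
    except ValueError:
        tokens = exec_line.split()
    if not tokens:
        return ""
    prog = tokens[0]
    if "/" not in prog:
        prog = shutil.which(prog) or prog
    return prog


def audit_autostart(directory):
    """Return [(file name, [reasons])] for the entries worth a second look."""
    findings = []
    for path in sorted(Path(directory).glob("*.desktop")):
        entry = parse_desktop(path)
        if entry is None or entry.get("Hidden", "").lower() == "true":
            continue                          # Hidden=true disables the entry
        target = exec_target(entry.get("Exec", ""))
        reasons = []
        if not target:
            reasons.append("empty-exec")
        else:
            if not target.startswith(TRUSTED_PREFIXES):
                reasons.append("exec-outside-trusted-dirs")
            if target.startswith(WORLD_WRITABLE):
                reasons.append("world-writable-dir")
            if any(p.startswith(".") for p in Path(target).parts if p not in (".", "..")):
                reasons.append("hidden-path")
        if entry.get("NoDisplay", "").lower() == "true":
            reasons.append("nodisplay")       # keeps the entry out of GUI lists
        if reasons:
            findings.append((path.name, reasons))
    return findings


def build_sample():
    """Write two constructed entries (one benign, one WireNet-like) to a temp dir."""
    d = Path(tempfile.mkdtemp(prefix="autostart-"))
    (d / "nm-applet.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=Network\nExec=/usr/bin/nm-applet\n")
    (d / "update.desktop").write_text(        # hypothetical hidden dropper path
        "[Desktop Entry]\nType=Application\nName=update\n"
        "Exec=/home/victim/.config/.update\nNoDisplay=true\nX-GNOME-Autostart-enabled=true\n")
    return d


if __name__ == "__main__":
    for name, why in audit_autostart(Path.home() / ".config" / "autostart"):
        print(name, ", ".join(why))
```

Run it against the real ~/.config/autostart of every user on the box (and /etc/xdg/autostart for the system-wide copies). Entries that wrap the payload in `sh -c "..."` resolve to the shell itself, which is trusted, so a fuller check should also inspect the argument after `-c`.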
For Mozilla products, WireNet decrypts saved passwords with the same routine the original software uses.
To do so, it reads the encrypted credentials from the signons.sqlite database (older profiles) or from the logins.json file that replaced it, which stores the logins the user has asked the browser to remember.
WireNet then performs the decryption by calling functions of the Mozilla NSS API, the same library Firefox uses, so it does not need to reimplement the cipher or the key handling itself.
A very similar implementation can be found in open source, in the following repository: https://github.com/kholia/mozilla_password_dump
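What those encrypted fields actually contain, as an added example (not the WireNet routine and not the mozilla_password_dump tool): every encryptedUsername and encryptedPassword value in logins.json is base64 of a DER blob written by NSS's PK11SDR_Encrypt, a SEQUENCE holding the key ID, the algorithm (3DES-CBC) with its IV, and the ciphertext. The 3DES key named by that key ID lives in the profile's key4.db and only NSS can unwrap it, which is why a harvester calls PK11SDR_Decrypt rather than reimplementing the cipher. The logins.json text and the DER blob below are constructed by hand; nss_decrypt() assumes libnss3.so is loadable and a real profile directory, and is not exercised by the sample run.

```python
"""Unpack the encrypted fields of a Firefox logins.json.

Added example, not the WireNet code or mozilla_password_dump. The sample JSON
and DER blob are constructed; nss_decrypt() assumes libnss3.so is present.
"""
import base64
import ctypes
import json

DES_EDE3_CBC = "1.2.840.113549.3.7"


def _tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _oid(value):
    """Decode a DER OBJECT IDENTIFIER body to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def unpack_sdr(blob):
    """SEQUENCE { keyID OCTET STRING, SEQUENCE { alg OID, iv OCTET STRING }, data OCTET STRING }."""
    tag, seq, _ = _tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("not an SDR blob: outer tag is not SEQUENCE")
    _, key_id, pos = _tlv(seq, 0)
    _, alg, pos = _tlv(seq, pos)
    _, data, _ = _tlv(seq, pos)
    _, oid_body, p = _tlv(alg, 0)
    _, iv, _ = _tlv(alg, p)
    return {"key_id": key_id, "algorithm": _oid(oid_body), "iv": iv, "ciphertext": data}


def extract_logins(logins_json_text):
    """Hostname plus the unpacked username/password blobs of every saved login."""
    out = []
    for login in json.loads(logins_json_text).get("logins", []):
        out.append({
            "hostname": login.get("hostname"),
            "username": unpack_sdr(base64.b64decode(login["encryptedUsername"])),
            "password": unpack_sdr(base64.b64decode(login["encryptedPassword"])),
        })
    return out


class SECItem(ctypes.Structure):             # NSS SECItem: { type, data, len }
    _fields_ = [("type", ctypes.c_uint), ("data", ctypes.c_void_p), ("len", ctypes.c_uint)]


def nss_decrypt(profile_dir, blob):
    """Decrypt an SDR blob with the profile's key4.db via libnss3 (assumed installed).

    This is the call Firefox itself makes; it fails when a master password is set."""
    nss = ctypes.CDLL("libnss3.so")
    nss.NSS_Init.argtypes = [ctypes.c_char_p]
    nss.PK11SDR_Decrypt.argtypes = [ctypes.POINTER(SECItem), ctypes.POINTER(SECItem), ctypes.c_void_p]
    if nss.NSS_Init(b"sql:" + profile_dir.encode()) != 0:
        raise RuntimeError("NSS_Init failed: check the profile directory")
    buf = ctypes.create_string_buffer(blob, len(blob))
    inp = SECItem(0, ctypes.addressof(buf), len(blob))
    out = SECItem(0, None, 0)
    try:
        if nss.PK11SDR_Decrypt(ctypes.byref(inp), ctypes.byref(out), None) != 0:
            raise RuntimeError("PK11SDR_Decrypt failed: master password set or wrong key4.db")
        return ctypes.string_at(out.data, out.len)
    finally:
        nss.NSS_Shutdown()


# Constructed blob: 16-byte key ID, des-ede3-cbc with an 8-byte IV, two cipher blocks.
SAMPLE_BLOB = bytes.fromhex(
    "303a"                                   # SEQUENCE, 58 bytes
    + "0410" + "01" * 16                     #   keyID OCTET STRING
    + "3014" + "0608" + "2a864886f70d0307"   #   SEQUENCE { OID 1.2.840.113549.3.7,
    + "0408" + "0001020304050607"            #              IV OCTET STRING }
    + "0410" + "aa" * 16                     #   ciphertext OCTET STRING
)

SAMPLE_LOGINS_JSON = json.dumps({
    "nextId": 2,
    "logins": [{"id": 1, "hostname": "https://example.test", "encType": 1,
                "encryptedUsername": base64.b64encode(SAMPLE_BLOB).decode(),
                "encryptedPassword": base64.b64encode(SAMPLE_BLOB).decode()}],
})

if __name__ == "__main__":
    for entry in extract_logins(SAMPLE_LOGINS_JSON):
        print(entry["hostname"], entry["password"]["algorithm"], entry["password"]["ciphertext"].hex())
```

The practical consequence for defenders: a master password is the only thing that stops the NSS call from succeeding for any process running as the user, because key4.db is otherwise unlocked with an empty password.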
The Pidgin instant-messaging client stores credentials in clear text in ~/.purple/accounts.xml, so once WireNet verifies that the file exists it parses it and sends the contents to the CnC server.
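The parsing step above, as an added example rather than the sample's own code: Pidgin writes a root <account> element wrapping one <account> per configured IM account, with the password as plain text in a <password> element only when the user asked Pidgin to remember it. The XML below is constructed and the accounts, hosts and password in it are hypothetical.

```python
"""Parse Pidgin's ~/.purple/accounts.xml and list the accounts whose password it holds.

Added example, not the WireNet code. The XML is constructed; names and the
password are hypothetical.
"""
import xml.etree.ElementTree as ET

SAMPLE_ACCOUNTS_XML = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@xmpp.example.test/laptop</name>
    <password>hunter2</password>
    <settings>
      <setting name='server' type='string'>xmpp.example.test</setting>
      <setting name='port' type='int'>5222</setting>
    </settings>
  </account>
  <account>
    <protocol>prpl-irc</protocol>
    <name>bob@irc.example.test</name>
    <settings>
      <setting name='port' type='int'>6697</setting>
    </settings>
  </account>
</account>
"""


def parse_pidgin_accounts(xml_text):
    """One dict per account; password is None when Pidgin did not store it in the file."""
    root = ET.fromstring(xml_text)
    accounts = []
    for acct in root.findall("account"):
        pw = acct.find("password")
        settings = {s.get("name"): s.text for s in acct.findall("settings/setting")}
        accounts.append({
            "protocol": acct.findtext("protocol"),
            "name": acct.findtext("name"),
            "server": settings.get("server"),
            "port": settings.get("port"),
            "password": pw.text if pw is not None else None,
        })
    return accounts


def stored_passwords(accounts):
    """Only the accounts a harvester actually gets a credential for."""
    return [a for a in accounts if a["password"] is not None]


if __name__ == "__main__":
    for a in stored_passwords(parse_pidgin_accounts(SAMPLE_ACCOUNTS_XML)):
        print(a["protocol"], a["name"], a["server"], a["password"])
```

Since the file is readable by its owner and nothing else stops a same-user process from opening it, an auditd watch on ~/.purple/accounts.xml is a cheap way to see which processes other than pidgin read it.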
For Opera, it only checks for the existence of the credentials file and uploads it to the Command & Control server without decrypting it. Although the credentials are encrypted with 3DES, the decryption routine has been reverse engineered and published (https://securityxploded.com/operapasswordsecrets.php) and there are even ready-made tools for it, so recovering the credentials is trivial for the attacker.
Both Chrome and its associated open source project Chromium store their passwords in a sqlite3 database named Login Data, under $HOME/.config/google-chrome/Default/ and $HOME/.config/chromium/Default/ respectively.
WireNet reads it, decrypts the stored values and then sends the information to the C2.
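What that decryption amounts to on Linux, as an added example (not the WireNet routine): the database is built in memory here with only the three columns needed, since the real logins table has many more. Values prefixed "v10" use Chromium's Linux fallback key, PBKDF2-SHA1 of the fixed password "peanuts" with salt "saltysalt", one iteration, a 16-byte key and AES-128-CBC with an IV of sixteen spaces, so no secret is involved at all. Values prefixed "v11" are encrypted with a random secret held in the desktop keyring (GNOME Keyring or KWallet) and cannot be recovered from the file alone; very old profiles stored the password as-is. The AES step needs the third-party `cryptography` package; without it the code still reads and classifies every row but leaves v10 values undecrypted.

```python
"""Read Chromium's "Login Data" store and show what recovering each password needs.

Added example, not the WireNet routine. The database and its rows are constructed.
"""
import hashlib
import sqlite3

try:
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
except ImportError:          # AES step unavailable; classification still works
    Cipher = None

V10_IV = b" " * 16


def derive_v10_key():
    """Chromium's hard-coded Linux key: obfuscation, not protection."""
    return hashlib.pbkdf2_hmac("sha1", b"peanuts", b"saltysalt", 1, dklen=16)


def classify(blob):
    if blob.startswith(b"v10"):
        return "v10"             # fixed "peanuts" key
    if blob.startswith(b"v11"):
        return "v11"             # random key held in the desktop keyring
    return "plaintext"           # very old profiles


def _aes_cbc(key, data, encrypt):
    cipher = Cipher(algorithms.AES(key), modes.CBC(V10_IV))
    if encrypt:
        padder = padding.PKCS7(128).padder()
        data = padder.update(data) + padder.finalize()
        op = cipher.encryptor()
        return op.update(data) + op.finalize()
    op = cipher.decryptor()
    data = op.update(data) + op.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(data) + unpadder.finalize()


def decrypt_password(blob):
    """Return (scheme, plaintext or None); None means not recoverable from the file here."""
    scheme = classify(blob)
    if scheme == "plaintext":
        return scheme, blob
    if scheme == "v11" or Cipher is None:
        return scheme, None
    return scheme, _aes_cbc(derive_v10_key(), blob[3:], encrypt=False)


def encrypt_v10(plaintext):
    """Only used to build the constructed sample row."""
    if Cipher is None:
        return b"v10"
    return b"v10" + _aes_cbc(derive_v10_key(), plaintext, encrypt=True)


def build_sample_db():
    """Constructed stand-in for ~/.config/chromium/Default/Login Data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?)", [
        ("https://mail.example.test/", "alice", encrypt_v10(b"s3cret")),
        ("https://bank.example.test/", "bob", b"v11" + bytes(16)),   # keyring-backed
        ("https://old.example.test/", "carol", b"legacy-plain"),
    ])
    return conn


def dump_logins(conn):
    rows = []
    for url, user, blob in conn.execute(
            "SELECT origin_url, username_value, password_value FROM logins"):
        scheme, value = decrypt_password(bytes(blob))
        rows.append((url, user, scheme, value))
    return rows


if __name__ == "__main__":
    for row in dump_logins(build_sample_db()):
        print(*row)
```

Against a live profile, copy the file first: Chromium keeps it locked while running. The distinction between v10 and v11 is the one that matters when assessing exposure, because a v10 store is readable by any process running as the user, while a v11 store also requires the unlocked keyring.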
WireNet also has RAT functionality, such as capturing desktop screenshots and uploading them to the CnC server.
This is done through the X11 display server API (Xlib), not through any particular window manager.
It also includes a keylogger: through XListInputDevices() (the XInput extension) it looks for the device labelled “System keyboard”, subscribes to its key events with XSelectExtensionEvent() and then reads every keyboard event from the queue with XNextEvent(). Because classic X11 does not isolate clients from one another, any process with access to the display can do this with no privileges beyond the user's own session.
Command & Control
Dynamic analysis shows communication with the host 103.192.226[.]209, encrypted with AES.
Part of the communication with the server uses the HTTP GET method, with requests of the following structure (the %s is the format placeholder for the request path):
GET %s HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Interestingly, this User-Agent corresponds to Internet Explorer 11 on Windows 8.1 (NT 6.3), a small incongruity given that the malware targets Linux hosts, and a convenient thing for a defender to match on.
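That incongruity turned into a check, as an added example that is not part of the original article: a scan over proxy log lines in the Apache/Squid combined format that flags requests to the reported C2 address, requests carrying the exact User-Agent above, and requests whose User-Agent claims Windows but whose source host is recorded as Linux in the asset inventory. The log lines and the inventory are constructed; the request path in the sample is a guess, since the article only shows the %s placeholder.

```python
"""Flag proxy-log entries matching the WireNet C2 traffic described above.

Added example, not from the article. Log lines and inventory are constructed;
the C2 address and User-Agent are the ones the article reports.
"""
import re

C2_HOSTS = {"103.192.226.209"}
WIRENET_UA = "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"

# Constructed asset inventory: client IP -> operating system.
INVENTORY = {"10.0.0.12": "linux", "10.0.0.40": "windows"}

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
HOST_RE = re.compile(r'^[a-z]+://([^/:]+)')


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def check(rec, inventory=INVENTORY):
    """Reasons this record is suspicious, in a fixed order."""
    reasons = []
    m = HOST_RE.match(rec["url"])
    host = m.group(1) if m else rec["url"].split("/")[0].split(":")[0]   # CONNECT host:port
    if host in C2_HOSTS:
        reasons.append("c2-host")
    if rec["ua"] == WIRENET_UA:
        reasons.append("wirenet-ua")
    if "Windows NT" in rec["ua"] and inventory.get(rec["src"]) == "linux":
        reasons.append("ua-os-mismatch")
    return reasons


def scan(lines, inventory=INVENTORY):
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # not combined format; skip, don't crash
        reasons = check(rec, inventory)
        if reasons:
            hits.append((rec["src"], rec["url"], reasons))
    return hits


# Constructed sample log: one WireNet beacon, two benign requests, one weaker signal.
SAMPLE_LOG = [
    '10.0.0.12 - - [05/Mar/2020:10:15:02 +0000] "GET http://103.192.226.209/ HTTP/1.1" 200 512 "-" "'
    + WIRENET_UA + '"',
    '10.0.0.40 - - [05/Mar/2020:10:15:09 +0000] "GET http://www.example.test/index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0 Safari/537.36"',
    '10.0.0.12 - - [05/Mar/2020:10:16:41 +0000] "GET http://mirror.example.test/pool/main/ HTTP/1.1" 200 2048 "-" '
    '"Debian APT-HTTP/1.3 (1.8.2)"',
    '10.0.0.12 - - [05/Mar/2020:10:17:03 +0000] "GET http://www.example.test/ HTTP/1.1" 200 300 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0"',
]

if __name__ == "__main__":
    for src, url, why in scan(SAMPLE_LOG):
        print(src, url, ", ".join(why))
```

The OS-mismatch rule on its own is only a lead (Wine applications and some update clients also send Windows User-Agents from Linux hosts); the C2 address and the exact User-Agent string are the high-confidence matches.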
As for the Command & Control server, no open services were found other than RDP. Looking at that service's login screen, it is a Windows Server 2008 machine configured in Chinese.