Threat Research

Possible New BadPatch Campaign Uses Multi-Component Python Compiled Malware

By Jasper Manuel | October 22, 2019

During our continued threat monitoring effort using a variety of sources, FortiGuard Labs came across an interesting tweet from the security researcher @h4ckak about a suspicious file that looks to be a decoy file in an APT campaign. We dug deeper and found that this file might be part of a new BadPatch campaign. BadPatch is a tag used for a set of malware that was used in a campaign with a possible link to the Gaza hackers group which was first reported in 2017. This group has been involved in an espionage campaign targeting the Middle East since 2012 based on the compilation timestamp of the first malware discovered. Since then, BadPatch has gone off our radar for almost two years.

Fig. 1. Tweet from the researcher Ring4sky

In this article, we will be discussing a new malware used in this attack that we have dubbed ‘B3hpy’ (pronounced as ‘bepai’) based on the strings we found on its code. 

Fig. 2. ‘b3h’ used as uid and version is Py 0.1

This malware is a multi-component python-compiled malware that has the capability to steal and exfiltrate data from targeted victims. We will also be discussing some patterns as proof of this malware’s possible link to BadPatch.

Attack Vector

The attack sample uploaded to VirusTotal is an executable file named رئيس الوزراء محمد إشتيه .scr (Prime Minister Mohammad Ishtayeh .scr). Although we didn’t find the initial vector from which this file came, we believe that it was distributed as an attachment to spam emails, similar to previous BadPatch attacks.

This executable file is an SFX executable containing two files:

Fig. 3. SFX executable containing the decoy document

When executed, this file opens the decoy .doc file, which contains text that looks like it was drawn from a news article from Sama News.

Fig. 4. Decoy document

Fig. 5. News site from which the original text was probably copied

It also executes the file d.exe, which only works on 64-bit Windows machine. We believe, though, that a 32-bit version may also exist as other component files, which we will discuss later, are 32-bit executables. The d.exe file is responsible for downloading three files.

Fig. 6. Additional files downloaded

Interestingly, the attackers host their malware files on GitHub. Some files were uploaded as long as two years ago, while others were only uploaded few days ago. However, they were also compiled in 2017 based on their compilation timestamps. This may mean that the attackers might have been using these files since the discovery of BadPatch in 2017, and still continues to do so today. While not all files are used by the sample we analyzed during our testing, we believe that they can be downloaded and run by the attackers whenever they want them executed.

hxxps://github[.]com/jamelarebhi1980/FilesRep    

Fig. 7. Component files hosted on GitHub

The files Bios.333 (saved as C:\ProgramData\drivers\sn3337.exe) and Bios.111 (saved as C:\ProgramData\drivers\Bios.exe) are then executed. The file sn3337.exe only sets an auto-start registry entry for the file Bios.exe.

Fig. 8. Auto-start mechanism

The file Bios.exe is a 32-bit Python 3-compiled executable. It is compiled using PyInstaller, which is a program that packages programs written in Python into stand-alone executables. This means that there is no need to install Python on the machine in order to execute the Python program. This file is the main malware component that initially communicates with the command and control server (C2) to download and install other component files. The 1.txt file contains base64 encoded data that, when decoded, contains the link to its copy (which can be used to update the C2 address to be used by the malware) on GitHub, along with the address of the C2 server.

Fig. 9. 1.txt containing the C2 address

Shift to Python-Compiled Malware

Earlier reports on BadPatch mentioned malware compiled with C++, Delphi, Visual Basic, and AutoIt. Even Android malware were used in those campaigns.  

Though the hacker group that launched the BadPatch campaign used a variety of compilers, the code logic in some of the malware they used in their previous attacks is very similar to that of the new Python compiled malware.

B3hpy Malware Analysis

In order to extract and analyse the python script and the packages it uses, we need to use a tool in PyInstaller named pyi-archive_viewer. With pyi-archive_viewer, we can extract the main file, which in this case is named “m6937.”

Fig. 10. pyi-archive_viewer showing files contained in the package

The extracted file is a .PYC file, which is a compiled python code. When a Python script (.PY) is run, Python compiles the script to a compiled byte code (.PYC) before running it. In order to decompile the code, we can use a tool called uncompyle6.

When decompiled, we can see that the decompiled code is pretty straightforward.

It first creates two files. One contains the text ‘b3h’ and the other contains the network adapter’s MAC address.

Fig. 11. Files containing the UID and MAC address

It then does an initial communication with its C2. It gets the address of the C2 from the file 1.txt.

All of its C2 communication start with sending a GET request to the path /api/v1/url, which provides a list of parameter names that will be used when sending POST requests to the C2.

Fig. 12. GET request to C2 to get parameter names to be used for the POST request

Interestingly, the parameter names that the C2 provides are combinations of Latin words (two or three Latin words joined into one word). Ex. “Fugiatodio” is a combination of “fugiat” and “odio” which translate to “shun hatred”. We tried to search for these strings from the C2 and found an interesting text file hosted on GitHub that contains many of these strings. However, we don’t know if this is coincidental or if it has really has been copied and used by the attackers.

The initial information it sends to the C2 contains the machine’s computer name, version (probably the malware version ‘Py version 0.1’), MAC address, the text ‘Hi, Connect ’, and the uid ‘b3h’. It does this by sending a POST request to the path /api/v1/logs using the parameters from the C2.

Fig. 13. POST request to C2 containing machine information

Next, it sends a list of files and directories found in the following folders:

%ProgramFiles%

%ProgramFiles (x86)%

%Windows%\Microsoft.NET\Framework

%Windows%\Microsoft.NET\Framework64

Fig. 14. POST request to C2 containing list of files in specific folders

After performing an initial communication with the C2, it then oddly checks for an active internet connection by connecting to http://www.google.com. Logically, this process should be the reverse.

If there’s an active internet connection, it tries to download and execute other malware components. 

Fig. 15. Downloading and executing component files

The response contains data in JSON format with two keys:

  • ‘files’: flag to send a notification to the C2 before downloading components
  • ‘data’: contains a list of objects

The ‘data’ key contains a list of objects that have six attributes:

  • ‘id’: service id of the component
  • ‘name’: probably the component name
  • ‘enabled’: install or remove a component
  • ‘download’: probably a flag to download the component
  • ‘url’: base64 encoded download URL of the component
  • ‘flag’: start or stop the component

The files it downloads are ZIP compressed.

At the time of this writing, we haven’t receive a response to download any component file.

Fig. 16. No download response from the C2

However, we believe that these components are also the ones we can find on the GitHub repo, with names having the format sp6937{component digit}.zip.

Looking at Component Files

sp69372.zip

This component gets a list of files with the following extension names:

Fig. 17. Extension names of files to list

It lists the files by order of priority of where the files were found. Here is the list of folders ordered by their priority:

  • %HomePath%\Desktop or %HomePath%\سطح المكتب
  • %HomePath%\Documents or %HomePath%\مستندات
  • Drives not starting with C:\
  • Directories in C:\ drive other than the above mentioned
Fig. 18. Folder priority

It then sends the data gathered to the attackers via SMTP using the following information:

Fig. 19. SMTP information

sp69373.zip

This component exfiltrates specific files from the victim machine specified by the attackers. It sends a POST request to the path /devices/settings/all with the MAC address of the victim machine to get a list of files (along with the specific file path, file type, or file name) to steal.

Fig. 20. Exfiltrate specific files

It then sends the files via SMTP also using the SMTP information mentioned above.

sp69374.zip

This component captures screenshots of the victim machine. It first captures a screenshot of the current display then gathers screenshots from windows with specific window texts. Some are related to internet browsers, the social networking site Facebook (also in Arabic), the instant messaging service Telegram, and the video-sharing site YouTube.

Fig. 21. List of window texts from which to take screenshots

It sends the screenshots via SMTP, also using the SMTP information mentioned above.

sp69375.zip

This component gets a list of files with the following extension names from the recently opened files.

Fig. 22. Extension names of files to list

It does this by enumerating all files in the %AppData%\Microsoft\Windows\Recent folder and checking if their target paths contain the above extension names.

It sends the list of files via SMTP also using the SMTP information mentioned above.

sp69376.zip

This component exfiltrates files with the following extension names from attached USB drives:

Fig. 23. Extension names of files to exfiltrate

It then sends the files via SMTP, also using the SMTP information mentioned above.

sp69377.zip

This component steals saved user passwords from Google Chrome’s Login Data.

Fig. 24. Stealing saved passwords from Chrome’s Login Data

It the sends the stolen data via SMTP, also using the SMTP information mentioned above.

Top Five Victims by Country

As expected, the highest concentration of victims were primarily from Palestine, as shown below. Interestingly, there is a small volume of victims from countries that are not in the Middle East. However, these are probably from the sandboxes of researchers, or even the attackers themselves testing their malware.

Fig. 25. Victims by Country

Possible BadPatch Link

BadPatch is a tag used for a set of malware written in Visual Basic (VB), AutoIt, and Android malware which was first reported in 2017. Based on this article, the nature of the activity and some of malware artifacts on the related IP address suggest a possible link to the Gaza Hackers group. We will not go further to find a link to Gaza Hackers group, but we will provide some evidence that ‘B3hpy’ may be part of BadPatch.

Let’s first take a look at the C2 address. The C2 is hosted at tstapi[.]pal4u[.]net. The domain pal4u[.]net has already been mentioned as hosting the BadPatch malware in the above mentioned article, so it is possible that the group behind this malware is also behind the BadPatch malware in 2017. Next, we looked at the BadPatch set of malware and found some similar patterns with ‘B3hpy’.

Fig. 26. BadPatch malware table

The malware used in the earlier campaign are very similar to the Python malware in terms of the method of data exfiltration, the data they gather, the SMTP credentials format, and the requested URL path where they get/send additional information. Also, similar to this Python malware, some of the samples came bundled in an executable format with their decoy document.

Conclusion

The malware used in this campaign is not very sophisticated, and is very similar to BadPatch. In fact, it looks like the same malware used in BadPatch campaigns of the past, only ported to a different programming language. At the least, this shows that classic tricks remain adequate to launch a successful espionage campaign. This also shows that the use of free services like GitHub, Pastebin, cloud hosting sites, etc. in APT attacks will continue since traffic going to these sites cannot be immediately blocked as they are legitimate sites.

Solution

Fortinet detects all the B3hpy samples as Python/B3hpy.A!tr.

Malicious URLs related to this malware are blocked by FortiGuard Web Filtering Service.

-= FortiGuard Lion Team =-

IOCs

C2 server:

tstapi[.]pal4u[.]net
195[.]154[.]216[.]74
github[.]com/jamelarebhi1980/FilesRep

Files:

ae912cba54e7e8339f43530f70deb5ae1bcc780fdd4b80569cbe628509468de4 - رئيس الوزراء محمد إشتيه .scr
85a1b924d766524f6760869e412b49d603cdf9975831e912463774913b6886ca - d.exe
ab08a5bdaeb122ad07f68ec747e4ee1681f7572ad69431d0a2038a6e2a6afce5 - Bios.111
9e64a490e5592b9d9064d018c559ae251e2ed757f0f2215aa4acbf4df183688a - Bios.333
fc0ac7f8d9346baf6e4e81d3a4d3bcb72bcd9e2269adfb36617bccd8a987a9e2 - Bios.exe
f0e3a5918ae76558b3a0ab50135403aadec88c55ffdc07624cbc5b8c2ba3669b - Reg.333
3dd6947dcb20e3c2fb5a54ed906ca51fab16563b207bd29cefd64d77d38ded66 - sp69372.exe
d97c841306828f9ebf6d7c0a69b33e82534f1ecf09554742a58f0d59d99b15af - sp69373.exe
75ce26405f46304abdca26e54bbd11506942a6f5bbd64c2974a68fd94087e814 - sp69374.exe
5badba04b373165ffe46b2f96b7f8a57ea352ba3800c34a535143b653fe2153f - sp69375.exe
a80e0118afe0dfba5c2802007041acacdce4222e03f8b64c0c3bd50ea6bf1032 - sp69376.exe
4d89147a7ac41b66aa037294ab96d83c5ce538a40b7c385461f0699e5859bc77 - sp69377.exe

Learn more about FortiGuard Labs and the FortiGuard Security Services portfolioSign up for our weekly FortiGuard Threat Brief.

Read about the FortiGuard Security Rating Service, which provides security audits and best practices.