Research

A detailed analysis of the Menorah malware used by APT34

by Vlad Pasca, Senior Malware & Threat Analyst
by Vlad Pasca, Senior Malware & Threat Analyst

Executive summary

Menorah malware was used by the APT34 group, which targeted organizations in the Middle East and was discovered by Trend Micro in August this year. The malware creates a mutex to ensure that only one copy is running at a single time. It extracts the hostname and the username and computes a hash that identifies the infected machine. The following commands are implemented: create new processes, list files and subdirectories from a specific directory, exfiltrate arbitrary files, and download files on the host.

Analysis and findings

SHA256: 64156f9ca51951a9bf91b5b74073d31c16873ca60492c25895c1f0f074787345

The malware must run with a parameter that is equal to the first two letters from the current directory, as highlighted below.

Figure 1
Figure 1

It creates a mutex called “115CF7F6-69B4-49EE-B453-BAF00531AC52” to ensure that only one copy of the malware is running at a single time (Figure 2).

Figure 2
Figure 2

The process sets the interval of a timer to 32 seconds, which ensures a continuous communication with the C2 server:

Figure 3

Figure 3

The hostname and username are retrieved, and then the malware computes the MD5 hash of the concatenation between these two values:

Figure 4

Figure 4

Figure 5

Figure 5

The following string is constructed “d@<MD5 hash>@HostName|Username”, as highlighted in Figure 6.

Figure 6

Figure 6

The C2 server “http[:]//tecforsc-001-site1.gtempurl[.]com/ads.asp” is hard-coded in the malware (see Figure 7).

Figure 7

Figure 7

Figure 8

Figure 8

Figure 9

Figure 9

The binary chooses a random number between 3 and 14 and generates a string of characters based on a hard-coded “key”, as shown below:

Figure 10

Figure 10

Figure 11

Figure 11

The encoded string that identifies the host is exfiltrated to the C2 server via a POST request. The server response is read using the GetResponse, GetResponseStream, and ReadToEnd functions:

Figure 12

Figure 12

Figure 13

Figure 13

The malicious process creates a new thread that handles the C2 server response:

Figure 14

Figure 14

The server response has the following structure “[@<Value>@]”. The extracted value is Base64-decoded and decrypted using the XOR operator. The decrypted string has the following structure “Param1@Param2@Param3”. Param2 is a command ID that can be 1 or 2, and Param3 is the command to be executed that is Base64-encoded.

Figure 15

Figure 15

Figure 16

Figure 16

Command starts with “+sp” – Create a process and exfiltrate its output

The third parameter also contains a process name that will be spawned by the malware:

Figure 17

Figure 17

Figure 18

Figure 18

The CommandLineToArgvW API is used to obtain an array of pointers to the cmdline arguments. The binary creates an anonymous pipe using CreatePipe, and the read handle is made inheritable, as shown below:

Figure 19

Figure 19

Figure 20

Figure 20

The malware creates a new process via a function call to the CreateProcess function. The process’ output is read using the PeekNamedPipe and Read methods, and then exfiltrated to the C2 server:

Figure 21

Figure 21

Command starts with “+nu” – Send a specific string to the C2 server

The following string is sent to the C2 server “1.1.1|http[:]//tecforsc-001-site1.gtempurl[.]com/ads.asp” (see Figure 22).

Figure 22

Figure 22

Command starts with “+fl” – List files and subdirectories from a directory

The third parameter also contains a directory name:

Figure 23

Figure 23

The process calls the GetFiles and GetDirectories functions to extract the files and subdirectories from the main directory. For each of these, the LastWriteTime property is extracted:

Figure 24

Figure 24

Figure 25

Figure 25

The number of files and subdirectories is also added to the structure constructed above:

Figure 26

Figure 26

Command starts with “+dn” – Exfiltrate file content to the C2 server

The third parameter specifies a file that will be exfiltrated. The process reads the file content using the ReadAllBytes method (Figure 27).

Figure 27

Figure 27

The file name, along with the content that is Base64-encoded, is transmitted to the C2 server:

Figure 28

Figure 28

Depending if the file is found on the local machine, one of the following messages is sent to the C2 server:

Figure 29

Figure 29

If the command ID is 2, then the malware creates a file that is populated with content received from the C2 server (Figure 30).

Figure 30

Figure 30

The confirmation message that is sent to the server contains the file path created earlier:

Figure 31

Figure 31

Indicators of Compromise

SHA256

64156f9ca51951a9bf91b5b74073d31c16873ca60492c25895c1f0f074787345

 

MUTEX

115CF7F6-69B4-49EE-B453-BAF00531AC52

 

C2 SERVER

http[:]//tecforsc-001-site1.gtempurl[.]com/ads.asp