How a Bot Engine's Backdoor is Used to Deliver Nemesis Stealer

Written by
Nguyen Nguyen

The Bot Engine framework is typically used in a two-step infection process. In the first step, the malware dropper is used to deliver the Bot Engine framework to the victim’s computer. Once the Bot Engine framework is installed, it will then download various modules, which include the Nemesis stealer. The Nemesis stealer is a powerful malware that can steal a wide range of sensitive information from the victim’s computer, such as passwords, credit card numbers, and other personal data.

Bot Engine Dropper

The malware dropper we observed uses multiple stages to load the final payload, Bot Engine, in memory. The loader relies on simple obfuscation techniques: byte reordering, base64 encoding, zlib compression, and storing the payload as text. Even though the method is simple, it is likely to evade detection mechanisms such as entropy scanners.

File Information

DarkArmor conducted an analysis on the Bot Engine dropper, which possesses the following properties.

File name: tvdeveloper_40d.exe
MD5: 5fb7e4ddb88b99cfb88e2294f62d9078
SHA-1: b88e18a3c4926a188ed55201c5d894c4226093f8
SHA-256: c5ebdc51e607782526b087aff5e3e2bf6fd5e68fa43efe32902d3d1099138b75
Size: 12,800 bytes
File extension: exe
File MIME type: application/x-msdownload

Stage 1

The executable is named tvdeveloper_40d.exe and is a .NET application. Upon execution, the application automatically requests and downloads a resource from the following URL.

hxxps://album.moto-style[.]nl/2020/images/css/design/fabric/bo/Czdcfrl.bmp

The payload is encoded in base64 and in reverse order. Once the malware downloader decodes and reverses the byte order, it proceeds to load the second stage of the malware in memory.

The second stage payload has the following properties.

File name: Olfsmurrlsmxr.dll
MD5: 0ae02f7b9e5000abc9e3e172df298b2a
SHA1: c594fb26cf2b5ee1db12c0112e353851747d3cf3
SHA256: 64578f5f9fc969db0a16d992cb4b6601a11c74618ffec0df9d010128958dd568
Size: 3,114,496 bytes
File extension: exe
File MIME type: application/x-msdownload

Stage 2

After loading the second stage, the dropper proceeds to load the obfuscated payload stored in a JSON file in the application's resources. The payload is encoded in base64, with the byte order reversed, and compressed using gzip. Figure 3 illustrates the payload stored in the resource path.

The following Python code decodes the payload.
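As an added example (not the post's own script), a decoder for the layering described in Stage 1 (base64 plus byte reversal) and Stage 2 (base64, byte reversal and gzip, read from a JSON resource). The order in which the layers are applied, the JSON key name, and the sample blobs are assumptions constructed here for illustration.

```python
import base64
import gzip
import json
import zlib

def decode_layered_payload(blob, compression=None):
    """Undo the layers the dropper applies: base64 text -> reversed bytes
    -> (optionally) gzip or zlib compressed data -> the next-stage binary.
    The layer order is an assumption; the post names the layers, not the order."""
    raw = base64.b64decode(blob.strip())
    raw = raw[::-1]                      # undo the byte-order reversal
    if compression == "gzip":
        return gzip.decompress(raw)
    if compression == "zlib":
        return zlib.decompress(raw)
    return raw

def encode_layered_payload(data, compression=None):
    """Inverse of decode_layered_payload, used here only to build samples."""
    if compression == "gzip":
        data = gzip.compress(data)
    elif compression == "zlib":
        data = zlib.compress(data)
    return base64.b64encode(data[::-1]).decode("ascii")

def decode_json_resource(resource_text, key="payload", compression="gzip"):
    """Stage 2 keeps the blob in a JSON resource; the key name is assumed."""
    return decode_layered_payload(json.loads(resource_text)[key], compression)

def looks_like_pe(data):
    """Sanity check on a decoded stage: a PE image starts with an MZ header."""
    return data[:2] == b"MZ"

# Constructed stand-in for a .NET PE image; not the real payload.
SAMPLE = b"MZ" + b"\x90" * 62 + b"constructed stand-in for a .NET binary"
STAGE1_BLOB = encode_layered_payload(SAMPLE)                      # base64 + reversal
STAGE2_JSON = json.dumps({"payload": encode_layered_payload(SAMPLE, "gzip")})

if __name__ == "__main__":
    stage1 = decode_layered_payload(STAGE1_BLOB)
    stage2 = decode_json_resource(STAGE2_JSON)
    print("stage 1 PE header ok:", looks_like_pe(stage1), len(stage1), "bytes")
    print("stage 2 PE header ok:", looks_like_pe(stage2), len(stage2), "bytes")
```

When applied to a real sample, replace the constructed blobs with the downloaded resource text and the JSON resource extracted from the second-stage DLL, then write the decoded bytes to disk for further analysis.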

The payload decoded at this stage has the following properties.

File name: OneDriveTimerUI.exe
MD5: 07fc6df90bc349c094c258e7a87dee6b
SHA1: 7c1f791077006af1aedfcdd6d4d45862b2db8b91
SHA256: 26d911140d34903e94d8c310e2be8508d0a6ed7100c85a8cc58dc44f663ccfed
Size: 1,911,808 bytes
File extension: exe
File MIME type: application/x-msdownload

Stage 3

OneDriveTimerUI.exe serves as a Bot Engine loader, with the Bot Engine being compressed and stored in the resources. Once the application is loaded, it decompresses the compressed file and executes Bot Engine.

Bot Engine

The Bot Engine is a C# backdoor framework designed so that cybercriminals can use and customize it with ease. The framework lets a developer add or enhance features without altering the core of the malware. Below is a list of the engine’s features:

Common Modules

Below is the list of libraries/modules included in the Bot Engine framework.

IEngine

IEngine is a class that defines the methods the Bot Engine uses for C2 communication. This allows a developer to add new communication methods such as SSH, FTP or UDP. As demonstrated by the modules included in this sample, the engine is highly flexible and capable of using various platforms for C2 communication beyond the common web method.

The following are the engines included in this sample.

AzureWrapper

This engine wrapper uses the Azure platform to retrieve commands from a specified folder and to upload any data extracted by the malware, such as stolen information. In this sample, the bot continuously monitors the directory named ‘bdir’ for commands and uploads the data to the folder named ‘botshare’.

OneDriveWrapper

This engine wrapper uses Microsoft SharePoint to retrieve commands from the SharePoint server. The location of the SharePoint folder is based on the account specified in the settings.

WebChannelWrapper

This engine wrapper communicates with the C2 server through web requests. The engine uses the POST method to retrieve commands from the C2.

C2 Command

The C2 commands are the set of instructions the Bot Engine exchanges with the C2. Each command includes the Bot ID of the infected machine and the specific command to run. Below is a list of these commands.

Modules

Indicators of Compromise


Conclusion

The Bot Engine backdoor is a straightforward backdoor that offers essential functionality, such as executing commands, dropping files, and retrieving files. What sets Bot Engine apart is the adaptability of its framework and how easily a developer can tailor the backdoor to suit a specific environment. Furthermore, since the malware resides in memory, detection of this attack must occur in memory. This backdoor is likely to remain a significant threat in the future.
