Carlos del Fresno

Beautifying the webinjects of Gootkit

At first glance, Gootkit's webinjects may look like a messy blob of binary data, but there is an easy way to decode them into something readable in a matter of seconds. In this short article we pretty-print a particular webinject file from a recent Gootkit campaign. If you are new to this banking trojan, you may want to read our previous article on Gootkit, where we showed how to recover the webinject configuration file from the Windows registry.
To make it easy to follow along, all of the artifacts used in this article are available on GitHub, including the unprocessed, raw configuration file shown here:

It clearly contains a lot of plain text, but also binary data that is not readable by humans. The key to interpreting it is Protocol Buffers, or protobufs for short: a language-neutral serialization format developed by Google. Messages are declared in a schema (.proto definitions), and their text representation, which is what protoc will print for us below, looks a little like JSON, but on the wire everything is encoded in a compact binary form consisting of numbered fields and untyped values. Protobufs are still not that common on today's websites, but a piece of malware relying on them shows that malware developers keep up with current technology.

First attempt

First we need protoc, the compiler for Protocol Buffers. Prebuilt binaries for Windows and other platforms are available from the official protobuf release downloads.
Once we have the protoc compiler, we can run the following command, feeding the raw configuration file on standard input:
protoc.exe --decode_raw < config.bin
This generates output like:

This is already more pleasant to read, but still not good enough: because --decode_raw works without a schema, it can only show numeric field IDs instead of descriptive names. To fix this, we have to use protoc's --decode parameter instead of --decode_raw.

Second attempt

However, the --decode option requires a message type, together with the .proto definitions that describe it, to be passed along. Luckily, we can extract them from the malware's own source code. In client_proto_spyware.js we find a reference to a base64-encoded set of protocol buffer definitions:
var config_processor = require("config_processor");
var protobuf = require('protocol_buffers');
var Buffer = require('buffer').Buffer;
var messages = protobuf(new Buffer('…
After base64-decoding that string we find, among the message definitions, the top-level message type we need:
message SpywareConfig {
repeated SpywareConfigEntry injects = 1;
repeated VideoConfigEntry recorders = 2;
repeated FragmentConfigEntry fragments = 3;
repeated MailFilterEntry emailfilter = 4;
repeated RedirectionEntry redirects = 5;
repeated PostParamsRecorderEntry post2macros = 6;
optional BotSettings settings = 7;
}
We have extracted all of the message definitions and saved them in a file called protos.txt. Note that they use proto2 syntax (optional and repeated fields); protoc assumes proto2 when a file carries no syntax line, so the definitions can be used as they are.
Calling the protoc compiler again, this time with the message type and the definitions file, we get the clean output we wanted:
protoc.exe --decode=SpywareConfig protos.txt < config.bin
Output:

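To make the two protoc steps concrete, here is an added example, written for this page and not taken from S21sec's tooling or from Gootkit, that reimplements in Python what --decode_raw and --decode=SpywareConfig do: a schema-less parser of the protobuf wire format, plus a name mapping applied to the decoded field numbers. The outer field numbers and names come from the SpywareConfig definition quoted above; the inner layouts of SpywareConfigEntry and BotSettings, the sample URLs and the sample bytes are constructed assumptions for illustration, not data from a real configuration.

```python
# Added example (not S21sec or Gootkit code): minimal Protocol Buffers
# wire-format decoder mirroring `protoc --decode_raw` and `--decode`.
# Wire types from the protobuf encoding spec.
VARINT, FIXED64, LENGTH_DELIMITED, FIXED32 = 0, 1, 2, 5


def read_varint(buf, pos):
    """Read a base-128 varint at buf[pos]; return (value, position after it)."""
    value = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def encode_varint(value):
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)


def encode_field(number, value):
    """Encode an int as a varint field, or bytes as a length-delimited field."""
    if isinstance(value, int):
        return encode_varint(number << 3 | VARINT) + encode_varint(value)
    return encode_varint(number << 3 | LENGTH_DELIMITED) + encode_varint(len(value)) + value


def decode_raw(buf):
    """Schema-less parse like --decode_raw: a list of (field_number, value).
    A length-delimited payload becomes a nested message if it parses cleanly
    and stays bytes otherwise. protoc makes the same guess, and it can misfire
    on short strings whose bytes happen to form valid tags."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        number, wire_type = tag >> 3, tag & 7
        if number == 0:
            raise ValueError("field number 0 is reserved")
        if wire_type == VARINT:
            value, pos = read_varint(buf, pos)
        elif wire_type in (FIXED64, FIXED32):
            size = 8 if wire_type == FIXED64 else 4
            if pos + size > len(buf):
                raise ValueError("truncated fixed-width field")
            value, pos = int.from_bytes(buf[pos:pos + size], "little"), pos + size
        elif wire_type == LENGTH_DELIMITED:
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length runs past the end of the buffer")
            chunk, pos = buf[pos:pos + length], pos + length
            try:
                value = decode_raw(chunk) if chunk else chunk
            except ValueError:
                value = chunk
        else:  # 3/4 are deprecated groups, 6/7 unassigned: not a valid message
            raise ValueError("unsupported wire type %d" % wire_type)
        fields.append((number, value))
    return fields


def to_text(fields, schema, message, indent=0):
    """Render like --decode=<message>: numbers become names from `schema`,
    a dict {message_name: {number: (field_name, nested_message_or_None)}}.
    Numbers absent from the schema print numerically, like unknown fields."""
    pad, lines = "  " * indent, []
    for number, value in fields:
        name, nested = schema.get(message, {}).get(number, (str(number), None))
        if isinstance(value, list):
            lines.append("%s%s {" % (pad, name))
            lines.extend(to_text(value, schema, nested, indent + 1))
            lines.append("%s}" % pad)
        elif isinstance(value, bytes):
            text = value.decode("utf-8", "backslashreplace").replace('"', '\\"')
            lines.append('%s%s: "%s"' % (pad, name, text))
        else:
            lines.append("%s%s: %d" % (pad, name, value))
    return lines


# Outer names are from the SpywareConfig definition in the article; the inner
# layouts are ASSUMED for illustration (the real ones are in protos.txt).
SCHEMA = {
    "SpywareConfig": {1: ("injects", "SpywareConfigEntry"), 2: ("recorders", "VideoConfigEntry"),
                      3: ("fragments", "FragmentConfigEntry"), 4: ("emailfilter", "MailFilterEntry"),
                      5: ("redirects", "RedirectionEntry"), 6: ("post2macros", "PostParamsRecorderEntry"),
                      7: ("settings", "BotSettings")},
    "SpywareConfigEntry": {1: ("url", None), 2: ("data", None)},  # assumed
    "BotSettings": {1: ("interval", None)},                        # assumed
}

# Constructed sample config for the demo, not a real Gootkit artifact.
SAMPLE_CONFIG = (
    encode_field(1, encode_field(1, b"https://bank.example/login")
                 + encode_field(2, b'<script src="https://inj.example/a.js"></script>'))
    + encode_field(1, encode_field(1, b"https://other.example/*") + encode_field(2, b"..."))
    + encode_field(7, encode_field(1, 60))
)


def pretty_print(buf, message="SpywareConfig", schema=SCHEMA):
    """Equivalent of `protoc --decode=<message> protos.txt < config.bin`;
    pass schema={} for the numeric-only view of --decode_raw."""
    return "\n".join(to_text(decode_raw(buf), schema, message))


if __name__ == "__main__":
    print(pretty_print(SAMPLE_CONFIG, schema={}))  # first attempt: numbers only
    print(pretty_print(SAMPLE_CONFIG))             # second attempt: names
```

Running the script prints the numeric view first and the named view second, which is exactly the difference between the two protoc invocations in the article. The heuristic in decode_raw is also why --decode_raw sometimes shows a short string as a nested message: the bytes of a string can accidentally form valid tags, and only the schema resolves the ambiguity.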
Author: S21sec ACS Department
