{"id":21483,"date":"2024-03-22T16:25:02","date_gmt":"2024-03-22T15:25:02","guid":{"rendered":"https:\/\/www.nextron-systems.com\/?p=21483"},"modified":"2024-10-11T16:04:26","modified_gmt":"2024-10-11T14:04:26","slug":"unveiling-kamikakabot-malware-analysis","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2024\/03\/22\/unveiling-kamikakabot-malware-analysis\/","title":{"rendered":"Unveiling KamiKakaBot – Malware Analysis"},"content":{"rendered":"

[et_pb_section fb_built=”1″ admin_label=”section” _builder_version=”4.16″ da_disable_devices=”off|off|off” global_colors_info=”{}” da_is_popup=”off” da_exit_intent=”off” da_has_close=”on” da_alt_close=”off” da_dark_close=”off” da_not_modal=”on” da_is_singular=”off” da_with_loader=”off” da_has_shadow=”on”][et_pb_row admin_label=”row” _builder_version=”4.16″ background_size=”initial” background_position=”top_left” background_repeat=”repeat” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ custom_padding=”|||” global_colors_info=”{}” custom_padding__hover=”|||”][et_pb_text _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

Back in January 2023 Group-IB first reported and documented the TTPs of DarkPink, an APT group that targets the Asia-Pacific regions.<\/span><\/p>\n

We\u2019ve been monitoring KamiKakaBot samples since September of last year. And at the start of this year in January we\u2019ve noticed 2 new samples being uploaded to Virustotal.<\/span><\/p>\n

[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/03\/k1-1.png” title_text=”k1″ _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

These 2 new samples have had a very low detection rate. Which led us to investigate them a bit closer.<\/span><\/p>\n

\u00a0<\/span>The following is a full writeup on the newer variants KamiKakaBot samples from the initial lure to full persistence on disk and credential stealer component.<\/span><\/p>\n

\n

Johann Aydinbas<\/a> was the first to spot this and mention it on twitter<\/a>. Kudos to him. <\/span><\/p>\n<\/blockquote>\n

[\/et_pb_text][et_pb_text _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

Start Of The Infection<\/strong><\/h1>\n

As discussed in the original Group-IB research blog, DarkPink APT uses ISO files as a phishing mechanism. And this case is not much different in terms of structure.The ISO in question is named \u201cProposed Concept Note on the AOIP-based Comprehensive Regional Architecture.iso\u201d<\/strong> and contains the following.<\/span><\/p>\n

[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/03\/k2-1.png” title_text=”ka2″ _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n\n\n\n\n\n\n\n
\n

Name<\/span><\/p>\n<\/td>\n

\n

Description<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

ID SOM LETTER ON CONCEPT NOTE ON THE AOIP-BASED COMPREHENSIVE REGIONAL ARCHITECTURE.PDF<\/span><\/p>\n<\/td>\n

\n

Lure document that is never used by the malware
<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

CN AOIP-BASED COMPREHENSIVE REGIONAL ARCHITECTURE (1).DOCX.EXE<\/span><\/p>\n<\/td>\n

\n

Legitimate WinWord.EXE binary masqueraded as a double extension file to incentivise the victim to click it<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

~CN AOIP-BASED COMPREHENSIVE REGIONAL ARCHITECTURE (1).DOC<\/span><\/p>\n<\/td>\n

\n

Lure document that also contains the .NET XML task that will load the KamiKakaBot main component as well as the credential stealer component<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

WWLIB.DLL<\/span><\/p>\n<\/td>\n

\n

Loader<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/span><\/p>\n

These newer KamiKakaBot samples use \u201cWWLIB.dll\u201d DLL in order to side-load the malicious payload, in contrast to \u201cMSVCR100.dll\u201d DLL that was used in older variants.<\/span><\/p>\n

Something to note is that winword.exe (which is the binary being used to sideload the WWLIB DLL) as well as many Microsoft Office utilities such as Excel, PowerPoint, etc are vulnerable to many other side loading vulnerabilities. As it\u2019s illustrated in the screenshot below that\u2019s taken from hijacklibs.net<\/a>.<\/span><\/p>\n

[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/03\/k3.png” title_text=”k3″ _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

WWLIB Sideloading<\/strong><\/h1>\n

The infection starts when the victim launches the binary \u201cCN AOIP-BASED COMPREHENSIVE REGIONAL ARCHITECTURE (1).DOCX.EXE\u201d<\/em><\/strong> which is the legitimate \u201cWinWord.exe\u201d binary masqueraded as a word document using the double extension technique. It tries to side load the \u201cWWLIB.dll\u201d from the current directory.<\/span><\/p>\n

Once loaded, it starts by searching the current directory for a file that has the following characteristics:<\/span><\/p>\n