Introducing DevOpt: A Multifunctional Backdoor Arsenal

Summary

In recent years, malware attacks have become increasingly sophisticated, and attackers are always finding new ways to exploit vulnerabilities and steal sensitive data. To stay ahead of these threats, security researchers must constantly monitor the landscape and identify new threats as they emerge. In this article, we'll take a closer look at the findings of a recent study conducted by Zscaler's ThreatLabz team, which uncovered a new backdoor built using Free Pascal that has the ability to steal data from infected systems. We'll explore the techniques used by this malware, as well as the tactics employed by cybercriminals to entice users into downloading malicious payloads. By understanding these threats, we can take steps to protect ourselves and our systems from the dangers of malware attacks.

Introduction

Zscaler ThreatLabz has recently unearthed a new backdoor called 'Devopt'. It utilizes hard-coded names for persistence and offers several functionalities, including keylogging, stealing browser credentials, clipper, and more. Multiple versions of the backdoor have surfaced in just the last few days, indicating that it is still in development. In this blog post, we will delve into the specifics of this new backdoor and its workings. Additionally, we will offer tips on how to safeguard yourself against such attacks.

Key Takeaways

• Zscaler ThreatLabz uncovered a new backdoor and named it DevOpt based on the name of the persistence malware
• Discovered on a Russian website promising monetary rewards, victims are lured into downloading malicious payloads containing DevOpt malware
• The malware is currently still in development and is receiving continous improvement updates designed to make it a more potent and effective tool for attackers and threat for defenders
• DevOpt has advanced capabilities to function as a keylogger, stealer, grabber, and a clipper along with persistence mechanisms.

Campaign

While on the hunt for new malware, the ThreatLabz research team at Zscaler came across a newly discovered backdoor that was created using Free Pascal. This backdoor is particularly dangerous as it has the ability to steal data from infected systems.

Zscaler's ThreatLabz research team remains vigilant in tracking new malware threats. During a recent investigation, we discovered a backdoor that uses Free Pascal and is capable of stealing data from infected systems. Additionally, we came across a Russian website where users were offered financial rewards for completing a task that unwittingly involved downloading malware. Further analysis revealed that the downloaded malware had an archive icon, giving the impression of a compressed file and luring users into double-clicking it, which then executed the malware. This discovery underscores the lengths to which cybercriminals will go to lure users into downloading malicious payloads, using tactics such as offering financial incentives. It's worth noting that the malware's downloading URL pattern generally follows this structure: wdfiles-download[.]siteme[.]org/arxiv[digit].exe.

Fig 1. - Russian Website(Translated to english) enticing users into downloading malicious payloads.

Technical Analysis

Two versions of the backdoor have been discovered in the development stage. The first version, which lacks obfuscation to hide its strings, is roughly 20 MB in size and contains a Graphic User Interface not found in the newer variant, which is approximately 2 MB in size. The second version uses encoded integer-based strings for its functionality.

The older version uses plain text HTTP protocol, while the newer variant searches for OpenSSH DLLs in the infected system to establish encrypted HTTPS connections to its command and control. To establish network connections, the backdoor requires several DLLs: libcrypto-1_1.dll, libeay32.dll, libssl-1_1.dll, libssl32.dll, and ssleay32.dll. If the malware is unable to locate these DLLs, it becomes inactive and will not infect the system further.

The earlier version of the backdoor required user interaction by clicking on the Extract button, whereas newer versions run silently in the background without any need for user interaction.

Fig 2. - Earlier version of malware requiring user interaction

Based on the aforementioned observation, it can be concluded that the Threat Actor is adding more features to the backdoor and making it stealthier.

Additional Analysis

After analyzing the malware, our observations revealed that it contains numerous capabilities. The following functionalities were observed:

Persistence

Persistence refers to a malware's capability to remain active on a system even after a reboot or shutdown. This can be achieved by adding entries to the Windows Registry or by creating scheduled tasks. Once a malware establishes persistence, it can continue to operate in the background and carry out malicious activities undetected by the user.

Upon closer observation, researchers noticed that the malware replicated itself in the Startup folder, enabling it to initiate automatically whenever the computer is powered on. Further observations of different versions revealed that it duplicates itself with a name devopt[random 2 digits].exe under the following path: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. 
 

Fig 3. - Persistence mechanism

Clipper

A clipper malware is created to pilfer confidential data from victims. Once it is installed on a victim's device, it can record the clipboard data, which can potentially be used to steal other sensitive information like login credentials, credit card numbers, or other financial data.

Researchers noticed that the malware generates a file called 'clippa.dan' in the C:\User\[User] directory, which logs all the information copied to the clipboard.

Fig 4. - Clipper logging data from the system

Stealer

A stealer malware is created to pilfer sensitive information, such as login credentials, credit card details, and other personal data. Once it is installed on a victim's device, it can monitor the user's activity and steal sensitive information.

The malware generates two files, namely 'cdck.bin' and 'bdck.bin,' in the C:\User\[User] directory, which steal the credentials, cookies, history, and version information of the two specific browsers, respectively.

1. Chrome browser data collected from infected system: 

• [C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies]
• [C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\History]
• [C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Login Data]
• [C:\Users\User\AppData\Local\Google\Chrome\User Data\Last Version]

      2. Yandex data collected from infected system: 

• [C:\Users\User\AppData\Local\Yandex\YandexBrowser\User Data\Default\Network\Cookies]
• [C:\Users\User\AppData\Local\Yandex\YandexBrowser\User Data\Default\Network\History]
• [C:\Users\User\AppData\Local\Yandex\YandexBrowser\User Data\Default\Ya Passman Data]
• [C:\Users\User\AppData\Local\Yandex\YandexBrowser\User Data\Default\Ya Autofill Data]

Keylogger

Keylogger malware is specifically designed to capture every keystroke made by a user on their device. This can be used to steal sensitive information like login credentials, credit card details, and other personal data.

In this case, the malware creates a file named ‘Kebba.dan’ in the C:\User\[User] directory to log the keystrokes of the user.

Fig 5. - Keylogger logging keystrokes

Grabber

Fig 6. - Grabber enumerating the Directories for stealing file contents

Grabber malware is created to illicitly obtain files and other data from an infected device. It targets text, Word, Excel, and RTF files stored in the Document, Download, or Desktop directories, and saves the stolen data in a file named “grb.bin” located at C:\User\[User] directory.

Fig 7. - Grabber File contents stealing data 

Dropped text file 

In previous versions of this backdoor, researchers observed that it drops a file called ‘unpacked.dt’ in the ‘data’ folder of the current directory. This file is likely designed to confuse malware analysts because it appears to be an encoded malicious payload, but in reality, it contains randomly generated alphanumeric strings. In newer versions of the backdoor, a similar file named ‘0.txt’ is dropped in the current directory, which contains random strings that are hardcoded into the malware itself.

Fig 8. - Generating random alphanumeric strings for unpacked.dt file

Configuration File

The researchers noted the presence of a configuration file named "Winkeyjet.ini" that was dropped in the Users directory. This file contains information about the compromised system, such as the name of the operating system, a unique Device_ID, and the version number (Version) that represents the major version information of the compromised system. Additionally, the file includes the malware's hardcoded own version (OwnVer). The configuration file also specifies the Command and Control (CnC) server, which is responsible for providing instructions to the malware once it has been successfully installed.

Fig 9. - Configuration file generated recording the device and version information 

Additional investigation has uncovered that certain malwares that are still in the early stages of development are displaying a message box that contains the text "putin Xyilo", which is a slogan that ridicules Russian President Vladimir Putin.

Fig 10. - Msgbox displayed in underdeveloped versions of malware

Network Communication

Establishing a connection with the Command and Control (CnC) starts with the malware sending a "create" request. Upon recognizing the request, the CnC responds with a "200 OK" message.

After establishing the connection, the malware sends a command request to the CnC, which in turn responds with a SYNC command. Upon receiving the SYNC command, the malware executes the given command and sends a "SYNCRONIZED" response back to the CnC to indicate successful completion.

Fig 11. - Network communication steps 

Commands

Below are the encoded string commands used by the observed malware:

The previous version of the malware did not include the DRLS and PRLS commands for gathering drive and process information, respectively.

Conclusion

Based on the observations made during the malware analysis, it is evident that the malware in question is a sophisticated and multifunctional threat. The malware is capable of performing various malicious activities such as stealing confidential information, logging keystrokes, stealing files, and establishing persistent access to the victim's system.

It is also evident that the threat actor behind the malware is continuously improving the malware by adding new features, making it stealthier, and using various techniques to evade detection. The malware uses encoded strings for its commands and drops files with misleading names to deceive malware analysts.

Furthermore, the malware communicates with a Command and Control server to receive instructions and send stolen data. The server's IP address and other details are hardcoded into the malware.

Overall, the findings highlight the need for robust security measures to protect against advanced and evolving malware threats. It also emphasizes the importance of regular updates and security patches to mitigate the risks associated with these threats.

As cyber threats continue to evolve and become increasingly complex, it is critical to remain alert and take proactive measures to protect against them. The discovery of this new backdoor is a testament to the ever-changing tactics of attackers and underscores the importance of ongoing monitoring and research. Zscaler's ThreatLabz team is dedicated to staying on top of these threats and sharing their findings with the wider community. It is essential to stay informed and take necessary precautions to safeguard against malware attacks. Remember to keep your software up-to-date, use strong passwords, and be wary of suspicious emails or messages.

Zscaler Sandbox Coverage

Zscaler's multilayered cloud security platform detects indicators, as shown below:

Fig 12. - DevOpt Backdoor Zscaler sandbox report

The following threat names are detected by Zscaler's multilayered cloud security platform for identifying malicious payloads:

• Win32.Backdoor.DevOpt

MITRE ATT&CK Techniques

Indicators Of Compromise (IOCs)