Tildeb: Analyzing the 18-year-old Implant from the Shadow Brokers’ Leak

by Mohamad Mokbel (Threat Researcher)

On April 14, 2017, The Shadow Brokers (TSB) leaked a bevy of hacking tools named “Lost in Translation.” This leak is notorious for having multiple zero-day remote code execution (RCE) vulnerabilities targeting critical protocols such as Server Message Block (SMB) and Remote Desktop Protocol (RDP) and applications like collaboration and web server-based software. The exploit toolkit includes EternalBlue, EternalChampion, EternalSynergy, EsteemAudit, EchoWrecker, ExplodingCan, EpicHero, and EWorkFrenzy, among others.

The leak also contains multiple post-exploitation implants and utilities, used for maintaining persistence on the infected system, bypassing authentication, performing various malicious activities, and establishing command-and-control (C&C) channels with a remote server, among others. Five of the most notable implants include DoublePulsar, PeddleCheap, ExpandingPulley, KillSuit (KiSu), and DanderSpritz, which all have different capabilities, features, and usage.

What stands out from all of those implants is a standalone executable that has the file name clocksvc.exe, located in the main folder of ExpandingPulley (EP), windowsResourcesEp. This implant has never received any public attention except for a brief mention of the IP address it connects to in a report by CYSINFO. We named this implant Tildeb (detected by Trend Micro as Trojan.Win32.TILDEB.A) because of a unique temporary file that it creates on the system under the name ~debl00l.tmp.

We reverse engineered Tildeb’s capabilities and found it targeting Windows NT 4.0 and Microsoft Exchange Server. Also of note are its multiple fatal programmatic mistakes throughout the code, the use of the mailslot mechanism for interprocess communications, and the level of attention it places on its internal operation as well as C&C communications to stay under the radar.

Analysis of Tildeb’s code reveals that it targets Windows NT 4.0 OS and Microsoft Exchange Server. However, despite the fact that it’s targeting older environments, CYSINFO’s report on its traffic capture shows successful communications with the hardcoded IP address. This could imply that the implant was active and in-the-wild. It also shows the scope and capabilities of the leaked hacking tools: If it is a target of interest, there’s an exploit and an implant for it regardless if it’s legacy or not.

Here are some of the key highlights of our analysis (find a detailed analysis of Tildeb in the attached technical brief):

File code and characteristics. Its compilation timestamp is October 3, 2000. However, it’s possible that it was made earlier considering the time it took to develop and the iterations it might have gone through. Although we cannot say that the compilation timestamp is accurate, it is unlikely to be a forged value considering the environment it is targeting and the compiler version used. Tildeb’s code is not obfuscated in any way, and thus has no anti-disassembly and anti-debugging features, encrypted strings, or similar obfuscation techniques.

Infection vector and relation to other files. Since Tildeb is positioned as a stand-alone implant, we couldn’t link it to any other files from the leak even while searching for various artifacts from the implant. However, we found that it could be related to an unknown exploitation framework or some other tool that works in conjunction with Tildeb. It is unknown how Tildeb gets delivered onto a targeted system, but it would not be surprising if it’s delivered via lateral movement or through some of the other exploitation frameworks with RCE modules targeting Windows NT.

Command-line options. Tildeb is a console-based executable that can take command-line arguments. It can take either 0, 1, 2, 3, or 4 number of arguments at once, and each serves a specific purpose. This includes: communicating to a hardcoded C&C server; creating Transmission Control Protocol (TCP) socket in listening mode; and instructing the implant to elevate privileges to inject code to an Exchange Server process.

Cleanup thread and main process cleanup code. Tildeb has specific behaviors and routines for terminating and deleting itself to stay hidden. For example, Tildeb has a fail-aware thread responsible for housecleaning with respect to specific operations in the code and throughout the program lifetime. Tildeb is not equipped with any persistence mechanism, and it is unlikely that one will be created considering what the cleanup code does.

Network communications. After setting up a secure communication channel, Tildeb is ready to receive control commands to perform various malicious activities on the infected system.

How Tildeb establishes a successful connection

Control commands. The core of Tildeb’s functionality lies in each of the control commands it supports. These commands include: deleting a file; maintaining the connection with the C&C server; uploading files to the C&C server; retrieving a list of files and folders in an infected system; and injecting malicious code into specific Exchange Server processes.

Our reverse engineering and understanding of the code showed that Tildeb is a collection of different code snippets. They are diverse and most likely written by different individuals or a group of individuals with different skill sets and experience. Likewise, some of the committed programmatic errors are fatal to the operation of the implant and breaks intended functionalities, while others are blatant mistakes.

The type of systems Tildeb is targeting could already be considered out-of-date. For example, extended support for Windows NT 4.0 Server and Workstation ended in 2004 (Embedded’s ended in 2006), while Exchange Server 5.5 hasn’t been supported since 2006.

However, it is possible that organizations could still be using these environments/platforms. This is demonstrated by the WannaCry ransomware outbreak, which affected systems and networks running an SMB protocol that was superseded by later protocols in 2007 and deprecated in 2014. This is particularly true for enterprises that use mission-critical and legacy applications that are still necessary for their business operations. Indeed, Tildeb’s potential impact and the challenges that organizations contend with when migrating from or using legacy technologies highlight the significance of securing the organization’s online premises — from gateways, endpoints, servers, and networks, along with the infrastructures that underpin them.

Our technical brief provides detailed research into Tildeb’s inner workings — its C&C communications protocol, control commands, and fail-aware cleanup processes, among other features and capabilities.

Trend Micro Solutions
Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits or implants through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect similar threats even without any engine or pattern update.

The Trend Micro™ TippingPoint® system provides virtual patching and extensive zero-day protection against network-exploitable vulnerabilities via DigitalVaccine™ filters. TippingPoint’s Integrated Advanced Threat Prevention provides actionable security intelligence, shielding against vulnerabilities and exploits, and defending against known and zero-day attacks. TippingPoint’s solutions, such as Advanced Threat Protection and Intrusion Prevention System, powered by XGen™ security, use a combination of technologies such as deep packet inspection, threat reputation, and advanced malware analysis to detect and block attacks and advanced threats.

Trend Micro™ TippingPoint™ customers are protected from Tildeb and its associated malicious activities via these  MainlineDV filters:

  • 33521: TCP: Tildeb Knock Request
  • 33522: TCP: Tildeb Acknowledgment Request

The Trend Micro™ Deep Discovery Inspector™  solution protects customers from Tildeb-related attacks via these DDI rule:

  • 3750: TILDEB – TCP (Request)

The post Tildeb: Analyzing the 18-year-old Implant from the Shadow Brokers’ Leak appeared first on .

This post appeared first on Trend Macro Blog
Author: Trend Micro