Salim Bitam

Not sleeping anymore: SOMNIRECORD's wake-up call

Elastic Security Labs researchers discovered a new malware family written in C++ that we refer to as SOMNIRECORD. This malware functions as a backdoor and communicates with command and control (C2) while masquerading as DNS.


Preamble

While monitoring the REF2924 activity group, Elastic Security Labs researchers identified a new malware family written in C++ that we refer to as SOMNIRECORD. This malware functions as a backdoor and communicates with command and control (C2) while masquerading as DNS, allowing attackers to bypass network security controls such as firewalls and intrusion detection systems. Like NAPLISTENER and SIESTAGRAPH, these factors make it difficult to detect and block using strictly network-based technologies.

Analysis

Upon execution, SOMNIRECORD first generates a random string of three characters used as a unique identifier for the running malware instance. It then probes a domain name that is hardcoded into the binary ("dafadfweer.top") by appending the random three-character string and the string "-PROBE" to the domain name. SOMNIRECORD simulates a DNS query to retrieve the number of commands that are queued for the backdoor to execute, each stored in a TXT record of the associated domain.

After obtaining the number of commands waiting to be executed, the backdoor retrieves each command individually by sending a DNS query for a TXT record. The backdoor prepends the previously generated random string to the "-CMD" string before sending the DNS query. This allows the backdoor to receive each command individually and execute them accordingly.

Command handling

The malware's command handling function is a critical component that enables it to execute commands received from the C2 server. This function processes the command and performs the appropriate action based on the command type. In this malware, there are five commands that the malware can execute: SYS, PSL, sleep, ECM, and WS:

  • “SYS” is used to retrieve information about the infected machine. When this command is executed, the SOMNIRECORD payload collects information about the computer name, the number of processors, OEM ID, and processor type. This information can be used to fingerprint/identify specific infected machines.
  • “PSL” is used to list all processes currently running on the infected machine by executing the system command “tasklist”.
  • “ECM” allows the malware to execute any software already present on the system, such as cmd.exe.
  • “sleep” is used to change the beacon interval to the C2 server.
  • “WS” is used to deploy an ASPX-based webshell to a specified path. The ASPX is hardcoded into the malware itself.

To communicate command results to its C2 server, SOMNIRECORD employs a unique technique that involves encoding the output of executed commands as hex values, prepending the previously generated random string to the "-DATA" string, and then appending the hex values. The malware then performs a DNS query to the resulting subdomain, allowing the encoded command output to be transmitted to the C2 server, for example: XXX-DATA-68656c6c6f20776f726c64.dafadfweer.top
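
As an added example (not Elastic's code and not taken from the malware), the following Python matches the query names described above in DNS logs and decodes the hex-encoded DATA payload. It assumes the three-character identifier is alphanumeric and that PROBE and CMD queries use the same label layout as the DATA example; the sample query names are constructed.

```python
import re
from collections import defaultdict

# Label layout from the article's example: <id>-<TYPE>[-<hex>].<domain>
# Assumptions: the 3-character id is alphanumeric, and PROBE/CMD queries use
# the same layout as the DATA example (CMD may carry a trailing suffix).
LABEL_RE = re.compile(
    r"^(?P<id>[A-Za-z0-9]{3})-(?P<kind>PROBE|CMD|DATA)(?:-(?P<rest>[0-9A-Za-z]*))?$",
    re.IGNORECASE,  # some resolvers and log pipelines lowercase query names
)

def classify_query(qname):
    """Return (id, kind, decoded_payload, parent_domain), or None if no match."""
    first, _, parent = qname.rstrip(".").partition(".")
    m = LABEL_RE.match(first)
    if not m or not parent:
        return None
    payload = None
    kind = m["kind"].upper()
    if kind == "DATA":
        try:
            payload = bytes.fromhex(m["rest"] or "")
        except ValueError:
            return None  # DATA label without valid hex does not fit the pattern
    return m["id"], kind, payload, parent.lower()

def summarize(qnames):
    """Group matching queries per (parent domain, instance id) for triage."""
    sessions = defaultdict(lambda: {"kinds": [], "data": b""})
    for q in qnames:
        hit = classify_query(q)
        if hit:
            ident, kind, payload, parent = hit
            sessions[(parent, ident)]["kinds"].append(kind)
            sessions[(parent, ident)]["data"] += payload or b""
    return dict(sessions)

# Constructed sample query names (not captured traffic).
SAMPLE_QUERIES = [
    "www.example.com",
    "a1B-PROBE.dafadfweer.top",
    "a1B-CMD.dafadfweer.top",
    "a1B-DATA-68656c6c6f20776f726c64.dafadfweer.top",
    "xyz-DATA-nothex.example.org",
]

if __name__ == "__main__":
    for key, s in summarize(SAMPLE_QUERIES).items():
        print(key, s["kinds"], s["data"])
```

Matching on the label layout rather than the hardcoded domain keeps the check useful if a sample is rebuilt with a different domain, at the cost of needing a review step for benign names that happen to fit the pattern.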

Resources

Elastic Security Labs has provided a SOMNIRECORD signature in our open protections artifact repository here.

Sources

Code similarity analyses play an important role in discovering the sources of malicious code used by adversaries. In an effort to identify the source of SOMNIRECORD, we identified an open source project called DNS-Persist that contained similar logic. Like NAPLISTENER, we believe the attacker was inspired by this project and then added modifications to facilitate success in a specific target environment.

Key takeaways

  • The use of open source projects by the attacker indicates that they are taking steps to customize existing tools for their specific needs and may be attempting to counter attribution attempts
  • SOMNIRECORD uses DNS to pattern communication with its command and control (C2), which enables attackers to bypass network egress controls and monitoring