ELF_PLEAD - Linux Malware Used by BlackTech

In a past article, we introduced the Linux malware ELF_TSCookie, which is used by the attack group BlackTech. This group also uses other kinds of malware that affect Linux OS. The PLEAD module for Windows, which we introduced before, has a Linux version (ELF_PLEAD) as well. This article describes the details of ELF_PLEAD in comparison to the PLEAD module.

Comparison between PLEAD Module and ELF_PLEAD

ELF_PLEAD and the PLEAD module share a large part of their code, and most of the functions, including communication, are similar. Figure 1 shows a comparison of the main functions of the PLEAD module and ELF_PLEAD.

Figure 1: Code comparison of PLEAD module and ELF_PLEAD
(Left: PLEAD module / Right: ELF_PLEAD)

It is clear from the flow of processing that the two types of malware are quite similar. The next sections will describe the features of ELF_PLEAD from the following perspectives:

  • Configuration
  • Communication protocol
  • Commands

Configuration

ELF_PLEAD holds a configuration block of 0x1AA bytes. Figure 2 shows an example of the configuration. It contains information such as the C&C servers and an encryption key. (Please see Appendix A for the details of the configuration.)

Figure 2: Configuration example

The configuration is RC4-encrypted, and the 32-byte string stored right before the encrypted configuration is the encryption key itself. Figure 3 shows an example of the encrypted configuration together with its key.

Figure 3: Encrypted configuration and encryption key

Communication protocol

While the PLEAD module uses the HTTP protocol to communicate with its C&C servers, ELF_PLEAD uses its own custom protocol. Apart from this difference, the data format and the method for exchanging the encryption key are almost the same. Figure 4 describes the flow of communication that ELF_PLEAD performs.

Figure 4: Communication flow of ELF_PLEAD

ELF_PLEAD exchanges part of the RC4 key during the first communication. After that, an RC4 key generated from the exchange is used for the communication that follows. The data sent is RC4-encrypted and then LZO-compressed. (Please see Appendix B for the details of the communication protocol.)

Commands

ELF_PLEAD is equipped with the following 5 command groups. (Please see Appendix C for the details of the command functions. The command numbers may vary in some samples.)

  • CFileManager (group number 0): commands for operation on files
  • CFileTransfer (group number 1): commands for sending/receiving files
  • CRemoteShell (group number 2): commands for remote shell
  • CPortForwardManager (group number 3): commands for proxy mode
  • No name (group number 0xFF): commands for malware control

Figure 5: Command group names

It is clear that the functions are almost the same as those of the PLEAD module.

In closing

It has been confirmed that BlackTech uses different kinds of malware, including TSCookie, PLEAD and KIVARS, which target Linux OS as well as Windows OS. If such malware is found in your Windows environment, it is recommended to check your Linux environment as well.

Shusei Tomonaga
(Translated by Yukako Uchida)

Appendix A: ELF_PLEAD Configuration

Table A: Configuration

Offset  Description     Remarks
0x000   RC4 key         Used for encrypting communication
0x004   ID
0x024   Port number 1
0x026   Port number 2
0x028   Port number 3
0x02A   C&C server 1
0x0AA   C&C server 2
0x12A   C&C server 3

  • Configuration format may vary in some samples.
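As an added example (not the article's own code and not code from the malware), the following Python script decrypts and parses a configuration block laid out as in Figure 3 and Table A: a 32-byte RC4 key followed by the 0x1AA-byte RC4-encrypted configuration. Field widths are derived from the distance between consecutive offsets in Table A (0x20 bytes for the ID, 2 bytes per port, 0x80 bytes per C&C server, which ends exactly at 0x1AA). The little-endian port encoding, the function names (`rc4`, `parse_config`, `build_sample_blob`) and the sample data are assumptions made for illustration; the sample blob is constructed here and is not a real ELF_PLEAD configuration.

```python
import struct

CONFIG_SIZE = 0x1AA   # configuration size stated in the article
KEY_SIZE = 32         # the RC4 key is the 32-byte string stored right before the encrypted config

# Field layout from Table A; widths are derived from the distance between consecutive offsets.
OFF_COMM_KEY = 0x000                # 4-byte RC4 key used for encrypting communication
OFF_ID = 0x004                      # ID, up to 0x20 bytes
OFF_PORTS = (0x024, 0x026, 0x028)   # three 2-byte port numbers
OFF_C2 = (0x02A, 0x0AA, 0x12A)      # three C&C server fields
C2_FIELD_LEN = 0x80                 # 0x0AA - 0x02A; the third field ends exactly at 0x1AA


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def cstr(buf: bytes) -> str:
    """Decode a NUL-terminated string field."""
    return buf.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_config(blob: bytes) -> dict:
    """Decrypt and parse a block laid out as in Figure 3: 32-byte key, then 0x1AA bytes of RC4 data."""
    if len(blob) < KEY_SIZE + CONFIG_SIZE:
        raise ValueError("need at least 32 + 0x1AA bytes")
    key = blob[:KEY_SIZE]
    cfg = rc4(key, blob[KEY_SIZE:KEY_SIZE + CONFIG_SIZE])
    return {
        "comm_rc4_key": cfg[OFF_COMM_KEY:OFF_COMM_KEY + 4].hex(),
        "id": cstr(cfg[OFF_ID:OFF_PORTS[0]]),
        # Port byte order is an assumption (little-endian); verify against a real sample.
        "ports": [struct.unpack_from("<H", cfg, off)[0] for off in OFF_PORTS],
        "c2_servers": [cstr(cfg[off:off + C2_FIELD_LEN]) for off in OFF_C2],
    }


def build_sample_blob() -> bytes:
    """Constructed test data, not a real ELF_PLEAD configuration."""
    cfg = bytearray(CONFIG_SIZE)
    cfg[OFF_COMM_KEY:OFF_COMM_KEY + 4] = bytes.fromhex("11223344")
    cfg[OFF_ID:OFF_ID + 7] = b"TEST-ID"
    struct.pack_into("<HHH", cfg, OFF_PORTS[0], 443, 8080, 53)
    for off, host in zip(OFF_C2, (b"c2-one.invalid", b"c2-two.invalid", b"c2-three.invalid")):
        cfg[off:off + len(host)] = host
    key = bytes(range(32))            # constructed 32-byte key placed in front of the config
    return key + rc4(key, bytes(cfg))


if __name__ == "__main__":
    print(parse_config(build_sample_blob()))
```

To run it against a real file, carve the 32 bytes preceding the encrypted block (as located in Figure 3) plus the following 0x1AA bytes and pass them to `parse_config`; the ID and C&C fields are treated as NUL-terminated strings, so unused space in a field decodes to an empty string.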

Appendix B: Contents of data exchanged

Table B-1: Format of sent data

Offset  Length  Contents
0x00    4       RC4 key (Key4)
0x04    4       Hash value
0x08    4       RC4 key (Key1)
0x0C    2       Length of data sent
0x0E    2       Length of data at offset 0x10 before compression
0x10    -       Encrypted data (RC4 + LZO) (See Table B-2 for details.)

Table B-2: Format of encrypted data

Offset  Length  Contents
0x00    2       0xFF
0x02    4       RC4 key (Key2)
0x06    -       Random data (at least 128 bytes)

Table B-3: Format of received data

Offset  Length  Contents
0x00    4       RC4 key (Key4)
0x04    4       Hash value
0x08    4       RC4 key (Key1)
0x0C    2       Length of data sent
0x0E    2       Length of data at offset 0x10 before compression
0x10    -       Encrypted data (RC4 + LZO) (See Table B-4 for details.)

Table B-4: Format of encrypted data in the received data

Offset  Length  Contents
0x00    2       0x01FF
0x02    4       RC4 key (Key3)
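As an added example (not the article's own code and not code from the malware), the following Python script splits a frame into the 0x10-byte header of Tables B-1/B-3 and classifies the inner data of Tables B-2/B-4 by its 2-byte marker once the caller has undone the LZO compression and the RC4 encryption (in that order, since the article states that data is RC4-encrypted and then LZO-compressed). LZO decompression is left to the caller because it needs a third-party library. The little-endian byte order of the marker and length fields, the reading of "Length of data sent" as the total frame length, and the names `parse_header` and `classify_plaintext` are assumptions for illustration; the sample frame and plaintexts are constructed here and are not real captures.

```python
import struct

# Table B-1 / B-3 header: Key4 (4), hash (4), Key1 (4), length sent (2), length before compression (2).
# Byte order of the two length fields is assumed little-endian; check against a real capture.
HEADER_FMT = "<4s4s4sHH"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 0x10, the offset of the encrypted data

MARKER_SENT = 0x00FF   # Table B-2: first 2 bytes of the data the implant sends
MARKER_RECV = 0x01FF   # Table B-4: first 2 bytes of the data the implant receives
MIN_RANDOM = 128       # Table B-2: at least 128 bytes of random data follow Key2


def parse_header(frame: bytes) -> dict:
    """Split a frame into the Table B-1/B-3 header fields and the opaque (RC4 + LZO) body."""
    if len(frame) < HEADER_SIZE:
        raise ValueError("frame shorter than the 0x10-byte header")
    key4, hash_value, key1, sent_len, raw_len = struct.unpack_from(HEADER_FMT, frame, 0)
    return {
        "key4": key4.hex(),
        "hash": hash_value.hex(),
        "key1": key1.hex(),
        "sent_len": sent_len,                 # assumed to be the total frame length
        "uncompressed_len": raw_len,          # length of the body before LZO compression
        "length_consistent": sent_len == len(frame),
        "body": frame[HEADER_SIZE:],          # still compressed and encrypted at this point
    }


def classify_plaintext(plain: bytes) -> dict:
    """Classify a body after LZO decompression and RC4 decryption (done by the caller).

    Returns the direction implied by the 2-byte marker, the 4-byte key that follows it
    (Key2 for sent data, Key3 for received data) and whether the layout matches the table.
    """
    if len(plain) < 6:
        return {"direction": "unknown", "key": None, "well_formed": False}
    marker, = struct.unpack_from("<H", plain, 0)
    key = plain[2:6].hex()
    if marker == MARKER_SENT:
        random_len = len(plain) - 6
        return {"direction": "sent", "key": key, "random_bytes": random_len,
                "well_formed": random_len >= MIN_RANDOM}
    if marker == MARKER_RECV:
        return {"direction": "received", "key": key, "well_formed": True}
    return {"direction": "unknown", "key": key, "well_formed": False}


# Constructed sample frame (not a real capture) with placeholder key and hash values.
SAMPLE_BODY = b"\xde\xad\xbe\xef" * 8          # stands in for the RC4 + LZO body
SAMPLE_FRAME = struct.pack(HEADER_FMT, b"\x01\x02\x03\x04", b"\xaa\xbb\xcc\xdd",
                           b"\x11\x22\x33\x44", HEADER_SIZE + len(SAMPLE_BODY), 134) + SAMPLE_BODY

# Constructed plaintext of a first "sent" message (Table B-2): marker, Key2, 128 filler bytes.
SAMPLE_SENT_PLAIN = struct.pack("<H", MARKER_SENT) + b"\x55\x66\x77\x88" + bytes(range(128))
# Constructed plaintext of the server's reply (Table B-4): marker and Key3.
SAMPLE_RECV_PLAIN = struct.pack("<H", MARKER_RECV) + b"\x99\xaa\xbb\xcc"

if __name__ == "__main__":
    print(parse_header(SAMPLE_FRAME))
    print(classify_plaintext(SAMPLE_SENT_PLAIN))
    print(classify_plaintext(SAMPLE_RECV_PLAIN))
```

The `length_consistent` flag and the `well_formed` result are the two checks worth keeping in a decoder: a frame whose declared length disagrees with what was captured, or a first message with fewer than 128 bytes of random padding, is either a different protocol or a sample whose format varies from the one described here.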

Appendix C: ELF_PLEAD commands

Table C-1: Commands without group name (group number 0xFF)

Value  Contents
4      Send random data
5      Reconnect
6      Restart
7      End
8      End
9      Change socket
11     Change C2 server

Table C-2: Commands for CFileManager (group number 0)

Value  Contents
32     Send list of files
37     Send file size, mode, timestamp
39     Change file name
41     Delete file/directory
43     Upload file
45     Execute file
49     Create directory
51     Move file
53     Delete directory

Table C-3: Commands for CFileTransfer (group number 1)

Value  Contents
64     Send file/directory information
67     Create directory
70     Download file
71     Send file information
75     Upload file

Table C-4: Commands for CRemoteShell (group number 2)

Value  Contents
80     Launch remote shell

Table C-5: Commands for CPortForwardManager (group number 3)

Value  Contents
96     Set up proxy
100    Connect proxy
102    Send proxy data
104    -
106    -
108    End proxy

Appendix D: C&C server

  • mx.msdtc.tw

Appendix E: Malware hash value

  • 5b5f8c4611510c11d413cb2bef70867e584f003210968f97e0c54e6d37ba8d8d
  • ca0e83440b77eca4d2eda6efd9530b49ffb477f87f36637b5e43f2e428898766