Recently, Cisco Talos released a report about a piece of fileless malware dubbed “Divergent,” a malware loader being used to infect victims with this previously undocumented payload.
“This threat uses NodeJS — a program that executes JavaScript outside of a web browser — as well as the legitimate open-source utility WinDivert to facilitate some of the functionality in the Divergent malware,” the research team noted in a blog post that details the threat. “The use of NodeJS is not something commonly seen across malware families.” They note that this malware can be leveraged to attack corporate networks and is likely designed to conduct click-fraud. And this malware is particularly tricky because it burrows deep within the host.
The Divergent malware was actually first seen in PolySwarm, before other multi-scanners like VirusTotal. Below, we show you how you can find malware details in PolySwarm using the IOCs (provided in the Talos report). And, without even running a debugger, malware analysts are able to extract important malware details from PolySwarm.
Overview of what we will cover
- URL scan of dropper and second stage hosting URLs
- Malware search using Hash Lookup of IOCs/hashes
- Malware search using PolySwarm Metadata Searching tool
- Malware search using a Yara Rule for Live Hunting
URL Scanning
Dropper
Let’s use PolySwarm CLI to scan the URL that was used to install a malicious remote assist tool. Run the following command:
$ polyswarm url https://uoibppop.tk
Scan report for GUID 2d73758e-a5f5-43f8-9711-f8663c07864b
=========================================================
Report for artifact url, hash: a951ab7047501b7df4b7c658ec2caff689a78e27041bd69e515598599243e5e1
Nucleon: Clean
Virusdie: Clean
Cyradar: Malicious, metadata: {'malware_family': 'malicious', 'scanner': {'environment': {'architecture': 'x86_64', 'operating_system': 'Linux'}, 'vendor_version': '', 'version': '0.1.0'}}
ZeroCERT: Clean
Second Stage
Next, let’s use PolySwarm CLI to scan 2 URLs used for the second stage Powershell malware hidden as PNG files.
To scan the first URL, run the following command:
$ polyswarm url http://1292172017.rsc.cdn77.org/images/trpl.png
Scan report for GUID 701659fe-70e2-41f1-ba65-78ec13061759
=========================================================
Report for artifact url, hash: 17cae7914970fec803e6e0cca15a3a705f580437f6da4f91b9913796f3420ad9
Virusdie: Clean
Cyradar: Malicious, metadata: {'malware_family': 'malicious', 'scanner': {'environment': {'architecture': 'x86_64', 'operating_system': 'Linux'}, 'vendor_version': '', 'version': '0.1.0'}}
Nucleon: Clean
ZeroCERT: Clean
Permalink with these results: https://polyswarm.network/scan/results/file/17cae7914970fec803e6e0cca15a3a705f580437f6da4f91b9913796f3420ad9
To scan the second URL, run the following command:
$ polyswarm url http://1292172017.rsc.cdn77.org//imtrack/strkp.png
Scan report for GUID 6069f280-70e6-438a-a460-eae275080141
=========================================================
Report for artifact url, hash: 17ebd6367bef3b6d34a5b6718f3a528a8bf081eafd9cae8e0e569ac1edad2382
Virusdie: Malicious, metadata: {'malware_family': '', 'scanner': {'environment': {'architecture': 'x86_64', 'operating_system': 'Linux'}, 'version': '0.3.0'}}
Nucleon: Clean
Cyradar: Malicious, metadata: {'malware_family': 'malicious', 'scanner': {'environment': {'architecture': 'x86_64', 'operating_system': 'Linux'}, 'vendor_version': '', 'version': '0.1.0'}}
ZeroCERT: Clean
Permalink with these results: https://polyswarm.network/scan/results/file/17ebd6367bef3b6d34a5b6718f3a528a8bf081eafd9cae8e0e569ac1edad2382
Hash Searching
In the news, there were 14 hashes for PE Files. Put those hashes into a text file, and then run the following command to look up those hashes in PolySwarm:
$ polyswarm search hash -r IOCs_SHA256.txt
Result Summary:
- 7 files
- Dates:
- First seen: Sat, 27 Jul 2019 04:35:08 GMT
- First seen: Sat, 27 Jul 2019 06:14:30 GMT
- First seen: Sat, 28 Sep 2019 21:47:15 GMT
- First seen: Sun, 28 Jul 2019 08:57:25 GMT
- First seen: Sat, 27 Jul 2019 04:35:08 GMT
- First seen: Mon, 25 Mar 2019 19:39:04 GMT
- First seen: Tue, 26 Mar 2019 18:13:28 GMT
- Hash:
- SHA256: ba04eacaa80bb5da6b02e1e7fdf3775cf5a44a6179b2c142605e089d78a2f5b6
- SHA256: a82dd93585094aeba4363c5aeedd1a85ef72c60a03738b25d452a5d895313875
- SHA256: 2f4a9ef2071ee896674e3da1a870d4efab4bb16e2e26ea3d7543d98b614ceab9
- SHA256: bf2cdd1dc2e20c42d2451c83b8280490879b3515aa6c15ab297419990e017142
- SHA256: ba04eacaa80bb5da6b02e1e7fdf3775cf5a44a6179b2c142605e089d78a2f5b6
- SHA256: a7656ccba0946d25a4efd96f4f4576494d5f1e23e6ad2acc16d2e684656a2d4f
- SHA256: 607b2f3fd1e73788a4d6f5a366c708dbb12d174eba9863ade0af89ca40e1fdba
- Scan Results:
- Permalink: https://polyswarm.network/scan/results/file/ba04eacaa80bb5da6b02e1e7fdf3775cf5a44a6179b2c142605e089d78a2f5b6
- Permalink: https://polyswarm.network/scan/results/file/a82dd93585094aeba4363c5aeedd1a85ef72c60a03738b25d452a5d895313875
- Permalink: https://polyswarm.network/scan/results/file/2f4a9ef2071ee896674e3da1a870d4efab4bb16e2e26ea3d7543d98b614ceab9
- Permalink: https://polyswarm.network/scan/results/file/b2d29bb9350a0df93d0918c0208af081f917129ee46544508f2e1cf30aa4f4ce
- Permalink: https://polyswarm.network/scan/results/file/bf2cdd1dc2e20c42d2451c83b8280490879b3515aa6c15ab297419990e017142
- Permalink: https://polyswarm.network/scan/results/file/ba04eacaa80bb5da6b02e1e7fdf3775cf5a44a6179b2c142605e089d78a2f5b6
- Permalink: https://polyswarm.network/scan/results/file/a7656ccba0946d25a4efd96f4f4576494d5f1e23e6ad2acc16d2e684656a2d4f
- Permalink: https://polyswarm.network/scan/results/file/607b2f3fd1e73788a4d6f5a366c708dbb12d174eba9863ade0af89ca40e1fdba
Metadata Searching
Let’s try to find samples from this malware by its internal features. (Note: everything found from the searches are this malware family.)
By pefile.imphash
Let’s use PolySwarm CLI to perform a metadata search for the imphash: pefile.imphash:"2023fb6f54ebc52867881c8549c2fc62"
$ polyswarm search metadata 'pefile.imphash:"2023fb6f54ebc52867881c8549c2fc62"'
Found 4 matches to the search query.
Search results for {'query': {'query_string': {'query': 'pefile.imphash:"2023fb6f54ebc52867881c8549c2fc62"'}}}
File a82dd93585094aeba4363c5aeedd1a85ef72c60a03738b25d452a5d895313875
File type: mimetype: application/x-dosexec, extended_info: PE32 executable (GUI) Intel 80386, for MS Windows
SHA256: a82dd93585094aeba4363c5aeedd1a85ef72c60a03738b25d452a5d895313875
SHA1: 5b24a3b32d9dba95b296a7a16cbcf50a7df2d196
MD5: 08ac667c65d36d6542917655571e61c8
First seen: Sat, 27 Jul 2019 06:14:30 GMT
Observed countries:
Observed filenames: a82dd93585094aeba4363c5aeedd1a85ef72c60a03738b25d452a5d895313875
File ba04eacaa80bb5da6b02e1e7fdf3775cf5a44a6179b2c142605e089d78a2f5b6
File type: mimetype: application/x-dosexec, extended_info: MS-DOS executable
SHA256: ba04eacaa80bb5da6b02e1e7fdf3775cf5a44a6179b2c142605e089d78a2f5b6
SHA1: dd17b5d7442011effa2156c2470e7ad87e0435c0
MD5: 4bfc121ed751e5f5982e8cf207b1185c
First seen: Sat, 27 Jul 2019 04:35:08 GMT
Observed countries:
Observed filenames: ba04eacaa80bb5da6b02e1e7fdf3775cf5a44a6179b2c142605e089d78a2f5b6
File a7656ccba0946d25a4efd96f4f4576494d5f1e23e6ad2acc16d2e684656a2d4f
File type: mimetype: application/x-dosexec, extended_info: MS-DOS executable
SHA256: a7656ccba0946d25a4efd96f4f4576494d5f1e23e6ad2acc16d2e684656a2d4f
SHA1: a021803abe807323d43f0a26f55817d4f88ad84a
MD5: a42f269b966fd4cc700eb6a119470c22
First seen: Mon, 25 Mar 2019 19:39:04 GMT
Observed countries:
Observed filenames: a7656ccba0946d25a4efd96f4f4576494d5f1e23e6ad2acc16d2e684656a2d4f
File bf2cdd1dc2e20c42d2451c83b8280490879b3515aa6c15ab297419990e017142
File type: mimetype: application/x-dosexec, extended_info: PE32 executable (GUI) Intel 80386, for MS Windows
SHA256: bf2cdd1dc2e20c42d2451c83b8280490879b3515aa6c15ab297419990e017142
SHA1: 4d004abbc5a9085d713e6c3a79269c67f65484db
MD5: da8b478f6c1fa76858b67b1329bac447
First seen: Sun, 28 Jul 2019 08:57:25 GMT
Observed countries:
Observed filenames: bf2cdd1dc2e20c42d2451c83b8280490879b3515aa6c15ab297419990e017142
By IPV4
Let’s use PolySwarm CLI to perform a metadata search for the ipv4 strings. We’ll use the ipv4 address from the C2.
$ polyswarm search metadata 'strings.ipv4:95.70.244.209' | tee -a polyswarm_metadata_search_ipv4.log
Found 3 matches to the search query.
Search results for {'query': {'query_string': {'query': 'strings.ipv4:95.70.244.209'}}}
File a82dd93585094aeba4363c5aeedd1a85ef72c60a03738b25d452a5d895313875
File type: mimetype: application/x-dosexec, extended_info: PE32 executable (GUI) Intel 80386, for MS Windows
SHA256: a82dd93585094aeba4363c5aeedd1a85ef72c60a03738b25d452a5d895313875
SHA1: 5b24a3b32d9dba95b296a7a16cbcf50a7df2d196
MD5: 08ac667c65d36d6542917655571e61c8
First seen: Sat, 27 Jul 2019 06:14:30 GMT
Observed countries:
Observed filenames: a82dd93585094aeba4363c5aeedd1a85ef72c60a03738b25d452a5d895313875
File ba04eacaa80bb5da6b02e1e7fdf3775cf5a44a6179b2c142605e089d78a2f5b6
File type: mimetype: application/x-dosexec, extended_info: MS-DOS executable
SHA256: ba04eacaa80bb5da6b02e1e7fdf3775cf5a44a6179b2c142605e089d78a2f5b6
SHA1: dd17b5d7442011effa2156c2470e7ad87e0435c0
MD5: 4bfc121ed751e5f5982e8cf207b1185c
First seen: Sat, 27 Jul 2019 04:35:08 GMT
Observed countries:
Observed filenames: ba04eacaa80bb5da6b02e1e7fdf3775cf5a44a6179b2c142605e089d78a2f5b6
File bf2cdd1dc2e20c42d2451c83b8280490879b3515aa6c15ab297419990e017142
File type: mimetype: application/x-dosexec, extended_info: PE32 executable (GUI) Intel 80386, for MS Windows
SHA256: bf2cdd1dc2e20c42d2451c83b8280490879b3515aa6c15ab297419990e017142
SHA1: 4d004abbc5a9085d713e6c3a79269c67f65484db
MD5: da8b478f6c1fa76858b67b1329bac447
First seen: Sun, 28 Jul 2019 08:57:25 GMT
Observed countries:
Observed filenames: bf2cdd1dc2e20c42d2451c83b8280490879b3515aa6c15ab297419990e017142
By lief.imported_functions
Now let’s try to find this malware from ‘Imported Functions’ with ‘AND’ operator, so we find the larger set of results for this specific malware.
$ polyswarm search metadata 'lief.imported_functions:"AdjustTokenPrivileges" AND lief.imported_functions:"LdrEnumerateLoadedModules" AND lief.imported_functions:"Sleep" AND lief.imported_functions:"OutputDebugStringA" AND lief.imported_functions:"GetCursorPos"'
Found 4 matches to the search query.
Search results for {'query': {'query_string': {'query': 'lief.imported_functions:"AdjustTokenPrivileges" AND lief.imported_functions:"LdrEnumerateLoadedModules" AND lief.imported_functions:"Sleep" AND lief.imported_functions:"OutputDebugStringA" AND lief.imported_functions:"GetCursorPos"'}}}
File a82dd93585094aeba4363c5aeedd1a85ef72c60a03738b25d452a5d895313875
File type: mimetype: application/x-dosexec, extended_info: PE32 executable (GUI) Intel 80386, for MS Windows
SHA256: a82dd93585094aeba4363c5aeedd1a85ef72c60a03738b25d452a5d895313875
SHA1: 5b24a3b32d9dba95b296a7a16cbcf50a7df2d196
MD5: 08ac667c65d36d6542917655571e61c8
First seen: Sat, 27 Jul 2019 06:14:30 GMT
Observed countries: ES
Observed filenames: a82dd93585094aeba4363c5aeedd1a85ef72c60a03738b25d452a5d895313875
File ba04eacaa80bb5da6b02e1e7fdf3775cf5a44a6179b2c142605e089d78a2f5b6
File type: mimetype: application/x-dosexec, extended_info: MS-DOS executable
SHA256: ba04eacaa80bb5da6b02e1e7fdf3775cf5a44a6179b2c142605e089d78a2f5b6
SHA1: dd17b5d7442011effa2156c2470e7ad87e0435c0
MD5: 4bfc121ed751e5f5982e8cf207b1185c
First seen: Sat, 27 Jul 2019 04:35:08 GMT
Observed countries: ES
Observed filenames: ba04eacaa80bb5da6b02e1e7fdf3775cf5a44a6179b2c142605e089d78a2f5b6
File a7656ccba0946d25a4efd96f4f4576494d5f1e23e6ad2acc16d2e684656a2d4f
File type: mimetype: application/x-dosexec, extended_info: MS-DOS executable
SHA256: a7656ccba0946d25a4efd96f4f4576494d5f1e23e6ad2acc16d2e684656a2d4f
SHA1: a021803abe807323d43f0a26f55817d4f88ad84a
MD5: a42f269b966fd4cc700eb6a119470c22
First seen: Mon, 25 Mar 2019 19:39:04 GMT
Observed countries: ES
Observed filenames: a7656ccba0946d25a4efd96f4f4576494d5f1e23e6ad2acc16d2e684656a2d4f
File bf2cdd1dc2e20c42d2451c83b8280490879b3515aa6c15ab297419990e017142
File type: mimetype: application/x-dosexec, extended_info: PE32 executable (GUI) Intel 80386, for MS Windows
SHA256: bf2cdd1dc2e20c42d2451c83b8280490879b3515aa6c15ab297419990e017142
SHA1: 4d004abbc5a9085d713e6c3a79269c67f65484db
MD5: da8b478f6c1fa76858b67b1329bac447
First seen: Sun, 28 Jul 2019 08:57:25 GMT
Observed countries: ES
Observed filenames: bf2cdd1dc2e20c42d2451c83b8280490879b3515aa6c15ab297419990e017142
Live Hunting
Now that we have found some details and some unique features from this Malware, let’s create a Yara rule and enable a Live Hunt, so we can be alerted about future campaigns:
rule divergent_malware {
meta:
author = "PolySwarm"
description = "Divergent Fileless Malware"
strings:
$a = "\"accl\":"
$b = "\"acll\":"
$c = "\"version\":"
condition:
$a and $b and $c
}
While drafting this report, we viewed our Live Hunting results 24 hours later, and found some new samples that had been uploaded to PolySwarm:
Examining the scan results of that first sample, we see that it is also clearly malicious:
And if you look at the File Details tab of the scan results, you’ll get a full list of IOCs / C&C endpoints. Here is a screenshot of part of that list:
***
If you are not already using PolySwarm, try it out here. It’s free to use (however Threat Hunting and some other advanced features require a paid subscription). Simply create an account and start leveraging PolySwarm: https://polyswarm.network/