• Skip to primary navigation
  • Skip to main content
  • Skip to footer

Cisco Umbrella

Enterprise network security

  • Contact Sales
  • Login
    • Umbrella Login
    • Cloudlock Login
  • Search
Search
  • Why Us
    • Why Cisco Umbrella
      • Why Try Umbrella
      • Why DNS Security
      • Why Umbrella SASE
      • Our Customers
      • Customer Stories
      • Why Cisco Security
    • Fast Reliable Cloud
      • Global Cloud Architecture
      • Cloud Network Status
      • Global Cloud Network Activity
    • Unmatched Intelligence
      • A New Approach to Cybersecurity
      • Interactive Intelligence
      • Cyber Attack Prevention
      • Umbrella and Cisco Talos Threat Intelligence
    • Extensive Integrations
      • IT Security Integrations
      • Hardware Integrations
      • Meraki Integration
      • Cisco Security for Chromebook
  • Products
    • Cisco Umbrella Products
      • Cisco Umbrella Cloud Security Service
      • Recursive DNS Services
      • Cisco Umbrella SIG
      • Umbrella Investigate
      • What’s New
    • Product Packages
      • Cisco Umbrella and Cisco Secure Access Packages
      • – DNS Security Essentials Package
      • – DNS Security Advantage Package
      • – SIG Essentials Package
      • – SIG Advantage Package
      • Umbrella Support Packages
      • Cisco Umbrella for Government Packages
    • Functionality
      • DNS-Layer Security
      • Secure Web Gateway
      • Cloud Access Security Broker (CASB)
      • Cloud Data Loss Prevention (DLP)
      • Cloud-Delivered Firewall
      • Cloud Malware Protection
      • Remote Browser Isolation (RBI)
    • Man on a laptop with headphones on. He is attending a Cisco Umbrella Live Demo
  • Solutions
    • SASE & SSE Solutions
      • Your SSE journey with Cisco
      • Cisco Umbrella SASE
      • Secure Access Service Edge (SASE)
      • What is SASE
    • Functionality Solutions
      • Web Content Filtering
      • Secure Direct Internet Access
      • Shadow IT Discovery & App Blocking
      • Fast Incident Response
      • Unified Threat Management
      • Protect Mobile Users
      • Securing Remote and Roaming Users
      • Umbrella and Duo Layered Protection
    • Network Solutions
      • Guest Wi-Fi Security
      • SD-WAN Security
      • Off-Network Endpoint Security
    • Industry Solutions
      • Government and Public Sector Cybersecurity
      • Financial Services Security
        • – FTC Safeguards Rule Compliance 2023
      • Cybersecurity for Manufacturing
      • Higher Education Security
      • K-12 Schools Security
      • Healthcare, Retail and Hospitality Security
      • Enterprise Cloud Security
      • Small Business Cybersecurity
  • Resources
    • Content Library
      • Top Resources
      • Research Reports
      • Case Studies
      • Videos
      • Datasheets
      • eBooks
      • Solution Briefs
      • Cybersecurity Webinars
    • International Documents
      • Deutsch/German
      • Español/Spanish
      • Français/French
      • Italiano/Italian
      • 日本語/Japanese
    • Security Definitions
      • What is DNS Security
      • What is a Secure Web Gateway
      • What is a Cloud Access Security Broker (CASB)
      • What is Security Service Edge (SSE)
      • What is Secure Access Service Edge (SASE)
      • Cyber Threat Categories and Definitions
    • For Customers
      • Support
      • Customer Success Webinars
      • Free Trial Quick Start Guide
      • Free Trial Help and Tips
  • Trends & Threats
    • Market Trends
      • Generative AI Cybersecurity Risks and Rewards
      • Hybrid Workforce
      • Rise of Remote Workers
      • Secure Internet Gateway (SIG)
    • Security Threats
      • How to Stop Phishing Attacks
      • Malware Detection and Protection
      • Ransomware is on the Rise
      • Cryptomining Malware Protection
      • Cybersecurity Threat Landscape
      • Global Cyber Threat Intelligence
    •  
    • Woman connecting confidently to any device anywhere
  • Partners
    • Channel Partners
      • Partner Program
      • Become a Partner
    • Service Providers
      • Secure Connectivity
      • Managed Security for MSSPs
      • Managed IT for MSPs
    •  
    • Person looking down at laptop. They are connecting and working securely
  • Blog
    • News & Product Posts
      • Latest Posts
      • Products & Services
      • Customer Focus
      • Feature Spotlight
    • Cybersecurity Posts
      • Security
      • Threats
      • Cybersecurity Threat Spotlight
      • Research
    •  
    • Register for a webinar - with illustration of connecting securely to the cloud
  • Contact Us
  • Umbrella Login
  • Cloudlock Login
  • Free Trial
Clearing search keywords
Threats

Obfuscation: The Abracadabra of Malware Authors

Author avatar of Shyam Sundar RamaswamiAuthor avatar of Sreenidhi RamadurgamAuthor avatar of Sneha ShekarShyam Sundar Ramaswami, Sreenidhi Ramadurgam, and Sneha Shekar
Updated — September 26, 2023 • 7 minute read
View blog >

When analyzing suspicious domains, Dropbox is one of the brands that is usually under scrutiny. Typically, we are looking at a phishing page that is pretending to be Dropbox in order to steal user credentials. Other times, as with most cloud content hosting sites, we find shared links hosted on Dropbox that lead to a malicious file.

In this blog post, as members of the Security Research Analyst team, we’re going to run through an analysis we did of a file that was hosted on a Dropbox shared link that turned out to be using some pretty interesting obfuscation techniques in order to hide the real intentions of the file. The file was initially received as a zip archive. Inside was what appeared to be a .scr file, or a screensaver file.

A New Screensaver

We started out doing some typical forensic steps by running the file against pestr in REMnux. From this, we were able to determine that it contains a couple of .exe and .vbs files. This led us to the conclusion that the file wasn’t packed.

Random ASCII characters

The file was then run through CFF Explorer to see if it was a screensaver or just posing as one. The PE header starts with MZ which indicates that it is an executable.

File ASCII analysis

The file was probably renamed from .exe to .scr to either evade security solutions or to distribute it as a free screensaver. The .scr file was unzipped and it had a whopping 59 files within it. When all the files from the unzipped scr file were inspected, each of them were of various file types. We then realized that those were not the real extensions, but just another trick to evade analysis. Most of these were actually just text files.

Let’s start with ‘csn.vbs’. When dealing with malware, vbs files which are usually launched through macros can contain malicious code that furthers the infection process usually by contacting a domain or IP address to download additional malware. Upon opening the file, it was observed that the whole file was filled with Chinese text.With further inspection we realized that this was merely used as an obfuscation method to hide the actual code, thus making it harder to detect.

Chinese characters to obfuscate

After filtering out all the Chinese text, we obtained the function from this file.

Screenshot of a .vbs script

The vb script calls a file named agj.exe and ‘gjm=loo’ is passed as a parameter to it. Our next step was to inspect these two files.

Would you like some more files?

When analyzing agj.exe, we went back to the parent folder to look for it, and realized the file was not present in the set of 59 files. Usually in such cases, URLs will later be contacted through a powershell command when another file is executed in order to download additional files. However, in this analysis we didn’t observe that behavior. So where was the file? After enabling the Windows OS to ‘show hidden files’, voila! We found agj.exe. The malware author was using another technique to hide their tracks.

We then started inspecting gjm=loo. We looked into the properties of the file, and noticed that the file size was 215 MB. But the original scr file was only 1.25 MB. The malware authors must have used some compression techniques to compress the 59 files into one. The smaller file size makes the file easier to distribute and thus infect more victims.

When inspecting the ‘gjm=loo’ file, we again saw that it was filled with Chinese text. However, this time the file was too large that it crashed every possible GUI editor we tried. Manually removing the Chinese characters like the previous time was out of the question since this contained more than 2,045,440 lines. A python regex script was made to try to handle this, but also crashed. We opened it in powershell and found out that a set of characters repeated every 9,200 lines. Every command was also preceded by ‘#ce’. We made use of this to filter out only the actual code.

Pattern filtering

Upon inspecting the code, we noticed that the ‘gjm=loo’ file refers to another file, ‘mgi.cpl’.

Script analysis

The .cpl is a control panel item. Again, it wasn’t actually a cpl file, but a text file in which the extension was renamed. A lot of the code in the ‘gjm=loo’ file were AutoIt functions. AutoIt is a scripting language designed to automate functions in the Windows UI as well as for use with general scripting tasks.

AutoIt in this case is probably used to prevent antivirus systems from recognizing the malware’s signature. The code is compiled and run as a valid AutoIt process with the malicious payload loaded into an AutoIt process memory space. Malware authors leverage and abuse trusted processes to hide and masquerade their malware.

The ‘gjm=loo’ file has a slew of global variables and has the typical traits of malware, using suspicious functions and variables. We initially thought that these may be some address locations that the variables point to. However, digging deeper we realized that these are in fact keycode constants. Keycode constants/values can be used anywhere in code in place of the actual values. For instance, the first variable declared equals 0x1. This is a keycode constant for a left mouse button. So when this variable is invoked somewhere in the program, it causes the left button to be clicked.

Global constants

Some of these global variables also pointed to cryptographic algorithm identifiers. For example, 0x00008001 is the MD2 hashing algorithm. All these cryptographic techniques are used at a later stage by the attacker. There were more than 12 different functions here, all of which were called by one main function. When we skimmed through the code, VMwaretray.exe, VBoxService.exe and other such keywords caught our attention immediately. These are traits of typical sandbox evading malware. If the malware figures out that it is executing in a virtual machine, it stops execution immediately or exhibits a fake behavior.

The code also had a function to ensure persistence. This particular sample achieved persistence by writing itself to the registry. The adversary is trying to maintain their foothold. This is seen below.

Function analysis

The abuse of WScript has massively increased over the years. Malware authors make extensive use of this due to its ability to interpret the .js and .vbs files. This particular malware uses WScript to invoke the vb script.

The actual trojan DLL was made by the following function.

Function analysis

The function makes a call to the file ‘mgi.cpl’ and extracts the trojan code in between the strings “Troj” and “ FinTroj”. The string is just an encrypted text of 484,000 length.

Various encryption techniques such as RC2, Triple DES, SHA, etc were used to encode the trojan code. After encoding the whole code, the malware author reversed the string and placed it in the file. When this string is invoked in the main program, the string is first reversed and then passed to a function that creates a DLL.

The DLL injection

The DLL injection is performed by inserting code into the running process. The adversary is trying to gain higher-level permissions. Privilege escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. This is done by attaching to a process and allocating some memory within the process for the malicious code. This memory allocation is done by a function called VirtualAllocEx(). The code is then inserted in the existing process. This is taken care of by the WriteProcessMemory() function. The base address of the malicious code is noted so that it can be called whenever required. This is usually done using the thread invocation mode so that it may go unnoticed. The malware may inject its own malicious code into the DLL.

Malware code

So far, we have done only static analysis on the sample. When we dynamically executed it, we figured out the process tree of the malware looks something like this.

Process tree of the malware

When the .scr file is executed, it invokes wscript.exe which helps to execute the vbs script. As discussed earlier, the vb script contains a variable oddshl which causes “agj.exe gjm=loo”, to be executed. This triggers the DLL injection which spins a child process RegSvcs.exe. This is where the actual trojan resides.

Attacker’s Infrastructure

After executing the trojan in a sandboxed environment to do dynamic analysis, we see that the file exhibits Nanocore RAT behavior. Nanocore is a modular remote access trojan (RAT). Its infection method is through spam emails, attachments, and software bundles. Nanocore is able to disable antivirus software, bypass firewalls and make registry modifications. This threat can lead to the installation of additional malware and the loss of sensitive information.

During this analysis the RAT made a callout to the dynamic DNS (DDNS) domain of nikkycharles3[.]ddns[.]net which would be the command and control server (c2 server) where the malware can receive commands to initiate different modules, drop additional malware, or send stolen information.

DNS queries graph
Query volume timeline taken from Cisco Umbrella Investigate

Once we had the DDNS domain that was acting as the c2 server, we started investigating the hosting infrastructure. The hosting IPs hosted many more DDNS domains and we were able to find additional malicious artifacts and RATs that were communicating to them. The attacker’s infrastructure is primarily located in Nigeria on ASN 36873. You can find a full list of IOCs at the end of this blog post. They include 79 hosting IPs and over 200 c2 servers.

Why Umbrella?

Umbrella protects users from connecting to malicious sites on the Internet and analyzes over 180 billion DNS requests daily. The sheer volume of DNS requests gives our Researchers a unique view of the Internet to better identify trends on threats, faster. Our statistical models and threat hunting techniques allow our Researchers to be aware of an attacker’s infrastructure before new attacks can launch.

Interested in trying out Umbrella? Sign-up for a free 14-day trial today.

IOCs:

Initial Files:
4fc39b14caa8a3cdca1c57b157b0dd2bd8ec49dc7c550e3811a8bb95f1244927
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

Suggested Blogs

  • Cybersecurity Threat Spotlight: Emotet, RedLine Stealer, and Magnat Backdoor February 3, 2022 5 minute read
  • Using DNS-layer security to detect and prevent ransomware attacks August 12, 2021 6 minute read
  • The cost of ransomware attacks: Why and how you should protect your data August 10, 2021 4 minute read

Share this blog

FacebookTweetLinkedIn
Subscribe to the Cisco Umbrella blog Subscribe

Follow Us

Facebook X LinkedIn Youtube

Footer Sections

What we make

  • Cloud Security Service
  • DNS-Layer Network Security
  • Secure Web Gateway
  • Security Packages

Who we are

  • Global Cloud Architecture
  • Cloud Network Status
  • Cloud Network Activity
  • OpenDNS is now Umbrella
  • Cisco Umbrella Blog

Learn more

  • Webinars
  • Careers
  • Support
  • Cisco Umbrella Live Demo
  • Contact Sales
Umbrella by Cisco
208.67.222.222+208.67.220.220
2620:119:35::35+2620:119:53::53
Sign up for a Free Trial
  • Cisco Online Privacy Statement
  • Terms of Service
  • Sitemap

© 2025 Cisco Umbrella