In announcing the release of the 64-bit version of Chrome last month, Google mentioned that one of the primary drivers of the move was that the majority of Windows users are now running 64-bit operating systems. The adoption rate of 64-bit Windows has been a tad slower than Microsoft initially predicted, but it has been steady, and it is evident in the support now available from software developers. Unfortunately, we’ve been seeing the same adoption on the attackers’ side, in the form of 64-bit malware.

We’ve documented several instances of malware with 64-bit versions, including a 64-bit version of ZeuS, and we’ve been seeing the same in targeted attacks. In fact, in our 2H 2013 Targeted Attack Trends report, almost 10% of all malware related to targeted attacks ran exclusively on 64-bit platforms.

KIVARS: Earlier Versions

One malware family we’ve found running on 64-bit systems is KIVARS. Based on our findings, early versions of this malware affect only 32-bit systems and are dropped by a malware we detect as TROJ_FAKEWORD.A (SHA1 218be0da023e7798d323e19e950174f53860da15). Note, however, that all versions of KIVARS use this dropper to install both the loader and the backdoor.

Once executed, TROJ_FAKEWORD.A drops two executable files and a password-protected MS Word document that also serves as a decoy:

%windows system%\iprips.dll – TROJ_KIVARSLDR

%windows system%\winbs2.dll – BKDR_KIVARS

C:\Documents and Settings\Administrator\Local Settings\Temp\NO9907HFEXE.doc – decoy document

Figure 1. TROJ_KIVARSLDR is installed as a service with an active name of “iprip”.

TROJ_KIVARSLDR will load and execute BKDR_KIVARS in memory. BKDR_KIVARS is capable of the following routines:

Download\upload Files

File manipulation\execution

List drives

Uninstall malware service

Take screenshot

Activate\deactivate keylogger

Manipulate active windows (show,hide)

Trigger left, right, and double left clicks

Trigger keyboard input

TROJ_FAKEWORD.A uses the RTLO technique as well as an MS Word document icon to convince the user that it is just a normal document; both techniques were seen in previous campaigns such as PLEAD.

BKDR_KIVARS uses a slightly modified version of RC4 to decrypt its strings and configuration. The routine takes an extra byte parameter and checks whether this byte is greater than or equal to 80h; if it is, the byte is added to RC4’s XOR’d output. The same function is also used to decrypt the 10h-byte key.

Figure 2. The decryption of the malware string.

The dropped files were initially encrypted using the single-byte XOR key 55h. The same applies to the keylogger’s log file, klog.dat.

Figure 3. Decrypted klog.dat
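As an added example (not code from the original post or from the malware itself), here is a Python reference implementation of the modified RC4 routine described above, together with the single-byte XOR (55h) used for the dropped files and klog.dat. It assumes the extra byte is applied to every output byte as addition modulo 256; the key and strings in the block are constructed samples, not values from the malware.

```python
def rc4_keystream(key: bytes):
    """Standard RC4: key-scheduling algorithm, then a PRGA generator."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]

def kivars_rc4_decrypt(data: bytes, key: bytes, extra: int) -> bytes:
    """Modified routine: XOR with the RC4 keystream as usual, then, only when the
    extra byte parameter is >= 80h, add it to each XOR'd byte (assumed mod 256)."""
    ks = rc4_keystream(key)
    out = bytearray()
    for c in data:
        x = c ^ next(ks)
        if extra >= 0x80:
            x = (x + extra) & 0xFF
        out.append(x)
    return bytes(out)

def kivars_rc4_encrypt(data: bytes, key: bytes, extra: int) -> bytes:
    """Inverse of the routine above (added here only to build test data)."""
    ks = rc4_keystream(key)
    out = bytearray()
    for p in data:
        if extra >= 0x80:
            p = (p - extra) & 0xFF
        out.append(p ^ next(ks))
    return bytes(out)

def xor_decode(data: bytes, key: int = 0x55) -> bytes:
    """Single-byte XOR (key 55h) used for the dropped files and klog.dat."""
    return bytes(b ^ key for b in data)

if __name__ == "__main__":
    # Constructed sample values, not the malware's real key or strings.
    key = bytes(range(0x10))          # a 16-byte (10h) key, as in the malware
    plain = b"constructed config string"
    ct = kivars_rc4_encrypt(plain, key, 0x9C)
    assert kivars_rc4_decrypt(ct, key, 0x9C) == plain
    # With extra < 80h the routine is plain RC4 (standard "Key"/"Plaintext" vector).
    assert kivars_rc4_decrypt(bytes.fromhex("BBF316E8D940AF0AD3"), b"Key", 0) == b"Plaintext"
```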

The initial packets sent by BKDR_KIVARS are encrypted with RC4 and include the following information:

Victim’s IP

Possible Campaign ID

OS version

Hostname

Username

KIVARS version

Recent Document\Desktop folder

Keyboard Layout

Figure 4. Decrypted packet sent by BKDR_KIVARS

64-bit Support

The newer versions of KIVARS, which come in both 32-bit and 64-bit builds, show slight differences when installed on a victim’s machine. For example, the loader and the dropped backdoor payload now have random file names:

%Windows%\system32\{random}.dll

%Windows%\system32\{random}.{tlb|dat} – uses either tlb or dat as its file extension

In this version, the loader is still installed as a service and uses one of the following service active names:

Iprip

Irmon

ias

Earlier versions of BKDR_KIVARS only encrypt the “MZ” magic bytes of the backdoor payload. In the newer versions, the backdoor payload itself is encrypted using the modified RC4.

Figure 5. This code snippet shows the 64-bit loader decrypting the key for the modified RC4; the procedure is the same as in the earlier versions of the malware.

C&C Communication

The new version first sends a randomly generated packet. A key derived from this packet is used to verify the C&C’s reply. Once the reply is verified, the backdoor sends the same RC4-encrypted information as before, the difference being that the first 4 bytes now hold the size of the information.

Figure 6. The decrypted packet from the new version.

Here are the IOCs for KIVARS:


Connections to POISON

We’ve found that the threat actors using KIVARS are also using the POISON RAT as part of this campaign. Below are some of the hashes connected to one of the C&C servers used by KIVARS:

Detection         SHA1                                      C&C                          IP
BKDR_POISON.VTG   6b6ef37904e1a40e33f3fc85da9ba142863867a2  adobeupdate.ServeUsers.com   210.61.134.56
TROJ_POISON.BHV   defeb241b5504c56603c0fd604aea6a79975b31d  butterfly.xxuz.com           210.61.134.56
BKDR_POISON.TUET  ad935580a5d93314f5d22f2089b8e6efeca06e18  truecoco.REBATESRULE.NET     210.61.134.56

With additional analysis by Ronnie Giagone

For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.