
Saitama Backdoor

Saitama Agent

On 26 April 2022, Malwarebytes identified a backdoor named Saitama. The backdoor was discovered after it was used in a targeted attack against the foreign ministry of Jordan. The tools, tactics, and procedures used have allowed the malware to be attributed to the Iranian threat group known as APT34. They are known to target sectors including financial, governmental, energy, chemical and telecommunications.

The malware itself specifically targets Microsoft Windows platforms and avoids devices where a mouse is not connected as an anti-analysis technique.

The adversary relies on the user enabling macros in an Excel spreadsheet attached to a spear-phishing email as the initial access point. Once enabled, the macro drops the Saitama backdoor into the ‘%LocalAppData%\MicrosoftUpdate\’ directory, along with its configuration file and dependencies. Saitama then establishes and maintains persistence via a scheduled task, created by the Excel macro, that runs the dropped ‘update.exe’. Saitama then awaits commands from one of its associated C2 domains, ‘uber-asia[.]com’, ‘asiaworldremit[.]com’ or ‘joexpediagroup[.]com’; the C2 domain is chosen at random during execution.

The primary purpose of Saitama is exfiltration of sensitive data. Saitama utilizes DNS tunneling and a non-standard encoding system to obfuscate its activity on a network. The malware also has reconnaissance capabilities used to gather information about the internal network of the target.

The Saitama backdoor uses a “finite-state machine” approach to executing commands from its command and control (C2). Saitama abuses the DNS protocol for its C2 communications, which makes it stealthier than many standard detection evasion techniques. Each octet of an IPv4 address the implant receives from the C2 server is interpreted as part of a command using a custom, randomly generated alphabet.

IP addresses and domain names relating to the internal infrastructure of the Jordanian government are found within the malware, indicating this version of Saitama was specifically designed for this highly targeted attack. Furthermore, it may also indicate that the threat actor had previous knowledge of the target’s internal infrastructure.

Availability

.NET debuggers and assembly editors make it easy to disassemble Saitama, so the implementation of these techniques could readily be reused in other malware samples.

Technical Details

Saitama checks if a mouse is connected to avoid automated analysis and virtual machine environments.

Virtualization/Sandbox Evasion: System Checks (T1497.001)

Saitama is built as a finite state machine and can transition between 8 different states. These state transitions depend on its environment and the data the agent can gather. Using these states, the malware can sleep for long periods of time, move to a ‘RECEIVE’ state to receive information from the C2 server, or move to the ‘SEND’ state to send data to the C2. If the agent fails to send or receive data, it changes to the ‘SLEEP’ state.

Execution Guardrails (T1480)

Virtualization/Sandbox Evasion: Time Based Evasion (T1497.003)

Persistence is established once the macro implants a scheduled task called ‘MicrosoftUpdate’ that repeats every 4 hours. This task is only started if the computer has been idle for ten minutes.

Scheduled Task/Job: Scheduled Task (T1053.005)

The malware communicates by abusing the Domain Name System (DNS) protocol. In this case it uses a technique called DNS tunneling during the agent’s ‘SendAndReceive’, ‘Receive’ and ‘Send’ states.

Application Layer Protocol: DNS (T1071.004)

The malware makes use of a domain generation algorithm (DGA) to dynamically define a destination domain for command-and-control traffic rather than relying on a static list of IP addresses or domains.

Dynamic Resolution: Domain Generation Algorithms (T1568.002)

The malware communicates by abusing the Domain Name System (DNS) protocol to conceal its C2 messages. In this case it uses a technique called DNS tunneling during the agent’s ‘SendAndReceive’, ‘Receive’ and ‘Send’ states so that the traffic resembles normal DNS lookups.

Protocol Tunneling (T1572)

Saitama initialises its counter by selecting a random number from 0 to 46655. The number is then encoded using a hard-coded base36 alphabet shared by Saitama and the C2. The counter is then used to generate a custom alphabet that encodes and decodes the message, acting as a substitution cipher. This message makes up part of the subdomain that the backdoor uses to contact its C2 domain. Saitama reads the last octet of an IPv4 address returned during a DNS lookup of one of its hard-coded root domains; these digits are then used as the backdoor’s ID. Saitama then sets its counter to 7806, indicating it is ready to receive commands. The ID and counter value make up the message section of the subdomain, and a root domain is chosen at random.

Data Encoding: Non-Standard Encoding (T1132.002)

The backdoor uses three root domains at random:

  • uber-asia[.]com
  • joexpediagroup[.]com
  • asiaworldremit[.]com

Saitama’s domain lookups are interpreted by the C2 server using the following syntax:

Domain = message, counter ‘.’ Root domain

Saitama sends a request to the C2 server; the first message sent to the C2 is ‘0’, which is base36-encoded to ‘a’, to tell the server it has successfully compromised a new victim. The string ‘haruto’ is appended, making the final string ‘aharuto’. Once the C2 server responds to the request with an expected payload size, Saitama makes one or more ‘RECEIVE’ requests so that it can calculate the number of IPv4 addresses it will require to reconstruct the payload. Messages containing ‘2’ are interpreted as a ‘RECEIVE’ request and are sent along with the encoded ID and an offset; the offset identifies which part of the payload is required while it is being received by Saitama.

Application Layer Protocol: Web Protocols (T1071.001)

Saitama contains special functionality allowing it to interpret the octets of IPv4 addresses as segments of a command, from which it builds a payload. The C2 server responds to the backdoor with the payload size, sent as IPv4 addresses, which Saitama interprets using the shared substitution cipher. Each octet of an IPv4 address sent to Saitama signifies the bytes and length of the payload the backdoor is about to receive. After establishing a tunnel between the victim and the C2, Saitama increments its counter according to the number of IPv4 addresses it needs to receive to compose a command the implant can execute, since each IPv4 address carries only four bytes of information.

The C2 can then select one of five functions, each represented by a number:

  • 43: Static
  • 70: Cmd
  • 71: CompressedCmd
  • 95: File
  • 96: CompressedFile
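As an added illustration (not code from the report or from the sample itself), the following Python models the subdomain syntax, the base36 counter encoding, the octet-to-byte payload reassembly and the address-count calculation described above, together with a small check for DNS queries under the three root domains. The base36 alphabet (chosen only so that 0 encodes to ‘a’, as the report observes) and the log line format are assumptions; the sample’s real hard-coded alphabet is not reproduced here.

```python
import ipaddress

# Root domains named in the report (defanged in the text, undefanged here for matching).
ROOT_DOMAINS = ("uber-asia.com", "asiaworldremit.com", "joexpediagroup.com")

# ASSUMPTION: the sample's hard-coded base36 alphabet is not reproduced in the report.
# This placeholder is chosen only so that 0 encodes to 'a', as the report observes.
BASE36_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

def base36_encode(value: int, alphabet: str = BASE36_ALPHABET) -> str:
    """Encode a non-negative int; counters 0..46655 (36**3 - 1) fit in three symbols."""
    if value < 0:
        raise ValueError("counter must be non-negative")
    digits = []
    while True:
        value, rem = divmod(value, 36)
        digits.append(alphabet[rem])
        if value == 0:
            return "".join(reversed(digits))

def build_query_name(message: str, counter: int, root: str) -> str:
    """Domain = message, counter '.' root domain (the syntax quoted in the report)."""
    return f"{message}{base36_encode(counter)}.{root}"

def addresses_needed(payload_size: int) -> int:
    """Each IPv4 answer carries four payload bytes, so round up."""
    return -(-payload_size // 4)

def payload_from_ipv4(addresses, payload_size: int) -> bytes:
    """Reassemble a payload sent as IPv4 octets; the last address may be padded."""
    raw = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    if len(raw) < payload_size:
        raise ValueError("fewer IPv4 addresses than the announced payload size")
    return raw[:payload_size]

def flag_root_domain_queries(log_lines):
    """Return (qname, subdomain) for queries under a report root domain; constructed log format: '<ts> <client> <qname> <qtype>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        qname = parts[2].rstrip(".").lower()
        for root in ROOT_DOMAINS:
            if qname.endswith("." + root):
                hits.append((qname, qname[: -len(root) - 1]))
    return hits
```

Feeding resolver query logs through `flag_root_domain_queries` surfaces the beaconing subdomains; the leading ‘aharuto’ marker and the three-symbol counter suffix are what an analyst would expect to see in the recovered subdomain.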

The malware can steal data by exfiltrating it over a C2 channel. Stolen data is encoded into the normal communications channel using the same protocol as other C2 communications.

Exfiltration Over C2 Channel (T1041)

Archive Collected Data: Archive via Utility (T1560.001)

The adversary sends a spear-phishing email containing a malicious Excel attachment named “Confirmation Receive Document.xls”, impersonating personnel of the Jordanian Government. The Excel attachment contains an image that persuades the victim to enable macros. Once the macro is enabled it performs various tasks such as:

  • Hiding the current Excel sheet and showing a new sheet displaying the Jordanian government ministry’s emblem.
  • Calling the ‘eNotif’ function to alert its C2 of execution progress, building a subdomain for each step.
  • Checking if a physical mouse is connected to avoid virtualized analysis environments.

Phishing: Spearphishing Attachment (T1566.001)

Saitama is designed to receive commands from the C2 server or to use built-in commands hard-coded into the backdoor.

The built-in commands allow Saitama to gather:

  • IP address of the device
  • Information about neighboring IPs
  • Domain Names
  • Usernames
  • OS versions
  • File and folder names
  • TCP connections
  • Internal IPs
  • DNS information

Command and Scripting Interpreter: PowerShell (T1059.001)

Command and Scripting Interpreter: Windows Command Shell (T1059.003)

System Information Discovery (T1082)

Remote System Discovery (T1018)

Account Discovery: Domain Account (T1087.002)

System Owner/User Discovery (T1033)

File and Directory Discovery (T1083)

System Network Connections Discovery (T1049)

If the deployment environment passes the macro’s checks, the macro reads the base64-encoded executables stored in the Excel file’s form labels. Once decoded, the malicious files ‘update.exe’, ‘update.exe.config’ and ‘Microsoft.Exchange.WebServices.dll’ are dropped into ‘%LocalAppData%\MicrosoftUpdate\’.

User Execution: Malicious File (T1204.002)

The malicious macros use Windows Management Instrumentation (WMI) to communicate with the C2 server; this is called multiple times during execution. The threat actors use this method to keep track of each stage of the attack.

Windows Management Instrumentation (T1047)

Saitama can get a listing of local system accounts using its built-in commands.

Account Discovery: Local Account (T1087.001)

This post is licensed under CC BY 4.0 by the author.