CyberWire Daily - Ezuri: Regenerating a different kind of target. [Research Saturday]
Episode Date: April 3, 2021. Guests Fernando Martinez and Tom Hegel from AT&T Alien Labs join Dave to discuss their team's research "Malware using new Ezuri memory loader." Multiple threat actors have recently started using a Go language (Golang) tool to act as a packer and avoid antivirus detection. Additionally, the Ezuri memory loader tool acts as a malware loader and executes its payload in memory, without writing the file to disk. While this technique is known and commonly used by Windows malware, it is less popular in Linux environments. The research can be found here: Malware using new Ezuri memory loader
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers
and analysts tracking down threats and vulnerabilities, solving some of the hard
problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
We came across an interesting loader that was targeting Linux operating systems.
And taking a dive into that particular loader, it kind of opened the door into an interesting set of events that we haven't quite seen very often.
Joining me are Fernando Martinez and Tom Hegel from AT&T Alien Labs.
We're discussing malware using the new Ezuri memory loader.
The characteristics of that loader were pretty unique.
That's Tom Hegel.
And then linking it back to a certain adversary group really made it stand out as a next step evolution in that adversary group.
So it kind of really captured our attention at that point.
Well, let's dig into some of the details here.
Let's go through it step by step here.
I mean, we've got this loader and it's using the Go language tool, which is acting
as a packer. Can you give us a little of the technical background on that for folks who aren't
familiar with it? Perhaps aren't Unix folks. What is a Go language and how does that relate to
what we found here?
So the Go language is another language, a scripting language that anybody can use.
That's Fernando Martinez.
Same as Python, Bash, or any other. It's just a little bit more complex at the time of the
scripting or analyzing something, but at the time of the scripting, it's supposed to make it easier
for you. And so it is a little bit newer than other scripting languages. It's not so used by the community.
But for attackers or somebody developing code,
it is useful for them if they do not want to have an easy way of decrypting.
If they don't want the security researchers to have an easy way of decrypting that code,
it is way more efficient because all the libraries are compiled together
and most of the time, many libraries that they don't need are compiled all together,
making it harder for the researcher to identify what libraries are inside
and what has a malicious purpose or a good purpose.
Well, let's go through it together.
I mean, walk us through the details
of what you found in this loader.
So this loader, what it does is
hides an encrypted payload and its purposes.
So the only thing that you see is that
that program has been written in Golang
and that it has something encrypted.
You don't know the purpose, if it's good or bad.
And then whenever it's decrypting the payload,
it just runs the payload in memory,
so it's hidden from the analyst,
any antivirus in the system or anything.
And it does a really good job at staying hidden for those security tools.
Let's talk about Ezuri itself.
So this is code that had been posted on GitHub?
Yeah.
Looking into the code that we had available, we identified some strings that
led us to a GitHub user called guitmz, who appears to be an offensive
researcher.
We identified that this tool was first released in GitHub around 2019.
And the full code was there.
And probably just for good purposes, it was posted on GitHub.
But it wasn't until recently, in 2020, that it started to be noticed in the malicious or the attackers' community.
And it started being used by some attackers like TeamTNT.
But the ability of having that code in GitHub
allows the offensive community and the defensive community
to have a look at it and know what it does
and identify how to protect against it.
And I suppose it's worth noting that the actual name Ezuri has kind of an amusing origin.
That was really fun to find because, well, the first thing you do is definitely do a Google
search for it. And all of a sudden you identify that you get more drawings than malware
related results.
And it came from the Magic: The Gathering game,
which is a card game with magical creatures.
And so that card from Magic: The Gathering,
the Ezuri card, has the capability of regenerating another target Elf,
talking about the magical creature.
The funny thing here is that the creator of Ezuri
identified this malware as something that can regenerate
another target ELF, referring to the program
or executable in Linux.
Right, so a bit of clever wordplay there, I suppose,
from whoever came up with this.
Yeah, it's definitely a funny story to tell after all the research.
Now, an interesting detail here is that everything happens in memory,
so we're not writing anything to disk, which makes it harder to detect, yes?
Yes, that's true. As soon as any file touches the drive, it is easier to see it in the logs
or see it afterwards whenever you're doing an investigation. But if it only runs in memory,
it is harder to identify those logs or traces that it leaves behind.
And you just have to catch it while it's running,
or it's going to be way harder afterwards.
Now, in part of your research here,
you've identified some malware authors who've been using this.
Can you take us through that part?
Who's out there using this?
Yeah, TeamTNT has been the actor that really caught our attention.
They are an opportunistic group that really kind of came to rise, I would say, mid-2020.
After some reports from ourselves and Trend Micro and Cado Security,
we started to see this adversary attack cloud instances such as AWS and then container systems such as Docker and Kubernetes and so forth.
But Ezuri really became used by multiple actors kind of all generally right now on an opportunistic level.
And TeamTNT really kind of sticks out just because of their success and scale of targeting.
But at this point, there are definitely others out there that are, you know, at this rate, nameless, that are definitely using the tool set.
And how would you find yourself with this on your system?
What sort of methods are they using to get people to execute the code?
Yeah, in this case, what we're seeing are vulnerable cloud and container type
systems that are not properly secured through best practices, such as vulnerable to exploits
that should have been patched and incorrectly secured credentials and services overall for those systems. Once they're on there, they begin to
execute the loader. And then at that point, it really kicks off the defense evasion techniques
to then load up their ultimate intentions right now, which tends to be isolated around
cryptojacking and credential theft for the systems themselves. But ultimately, it comes down to really doing the best practices for these systems
since they're public-facing often, updating, properly configured, and locked down overall.
Now, according to your research here, this is particularly effective at avoiding antivirus detection.
Can you explain that part of it for me?
Sure.
Yeah.
So whenever the payload is packed and encrypted, as Ezuri is doing, they have the capability
of hiding all those techniques and purposes of the payload.
So whenever we looked into VirusTotal to see how it was identified by several antivirus engines,
we identified that if the payload was encrypted with Ezuri, only three out of 60 or 70
antivirus engines identified it as malicious, whereas whenever the payload was not encrypted, almost
all of the antivirus engines identified it as malicious, around 50 out of 60.
Yeah, and one interesting note there is, you know, the loader really kind of helps on multiple levels
because it has the payload that's encrypted, and it's all written in Go.
So the delivery process is rather difficult to detect right now because of Go
and the actual malicious payload is encrypted.
And then you have the execution side, which is where you would hope to catch it if you didn't catch it on the delivery
side. And the execution really follows it through the memory-only approach. So you have to be doing
memory scanning rather than looking at pure AV or files on the system themselves for AV detection.
So there's quite a few steps of defense evasion that you really kind of have
to be on top of to catch this type of stuff. Well, I mean, let's dig into that. What are
your recommendations here for people to best protect themselves? Yeah, you know, I'll kind
of start there. I think one of the biggest things is really following the best practices to ensure that things that are public-facing are following
updates and secure compartmentalization through things aren't executed unless you're authorized,
things are properly secured through credentials, and so forth. Having a publicly accessible service,
you want to make sure that nothing can be executed as well. And that's just the basics to avoid the really common stuff. You know, then it gets into, you know, if you have to
operate in like a zero trust type approach, or you have to, you know, kind of consider your
environment constantly compromised and be able to hunt and detect this type of stuff while it's
already in your network. So there's definitely multiple levels, but I think the biggest bang for your buck here is really,
again, making sure that you have the basic best practices for public infrastructure
in the cloud and container type systems. In your estimation, how would you rate this
in terms of sophistication? Yeah, on my side, I would say sophistication is rather, I would say medium sophistication.
It's not extreme.
There's definitely a lot more sophisticated stuff out there.
The persistence of this group is eye-opening.
While these type of approaches are not uncommon,
seeing the persistence of this group
and their constant tool set evolve,
such as Ezuri or targeting AWS credentials,
I would say the group themselves
tends to be a little bit more sophisticated.
And we can start to see them evolve over time.
I think there's gonna be a lot more interesting stuff
coming from TNT overall.
But the approach overall, I would say medium sophistication.
There's definitely easier ways to do things that still work,
but there's definitely at the same time a lot more capable methods
that are a little bit more technically difficult.
And what do we know about TeamTNT?
Do we have any background information, any guess of who they are?
...operating in a business-like capacity. So they tend to be spread remotely to many different
locations. So no attribution at this point, being that their overall mission tends to be financially
motivated and opportunistic in nature. There hasn't been any clear links to certain objectives
or anything like that outside of those. So attribution at this point is not quite possible,
at least from our perspective,
but it is definitely possible to continue to link their activities
just based off of what they're doing themselves.
They're not afraid to put their name on things and say,
this is TeamTNT, which is pretty common with a lot of
crimeware-type groups trying to build a reputation and so forth.
But yeah, I think one thing that's really interesting on TeamTNT itself is, again,
their evolution to continually take steps to advance their capabilities.
The one thing that really catches my attention is them recently going after AWS credentials
in scenarios after using Ezuri to
get into environments. Targeting AWS credentials in an opportunistic fashion isn't too surprising.
However, that really, in my opinion, opens the door for them to kind of take it to the next level
of completely compromising organizations for intellectual property theft or access for
espionage or things like that. So, you know, complete network and cloud container compromises
rather than just crypto jacking. A little bit more complex, but I think that this group is
starting to walk down that path. I just wanted to add that, I think I forgot to mention,
the Ezuri malware loader was created in 2019,
but it wasn't until almost 2020, when it was posted on a black hat forum called Evolove Code,
that it was made more public.
And afterwards, a few weeks after, we started seeing it on TeamTNT and other attackers also.
Our thanks to Fernando Martinez and Tom Hegel from AT&T Alien Labs for joining us.
We'll have a link to the research in the show notes.
Thanks for listening.