Why MegaCrypter is a ‘MegaFail’

Whilst threat hunting at Countercept, we often come across all sorts of weird and wonderful payloads executing on client networks. From script kiddie python mischief to advanced fully featured Trojans – we’ve seen it all.

Posted on 19 October 2017 by Adam Orton

Over the last few months, we've spotted a handful of WSF payloads both on client networks and uploaded to open-source malware repositories that are obfuscated using the "MegaCrypter" [1] tool. In all cases, these payloads have ultimately delivered the reasonably old-school "Houdini" RAT, but more on that later.

 

What’s interesting about these particular payloads is that – despite the effort that the attacker went to obfuscate the final payload – an oversight left the door wide open for our threat hunting team to extract the final payload from the original file in one-two lines of Python.

 

Although it is called MegaCrypter, the techniques employed are not encryption, but simple encoding functions. This blog post will provide a short analysis of the various layers and components of these payloads that need to be decoded, uncovering the secret that MegaCrypter should more accurately be called “MegaFail”.

 After reading this, analysts should be able to:

 

  • Extract MegaCrypt-encrypted payloads;
  • Quickly analyse and extract payloads encrypted using this and similar tools;
  • Save time when dealing with this particular type of threat.

 

Initial infection

In the cases investigated by Countercept the victim was lured into manually downloading and executing the malicious WSF files, usually having received an e-mail message containing a benign PDF with a link to the payload. Of particular interest here was the use of hxxps://github[.]com to host the payload under a publicly accessible project.

 

 A quick interlude, what IS a WSF file? 
wsf

A Windows script file is basically a format that allows the Windows Scripting Host (Wscript.exe) to provide a wrapper around a number of other high-level scripting languages, primarily VBScript and Jscript, although Wikipedia indicates that much worse is possible [2].

 

Helpfully, Windows has a default file handler configured for WSF files, which means that if an unsuspecting user clicks on one, Wscript will automatically execute the content and it’s game over.

 

If you want to enumerate which scripting engines are currently installed on your local machine, simply search the “HKEY_LOCAL_MACHINE\SOFTWARE\Classes\” registry hive for "ScriptEngine" keys, as shown below. The corresponding "Shell\Open" key will detail which binary will handle/execute scripts of this type.

Figure 1
reg editor

 

What does a MegaCrypted WSF file look like?

The image below shows a snipped and shortened view of a MegaCrypt “encrypted” WSF file with a couple of important sections numbered.

 

Section 1 – This is a large Jscript.Encoded code block, which serves a number of purposes, including VM/AV detection, persistence, and – most importantly –  final payload “decryption”.

 

Section 2 – This is the actual “encrypted” payload that is executed once all of the pre-requisite checks and “decryption” routines have executed. Note the “//” delimiters at either end of this block of data. We’ll come back to these later.

 

Section 3 – What kind of hacker tool worth its salt is complete without a super 1337 ASCII banner? Happily, this also serves as a nice signature to go hunting for MegaCrypt files in VirusTotal, or similar, using some simple YARA rules.

Figure 2

figure 2

 

Jscript.Encoded, you say?

For those not familiar with the Jscript.Encode function, it is an age-old Microsoft library that uses a 3-alphabet, polyalphabetic substitution algorithm to obfuscate the original source code. It has been around forever and – naturally – multiple people have written deobfuscators in a variety of languages and web-based tools.

 

One of those tools is the “decode-vbe.py” tool written by Didier Stevens (amongst a vast array of other excellent tools Didier has written for carrying out similar tasks), [3] or for those wanting a quick web-based tool, a quick Google will provide multiple free offerings.

If we feed the data from section 1 in the WSF file into a Jscript.Encode decoder, we are left with another reasonably obfuscated VBS script, which has been prettified and analysed below.

 

Arrays of obfuscation

The first variable in the VBS script is a large array of mixed values – in this case, “_0xf908”. We can see some clear text variables of obvious usage, such as “WScript.Shell”, “SysWOW64” etc. There are also a number of large semi-hexadecimal variables, sprinkled with “@” characters, which look pretty interesting. 

Figure 3
figure 3

The main body of the script is actually heavily reliant on the above array, likely in an attempt to prolong analysis and frustrate the person reversing the sample. The array also makes the script difficult to read and manually doing a find-and-replace for every value would take up valuable time.

 

Luckily, we have a keen eye and can spot that a particular hex-blob from the array is used heavily and is also executed by the script. Whenever this particular array variable is used, a find-and-replace is done on the “@” character, replacing it with a “7”. If we extract just this variable and carry out the replacement, the purpose is quickly apparent and we get a decryption script with references to the encrypted payload shown as Section 2 in Figure 2.

 

Military-grade encryption, ‘tis not

A quick review of the final decryption code reveals the shockingly bad “crypto” provided by MegaCrypter and we start to get a sneaky feeling that we could solve this with a one-liner. The decryption function does the following:

  1. Splits the original unmodified WSF file by the “//” delimiter to obtain the “encrypted” payload.
  2. Does a find-and-replace on some characters to create a string of hexadecimal characters
  3. Iterates over the string, converting the characters into their actual hexadecimal values before carrying out an XOR operation with the static decimal value “255” (0xFF).
figure 4
Figure 4

 

Who-dini?

The final payload in all of the cases analysed by Countercept was the well-known and well-analysed “Houdini RAT” or “H-RAT”, which has been detailed by numerous researchers in recent years, [4] [5] so won’t be covered here.

 

Additional research into possible links between the Houdini authors and the MegaCrypt authors might yield interesting links, as yet uncovered, but that’s a topic for another day.

 

One line to rule them all

Observant readers will have noticed that for all of the wrappers, layers, pomp and ceremony deployed by the WSF file, you can actually extract the final payload from the source file rather easily.

 

Below is a (long) one-liner written in Python that takes a MegaCrypter WSF file as an argument and outputs the final decoded payload. Based on observed samples, the XOR key is static, as are the delimiters, but the below snippets could be easily modified where needed if other variants are detected.

import sys;print("".join(chr(ord(x) ^ 255) for x in open(sys.argv[1],"r").read().split("//")[1].replace("@","B").replace("$","A").replace("+","C").replace("-","D").replace(":","E").replace(".","F").replace(">","6").replace("<","5").decode("hex")))

OK, I know this is gross, so for a more usable script, the following might be more appropriate:

import sys
def megaDecode(data):
   data = data.replace("@","B").replace("$","A").replace("+","C").replace("-","D").replace(":","E").replace(".","F").replace(">","6").replace("<","5")
   data = "".join(chr(ord(x) ^ 255) for x in data.decode("hex"))
return data       
print(megaDecode(open(sys.argv[1],"r").read().split("//")[1])) 

#BlueTeamBonus

The ASCII banner noted in Figure 2 is also a great way to signature MegaCrypter. A simple YARA rule to detect this, or go hunting for similar, is given below.

rule megaCrypter
{
   meta:
      description = "MegaCrypter WSF/VBS Detection"
      author = "Adam Orton @ Countercept"
      date = "11-October-2017"
      version = "1"
   strings:
      $megaCryptUrl = "[ http://MegaCrypter.Us ]"
      $megaHexUrl = { 5b 20 68 74 74 70 3a 2f 2f 4d 65 67 61 43 72 79 70 74 65 72 2e 55 73 20 5d }
   condition:
      $megaCryptUrl or $megaHexUrl
}

Conclusion

 Although seemingly difficult to unravel at first glance, MegaCrypter is actually simple to decode once you understand what is happening under-the-hood. It, arguably, does not constitute encryption –  just overly complex encoding that is rapidly de-codable.

 

Hopefully the provided YARA rule and accompanying decoder script will save analysts time in the future when dealing with this particular threat.

 

 


http://MegaCrypter[.]us

https://en.wikipedia.org/wiki/Windows_Script_File

https://blog.didierstevens.com/2016/03/29/decoding-vbe/

https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html

http://pwndizzle.blogspot.com/2013/09/how-not-to-obfuscate-your-malware.html