Easy Unpacking-Golang-based ELF malware
While I was looking into TeamTNT associated binaries (especially the XMRIG ones), I found a blog post which was published by Trend Micro research some time ago. The blog was about TNTbotinger malware in which attackers used shell-script as the initial vector.(Read full blog here)
In this brief blog we would be looking at how we could approach the debugging and unpacking of the golang ELF malware binary. The sample we would be looking into is the same XMRIG binary(E52646F7CB2886D8A5D4C1A2692A5AB80926E7CE48BDB2362F383C0C6C7223A2) from the Trend Micro blog. The sample is also available on MalwareBazaar.The sample is UPX compressed so we would directly be using uncompressed UPX binary.
Quick overview of the malware binary
Below shows the list of important functions used by the malware:
- r2 -d <ELF_FILE>
- afl | grep ‘main’ (for listing functions in radare2)
Looking at the functions above, its clear that the embedded miner in the golang ELF was AES encrypted which later gets decrypted and run in memory.
If we run strace along with the ELF malware, we can see below that the malware binary used write and memfd_create syscall to load the embedded ELF miner into the memory.(later which gets executed using execve)
About memfd_create syscall, read here.
Let’s now look at the steps to unpack the miner from TNTBotinger malware.
Unpacking TNTBotinger (using GDB debugger)
After loading TNTbotinger malware with gdb, we first look for functions using command: info functions.
We start by putting a breakpoint on main(main.main in our case) and run using the command: r.
We put another breakpoint on main.runFromMemory function and we will also follow/debug child process in case it gets fork via parent process, command: set follow-fork-mode child
Everything looks fine till here, it seems that we are in the same thread so now we would put BP on write syscall and continue, command: b syscall.Write
We could see that the malware binary is ready to write the miner into memory, right from here we dump the miner ELF. Command used for this is dump:
Full command to dump miner ELF:
dump binary memory <path> <array> (array+len)
Well! we just saw how easy it was to debug and unpack Golang ELF malware using GDB.
Alongside this, If we scan this unpacked file on VT, it comfortably gets detected as a miner:
Also, the strings inside the unpacked binary clearly suggests that it’s a miner:
NOTE: Ezuri crypter uses AES encryption to pack binary executable, same steps could also be applied to unapck ezuri packed ELF binary.
In the later blogs/parts we would explore more interesting techniques used in ELF malwares.