- 8c54df8f11f9cca98fd91fc8bf35c8763274e59e (python39.dll)
Trojan.Fruity.1 is a multi-component trojan downloader that installs other malware onto computers running Microsoft Windows. It is a modified copy of a legitimate python39.dll library from the Python programming language package. Attackers embed malicious code into this copy. It can reach target devices in various ways. For example, it can be distributed as part of malicious installers of harmless software, which contain all the trojan’s components and copy them into the system during installation.
When all the necessary components are copied onto a target computer, Trojan.Fruity.1 infects the system in several stages.
A trojanized version of the python39.dll library is launched by the legitimate app python.exe. It then resolves the ntdll.dll and kernel32.dll functions it needs by comparing CRC32 hashes of their names rather than the names themselves. Next, it decrypts the contents of the idea.mp3 file using an XOR algorithm with a key located within the first 200 bytes of the file. The result is a compressed data array and the shellcode for the next stage.
This library also reads the contents of the idea.cfg file. At the beginning of this file is a string, in this case fruit.png, that specifies the location of the second-stage payload. It can be a web link for downloading the target file from the Internet, or a path to a local file.
After these steps, control is passed to the shellcode.
The shellcode decompresses the data array using the RtlDecompressBuffer function; the result is a .dll library. Next, the shellcode launches the cmd.exe Windows command-line tool in a suspended state, using the CREATE_SUSPENDED flag. It then writes the following information into the memory of the created process:
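Resolving imports by CRC32 hashes of their names, as the loader does here, leaves an analyst with a list of 32-bit values instead of function names. The usual way to recover them is to hash a candidate export list under the encodings a loader commonly uses and look the sample's values up. The following is an added example of that lookup, not code from the page or from the sample; the candidate names, the encoding variants and the "observed" values are constructed, since the page does not state which variant Trojan.Fruity.1 uses.

```python
import zlib

# Constructed candidate list: exports an analyst expects a loader to resolve.
# In practice this is the full export table of ntdll.dll and kernel32.dll.
CANDIDATE_APIS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateProcessA",
    "WriteProcessMemory", "ResumeThread", "RtlDecompressBuffer",
    "NtUnmapViewOfSection", "NtWriteVirtualMemory",
]


def crc32(data: bytes) -> int:
    """Standard CRC-32 (as in zlib), masked to an unsigned 32-bit value."""
    return zlib.crc32(data) & 0xFFFFFFFF


def hash_variants(name: str) -> dict:
    """Hash one export name under the encodings loaders commonly use.
    Which variant this sample uses is not stated on the page (assumption:
    one of these three), so an analyst tries each."""
    raw = name.encode("ascii")
    return {
        "ascii": crc32(raw),
        "ascii+nul": crc32(raw + b"\x00"),      # hashed with its terminator
        "lower": crc32(raw.lower()),            # case-folded before hashing
    }


def build_lookup(names):
    """Map every variant hash back to (export name, variant)."""
    table = {}
    for name in names:
        for variant, h in hash_variants(name).items():
            table.setdefault(h, (name, variant))
    return table


def resolve_hashes(observed, names=CANDIDATE_APIS):
    """Translate hashes pulled from a sample into export names.
    Unknown hashes map to None so the analyst can see the gaps."""
    table = build_lookup(names)
    return {h: table.get(h) for h in observed}


if __name__ == "__main__":
    # Constructed 'observed' values: two real names hashed two ways, plus junk.
    observed = [crc32(b"VirtualAlloc"), crc32(b"ResumeThread\x00"), 0xDEADBEEF]
    for h, hit in resolve_hashes(observed).items():
        print(f"{h:08x} -> {hit}")
```

Feeding the full export tables of ntdll.dll and kernel32.dll through `build_lookup` is what turns a hash-based resolver into a readable import list; a hash that resolves under none of the variants usually means the sample uses a different algorithm or a seed, which is worth checking before assuming an unknown API.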
- the fruit.png string;
- the shellcode for Stage 3;
- a memory region with the data for this shellcode (its execution context).
Next, the image of the decompressed .dll library is patched to point at the address of the context in the process: the byte sequence B8CBCBCBCB is replaced with B8<address of the context beginning>, where B8 is the opcode of a mov eax, imm32 instruction and CBCBCBCB is the placeholder for its 32-bit operand. After that, the library is injected into the cmd.exe process, which is then resumed. Finally, control is passed to this library.
The .dll library injected into cmd.exe checks which string it received in the previous stage. If the string starts with http, it tries to download the target file from the Internet using that link, first via the BITS service and, if that fails, via the WinINet API. If the string does not start with http, it is treated as a path to a local file. In this particular case, the target is the local fruit.png file. This file is moved to %TEMP%\<rnd>.png, where <rnd> is a random 8-character hexadecimal number.
Next, the library runs the Stage 3 shellcode at the 0x7610 address, passing the path to the .png file as an argument. This shellcode decrypts the image, in which several malicious objects are hidden using steganography: two .dll libraries and the shellcode for Stage 4. The decrypted contents are written into memory.
The shellcode from the fruit.png image enumerates the active processes and searches among them for anti-virus software processes by their hash sums. It then tries to evade their detection and also tries to hinder debugging.
Next, an injection attempt is made against the msbuild.exe process; if it fails, the attempt is repeated for cmd.exe and then notepad.exe. The Process Hollowing method is used to inject one of the two .dll libraries decoded earlier from the fruit.png image, together with the shellcode that initializes Stage 5.
After that, a .dll file with a random name is created in the %TEMP% directory, and the contents of the second .dll library decoded from the fruit.png image are copied into it. This file is then injected into the target process, this time using the Process Doppelgänging method. It is the Remcos RAT (Trojan.Inject4.57973) spyware trojan.
The shellcode injected into the target process at the previous stage adds the legitimate python.exe program to Windows Autostart and additionally creates a scheduled task to launch it. The program is also added to the scanning exclusions of Windows Defender, the anti-virus built into Windows.
Then random data is appended to the end of the trojanized python39.dll file, which changes its hash sum. Its creation date and time are also modified.
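The chain described across Stages 2 to 5 leaves several observable traces on an endpoint: a python.exe running from an unusual location spawning cmd.exe, cmd.exe obtaining write-capable handles to msbuild.exe, cmd.exe or notepad.exe, and files named with eight hexadecimal characters (the moved .png and the Remcos .dll) appearing in %TEMP%. The following detection logic is an added example, not code from the page; it runs over constructed, simplified Sysmon-style records (field names follow Sysmon's ProcessCreate, ProcessAccess and FileCreate events, while paths and values are made up), and the "untrusted directory" rule for python.exe is a heuristic assumption.

```python
import re

# Constructed, simplified Sysmon-style records. Field names follow Sysmon's
# (EventID 1 ProcessCreate, 10 ProcessAccess, 11 FileCreate); paths and file
# names are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\setup\python.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\cmd.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\3f9a1c2b.png"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\a0b1c2d3.dll"},
    # Benign noise the rules must not flag.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Python39\python.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\cmd.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1000"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\report.png"},
]

# Injection targets tried in order according to the description.
HOLLOWING_TARGETS = {"msbuild.exe", "cmd.exe", "notepad.exe"}
PROCESS_VM_WRITE = 0x0020
# %TEMP%\<8 hex chars>.png (moved image) or .dll (dropped Remcos library).
TEMP_ARTEFACT = re.compile(r"\\temp\\[0-9a-f]{8}\.(?:png|dll)$", re.IGNORECASE)
# Heuristic (assumption): a genuine interpreter is not run from these folders.
UNTRUSTED_DIRS = ("\\temp\\", "\\downloads\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def python_from_untrusted_dir(path: str) -> bool:
    p = path.lower()
    return basename(p) == "python.exe" and any(d in p for d in UNTRUSTED_DIRS)


def detect(events):
    """Return (rule, detail) findings in event order."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and basename(ev["Image"]) == "cmd.exe" \
                and python_from_untrusted_dir(ev["ParentImage"]):
            findings.append(("untrusted_python_spawns_cmd", ev["ParentImage"]))
        elif eid == 10 and basename(ev["SourceImage"]) == "cmd.exe" \
                and basename(ev["TargetImage"]) in HOLLOWING_TARGETS \
                and int(ev["GrantedAccess"], 16) & PROCESS_VM_WRITE:
            findings.append(("cmd_write_access_to_hollowing_target", ev["TargetImage"]))
        elif eid == 11 and TEMP_ARTEFACT.search(ev["TargetFilename"]):
            findings.append(("random_hex_artefact_in_temp", ev["TargetFilename"]))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Which event a hollowing or doppelgänging step actually produces depends on the primitive used and on the Sysmon configuration, so the ProcessAccess rule is a starting point rather than a complete signature; correlating the three rules on the same host within a short window is what lifts them above the noise a developer's shell generates.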
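The persistence step combines three locations that are individually common but rarely overlap: a Run entry, a scheduled task and a Windows Defender exclusion all naming the same python.exe. A hunt can correlate exports of those three lists and report any autostart executable that is also excluded from scanning. The following is an added example of that correlation, not code from the page; the Run-key values, task actions and exclusion paths are constructed, and a real collection would come from the registry, schtasks and Defender's preference output.

```python
import ntpath  # Windows path semantics regardless of the analysis host

# Constructed exports of the three locations the description names.
RUN_ENTRIES = {
    "OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "PyUpdate": r"C:\Users\u\AppData\Local\Temp\setup\python.exe",
}
TASK_ACTIONS = {
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": r"C:\Windows\System32\defrag.exe -c",
    r"\PyUpdate": r'"C:\Users\u\AppData\Local\Temp\setup\python.exe"',
}
DEFENDER_EXCLUSIONS = [
    r"C:\Users\u\AppData\Local\Temp\setup\python.exe",
    r"C:\Program Files\Docker",
]


def executable_of(command: str) -> str:
    """First token of a command line, lower-cased, with quotes stripped."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].lower()
    return cmd.split(" ", 1)[0].lower()


def is_excluded(path: str, exclusions) -> bool:
    """True if the path equals an exclusion or lies under an excluded folder."""
    p = ntpath.normpath(path).lower()
    for ex in exclusions:
        e = ntpath.normpath(ex).lower()
        if p == e or p.startswith(e + "\\"):
            return True
    return False


def correlate(run_entries, task_actions, exclusions):
    """Persistence entries whose executable is also excluded from Defender scans.
    Each finding is (source, entry name, executable path)."""
    findings = []
    for name, cmd in run_entries.items():
        exe = executable_of(cmd)
        if is_excluded(exe, exclusions):
            findings.append(("run_key", name, exe))
    for name, cmd in task_actions.items():
        exe = executable_of(cmd)
        if is_excluded(exe, exclusions):
            findings.append(("scheduled_task", name, exe))
    return findings


if __name__ == "__main__":
    for source, name, exe in correlate(RUN_ENTRIES, TASK_ACTIONS, DEFENDER_EXCLUSIONS):
        print(f"{source}: {name} -> {exe} (excluded from scanning)")
```

An exclusion that covers a whole folder such as a Temp subdirectory is treated the same as one naming the file, which is why `is_excluded` tests the directory prefix as well as exact equality.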
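Appending random bytes to python39.dll defeats hash-based matching, but it also leaves a tail that no PE header accounts for. A check that computes where the headers say the file should end, and compares that with the real length, catches the modification regardless of the hash. The following is an added example, not code from the page; it builds a constructed minimal PE32+ image (not a real python39.dll) and treats the Authenticode certificate table as legitimate trailing data, because a signed library normally keeps that table after its last section.

```python
import struct

SECURITY_DIR_INDEX = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY


def constructed_pe(cert_size: int = 0, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32+ image with two sections, an optional fake
    certificate table and optional trailing bytes. Not a real library."""
    e_lfanew, opt_size, nsections = 0x40, 0xF0, 2
    hdr_end = e_lfanew + 24 + opt_size + 40 * nsections
    raw_base = (hdr_end + 0x1FF) & ~0x1FF            # 0x200 file alignment
    buf = bytearray(raw_base + 0x400)                # headers + 2 x 0x200 raw data
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, 0x8664, nsections, 0, 0, 0, opt_size, 0x2022)
    opt = e_lfanew + 24
    struct.pack_into("<H", buf, opt, 0x20B)          # PE32+ magic
    sec = opt + opt_size
    for i, name in enumerate((b".text", b".data")):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        struct.pack_into("<8sIIII", buf, sec + 40 * i, name, 0x200, 0x1000 * (i + 1),
                         0x200, raw_base + 0x200 * i)
    cert = b""
    if cert_size:
        # The Security directory stores a file offset (not an RVA) and a size.
        struct.pack_into("<II", buf, opt + 112 + 8 * SECURITY_DIR_INDEX, len(buf), cert_size)
        cert = b"\xCC" * cert_size
    return bytes(buf) + cert + overlay


def claimed_end(data: bytes) -> int:
    """Offset just past the last byte the headers account for: section raw data
    plus, if present, the certificate table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)     # PE32+ vs PE32 layout
    sec = opt + opt_size
    end = sec + 40 * nsections
    for i in range(nsections):
        size, ptr = struct.unpack_from("<II", data, sec + 40 * i + 16)
        end = max(end, ptr + size)
    if dirs + 8 * (SECURITY_DIR_INDEX + 1) <= sec:   # directory actually present
        cert_off, cert_size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR_INDEX)
        if cert_off and cert_size:
            end = max(end, cert_off + cert_size)
    return end


def overlay_size(data: bytes) -> int:
    """Bytes after everything the headers account for. Non-zero on a library
    that should be pristine is a cue to pull the file for analysis."""
    return max(0, len(data) - claimed_end(data))


if __name__ == "__main__":
    print("clean:", overlay_size(constructed_pe()))
    print("signed:", overlay_size(constructed_pe(cert_size=0x100)))
    print("signed+tail:", overlay_size(constructed_pe(cert_size=0x100, overlay=b"\x00" * 37)))
```

On a Windows host, verifying the publisher signature of python39.dll is the more direct test, since appended bytes and a modified timestamp do not change what the signature covers; the overlay check above is useful where no signature tooling is available, for memory-dumped copies, and as a triage step over many files at once.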
More details on Trojan.Inject4.57973