Recently, the Huorong threat intelligence system detected a new variant of the SHIZ virus spreading rapidly. The SHIZ virus mainly targets foreign users; once activated, it steals sensitive information from the victim's computer and performs other malicious actions. In addition, when the victim visits an antivirus vendor's website, the request is hijacked to Google's website, which severely disrupts the user.
After the virus runs, it first uses a range of anti-analysis techniques to detect virtual machine environments and antivirus software. The captured variant samples employ several countermeasures: besides executing the shellcode in separately decrypted blocks, they use push+ret sequences to obfuscate the call flow and defeat IDA's decompilation. Malicious modules are then injected into system processes to carry out data theft, screenshots, DNS hijacking and other malicious operations. The execution flow of the virus is shown in the following figure:
Huorong security products can currently detect and remove the virus described above; Huorong users should update their virus database promptly. Huorong engineers recommend installing and regularly updating antivirus software, firewalls and security patches so that your protection stays current.
Obfuscation and anti-analysis techniques
When the virus starts, it is first loaded by an outermost loader that uses several obfuscation techniques: it executes large amounts of junk code to hinder analysis by security researchers, and it makes meaningless calls to rarely used APIs to check whether it is running in a virtual machine or behaviour sandbox. The related code is shown in the following figure:
To hinder profiling by security researchers, the outermost loader also makes function calls with push+ret sequences, which confuses IDA's decompiler, as shown in the following figure:
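When a loader replaces `call target` with `push target; ret`, the decompiler loses the control-flow edge, but the byte pattern itself is easy to find. The following analysis helper, added here as an example and not code from the article or the sample, scans raw 32-bit x86 bytes for `push imm; ret` pairs and reports the recovered targets so they can be re-added as cross-references; the sample bytes and the 0x400000 base are constructed.

```python
"""Recover call targets hidden behind push+ret obfuscation in 32-bit x86 code."""
import struct

PUSH_IMM32 = 0x68   # push imm32
PUSH_IMM8 = 0x6A    # push imm8 (sign-extended to 32 bits by the CPU)
RET = 0xC3          # near ret


def find_push_ret(code: bytes, base: int = 0):
    """Return (address_of_push, jump_target) for every push imm; ret pair.

    This is a linear byte scan, not a disassembly: a 0x68 or 0x6A byte that
    is really part of another instruction's operand can produce a false
    positive, so each hit should be confirmed in a disassembler before being
    turned into a cross-reference.
    """
    hits = []
    i = 0
    while i < len(code):
        op = code[i]
        if op == PUSH_IMM32 and i + 5 < len(code) and code[i + 5] == RET:
            target = struct.unpack_from("<I", code, i + 1)[0]
            hits.append((base + i, target))
            i += 6
        elif op == PUSH_IMM8 and i + 2 < len(code) and code[i + 2] == RET:
            # imm8 is sign-extended, so "push -1; ret" jumps to 0xFFFFFFFF
            target = struct.unpack_from("<b", code, i + 1)[0] & 0xFFFFFFFF
            hits.append((base + i, target))
            i += 3
        else:
            i += 1
    return hits


# Constructed sample: a normal prologue, an obfuscated "call" to 0x401000,
# a nop, a short-form push/ret, and a genuine ret that must not be flagged.
SAMPLE = (b"\x55\x8B\xEC"               # push ebp; mov ebp, esp
          b"\x68\x00\x10\x40\x00\xC3"   # push 0x401000; ret
          b"\x90"                       # nop
          b"\x6A\xFF\xC3"               # push -1; ret
          b"\xC3")                      # ret

if __name__ == "__main__":
    for addr, target in find_push_ret(SAMPLE, base=0x400000):
        print(f"push+ret at {addr:#010x} -> {target:#010x}")
```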
The shellcode is decrypted before execution; the related code is shown in the following figure:
The shellcode is executed sequentially in multiple chunks: after one chunk finishes, it is re-encrypted before the next chunk is decrypted and executed, so only the chunk currently running is ever in plaintext. The related code is shown in the image below:
The shellcode is mainly responsible for retrieving the inner module from the resource section, decrypting it and loading it into memory; the related code is shown in the following figure:
The inner module again checks for a virtual machine environment, as shown in the following diagram:
It also adds itself to the Windows Firewall list of authorized applications by calling the Windows Firewall API; the related code is shown in the following image:
The module also copies itself to the "C:\Windows\AppPatch" directory and registers itself to start at boot for persistence, as shown in the following image:
After initialization, the module injects shellcode into a system process for execution, as shown in the following figure:
This shellcode is mainly responsible for loading the final malicious module into memory; the related code is shown in the following figure:
Inner malicious module
The malicious module uses a DGA (domain generation algorithm) to dynamically generate a large number of domain names. This defeats defenses based on static blacklists: such systems block malicious traffic by intercepting known malicious domains, but the attacker can register any of the generated domains at any time, and traditional signature-based defenses usually cannot react to dynamically generated domains in time. The malware can therefore keep communicating with its C2 server even if some of the domains are identified and blacklisted. The DGA is shown in the figure below:
During analysis, none of the domains in the partial list computed from the DGA resolved to a live C&C server, but it cannot be ruled out that these domains will be registered in the future, as shown in the following figure:
Once a C&C server address has been computed by the DGA, the module connects to it and executes the commands it issues.
load command
Downloads a malicious module from the C&C server and executes it; the related code is shown in the following figure:
kill_os command
Wipes the disk MBR and deletes critical registry keys, leaving the system unable to run; the related code is shown in the following image:
The malicious module injects itself into other processes, including system processes, browser processes and svchost.exe (the DNS cache service), to perform various malicious operations; the related code is shown in the following figure:
If it finds that it is running inside svchost.exe, it hooks DNS-related functions to perform DNS hijacking; the related code is shown in the following figure:
Taking the hook on DnsQuery_A as an example: when the victim visits an antivirus vendor's website, the request is hijacked to Google's website; the related code is shown in the following figure:
It monitors the victim's clipboard by hooking GetClipboardData, as shown in the following figure:
By hooking several third-party libraries that process signature files, it uploads any signature file it finds to the C&C server; the related code is shown in the following figure:
By hooking wininet.dll it records information about the web pages visited on the victim's computer; the related code is shown in the figure below:
This information is also filtered: if it contains login credentials or other specified information, it is recorded and uploaded to the C&C server. Taking the HttpSendRequestW function as an example, the related code is shown in the following figure:
Keylogging is implemented by hooking message-handling functions, as shown in the following figure:
Taking the hook on TranslateMessage as an example, the related code is shown in the following figure:
The virus also takes screenshots of the victim's screen; the related code is shown in the image below:
hash: