Osiris

Introduction

Osiris (not to be confused with the ransomware of the same name) is a banking trojan released in July 2018 and a descendant of the Kronos banking trojan. Like its predecessors, it steals credentials from victim computers.

Analysis

The sample is a 32-bit executable compiled with Microsoft Visual C++:

When started, the malware spawns wermgr.exe as a suspended process:

After spawning wermgr.exe, Osiris performs transacted hollowing, a hybrid of process hollowing and process doppelganging, to overwrite wermgr.exe with a malicious payload embedded in the malware.

Using transacted hollowing

The process calls the following APIs to create a transacted file at "%TEMP%\Liebert.tmp" and write the malicious payload into it before rolling the transaction back:

  • ZwCreateTransaction

  • RtlSetCurrentTransaction

  • ZwCreateFile

  • ZwWriteFile

  • ZwCreateSection

    • Allows the malicious payload to remain in memory

  • NtRollbackTransaction

    • Prevents the file from actually being created

Using these API calls, the malware loads its malicious payload into memory without writing it to disk, evading AV file scans.

When analysing the call to ZwWriteFile, I was able to find the payload that will be loaded:

Definitely an exe :D

From there, the malware makes the following calls to inject the exe into wermgr.exe and run it:

  • NtMapViewOfSection

    • Loads the payload into wermgr.exe

  • ZwProtectVirtualMemory

    • Set to RW before writing, then back to RX

  • NtWriteVirtualMemory

  • ZwResumeThread

    • Runs the payload

Interestingly, this malware does not call UnmapViewOfSection as most malware does when hollowing a process. Instead, it overwrites the first instruction of wermgr.exe's entry function with a jump to the malicious payload. After writing, it resumes the thread and the payload runs.
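The two API sequences above are the most reliable behavioural signature of this sample: a transaction that is rolled back after a section has been created from its file, followed by a section mapping and a thread resume in a different process. As an added example (not code from the write-up or from the malware), the following Python walks a per-process API trace and alerts only when every milestone occurs in that order. The trace format ("<pid> <api> [key=value ...]") and the trace lines themselves are constructed here for illustration; a real source would be an API monitor or ETW trace. PID 1234 mirrors the Osiris sequence and PID 4321 shows ordinary TxF use that commits instead of rolling back.

```python
import re
from collections import defaultdict

# Milestones of the transacted-hollowing sequence, in the order the write-up
# lists them, with the Nt/Zw prefix stripped so either spelling matches.
STAGES = (
    "createtransaction",
    "createfile",
    "writefile",
    "createsection",
    "rollbacktransaction",
    "mapviewofsection",   # must target a different process
    "resumethread",       # must target that same process
)

# Constructed trace in a hypothetical "<pid> <api> [key=value ...]" format.
SAMPLE_TRACE = r"""
1234 ZwCreateTransaction
1234 RtlSetCurrentTransaction
1234 ZwCreateFile path=C:\Users\victim\AppData\Local\Temp\Liebert.tmp
1234 ZwWriteFile
1234 ZwCreateSection
1234 NtRollbackTransaction
1234 NtMapViewOfSection target_pid=5678
1234 ZwProtectVirtualMemory target_pid=5678 prot=RW
1234 NtWriteVirtualMemory target_pid=5678
1234 ZwProtectVirtualMemory target_pid=5678 prot=RX
1234 ZwResumeThread target_pid=5678
4321 ZwCreateTransaction
4321 ZwCreateFile path=C:\db\journal.tmp
4321 ZwWriteFile
4321 NtCommitTransaction
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)(?P<rest>.*)$")


def normalize_api(name):
    """Lower-case and drop the Nt/Zw prefix so NtCreateSection == ZwCreateSection."""
    name = name.lower()
    if name.startswith(("nt", "zw")):
        name = name[2:]
    return name


def parse_line(line):
    """Return (pid, normalized api, {arg: value}) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return int(m.group("pid")), normalize_api(m.group("api")), args


def detect_transacted_hollowing(trace):
    """One alert per source process that completes every stage in order."""
    state = defaultdict(lambda: {"stage": 0, "path": None, "target": None})
    alerts = []
    for line in trace.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, api, args = parsed
        s = state[pid]
        if s["stage"] >= len(STAGES):
            continue  # already alerted on this process
        if api == "committransaction":
            # A committed transaction is ordinary TxF use, not the rollback trick.
            state[pid] = {"stage": 0, "path": None, "target": None}
            continue
        if api != STAGES[s["stage"]]:
            continue  # unrelated call (RtlSetCurrentTransaction, ProtectVirtualMemory, ...)
        if api == "createfile":
            s["path"] = args.get("path")
        elif api == "mapviewofsection":
            target = args.get("target_pid")
            if target is None or int(target) == pid:
                continue  # mapping into itself is not injection
            s["target"] = int(target)
        elif api == "resumethread" and int(args.get("target_pid", -1)) != s["target"]:
            continue  # resuming some other process does not complete the chain
        s["stage"] += 1
        if s["stage"] == len(STAGES):
            alerts.append({"pid": pid, "target_pid": s["target"], "staged_file": s["path"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_transacted_hollowing(SAMPLE_TRACE):
        print(alert)
```

Requiring the cross-process NtMapViewOfSection and a ZwResumeThread aimed at the same target keeps the rule from firing on legitimate transactional NTFS users, while the rollback stage is what separates this from plain process hollowing.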

Malicious Payload

The malicious payload is another 32-bit executable:

Based on entropy analysis, it is safe to say that the malware is definitely packed to oblivion:

bruh

The unpacking sequence is a convoluted mess which I will not go into. But the gist is, the malware undergoes a lot of XORing, DLLs are loaded dynamically via LoadLibraryA, and APIs are resolved via API hash resolving/GetProcAddress. After that, I decided to take a memory snapshot using IDA of the final payload and got the full unpacked malware! ;D

When the final payload runs, the program starts two threads, one for keylogging and another for the normal C2 table:

Key Activities

C2 via Tor

When searching strings found in the malware, the following URL is found:

The URL http://suzfjfguuis326qw[.]onion/kpanel/connect.php is an onion address, which means the C2 channel runs over Tor, making communication between the process and the C2 server more secure and the actual C2 server harder to track down.

Steal credentials from browsers

The malware can also read passwords stored in Google Chrome and Firefox. For Chrome it uses SQLite to retrieve the stored login information with a SQL query:

Getting the path to Chrome's password database
Copying the database to the current directory and reading it via a SQL query
Reading the values of the url, username and password columns

For Firefox, it locates the install directory and reads logins.json in that directory, extracting the saved passwords from there:

Reading the JSON file and extracting the encrypted usernames and passwords

From there it decrypts the usernames and passwords using a default key, since earlier versions of Firefox use a default key to encrypt all the information stored in saved logins.

The passwords are then saved to a file called "log" in the same directory as the malware.

Creating the log file before extracting passwords
Writing to the log file
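The credential theft described above leaves a simple host-side trace: a process that is not the browser reads Chrome's "Login Data" SQLite database or Firefox's logins.json, and (for Chrome) a copy of that database appears outside the browser profile before it is queried. As an added example (not code from the write-up), the Python below runs that rule over file-access events. The event format ("<pid>|<image>|<operation>|<target path>") and the events themselves are constructed for illustration; in practice they would come from Sysmon file events or an EDR. The per-store allowlist of browser images and the key4.db entry (Firefox's key database, which sits beside logins.json) are assumptions of this example.

```python
import ntpath

# Credential stores named in the write-up (Chrome's SQLite login database and
# Firefox's logins.json) plus Firefox's key database, mapped to the only
# image names expected to touch them. Assumed allowlist, tune per environment.
CREDENTIAL_STORES = {
    "login data": {"chrome.exe"},
    "logins.json": {"firefox.exe"},
    "key4.db": {"firefox.exe"},
}

# Constructed events in a hypothetical "<pid>|<image>|<operation>|<target>" format.
# PID 5678 is the hollowed wermgr.exe from the write-up.
SAMPLE_EVENTS = r"""
4012|C:\Program Files\Google\Chrome\Application\chrome.exe|read|C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data
5678|C:\Windows\System32\wermgr.exe|read|C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data
5678|C:\Windows\System32\wermgr.exe|create|C:\Users\victim\Downloads\Login Data
5678|C:\Windows\System32\wermgr.exe|read|C:\Users\victim\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\logins.json
5678|C:\Windows\System32\wermgr.exe|create|C:\Users\victim\Downloads\log
7001|C:\Program Files\Mozilla Firefox\firefox.exe|read|C:\Users\victim\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\logins.json
"""


def basename_lower(path):
    """Case-insensitive final path component, using Windows path rules on any host."""
    return ntpath.basename(path).lower()


def in_browser_profile(path):
    """True if the path lies inside a Chrome or Firefox profile directory."""
    p = path.lower()
    return "\\user data\\" in p or "\\mozilla\\firefox\\profiles\\" in p


def parse_event(line):
    """Return (pid, image, operation, target) or None for malformed lines."""
    parts = line.strip().split("|", 3)
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    pid, image, op, target = parts
    return int(pid), image, op.lower(), target


def detect_credential_store_access(events):
    """One alert per event that touches a credential store suspiciously."""
    alerts = []
    for line in events.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        pid, image, op, target = ev
        store = basename_lower(target)
        if store not in CREDENTIAL_STORES:
            continue
        proc = basename_lower(image)
        reasons = []
        if proc not in CREDENTIAL_STORES[store]:
            reasons.append(f"{op} of {store} by non-browser process {proc}")
        if op == "create" and not in_browser_profile(target):
            # The write-up's Chrome routine copies the database out of the profile first.
            reasons.append(f"{store} copied outside the browser profile")
        if reasons:
            alerts.append({"pid": pid, "image": proc, "store": store, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_store_access(SAMPLE_EVENTS):
        print(alert)
```

The image allowlist is deliberately strict: backup agents or password managers that legitimately read these files will need to be added, which is preferable to ignoring every non-browser access.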

Dropping exes and running them

The malware can download an exe from the C2 and execute it. This can be used for further exploitation of the victim by dropping ransomware or other malware to increase the damage done to the victim's computer.

VNC

When analyzing, I managed to find the following strings:

This implies that the malware uses VNC to provide the remote actor with a remote desktop, which lets them control the computer remotely and gather more information about the user.

Upon some digging, it can be deduced that the malware connects to the remote server on a port designated by the C2 server before connecting.

Keylogging

The malware also includes a keylogger that tracks keyboard activity per window, capturing sensitive information such as usernames and passwords that can be used to hijack the victim's accounts.

Setting the hook
Capturing keystrokes together with the current window title

Indicators of Compromise:

  • Hashes

    • MD5: 5E6764534B3A1E4D3ABACC4810B6985D

    • SHA1: F10AD287F126F577F197070453812A7E88C2CC52

    • SHA256: e7d3181ef643d77bb33fe328d1ea58f512b4f27c8e6ed71935a2e7548f2facc0

  • Files dropped:

    • %MALWAREDIR%\log

    • %MALWAREDIR%\%d.exe

  • Mutexes

    • Global{AD3EBBCA-D942-886C-AD3E-CABB824AEA00}

  • Network

    • http://suzfjfguuis326qw[.]onion/kpanel/connect.php
