Reversing the hijacked ua-parser-js’s malware payload (Danabot)

M C · 4 min read · Nov 1, 2021

The popular NPM package ua-parser-js gathers over 8 million downloads per week; it is used to detect the client’s machine information, including browser, OS, and more. On October 22, 2021, the package developer’s NPM account was hijacked and used to deploy malicious versions (0.7.29, 0.8.0, 1.0.0) of the package, resulting in a supply chain attack on systems that downloaded those versions. The payload is said to be a password-stealing trojan (DANABOT); it is downloaded and executed on the affected machines as create.dll.

See this article for more information about the whole behavior of the malicious versions of ua-parser-js.

As described in the BleepingComputer article, the password-stealing trojan create.dll is launched from the batch file (preinstall.bat) using the command “regsvr32.exe -s create.dll”; the -s switch prevents any messages from being shown.

Upon execution of the malware, it loads the necessary libraries (wshtcpip.dll, mswsock.dll, ws2_32.dll) for communication to its C&C server.

The malware code executes in the .rdata section, which is usually only used to store data such as strings. In this API call, it uses inet_addr to convert its C&C IP to the proper format.
It connects to its C&C server using the ws2_32’s “connect” function. Notice that the debugger was not able to determine that it is the connect function.
Jumping to the memory address specified by the call, it reveals the address of the true “connect” function.

These non-direct calls to API functions are one of its anti-analysis techniques to confuse debuggers.

The previous address is ws2_32.dll’s connect function.

It uses port 443 for its communications with the C&C server. The port and the C&C IP are stored in a sockaddr structure.

Encrypted Communications

After the connection with the C&C is established, it uses advapi32.dll functions for its encrypted communications.

The malware uses the following functions for its encryption:

CryptAcquireContext: Used to obtain access to a cryptographic service provider (CSP). In this function call, the CRYPT_VERIFYCONTEXT flag is set, which is usually used for “applications that are using ephemeral keys”. The cryptographic provider type is PROV_RSA_FULL. The output of this function is a handle to the CSP, which is then used to generate the session key in the CryptGenKey function.

CryptGenKey: Used to generate a public/private key pair. Returns the handle to the newly generated key.

It uses 0x00006610 (CALG_AES_256) as its encryption algorithm.

CryptExportKey: Exports the public/private key pair. The handle of the key pair is passed to this function, which returns the key BLOB data.

Output from CryptExportKey: the private key BLOB shows the magic number RSA2.

CryptDestroyKey: Releases the handle created by the CryptGenKey function.

CryptReleaseContext: Releases the handle to the CSP returned by the CryptAcquireContext function.

CryptEncrypt: Encrypts the data using the keys generated by the previous API calls.

The malware encrypts the newly generated RSA key with the CryptEncrypt function, using AES-256. This is possibly the session key used for C&C communications.

CryptCreateHash: Initiates hashing of data. Returns a handle to a CSP hash object.

The malware uses 0x00008003 (CALG_MD5) as its hashing algorithm.

CryptHashData: Computes the cryptographic hash over a stream of data. The handle from CryptCreateHash is passed to this function.

CryptDestroyHash: Destroys the handle created by CryptCreateHash.
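When an analyst dumps the buffer returned by CryptExportKey (or the arguments to CryptGenKey and CryptCreateHash) from memory, the first thing to recover is the BLOBHEADER: its bType tells you whether you are looking at an RSA key pair (magic RSA1/RSA2) or a raw or wrapped session key, and its ALG_ID field maps to the constants the post names (0x6610 = CALG_AES_256, 0x8003 = CALG_MD5). The parser below is an added example for that triage step, not code from the post or from the malware; the two sample BLOBs are constructed inline and are not values taken from Danabot.

```python
import struct

# ALG_ID values from wincrypt.h: the two the post names plus a few common ones
ALG_NAMES = {
    0x6610: "CALG_AES_256", 0x660F: "CALG_AES_192", 0x660E: "CALG_AES_128",
    0x6801: "CALG_RC4", 0x8003: "CALG_MD5", 0x8004: "CALG_SHA1",
    0xA400: "CALG_RSA_KEYX", 0x2400: "CALG_RSA_SIGN",
}
BLOB_TYPES = {0x1: "SIMPLEBLOB", 0x6: "PUBLICKEYBLOB",
              0x7: "PRIVATEKEYBLOB", 0x8: "PLAINTEXTKEYBLOB"}
RSA_MAGIC = {b"RSA1": "public key", b"RSA2": "private key"}


def parse_key_blob(blob: bytes) -> dict:
    """Decode the BLOBHEADER of a CryptExportKey output and the fields after it."""
    if len(blob) < 8:
        raise ValueError("too short for a BLOBHEADER")
    # BLOBHEADER: bType (BYTE), bVersion (BYTE), reserved (WORD), aiKeyAlg (ALG_ID)
    btype, bversion, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    info = {"blob_type": BLOB_TYPES.get(btype, f"unknown(0x{btype:x})"),
            "version": bversion, "alg": ALG_NAMES.get(alg, f"0x{alg:08x}")}
    if btype in (0x6, 0x7):
        # RSAPUBKEY follows: magic ("RSA1"/"RSA2"), bitlen, pubexp; then the modulus
        magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
        info.update(magic=magic.decode("ascii", "replace"),
                    key_kind=RSA_MAGIC.get(magic, "unknown"),
                    bitlen=bitlen, pubexp=pubexp,
                    modulus_present=len(blob) >= 20 + bitlen // 8)
    elif btype == 0x8:
        # PLAINTEXTKEYBLOB: DWORD key length, then the raw symmetric key bytes
        (keylen,) = struct.unpack_from("<I", blob, 8)
        info.update(key_len=keylen, key=blob[12:12 + keylen])
    elif btype == 0x1:
        # SIMPLEBLOB: ALG_ID of the key-exchange key, then the wrapped session key
        (kx_alg,) = struct.unpack_from("<I", blob, 8)
        info.update(kx_alg=ALG_NAMES.get(kx_alg, f"0x{kx_alg:08x}"),
                    enc_key_len=len(blob) - 12)
    return info


# Constructed samples (not from the malware): a 2048-bit RSA private-key BLOB
# header with a zeroed modulus, and a plaintext AES-256 key BLOB.
SAMPLE_RSA2 = struct.pack("<BBHI4sII", 0x7, 2, 0, 0xA400, b"RSA2", 2048, 65537) + b"\x00" * 256
SAMPLE_AES = struct.pack("<BBHII", 0x8, 2, 0, 0x6610, 32) + bytes(range(32))

if __name__ == "__main__":
    for sample in (SAMPLE_RSA2, SAMPLE_AES):
        print(parse_key_blob(sample))
```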

After its encryption and hashing routine, it communicates with the C&C server using ws2_32.dll functions:

It uses “send” to transmit the data below. It also uses this function to send the encrypted session key.
The malware’s transmissions always start with the byte 0x24 (“$”) followed by 0x01. This is the first transmission to the C&C server.

Although the pattern 0x24, 0x01 was found in its initial beaconing, the encrypted communications prevent intrusion detection systems from matching signatures against the malware traffic, as well as against the data being exfiltrated from the machine.

Other indicators that your machine ran create.dll malware:

A file named “Bynooty” in the C:\ProgramData folder.
