{"id":5617,"date":"2018-12-02T01:41:14","date_gmt":"2018-12-02T01:41:14","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=5617"},"modified":"2018-12-02T01:41:14","modified_gmt":"2018-12-02T01:41:14","slug":"beyond-good-ol-run-key-part-95","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2018\/12\/02\/beyond-good-ol-run-key-part-95\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 95"},"content":{"rendered":"<p>I recently read the ESET research paper on <a href=\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2018\/08\/Eset-Turla-Outlook-Backdoor.pdf\">Turla<\/a> [PDF warning].<\/p>\n<p>While reading it, I came across a description of Turla&#8217;s legacy persistence mechanism that requires the presence of The Bat! program on the infected system. While ESET&#8217;s paper claims Turla no longer uses this trick, I thought it would be a good idea to include a description of it in this series. Plus, I added one more trick as a bonus.<\/p>\n<p>For those who don&#8217;t know, The Bat! is a very popular email client. It is actively developed, and there are still many users that could be targeted by malware abusing this program&#8217;s plug-in framework.<\/p>\n<p>As per the ESET document:<\/p>\n<p style=\"padding-left: 30px;\">To register as a plugin for The Bat!, the malware was modifying the file %appdata%\\The Bat!\\Mail\\<br \/>\nTBPlugin.INI. This is the legitimate method to register a plugin for The Bat! 
and some plugins such<br \/>\nas anti-spam plugins also rely on it.<\/p>\n<p>The structure of TBPlugin.INI is pretty straightforward &#8211; it&#8217;s a standard Windows .ini file:<\/p>\n<pre>...\r\n[Plugins]\r\nCount=&lt;number&gt;\r\nPlugin #1=&lt;file name&gt;\r\nPlugin #2=&lt;file name&gt;\r\n...<\/pre>\n<p>The .ini file may include other sections, e.g.\u00a0[Plugin Data] and [AntiSpam].<\/p>\n<p>The default file extension for plugins is .tbp.<\/p>\n<p>The plug-in is a standard DLL module; to work properly, it needs to export some or all of the APIs listed below:<\/p>\n<ul>\n<li>TBP_Initialize<\/li>\n<li>TBP_Finalize<\/li>\n<li>TBP_GetName &#8211; MUST be exported\/present for a plug-in to work<\/li>\n<li>TBP_GetVersion<\/li>\n<li>TBP_GetStatus &#8211; MUST be exported\/present for a plug-in to work<\/li>\n<li>TBP_GetInfo<\/li>\n<li>TBP_NeedConfig<\/li>\n<li>TBP_Setup<\/li>\n<li>TBP_SetConfigData<\/li>\n<li>TBP_GetConfigData<\/li>\n<li>TBP_NeedCOM<\/li>\n<li>TBP_GetSpamScore<\/li>\n<li>TBP_FeedSpam<\/li>\n<li>TBP_GetMacroList<\/li>\n<li>TBP_ExecMacro<\/li>\n<li>TBP_SetLibEntryPoints<\/li>\n<li>TBP_NeedResave<\/li>\n<li>TBP_SetCoreBridge<\/li>\n<\/ul>\n<p>More information on how to write The Bat! plug-ins (including sample plug-ins) can be found <a href=\"https:\/\/www.ritlabs.com\/en\/products\/thebat\/plugin.php\">here<\/a>.<\/p>\n<p>In my tests I managed to execute a test DLL without any of the required APIs exported by my library. 
When I tried to add my plug-in manually, the program did load the DLL and executed its DllMain routine, but complained about it not being a properly working plug-in:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/12\/thebat2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-5620 size-full\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/12\/thebat2.png\" alt=\"\" width=\"452\" height=\"174\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/12\/thebat2.png 452w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/12\/thebat2-300x115.png 300w\" sizes=\"(max-width: 452px) 100vw, 452px\" \/><\/a><\/p>\n<p>This is expected behavior. Most plug-in frameworks relying on DLLs load them with a call to a LoadLibrary* API (which invokes DllMain), followed by a sequence of GetProcAddress calls to retrieve the plug-in interface pointers (the exported APIs).<\/p>\n<p>Such a &#8216;corrupted&#8217; plug-in DLL won&#8217;t survive manual configuration changes or updates to TBPlugin.INI made via the program&#8217;s Preferences dialog box, and it will immediately catch the attention of the user.<\/p>\n<p>BUT<\/p>\n<p>It still works. It&#8217;s a great lolbin opportunity.<\/p>\n<p>Looking at the documentation for developers, as well as checking the Preferences of the program, I noticed that apart from &#8216;standard&#8217; plug-ins, The Bat! 
supports another kind of plug-in: ones that provide antivirus functionality to scan files processed by this e-mail client.<\/p>\n<p>The web site I linked to earlier provides an example of a ClamAV plug-in (the F-Prot plug-in link is broken).<\/p>\n<p>One can add the AV plug-in via the Preferences dialog box:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/12\/thebat1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-5618\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/12\/thebat1-300x218.png\" alt=\"\" width=\"500\" height=\"363\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/12\/thebat1-300x218.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/12\/thebat1-768x558.png 768w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/12\/thebat1-222x160.png 222w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/12\/thebat1.png 800w\" sizes=\"(max-width: 500px) 100vw, 500px\" \/><\/a>&#8230;or by editing the %appdata%\\The Bat!\\Mail\\AVConfig.INI file directly. This .ini file is &#8216;dedicated&#8217; to hosting the configuration of the antivirus plug-ins. 
Its content looks like this:<\/p>\n<pre>...\r\n\r\n[Checkers]\r\nCount=&lt;number&gt;\r\nChecker #1=&lt;name&gt;.&lt;path&gt;\r\nChecker #2=&lt;name&gt;.&lt;path&gt;\r\n...<\/pre>\n<p>The antivirus plug-ins use the file extension .bav, and need to export some or all of the following APIs:<\/p>\n<ul>\n<li>BAV_Initialize<\/li>\n<li>BAV_Uninitialize<\/li>\n<li>BAV_ComNeeded<\/li>\n<li>BAV_GetName<\/li>\n<li>BAV_GetVersion<\/li>\n<li>BAV_ConfigNeeded<\/li>\n<li>BAV_Setup<\/li>\n<li>BAV_SetCfgData<\/li>\n<li>BAV_GetCfgData<\/li>\n<li>BAV_GetStatus &#8211; MUST be exported\/present for a plug-in to work<\/li>\n<li>BAV_MemoryChecking<\/li>\n<li>BAV_FileChecking<\/li>\n<li>BAV_StreamChecking &#8211; MUST be exported\/present for a plug-in to work<\/li>\n<li>BAV_CheckFile<\/li>\n<li>BAV_CureFile<\/li>\n<li>BAV_CheckMemory<\/li>\n<li>BAV_CureMemory<\/li>\n<li>BAV_CheckStream<\/li>\n<li>BAV_CureStream<\/li>\n<li>BAV_CheckStreamEx &#8211; MUST be exported\/present for a plug-in to work<\/li>\n<li>BAV_CureStreamEx &#8211; MUST be exported\/present for a plug-in to work<\/li>\n<\/ul>\n<p>The takeaway is that we have a few more forensic artifacts to look at if The Bat! is, or was, installed on the analyzed system(s):<\/p>\n<ul>\n<li>%appdata%\\The Bat!\\Mail\\TBPlugin.INI file<\/li>\n<li>%appdata%\\The Bat!\\Mail\\AVConfig.INI file<\/li>\n<li>*.tbp files<\/li>\n<li>*.bav files<\/li>\n<\/ul>\n<p>Why should we look at the .tbp and .bav files as well? A clever attacker could patch existing plug-ins (in a viral way).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I recently read the ESET research paper on Turla [PDF warning]. While reading it, I came across a description of Turla&#8217;s legacy persistence mechanism that requires the presence of The Bat! program on the infected system. 
While ESET&#8217;s paper claims Turla &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2018\/12\/02\/beyond-good-ol-run-key-part-95\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,35],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5617"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=5617"}],"version-history":[{"count":4,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5617\/revisions"}],"predecessor-version":[{"id":5623,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5617\/revisions\/5623"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=5617"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=5617"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=5617"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}