[email protected] (04) 3795 8282 - (04) 3795 8228 - 1800 556 864
.03 Dec



General information

MD5: 08e71118bad94617bf25a0d42db6a564

Filename: KBDUS.dll

The CMD CMDD monitoring system detected malicious code that took advantage of Unikey software to attack Vietnamese users. Unikey is Vietnamese typing software for Windows very popular in Vietnam. Taking advantage of this, an attacker could create unikey installers using the official UnikeyNT.exe file but insert it in the same malicious directory. and use many techniques to trick users into running (exploit, phishing ...). Therefore users should only download the official version of unikey from the website unikey.org nor open strange files with strange paths. Also update the vulnerability patches for Windows.



Technical analysis

In the case below, the file kbdus.dll (PE 32bit) containing malicious code has been inserted in the same directory as UnikeyNT.exe (version 4.0 RC2 Build 091101 NT). The attacker also changed the time attribute of the kbdus.dll file to the time of the UnikeyNT.exe file so that people could easily deceive the user. In fact, this file was compiled at the beginning of October 2019.



kbdus.dll is a library that will be loaded when the user uses the US keyboard layout (id 0x00000409). The attacker did an analysis of how Unikey works and realized when UnikeyNT.exe loaded the attached dll, UKhook40.dll, that would execute the LoadKeyboardLayoutA function to load the layout with id 0x00000409. Kbdus.dll will then load up. Because kbdus.dll is placed in the same directory as UnikeyNT.exe, this file will be loaded first, so it will execute malicious code contained in it.

At the DLL's DllMain function, the malicious code has created a new thread to execute its malicious behavior.

The malware created a mutex with the name "Global \ mFNXzY0g" to avoid overlapping execution. Malicious strings that are mostly used have been obfuscated with their own stackstring or encryption functions. The coding function here is simply set by adding the value of each character by 1 (for example, a hex "K" with a value of 0x4b will be encoded into 0x4c with the letter "L"). ). On ida pro you can use idapython to patch these characters. For stackstring, you can use ironstring.py's script flare-teamto simplify the analysis.

After creating and testing the mutex, the malicious code proceeds to read data from special registry keys. Most likely these keys are generated when the user executes an installation file prepared by the attacker. The first is the value "CB5JQLWSYQP2CWVRMJ8NB4CCUE1B8K4A" in the key "HKEY_CLASS_ROOT.kci \ PersistenHandler". This value will contain an envelope structure and xlm data. The information in the structure includes a number of values that the malware can check after decoding the data, such as the size of the xlm data before and after, the md5 data before and after it.

The decoded data is in xlm format, which will be maliciously read into a memory area via api in the xmllite.dll library.

The next value in the key "HKEY_CLASS_ROOT.kci \ PersistenHandler" is read as "F430D64D98E6EAC972380D568F080E08". It contains another data structure that also includes size and md5 information about the data in it. Based on this struct, the malicious code will decrypt to a different PE file with the decrypt method and check similar to the process of processing xml data.

This PE file is a dll named Knocker.dll and exported to the function named Construct, whose compile time is almost the same as the above kbdus.dll file. The malicious code loads the DLL into memory. Then the malicious code finds the address of the Construct function and executes it with the parameter is the address of the previously read data structure xml data.

Through APIs like VirtualAlloc, VirtualProtect, LoadLibrary, GetProcAddress, the PE file has been mapped to memory as a regular PE file. Before executing the Construct function, the malicious code also executes through the DllMain function in the dll to ensure the dll works properly.


Knocker.dll - Construct

At construct, the malicious code copies the data received from the parameter into another memory area, then begins collecting information about the user's computer. Information collected includes CPU, RAM, Windows information, computer name, organization, user information, language, timezone, network card, partition drive information and operating system installation.

The malware then generated a UUID in the key "HKEY_CLASS_ROOT.kci \ PersistenHandler". save 2 md5 values. The first value is generated from information about the user sid, username, and computer name. The second md5 information is based on cpu, ram, disk, network adapter values.

The malware continues to create a string to identify computers with the form "PC: %s; MAC: %s; SerVer: %f ”. This data will be in a struct that malicious code will encode in base64 form to send using GET method.

The request information sent to C&C has the form:

"Hxxp: //news.vnxahoi [.] Com: 443 / 4BwhFJ9p / job.php? [UUID] [data \ _in \ _base64]"

With user agent:

"Mozilla / 4.0 (compatible; MSIE 8.0; Win32)"

The enclosed header is:

"Content-Length: %d \ r \ nCache-Control: no-cache \ r \ nMD5: %s \ r \ nConnection: Close \ r \ n"

On the first connection, malicious code waits to receive a command to execute. And the second connection will be sent similar to the first with the purpose of reporting the execution of the command but using the POST and request methods to change with the format:

"Hxxp: //news.vnxahoi [.] Com: 443 / 4BwhFJ9p / job.php? [UUID] [create \ _process \ _sate]".

This is the final step in the execution of the malware. However, at the present time, the response is a 404 Not Found so the malicious code cannot continue to perform its other behaviors.


Information about c & c

Tested some information about the domain of c & c know the ip that this domain points to is 125 [.] 212.218.121.

Some other domains pointing to this ip are:

Assess the level of danger

This is an attack campaign that is well researched, very dangerous and hard to detect. Because unikey is a very popular text input method in Vietnam, it can be said that every Windows computer in Vietnam has Unikey installed. Attackers only need to drop the kbdus.dll file into the unikey folder to be able to exploit the victim's machine. It is recommended that users should carefully check the Unikey installation directory, remove the kbdus.dll file or use anti-malware products to protect their computers. CMDD of CMC has updated the malicious code kbdus.dll, users can download it at the following link: https://cmccybersecurity.com/cmc-antivirus-free/

Write a post