Insights and Research

Frenchy – Shellcode in the Wild

For the past few months, the Zscaler ThreatLabZ research team has seen a number of AutoIt and .NET samples from different malware families using what is being called Frenchy shellcode. The name is so given because of the mutex name it creates: frenchy_shellcode_{version}. In this blog, we will provide a brief analysis of a .NET sample using the Frenchy shellcode and also provide an overview of various malware types that are using it.

As the execution of the malware begins, it extracts an embedded compressed resource with the name asmz://4da3bcc9092d2b15c67c8bb6a3248c6d/279552/z. When decompressed, this resource turns out to be a dynamic-link library (DLL) file, which is also .NET compiled with the MD5 2d80d567add3e9ebe93118c28fd96ad8.

Figure 1: Decompression routine
 

 Figure 2: Compressed resource name stored in the variable

Control is transferred to this extracted DLL by invoking one of its routines named Average().

Figure 3: Average() function invoked in the extracted DLL

During execution, this DLL extracts the embedded AES-encrypted resource with the name 501Yek31KYThe AES key used for decryption is hardcoded with the value zlauDo4j2s76f3bAu7vJla9qxo4T9fDA. On decryption, the file turns out to be another .NET compiled executable with the MD5 9f93df82804d1467ba0096f91ecf091b.
 

  • When execution begins, the executable performs two checks for virtual environment detection and terminates itself if either of the two is successful:

                1. If SbieDll.dll is present

                2. If the caption of the main window of any of the running process is empty
 

  • For persistence, it creates a copy of itself in the %APPDATA%/Tasks/ folder with the name ThumbnailExtractionHost.exe, a VBS file with the name vTzzHA5v.vbs in the same folder to invoke ThumbnailExtractionHost.exe and a URL file in the startup directory with the name 89f429NZ.url to invoke vTzzHA5v.vbs.
  • Finally, the Frenchy shellcode and the main malware binary are extracted. This executable contains two resources encrypted with Advanced Encryption Standard (AES). One resource with the name 9BMPzLT7ztLkxO7r contains the Frenchy shellcode and another with the name HC8354RuK8FCQSpg contains the main malware binary.

 

Figure 4: AES encrypted resource – malware payload
 

Figure 5: Extracted main malware payload [MD5: ac8ef8b4aeede1adab7366ca7e5a75be (AgentTesla)]
 

Figure 6: AES encrypted resource – Frenchy shellcode
 

Figure 7: Extracted Frenchy shellcode [MD5: abdb5f121849f3f3718768d37abe0173]

Memory is allocated for the shellcode and main payload. Control is transferred to the Frenchy shellcode by creating a delegate using its memory location pointer along with two arguments:
 

  1. Currently executing binary full path 
  2. Pointer to memory location of main payload

Figure 8: Control transferred to Frenchy shellcode memory location

 

Frenchy Shellcode Analysis

The main functionality of the shellcode is to perform hollow process injection, which injects malicious code in system memory. Execution of the shellcode starts with a relative jump instruction with the two arguments passed to the shellcode available on the stack.

Following the jump instruction, all the strings that will be used by the shellcode are generated on the stack. The interesting thing that this shellcode does is map all the required DLL again in the memory and make further calls via these newly loaded DLLs. This function helps bypass API monitoring that is done by some sandboxes in the user space. Four DLLs, namely advapi32.dll, ntdll.dll, user32.dll, and kerne32.dll, are mapped using the ZwOpenSection and ZwMapViewOfSection APIs. The DLL name used for ZwOpenSection is in the following format: \\KnownDlls32\\{dll_name}.dll.

Once the kernel32.dll is loaded, Frenchy shellcode extracts the address of LoadLibrary and GetProcAddress to load further required DLLs and extract necessary API addresses.

Now, when this initialization phase is complete, the shellcode’s main functionality begins. First, it creates the mutex with the name frenchy _shellcode_{version} where {version} is 002 in this case.
 

Figure 9: Frenchy shellcode version 002

Frenchy shellcode creates a process of currently executing binary in suspended mode.

Figure 10: Creating new process in suspended mode

It creates a new section to be shared with the newly created process.

Figure 11: Shared section

Finally, the shellcode maps the view of this section into a newly created process, copies the main malware payload to this mapped view, modifies and sets the context of the newly created process, and starts the process main thread by calling NtResumeThread.
 

Malware variants using the Frenchy shellcode:

Win32.Backdoor.404Keylogger                       6a8a308fd9d93877405edddaca2dc0b1

Win32.Backdoor.AgentTesla                           ff87170119ffe5da1a9933eac4813e89

Win32.Backdoor.AysncRAT                            4e0620db87741809db739b36d493efd3

Win32.Backdoor.DarkComet                          aca05d97aa34360a18ce7e4a331195b8

Win32.Backdoor.HawkEye                             c1da6168e4ce782169295858057d6a82

Win32.Backdoor.Keybase                              db5fe533c78602a3d4e5a2a307782855

Win32.Backdoor.LimeRat                               7f3b73f4680cd45b2f06cd991c26b60a

Win32.Backdoor.Nanocore                             d18509eb899f634f579e154b226c1f72

Win32.Backdoor.NetWiredRC                        2d1ed53e7af0864f0916a4ce4f5e40b7

Win32.Backdoor.NjRat                                   a7b38bf292212efd6c0bf11060483b19

Win32.Backdoor.NjRatLime                           88c674e2dcd55b5e8672c1a063d06fd4

Win32.Backdoor.PhoenixKeylogger               382609b2a5c90f287b466f55911238d2

Win32.Backdoor.PredatorLogger                   16cbd896990793871fd3fd7bcd23cf1a

Win32.Backdoor.QuasarRAT                         db07aca234c3f12a141760cfc6a46e0e

Win32.Backdoor.RemcosRAT                        4ef1c56657d74aa09d77573273f99750

Win32.PWS.AZORult                                     6e33a3075b667eab19647f1d149a510f

Win32.PWS.FormBook                                  6e685961cc335b33d05e6415700fcf96

Win32.Ransom.Adame                                  20716b0abbf051ec151fecc0cc957145

Win32.Ransom.Phobos                                  0e1b676f95c0e51163178ffdd99817c8

Win32.Trojan.APT33                                      9aa2f7959f31196f6c5aa37ae3c5a2ae

 

Conclusion

Zscaler ThreatLabZ is actively tracking this mode of delivery and malware families involved to ensure coverage for Zscaler customers.

 

 

Stay up to date with the latest digital transformation tips and news.

By clicking the submit button, you are agreeing to our privacy policy.