Researchers at LevelBlue Labs have recently identified a sophisticated new tactic employed by threat actors to exploit legitimate anti-virus software for nefarious purposes. This method involves a tool known as SbaProxy, which cleverly disguises itself as a legitimate anti-virus component, enabling it to establish proxy connections through a command and control (C&C) server.
SbaProxy represents an advanced addition to the arsenal of cybercriminals, capable of creating proxy connections that can be monetized. Its distribution occurs in various formats, including DLLs, EXEs, and PowerShell scripts, making it particularly challenging to detect due to its seemingly legitimate appearance and intricate design.
In a striking development, these threat actors have begun modifying authentic anti-virus binaries to serve malicious ends while maintaining their guise as benign software. This tactic complicates detection, as the altered binaries are often signed with certificates that are valid, or that appear valid, allowing them to slip past security checks. Notable anti-virus products targeted in this campaign include Malwarebytes, BitDefender, and APEX products.
One example of this deception involves a certificate with the thumbprint “DCB42EF087633803CD17C0CD6C491D522B8A2A”, issued to “STERLING LIMITED”. This certificate remains valid and has been used to sign several samples associated with the current campaign, suggesting that the threat actor acquired it to facilitate their operations, as the issuance date aligns with the campaign timeline.
Technical Analysis
LevelBlue Labs first detected suspicious activities stemming from what appeared to be legitimate anti-virus binaries in early June. Further investigation linked this activity to a new tool associated with a campaign previously reported by Sophos in late April, marking a notable evolution in the threat actor's toolkit.
During the analysis, a sample masquerading as a BitDefender logging DLL was scrutinized. The exported functions in this malicious DLL mirrored those of the original DLL, with the exception of one altered function, ‘LogSetMode’. This function was modified to include a jmp instruction redirecting to another address that decrypts and executes a bundled XOR-encrypted shellcode.
The payload decryption function employs a convoluted loop that redundantly sets several local variables to a hardcoded value, repeating this action 448,840 times. This rudimentary technique serves to bypass detection methods reliant on emulation.
Upon completion of the loop, the code checks the value of one of the set variables, crashing if it does not meet expectations. Subsequently, it allocates memory for the payload, decrypts it using a hardcoded multi-byte XOR key, and executes the payload.
The initial communication with the C&C server consists of a series of calls to the ‘send’ function, each transmitting all-zero content, with lengths of 16, 4, and 0 bytes respectively. This sequence likely acts as a magic number, ensuring that the C&C server responds only to the malicious client. After this series of sends, the client receives 16 bytes from the C&C and returns them over a new socket. Repeating this loop allows multiple connections to be active in parallel.
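The handshake above, turned into a stream-level detector as an added example (not code from LevelBlue Labs or from the analysed sample): it flags a connection that opens with the all-zero 16- and 4-byte sends and receives a 16-byte reply, then links any second connection that opens by echoing that reply. Stream labels, the token bytes and the sample payloads are constructed.

```python
from typing import Dict, List, Tuple

Segment = Tuple[str, bytes]  # (direction "c2s" | "s2c", payload) of one reconstructed TCP stream

# The client opens with all-zero sends of 16 and 4 bytes; the 0-byte send leaves
# nothing on the wire, so 20 zero bytes are what a sensor can actually observe.
MAGIC = b"\x00" * (16 + 4)
TOKEN_LEN = 16  # size of the C&C reply that the client echoes over a new socket


def client_prefix(stream: List[Segment]) -> bytes:
    """Bytes the client sends before the server first replies. TCP may coalesce
    the 16- and 4-byte sends, so bytes are compared rather than segment counts."""
    out = b""
    for direction, payload in stream:
        if direction == "s2c":
            break
        out += payload
    return out


def first_server_reply(stream: List[Segment]) -> bytes:
    """First server->client payload, or b'' if the server never answered."""
    return next((p for d, p in stream if d == "s2c"), b"")


def is_handshake(stream: List[Segment]) -> bool:
    """True if the stream opens with the zero magic and receives a 16-byte token."""
    return client_prefix(stream) == MAGIC and len(first_server_reply(stream)) == TOKEN_LEN


def correlate(streams: Dict[str, List[Segment]]) -> Dict[str, str]:
    """Map each stream that opens by echoing a token to the handshake stream that
    received it, tying the parallel proxy channels back to their C&C handshake."""
    tokens = {first_server_reply(s): k for k, s in streams.items() if is_handshake(s)}
    links: Dict[str, str] = {}
    for key, stream in streams.items():
        opening = client_prefix(stream)[:TOKEN_LEN]
        if not is_handshake(stream) and len(opening) == TOKEN_LEN and opening in tokens:
            links[key] = tokens[opening]
    return links


# Constructed sample streams; addresses, token bytes and payloads are made up.
TOKEN = bytes(range(16))
SAMPLE_STREAMS: Dict[str, List[Segment]] = {
    "10.0.0.5:50001>203.0.113.9:443": [("c2s", b"\x00" * 16), ("c2s", b"\x00" * 4), ("s2c", TOKEN)],
    "10.0.0.5:50002>203.0.113.9:443": [("c2s", TOKEN), ("c2s", b"GET / HTTP/1.1\r\n")],
    "10.0.0.5:50003>198.51.100.7:443": [("c2s", b"\x16\x03\x01\x00\x05hello"), ("s2c", b"\x16\x03\x03")],
}
```

Twenty leading zero bytes is a weak signal on its own; the echo of the 16-byte token across a second connection from the same host is what ties the streams to this behaviour.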
By hijacking legitimate anti-virus software, these attackers effectively evade detection, utilizing valid certificates and crafting malicious binaries that closely resemble legitimate software. This sophisticated approach underscores the evolving nature of cyber threats and highlights the importance of continuous vigilance and advanced detection techniques in cybersecurity.