Post 0x03: Reverse Engineering CannibalRAT

Today we will be reversing some compiled Python malware – which in my opinion is one of the easiest things to reverse back into understandable code. We will be using IDA Pro (The free version – version 5), UPX, PEStudio, Python and a Python module called “Uncompyle6” which allows us to convert .pyc byte code to a python script.

Background:

This particular RAT is written in Python and compiled with Py2Exe – which wraps Python scripts into a standalone executable. The executable also wraps the Python27.dll, hence the large file sizes. The version that I have obtained is version 4, and it has been crafted to look like a .PDF file, but as you can see in the properties below, it is an executable.

According to Cisco’s Talos Intelligence Group, it has been targeting users of a Brazilian Public Sector Management School, and is named “CannibalRAT” due to the authors stealing code from other malware and using it in their RAT.

CannibalRAT is capable of stealing credentials from Chrome, Outlook and any stored Network details. It can screenshot, grab information such as the Operating System, CPU, Memory, Hostnames and Usernames, download and upload files (as well as execute them) and Zip/UnZip files. The version that I had was also packed with UPX.

Reversing Time:

First I will be opening the fake PDF file up in IDA pro, to get a brief overview of the file and to see whether or not it is packed.

As you can see, IDA is able to determine that this file is packed with UPX, which is simple to unpack. You can download UPX from here, it is free and allows you to pack/unpack executable’s. I will be unpacking it on Ubuntu, as it is already installed. All it takes to unpack it is to type in “upx -d *file name*”, and if the file is packed by UPX, it will unpack it.

Now we can put it back into IDA, and you will see there is a much bigger difference compared to the original file. The file is much more readable, and we can see several mentions to Python modules, and the Python DLL. Now we are sure that this is written in Python, we can check the resources of the file to see if it is compiled with Py2Exe or PyInstaller.

I open the executable in a program called PEStudio, which allows you to analyse the properties of the file in depth – including the Resources. You can download PEStudio from here. Instantly, you can see that there is a DLL and a Python Script in the resources, which tells us this particular RAT is compiled with Py2Exe. The DLL file is the Python 2.7 DLL, which is required to run Python. We are more interested in the PYTHONSCRIPT, which contains the byte code of the original script.

Right click the PYTHONSCRIPT resource and click dump (RAW) and save it somewhere. We will be utilizing this file to extract the plain text script.

The text stored in the dump file.

This is the script I will be using to extract the .pyc files from the dump file.

Code:

import marshal, imp

def main():
    f = open("Script.dump", "rb")
    print "[*] Opened!"
    f.seek(17)
    print "[*] Skipped over header!"
    
    unmarshal = marshal.load(f)

    for i in range(0, len(unmarshal)):
        open(str(i) + ".pyc", "wb").write(imp.get_magic()  + '\0' * 4 + marshal.dumps(unmarshal[i]))
    f.close()
    print "[*] Extracted Payload!"

if __name__ == "__main__":
    main()

Make sure you replace “Script.dump” with the name of your dump file.

Once you have run the script, you should see three .pyc files (for this sample anyway). This contains the unmarshaled, necessary byte code in order to reconstruct the script.

You have to install a module called uncompyle6 in order to reconstruct the payload, so in the console type in “pip install uncompyle6“. It will also download any required dependencies.

Now you are ready to use uncompyle6 to decompile the byte code back into three Python scripts. For each of the .pyc files, type in: “uncompyle6 -o *.py *.pyc“, where the * represents the filename.

Now you have the decompiled, original Python script! You can search through the code to find its features, any C2 servers it is calling out to, and how it persists on a system – if it even does.

If you want to analyse this particular sample, feel free to contact me at 0verfl0w33@protonmail.com, and I will make sure to get back to you ASAP.

MD5 of Sample: 8f5567e160e59e9f1d3d26be83333861

VT Scan: 25/67

Leave a Reply

Your email address will not be published. Required fields are marked *