Thursday 9 October 2014

Andromeda - Vulnerabilities and Enumeration

Andromeda has been around for quite some time and is a well known loader capable of both formgrabbing and keylogging. The bot has been well documented on several blogs around the web, however, I've not seen anyone taking a closer look at the panel source code, so when I stumbled upon the latest version of the panel I decided to take a look to see if there is anything useful in terms of vulnerabilities.

I was able to acquire logs during one of my investigations which illustrate how Andromeda is sold to buyers and how the panel is acquired. It is sold through an automated system; the commands available to a buyer are shown below:
[Image: Available commands for buyers]

Admin panel

The panel comes in a password-protected RAR archive which holds:
[Image: Andromeda Panel]
Check out this post by @kafeine on how the panel looks in general; this post focuses mostly on the source code and functionality.

Starting from the top with adm.php, the file is packed:

After unpacking and formatting, what remains is a layer of string obfuscation, as shown in the extract:
[Image: Unpacked code with obfuscated strings]
The strings are decoded using the function below, where the first parameter is the encoded string and the second is the key:
[Image: Function for decoding strings]

Using that same function together with some PHP "preg_match magic", the code ends up much more readable.

PHP Code Injection (requires credentials)

One function that stood out in the code was SaveSettings:

[Image: SaveSettings to config (note: syntax is somewhat off)]
The settings are written directly to the config file without any checks for malformed content in the actual values. No validation is done in the code that calls the function either, which opens up for PHP code injection by anyone holding panel credentials.

[Image: Writing PHP code to config]
[Image: Executing commands through config.php]

Cross Site Scripting (requires credentials)

As it is possible to add tasks which are then listed in the panel, the code for adding them reveals that no validation is done, so for example JavaScript and HTML can be injected:
[Image: Code for adding tasks to database]
By leveraging the URL field, whatever code is injected will be executed when the task list is viewed.

[Image: JavaScript saved in the URL field]
[Image: Result of the JavaScript while viewing the task list]

Command Enumeration (requires RC4 key)

Having established two vulnerabilities in the admin panel, the same type of code (obfuscation and naming convention) is also found in the gate (gate.php). Since Andromeda has no file-upload functionality, it is not possible to remotely upload files, as was the case with the ZeuS remote update vulnerability.

However, it is possible to communicate with the panel to retrieve commands and to submit data in the form of keylogs and grabbed forms, provided the RC4 key is known. The key can be acquired through debugging (out of scope for this post).

[Image: Code for parsing data from POST request]
The format used for a regular check-in is id:%lu|bid:%lu|os:%lu|a:%lu|rg:%lu; more can be found by analyzing the binary (out of scope for this post). If the data is encrypted with the correct key and posted to the panel, the panel responds with HTTP 200 OK and, if tasks have been configured, encrypted data.

The response is encrypted using the bot id as key.

If the wrong key is used to encrypt the data, or the data is malformed, the panel returns an HTTP 404 response.

Python makes it easy to automate all of this and enumerate commands from an existing server [script]:
[Image: Script for enumerating commands from panel]

Uploading keylogs and formgrabs is done by appending fg: or kl: followed by the base64-encoded logs to the above format. Each grabbed form and each keylog is delimited by 0x01, and the values within each log are delimited by 0x02 (for example user-agent, cookie and URL for grabbed forms).
[Image: Code for parsing uploaded logs]
An example of the formatting for keylogs before base64 encoding:
\x01<keylog>\x02<process caption>\x02<process name>\x01

and for grabbed forms:
\x01<cookie>\x02<form data>\x02<user-agent>\x02<URL>\x01
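As an added example (not the post's script or the panel's code), here is a Python parser for a decrypted check-in body using the formats above, the kind of thing useful when analysing captured bot traffic or emulating the gate in a sandbox. It assumes the kl:/fg: fields are appended as extra '|'-separated fields, and the sample body is constructed, not captured.

```python
import base64

# Field names of the plain check-in format id:%lu|bid:%lu|os:%lu|a:%lu|rg:%lu
NUMERIC_FIELDS = ("id", "bid", "os", "a", "rg")
# Value names per record, in delimiter (0x02) order, for keylogs and grabbed forms
LOG_FIELDS = {
    "kl": ("keylog", "process_caption", "process_name"),
    "fg": ("cookie", "form_data", "user_agent", "url"),
}


def parse_checkin(body: bytes) -> dict:
    """Parse a decrypted Andromeda-style check-in body (assumed '|'-separated).
    Numeric fields become ints; kl:/fg: blobs are base64-decoded, split into
    records on 0x01 and into values on 0x02. Malformed input raises ValueError."""
    result = {"logs": {"kl": [], "fg": []}}
    for field in body.split(b"|"):
        key, sep, value = field.partition(b":")
        if not sep:
            raise ValueError(f"malformed field: {field!r}")
        name = key.decode("ascii")
        if name in NUMERIC_FIELDS:
            result[name] = int(value)          # %lu -> unsigned decimal
        elif name in LOG_FIELDS:
            raw = base64.b64decode(value, validate=True)
            for record in raw.split(b"\x01"):
                if not record:
                    continue                   # leading/trailing 0x01 delimiters
                values = record.split(b"\x02")
                names = LOG_FIELDS[name]
                if len(values) != len(names):
                    raise ValueError(f"{name} record has {len(values)} values, expected {len(names)}")
                decoded = (v.decode("utf-8", "replace") for v in values)
                result["logs"][name].append(dict(zip(names, decoded)))
        else:
            raise ValueError(f"unknown field: {name}")
    return result


def build_sample() -> bytes:
    """Constructed sample body (not real traffic): one keylog and one grabbed form."""
    kl = b"\x01hello\x02Untitled - Notepad\x02notepad.exe\x01"
    fg = b"\x01sid=abc\x02user=test&pw=test\x02Mozilla/5.0\x02https://example.invalid/login\x01"
    return (b"id:1|bid:2|os:3|a:4|rg:5|kl:" + base64.b64encode(kl)
            + b"|fg:" + base64.b64encode(fg))


if __name__ == "__main__":
    print(parse_checkin(build_sample()))
```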

The posted data does not execute in the panel, as it is escaped on output, but it does make it possible to leave a message for the actor(s) running the panel.


Vulnerabilities might very well exist in more places, but the ones described here already enable, for example, researchers to battle malware and malware campaigns.

By enumerating commands from the panel, it is possible to track the actors' steps by downloading the malware and plugins that the bot is intended to download.

It is also possible to leave a message in the form of keylogs and formgrabs to let the actor(s) know that they are under observation.
