Malware authors are constantly coming up with innovative mechanisms to persist their malware infections. One of the more creative samples I have come across recently would be Troj/FRuWL-Gen, which attempts a number of different tactics to remain unnoticed while resident on an infected machine. Overall, this malware is nothing more than a dropper that installs an additional Trojan on the infected machine before deleting itself — a pretty typical malware installation pattern — but the techniques used to accomplish this simple goal are intriguing.
First off, Troj/FRuWL-Gen is a DLL with an entry point RVA of zero, so you might be inclined to think it is one of your basic resource-only DLLs — think again. This DLL has two exported functions, one of which contains the malicious dropper logic, and the other contains logic to check if the dropped component is installed. Moreover, unlike a normal DLL function export address which points directly to the function’s code, the exported dropper function address instead points to yet another address which leads to the actual dropper code. This adds yet another layer of obfuscation for the use of the DLL to potentially thwart some analysis tools.
But it is the mechanism to persist the dropped infection that is most interesting. Rather than creating another file on disk, the dropper logic writes an entire PE file into the registry. The executable is stored under the key HKLM\SOFTWARE\Licenses with a randomly generated entry name. You can spot the start of the ‘MZ’ header in the following image.
The ingenuity continues with the mechanism to execute the malicious code that waits patiently in the registry. Still motivated to avoid creating any new files, Troj/FRuWL-Gen disables the Windows System File Checker (sfc.dll) and patches kernel32.dll to run the malicious code on load — which will be whenever any process is started — nice. Notice the convenient jump-to-the-malicious-code instruction prepended in the registry data (image above) and the use of the call instruction to get the randomly generated key name onto the stack as written inline during the patching of the kernel32.dll (image below).
Rest assured this patched version of kernel32.dll is detected as Troj/KernelHk-A, which defeats this run-around attempt to persist the malware infection.
The authors of this malware are clearly skilled at assembly programming — thus it comes as no surprising that we have seen this packaged with other complex malware including W32/Scribble-B, and W32/Vetor-A. But unlike the sexy Waled spam campaigns we have seen recently, with these clear ties to Russian malware and the espionage undertones of DLL-injection into every running process, Troj/FRuWL-Gen is clearly “From Russia without Love”.