Malware Analysis for ELF Files: Hakai Variant | Case Study - Intezer

Intezer Analyze™ ELF Support Release: Hakai Variant Case Study

Written by and

    First Name
    Last Name
    Job Title
    Company
    Email
    Country

    Join our free community
    Get started
    Share Article
    FacebookTwitterLinkedIn

    Top Blogs

    ELF SUPPORT

    We would like to proudly announce that Intezer Analyze™ now supports genetic malware analysis for ELF binaries! You may now upload ELF files to our system and find code reuse. We have already indexed the genes of millions of different files into our ELF genome database, classified into both malicious, trusted, and neutral (libraries) software. The support extends to ELF binaries that have been compiled in either the x86 or x86_64 architectures.

    INTEZER ANALYZE™ ELF FEATURES

    Here are the features that are currently available for ELF files:

    • Code Reuse
    • View Related Samples
    • String Reuse
    • View Shared Code / Unique Code
    • Vaccination (Enterprise)
    • IDA Plugin (Enterprise)

    VAST WORLD OF ELF MALWARE

    A lot of malware created for Linux flies completely under the radar when it comes to detection. There are many different types of malware we have seen, from cryptominers to APTs, and much more to be discovered. We would like to show you an example of an ELF analysis in our system by using Hakai (based off Mirai) and its direct variants.

    VAST WORLD OF ELF MALWARE

    https://analyze.intezer.com/#/analyses/10cf5913-9b2d-455b-9187-14115b9dff4f

    If we dive in to the related Hakai sample, we can see an evolution of code from other variants.

    VAST WORLD OF ELF MALWARE

    https://analyze.intezer.com/#/analyses/10cf5913-9b2d-455b-9187-14115b9dff4f/families/0b5c90cf-e2ed-4247-b3b7-418465e73c5e

    HAKAI VARIANTS: KENJIRO & IZUKU

    We would like to demonstrate an example of malware that shows how useful looking for code reuse is by showcasing variants off Hakai with low detections on VirusTotal, Kenjiro (6/60), and Izuku (7/60). According to Intezer Analyze™, the code base is almost exactly the same for both Kenjiro and Izuku, but the C&Cs are different and also the strings the malware seems to use to name itself.

    VAST WORLD OF ELF MALWARE

    We decided to dive a bit deeper to see the small changes in the code. After further investigation, we could see Kenjiro seems to be an upgraded version of Izuku. One of the differences between Kenjiro and Izuku is that it changes its UDP flood algorithm to add some randomization to the buffer, where Izuku’s flood algorithm uses the same string.

    UDP flood algorithm

    We can also see in the code that these Hakai variants use 4 exploits to spread:

    TRY IT OUT

    We invite you to try out our new support of ELF binaries by registering to our free community edition of Intezer Analyze™. We are still working on adding more data to our system in order to give you better results on your upload. Stay tuned for new features and blog posts that will include future ELF malware research!

    IoCs

    Kenjiro        8917934e6fa901f22b58fd7424a45f50b5a89f9daa871a69b45d6a39191c9f1b

    Izuku 03a6f848b05d27bfbe8360c3c9ecd2cd9aa33d43702186c62c4a115e23383983

    Hakai Variants:

    16eb66ebe74931e637d856b2189714fc3e25baf8af5ba41bb75f976ca56ee307

    4a6ee70c3952092d41ef89f0d0910015c00b026a84c07eff1fbcda1a0a00fb1c

    0f5b814308193064bc4ece4266def5c1baecc491117f07650c5117762648d4c5

    721da99e8789cdcb73db87353e2be7b82c9158e2929b9eaa7d5b4660b6d4d1e2

    C&Cs:

    46[.]166[.]185[.]42

    77[.]87[.]77[.]250

    178[.]128[.]185[.]250

    148[.]72[.]176[.]78

    hakaiboatnet[.]pw

    Jay Rosenberg

    Ignacio Sanmillan

    Nacho is a security researcher specializing in reverse engineering and malware analysis. Nacho plays a key role in Intezer\'s malware hunting and investigation operations, analyzing and documenting new undetected threats. Some of his latest research involves detecting new Linux malware and finding links between different threat actors. Nacho is an adept ELF researcher, having written numerous papers and conducting projects implementing state-of-the-art obfuscation and anti-analysis techniques in the ELF file format.

    © Intezer.com 2021 All rights reserved