In April of 2016, the Russian APT threat actor Fancy Bear successfully penetrated the network at the Democratic National Committee (DNC). This was apparently the second time a Russian threat actor had done so. According to CrowdStrike, a different Russian threat actor named Cozy Bear had also compromised the DNC network back in the summer of 2015. CrowdStrike was hired by the DNC to provide forensics and recovery services after DNC employees began to receive popups warning them of a potential compromise of their Yahoo accounts.
Figure 1: Screenshot from Wikileaks showing popup from Yahoo warning of likely compromise of account.
CrowdStrike released the hashes of binaries found for both the Cozy Bear and the Fancy Bear breaches. In this post we discuss the capabilities of the Fancy Bear XTunnel binary, which posed as a file called “vmupgradehelper.exe.” Its MD5 is 9e7053a4b6c9081220a694ec93211b4e, and you can view its capabilities online here.
Invincea uses its DARPA-funded deep learning to automatically analyze and extract known capabilities of malware based on matching strings to StackOverflow definitions, and where possible, cluster them into related families of malware based on similarities of design and function. The XTunnel malware used by Russian threat actor Fancy Bear did not cluster with other known malware, meaning this binary was likely a purpose-built original piece of code to be used specifically against the DNC. However, while it may not cluster, it certainly does list its capabilities.
Figure 2: Screenshot of Invincea Deep Learning Feature Extraction of XTunnel Malware used by Fancy Bear
Having VPN-style capabilities, the XTunnel tool of course uses encryption: it exchanges SSH keys, uses private encryption keys, compresses and decompresses data, and so on. However, the remaining functionality and configurability of the XTunnel tool spelled doom for the DNC. The tool supports access to locally stored passwords and can even access the LDAP server. It is modular, so it can download additional files, probe the network for open ports, PING hosts, and send and receive emails.
Invincea’s deep learning feature extraction, which matches strings to StackOverflow definitions and sorts the results by confidence, showed additional capabilities of the XTunnel malware. It should be noted that many legitimate programs also share the capabilities of the binary below.
The binary seems to be able to hook into system drivers, access the local LDAP server, access local passwords, use SSH, OpenSSL, search and replace local files, and of course be able to maintain a persistent connection to a pre-specified IP address, even if the host is behind a NATed firewall. It also seems to be able to monitor keyboard and mouse movements and perhaps even access the webcam and USB drives. That is a lot of capabilities packed into a file that is less than 2 MB in size.
Most modern malware uses obfuscation techniques such as packing or encryption to hide such capabilities from cursory inspection, and malware will often outright “lie” about its capabilities by injecting strings from other popular known-good binaries into its own. For instance, one of the most popular programs whose strings are appropriated by malware is the SSH program PuTTY. But this binary did not employ evasion or obfuscation. In fact, the strings seem to show transparently exactly what the binary is intended to do, as if it had originally been developed as an open source tool providing encrypted tunnel access to internet hosts.
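To make the string-matching approach above concrete, here is an added example (not Invincea’s code, and not its StackOverflow-derived definitions): a minimal `strings`-style extractor run over a constructed byte blob, with a hypothetical capability dictionary and a crude per-category confidence score. The `PuTTY` string planted in the sample illustrates the caveat about appropriated strings: a hit on a well-known tool name is evidence, not proof, so a defender should corroborate string hits against imports or observed behaviour before trusting them.

```python
import re
from collections import defaultdict

# Constructed sample "binary": printable fragments interleaved with non-printable
# bytes, standing in for a real PE file. This is NOT the XTunnel sample.
SAMPLE_BINARY = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"       # "MZ" header, too short to be a string
    b"ssh_userauth_publickey\x00\x01\x02"
    b"SSL_CTX_new\x00\xff\xfe"
    b"ldap_bind_s\x00\x00"
    b"CredEnumerateW\x00\x90\x90"
    b"inflate\x00deflate\x00"
    b"GetAsyncKeyState\x00"
    b"Ab\x00"                                # too short to count as a string
    b"PuTTY\x00"                             # appropriated tool name, matches nothing
)

# Hypothetical capability dictionary (an assumption for this example): each
# category maps to substrings typically seen in binaries with that capability.
CAPABILITY_SIGNATURES = {
    "ssh": ["ssh_", "libssh"],
    "openssl": ["SSL_CTX", "EVP_"],
    "ldap": ["ldap_"],
    "credential_access": ["CredEnumerate", "CredRead"],
    "compression": ["inflate", "deflate"],
    "input_monitoring": ["GetAsyncKeyState", "SetWindowsHookEx"],
}

MIN_LEN = 4


def extract_strings(data, min_len=MIN_LEN):
    """Return printable ASCII runs of at least min_len characters, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def rank_capabilities(strings, signatures=CAPABILITY_SIGNATURES):
    """Score each capability by the fraction of its signature substrings seen.

    Returns (category, score, matching_strings) tuples, highest score first.
    A string merely being present is weak evidence; the score only orders hits.
    """
    ranked = []
    for cap, needles in signatures.items():
        matched = {n for n in needles for s in strings if n in s}
        if not matched:
            continue
        score = round(len(matched) / len(needles), 2)
        hits = sorted(s for s in strings if any(n in s for n in needles))
        ranked.append((cap, score, hits))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


def unmatched_strings(strings, signatures=CAPABILITY_SIGNATURES):
    """Strings that matched no category; worth a manual look (e.g. planted names)."""
    needles = [n for ns in signatures.values() for n in ns]
    return [s for s in strings if not any(n in s for n in needles)]


if __name__ == "__main__":
    found = extract_strings(SAMPLE_BINARY)
    for cap, score, hits in rank_capabilities(found):
        print(f"{cap:18} {score:.2f}  {hits}")
    print("unmatched:", unmatched_strings(found))
```

The ranking deliberately scores a category by how many of its distinct signature substrings appear, so a single planted `PuTTY` string cannot inflate any category, and everything that matched nothing is listed separately for an analyst to review.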
Back in 2004, in the heyday of VoIP and soft phones, a company called Xten created a family of SIP products based on their XTunnel protocol. Softphones and VoIP applications couldn’t reliably operate inside of a firewalled environment that used Network Address Translation (NAT) without having to open up huge port ranges through the firewall. Requests for such port changes drove Security Administrators absolutely nutty. In fact, I remember way back when I was a firewall administrator and getting a few such requests to open port ranges on firewalls, and the loud discussions that ensued over how to keep the network secure.
The solution was to use a new protocol where an inside node would contact an external broker node and establish a two-way connection over whatever available port the VoIP/SIP software could find. I even remember seeing utilities like Skype portscan the inside NIC of a firewall looking for a way out. If it could get out via port 25 SMTP, it would take it. Ditto for AOL messenger and similar utilities.
The XTunnel Project became closed source and proprietary intellectual property when Xten was absorbed into a parent company during the years in which the VoIP market began consolidating. A few independent developers are still using pieces of the XTunnel platform for network encryption. For instance, below is a screenshot of a Chinese-language XTunnel PortMap client. When viewed using Invincea’s Deep Learning, this module has some capabilities in common with the Russian binary above. The Russian and Chinese versions of XTunnel also share the same clean, transparent listing of strings.
Figure 3: Screenshot of Chinese Version of XTunnel Port Mapper
The Fancy Bear threat actors used, by today’s standards, a very old but still reliable network module built for softphone, video and VoIP applications to maintain a fully encrypted, end-to-end Remote Access Trojan (RAT). Perhaps the only way the DNC could have detected the network activity associated with XTunnel would have been to catch it “port knocking” on the inside of the firewall. But with so many organizations running a firewall configuration that allows any inside host outbound without restriction, this would have been almost impossible to detect from logs alone. Even if they had restricted outbound access, XTunnel could have used other protocols such as ICMP or UDP to find its way outbound to the Russian command and control server.
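The two detection opportunities named above, an inside host “knocking” on many outbound ports toward one external address and then falling back to UDP or ICMP after its TCP attempts are denied, are both visible in egress firewall logs if the firewall logs denies and the analyst looks at per-host, per-destination behaviour rather than single lines. The following is an added example, not the DNC’s or CrowdStrike’s tooling: the log format is a generic key=value syntax constructed for the example (not any vendor’s real syntax), the internal and external addresses are documentation ranges, and the thresholds are assumptions a defender would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed egress firewall log. Host 10.0.5.23 sweeps outbound TCP ports toward
# one external address, is denied, then tries UDP and ICMP to the same destination.
# Host 10.0.5.7 is ordinary web browsing and should not alert.
SAMPLE_LOG = """\
2016-04-18T10:01:03 action=allow src=10.0.5.7 dst=198.51.100.5 proto=tcp dport=443
2016-04-18T10:01:05 action=deny src=10.0.5.23 dst=203.0.113.10 proto=tcp dport=22
2016-04-18T10:01:05 action=deny src=10.0.5.23 dst=203.0.113.10 proto=tcp dport=25
2016-04-18T10:01:06 action=deny src=10.0.5.23 dst=203.0.113.10 proto=tcp dport=110
2016-04-18T10:01:06 action=deny src=10.0.5.23 dst=203.0.113.10 proto=tcp dport=8080
2016-04-18T10:01:07 action=deny src=10.0.5.23 dst=203.0.113.10 proto=tcp dport=1194
2016-04-18T10:01:08 action=deny src=10.0.5.23 dst=203.0.113.10 proto=udp dport=53
2016-04-18T10:01:09 action=allow src=10.0.5.23 dst=203.0.113.10 proto=icmp dport=0
2016-04-18T10:02:30 action=allow src=10.0.5.7 dst=198.51.100.5 proto=tcp dport=80
2016-04-18T10:45:00 action=allow src=10.0.5.23 dst=203.0.113.10 proto=tcp dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse the constructed key=value format into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "action": d["action"],
            "src": d["src"],
            "dst": d["dst"],
            "proto": d["proto"].lower(),
            "dport": int(d["dport"]),
        })
    return events


def detect(text, window_seconds=60, port_threshold=5):
    """Flag per (src, dst) pair: an outbound TCP port sweep inside one time window,
    and a switch to a non-TCP protocol after TCP attempts were denied.
    Thresholds are assumptions to be tuned against real baseline traffic."""
    window = timedelta(seconds=window_seconds)
    by_pair = defaultdict(list)
    for ev in parse_log(text):
        by_pair[(ev["src"], ev["dst"])].append(ev)

    alerts = []
    for (src, dst), evs in sorted(by_pair.items()):
        evs.sort(key=lambda e: e["ts"])
        best_ports = set()          # largest set of distinct TCP ports in any window
        fallback_protos = set()     # non-TCP protocols seen after a TCP deny
        for i, start in enumerate(evs):
            ports = set()
            tcp_denied = False
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                if ev["proto"] == "tcp":
                    ports.add(ev["dport"])
                    if ev["action"] == "deny":
                        tcp_denied = True
                elif tcp_denied:
                    fallback_protos.add(ev["proto"])
            if len(ports) > len(best_ports):
                best_ports = ports
        if len(best_ports) >= port_threshold:
            alerts.append({"rule": "outbound_port_sweep", "src": src, "dst": dst,
                           "ports": sorted(best_ports)})
        if fallback_protos:
            alerts.append({"rule": "protocol_fallback", "src": src, "dst": dst,
                           "protocols": sorted(fallback_protos)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Both rules depend on the firewall actually logging denied outbound connections and on egress being restricted enough for denies to occur; on an “any inside host outbound” policy the sweep becomes a handful of short allowed sessions that only a per-host distinct-port count over time would surface.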
The Invincea Deep Learning analysis neither supports nor refutes the Russian origins of the XTunnel binary. The binary appears to be a repurposed open source tool that was used for nefarious purposes within the DNC.
Previous reports from CrowdStrike and others note that the XTunnel tool was used to maintain network connectivity. Whether the XTunnel tool was used for additional purposes, as its capabilities suggest, is unknown, but it had the potential to support a full range of additional activity.
SHA256 Hashes shown:
XTunnel Port Mapper: b81b10bdf4f29347979ea8a1715cbfc560e3452ba9fffcc33cd19a3dc47083a4