WannaCry Kill Switch Hero Faces New Charges, But Code Evals Say Little

A fresh FBI charge against Marcus Hutchins has led to the Kronos banking trojan and the UPAS Kit backdoor being linked in the news over the past week.

However, a fresh analysis this week shows that, at least on a code level, the similarities (and differences) between the two are far from conclusive.

Hutchins (a.k.a. “MalwareTech”) came to public attention in May of last year after discovering a hardcoded “kill switch” for the WannaCry ransomware that stopped the infamous campaign in its tracks. He was hailed a hero by the security community, given that WannaCry was at the time wreaking havoc in more than 150 countries, impacting large and small companies alike and causing millions in damages worldwide.

The accolades didn’t last long: The FBI in August 2017 hit the kill switch hero with cybercrime charges, for contributing to the development of the Kronos malware. Kronos has been around since June 2014, according to Malwarebytes, and began life as a banking trojan with ties to the leaked Zeus source code, as its name suggests. More recently, according to an analysis from Proofpoint, criminals have been seen using it as a downloader for follow-on malware, like point-of-sale skimmers.

Hutchins, who is living in California on bail while he awaits his court date, was then handed fresh charges last week; the FBI is now alleging that he conspired with the same person who first advertised Kronos on the Dark Web – one Russian-speaking “Vinnyk,” according to Malwarebytes and the indictment – to distribute the UPAS Kit malware, which is a backdoor spy-bot that is mainly used in the wild to download other malicious components.

Despite the differences between the payload functions, Check Point researchers decided to take a look at the two codebases to see if any links could be made.

Most significantly, “both pieces of malware… operate as user land rootkits, i.e. malware that uses various techniques in order to cover its own tracks and hide from system monitoring mechanisms,” said Check Point researcher Mark Lechtik, in an interview. “These are not very common in the wild in general.”

Kind of the Same, Kind of Different

In a comparison of the UPAS Kit and the Kronos banking trojan, Check Point also found a few other areas of overlap. For instance, UPAS Kit makes usage of multiple low-level ntdll functions and resolves their addresses during run-time.

“While it may serve as a means to thwart analysis, this is not a very sophisticated trick on its own,” wrote Lechtik, in an analysis. “In fact, a similar method is used in the Kronos malware to achieve the same goal. However, in this case the function names are not kept in cleartext in the binary, but rather as string hashes.”

There is also some overlap on the order of loaded functions (i.e. the order in which the table entries reside within the binary), the analysis pointed out; and, there’s also a similarity in the implementation of the MD5 function in that they both create a mutex name in a similar manner.

Also, there’s a similarity when it comes to conducting a successful injection. UPAS Kit and Kronos take different tacks – however, “both present an attempt to elevate the malware’s process token to SeDebugPrivilege, which is not mandatory for the injection to succeed,” Lechtik noted.

Meanwhile, on the evading-sandboxes front, UPAS and Kronos differ substantially, researchers found. For instance, both avoid detection by identifying the ThreatExpert sandbox, and perform checks to see if VMWare is running. In terms of process though, how the equivalent checks are made differ quite a bit, Check Point found.

“[Kronos’] checks cover more scenarios than [UPAS Kit], which may imply that the evasion procedures were written by different authors, or the same one taking a different approach to the problem,” wrote Lechtik.

The reverse-engineering analysis also uncovered that the hooking method used by Kronos is quite different from UPAS Kit, even though here too, there are similarities.

“Although both conduct inline hooking, Kronos uses a much more stable and safe implementation,” the analysis points out. “Inline hooking introduces a concurrency issue whereby a context switch that occurs before all stolen bytes are overwritten may cause a system crash if the hooked function is called (since it’s code is not in a consistent state). Therefore, the Kronos hooking method uses an atomic write of the prologue bytes using the instruction ‘lock cmpxch8b’. In this sense, the hooking engine of UPAS Kit is a lot simpler, and instead carries out an unsafe write with WriteProcessMemory function.”

However, when it comes to the hook functions themselves, eight of them appear in a similar form within Kronos, and serve the exact same purposes.

“This suggests that part of the rootkit component in those binaries was possibly reused,” Lechtik wrote.

Bottom Line

Ultimately, Lechtik concluded that neither of the malwares use particularly novel techniques or exhibit positively identifying “fingerprints” of their authors.

While there are some similarities in implementation of particular pieces of code, they don’t necessarily mean the two were written by the same author, he added.

“They could be result of reusing particular chunks of code from a single code repository that was available to several malware authors,” he told Threatpost. “It’s really hard to make a call whether both were written by the same author or not. The similarities between them could point at an author that shifted from one malware to another, and in that process improved his techniques, or otherwise totally different crooks who had access to some mutual code base. What can be said is that there is some resemblance in coding style.”

Bottom line? “It’s really hard to suggest anything by only looking at the code,” Lechtik said. “While the facts do show some similarities between the two pieces of malware, we should refrain from pointing fingers as a result of this.”