Download, Decryption and Persistence
Next, Trammy.dll[F10] schedules a task that adds the folder C:\ProgramData to Windows Defender’s exclusions.
The DLL contacts the open directory hxxps://fileondemandd(dot)site/[U2] (see Figure 8) and downloads the ZIP archive filea.tat[F12].
The archive is password protected. The password is vsfdefender and has not been changed in a long time; for example, the archives in the Checkpoint article from one year ago also use this password (Checkpoint names the samples BBTok, with filenames fe, fe2, and fe235). However, this password only works for the files that the malware actually uses. Because ZIP encrypts each entry separately, one archive can hold entries protected with different passwords, and attempting to unpack the whole archive with vsfdefender results in ‘wrong password’ error messages for the remaining entries. This could be intentional to thwart brute-forcing of the archive’s password.
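To make the per-entry password behaviour concrete, the following added example (not code from the article or from the malware) builds a small ZIP in which each entry carries its own password and then probes every entry with one candidate password, the way an analyst would check which entries a known password actually opens. The article does not state which ZIP encryption scheme filea.tat uses; the example assumes traditional ZipCrypto because that is the scheme CPython's zipfile module can read without third-party code. The entry names CCProxy.ini and explorer.exe come from the article; their contents, the decoy.bin entry and the second password are constructed.

```python
import io
import os
import struct
import zipfile
import zlib

# CRC-32 table with the reflected polynomial; ZipCrypto's key schedule uses the same table.
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc32_byte(crc: int, ch: int) -> int:
    return (crc >> 8) ^ _CRC_TABLE[(crc ^ ch) & 0xFF]


class ZipCryptoEncryptor:
    """Traditional PKWARE ('ZipCrypto') stream cipher, encryption direction.
    The key schedule mirrors the decrypter in CPython's zipfile module."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for p in password:
            self._update(p)

    def _update(self, c: int) -> None:
        self.k0 = _crc32_byte(self.k0, c)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            t = self.k2 | 2
            out.append(c ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(c)  # keys advance on the plaintext byte, as in the decrypter
        return bytes(out)


def build_zip(entries) -> bytes:
    """Write a minimal ZIP (STORED, ZipCrypto) where every entry gets its own password.
    entries: iterable of (name, plaintext bytes, password bytes)."""
    body, central = io.BytesIO(), io.BytesIO()
    dos_time, dos_date = 0, ((2024 - 1980) << 9) | (1 << 5) | 1  # fixed, arbitrary timestamp
    count = 0
    for name, data, password in entries:
        crc = zlib.crc32(data) & 0xFFFFFFFF
        # 12-byte encryption header: 11 random bytes + high byte of the CRC (the password check byte).
        header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
        payload = ZipCryptoEncryptor(password).encrypt(header + data)
        name_b = name.encode("ascii")
        offset = body.tell()
        # Local file header: version 2.0, flag bit 0 = encrypted, method 0 = stored.
        body.write(struct.pack("<4s2B4HL2L2H", b"PK\x03\x04", 20, 0, 1, 0, dos_time, dos_date,
                               crc, len(payload), len(data), len(name_b), 0) + name_b + payload)
        central.write(struct.pack("<4s4B4HL2L5H2L", b"PK\x01\x02", 20, 0, 20, 0, 1, 0, dos_time,
                                  dos_date, crc, len(payload), len(data), len(name_b),
                                  0, 0, 0, 0, 0, offset) + name_b)
        count += 1
    cd = central.getvalue()
    end = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, count, count, len(cd), body.tell(), 0)
    return body.getvalue() + cd + end


def probe_entries(zip_bytes: bytes, password: bytes) -> dict:
    """Try one password against every entry. 'ok' means the check byte and the CRC both matched;
    'not this password' covers the usual check-byte mismatch and the 1-in-256 case where the
    check byte matches by accident and the CRC check then fails."""
    verdict = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                with zf.open(info, pwd=password) as f:
                    f.read()
                verdict[info.filename] = "ok"
            except (RuntimeError, zipfile.BadZipFile):
                verdict[info.filename] = "not this password"
    return verdict


def read_entry(zip_bytes: bytes, name: str, password: bytes) -> bytes:
    """Extract a single entry with the password that belongs to it."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name, pwd=password)


# Constructed fixture: the two names the article lists open with the known password;
# the third entry uses a different, made-up password, so a whole-archive extraction fails on it.
SAMPLE_ENTRIES = [
    ("CCProxy.ini", b"[constructed CCProxy config placeholder]", b"vsfdefender"),
    ("explorer.exe", b"[constructed Delphi payload placeholder]", b"vsfdefender"),
    ("decoy.bin", b"[constructed entry protected with another password]", b"other-password-xyz"),
]

if __name__ == "__main__":
    archive = build_zip(SAMPLE_ENTRIES)
    for entry_name, result in probe_entries(archive, b"vsfdefender").items():
        print(f"{entry_name:14} {result}")
```

Running the script prints `ok` for the two entries that share the known password and `not this password` for the decoy, which is exactly the picture an analyst sees when a single-password extraction of a mixed archive stops with wrong-password errors. The probe loop is the useful part for triage: it separates "wrong password for this entry" from "archive is broken" without attempting anything beyond the password already in hand.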
We obtained seven files from the ZIP archive[F12]. Six of them (CCProxy.exe[F15], wke.dll[F16], Web.exe[F17], CCProxy.ini, AccInfo.ini and LeftTime.ini) belong to the CCProxy application developed by Youngzsoft Co., Ltd, which can be used, for example, to filter and monitor network traffic. Trammy.dll[F10] extracts all of them to C:\Program Files\SearchIndexer[P4] except for Web.exe[F17], which remains unused. CCProxy.exe[F15], masked as Searchlndexer.exe (with a lowercase “L” in place of the uppercase “I”), is the main application and is registered as a local service that starts automatically on Windows boot. CCProxy.ini and AccInfo.ini configure CCProxy to accept HTTP connections from localhost on port 8118, which is used to disguise the communication with the CnC server[U3].
The wke.dll[F16] is superfluous because it is only required by the non-extracted Web.exe[F17]. The seventh file is named explorer.exe[F14] and was compiled with Embarcadero Delphi 11.0 Alexandria. Trammy.dll[F10] extracts it to the program data folder and registers it as a local service as well. In previous articles (link 1, link 2), the Delphi payload was BBTok.
After establishing persistence, Trammy.dll[F10] creates the empty file internal_drive_version2.3.4.txt[P2], which is used to determine if the code already ran. Then Trammy.dll[F10] displays the default Windows license expiration warning and reboots the system. On reboot, the CCProxy service starts with its custom configuration and the fake explorer.exe[F14] is called with a renamed filea.tat[F12] as argument. Figure 9 shows the overview for this part of the infection chain.
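The persistence described above leaves three host-side traces a defender can check for: a service binary whose name is a look-alike of a Windows executable (Searchlndexer.exe for SearchIndexer.exe), a well-known binary name (explorer.exe) running from outside its normal directory, and a service directory that sits under a Defender exclusion such as C:\ProgramData. The following added example (not code from the article) runs those three checks over a constructed service inventory. The service names are made up; the paths follow the article's description, and the expected locations of SearchIndexer.exe (System32) and explorer.exe (C:\Windows) are standard Windows facts. In practice the inventory would be fed from `Get-CimInstance Win32_Service` (PathName) and `Get-MpPreference` (ExclusionPath).

```python
import ntpath
from dataclasses import dataclass

# Legitimate location of the two Windows binaries the analysis says were impersonated.
KNOWN_BINARIES = {
    "SearchIndexer.exe": r"C:\Windows\System32",
    "explorer.exe": r"C:\Windows",
}

# Glyphs routinely swapped to build look-alike names: lowercase L or digit one for capital I, zero for O.
_CONFUSABLES = str.maketrans({"l": "i", "1": "i", "0": "o"})


def canonical(name: str) -> str:
    """Case-fold and collapse confusable glyphs, so 'Searchlndexer.exe' and 'SearchIndexer.exe' compare equal."""
    return name.lower().translate(_CONFUSABLES)


@dataclass
class Service:
    name: str        # service name as registered
    image_path: str  # full path of the executable the service runs


def triage_services(services, defender_exclusions):
    """Return (service name, reason) findings for binaries that impersonate a known Windows
    executable, run from the wrong directory, or live under a Defender exclusion path."""
    findings = []
    exclusions = [e.lower().rstrip("\\") for e in defender_exclusions]
    for svc in services:
        directory = ntpath.dirname(svc.image_path).lower()
        base = ntpath.basename(svc.image_path)
        for real_name, expected_dir in KNOWN_BINARIES.items():
            if canonical(base) != canonical(real_name):
                continue
            # Same name after glyph folding but different bytes: a look-alike.
            if base.lower() != real_name.lower():
                findings.append((svc.name, f"look-alike name {base!r} for {real_name}"))
            # Right name, wrong home directory.
            if directory != expected_dir.lower():
                findings.append((svc.name, f"{base} runs from {directory!r}, expected {expected_dir!r}"))
        for excl in exclusions:
            if directory == excl or directory.startswith(excl + "\\"):
                findings.append((svc.name, f"binary directory is covered by Defender exclusion {excl!r}"))
    return findings


# Constructed inventory: one legitimate service plus the two the article describes.
SAMPLE_SERVICES = [
    Service("WSearch", r"C:\Windows\System32\SearchIndexer.exe"),
    Service("SearchIndexer", r"C:\Program Files\SearchIndexer\Searchlndexer.exe"),
    Service("explorer", r"C:\ProgramData\explorer.exe"),
]
SAMPLE_EXCLUSIONS = [r"C:\ProgramData"]  # the exclusion the scheduled task adds

if __name__ == "__main__":
    for service_name, reason in triage_services(SAMPLE_SERVICES, SAMPLE_EXCLUSIONS):
        print(f"{service_name:14} {reason}")
```

The legitimate WSearch entry produces no findings; the two planted services each produce two, which is the kind of low-noise signal worth wiring into a scheduled baseline comparison rather than relying on the file-name homoglyph being noticed by eye.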
In our next article, we will describe how the Delphi payload[F14] communicates with the CnC server[U3] via CCProxy using the RealThinClient SDK.