MSRT November 2013 - Napolar

  • Article

​We first noticed the new family we named Win32/Napolar being distributed in the wild in early August this year. It quickly became a big problem on our customers’ machines.

Napolar is one of two families targeted by the Malicious Software Removal Tool (MSRT) this month. The other is the bitcoin mining family Win32/Deminnix.

As shown in the chart below, Napolar was hitting ~220K unique machines during the week of August 23rd.

Napolar is a trojan that can download and run files, utilize your machine’s resources to conduct a DDoS attack or serve as a SOCKS proxy, monitor network traffic, and steal credentials for FTP, POP3 and websites.  There is also a plugin infrastructure designed in Napolar, but we haven’t seen much usage of it.

Napolar infected machines in August/September 2013

Figure 1: Napolar infected machines in August/September 2013

The major infection vector used by Napolar during the spike of the week of August 23rd was a spammed link sent in a Facebook message.

The group behind this major  distribution chose to use public file sharing services (such as 4shared and mediafire) to host their malware. They also utilized computers infected by another family, Win32/Dorpiex, to send the malicious links to their Facebook friends.

The links redirect to a Napolar executable hosted on the file share service. The  files downloaded from those links  have a name and icon that make them look like an image (see example below) to lure people into opening it.

Although this is an old and well-known social engineering trick, sadly it still seems to trick a decent number of victims for the bad guys.

example of the downloaded file containing win32/Napolar

Figure 2: An example of the downloaded file containing win32/Napolar

Napolar installs itself in a similar way as other bots, but it takes a further step to install a user-mode rootkit to hide its file presence in the system and inject itself into newly created processes by hooking system native APIs (Ntdll!NtResumeThread and Ntdll!NtQueryDirectoryFile).

The chart below demonstrates a typical process found in Napolar. With newer variants, the main module name “lsass.exe” and plugins folder name “SlrPlugins” are changed to a random schema. There is more information on this in our Napolar family description.

Napolar starts when a user logs, because the Napolar file is located in the %Startup% folder. The  file is hidden by the user-mode rootkit so it can’t be seen directly with Windows Explorer. To be even stealthier, the main payload is injected and run in the explorer.exe process. The payload does the main tasks like communicating with a C&C, download files/plugins, etc. We have seen it download Win32/Dorpiex, which does further spreading, as well as Win32/Vicenor which does bitcoin mining.

A typical process found in Win32/Napolar

Figure 3: A typical process found in Win32/Napolar

When running in web browsers and processes where ws2_32.dll is loaded, Napolar monitors network traffic and captures credentials by matching given patterns. Default strings ‘USER’ and ‘PASS’ are used to capture credentials from unencrypted FTP and POP3 traffic, and more patterns can be given by a C&C to capture credentials from websites.

Besides hiding itself, Napolar also tries to block changes to the following registry key paths with its rootkit functionality:

  • Microsoft\Windows\CurrentVersion\Run
  • Microsoft\Windows NT\CurrentVersion\Windows\run
  • Microsoft\Windows NT\CurrentVersion\Windows\load
  • Microsoft\Windows\CurrentVersion\Policies\Explorer\run
  • Microsoft\Windows NT\CurrentVersion\Winlogon
  • Microsoft\Active Setup\Installed Components

According to one website that advertises and sells Napolar as Solar Bot, this “feature” is for anti-bot installation - which sounds like preventing other malware from installing. This reminds me of the already crowded and competitive black market.
There are a couple of anti-debugging tricks can be found in Napolar that are also worth mentioning. They are not new but work for common debuggers:

  • Using code section name “%*s%*s%s*” for crashing OllyDbg.
  • Self-debugging to evade single process debugging.
  • Hooking Ntdll!DbgUiRemoteBreakin to block debugger remote attaching.

More interestingly, Napolar is written like Shellcode so it’s able to self-relocate and dynamically resolve APIs. At first glance, it is an x86 executable; however, so it can work with both x86 and x64 platforms it embeds the x64 copy of itself (no PE structure, just code and data) in the x86 executable. The x64 code is then decompressed by standard API RtlDecompressBuffer with COMPRESSION_FORMAT_LZNT1 as format if it is running under a Wow64 emulator.

To run the 64bit code from x86 code, Napolar allocates a 7 bytes buffer and puts far-call code calls into the decompressed x64 code with the segment selector set to 0x33 (the x64 code segment), then calls into the buffer. 

A typical process found in Win32/Napolar

Figure 4: Napolar generates far call code into segment 0x33

The far-call switches the current process to execute x64 code and do code injection into x64 explorer.exe.

Napolar is a trojan that can do pretty bad things – from deploying more malware to stealing your credentials. The social engineering trick it uses is simple but it works, just keep that in mind and be careful when opening executables sent on social networks. Even if it's sent from one of your friends, don’t open it if you have no idea what it is.

 As always, the best protection from Napolar and similar threats is an up-to-date real time security solution.

Shawn Wang
MMPC