Panda Banker’s Future DGA
Since we last visited the Panda Bankers at the malware zoo, two new versions have emerged: 2.2.6 and 2.2.7. While sifting through the encrypted strings of the latest version, two interesting ones stood out:
- dgaconfigs
- DGA, download “%S”.
Tracing the first one through the code does indeed lead to a DGA, or domain generation algorithm. It looks to be a backup mechanism for when the primary hardcoded C2s have gone down. Searching older samples reveals that the strings and the DGA have actually been around since version 2.2.1. This post takes a closer look at the algorithm using this sample (version 2.2.7) as a reference.
Domain Generation Algorithm
Panda’s DGA requires three inputs:
- RSA public key from the base config
- Current date
- dgaconfigs from the base config
Our previous post discusses locating and decrypting the base config along with extracting the RSA public key. The key for this sample is:
This 293-byte blob is fed into RC4’s key-scheduling algorithm (KSA) to produce a 258-byte S string:
The next input into the DGA is the date in Unix timestamp format—in the malware this is calculated using a SYSTEMTIME with wHour, wMinute, wSecond, and wMilliseconds fields zeroed and some FILETIME math. The number of seconds since the Unix epoch is XOR’d with the first DWORD of the S string:
This modified S string is then SHA256 hashed. Next, the first five bytes of the digest are converted to hexadecimal and become the first part of the generated domain. For example, for September 15, 2016 (1473897600) for this sample, the first part is:
944ff45890
dgaconfigs are the third input and are contained in the base config:
The configs are “\x00”-separated; once extracted they are:
- d4.com/rcnfig.dat
- 78.net/ronfig.dat
- 11.net/rcng.dat
- 19.net/vgt.dat
Combining each config with part one from above completes the domain generation:
A proof of concept Python implementation of the algorithm will be available on our Github here.
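The three-input procedure above, written out as an added example (not the GitHub proof of concept mentioned here). The RSA public key blob is not reproduced on this page, so a constructed placeholder stands in for it and the output will not match 944ff45890; the example also assumes the first DWORD is XOR'd little-endian and that the 258-byte S string is the 256-byte RC4 permutation followed by the two index bytes i and j (zero right after KSA).

```python
import hashlib
import struct
from datetime import datetime, timezone

# Constructed placeholder standing in for the 293-byte RSA public key blob,
# which is not reproduced on this page; real output needs the real key.
CONSTRUCTED_KEY = bytes((i * 7 + 3) & 0xFF for i in range(293))
# dgaconfigs as extracted on the page, "\x00"-separated in the base config.
DGACONFIGS_BLOB = b"d4.com/rcnfig.dat\x0078.net/ronfig.dat\x0011.net/rcng.dat\x0019.net/vgt.dat\x00"

def rc4_ksa(key: bytes) -> bytes:
    """Standard RC4 key scheduling: returns the 256-byte permutation S."""
    s = bytearray(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return bytes(s)

def day_timestamp(year: int, month: int, day: int) -> int:
    """Unix time at 00:00:00 UTC of the date, i.e. a SYSTEMTIME with
    wHour, wMinute, wSecond and wMilliseconds zeroed."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())

def parse_dgaconfigs(blob: bytes) -> list:
    """Split the NUL ("\\x00")-separated dgaconfigs, dropping empty entries."""
    return [c.decode() for c in blob.split(b"\x00") if c]

def domain_prefix(s_string: bytes, timestamp: int) -> str:
    """XOR the first DWORD of S (assumed little-endian) with the timestamp,
    SHA256 the result and return the first five digest bytes as hex."""
    buf = bytearray(s_string)
    first = struct.unpack_from("<I", buf, 0)[0]
    struct.pack_into("<I", buf, 0, first ^ (timestamp & 0xFFFFFFFF))
    return hashlib.sha256(bytes(buf)).hexdigest()[:10]

def panda_domains(rsa_pubkey: bytes, year: int, month: int, day: int, configs: list) -> list:
    """Full DGA: one domain per dgaconfig for the given day."""
    # Assumption: the 258-byte S string is the 256-byte permutation followed
    # by the two RC4 index bytes i and j, both zero right after KSA.
    s_string = rc4_ksa(rsa_pubkey) + b"\x00\x00"
    prefix = domain_prefix(s_string, day_timestamp(year, month, day))
    return [prefix + cfg for cfg in configs]

if __name__ == "__main__":
    for d in panda_domains(CONSTRUCTED_KEY, 2016, 9, 15, parse_dgaconfigs(DGACONFIGS_BLOB)):
        print(d)
```

For detection, the useful property is that the prefix changes once per day and is fixed per key, so a defender holding the extracted key can precompute the day's candidate domains.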
DGA Characteristics
- Domains change daily
- The number of daily domains depends on the number of dgaconfigs
- The DGA is tied to an embedded RSA public key so is campaign/customer specific
- The length of each domain depends on the dgaconfigs but is at least 10 characters because of the first part
Using this classification system, this DGA could be classified as a time-dependent, deterministic, and hash-based DGA or TDD-H.
A Future DGA
While the DGA functionality has been available in Panda Banker for a few versions, a bug in the code has prevented the malware from using it. An incorrectly formatted URL causes a parsing function to fail and prevents the malware from phoning home to the domains.
As mentioned above, development on this malware has continued at a fairly quick pace though, so it is quite likely this bug will soon be identified and fixed. But until then this oversight provides a rare opportunity for defenders to get ahead of the curve and preemptively monitor and mitigate a threat.