Detecting Cmstar variants using Security Analytics

Blog Post created by ahsonbol on Sep 30, 2015

Cmstar is a custom downloader that has been used in cyber espionage attacks. The name comes from one of the strings its author writes to a text file on the infected machine for debugging purposes. Cmstar's network activity closely resembles that of Enfal, a malware family that has been used in targeted attacks for years.

Cmstar collects some information about the infected system, such as the Windows version, the CPU architecture and whether an antivirus product is installed. It encodes all of that information with a single-byte XOR algorithm and sends it to its C2 server in an HTTP POST request. Cmstar uses the same XOR algorithm to build the URL and other HTTP request parameters from encoded strings embedded in the binary.

Event reconstruction of one of those sessions shows the encoded information being passed from the infected system to the C2 server:


Values for both the directory and filename meta keys were the same in all samples analyzed by FirstWatch:


Assuming the appropriate meta keys are enabled, the following query can be used to detect Cmstar network activity:

          action = 'put' && directory = '/cgl-bin/' && extension = 'cgi' && client !exists
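To show what the query matches in practice, here is an added Python example (not RSA's code) that derives the same four meta keys from raw HTTP requests and applies the query to constructed samples; the mapping of POST to action 'put', of the request path to directory/extension, and of the User-Agent header to 'client' is an assumption modelled on the post's query, and the request bodies and host name are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample requests (not real captures). The header block ends at the
# blank line; the POST body stands in for the XOR-encoded host information.
SAMPLES = {
    "no_user_agent": "POST /cgl-bin/upload.cgi HTTP/1.1\r\nHost: c2.example\r\n"
                     "Content-Length: 4\r\n\r\nAAAA",
    "with_user_agent": "POST /cgl-bin/upload.cgi HTTP/1.1\r\nHost: c2.example\r\n"
                       "User-Agent: Mozilla/5.0\r\nContent-Length: 4\r\n\r\nAAAA",
    "get_request": "GET /cgl-bin/upload.cgi HTTP/1.1\r\nHost: c2.example\r\n\r\n",
    # Lookalike: the legitimate /cgi-bin/ directory, not Cmstar's /cgl-bin/.
    "real_cgi_bin": "POST /cgi-bin/upload.cgi HTTP/1.1\r\nHost: c2.example\r\n"
                    "Content-Length: 4\r\n\r\nAAAA",
}


def extract_meta(raw_request: str) -> dict:
    """Derive the meta keys used by the query (action, directory, extension,
    client) from a raw HTTP request. Assumed mapping: POST -> 'put',
    GET -> 'get'; 'client' is only set when a User-Agent header is present."""
    head, _, _body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path = urlsplit(target).path
    directory, _, filename = path.rpartition("/")
    directory += "/"                      # keep the trailing slash, as in the query
    extension = filename.rsplit(".", 1)[1] if "." in filename else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    action = {"POST": "put", "GET": "get"}.get(method.upper(), method.lower())
    meta = {"action": action, "directory": directory, "extension": extension}
    if "user-agent" in headers:
        meta["client"] = headers["user-agent"]
    return meta


def matches_cmstar_query(meta: dict) -> bool:
    """action = 'put' && directory = '/cgl-bin/' && extension = 'cgi' && client !exists"""
    return (meta.get("action") == "put" and meta.get("directory") == "/cgl-bin/"
            and meta.get("extension") == "cgi" and "client" not in meta)


def flagged(samples: dict = SAMPLES) -> list:
    """Return the names of the samples the query would flag."""
    return sorted(n for n, r in samples.items() if matches_cmstar_query(extract_meta(r)))


if __name__ == "__main__":
    print(flagged())  # -> ['no_user_agent']
```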

You can read more about Cmstar on the Palo Alto Networks Unit 42 blog.

All of the IOCs from those HTTP sessions were added to RSA FirstWatch Live feeds.