Part 2: 5 versions of Evora

geumland · 3 min read · Apr 27, 2020

Evora Version 1

In the first part of this series, I concluded that Evora is a look-alike of Elise and therefore very likely evolved from it. I call this the first version of Evora; it is believed to have been released as early as 2012.

Evora Version 2

Then, in early 2014, a change appears in samples of Evora compiled from that point on. The general working mechanisms of the malware, including core features such as the C2 communication method and the payload configuration, remain largely the same.

However, the way the malware is loaded and executed in memory changed. If I were to describe it, version 1 is one-dimensional, while version 2 became two-dimensional, as illustrated in the diagram below. This was briefly mentioned in my previous blog post, Confusing Naming Convention.

Evora Version 2 Structure

In version 2 the payload is embedded within the executable DLL. When the DLL runs, it calls the export function responsible for loading the embedded payload into memory and then executing it. This execution flow and its loading routine become a characteristic feature of Evora version 2 and later.

Evora Version 3

In 2016 another version was released. This time the major change lies in the C2 communication protocol, which is still proprietary, like the one used in Evora versions 1 and 2.

I did not analyse it deeply enough to work out how this new C2 protocol works. But from a brief look at the malware in the debugger, I observed that random-looking bytes hardcoded in the malware were sent to the C2, unlike the previous versions, which sent encrypted and encoded machine info, command ID, campaign name and so on.

This probably means that information such as the command ID and campaign name is encrypted before being hardcoded into the malware for deployment. It is likely also why the SSL enforcement introduced in Evora version 2 was dropped in this version: if analysts cannot decrypt the pre-encrypted bytes and learn what is actually sent to the C2, the author presumably judged the channel secure enough without transport encryption. Note that this cuts both ways for the operator: bytes that are hardcoded are also constant, so the same beacon content recurs in every request from that build, which is exactly what a network signature can match on.

Evora Version 4 & Version 5

Two of the Sagerunex samples reported by Symantec in September 2019 were compiled in 2018 and 2019 respectively. The major difference between these two recent samples and the previous three versions is again the C2 communication protocol.

Both of these recent samples appear to use legitimate platforms as their C2. Since they use different platforms, I split them into two versions.

Version 4:

Evora Version 4, compiled in 2018, makes use of either Twitter or Dropbox. A flag in the malware determines which of these applications it uses, and the credentials for that application are included in the payload configuration. In other words, whoever deploys the malware has to configure it to use either Twitter or Dropbox before deployment. It also means the API credentials can be recovered from the configuration of a captured sample, which gives defenders a handle on the accounts the operator is using.

The malware connects to whichever application is selected using that application's API. Instructions are retrieved, and collected information is uploaded, through the API via Twitter direct messages or a Dropbox folder.

Version 5:

Evora Version 5, compiled in 2019, uses the email and collaboration platform Zimbra. Zimbra comes in two editions, a commercial Network Edition and an open-source edition.

Connecting over Zimbra's SOAP API, the malware receives instructions from, and uploads information to, the controller through a Zimbra server. Unlike Twitter and Dropbox, Zimbra is software the operator (or a victim organisation) hosts, so the C2 endpoint is whichever Zimbra server the sample is configured for rather than a well-known public API host.
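Because versions 4 and 5 both hide their C2 inside legitimate services, the defender's angle is not the destination alone but which process on the endpoint is talking to it. The script below is an added example (mine, not code from the original post or from the malware) that runs a simple triage over constructed proxy log lines: it groups requests to the Twitter direct-message API, the Dropbox files API and a Zimbra SOAP endpoint by source host and process, and reports the groups whose process is not a browser or the official client. The process names, the baseline of expected clients and the key=value log format are assumptions chosen for the example; the API hostnames and path prefixes are the public ones for those services.

```python
"""Flag workstations where an unexpected process talks to a Twitter,
Dropbox or Zimbra SOAP endpoint, the channels Evora v4 and v5 use for C2.
Added example over constructed proxy log lines; not code from the post."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Public API hosts (Twitter DM, Dropbox) and the Zimbra SOAP endpoint path.
# Zimbra is self-hosted, so it is matched on the path alone.
PLATFORMS = {
    "twitter-dm": {"hosts": {"api.twitter.com"}, "paths": ("/1.1/direct_messages/",)},
    "dropbox": {"hosts": {"api.dropboxapi.com", "content.dropboxapi.com"},
                "paths": ("/2/files/",)},
    "zimbra-soap": {"hosts": set(), "paths": ("/service/soap",)},
}

# Processes that legitimately use each platform on a workstation (assumed
# baseline for this example; tune it to the environment). Anything else is reported.
EXPECTED = {
    "twitter-dm": {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"},
    "dropbox": {"dropbox.exe", "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"},
    "zimbra-soap": {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "outlook.exe"},
}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value proxy log line; returns None if it carries no URL."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if "url" not in fields:
        return None
    url = urlparse(fields["url"])
    fields["url_host"] = (url.hostname or "").lower()
    fields["url_path"] = url.path
    return fields


def classify(url_host, url_path):
    """Name the platform a request belongs to, or None if it is unrelated."""
    for name, sig in PLATFORMS.items():
        if url_host in sig["hosts"]:
            return name
        if not sig["hosts"] and url_path.startswith(sig["paths"]):
            return name
    return None


def find_c2_candidates(lines):
    """Group platform traffic by (source host, process, platform) and return
    the groups whose process is not an expected client, in stable order."""
    groups = defaultdict(lambda: {"requests": 0, "hosts": set(), "paths": set()})
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        platform = classify(f["url_host"], f["url_path"])
        if platform is None:
            continue
        proc = f.get("proc", "").lower()
        g = groups[(f.get("src", "?"), proc, platform)]
        g["requests"] += 1
        g["hosts"].add(f["url_host"])
        g["paths"].add(f["url_path"])
    findings = []
    for (src, proc, platform), g in sorted(groups.items()):
        if proc in EXPECTED[platform]:
            continue
        # The DM / files / SOAP paths are the ones that can carry tasking and
        # uploads, so list which of them were touched.
        api_paths = sorted(p for p in g["paths"] if p.startswith(PLATFORMS[platform]["paths"]))
        findings.append({"src": src, "proc": proc, "platform": platform,
                         "requests": g["requests"], "hosts": sorted(g["hosts"]),
                         "api_paths": api_paths})
    return findings


# Constructed log lines (not real telemetry): svchost.exe on WS-017 polling
# Twitter DMs, rundll32.exe on WS-022 using the Dropbox files API, rundll32.exe
# on WS-031 posting to a Zimbra SOAP endpoint, plus benign browser and Dropbox
# client traffic and an unrelated request that must not be reported.
SAMPLE_LOG = """\
ts=2019-06-03T10:21:07Z src=WS-017 proc=svchost.exe method=POST url=https://api.twitter.com/1.1/direct_messages/events/list.json bytes=812
ts=2019-06-03T10:26:09Z src=WS-017 proc=svchost.exe method=POST url=https://api.twitter.com/1.1/direct_messages/events/list.json bytes=815
ts=2019-06-03T10:26:11Z src=WS-017 proc=svchost.exe method=POST url=https://api.twitter.com/1.1/direct_messages/events/new.json bytes=4096
ts=2019-06-03T10:30:44Z src=WS-003 proc=chrome.exe method=GET url=https://api.twitter.com/1.1/direct_messages/events/list.json bytes=2210
ts=2019-06-03T10:31:02Z src=WS-003 proc=Dropbox.exe method=POST url=https://content.dropboxapi.com/2/files/upload bytes=131072
ts=2019-06-03T10:33:15Z src=WS-022 proc=rundll32.exe method=POST url=https://api.dropboxapi.com/2/files/list_folder bytes=340
ts=2019-06-03T10:33:17Z src=WS-022 proc=rundll32.exe method=POST url=https://content.dropboxapi.com/2/files/download bytes=51200
ts=2019-06-03T10:33:40Z src=WS-022 proc=rundll32.exe method=POST url=https://content.dropboxapi.com/2/files/upload bytes=9800
ts=2019-06-03T10:35:01Z src=WS-031 proc=rundll32.exe method=POST url=https://mail.example.net/service/soap bytes=1460
ts=2019-06-03T10:35:30Z src=WS-031 proc=firefox.exe method=POST url=https://mail.example.net/service/soap bytes=2300
ts=2019-06-03T10:36:00Z src=WS-017 proc=svchost.exe method=GET url=https://www.example.com/ bytes=120
"""

if __name__ == "__main__":
    for hit in find_c2_candidates(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the constructed sample this reports three groups (WS-017/svchost.exe/twitter-dm, WS-022/rundll32.exe/dropbox, WS-031/rundll32.exe/zimbra-soap) and stays silent on the browser and Dropbox-client traffic. The process baseline is the part that does the real work: a Twitter or Dropbox destination by itself is noise on most networks, while a non-browser process touching the DM or files API is worth a look. For the Zimbra case the same logic catches any process other than a mail client or browser posting to /service/soap, whichever server it is pointed at.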

Conclusion

Having likely evolved from the Elise malware, Evora has gone through at least five rounds of major change since early 2012. Between these five versions there are many minor changes not covered here, such as a more modular design and the introduction of string obfuscation. But apart from version 2's new loader, the major change is always to the C2 protocol.

It is also interesting that these versions seem to have been released two years apart, except for the latest, Version 4 and Version 5, which were released one year apart. Does this mean there will be a new version this year?
