
Shell Crew Variants Continue to Fly Under Big AV’s Radar

By The Cylance SPEAR Team


Cylance SPEAR™ has identified a newer family of samples deployed by Shell Crew that has flown under AV’s radar for more than a year and a half. Simple programmatic techniques continue to be effective in evading signature-based detection. 

Shell Crew, first named by RSA in this paper, has been highly effective over time and has breached numerous high-value targets. In several observed intrusions this backdoor gave the group an alternative foothold, and it employs a few tricks, such as using Intel SSE instructions to defeat AV emulators and obscure analysis.

Most of the variants Cylance identified were 64-bit; however, a couple of earlier 32-bit variants were created in May 2015.

Malware Family

Cylance dubbed this family of malware StreamEx, after an exported function named ‘stream’ that is common to all samples, combined with the dropper’s habit of appending ‘ex’ to the DLL file name.

The StreamEx family can access and modify the user’s file system, modify the registry, create system services, enumerate process and system information, enumerate network resources and drive types, scan for security tools such as firewall and antivirus products, change browser security settings, and remotely execute commands. The malware documented in this post is predominantly 64-bit; however, 32-bit versions exist in the wild.

A few of the samples were picked up by AV heuristics within the last few months, but newer samples are still coming back with zero detection rates.

Persistence and Initial Execution Setup

The droppers for the backdoor use a semi-random name chosen from the existing service entries under the ‘netsvcs’ registry key on the machine. Once a suitable service name is identified, the dropper appends ‘ex.dll’ to the file path associated with the service DLL. The registry key, which contains available services that belong to the netsvcs group, is defined at:

‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs’

Pseudo code to create the service:

Figure 1: Pseudo Code Used to Create the Service

This DLL, with ‘ex’ appended to the file name, ends up in the system directory. The dropper first extracts the backdoor from its resource section into the temporary path (obtained with the ‘GetTempPathA’ API call), then moves it to its final location under the system directory and registers it in the registry to auto-start as the newly created service.

“The GetTempPath function checks for the existence of environment variables in the following order and uses the first path found:

1. The path specified by the TMP environment variable.
2. The path specified by the TEMP environment variable.
3. The path specified by the USERPROFILE environment variable.
4. The Windows directory.”

Ref: https://msdn.microsoft.com/en-us/library/windows/desktop/aa364992%28v=vs.85%29.aspx

The dropper will find and locate the backdoor as either ‘IDR_PEACH_DLL’ or ‘PEACH_DLL’ within the resource section of the dropper.

Dropper – Find resource pseudo code: 


Figure 2: Save RSC to Temp Path

The malware relies upon execution as a ServiceDLL to persist on a victim system and thus uses the ServiceMain export by default. During execution of ServiceMain, a new DLL is copied into the system directory under a randomized name: the ASCII characters ‘bt’ followed by six numeric digits and the extension ‘.dll’. The copy may carry a falsified ‘File Modified’ date, so do not rely on that timestamp when scoping the intrusion.

Next, rundll32 will be used to call the exported function ‘stream’ from the newly copied ‘bt’ DLL. The name of the associated service will be added after ‘stream’ in the command line argument that calls the DLL. This control flow starts the primary operation of the DLL.

String Obfuscation Techniques

Some strings used by the ‘bt’ DLL are obfuscated by a simple technique: fragments of each string are stored as static data and concatenated in the correct order at runtime, just before the part of execution that needs them. The technique is common and unsophisticated, but it can hinder rudimentary analysis because the complete string never appears contiguously in the binary, so a plain string dump will not show it.

An example of this is shown where the code is setting up the command line syntax to start rundll32 with the ‘bt’ file name utilizing the stream export:


Figure 3: Code Snippet Showing String Obfuscation

Ultimately, the code produces this string (or one very similar to it) for use by the malware:

C:\Windows\system32\rundll32.exe “C:\Windows\system32\bt123456.dll”,stream ServiceName
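The persistence chain above leaves three host artifacts that can be hunted: a netsvcs ServiceDll path with ‘ex’ spliced in before ‘.dll’, a ‘bt’ plus six digits DLL in the system directory, and a rundll32 command line that calls the ‘stream’ export. The following Python is an added example, not Cylance’s code. The service-to-DLL map, the file list and the process command lines are constructed stand-ins for data an EDR or a registry/process dump would supply, and the ‘existing DLL name plus ex’ pairing is a heuristic chosen here to cut false positives, not something the original post describes.

```python
import re
from pathlib import PureWindowsPath

# Constructed stand-ins for host data (not real telemetry). A real hunt would read
# the netsvcs list under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost,
# each service's Parameters\ServiceDll value, a listing of the system directory,
# and process command lines from an EDR or WMI.
SERVICE_DLLS = {
    "iphlpsvc": r"C:\Windows\System32\iphlpsvc.dll",
    "schedule": r"C:\Windows\System32\schedsvc.dll",
    "wuauserv": r"C:\Windows\System32\wuaueng.dll",
    "IPHelper": r"C:\Windows\System32\iphlpsvcex.dll",  # planted: 'ex' spliced into an existing DLL name
}
SYSTEM32_FILES = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\bt123456.dll",                 # planted: 'bt' + six digits
    r"C:\Windows\System32\btlaunch.dll",                 # benign-looking name that must not match
]
PROCESS_CMDLINES = [
    r"C:\Windows\system32\svchost.exe -k netsvcs",
    r'C:\Windows\system32\rundll32.exe "C:\Windows\system32\bt123456.dll",stream IPHelper',
    r"C:\Windows\system32\rundll32.exe shell32.dll,Control_RunDLL",
]

BT_DLL_RE = re.compile(r"^bt\d{6}\.dll$", re.IGNORECASE)
# rundll32 <optional quote><path>.dll<optional quote>,stream ...
STREAM_LAUNCH_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*stream\b', re.IGNORECASE)


def dll_basename(path):
    """Lower-cased file name of a Windows path, so comparisons are case-insensitive."""
    return PureWindowsPath(path).name.lower()


def find_appended_ex_dlls(service_dlls):
    """Service entries whose DLL name is another service DLL's name with 'ex'
    inserted before '.dll'. Matching on '...ex.dll' alone is too noisy, so the
    check requires the un-suffixed name to be present as well (heuristic)."""
    known = {dll_basename(p) for p in service_dlls.values()}
    hits = []
    for svc, path in service_dlls.items():
        base = dll_basename(path)
        if base.endswith("ex.dll") and base[:-len("ex.dll")] + ".dll" in known:
            hits.append((svc, path))
    return hits


def find_bt_dlls(paths):
    """Files in the system directory named bt + six digits + .dll."""
    return [p for p in paths if BT_DLL_RE.match(dll_basename(p))]


def find_stream_launches(cmdlines):
    """rundll32 command lines that call the 'stream' export; returns (cmdline, dll)."""
    hits = []
    for line in cmdlines:
        m = STREAM_LAUNCH_RE.search(line)
        if m:
            hits.append((line, m.group("dll")))
    return hits


def triage(service_dlls, system_files, cmdlines):
    """Run all three checks and return the findings keyed by artifact type."""
    return {
        "servicedll_ex": find_appended_ex_dlls(service_dlls),
        "bt_dll": find_bt_dlls(system_files),
        "stream_launch": find_stream_launches(cmdlines),
    }


if __name__ == "__main__":
    for kind, found in triage(SERVICE_DLLS, SYSTEM32_FILES, PROCESS_CMDLINES).items():
        print(kind, found)
```

A hit in any one of the three checks is worth a look, but the rundll32 line is the strongest signal: legitimate rundll32 launches name an export, and ‘stream’ followed by a service name is specific to this family.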

Malware Configuration and Operation

The malware encodes its configuration data with a single-byte XOR against 0x91. The block is 0x3D8 (984) bytes long and immediately follows the marker string ‘&^%$#’. Once the configuration has been decoded in the normal execution flow, the malware attempts to contact its command and control (C&C) server(s) with an HTTP GET request. The following Python snippet finds and decodes the configuration block from StreamEx samples:

def ex_decode(buf):
    """Locate and XOR-decode the StreamEx configuration block.

    buf is the raw sample as bytes. The 0x3D8-byte block follows the
    marker '&^%$#' and is encoded with the single-byte key 0x91.
    Returns the decoded block as bytes, or None if the marker is absent.
    """
    offset = buf.find(b"&^%$#")
    if offset == -1:
        return None
    configblock = buf[offset + 5:offset + 5 + 0x3D8]
    return bytes(b ^ 0x91 for b in configblock)

Figure 4: Python Code Snippet to Find and Decode StreamEx Configuration Block
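To show the decode end to end, and how the Yara rule’s $f pattern relates to it, here is an added example that is not Cylance’s code. It builds a constructed, StreamEx-style buffer in memory (filler bytes, the ‘&^%$#’ marker, then a 0x3D8-byte block XOR-encoded with 0x91), decodes it, and pulls the printable strings out. The only thing about the block layout taken from the page is that it starts with four NUL bytes, which is what $f in the rule below implies (the marker followed by four 0x91 bytes); every other field, including the domain, is made up for the example.

```python
import re

MARKER = b"&^%$#"       # 26 5E 25 24 23: the bytes that precede the config block
KEY = 0x91              # single-byte XOR key
CONFIG_LEN = 0x3D8      # 984-byte configuration block
YARA_F = bytes.fromhex("26 5E 25 24 23 91 91 91 91")   # the rule's $f pattern


def xor_bytes(data, key=KEY):
    """XOR every byte with the key; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def build_sample(fields):
    """Constructed stand-in for a sample: filler, marker, encoded config, trailer.
    The block starts with four NUL bytes (what $f implies) followed by
    NUL-separated strings; the rest of the layout is invented for this example."""
    plain = b"\x00" * 4 + b"\x00".join(fields)
    plain = plain.ljust(CONFIG_LEN, b"\x00")[:CONFIG_LEN]
    return b"\x90" * 64 + MARKER + xor_bytes(plain) + b"\xCC" * 16


def find_config(buf):
    """Offset of the encoded block (just past the marker), or -1 if absent."""
    off = buf.find(MARKER)
    return -1 if off == -1 else off + len(MARKER)


def decode_config(buf):
    """Decoded configuration block, or None if the marker is missing or the
    buffer is truncated before the end of the block."""
    off = find_config(buf)
    if off == -1 or len(buf) < off + CONFIG_LEN:
        return None
    return xor_bytes(buf[off:off + CONFIG_LEN])


def config_strings(decoded, min_len=4):
    """Printable ASCII runs of at least min_len characters in the decoded block."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [s.decode("ascii") for s in re.findall(pattern, decoded)]


def yara_f_hits(buf):
    """Offsets where the rule's $f pattern occurs: the marker followed by four
    0x91 bytes, i.e. four NULs at the start of the block after encoding."""
    return [m.start() for m in re.finditer(re.escape(YARA_F), buf)]


if __name__ == "__main__":
    sample = build_sample([b"www.example.test", b"/index.asp", b"8080"])  # constructed values
    print("config at", find_config(sample))
    print(config_strings(decode_config(sample)))
    print("$f hits at", yara_f_hits(sample))
```

Because XOR with a fixed key maps NUL to the key byte, any run of zeros in the plaintext shows up as a run of 0x91 in the sample; that is why a padded configuration block is easy to spot by eye in a hex dump and why the key can be recovered from the padding alone.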

Interestingly, some samples use a log file to record the malware’s network operations. After the connection to the C&C server is established, the malware can send and receive data and accept attacker input, giving the operators full use of the backdoor’s functionality. The log file is written to “%TEMP%\TT_2015.log”, and each entry uses the following format (this is where the misspelled string ‘start send requset’ appears on disk):

[processID threadID] [year-month-day hour:minute:second] start send requset

The log data can be seen in the screenshot of the log file below:


Figure 5: Log Data

Pseudo code for the log file data:

Figure 6: Pseudo Code for the Log File Data

Another simple spelling mistake is present in all of the identified droppers: ‘error. OpenSCManager faild’. Once the malware connects to one of the statically programmed domains, the attackers can instruct it to perform various system operations to extend their control over the victim’s environment.

Distribution and Associated Malware

Cylance identified several legitimate compromised Korean websites that were used to distribute StreamEx samples over the course of 2016. One of the most recent samples SPEAR found was served from the website ‘www(dot)aceactor.co(dot)kr’ and contained a configuration block dated October 16, 2016. A number of unique PlugX samples as well as another custom RAT were also served from the same website; they commonly used simple easy-to-remember names such as ‘a.exe’ or ‘32.exe’.

At the end of 2016, the group also took care to use private registration when reregistering domains that were originally purchased from a bulk reseller.


If you use our endpoint protection product CylancePROTECT®, you were already protected from this attack. If you don't have CylancePROTECT, contact us to learn how our AI-driven solution can predict and prevent unknown and emerging threats.


Figure 7: CylancePROTECT Console, Showing the Detection of Shell Crew Samples  

File Hashes (SHA256):

StreamEx 64-Bit Backdoors:

StreamEx 32-bit Backdoors:

StreamEx Droppers:

www (dot) aceactor (dot) co.kr - Compromised website


IP Addresses:

PDB Filepath:

Yara Rule:

rule StreamEx
{
    strings:
        $a = "0r+8DQY97XGB5iZ4Vf3KsEt61HLoTOuIqJPp2AlncRCgSxUWyebhMdmzvFjNwka="
        $b = {34 ?? 88 04 11 48 63 C3 48 FF C1 48 3D D8 03 00 00}
        $bb = {81 86 ?? ?? 00 10 34 ?? 88 86 ?? ?? 00 10 46 81 FE D8 03 00 00}
        $c = "greendll"
        $d = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36" wide
        $f = {26 5E 25 24 23 91 91 91 91}
        $g = "D:\\pdb\\ht_d6.pdb"

    condition:
        $a or $b or $bb or ($c and $d) or $f or $g
}

In the rule, $b and $bb are the 64-bit and 32-bit forms of the configuration decode loop (an ‘xor al, imm8’ with the key byte wildcarded, followed by a compare against 0x3D8, the length of the configuration block), and $f is the ‘&^%$#’ marker followed by four 0x91 bytes, i.e. four NUL bytes of configuration encoded with the key.

Tags: Cylance SPEAR, Shell Crew, StreamEx