Exploring Bergard: Old Malware with New Tricks

January 28, 2016
Darien Huss

Updated 06/24/2016

The Bergard Trojan and the C0d0so group that made it famous with the November 2014 watering hole attack [1] via Forbes.com have received renewed attention recently, with other researchers [2] potentially linking emerging tools and recent attacks to the group. Proofpoint researchers conducted a historical analysis of samples related to this research and uncovered new malware variants and likely origins and methods of infection.

Many of these samples have not been discussed publicly and several have very little or no anti-virus coverage. The analysis that follows is of completed, historical attacks as well as an extremely recent and ongoing attack, providing insight into the volume and timeline of infections, as well as a timeline for attacker-initiated actions using a novel malware family.

Common link

In the malware used in the Forbes watering hole attack (the Bergard Trojan [3]), a simple single-byte XOR encoding technique (Fig. 1) was used to encode potentially suspicious strings, along with 5-byte padding prior to each string (Fig. 2).

Figure 1: String deobfuscation in sample: 3e92802ba89f3f2f66ce04311e0f3882

Figure 2: Deobfuscated strings in sample: 3e92802ba89f3f2f66ce04311e0f3882

Additionally, some of the variants contain a common PRNG algorithm that is used along with GetTickCount as a seed (Fig. 3) to pseudo-randomly generate lowercase letters (Fig. 4). By leveraging these two techniques utilized by Bergard, we were able to uncover new malware families and several adversary campaigns.

Figure 3: PRNG algorithm in sample: 3e92802ba89f3f2f66ce04311e0f3882

Figure 4: PRNG algorithm usage in sample: 3e92802ba89f3f2f66ce04311e0f3882

Related variants

There are several unique strings embedded in the first samples we analyzed which were also found in completely different malware families. In most of the samples we analyzed, they were found encoded using the same encoding mentioned in the previous section, however some older variants contained no XOR encoding but still used a 5-byte padding layout for interesting/suspicious strings. To further research possibly related samples as well as find completely new malware families, we developed a “shotgun yara” [4] approach that, when coupled with unique strings found commonly in related samples, allowed us to discover completely new malware families. In the next sub-sections we discuss several of the already known malware families and clusters we have found, as well as several previously unreported malware families that may exist in currently active attack campaigns.

PGV_PVID Variant

We refer to this family as the PGV_PVID variant based on the cookie variable utilized in the network beacons generated by these samples (Fig. 5). The samples that we were able to find with similar string encoding, PRNG algorithm, and similarly structured C2 beacon may be found in the IOCs section as well as a graph of the samples and their associated C2 in Figure 6.

Figure 5: PGV_PVID variant C2 beacon

Figure 6: Maltego graph of PGV_PVID variants

In numerous samples in at least the PGV_PVID family, the domain www.nsa[.]org[.]cn may be found encoded separate from the typical 5-byte padded obfuscated strings. For example, in sample 76259880a346ac1c3c8a9795af134f59 the following string is embedded in an encoded state using XOR key 0x90: [hxxp://www[.]nsa.org[.]cn/pwninfo[.]php]. This domain appears in an article citing a July 2, 2015 internal Department of Homeland Security report claiming that it was used in one of the breaches listed in the internal report [5]. We have been unable to confirm whether or not the domain appeared in the cited report, nor were we able to determine which breach the domain was related to, if any.

UID_SID Variant

Similar to the last variant, we refer to this one based on the Cookie variables that are used in the C2 beacons (Fig. 7,8). Unlike the last cluster however, this variant appears to have been used in an extensive DDNS cluster of infrastructure dating back to at least 2013. Tool usage in this cluster includes Gh0st, PlugX, Jolob, and Bergard (Fig. 9).

Figure 7: UID_SID variant GET C2 beacon

Figure 8: UID_SID variant POST C2 beacon

Figure 9: Maltego graph of UID_SID variant and related activity

In one instance related to this cluster of activity, we observed Bergard (md5: d778f8d822376ccd4d2e9dd7f2f0f947) receive instructions from its C2 to retrieve a PNG file (Fig. 10) containing an encoded PlugX payload (md5: 5c36e8d5beee7fbc0377db59071b9980). For an explanation of values received in the instructions from C2, refer to Table 1.

Figure 10: Bergard retrieving commands and encoded payload

Table 1: Description of Bergard C2 response




Location of encoded payload


Payload offset


Payload end


XOR key




Command. Supported commands: !info, !axel, !exec



While hunting for additional payloads that may be related to the previously mentioned Bergard samples, we came across what appears to be a malicious payload that utilizes the Tox protocol [6] to connect to a controller. In the two samples we found, they both contained identical string encoding to previous samples that we analyzed (Fig. 11). This payload is still being analyzed to determine its full capabilities, however it appears to at least be capable of receiving and executing additional payloads. We may provide an update at a later time once this payload is fully understood.

Figure 11: TXER string encoding and decoded strings

Bassos Campaign

During our research, we came across a recent campaign that is connected to a different currently active and ongoing campaign with potentially thousands of compromised victims. We are referring to this campaign as Bassos. We first discovered this threat after analyzing a compressed archive that was uploaded to VirusTotal (VT) on January 5th, 2016. Several items of importance were located in this archive, including VBS downloaders, a Java backdoor, and two Trojans containing identical string encoding with 5-byte padding: a custom Trojan  (aka, CustomTCP) that beacons to port 22 and a new Trojan we refer to as Rekaf (Table 2).

Table 2. Description of archive contents


MD5 Hash




VBS Downloader. Payload: likely CustomTCP



VBS Downloader. Payload: Rekaf



CustomTCP Trojan






Java Backdoor

Although we did not discover these samples in the wild, they potentially provide a glimpse into how the custom downloader and Rekaf are delivered to victims. Both VBS scripts operate very similarly, with one primary difference being that the mc.vbs script contains status reporting functionality to the following domain: www.jweblogic.com (Fig. 12) as well as checks if the “360rp” service is running (if found, it will not continue).

Figure 12: VBS Downloader reporting system information to status server

An additional, slightly different version of mc.vbs was also found (md5: 9f47f04aa9eb72f749cbf4bb7e40c446). Of the payload locations observed in the VBS scripts, we were able to retrieve payloads only from We were also able to retrieve mcs.exe (md5: 1501eed51578e795af7f2f5fb3078178) and McAltLib.dll (md5: 26e863f917da0b3f7a48304eb6d1b1d3) from, however we found no VBS script referencing that download location. The exact same or similar mcs.exe/McAltLib.dll combination was also likely hosted on [2] (Fig. 13).

Figure 13: Locations hosting 1501eed51578e795af7f2f5fb3078178 reported by VT

All three locations appear to be legitimately compromised websites in addition to hosting Jboss Application Server (JAS). It is our hypothesis that these legitimate compromised sites were all compromised sometime after early November using CVE-2015-7501 [7,8] and publicly available exploit code [9]. Several items support this hypothesis:

  • Many samples have compile times between November and now
  • Many samples first appeared in our sample exchange and on VT between November and now
  • CVE-2015-7501 received significant media attention in early November
  • The java backdoor contained in the archive found on VT appeared in public exploit code for CVE-2015-7501 [10]
  • The archive found on VT contains JAS logs of what appears to be a vulnerable version of JAS
  • Jboss themed C2 infrastructure

Without having analyzed the compromised servers, nor observing the first stage in any of the campaigns, it is impossible to know for certain if that is the vector of compromise for these legitimate websites. A broad overview of this campaign is provided in Maltego graph form in Figure 14.

Figure 14: Maltego graph of Bassos campaign


Like the custom downloader/McAltLib.dll payload, Rekaf/dbgeng.dll utilizes a signed, legitimate executable (iefix.exe) and DLL Search Order Hijacking [11] for execution. Upon successful execution, Rekaf first collects various system information in the format found in Figure 15. As shown in the image, this is likely the first version of Rekaf according to the ver0.0.1 indicator that is hardcoded in the sample.

Figure 15: Rekaf collected information exfiltrated to C2

Prior to submitting the collected information to C2, the information is encoded with the first byte in the MAC address, which is appended after the keyid variable in the URI (Fig. 16).

Figure 16: Rekaf HTTP POST C2 Beacon

If the server responds with an encoded string “Login Server Success” then the Rekaf bot will continue to perform HTTP GET requests to the server until it receives a command. Supported commands are listed in Table 3. Rekaf also stores detailed debug information in the following file appended to the result of WinAPI GetTempPath: MSHelper.bin. We have observed the adversaries retrieve this log from an infected machine with a timezone of GMT+8 on at least one occasion using the download command.

Table 3: Rekaf supported commands and descriptions




Download file from C2


Upload file to C2


Perform issued command using cmd.exe


Retrieve an updated payload


Lastly, Rekaf contains several encoded PEs embedded inside itself which may be dropped and executed in certain situations. Their functionality is still being analyzed and will not be covered in this report.

Monitoring Rekaf C2:

Upon discovering Rekaf, we began passively monitoring the C2 to gain insight into their operation. During our monitoring, we were able to collect information related to botnet volume in addition to a timeline of certain actions the adversaries conducted. While monitoring the Rekaf C2 we observed over two thousand unique infections. Figure 17 shows a frequency graph of new and duplicate infections occurring by date. Two dates, 12/22/15 and 1/19/16, have enormous peaks that could have occurred for a number of reasons including:

  • 12/22/15 was the beginning of a new campaign that may have stretched through to 12/30/15
  • 1/19/16 (and possibly 12/22/15): the botnet was updated, re-initialized, or C2 data was wiped

There could be another explanation for the peaks, however due to our monitoring beginning in the middle of a campaign our picture of the C2 may not be complete.

Figure 17: Volume graph of Rekaf infections by date (GMT)

In addition to monitoring infection volume, we also compiled a list of various actions we observed the adversaries take including: executables placed onto C2, executed commands sent to bots, large infection spikes, and compiled timestamps for related executables (Fig. 18).

Figure 18: Adversary actions graph by time of day

This is useful from an attribution standpoint as it could potentially reveal a normal working day for the adversary group. Our analysis of the available data suggests that this adversary group is located geographically somewhere in or near a GMT+8 timezone assuming they maintain normal working hours from 9am-10am to 6pm-8pm. An additional result from our analysis is that no observed actions were ever performed on a weekend (GMT), providing further evidence that this is most likely an organized outfit that functions during a standard work week.

Unfortunately the method we used for data collection could have resulted in us analyzing doctored data, including modified PE compile timestamps. Based on observed activity by this adversary group however, at this time we do not believe that timestamps were modified in any of the data we analyzed.


While monitoring the Rekaf C2 we observed the adversaries prepare what appears to be a new implant for delivery to already infected bots. We have named this backdoor VirdetDoor as it utilizes a signed WinDivert driver [12] for part of its operation. This executable may take two different command line arguments, -v which enables verbose logging to a file named msocache7.log, and –l [port] which changes the default listener port from 6666 to the specified port. The payload first listens for the string “Aabac” to initiate a connection. This payload is still being analyzed to determine its full capabilities and to confirm that it is in fact malicious in nature. We may provide an update at a later time once this payload is fully understood.


The CustomTCP Trojan was covered in a recent article and tentatively attributed to C0d0s0, while also explaining the same similarities we discussed earlier to the November 2014 Forbes watering hole attack (aka, Port 22 Variant) [2]. The adversaries controlling the C2 appear to be utilizing this malware extensively, as we observed them prepare four different CustomTCP payloads for delivery to already infected bots. This is in addition to other payloads we discovered while conducting our hunting research.



Recently the Bassos campaign has already been attributed to ‘C0d0s0’ (aka, Codoso) [2]. Based on the mail-news.eicp.org cluster of activity, that campaign appeared to have slightly different tactics, techniques, and procedures (TTPs), including potentially target-themed domain infrastructure as well as heavily relying on dynamic DNS for C2 domains. Due to the varying TTPs in infrastructure, we think it is possible that the Bergard and the related toolset could now be shared by multiple adversary groups. If that is the case, observing Bergard usage and related families do not provide clear indication that the C0d0s0 group is involved. Attribution becomes increasingly difficult as adversaries evolve and adapt so we have provided the data available to us to better assist organizations in formulating their own attribution.



The historical analysis conducted by Proofpoint researchers on recently completed campaigns revealed actions by what appear to be well-organized actors consistent with advanced persistent threats. Additionally, the in-depth analysis above on a currently ongoing campaign, Bassos, being conducted by possibly the same actor (‘C0d0s0’, ‘Codoso’) as the Forbes watering hole attack in 2014, provides insight into the adversary's activities and infection volume related to the Bassos campaign. Additionally, the email-news campaign, PGV_PVID campaign, and UID_SID variants may also be linked to C0d0s0 as well. However, the differences in TTP could indicate that the Bergard toolset is now available to multiple adversary groups. Regardless of the exact attribution for the attack, organizations, researchers, and vendors should take note of the growing potential footprint of the Bergard toolset.


Indicators of Compromise (IOC’s)





PGV_PVID Samples














PGV_PVID Domains











Mail-news campaign

Bergard samples




UID_SID samples




Gh0st samples






Jolob samples




PlugX samples







Confirmed Mail-news Domains








Bassos Campaign

VBS Downloader





CustomTCP samples











CustomTCP Domains





Rekaf samples





Rekaf Domains





Bergard samples





Bergard Domains/IP



Java Backdoor








Additional CustomTCP Payloads








Unclustered Bergard










  1. http://www.isightpartners.com/2015/02/codoso/
  2. https://github.com/darienhuss/shotgunyara/blob/master/shotgunyara.py
  3. http://freebeacon.com/national-security/opm-hack-part-of-large-scale-cyber-attack-on-personal-data/
  4. https://en.wikipedia.org/wiki/Tox_%28protocol%29
  5. http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/
  6. http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
  7. https://access.redhat.com/solutions/2045023
  8. https://github.com/Xyntax/JBoss-exp/
  9. https://github.com/Xyntax/JBoss-exp/blob/master/iswin.jar
  10. https://www.fireeye.com/blog/threat-research/2010/08/dll-search-order-hijacking-revisited.html
  11. https://reqrypt.org/windivert.html