Here we analyze four targeted attack tools with Taiwan and Vietnam in their sights - but somehow linked together - and the reason why they shouldn't be called advanced.

Social engineering vector (no exploit code) with very credible documents
Bad criminals: typos in configuration, naive cryptographic implementation, weak code practices
Sophistication variability: from no obfuscation to hidden position independent code, XOR encryption, XTEA encryption, stand-alone re-usable components
Tailored infections: one threat doesn't persist, the other doesn't do anything before a reboot
Did you say Advanced Persistent Threats?
As we noticed from our telemetry data, the malicious software reaches its target through spear-phishing campaigns. The first dropper we analyzed came from the webmail interface of a Vietnamese governmental institution. Using targeted emails allows more chance of succeeding in the attack by using a more personalized and convincing message. It also narrows the distribution of the malicious files, giving them a longer shelf life since there is less chance of their being found and analyzed by Anti-Virus (AV) companies.

With knowledge of the characteristics of the first dropper, we were able to find a related piece of malware in our collection. As mentioned previously, they were carrying different threats but also had different filenames:

Threat | File name | Translation
Win32/TrojanProxy.Agent.NJK | Bao cao ket qua.doc[137 spaces].exe | Vietnamese for "report the results"
Terminator RAT (Win32/Protux.NAR) | [Chinese characters].exe | Chinese for "inspection report"

The presence of all those spaces is used to push the ".exe" off the screen and out of sight of the victim. To further convince the user that the file is a normal Word document, the executable displays the icon of a Word document.

Upon execution these droppers will decrypt their configuration parameters using a simple one-byte key XOR-based cipher best described with some python code below. This configuration is stored in the last 32 bytes of the last portable executable (PE) segment of the executable. Inside this configuration is a checksum, some offsets and lengths of internal resources along with other seemingly unused fields, as you will see in the struct pictured below.

    def xor_decrypt(ciphertext, key):
        # ciphertext is a mutable bytearray and is decrypted in place;
        # bytes equal to 0x00 or 0xff are skipped, and a result of
        # 0x00 or 0xff is discarded
        for i in range(len(ciphertext)):
            c = ciphertext[i]
            if c:
                if c != 0xff:
                    c ^= key
                    if (c and c != 0xff):
                        ciphertext[i] = c
        return ciphertext

    /* 32 bytes in total; the unused fields are numbered here only so the
       declaration compiles */
    struct hidden_segment_data
    {
        int checksum;
        char delimiter;
        char unused1[3];
        int pe_file_offset;
        int pe_file_size;
        char unused2[4];
        int doc_file_offset;
        int doc_file_size;
        char xorkey;
        char unused3[2];
        char last;
    };

A hard-coded integer in the code is compared with the checksum in order to validate that configuration decryption worked. This checksum is
the same in both cases. The offset and length pairs are used to extract files from inside itself into the filesystem.

The dropper first drops the main malicious binary and then a Word document into the user's temporary folder. Both files are decrypted using the same simple XOR technique except that the malicious binary is prefixed with 5 bytes that are hard-coded in the dropper (MZ header), and then XOR'ed with another hardcoded one-byte key. We believe this is done to avoid being detected by some AV.

Nature of the file | Filename
Malicious payload | %TEMP%\~hCb58.tmp
Word document | %TEMP%\~hC29f.doc
Copy of itself | %TEMP%\~hCb37.tmp
Table 1: Dropped files

First, after the extraction, the malicious binary will be executed by the dropper. The behavior of the analyzed binaries will be covered later. The dropper will then copy itself using a handle retrieved with GetModuleHandle. It will execute this fresh copy with some command line arguments in order to clean up after itself: namely, the current full path and filename of the dropper and the full path and filename of the dropped Word document. Finally, it will exit.

This same copy of the dropper, once executed with command-line arguments, has a different operation. It will first sleep for one second, leaving enough time for the original dropper execution to terminate. Then it will remove this original file and copy the decoy document (~hC29f.doc) in its place, keeping the proper .doc extension. Finally, a ShellExecuteW with the open operation is run on the newly copied document in order to open the proper editor registered for this file type.
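As an added example (not code from the paper, nor from the dropper itself), the following Python reads the 32-byte hidden_segment_data configuration from the tail of a constructed dropper image using the XOR routine described above, validates the checksum the way the dropper does, and carves out the embedded payload and decoy document. The checksum constant (0x1234ABCD), the three one-byte keys and the 5-byte prefix "MZ\x90\x00\x03" are placeholders, and the assumption that the decoy is decrypted with the config's xorkey field while the payload body uses the dropper's second hard-coded key is ours. One property worth knowing when hunting for this configuration: the XOR routine is an involution with four fixed points (0x00, 0xff, the key and its complement), so the struct's zero padding survives encryption unchanged and the encrypted tail keeps the same shape as the plaintext struct.

```python
import struct

# Transcription of the dropper's XOR routine: 0x00 and 0xff bytes are skipped,
# and a result of 0x00 or 0xff is discarded. The same function encrypts and decrypts.
def xor_decrypt(data, key):
    buf = bytearray(data)
    for i in range(len(buf)):
        c = buf[i]
        if c and c != 0xff:
            c ^= key
            if c and c != 0xff:
                buf[i] = c
    return bytes(buf)

# struct hidden_segment_data, little-endian, 32 bytes:
# int checksum; char delimiter; char unused[3]; int pe_file_offset; int pe_file_size;
# char unused[4]; int doc_file_offset; int doc_file_size; char xorkey; char unused[2]; char last;
CONFIG_FMT = "<Ic3xII4xIIc2xc"
CONFIG_SIZE = struct.calcsize(CONFIG_FMT)   # == 32

# Placeholders: the real values are hard-coded in each dropper.
EXPECTED_CHECKSUM = 0x1234ABCD   # compared against the decrypted checksum field
CONFIG_KEY = 0x5A                # one-byte key for the configuration block
PAYLOAD_KEY = 0x33               # second hard-coded key, assumed to cover the PE body
MZ_PREFIX = b"MZ\x90\x00\x03"    # assumed 5 bytes the dropper prepends to the PE body
DOC_KEY = 0x77                   # placeholder stored in the config's xorkey field

# Constructed sample contents (not taken from any real sample).
INNER_PE = b"\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"<constructed payload body>"
DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"<constructed decoy document>"


def build_sample_dropper():
    """Assemble stub code + encrypted PE body + encrypted decoy + encrypted config."""
    stub = b"STUB" * 16                      # 64 bytes standing in for the dropper's code
    pe_off = len(stub)
    doc_off = pe_off + len(INNER_PE)
    cfg = struct.pack(CONFIG_FMT, EXPECTED_CHECKSUM, b"|", pe_off, len(INNER_PE),
                      doc_off, len(DOC), bytes([DOC_KEY]), b"\x01")
    return (stub + xor_decrypt(INNER_PE, PAYLOAD_KEY) + xor_decrypt(DOC, DOC_KEY)
            + xor_decrypt(cfg, CONFIG_KEY))


def parse_config(dropper, key=CONFIG_KEY, expected=EXPECTED_CHECKSUM):
    """Decrypt the trailing 32 bytes and validate the checksum like the dropper does."""
    raw = xor_decrypt(dropper[-CONFIG_SIZE:], key)
    (checksum, delim, pe_off, pe_size,
     doc_off, doc_size, xorkey, last) = struct.unpack(CONFIG_FMT, raw)
    if checksum != expected:
        raise ValueError("configuration checksum mismatch: 0x%08x" % checksum)
    return {"delimiter": delim, "pe_offset": pe_off, "pe_size": pe_size,
            "doc_offset": doc_off, "doc_size": doc_size,
            "xorkey": xorkey[0], "last": last}


def extract_files(dropper, cfg):
    """Carve the payload and the decoy: decrypt each region, restore the PE prefix."""
    body = dropper[cfg["pe_offset"]:cfg["pe_offset"] + cfg["pe_size"]]
    doc = dropper[cfg["doc_offset"]:cfg["doc_offset"] + cfg["doc_size"]]
    return MZ_PREFIX + xor_decrypt(body, PAYLOAD_KEY), xor_decrypt(doc, cfg["xorkey"])


if __name__ == "__main__":
    sample = build_sample_dropper()
    cfg = parse_config(sample)
    payload, decoy = extract_files(sample, cfg)
    print(cfg)
    print(payload[:8], decoy[:8])
```

Running the script against the constructed image prints the parsed struct and the first bytes of both carved files; on a real sample you would replace the placeholders with the constants recovered from the dropper's code and hand it the file contents.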
The C&C commands are sent unencrypted and are always 796 bytes long. The first integer in the command data is the command ID. The supported commands are:

are usually part of the client HTTP request and not server responses.
Very simple, nothing fancy, and the code doesn't reveal much about the attackers' intentions. Unfortunately, all that is left to the trojan operator so we can't draw any conclusions about the operation with only the malware sample to work from. Rather than being simply naive, this is rather stealthy. But then again, some funky strings are also present in the binary like "I want to go to the GREAT WALL, inner Mongolia very much" and some unused proxy credentials (somnuek.bu / 044253516). These proxy credentials are not referred to anywhere in the code which leads us to think that this is a feature supported by the malware that was compiled out when this threat was assembled for this campaign.

The hardcoded campaign string (CPT-NMC) sent by the client further confirms the targeted nature of the attack. CPT stands for Central Post and Telecommunications Department, a department of the Vietnamese government. We can also notice that the top-level domain used for C&C (vnptnet.info) is strikingly similar to Vietnam's vnpt.vn, which is Vietnam Posts and Telecommunications Group, and was probably chosen as a means of camouflage within Intrusion Detection System (IDS) logs. Finally, the decoy document writes about telecoms and testing and carries some network diagrams, which all seems very credible to a potential victim. It looks like this campaign was aimed at Vietnam's CPT and we know Vietnam's officials have been under targeted attack this year.

are the highlights of the interaction that we have observed on the system.

1. client <- command id/name: 3008/Get Drives Infos
   client ->
     label: C:
     type: 3 (DEVICE_FIXED)
     free: 7828
     total: 10228
     label: D:
     type: 5 (DEVICE_CDROM)
     free: 0
     total: 589
2. client <- command id/name: 1000/ExecuteCommandLine executed: netsta -ano
   client -> 'netsta' is not recognized as an internal or external command, operable program or batch file.
3. client <- command id/name: 1000/ExecuteCommandLine executed: netstat -ano

We're up all night to get lucky
This is another behavior that reveals a little bit more information about the way they operate. Once the victim computer is flagged as not of interest to the operators, it is actively blocked from the C&C at the TCP layer rather than at the application layer (HTTP).

The non-persistence characteristic of the attack strengthens the hypothesis that it is targeted since the attackers will leave little trace and little network activity if they don't install an additional component through the trojan. A typical attack scenario with this tool would then be: figure out potential victims in an organization; send spear-phishing emails; wait; get connections from the trojan; and quickly and interactively investigate the computers for the sensitive data you are looking for. If the data isn't there, pull the plug, and if it is there, install an additional component through the commands for file download (3004) and file execution (3011).

Without full incident investigation forensics, which we are not in a position to perform, being an AV vendor rather than an incident response team, there is little we can do to help victims of this threat know what happened on their systems except to document how it works and hope that this information will be useful.

Terminator RAT (aka FAKEM RAT)

When we started analyzing this threat, our product detected it as Win32/Protux.NAR. When we reverse engineered the cryptographic protocol of the network communication with the C&C we found out that the threat was documented by malware.lu and Trend Micro as Terminator RAT or FAKEM RAT, but that our sample diverged a lot from the one they analyzed, and carried an additional binary. Last month, FireEye released an analysis of a sample very similar to this one but the hashes are still different. In this article, we will focus on giving additional details of the threat and we encourage you to refer to these past articles for further background information.

We first found out that what we called Win32/Protux.NAR was in fact the Terminator RAT when we looked at the network encryption and stumbled on malware.lu's report titled APT1: technical backstage. Although their reference to the APT1 group is challenged by the community, we definitely have here a private Trojan that has been re-used on several campaigns by the same group. Compared with the Agent.NJK trojan, here the sophistication level is cranked up one notch. First, the configuration and strings are encrypted using a slightly modified implementation of XTEA. XTEA uses a 128 bit key and works on 64 bit blocks.
With proper use of block chaining figure 14 wouldn't have carried any discernible pattern. Here's the configuration of our sample before decryption:

Figure 16: Configuration and strings before decryption

(1) is the XTEA key, (2) shows two ports (9000, 9090) and some other unencrypted material we couldn't figure out, (3) shows more unencrypted strings related to the way the malware operates but with null bytes injected in them (the strings are re-assembled before being used in the code).

After decryption, (1) is the folder where the malware is installed (in %APPDATA%), (2) marks the filenames given to the copied and extracted files, (3) shows the C&C's domain name, (4) is the name of the PE image resource directory entry where further payloads are hidden (an executable file and position independent code) and (5) shows the registry keys modified for persistence.
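To make the point about block chaining concrete, here is an added example (ours, not the sample's own code, whose slightly modified XTEA we do not reproduce): a textbook XTEA in Python with 32 rounds and a 128-bit key, little-endian word layout being our assumption, applied first block by block with no chaining, as the configuration in figure 14 appears to be, and then in CBC mode. A run of null padding like the one in the configuration above yields identical ciphertext blocks without chaining, which is exactly the pattern visible in the figure; with chaining the repetition disappears. The key, IV and configuration-like buffer below are constructed placeholders.

```python
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def xtea_encrypt_block(block, key, rounds=32):
    """Standard XTEA on one 8-byte block with a 16-byte key (little-endian words: assumption)."""
    v0, v1 = struct.unpack("<2I", block)
    k = struct.unpack("<4I", key)
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return struct.pack("<2I", v0, v1)


def xtea_decrypt_block(block, key, rounds=32):
    """Inverse of xtea_encrypt_block: same schedule, walked backwards."""
    v0, v1 = struct.unpack("<2I", block)
    k = struct.unpack("<4I", key)
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return struct.pack("<2I", v0, v1)


def _blocks(data):
    if len(data) % 8:
        raise ValueError("data must be a multiple of 8 bytes")
    return [data[i:i + 8] for i in range(0, len(data), 8)]


def encrypt_unchained(data, key):
    """Each block encrypted independently (ECB): equal plaintext blocks give equal ciphertext."""
    return b"".join(xtea_encrypt_block(b, key) for b in _blocks(data))


def encrypt_cbc(data, key, iv):
    """Cipher block chaining: XOR each block with the previous ciphertext block before encrypting."""
    prev, out = iv, []
    for b in _blocks(data):
        prev = xtea_encrypt_block(bytes(x ^ y for x, y in zip(b, prev)), key)
        out.append(prev)
    return b"".join(out)


def decrypt_cbc(data, key, iv):
    prev, out = iv, []
    for b in _blocks(data):
        out.append(bytes(x ^ y for x, y in zip(xtea_decrypt_block(b, key), prev)))
        prev = b
    return b"".join(out)


def repeated_blocks(ciphertext):
    """Number of 8-byte ciphertext blocks that occur more than once: the visible pattern."""
    blocks = _blocks(ciphertext)
    return sum(1 for b in blocks if blocks.count(b) > 1)


# Constructed key and IV (placeholders, not the sample's).
KEY = bytes(range(16))
IV = b"\x11" * 8
# A configuration-like buffer: a short string followed by a run of null padding (56 bytes).
CONFIG = b"cfg\x00\x00\x00\x00\x00" + b"\x00" * 56

if __name__ == "__main__":
    print("unchained repeated blocks:", repeated_blocks(encrypt_unchained(CONFIG, KEY)))
    print("cbc repeated blocks:      ", repeated_blocks(encrypt_cbc(CONFIG, KEY, IV)))
```

The unchained run reports seven repeated blocks (the seven all-zero blocks), the chained run none, which is why the null-padded regions of figure 14 stand out even though the cipher itself is sound.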
Always moving

As you saw this threat relies heavily on the MOVEFILE_DELAY_UNTIL_REBOOT flag of the MoveFile() function. This serves as a simple way to relocate the malware executable even if the file is currently executing. It may also prevent triggering heuristics and sandbox technologies. That said, those delayed moves don't stop there. On each subsequent execution of the binary a little evasion maneuver is performed. First, it will copy itself into a temporary location (GetTempPath() + "~7ti2"). Then, a random number of random bytes are appended to the end of the file. Lastly, a move with the MOVEFILE_DELAY_UNTIL_REBOOT and MOVEFILE_REPLACE_EXISTING flags will be performed to replace the currently running binary on reboot. This implies that the hash will change on every reboot without affecting proper operation.

and strings and thread creation as on its first run, but then the thread takes a separate branch based on the fact that it is run from a folder which contains the "App" string. In that branch it will first sleep for 5 minutes and then will perform the copy/move operation described earlier, and then reach its main payload.
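A delayed move is not carried out by the MoveFile call itself: Windows records it in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager and applies it during the next boot. That list is therefore a natural place to look for the behaviour described above. The Python below is an added example (ours, not the paper's) that decodes such a value offline and flags pending moves that would replace an executable with a file staged under a temp path named like the "~7ti2" copy. The registry bytes are constructed for the example; the encoding assumed is the commonly documented one (NUL-separated source/destination pairs, "\??\" prefixes, a leading "!" on the destination when MOVEFILE_REPLACE_EXISTING was used, an empty destination for a delete), and the destination filename is a placeholder.

```python
import re

PENDING_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"


def _strip_nt_prefix(path):
    return path[4:] if path.startswith("\\??\\") else path


def parse_pending_renames(multi_sz):
    """Decode a REG_MULTI_SZ value into (source, destination, replace_existing) tuples.
    An empty destination means the source file is deleted at boot."""
    text = multi_sz.decode("utf-16-le")
    if text.endswith("\x00\x00"):
        text = text[:-2]             # drop the last string's NUL and the list terminator
    parts = text.split("\x00")
    if len(parts) % 2:
        raise ValueError("odd number of entries; value is truncated")
    ops = []
    for src, dst in zip(parts[0::2], parts[1::2]):
        replace = dst.startswith("!")
        if replace:
            dst = dst[1:]
        ops.append((_strip_nt_prefix(src), _strip_nt_prefix(dst), replace))
    return ops


# Staged copy name pattern from the analysis above: "~7ti" plus a digit, in a Temp folder.
STAGED_COPY = re.compile(r"\\Temp\\~7ti\d$", re.IGNORECASE)


def suspicious_renames(ops):
    """Flag delayed moves that replace an .exe with a file staged in a temp folder."""
    return [(src, dst) for src, dst, replace in ops
            if replace and dst.lower().endswith(".exe") and STAGED_COPY.search(src)]


def encode_multi_sz(entries):
    """Build a REG_MULTI_SZ value from (source, destination, replace) tuples (test input only)."""
    flat = []
    for src, dst, replace in entries:
        flat.append("\\??\\" + src)
        if not dst:
            flat.append("")
        else:
            flat.append(("!\\??\\" if replace else "\\??\\") + dst)
    return ("\x00".join(flat) + "\x00\x00").encode("utf-16-le")


# Constructed sample value: a benign installer cleanup plus a self-replacement like the one
# described above (the installed filename is a placeholder).
SAMPLE_VALUE = encode_multi_sz([
    (r"C:\Windows\Temp\setup_old.dll", "", False),
    (r"C:\Users\victim\AppData\Local\Temp\~7ti2",
     r"C:\Users\victim\AppData\Roaming\App\installed.exe", True),
])

if __name__ == "__main__":
    ops = parse_pending_renames(SAMPLE_VALUE)
    for op in ops:
        print(op)
    print("suspicious:", suspicious_renames(ops))
```

On a live system the value can be exported with reg.exe or read through the winreg module and fed to parse_pending_renames; the delete entries are worth keeping too, since the dropper described earlier removes its original file in the same spirit.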
Figure 21: kernel32.dll hashes to lookup
Figure 22: After loading function addresses
The code then creates an Event named 'sxX5{c4' with the CreateEvent function and uses it as a mutex to ensure that only one copy of itself will execute at any one time. Now, moving on to the main payload, we reach a loop on all C&Cs in its config. Two of these are hardcoded and are the same as the one in the XTEA encrypted config, as mentioned earlier. The third is the one injected earlier which points to the host's current IP and hardcoded port 8000 (as explained later). It will loop forever on all three and will sleep 30 seconds if it can't connect. Upon a successful connection, the malware will send information about the client to the C&C in a 1024 byte packet. The format is pictured below.

bytes long and the system's codepage is included as an integer. There are also some hardcoded integers: two integers of value 0x130, 0x0 (1) and an integer of value 0x30005 (2). Both of these are identical to those observed by FireEye. There is also some string value that could be the campaign ID (3). Unlike the other unknown values this one is not embedded in the code but in the configuration, and there is some attempt at obfuscating the access to the variable, which in our case was the string "wet". The rest of the packet is empty (bytes 321 to 1024) except for the last byte where there is a newline character ("\n").
As you can see, these are again very generic, meaning that the malware's true goals and capabilities are hidden when doing static analysis. However, Trend Micro was able to observe attackers and documented some of the code that attackers sent in their 0x211
Summary of similarities
Same network encryption algorithm ("ARCHY"[::-1] xor/ror3)
Same 1024 byte network payload
Same commands (0x211, etc.)
Most C&C rely on dynamic DNS
Operated from the same /24 network owned by a Taiwanese ISP
interesting to see that the use of ACCELORATOR name as the hidden PE resource or the network protocol encryption key are things that haven't changed between campaigns. What conclusions can be drawn from this observation is an exercise left to the reader.

Proxy tunnel component

Again, comprehensively described by FireEye as sss.exe, this component is present for the eventualities where the target's network doesn't allow an outgoing network connection to reach the C&C servers directly. In a nutshell, it binds to the local port 8000 and will tunnel anything that connects to it through the legitimate proxy configured on the computer. It uses the HTTP CONNECT verb to get an end-to-end tunnel up to the C&C.

In our investigation, the file was named winslogon.exe and had a different hash, solely because the configuration (and maybe the code) was different. We also noticed the presence of an encrypted log file (hardcoded to %TEMP%\~DF3bbs.tmp) which can be decrypted with a single byte key XOR (0xAB) as shown by the code below.

    key = 0xAB
    ct = open("logfile", "rb").read()
    # XOR every byte with the one-byte key; latin-1 maps each byte to one character
    pt = bytes(b ^ key for b in ct).decode("latin-1")
    print(pt)

Listing 7: Decrypt proxy tunnel component logs

It uses an Event Object named with the non-printable character represented by 0x13 to ensure that only one instance of the proxy is running. Additionally, as with the Terminator / FakeM RAT threat, the binary will perform a little dance, meaning that on each execution it will copy itself into a temporary location (GetTempPath() + "~7ti3"), append a random number of random bytes to the end of the file, then add the XTEA encrypted configuration. Lastly, a move with the MOVEFILE_DELAY_UNTIL_REBOOT and MOVEFILE_REPLACE_EXISTING flags will be performed to replace the currently running binary. So the hash of the file will change but behavior and functionality stay intact. Finally, we observed a different location for the stored proxy configuration than the one FireEye reported. In our case it was stored in %Windir%\Proxy.

The addition of this component as a stand-alone to augment Terminator RAT's exfiltration capabilities is very interesting as it could be easily re-used. Additionally, a loosely coupled component with no malicious behavior (although suspicious) packaged with a RAT whose malicious payload is well hidden in position-independent shellcode supporting very generic commands makes the static analysis of the threat quite difficult and leaves everything to the imagination about what it is that the attackers are after.

There is no A in this APT

Indeed, none of these threats were packed to thwart reverse-engineering, no exploit code was used and there were several observations of poor software development and operational practices: sloppy coding, bad cryptography, operator errors, leakage of unused proxy credentials and even mistakes in configuration that rendered a C&C domain completely useless. This is not advanced.