Multiple organizations in Kuwait have been targeted since 2018 by a threat actor we track as SectorD01, whose primary targets appear to be located in the Middle East but also observed by us to target North America, Europe, South Asia and East Asia in other campaigns. In this analysis we will briefly go through some of the tools used by this threat actor in the campaign which are named Sakabota, Diezen, Gon, Hisoka, Netero, and EYE, and explain how these tools are linked to each other and to other activity in the region.
When we looked at 21 samples of the tool named Sakabota, we noticed the file internal comments “Blade for not to killing” and the file’s icon which resembles a scar and has the internal name “Icon_kenshin”. “Kenshin” is the name of the main character with that scar from the Japanese anime “Rurouni Kenshin”, otherwise known as “Samurai X” to English viewers. His sword is named Sakabatō, which is a reverse-edge sword which does not kill, and this lines up with the file internal comments of “not to [sic] killing”.
The samples we looked at had the version numbers 1.4, 1.5, 1.6, 2.5, and 2.6. Some of its functions include using WMIC/PSEXEC/dsquery/Mimikatz/plink/RAR, FTP uploading to ftp://www[.]pasta58[.]com with credentials “administrator”/”Mono8&^Uj”, downloading files, taking screenshots, performing RDP, IP/port scanning across common services, dropping the svhost.exe agent / Shell.aspx web shell (see below), clearing traces of itself, and closing itself. The hardcoded C2 addresses are set as pasta58[.]com and 176[.]9[.]235[.]101, and hardcoded DNSCAT C2 address as 217[.]79[.]183[.]33.
Besides the functionality changes across versions, the threat actor also attached various resources to the malware. Different samples had different resources attached to them, and this was irrespective of the version codes.
|dsquery||Trusted Microsoft command-line utility for querying Active Directory Services.|
|k||Most of the “k” resources we saw were empty, but there was one which contained a sort of cheat sheet of different commands which the attacker could use for many techniques such as password cracking, passing the hash, dumping passwords, using certutil, and using the other embedded resources.|
Interestingly, in one section of the cheat sheet, there were URL examples of how to access a web shell which could possibly be a GET version of LittleFace. This web shell URL contained the domain of a Taiwanese university, suggesting the university may have been compromised in the past.
|nircmd||64-bit NirCmd command-line utility from NirSoft.|
|PowerCat_DNS_small||A shortened version of the open-source powercat PowerShell utility.|
|rar||64-bit command-line WinRAR.|
|Local||Trusted Microsoft utility which has so far only been publicly reported to be used by TwoFace in 2017.|
|PSEXEC||Signed and trusted Sysinternals/Microsoft PsExec utility.|
This is an old version of PSEXEC which allows the attacker to bypass the graphical EULA using the “-accepteula” flag.
|Shell||Custom Shell.aspx web shell which uses md5 hashing to check the password given in the “id” parameter of the POST request.|
There are some commonalities between this web shell and the IntrudingDivisor web shell used by TwoFace, but this web shell is more limited in functionality and is used for uploading files or executing commands via “cmd.exe /c”.
It is created under the \dayzen directory relative to Sakabota when the attacker clicks on the “Shell” button in Sakabota. Only four samples of Sakabota contained the embedded Shell.aspx.
|svhost||The executable svhost.exe dropper for the PowerShell malware Unit 42 named CASHY200, which accesses the C2 firewallsupports[.]com. This dropper had not been previously linked to the Sakabota malware.|
It is created under the \dayzen directory relative to Sakabota when the attacker clicks on the “Agent” button in Sakabota. Only one sample of Sakabota contained the embedded svhost.exe.
|Diezen||Another backdoor with the picture of a samurai used by the attacker which connects to pasta58[.]com, the same C2 server as Sakabota.|
Another interesting thing to note is that the Sakabota malware was made to work not only with the embedded resources above, but also with Mimikatz which we believe was not embedded due to the likelihood of Sakabota being detected more easily. All of these tools together bear a striking resemblance to the various tools uploaded to a TwoFace web shell in the past.
Diezen is a simple backdoor which can be dropped by Sakabota which is set to connect to the same C2 address, pasta58[.]com, using a custom non-HTTP protocol over port 443 via the .NET TcpClient class primarily to execute attacker commands via “cmd.exe /c”. The samples we looked at had the version numbers 0.0.1, 0.5, and 0.6.
By the time Diezen reached version 0.6, it switched over to port 80 and added new functionality for file upload, download, taking screenshots, checking the user’s public IP via checkip[.]dyndns[.]org and checking if an alternative autostart location – the Start Menu – was available besides its normal usage of scheduled tasks. The feature of checking the user’s public IP was later carried over to the Hisoka malware as well, alongside implementing the previously unimplemented decryption and encryption routines, while the screenshot feature was carried over to the Gon malware.
Gon is the main character from the Japanese anime “Hunter × Hunter”. When looking at Gon and the other “Hunter × Hunter” themed malware, their code appears to have been originally branched out from the Sakabota malware. In Gon’s case, not only are there the embedded resources dsquery and plink, a large part of the non-GUI code is exactly the same and in fact still has remnants of “Sakabota” in one of its strings.
Just as the various versions of Sakabota have added functionality which were in its code but previously unimplemented, Gon has implemented some of Sakabota’s previously unimplemented code and also contains a password list containing slightly over 1000 passwords which are mainly variations around digits, the word “password”, and the word “kuwait”. These passswords are used for brute forcing from the tool.
EYE is the name of another simple tool we believe to be part of the attacker’s “Hunter × Hunter” themed toolset. The purpose of EYE is to log new processes created and to clear the attacker’s tracks when the attacker unexpectedly disconnects due to a new user logon. When looked at together with the other anime themed malware and the file icon, we believe the attacker thought of EYE as the scarlet eyes in “Hunter × Hunter”, giving the attacker additional capabilities when the attacker is emotionally agitated.
In fact, this clearing of tracks automatically upon disconnection is not a capability unique to the EYE malware as the exact same function exists in Sakabota. It hooks onto the .NET event SystemEvents.SessionSwitch so that if the attacker gets disconnected unexpectedly due to a new user logon, it will close all processes made after EYE was opened, delete file and registry keys related to attacker activity – recent files accessed, both automatic and custom jump lists which were first introduced in Windows 7, remote desktop history, search terms, autocomplete, and start menu run history. It will then close and delete itself.
Hisoka and Netero
Hisoka and Netero are also two important characters in the Japanese anime “Hunter × Hunter”.
Running Hisoka 0.8 with the arguments “66” will create a “Help.txt” file in the same folder, and this file contains instructions of how to use and interact with Hisoka from both the victim and attacker’s machine. It also contains functionality to query Active Directories via LDAP, which is likely meant to take over the functionality of the dsquery utility embedded in Sakabota. Funnily enough, the function is contained in an “AI” class of Hisoka which is most certainly not AI, proving even threat actors have joined the hype.
Hisoka is able to communicate with the attacker’s C2 server using a proper HTTP request over port 80 (unlike Diezen, which had its custom protocol and would be easily detected over the network) and DNS over port 53.
For its HTTP C2, it uses the hardcoded user agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36” from Chome version 73 which was released on March 12, 2019.
For its DNS C2, it has an unused feature to perform an nslookup.exe check against hisoka[.]<C2_Address> in order to check its status which may be useful to check against later versions we have not seen. Example commands for performing its status check are:
- nslookup.exe -type=”A” hisoka[.]microsofte-update[.]com 126.96.36.199
- nslookup.exe -type=”TXT” hisoka[.]microsofte-update[.]com 188.8.131.52
On the other hand, the Netero malware is a helper utility and loader built for Hisoka and in fact cannot function without it. Unlike Hisoka, the attacker does not interact with Netero via command-line arguments but has to interact via modifying an obfuscated “command” in the registry. The way Netero loads and encrypts/decrypts data from the registry is similar to Hisoka – various registry keys from HKCU\EUDC\313\hisoka_v2 (Hisoka uses HKCU\EUDC\313\hisoka) are loaded, XOR-ed with 0x53, then Base64 decoded.
The attacker commands are loaded from HKCU\EUDC\313\hisoka_v2\CM and checked every 1-4 seconds. All of the other configurations including the kind of C2 server to use are loaded in the same way and checked constantly, with the result of any command being returned in another registry key. In this way, the attacker becomes able to interact constantly with Netero purely via the registry and no longer requires a GUI or CLI. Since the interaction with the registry has to be XOR-ed and Base64 encoded for very command, it means the attacker is using another wrapper program instead for this interaction.
The attacker also added another C2 “engine” to the Netero malware’s functionality. While Hisoka could previously already communicate with its C2 server via DNS and HTTP, Netero is also able to communicate with the C2 server via EWS ([Microsoft] Exchange Web Services), interacting with Microsoft Exchange servers using saved drafts in a manner reminiscent to how it interacts with the attacker via the registry.
Both Hisoka and Netero are stated to be “Compatible with Sakabota v3.4”, while later samples of Diezen was compatible with v2.0 and v2.1. While we did not find any version 3 or above samples of Sakabota, it shows that Sakabota is still in active development alongside the “Hunter × Hunter” themed malware and the end goal is likely for either Sakabota or Hisoka to act as the wrapper for all of the other malware which interacts via command-line / registry, similar to how Sakabota already acts as a wrapper for many other tools such as Mimikatz and PSEXEC.
Based on the attacker’s personal cheat sheet, the chunks of code dedicated to finding server software, and the internal web shell code, it is quite likely that one of the initial access routes used by the attacker is attacking organization web servers through SQL injection vulnerabilities for web shell upload, and organizations likely to be targeted should take note of this.
Also, since SectorD01 was first discovered in 2016, they already had a penchant for using DNS in their various malwares for their C2 communications even up till recently. One of the easy ways to detect this is to monitor the network for suspicious DNS traffic, although DNS over HTTPS may mask this in the future. It remains to be seen if the other teams of SectorD01 will take up EWS as a C2 protocol as well.
We believe Gon and the other “Hunter × Hunter” themed malware were branched off from Sakabota (and Diezen) to get around Sakabota’s large file size and eventually compartmentalize the attacker’s various tools into a sort of framework as their capabilities mature.
Indicators of Compromise (IoCs)
Attacker Resources Embedded in Sakabota
Legitimate/Gray Resources Embedded in Sakabota
“Hunter × Hunter” Themed Malware
MITRE ATT&CK Techniques
The following is a list of MITRE ATT&CK Techniques we have observed based on our analysis of these and other related malware.
T1190 Exploit Public-Facing Application
T1059 Command-Line Interface
T1106 Execution through API
T1053 Scheduled Task
T1204 User Execution
T1061 Graphical User Interface
T1047 Windows Management Instrumentation
T1060 Registry Run Keys / Startup Folder
T1053 Scheduled Task
T1100 Web Shell
T1078 Valid Accounts
T1100 Web Shell
T1053 Scheduled Task
T1078 Valid Accounts
T1140 Deobfuscate/Decode Files or Information
T1202 Indirect Command Execution
T1112 Modify Registry
T1480 Execution Guardrails
T1107 File Deletion
T1070 Indicator Removal on Host
T1078 Valid Accounts
T1110 Brute Force
T1003 Credential Dumping
T1087 Account Discovery
T1482 Domain Trust Discovery
T1010 Application Window Discovery
T1083 File and Directory Discovery
T1046 Network Service Scanning
T1135 Network Share Discovery
T1057 Process Discovery
T1012 Query Registry
T1018 Remote System Discovery
T1082 System Information Discovery
T1033 System Owner/User Discovery
T1210 Exploitation of Remote Services
T1075 Pass the Hash
T1076 Remote Desktop Protocol
T1105 Remote File Copy
T1021 Remote Services
T1051 Shared Webroot
T1077 Windows Admin Shares
T1113 Screen Capture
T1005 Data from Local System
T1039 Data from Network Shared Drive
Command and Control
T1043 Commonly Used Port
T1094 Custom Command and Control Protocol
T1105 Remote File Copy
T1132 Data Encoding
T1001 Data Obfuscation
T1008 Fallback Channels
T1071 Standard Application Layer Protocol
T1041 Exfiltration Over Command and Control Channel
T1048 Exfiltration Over Alternative Protocol
T1022 Data Encrypted
T1002 Data Compressed