Copyright © 2017 Virus Bulletin
The Talos researchers are no strangers to APT attacks. During recent research, we observed the ways in which APT actors are evolving and how a reconnaissance phase is included in the infection vector in order to protect valuable zero-day exploits or malware frameworks. Indeed, the development of exploits and complex malware is a big cost from the attacker's point of view, which is why they put a lot of effort into hiding them from analysts and security companies.
This paper presents five case studies that demonstrate how the infection vector is evolving. We chose five examples from different APT actors, showing that this trend is not related to a single group of attackers, but is in fact global.
After the case studies, we will describe some mitigations to help avoid infection.
Filename: NATO secretary meeting.doc
The first task of the Flash object is to gather information about the system using the flash.system.Capabilities.serverString API and to send this information to the attacker. The following is an example of the output of this function:
The values are documented by Adobe in . Some fields are interesting:
Figure 3 is a screenshot of the C&C used to send this information.
If the data matches the attacker's expectations, the server will send a second Flash object and an additional payload to the infected system (Figure 4).
The new Flash object will be loaded with the LoadBytes() API (this.swf variable) and the payload is passed in an argument in the 'sh' variable (we assume that sh is for shellcode). This case study demonstrates how the attackers protect their exploits, in this case a Flash exploit.
Thanks to Umbrella Cisco we were able to observe the DNS activity (Figure 5). The campaign started on 29 December 2016 with a very low level of activity. On 16 January, we see an uptick in activity – this is when we started to observe more public samples, which we used for our research purposes.
Filename: National Day Reception (Dina Mersine Bosio Ambassador's Secretary).doc
This case study revolves around a Microsoft Word document. The document is alleged to have been created by Dina Bosio, an individual whom we believe to be fictitious (see Figure 6).
As can be seen in Figure 7, the document contains a macro.
The purpose of the decrypted payload is to gather information about the targeted system and to download the final RAT (with the .pif extension) if the data meets the attackers' criteria (Figure 8).
In this case, the script collects network information, domain information, share information, user information, installed software, and task list.
The file in this case study is a Microsoft Excel document with a macro, the purpose of which is to drop and execute a VBS and a PowerShell script (see Figures 9 and 10). As with the previous case study, the purpose of the payload is to collect information about the infected system; Figure 11 shows the information-gathering script.
As in the other cases, if the collected data is good and is what the attacker is looking for, a binary is downloaded and executed on the system.
Filename: 5170101-17년_북한_신년사_분석.hwp (5170101-17 __ North Korea _ New Year _ analysis .hwp)
In this case study the infection vector is a Hanword document (HWP). Hanword is a well-known text editor in South Korea, widely used in the public sector (instead of Microsoft Office). The HWP format support OLE objects. The OLE objects are simply compressed with zlib. Figure 12 shows a screenshot of the analysed document.
The logo at the bottom of the document is that of the Ministry of Unification. The purpose of the ministry is to work on the unification of North Korea and South Korea. As expected, the HWP document contains OLE objects, as shown in Figure 13.
The OLE objects are executed when the user clicks on a link in the document. The objects drop two executables onto the disk:
The first step of the executable is to open a decoy document and present this to the user (Figure 14).
The next step is to gather information from the system:
The purpose appears to be to determine whether the target is suitable for attack. The data is sent to a (compromised) legitimate website of the South Korean government:
If the attackers decide that the victim's profile meets their requirements, a .jpg file is generated. This file is the binary executed on the infected system (the final RAT):
(where 02BC6B26 is the ID of the infected machine)
Figure 15, for example, shows a pcap of the communication between an infected machine and the C&C (the pcap comes from VirusTotal).
The decoded content is as follows:
0F37555F#0#0#0#TEQUILABOOMBOOM#janettedoe#C:\4b20883386665bd205ac50f34f7b6293747fd720d602e2bb3c270837a21291b4#innotek GmbH VirtualBox 1.2
The first field contains an ID generated on the infected system, the fifth field is the hostname of the VirusTotal sandbox, the sixth field is the username, the seventh field is the execution path, and finally we can see the BIOS version of the VirusTotal sandbox. We can conclude that the sample was executed on a VirusTotal virtual machine.
In some cases, we are able to provoke APT actors and obtain the final RAT. This was the case with the Korean actor mentioned in case study #4. As before, the campaign started with two HWP documents.
The first email was sent from the official email contact of the Korea Global Forum. We assume that the account was compromised and abused by the attacker. The email asks the recipient to complete a form in an attached document (an HWP document), as shown in Figures 16 and 17.
As usual in HWP documents, the file contains OLE objects (compressed with zlib).
The document contains an EPS (Encapsulated PostScript) object. This object contains an exploit that is used to execute code thanks to the vulnerability CVE-2013-0808. The purpose is to download a PE file from a compromised website:
There is a similar .jpg pattern to the one in the previous case study. We named the downloaded RAT 'ROKRAT'.
This malware does not work on Windows XP or 2003. If it is executed on these platforms, an infinite loop is executed.
The next step is to check if there are any analysis tools running on the system.
If one of the following applications is running, the malware deduces that the system is a sandbox or an analysis machine:
In this case, the malware performs queries on legitimate websites and starts watching a Japanese anime, as shown in Figure 23.
We assume that these connections are intended to generate fake IOCs on sandbox systems.
If the malware is running on an intended system, it is able to initiate communications through three different communication channels:
The malware is able to communicate with the attackers using Twitter via seven different hard-coded Twitter API tokens, as shown in Figure 24.
ROKRAT is able to communicate with the attackers via Yandex. It is able to upload or download files on the Yandex cloud service. The malware contains four hard-coded tokens, as shown in Figure 25.
ROKRAT is able to communicate with MediaFire too. A single API token is hard coded in the analysed sample, as shown in Figure 26.
Each of the three platforms is legitimate and may be used by organizations in standard, day-to-day work. Additionally, these platform use HTTPS encryption. From an incident response point of view, this could frustrate efficient analysis and remediation of an incursion.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled => REG_DWORD = 0
It goes without saying that we also recommend keeping your software, OS and security products up to date and correctly configured.
The costs of developing a zero-day or complex malware framework is significant. That's why it makes perfect sense for malware actors to protect their investments and secure them from security researchers. Once a complex malware variant is discovered by the security industry, it is of little or no use to the threat actor.
There is a clear trend towards adding information-gathering mechanisms within the infection vector to avoid leaking valuable code to security analysts. It is likely that many targets of these attacks have already been compromised in the past by the same actors. Hence, the adversary knows the target infrastructure, the network IP ranges, the naming convention of the hostname or the username, the domain name, etc. of the targets they are seeking to infect. The information obtained by these pieces of malware allows the attacker to identify efficiently if the infected system shares the profile of the intended victim. With the benefit of this information, the attackers can perform additional tests before releasing their advanced and valuable malware. This new approach makes the jobs of security analysts and researchers more complex, yet also that little bit more interesting.