APT-C-41 (StrongPity) Backdoor: Tool of an Espionage and Cyber Crime Group
In this post I walk through a backdoor deployed by the APT group APT-C-41 (also tracked as StrongPity and PROMETHIUM) that has recently been targeting European countries. APT-C-41 is known for espionage and cyber-crime operations against the financial, industrial and educational sectors; its recent activity has been observed since November of last year.
Static and Dynamic Analysis
The sample is a 32-bit Windows executable.
Static Analysis (Advanced)
The advanced static analysis starts with the export table. It contains a single function, start, which is the entry point.
Figure: exports of the APT-C-41 backdoor.
start calls two functions, labelled here system_info_fetcher() and sort_of_main_function_for_access_scrambling_dll_loading(). system_info_fetcher gathers system information for triage, while the second routine controls access on the system, scrambles data and loads DLLs.
Figure: code and call graph of the start (entry) function.
system_info_fetcher collects system state with GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId and QueryPerformanceCounter. A caveat when triaging: this exact set of four calls is what the MSVC C runtime uses in __security_init_cookie to seed the /GS stack-protection cookie, so a routine that does nothing else with the values is compiler-generated startup code rather than reconnaissance. Treat it as host fingerprinting only if the values are later stored, compared or sent to the C2.
sort_of_main_function_for_access_scrambling_dll_loading handles access control on the system, sets up exception handling, applies the anti-analysis techniques and finally calls WinMain.
Moving on to the backdoor's WinMain, which calls seven functions:
GetModuleHandleA, GetProcAddress, GetLastError, go_for_callr_of_dll_main, callr_of_system_info_fetcher_for_win_main, Sleep and downld_plugin_from_C2.
First a handle to kernel32 is obtained with GetModuleHandleA and the required exports are resolved with GetProcAddress (GetLastError covers the failure path). Then go_for_callr_of_dll_main() runs; this is the routine that loads the DLLs the backdoor uses.
Next callr_of_system_info_fetcher_for_win_main collects system information for WinMain. The code then calls Sleep for a while, a delay that keeps the activity away from the user's attention and also outlasts short sandbox runs (T1497 in the ATT&CK list below). Finally downld_plugin_from_C2 fetches plugins from the command-and-control (C2) server.
The C2 module of the APT-C-41 backdoor issues requests to the command-and-control server (C&C/C2) through the WinHTTP API: WinHttpOpenRequest, WinHttpAddRequestHeaders, WinHttpSendRequest and WinHttpReceiveResponse. That import set is worth recording for detection, since it ties the beacon to the WinHTTP stack rather than WinINet or raw sockets.
This function downloads plugins from the C2 through get_files_loaded_from_C2.
This function loads the files received from the command-and-control server.
This function loads the plugins retrieved from the C2.
This function carries out the file removals directed by the C2.
For dynamic analysis I set a few breakpoints in the start function:
The breakpoints were hit for this sample.
When the debugger stops at the first breakpoint in start, the following DLLs have been loaded:
Shortly after the first breakpoint the debugger stops at 004024FE in WinMain.
The next breakpoint hit is at 75492E09.
As execution continues, the debugger stops at the DebugBreak in sub_77870530, a routine in the system DLL address range that consists of nothing but that DebugBreak.
DebugBreak is a single int3 instruction. Executing it raises a breakpoint exception (STATUS_BREAKPOINT, 0x80000003). This is a software trap, not a hardware breakpoint or hardware interrupt: the debugger, when one is attached, receives the exception first and stops there, and continuing from it simply re-enters the same code path, which is why execution appears to loop around the trap and nothing further runs in the debuggee. Without a debugger the exception is delivered to the process's own exception handlers instead, which is presumably what the exception setup in the startup routine prepares for, so the trap doubles as an anti-debugging check.
So I stopped the debugger and set two breakpoints again:
- make_requests_to_C2
When the first of these breakpoints is hit, the state is as shown below.
Continuing, execution reaches the second breakpoint, make_requests_to_C2.
Execution stops at the breakpoint exception again for the same reason as before: the debugger receives the int3 trap first, and continuing only re-enters it.
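To make the trap behaviour concrete, here is an added example (not code from the sample or from the original post) that reproduces the mechanism on a Linux/x86 host, which is an assumption of this illustration: DbgBreakPoint/DebugBreak is one int3 instruction, the CPU raises a breakpoint exception, and the exception goes to the attached debugger if there is one and to the process's own handler otherwise. On Windows the second path is SEH/VEH with code STATUS_BREAKPOINT; on Linux it is a SIGTRAP signal, which is what the function below catches. Run it plainly and the process handles its own trap; run it under gdb and the debugger stops on the int3 and, with its default of not passing SIGTRAP on, the handler never runs.

```c
/* Added illustration of the int3 "debug trap" from the dynamic analysis.
 * Example code for Linux/x86 (assumed), not the APT-C-41 sample's routine. */
#include <signal.h>
#include <stdio.h>

static volatile sig_atomic_t trap_seen = 0;

/* Runs only when no debugger consumed the breakpoint exception. */
static void on_sigtrap(int signo)
{
    (void)signo;
    trap_seen = 1;
}

/* Executes int3 and reports who handled the resulting trap.
 * Returns 0: the process caught its own trap (no debugger attached).
 * Returns 1: the handler never ran, i.e. a debugger swallowed the trap.
 * Returns -1: the SIGTRAP handler could not be installed. */
int breakpoint_consumed_by_debugger(void)
{
    void (*old)(int) = signal(SIGTRAP, on_sigtrap);
    if (old == SIG_ERR)
        return -1;

    trap_seen = 0;
#if defined(__i386__) || defined(__x86_64__)
    /* int3 is a trap, not a fault: the saved instruction pointer already
     * points past the one-byte opcode, so returning from the signal handler
     * resumes here instead of re-executing int3 forever. */
    __asm__ volatile("int3");
#else
    /* Assumption for non-x86 builds: emulate the trap with a plain SIGTRAP. */
    raise(SIGTRAP);
#endif
    signal(SIGTRAP, old);
    return trap_seen ? 0 : 1;
}

int main(void)
{
    if (breakpoint_consumed_by_debugger() == 1)
        puts("breakpoint exception was taken by a debugger");
    else
        puts("process handled its own breakpoint exception");
    return 0;
}
```

The same test is what an exception-based anti-debug check in the sample would amount to: if the handler path runs, no debugger is present; if control never returns through it, one is. When stepping such a sample, the usual answer is to pass the exception back to the debuggee (or patch the int3 to a nop) rather than to keep continuing into the same trap.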
Indicators of Compromise(IOCs) and Detections
Network [C2 Communications]
MITRE ATT&CK Techniques
T1059, T1055, T1497, T1027, T1027.002, T1124, T1518.001, T1057, T1010, T1018, T1083, T1082, T1056, T1560, T1573, T1095, T1071.
Sample from Report