2019-09-06

1. Background Introduction

Recently, the Rising Security Research Institute captured two APT attacks against China: one targeting the embassies of various countries in China, the other targeting the overseas representative office of a technology company. Once a user opens the phishing document, the computer is remotely controlled by the attacker, resulting in the theft of internal confidential data such as system information, installed programs and disk information. The attacks are attributed to the internationally known "Sidewinder" group, which has launched many attacks on Pakistan and Southeast Asian countries; its two most recent APT attacks, however, have pointed at China. One is disguised as coming from the Overseas Military Security Cooperation Center of the International Military Cooperation Office of the Ministry of National Defense and sent fake invitations to military attachés of embassies in China; the other targeted the overseas representative office of a technology company, to which the attacker sent a fake security and confidentiality manual.
Figure: Phishing document disguised as coming from the Ministry of National Defense

According to the analysis of the Rising Security Research Institute, although the targets and content of the two attacks differ, the technical methods used by the attackers tie them closely to the APT group "Sidewinder", whose main purpose is stealing confidential information from the government, energy, military, mineral and other sectors. The attacks used forged emails as bait, sending phishing messages related to Chinese embassies and technology enterprises abroad and exploiting the Office remote code execution vulnerability (CVE-2017-11882), with the aim of stealing important confidential data, private information and scientific and technological research results from our country.

2. Attack process
Figure: Attack flow

3. Analysis of phishing emails

(1) Bait document 1

The document is disguised as an invitation letter sent by the Overseas Military Security Cooperation Center of the International Military Cooperation Office of the Ministry of National Defense to the military attachés of the embassies of various countries in China.
Figure: Bait document

(2) Bait document 2

The content of bait document 2 relates to the revision of the security and confidentiality work manual of the overseas representative office of a technology company.
Figure: Document content

(3) Detailed analysis

Both decoy documents embed an object named "Wrapper Shell Object" at their end, and the object's properties point to the file 1.a in the %temp% directory. Opening the document therefore drops 1.a, a file written in JavaScript, into the %temp% directory.
Figure: Object properties

The decoy document then exploits CVE-2017-11882 to trigger shellcode that executes 1.a.
Figure: Shellcode

The shellcode works as follows: it decrypts a JavaScript script by XORing it with 0x12; the main function of that script is to execute the 1.a file in the %temp% directory.
Figure: JavaScript script ciphertext
Figure: Decrypted JavaScript script

The shellcode then replaces the command line arguments of the Equation Editor process with the JavaScript script and uses the RunHTMLApplication function to execute it.
Figure: Replace the command line
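As an added example (not code from the Rising analysis), the Python below recovers the single-byte XOR key of an encoded script blob like the one the shellcode decrypts with 0x12, then pulls out the path the decoded script launches; the sample script and the encoded blob are constructed here, not taken from the real dropper.

```python
import re
from typing import Optional

# Tokens a JScript/HTA dropper almost always contains once decoded.
SCRIPT_MARKERS = (b"ActiveXObject", b"WScript", b"Shell", b"Run(", b"script")

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the same op encrypts and decrypts."""
    return bytes(b ^ key for b in data)

def recover_xor_key(blob: bytes) -> Optional[int]:
    """Try all 256 keys; return the one whose plaintext contains the most markers."""
    best_key, best_score = None, 0
    for key in range(256):
        plain = xor_bytes(blob, key)
        score = sum(plain.count(m) for m in SCRIPT_MARKERS)
        if score > best_score:
            best_key, best_score = key, score
    return best_key

def launched_path(script: bytes) -> Optional[str]:
    """Return the first path passed to a WScript.Shell Run() call, JS-unescaped."""
    m = re.search(rb'Run\(\s*"([^"]+)"', script)
    return m.group(1).decode("ascii", "replace").replace("\\\\", "\\") if m else None

def analyse(blob: bytes) -> dict:
    """Recover the key, decode the blob and report what the script launches."""
    key = recover_xor_key(blob)
    if key is None:
        return {"key": None, "script": None, "launches": None}
    script = xor_bytes(blob, key)
    return {"key": key, "script": script, "launches": launched_path(script)}

# Constructed sample (not the real dropper): a minimal script with the described
# behaviour, launching 1.a from %temp%, encoded with the 0x12 key from the analysis.
SAMPLE_SCRIPT = (b'var sh = new ActiveXObject("WScript.Shell");'
                 b'sh.Run("%temp%\\\\1.a", 0, false);')
SAMPLE_BLOB = xor_bytes(SAMPLE_SCRIPT, 0x12)

if __name__ == "__main__":
    r = analyse(SAMPLE_BLOB)
    print(f"key=0x{r['key']:02x} launches={r['launches']}")
```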
Figure: Running JavaScript

3. Virus analysis

(1) 1.a file analysis

1.a is generated with the open-source DotNetToJScript tool; its main function is to load and execute a .NET DLL in memory from a JavaScript script. The script first decrypts the StInstaller.dll file, loads it reflectively and calls the work function in that DLL. The work function decrypts its incoming parameters x (parameter 1) and y (parameter 2); after decryption, x is PROPSYS.dll and y is V1nK38w.tmp.
Figure: 1.a script content

(2) StInstaller.dll file analysis

StInstaller.dll is a .NET program. It creates the working directory C:\ProgramData\AuthyFiles, drops three files into it, namely PROPSYS.dll, V1nK38w.tmp and write.exe.config, and copies the WordPad program from the system directory (write.exe) into the same directory. It then runs write.exe (the legitimate "white" file), which loads PROPSYS.dll (the malicious "black" file) from the same directory, so the malicious code runs by white-and-black DLL sideloading.
Figure: work function

The detailed process is as follows:

1. The work function calls the xorIt decryption function to obtain three important configuration values: the working directory name AuthyFiles, the domain name https://trans-can.net, and the registry key name authy.
Figure: Decrypted data
Figure: xorIt decryption function

2. Creates the working directory C:\ProgramData\AuthyFiles, copies the system file write.exe into it, and sets it to run automatically at boot.
Figure: Creating AuthyFiles and write.exe

3. Drops a randomly named file, V1nK38w.tmp, in the working directory.

4. Drops PROPSYS.dll in the working directory and updates in it the name of the file to load next, V1nK38w.tmp.
Figure: Creating PROPSYS.dll

5. Assembles the full URL https://trans-can.net/ini/thxqfL ... vr/-1/1291/f8ad26b5 and writes it to the V1nK38w.tmp file, which is then encrypted using the EncodeData function.
Figure: Create V1nK38w.tmp file
Figure: EncodeData encryption function

6. Creates the configuration file write.exe.config to avoid compatibility issues between different .NET versions.
Figure: Create write.exe.config
Figure: write.exe.config content

7. Executes C:\ProgramData\AuthyFiles\write.exe, which loads the malicious PROPSYS.dll.
Figure: Executing write.exe

(3) PROPSYS.dll file analysis

PROPSYS.dll uses the DecodeData function to decrypt V1nK38w.tmp, then loads and executes the decrypted content.
Figure: Loading and executing V1nK38w.tmp
Figure: DecodeData decryption function

(4) V1nK38w.tmp file analysis

V1nK38w.tmp mainly steals a large amount of information and receives instructions to execute.
Figure: Main behavior

1. Loads the initial configuration, which is decrypted from the Default resource. The configuration contains the URL, the temporary directory for files to be uploaded, and the file suffixes to steal (doc, docx, xls, xlsx, pdf, ppt, pptx).
Figure: Loading configuration
Figure: Decrypted Default resource information

2. The configuration is encrypted using the EncodeData function and stored in the registry under HKCU\Software\Authy.
Figure: Configuration information encrypted in the registry

3. Visits the specified address to download a file, preferring the URL in the configuration information and, if none is present, falling back to the default URL https://trans-can.net/ini/thxqfL ... Mvr/-1/1291/f8ad26b.
Figure: Download data

4. Collects the stolen information into files named as a random string plus a specific suffix; the contents are stored in the temporary directory in plaintext.
Figure: Information-stealing files

Files with the suffix .sif mainly store system information, installed-program information, disk information, etc.
Figure: Information stored in the .sif file

The system information obtained is as follows:
The suffix is .fls.
Table: Information record
Figure: Information stored in the .fls file

A file with the suffix .flc records all drive letters together with the directory and file information under each drive letter. The following table shows the drive letter information the attacker wants to obtain:
The directory information that the attacker wants to obtain is as follows:
The file information that the attacker wants to obtain is as follows:
Exceptions raised during program execution are caught, and the exception information is logged to a file with the .err suffix.
Figure: Catching an exception

5. Updates the configuration data stored in the registry: first traverses the system for files with one of the specified suffixes, then reads and decrypts the configuration data from the registry key HKCU\Software\Authy, adds the names and paths of the files found to the configuration data, and finally re-encrypts the configuration and stores it back in the registry.
Figure: Find a specific suffix file
Figure: Record the path of the document to be uploaded
Figure: Upload a document with a specified suffix

6. Updates the configuration data stored in the registry with the information about the uploaded files.
Figure: Decrypted configuration information in the registry

7. Compresses and uploads the full contents of the files with the specified suffixes recorded in the registry configuration information.
Figure: Upload a file with the specified suffix

8. Uploads the files with the .sif, .flc, .err and .fls suffixes from the staging directory.
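The artifacts described for StInstaller.dll (the write.exe copy in C:\ProgramData\AuthyFiles sideloading PROPSYS.dll, with write.exe.config beside it) and for V1nK38w.tmp (the configuration under HKCU\Software\Authy and the .sif/.flc/.fls/.err staging files) are enough for a simple host check. The following Python is an added example, not Rising's tooling; it runs detection rules over constructed Sysmon-style event dicts (the field names Image, ImageLoaded, TargetObject and TargetFilename follow Sysmon, the user name and file names are made up).

```python
from pathlib import PureWindowsPath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
STAGING_SUFFIXES = {".sif", ".flc", ".fls", ".err"}  # plaintext staging files

def _dir(path):
    return str(PureWindowsPath(path).parent).lower()
def _name(path):
    return PureWindowsPath(path).name.lower()

def check_image_load(ev):
    # write.exe running outside System32 and loading PROPSYS.dll from its own
    # directory is the white-and-black sideload that StInstaller.dll sets up.
    img, dll = ev["Image"], ev["ImageLoaded"]
    if _name(img) != "write.exe" or _name(dll) != "propsys.dll":
        return None
    if _dir(img) in SYSTEM_DIRS or _dir(dll) != _dir(img):
        return None
    return f"sideload: {img} loaded {dll}"

def check_registry(ev):
    # Encrypted configuration blob kept under HKCU\Software\Authy.
    hit = ev["TargetObject"].lower().startswith(r"hkcu\software\authy")
    return f"registry config: {ev['TargetObject']}" if hit else None

def check_file_create(ev):
    # write.exe.config beside the copied write.exe, or a .sif/.flc/.fls/.err
    # staging file appearing in a Temp directory.
    path = ev["TargetFilename"]
    if _name(path) == "write.exe.config" and _dir(path) not in SYSTEM_DIRS:
        return f"runtime config outside system dir: {path}"
    if PureWindowsPath(path).suffix.lower() in STAGING_SUFFIXES and "\\temp\\" in path.lower():
        return f"staging file: {path}"
    return None

HANDLERS = {"ImageLoad": check_image_load, "RegistryValueSet": check_registry,
            "FileCreate": check_file_create}

def triage(events):
    # One finding string per matching event, in input order; unknown types skipped.
    return [h for ev in events if (h := HANDLERS.get(ev["EventType"], lambda _: None)(ev))]

# Constructed events: the paths and key name come from the analysis, the rest is made up.
SAMPLE_EVENTS = [
    {"EventType": "ImageLoad", "Image": r"C:\ProgramData\AuthyFiles\write.exe",
     "ImageLoaded": r"C:\ProgramData\AuthyFiles\PROPSYS.dll"},
    {"EventType": "RegistryValueSet", "TargetObject": r"HKCU\Software\Authy\cfg"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\ProgramData\AuthyFiles\write.exe.config"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Users\u\AppData\Local\Temp\k3j9x.sif"},
]
```

Legitimate WordPad loading propsys.dll from System32 produces no finding, since the sideload rule requires both files to sit together outside the system directories.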
Figure: Upload files

4. Summary

The two attacks were not far apart in time, both targeted sensitive areas and related institutions in China, and the main purpose of both was to steal private information inside the organization in order to plan a targeted follow-up attack. Most of the recently disclosed Sidewinder attacks targeted Pakistan and Southeast Asian countries, but these two targeted China, indicating that the group's targets have shifted and that it has increased its attacks on China. This year coincides with the 70th anniversary of the founding of our country, and relevant domestic government agencies and enterprises must pay close attention and strengthen their preventive measures.

5. Preventive measures

1. Do not open suspicious emails or download suspicious attachments. The initial entry point of such attacks is usually a phishing email, which is highly deceptive, so users need to stay vigilant and enterprises should strengthen employee security awareness training.

2. Deploy gateway security products such as network security situational awareness and early warning systems. Gateway security products can use threat intelligence to trace the trajectory of threat behavior, help users analyze it, locate the source and purpose of a threat, trace the means and paths of an attack, address network threats at the source, and discover attacked nodes as far as possible, helping enterprises respond and handle incidents faster.

3. Install effective antivirus software to block and remove malicious documents and Trojans. If a user accidentally downloads a malicious document, the antivirus software can block and remove it, preventing the malware from running and protecting the user's endpoint.

4. Apply operating system patches and patches for important software promptly.
6. IOC information

MD5
URL
https://trans-can.net/ini/thxqfL ... vr/-1/1291/f8ad26b5
https://trans-can.net/ini/Wsx8Gb ... 31878/1346/cab43a7f