82 lines
7.7 KiB
Markdown
82 lines
7.7 KiB
Markdown
# Malware analysis about unknown Chinese APT campaign
|
|
## Table of Contents
|
|
* [Malware analysis](#Malware-analysis)
|
|
+ [Initial vector](#Initial-vector)
|
|
+ [ESET Remote Administrator](#ESET-Remote-Administrator)
|
|
+ [Hijacking DLL](#Hijacking-DLL)
|
|
+ [Cyber kill chain](#Cyber-kill-chain)
|
|
* [Cyber Threat Intel](#Cyber-Threat-Intel)
|
|
* [IOC](#IOC)
|
|
* [Links](#Links)
|
|
+ [Original Tweet](#Original-Tweet)
|
|
+ [Links Anyrun](#Links-Anyrun)
|
|
+ [Documents](#Documents)
|
|
+ [Ref MITRE ATTACK](#Ref-MITRE-ATTACK)
|
|
|
|
## Malware analysis <a name="Malware-analysis"></a>
|
|
### Initial vector <a name="Initial-vector"></a>
|
|
###### The initial PE extract the fake document and a second PE which create a Run key as persistence, extract the legit ESET 5 RAT and the hijacking dll and shellcode to execute (by folder permissions).
|
|
###### Here, we can see the persistence (Run key) for the dropper.
|
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/China/APT/Unknown/20-08-19/Images/Loader/RegKey.png "Push registry key")
|
|
###### This detect if the persistence is already pushed and edit the status of key in reedit the key.
|
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/China/APT/Unknown/20-08-19/Images/Loader/RegStatus.png "Change registry key")
|
|
###### This use the RichEdit function for push the data on the documentused as leur for decoy the victims.
|
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/China/APT/Unknown/20-08-19/Images/Loader/RichEdit.png "Use RichEdit for drop the document")
|
|
###### Once this did, this executes it and waits for the command of the attacker.
|
|
### ESET Remote Administrator <a name="ESET-Remote-Administrator"></a>
|
|
###### The new PE file is ESET Remote Administrator, we can see the verification of the validation of the certificate.
|
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/China/APT/Unknown/20-08-19/Images/eset/Cert.png "Analysis Certificate ESET")
|
|
###### This key is after used on the cryptographic function for crypt and encypt the differents parts of the legit tool.
|
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/China/APT/Unknown/20-08-19/Images/eset/crypto.png "Cryptographie ESET")
|
|
###### This load after the xml configuration for the global parameters on the ESET software, this manage the service of the RAT and the status if need it.
|
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/China/APT/Unknown/20-08-19/Images/eset/config.png "Configuration RAT ESET")
|
|
###### All this things prove the utilisation of the legit RAT tool of ESET at the malicious usage by the attackers.
|
|
### Hijacking DLL <a name="Hijacking-DLL"></a>
|
|
###### The dll prepare the shellcode with a localAlloc (content in the dat file).
|
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/China/APT/Unknown/20-08-19/Images/hijack/alloc.png "Allocation in DLL")
|
|
### After push it in the memory, this protect it with a Virtualprotect.
|
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/China/APT/Unknown/20-08-19/Images/hijack/virtualprotect.png "Virtualprotect in DLL")
|
|
### We can see all the events on do by the hijacking DLL.
|
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/China/APT/Unknown/20-08-19/Images/hijack/command.PNG "Resume action in the DLL")
|
|
|
|
### Cyber kill chain <a name="Cyber-kill-chain"></a>
|
|
###### The process graph resume the cyber kill chain used by the attacker.
|
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/China/APT/Unknown/20-08-19/Images/Cyberkillchain.png "Cyber kill chain")
|
|
### Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>
|
|
###### The malware is as well-know RAT, PlugX current used since 2012 on the Chinese APT group.The domain used as C2 is based in Canada by the cloud provider GoDaddy.
|
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/China/APT/Unknown/20-08-19/Images/IP.PNG "C2 informations")
|
|
###### The information put in the domain register has a Chinese provenance.
|
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/China/APT/Unknown/20-08-19/Images/domain.png "C2 informations")
|
|
###### This operation is done by the Chinese APT group(s) after the visit of the U.S. National Security Advisor in Mongolia about the national security concept.
|
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/China/APT/Unknown/20-08-19/Images/USvisit.png "US visit in Mongolia")
|
|
###### The document are a compiled of muliple documents about the national security concept available on the web.
|
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/China/APT/Unknown/20-08-19/Images/Liks.PNG "Document on the web")
|
|
###### The others samples are leurs against Jaish group who have recently infiltrate Kashmir. Pakistan and China cooperate against the Jaish Association who have increased since the attack foiled in November 2018 against the Chinese consulate. This infiltration on the Jaish group on the Kashmir has give all the cyberattacks who have analysed and military deployments observed by [d-atis](https://twitter.com/detresfa_) between Pakistan, India and China since the last 2 months.
|
|
## Indicators Of Compromise (IOC) <a name="IOC"></a>
|
|
|
|
| Indicator | Description|
|
|
| ------------- |:-------------:|
|
|
|c3159d4f85ceb84c4a0f7ea9208928e729a30ddda4fead7ec6257c7dd1984763|NATIONAL SECURITY CONCEPT OF MONGOLIA.exe|
|
|
|918de40e8ba7e9c1ba555aa22c8acbfdf77f9c050d5ddcd7bd0e3221195c876f|DSR & CSR of Special Branch Sind.exe|
|
|
|fb3e3d9671bb733fcecd6900def15b9a6b4f36b0a35bdc769b0a69bc5fb7e40d|Daily News (19-8-2019)(Soft Copy).lnk|
|
|
|94d55adbc7ec682feca892158af2a85a5e00efa597aa982d2353cae5c9c8e306|http_dll.dll|
|
|
|22213496e4613b226f30da3c9f3dd612c9655cdc3fd72bafc3a21d38893879fa|http_dll.dat|
|
|
|c3159d4f85ceb84c4a0f7ea9208928e729a30ddda4fead7ec6257c7dd1984763|unsecapp.exe|
|
|
|a0385659fe284a85d471da0e909bfbb102bfe184b1466912c1cf41844ce4ee4b|Daily News (19-8-2019)(Soft Copy).doc|
|
|
|9555d2ae685a1606cac0992922cecd7872dd0267c8bf8267a137c5a41a14c32c|NATIONAL SECURITY CONCEPT OF MONGOLIA.docx|
|
|
|9a8880b4495d103ae30f7b0cd77824c25e2adcbd6f616e01798de6defd1bbfef|DSR.docx|
|
|
|167.88.180.148|IP C2|
|
|
| www.apple-net.com |Domain C2|
|
|
## Links <a name="Links"></a>
|
|
###### Original tweet: [https://twitter.com/h4ckak/status/1163328926573137922](https://twitter.com/h4ckak/status/1163328926573137922) <a name="Original-Tweet"></a>
|
|
###### Links Anyrun: <a name="Links-Anyrun"></a>
|
|
* [NATIONAL SECURITY CONCEPT OF MONGOLIA](https://app.any.run/tasks/b5289acd-0e7b-45dc-987e-7d2920d14a30)
|
|
* [Daily News (19-8-2019)(Soft Copy)](https://app.any.run/tasks/ee97b8a5-0632-4eee-b091-d6e8bb371e0f)
|
|
* [DSR & CSR of Special Branch Sind](https://app.any.run/tasks/755521b5-f008-4ab1-95c1-cfe93fb58f1e)
|
|
###### Documents: <a name="Documents"></a>
|
|
* [The U.S. National Security Advisor pays visit to Mongolia](https://montsame.mn/en/read/194438)
|
|
* [Meet the Karachi policewoman who foiled terrorist attack on Chinese consulate](https://www.indiatoday.in/world/story/karachi-policewoman-suhai-aziz-talpur-chinese-consulate-terror-attack-1394871-2018-11-23)
|
|
* [Policewoman who defended Chinese consulate in Karachi commended for her courage](https://www.scmp.com/news/asia/south-asia/article/2174762/policewoman-who-defended-chinese-consulate-karachi-commended)
|
|
* [5 Jaish terrorists infiltrate Kashmir, high alert sounded in valley](https://www.indiatoday.in/india/story/jaish-terrorists-infiltrate-kashmir-alert-valley-1576321-2019-08-02)
|
|
###### Ref MITRE ATTACK : [PlugX RAT](https://attack.mitre.org/software/S0013/) <a name="Ref-MITRE-ATTACK"></a>
|