ch0ic3/CyberThreatIntel

Fork 0

StrangerealIntel 7e2fec5c05

Update Malware analysis 31-08-19.md

2019-09-01 01:30:02 +02:00

9.2 KiB

Raw Blame History

Malware analysis on Bitter APT campaign (31-08-19)

Malware analysis
- Initial vector
- ArtraDownloader
Cyber Threat Intel
Indicators Of Compromise (IOC)
References MITRE ATT&CK Matrix
Links

Malware-analysis

Initial vector

Use a document with a remote template injection as initial vector. This request http[:]//maq.com.pk/ for be redirected on the next URL.

This second URL (http[:]//maq.com.pk/wehsd) send a RTF exploit.

This exploit execute firstly a request by WebDAV and after by WebClient service for download the backdoor on the final address (http[:]//maq.com.pk/wehs) and execute it.

Here we can see the redirection and the data sended on the victim.

ArtraDownloader

In the first, we can see some encoded string pushed on a function and the result is moved on another registry as storage for be used by the backdoor.

In observing this function we can resume by the folowing algorithm used for decode these strings : for each byte of the string -> value of the byte -1 -> get Unicode value -> convert to char.

We can edit a script for decode the encoded string.

Now we can see the actions did by the malware.

Once this done, we can see on the entrypoint, this use the startupinfo structure to specify window properties, verify the header of the PE and the get the environment values for create the process. The malware is coded in C++ language.

This query the registry for get the version of the OS

This use too , the EncodePointer function for encoding a specified pointer (encoded pointers can be used to provide another layer of protection for pointer values).

After perform the reconnaissance actions, this send the informations to the C2

In additional capacity, this can send a query the C2

Cyber kill chain

This process graph represents the cyber kill chain of Bitter sample.

Cyber Threat Intel

References MITRE ATT&CK Matrix

List of all the references with MITRE ATT&CK Matrix

Enterprise tactics	Technics used	Ref URL
Execution	T1059 - Command-Line Interface T1106 - Execution through API T1170 - Mshta T1086 - PowerShell T1053 - Scheduled Task T1064 - Scripting T1059 - Command-Line Interface	https://attack.mitre.org/techniques/T1059 https://attack.mitre.org/techniques/T1106 https://attack.mitre.org/techniques/T1170 https://attack.mitre.org/techniques/T1086 https://attack.mitre.org/techniques/T1053 https://attack.mitre.org/techniques/T1064 https://attack.mitre.org/techniques/T1059
Persistence	T1060 - Registry Run Keys / Startup Folder T1053 - Scheduled Task	https://attack.mitre.org/techniques/T1060 https://attack.mitre.org/techniques/T1053
Privilege Escalation	T1053 - Scheduled Task	https://attack.mitre.org/techniques/T1053
Defense Evasion	T1170 - Mshta T1064 - Scripting	https://attack.mitre.org/techniques/T1170 https://attack.mitre.org/techniques/T1064
Credential Access	T1081 - Credentials in Files	https://attack.mitre.org/techniques/T1081
Collection	T1113 - Screen Capture T1114 - Email Collection	https://attack.mitre.org/techniques/T1113 https://attack.mitre.org/techniques/T1114

Indicators Of Compromise (IOC)

List of all the Indicators Of Compromise (IOC)

Indicator	Description
IMG76329797.xls	e66181155a9cd827def409135334ecf173459e001e79853e1b38f2b8e5d8cc59
Inj.dll	84833991F1705A01A11149C9D037C8379A9C2D463DC30A2FEC27BFA52D218FA6
mse60dc.exe	de314d038d9b0f8ff32cfe3391c4eec53a3e453297978e46c9b90df2542ed592
bitly.com	domain requested
xaasxasxasx.blogspot.com	domain requested
resources.blogblog.com domain requested
pastebin.com domain requested
67.199.248.14	ip requested
67.199.248.15	ip requested
104.20.208.21	ip requested
http[:]//www[.]bitly[.]com/aswoesx8sxwxxd	HTTP/HTTPS requests
https[:]//pastebin[.]com/raw/rjfk3j9m	HTTP/HTTPS requests
https[:]///pastebin[.]com/raw/tgP7S1Qe	HTTP/HTTPS requests
https[:]//pastebin[.]com/raw/0rhAppFq	HTTP/HTTPS requests
https[:]//pastebin[.]com/raw/c3V923PW	HTTP/HTTPS requests
https[:]//pastebin[.]com/raw/VFUXDF7C	HTTP/HTTPS requests
http[:]//www[.]ichoubyou[.]net/ao/?3f9L=Lo3E2+YBaBWDL2bUvw2B2SYfQBwPkMAIH1i2HT9ocxT5reT2XuVh6G9ligbLGsBAAwhLuQ==&BbBX=LhTpETx8Zdn	HTTP/HTTPS requests
http[:]//www[.]grupomsi[.]com/ao/?3f9L=Kbq++Y0aAgDxGCx7fxZFucXlrMdtuSyVttVG37Ejsga78k8ZP/EpUCryDr6PmBWAbaydAw==&BbBX=LhTpETx8Zdn&sql=1	HTTP/HTTPS requests
http[:]//www[.]grupomsi[.]com/ao/	HTTP/HTTPS requests
http[:]//www[.]theaterloops[.]com/ao/?3f9L=M0MA2fUiqMbVb6H3GNVaAqJS8mhIciwdMXRISKDsKJcWUJLkZY1j+YIFBEd9s0Uz5tYaIQ==&BbBX=LhTpETx8Zdn&sql=1	HTTP/HTTPS requests
http[:]//www[.]theaterloops[.]com/ao/	HTTP/HTTPS requests
http[:]//www[.]sukfat[.]com/ao/	HTTP/HTTPS requests
http[:]//www[.]sukfat[.]com/ao/?3f9L=i08SS1jJNzlL2PYEM5jjY78DODQHD8SSq/VJ1wVBwRJ7J5CmvaFz3C5neJ7p21NB5nPOdg==&BbBX=LhTpETx8Zdn	HTTP/HTTPS requests
www[.]hongmenwenhua[.]com	Domain C2
www[.]ichoubyou[.]net	Domain C2
www[.]grupomsi[.]com	Domain C2
www[.]sukfat[.]com	Domain C2
www[.]theaterloops[.]com	Domain C2
210.188.195.164	IP C2
23.20.239.12	IP C2
185.68.16.122	IP C2
199.192.23.220	IP C2

9.2 KiB

Raw Blame History

Malware analysis on Bitter APT campaign (31-08-19)

Table of Contents

Malware-analysis

Initial vector

Use a document with a remote template injection as initial vector. This request http[:]//maq.com.pk/ for be redirected on the next URL.

This second URL (http[:]//maq.com.pk/wehsd) send a RTF exploit.

This exploit execute firstly a request by WebDAV and after by WebClient service for download the backdoor on the final address (http[:]//maq.com.pk/wehs) and execute it.

Here we can see the redirection and the data sended on the victim.

ArtraDownloader

In the first, we can see some encoded string pushed on a function and the result is moved on another registry as storage for be used by the backdoor.

In observing this function we can resume by the folowing algorithm used for decode these strings : for each byte of the string -> value of the byte -1 -> get Unicode value -> convert to char.

We can edit a script for decode the encoded string.

Now we can see the actions did by the malware.

Once this done, we can see on the entrypoint, this use the startupinfo structure to specify window properties, verify the header of the PE and the get the environment values for create the process. The malware is coded in C++ language.

We can observe that the malware push the persistence in the startup menu.

This query the registry for get the version of the OS

This use too , the EncodePointer function for encoding a specified pointer (encoded pointers can be used to provide another layer of protection for pointer values).

After perform the reconnaissance actions, this send the informations to the C2

In additional capacity, this can send a query the C2

Cyber kill chain

This process graph represents the cyber kill chain of Bitter sample.

Cyber Threat Intel

References MITRE ATT&CK Matrix

List of all the references with MITRE ATT&CK Matrix

Indicators Of Compromise (IOC)

List of all the Indicators Of Compromise (IOC)

This can be exported as JSON format Export in JSON

Links

9.2 KiB Raw Blame History

Malware analysis on Bitter APT campaign (31-08-19)

Table of Contents

Malware-analysis

Initial vector

Use a document with a remote template injection as initial vector. This request http[:]//maq.com.pk/ for be redirected on the next URL.

This second URL (http[:]//maq.com.pk/wehsd) send a RTF exploit.

This exploit execute firstly a request by WebDAV and after by WebClient service for download the backdoor on the final address (http[:]//maq.com.pk/wehs) and execute it.

Here we can see the redirection and the data sended on the victim.

ArtraDownloader

In the first, we can see some encoded string pushed on a function and the result is moved on another registry as storage for be used by the backdoor.

In observing this function we can resume by the folowing algorithm used for decode these strings : for each byte of the string -> value of the byte -1 -> get Unicode value -> convert to char.

We can edit a script for decode the encoded string.

Now we can see the actions did by the malware.

Once this done, we can see on the entrypoint, this use the startupinfo structure to specify window properties, verify the header of the PE and the get the environment values for create the process. The malware is coded in C++ language.

We can observe that the malware push the persistence in the startup menu.

This query the registry for get the version of the OS

This use too , the EncodePointer function for encoding a specified pointer (encoded pointers can be used to provide another layer of protection for pointer values).

After perform the reconnaissance actions, this send the informations to the C2

In additional capacity, this can send a query the C2

Cyber kill chain

This process graph represents the cyber kill chain of Bitter sample.

Cyber Threat Intel

References MITRE ATT&CK Matrix

List of all the references with MITRE ATT&CK Matrix

Indicators Of Compromise (IOC)

List of all the Indicators Of Compromise (IOC)

This can be exported as JSON format Export in JSON

Links

9.2 KiB

Raw Blame History