CyberThreatIntel/Indian/APT/Donot/17-09-19/Malware analysis.md

Analysis of the Donot APT campaign

Table of Contents

• Malware analysis
  • 86ccedaa93743e83787f53e09e376713.docx
  • d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7.doc
  • 01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx
  • pk_17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc
  • A1719.docx, INGOs Spending on Rohingyas.doc, Scan0012.docx
• Cyber Threat Intel
  • Opendir analysis
• Indicators Of Compromise (IOC)
• References MITRE ATT&CK Matrix
• Links
  • Original Tweet
  • Link Anyrun
  • Documents

Malware analysis

86ccedaa93743e83787f53e09e376713.docx

The first sample of the campaign is a maldoc file using cve-2017-0199 (Template injection) for request and executed the next stage of the infection.

This use RTF file with the cve-2018-0802 for execute embedded excel object by the CLSID of the Excel COM object.

This extract and execute the zip archive from the RTF file.

On the backdoor, we can see that can push an environnement variable and create the "Mknyh" Mutex.

After perform this, this install the let's encrypt certificate and collect the informations about the system and send it in the C2.

This collect the list of disks and the types of this.

This can save and execute a stream from the C2.

d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7.doc

The second samples use the same TTPs and use Template injection.

The RTF file download and executed drop the same backdoor.

01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx

The next sample use Template injection too for download and executed drop the RTF file.

The RTF file push a persistence with a LNK file, extract the backdoor and execute on another instance of explorer.

The backdoor use a timer for as anti-sandbox method and check the features.

This push in memory the backdoor and check the system informations.

This have the capacity to hijack the AVAST AV, send the informations and request to the C2 for commands. This can save a file and execute it on the computer.

pk_17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc

This continue to use Template injection.

The RTF file dropped extract a js file, a dll and an exe file.

The js file execute the dll and the exe file for bypass the UAC by the UACme tool. The backdoor is the same that the first sample.

A1719.docx, INGOs Spending on Rohingyas.doc, Scan0012.docx

The TTPs is the same that the second sample for the last samples.

Cyber Threat Intel

Opendir analysis

We can note that the server are main hosted by DigitalOcean cloud provider.

IP	URL	Opendir	ASN	Organization	Route	Coordinates	Country
178.62.188.63	hxxp[:]//en-content.com/SecurityM/EFILE	Yes	AS14061	DigitalOcean Amsterdam	178.62.128.0/18	52.3740,4.8897	Netherlands
178.62.186.233	hxxp[:]//bsodsupport.icu/ScanSecurity/XLSSN	Yes	AS14061	DigitalOcean Amsterdam	178.62.128.0/18	52.3740,4.8897	Netherlands
156.67.222.128	hxxp[:]//noitfication-office-client.890m.com/fcfdae-9dfc335ca-bd10/NHSORE/jjhl	No	AS47583	Hostinger International Limited	156.67.208.0/20	1.3667,103.8000	Singapore
159.89.104.38	hxxp[:]//plug.msplugin.icu/MicrosoftSecurityScan/DOCSDOC	No	AS14061	DigitalOcean, LLC	159.89.96.0/20	50.1155,8.6842	Germany
157.230.213.81	hxxp[:]//mscheck.icu/SecurityScan/XLSS	No	AS14061	DigitalOcean, LLC	157.230.208.0/20	40.8043,-74.0121	United States
146.185.139.134	hxxp[:]//sdn.host/MicrosoftSecurityScan/11MVEM1X	No	AS14061	DigitalOcean Amsterdam	146.185.128.0/19	52.3740,4.8897	Netherlands
146.185.139.134	hxxp[:]//sdn.host/MicrosoftSecurityScan/FRSI080222F	No	AS14061	DigitalOcean Amsterdam	146.185.128.0/19	52.3740,4.8897	Netherlands

The group use multiple OS and Web Servers, this can be explained by two possible reasons. First, Donot can be multiple groups with differents levels of skills or the attacker have don't protect some servers due this used for weak interest targets.

IP	URL	Opendir	Webserver	OS
178.62.188.63	hxxp[:]//en-content.com/SecurityM/EFILE	Yes	Apache	CentOS
178.62.186.233	hxxp[:]//bsodsupport.icu/ScanSecurity/XLSSN	Yes	Apache	CentOS
156.67.222.128	hxxp[:]//noitfication-office-client.890m.com/fcfdae-9dfc335ca-bd10/NHSORE/jjhl	No	LiteSpeed	CentOS
159.89.104.38	hxxp[:]//plug.msplugin.icu/MicrosoftSecurityScan/DOCSDOC	No	Apache	CentOS
157.230.213.81	hxxp[:]//mscheck.icu/SecurityScan/XLSS	No	Nginx ?	Ubuntu ?
146.185.139.134	hxxp[:]//sdn.host/MicrosoftSecurityScan/11MVEM1X	No	Nginx	Ubuntu
146.185.139.134	hxxp[:]//sdn.host/MicrosoftSecurityScan/FRSI080222F	No	Nginx	Ubuntu

List of files on the opendir :

IP	URL	Files	Date (Last modified)	Size
178.62.188.63	hxxp[:]//en-content.com/SecurityM/	DFILE DFILE- EFILE EFILE- LIN	2019-08-30 12:46 2019-08-29 12:05 2019-08-30 12:49 2019-08-29 12:19 2019-08-30 12:49	1.1M 1.1M 685K 685K 685K
178.62.186.233	hxxp[:]//bsodsupport.icu/ScanSecurity/	DOCS DOCSN DOCSN-1 XLSS XLSSN XLSSN-1	2019-08-16 08:17 2019-08-27 07:03 2019-08-22 08:52 2019-08-16 08:26 2019-08-28 06:39 2019-08-22 08:59	1.1M 1.1M 1.7M 697K 685K 885K

We can confirm that the campaign have begin early August 2019 and reuse old tools.

Cyber kill chain

The process graph resume the cyber kill chain used by the attacker.

References MITRE ATT&CK Matrix

List of all the references with MITRE ATT&CK Matrix

Enterprise tactics	Technics used	Ref URL

Indicators Of Compromise (IOC)

List of all the Indicators Of Compromise (IOC)

Indicator	Description
	Domain requested
	IP requested
	HTTP/HTTPS requests
	IP C2
	Domain C2

This can be exported as JSON format Export in JSON

Links

Original tweet: https://twitter.com/Timele9527/status/1173431630171492352

Links Anyrun:

Samples :

• 86ccedaa93743e83787f53e09e376713.docx
• d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7.doc
• 01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx
• 17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc
• A1719.docx
• INGOs Spending on Rohingyas.doc
• Scan0012.docx

Opendir:

• SecurityM Opendir
• ScanSecurity Opendir

Documents:

• UACme