CyberThreatIntel/Pakistan/APT/Gorgon/23-08-19/Malware analysis 25-08-19.md
2019-08-26 19:11:36 +02:00

182 lines
15 KiB
Markdown

# Malware analysis on Gorgon APT campaign (23-08-19)
## Table of Contents
* [Malware analysis](#Malware-analysis)
+ [Initial vector](#Initial-vector)
+ [First stage](#First)
+ [Second stage](#Second)
+ [Loader + Frombook](#Loader)
+ [Cyber kill chain](#Cyber-kill-chain)
* [Cyber Threat Intel](#Cyber-Threat-Intel)
+ [Bitly link](#bitly)
+ [C2 domains](#C2)
+ [The troubling case of the Hagga account](#Hagga)
* [IOC](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
* [Links](#Links)
+ [Original Tweet](#Original-Tweet)
+ [Link Anyrun](#Links-Anyrun)
+ [Ref previous analysis](#Documents)
## Malware-analysis <a name="Malware-analysis"></a>
### Initial vector <a name="Initial-vector"></a>
###### Use a document with a macro as initial vector. On the code of the macro, some functions with differents names are used with the same code inside for obfuscate and make more harder the analysis.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Macro/Samefunctions.PNG "")
###### Use in more at the function, strReverse for reverse the data. Finally, combine it and execute it with a Shell request.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Macro/macroCode.png "")
###### This use mshta command for download and execute the external content. The bitly URL go on the pastebin share and is the first stage.
### First stage <a name="First"></a>
###### The first stage executed on the computer is a js script who use nested unescape (3 times).
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20stage%201/Unescape1.PNG "")
###### At the 3th layer, we can see a vb script using some obfuscating methods (StrReverse, splited variables, multiples Wscript objects)
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20stage%201/Unescape3.PNG "")
###### Finally, the script kills the word, excel, publisher and powerpoint instances, add a persistence for re-executes this script for reinfecting the computer and create two schedule task for the second stage and close the hidden window. The persistence by Run key can look like useless but it used like an updating vector for change the TTPs or executing a kill switch on the operation.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20stage%201/VBcodefinal.PNG "")
### Second stage <a name="Second"></a>
###### The first pastebin use too a js script with with 3 layers of unescape and the previous obfuscating methods.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20stage%202/Unescape3.PNG "")
###### We can observe two additionals requested pastebin links, the first use the LoadWithPartialName funcion by Reflection Assembly in NET framework for download and execute raw hex data in memory, in addition, this executes an array of bytes of the PE downloaded by a hijack of the calc program. The second pastebin link close the hidden window.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20stage%202/VBcodefinal.PNG "")
### Loader + Frombook <a name="Loader"></a>
#### Loader
###### The loader have one layer of obfuscation in using the getstring method for have the command and the data of the future dll.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/tab.PNG "")
###### After this replace the caracters %_ by 0x with the replace function for get a valid array of hex bytes and execute it in memory.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/layer2tab.PNG "")
###### The dll is protected with the ConfuserEx (1.0.0.0) protector, we can see the escaped caracters and the reference module.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/confuserExref.png "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/confStrings.png "")
###### Once the protection removed, we can see the functions used by the dll.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/unpack.png "")
###### The run method get the payload string push by the second PE, decode it and execute it.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/run.png "")
#### Frombook
###### We can observe on the structure, the encoding for scale the data and add junk code on the PE for avoid the detection of the AV (here, in the "Currentversion" string.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Frombook/dec.png "")
###### This sample is programming in C++ (Frombook is available in many language : VB, C, C++, C#...) and check the PE structure.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Frombook/CheckPE.png "")
###### This continue to detect and steal the data from the navigators.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Frombook/choicenav.png "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Frombook/chrome.png "")
##### This parsed and steal the passwords.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Frombook/config.png "")
##### We can observe the useragent settings who send the data to the C2.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Frombook/useragent.png "")
##### This use a run key as persistence for the frombook module.
##### Some features of Frombook form the cyberbit analysis can be observed in this analysis and the execution on the anyrun sandbox :
* ###### Process Hollowing
* ###### Keystroke logging
* ###### Clipboard monitoring
* ###### HTTP/HTTPS/SPDY/HTTP2 form and network request grabbing
* ###### Browser and email client password grabbing
* ###### Capturing screenshots
* ###### Bot updating
* ###### Downloading and executing files
* ###### Bot removing
* ###### Launching commands via ShellExecute
* ###### Clear browser cookies
* ###### Reboot the system
* ###### Shutdown the system
* ###### Download and unpack ZIP archive
### Cyber kill chain <a name="Cyber-kill-chain"></a>
###### These process graphs represents the cyber kill chain of the initial vector and the Frombook module.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/cyber.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/cyberfrom.PNG "")
### Cyber Threat Intel<a name="Cyber-Threat-Intel"></a>
#### Bitly link <a name="bitly"></a>
###### Bitly short link is currently used since June 2019 by the Gorgon Group, we can report all the clicks by location in this map world (don't forget that the sandbox goes to the links that this can modify this graphic representation.)
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Bitlyclicks.png "")
#### C2 domains <a name="C2"></a>
###### In the first time, we can note that all domains used as C2 contacts can be resolved.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/FakeC2domains.png "")
###### In the second time, if we reported all the domains for see if this registered in the WHOIS, we note again that some domains aren't be registered and used as fake domains. All the active domains are active in the last three months, that is match with the recent campaign since the June month.
|Domain|Status|
|:--------------- |:-------------|
|www[.]thedip.zone | not been registered yet|
|www[.]ycsfuoabdicating.review | not been registered yet|
|www[.]hongmenwenhua.com | registered but inused [Link](https://www.whois.com/whois/hongmenwenhua.com)|
|www[.]41230077.net | not been registered yet|
|www[.]1688jtn.com | not been registered yet|
|www[.]ichoubyou.net | registered and used [Link](https://www.whois.com/whois/ichoubyou.net) |
|www[.]grupomsi.com | unregistered / Domain to sale [Link](https://www.whois.com/whois/grupomsi.com)|
|www[.]qp0o1j3-dmv4kwncw8e.win | not been registered yet|
|www[.]klapki.online | not been registered yet|
|www[.]tourismmanagement.mba | not been registered yet|
|www[.]6474sss.com | not been registered yet|
|www[.]theaterloops.com | clientTransferProhibited [Link](https://www.whois.com/whois/theaterloops.com)|
|www[.]sukfat.com| clientTransferProhibited [Link](https://www.whois.com/whois/sukfat.com)|
#### The troubling case of the Hagga account <a name="Hagga"></a>
###### Like reported by me, the 15th May 2019 [(Link)](https://twitter.com/Arkbird_SOLG/status/1128696982783123457) after analysing the sample request of [JAMESWT_MHT](https://twitter.com/JAMESWT_MHT), this recurrent account have use pastebin as malware provider and drop many times different RAT and used each times the same tool obfuscating the strings with escape function and the "MySexoPhone" reference.
###### As reported by [Dodge This Security](https://twitter.com/shotgunner101) in this tweet [(link)](https://twitter.com/shotgunner101/status/1128753406259138560) and by cyberbit analysis some troubling timeline and malware used in the campaign and hosted by Hagga account. This can be proved this involvement in the Gorgon group.
###### Additionnal references :
* [HONKONE_K tweet about Gorgon group](https://twitter.com/HONKONE_K/status/1141181664296501252)
* [Revenge RAT dropped by Hagga account](https://twitter.com/Arkbird_SOLG/status/1159862633916506112)
* [Excel macro -> mshta bitly link -> AgentTesla dropped by Hagga account](https://twitter.com/jcarndt/status/1153678656784482304)
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
###### List of all the references with MITRE ATT&CK Matrix
|Enterprise tactics|Technics used|Ref URL|
| :---------------: |:-------------| :------------- |
|Execution|T1059 - Command-Line Interface<br>T1106 - Execution through API<br> T1170 - Mshta<br>T1086 - PowerShell<br>T1053 - Scheduled Task<br>T1064 - Scripting<br>T1059 - Command-Line Interface|https://attack.mitre.org/techniques/T1059<br>https://attack.mitre.org/techniques/T1106<br>https://attack.mitre.org/techniques/T1170<br>https://attack.mitre.org/techniques/T1086<br>https://attack.mitre.org/techniques/T1053<br>https://attack.mitre.org/techniques/T1064<br>https://attack.mitre.org/techniques/T1059|
|Persistence|T1060 - Registry Run Keys / Startup Folder<br>T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1060<br>https://attack.mitre.org/techniques/T1053|
|Privilege Escalation|T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1053|
|Defense Evasion|T1170 - Mshta<br>T1064 - Scripting|https://attack.mitre.org/techniques/T1170<br>https://attack.mitre.org/techniques/T1064|
|Credential Access|T1081 - Credentials in Files|https://attack.mitre.org/techniques/T1081|
|Collection|T1113 - Screen Capture<br>T1114 - Email Collection|https://attack.mitre.org/techniques/T1113/<br>https://attack.mitre.org/techniques/T1114|
## Indicators Of Compromise (IOC) <a name="IOC"></a>
###### List of all the Indicators Of Compromise (IOC)
| Indicator | Description|
| ------------- |:-------------|
|IMG76329797.xls|e66181155a9cd827def409135334ecf173459e001e79853e1b38f2b8e5d8cc59|
|mse60dc.exe|de314d038d9b0f8ff32cfe3391c4eec53a3e453297978e46c9b90df2542ed592|
|bitly.com|domain requested|
|xaasxasxasx.blogspot.com|domain requested|
|resources.blogblog.com domain requested|
|pastebin.com domain requested|
|67.199.248.14|ip requested|
|67.199.248.15|ip requested|
|104.20.208.21|ip requested|
|http[:]//www[.]bitly[.]com/aswoesx8sxwxxd |HTTP/HTTPS requests|
|https[:]//pastebin[.]com/raw/rjfk3j9m |HTTP/HTTPS requests|
|https[:]///pastebin[.]com/raw/tgP7S1Qe |HTTP/HTTPS requests|
|https[:]//pastebin[.]com/raw/0rhAppFq |HTTP/HTTPS requests|
|https[:]//pastebin[.]com/raw/c3V923PW |HTTP/HTTPS requests|
|https[:]//pastebin[.]com/raw/VFUXDF7C |HTTP/HTTPS requests|
|http[:]//www[.]ichoubyou[.]net/ao/?3f9L=Lo3E2+YBaBWDL2bUvw2B2SYfQBwPkMAIH1i2HT9ocxT5reT2XuVh6G9ligbLGsBAAwhLuQ==&BbBX=LhTpETx8Zdn |HTTP/HTTPS requests|
|http[:]//www[.]grupomsi[.]com/ao/?3f9L=Kbq++Y0aAgDxGCx7fxZFucXlrMdtuSyVttVG37Ejsga78k8ZP/EpUCryDr6PmBWAbaydAw==&BbBX=LhTpETx8Zdn&sql=1 |HTTP/HTTPS requests|
|http[:]//www[.]grupomsi[.]com/ao/ |HTTP/HTTPS requests|
|http[:]//www[.]theaterloops[.]com/ao/?3f9L=M0MA2fUiqMbVb6H3GNVaAqJS8mhIciwdMXRISKDsKJcWUJLkZY1j+YIFBEd9s0Uz5tYaIQ==&BbBX=LhTpETx8Zdn&sql=1 |HTTP/HTTPS requests|
|http[:]//www[.]theaterloops[.]com/ao/ |HTTP/HTTPS requests|
|http[:]//www[.]sukfat[.]com/ao/ |HTTP/HTTPS requests|
|http[:]//www[.]sukfat[.]com/ao/?3f9L=i08SS1jJNzlL2PYEM5jjY78DODQHD8SSq/VJ1wVBwRJ7J5CmvaFz3C5neJ7p21NB5nPOdg==&BbBX=LhTpETx8Zdn |HTTP/HTTPS requests|
|www[.]hongmenwenhua[.]com |Domain C2|
|www[.]ichoubyou[.]net |Domain C2|
|www[.]grupomsi[.]com |Domain C2|
|www[.]sukfat[.]com |Domain C2|
|www[.]theaterloops[.]com |Domain C2|
|210.188.195.164|IP C2|
|23.20.239.12|IP C2|
|185.68.16.122|IP C2|
|199.192.23.220|IP C2v
###### This can be exported as JSON format [Export in JSON]()
## Links <a name="Links"></a>
* Original tweet: https://twitter.com/Rmy_Reserve/status/1164405054746460161 <a name="Original-Tweet"></a>
* Anyrun Link: <a name="Links-Anyrun"></a>
+ [IMG76329797.xls](https://app.any.run/tasks/3cff3642-1d54-4a66-8f0d-256f0065479b)
+ [inj2.exe](https://app.any.run/tasks/d7365b93-470c-4e2e-bc6d-5e43c711d72e)
* Docs : <a name="Documents"></a>
+ [Gorgon analysis by Unit42](https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/)
+ [The Evolution of Aggah: From Roma225 to the RG Campaign ](https://securityaffairs.co/wordpress/89502/malware/evolution-aggah-roma225-campaign.html)
+ [Frombook analysis from cyberbit (June 2019)](https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/)