# Evolution after prosecution
 : Psychedelic APT41


-----

### Who we are

###### Aragorn Tseng Charles Li Peter Syu Tom Lai


###### Malware Analysis Incident Response Threat Intelligence


###### Malware Analysis
 Threat Hunting Threat Intelligence


###### Malware Analysis Incident Response Tool Development


###### Incident Response
 Malware Analysis
 Penetration


-----

### AGENDA

###### 01 Initial Access

 02 Cobalt Strike Loader

 03 APT41’s Backdoor

 04 C2 Hiding Technique

 05 Relation to other operations


-----

## The content of APT41 in this
 talk is mainly from
 2020/9 to 2021/8


-----

### Target Country


###### Talk in last section


-----

### Target Industry

###### Healthcare High-tech Airlines


###### Telecom


###### Manufacturing


###### Media


###### Education Gaming Government Financial Energy Research


-----

### New TTP

 Dll hollowing technique

 Certificate bypass

 InstallUtil

 Early bird code injection

 CDN service and Cloudfare worker

 Some new backdoor


-----

### Initial Access

 CVE-2021-34527(printnightmare)

 SQL vulnerabilities

 phpmyadmin vulnerabilities

 Web vulnerabilities

 Flash installer

 Fake Decoy Icon


-----

## Cobalt Strike loader


-----

#### g Cobalt Strike


###### Use certificate bypass and dll hollowing technique in Chatloader


###### 2021.4


###### Use funnyswitch to load Cobalt Strike and use early bird code injection technique


###### 2020.7


###### Use CDN service in Cobalt Strike, especially DNS beacon


###### 2021.1


###### Chacha20 shellcode or loader(Chatloader) appeared to extract Cobalt strike Beacon


###### 2020.11


###### 2021.3


###### Use multiple .NET loaders and misuse InstallUtil to load CobaltStrike 2021.6


-----

### Chatloader

 Uses chacha20 algorithm to decrypt the payload

 Most of the payload is Cobalt Strike, but we have also seen another backdoor

 ETW bypass

 Dll hollowing

 Certificate bypass(MS13-098)

###### offset length data

 0x0:0xC 0xC config nonce

 0xc:0x10 0x4 config crc32

 0x10:0x14 0x4c config_enc_length

 0x14:0x14+config_enc config_enc_length ciphertext
 _length

 0 100 0 120 0 20 fi k

|te bypass(MS13-098)|Col2|Col3|
|---|---|---|
|offset|length|data|
|0x0:0xC|0xC|config nonce|
|0xc:0x10|0x4|config crc32|
|0x10:0x14|0x4c|config_enc_length|
|0x14:0x14+config_enc _length|config_enc_length|ciphertext|


-----

###### Header:CB2F29AD

|length|data|
|---|---|
|0x4|Header|
|0x4|Check User is SYSTEM|
|0x4|Mutex trigger|
|0x4|Delete Loader trigger|
|0x4|Patch EtwEventWrite trigger|
|0x4|Process Hollowing trigger|
|0x4|Injected Process Name Length(x2)|
|InjectedProcess Name Length(x2)|InjectedProcess Name|
|0x4|Payload in Loader|
|0x4|Payload Name Length(x2)|
|Payload Name Length(x2)|Payload Name|
|0x4|Payload Size|
|0x4|Payload FilePointor|

|length|data|
|---|---|
|0x4|Header|
|0x4|Check User is SYSTEM|
|0x4|Mutex trigger|
|0x4|Delete Loader trigger|
|0x4|Patch EtwEventWrite trigger|
|0x4|Payload in Loader|
|0x4|Payload Name Length(x2)|
|Payload Name Length(x2)|Payload Name|
|0x4|Payload Size|
|0x4|Payload FilePointor|
|0x4|Payload crc32|
|0xC|Payload Nonce|


###### 0x4 Payload crc32


-----

### Chatloader config example


====== Decrypt Config ======

Config Nonce (12 bytes) = 0xb5 0x5e 0x14 0x8d 0x46 0xe1 0x2e 0x97 0x5d 0x3d 0x75 0xf1

Config Nonce (base64) = tV4UjUbhLpddPXXx

Config CRC32 = 0xe 0xdc 0xac 0xad

Config CRC32 (base64) = DtysrQ==

Ciphertext length = 48

Config Key = 0xa2 0x42 0x99 0x5 0x5f 0x1f 0xc 0x14 0xcb 0xdd 0xb 0x1 0xdf 0xa6 0x4c 0x34 0xf5 0xfd 0x3 0x3c 0xa7 0xf1 0xaf 0x30 0xa0 0xc7 0x5c 0x57 0x35 0x9d 0x41 0xe0

Config Key (base64) = okKZBV8fDBTL3QsB36ZMNPX9Azyn8a8woMdcVzWdQeA=

====== Config ======

Head = 0xad 0x29 0x2f 0xcb

Check User is SYSTEM = 0

Mutex trigger = 0

Delete Loader trigger = 0

Patch EtwEventWrite trigger = 1

Payload in Loader = 0

Payload Name Length = 14

Payload Name = Despxs.dll

Payload Size = 3f800

Payload FilePointor = 0


-----

### Dll Hollowing

###### wlbsctrl.dll

 Dll hijack


###### Synchost.exe’s
 Module


###### libEGL.dll

 Signed file

 Read File


###### Signed file


###### dll hollowing
 launcher Load module
 Create Process Find target dll in
 System32


###### Synchost.exe


###### Choose aaclient.dll


###### DLL Hollowing: Inject
 l l d i


-----

### Dll Hollowing (cont.)


-----

### Certificate bypass

###### The address of the Certificate Table


###### セワシ

 Valid certificate


###### セワシ

 Shell code


###### Valid certificate


###### signature length


-----

### .NET loader

###### 1. System.Configur ation.Install.Inst aller


###### kstvmutil.ax

 2.Read File
 payload
 and decrypt with AES

 .NET loader(obfuscation by ConfuserEx)


###### InstallUtil.exe KBDHE475. dll
 Payload:
 3.Inject cobalt strike or
 Use InstallUtil to bypass application payload via other backdoor:
 Process
 allowlist restrictions. ex: Natwalk
 Hollowing
 sdiagnhost.exe


###### payload


-----

### .NET loader structure

###### Version 2.63

 offset data

 offset 38(h) – md5 hash of offset 48 until end
 47

 offset 48-53 Sha256 as AES key

 offset 54-67 MD5 as AES IV

 offset 68 - end Encrypted payload with AES(ECB) After decryption

 Version 17.102

 offset Data

 offset 84(h) -93 md5 hash of offset 48 until end

 offset 94-9f Sha256 as AES key

 offset a0-ab MD5 as AES IV

 offset ac - end Encrypted payload with AES(ECB)

|offset|data|
|---|---|
|offset 0-3|must be 1F A4 3A AC|
|offset 4-7|the length of the payload|
|offset 8 - end|malware payload|

|offset|data|
|---|---|
|offset 38(h) – 47|md5 hash of offset 48 until end|
|offset 48-53|Sha256 as AES key|
|offset 54-67|MD5 as AES IV|
|offset 68 - end|Encrypted payload with AES(ECB)|

|offset|Data|
|---|---|
|offset 84(h) -93|md5 hash of offset 48 until end|
|offset 94-9f|Sha256 as AES key|
|offset a0-ab|MD5 as AES IV|

|offset|data|
|---|---|
|offset 0-3|must be 0C C0 73 95|
|offset 4-7|the length of the payload|
|offset 8 - end|malware payload|


-----

### Fishmaster loader

 PDB : C:\Users\test\Desktop\fishmaster\x64\Release\fishmaster.pdb

 Some have “Bidenhappyhappyhappy” in strings

 Two ways to decrypt payload

 Xor with hardcode key, ex:” Bsiq_gsus” or “miat_mg”

 Use UUIDShellcode and callback function


-----

### Funnyswitch loader

 Name from ptsecurity*, which will inject .NET backdoor funny.dll in memory

 We found new version loader(mcvsocfg.dll) which may target McAfee user

 E:\VS2019_Project\while_dll_ms\whilte\x64\Release\macoffe.pdb

 Another :

##### E:\\VS2019_Project\\prewhiltedll\\x64\\Release\\prewhiltedll.pdb

 We found the new loader inject Cobalt Strike and funny.dll


-----

### Early code injection Loader

 Using open source Alaris loader* to use

##### syscalls to run cobalt strike

 Load PNG resource as payload and decrypt

##### with RC4

 Using Detour to hook the Freelibrary API of

##### the launcher

 Using early bird code injection technique

 NtTestAlert

 KiUserApcDispatcher


-----

## Backdoor


-----

#### APT41’s Backdoor during 2020-2021


###### RBRAT


###### Spyder


-----

### errorroot

 A listening-port backdoor, was first found in 2019

 New version in 2021

 c:\js\js.pdb

 add “http://+:80/default” to the URL Group of the server to enable the server

##### to open port 80

 If the format of packet which connecting to the errorroot is wrong, the server

##### will send a unique error message:" <meta http-equiv="refresh" content="0;url=/">" and redirect you to http://[IP]/

 It can just use curl to send the instruction to errorroot


###### "curl -v http://[ip]/default -d echo -e ‘\x00\x00\x00\x00\x65\x71\xae\xdc\x12\x34\x56\x78\x01\xbc’ --output -"


-----

### Command of errorroot

|command|description|
|---|---|
|0x12|Kill Process|
|0x13|Mimikatz_kuhl_m_ts_session|
|0x18|Start process|
|0x19|Call function by address(offset+0x50,0x58,0x60)|
|0x1A|Call function by address (offset+0x70,0x80)|
|0x1B|Call function by address (offset+0x68)|
|0x1C|Call function by address (offset+0x78)|

|command|description|
|---|---|
|0x0|send victim info(computer name, User name, Process name, Os versiion, IP)|
|0x1|Open shell|
|0x2|close process/thread/handle|
|0x3|write data to pipe(must use 0x1 to open a pipe)|
|0x4|send pipe info|
|0x7|send logic drive info|
|0x9|List File|
|0xB|Upload File|
|0xD|Download File|
|0xF|Delete File|


-----

### RBRAT

 Name from its function prefix

 Ex: “RB”Shell

 May have some relations to Rbdoor

 Mutex

 googleupdater1.0.1

 Listen port backdoor

 Import table with windivert

 Add firewall rule

|command|description|
|---|---|
|0|beacon|
|1|Open a shell(RBShell)|
|2|Upload file(RBUpload)|
|3|download file(RBDownload)|
|4|collect system info|
|5|collect network info|
|6|list process|
|7|collect service info|
|8|take screenshot|
|250|File Exploer(RBFileExploer)|


-----

### RBRAT(cont.)

 Having magic number of packets just like

##### Rbdoor /Stone

 Magic number (static key)

 0xA1B5D2F，0x4A3C7FD5

 One of Rbdoor’s magic number :

##### 0xABC18CBA*

 Shell command of RBRAT

 May modified from Cryptcat


-----

### Natwalk

 Dropped by chatloader

 First seen in the wild in 2021/3, and first seen on VT in 2021/7

 Shellcode based backdoor

 It uses register + offset to call the Windows api (also used by crosswalk)

 The name is from the unique file path it will look up :

##### “%AllUserProfile%\UTXP\nat\”


-----

### Natwalk(cont.)

 Transport protocol

 Raw TCP socket

 HTTPS:Post requests to C2 server

 gtsid : generated by CryptGenRamdom

 gtuvid : generated by CryptGenRamdom and md5 operation

 Uses chacha20 md5 to encrypt/decrypt the message to/from C2 server

###### the post request of Natwalk


###### raw TCP


-----

### Natwalk(cont.)

 Crosswalk also uses register + offset to call the Windows api in shellcode

 First cammand code are both 0x64

 But commands are different


-----

### Natwalk(cont.)


###### Software\Microsoft\Windows\CurrentVersion\Intern et Settings ProxyServer texplorer.exe %AllUsersProfile%\UTXP\nat\ %02X POST Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36 gtsid: gtuvid: https://msdn.microsoft.com https://www.google.com https://www.twitter.com https://www.facebook.com

|command|description|
|---|---|
|0x64|close connection|
|0x5C|create session key|
|0x66|open a shell|
|0x68|download file|
|0x70|Upload file|
|0x74|Delete File|
|0x78|kill process|
|0x7c|run shellcode|
|0x7e|Unknown|
|0x80|Unknown|
|0x82|list process|
|0x84|Unknown|
|0x8C|list service|


###### Unique string in the bottom of Natwalk


###### 0x8E list directory


-----

### HIGHNOON(Botdll64)

###### WmiApSrv.exe wbemcomn.dll sdhasjk.dll

 Dll hijack IAT modify


###### Decrypt payload with DPIAPI/AES


###### Botdll64.dll

 HIGHNOON
 Packed with UPX in memory
 Windivert.dll

 (3) re (2a)
 injected
 Matching
 packet
 packet

 (2b) non-matching packet


###### (1) packet


-----

### HIGHNOON Loader

###### DPAPI version
 AES version “F:\2019\RedEye\Door\Bin\Middle64.pdb”


-----

### HIGHNOON command

 Command is same as the HIGHNOON mentioned by Macnica* in 2018

|command|description|
|---|---|
|0|Bind Network Socket|
|1|Check IP address change and Receive Packet, Console Output|
|3|Console Output|
|4|Read //DEV//NULL and Console Output|
|5|Check IP address change and Receive Packet, Console Output|


-----

### Funnydll*

```
<?xml version="1.0" encoding="utf-8"?> <Config Group="redacted"
Password="test" StartTime="0" EndTime="24"
WeekDays="0,1,2,3,4,5,6"> <TcpConnector
address="4iiiessb.wikimedia.vip" port="443" interval="30-60"/>
</Config>

```

###### Base64+AES decrypt

 mcvsocfg.dll Stage_1.shellcode Funny.dll


###### config


###### Js module         


-----

### Funnydll

 In 2020, the config of funnydll is plaintext, in 2021, the config will decrypt by

##### funny.core.run which using AES and base64

 Command, protocol, and js module are same as 2020*


-----

### Shadowpad

 APT41 used the new builder of shadowpad in 2021, which was mentioned in

##### Ptsecurity’s report* which used new obfuscation method and decryption method for configuration

 We think this builder was a shared Tool, because we have also seen Naikon

##### Team use this builder

 Md5 of the loader:3520e591065d3174999cc254e6f3dbf5


###### def decrypt_string(src):
 key = struct.unpack("<H", bytearray(src[0:2]))[0] data_len = struct.unpack("<H", bytearray(src[2:4]))[0] data = src[4:4+data_len] result = "" i=0 while(i < data_len):


###### The method to decrypt the string of the configuration


###### tmp = key tmp += tmp key = key + (( tmp * 8 ) & 0xFFFFFFFF) + 0x107E666D result += chr(((HIBYTE(key) + BYTE2(key) + BYTE1(key) + LOBYTE(key)) ^ ord(data[i])) & 0xFF) i+=1


-----

### Shadowpad config example

id = 6/18/2021 11:26:19 AM
Messenger = TEST
Binary Path = %ALLUSERSPROFILE%\Microsoft\WinLSAM\
Binary Name = LSAM.exe
Loader Name = log.dll
Payload Name = log.dll.dat
Service Name = SystemAssociationManager
Service Display Name = System Association Manager
Service Description = This service provides support for the device association
software. If this service is disabled, devices may be configured with outdated
software, and may not work correctly.
Registry Key Install = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Registry Value Name = LocalSystemAssociationManager
Inject Target 1 = %windir%\system32\svchost.exe
Inject Target 2 = %windir%\system32\wininit.exe
Inject Target 3 =
Inject Target 4 =
Supposed to have 4 server
Server1 = TCP://1dfpi2d8kx.wikimedia.vip:443
Server2 =
Server3 =
Server4 =
Socket 1 = SOCKS4
Socket 2 = SOCKS4
Socket 3 = SOCKS5
Socket 4 = SOCKS5
DNS 1 = 8.8.8.8
DNS 2 = 8 8 8 8


###### config offset:0x96


-----

## C2 Hiding


-----

### CDN service

 Https beacon : direct use CDN service

 Ex: microgoogle[.]ml

 DNS beacon

###### Real C2 IP


###### ns1.hkserch.com

 No resolution


-----

###### beacon C2 domain on some specific IP, ex: 8.8.8.251, 4.2.2.2


-----

### Cloudfare Worker


##### use Cloudflare Workers as redirector to hide the real C2 IP

###### proxy Real C2 Victim

 Cloudfare worker

 d d f k d


-----

## Relation to other operations


-----

##### APT41 and fishmaster operation


###### Fishmaster operation – TAG-22*


##### APT41 and

###### Funnyswitch

##### fishmaster operation dropper which 

###### injected cobalt strike

 New builder of Shadowpad Same PDB string
 ITW Url
 Same Xor key:
 Funnyswitch
 0x3A
 dropper which  injected funnydll
 Cobalt strike payload

 Fishmaster operation – TAG-22*


-----

###### Other operation

 IR case #Goblin panda cobaltstrike

cobaltstrike

[security_audit_template_final.doc](https://www.virustotal.com/gui/search/name%253Asecurity_audit_template_final.doc)

###### *RedFoxtrot Drop PCshare


-----

###### #Goblin panda

##### Connection to Gobling Panda or Other Chinese APT

###### *RedFoxtrot

[security_audit_template_final.doc](https://www.virustotal.com/gui/search/name%253Asecurity_audit_template_final.doc)

###### Drop PCshare


-----

### HW operation

 To detect the security issues of key national infrastructure, and to test their

##### event monitoring and ability to quickly coordinate with emergency incident

 The target involves many industries, including government, finance, electricity,

##### and business key enterprises in China.

 From OSINT, the operation started from 4/8 in 2021


-----

-----

### Maybe link to HW operation

###### Cobalt strike loader in IR case
 Cobalt strike loader in IR case
 which use alaris loader with
 Funnyswitch which used early bird code injection
 resource png payload


### Maybe link to HW operation

###### Cobalt strike loader in IR case
 Cobalt strike loader in IR case
 which use alaris loader with
 Funnyswitch which used early bird code injection
 resource png payload

 Same Cobalt
 Same unique
 Same loader strike payload
 shellcode in
 header
 caculating api hash

 调整中移在线服务有限公司
 运维安全管理与审计系统 VPN统一身份证认证
 南京木百文化传媒有限公司.exe 职工五险一金缴纳比例的通
 单点登录插件.exe ID.exe
 知.exe


-----

### Used(stolen) certificate

 Happytuk Co.,Ltd.

 Serial Number : 0E D4 DF 10 33 39 3F F2 AF 41 C5 71 A6 AA 19 D7

 Rhaon Entertainment Inc

 Serial Number : 06 80 8C 59 34 DA 03 6A 12 97 A9 36 D7 2E 93 D4

 Subgroup which maybe had relation to APT41

 Quickteck.com

 Serial Number : 70 D8 96 11 7E 15 30 2C 7E EF EC B2 89 B3 BF E0

 주식회사엘리시온랩(Elysion Lab Co., Ltd.)

 Serial Number : 03 D4 33 FD C2 46 9E 9F D8 78 C8 0B C0 54 51 47

 1.A Connect GmbH

 Serial Number : 00 A7 E4 DE D4 BF 94 9D 15 AA 42 01 84 3F 1A B6 4D


-----

### Takeaway

 Various kind of cobalt strike loader and some new attack techniques

 New backdoor ex: RBRAT and Natwalk

 C2 hiding techniques

 Relation to other operations


-----

### IOC

 Chatloader

7ee9b79f4b5e19547707cbd960d4292f

F5158addf976243ffc19449e74c4bbad

1015fa861318acbbfd405e54620aa5e3

a1d972a6aa398d0230e577227b28e499

 .NET loader

bd2d24f0ffa3d38cb5415b0de2f58bb3

 Fishmaster loader

 Funnyswitch loader

e0a9d82b959222d9665c0b4e57594a75

07a61e3985b22ec859e09fa16fd28b85

d720ac7a6d054f87dbafb03e83bcb97c

F85d1c2189e261d8d3f0199bbdda3849

5b2a9a12d0c5d44537637cf04d93bec5

 Early bird code injection loader

4598c75007b3cd766216086415cc4335

Fd6ae1b8713746e3620386a5e6454a8d

b028b4f8421361f2485948ca7018a2b0


 Errorroot

e960a17265925cf0f5706c9610551dd1

be473559dbd0098baab3e2a8ac40b780

 RBRAT

abbf8ae67cd49376a27e91f14852427e

6b852b60fc55ae2e4bb4141968b4d941

1746e35114807673c9af708c0b08213c

 Natwalk

1d36404f85d94bea6c976044cb342f24

7c6e75e70d29e77f78ea708e01e19c36

 HIGHNOON loader

407b5200c061123c9bd32e7eea21a57b

5b99fa01c72cebc53a76cc72e9581189

 Funnydll

e0a9d82b959222d9665c0b4e57594a75

 Shadowpad

af7cef9e0e6601cae068b73787e3ae81


-----

### IOC

###### symantecupd.com

 microsoftonlineupdate.dynamic- dns.net

 www.sinnb.com

 pip.pythoncdn.com

 img.hmmvm.com

 reg.pythoncdn.com

 bbwebt.com

 ns1.tkti.me

 test.tkti.me

 ns1.microsofts.freeddns.com

 api.aws3.workers.dev

 ns1.hkserch.com

 godaddy1.txwl.pw

 godaddy2.txwl.pw

 ns.cdn06.tk

 update.facebookdocs.com

 ns1.dns-dropbox.com


###### microgoogle.ml

 www.google-dev.tk

 api.gov-tw.workers.dev

 103.255.179.54

 www.omgod.org

 154.223.175.70

 687eb876e047.kasprsky.info

 zk4c9u55.wikimedia.vip

 193.38.54.110

 api.aws3.workers.dev

 4iiiessb.wikimedia.vip

 45.32.123.1

 158.247.215.150

 ntp.windows-time.com

 trulwkg5c.tg9f6zwkx.icu

 windowsupdate.microsoft.365filteri ng.com

 wustat.windows.365filtering.com


###### ns1.wystedba.top

 ns.cloud20.tk

 ns.cloud01.tk

 ns1.token.dns05.com

 sculpture.ns01.info

 work.cloud20.tk

 work.cloud01.tk

 help01.softether.net

 cloud.api-json.workers.dev

 update.microsoft-api.workers.dev

 up.linux-headers.com

 p.samkdd.com

 ns1.microsoftskype.ml

 ns1.hongk.cf

 ns1.163qq.cf

 163qq.cf

 depth.ddns.info


###### ooliviaa.ddns.info

 mootoorheaad.ns01.info

 token.dns04.com

 ns1.watson.misecure.com

 vt.livehost.live

 sociomanagement.com

 ns1.hash-prime.com

 wntc.livehost.live

 smtp.biti.ph

 perfeito.my

 cdn.cdnfree.workers.dev

 www.microsofthelp.dns1.us

 ns1.mssetting.com

 www.corpsolution.net

 www.mircoupdate.https443.net

 publicca.twhinet.workers.dev


-----

### Reference

 [1] https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti
###### group.pdf

 [2] https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41
###### backdoors-old-and-new/

 [[3] https://www.lac.co.jp/lacwatch/report/20210521_002618.html](https://www.lac.co.jp/lacwatch/report/20210521_002618.html)

 [[4] https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/](https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/)

 [[5] https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/](https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/)

 [[6] https://hitcon.org/2018/pacific/downloads/1214-R2/1330-1400.pdf](https://hitcon.org/2018/pacific/downloads/1214-R2/1330-1400.pdf)


-----

## THANK YOU!

##### aragorn@teamt5.org
 charles@teamt5.org
 peter@teamt5.org
 tom@teamt5.org


-----