#### The Secret Life of RATs: connecting the dots by dissecting multiple backdoors

###### Cyber Defense Institute, Inc. Kawakami Ryonosuke, Nakajima Shota / Trend Micro

-----

##### > whoami

Shota Nakajima
➢ He is engaged in malware analysis, incident response work, and threat research at Cyber Defense Institute, Inc.
➢ Has presented at JSAC2018~2024 and at domestic and international conferences.
➢ He has conducted workshops at Security Camp and JSAC.

Kawakami Ryonosuke
➢ He is engaged in malware analysis, incident response work, and threat research at Cyber Defense Institute, Inc.
➢ Hobby/Interest: reverse engineering and implementing attack techniques.
➢ This is his first appearance at JSAC.

Trend Micro
➢ He focuses on threat intelligence research in the Asia Pacific region at Trend Micro Inc.
➢ He specializes in threat hunting, incident response, malware analysis and targeted attack research.

-----

###### Three Possible Related Incidents (Actors)

• GroundPeony
  • Taiwan, Hong Kong, Korea, Nepal, India
  • Government agencies, educational and research institutions, telecommunications carriers
• RatelS
  • APT for organizations in Japan
• Earth Estries (FamousSparrow)
  • Philippines, Taiwan, Malaysia, South Africa, Germany and the U.S.A.
  • Government agencies and technology industry organisations.
-----

##### Overview

Figure (overview of the three chains): 1st Stage (shellcode loader) → 2nd Stage (in-memory PE loader) → Payload. Labels on the figure: GroundPeony uses micDown; Ratel Master uses RatelS; Earth Estries uses HemiGate; Mofu Loader; SlyMongo; "Decrypt by RC4 with hardcoded key"; "Decrypt by Custom Alg"; "Decrypt by RC4 with" (cut off on the slide).

-----

##### micDown (GroundPeony)

● Created in ProgramData¥mic¥
● mic.exe
○ Legitimate file used for side-loading
● version.dll
○ DLL, executed via side-loading, that decrypts and reads mic.doc
● mic.doc
○ Encoded Mofu Loader
○ Decrypts and executes the encoded micDown payload
● mic.ver
○ micDown config file (read by the payload in mic.doc)

Figure (DLL side-load chain): mic.exe → version.dll → Load & Decrypt → mic.doc (Mofu Loader, micDown) / mic.ver (micDown config)

-----

##### HemiGate (Earth Estries)

● Created in ProgramData¥WinDrive¥
● taskhask.exe
○ Legitimate file used for side-loading
● K7AVWScn.dll
○ DLL, executed via side-loading, that decrypts and reads taskhask.doc
● taskhask.doc
○ Encrypted Dracu Loader
○ Decrypts and executes the embedded second payload, HemiGate
● taskhask.dat
○ Encrypted config file for taskhask.doc (HemiGate config)

Figure (DLL side-load chain): taskhask.exe → K7AVWScn.dll → Load & Decrypt → taskhask.doc (Dracu Loader, HemiGate) / taskhask.dat (HemiGate config)

-----

##### RatelS

● msbtc.exe
○ Legitimate file used for side-loading
● VERSION.dll
○ Executed via side-loading
○ Decrypts msbtc.dat
● msbtc.dat
○ Encoded Mofu Loader
○ Decrypts and executes the encapsulated RatelS payload
● msbtc.cfg
○ RatelS config file

Figure (DLL side-load chain): msbtc.exe → VERSION.dll (Mofu loader) → Load & Decrypt → msbtc.dat (Mofu Loader, RatelS) / msbtc.cfg (RatelS config)

-----

# 01
### micDown vs RatelS

-----

##### DLL Side-Loading

● Both use the same legitimate application, but with a different hash
○ notiu.exe
○ OSS notification application
● Both implement the decryption routine in VerQueryValueW

Figure: GroundPeony 1st Stage Loader / RatelS 1st Stage Loader

-----

##### GroundPeony vs Ratel Master

● 1st Stage: the same legitimate application is used for DLL side-loading
● 2nd Stage: shellcode using the same algorithm to decrypt the payload
● The API hashing algorithm and the APIs used by the shellcode are the same

Figure (the two chains):
GroundPeony: notiu.exe → DLL Side-Load → Version.dll → Custom xor → shellcode → Custom xor + LZNT1 → micDown
RatelS: notiu.exe → DLL Side-Load → Version.dll → RC4 → shellcode → Custom xor + LZNT1 → RatelS

-----

##### DLL Side-Loading

● Function performed by the side-loaded DLL
○ VerQueryValueW
● No code-level similarity between the two VerQueryValueW implementations

Figure: GroundPeony 1st Stage Loader / RatelS 1st Stage Loader

-----

##### 2nd Stage PE Loader (Mofu Loader)

● The API hashing algorithm (ror 12) and the APIs used are the same

Figure: GroundPeony 2nd Stage Loader / RatelS 2nd Stage Loader

-----

##### 2nd Stage PE Loader (Mofu Loader)

● The custom XOR algorithm is the same
○ sub + xor + add

Figure: GroundPeony 2nd Stage Loader / RatelS 2nd Stage Loader

-----

##### Payload

● The magic number in the PE header of the 2nd payload, decoded by custom XOR + LZNT1, is removed

Figure: GroundPeony payload / RatelS payload

-----

##### RatelS x86 Version

● As reported by LAC, the RatelS builder only supports building the x64 version, even though the builder contains both x86 and x64 components

Figure: strings related to the x86 version module are included in the builder; the builder GUI only has a "Save x64" button

-----

##### Mofu Loader in VT

● Shellcode loader similar to the loader used in RatelS
● 2nd Stage used Mofu Loader but with a different payload

Figure labels: mdmerge.exe, MidlrtMd.dll, mdmerge.dat, MidlrtMt.dll (Encrypted SlyMongo), RC4, MidlrtMe.dll, Inject explore.exe

-----

##### SlyMongo

● Backdoor using the Mongoose framework, a networking library for embedded applications written in C/C++.

-----

##### SlyMongo: command list

| Command ID | Description | Command ID | Description |
|---|---|---|---|
| 0x1 | - | 0x10 | Reading file |
| 0x2 | - | 0x11 | Writing to file |
| 0x3 | - | 0x12 | Creating a directory |
| 0x4 | - | 0x13 | Rename |
| 0x5 | - | 0x14 | Deleting files |
| 0x6 | - | 0x15 | Launch of specified file (ShellExecuteA) |
| 0x7 | - | 0x16 | Enumerate files |
| 0x8 | - | 0x17 | Creating a directory |
| 0x9 | - | 0x18 | Enumerating processes |
| 0xA | Enumerate drive information | 0x19 | Granting SeShutdownPrivilege |
| 0xB | - | 0x1A | Setting flags |
| 0xC | - | 0x1B | Granting SeShutdownPrivilege |
| 0xD | Writing to file | 0x1C | Terminating processes |
| 0xE | Getting file information | 0x1D | - |
| 0xF | Network communication related settings | 0x1E | - |

-----

# 02
### HemiGate vs RatelS

-----

##### HemiGate vs. RatelS

● 1st Stage: no similarities in code, but similar techniques
● 2nd Stage: different in-memory PE loaders (Dracu Loader vs Mofu Loader)
● Payload: similarities at the implementation level, such as code and configurations, are recognized.
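Both first stages decrypt the next stage with RC4, HemiGate keying it with the first 0x10 bytes of the encrypted file and RatelS with a hardcoded key (see the "1st Stage main routine" slide that follows), and the decoded 2nd payload has its PE magic removed (the "Payload" slide above). The Python below is an added example for analysts, not code from the deck or from the malware: it implements both keying schemes and the header check a decryptor needs before handing the result to PE tooling. It assumes the ciphertext starts immediately after the 16-byte key, that a stripped header has its first two bytes zeroed, and the sample file is constructed.

```python
# Added example, not code from the deck or the analysed malware: a decryptor
# for the two first-stage RC4 keying schemes described above (HemiGate: key =
# first 0x10 bytes of the file; RatelS: hardcoded key) plus the check for the
# "PE magic removed" payload trick. Assumptions: ciphertext starts right after
# the 16-byte key, and a stripped header has its first two bytes zeroed.
from typing import Optional

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encrypt and decrypt are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def decrypt_embedded_key(blob: bytes) -> bytes:
    """HemiGate scheme: the first 0x10 bytes of the encrypted file are the key."""
    if len(blob) <= 0x10:
        raise ValueError("too short for a 16-byte key plus ciphertext")
    return rc4(blob[:0x10], blob[0x10:])

def decrypt_hardcoded_key(blob: bytes, key: bytes) -> bytes:
    """RatelS scheme: RC4 with a key hardcoded in the side-loaded DLL."""
    return rc4(key, blob)

def restore_mz(payload: bytes) -> Optional[bytes]:
    """Put 'MZ' back on a decoded payload whose DOS magic was removed, but only
    if e_lfanew still points at a 'PE\\0\\0' signature; None if not a PE."""
    if len(payload) < 0x40:
        return None
    e_lfanew = int.from_bytes(payload[0x3C:0x40], "little")
    if payload[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return payload if payload[:2] == b"MZ" else b"MZ" + payload[2:]

# Constructed sample (not a real file): a fake PE image with the "MZ" magic
# zeroed, wrapped HemiGate-style as key || RC4(key, image).
FAKE_PE = bytearray(0x80)
FAKE_PE[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> 0x40
FAKE_PE[0x40:0x44] = b"PE\0\0"
SAMPLE_KEY = bytes(range(0x10))
SAMPLE_FILE = SAMPLE_KEY + rc4(SAMPLE_KEY, bytes(FAKE_PE))
```

On a real taskhask.doc-style file, run decrypt_embedded_key on the file bytes and restore_mz on the result; a None from restore_mz means the key scheme or offset assumption does not hold for that sample.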
Figure (the two chains):
HemiGate: K7AVMScn.exe → DLL Side-Load → K7AVWScn.dll → RC4 → Shellcode (Dracu Loader) → Copy on memory → HemiGate
RatelS: notiu.exe → DLL Side-Load → Version.dll → RC4 → Shellcode (Mofu Loader) → Custom xor + LZNT1 → RatelS

-----

##### 1st Stage main routine

● No similarities in the implementation of the functions performed, but similarities at the TTP level, such as the use of RC4 and the file naming conventions for encrypted payloads

Figure: HemiGate 1st Stage decrypts with RC4 using the first 0x10 bytes of the encrypted file as the key; RatelS 1st Stage decrypts the encrypted files with RC4 using hardcoded keys

-----

##### HemiGate 2nd Stage

● Simple in-memory PE loader called Dracu Loader
○ The PE is appended after the shellcode

-----

##### HemiGate vs. RatelS

● Several code-level similarities and similarities in the communication implementation

Figure: HTTP request headers are similar (HemiGate / RatelS)

-----

##### HemiGate vs. RatelS

● Similarities at code level and in the C&C communication implementation

Figure: the code to get proxy information matches (HemiGate / RatelS)

-----

##### HemiGate vs. RatelS

● Similarities at code level and in the C&C communication implementation

Figure: the code in the authentication section matches (HemiGate / RatelS)

-----

##### HemiGate vs. RatelS

● Implementation does not match, but the coding style looks similar

Figure: the window name is the same (HemiGate / RatelS)

-----

##### HemiGate vs. RatelS

● Implementation does not match, but the coding style looks similar

Figure: the keylog output path and file name are similar (HemiGate / RatelS)

-----

##### HemiGate vs. RatelS

● Similarities in the structure of the config
○ Same size of one field in the config
○ Same format: [Flag][Port][C2 Address]
○ Interval numbers at the end
○ Similar size and layout of the whole config

Figure: HemiGate config / RatelS config, with the Port field marked in each

-----

##### HemiGate vs. PlugX

● HemiGate and PlugX show similarities in implementation

Figure: the window name is the same (HemiGate / PlugX)

-----

##### RatelS vs. PlugX

● As already reported by LAC, there are some implementation similarities between RatelS and PlugX

Figure: module mapping (RatelS / PlugX)

-----

##### HemiGate vs. RatelS vs. PlugX

● HemiGate and RatelS have matches at the implementation level and similarities at the coding-style level
● Implementation-level matches were also reported between PlugX and RatelS
● This suggests that these RATs might be related to the same or collaborating developers and share source code

| Family | Window Name | Module Implementation | Module Mapping | Similarity of communication | Similarity of Keylogging | Configuration Structure |
|---|---|---|---|---|---|---|
| HemiGate | ◯ | ◯ | ◯ | ◯ | ◯ | - |
| RatelS | ◯ | ◯ | ◯ | ◯ | ◯ | ◯ |
| PlugX | - | - | - | ◯ | ◯ | ◯ |

-----

# 03
### Other Findings

-----

###### HemiGate and PlugX on the same server

● We confirmed that HemiGate and PlugX were hosted on the same server
● In addition, we confirmed that the HemiGate C&C server matches the domain used by GroundPeony

Figure: 139[.]84[.]166[.]104 / onedrivo[.]com, used by GroundPeony and by Earth Estries (PlugX, HemiGate)

-----

###### Suspicious VT account uploading Mofu Loader

● Investigation of Mofu Loader on VT confirms that one account (d03b8b03) has uploaded multiple Mofu Loaders from CN and HK
● Some of the malware uploaded by the account is for testing purposes, so the account is unlikely to be a victim
● It should also be noted that the account uploaded SIESTAGRAPH and HUI Loader, which are linked to different threat actors

| First Seen | File Name | Country | Note |
|---|---|---|---|
| 2023/06/28 9:26 | Client.exe | CN, shenzhen | SIESTAGRAPH RC4 ver |
| 2023/06/28 8:45 | versions.dll | CN, shenzhen | HUI Loader (Compile Time 2023-06-21 08:16:07) |
| 2023/04/12 3:09 | OneDrive.zip | CN, shenzhen | Mofu Loader -> SlyMongo |
| 2023/03/23 3:01 | OneDrive.zip | HK | Mofu Loader -> SlyMongo |
| 2023/03/23 2:36 | NetLabs.zip | HK | Dracu loader -> Hemigate |

-----

# 04
### Summary

-----

##### Relationships between actors

● GroundPeony and Ratel Master shared Mofu Loader
● Earth Estries and GroundPeony shared C2
● RatelS and HemiGate have similar malware implementations
● Both also have similarities with PlugX
● HemiGate and SlyMongo with C2 for testing were submitted from the same VT account

From the above, we can infer that several groups

-----

##### Timeline

The slide lays the events out in four columns (GroundPeony, Earth Estries, RatelS Master, SlyMongo); they are listed here in chronological order.

● 2020-09-22: Domain registration for cloudshappen.com
● 2021-08-24: Domain registration for onedrivo.com
● 2022-02-24 03:38:03 UTC: Mofu Loader (to load SlyMongo) compile time
● 2022-02-24 03:40:11 UTC: Mofu Loader (to load SlyMongo) compile time
● 2022-04-15: Loader of Hemigate compile time
● 2022-05-09: Hemigate compile time
● 2022-05-24: Loader of Hemigate compile time
● 2022-06-30: Loader of Hemigate compile time
● 2022-10-05: Mofu Loader (to load SlyMongo) compile time
● 2022-12-03: RatelS Builder compile time
● 2022-12-15: SlyMongo compile time
● 2023-03-17: Spear phishing email sent to TW government
● 2024-10-23: version.dll compile time
● 2024-10-30: RatelS compile time
● 2024-11-06: micDown compile time

-----

##### IoC

| File Name | Sha1 | Note |
|---|---|---|
| 1.cab | 5f9c5655e779467fb353c74901cf66ede29647f1 | Dracu loader -> Hemigate |
| 2.cab | 84b8c462107ab54cf660ef33f969d937efad38f1 | PlugX |
| libvlc.dll | bc92d96b409e7bda6d46caf4843dc9507c45b00f | Mofu Loader -> SlyMongo |
| usost.ppt | f9b1ca8b5386bc93bbc49d63d4e18fd8f14f25a9 | SlyMongo, decrypted by libvlc.dll |
| OneDrive.zip | 3b7426be3bc95c860083516057a76f5605d59402 | Mofu Loader -> SlyMongo |
| OneDrive.zip | 86c60bb1513b98f8023b0f5e27b598125c3f75e0 | Mofu Loader -> SlyMongo |
| OneDrive.zip | 5bde79892a7944e415c9332fbf1a6768dff447b5 | Mofu Loader -> SlyMongo |
| NetLabs.zip | 213df95ee891a2235f04f7748dd2f955b2b3cb58 | Dracu loader -> Hemigate |

-----

##### YARA Rules

● Mofu Loader
● HemiGate (Payload)
● SlyMongo (Payload)

-----

##### YARA Rules

```
rule MofuLoader {
    meta:
        description = "detect MofuLoader in memory"
    strings:
        /*
        LAB_0000000f                              XREF[1]: 00000020(j)
        0000000f c1 ca 0c              ROR    EDX,0xc
        00000012 0f be c0              MOVSX  EAX,AL
        00000015 49 ff c3              INC    R11
        00000018 03 d0                 ADD    EDX,EAX
        0000001a 41 8a 03              MOV    AL,byte ptr [R11]
        0000001d 41 3a c7              CMP    AL,R15B
        00000020 75 ed                 JNZ    LAB_0000000f
        00000022 81 fa a1 a3 a0 1d     CMP    EDX,0x1da0a3a1
        00000028 74 62                 JZ     LAB_0000008c
        0000002a 81 fa d0 a7 17 47     CMP    EDX,0x4717a7d0
        00000030 74 45                 JZ     LAB_00000077
        00000032 81 fa a3 2c 59 8f     CMP    EDX,0x8f592ca3
        00000038 74 31                 JZ     LAB_0000006b
        0000003a 81 fa a0 f0 1f b0     CMP    EDX,0xb01ff0a0
        00000040 74 15                 JZ     LAB_00000057
        00000042 81 fa 4f 6a 65 d7     CMP    EDX,0xd7656a4f
        00000048 75 52                 JNZ    LAB_0000009c
        0000004a 41 0f b7 02           MOVZX  EAX,word ptr [R10]
        0000004e 44 8b 34 87           MOV    R14D,dword ptr [RDI + RAX*0x4]
        00000052 4c 03 f1              ADD    R14,RCX
        00000055 eb 45                 JMP    LAB_0000009c
        */
        $ror = { c1 c? 0c }
        $api_hashing = { 81 f? a1 a3 a0 1d 74 ?? 81 f? d0 a7 17 47 74 ?? 81 f? a3 2c 59 8f 74 ?? 81 f? a0 f0 1f b0 74 ?? 81 f? 4f 6a 65 d7 }
    condition:
        // the condition is missing from the slide; "all of them" is assumed here
        all of them
}
```

-----

##### YARA Rules

```
rule Hemigate {
    meta:
        description = "detect Hemigate in memory"
    strings:
        $cmd1 = ".?AVCATcpSocket@@"
        $cmd2 = ".?AVCBaseSocket@@"
        $cmd3 = ".?AVCFile@@"
        $cmd4 = ".?AVCmd@"
        $cmd5 = ".?AVCPro@@"
        $cmd6 = ".?AVCRdp@@"
        $cmd7 = ".?AVCShell@@"
        $cmd8 = ".?AVCSocket5@@"
        $cmd9 = ".?AVCSTlsSocket@@"
        $cmd10 = ".?AVCTransf@@"
        $cmd11 = ".?AVCFileMoniter@@"
        $cmd12 = ".?AVCKeylogPlug@@"
        $cmd13 = ".?AVCPipe@@"
    condition:
        8 of them
}
```

-----

##### YARA Rules

```
rule SlyMongo {
    meta:
        description = "Detect SlyMongo"
        hash = "3AA9AB1C50B6F1D8878C7F6FA9E21407579534F1C213DB5433003C14A29373E7"
    strings:
        /*
        0x14000dc93 3BCF          cmp ecx, edi
        0x14000dc95 0F8714030000  ja  0x14000dfaf
        0x14000dc9b 0F8442020000  je  0x14000dee3
        0x14000dca1 83E90A        sub ecx, 0xa
        0x14000dca4 0F8482010000  je  0x14000de2c
        0x14000dcaa 83E903        sub ecx, 3
        0x14000dcad 0F846C010000  je  0x14000de1f
        0x14000dcb3 83E901        sub ecx, 1
        0x14000dcb6 0F84AC000000  je  0x14000dd68
        0x14000dcbc 83E901        sub ecx, 1
        0x14000dcbf 0F848D000000  je  0x14000dd52
        0x14000dcc5 83E901        sub ecx, 1
        0x14000dcc8 7472          je  0x14000dd3c
        0x14000dcca 83E901        sub ecx, 1
        0x14000dccd 7460          je  0x14000dd2f
        0x14000dccf 83E901        sub ecx, 1
        0x14000dcd2 744A          je  0x14000dd1e
        0x14000dcd4 83E901        sub ecx, 1
        0x14000dcd7 7438          je  0x14000dd11
        0x14000dcd9 83F901        cmp ecx, 1
        0x14000dcdc 0F8554050000  jne 0x14000e236
        */
        $cmp_cmd = {3B CF 0F 87 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 83 E9 0A 0F 84 ?? ?? ?? ?? 83 E9 03 0F 84 ?? ?? ?? ?? 83 E9 01 0F 84 ?? ?? ?? ?? 83 E9 01 0F 84 ?? ?? ?? ?? 83 E9 01 74 ?? 83 E9 01 74 ?? 83 E9 01 74 ?? 83 E9 01 74 ?? 83 F9 01 0F 85 ?? ?? ?? ??}
    condition:
        // the condition is missing from the slide; matching the byte pattern is assumed here
        $cmp_cmd
}
```

-----

## Thank you

###### Do you have any questions?

-----
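The ror-12 API hashing named on the "2nd Stage PE Loader (Mofu Loader)" slide is the loop shown in the MofuLoader YARA comment above (ROR EDX,0xc; MOVSX EAX,AL; ADD EDX,EAX, repeated until the terminator). The Python below is an added example, not code from the deck or from the loader: it models that hash so the five compared constants can be checked against an export table. It assumes the hash seed is 0 and the terminator held in R15B is NUL; the export-name list is constructed for the demo.

```python
# Added example, not code from the deck or from Mofu Loader itself: a Python
# model of the API-hashing loop in the MofuLoader YARA comment
# (ror edx,0xc ; movsx eax,al ; add edx,eax ; repeat until the terminator).
# Assumptions: the hash starts at 0 and the terminator compared in R15B is 0;
# the export-name list below is constructed for the demo.
from typing import Dict, List, Optional

# The five 32-bit constants the loader compares the hash against (from the
# YARA rule's disassembly); the deck does not say which APIs they resolve to.
MOFU_HASHES: List[int] = [0x1DA0A3A1, 0x4717A7D0, 0x8F592CA3, 0xB01FF0A0, 0xD7656A4F]

def ror32(value: int, count: int) -> int:
    """32-bit rotate right, matching ROR on a 32-bit register."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF

def ror12_hash(name: bytes, seed: int = 0) -> int:
    """h = ror(h, 12) + sign_extend(byte) for every byte before the NUL terminator.
    MOVSX means bytes >= 0x80 are added as negative values (mod 2^32)."""
    h = seed
    for b in name.split(b"\0", 1)[0]:
        c = b - 0x100 if b >= 0x80 else b
        h = (ror32(h, 12) + c) & 0xFFFFFFFF
    return h

def build_table(export_names: List[str]) -> Dict[int, str]:
    """Precompute hash -> name for an export table (what an analyst feeds with
    a real DLL's export directory to resolve the loader's constants)."""
    return {ror12_hash(n.encode()): n for n in export_names}

def resolve(constant: int, table: Dict[int, str]) -> Optional[str]:
    return table.get(constant & 0xFFFFFFFF)

def resolve_all(table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map each constant from the loader to a name, or None if not in the table."""
    return {c: resolve(c, table) for c in MOFU_HASHES}

# Constructed candidate list for the demo; a real run would feed every export
# name of the DLLs the loader resolves from and report which constants match.
DEMO_EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "RtlDecompressBuffer"]
DEMO_TABLE = build_table(DEMO_EXPORTS)
```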