## Operation LagTime IT: Colorful Panda Footprint

##### Virus Bulletin 2020 localhost, Sept 30 to Oct 2, 2020

-----

### Fumio Ozawa

- SOC & malware analyst at NTT Security (Japan) KK
- Speaker at Japan Security Analyst Conference 2018

### Shogo Hayashi

- SOC & malware analyst at NTT Security (Japan) KK
- Responding to EDR detections and creating IoCs
- Co-founder at SOCYETI

### Rintaro Koike

- SOC & malware analyst at NTT Security (Japan) KK
- Founder & researcher at nao_sec

-----

# Introduction

-----

### TA428

- Chinese APT attack group
- Mainly targeting East Asian countries
- Recent operation: "LagTime IT"

### Operation LagTime IT

- Attack campaign by TA428 since around March 2019
- Targeting East Asian governmental organizations
- Using Royal Road RTF Weaponizer, Poison Ivy and Cotx RAT

-----

### Operation LagTime IT by TA428 is an attack campaign

- Targeting governmental organizations of East Asian countries
- Still in place and actively working as of 2020

### The existing research deals with only the initial stages

- Royal Road RTF Weaponizer, Poison Ivy and Cotx RAT
- Followed by a complex attack with more malware

### We succeeded in observing the subsequent attacks

- Lateral movement
- Unknown malware

-----

# Case 1

-----

### Lure document

- The lure document file is an RTF file generated by Royal Road RTF Weaponizer
  - Exploits CVE-2018-0798
  - Executes 2-byte-XOR-encoded shellcode
  - Decodes the "8.t" object and writes it to a ".wll" file

-----

### Poison Ivy: a RAT that has long been used by Chinese APT groups

#### Startup Sequence

- The Poison Ivy "useless.wll" placed in the Microsoft Word startup directory is automatically loaded and executed when Microsoft Word is started.
  - %APPDATA%\Microsoft\Word\STARTUP\useless.wll
- If the command line string contains "WORD.EXE", useless.wll runs the following command, which calls a function implemented in itself.
  - rundll32.exe %APPDATA%\Microsoft\Word\STARTUP\useless.wll,DllEntry10
- Function DllEntry10 decodes certain data with XOR and RC4 to restore the main backdoor program, then executes it.

-----

### Configuration

##### Decoded configuration data

|Item|Value|
|---|---|
|C&C Server|95[.]179.131.29:443|
||95[.]179.131.29:8080|
|Campaign ID|hold|
|Group ID|hold|
|Mutex|99x7nmpWW|
|C&C Traffic Encryption Key (Camellia-256 in ECB mode)|3&U<9f*lZ>!MIQ|

-----

### C&C Communication

- Same characteristics as the traffic generated by "SPIVY", a Poison Ivy variant
  - https://unit42.paloaltonetworks.com/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/

-----

### Cotx RAT: the original RAT used by TA428

#### Behavior

- Basically the same characteristics as reported in Proofpoint's blog
  - https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology

#### Configuration

##### Decoded configuration data

|Item|Value|
|---|---|
|C&C Server|mtanews.vzglagtime[.]net:443|
|"mark" field in the C&C beacon|1011_15|
|"passwd" field in the C&C beacon|P@SSaw1|

-----

### Outlook Password Dump v3.0

- Outlook Password Recovery Tool (the latest version is a commercial tool)
  - https://securityxploded.com/outlook-password-dump.php

-----

### nbtscan 1.0.35

- NETBIOS name server scanner (public tool)
  - http://www.unixwiz.net/tools/nbtscan.html

-----

# Case 2

-----

### Scan Tool for MS17-010

- ms17-010-m4ss-sc4nn3r v1.0
  - https://github.com/claudioviviani/ms17-010-m4ss-sc4nn3r/blob/master/ms17-010-m4ss-sc4nn3r.py

-----

### Exploit Tool for MS17-010

- eternalblue.py
  - https://github.com/pythonone/MS17-010/blob/master/exploits/eternalblue/eternalblue.py

-----

### Poison Ivy-B

#### Startup Sequence

- Either one of the following DLL files (Poison Ivy-B) is injected into lsass.exe on the remote host by the MS17-010 exploit tool and executed.
  - x86.dll: for 32-bit environments
  - x64.dll: for 64-bit environments
- The DLL file drops the following three files and executes PotPlayerMini.exe.
  - PotPlayerMini.exe: signed legitimate program
  - PotPlayer.dll: malware
  - PAME13.tmp: encoded configuration data
- PotPlayerMini.exe loads PotPlayer.dll, and PotPlayer.dll decodes PAME13.tmp to obtain the configuration data and starts working as a RAT.

-----

### Configuration

##### Decoded configuration data

|Item|Value|
|---|---|
|C&C Server|45[.]76.211.18:443|
||45[.]76.211.18:8080|
|Campaign ID|TOEI|
|Group ID|TOEI|
|Mutex|G9u3cUoJs|
|C&C Traffic Encryption Key (Camellia-256 in ECB mode)|kos@On|

### C&C Communication

- Same characteristics as the traffic of the Poison Ivy in Case 1

-----

### show.exe

- Windows Credential Stealer (original tool)
  - Steals usernames, domain names and passwords from the lsass.exe process.

-----

### Tmanger

#### Evidence

- PDB File Path
  - Found the string "Tmanger" in a directory name, which would represent this RAT

-----

### Startup Sequence and Persistence

- Tmanger "dwm.exe" is placed and executed by Poison Ivy-B.
- dwm.exe drops test.dll by extracting data from its resource section and expanding it.
  - %Temp%\test.dll
- dwm.exe drops master.exe by copying itself.
  - %Temp%\master.exe
- dwm.exe executes the following command.
  - rundll32.exe %Temp%\test.dll,Entery
- test.dll creates the following registry key and starts working as a RAT.
##### The registry key (Persistence)

|Key|Value|
|---|---|
|HKEY_CURRENT_USER\Software\Microsoft\Windows\|%Temp%\master.exe|

-----

### Configuration

- Three destinations with the same IP address but different port numbers
- If the first port cannot be reached, Tmanger tries to connect to the second port.

##### The decoded configuration data

|Item|Value|
|---|---|
|C&C Server|172[.]105.39.67:80|
||172[.]105.39.67:443|
||172[.]105.39.67:5222|

-----

### C&C Communication

- TCP Payload
  - Data Size (4 Bytes) + Encrypted Data
- Encryption
  - Algorithm: RC4
  - Key (512 bits)

-----

### C&C Communication

- Decrypted Data
  - Encoded PID (4 Bytes) + Command (1 Byte) + Content
- Encoded PID = ((PID % 9) × 1000) + ((PID % 1000) + 1000)

-----

### Command and Control

- Tmanger has the following functions:
  - Remote Shell (cmd.exe)
  - Remote Shell (powershell.exe)
  - Send Host Information
  - Send File Contents
  - Send Screen Capture Images
  - Delete Files
  - Keylogger

-----

### nccTrojan

#### Evidence

- PDB File Path

-----

### Startup Sequence and Persistence

- Poison Ivy-B places the installer "Instsrv.exe" and the nccTrojan "WindowsResKits.dll" in "C:\ProgramData\Microsoft\Crypto", then launches Instsrv.exe.
- Instsrv.exe copies WindowsResKits.dll to the following system directories.
  - %SYSTEMROOT%\System32\WindowsResKits.dll (in a 32-bit environment)
  - %SYSTEMROOT%\SysWOW64\WindowsResKits.dll (in a 64-bit environment)
- Instsrv.exe creates and starts the following fake service.
##### Fake service

|Name|Image path|
|---|---|
|Microsoft Windows Resource Kits|%SYSTEMROOT%\System32\svchost.exe -k WindowsResKits|

-----

### Configuration

##### Decoded configuration data

|Item|Value|
|---|---|
|C&C Server|45[.]77.129.213:443|
|Version Information|v2.1[exe]|
|Activation Code|ncc|

### Activation

- If the data received from the C&C server includes the activation code "ncc", nccTrojan activates its C&C functions.
- We call the new RAT "nccTrojan" because the activation code is characteristic of this RAT.

-----

### C&C Communication

- TCP Payload
  - SIZE Field (8 Bytes) + Encrypted DATA Field
  - The SIZE field expresses the data size in decimal, and unused digits are filled with the invalid character "x".

-----

### C&C Communication

- Encryption
  - Algorithm: AES-256 in CFB mode
  - Key (256 bits) / Initialization Vector (128 bits):

##### The encryption key and initialization vector

|Item|Value|
|---|---|
|Key (hex-encoded)|981511371412780969AFC3AB2072018709A83A3332466A8B56FF3FAB8E6C3DAA|
|IV (hex-encoded)|2042123224315117031B1A0A3CCDA53F|

-----

### C&C Communication

- Decrypted DATA Field
  - Size (8 Bytes) + Command (1 Byte) + Content + Padding
  - Size = length(Command + Content)
  - The format of the Size field is the same as that in the TCP payload.
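The Tmanger C&C format from the earlier Tmanger slides (4-byte Data Size + RC4 data; plaintext = Encoded PID + Command + Content, with the PID formula), as an added Go example that is not part of the talk or the presenters' decryption tool. The RC4 key value, the little-endian byte order and the sample frame are assumptions or constructed, since the slides give the layout and formula but not the key or byte order.

```go
package main

import (
	"crypto/rc4"
	"encoding/binary"
	"fmt"
)

// Constructed placeholder: the real 512-bit (64-byte) RC4 key is not reproduced on the slide.
var tmangerKey = []byte("0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
// Slide formula: Encoded PID = ((PID % 9) * 1000) + ((PID % 1000) + 1000).
func tmangerEncodePID(pid uint32) uint32 { return (pid%9)*1000 + (pid%1000 + 1000) }

// tmangerDecodePID inverts it: the field carries PID mod 1000 and PID mod 9, which fixes
// PID mod 9000 (CRT); PIDs of 9000 and above collide with a smaller candidate.
func tmangerDecodePID(enc uint32) uint32 {
	if enc < 1000 || enc > 9999 {
		return 0 // not producible by the formula
	}
	low, rem9 := enc%1000, enc/1000-1
	return low + 1000*((rem9+9-low%9)%9) // 1000 ≡ 1 (mod 9), so the result ≡ rem9 (mod 9)
}

// tmangerParse decodes one TCP payload: Data Size (4 bytes) + RC4-encrypted data whose plaintext
// is Encoded PID (4 bytes) + Command (1 byte) + Content. Little-endian is assumed (not on the slides).
func tmangerParse(key, payload []byte) (pid uint32, cmd byte, content []byte, err error) {
	if len(payload) < 4 {
		return 0, 0, nil, fmt.Errorf("payload shorter than the size field")
	}
	n := int(binary.LittleEndian.Uint32(payload))
	if n < 5 || n > len(payload)-4 {
		return 0, 0, nil, fmt.Errorf("size %d inconsistent with %d data bytes", n, len(payload)-4)
	}
	c, err := rc4.NewCipher(key)
	if err != nil {
		return 0, 0, nil, err
	}
	plain := make([]byte, n)
	c.XORKeyStream(plain, payload[4:4+n])
	return tmangerDecodePID(binary.LittleEndian.Uint32(plain)), plain[4], plain[5:], nil
}

// tmangerBuild is the inverse, used here only to construct a sample frame for the decoder.
func tmangerBuild(key []byte, pid uint32, cmd byte, content []byte) []byte {
	frame := make([]byte, 8, 9+len(content)) // size field + encoded PID, filled in below
	binary.LittleEndian.PutUint32(frame, uint32(5+len(content)))
	binary.LittleEndian.PutUint32(frame[4:], tmangerEncodePID(pid))
	frame = append(append(frame, cmd), content...)
	c, _ := rc4.NewCipher(key)
	c.XORKeyStream(frame[4:], frame[4:])
	return frame
}
```

Because only PID mod 9000 survives the encoding, a decoder can attribute a beacon to a process unambiguously only on hosts where the implant's PID is below 9000.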
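The nccTrojan framing on the slides above, as an added Go example that is not the presenters' decryption tool: it parses the "x"-padded decimal SIZE field, decrypts the DATA field with the key and IV from the slides, and unpacks the inner Size + Command + Content. Full-block CFB, digits-first padding of the size field and zero padding of the sample frame are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)
// Key and IV exactly as hex-encoded on the slides; the 32-byte key selects AES-256.
var nccKey, _ = hex.DecodeString("981511371412780969AFC3AB2072018709A83A3332466A8B56FF3FAB8E6C3DAA")
var nccIV, _ = hex.DecodeString("2042123224315117031B1A0A3CCDA53F")
// nccParseSize reads the 8-byte SIZE field at the start of b: the length in decimal, unused digits
// filled with the invalid character 'x'. Which side is padded is not stated, so both are accepted.
func nccParseSize(b []byte) (int, error) {
	if len(b) >= 8 {
		if n, err := strconv.Atoi(strings.Trim(string(b[:8]), "x")); err == nil && n >= 0 {
			return n, nil
		}
	}
	return 0, fmt.Errorf("missing or malformed size field in %q", b)
}

// nccParse decodes one TCP payload: SIZE (8 bytes) + AES-256-CFB DATA, whose plaintext is Size (same
// format) + Command (1 byte) + Content + Padding with Size = len(Command + Content). Full-block CFB
// (128-bit segments) is assumed; the slides say only "CFB mode".
func nccParse(payload []byte) (cmd byte, content []byte, err error) {
	n, err := nccParseSize(payload)
	if err != nil || n < 9 || n > len(payload)-8 {
		return 0, nil, fmt.Errorf("SIZE %d unusable for a %d-byte payload: %v", n, len(payload), err)
	}
	block, _ := aes.NewCipher(nccKey)
	plain := make([]byte, n)
	cipher.NewCFBDecrypter(block, nccIV).XORKeyStream(plain, payload[8:8+n])
	inner, err := nccParseSize(plain)
	if err != nil || inner < 1 || inner > n-8 {
		return 0, nil, fmt.Errorf("inner Size %d unusable for %d decrypted bytes: %v", inner, n, err)
	}
	return plain[8], plain[9 : 8+inner], nil
}

// nccBuild is the inverse, used here only to construct a sample frame for the decoder.
func nccBuild(cmd byte, content []byte) []byte {
	size := func(n int) string { s := strconv.Itoa(n); return s + strings.Repeat("x", 8-len(s)) }
	plain := append(append([]byte(size(1+len(content))), cmd), content...)
	plain = append(plain, make([]byte, (16-len(plain)%16)%16)...) // zero padding to 16 bytes (assumption)
	block, _ := aes.NewCipher(nccKey)
	cipher.NewCFBEncrypter(block, nccIV).XORKeyStream(plain, plain)
	return append([]byte(size(len(plain))), plain...)
}
```

The fixed key and IV mean every session reuses the same keystream prefix, so a captured frame can be decrypted offline from the values on the slides alone.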
-----

### Command and Control

- nccTrojan has the following functions:
  - Remote Shell
  - Send Disk Information
  - Send File List
  - Send Process List
  - Download File (Read File)
  - Upload Files
  - Operate Files (Copy, Move, Delete)
  - Kill Process

-----

# Wrap up

-----

### Royal Road RTF Weaponizer

- Used by Chinese APT groups
  - Temp.Trident, Tick and Tonto
  - Mainly targeting East Asian countries

### Poison Ivy

- SPIVY
  - Modified traffic structure
  - Previously used in Hong Kong in March 2016
    - Used the same DLL side-loading technique with "RasTls.dll"

https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html
https://unit42.paloaltonetworks.com/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/

-----

### DLL Side-Loading

- PotPlayerMini
  - Previously used by DragonOK
  - DragonOK targets East Asian countries

https://unit42.paloaltonetworks.jp/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/
https://securelist.com/cve-2015-2545-overview-of-current-threats/74828/

-----

### As a result of analyzing the observed attack cases, we found the following:

- Operation LagTime IT has been observed since at least around March 2019, and its TTPs have not changed for more than a year
- Used a tool to exploit MS17-010 for lateral movement, a NETBIOS scanner for environmental investigation, tools to steal credentials, and new RATs such as Tmanger and nccTrojan
- Colorful Panda Footprint (the TTPs of these attack cases overlap with those of several Chinese APT groups)
  - Tick, Tonto, DragonOK

-----

### Traffic Decryption Tools for Tmanger & nccTrojan

- Later, we will announce the download site on our Twitter account
  - @GlobalNTT_JP (https://twitter.com/globalntt_jp)

-----

### Case 1

- MD5
  - f1b21f5f9941afd9eec0ab7456ec78b8 (Lure Document)
  - b26b60c8ba87df6322fa48916b7ba86d (Poison Ivy)
  - 8fa6b43e35675b05bd4cbe8a9e9413b8 (Credential Stealer)
  - f01a9a2d1e31332ed36c1a4d2839f412 (Environment Scanner)
  - 11b2e94fdac1ff94899debbcf63c33aa (Cotx RAT)
- Domain
  - news.vzglagtime[.]net (Attacker Server-A)
  - mtanews.vzglagtime[.]net (Attacker Server-B)

-----

### Case 2

- MD5
  - 60ec80e7e72afa9a24c48517d9e97f4c (Lure Document)
  - 7372101f6423ee4226b83cca12b13bb9 (Poison Ivy-A)
  - 8fa6b43e35675b05bd4cbe8a9e9413b8 (Credential Stealer-A)
  - f01a9a2d1e31332ed36c1a4d2839f412 (Environment Scanner)
  - 11b2e94fdac1ff94899debbcf63c33aa (Cotx RAT)
  - d00d8f1c6ee37d86dd78bbbee328878c (Scan Tool)
  - 78ea3649a05f241516288603e5305a79 (Exploit Tool)
  - bcfd4ebf4856ae2eeba1604fd243d522 (Poison Ivy-B x86.dll)
  - 7dfae85cb034a2ee5c715530e163b35d (Poison Ivy-B x64.dll)
  - 4993e67fcabaf949380196fabe004fd4 (Credential Stealer-B)
  - 8a79aeaed654e96d86fbe1bbc1e9de84 (Tmanger)
  - c999b26e4e3f15f94771326159c9b8f9 (Installer)

-----

### Case 2

- Domain & IP
  - 95[.]179.131.29 (Attacker Server-A)
  - mtanews.vzglagtime[.]net (Attacker Server-B)
  - 45[.]76.211.18 (Attacker Server-C)
  - 172[.]105.39.67 (Attacker Server-D)
  - 45[.]77.129.213 (Attacker Server-E)

-----

# Thank you

-----