## A41APT case

###### ~ Analysis of the Stealth APT Campaign Threatening Japan ~

Yusuke Niwa / Hajime Yanagishita / Charles Li / Suguru Ishimaru / Motohiko Sato

2020/01/28

-----

#### Presenter / Coauthor

###### Yusuke Niwa
ITOCHU Corporation, ITCCERT, Cyber Security Researcher

###### Hajime Yanagishita
Macnica Networks, Security Researcher

###### Charles Li
Team T5, Chief Analyst of TeamT5

###### Suguru Ishimaru
Kaspersky GReAT, Malware Researcher

###### Motohiko Sato
ITOCHU Corporation, ITCCERT, Sr. Cyber Security Researcher

-----

#### Agenda

1. Campaign Overview
2. Malware Analysis
3. Characteristics of Intrusion
4. Threat Actor's Infrastructure
5. Consideration of Threat Actor's Attribution
6. Summary

-----

### 1. A41APT Campaign Overview

-----

#### A41APT Campaign Overview

- Period of Activity: March 2019 to January 2021 (present)
- Target: Japan (Japanese companies, including overseas branches)
- Initial Vector: not spear phishing but SSL-VPN abuse
- Malware: new types of malware using DLL side-loading (SodaMaster/P8RAT/DESLoader/FYAntiLoader etc.)
- Public Info: very few [1][2][3][4]
- Characteristics: very tough to detect the attacker's intrusion

We call this threat actor A41APT after the hostname 「DESKTOP-A41UVJV」 that it has used continuously.

-----

### 2. Malware Analysis

-----

#### 2. Malware Analysis

1. DESLoader
2. DESLoader payloads
   - SodaMaster
   - P8RAT (update)
   - Stager Shellcode
   - FYAntiLoader
3. FYAntiLoader (NEW)
4. xRAT (NEW)

-----

#### 2-1. DESLoader

Aka. SigLoader

- Loader file for DLL side-loading; the accompanying files contain encrypted shellcode and the payload.
- Decrypts multiple PEs and shellcodes sequentially in multiple stages.
- Multiple algorithms are used for decryption.
- Finally, the payload is executed in memory.
-----

#### Example of DESLoader's payload decoding flow

1. policytool.exe (legitimate EXE) side-loads jli.dll (DESLoader).
2. jli.dll loads vac.dll and decodes stage_1.shellcode from it.
3. stage_1.shellcode performs reflective DLL injection of stage_1.dll.
4. stage_1.dll loads pcasvc.dll and decodes stage_2.shellcode from it.
5. stage_2.shellcode performs reflective DLL injection of the payload, P8RAT.

Junk code: anti-analysis junk code that calls OutputDebugStringA() is found in the loader.

-----

#### jli.dll/stage_1.dll

- Multiple algorithms (XOR, DES, AES and RSA) are defined, and the order in which they are used is configured.
- Reads the encrypted data embedded in the specified DLL, from the end of the data back to the configured size, and decrypts it.

Decryption algorithm of the jli.dll sample (two of the four ciphers are skipped):

| Step | Algorithm | Parameters |
|---|---|---|
| 1 | skipped | |
| 2 | XOR | key = 0x9F |
| 3 | skipped | |
| 4 | AES (CBC mode) | key = 83H4uREKfFClDH8ziYTH8xsBYa32p3wl, IV = 83H4uREKfFClDH8z |

Layout of vac.dll: MZ / PE / Section table / Section 1 … N / Embedded data (the encrypted data appended after the sections).

-----

#### stage_1.shellcode

- In addition to the known "ecipekac" magic bytes, some samples use {BFAFBFAF} or {9F8F7F6F} as magic bytes.
- Prepares the DLL (stage_1.dll) from the data embedded separately in the shellcode.

| stage_1.shellcode offset | Content |
|---|---|
| 0x00000 | shellcode |
| 0x00bf5 | ecipekac (magic bytes) |
| 0x00bfd | Size of buf |
| 0x00c01 | Size of code |
| 0x00c05 | Section table |
| … | Section 1 … N |
| 0x39a1d | PE |
| 0x39b25 | MZ |

| stage_1.dll offset | Content |
|---|---|
| 0x00000 | MZ |
| 0x000E0 | PE |
| 0x001E8 | Section table |
| 0x01000 | Section 1 |
| 0xXXXXX | Section N |

-----

#### Variant of stage_2.shellcode

- In addition to the stage_2.shellcode that has almost the same features as stage_1.shellcode, we found 2 types of stage_2.shellcode.
  - Stager Shellcode
  - Shellcode dedicated for SodaMaster (RC4)

Embedded structure of the shellcode for SodaMaster (stage_2.shellcode → SodaMaster payload):

| offset | data | description |
|---|---|---|
| 0x000 | 90 90 90 90 90 90 90 90 | magic bytes for identification; used for comparison before data processing |
| 0x008 | 0x11600 | size of the encrypted data; only this value (size) is observed |
| 0x00C | A9 5B 7B 84 9C CB CF E8 B6 79 F1 9F 05 B6 2B FE | 16-byte RC4 key (each sample has a different key) |
| 0x01C | C7 36 7E 93 D3 07 1E 86 … | SodaMaster payload encrypted with RC4 |

-----

#### DESLoader Timeline

| Compile Date | File name | Algorithm | Payload |
|---|---|---|---|
| 2019-10-18 (JST) | CCFIPC64.DLL | AES | xRAT |
| 2019-10-24 | SBIEDLL.DLL | DES | Stager_Shellcode |
| 2019-12-26 | DBUS-1-3.DLL | DES | Stager_Shellcode |
| 2019-12-28 | GLIB-2.0.DLL | DES | Stager_Shellcode |
| 2020-05-04 | jli.dll | DES | SodaMaster |
| 2020-05-04 | jli.dll | DES | SodaMaster |
| 2020-05-09 | DBUS-1-3.DLL | DES | SodaMaster |
| 2020-05-30 | dbus-1-3.dll | DES | Stager_Shellcode |
| 2020-06-02 | uxtheme.dll | DES | P8RAT |
| 2020-06-04 | UXTHEME.DLL | XOR->AES->DES (RSA Not Used) | SodaMaster |
| 2020-06-30 | VMTOOLS.DLL | AES->DES (RSA XOR Not Used) | P8RAT |
| 2020-06-30 | SECUR32.dll | AES->DES (RSA XOR Not Used) | SodaMaster |
| 2020-07-01 | jli.dll | DES | P8RAT |
| 2020-09-28 | jli.dll | DES->AES (RSA XOR Not Used) | SodaMaster |
| 2020-09-29 | jli.dll | DES->AES (RSA XOR Not Used) | SodaMaster |
| 2020-10-02 | vmtools.dll | DES->AES (RSA XOR Not Used) | SodaMaster |
| 2020-12-21 | JLI.dll | DES->AES (RSA XOR Not Used) | Stager_Shellcode |
| 2020-12-26 | jli.dll | DES | SodaMaster |
| 2020-12-26 | sbiedll.dll | RSA (AES DES XOR Not Used) | Stager_Shellcode |
| 2020-12-27 | JLI.DLL | DES->AES (RSA XOR Not Used) | Stager_Shellcode |
| 2020-12-27 | JLI.DLL | DES->AES (RSA XOR Not Used) | Stager_Shellcode |
| 2020-12-27 | JLI.DLL | DES->AES (RSA XOR Not Used) | Stager_Shellcode |
| 2020-12-31 | vmtools.dll | XOR->AES (RSA DES Not Used) | P8RAT |

- The AES and DES algorithms are implemented using proprietary coding.
- In many cases, not all ciphers are used.
- The order in which the ciphers are used is changed.
- DESLoader samples that implement only one cipher contain a lot of OutputDebugStringA() code.

-----

#### 2-2. DESLoader's Payload

1. SodaMaster
2. P8RAT
3. FYAntiLoader (⇒ .NET Loader (ConfuserEx v1.0.0) ⇒ xRAT)
4. Stager Shellcode

-----

#### SodaMaster

Aka. DelfsCake, dfls, HEAVYPOT

- One of DESLoader's payloads
- Fileless RAT
- Command identifiers are d, f, l and s
- Same compilation time: 5CFE0D92 (Mon Jun 10 07:58:10 2019)
- Checks for a VM environment via the following registry value: HKCR\Applications\VMwareHostOpen.exe

-----

#### SodaMaster

- The mutex value is the hex value of the CRC32 calculated from a hardcoded base64 string, with the byte order reversed. Example: CRC32 = 0x8d01ca9f → Mutex = 9FCA018D.
- The initial C2 communication data is encrypted with RSA. The RSA key is hardcoded as a base64 string (base64(RSA key) + 12 bytes of data) and imported as a key_blob; the data (User, host, PID, Exec Date, RC4 key) contains a randomly generated RC4 key.
- Further communication data is encrypted with RC4.

-----

#### P8RAT

Aka. GreetCake

- One of DESLoader's payloads
- Fileless RAT
- Latest command identifiers are 300~309
- Command 309 was newly implemented after December 2020.
- Timer-related strings at commands 306 - 308 are not exposed in the latest version.
- The main feature looks to be command 301: execution of a secondary PE-based payload downloaded into memory.

-----

#### P8RAT Update

- Checks whether processes characteristic of the guest OS of a virtual machine are running
- Collects OS version, hostname and username
- Looks to check whether it is running in a sandbox or analyst environment

-----

#### Stager Shellcode

- One of DESLoader's payloads
- CobaltStrike stager shellcode (beacon)
- In the later version in 2020, the beacon contains an HTTP header mimicking a jQuery request

-----

#### 2-3. FYAntiLoader

- One of DESLoader's payloads
- Fileless-type loader module
- .NET loader having a provocative export function name
- Contains a .NET loader packed with ConfuserEx v1.0.0
- Looks for a specific directory and searches for a file matching a condition, then reads the file and decrypts the payload
- Finally, the payload is xRAT

-----

#### xRAT decoding flow with FYAntiLoader

1. usoclient.exe (legitimate EXE) side-loads CCFIPC64.dll (DESLoader).
2. CCFIPC64.dll loads msftedit.prf.coo and decodes stage_1.shellcode from it.
3. stage_1.shellcode performs reflective DLL injection of stage_1.dll.
4. stage_1.dll loads msdtcuiu.adi.wdb and decodes stage_2.shellcode from it.
5. stage_2.shellcode performs reflective DLL injection of stage_3.dll (FYAntiLoader).
6. FYAntiLoader loads web_lowtrust.config.uninstall via CppHostCLR, decrypts the blob and runs xRAT.

-----

#### 2-4. xRAT

Configuration of the observed xRAT sample:

| Key | Value |
|---|---|
| VERSION | 2.0.0.0 |
| HOSTS | 45.138.157.83:443; |
| RECONNECTDELAY | 1846872 |
| KEY | [redacted] |
| AUTHKEY | [redacted] |
| DIRECTORY | Environment.SpecialFolder.ApplicationData |
| SUBDIRECTORY | Subdir |
| INSTALLNAME | Client.exe |
| INSTALL | false |
| STARTUP | false |
| MUTEX | 3n5HUTePmoGqIF8CZanamdGw |
| STARTUPKEY | Quasar Client Startup |
| HIDEFILE | false |
| ENABLELOGGER | false |
| ENCRYPTIONKEY | KCYcz6PCYZ2VSiFyu2GU |
| TAG | [redacted] |
| LOGDIRECTORYNAME | Logs |
| HIDEDIRECTORY | false |
| HIDEINSTALLSUBDIRECTOR | false |
| download_url | none |

-----

### 3. Characteristics of Intrusion

-----

#### A41APT's intrusion method

- **Initial Intrusion**: penetration via SSL-VPN using vulnerabilities or stolen credentials.
- **Internal Recon. / Lateral Movement**: perform a port scan to search for open RDP or SMB ports, then connect over RDP with an administrator account.
- **Persistence of malware**: persistence by scheduled task registration that executes the legitimate PE.
- **C2 Communication**: communicate with the C2 server via DESLoader's payload or PowerShell remoting.
- **Trace Removal**: delete the event log after communication with the C2 is finished.

(Diagram: A41APT → SSL-VPN → servers, AD server and laptop; on the server, the legitimate PE loads DESLoader and its payload in memory, or PowerShell, which communicates with the C2 server; scheduled task registration and event log deletion on the server.)

-----

#### Characteristics of Compromise

1. Initial intrusion using SSL-VPN products
2. Network scanning and credential theft
3. PowerShell remoting to remove event logs
4. Persistence of malware by scheduled task

-----

###### 3-1. Initial intrusion via SSL-VPN (Example: session hijacking)

- In October 2019, an attacker used the hostname DESKTOP-A41UVJV to hijack sessions and enter the internal network via the SSL-VPN product Pulse Secure.
- JPCERT also reported a similar attack targeting SSL-VPN [4].
- In some cases, the attackers used credentials that they had stolen in a past intrusion.

-----

###### 3-2. Network scanning and credential theft

Network scanning and RDP:

- After the intrusion via SSL-VPN, perform internal network scanning to find open RDP (3389/TCP) and SMB (445/TCP) ports.
- Use an administrator account to connect over RDP to servers with RDP open.
- Example server types frequently compromised by RDP: AD server, file server, anti-virus management server, backup server.

Credential theft:

- Run csvde.exe, a CSV export command line tool provided by Microsoft.
- Execute AdFind, provided by joeware.
- Dump the SYSTEM/SECURITY/SAM hives, etc.

-----

###### 3-3. PowerShell remoting to delete event logs

- Event log at the end of a PowerShell remoting session: Windows PowerShell.evtx, EID 403
- The "C2 address" and the "*.nls file name" are changed, but the rest is the same ⇒ probably execution of a common tool

-----

###### 3-4. Persistence of malware by scheduled task

- Registered a scheduled task that executes, every 15 minutes, a legitimate executable file that loads DESLoader.
- It is unlikely that the same scheduled task name is created on the compromised hosts.
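Two of the hunts that follow from 3-1 and 3-3, as an added example in Python (not code from the presentation): an SSL-VPN login check that flags client hostnames absent from the asset inventory or used from more than one source IP, and a check that decodes the -EncodedCommand argument recorded in the HostApplication field of Windows PowerShell EID 403 and flags event-log clearing. The asset inventory, login records and EID 403 records are constructed, and the record field names are assumptions.

```python
import base64
import re
from collections import defaultdict

# 3-1: SSL-VPN logins from hostnames outside the asset inventory.
# Constructed asset inventory (assumption: the organization maintains one).
KNOWN_HOSTS = {"JP-LAPTOP-0001", "JP-LAPTOP-0002", "SG-LAPTOP-0010"}

# Constructed SSL-VPN login records, not real logs: (timestamp, client
# hostname, source IP, result). The two unknown hostnames are the ones the
# presentation reports; the IPs are documentation ranges.
VPN_LOGINS = [
    ("2019-10-02T01:12:03Z", "JP-LAPTOP-0001", "203.0.113.10", "success"),
    ("2019-10-02T02:40:51Z", "DESKTOP-A41UVJV", "198.51.100.23", "success"),
    ("2019-10-05T22:03:17Z", "DESKTOP-A41UVJV", "198.51.100.77", "success"),
    ("2019-10-07T00:18:44Z", "dellemc_N1548P", "192.0.2.9", "success"),
    ("2019-10-07T00:19:02Z", "JP-LAPTOP-0002", "203.0.113.11", "success"),
]

def hunt_vpn_logins(logins, known_hosts):
    """Return {hostname: sorted source IPs} for successful logins worth review:
    the hostname is absent from the asset inventory, or one hostname was used
    from more than one source IP (the slides note the actor rotates IPs)."""
    ips_by_host = defaultdict(set)
    for _ts, host, ip, result in logins:
        if result == "success":
            ips_by_host[host].add(ip)
    return {h: sorted(s) for h, s in ips_by_host.items()
            if h not in known_hosts or len(s) > 1}

# 3-3: encoded PowerShell recorded in "Windows PowerShell.evtx" EID 403.
# HostApplication holds the command line that started the engine; -EncodedCommand
# (any unambiguous prefix: -e, -ec, -enc, ...) carries base64 of UTF-16LE text.
ENCODED_ARG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.I)
LOG_CLEARING = re.compile(r"Clear-EventLog|wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)

def decode_encoded_command(host_application):
    """Return the decoded script text, or None when no encoded command is present."""
    m = ENCODED_ARG.search(host_application)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def flag_log_clearing(eid403_records):
    """Return the decoded commands of EID 403 records that clear event logs."""
    hits = []
    for rec in eid403_records:
        cmd = decode_encoded_command(rec.get("HostApplication", ""))
        if cmd and LOG_CLEARING.search(cmd):
            hits.append(cmd)
    return hits

# Constructed EID 403 records holding only the field the check reads.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENC_CLEAR = base64.b64encode("Clear-EventLog -LogName Security".encode("utf-16-le")).decode()
EID403_RECORDS = [
    {"EventID": 403, "HostApplication": f"{PS_EXE} -NoProfile -ExecutionPolicy Bypass -enc {ENC_CLEAR}"},
    {"EventID": 403, "HostApplication": f"{PS_EXE} -NoProfile -File C:\\scripts\\inventory.ps1"},
]
```

Because the slides report that the decoded command is identical across incidents apart from the C2 address and the .nls file name, the decoded text from several hosts can also be diffed to spot the same tool being reused.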
-----

Example: improperly registered scheduled tasks observed in the past

|Scheduled Tasks|PE name|
|---|---|
|\Microsoft\Windows\Sysmain\HybridDriveCachePrepopulate|HybridDrive.exe|
|\Microsoft\Windows\Shell\FamilySafetyMonitor|wpcmon.exe|
|\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI|NAPStatus.exe|
|\Microsoft\Windows\SideShow\AutoWake|AutoWake.exe|
|\Microsoft\Windows\SystemRestore\SR|srtasks.exe|
|\Microsoft\Windows\Shell\FamilySafetyUpload|FamilySafety.exe|
|\Microsoft\Windows\File Classification Infrastructure\Property Definition Sync|DefinitionSync.exe|
|\Microsoft\Windows\UpdateOrchestrator\Refresh Settings|usoclient.exe|
|\Microsoft\Windows\WindowsUpdate\AUSessionConnect|AUSession.exe|
|\Windows\System32\Tasks\Microsoft\Windows\Shell\WindowsParentalControls|ParentalControls.exe|
|\Microsoft\Windows\UpdateOrchestrator\Schedule Retry Scan|usoclient.exe|
|\Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources|DiagPackage.exe|
|\Microsoft\Windows\Setup\EOSNotify|EOSNotify.exe|

-----

### 4. Threat Actor's Infrastructure

-----

#### Threat Actor's Infrastructure

1. The hostname used for the intrusion via SSL-VPN
2. Characteristics of the C2 infrastructure

-----

###### Hostname used for the initial intrusion via SSL-VPN

- Tendency to use distinctive hostnames and to attempt intrusions while changing IP addresses
- Hostnames used in breaches observed in the past: DESKTOP-A41UVJV, dellemc_N1548P
- Tendency to use an IP address for the intrusion that is different from the C2 server's IP address

-----

###### Characteristics of the C2 infrastructure

- For C2, there is a tendency to use IP addresses and not domains.
- Among the observed C2 IP addresses there is little bias toward country or AS, and we observed a tendency not to reuse IP addresses repeatedly.

-----

#### 5. Consideration of Threat Actor's Attribution

-----

#### Considerations for attribution of A41APT

1. Relevance to APT10
2. Relevance to BlackTech

-----

#### 1. Relevance to APT10

Common TTPs:

- APT10 involvement in a targeted attack campaign against Turkey was mentioned in [5]. Common TTPs:
  - Multilayer loading
  - CppHostCLR loader
  - F**jYouAnti export
  - Looks for payloads under "C:\Windows\Microsoft.Net"
- Confirmed the existence of an early version of SodaMaster (x86) in March 2019.
- The xRAT observed in the A41APT campaign has common TTPs with the BlackBerry Cylance report "MenuPass/QuasarRAT Backdoor" from 2019 [6].

(Diagram: the shellcode runs a DLL payload (SodaMaster, x86) and a shellcode payload (xRAT/QuasarRAT); SodaMaster connects to rare-coins[.]com, which is attributed to APT10.)

-----

#### 2. Relevance to BlackTech

- Identified common features between SodaMaster and TSCookie [7].
- The same information is collected from the compromised host in the initial stage:
  - Username
  - Computer name
  - Current process ID
- Observed the existence of two malware families, SodaMaster and TSCookie, on multiple compromised hosts

-----

### 6. Summary

-----

#### Wrap up: A41APT Campaign

ADVERSARY (A41APT)

- Strong association with APT10
- Relevance to BlackTech

CAPABILITIES

- Intrusion via SSL-VPN
- Heavy usage of RDP for lateral movement (mainly servers)
- Abusing DLL side-loading
- Removing traces

INFRASTRUCTURE

- Heavy usage of IP addresses for C2 (no domain usage)
- Less reuse of IP addresses for C2

TARGETS

- Targeting Japanese companies, including overseas branches
- Wide range of industries, such as manufacturing

-----

#### Wrap up: TTPs ~MITRE ATT&CK Mapping~

| Tactics | Techniques | Observed behaviour |
|---|---|---|
| Initial Access | External Remote Services (T1133) | Intrusion via SSL-VPN using vulnerabilities or stolen credentials |
| Execution | Command and Scripting Interpreter: PowerShell (T1059.001) | Base64-obfuscated PowerShell commands (delete event log) |
| Execution | Windows Management Instrumentation (T1047) | WMIC collects services of security products |
| Persistence | Scheduled Task/Job: Scheduled Task (T1053.005) | |
| Privilege Escalation | Hijack Execution Flow: DLL Search Order Hijacking (T1574.001) | |
| Defense Evasion | Deobfuscate/Decode Files or Information (T1140) | |
| Defense Evasion | Indicator Removal on Host: Clear Windows Event Logs (T1070.001) | |
| Defense Evasion | Hijack Execution Flow: DLL Search Order Hijacking (T1574.001) | |
| Credential Access | OS Credential Dumping: Security Account Manager (T1003.002) | |
| Credential Access | OS Credential Dumping: NTDS (T1003.003) | |
| Discovery | Account Discovery: Domain Account (T1087.002) | |
| Discovery | Domain Trust Discovery (T1482) | |
| Discovery | Software Discovery: Security Software Discovery (T1518.001) | |
| Lateral Movement | Remote Services: Remote Desktop Protocol (T1021.001) | |
| Collection | Archive Collected Data: Archive via Utility (T1560.001) | Compression by WinRAR |

-----

#### Wrap up: Features of this campaign

- Targeting the kryptonite of EDR/FSA detection
  - Malware (legitimate file, loader, encrypted file) is written to disk by the attacker's manual operation via SSL-VPN, instead of a malware-originated intrusion from a spear-phishing email
  - Intrusion from group affiliates, including overseas companies
  - Malware is mostly placed on servers, and the number of compromised servers is very small
  - Most of the malware detected in the same period has different C2 addresses, so there is little tendency to reuse the same samples
- After the intrusion, some rough operations were seen
  - Heavy usage of network discovery using RDP
  - Common deletion method for event logs
  - The attacker's hostname is recorded in the event log

-----

#### Examples of countermeasures against this campaign

SSL-VPN

- Implementation of MFA
- Patch application operation
- Monitoring

Governance (overseas/affiliates)

- Framework for sharing information (incidents, threat intel and security situation)
- Apply the same security level
- Apply the same level of detection for each intrusion method

End User: additional threat visibility

- Network monitoring by NTA
- Strengthen security measures for servers
- Hunt stealthy attacks by using EDR/FSA
- Leverage Yara rules to detect the loader or payload in memory

End User: additional monitoring

- Audit authentication attempts of administrator accounts (success/failure)
- Monitor deletion of Windows event logs
- Monitor logins from hosts that are not in the list of organization assets
- Monitor SSL-VPN logs for suspicious logins from unknown hosts (e.g. hostname not in the organization's asset list)

Vendor (SOC): strengthen monitoring for authentication

- Talk with the end user to know the white-list (username, hostname, IP address and date/time) of authentication and give proactive alerts to the end user

-----

#### (Based on intrusion method)

- **Initial Intrusion**: implementation of MFA; patch application operation; monitor suspicious logins from overseas; monitor suspicious logins from hosts outside of asset management.
- **Internal Recon. / Lateral Movement**: NW monitoring by NTA; strengthen security measures for servers (EDR/FSA etc.); monitoring of administrator authentication attempts (success/failure).
- **Persistence of malware**: monitor the creation of suspicious scheduled task events.
- **C2 Communication**: payload detection by Yara; C2 identification and blocking by malware analysis; identify and block C2 by traces of suspicious PowerShell remoting in event logs.
- **Trace Removal**: monitor for traces of suspicious event log deletions.

(Diagram: the countermeasures above mapped onto the intrusion-method figure from section 3: MFA and patch application at the SSL-VPN, NTA at the network, EDR/FSA and event log monitoring on the servers.)

-----

#### At the end...

- The A41APT campaign is very stealthy and difficult to detect, but it is not undetectable.
- The compromised target has shifted from endpoints to servers, and the intrusion route has shifted from spear phishing to abuse of SSL-VPN. Security measures need to be reviewed in your organization to respond to the change in attack method.
- By refining daily security operations and thoroughly reviewing the security holes in each organization's environment, it may be possible to detect and protect against attacks from even small anomalies.

-----

#### Reference

1. [Urgent Report] Targeted attack using "SigLoader", which abuses Microsoft digitally signed files, confirmed. https://www.lac.co.jp/lacwatch/report/20201201_002363.html
2. Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
3. https://twitter.com/Int2e_/status/1333501729359466502?s=20
4. Attack cases targeting a vulnerability in Pulse Connect Secure. https://blogs.jpcert.or.jp/ja/2020/03/pulse-connect-secure.html
5. APT10 THREAT ANALYSIS REPORT (ADEO IT Consulting Services). https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf
6. Threat Spotlight: MenuPass/QuasarRAT Backdoor. https://blogs.blackberry.com/en/2019/06/threat-spotlight-menupass-quasarrat-backdoor
7. https://blogs.jpcert.or.jp/ja/2018/03/tscookie.html

-----

#### IoCs

| MD5 | File name | Payloads | Comment |
|---|---|---|---|
| f6ed714d29839574da3e368e4437eb99 | usoclient.exe | xRAT | Legitimate EXE |
| dd672da5d367fd291d936c8cc03b6467 | CCFIPC64.DLL | xRAT | DESLoader |
| 335ce825da93ed3fdd4470634845dfea | msftedit.prf.cco | xRAT | Encrypted stage_1.shellcode |
| f4c4644e6d248399a12e2c75cf9e4bdf | msdtcuiu.adi.wdb | xRAT | Encrypted stage_2.shellcode |
| 019619318e1e3a77f3071fb297b85cf3 | web_lowtrust.config.uninstall | xRAT | Encrypted xRAT |
| 7e2b9e1f651fa5454d45b974d00512fb | policytool.exe | P8RAT | Legitimate EXE |
| be53764063bb1d054d78f2bf08fb90f3 | jli.dll | P8RAT | DESLoader |
| f60f7a1736840a6149d478b23611d561 | vac.dll | P8RAT | Encrypted stage_1.shellcode |
| 59747955a8874ff74ce415e56d8beb9c | pcasvc.dll | P8RAT | Encrypted stage_2.shellcode |
| c5994f9fe4f58c38a8d2af3021028310 | 80f55.rec.dll | SodaMaster(x86) | |
| 037261d5571813b9640921afac8aafbe | 10000000.dll | SodaMaster(x86) | |
| bca0a5ddacc95f94cab57713c96eacbf | ResolutionSet.exe | SodaMaster | Legitimate EXE |
| cca46fc64425364774e5d5db782ddf54 | vmtools.dll | SodaMaster | DESLoader |
| 4638220ec2c6bc1406b5725c2d35edc3 | wiaky002_CNC1755D.dll | SodaMaster | Encrypted stage_1.shellcode |

Path of encrypted xRAT: Microsoft.NET\test\Framework\v4.0.30319\Config\web_lowtrust.config.uninstall

Hostnames used for the intrusion via SSL-VPN: DESKTOP-A41UVJV, dellemc_N1548P

| C2 | Payloads |
|---|---|
| 45.138.157[.]83 | xRAT |
| 151.236.30[.]223 | P8RAT |
| 193.235.207[.]59 | Stager Shellcode |
| www.rare-coisns[.]com | SodaMaster(x86) |
| 88.198.101[.]58 | SodaMaster |

-----

# Any Questions?

-----