# Tonto Team: Exploring the TTPs of an advanced threat actor operating a large infrastructure

Daniel Lunghi (@thehellu), Jaromir Horejsi (@JaromirHorejsi)

-----

## Outline

• Introduction and history of the threat actor
• Infection vectors
• Custom and shared backdoors
• Post-exploitation tools
• Infrastructure, targets and further links
• Conclusion and references

-----

## Introduction

• Advanced threat actor likely based in China
• Known under the aliases Earth Akhlut, Cactus Pete, Lone Ranger, Tonto team
• Operating for more than 10 years
• Targets multiple government organizations and worldwide companies

-----

## History

• 2012 – HeartBeat campaign
• 2017 – Operation ORCA (Virus Bulletin)
• 2018 – Operation Bitter Biscuit
• 2018 – Bisonal Malware Used in Attacks Against Russia and South Korea
• 2020 – Bisonal: 10 years of play
• 2020 – Earth Akhlut

-----

## History naming

-----

# Infection vectors

-----

## Infection vectors

• Phishing websites
• Spear-phishing emails with malicious attachments
• Exploitation of vulnerabilities in security solutions

-----

## Infection vector phishing websites

• For a successful attack, the attacker requires strong user interaction
• User awareness lowers the success rate of this type of attack
• Phishing websites were blocked once noticed

-----

## Infection vector spear phishing

• Malicious attachments

-----

## Infection vector spear phishing

• Job application-themed spear phishing emails
• RTF files with Microsoft Equation 2.0 related exploits (CVE-2017-11882 / CVE-2018-0802)
• Royal Road RTF document builder
  • “OLE Package Objects” with the names 8.t or wd32PrvSE.wmf
  • Custom encryption starting with 0xb07477 or 0xb2a66d

-----

## Infection vector spear phishing

• For a successful attack, the attacker requires user interaction
• User awareness lowers the success rate of this type of attack
• Applying updates prevents code execution in this context
• Malicious documents and C&C were blocked once noticed

-----

## Infection vector exploiting vulnerabilities

• Exploiting vulnerabilities in the security solution’s services exposed to the Internet
  • CVE-2019-9489 (patched Apr 2019)
  • CVE-2020-8468 (patched Mar 2020)

-----

## Infection vector exploiting vulnerabilities

• A minority of the cases used this infection vector
• Both vulnerabilities are required for a successful attack
• The delivered payload was a dropper for the Shadowpad malware family

-----

## Infection vector exploiting vulnerabilities

• For a successful attack, the attacker requires:
  • Network access to the management server
  • An authentication bypass on that server
  • A vulnerability to execute code from this server
• All of these conditions can be mitigated by network design and patch management
• Malicious payloads and C&C were blocked once noticed

-----

# Backdoors

-----

## Custom backdoors

|Backdoor family name|First seen|
|---|---|
|Heartbeat|2009|
|Old Bisonal|2011|
|Chimaera|2012|
|Dexbia|2014|
|Bisonal01|2014|
|Bisonal02|2017|
|SPM|2018|
|Typehash|2019|
|Dumboc|2020|
|Idles|2020|

-----

## Custom backdoors commands

• All of them:
  • Process enumeration, download and file execution, interactive shell
• Most of them:
  • File upload and deletion, terminate process
• Some of them:
  • OS information collection, uninstall, wipe

-----

## Custom backdoors OS info

• IP address
• Code page
• Time (tick count)
• OS version, token information
• Computer name, proxy information
• Campaign ID, presence of VM

-----

## Custom backdoors C&C encryption

• No encryption
• XOR: used keys 0x15, 0x1d, 0x1f
• RC4: hardcoded password 0x12345678
• Custom: use of the atypical constants 0x58BF and 0x3193

-----

## Custom backdoors dexbia

• Decryption steps
  • ELDLJFDRILGOEYFZGMCXDIHYGEDKAJIAFTFE
  • sY\xef_\xdb\xaa\x80\x9b\xa8KV\xce\xa0X\t\xd0\x95\x86
  • www[.]riss[.]ntdll[.]net

-----

## Custom backdoors dexbia

• The second loop, with the constants 0xCE6D (52845) = -0x3193 and 0x58BF (22719), can also be found in the Adobe Type 1 Font Format Specification
  • https://www.adobe.com/content/dam/acom/en/devnet/font/pdfs/T1_SPEC.pdf

-----

## Custom backdoors network encryption

• No encryption
• Encoding/compression: hex, zlib, base32, base64
• XOR: used keys 0x28, 0x3f
• RC4: hardcoded password 0x12345678
• zlib + RC4
• RC4 with a 128-byte state vector

-----

## Custom backdoors network traffic

• Example of Chimaera C&C communication

-----

## Custom backdoors VM check

• Most of these families try to detect whether they are running inside a virtual machine

-----

## Custom backdoors sandbox evasion

• Time delay

-----

## Custom backdoors sandbox evasion

• Likely anti-sandbox trick
  • Request for a non-existent website
  • Prefix www.github
    • https://www[.]github##5o52d[.]com/Daf/post[.]asp
  • If this request fails, the backdoor code flow continues as expected

-----

## Custom backdoors chimaera

• Named after a caption found in the control panel
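
The Dexbia slides above point at the Adobe Type 1 font specification because of the constant pair 52845/22719. As an added example (not code from the presentation), this is that Type 1 "eexec" cipher, with a triage helper that flags the constant pair in either its unsigned (0xCE6D) or signed (-0x3193) spelling. The initial state 55665 and the leading random bytes are the spec's values; whether Dexbia keeps them is an assumption.

```python
# Added example, not code from the presentation: the Adobe Type 1 font
# "eexec" cipher, whose loop uses exactly the constants the Dexbia slide
# calls out, 52845 (0xCE6D, i.e. -0x3193 as a signed 16-bit value) and
# 22719 (0x58BF). Recognising the pair in a decoder loop identifies the
# algorithm. The initial r (55665) and the leading random bytes come from
# the Type 1 spec; whether Dexbia keeps them is an assumption.
C1 = 52845  # 0xCE6D
C2 = 22719  # 0x58BF
EEXEC_R = 55665  # initial state from the spec (charstrings use 4330)


def t1_decrypt(data: bytes, r: int = EEXEC_R, skip: int = 0) -> bytes:
    """Type 1 decryption: p = c ^ (r >> 8); r = ((c + r) * C1 + C2) mod 2**16.

    skip drops the leading random bytes the spec prepends (4 for eexec)."""
    out = bytearray()
    for c in data:
        out.append(c ^ (r >> 8))
        r = ((c + r) * C1 + C2) & 0xFFFF
    return bytes(out[skip:])


def t1_encrypt(data: bytes, r: int = EEXEC_R, prefix: bytes = b"") -> bytes:
    """Inverse of t1_decrypt. The state update uses the *cipher* byte, so both
    sides stay in sync. prefix emulates the spec's random leading bytes."""
    out = bytearray()
    for p in prefix + data:
        c = p ^ (r >> 8)
        out.append(c)
        r = ((c + r) * C1 + C2) & 0xFFFF
    return bytes(out)


def looks_like_type1_loop(immediates) -> bool:
    """Triage helper: True if the immediate operands pulled from a decoding
    loop contain both constants, as unsigned (0xCE6D) or signed (-0x3193)."""
    seen = {x & 0xFFFF for x in immediates}
    return C1 in seen and C2 in seen
```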
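
The network-encryption slide lists plain RC4, zlib + RC4 and an RC4 variant with a 128-byte state vector. As an added example (not code from the presentation), this RC4 takes the state-table size as a parameter so one decoder serves both variants, and layers zlib on top. The byte order of the hardcoded password 0x12345678 (little-endian here) and the compress-then-encrypt order are assumptions.

```python
# Added example, not code from the presentation: RC4 with a configurable
# state-table size, so one decoder covers both the standard 256-byte variant
# and the "RC4 with 128-byte state vector" variant listed on the
# network-encryption slide, plus the zlib + RC4 layering. How the hardcoded
# password 0x12345678 becomes key bytes (little-endian DWORD here) and the
# compress-then-encrypt order are assumptions made for this example.
import zlib

HARDCODED_PASSWORD = 0x12345678
KEY = HARDCODED_PASSWORD.to_bytes(4, "little")  # assumed byte order


def rc4_keystream(key: bytes, length: int, n: int = 256) -> bytes:
    """KSA + PRGA with every index reduced modulo n (n=256 is textbook RC4).
    With n=128 the S-box has 128 entries and every keystream byte is < 128,
    so a stock RC4 routine would silently produce garbage."""
    s = list(range(n))
    j = 0
    for i in range(n):
        j = (j + s[i] + key[i % len(key)]) % n
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) % n
        j = (j + s[i]) % n
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % n])
    return bytes(out)


def rc4(data: bytes, key: bytes = KEY, n: int = 256) -> bytes:
    """Encrypt or decrypt (RC4 is symmetric)."""
    ks = rc4_keystream(key, len(data), n)
    return bytes(a ^ b for a, b in zip(data, ks))


def encode_zlib_rc4(data: bytes, key: bytes = KEY, n: int = 256) -> bytes:
    """zlib + RC4 layering: compress, then encrypt (assumed order)."""
    return rc4(zlib.compress(data), key, n)


def decode_zlib_rc4(blob: bytes, key: bytes = KEY, n: int = 256) -> bytes:
    """Reverse of encode_zlib_rc4: decrypt, then inflate."""
    return zlib.decompress(rc4(blob, key, n))
```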
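
The sandbox-evasion slide describes a canary request to a non-existent host whose name starts with www.github. As an added example (not code from the presentation), this is a small hunt over constructed DNS resolver log lines for that pattern; the log format, the sample lines and the allow-list of legitimate GitHub domains are assumptions made for this example.

```python
# Added example, not code from the presentation: a detector for the
# "prefix www.github" canary lookup described on the sandbox-evasion slide,
# run over constructed DNS resolver log lines. Log format, sample lines and
# the allow-list of legitimate GitHub domains are assumptions.
import re
from dataclasses import dataclass

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query (?P<qname>\S+) -> (?P<rcode>\S+)$")
# "www.github" followed by extra label characters before ".com",
# e.g. www.github##5o52d.com from the slide
CANARY_RE = re.compile(r"^www\.github[^.]+\.com$")
LEGIT_SUFFIXES = ("github.com", "githubusercontent.com", "githubassets.com")


@dataclass
class Hit:
    ts: str
    src: str
    qname: str
    rcode: str

    @property
    def severity(self) -> str:
        # NXDOMAIN is what the backdoor expects: the request is meant to
        # fail. A name that resolves means a sandbox faked the answer or the
        # pattern is coincidental, so rate it lower.
        return "high" if self.rcode == "NXDOMAIN" else "medium"


def is_github_canary(qname: str) -> bool:
    name = qname.rstrip(".").lower()
    if any(name == s or name.endswith("." + s) for s in LEGIT_SUFFIXES):
        return False
    return CANARY_RE.match(name) is not None


def scan(lines) -> list:
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and is_github_canary(m["qname"]):
            hits.append(Hit(**m.groupdict()))
    return hits


SAMPLE_LOG = [  # constructed sample lines
    "2020-05-12T09:14:03Z 10.0.0.21 query www.github##5o52d.com -> NXDOMAIN",
    "2020-05-12T09:14:05Z 10.0.0.21 query www.github.com -> NOERROR",
    "2020-05-12T09:15:10Z 10.0.0.33 query www.githubab12.com -> NOERROR",
    "2020-05-12T09:16:00Z 10.0.0.33 query raw.githubusercontent.com -> NOERROR",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h.severity, h.src, h.qname, h.rcode)
```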
-----

## Custom backdoors chimaera

• Control panel

-----

## Custom backdoors chimaera

• Code similarity with old Bisonal
  • Send machine info
  • Campaign ID

-----

## Custom backdoors campaign IDs

• Some of these families have a campaign ID:
  416-J, 0209J, 0216jHC, 228KJ, 3sa, new, 711, Tran,ru, Test, DS, MN1223, 1228, dis, ser, mfa820, ser_ru, rogx64, m0N~1, word0302, low_mn, tnkk, solr, fvckrus, ENERGY

-----

## Shared backdoor ShadowPad

• Backdoor handling multiple plugins
• Used in advanced supply chain attacks discovered in 2017 and 2018
• Exclusive to Winnti/APT41 until 2019

-----

## Shared backdoor ShadowPad

• Usually only 5 plugins are embedded:
  • “Plugins”, “Config”, “Install”, “Online”, “HTTP”
  • In some cases: “TCP”, “UDP”
• Loaded through DLL side-loading vulnerabilities in signed executables
• Uses anti-disassembly techniques
• Sometimes packed with VMProtect

-----

## Shared backdoor ShadowPad

• New in 2020: sandbox evasion
  • If the loading DLL is not the expected one, the program exits
  • This evades sandboxes, which usually load DLLs with rundll32.exe

-----

## Shared backdoor ShadowPad

• Noticeable version tags

-----

# Post-exploitation tools

-----

## Post exploitation tools public

• Privilege escalation tools
  • CVE-2019-0803 and MS16-032 exploits
• Hash computation tools
• Credential dumpers
  • gsecdump v0.7
  • wdigest_extract
  • LaZagne

-----

## Post exploitation tools public

• Network shares enumeration
  • nbtscan 1.0.35
  • Inbtscan (Python version of nbtscan)
• Keyloggers
  • Keylogger1217
• Lateral movement

-----

## Post exploitation tools private

• Dumps information from the Domain Controller
• Uses Network

-----

## Post exploitation tools hub relaying

Diagram: 1. connects (Port 3925, Port 5688), 2. sends traffic, 3. forwards traffic, C&C server

-----

## Post exploitation tools hub relaying

• Losing control of the C&C does not expose the backend logic
• The C&C is simply a connection information forwarder

-----

# Infrastructure

-----

## Infrastructure

• Multiple “clusters” of domain names
  • Infrastructure overlap
• Clusters were usually bound to a specific malware family

-----

## Infrastructure

• From March to August 2020:
  • 49 domains resolving to an IP address
  • Of which 38 dynamic domain names
  • 46 different IP addresses

-----

## Infrastructure attacker’s mistakes

• The attacker misconfigured some C&C servers
• We could find some new malware samples and families, as well as victims

-----

## Custom backdoors attacker’s mistakes

• Files with a list of victims

-----

# Targets

-----

## Targets

• 61 targets in 19 different countries from January to July 2020
• Taiwan is the most targeted country, followed by India and Russia
• Technology and manufacturing industries were the most targeted, followed by education and healthcare

-----

## Targets industries

Pie chart (labels and values as extracted): Technology / Others 21,3% / 23,0%, Government 8,2%, Manufacturing 18,0%, Healthcare 13,1%, Education 16,4%

-----

## Targets countries

Pie chart: Taiwan 21,3%, Others 27,7%, India 13,1%, Russia 11,5%, Thailand 6,6%, Australia 6,6%, Canada 6,6%, Germany 6,6%

-----

# Links to other threat actors

-----

## Links to TICK threat actor

• We found Shadowpad samples sharing encryption algorithms with samples from TICK (Operation Endtrade)
• This suggests they share a builder
• The Shadowpad delivery mechanism is different for TICK: they use a dropper named CASPER

-----

## Conclusion

• Earth Akhlut is an advanced threat actor with big operational and offensive capabilities
• Patches need to be applied to security solutions
• Public Internet access to management servers should be avoided unless necessary

-----

## References

• https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the-heartbeat-apt-campaign.pdf
• https://unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/
• https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.93_ENG.pdf
• https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html
• https://success.trendmicro.com/solution/1122250
• https://success.trendmicro.com/solution/000245571

-----

Threats detected and blocked globally by Trend Micro in 2018. Created with real data

-----