# Sailing the Seven SEAs

###### Deep Dive into Polaris' Arsenal and Intelligence Insights

Still Hsu

-----

### whoami

- Aliases
  - Still Hsu
  - Azaka Sekai (安坂星海) - they/them
- Occupation
  - Threat Intelligence Researcher @ TeamT5
- Interested in...
  - Windows internals
  - .NET
  - Anything and everything!

-----

### AGENDA

- 01 whoami
- 02 Introduction
- 03 Arsenal Overview
- 04 Malware Overview
- 05 Changes
- 06 Summary / Findings

-----

### Introduction

- Chinese-based APT group active since 2011
- Aliases
  - Mustang Panda
  - Twill Typhoon
  - Earth Preta
- Targets
  - PH, MM, TH, TW, and other Asian countries
  - Countries related to EU

-----

### Arsenal Overview

- 2019 ~ now
  - Heavy focus on PlugX and USB spreadability
    - PlugX Fast (THOR) / MiniPlug / PlugDisk
    - UDiskShell
- 2022 ~ now
  - NoFive
  - TOnePipeShell / TOneDisk
  - QReverse
  - And many more one-time-use malware/tools.

-----

###### Hasn’t this been covered already?

- https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html
- https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html
- https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the (URL truncated on the slide)

-----

## So what’s the deal?
-----

###### I feel obligated to

-----

### Set A

-----

### Set B

-----

## Let’s start from the beginning…

-----

## TVLoad + Cobalt Strike + NoFive

-----

### Early TVLoad

- Mid-2021
- Drops files under Public\Libraries
- Persists
  - `Rundll32.exe SHELL32.DLL,ShellExec_RunDLL C:\Users\Public\Libraries\win\Acrobat.exe`
- Decodes and executes Cobalt Strike Stager in memory

-----

### Later TVLoad

- Early 2022
  - Targets the Philippines
- Similar pattern of dropping files under Public\Libraries
- Initially used the same Cobalt Strike decoding pattern
- Executes NoFive stager

-----

### NoFive Stager

- Shellcode-based downloader
- Reports to C2 with
  - Victim ID (GetVolumeInformation)
  - Computer name
  - Username
- Downloads and executes next stage shellcode

-----

### NoFive RAT

- Shellcode-based payload
- Extremely simple backdoor
  - File management
  - Sleep interval change
  - Remote shell
- Stackstrings in command handler

-----

### Key Features of NoFive

-----

### Key Features of NoFive

```
78 5A 12 4D 75 14 14 11 6C 02 71 15 5A 73 05 08 70
```

-----

#### Summary for Early NoFive

- Stager + Beacon design
- The overall code structure looks like...
  that
- Uses hardcoded RC4 key for comms
- Traffic disguised as TLS 1.2 Application Data
  - `0x17`
  - `0x03`
  - `0x03`
  - `<2-byte-payload-size>`
  - `<payload>`

-----

## TOnePipeShell

-----

### Early TOnePipeShell

- Mid-2022
  - First spotted targeting Myanmar government

-----

### Early TOnePipeShell

- Mid-2022
  - First spotted targeting Myanmar government
- `~$20220621.docx`
  - `C:\Users\Public\Documents\Microsoftapps.exe`
- `~$20220622.docx`
  - `C:\Users\Public\Documents\VERSION.dll`
- Embedded payload within loader
  - XOR 0x7D -> embedded 32-byte XOR key
  - XOR key -> payload -> shellcode

-----

### Early TOnePipeShell

- Similar code structure to NoFive
- Supports up to 10 C2s

-----

### Early TOnePipeShell

- Stack strings in command handler
  - “Create TOnePipeShell Class Error!”
- Supported features
  - Remote shell
  - Process execution
  - File upload/download/delete
- Not all features are always present

-----

### Early TOnePipeShell

- XOR 0x00 ~ 0x1F as initial handshake key
- RC4 for future comms

-----

###### Key Features of Early TOnePipeShell

-----

###### Summary for Early TOnePipeShell

- Largely the same as NoFive
- Slight difference in traffic encoding
- Iconic stackstring identifier
- No stager – straight payload delivery/execution

-----

## QReverse

-----

### QReverse

- Mid-2023
  - Codename “talos” / “qreverse”

-----

### QReverse Loader

- Uses multiple layers of XORs to decode the payload for the first stage
  - `data[i] ^= key[i] ^ key[i+1] ^ key[i+3]`
- Uses stackstring as XOR key for the second stage
  - Key `135790t4jigae90uiojw23rwcz56`

-----

### QReverse RAT

- Debug string
  - `g:\program\trojan\talos\talos-20210909\test\test_dll_class\qreverse.cpp`

-----

### QReverse RAT

- Uses multi-layered XOR for configuration decode
  - `Data[i] ^= Key[i] ^ Key[i+2] ^ Key[i+5] ^ Key[i+10]`

-----

### QReverse RAT

- Fully featured RAT
  - System information
  - Remote shell
  - File management
  - Set new C2
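The slides above describe two things an analyst has to undo before reading Polaris beacon traffic: the fake TLS 1.2 Application Data framing (`0x17 0x03 0x03` + 2-byte size + payload) that NoFive and TOnePipeShell wrap their packets in, and the payload encoding (hardcoded-key RC4 for early NoFive, multi-offset XOR for QReverse). The following is an added example written for this page, not code from the talk or from any Polaris sample: a small defender-side decoder that splits a captured TCP stream on the fake record layer, flags a stream that starts with Application Data instead of a Handshake record, and decodes each body with either RC4 or the QReverse-style XOR using the stackstring key shown on the slide. The RC4 key and the beacon text are constructed sample values, and wrapping key indices modulo the key length (for `key[i+10]` past the end of the key) is an assumption the slides do not state.

```python
"""Added example (not from the talk): strip the fake TLS 1.2 Application Data
framing described for NoFive/TOnePipeShell and decode the body with either
RC4 (early NoFive) or the multi-offset XOR shown for QReverse.
Wraparound of key indices (modulo key length) is an assumption."""
import struct

TLS_APPLICATION_DATA = 0x17        # first byte of every fake record
TLS12_VERSION = b"\x03\x03"        # the two 0x03 bytes from the slide
STACKSTRING_KEY = b"135790t4jigae90uiojw23rwcz56"   # QReverse key from the slide
QREVERSE_LOADER_OFFSETS = (0, 1, 3)                 # key[i] ^ key[i+1] ^ key[i+3]
QREVERSE_CONFIG_OFFSETS = (0, 2, 5, 10)             # Key[i] ^ Key[i+2] ^ Key[i+5] ^ Key[i+10]
CONSTRUCTED_RC4_KEY = b"constructed-demo-key"       # placeholder, not a real sample key


def looks_like_fake_tls(stream: bytes) -> bool:
    """A genuine TLS session opens with a Handshake record (0x16).  A stream
    whose very first record is already Application Data with a TLS 1.2
    version never negotiated anything and deserves a closer look."""
    return len(stream) >= 5 and stream[0] == TLS_APPLICATION_DATA and stream[1:3] == TLS12_VERSION


def split_fake_tls_records(stream: bytes) -> list:
    """Walk the stream record by record and return the raw (still encoded) bodies."""
    bodies, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, version = stream[pos], stream[pos + 1:pos + 3]
        (length,) = struct.unpack(">H", stream[pos + 3:pos + 5])  # 2-byte payload size
        if ctype != TLS_APPLICATION_DATA or version != TLS12_VERSION:
            raise ValueError(f"unexpected record header at offset {pos}")
        body = stream[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record")
        bodies.append(body)
        pos += 5 + length
    return bodies


def build_fake_tls_record(payload: bytes) -> bytes:
    """Inverse of the parser, used only to construct the sample stream below."""
    return bytes([TLS_APPLICATION_DATA]) + TLS12_VERSION + struct.pack(">H", len(payload)) + payload


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA).  Symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def multi_xor(data: bytes, key: bytes, offsets=QREVERSE_LOADER_OFFSETS) -> bytes:
    """XOR each byte with the XOR of several key bytes at fixed offsets, e.g.
    offsets (0, 1, 3) give data[i] ^= key[i] ^ key[i+1] ^ key[i+3].
    Self-inverse, so one function both encodes and decodes."""
    out, klen = bytearray(data), len(key)
    for i in range(len(out)):
        mask = 0
        for off in offsets:
            mask ^= key[(i + off) % klen]   # assumption: key index wraps around
        out[i] ^= mask
    return bytes(out)


def decode_stream(stream: bytes, decoder) -> list:
    """Strip the fake record layer, then apply the per-family body decoder."""
    return [decoder(body) for body in split_fake_tls_records(stream)]


def demo() -> dict:
    """Round-trip a constructed beacon through both encodings and back."""
    beacon = b"constructed beacon: host=LAB-PC;user=analyst"
    nofive_stream = build_fake_tls_record(rc4(CONSTRUCTED_RC4_KEY, beacon))
    qreverse_stream = build_fake_tls_record(multi_xor(beacon, STACKSTRING_KEY, QREVERSE_CONFIG_OFFSETS))
    return {
        "flagged": looks_like_fake_tls(nofive_stream),
        "nofive": decode_stream(nofive_stream, lambda b: rc4(CONSTRUCTED_RC4_KEY, b)),
        "qreverse": decode_stream(qreverse_stream,
                                  lambda b: multi_xor(b, STACKSTRING_KEY, QREVERSE_CONFIG_OFFSETS)),
    }


if __name__ == "__main__":
    print(demo())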
-----

### QReverse RAT

- Fully featured RAT
  - Screenshot
  - Create process with specified token, etc.

-----

### Summary for QReverse

- Fully featured RAT
- Uses multi-layered XOR for config/traffic encoding
- Currently unknown if it is exclusive to Polaris
  - Seen in other operations with wildly different TTPs
  - Possibly bought?

-----

## U2DiskWatch

-----

### U2DiskWatch

- First appeared in Sophos report back in late-2022[1]
- Spreader module for installing any of the given files

-----

### U2DiskWatch

- Spotted spreading NoFive in late 2023

-----

## TOneDisk

-----

### TOneDisk

- Late-2023
- Installer for TOnePipeShell
- USB infection module
- Same shared struct shenanigans
- Typically compiled in debug build

-----

### TOneDisk Installer

- Requires argument to launch
  - `-debug`
- Clears directories
  - `%public%\Libraries`
  - `%public%\AvastAntiVirus`
  - `%public%\AdobeDesktop`
  - `%public%\NeroEdit`
  - `%public%\WaveEdit`
  - `%public%\<9-char-random-name>\wave\`

-----

### TOneDisk Infection Module

- Requires argument to launch
  - `-Install`
- Monitors incoming removable drives by looping GetDriveType
- Writes fake folder to drive (`USB Disk(GB).exe`)
- Hides original/written files to `\u200D\\u200D\\u200D\`

-----

### Later revision

- Early-2024
- Requires different sets of arguments
  - `-i` - Installer (INSTALL.dll)
  - `-f` / `-w` - Watchdog? Watch?
    (PC2U.dll)

-----

### Later revision

- Copies payload as fake documents
  - Launcher -> .log
  - Loader -> .pdf
  - Encoded payload -> .dat
- Infection module now combined with TOnePipeShell

-----

## Changes over the years

-----

###### Many variants were developed in the last few years

-----

## NoFive

-----

### NoFive RAT (Type 2)

- Late-2022
- More or less the same
- Communication method changed from TCP to HTTP

-----

### NoFive RAT (Type 3)

- Mid-2023
- Encoding method changed from RC4 to 4 sectioned-XOR; similar to QReverse
- Still uses HTTP
- Back to Type 1 in 2024?

-----

## TOnePipeShell

-----

### TOnePipeShell (Type 2)

- Mid-2022
- Trend Micro’s Type B
- Reduced number of C2 slots
- Communication
  - TCP
- Cipher
  - 0x20-sized XOR key

-----

### TOnePipeShell (Type 3)

- Early 2023
- Writes a 4-byte GUID to file
  - `C:\Users\Public\.inf`
- Communication
  - TCP
- Cipher
  - 0x20-sized XOR key

-----

### TOnePipeShell (Type 4)

- Mid-2023
- Trend Micro’s Type D
- C2 config structure a lot more defined
- Writes a 16-byte GUID to file
  - `%AppData%\Roaming\Microsoft\Web.Facebook.config`
- Communication
  - TCP
- Cipher
  - 0x200-sized XOR key

-----

### TOnePipeShell (Type 5)

- Mid-2023
- Writes a 16-byte GUID to file
  - `%public%\Documents\.dat`
- PE instead of shellcode
- Requires “-startup”
- Contains version number “x1.0” + “BeCtrl”
- Communication
  - HTTP/TCP
- Cipher
  - 0x20-sized XOR key

-----

### TOnePipeShell (Type 5.5)

- Late-2023
- Similar to Type 5
- Back to being shellcode
- Uses version number “V1.0”
- Communication
  - HTTP/TCP
- Cipher
  - 0x20-sized XOR key (QReverse-styled)

-----

### TOnePipeShell (Type 6)

- Late-2023/early-2024
- Writes a 16-byte GUID to file
  - `%public%\.ini`
- Contains FatalErrorLNK/hello world\r\n
- Started using 13131313 (0xC85E31) as hash seed
- Communication
  - TCP
- Cipher
  - 0x100-sized XOR key

-----

### TOnePipeShell (Type 6.5)

- Mid-2024
- Found in TOneDisk
- Writes a 16-byte GUID to file
  - `C:\ProgramData\SoftwareDistribution.db`
- Slightly different handshake format
- Compiled as debug build
- Communication
  - TCP
- Cipher
  - 0x100-sized XOR key

-----

### TOnePipeShell (Type 7)

- Mid-late-2024
- Current latest version
- Writes a 16-byte GUID to file
  - `%public%\preferences.ini`
- Communication
  - TCP
- Cipher
  - 0xE9-sized XOR key
- Includes computer name as part of handshake instead of just GUID

-----

## Summary/Findings

-----

### Easter eggs

-----

### Challenges when REing

- Large shared struct
  - Changes with every sample
  - Every similar malware family has a different layout
  - Difficult/time-consuming to navigate and rebuild even with various IDA plugins

-----

### Challenges when REing

- Debug build complexity
  - Having debug build sounds great on paper
  - Nightmare to navigate without relevant symbols
  - Too much MSVC junk

-----

##### Shared concepts across families

- Base design/structure remains largely the same across families
  - Shared large structures
  - Import table configuration/API hashing
  - Fake TLS packaging & primarily communicates over TCP

-----

### Spreading via USB

- Spread via USB
  - Not a new tactic – but they are picking it back up for TOne series
- Suggests airgap attacks against military units
  - ...or in general, greater possibility of infecting other endpoints

-----

### New launchers & loaders

| Launcher | Vendor | Loader |
| --- | --- | --- |
| lslic.exe | SafeNet, Inc. | lsapiw32.dll |
| ssvagent.exe | Sun Microsystems, Inc. | ssv.dll |
| AutoUpdateApp.exe | Conceiva Pty. Ltd. | AutoUpdate.dll |
| Acrobat Elements.exe | Adobe Systems Inc. | ContextMenu.dll |
| dokanctl.exe | CleverFiles | dokan1.dll |
| WebEntryWizard.Exe | Data Access Worldwide | vdfvm17.dll |
| EACoreServer.exe | Electronic Arts | EACore.dll |
| GetCurrentRollback.exe | Microsoft Corporation | GetCurrentDeploy.dll |

- Started using more and more undocumented sideloading combos
- Instead of just Acrobat, Razer, Avast, etc.
  …and many more

-----

###### Tampers with PDB path a lot... By hand?

-----

###### ...but also forgets to sometimes??? (YK likely stands for 遠控, “remote control”)

-----

### Bigger Picture

- Constantly making changes
  - New revision every few months if not more often
  - Detection evasion?
- “Minimalistic” approach
  - Remote shell and sometimes basic file management only

-----

### Bigger Picture

- Different deployment strategies
  - PH/MM/TH/TW -> TOnePipeShell/TOneDisk/NoFive
  - VN/ID/MN -> PlugDisk/PlugX
  - EU/MN/TW -> MiniPlug
- Continues to target sensitive sectors
  - Military
  - Government

-----

## Conclusion

-----

### Key Takeaways

- Polaris is still at it well after a whole decade
- New (and old) TTPs
  - Disguises as TLS Application Data traffic
  - Constantly making changes to evade detection
  - Abuses previously undocumented legitimate launchers
  - Still targets removable devices for airgapped devices

-----

### Mitigations

- Beware of phishing emails
  - This is still their primary point of entry
- Double check before clicking on anything in a removable drive
  - If navigating to the device results in only one file or executable, and not the files you expect – STOP!

-----

## THANK YOU!

###### links.azaka.fun still@teamt5.org

-----
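The removable-drive mitigation above ("only one file or executable, and not the files you expect") can be turned into a read-only triage check using the TOneDisk infection traits from the earlier slides: a fake-folder executable at the drive root (`USB Disk(GB).exe`) and the real files moved under directories named with U+200D zero-width joiners (`\u200D\\u200D\\u200D\`). The block below is an added example written for this page, not code from the talk; the drive layout it inspects is constructed in a temporary directory, and the executable-suffix list and the "usb disk" name prefix are assumptions generalised from the single file name on the slide.

```python
"""Added example (not from the talk): read-only triage of a removable-drive
root for the TOneDisk symptoms the deck describes.  The sample layout is
constructed in a temp directory; suffix list and name prefix are assumptions."""
import os
import tempfile
import unicodedata
from pathlib import Path

# Assumption: what counts as "an executable" for the one-file-only symptom.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".lnk"}
FAKE_FOLDER_PREFIX = "usb disk"   # assumption generalised from "USB Disk(GB).exe"


def is_invisible_name(name: str) -> bool:
    """True when every character is a zero-width / format character (Unicode
    category Cf), which is what a directory named only with U+200D looks like."""
    return bool(name) and all(unicodedata.category(ch) == "Cf" for ch in name)


def count_files(path: Path) -> int:
    return sum(len(files) for _, _, files in os.walk(path))


def triage_removable_root(root) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    root = Path(root)
    findings = []
    # What a user actually sees in Explorer: entries whose names are not invisible.
    visible = [p for p in root.iterdir() if not is_invisible_name(p.name)]
    executables = [p for p in visible if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES]
    # Mitigations slide: navigating to the device shows only one executable.
    if len(visible) == 1 and executables:
        findings.append(f"root shows a single item and it is an executable: {executables[0].name}")
    # TOneDisk: an executable named like a folder / drive label.
    for exe in executables:
        if exe.stem.lower().startswith(FAKE_FOLDER_PREFIX):
            findings.append(f"executable named like a folder: {exe.name}")
    # TOneDisk: original files hidden under zero-width-joiner directories.
    for dirpath, dirnames, _ in os.walk(root):
        invisible = [d for d in dirnames if is_invisible_name(d)]
        for d in invisible:
            n = count_files(Path(dirpath) / d)
            findings.append(f"directory with invisible name {d!r} under {Path(dirpath).name!r} holding {n} file(s)")
        dirnames[:] = [d for d in dirnames if d not in invisible]  # report each tree once
    return findings


def build_constructed_sample(base) -> Path:
    """Constructed imitation of an infected drive: one fake-folder exe at the
    root, the user's real documents three U+200D levels down."""
    root = Path(base) / "E"
    root.mkdir()
    (root / "USB Disk(GB).exe").write_bytes(b"MZ constructed placeholder")
    hidden = root / "\u200d" / "\u200d" / "\u200d"
    hidden.mkdir(parents=True)
    (hidden / "budget.xlsx").write_bytes(b"constructed")
    (hidden / "report.docx").write_bytes(b"constructed")
    return root


def demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        return triage_removable_root(build_constructed_sample(tmp))


if __name__ == "__main__":
    for line in demo():
        print("[!]", line)
```

Point `triage_removable_root` at the mounted root of a drive you have not clicked into yet; it only reads directory listings, so it is safe to run from a locked-down analysis box. A clean drive returns no findings, a TOneDisk-style layout returns three: the single-executable symptom, the fake-folder name, and the invisible directory tree with a count of the real files it holds.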