# 360威胁情报中心 **[ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en](https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/)** ## Background Recently, 360 Threat Intelligence Center is investigating one email phishing attack which is targeting one Pakistani businessman who is working in China. First attack of this campaign took place in May 2018. Attackers have taken over of target machines over months. TTP of this targeting attack will be introduced, as well as remediation advice. We identified this APT group coded as ‘APT-C-35’ in 2017, who is mainly targeting Pakistan and other South Asian countries for cyber espionage[1]. Arbor also published APT research on this group, and named it ‘Donot’[2]. The group attacked government agencies, aiming for classified intelligence. At least 4 attack campaigns against Pakistan have been observed by us since 2017. Spear phishing emails with vulnerable Office documents or malicious macros are sent to victims. Two unique malware frameworks, EHDevel and yty, are developed by attackers. In the latest attack, Donot group is targeting Pakistani businessman working in China. ## Fishing Attack The process of attacking target is as following: ## Malware Analysis ----- ### Dropper - Excel Macros Attackers lure victim to open decoy Excel file with malicious macro which is sent as attachment in a phishing email. While macro code is running, office_update.exe is dropped at C:\micro and run. The decoy Excel document pretends to be pricing list of one BMW car, which is easy to have trust of the victim: ### Downloader - office_update. exe filename office_update.exe MD5 2320ca79f627232979314c974e602d3a Office_updata.exe is a downloader, which is able to download a BAT file by http://bigdata.akamaihub.stream/pushBatch: The BAT file is mainly to modify registry for persistence, and create a directory with hidden property, etc. It can also download wlidsvcc.exe from http://bigdata.akamaihub.stream/pushAgent, then save it in %USERPROFILE%\BackConfig\BackUp directory: After that, Office_updata.exe will remove itself from system. ### Plugin - Downloader - wlidsvcc.exe Filename wlidsvcc.exe MD5 68e8c2314c2b1c43709269acd7c8726c ----- Wlidsvcc.exe is also a downloader. It downloads 3 plugins from C2 server, naming wuaupdt.exe, kylgr.exe, and svchots.exe. Mutex "wlidsvcc" is created to ensure that only one instance runs in system: Then, it determines if the current process path is %USERPROFILE%BackConfig\BackUp\wlidsvcc.exe: If the path meets condition, wlidsvcc.exe communicates with C2 (bigdata.akamaihub.stream) by POST, which is to retrieve remote commands If C2 sends ‘no’ command, wlidsvcc.exe will retry to contact C2 after sleeping for 90 seconds: If ‘cmdline’ command is received, wlidsvcc.exe runs plug-in %USERPROFILE%\BackConfig\BackUp\wuaupdt.exe, and then listens for follow-up commands: ----- If commands are neither ‘no’ nor ‘cmdline’, wlidsvcc.exe downloads http://bigdata.akamaihub.stream/orderMe to C:\Users\%s\BackConfig\BigData, then puts itself into waiting mode: ### Plugin executor - wuaupdt.exe Filename Wuaupdt.exe MD5 35ec92dbd07f1ca38ec2ed4c4893f7ed wuaupdt.exe is a CMD backdoor, which can receive and execute CMD commands sent from C2. It can also execute other plugins if commands are issued by attackers. The analysis of all backdoor plugins is shown in the following section. Execute C2 commands: ### Backdoor - Plugins wuaupdt.exe will execute corresponding plug-ins according to the commands issued by attackers. All plugins’ details are as following. #### Keylogger - Kylgr.exe Filename Kylgr.exe MD5 88f244356fdaddd5087475968d9ac9bf PDB path c:\users\user\documents\visualstudio2010\Projects\newkeylogger\Release\new keylogger.pdb ----- This plugin is a keylogger. It firstly creates a file inc3++.txt in current directory and check whether a keylogging file exists in %USERPROFILE%\Printers\Neighbourhood directory. If yes, it saves log file name and its last modification time to inc3++.txt: If keylogging file is found in %USERPROFILE%\Printers\Neighbourhood, the log file is moved to directory %USERPROFILE%\Printers\Neighbourhood\Spools: A new keylogging file is created in %USERPROFILE%\Printers\Neighbourhood, with filename ‘username_year_month_day(hour_minute_second)’. Then, it monitors activities of mouse and keyboard constantly. ----- If window name is obtained, the name and pressed keys are logged: #### File - listing - svchots.exe Filename svchots.exe MD5 14eda0837105510da8beba4430615bce This plugin traverses disk C, D, E, F, G and H to collect filenames: ----- Following directories are excluded: The, files with following extensions are collected: ----- If files matching above criteria are found, file names and last modification date of them are written into test.txt file in the current directory, and they are copied to %USERPROFILE%\Printers\Spools directory, with appending ‘txt’ as new extension name: #### Systeminfo – spsvc.exe Filename Spsvc.exe MD5 2565215d2bd8b76b4bff00cd52ca81be This plugin, packed by UPX and written by Go Language, aims to collect various system information. It creates several CMD processes for information collection. Information is saved to a file located in directory %USERPROFILE%\Printers\Spools: ----- #### Uploader – lssm.exe Filename Lssm.exe Md5 23386af8fd04c25dcc4fdbbeed68f8d4 The purpose of this plugin is to upload collected information and files, stored in %USERPROFILE%Printers\Spools directory, to C2 bigdata.akamaihub.stream ----- #### Uploader – lssmp.exe Filename lssmp.exe MD5 b47386657563c4be9cec0c2f2c5f2f55 Digital signature COMODO CA Limited Similar to lssm.exe, lssmp.exe uploads collected info and files to C2. It has a digital signature: The plugin searches for explorer.exe in process list: ----- Then, it extracted out a PE file from its resource section: The PE file is injected into explorer.exe process for running: ----- The injected PE file has similar functionalities as lssm.exe, since it uploads keystroke log to C2 server: ----- ## Pivoting Some other decoy documents and plugins are found to have connections with the files in this attack. ### CSD_Promotion_Scheme_2018. XLS Filename CSD_Promotion_Scheme_2018. XLS MD5 82a5b24fddc40006396f5e1e453dc256 The decoy document is an Excel file with malicious macros. When it is opened, a window of Excel security disclamation pop up, warning user that this file has risky macros: ----- The main function of malicious macro code is to drop skypet.exe in the directory %APPDATA%, and to drop skype.bat in the directory C:\Skype. skypet.bat is executed after that: Same pricing list of a BMW car is content of the Excel file: ----- ### Skyep.bat Skyep.bat creates 3 directories %USERPROFILE%Printers\Spools, %USERPROFILE%BackConfig\BackUp and %USERPROFILE%BackConfig\BigData, and then sets these folder properties to hidden: The BAT file also gets the computer name, and save it into %USERPROFILE%\BackConfig\Backup\pcap.txt: And it creates multiple registry entries for persistence. Then, it starts skyep.exe and deletes itself: ### Skyep.exe File‐ name Skyep.exe MD5 f67595d5176de241538c03be83d8d9a1 PDB C:\Users\spartan\Documents\Visual Studio 2010\Projects\downloader new 22 jun use\downloader\Release\downloader.pdb Skyep.exe, disguising as a voice software Skype, downloads csrsses.exe from http://databig.akamaihub.stream/pushBatch (it is still alive) to the \BackConfig\BackUp\ for running: ----- ### Csrsses.exe The file name Csrsses.exe. MD5 e0c0148ca11f988f292f527733e54fca This file, similar to wlidsvcc.exe, is to execute commands from C2 server. Firstly, it reads computer name from \\BackConfig\\BackUp\\pcap.txt The computer name is then processed to a string: "orderme/computer name - random number". It contacts C2 databig.akamaihub.stream for commands: ----- It check value of Content-Type to determine next operation. If the value is application, it downloads file from C2 to \\BackConfig\\BigData\\ directory: If the value is "cmdline", \\BackConfig\\BigData\\wuaupdt.exe is executed: If command is"batcmd", \\BackConfig\\BigData\\test.bat is started: ## Attribution -- Donot (APT-C-35) ----- By analyzing the macro code, plugins, domain name /IP correlation in the attack, we confirm that Donot APT Group (APT-C-35) is behind the attack. ### Similarity of Macro Code ASERT disclosed one macro sample linking to DONOT APT Group in March 2018[2]. That macro sample is very similar to the sample in this attack: a decoy picture is pop up after macro runs. ### Similarity of Plug-ins Similar to previous Donot samples, new sample downloads plugins from C2. It is also packed by UPX and is written in Go language. Furthermore, it has similar code logic as previous ones wuaupdt.exe in this attack appears in previous Donot attack[1], and C2 addresses are same to previous ones. ## Conclusion ----- From the attack activity captured this time, it is obvious that Donot APT group is still keen on Pakistan as primary target of attack, and even expands scope of attack to include Pakistani staffs and institutions in China. There is a sign that the Donot group has never stopped its attacks and another cyber espionage attack could be launched soon. 360 Threat Intelligence Center suggests enterprises to improve employees' security awareness by provide them sufficient security training, especially anti-phishing training. Situational awareness, asset management, and threat intelligence can prevent such attacks significantly. For 360 ESG customers, detection to Donot group and related IOCs are supported by products integrated with threat intelligence, including 360 Threat Intelligence Platform, SkyEye Advance Threat Detection System, 360 NGSOC. ## IOC **MD5** 82a5b24fddc40006396f5e1e453dc256 f67595d5176de241538c03be83d8d9a1 e0c0148ca11f988f292f527733e54fca 2320ca79f627232979314c974e602d3a 68e8c2314c2b1c43709269acd7c8726c 35ec92dbd07f1ca38ec2ed4c4893f7ed 88f244356fdaddd5087475968d9ac9bf 14eda0837105510da8beba4430615bce 2565215d2bd8b76b4bff00cd52ca81be 23386af8fd04c25dcc4fdbbeed68f8d4 b47386657563c4be9cec0c2f2c5f2f55 **C&C** databig.akamaihub.stream bigdata.akamaihub.stream 185.236.203.236 unique.fontsupdate.com **PDB path** C:\Users\spartan\Documents\Visual Studio 2010\Projects\downloader new 22 jun use\downloader\Release\downloader.pdb C:\users\user\documents\visualstudio2010\Projects\newkeylogger\Release\new keylogger.pdb ## Reference 1. https://ti.360.net/blog/articles/latest-activity-of-APT-C-35/ ----- 2. https://asert.arbornetworks.com/donot-team-leverages-new-modular-malware-framework-south-asia/ -----