# Blog #### Cybersecurity DNA ----- ##### APT15 Background Coincidentally, following the recent hack of a US Navy contractor and theft of highly sensitive data on submarine warfare, we have found evidence of very recent activity by a group referred to as APT15, known for committing cyber espionage which is believed to be affiliated with the Chinese government. The malware involved in this recent campaign, MirageFox, looks to be an upgraded version of a tool, a RAT believed to originate in 2012, known as Mirage. APT15 is known for committing cyberespionage against companies and organizations located in many different countries, targeting different sectors such as the oil industry, government contractors, military, and more. They are known for “living off the land,” meaning they use already available tools and software installed on the computer to operate, and once inside a target network, they will tailor their malware specifically to the target. Other names for the group are Vixen Panda, Ke3chang, Royal APT, and Playful Dragon. There are many articles and researches online about APT15 and their [activities, the most recent one by NCC Group; although posted in](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/) March 2018, it refers to a campaign in 2017. In addition, although the 2017 campaign has been documented, during our research regarding MirageFox, we found a recently uploaded binary (6/8/2018) from the 2017 campaign, pretty much identical to a RAT mentioned in their RoyalAPT report, barely detected with only 7/66 detections on [VirusTotal.](https://www.virustotal.com/#/file/016948ec7743b09e41b6968b42dfade5480774df3baf915e4c8753f5f90d1734/detection) ##### APT15 Code Reuse We found the new version of the RAT on VirusTotal hunting, by a YARA [signature we created based off code only found in Mirage and Reaver,](https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/) both attributed to Chinese government affiliated groups. After seeing that these binaries were new uploads to VirusTotal, with very few detections, we analyzed them using Intezer Analyze™ to see if we could find any code reuse ----- (https://analyze.intezer.com/#/analyses/d00b6787-0078-4148-aec3- a66779a22ba5) As can be seen in this code reuse analysis report (SHA256: 28d6a9a709b9ead84aece250889a1687c07e19f6993325ba5295410a478da30a), there is shared code with Mirage and Reaver. The compilation timestamp is from June 8, 2018 while the upload date to VirusTotal was June 9, 2018. [(VirusTotal)](https://www.virustotal.com/#/file/28d6a9a709b9ead84aece250889a1687c07e19f6993325ba5295410a478da30a/detection) On VirusTotal, we can see there are only 10/66 detections for this binary, 11/66 for another similar version of MirageFox (SHA256: 97813e76564aa829a359c2d12c9c6b824c532de0fc15f43765cf6b106a32b9a5), ----- Remote Shell: The function above is seen throughout many of the binaries in the Mirage family and is executed when a command is sent from the C&C. It is responsible for executing commands in cmd.exe (later down in the functions, not seen in the screenshot, it looks for cmd.exe and executes it using CreateProcessA). Configuration Decryption: ----- Another small, but same important function in the photo above, is the function for decrypting the data containing the C&C configuration. [Similar to Reaver as posted by Palo Alto, it gets the IP or domain of the](https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/) C&C server, the port, name of the binary, a sleep timer, and what Palo Alto calls a “campaign identifier.” ##### Technical Details At this moment, we were unable to retrieve the original infection vector and other information regarding what other tools the APT15 group is using to attack their targets. We are able to come up with a _few very interesting conclusions about what is going on here,_ _although we cannot say for sure what the case is without the full_ _context._ Firstly, the reason this has been named MirageFox instead of just Mirage, is because in the Export directory for the modules, the name field is filled with a string MirageFox_Server.dat. ----- Evidently in the image, you can see there is an exported function. The MirageFox binaries export a function called dll_wWinMain, the name of an export in vsodscpl.dll, a module by McAfee that is loaded by a few of their executables that import and call this function. This most likely means there is some type of DLL hijacking going on by distributing a legitimate McAfee binary with MirageFox to load up the DLL properly into a legitimate looking process. DLL hijacking techniques have been seen in the past with the APT15 group. The problem here is that once the export is called the first time, the module renames itself to sqlsrver.dll and there is no evidence within the module of any type of persistence. By renaming it to this, the future executions of the RAT will not be through a McAfee binary. The future persistence could be setup through another component of the malware or even a command sent by the C&C to the infected computer. The most interesting part is the decrypted C&C configuration, as can be seen in the image below. ----- _Port: 80_ _Sleep Timer: 30000_ _Campaign Identifier: Mirage_ If you look at it the decrypted configuration, you may notice that the IP _being used for the C&C is an internal IP address. If you read the report_ mentioned above about RoyalAPT by NCC Group, it is mentioned that APT15 infiltrated an organization again after stealing a VPN private key, therefore we can assume this version was tailor made to an _organization they have already infiltrated and are connecting to the_ _internal network using a VPN._ The rest of MirageFox functions similarly to previous malware created by APT15, first collecting information about the computer like the ----- typically seen in APT15 s RATs. ##### Conclusion There is high confidence that MirageFox can be attributed to APT15 due to code and other similarities in the MirageFox binaries. As is known about APT15, after infiltrating their target, they conduct a lot of reconnaissance work, send the commands from the C&C manually, and will customize their malware components to best suit the environment they have infected. ###### IOCs MirageFox 28d6a9a709b9ead84aece250889a1687c07e19f6993325ba5295410a478da30a 97813e76564aa829a359c2d12c9c6b824c532de0fc15f43765cf6b106a32b9a5 b7c1ae10f3037b7645541acb9f7421312fb1e164be964ee7acd6eb1299d6acb2 RoyalAPT 016948ec7743b09e41b6968b42dfade5480774df3baf915e4c8753f5f90d1734 RoyalAPT C&C buy.healthcare-internet[.]com Mirage (w/ Same C&C Config Decryption) 5787eff4b4d6ee5b4c5457c9af5e2f2e3c75204b5989606b1faa9b944dc49a30 b6bd5d8f5a824db05c37dde459b60a5571df87966e00390f2df56628da49b856 ----- da4dbc738d069fbcc9b96ab4af2bd3f7a87c7b69a4b47071e099e36b481dfa01 f633df1fb42666f62eb23fd70dac4e3c0c4908af123f9335f3b58e6ea205df8a e67e58bc736bd54e6915cb43af5f3c332da3592839a5a4884ba141b089310815 1534432fafb21c0479343bc2d9f3991e56c75baa41c54b3470d41055bb578f8f 27a0ce9761363f6a1eafc719b96bbe1f9a426e50e8b5abf84db963efddb89a8d d22c2ef1453d5575e05a673777931e07c44734fe467a77969bebe86e26aacf98 f85023ae81917a7fae0d987134a968ffad346d5c3b35d3a98e237419dd334696 24b3c3527a2431d1c1dd27fe6566ddcaa8e4b92e31e468bb733e827350830a14 57550ab2d20a757b24137ab764a2e9bf644fd8e1f4313bca22e04db7fa608cc2 4d45ddc35abf77cded21bafe5483d345585c1d84f52a101a65ebfda88be5ad7d 421f4c83898ff3ae9b2a94621140ef770888a8a0914b163cdae4690433173899 c27fb5fd362fdaec2e344564f76197d01e1dc463ee3552b16452fc41e67f2709 cec9c4e48fad6e4c2b7cf4bc34d357893ef878e8be076c9f680f297e06184c20 By Jay Rosenberg Jay Rosenberg is a self-taught reverse engineer from a very young age (12 years old), specializing in Reverse Engineering and Malware Analysis. Currently working as a Senior Security Researcher in Intezer. Share: ----- [Digital Certificates- When The Chain Of T…](https://www.intezer.com/digital-certificates-when-the-chain-of-trust-is-broken/) ##  -----