1/20 False flag or upgrade? Suspected sea lotus uses the Glitch platform to reproduce the attack sample mp.weixin.qq.com/s/1L7o1C-aGlMBAXzHqR9udA Original Red Raindrop Team Qi Anxin Threat Intelligence Center 2022-01-20 02:01 Included in the topic #APT 52 Overview The Qi'anxin Red Raindrop team continues to pay attention to the attack activities of global APT organizations, including the OceanLotus APT organization. Recently, a foreign manufacturer Netskope released an analysis report on mht format files (Web archive files) implanted into malware by carrying Office macros , because the attack methods used by the samples mentioned are similar to those of OceanLotus. The report believes that the attack was carried out by the Ocean Lotus organization. After in-depth analysis of such samples by the researchers of the Red Raindrop team, it was found that there are some characteristics in the attack process that are different from the previous attacks of Ocean Lotus. Therefore, the possibility of other attack groups imitating Ocean Lotus cannot be ruled out. Based on the existing public information, the specific identity of the gang behind the attack cannot be determined for the time being. In addition, we noticed that such samples use the Glitch platform to deliver subsequent malware, and further found that they are in the same vein as the attack samples disclosed by Qi'anxin Threat Intelligence Center in December last year . This article will deeply analyze the samples involved in this attack, sort out other associated attacks, compare with the historical attack methods of OceanLotus, and summarize the similarities and unique characteristics of the attacks. Such attack samples have the following characteristics: 1. The macro code will release 32-bit or 64-bit malicious DLL according to the system version, and a piece of random data will be inserted when releasing the malicious DLL; 2. Both the macro code and malicious DLL are obfuscated; 3. The malicious DLL transmits the collected information back to the C2 service hosted by the Glitch platform, and then downloads the 7z-compressed subsequent malware and executes it. Sample information [1] [2] https://mp.weixin.qq.com/s/1L7o1C-aGlMBAXzHqR9udA javascript:void(0); 2/20 The collected attack sample information is as follows MD5 file type file name 0ee738b3837bebb5ce93be890a196d3e RAR HS.rar 11d36c3b57d63ed9e2e91495dcda3655 RAR Tai_lieu.rar 204cb61fce8fc4ac912dcb3bcef910ad RAR TL-3525.rar a7a30d88c84ff7abe373fa41c9f52422 RAR Note.rar b1475bdbe04659e62f3c94bfb4571394 RAR CV.rar b2eb3785e26c5f064b7d0c58bdd3abe0 RAR List Product.rar d8fa458192539d848ee7bb171ebed6bd RAR GiftProducts.rar e7ce1874ab781c7a14019b6a6e206749 RAR PaymentRequest.rar eb6cf9da476c821f4871905547e6a2b4 RAR DeliveryInformation.rar f5ea39b70f747e34ae024308298f70ac RAR Document.rar f8d30c45ed9d3c71ec0f8176ddd7fd8f RAR Gift Products.rar The names of the collected attack samples are basically in English, only Tai_lieu.rar is Vietnamese, which means "file". The RAR file contains mht files that carry Office macros. The sample execution flow is as follows. 3/20 Detailed analysis Take the sample 11d36c3b57d63ed9e2e91495dcda3655 as an example for analysis. file name Tai_lieu.rar MD5 11d36c3b57d63ed9e2e91495dcda3655 file type RAR RAR contains a mht format file Tailieu.doc with the same name as RAR, which will prompt the victim to enable macros when opened. 4/20 Enabling the macro will open Document.doc with no specific content, just an error message to confuse the victim. VBA After VBA is obfuscated, in addition to name obfuscation, it also uses Chr function to concatenate key strings, and uses mixed operations of hexadecimal, octal and decimal to obtain constant numbers. 5/20 After enabling the macro, first determine whether it is VBA7 and whether the system version is 64-bit, and save the judgment result in the global variable hPY42J6w. Create a directory "%ProgramData%\Microsoft Outlook Sync", and copy the original guest.bmp file in the system to the new directory to save the malicious DLL that will be released next. 6/20 Call the function kPW1Jdp7d4eP95n to release the doc file and dll file saved at the end of the mht file. The file data spliced at the end of the mht file are 32-bit dll, 64-bit dll and doc files in sequence. The file release sequence is from back to front, so the end of each file data will be followed by a 4-byte data to mark the length of the file data, which can be used to locate the starting position of the file data when releasing. 7/20 The hPY42J6w variable that previously saved the machine version judgment result determines which files are released: if the variable is 1, the file release operation will be performed when the variable v2yHmJl5EO064cV is 0 and 2, and the doc file and 32-bit dll will be released at this time; otherwise, if hPY42J6w If it is 2, the doc file and 64-bit dll are released. The doc file and dll file data spliced at the end of the mht file are not encrypted or encoded, but the way of saving and releasing the dll file data is special. Doc file data is stored in the file in its complete form and extracted directly upon release. Dll file data is saved in the following form: first two 4-byte data, and then the dll file removes the remaining data of the first two bytes (ie 0x4D5A) as the magic number of the PE file. Therefore, the length of the file data saved in mht will be 6 bytes larger than the original file length. When the Dll file data is released, it first reads 2 placeholders from mht for subsequent repair of the DOS header and removes the remaining original file data of 0x4D5A. Then insert a piece of random data into the read data for expansion processing. The position and length of the inserted data are determined by the two 4-byte data mentioned above. Finally, save the obtained data in the guest.bmp file in the "%ProgramData%\Microsoft Outlook Sync" directory. Then the macro code copies the guest.bmp that saves the data of the dll file to background.dll, changes the first two bytes of the file to "MZ", thereby repairs the DOS header, calls the OpenProfile function of background.dll, and deletes the guest.bmp file . 8/20 Finally set the opened mht file attribute to system hidden, then close the file. Freed DLL The functions of the 32-bit and 64-bit dll released by VBA macros are the same, because a random data will be inserted when the dll file is released, so the hash value of the dll file is not fixed. file name background.dll MD5 fca9347b37c737930d0aaa976c3e234b (not fixed) file type Win32 DLLs File size 23712256 bytes The released dll file instructions are obfuscated, and there are two export functions, the function names are OpenProfile and SaveProfile. The functions of the two functions are to achieve persistence by setting scheduled tasks, and to inject subsequent payloads into remote puppet process execution. The DllMain function of Backgroud.dll stores the key strings and other parameters used by the exported function in global variables. 9/20 The OpenProfile function is called by VBA, which sets up a scheduled task through a COM object to run another exported function of the dll, SaveProfile. SaveProfile injects the PE file embedded in the dll into the remote puppet process. The command to create the remote process is "rundll32.exe kernel32.dll,Sleep". 10/20 The offset of the address pointed to by the instruction register in the remote thread register context from the starting address of the memory where the injected data is stored is 0x44C20. After the PE injected into the memory is dumped, the only exported function is the location in the disk file. 11/20 DLL injected into memory file name - MD5 9fd6ae7e608b3b7421f55b73f94b4861 file type Win32 DLLs File size 717824 bytes The released 32-bit dll and the 64-bit dll injected into the remote process are both 32-bit, with the same file size and the same function. The DLL is injected into memory as an unmapped file, and the only exported function of this DLL is to load itself reflectively in memory. After allocating memory to load the dll itself, the export function executes the DllMain function twice, and the second parameter of DllMain is 1 and 4, respectively. Malicious behavior in the Dll is only triggered when the parameter is 4. 12/20 Like background.dll, key strings and other configuration data are first saved in global variables. Create a subdirectory named "Microsoft Edge Download" in the "C:\ProgramData" directory to collect host information, including the MAC address of the network card, user name, host name, all current process names, and file and subdirectory names in the ProgramData directory. 13/20 The collected information is encrypted and sent back to the C2 service hosted by the Glitch platform in a POST request. The return URL is hxxps://elemental-future- cheetah.glitch.me/afe92a2bd2P . Then get the follow-up from the C2 with a GET request, and the follow-up payload is transmitted as a 7z compressed file. Get the subsequent URL as hxxps://elemental-future- cheetah.glitch.me/afe92a2bd2D. Subsequent payloads are saved in "C:\ProgramData\Microsoft Edge Download\properties.bin". The malware in the 7z archive is decompressed and saved in the "C:\ProgramData\Microsoft Edge Download" directory. The subsequent payload is executed by setting a scheduled task through the COM object, and the persistence of subsequent malware is achieved at the same time. The name of the scheduled task is "Chrome Update". 14/20 Since C2 is currently inaccessible, subsequent malware cannot be obtained for analysis. Use the calculator program (calc.exe) in the system to simulate the acquired subsequent loads to display the set scheduled tasks. The dll also has a feature that uses GetCurrentThread/ GetCurrentProcess and WaitForSingleObject instead of Sleep to perform hibernation operations. activity association early samples 15/20 The earliest such attack samples can be traced back to August 2021. The early sample information is as follows: MD5 file type file name VT upload time 6d0ab5f4586166ac3600863bc9ac493e Win32 DLLs 2zofrncu.dll 2021/08/23 12:52:31 UTC 0bd0f1dd8b03c11b3d59da2c5fba2e45 Win32 DLLs mslog.dll 2021/08/26 03:55:13 UTC cc4a9d5248095e64c1f22e8a439416cc Win64 DLLs mslog64.bin 2021/08/26 03:57:57 UTC mslog.dll and mslog64.bin correspond to the 32-bit dll and 64-bit dll released in the aforementioned attack process, respectively. 2zofrncu.dll is the PE that mslog.dll injects into the remote process. The structure and operation process of the three samples are the same as the dll samples involved in this attack. The relevant URLs are as follows: URL Function hxxps://immense-plastic-pullover.glitch.me/T812P Return collected information hxxps://immense-plastic-pullover.glitch.me/T812D download follow-up It is worth noting that the PE injected into the memory during the entire attack process does not land on the disk, but the sample 2zofrncu.dll uploads VT earlier than its superior sample mslog.dll. Furthermore, all three samples uploaded VT from Vietnam by the same uploader. Combining the above information, we guess that these three samples may be early test samples. Previously disclosed attack samples The samples involved in this attack are strongly related to the attack samples disclosed by the Qi Anxin Threat Intelligence Center in December last year , and can be considered to be from the same attack group. The first is a misinformation document with the same content used in both campaigns. [2] 16/20 Then the code obfuscation method used by the malicious dll is the same, and the running process is the same: (1) A subdirectory with a name related to Microsoft will be created in the "C:\ProgramData" directory; (2) Collect host information, encrypt it and send it back to the C2 service program hosted on the Glitch platform as a POST request. The returned URL format is hxxps://[xxx]-[xxx]- [xxx].glitch.me /[xxx]P; (3) Then obtain the subsequent payload compressed by 7z from C2 and execute it. The subsequent URL format is hxxps://[xxx]-[xxx]-[xxx].glitch.me/[xxx]D. Comparison with the historical attack method of Ocean Lotus The attack sample uses some historical attack methods of OceanLotus. OceanLotus has used mht files carrying malicious macros to release the KerrDown downloader in the past attacks . Similarly, the malicious macros will choose to release 32-bit dll or 64-bit dll according to the system version. The dll used as the KerrDown downloader also uses pictures The suffix of the format file is saved on disk. In addition, the instruction obfuscation method used by the malicious dll involved in this batch of attack samples is similar to that of Ocean Lotus, and the reflective loading method is also used to load the PE in the memory during the sample execution process. The differences from the previous attacks of Ocean Lotus are: (1) The file name of the error message displayed by the sample is inconsistent with the original mht file name, and it is impossible to determine whether the attacker is negligent or deliberate. And the file data to be released is directly spliced at the end of the mht file without encryption or encoding processing. OceanLotus often saves the file data to be released in an encrypted or encoded form. [3] 17/20 (2) The reflection loading method used by the sample is different from that of the sea lotus tissue. OceanLotus often uses shellcode as the loader for reflective loading of PE, and this batch of attack samples uses the exported function of the loaded dll as the loader. The above differences may be due to either the Ocean Lotus group trying new attack methods, or the attack activities carried out by other groups. Due to the lack of pertinence in the sample name, the C2 service is hosted on the public platform Glitch, and the URL fails to obtain subsequent malware. At present, the specific identity of the attacker cannot be clearly identified, and further clues and information are to be discovered later. Summarize This type of attack sample uses malicious macros carried by mht files to implant malicious software on the victim host. The methods used in the attack process are similar to those of the OceanLotus organization, but there are also some characteristics that are different from the historical attack activities of OceanLotus. Although it cannot be attributed to a specific attack group for the time being, by sorting out a series of related attack activities, it can be found that the attackers behind them are constantly improving their attack methods and updating attack weapons. No domestic users have been affected by this attack, but precautions are essential. The Qi'anxin Red Raindrop team reminds users not to open links of unknown origin shared on social media, not to click and execute email attachments from unknown sources, not to run unknown files with exaggerated titles, and not to install apps from informal sources. Do timely backup of important files, update and install patches. If you need to run and install applications of unknown origin, you can first use the Qianxin threat intelligence file in-depth analysis platform (https://sandbox.ti.qianxin.com/sandbox/page) to determine. Currently, it supports in- depth analysis of files in various formats including Windows and Android platforms. At present, the full line of products based on the threat intelligence data of Qi'anxin Threat Intelligence Center, including Qi'anxin Threat Intelligence Platform (TIP), Tianqing, Tianyan Advanced Threat Detection System, Qi'anxin NGSOC, Qi'anxin Situational Awareness, etc., have already supported this Accurate detection of class attacks. 18/20 IOCs MD5 0ee738b3837bebb5ce93be890a196d3e 11d36c3b57d63ed9e2e91495dcda3655 204cb61fce8fc4ac912dcb3bcef910ad a7a30d88c84ff7abe373fa41c9f52422 b1475bdbe04659e62f3c94bfb4571394 b2eb3785e26c5f064b7d0c58bdd3abe0 d8fa458192539d848ee7bb171ebed6bd e7ce1874ab781c7a14019b6a6e206749 eb6cf9da476c821f4871905547e6a2b4 f5ea39b70f747e34ae024308298f70ac f8d30c45ed9d3c71ec0f8176ddd7fd8f 6d0ab5f4586166ac3600863bc9ac493e 0bd0f1dd8b03c11b3d59da2c5fba2e45 19/20 cc4a9d5248095e64c1f22e8a439416cc URL hxxps://elemental-future-cheetah.glitch.me/afe92a2bd2D hxxps://elemental-future-cheetah.glitch.me/afe92a2bd2P hxxps://elemental-future-cheetah.glitch.me/559084b660P hxxps://elemental-future-cheetah.glitch.me/02d9169d60D hxxps://elemental-future-cheetah.glitch.me/02d9169d60P hxxps://confusion-cerulean-samba.glitch.me/e1db93941c hxxps://confusion-cerulean-samba.glitch.me/0627f41878D hxxps://confusion-cerulean-samba.glitch.me/0627f41878P hxxps://confusion-cerulean-samba.glitch.me/192f188023 hxxps://confusion-cerulean-samba.glitch.me/2e06bb0ce9 hxxps://confusion-cerulean-samba.glitch.me/55da2c2031 hxxps://torpid-resisted-sugar.glitch.me/fb3b5e76b4D hxxps://torpid-resisted-sugar.glitch.me/fb3b5e76b4P hxxps://torpid-resisted-sugar.glitch.me/83a57b42f1D hxxps://torpid-resisted-sugar.glitch.me/83a57b42f1P hxxps://torpid-resisted-sugar.glitch.me/5db81501e9P hxxps://immense-plastic-pullover.glitch.me/T812D hxxps://immense-plastic-pullover.glitch.me/T812P Reference link [1] https://www.netskope.com/blog/abusing-microsoft-office-using-malicious-web-archive- files 20/20 [2] https://ti.qianxin.com/blog/articles/Obfuscation-techniques-similar-to-OceanLotus/ [3] https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/