### Fighting to LODEINFO
###### Investigation for Continuous Cyberespionage Based on Open Source

Ryo Minakawa, Daisuke Saika, Hiroki Kubokawa @ NFLaboratories

-----

###### Who we are

- Ryo Minakawa: APT / Malware Hunter
- Daisuke Saika: Malware Analyst
- Hiroki Kubokawa: CTI Analyst

-----

###### Agenda

1. Introduction
2. Continuous LODEINFO Campaign
3. Research and Hunting Methodologies
4. New TTPs Observed in 2022
5. Insight into Threat Actor
6. Limitation and Conclusion

-----

###### Introduction

-----

###### Overview

- Campaign using LODEINFO malware
  - Continuously observed for about 3 years, since Dec. 2019
  - A Chinese state-backed APT group is behind it (APT10?)
- What we talk about today (focus on two topics!)
  - Features of the latest LODEINFO malware
  - ☛ How to hunt and defend against threats based on open-source intelligence
  - ☛ New insight on threat actor attribution

[https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html](https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html)

-----

###### Continuous LODEINFO Campaign

-----

###### Outline of LODEINFO

- Fileless RAT used for campaigns targeting Japan
  - Target sectors: defense, international politics, diplomacy, media
  - Delivered by spearphishing emails
  - Continuously updated since Dec. 2019
  - Malware version information is hardcoded inside the RAT
  - CnC servers deployed on Japan-located VPS and hosting services (Vultr, CHOOPA, LINODE ...)
- APT10 is said to be behind the campaigns
  - Code similarity with BISONAL malware (hardcoded version information)
  - Similarity in TTPs (spearphishing, DLL Side-Loading)

-----

###### Timeline up to 2022

First observed in Dec. 2019, continuously updated and used since then (timeline axis: Dec. 2019 to Nov. 2021; some items unconfirmed).

- v0.1.2: first observed; malicious DLL loaded using Rundll32.exe (LOLBAS); 11 commands implemented
- v0.2.7: CnC communication data format changed; ransom and keylog commands added but not implemented
- v0.3.2: infection flow changed to DLL Side-Loading
- v0.3.5: rm command implemented; ps and pkill commands implemented
- v0.4.6: ransom and keylog commands implemented; print command implemented
- v0.4.9: mv, cp and mkdir commands implemented; comc command implemented; config command implemented (not available); commands list obfuscated; CnC communication is more encrypted

-----

###### Execution flow (v0.1.2)

- Malicious VBA drops a DLL and executes it via RunDll32.exe (LOLBAS)
- Malicious shellcode is embedded in LODEPNG (open-source PNG encoder/decoder)
  - [https://github.com/lvandeve/lodepng](https://github.com/lvandeve/lodepng)
  - pdb information remains
- The shellcode is encrypted with a single-byte XOR key, stored as the trailing byte
  - This encryption method remains unchanged today

Flow: drop LODEINFO DLL → load via RunDll32.exe → inject into svchost.exe → execute

-----

###### CnC communication data format (v0.1.2)

The Header and Main Data parts are created in separate formats and each is encoded with customized Base64. The CnC verifies a communication using the first 16 bytes of the Header (SHA512/128). Data is processed in the order Raw Data => QuickLZ compress => AES256 (CBC) => Payload; a unique AES key and IV are hardcoded in each sample.

| part | offset | size (byte) | description |
|---|---|---|---|
| Header | 0x00 | 16 | SHA512 of AES key (first 16 bytes) |
| Header | 0x10 | 4 | size of base64-encoded main data part |
| Header | 0x14 | 1 | N/A |
| Main Data | 0x15 | 48 | SHA512 of Raw Data (first 48 bytes) |
| Main Data | 0x45 | 4 | payload size |
| Main Data | 0x49 | variable length | payload (encrypted Raw Data) |

-----

###### Beacon data sample (v0.1.2)

The POST parameter name is hardcoded in the shellcode. The payload plaintext is "UNIXTIME of execution|ANSI code|MAC Address|Computer Name".

-----

###### RAT commands list (v0.1.2)

| command | description |
|---|---|
| MZ | execute PE file |
| 0xE9 | execute shellcode |
| command | return available commands list |
| cd | change current directory |
| ls | list files and directories |
| send | download file |
| recv | upload file to CnC server |
| cat | upload file to CnC server |
| memory | inject shellcode into svchost.exe |
| kill | kill process |
| ver | return version information |

-----

###### Changes in CnC communication data format (v0.2.7)

- JPCERT released a decryption script for v0.1.2, but the next version (v0.2.7) changed its data format, so the former script no longer works
- v0.2.7 itself is not found on open sources, but we confirmed that the new script works well for v0.3.2 and later versions
- The payload size is XORed with a single-byte key, and the key is added to the Main Data part

| part | offset | size (byte) | description |
|---|---|---|---|
| Header | 0x00 | 16 | SHA512 of AES key (first 16 bytes) |
| Header | 0x10 | 4 | size of base64-encoded main data part |
| Header | 0x14 | 1 | N/A |
| Main Data | 0x15 | 48 | SHA512 of Raw Data (first 48 bytes) |
| Main Data | 0x45 | 4 | payload size, XORed by single-byte key |
| Main Data | 0x49 | 1 | single-byte XOR key |
| Main Data | 0x4A | variable length | payload (encrypted Raw Data) |

-----

###### Change in execution flow (v0.3.2)

- Malicious VBA drops a signed executable and a DLL shellcode loader
- The DLL is loaded by the DLL Side-Loading technique
  - Chinese state-backed APT groups often use DLL Side-Loading for defense evasion
  - Legitimate exe: 1871402d3c83b2e15bf516d754458bd4 (MD5)
- This signed exe has been continuously used for side-loading

-----

###### Changes in CnC communication data format (v0.5.6)

Before v0.5.6, the Header fields (AES key SHA512/128, data size, N/A) were only customized-Base64 encoded. From v0.5.6 on, the former Header fields are encrypted before the customized Base64 encoding, so the former script no longer works again...
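A decoder skeleton for the v0.1.2 and v0.2.7 message layouts above, added here as an example (it is not the authors' or JPCERT's script). It assumes standard Base64 in place of the sample-specific customized alphabet, little-endian size fields, and leaves the payload encrypted, since the per-sample AES key/IV and the QuickLZ step are not on the slides; what it exercises is the header/size/hash structure an analyst would validate when replaying captured traffic.

```python
"""Decoder skeleton for the LODEINFO CnC message layout on the v0.1.2 and
v0.2.7 slides (added example, not the authors' or JPCERT's script).
Assumptions: standard Base64 stands in for the sample-specific customized
alphabet, size fields are little-endian, and the payload stays encrypted
because the per-sample AES key/IV and the QuickLZ step are not on the slides."""
import base64
import hashlib
import struct

HEADER_LEN = 0x15  # 16-byte key hash + 4-byte size + 1 unused byte (0x14)


def sha512_prefix(data: bytes, n: int) -> bytes:
    """SHA512/n as written on the slides: the first n bytes of SHA-512."""
    return hashlib.sha512(data).digest()[:n]


def xor1(data: bytes, key: int) -> bytes:
    """Single-byte XOR over data (used for the v0.2.7 payload-size field)."""
    return bytes(b ^ key for b in data)


def build_message(aes_key: bytes, raw_data: bytes, payload: bytes,
                  version: str, xor_key: int = 0) -> tuple:
    """Return (header_b64, main_b64) for a constructed beacon.  raw_data is
    the plaintext before QuickLZ+AES, payload the (here opaque) ciphertext."""
    size = struct.pack("<I", len(payload))
    if version == "v0.1.2":
        main = sha512_prefix(raw_data, 48) + size + payload
    elif version == "v0.2.7":
        main = (sha512_prefix(raw_data, 48) + xor1(size, xor_key)
                + bytes([xor_key]) + payload)
    else:
        raise ValueError("unsupported version " + version)
    main_b64 = base64.b64encode(main)
    header = sha512_prefix(aes_key, 16) + struct.pack("<I", len(main_b64)) + b"\x00"
    return base64.b64encode(header), main_b64


def parse_message(header_b64: bytes, main_b64: bytes, aes_key: bytes,
                  version: str) -> dict:
    """Decode both parts and run the checks a CnC (or an analyst replaying a
    capture) would run.  Offsets in the comments are those of the slides'
    concatenated view, where Main Data starts at 0x15."""
    header = base64.b64decode(header_b64)
    if len(header) != HEADER_LEN:
        raise ValueError("header must be exactly 0x15 bytes")
    if header[0x00:0x10] != sha512_prefix(aes_key, 16):      # 0x00, 16 bytes
        raise ValueError("AES key hash mismatch (wrong sample key?)")
    (declared,) = struct.unpack("<I", header[0x10:0x14])     # 0x10, 4 bytes
    if declared != len(main_b64):
        raise ValueError("declared main-data size does not match")
    main = base64.b64decode(main_b64)
    raw_hash = main[0x00:0x30]                               # 0x15, 48 bytes
    size_field = main[0x30:0x34]                             # 0x45, 4 bytes
    if version == "v0.1.2":
        xor_key = None
        (payload_size,) = struct.unpack("<I", size_field)
        payload = main[0x34:]                                # 0x49
    elif version == "v0.2.7":
        xor_key = main[0x34]                                 # 0x49, 1 byte
        (payload_size,) = struct.unpack("<I", xor1(size_field, xor_key))
        payload = main[0x35:]                                # 0x4A
    else:
        raise ValueError("unsupported version " + version)
    if payload_size != len(payload):
        raise ValueError("payload size mismatch")
    return {"raw_data_hash": raw_hash, "payload_size": payload_size,
            "xor_key": xor_key, "payload": payload}


def verify_raw_data(parsed: dict, raw_data: bytes) -> bool:
    """After decrypting and decompressing the payload, the 48-byte hash in
    Main Data confirms that the recovered Raw Data is intact."""
    return parsed["raw_data_hash"] == sha512_prefix(raw_data, 48)


if __name__ == "__main__":
    # Constructed sample values: a 32-byte key and a beacon-style plaintext.
    key = b"K" * 32
    raw = b"1670000000|932|00:11:22:33:44:55|WORKSTATION"
    enc = b"\xaa" * 37          # stands in for the QuickLZ+AES output
    h, m = build_message(key, raw, enc, "v0.2.7", xor_key=0x5A)
    info = parse_message(h, m, key, "v0.2.7")
    print(info["payload_size"], hex(info["xor_key"]), verify_raw_data(info, raw))
```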
-----

###### Change in beacon data (v0.5.6)

| offset | size (byte) | description |
|---|---|---|
| 0 | 4 | data size |
| 4 | 4 | size of dummy data |
| 0x11 | variable length | collected system information: "UNIXTIME of execution\|ANSI code\|MAC Address\|Computer Name#key for substitution cypher" |
| data size + 27 | variable length | unused Base64 (dummy) data |

-----

###### Header encryption procedure (v0.5.6)

- A unique hardcoded value is set as the POST parameter name and is also used as the key for header encryption
- The header is encrypted with a string index-based substitution cipher (decryption script → Appendix D)

-----

###### RAT commands list obfuscation (v0.5.6)

- Command strings stored in the shellcode are 2-byte XORed (keys are unique for each command); they are decoded when the commands list is created and when a received command is compared (e.g. ls, command)
- YARA signatures based on the commands list no longer work
  - [https://github.com/JPCERTCC/jpcert-yara/blob/main/other/lodeinfo.yara](https://github.com/JPCERTCC/jpcert-yara/blob/main/other/lodeinfo.yara)

-----

###### Summary

- The operation is highly motivated to attack Japan, as evidenced by the well-crafted decoy documents and the location of its CnC servers
- LODEINFO malware is continuously updated and used for campaigns targeting Japan
  - Very likely to be used after 2022
- TTPs change frequently
  - Efforts to avoid analysis by tools and signature matching have been carried out continuously
  - We cannot hunt and defend against these threats simply by applying threat intelligence from others as it is

-----

###### Research and Hunting Methodologies

-----

###### Motivation of research

- Countering potential threats to your organization
  - In addition to reading threat reports, we need to continuously observe threats and track the latest attacks
  - A representative example is the campaigns using LODEINFO
- But it is difficult for us to handle raw incident cases...
  - ☛ Aim to detect glimpses of threats with open-source intelligence!
- Actions we can take based on open-source threat intelligence
  - Continuous observation based on externally published IoCs
  - Digging deeper into reports and creating specific detection logic
  - Collecting and sharing threat intelligence actively

-----

###### Sources of threat intelligence

- Twitter: various intelligence is found here. Objectives: broad information gathering; getting the first report quickly
- ANY.RUN & Hybrid Analysis: famous online sandboxes. Objectives: searching for valuable artifacts; conducting YARA rule hunting
- VirusTotal: online analysis service with large data sets (price: 2 million yen/year +). Objectives: real-time YARA rule hunting; downloading artifacts

-----

###### Threat intelligence monitoring on Twitter

The official Twitter client is too difficult to use for this purpose, so we use TweetDeck to monitor key accounts and keywords.

-----

###### Utilizing VirusTotal

- Collect artifacts from VirusTotal based on threat reports and IoCs
- Analyze the malware and create YARA rules, then use Livehunt to hunt matching artifacts in real time
- ☛ Rules with good accuracy: import them into your organization's detection logic

[https://www.virustotal.com/](https://www.virustotal.com/)

-----

###### Is it possible to create a YARA rule for loaders?
- The implementation of the shellcode loader (SfsDll32.dll) changed greatly between v0.3.5 and v0.5.6 (XOR decryption routine)
- The loader works with simple logic, so its implementation is easy to change
  - (Sometimes) rules created for former samples cannot catch updated loaders
  - Hunting 1-byte XOR shellcodes with brute-force rules is not going to work when the encryption method changes (like the RAT commands' 2-byte XOR)

-----

###### Find TTPs that rarely change, based on reports

- LODEINFO's loader is side-loaded from the default execution flow of a legitimate executable
  - Assumption: "It is more difficult to change the legitimate executable than to change the implementation of the loader"
- Only two legitimate executables observed so far
  - SfsDllSample.exe: 2020/05 ~ 2021/12
  - K7SysMon.exe: 2022/03 ~
- ☛ Hunt all files that would be side-loaded by them

-----

###### Find the function called from the default execution flow

- Analyze the legitimate executable statically
- "StartSystemMonitor" is the only loaded function called from the default execution flow
- ☛ The malicious DLL loader must have StartSystemMonitor in its export table!

-----

###### Using file search modifiers

Files with "StartSystemMonitor" in the export table: only 4 samples in 3 months. ☛ A manageable amount!
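To make the loader-rule problem above concrete, here is an added example (not the authors' tooling) of the two XOR layers the slides describe and why a single brute-forced key does not recover the v0.5.6 command list: the loader's shellcode is decoded from its trailing single-byte key, and each 2-byte-XORed command string is then located by known-plaintext search, deriving a separate key per command. The shellcode bytes are constructed, and the keystream layout (a 2-byte key repeated over the string) is an assumption taken from the slide, not a confirmed specification.

```python
"""XOR-recovery helpers for the two layers the slides describe: the loader's
shellcode (single-byte XOR, key in the trailing byte) and the v0.5.6 RAT
command strings (2-byte XOR with a different key per command).  Added
example, not the authors' tooling; the shellcode bytes are constructed and
the keystream layout (2-byte key repeated over the string) is an assumption."""

# v0.1.2 command list from the slides; cd/ls/cat/ver are too short to confirm a key
LODEINFO_COMMANDS = [b"command", b"cd", b"ls", b"send", b"recv", b"cat",
                     b"memory", b"kill", b"ver"]


def decode_trailing_xor(blob: bytes) -> bytes:
    """Loader scheme: the last byte is the key, everything before it the ciphertext."""
    if len(blob) < 2:
        raise ValueError("blob too short to carry a trailing key")
    key = blob[-1]
    return bytes(b ^ key for b in blob[:-1])


def xor2(data: bytes, key: bytes) -> bytes:
    """Repeating 2-byte XOR, the v0.5.6 command-string obfuscation."""
    return bytes(b ^ key[i % 2] for i, b in enumerate(data))


def find_xor2_strings(shellcode: bytes, known: list, min_len: int = 4) -> list:
    """Known-plaintext search.  For each candidate command and offset, derive
    the 2-byte key from the first two bytes and accept the hit only if the
    remaining bytes decode under that key.  Returns (offset, command, key).
    Because each command has its own key, one brute-forced key over the
    whole blob (what a YARA rule would try) cannot recover the list."""
    hits = []
    for cmd in known:
        if len(cmd) < min_len:      # fewer than 2 confirming bytes: too noisy
            continue
        for off in range(len(shellcode) - len(cmd) + 1):
            key = bytes([shellcode[off] ^ cmd[0], shellcode[off + 1] ^ cmd[1]])
            if xor2(shellcode[off:off + len(cmd)], key) == cmd:
                hits.append((off, cmd, key))
    return hits


def build_demo_blob() -> tuple:
    """Constructed sample: filler, three commands each under its own 2-byte
    key with NUL padding, then the whole buffer under a trailing 1-byte key."""
    keys = {b"command": b"\x13\x37", b"memory": b"\xab\xcd", b"send": b"\x01\x02"}
    body, offsets = b"\x90" * 8, {}
    for cmd, k in keys.items():
        offsets[cmd] = len(body)
        body += xor2(cmd, k) + b"\x00" * 3
    loader_key = 0x5C
    blob = bytes(b ^ loader_key for b in body) + bytes([loader_key])
    return blob, {"keys": keys, "offsets": offsets}


def recover_commands(blob: bytes) -> dict:
    """Full pipeline: strip the loader layer, then locate obfuscated commands."""
    shellcode = decode_trailing_xor(blob)
    return {cmd: (off, key) for off, cmd, key in
            find_xor2_strings(shellcode, LODEINFO_COMMANDS)}


if __name__ == "__main__":
    blob, meta = build_demo_blob()
    for cmd, (off, key) in recover_commands(blob).items():
        print(f"{cmd.decode():8s} at 0x{off:02x} key {key.hex()}")
```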
Search modifiers used:

- entity: search type
- exports: function name in the export table of a PE
- fs: first submission

-----

###### Creating a YARA rule and hunting

A cheap but sufficient rule to hunt potential LODEINFO threats: the file starts with "MZ" and has "StartSystemMonitor" in its export table → v0.5.9 and later LODEINFO. ☛ Enabled since v0.5.9 was observed; it detected samples up to v0.6.3.

-----

###### Semi-automation of analysis (Hunt => Store)

The flow from hunting to storing intelligence is semi-automated (diagram on the slide, with the manual part marked).

-----

###### Storing intelligence

Automated analysis and manual analysis results are stored in OpenCTI and converted to a format that allows correlation analysis.

-----

###### Utilizing Hybrid Analysis

Used for testing the accuracy of self-made YARA rules and for simple hunting without VirusTotal.

-----

###### Utilizing ANY.RUN

- ANY.RUN has detailed search options (run type, country, verdict, extension) and allows artifacts to be downloaded
- It may be possible to observe artifacts used in targeted attacks (this needs skill)
- LODEINFO samples have been posted to ANY.RUN; the screenshot gives a sense of the oddity of the decoy file

[https://app.any.run/](https://app.any.run/)

-----

###### New TTPs Observed in 2022

-----

###### Timeline and trends in 2022

- No significant change in Initial Access methodology and target sectors
  - Spearphishing emails with malware attached
  - Main targets are the media and defense sectors
- The legitimate executable used to side-load the malicious DLL changed
  - "SfsDllSample.exe" => "K7SysMon.exe"
- Some commands and the execution flow changed
  - Versions on the 2022 timeline: v0.5.9 (Mar.), v0.6.2 (Apr.), v0.6.3 and v0.6.5 (Jun.); decoy file name shown on the timeline: age_report_2021_6.pdf
-----

###### CnC server infrastructure for LODEINFO

- No change in infrastructure trends
  - Using hosting services such as Vultr, CHOOPA and LINODE
  - IP geolocation is mostly Japan

| CnC server | version | hosting service | location |
|---|---|---|---|
| 45.77.28[.]124 | v0.5.9, v0.6.2 | Vultr | Ōi, Saitama, Japan |
| 172.105.223[.]216 | v0.6.2, v0.6.5 | LINODE | Tokyo, Tokyo, Japan |
| 202.182.108[.]127 | v0.6.2, v0.6.5 | CHOOPA | Ōi, Saitama, Japan |
| 103.175.16[.]39 | v0.6.3 | Mondoze | Kuala Lumpur, Kuala Lumpur, Malaysia |
| 5.8.95[.]174 | v0.6.3 | G-Core Labs S.A. | Urayasu, Tokyo, Japan |
| 172.104.112[.]218 | v0.6.5 | LINODE | Ōi, Saitama, Japan |

-----

###### Changes in API hash algorithm (2022/3, v0.5.9)

- Before v0.5.9: CRC32-based hashing
- v0.5.9 and after: JSHash (Justin Sobel hash)-based algorithm & 2-byte XOR
- ☛ Extraction of the XOR key is now required for malware analysis

-----

###### Changes in beacon payload (2022/4, v0.6.2)

- The version information is added to the beacon format
- The code exists in v0.5.9, but it does not work, probably due to a memory manipulation error

| offset | size (byte) | description |
|---|---|---|
| 0 | 4 | data size |
| 4 | 4 | dummy data size |
| 0x11 | variable length | collected system information: "UNIXTIME of execution\|ANSI code\|MAC Address\|Computer Name#key for substitution cypher-Version" |
| data size + 27 | variable length | unused Base64 (dummy) data |

-----

###### Updates for memory command (2022/4, v0.6.2)

Support for 64-bit shellcode:

- Check the first byte of the shellcode
- If it is 0x8D, replace it with 0xE9 and execute as 64-bit shellcode

-----

###### Locale environment check (2022/4, v0.6.2)

Behavior varies between v0.6.2 samples: the same version does not always work the same.

| | No locale check | ja-JP check | en-US check |
|---|---|---|---|
| Code | later v0.6.2 | (snip.) | (snip.) |
| MD5 hash | 016a974e70bbce6161862e0ac01a0211 | da1c9006b493d7e95db4d354c5f0e99f | ff71fadc33b883de934e632ddb4c6b78 |
| Summary | Executes subsequent processes without checking locale information | If the locale is not ja-JP, this function loops infinitely | If the locale is en-US, this function loops infinitely (also used in v0.6.3 ~) |

-----

###### Changes in commands (2022/6, v0.6.3)

Available commands: 21 => 11.

Commands removed from this version:

| command | description |
|---|---|
| ls | list files and directories |
| rm | remove file |
| mv | move file |
| cp | copy file |
| cat | upload file to CnC |
| mkdir | make directory |
| keylog | enable keylogger |
| ps | get process information |
| pkill | kill target process |
| autorun | enable/disable persistence |

Implemented commands:

| command | description |
|---|---|
| command | return available commands list |
| config | not implemented (returns "Not available") |
| cd | change current directory |
| send | download file |
| recv | upload file to CnC |
| memory | inject shellcode into svchost.exe |
| kill | kill process |
| ver | return version information |
| print | take screenshot |
| ransom | encrypt file |
| comc | execute command using WMI |

-----

###### Changes in execution flow 1 (2022/6, v0.6.3)

SFX & DLL Side-Loading (Side-Loading → XOR decode)

-----

###### Changes in execution flow 2 (2022/6, v0.6.3)

SFX & DLL Side-Loading & BLOB (Side-Loading)

-----

###### Detailed changes for v0.6.5 (2022/6)

- Compared with v0.6.3, v0.6.5 implements a pseudo sleep function by inserting useless code
- It keeps calculating the SHA256 of a random string until a random time elapses

-----

###### New execution flow (2022/6, v0.6.5)

[https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/](https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/)

winword.exe (decoy.doc) → download 11554.htm from the CnC server → start msiexec.exe → read & decode blob.tmp in memory → execute in memory

- Side-Loading is no longer done, and it fails to achieve persistence of the LODEINFO RAT
- These changes seem to be spur-of-the-moment rather than permanent
- ☛ This is a phase of trial for evasion; the TTPs can change significantly in the future

-----

###### Insight into Threat Actor

-----

###### Insights from TTPs changes in v0.6.3

- Evolved to the 3-point set method frequently used by Chinese APT groups: 『Legitimate executable + DLL shellcode loader + Encrypted BLOB』
  - PlugX
  - ShadowPad
  - HUI Loader
- In particular, the attack technique using sfx files is very similar to the APT10 attack case reported in May 2018
- Ref.: decoy file for v0.5.9

-----

###### Investigation of decoy file information

We found 6 LODEINFO decoy files on VirusTotal.
| # | DLL shellcode loader MD5 | version | decoy file MD5 | remark |
|---|---|---|---|---|
| 1 | e7c9d5568ed5c646c410e3928ab9a093 | v0.3.5 | c031b786cb0a7479cc72d299dab2f0e3 | N/A |
| 2 | 327d8070a583bdecc349275b1f018dce | v0.3.6 | bca533b3336240bc5cc68117408debdf | N/A |
| 3 | e6979fdd5f92d68cbbf06889f52f4f32 | v0.5.6 | 1871402d3c83b2e15bf516d754458bd4 | N/A |
| 4 | cb2fcd4fd44a7b98af37c6542b198f8d | v0.5.9 | da20ff8988198063b56680833c298113 | N/A |
| 5 | a8220a76c2fe3f505a7561c3adba5d4a | v0.6.3 | bfb70a586ad1a60509dcea8839132662 | enclosed in sfx file |
| 6 | 26892038ab19c44ba55c84b20083cdbd | v0.6.3 | 025aa0aeb7ed182321bc21e5c9f44fc4 | enclosed in sfx file |

-----

###### Investigation of decoy file information (timestamps)

Showing only the timestamps of each file:

| # | first submission time for DLL (JST) | DLL compilation timestamp (JST) | version | decoy creation time (JST) | decoy last modified time (JST) |
|---|---|---|---|---|---|
| 1 | 2020/05/20 (Wed) 14:49 | 2009/02/20 (Fri) 23:27 | v0.3.5 | 2020/05/18 (Mon) 11:08 | 2020/05/19 (Tue) 12:07 |
| 2 | 2020/05/26 (Tue) 18:00 | 2009/02/21 (Sat) 03:25 | v0.3.6 | 2020/05/25 (Mon) 12:25 | 2020/05/26 (Tue) 16:20 |
| 3 | 2021/11/09 (Tue) 14:55 | 2019/01/04 (Fri) 17:18 | v0.5.6 | 2021/08/26 (Thu) 15:37 | 2021/11/06 (Sat) 05:31 |
| 4 | 2022/03/07 (Mon) 16:15 | 2021/04/16 (Fri) 02:40 | v0.5.9 | 2021/08/26 (Thu) 15:37 | 2022/03/03 (Thu) 21:21 |
| 5 | 2022/06/17 (Fri) 20:53 | 2021/08/19 (Thu) 02:58 | v0.6.3 | 2022/06/14 (Tue) 11:43 | 2022/06/14 (Tue) 11:47 |
| 6 | 2022/07/07 (Thu) 21:00 | 2021/10/24 (Sun) 01:46 | v0.6.3 | 2022/07/04 (Mon) 14:01 | 2022/07/04 (Mon) 14:01 |

Observations:

- The date and time of the first observation on VirusTotal and the last modified time of the decoy file are almost identical
- The times seem to be concentrated in the range in which humans are awake
- ☛ The surface information of the decoys has not been falsified!? This has potential for use in analysis

-----

###### Investigation of author/editor of decoy file

Authors and editors vary across decoys, and it is assumed that several people are creating information in different environments.

| # | decoy creation time (JST) | author | last modified time (JST) | last modified by |
|---|---|---|---|---|
| 1 | 2020/05/18 (Mon) 11:08 | John | 2020/05/19 (Tue) 12:07 | D3vle0 |
| 2 | 2020/05/25 (Mon) 12:25 | D3vle0 | 2020/05/26 (Tue) 16:20 | user |
| 3 | 2021/08/26 (Thu) 15:37 | D3vle0pc | 2021/11/06 (Sat) 05:31 | D3vle0pc |
| 4 | 2021/08/26 (Thu) 15:37 | D3vle0pc | 2022/03/03 (Thu) 21:21 | D3vle0pc |
| 5 | 2022/06/14 (Tue) 11:43 | Windows ユーザー | 2022/06/14 (Tue) 11:47 | Windows ユーザー |
| 6 | 2022/07/04 (Mon) 14:01 | user | 2022/07/04 (Mon) 14:01 | user |

- The decoy file used in v0.6.3 (*1) has the string "Windows ユーザー" (*2) in the Office document properties
  - It seems to be a default value, but it is rare, because usually the host's username is set
  - (*1) MD5: bfb70a586ad1a60509dcea8839132662
  - (*2) the word "ユーザー" is "user" in English

-----

###### Search and check with VirusTotal

Only 30 docx files with "Windows ユーザー" in the surface information in 3 months (search modifiers: `tag:` to specify docx files, `metadata:` to search against file metadata). After about 6 months of monitoring, only 94 files were found, indicating that this initial value is unusual.

-----

###### Environments where "Windows ユーザー" appears

-----

###### Further investigation with VirusTotal

When limited to those judged malicious by AV scans (`p:` is the number of malicious judgements by AV scan), the number of cases decreased to 2 in 3 months. Attack groups using old Office versions in Japanese-language environments to create decoy files could be very rare.
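The timestamp comparison behind the decoy-file observations above, as an added example (not the authors' own script): it measures the lag from each decoy's last modification to the loader DLL's first VirusTotal submission and tabulates the hour of day (JST) of the decoy edits, using the rows transcribed from the slide.

```python
"""Timestamp analysis over the decoy-file table on the slides (added
example, not the authors' own script).  Rows are transcribed from the
slide; all times are JST as given there."""
from datetime import datetime

FMT = "%Y/%m/%d %H:%M"
# (#, version, first VT submission of DLL, decoy creation, decoy last modified)
ROWS = [
    (1, "v0.3.5", "2020/05/20 14:49", "2020/05/18 11:08", "2020/05/19 12:07"),
    (2, "v0.3.6", "2020/05/26 18:00", "2020/05/25 12:25", "2020/05/26 16:20"),
    (3, "v0.5.6", "2021/11/09 14:55", "2021/08/26 15:37", "2021/11/06 05:31"),
    (4, "v0.5.9", "2022/03/07 16:15", "2021/08/26 15:37", "2022/03/03 21:21"),
    (5, "v0.6.3", "2022/06/17 20:53", "2022/06/14 11:43", "2022/06/14 11:47"),
    (6, "v0.6.3", "2022/07/07 21:00", "2022/07/04 14:01", "2022/07/04 14:01"),
]


def _t(s: str) -> datetime:
    return datetime.strptime(s, FMT)


def lag_hours(rows=ROWS) -> dict:
    """Hours from decoy last-modified to DLL first submission, keyed by row #.
    A negative value would mean the decoy was edited after it was already
    on VirusTotal, i.e. a timestamp that was tampered with or back-dated."""
    return {n: round((_t(sub) - _t(mod)).total_seconds() / 3600, 1)
            for n, _, sub, _, mod in rows}


def activity_hours(rows=ROWS) -> list:
    """Hour of day (JST) of every decoy creation and modification event."""
    return [_t(ts).hour for _, _, _, created, modified in rows
            for ts in (created, modified)]


def activity_window(rows=ROWS) -> tuple:
    """Earliest and latest hour of day at which the decoys were edited."""
    hrs = activity_hours(rows)
    return min(hrs), max(hrs)


def edited_after_creation(rows=ROWS) -> list:
    """Row numbers whose decoy was modified after creation: an edit trail
    that would not survive if the surface metadata had been wiped."""
    return [n for n, _, _, c, m in rows if _t(m) > _t(c)]


if __name__ == "__main__":
    for n, h in lag_hours().items():
        print(f"#{n}: {h:6.1f} h between last edit and VT first submission")
    print("edit window (JST hours):", activity_window())
```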
APT10's decoy files reported in May 2018 are among these results.

-----

###### Collection of samples containing "Windows ユーザー"

13 samples were observed under the conditions described above, 11 of which were attributed to APT groups.

| MD5 | first submission time for VT (JST) | submission filename | creation time (JST) | last modified time (JST) |
|---|---|---|---|---|
| c965bcc3b2bc3d54bc93121ae46eb0b0 | 2017/11/29 (Wed) 15:33 | 防衛省からの情報提供(最新版) 2.docm | 2017/11/29 (Wed) 15:33 | 2017/11/29 (Wed) 15:33 |
| 797b450509e9cad63d30cd596ac8b608 | 2018/01/10 (Wed) 16:18 | 2018年度(平成30年度)税制改正について.doc, 1.docx | 2018/01/09 (Tue) 12:56 | 2018/01/09 (Tue) 13:25 |
| 57228e857180205643a0e1c1b43a5c3f | 2018/01/23 (Tue) 13:45 | test.doc | 2018/01/18 (Thu) 13:45 | 2018/01/18 (Thu) 13:50 |
| fefaa0df12195fc3d90d9393ad3a7840 | 2018/01/30 (Tue) 13:55 | 世界経済アウトルック.doc | 2018/01/29 (Mon) 18:41 | 2018/01/29 (Mon) 18:55 |
| 9706c9b6c5133c2a9be5a67da069b97f | 2018/02/01 (Thu) 13:41 | [MD5 hash value] | 2017/11/29 (Wed) 15:33 | 2017/11/29 (Wed) 15:33 |
| b7b97eb5a297e8371b6964a83f4650da | 2018/02/01 (Thu) 13:45 | lmane.doc | 2017/11/29 (Wed) 15:33 | 2017/11/29 (Wed) 15:33 |
| 95b862f508bd2473012065947abc2eb3 | 2018/03/12 (Mon) 18:36 | 新旧参与会議意見書の比較.doc | 2018/03/09 (Fri) 18:05 | 2018/03/09 (Fri) 18:09 |
| e0b9a79d594e5a05a83e450e7a27637b | 2018/04/03 (Tue) 17:08 | test.doc | 2018/04/03 (Tue) 16:47 | 2018/04/03 (Tue) 16:47 |
| f82fbfb10958eb37e0d570c66c180c1b | 2018/04/03 (Tue) 19:03 | 1.docx | 2018/01/09 (Tue) 12:56 | 2018/01/09 (Tue) 13:25 |
| 82f65647ff02fb0f13880f9158acfbcd | 2018/04/26 (Thu) 18:50 | 【6月26日(火)】「三極委員会東京地域会合」ご案内2.doc.docm | 2018/04/26 (Thu) 18:49 | 2018/04/26 (Thu) 18:49 |
| 56cbbea8535c0e8ae967fcdec17db491 | 2018/05/24 (Thu) 08:02 | 確認資料 国際法務.doc | 2018/05/15 (Tue) 09:45 | 2018/05/15 (Tue) 13:06 |

- ☛ All of these decoy files were used in the APT10 operations reported in May 2018
- Possibly a reused environment, used by APT in the past, following changes in TTPs (moderate confidence)

-----

###### Diamond model for LODEINFO campaign

- Adversary
  - Believed to be China state-backed
  - There are likely to be members associated with APT10
- Capabilities
  - Custom malware (LODEINFO / MirrorFace)
- Infrastructure
  - VPS/hosting service (Vultr/CHOOPA/LINODE)
- Victims
  - Japanese defense, diplomatic, politics and media
- Social-Politics Axis
  - Motivated to attack Japanese economic organizations
- Technical Axis
  - Spear-phishing
  - DLL Side-Loading
  - Japanese decoy file
  - Using custom RAT
  - Use of IPs belonging to Japan

-----

###### Relation to Operation RestyLink

- Attack campaigns targeting Japan observed since around Oct. 2021
  - Target sectors: academic (energy), think-tank
  - Spearphishing emails lead to a URL with a malicious file
  - The attacker is not attributed
- J-CRAT reported LODEINFO emails spoofing the organization attacked by Operation RestyLink
  - "2.1" => Operation RestyLink

-----

###### Spearphishing emails that may be relevant

- Japan Productivity Center (Aug. 4th, 2022)
- Center for International Economic Collaboration (Aug. 10th, 2022)

We guess that the attacker is sending emails to people and organizations interested in economics, defense, and diplomacy.

[https://www.cfiec.jp/2022-08-07/](https://www.cfiec.jp/2022-08-07/)

-----

###### Comparison of Diamond Models

LODEINFO Campaign:

- Adversary: believed to be China state-backed; there are likely to be members associated with APT10
- Capabilities: custom malware (LODEINFO / MirrorFace)
- Infrastructure: VPS/hosting service (Vultr/CHOOPA/LINODE)
- Victims: Japanese defense, diplomatic, politics and media
- Social-Politics Axis: interest in a wide range of Japanese foundations
- Technical Axis: spear-phishing; DLL Side-Loading; Japanese decoy file; using custom RAT; use of IPs belonging to Japan

Operation RestyLink ([11]):

- Adversary: believed to be based in East Asia?
###### Infrastructure p VPS/Hosting service (Vultr/CHOOPA/LINODE) p OpenResty p Mimicking domain name ###### Capabilities p Custom Malware (LODEINFO/ MirrorFace) ###### Technical Axis p Spear-phishing p DLL Side-Loading p Japanese decoy file p Using custom RAT p Use of IPs belonging to Japan ###### Social-Politics Axis p Interest in a wide range of Japanese foundations ###### Adversary p Believed to be China state-backed p There are likely to be members associated with APT10 ###### Infrastructure p VPS/Hosting service (Vultr/CHOOPA/LINODE) ###### Victims ###### Capabilities p Downloader (LNK file, Multiple document, Golang binary) p Cobalt Strike ###### Technical Axis p Spear-phishing p DLL Side-Loading ###### Victims p Japanese company p Diplomatic field (academic, think-tank) p Japanese defense, diplomatic, politics and media p Microsoft word startup p Japanese decoy file p Use of IPs belonging to Japan ----- ###### Comparison of Diamond Models p Use of IPs belonging to Japan ###### Social-Politics Axis p Japanese diplomacy in East Asia (Also interested in politics and defense?) ###### Adversary p Believed to be based in East Asia? 
###### Infrastructure p VPS/Hosting service (Vultr/CHOOPA/LINODE) p OpenResty p Mimicking domain name ###### Victims p Japanese company ###### LODEINFO Campaign ###### Operation RestyLink ([11]) ###### Capabilities p Custom Malware (LODEINFO/ MirrorFace) ###### Technical Axis p Spear-phishing ##### ☛ p DLL Side-Loading p Japanese decoy file p Using custom RAT p Use of IPs belonging to Japan ###### Social-Politics Axis p Interest in a wide range of Japanese foundations ###### Adversary p Believed to be China state-backed p There are likely to be ###### While the specific tools used are different, members associated ###### similarities can be seen in the TTPs and areas of target interestwith APT10 Infrastructure p VPS/Hosting service (Vultr/CHOOPA/LINODE) ###### Victims p Japanese defense, diplomatic, politics and media p Diplomatic field (academic, think-tank) ----- ###### Limitation and Conclusion ----- ###### Limitation for open-source based research ###### n Fall behind p Malware samples must be posted on the Internet to be investigated p In many cases context is lost. p Difficult to follow if TTPs change significantly ###### n Without external intelligence source and contacts to gather and analyze information, only piecemeal research is possible. p It is essential to try to understand the entire campaign as much as possible. p There is a limit to what one organization can do... ----- ###### Difficulty in takedown Taking down the attacker infrastructure is the preferred means of getting ahead of attackers. ......but very difficult n Attackers choose infrastructures that are difficult to take down. n Even in cases where the message was received from LINODE, the case did not result in a takedown. 
-----
###### Difficulty in takedown

- Difficult to prove that it is a localized, targeted RAT infrastructure in the first place
  - Even if the service providers are positive about takedown, they cannot take action without hard evidence
  - What evidence of a LODEINFO CnC server could even a layman understand? 🤔
- We will continue to report abuse, but the effect of such reports is unknown.

-----
###### What we can do against the LODEINFO threat

- Generators of intelligence: provide real-time threat intelligence by monitoring open sources
  - Reproducible IoCs and signatures (“ACT”)
- Consumers of intelligence: build an organization for effective use of intelligence
  - Can you detect an intrusion based on hash values or network artifacts?
  - Can you evaluate signatures in your organization? Can they be incorporated?
  - What types of logs are being obtained?
  - How far back can an investigation be traced?

-----
###### Tips: Control DLLs by AppLocker

- Useful as a means of preventing DLL Side-Loading from signed executables
  - A methodology for users who do not add software frequently
- DLL execution by LOLBAS can also be prevented
  - rundll32.exe
  - regsvr32.exe

-----
###### Conclusion

- Sharing about the latest LODEINFO campaign
  - In v0.6.3 the TTPs have been changed to those frequently used by Chinese APT groups
  - New insight into attribution analyzed from a decoy file perspective
- Introduction of CTI and analysis methods based on open source
  - Despite the limitations of the research, threat intelligence relevant to your organization may be available more quickly than in vendor reports.
- Necessity of building an organization for effective use of intelligence
  - Efforts to take the best possible steps
  - Know your organization properly

-----
# Any Questions?
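The AppLocker tip above, written out as an added PowerShell example (not the presentation's or NFLaboratories' own material): a DLL rule collection that allows DLL loads only from the Windows and Program Files folders, dry-run against a placeholder DLL in a user-writable folder, then merged into the local policy. The rule names, file paths and the placeholder DLL are constructed assumptions.

```powershell
# Added example, not from the presentation: an AppLocker DLL rule collection
# that allows DLL loads only from the Windows and Program Files folders.
# A LODEINFO-style DLL dropped into a user-writable folder beside a signed
# executable, or loaded from there via rundll32.exe / regsvr32.exe, is then
# blocked by the DLL collection. Assumptions: Windows 10/11 Enterprise or
# Server, run as Administrator, AppIDSvc running; all paths are constructed.
Import-Module AppLocker

# Build one <FilePathRule> element; S-1-1-0 is the Everyone SID.
function New-DllPathRule {
    param([string]$Name, [string]$Path, [string]$Sid = 'S-1-1-0')
    $id = [guid]::NewGuid().ToString()
    return ('<FilePathRule Id="{0}" Name="{1}" Description="" UserOrGroupSid="{2}" Action="Allow">' +
            '<Conditions><FilePathCondition Path="{3}" /></Conditions></FilePathRule>') -f $id, $Name, $Sid, $Path
}

# Start in AuditOnly and switch to "Enabled" once the audit log shows only
# expected loads. %WINDIR%\Temp and %WINDIR%\Tasks are user-writable, so a
# production rule should carve them out with an <Exceptions> element.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Dll" EnforcementMode="AuditOnly">
    $(New-DllPathRule -Name 'Allow DLLs in the Windows folder' -Path '%WINDIR%\*')
    $(New-DllPathRule -Name 'Allow DLLs in Program Files' -Path '%PROGRAMFILES%\*')
    $(New-DllPathRule -Name 'Allow Administrators to load any DLL' -Path '*' -Sid 'S-1-5-32-544')
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'lodeinfo-dll-rules.xml'   # constructed path
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: evaluate the policy against a placeholder DLL in %APPDATA%, the
# kind of location a side-loading dropper writes to (file constructed here).
$sideLoadDir = Join-Path $env:APPDATA 'VendorApp'
New-Item -ItemType Directory -Path $sideLoadDir -Force | Out-Null
$testDll = Join-Path $sideLoadDir 'version.dll'
New-Item -ItemType File -Path $testDll -Force | Out-Null
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $testDll -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the local policy, keeping existing EXE/Script/MSI collections.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Review DLL loads the policy would block: event 8006 = audit (would have
# been blocked), 8007 = blocked in enforced mode.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 |
    Where-Object { $_.Id -in 8006, 8007 } |
    Select-Object TimeCreated, Id, Message
```

Because no allow rule covers %APPDATA%, the dry run reports the placeholder DLL as denied by default, which is exactly the side-loading case the tip targets; audit events from legitimate software under %LOCALAPPDATA% (e.g. per-user installers) show what still needs an allow rule before enforcement is switched on.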
-----
###### References (1)

- [1] JPCERT, 『Malware “LODEINFO” Targeting Japan』 (2020/02/27), https://blogs.jpcert.or.jp/en/2020/02/malware-lodeinfo-targeting-japan.html
- [2] JPCERT, 『Evolution of Malware LODEINFO』 (2020/06/19), https://blogs.jpcert.or.jp/en/2020/06/evolution-of-malware-lodeinfo.html
- [3] JPCERT, 『Further Updates in LODEINFO Malware』 (2021/02/18), https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html
- [4] macnica & T5, 『標的型攻撃の実態と対策アプローチ 第5版 日本を狙うサイバーエスピオナージの動向 2020年度』 (Realities of Targeted Attacks and Countermeasure Approaches, 5th edition: Trends in Cyber Espionage Targeting Japan, FY2020) (2021/05/21), https://www.macnica.co.jp/business/security/manufacturers/files/mpressioncss_ta_report_2020_5.pdf
- [5] macnica, 『Tracking rapid evolution? Copycat? of An APT RAT in Asia』, VB2020 (2020/09), https://vb2020.vblocalhost.com/uploads/VB2020-66.pdf

-----
###### References (2)

- [6] kaspersky, 『APT10 HUNTER RISE ver3.0: Repel new malware LODEINFO, DOWNJPIT and LilimRAT』, HITCON 2021 (2021/11), https://hitcon.org/2021/agenda/6d88317b-4d90-4249-ba87-d81c80a21382/APT10%20HUNTER%20RISE%20ver3.0%20Repel%20new%20malware%20LODEINFO%20DOWNJPIT%20and%20LilimRAT.pdf
- [7] macnica & T5, 『標的型攻撃の実態と対策アプローチ 第6版 日本を狙うサイバーエスピオナージの動向 2021年度』 (Realities of Targeted Attacks and Countermeasure Approaches, 6th edition: Trends in Cyber Espionage Targeting Japan, FY2021) (2022/06/15), https://www.macnica.co.jp/business/security/cyberespionage_report_2021_6.pdf
- [8] kaspersky, 『APT10: Tracking down LODEINFO 2022, part I』 (2022/10/31), https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i
- [9] kaspersky, 『APT10: Tracking down LODEINFO 2022, part II』 (2022/10/31), https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii
- [10] eset, 『Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities』 (2022/12/14), https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/

-----
###### References (3)

- [11] NTT Security, 『Operation RestyLink: APT campaign targeting Japanese companies』 (2022/5/13), https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies
- [12] IPA, 『サイバーレスキュー隊(J-CRAT)活動状況 [2022年度上半期]』 (Cyber Rescue Team (J-CRAT) Activity Report, First Half of FY2022) (2022/12/28), https://www.ipa.go.jp/files/000106897.pdf
- [13] LAC, 『APT攻撃者グループmenuPass(APT10)による新たな攻撃を確認』 (New Attacks by the APT Group menuPass (APT10) Confirmed) (2018/5/21), https://www.lac.co.jp/lacwatch/people/20180521_001638.html

-----
###### Appendix A: IoC - file hash (SHA-256 by type and version)

-----
###### Appendix A: IoC - network (LODEINFO CnC servers)

-----
###### Appendix B: MITRE ATT&CK

|Tactic|Technique|ID|Procedure|
|---|---|---|---|
|Resource Development|Acquire Infrastructure: Server|T1583.004|Uses a hosting service for the CnC server.|
|Initial Access|Phishing: Spearphishing Attachment|T1566.001|Delivered by spearphishing email.|
|Execution|Windows Management Instrumentation|T1047|Executes commands using WMI (comc command).|
|Execution|Command and Scripting Interpreter: Visual Basic|T1059.005|A VBA macro embedded in the document is executed and drops the malicious DLL.|
|Execution|User Execution: Malicious File|T1204.002|The user opens the malicious document and is infected.|
|Persistence|Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder|T1547.001|Sets a value in the Registry Run keys.|
|Defense Evasion|Hijack Execution Flow: DLL Side-Loading|T1574.002|A legitimate executable side-loads the LODEINFO DLL file.|
|Defense Evasion|Obfuscated Files or Information: Dynamic API Resolution|T1027.007|Windows APIs are resolved by hash (CRC32, JSHash).|
|Defense Evasion|Obfuscated Files or Information: Embedded Payloads|T1027.009|Encrypted shellcode is embedded in the malicious DLL file.|
|Defense Evasion|Deobfuscate/Decode Files or Information|T1140|An encrypted configuration is embedded in the LODEINFO malware.|
|Defense Evasion|Process Injection|T1055|Injects shellcode into svchost.exe (memory command).|
|Discovery|System Location Discovery: System Language Discovery|T1614.001|Obtains language information about the target's environment and modifies its behavior accordingly.|
|Discovery|System Information Discovery|T1082|Steals system information such as MAC address, ANSI code page and computer name.|
|Discovery|File and Directory Discovery|T1083|Can list files and directories (ls command).|
|Collection|Archive Collected Data: Archive via Library|T1560.002|Collected data is compressed with QuickLZ.|
|Collection|Screen Capture|T1113|Takes screenshots (print command).|
|Collection|Input Capture: Keylogging|T1056.001|Keylogging functionality is implemented (keylog command).|
|Command and Control|Application Layer Protocol: Web Protocols|T1071.001|Uses HTTP to communicate with the CnC server.|
|Command and Control|Encrypted Channel: Symmetric Cryptography|T1573.001|Communication with the CnC server is encrypted with AES.|
|Command and Control|Data Encoding: Non-Standard Encoding|T1132.002|Uses a customized Base64 algorithm for communication.|
|Exfiltration|Exfiltration Over C2 Channel|T1041|Uploads any file to the CnC server (recv command).|
|Impact|Data Encrypted for Impact|T1486|Encrypts files and directories (ransom command).|
|Impact|Data Destruction|T1485|Deletes any directory or file (rm command).|

-----
###### Appendix C: RAT Commands list (~ 2022)

〇: implemented. △: not yet implemented (returns the string “Not Available”).

|command|description|v0.3.2|v0.3.5|v0.3.6|v0.4.6|v0.4.9|v0.5.6|
|---|---|---|---|---|---|---|---|
|print|Take a screenshot|〇|〇|〇|〇|〇|〇|
|rm|Delete file||〇|〇|〇|〇|〇|
|ransom|Encrypt file||△|△|〇|〇|〇|
|keylog|Enable keylogging||△|△|〇|〇|〇|
|ps|Get process list||||〇|〇|〇|
|pkill|Kill process||||〇|〇|〇|
|mv|Move file|||||〇|〇|
|cp|Copy file|||||〇|〇|
|mkdir|Make directory|||||〇|〇|
|autorun|Set persistence||||||〇|
|comc|Execute OS commands using WMI||||||〇|
|config|Not yet implemented||||||△|

-----
###### Appendix D: Scripts
-----