5/27/2019 Saber Lions Organization (APT-C-38) Attacks Uncovered - 360 Core Security Technology Blog blogs.360.cn/post/analysis-of-APT-C-38.html 1/12 Saber Lions Organization (APT-C-38) Attacks Uncovered blogs.360.cn/post/analysis-of-APT-C-38.html May 27, 2019 Saber lion organization (APT-C-38) attack activity revealed I. Overview Since July 2015, the Army Lions Organization (APT-C-38) has launched an organized, planned and targeted uninterrupted attack in the Middle East. Its attack platform is Windows and Android. Up to now, 360 Beaconlab has captured 25 Android platform attack samples, 4 Windows platform attack samples, and 16 C2 domain names. In May 2018, Kaspersky security vendor published the report " Who's who in the Zoo ", the first time to disclose the organization as an unaffiliated espionage organization focused on the Middle East target, and named ZooPark, the attack weapon involved contains four iterations The version of the Android-side RAT, load delivery methods include puddles and Telegram channels. In 2019, 360 Campfire Lab captured the latest attack activity of the Saber Lions organization. In addition to discovering Android-side attacks, it also found that the organization had Windows-side attacks, and the Android-side RAT still belongs to the fourth generation. We combine the geopolitical factors of the APT attack, the language used by the attacking organization, and the historical attack activities initiated by the organization. The analysis considers the organization to be an APT organization in the background of a country in the Middle East in West Asia. In addition, we would like to thank our brother team----360 Advanced Threat Response Team for the completion of the Windows side RAT content of this report. Because of the main target of the Saber-Like organization, the Kurdish target is a Kurdish country in the Middle East and West Asia. In addition, the Windows side RAT contains multiple "Saber" under the PDB path, and the Asian lion is the representative animal of the Middle East. Some of the other characteristics of the organization and the 360 naming rules for the APT organization, we named the organization the Saber Lion (APT-C-38). http://blogs.360.cn/post/analysis-of-APT-C-38.html https://securelist.com/whos-who-in-the-zoo/85394/ 5/27/2019 Saber Lions Organization (APT-C-38) Attacks Uncovered - 360 Core Security Technology Blog blogs.360.cn/post/analysis-of-APT-C-38.html 2/12 Figure 1.1 The time of the key attack activity of the saber lion Second, load delivery and network infrastructure The way the saber lion organizes the payload delivery is mainly the puddle attack and the Telegram channel. It should be noted that after the organization was first leaked in early May 2018, the attacking organization used a new batch of network infrastructure at the end of the month. - Puddle attack Two Arab news newspaper websites (Annahar, Kuwait and Al-Nahar, Egypt), which are popular in the Middle East, have been found to have been used by the organization for puddle attacks. 5/27/2019 Saber Lions Organization (APT-C-38) Attacks Uncovered - 360 Core Security Technology Blog blogs.360.cn/post/analysis-of-APT-C-38.html 3/12 Figure 2.1 Egypt Al-Nahar website - Telegram channel In addition to the above two puddle attacks against the designated Arab countries in the Middle East, we also found that the organization used the Telegram channel to spread the Kurdish people in the Middle East when attacking its main target (such as the election of the Kurdistan Province before the Islamic Parliament). Attacks and attacks in the Kurwana Nanda quarter of Kurdistan Province, etc.). Figure 2.2 Telegram channel against the Kurdish provincial elections before the Islamic Parliament - Network infrastructure To date, the Saber Lions organization has used multiple network infrastructures. Table 1 Network infrastructure used by the Army Lions organization Rhubarb2.com C2 server IR'Sanan daj +98.9303938251 Pilton86 @yahoo.‐ com 6614478527 Rhubarb3.com C2 server Privacy‐ Protect PrivacyProtect Privacy‐ Protect PrivacyPro‐ tect Androidup‐ daters.com Intermediate service(im‐ age) IR'Tehran +98.2188561212 Asghark‐ hof@gma il.com 9865214523 Dlgmail.com Intermediate service(im‐ age) IR'Tehran +98.2188888299 Silent.c‐ ity2020@ mail.com 1663976888 mailto:pilton86@yahoo.com mailto:asgharkhof@gmail.com mailto:silent.city2020@mail.com 5/27/2019 Saber Lions Organization (APT-C-38) Attacks Uncovered - 360 Core Security Technology Blog blogs.360.cn/post/analysis-of-APT-C-38.html 4/12 Dlstubes.com Intermediate service(im‐ age) IR +98.8877588798 Bold‐ man.sam @mail.‐ com 1558738817 Googleupda‐ tors.com Intermediate service(im‐ age) IR +98.8877588798 Bold‐ man.sam @mail.‐ com 1558738817 Adobeactive‐ updates.com Intermediate service(im‐ age) IR +98.8877588798 Bold‐ man.sam @mail.‐ com 1558738817 Adobeseup‐ dater.com Intermediate service(im‐ age) IR'Tehran +98.2177888991 Bold‐ man.sam @mail.‐ com 11155679 Dlstube.com Intermediate service(im‐ age) IR'Tehran +98.2122694575 Kimkallia n@gmail. com 1771798635 Adobeactive‐ update.com Intermediate service(im‐ age) IR'Tehran +98.9106145178 Sirus_viru s6688@y ahoo.com 2417682380 5.61.27.154 Null Null Null Null Null 5.61.27.157 Null Null Null Null Null 5.61.27.173 Null Null Null Null Null 91.109.23.175 Null Null Null Null Null It should be noted that on May 23, 2018, a new batch of network infrastructure was applied. The latest mobile attack load was deployed in one of the servers in March 2019. There are 4 intermediate servers and 3 of them. It still survives and resolves to the same IP, and these servers act as intermediate servers for the PC and mobile RATs. mailto:boldman.sam@mail.com mailto:boldman.sam@mail.com mailto:boldman.sam@mail.com mailto:boldman.sam@mail.com mailto:kimkallian@gmail.com mailto:sirus_virus6688@yahoo.com 5/27/2019 Saber Lions Organization (APT-C-38) Attacks Uncovered - 360 Core Security Technology Blog blogs.360.cn/post/analysis-of-APT-C-38.html 5/12 Figure 2.3 A batch of network infrastructure newly deployed by the Saber Lions organization in the month after being disclosed Third, the way of induction The Saber lion organization mainly uses the following two induction methods in this operation: - Camouflage with normal APP function For better avoidance, it is noticed that in addition to masquerading the file icon, the normal APP interface will be displayed when the RAT starts. Currently, the four-initiative version of the Android RAT will display the normal interface after running, but Espionage in the background is turned on at runtime or when a specified broadcast is received. 5/27/2019 Saber Lions Organization (APT-C-38) Attacks Uncovered - 360 Core Security Technology Blog blogs.360.cn/post/analysis-of-APT-C-38.html 6/12 Figure 3.1 Second and fourth generation Android RAT post-run demonstration examples - File icon camouflage Figure 3.2 Disguised application software icon Fourth, RAT attack sample analysis As of now, the Saber has been using different RATs for Android and Windows platforms. After analysis, we believe that the latest Android RAT and PC RAT should be purchased from the same commercial development organization, one of the developers nicknamed "Apasec ". - Android The Android side uses a total of four iterations of the RAT. In this report, we only introduce the fourth-generation RAT used by the latest attack activities. We are called UnitMM. The RAT is currently only available in the saber lion organization. For other versions of the RAT, refer to the information. The Kaspersky Security Vendor Report mentioned earlier in this report. 5/27/2019 Saber Lions Organization (APT-C-38) Attacks Uncovered - 360 Core Security Technology Blog blogs.360.cn/post/analysis-of-APT-C-38.html 7/12 The fourth generation RAT of the UnitMM Saber Lion organization. We named it UnitMM based on the class name and database name used by the RAT. The latest version of UnitMM controls dozens of feature configurations to steal SMS, contacts, geolocation, browser bookmarks and search history, clipboard information, externally specified application data, capture photos/video/audio A variety of malicious behaviors. In addition, UnitMM can also interact in response to specified instructions from C2. Table 2 C2 instruction and function correspondence table 2 Update malicious feature configuration 4 Execute shell command 6 Compress and save the specified file/folder to the default directory 8 Write the task content to a temporary zip file, extract all the content from it and delete it 10 Copy the specified file/folder to the specified directory 12 Move the specified file/folder to the specified directory 14 Rename the specified file/folder 16 Delete specified file/folder 18 Create the specified directory 20 Silently send the specified content message to the specified number twenty two Dial the specified number twenty four Get the file list information under the specified path and save it to the default directory 26 Update intermediate server (C2 steganographic picture) list - Windows A RAT has been discovered on the Windows side. We have been named SpecialSaber. The RAT is currently only available in the Army Lions organization, with a total of four. SpecialSaber This is a RAT that has not been exposed before. According to the directory name under the latest version of the PDB path, we are named SpecialSaber. It has detection and killing (including Bitdefender, Kaspersky, Avira, Avast, AVG, ClamWin, ESET, Norton, McAfee, Panda, Symantec), stealing a variety of browser information, a variety of mailbox information, user account information, disk file information, etc. With a variety of malicious behaviors such as keyloggers and screenshots. After stealing various information, it will be saved in the file's own working directory. The file name is randomly generated š string, and the file is stored in the specified format. 5/27/2019 Saber Lions Organization (APT-C-38) Attacks Uncovered - 360 Core Security Technology Blog blogs.360.cn/post/analysis-of-APT-C-38.html 8/12 Figure 4.1 Example of a screenshot file stored in a uniform format Table 3 Table of some file type values and file meanings 1 Screenshot, jpeg format 2 A list of all files for each drive, including directory, file name, file size information 3 Keylogger 4 Account password information for FireFox, Chrome, IE, Opera, Safari, Thunder‐ bird, Outlook 5 History of FireFox, Chrome, IE, Opera, Safari 6 Bookmark information for FireFox, Chrome, IE, Opera, Safari 7 Yahoo Messenger account password information 8 User account list and details for each account 9 Logical drive size, free space and drive letter 10 Complete TCP/IP configuration for all adapters 14 Zip compressed file twenty four Detailed configuration information of the operating system, including soft kill in‐ formation, product ID, hardware attributes, etc. In addition, SpecialSaber can also interact in response to specified instructions from C2. Table 4 Part C2 instruction and function correspondence table 3 Create the specified directory 4 Rename the specified file/folder 6 file download 5/27/2019 Saber Lions Organization (APT-C-38) Attacks Uncovered - 360 Core Security Technology Blog blogs.360.cn/post/analysis-of-APT-C-38.html 9/12 7 File compression encryption (Zip, AES) 10 Get account password information for FireFox, Chrome, IE, Opera, Safari, Thunder‐ bird, Outlook 11 Get bookmark information for FireFox, Chrome, IE, Opera, Safari 12 Get the history of FireFox, Chrome, IE, Opera, Safari 14 Get the name of the uninstaller list 16 Get the size of the logical drive, the remaining space and the drive letter 17 Get full TCP/IP configuration for all adapters 18 Get a list of user accounts and details for each account 25 Get Yahoo Messenger account password information - Suspected to be purchased from the same commercial development company By comparing the UnitMM RAT on the Android side with the SpecialSaber RAT on the Windows side, we see that the two adopt a similar approach in the C2 communication link, and the information stolen by the two has a special commonality. We think that the two should come from the same business. Development organization. In addition, we found a developer named "Apasec" in the path of a PDB. We found that the name appeared in the C2 panels of the organization's mobile terminal many times. This finding further verifies our judgment. V. Distribution of the attacked area Up to now, 360 Campfire Labs has found that there are 7 countries affected by the attack of the Saber Lions, of which Iran is the most affected. This is related to the attack on the Kurds who found the country during our analysis. It doesn't matter. Figure 5.1 Distribution of the attacked area 5/27/2019 Saber Lions Organization (APT-C-38) Attacks Uncovered - 360 Core Security Technology Blog blogs.360.cn/post/analysis-of-APT-C-38.html 10/12 Sixth, the attacker portrait Based on the attacker's special attacks on the attack, the language used, and the geopolitical factors of the APT attack, we summarized the following views of the attack organization: Familiar with Persian, Arabic, with Persian being the most frequently used. It is mainly aimed at Kurdish people in a certain province in the Middle East in West Asia. It can deploy attacks on activities at certain moments in real time and even in advance, and it also targets several Arab countries in the Middle East. APT attacks are mostly based on internal and geopolitical factors (national or hostile). From the perspective of the victim's background and the duration of the attack, the target of the attacker's focus is significant at the political and strategic level and lasts longer. In summary, 360 Campfire Lab believes that the attacker is an APT organization from a country in the Middle East in West Asia. Seven, summary In recent years, we have seen that APT attacks have evolved with the times. The PC side is no longer a unique target. More and more attack organizations will also use the mobile end as another necessary target for attacks, and even invest frequently. The cyber war under the background of some countries in the Middle East and the Asia- Pacific region. APT attacks are developing rapidly, especially the development of mobile attacks. We have seen that some of the attacking organizations in the past few years are still relatively rudimentary. Even some security vendors use kittens and other names to name them to show low respect for the attacking capabilities of the corresponding attacking organizations. However, as the attack gains value and the attack organization increases its investment, we see that the attack is more and more complex, and the pertinence and effectiveness are getting stronger. If the former kitten is used as an example, it is like a young one. The kitten gradually became a mature lion. This saber lion organization is undoubtedly a typical representative of the development of APT attacks. Based on the special background of the organization and the current situation of its affiliated countries, we believe that the organization's attack may have a new round of changes. Appendix A: Sample MD5 5/27/2019 Saber Lions Organization (APT-C-38) Attacks Uncovered - 360 Core Security Technology Blog blogs.360.cn/post/analysis-of-APT-C-38.html 11/12 Android攻击样本MD5 Windows攻击样本MD5 0745b0957aab92b6a09645e076b4f339 5b0431bbebdc48d2fa37882f7343b011 1874aa71c9b13eec5b587e8ed6a71606 31edb7591bfeeb72e0652c17781640af 191cc5d165472ae19e665821be71c282 58cc3935fbfdb2990304b99fbb919dad 232bd3dde6914db0a3dbfc21ed178887 848193568a48f5742135667e9842890a 2d91f7d1eb0d32ece0a8b1715a70b4cd 345c2325dd633099f29b6d7141a4703d 451ff729eaa1cf26943a812cd37eb4ac 4d8ddec9243bc6ac0419c561fe413cfc 519018ecfc50c0cf6cd0c88cc41b2a69 5ad36f6dd060e52771a8e4a1dd90c50c 5efddd7f0fc2125e78a2ca18b68464ec 699a7eedd244f402303bcffdee1f0ed1 6a388edbce88bb0331ae875ceeb2f319 73b0a3cae8510dd2efeca7d22f730706 7b530999847bbf43e7d6cbb76da684ae 7d7ad116e6a42d4e518378e2313e9392 a7d00c8629079f944b61c4dd5c77c8fb a856f9de281cadad7142828dda3843b4 ac4402e04de0949d7beed975db84e594 b44b91b14f176fbf93d998141931a4aa b714b092d2f28fcf78ef8d02b46dbf9c c7e4d75caa8e07847e47eadce229c288 cb67abd070ae188390fc040cbe60e677 e2f62b5acf3795a62e9d54e1301c4e7b ec5a6f0e743f4b858aba9de96a33fb0c Appendix B: C&C rhubarb2.com rhubarb3.com androidupdaters.com dlgmail.com dlstubes.com googleupdators.com adobeactiveupdates.com adobeseupdater.com dlstube.com adobeactiveupdate.com 5.61.27.154 5.61.27.157 5.61.27.173 91.109.23.175 solar64.xp3.biz entekhab10.xp3.biz Appendix C: PDB C:\Users\apasec110\Desktop\Saber1\client\Saber1-Develop\Release\Saber1- Dev.pdb C:\Users\apasec110\Desktop\Saber1\client\editing saber\Saber1-Develop- changed\Release\Saber1-Dev.pdb C:\Users\M&M\Desktop\Saber1\Special-Saber1-Windows-Client- binder_backup(last stable socket communication)\Release\Saber1-Dev.pdb C:\Users\M&M\Desktop\Saber1\Special-Saber1-Windows-Client- binder_backup\Release\Saber1-Dev.pdb Appendix D: Reference Links 5/27/2019 Saber Lions Organization (APT-C-38) Attacks Uncovered - 360 Core Security Technology Blog blogs.360.cn/post/analysis-of-APT-C-38.html 12/12 [1] https: [2] https: [3] https: [4] https: [5] https: This article links: http://blogs.360.cn/post/analysis-of-APT-C-38.html -- EOF -- Author published in 2019-05-27 10:15:30 , added classification under and added ' ' label, last modified 2019-05-27 11:04:14 360烽火实验室(360 Beaconlab) 移动端技术 android 平台 APT Android 360mobile http://blogs.360.cn/post/analysis-of-APT-C-38.html http://blogs.360.cn/author/zhanghao-ms http://blogs.360.cn/cate/%E7%A7%BB%E5%8A%A8%E7%AB%AF%E6%8A%80%E6%9C%AF http://blogs.360.cn/cate/android%E5%B9%B3%E5%8F%B0 http://blogs.360.cn/cate/apt-report http://blogs.360.cn/cate/Android http://blogs.360.cn/tag/360mobile