### December 2020 ----- ##### Forward Earlier this year, Security Joes and Profero responded to an incident involving ransomware and the encryption of several core servers. After an extensive investigation, our team was able to discover samples of malware linked to a campaign reported on by TrendMicro[1], known as DRBControl, with links to both APT groups: APT27 and Winnti. This particular campaign revolves around attacks on major gaming companies, worldwide. **DRBControl was first reported on by TrendMicro and Talent-Jump Technologies** at the beginning of 2020 and covered an incident they responded to back in July 2019. What was interesting about this backdoor was its utilization of Dropbox as a Command and Control (C2) server. Our team discovered a very similar sample that we were able to identify as a variant of Clambling, however the sample lacked any Dropbox capabilities. As a result, it could be considered an older variant; or that the threat actors have different variants for different use cases. Alongside the discovered backdoor, we located the ASPXSpy webshell, a sample of PlugX, and Mimikatz. The initial infection vector was through a 3rd party service provider, that had been previously infected through another 3rd party service provider. ----- With regards to who is behind this specific infection chain, there are extremely strong links to APT27/Emissary Panda, in terms of code similarities, and TTPs. **APT27 is believed to be a state-sponsored Chinese APT group, focused on** cyberespionage and theft of information and data. What stood out in this incident was the encryption of core servers using BitLocker, which is a drive encryption tool built into Windows. This was particularly interesting, as in many cases threat actors will drop ransomware to the machines, rather than use local tools. Previously, APT27 was not necessarily focused on financial gain, and so employing ransomware actor tactics is highly unusual, however this incident occurred at a time where COVID-19 was rampant across China, with lockdowns being put into place, and therefore a switch to a financial focus would not be surprising. Upon writing this report, a report was released by PTSecurity[2], which covered an incident linked to APT27 where the Polar ransomware was dropped to systems, validating our belief APT27 has become more financially focused. ###### Chinese APT refocus efforts on financial gain ----- ##### INFECTION CHAIN As mentioned previously, the threat actors gained a foothold onto the company systems through a 3rd party compromise. An ASPXSpy webshell was also deployed, to assist in lateral movement. The PlugX and Clambling samples were both loaded into memory using a Google Updater executable vulnerable to DLL Side-Loading. For each of the two samples, there was a legitimate executable, a malicious DLL, and a binary file consisting of shellcode responsible for extracting the payload from itself and running it in memory. Both samples used the signed Google Updater, and both DLLs were labeled goopdate.dll, however the PlugX binary file was named license.rtf, and the Clambling binary file was named English.rtf. We also discovered a generic Mimikatz sample on the infected machine, that was not modified by the attackers before distributing it onto the machines. Additionally, we located a binary responsible for escalating privileges by exploiting CVE-2017-0213, for which the source code is publicly available. This lines up with the TrendMicro report, which mentions the discovery of the same exploit being used. APT27 has been known to use this exploit to escalate privileges in the past; with one incident resulting in a CryptoMiner being dropped to the system. This shows us that this is not the first time APT27 has turned into financially motivated attackers. ###### Links between APT27 and Winnti ----- ##### TOOL ANALYSIS Due to the extensive nature of PlugX usage among Chinese threat actors, we chose to focus our efforts on analysing the Clambling implant, as it seems to be somewhat unique to this campaign. Specifically, we discovered a different variant of the Type 2 Backdoor, confirmed initially through the exposed RTTI information – the only difference is the lack of the CMuture class in the sample we discovered. Figure 1 - VFTable Upon being loaded into memory through DLL Side-Loading, the flow of execution at first is determined by the number of arguments, rather than the content of the arguments. Before the program even queries the number of arguments, it writes the encrypted on-board configuration to the registry. In the sample we discovered, it writes it to [HKLM/HKCU]\\Software\\RCS\\Software\\ **CPanels. After the configuration has been written to the registry, the sample will** decrypt it in memory, for later use in the sample. ----- Figure 2 - Code sample Onto the argument parsing, there are a total of 4 pathways. The first pathway to execute will setup persistence and execute the DLL Side-Loading vulnerable executable with the argument 16. This triggers execution of the second pathway, which will result in the sample spawning msiexec.exe, with the argument 17, and injecting itself into it. As a result, pathway 3 will execute inside the msiexec.exe process, and this will initiate communications with the C2 server, and spawn svchost.exe with an argument based on the current process identifier, once again injecting itself into the newly created process. The 4th and final pathway will execute in svchost.exe. This pathway involves setting up a pipe between the msiexec.exe and svchost.exe process, and initializing the main backdoor features such as the keylogger, screen capture, file manager, etc. This pipe allows the attacker to send commands to the svchost.exe process, to request log files, screen captures, etc. ----- Figure 3 - Argument parsing Persistence is set up through the system services if the sample has the correct privileges, otherwise it utilizes the Run key in the registry. Once persistence has been set up, the sample will spawn another instance of itself, with the argument **16, as mentioned previously.** ----- Figure 4 - Persistence through a vulnerable executable, google update executable The injection into msiexec.exe is fairly simple, with the sample simply allocating memory in the remote suspended process, writing itself to memory, and patching the entry point to call the entry point of its injected code, passing in the argument **0x120000. Once the overwrite has been completed, the main thread will be** resumed, executing the malicious injected payload. Figure 5 - Memory allocation for the process ----- The injection into svchost.exe operates similarly, overwriting the entry point with a push and a call to the entry point of the malicious code. Inside the second msiexec.exe process, communication with the C2 server will begin. The sample of Clambling we analysed contained 3 main communication protocols: raw UDP, raw TCP and HTTP. During the investigation, we focused our analysis efforts on the TCP protocol primarily. This utilized WinSock API for communication, including WSASend and WSARecv. Figure 6 - Process injection The communication-linked function will loop until a command is received to clean up any traces from the machine, at which point the implant will remove any linked files and terminate itself. Figure 7 - Cleaning up after execution ----- There are several commands available to an attacker inside the second **msiexec.exe process. These include gathering system information such as the** current privileges (user privileges, administrator privileges, etc.) and the operating system version information, dropping/updating the current implant, and cleaning any traces of the malware from the infected machine. The clean-up functionality will remove any dropped files to the machine, remove any added registry keys, as well as services if it was running with administrator privileges. Figure 8 - Communication methods ----- **0X108** Update a value in the configuration, encrypt it, and store it in the registry While it does not utilize Dropbox as a C2 server, it is still extremely modular and allows the attacker to drop additional samples of malware to an infected machine or execute commands through a reverse shell – such as executing BitLocker to encrypt core servers. There are definitely some code overlaps between Clambling and PlugX, such as the usage of what seems to be a campaign identifier in the packets sent to and from the C2 server: 0x20160101. This same structure can be seen in PlugX samples, which could indicate the developers used source code from the PlugX remote access tool while developing Clambling. Additionally, it seems like the actors behind this particular strain are constantly updating and reworking their tools, as it is a fairly new campaign yet there are several different variants of a specific tool. ----- ##### LINKS TO THREAT ACTORS Reading through the TrendMicro report, there were 2 possible groups linked to the DRBControl campaign. APT27 and Winnti. APT27 was linked to the campaign due to the usage of the HyperBro backdoor in one of the incidents. HyperBro is typically considered to be unique to APT27, rather than a commonly shared tool such as PlugX. This could indicate that APT27 is responsible for the campaign, or that they are beginning to share tools with other cybercrime groups. **Winnti had a much stronger link to the campaign, based on similar mutexes,** and the post exploitation commands run by the attackers. The post exploitation commands included a bitsadmin call, which reached out to an IP address linked to Winnti infrastructure. bitsadmin is another Windows tool that allows for file transfers and can be used to download remote files. Additionally, Winnti are known to target computer gaming companies, so the switch from that to gambling companies is not too farfetched to believe - compared to APT27, who commonly target government organisations, defence sectors, and more. In our analysis, we found similarities between our Clambling sample, and older confirmed APT27 implants; specifically, the method of using the number of arguments to execute different functions, and the usage of DLL Side-Loading with the main payload stored in a separate file. Unfortunately, this was not enough to confirm the hypothesis that APT27 was behind this campaign, and as we did not have any other samples such as HyperBro, we decided to focus on the possibility of a Winnti link. ----- After searching for code overlap between Winnti samples and our Clambling sample, we discovered a report by Command54 on an incident that took place back in 2011, that targeted SK Communications, a South Korean tech company. The incident involved the theft of personal information of up to 35 million records and occurred due to the hijacking of a third-party server belonging to ESTSoft[5]. The server in question provided automatic updates to ESTSoft’s archive software, and when hijacked by attackers, provided an update to SK Communications systems that would enable an attacker to perform DLL Side-Loading through the legitimate archive software. Interestingly, one of the Clambling implants discovered by TrendMicro involved a patched copy of HaoZip, a Chinese alternative to WinRAR and WinZIP. ###### Relations between our findings and previous reports ----- We investigated further and came across an excerpt of the configuration block in the main sample used to infiltrate SK Communications. Figure 9 – Configuration block from SK Communication incident While it is a weak link, we discovered similarities between this configuration block and the configuration block in the Clambling backdoor. This link could indicate possible configuration structure reuse between the two samples. The main similarities between the 2 configuration blocks lie in the storage of the port just before the IP address, as well as the use of a potential time stamp and timer value. Above you can see an image of the configuration block from the SK _Communications hack, and below you can see an excerpt from the Clambling_ configuration block. Figure 10 - Clambling configuration ----- After discovering this link, we investigated the SK Communications incident a bit further. Uploading the Clambling backdoor to Intezer[6] yielded strong links to the PlugX strain of malware, and interestingly, very weak links to the SK _Communications sample._ Figure 11 - SK Configuration Structure Figure 12 - Configuration structure From there, we discovered a blog post by Kaspersky[7] which mentioned _ESTSoft had been penetrated by Winnti around the same time SK_ _Communications were hacked. As Winnti are known for compromising_ certificates for signing malware, and the SK Communications incident occurred due to a signed malicious update, it is not farfetched to believe **Winnti were responsible for the breach of SK Communications, which in turn** could hint towards Winnti being behind the Clambling backdoor. While there certainly is not as much string encryption or API obfuscation occurring in this new backdoor, it is odd that the configurations are very similar in terms of structure, and therefore we decided to share this point regardless, in hopes it can lead to further research. ----- Combining all the links we discovered during our analysis of our incident, it is not out of the question that Winnti is behind the Clambling backdoor, or at least a sub-group operating under the Winnti umbrella. The target in question is not a common target for APT27, however Winnti is known to target more niche companies such as video game development companies[8]. The configuration block itself has links to an incident back in 2011 that can be linked to Winnti through TTPs and the fact they had infiltrated the company which had their software altered and dropped onto SK Communications systems resulting in the compromise. Additionally, looking at the Winnti infrastructure overlap TrendMicro were able to identify in their report, it is even clearer. However, attribution is not simple to do. Based on the small number of samples we found in the incident, we are only able to speculate at this point. Aside from a sample of PlugX, MimiKatz, Clambling, and two UAC bypass exploits used by the attackers, we did not have much more to go on in terms of Post Exploitation tools. We hope by sharing our research, we can help generate more research on this particular group, and any links they may have to other campaigns, both new and old. ----- ##### REFERENCES 1. https://documents.trendmicro.com/assets/white_papers/wp-uncoveringDRBcontrol.pdf [2. https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/](https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransom) [incident-response-polar-ransomware-apt27/](https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransom) [3. https://labs.k7computing.com/?p=20808](https://labs.k7computing.com/?p=20808 ) 4. https://media.kasperskycontenthub.com/wp-content/uploads/ sites/43/2013/04/20082912/C5_APT_SKHack.pdf [5. http://www.estsoftinc.com/](http://www.estsoftinc.com/ ) 6. https://analyze.intezer.com/analyses/be4ba3bc-70a2-43ba-b4c91f0818fde8c9 7. https://securelist.com/winnti-faq-more-than-just-a-game/57585/ 8. https://attack.mitre.org/groups/G0044/ ----- ##### IOCs **Binaries** **TYPE** **FILE** **NAME** **LEGITIMATE SIGNED** **GOOGLEUPDATE** debug.exe **SIDELOADED MALICIOUS** goopdate.dll **GOOPDATE.DLL** **ENCRYPTED CLAMBLING** English.rtf **PAYLOAD** **ENCRYPTED PLUGX** license.rtf **PAYLOAD** **C2s** **http://www.kkxx888666[.]com** **http://www.betwln520[.]com** ----- ##### YARA Rules Our YARA rules are publicly available at: [https://github.com/Profero-SecurityJoes/yara](https://github.com/Profero-SecurityJoes/yara) ``` rule clambling_backdoor { meta: author = "Daniel Bunce | SecurityJoes" description = "Detect Clambling Backdoor through Strings and Keylogger Encryption Algorithm" ``` strings: $str0 = "[%02d:%02d:%02d %04d-%02d-%02d ] |%s | %s | %s" wide $str1 = "%s | [%04d-%02d-%02d %02d:%02d:%02d] | %s | %s " wide $str2 = "%s\\*.log" wide $str3 = "GetRawInputData" $str4 = "RegisterRawInputDevices" $str5 = "WTSEnumerateSessionsW" $str6 = "CreateEnvironmentBlock" $str7 = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" $str8 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide $rtti1 = "PortMap" nocase $rtti2 = "KeyLog" nocase $rtti3 = "Telnet" nocase $rtti4 = "Screen" nocase $rtti5 = "Shell" nocase $rtti6 = "FileManager" nocase $rtti7 = "Plugin" nocase $re1 = /\x80([\xC0-\xFF])(.)\x80([\xC0-\xFF])(.)\x80([\xC0-\xFF]) (.)/ ``` condition: ``` uint16(0) == 0x5A4D and 3 of ($str*) and any of ($rtti*) and $re1 ``` } ``` ----- ###### APT27 Turns to Ransomware | ###### Global Threat Center, Intelligence Team -----