# Cyber Threat Intelligence Research

**threatconnect.com/blog/crimsonias-listening-for-an-3v1l-user/**

## Executive Summary


January 27, 2021


[CrimsonIAS is a Delphi-written backdoor dating back to at least 2017 that enables operators to run command line tools, exfiltrate files, and](https://app.threatconnect.com/auth/threat/threat.xhtml?threat=4628848921#/)
upload files to the infected machine. CrimsonIAS is notable as it listens for incoming connections only; making it different from typical Windows
[backdoors that beacons out. The characteristics found in CrimsonIAS’s execution flow suggest a connection to Mustang Panda (aka BRONZE](https://threatconnect.com/blog/research-roundup-mustang-panda-and-reddelta-plugx-using-same-c2/)
PRESIDENT, RedDelta) PlugX samples. Based on those non-unique characteristics, ThreatConnect assesses with low confidence that
CrimsonIAS is an additional tool in Mustang Panda’s repertoire. Industry reporting assesses with varying levels of confidence that Mustang
[Panda is a Chinese espionage actor that has conducted operations in Mongolia,](https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/) [Vietnam, and Hong Kong among other locations. According](https://www.avira.com/en/blog/new-wave-of-plugx-targets-hong-kong)
to [fellow researchers, Mustang Panda targets non-government organizations (NGOs), law enforcement organizations, and political entities.](https://www.secureworks.com/research/bronze-president-targets-ngos)

## Discovery

ThreatConnect identified CrimsonIAS while hunting for XOR encrypted PlugX binaries. The CrimsonIAS backdoor is encrypted similarly to
recent MustangPanda PlugX samples, which piqued our interest.

Encrypted SHA256: acfd58369c0a7dbc866ad4ca9cb0fe69d017587af88297f1eaf62a9a8b1b74b4

Decrypted SHA256: 891ece4c40a7bf31f414200c8c2c31192fd159c1316012724f3013bd0ab2a68e

## CrimsonIAS Analysis

The developers behind CrimsonIAS wrote this backdoor using Delphi. They also added some features that changed the normal execution flow
starting with shell code embedded in the MZ header. Windows executables are not designed to execute code from the MZ header; they have a
dedicated section (outside of the MZ header) for executable code. The actor is able to work around this design choice to start execution in the
MZ header based on how we suspect the binary is loaded. This shell code calls a reflective loader function which resolves additional library
functions needed before jumping to the malware’s actual entrypoint. The binary was also XOR encrypted with a 10 byte XOR key prepended to
[the binary (T1140: Deobfuscate/Decode Files or Information). All of these are also seen in Mustang Panda’s PlugX samples.](https://attack.mitre.org/techniques/T1140/)

This backdoor spins up a listener and awaits the operator’s commands to run command line tools, exfiltrate files, and upload files to the
infected machine. Prior to spinning up the network listener, CrimsonIAS launches netsh.exe to open a port on the local machine (T1562.004:
Impair Defenses: Disable or Modify System Firewall). This sample opens port 80.


-----

## Command and Control

[When receiving network traffic, the listener’s handler first checks for the presence of the marker 0x33669966 (T1205: Traffic Signaling). If it](https://attack.mitre.org/techniques/T1205/)
matches, then the handler proceeds to parse the first 24 bytes.

The first 24 bytes make up the command header; however, only the first three DWORDs appear to be used.

The command buffer starts at offset 24 (0x18) and its content differs based upon the command code specified.

The three command codes are:

[0x6600 : Run Command (T1059.003: Command and Scripting Interpreter: Windows Command Shell)](https://attack.mitre.org/techniques/T1059/003/)
[0x7701 : Receive File (T1105: Ingress Tool Transfer)](https://attack.mitre.org/techniques/T1105/)
[0x7702 : Send File (T1041: Exfiltration Over C2 Channel)](https://attack.mitre.org/techniques/T1041/)

[A null preserving XOR encryption algorithm is used to hide the buffer’s contents (T1573.001: Encrypted Channel: Symmetric Cryptography).](https://attack.mitre.org/techniques/T1573/001/)
All of the samples found use the same single byte XOR key 0x85.


-----

## Command and Control Recreation

After reversing the backdoor’s network byte parser, we recreated parts of the command and control (C2) server to elicit responses from it. Here
the backdoor responds to our command telling it to execute “net user evil 3v1l /add”.

Notice both the sent and received responses start with 0x33669966 (0x66996633 on the network); enabling fingerprinting of the network traffic.
The response buffer reads: “The command completed successfully.”


-----

## Mustang Panda Connection

We assess with low confidence that CrimsonIAS is associated with Mustang Panda. The similarities with how the binary was packaged along
with how it’s launched are the basis for this connection.

Inspecting [Mustang Panda PlugX samples identified last year, we observed these three pertinent characteristics:](https://app.threatconnect.com/auth/threat/threat.xhtml?threat=3385723985#/)

**1 – Encrypted with a 10 byte XOR key prepended to the encrypted binary**

Figure 7 and 8 show a prepended XOR key separated by a null byte from the encrypted payload. Over the past 8 months we’ve been
monitoring this technique and, outside of this one CrimsonIAS sample, all the other uploaded samples have been the PlugX associated with
Mustang Panda. We acknowledge during the last two months of 2020 that two samples deviated from the 10 byte XOR key length; however,
the overwhelming majority used a 10 byte prepended XOR key.

**2 – Matching shell code at the start of the MZ header (minus the offset value)**

[Shell code in the MZ header is not exclusive to Mustang Panda, as tools like Cobalt Strike make use of this; however this set of bytes (shown](https://www.virustotal.com/gui/search/content%253A%257B4d%25205a%2520e8%252000%252000%252000%252000%25205B%252052%252045%252055%25208B%2520EC%252081%2520C3%2520%253F%253F%2520%253F%253F%2520%253F%253F%2520%253F%253F%2520FF%2520D3%2520C9%2520C3%2520%257D%25400/files)
in figures 9 and 10) we’ve only seen in files related to Mustang Panda over the past few months.

**3 – Exported Loader function**


-----

ot sa p es a so a e use o a e ect e oade tec que c t ey e po t u de t e a e oade Sea c g o t s e po ted
function leads to a fair number of results not tied to Mustang Panda samples; so the presence of this export is not unique enough.

Finally, we successfully launched CrimsonIAS by taking a Mustang Panda PlugX archive (complete with the DLL sideloading executable and
the sideloaded DLL) and swapping out the encrypted PlugX DLL with the encrypted CrimsonIAS DLL (T1574.002: Hijack Execution Flow: DLL
Side-Loading).

Grouping these characteristics together is the basis for the CrimsonIAS connection with Mustang Panda. The reasoning behind the low
confidence is the fact that the first two techniques should be trivial to implement/copy and that the third is not unique to Mustang Panda;
increasing the likelihood it could be a copycat, false flag, or inadvertent consistency. Additional information on organizations targeted, affected
regions, the complete payload, inbound communications, or any associated incidents would potentially help us reassess our confidence in
CrimsonIAS’ association to Mustang Panda.

## Evolution

VirusTotal shows that the first sample was uploaded back in 2018.


**DLL**
**Name** **Exports**

Dll.dll 0x42662c:
dbkFCallWrapperAddr
(1)

0x40bb34:
__dbk_fcall_wrapper
(2)

0x41d100:
ServiceMain (3)

0x41d224: CPlApplet
(4)

Dll.dll 0x42662c:
dbkFCallWrapperAddr
(1)

0x40bb34:
__dbk_fcall_wrapper
(2)

0x41d108:
ServiceMain (3)

0x41d22c: CPlApplet
(4)

Dll.dll 0x42662c:
dbkFCallWrapperAddr
(1)

0x40bb34:
__dbk_fcall_wrapper
(2)

0x41d108:
ServiceMain (3)

0x41d22c: CPlApplet
(4)

Dll.dll 0x42662c:
dbkFCallWrapperAddr
(1)

0x40bb34:
__dbk_fcall_wrapper
(2)

0x41d108:
ServiceMain (3)

0x41d22c: CPlApplet
(4)

Dll.dll 0x42662c:
dbkFCallWrapperAddr
(1)

0x40bb34:
__dbk_fcall_wrapper
(2)

0x41d108:
ServiceMain (3)

0x41d22c: CPlApplet
(4)


**L**
**O**
**P**

6

6

1

5

1


**SHA256**


**Compile**
**Time**


3bc96b4cce0dd550eeb3a563f7ef203614e36fbbbf990726e1afd5d3dcec33e1 1511835471
(2017-11-28
02:17:51)

bde63cd5c3aefed249d2610ca2ee834bde0c0ec06193119363972e3761fb3c63 1527218355
(2018-05-25
03:19:15)

194c0f6c5001b929080d700362e8d8e8009973c82d9409094af2a7ad33506228 1527218355
(2018-05-25
03:19:15)

5021a19f439d31946e61b7529f8e930ebc9829b1ab1f2274b281b23124113cb1 1527218355
(2018-05-25
03:19:15)

306175ffc59091515a8a0b211c356843f09fcb65395decd9fe72c9807c17288a 1528707090
(2018-06-11
08:51:30)


**VT First**
**Submission**

2018-05-29
08:35:59

2019-04-28
07:50:41

2018-12-11
03:16:46

2018-07-23
01:02:09

2019-05-16
10:21:16


-----

**DLL**
**Name** **Exports**

Dll.dll 0x42562c:
dbkFCallWrapperAddr
(1)

0x40bb34:
__dbk_fcall_wrapper
(2)

0x41cb80: CPlApplet
(3)

Dll.dll 0x42662c:
dbkFCallWrapperAddr
(1)

0x40bb34:
__dbk_fcall_wrapper
(2)

0x41ccc8:
ServiceMain (3)

0x41cdec: CPlApplet
(4)

Dll.dll 0x42662c:
dbkFCallWrapperAddr
(1)

0x40bb34:
__dbk_fcall_wrapper
(2)

0x41cbc4: Loader (3)


**L**
**O**
**P**

1

6

8


**SHA256**


**Compile**
**Time**


63e144fbe0377e0c365c126d2c03ee5da215db275c5376e78187f0611234c9b0 1531455240
(2018-07-13
04:14:00)

b19fea36cb7ea1cf1663d59b6dcf51a14e207918c228b8b76f9a79ff3a8de36c 1539848755
(2018-10-18
07:45:55)

891ece4c40a7bf31f414200c8c2c31192fd159c1316012724f3013bd0ab2a68e 1582792200
(2020-02-27
08:30:00)


**VT First**
**Submission**

2018-08-04
07:57:02

2019-03-30
13:00:05

2020-08-09
06:29:04


The earliest compile time found suggests this backdoor has been around since at least 2017. The three samples with the compile time 201805-25 03:19:15 are the same sample with just the listen on port number changed; probably after compilation.

Overall CrimsonIAS’s primary functionality remains consistent over the years. The primary difference lies in how the malicious code is
executed. The earlier samples relied on calling the exported function CPlApplet that would register and launch a Windows service that then
[executes the backdoor functionality (T1569.002: System Services: Service Execution). The file](https://attack.mitre.org/techniques/T1569/002/)
63e144fbe0377e0c365c126d2c03ee5da215db275c5376e78187f0611234c9b0 is an exception as the exported function CPIApplet does not
create a service but it immediately starts up the backdoor.


-----

The latest sample moved away from this technique and it now makes use of a reflective loader technique that is seen across different malware
families. This change along with the prepended XOR key and the shellcode provide hints to who might be behind this backdoor.

## Conclusion

ThreatConnect believes that Mustang Panda will continue to be active and adapt their toolset as needed to meet their objectives against
largely near-abroad targets. The backdoor, CrimsonIAS, passively awaits commands, implying that the actor has some means of
proxying/accessing the target’s network or, more likely, that the machine targeted is exposed to the public Internet. We encourage entities who
think they might have been targeted by Mustang Panda to check for the presence of programs listening for external inbound connections and
inspect further if something is found. Verify carefully as the presence of programs listening for inbound connections does not necessarily mean
that the machine is compromised.

_Naming Convention Note_

We generally abstain from adding a new name for malware and threats where other industry reporting has already done so. Two exceptions
where we may use our own naming convention:

When we are unsure whether our findings are consistent with activity sets other organizations have described and named. In this case,
we will attempt to describe the overlap and differences between those previously named sets and the activity we’re describing.
When we are describing a previously unnamed malware or threat.

The latter is the case here. Our naming convention is intended to help describe the assessed origin of the threat or malware, along with
another identifier that is specific to the entity. In this case, we are using Crimson to refer to the malware’s assessed Chinese origin, and IAS to
refer to the Internet Authentication Service (IAS) binary string previously described.

These cookies are strictly necessary to provide you with services available through our website and to use some of its features.

Because these cookies are strictly necessary to deliver the website, refuseing them will have impact how our site functions. You always can
block or delete cookies by changing your browser settings and force blocking all cookies on this website. But this will always prompt you to
accept/refuse cookies when revisiting our site.

We fully respect if you want to refuse cookies but to avoid asking you again and again kindly allow us to store a cookie for that. You are free to
opt out any time or opt in for other cookies to get a better experience. If you refuse cookies we will remove all set cookies in our domain.

We provide you with a list of stored cookies on your computer in our domain so you can check what we stored. Due to security reasons we are
not able to show or modify cookies from other domains. You can check these in your browser security settings.

We may request cookies to be set on your device. We use cookies to let us know when you visit our websites, how you interact with us, to
enrich your user experience, and to customize your relationship with our website.

Click on the different category headings to find out more. You can also change some of your preferences. Note that blocking some types of
cookies may impact your experience on our websites and the services we are able to offer.

We also use different external services like Google Webfonts, Google Maps, and external Video providers. Since these providers may collect
personal data like your IP address we allow you to block them here. Please be aware that this might heavily reduce the functionality and
appearance of our site. Changes will take effect once you reload the page.

Google Webfont Settings:

Google Map Settings:

Google reCaptcha Settings:


-----

eo a d outube deo e beds

CrimsonIAS: Listening for an 3v1l User

By ThreatConnect Research Team

ThreatConnect | Risk-Threat-Response

### Cookie and Privacy Settings

How we use cookies

Essential Website Cookies

Other external services


-----