## LuoYu: Continuous Espionage Activities Targeting Japan with the new version of WinDealer in 2021

Leon Chang, Yusuke Niwa, Suguru Ishimaru

-----

## Speakers' Bio

- Leon Chang, Malware Researcher @ TeamT5. His major areas of research include APT campaign tracking and malware analysis.
- Yusuke Niwa, Cybersecurity Researcher @ ITOCHU Corporation. He tracks threat trends including malspam, APT, and cybercrime.
- Suguru Ishimaru, Malware Researcher @ Kaspersky Lab. He researches the latest threat trends, including APT, at a global level.

-----

## AGENDA

1. Summary of LuoYu campaign in 2021
2. Anatomy of WinDealer
3. Case Studies
4. Conclusions

-----

## 01 Summary of LuoYu campaign in 2021

- The LuoYu Threat Group Overview
- Motivation: Why do we research LuoYu activity?
- Timeline of LuoYu campaign in 2021
- Target regions and industries
  - Subsidiaries of Japanese organizations in China
  - The users of a private Chinese bank

-----

## The LuoYu Threat Group Overview

-----

## The name: 蠃魚 (LuoYu)

- 蠃魚 (LuoYu) is a Chinese mythological creature.
- 蠃魚,魚身而鳥翼,音如鴛鴦,見則其邑大水。
- Translation: a fish with a pair of wings; when it appears, floods always follow.

-----

## LuoYu: group profile

- Malware: ReverseWindow, WinDealer, SpyDealer, XDealer, ShadowPad, PlugX (new updates in 2021)
- Target industries: Technology, Media, Education, Financial, MOFA, Military, Telecom, Logistics
- Origin: China
- Target areas: (map on the original slide; new updates in 2021)

-----

## Goal

- Collecting information from dissidents
- Chinese branches of Japanese companies

-----

## Timeline of LuoYu campaign in 2021

- Case 1: The users of a private Chinese bank
- Case 2: Dropper of ReverseWindow & ShadowPad
- Identified a new cross-platform backdoor, "XDealer"

-----

## 02 Anatomy of WinDealer

-----

## Malware profile: WinDealer

|Category|Description|
|---|---|
|Type|Modular backdoor|
|Naming|String prefix "Deal" in its export functions|
|First seen|2008|
|Function|Getting the victim label from a non-existent URL or non-existent domain|
|C2|C2 config; IP address generation algorithm (IPGA) (new)|
|Linked APT|LuoYu|

-----

## Hardcoded version of WinDealer

- The hardcoded version of WinDealer probably comes from the build date.
- Version format: {Main_version}.{year}.{month+day}
- We observed four versions from collected samples:
  - 16.18.1030
  - 17.19.0505
  - 18.19.0628
  - 18.20.1225 (new)

-----

## Hardcoded version of WinDealer

- Before 2016, WinDealer used a hardcoded development timestamp string as the mutex string.
- We use the mutex string prefix to distinguish the backdoor version:
  - WORK_20080729400351362402 → WinDealer 2008
  - MANAGE_20130831175600761943 → WinDealer 2013

-----

## Evolution of WinDealer

- WinDealer 2008: At first, the malware was designed to collect sensitive data from popular messaging applications in China (supports 15 commands).
- WinDealer 2013: In 2013, it supported more spying functions (supports 26 commands). The non-existent URL: "http://www.360.cn/status/getsign.asp".
- WinDealer 16.18.1030: Since 2016, WinDealer has carried a hardcoded version and includes a feature to steal Shadowsocks profiles.
- WinDealer 17.19.0505: The non-existent URL was changed to "http://www.360.cn/status/getonefile.asp".
- WinDealer 18.19.0628: The non-existent URL was changed to a non-existent domain: http://www.microsoftcom/status/getsign.asp; 48 commands.
- WinDealer 18.20.1225: The latest version of WinDealer.

-----

## In-Depth Analysis of WinDealer

- Steganography Technique
- Embedded DLL
- Collecting host information
- C2 communications
- WinDealer Related Component

-----

## Steganography Technique

- The malware contains an additional module in the resource "Bitmap", using a steganography technique to evade security products.
- The encrypted DLL is in resource ID 129.
- MD5: 76ba5272a17fdab7521ea21a57d23591

-----

## Decrypt the embedded DLL

- The embedded DLL is protected with two layers: XOR (10-byte key) and AES (16-byte key).

-----

## How to find BLOB and decrypt

- The search method is to add 0x3000 bytes from the beginning of the image, then advance 1 byte at a time and compare against the magic hex pattern to find the desired location.
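The two build-date encodings described on the version slides above (the `{Main_version}.{year}.{month+day}` string and the pre-2016 timestamp mutex) can be normalised so that samples sort onto one timeline. This is an added example, not code from the talk; the two-digit year is assumed to mean 20xx, and the digits after the date in the mutex are ignored because the slides do not explain them.

```python
# Added example: normalise WinDealer build-date identifiers for triage.
#   hardcoded version  "{Main_version}.{year}.{month+day}", e.g. "18.20.1225"
#   pre-2016 mutex     "<PREFIX>_YYYYMMDD<more digits>", e.g. "WORK_20080729400351362402"
import re
from datetime import date

VERSION_RE = re.compile(r"^(\d+)\.(\d{2})\.(\d{2})(\d{2})$")
MUTEX_RE = re.compile(r"^([A-Z]+)_(\d{4})(\d{2})(\d{2})\d*$")

# Mutex prefixes the talk maps to a generation (from the slides).
MUTEX_GENERATION = {"WORK": "WinDealer 2008", "MANAGE": "WinDealer 2013"}


def parse_version(version):
    """Return (main_version, build_date) for a hardcoded version string."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"not a WinDealer version string: {version!r}")
    main, yy, mm, dd = (int(x) for x in m.groups())
    return main, date(2000 + yy, mm, dd)  # assumption: two-digit year is 20xx


def parse_mutex(mutex):
    """Return (generation_label, build_date) for a timestamp-style mutex."""
    m = MUTEX_RE.match(mutex)
    if not m:
        raise ValueError(f"not a WinDealer timestamp mutex: {mutex!r}")
    prefix, yyyy, mm, dd = m.groups()
    label = MUTEX_GENERATION.get(prefix, f"WinDealer {yyyy} (unknown prefix {prefix})")
    return label, date(int(yyyy), int(mm), int(dd))


def build_timeline(identifiers):
    """Sort mixed version strings and mutex strings by embedded build date."""
    rows = []
    for ident in identifiers:
        if "_" in ident:
            label, built = parse_mutex(ident)
        else:
            main, built = parse_version(ident)
            label = f"WinDealer {ident} (main version {main})"
        rows.append((built, label))
    return sorted(rows)


if __name__ == "__main__":
    samples = ["18.20.1225", "WORK_20080729400351362402", "16.18.1030",
               "MANAGE_20130831175600761943", "18.19.0628", "17.19.0505"]
    for built, label in build_timeline(samples):
        print(built.isoformat(), label)
```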
-----

## The functionality of the embedded DLL

|Export function name|Description|
|---|---|
|partInitOpt|Maps the embedded functions onto the VFT so the main module can use them, as initialization|
|GetConfigInfo|Maps the embedded malware configuration data from the DLL|
|AutoGetSystemInfo|Creates many threads to collect infected device information|

-----

## Generated victim ID set in a registry key

- The victim ID format: MD5(“”)
- The malware creates a specific registry key to store the generated victim ID for use in the next execution.
- As a unique hidden trick, the victim ID is not stored as raw data: the malware converts the 4-byte victim ID into an IP address style.

-----

## Collecting host information

- Computer name
- Username
- CPU info
- OS version
- Network interface
- External IP address
- User account
- Screenshots

-----

## C2 communications

- Before sending the victim data, the malware adds a custom header to the data.
- Interesting features:
  - Getting the victim label from a non-existent domain or non-existent URL, depending on the WinDealer version:
    - http://www.360[.]cn/status/getsign.asp
    - http://www.360[.]cn/status/getonefile.asp
    - NXDOMAIN: http://www[.]microsoftcom/status/getsign.asp
  - C2 anti-tracking mechanism (new)
  - IP address generation algorithm (IPGA) (new)

-----

## Getting victim label from NXDOMAIN

-----

## C2 anti-tracking mechanism

- Uses IPGA (IP Generation Algorithm) to generate a random C2 IP address when the backdoor does not have a C2 config.
- The randomly generated IP falls within specific IP address ranges, e.g. 113.62.0.0 - 113.63.255.255 or 111.120.0.0 - 111.123.255.255.
- This mechanism prevents researchers from tracking down the real C2 IP.

-----

## C2 communications

WinDealer talks to the C2 server over a TCP/UDP socket: first the custom header followed by the RSA-encrypted generated AES key, then the custom header followed by the AES-encrypted victim data.

-----

## Data format of C2 communications (first connection)

|Offset|Description|Example (hex)|
|---|---|---|
|0x00|Magic header|06 81 DA 91 CE C7 9F 43|
|0x08|Generated victim ID||
|0x0C|Victim label|00 or 01 or 02|
|0x0D|Connection type or backdoor command ID|00 = initial connection; 01 = after initial connection; others = backdoor command ID|
|0x0E|Unknown static value|11 or 14|
|0x0F|Unknown static value|00|

-----

## Encrypted C2 communication (screenshots)

- Sending the AES key, encrypted with RSA
- C2 communication encrypted by AES
- 1-byte command in custom header + 0xD
- Backdoor divided between the EXE and the embedded DLL

-----

## WinDealer Related Component

- We have found downloaders of WinDealer in the wild since 2013.
- In addition, we found an old Windows kernel module downloader (2015 ~ 2017).
- PDB string: "Z:\O\植入相关\本地溢出\downexecdriver\bin\FAT32.pdb" (the Chinese directory names read "implant-related" and "local overflow")

-----

## WinDealer Related Component

- We discovered a WinDealer downloader that contains a legitimate domain, but the URL path is non-existent (DNS hijacking or network hijacking).
- The User-Agent is a unique "BBB," which also appears in the WinDealer RAT.

-----

## WinDealer Related Component

- There are multiple dropper/loader samples related to WinDealer.
- The malware resource "AAA" contains an encrypted payload.
- The encrypted payload is in resource ID 103.
- Ex.: The malware uses XOR to decrypt the payload, then loads the decrypted payload (WinDealer) in memory.
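A parser for the 16-byte custom header laid out in the "Data format of C2 communications" table, usable from a packet-capture or sandbox script to pull out the victim ID and the 0x0D command byte and to flag field values the slides do not document. This is an added example, not code from the talk; the sample datagram is constructed, and rendering the 4-byte victim ID as a dotted quad mirrors the "IP address style" the slides describe for the registry copy.

```python
# Added example: parse WinDealer's 16-byte custom C2 header (offsets from the slide table).
import struct
from dataclasses import dataclass

MAGIC = bytes.fromhex("0681DA91CEC79F43")   # offset 0x00, from the slide table
HEADER_LEN = 0x10
CONNECTION_TYPES = {0x00: "initial connection", 0x01: "after initial connection"}


@dataclass
class WinDealerHeader:
    victim_id: str      # offset 0x08: 4 bytes, rendered dotted-quad ("IP address style")
    label: int          # offset 0x0C: 00, 01 or 02 observed
    conn_or_cmd: int    # offset 0x0D: connection type or backdoor command ID
    static_e: int       # offset 0x0E: 0x11 or 0x14 observed
    static_f: int       # offset 0x0F: 0x00 observed
    anomalies: tuple    # field values outside what the slides document

    def describe_0x0d(self):
        return CONNECTION_TYPES.get(
            self.conn_or_cmd, f"backdoor command 0x{self.conn_or_cmd:02X}")


def parse_header(payload):
    """Return a WinDealerHeader if payload starts with the magic header, else None."""
    if len(payload) < HEADER_LEN or payload[:8] != MAGIC:
        return None
    vid = payload[8:12]
    label, conn, e, f = struct.unpack_from("<BBBB", payload, 0x0C)
    anomalies = []
    if label not in (0, 1, 2):
        anomalies.append(f"label 0x{label:02X}")
    if e not in (0x11, 0x14):
        anomalies.append(f"0x0E value 0x{e:02X}")
    if f != 0:
        anomalies.append(f"0x0F value 0x{f:02X}")
    return WinDealerHeader(".".join(str(b) for b in vid), label, conn, e, f, tuple(anomalies))


# Constructed sample datagram (not a real capture): magic, victim ID 0a0b0c0d,
# label 01, initial connection, static 11 00, then placeholder body bytes.
SAMPLE = MAGIC + bytes.fromhex("0a0b0c0d") + bytes([0x01, 0x00, 0x11, 0x00]) + b"\x00" * 16

if __name__ == "__main__":
    hdr = parse_header(SAMPLE)
    print(hdr, "->", hdr.describe_0x0d())
```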
- Screenshot on the original slide: decrypt and load WinDealer.

-----

## 03 Case Studies

-----

## Case Study 1: Fake site and app

- A phishing site and a trojanized installer impersonate a private Chinese online banking app.
- Flow: the phishing site (mirroring the bank's legitimate webpage) serves the download of a trojanized installer of the banking app (Windows, Android); the installer carries ReverseWindow, which connects to the C2 server.

-----

## Case Study 2: Drop error image for distraction

- The dropper of ReverseWindow (.error.exe) drops and executes ReverseWindow (version 2.2.2006131) together with a script (C:\ProgramData\u.bat); ReverseWindow connects to the C2 server.
- The dropper also drops a decoy (.\Error.jpg) and opens its directory to deceive and distract the user.

-----

## Case Study 2: Combined use of both proprietary and shared backdoors

- Recently, we found that LuoYu is using ShadowPad to attack unknown targets.
- On the unknown target, both ReverseWindow (version 2.2.2006131) and ShadowPad connect to the C2 server.

-----

## Case Study 3

- WinDealer version 18.20.1225, file name qbupd.exe.
- TIM (a legitimate communication tool, TIM.exe) somehow downloaded WinDealer (qbupd.exe), even though it accessed the legitimate destination of its updater.
- WinDealer was created in the startup folder: C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qbupd.exe
- Once the victim user logged in to this host, WinDealer was executed and sent stolen data over 6999/UDP to a backbone router.

-----

## Case Study 4

- WinDealer version 18.19.0628, file name version.dll.
- YoudaoDict (a legitimate tool, YoudaoDict.exe) downloaded WinDealer (version.dll), then DLL-sideloaded it and executed the embedded DLL at the end of June 2021.
- AV had detected this version of WinDealer several times; however, due to the replacement of AV in this organization, the victim host ended up compromised.
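Case Studies 3 and 4 share a detectable pattern: a legitimate updater (TIM.exe, YoudaoDict.exe) writes either an executable into the user's Startup folder or a version.dll beside itself, and the host then sends traffic on 6999/UDP or 55556/TCP into the CHINANET-BACKBONE ranges that IPGA draws from. The following correlation over constructed endpoint telemetry is an added example, not code from the talk; the event field names (`host`, `proc`, `path`, `proto`, `dport`, `dst`) are assumptions about the telemetry schema.

```python
# Added example: correlate updater file writes with IPGA-range network flows.
import ipaddress
from collections import defaultdict

IPGA_RANGES = [ipaddress.ip_network("113.62.0.0/15"), ipaddress.ip_network("111.120.0.0/14")]
C2_PORTS = {("udp", 6999), ("tcp", 55556)}            # ports observed in the talk
UPDATERS = {"tim.exe", "youdaodict.exe"}              # legitimate tools abused in the talk
STARTUP = "\\microsoft\\windows\\start menu\\programs\\startup\\"


def in_ipga_range(ip):
    """True if ip falls inside one of the ranges IPGA generates C2 addresses from."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IPGA_RANGES)


def suspicious_write(ev):
    """Return a reason if a known updater wrote a WinDealer-style artifact, else None."""
    if ev["proc"].lower() not in UPDATERS:
        return None
    path = ev["path"].lower()
    if STARTUP in path and path.endswith(".exe"):
        return f"{ev['proc']} wrote {ev['path']} to the Startup folder"
    if path.rsplit("\\", 1)[-1] == "version.dll":
        return f"{ev['proc']} wrote a side-loadable version.dll ({ev['path']})"
    return None


def correlate(file_events, flows):
    """Hosts with a suspicious updater write AND a flow to an IPGA range on a C2 port."""
    reasons = defaultdict(list)
    for ev in file_events:
        r = suspicious_write(ev)
        if r:
            reasons[ev["host"]].append(r)
    hits = {}
    for fl in flows:
        if fl["host"] in reasons and (fl["proto"], fl["dport"]) in C2_PORTS and in_ipga_range(fl["dst"]):
            hits[fl["host"]] = reasons[fl["host"]] + [f"{fl['proto']}/{fl['dport']} to {fl['dst']} (IPGA range)"]
    return hits


# Constructed telemetry (not real logs); field names are an assumed schema.
FILE_EVENTS = [
    {"host": "PC-A", "proc": "TIM.exe", "path": "C:\\Users\\u1\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\qbupd.exe"},
    {"host": "PC-B", "proc": "YoudaoDict.exe", "path": "C:\\Program Files\\YoudaoDict\\version.dll"},
    {"host": "PC-C", "proc": "TIM.exe", "path": "C:\\Users\\u3\\AppData\\Local\\Temp\\update.log"},
]
FLOWS = [
    {"host": "PC-A", "proto": "udp", "dport": 6999, "dst": "113.63.10.20"},
    {"host": "PC-B", "proto": "tcp", "dport": 55556, "dst": "111.122.7.7"},
    {"host": "PC-C", "proto": "udp", "dport": 6999, "dst": "113.63.1.1"},   # flow alone is not enough
]
```

Running `correlate(FILE_EVENTS, FLOWS)` reports PC-A and PC-B with both reasons each; PC-C is left out because a benign log write by the updater plus a flow into the range is not the chain described in the case studies.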
-----

## Public info research (Chinese BBS)

- A Chinese blog post from Feb 2019 describes a WinDealer-related infection involving an executable with the same file name (pptv(pplive)_forap_1084_9993.exe) that we observed.

-----

## Details of infection flow

- A legitimate EXE downloads WinDealer under specific conditions.

-----

## WinDealer's Initial Vector & Communication Flow

- Initial vector: a victim host running a legitimate tool and its updater requests an update from the legitimate update server, but WinDealer or its dropper is delivered from a malware-hosting server instead.
- Post exploitation (infected victim host with WinDealer):
  - Step 1: query a non-existent domain for labeling victims.
  - Step 2: send victim data to a backbone router (CN) selected by IPGA.
- LuoYu's real C2 sits in an invisible area behind the backbone router.

-----

## 04 Conclusions

-----

## Adversary, Target, Infrastructure

### Adversary capability

- LuoYu: Chinese-speaking actor
  - SIGINT technique (N/A)
  - Manipulating a legitimate software update mechanism
  - Leverage IPGA
  - Usage of DLL sideloading
  - Sending stolen data over the UDP protocol

### Target

- Target area: wide range, mainly East Asia (including Chinese branches of Japanese companies)
- Target industries: wide range
- Possible collaboration with other Chinese APT groups

### Infrastructure

- CHINANET-BACKBONE: 113.62.0.0/15 or 111.120.0.0/14 (random IP addresses)

-----

## MITRE ATT&CK Mapping

|Tactics|Techniques|Description|
|---|---|---|
|Initial Access|T1199|Trusted Relationship: Leverage SIGINT to tamper with traffic at the ISP level|
|Execution|T1059.003|Command and Scripting Interpreter: Windows Command Shell. WinDealer creates a pipe with cmd.exe|
|Persistence|T1547.001|Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder. WinDealer sets a value in the registry "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" for startup. WinDealer has been created in the startup folder: C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qbupd.exe|
|Defense Evasion|T1027.002|Obfuscated Files or Information: Software Packing. WinDealer's functions are divided between the EXE and DLL. The DLL is implemented in its own resource with encryption. Hardcoded strings / data are obfuscated in some WinDealer samples. Gathered data is XORed using a one-byte key "Y".|
||T1574.002|Hijack Execution Flow: DLL Side-Loading. WinDealer (version.dll) is side-loaded by YoudaoDict.exe (Case Study 4).|
|Discovery|T1012|Query Registry: WinDealer lists installed applications and stores configuration information in the registry.|
||T1016|System Network Configuration Discovery: WinDealer lists network adapters and their addresses|
||T1016.001|System Network Configuration Discovery: Internet Connection Discovery. WinDealer gets the public IP via "http://icanhazip.com/".|
||T1049|System Network Connections Discovery: WinDealer scans the hosts in the LAN using ICMP.|
||T1057|Process Discovery: WinDealer gets the process list.|
||T1082|System Information Discovery: WinDealer gets hostname, CPU info, OS version, MAC address and username. The backdoor command 0xD obtains the keyboard layout.|
||T1083|File and Directory Discovery: WinDealer gets a file list and metadata of specified files.|
||T1120|Peripheral Device Discovery: WinDealer gets system disk information and USB drive information.|
|Collection|T1113|Screen Capture: WinDealer can take screen captures.|
|Command and Control|T1568|Dynamic Resolution: WinDealer dynamically generates C2 IPs using IPGA.|
||T1573.001|Encrypted Channel: Symmetric Cryptography. Further communications are encrypted by AES-128 in ECB mode.|
||T1573.002|Encrypted Channel: Asymmetric Cryptography. WinDealer uses RSA-2048 during its key exchange phase.|
|Exfiltration|T1041|Exfiltration Over C2 Channel: WinDealer exfiltrates the gathered data over C2 channels.|

-----

## Countermeasures against this campaign

- Cyber hygiene matters!
  - Check before clicking links and downloading files.
- While preventing malware downloads delivered via SIGINT is very difficult, detecting and dealing with them is relatively easy.
  - Deploy AV and continuously monitor its alerts.
  - Configure the firewall for implicit denial; in the case of WFH, configuring the Windows Firewall on the host side is recommended as well.

-----

## Conclusions

- LuoYu is increasing its attack scope to companies and users in East Asia, including Japan (and their branches in China).
- Notable TTPs:
  - An arsenal with capabilities to attack multiple platforms
  - Utilization of popular shared tools (i.e., ShadowPad, PlugX)
  - Various attack vectors such as SIGINT, watering hole attacks, etc.
- LuoYu's evolution throughout 2021 indicates its potential to develop into a more sophisticated group in the future.

-----

## Reference

- https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_301_shui-leon_en.pdf
- https://www.fortinet.com/blog/threat-research/chinese-targeted-trojan-analysis
- https://blogs.jpcert.or.jp/ja/2021/10/windealer.html
- https://www.shuzhiduo.com/A/8Bz8k3Pxdx/
- https://bbs.kafan.cn/thread-2157062-1-1.html

-----

## IoCs

|No|Malware Type|Version|File Name|MD5|
|---|---|---|---|---|
|1|WinDealer|18.19.0628|version.dll|6102f77c85541d00b4c3bc95f100febc|
|2|WinDealer|18.20.1225|qbupd.exe|D9A6725B6A2B38F96974518EC9E361AB|
|3|WinDealer|18.20.1225|NewsClientPlugin.exe|76ba5272a17fdab7521ea21a57d23591|
|4|WinDealer|18.20.1225|RuntimeBroker.exe|cc7207f09a6fe41c71626ad4d3f127ce|

|C2|Domain/IP|Remarks|
|---|---|---|
|WinDealer|113.62.0.0/15, 111.120.0.0/14|Using 55556/TCP, 6999/UDP|
|WinDealer|221.195.68.71/32||
|WinDealer|122.112.245.55/32||

-----

# THANK YOU! Any Questions?

-----