# ChessMaster Adds Updated Tools to Its Arsenal

**[Posted on: March 29, 2018](https://blog.trendmicro.com/trendlabs-security-intelligence/2018/03/)** at 5:00 am **[Posted in: Targeted Attacks](https://blog.trendmicro.com/trendlabs-security-intelligence/category/targeted_attacks/)** **[Author: Trend Micro](https://blog.trendmicro.com/trendlabs-security-intelligence/author/trend-micro/)**

**_by Tamada Kiyotaka and MingYen Hsieh_**

[Trend Micro discovered the ChessMaster campaign back in July 2017](https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/) as part of our monitoring efforts to protect our customers. At the time, we found ChessMaster targeting different sectors, from the academe to media and government agencies in Japan. The threat group used a variety of attack tools and techniques to spy on their target organizations. Back then, we noted that ChessMaster’s sophisticated nature implied that the campaign could evolve, and a few months later we did find changes in the tools and tactics used in the campaign.
While the original campaign was comprehensive and used remote access Trojans (RATs) such as ChChes and RedLeaves, this new campaign used a new backdoor (detected by Trend Micro as BKDR_ANEL.ZKEI) that leverages the [CVE-2017-8759](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8759) vulnerability for its cyberespionage activities.

| | Campaign | ChessMaster Campaign | Campaign |
|---|---|---|---|
| Point of Entry | Spear-phishing emails containing decoy documents; malicious shortcut (LNK) files and PowerShell; self-extracting archive (SFX); runtime packers | Spear-phishing emails containing decoy documents exploiting CVE-2017-8759 | Spear-phishing emails containing decoy documents exploiting CVE-2017-11882, DDEAUTO, Microsoft Office Frameset and Link auto update |
| Notable Tools | Hacking tools; second-stage payloads | Koadic; hacking tools; second-stage payloads | Koadic; hacking tools; second-stage payloads |
| Backdoor | ChChes | ANEL | ANEL |
**_Technical Analysis_**

… campaigns that involved the use of an email with an attached malicious document using the doc, docx, rtf, csv and msg formats. The email title and attached file name were written in Japanese and contain general business, political, and economy-themed phrases such as:

- 世界経済 (World economy)
- 経済政策 (economic policy)
- 予算概算要求 (budget estimation request)
- 日米対話 (Japan-US dialogue)
- 安倍再任 (re-appointment of Prime Minister Abe)
- 連絡網 (contact network)
- 職員採用案 (staff recruitment plan)
- 会議 (meeting)

However, there is a change in the exploit document. When we tracked ChessMaster back in November, we noted that it exploited the SOAP WSDL parser vulnerability [CVE-2017-8759](https://blog.trendmicro.com/trendlabs-security-intelligence/microsoft-office-zero-day-vulnerability-addressed-september-patch-tuesday/) (patched in September 2017) within the Microsoft .NET Framework to download additional malware.
While ChessMaster still uses the previous exploit, it also added more methods to its arsenal: one exploits another vulnerability, [CVE-2017-11882](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/17-year-old-ms-office-flaw-cve-2017-11882-actively-exploited-in-the-wild) (patched in November 2017), which was also [exploited to deliver illegal versions of the Loki infostealer](https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-11882-exploited-deliver-cracked-version-loki-infostealer/).

_Figure 2. Exploitation of CVE-2017-11882_

It also abuses three legitimate MS Office functions:

| Function | Purpose | Affected MS Office formats we found in the wild |
|---|---|---|
| Automatic Dynamic Data Exchange (DDEAUTO) | A legitimate Microsoft Office function used in an Office file to retrieve data from another Office file | .doc, .rtf, .msg |
| Link Auto Update | An Office function used for automatic and user-free updates for embedded links | .csv |
| Frames/Frameset | … frame within Microsoft Word | |

_Figure 3. Exploitation of DDEAUTO_

_Figure 4. Abusing Microsoft Word’s “Frames/Frameset”_

_Figure 5. Exploitation of Link Auto Update_
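All three abused features leave recognisable traces inside the document itself: a field instruction that begins with DDEAUTO (or DDE), a LINK field carrying the `\a` switch that makes Word refresh the link when the file is opened, and, for framesets, a `w:frameset`/`w:sourceFileName` entry in `word/webSettings.xml` whose relationship points at an external target. The script below is an added example for defenders, not code from the post or from Trend Micro; it checks RTF and DOCX files for all three. The sample RTF and DOCX it scans are constructed for the demonstration, and the binary .doc and .msg containers the post also lists are outside its scope.

```python
"""Static checks for the three Office features the post says ChessMaster's decoy
documents abused: DDEAUTO fields, LINK fields that update automatically, and a
Word frameset that pulls in an external source file.

Added example, not code from the post or from Trend Micro. The RTF and DOCX
samples built below are constructed for the demonstration. Only RTF and DOCX
are parsed; the binary .doc/.msg containers the post also lists are out of scope."""
import html
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Word field syntax: a DDE or DDEAUTO keyword starts a Dynamic Data Exchange field.
DDE_FIELD = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)
# LINK field whose switches include \a: Word refreshes the link when the file opens.
LINK_AUTO_UPDATE = re.compile(r"\bLINK\b.*?\\a(?![A-Za-z])", re.IGNORECASE)
# RTF control words and group braces, removed to leave the bare field instruction.
RTF_CONTROL = re.compile(r"\\[A-Za-z]+-?\d* ?|[{}]")
INSTR_TEXT = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.DOTALL)
FLD_SIMPLE = re.compile(r'<w:fldSimple[^>]*\bw:instr="([^"]*)"')


def check_field_instruction(instr: str) -> list[str]:
    """Findings for one Word field instruction string."""
    text = " ".join(instr.split())
    findings = []
    if DDE_FIELD.search(text):
        findings.append("DDE field: " + text)
    if LINK_AUTO_UPDATE.search(text):
        findings.append("LINK field with automatic update: " + text)
    return findings


def rtf_field_instructions(rtf: str) -> list[str]:
    """Text of every \\fldinst group in an RTF document, up to its \\fldrslt."""
    instrs = []
    for m in re.finditer(r"\\fldinst(.*?)(?=\\fldrslt|$)", rtf, re.DOTALL):
        body = m.group(1).replace("\\\\", "\x00")  # protect escaped backslashes (paths, \a switch)
        instrs.append(RTF_CONTROL.sub(" ", body).replace("\x00", "\\"))
    return instrs


def docx_field_instructions(xml: str) -> list[str]:
    """Field instructions in a WordprocessingML part. Word splits a complex field's
    instruction across several w:instrText runs, so they are joined per field."""
    instrs = []
    for segment in xml.split('w:fldCharType="begin"')[1:]:
        runs = INSTR_TEXT.findall(segment.split('w:fldCharType="end"')[0])
        if runs:
            instrs.append(html.unescape("".join(runs)))
    instrs.extend(html.unescape(i) for i in FLD_SIMPLE.findall(xml))
    return instrs


def docx_frameset_sources(web_settings_xml: str, rels_xml: str) -> list[str]:
    """Targets of w:frame/w:sourceFileName entries in word/webSettings.xml."""
    if "<w:frameset" not in web_settings_xml:
        return []
    rels = {r.get("Id"): r.get("Target") for r in ET.fromstring(rels_xml)} if rels_xml else {}
    rids = re.findall(r'<w:sourceFileName[^>]*\br:id="([^"]+)"', web_settings_xml)
    return [rels.get(rid, rid) for rid in rids]


def scan_document(filename: str, data: bytes) -> list[str]:
    """Scan one RTF or DOCX blob; returns human-readable findings (empty if clean)."""
    findings = []
    if data.lstrip().startswith(b"{\\rtf"):
        for instr in rtf_field_instructions(data.decode("latin-1")):
            findings.extend(check_field_instruction(instr))
    elif zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            for part in sorted(names):
                if part.startswith("word/") and part.endswith(".xml") and "/_rels/" not in part:
                    for instr in docx_field_instructions(z.read(part).decode("utf-8")):
                        findings.extend(check_field_instruction(instr))
            rels_name = "word/_rels/webSettings.xml.rels"
            if "word/webSettings.xml" in names:
                rels = z.read(rels_name).decode("utf-8") if rels_name in names else ""
                web = z.read("word/webSettings.xml").decode("utf-8")
                for target in docx_frameset_sources(web, rels):
                    findings.append("frameset loads external source: " + target)
    return [f"{filename}: {f}" for f in findings]


# Constructed sample: RTF decoy with a DDEAUTO field pointing at a spreadsheet.
SAMPLE_RTF = (r'{\rtf1\ansi{\field{\*\fldinst{DDEAUTO EXCEL "C:\\constructed\\quarterly.xlsx"'
              r' "Sheet1!R1C1"}}{\fldrslt{decoy text}}}}')
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def build_sample_docx() -> bytes:
    """Constructed DOCX: one LINK field with the \\a switch plus an external frameset."""
    document_xml = (
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> LINK Excel.Sheet.12 </w:instrText></w:r>'
        '<w:r><w:instrText xml:space="preserve">"C:\\constructed\\budget.xlsx" "Sheet1!R1C1" \\a \\p </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>decoy text</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
    web_settings_xml = (
        f'<w:webSettings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
        '<w:frameset><w:frame><w:sourceFileName r:id="rId1"/></w:frame></w:frameset></w:webSettings>')
    rels_xml = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{R_NS}/frame" '
        'Target="http://example.invalid/constructed-frame.docx" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/webSettings.xml", web_settings_xml)
        z.writestr("word/_rels/webSettings.xml.rels", rels_xml)
    return buf.getvalue()
```

To triage a quarantined attachment, read its bytes and pass them to `scan_document`; a clean file returns an empty list. The DDE rule fires on any DDE field, malicious or not, because the function itself is legitimate (as the table notes), so treat a hit as a reason to look closer rather than as a verdict.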
ChessMaster can utilize any of these methods to download the next malware in the chain, the open source post-exploitation tool known as “Koadic,” which the previous campaign also used. This tool is responsible for stealing information — specifically the environment information — within the target system. Koadic executes the following command:

`%comspec% /q /c 1> 2>&1`

The commands and output of Koadic will change according to the ANEL version used in the attack. The figures below show examples of the commands and outputs for ANEL versions 5.1.1 rc and 5.1.2.

_Figure 6. Koadic commands and output when ANEL 5.1.1 rc is used_

_Figure 7. Koadic commands and output when ANEL 5.1.2 rc1 is used_

The table below lists all of Koadic’s functions:

| Category | Function | Description |
|---|---|---|
| {Variable}.user | | User-related functions |
| | {Variable}.user.DC | Get DCName from Registry |
| | {Variable}.user.Arch | Get Architecture |
| | {Variable}.user.info | Get User Information |
| {Variable}.work | | Main Routine functions |
| | {Variable}.work.report | Reports to server |
| | {Variable}.work.error | Returns error |
| | {Variable}.work.make_url | Alters/Modifies URL (C&C) |
| | {Variable}.work.get | Get the return of POST Header |
| | {Variable}.work.fork | Creates rundll32.exe process |
| {Variable}.http | | HTTP Connection functions |
| | {Variable}.http.create | Creates initial HTTP objects |
| | {Variable}.http.post | POST header |
| | {Variable}.http.addHeaders | Adds HTTP Headers |
| | {Variable}.http.get | GET Header |
| | {Variable}.http.upload | Uploads binaries/data |
| | {Variable}.http.bin2str | String manipulation |
| | {Variable}.http.downloadEx | Downloads response |
| | {Variable}.process.currentPID | Get Current Process ID |
| | {Variable}.process.list | Enumerates Process |
| | {Variable}.process.kill | Terminates Process |
| {Variable}.registry | | Registry-related functions |
| | {Variable}.registry.HKCR | Set HKEY_CLASSES_ROOT |
| | {Variable}.registry.HKCU | Set HKEY_CURRENT_USER |
| | {Variable}.registry.HKLM | Set HKEY_LOCAL_MACHINE |
| | {Variable}.registry.STRING | Set String Value |
| | {Variable}.registry.BINARY | Set Binary Value |
| | {Variable}.registry.DWORD | Set DWORD Value |
| | {Variable}.registry.QWORD | Set QWORD Value |
| | {Variable}.registry.write | Write/Add Registry |
| | {Variable}.registry.provider | Create Registry Handle |
| | {Variable}.registry.destroy | Deletes Registry Key |
| | {Variable}.registry.read | Get/Read Registry Entries |
| {Variable}.WMI | | WMI-related functions |
| | {Variable}.WMI.createProcess | Creates specified process |
| | {Variable}.shell.exec | Executes process |
| {Variable}.file | | File-related functions |
| | {Variable}.file.getPath | Get specified file path |
| | {Variable}.file.readText | Reads specified text file |
| | {Variable}.file.get32BitFolder | Get System Folder (32/64-bit) |
| | {Variable}.file.writol | Writes on specified file |
| | {Variable}.file.deleteFile | Deletes specified file |
| | {Variable}.file.readBinary | Reads specified binary file |

_Figure 8. Command added when the Koadic RAT is downloaded (use of the {Variable}.shell.exec command)_

If Koadic finds that the system is conducive to the attacker’s interests, it downloads a Base64-encoded version of the ANEL malware from the Command-and-Control (C&C) server and executes it. The encoded ANEL is decoded using the “certutil -decode” command. When ANEL executes, a decrypted DLL file with the filename “lena_http_dll.dll” is expanded in memory. This file contains one export function — either “crt_main” or “lena_main”.

_Figure 9. Base64 encoded ANEL downloaded by Koadic_

ANEL will send the infected environment’s information to the C&C server. When sending the information, ANEL encrypts the data using blowfish, XOR, and Base64-based encryption methods. The format ANEL uses to send data is similar to ChChes, but ANEL’s encryption method is easier to use.

_Figure 10. Encryption key using blowfish_

We initially discovered the malware known as ANEL back in November 2017. At that time, ChessMaster was using ANEL as a backdoor into the target system; it injected code into svchost.exe, which then decrypted and activated the embedded backdoor.
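Two of the behaviours described above are visible in ordinary process-creation telemetry: the Koadic command template, a quiet one-shot `cmd.exe` (via `%comspec% /q /c`) whose standard output is redirected to a file with standard error merged into it, spawned from the `rundll32.exe` process that Koadic's `work.fork` function creates, and `certutil -decode` being used to turn the downloaded Base64 text into the ANEL binary. The script below is an added example for detection engineers, not code from the post or from Koadic; it runs both rules over constructed log lines. The log format, the paths and every sample line are made up for the demonstration.

```python
"""Process-creation detections for the Koadic stage described above: a quiet
one-shot cmd.exe whose output is redirected to a file ("%comspec% /q /c ... 1> ... 2>&1"),
spawned by rundll32.exe (the process Koadic's work.fork creates), and
certutil -decode turning the Base64 text fetched from the C&C into a binary.

Added example for detection engineers, not code from the post or from Koadic.
The log format and every sample line are constructed for the demonstration."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed log format: "parent=<path> | image=<path> | cmdline=<command line>".
LOG_LINE = re.compile(r"^parent=(?P<parent>[^|]+?) \| image=(?P<image>[^|]+?) \| cmdline=(?P<cmd>.*)$")
# cmd.exe (or %comspec%) run quietly (/q), one-shot (/c), stdout to a file, stderr merged.
KOADIC_SHELL = re.compile(r'(?:%comspec%|cmd(?:\.exe)?"?)\s+/q\s+/c\s+.+?\s1>\s*\S+\s+2>&1', re.IGNORECASE)
# certutil's -decode switch: Base64 text in, binary out.
CERTUTIL_DECODE = re.compile(r"\bcertutil(?:\.exe)?\b.*\s-decode\b", re.IGNORECASE)


def parse_log_line(line: str) -> ProcessEvent:
    """Parse one line of the constructed log format into a ProcessEvent."""
    m = LOG_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return ProcessEvent(m["parent"].strip(), m["image"].strip(), m["cmd"].strip())


def classify(event: ProcessEvent) -> list[str]:
    """Detection labels that apply to one process-creation event."""
    labels = []
    image = event.image.lower()
    if image.endswith("cmd.exe") and KOADIC_SHELL.search(event.command_line):
        labels.append("quiet_cmd_output_to_file")
        if event.parent_image.lower().endswith("rundll32.exe"):
            labels.append("parent_is_rundll32")  # rundll32 hosting a shell is the stronger signal
    if image.endswith("certutil.exe") and CERTUTIL_DECODE.search(event.command_line):
        labels.append("certutil_decode")
    return labels


def scan(lines) -> list[tuple[int, list[str]]]:
    """(line number, labels) for every line that triggers at least one rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        labels = classify(parse_log_line(line))
        if labels:
            hits.append((n, labels))
    return hits


# Constructed sample log: a benign shell, a Koadic-style capture under rundll32,
# a certutil decode, a benign certutil call, and the capture pattern without rundll32.
SAMPLE_LOG = [
    r'parent=C:\Windows\explorer.exe | image=C:\Windows\System32\cmd.exe | cmdline="cmd.exe" /c dir C:\Users\demo',
    r'parent=C:\Windows\System32\rundll32.exe | image=C:\Windows\System32\cmd.exe | '
    r'cmdline="C:\Windows\System32\cmd.exe" /q /c set 1> C:\Users\demo\AppData\Local\Temp\out.txt 2>&1',
    r'parent=C:\Windows\System32\cmd.exe | image=C:\Windows\System32\certutil.exe | '
    r'cmdline=certutil -decode C:\Users\demo\AppData\Local\Temp\payload.b64 C:\Users\demo\AppData\Local\Temp\payload.dll',
    r'parent=C:\Windows\System32\mmc.exe | image=C:\Windows\System32\certutil.exe | cmdline=certutil -verify C:\certs\corp-root.cer',
    r'parent=C:\Windows\System32\cmd.exe | image=C:\Windows\System32\cmd.exe | cmdline=cmd.exe /q /c ipconfig /all 1> C:\Users\demo\report.txt 2>&1',
]

if __name__ == "__main__":
    for n, labels in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(labels)}")
```

The redirect-to-file pattern on its own is also produced by administrators' scripts, so the `parent_is_rundll32` label is what raises it from noise to a lead; `certutil -decode` is rare enough on most workstations that it can be alerted on directly, with known software installers excluded as they turn up.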
This initial version of ANEL had a hardcoded version labeled “5.0.0 beta1” and contained incomplete code. We noted that this might signify the release of a future variant. Instead of just one new variant, we discovered four different versions of ANEL:

- 5.0.0 beta1
- 5.1.1 rc
- 5.1.2 rc1
- 5.2.0 rev1

_Figure 11. Summary of the changes between each version of ANEL_

Differences with regard to backdoor commands:

| CMD ID | 5.0.0 beta1 / 5.1.1 rc / 5.1.2 rc1 | 5.2.0 rev1 |
|---|---|---|
| 0x97A168D9697D40DD | Save File | |
| 0x7CF812296CCC68D5 | Upload File | |
| 0x652CB1CEFF1C0A00 | NA | Load New PE file |
| 0x27595F1F74B55278 | Save File and Execute | |
| If no match above | Execute Command or File | |

The differences shown in the table above are subtle but present. For example, the initial ANEL version, “5.0.0 beta1,” uses a different C&C server compared to the other versions. Once ANEL evolved to “5.1.1 rc,” it changed its file type to an executable, while also changing the C&C server. The third version we found (5.1.2 rc1) reverts to a DLL file type but retains the C&C server. The fourth version of ANEL (5.2.0 rev1) changes the export function in the expanded main ANEL DLL and uses a different C&C server. Overall, we can see subtle changes, which indicate that the threat actors behind ANEL are making incremental improvements to refine the malware.

_Figure 12. Backdoor function differences between ANEL 5.0.0 beta1/5.1.1 rc/5.1.2 rc1 (left) and ANEL 5.2.0 rev1 (right)_

Once ANEL enters the user’s system, it will download various tools that could be used for malicious purposes, including password retrieval tools as well as malicious mail services and accessibility tools that will allow it to gather information about the system.
These include Getpass.exe and Mail.exe, which are password and information stealers. It also downloads the following:

_Accevent.exe <-> Microsoft Accessible Event Watcher 7.2.0.0_

… Hijacking. In this scenario, accevent.exe is the primary executable, which is usually legitimate. After accevent.exe executes, it loads event.dll, which is placed in the same folder (so it takes loading priority), after which event.dll decrypts and loads the encrypted backdoor _ssssss.ddd_, which is BKDR_ANEL. When we analyzed ANEL 5.1.1 rc, encrypted ANEL 5.1.2 rc1 was downloaded and executed.

**_Short-term mitigation_**

When the user opens a document that abuses DDEAUTO or Link Auto Update, Office will display a message. If the user clicks on the “No” button, the malicious activity will not initiate.

_Figure 13. Popup message when users open the document that abuses DDEAUTO_

… the traffic.

_Figure 15. Koadic’s communication traffic_

**_Medium- to long-term mitigation_**

At first glance, it seems ChessMaster’s evolution over the past few months involves only subtle changes. However, the constant addition and changing of features and attack vectors indicate that the attackers behind the campaign are unlikely to stop and are constantly looking to evolve their tools and tactics.

Organizations can implement various techniques and best practices to defend against targeted attacks, such as regular patching to prevent vulnerability exploitation and using tools that provide protection across different network levels. Solutions that feature behavior monitoring, application control, [email gateway monitoring, and intrusion detection systems](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/infosec-guide-email-threats) can help with this.

Given how cybercriminal tools, tactics and procedures are evolving, organizations will have to go … system.
A proactive strategy can be much more effective against targeted attacks, as these kinds of attacks are often designed to be elusive and difficult to detect, hence the need to scope them out. A comprehensive security strategy that involves proactive incident response will need the input of both decision makers and tech-savvy personnel, as they will need to be on the same page for it to be effective.

In addition to implementing both mitigation techniques and proactive strategies, organizations can also strengthen their security by employing solutions such as Trend Micro™ Deep Security™, [Vulnerability Protection](https://www.trendmicro.com/us/enterprise/product-security/vulnerability-protection/), and TippingPoint, which protect endpoints from threats that abuse vulnerabilities. In addition, comprehensive security solutions can be used to protect organizations from attacks. These include Trend Micro endpoint solutions such as [Trend Micro™ Smart Protection Suites](http://www.trendmicro.com/us/business/complete-user-protection/index.html) and [Worry-Free™ Business Security](http://www.trendmicro.com/us/small-business/product-security/), which can protect users and businesses from these threats by detecting malicious files, as well as blocking all related malicious URLs. [Trend Micro Deep Discovery™](http://www.trendmicro.com/us/enterprise/security-risk-management/deep-discovery/) can protect enterprises by detecting malicious attachments and URLs. [Trend Micro OfficeScan™ with XGen™ endpoint security](http://www.trendmicro.com/us/enterprise/product-security/officescan/) infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against all kinds of threats.
A more detailed analysis of the Command-and-Control communication flow of ANEL can be found in this [technical brief](https://documents.trendmicro.com/assets/technical-brief-chessmaster-adds-updated-tools-to-its-arsenal.pdf).

**Indicators of Compromise**

Hashes of the downloader used in the campaign:

- 76b1f75ee15273d1226392db3d8f1b2aed467c2875e11d9c14fd18120afc223a
- 4edcff56f586bd69585e0c9d1d7ff4bfb1a2dac6e2a9588f155015ececbe1275
- 1b5a1751960b2c08631601b07e3294e4c84dfd71896453b65a45e4396a6377cc

Hashes detected as part of the BKDR_ANEL family:

- 5.0.0 beta1
- 5.1.2 rc1: 05dd407018bd316090adaea0855bd7f7c72d9ce4380dd4bc0feadc6566a36170
- 5.2.0 rev1: 00030ec8cce1f21120ebf5b90ec408b59166bbc3fba17ebae0fc23b3ca27bf4f
- lena_http.bin: 303f9c00edb4c6082542e456a30a2446a259b8bb9fb6b0f76ff318d5905e429c

Tools used in the campaign:

- Getpass.exe: 52a8557c8cdd5d925453383934cb10a85b117522b95c6d28ca097632ac8bc10d
- event.dll: 6c3224dbf6bbabe058b0ab46233c9d35c970aa83e8c4bdffb85d78e31159d489
- mail.exe: 2f76c9242d5ad2b1f941fb47c94c80c1ce647df4d2d37ca2351864286b0bb3d8

URLs and IP addresses related to the campaign:

- www[.]nasnnones[.]com
- trems[.]rvenee[.]com
- contacts[.]rvenee[.]com
- 91[.]207[.]7[.]91
- 89[.]18[.]27[.]159
- 89[.]37[.]226[.]108
- 185[.]25[.]51[.]116
- 185[.]81[.]113[.]95
- 185[.]144[.]83[.]82
- 185[.]153[.]198[.]58
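The indicators above are defanged with `[.]` so that they cannot be followed by accident; before they can be loaded into a SIEM or a hash lookup they have to be refanged and sorted by type. The script below is an added example, not code from the post, that does this for the published list and then runs it over constructed DNS, proxy and firewall log lines and a constructed file-hash inventory. Only the indicator values come from the post; the log lines, file paths and the benign file are made up for the demonstration.

```python
"""Match the indicators published with the post against constructed DNS, proxy
and firewall log lines and against a file-hash inventory. Added example, not
code from the post; the indicator list is the post's, everything else is made up."""
import hashlib
import re

# Indicators as published, defanged with [.]; the nine SHA-256 values are the
# downloader, ANEL and tool hashes listed above.
CAMPAIGN_IOCS = """
www[.]nasnnones[.]com
trems[.]rvenee[.]com
contacts[.]rvenee[.]com
91[.]207[.]7[.]91
89[.]18[.]27[.]159
89[.]37[.]226[.]108
185[.]25[.]51[.]116
185[.]81[.]113[.]95
185[.]144[.]83[.]82
185[.]153[.]198[.]58
76b1f75ee15273d1226392db3d8f1b2aed467c2875e11d9c14fd18120afc223a
4edcff56f586bd69585e0c9d1d7ff4bfb1a2dac6e2a9588f155015ececbe1275
1b5a1751960b2c08631601b07e3294e4c84dfd71896453b65a45e4396a6377cc
05dd407018bd316090adaea0855bd7f7c72d9ce4380dd4bc0feadc6566a36170
00030ec8cce1f21120ebf5b90ec408b59166bbc3fba17ebae0fc23b3ca27bf4f
303f9c00edb4c6082542e456a30a2446a259b8bb9fb6b0f76ff318d5905e429c
52a8557c8cdd5d925453383934cb10a85b117522b95c6d28ca097632ac8bc10d
6c3224dbf6bbabe058b0ab46233c9d35c970aa83e8c4bdffb85d78e31159d489
2f76c9242d5ad2b1f941fb47c94c80c1ce647df4d2d37ca2351864286b0bb3d8
"""

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
SHA256 = re.compile(r"^[0-9a-f]{64}$")
HOST_IN_TEXT = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
IP_IN_TEXT = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(ioc: str) -> str:
    """Undo the usual defanging: [.] for dots and hxxp for http."""
    return re.sub(r"^hxxp", "http", ioc.strip().replace("[.]", "."), flags=re.IGNORECASE)


def load_iocs(text: str) -> dict[str, set[str]]:
    """Sort refanged indicators into domains, IPv4 addresses and SHA-256 hashes."""
    iocs = {"domains": set(), "ips": set(), "sha256": set()}
    for raw in text.split():
        ioc = refang(raw).lower()
        if IPV4.match(ioc):
            iocs["ips"].add(ioc)
        elif SHA256.match(ioc):
            iocs["sha256"].add(ioc)
        else:
            iocs["domains"].add(ioc)
    return iocs


def match_log_line(line: str, iocs: dict[str, set[str]]) -> list[str]:
    """Listed hosts (exact, or a subdomain of a listed host) and IPs seen in one line."""
    hits = []
    for host in HOST_IN_TEXT.findall(line):
        h = host.lower()
        if h in iocs["domains"] or any(h.endswith("." + d) for d in iocs["domains"]):
            hits.append(h)
    hits.extend(ip for ip in IP_IN_TEXT.findall(line) if ip in iocs["ips"])
    return hits


def scan_logs(lines, iocs) -> list[tuple[int, list[str]]]:
    """(line number, indicators) for every line that touches a listed indicator."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := match_log_line(line, iocs))]


def match_hash_inventory(inventory: dict[str, str], iocs) -> list[tuple[str, str]]:
    """(path, sha256) for inventory entries whose hash is on the list."""
    return [(path, h.lower()) for path, h in inventory.items() if h.lower() in iocs["sha256"]]


# Constructed sample telemetry; only lines 1-3 touch listed indicators.
SAMPLE_LOGS = [
    "2018-03-28T09:14:02Z proxy 10.0.0.5 GET http://trems.rvenee.com/index.php 200",
    "2018-03-28T09:14:03Z dns client 10.0.0.7 query contacts.rvenee.com IN A",
    "2018-03-28T09:15:11Z fw allow 10.0.0.9:49211 -> 185.144.83.82:443",
    "2018-03-28T09:16:40Z proxy 10.0.0.5 GET https://www.example.com/ 200",
    "2018-03-28T09:17:05Z dns client 10.0.0.7 query cdn.rvenee.com IN A",
]
# Constructed inventory: path -> SHA-256 as an EDR or file-integrity tool would report it.
SAMPLE_INVENTORY = {
    r"C:\Users\demo\AppData\Roaming\event.dll": "6c3224dbf6bbabe058b0ab46233c9d35c970aa83e8c4bdffb85d78e31159d489",
    r"C:\Windows\System32\notepad.exe": hashlib.sha256(b"constructed benign file content").hexdigest(),
}

if __name__ == "__main__":
    iocs = load_iocs(CAMPAIGN_IOCS)
    for n, hits in scan_logs(SAMPLE_LOGS, iocs):
        print(f"log line {n}: {', '.join(hits)}")
    for path, digest in match_hash_inventory(SAMPLE_INVENTORY, iocs):
        print(f"{path}: {digest}")
```

Note that the post lists specific hosts under rvenee[.]com rather than the parent domain, so the last sample line (a different host under the same domain) is deliberately not matched; whether to block the parent domain as well is a judgement call for the responder, not something the indicator list settles.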
Tags: [ChessMaster](https://blog.trendmicro.com/trendlabs-security-intelligence/tag/chessmaster/) [targeted attacks](https://blog.trendmicro.com/trendlabs-security-intelligence/tag/targeted-attacks/)