### THE NEXT-GEN PLUGX/SHADOWPAD? A DIVE INTO THE EMERGING CHINA-NEXUS MODULAR TROJAN, PANGOLIN8RAT ###### Silvia Yeh / Leon Chang ----- # Speaker ###### Silvia Yeh • Threat Intelligence Analyst • OSINT, APT, InfoOps in APAC • 2022 SANS CTI Summit, 2021 CODE BLUE, 2021 HITCON Pacific, etc. Leon Chang • Threat Intelligence Researcher • Reverse engineering, APT campaign tracking in APAC, IoT security • 2022 JSAC, 2021 JSAC ----- ##### Outline ###### 1. Intro: Modular shared tools among Chinese APTs 2. Anatomy of Pangolin8RAT 3. APT Tianwu: Activity Timeline, Target, Attribution 4. Conclusion and outlook ----- ## 1. Background Information ###### PlugX, ShadowPad, and modular tools shared among Chinese APTs ----- ###### PlugX • First Seen: 2008 • A RAT with modular plugins • Used by many Chinese APT groups: • Amoeba/APT41, APT27, DragonOK, Polaris, menuPass, LuoYu, and more… • “PlugX” → plugin and malware module features • Various PlugX variants (Some have other communication protocols, including P2P and DNS Tunneling.) ----- ###### ShadowPad • First Seen: 2015 • A RAT with modular plugins • Used by many Chinese APT groups (respectively limited): • Amoeba/APT41, Fishmaster, Sanyo, LuoYu, Naikon, more… • Its functions are provided by interchangeable modules • Protected by layers of encryption and heavy obfuscation • The modular design resembles PlugX ----- ##### Related malware families ###### • PlugX • ShadowPad • Pangolin8RAT • FFRAT • KeyPlug • Winnti 2.0 • FunnySwitch • Natwalk (Sidewalk) • Crosswalk • … ----- ###### - Modular malware ##### Amoeba, Fishmaster, and Tianwu ###### - KCP protocol - Multiple C2 protocol supported - CobaltStrike technique Amoeba Tianwu Fishmaster aka APT41, Barium - Tool: Pangolin8RAT aka Lusca Earth, - Notorious Chinese TAG-22 APT group - An emerging China-nexus group - Amoeba’s subgroup - Chengdu404 that has been active - Civilian hackers since late-2020 ----- ###### Origin ##### Tianwu Profile ###### Tools • Pangolin8RAT • Custom CobaltStrike Beacon TTPs • Modular malware • KCP protocols • Phantom DLL hollowing Target Region Target Industry • Gambling, Gaming, IT, Telecom, Gov, Transport, ----- ## 2. Anatomy of Pangolin8RAT ###### Pangolin8RAT’s evolution and its similarities with other malware families ----- |Category|Description| |---|---| |Type|Modular backdoor| |Naming|The PDB string contains “pangolin” and its RTTI contains “p8rat”| |First seen|2019/11| |Function|supported 8 communication protocols, including TCP, HTTPS, UDP, DNS, ICMP, HTTPSIPV6, WEB, and SSH| |Target industry|Online gaming, gambling, IT, Telecom, Transportation, Gov, Dissident NE| |Linked APT|W Tianwu| ###### Malware Profile: Pangolin8RAT Category Description Type Modular backdoor Naming The PDB string contains “pangolin” and its RTTI contains “p8rat” First seen 2019/11 supported 8 communication protocols, including TCP, HTTPS, UDP, Function DNS, ICMP, HTTPSIPV6, WEB, and SSH Target industry Online gaming, gambling, IT, Telecom, Transportation, Gov, Dissident NE W Linked APT Tianwu ----- ###### Naming The PDB string • Z:\Disk\pangolin_reload\Release\core\ldr\Mfcldrx64.pdb • D:\PangolinRev\Release\core\LiteCorex64.pdb • D:\PangolinRev\Release\core\corex64.pdb The RTTI • P8RatCore • P8CorePluginManager ----- ###### In-Depth Analysis of Pangolin8RAT • The installer/dropper of Pangolin8RAT • The evolution of Pangolin8RAT • The code similarity with FFRAT and Winnti 2.0 • TTPs overlap with Amoeba group malware family ----- ###### The installer of Pangolin8RAT • It’s written in C++ using MFC application framework • The pdb string: • Z:\Disk\pangolin_reload\Release\core\ldr\Mfcldrx64.pdb • Used COM Session Moniker Privilege Escalation (MS17-012) ----- ###### The installer of Pangolin8RAT The installer contains an additional encrypted/encoded module in the resource section. ----- #### Resource format ###### 0x0:Module_size(4 bytes) 0x4:CRC_Checksum (4 bytes) 0x8:AES_KEY Resource Decrypted module BLOB Pkgx64.PkgPackage() 0x210:Encrypted BLOB Pangolin8RAT Installer ----- ###### Execution Procedure ----- ###### Module Decryption Procedure Pkgx64.PkgPackage() CryptAcquireContextW CryptCreateHash(CALG_SHA_256) Decrypt function CryptHashData(AES_KEY) CryptDeriveKey CryptSetKeyParam RtlDecompressBuffer() (hardcoded IV -> “0123456789abcdef”) CryptDecrypt(Encrypted_BLOB) Check CRC_Checksum Version change in 2021 installer of pangolin8RAT 1. merge PkgPackage() into installer 2. Set KeyParam using hardcoded IV Decrypted module ----- |Resource ID|Filename or in-memory module name|Description| |---|---|---| |1809|N/A|must exist, check size >= 24 bytes| |1817|inst.dat|persistence path| |1825|smcache.dat|C2 config| |1826|newuac.dll|UAC bypass module| |1829|newwhite.dll|Drop files(launcher, loader, config) for loading Pangolin8RAT core NE| |1830|pkgx64.dll|W Decrypt and decompress modules| ###### The summary of resource ID Resource ID Filename or in-memory module name Description 1809 N/A must exist, check size >= 24 bytes 1817 inst.dat persistence path 1825 smcache.dat C2 config 1826 newuac.dll UAC bypass module Drop files(launcher, loader, config) for 1829 newwhite.dll loading Pangolin8RAT core NE W 1830 pkgx64.dll Decrypt and decompress modules ----- |Resource ID|Filename or in-memory module name|Description| |---|---|---| |1832|log.dll|Loader(corex64.dll, MainLdr.dll)| |1840|bdservicehost.exe|Legitimated launcher for dll hijacking| |1841|N/A|Filenames for DLL hijacking| |*1816|hostcfg.dat|Used in the Host header, in C&C communication| |*1833|bdservicehost.exe|Signed PE for sideloading 32bit – N/A| |*1831|log.dll|NE Loader (32bitW)| ###### The summary of resource ID Resource ID Filename or in-memory module name Description 1832 log.dll Loader(corex64.dll, MainLdr.dll) 1840 bdservicehost.exe Legitimated launcher for dll hijacking 1841 N/A Filenames for DLL hijacking Used in the Host header, in C&C *1816 hostcfg.dat communication *1833 bdservicehost.exe Signed PE for sideloading 32bit – N/A NE *1831 log.dll Loader (32bit) W ----- ###### The evolution of Pangolin8RAT – Timeline Case1 Case3 Local Shellcode Injection Kill EDR process PE2Shellcode Anti IDA Pro decompiler Mar. 2021 Dec. 2021 Before 2021 Sep. 2021 DLL injection Case2 Phantom DLL hollowing*1 Check loaded security product drivers*2 Code refactoring Exploiting vulnerable driver (CVE-2019-16098) The timeline of TTPs used by Pangolin8RAT ----- ###### The evolution of Pangolin8RAT - Case1 1. No longer uses hardcoded AES IV • The Resource_BLOB/payload contains the AES KEY and IV value (use “#” as delimiter) 2. Used shellcode injection technique* to bypass EDR detection • Call windows API EnumSystemCodePagesW 3. PE2Shellcode: Convert corex64.dll to shellcode • PDB: ----- ###### The evolution of Pangolin8RAT - Case1 • Extracted from process dwm.exe • Download from C2 Server The workflow of Pangolin8RAT in Mar. 2021 ----- ###### The evolution of Pangolin8RAT - Case2 (workflow) The workflow of Pangolin8RAT in June 2021 ----- ###### The evolution of Pangolin8RAT - Case2 (workflow) - Extracted from process kwsprotect64.exe - Download from C2 Server The workflow of Pangolin8RAT in June 2021 ----- ###### The evolution of Pangolin8RAT - Case1 vs. Case2 1. Code refactoring ----- ###### The evolution of Pangolin8RAT - Case1 vs. Case2 2. C2 config stored in resource ID:2321 and config is encoded. 3. Add persistence path in c2 config structure ----- ###### The evolution of Pangolin8RAT - Case1 vs. Case2 4. New module ----- ###### The evolution of Pangolin8RAT - Case2 (persistence) 1. Uses known persistence method*: • HKLM\Software\Microsoft\Cryptography\Offload\ExpoOffload = C:\ProgramData\SppTools\ess4c85b739.dll 2. Same shellcode injection technique 3. Uses Tiny-AES algorithm to decrypt the payload 4. Local privilege escalation through CVE-2019-16098 ----- |Category|Description| |---|---| |Type|Loader| |Naming|Ketugya is named after its PDB string of final stage dll "E:\fud2\Ketugya\bin\x64\test_msg.pdb".| |First seen|2022/02| |Functions|- Uses Tiny-AES algorithm to decrypt payload in-memory - Kills EDR process - Patches ETW, UAC bypass - Anti-IDA Pro decompiler - Searches NortonSecurity.exe, avp.exe| ###### The evolution of Pangolin8RAT - Case3 (Ketugya) Ketugya: Malware Profile Category Description Type Loader Ketugya is named after its PDB string of final stage dll Naming "E:\fud2\Ketugya\bin\x64\test_msg.pdb". First seen 2022/02 - Uses Tiny-AES algorithm to decrypt payload in-memory - Kills EDR process Functions - Patches ETW, UAC bypass - Anti-IDA Pro decompiler - Searches NortonSecurity.exe, avp.exe ----- ###### The evolution of Pangolin8RAT - Case3 (Ketugya) The workflow of Ketugya • Same decryption method with Case 2 • Step1: Read payload from resource ID:1905 • Step2: Uses Tiny-AES algorithm to decrypt the payload • Step3: Unzip the decrypted payload -> shellcode • Step4: shellcode will use Tiny-AES algorithm to decrypt payload again -> in-memory dll (first stage DLL) • Step5: run first-stage DLL in memory via reflective DLL injection techniques • Step6: go-to Step1 until the final-stage DLL/payload is running in-memory ----- ###### The evolution of Pangolin8RAT - Case3 (Ketugya) TTPs used by Ketugya • Kill EDR process* • Modify the token Integrity of the PPL (Protected Process Light) process to Untrusted • Kill Windows defender process (MsMpEng.exe) • Anti IDA Pro decompiler • Junk code will cause decompilation failure (stack frame is too big) ----- ###### Code similarity with FFRAT and Winnti 2.0 Sample MD5 hash • Pangolin8RAT.FileMgr • 0879125ed34df60a70ed5bb8d58f3a19 • FFRAT • 1962a69c204289cb8214a30c15f05609 • Winnti 2.0 • 5778178a1b259c3127b678a49cd23e53 ----- ###### Code similarity with FFRAT and Winnti 2.0 Code overlap/reuse 1. Pangolin8RAT.FileMgr vs. FFRAT • Code overlap just change XOR key: 0xBC vs. 0x57 • Same debug string and proxy connector class reused 2. FFRAT vs. Winnti 2.0 • Same debug string • "m_ServerComplete Continue\n” • ”SrvCode”, “DrvCode” ----- ###### Code similarity with FFRAT and Winnti 2.0 Pangolin8RAT.FileMgr vs. FFRAT ----- ###### Code similarity with FFRAT and Winnti 2.0 Code similarity - Dead Drop Resolver technique • Step1: Get response from web server (first-stage c2) • Step2: Parse encrypted/encoded string with hardcoded delimiters • Format: binary_data • Step3: covert data to bytes and decode string • C2 Format: ”:” • Step4: resolve the second-stage C2 ip address ----- ###### Code similarity with FFRAT and Winnti 2.0 Pangolin8RAT.FileMgr vs. FFRAT ----- ###### TTPs overlap with Amoeba malware family Phantom DLL Hollowing Dead Drop Resolver KCP Protocol Multiple C2 Protocol Supported & Anti IDA Pro Decompiler Modular Designed ----- ###### TTPs overlap with Amoeba malware family Phantom DLL hollowing • ChatLoader[[2]] (aka. StealthVector) Anti IDA Pro decompiler • The linux variant of Natwalk ○ Specter botnet[[3]] is the predecessor of Natwalk.linux Dead Drop Resolver • Natwalk [[2]] (aka. Sidewalk [[5]], ScrambleCross [[9]][)] • Natwalk is one of the backdoors loaded by the ChatLoader • KeyPlug[[4]] (tech community forums) • ShadowPad (MSDN forums, github), PlugX(MSDN forums, pastebin) • Winnti[[13]] (MSDN forums), FFRAT • 9002 RAT ----- ###### TTPs overlap with Amoeba malware family KCP Protocol • KeyPlug • Crosswalk [[6] [7]] • FunnySwitch [[6]] (unused) • PseudoManuscrypt [[8]](unknown adversary) Multiple c2 protocol supported & Modular designed • KeyPlug (HTTP, KCP, TCP, WSS) • Crosswalk (TCP, HTTP, KCP) • FunySwitch (RPC, TCP, HTTP) • Winnti (ICMP, UDP, TCP, Reuse port) • PlugX [[7]] (DNS, ICMP, HTTP, TCP, UDP), ShadowPad[[7] ](TCP, UDP, HTTP, DNS) ----- ###### TTPs overlap with Amoeba malware family ----- ###### TTPs overlap with Amoeba malware family Targets online gaming/gambling industry • Natwalk, Crosswalk, FunnySwitch, Spyder • ShadowPad, Winnti, PlugX • KeyPlug CobaltStrike technique • Abusing Cloudflare Workers to hide the real IP address • Modify XOR-key • Early bird code injection ----- ###### The timeline of malware family (Shared or KCP Protocol) PlugX ShadowPad KeyPlug FunnySwitch Pangolin8RAT Crosswalk 2019/01 2019/07 2020/01 2020/07 2021/01 2021/07 2022/01 Malware activity timeline based on sample compile timestamp ----- ###### The New Era of Chinese APT analysis? • Increasing intricacy of malware families • Increasing tendency of malware sharing Malware-as-a-Service among APT groups? ----- ## 3. Tianwu ###### TTPs, Activity Timeline, Target, Attribution ----- ###### • A beast with 8 human heads, 8 feet and 8 tails • Modular features of Pangolin8RAT • Amalgamation of different groups of actors • The Classic of Mountains and Seas (山海經) ##### Tianwu (天吳) ----- ##### Target Industry and Region ###### Target Industry Target Region ----- ##### Activity Timeline ###### 2021/3 2021/8 - - 2021/10 2022/2 - 2021/3 2021/4 2021/10 2022/3 - - 2021/4 - 2022/01 - 2021/9 ----- ##### TTPs ###### Delivery Method • Social engineering, forum phishing, planting backdoor in NAS server Malware abused • Pangolin8RAT, custom CobaltStrike Beacon C2 • C2 disguised as legitimate websites • C2 hosted on VPS • Recent C2 activity indicated possible abuse of Log4j Exploit • CVE-2022-24934 • Exploit of WPS Office updater (wide Chinese user base) ----- ###### Case Study: Months-long campaign against KZ Telecom Victim • Kazakhstan telecom First attack spotted in 2021/10, latest attack spotted in 2022/01 Tools • Pangolin8RAT • CobaltStrike Beacon with specific watermark C2 • C2 domain disguised as the victim’s domain • VPS provided by Leaseweb ----- ###### Case Study: Months-long campaign against TW gambling firm Victim • Taiwanese gambling firm First attack spotted in 2021/04, latest attack spotted in 2022/02 Tools • Pangolin8RAT • hijacking, pipeline operation, local shellcode injection • Evaded detection of multiple anti-virus software • CobaltStrike Beacon with specific watermark • Hacking tool • Attempts to collect info of victims’ browser and messaging software ----- ###### Case Study: Attack against TW transport industry Victim • Taiwanese public transport-related firm Time: 2021/08 Tools • Pangolin8RAT • 8 C2 configs were populated in the RAT C2 • Disguised as the enterprise management software used by the victim • Registered with TUCOWS and shielded by privacy protection • C2 infra also used in attack against PH gambling firms ----- ###### Case Study: Campaign against Chinese-speaking dissident Victim • Chinese-speaking dissident Time: 2021/03-2021/04 Delivery “How to put ads on • Phishing via Forum abuoluowang.com” • Disguised as TW IT Company ----- ###### Campaign against Chinese-speaking dissident (cont.) Exploit • Possible Chromium exploit targeting Chromium-based browser users • eg: QQ browser Tools • Malicious WeChat CRX (Chrome extension) • Pangolin8RAT • CobaltStrike C2 with an open directory ----- ##### Tianwu and Amoeba overlaps ###### • Delivery Method • Forum phishing, planting backdoor in NAS devices • Malware feature • KCP protocol • Utilization of multiple C2 protocols • Phantom DLL hollowing • C2 • Abusing Cloudflare Workers to hide the real IP address • Target Scope • Interests in online gaming/gambling industry ----- ##### Attribution: Another Amoeba? ###### Possible scenarios: Amalgamation of civilian hackers • Operation mode like Chengdu404 • Operate bid projects of the national/public security agencies • Motive: espionage, domestic surveillance Subgroup of Amoeba • No shared infra and tools detected so far ----- ##### Open Directory ###### Information collected • Staffs and operators’ personal info • Credentials • Software source code • Business info ----- ##### Threat Landscape: New APT Operation Mode ###### Difficulty of pinning down actors’ motive • Target scope spans different industry • Espionage operations outsourced by MSS/MPS? Chinese authorities’ crackdown on online gaming/gambling industry • Abundant money and data (personal info and cash flow) • Data collection for authorities’ crackdown campaign Civilian hacker/front company aiming for personal gain • Participation in cybercrime • Software source code for sale in underground market ----- ##### Tianwu’s Operations in Diamond Model ###### Adversary Technical Axis • Tianwu Social-Political Axis • Tools and TTPs resemble APT41 • Origin:China • China’s crackdown on its domestic • Proprietary malware possibly gaming industry developed by the developers of Winnti • Data collection of service and FFRAT providers • China’s crackdown on Macau gambling industry forced gambler move online • Data collection of gamblers and cash flow Infrastructure Capability Tools: • C2 disguised as legitimate websites • Pangolin8RAT • C2 hosted on VPS • Custom CobaltStrike Beacon • Abused Cloudflare Workers to hide the TTPs: real IP address • Social Engineering • Recent C2 activity indicated possible • Planting backdoor in NAS server abuse of Log4j • Malware with modular feature and KCP protocol • Exploit: WPS Office Chromium ----- ## 4. Conclusion ###### Outlook and suggestions ----- ##### Conclusion and Outlook ###### Pangolin8RAT could be the next gen PlugX/ShadowPad • Modular-featured RATs become more popular • Highly possible to be shared or even sold among Chinese threat groups • Both espionage and financially driven operations ----- ##### Conclusion and Outlook ###### New mode of APT operations • Trends of malware sharing • Malware with similar structure and techniques • Malware-as-a-Service among APT groups Tianwu might operate as: a collaborator of APT41, a subgroup of APT41, or a digital quartermaster of Chinese APTs ----- ##### Countermeasures ###### Defend your organization with all-level Intelligence • Tactical - Feed CTI vendor’s IoCs to cybersecurity infra • Operational - Patch servers in timely manner - Beware of new social engineering tactics - Apply in-memory detection • Strategic - New operation mode of Chinese APTs makes attribution/group tracking more difficult - China’s policies/crackdown heavily affects cyberspace ----- ##### IoC ###### Pangolin8RAT CobaltStrike • 0f44724d498f77a59bc542be7d17dc89 • 3e08c0e69fc1bbd36b2bb09086fd30ad • 47b3627c3900e29bdef6d36cfdf61bbf • c4e31051dc80d87927d15d0fbed704d0 • ea76ad28a3916f52a748a4f475700987 • 544a7746c87698665744520820551750 • cfae9252291fdf63f0c3d485a162a444 • bfa657d3eca9df2b122d0908ac23c1ed • 4fb9b38e9c4b3c98b6f13c153bbe6f6a • bf421d42174edb2f31007cbede9cf5b9 • 8b6a63e522fd6b3f23f476a101720bf9 • ea2e29b351d4e07460e5955b8e1b4d5d • 641d23463a53bcb29673d179379e1a8f • 81d9be954a09774887eb75b5a23db9b4 ----- ##### IoC ###### • 23.106.122[.]171 • www.tiger266[.]com • static.daytodayup[.]com • help.tiger266[.]com • mirrors.centos.8788912[.]com • 23.106.123[.]134 • new.mkdjgame[.]com • stat.8788912[.]com • 23.106.124[.]156 • help.mkdjgame[.]com • login.good-enough-8fe4[.]com • 23.106.125[.]132 • www.ffyl-bet[.]com • cdn2.twmicrosoft[.]com • 45.153.242[.]41 • help.ffyl-bet[.]com • cdn.1685810[.]com • 74.119.193[.]139 • zk.full-subscription[.]com • static.1685810[.]com • cs.full-subscription[.]com • cachedownload.goldenrose88[.]com • yd.full-subscription[.]com • backup.microsupdate[.]com • www.animal777[.]com • api.gpk-demo[.]com • time.daytimegamers[.]com • static.gpk-demo[.]com • themerecord[.]com • api.geming8888[.]com ----- ##### Reference ###### 1. Operation Dragon Castling: APT group targeting betting companies, March 22, 2022 https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting- companies/ 2. Evolution after prosecution: Psychedelic APT41, November 27, 2021 https://vblocalhost.com/uploads/2021/09/VB2021-12.pdf 3. Ghost in action: the Specter botnet, September 25, 2020 https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/ 4. Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments, March 08, 2022 https://www.mandiant.com/resources/apt41-us-state-governments 5. The SideWalk may be as dangerous as the CROSSWALK, August 24, 2021 https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/ 6. Higaisa or Winnti? APT41 backdoors, old and new, January 14, 2021 https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41- backdoors-old-and-new/ 7. SHADOWPAD: A MASTERPIECE OF PRIVATELY SOLD MALWARE IN CHINESE ESPIONAG, August, 2021 https://www.sentinelone.com/labs/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese- espionage/ ----- ##### Reference ###### 8. PseudoManuscrypt: a mass-scale spyware attack campaign, December 16, 2021 https://ics-cert.kaspersky.com/publications/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware- attack-campaign/ 9. Earth Baku Returns, August 24, 2021 https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/earth-baku-returns 10. Delving Deep: An Analysis of Earth Lusca’s Operations , January 17, 2022 https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs- sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of- earth-lusca-operations.pdf 11. This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits, March 25, 2020 https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits 12. LOWKEY: Hunting for the Missing Volume Serial ID, October 15, 2019 https://www.mandiant.com/resources/lowkey-hunting-missing-volume-serial-id 13. “Winnti” More than just a game, April 11, 2013 https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than- ----- ## Thank you! -----