-----
## Threat actor “Earth Yako” has been operating Operation RestyLink
- Operation RestyLink is an espionage campaign targeting mainly Japan
- Public reporting on the campaign:
  - Macnica, “Attack campaign abusing shortcuts and files” (ショートカットと ファイルを悪用する攻撃キャンペーン): https://security.macnica.co.jp/blog/2022/05/iso.html
  - NTT Security Japan, “Operation RestyLink: a targeted attack campaign against Japanese companies” (Operation RestyLink: 日本企業を狙った標的型攻撃キャンペーン): https://insight-jp.nttsecurity.com/post/102ho8o/operation-restylink
  - IPA, “Cyber Rescue Team (J-CRAT) activity reports” (サイバーレスキュー隊 活動状況): https://www.ipa.go.jp/files/000099786.pdf and https://www.ipa.go.jp/files/000106897.pdf

[Figure: Earth Yako operates Operation RestyLink]

-----
## Observed since at least January 2022
- Targeting academic and think-tank organizations in Japan and Taiwan
  - Not confirmed by ourselves, but a possible incident in October 2021
  - Target sectors are economic security, energy, economy and the public sector

[Figure: incident timeline, October 2021 to January 2023. Oct 2021 and Feb 2022: possible incidents targeting Japan; Jan, Mar, Apr, Jul and Aug 2022: six incidents targeting the academic sector, five in Japan and one in Taiwan; Jan 2023: incident targeting the public sector in Japan. Legend: region (Japan, Taiwan) and sector (economic security, energy, economy, other)]

-----
## Initial access: well-crafted email with a URL
- Carefully written email text containing a URL, addressed to a specific target person
- The URL leads to the download of an ISO or ZIP

[Figure: two infection chain types (Type 1 and Type 2). One chain: extract the archive, open the decoy, download a .dot template into the Word Startup folder, then download a .dot and execute it. The other chain: extract the ISO, open the decoy, a legitimate EXE (renamed Word.exe) loads a malicious DLL from the ISO by DLL sideloading, and Cobalt Strike runs in memory]

-----
## March 2022 case: MIRRORKEY and TRANSBOX
- Observed around March 2022
- Targeting the academic sector in Japan
- Malware and techniques:
  - MIRRORKEY
  - TRANSBOX
  - DLL sideloading
  - Abuse of MS13-098/CVE-2013-3900
  - Abuse of a cloud service (Dropbox)

[Figure: infection chain. OFFCLN.EXE sideloads OCLEAN.DLL (MIRRORKEY), which decrypts TRANSBOX (stored encrypted inside DWINTL.DLL; internal name FILETRANDLL.dll) and runs it in memory; TRANSBOX gets commands from Dropbox and uploads files to it. The delivery stage is unknown (marked “???” on the slide)]

-----
## MIRRORKEY: custom on-memory DLL loader
- The encrypted payload is embedded in another component,
  “DWINTL.DLL”, which is originally a legitimate DLL; the encrypted payload is appended inside its Authenticode certificate table by abusing MS13-098/CVE-2013-3900, so the file's digital signature still verifies on a system that has not enabled the opt-in certificate padding check

[Figure: file properties of DWINTL.DLL showing its digital signature; the encrypted payload is appended inside the certificate by abusing MS13-098]

-----
## MIRRORKEY: payload decryption
- The base key, offset and size required for decryption are embedded at the end of “DWINTL.DLL”
- The AES key that decrypts the payload is generated by a custom algorithm

[Figure: payload decryption routine]

-----
## TRANSBOX: Dropbox API based backdoor/infostealer
- Internally named “FILETRANDLL.dll”
- Capabilities:
  - Upload files with specified extensions to Dropbox
    - .doc / .docx / .xls / .xlsx / .ppt / .pptx / .pdf / .rtf / .odt / .jsd / .jtd / .jst / .7z / .zip / .rar (the .jtd/.jst extensions belong to the Japanese Ichitaro word processor, consistent with the targeting)
  - Upload a specified file
  - List specified directories
  - Download and execute an additional plug-in in memory

-----
## June 2022 case: MIRRORKEY and PLUGBOX
- Observed around June 2022
- Targeting the academic sector in Japan
- Malware and techniques:
  - MIRRORKEY
  - PLUGBOX
  - DLL sideloading
  - Abuse of MS13-098/CVE-2013-3900
  - Abuse of a cloud service (Dropbox)

[Figure: infection chain. GoogleToolbarNotifier.exe sideloads GTN.dll (MIRRORKEY), which decrypts PLUGBOX (stored encrypted inside espui.dll) and runs it in memory; a copy placed in %appdata%\NVIDIA pairs cttune.exe with a sideloaded DWrite.dll (MIRRORKEY) and its own espui.dll holding encrypted PLUGBOX. PLUGBOX (internal name LoadPlgFromRemote.dll) gets commands from Dropbox. The delivery stage is unknown (“???”)]
-----
## MIRRORKEY (TEA variant): custom on-memory DLL loader
- Compared with MIRRORKEY in AES mode, this one is a totally different implementation with similar TTPs
  - Loaded by DLL sideloading
  - Decrypts the payload embedded in another component, “espui.dll”, which again carries it inside the certificate table by abusing MS13-098/CVE-2013-3900
  - But the decryption algorithm is TEA (Tiny Encryption Algorithm)

-----
## PLUGBOX: Dropbox API based backdoor
- Internally named “LoadPlgFromRemote.dll”
- Capabilities:
  - Download and execute an additional plug-in in memory
  - Run arbitrary commands

-----
## TRANSBOX vs. PLUGBOX
- Both abuse the Dropbox API to receive commands, but the codebases are totally different
  - TRANSBOX: the access token is hardcoded, encoded with a custom base64 alphabet
  - PLUGBOX: the access token is retrieved at runtime using a hardcoded refresh token

-----
## June/July 2022 case: DULLOAD, PULINK and SHELLBOX
- Observed around June/July 2022
- Targeting the academic sector in Japan
- Malware and techniques:
  - DULLOAD (generic loader name)
  - PULINK
  - SHELLBOX
  - DLL sideloading

[Figure: infection chain. An email delivers “***** Participant Invitation Letter_Prof.***.iso”; the ISO contains “***** Participant Invitation Letter_Prof.***.docx.EXE” (a renamed legitimate Word executable), which loads wwlib.dll (DULLOAD) by sideloading; DULLOAD loads Wordcnv.dll (PULINK), which opens the decoy 123.docx, drops igfxxe.exe and igfx.dll (SHELLBOX) into %appdata%\Microsoft\Intel and creates the shortcut iGfx.lnk in the Startup folder; igfxxe.exe then loads igfx.dll. SHELLBOX fetches the token-hosting server address from hxxps://github[.]com/lettermaker/topsuggestions/blob/main/README.md, gets the Dropbox token from hxxp://45[.]32[.]13[.]214/readme_v1.1.txt, then gets the encrypted assembly from Dropbox]
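The slides only state that the second MIRRORKEY variant decrypts espui.dll's payload with TEA, so the following added example (not the presentation's code and not the malware's) gives the textbook algorithm to diff a sample's routine against, plus a scan for the two constants that usually give TEA away in a binary. ECB over 8-byte blocks, little-endian words, and the key and data in the test are assumptions; the real byte order, round count and any modified constants must come from the disassembly.

```python
"""Reference TEA block cipher for checking a MIRRORKEY TEA-variant decryption routine.

Added example, not the malware's code. Textbook TEA: 128-bit key, 64-bit block,
delta 0x9E3779B9, 32 rounds. Mode (ECB), word byte order and the sample data are
assumptions made for the demonstration.
"""
from __future__ import annotations

import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF
ROUNDS = 32
FINAL_SUM = (DELTA * ROUNDS) & MASK      # 0xC6EF3720: the value the decryptor starts from


def tea_encrypt_block(v0: int, v1: int, k: tuple[int, int, int, int]) -> tuple[int, int]:
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1


def tea_decrypt_block(v0: int, v1: int, k: tuple[int, int, int, int]) -> tuple[int, int]:
    s = FINAL_SUM
    for _ in range(ROUNDS):                # undo the rounds in reverse order
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def _key_words(key: bytes, byteorder: str) -> tuple[int, int, int, int]:
    if len(key) != 16:
        raise ValueError("TEA key must be 16 bytes")
    return struct.unpack(byteorder + "4I", key)


def tea_encrypt(data: bytes, key: bytes, byteorder: str = "<") -> bytes:
    """ECB encryption of a whole buffer; byteorder is "<" or ">" for the 32-bit words."""
    if len(data) % 8:
        raise ValueError("data must be a multiple of 8 bytes")
    k = _key_words(key, byteorder)
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack_from(byteorder + "2I", data, i)
        out += struct.pack(byteorder + "2I", *tea_encrypt_block(v0, v1, k))
    return bytes(out)


def tea_decrypt(data: bytes, key: bytes, byteorder: str = "<") -> bytes:
    """ECB decryption, the operation a MIRRORKEY-style loader performs on its payload."""
    if len(data) % 8:
        raise ValueError("data must be a multiple of 8 bytes")
    k = _key_words(key, byteorder)
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack_from(byteorder + "2I", data, i)
        out += struct.pack(byteorder + "2I", *tea_decrypt_block(v0, v1, k))
    return bytes(out)


def find_tea_constants(blob: bytes) -> dict[str, list[int]]:
    """Offsets where the delta or the 32-round sum occur, little-endian (x86
    immediates) or big-endian. A quick triage signal for a TEA routine, not proof."""
    hits: dict[str, list[int]] = {}
    for name, value in (("delta", DELTA), ("sum32", FINAL_SUM)):
        for order in ("<", ">"):
            needle = struct.pack(order + "I", value)
            offsets, pos = [], blob.find(needle)
            while pos != -1:
                offsets.append(pos)
                pos = blob.find(needle, pos + 1)
            hits[name + order] = offsets
    return hits


if __name__ == "__main__":
    key = bytes(range(16))                                   # constructed key
    ct = tea_encrypt(b"MIRRORKEY-TEA-TEST-BLOCK", key)
    print(ct.hex(), tea_decrypt(ct, key))
```

When the sample's loop uses a different `DELTA`, fewer rounds, or XTEA's key-index schedule, the recovered constants from `find_tea_constants` will miss or mismatch; adjust the constants here and confirm with a known plaintext (the decrypted payload is a PE, so the first two bytes should come out as `MZ`).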
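All three cases rely on a legitimate vendor binary loading a DLL that sits beside it in a user-writable directory, and the June/July 2022 chain additionally drives Intel's GfxDownloadWrapper (renamed igfxxe.exe) with the `run <dll> 0 ...` arguments shown on the PULINK persistence slide. The following is an added hunting example, not part of the original presentation: it turns those two observations into checks run over constructed Sysmon-style process-creation and image-load records. Event field names, paths, PIDs and the records themselves are all constructed for the demonstration.

```python
"""Hunting sideloading and the GfxDownloadWrapper "run <dll>" pattern in process telemetry.

Added example, not from the original presentation. Two checks generalised from the
OFFCLN.EXE/OCLEAN.DLL, cttune.exe/DWrite.dll and igfxxe.exe/igfx.dll chains:
(1) a process whose image lives in a user-writable directory loads a DLL from that
same directory; (2) a command line shaped like the Startup shortcut target,
"<exe> run <dll> <n> ...", which hands control to an arbitrary DLL.
Field names, paths, PIDs and records are constructed.
"""
from __future__ import annotations

import re

# Directories an unprivileged user can write to; extend with ISO/removable mount points,
# which cannot be told apart from fixed drives by path alone.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\downloads\\")

# "<exe>" run "<dll>" <mode> ...   (quotes optional, case-insensitive)
RUN_DLL_RE = re.compile(
    r'^"?(?P<exe>[^"\s]+\.exe)"?\s+run\s+"?(?P<dll>[^"\s]+\.dll)"?\s+(?P<mode>\d+)', re.I)


def parent_dir(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0]


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def hunt(events: list[dict]) -> list[str]:
    """Return one finding string per suspicious event, in input order."""
    findings = []
    for ev in events:
        if ev["event"] == "ProcessCreate":
            m = RUN_DLL_RE.match(ev["command_line"])
            if m:
                findings.append(f"pid {ev['pid']}: {ev['image']} told to run DLL "
                                f"{m['dll']} (mode {m['mode']})")
        elif ev["event"] == "ImageLoad":
            dll = ev["image_loaded"]
            if (dll.lower().endswith(".dll")
                    and parent_dir(dll) == parent_dir(ev["image"])
                    and is_user_writable(ev["image"])):
                findings.append(f"pid {ev['pid']}: {ev['image']} sideloaded {dll}")
    return findings


# Constructed telemetry modelled on the June/July and June 2022 chains, plus benign noise.
INTEL = r"C:\Users\alice\AppData\Roaming\Microsoft\Intel"
NVIDIA = r"C:\Users\alice\AppData\Roaming\NVIDIA"
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "pid": 4120, "image": INTEL + r"\igfxxe.exe",
     "command_line": f'"{INTEL}\\igfxxe.exe" run {INTEL}\\igfx.dll 0 C:\\AppData\\Local\\Intel\\Games\\123'},
    {"event": "ImageLoad", "pid": 4120, "image": INTEL + r"\igfxxe.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll"},
    {"event": "ImageLoad", "pid": 4120, "image": INTEL + r"\igfxxe.exe",
     "image_loaded": INTEL + r"\igfx.dll"},
    {"event": "ProcessCreate", "pid": 5300, "image": NVIDIA + r"\cttune.exe",
     "command_line": f'"{NVIDIA}\\cttune.exe"'},
    {"event": "ImageLoad", "pid": 5300, "image": NVIDIA + r"\cttune.exe",
     "image_loaded": NVIDIA + r"\DWrite.dll"},
    {"event": "ImageLoad", "pid": 700, "image": r"C:\Program Files\Vendor\app.exe",
     "image_loaded": r"C:\Program Files\Vendor\helper.dll"},        # same dir, not user-writable
    {"event": "ProcessCreate", "pid": 800, "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL"},     # no "run" token
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

The two checks map to Sysmon event IDs 1 (process creation) and 7 (image load). The signature on GfxDownloadWrapper.exe is genuine, so allow-listing by publisher does not stop this chain; the useful signals are the user-writable path, the same-directory DLL and the `run <dll>` arguments, and in the Type 2 chain the executable's directory is an ISO mount rather than AppData, so add the mounted drive letters from your environment to the markers.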
-----
## DULLOAD: loader for PULINK
- “wwlib.dll” (DULLOAD) is a loader of “Wordcnv.dll” (PULINK), written in C++/CLR
  - It invokes the MS_word.release_file() method implemented in Wordcnv.dll (PULINK)

[Figure: MS_word.release_file() exported by Wordcnv.dll, and the DULLOAD code that invokes it]

-----
## PULINK: dropper of SHELLBOX
- Written in C#
- Decrypts the encrypted SHELLBOX (igfx.dll) and its loader (igfxxe.exe), both embedded in its resources, with AES-128-CBC using a hardcoded base key
- Drops the payloads in %APPDATA%\Microsoft\Intel

```
Key = hexstring(MD5(“sidhioos*#hfFD23b!9”))
IV = Key[8:24]
```

Note that hexstring(MD5(...)) is 32 ASCII characters, so taken literally the key material is 32 bytes; when reproducing the decryption, confirm from the sample whether it truncates the string to 16 bytes for AES-128 or actually runs with the full 32-byte key.

-----
## PULINK: persistence
- Achieves persistence by creating a shortcut in the Startup folder with the following target and parameters:

```
%appdata%\Microsoft\Intel\igfxxe.exe run %appdata%\Microsoft\Intel\igfx.dll 0 C:\AppData\Local\Intel\Games\123
```

- igfxxe.exe is Intel's legitimate application, originally named “GfxDownloadWrapper.exe”
  - It checks whether the first parameter is “run”
  - The second parameter is the path of the DLL to run (here, SHELLBOX)
  - If the third parameter is 0, it invokes the given DLL's ApplyRecommendedSettings function
  - So GfxDownloadWrapper.exe will run any DLL it is given, as long as the parameters are correct

-----
## SHELLBOX: yet another Dropbox API based stager, written in C#
- SHELLBOX obtains the Dropbox access token via two servers:
  - First it accesses the hardcoded GitHub repository to obtain the token-hosting URL
  - Then it accesses the obtained URL to receive the access token for Dropbox
- Observed locations:
  - hxxps://github[.]com/lettermaker/topsuggestions/blob/main/README.md
  - hxxp://45[.]32[.]13[.]214/readme_v1.1.txt (current location, but inaccessible)
- The URL string is downloaded from the GitHub repository in encrypted form, then decrypted with AES-128-CBC using a hardcoded base key

[Figure: the current encrypted string in the GitHub README]

-----
## SHELLBOX: payload retrieval
- Once the access token has been received, SHELLBOX downloads the encrypted .NET assembly
  and executes it with Assembly.Load
  - The encrypted payload is downloaded from Dropbox at path “d1/m1”, then decrypted and run in memory

[Figure: the Dropbox download and in-memory execution code]

-----
## Digging into the commit log more!

[Figure: screenshots of the repository's commit history]

-----
## Attribution
- We don't have strong evidence linking Earth Yako to an existing actor so far
- Based on NTT Security Japan's report, the following actors are possible candidates for Operation RestyLink:
  - Darkhotel
  - Kimsuky
  - APT29
  - TA426
- In addition to them, although with low confidence, we introduce other possible candidates
  - This should not be considered a definitive conclusion; we only suggest more possibilities

-----
## Possible candidate: APT10
- APT10 is a threat actor believed to be based in China, targeting various sectors around the world, including Japan
- MIRRORKEY's AES implementation in its payload decryption routine mostly matches the AES implementation in ChChes/RedLeaves
  - But this implementation could be a publicly available library, so it is not strong evidence

Related sample (SHA-1):

```
b1bf4111980cf3eaf33433914de10dd6f39f8602
```

-----
## Possible candidate: APT29
- APT29 is believed to be based in Russia, mainly targeting Western governments and related organizations
  - As far as we know, Japan and Taiwan have not been targets so far
- Cluster25 and Unit 42 published reports on an APT29 campaign whose TTPs (use of ISO, LNK and the Dropbox API) are quite similar to those used in this campaign
  - https://blog.cluster25.duskrise.com/2022/05/13/cozy-smuggled-into-the-box
  - https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/
  - But the codebase is totally different

-----
## Conclusion
- Research on Earth Yako is still in progress, but we believe that sharing intelligence is the fastest and most powerful way to advance our research
- We also believe that continuous attribution is important, because threat actors are no longer monolithic, static groups; they may keep changing members and tools over time
- Thank you!
-----
## IOCs

| SHA-1 | Detection |
|---|---|
| 2b6133d54caa9d9b34d5ba9385ed1e8f6c22642c | Trojan.Win32.MIRRORKEY.ZJJH |
| c1a2799d4f3e4caf62a6e9aa58ea4b8592493221 | TrojanSpy.Win32.TRANSBOX.ZJJH.enc |

Network indicators (defanged):

```
45[.]32[.]13[.]214
hxxps://github[.]com/lettermaker/topsuggestions/blob/main/README.md
```
-----