Operation Gambling Puppet Daniel Lunghi(@thehellu), Jaromir Horejsi (@JaromirHorejsi) Botconf, Nantes, France April 27th, 2022 https://twitter.com/thehellu/ https://twitter.com/jaromirhorejsi © 2022 Trend Micro Inc.2 Outline • Introduction • Infection vectors • Malware toolkits • Custom malware (PuppetLoader, oRAT) • Targets • Infrastructure • Attribution • Conclusion © 2022 Trend Micro Inc.3 Introduction • Investigation started from an Xnote sample connected to Operation DRBControl’s domain name • …found more samples, and different malware families • …noticed other platforms being targeted • …figured out some targets • …found some infection vectors • …etc etc • This talk is the result of this investigation https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia © 2022 Trend Micro Inc.4 Infection vectors © 2022 Trend Micro Inc.5 Infection vector – chat application • Website offering backdoored chat application In Chinese language mì mì (密密) means “secret” https://chinese.yabla.com/chinese-english-pinyin-dictionary.php?define=密 © 2022 Trend Micro Inc.6 Infection vector – chat application • Desktop chat application • Built with ElectronJS framework (multiplatform) • electron-main.js file references the malicious payload © 2022 Trend Micro Inc.7 Infection vector – chat application Target Chat app’s website PlugX malware visits delivers ElectronJS chat application oRAT malware Loads (if Windows OS) Loads (if Mac OS) © 2022 Trend Micro Inc.8 Infection vector – chat application • Registration page is limited to certain countries • +86: China • +1: Canada • +1: USA • +852: Hong Kong • +853: Macao • +886: Taiwan • +63: Philippines • +65: Singapore • +66: Thailand • +81: Japan • +82: South Korea © 2022 Trend Micro Inc.9 Infection vector – XSS and fake installer Target Legitimate website Fake Flash website XSS platform Malware C&C or download server visits Loads JS code & PHP script redirects falls for lure delivers connects to Threat actor Injects JS code © 2022 Trend Micro Inc.10 Infection vector – XSS and fake installer • Persistent cross-site scripting in legitimate website to load a Javascript script from a third-party server • The script does some checks and displays a message stating that the Flash player version is too old • Then it calls Xss.php script, and redirects to a website linking a malicious installer © 2022 Trend Micro Inc.11 Infection vector – XSS and fake installer • Xss.php script probably collects some statistics about the victims • Malicious installer’s website is in Chinese language © 2022 Trend Micro Inc.12 Infection vector – XSS and fake installer • Server hosting JS and PHP script also hosts a login page • “Xss平台” (Xss píng tái) means “XSS platform” • Message mentions XSS results and free online XSS platforms © 2022 Trend Micro Inc.13 Infection vector – XSS and fake installer • Two different legitimate websites exploited • A news website aimed at the Chinese community of a big US city • An unknown website (offline when we checked) © 2022 Trend Micro Inc.14 Infection vector – DMG file • Fake BitGet application (DMG file, MacOS) • Preinstall script downloads and executes malicious payload (oRAT) • BitGet is a Singapore-based cryptocurrency exchange application © 2022 Trend Micro Inc.15 Malware toolkits © 2022 Trend Micro Inc.16 Malware toolkit – Overview • Threat actor uses lot of malware families, across 3 different platforms • Windows • Linux • Mac • Some malware families were previously known, others have not been publicly reported © 2022 Trend Micro Inc.17 Malware toolkit – Windows • Known Windows malware families • PlugX • Gh0st • Cobalt Strike • Trochilus • Quasar RAT • Async RAT • DarkCrystal RAT (DC RAT) © 2022 Trend Micro Inc.18 Malware toolkit – Windows • New Windows malware families • PuppetLoader • PuppetDownloader • oRAT • MFC downloader • HelloBot (priorly not seen on Windows) © 2022 Trend Micro Inc.19 Malware toolkit – Linux • Known malware families • XNote • HelloBot • Pupy RAT • Reptile rootkit © 2022 Trend Micro Inc.20 Malware toolkit – Mac • Only malware found targeting Mac OS is oRAT • Also seen compiled for Windows platform © 2022 Trend Micro Inc.21 Malware toolkit – PuppetLoader • Custom malware (backdoor) • 5 stages • Flawed RC4 implementation © 2022 Trend Micro Inc.22 Malware toolkit – PuppetLoader Stealthy loader Dropper BasicLoader Core Client.MainConsole Loads Decrypts and loads Drops .BMP with Core .BMP with Client.MainConsole © 2022 Trend Micro Inc.23 Malware toolkit – PuppetLoader • Flawed RC4 (swap operation implementation) • Operation SWAP • implemented in 5 steps step operation 1 Tmp = S[i] + S[j] 2 S[i] = Tmp 3 Tmp = Tmp – S[j] 4 S[j] = Tmp 5 S[i] = S[i] – Tmp © 2022 Trend Micro Inc.24 Malware toolkit – PuppetLoader After step S[i] S[j] tmp 0 S[i] S[j] ??? 1 S[i] S[j] S[i]+S[j] 2 S[i]+S[j] S[j] S[i]+S[j] 3 S[i]+S[j] S[j] S[i] 4 S[i]+S[j] S[i] S[i] 5 S[j] S[i] S[i] step operation 1 Tmp = S[i] + S[j] 2 S[i] = Tmp 3 Tmp = Tmp – S[j] 4 S[j] = Tmp 5 S[i] = S[i] – Tmp © 2022 Trend Micro Inc.25 Malware toolkit – PuppetLoader • i == j; therefore S[i] and S[j] points to the same memory location After step S[i] S[j] tmp 0 S[i] = S[j] S[j] = S[i] ??? 1 S[i] = S[j] S[j] = S[i] S[i]+S[j] = 2*S[i] 2 2*S[i] 2*S[i] 2*S[i] 3 2*S[i] 2*S[i] 2*S[i]-2*S[i] = 0 4 0 0 0 5 0 0 0 step operation 1 Tmp = S[i] + S[j] 2 S[i] = Tmp 3 Tmp = Tmp – S[j] 4 S[j] = Tmp 5 S[i] = S[i] – Tmp © 2022 Trend Micro Inc.26 Malware toolkit – PuppetLoader • After each i==j RC4 internal state contains 1 more zero byte • RC4 internal state is not permutation of all 0x00-0xFF bytes anymore © 2022 Trend Micro Inc.27 Malware toolkit – PuppetLoader • 2 other malware families using the same flawed RC4 implementation • PuppetDownloader, C++ malware downloading second stage • TigerPlug, userland rootkit spreading PlugX via RDP https://twitter.com/ItsReallyNick/status/1261318098092724226 © 2022 Trend Micro Inc.28 Malware toolkit – PuppetLoader • Stage 1 – Stealthy Loader • Starts loading a legitimate DLL from Windows\System32 directory • Replace it with malicious code on the fly • Hook NTDLL’s: • NtQueryAttributesFile, NtOpenFile, NtCreateSection, NtMapViewOfSection, NtQuerySection and ZwClose • Use undocumented ntdll’s APIs – RtlPushFrame, RtlPopFrame and RtlGetFrame to avoid recursive hooking problem © 2022 Trend Micro Inc.29 Malware toolkit – PuppetLoader • ‘LDFM’ frame • Base address of malicious payload; buffer size; SizeOfImage; file name lz32.dll; file name asycfilt.dll; handle to open lz32.dll © 2022 Trend Micro Inc.30 Malware toolkit – PuppetLoader • LdrLoadDll asycfilt.dll • NtOpenFile: if asycfilt.dll is being open, then replace it with lz32.dll • NtCreateSection: if FileHandle matches to previously opened lz32.dll, then fix section’s MaximumSize to correspond the size of the malicious payload • NtMapViewOfSection: fix pViewSize to be the same as new SizeOfImage; copy malicious payload • NtQuerySection: compute the difference between loaded and preferred ImageBase; if not equal return STATUS_IMAGE_NOT_AT_BASE • LdrLoadDll rebases malicious payload, load all dependencies © 2022 Trend Micro Inc.31 Malware toolkit – PuppetLoader • Effects of stealthy loader on PEB_LDR_DATA and Process Monitor outputs © 2022 Trend Micro Inc.32 Malware toolkit – PuppetLoader • Stage 2 – dropper • Drops: • CPuppetProcessFileSharer • Config.ini • .DLL file, BasicLoader • .BMP file with encrypted Core • .BMP file with encrypted Client.MainConsole • Starts: BasicLoader © 2022 Trend Micro Inc.33 Malware toolkit – PuppetLoader • Stage 3 – BasicLoader • Search directories in Users\\Public (Desktop, Documents, Downloads, Music, Pictures, Videos) for .BMP files • Tiny BMP file (33x11 pixels) with overlay • Overlay encrypted wit the same flawed RC4 algorithm • RC4 password is hardcoded within overlay data • Both module name and module content are encrypted and stored in the overlay © 2022 Trend Micro Inc.34 Malware toolkit – PuppetLoader • Stage 4 – Core • Start system logger thread (RC4 encrypted, same algorithm) • Handle command line arguments Cmdline argument explanation -DisplayName -InokeMethodParam -InvokeMethodName -NoModuleLoadDLL Stealthy loader (like stage 1) -LoadShellcode Load binary blob © 2022 Trend Micro Inc.35 Malware toolkit – PuppetLoader • Stage 5 – Client.MainConsole • Interactive shell, Upload, Download, List files, Terminate process, List processes, Install module, Login callback, Enumerate RDP sessions • C&C communication, UDP with 16-byte RC4 encryption © 2022 Trend Micro Inc.36 Malware toolkit – oRAT • Multiplatform (Win, Mac) RAT written in Golang • AES-GCM encrypted configuration in overlay • Features: • Gateway (traffic forwarder) • Communication (tcp, stcp, sudp) • Runs local server, registers ‘routes’ • Attacker directly connects to the infected machine and executes commands via GET/POST requests © 2022 Trend Micro Inc.37 Malware toolkit – oRAT • Registered routes GET /agent/info GET /agent/ping POST /agent/upload GET /agent/download GET /agent/screenshot GET /agent/zip GET /agent/unzip GET /agent/kill-self GET /agent/portscan GET /agent/proxy GET /agent/ssh GET /agent/net https://gobyexample.com/http-servers © 2022 Trend Micro Inc.38 Malware toolkit – Xnote/HelloBot • Malware families reported in 2015 and 2018 • Not known to be used for espionage • Typical RAT features • Both families embed a XOR-encrypted configuration file • Contain campaign identifiers/notes • Some of them related to gambling • Contain Chinese comments (HelloBot) https://vms.drweb.com/virus/?i=4372602 https://imgur.com/a/lAQ1tMQ © 2022 Trend Micro Inc.39 Malware toolkit – Xnote/HelloBot • Command seen in multiple HelloBot configurations: cmd0=“fuser -k /tmp/.wq4sMLArXw” • Such command is run periodically by the malware’s monitoring process, and it kills every process accessing “/tmp/.wq4sMLArXw” file • “/tmp/.wq4sMLArXw” is a file created by Xnote malware to check if the system is already infected • Thus, HelloBot kills running Xnote instances © 2022 Trend Micro Inc.40 Targets © 2022 Trend Micro Inc.41 Targets • We used 3 sources to find targets • Our telemetry • Decrypted malware configurations • Keylogs found in the wild © 2022 Trend Micro Inc.42 Targets – Telemetry • 15 downloads of fake Flash downloader, all from China • 5 redirects from a legitimate news website, all from US • 3 redirects from an unknown website, 2 from HK, one from MY • 1 PlugX DLL detected in TW 15 5 2 1 1 1 2 3 4 5 © 2022 Trend Micro Inc.43 Targets – Keylogs • We found multiple keylog files of victims compromised by this threat actor • 2 Chinese gambling websites • 1 Malaysian hosting provider © 2022 Trend Micro Inc.44 Targets – Configuration files • Configuration files of Xnote/HelloBot contained some words that might refer to the targets • yabo -> gambling/betting website • W88 -> gambling/betting website • gamebox -> Shanghai-based gaming company • caipiao -> “lottery ticket” • CG -> a kind of lottery • jinbo -> 进宝 -> “Bring in wealth and treasure” • yeji -> “business success” http://www.kaijingmoud.com/rules.html © 2022 Trend Micro Inc.45 Targets • Targets are mainly in China, but also in Southeast Asian countries, and US • Main targeted industry is gambling • But also • 1 company in education • 2 companies in IT services • 1 company in electronics manufacturing © 2022 Trend Micro Inc.46 Infrastructure © 2022 Trend Micro Inc.47 Infrastructure • Big infrastructure • ~50 C&C • More than 150 related subdomains • 12 different RAT families -> 12 different backend • Many of the domain names use CloudFlare • Sometimes multiple subdomains of a root domain are linked to different malware families © 2022 Trend Micro Inc.48 Infrastructure github.wiki darwin.github.wiki bos.github.wiki dust.github.wiki Copy of docs.github.com d.github.wiki oRAT HelloBot Pupy ***.github.wiki Malware panel C&C C&C hosts hosts C&C displays displays © 2022 Trend Micro Inc.49 Infrastructure • Some domain names have a meaning in Chinese language • daj8.me • “daj8” (“大鸡巴”) means “big dick” • wocaonima.daj8.me • “wocaonima” (“我肏你媽”) means “I f*ck your mother” • shabi.daj8.me • “shabi” (“傻屄”) means “asshole” • Is the threat actor trying to pass a message ? © 2022 Trend Micro Inc.50 Attribution © 2022 Trend Micro Inc.51 Attribution • Threat actor speaks Chinese language • XSS platform offered in a Chinese forum, panel written in Chinese • Malware panel in Chinese • HelloBot decrypted configuration files contain comments in Chinese • Fake websites and chat application written in Chinese • PlugX and gh0st malwares known to originate from China 快递到家总控: “home delivery master controller” © 2022 Trend Micro Inc.52 Attribution – links to known groups C&C domain shopingchina.net Operation DRBControl HyperBro Iron Tiger XNote ChinaZ Operation PZChao Signing certificate from Gravity Winnti (CASPER/LEAD) Domain name (passive DNS) Connecting the dots WINNTI GROUP: Insights From the Past © 2022 Trend Micro Inc.53 Conclusion © 2022 Trend Micro Inc.54 Conclusion • Advanced threat actor with big infrastructure and development capabilities • Large toolkit of malware families working on multiple platforms • Targets mostly, but not limited to, gambling industry in Southeast Asia • Links to some known Chinese threat actors • Gambling is regulated in China © 2022 Trend Micro Inc.55 References • Blogpost on this threat actor https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html Threats detected and blocked globally by Trend Micro in 2018. Created with real data by artist Daniel Beauchamp.