----- # ASEC REPORT #### VOL.98 [Q1 2020] ###### ASEC (AhnLab Security Emergency-response Center) is a global security response group consisting of malware analysts and security experts. This report is published by ASEC and focuses on the most significant security threats and latest security technologies to guard against such threats. For further details, please visit AhnLab, Inc.’s homepage (www.ahnlab.com). Operation Ghost Union Analysis Report Table of Contents ###### Mastermind Behind Operation Ghost Union 1. Operation Ghost Union Overview 2. Malware Analysis and Profiling 3. Conclusion 4. Indicators of Compromise (IoC) ###### 03 04 06 31 32 ----- ###### Operation Ghost Union Analysis Report ### Mastermind Behind Operation Ghost Union ###### Kimsuky is one of the most notorious threat groups that have been actively attacking key organizations in the APAC region. Ever since its discovery in 2013, Kimsuky has been continuously performing malicious activities for data theft. Having started its cyberattack against military-related groups, Kimsuky has now expanded its target to organizations across various fields, including politics, economy, and even society. AhnLab has been analyzing cyberattack cases led by the Kimsuky group for the past several years. ASEC (AhnLab Security Emergency response Center) analysts have noticed that Kimsuky group has used Andariel group’s malware to distribute additional malware during the attack against South Korea in late 2019. Thus Kimsuky started using malware developed by other threat groups on top of developing its malware similar to the ones used in the previous attacks. In accordance to the change AhnLab has named the attack Operation Ghost Union. This analysis report will cover the profiling and analysis results on the malware used by Kimsuky during Operation Ghost Union in addition to examining the relationship between Kimsuky and the other threat groups. ----- ##### Operation Ghost Union Overview ## 1 ###### Let us first go over the attack stages of Operation Ghost Union conducted by Kimsuky. The attack stage begins with Kimsuky group sending an email with a malicious Macro attachment as part of the spearphishing campaign. Then for each attack stage, Kimsuky group modularized the malware in the form of a backdoor, system info-stealer, keylogger, UAC bypass, and RDP (Remote Desktop Protocol). The focal point of Operation Ghost Union is that Kimsuky utilized malware of other hacker groups to distribute its malware. Once the system was compromised, Kimsuky would collect and send sensitive data, such as system information and keylogging data, to the C&C server. Based on the analysis of the malware, the entire process tree of Operation Ghost Union can be summarized as shown in Figure 1. Figure 1 | Operation Ghost Union process tree ----- ###### Although the initial malicious excel file from Stage 1 could not be acquired, the creation of Andariel malware in Stage 2, following the execution of the malicious excel file, was confirmed by the evidence left in the compromised PC. Table 1 shows details of Andariel malware. Time Process Name Behavior Information Details 2019.12.05 10:34 excel.exe Creates executable file sen.a (Stage 2. Andariel) Table 1 | Details of excel.exe |Time|Process Name|Behavior Information|Details| |---|---|---|---| |2019.12.05 10:34|excel.exe|Creates executable file|sen.a (Stage 2. Andariel)| ----- ##### Malware Analysis and Profiling ## 2 ###### Now let us deep dive into the detailed analysis and profiling of the key malware used in the Operation Ghost Union attack. 2-1. sen.a / m1.a Malware 1) sen.a, m1.a Analysis From the analysis of sen.a, key features, such as C&C server communication and backdoor, were found in the Query(). Since sen.a is a DLL, it is executed by the following method using Rundll32.exe. [+] sen.a Run Example: Rundll32.exe sen.a, Query() C&C server of sen.a is navor-net.hol.es(185.224.138.29, NE) and is encrypted. During the dynamic analysis, as shown in Figure 2, sen.a was found regularly communicating with the C&C server. Also, the first command that sen.a received from the C&C server was also discovered. Although 1.png, mentioned in Figure 2, is recognized as an image file, it is actually a php file, which sends commands to the target PC and receives results. Figure 2 | Communication between sen.a and C&C server ----- ###### During the dynamic analysis, the first command received from the C&C server was encrypted to have been saved in the memory area. Following the first decryption (BASE64), it performs the second decryption to download and execute an additional malware. sen.a also performs features, such as sending data collected from the target PC. Figure 3 | Commands received from the C&C server and decryption results (details skipped) ###### sen.a also executes commands, as shown in Table 2. Command Details If time info received from C&C server < __time(): WakeTime incorrect! encrypts and sends to C&C server WAKE If time info received from C&C server > __time(): encrypts ‘i am Sleeping byebye!’ and sends to C&C server INTE Sets interval with time info received from C&C server "Set ---- interval %d OK\r\n" DOWNLOAD Calls HttpSendRequestExA() to download a specific file Saves the code below to “de325.bat” file, then calls ShellExecuteA() to run DELFILE "@echo off",LF,"reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run /v ""Windows Update"" /f",LF,":Repeat",LF,"del ",LF,"if exist """" goto Repeat",LF,"del %0" UPLOAD Calls HttpSendRequestExA() to send a specific file EXECMD Calls ShellExecuteA() to run a console application EXECPROG Calls ShellExecuteA() to run a specific program Table 2 | Command of sen.a |Command|Details| |---|---| |WAKE|If time info received from C&C server < __time(): WakeTime incorrect! encrypts and sends to C&C server If time info received from C&C server > __time(): encrypts ‘i am Sleeping byebye!’ and sends to C&C server| |INTE|Sets interval with time info received from C&C server "Set ---- interval %d OK\r\n"| |DOWNLOAD|Calls HttpSendRequestExA() to download a specific file| |DELFILE|Saves the code below to “de325.bat” file, then calls ShellExecuteA() to run "@echo off",LF,"reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run /v ""Windows Update"" /f",LF,":Repeat",LF,"del ",LF,"if exist """" goto Repeat",LF,"del %0"| |UPLOAD|Calls HttpSendRequestExA() to send a specific file| |EXECMD|Calls ShellExecuteA() to run a console application| |EXECPROG|Calls ShellExecuteA() to run a specific program| ----- ###### As shown in Figure 4, m1.a that sen.a downloads and runs only contains one feature, which records the list of all the folders and files on the target PC (excluding Windows and its subfolders) into tmp1.enc. Figure 4 | m1.a collecting a list of folders and files ###### After m1.a collects a list of folders and files, it saves them to tmp1.enc, as shown in Figure 4. sen.a then executes UPLOAD command, as shown in Figure 5, sending tmp1.enc to the C&C server. Figure 5 | Example of command execution: UPLOAD ###### It can be assumed that sen.a sends a list of folders and files collected from the target PC, analyzing the list of folders and files to determine if the PC is the actual target PC or a PC in an analysis environment. It then distributes the malware if the PC is recognized as the target PC. ----- ###### This process minimizes exposure and increases the success rate of hacking. Figure 6 is a diagram indicating the relationship between sen.a and the additional malware. As you can see, sen.a downloads and executes the malware or open-source hacking tools of Andariel and Kimsuky on the target PC. Figure 6 | Derivative relationship between sen.a and the additional malware ###### As shown in Figure 6, malware from both Andariel and Kimsuky were used together, but this fact alone is not enough to conclude that the two groups are related or have led this attack in joint forces. Instead, a conclusion was made that Kimsuky modified and used Andariel’s malware. The reasoning behind this conclusion will be explained in the following malware profiling results. 2) sen.a Profiling As shown in Figure 7, the left shows the malware developed by Andariel, and the right indicates the code used by sen.a. The two malware share surprising resemblance. ----- ###### And as shown in Figure 8, an identical string was found in both malware. Figure 8 | Malware strings used by Andariel (Left) vs. Kimsuky (Right) ###### As Figure 8 indicates, there is a boundary string of HTTP header that is configured by two malware to communicate with the C&C server via HTTP. And as shown in Figure 9, ‘fiveevif’ was used as a separator that defines the end of command during communication with the C&C server. ----- ###### With the comparison analysis results on the malware in Figure 7 and Figure 8, one may conclude that sen.a is a malware developed by Andariel, and related evidences are further explained on ‘2-2. Installer.exe Analysis and Profiling.’ But according to the analysis result, it was confirmed that sen.a is not a malware developed by Andariel, but instead developed by Kimsuky. There are two reasons. The first reason is that the Kimsuky group has used the C&C server (navor-net.hol.es, 185.224.138.29, NE) of sen.a in their most recent distribution of malware, C&C server operation, and phishing activities. The URL mapped based on the IP (185.224.138.29, NE) was confirmed to have been used by Kimsuky, and the existence of various URLs with similar patterns were also discovered. Figure 10 lists a few examples of the URLs. Figure 10 | Info of URLs mapped to the C&C server ----- ###### The second reason is m1.a, which sen.a downloaded and executed in Stage 2. The code comparison analysis confirmed that Kimsuky group had developed the malware. 3) m1.a Profiling list.dll, on the left of Figure 11, is a malware that Kimsuky used during Operation Kabar Cobra, the attack against the Ministry of Unification correspondents in January 2019. In comparison with the m1.a on the right, which sen.a downloaded and executed for the attack, the two malware were found to have many similarities. Figure 11 | Comparison collected codes via folder and file lists ###### For a detailed analysis of Operation Kabar Cobra, refer to the link below. [+] Operation Kabar Cobra [https://global.ahnlab.com/global/upload/download/techreport/[Analysis_Report]Operation%20Kabar%20Cobra%20(1).pdf](https://global.ahnlab.com/global/upload/download/techreport/[Analysis_Report]Operation%20Kabar%20Cobra%20(1).pdf) ----- ###### 2-2. Installer.exe / wstmmgr.dll Malware 1) Installer.exe Analysis and Profiling Installer.exe is a dropper that creates wstmmgr.dll, which carries out the same features as sen.a. The pattern (S^) and the decryption code, which was created by Andariel in the past, indicated the existence of malware within the strings of Installer.exe, as shown in Figure 12. Figure 12 | Comparison of pattern (S^) and decryption code ###### McafeeUpdate.exe was not included in Figure 6 due to an unclear derivative relationship, but it is identical to Installer.exe, and they both create wstmmgr.dll file. When NT_HEADER of both files is compared, as shown in Figure 14, all field values were identical except for Checksum and Certificate Table. Also, further comparison between the hash values for the two files confirmed that the files were identical. However, one difference is that McafeeUpdate.exe is signed with a currently valid certificate (Organization: Name NJRSA Limite). It was through this certificate that the connection with ----- ###### Kimsuky was discovered. Figure 14 | Comparison of NT_HEADER field values ###### Table 3 shows a list of malware that was signed with the identical certificate (Serial Number). All the field values are similar except for timestamp value, which does not exist in certain malware. Table 3 | Malware signed with the identical certificate ###### Among the retrieved malware, five were signed with the identical certificate. Because there are no reported cases of the certificates being used in other malware, such as ransomware, it ----- ###### is highly possible that Kimsuky uses the certificates exclusively. 2) wstmmgr.dll Analysis and Profiling Wstmmgr.dll, which Installer.exe created and executed, performs the same feature as sen.a. The only difference they have is their function structure. sen.a is structured to call Query() from ServiceMain(), but wstmmgr.dll has Query() integrated with ServiceMain(), as shown in Figure 13 and Figure 14. Figure 13 | 1st Comparison of function structure ----- ###### 2-3. winsec.dat / Winprim.dat Malware 1) winsec.dat Analysis According to the analysis, the method in which winsec.dat is executed is identical to that of sen.a. There are four functions in winsec.dat, and features of each function, as shown in Table 4. Function Name Details RealProc Checks OS, downloads 64-bit malware (winsec64), adds registry value (winsec), injects explorer.exe DllRegisterServer None DllInstall Calls RealProc() DllEntryPoint Injects explorer.exe, communicates with C&C server, downloads and loads Winprim.dat Table 4 | Features for each function of winsec.dat ###### It can be assumed that RealProc() and DllEntryPoint() functions from Table 4 are used when winsec.dat is executed, and DllInstall() is called when sen.a receives command from the C&C server, then downloads and executes winsec.dat. When RealProc() function is executed for the first time, it identifies the OS of the target PC to determine what to infect. If the OS of the PC is 64-bit, it additionally downloads and executes winsec64 for 64-bit, as shown in Figure 15. Figure 15 | Malware execution feature of RealProc |Function Name|Details| |---|---| |RealProc|Checks OS, downloads 64-bit malware (winsec64), adds registry value (winsec), injects explorer.exe| |DllRegisterServer|None| |DllInstall|Calls RealProc()| |DllEntryPoint|Injects explorer.exe, communicates with C&C server, downloads and loads Winprim.dat| ----- ###### Since winsec64 downloaded in 64-bit OS is encrypted, decryption code is used to decrypt winsec64 into an executable DLL, as shown in Figure 16. And as shown in Figure 15, the decrypted DLL runs with the method of calling RealProc() along with rundll32.exe. Kimsuky had developed the decryption code, which has been used for the past several years. Details regarding this are included in ‘3) winsec.dat / Winprim.dat profiling.’ Figure 16 | winsec64 Decryption process ###### winsec.dat, which has been injected to explorer.exe through the RealProc() call, communicates with the C&C server to send and execute additional files, and send time info. As mentioned previously, winsec.dat sends time info before communicating with the C&C server. The time info indicates the time created from related function produced before winsec.dat communicates with the C&C server. Figure 17 | Time-related function call and mix ----- ###### Time info created through Figure 17 is saved in [Mac address of target PC]_log.txt, and is sent to the C&C server, as shown in Figure 18. Figure 18 | Info of time sent to the C&C server ###### Once the processes, shown in Figure 17 and Figure 18, are completed, cmd.txt, which is assumed to contain the encrypted command, is downloaded from the C&C server and decrypted. Even though the C&C server communication was monitored at the time of analysis, the download of cmd.txt failed. Note that the file path of GET request to download cmd.txt shown in Figure 19 includes the Mac address of the target PC. It can be assumed that this is to ensure that the command is sent precisely to the range between winsec.dat and C&C server, and the target PC. This means that Kimsuky sends cmd.txt to its desired target, a target PC Kimsuky aims to hack. Figure 19 | cmd.txt Download attempt ###### Adding the Mac address of the target PC in the file path of the GET request is a method Kimsuky has been continuously using in the malware developed by Kimsuky. ----- ###### As shown in the left of Figure 20, the decrypted command is divided by a separator (|), and the right shows a code which winsec.dat conducts command comparison and matching features. This code downloads additional file (winsec.dat or Winprim.dat), deletes registry value (winsec), and executes the downloaded file. Figure 20 | Extraction, comparison, and execution of commands by winsec.dat ###### 2) Winprim.dat Analysis The file structure of Winprim.dat is strikingly similar to that of winsec.dat. Upon analyzing strings of the two malware shown in Figure 21, it was confirmed that while many identical strings exist in both malware, Winprim.dat has more features. It is assumed that when Kimsuky implements certain features while developing the malware, the group modifies and reuses the existing source to create features that fit the purpose of the malware. Figure 21 | String comparison ----- ###### There are three functions in Winprim.dat, which winsec.dat loads, and features of each function are listed in Table 5. According to the analysis of each function, Winprim.dat did not show much difference to private32.db, which Kimsuky used in Operation Kabar Cobra. The difference was found in the structure of codes due to code reuse and modification. Function Name Details RealProc Loads DLL & acquires function address, and injects to explorer.exe RealProc2 Collects file list for specific filename extension (hwp, doc, xls, txt, pdf) Captures screen, keylogs, and collects file list for specific filename extension (hwp, doc, xls, txt, pdf) DllEntryPoint Communicates with C&C server (downloads log.txt and cmd.txt, and sends collected info) Table 5 | Features of Winprim.dat functions ###### Winprim.dat, like winsec.dat, used method of including the Mac address of the target PC in the file path of GET request upon communication with the C&C server. However, the downloading of log.txt and cmd.txt, which is estimated to have saved the command during analysis, failed Figure 22 | Winprim.dat attempting to download command ###### 3) winsec.dat / Winprim.dat Profiling Upon the analysis of winsec.dat and Winprim.dat, many identical or similar features were discovered between the two malware developed by Kimsuky. As an example, Figure 23 shows the order of functions called to confirm if the process is explorer.exe, and to prevent duplicate execution despite different string of Mutex. From this analysis, we were able to find out that the structure of winsec.dat and Winprim.dat are identical. |Function Name|Details| |---|---| |RealProc|Loads DLL & acquires function address, and injects to explorer.exe| |RealProc2|Collects file list for specific filename extension (hwp, doc, xls, txt, pdf)| |DllEntryPoint|Captures screen, keylogs, and collects file list for specific filename extension (hwp, doc, xls, txt, pdf) Communicates with C&C server (downloads log.txt and cmd.txt, and sends collected info)| ----- ###### Furthermore, all three malware used identical code and key to encrypt/decrypt data. The HEX value inside the red box of Figure 24 is the encryption/decryption key. Figure 24 | Comparison of encryption/decryption code ###### As mentioned previously, it was confirmed that Winprim.dat used the same code for collecting folder and file lists from the target PC as private32.db, a malware developed by Kimsuky that was used in Operation Kabar Cobra. Figure 25 shows the comparison of the collected code between the folder and the file lists. ----- ###### C&C server of Winprim.dat and winsec.dat (happy-new-year.esy.es, 177.234.145.204, BR), along with the C&C server of sen.a, has been used by Kimsuky until present. It was confirmed that inside the URL mapped with IP as the base, various URLs of pattern similar or identical to the ones Kimsuky used were found, as listed in Figure 26. ----- ###### According to the information acquired through profiling, it can be assumed that winsec.dat and Winprim.dat are also malware developed by Kimsuky. Additionally, time.a, which was not included in Figure 6 due to derivative relationship being unclear, was found to be a malware developed by Kimsuky following the profiling. 2-4. time.a Malware 1). time.a Analysis As shown in Figure 27, time.a is a malware that steals URL, ID, PW, and other information that are saved in cookie and cache of Google Chrome browser. The stolen cookie info are saved in %ProgramData%\ntcookie, and cache info are saved in %ProgramData%\ntpwd in plaintext. Since time.a does not have a feature that allows communication with the C&C server, it can be assumed that stolen information is sent to the C&C server by another malware. Figure 27 | Info-stealer code for Chrome cookie and cache ###### Figure 28 is the cookie and cache info saved in a file. Figure 28 | Cookie and cache info saved in the file ----- ###### 2) time.a Profiling From the analysis on time.a and the variants, it was found that Query() function exist in all of the malware. An additional feature was discovered in the variant active since July 2019, which steals user account info saved in Chrome Cache. Table 6 is a comparison of features between time.a and variants. The three variants found in June 2019 possess features that allow sending of stolen cookie info to the C&C server, but the variant active since July 2019 does not have feature that allows malware to communicate with the C&C server. Based on this information, it can be assumed that another malware sends the Chrome cookie info and user account info to the C&C server. Detected Date File Name Function Name Main Function C&C Server Query Steals cookie info 2019.06 fxGpdu000.dat date0707.cafe24.com / date0707 / z1t5s5s7z PCheck Steals process info 2019.06 GooChk0000.dat Query Steals cookie info ondol.inodea.co.kr / ondol / od1213 2019.06 GooChk0.dat Query Steals cookie info ondol.inodea.co.kr / ondol / od1213 Steals cookie info 2019.07 Ntdlll.dll Query Steals cache info Steals cookie info 2019.12 time.a Query Steals cache info Table 6 | Comparison of features between time.a and variants |Detected Date|File Name|Function Name|Main Function|C&C Server| |---|---|---|---|---| |2019.06|fxGpdu000.dat|Query|Steals cookie info|date0707.cafe24.com / date0707 / z1t5s5s7z| |||PCheck|Steals process info|| |2019.06|GooChk0000.dat|Query|Steals cookie info|ondol.inodea.co.kr / ondol / od1213| |2019.06|GooChk0.dat|Query|Steals cookie info|ondol.inodea.co.kr / ondol / od1213| |2019.07|Ntdlll.dll|Query|Steals cookie info Steals cache info|-| |2019.12|time.a|Query|Steals cookie info Steals cache info|-| ###### The variant found in June 2019 saves Chrome cookie and other process info stolen from the target PC into a file, compresses and encrypts the file that contains stolen info before sending it to the C&C server. Afterward, the variant decrypts the encrypted C&C server info seen in Figure 30, sends the stolen info to the C&C server running on FTP, and deletes the stolen info. ----- Figure 30 | Info collection of fxGpdu000.dat, C&C server decryption, and sending the stolen info ###### The decryption code of fxGpdu000.dat shown in Figure 30 is identical to the C&C server decryption code of the malware, which Kimsuky used in their hack attempt, targeting South Korean government agency, on July 2019. Figure 31 shows a comparison of the decryption code. Figure 31 | Comparison of decryption code ###### The analysis on the code of the malware that steals cookie info, as shown in Table 6, revealed that the code structure and the called function were identical. However, as shown in Figure 32, the calling order of the function and the filename of stolen cookie info are different. ----- ###### 2-5. aka32.exe Malware To make sure the malware runs smoothly, Kimsuky downloaded an open-source UAC (User Account Control) bypass tool called aka32.exe to the target PC through sen.a. aka32.exe contains UAC bypass techniques, but since the success rate of UAC bypass technique changes depending on the build version of the operating system of the target PC, bypass method the attacker used remains unknown. Figure 33 shows the build version of the operating system and UAC option message. Figure 33 | Build version of the operating system and UAC option message ###### If the UAC bypass is a success, as shown in Figure 34, aka32.exe has a code that executes Installer.exe, which sen.a downloads by calling ShellExecuteA(). ----- ###### 2-6. v3rupdate.exe / v3rdupdate.exe Malware 1) v3rupdate.exe, v3rdupdate.exe Analysis According to the analysis on v3rupdate.exe and v3rdupdate.exe, encrypted RDP Wrapper exists on both malware. Also, it was found to have decrypted the executable using Figure 35. Figure 35 | Encrypted RDP Wrapper decryption code ###### Decrypted RDP Wrapper is injected into the memory of cmd.exe and is then promptly executed, which indicates that RDP Wrapper may be classified as a fileless malware. By activating the RDP service of the target PC without notifying the user, RDP Wrapper creates an environment which allows external sources to access the target PC. v3rdupdate.exe runs decrypted RDP Wrapper through -i –o option, and v3rupdate.exe runs decrypted RDP Wrapper through -w option. Figure 36 shows the code used for cmd.exe injection. ----- ###### 2) v3rupdate.exe, v3rdupdate.exe Profiling The two malware that activates RDP service in the target PC has the same PDB info, and through profiling, similar parts were also found in PDB of m1.a, which Kimsuky developed. Upon comparing PDB info of the three malware in Table 7, “E:\Dev\Rat\0_Troj\0_Ver” were found to have been included in all of them. According to this information, it can be assumed that the three malware was developed by the same sources. Thus, it can be concluded that Kimsuky had developed m1.a, along with v3rupdate.exe and v3rdupdate.exe. File Name MD5 PDB Info v3rupdate.exe 4d6832ddf9e5ca4ee90f72a4a7598e9f E:\Dev\Rat\0_Troj\0_Ver2\6_PE-Crypt\pecrypter\Release\pecrypter.pdb v3rdupdate.exe 44bc819f40cdb29be74901e2a6c77a0c E:\Dev\Rat\0_Troj\0_Ver2\6_PE-Crypt\pecrypter\Release\pecrypter.pdb m1.a 367d053efd3eaeefff3e7eb699da78fd E:\Dev\Rat\0_Troj\0_Ver3\Casper.dll\Release\AllFileList.pdb Table 7 | PDB Info comparison ###### 2-7. tlink.exe / cygwin1.dll Malware Kimsuky downloaded the open source-based relay tool named TCP Gender Changer to the target PC. It can be assumed that the tool was used to attempt a connection with other internal PC through the target PC. |File Name|MD5|PDB Info| |---|---|---| ----- ###### 2-8. Malware Header Analysis Features indicating the fabrication of the malware timestamps used during this attack have been discovered. Table 8 contains timestamps information of the malware. File Name Timestamp Time of Creation Threat Group sen.a 2013.01.01 00:28:28 2019.12.05 10:23:03 Andariel Installer.exe 2013.01.01 00:07:08 2019.12.05 16:49:09 Andariel wstmmgr.dll 2013.01.01 00:04:11 2019.12.10 17:55:01 Andariel m1.a 2013.01.01 00:01:18 2019.12.05 10:23:09 Kimsuky winsec.dat 2019.12.05 09:53:25 2019.12.05 11:18:47 Kimsuky Winprim.dat 2019.12.05 09:54:05 2019.12.05 16:24:53 Kimsuky v3rdupdate.exe 2013.01.01 01:21:59 2019.12.17 08:12:49 Kimsuky v3rupdate.exe 2013.01.01 01:28:37 2019.12.17 09:46:48 Kimsuky aka32.exe 2013.01.01 00:29:33 2019.12.05 16:49:08 Kimsuky time.a 2013.01.01 00:39:33 2019.12.05 11:48:54 Kimsuky Table 8 | Timestamp info of malware |File Name|Timestamp|Time of Creation|Threat Group| |---|---|---|---| |sen.a|2013.01.01 00:28:28|2019.12.05 10:23:03|Andariel| |Installer.exe|2013.01.01 00:07:08|2019.12.05 16:49:09|Andariel| |wstmmgr.dll|2013.01.01 00:04:11|2019.12.10 17:55:01|Andariel| |m1.a|2013.01.01 00:01:18|2019.12.05 10:23:09|Kimsuky| |winsec.dat|2019.12.05 09:53:25|2019.12.05 11:18:47|Kimsuky| |Winprim.dat|2019.12.05 09:54:05|2019.12.05 16:24:53|Kimsuky| |v3rdupdate.exe|2013.01.01 01:21:59|2019.12.17 08:12:49|Kimsuky| |v3rupdate.exe|2013.01.01 01:28:37|2019.12.17 09:46:48|Kimsuky| |aka32.exe|2013.01.01 00:29:33|2019.12.05 16:49:08|Kimsuky| |time.a|2013.01.01 00:39:33|2019.12.05 11:48:54|Kimsuky| ###### The point of interest is that while timestamps of other malware excluding winsed.dat and Winprim.dat are concentrated between 00:00 - 01:00 of January 1, 2013, as shown in Table 8, the actual time of malware creation on the target PC is concentrated on December, 2019. Additional features that indicate that the timestamp has been fabricated exist in aka32.exe. Upon connecting to the official website of aka32.exe (https://github.com/hfiref0x/UACME), ----- ###### one can find that the project started in 2014. Figure 38 | Official website of aka32.exe (https://github.com/hfiref0x/UACME) ###### The timestamp of aka32.exe, which was used for the Operation Ghost Union attack, goes further back than 2014, the confirmed date of the project commencement. According to this analysis, one can assume that the timestamp of aka32.exe was fabricated, and seeing how the timestamp of numerous malware also show a similar timeline to that of aka32.exe, it can be assumed that all the other timestamps were also fabricated. Furthermore, upon analysis of the rich header of malware included in Table, it was confirmed that the same compiler was used to develop each malware. However, as rich header is prone to fabrication, this data was used as a reference rather than the main indicator. Table 9 contains information regarding the md5 and the compiler of malware. |File Name|MD5|Compiler Information| |---|---|---| |aka32.exe|f2d2b7cba74421a490be78fa8cf7111d|Visual C++ 11.0 2012 (build 50727)| |v3rupdate.exe|4d6832ddf9e5ca4ee90f72a4a7598e9f|Visual C++ 11.0 2012 (build 50727)| |Winprim.dat|6dbc4dcd05a16d5c5bd431538969d3b8|Visual C++ 11.0 2012 (build 50727)| |winsec.dat|7b0c06c96caadbf6976aa1c97be1721c|Visual C++ 11.0 2012 (build 50727)| |wstmmgr.dll|7fd2e2e3c88675d877190abaa3002b55|Visual C++ 11.0 2012 (build 50727)| |sen.a|30bd4c48ccf59f419d489e71acd6bfca|Visual C++ 11.0 2012 (build 50727)| |v3rdupdate.exe|44bc819f40cdb29be74901e2a6c77a0c|Visual C++ 11.0 2012 (build 50727)| |m1.a|367d053efd3eaeefff3e7eb699da78fd|Visual C++ 11.0 2012 (build 50727)| |time.a|6671764638290bcb4aedd6c2e1ec1f45|Visual C++ 11.0 2012 (build 50727)| |Installer.exe|ac6f0f14c66043e5cfbc636ddec2d62c|Visual C++ 11.0 2012 (build 50727)| Table 9 | Compiler info of malware ----- ##### Conclusion ## 3 ###### After much research and analysis on relevant malware, Kimsuky group was found solely responsible for Operation Ghost Union. As for Andariel malware, it can be assumed that Kimsuky used the malware to bypass detection. The relationship between the two threat groups and the mastermind behind the operation was revealed by an analysis conducted on both malware simultaneously. Operation Ghost Union will be recorded as an example that reminds the industry that while detailed analysis on the malware is essential, deep profiling of all relevant information is equally important. Since profiling is a process of zeroing in from various factors, a conclusion must not be made hastily based on only a fragmentation of the information gathered. As seen from Operation Ghost Union, digital resources are easily mimicked. Thereby a considerable amount of time and effort must be put in sharing, merging, and linking information to determine the threat group. ----- ##### Indicators of Compromise (IoC) ## 4 ###### 4-1. MD5 [+] Main Sample |No.|MD5|V3 Alias|V3 Version| |---|---|---|---| |1|6dbc4dcd05a16d5c5bd431538969d3b8|Backdoor/Win32.Akdoor|2019.12.23.04| |2|7b0c06c96caadbf6976aa1c97be1721c|Backdoor/Win32.Akdoor|2019.12.23.04| |3|e00afffd48c789ea1b13a791476533b1|Dropper/Win32.Akdoor|2019.12.23.04| |4|f2d2b7cba74421a490be78fa8cf7111d|Trojan/Win32.BypassUAC|2019.12.23.04| |5|2dea7e6e64ca09a5fb045ef2578f98bc|Dropper/Win32.Akdoor|2019.12.23.04| |6|6671764638290bcb4aedd6c2e1ec1f45|Backdoor/Win32.Infostealer|2019.12.23.04| |7|c09a58890e6d35decf042381e8aec899|Normal File|| |8|367d053efd3eaeefff3e7eb699da78fd|Backdoor/Win32.Akdoor|2019.12.23.04| |9|5cddf08d10c2a8829a65d13ddf90e6e8|Trojan/Win32.Runner|2019.12.23.04| |10|4d6832ddf9e5ca4ee90f72a4a7598e9f|Backdoor/Win32.Akdoor|2019.12.23.04| |11|e1af9409d6a535e8f1a66ce8e6cea428|Normal File|| |12|44bc819f40cdb29be74901e2a6c77a0c|Backdoor/Win32.Akdoor|2019.12.23.04| |13|7fd2e2e3c88675d877190abaa3002b55|Backdoor/Win32.Akdoor|2019.12.23.04| |14|ac6f0f14c66043e5cfbc636ddec2d62c|Dropper/Win32.Akdoor|2019.12.23.04| |15|30bd4c48ccf59f419d489e71acd6bfca|Backdoor/Win32.Akdoor|2019.12.23.04| ----- ###### [+] Relevant Sample No. MD5 1 ce2c2d12ef77ef699e584b0735022e5d 2 12a8f8efe867c11837d4118318b0dc29 3 56522bba0ac19449643f7fceccf73bbe 4 b994bd755e034d2218f8a3f70e91a165 5 750924d47a75cc3310a4fea02c94a1ea 6 d6d9bcc4fb70f4b27e192f3bfe61837d 7 af3bdaa30662565e18e2959f5a35c882 8 e11fa6a944710d276a05f493d8b3dc8a 9 b8c63340b2fc466ea6fe168000fedf2d 10 719d0bf25d7a8f20f252034b6d3dbf74 11 9d685308d3125e14287ecb7fbe5fcd37 12 6574e952e2833625f68f4ebd9983b18e 13 a16d8af557e23f075a34feaf02047163 ###### 4-2. C&C Server / URL / IP navor-net.hol.es (185.224.138.29, NE) happy-new-year.esy.es (177.234.145.204, BR) [+] 185.224.138.29(NE) daum-mail-team.pe.hu daum-master-help.hol.es kakao-check.esy.es naver-user-center.pe.hu |No.|MD5|V3 Alias|V3 Version| |---|---|---|---| |1|ce2c2d12ef77ef699e584b0735022e5d|Trojan/Win32.Infostealer|2019.07.19.05| |2|12a8f8efe867c11837d4118318b0dc29|Trojan/Win32.Agent|2019.12.09.04| |3|56522bba0ac19449643f7fceccf73bbe|Trojan/Win32.Agent|2019.12.09.04| |4|b994bd755e034d2218f8a3f70e91a165|Backdoor/Win32.Agent|2019.01.07.09| |5|750924d47a75cc3310a4fea02c94a1ea|Backdoor/Win32.Akdoor|2017.06.05.06| |6|d6d9bcc4fb70f4b27e192f3bfe61837d|Trojan/Win32.Agent|2019.11.16.08| |7|af3bdaa30662565e18e2959f5a35c882|Trojan/Win32.Infostealer|2019.07.19.05| |8|e11fa6a944710d276a05f493d8b3dc8a|Trojan/Win32.Agent|2019.11.16.09| |9|b8c63340b2fc466ea6fe168000fedf2d|Downloader/Win32.Agent|2019.07.15.08| |10|719d0bf25d7a8f20f252034b6d3dbf74|Trojan/Win32.Phandoor|2016.01.13.03| |11|9d685308d3125e14287ecb7fbe5fcd37|Backdoor/Win32.Agent|2019.01.07.09| |12|6574e952e2833625f68f4ebd9983b18e|Trojan/Win32.Infostealer|2019.07.19.05| |13|a16d8af557e23f075a34feaf02047163|Win-Trojan/Dllbot.235520|2012.07.06.02| ----- ###### naver-user-help.pe.hu naver-user-team.pe.hu my-homework.890m.com myacccount-goggle.esy.es myaccounnts-goggle.esy.es acount-google-team.hol.es navor-net.hol.es [+] 177.234.145.204(BR) antichrist.hol.es military-website.96.lt happy-new-year.esy.es user-acounts-setting.pe.hu rnember-daurn-team.pe.hu nid-narver-team.hol.es newsea38-chol-com.esy.es myaccounts.goegle.16mb.com myaccounnt-google.esy.es myaccaunt-qoog1e-corn.pe.hu mernber-daum-net.96.lt mernber-daum.pe.hu member-manage-center.96.lt member-info.com member-daum.16mb.com ----- ###### main-darn-setting.16mb.com mail-manager-alert080.pe.hu kakao-daum-team.16mb.com kakao-daum-center.890m.com hamnail-form.890m.com ewha.16mb.com daum-sercurity-center.hol.es daum.member-info.com chollian.16mb.com accounnts-google-net.890m.com ----- -----