# ZLAB

### Malware Analysis Report

A long-term espionage campaign in Syria.

**CSE CyberSec Enterprise SPA**
**Via G.B. Martini 6, Rome, Italy 00100, Italia**
**[Email: info@csecybsec.com](mailto:info@csecybsec.com)**
**[Website: www.csecybsec.com](http://csecybsec.com/)**

##### 23/07/2018

-----

## Table of Contents

- The Open Repository and the Fake Promotional Site
- The malicious apk files
- A suspicious windows executable hidden inside the apk
- The Command and Control Infrastructure
- Yara rules

## The Open Repository and the Fake Promotional Site

A few days ago, the security researcher Lukas Stefanko from ESET discovered an open repository containing some Android applications.

_Figure 1 - Lukas Stefanko's tweet about the open repository._

The folder was found on a compromised website at the following URL: hxxp://chatsecurelite.uk[.]to. The website is written in Arabic and, once translated, it appears to offer a secure messaging app. The homepage shows how the application works and includes some slides about it.

_Figure 2 - Screens of the fake security website_

The website claims that the most common messaging applications are vulnerable and that attackers can compromise them to spy on their users. The author claims to have developed an app called "ChatSecure" to mitigate security vulnerabilities reported in popular messaging apps, including WhatsApp and Telegram. ChatSecure is the name of a legitimate free and open source iOS messaging app that offers OMEMO and OTR encryption over XMPP. The bogus website also states that Office applications are vulnerable to cyber attacks and offers "patches" for the vulnerabilities exploited by the hackers.

_Figure 3 - ChatSecure legitimate iOS app._

The threat actors exploited the interest in ChatSecure, which is available only for Apple iOS devices, to lure Android users, for whom no official version exists, into installing a fake Android build. The malicious app poses as an update for the legitimate app.

_Figure 4 - Example of installation_

## The malicious apk files

In this paragraph we report the samples gathered from the open repository.
The first sample was hosted under four different names: "AndroidOfficeUpdate2018.apk", "تحديث أوفيس للجوال.apk" ("UpdateOfficeforMobile.apk"), "chatsecure2018.apk" and "OfficeUpdate.apk". A second set of three files reused the "chatsecure2018.apk", "telegram2018.apk" and "whatsapp2018.apk" names with different hashes.

| File name | MD5 | SHA-1 | SHA-256 | File Size |
|---|---|---|---|---|
| "AndroidOfficeUpdate2018.apk" / "تحديث أوفيس للجوال.apk" ("UpdateOfficeforMobile.apk") / "chatsecure2018.apk" / "OfficeUpdate.apk" | 6296586cf9a59b25d1b8ab3eeb0c2a33 | 5d9c175d8b84c03c7e656e5b29a7b9ab69e5a17b | 54d6dc8300fad699c3fdfaa6614250f1151208dc6c5a4ede6097470e4af7817b | 1517 KB |
| "telegram2018.apk" | c741c654198a900653163ca7e9c5158c | 0c5611b383537faa715c31fa182cff92b73c97db | db70c8d699a3173028e768914b297a4c0c3a96c457845b38dfac535bc1b48eb3 | 1613 KB |
| "whatsapp2018.apk" | cf5e62ebbf4be2417b9d3849c3c3f9c9 | fcc38a0acdfcde59bf1bc4b4227feb47b5f71ad4 | 041b9066f42b78c5f2c9ff25a3bba3155a21c21fa0ee55aea510f456b3bc1847 | 1675 KB |
| "chatsecure2018.apk" | f59cfb0b972fdf65baad7c37681d49ef | eace586f5b1a4eae6d1e0503e079753e0ac88176 | caf0f58ebe2fa540942edac641d34bbc8983ee924fd6a60f42642574bbcd3987 | 1518 KB |
| "telegram2018.apk" | 5de80e4b174f17776b07193a2280b252 | 6867eff4edc425606ac746e87a9df1b7424a1e49 | 2d0a56a347779ffdc3250deadda50008d6fae9b080c20892714348f8a44fca4b | 1613 KB |
| "whatsapp2018.apk" | f0d240bac174e38c831afdd80e50a992 | f4cc667a05fb478b126207848a8da340327d3329 | b15b5a1a120302f32c40c7c7532581ee932859fdfb5f1b3018de679646b8c972 | 1675 KB |

All of the above APK files contain the same malicious code; they differ only in the application icon and in the package name under which the code is placed.

The malware shows classic RAT behaviour: it includes a series of hard-coded commands that the C2 can send to the bot. The list of accepted commands, with the corresponding opcodes, is the following:

_Figure 5 - Command list_

After installation, and according to the command list, the first opcode captured during the analysis is "Connect to Server", opcode 17, used to register the new bot on the Command and Control (Figure 6). As the figure shows, the new bot sends the C2 information about the compromised device, such as:

- which APK started the infection
- Android version of the device
- whether the device is on Wi-Fi or a mobile network
- installation date of the bot
- device name
- IMEI
- mobile operator
- whether root permissions are enabled
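The registration, periodic ping and C2 redirection sequence described in this section and the next, modelled in Python as an added example. This is illustrative code written for this page, not the malware's own code: the report gives the opcodes (17, 30, 39) and the ports (1740 hard-coded, 11950 pushed by the C2 during analysis) but not the wire format, so the newline-free JSON framing, the `c2.example.invalid` host name and the device field values are assumptions. The point it makes visible is that the endpoint the bot talks to is mutable at runtime, so a network indicator built only from the static port is incomplete.

```python
"""Model of the bot/C2 exchange: registration (opcode 17), periodic ping
(opcode 30) and C2 redirection (opcode 39).  Added example; framing is ASSUMED.
"""
import json
from dataclasses import dataclass, field

OP_CONNECT = 17      # "Connect to Server": register the bot and send device info
OP_PING = 30         # periodic keep-alive
OP_SET_C2 = 39       # C2 pushes a new host/port for the bot to use from now on
HARDCODED_PORT = 1740


@dataclass
class Bot:
    host: str
    port: int = HARDCODED_PORT
    registered: bool = False
    # Every frame the bot sent, together with the endpoint it was sent to.
    sent: list = field(default_factory=list)

    def _send(self, opcode: int, **payload) -> dict:
        frame = {"op": opcode, **payload}            # ASSUMED JSON framing
        self.sent.append((self.host, self.port, json.dumps(frame)))
        return frame

    def register(self, device_info: dict) -> dict:
        """Opcode 17: the first message observed after installation."""
        self.registered = True
        return self._send(OP_CONNECT, **device_info)

    def ping(self) -> dict:
        """Opcode 30: keep-alive sent to whatever endpoint is current."""
        return self._send(OP_PING)

    def handle(self, raw: str) -> None:
        """Dispatch one frame received from the server; unknown opcodes are ignored."""
        frame = json.loads(raw)
        handler = SERVER_HANDLERS.get(frame.get("op"))
        if handler:
            handler(self, frame)


def _set_c2(bot: Bot, frame: dict) -> None:
    """Opcode 39: replace the C2 host and/or port used by all later messages."""
    bot.host = frame.get("host", bot.host)
    bot.port = int(frame["port"])


SERVER_HANDLERS = {OP_SET_C2: _set_c2}


def endpoints_used(bot: Bot) -> list:
    """Distinct (host, port) pairs the bot actually talked to, in first-use order."""
    seen = []
    for host, port, _ in bot.sent:
        if (host, port) not in seen:
            seen.append((host, port))
    return seen


def simulate(initial_host: str = "c2.example.invalid") -> Bot:
    """Replay the sequence seen during analysis with CONSTRUCTED values."""
    bot = Bot(host=initial_host)
    # The keys are the device properties the report lists; the values are made up.
    bot.register({
        "apk": "chatsecure2018.apk", "android": "7.0", "network": "wifi",
        "installed": "2018-07-20", "device": "test-device",
        "imei": "000000000000000", "operator": "test-operator", "rooted": False,
    })
    bot.ping()                                        # still on the hard-coded port
    # The C2 answers with opcode 39 pointing at the port seen during the analysis.
    bot.handle(json.dumps({"op": OP_SET_C2, "port": 11950}))
    bot.ping()                                        # this one lands on 11950
    return bot


if __name__ == "__main__":
    b = simulate()
    for host, port, frame in b.sent:
        print(f"{host}:{port} <- {frame}")
    print("endpoints used:", endpoints_used(b))
```

Running it prints the three frames with their destination ports and the two endpoints used; a detection rule keyed on port 1740 alone would see only the first two messages.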
_Figure 6 - Registration of the infected device on the C2_

Subsequently, the malware starts to ping the C2 periodically using opcode 30.

_Figure 7 - Ping command_

The port hard-coded in the malware is 1740, but during the analysis the Command and Control changed it to 11950 through another opcode in the list, opcode 39. This command changes the IP address and the port of the Command and Control. In our case:

_Figure 8 - The Opcode 39_

Because the C2 endpoint can be rewritten at runtime, network indicators derived only from the static configuration (port 1740) do not cover the traffic after the redirect; the port actually in use has to be taken from the dynamic analysis.

## A suspicious windows executable hidden inside the apk

Inspecting the APK, we found an anomalous file named "hmzvbs" under the path "/res/raw". A deeper analysis of the suspicious file showed that it is a Windows executable written in C# (.NET), as reported in the following figure:

_Figure 9 - hmzvbs executable windows file description_

The reason why this executable is hidden inside the APK is still unknown: we found no trace of any exploit code that the malware could use to move laterally and deliver the executable to a Windows machine.

| "hmzvbs.exe" | |
|---|---|
| MD5 | bd251ce0f81089ceb6db6c5ead43cb8e |
| SHA-1 | 9eb517b231786f34d70ccfe9dda2f33252eece86 |
| SHA-256 | 9616976a2f1c753c5fc7338944ccf9c2cfedf9a9856f8ea40cb182a6b102aa6a |
| File Size | 459.06 KB |
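A static check for the anomaly just described, added here as an example and not part of the report's own tooling. An APK is a zip archive, so the script walks every entry, parses the DOS, COFF and optional headers of anything that starts with `MZ`, and reports whether the CLR runtime header (data directory 14) is present, which is what marks a managed (.NET) binary such as the C# executable found under res/raw. The sample APK is constructed in memory with a header-only fake PE; the entry name "hmzvbs" is taken from the report, everything else in the sample is made up.

```python
"""Static triage: find Windows PE / .NET images hidden inside an APK.
Added example; the sample archive below is CONSTRUCTED, not a real sample.
"""
import io
import struct
import zipfile

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CLR_DIRECTORY_INDEX = 14            # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def inspect_pe(data: bytes):
    """Return header facts for a PE image, or None if `data` is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, _nsec, _ts, _symp, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)              # COFF file header
    opt = e_lfanew + 24                              # start of optional header
    if opt_size < 2 or opt + 2 > len(data):
        return None
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        n_dirs_off, dirs_off = 92, 96                # PE32 layout
    elif magic == PE32PLUS_MAGIC:
        n_dirs_off, dirs_off = 108, 112              # PE32+ layout
    else:
        return None
    clr_header = False
    if opt + n_dirs_off + 4 <= len(data):
        (n_dirs,) = struct.unpack_from("<I", data, opt + n_dirs_off)
        entry = opt + dirs_off + 8 * CLR_DIRECTORY_INDEX
        if n_dirs > CLR_DIRECTORY_INDEX and entry + 8 <= len(data):
            rva, size = struct.unpack_from("<II", data, entry)
            clr_header = rva != 0 and size != 0
    # Managed binaries also import mscoree.dll; the report's Yara rules key on it.
    imports_mscoree = b"mscoree.dll" in data.lower()
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "clr_header": clr_header,
        "imports_mscoree": imports_mscoree,
        "is_dotnet": clr_header or imports_mscoree,
    }


def scan_apk(apk) -> list:
    """One finding per zip entry that parses as a PE image (path or file object)."""
    findings = []
    with zipfile.ZipFile(apk) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            facts = inspect_pe(z.read(info))
            if facts:
                findings.append({"entry": info.filename, **facts})
    return findings


def fake_dotnet_pe() -> bytes:
    """CONSTRUCTED header-only PE32 with a CLR directory; not a runnable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * CLR_DIRECTORY_INDEX, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"\0" * 16 + b"mscoree.dll\0"


def build_sample_apk() -> io.BytesIO:
    """CONSTRUCTED in-memory APK: two benign entries plus a PE under res/raw."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00 binary xml placeholder")
        z.writestr("res/raw/notes.txt", b"plain resource, not a PE")
        z.writestr("res/raw/hmzvbs", fake_dotnet_pe())
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for finding in scan_apk(build_sample_apk()):
        print(finding)
```

Against a real APK, `scan_apk("sample.apk")` flags every embedded PE regardless of its extension or location; the CLR data directory is the reliable signal, and the `mscoree.dll` string is kept as a second, weaker one because the report's Yara rules rely on it.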
This file is a dropper for an embedded DLL, which is encrypted with a custom routine and decoded at runtime. Placing a breakpoint after that routine made it simple to retrieve the real payload of the malware.

_Figure 10 - Piece of the encrypted real payload embedded in hmzvbs file_

| DLL file | |
|---|---|
| MD5 | ee65368ee4da769245cde7022bd910a4 |
| SHA-1 | 4e6fc7ab754be0957449d9782d7e280c09c1c98d |
| SHA-256 | 0fd267388d7c221ab8dd450ef271f21ac6e3b5cdfef23b1456084744f9b13fc0 |
| File Size | 97 KB |

After fully decrypting the DLL, "hmzvbs" copies itself to the path "\%APPDATA%\Local\Temp" under the name "cebto_task_64.exe" and executes the new file.

_Figure 11 - real payload created by hmzvbs file_

The behaviour of the DLL payload contained in "cebto_task_64.exe" is similar to that of the Android malware, but in this case the communication uses port 5005 instead of 1740, as visible in the following figure:

_Figure 12 - started communication on 5005 port_

At this point the victim computer is a bot and communicates with the C2 through a series of hard-coded commands, very similar to the list previously shown for the Android malware.
In particular, the list of commands is reported here:

_Figure 13 - Accepted command by the bot_

To ensure persistence across reboots, "cebto_task_64.exe" executes a task-scheduling command, as follows:

_Figure 14 - Persistence mechanism of the malware_

## The Command and Control Infrastructure

An unusual characteristic of these attacks is the location of the Command and Control server. The C2 is hosted in the same area that is under attack, whereas threat actors usually place their servers somewhere other than the region they target, in order to hinder investigations.

Another characteristic is the impressive number of open ports on the C2. The complete list is reported in the following table, three entries per row. The service names are the scanner's default port-to-name lookups (the listing carries no version column), not fingerprinted services. Note also that neither 5005 (the port used by the Windows payload) nor 11950 (the port pushed to the Android bot by opcode 39) appears in the list, so either the scan was not exhaustive or those listeners were not up at scan time.

| Port | State | Service | Port | State | Service | Port | State | Service |
|---|---|---|---|---|---|---|---|---|
| 82/tcp | open | xfer | 4033/tcp | open | sanavigator | 4093/tcp | open | pvxpluscs |
| 1719/tcp | open | h323gatestat | 4034/tcp | open | ubxd | 4094/tcp | open | sysrqd |
| 1721/tcp | open | caicci | 4035/tcp | open | wap-push-http | 4095/tcp | open | xtgui |
| 1740/tcp | open | encore | 4036/tcp | open | wap-push-https | 4096/tcp | open | bre |
| 1741/tcp | open | cisco-net-mgmt | 4037/tcp | open | ravehd | 4097/tcp | open | patrolview |
| 1742/tcp | open | 3Com-nsd | 4038/tcp | open | fazzt-ptp | 4098/tcp | open | drmsfsd |
| 1743/tcp | open | cinegrfx-lm | 4039/tcp | open | fazzt-admin | 4099/tcp | open | dpcp |
| 1744/tcp | open | ncpm-ft | 4040/tcp | open | yo-main | 4100/tcp | open | igo-incognito |
| 1745/tcp | open | remote-winsock | 4041/tcp | open | houston | 4101/tcp | open | brlp-0 |
| 1746/tcp | open | ftrapid-1 | 4042/tcp | open | ldxp | 4102/tcp | open | brlp-1 |
| 1747/tcp | open | ftrapid-2 | 4043/tcp | open | nirp | 4103/tcp | open | brlp-2 |
| 1748/tcp | open | oracle-em1 | 4044/tcp | open | ltp | 4104/tcp | open | brlp-3 |
| 1749/tcp | open | aspen-services | 4045/tcp | open | lockd | 4105/tcp | open | shofarplayer |
| 1750/tcp | open | sslp | 4046/tcp | open | acp-proto | 4106/tcp | open | synchronite |
| 1791/tcp | open | ea1 | 4047/tcp | open | ctp-state | 4107/tcp | open | j-ac |
| 1792/tcp | open | ibm-dt-2 | 4048/tcp | open | unknown | 4108/tcp | open | accel |
| 1793/tcp | open | rsc-robot | 4049/tcp | open | wafs | 4109/tcp | open | izm |
| 1794/tcp | open | cera-bcm | 4050/tcp | open | cisco-wafs | 4110/tcp | open | g2tag |
| 1795/tcp | open | dpi-proxy | 4051/tcp | open | cppdp | 4111/tcp | open | xgrid |
| 1797/tcp | open | uma | 4052/tcp | open | interact | 4112/tcp | open | apple-vpns-rp |
| 1798/tcp | open | etp | 4053/tcp | open | ccu-comm-1 | 4113/tcp | open | aipn-reg |
| 1799/tcp | open | netrisk | 4054/tcp | open | ccu-comm-2 | 4114/tcp | open | jomamqmonitor |
| 1800/tcp | open | ansys-lm | 4055/tcp | open | ccu-comm-3 | 4115/tcp | open | cds |
| 1801/tcp | open | msmq | 4056/tcp | open | lms | 4116/tcp | open | smartcard-tls |
| 1802/tcp | open | concomp1 | 4057/tcp | open | wfm | 4117/tcp | open | hillrserv |
| 1803/tcp | open | hp-hcip-gwy | 4058/tcp | open | kingfisher | 4118/tcp | open | netscript |
| 1804/tcp | open | enl | 4059/tcp | open | dlms-cosem | 4119/tcp | open | assuria-slm |
| 4000/tcp | open | remoteanything | 4060/tcp | open | dsmeter_iatc | 4120/tcp | open | minirem |
| 4001/tcp | open | newoak | 4061/tcp | open | ice-location | 4121/tcp | open | e-builder |
| 4002/tcp | open | mlchat-proxy | 4062/tcp | open | ice-slocation | 4122/tcp | open | fprams |
| 4003/tcp | open | pxc-splr-ft | 4063/tcp | open | ice-router | 4123/tcp | open | z-wave |
| 4004/tcp | open | pxc-roid | 4064/tcp | open | ice-srouter | 4124/tcp | open | tigv2 |
| 4005/tcp | open | pxc-pin | 4065/tcp | open | avanti_cdp | 4125/tcp | open | rww |
| 4006/tcp | open | pxc-spvr | 4066/tcp | open | pmas | 4126/tcp | open | ddrepl |
| 4007/tcp | open | pxc-splr | 4067/tcp | open | idp | 4127/tcp | open | unikeypro |
| 4008/tcp | open | netcheque | 4068/tcp | open | ipfltbcst | 4128/tcp | open | nufw |
| 4009/tcp | open | chimera-hwm | 4069/tcp | open | minger | 4129/tcp | open | nuauth |
| 4010/tcp | open | samsung-unidex | 4070/tcp | open | tripe | 4130/tcp | open | fronet |
| 4011/tcp | open | altserviceboot | 4071/tcp | open | aibkup | 4131/tcp | open | stars |
| 4012/tcp | open | pda-gate | 4072/tcp | open | zieto-sock | 4132/tcp | open | nuts_dem |
| 4013/tcp | open | acl-manager | 4073/tcp | open | iRAPP | 4133/tcp | open | nuts_bootp |
| 4014/tcp | open | taiclock | 4074/tcp | open | cequint-cityid | 4134/tcp | open | nifty-hmi |
| 4015/tcp | open | talarian-mcast1 | 4075/tcp | open | perimlan | 4135/tcp | open | cl-db-attach |
| 4016/tcp | open | talarian-mcast2 | 4076/tcp | open | seraph | 4136/tcp | open | cl-db-request |
| 4017/tcp | open | talarian-mcast3 | 4077/tcp | open | ascomalarm | 4137/tcp | open | cl-db-remote |
| 4018/tcp | open | talarian-mcast4 | 4078/tcp | open | cssp | 4138/tcp | open | nettest |
| 4019/tcp | open | talarian-mcast5 | 4079/tcp | open | santools | 4139/tcp | open | thrtx |
| 4020/tcp | open | trap | 4080/tcp | open | lorica-in | 4140/tcp | open | cedros_fds |
| 4021/tcp | open | nexus-portal | 4081/tcp | open | lorica-in-sec | 4141/tcp | open | oirtgsvc |
| 4022/tcp | open | dnox | 4082/tcp | open | lorica-out | 4142/tcp | open | oidocsvc |
| 4023/tcp | open | esnm-zoning | 4083/tcp | open | lorica-out-sec | 4143/tcp | open | oidsr |
| 4024/tcp | open | tnp1-port | 4084/tcp | open | fortisphere-vm | 4144/tcp | open | wincim |
| 4025/tcp | open | partimage | 4085/tcp | open | ezmessagesrv | 4145/tcp | open | vvr-control |
| 4026/tcp | open | as-debug | 4086/tcp | open | ftsync | 4146/tcp | open | tgcconnect |
| 4027/tcp | open | bxp | 4087/tcp | open | applusservice | 4147/tcp | open | vrxpservman |
| 4028/tcp | open | dtserver-port | 4088/tcp | open | npsp | 4148/tcp | open | hhb-handheld |
| 4029/tcp | open | ip-qsig | 4089/tcp | open | opencore | 4149/tcp | open | agslb |
| 4030/tcp | open | jdmn-port | 4090/tcp | open | omasgport | 4150/tcp | open | PowerAlert-nsa |
| 4031/tcp | open | suucp | 4091/tcp | open | ewinstaller | 4151/tcp | open | menandmice_noh |
| 4032/tcp | open | vrts-auth-port | 4092/tcp | open | ewdgs | 4152/tcp | open | idig_mux |
| 4153/tcp | open | mbl-battd | 4213/tcp | open | vrml-multi-use | 4273/tcp | open | vrml-multi-use |
| 4154/tcp | open | atlinks | 4214/tcp | open | vrml-multi-use | 4274/tcp | open | vrml-multi-use |
| 4155/tcp | open | bzr | 4215/tcp | open | vrml-multi-use | 4275/tcp | open | vrml-multi-use |
| 4156/tcp | open | stat-results | 4216/tcp | open | vrml-multi-use | 4276/tcp | open | vrml-multi-use |
| 4157/tcp | open | stat-scanner | 4217/tcp | open | vrml-multi-use | 4277/tcp | open | vrml-multi-use |
| 4158/tcp | open | stat-cc | 4218/tcp | open | vrml-multi-use | 4278/tcp | open | vrml-multi-use |
| 4159/tcp | open | nss | 4219/tcp | open | vrml-multi-use | 4279/tcp | open | vrml-multi-use |
| 4160/tcp | open | jini-discovery | 4220/tcp | open | vrml-multi-use | 4280/tcp | open | vrml-multi-use |
| 4161/tcp | open | omscontact | 4221/tcp | open | vrml-multi-use | 4281/tcp | open | vrml-multi-use |
| 4162/tcp | open | omstopology | 4222/tcp | open | vrml-multi-use | 4282/tcp | open | vrml-multi-use |
| 4163/tcp | open | silverpeakpeer | 4223/tcp | open | vrml-multi-use | 4283/tcp | open | vrml-multi-use |
| 4164/tcp | open | silverpeakcomm | 4224/tcp | open | xtell | 4284/tcp | open | vrml-multi-use |
| 4165/tcp | open | altcp | 4225/tcp | open | vrml-multi-use | 4285/tcp | open | vrml-multi-use |
| 4166/tcp | open | joost | 4226/tcp | open | vrml-multi-use | 4286/tcp | open | vrml-multi-use |
| 4167/tcp | open | ddgn | 4227/tcp | open | vrml-multi-use | 4287/tcp | open | vrml-multi-use |
| 4168/tcp | open | pslicser | 4228/tcp | open | vrml-multi-use | 4288/tcp | open | vrml-multi-use |
| 4169/tcp | open | iadt | 4229/tcp | open | vrml-multi-use | 4289/tcp | open | vrml-multi-use |
| 4170/tcp | open | d-cinema-csp | 4230/tcp | open | vrml-multi-use | 4290/tcp | open | vrml-multi-use |
| 4171/tcp | open | ml-svnet | 4231/tcp | open | vrml-multi-use | 4291/tcp | open | vrml-multi-use |
| 4172/tcp | open | pcoip | 4232/tcp | open | vrml-multi-use | 4292/tcp | open | vrml-multi-use |
| 4173/tcp | open | mma-discovery | 4233/tcp | open | vrml-multi-use | 4293/tcp | open | vrml-multi-use |
| 4174/tcp | open | smcluster | 4234/tcp | open | vrml-multi-use | 4294/tcp | open | vrml-multi-use |
| 4175/tcp | open | bccp | 4235/tcp | open | vrml-multi-use | 4295/tcp | open | vrml-multi-use |
| 4176/tcp | open | tl-ipcproxy | 4236/tcp | open | vrml-multi-use | 4296/tcp | open | vrml-multi-use |
| 4177/tcp | open | wello | 4237/tcp | open | vrml-multi-use | 4297/tcp | open | vrml-multi-use |
| 4178/tcp | open | storman | 4238/tcp | open | vrml-multi-use | 4298/tcp | open | vrml-multi-use |
| 4179/tcp | open | MaxumSP | 4239/tcp | open | vrml-multi-use | 4299/tcp | open | vrml-multi-use |
| 4180/tcp | open | httpx | 4240/tcp | open | vrml-multi-use | 4300/tcp | open | corelccam |
| 4181/tcp | open | macbak | 4241/tcp | open | vrml-multi-use | 4301/tcp | open | d-data |
| 4182/tcp | open | pcptcpservice | 4242/tcp | open | vrml-multi-use | 4302/tcp | open | d-data-control |
| 4183/tcp | open | gmmp | 4243/tcp | open | vrml-multi-use | 4303/tcp | open | srcp |
| 4184/tcp | open | universe_suite | 4244/tcp | open | vrml-multi-use | 4304/tcp | open | owserver |
| 4185/tcp | open | wcpp | 4245/tcp | open | vrml-multi-use | 4305/tcp | open | batman |
| 4186/tcp | open | boxbackupstore | 4246/tcp | open | vrml-multi-use | 4306/tcp | open | pinghgl |
| 4187/tcp | open | csc_proxy | 4247/tcp | open | vrml-multi-use | 4307/tcp | open | visicron-vs |
| 4188/tcp | open | vatata | 4248/tcp | open | vrml-multi-use | 4308/tcp | open | compx-lockview |
| 4189/tcp | open | pcep | 4249/tcp | open | vrml-multi-use | 4309/tcp | open | dserver |
| 4190/tcp | open | sieve | 4250/tcp | open | vrml-multi-use | 4310/tcp | open | mirrtex |
| 4191/tcp | open | dsmipv6 | 4251/tcp | open | vrml-multi-use | 4311/tcp | open | p6ssmc |
| 4192/tcp | open | azeti | 4252/tcp | open | vrml-multi-use | 4312/tcp | open | pscl-mgt |
| 4193/tcp | open | pvxplusio | 4253/tcp | open | vrml-multi-use | 4313/tcp | open | perrla |
| 4194/tcp | open | unknown | 4254/tcp | open | vrml-multi-use | 4314/tcp | open | choiceview-agt |
| 4195/tcp | open | unknown | 4255/tcp | open | vrml-multi-use | 4315/tcp | open | unknown |
| 4196/tcp | open | unknown | 4256/tcp | open | vrml-multi-use | 4316/tcp | open | choiceview-clt |
| 4197/tcp | open | hctl | 4257/tcp | open | vrml-multi-use | 4317/tcp | open | unknown |
| 4198/tcp | open | unknown | 4258/tcp | open | vrml-multi-use | 4318/tcp | open | unknown |
| 4199/tcp | open | eims-admin | 4259/tcp | open | vrml-multi-use | 4319/tcp | open | unknown |
| 4200/tcp | open | vrml-multi-use | 4260/tcp | open | vrml-multi-use | 4320/tcp | open | fdt-rcatp |
| 4201/tcp | open | vrml-multi-use | 4261/tcp | open | vrml-multi-use | 4321/tcp | open | rwhois |
| 4202/tcp | open | vrml-multi-use | 4262/tcp | open | vrml-multi-use | 4322/tcp | open | trim-event |
| 4203/tcp | open | vrml-multi-use | 4263/tcp | open | vrml-multi-use | 4323/tcp | open | trim-ice |
| 4204/tcp | open | vrml-multi-use | 4264/tcp | open | vrml-multi-use | 4324/tcp | open | balour |
| 4205/tcp | open | vrml-multi-use | 4265/tcp | open | vrml-multi-use | 4325/tcp | open | geognosisman |
| 4206/tcp | open | vrml-multi-use | 4266/tcp | open | vrml-multi-use | 4326/tcp | open | geognosis |
| 4207/tcp | open | vrml-multi-use | 4267/tcp | open | vrml-multi-use | 4327/tcp | open | jaxer-web |
| 4208/tcp | open | vrml-multi-use | 4268/tcp | open | vrml-multi-use | 4328/tcp | open | jaxer-manager |
| 4209/tcp | open | vrml-multi-use | 4269/tcp | open | vrml-multi-use | 4329/tcp | open | publiqare-sync |
| 4210/tcp | open | vrml-multi-use | 4270/tcp | open | vrml-multi-use | 4330/tcp | open | dey-sapi |
| 4211/tcp | open | vrml-multi-use | 4271/tcp | open | vrml-multi-use | 4331/tcp | open | ktickets-rest |
| 4212/tcp | open | vrml-multi-use | 4272/tcp | open | vrml-multi-use | 4332/tcp | open | unknown |
| 4333/tcp | open | msql | 4393/tcp | open | apwi-rxspooler | 4453/tcp | open | nssalertmgr |
| 4334/tcp | open | netconf-ch-ssh | 4394/tcp | open | apwi-disc | 4454/tcp | open | nssagentmgr |
| 4335/tcp | open | netconf-ch-tls | 4395/tcp | open | omnivisionesx | 4455/tcp | open | prchat-user |
| 4336/tcp | open | restconf-ch-tls | 4396/tcp | open | fly | 4456/tcp | open | prchat-server |
| 4337/tcp | open | unknown | 4397/tcp | open | unknown | 4457/tcp | open | prRegister |
| 4338/tcp | open | unknown | 4398/tcp | open | unknown | 4458/tcp | open | mcp |
| 4339/tcp | open | unknown | 4399/tcp | open | unknown | 4459/tcp | open | unknown |
| 4340/tcp | open | gaia | 4400/tcp | open | ds-srv | 4460/tcp | open | unknown |
| 4341/tcp | open | lisp-data | 4401/tcp | open | ds-srvr | 4461/tcp | open | unknown |
| 4342/tcp | open | lisp-cons | 4402/tcp | open | ds-clnt | 4462/tcp | open | unknown |
| 4343/tcp | open | unicall | 4403/tcp | open | ds-user | 4463/tcp | open | unknown |
| 4344/tcp | open | vinainstall | 4404/tcp | open | ds-admin | 4464/tcp | open | unknown |
| 4345/tcp | open | m4-network-as | 4405/tcp | open | ds-mail | 4465/tcp | open | unknown |
| 4346/tcp | open | elanlm | 4406/tcp | open | ds-slp | 4466/tcp | open | unknown |
| 4347/tcp | open | lansurveyor | 4407/tcp | open | nacagent | 4467/tcp | open | unknown |
| 4348/tcp | open | itose | 4408/tcp | open | slscc | 4468/tcp | open | unknown |
| 4349/tcp | open | fsportmap | 4409/tcp | open | netcabinet-com | 4469/tcp | open | unknown |
| 4350/tcp | open | net-device | 4410/tcp | open | itwo-server | 4470/tcp | open | unknown |
| 4351/tcp | open | plcy-net-svcs | 4411/tcp | open | found | 4471/tcp | open | unknown |
| 4352/tcp | open | pjlink | 4412/tcp | open | smallchat | 4472/tcp | open | unknown |
| 4353/tcp | open | f5-iquery | 4413/tcp | open | avi-nms | 4473/tcp | open | unknown |
| 4354/tcp | open | qsnet-trans | 4414/tcp | open | updog | 4474/tcp | open | unknown |
| 4355/tcp | open | qsnet-workst | 4415/tcp | open | brcd-vr-req | 4475/tcp | open | unknown |
| 4356/tcp | open | qsnet-assist | 4416/tcp | open | pjj-player | 4476/tcp | open | unknown |
| 4357/tcp | open | qsnet-cond | 4417/tcp | open | workflowdir | 4477/tcp | open | unknown |
| 4358/tcp | open | qsnet-nucl | 4418/tcp | open | axysbridge | 4478/tcp | open | unknown |
| 4359/tcp | open | omabcastltkm | 4419/tcp | open | cbp | 4479/tcp | open | unknown |
| 4360/tcp | open | matrix_vnet | 4420/tcp | open | nvm-express | 4480/tcp | open | proxy-plus |
| 4361/tcp | open | nacnl | 4421/tcp | open | scaleft | 4481/tcp | open | unknown |
| 4362/tcp | open | afore-vdp-disc | 4422/tcp | open | tsepisp | 4482/tcp | open | unknown |
| 4363/tcp | open | unknown | 4423/tcp | open | thingkit | 4483/tcp | open | unknown |
| 4364/tcp | open | unknown | 4424/tcp | open | unknown | 4484/tcp | open | hpssmgmt |
| 4365/tcp | open | unknown | 4425/tcp | open | netrockey6 | 4485/tcp | open | assyst-dr |
| 4366/tcp | open | shadowstream | 4426/tcp | open | beacon-port-2 | 4486/tcp | open | icms |
| 4367/tcp | open | unknown | 4427/tcp | open | drizzle | 4487/tcp | open | prex-tcp |
| 4368/tcp | open | wxbrief | 4428/tcp | open | omviserver | 4488/tcp | open | awacs-ice |
| 4369/tcp | open | epmd | 4429/tcp | open | omviagent | 4489/tcp | open | unknown |
| 4370/tcp | open | elpro_tunnel | 4430/tcp | open | rsqlserver | 4490/tcp | open | unknown |
| 4371/tcp | open | l2c-control | 4431/tcp | open | wspipe | 4491/tcp | open | unknown |
| 4372/tcp | open | l2c-data | 4432/tcp | open | l-acoustics | 4492/tcp | open | unknown |
| 4373/tcp | open | remctl | 4433/tcp | open | vop | 4493/tcp | open | unknown |
| 4374/tcp | open | psi-ptt | 4434/tcp | open | unknown | 4494/tcp | open | unknown |
| 4375/tcp | open | tolteces | 4435/tcp | open | unknown | 4495/tcp | open | unknown |
| 4376/tcp | open | bip | 4436/tcp | open | unknown | 4496/tcp | open | unknown |
| 4377/tcp | open | cp-spxsvr | 4437/tcp | open | unknown | 4497/tcp | open | unknown |
| 4378/tcp | open | cp-spxdpy | 4438/tcp | open | unknown | 4498/tcp | open | unknown |
| 4379/tcp | open | ctdb | 4439/tcp | open | unknown | 4499/tcp | open | unknown |
| 4380/tcp | open | unknown | 4440/tcp | open | unknown | 4500/tcp | open | sae-urn |
| 4381/tcp | open | unknown | 4441/tcp | open | netblox | 8291/tcp | open | unknown |
| 4382/tcp | open | unknown | 4442/tcp | open | saris | 17000/tcp | open | unknown |
| 4383/tcp | open | unknown | 4443/tcp | open | pharos | 17001/tcp | open | unknown |
| 4384/tcp | open | unknown | 4444/tcp | open | krb524 | 17002/tcp | open | unknown |
| 4385/tcp | open | unknown | 4445/tcp | open | upnotifyp | 17003/tcp | open | unknown |
| 4386/tcp | open | unknown | 4446/tcp | open | n1-fwp | 17010/tcp | open | unknown |
| 4387/tcp | open | unknown | 4447/tcp | open | n1-rmgmt | 20003/tcp | open | commtact-https |
| 4388/tcp | open | unknown | 4448/tcp | open | asc-slmd | 60010/tcp | open | unknown |
| 4389/tcp | open | xandros-cms | 4449/tcp | open | | | | |
| 4390/tcp | open | wiegand | 4450/tcp | open | | | | |
| 4391/tcp | open | apwi-imserver | 4451/tcp | open | | | | |
| 4392/tcp | open | apwi-rxserver | 4452/tcp | open | | | | |

The high number of open ports suggests two possible scenarios:

- The attackers are enlarging the attack surface to make it harder to discover which ports are really used for the malware communication.
- The server also works as a honeypot.
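A small helper for working with a listing like the one above, added as an example that is not part of the report. It parses lines in the scanner's "port/proto state service" shape (tolerating the entries that have no service name), collapses the open ports into ranges so that a 180-row table can be read at a glance, and checks which of the C2 ports named in this report were actually open at scan time. The scan lines embedded below are constructed in the same shape as the table, not the full list.

```python
"""Parse an nmap-style port listing, collapse open ports into ranges and cross-check
the C2 ports named in the report.  Added example; SAMPLE_SCAN is CONSTRUCTED.
"""
import re

# port/proto, state, optional service name (some rows in the report have none)
PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)(?:\s+(\S+))?\s*$")

SAMPLE_SCAN = """\
82/tcp     open  xfer
1719/tcp   open  h323gatestat
1740/tcp   open  encore
1741/tcp   open  cisco-net-mgmt
1742/tcp   open  3Com-nsd
4000/tcp   open  remoteanything
4001/tcp   open  newoak
4002/tcp   open  mlchat-proxy
4449/tcp   open
4500/tcp   closed sae-urn
8291/tcp   open  unknown
"""

# Ports this report ties to the malware, with where each one comes from.
C2_PORTS = {
    1740: "hard-coded in the Android bot",
    11950: "pushed to the Android bot by opcode 39",
    5005: "used by the Windows payload",
}


def parse_scan(text: str) -> list:
    """Return (port, proto, state, service_or_None) for every parsable line."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def open_ports(rows, proto: str = "tcp") -> list:
    """Sorted, de-duplicated list of ports reported open for the given protocol."""
    return sorted({p for p, pr, state, _ in rows if pr == proto and state == "open"})


def collapse_ranges(ports) -> list:
    """[82, 1740, 1741, 1742] -> [(82, 82), (1740, 1742)]"""
    ranges = []
    for p in sorted(set(ports)):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)          # extend the current run
        else:
            ranges.append((p, p))                    # start a new run
    return ranges


def format_ranges(ranges) -> str:
    return ", ".join(f"{lo}" if lo == hi else f"{lo}-{hi}" for lo, hi in ranges)


def c2_port_status(ports, c2_ports=C2_PORTS) -> dict:
    """Which of the report's C2 ports were open at scan time."""
    seen = set(ports)
    return {port: port in seen for port in c2_ports}


if __name__ == "__main__":
    rows = parse_scan(SAMPLE_SCAN)
    ports = open_ports(rows)
    print(f"{len(ports)} open tcp ports: {format_ranges(collapse_ranges(ports))}")
    for port, present in c2_port_status(ports).items():
        print(f"{port:>6}  {'open' if present else 'not listed'}  ({C2_PORTS[port]})")
```

Fed the full table above, the range view makes the 4000-4500 sweep obvious, and the status check records that 1740 was open while 5005 and 11950 were not listed, which is the caveat a reader should carry into any detection built on this scan.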
## Yara rules

```yara
import "pe"

// Android samples: the string is the name of the Windows executable embedded under res/raw.
rule androidMalware
{
    meta:
        description = "Yara Rule for APT-C-27 Android malware"
        author = "CSE CybSec Enterprise - Z-Lab"
        last_updated = "2018-07-20"
        tlp = "white"
        category = "informational"
    strings:
        $a = "hmzvbs"
        $b = { ?8 ?D ?A }   // three bytes matched on their low nibble only
    condition:
        all of them
}

// Dropper (hmzvbs.exe): managed binary identified through its version resource.
rule windowsExecutableMalware
{
    meta:
        description = "Yara Rule for APT-C-27 Windows malware"
        author = "CSE CybSec Enterprise - Z-Lab"
        last_updated = "2018-07-20"
        tlp = "white"
        category = "informational"
    condition:
        pe.version_info["InternalName"] contains "WiNANd5ro16XP" and
        pe.imports("mscoree.dll")
}

// Decrypted DLL payload: same approach, different InternalName.
rule embeddedDLL
{
    meta:
        description = "Yara Rule for APT-C-27 Embedded DLL"
        author = "CSE CybSec Enterprise - Z-Lab"
        last_updated = "2018-07-20"
        tlp = "white"
        category = "informational"
    condition:
        pe.version_info["InternalName"] contains "Win64AndoX" and
        pe.imports("mscoree.dll")
}
```

Note that `$b` in the first rule is a three-byte pattern with every high nibble wildcarded, so it matches somewhere in practically any file of non-trivial size; in practice the rule reduces to the presence of the "hmzvbs" string and should be used as the informational rule its metadata declares it to be.