###### WHITE PAPER # APTs and COVID-19: How advanced persistent threats use the coronavirus as a lure ### Malwarebytes Threat Intelligence April 2020 ----- #### Table of contents ###### Introduction: APT groups using COVID-19...........................................................3 Template injection................................................................................................4 Kimsuky.....................................................................................................................4 Gamaredon...............................................................................................................8 Malicious macros................................................................................................ 10 Kimsuky...................................................................................................................10 Konni (APT37)...........................................................................................................11 APT36...................................................................................................................... 13 Patchwork............................................................................................................... 13 Hades...................................................................................................................... 15 TA505.......................................................................................................................17 TA542...................................................................................................................... 19 Bitter........................................................................................................................ 19 Ocean Lotus............................................................................................................ 19 RTF exploit..........................................................................................................20 Calypso Group....................................................................................................... 20 Chinese actor (Winnti)............................................................................................ 21 Malicious LNK files.............................................................................................22 Mustang Panada.....................................................................................................22 Higaisia....................................................................................................................23 Conclusion..........................................................................................................24 Sources...................................................................................................................24 ----- #### Introduction: APT groups using COVID-19 ##### Coronavirus (COVID-19) has become a global pandemic, upending economies, livelihoods, schools and hospital systems—nearly every facet of everyday life has been touched. Such uncertainty and fear surrounding the virus and its impact represents a golden opportunity for threat actors to exploit the situation. By using social engineering tactics such as spam and spear phishing campaigns with COVID-19 as a lure, cybercriminals and threat actors increase the likelihood of successful attack. From late January on, several cybercriminal and statesponsored groups have been doing just that, using coronavirus-themed phishing emails as their infection vector to gain a foothold on victim machines. Just like the coronavirus itself, China was the first target of Advanced Persistent Threat ( APT) groups, and as the virus spread worldwide, so did the cyberattacks. Once their victims’ attention was captured by social engineering, threat actors used various techniques to deploy malware, such as embedding macros in Microsoft documents attached to phishing emails or exploiting system or browser vulnerabilities to drop malicious software. In this paper, we provide an overview of several different APT groups using coronavirus as a lure, as well as a description of their varied attack vectors. We categorize the APT groups according to the technique they used to send spam or phishing emails: Template injection, Malicious macros, RTF exploits, and malicious LNK files. ----- #### Template injection ##### Template injection refers to a technique in which threat actors embed a script moniker in the lure document—usually a Microsoft Office document—that contains a link to a malicious Office template via an XML setting. Upon opening the document, the remote template is dropped and executed. Kimsuky and Gamaredon are examples of APTs using template injection. Kimsuky Kimsuky (also known as Velvet Chollima) is a NorthKorean threat actor group that has been active since 2013 and is known to be behind the KHNP (Korea Hydro & Nuclear Power) cyber terrorism attacks of 2014[1]. The group mainly targets Korean think tanks, DPRK/nuclearrelated targets, and several US firms with the main goal of delivering malicious payloads to its targets and stealing web application accounts. Starting in early March 2020, Kimsuky began using spear phishing emails with COVID-19 in the subject line as its initial infection vector. The emails contain malicious documents weaponized with CVE-2017-0199[2]. This vulnerability allows remote code execution by exploiting a flaw in the Microsoft Office OLE interface to deliver malware. Figure 2: Malcious document after enabling content Upon opening the document, a prompt asks victims to “enable content” to show information about the coronavirus. After enabaling the content, a script moniker “in word/_rels/setting[.]xml[.]rels” is triggered and drops a Microsoft document template called web.dotm from the following url: **http://crphone[.]mireene[.]com/plugin/editor/** **Templetes/normal.php?name=web** Figure 3: setting.xml.rels content Figure 1: Malicious document used as a lure ----- The “web.dotm” has an embedded macro which is designed to target Mac users (Figure 4). This macro also runs on Windows OS, however, it only executes its main malicious functionality on a Mac. There is an “If statement” that checks the operating system and executes a remote Python script called “Secured.APP”. Figure 4: Malicious macro embedded in web.dotm Figure 5 shows the content of “Secured.APP”, which executes the second stage Python script. Based on the directory information provided in this script, it seems it is targeting users with Microsoft Office version 2016 or earlier. Figure 5: Secured.APP ----- The second payload, as depicted in Figure 7, is spyware that collects information by running several commands and sending the collected data to its C&C server. The main function is “SpyLoop”, which collects and sends device/user information in an infinite while loop. The list of collected information, stored in separate files (Figure 6), is as follows: - Architecture info - System info - Apple Pay - Audio - Bluetooth - Camera - External network info - Firewall - Hardware info - Language and region - List of running processes - List of installed Applications - List of files in Documents/Downloads/Desktop directory - List of volumes - List of users Figure 6: Content of collected information The directory is then compressed with a password (“doxujoijcs0qei09213@#$@”) and uploaded as a zip file in an http request as shown in Figure 7. ----- Figure 7: Second Python script The next function in the loop is “ExecNewCommand”, which is likely used to download additional content. It then sleeps for five minutes and repeats the same process. At time of writing, it only responded with a “200 OK”. ----- ##### Gamaredon Gamaredon is a Russian APT that primarily performs cyber espionage operations against Ukrainian military forces, as well as individuals related to the Ukrainian government. Gamaredon has been active since 2013 and often uses spear phishing as its initial infection vector. Between March 23 and 25, Gamaredon sent phishing emails using the COVID-19 theme and employed remote template injection within their lure, a Microsoft Word document written in Russian. (Figure 8). Upon opening the document, a remote template is dropped from the link provided in the XML setting (Figure 9). We were not able to retrieve this template at time of publishing, but found other similar templates used by this APT days before this campaign and realized they are using similar malicious macros. Figure 10 shows an example of such a macro. Instead of executing the malicious behavior upon opening the document (using the “auto_open” function), the malicious macro in this document is executed in the “Document_close” function. This could be to bypass dynamic analysis if the document is not closed before the sandbox times out. The macro collects the computer name, home drive’s label/serial number, and BIOS information (using WMI) and sends it to a hardcoded C2 server with this format: **http://Server/ComputerName_DriveSerialNumber/** **BiosVersionInfo** Figure 9: Template injection Figure 8: Lure document ----- It then creates a VBS script in the %APPDATA% directory and makes it persistent by copying it into the startup directory. In addition to the mentioned items, the script also collects keyboard layout and country code and checks whether Process explorer or Wireshark are running on the system. Figure 10: Macro embedded in template The APT group then drops its custom backdoor “Pterodo” that is capable of downloading other malware variants and collecting sensitive information[3]. ----- ## Malicious Macros ##### Embedding malicious macros is the most popular method of infection used by APTs. In this attack vector, a macro is embedded in the lure document that will be activated upon its opening. In the following sections, we look at APTs using this method in their COVID-19 lure. Kimsuky In the previous section, we mentioned that Kimsuky is using template injection to infect Mac users. We also observed this actor using COVID-19-themed malicious macros to target Windows users mostly in South Korea[4]. (Figure 11): Figure 11: Malicious document targeting Windows users ----- The malicious macro is obfuscated, as shown in Figure 12: Figure 12: Malicious obfuscated macro After de-obfuscating the script, we can see the value stored in the content variable as: This uses “mshta” to execute a malicious search.hta file from its server. The content variable is then executed by Wscript. The “Search.hta” contains a script that downloads another script. The downloaded script is spyware that collects sensitive information, such as IP addresses, usernames, list of processes, RDP information, and Outlook information and sends it back to the server. ##### Konni (APT37) Konni is a North Korean APT that has been active since 2012 and is known to target South Korean organizations in the chemicals, electronics, manufacturing, aerospace, automotive, and healthcare industries. In 2017, the group expanded its operations, targeting organizations in several other countries, such as the US, Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and countries in the Middle East. Recently, researchers found several communalities between this APT and Kimsuky, showing there is a close tie between these two groups[5]. Konni is known to use spear phishing emails, strategic web compromises, and torrent file-sharing sites to compromise its victims. In mid-March, they began sending spear phishes with COVID-19 warnings, ironically advising readers to watch out for North Korean cybercrime spikes related to the spread of the virus. Figure 13 shows the lure document, named “Keep an eye on North Korean cyber.doc”: Figure 13: Lure document ----- The embedded macro in this document includes an encrypted executable code that is XOR decoded and stored in the “C\Users\UserName\” directory (Figure 14). The dropped executable is a downloader for their popular Konni Remote Access Trojan (RAT) downloaded from[6]: **http://phpview[.]mygamesonline[.]org/3.dat** Figure 14: Embedded macro ----- ##### APT36 APT36 is another threat group that has employed macro-embedded COVID-19 themes in their recent campaigns. The group is believed to be Pakistani state-sponsored, mainly targeting the defense, embassies, and government of India.[7] Their coronavirus attacks began on March 12 and included phishing emails with attached malicious documents, which dropped Crimson RAT payloads on victim machines. ##### Patchwork Patchwork, also known as Dropping Elephant, Chinastrats, APT-C-09, and Quilted Tiger, is an Indian threat actor that has been active since 2013. The primary targets of this APT are organizations related to diplomatic and government agencies in China, Japan, the Middle East, the UK, the US, Bangladesh, Sri Lanka, and Pakistan. Patchwork mainly uses spear phishing methods to gain access to victims’ machines. In early February, Patchwork began sending phishing emails with a COVID-19 theme, using malicious Excel documents to target Chinese organizations (Figure 15). Figure 15: Lure document ----- The embedded macro (Figure 17) is simple: It downloads a script from the URL embedded as a formula in column “X”, row “100”. (Figure 16). Figure 16: Url embedded in the cell Figure 17: Macro The downloaded Scriptlet “window.scr” (Figure 18) is responsible for dropping and executing another payload, which is a custom backdoor developed by the actor. Figure 18 window.scr ----- ##### Hades Hades is the APT group behind the attack against the Pyeongchang Winter Olympics. Evidence suggests that this group is connected to the well-known Russian threat actor APT28[8]. In their recent campaign called Tricky Mouse, Hades targeted Ukrainian users using COVID-19 lures[9, 10]. The attack started by sending a macro-embedded document to victims (Figure 19). The embedded macro (Figure 20) decodes and drops a RAT executable into the victim’s machine. Figure 20: Embedded macro Figure 19: Hades lure document ----- The RAT is dropped in the local user directory as “conhost.exe”. That RAT is a .NET executable obfuscated by “Eazfuscator.net” (Figure 21): Figure 21: Hades RAT After de-obfuscation. we saw that the RAT had several functionalities, such as collecting system and user information, taking screenshots, and logging keystrokes. The “Kdaapk” module is responsible for performing C&C communications. The C&C URL is hardcoded within this module as you can see in Figure 22: Figure 22: Hades RAT after deobfuscation ----- ##### TA505 TA505 is an APT group that started its activity by distributing the Dridex banking Trojan on mass scale in 2014[11]. The group is considered unique, as it’s a financially-motivated team of threat actors that uses a wide variety of malware families. Starting on March 9th, TA505 used malicious macros in their COVID-19 themed documents, which included Microsoft Excel spreadsheets. Figure 23 show such a document after enabling its content: Figure 23: Lure document As you can see in Figure 24, upon opening the document, a progress bar dialog box pops up (UserForm1_show). The dialog box is used to confuse the user while the main malicious functionality is located in the popped-up dialog box activate function (Figure 25). Figure 24: Embedded macro ----- Activate()” function is executed, which calls “Nlgebredneh()” function: Figure 25: Trigger function of the dialog box The “Nlgebredneh()” function drops “paper.xls” in the “%APPDATA%” temp directory and extracts “oleobject1. bin” from “paper.xls”. In the next step, it decrypts the content of “oleobject1.bin” into “reinforce.dll” in the “%APPDATA%/Microsoft/Windows/Templates” directory. Finally, it executes the DLL file. Figure 26: The “Nlgebredneh” function The DLL file is a small downloader that decrypts the next payload into memory. The downloader drops additional malware families associated with TA505, such as banking Trojans and RATs. ----- ##### TA542 TA542 (Mummy Spider) is a Russian-speaking threat actor group behind the distribution of Emotet, which was first seen in the wild in 2014[12]. At first, TA542 used modules from the Feodo banking Trojan, but over time developed their malware with modular architecture adding new capabilities. Since the emergence of COVID-19, TA542 has started using coronavirus themes in various email distribution campaigns. Malicious documents distributed by the actor have embedded macros that act as a downloader for Emotet malware[13]. ##### Bitter Bitter is suspected to be a south Asian APT group targeting Pakistan and China since 2015[14]. According to other security researchers, this group has also used COVID-19 themes to target China[15]. Macro-embedded documents distributed by this group download and drop a variant of its custom RAT that has been written in .Net. Unfortunately, we were not able to retrieve any sample related to this campaign. ##### Ocean Lotus APT32 (Ocean lotus, Sea Lotus) is a Vietnamese APT that has been active since 2014. The group has targeted private sectors as well as governments and journalists from Australia, Brunei, Cambodia, China, Germany, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand, the US, and Vietnam. Ocean Lotus has used strategic web compromises and spear phishing to gain foothold into victims’ machines[16]. Ocean Lotus also used malicious macro-embedded documents with COVID-19 themes to target China, starting February 19. In this attack, the malicious document dropped the “Denis” Trojan, a malware family that has been developed by this group[17]. ----- #### RTF exploit ##### RTF is a flexible text format that was introduced by Microsoft a long time ago. The flexibility of embedding any object type within makes RTF files vulnerable to many OLE objects related vulnerabilities. Several threat actors, especially Chinese ones, use RTF files in their campaigns. Among them are the Calypso group and Winnti threat actors who have used RTF files in their COVID-19 campaigns. Calypso Group Calypso is a Chinese APT group that has been performing cyber espionage operations since 2016[18, 19]. The group has targeted governments in Brazil, India, Kazakhstan, Russia, Thailand, Belarus, Mongolia, and Turkey. In the new campaign, called Vicious Panada, Calypso Group has targeted the Mongolian public sector by sending malicious RTF files to victims disguised as COVID-19 related documents[20]. The RTF file has been weaponized with the Royal Road RTF weaponization tool. The tool is known to be used by several Chinese actors and has the capability to embed objects within RTF files that exploit vulnerabilities related to Microsoft Equation Editor. (CVE-2017-11882, CVE-2018-0798, CVE-2018-0802)[21]. In this campaign, the RTF file exploits the equation editor vulnerability to drop “intel.wll” into the “AppData/ Roaming/Microsoft/Word/STARTUP/” directory (Figure 27). “intel.wll” is then executed each time the Microsoft Word application is launched. This DLL downloads additional payloads, including a backdoor with several capabilities, such as taking screen shots, executing new processes, or collecting system information. Figure 28: RTF file embedding k.dll ----- Looking at the Equation Native Stream, we can see that this DLL is made persistent by using the run registry key “Microsoft\Windows\CurrentVersion\Run” (Figure 29). In this case, “k.dll” is executed each time the system reboots. Figure 29: Equation native stream A code similarity check between “k.dll” and “intel.wll” showed that both have similar functionalities and the same exported function named “Engdic”. ##### Chinese actor (Winnti) Another Chinese threat actor that used the Royal Road weaponization framework with a COVID-19 theme recently dropped a backdoor variant named Chinoxy by exploiting the equation editor vulnerability[22, 23]. Some evidence suggests that Winnti is the actor behind this campaign, but we cannot confirm it[22, 24, 25]. ----- #### Malicious LNK files ##### LNK files are shortcut files used by Microsoft Windows. They are considered a Shell item type that can be executed. From 2013 on, attackers have used malicious LNK files to infect their victims. A few APTs started using malicious LNK with COVID-19 themes from late February to mid-March to ensnare victims. Mustang Panada Mustang Panda is a Chinese threat actor that has targeted NGOs (non-government organizations) since 2017. The group’s main targets are US think tanks and NGO organizations in Mongolia. Mustang Panda uses spear phishing emails to initiate its attacks and usually drops either Poison Ivy or the PlugX RAT[26, 27]. In their COVID-19 phishing campaign, Mustang Panda sent an LNK file containing a malicious HTA application, which contained a VB script (Figure 30). Figure 30: HTA file ----- In the properties of this LNK file, there is a command that will be executed when the file is opened (Figure 31). Figure 31: Command The command calls “mshta.exe” to execute the HTA application that drops and runs a payload. The payload has a resource that is dropped in the victim’s machine. The final payload in this campaign is either a variant of PlugX RAT or Cobalt Strike. ##### Higaisia Anomali has reported another threat group called Higaisia using malicious LNK files to perform malicious operations using COVID-19 themes. The actor sends an LNK file disguised as a PDF via spam campaigns. After opening the LNK file, an actual PDF file is opened[28]. It is assumed that the group behind this campaign is a North Korean actor targeting English speaking people/ organizations[28]. Opening the LNK file leads to execution of the command embedded in the property section (Figure 32). The command decodes an embedded base64 payload and drops it into the victim’s machine. Figure 32: Command The dropped payload is a cabinet file that contains multiple files. The content of the cabinet file is extracted using the legitimate Windows executable “extract.exe”. From there, multiple stages are executed and finally, a variant of the PlugX RAT is dropped. ----- #### Conclusion ##### In this report, we provided an overview of various APT groups using the COVID-19 pandemic as a theme in several different types of malicious campaigns to increase the odds of their attacks’ success. This shows that threat actors are closely monitoring public events happening around the world, and quickly employing those themes in attack vectors to take advantage of the opportunity. We expect that in the coming weeks and months, APT threat actors will continue to leverage this crisis to craft phishing campaigns using social engineering techniques and other malicious tactics embedded into lure documents to compromise their targets. The Malwarebytes Threat Intelligence team is monitoring the threat landscape and paying particular attention to attacks trying to abuse the public’s fear of the COVID-19 crisis. Our business and consumer customers are protected from these attacks and more, thanks to our multi-layered detection engines. For more information about the threat landscape or how our products thwart advanced attacks, feel free to get in [touch with us at intel@malwarebytes.com.](mailto:intel%40malwarebytes.com?subject=) ##### Sources 1. [Online]. Available: https://www.virusbulletin.com/conference/vb2019/ abstracts/kimsuky-group-tracking-king-spear-phishing. 2. [Online]. Available: https://blog.trendmicro.com/trendlabs-securityintelligence/cve-2017-0199-new-malware-abuses-powerpoint-slide-show/. 3. [Online]. Available: https://www.scmagazine.com/home/security-news/ gamaredon-like-fancy-bear-and-cozy-bear-steps-up-cyberattacks-againstukraine-others/. 4. [Online]. Available: https://mp.weixin.qq.com/s/ZpNK_ACZSa8HD75z8wIBgw. 5. [Online]. Available: https://blog.alyac.co.kr/2347. 6. [Online]. Available: https://blog.talosintelligence.com/2017/05/konni-malwareunder-radar-for-years.html. 7. [Online]. Available: https://blog.malwarebytes.com/threat-analysis/2020/03/ apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/. 8. [Online]. Available: https://securelist.com/apt-trends-report-q2-2019/91897/. 9. [Online]. Available: https://mp.weixin.qq.com/s/o6KC0k43AuOY5F8FKGbmMg. 10. [Online]. Available: https://ti.qianxin.com/blog/articles/coronavirus-analysisof-global-outbreak-related-cyber-attacks/. 11. [Online]. Available: https://www.proofpoint.com/us/threat-insight/post/threatactor-profile-ta505-dridex-globeimposter. 12. [Online]. Available: https://www.proofpoint.com/us/threat-insight/post/ threat-actor-profile-ta542-banker-malware-distribution-service. 13. [Online]. Available: https://www.tenable.com/blog/covid-19-coronavirusfears-seized-by-cybercriminals. 14. [Online]. Available: https://www.anomali.com/blog/suspected-bitter-aptcontinues-targeting-government-of-china-and-chinese-organizations. 15. [Online]. Available: https://s.tencent.com/research/report/944.html. 16. [Online]. Available: https://s.tencent.com/research/report/860.html. 17. [Online]. Available: https://attack.mitre.org/software/S0354/. 18. [Online]. Available: https://www.ptsecurity.com/ww-en/analytics/calypso-apt2019/#id1. 19. [Online]. Available: https://malpedia.caad.fkie.fraunhofer.de/actor/calypso_ group. 20. [Online]. Available: https://research.checkpoint.com/2020/vicious-panda-thecovid-campaign/. 21. [Online]. Available: https://nao-sec.org/2020/01/an-overhead-view-of-theroyal-road.html. 22. [Online]. Available: https://malpedia.caad.fkie.fraunhofer.de/details/win. chinoxy. 23. [Online]. Available: https://medium.com/@Sebdraven/new-version-of-chinoxybackdoor-using-covid19-document-lure-83fa294c0746. 24. [Online]. Available: https://www.virustotal.com/gui/ file/30115717d20e469e7c4bf45489f6c6d8810f32b1b68b6aa4b0ffcb21764ea99c/ community. 25. [Online]. Available: https://blog.cyberint.com/covid-19-ongoing-cyberupdates. 26. [Online]. Available: https://attack.mitre.org/software/S0012/. 27. [Online]. Available: https://attack.mitre.org/software/S0013/. 28. [Online]. Available: https://www.anomali.com/blog/covid-19-themes-arebeing-utilized-by-threat-actors-of-varying-sophistication. malwarebytes.com/business corporate-sales@malwarebytes.com 1.800.520.2796 Malwarebytes is a cybersecurity company that millions worldwide trust. Malwarebytes proactively protects people and businesses against malicious threats, including ransomware, that traditional antivirus solutions miss. The company’s flagship product uses signature-less technologies to detect and [stop a cyberattack before damage occurs. Learn more at www.malwarebytes.com.](http://www.malwarebytes.com/business) -----