[Blog Home (https://researchcenter.paloaltonetworks.com/) > Unit 42 (https://researchcenter.paloaltonetworks.com/unit42/)](https://researchcenter.paloaltonetworks.com/) - Comnie Continues to Target Organizations in East Asia # Comnie Continues to Target Organizations in East Asia [By Josh Grunzweig (https://researchcenter.paloaltonetworks.com/author/josh-grunzweig/)](https://researchcenter.paloaltonetworks.com/author/josh-grunzweig/) January 31, 2018 at 5:00 AM [Category: Unit 42 (https://researchcenter.paloaltonetworks.com/unit42/)](https://researchcenter.paloaltonetworks.com/unit42/) [Tags: Comnie (https://researchcenter.paloaltonetworks.com/tag/comnie/)](https://researchcenter.paloaltonetworks.com/tag/comnie/)  1,606 (2) (https://twitter.com/home? [status=https%3A%2F%2Fresearchcenter.paloaltonetworks.com%2F2018%2F01%2Funit42-comnie-continues-](https://twitter.com/home?status=https%3A%2F%2Fresearchcenter.paloaltonetworks.com%2F2018%2F01%2Funit42-comnie-continues-target-organizations-east-asia%2F+Comnie+Continues+to+Target+Organizations+in+East+Asia) target-organizations-east-asia%2F+Comnie+Continues+to+Target+Organizations+in+East+Asia)  (https://www.facebook.com/sharer/sharer.php? u=https%3A%2F%2Fresearchcenter.paloaltonetworks.com%2F2018%2F01%2Funit42-comnie-continuestarget-organizations-east-asia%2F)  (https://www.linkedin.com/shareArticle? mini=true&url=https%3A%2F%2Fresearchcenter.paloaltonetworks.com%2F2018%2F01%2Funit42-comniecontinues-target-organizations-eastasia%2F&title=Comnie+Continues+to+Target+Organizations+in+East+Asia&summary=&source=) (//www.reddit.com/submit) Unit 42 has been tracking a series of attacks using a remote backdoor malware family named Comnie, which have been observed targeting organizations in the East Asia region. Comnie, first named by Sophos seemingly after the Windows LNK file name it created, is a custom malware family that is used in targeted attacks, and has been observed in the wild since at least April 2013. The Comnie malware family is notable in that it leverages online blogs and third-party services to obtain command and control (C2) information. Recent instances of the malware have been observed leveraging github.com, tumbler.com, and blogspot.com. Attackers using Comnie are leveraging malicious macros that initially hide decoy documents and shows them when the victim enables macros. These decoys documents pertain to various subject matters that the targets would be likely to be interested in. The contents of these documents suggest that the main interests of threat actor likely included the organizations in the following industries, located in Taiwan: Telecommunication Defense Government High Tech The most recent attacks, in November 2017, likely targeted organizations in the following industries, located in South Korea: Aerospace Defense Additionally, while researching this campaign, we identified historical attacks that appear to target the Taiwan government, an IT service vendor based in Asia, and a journalist of a Tibetan radio station. ### Activities Involving Comnie Beginning in mid of 2015, we observed the Comnie malware family delivered via malicious macros with various file names and decoy subject matters. Original file names, as well as information revealed within the decoy documents used by these samples provide clues as to who the targets may be. In the most recent attacks in November 2017, the information suggests that these attacks have most likely taken place against Aerospace and Defense industry targets in South Korea. ----- |Original File Name|Translation|Decoy|Location|Most Likely Target| |---|---|---|---|---| |관계기관번 호.xls|Affiliate numbers.xls|Affiliate phone numbers for a South Korean international airport|KR|Aerospace| |PBCS_관련 _현황_보 고.doc|PBCS_related_status_report.doc|Report on the status of Performance- Based Communication and Surveillance (PBCS)|KR|Aerospace Defense| The following decoy contents are only shown to the victim after macros have been enabled: _Figure 1 Decoy document discussing an airport contact list in Korean_ ----- Before the attacks against South Korean targets, the same malicious macros were used to deliver the Comnie malware family to targets in Taiwan as early as 2015. Again, based on the original file names and the decoy contents, the most commonly witnessed targets in attacks that occurred in 2017 included those involving the Telecommunication, Defense, and High-Tech industries in Taiwan. **Original File** **Translation** **Decoy** **Location Most Likely** **Name** **Target** 1060315 本部 1060315 Defense Industry TW Defense 發言參考.doc Headquarters Development Speech Strategy Reference.doc 轉給苦逼的網管 Passing to cool Network TW High Tech 兄弟.doc fellow network administration Telecommunication administrators.doc jokes 2.SC OAM 2.SC OAM Network topology TW High Tech Firewall Firewall diagrams Telecommunication Policy_0306.xls Policy_0306.xls _Figure 3 Decoy document discussing Taiwan’s defense industry development strategy_ |Original File Name|Translation|Decoy|Location|Most Likely Target| |---|---|---|---|---| |1060315 本部 發言參考.doc|1060315 Headquarters Speech Reference.doc|Defense Industry Development Strategy|TW|Defense| |轉給苦逼的網管 兄弟.doc|Passing to cool fellow network administrators.doc|Network administration jokes|TW|High Tech Telecommunication| |2.SC OAM Firewall Policy_0306.xls|2.SC OAM Firewall Policy_0306.xls|Network topology diagrams|TW|High Tech Telecommunication| ----- (https://researchcenter.paloaltonetworks.com/wp-content/uploads/2018/01/figure4_comnie.png) _Figure 4 Network firewall configuration description for a major telecommunication company in Taiwan_ _Figure 5 Decoy document providing network topology information_ It is worth noting that in the attack that made use of the decoy document in Figure 4, the attacker also included related firewall logs and appears to have originated from a compromised an IT service vendor. Looking at earlier attacks between 2013 and 2016, we believe Comnie was also used in targeted attacks against the following individuals or organizations: ----- Journalist of a Tibetan radio station (https://researchcenter.paloaltonetworks.com/wp-content/uploads/2018/01/figure6_comnie.png) _Figure 6 Email sent to Journalist of Tibetan radio station_ ### Malicious Macros The malicious macro documents used to deliver Comnie initially hide the content inside and requests that the user enables macros prior to viewing the document. Once the user enables macros, the macro will perform the following actions: 1. Displays decoy content 2. Checks for the existence of a file at %APPDATA%⧵wscript.exe 3. If %APPDATA%⧵wscript.exe does not exist, the macro converts an embedded hex-encoded string into bytes and saves this data to the %APPDATA%⧵wscript.exe. 4. Executes the newly created wscript.exe payload ----- _Figure 7 Example macro used to delivery Comnie_ An interesting discovery was made when examining the macros used to deliver Comnie. Based on evidence gleaned from both the macro and other data collected from the samples, it appears that the threat actor did not generate these documents from scratch. Instead, they appear to have been created based on an existing sample available via public sample repositories. The existing sample in question was created by a red team penetration tester at a financial institution for internal testing. The following image shows a comparison of macro code extracted from Comnie dropper and financial institution’s penetration test sample. _Figure 8 Comparison of macros extracted from Comnie dropper versus a pentest sample used by a financial organization_ ### Comnie Malware Family Comnie uses the RC4 algorithm in multiple locations both to obfuscate strings used by the malware, as well as for network communication. Additionally, the malware looks for multiple security products on victim machines and sometimes alters its behavior depending on the products present. More information about how Comnie handles identified security products may ----- Comnie is able to achieve persistence via a .lnk file that is stored within the victim’s startup path. When originally run, Comnie will convert itself from an executable file to a DLL and will write this newly created DLL to the host machine’s %APPDATA% directory. The built-in Windows utility rundll32.exe is then used to load this DLL by the original .lnk file. Unit 42 has observed a total of two variants of Comnie. One of the ways the variants differ is in how they obtain their command and control (C2) information. Both variants make use of third-party online services in an attempt to prevent DNS based blocking of their first stage communications. However, the obfuscation mechanism varies slightly. In older variants, Comnie was found to look for the ‘++a++’ markers. The example C2s used by older variants of Comnie demonstrates this: _Figure 9 Old Comnie variants collecting C2 information_ Please refer to the Appendix for a script that may be used to decode C2 information from the older Comnie variants. Newer Comnie variants, such as the ones witnessed in the most recent attacks, instead look for the ‘magnet:/’ and ‘?’ markers, such as in the following recent example: _Figure 10 New Comnie variants determining their C2 information via a GitHub profile._ After Comnie collects the remote C2 information, it will communicate with these remote servers using HTTP requests. These requests are encrypted using the RC4 algorithm. Comnie will upload information about the victim. It also allows the attacker to provide and subsequently execute a batch script (BAT), executable file (EXE), or dynamic-link library (DLL). More detailed information about how C2 information is decoded and additional technical analysis of Comnie may be found in the Appendix. ----- ### Conclusion Comnie is far from a new threat, however, it continues to remain active. In the past year, we have observed multiple low volume attacks in various regions of East Asia. Based on clues provided by the malware’s original file names, as well as the decoy content embedded within these samples, we can make a reasonable estimation that these attacks targeted organizations in Taiwan in the Telecommunication, Defense, Government, and High-Tech industries. Additionally, those same estimations may be made for attacks in South Korea targeting the Aerospace and Defense industries. While we have witnessed modifications to the attacker’s toolsets, the overall architecture and operations of the Comnie malware family have remained consistent, suggesting that the attackers have been able to stay below the radar of the security community. The Comnie malware family is notable in that it leverages third-party online services to download and parse C2 information. Because these third-party online services are legitimate, it allows Comnie to circumvent a number of security preventions that may be present in the environment. This overall technique has previously been referred to as using a “Dead Drop [Resolver” or DDR. (https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Barlaiy.A!dha) Name=Trojan:Win32/Barlaiy.A!dha) Palo Alto Networks customers are protected from this threat in the following ways: All identified samples have been flagged as malicious by WildFire and Traps Customers may track this threat using the ‘Comnie’ AutoFocus tag Traps appropriately catches the macro execution from the malware and prevents it Additionally, blogspot, tumblr, and github have been alerted to the malicious activity discovered. ### Appendix Comnie Technical Analysis For the analysis of the Comnie malware family, we investigated the following sample: **SHA256** 18ec68e1bd9b11f22e481d48c415f8d80edb76e9032ba4e1d31d87e16eed9959 When the sample is initially executed, it will attempt to create a mutex with a name of ‘tmutexabc’ to ensure only a single instance of Comnie is running at a given time. Should this mutex already be found to exist, the malware will immediately exit. Comnie continues to load an embedded bitmap (BMP) file and decrypt data at offset 0x512. _Figure 11 Embedded BMP file containing encrypted string data_ RC4 is used to decrypt this data using a 16 byte key that is stored within the BMP file at offset 0x502 Once decrypted we |SHA256|18ec68e1bd9b11f22e481d48c415f8d80edb76e9032ba4e1d31d87e16eed9959| |---|---| ----- _Figure 12 Decrypted strings from embedded BMP file_ After these strings are decrypted, the malware will load a series of Microsoft Windows API calls to be used later on. After these functions are loaded, Comnie determines if it is running within the %TEMP% directory of the victim machine. In the event it is not running within this directory, it will copy itself to %TEMP% and execute this newly created file with an argument of the original file’s path. A total of 64MB of garbage data is appended to this copied file, likely as a way to deter any security products in place that may be scanning files on disk. After running within the %TEMP% path, Comnie will delete the original file. After Comnie has been copied to the %TEMP% directory, it will look for the presence of the ‘DQuit.tmp’ file in this path. It is unclear how this file is used exactly, as it does not appear to ever be written during runtime by Comnie. Comnie continue to enter its installation routine. In doing so, it will attempt to detect the following Anti-Virus products via various techniques: Trend Micro Kaspersky Symantec Avira AVG ALYac Ahnlab Ahnlab and ALYac are the most widely used Anti-Virus solutions in South Korea (http://www.dt.co.kr/contents.html? article_no=2017102502101260041001), and Trend Micro and the rest are also known to be most widely used in Taiwan. These are in-line with the targeting of the victims witnessed by the attackers using Conmie. With a few exceptions, Comnie will perform the following actions regardless of what security product, if any, is discovered: Convert itself to a temporary DLL with a default export of ‘Dm’ in the %TEMP% directory. If running with administrator privileges on a 32-bit host: Copy the temporary DLL in %TEMP% to %WINDOWS%⧵LINKINFO.dll Otherwise: Copy the temporary DLL in %TEMP% to %APPDATA%⧵cnagnt.dll Delete the temporary DLL in %TEMP% Write a ‘Conime.lnk’ file in the user’s startup path. This shortcut file points to ‘C:⧵Windows⧵system32⧵rundll32.exe “%APPDATA%⧵cnagnt.dll”,Sd’ ----- p p y p Additionally, in the event Kaspersky is detected, the malware will immediately run the ‘Conime.lnk’ shortcut file in a new process after it is created. After the installation routine, the malware will decrypt an embedded blob of data using RC4 with an embedded 8-byte static key of ‘⧵x11⧵xcc⧵xd1⧵x32⧵x61⧵x21⧵xd1⧵xe2’. The results of the decoded data may be seen below: _Figure 13 Decrypted information_ The decrypted data contains URLs for various online services that will be used by the attacker for downloading data that will contain the command and control (C2) server(s) and port(s) to be used by Comnie. Comnie will make requests to these URLs, looking for base64-encoded data after an identifier of ‘magnet:/’, as seen in the example below: _Figure 14 GitHub storing Comnie C2 information_ In the example above, the C2 information is being stored within the user’s URL parameter within GitHub. In order to decode this data, Comnie first decodes it using base64 with the following non-standard alphabet (note that it is simply the original alphabet in reverse): /+9876543210zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA ----- p y g g, g p p yp g mailto:121.126.211[.]94:8080;80;80 The following Python script may be used to decode the C2 data used by the newest Comnie variant: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 import base64 import sys import re from string import maketrans from struct import * import requests def rc4_crypt(data, key): S = range(256) j = 0 out = [] for i in range(256): j = (j + S[i] + ord( key[i % len(key)] )) % 256 S[i], S[j] = S[j], S[i] i = j = 0 for char in data: i = ( i + 1 ) % 256 j = ( j + S[i] ) % 256 S[i], S[j] = S[j], S[i] out.append(chr(ord(char) ^ S[(S[j] + S[i]) % 256])) return ''.join(out) def decode(data): o = "" for d in data: od = ord(d) o += chr((4 * (16 * od | od & 0xC) | (((od >> 4 | od & 0x30) >> 2))) & 0xFF) return o base64fixTable = maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"[::-1], "ABCDEFGHIJKLMNOP QRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"); def trans(string): return str(string).translate(base64fixTable) def altdecode(string): return base64.b64decode(trans(string)) req = requests.get(sys.argv[1]) fd = req.text original_data = re.search("magnet:/\?([^\?]+)\?", fd).group(1) parsed_data = altdecode(original_data) dataLength = unpack(" %TEMP%\info.dat ipconfig /all >> %TEMP%\info.dat route PRINT >> %TEMP%\info.dat net view >> %TEMP%\info.dat tasklist >> %TEMP%\info.dat net user >> %TEMP%\info.dat net start >> %TEMP%\info.dat This script is written to a temporary file prior to be executed. The results of this BAT script are uploaded to the remote C2 server. ### Old Comnie Variant C2 Decoder 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 import requests import sys import re def decode(data): o = "" for c in data: if c == "*": o += "." elif c == "|": o += ":" elif c == "+": o += ";" else: o += chr(ord(c)-49) return o r = requests.get(sys.argv[1]) fd = r.text data = fd.split("++a++")[1].split("++a++")[0] print(decode(data)) ### Samples Analyzed eed5945c36ba22a2531dd2d9dd7bc4e17e68544d512be75670919caf287c1b4a 8026442b812469e48ccd11611ab6eacdcb312a8f1aabd563b7f4cb4868315e16 c8951038fd53321661274e5a12532c3fb6f73c75fd75503a1089c56990658fef 48a1ce103e5bf47c47cc5ed40b2dc687ebaf3674d667419287bcb1d0b8d8dda6 ----- bf6ee8426245b167a69292e513c0841d818b310dda87daea649221f4e0afd1b3 62b98dde60cb4dd0d0088bde222c5c2c4c92560cccf4753f1ce94e044093ab85 756952652290ad09fe03c8674d44eab2077b091398187c3abcb6f1ddc462c32d 639a49390c6f8597d36ec0bd245efa1b4a078c0506fb515e577a40389b39a614 29ed6eb3c882b018c2bb6bf2f8eb15069dc5510ca119abebf24f09e3c91f10aa 0e8a4e4d5ca501bad25a730fb5de534fa324c6ac23e0a573524693f2d996d105 316a0c6849f183a1a52d0c7648e722c4ca85bd57b0804a147c0c8656b84bbdb9 ### Identified C2s 121.126.211[.]94:8080 113.196.70[.]11:80,8080 133.130.101[.]47:443 123.51.208[.]157:443;8000;8080 ### C2 Hosting URLs (DDR URLs) github[.]com/korlee5643 itsmonsee.tumblr[.]com allworldnewsway.blogspot[.]com ##### Got something to say? Leave a comment... **Notify me of followup comments via e-mail** Name (required) Email (required) Website SUBMIT ----- Email SUBSCRIBE **COMPANY** [Company (https://www.paloaltonetworks.com/company)](https://www.paloaltonetworks.com/company) [Careers (https://www.paloaltonetworks.com/company/careers)](https://www.paloaltonetworks.com/company/careers) [Sitemap (https://www.paloaltonetworks.com/sitemap)](https://www.paloaltonetworks.com/sitemap) [Report a Vulnerability (https://www.paloaltonetworks.com/security-disclosure)](https://www.paloaltonetworks.com/security-disclosure) **LEGAL NOTICES** [Privacy Policy (https://www.paloaltonetworks.com/legal-notices/privacy)](https://www.paloaltonetworks.com/legal-notices/privacy) [Terms of Use (https://www.paloaltonetworks.com/legal-notices/terms-of-use)](https://www.paloaltonetworks.com/legal-notices/terms-of-use) **ACCOUNT** [Manage Subscription (https://www.paloaltonetworks.com/company/subscriptions)](https://www.paloaltonetworks.com/company/subscriptions) ##  (https://www.linkedin.com/company/palo-alto-networks)  (https://www.facebook.com/PaloAltoNetworks/)  (https://twitter.com/PaloAltoNtwks) (https://ignite.paloaltonetworks.com/usa/? CampaignId=7010g000001IH8U&utm_content=Ignite18USA&utm_medium=390x90banner&utm_source=website) © 2016 Palo Alto Networks, Inc. All rights reserved. SALES > 888.219.8447  SEE A DEMO  [TAKE A TEST DRIVE (HTTP://CONNECT.PALOALTONETWORKS.COM/VIRTUAL-UTD)](http://connect.paloaltonetworks.com/virtual-utd) ----- -----