# “LuoYu”

###### The eavesdropper sneaking in multiple platforms

Leon & Shui

-----

###### Speakers’ Bio

- Shui is a cyber threat analyst working for TeamT5. Holding a master’s degree from Johns Hopkins SAIS, she has a keen eye for international affairs. She mainly works on cyber espionage campaign tracking and is involved in underground market research.
- Leon is a cyber threat analyst in the Cyber Threat Intelligence team at TeamT5. His major areas of research include APT campaign tracking and malware analysis. He has previously participated in information security diagnosis services for government and financial institutions and in research on vulnerabilities in IoT devices.

-----

### AGENDA

1. The LuoYu Threat Group Overview
2. Activity Timeline
3. ReverseWindow Analysis
4. Case Study
5. Key Takeaway

-----

###### The LuoYu Group Overview

-----

### The name: 蠃魚 (LuoYu)

- 蠃魚 (LuoYu) is a Chinese mythological creature.
- 蠃魚,魚身而鳥翼,音如鴛鴦,見則其邑大水。
- Translation: a fish with a pair of wings; when it appears, floods always follow.

-----

- Origin: China
- Malware: ReverseWindow, WinDealer, SpyDealer
- Target industries: Technology, Media, Education
- Target areas: **China**, **Hong Kong**, **Japan**, **Korea**, **Taiwan**

-----

### Goal

- Attack messaging apps
- Collecting information from dissidents?

-----

###### Activity Timeline

-----

### 2014-2017: China focused

- 2014-2017: spying apps circulating in the wild
- Android malware spying on apps

-----

### 2017-now: Expand to East Asia

- Apr. 2017: University in Hong Kong
- Jun. 2017: IT company in China
- May 2019: IT company in Taiwan, Japan, and South Korea
- 2019: Watering hole attack against a Chinese website

-----

###### Malware profile: ReverseWindow

-----

###### Malware profile: ReverseWindow

- ReverseWindow (aka sysetmd, OSX.Demsty) is a multi-platform malware; it supports Windows, Linux, Mac, and Android.
- Creates a mutex whose string prefix “LOOTWODNIW” is the reverse of “WINDOWTOOL”.
- Uses the DES algorithm for configuration decryption and data encryption.
- Uses a TLV (type-length-value) protocol to send and receive data.

-----

###### Evolution of ReverseWindow

-----

###### Evolution of ReverseWindow

| Period | Versions | Victim |
|---|---|---|
| Apr. 2017 | 1.1.6, 1.1.7 | University researcher in Hong Kong |
| May 2017 to Jul. 2017 | 1.2.1, 1.2.27 | IT company in China |
| Jan. 2019 to May 2019 | 0.997 (Android app), 1.3.3d | IT company in Taiwan, Japan, and South Korea |
| Aug. 2019 to Dec. 2020 | 2.2.1905131, 2.2.19102123, 2.2.1911271, 2.2.2006131 | Builds observed Aug. 2019, Nov. 2019, Mar. 2020 and Dec. 2020 |

-----

###### In-Depth Analysis of ReverseWindow

-----

###### Hide the malicious traces

- At first run, ReverseWindow makes the user think that the file is corrupted.
- Persistence method (OSX and Linux): copies itself to `~/.local/bin/sysetmd`, writes `.bashrc`, and creates a cron job.

-----

###### Decrypt malware C&C configuration

The encrypted configuration embedded in the ReverseWindow binary has the following layout:

| Field | Size |
|---|---|
| Config head signature | 16 bytes |
| Config size | 2 bytes |
| Encrypted config block | config size |

The encrypted config block is decrypted with DES_ECB_decrypt to recover the malware configuration.

-----

###### Decrypt malware C&C configuration

- Test sample C2: 192.168.8.107:10443
- The decrypted malware configuration is laid out as type, length, value entries.

-----

###### Collecting host information

- Hostname
- Operating system version
- User name
- MAC address and IP address (IPv6, IPv4)
- CPU info
- Amount of physical RAM
- External IP address
- Hard drive volume name (Windows only)
- Removable device file (Windows only)

-----

###### Collecting host information

- The victim information is arranged in TLV (type-length-value) format.
- ReverseWindow encrypts victim data using the DES algorithm with a hard-coded key table.

| Field | Size |
|---|---|
| Head signature | |
| Index | 1 byte |
| Size | 4 bytes |
| Data | Size bytes |
| Index, Size, Data ... | repeated for each item |
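The Linux and macOS persistence described above leaves three host artifacts: the copy under `~/.local/bin/sysetmd`, a `.bashrc` line that starts it, and a cron entry. Below is an added triage helper (not from the talk or from TeamT5) that checks one home directory for all three; the crontab text is passed in rather than read from the system so the check runs offline, and the function names and finding labels are my own.

```go
package main

import (
	"os"
	"path/filepath"
	"strings"
)

// ImplantName is the alias the slides give for the ReverseWindow copy on Linux/macOS;
// the slides place it at ~/.local/bin/sysetmd and have it started from .bashrc and cron.
const ImplantName = "sysetmd"

// linesMentioning returns the non-comment lines of text that reference the implant,
// each prefixed with label. Constructed helper, not part of the talk.
func linesMentioning(text, label string) []string {
	var hits []string
	for _, line := range strings.Split(text, "\n") {
		l := strings.TrimSpace(line)
		if strings.Contains(l, ImplantName) && !strings.HasPrefix(l, "#") {
			hits = append(hits, label+": "+l)
		}
	}
	return hits
}

// CheckPersistence inspects one home directory for the three artifacts of the
// persistence method described in the slides. crontab is the text of that user's
// crontab (the output of `crontab -l`), passed in so the check runs offline.
// It returns one finding per artifact; an empty slice means nothing was found.
func CheckPersistence(home, crontab string) []string {
	var findings []string
	bin := filepath.Join(home, ".local", "bin", ImplantName)
	if st, err := os.Stat(bin); err == nil && !st.IsDir() {
		findings = append(findings, "binary: "+bin)
	}
	if rc, err := os.ReadFile(filepath.Join(home, ".bashrc")); err == nil {
		findings = append(findings, linesMentioning(string(rc), ".bashrc")...)
	}
	return append(findings, linesMentioning(crontab, "cron")...)
}
```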
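The configuration and victim-data layouts above, worked as a decoder. This is an added example, not TeamT5's tooling or code from the sample: it follows the slide's layout (16-byte head signature, 2-byte config size, DES-ECB block, TLV entries with a 1-byte type and 4-byte size), while the signature bytes, the DES key, the little-endian field order and the `ParseConfig`/`DesECB` names are constructed assumptions. The same DES-ECB routine, run in the encrypt direction, covers the victim-data encryption the slides describe.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/binary"
	"errors"
)

var headSig = []byte("RW-CONFIG-HEAD!!") // constructed 16-byte placeholder, not the real signature
var desKey = []byte("PLACEHLD")          // constructed 8-byte placeholder, not the real key table

// DesECB runs single DES in ECB mode block by block (Go's stdlib has no ECB helper).
func DesECB(in []byte, decrypt bool) ([]byte, error) {
	blk, err := des.NewCipher(desKey)
	if err != nil || len(in)%8 != 0 {
		return nil, errors.New("bad DES key or input not a multiple of 8 bytes")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += 8 {
		if decrypt {
			blk.Decrypt(out[i:], in[i:])
		} else {
			blk.Encrypt(out[i:], in[i:])
		}
	}
	return out, nil
}

// ParseConfig follows the slide layout: 16-byte head signature, 2-byte config size,
// DES-ECB block; the plaintext is walked as TLV entries (1-byte type, 4-byte size,
// data; little-endian assumed) until the zero padding. Returns type -> value.
func ParseConfig(blob []byte) (map[byte][]byte, error) {
	if len(blob) < 18 || !bytes.Equal(blob[:16], headSig) {
		return nil, errors.New("bad head signature")
	}
	size := int(binary.LittleEndian.Uint16(blob[16:18]))
	if len(blob) < 18+size {
		return nil, errors.New("config size exceeds blob")
	}
	p, err := DesECB(blob[18:18+size], true) // on error p is nil and the loop below is skipped
	cfg := map[byte][]byte{}
	for len(p) >= 5 && p[0] != 0 {
		n := binary.LittleEndian.Uint32(p[1:5])
		if uint64(n) > uint64(len(p)-5) { // a hostile size must not read past the block
			return nil, errors.New("TLV size exceeds buffer")
		}
		cfg[p[0]], p = p[5:5+n], p[5+n:]
	}
	return cfg, err
}
```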
The TLV buffer is passed to DES_encrypt, producing the encrypted victim data.

-----

###### Collecting host information

Exchange between ReverseWindow and the C2 server:

1. ReverseWindow sends a beacon to the C2 server.
2. The C2 server sends a response.
3. ReverseWindow sends the victim information.
4. The C2 server sends a command.

-----

###### Custom ReverseWindow Android APK

- In 2019, the LuoYu actor developed an Android variant of ReverseWindow.
- We found that the attacker disguised the APK as a popular messaging app.
- The actor also added another custom-developed spying library to the APK.
- Unfortunately, we are currently unsure how the actor spread the malware.

-----

###### Custom ReverseWindow Android APK

1. The malicious APK is installed.
2. The APK loads the ReverseWindow ELF library, which decrypts its config file.
3. ReverseWindow connects to the C2 server.
4. The custom spying library collects sensitive data and sends it to the C2 server.

-----

###### Version changes

| Version | Changes |
|---|---|
| Windows 1.2.27, OSX 1.2.1 | The command protocol 0x0100 (install persistence) was only supported in Windows (1.2.27) |
| Windows 2.2.* | Support proxy setting; string obfuscation; stack strings & GetProcAddress to resolve WinAPI |
| Windows 2.2.1905131 | ReverseWindow is interested in two popular messaging apps and three popular browsers in China (360SE, 360chrome, SougouExplorer) |
| Windows 2.2.2006131 | Support networking status |

-----

###### Command Details: Common

| Command code | Description |
|---|---|
| 0x0200 | File operations |
| 0x0300 | Shell command |
| 0x0400 | Update RAT |
| 0x0500 | Uninstall RAT |
| 0x0800 | Update malware config |

-----

###### Command Details: Common

| Command code | Description |
|---|---|
| 0x0900 | (Linux) install plug-in; (Windows) execute a file |
| 0x0A00 | (Windows only) Screenshot |
| 0x0B00 | Proxy |
| 0x1200 | (Windows only) Enumerate processes, netstat |

-----

###### Command Details: Common

| Command code | Description |
|---|---|
| 0x0900 | (Windows) execute a file |
| 0x0A00 | Screenshot |

Common to the dissident and expatriate targeted attacks.

-----

###### Command Details: Android

| Command code | Description |
|---|---|
| 0x0700 | setTransType |
| 0x0A00 | setCaptureScreen |
| 0x0F00 | setRecordConfig |
| 0x1000 | setSMSConfig |
| 0x1100 | setCallLogConfig |

-----

###### Targeted attack: Chinese dissident

- Victim host: a Chinese dissident who is “over the wall” (beyond the Chinese Great Firewall).
- ReverseWindow collects data from the victim host and is controlled from the C2 server.
- The C2 server monitors the host and notifies the operator.
- Checks installed apps: 1. three popular browsers in China; 2. two messaging apps; 3. proxy setting.

-----

###### Targeted attack: expatriate

- ReverseWindow is implanted on the expatriate’s victim host and controlled from the C2 server.
- It collects VPN profiles and uploads them to the C2 server.
- The actor connects with the collected VPN profiles for lateral movement.

-----

###### Case Study

-----

### Watering hole attack

- Compromised a Chinese news site based in the US

-----

### Watering hole attack

- Malicious files disguised as legitimate programs: qq.exe, youku.exe (WinDealer)

-----

### More APKs found

- Additional malicious APKs were found connecting to the C2 server.

-----

### IT company in East Asia

- 2017: ReverseWindow
- 2019: ReverseWindow

-----

### Messaging Apps Focused

- 2017 & 2019: attacks on IT companies in East Asia developing messaging apps

-----

- The 2019 attack overlapped with the Hong Kong anti-extradition bill protests.
- To collect protesters’ information?

-----

###### Before 2017

- Monitoring messaging apps of individual users

###### After 2017

- Monitoring messaging apps of individual users
- Attacking the IT companies that develop the apps, for direct access to user information?

-----

##### Threat for both users and company

- Personal mobile: installed ReverseWindow APK & SpyDealer; collects personal messages
- Company: installed ReverseWindow; collects user information

-----

#### Key Takeaway

-----

###### Key Takeaway

- LuoYu is a well-developed Chinese APT.
- Its cyber attacks have been ongoing since 2014.
- It keeps developing malware across multiple platforms.
- It monitors expatriates and dissidents.
- It has expanded its target scope:
  - China’s neighboring countries
  - IT companies

-----

## THANK YOU!

-----