## CRACKING A SOFT CELL IS HARDER THAN YOU THINK ###### Markus Neis / Swisscom Twitter: @markus_neis Keybase: yt0ng ----- ## Operation Soft Cell v1.0 ### • 3[rd] party collection campaign revealed by Cybereason in 2019 • Targeting Telco providers • with the goal of obtaining Caller Detail Records (CDR) • China-nexus state sponsored threat actor also known as Gallium (Microsoft) • Suspected APT10 ----- ## Operation Soft Cell v2.0 #### • 3[rd] party collection campaign also discovered by Cybereason • Targeting Telco providers • with the goal of obtaining Caller Detail Records (CDR) • Actors shared access to victim(s) with another CN actor • China-nexus state sponsored threat actor also known as Gallium (Microsoft) • Links to APT10 but also APT41 and LuckyMouse • Sloppy OPSEC Actor ----- ## How it all started ###### Jun 25th 2019: Checking the news in the morning ----- ## How it all started ###### Jun 25th 2019: Blog Post ----- ## Operation Soft Cell ----- ## The hidden clue ----- ## The hidden clue ----- ## The hidden clue ##### - Poison Ivy as described by Cybereason - Side-loaded via RunHelp.exe - persistence by scheduled task - C2 in Costins list  ----- ## Poison Ivy Builder ##### Found via hunting for Side-loading via RunHelp.exe Based on created samples - Phantom Creator is likely the builder used for samples mentioned by Cybereason ----- ## PlugX ##### Another side-loading technique found in PlugX sample: 7a1d592339db1f0d1e76294a62ec842b ###### self-extracting RAR PE File that extracts the files - mcoemcpy.exe - mcutil.dll - antivir.dat copies them into "C:\\ProgramData\SamSungHelp" uses mcoemcpy.exe, a legitimate McAfee binary to load mcutil.dll. ##### C2s: IPs Hosting in HK Domains aligned with Costins reply ----- ## PlugX ###### copies them into "C:\\ProgramData\SamSungHelp" uses mcoemcpy.exe, a legitimate McAfee binary to load mcutil.dll. C2s: - IPs Hosting in HK - Domains aligned with Costins reply Crowdstrike in 2018 ##### - CN Actor targeting Think Tanks and Asian Telco - Plugx and Trochilus - Hosting Infrastructure in HK - Same Side-loading also reported by ###### https://go.crowdstrike.com/rs/281-OBQ ----- ## Trochilus ###### Sample: a8366127d37ab82fa37b612b3bfd046e Nullsoft Installer dropping - ImagingDevices.exe (signed MS binary) - ImagingEngine.dll - activeds.dll - photo.dat into C:\\ProgramData\Windows Imaging Devices Network Sharing Service\" ##### Same C2 server ###### https://go crowdstrike com/rs/281 OBQ ----- ## Trochilus ###### - Similarity Engine by Kaspersky GReAT showed 99% similarity with RedLeaves - APT10 ? ----- ## Gh0st ###### C2 analysis identified a variant of Gh0st RAT - Sample: 9fda6a46c96a9ee0b87c2313ba04bf2b - Simple Installer drops Gh0st RAT into - C:\WINDOWS\system32\rmtClt.exe OR - C:\Windows\SysWOW64\rmtClt.exe ----- ## Gh0st ###### - Sample: 9fda6a46c96a9ee0b87c2313ba04bf2b - The config was stored in the overlay of the file consisting of 4 blocks - Simply base64 encoded increasing every byte value by 0x7A and XORed by 0x19 ###### 1. service creation details including service name and service description ###### 2. command and control ###### 3. Run options ###### 4. Installer Path ----- ## Gh0st ###### - Config Pattern at end of files was pretty unique - allowed to identify ~270 Gh0st samples on VT - Most were simply the actor testing detections ----- ## Gh0st ###### An interesting PDB Path in one of the Gh0st RATs pointed to various other samples E:\vs_proj\remoteManager\clientExe\clientExe\Debug\clientExe.pdb date submitted md5 PDB VT subm. id country 06.08.2018 1a7cbfae5796ebbef5c8c150e461f2e7 E:\vs_proj\gh0st3.6_src_Unicode\gh0st\Release\gh0st.pdb 552a02f1 HK 19.09.2018 2f089510d01ca58460d0debff4962700 E:\vs_proj\remoteServer\Release\remoteServer.pdb 552a02f1 HK 25.09.2018 648eee77fa92d07f4747a72970f944e9 E:\vs_proj\remoteManager\Release\remoteServer.pdb 53e18eaa HK 11.10.2018 d9c25f0c43ffc64a99ad709c8d8e9496 E:\vs_proj\remoteManager\server\Release\remoteServer.pdb 29cab6fa KR 22.10.2018 bc7bbeb92078f9289cfb94e3a6eb193a E:\vs_proj\remoteManager_new\server\Release\remoteServer.pdb 552a02f1 HK 20-11-2018 00a928b681e545c0ae859c56f2dfd160 E:\vs_proj\simplify_modify\Win32\simplify.pdb a493c16c HK Mimikatz ###### Gh0st Builder |date submitted|md5|PDB|VT subm. id|country| |---|---|---|---|---| |06.08.2018|1a7cbfae5796ebbef5c8c150e461f2e7|E:\vs_proj\gh0st3.6_src_Unicode\gh0st\Release\gh0st.pdb|552a02f1|HK| |19.09.2018|2f089510d01ca58460d0debff4962700|E:\vs_proj\remoteServer\Release\remoteServer.pdb|552a02f1|HK| |25.09.2018|648eee77fa92d07f4747a72970f944e9|E:\vs_proj\remoteManager\Release\remoteServer.pdb|53e18eaa|HK| |11.10.2018|d9c25f0c43ffc64a99ad709c8d8e9496|E:\vs_proj\remoteManager\server\Release\remoteServer.pdb|29cab6fa|KR| |22.10.2018|bc7bbeb92078f9289cfb94e3a6eb193a|E:\vs_proj\remoteManager_new\server\Release\remoteServer.pdb|552a02f1|HK| |20-11-2018|00a928b681e545c0ae859c56f2dfd160|E:\vs_proj\simplify_modify\Win32\simplify.pdb|a493c16c|HK| ----- ## Mimikatz |date submitted|name|md5|PDB|VT subm. id|country| |---|---|---|---|---|---| |20-11-2018|simplify_32.exe|00a928b681e545c0ae859c56f2dfd160|E:\vs_proj\simplify_modify\Win32\simplify.pdb|a493c16c|HK| ###### Mimikatz signed with stolen Whizzimo, LLC Certificate Only used by Soft Cell? ----- ## Mandiant IR: Grab a bag of Attacker Activity ###### Same certificate has been reported by Mandiant to be used by APT41 ----- ## Mimikatz ###### Same certificate has been reported to be used by APT41 More links to APT41 (as reported by Mandiant) - Same submitter on same day - Same naming convention - Slightly different PDB |date submitted|name|md5|PDB|VT subm. id|country| |---|---|---|---|---|---| |20-11-2018|simplify_32.exe|00a928b681e545c0ae859c56f2dfd160|E:\vs_proj\simplify_modify\Win32\simplify.pdb|a493c16c|HK| |18-07-2018|s_i64d.exe|2e834d8dde313e992997cbda050a15f1|E:\simplify_modify\x64\simplify.pdb|925c50f1|CN| |20-11-2018|simplify_i64d.exe|2e834d8dde313e992997cbda050a15f1|E:\simplify_modify\x64\simplify.pdb|a493c16c|HK| ###### http://www.sans.org/cyber-security-summit/archives/download/23430 ----- ## More links to APT41 **file names** **signer** **Thumbprint** **MD5** 39_64d.exe, 39_64d.exe Whizzimo, LLC 32078AC8E12F61046AEC24F153B1E438A36100AC fee9bc26f55c2049e1b64616a442dc7b a493c16c simplify_32.exe, simplify_32.exe Whizzimo, LLC 32078AC8E12F61046AEC24F153B1E438A36100AC 426ce7bf9e1e7c43f6dc05438798be8c a493c16c configMoudle.exe, configMoudle.exe Whizzimo, LLC 32078AC8E12F61046AEC24F153B1E438A36100AC fbdc5eaa50c3f7c0439c51ba4e9841f7 a493c16c simplify_64.exe, simplify_64.exe Whizzimo, LLC 32078AC8E12F61046AEC24F153B1E438A36100AC 24fc7f311ea28ffbb579a3aad486b61a a493c16c s32, s32 Whizzimo, LLC 32078AC8E12F61046AEC24F153B1E438A36100AC 034f46545c5b1112e03eb60e2c7670ce a493c16c 42_32.exe, 42_32.exe Whizzimo, LLC 32078AC8E12F61046AEC24F153B1E438A36100AC 4534f50279f9e4d935c0423c654e9252 a493c16c simplify_32.exe, simplify_32.exe Whizzimo, LLC 32078AC8E12F61046AEC24F153B1E438A36100AC 7351406c380d9e22d080a0ad509824de a493c16c sy32.exe, sy32.exe Whizzimo, LLC 32078AC8E12F61046AEC24F153B1E438A36100AC 16485ff94213ab24a6bda3c16d47b348 925c50f1 s_x86d.exe, s_x86d.exe Whizzimo, LLC 32078AC8E12F61046AEC24F153B1E438A36100AC b429265c5678804ce6de0ecd9e6d205e 925c50f1 myfile.exe, myfile.exe, 39_32d.exe Whizzimo, LLC 32078AC8E12F61046AEC24F153B1E438A36100AC 723a98a3b0f9db7e15533848abe1fdfb ef37c927 simplify_32.exe, simplify_32.exe Whizzimo, LLC 32078AC8E12F61046AEC24F153B1E438A36100AC 00a928b681e545c0ae859c56f2dfd160 a493c16c simplify_x86d.exe, simplify_x86d.exe, 33333.exe Whizzimo, LLC 32078AC8E12F61046AEC24F153B1E438A36100AC 4c3a453cda4f8a61f47fc80762d65f54 simplify_32.exe, simplify_32.exe Whizzimo, LLC 32078AC8E12F61046AEC24F153B1E438A36100AC abcffc85e306cb307d5a63602184acce a493c16c simplify_i64d.exe, simplify_i64d.exe, s_i64d.exe Whizzimo, LLC 32078AC8E12F61046AEC24F153B1E438A36100AC 2e834d8dde313e992997cbda050a15f1 s64.exe, s64.exe Whizzimo, LLC 32078AC8E12F61046AEC24F153B1E438A36100AC 67f68b8cf07fdc1f8d025a3b2774e7c7 925c50f1 sy64.exe, sy64.exe Whizzimo, LLC 32078AC8E12F61046AEC24F153B1E438A36100AC 64f8b0cc6cb16b7e57605813e3ce0a76 925c50f1 [simplify_32.exe](https://www.virustotal.com/gui/search/name%253Asimplify_32.exe) Whizzimo, LLC 32078AC8E12F61046AEC24F153B1E438A36100AC 00a928b681e545c0ae859c56f2dfd160 a493c16c ###### More links to APT41 - Hunting for Certificate - Found more - all Mimikatz apart from one - configMoudle was a web shell |file names|signer|Thumbprint|MD5|submitter| |---|---|---|---|---| |39_64d.exe, 39_64d.exe|Whizzimo, LLC|32078AC8E12F61046AEC24F153B1E438A36100AC|fee9bc26f55c2049e1b64616a442dc7b|a493c16c| |simplify_32.exe, simplify_32.exe|Whizzimo, LLC|32078AC8E12F61046AEC24F153B1E438A36100AC|426ce7bf9e1e7c43f6dc05438798be8c|a493c16c| |configMoudle.exe, configMoudle.exe|Whizzimo, LLC|32078AC8E12F61046AEC24F153B1E438A36100AC|fbdc5eaa50c3f7c0439c51ba4e9841f7|a493c16c| |simplify_64.exe, simplify_64.exe|Whizzimo, LLC|32078AC8E12F61046AEC24F153B1E438A36100AC|24fc7f311ea28ffbb579a3aad486b61a|a493c16c| |s32, s32|Whizzimo, LLC|32078AC8E12F61046AEC24F153B1E438A36100AC|034f46545c5b1112e03eb60e2c7670ce|a493c16c| |42_32.exe, 42_32.exe|Whizzimo, LLC|32078AC8E12F61046AEC24F153B1E438A36100AC|4534f50279f9e4d935c0423c654e9252|a493c16c| |simplify_32.exe, simplify_32.exe|Whizzimo, LLC|32078AC8E12F61046AEC24F153B1E438A36100AC|7351406c380d9e22d080a0ad509824de|a493c16c| |sy32.exe, sy32.exe|Whizzimo, LLC|32078AC8E12F61046AEC24F153B1E438A36100AC|16485ff94213ab24a6bda3c16d47b348|925c50f1| |s_x86d.exe, s_x86d.exe|Whizzimo, LLC|32078AC8E12F61046AEC24F153B1E438A36100AC|b429265c5678804ce6de0ecd9e6d205e|925c50f1| |myfile.exe, myfile.exe, 39_32d.exe|Whizzimo, LLC|32078AC8E12F61046AEC24F153B1E438A36100AC|723a98a3b0f9db7e15533848abe1fdfb|a493c16c, 925c50f1, 130ce897, ef37c927| |simplify_32.exe, simplify_32.exe|Whizzimo, LLC|32078AC8E12F61046AEC24F153B1E438A36100AC|00a928b681e545c0ae859c56f2dfd160|a493c16c| |simplify_x86d.exe, simplify_x86d.exe, 33333.exe|Whizzimo, LLC|32078AC8E12F61046AEC24F153B1E438A36100AC|4c3a453cda4f8a61f47fc80762d65f54|925c50f1, a493c16c| |simplify_32.exe, simplify_32.exe|Whizzimo, LLC|32078AC8E12F61046AEC24F153B1E438A36100AC|abcffc85e306cb307d5a63602184acce|a493c16c| |simplify_i64d.exe, simplify_i64d.exe, s_i64d.exe|Whizzimo, LLC|32078AC8E12F61046AEC24F153B1E438A36100AC|2e834d8dde313e992997cbda050a15f1|925c50f1, a493c16c| |s64.exe, s64.exe|Whizzimo, LLC|32078AC8E12F61046AEC24F153B1E438A36100AC|67f68b8cf07fdc1f8d025a3b2774e7c7|925c50f1| |sy64.exe, sy64.exe|Whizzimo, LLC|32078AC8E12F61046AEC24F153B1E438A36100AC|64f8b0cc6cb16b7e57605813e3ce0a76|925c50f1| |simplify_32.exe|Whizzimo, LLC|32078AC8E12F61046AEC24F153B1E438A36100AC|00a928b681e545c0ae859c56f2dfd160|a493c16c| ----- ## More links to APT41 ###### configMoudle.exe - .NET dropper for a modified China Chopper we only have seen in Soft Cell activity (in our terms) - based on PDB we refer to as DeployFilter - Webshell is found in droppers resources - Module is then added to IIS as C:\\Windows\\System32\\inetsrv\\Config\\applicationHost.config ----- ## More links to APT41 ###### http://www.sans.org/cyber-security-summit/archives/download/23430 ###### configMoudle.exe - .NET dropper for a modified China Chopper - based on PDB we refer to as DeployFilter - Webshell is found in droppers resources - Module is then added as C:\\Windows\\System32\\inetsrv\\Config\\applicationHost.config ----- ## Soft Cell and Lucky Mouse ? ###### Based on VT Uploads we identified a victim - With DeployFilter / Chipshot uploaded to VT 4 months before the same victim - Uploaded a signed malicious NDISProxy driver attributed by Kaspersky to Lucky Mouse https://securelist.com/luckymouse-ndisproxy-driver/87914/ ----- ## Soft Cell, APT10, APT41 and Lucky Mouse ? ###### - Do Soft Cell, APT10, APT41 and Lucky Mouse share ##### - tools - capabilities - victims ??? - Are the Soft Cell actors part of any of these groups (subgroup / contractors ) ??? Simple answer: No Idea  ###### Soft Cell APT10 APT41 LuckyMouse ----- # Thank you -----