## What We Can Do against the Chaotic A41APT Campaign ###### Hajime Yanagishita, Kiyotaka Tamada, You Nakatsuru, Suguru Ishimaru 2022/01/27 ----- #### Who We Are ###### Hajime Kiyotaka You Suguru Yanagishita Tamada Nakatsuru Ishimaru Macnica Secureworks Kaspersky ----- #### Agenda ###### Recent A41APT campaign we've seen ● What A41APT Campaign is ● Continuous A41APT Campaign ○ Continued and Updated TTPs ○ News TTPs Observed in 2021 ○ Attribution of The Threat Actor ● What We Can Do against the Chaotic A41APT Campaign ----- # What A41APT Campaign is ----- ###### ○ Japan (Japanese companies and their overseas branches) ● Origin of the campaign name ○ Named after the actor's host name DESKTOP-A41UVJV used for remote connection ###### Distinguish attack campaign that threat actor intrudes via internet-facing system deploy malware such as SigLoader/Sodamaster from others ----- #### TTPs Reported at JSAC2021 ###### ● csvde ● AdFind ● Scanner ----- # Continuous A41APT Campaign in 2021 ----- #### Continuous A41APT Campaign in 2021 ###### ● Observed attacks against multiple organizations in Japan and branch offices ○ We investigated each different incident to disclose updated TTPs and discovered new TTPs ###### ● Pulse Connect Secure ● FortiGate ###### ● csvde ● Mimikatz ● Secretdump ----- #### Public Information by Trend Micro ###### https://blog.trendmicro.co.jp/archives/29842 ----- # Continued and Updated TTPs ###### Continuous A41APT Campaign in 2021 ----- #### Intrusion via VPN Devices ###### Observations in 2021 ● Using known vulnerabilities ○ Pulse Connect Secure ○ FortiGate: CVE-2018-13379 ○ Cisco AnyConnect: CVE-2020-3125 ● Even if it's patched now, the credentials from back then might have been leaked Note that we've only seen the host name "DESKTOP-O2KM1VL" already reported in 2021 ----- #### Tool Sets Used After Intrusion ###### ● Following tools were found in the lateral movement stage ○ Mimikatz ○ secretdump.py ○ PsExec ○ csvde ○ WinRAR ● The threat actor seems to use various tools as needed ----- #### Malware Updates ###### ● SigLoader and SodaMaster are still used in 2021 ○ Cobalt Strike, P8RAT and FYAntiLoader were not observed in 2021 ● With some changes: ○ Tampering compile time ■ SigLoader: e.g. 2021/?? -> 2017/05 ■ SodaMaster: e.g. 2021/04 -> 2012/10 ○ Updates on major functions ■ SigLoader: decryption process ----- #### SigLoader Execution Flow ###### DLL SigLoader Shellcode SigLoader Shellcode Payload Side-Loading ----- ###### Layer III ----- #### Decryption Process of SigLoader ###### ● The AES mode was changed from CBC to ECB ● The AES key is the first 16 bytes from the hardcoded 32 bytes string ###### nuWU1hZsNRptORhwI8iY4sYm0WQjbfjB ----- #### SodaMaster Evolution ###### We classified 20+ samples into 3 versions, and confirmed 6 activities from compile time and common features as follows Version 1 - 2 commands (d,s) - 32bit DLL - HTTPs commuincatin using wininet.dll - Original name was httpsWin32.dll Version 2 - 4 commands (d,f,l,s) - Communication using ws2_32.dll - Original DLL name was removed Version 2 - Encryption process for the first data was changed Version 1 - 4bit DLL - rignal DLL name was httpsX64_d.dll - ompile date tampering began Version 2 - Junk data has been added at the end of the first data - Original DLL name was tcpcX64.dll Version 3 - 22 commands (c-x) - VM detection has been removed - Magic number of loader shellcode is changed ----- #### Comparison for Each Version of SodaMaster ※ Light gray: Compile date might be tampered |Col1|Version 1|Col3|Version 2|Col5|Col6|Version 3| |---|---|---|---|---|---|---| |Compile Date (Export Date)|2019/01/07 10:33:18|2016/07/28 23:34:54|2019/06/10 16:58:10|2020/10/20 10:46:49|2016/07/28 19:07:26|2012/10/13 12:00:07| |File Type|x86 DLL|x64 DLL|x64 DLL|||x64 DLL| |Original DLL Name|httpsWin32.dll|httpsX64_d.dll|-|tcpcX64.dll||tcpcX64.dll| |Export Function|DLLEntry||-|DLLEntry||DLLEntry| |Network API|wininet||ws2_32|||ws2_32| |Command|d, s||d, f, l, s|||c - x| |Anti-VM|✓||✓|||-| Addition of junk data ###### Using string Using Using length of collected ----- #### Changes of Loader Shellcode for SodaMaster ###### The basic implementation was not changed ###### ●The magic bytes have been changed from version 3 ●The size of data was increased depending the payload which was the updated SodaMaster ----- #### Command List of SodaMaster Version 3 |Command|Description| |---|---| |c|Steals credentials of Outlook| |d|Executes DLL(Specified export function)| |f|Enables/Disables adding size info into sending data| |g|Executes shellcode(No function table)| |h|Repeats sending source spoofed packet to specified destination (DoS?)| |Col1|※ e, j, k, n-p, t-v are not Implemented ※ Red: Different analysis results from Trend Micro| |---|---| |Command|Description| |l|Configures interval of C2 communications| |m|Collects screenshot| |q|Enables key logging| |r|Disables key logging| |s|Executes shellcode (With function table)| |w|Shows string with MessageBox| ###### E it ----- ----- #### The First Data Format Sent to SodaMaster C2 ###### ● Data chunk format 1 Byte 1 Byte ID ● The raw data before encryption |● Data chunk format|Col2|Col3| |---|---|---| |1 Byte|1 Byte|Length of data| |ID|Size of data(If data length is variable)|Data| ----- #### The First Data Sent to SodaMaster C2 ###### Contains 7 types of data |ID|Length|Data| |---|---|---| |0x03|Variable|Username| |0x07|Variable|Computer name| |0x04|5 Bytes|PID, Privilege flag| |0x40|9 Bytes|Processor architecture (1 byte), OS major version (2 bytes), OS build number (2 bytes), Legacy OS flag (e.g., Win2003 x64 = 0xFF10) (2 bytes), OS product type (2 bytes)| |0x05|Variable|Date of execution (yyyy/mm/dd hh:mm:ss)| |0x06|Variable|RC4 encryption key for C2 communication| ###### 0 08 4 B t S k t ----- #### Encryption Process for The First Data ###### 1. RSA encryption ○ Base64 encoded public key is hardcoded ○ The public key is different in each sample 2. Inverting encrypted data 3. Adding junk data at the end (ver.2 or later) ○ Two types of calculation methods for the size of the junk data were observed: i. (address of encrypted data + address of collected data from victim) % 0x50 + 5 ii. (address of encrypted data + returned value of GetTickCount) % 0x50 + 5 ○ Add data extracted from encrypted data by unique algorithm to the end ###### Unnecessary data added to the end of data ----- # New TTPs Observed in 2021 ###### Continuous A41APT Campaign in 2021 ----- #### Jackpot Webshell ###### ● Webshell malware firstly reported by Trend Micro with their deep analysis ○ It was used as a payload of SigLoader in 2021 ● Works as a standalone HTTP sever ○ Jackpot receives commands via a POST request for the specific URL ■ A domain/IP address of victim organization is hardcoded ○ Jackpot tends to be found at the IIS servers, because the infected host must be the internet-facing server ■ Even if the IIS service is running, Jackpot works on the same port ----- #### Microsoft Exchange Server ###### Exploiting ProxyShell vulnerability ###### ● The following commands were observed on a PowerShell session obtained by the exploit ○ copy ○ ping ○ dir ○ query user ○ ipconfig /all ○ type ○ net user /domain ○ tasklist ○ net time /domain ○ whoami ○ wmic /node: process call create cmd /c Dnscmd /EnumZones > ○ [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('')) | Out-File -FilePath ● China Chopper webshell was installed after above activities ----- #### HUI Loader ###### ● We discovered another loader used for loading SodaMaster in 2021 ○ Unnamed loader that has been observed since 2015 for various payloads ○ Named after string "HUIHWASDIHWEIUDHDSFSFEFWEFEWFDSGEFERWGWEEFWFWEWD" ###### HUIHWASDIHWEIUDHDSFSFEFWEFEWFDSGEFERWGWEEFWFWEWD" ----- #### Execution Flow of HUI Loader ----- #### Decoding Process of HUI Loader ----- # Attribution of The Threat Actor ###### Continuous A41APT Campaign in 2021 ----- #### View of Trend Micro and Kaspersky ###### Linking to BRONZE RIVERSIDE (APT10) ? ----- #### A41APT, BRONZE RIVERSIDE and LockFile ###### In August 2021, The HUI Loader was pointed out to be used with BRONZE RIVERSIDE and LockFile ----- #### Redefinition of Chaotic A41APT Campaign ###### Attribution should not be done only by the malware/tools used - but it's likely that the actor is based in China VPN + RDP HUI Loader SigLoader ----- # What We Can Do against the Chaotic A41APT Campaign ----- ##### Challenge to Know Your Own Organization ###### Fighting against Opportunistic Compromise, Targeted Deployment ###### ● The actor attempts to compromise every organizations who seem to be related to their goals, then the actor will choose (an) organization(s) from among the victims as a start point ○ Not only HQ, subsidiaries and overseas branches will be affected ○ Incidents will happen at organizations who don't have enough security controls for internet-facing systems ● Do you have a true understanding of your organization from security perspective? ○ Infrastructure/Security controls of overseas branches, subsidiaries ■ Different systems from HQ ■ Low-budget security controls Nothing changed from ■ Network/System sharing between HQ and subsidiaries 2020 ○ Leave maintenance and operation of system SI vendors ----- #### Conclusion ###### ● Chaotic A41APT campaign ○ The campaign is still ongoing and expanding its TTPs ○ Multiple threat groups seem to be involved ○ The actor always intruded via Internet-facing systems ● Countermeasure should be the same with post-intrusion ransomware attacks ○ Protect internet-facing systems of whole your company including branch offices and subsidiaries - Cooperate with SI vendors ###### ○ Detect usage of hacking tools or AD related tools for lateral movement after establishing C2 ○ Hunt the threats by using EDR, auditing various logs, checking ASEP ● Information sharing like this would be helpful for everyone? ○ Difficult to reveal a whole picture of a campaign by a single vendor ----- #### Reference Regarding A41APT ###### 1. A41APT case ~ Analysis of the Stealth APT Campaign Threatening ○ https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf ○ https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_jp.pdf 2. APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign ○ https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campai gn/101519/ ○ https://blog.kaspersky.co.jp/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-c ampaign/30393/ 3. APT10: Tracking down the stealth activity of the A41APT campaign ○ https://media.kasperskydaily.com/wp-content/uploads/sites/86/2021/02/25140359/greatidea_A41_v1. 0.pdf 4. 標的型攻撃の実態と対策アプローチ 第5版 日本を狙うサイバーエスピオナージの動向2020年度 - Macnica Networks, TeamT5 ○ https://www.macnica.co.jp/business/security/manufacturers/files/mpressioncss_ta_report_2020_5.pdf 5. 「Earth Tengshe」によるマルウェア「SigLoader」を用いた攻撃キャンペーンで観測された新たなペイロード ○ https://blog trendmicro co jp/archives/29842 |PT case ~ Analysis of the Stealth APT Campaign Threatening|Col2| |---|---| |https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf|| |https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_jp.pdf|| |gn/101519/|Col2| |---|---| |ampaign/30393/|Col2| |---|---| |0.pdf|Col2| |---|---| ----- #### Other References ###### 1. Uncovering New Activity By APT10 | FortiGuard Labs ○ https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt- 2. Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2 - NSFOCUS, Inc., ○ https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabiliti es-1-2/ 3. Twitter ○ https://twitter.com/Manu_De_Lucia/status/1430115616862638080 ○ https://twitter.com/fr0gger_/status/1430213808434339842 4. Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability ○ https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and- hunting-for-cve-2021-44228-log4j-2-exploitation/ 5. AutoRuns ○ https://docs.microsoft.com/ja-jp/sysinternals/downloads/autoruns |es-1-2/|Col2| |---|---| |es-1-2/ er|Col2| |---|---| |https://twitter.com/Manu_De_Lucia/status/1430115616862638080|| |https://twitter.com/fr0gger_/status/1430213808434339842|| |hunting-for-cve-2021-44228-log4j-2-exploitation/|Col2| |---|---| ----- |IoCs|Col2|Col3| |---|---|---| |Value|Type|Description| |cf5ec3b803563d8ef68138f5303ebc362b72da36da29b9cba3062ae996db9234|SHA256|HUILoader| |c13f93b7bb1f8f5f9bd6dd4d25f7af873119c8b8248490de6bd9b29d0c68783e|SHA256|Encoded SodaMaster shellcode| |168.100.8.20|IP|SodaMaster C2| |9bec85e6a3d811826580540b541723c6b5236377a3a980b1ffa5bf5f749a99d4|SHA256|HUILoader| |7db327cc7bd622038f69b4df4178ca3145659a73cbcb10d0228e48f2ece60896|SHA256|Encoded SodaMaster shellcode| |www[.]monferriina[.]com|Domain|Sodamaster C2| |c0ed7939945726b61100009b926917723fdc5f9b2df0be070f2a500b6edf161c|SHA256|SigLoader (Layer I)| |0a570b32d14799f6351ee211093567450d41705ca79e236a38ca15f135d78bfd|SHA256|SigLoader (Layer I)| |2da5e37ec4c7059a7935165039ea31b0c9cc8f1bb0d0c620759776979158cf30|SHA256|SigLoader (Layer I)| |e8797b4334fbaa067d5f91d1481bd8f55bf2e45483a92a8ea7030c2c604dd273|SHA256|SigLoader (Layer I)| |68dd499bca62e004c97ccc17f68e3d6dde2885446924dabe8cc525763caa08a3|SHA256|Encrypted SodaMaster shellcode| |192.248.183.113|IP|SodaMaster C2| |1f1bcb03b008c4fdd462e7d2b5db5ca321ff6d56bbb22cddd39c82df1f6a038f|SHA256|DESLoader (1st Loader)| |7337071599eb49c75c63dff210aa516ea8dbbe99a8a66237f66f3f3c7f5aed31|SHA256|Encrypted SigLoader shellcode| |59986e20e03774c7d0f5adb4eca394f5f51b01a8c2ba9cb6c1ce30f9312b9566|SHA256|Encrypted SodaMaster shellcode| |185.10.16.115|IP|SodaMaster C2| 8 f 00763 9269 01d2b5918873144746 4b203b 28 92459f5301927961 SHA256 HUIL d i 2015 ----- #### FYI: Hunting Suspicious ASEP ###### When EDR and Forensic Tools are not ready ###### ● Audit ASEP by using tools such as Autoruns is effective ● In A41APT campaign, scheduled tasks are favor to be used ○ Investigating scheduled tasks with the following condition could be useful ■ 3rd party legitimate executables under C:\Windows\, C:\Intel\ ----- #### IOCs - Examples of Scheduled Task |Program|Descritpion|Publisher| |---|---|---| |C:\Windows\RoutineMaintenance.exe||D3L| |C:\Windows\ceiprole.exe|Malwarebytes Anti-Exploit 64bit tasks|Malwarebytes Corporation| |C:\Windows\Vss\Writers\System\FamilySafety.exe|Java(TM) Platform SE binary|International Business Machines Corporation| |C:\Windows\System32\winrm\0409\usoclient.exe|OpenSSL application|OpenVPN Inc.| |C:\Windows\System32\da-DK\DataProviders.exe|OpenSSL application|OpenVPN Inc.| ----- ### Thank you -----