# Threat Intelligence #### Winnti APT group docks in Sri Lanka for new campaign ###### TLP: CLEAR ----- ##### Table of Contents ## • [Overview] **The attack** ## • • [First stage - DBoxAgent] **Ofcpic.dll - DBoxAgent analysis** ## • • [Second stage - SerialVlogger] **libcef.dll - SeriallVlogger analysis** ## • • [Third stage - VLOG.IPDB] • [Fourth stage - KEYPLUG] • [Attribution] **Sri Lanka and China - A little bit of history** ## • **Sri Lanka and China - Current situation** ## • • [Conclusion] • [Indicators of Compromise (IOCs)] ###### 3 **4** ###### 5 **6** ###### 12 **12** ###### 15 17 18 **18** **19** ###### 21 22 ----- ### Overview _This blog post was authored by Roberto Santos, Hossein Jazi and Jérôme Segura_ In early August, the Malwarebytes Threat Intelligence team identified a new attack targeting government entities in Sri Lanka. The threat actors used multiple layers of protection and techniques to make analysis harder and hide their final payload. However, based on tactic, techniques and procedures (TTPs) as well as code similarities we believe that this attack falls under the Winnti umbrella. Winnti is a Chinese state-sponsored effort of different threat actors that have conducted cyber espionage and financially motivated operations since 2012. This new campaign started on August 4th and has been active since at least the middle of August. Interestingly during the same time, the Chinese vessel Yuan Wang 5 (which tracks rocket and spacecraft launches for China), arrived and docked at the naval port of Hambantota located in Sri Lanka. Neighboring India views the vessel as a risk to its national security and the US Department of Defense believes it is operated by China's People's Liberation Army Strategic Support Force (PLA-SSF division). All this situation happened during a very difficult time for Lankans. We will briefly analyze this situation at the end of the report. We identified several payloads being dropped in this campaign, including a backdoor that was new to us that we call DBoxAgent due to its use of Dropbox as a command and control server. Victimology analysis helped us to confirm our assumption of the Winnti threat group behind this attack with the KeyPlug malware used as final payload. In this blog post we will review the chain of events and go through the different layers of protection that make this attack stealthy and show that Winnti continues to be active and expand its reach in the South Asia region. We shared our initial findings with Dropbox who immediately took action to stop this malicious activity. We would like to thank the Dropbox threat intelligence team for their response. ----- ###### The attack Sri Lanka has been going through a number of crises during the past year including mass protests while the country's economy is collapsing. Indeed, the United Nation relayed a call from humanitarian agencies that **[Sri Lanka's economic crisis requires immediate global](https://news.un.org/en/story/2022/07/1122902)** **[attention .](https://news.un.org/en/story/2022/07/1122902)** Interestingly, the attack we observed is being distributed via an ISO image masquerading as a document containing information about economic assistance ( _economic assistance.iso_ ) [hosted on Google Drive. Metadata from VirusTotal indicates that this particular file was first and](https://www.malwarebytes.com/blog/threat-intelligence/2022/10/easset_upload_file76223_241204_e.png) subsequently uploaded from Sri Lanka (country code LK). We were also able to further confirm [that victims were in the (UTC+05:30) time zone, and more specifically in Sri Jayawardenepura](https://en.wikipedia.org/wiki/Sri_Jayawardenepura_Kotte) which is the country's administrative capital. An overview of the attack can be seen in the next image, revealing the use of Dropbox as command and control server to help distribute several payloads, including the KeyPlug [malware. Sandbox analysis of the sample can be found here .](https://app.any.run/tasks/d8328fee-39f0-4648-8ff3-9dfde7e20213/) _Killchain_ ----- ### First stage - DBoxAgent As stated, attackers used the ongoing situation in Sri Lanka to lure victims. The initial ISO file that victims have executed was named "economic assistance.iso". This ISO file contained 3 files: - A LNK file showing a folder icon that is a shortcut for the following command: "C: \Windows\System32\cmd.exe /c des.exe" - An executable named des.exe - A DLL file named ofcpipc.dll _Content for economic assistance.iso_ It would be easy for an unexperienced user to think that the LNK file is a folder. Instead, after clicking on the shortcut, _des.exe_ is executed. This binary appears legitimate as it has 0 detection in VirusTotal and is part of by Trend Micro AV. ----- _des.exe signature info_ ###### Ofcpic.dll - DBoxAgent analysis However, _ofcpipc.dll_ does have some detections and is the one containing malicious code. _des.exe_ is a legitimate executable used to perform DLL SIDELOADING in order to execute _ofcpipc.dll . This maliciously crafted DLL mimics the original DLL, containing all original exports_ and an additional one, named OIPC_InitPlus : ----- _Extra import in Ofcpic.dll_ Looking at DLL_Main, what we have in here are basic checks and initialization. The malware expects to be executed in a very specific way; it will skip execution when launched directly using rundll (to avoid being detected by some sandboxes) and also it expects to be located in the %PUBLIC% folder. _DLL skip execution generated by rundll_ Moving forward to the main functionality, when all the required conditions are satisfied a buffer contained in its data section will be decoded and allocated to a new memory region. This allocated memory will contain shellcode that implements the malicious functionality. The most common way to execute shellcode is directly using a jmp or a call instruction to the pointer. Instead, attackers placed a hook in the __security_init_cookie() function (a well known function in executables compiled with Visual Studio), part of des.exe . Remember that des.exe was the original signed executable. This is important, as using this technique may be not detected by many AV vendors. ----- The following diagram shows how the injection is performed: _DBoxAgent memory layout during injection process, step by step_ The shellcode is a backdoor that gives the ability for attackers to control the victim's machine. We named this new backdoor DBoxAgent as it uses Dropbox as C&C. This way, attackers are able to circumvent network protection tools, as all communications are sent and received through Dropbox API. They used the following authentication: **Bearer** **_ah6koSKE8UAAAAAAAAAAXV5lH_zm1T-xVCTqyhty3cq8U7kTb9E4y2XMPDdasKV .** ----- Inside Dropbox, attackers created a folder tree. In a nutshell, DboxAgent will be uploading stolen data to Dropbox and downloading code to execute, using polling. Dropbox folder created by the attackers could be something like that: _Attacker's view of files contained in Dropbox_ ----- Every folder under users represents a victim. The names were generated by using a concatenation of ethernet adapters MAC addresses found in their machines: _Attackers have used ETHERNET MAC Addresses to identify victims_ Here is a description for those files and folders that could be found at attackers Dropbox generated account: **info.txt** This file is created when the victim runs the malware, and contains the output generated by the command systeminfo . **down (folder)** Here, attackers will place files that will be dropped to the victim's machine. The malware will look for a special file called DownConfig.txt that contains the filename to download. ----- _Code responsible of fetching and dropping files to victims computers_ We have found 3 different files (payloads) in here named _jcef_helper.exe_, _libcef.dll_ and _vlog.ipdb ._ **upload (folder)** Used for recovering files from victims' computers. There is a special file called _UploadConfig.txt, where attackers place the names of the files to steal from victims._ **shell (folder)** Used to send and receive commands via CmdConfig.txt . Files with random numbers are the output generated by these commands. All communications are performed using the Dropbox API via the (encrypted) HTTPS protocol. However, attackers adde an extra security layer. All files, commands and outputs are stored and sent using custom encoding. Note that these tiny encoders are common signatures in Winnti attacks: _Algorithm used to protect files (DBoxAgent)_ ----- ### Second stage - SerialVlogger By using DBoxAgent, attackers had already full control of their victim's machine. They were able to steal information and also to deploy additional pieces of malware. In that regard, only selected victims received this second stage that used jcef_helper.exe, libcef.dll and vlog.ipdb files. _Jcef_helper_ is not malicious and, as with _des.exe_, it was used just as a means to execute _libcef.dll_ . This _jcef_helper_ is the legitimate Java Chromium Embedded Framework helper, **signed by JetBrains .** _Jcef_helper.exe signature info_ ###### libcef.dll - SeriallVlogger analysis In that case, the DLL was packed with VMProtect. As in the first stage, the same procedure is followed to execute this malicious DLL. Functionality in fact is pretty similar to the first bytes seen in DBoxAgent, where a buffer was decoded and then executed using a hook placed in the address for __security_init_cookie() . However, it has some interesting points to dig in. ----- First of these peculiarities is that SerialVlogger won t inject anything contained in any buffer inside it. Instead, SerialBlogger will look for a special file named _vlog.ipdb_ (remember that _vlog.ipdb was one of the files dropped along)._ _SerialVloger code extract, showing how it will open vlog.ipdb and terminate execution when not_ _found_ As it can be seen, execution will not continue in case vlog.ipdb does not exist. After that, the malware will use _GetVolumeInformationA_ to query properties about C:. Specifically, the SerialNumber of the drive is what attackers are interested in. They will use this serial number as a key to decrypt vlog.ipdb, using the following algorithm. ----- Similar algorithms have been found as part of past attacks attributed to Winnti: _Algorithm used to unprotect vlog.ipdb file_ That means that every victim will have its own different copy of the vlog.ipdb file. Attempts to run vlog.ipdb files in a different machine will result in a crash. Attackers have made a pretty good in disguising these files, as _vlog.ipdb_ files have an entropy close to 8. The decoding algorithm can be seen as follows in a Python implementation: _Algorithm used to unprotect vlog.ipdb file, in Python_ A quick note about the algorithm: part1 is not produced using the key or the buffer. After a few rounds it will tend to 7. Part1 will just add an extra rotation to the leading bytes (at the end, this does not affect the randomness). We don't know why attackers decided to go that way, but probably they wanted to add an extra protection layer to first bytes, as in first rounds complexity is a little higher. So, discarding this part1 as complexity source, the algorithm is pretty simple. It consists of multiplying the key with the iteration value, and simply xoring then with the encoded buffer. Finally, this file will decrypt vlog.ipdb contents and will place a hook in __security_init_cookie(), so the vlog.ipdb content will be executed later instead of the original jcef_helper.exe file. ----- ### Third stage - VLOG.IPDB _Vlog.ipdb is a tiny DLL loader, capable of running a DLL that is encrypted inside the shellcode_ itself. To do so, it will first locate its own address by using the well known call - pop scheme, shown in the next image: _Vlog.ipdb will first fetch RIP value_ After that, it will locate the DLL inside it using its relative offset. This time, attackers went more standard and encrypted the DLL using regular RC4: _RC4 decryption algorithm_ ----- The RC4 key is contained inside the vlog.ipdb shellcode. This key was found in our sample xored with the value 0x63. The used key was ytveX05lCYreUzo4 : _RC4 key was protected by a simple xor_ This loader will use some Windows APIs by first fetching the kernell32.dll location (using the PEB) and then fetching the required libraries using its name. Malicious shellcode uses hash algorithms or CRCs in order to hide these required function names to avoid triggering alarms. The malware hashes all function names (bruteforce style) and when one matches that means the required function has been found. The used hash algorithm has clear similarities with other known algorithms and was used once [before, in an old malware called Nuclear Bot (NukeBot) described here . It turns out that the](https://www.netscout.com/blog/asert/dismantling-nuclear-bot) source code was leaked at some point, so attackers could have developed this one inspired by the old Nuclear Bot. _NuclearBot hashing algorithm (source netscout.com) and vlog.ipdb's are identicalCaption_ ----- ### Fourth stage - KEYPLUG After all these steps, attackers managed to inject shellcode that was encrypted in a file called _vlog.ipdb . Every vlog.ipdb had a different hash (as these were encrypted using different serial_ numbers). However, after decoding them, we found that the injected file was the same for all victims. Interestingly, vlog.ipdb was found protected twice, one protection due to DBoxAgent and one due to SerialVloger and is a backdoor that matches the KEYPLUG family. This **[report](https://www.mandiant.com/resources/blog/apt41-us-state-governments)** also describes some of the functionality carried out by KEYPLUG at the end of it. The following configuration was used: **WSS://162** [.]159.200.0/24;162[.]159.36.0/24;172[.]67.192.0/24;104[.]27.96.0/24:443| **WSS://162** **[.]159.200.0/24;162[.]159.36.0/24;172[.]67.192.0/24;104[.]27.96.0/24:443** |360| **5** |1| **dash[.]lcmbk.com:443** The backdoor relies on the websocket protocol to carry out its activities: _Keyplug (Windows version) code fragment, establishing communication using websockets_ By using this backdoor, attackers were able to fully control victims' machines. We can see why attackers protected that final stage. Keyplug is a very complete and complex backdoor with 4 different modes (HTTP, TCP, UDP and Websockets). This sample is truly an advanced piece of malware, so we may cover it in a future report. ----- ### Attribution This whole attack has Winnti signatures fingerprints all over it. The most significant one probably is the use of KeyPlug malware, which is exclusively used by this group, and most likely developed by them. We have seen multiple custom encoding algorithms (as the one described in DBoxAgent or the one found in SerialVlogger) that are also a team signature. The usage of VMProtect in some of the intermediate files is a known TTP for Winnti. Finally, victimology also matches with the group's usual targets. It is true that attacks in Sri Lanka haven't been documented yet, but China's interests in this island is not something new. Next lines will cover these possible interests. ###### Sri Lanka and China - A little bit of history Sri Lankan recent history is defined by its long civil war. This war was almost 30 years long and ended in **[2009](https://hir.harvard.edu/sri-lankan-civil-war/)** . The main reasons were disputes between Tamils (with the LTTE group Liberation Tigers of Tamil Eelam) and the Sinhalese, which represented the majority of the population and the government. In 2005, Mahinda Rajapaksa won the national elections, and during his mandate LTTE was defeated. That increased the popularity of Rajapaksa's clan and [many of its family members where later included in political institutions .](https://zeenews.india.com/india/dna-exclusive-how-rajapaksa-family-exploited-sri-lanka-2485085.html) However, it is believed that Rajapaksa brought a secret ally that supported their victory. An interesting article **[Riding with the Devils: China’s Role in the Cambodian and Sri Lankan](https://www.jstor.org/stable/48505532)** **[Conflicts talks about Rajapaksa's victory " China became the most important military ally and aid](https://www.jstor.org/stable/48505532)** _provider [...] According to Stockholm International Peace Research Institute (SIPRI) data, China_ _has exported arms worth US$638 million to Sri Lanka [...] China clearly turned out to be the main_ _provider of weapons for Sri Lanka[...] ". We can see that China's interests in Sri Lanka began_ decades ago. After the war, China kept showing interests in the country. Rajapaksa leveraged that interest to finance numerous projects, like the Lotus Tower ($113 million), the Rajapaksa International Airport ($250 million) or the Hambantota International Port ($1.5 Billion). All of these were financed by China or Chinese companies. Moreover, Sri Lanka started to build a dangerous debt. ----- Columbus Lotus Tower In the case of Hambantota, CMPort (China Merchants Port) ended up obtaining a 99 year lease in 2017, as Sri Lanka couldn't afford the cost. Even though the use of the port was intended for commercial purposes, we can see how this agreement already triggered some alarms. For instance, Anjelina Patrick, Research Associate at the National Maritime Foundation (NMF) wrote _"[...] internal security of the port will be controlled only by the Chinese company, thus providing a_ _loophole to Chinese employ the military for the internal security role. Therefore, the Lankan_ _government has indicated that [...] it would neither affect the sovereignty of the country nor lead_ _to any inimical military presence" . She also expressed concerns about the Chinese debt trap._ [This debt trap has even been claimed by individuals like Richard Moore, the head of Britain's](https://www.bbc.com/news/59585507) foreign intelligence agency (MI6): "China lends money to other countries, which end up having _to cede control of key assets if they can't meet their debt repayments [...] One example often_ _cited by critics of China is Sri Lanka, which years ago embarked on a massive port project in_ _Hambantota with Chinese investment"._ ###### Sri Lanka and China - Current situation Sri Lanka's financial problems became worse over time. Corruption, COVID-19, terrorism, debts and wrong financial decisions ended up in a bankrupt country. Gotabaya Rajapaksa (Mahinda ----- Rajapaksa s brother and president at the time) finally left the country in July 2022. At the time of writing, the country faces an inflation of around 80%, and a debt near 120%. The population is experiencing serious troubles as basic needs are often not met and foreign aid to get out that situation is needed. We have seen how China has demonstrated interest about the island, and played an important role in its fate. Sri Lanka's location in South Asia is strategic for China as it has open access to the Indian Ocean and is close to India. Looking at this cyberattack, it happened in mid August just when the Yuan Wang 5 Chinese ship docked at Hambantota's port. _Sri Lanka's location is attractive due to its proximity to India and Indian Ocean_ ----- ### Conclusion Winnti remains active and its arsenal keeps growing as one of the most sophisticated groups nowadays. We have never seen Winnti use Dropbox as C&C before but it seems that using these cloud services for malicious purposes has become more popular among actors. Some may think that China is taking advantage of Sri Lanka's weaknesses and that the PLA could have in mind military activities at Hambantota. China's military expansion is something [that has already happened. Back in 2017, we saw how they opened the PLA Djibouti base, a](http://www.xinhuanet.com//english/2017-07/11/c_136435716.htm) [naval base located in the horn of Africa (Djibouti also has a big debt owed to China ).](https://www.forbes.com/sites/katharinabuchholz/2022/08/19/the-countries-most-in-debt-to-china-infographic/) China's version is that the ship " _was conducting scientific research in accordance with_ _international law"_ . On the other hand, _"US Defense Department says the ship is under the_ _command of the People's Liberation Army (PLA)[...]" and in particular, under Strategic Support_ Force (SSF) "a theater command-level organization established to centralize the PLA's strategic _space, cyber, electronic, information, communications, and psychological warfare missions and_ _[capabilities" More information here and here . Of course, we cannot state that both events](https://media.defense.gov/2021/Nov/03/2002885874/-1/-1/0/2021-CMPR-FINAL.PDF)_ (cyberattack and ship arrival) are related but we just point out how both happened at the same time along with China's existing interests in Sri Lanka. Western countries have also made some moves. Geopolitically, it would be a poor decision to leave Sri Lanka with China as the only alternative. The Indian and Sri Lanka governments have been in talks about debt restructuring and it is expected that the IMF will approve a $3 billion loan to the country in December. Once we identified this campaign, we reached out to Dropbox and they immediately disable the account that was used as a C&C server. Malwarebytes customers are protected against this attack; the new backdoor we found is detected as Trojan.DBoxAgent. ----- ### Indicators of Compromise (IOCs) ###### Indicator Type Description ###### hxxps:// drive[.]google[.]com/u/1/ uc? id=1BzqN5BUfLJ8a0LRfKNa RdL4e1jg8X2PU&export=do wnload ###### ISO download link on URL Google Drive ###### a9d967243678d31ba5027d 1802fbc1606c10b7743d6d SHA256 Hash ISO file 6851eddc32b9281eb2f6 1fd0018a96a1171470f84d4 d745cf11c246b785d3b60fb SHA256 Hash ISO file 957c0677399d597291 be7f7955a296874f238da6e c5b63ffec995429ee1833e7 SHA256 Hash Shortcut (LNK) file fbcc294e36eeacbca4 904189ef4cec6ad4603918 e63e0b2e477cb11503315a SHA256 Hash DBoxAgent d3822437ee75920793f4 8dc38dcd26c62e93c81e7f 4408b83ec4d2adfe9a06cf SHA256 Hash SerialVLogger ebef0de945b338ec3c8b 206e93703e8d518ebe750 593ff0c41b3c7ec3fd2fda2e SHA256 Hash Loader 107341ebc2889ee061c SHA256 Hash KeyPlug ----- ###### Indicator Type Description 67baf182cad7c65df8fe392 0d6b58293c5e0c9cb574d 43abd045077a1d33fc67 dash[.]lcmbk[.]com Domain Winnti-APT -----