###### CHA Minseok (Jacky Cha, 車珉錫)
Senior Principal Malware Researcher, ASEC | Analysis Research Team
AVAR 2019 Osaka (November 7, 2019)
-----
###### Lazarus
-----
###### Tick cyberespionage group (2016)
- Tick == Bronze Butler == RedBaldKnight == Nian
-----
(Diagram: infection vectors and targets)
- Infection vectors: spear phishing, watering hole, vulnerability in an asset management program, USB flash drive
- Targets: political organizations, defense industry, IT service, electronics, energy
-----
|Date|Target|Details|
|---|---|---|
|Mar. 2014|Korea - Defense Industry|Attacked with Netboy variant; multiple infections by the same variant reported in Korea|
|Jan. 2015|Korea - Major Company A|Attacked with Bisodown variant|
|Apr. 2015|Korea - ?|Modified the EXE file in the USB memory|
|May 2015|Korea - Major Company B|Attacked with Netboy variant|
|Feb. 2016|Korea - Marine Industry|Attacked with Daserf variant; identical to the Daserf malware found at a Korean telecommunications company in Jun. 2016|
|Jun. 2016|Korea - Telecommunications Company|Attacked with Daserf variant|
|Sep. 2016|Korea - Energy Industry|Attacked with Datper variant|
-----
|Date|Target|Details|
|---|---|---|
|Apr. 2017|Korea - ?|Attacked via a Korean secure USB, reported by Palo Alto Unit 42 in 2018|
|May 2018|Korea - Supposedly National Defense|Attacked with a variant of Bisodown; with national defense documents shown as bait, national defense officials are assumed to have been the targets|
|May 2018|Korea - Political Organization|Attacked with Bisodown|
|Aug. 2018|Korea - National Defense|Attacked with Bisodown variant; variant found together with a keylogger named Linkinfo.dll on the infected system|
|Sep. 2018|Korea - Political Organization|Attacked with Datper variant|
|Jan. 2019|Korea - Information Security|Attacked with Datper variant, reported by JPCERT in Feb. 2019|
|Jan. 2019|Korea - Web Hosting|Identical to the malware found at a Korean information security company in Jan. 2019|
|Feb. 2019|Korea - Electronic Components|Attacked with Datper variant, reported by JPCERT in Feb. 2019|
|Feb. 2019|Korea - IT Service|Attacked with Datper variant; identical to the malware that attacked a Korean electronic component company|
-----
###### Builders and controllers
- Nforce11-02 v1.0: creates malicious PDFs; "CheCheCheChe2010" prototype
- Anti 1.03: anti-AV
- NetBoy 1.21 (2011): builder/controller
- Xxmm v1.0 (2014): file name gh0st.exe
- NetShadow v1.0 (2015)
- xxmm2_steganography.exe (2015)
- xxmm2_build (2015)
- ShadowDawn (2016): file names wali_build.exe, shadowDawn.exe
- NetGhost v2.1 & v2.41 (2017): some variants protected with a password
-----
###### Stage 2
-----
###### Bisodown (Cpycat, HomamDownloader)
- Discovered between April 2014 and Feb. 2019
- Downloader
- Also used by the Tonto Group
-----
###### GhostDown
- Discovered between Feb. 2013 and Feb. 2018
- Encrypted strings, such as API addresses and the C&C address (generally XOR 0xDF)
-----
###### Domains created at certain services
- dnsever etc.
-----
###### Gofarer
- Downloader
- Digital signature details: does "Heruida Electronic Technology" exist?
- Infections found only in Japan
-----
###### Daserf (Muirim, Nioupale, Postbot)
- First discovered in 2009 (in Apr. 2011 in Korea)
- Mostly 30-40 KB (some are 100 KB or more)
- Versions written in Delphi and in C
- Main functions: view file lists, execute commands with cmd.exe, upload/download/delete/execute/uninstall files
- C&C information encrypted in the version information and at the end of the file
-----
###### Netboy (Domino, Invader, Kickesgo)
- Actively discovered after 2010; the initial DLL-format version was discovered in Korea in 2008
- Written in Delphi
- Major strings encrypted with XOR 0x7C
- Injected into processes such as Explorer.exe
- Functions include keylogging, screen capture, process listing, and program execution
- Code changed (2012); analysis disrupted by adding garbage values (2013)
-----
###### Ninezero (9002)
- Discovered between 2012 and 2013
- Dropper 70 KB, backdoor DLL 33 KB
- Distinctive export function in the DLL file
- Netboy also found on some systems
-----
###### Xxmm (KVNDM, Minzen, Murim, ShadowWali, Wali, Wrim)
- First discovered in 2015, actively used from 2016 (the initial version includes the "xxmm" string)
- The initial version includes a distinctive PDB path 'C:\Users\123\Desktop\shadowDoor\Release\loadSetup.pdb' -> removed after Dec. 2015
- Consists of a Dropper, a Loader, and a Backdoor
- Creates files larger than 50 MB
- Communication encrypted with one-time AES and RC4 keys; active only at specific times
-----
###### Xxmm
(Diagram: Xxmm execution flow; step 2: Drop)
-----
###### Datper
- Discovered between 2015 and March 2019
- Written in Delphi
- Active in Korea and Japan
- Garbage values embedded in the middle of the code
- Keylogger and Mimikatz found on infected systems
-----
###### Keylogger A (2011)
- Discovered between April and May 2011
- File name: keyll.exe
- Keystrokes saved in c:\windows\log.txt
- Daserf found on the infected system
-----
###### Keylogger B (2017-2018)
- Discovered between 2017 and 2018
- File names: apphelp.dll, k6.dll, linkinfo.dll etc. (40-50 KB)
- Bisodown and Datper found on infected systems
-----
###### Keylogger C (2017-2018)
- Discovered between Apr. 2017 and Feb. 2018; mainly found on Tickusb-infected systems
- File names: linkinfo.dll, netutils.dll
- Keystrokes saved to a log file
-----
###### ScanLine by Foundstone
- File names: intelamt.tmp, l.dat, ls.tmp, msp.exe, sl-p.exe
-----
###### Hijack v2.0
- Disguised as a Hancom Hangul file (C:\HNC\Hwp70\hwp70.exe)
- ARP spoofing attacker
-----
###### WCE (Windows Credentials Editor)
- File signed with the Heruida Electronic certificate found (2016)
-----
###### Mimikatz
- mi.exe, mi2.exe, m3.exe, m32.exe, m6.exe, mim6.exe, mimi32.exe
-----
###### NetTool (1,051,648 ~ 4,168,192 bytes)
- Initially discovered in early September 2018
- Major file names: comhost.exe, conh0st.exe, dllh0st.exe, dt.tmp, spoolsv.exe, taskh0st.exe, w3wp.exe
-----
###### RAR v3.3 command line
- File name: tmp.dat
-----
###### Attacks using a Korean secure USB flash drive
- Malware infection performed via variant-installing programs
- Presumed to be an attempt to attack network-isolated systems by using a Korean secure USB drive
-----
###### Tickusb (SymonLoader)
- Found to be active from spring 2014 to Nov. 2017 (possibly even before Sep. 2012)
- First analysis disclosed by Unit42 in Jun. 2018
- Saved information leaked and data modified when a USB flash drive is connected
- Some variants found in the Korean secure USB flash drive: execute by reading data from a specific area; the executed code is not yet confirmed
- Modified EXE file and patched ALYAC25.EXE file found within some modified USB flash drives
-----
###### Composition of Tickusb
- Consists of a DLL, which acts as the loader, and an EXE file containing the main code
- Main functions of the DLL (loader): executes the Tickusb EXE when a USB flash drive is connected; downloads additional files
- Main functions of the EXE file: collects information within the USB flash drive, infects EXE files, and patches ALYAC25.EXE
- Modified EXE within a USB flash drive: runs by creating a Downloader or a Tickusb variant
-----
###### Dropper
- Modified (infected) by Tickusb -> creates a Downloader
-----
(Diagram: Stage 1 -> Stage 2 -> Stage 3)
-----
|Discovered Date|File Content|Details|
|---|---|---|
|2014.03|?.exe|Disclosed by Unit42 in 2018. Standalone EXE. Presumed to be an earlier version from before 2014|
|2015.04|CRYPTBASE.dll|Assumed to have been created in December 2014. Independent DLL. Collects system information and file information within the USB flash drive.|
|2015.06|BrWeb.dll, wsmt.exe|Loads "BrWeb.dll" by patching a Brother Printer-related file. Downloads files. ALYAC25.exe patch function. Scans *.hwp files. Infects EXE files. Additional malware is found.|
|2015.06|CRYPTBASE.dll, svcmgr.exe|Bnb Solution comparison functions were added. The EXE modification function was added.|
|2015.07|?.dll (unconfirmed), ctfmon.exe||
|2015.07|CRYPTBASE.dll, svcmgr.exe (not yet obtained)||
|2016.10|wincrypt.dll, wsmt.exe (not yet obtained)|Export functions similar to those of CRYPTBASE.dll|
|2017.01|wincrypt.dll||
|2017.11|wincrypt.dll||
-----
###### Early Tickusb
- Built on Sept 27th, 2012 (!)
- Reads data from a specific area when a Bnbsol secure USB flash drive is attached to the system -> the code is not yet confirmed
-----
###### CRYPTBASE.DLL (73,216 bytes)
- Presumed to have been built on Dec. 29, 2014
- Independent DLL type (without an EXE execution function)
- Functions:
  - Collects the file list within the USB flash drive
  - Deletes the 'C:\WINDOWS\system32\CatRoot\{375EA1F-1CD3-22D3-7602-00D04ED295CC}\TAG' file
  - Checks the URL (.co, .net, .kr, .kt, .co, www.) -> checks 'peacenet.go.kr' -> collects system information
  - Searches for VPN Cliend.exe and IPPEManager.exe among processes -> collects system data
-----
(Diagram: Stage 1 Brother Printer -> Stage 2)
-----
###### Patcher: iff.exe (24,576 bytes)
- -b: modifies and executes a specific EXE file (file size increases)
- -l: modifies an EXE file to load a specific DLL file (file size remains the same)
- Presumed to have been generated in a non-English-speaking region, considering the awkward sentences and typos ("Suces" for "Success")
-----
###### Key malware
- Entry point -> get API address -> CreateFile -> ReadFile -> WinExec
- `00404342 > $ E9 884A0000 JMP md5sum_m.00408DCF ; JUMP Malware Entry Point`
-----
###### Patched: BrStMonW.exe (2,629,632 bytes)
- Patched using iff.exe -l
- Entry point instruction patched (CALL instruction -> JMP instruction)
- Code that loads BrWeb.dll added to an empty section of BrStMonW.exe
-----
###### Loader: BrWeb.dll (79,360 / 78,848 bytes)
- Disguised as a Brother printer driver
- Keeps a log in Credentials.csv
- If a USB flash drive is attached to the system, executes C:\WINDOWS\System32\migration\WSMT\wsmt.exe
- Reads C:\Windows\schemas\AvailableNetwork\basev1.xsd -> file not yet obtained
- Every Monday and Thursday, downloads code from http://updata.saranmall.com/script/main.html to create MSUPDATA.EXE
-----
###### Infector: wsmt.exe (25,088 bytes)
- Keeps a log in FlashHistory.dat
- Finds EXE files in the USB flash drive and adds the data read from C:\Windows\AppPatch\Custom\Custom64\apihex.dat
- For the ALYAC25.exe file, patches a specific section
-----
###### Modified (infected) EXE
(Diagram: 1. Jump -> 2. Drop code -> 3. Execute malware)
-----
###### Cryptbase.dll (51,712 bytes)
- %ProgramFiles%\common files\java\java update\cryptbase.dll
- Includes the export functions of the Cryptbase.dll file
-----
###### Cryptbase.dll (51,712 bytes)
- Main code strings
-----
###### svcmgr.exe (32,768 bytes)
- Infects EXE files
- Patches ALYAC25.exe
-----
###### wincrypt.dll (77,824 ~ 1,589,760 bytes)
- Discovered 2016.10 ~ 2017.11
-----
###### Tickusb: wincrypt.dll (2016.10)
- Runs wsmt.exe when a USB flash drive is connected to the system (the EXE file was not identified)
-----
###### Code comparison of a sample known as a Dropper with an infected sample
- The sample appears to be a modified Tickusb file rather than a Dropper
-----
###### Dropper
- Not only a Dropper but also a modified PE!
-----
###### Correlations with C2
- amamihanahana.com: Xxmm, Datper
- 211.13.196.164: Datper, Emdivi (campaign Blue Termite)
-----
- File names different from normal file names
- Incorrect operation or interruption of security software
- An executable file larger than 50 MB (especially if written in Delphi)
- Suspicious file names (WinRAR console, port scanner, etc.)
- System access to a recently registered domain
-----
###### Registers www.eneygylakes.com (61.111.255.225 – Korea), 2019.01
-----
- Tick Group is a threat actor that has been active in Korea and Japan for the past ten years!
- Question 1. Are they the same group?
  - Existence of a malware builder
  - Same code reused
- Question 2. Connection to Tonto Team
  - Some malware is used simultaneously
  - Some infrastructure, such as C&C, is shared
  - What is the connection between these groups? Collaboration? Same group? Coincidence?
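Netboy and GhostDown (earlier slides) keep their API names and C&C strings under a single-byte XOR (0x7C and 0xDF respectively). The Python below is an added example, not code from the presentation or from AhnLab: it recovers an unknown single-byte key from an obfuscated string table by scoring each of the 256 candidate keys, then splits out the decoded strings. The sample blob is constructed here with key 0x7C, and the marker tokens are an assumption about what a backdoor's string table usually contains.

```python
"""Recover a single-byte XOR string table, as used by Netboy (0x7C) and GhostDown (0xDF)."""
from typing import Iterable, List, Tuple

# Tokens an analyst expects in a backdoor's decoded string table (assumed markers).
MARKERS = (b"http", b".dll", b".exe", b"cmd", b"kernel32", b"GetProcAddress")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def score_plaintext(buf: bytes) -> int:
    """Printable ASCII and NUL/whitespace separators score up, binary junk scores down,
    and marker tokens add a large bonus so the true key beats near-miss keys."""
    score = 0
    for b in buf:
        score += 1 if (0x20 <= b < 0x7F or b in (0x00, 0x09, 0x0A, 0x0D)) else -2
    for m in MARKERS:
        score += 20 * buf.count(m)
    return score


def recover_key(blob: bytes, candidates: Iterable[int] = range(256)) -> int:
    """Return the candidate key whose output looks most like a string table."""
    return max(candidates, key=lambda k: score_plaintext(xor_bytes(blob, k)))


def extract_strings(buf: bytes, min_len: int = 4) -> List[str]:
    """Split decoded data on NUL and keep fully printable runs of at least min_len bytes."""
    out = []
    for chunk in buf.split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= b < 0x7F for b in chunk):
            out.append(chunk.decode("ascii"))
    return out


def recover_strings(blob: bytes) -> Tuple[int, List[str]]:
    """Key recovery plus string extraction in one step."""
    key = recover_key(blob)
    return key, extract_strings(xor_bytes(blob, key))


# Constructed sample: a NUL-separated string table obfuscated with the Netboy-style key 0x7C.
SAMPLE_PLAINTEXT = (b"kernel32.dll\x00GetProcAddress\x00cmd.exe /c\x00"
                    b"http://example.invalid/update\x00")
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, 0x7C)

if __name__ == "__main__":
    key, strings = recover_strings(SAMPLE_BLOB)
    print(f"recovered key: 0x{key:02X}")
    for s in strings:
        print("  ", s)
```

The scoring is deliberately crude: on a real dump, restrict `candidates` to the keys the family is known to use first (0x7C, 0xDF) and fall back to the full range only when neither produces readable output.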
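The iff.exe -l patch described above replaces the first instruction at the host's entry point with a JMP into loader code planted in an otherwise empty section, and the "Key malware" slide shows that instruction form (E9 rel32, the jump from 00404342 to 00408DCF). The Python below is an added example, not AhnLab's tooling: a stdlib-only PE header walk that decodes an E9 near jump at the entry point and flags it when the target lies in another section or in the zero-filled slack of the entry section. `build_pe` and the three sample images are constructed here for the demonstration; the real BrStMonW.exe is not reproduced.

```python
"""Flag an entry-point JMP hook of the kind iff.exe -l leaves in a patched host EXE."""
import struct


def decode_jmp_rel32(addr: int, code: bytes):
    """Target of an E9 rel32 near jump located at addr, or None if the bytes are not one."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel, = struct.unpack_from("<i", code, 1)
    return (addr + 5 + rel) & 0xFFFFFFFF


def parse_pe(pe: bytes):
    """Minimal PE32/PE32+ header walk: returns (AddressOfEntryPoint, section list)."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)         # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)    # SizeOfOptionalHeader
    opt_off = e_lfanew + 24
    entry_rva, = struct.unpack_from("<I", pe, opt_off + 16)    # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt_off + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize})
    return entry_rva, sections


def section_for(sections, rva):
    """Section whose mapped range (including zero-filled raw slack) covers rva, else None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def check_entry_point(pe: bytes) -> dict:
    """Suspicious if the first instruction at the entry point is a JMP that leaves the entry
    section or lands in its slack, where an injected loader stub is typically placed."""
    entry_rva, sections = parse_pe(pe)
    ep = section_for(sections, entry_rva)
    res = {"entry_section": ep["name"] if ep else None, "target_section": None,
           "suspicious": False, "reason": "clean"}
    if ep is None:
        res.update(suspicious=True, reason="entry point outside every section")
        return res
    off = ep["rawptr"] + (entry_rva - ep["va"])
    target = decode_jmp_rel32(entry_rva, pe[off:off + 5])
    if target is None:
        return res
    tgt = section_for(sections, target)
    res["target_section"] = tgt["name"] if tgt else None
    if tgt is None:
        res.update(suspicious=True, reason="entry JMP leaves the image")
    elif tgt is not ep:
        res.update(suspicious=True, reason="entry JMP into another section")
    elif target >= ep["va"] + ep["vsize"]:
        res.update(suspicious=True, reason="entry JMP into section slack")
    return res


def build_pe(sections, entry_rva: int) -> bytes:
    """Constructed minimal PE32 image for testing; sections = [(name, rva, raw_bytes, virtual_size)]."""
    ALIGN, OPT = 0x200, 0xE0
    hdr_len = 0x40 + 4 + 20 + OPT + 40 * len(sections)
    raw0 = -(-hdr_len // ALIGN) * ALIGN
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)                               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT, 0x102)
    opt = bytearray(OPT)
    struct.pack_into("<H", opt, 0, 0x10B)                                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table, body = b"", b""
    for name, rva, data, vsize in sections:
        rawsize = -(-len(data) // ALIGN) * ALIGN
        table += struct.pack("<8sIIIIIIHHI", name, vsize, rva, rawsize, raw0 + len(body),
                             0, 0, 0, 0, 0x60000020)                      # code | exec | read
        body += data.ljust(rawsize, b"\x00")
    head = bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + table
    return head.ljust(raw0, b"\x00") + body


# Constructed samples (not real Tick binaries). Entry point at RVA 0x1000 in .text.
ORIGINAL_CODE = b"\xE8\x10\x00\x00\x00\xC3"                      # CALL rel32 ; RET
STUB = b"\x90" * 8 + b"\xC3"                                      # placeholder loader bytes
CLEAN = build_pe([(b".text", 0x1000, ORIGINAL_CODE, 6),
                  (b".data", 0x2000, b"\x00" * 16, 16)], 0x1000)
# -l style patch: the CALL at the entry point becomes a JMP to a stub written into the
# zero-filled tail of .data (RVA 0x2100), i.e. into another section.
PATCHED_OTHER = build_pe([(b".text", 0x1000, b"\xE9" + struct.pack("<i", 0x2100 - 0x1005) + b"\xC3", 6),
                          (b".data", 0x2000, b"\x00" * 0x100 + STUB, 16)], 0x1000)
# Same hook, but the stub sits in .text's own raw slack beyond VirtualSize (RVA 0x1100).
PATCHED_SLACK = build_pe([(b".text", 0x1000, b"\xE9" + struct.pack("<i", 0x1100 - 0x1005) + b"\xC3"
                           + b"\x00" * (0x100 - 6) + STUB, 6)], 0x1000)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("patched-other", PATCHED_OTHER), ("patched-slack", PATCHED_SLACK)):
        print(label, check_entry_point(img))
```

A JMP at the entry point is not proof of tampering on its own (some packers and compilers emit one), so treat the result as a triage signal to be confirmed against a known-good copy of the host file.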
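For the detection hints listed above, the Python below is an added example (not from the presentation) that scores a single file observation against those hints: oversized executables, especially Delphi builds; names from the tool list on the earlier slides; "0"-for-"o" look-alikes of system binaries such as conh0st.exe; system binary names outside the system directory; and contact with a young domain. The name sets, Delphi markers and sample observations are constructed here and are assumptions, not an AhnLab IoC list; the domain age would come from WHOIS or passive DNS.

```python
"""Triage a file observation against the slide's detection hints: oversized EXEs (especially
Delphi builds), known tool names, look-alike system binary names, misplaced system binaries,
young domains, and security-software malfunction."""
from dataclasses import dataclass
from typing import List, Optional

MB = 1024 * 1024
# Constructed from file names on the earlier slides; not an authoritative IoC feed.
TOOL_NAMES = {"intelamt.tmp", "l.dat", "ls.tmp", "msp.exe", "sl-p.exe", "tmp.dat", "dt.tmp", "keyll.exe",
              "mi.exe", "mi2.exe", "m3.exe", "m32.exe", "m6.exe", "mim6.exe", "mimi32.exe"}
SYSTEM_BINARIES = {"conhost.exe", "dllhost.exe", "taskhost.exe", "spoolsv.exe", "svchost.exe", "w3wp.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Runtime strings typically present in Delphi-built binaries (assumed markers; tune for your samples).
DELPHI_MARKERS = (b"Borland", b"Embarcadero", b"Delphi")


@dataclass
class FileObservation:
    path: str
    size: int
    head: bytes = b""                       # leading bytes of the file, for PE and Delphi checks
    domain: Optional[str] = None            # domain the process contacted, if any
    domain_age_days: Optional[int] = None   # from WHOIS or passive DNS, if known
    av_error: bool = False                  # security software malfunction reported on this host


def lookalike_of(name: str) -> Optional[str]:
    """'conh0st.exe' -> 'conhost.exe': digit-for-letter substitution of a system binary name."""
    if name in SYSTEM_BINARIES:
        return None
    candidate = name.replace("0", "o").replace("1", "l")
    return candidate if candidate in SYSTEM_BINARIES else None


def triage(obs: FileObservation) -> List[str]:
    """Return the hints that match; an empty list means none of the slide's hints applies."""
    path = obs.path.lower().replace("/", "\\")
    name = path.rsplit("\\", 1)[-1]
    hits: List[str] = []
    if obs.head.startswith(b"MZ") and obs.size > 50 * MB:
        hits.append("executable larger than 50 MB")
        if any(m in obs.head for m in DELPHI_MARKERS):
            hits.append("oversized executable built with Delphi")
    if name in TOOL_NAMES:
        hits.append(f"known tool file name: {name}")
    look = lookalike_of(name)
    if look:
        hits.append(f"system binary look-alike: {name} vs {look}")
    if name in SYSTEM_BINARIES and not path.startswith(SYSTEM_DIRS):
        hits.append(f"system binary name outside the system directory: {obs.path}")
    if obs.domain and obs.domain_age_days is not None and obs.domain_age_days < 30:
        hits.append(f"contacts a recently registered domain: {obs.domain} ({obs.domain_age_days} days old)")
    if obs.av_error:
        hits.append("security software malfunction reported")
    return hits


# Constructed observations (no real hosts or samples).
SAMPLES = [
    FileObservation(r"C:\Windows\System32\conhost.exe", 300_000, b"MZ" + b"\x00" * 64),
    FileObservation(r"C:\Users\Public\conh0st.exe", 2 * MB, b"MZ" + b"\x00" * 64),
    FileObservation(r"C:\ProgramData\spoolsv.exe", 60 * MB, b"MZ" + b"\x00" * 64 + b"Embarcadero Delphi",
                    domain="example.invalid", domain_age_days=12),
    FileObservation(r"C:\Temp\tmp.dat", 1_000, b"Rar!"),
]

if __name__ == "__main__":
    for obs in SAMPLES:
        print(obs.path, "->", triage(obs) or ["no hint matched"])
```

Each hint alone is weak (large Delphi executables and stray copies of spoolsv.exe both occur legitimately), which is why the function returns every matched reason rather than a single verdict: the number and combination of hits is what should drive escalation.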
-----
### Attacker
-----
###### Necessity of cooperation and collaboration
- Collaboration is required between researchers in Korea and Japan, who are experiencing similarly active attacks.
- It is important to disclose and share information.
- Cooperated with Japanese and Taiwanese analysts. (Thanks!)
- AhnLab will share relevant information with members of the industry.
-----
# Thank you for your attention!
## CHA Minseok (Jacky)
### minseok.cha@ahnlab.com | mstoned7@gmail.com | @mstoned7
-----