# Russian Army Exhibition Decoy Leads to New BISKVIT Malware

**[fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html](https://www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html)**

August 20, 2018 | Threat Research

[By Jasper Manuel and Rommel Joven | August 20, 2018](https://www.fortinet.com/blog/search.html?author=Jasper+Manuel+and+Rommel+Joven)

A few days ago, the FortiGuard Labs team found a malicious PPSX file exploiting CVE-2017-0199 that had been crafted for Russian speakers. The filename “Выставка” translates to “Exhibition”. On further examination, the PPSX file appears to have been targeted at an exhibition held annually in Russia, the Army 2018 International Military and Technical Forum. This is one of the largest exhibitions of military weapons and special equipment, not only in Russia but also among similar exhibitions worldwide. The discovery of this malicious document is very timely, since the event is scheduled to be held August 21-26, 2018.

Figure 01. Decoy file

Another interesting element of this malware is the included paragraph, shown below.

Figure 02. Invitation in Russian

This roughly translates to:

**_Closed dynamic show of modern and prospective samples of military armament and special equipment for the “reconnaissance and raid action of combined-arms units”_**

While [the event](http://www.rusarmyexpo.com/) is open to anyone, organizers from last year set up [specialized expositions that include “demonstrations behind closed doors.”](https://www.ainonline.com/aviation-news/defense/2017-08-25/russias-army-show-may-eclipse-better-known-maks-event) These cater to selected guests, for whom pieces of classified equipment are displayed, including large aerial vehicles and missiles.
That being said, we believe that this malicious document is being targeted at those selected guests who want to be, or already are, included in these closed-door invitations. This year’s event already has [66 official foreign delegations confirming their participation](http://tass.com/defense/1014966). We will take a look at how a PPSX file could compromise an unpatched system.

**Analysis**

We begin with the malicious PPSX file that exploits CVE-2017-0199 and opens a bait file. [CVE-2017-0199](https://www.fortinet.com/blog/threat-research/an-inside-look-at-cve-2017-0199-hta-and-scriptlet-file-handler-vulnerability.html) is an HTA (HTML application) vulnerability that allows a malicious actor to download and execute a script containing PowerShell commands when a user opens a document containing an embedded exploit. This is not the first time we have encountered an APT abusing this vulnerability. In fact, [previous attacks](https://www.fortinet.com/blog/threat-research/powerpoint-file-armed-with-cve-2017-0199-and-uac-bypass.html) have targeted people from UN agencies, Foreign Ministries, and people and organizations who interact with international governments.

Figure 03. Overview of attack

Once the PPSX file is opened, it triggers a script in ppt/slides/_rels/slides1.xml.rels. The exploit then downloads additional code from the remote server, as shown in Figure 04, and executes it using the PowerPoint Show animations feature.

Figure 04. PPSX file exploiting CVE-2017-0199

Shown below is the code fetched from the remote server once the PowerShell exploit embedded in the XML file executes successfully; it downloads an executable payload into %Temp%.

Figure 05. defender XML

When executed, Defender.exe drops the following files:

Figure 06. TMPEC4E directory

- SynTPEnh – a directory with the BISKVIT malware package
- Csrtd.db – an encrypted configuration file used by DevicePairing.exe for autorun installation

Figure 07.
Decrypted configuration

- DevicePairing.exe – also identified in the code as "AutorunRegistrator"; its function is to copy the SynTPEnh directory to %appdata% and add it to the autorun registry entry
- DevicePairing.exe.config – a runtime configuration file
- Kernel32.dll – a common library of BISKVIT malware
- Newtonsoft.Json.dll – a popular JSON serializer for .NET

**BISKVIT**

The BISKVIT Trojan is a multi-component malware written in C#. We dubbed this malware BISKVIT based on the namespaces used in the code, which contain the word “biscuit”. Unfortunately, there is already an existing, unrelated malware called BISCUIT, so BISKVIT, the Russian translation of biscuit, is used instead.

Figure 08. Biscuit modules

Due to the modular nature of BISKVIT, it is difficult to determine all of its functionality exactly, since components are only downloaded and loaded on the fly at the direction of the attacker. As of this writing, we have only been able to download one component. So far, based on the code of the components we were able to acquire, this malware is capable of at least the following:

- Downloading files and components
- Hidden/stealthy execution of downloaded and local files
- Downloading dynamic configuration files
- Updating itself
- Deleting itself

The BISKVIT malware is copied to %appdata%\SynTPEnh from the %temp% folder, as mentioned above. These are the contents of the %appdata%\SynTPEnh folder:

- SynTPEnh.exe – the main BISKVIT malware file
- Csrtd.db – an encrypted configuration file
- SynTPEnh.exe.config – a runtime configuration file
- Kernel32.dll – a common library of BISKVIT malware
- Newtonsoft.Json.dll – a popular JSON serializer for .NET

The main BISKVIT file disguises itself as the legitimate Synaptics Pointing Device Driver file to avoid arousing the user's suspicion.

Figure 09.
Information disguised as Synaptics

When executed, it initializes its base configuration, which contains the following information:

Figure 10. Base configuration

It then loads and decrypts its configuration file, named csrtd.db. This configuration file is encrypted with AES using the following keys:

Figure 11. Default AES and IV key

Once decrypted, this configuration file contains the command and control server, the time interval used by the malware to check for jobs from the command and control server, an API key, and RSA key information. We didn’t find code references to the RSA encryption method, so we think it is used by other components that we haven’t acquired as of this writing.

Figure 12. Decrypted configuration

**Command and Control Communications**

This malware communicates with the command and control server through REST APIs using the JSON format. The malware first gets an access token by sending an API key. If not specified in the configuration, the API key is generated from the CPU, disk drive, and MAC address information of the infected machine. This API key is a unique ID, which is also used to identify the machine.

Figure 13. Unique Id composition

The API key is sent to the command and control server via an HTTP POST request to the API _/api/auth/token_.

Figure 14. POST ApiKey

The server replies with access token information that is used for the entire session.

Figure 15. Access token

This malware then receives and executes commands from the attacker through a jobs API. It sends an HTTP GET request to the API _/api/job_ to get a job after a certain time has elapsed, as indicated by the interval set in the configuration.

Figure 16. GET api/job

The response is a job with four main keys: id, resultUri, tasks, and executionOptions.

Figure 17.
Job

- id – the job ID
- resultUri – where the malware will HTTP POST the result of the job
- executionOptions – tells the malware whether it will execute the package at a certain time interval, and whether it will be started at startup
- tasks – this key contains information about packages (components/other files) that the attacker wants downloaded to and executed on the infected machine

The executeMode in the key tasks tells the malware how to execute the package.

Figure 18. Execute modes

If the mode is 0, the package is treated as a component/library and is executed with the parameter indicated in the parameters key. If the mode is 1, the package is treated as a file and is executed using either the ShellExecuteEx() or CreateProcess() Windows API, with WindowStyle set to Hidden and CreateNoWindow set to true.

Figure 19. ExecuteHide

If the mode is 2, the package is treated as a file and is executed using the CreateProcessAsUser() Windows API.

Figure 20. StartAsUser

Another interesting feature of this malware is that it saves jobs locally in a folder named _534faf1cb8c04dc881a3fbd69d4bc762_.

Figure 21. Jobs Directory

Jobs are encrypted using the same AES encryption as the configuration file, and are named after their job ID with a .db extension. This means that the malware can continue executing the jobs on its next run even when its current process is interrupted or terminated. After completing a job, the malware deletes the locally saved job.

During our analysis, the malware received a job to download a package with executeMode set to 0. This means the package is a component/library, which can be downloaded from _/api/package/5b61b91da99a25000198dfcc_.

Figure 22. Job with packageId and executeMode

The package from the downloadUri specified in the job resulted in a zip file with a PK header.

Figure 23. Get Package

Packages are stored in the folder 083c57797944468895820bf711e3624f.

Figure 24.
Packages Directory

After checking what component had been downloaded, we discovered that it was a component called FileExecutor, which simply executes the files indicated in the parameters key.

Figure 25. Job and Task’s parameters

This FileExecutor component has the same functionality as executeMode 1: it executes a file using either ShellExecuteEx() or CreateProcess() with WindowStyle set to Hidden and CreateNoWindow set to true. The job above tells the malware to use the _FileExecutor_ component to execute systeminfo with a timeout of 30 seconds, as indicated by the Waittime key. The command systeminfo displays detailed configuration information about a computer and its operating system, including its operating system configuration, security information, product ID, and hardware properties (such as RAM, disk space, and network cards).

Figure 26. Systeminfo data POST to CC

For the C&C to know the status of the running jobs, the result also includes the key _State_, which has the values shown below. The data sent during our analysis had State equal to 2, meaning the job is complete.

Figure 27. Job States

After the systeminfo job, it seemed that the attacker noticed that the machine he/she had sent the job to was an analysis machine, so the C&C stopped sending any jobs. This could only mean that the attacker behind this attack is being very careful not to infect computers that are not targets and to avoid alerts. While it is not new for C&C servers used in targeted attacks to suddenly stop responding after collecting basic information about the victim’s computer, the C&C used here is not completely blocking its communication. Instead, it just stopped sending jobs. This enables researchers and analysts to continue monitoring the C&C.

**Low AV Detection**

Interestingly, even though the malware files are not packed or obfuscated, only a few AV vendors, including Fortinet, were able to detect the files.
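The on-disk layout described in the BISKVIT section above (the %appdata%\SynTPEnh package, the %temp% staging directory holding DevicePairing.exe next to a SynTPEnh subdirectory, and the 534faf1cb8c04dc881a3fbd69d4bc762 job store and 083c57797944468895820bf711e3624f package store) can be hunted for with the following added example, which is not Fortinet's code. It scans whatever root directory it is given, so it works on a mounted image or on the constructed test tree it builds itself; the write-up does not say where the two store directories live, so their placement in the sample tree is an assumption.

```python
import os
import tempfile

# Directory names the write-up documents for the local job and package stores.
STORE_DIRS = {
    "534faf1cb8c04dc881a3fbd69d4bc762": "job store",
    "083c57797944468895820bf711e3624f": "package store",
}

def hunt_biskvit(root):
    """Walk `root` and report BISKVIT-style artefacts; read-only, nothing is removed."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        names = {f.lower() for f in filenames}
        base = os.path.basename(dirpath).lower()
        # The installed package: a SynTPEnh directory holding the main file and its config.
        if base == "syntpenh" and {"syntpenh.exe", "csrtd.db"} <= names:
            findings.append({"kind": "package directory", "path": dirpath,
                             "files": sorted(filenames)})
        # The %temp% staging copy: AutorunRegistrator and its config beside a SynTPEnh dir.
        if {"devicepairing.exe", "csrtd.db"} <= names and "syntpenh" in {d.lower() for d in dirnames}:
            findings.append({"kind": "staging directory", "path": dirpath,
                             "files": sorted(filenames)})
        if base in STORE_DIRS:  # jobs are saved as <jobid>.db, packages arrive as zip files
            findings.append({"kind": STORE_DIRS[base], "path": dirpath,
                             "files": sorted(filenames)})
    return findings

def build_sample_tree():
    """Constructed tree mirroring the layout described above (the write-up does not say
    where the two store directories live, so their placement here is arbitrary)."""
    root = tempfile.mkdtemp(prefix="biskvit_hunt_")
    layout = {
        "Temp/TMPEC4E": ["DevicePairing.exe", "DevicePairing.exe.config", "Csrtd.db",
                         "Kernel32.dll", "Newtonsoft.Json.dll"],
        "Temp/TMPEC4E/SynTPEnh": ["SynTPEnh.exe", "Csrtd.db"],
        "AppData/Roaming/SynTPEnh": ["SynTPEnh.exe", "SynTPEnh.exe.config", "Csrtd.db",
                                     "Kernel32.dll", "Newtonsoft.Json.dll"],
        "AppData/Roaming/534faf1cb8c04dc881a3fbd69d4bc762": ["JOB-PLACEHOLDER.db"],
        "AppData/Roaming/083c57797944468895820bf711e3624f": ["PKG-PLACEHOLDER.zip"],
        "Program Files/PointingDevice": ["SynTPEnh.exe"],  # lone file, no config: not flagged
    }
    for rel, files in layout.items():
        d = os.path.join(root, *rel.split("/"))
        os.makedirs(d, exist_ok=True)
        for name in files:
            open(os.path.join(d, name), "wb").close()
    return root
```

Running `hunt_biskvit(build_sample_tree())` yields five findings: two package directories, the staging directory, the job store and the package store; the lone SynTPEnh.exe without Csrtd.db is left alone.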
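As an added example (not code from the Fortinet write-up), the following Python flags the check-in sequence described in the Command and Control section in web-proxy logs: a POST to /api/auth/token followed by fixed-interval GET /api/job polls from the same client to the same host, plus any /api/package/ download. The log lines are constructed and the one-request-per-line layout (epoch, client, host, method, path, status) is an assumption; the second client shows that polls issued before the token request are not counted.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed proxy lines (epoch client host method path status). The C2 host and the
# /api/auth/token, /api/job and /api/package/<id> paths are the ones the write-up documents.
SAMPLE_LOG = """\
1534758000 10.0.0.7 bigboss.x24hr.com POST /api/auth/token 200
1534758010 10.0.0.7 bigboss.x24hr.com GET /api/job 200
1534758610 10.0.0.7 bigboss.x24hr.com GET /api/job 200
1534759210 10.0.0.7 bigboss.x24hr.com GET /api/job 200
1534759220 10.0.0.7 bigboss.x24hr.com GET /api/package/5b61b91da99a25000198dfcc 200
1534758020 10.0.0.9 intranet.example.invalid GET /api/job 200
1534758030 10.0.0.9 intranet.example.invalid GET /api/job 200
1534758100 10.0.0.9 intranet.example.invalid POST /api/auth/token 200
"""

def detect_biskvit_checkins(log_text, min_polls=2):
    """One finding per (client, host) that POSTs /api/auth/token and then polls /api/job."""
    sessions = defaultdict(lambda: {"token": [], "job": [], "pkg": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, method, path, _status = line.split()
        s = sessions[(client, host)]
        if method == "POST" and path == "/api/auth/token":
            s["token"].append(int(ts))
        elif method == "GET" and path == "/api/job":
            s["job"].append(int(ts))
        elif method == "GET" and path.startswith("/api/package/"):
            s["pkg"].append(path)
    findings = []
    for (client, host), s in sessions.items():
        if not s["token"]:
            continue
        # Only job polls issued after the first token request count: the implant
        # authenticates first, then asks for work every <interval> seconds.
        polls = sorted(t for t in s["job"] if t > min(s["token"]))
        if len(polls) < min_polls:
            continue
        gaps = [b - a for a, b in zip(polls, polls[1:])]
        findings.append({
            "client": client, "host": host, "job_polls": len(polls),
            "mean_interval_s": sum(gaps) / len(gaps),
            "interval_jitter_s": pstdev(gaps),  # near 0 for a fixed-interval beacon
            "package_downloads": s["pkg"],
        })
    return findings
```

The mean interval recovered from the polls corresponds to the interval value stored in the decrypted configuration, which makes it a useful pivot when comparing traffic against a recovered csrtd.db.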
**Conclusion**

The use of current and upcoming events as bait to target high-profile targets is becoming more and more popular among attackers. Based on our findings, we believe that this is a well-planned attack, especially considering the timely distribution of the malicious decoy file and the use of never-before-seen malware. These two ingredients provide the best chance of compromising their targets.

**Solution**

Fortinet detects all Biskvit malware components as W32/BiskvitLoader.A!tr, MSIL/BiskvitAutoRun.A!tr, MSIL/BiskvitLib.A!tr, MSIL/Biskvit.A!tr, and MSOffice/Exploit.CVE20178570!tr.

Malicious URLs related to this malware are also blocked through the FortiGuard Web Filtering Service.

[We recommend that all users apply the patch released by Microsoft for CVE-2017-0199.](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199?ranMID=24542&ranEAID=je6NUbpObpQ&ranSiteID=je6NUbpObpQ-fM38F._e5Au85Ux1yEL84g&epi=je6NUbpObpQ-fM38F._e5Au85Ux1yEL84g&irgwc=1&OCID=AID681541_aff_7593_1243925&tduid=(ir_yDRz7:SXzRcdQETzRRXKnWbwUkg02FRhfQo-SM0)(7593)(1243925)(je6NUbpObpQ-fM38F._e5Au85Ux1yEL84g)()&irclickid=yDRz7:SXzRcdQETzRRXKnWbwUkg02FRhfQo-SM0)

_Special thanks to Evgeny Ananin for translating the content of the exploit document from Russian to English._

**IOC**

- be7459722bd25c5b4d57af0769cc708ebf3910648debc52be3929406609997cf
- a87daccbb260c5c68aaac3fcd6528f9ba16d4f284f94bc1b6307bbb3c6a2e379
- b4a1f0603f49db9eea6bc98de24b6fc0034f3b374a00a815b5c906041028ddf3
- 934542905f018ecb495027906af13cc96e3f55e11751799f39ef4a3dceff562b
- 23a286d14de1f51c5073caf0fd40a7636c287f578f32ae5e05ed331741fde572

**CC**

- hxxp://bigboss.x24hr.com
- hxxp://secured-links.org/

Tags: [russia, APT Campaign](https://www.fortinet.com/blog/tags-search.html?tag=russia)

Copyright © 2019 Fortinet, Inc. All Rights Reserved