## Evasive Panda

###### A new Chinese APT “Evasive Panda” group targets India and Hong Kong using a variant of MgBot malware

By Hossein Jazi and Jérôme Segura
September 2020

-----

#### Hossein Jazi

###### Senior Threat Intelligence Analyst

Special interest in tracking APT campaigns
Twitter: @h2jazi

-----

#### Jérôme Segura

###### Director, Threat Intelligence

Special interest in web threats
Twitter: @jeromesegura

-----

### Agenda

- Introduction
- Discovery
- Campaign Analysis: analysis of the discovered campaign
- Attribution: tracking and attribution
- TTPs and Toolsets: overview of TTPs and tools
- Conclusion

-----

##### Discovery

- July 2nd: found the first malicious document, dropping Cobalt Strike
- July 3rd: the same document dropped MgBot
- July 5th: a new malicious document dropped MgBot

-----

## Campaign Analysis

###### Targeting Hong Kong and India

-----

##### Variant 1: Cobalt Strike

###### Malicious document injecting Cobalt Strike into rundll32.exe

-----

##### Variant 1: Cobalt Strike

- Injects Cobalt Strike into rundll32.exe using reflective DLL injection
- Remote template: Dynamic Data Exchange

-----

##### Variant 1: Cobalt Strike (cont.)

- Squiblydoo (MITRE T1218)
- Payload injection

-----

##### Variant 2: MgBot

###### Malicious document dropping a new variant of MgBot

-----

##### Variant 2: MgBot

###### Dropping a new variant of MgBot

- Malicious document: template injection
- Remote template: Dynamic Data Exchange

-----

## MgBot

###### MgBot Overview

-----

# Loader

-----

##### Privilege Escalation: UAC Bypass

- Auto-elevated COM interfaces

| Name | CLSID | DLL |
| --- | --- | --- |
| CMSTPLUA | {3E5FC7F9-9A51-4367-9063-A120244FBEC7} | system32\cmstplua.dll |
| Color Management | {D2E7041B-2927-42fb-8E9F-7CE93B6DC937} | system32\colorui.dll |

- COM interface IARPUninstallStringLauncher (Appwiz.cpl): uses the Windows uninstall interface to bypass UAC

-----

##### Anti-Analysis

- Self-modification
- VM detection
- AV detection

-----

##### Resolve API calls

- Builds a function pointer table

-----

##### Process

- Calls CreateFileW to create iot7D6E.tmp
- Calls WriteFile to populate its content
- Calls CreateProcessInternalW to invoke expand.exe
- Calls CopyFileW to copy tmp.dat into pMsrvd.dll
- Calls DeleteFileW to delete tmp.dat
- Drops DBEngin.EXE and WUAUCTL.EXE in
- Modifies the registry hive of HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt

-----

##### App Management

- svchost.exe -k netsvcs -p -s AppMgmt
- net start AppMgmt
- net start StiSvc

-----

##### Clean up

- Change codepage (1252, Windows Western)
- ping 127.0.0.1 -n 5 -> waits for 5 seconds
- Delete

-----

# Final payload

###### pMsrvd.dll (VideoTeam.dll)

-----

##### Final Payload

- C2 communications
- Screen capture
- File and directory management
- Process management
- Get drive type
  - FAT, FAT32, NTFS, CDFS
  - Free space

-----

##### String obfuscation

-----

##### API Calls

-----

##### System Services

-----

##### Screen Capture

-----

##### Injection

-----

##### C2 Communications

-----

## Attribution

###### Evasive Panda

-----

##### Attribution

- TTPs
- Document contents
- Past campaigns
- Toolsets

-----

##### Evasive Panda Campaigns History

Timeline: 2012, 2014, 2016, Jan 2018, 2019, 2020

- Identified several variants of KsRemote Android RAT
- Identified several new variants of MgBot
- CVE-2018-8174
- Identified several different variants of MgBot
- Needle in a haystack
- CVE-2012-0158
- Distributed several MgBot samples pretending to be legitimate AV-related files and other applications such as Google Chrome
- Target: India and Hong Kong; template injection, DDE
- **Use of the Covid-19 pandemic to distribute MgBot**: 疫情下勞工生生存現狀文章視頻匯總.rar (**"list of texts and videos regarding the current situation of workers during the pandemic"**); **target: Hong Kong, Taiwan, and Malaysia**

-----

##### TTPs

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion |
| --- | --- | --- | --- | --- |
| Phishing | Command line interface | Windows service | Bypass UAC | File deletion |
| | Execution through module load | New service | | Bypass UAC |
| | Scripting | Modify existing services | | Virtualization/Sandbox evasion |
| | Service execution | | | Template injection |
| | Rundll32 | | | Signed Binary Proxy Execution |
| | Mshta | | | Rundll32 |
| | PowerShell | | | |
| | Inter-Process Communication | | | |

-----

##### TTPs

| Lateral Movement | Discovery | C&C | Collection | Exfiltration | Impact |
| --- | --- | --- | --- | --- | --- |
| Remote File Copy | Query Registry | Application Layer Protocol | Screen Capture | Automatic Exfiltration | |
| | System Information Discovery | Non-Standard Ports | | Exfiltration Over C2 Channel | |
| | System Service Discovery | Remote File Copy | | | |

-----

##### Evasive Panda

- Initial infection vector
  - Documents
    - Template injection
    - Exploit vulnerabilities (CVE-2012-0158)
  - Archive file
  - VBScript vulnerability (CVE-2018-8174)
- Toolsets
  - MgBot
  - KsRemote Android RAT
  - Cobalt Strike

-----

##### CVE-2012-0158

- One of the most exploited vulnerabilities of its time
- Buffer overflow vulnerability in the ListView / TreeView ActiveX controls in the MSCOMCTL.OCX library
- Binary data appended to the end of the Word file

-----

##### CVE-2018-8174

-----

# KsRemote Android RAT

-----

##### KsRemote Android RAT

- Recording screen and audio using the phone’s camera/mic
- Locating the phone with coordinates
- Stealing phone contacts, call log, SMS, web history
- Sending SMS messages

-----

##### Conclusion

- Uncovered a new Chinese APT group that has been active since at least 2012
- Targets: Hong Kong, Taiwan, India and Malaysia
- Initial infection vector: spear phishing
- Main tool: MgBot
- Capable of targeting Android users

-----

# Questions?

-----
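##### Appendix: correlating the loader chain

Added example, not part of the original talk: a small correlation rule that flags a host when several indicators of the MgBot loader chain from the Process, App Management and Clean up slides (expand.exe invocation, tmp.dat copied to pMsrvd.dll, a write under the AppMgmt service key, `net start AppMgmt`, and the `ping 127.0.0.1 -n` delay) appear within a short window. The event format and the sample events are constructed for this example and do not come from any specific product.

```python
import re
from collections import defaultdict
from datetime import datetime

# Indicators taken from the loader chain on the slides. Each one alone is noisy
# (expand.exe and ping are legitimate tools), so the alert fires on the combination.
INDICATORS = [
    ("expand_exe",    re.compile(r"\bexpand\.exe\b", re.I)),
    ("pmsrvd_copy",   re.compile(r"tmp\.dat.*pMsrvd\.dll", re.I)),
    ("appmgmt_reg",   re.compile(r"HKLM\\SYSTEM\\CurrentControlSet\\Services\\AppMgmt", re.I)),
    ("appmgmt_start", re.compile(r"\bnet\s+start\s+AppMgmt\b", re.I)),
    ("ping_delay",    re.compile(r"\bping\s+127\.0\.0\.1\s+-n\s+\d+", re.I)),
]
WINDOW_SECONDS = 600   # all hits must fall inside this span
MIN_DISTINCT = 3       # distinct indicators needed to alert

# Constructed sample events (not real telemetry): "<ISO timestamp> host=<name> <text>"
SAMPLE_LOGS = [
    "2020-07-05T10:00:01 host=ws01 ProcessCreate cmd=expand.exe iot7D6E.tmp tmp.dat",
    "2020-07-05T10:00:02 host=ws01 FileCopy src=tmp.dat dst=pMsrvd.dll",
    "2020-07-05T10:00:03 host=ws01 RegistrySet key=HKLM\\SYSTEM\\CurrentControlSet\\Services\\AppMgmt\\Parameters",
    "2020-07-05T10:00:04 host=ws01 ProcessCreate cmd=net start AppMgmt",
    "2020-07-05T10:00:05 host=ws01 ProcessCreate cmd=cmd.exe /c chcp 1252 & ping 127.0.0.1 -n 5",
    "2020-07-05T11:30:00 host=ws02 ProcessCreate cmd=ping 127.0.0.1 -n 5",  # lone benign hit
    "2020-07-05T14:00:00 host=ws02 ProcessCreate cmd=expand.exe update.cab update.dll",
]

def parse(line):
    """Split a constructed event line into (timestamp, host, free text)."""
    ts, host, text = line.split(" ", 2)
    return datetime.fromisoformat(ts), host.split("=", 1)[1], text

def correlate(lines, window=WINDOW_SECONDS, min_distinct=MIN_DISTINCT):
    """Return {host: sorted indicator names} for every host on which at least
    `min_distinct` different indicators occur within `window` seconds."""
    hits = defaultdict(list)
    for line in lines:
        ts, host, text = parse(line)
        hits[host].extend((ts, name) for name, rx in INDICATORS if rx.search(text))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window from each hit
            names = {n for t, n in events[i:] if (t - start).total_seconds() <= window}
            if len(names) >= min_distinct:
                alerts[host] = sorted(names)
                break
    return alerts
```

Running `correlate(SAMPLE_LOGS)` flags only ws01; ws02 shows two isolated indicators hours apart and stays quiet unless the window and threshold are loosened.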