Lead Author: Yonathan Klijnsma
Co-authors: Danny Heppener, Mitchel Sahertian, Krijn de Mik, Maarten van Dantzig, Yun Zheng Hu, Lennart Haagsma, Martin van Hensbergen, Erik de Jong

# Mofang

#### A politically motivated information stealing adversary

Version 1.0, May 17, 2016

-----

## Executive Summary

Mofang (模仿, Mófǎng, to imitate) is a threat actor that almost certainly operates out of China and is probably government-affiliated. It is highly likely that Mofang’s targets are selected based on involvement with investments, or technological advances that could be perceived as a threat to the Chinese sphere of influence. This is most clearly the case in a campaign focusing on government and critical infrastructure of Myanmar that is described in this report. Chances are about even, though, that Mofang is a relevant threat actor to any organization that invests in Myanmar or is otherwise politically involved.

In addition to the campaign in Myanmar, Mofang has been observed to attack targets across multiple sectors (government, military, critical infrastructure and the automotive and weapon industries) in multiple countries. The following countries have, in the above named sectors, been affected, although Fox-IT suspects there to be more: India, Germany, United States, Canada, Singapore, South Korea. Despite its diverse set of targets, Mofang is probably one group. This is based on the fact that its tools (ShimRat and ShimRatReporter) are not widely used, and that campaigns are not usually observed in parallel.

Technically, the group uses distinct tools that date back to at least February 2012: ShimRat and ShimRatReporter. The Mofang group does not use exploits to infect targets; they rely on social engineering, and their attacks are carried out in three stages:

1. Compromise for reconnaissance, aiming to extract key information about the target infrastructure.
2. Faux infrastructure setup, designed to avoid attracting attention.
3. The main compromise, to carry out actions on the objective.

The name ShimRat is based on how its persistence is built up. It uses the so-called shims in Windows to become persistent. Shims are simply hot patching processes on the fly, to ensure backward compatibility of software on the Microsoft Windows platform.

-----

As far as is known, the Mofang group has never used exploits to infect targets, instead relying heavily on social engineering in order to successfully infect targets. The only exploits the group uses are privilege elevation exploits built into their own malware. The vulnerabilities that were being exploited were already known at the time of use.

The full report contains contextual as well as technical information about the group and its activities. These can be used, for example, for threat assessments, compromise assessments, incident response and forensics activities.

Should you have any additional information or questions about this group or its activities, please get in touch with Fox-IT through info@fox-it.com.
-----

## Table of Contents

- Executive Summary
- 1 Introduction
- 2 Who is Mofang and who do they attack?
  - 2.1 About the Mofang group
  - 2.2 Mofang’s targets: a diverse set of entities
- 3 The distinct modus operandi of Mofang
  - 3.1 Stage 1: Initial reconnoitering compromise
  - 3.2 Stage 2: Faux infrastructure setup
  - 3.3 Stage 3: The main compromise
- 4 A history of past attacks
- 5 Campaigns in Myanmar
  - 5.1 Activities related to the Kyaukphyu Special Economic Zone
  - 5.2 Earlier campaigns in Myanmar
- 6 Other notable campaigns and attacks
  - 6.1 Attack on Indian defense expo exhibitors
  - 6.2 Attack on ‘seg’
  - 6.3 Attack using a Citrix lure
  - 6.4 The global campaign
- 7 Preferred tools
  - 7.1 ShimRat
  - 7.2 ShimRatReporter
- 8 Network based detection (IOCs)
  - 8.1 Snort signatures
  - 8.2 Domains & IP addresses
- 9 Host based detection (IOCs)
  - 9.1 Yara rules
  - 9.2 ShimRat samples
  - 9.3 ShimRatReporter samples
  - 9.4 Antivirus hijacking components
  - 9.5 Observed services
  - 9.6 Observed shims

-----

## 1 Introduction

This threat report gives insight into some of the information that Fox-IT has about a threat actor that it follows, called Mofang. The name Mofang is based on the Mandarin verb 模仿 (Mófǎng), which means to imitate. Imitation, in this case imitation of a target’s infrastructure, is a defining feature of their modus operandi.

It is highly likely that the Mofang group is a group that operates out of China and is probably government-affiliated. Among others, one of their focus areas is the government and critical infrastructure sector of Myanmar.
Additional information was used to contextualize and explain the observed attacks and campaigns, since there is obviously no easy insight into their actual agenda and goals. The additional research into geopolitical and economic factors resulted in the hypotheses about the ‘why’ of these campaigns. The full picture, however, will probably remain unknown.

Fox-IT has chosen to release this report now, for additional context to the changing political landscape in Myanmar. This report contains contextual as well as technical information about the group and its activities. These can be used, for example, for threat assessments, compromise assessments, incident response and forensics activities. Should you have any additional information or questions about this group or its activities, please get in touch with Fox-IT through info@fox-it.com.

Chapters 2 through 6 deal with Mofang, the group, its targets and some of their most notable campaigns and attacks. These chapters also contain geopolitical and economic context. Chapter 7 explains the working of Mofang’s preferred tools: ShimRat and ShimRatReporter. The final two chapters of this report, chapters 8 and 9, provide technical Indicators of Compromise for use in detecting and hunting, both at a host and at a network level.

-----

## 2 Who is Mofang and who do they attack?

### 2.1 About the Mofang group

Despite its diverse set of targets (described in paragraph 2.2), Mofang is probably one group. This is based on the fact that its tools (ShimRat and ShimRatReporter) are not widely used, and that campaigns are not usually observed in parallel.

Based on a number of factors that will be explained in more detail in this chapter, it is highly likely that the Mofang group is a group that operates out of China and is probably government-affiliated.
The most compelling evidence that supports this hypothesis is the fact that the targets and campaigns known so far can be persuasively correlated to important geopolitical events and investment opportunities that align with Chinese interests. The most notable of these will be described in chapter 5, which describes systematic espionage in the government and critical infrastructure sector of Myanmar. It describes:

- Companies that are involved with investment possibilities that also involve Chinese state owned organizations become targets;
- Government agencies or companies that play a role in deciding about Chinese investments become targets.

In addition to the above, there are four notable technical facts. Details such as these can, of course, be changed and manipulated without material impact to attacks, which makes them weaker indicators of attribution than contextual evidence derived from likely campaign goals. In this case, the technical facts support the hypothesis for attribution.

-----

1. There are many similarities at the code level between the stager used by Mofang and other stagers attributed to Chinese groups. Also striking is the method of hijacking antivirus products to run the malware, which Fox-IT calls ShimRat, as described in paragraph 7.1. This has been seen in multiple espionage campaigns attributed to Chinese groups. In fact the similarities are so strong that some investigators have mistaken ShimRat to be another widely known piece of malware: PlugX. Based on in-depth investigation of both, Fox-IT has come to the conclusion that they are not the same. ShimRat is probably used by a separate group.
2. All the documents that were used for the initial attacks contain metadata that suggests they were created with WPS Office. This product, also known as Kingsoft Office, is a Chinese product comparable to Microsoft Office. Artifacts can be seen in document metadata as shown in Figure 1.
3. Simplified Chinese is set as the character set in many of the resources inside various malware samples, as shown in Figure 2.

*Figure 1 Detail of decoy document metadata*

*Figure 2 Resource information inside a malware sample*

-----

*Figure 3 郁, 郁! used in the 1991 Hong Kong comedy Tricky Brains*

4. An earlier version of ShimRat’s C2 communication protocol used two very specific words as keywords for requests and responses: Yuok and Yerr. Although the meaning is not directly obvious, it may be an approximate phonetic representation of the Cantonese 郁佢, beat him or kill him. If this is true, it would suggest at least passive knowledge of Cantonese on the part of the malware author. The use of Yuok and Yerr was discontinued and replaced by ataD or Data in 2013, as shown in the side by side comparison in Figure 4. The current communication protocol is documented in paragraph 7.1.6.

*Figure 4 Side by side comparison of previous and current C2 communication*

-----

*Figure 5 Countries and sectors targeted by Mofang. Countries: Canada, Germany, United States, South Korea, India, Myanmar, Singapore. Sectors: government, military, critical infrastructure, automotive industry\*, weapon industry\* (\*R&D departments specifically).*

### 2.2 Mofang’s targets: a diverse set of entities

On analysis of the organizations that were attacked by Mofang in the past, at first glance it appears that there is no particular sector or country that it targets. Figure 5 shows aggregate information about known attacks from the past four years.
Looking at the attacks, it is highly likely that targets are selected based on involvement with investments, or technological advances that could be perceived as a threat to the Chinese sphere of influence. This is most clearly the case in the campaign focusing on Myanmar. In it, a company was attacked that was involved in a special economic zone[1] in Myanmar, which would be of specific interest to China’s National Petroleum Corporation’s investments. It is highly likely that they were targeted because of this, as new waves of attacks can be correlated with events surrounding the investments in that area.

[1] Special economic zones, of which Myanmar currently has three, are specific areas within a country where certain laws and regulations are different from the rest of the country, usually with the aim of furthering the ‘host’ country’s economy.

-----

## 3 The distinct modus operandi of Mofang

The Mofang group uses distinct malware that dates back to at least February 2012. The two tools used in their campaigns are:

1. **ShimRat**
2. **ShimRatReporter**

As far as is known, the Mofang group has never used exploits to infect targets, instead relying heavily on social engineering in order to successfully infect targets. The only exploits the group uses are privilege elevation exploits built into their own malware. The vulnerabilities that were being exploited were already known at the time of use. A more detailed description of the malware can be found in paragraphs 7.1 and 7.2.

The Mofang group has a distinct method of carrying out attacks using these two tools, with the goal of stealing information.
In short, their method, which is described below, can be summarized as follows:

1. Initial reconnoitering compromise: an initial compromise is performed on specific employees of a targeted organization with the aim of extracting key information about the target infrastructure to be used in stage 2;
2. Faux infrastructure setup: the group sets up (external) infrastructure designed to avoid attracting attention;
3. The main compromise.

### 3.1 Stage 1: Initial reconnoitering compromise

For the initial compromise, an ‘environment mapping tool’ known as ShimRatReporter is delivered to suitable targets. ShimRatReporter can extract a wealth of information about an infrastructure, but the most pertinent data needed for the next stage in their attack are:

- Local privileges for the infected user;
- Local domain;
- Local proxy setup;
- Installed software.

ShimRatReporter is fully explained in paragraph 7.2. The delivery method of ShimRatReporter is most likely through emails pointing to an executable placed on a compromised (and trusted) website. Fox-IT has observed targeted and untargeted variations of the initial stage of the attack:

1. Untargeted: the ShimRatReporter sends out the report with the information and immediately downloads the ShimRat malware from a hardcoded location. This variation is probably less targeted, with victims added to the global campaign C2 for check-in and control. For more information about the global campaign, see paragraph 6.4.
2. Targeted: the ShimRatReporter sends out the report and exits afterwards. The ShimRatReporter tool was only used to map out the victim but in no way to automate further infection (yet).
-----

*Figure: Modus operandi of the Mofang group. Targeted campaign and global campaign side by side: (1) spear phishing attack with ShimRatReporter against the target organization; (2) the operators set up the customized infrastructure (targeted campaign) or the generic infrastructure (global campaign) and control information; (3) the main attack with a customized ShimRat version (targeted) or with ShimRat (global) against the victim’s PCs and servers with classified information.*

-----

### 3.2 Stage 2: Faux infrastructure setup

The second stage of an attack is setting up a faux infrastructure, specifically to mimic the anti-virus products used by the target or the target itself. The ShimRat malware then communicates over HTTP with preconfigured command and control servers. A combination of typo-squatting and closely related names is used to register domains under the same or different TLDs.

This method of setting up command and control infrastructure is customized for each target and campaign. Anything outside of campaigns targeting specific companies is added to the ‘global campaign’ which is described in paragraph 6.4. The global campaign infrastructure mimics Microsoft Windows or Microsoft Office software.

### 3.3 Stage 3: The main compromise

After having gathered all necessary information about the locally configured proxies and having set up a faux infrastructure, a custom built version of the ShimRat malware will be deployed to infect users with preconfigured local proxies, C2 servers and persistence information.

As mentioned before, delivery of ShimRat relies heavily on social engineering, through the use of emails enticing targets to open an attached (decoy) document. These documents contain actual text to make the target think it was indeed a legitimate Word document, PDF file or Excel sheet. When the document is opened, an executable is dropped which decompresses the final payload and places it on disk.
The final payload consists of ShimRat bundled with extra files: legitimate application files which suffer from DLL hijacking vulnerabilities. These vulnerabilities are used to launch the actual malware. The legitimate application is started, which in turn runs the actual malware. A benefit of this method is that the malware runs under the process of a legitimate application. When it requests higher privileges via UAC, the UAC warning screen will show this legitimate application. Also, anyone inspecting running applications would see legitimate software running.

It is worth noting that the Mofang group commonly exploits DLL hijacking vulnerabilities in anti-virus products for persistence purposes, presumably in order to look as harmless as possible. Over the years they’ve used application components from Norman, McAfee and Norton. A complete list of the used applications can be found in paragraph 9.4. The methods of persistence (described in paragraph 7.1.1) are sometimes adapted depending on the target. Rather than using generic texts in the persistent services, customized names and descriptions are used, based on the installed software information that was extracted with the ShimRatReporter tool previously.

Follow up actions in the attacks, such as stealing information or lateral movement through the network, are possible with the capabilities of the ShimRat malware as described in paragraph 7.1.5.

-----

## 4 A history of past attacks

The first activity of the Mofang group was seen in February 2012, when the first version(s) of their malware, ShimRat, was seen in attacks. Based on compile time artifacts in the first versions of the malware, it is likely that the project had started in 2012.
A program database path, a file present on the authors’ machine used to aid in debugging the malware, present in early samples gives more indication that the project started in 2012:

```
z:\project2012\remotecontrol\winhttpnet\amcy\app\win7\installscript\objfre_wxp_x86\i386\InstallScript.pdb
z:\project2012\remotecontrol\winhttpnet\amcy\app\win7\serviceapp\objfre_wxp_x86\i386\ServiceApp.pdb
z:\project2012\remotecontrol\winhttpnet\cqgaen\app\installscript\objfre_wxp_x86\i386\InstallScript.pdb
z:\project2012\remotecontrol\winhttpnet\cqgaen\app\serviceapp\objfre_wxp_x86\i386\ServiceApp.pdb
```

The following is a timeline from early 2012 through to 2016. This timeline contains development information and a small subsection of the incidents that Fox-IT is aware of related to this group. The Mofang group is currently still active.

-----

*Timeline figure (ShimRat and ShimRatReporter, early 2012 to 2016): not reproduced here. The entries that survive extraction are: an attack started against an unknown South Korean organization, with the C2 infrastructure hosted on a compromised server; the first ever ShimRatReporter sample observed in an attack; and an attack launched against an unknown US organization, with the C2 infrastructure hosted on a compromised server and faked payment documents as the lure.*

-----

## 5 Campaigns in Myanmar

### 5.1 Activities related to the Kyaukphyu Special Economic Zone

Since 2009, foreign investment in Myanmar has increased substantially. While it amounted to around USD 300 million in 2009–2010, it grew to USD 20 billion in the period of 2010–2011. To further increase and facilitate foreign investment, the government of Myanmar established special economic zones (SEZs). These zones are supposed to encourage economic growth and foreign investments even more. These SEZs would give investors a variety of tax reliefs, 5 year tax holidays as well as longer land leases. In 2011 Myanmar established the Central Body for the Myanmar Special Economic Zones, a regulatory body which would oversee foreign investments in the SEZs. In the same year the SEZ law and Dawei law were also passed, establishing a set of three SEZs in Myanmar. The current SEZs under development in Myanmar are the Dawei SEZ, Thilawa SEZ and the Kyaukphyu SEZ[2].

The Mofang group has been active in relation to the Kyaukphyu SEZ. The state owned China National Petroleum Corporation (CNPC) has been investing in this SEZ since early 2009 after signing a memorandum of understanding (MoU) with the Myanmar government.
This MoU, not legally binding, established the development, operation and management of an oil and gas pipeline by the CNPC. This investment by the CNPC ensured their position to get these pipelines running from the Kyaukphyu SEZ to mainland China. This pipeline would be completed in combination with a seaport to be built in the SEZ as well. This port, and pipeline, would save the CNPC about 5,000 kilometers of sailing and eliminate the need to go through the Strait of Malacca. While an agreement was signed, an MoU is not legally binding in any way and either party can always step out.

This was perhaps a fear on the Chinese part when the government of Myanmar started a consulting tender for the Kyaukphyu SEZ in 2013. The idea behind this tender was to pick a consortium that would become the advisor for the Kyaukphyu SEZ, meaning they would oversee operations and make decisions on certain investments. In late September 2013 this tender closed[3] and in early March the results were presented[4]. A consortium led by the CPG Corporation, a company originating from Singapore, was the winner and would become the SEZ consultant. In 2014 the Myanmar government, with the help of CPG Corporation, initiated another tender, this time to set up infrastructure in the SEZ. This tender closed in November and results would be put out early 2015. The date of the publication of the tender outcome passed but no information was published.

[2] http://www.aseanbriefing.com/news/2013/06/28/special-economic-zones-in-myanmar.html
[3] http://consult-myanmar.com/2013/10/21/kyaukpyu-special-economic-zone/
[4] http://www.irrawaddy.com/business/singapore-led-consortium-wins-kyaukphyu-sez-consulting-tender.html
[5] http://consult-myanmar.com/2015/06/19/lawmakers-to-seek-answers-on-stalled-kyaukphyu-sez/
In late June the Myanmar government still had not put out any word on who would win infrastructure investments for the SEZ[5]. One of the contenders for this tender was China’s CITIC group. At the end of June 2015 Mofang started its campaign to gather information on a specific target in relation to the SEZs: the CPG Corporation. The first attack started in early July with a ShimRatReporter payload.

-----

The lure used in this attack is interesting and specific to this attack and location. Burmese characters are not representable in the current Unicode character sets. The Zawgyi font[6] was created to accommodate for this. One can download special applications to support this font. This is usually required when submitting information on websites using the Burmese character set. The locations where these applications are downloaded from are public blogs and other public download locations.

This need to install the Zawgyi fonts by CPG employees is what Mofang used to infect initial CPG targets: the ShimRatReporter was presented as AlphaZawgyl_font.exe. The reporter would call back to a domain set up to mimic the official CPG domain cpgcorp.com.sg. The C2 server for the initial ShimRatReporter payload was cpgcorp.org, with the reporting gate being located at library.cpgcorp.org/links/images/file/blanks.php.

There were a few attacks with ShimRatReporter using the above mentioned C2 domain. However, a later sample showed how the Mofang group used the information gathered by the reporter for follow up attacks. Another C2 domain, secure2.sophosrv.com, was set up, which mimicked the official secure2.sophos.com domain. This is presumably based on information from the reports that the CPG Corporation internally used the Sophos Antivirus products.
This ShimRatReporter sample was preconfigured to download the 2nd stage payload, ShimRat, from the following two locations:

```
library.cpgcorp.org/links/images/blanks.jpg
secure2.sophosrv.com/en-us/support/blanks.jpg
```

The downloaded ShimRat payload contacted its C2 server gate at secure2.sophosrv.com/en-us/support/ms-cache_check.php. One thing to note is that while all of the communications by ShimRat to its C2 server used HTTPS, ShimRatReporter operates under plain HTTP.

The actual publication of the outcome of the infrastructure tender was postponed until the start of 2016. Early 2016 the results came in and China’s CITIC group had won the tender[7]. This allowed China to continue building upon their gas and oil infrastructure as well as the seaport.

*Figure 6 Satellite images showing Kyaukphyu SEZ developments. Image © 2016 Google Earth.*

[6] https://my.wikipedia.org/wiki/Wikipedia:Font#Why_not_Zawgyi.3F
[7] http://thediplomat.com/2016/01/chinese-company-wins-contract-for-deep-sea-port-in-myanmar/

-----

### 5.2 Earlier campaigns in Myanmar

Myanmar has been the target of Mofang’s attacks for years before the campaign related to the SEZ. Throughout the years, the Mofang group has compromised countless servers belonging to government or other Myanmar related organizations, in order to stage attacks. A few notable ones are described below.

The earliest activity from Mofang in Myanmar dates back to around May 2012 when they attacked a government entity. Interestingly they abused a Myanmar government server they had compromised earlier to function as the C2 server. It was the website of the Ministry of Commerce located at commerce.gov.mm. The C2 gate was located at /templates/css1/logon.php.
Another compromised server from the Myanmar government was used to stage a ShimRat payload that was seen around early June 2015. The payload for this campaign was located at 203.81.162.178/text.txt. The IP address noted here hosted the official government website of the Myanmar port authorities at the time. The C2 server for this campaign was dns.undpus.com.

*Figure 7 The Myanma Port Authority website was used to stage an attack in June 2015*

In late September 2015 Mofang used the website of Myanmar’s national airline hosted at www.flymna.com for an attack against an organization in Myanmar. The payload was located at www.flymna.com/sites/photo.tar and contained ShimRatReporter. After executing it would send its report to a C2 server at dns.undpus.com but also download a payload from a preconfigured location. This location was: dns.undpus.com/myanmar.jpg.

-----

*Figure 8 The website of Myanmar’s national airline was used to stage an attack in September 2015*

-----

## 6 Other notable campaigns and attacks

This chapter highlights a few campaigns and attacks that provide further illustration of Mofang’s motives and attack method.

### 6.1 Attack on Indian defense expo exhibitors

The ‘International MSME Sub-Contracting & Supply exhibition for Defence – Aerospace – Homeland Security’ (MSME DEFEXPO) is an annual Indian exhibition and conference. It allows MSMEs[8] to show their current and new capabilities in defense and aerospace technology to various government agencies. Over the years, its exhibitors have been a continuing target for the Mofang Group.

In 1991 India initiated its Look East policy[9] aiming to strengthen their relations with Southeast Asian countries, and to become a counterweight against the influences of China in the region. In addition, India, just like China, has a strategic interest in and strong relations with Myanmar. For example, the countries hold joint military exercises.
Additional insight into the activities and capabilities of the MSMEs at the expo would be strategically advantageous for China. Please note that there might be other reasons why the Mofang Group was interested in this expo.

The chances are about even that the targets for the MSME DEFEXPO campaign were a selected group of exhibitors. They were targeted with spear phishing emails containing Word documents or Excel sheets enticing them to install the ShimRat malware. An example of the 2013 lure is shown in Figure 10.

*Figure 9 Exhibitors at the Indian MSME DEFEXPO are routinely attacked*

*Figure 10 Excel document used to infect Defexpo 2013 exhibitors*

[8] Micro, Small and Medium sized Enterprises
[9] https://en.wikipedia.org/wiki/Look_East_policy

-----

The Excel sheet in the 2013 campaign contained an embedded ShimRat sample beaconing out to a C2 server hosted at store.outlook-microsoft.net with the panel gate being located at /en-us/c/index.php. The 2013 campaign didn’t feature a target specific C2 infrastructure, but actually used infrastructure from the global campaign written about in paragraph 6.4. The probable reason for this becomes clear when looking at a campaign that was running at the same time as the MSME DEFEXPO 2013.
The attendees of the ESSENTIALS OF 21st CENTURY ELECTRONIC WARFARE COURSE, a training course for government employees in the US, held in Alexandria, Virginia, were also targeted. The lure in this case was the official registration form sent out to attendees, as shown in Figure 11. The infrastructure was set up to aid in two campaigns taking place at the same time.

*Figure 11 Document used to infect attendees of the Essentials of 21st Century Electronic Warfare Course held in Virginia, US*

A year later, the MSME DEFEXPO 2014 was scheduled and again exhibitors were being targeted. This time the campaign and infrastructure were set up specifically for this attack. Lures were sent out via mail once again, similar to the 2013 campaign. This time the C2 domain followed their general methods as described in chapter 3: it mimicked the MSME DEFEXPO website. They used images.defexpoindia14.com for their C2 communication and the panel gate was hosted on /se/index.php.

-----

### 6.2 Attack on ‘seg’

In December 2012 Mofang started a campaign against a new target, called ‘seg’ for the purpose of this report. The victim was compromised with at least ShimRatReporter, as the 2nd stage ShimRat payload was preconfigured with the local proxy of this organization. The configuration for this build was interesting and reflects the method as described in chapter 3. Table 1 contains a subsection of the configuration for this build.

| Configuration items | Configuration values |
|---|---|
| Campaign ID | `SCH` |
| C2 Password | `SCH2233` |
| C2 Domain | `support.f--secure.com` |
| C2 Gate location | `/cache/cache.php` |
| Proxy type | `HTTP` |
| Proxy | `proxy.seg.local:8080` |
| Service name | `mshelpsrvs` |
| Service title | `Windows Help Services` |
| Service description | `Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable.` |

*Table 1 A subsection of the configuration build for the ‘seg’ attack*

From the configuration it can be determined that the company was running F-Secure Antivirus and Mofang registered the domain to not appear suspicious. The preconfigured proxy and the C2 domain show the targeted nature of this campaign. The fake F-Secure domain was in control of Mofang until March 2014, when they transferred the domain to a domain broker. F-Secure’s brand monitoring picked up on the domain and bought it from this domain broker after it became available.

### 6.3 Attack using a Citrix lure

In September 2015 Mofang launched another attack. As per their usual modus operandi, this attack relied on social engineering to infect targets. For this campaign the Mofang group used a domain that used to belong to a company called Citrix. The website citrixmeeting.com was under control of Citrix until they let it expire on April 3rd, 2015. The website used to hold information about the conferencing products from Citrix. Almost 4 months after the domain expired, on July the 27th, the Mofang group registered the domain and set it up for their newest campaign. A new version of ShimRat was built on the 7th of September, uploaded to the server and only days later used in a new campaign. The payload was hosted at http://www.citrixmeeting.com/download/livechat.exe and contained a newly packaged ShimRat sample and a new DLL hijacked program.
They upgraded their dll hijacking program away from Norman and McAfee, ###### which may be because they realized that a component of Norton Security (version |Col1|Col2|Col3|Col4|Col5|Col6|Col7|Col8|Col9|Col10|Col11| |---|---|---|---|---|---|---|---|---|---|---| |C2|D|om|ain|||||||| |C2|G|ate|lo|ca|tio|n||||| |Pr|oxy|ty|pe|||||||| |Pr|oxy|||||||||| |Se|rvi|ce|na|me||||||| |Se|rvi|ce|titl|e||||||| |Se|rvi|ce|de|scr|ipt|io|n|||| |Col1|Col2|Col3|Col4|Col5|Col6|Col7|Col8|Col9| |---|---|---|---|---|---|---|---|---| |s|u|pp|or|t.|f-|-s|e|cu| |/|ca|c|he|/c|ac|he|.p|h| |H|T|TP||||||| |p|r|ox|y.|se|g.|lo|c|al| |m|s|he|lp|sr|v|s||| |W|i|nd|ow|s|H|el|p|Se| |E o s b|n n t e|ab t op u|le hi pe na|s s d, va|He co H il|lp m e a|pu lp bl|an te a e.| ----- 22.2.0.31 specifically) was vulnerable to dll hijacking of the ‘msvcr110.dll’ dll which is part of the C++ runtime provided by Microsoft. ###### The ShimRat sample contacted a C2 server located at api.officeonlinetool.com, the panel gate was hosted on /index.php. 6.4 The global campaign ###### While the Mofang group has specific targets and runs campaigns focused on them, they also run something that Fox-IT calls the global campaign. This global campaign is a set of servers functioning as infrastructure with domains impersonating Microsoft and Google services to which a wide variety of victims is connected. The global campaign ###### was observed before the ShimRatReporter tool and this makes sense given that the reporter is used to gather specific information about target infrastructures. Prior to its availability, the group could only use more generic C2 domains. While many attacks can be traced back to the exact targets because Mofang emulates ###### a target’s environment, the exact victims of the global campaign are much more difficult to identify. It appears Mofang uses the more generic service domains to play ###### it safe. The global campaigns also share a lot of infrastructure across the different domains. 
Looking at the C2 domains in Table 2 that Fox-IT has classified as the global campaign, it becomes clear that the domains of Microsoft and Google services are used for imitation purposes:

| Typosquat Google domains | Typosquat Microsoft domains |
|---|---|
| account.google.com.gmgoogle.com | ie.update-windows-microsoft.com |
| mail.upgoogle.com | support.outlook-microsoft.com |
| | help.outlook-microsoft.com |
| | oem.outlook-microsoft.com |
| | windws-microsoft.com |
| | store.outlook-microsoft.com |

_Table 2 Global campaign C2 domains_

## 7 Preferred tools

7.1 **ShimRat**

ShimRat is a custom developed piece of malware known as a RAT, Remote Administration Tool. Among other things, it has standard capabilities for filesystem interaction. The malware was originally built in 2012 and its features were expanded over the years.

The artifacts left in the first samples are a good indicator that the project was started in 2012. Multiple PDB paths were seen in the early versions of ShimRat. These PDB paths are not visible in the latest versions of ShimRat, due to how the samples are prepared: the PDB paths are either stripped or filled with different paths.

```
z:\project2012\remotecontrol\winhttpnet\amcy\app\win7\installscript\objfre_wxp_x86\i386\InstallScript.pdb
z:\project2012\remotecontrol\winhttpnet\amcy\app\win7\serviceapp\objfre_wxp_x86\i386\ServiceApp.pdb
z:\project2012\remotecontrol\winhttpnet\cqgaen\app\installscript\objfre_wxp_x86\i386\InstallScript.pdb
z:\project2012\remotecontrol\winhttpnet\cqgaen\app\serviceapp\objfre_wxp_x86\i386\ServiceApp.pdb
```

_10_ _http://blog.cobaltstrike.com/2014/03/20/user-account-control-what-penetration-testers-should-know/_
_11_ _http://www.labofapenetrationtester.com/2015/09/bypassing-uac-with-powershell.html_

The terms InstallScript and ServiceApp in the PDB paths are the two parts that the malware consists of.
InstallScript is the first stage of ShimRat, which takes care of persistence, while ServiceApp is the second stage of the malware, which performs C2 communication and exposes the infected machine to the operator. Over the years the developers of ShimRat have extended the malware with additional functionality, such as:

**•** Persistence: originally ShimRat only supported registry startup keys and service creation in order to become persistent. In 2015 the authors added the capability of installing a shim database for persistence.

**•** Privilege elevation: a method to bypass Windows UAC to gain higher privileges was implemented. The technique relies on the Migwiz Windows component. Migwiz is an application in Windows which automatically runs in high integrity mode[10]; the hijacked DLL will also run in this mode, allowing a UAC bypass, one of many methods that exist[11]. This method was not developed by the ShimRat authors but was public, and the chances are even that they simply copied it into their malware.

One interesting technique they have been using is DLL hijacking of antivirus components. ShimRat samples delivered from around end 2013/start 2014 onward abused legitimate antivirus applications for hijacking. The reason for this is to hide even better: when a user checks the running process list, a legitimate antivirus process appears to be running. The exact list of applications is available in paragraph 9.4. The Mofang group has a preference for antivirus products only; Fox-IT has not observed any vulnerable application other than antivirus products being used.

Mofang packages the antivirus component with 2 files in order to run ShimRat. One is the DLL to hijack. The second file is a compressed ShimRat core DLL with shellcode in a .dat file. When the antivirus component is started, the DLL is loaded, which in turn maps the .dat file in memory.
The shellcode subsequently decompresses the core of ShimRat, which comes in the form of a DLL, and executes it. Usually the .dat file has the same name as the DLL file.

_Figure 12 ShimRat and anti-virus components_

Samples usually arrive at targets in a packed form containing a lure document. The initial payload a target receives will extract a lure document and present it to the user, but also extracts and runs a 2nd stage loader, which drops ShimRat on the target system. In the current version of ShimRat this 2nd stage loader contains the antivirus component as well as the two auxiliary files containing the ShimRat core.

7.1.1 Installation & Persistence

One of the first things ShimRat does while active is making sure it becomes persistent on the system. Before activating any persistence method, it will try to elevate privileges if it is not running with administrative privileges. ShimRat elevates its privileges by performing a DLL hijacking attack on a vulnerable Windows component. Specifically, it abuses the migwiz.exe program by hijacking cryptbase.dll. ShimRat will try to gain higher privileges, but will continue to execute whether the elevation was successful or not. A successful elevation ensures no UAC popups are shown to the victim. Were the user to get UAC popups, they would appear to come from the antivirus product ShimRat hijacked, as mentioned before.

ShimRat has three methods of becoming persistent on a system:

1 Installing a registry startup key
2 Installing a service
3 Installing a shim

Internally ShimRat uses an installation configuration which is set by the builder.
The persistence configuration structure looks as follows (see Table 3):

| Configuration item | Value / notes |
|---|---|
| Installation mode | 1 = service, 2 = shim |
| Registry startup key | `HKCU\Software\microsoft\windows\CurrentVersion\Run` |
| Service name | |
| Service description | |
| Service title | |
| Installation folder | |
| Installation filename | |
| Injection target process | |

_Table 3: Persistence configuration structure._

The installation mode in the configuration structure is a switch that decides which persistence method to use. If the switch is set to 1 it becomes persistent by installing a service; if it is set to 2 it installs a shim to become persistent. As a fallback, if either installing a service or installing a shim fails, it uses a registry startup key for persistence.

7.1.2 Persistence through a registry startup key

As explained, when persistence through a service or shim fails, ShimRat falls back to a registry based startup key. It takes the installation filename variable from the configuration and uses this as the name of the value. The file path is built from the installation folder and installation filename in the configuration. The value is registered under:

```
HKCU\Software\microsoft\windows\CurrentVersion\Run
```

7.1.3 Persistence through a service

ShimRat creates a new service under Windows using the information from the installation configuration shown in paragraph 7.1.1 above. This operation is performed through the Windows API functions available for registering, updating and starting services[12]. It starts by stopping and removing any old service (if one exists). After checking for and removing any old service, ShimRat registers a new service using the information from the persistence configuration and starts it.

_12_ _https://msdn.microsoft.com/en-us/library/windows/desktop/ms685141(v=vs.85).aspx_
_13_ _https://technet.microsoft.com/en-us/en-en/library/dd837644%28v=ws.10%29.aspx_
7.1.4 Persistence through shims[13]

Over the years Microsoft has gone to extraordinary lengths to ensure backward compatibility on its Windows platform. One of the outcomes of this process was the creation of the Application Compatibility Framework (ACF), which helps ensure this compatibility. Through this framework, special fixes known as Microsoft Fix Its, or just fixes, can be applied to mitigate security or compatibility problems.

The way the ACF works is that when a process is started, it determines whether the newly created process needs to be shimmed. If this is the case, a special flag is raised to indicate this. Based on this flag the operating system loads the installed shims and applies the required fixes. This means shims are simply hot patching processes on the fly. Most predefined fixes released by Microsoft are stored in:

```
%WINDIR%\AppPatch\sysmain.sdb
```

Any fix not defined in this sdb file is called a 'Custom Fix' and can be installed by anyone with knowledge of the workings of this system. ShimRat installs a custom shim database that applies the InjectDLL fix to its injection target process, so that the ShimRat DLL is loaded into every new instance of that process. The custom database and its registration live in the following locations:

| Item | Location |
|---|---|
| Custom shim databases (32 bit) | `%WINDIR%\AppPatch\Custom\` |
| Custom shim databases (64 bit) | `%WINDIR%\AppPatch\AppPatch64\Custom\` |
| Registry: shimmed executables | `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom` |
| Registry: installed databases | `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB` |

_Figure 13 An example of a 32-bit ShimRat infection with shims_

After filling the registry keys, ShimRat calls SdbRegisterDatabaseEx to register the database and finally ShimFlushCache to flush the cache and enable the shim.
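Hunting for the artifacts this paragraph names, as an added Python example (not from the report and not ShimRat code): it joins the two `AppCompatFlags` keys with the two custom database folders and flags entries worth a look. The registry layout it assumes, a value named `{GUID}.sdb` under `Custom\<exe>` and a `{GUID}` key under `InstalledSDB` holding `DatabasePath` and `DatabaseDescription`, is how sdbinst-registered databases appear on Windows and is stated here as an assumption; `registry_snapshot()` and `sdb_files_on_disk()` only work on a Windows host, so a hand-built snapshot is passed to `custom_shims()` when running elsewhere.

```python
import ntpath
import os

APPCOMPAT = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"
CUSTOM_DIRS = (r"AppPatch\Custom", r"AppPatch\AppPatch64\Custom")   # 32-bit and 64-bit databases

try:
    import winreg           # Windows only; elsewhere feed custom_shims() a snapshot built by hand
except ImportError:
    winreg = None


def _subkeys(key):
    i = 0
    while True:
        try:
            yield winreg.EnumKey(key, i)
        except OSError:
            return
        i += 1


def _values(key):
    out, i = {}, 0
    while True:
        try:
            name, data, _ = winreg.EnumValue(key, i)
        except OSError:
            return out
        out[name] = data
        i += 1


def registry_snapshot():
    """{'Custom': {exe: {value: data}}, 'InstalledSDB': {guid: {value: data}}} read from HKLM."""
    snap = {}
    for sub in ("Custom", "InstalledSDB"):
        snap[sub] = {}
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, f"{APPCOMPAT}\\{sub}") as key:
            for name in _subkeys(key):
                with winreg.OpenKey(key, name) as child:
                    snap[sub][name] = _values(child)
    return snap


def sdb_files_on_disk():
    """Names of the .sdb files present in the two custom database folders."""
    windir = os.environ.get("WINDIR", r"C:\Windows")
    found = []
    for sub in CUSTOM_DIRS:
        folder = ntpath.join(windir, sub)
        if os.path.isdir(folder):
            found += [f for f in os.listdir(folder) if f.lower().endswith(".sdb")]
    return found


def custom_shims(snapshot, files):
    """Join Custom\\<exe> (values named {GUID}.sdb) with InstalledSDB\\{GUID} (DatabasePath,
    DatabaseDescription) and with the files actually present in the custom folders."""
    on_disk = {f.lower() for f in files}
    rows = []
    for exe, values in snapshot.get("Custom", {}).items():
        for vname in values:
            guid = vname[:-4] if vname.lower().endswith(".sdb") else vname
            info = snapshot.get("InstalledSDB", {}).get(guid, {})
            path = str(info.get("DatabasePath", ""))
            present = ntpath.basename(path).lower() in on_disk
            rows.append({
                "target": exe,
                "guid": guid,
                "description": str(info.get("DatabaseDescription", "")),
                "path": path,
                "file_present": present,
                # svchost.exe is the process the report says ShimRat shims; a database that is
                # registered but whose file is not in the custom folder is worth a look as well.
                "review": exe.lower() == "svchost.exe" or not present,
            })
    return rows
```

On a live host the call is `custom_shims(registry_snapshot(), sdb_files_on_disk())`; every row with `review` set is a candidate, and the `description` field is where ShimRat's service-style cover text (compare Table 1) would show up.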
From this point on, every newly started instance of svchost.exe will be shimmed and ShimRat will be injected into it. ShimRat locks itself with the use of mutexes, to ensure there aren't multiple copies of ShimRat running. ShimRat mutexes are a combination of the string `Global\qwe` followed by one or more numbers.

7.1.5 Built-in capabilities of ShimRat

ShimRat has a set of built-in capabilities to give the operators control over their victim. The following is a list of capabilities seen in one of the most recent samples. The operators are currently able to use ShimRat to, among other things:

**•** Enumerate connected drives
**•** List, create and modify directories
**•** Upload and download files
**•** Delete, move, copy and rename files
**•** Execute programs
**•** Execute commands
**•** Uninstall itself

7.1.6 Command and control communication

ShimRat communicates over HTTP with its C2 server. While versions since 2015 have introduced HTTPS usage, ShimRat does not appear to verify the SSL certificate of C2 servers, which are generally self-signed certificates. ShimRat does have the ability to use pre-configured HTTP proxies, which is useful in situations where a victim has forced local proxies in the network with authentication.

Like with persistence, ShimRat holds a C2 communication configuration internally. The structure of the configuration looks as follows (see Table 4):

| Configuration item |
|---|
| Primary C2 location |
| Secondary C2 location |
| Campaign ID |
| C2 server password |
| Proxy |
| Proxy username |
| Proxy password |

_Table 4: C2 communication configuration._

ShimRat communicates with its C2 server through a pull and push mechanism: it constantly asks its C2 server for commands and, once it has executed a command, it sends back the result.
The structure of the commands exchanged with the C2 server is quite simple:

**•** Every command is encapsulated within two tags; currently these tags are the word 'Data', which is added in front of and at the end of the command string. In the past this used to be the string 'Yuok', as described in paragraph 2.1.
**•** Every command has a unique ID. These IDs are notated as two characters following `$$`.
**•** The final structure of the commands sent to and from the C2 server is `Data$$<id><data>Data`.

For example, when ShimRat first connects to a C2 server it registers itself. This initial registration looks like this:

```
Data$$00#DEMO-PC-0800232979FD-SYSTEM.test.0.0.01.1#WinXP Professional SP3 (2600) (x86)Data
```

The example shows the two Data tags at the start and at the end. The command ID is 00, the registration command, followed by the associated data. In this case the data comprises basic information: the machine name, DEMO-PC, system information, 0800232979FD-SYSTEM, the C2 password, test, its version, the operating system version and, in the last part, whether it is a 32 or 64 bit operating system.

ShimRat will continue sending the initial check-in data until the C2 server responds with Data. Once it has received this response, which indicates it registered successfully, it will start polling for new commands to execute. It polls the C2 for commands by sending command ID 02 in combination with its system information:

```
Data$$02#DEMO-PC-0800232979FD-SYSTEMData
```

The C2 server will respond with one of 3 possible tags:

**•** **Atad**: returned when there is nothing to do for the malware. ShimRat will sleep for a specified time period before polling again.
**•** **Aatd**: returned when the C2 does not recognize the system information. It forces ShimRat to register itself again. After registering itself again, ShimRat continues polling the C2 server for commands.
**•** **Data**: returned when a command is available. The whole response string is actually `Data$$<id><data>Data`, from which ShimRat parses the command ID, executes the desired command and sends the result back to the C2. Details of which command ID maps to which command can be found in Table 5.

Table 5 lists the possible command IDs that a C2 server can send (the Initiating command ID) and the corresponding responses by ShimRat (the Responding command ID). Some commands result in one or more different responding IDs, based on the data ShimRat has to send back.

Please note that there are checks when executing these commands where the keywords Atad, Aatd and Data are used to evaluate the outcome of the command. These states are not described or shown in the table, nor does the table include command IDs 00 and 01, which are used for initial registration and command polling respectively.

| Function | Initiating command ID | Responding command ID(s) |
|---|---|---|
| Enumerate drives | 03 | 04 |
| List directory | 06 | 07 |
| Download file | 09 | 0b, 24 |
| Upload file | 0c | |
| Delete file | 16 | |
| Create directory | 31 | |
| Copy file | 29 | 32 |
| Move file | 26 | 32 |
| Rename file | 28 | |
| Execute file | 17 | |
| Command shell | 11 | 12, 15 |
| Uninstall | 22 | |

_Table 5 Overview of ShimRat functions mapped to command IDs_
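The framing and the check-in/poll exchange described above, as an added Python example (not Fox-IT's tooling and not code from ShimRat). It reuses the registration and poll strings quoted above and replays them against a minimal stand-in for the panel gate, with both sides' messages recorded. The field split of the registration body (identifier, password, version, OS string, architecture), the acknowledgement of a result with a bare tag, the `#<ident>#<result>` layout of a result and the `RESPONDING` subset of Table 5 are assumptions; the polling ID (02) follows the quoted exchange.

```python
import re

TAG = "Data"  # current framing tag; older samples used "Yuok"
FRAME = re.compile(r"^(?P<tag>Data|Yuok)\$\$(?P<id>[0-9a-fA-F]{2})(?P<body>.*)(?P=tag)$", re.S)

# The registration string quoted above (the report's demo host, not a real victim).
REGISTRATION = ("Data$$00#DEMO-PC-0800232979FD-SYSTEM.test.0.0.01.1"
                "#WinXP Professional SP3 (2600) (x86)Data")

# Assumed: the subset of Table 5 used by the simulation, initiating ID -> responding ID.
RESPONDING = {0x03: 0x04, 0x06: 0x07, 0x09: 0x0b, 0x29: 0x32, 0x26: 0x32, 0x11: 0x12}


def build(cmd_id, body="", tag=TAG):
    """Frame a command: <tag>$$<two hex digit id><body><tag>."""
    return f"{tag}$${cmd_id:02x}{body}{tag}"


def parse(frame):
    """Inverse of build(); returns (tag, id as int, body) or raises ValueError."""
    m = FRAME.match(frame)
    if not m:
        raise ValueError(f"not a ShimRat frame: {frame!r}")
    return m.group("tag"), int(m.group("id"), 16), m.group("body")


def parse_registration(body):
    """Field split of the registration (00) body. The layout
    '#<identifier>.<password>.<version>#<os string> (<arch>)' is an assumption
    read from the single quoted sample."""
    _, ident_pw_ver, os_string = body.split("#", 2)
    ident, password, *version = ident_pw_ver.split(".")
    os_name, _, arch = os_string.rpartition(" (")
    return {"ident": ident, "password": password, "version": ".".join(version),
            "os": os_name, "arch": arch.rstrip(")")}


class C2Server:
    """Stand-in for the panel gate. Replies to registration and polling are the
    documented ones; acknowledging a result with the bare tag is an assumption."""

    def __init__(self, tasks):
        self.known = set()
        self.tasks = {ident: list(queue) for ident, queue in tasks.items()}
        self.results = []

    def handle(self, frame):
        tag, cmd_id, body = parse(frame)
        if cmd_id == 0x00:                       # registration
            self.known.add(parse_registration(body)["ident"])
            return tag                           # bare "Data": registered
        ident = body[1:].split("#", 1)[0]        # '#<ident>' or '#<ident>#<result>'
        if ident not in self.known:
            return "Aatd"                        # unknown system: register again
        if cmd_id == 0x02:                       # poll
            queue = self.tasks.get(ident, [])
            if not queue:
                return "Atad"                    # nothing to do: sleep, then poll again
            task_id, task_body = queue.pop(0)
            return build(task_id, task_body, tag)
        self.results.append((ident, cmd_id, body))   # a responding command ID with its data
        return tag


class Implant:
    """Client side: send the check-in until a bare tag arrives, then poll."""

    def __init__(self, ident, password, version, os_string):
        self.ident, self.password = ident, password
        self.version, self.os_string = version, os_string
        self.registered = False

    def next_request(self):
        if not self.registered:
            return build(0x00, f"#{self.ident}.{self.password}.{self.version}#{self.os_string}")
        return build(0x02, f"#{self.ident}")

    def handle_response(self, resp):
        """Map a server reply to an event: registered, retry, sleep, reregister or task."""
        if not self.registered:
            self.registered = resp == TAG
            return ("registered" if self.registered else "retry", None)
        if resp == "Atad":
            return ("sleep", None)
        if resp == "Aatd":
            self.registered = False
            return ("reregister", None)
        _, cmd_id, body = parse(resp)
        return ("task", (cmd_id, body))


def run_session(implant, server, max_rounds=8):
    """Drive one implant against one server until it is told to sleep.
    Tasks are not executed; a placeholder result goes back with the responding ID."""
    transcript = []
    for _ in range(max_rounds):
        req = implant.next_request()
        resp = server.handle(req)
        event, payload = implant.handle_response(resp)
        transcript.append((req, resp, event))
        if event == "sleep":
            break
        if event == "task" and payload[0] in RESPONDING:
            result = build(RESPONDING[payload[0]], f"#{implant.ident}#<result>")
            transcript.append((result, server.handle(result), "result"))
    return transcript
```

Running `run_session` against a server with one queued task (03, enumerate drives) produces the four-message transcript: registration answered with a bare `Data`, the poll answered with `Data$$03Data`, the `04` result acknowledged, and the next poll answered with `Atad`. A server that has lost its state answers the same poll with `Aatd`, which drops the implant back into the registration loop.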
7.2 **ShimRatReporter**

7.2.1 Summary

ShimRatReporter is a tool first seen in late 2014. The goal of this tool is to gather important information about the target infrastructure. More details about this are available in paragraph 7.2.2.

Additionally, the tool can be configured to download a 2nd stage payload from 1 or 2 preconfigured locations. The idea behind ShimRatReporter is to be able to deliver customized ShimRat builds. This can be seen in the preconfigured proxy configuration in some of the attacks: in these attacks, the ShimRat builds that were sent to the target machines were already configured with the credentials for the local proxy in the target network.

7.2.2 Report generation

ShimRatReporter generates a text based report to send out to its C2 server. The report is constructed with the following sections.

| Section | Contents |
|---|---|
| Report header | The header contains a timestamp at which the report was made and the local computer name. |
| Network information | The first section is titled IP-INFO and contains information about the Windows IP configuration. This includes local IP information, routing tables, MAC address, gateway, DNS servers and whether the network has DHCP enabled. The second section is titled Network-INFO and contains a list of all the TCP and UDP endpoints (similar to the output of the netstat command), formatted from the output of the GetExtendedTcpTable and GetExtendedUdpTable Windows API functions. |
| Operating system information | This section is titled OS-INFO and contains the operating system name and specific Windows version, including any service packs if they are installed. |
| Active processes information | This section is titled Process-INFO and contains a list of all the running processes on the machine, including their PID and parent PID. |
| Browser and proxy configuration | This section is titled Browser-INFO and contains the User-Agent of the default browser as well as any proxy configuration set in the registry. |
| Active user sessions | This section is titled QueryUser-INFO and contains a list of active sessions on the machine, enumerated with the WTSEnumerateSessions Windows API function. |
| User accounts | This section is titled Users-INFO and contains a list of the non-privileged and privileged accounts that are available on the machine. |
| Installed software | This section is titled Software-INFO and contains a list of all the installed software on the machine, excluding any Windows updates / components. |
| Report footer | The footer of the report contains some additional information on whether the 2nd stage payloads, if configured, were successfully downloaded and executed. |

7.2.3 Command and control communication

ShimRatReporter communicates over HTTP with a preconfigured C2 server. The generated report is first compressed using LZ compression applied with the RtlCompressBuffer Windows API function. After compression, the data is encrypted with a combination of shifting and XOR using a static key. The key hardcoded in all versions seen in the wild is 'NetMeter'. After a report is generated, the raw buffer with the data is taken and iterated through using an index. If the index is divisible by two, the value in the buffer is XOR-ed with the key byte; if it is not divisible by two, the key byte is added to the value in the buffer. This is probably best explained by the logic of the decryption tool that Fox-IT has created: for every element in the encrypted report data, the index is checked to be divisible by two, using the modulo operation to wrap the key. If this is true, the value in the encrypted report is XOR-ed with a value from the static key. If it is not divisible, the ordinal key value is subtracted from the current element in the encrypted report. In the encryption process the subtraction is just an addition. The report is then sent out in a POST request to a preconfigured C2 server and gate path.
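The reporter's cipher and a section splitter for the decrypted report, as an added Python example; it is not Fox-IT's decryption tool, only the scheme described above written out. `decrypt()` is the step described in this paragraph and `encrypt()` its inverse as the implant applies it before the POST. The LZ step is left out: a real capture still has to be decompressed (the RtlCompressBuffer LZNT1 format) after `decrypt()` and before `split_report()`. The sample report, the `ProxyServer=` line and the `proxies_in()` helper are constructed for the example; only the section titles are the real ones from 7.2.2.

```python
KEY = b"NetMeter"   # the static key hardcoded in every ShimRatReporter version seen in the wild

SECTIONS = ("IP-INFO", "Network-INFO", "OS-INFO", "Process-INFO", "Browser-INFO",
            "QueryUser-INFO", "Users-INFO", "Software-INFO")


def decrypt(buf, key=KEY):
    """Reverse the reporter's byte-wise scheme: even index -> XOR with a key byte,
    odd index -> subtract the key byte (mod 256); the key wraps with index % len(key)."""
    out = bytearray(buf)
    for i, c in enumerate(out):
        k = key[i % len(key)]
        out[i] = c ^ k if i % 2 == 0 else (c - k) & 0xFF
    return bytes(out)


def encrypt(buf, key=KEY):
    """What the implant does before the POST: same XOR on even indices, addition on odd ones."""
    out = bytearray(buf)
    for i, c in enumerate(out):
        k = key[i % len(key)]
        out[i] = c ^ k if i % 2 == 0 else (c + k) & 0xFF
    return bytes(out)


def split_report(text):
    """Group the lines of a plaintext report under its section titles. Lines before the
    first title (timestamp and computer name) go under 'header'."""
    sections, current = {"header": []}, "header"
    for line in text.splitlines():
        if line.strip() in SECTIONS:
            current = line.strip()
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def proxies_in(sections):
    """Proxy settings from Browser-INFO; the 'ProxyServer=' line format is an assumption."""
    return [line.split("=", 1)[1] for line in sections.get("Browser-INFO", [])
            if line.startswith("ProxyServer=")]


# Constructed plaintext report: the section titles are the real ones, the contents are made up.
SAMPLE_REPORT = """2015-11-20 10:42:11 DEMO-PC
IP-INFO
08-00-23-29-79-FD 10.0.0.12 255.255.255.0 gateway 10.0.0.1 dns 10.0.0.1 dhcp enabled
Network-INFO
TCP 10.0.0.12:49152 10.0.0.5:8080 ESTABLISHED
OS-INFO
Windows XP Professional Service Pack 3
Process-INFO
4 0 System
1288 692 svchost.exe
Browser-INFO
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
ProxyServer=proxy.seg.local:8080
QueryUser-INFO
Users-INFO
Software-INFO
"""
```

For a captured upload the pipeline is `decrypt(body)`, LZNT1 decompression, then `split_report(plaintext)`; `proxies_in()` shows why the operators collect this: the proxy line is exactly what ends up preconfigured in the next ShimRat build (compare the 'seg' configuration in Table 1).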
The URL parameter filename is added to the POST URL. Its value is the computer name, also listed in the report, and an ID. The C2 server responds with a 200 OK when the report has been successfully received.

_Figure 14 Example ShimRat report upload_

Additionally, ShimRatReporter can be configured to download a payload. Reporting is the default, but payload downloading is optional. Payloads are downloaded from preconfigured locations and are encrypted in a similar way. Figure 15 shows an example payload download from the same campaign as shown in Figure 14.

_Figure 15 Example ShimRat payload download_

## 8 Network based detection (IOCs)

The following sections contain IOCs for infrastructure communication from the Mofang group from 2012 until the end of 2015. There are duplicate domains and IPs in the list, because several domains share an IP and a domain may have pointed at multiple IPs.

8.1 **Snort signatures**

The following Snort signatures provide coverage for the known HTTP based ShimRat and ShimRatReporter C2 communication protocols. One thing to keep in mind is that some variants of ShimRat communicate over HTTPS, which these rules will not cover.
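The matching logic of these signatures, as an added Python example rather than a rule file (not Fox-IT's code): it classifies raw HTTP requests with the same criteria the rules use (a POST whose request line ends in `.php HTTP/1.`, no Content-Type and no Referer header, a body framed with `Data$$`/`Yuok$$`, and for ShimRatReporter the `Accept-Encoding: utf-8` and `Accept: */*` headers) and applies the rules' `threshold: type limit, track by_src, count 1, seconds 600`. The sample requests are constructed: the hosts and gate paths are the ones named earlier in the report, the bodies and the `filename=` query string are made up, and treating a missing Content-Type as part of the ShimRatReporter match is an assumption.

```python
import re

# Body must start with the framing the rules look for: Data$$<id> (current) or Yuok$$<id> (older).
SHIMRAT_BODY = re.compile(rb"^(?:Data|Yuok)\$\$[0-9a-fA-F]{2}")
WINDOW = 600   # the rules' "threshold: type limit, track by_src, count 1, seconds 600"


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, version, {header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, target, version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def classify(raw):
    """Return the name of the signature a request would trip, or None."""
    method, target, version, headers, body = parse_request(raw)
    if method != b"POST" or b"referer" in headers:        # both rule families exclude Referer
        return None
    if (target.endswith(b".php") and version.startswith(b"HTTP/1.")
            and b"content-type" not in headers and SHIMRAT_BODY.match(body)):
        return "ShimRat check-in"
    if (headers.get(b"accept-encoding") == b"utf-8" and headers.get(b"accept") == b"*/*"
            and b"content-type" not in headers):         # Content-Type exclusion: assumption
        return "ShimRatReporter report upload"
    return None


class Thresholder:
    """'type limit, track by_src, count 1, seconds N': the first hit per source and
    signature fires, later hits inside the window are suppressed."""

    def __init__(self, window=WINDOW):
        self.window, self.last = window, {}

    def fires(self, src, name, ts):
        key = (src, name)
        if key in self.last and ts - self.last[key] < self.window:
            return False
        self.last[key] = ts
        return True


def scan(events, window=WINDOW):
    """events: iterable of (timestamp, source ip, raw request); returns the alerts that fire."""
    thr, alerts = Thresholder(window), []
    for ts, src, raw in events:
        name = classify(raw)
        if name and thr.fires(src, name, ts):
            alerts.append((ts, src, name))
    return alerts


# Constructed requests. Hosts and gate paths are the campaign C2s named earlier in the report;
# the bodies and the filename query string format are made up for the example.
CHECKIN = (b"POST /en-us/c/index.php HTTP/1.1\r\nHost: store.outlook-microsoft.net\r\n"
           b"User-Agent: Mozilla/4.0\r\nContent-Length: 40\r\n\r\n"
           b"Data$$02#DEMO-PC-0800232979FD-SYSTEMData")
OLD_CHECKIN = CHECKIN.replace(b"Data$$02", b"Yuok$$02").replace(b"SYSTEMData", b"SYSTEMYuok")
REPORT = (b"POST /cache/cache.php?filename=DEMO-PC-1 HTTP/1.1\r\nHost: support.f--secure.com\r\n"
          b"Accept: */*\r\nAccept-Encoding: utf-8\r\nContent-Length: 8\r\n\r\n" + b"\x7c\xa2" * 4)
BENIGN = (b"POST /login.php HTTP/1.1\r\nHost: www.example.com\r\nReferer: https://www.example.com/\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=a&pass=b")
```

Feeding `scan()` a sequence of timestamped requests from one source shows the threshold at work: repeated check-ins inside ten minutes produce one alert, a different signature from the same source is counted separately, and the HTTPS variants the paragraph above mentions never reach this logic at all.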
These IOCs are also available from our Github repository located at: https://github.com/fox-it/mofang/

The signature set consists of four rules: two for the current `Data` framing, one for the older `Yuok` framing and one for ShimRatReporter. All of them alert on `tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS` with `flow:established,to_server`, are rate limited with `threshold: type limit, track by_src, count 1, seconds 600`, carry `classtype:trojan-activity` and reference blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/ (the sids visible in this copy are 21001854 and 21001856, both rev 4; the complete rule text is in the repository). What they key on:

**•** ShimRat check-in, current framing: a `POST` (`http_method`) whose request line ends in `.php HTTP/1.` (`fast_pattern:only`), no `Content-Type` and no `Referer:` header, and a body, located after `|0d0a0d0a|`, that matches `pcre:"/Data\$\$\d\d/R"`.
**•** ShimRat check-in, older framing: the same request shape with `content:"Yuok"` and `pcre:"/(php)?Yuok\$\$\d\d/R"`.
**•** ShimRatReporter report upload: a `POST` carrying the header `Accept-Encoding: utf-8|0d0a|` (`fast_pattern`) and `Accept: */*`, with no `Referer` header and no `Content-Type` header.

8.2 Domains & IP addresses

The following domains and associated IPs have a lot of historical data. Keep in mind that the listed domains could be on shared hosting machines or compromised websites. Please make sure to correlate any hits from the table below with the listed samples and their configurations in section 10.1. This table only contains domains set up by the Mofang group themselves; it does not contain the compromised shared hosting domains listed in some samples in paragraphs 9.2 and 9.3.
Domain 116.251.216.227 October 2014 video.today-nytimes.com 178.209.52.72 May 2014 116.251.216.227 December 2013 23.89.200.128 October 2013 23.89.201.173 October 2013 api.officeonlinetool.com 176.31.220.160 September 2015 ie.update-windows-microsoft.com 116.251.219.142 November 2015 116.251.216.72 October 2015 49.213.18.15 June 2015 116.251.210.77 March 2015 116.251.216.227 July 2014 178.209.52.72 May 2014 travel.tripmans.com 38.109.190.55 November 2014 dns.undpus.com 107.191.61.105 May 2015 secure2.sophosrv.com 178.209.52.72 May 2015 update.nfkllyuisyahooapis.com 117.17.10.10 November 2012 www.go-gga.com 61.250.92.79 January 2013 images.defexpoindia14.com 178.209.51.164 August 2013 update.micrdsoft.com 151.236.14.53 July 2013 support.f--secure.com - December 2012 store.outlook-microsoft.net 116.251.216.227 October 2014 178.209.52.72 April 2014 151.236.14.53 September 2013 b.support.outlook-microsoft.net 178.209.52.72 Augustus 2013 logon.had-one-job.com - September 2013 www.avgfree.us 210.245.85.83 April 2013 mail.upgoogle.com 116.251.219.142 December 2015 116.251.210.77 March 2015 116.251.216.227 Augustus 2014 178.209.52.72 July 2014 50.117.47.66 June 2014 50.117.47.67 June 2014 192.157.229.164 March 2014 198.98.103.7 Augustus 2013 wbmail.city-library.com 103.229.124.1 June 2015 112.213.117.52 May 2015 116.251.216.165 September 2014 103.39.78.131 April 2014 192.157.229.164 March 2014 library.cpgcorp.org 38.109.190.55 May 2015 |ne|t|Col3| |---|---|---| |||| |||| |||| |||| |||| |I 1|P 78.|20|9.5|2.|72|Col7|Col8| |---|---|---|---|---|---|---|---| |-|||||||| |2|10.|24|5.8|5.|83||| |11|6.|251|.21|9.1|42||| |11|6.|251|.21|0.|77||| |11|6.|251|.21|6.|22|7|| |1|78.|20|9.5|2.|72||| |5|0.1|17.|47.|66|||| |5|0.1|17.|47.|67|||| |1|92.|157|.2|29.|16|4|| |1|98.|98|.10|3.|7||| |1|03.|22|9.1|24|.1||| |11|2.|213|.11|7.5|2||| |11|6.|251|.21|6.1|65||| |1|03.|39|.78|.13|1||| |1|92.|157|.2|29.|16|4|| |3|8.1|09|.19|0.|55||| |Fi A|rst ug|se ust|en us|20|13|Col7|Col8| 
## 9 Host based detection (IOCs)

### 9.1 Yara rules

The following yara rules can be used to detect the ShimRat and ShimRatReporter samples. These IOCs are also available from our Github repository located at: https://github.com/fox-it/mofang/

ShimRat

```yara
rule shimrat
{
    meta:
        description = "Detects ShimRat and the ShimRat loader"
        author = "Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)"
        date = "20/11/2015"

    strings:
        // file extensions of the loader (.dll) and the encrypted core (.dat)
        $dll = ".dll"
        $dat = ".dat"
        // header and data signatures of the .dat payload
        $headersig = "QWERTYUIOPLKJHG"
        $datasig = "MNBVCXZLKJHGFDS"
        $datamarker1 = "Data$$00"
        $datamarker2 = "Data$$01%c%sData"
        // command line format used when (re)launching via cmd.exe
        $cmdlineformat = "ping localhost -n 9 /c %s > nul"
        $demoproject_keyword1 = "Demo"
        $demoproject_keyword2 = "Win32App"
        $comspec = "COMSPEC"
        // exports of the shim DLL used for persistence
        $shim_func1 = "ShimMain"
        $shim_func2 = "NotifyShims"
        $shim_func3 = "GetHookAPIs"

    condition:
        ($dll and $dat and $headersig and $datasig) or
        ($datamarker1 and $datamarker2) or
        ($cmdlineformat and $demoproject_keyword1 and $demoproject_keyword2 and $comspec) or
        ($dll and $dat and $shim_func1 and $shim_func2 and $shim_func3)
}
```

ShimRatReporter

```yara
rule shimratreporter
{
    meta:
        description = "Detects ShimRatReporter"
        author = "Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)"
        date = "20/11/2015"

    strings:
        // section markers of the reconnaissance report that ShimRatReporter uploads
        $IpInfo = "IP-INFO"
        $NetworkInfo = "Network-INFO"
        $OsInfo = "OS-INFO"
        $ProcessInfo = "Process-INFO"
        $BrowserInfo = "Browser-INFO"
        $QueryUserInfo = "QueryUser-INFO"
        $UsersInfo = "Users-INFO"
        $SoftwareInfo = "Software-INFO"
        // MAC address format string and proxy/enumeration helpers
        $AddressFormat = "%02X-%02X-%02X-%02X-%02X-%02X"
        $proxy_str = "(from environment) = %s"
        $netuserfun = "NetUserEnum"
        $networkparams = "GetNetworkParams"

    condition:
        all of them
}
```

### 9.2 ShimRat samples

The following list of samples includes the ShimRat core as well as the loader DLL in the cases where ShimRat relied on DLL hijacking to start. Two samples were configured with a proxy; that setting is listed in its own column.

| Filename(s) | Related campaign | C2 URL | Configured proxy | MD5 | SHA256 |
|---|---|---|---|---|---|
| `vmware-vmx.exe` | - | `http://www.goodlook.sg/po/index.php` | - | `e79b2d2934e5525e7a40d74875f9d761` | `a835baa7ffc265346443b5d6f4828d7221594bd91be8afc08152f3d68698b672` |
| `elogger.dat` (core), `elogger.dll` (loader DLL) | - | `http://travel.tripmans.com/links/images/links.php` | - | not legible in source | not legible in source |
| `elogger.dat` (core), `elogger.dll` (loader DLL) | “Myanmar”, see section 5 | `http://dns.undpus.com/index.php` | - | not legible in source | not legible in source |
| `vmware-vmx.exe` | “Global campaign”, see section 6.4 | `https://ie.update-windows-microsoft.com/my/js/index.php` | - | `2cc5bc69e24a13bfc8ea3dc679ab0efc` | `36422e6ccaa50a9ecceb7fb709a9e383552732525cb579f8438237d87aaf8377` |
| `svchost.exe` | - | `http://update.nfkllyuisyahooapis.com/js/js/js.php` | - | `f9c14a8e9ceb143d959743ad8c09fdc4` | `b53b27bb3e9d02e3ec5404cf3e67debb90d9337dbb570ca8b8cfce1054428466` |
| `svchost.exe` | “Myanmar”, see section 5 | `http://www.commerce.gov.mm/templates/css1/logon.php` | - | `a4da3b820883e9808bd3ca2e02437a25` | `2b111e287d356ac4561ba4f56135b7c1361b7da32e5825028a5e300e44b05579` |
| `vmware-vmx.exe` | - | `http://www.ipacking.co.kr/ez/admin/data/403.php` | - | `ca41c19366bee737fe5bc5008250976a` | `029e735581c38d66f03aa0e9d1c22959b0bc8dfe298b9e91b127c42c7f904b5e` |
| - | “MSME DEFEXPO”, see section 6.1 | `http://images.defexpoindia14.com/se/index.php` | - | `25e87e846bb969802e8db9b36d6cf67c` | `33b288455c12bf7678fb5fd028ff3d42fcaf33cf833a147cb7f0f89f7dad0d8f` |
| `helpservice.exe` | “Global campaign”, see section 6.4 | `http://update.micrdsoft.com/image/image.php` | - | `cf883d04762b868b450275017ab3ccfa` | `eb2d3c9e15b189dd02f753f805e90493254e17d40db6f1228a4e4095c5f260c1` |
| `svchost.exe` | “seg”, see section 6.2 | `http://support.f--secure.com/cache/cache.php` | `HTTP=proxy.seg.local:8080` | `4e22e8bc3034d0df1e902413c9cfefc9` | `577622fbf0a7bebc60844df808e75eef81a3d62ec6943f80168ac0d5ef39de5c` |
| `Update.exe` | “Global campaign”, see section 6.4 | `http://store.outlook-microsoft.net/en-us/c/index.php` | - | `2f14d8c3d4815436f806fc1a435e29e3` | `d2d4723f8c3bba910cade05c9ecea00cdcc647d42232bccc610d066792a95b15` |
| `vmware-vmx.exe` | “Global campaign”, see section 6.4 | `https://ie.update-windows-microsoft.com/company/js/index.php` | - | `36e057fa2020c65f2849d718f2bb90ad` | `dae17755e106be27ea4b97120906c46d4fcbb14cc8d9fc2c432f4c0cc74bb3fb` |
| `svchost.exe` | - | `http://www.domesky.com/ez/admin/data/index.php` | - | `a326e2abacc72c7a050ffe36e3d3d0eb` | `fa28559a4e0e920b70129cea95a98da9a409eaa093c63f341a7809692b31e723` |
| - | - | `http://logon.had-one-job.com/2008/vcards/log/us/index.php` | - | `d7a575895b07b007d0daf1f15bfb14a1` | `234d62ffd83c3972a32e89685787ff3aab4548cd16e4384c3c704a059ef731ce` |
| - | “Global campaign”, see section 6.4 | `http://store.outlook-microsoft.net/en-us/c/index.php` | - | `888cac09f613db4505c4ee8d01d4291b` | `e01aae93f68a84829fd8c0bc5ae923897d32af3a1d78623839fcfd18c99627cc` |
| - | - | `http://www.psychologia.uni.wroc.pl/sites/default/bm.php` | - | `916a2a20a447b10e379543a47a60b40f` | `2a1a0d8d81647c321759197a15f14091ab5e76b913eb2d7d28c6bb053166d882` |
| - | - | `http://video.today-nytimes.com/en-us/b/index.php` | `HTTP=150.207.1.67:80` | `f4b247a44be362898c4e587545c7653f` | `558461b6fb0441e7f70c4224963490ea49f44d40c5700a4c7fd19be4c62b3d6a` |
| - | “Global campaign”, see section 6.4 | `http://mail.upgoogle.com/image/image.php` | - | `5c00ccf456135514c591478904b146e3` | `1ca75e9b1761e15968d01a6e4f0a9f6ce47ba7ee4047d1533fb838f0f6ab28e2` |

### 9.3 ShimRatReporter samples

The following samples are the core ShimRatReporter samples. Some of these were delivered in Zip archives or packaged in some other form; those containers are not listed.

These table blocks contain the parsed configuration data for the samples. The domains listed here are also present separately in the Network IOC paragraph 2, but are added here to give an overview and to outline the relationship between the IOCs.
| Observed filename(s) | Related campaign | Configured C2 domain | Configured C2 reporting gate | Configured 2nd stage payload | MD5 | SHA256 |
|---|---|---|---|---|---|---|
| `vmware-vmx.exe` | - | `www.ipacking.co.kr` | `http://www.ipacking.co.kr/ez/admin/data/403.php` | - | `ca41c19366bee737fe5bc5008250976a` | `029e735581c38d66f03aa0e9d1c22959b0bc8dfe298b9e91b127c42c7f904b5e` |
| `photo.exe` | - | `dns.undpus.com` | `http://dns.undpus.com/info.php` | `http://dns.undpus.com/myanmar.jpg` | `9a6167cf7c180f15d8ae13f48d549d2e` | `b7edbe6aee1896a952fcce2305c2bb7d8e77162bb45e305c64c7f8c9f63b3ab5` |
| `loader.exe` | - | `dns.undpus.com` | `http://dns.undpus.com/info.php` | `http://dns.undpus.com/info.txt` | `0067bbd63db0a4f5662cdb1633d92444` | `ac3b42453fac93e575988ba73ab24311515b090d57b1ad9f27dcbae8363f2d99` |
| - | “Global campaign”, see section 6.4 | `ie.update-windows-microsoft.com` | `http://ie.update-windows-microsoft.com/load/uplogo.php` | `http://ie.update-windows-microsoft.com/load/logo.gif` | `582e4adddfd12f7d68035c3b8e2e3378` | `722f41aa2c7d670364b7a9bb683a0025aef5893b34af67873972cdaf09490ad2` |
| `AlphaZawgyl_font.exe` | “Myanmar”, see section 5 | `library.cpgcorp.org`, `secure2.sophosrv.com` | `http://library.cpgcorp.org/links/images/file/blanks.php` | `http://library.cpgcorp.org/links/images/blanks.jpg`, `https://secure2.sophosrv.com/en-us/support/blanks.jpg` | `b43e5988bde7bb03133eec60daaf22d5` | `7deb75e95e8e22c6abb3b33c00b47a93122b8c744e8f66affd9748292e5a177f` |

### 9.4 Antivirus hijacking components

As described in section 7.2, the ShimRat malware uses certain antivirus product components that are vulnerable to DLL hijacking in order to run.
The following table contains all the indicators for these components. Keep in mind that these indicators are only useful if the antivirus product the component belongs to is not installed on the system; where the product is installed, the component is legitimately present.

| Company | Application name | Version (product specific) | Hijacked DLL | First seen used | MD5 | SHA256 |
|---|---|---|---|---|---|---|
| Norman | Program Manager | `10.0.0.0` | `elogger.dll` | 2014-04-30 | `23a3f48df4b36e3d2e63cde4b85cf4fa` | `006c74c6813a6efeabea860b2718ed548eed216a319d76ceb178fc38cba458d1` |
| McAfee | McAfee Oem Module | `2.1.0.0` | `mcutil.dll` | 2015-03-15 | `884d46c01c762ad6ddd2759fd921bf71` | `3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe` |
| Symantec | Norton Identity Safe | `2015.2.1.5` | `msvcr110.dll` | 2015-09-07 | `1f330f00510866522f14790398a5be59` | `33fff13b0d0e76a09100efa0b407fe8cdfd0758500dad7cc59722bf3b537de62` |

### 9.5 Observed services

As explained in paragraph 7.1.3, ShimRat can become persistent through the use of services.
The service configuration (service name, title and description) is embedded in the individual ShimRat samples. The list below contains the uniquely observed service configurations. Correlating these with the actual process the service starts is a good indicator of the presence of ShimRat. The descriptions are reproduced exactly as the samples contain them, including their spacing.

| Service name | Service title | Service description |
|---|---|---|
| `WWebLogic` | `Windows WebLogic Service` | `DHCP service for windows networks.Provides Windows DHCP Net foundation frame support,through the framework, on servers that are also running the service.` |
| `WNetDHCP` | `Windows DHCP Service` | `DHCP service for windows networks.Provides Windows DHCP Net foundation frame support,through the framework, on servers that are also running the service.` |
| `helpservices` | `Windows Help Services` | `Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable.` |
| `mshelpsrvs` | `Windows Help Services` | `Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable.` |
| `mshelpsrvsv` | `Windows Help Services` | `Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable.` |
| `mshelplog` | `Windows Help log` | `Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable.` |
| `avp2015` | `Kaspersky protect service` | `Kaspersky protect service` |

### 9.6 Observed shims

As discussed in paragraph 7.1.4, ShimRat can obtain persistence on systems by installing shims. The following table contains the settings for these shims and some observed hashes. Checking for the configurations of these shims will be more effective than just checking the listed hashes.
| | Platform `x86` | Platform `x64` |
|---|---|---|
| Name | `Clengine_Shim` | `Clengine_Shim` |
| Application name | `Clengine_Apps` | `Clengine_Apps` |
| Database name | `Clengine_Database` | `Clengine_Database` |
| Type of fix | `InjectDLL` | `InjectDLL` |
| Injection target | `svchost.exe` | `svchost.exe` |
| Injection DLL | `elogger.dll` | `eloggerx64.dll` |
| Database GUID | `{503ec3d3-165a-4770-b799-099d43b833ec}` | `{f8c4cc07-6dc4-418f-b72b-304fcdb64052}` |
| Exe GUID | `{e8cc2eb5-469c-43bd-9d69-de089e497302}` | `{7feee735-1296-4c40-bdd4-7d4f09acc2d0}` |
| MD5 | `cacbdf48a61ee0999da003f090027598` | `5f287a8082df8ed7b081137507c03638` |
| SHA256 | `7c8f962129f9d8fef6df7ca29ee7672c30286660298e0ef8b40f6a17f029187f` | `286616a5124f57f165ba2a1aa540200e103e976ce181dd61fe39faf05cf5378d` |
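As an added example (not code from the report or from Fox-IT), the following read-only PowerShell script applies the advice of sections 9.5 and 9.6 to a single host: it looks for the shim database names and GUIDs, the per-executable shim assignments, the observed service names, and the injection DLLs loaded in processes, and reports the binary each matching service starts so it can be correlated. It assumes the standard AppCompatFlags registry locations written by sdbinst; the indicator lists are taken from the two tables above.

```powershell
# Added example, not part of the Fox-IT report: hunt for the ShimRat shim (section 9.6)
# and service (section 9.5) configurations on a Windows host. Read-only, changes nothing.
# Assumes the standard AppCompat registry locations written by sdbinst.exe:
#   ...\AppCompatFlags\InstalledSDB\{db-guid}  -> DatabaseDescription, DatabasePath
#   ...\AppCompatFlags\Custom\<target.exe>     -> one "{db-guid}.sdb" value per applied shim
# Run elevated so that service and module enumeration are complete.

$ShimDbNames  = @('Clengine_Database', 'Clengine_Shim', 'Clengine_Apps')
$ShimDbGuids  = @('{503ec3d3-165a-4770-b799-099d43b833ec}',   # x86 database GUID
                  '{f8c4cc07-6dc4-418f-b72b-304fcdb64052}')   # x64 database GUID
$ShimDlls     = @('elogger.dll', 'eloggerx64.dll')
$ServiceNames = @('WWebLogic', 'WNetDHCP', 'helpservices',
                  'mshelpsrvs', 'mshelpsrvsv', 'mshelplog', 'avp2015')

$AppCompat = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'
$Findings  = New-Object System.Collections.Generic.List[object]

function Add-Finding($Kind, $Where, $Detail) {
    # List.Add mutates the object, so the outer-scope variable can be used directly
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# 1. Installed shim databases. Matching on the database name is the stronger check:
#    a rebuilt .sdb changes the hash, but rarely the configuration.
Get-ChildItem -Path "$AppCompat\InstalledSDB" -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    $guid  = $_.PSChildName
    $desc  = [string]$props.DatabaseDescription
    $path  = [string]$props.DatabasePath
    if (($ShimDbGuids -contains $guid) -or ($ShimDbNames -contains $desc)) {
        $exists = if ($path) { Test-Path -LiteralPath $path } else { $false }
        Add-Finding 'InstalledSDB' $guid "description='$desc' path='$path' exists=$exists"
    }
}

# 2. Per-executable shim assignments. ShimRat targets svchost.exe, so a Custom\svchost.exe
#    key carrying one of the GUIDs above means the InjectDLL fix is being applied.
Get-ChildItem -Path "$AppCompat\Custom" -ErrorAction SilentlyContinue | ForEach-Object {
    $exe   = $_.PSChildName
    $props = Get-ItemProperty -Path $_.PSPath
    $props.PSObject.Properties |
        Where-Object { $_.Name -like '{*}.sdb' } |
        ForEach-Object {
            $guid = $_.Name -replace '\.sdb$', ''
            if ($ShimDbGuids -contains $guid) {
                Add-Finding 'CustomShim' $exe "database $guid applied to $exe"
            }
        }
}

# 3. Services with the observed names. The name alone is a weak signal, so the binary
#    the service starts is reported for correlation, as the report advises.
Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue |
    Where-Object { $ServiceNames -contains $_.Name } |
    ForEach-Object {
        Add-Finding 'Service' $_.Name `
            "title='$($_.DisplayName)' start='$($_.StartMode)' state='$($_.State)' binary='$($_.PathName)'"
    }

# 4. Injection DLLs loaded into any process. Module enumeration fails for protected
#    processes and for a different bitness; those exceptions are ignored.
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try {
        $proc.Modules | Where-Object { $ShimDlls -contains $_.ModuleName } | ForEach-Object {
            Add-Finding 'LoadedModule' "$($proc.ProcessName) (PID $($proc.Id))" $_.FileName
        }
    } catch { }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No ShimRat shim or service indicators found.'
} else {
    $Findings | Format-Table -AutoSize -Wrap
}
```

A hit in step 1 or 2 with no matching file on disk still merits attention, since the registry entries survive deletion of the .sdb file.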
**fox-it**

• Was founded in 1999.
• Established one of the first Cyber Security Operations Centers in Europe.
• Is Europe’s largest specialized cyber security company.
• Operates in three business areas:
  1 Cyber Threat Management: a solution portfolio aimed at reducing the risks of cyber threats, and includes: professional services, managed security services, and technology;
  2 Web and Mobile event analytics: a solution portfolio that is aimed at reducing financial risks in (online) payment transactions;
  3 High Assurance: solutions that make trusted communication possible to the highest classification levels.
• Has been involved in many high-profile Incident Response cases. Most of the cases we worked on are secret. An approved selection can be shared upon request.

**fox-it** Olof Palmestraat 6, Delft; po box 638, 2600 ap Delft; The Netherlands. t +31 (0) 15 284 79 99, f +31 (0) 15 284 79 90, e fox@fox-it.com, www.fox-it.com