Shulou (Shulou.com), SLTechnology News & Howtos > Network Security. Report dated 06/01, updated 2025-03-26.
This article explains how a Python remote-control Trojan was hidden inside a picture in a document. The content is simple and easy to follow; read on with the editor to study "how to hide a Python remote-control tool in a document picture" in depth.
1. Overview
Recently, through network security monitoring, Antiy CERT found a malicious document that drops a remote-control Trojan written in Python. Based on the organization named in the document and the lure text the attacker set up, Antiy CERT determined that the incident was a targeted attack against the State Oil Company of the Azerbaijan Republic (SOCAR). In this incident the attacker went to considerable lengths to evade anti-virus detection: the files of the remote-control Trojan were stored, in compressed-archive form, inside a picture embedded in the malicious document using steganography, for later extraction. The macro first saves the malicious document as a .docx file (whose format is that of a ZIP archive), then saves it again with a .zip extension and decompresses it to obtain the picture, and finally extracts the remote-control Trojan files from the picture. The Trojan is written in Python and has the upload, download and command-execution functions of a typical remote-control tool.
2. ATT&CK mapping of the event
This report covers an event in which an attacker delivers a malicious document to the target system, which then drops and runs a remote-control Trojan. Mapping the event onto the ATT&CK matrix reveals the techniques the attacker used, as shown in the following figure:
Figure 2-1 ATT&CK map of this attack
The ATT&CK techniques are described in the following table:
Table 2-1 Description of the ATT&CK techniques corresponding to the event
3. Sample analysis
3.1 Sample labels
Table 3-1 Sample labels
3.2 Sample execution flow
When the macro code in the malicious document runs, two auto-execute functions fire in different document states. The first runs when the document is opened: it creates a directory, copies the document, saves it in ZIP format and decompresses it, and so obtains the Python remote-control Trojan embedded in the picture. The second runs when the document is closed: it calls the shell with a hidden window to execute the .bat startup script, which in turn runs the remote-control Trojan script. The Trojan script's main job is to drop a .vbs file (whose content calls the .bat startup script), register a scheduled task that uses that .vbs file as its carrier, and then enter a loop that loads the configuration file, connects to the C2, fetches instructions and carries out the corresponding operations.
Figure 3-1 Files created and dropped by the macro code
Figure 3-2 Sample execution flow
3.3 Malicious document analysis
The sample is a Word document carrying malicious macro code. Judging by its content, it is a document "on the export of catalysts for analysis" forged in the name of SOCAR. Blurred content and a prompt are used to lure the target into clicking the "Enable Macros" button in order to view the details. SOCAR is the abbreviation of the State Oil Company of the Azerbaijan Republic; combined with the document content, this is judged to be a malicious-document delivery campaign against SOCAR employees.
Figure 3-3 Document content
Analysis of the macro code extracted from the document shows two functions that trigger execution, Document_Open() and Document_Close(). The macro code is heavily obfuscated: the strings "rqxjx", "RXQYE" and "_RXQYE_20210329_092748_rqxjx_" are embedded throughout custom variable and function names, which hinders analysis and helps evade anti-virus software to some extent.
Figure 3-4 Auto-execute functions
Figure 3-5 Obfuscated macro code
After de-obfuscation, the Document_Open() function can be seen to define several file-path variables, decrypt the corresponding paths through the MyFunc23 function, create the directories and files these variables name, and extract the remote-control Trojan files that were hidden by steganography in the picture inside the malicious document.
Figure 3-6 Content of the Document_Open function
Table 3-2 Variable information
Figure 3-7 Remote-control files written in Python
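The report states that the Trojan files were stored in a picture inside the document in compressed-archive form, but does not publish the exact layout. The following is an added example, not Antiy CERT's tooling and not code from the sample: it assumes the common variant in which a ZIP archive is simply appended after the image's real end marker (PNG IEND, JPEG EOI), builds a constructed .docx containing one clean and one polyglot picture, and then does what a triage script should do: open the .docx as a ZIP, walk word/media/, find the trailing archive and list and extract its members. The file names runner.bat and vabsheche.py come from the report; their contents here are stand-ins.

```python
"""Find and extract a ZIP archive hidden after an image inside an OOXML document.

Added example (not Antiy CERT's code, not from the sample). ASSUMPTION: the
steganography is a ZIP appended after the image's legitimate end-of-file
marker; the report does not describe the exact layout. All inputs are
constructed here so the script runs offline.
"""
import io
import struct
import zipfile
import zlib
from typing import Dict, Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png() -> bytes:
    """Constructed sample: a valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def build_polyglot_png(payload: Dict[str, bytes]) -> bytes:
    """Constructed sample: the PNG above with a ZIP holding `payload` appended.
    Image viewers stop at IEND, so the picture still renders normally."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in payload.items():
            z.writestr(name, data)
    return build_png() + buf.getvalue()


def build_sample_docx(payload: Dict[str, bytes]) -> bytes:
    """Constructed sample: a minimal OOXML container (a .docx is just a ZIP)
    with one clean picture and one polyglot picture under word/media/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/media/image1.png", build_png())
        z.writestr("word/media/image2.png", build_polyglot_png(payload))
    return buf.getvalue()


def image_end_offset(data: bytes) -> Optional[int]:
    """Offset just past the image's legitimate end, or None if the format is
    unknown or the image is truncated."""
    if data.startswith(PNG_SIG):
        pos = len(PNG_SIG)
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 12 + length  # length field, type, body, CRC
            if ctype == b"IEND":
                return pos
        return None
    if data.startswith(JPEG_SOI):
        # Caveat: an EXIF thumbnail also ends with FF D9; taking the first
        # match only makes the scan flag more trailing data, never less.
        eoi = data.find(b"\xff\xd9", 2)
        return eoi + 2 if eoi != -1 else None
    return None


def scan_docx_media(docx_bytes: bytes) -> Dict[str, Dict[str, bytes]]:
    """Map each word/media/ entry with a trailing ZIP to {member name: bytes}."""
    findings: Dict[str, Dict[str, bytes]] = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as doc:
        for name in doc.namelist():
            if not name.startswith("word/media/"):
                continue
            data = doc.read(name)
            end = image_end_offset(data)
            if end is None or ZIP_LOCAL_HEADER not in data[end:]:
                continue
            tail = io.BytesIO(data[end:])
            if not zipfile.is_zipfile(tail):
                continue
            with zipfile.ZipFile(tail) as inner:
                findings[name] = {m: inner.read(m) for m in inner.namelist()}
    return findings


if __name__ == "__main__":
    # Stand-in contents; the real runner.bat only "sets a delay, then runs vabsheche.py".
    sample = build_sample_docx({
        "runner.bat": b"@echo off\r\nping -n 30 127.0.0.1 >nul\r\npython vabsheche.py\r\n",
        "vabsheche.py": b"# constructed stand-in, not the real Trojan\r\n",
    })
    for media, members in scan_docx_media(sample).items():
        print(media, "->", sorted(members))
```

On a real sample, pass the bytes of the .docx straight to scan_docx_media; nothing needs to be renamed to .zip, because zipfile does not care about the extension. The extracted members should then be handed to a sandbox or static analysis rather than executed.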
The Document_Close() function runs the remote-control Trojan's startup script in a hidden window. The script is the file runner.bat in the directory C:\Users\MA\AppData\Roaming\nettools48\. It first sleeps for a set period and then runs the remote-control Trojan script vabsheche.py from the same folder.
Figure 3-8 Running the remote-control Trojan startup script
The script reads as follows:
3.4 Analysis of the dropped remote-control Trojan
The remote-control Trojan script consists of three parts.
The first part defines several operating-system checks, covering Windows, Linux and Mac OS X, and reads the C2 address configuration file to obtain the domain name and port. Although the script found in this incident only calls the Windows check, and the rest of its content can run only on Windows, the presence of the other checks means it cannot be ruled out that the attacker will later develop versions for Linux and Mac OS X.
Figure 3-9 First part of the remote-control script
The second part defines a task_registration function. It writes the path of the startup script runner.bat into a .vbs script, so that the .vbs script launches the remote-control tool, and then creates a scheduled task by calling the schtasks command so that the .vbs script runs every 30 minutes. Finally, the result of the Windows system check is used to decide whether task_registration is called.
Figure 3-10 Second part of the remote-control script
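The persistence just described (a .vbs under the user's AppData directory, registered with schtasks to run every 30 minutes) leaves a recognisable fingerprint in the Task Scheduler definition. The following is an added example, not Antiy CERT's code: it parses tasks in the Task Scheduler XML format (what `schtasks /Query /TN <name> /XML` prints, and what is stored under C:\Windows\System32\Tasks\) and flags the combination of a script host, a user-writable AppData path and a short repetition interval. The task definitions below are constructed; the .vbs file name runner.vbs and the start date are assumptions, since the report does not give them.

```python
"""Flag scheduled tasks matching the .vbs-in-AppData, short-interval persistence pattern.

Added example (not Antiy CERT's code). Input is Task Scheduler XML, constructed
here; the XML declaration is omitted. Task name, .vbs name and dates are assumptions.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript", "cscript", "cmd", "powershell", "mshta"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
SCRIPT_FILE = re.compile(r"\.(vbs|bat|cmd|js|ps1)\b", re.IGNORECASE)

# Constructed: what "schtasks /Create /SC MINUTE /MO 30 /TR wscript.exe ..." looks like once stored.
SUSPECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT30M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2021-03-29T10:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>"C:\Users\MA\AppData\Roaming\nettools48\runner.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed: an ordinary daily vendor updater for comparison.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2021-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Vendor\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""


def iso_duration_minutes(text: str) -> int:
    """Convert a Task Scheduler interval (PT30M, PT1H30M, P1DT2H) to whole minutes.
    Seconds are ignored; a sub-minute interval rounds down to 0."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text.strip())
    if not m:
        raise ValueError(f"bad ISO 8601 duration: {text!r}")
    days, hours, minutes, _seconds = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + minutes


def review_task(task_xml: str, max_interval_min: int = 60) -> Tuple[bool, List[str]]:
    """Return (suspicious, sorted flags) for one task definition.

    Suspicious means: an action that is a script host or runs a script file,
    AND references a user-writable AppData path, AND repeats at most every
    `max_interval_min` minutes. Each flag alone is common on clean systems."""
    root = ET.fromstring(task_xml)
    flags = set()
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = exe.findtext("t:Arguments", default="", namespaces=NS)
        base = re.sub(r"\.exe$", "", cmd.lower().rsplit("\\", 1)[-1])
        if base in SCRIPT_HOSTS:
            flags.add("script_host")
        if SCRIPT_FILE.search(args):
            flags.add("script_file")
        if USER_WRITABLE.search(cmd + " " + args):
            flags.add("appdata")
    for interval in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS):
        if iso_duration_minutes(interval.text or "") <= max_interval_min:
            flags.add("short_interval")
    suspicious = ("appdata" in flags and "short_interval" in flags
                  and ({"script_host", "script_file"} & flags) != set())
    return suspicious, sorted(flags)


if __name__ == "__main__":
    for label, xml_text in (("suspect", SUSPECT_TASK), ("benign", BENIGN_TASK)):
        print(label, review_task(xml_text))
```

Run it across every file under C:\Windows\System32\Tasks\ (or the output of `schtasks /Query /XML ONE` parsed per task) to hunt for this pattern at scale; a hit should then be confirmed by reading the referenced .vbs, which in this incident only calls runner.bat.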
The last part is the C2 command-handling flow: using the certificate file cert.pem in the same directory together with the domain name and port obtained earlier, the script establishes a connection to the C2 and reads what the C2 returns.
Figure 3-11 C2 connection code
The whole code is wrapped in a loop with error handling. If the connection succeeds, the data returned by the C2 is parsed and different instructions are executed depending on its content; if the connection fails, the script waits 120 seconds and then retries the C2 connection, continuing the flow. The remote-control Trojan's C2 address is pook.mywire.org, port 220.
Table 3-3 Remote-control Trojan instruction table
4. Summary
Because the remote-control Trojan is written in Python, its files have the characteristics of scripts: their actual file format is plain text. Compared with PE files, this form reduces the likelihood of detection by anti-virus software to some degree. Combined with the VirusTotal detection results for the Trojan, Antiy CERT believes that script-form remote-control Trojans will be used more often by attackers, possibly together with obfuscation and encoding.