Shulou (Shulou.com), Network Security, 05/31 report (updated 2025-03-27). Source: SLTechnology News&Howtos.
Analysis of new script-based attack samples from the "Maha Grass" (Patchwork) APT group
The "Maha Grass" group, also known as Hangover, Viceroy Tiger, Patchwork, Dropping Elephant and MONSOON, is called White Elephant or Operation Harvest by other Chinese security vendors.
It is an APT group that has long conducted cyber espionage against China, Pakistan and other South Asian countries. Since the foreign security vendor Norman first exposed it on May 16, 2013, its network attacks have remained extremely active, and many security vendors in China and abroad have uncovered its attacks and malicious code.
360 also published "APT-C-09: Targeted Attack Threat from South Asia" on August 4, 2016, detailing four historical attack campaigns by the group and comparing the attack tools and infrastructure it has used over time.
The group mainly targets government agencies, scientific research and education institutions and military personnel in China, primarily through spear-phishing; it has also used instant messaging tools and social networks as delivery channels for malicious code. Its malicious code mainly targets Windows, although code for other platforms has appeared in the past.
During recent monitoring of Maha Grass, the 360 Threat Intelligence Center found newly deployed attack samples. We are releasing this analysis report to disclose the group's latest attack techniques.
Background Overview
Since Maha Grass's activity was first exposed on May 16, 2013, its historical attacks and the tools and resources behind them have been exposed many times by security vendors in China and abroad. Continuous monitoring by the 360 Threat Intelligence Center shows, however, that the group's attacks never stopped and have maintained a relatively high tempo.
More than a year has passed since we publicly released a complete analysis of the group. Over the past year it has continued some of its past attack patterns, but the attack tools and malicious code it uses have changed significantly.
We found that Maha Grass recently launched an attack that may be aimed at some Eastern European countries, using newly created script-based malicious code. Compared with its earlier use of lure documents that exploit vulnerabilities, the payload delivery method has changed significantly, and some Ukrainian users hit by this attack have had remote-access trojans implanted.
We are not yet certain of the motive behind the attack, but to prevent the group from deploying this malicious code at scale in future attacks, we have decided to disclose some of its technical details as an early warning, so that attacks using this technique can be better defended against in the future.
Below we focus on the latest script-based attack code used by the "Maha Grass" group.
Script-based attack payload delivery
In the group's latest malicious code, the main modules are written in JS and PowerShell and use several rounds of decryption and concatenation to release and load the next-stage payload.
The following figure shows the structure and execution flow of the malicious code.
Dropper JS: dog.js
The dropper is a 96 KB script that releases an intermediate JS script. The additional data, hex-encoded, is stored in comment statements at the front of the file. The script body that follows first obtains the path of the currently executing script, reads its own file contents, locates the hex data in the comments above, concatenates it, converts it to binary, saves it as "%temp%\laksasokpaslkak.js", and finally executes that script through the WScript host.
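For triage of a dropper built this way, the useful step is to pull the hex out of the comment statements without running the script. The following is an added example (not code from the report or from the sample): it scans a JS file for comment fragments that consist only of hex digits, concatenates them in file order, and decodes them. The embedded dropper text and second-stage bytes are constructed here for the example; the real dog.js layout is only known from the description above.

```python
import hashlib
import re

# Constructed stand-in for a dropper of the described layout: the second-stage
# bytes are hex-encoded and parked in comments ahead of the real script body.
# Not the actual dog.js sample.
STAGE2 = b"WScript.Echo('stage 2 placeholder');\r\n"
_hex = STAGE2.hex()
SAMPLE_DROPPER = (
    "// " + _hex[:20] + "\n"
    "// " + _hex[20:48] + "\n"
    "/* " + _hex[48:] + " */\n"
    "// dropper body follows; it re-reads this file, pulls the hex out of the\n"
    "// comments above, writes the decoded bytes to %temp% and runs them\n"
    "var marker = 'not hex';\n"
)

HEX_RUN = re.compile(r"^[0-9a-fA-F]+$")


def extract_comment_hex(script_text: str) -> bytes:
    """Collect hex-only comment fragments (// lines and /* */ blocks) in file order and decode them.
    Comments that contain anything other than an even-length hex run are ignored."""
    fragments = []
    for m in re.finditer(r"//([^\n]*)|/\*(.*?)\*/", script_text, re.S):
        body = (m.group(1) if m.group(1) is not None else m.group(2)).strip()
        if body and HEX_RUN.match(body) and len(body) % 2 == 0:
            fragments.append(body)
    return bytes.fromhex("".join(fragments))


def triage(script_text: str) -> dict:
    """Decode the hidden payload and report what it looks like (PE vs. another script)."""
    payload = extract_comment_hex(script_text)
    return {
        "payload_len": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
        "looks_like_pe": payload[:2] == b"MZ",
        "looks_like_script": b"WScript" in payload or b"ActiveXObject" in payload,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_DROPPER))
```

On a real dropper the decoded bytes would be the intermediate script; hashing and classifying them before execution lets the next stage be examined statically instead of being written to %temp% by the dropper itself.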
Intermediate JS script: laksasokpaslkak.js
This script first checks whether Kaspersky or NOD32 programs are present on the target host and exits if either is found. Otherwise it writes the "dllData" and "code" data embedded in the script into a PowerShell script file with a randomly generated 5-character name, then executes that PowerShell script.
Randomly named PowerShell script
The PowerShell script stores Base64-encoded data out of order in an array, reassembles it, Base64-decodes and decompresses it into a PowerShell script, and executes that script via a UAC bypass. The same UAC bypass has appeared in the attack tools of another APT group, OceanLotus (Hailianhua): it hijacks eventvwr.exe by modifying a registry key value, then calls the sc command to create a service pointing to the decrypted PowerShell script.
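The eventvwr.exe bypass leaves three observable traces: the per-user mscfile handler key being written, eventvwr.exe spawning something other than mmc.exe, and sc.exe creating a service whose binPath is a PowerShell command line. The report names neither the registry key nor specific telemetry; the key used below (Software\Classes\mscfile\shell\open\command) is the one the publicly documented eventvwr technique relies on. The detection logic and the Sysmon-style events it runs over are an added example, constructed for illustration, not data from the report.

```python
import re

# Constructed telemetry (Sysmon-style registry and process events), not logs from the report.
# Events 1-3 model the described chain; 4 and 5 are benign noise.
EVENTS = [
    {"id": 1, "type": "RegistryValueSet",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\mscfile\shell\open\command\(Default)",
     "details": r"powershell.exe -nop -w hidden -ep bypass -f C:\Users\victim\AppData\Local\Temp\aqzxc.ps1"},
    {"id": 2, "type": "ProcessCreate", "parent": r"C:\Windows\System32\eventvwr.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -nop -w hidden -ep bypass -f C:\Users\victim\AppData\Local\Temp\aqzxc.ps1"},
    {"id": 3, "type": "ProcessCreate",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'sc create WinUpdSvc binPath= "powershell.exe -nop -w hidden -f C:\Users\victim\AppData\Local\Temp\aqzxc.ps1"'},
    {"id": 4, "type": "ProcessCreate", "parent": r"C:\Windows\System32\eventvwr.exe",
     "image": r"C:\Windows\System32\mmc.exe", "cmdline": r'"C:\Windows\System32\mmc.exe" eventvwr.msc'},
    {"id": 5, "type": "RegistryValueSet", "image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\.txt\(Default)", "details": "txtfile"},
]

# Any hive prefix is accepted: the hijack lands in the user's Classes key (HKCU / HKU\<SID>).
MSCFILE_CMD = re.compile(r"\\Classes\\mscfile\\shell\\open\\command", re.I)
SC_CREATE_PS = re.compile(r"\bsc(?:\.exe)?\s+create\b.*binPath=.*powershell", re.I | re.S)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return [(event_id, rule_name)] for the three observable steps of the bypass chain."""
    hits = []
    for ev in events:
        if ev["type"] == "RegistryValueSet" and MSCFILE_CMD.search(ev["target"]):
            # Step 1: per-user mscfile handler hijack; eventvwr.exe consults HKCU before HKCR
            hits.append((ev["id"], "mscfile_handler_hijack"))
        elif ev["type"] == "ProcessCreate":
            if _basename(ev["parent"]) == "eventvwr.exe" and _basename(ev["image"]) != "mmc.exe":
                # Step 2: eventvwr.exe normally only launches mmc.exe; any other child is the hijacked handler
                hits.append((ev["id"], "eventvwr_unexpected_child"))
            if _basename(ev["image"]) == "sc.exe" and SC_CREATE_PS.search(ev["cmdline"]):
                # Step 3: service creation whose binPath is a PowerShell command line
                hits.append((ev["id"], "service_binpath_powershell"))
    return hits


if __name__ == "__main__":
    for event_id, rule in detect(EVENTS):
        print(f"event {event_id}: {rule}")
```

The first rule fires before elevation happens, which is the point at which the chain is cheapest to stop; the other two confirm that the hijack was actually used and what it launched.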
PowerShell Loader
The PowerShell Loader script also has a randomly generated name; its main function is to load the main remote-control module.
The script loads the payload into memory as follows:
The file data held in "strexp" is the remote-control module. After Base64 decoding, the original content is a DLL whose export module name is socksbot.dll. It is finally loaded using the ReflectiveLoader technique.
From analysis of part of the loading code, we speculate that it was derived from the open-source implementation [3], with compatibility code added for 64-bit Windows.
Remote-control module analysis, loading entry: ReflectiveLoader
This function first obtains the address of the current function, then searches backwards for the "MZ" signature of the PE header to locate the base address of the DLL module.
It obtains the addresses of three functions, LoadLibrary, GetProcAddress and VirtualAlloc, by hash.
It then calls VirtualAlloc to allocate a block of memory.
It copies the DLL module into the newly allocated memory.
Finally it executes DllMain.
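The loader convention above means the DLL blob recovered from the PowerShell script carries its own identification: the export directory holds the module name (socksbot.dll) and an exported ReflectiveLoader entry. The following added example (not code from the report) walks a raw PE file from the MZ header through the PE header and data directories to the export table, the same structures the ReflectiveLoader itself parses, and reports the export name and exported symbols. Because the actual sample is not available here, the example constructs a minimal PE32 DLL with only an export section as its test fixture; the parser itself is generic and works on any PE32/PE32+ file read from disk.

```python
import struct


def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]


def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]


def _cstr(b, o):
    return b[o:b.index(b"\x00", o)].decode("ascii", "replace")


def parse_exports(pe: bytes) -> dict:
    """Walk DOS header -> PE header -> export directory of a raw DLL blob.
    Returns the export module name (e.g. socksbot.dll) and [(ordinal, name, rva), ...]."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = _u32(pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections, opt_size = _u16(pe, coff + 2), _u16(pe, coff + 16)
    opt = coff + 20
    # data directories start at +96 for PE32 (magic 0x10B) and +112 for PE32+ (0x20B)
    dd = opt + (96 if _u16(pe, opt) == 0x10B else 112)
    export_rva = _u32(pe, dd)
    # the blob is a file image, not a mapped image, so RVAs must go through the section table
    sections = []
    for i in range(num_sections):
        s = opt + opt_size + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, s + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def rva2off(rva):
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rva - vaddr + rawptr
        raise ValueError(f"RVA {rva:#x} outside all sections")

    if export_rva == 0:
        return {"dll_name": None, "exports": []}
    ed = rva2off(export_rva)
    name_rva, base, _n_funcs, n_names, aof, aon, aoo = struct.unpack_from("<IIIIIII", pe, ed + 12)
    funcs, names, ords = rva2off(aof), rva2off(aon), rva2off(aoo)
    exports = []
    for i in range(n_names):
        idx = _u16(pe, ords + 2 * i)
        name = _cstr(pe, rva2off(_u32(pe, names + 4 * i)))
        exports.append((base + idx, name, _u32(pe, funcs + 4 * idx)))
    return {"dll_name": _cstr(pe, rva2off(name_rva)), "exports": exports}


def is_reflective_dll(info: dict) -> bool:
    """Reflective-loading convention: the DLL exports a ReflectiveLoader entry point."""
    return any(name.startswith("ReflectiveLoader") for _, name, _ in info["exports"])


def build_sample_dll(dll_name: str, export_names: list) -> bytes:
    """Constructed fixture: minimal PE32 DLL with one section holding only an export table.
    Section and file alignment are both 0x200 so RVA == file offset. Not derived from the real sample."""
    align = 0x200
    n = len(export_names)
    aof, aon = 40, 40 + 4 * n                 # export directory is 40 bytes; tables follow it
    aoo, strs = aon + 4 * n, aon + 6 * n
    blob = bytearray((dll_name + "\x00").encode())
    name_offs = []
    for nm in export_names:
        name_offs.append(strs + len(blob))
        blob += (nm + "\x00").encode()
    sec = bytearray(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, align + strs, 1, n, n,
                                align + aof, align + aon, align + aoo))
    sec += b"".join(struct.pack("<I", 0x1000 + 0x10 * i) for i in range(n))  # dummy code RVAs
    sec += b"".join(struct.pack("<I", align + off) for off in name_offs)
    sec += b"".join(struct.pack("<H", i) for i in range(n))
    sec += blob
    sec += b"\x00" * (-len(sec) % align)
    hdr = bytearray(align)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                  # e_lfanew
    hdr[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # COFF: i386, 1 section, DLL
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                                   # PE32 magic
    struct.pack_into("<II", hdr, opt + 32, align, align)                      # SectionAlignment, FileAlignment
    struct.pack_into("<II", hdr, opt + 96, align, len(sec))                   # DataDirectory[0]: export table
    sh = opt + 0xE0
    hdr[sh:sh + 6] = b".edata"
    struct.pack_into("<IIII", hdr, sh + 8, len(sec), align, len(sec), align)
    return bytes(hdr) + bytes(sec)


if __name__ == "__main__":
    print(parse_exports(build_sample_dll("socksbot.dll", ["ReflectiveLoader", "Start"])))
```

Run against the Base64-decoded "strexp" blob, parse_exports would return the socksbot.dll name the report mentions, and is_reflective_dll is a quick filter for payloads built with this loader convention.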
Execution entry: DllMain
DllMain first gathers hardware information to compute a machine code, derived from drive information, the computer name and the user name:
It then obtains the addresses of GetProcAddress and LoadLibraryA and injects the code at sub_1000234A into an svchost.exe host process, as shown in the figure:
The injected code initializes a network socket, sends a heartbeat packet once, and then creates the main thread function, as follows:
The main thread connects to the C2 server at 5.8.88.64:80.
Control protocol
Here we analyze in detail the control communication protocol used by the remote-control module, which is built on HTTP.
1. Heartbeat packet
The control module sends heartbeat packets. It derives a .php request path from the machine code and uses it as the path of an HTTP request; the machine code is encrypted with a randomly generated key, and the key itself is appended so the server can recover it.
The specific algorithm is as follows:
The computed string is placed in the HTTP GET request. For example, if the generated string is j2ylvj50suxr8vzss17s3.php, then j2ylvj50suxr8vzss17s3 is the encrypted machine-code data: the first 16 bytes are the encrypted machine code, and everything from byte 17 to the end is the randomly generated key. The key is 5 to 16 bytes long, each value is chosen at random from 0 to 35, and the values are then encoded as printable characters (36 values, which in the example map to the digits and lower-case letters).
When the server receives the string, it decrypts and recovers the machine code as follows:
1) Split the string into the encrypted machine code and the key.
2) Decrypt the first 16 bytes with the decryption algorithm.
For example, j2ylvj50suxr8vzss17s3.php is decrypted as follows.
After splitting, j2ylvj50suxr8vzs is the encrypted 16-byte machine code and s17s3 is the randomly generated key. The decryption algorithm is as follows.
Decrypting recovers the original machine code:
The data is then packaged as an HTTP request and sent.
As shown in the figure, in the function that constructs the HTTP packet the User-Agent is generated by the ObtainUserAgentString function.
2. Issued commands
The control server issues control commands through different HTTP status codes, which the controlled end interprets.
In the returned HTTP header, the Date field carries the machine code returned by the server.
The controlled end decrypts the control information sent by the server. The decryption algorithm is as follows:
The report gives the decryption key length as 136 bytes; the key value shown below is 128 bytes (256 hex digits):
EC1ABCB66F641126C2250C5CF26C9902BD53043EAAF5FE0374597261674FD732E2C0498A9FA06203C5641323C3B4DDCB5CD8A22A0EDCAE39A11D7E98A2B1B6276C595E7CC1E1A0C743B8C075416C7DB3CB509AB5059556E99D2818BDDDEEE508AC871474239CC4B5527A8AED49949D5A421C785484ED084F1FCD3D3CFD1D8D8B
3. Returned data
After receiving an instruction from the control server, the controlled end decides which command to execute based on the HTTP status code returned. For example, status code 203 means upload and execute, and status code 202 means take a screenshot and collect the process list.
The uploaded data is constructed in the following format:
4-byte length + 1-byte token + encrypted content.
For example, here it collects screenshot and process-snapshot information, encrypts it and sends it to the control server.
Functional summary
The remote-control module implements the following control commands:
Upload execution script
Upload and execute PE
Return screenshot
Return the list of processes
It uses HTTP for control communication, which makes it convenient for attackers to control and manage compromised hosts visually through web pages. The HTTP communication steps are as follows:
1) After the trojan is running on a machine, it connects to port 80 of the C2 server at irregular intervals and sends heartbeat packets over HTTP. The GET data of these packets contains the encoded machine code, which has a random length.
2) On receiving a heartbeat, the server records the last active time to determine whether the host is online.
3) If the server needs to control the host, it returns HTTP status code 202 or 203 and issues an instruction. The instruction is carried in the HTTP body in the format 4-byte length + 1-byte token + encrypted content.
4) After receiving the instruction, the controlled end checks the HTTP status code returned by the server, parses the packet and executes a different command depending on the code, then sends the result back to the server.
5) The operator controls the victim through the server's web interface.
The interaction can be summarized as follows:
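The heartbeat path shape (16 characters of encrypted machine code plus a 5 to 16 character key, alphabet 0-9a-z, ".php" suffix), the 202/203 tasking codes and the 4-byte length + 1-byte token framing are all things a proxy log or network capture exposes without knowing the cipher. The following added example (not code from the report) turns those three observations into triage logic: it splits a request path into ciphertext and key exactly as the server does, labels request/response pairs by status code, and parses the length-prefixed frame. The log lines are constructed; the little-endian length field and the meaning of 200-series codes other than 202/203 are assumptions, since the report does not state them.

```python
import re
import struct

# Beacon path as the report describes it: 16 chars of encrypted machine code followed by
# a 5-16 char random key, alphabet 0-9a-z (values 0-35), ".php" suffix.
BEACON_PATH = re.compile(r"^/([0-9a-z]{16})([0-9a-z]{5,16})\.php$")

# Status codes the report ties to tasking. Assumption: any other code is a plain heartbeat ack.
COMMANDS_BY_STATUS = {202: "screenshot + process list", 203: "upload and execute"}


def split_beacon(path: str):
    """Return (encrypted_machine_code, key) or None if the GET path does not fit the beacon shape."""
    m = BEACON_PATH.match(path)
    return (m.group(1), m.group(2)) if m else None


def classify_flow(method: str, path: str, status: int):
    """Label one request/response pair from a proxy log; None for traffic that is not a beacon."""
    parts = split_beacon(path)
    if method != "GET" or parts is None:
        return None
    return {
        "machine_code_enc": parts[0],
        "key": parts[1],
        "tasked": status in COMMANDS_BY_STATUS,
        "command": COMMANDS_BY_STATUS.get(status, "none (heartbeat ack)"),
    }


def parse_frame(blob: bytes):
    """Split a '4-byte length + 1-byte token + encrypted content' frame into (token, content).
    Assumption: the length is little-endian and counts only the content bytes."""
    if len(blob) < 5:
        raise ValueError("short frame")
    length = struct.unpack_from("<I", blob, 0)[0]
    token = blob[4]
    content = blob[5:5 + length]
    if len(content) != length:
        raise ValueError(f"declared {length} content bytes, got {len(content)}")
    return token, content


# Constructed log lines (method, path, status); not captured traffic.
SAMPLE_LOG = [
    ("GET", "/j2ylvj50suxr8vzss17s3.php", 200),   # the report's example path, plain heartbeat ack
    ("GET", "/j2ylvj50suxr8vzss17s3.php", 203),   # same host, tasked to upload and execute
    ("GET", "/index.php", 200),                   # ordinary traffic
    ("POST", "/wp-login.php", 202),               # right status code, wrong request shape
]


def scan(log):
    """Return [(line_index, classification)] for every beacon-shaped request in the log."""
    hits = []
    for i, (method, path, status) in enumerate(log):
        hit = classify_flow(method, path, status)
        if hit:
            hits.append((i, hit))
    return hits


if __name__ == "__main__":
    for i, hit in scan(SAMPLE_LOG):
        print(i, hit)
    print(parse_frame(struct.pack("<I", 3) + b"\x07" + b"abc"))
```

The path regex alone is a useful hunting signature: a GET for a bare 21 to 32 character lower-case alphanumeric .php name with no query string is rare in legitimate traffic, and a 202 or 203 response to such a request marks the moment the host was tasked.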
Correlation analysis and tracing
By searching for keywords from the PowerShell Loader script, the Threat Intelligence Center found the web control page deployed on a VPS host.
The main console is shown below; the last test appears to have been in June 2017, nearly half a year ago.
Controlled machines can be managed through this web back end.
Another page, Loots, stores log data produced after the control side issues commands, covering command execution, file upload, screenshots, file download and script execution.
In the log data we found a script file named setup.js whose code is roughly the same as the laksasokpaslkak.js analyzed above.
Decrypting the DLL data in that script with the same method shows it to be identical to the socksbot.dll remote-control module analyzed earlier; its C2 is 46.166.163.243, on the same network segment as the test machine's IP 46.166.163.242.
Querying 360 threat intelligence platform data confirms that it belongs to the "Maha Grass" group.
Some result logs from commands executed on the test machine can be seen.
The result of executing the ipconfig command
We also found that the attackers had tested uploading their other remote-access trojans and downloading malicious payloads from remote addresses on the test machine.
The IP address bound to the domain name of this web-based trojan control program (yds.deckandpatio.ca) is 91.235.129.203.
The IP's alias is vds8262.hyperhost.name.
It is a VPS server registered with a Ukrainian hosting provider whose official website is https://hyperhost.ua/ru. The domain yds.deckandpatio.ca is probably a free second-level domain name provided by that host.
Summary
From analysis of the malicious code newly produced and deployed by Maha Grass, the attackers chose scripting languages to re-implement the payload delivery components, probably for the convenience and speed of development these tools offer.
Although we have no clear clue as to how the attack scripts lured the Ukrainian victims into downloading and running them, based on the group's past attack patterns we speculate that it may use the following methods.
Constructing a self-extracting archive containing malicious scripts
Spear-phishing with a zip file containing malicious scripts, or with a phishing link to download an archive of malicious scripts
Sending phishing links on social networks that download an archive of malicious scripts
Nor can we rule out the possibility of compromising a website and injecting malicious script code into its pages.
Judging from the attack patterns and malicious code techniques Maha Grass has used in the past, the group prefers scripts and C# for developing attack tools. We speculate that it favors approaches that allow attacks to be developed and launched quickly, and that it evades detection and hides its activity by constantly updating and changing its tools. The attackers also built a web-manageable control back end to facilitate large-scale management of compromised hosts.
Judging from the VPS server and web control page registered by the attackers that we found, they prepared and tested the new malicious code tools at least half a year before launching new attacks with them.
At present we cannot determine the motive: this may be a targeted attack by the group against certain Eastern European countries, but a live exercise of a newly built attack weapon cannot be ruled out. We therefore disclose some technical details of this malicious code to prevent the group from using it at scale in future attacks.
© 2024 shulou.com SLNews company. All rights reserved.