Analysis of targeted attacks against the Middle East by using WinRAR vulnerabilities

2025-02-23 update. From: SLTechnology News&Howtos, Network Security


Shulou (Shulou.com), 05/31 report

This article analyzes how a WinRAR vulnerability was used in a targeted attack campaign against the Middle East. The content is detailed and easy to follow, the operational details are sound, and it has reference value. If you are interested, read on to learn more about how the WinRAR vulnerability was used in targeted attacks in the Middle East.

Background

On March 17, 2019, the 360 Threat Intelligence Center intercepted a sample from a suspected "Golden Mouse" APT (APT-C-27) targeted attack against the Middle East that exploits the WinRAR vulnerability CVE-2018-20250 [6]. The malicious ACE archive contains an Office Word document that uses a terrorist attack as bait to induce the victim to extract it. When the victim extracts the archive with WinRAR on the local computer, the vulnerability is triggered, and the built-in backdoor program (Telegram Desktop.exe) is written to the user's Startup folder. When the user restarts or logs in to the system, the remote-control Trojan is executed and takes control of the victim's computer.

Through correlation analysis, the Threat Intelligence Center found that the attack is suspected to be related to the "Golden Mouse" APT group (APT-C-27). Further tracing and association also turned up a number of malicious Android samples related to the group, mostly disguised as commonly used software and aimed at specific target groups. Combined with the attacker-related strings found in the malicious code, this suggests the attacker is also familiar with Arabic.

Detection of the backdoor program (Telegram Desktop.exe) on VirusTotal

Sample analysis

The 360 Threat Intelligence Center analyzed the sample that exploits the WinRAR vulnerability; the analysis and correlation are as follows.

Malicious archive: MD5 314e8105f28530eb0bf54891b9b3ff69; file name themed on terrorist attacks

The malicious archive contains an Office Word document about an incident related to a terrorist attack. Because of its political, geographical and other particularities, the Middle East has suffered greatly from terrorist attacks, so people in the region are sensitive to such events, which makes victims more likely to extract the document:

Translation of the bait document

If the user decompresses the malicious package, the WinRAR vulnerability will be triggered, thus releasing the built-in backdoor to the user's startup directory:

When the user restarts the computer or logs in to the system, the released backdoor program Telegram Desktop.exe is executed.

Backdoor (Telegram Desktop.exe)
File name: Telegram Desktop.exe
MD5: 36027a4abfb702107a103478f6af49be
SHA256: 76fd23de8f977f51d832a87d7b0f7692a0ff8af333d74fa5ade2e99fec010689
Compilation information: .NET

The backdoor program Telegram Desktop.exe reads data from a PE resource and writes it to %TEMP%\Telegram Desktop.vbs, then executes the VBS script and sleeps for 17 seconds until the script finishes:

The main function of the VBS script is to Base64-decode a built-in string, write the decoded data to the file %TEMP%\Process.exe, and finally execute Process.exe:

After Process.exe runs, it creates the file 1717.txt in the %TEMP% directory and writes the data for the final backdoor payload into it, for subsequent use by Telegram Desktop.exe:

TelegramDesktop.exe then reads the contents of the 1717.txt file and replaces the special characters in it:

The data is then decoded through Base64, and the decoded data is loaded in memory:

Finally, the data loaded and executed in memory is the njRAT backdoor, and the relevant configuration information is as follows:
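The drop chain described above leaves several artifacts on disk. The following host triage script is an added example, not part of the original report; the file names and the MD5 are taken from the report, while the Startup and %TEMP% locations are the standard Windows ones.

```powershell
# Added triage script (not from the original report). Looks for the on-disk
# artifacts of the Telegram Desktop.exe -> VBS -> Process.exe -> 1717.txt chain.
$ReportedMd5 = '36027a4abfb702107a103478f6af49be'      # Telegram Desktop.exe (report)
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),          # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')     # all-users Startup folder
)
$TempArtifacts = @('Telegram Desktop.vbs', 'Process.exe', '1717.txt')   # written to %TEMP%

$findings = New-Object System.Collections.Generic.List[object]

foreach ($dir in $StartupDirs) {
    # The report spells the dropped binary both "Telegram Desktop.exe" and
    # "TelegramDesktop.exe"; the wildcard matches either spelling.
    Get-ChildItem -LiteralPath $dir -Filter 'Telegram*Desktop.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash.ToLower()
            if ($md5 -eq $ReportedMd5) {
                $detail = 'MD5 matches the njRAT loader from the report'
            } else {
                $detail = "unexpected executable in Startup (MD5 $md5)"
            }
            $findings.Add([pscustomobject]@{ Artifact = $_.FullName; Detail = $detail })
        }
}

foreach ($name in $TempArtifacts) {
    $path = Join-Path -Path $env:TEMP -ChildPath $name
    if (Test-Path -LiteralPath $path) {
        $findings.Add([pscustomobject]@{
            Artifact = $path
            Detail   = 'stage file from the VBS/Process.exe chain present in %TEMP%'
        })
    }
}

if ($findings.Count -eq 0) {
    'No artifacts of the Telegram Desktop.exe / njRAT chain found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A match on the Startup binary with a different MD5 is still worth pulling for analysis, since the report shows the same chain being used with more than one file name.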

njRAT

The njRAT backdoor program executed by memory loading will first create a mutex to ensure that only one instance is running:

It then checks whether its current path is the one set in the configuration; if not, it copies itself to that path and launches from there:

It then disables the attachment inspector and the firewall:

It also starts a keylogger thread that writes the captured keystrokes to the registry:

Finally, it starts the communication thread, connects to the C&C address and receives commands to execute:

The njRAT remote control also has many functions such as remote SHELL, plug-in download and execution, remote desktop, file management and so on.

Sample Analysis of Android platform

Through VirusTotal, the Threat Intelligence Center also linked several recent malicious Android samples used by the APT-C-27 group, which likewise use 82.137.255.56 as the C&C address (82.137.255.56:1740 for the Android samples):

The recent related Android platform backdoor samples are mainly disguised as Android system updates, Office upgrade programs and other commonly used software. We take the Android sample disguised as an Office upgrade program as an example, and the correlation analysis is as follows:

File MD5: 1cc32f2a351927777fc3b2ae5639f4d5
File name: OfficeUpdate2019.apk

When the Android sample starts, it induces the user to activate the device manager, then hides the icon and runs in the background:

After inducing the user to complete the installation, the sample will show the following interface:

The sample then reads the C&C IP address and port from Android's default SharedPreferences storage; if none is stored, it decodes the hard-coded default IP address and port:

Decoding algorithm of relevant IP address:

The decoded IP address is 82.137.255.56; the port is obtained by adding 100 to the hard-coded value, giving the final port 1740:

Once the connection to the C&C address succeeds, the sample sends an online packet, then receives and executes commands from the controller. It can record audio, take photos, obtain GPS position, upload contacts / call records / SMS / files, execute cloud commands, and so on:

The relevant instructions and functions of the Android backdoor sample are listed below:

Instruction: function
16: heartbeat
17: connect
18: get basic information about the specified file
19: download file
20: upload file
21: delete file
22: copy file
23: move file
24: rename file according to cloud instruction
25: run file
28: create directory
29: execute cloud command
30: execute ping command
31: get and upload contact information
32: get and upload SMS
33: get and upload call records
34: start recording
35: stop recording and upload the recording files
36: take pictures
37: start GPS positioning
38: stop GPS positioning and upload location information
39: use the ip/port sent from the cloud
40: report the ip/port currently in use to the cloud
41: obtain information about installed applications

It is worth noting that the command responses returned by this sample contain Arabic strings, so we speculate that the attackers are likely familiar with Arabic:

Traceability and relevance

Querying the C&C address of the backdoor captured this time (82.137.255.56:1921) shows that this IP address has been used repeatedly by APT-C-27 (Golden Mouse) since 2017 and is suspected to be an inherent network asset of the group. Multiple samples associated with the IP address can be seen on the Network Research Institute's big-data association platform:

Querying the C&C address on the Threat Intelligence Center's threat analysis platform (ti.360.net) also returns the APT-C-27 label:

The function modules, code logic, language of built-in strings, target population, network assets and other characteristics of the Trojan samples captured this time (Windows and Android) are highly similar to those of the APT-C-27 samples previously exposed [2]. The Threat Intelligence Center therefore believes that the samples intercepted this time are also related to the "Golden Mouse" APT (APT-C-27).

As we predicted, the use of the WinRAR vulnerability (CVE-2018-20250) to spread malicious programs is in its outbreak stage. The 360 Threat Intelligence Center has previously observed a number of APT attacks using this vulnerability, and this intercepted targeted attack by the suspected "Golden Mouse" APT (APT-C-27) is just one of many. The 360 Threat Intelligence Center therefore once again reminds all users to take timely protective measures against the vulnerability (see the "Mitigation measures" section).

Mitigation measures

1. The software vendor has released a fixed version of WinRAR. The Threat Intelligence Center recommends that users upgrade WinRAR to the latest version (5.70 beta 1 or later) from the following download addresses:

32-bit: http://win-rar.com/fileadmin/winrar-versions/wrar57b1.exe

64-bit: http://win-rar.com/fileadmin/winrar-versions/winrar-x64-57b1.exe

2. If the update cannot be installed for the time being, you can delete the vulnerable DLL (UNACEV2.DLL) directly. This does not affect general use, but opening ACE archives will then produce an error.
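The following check is an added example, not part of the original report: it confirms on one host whether either of the two mitigations above is in place. The install paths are the WinRAR defaults and are an assumption; the DLL name and the fixed version come from the report.

```powershell
# Added check (not from the original report): reports WinRAR version and whether
# UNACEV2.DLL is still present in each default install location.
$FixedVersion = [version]'5.70'    # first release without the vulnerable ACE code

# Typical WinRAR install locations for 64-bit and 32-bit builds (assumption).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$installs = $roots |
    ForEach-Object { Join-Path -Path $_ -ChildPath 'WinRAR' } |
    Where-Object { Test-Path -LiteralPath $_ }

if (-not $installs) { 'WinRAR not found in the default install locations.'; return }

foreach ($dir in $installs) {
    $exe = Join-Path -Path $dir -ChildPath 'WinRAR.exe'
    $dll = Join-Path -Path $dir -ChildPath 'UNACEV2.DLL'

    # FileVersionRaw is exposed as a [version] object in Windows PowerShell 5.1+.
    $ver = if (Test-Path -LiteralPath $exe) {
        (Get-Item -LiteralPath $exe).VersionInfo.FileVersionRaw
    } else { $null }
    $dllPresent = Test-Path -LiteralPath $dll

    $status = if (-not $dllPresent) {
        'mitigated: UNACEV2.DLL absent, ACE extraction disabled'
    } elseif ($ver -and $ver -ge $FixedVersion) {
        'UNACEV2.DLL still present alongside a fixed WinRAR; safe to delete'
    } else {
        'VULNERABLE to CVE-2018-20250: upgrade WinRAR or delete UNACEV2.DLL'
    }

    [pscustomobject]@{
        InstallDir    = $dir
        WinRarVersion = $ver
        UnacevDll     = $dllPresent
        Status        = $status
    }
}
```

Portable WinRAR copies outside Program Files are not covered; add their directories to $installs if your environment uses them.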

At present, a full range of products based on threat intelligence data from the threat Intelligence Center, including the threat Intelligence platform (TIP), Sky Rock, Sky Eye Advanced threat Detection system, NGSOC, etc., have supported the accurate detection of such attacks.


© 2024 shulou.com SLNews company. All rights reserved.
