Shulou (Shulou.com) 05/31 Report, SLTechnology News & Howtos, Network Security. Updated 2025-01-19.
Today we look at a case analysis of the latest 0day vulnerability used by the Buhtrap hacker group. Many readers may not know much about it, so the editor has summarized the following material to make it easier to follow. I hope you find it useful.
Buhtrap has long been known for targeting Russian financial institutions and companies. In the course of tracking the group we found and analyzed its main backdoors and other tools.
Since the end of 2015 the group, a cybercriminal organization operating for financial gain, has also seen its malware appear in espionage operations in Eastern Europe and Central Asia.
We first observed Buhtrap using a 0day exploit in June 2019. At the same time, we found that Buhtrap uses the local privilege escalation vulnerability CVE-2019-1132 in its attacks.
This local privilege escalation vulnerability in Microsoft Windows is caused by a NULL pointer dereference in the win32k.sys component. After it was discovered, the vulnerability was reported to the Microsoft Security Response Center, which fixed it promptly and released a patch.
Historical activities
The timeline in the following figure reflects some of the most important development nodes in Buhtrap activities.
While the group's tools were available online as open source, it was difficult to attribute the group's activity to particular cyber attacks. However, thanks to the leak of the group's source code after it changed targets, we were able to quickly analyze the malware the group used, identify the companies and banks it targeted, and confirm that the group was also involved in attacks on government agencies.
Although new tools have been added to its arsenal and old ones replaced, the tactics, techniques and procedures used across the different periods of Buhtrap activity have not changed significantly. The group mainly uses malicious documents as carriers and makes wide use of NSIS installers as droppers. Some of its tools are signed with valid code-signing certificates, and known legitimate applications are used as attack vectors.
The files used to deliver the payload are usually crafted decoy documents designed to avoid suspicion when the victim opens them. These decoy documents provide reliable clues for our analysis. When Buhtrap targets an enterprise, the phishing document is usually a contract or an invoice. The following figure is an example of a generic invoice used by the group in its attacks in 2014.
When the group targets banks, the phishing documents are usually related to financial system regulations or to advice from FinCERT, an organization created by the Russian government to provide help and guidance to its financial institutions.
So when we first saw phishing documents related to government operations, we immediately began tracking those campaigns. The first malicious sample was found in December 2015; it downloaded an NSIS installer that installed the Buhtrap backdoor and showed the following phishing document:
The URL in the text is distinctive: it closely resembles the website of the Ukrainian State Migration Service, dmsu.gov.ua. The text, in Ukrainian, asks employees to provide their contact information, in particular their e-mail addresses, and tries to persuade them to click the malicious link in the text.
This is the first of many malicious samples we have encountered that Buhtrap used to attack government agencies. We believe that another, more recent phishing document, also crafted by the Buhtrap group, is aimed at another set of government-related organizations, as shown in the picture.
0day attack analysis
The tools the group uses in its 0day attacks are very similar to those it uses against enterprises and financial institutions. The SHA-1 hash of the first malicious sample against government organizations that we analyzed is 2F2640720CCE2F83CA2F0633330F13651384DD6A. This NSIS installer downloads a regular package containing the Buhtrap backdoor and displays the December 2015 phishing document mentioned above.
Since then we have seen numerous attacks against this group of government organizations. Vulnerabilities are frequently used in these attacks to elevate privileges in order to install malware; the group exploited older vulnerabilities such as CVE-2015-2387. Its recent use of a 0day follows the same pattern: exploiting a vulnerability to run the malware with the highest privileges.
Over the years the group has used packages with different functions. Recently we discovered and analyzed two new packages in detail, because they differ from the group's typical toolset.
The phishing document contains a malicious macro that, when enabled, drops an NSIS installer. The task of the NSIS installer is to install the main backdoor. However, unlike the earlier versions used by this group, this NSIS installer is simpler and is only used to set up and launch the two malicious modules embedded in it.
Back door analysis
The first module, called the "grabber", is a standalone password stealer. It tries to collect passwords from mail clients and browsers and send them to the C&C server. This module uses standard Windows APIs to communicate with its C&C server.
The second module is one we have seen from the Buhtrap operators before: an NSIS installer bundling a legitimate application, AVZ, a free anti-virus scanner, which is used to install the Buhtrap main backdoor.
Meterpreter and DNS tunnels
This document contains a malicious macro that, when enabled, drops an NSIS installer whose task is to prepare for the installation of the main backdoor. Part of the installation process is to set up firewall rules that allow the malicious components to communicate with the C&C server. The following is an example of the command the NSIS installer uses to set up these rules:

```
cmd.exe /c netsh advfirewall firewall add rule name=\"Realtek HD Audio Update Utility\" dir=in action=allow program=\"\RtlUpd.exe\" enable=yes profile=any
```
The final payload is something quite different from the traditional Buhtrap tools. Two payloads are encrypted in its body: the first is a very small shellcode downloader, and the second is Metasploit's Meterpreter. Meterpreter is a reverse shell that gives its operators full access to the compromised system.
The Meterpreter reverse shell actually uses DNS tunnelling to communicate with its C&C server. DNS tunnels can be hard for defenders to detect, because all the malicious traffic is carried over the DNS protocol rather than regular TCP connections. The following is the initial communication segment of this malicious module (domains defanged with [.]):

```
7812.reg0.4621.toor.win10.ipv6-microsoft[.]org
7812.reg0.5173.toor.win10.ipv6-microsoft[.]org
7812.reg0.5204.toor.win10.ipv6-microsoft[.]org
7812.reg0.5267.toor.win10.ipv6-microsoft[.]org
7812.reg0.5314.toor.win10.ipv6-microsoft[.]org
7812.reg0.5361.toor.win10.ipv6-microsoft[.]org
[…]
```

The C&C domain name in this example mimics Microsoft. In fact, the attacker registered several different domain names, most of which imitate Microsoft domains.
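The query names above show the traits a defender can key on: every lookup is deep, carries all-digit labels, and one label position changes on each query. The following detection example is added here and is not code from the page or from ESET; it assumes a crude two-label registrable-domain heuristic (no public-suffix list) and thresholds chosen for the constructed sample, which should be tuned against real resolver logs.

```python
from collections import defaultdict

# Constructed sample for this example: the first six names follow the shape of the
# Meterpreter DNS-tunnel queries shown above (defanged "[.]" restored); the rest are
# ordinary lookups that must not be flagged.
SAMPLE_QUERIES = [
    "7812.reg0.4621.toor.win10.ipv6-microsoft.org",
    "7812.reg0.5173.toor.win10.ipv6-microsoft.org",
    "7812.reg0.5204.toor.win10.ipv6-microsoft.org",
    "7812.reg0.5267.toor.win10.ipv6-microsoft.org",
    "7812.reg0.5314.toor.win10.ipv6-microsoft.org",
    "7812.reg0.5361.toor.win10.ipv6-microsoft.org",
    "www.example.com",
    "mail.example.com",
    "www.example.com",  # repeated lookups are collapsed, not counted twice
]

def registered_domain(name):
    """Crude registrable domain: the last two labels (no public-suffix list; an assumption)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def domain_features(names):
    """Per registrable domain: distinct names, mean label depth, share of all-digit
    labels, and the largest number of distinct values at any one label position."""
    groups = defaultdict(set)
    for n in names:
        groups[registered_domain(n)].add(n.lower().rstrip("."))
    features = {}
    for dom, subs in groups.items():
        split = [s.split(".") for s in subs]
        total = sum(len(l) for l in split)
        numeric = sum(1 for l in split for x in l if x.isdigit())
        # A per-query counter label (4621, 5173, ...) makes this equal the query count.
        card = max(len({l[i] if i < len(l) else "" for l in split})
                   for i in range(max(len(l) for l in split)))
        features[dom] = (len(subs), total / len(subs), numeric / total, card)
    return features

def flag_tunnels(names, min_distinct=5, min_depth=5.0, min_numeric_share=0.25):
    """Domains whose queries look tunnelled: many distinct, deep, numeric-heavy names
    with one label that changes on every query. Returns a sorted list."""
    flagged = []
    for dom, (distinct, depth, numeric_share, card) in domain_features(names).items():
        if (distinct >= min_distinct and depth >= min_depth
                and numeric_share >= min_numeric_share and card == distinct):
            flagged.append(dom)
    return sorted(flagged)
```

Run over a window of resolver or Sysmon DNS events per host, the flagged domains are a starting point for hunting; the registered-domain heuristic will misgroup names under two-label public suffixes such as co.uk.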
Summary
Although we do not know why the group suddenly changed its targets, this case shows that the line between cyber-espionage groups and cybercrime is increasingly blurred. It is not clear why one or more members of the group changed their targets, but there will be more attacks in the future.
IOC
ESET detection names
VBA/TrojanDropper.Agent.ABM
VBA/TrojanDropper.Agent.AGK
Win32/Spy.Buhtrap.W
Win32/Spy.Buhtrap.AK
Win32/RiskWare.Meterpreter.G
Malware samples
Main packages SHA-1:
2F2640720CCE2F83CA2F0633330F13651384DD6A
E0F3557EA9F2BA4F7074CAA0D0CF3B187C4472FF
C17C335B7DDB5C8979444EC36AB668AE8E4E0A72
Grabber SHA-1:
9c3434ebdf29e5a4762afb610ea59714d8be2392
C&C servers
https://hdfilm-seyret[.]com/help/index.php
https://redmond.corp-microsoft[.]com/help/index.php
dns://win10.ipv6-microsoft[.]org
https://services-glbdns2[.]com/FIGm6uJx0MhjJ2ImOVurJQTs0rRv5Ef2UGoSc
https://secure-telemetry[.]net/wp-login.php
Certificates

| Company name | Fingerprint |
|---|---|
| YUVA-TRAVEL | 5e662e84b62ca6bdf6d050a1a4f5db6b28fbb7c5 |
| SET&CO LIMITED | b25def9ac34f31b84062a8e8626b2f0ef589921f |

MITRE ATT&CK techniques

| Tactic | ID | Name | Description |
|---|---|---|---|
| Execution | T1204 | User Execution | The user must run the executable. |
| Execution | T1106 | Execution through API | Executes additional malware through CreateProcess. |
| Execution | T1059 | Command-Line Interface | Some packages provide Meterpreter shell access. |
| Persistence | T1053 | Scheduled Task | Some of the packages create a scheduled task to be executed periodically. |
| Defense Evasion | T1116 | Code Signing | Some of the samples are signed. |
| Credential Access | T1056 | Input Capture | The backdoor contains a keylogger. |
| Credential Access | T1111 | Two-Factor Authentication Interception | The backdoor actively searches for a connected smart card. |
| Collection | T1115 | Clipboard Data | The backdoor logs clipboard content. |
| Exfiltration | T1020 | Automated Exfiltration | Log files are automatically exfiltrated. |
| Exfiltration | T1022 | Data Encrypted | Data sent to the C&C server is encrypted. |
| Exfiltration | T1041 | Exfiltration Over Command and Control Channel | Exfiltrated data is sent to a server. |
| Command and Control | T1043 | Commonly Used Port | Communicates with a server using HTTPS. |
| Command and Control | T1071 | Standard Application Layer Protocol | HTTPS is used. |
| Command and Control | T1094 | Custom Command and Control Protocol | Meterpreter uses DNS tunnelling to communicate. |
| Command and Control | T1105 | Remote File Copy | The backdoor can download and execute a file from the C&C server. |