
How to Perform APT28 Sample Analysis

2025-01-18 Update. From: SLTechnology News&Howtos (shulou), Network Security


Shulou (Shulou.com) 05/31 Report --

Many newcomers are unclear about how an APT28 sample analysis is carried out. To help with that, the editor walks through one sample in detail below; anyone who needs this can follow along, and hopefully gain something from it.

1 Background

Fancy Bear, also known as APT28, is a Russian espionage group. It was very active in 2019: from the intrusion into a think tank at the beginning of the year to the attacks, large and small, that followed, APT28 kept appearing. The group has a long history; in 2016 it became famous for breaking into the e-mail of the Democratic National Committee in an attempt to influence the US presidential election. Spear phishing and 0-day exploits are the group's usual methods, and the tools it uses are updated very quickly. In 2015 it used no fewer than six different 0-day vulnerabilities, a considerable undertaking that requires many security researchers hunting for unknown vulnerabilities in commonly used software.

The sample analysed here comes from data captured by our unit and was identified as a Zepakab downloader. A simple analysis follows, to give a glimpse of Zepakab's inner workings.

2 Sample analysis

First of all, a little analysis shows that the sample is packed with UPX and has no further protection on top of it. The stock UPX tool (`upx -d`) decompresses it normally and yields a clean unpacked sample.

In the unpacked sample, the resource RCData/SCRIPT contains the "AU3!" marker, and the code shows a series of further signs that the sample was compiled with AutoIt. AutoIt is a BASIC-like language mainly used to write programs that automate interaction with the Windows graphical interface. Malware written in such a language easily slips past antivirus detection.
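The two triage clues above (UPX section names on the packed file, the "AU3!" marker in the script resource once unpacked) can be checked from a file's raw bytes. The following is an added example, not code from the article; it contains a minimal PE section-table reader and runs on constructed PE-like buffers (fake headers standing in for the packed and unpacked sample), so the offsets and section names are invented for the demonstration.

```python
"""Static triage for the two clues the write-up relies on: UPX section names
("UPX0"/"UPX1") that mark a packed sample, and the "AU3!" marker AutoIt leaves in
the compiled script resource (RCData/SCRIPT) once the sample is unpacked.
Added example, not code from the article. The PE buffers below are constructed
(a minimal fake header and section table), not real samples."""

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
AUTOIT_MARKER = b"AU3!"


def section_names(data: bytes) -> list:
    """Return the PE section names, or [] if the buffer is not a PE image.
    Minimal parser: e_lfanew -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4
    num_sections = int.from_bytes(data[coff + 2:coff + 4], "little")
    size_of_optional = int.from_bytes(data[coff + 16:coff + 18], "little")
    table = coff + 20 + size_of_optional
    names = []
    for i in range(num_sections):
        entry = data[table + i * 40:table + i * 40 + 8]
        if len(entry) < 8:          # truncated section table
            break
        names.append(entry.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def triage(data: bytes) -> dict:
    """Summarise packing and compiler clues for one file's bytes."""
    names = section_names(data)
    return {
        "sections": names,
        "upx_packed": any(n in UPX_SECTION_NAMES for n in names),
        # -1 when absent; on a still-packed sample the marker is compressed away,
        # so the AutoIt check is only meaningful after unpacking
        "autoit_marker_offset": data.find(AUTOIT_MARKER),
    }


def build_fake_pe(sections, payload: bytes) -> bytes:
    """Constructed test input: MZ stub, PE signature, COFF header with
    SizeOfOptionalHeader = 0, a section table and a trailing payload."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    coff = bytearray(20)
    coff[2:4] = len(sections).to_bytes(2, "little")
    table = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in sections)
    return bytes(dos) + b"PE\0\0" + bytes(coff) + table + payload


# Constructed stand-ins for the sample before and after `upx -d`
SAMPLE_PACKED = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], b"\0" * 16)
SAMPLE_UNPACKED = build_fake_pe(
    [b".text", b".rdata", b".rsrc"],
    b"\0\0SCRIPT\0" + AUTOIT_MARKER + b"compiled-script-bytes",
)

if __name__ == "__main__":
    for label, blob in (("packed", SAMPLE_PACKED), ("unpacked", SAMPLE_UNPACKED)):
        print(label, triage(blob))
```

On a real file, read its bytes and pass them to `triage()`; the point of keeping the packed and unpacked buffers side by side is that the AutoIt marker only becomes visible after unpacking, exactly as the text describes.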

Next, we decompile the AutoIt code in Zepakab to recover the source. The "main" function is Zepakab's main routine: in a loop it continuously collects system information, takes screenshots and sends them to the server, and when instructed it downloads further malicious samples to keep a foothold on the system.

System information is collected in the "info" function, which calls "_computergetoss". "_computergetoss" uses AutoIt's interface to Windows Management Instrumentation (WMI) and the query "SELECT * FROM Win32_OperatingSystem" to read the operating system details.

The malware saves a screenshot of the desktop to "%TEMP%\tmp.jpg" via the "scr" function.

After downloading a payload from the server, Zepakab writes it, using the "crocodile" function, to "C:\ProgramData\Windows\Microsoft\Settings\srhost.exe".

Besides the main functions above, Zepakab has some auxiliary functions. One is anti-virtual-machine logic: it looks for well-known virtual machine files and processes, and for identifiers computed by special algorithms, so that the sample can avoid running under a virtual machine.

In addition, the "_sofware" function enumerates the installed software by walking the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall". It also dumps system details with the systeminfo command, and retrieves the process list and folds it into the collected system information.

The code uses no complex obfuscation, so it is easy to see that the downloader's server address is 185.236.203.53 and the URL is "locale/protocol/volume.php". The downloader talks to the server over HTTP, and the data it sends and receives is base64-encoded and encrypted.
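From a defender's side, the indicators named in this analysis (the C2 address and URL path, the dropped-file path and the screenshot staging file) can be turned directly into log matching, and the base64 layer on the beacon can be peeled off to see what was collected. The following is an added example, not code from the article: the proxy-log and file-event line formats, host names and addresses are constructed for the demonstration, and because the article does not describe the encryption layer, decoding stops at base64.

```python
"""Match the Zepakab indicators from the analysis against constructed log lines,
and base64-decode a beacon body. Added example, not code from the article; the
log formats, hosts and sample contents below are invented for the demonstration."""
import base64
import binascii
import re
from urllib.parse import urlparse

# Indicators quoted in the analysis above
C2_HOST = "185.236.203.53"
C2_PATH = "/locale/protocol/volume.php"
DROPPED_EXE = r"c:\programdata\windows\microsoft\settings\srhost.exe"
SCREENSHOT_NAME = "tmp.jpg"

# Constructed line formats: a proxy access log and a file-creation event feed
PROXY_RE = re.compile(r"src=(?P<src>\S+) method=(?P<method>\S+) url=(?P<url>\S+)")
FILE_RE = re.compile(r"host=(?P<host>\S+) event=FileCreate path=(?P<path>\S+)")


def match_proxy_line(line: str):
    """Return (source, reason) when a proxy line hits the C2 indicators, else None."""
    m = PROXY_RE.search(line)
    if not m:
        return None
    u = urlparse(m.group("url"))
    if u.hostname == C2_HOST and u.path == C2_PATH:
        return m.group("src"), "url matches Zepakab C2 host and path"
    if u.hostname == C2_HOST:
        return m.group("src"), "contact with Zepakab C2 address"
    return None


def match_file_line(line: str):
    """Return (host, reason) when a file event hits the host indicators, else None."""
    m = FILE_RE.search(line)
    if not m:
        return None
    path = m.group("path").lower()
    if path == DROPPED_EXE:
        return m.group("host"), "payload written to Zepakab drop path"
    if path.endswith("\\temp\\" + SCREENSHOT_NAME):
        return m.group("host"), "screenshot staged as tmp.jpg in a Temp folder"
    return None


def decode_beacon(body: str):
    """Base64-decode a beacon body; None if it is not valid base64.
    The article mentions an extra encryption layer it does not describe,
    so this stops at the base64 layer."""
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", "replace")


def scan(lines):
    """Run both matchers over a list of log lines and collect the hits in order."""
    hits = []
    for line in lines:
        hit = match_proxy_line(line) or match_file_line(line)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample log lines (hosts, users and timestamps are invented)
SAMPLE_LOG = [
    r"2019-05-31T10:00:01Z src=10.0.0.12 method=POST url=http://185.236.203.53/locale/protocol/volume.php",
    r"2019-05-31T10:00:05Z src=10.0.0.12 method=GET url=http://185.236.203.53/",
    r"2019-05-31T10:00:07Z src=10.0.0.40 method=GET url=http://example.com/index.html",
    r"2019-05-31T10:00:09Z host=WS12 event=FileCreate path=C:\Users\alice\AppData\Local\Temp\tmp.jpg",
    r"2019-05-31T10:00:12Z host=WS12 event=FileCreate path=C:\ProgramData\Windows\Microsoft\Settings\srhost.exe",
    r"2019-05-31T10:00:15Z host=WS12 event=FileCreate path=C:\Windows\System32\notepad.exe",
]

# Constructed beacon body: base64 of an invented system-info record
SAMPLE_BEACON = base64.b64encode(
    b"OS=Microsoft Windows 10 Pro|HOST=WS12|USER=alice"
).decode("ascii")

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
    print(decode_beacon(SAMPLE_BEACON))
```

Matching on host plus path, with a weaker "address only" rule as fallback, keeps the full-URL hit high-confidence while still surfacing other traffic to the same server; the drop path is compared case-insensitively because Windows paths are.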

3 Summary

Zepakab was extremely active throughout 2019. Its development approach is very simple, yet the harm it causes is not small, and APT28 updates its weapons very quickly; it is precisely that simple approach that makes the updates fast. Fancy Bear still relies mostly on its usual methods, spear phishing, 0-day vulnerabilities and so on, and with this low-cost development model it is able to carry out its cyber attacks more effectively.


© 2024 shulou.com SLNews company. All rights reserved.
