Shulou (Shulou.com) 05/31 Report, SLTechnology News & Howtos, Network Security; updated 2025-01-19
This article explains how to conduct an in-depth analysis of an APT attack sample targeting Vietnam. The editor considers it very practical and shares it here; we hope you get something out of it. Let's take a look.
I. Preface
APT has become a hot topic in the security field.
Innovación y Laboratorio, a subsidiary of Eleven Paths, released the Docless Vietnam APT report in April:
According to that report, malicious e-mails dated March 13, 2019 were detected being sent to mailboxes belonging to the Vietnamese government. The e-mail may have originated from within the Vietnamese government itself, and it cannot be ruled out that someone forwarded it to the security services because it contained suspicious elements.
The TKCT quy I nam 2019.doc.lnk.malw sample information is as follows:
Picture 1: TKCT quy I nam 2019.doc.lnk.malw
II. Static analysis
1. After the TKCT quy I nam 2019.doc.lnk.malw sample is downloaded locally, it turns out to be carefully disguised as a Word document shortcut, so that the victim, out of habit, double-clicks it to view it, as shown below:
Picture 2: disguised doc shortcut
First of all, Word documents are normally not .lnk shortcuts, and a shortcut should be around 1 KB in size; this APT sample's shortcut is unexpectedly 126 KB, which clearly hides something else. Many malware samples disguise the file name with a .dat or .docx extension while the real suffix is .exe; enabling the display of file name extensions reveals this.
2. Extracting the malicious code contained in the Target field of the sample's shortcut properties reveals an obfuscated and encrypted cmd instruction that launches powershell, as follows:
Picture 3: obfuscated instruction
APT attacks favour vbs, powershell, js and other scripting languages, which are easy to obfuscate and encrypt and convenient for evading antivirus.
Historically, viruses and malware share this trait; for example, executing powershell as the first payload delivered to the computer is a common choice.
3. Parsing the obfuscated instruction shows that the TKCT quy I nam 2019.doc.lnk shortcut is redirected into the file s.sp1: the desktop shortcut is in fact a powershell script file. The obfuscation variables, sorted out, are as follows:
Finally, TKCT quy I nam 2019.doc.lnk is redirected into the temp folder and the powershell script named s.ps1 is executed, as follows:
Picture 4: de-obfuscation
4. The iex obfuscation can also be removed manually: open the file, delete the characters "iex", and run the powershell command in the form: file name (original) >> s.sp1 (new file name). The redirected file is as follows:
Picture 5: powershell malicious code
5. As shown in figure 5, two pieces of Base64-encoded data are found. The powershell script executes the encoded malicious data, adds a scheduled task that runs every 9 minutes, uses the InstallUtil service to achieve self-start and persistence, and, interestingly, executes through Wscript.Shell. The effect is as follows:
Picture 6: s.sp1
6. After decoding the Base64 data, there are actually two files: a malicious .NET executable and a .doc, as shown in the following figure:
Picture 7: the usual tricks
7. Analysis of tmp_pFWwjd.dat.exe: after disassembly with the dnSpy tool, the code is clearly readable; although it is somewhat obfuscated (de4dot.exe can be used to deobfuscate it), this does not affect reading the code.
Locate the key function Exec() and find the Base64-encoded data. Following the execution flow, .NET uses a delegate to call the function; the memory must be readable, writable and executable, so it calls VirtualAlloc() to allocate memory, copies the Base64-decoded shellcode into the allocated memory, obtains a CreateThread() delegate pointer and executes the malicious shellcode through that callback, as shown below:
Picture 8: .NET disassembly
How should shellcode or a payload be understood? In essence it is a block of hexadecimal data; for an executable payload, it is data that the processor can interpret and execute as machine instructions.
Because what follows involves binary data extraction and assembly analysis, here is a simple diagram introducing the basic concepts of shellcode or payload (for malicious code), as shown in the following figure:
Picture 9: payload
As shown in figure 9, for viruses, and especially for self-starting and persistent attacks, this is hard to achieve without a backdoor (except for persistent exploitation of a vulnerability, or pulling a small amount of data each time for theft, etc.).
For example, with ASLR the base address changes after every system reboot, or the code is injected into a new process space, so the function addresses hard-coded in the code are wrong: how can the function address be obtained accurately? Some extra work is needed to achieve reliable execution; of course these are not real obstacles, and the techniques are mature.
The following section assumes the reader has some foundation in the Windows PE format, assembly and kernel-related material; it will not cover the basics. It analyzes, from the PE format and assembly level, how this shellcode is built: how it dynamically obtains the base address of modules such as kernel32.dll, how it uses hash values to traverse the export table, and how it keeps sensitive strings and sensitive API functions away from antivirus.
III. On PE and viruses
Taking the above malicious code as an example: because debugging the shellcode under .NET ran into many problems, the tmp_pFWwjd.dat.exe sample was restored with cripple +.
OD (OllyDbg) is then used for dynamic debugging. Of course you can also analyze it from a dump, depending on personal preference; you can break directly at the shellcode, as shown below:
Picture 10: pointer
1. At the entry point, the data is XOR-decrypted to restore the malicious code that needs to be executed, as follows:
Picture 11: XOR decryption
2. Hash values encode the strings, which both reduces the size of the shellcode and hides sensitive characters, making it harder for antivirus software to intercept, as shown below:
Picture 12: hash value to get the address of the function
3. Entering the function at 1E0A42, we find a bunch of seemingly ordinary assignment operations, as follows:
Picture 13: fs:[0x30]
fs is a segment register. In kernel mode fs = 0x30 and points to _KPCR; in user mode fs = 0x3B and points to _TEB.
The TEB (Thread Environment Block) exists for every thread and stores data shared between the system and the thread, which makes it easy to operate on and control. fs:[0x30] is then the PEB, the process environment block.
4. The PEB describes the current process environment. Shellcode can easily obtain the PEB and reach _PEB_LDR_DATA at offset 0xc; this structure holds information about the modules loaded in the process.
At offset 0x1c a doubly linked circular list is obtained; each list entry points to an LDR_DATA_TABLE_ENTRY structure that holds the module data. The offsets above depend on the operating system, as shown below:
Picture 14: get the module list
Picture 15: the step of getting the base address of the current environment module
5. Through the above process, ntdll.dll is obtained successfully, as shown below:
Picture 16: get module Address
6. Continuing with the function at 1E0B2A, which takes two parameters: by the function calling convention, parameter 1 is the kernel32 base address and parameter 2 is the hash of the function name; the function is a self-implemented GetProcAddress(), as shown below:
Picture 17: GetProcAddress
7. This function first checks that the module is in standard PE format, then gets the NT header and the export table. The export directory holds the addresses of three tables. Let's look at the export table structure, as shown below:
The malicious code locates these three tables, traverses the function name table AddressOfNames, and computes a hash of each function name. If it equals the hash passed as parameter 2, the function is found.
It then returns the index of the current iteration, looks up the corresponding ordinal at that index in the ordinal table AddressOfNameOrdinals, and uses the value stored there to index the function address table AddressOfFunctions. The relationship between the three is illustrated in the figure below:
Picture 18: the relationship between the three tables
As shown in the figure above, the ordinal table corresponds one-to-one with the name table, and the index into one is associated with the value stored at that index in the other. These three tables cleverly borrow the concept of a relational database.
Note that the ordinals are not necessarily in order and may have gaps. Some entries in the address table have no function name, that is, the address table holds an address that cannot be associated with the name table; such functions are called by ordinal, and the real ordinal is the ordinal table content plus the Base ordinal of the export directory.
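As an added illustration (not code from the sample or from the page), here is a Python walk of the three export tables over a constructed in-memory image: a name-hash lookup of the kind the sample's self-implemented GetProcAddress() performs, plus the ordinal-only case with the Base adjustment. The ROR13 hash, the export layout and every RVA are assumptions chosen for the demo.

```python
import struct

# Constructed stand-in for a module mapped into memory: a flat buffer in which
# RVA == offset, holding only IMAGE_EXPORT_DIRECTORY and its three tables.
EXPORT_RVA = 0x100

def build_image():
    img = bytearray(0x200)
    names = {"GetProcAddress": 0x170, "LoadLibraryA": 0x180}
    for name, rva in names.items():
        img[rva:rva + len(name) + 1] = name.encode() + b"\0"
    # AddressOfFunctions[i] is the code RVA of ordinal Base + i; ordinal 6
    # (index 1) deliberately has no name, so it is exported by ordinal only.
    struct.pack_into("<3I", img, 0x140, 0x1200, 0x1300, 0x1400)
    # AddressOfNames / AddressOfNameOrdinals are parallel; ordinals are unbiased (ordinal - Base).
    struct.pack_into("<2I", img, 0x150, names["GetProcAddress"], names["LoadLibraryA"])
    struct.pack_into("<2H", img, 0x160, 2, 0)
    # Characteristics, TimeDateStamp, Major/MinorVersion, Name, Base=5, NumberOfFunctions=3,
    # NumberOfNames=2, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals.
    struct.pack_into("<2I2H7I", img, EXPORT_RVA, 0, 0, 0, 0, 0, 5, 3, 2, 0x140, 0x150, 0x160)
    return bytes(img)

def api_hash(name):
    """ROR13 additive hash, an assumption; the page does not reproduce the sample's own routine."""
    h = 0
    for c in name.encode():
        h = (((h >> 13) | (h << 19)) + c) & 0xFFFFFFFF
    return h

def export_tables(img):
    f = struct.unpack_from("<2I2H7I", img, EXPORT_RVA)
    return f[5], f[6], f[7], f[8], f[9], f[10]   # Base, nFuncs, nNames, AoF, AoN, AoNO

def resolve_by_hash(img, target):
    """Hash each name in AddressOfNames; on a match take the same index into
    AddressOfNameOrdinals and use that ordinal to index AddressOfFunctions."""
    _, _, n_names, aof, aon, aono = export_tables(img)
    for i in range(n_names):
        name_rva, = struct.unpack_from("<I", img, aon + 4 * i)
        name = img[name_rva:img.index(b"\0", name_rva)].decode()
        if api_hash(name) == target:
            ordinal, = struct.unpack_from("<H", img, aono + 2 * i)
            return struct.unpack_from("<I", img, aof + 4 * ordinal)[0]
    return None

def resolve_by_ordinal(img, ordinal):
    """Name-less exports are only reachable this way; subtract Base first."""
    base, n_funcs, _, aof, _, _ = export_tables(img)
    idx = ordinal - base
    return struct.unpack_from("<I", img, aof + 4 * idx)[0] if 0 <= idx < n_funcs else None
```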
8. With this understanding, looking again at the malicious code in the sample, you will find it matches the description above, as shown below:
Picture 19: GetProcAddress()
9. Finally, verify whether the result is successful, as follows:
Picture 20: verification
10. After the new thread is created, the thread callback creates directories and files, although in local verification the file creation failed, as shown below:
Picture 21: create a directory
The file and directory path created is c:\User\.\AppData\Roaming\
11. The server responds and the malicious code is downloaded, and a new journey begins, as follows:
Picture 22: Downloader
IV. vkT2 module analysis
1. Following the function, we find a large number of hash values used to dynamically obtain function addresses, consistent with the function calls above. The sorted function names are as follows:
The 1E0AAA function decrypts as follows:
2. With the warm-up done, the function names should give a hint of what happens next, as shown in the following figures:
Picture 23: InternetOpenA
Picture 24: InternetConnectA
Picture 25: HttpOpenRequestA
3. During dynamic debugging, break at the request and analyze the code statically: lstrcmpiA compares whether the text field of the downloaded data's fingerprint information is plain; if so, InternetReadFile reads and executes the downloaded data, otherwise the code sleeps and requests again in an endless loop.
Picture 26: request status
We visit the web page directly using the known IP and request format, as shown below:
Picture 27: vkT2
The web response looks entirely garbled? Download it locally: following the original code's execution flow, this is a piece of binary data, so, as usual, write a program to debug this malicious code.
4. vkT2 analysis: first the data is decrypted, then function addresses are obtained dynamically, the sample's usual routine.
The data of each section (from the section table) is stitched together in a loop: according to each section's VirtualAddress, the sections are placed at their post-load memory addresses with the memory alignment granularity of 0x1000, and the DOS header signature is erased, forming a PE image in memory, as shown below:
Picture 28: memory expansion
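The section expansion described above, as an added Python example (not the sample's code or anything from the page) that an analyst can use to reproduce the in-memory layout of a dumped file: the PE, its two sections and their addresses are all constructed for the demo, and the only alignment honoured is the 0x1000 granularity the page names.

```python
import struct

SECTION_ALIGN = 0x1000   # memory alignment granularity named on the page

def build_pe():
    """Constructed minimal PE, not the vkT2 sample: MZ stub, PE signature, file
    header, a zero-filled 16-byte optional header and two sections."""
    f = bytearray(0x500)
    f[0:2] = b"MZ"
    struct.pack_into("<I", f, 0x3C, 0x40)           # e_lfanew
    f[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", f, 0x44, 0x14C, 2)      # Machine (i386), NumberOfSections
    struct.pack_into("<H", f, 0x54, 0x10)           # SizeOfOptionalHeader
    sec = 0x44 + 20 + 0x10                          # section table follows the headers
    sections = [(b".text", 0x10, 0x1000, 0x10, 0x200, b"\x90" * 15 + b"\xC3"),
                (b".data", 0x08, 0x2000, 0x08, 0x400, b"vkT2demo")]
    for i, (name, vsize, va, rsize, raw, data) in enumerate(sections):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, rest zero
        struct.pack_into("<8s4I2I2HI", f, sec + 40 * i, name, vsize, va, rsize, raw, 0, 0, 0, 0, 0)
        f[raw:raw + len(data)] = data
    return bytes(f)

def align_up(n, a):
    return (n + a - 1) // a * a

def map_sections(pe):
    """Lay the file out as it sits in memory: headers at RVA 0, every section at
    its VirtualAddress, then blank the DOS signature as the sample does."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    sec = e_lfanew + 24 + opt_size
    hdrs = [struct.unpack_from("<8s4I", pe, sec + 40 * i) for i in range(nsec)]
    size = align_up(max(va + vsize for _, vsize, va, _, _ in hdrs), SECTION_ALIGN)
    img = bytearray(size)
    img[:sec + 40 * nsec] = pe[:sec + 40 * nsec]
    for _, vsize, va, rsize, raw in hdrs:
        img[va:va + rsize] = pe[raw:raw + rsize]
    img[0:2] = b"\0\0"
    return bytes(img)
```

Comparing such a rebuilt image against a memory dump of the process is a quick way to confirm which bytes the loader changed afterwards (IAT entries and relocations), which the next step covers.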
5. Once the PE image is expanded in memory, the next step is to fix the IAT and apply relocations. Many details are involved here, all belonging to the PE format; you can refer to the "Windows authoritative Guide", as shown below:
Picture 29: fix IAT
6. Next, analyze the key points: obtain system variables and determine whether it is running on a 64-bit system, as follows:
Picture 30: identify the operating environment
7. Collect information such as system data, host IP, host name, and so on, as follows:
Picture 31: data collection
8. A new round of C&C communication begins, as shown in the following figure:
Picture 32: establishing communication
9. Continuing the analysis, the functions HttpOpenRequest and HttpSendRequest are used: HttpOpenRequest creates a request handle and stores the parameters in it, and HttpSendRequest sends the request to the HTTP server, as shown below:
Picture 33: HttpOpenRequest
Picture 34: HttpSendRequestA
10. Unfortunately, HttpSendRequest gets no response, so the remaining code is analyzed statically (simulated execution): it reads the malicious code returned by the server, which is used within a thread-safe context.
Intelligence analysis did not turn up more valuable data, but this kind of request is unique and the constructed packet is quite special; the reason for this particularity is discussed below.
Associating this with the sample's process, the sorted execution flow chart is as follows:
Picture 35: TKCT quy I nam 2019.doc execution flow
As shown in figure 35, the servers the client communicates with should all be proxy servers. The real environment is much more complex than the above process, which is also what makes tracing to the source difficult.
As shown in figure 33, the key data extracted from stack memory differs from the usual request data, as shown below:
APT communication methods are becoming more and more cautious. Without detailed sample analysis, sandbox simulation, memory forensics, and packet capture tools to analyze the network level, the results may differ from the desired data. When this sample communicates, it actually uses the domain fronting network attack technique.
What is the domain fronting technique? Simply put, tools such as msf and cs (Cobalt Strike) can route server traffic so as to bypass firewalls and detectors to a certain degree. Some larger vendors provide such services, so it can be achieved with tools like msf or cs.
Taking Cobalt Strike as an example, it integrates port forwarding, multi-mode port scanning listeners, Windows exe program generation, Windows dll dynamic link library generation, java program generation, office macro code generation, and site cloning to obtain browser-related information.
One of the more useful features is the behaviour of the Beacon payload: it modifies the framework's default attribute values, changes the check-in frequency and modifies Beacon network traffic, and all of these are configured in the Malleable C2 file.
The Malleable-C2-Profiles feature can construct normal-looking Web traffic as camouflage, ultimately concealing the communication. We take amazon.profile as an example, as shown below:
set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";

http-get {
    set uri "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books";
    client {
        header "Accept" "*/*";
        header "Host" "www.amazon.com";
        metadata {
            base64;
            prepend "session-token=";
            prepend "skin=noskin;";
            append "csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996";
            header "Cookie";
        }
    }
}

http-post {
    set uri "/N4215/adj/amzn.us.sr.aps";
    client {
        header "Accept" "*/*";
        header "Content-Type" "text/xml";
        header "X-Requested-With" "XMLHttpRequest";
        header "Host" "www.amazon.com";
        parameter "sz" "160x600";
        parameter "oe" "oe=ISO-8859-1;";
        id {
            parameter "sn";
        }
        parameter "s" "3717";
        parameter "dc_ref" "http%3A%2F%2Fwww.amazon.com";
    }
}
The above configuration completely matches the communication characteristics of the vkT2.shellcode sample. By loading the corresponding profile, the traffic characteristics between the target host and the server can be changed so as to hide the traffic and finally achieve communication concealment.
The above is how to conduct an in-depth analysis of an APT attack sample targeting Vietnam. The editor believes it covers knowledge points we may see or use in our daily work. We hope you learn more from this article; for more details, please follow the industry information channel.
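From the defender's side, the profile above is also a detection signature: the fixed URIs, the user agent, the Host header that does not match the server actually contacted, and the Cookie that wraps base64 metadata between the fixed prefix and suffix. The following Python check, added here and not part of the page, runs those checks over three constructed proxy log lines (the destination 203.0.113.10, the log format and the metadata value are all made up for the demo).

```python
import base64
import re

# Traffic characteristics taken from the amazon.profile shown above.
PROFILE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
PROFILE_HOST = "www.amazon.com"
PROFILE_URIS = {"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
                "/N4215/adj/amzn.us.sr.aps"}
# Cookie = "skin=noskin;" + "session-token=" + base64(metadata) + "csm-hit=..."
COOKIE_RE = re.compile(r"^skin=noskin;session-token=([A-Za-z0-9+/=]+)"
                       r"csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996$")
POST_PARAMS = {"sz": "160x600", "s": "3717", "dc_ref": "http%3A%2F%2Fwww.amazon.com"}

# Constructed proxy log lines (not from the page), tab separated:
# method, server actually connected to, Host header, URI, User-Agent, Cookie.
SAMPLE_LOG = [
    "GET\t203.0.113.10\twww.amazon.com\t/s/ref=nb_sb_noss_1/167-3294888-0262949/"
    "field-keywords=books\t" + PROFILE_UA + "\tskin=noskin;session-token=QUJDRA=="
    "csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996",
    "POST\t203.0.113.10\twww.amazon.com\t/N4215/adj/amzn.us.sr.aps?sz=160x600&oe=oe=ISO-8859-1;"
    "&sn=4711&s=3717&dc_ref=http%3A%2F%2Fwww.amazon.com\t" + PROFILE_UA + "\t-",
    "GET\twww.amazon.com\twww.amazon.com\t/gp/cart/view.html\tMozilla/5.0 Firefox/100.0\t-",
]

def beacon_metadata(cookie):
    """Reverse the metadata transform: strip the prepends/append, base64-decode."""
    m = COOKIE_RE.match(cookie)
    return base64.b64decode(m.group(1), validate=True) if m else None

def check_request(line):
    """Return the reasons a request looks like amazon.profile traffic."""
    method, dst, host, uri, ua, cookie = line.split("\t")
    path, _, query = uri.partition("?")
    reasons = []
    if host == PROFILE_HOST and dst != host:
        reasons.append("Host header does not match the server contacted")
    if path in PROFILE_URIS:
        reasons.append("profile %s uri" % method)
    if ua == PROFILE_UA:
        reasons.append("profile user-agent")
    if beacon_metadata(cookie) is not None:
        reasons.append("cookie carries base64 metadata between profile prefix and suffix")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    if method == "POST" and all(params.get(k) == v for k, v in POST_PARAMS.items()) and "sn" in params:
        reasons.append("profile POST parameters incl. id parameter sn")
    return reasons

def scan(log):
    return [(i, r) for i, r in enumerate(map(check_request, log)) if r]
```

The Host/destination mismatch is the check that survives when an operator edits the profile strings, since it comes from the fronting itself rather than from any fixed value.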