2025-03-30 Update From: SLTechnology News&Howtos (Development)
Shulou(Shulou.com)06/02 Report--
Analysis of an APT group that uses spear-phishing emails to infiltrate multiple industries and steal sensitive data. This report walks through the infection chain, the obfuscated AutoIt loader, the NanoCore RAT payload and the resulting defensive recommendations.
0x0 background
The Sangfor security team has, through its security awareness platform, been tracking an APT group that targets domestic coastal electronics manufacturers, the energy sector, large import and export enterprises and research institutions. Over the past three months the group has launched spear-phishing campaigns against at least 60 domestic targets. The lure is a PE file carrying an Office or PDF icon. When the target opens it, it drops a legitimately signed AutoIt script interpreter and hands it a heavily obfuscated AutoIt script; that script in turn decrypts and launches the NanoCore RAT, which steals sensitive data from the victim host and serves as a springboard for intranet penetration.
0x1 detailed analysis
The group uses a lure document to entice the user into running it. The lure is a self-extracting archive that drops the attack components and the Trojan. A digitally signed, legitimate AutoIt interpreter then executes an obfuscated script that first checks whether the current environment is "safe" for the malware (that is, not a sandbox or virtual machine), then decrypts and installs a .NET program, and only then carries out the real malicious behaviour. Because every stage before the payload is either signed or plain script, the chain evades most security products. Each step is analysed in detail below.
Attack flow chart
The group sent, from the address sales@globaltrade.com, an exe file disguised with a PDF document icon and named "Payment Slip", to entice the victim to run it. To lower the recipient's guard, the email used the subject line RE:FWD:PROFORMA INVOICE // OverDue Payment Update.
The body of the email is as follows:
Self-extracting dropper
The sample disguises itself as a PDF file and induces the user to run it. Inspecting it with Exeinfo PE shows that it is an SFX (self-extracting) archive.
When it is double-clicked, the self-extraction dialog is suppressed, the files are dropped into the %temp%\08419794 folder, and the rml.vbs script is executed automatically.
rml.vbs uses WshShell.Run to launch dsh.exe pwl=xui.
dsh.exe is the AutoIt script interpreter, carrying a valid digital signature, and it executes .au3 scripts.
pwl=xui is the script itself: a roughly 300 MB file padded with a huge number of useless comments. The padding is there to prevent detection of the malicious script (many engines skip or time out on files this large), and it lets the script bypass most anti-virus products.
For readability, the useless comments were removed; the cleaned-up script is shown below:
The script has the following functions:
1. Virtual machine detection
2. Disable UAC
3. Disable Task Manager
4. Register a startup (autorun) entry
5. Decrypt the .NET program
6. Start the .NET program
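The comment padding described above is easy to undo mechanically, and once the junk is gone the cleaned script can be scanned for the behaviours just listed. The Python below is an added example written for this page, not code from the report or from Sangfor: it strips AutoIt line comments (a `;` outside string literals) and `#cs`/`#ce` block comments, then flags the VM checks, the UAC and Task Manager policy keys and the Run-key persistence. The AutoIt snippet inside it is constructed for the demonstration, and the registry value names it matches on (EnableLUA, DisableTaskMgr) are the standard ones for these techniques and are assumed here, since the report only says "modifying the registry key".

```python
import re

# Constructed stand-in for a comment-padded AutoIt loader. It is NOT the real
# pwl=xui file from the report; it only mirrors the behaviours the report lists.
SAMPLE_AU3 = r'''
; zxkjcvh lkjsdhf lkjsdhf (junk comment lines like this fill ~300 MB in the real sample)
#cs
   sdf sdf sdf sdf junk block
#ce
If ProcessExists("vmtoolsd.exe") Then Exit ; VM check (comment after code)
If Not FileExists("D:\") Then Exit
$s = "a;b" ; the semicolon inside the string must survive
RegWrite("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "REG_DWORD", 0)
RegWrite("HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", 1)
RegWrite("HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "dsh", "REG_SZ", @TempDir & "\08419794\dsh.exe pwl=xui")
#comments-start
   more junk
#comments-end
'''

_BLOCK_START = re.compile(r'^\s*#(cs|comments-start)\b', re.IGNORECASE)
_BLOCK_END = re.compile(r'^\s*#(ce|comments-end)\b', re.IGNORECASE)


def _strip_line_comment(line: str) -> str:
    """Drop everything from the first ';' that is not inside a string literal."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in ('"', "'"):
            quote = ch
        elif ch == ';':
            return line[:i]
    return line


def purify(script: str) -> list:
    """Return the non-comment, non-blank lines of an AutoIt script."""
    out = []
    depth = 0  # #cs/#ce blocks may nest in AutoIt
    for raw in script.splitlines():
        if _BLOCK_START.match(raw):
            depth += 1
            continue
        if _BLOCK_END.match(raw):
            depth = max(depth - 1, 0)
            continue
        if depth:
            continue
        code = _strip_line_comment(raw).rstrip()
        if code.strip():
            out.append(code)
    return out


# RegWrite(key, value name, type, data); VM checks via ProcessExists / FileExists.
_REGWRITE = re.compile(
    r'RegWrite\(\s*"([^"]+)"\s*,\s*"([^"]+)"\s*,\s*"([^"]+)"\s*,\s*(.+)\)\s*$',
    re.IGNORECASE)
_PROCESS = re.compile(r'ProcessExists\(\s*"([^"]+)"\s*\)', re.IGNORECASE)
_FILE = re.compile(r'FileExists\(\s*"([^"]+)"\s*\)', re.IGNORECASE)


def find_indicators(lines: list) -> list:
    """Map purified lines onto the behaviours described in the report."""
    found = []
    for line in lines:
        m = _REGWRITE.search(line)
        if m:
            key, name, _type, value = m.groups()
            key_l, name_l, value = key.lower(), name.lower(), value.strip()
            if key_l.endswith(r'policies\system') and name_l == 'enablelua' and value == '0':
                found.append(('disable_uac', key, name))        # assumed value name
            elif name_l == 'disabletaskmgr' and value == '1':
                found.append(('disable_taskmgr', key, name))    # assumed value name
            elif key_l.endswith(r'\run'):
                found.append(('run_key_persistence', key, name))
            continue
        m = _PROCESS.search(line)
        if m:
            found.append(('vm_check_process', m.group(1), ''))
            continue
        m = _FILE.search(line)
        if m:
            found.append(('vm_check_drive', m.group(1), ''))
    return found


def analyse(script: str) -> list:
    return find_indicators(purify(script))


if __name__ == '__main__':
    for kind, a, b in analyse(SAMPLE_AU3):
        print(f'{kind:22} {a} {b}'.rstrip())
```

On a real sample, run purify() first and write the result to disk; the 300 MB file shrinks to a few kilobytes, which is also the version worth submitting to a scanner.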
Core script functions
These functions are implemented as follows:
1. Virtual machine detection: the script checks for known virtualisation-related process names, whether a D: drive exists, and similar environment clues before continuing.
2. Disable UAC: the UAC policy is turned off by modifying a registry key.
3. Disable Task Manager: Task Manager is blocked by modifying a registry key.
4. Startup registration: persistence is achieved by adding an autorun entry under the registry Run keys.
5. Decrypt the .NET program: the payload is recovered in three steps, each shown in the screenshots below: (1) regular-expression matching and replacement, (2) character reversal, (3) decryption with the CryptDecrypt() API.
6. Start the .NET program: the script locates the .NET service installer that ships with the framework and uses it to install the decrypted .NET program as a service.
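The three decryption stages above can be reproduced outside the sandbox once the script has been read. The Python below is an added example for this page, not the loader's own code: it reverses the pipeline (regex replacement, character reversal, CryptDecrypt) on a constructed ciphertext and checks that a PE image comes out. The report does not say which cipher or key the loader passes to CryptDecrypt; this example assumes RC4 with the key derived the way AutoIt's _Crypt_DeriveKey() does by default (CryptDeriveKey over an MD5 hash of the password, which for a 128-bit RC4 key is simply the MD5 digest). The password, the junk marker and the fake PE payload are all hypothetical.

```python
import hashlib
import re

# Assumed parameters (the report names neither the cipher nor the key):
# AutoIt's _Crypt_DecryptData() with $CALG_RC4 derives the RC4 key via
# CryptDeriveKey(MD5(password)), i.e. the 16-byte MD5 digest of the password.
PASSWORD = "example-key"   # hypothetical
JUNK_MARKER = "@@"         # hypothetical junk token removed by the regex pass


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so one function encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_key(password: str) -> bytes:
    # CryptDeriveKey(CALG_RC4, MD5 hash) on the enhanced provider: the 128-bit
    # RC4 key is the full MD5 digest of the password bytes (assumed, see lead-in).
    return hashlib.md5(password.encode("utf-8")).digest()


def decode_payload(blob: str, password: str = PASSWORD, marker: str = JUNK_MARKER) -> bytes:
    """Undo the loader's three stages: regex replace -> reverse -> CryptDecrypt."""
    cleaned = re.sub(re.escape(marker), "", blob)  # (1) regex matching replacement
    reversed_hex = cleaned[::-1]                    # (2) character reversal
    ciphertext = bytes.fromhex(reversed_hex)
    return rc4(derive_key(password), ciphertext)    # (3) CryptDecrypt (RC4 assumed)


def encode_payload(plain: bytes, password: str = PASSWORD, marker: str = JUNK_MARKER) -> str:
    """Forward transform; used here only to build the constructed sample blob."""
    hex_ct = rc4(derive_key(password), plain).hex()[::-1]
    return marker.join(hex_ct[i:i + 8] for i in range(0, len(hex_ct), 8))


def looks_like_pe(data: bytes) -> bool:
    return data[:2] == b"MZ"


# Constructed stand-in for the encrypted .NET payload: a fake PE header, not a real NanoCore build.
SAMPLE_PLAIN = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + b"\x00" * 8
SAMPLE_BLOB = encode_payload(SAMPLE_PLAIN)

if __name__ == "__main__":
    recovered = decode_payload(SAMPLE_BLOB)
    print("PE header recovered:", looks_like_pe(recovered), recovered[:4])
```

When the real password is unknown, the RC4 key is still reachable: CryptDeriveKey is called by the AutoIt script itself, so a breakpoint on CryptDeriveKey or CryptDecrypt in the interpreter (dsh.exe) exposes the key and the plaintext at run time.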
NanoCore RAT
NanoCore RAT is written on the .NET Framework; its latest version is 1.2.2.0. Its author, Taylor Huddleston, was arrested by the FBI and sentenced to prison in early 2018. The RAT can perform many malicious operations on the victim's computer, including registry editing, process control, self-update, file transfer, keylogging and password theft.
According to information circulating online, the source code of the latest version can be obtained for as little as $20.
The .NET program released by the script is the NanoCore client 1.2.2.0. Its C2 address is 185.244.31.203 and the communication port is 8484.
The IP address geolocates to the Netherlands and is bound to the domain meter.ddns.net.
0x2 security recommendations
No matter how meticulous an attacker's intrusion plan is, technical constraints always leave some trace: software has to be implanted and network traffic has to be generated. Such traces may not be enough on their own to prove an APT attack, but once found they must be taken seriously: preserve the scene, notify security personnel, and isolate and examine suspected infected hosts. Equally important are the daily preventive measures, both in awareness and in technology:
1. Strengthen staff security awareness. Do not open email attachments of unknown origin, and be cautious about running files from attachments. If an attachment contains scripts or other executables, scan it with anti-virus software first.
2. Keep Office software up to date, and do not enable macros in untrusted documents.
3. Deploy layered controls to achieve defence in depth and build an end-to-end protection network. Network planning should consider endpoint access security, intranet security and application security, with partitioning and isolation based on business requirements and security levels.
4. Audit and analyse network data and system state. Strictly control system access rights, continuously monitor inbound and outbound data flows, apply security patches promptly, review security configuration baselines and assess system risks regularly, and use technical means such as encrypted communication links, application-layer scanning and protection, and isolation to detect malicious behaviour early and remove risks before they take hold.
5. Sangfor offers a security operations service that helps users expand their security capabilities quickly through a combined "human, machine and intelligence" service model. Against this kind of threat the service provides security device policy checks, threat inspection and related vulnerability checks, so that risks are detected and policies updated as early as possible.
6. Use Sangfor security products connected to the Security Cloud Brain, with the cloud lookup service, the AI engine and the anti-virus function of the intelligent detection engine enabled, to detect new threats promptly and defend against APT attacks.
© 2024 shulou.com SLNews company. All rights reserved.