2025-01-19 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 05/31 Report
This article explains how to analyze the report on the leaked APT34 attack tools. The editor considers it very practical and shares it here; I hope you gain something from reading it.
APT34 is an APT group from Iran. Since 2014 it has continuously launched APT attacks in the Middle East and Asia, mainly against the government, finance, energy and telecommunications sectors. Over the years its attack arsenal has been upgraded and its attack methods have kept evolving, and the attacks have not stopped because of public exposure.
APT34 organizational background
On April 17th, foreign media reported that a user named "Lab Dookhtegan" had exposed an attack kit belonging to APT34 on Telegram, together with data on some APT34 victims. This incident is as explosive as earlier source code leaks. Since at least 2014, APT34 has continuously launched attacks on countries in the Middle East and Asia, targeting government, finance, energy, telecommunications and other industries. The group generally targets countries opposed to Iran, so it is speculated to be an Iranian security service or a security company that has worked with the Iranian government for a long time. The group is adept at using social media: it forges online accounts with different identities on social platforms and approaches its targets through social engineering. At the same time, its attack arsenal keeps being upgraded and its techniques keep getting more refined. It combines spear phishing and other attack methods with new techniques, and continues to widen its penetration of existing targets.
Members of the exposed APT34 organization
From the leaked Webshell list, it is easy to see that the group has carried out large-scale attacks against China in the past. The following figure lists more than 10 compromised web sites identified as located in China, which serve as evidence of attacks on domestic targets.
Lab Dookhtegan once claimed that the personal information of another group member would be exposed every few days, but its accounts on Telegram and Twitter have now been blocked.
Introduction to the leaked tools
This source code leak contains a large number of important attack tools commonly used by APT34, such as Webshells_and_Panel, poison frog, Webmask and Glimpse. Dongxun Technology 2046Lab used the "Iron Dome Advanced Persistent Threat Early Warning System" to detect these attack tools and analyzed them in depth at the technical level.
Test results
1. Webshell early warning: [high risk]
2. Document sandbox detection and early warning: [high risk]
3. DNS covert channel detection and early warning: covert tunnels that transmit data through abnormally long domain names in DNS were discovered
Analysis of attack weapons
1.Webshells_and_Panel
The Webshells_and_Panel directory mainly contains a variety of Webshell tools written in C#. The Webshell directory contains two main folders, HighShell and HyperShell.
1.1 HighShell
There is only HighShell.aspx in the HighShell directory, which is the WebShell for the Windows server. The default interface after opening is shown below:
As can be seen from the above picture, this version is version 5.0 and has many functions such as authentication, file upload, command execution, database operation and so on.
To use the Webshell, you need to enter the connection password (ThanksN0tF0rFAN) in the red input box after the "Login" label, and then click the "Do it" button. When the input box turns green, you can perform relevant operations on the server through the Webshell. The following is an operation diagram for operating the "command" command and getting server information:
1.2 HyperShell
HyperShell contains multiple files, including the source of several webshells. A few of their features are described below.
Simple.aspx
Simple.aspx is a simple webshell, which includes authentication, command execution and file upload functions. After opening it, it is shown in the figure:
Enter the connection password (MkRg5dm8MOk) in the Password input box and click the "Login" button to control the server and upload files. The password connection is shown below:
The following is an operation diagram for operating the "command" command and getting server information:
SimpleDownload.aspx
SimpleDownload.aspx has only one upload function, as shown below:
HighShelllocal.aspx
HighShelllocal.aspx is an upgraded version of HighShell with version number 8.6.2. Its functions are roughly the same as those of the standalone version 5.0; the interface and functions have been optimized as follows:
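The webshells above share a recognizable feature set (password gate, command execution, file upload, database access). A file-level triage scanner can flag .aspx pages that combine those indicators, which is one way to reproduce the "Webshell early warning" result from the test. The script below is an added example written for this article, not the 2046Lab system or any tool from the leak; the two page fragments are constructed (with bodies elided), and the indicator weights and the threshold of 5 are assumptions a practitioner would tune against their own code base.

```python
import os
import re

# Weighted indicator patterns; the weights and threshold are this example's assumptions.
INDICATORS = {
    "process_exec": (re.compile(r"System\.Diagnostics\.Process|ProcessStartInfo|\bcmd\.exe\b|/bin/sh", re.I), 3),
    "request_param": (re.compile(r"Request\s*(?:\[|\.Form\s*\[|\.QueryString\s*\[|\.Params\s*\[)", re.I), 1),
    "file_upload": (re.compile(r"Request\.Files|\.SaveAs\s*\(", re.I), 2),
    "db_access": (re.compile(r"SqlConnection|SqlCommand|OleDbConnection", re.I), 1),
    "auth_gate": (re.compile(r'Request\s*\[\s*"(?:pwd|pass|password|auth|key)"\s*\]', re.I), 2),
    "eval_reflection": (re.compile(r"Assembly\.Load|\bEval\s*\(|CreateObject", re.I), 3),
}

# Constructed fragment carrying the indicators a HighShell-style page exposes; bodies elided.
WEBSHELL_LIKE = r'''<%@ Page Language="C#" %>
<script runat="server">
  void Page_Load(object sender, EventArgs e) {
    if (Request["pwd"] != secret) { return; }
    var psi = new System.Diagnostics.ProcessStartInfo("cmd.exe", /* ... */);
    Request.Files[0].SaveAs(Server.MapPath(Request["path"]));
    using (var cn = new SqlConnection(Request["cs"])) { /* ... */ }
  }
</script>'''

# Constructed ordinary data-driven page: reads a request parameter and queries a database.
BENIGN_PAGE = r'''<%@ Page Language="C#" %>
<script runat="server">
  void Page_Load(object sender, EventArgs e) {
    int id = int.Parse(Request.QueryString["id"]);
    using (var cmd = new SqlCommand("SELECT name FROM items WHERE id = @id", cn)) { /* ... */ }
  }
</script>'''


def score_source(text):
    """Sum the weights of every indicator family present in the page source."""
    matched = {name: weight for name, (pattern, weight) in INDICATORS.items() if pattern.search(text)}
    return sum(matched.values()), matched


def verdict(text, threshold=5):
    """Score plus the sorted list of matched indicator names and a boolean triage decision."""
    score, matched = score_source(text)
    return {"score": score, "indicators": sorted(matched), "likely_webshell": score >= threshold}


def scan_directory(root, exts=(".aspx", ".ashx", ".asmx", ".ascx"), threshold=5):
    """Walk a web root and return (path, verdict) for every page over the threshold."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                v = verdict(fh.read(), threshold)
            if v["likely_webshell"]:
                results.append((path, v))
    return results


if __name__ == "__main__":
    print("webshell-like:", verdict(WEBSHELL_LIKE))
    print("benign:", verdict(BENIGN_PAGE))
```

A page that only reads request parameters and talks to a database scores 2 here, while the combination of a password gate, process execution and an upload path scores 9; in practice the scanner is run with `scan_directory` over the web root and the hits are reviewed by hand, since legitimate admin pages can also cross the threshold.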
2.poison frog
2.1 Agent
2.1.1 poisonfrog.ps1
Agent consists of a single file, poisonfrog.ps1, which plants the backdoor on the compromised host. After it runs it leaves three files, dUpdater.ps1, hUpdater.ps1 and UpdateTask.vbs, in the C:\Users\Public\Public directory of the compromised host.
The UpdateTask.vbs script is the backdoor left on the host; it is run every 10 minutes by a scheduled task, and its job is to execute the dUpdater.ps1 and hUpdater.ps1 scripts.
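The persistence described here (a script host launching a .vbs from C:\Users\Public on a 10-minute repetition) is visible in exported Task Scheduler XML. The following Python script is an added example written for this article, not part of the report or of the leaked tools: it parses task exports and lists the reasons a task looks like script-based persistence. The two task exports are constructed for the example, and the 15-minute cut-off is an assumption to tune.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML exports (schtasks /query /xml, Export-ScheduledTask).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts commonly used to launch .vbs/.ps1 payloads from a task.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# The world-writable directory the report says poison frog drops into.
PUBLIC_DIR = re.compile(r"c:\\users\\public\\", re.IGNORECASE)

# Constructed task export shaped like the persistence described in the report
# (UpdateTask.vbs under C:\Users\Public\Public, repeated every 10 minutes).
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval></Repetition>
      <StartBoundary>2019-04-17T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>C:\Users\Public\Public\UpdateTask.vbs</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: a vendor binary under Program Files, run hourly.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2019-04-17T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\ExampleVendor\updater.exe</Command>
      <Arguments>/quiet</Arguments>
    </Exec>
  </Actions>
</Task>"""


def interval_minutes(iso_duration):
    """Convert an ISO 8601 duration such as PT10M or P1DT2H to minutes (None if unparseable)."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso_duration or "")
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def parse_task(xml_text):
    """Extract (command, arguments) pairs and repetition intervals from a task export."""
    root = ET.fromstring(xml_text)
    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        actions.append((cmd, args))
    intervals = [(e.text or "").strip() for e in root.findall(".//t:Repetition/t:Interval", NS)]
    return {"actions": actions, "intervals": intervals}


def assess_task(xml_text, max_interval_minutes=15):
    """Return the reasons a task looks like script-based persistence (empty list if none)."""
    info = parse_task(xml_text)
    reasons = []
    for cmd, args in info["actions"]:
        exe = cmd.lower().rsplit("\\", 1)[-1]
        if exe in SCRIPT_HOSTS:
            reasons.append(f"script host launched: {exe}")
        if PUBLIC_DIR.search(cmd) or PUBLIC_DIR.search(args):
            reasons.append("action runs from C:\\Users\\Public")
    for iv in info["intervals"]:
        mins = interval_minutes(iv)
        if mins is not None and mins <= max_interval_minutes:
            reasons.append(f"high-frequency repetition: {iv}")
    return reasons


if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, assess_task(xml_text) or "no findings")
```

On a live host the XML would come from `schtasks /query /xml` or `Export-ScheduledTask`; a task that hits all three reasons (script host, public directory, short interval) is worth pulling the referenced script for, while any single reason on its own is common in legitimate software.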
2.1.2 dUpdater.ps1
This script is the remote control script: it generates the DNS domain name, contacts the control server, receives remote control instructions, and sends and receives files. When generating the domain name it uses the DGA.Changer algorithm to compute the server domain dynamically. 2046Lab restored the DGA.Changer algorithm:
Receive function:
Run the EEA function to get the VVA domain name, with the JJA parameter set to "r".
Attempt to resolve the VVA domain name. If resolution fails, throw an exception, generate a new domain name and try to resolve it, repeating until resolution succeeds. If it succeeds, take the first resolved IP and split it into its four segments.
If the IP is of the form 1.2.3.x, set NNA to false, write the value of RRA to the file named by PPA, and exit the main function.
If NNA is true, set RRA to the first three segments of the IP and continue looping the main function.
If the IP is of the form 24.125.x.x, concatenate the third and fourth segments of the IP into the name of the receivebox subfolder (PPA) under C:\Users\Public\Public\$DDA\receivebox, set GGA to 1, set NNA to true, and continue looping the main function.
If the IP is 11.24.237.110, stop resolving and exit the main function; this is the IP that OilRig has used before.
Send function:
Run Slaber to check the files to be sent, then run the EEA function to get the VVA domain name, with the JJA parameter set to "s".
Attempt to resolve the VVA domain name. If resolution fails, throw an exception, generate a new domain name and try to resolve it, repeating until resolution succeeds. If it succeeds, take the first resolved IP and split it into its four segments.
If the IP is of the form 1.2.3.x, take the value of the fourth segment and loop the main function.
If the IP is 11.24.237.110, stop resolving and exit the function, deleting the file to be sent.
Slaber function:
Check the size of the file to be sent. If it exceeds 600 KB, report an error; otherwise run the Resolver function.
Resolver function:
Split the file to be sent into groups of 30 characters.
Processor function:
Process received files; MMB is the file in the "sendbox" folder.
If the received file name ends with "0", write the received file into the "sendbox" folder with UTF-8 encoding, then remove the previously received file.
If the received file name ends with "1" and the contents of the received file contain a path, use that path as the sending path.
If the path does not exist, write the string "File not exist" to the MMB file, then remove the previously received file.
If the received file name ends with "2", set RRB to the file in the "done" folder, move the received file to the "done" folder, write the contents of the file to the MMB file, then remove the previously received file.
2.1.3 hUpdater.ps1
Resolve the IP of "myleftheart.com" and try to connect.
If the file C:\Users\Public\Public\files\cfg.ini exists, read the parameter fields srv, usr, pas, prt and dom from it. Concatenate the values of srv and prt with ":" into a new string, set that string as the HTTP proxy server, and use the values of usr, pas and dom as the proxy credentials; if the file does not exist, use the default proxy server.
OOA: randomly select several digits from 0 to 9 and one digit from 1 to 9, and concatenate the digits taken.
DDA: the DDA from the dUpdater.ps1 script.
PPA: DDA with OOA inserted at its 5th position.
Download the file from "http://myleftheart.com/co/$PPA", store the downloaded content in QQA, and split QQA on the "<>" separator into the array SSA.
p is the path C:\Users\Public\Public\files\$SSA[0].
If the length of SSA[2] is greater than 0 and SSA[2] does not contain the string "not", download the file from http://myleftheart.com/fil/$SSA[3] to C:\Users\Public\Public\files\$SSA[2] and write the content to path p.
If the length of SSA[1] is greater than 0 and SSA[1] does not contain the string "not", upload the file at path p to http://myleftheart.com/res/$PPA$SSA[0].
If the length of SSA[4] is greater than 0 and SSA[4] does not contain the string "not", upload the file at path SSA[4] to http://myleftheart.com/res/$PPA$SSA[0].
If the last element of SSA is "1", the main function runs in a loop.
If the length of SSA[0] is greater than 0 and SSA[1] does not contain the string "not", upload the file at path p to http://myleftheart.com/res/$PPA$SSA[0] and delete the file at path p.
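Two things an analyst wants from the hUpdater.ps1 description above are a way to read a captured /co/ response into the actions it would trigger, and a way to pick the /co/, /fil/ and /res/ traffic to myleftheart.com out of proxy logs. The Python script below is an added example written for this article, not the leaked script or the report's own tooling: it only decodes a task body and inspects log lines, and performs no network access. The task bodies, the proxy log lines and the PLACEHOLDER_PPA value are constructed for the example; the decoding follows the field rules the report lists and has not been verified against the script itself.

```python
from urllib.parse import urlparse

C2_HOST = "myleftheart.com"                     # domain from the report's IOC list
FILES_DIR = r"C:\Users\Public\Public\files"     # working directory named in the report
C2_PATH_PREFIXES = ("/co/", "/fil/", "/res/")   # task, download and result paths the report names

# Constructed task bodies in the "<>"-separated layout the report describes; the last
# field "1" means "loop again". PLACEHOLDER_PPA stands in for a real PPA value.
SAMPLE_PPA = "PLACEHOLDER_PPA"
SAMPLE_TASK_UPLOAD = "task42<>go<>not<>x<>not<>1"
SAMPLE_TASK_DOWNLOAD = "cfg7<>not<>payload.txt<>abc123<>not<>0"

# Constructed proxy log lines: "<epoch> <client> <method> <url> <status>".
PROXY_LOG = """\
1555495201.123 10.0.0.15 GET http://www.example.com/index.html 200
1555495202.456 10.0.0.15 GET http://myleftheart.com/co/PLACEHOLDER_PPA 200
1555495203.789 10.0.0.15 POST http://myleftheart.com/res/PLACEHOLDER_PPAtask42 200
1555495204.012 10.0.0.15 GET http://myleftheart.com/about 404
"""


def _present(field):
    # The report's condition on a field: non-empty and not containing the string "not".
    return len(field) > 0 and "not" not in field


def decode_task(body, ppa):
    """Translate one /co/ response into the actions hUpdater.ps1 would take, without taking them."""
    ssa = body.split("<>")
    if len(ssa) < 5:
        raise ValueError("expected at least five '<>'-separated fields")
    p = FILES_DIR + "\\" + ssa[0]
    result_url = f"http://{C2_HOST}/res/{ppa}{ssa[0]}"
    actions = []
    if _present(ssa[2]):
        actions.append({"op": "download", "url": f"http://{C2_HOST}/fil/{ssa[3]}",
                        "to": FILES_DIR + "\\" + ssa[2], "also_written_to": p})
    if _present(ssa[1]):
        actions.append({"op": "upload", "path": p, "url": result_url})
    if _present(ssa[4]):
        actions.append({"op": "upload", "path": ssa[4], "url": result_url})
    if len(ssa[0]) > 0 and "not" not in ssa[1]:
        actions.append({"op": "upload_and_delete", "path": p, "url": result_url})
    return {"actions": actions, "loop": ssa[-1] == "1"}


def flag_proxy_lines(lines):
    """URLs in proxy log lines that match the report's C2 host and path layout."""
    hits = []
    for line in lines:
        parts = line.split()
        url = next((f for f in parts if f.startswith("http://") or f.startswith("https://")), None)
        if url is None:
            continue
        u = urlparse(url)
        if u.hostname == C2_HOST and u.path.startswith(C2_PATH_PREFIXES):
            hits.append(url)
    return hits


if __name__ == "__main__":
    for body in (SAMPLE_TASK_UPLOAD, SAMPLE_TASK_DOWNLOAD):
        print(body, "->", decode_task(body, SAMPLE_PPA))
    print(flag_proxy_lines(PROXY_LOG.splitlines()))
```

Note that the report's rules let the SSA[1] upload and the SSA[0] upload-and-delete both fire for the same task, so the decoded action list for the first sample contains two uploads of path p; that duplication is in the described protocol, not an artefact of the decoder.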
2.2 Server Side
The server side is the central control terminal APT34 uses to manage compromised hosts. It can download files from and upload files to a compromised host.
This server provides a simple login interface.
User and password management is very simple and is done only through a JSON configuration file. The leaked file uses a simple username (blacktusk) and password (fireinthehole).
The GUID (/7345SDFHSALKJDFHNASLFSDA3423423SAD22) in the following figure routes the browser to the login page, so this GUID is very important.
The server side also provides a list of HTTP Agent and DNS Agent hosts, from which it is easy to see which hosts are currently under control.
Each HTTP Agent and DNS Agent has a detail page where commands can be issued to the compromised host and files uploaded or downloaded. The DNS Agent here may incorporate some features of Glimpse, which is described in detail below.
For compromised hosts, APT34 uses a default BAT remote control script to collect host information. It is very thorough and covers the system, users, groups, domain, specific registry keys, scheduled tasks, antivirus software and so on.
3.Webmask
This tool is deployed mainly on the attacker's server. It implements a DNS proxy that hijacks specific DNS domain names and points them to the local server by default, implements an HTTP/HTTPS proxy through Squid3 + ICAP, and steals sensitive information such as the victim's account passwords.
dns-redir directory:
dnsd.py: DNS proxy forwarding script
config.json: configuration file
dnsd.js: a DNS proxy script in JS, similar in function to dnsd.py.
A screenshot of the locally simulated DNS proxy feature is shown below:
icap directory:
icap.py: used together with Squid3 to build an HTTP/HTTPS proxy and record the sensitive data passing through the proxy locally.
squid.conf configuration file:
Squid3 + ICAP implements a transparent proxy server, and the icap.py script extracts passwords and other sensitive data and records them in a local log file.
Hijacking code is added to the icap script's response_body handler to load a specified image element in the victim's browser.
4.Glimpse
Glimpse is a DNS remote control tool, which is mainly divided into three parts: Agent, Panel and Server. Judging from some code in Glimpse Server, some of its functions may coincide with poison frog, such as the way commands are issued.
In general, Glimpse is very similar to the poison frog described above. In the leaked information, we are also given the use of Glimpse.
4.1 Agent
Likewise, Agent in Glimpse is a backdoor program that runs on the compromised host; its main functions are accepting commands and uploading and downloading files.
Agent uses the C:\Users\Public\Libraries directory on the host as its working directory. Files are sent and received in a subdirectory under this directory.
Agent can work in two modes, one is ping mode, the other is text mode.
Ping mode is mainly used to exchange host information. The text mode is equivalent to the internal protocol mode of Agent and Server, and can accept internal instructions.
4.2 Panel
Panel is used to check the status of the master controller: it shows how many compromised hosts are under control, and commands can be sent to the compromised hosts from here.
As shown, a command is sent to the compromised host through the Panel and the result is returned.
4.3 Server
Server is the main control terminal, which communicates through DNS tunneling protocol and can respond to ping mode messages or TXT mode commands sent by Agent. At the same time, it also sends commands to Agent in TXT mode. Judging from the code style in some places, Glimpse and poison frog should be the work of the same team.
The Server side supports more TXT mode protocol commands, and we can briefly take a look at the meaning of these commands.
```javascript
if (action == 'M') {
    // in this place we check the request for type of connection ping or text type
} else if (action == 'W') {
    // in this place we check the request type if its text we response it
} else if (action == 'D') {
} else if (action == '0') {
    // ctrl[0] => action, if 0 = is there any file
} else if (action == '1') {
    // ctrl[0] => action, if 1 = sending the file
} else if (action == '2') {
    // ctrl[0] => action, if 2 = receiving the file
}
```
IOCs
MD5:
cd0bbff03ce7946cd7c9dc339726d90a
9d3d8fe14927172ca5546bdb95d94762
5e17061bf2dce87d402ddd8531abb49f
Domain name: myleftheart.com
IP: 11.24.237.110
Protection measures
1. Do not casually open suspicious files, such as emails, suspicious links, suspicious documents and so on.
2. Install system patches promptly and use the latest version of the software.
3. Install antivirus software and update the virus database promptly.
The above is how to analyze the report on the leaked APT34 attack tools. The editor believes it contains knowledge points that we may encounter or use in our daily work, and hopes you can learn more from this article. For more details, please follow the industry information channel.