2025-04-06 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
APT-C-12's latest attack samples and an analysis of their command-and-control (C&C) mechanism: many newcomers are not clear on this, so the editor below explains it in detail for anyone who needs it. I hope you gain something from it.
Background
After the company disclosed the background of the APT-C-12 attack group and further technical details of its targeted attacks, the Threat Intelligence Center recently observed new attacks carried out by the group. This article is a detailed analysis of the relevant technical details.
Sample analysis
Bait file
In its recent attack activity, APT-C-12 used a lure document disguised as a "brief introduction to the investment status and cooperation intention of the China Federation of Light Industry". Judging from the group's past attack methods, the bait document was delivered by spear-phishing email.
As shown in the figure below, the bait file is disguised with a folder icon. When it is executed, a folder containing the decoy document and images is opened, while the actual malicious payload has already executed in the background.
When the bait file runs, it decrypts and drops four files: two are the decoy document and image mentioned above, and the other two are malicious .tmp files.
The malicious .tmp files are dropped to the following paths:
%temp%\unicode32.tmp
%appdata%\WinRAR\update.tmp
Finally, the dropped unicode32.tmp file is loaded via LoadLibraryW.
Unicode32.tmp
Unicode32.tmp is a loader whose main purpose is to load update.tmp. As shown in the figure below, it loads update.tmp through rundll32.exe and calls its export function jj.
Once update.tmp has been loaded, the exe program that was loaded and the loader itself are deleted.
Update.tmp
The file is a DLL with an export function named jj.
It first collects information from the target host:
Gets the system version information.
Calls CreateToolhelp32Snapshot to enumerate the system's processes.
Calls GetAdaptersInfo to obtain the MAC address of the network adapter.
Determines whether the current system is 32-bit or 64-bit.
Reads installed-program information from the registry and formats it with the prefix "ISL".
Reads DisplayName and DisplayVersion from the registry and formats them as "%s":{"ND":"%s","DV":"%s"}.
Once the information has been collected, the check-in information is first sent to the control server.
It then gets the tmp directory, creates an AdobeNW directory in it, and downloads AdobeUpdate.tmp, the second-stage payload (actually a DLL), from the control server.
Finally, it calls rundll32 to start the DLL's export function MainFun and, if the process is created successfully, reports back to the server.
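As an added detection example (not code from the article or from the analysts), the Python logic below runs over constructed process-creation command lines and flags rundll32 launches that load a .tmp module from a user-writable path and call the exports named in this analysis (jj, MainFun). The log format, user name and sample paths are assumptions constructed for the example; the two-signal threshold is a design choice so that a lone DLL in a Temp path does not fire by itself.

```python
"""Added example: detection logic for the rundll32 loading pattern described
in the analysis. The event lines are constructed, not real telemetry."""
import re
from typing import Dict, List

# Constructed process-creation command lines (not captured from a real host).
SAMPLE_EVENTS: List[str] = [
    r"rundll32.exe C:\Users\alice\AppData\Roaming\WinRAR\update.tmp,jj",
    r"rundll32.exe C:\Users\alice\AppData\Local\Temp\AdobeNW\AdobeUpdate.tmp,MainFun",
    r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r"notepad.exe C:\Users\alice\Documents\notes.txt",
    r"rundll32.exe C:\Program Files\Vendor\helper.dll,Init",
]

# rundll32 <module>,<export>; the module may be quoted and may contain spaces.
RUNDLL_RE = re.compile(
    r'(?i)\brundll32(?:\.exe)?\s+"?(?P<module>[^,"]+?)"?\s*,\s*(?P<export>\S+)'
)
# User-writable locations the dropper and stager write to (from the analysis).
USER_WRITABLE_RE = re.compile(r"(?i)\\(?:AppData\\(?:Roaming|Local)|Temp)\\")
# Export names reported for the sample's DLL stages.
REPORTED_EXPORTS = {"jj", "mainfun"}


def classify(cmdline: str) -> Dict[str, object]:
    """Score one command line; two independent signals are needed to flag it."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return {"cmdline": cmdline, "suspicious": False, "reasons": []}
    module, export = m.group("module"), m.group("export")
    reasons = []
    if module.lower().endswith(".tmp"):
        reasons.append("module has .tmp extension")
    if USER_WRITABLE_RE.search(module):
        reasons.append("module loaded from user-writable path")
    if export.lower() in REPORTED_EXPORTS:
        reasons.append(f"export {export} matches reported sample")
    return {
        "cmdline": cmdline,
        "module": module,
        "export": export,
        "suspicious": len(reasons) >= 2,
        "reasons": reasons,
    }


def scan(events: List[str]) -> List[Dict[str, object]]:
    """Return only the events that meet the two-signal threshold."""
    return [r for r in map(classify, events) if r["suspicious"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["module"], hit["export"], "; ".join(hit["reasons"]))
```

Run against the constructed events, the first two lines are flagged with all three reasons, while the legitimate shell32.dll and Program Files entries produce no signal at all.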
AdobeUpdate.tmp
AdobeUpdate.tmp is a DLL; its export function MainFun is invoked by the first-stage Trojan DLL.
It first traverses files with the .tmp suffix under %USERPROFILE%\AppData and deletes them.
It then reads configuration information from the tail of its own file and decrypts it. The trailer has the following layout:
Encrypted configuration information, including an identification ID, the control server address, the encrypted IV and KEY, and the Mutex name
4-byte length of the encrypted configuration
17-byte decryption key
For example, the KEY for the configuration file shown above is sobcsnkciatwiffi, and the decryption algorithm is as follows:
The decrypted configuration file is as follows:
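The following is an added example, not the sample's own code and not from the article, that splits a trailer laid out as described above (encrypted config, 4-byte length, 17-byte key, read from the end of the file backwards) into its fields for triage. Two assumptions the page does not state are labelled in the code: the length field is little-endian, and the 17-byte key field holds a 16-character key followed by a NUL byte. The decryption algorithm is not reproduced on this page, so the example stops at field extraction; the key string is the one quoted above, used purely as sample input, and the ciphertext bytes are constructed.

```python
"""Added example: split a file trailer laid out as the analysis describes
(reading from the end of the file backwards):
    [encrypted config][4-byte config length][17-byte decryption key]
Assumptions, not stated on the page: the length field is little-endian, and
the 17-byte key field holds a 16-character key followed by a NUL byte. The
decryption algorithm itself is not reproduced here."""
import struct
from typing import Tuple

KEY_FIELD_LEN = 17   # size of the key field at the very end of the file
LEN_FIELD_LEN = 4    # size of the length field preceding it

# Key string quoted in the analysis, used here only as sample input.
SAMPLE_KEY = b"sobcsnkciatwiffi"
# Constructed opaque bytes standing in for the encrypted configuration.
SAMPLE_CIPHERTEXT = bytes(range(0x20, 0x40))


def build_trailer(ciphertext: bytes, key: bytes) -> bytes:
    """Append a trailer in the described layout to produce test input."""
    if len(key) != KEY_FIELD_LEN - 1:
        raise ValueError("key must be exactly 16 bytes")
    return ciphertext + struct.pack("<I", len(ciphertext)) + key + b"\x00"


def parse_trailer(blob: bytes) -> Tuple[bytes, bytes]:
    """Return (encrypted_config, key) taken from the tail of a file image.

    Sizes are checked so a truncated or tampered trailer raises instead of
    silently slicing the wrong bytes."""
    if len(blob) < KEY_FIELD_LEN + LEN_FIELD_LEN:
        raise ValueError("blob too short to contain a trailer")
    key_field = blob[-KEY_FIELD_LEN:]
    len_field = blob[-(KEY_FIELD_LEN + LEN_FIELD_LEN):-KEY_FIELD_LEN]
    (cfg_len,) = struct.unpack("<I", len_field)  # little-endian: assumption
    body_end = len(blob) - KEY_FIELD_LEN - LEN_FIELD_LEN
    if cfg_len > body_end:
        raise ValueError("length field exceeds available data")
    encrypted_config = blob[body_end - cfg_len:body_end]
    key = key_field.rstrip(b"\x00")  # strip the assumed NUL terminator
    return encrypted_config, key


def sample_image() -> bytes:
    """A constructed stand-in for the DLL image: filler bytes plus the trailer."""
    return b"MZ" + b"\x90" * 62 + build_trailer(SAMPLE_CIPHERTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    cfg, key = parse_trailer(sample_image())
    print(len(cfg), "bytes of encrypted config, key =", key.decode())
```

Because the length field is validated against the bytes actually present, a truncated image (for example one cut off by a partial download) raises a ValueError rather than returning a mis-sliced configuration.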
It queries the MyApp registry key under HKEY_CURRENT_USER for a FirstExec value, and uses whether that string is "no" to decide if the DLL is being executed for the first time.
If this is not the first execution, it polls the control server for commands; otherwise it traverses document files on drives C: through F: and saves the results in list_tmp.txt in the temp folder.
The document types searched for are .ppt, .pptx, .pdf, .xls, .xlsx, .doc, .docx, .txt, .wps and .rtf; for each file it records the path, creation time and file size.
The following figure shows the format of the written data (file path, creation time, file size):
list_tmp.txt is then AES-encrypted and uploaded to the control server:
Then the FirstExec registry flag is set:
The AdobeUpdate.dll Trojan implements a rich set of command-and-control instructions: it fetches a file containing control commands from the control domain, decrypts and parses it locally, and then executes the commands.
Each instruction consists of * followed by the instruction number. The control instructions are:
*1 execute a cmd command
*2 update the AppName configuration
*3 file upload
*4 file download
*5 update the control domain
*7 upload document file list information
*8 execute a dll or exe file
*9 file deletion
*10 upload information on a specified file list
*11 retain the control infrastructure
The malicious code used in APT-C-12's recent activity uses a subdomain under applinzi.com as its control domain; this domain is hosted on the Sina App Engine (SAE) cloud service.
We tested by registering an SAE account: applications created there can be used free of charge for more than 10 days, and deployment in multiple development languages is supported.
We tried connecting to its control server, but its backend handler had thrown an error. From the returned error message, we could tell that the backend application deployed by the group was written in Python and uses Flask as its web service framework.
SAE control protocol
For the SAE-deployed application, the group implements an access protocol made up of four functions: put, info, get and del.
put is used to upload files:
get is used to obtain files:
info is used to obtain information:
del is used to delete files:
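The following is an added hunting example, not code from the article, that runs over constructed proxy-log lines and flags requests to applinzi.com subdomains whose path names one of the four protocol functions listed above (put, info, get, del). The article names the functions and the parent domain but does not show how the function is encoded in the URL, so treating it as the last path segment is an assumption made for this example; the app name example-app, client addresses and log format are likewise constructed.

```python
"""Added example: hunt constructed proxy-log lines for the SAE-hosted control
channel described in the analysis. Treating the protocol function as the last
URL path segment is an assumption; the page does not show the URL layout."""
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import urlsplit

PROTOCOL_FUNCTIONS = {"put", "info", "get", "del"}
SAE_PARENT_SUFFIX = ".applinzi.com"

# Constructed proxy log lines: "<client> <method> <url> <status>".
SAMPLE_LOG: List[str] = [
    "10.0.0.5 POST http://example-app.applinzi.com/put 200",
    "10.0.0.5 GET http://example-app.applinzi.com/info?id=abc 200",
    "10.0.0.7 GET http://www.example.com/get 200",
    "10.0.0.5 GET http://example-app.applinzi.com/static/logo.png 200",
    "10.0.0.9 GET http://applinzi.com.example.net/del 404",
    "10.0.0.5 GET http://example-app.applinzi.com/del 200",
]

LINE_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Break one log line into client, host and the last path segment."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    segments = [s for s in parts.path.split("/") if s]
    return {
        "client": m.group("client"),
        "host": (parts.hostname or "").lower(),
        "function": segments[-1].lower() if segments else "",
        "status": m.group("status"),
    }


def is_sae_subdomain(host: str) -> bool:
    """True for <app>.applinzi.com; a suffix check on the parsed hostname
    avoids matching look-alike hosts such as applinzi.com.example.net."""
    return host.endswith(SAE_PARENT_SUFFIX)


def find_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Records whose host is an SAE app and whose path names a protocol function."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_sae_subdomain(rec["host"]) and rec["function"] in PROTOCOL_FUNCTIONS:
            hits.append(rec)
    return hits


def functions_per_client(lines: List[str]) -> Dict[str, List[str]]:
    """Sorted distinct protocol functions seen per client; one client touching
    several of them is a stronger signal than a single matching request."""
    seen = defaultdict(set)
    for rec in find_hits(lines):
        seen[rec["client"]].add(rec["function"])
    return {client: sorted(funcs) for client, funcs in seen.items()}


if __name__ == "__main__":
    for client, funcs in functions_per_client(SAMPLE_LOG).items():
        print(client, "->", ", ".join(funcs))
```

The per-client summary is what an analyst would pivot on: a single host that has used put, info and del against the same SAE application looks like the beacon-and-tasking cycle described above, whereas an isolated request for a static asset on the same domain does not.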
Having earlier found that the group uses the Digital Ocean cloud service as its command-and-control and callback channel, the Threat Intelligence Center has now also found that it uses the domestic cloud service SAE to build its control and callback infrastructure. This lowers the cost of the attack to a certain extent, while also increasing the difficulty of analysis and attribution.