
New sample and correlation analysis of the Hailianhua (OceanLotus) APT group's exploitation of CVE-2017-8570

2025-01-19 Update From: SLTechnology News&Howtos (Network Security)


Shulou(Shulou.com)05/31 Report--

This article describes how to analyze a new sample from the Hailianhua (OceanLotus) APT group that exploits CVE-2017-8570, and how to correlate it with related infrastructure. The editor considers it very practical and shares it here; we hope you gain something from reading it. Without further ado, let's take a look.

Preface

The OceanLotus (Hailianhua) APT group is a highly organized, professional overseas state-sponsored hacking organization, first discovered and disclosed by the 360 Tian Eye Lab. Since at least April 2012 the group has conducted organized, planned and targeted long-term attacks against the Chinese government, scientific research institutes, maritime agencies, maritime construction, shipping enterprises and other important sectors.

Recently, the 360 Threat Intelligence Center captured the group's latest attack sample; analysis showed that it uses a Microsoft Office vulnerability to deliver malicious code. After analyzing the sample in detail and pivoting on the related communication infrastructure, we found a number of new samples, domain names and IP addresses. Combined with other information held by the 360 Threat Intelligence Center, these form a larger piece of the puzzle.

Sample analysis

MD5:72bebba3542bd86dc68a36fda5dbae76

File name: MonthlyReport 03.2018.doc

The sample is an RTF document that exploits the Office vulnerability CVE-2017-8570 to execute a VBS script. The script decrypts and executes a DLL file and a piece of shellcode; the shellcode in turn decrypts the Trojan's main module and loads it into memory for execution.

CVE-2017-8570

Three Package objects are embedded in the RTF document, corresponding to VXO53WRTNO.000, fonts.vbs and 3N79JI0QRZHGYFP.sct:

There is also an OLE2Link object that carries the CVE-2017-8570 exploit. After de-obfuscation it looks as follows:

The Package object contains the original path of the file: C:\Users\HNHRMC\AppData\Local\Temp\VXO53WRTNO.000

After the vulnerability is triggered, 3N79JI0QRZHGYFP.sct is launched; this script runs the fonts.vbs script through CMD.EXE:

Fonts.vbs

The fonts.vbs file acts as a loader. When executed, it first reads the contents of VXO53WRTNO.000 from the Temp directory into memory, Base64-decodes the data and then AES-decrypts it to obtain the shellcode. It then decrypts its own hard-coded Load_dll in the same way, loads Load_dll dynamically, instantiates the sHElla object, and finally executes the shellcode by calling the sHElla.forebodinG(shellcode) method:

Load_dll

The forebodinG method in Load_dll copies the received shellcode into newly allocated memory and converts the memory address into a delegate, which is then invoked to execute it:

ShellCode

The shellcode extracts a PE file embedded in itself and then loads that PE file into memory for execution. The export name of the PE file is {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll. The following figure shows the repaired PE header data:

Export name information of the dumped DLL file:

{A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll

The decrypted DLL's resource section contains an encrypted resource file:

When the DLL runs, it first retrieves this resource and decrypts it with RC4:

The decrypted resource contains the Trojan's configuration information and three DLL files related to network communication, which support HTTP, HTTPS and UDP communication respectively. The following figure shows the decrypted resource:

After analysis, the data structure of the configuration is as follows:

The DLL then loads the three decrypted network DLLs in memory, collects local host information and combines it with the three domain names icmannaws.com, orinneamoure.com and ochefort.com to form the second-level domain names used for network communication. Finally, it accepts instructions from the controller to provide the following remote-control functions:

- file management
- process creation
- shellcode execution
- registry management
- setting environment variables

Example of a generated second-level domain name:

Nnggmpggmeggidggnjggnjggjnggmfggmfggnhggjpggmfggmmggmhggmfgg.ijmlajok.icmannaws.com

DNS communication request sent by the sample:

Online domain name generation algorithm

The sample's check-in domain string consists of two parts: one generated from the computer's host name, the other from a 4-byte sample version ID, 0x2365a384. The generation algorithm first converts the computer name (in Unicode encoding) to lowercase, then converts those bytes in memory into a hex string, and then examines each byte of the hex string: if it lies between 0x2f and 0x3a, 0x30 is subtracted from it to obtain an index into the encoding table (ghijklmnop), and the byte is replaced by the character at that index; bytes outside that range are left unchanged.

Using Python to restore its generation algorithm is as follows:

Generate the online domain name of the test machine:
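The report's own Python listing did not survive extraction. The block below is an added re-implementation written from the description above; it is not the report's code and not the sample's code. It encodes a host name the way the algorithm describes, decodes an observed label back to the host name and version ID (the direction a responder actually needs when reading DNS logs), and runs that decoder over a few constructed log lines. The encoding table ghijklmnop, the version ID 0x2365a384 and the C2 domain icmannaws.com come from the page; the log lines are constructed, and the host name WIN-SS7OOQ9OFAO is not on the page but is what decoding the sample label shown above yields (the algorithm lowercases it first). Note that the UTF-16LE encoding of an ASCII host name puts a zero byte after every character, which is why every four-character group of the host label ends in "gg"; the decoder uses that shape, plus the restricted alphabet a-p, as a cheap first filter.

```python
# Added example (editor's reimplementation, not the sample's or the report's own code):
# encoder, decoder and DNS-log triage helper for the check-in subdomain scheme
# described in the report. Constants below are taken from the report text.
import re

ENCODE_TABLE = "ghijklmnop"   # index 0..9 -> 'g'..'p' (from the report)
VERSION_ID = 0x2365a384       # 4-byte sample version ID (from the report)
DECODE_TABLE = {c: str(i) for i, c in enumerate(ENCODE_TABLE)}


def encode_hex(hex_str: str) -> str:
    """Replace each hex digit '0'-'9' (0x30..0x39) by ENCODE_TABLE[digit]; leave 'a'-'f' alone."""
    out = []
    for ch in hex_str:
        b = ord(ch)
        if 0x2f < b < 0x3a:                 # the report's "between 0x2f and 0x3a"
            out.append(ENCODE_TABLE[b - 0x30])
        else:
            out.append(ch)                  # hex letters a-f pass through unchanged
    return "".join(out)


def host_label(computer_name: str) -> str:
    """Host part: lowercase -> UTF-16LE bytes -> lowercase hex string -> table encoding."""
    raw = computer_name.lower().encode("utf-16-le")
    return encode_hex(raw.hex())            # bytes.hex() is lowercase, matching the sample


def version_label(version_id: int = VERSION_ID) -> str:
    """Version part: the 4-byte ID written as 8 hex digits, then table encoding."""
    return encode_hex(f"{version_id:08x}")


def checkin_domain(computer_name: str, c2: str, version_id: int = VERSION_ID) -> str:
    """Full check-in FQDN: <host label>.<version label>.<c2 domain>."""
    return f"{host_label(computer_name)}.{version_label(version_id)}.{c2}"


def decode_label(label: str) -> bytes:
    """Inverse of encode_hex followed by un-hexing."""
    hex_str = "".join(DECODE_TABLE.get(ch, ch) for ch in label.lower())
    return bytes.fromhex(hex_str)


def decode_checkin(fqdn: str):
    """Return (computer_name, version_id, c2_domain) if fqdn has the check-in shape, else None."""
    parts = fqdn.lower().rstrip(".").split(".")
    if len(parts) < 4:
        return None
    host_l, ver_l = parts[0], parts[1]
    # Both labels use only hex letters a-f plus table letters g-p. The host label
    # encodes UTF-16LE, so its length is a multiple of 4 (2 bytes -> 4 hex digits);
    # the version label is exactly 8 digits for a 4-byte ID.
    if not re.fullmatch(r"[a-p]+", host_l) or len(host_l) % 4:
        return None
    if not re.fullmatch(r"[a-p]{8}", ver_l):
        return None
    try:
        name = decode_label(host_l).decode("utf-16-le")
        version = int(decode_label(ver_l).hex(), 16)
    except (ValueError, UnicodeDecodeError):
        return None
    if not name.isprintable():
        return None
    return name, version, ".".join(parts[2:])


# Constructed DNS log lines (not real traffic): "<timestamp> <client> <qname>"
SAMPLE_LOG = """\
2018-03-12T08:01:02Z 10.0.0.15 www.example.com
2018-03-12T08:01:05Z 10.0.0.15 nnggmpggmeggidggnjggnjggjnggmfggmfggnhggjpggmfggmmggmhggmfgg.ijmlajok.icmannaws.com
2018-03-12T08:01:09Z 10.0.0.22 mail.example.org
"""


def triage(log_text: str):
    """Scan log lines and return one record per query that decodes as a check-in."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        decoded = decode_checkin(fields[2])
        if decoded:
            name, version, c2 = decoded
            hits.append({"client": fields[1], "host": name,
                         "version": f"0x{version:08x}", "c2": c2})
    return hits


if __name__ == "__main__":
    print(checkin_domain("WIN-SS7OOQ9OFAO", "icmannaws.com"))
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

The shape filter alone is not a detection: short ordinary labels such as "mail" also fall inside a-p and have a length that is a multiple of 4, so a match should be confirmed by a successful UTF-16 decode to a printable host name and, ideally, by the parent domain appearing in the IOC list at the end of the report.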

Development

Based on the three C2 addresses obtained from the sample analysis above, we confirm that this is an attack by the Hailianhua APT group. Using the data platform of the 360 Threat Intelligence Center, we further expand on this information to mine more intelligence. (For all related information from this expansion, see the IOC section.)

Use 360 threat intelligence platform to expand attack clues

Searching for one of the C&C addresses, icmannaws.com, in the threat intelligence analysis platform gives the following output page:

The information in the upper left corner shows that the Threat Intelligence Center has tagged the domain name as Hailianhua, while the lower left corner lists security reports related to the domain name. Clicking through, we see that this is the analysis report published by the antivirus company ESET in March this year on a new Hailianhua sample, which covers 2 of the 3 C2 domain names in this sample.

Searching again with an IP address shared by ESET, 164.132.45.67, turns up a large number of domain names related to Hailianhua. Some of these domain names cannot be found on other threat intelligence platforms, and all of them have resolved to 164.132.45.67:

In this way, starting from the domain name in a single sample and following the associations provided by the threat intelligence platform, we eventually uncovered previously unknown samples and C&C infrastructure.

IOC

C&C:
icmannaws.com
ochefort.com
orinneamoure.com
164.132.45.67:46405

Associated domain names:
alyerrac.com
arkolau.com
avidorber.com
eabend.com
eoneorbin.com
houseoasa.com
maerferd.com
oftonlos.com
ollyirth.com
rtrand.com
vieoulden.com
addrolven.com
adisonas.com
airthorne.com
ajeunes.com
alabrese.com
ameronda.com
ansomesa.com
aressers.com
arhcharad.com
atharin.com
atriciasert.com
bernadethilipp.com
caitlisserand.com
colettrombly.com
cosetarber.com
denones.com
deraller.com
dericalb.com
earlase.com
eoilson.com
ernieras.com
forteauld.com
harlierase.com
harlottedf.com
hustertea.com
imberly.com
indianmpkinson.com
intyretre.com
itchelloth.com
jereisenberg.com
karernier.com
lausarieur.com
lexishaves.com
licailliam.com
licaolf.com
lijahrey.com
llarduchar.com
lleneuve.com
lteraycock.com
lyolbert.com
martindicken.com
mesacha.com
mesarigna.com
namshionline.com
naudeafre.com
normolen.com
nteagleori.com
obillard.com
oderic.com
odyluet.com
oftsoa.com
oltzmann.com
onnoriegler.com
osephes.com
othschild.com
ouxacob.com
peverereal.com
phieuckson.com
rcheterre.com
riceinton.com
rieuenc.com
righteneug.com
rigitteais.com
rookersa.com
rosveno.com
ryeisasw.com
saachumpert.com
shuareu.com
stellefaff.com
stianois.com
svenayten.com
teffenick.com
ucharme.com
ucinda.com
ugdale.com
vaupry.com

Samples (MD5):
6ecb19b51d50af36179c870f3504c623 (Report 06-03-2018.exe)
109cd896f8e13f925584dbbad400b338 (02 Meeting Report for Mar-2018 Cambodia.xls.exe)
72bebba3542bd86dc68a36fda5dbae76 (Monthly Report 03.2018.doc)
a08b9a984b28e520cbde839d83db2d14 (AcroRd32.exe)
877ecaa43243f6b57745f72278965467 (WinWord.exe)
87d108b2763ce08d3f611f7d240597ec (GoogleUpdateSetup.exe)
5f69999d8f1fa69b57b6e14ab4730edd (Invitation for CTTIC khmer.docx.exe)

Since 2015, the Threat Intelligence Center has intercepted and analyzed several new Hailianhua samples and their corresponding communication infrastructure. The related information is available on the Threat Intelligence Center's data platform (https://ti.360.net/); registered users who query the relevant IOC elements immediately see the tag information produced by the platform, which helps security analysts discover and correlate valuable intelligence on APT attacks in time.

The above is how to analyze a new Hailianhua APT sample exploiting CVE-2017-8570 and correlate it with related infrastructure. The editor believes it contains knowledge points that we may encounter or use in our daily work, and hopes you can learn more from this article. For more details, please follow the industry information channel.


© 2024 shulou.com SLNews company. All rights reserved.
