2025-04-05 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)05/31 Report--
This article walks through the analysis of an APT32 sample: a malicious Office document whose macros load shellcode and a backdoor DLL in memory.
Basic information
Sample MD5: bb3306543ff*9372bb3c72712
Sample file size: 3.29 MB (3449856 bytes)
Sample type: backdoor program
Sample description: Office malicious macro loading a Trojan module
Analysis time: December 2, 2019
The malicious document carries three pieces of malicious macro code. The main function of the macros is to load into memory and execute the Shellcode that is stored in the document as a hexadecimal stream.
The Shellcode extracts a DLL Trojan, {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll, from its own body and then calls the DLL's export function DllEntry, which releases two further DLL files in memory that handle network communication. These two files support HTTP, HTTPS and UDP communication and are used to establish a connection with the C2 server and receive control instructions.
Note: the name {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll is identical to the DLL name of a previously analyzed APT32 sample, the Shellcode obfuscation and the in-memory loading technique are similar, and the extracted IOCs also belong to the APT32 group, so this sample is judged to be related to APT32.
2.2 Deceptive execution
In this attack, malicious macro code is used to load the malicious modules. The document is disguised as a 360 security prompt to win the user's trust and trick the user into enabling the macros.
2.3 Malicious macro analysis
A total of three pieces of malicious macro code are embedded in the document: the first is stored in the default Office macro location, while the second and third are stored at the beginning of the document as hexadecimal streams.
The first macro (the initial macro) reads the second macro from the hexadecimal stream at the beginning of the document, loads it dynamically and calls its entry function x_N0th2ngH3r3().
The second macro reads the third macro from the hexadecimal stream at the beginning of the document, loads it dynamically and calls its entry function x_N0th2ngH3r3().
The third macro loads the Shellcode stored as a hexadecimal stream in the document into memory by creating a remote thread in the WINWORD process.
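To triage a document for the hex-stream staging described above, the following added example (not code from the original article) scans a file for long runs of hex digits, decodes each run and labels it by the traits the analysis names: the macro entry function x_N0th2ngH3r3, the embedded DLL export name, and an MZ header. The 64-pair length threshold and the sample document are constructed assumptions.

```python
import re

# Indicators quoted from the analysis above; every other value in this file is constructed.
MACRO_ENTRY = b"x_N0th2ngH3r3"
DLL_EXPORT_NAME = b"{A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll"

def find_hex_streams(data: bytes, min_pairs: int = 64):
    """Return (offset, decoded_bytes) for every run of hex digits long enough
    to be a smuggled payload rather than an ordinary hex value (threshold assumed)."""
    pattern = re.compile(rb"(?:[0-9A-Fa-f]{2}){%d,}" % min_pairs)
    return [(m.start(), bytes.fromhex(m.group().decode("ascii")))
            for m in pattern.finditer(data)]

def classify_payload(blob: bytes) -> list:
    """Label a decoded stream by the traits the analysis describes."""
    tags = []
    if blob.startswith(b"MZ"):
        tags.append("pe-image")          # a PE header smuggled as text
    if MACRO_ENTRY in blob:
        tags.append("vba-stage")         # second or third macro stage
    if DLL_EXPORT_NAME in blob:
        tags.append("embedded-dll")      # shellcode carrying the backdoor DLL
    return tags

def scan_document(data: bytes) -> list:
    """Report (offset, decoded length, labels) for each hex stream in a document."""
    return [(off, len(blob), classify_payload(blob))
            for off, blob in find_hex_streams(data)]

# Constructed stand-in for a weaponised document: plain text, then a hex-encoded
# VBA stage and a hex-encoded blob shaped like the shellcode with the DLL inside.
STAGE2 = (b"Attribute VB_Name = \"Module1\"\r\n"
          b"Sub " + MACRO_ENTRY + b"()\r\n  ' stage loader\r\nEnd Sub\r\n").ljust(128, b"\x00")
SHELLCODE = b"MZ" + b"\x90" * 100 + DLL_EXPORT_NAME + b"\x00" * 16
SAMPLE_DOC = (b"Normal document text 0x41 cafe\r\n"
              + STAGE2.hex().encode() + b"\r\nmore text\r\n"
              + SHELLCODE.hex().encode() + b"\r\n")

if __name__ == "__main__":
    for offset, size, tags in scan_document(SAMPLE_DOC):
        print(f"offset={offset} decoded_bytes={size} tags={tags}")
```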
2.4 Shellcode analysis
The core function of the Shellcode is to extract a DLL file from its own body, load the DLL in memory and then call the DLL's export function DllEntry. The following figure shows the modified PE header data:
After dumping the Shellcode from memory and opening it in LordPE, the export name of the file can be seen to be {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll, as shown below:
2.5 Analysis of {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll
The decrypted DLL contains an encrypted resource:
When the DLL runs, it first retrieves and decrypts this resource. The decrypted resource contains the Trojan's configuration information and the two network-communication DLLs that support HTTP, HTTPS and UDP. The following figure shows the decrypted resource:
The data structure of the resource is as follows:
2.6 Communication analysis
The communication channel is established to 45.122.138.31, the resolved address of the C2 domain decrypted from the resources of {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll. The backdoor sends an online notification to the C2 server using an HTTP POST request and then receives instructions from the C2 side to control the target host.
2.7 Backdoor functionality
Create processes
Create and delete directories
Search, read, write, create and delete files
Read and write the registry
2.8 IOC
Cloud.360cn.info
Dns.chinanews.network
Aliexpresscn.net
Chinaport.org
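The domains listed above and the C2 address from section 2.6 can be turned into a simple proxy-log check; the following is an added example, not code from the article, and the log line format and sample records are constructed. It matches exact IOC domains and their subdomains while rejecting look-alike hosts that merely contain an IOC as a prefix, and it flags POST requests to the C2 address as the online notification described in section 2.6.

```python
from urllib.parse import urlsplit

# Indicators quoted from the report above; everything else in this file is constructed.
IOC_DOMAINS = {"cloud.360cn.info", "dns.chinanews.network",
               "aliexpresscn.net", "chinaport.org"}
C2_IPS = {"45.122.138.31"}

def host_matches(host: str) -> str:
    """Return a reason string if host is a C2 IP, an IOC domain or one of its
    subdomains; an empty string otherwise (so 'chinaport.org.evil.test' is not a hit)."""
    host = host.strip().rstrip(".").lower()
    if host in C2_IPS:
        return "c2-ip"
    if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
        return "ioc-domain"
    return ""

def scan_proxy_log(lines) -> list:
    """Return (client, method, host, reason) for each record touching the IOC set.
    Constructed record format: '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue                      # skip malformed or truncated records
        _ts, client, method, url = parts[:4]
        host = urlsplit(url).hostname or ""
        reason = host_matches(host)
        if reason == "c2-ip" and method.upper() == "POST":
            reason = "c2-beacon"          # the HTTP POST online notification
        if reason:
            hits.append((client, method, host, reason))
    return hits

# Constructed sample log; one benign line, one beacon, one subdomain hit, one look-alike.
SAMPLE_LOG = """2019-12-02T09:00:01Z 10.0.0.12 GET http://www.example.com/index.html 200
2019-12-02T09:00:07Z 10.0.0.12 POST http://45.122.138.31/ 200
2019-12-02T09:01:15Z 10.0.0.20 GET https://update.Cloud.360cn.info/check 200
2019-12-02T09:02:00Z 10.0.0.31 GET https://chinaport.org.evil.test/ 200""".splitlines()

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```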
III. Trend
APT32, also known as OceanLotus, is a Vietnamese hacking group that focuses on foreign companies with close ties to Vietnam, mainly in cyber security, manufacturing, media, banking, hotels, technology infrastructure and consulting, and steals information such as trade secrets, confidential conversation logs and project plans. Its usual method is to send carefully crafted phishing emails, combined with watering-hole attacks and enticing malicious attachments, to implant a backdoor or other malware on the target. The malicious document analyzed in this article was the attachment of a phishing email received by a customer.
Tracking of APT32 shows that the group has started using cloud-based email analytics to monitor and track the delivery of its mail, and is gradually adopting the latest techniques to achieve its goals. People working in sensitive industries should therefore stay vigilant and verify the legitimacy of any document of unknown origin before opening it.
This concludes the APT32 sample analysis.
© 2024 shulou.com SLNews company. All rights reserved.