Emissary Panda HTTP Listener

Recently, Palo Alto’s Unit42 and Saudi NCSC detailed multiple intrusions against Middle Eastern government targets in which an attacker (purportedly Emissary Panda, a suspected Chinese state-sponsored adversary) compromised vulnerable Microsoft SharePoint servers and deployed a variety of intrusion tools, both public and custom.**

This blog post briefly documents characteristics and capabilities of one such tool, an HTTP listener (first identified by NCSC-SA), deployed at several of these sites. There are multiple versions of this listener with different command names; however, the functionality of each command is the same in each file.


**Note: Unit42 reporting does not definitively state that this activity belongs to a single threat actor given the use of publicly available tools but rather offers this as a possible assessment; for simplicity, this blog post treats this activity as belonging to a single attacker but acknowledges that this is an important analytical caveat.

Read more “Emissary Panda HTTP Listener”

“Filesnfer” Tool (C#, Python)

On 6 May 2019, Symantec published reporting on a series of tools possibly used by APT3 (or a broader China-based espionage apparatus), including a previously publicly unreported backdoor dubbed “Filesnfer.”* Several hashes were made available for this malware, including one for a variant written in C++, one for a variant written in Python (compiled via Py2Exe), and one purportedly written in PowerShell.

The hash for the PowerShell file is unavailable on VirusTotal; however, analysis of the Python code can be used to identify a different file uploaded to the Hybrid Analysis platform that is delivered via a PowerShell loader, written in C#, and contains significant code-level and unique-string overlaps with the Python variant. This file was also not made available for download on the platform, but the strings for the loaded C# code in this sandbox run are enough to find an additional sample of the entire decompiled code on VirusTotal.

This blog contains a brief technical overview of each of these variants, and the pivoting method described. If you’re just here for the C# (“PowerShell”) hash: 8de3b2eac3fa25e2cf9042d1b952f0d9. For analysis of these files, keep reading.


* (Symantec notes that the connection between this backdoor and APT3 was provided to them through collaboration with another vendor).

Read more ““Filesnfer” Tool (C#, Python)”

OSINT Reporting Regarding DPRK and TA505 Overlap

Yesterday, at SAS2019, BAE Systems presented findings related to DPRK SWIFT heist activity that took place in 2018. As part of this research (a leaked video of the presentation is available online), BAE included two key points not previously disclosed in the public domain:

– The existence of a PowerShell backdoor attributable to DPRK, which the researchers dubbed PowerBrace
– A possible overlap between TA505 intrusions and DPRK intrusions, suggesting a possible hand-off between the two groups.

This blog will leave a full analysis of those two points and the supporting context to the people that found them, as it’s theirs to share; however, data that may support such conclusions have been available in open source for quite some time.

In early January, VNCert issued an alert regarding attacks targeting financial institutions, containing a mix of DPRK IOCs (including a keylogger referred to as PSLogger previously analyzed by this blog), TA505 IOCs (previously published by 360 TIC), and a handful of PowerShell scripts that are generally identical aside from a handful of configuration changes. Furthermore, the aforementioned keylogger was first uploaded by a submitter (fabd7a52) in Pakistan in December 2018. That same submitter acted as the first uploader for one of the PowerShell samples identified below (b88d4d72fdabfc040ac7fb768bf72dcd), further corroborating a possible link.

Given the multi-sourced reporting overlaps and the additional Pakistan findings mentioned above, this blog assesses that the PowerShell scripts in question likely belong to the same family of DPRK-attributable malware reported by BAE systems.

A listing of selected IOCs is below the fold, alongside a few brief notes (and a script) for how to analyze the PowerShell malware.

Read more “OSINT Reporting Regarding DPRK and TA505 Overlap”

Possible ShadowHammer Targeting (Low Confidence)

Update: The conclusions drawn below are likely incorrect (or, at the least, presented incorrectly). The post will remain up to preserve the data collected and in case additional OSINT information becomes available.
——–

Last week, this blog examined the first stage of an infection chain deployed through a supply chain attack. The malware involved in this phase of the infection chain performed an MD5 hash of infected devices’ MAC addresses and compared them to MD5s in a hardcoded database. If a match was found, the malware called out to a hardcoded C2. Since then, multiple researchers have cracked these hashes and generated the underlying plaintext MACs.

The objectives of this supply chain attack remain unknown; however, this blog has identified one (low-confidence) possibility by comparing the plaintext MAC addresses with the Wigle database, a publicly available network data repository: The MAC addresses involved may be associated with industrial processes, logistics, and technology.

The supporting data for this assessment is below, and this blog emphasizes that these are low-confidence findings based on a limited dataset; should more specific targeting and victimology become available, this post will be revised (with the original content remaining intact for retrospective analysis).

Read more

The First Stage of ShadowHammer

On 25 March, Kaspersky researchers published details of a supply chain compromise involving ASUS, a Taiwan-based computer manufacturer. As part of this compromise, a threat actor pushed malicious code to victims who connected to the company’s servers using the ASUS Live Update feature used to deliver drivers and other updates (this blog notes that such update platforms are common across all manufacturers).

The malicious code in question is a first-stage triage tool, and details of the second-stage code have not yet been uncovered. This post documents this first-stage functionality of one of the identified variants, which compares the victim’s MAC address to a hardcoded list prior to communicating with a C2.

Read more

JEShell: An OceanLotus (APT32) Backdoor

Recently, various industry and media sources have publicly reported that OceanLotus, a suspected Vietnam state-sponsored adversary, has conducted multiple targeted intrusions against auto manufacturers. This post examines a second-stage tool, JEShell, used during one such intrusion.

JEShell contains code-level overlaps with the OceanLotus KerrDown malware first publicly described in a Medium post and a Palo Alto Unit42 post. At a high level, JEShell is functionally similar to the KerrDown malware: both families decode and run layers of shellcode with the intention of downloading or directly installing a Cobalt Strike Beacon implant. Unlike KerrDown (a Windows DLL), JEShell is written in Java. JEShell is delivered alongside (rather than instead of) KerrDown and other implants and in some cases shares the same C2, likely as a measure of redundancy for the attacker.

Read more “JEShell: An OceanLotus (APT32) Backdoor”

How To: Analyzing a Malicious Hangul Word Processor Document from a DPRK Threat Actor Group

A few days ago, ESTsecurity published a post detailing a newly identified malicious Hangul Word Processor (HWP) document that shared technical characteristics with previously reported malicious activity attributed to North Korean threat actors (an important note: this particular group is not typically associated with or clustered with the SWIFT/ATM adversary detailed in other posts on this blog, although this blog avoids using specific vendor naming classifications where possible).

The Hangul Office suite is widely used in South Korea; in the West, it’s significantly less common. As a result of this, there is limited public documentation regarding how to analyze exploit-laden HWP documents. This blog post is intended to provide additional documentation from start to finish of the file identified by ESTsecurity. As such, the language used will be somewhat less formal than the content typically posted here.

Read more “How To: Analyzing a Malicious Hangul Word Processor Document from a DPRK Threat Actor Group”

How the Silence Downloader Has Evolved Over Time

In a previous post this blog briefly compared two versions of the Silence group’s proxy malware, a post-intrusion tool used to relay network traffic between a C2 endpoint and a non-internet facing device. This post examines three versions of the group’s downloader and documents how it has changed over the last eighteen months. While some characteristics have persisted, several notable functions have been removed, added, or modified in newer versions of this tool.

Tracking such changes helps analysts determine whether or not a newly discovered sample (on the network or in an online repository) is truly new; in the event that the sample is older and forensic data is missing, it can help approximate when the sample might have been deployed.

Read more “How the Silence Downloader Has Evolved Over Time”

Some Notes on the Silence Proxy

In August 2018, Group-IB published research (available in translated form here) regarding a financially-motivated group referred to by the community as Silence. Included in this report is the mention of a proxy tool that the group uses to route traffic to and from devices on an infected network that are normally isolated from the Internet.

Although the tool is simple (and in development), it has not yet been well-documented in the public space. This may partly be because the tool is relatively rare: Group-IB describes Silence as a small group performing a limited set of activities. For researchers to obtain a copy, the Silence proxy would have to be deployed post-compromise, identified during incident response, and uploaded online. Given the rarity, some notes on the .NET version of this tool are below as a reference to future analysts.

Technical Details

Read more “Some Notes on the Silence Proxy”

A Lazarus Keylogger- PSLogger

This blog recently referenced a late July VNCert report containing file-based IOCs affiliated with attempted intrusions against financial organizations in Vietnam. Several contextual and technical characteristics of these files tie them to recent activity typically attributed to North Korean adversaries with a specific interest in the financial sector.

This post explores the technical characteristics of one of these files, a keylogging and screengrabbing utility. Two versions of this utility have appeared in-the-wild. The first is directly identified in the VNCert alert and is a DLL injected via a modified version of the open-source PowerSploit framework. The second is a standalone executable submitted to VirusTotal by a user in Pakistan (and possibly used in an intrusion in that region).

syschk.ps1 (Vietnam)

MD5: 26466867557f84dd4784845280da1f27
SHA1: ed7fcb9023d63cd9367a3a455ec94337bb48628a
SHA256: 791205487bae0ac814440573e992ba2ed259dca45c4e51874325a8a673fa5ef6

Syschk.ps1 contains three primary components: (1) A Base64 encoded DLL, (2) a Base64 encoded variant of PowerSploit’s Invoke-ReflectivePEInjection, and (3) a routine for decoding and executing these components. This script also contains references to “c:\windows\temp\TMP0389A.tmp” (noted in the previous post for its similarity to another DPRK file path and directory) and “c:\programdata\1.dat” as part of a “remove-item” cmdlet routine. The Base64 DLL can be copied, converted, and saved to another file for analysis.

Extracted DLL
MD5: d45931632ed9e11476325189ccb6b530
SHA1: 081d5bd155916f8a7236c1ea2148513c0c2c9a33
SHA256: efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e

The extracted malware is designed for 64-bit operating systems and contains an export named “Process.” The malware has two primary functions: grabbing keystroke (and clipboard) data, and grabbing screen captures of the user’s desktop. At launch, the malware creates a file at “c:\windows\temp\TMP0389A.tmp” containing the directory that the malware will save files in.

Next, the file begins monitoring keystrokes. These are logged and saved to a hardcoded path (visible in plaintext) within the user’s “AppData\Local\Temp” directory under a folder named “GoogleChrome” in a file named “chromeupdater_pk.” The keylogging routine uses the GetKeyState and GetAsyncKeyState APIs and is not sophisticated, and logged keystroke and clipboard context is saved in plaintext.

The malware’s other functionality is to capture the desktop, compressing the images and saving them in the same directory. These files are saved with the filename format chromeupdater_ps_[timestamp]. Notably, the malware uses two open-source implementations to achieve this. To capture the desktop, it uses code likely derived from this example (or code from which that example was derived). To perform compression, the malware uses the XZip library, a derivation of the Info-Zip project. The combination of these characteristics is useful for identifying an additional variant of this malware.

Open-source screengrabbing implementation (left) and disassembled code graph (right).
Open-source XZip code implementation.

HSMBalance.exe

MD5 34404a3fb9804977c6ab86cb991fb130
SHA1 b345e6fae155bfaf79c67b38cf488bb17d5be56d
SHA256 c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec

The open-source screengrabbing code used in the keylogger from the Vietnam incident is relatively uncommon: while a basic VirusTotal pivot on one of the more distinct strings from this code identifies dozens of additional files that use it, most belong to a benign screen-sharing package. On the other hand, the malicious files include the Vietnam keylogger and a second keylogger submitted by a user in Pakistan with strikingly similar static and dynamic properties (the hash of this file is listed above). A brief static analysis identifies the following strings:

CDisplayHandlesPool: GetDC failed
CDisplayHandlesPool: EnumDisplayMonitors failed
CreateBitmapFinal: GetDIBits failed
CaptureDesktop: CreateCompatibleDC failed
CaptureDesktop: CreateCompatibleBitmap failed
CaptureDesktop: SelectObject failed
CaptureDesktop: BitBlt failed
SpliceImages: CreateCompatibleDC failed
SpliceImages: CreateCompatibleBitmap failed
SpliceImages: SelectObject failed
SpliceImages: BitBlt failed
wild scan
more < 2
.zip
.zoo
.arc
.lzh
.arj
.tgz


As a triaging step, this strongly suggests the use of the same compression and screengrabbing libraries. In addition, there are several other string similarities:

Pakistan file:
%s%s
%s\tmp_%s
[%02d%02d-%02d:%02d:%02d]
[Num %d]
[ENTER]
[EX]
keycode = %ls keystatus = %d \n
%s\tmp_%s_%02d%02d_%02d%02d%02d
PSLogger.exe


Vietnam File:
%s\chromeupdater_pk
%s\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d
[%02d:%02d:%02d:%03d]
%s%s
[ENTER]
[EX]
[CTL]
PSLogger.dll


While some of these are not a 1:1 match, there are some clear similarities regarding the likely functionality of the file and the naming conventions. Notably, this “new” file also contains the same exported function name (“Process”) as the Vietnam DLL despite being an executable, suggesting that it may have been built using the same codebase. In addition, the file contains a reference to the same “TMP0389A.tmp” file and path as the Vietnam keylogger (though this is decoded at runtime). The combination of the shared strings, export, libraries (including XZip), and (as will be explored shortly) functionality strongly suggests that this file is likely attributable to the same threat actor.

Functionality

As mentioned, this file contains a decoding routine responsible for decrypting several strings, including:
“Downloads” – Appended to the user’s Appdata\Local\Temp path.
“c:\windows\temp\TMP0389A.tmp” – Intended to contain directory storing keylogs and screenshots.
“c:\windows\temp\tmp1105.tmp” – Unknown purpose

XOR decoding routines for several file paths within the malware

As with the Vietnam file, this file’s two core functions are screengrabbing (using the same library) and keylogging. Both files are stored at “Appdata\Local\Temp\Downloads.” Screenshots are generated as Bitmaps via CreateCompatibleBitmap, compressed, and saved in this directory as “tmp_[username][mmdd{time}]” (e.g. tmp_userA_0121_142748″). As additional screenshots are created, they are appended to the same file (although re-running the malware will create a new file). Kesystrokes (along with process data) are recorded in the same directory, under a file named “tmp_[user]” – unlike the Vietnam file, these keylogs are encrypted prior to storage.

While the malware author did take anti-analysis steps (including encoding several filepaths and keystroke logs), the malware as a whole remains generally unsophisticated.

Closing Thoughts

Neither variant of the malware is particularly sophisticated; in fact, key components of each rely on clunky implementations of open source tools and code (including screengrabbing, compression, and memory injection). This deficiency is most evident in the screenshot compression segment, in which new data is simply appended to an older file. A tool such as 7Zip cannot properly unpack every screenshot appended this way; instead, the adversary would need to manually carve these out (or write an additional tool to do so) given the fact that additional zip data is simply appended to the end of the file.

It is also worth noting that neither file contains a C2 mechanism, meaning that log files and compressed images would have to be extracted from the target device manually. This suggests that these tools are designed for post-compromise use, possibly on machines intended to be monitored for an extended period of time.