In late June, multiple researchers and security entities (including researchers from ClearSky, FireEye, and U.S. Cybercom) highlighted APT33 activity in public outlets. Several of these files have already been identified and analyzed as part of ongoing discussions on Twitter regarding this activity.
This blog post examines a file identified through public resources with infrastructure links to these attacks that has not been widely examined.
As part of this activity, researchers identified the C2 domain “backupaccount[.]net” as a C2 used within a malicious HTA file hosted on attacker infrastructure. A PassiveTotal pivot at the time of this writing highlights 11 hashes associated with this domain. PassiveTotal accounts are free, but also do not offer the context behind these hash associations.
Author: norfolk
The Lazarus Injector
In May and June, two files were submitted to VirusTotal that were signed with the same digital certificate and were connected to the SWIFT-heist wing of the DPRK. One file is re-themed version of the fake resume creating tool used in the Redbanc and Pakistan attacks. The second file is a tool used to inject and run payloads inside of explorer.exe.
This brief post documents the capabilities of this second tool.
MD5: b9ad0cc2a2e0f513ce716cdf037da907
SHA1: 1a50a7ea5ca105df504c33af1c0329d36f03715b
SAH256: db0f102af2d350aa1a63772e6ee9b211d78aa962a34f75c8702e71ccd261243e
Emissary Panda DLL Backdoor
Last month’s post on this blog examined a backdoor previously thought to be associated with Emissary Panda (APT27). Recent reporting has instead shown that the HTTP listener examined is likely affiliated with Turla. That post has been updated with the corresponding corrections.
This post is a granular examination of a payload alluded to in a Palo Alto report that is tied to Emissary Panda with much higher confidence. While the payload wasn’t available for analysis in that report, VirusTotal pivoting at the time produced the matching file.
Filename: PYTHON33.hlp
MD5: 19c46d01685c463f21ef200e81cb1cf1
SHA1: ac4a264a76ba22e21876f7233cbdbe3e89b6fe9d
SHA256: 3e21e7ea119a7d461c3e47f50164451f73d5237f24208432f50e025e1760d428
This file is expected to be part of a DLL side-loading chain that involves a component of the legitimate Sublime text editor (plugin_host.exe, also available on VirusTotal: f0b05f101da059a6666ad579a035d7b6) and a malicious DLL that this file will sideload:
Filename: PYTHON33.dll
MD5: bc1305a6ca71d8bdb3961bfd4e2b3565
SHA1: f189d63bae50fc7c6194395b2389f9c2a453312e
SHA256: 2dde8881cd9b43633d69dfa60f23713d7375913845ac3fe9b4d8a618660c4528
Possible Turla HTTP Listener
Updated 19 July with Attribution Comments
Recently, Palo Alto’s Unit42 and Saudi NCSC detailed multiple intrusions against Middle Eastern government targets in which an attacker (purportedly Emissary Panda, a suspected Chinese state-sponsored adversary) compromised vulnerable Microsoft SharePoint servers and deployed a variety of intrusion tools, both public and custom.** Subsequent public reporting, however, attributed a portion of this activity to the Turla group. This post focuses on the details of the malware rather than the attribution itself.
This blog post briefly documents characteristics and capabilities of one such tool, an HTTP listener (first identified by NCSC-SA), deployed at several of these sites. There are multiple versions of this listener with different command names; however, the functionality of each command is the same in each file.
**Note: As noted in the original version of this post, Unit42 reporting did not definitively state that the activity belongs to a single threat actor given the use of publicly available tools but rather offered this as a possible assessment.
“Filesnfer” Tool (C#, Python)
On 6 May 2019, Symantec published reporting on a series of tools possibly used by APT3 (or a broader China-based espionage apparatus), including a previously publicly unreported backdoor dubbed “Filesnfer.”* Several hashes were made available for this malware, including one for a variant written in C++, one for a variant written in Python (compiled via Py2Exe), and one purportedly written in PowerShell.
The hash for the PowerShell file is unavailable on VirusTotal; however, analysis of the Python code can be used to identify a different file uploaded to the Hybrid Analysis platform that is delivered via a PowerShell loader, written in C#, and contains significant code-level and unique-string overlaps with the Python variant. This file was also not made available for download on the platform, but the strings for the loaded C# code in this sandbox run are enough to find an additional sample of the entire decompiled code on VirusTotal.
This blog contains a brief technical overview of each of these variants, and the pivoting method described. If you’re just here for the C# (“PowerShell”) hash: 8de3b2eac3fa25e2cf9042d1b952f0d9. For analysis of these files, keep reading.
* (Symantec notes that the connection between this backdoor and APT3 was provided to them through collaboration with another vendor).
OSINT Reporting Regarding DPRK and TA505 Overlap
Yesterday, at SAS2019, BAE Systems presented findings related to DPRK SWIFT heist activity that took place in 2018. As part of this research (a leaked video of the presentation is available online), BAE included two key points not previously disclosed in the public domain:
– The existence of a PowerShell backdoor attributable to DPRK, which the researchers dubbed PowerBrace
– A possible overlap between TA505 intrusions and DPRK intrusions, suggesting a possible hand-off between the two groups.
This blog will leave a full analysis of those two points and the supporting context to the people that found them, as it’s theirs to share; however, data that may support such conclusions have been available in open source for quite some time.
In early January, VNCert issued an alert regarding attacks targeting financial institutions, containing a mix of DPRK IOCs (including a keylogger referred to as PSLogger previously analyzed by this blog), TA505 IOCs (previously published by 360 TIC), and a handful of PowerShell scripts that are generally identical aside from a handful of configuration changes. Furthermore, the aforementioned keylogger was first uploaded by a submitter (fabd7a52) in Pakistan in December 2018. That same submitter acted as the first uploader for one of the PowerShell samples identified below (b88d4d72fdabfc040ac7fb768bf72dcd), further corroborating a possible link.
Given the multi-sourced reporting overlaps and the additional Pakistan findings mentioned above, this blog assesses that the PowerShell scripts in question likely belong to the same family of DPRK-attributable malware reported by BAE systems.
A listing of selected IOCs is below the fold, alongside a few brief notes (and a script) for how to analyze the PowerShell malware.
Possible ShadowHammer Targeting (Low Confidence)
Update: The conclusions drawn below are likely incorrect (or, at the least, presented incorrectly). The post will remain up to preserve the data collected and in case additional OSINT information becomes available.
——–
Last week, this blog examined the first stage of an infection chain deployed through a supply chain attack. The malware involved in this phase of the infection chain performed an MD5 hash of infected devices’ MAC addresses and compared them to MD5s in a hardcoded database. If a match was found, the malware called out to a hardcoded C2. Since then, multiple researchers have cracked these hashes and generated the underlying plaintext MACs.
The objectives of this supply chain attack remain unknown; however, this blog has identified one (low-confidence) possibility by comparing the plaintext MAC addresses with the Wigle database, a publicly available network data repository: The MAC addresses involved may be associated with industrial processes, logistics, and technology.
The supporting data for this assessment is below, and this blog emphasizes that these are low-confidence findings based on a limited dataset; should more specific targeting and victimology become available, this post will be revised (with the original content remaining intact for retrospective analysis).
The First Stage of ShadowHammer
On 25 March, Kaspersky researchers published details of a supply chain compromise involving ASUS, a Taiwan-based computer manufacturer. As part of this compromise, a threat actor pushed malicious code to victims who connected to the company’s servers using the ASUS Live Update feature used to deliver drivers and other updates (this blog notes that such update platforms are common across all manufacturers).
The malicious code in question is a first-stage triage tool, and details of the second-stage code have not yet been uncovered. This post documents this first-stage functionality of one of the identified variants, which compares the victim’s MAC address to a hardcoded list prior to communicating with a C2.
JEShell: An OceanLotus (APT32) Backdoor
Recently, various industry and media sources have publicly reported that OceanLotus, a suspected Vietnam state-sponsored adversary, has conducted multiple targeted intrusions against auto manufacturers. This post examines a second-stage tool, JEShell, used during one such intrusion.
JEShell contains code-level overlaps with the OceanLotus KerrDown malware first publicly described in a Medium post and a Palo Alto Unit42 post. At a high level, JEShell is functionally similar to the KerrDown malware: both families decode and run layers of shellcode with the intention of downloading or directly installing a Cobalt Strike Beacon implant. Unlike KerrDown (a Windows DLL), JEShell is written in Java. JEShell is delivered alongside (rather than instead of) KerrDown and other implants and in some cases shares the same C2, likely as a measure of redundancy for the attacker.
How To: Analyzing a Malicious Hangul Word Processor Document from a DPRK Threat Actor Group
A few days ago, ESTsecurity published a post detailing a newly identified malicious Hangul Word Processor (HWP) document that shared technical characteristics with previously reported malicious activity attributed to North Korean threat actors (an important note: this particular group is not typically associated with or clustered with the SWIFT/ATM adversary detailed in other posts on this blog, although this blog avoids using specific vendor naming classifications where possible).
The Hangul Office suite is widely used in South Korea; in the West, it’s significantly less common. As a result of this, there is limited public documentation regarding how to analyze exploit-laden HWP documents. This blog post is intended to provide additional documentation from start to finish of the file identified by ESTsecurity. As such, the language used will be somewhat less formal than the content typically posted here.