Group Background
Lazarus is an APT group with suspected Northeast Asian origins, tracked internally by QiAnXin as APT-Q-1. The group gained widespread attention with the 2014 attack on Sony Pictures, and its earliest known activity dates back to 2007. It initially focused on government institutions to steal sensitive intelligence; after 2014 it broadened its targets to global financial institutions and virtual currency exchanges, carrying out attacks for financial gain, and it has also targeted security researchers. In recent years Lazarus has frequently launched software supply chain attacks, and the 3CX supply chain attack in the first half of this year is believed to be attributable to this group.
Event Overview
QiAnXin Threat Intelligence Center recently discovered a batch of complex downloader samples. These samples load nested PE files through several layers and ultimately download and execute the next-stage payload from a C2 server. One of the C2 server IP addresses was recently disclosed in connection with a software supply chain attack [1] in which attackers delivered malware disguised as crypto-themed npm packages. Combining the information in that report with the downloader samples themselves, we can confirm that these malicious downloaders are related to the npm package supply chain attack.
Based on the code characteristics of the downloader and other related samples, we have associated them with historical attack samples of the Lazarus group. Considering Lazarus's common supply chain attack methods, we believe that the attackers behind this npm package poisoning incident are likely associated with Lazarus.
Detailed Analysis
Basic information on the downloader samples is as follows:
| Field | Value |
|---|---|
| MD5 | d8a8cc25bf5ef5b96ff7a64f663cbd29 |
| File Name | sql.tmp |
| Creation Time | 2023-09-12 15:49:34 UTC |
| File Type | PE DLL, 64-bit |
| Size | 318.00 KB (325632 bytes) |
| PDB Path | F:\workspace\CBG\npmLoaderDll\x64\Release\npmLoaderDll.pdb |
| C&C | hxxp://91.206.178.125/upload/upload.asp |

| Field | Value |
|---|---|
| MD5 | 46127a35b73b714a9c5c58aaa43cb51f |
| File Name | sql.tmp |
| Creation Time | 2023-10-24 09:35:01 UTC |
| File Type | PE DLL, 64-bit |
| Size | 334.50 KB (342528 bytes) |
| PDB Path | - |
| C&C | hxxps://blockchain-newtech.com/download/download.asp |

| Field | Value |
|---|---|
| MD5 | a6e7c231a699d4efe85080ce5fb36dfb |
| File Name | preinstall.db |
| Creation Time | 2023-11-23 16:07:22 UTC |
| File Type | PE DLL, 64-bit |
| Size | 386.00 KB (395264 bytes) |
| PDB Path | D:\workspace\CBG\Windows\Loader\npmLoaderDll\x64\Release\npmLoaderDll.pdb |
| C&C | hxxps://chaingrown.com/manage/manage.asp |
All samples undergo a multi-layer loading process, ultimately running the downloader's main module. The analysis will focus on the sample a6e7c231a699d4efe85080ce5fb36dfb.
Loading Process
Stage 1
The export function CalculateSumW of preinstall.db decrypts the next-stage data embedded in the file itself and loads it into memory.
The key initialization process is as follows.
The decryption process is as follows. The encrypted data is located at address 0x18000BED0 in the .data section and is decrypted in place.
The decrypted data is PE file data, loaded into memory and executed.
Stage 2
The PE loaded into memory is a DLL whose main functionality is implemented in the function sub_180002440. First, the same decryption method is used to decrypt a zip archive embedded in the file.
The zip archive contains a PE file, which is written to the path "%AppData%\..\Roaming\Microsoft\IconCache.db".
A second segment of embedded data is written to the path "%AppData%\..\Roaming\Microsoft\Network\NTUSER.DAT".
Subsequently, persistence is established, attempting three methods in sequence: scheduled task, registry, and startup directory.
(1) Scheduled Task
A scheduled task named "MicrosoftEdgeUpdate" is created through the COM interface, with the following execution command.
RUNDLL32.exe %APPDATA%\..\Roaming\Microsoft\IconCache.db,GetProcFunc %APPDATA%\..\Roaming\Microsoft\Network\NTUSER.DAT 8888
(2) Registry
If the scheduled task creation is unsuccessful, a key value named "GoogleUpdate" is added under "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" in the registry. The set execution command is as follows.
cmd /c start /b rundll32 %APPDATA%\..\Roaming\Microsoft\IconCache.db,GetProcFunc %APPDATA%\..\Roaming\Microsoft\Network\NTUSER.DAT 8888
(3) Startup Directory
If the registry value cannot be set either, a file is dropped into the Startup directory with the hidden and system attributes set. The file path is "C:\Users\[user]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\check.cmd".
Stage 3
IconCache.db has two export functions: GetProcFunc is empty, while GetProcFuncW implements the malicious functionality. Because of the way rundll32 resolves entry points [2], when the arguments are wide strings a call to GetProcFunc actually executes GetProcFuncW.
GetProcFuncW decrypts PE data from the NTUSER.DAT file passed as a parameter, loads it into memory, and calls its export function GetWindowSizedW.
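A defender-side detection sketch covering the three persistence commands above and the rundll32 entry-point resolution from Stage 3, added here as an example and not code from the report or the samples. It runs over constructed Sysmon-style events; the event field names, the constructed paths and the `\d{3,5}` argument pattern are assumptions.

```python
import re
# Launch pattern shared by the persistence commands above: rundll32 loading a module
# with a non-.dll extension from under ...\Roaming\Microsoft\, an export name after
# the comma, a second file path and a trailing numeric argument ("8888").
RUNDLL32_RE = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<module>\S+\\Roaming\\Microsoft\\[^,\s]+\.(?!dll\b)\w+),"
    r"(?P<export>\w+)\s+(?P<arg>\S+)\s+(?P<num>\d{3,5})\b", re.IGNORECASE)
TASK_NAMES = {"microsoftedgeupdate"}  # scheduled task name used by the sample
RUN_VALUES = {"googleupdate"}         # HKCU ...\Run value name used by the sample
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.cmd$", re.IGNORECASE)

def export_candidates(name: str) -> list[str]:
    """Entry points rundll32 resolves for NAME: the W variant is tried first [2], so a
    hunt for GetProcFunc must also match GetProcFuncW."""
    return [name] if name.endswith("W") else [name + "W", name]

def scan_event(ev: dict) -> list[tuple[str, str]]:
    """Inspect one Sysmon-style event (a plain dict; field names are assumptions) and
    return (rule, detail) findings."""
    out = []
    for field in ("CommandLine", "Details", "Action"):  # wherever a command string lives
        if m := RUNDLL32_RE.search(ev.get(field, "")):
            out.append(("rundll32_nondll_module",
                        f"{m['module']} via {export_candidates(m['export'])} arg {m['num']}"))
    if ev.get("type") == "TaskCreate" and ev.get("TaskName", "").lower() in TASK_NAMES:
        out.append(("task_name", ev["TaskName"]))
    if ev.get("type") == "RegistryValueSet":
        key, _, value = ev.get("TargetObject", "").rpartition("\\")
        if key.lower().endswith(r"\currentversion\run") and value.lower() in RUN_VALUES:
            out.append(("run_key_name", value))
    if ev.get("type") == "FileCreate" and STARTUP_RE.search(ev.get("TargetFilename", "")):
        out.append(("startup_cmd", ev["TargetFilename"]))
    return out

def scan_all(events: list[dict]) -> list[tuple[str, str]]:
    return [f for ev in events for f in scan_event(ev)]
# Constructed sample events modelled on the three persistence methods, plus a benign control.
SAMPLE_EVENTS = [
    {"type": "TaskCreate", "TaskName": "MicrosoftEdgeUpdate",
     "Action": r"RUNDLL32.exe %APPDATA%\..\Roaming\Microsoft\IconCache.db,GetProcFunc "
               r"%APPDATA%\..\Roaming\Microsoft\Network\NTUSER.DAT 8888"},
    {"type": "RegistryValueSet",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate",
     "Details": r"cmd /c start /b rundll32 %APPDATA%\..\Roaming\Microsoft\IconCache.db,GetProcFunc "
                r"%APPDATA%\..\Roaming\Microsoft\Network\NTUSER.DAT 8888"},
    {"type": "FileCreate", "TargetFilename":
     r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\check.cmd"},
    {"type": "ProcessCreate",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]
```

The path-based rule is the durable one: the task and value names are trivially changed, but rundll32 loading a non-.dll module from the roaming profile with a numeric trailing argument is the behaviour all three persistence methods share.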
Downloader Main Module
The PE file decrypted from NTUSER.DAT is the downloader's main module. It first retrieves basic information about the subsequent payload from the C&C server and then downloads and executes the subsequent payload based on this information.
First, it selects one of three URL strings as the C&C server; the three strings are in fact identical.
The POST request data sent to the C&C server consists of seven key-value pairs. The parameter names are randomly generated, and the meanings of the parameter values are as follows.
| Parameter Number | Explanation |
|---|---|
| 1 | A random string whose length equals the downloader operation command (see below) |
| 2 | Base64 encoding of the infected device ID string. The device ID consists of three parts: the parameter passed to IconCache.db ("8888"), the string "64" and a random character, ultimately forming a 16-byte string |
| 3 | Base64 encoding of certain data; its exact purpose is currently unknown |
| 4 | Numeric value related to the operation command |
| 5 | Length of the string corresponding to parameter 6 |
| 6 | Base64 encoding of a string related to the operation command, containing the information passed to the C&C server |
| 7 | Random string used for obfuscation |
An example of the request data sent is as follows:
The downloader has the following operation commands:
| Command Code | Explanation |
|---|---|
| 0xA | Requests the next-stage payload and retrieves its basic information |
| 0x7 | Downloads the payload |
| 0xB | Reports error information |
| 0xC | Executes the payload |
| 0xD | Terminates the program |
When the downloader requests subsequent payloads from the C&C server, the C&C server replies with basic information about the payload, including the payload number, length, name of the exported function to be executed, incoming parameters, and the MD5 checksum value. During the phase of requesting subsequent payloads, the C&C server may also issue commands to terminate the downloader program.
After successfully obtaining payload information, the downloader uses the payload number to request the corresponding payload data from the C&C server, calculates the MD5 hash of the downloaded data, and compares it with the previously obtained checksum value. If the checksum fails, the downloader reports 'Hash error!' to the C&C server.
During the payload execution phase, the payload is decrypted with the same algorithm used in the downloader's loading process. The decrypted data is checked to confirm it is a PE file, loaded into memory, and the address of the specified exported function is resolved and called with the supplied parameters.
Attribution and Association
Related Attack Activities
The C&C server IP address 91[.]206.178.125 of the sample d8a8cc25bf5ef5b96ff7a64f663cbd29 was mentioned in an analysis report on npm package poisoning released in November this year [1].
Security researchers also identified the downloader sample 46127a35b73b714a9c5c58aaa43cb51f appearing in this attack activity, but at the time of the report, they were still analyzing this sample. The sample names sql.tmp and preinstall.db, as well as the exported function name CalculateSum, all appear in the malicious script.
In addition, the PDB path npmLoaderDll.pdb of the downloader sample also indicates its connection to this npm package poisoning incident.
Associated Samples
Based on the string information found in the downloader sample above, we associate it with a Trojan sample.
| Field | Value |
|---|---|
| MD5 | 1c4227bf06121fe9c454a85ad9245b56 |
| File Name | T_DLL.dll |
| Creation Time | 2023-08-01 09:49:31 UTC |
| File Type | PE DLL, 64-bit |
| Size | 747.00 KB (764928 bytes) |
The C&C server of this Trojan sample is hxxp://156.236.76.9/faq/faq.asp. The sample also contains the same decryption algorithm used throughout the downloader samples.
Attribution
The method of loading PE into memory by the downloader is consistent with the Comebacker DLL sample previously used by Lazarus attackers [3].
The execution method involves rundll32 calling the exported function of the DLL and passing a numeric string ("2907") as a parameter. The exported function ASN2_TYPE_new of the DLL is empty, and the ASN2_TYPE_newW function implements malicious functionality.
The associated Trojan sample 1c4227bf06121fe9c454a85ad9245b56 uses the A5 encryption algorithm when decrypting strings, with constants 0xFE268455, 0xC2B45678, and 0x90ABCDEF also appearing in historical Lazarus attack samples [4].
In July of this year, GitHub officially issued a security warning [5], stating that attackers were using GitHub repositories and malicious npm packages in their operations, similar to the techniques described in the Phylum report [1]. Microsoft's report [7] mentions that Jade Sleet is an alias for Lazarus.
Summary
The multi-layer loading method and C&C communication characteristics of this batch of downloader samples show that the attackers are working to conceal their traces and to reduce the risk of exposing the next-stage payloads. Given the malware's involvement in npm package supply chain attacks, the related activity can be traced back to before July of this year. Together with the association with the Lazarus group, this suggests that the attackers are likely to launch further attacks built on this foundation.
Protection Recommendations
QiAnXin Threat Intelligence Center advises users to be cautious of phishing attacks, avoid opening links of unknown origin shared on social media, refrain from executing email attachments from unknown sources, avoid running files with exaggerated titles, and avoid installing apps from non-official sources. It is recommended to regularly back up important files and keep software up to date with patches.
If there is a need to run an application of unknown origin, users can use the QiAnXin Threat Intelligence File Deep Analysis Platform (https://sandbox.ti.qianxin.com/sandbox/page) for identification. Currently, various file formats on Windows and Android platforms are supported for in-depth analysis.
Currently, all products based on the threat intelligence data from QiAnXin Threat Intelligence Center, including QiAnXin Threat Intelligence Platform (TIP), TianYan, TianEye Advanced Threat Detection System, QiAnXin NGSOC, and QiAnXin Threat Intelligence, support precise detection of such attacks.
Reference Links
[1] https://blog.phylum.io/crypto-themed-npm-packages-found-delivering-stealthy-malware/
[2] https://www.attackify.com/blog/rundll32_execution_order/
[3] https://www.microsoft.com/en-us/security/blog/2021/01/28/zinc-attacks-against-security-researchers/
[4] https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/
[5] https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/
[6] https://blog.phylum.io/junes-sophisticated-npm-attack-attributed-to-north-korea/
[7] https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1aFyW