
Group background

Sidewinder is tracked internally by QiAnXin under the number APT-Q-39. The group, widely believed to have a South Asian regional background, was disclosed by domestic and international security vendors in 2018, and its earliest attack activity dates back to 2012. Its targets are generally government and military departments in China and several South Asian countries; some of its campaigns also involve universities and research institutions.


Summary of events

Recently, the QiAnXin Threat Intelligence Center discovered malicious samples targeting Bhutan during routine sample tracking and analysis. The decoy content used by the samples was taken directly from a notice published on the Bhutanese government website.

The document carries macro code that, through a series of VBS and BAT scripts, ultimately executes a backdoor written in Nim. Based on the code characteristics of this Nim backdoor, we correlated samples from attacks against Nepal and Myanmar, with the attack against Myanmar dating back to November last year.

The Nim backdoor is in fact a variant of the C++ backdoor disclosed by domestic security vendors at the end of 2021 [1]. In February 2023, Group-IB released a report [2,3] disclosing spear-phishing attacks by the Sidewinder group from June to November 2021; based on malware characteristics and network infrastructure, the researchers concluded that the campaigns categorized at the time as BabyElephant were closely related to Sidewinder and that the two groups are closely connected. On the basis of this open-source intelligence, this paper attributes the attack activity found here to the Sidewinder group.


Detailed analysis

The basic information about the captured and associated malicious documents and Nim backdoor samples is as follows:

| MD5 | Creation time | VT upload time | Filename | Type |
| --- | --- | --- | --- | --- |
| 7bea8ea83d5b4fe5985172dbb4fa1468 | 2023-10-26 05:48:00 UTC | 2023-10-30 11:13:20 UTC | GlobalLeadershipProgram1.docm | Macro document |
| 04e9ce276b3cd75fc2b20b9b33080f7e | - | 2022-11-16 12:24:46 UTC | Seniority_List.docm | Encrypted macro document [5] (password: 20221114PROM) |
| 92612dc223e8f0656512cd882d66f78b | 2023-10-26 05:20:38 UTC | 2023-10-30 16:08:58 UTC | svchost.exe | Nim backdoor |
| c2184d8fd3dd3df9fd6cf7ff8e32a3a4 | 2023-07-21 06:55:47 UTC | 2023-10-16 02:13:41 UTC | sihosts.exe | Nim backdoor |
| b2ab01d392d7d20a9261870e709b18d7 | 2022-12-02 06:35:39 UTC | 2023-03-08 04:11:57 UTC | conhost.exe | Nim backdoor |
| 30ddd9ebe00f34f131efcd8124462fe3 | 2022-09-15 10:06:04 UTC | 2022-11-16 12:53:12 UTC | sihosts.exe | Nim backdoor |

Document macros

Taking sample 7bea8ea83d5b4fe5985172dbb4fa1468 as an example: when the document is opened, it entices the victim to enable macros.

The Sch_task function drops OCu3HBg7gyI9aUaB.vbs into the "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup" directory.

The Hide_cons function drops "%LocalAppData%\skriven.vbs".

The Read_shell function extracts zip data from the text of the document's UserForm1.TextBox1 object and saves it as "%LocalAppData%\Microsoft\svchost.zip".

The Vb_chain function drops "%LocalAppData%\8lGghf8kIPIuu3cM.bat". Finally, the function calls ActiveDocument.Shapes twice to remove the "enable macros" prompt layer and display the decoy content.


Script chain

The macro code is responsible only for dropping files; the malicious sample launches its scripts through the file placed in the Startup directory, which runs when the user logs on. This increases the stealthiness of the attack to a certain extent.

(1) OCu3HBg7gyI9aUaB.vbs

Sleeps for a period, then launches "%LocalAppData%\8lGghf8kIPIuu3cM.bat".

(2) skriven.vbs

This script runs the file specified by its parameter, and is used to hide the console window when a BAT script is run.

(3) 8lGghf8kIPIuu3cM.bat

The script drops a series of script files, each of which calls the next in sequence.

Information about the scripts involved is listed below:

| Script path | Description |
| --- | --- |
| %LocalAppData%\unzFile.vbs | Drops %LocalAppData%\unz.vbs |
| %LocalAppData%\2L7uuZQboJBhTERK.bat | Calls %LocalAppData%\unzFile.vbs, then calls %LocalAppData%\2BYretPBD4iSQKYS.bat |
| %LocalAppData%\2BYretPBD4iSQKYS.bat | Calls %LocalAppData%\unz.vbs to decompress svchost.zip |
| %LocalAppData%\d.bat | Creates a scheduled task for the svchost.exe extracted from svchost.zip, then calls %LocalAppData%\e.bat |
| %LocalAppData%\e.bat | Deletes all script files dropped by 8lGghf8kIPIuu3cM.bat |

Nim backdoor

The svchost.zip archive dropped by the macro document contains a backdoor, svchost.exe, written in Nim, which is run through the scheduled task created by d.bat above. The backdoor samples contain a string ending in "_apache.nim" under a "Store\MACRO" directory, suspected to be the path of the backdoor's project source file:

| MD5 | String |
| --- | --- |
| 92612dc223e8f0656512cd882d66f78b | "E:\\Store\\MACRO\\BT\\bt_apache.nim" |
| c2184d8fd3dd3df9fd6cf7ff8e32a3a4 | "E:\\Store\\MACRO\\NP\\np_apache.nim" |
| b2ab01d392d7d20a9261870e709b18d7 | "E:\\Store\\macro\\mm\\mm_apache.nim" |
| 30ddd9ebe00f34f131efcd8124462fe3 | "C:\\Users\\ProCoder\\Desktop\\Store\\MACRO\\MM\\mm_apache.nim" |

The backdoor first checks the operating environment, including:

(1) Check whether the current process list contains processes of debugging or analysis tools;

(2) Check the running time interval;

(3) In the early sample (MD5: 30ddd9ebe00f34f131efcd8124462fe3) there is also a CPU count check and a mouse movement distance check.

After the environment check passes, the backdoor first copies the several alternative C&C server URLs.

It then executes "cmd /c hostname" to obtain the hostname, encrypts the hostname with a function named bakery, and enters the command execution loop.

In the command execution loop, the command issued by the C&C server is first obtained through an HTTP GET request. The encrypted hostname is base64-encoded and appended to a randomly selected C&C server URL, followed by a ".php" suffix, which yields the command URL.

If the GET request returns response data that differs from the response received the previous time a command was fetched, the C&C server has issued a new command; otherwise the backdoor sleeps for a period before requesting a command from the C&C server again.

The response data is decrypted by the function confectionary and prepended with "cmd /c" to execute the command issued by the C&C server. The execution result is also sent back to the server through a GET request. Since the result data may be large, the backdoor slices the encrypted execution result into groups of 100 bytes and sends them out one at a time.

The URL used to return results contains a randomly selected C&C server URL plus several additional fields; the data spliced into each field is as follows:

| Field | Spliced data |
| --- | --- |
| id= | Base64 encoding of the infected host's encrypted hostname |
| /session= | Sequence number of the encrypted result slice, counting from 0 |
| ?/value= | Base64 encoding of the encrypted result slice |
| /return=true | None |
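As an added example (not code from the original report or from the malware), the following Python triage helper recognizes the two request shapes described above in proxy-log URLs and reassembles the result slices per beacon id in /session= order; since the report names the fields but not how they are concatenated, the exact URL layout and the sample traffic are assumptions, and the bakery cipher is not reproduced.

```python
import base64
import re
from collections import defaultdict
# Assumed request layouts. The report names the fields but not how they are
# joined, so the concatenation below is an assumption of this example:
#   poll:   <c2 url><base64(bakery(hostname))>.php
#   result: <c2 url>id=<b64 id>/session=<n>?/value=<b64 slice>/return=true
POLL_RE = re.compile(r"^(?P<base>https?://[^/]+/.*/)(?P<id>[A-Za-z0-9+/=]+)\.php$")
RESULT_RE = re.compile(
    r"id=(?P<id>[A-Za-z0-9+/=]+?)/session=(?P<session>\d+)"
    r"\?/value=(?P<value>[A-Za-z0-9+/=]+?)/return=true$"
)

def classify(url):
    """Tag one proxy-log URL as ('poll', id), ('result', id, n, slice) or None."""
    m = RESULT_RE.search(url)
    if m:
        return ("result", m["id"], int(m["session"]), base64.b64decode(m["value"]))
    m = POLL_RE.match(url)
    if m:
        return ("poll", m["id"])
    return None

def reassemble(urls):
    """Group result slices by beacon id and stitch them together in /session=
    order (0-based). Ids with a gap in the sequence are skipped so that a
    partially logged upload is not mistaken for the complete ciphertext."""
    parts = defaultdict(dict)
    for url in urls:
        tag = classify(url)
        if tag and tag[0] == "result":
            _, bid, n, chunk = tag
            parts[bid][n] = chunk
    return {bid: b"".join(p[i] for i in range(len(p)))
            for bid, p in parts.items() if sorted(p) == list(range(len(p)))}

def result_url(base, bid, n, chunk):
    """Build a result URL in the assumed layout (used here to construct samples)."""
    return f"{base}id={bid}/session={n}?/value={base64.b64encode(chunk).decode()}/return=true"
# Constructed sample traffic, not captured data. A real id is the base64 of the
# hostname encrypted with bakery; that cipher is not reproduced here.
C2 = "http://dns-mofgovbt.ddns.net/update/"  # one of the C&C URLs named in the report
SAMPLE_ID = base64.b64encode(b"hostname").decode()
SAMPLE_SLICES = [b"first 100 bytes of ciphertext", b"next 100 bytes", b"tail"]
SAMPLE_URLS = [
    C2 + SAMPLE_ID + ".php",                          # command poll
    result_url(C2, SAMPLE_ID, 2, SAMPLE_SLICES[2]),   # slices logged out of order
    result_url(C2, SAMPLE_ID, 0, SAMPLE_SLICES[0]),
    result_url(C2, SAMPLE_ID, 1, SAMPLE_SLICES[1]),
]
```

Feeding real proxy logs through classify() gives a first-pass beacon filter, while reassemble() recovers the full ciphertext stream for each host once the slices are in hand.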

Python equivalents of the encryption function bakery and the decryption function confectionary are shown below. The keys used for encryption and decryption differ slightly between Nim backdoor samples; we suspect that "BTA" may be an abbreviation for BT (Bhutan) Agent.


Attribution and correlation

The samples discovered bear many similarities to the malware used in previously disclosed attacks by the Sidewinder and BabyElephant groups (the following screenshots are taken from the Antiy and Group-IB reports [1,3]):

(1) Macro code extracts zip archive data from the document's text box window;

(2) The script chain initiated by the macro code is essentially the same as the technique used in the Sidewinder HTA sample;

(3) Some Nim backdoors also have code that detects the runtime environment by mouse movement distance;

(4) Again, there are multiple alternative C&C server URLs, as well as using the same fields in the URL of the return message;

(5) The same data encryption and decryption algorithms.

Domestic and foreign security vendors have noted that BabyElephant is associated with the Sidewinder group [2,3,6], and the C&C domain names built into the Nim backdoor follow Sidewinder's common practice of mimicking domain names of the targeted country. We therefore attribute the samples found this time to the Sidewinder group.


Summary

The malicious samples discovered targeted multiple South Asian countries, including Myanmar, Nepal and Bhutan, over a span of nearly a year. The Nim backdoor delivered via the malicious document is relatively simple in functionality and is likely only one component of a long-term attack campaign. Both the document's macro code and the Nim backdoor follow the characteristics of the attacker's previous malicious code, suggesting that these tactics are mature and proven from the attacker's point of view.


Protection recommendations

The QiAnXin Threat Intelligence Center reminds users to beware of phishing attacks: do not open links from unknown sources shared on social media, do not click on email attachments from unknown sources, do not run unknown files with sensational titles, and do not install apps from unofficial sources. Back up important files regularly and install updates and patches promptly.

If you need to run or install an application of unknown origin, you can first use the QiAnXin Threat Intelligence File Deep Analysis Platform (https://sandbox.ti.qianxin.com/sandbox/page) to assess it. It currently supports in-depth analysis of files in a variety of formats, covering both Windows and Android platforms.

Currently, QiAnXin's full product line based on threat intelligence data from the QiAnXin Threat Intelligence Center, including the QiAnXin Threat Intelligence Platform (TIP), SkyRock, the SkyEye Advanced Threat Detection System, QiAnXin NGSOC and QiAnXin Situational Awareness, already supports accurate detection of such attacks.



Reference links

[1] https://www.antiy.com/response/20211119.html

[2] https://www.group-ib.com/media-center/press-releases/sidewinder-apt-report/

[3] https://www.group-ib.com/resources/research-hub/sidewinder-apt/

[4] https://twitter.com/GroupIB_TI/status/1625762101758140416

[5] https://www.virustotal.com/gui/file/1409f9d855c06f66fb7d7c7bf9f821b5d1631da926b07dcdb260606e09763ad3/community

[6] https://www.antiy.cn/research/notice&report/research_report/20200115.html
