Background
Hangover, also known as Patchwork, White Elephant, Dropping Elephant, etc., is tracked internally by QiAnXin under the tracking number APT-Q-36. The group is widely believed to have a South Asian regional background; its earliest attack activity dates back to November 2009, and it has been active for more than 10 years. The group mainly conducts cyber espionage against countries in the Asian region, targeting organizations in the fields of government, military, power, industry, research and education, diplomacy and economy.
Summary of events
The Spyder malware is associated with the Hangover group [1]; its main function is to download and run executables sent from C2 servers. QiAnXin Threat Intelligence Center observed that Spyder has gone through at least two rounds of updates since July, and found that the attackers used Spyder to implant the Remcos Trojan on target hosts. Based on the captured malicious samples, the related attack activity has the following characteristics:
(1) Some key strings in the Spyder downloader are no longer stored in plaintext but are XOR-encrypted to evade static detection, and the data format used for communication with the C2 server has also been adjusted;
(2) The implanted Remcos Trojans were the latest versions available at the time;
(3) Based on the sample names and configuration information of the Spyder samples, the victims presumably include targets in Pakistan, Bangladesh, Afghanistan, etc.
Detailed analysis
The basic information about the captured Spyder and Remcos samples is as follows:

| MD5 | Creation time | Digital signature timestamp | Type |
|---|---|---|---|
| 05e59dcc5f4b657696a92fd2b3eac90d | 2023-07-09 17:05:45 UTC | 2023-07-11 07:14:37 UTC | Spyder v1 |
| 2491942d8cd5807cd4615a07ad26a54a | 2023-08-11 13:57:16 UTC | 2023-08-14 09:59:22 UTC | Spyder v2 |
| 6699190f7f6574029432b2678e1f40ac | 2023-09-09 18:49:44 UTC | 2023-09-20 07:59:23 UTC | Spyder v3 |
| bc743f1b24e8e585e889d77099ad0ac2 | 2023-10-09 08:26:21 UTC | 2023-10-11 06:42:28 UTC | Spyder v3 |
| 656b523031d9ffda7b8b1740542b653c | 2023-10-09 08:26:21 UTC | 2023-10-11 07:08:13 UTC | Spyder v3 |
| 57b805f4c496c5d25acbe45bfaf7ee11 | 2023-06-24 16:04:14 UTC | 2023-07-04 07:12:16 UTC | Remcos v4.8.0 Pro |
| 5eae3dee275dbca878d145817707597f | 2023-06-15 17:58:26 UTC | 2023-08-31 10:27:56 UTC | Remcos v4.9.1 Pro |
The samples above were signed with three different code-signing certificates:

| Signer name | Certificate serial number |
|---|---|
| GREATIV LIMITED | 3B D9 2C E9 98 70 95 F7 46 23 D7 C3 7E 8D 34 4E |
| SYNTHETIC LABS LIMITED | 19 66 BC 76 BD A1 A7 08 33 47 92 DA 9A 33 6F 69 |
| RUNSWITHSCISSORS LTD | 42 4F 08 5F 42 16 FD 91 7A 4B 0B E9 69 82 A4 D9 |
Spyder updates
Version 2
Compared with version 1, version 2 XOR-encrypts some strings that were previously stored in plaintext, such as API names and the format strings used to collect host information.
(1) API names
(2) Format strings used to collect host information
Before sending back the collected host information, Spyder first contacts the C2 server. If the response data is "1", version 1 enters an infinite sleep loop, whereas version 2 exits the process instead.
In addition, version 2 appends "&ver=2" to the data in its POST requests. The table below lists the format strings that versions 1 and 2 use to construct the request data when a Spyder sample deploys a follow-up executable according to a C2 command.
| Request | Spyder v1 | Spyder v2 |
|---|---|---|
| Get C2 command | hwid=%s&deploy=1 | hwid=%s&deploy=1&ver=2 |
| Get information about the downloaded file | hwid=%s&deploy=%d&bakmout=1 | hwid=%s&deploy=2&type=%d&ver=2 |
| Deployment completed | hwid=%s&deploy=0 | hwid=%s&deploy=3&type=%d&ver=2 |
Version 3
The biggest change in version 3 is that the data exchanged with the C2 server is represented as a JSON string, which also carries the version 3 marker.
The JSON string is then base64-encoded and appended to the string "data=", and the result is used as the body of the POST request.
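To show how the v1/v2 form-encoded formats and the v3 "data=" + base64(JSON) format can be told apart in captured HTTP POST bodies, here is a small classifier written for this article as an added example; it is not code from the report or from the Spyder samples. The sample bodies, the HWID value and the JSON key names used in the v3 sample are assumptions, since the report lists the v1/v2 format strings but not the v3 key names; the v3 check therefore only validates the container format.

```python
import base64
import json
from urllib.parse import parse_qs

# Stage names taken from the v1/v2 format-string table in the report.
V1_STAGES = {"1": "get C2 command", "0": "deployment completed"}
V2_STAGES = {
    "1": "get C2 command",
    "2": "get info about downloaded file",
    "3": "deployment completed",
}


def classify_spyder_beacon(body: str):
    """Classify one HTTP POST body.

    Returns {"version": n, "stage": s, "fields": {...}} when the body matches
    one of the Spyder request formats described in the report, else None.
    """
    # Version 3: "data=" followed by base64(JSON). The report does not list the
    # JSON key names, so only the container format is validated here.
    if body.startswith("data="):
        try:
            fields = json.loads(base64.b64decode(body[len("data="):], validate=True))
        except ValueError:  # binascii.Error, UnicodeDecodeError and JSONDecodeError
            return None
        if not isinstance(fields, dict):
            return None
        return {"version": 3, "stage": "json beacon", "fields": fields}

    # Versions 1 and 2: plain form-encoded key/value pairs.
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if "hwid" not in params or "deploy" not in params:
        return None
    if params.get("ver") == "2":
        return {"version": 2, "stage": V2_STAGES.get(params["deploy"], "unknown"), "fields": params}
    if "ver" in params:
        return None  # a version marker the report does not describe
    if params.get("bakmout") == "1":
        stage = "get info about downloaded file"
    else:
        stage = V1_STAGES.get(params["deploy"], "unknown")
    return {"version": 1, "stage": stage, "fields": params}


def encode_v3_body(fields: dict) -> str:
    """Build a v3-style POST body ("data=" + base64 JSON) for exercising the classifier."""
    return "data=" + base64.b64encode(json.dumps(fields).encode()).decode()


def scan_bodies(bodies):
    """Run the classifier over a list of POST bodies and return (version, stage) for each hit."""
    hits = []
    for body in bodies:
        result = classify_spyder_beacon(body)
        if result is not None:
            hits.append((result["version"], result["stage"]))
    return hits


# Constructed sample bodies (not captured traffic). The HWID value and the
# v3 JSON keys are assumptions made for this example.
SAMPLE_BODIES = [
    "hwid=ABCD-1234&deploy=1",
    "hwid=ABCD-1234&deploy=2&bakmout=1",
    "hwid=ABCD-1234&deploy=0",
    "hwid=ABCD-1234&deploy=1&ver=2",
    "hwid=ABCD-1234&deploy=3&type=1&ver=2",
    encode_v3_body({"hwid": "ABCD-1234", "deploy": 1, "ver": 3}),
    "user=alice&action=login",  # unrelated form post, must not match
]

if __name__ == "__main__":
    for version, stage in scan_bodies(SAMPLE_BODIES):
        print(f"Spyder v{version}: {stage}")
```

The classifier deliberately returns None for a "ver" value it does not know, so that a future format change shows up as a miss rather than a mislabelled v1 hit.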
Remcos Trojan Horse
In the command loop that polls the C2 server, Spyder not only deploys follow-up executables according to the issued commands but also, at the start of each iteration, pulls an executable from a URL stored in its configuration data.
We observed two Spyder samples downloading the Remcos Trojan in this way.
| Spyder MD5 | Download URL | Remcos MD5 |
|---|---|---|
| 05e59dcc5f4b657696a92fd2b3eac90d | hxxp://mfaturk.com/backup/inc.php | 68f4f27219840b4ba86462241f740bbd |
| 2491942d8cd5807cd4615a07ad26a54a | hxxp://mfaturk.com/hing9/dmw.php | 5eae3dee275dbca878d145817707597f |
Both Remcos Trojans are loaded in the same way:
(1) The .text sections of kernel32.dll and ntdll.dll are re-mapped in memory, which strips any hooks that security software has placed on functions in these two modules.
(2) An HTTP request is sent to "www[...] wingtiptoys.com" so that the malicious traffic blends in with ordinary web traffic.
(3) The resource data is loaded and RC4-decrypted to recover the Remcos Trojan's file data, which is then loaded into memory and executed. The RC4 decryption key is:
iXTYbfqt4v4xaFkXYrgP5gRNWEsttg1QKM6TNuP4hGG8T2TCcWSUtkNTgjA9LuFfKbiPjxajei8kFXeqgcS2O68bsZ
The C2 configuration of the Remcos Trojan contains three entries separated by 0x1E:
morimocanab\.com:443
grand123099ggcarnivol\.com:443
Omeri12oncloudd\.com:443
At the time of analysis the last two domains did not resolve to any IP address, so morimocanab.com is the only one that actually works.
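The loader steps above (RC4 decryption of the embedded resource with the reported key, followed by a 0x1E-separated C2 list inside the Remcos configuration) are illustrated by the following Python, written for this article as an added example; it is not the loader's code and not a Remcos config extractor. The RC4 key and the three host:port entries are taken from the report; the encrypted sample blob is constructed here by encrypting those entries with that key, because the real RC4 output is the Remcos executable itself (whose full configuration layout the report does not describe), so applying the decryption directly to the C2 list is a simplification made for the example.

```python
# RC4 key reported for the two Remcos loaders (copied from the report).
RC4_KEY = b"iXTYbfqt4v4xaFkXYrgP5gRNWEsttg1QKM6TNuP4hGG8T2TCcWSUtkNTgjA9LuFfKbiPjxajei8kFXeqgcS2O68bsZ"
GROUP_SEPARATOR = b"\x1e"  # separator between C2 entries, per the report


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation).

    RC4 is symmetric, so the same call encrypts and decrypts.
    """
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_resource(blob: bytes) -> bytes:
    """Decrypt an RC4-protected resource blob with the reported key."""
    return rc4(RC4_KEY, blob)


def parse_c2_groups(config: bytes):
    """Split a 0x1E-separated C2 list into (host, port) tuples.

    Groups that are empty or do not end in ':<digits>' are skipped rather than
    raising, so one malformed entry does not hide the others.
    """
    entries = []
    for group in config.split(GROUP_SEPARATOR):
        group = group.strip(b"\x00 ")
        if not group:
            continue
        host, sep, port = group.rpartition(b":")
        if not sep or not port.isdigit():
            continue
        entries.append((host.decode("ascii", "replace"), int(port)))
    return entries


def extract_c2(blob: bytes):
    """Decrypt a blob and return the C2 entries found in it."""
    return parse_c2_groups(decrypt_resource(blob))


# Constructed sample: the three C2 entries from the report, joined with 0x1E and
# RC4-encrypted with the reported key so the round trip can be run offline.
# (Simplification: in the real loader the RC4 output is the Remcos PE, not the
# bare C2 list.)
SAMPLE_CONFIG = GROUP_SEPARATOR.join([
    b"morimocanab.com:443",
    b"grand123099ggcarnivol.com:443",
    b"omeri12oncloudd.com:443",
])
SAMPLE_BLOB = rc4(RC4_KEY, SAMPLE_CONFIG)

if __name__ == "__main__":
    for host, port in extract_c2(SAMPLE_BLOB):
        print(f"{host}:{port}")
```

A practitioner would feed `decrypt_resource` the raw resource bytes dumped from the loader and then search the decrypted PE for the 0x1E-separated host list before calling `parse_c2_groups` on that slice.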
Summary
In just a few months, the Spyder downloader has undergone several updates, which shows how determined the group is to evade security software and carry out its intelligence-gathering tasks. Functionally, Spyder is a general-purpose downloader that can deploy any executable on the victim's host. The discovery of Spyder delivering the Remcos Trojan may be only the tip of the iceberg of the attack chains built around this downloader component, and QiAnXin Threat Intelligence Center will continue to monitor the related APT groups' activities.
Protection recommendations
QiAnXin Threat Intelligence Center reminds users to beware of phishing attacks: do not open links from unknown sources shared on social media, do not click on email attachments from unknown sources, do not run unknown files with sensational titles, and do not install apps from unofficial sources. Back up important files regularly, and install updates and patches promptly.
If you need to run or install an application of unknown origin, you can first submit it to the QiAnXin Threat Intelligence Center file deep-analysis platform (https://sandbox.ti.qianxin.com/sandbox/page) for a verdict. It currently supports in-depth analysis of files in a variety of formats for the Windows and Android platforms.
The full range of products built on threat intelligence data from QiAnXin Threat Intelligence Center, including the QiAnXin Threat Intelligence Platform (TIP), SkyRock, the SkyEye Advanced Threat Detection System, QiAnXin NGSOC and QiAnXin Situational Awareness, already supports accurate detection of this kind of attack.
IOC
MD5
(Spyder)
05e59dcc5f4b657696a92fd2b3eac90d
2491942d8cd5807cd4615a07ad26a54a
6699190f7f6574029432b2678e1f40ac
bc743f1b24e8e585e889d77099ad0ac2
656b523031d9ffda7b8b1740542b653c
(Remcos)
57b805f4c496c5d25acbe45bfaf7ee11
68f4f27219840b4ba86462241f740bbd
5eae3dee275dbca878d145817707597f
C&C
mfaturk.com
firebasebackups.com
morimocanab.com:443
grand123099ggcarnivol.com:443
omeri12oncloudd.com:443
URL
hxxp://mfaturk.com/backup/manage.php
hxxp://mfaturk.com/backup/inc.php
hxxp://mfaturk.com/hing9/includes.php
hxxp://mfaturk.com/hing9/dmw.php
hxxp://mfaturk.com/hailo/stick.php
hxxp://mfaturk.com/hailo/dmw.php
hxxp://firebasebackups.com/hailo/load_img.php
hxxp://firebasebackups.com/hailo/pakart.php
Reference links
[1]. https://ti.qianxin.com/blog/articles/Suspected-Patchwork-Utilizing-WarHawk-Backdoor-Variant-Spyder-for-Espionage-on-Multiple-Nations-CN/