Background on gangs
The Donot group is tracked internally by Qi'anxin under the number APT-Q-38, which mainly targets countries in South Asia, such as Pakistan, Bangladesh, and Sri Lanka, to carry out cyber-espionage activities against government agencies, the defense and military, the diplomatic sector, and important people in the business field, and steal sensitive information. The Donot group has Windows and Android dual-platform attack capabilities, and often spreads malicious code through harpoon emails and Android APKs carrying Office vulnerabilities or malicious macro documents in past attack campaigns.
Summary of events
Qi'anxin Threat Intelligence Center recently found that the Donot group to use PDF documents as bait for attack activities, may affect Pakistan, Bangladesh and other countries in South Asia. Attackers use attack techniques specifically two: the first is a malicious EXE file directly disguised with PDF icons, so that the victim mistakenly think that it is a PDF document so as to open and run; another way to be relatively more cumbersome, the bait PDF document built in to get the malicious PPT phishing link, the malicious PPT was downloaded by the victim and start the execution of the macro code will be. The second attack in addition to the initial stage of the use of PDF bait, the rest of the links with the previous belly-brain worm directly delivered malicious macro document attack activities consistent.
The decoy PDF document intentionally obscures the content and tells the victim through a fake alert message that if they want to view the document content, they need to click "Download" to access it online. Once the victim follows the instructions and clicks on the specified area of the PDF, network access will be triggered and the link will eventually redirect to the webpage where the malicious PPT is downloaded.
EXE disguised as PDF
The basic information of the EXE malware program directly disguised as a PDF document is as follows, and the preliminary information of the sample is obtained with the help of Qi'anxin Intelligence Sandbox (https://sandbox.ti.qianxin.com/sandbox/page) before detailed analysis.
| - | - |
|---|---|
| Link to Qi'anxin Intelligence Sandbox Report | https://sandbox.ti.qianxin.com/sandbox/page/detail?type=file&id=AZT5fv50h6wn_HCy8ts6 |
| Sample file name | - |
| Sample MD5 | 893561ff6d17f1e95897b894dde29a2a |
| Sample type | PE32 EXE |
| Sample size | 1.85 MB (1942112 bytes) |
Sandbox analysis
After uploading this sample to the Qi'anxin Intelligence Sandbox for analysis, the sandbox gave a malice score of 10 based on an intelligent comprehensive judgment of malicious behavior.
The Behavioral Exceptions section shows some suspicious behavior of the sample, including sending POST requests to totalservices[.] info to send a POST request that releases a BAT file named djkggosj.bat and executes it with cmd.exe.
The sample is an EXE, but uses a PDF icon, which the attackers clearly intended to use as a disguise. In addition, the file metadata of the sample uses information about the game program and carries a digital signature called "Ebo Sky Tech Inc".
The Host Behavior section of the sandbox run results shows that the sample process derives the cmd.exe child process to execute the BAT file, which is stored in the FROX directory created by the sample. The BAT file appears in both the sample process's list of freed files and the list of deleted files, indicating that the BAT file is deleted after execution.
The network behavior shows that the sample communicates with the remote server totalservices[.]info generates HTTPS communication, sending POST requests.
Detailed analysis
A large number of 01 strings appear in the sample, which actually consist of the binary form of the ASCII code for every characters in the original string.
Part of the string encoded in this way is the key used for heterogeneous decryption, and these keys are used to restore strings such as the API name imported by the sample.
The sample first creates the directory "%LocalAppdata%\\\TEMP\\\FROX\\\" and releases djkggosj.bat in that directory. The code in the BAT file sets up a scheduled task called PerformTaskMaintain, which implements the sample's own persistence.
Then create the mutex "08808" and collect device information, including: CPU model, OS product name and build number, user name, host name, CPU ProcessorID, and list of installed software.
The collected information is processed with AES encryption and Base64 encoding, and after splicing it into "batac= ", it is sent as data in a POST request to "hxxps://totalservices.info/WxporesjaTexopManor/ptomekasresdkolertys".
The malware decides whether to download the follow-on payload based on the response from the C2 server. The follow-on payload is named socker.dll, which is encrypted and spliced with a string identifying the victim ID (consisting of username, hostname, and ProcessorID), and is used as the data in the "data" field of the POST request. The URL to download the follow-up is "hxxps://totalservices.info/vrptpvabkokamekastra/N1/SA".
The downloaded DLL is saved as "%LocalAppdata%\\moshtmlclip\\socker.dll", release another BAT file "%LocalAppdata%\\Temp\\FROX\\sfs.bat" to create a scheduled task to start socker.dll. The name of the scheduled task is MicrosoftVelocity, execute the socker.dll export function "?ejjwed@@YAHXZ". MicrosoftVelocity, execute the export function "?ejjwed@@YAHXZ" of socker.dll.
Since socker.dll is not captured at this time, further analysis of subsequent load functions cannot be performed at this time.
PDF phishing attack chain
Belly brain worm organization using PDF bait another attack is the use of PDF contains phishing links to deliver with malicious macros PPT, the relevant sample information is as follows.
| - | - | - |
|---|---|---|
| MD5 | filename | clarification |
| 5af77f4a63089011563bd3fcd02d56e0 | NDC-Course.pdf | PDF with link to download malicious PPT |
| eb5d23a6a200016ba9b2d0085e58b586 | Assets 2024.pdf | PDF with link to download malicious PPT |
| 0f4f32b97c7bde0824b0fd27fe3ec4b0 | NDC-Course.ppt | PPT with malicious macros |
| d3ff126dc3e69d7f2d660a504b499cc4 | - | PPT with malicious macros |
| a0dbb4f8dbc5df628f03d60ed4a79d29 | Assets 2024.ppt | PPT with malicious macros |
| bcc0f690f330be4321365f6fd1330d95 | PLAIN.dll | DLL, return collected information to the C&C server, and download subsequent loads |
| 2c2176d9a74851dd30525a87bf0794ca | PLAIN.dll | DLL, return collected information to the C&C server, and download subsequent loads |
| bdc40a26cd02e33e5b83a9573125793e | PLAIN.dll | DLL, return collected information to the C&C server, and download subsequent loads |
| 8e91d5ab926daca6f4db41ba8a918ffd | PLAIN.dll | DLL, return collected information to the C&C server, and download subsequent loads |
| fa6cd1543db5156e7063db87b3241f26 | PLAIN.dll | DLL, return collected information to the C&C server, and download subsequent loads |
| df2ef826d0a398772f2373cd7303d58b | PLAIN.dll | DLL, return collected information to the C&C server, and download subsequent loads |
Take the sample Assets 2024.pdf (MD5: eb5d23a6a200016ba9b2d0085e58b586) as an example, which contains the link to download the PPT as "hxxps://sharetobijoy.buzz/2024/filez/uploadz/invite25.php ?id=19112".
The malicious macros in the PPT execute different shellcode depending on whether it is a 64-bit system or not.
Shellcode is a two-stage downloader commonly used by bellybrain bugs. Take 32-bit shellcode as an example, the first stage shellcode gets the subsequent from "hxxp://diffgrinder.info/PNubW5l8DVqKlNbo/ zFsDitREUBbsbeB815VkWnKpuXN4bhXUg3MFC7txkrV5beqf.png", and then decrypted and executed as the second stage shellcode.
The second stage of shellcode from the "hxxp://diffgrinder.info/PNubW5l8DVqKlNbo/zFsDitREUBbsbeB815VkWnKpuXN4bhXUg3MFC7txkrV5beqf.mp3" to download the subsequent, saved as "%temp%\\\ meaBRlIGkgtELpU\\\ksHWqKqg.dll". Then write "4D 5A 90 00" four bytes to repair the DOS header, and then load the DLL into memory and call its export function "LOPP".
ksHWqKqg.dll (MD5: 2c2176d9a74851dd30525a87bf0794ca) with LOPP and VelocitySpeed two export functions, the DLL function with the above description of the direct disguised as a PDF of the malicious behavior of the EXE program consistent.
(1) LOPP
This function is mainly responsible for persistence operations. Releases the cross.bat file, creates the PerformTaskMaintain scheduled task, executes the export function VelocitySpeed from "%temp%\\FROX\\\PLAIN.dll" and copies the DLL file itself to "%temp%\\FROX\\\PLAIN.dll".
(2) VelocitySpeed
This function is responsible for interacting with the C&C server and obtaining subsequent payloads. Information about the infected device (CPU model, OS product name and build number, username, hostname, ProcessorID of the CPU, list of installed software) is collected, encrypted and sent to the C&C server.The IV and key used for the AES encryption are shown below, which are consistent with the EXE sample.
The server response, if qualified, continues to obtain the subsequent payload socker.dll from the C&C server, saves it as "%LocalAppdata%\\\moshtmlclip\\\socker.dll", and releases the sfs.dat to create a scheduled task for starting socker.dll.
Traceability links
The phishing attack chain that started with the PDF document bait was highly consistent with the past attack techniques of the Donot group[1], with similarities including the code characteristics of the shellcode, the URL format for obtaining subsequent payloads, the use of 01 encoding for the strings, and the setting of a scheduled task to run the other components through the BAT file.
EXE disguised as PDF and PLAIN.dll both in the code and malicious behavior is almost exactly the same, while the EXE also retains the "PLAIN.dll" 01 code, and EXE compilation time and digital signature time in the PLAIN.dll put into the attack after the activity. Therefore, it can be assumed that the EXE rewritten from PLAIN.dll, the attacker directly disguised as PDF with EXE, may be to simplify the attack process, change the attack method of an attempt.
Summary
The captured attack samples belong to the Donot group's attack process in the early stages of the components, from the C&C server to obtain the subsequent payload (such as socker.dll) is likely to perform further intelligence collection work. PDF as bait in the Donot group's previous attacks are not common, but the attack process of this activity is still a continuation of the Donot group's usual methods, from an overall view of the change is not significant, which also indicates that this set of attack chain in the Donot implementation of cyber-espionage in the process of the tried and true.
VII. Protection recommendations
Qi'anxin Threat Intelligence Center reminds users to beware of phishing attacks, do not open links from unknown sources shared on social media, do not click on email attachments from unknown sources, do not run unknown files with exaggerated titles, and do not install apps from unofficial sources. do timely backup of important files and update and install patches.
If you need to run or install an application of unknown origin, you can first use the Qi'anxin Threat Intelligence File Depth Analysis Platform (https://sandbox.ti.qianxin.com/sandbox/page) to make a judgment. Currently, it supports in-depth analysis of files in various formats, including Windows and Android platforms.
Currently, the full line of products based on the threat intelligence data from the Qi'anxin Threat Intelligence Center, including the Qi'anxin Threat Intelligence Platform (TIP), SkyRock, SkyEye Advanced Threat Detection System, Qi'anxin NGSOC, and Qi'anxin Situational Awareness, already support the accurate detection of such attacks.
IOC
MD5
(EXE)
893561ff6d17f1e95897b894dde29a2a
(PDF)
eb5d23a6a200016ba9b2d0085e58b586
5af77f4a63089011563bd3fcd02d56e0
(PPT)
0f4f32b97c7bde0824b0fd27fe3ec4b0
d3ff126dc3e69d7f2d660a504b499cc4
a0dbb4f8dbc5df628f03d60ed4a79d29
(DLL)
bcc0f690f330be4321365f6fd1330d95
2c2176d9a74851dd30525a87bf0794ca
bdc40a26cd02e33e5b83a9573125793e
8e91d5ab926daca6f4db41ba8a918ffd
fa6cd1543db5156e7063db87b3241f26
df2ef826d0a398772f2373cd7303d58b
C&C
bijoyshare.buzz
sharetobijoy.buzz
diffgrinder.info
totalservices.info
theoyservices.info
URL
hxxps://bijoyshare.buzz/2024/filez/uploads/invite25.php?id=10515
hxxps://sharetobijoy.buzz/2024/filez/uploadz/invite25.php?id=19112
hxxp://diffgrinder.info/PNubW5l8DVqKlNbo/zFsDitREUBbsbeB815VkWnKpuXN4bhXUg3MFC7txkrV5beqf.
hxxp://diffgrinder.info/4us2rZQSxKVHgbyW/iAILc6MjCh4QEXTJWmKyY8r4DaoKRwkQ3yjlf0evOOO9vIdh.
hxxps://totalservices.info/WxporesjaTexopManor/ptomekasresdkolertys
hxxps://totalservices.info/WxporesjaTexopManor/vrptpvabkokamekastra/N1/SA
hxxps://theoyservices.info/WxporesjaTexopManor/ptomekasresdkolertys
hxxps://theoyservices.info/WxporesjaTexopManor/vrptpvabkokamekastra/N1/SA
Reference links
[1]. https://ti.qianxin.com/blog/articles/Heavy-Shadows:Summary-of-Recent-Attack-Techniques-Used-by-Donot-Group-CN/