Recently, an XLSM decoy document is captured by the RedDrip team of QiAnXin Threat Intelligence Center by utilizing public intelligence. After taking a deeper analysis, we figure out that the C2 configurations are located on Github and Feed43. Multiple Github spaces have been exposed through correlation analysis and the earliest one could trace back to July 2018. The relevant accounts were still in use when the report was completed.
Decryption algorithm for configurations retrieved from Github will be described in detail and the portrait of the attacker is partially based on statistics of the decrypted data.
The related attack vector is an XLSM file, created on August 8 and uploaded to VT on August 13, that leverages CVE-2017-11882 vulnerability to release MSBuild.exe to the %AppData% directory and then add registry Run key to stay persistent. To obtain C2 address, it reads data from Github and Feed43 where the content could be controlled by attackers. HTTP/HTTPS protocols are used while communicating with available C2s.
The sample was uploaded to VT at 5:05 on Aug 13, 2019 with below details:
|Name||India makes Kashmir Dangerous Place in the World.xlsm|
After opening, a blurred picture shows up to lure the victim to enable macro. After that, a clear picture titled "India has made Kashmir the most dangerous place in the world" gets displayed.
In fact, the clear picture is covered with a vague one. When macro is enabled, the above picture will be deleted so that the clear one will be displayed:
There is an OLE object embedded inside, and it seems that the attacker packed the .bak file by mistake:
Shellcode inside the OLE object performs below functions:
1.Correct the MZ header located at offset 0x558 of the shellcode entry point (add “MZ”)
2.Drop the PE file to "%AppData%\MSBuild.exe".
3.Add registry run key (key value: lollipop) to make "%AppData%\MSBuild.exe" persistent.
MSBuild.exe is released to the %AppData% directory, and the compilation time is August 8th, 2019 which coincides with the XML creation time on Github that will be described later on:
|Compile Time||2019-08-08 14:00:32|
The main purpose of this sample is to obtain C2 configuration from the attacker's Github and feed43 space, and then performs decryption and connects to C2 for further communications.
After the malicious code is executed, it will “sleep” for a period of time. This is implemented by executing function in a loop for 80,000 times, to delay execution in the sandbox:
It checks network connectivity by connecting to “https://en.wikipedia.org", then retrieves C2 configuration from two hard coded addresses (one works as a backup). The hard coded address is encrypted, each byte need to be subtracted by one to obtain the decrypted URL:
The Github account used by the attacker is created on August 7th, 2019, which matches the compilation time of the sample:
The C2 configuration is located inside the “description” field after encryption:
The Base64 encoded data get decoded first, then performs ROL1((v11 + 16 * v9) ^ 0x23, 3) operation. After that, Base64 decode again and finally uses Blowfish (older version without Blowfish decryption) by decryption key below:
F0 E1 D2 C3 B4 A5 96 87 78 69 5A 4B 3C 2D 1E 0F 00 11 22 33 44 55 66 77
The decrypted C2 address is 126.96.36.199 and the malware uses HTTP/HTTPS in network communication:
System information of the compromised computer will be collected and then exfiltrated, AES encryption and Base64 encoding will be performed before sending out the collected data:
|uuid||ID generated by GetCurrentHwProfile|
|ver||Malware version, here it is 1.0|
After that the malware enters a while loop, to perform actions according to HTTP response:
|/e3e7e71a0b28b5e96cc492e636722f73/4sVKAOvu3D/ABDYot0NxyG.php||Online, message queue|
The following table is a comparison table of the received tokens and the functions to be performed:
|8||Upload keylog file|
|23||Upload screen capture file|
|13||Upload collected list of files for a specific suffix|
|5||Upload local file|
|33||Extract EXE download link from URL, then download and execute.|
The attacker uploads the files generated after executing remote commands to the C&C server. The following table is a comparison table of the cached files and the contents of the records:
|TPX499.dat||Screen capture file|
|AdbFle.tmp||Retrieved files specified by attacker|
|edg499.dat||Files with specific suffixes:
The malware collects a list of files with specific suffixes, stores them in a local file, and uploads to the C2 server:
After performing correlation analysis, we discovered 44 configuration files hosted on Github and utilized by this APT group. All C2s have been decrypted and extracted for investigation. From the time of file creation, the attacker started working at least as early as July 2018. The earliest created account was on July 3, 2018, and continued to August 2019 when the document was completed. In terms of the statistics of monthly creations, the number of creations in July 2018 is much higher than the follow-up. We give the following reasonable speculations based on the data distribution.
- The attacker may conduct a concentrated attack from July to September in 2018.
- Accounts are created on demand when the sample gets updated or related Github link is blocked.
Some extracted Github user names are listed as follows. We found that the names are generated based on some family names. So the attacks may be completed by multiple attackers considering the different names being used. Many IDs can be found on social media, and most of them are located in India and Pakistan:
Keywords such as “android” and “mobile” are used in the Github directory, perhaps it indicates there are samples for Android phones.
Most of the C2s are located in Ukraine, while there are 2 IPs in China:
Statistics of XML creation time is provided in the below (the horizontal axis is the time of UTC+0, and the vertical axis is the number of occurrences).
The link to feeds.rapidfeeds.com left in its XML configuration file was also mentioned by Kaspersky’s report in the reference section, which confirms that the APT-C-09 group keeps updating its C2 configuration channel and the recent one reserves some past features.
In the perspective of cyber wars, the conflict between India and Pakistan over the territory of Kashmir has lasted for decades, which makes it a perfect topic in target attacks. For example, Donot and Bitter disguised as Kashmiri Voice to attack Pakistan, Transparent Tribe attacked India with decoy document regarding terrorist attacks in Kashmir. These combats have proved that national power plays an important role in defending the national sovereignty and in the mean while spying on the military intelligence.
India’s attempt to abolish India-controlled Kashmir is to detonate the conflict between the two countries. The two sides exchanged fire and some soldiers have died because of this. In terms of cyber attacks, related incidences will continue to rise up. Considering APT-C-09, Bitter and Donot have carried out targeted attacks against China, we must take actions in advance and keep a close eye on their recent activities.
QiAnXin Threat Intelligence Center will provide customers with the latest attack trends in the first time, helping government and enterprises to resist network intrusions from foreign enemies.
Appendix: Extracted C2 Information