Background
On March 17, 2019, QiAnXin Threat Intelligence Center captured a targeted attack sample aimed at the Middle East that exploits the WinRAR vulnerability (CVE-2018-20250 [6]); the attack appears to have been carried out by the Goldmouse APT group (APT-C-27). The archive contains a decoy Word document about terrorist attacks to lure the victim into decompressing it. When the archive is decompressed on a vulnerable computer, the embedded njRAT backdoor (Telegram Desktop.exe) is extracted to the startup folder and is executed the next time the victim restarts the computer or logs in again. After that, the attacker is able to control the compromised device.
After conducting correlation analysis, we suspect the Goldmouse APT group (APT-C-27) may be behind the attack. Further investigation also uncovered multiple related Android samples that are disguised as common applications and used against specific targets. Since the malicious code contains Arabic strings, the attackers appear to be familiar with the Arabic language as well.
Detection of the Backdoor (Telegram Desktop.exe) on VirusTotal
Sample Analysis
The analysis below is based on the sample that exploits the WinRAR vulnerability.
Lure to Decompress
MD5 | 314e8105f28530eb0bf54891b9b3ff69 |
File Name |
The compressed archive contains a decoy Word document about a terrorist attack. People in parts of the Middle East suffer greatly from terrorist attacks, which makes them sensitive to such incidents and increases the likelihood that the victim will decompress the archive.
Translation of the Bait Document
When the archive gets decompressed on the vulnerable computer, the embedded backdoor will be extracted to the startup folder:
The backdoor (Telegram Desktop.exe) is executed when the victim restarts the computer or logs in again.
Backdoor (Telegram Desktop.exe)
File Name | Telegram Desktop.exe |
MD5 | 36027a4abfb702107a103478f6af49be |
SHA256 | 76fd23de8f977f51d832a87d7b0f7692a0ff8af333d74fa5ade2e99fec010689 |
Compiler | .NET |
The backdoor extracts resource data to the file %TEMP%\Telegram Desktop.vbs and then launches the extracted script:
The VBS script decodes a hard-coded Base64 string and writes the decoded PE binary to the file %TEMP%\Process.exe:
Process.exe creates the file 1717.txt in the %TEMP% folder and writes data that is subsequently used by the backdoor (Telegram Desktop.exe).
The backdoor (Telegram Desktop.exe) replaces special characters in the data read from the file 1717.txt:
It then Base64-decodes the data and executes the decoded binary directly in memory:
The final payload is an njRAT backdoor with the following configuration:
njRAT
The RAT first creates a mutex to ensure only one instance is running:
It then copies itself to the path given in the configuration, when required:
It sets an environment variable and shuts down the firewall:
It starts the keylogger thread and writes the captured keystrokes to the registry:
After that, it communicates with the C&C in a separate thread:
The njRAT provides functions such as remote SHELL, plug-in support, remote desktop, file management, etc.
Android Sample Analysis
Multiple related Android samples sharing the same C&C (82.137.255.56) have also been discovered by QiAnXin Threat Intelligence Center:
These recent Android backdoors are disguised as commonly used applications, such as an Android system update or an Office update program. The analysis below is based on the one disguised as an Office update:
File MD5 | 1cc32f2a351927777fc3b2ae5639f4d5 |
File Name | OfficeUpdate2019.apk |
The malware induces the user to activate it as a device administrator, then hides its icon and runs in the background:
The image below is displayed after the user has been induced to complete the installation:
The sample then obtains the C&C IP address and port number through Android's default SharedPreferences storage interface. If they are not available there, it decodes the hard-coded values:
The decoding algorithm for the IP address:
The hard-coded IP address is 82.137.255.56 and the corresponding port number is 1740:
Once it connects to the C&C successfully, it waits for remote commands and performs the corresponding functions, such as audio recording, photographing, GPS positioning, etc.
Below is a breakdown of supported commands:
Command ID | Function |
16 | Heartbeat |
17 | Connect |
18 | Acquire information of a specified file |
19 | Download file |
20 | Upload file |
21 | Delete file |
22 | Copy file |
23 | Move file |
24 | Rename file |
25 | Execute file |
28 | Create directory |
29 | Execute command from cloud |
30 | Execute ping command |
31 | Upload contact information |
32 | Upload short messages |
33 | Upload call records |
34 | Start recording |
35 | Stop recording and upload records |
36 | Take a photograph |
37 | Start GPS positioning |
38 | Stop GPS positioning and upload records |
39 | Use IP/Port from cloud |
40 | Report current IP/Port |
41 | Acquire information of installed apps |
It is worth noting that there are some Arabic strings in the code, which may indicate that the attackers are familiar with the Arabic language as well:
Attribution
The C&C server (82.137.255.56) used by the above backdoors has been used by APT-C-27 (Goldmouse) many times since 2017, as can be seen on 360 Netlab's Big Data Platform:
The C&C server is also tagged as APT-C-27 by QiAnXin Threat Intelligence Platform (ti.qianxin.com):
Considering further similarities, such as module functionality, code logic, built-in language and the target population, we suspect the above samples are related to the Goldmouse APT group (APT-C-27).
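The Windows staging chain (%TEMP% drop files, Startup persistence) and the shared C&C described above can be turned into a simple correlation check. The Python below is an added example, not code from the report; the key=value event format, the host names and the log lines are constructed, and the only real indicators are the file names, the C&C address and the ports taken from this report.

```python
import re

# Indicators taken from the report above. The key=value event format, host names and
# the log lines themselves are constructed for this example (no real product schema).
CNC_IP = "82.137.255.56"
CNC_PORTS = {1740, 1921, 1994}
TEMP_STAGING = {"telegram desktop.vbs", "process.exe", "1717.txt"}   # dropped in %TEMP%
STARTUP_DROP = "telegram desktop.exe"                                # dropped in Startup

def parse_event(line):
    """Turn 'k=v k="v with spaces" ...' into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def stage_of(ev):
    """Map one event to a stage of the chain described in the report, or None."""
    if ev.get("type") == "file":
        path = ev.get("path", "").lower()
        name = path.rsplit("\\", 1)[-1]
        if "\\temp\\" in path and name in TEMP_STAGING:
            return "staging:" + name
        if "\\startup\\" in path and name == STARTUP_DROP:
            return "persistence:startup"
    elif ev.get("type") == "net" and ev.get("dst") == CNC_IP:
        # Any contact with the shared C&C counts; the ports listed in the IOCs rank higher.
        return "c2:known-port" if int(ev.get("dport", 0)) in CNC_PORTS else "c2:other-port"
    return None

def correlate(lines):
    """Collect matched stages per host; two or more distinct stages raise confidence to high."""
    hits = {}
    for line in lines:
        ev = parse_event(line)
        stage = stage_of(ev)
        if stage:
            hits.setdefault(ev.get("host", "?"), set()).add(stage)
    return {h: ("high" if len(s) > 1 else "medium", sorted(s)) for h, s in hits.items()}

SAMPLE_EVENTS = [  # constructed telemetry
    'type=file host=pc1 path="C:\\Users\\u\\AppData\\Local\\Temp\\Telegram Desktop.vbs"',
    'type=file host=pc1 path="C:\\Users\\u\\AppData\\Local\\Temp\\1717.txt"',
    'type=file host=pc1 path="C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Telegram Desktop.exe"',
    "type=net host=pc1 dst=82.137.255.56 dport=1740",
    "type=net host=phone7 dst=82.137.255.56 dport=1740",
    'type=file host=pc2 path="C:\\Users\\u\\Downloads\\Process.exe"',   # wrong folder: no match
    "type=net host=pc2 dst=203.0.113.5 dport=443",
]

if __name__ == "__main__":
    for host, (confidence, stages) in correlate(SAMPLE_EVENTS).items():
        print(host, confidence, stages)
```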
Conclusion
As we predicted, more and more samples are leveraging the WinRAR exploit (CVE-2018-20250), and the recently captured targeted attack is just the tip of the iceberg. We would like to remind users once again to take timely and effective measures; please refer to the section below for details.
Mitigation Approaches
- The software vendor has released the latest version of WinRAR and we recommend users upgrade to it (WinRAR 5.70 beta 1):
  32 Bits: http://win-rar.com/fileadmin/winrar-versions/wrar57b1.exe
  64 Bits: http://win-rar.com/fileadmin/winrar-versions/winrar-x64-57b1.exe
- If the patch cannot be installed at this moment, you can directly delete the vulnerable DLL (UNACEV2.DLL). This does not affect normal use; WinRAR will simply report an error when it encounters an ACE archive.
360 ESG products, including QiAnXin Threat Intelligence Platform, SkyEye APT Detection and NGSOC, can protect users from these new attacks.
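To apply the two mitigation options above across many machines, here is an added Python helper (not from the report) that reports whether a WinRAR directory still carries UNACEV2.DLL, optionally removes it, and tells whether a version string is already 5.70 or newer. The default install paths and the throw-away directory used by demo() are assumptions.

```python
import os
import re
import tempfile

# From the mitigation section: WinRAR 5.70 beta 1 fixes CVE-2018-20250, and deleting
# UNACEV2.DLL is the stop-gap. Install directories are passed in by the caller
# (an assumption that keeps the check runnable anywhere, not only on Windows).
VULNERABLE_DLL = "UNACEV2.DLL"
FIXED_VERSION = (5, 70)

def version_is_fixed(version):
    """True when a WinRAR version string such as '5.61' or '5.70 beta 1' is 5.70 or newer."""
    m = re.match(r"\s*(\d+)\.(\d+)", version)
    if not m:
        return False
    # WinRAR minor versions are two digits ('5.70'); pad a bare '5.7' the same way.
    return (int(m.group(1)), int(m.group(2).ljust(2, "0"))) >= FIXED_VERSION

def assess_winrar_dir(install_dir, remove=False):
    """Report whether an install directory still contains the vulnerable ACE DLL.
    With remove=True the DLL is deleted, as the report suggests when upgrading is not possible."""
    dll = next((f for f in os.listdir(install_dir) if f.upper() == VULNERABLE_DLL), None)
    if dll is None:
        return {"dir": install_dir, "status": "not-vulnerable", "action": "none"}
    if not remove:
        return {"dir": install_dir, "status": "vulnerable", "action": "none"}
    os.remove(os.path.join(install_dir, dll))
    return {"dir": install_dir, "status": "mitigated", "action": "removed " + dll}

def default_winrar_dirs():
    """Typical WinRAR locations on Windows (assumed defaults); only existing ones are returned."""
    roots = [os.environ.get("ProgramFiles"), os.environ.get("ProgramFiles(x86)")]
    dirs = [os.path.join(r, "WinRAR") for r in roots if r]
    return [d for d in dirs if os.path.isdir(d)]

def demo():
    """Exercise the check on a throw-away directory holding a fake, empty UNACEV2.DLL."""
    d = tempfile.mkdtemp()
    open(os.path.join(d, "unacev2.dll"), "wb").close()
    statuses = [assess_winrar_dir(d)["status"],
                assess_winrar_dir(d, remove=True)["status"],
                assess_winrar_dir(d)["status"]]
    os.rmdir(d)
    return statuses   # ['vulnerable', 'mitigated', 'not-vulnerable']

if __name__ == "__main__":
    for d in default_winrar_dirs():
        print(assess_winrar_dir(d))
    print(demo())
```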
IOCs
Malicious ACE Archive | 314e8105f28530eb0bf54891b9b3ff69 |
Backdoor (Telegram Desktop.exe) | 36027a4abfb702107a103478f6af49be |
Process.exe | ec69819462f2c844255248bb90cae801 |
Android Sample | 5bc2de103000ca1495d4254b6608967f (بو أيوب - القريتين أبو محمد.apk) |
Android Sample | ed81446dd50034258e5ead2aa34b33ed (chatsecureupdate2019.apk) |
Android Sample | 1cc32f2a351927777fc3b2ae5639f4d5 (OfficeUpdate2019.apk) |
PDB Path | C:\Users\Albany\documents\visual studio 2012\Projects\New March\New March\obj\Debug\New March.pdb |
PDB Path | C:\Users\Albany\documents\visual studio 2012\Projects\March\March\obj\Debug\March.pdb |
PDB Path | C:\Users\Albany\documents\visual studio 2012\Projects\December\December\obj\Debug\December.pdb |
C&C | 82.137.255.56:1921 |
C&C | 82.137.255.56:1994 |
C&C | 82.137.255.56:1740 |
References
- https://twitter.com/QiAnXinTIC
- https://ti.qianxin.com/blog/articles/analysis-of-apt-c-27/
- https://mp.weixin.qq.com/s/dkyD2k6dqt5SYS7qLPOqfw (Unable to decrypt! Probably the first unknown ransomware (JNEC) with WinRAR exploit)
- https://ti.qianxin.com/blog/articles/upgrades-in-winrar-exploit-with-social-engineering-and-encryption/
- https://mp.weixin.qq.com/s/Hz-uN9VEejYN6IHFBtUSRQ (Analysis of the first WinRAR exploit sample captured in the wild)
- https://research.checkpoint.com/extracting-code-execution-from-winrar/
- https://ti.qianxin.com/advisory/articles/360ti-sv-2019-0009-winrar-rce/