
Overview

QiAnXin Threat Intelligence Center has been continuously tracking numerous APT groups operating in the South Asia region and has published several systematic technical reports: Operation Magichm[1], Operation Angi[2], Operation Tejas[3], etc. The tactics of these groups have hardly changed from 2019 to the present, and the ceiling of their attack techniques is low, but their wide-net phishing campaigns can still affect government and enterprise customers to a certain extent.

Evading antivirus detection has always been the primary concern of the Bitter group (APT-Q-37). Setting aside the outdated initial payloads (CHM, LNK and similar), the wmRAT and .NET Trojans delivered in later stages have distinctive characteristics that are very difficult to hide from detection engines. This year the attackers have tried a variety of methods: in June they loaded the Havoc framework via PowerShell; in July they directly delivered a steganography plugin that had already been in use in 2018, with unsatisfactory results; finally, in September, they distributed a brand-new Trojan, MiyaRat, which we nevertheless captured successfully.

We recommend that our customers deploy QAX Endpoint Detection and Response (EDR) in both office and server areas; with the cloud-based scanning function enabled, it can detect and block generic threats such as CHM and LNK files.


MiyaRat Directive Analysis

The basic information about the new Trojan used by Bitter is as follows. The PDB path shows that the attackers have named the Trojan "Miya", and the current version is 1.1.

MD5         6edc889abbc186fbd5e187818d916dee
Filename    mspnx.exe
File Size   410.00 KB (419840 bytes)
PDB Path    C:\DRIVE_Y\EDRIVE\repos\Miyav1.1_client_msi\Release\Miya1.1_client.pdb

The Trojan is dropped by an MSI file with the following information:

MD5             5ff5e38943a134847e762f480dc84e09
Filename        mspnx.msi
File Size       466.00 KB (477184 bytes)
Download Link   hxxp://locklearhealthapp.com/mspnx.msi

The Trojan first decrypts the C2 domain name "samsnewlooker.com".

Decryption is performed by subtracting the key bytes from the encrypted data, and the key used for decryption is "doobiedoodoozie".
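For analysts who want to reproduce the string decoding described above, the following is an added example; it is not code from the QiAnXin report or from the malware. The report states only that decryption subtracts key bytes and that the key is "doobiedoodoozie"; the assumption made here is the simplest reading of that description (the key repeats over the data and subtraction wraps modulo 256). The sample blob is constructed by applying the inverse operation to the C2 domain named in the report, so the script runs offline. The block also shows the usual analyst shortcut of deriving the key stream from a known plaintext/ciphertext pair and collapsing it to its shortest repeating period.

```python
# Added example (not from the QiAnXin report or the malware): decoder for a
# subtraction-based string obfuscation scheme of the kind described in the text.
# ASSUMPTION: the key repeats over the data and subtraction wraps modulo 256.

KEY = b"doobiedoodoozie"  # key named in the report


def decrypt(blob: bytes, key: bytes = KEY) -> bytes:
    """Subtract the repeating key from the blob byte-for-byte (mod 256)."""
    return bytes((c - key[i % len(key)]) & 0xFF for i, c in enumerate(blob))


def encrypt(plain: bytes, key: bytes = KEY) -> bytes:
    """Inverse of decrypt(); used here only to construct sample data."""
    return bytes((p + key[i % len(key)]) & 0xFF for i, p in enumerate(plain))


def derive_key_stream(blob: bytes, known_plain: bytes) -> bytes:
    """Given a ciphertext and its known plaintext, recover the key stream.

    For a subtraction cipher, key = ciphertext - plaintext (mod 256).
    """
    if len(blob) != len(known_plain):
        raise ValueError("ciphertext and plaintext lengths differ")
    return bytes((c - p) & 0xFF for c, p in zip(blob, known_plain))


def shortest_period(stream: bytes) -> bytes:
    """Collapse a key stream to its shortest repeating unit."""
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream  # unreachable: the full length always satisfies the test


# Constructed sample: the C2 domain from the report, obfuscated with the assumed
# scheme. This is NOT the byte sequence present in the real binary.
SAMPLE_BLOB = encrypt(b"samsnewlooker.com")


def recover_c2(blob: bytes = SAMPLE_BLOB) -> str:
    """Decrypt the sample blob back to the plaintext domain."""
    return decrypt(blob).decode("ascii")


if __name__ == "__main__":
    print("obfuscated :", SAMPLE_BLOB.hex())
    print("recovered  :", recover_c2())
    stream = derive_key_stream(SAMPLE_BLOB, b"samsnewlooker.com")
    print("key        :", shortest_period(stream).decode())
```

The `derive_key_stream` / `shortest_period` pair is what makes this useful beyond one sample: once a single decrypted string is confirmed from dynamic analysis or a debugger, every other blob encrypted with the same routine can be decoded statically.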

The main function of the Trojan is in the function sub_406960, which calls WSAConnectByNameW to connect to port 56172 of the C2 server.

It then collects a series of information and sends it to the C2 server, including disk information, machine name, username, the path of the Trojan file, the %userprofile% environment variable, and the system version.

After sending the collected information, the Trojan enters a loop in which it waits to receive commands from the C2 server. The functions supported by the Trojan include file information enumeration, command execution, file upload and download, and screenshot capture. The commands involved are described below.

The Trojan horse commands are organized as follows:

Command Code      Functionality
GDIR              Enumerates files and subdirectories in the specified directory without traversing subdirectories.
DELz              Deletes the specified file.
GFS               Recursively enumerates all files in the specified directory.
SH1cmd            Creates a shell for command execution.
SH1, SH2          Passes commands into the shell.
SFS               Connects to the specified port of the C2 server to perform file transfer operations; the secondary command UPL1 uploads a file and DWNL downloads a file.
GSS               Captures an image of what is displayed on the screen (screenshot).
SH1exit_client    Exits the Trojan process.

(1) GDIR

Lists the files and subdirectories in the specified directory, similar to the Windows dir command or the Linux ls command. The enumeration output includes file and subdirectory names, last modification time and file size, and ends with the marker "[END]~! @".

(2) DELz

Deletes the specified file.

(3) GFS

Recursively enumerates all files in the specified directory, including the path and size of each file. The total size of all files is placed in the first line of the message sent to the C2 server, and the output is identified by "@@GFS".

(4) SH1cmd

Creates a cmd.exe process as a shell, which executes the cmd commands passed to it through a pipe and returns the execution results to the C2 server.

(5) SH1 & SH2

The SH1 and SH2 commands function almost identically: they write the cmd instructions carried in their arguments to the command pipe for execution by the shell.

(6) SFS

The SFS command is used to upload and download files, but the command itself does not perform the file transfer. Its parameter is a port number; the function sub_404640 (MwFileOp) calls WSAConnectByNameW to connect to that port on the same C2 server, and the Trojan performs the file transfer over this second connection.

The MwFileOp function supports two secondary commands, "UPL1" and "DWNL", which perform the file upload and download operations respectively.

File Transfer Command    Specification
UPL1                     UPL1
DWNL                     DWNL ,filesize==

During a file download, if the C2 server sends "CANCEL2", the Trojan ends the download early without waiting to receive the specified amount of file data.

(7) GSS

Takes a screenshot; the command parameter selects the resolution of the saved screenshot image. The output message is marked with "~! @SSS".

(8) SH1exit_client

Exits the Trojan process.
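The command names, response markers and port number documented in this section are exactly what a network detection would key on. The following is an added example, not code from the QiAnXin report or from any QiAnXin product: a small classifier that labels captured TCP payloads by the MiyaRat command strings and markers above. The payload framing (a command at the start of the payload, parameters after a space) and the sample flows are constructed for this example and are not taken from real traffic; only the command names, markers and port numbers come from the report.

```python
# Added example (not from the QiAnXin report): label TCP payloads by the MiyaRat
# command strings and response markers documented in the command analysis.
# ASSUMPTION: a command sits at the start of the payload, followed by a space
# and its parameters; the sample flows below are constructed, not captured.

from typing import List, Optional, Tuple

C2_PORT = 56172  # main C2 port named in the report

# Commands sent by the C2 to the implant (from the report's command table).
# Longest names first so a prefix such as "SH1" never shadows "SH1exit_client".
COMMANDS = sorted(
    ("GDIR", "DELz", "GFS", "SH1cmd", "SH1", "SH2", "SFS", "GSS", "SH1exit_client"),
    key=len, reverse=True,
)
# Secondary commands used on the separate file-transfer connection.
TRANSFER_COMMANDS = ("UPL1", "DWNL", "CANCEL2")
# Markers the implant places in its responses, with what they indicate.
RESPONSE_MARKERS = {
    b"[END]~! @": "GDIR directory listing terminator",
    b"@@GFS": "GFS recursive listing",
    b"~! @SSS": "GSS screenshot",
}


def _starts_with_token(payload: bytes, token: str) -> bool:
    """True if payload begins with token as a whole word (end or space after)."""
    t = token.encode()
    return payload.startswith(t) and (len(payload) == len(t) or payload[len(t):len(t) + 1] == b" ")


def classify_payload(payload: bytes) -> Optional[str]:
    """Return a label such as 'command:GDIR', 'transfer:DWNL' or
    'response:<meaning>', or None if nothing MiyaRat-specific is present."""
    for cmd in COMMANDS:
        if _starts_with_token(payload, cmd):
            return f"command:{cmd}"
    for cmd in TRANSFER_COMMANDS:
        if _starts_with_token(payload, cmd):
            return f"transfer:{cmd}"
    for marker, meaning in RESPONSE_MARKERS.items():
        if marker in payload:
            return f"response:{meaning}"
    return None


def scan_flows(flows: List[Tuple[int, bytes]]) -> List[Tuple[int, str, str]]:
    """Classify (dst_port, payload) pairs; return (port, confidence, label) hits.

    A hit on the documented C2 port is rated high; the same strings on any other
    port are still reported, since the transfer channel uses a C2-chosen port.
    """
    hits = []
    for port, payload in flows:
        label = classify_payload(payload)
        if label is None:
            continue
        confidence = "high" if port == C2_PORT else "medium"
        hits.append((port, confidence, label))
    return hits


# Constructed sample flows (not real captures): four MiyaRat-like payloads and
# one unrelated HTTP request that must not be flagged.
SAMPLE_FLOWS = [
    (56172, b"GDIR C:\\Users"),
    (56172, b"SH1exit_client"),
    (56172, b"report.docx  2024-09-01 10:12  23552\r\n[END]~! @"),
    (40269, b"DWNL C:\\Users\\Public\\update.bin,filesize==4096"),
    (443, b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]

if __name__ == "__main__":
    for port, confidence, label in scan_flows(SAMPLE_FLOWS):
        print(f"port={port:<6} confidence={confidence:<6} {label}")
```

The word-boundary check in `_starts_with_token` is what keeps `SH1exit_client` and `SH1cmd` from being reported as plain `SH1`; a byte-pattern rule that matched `SH1` anywhere in a stream would also fire on unrelated traffic, which is why the markers are tied to payload position here.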


Summary

Currently, the full line of products based on threat intelligence data from the QiAnXin Threat Intelligence Center, including the QiAnXin Threat Intelligence Platform (TIP), QAX Endpoint Detection and Response (EDR), SkyEye Advanced Threat Detection System, QiAnXin NGSOC, and QiAnXin Situational Awareness, already supports accurate detection of such attacks.


IOC

MD5:

6edc889abbc186fbd5e187818d916dee

b45c97ae0af336048529b8a3ef1749a5

0b8a556b9ce94a0559f153bf62ba2693

d9159838e82ea73effc18ef5b958dacd

26ed92fef383dfea8c40e4fd38668379

CC:

23.26.55.9:443 (havoc)

samsnewlooker.com

96.9.215.155:56172

wmiapcservice.com

185.106.123.198:40269

locklearhealthapp.com

URL:

https://maxnursesolutions.com/cssvr.jpg

https://nurekleindesign.com/toronto.bin

https://viyoappmapper.com/flv.ol

https://locklearhealthapp.com/mspnx.msi

https://locklearhealthapp.com/mayred.msi


Reference Links

[1] https://ti.qianxin.com/blog/articles/%22operation-magichm%22:CHM-file-release-and-subsequent-operation-of-BITTER-organization/
[2] https://www.secrss.com/articles/31785
[3] https://ti.qianxin.com/blog/articles/operation-tejas-a-dead-elephant-curled-up-in-the-kunlun-mountains/

APT SOUTHERN ASIA BITTER