Background
Recently, QiAnXin Threat Intelligence Center has been investigating an email phishing attack targeting a Pakistani businessman working in China. The first attack of this campaign took place in May 2018, and the attackers have kept control of the target machines over the following months. The TTPs of this targeted attack are described below, together with remediation advice.
We identified this APT group, coded 'APT-C-35', in 2017; it mainly targets Pakistan and other South Asian countries for cyber espionage[1]. Arbor also published research on this group and named it 'Donot'[2]. The group attacks government agencies, aiming for classified intelligence. We have observed at least 4 attack campaigns against Pakistan since 2017. Spear-phishing emails carrying exploit-laden Office documents or malicious macros are sent to victims. The attackers have developed two unique malware frameworks, EHDevel and yty. In the latest attack, the Donot group is targeting a Pakistani businessman working in China.
Phishing Attack
The attack process is as follows:
Malware Analysis
Dropper - Excel Macros
The attackers lure the victim into opening a decoy Excel file containing a malicious macro, sent as an attachment in a phishing email. When the macro code runs, office_update.exe is dropped to C:\micro and executed. The decoy Excel document pretends to be the price list of a BMW car, which easily gains the victim's trust:
Downloader - office_update.exe
| Filename | office_update.exe |
| --- | --- |
| MD5 | 2320ca79f627232979314c974e602d3a |
office_update.exe is a downloader that fetches a BAT file from http://bigdata.akamaihub.stream/pushBatch:
The BAT file mainly modifies the registry for persistence and creates a directory with the hidden attribute, among other things. It also downloads wlidsvcc.exe from http://bigdata.akamaihub.stream/pushAgent and saves it in the %USERPROFILE%\BackConfig\BackUp directory:
After that, office_update.exe removes itself from the system.
Plugin - Downloader - wlidsvcc.exe
| Filename | wlidsvcc.exe |
| --- | --- |
| MD5 | 68e8c2314c2b1c43709269acd7c8726c |
wlidsvcc.exe is also a downloader. It downloads 3 plugins from the C2 server, named wuaupdt.exe, kylgr.exe and svchots.exe. The mutex "wlidsvcc" is created to ensure that only one instance runs on the system:
Then it checks whether the current process path is %USERPROFILE%\BackConfig\BackUp\wlidsvcc.exe:
If the path matches, wlidsvcc.exe communicates with the C2 (bigdata.akamaihub.stream) by POST to retrieve remote commands:
If the C2 sends the 'no' command, wlidsvcc.exe sleeps for 90 seconds and then contacts the C2 again:
If the 'cmdline' command is received, wlidsvcc.exe runs the plugin %USERPROFILE%\BackConfig\BackUp\wuaupdt.exe and then listens for follow-up commands:
If the command is neither 'no' nor 'cmdline', wlidsvcc.exe downloads http://bigdata.akamaihub.stream/orderMe to C:\Users\%s\BackConfig\BigData and then enters a waiting state:
Plugin executor - wuaupdt.exe
| Filename | Wuaupdt.exe |
| --- | --- |
| MD5 | 35ec92dbd07f1ca38ec2ed4c4893f7ed |
wuaupdt.exe is a CMD backdoor that receives and executes CMD commands sent from the C2. It can also run other plugins when the attackers issue the corresponding commands. All backdoor plugins are analysed in the following section.
Executing C2 commands:
Backdoor - Plugins
wuaupdt.exe executes the corresponding plugin according to the commands issued by the attackers. The details of all plugins are as follows.
Keylogger - Kylgr.exe
| Filename | Kylgr.exe |
| --- | --- |
| MD5 | 88f244356fdaddd5087475968d9ac9bf |
| PDB path | c:\users\user\documents\visualstudio2010\Projects\newkeylogger\Release\new keylogger.pdb |
This plugin is a keylogger. It first creates a file inc3++.txt in the current directory and checks whether a keylogging file already exists in the %USERPROFILE%\Printers\Neighbourhood directory. If so, it saves that log file's name and last modification time to inc3++.txt:
If a keylogging file is found in %USERPROFILE%\Printers\Neighbourhood, the log file is moved to the directory %USERPROFILE%\Printers\Neighbourhood\Spools:
A new keylogging file is then created in %USERPROFILE%\Printers\Neighbourhood with the filename 'username_year_month_day(hour_minute_second)', after which the plugin continuously monitors mouse and keyboard activity.
When a window title is obtained, the title and the pressed keys are logged:
File - listing - svchots.exe
| Filename | svchots.exe |
| --- | --- |
| MD5 | 14eda0837105510da8beba4430615bce |
This plugin traverses drives C, D, E, F, G and H to collect filenames:
The following directories are excluded:
Files with the following extensions are collected:
If files matching the above criteria are found, their names and last modification dates are written to test.txt in the current directory, and the files are copied to the %USERPROFILE%\Printers\Spools directory with 'txt' appended as the new extension:
Systeminfo – spsvc.exe
| Filename | Spsvc.exe |
| --- | --- |
| MD5 | 2565215d2bd8b76b4bff00cd52ca81be |
This plugin, packed with UPX and written in Go, collects various system information. It spawns several CMD processes for the collection, and the results are saved to a file in the %USERPROFILE%\Printers\Spools directory:
Uploader – lssm.exe
| Filename | Lssm.exe |
| --- | --- |
| MD5 | 23386af8fd04c25dcc4fdbbeed68f8d4 |
The purpose of this plugin is to upload the collected information and files stored in the %USERPROFILE%\Printers\Spools directory to the C2 bigdata.akamaihub.stream.
Uploader – lssmp.exe
| Filename | lssmp.exe |
| --- | --- |
| MD5 | b47386657563c4be9cec0c2f2c5f2f55 |
| Digital signature | COMODO CA Limited |
Similar to lssm.exe, lssmp.exe uploads the collected information and files to the C2. It carries a digital signature:
The plugin searches for explorer.exe in the process list:
It then extracts a PE file from its resource section:
The PE file is injected into the explorer.exe process and run there:
The injected PE file has functionality similar to lssm.exe: it uploads the keystroke log to the C2 server:
Pivoting
Some other decoy documents and plugins were found to be connected with the files in this attack.
CSD_Promotion_Scheme_2018.XLS
| Filename | CSD_Promotion_Scheme_2018.XLS |
| --- | --- |
| MD5 | 82a5b24fddc40006396f5e1e453dc256 |
The decoy document is an Excel file with malicious macros. When it is opened, an Excel security warning pops up, telling the user that the file contains risky macros:
The main function of the malicious macro code is to drop skyep.exe into the %APPDATA% directory and skyep.bat into the C:\Skype directory; skyep.bat is then executed:
The content of the Excel file is the same BMW car price list:
Skyep.bat
Skyep.bat creates 3 directories, %USERPROFILE%\Printers\Spools, %USERPROFILE%\BackConfig\BackUp and %USERPROFILE%\BackConfig\BigData, and then sets their folder attributes to hidden:
The BAT file also reads the computer name and saves it to %USERPROFILE%\BackConfig\Backup\pcap.txt:
It then creates multiple registry entries for persistence, starts skyep.exe and deletes itself:
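As an added example (not code from the report), the following Python sweeps a user profile for the host artifacts described above: the hidden BackConfig and Printers working directories, the files the campaign drops into them, and keylog files named like 'username_year_month_day(hour_minute_second)'. The digit widths in the keylog regex and the constructed profile layout used for the demo are assumptions.

```python
import re
import tempfile
from pathlib import Path
from typing import List

# Hidden working directories that skyep.bat and the pushBatch BAT create under %USERPROFILE%.
DONOT_DIRS = [
    Path("BackConfig") / "BackUp",
    Path("BackConfig") / "BigData",
    Path("Printers") / "Spools",
    Path("Printers") / "Neighbourhood",
]
# Files the report places in those directories (matched case-insensitively).
DONOT_FILES = {"wlidsvcc.exe", "wuaupdt.exe", "kylgr.exe", "svchots.exe",
               "csrsses.exe", "pcap.txt", "test.bat"}
# Keylog names follow "username_year_month_day(hour_minute_second)";
# the digit widths below are an assumption about the exact format.
KEYLOG_NAME = re.compile(r"^[^\\/]+_\d{4}_\d{1,2}_\d{1,2}\(\d{1,2}_\d{1,2}_\d{1,2}\)")

def sweep_profile(profile: Path) -> List[str]:
    # Return a finding line for each artifact found under one user profile.
    findings: List[str] = []
    for rel in DONOT_DIRS:
        directory = profile / rel
        if not directory.is_dir():
            continue
        findings.append(f"directory present: {rel}")
        for entry in sorted(directory.iterdir()):
            if entry.name.lower() in DONOT_FILES:
                findings.append(f"known campaign file: {rel / entry.name}")
            elif rel.name == "Neighbourhood" and KEYLOG_NAME.match(entry.name):
                findings.append(f"keylog-like file: {rel / entry.name}")
    return findings

def build_constructed_profile(root: Path) -> None:
    # Constructed test layout mimicking an infected profile; contents are placeholders.
    backup = root / "BackConfig" / "BackUp"
    backup.mkdir(parents=True)
    (backup / "pcap.txt").write_text("PC-EXAMPLE")
    (backup / "wlidsvcc.exe").write_bytes(b"MZ")  # placeholder bytes, not the real binary
    neigh = root / "Printers" / "Neighbourhood"
    neigh.mkdir(parents=True)
    (neigh / "alice_2018_5_14(9_12_01)").write_text("")

def run_demo() -> List[str]:
    # Build the constructed profile in a temp dir, sweep it and return the findings.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_profile(root)
        return sweep_profile(root)
```

Pointing sweep_profile at a real profile directory runs the same checks; the hidden attribute itself is not inspected, so the sweep also works on mounted images.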
Skyep.exe
| Filename | Skyep.exe |
| --- | --- |
| MD5 | f67595d5176de241538c03be83d8d9a1 |
| PDB | C:\Users\spartan\Documents\Visual Studio 2010\Projects\downloader new 22 jun use\downloader\Release\downloader.pdb |
Skyep.exe, disguised as the voice-call software Skype, downloads csrsses.exe from http://databig.akamaihub.stream/pushBatch (still alive at the time of writing) into the \BackConfig\BackUp\ directory and runs it:
Csrsses.exe
| Filename | Csrsses.exe |
| --- | --- |
| MD5 | e0c0148ca11f988f292f527733e54fca |
This file, like wlidsvcc.exe, executes commands from the C2 server. It first reads the computer name from \BackConfig\BackUp\pcap.txt:
The computer name is then built into the string "orderme/computer name - random number", and the C2 databig.akamaihub.stream is contacted for commands:
It checks the value of Content-Type to determine the next operation. If the value is "application", it downloads the file from the C2 to the \BackConfig\BigData\ directory:
If the value is "cmdline", \BackConfig\BigData\wuaupdt.exe is executed:
If the command is "batcmd", \BackConfig\BigData\test.bat is started:
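As an added detection example (not code from the report), the following Python flags proxy-log requests that match the C2 traffic of wlidsvcc.exe and csrsses.exe described above: the /pushBatch, /pushAgent and /orderMe paths on the two akamaihub.stream hosts, and the "orderme/computer name - random number" beacon. The log line format, the sample lines and the exact beacon regex are assumptions.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# C2 hosts named in the report.
DONOT_C2_HOSTS = {"bigdata.akamaihub.stream", "databig.akamaihub.stream"}
# URI paths the report ties to each stage of the intrusion.
STAGE_BY_PATH = {
    "/pushBatch": "stage 1: BAT (office_update.exe) or csrsses.exe (skyep.exe) download",
    "/pushAgent": "stage 2: wlidsvcc.exe download",
    "/orderMe": "tasking: wlidsvcc.exe fetches payload to BackConfig\\BigData",
}
# csrsses.exe beacons as "orderme/<computer name> - <random number>"; the exact
# spacing and digit count in this regex are an assumption based on that quoted string.
ORDERME_BEACON = re.compile(r"^/orderme/[^/]+ - \d+$", re.IGNORECASE)
# Assumed proxy log format: "<timestamp> <client_ip> <method> <host> <path> <status>".
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\d{3})$")

def classify(host: str, path: str) -> Optional[str]:
    # Map one request to the intrusion stage it belongs to, or None if unrelated.
    if host.lower() not in DONOT_C2_HOSTS:
        return None
    if path in STAGE_BY_PATH:
        return STAGE_BY_PATH[path]
    if ORDERME_BEACON.match(path):
        return "tasking: csrsses.exe beacon (computer name from pcap.txt)"
    return "unknown path on known Donot C2"

def scan(lines: List[str]) -> List[Dict[str, str]]:
    # Parse proxy log lines and return every request attributable to this campaign.
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, client, _method, host, path, _status = m.groups()
        path = unquote(path)  # the beacon contains spaces, which proxies percent-encode
        stage = classify(host, path)
        if stage:
            hits.append({"ts": ts, "client": client, "host": host, "path": path, "stage": stage})
    return hits

# Constructed sample traffic: four campaign requests and one benign request.
SAMPLE_LOG = """\
2018-05-14T09:12:01Z 10.0.0.23 GET bigdata.akamaihub.stream /pushBatch 200
2018-05-14T09:12:05Z 10.0.0.23 GET bigdata.akamaihub.stream /pushAgent 200
2018-05-14T09:13:40Z 10.0.0.23 POST bigdata.akamaihub.stream /orderMe 200
2018-05-14T09:14:02Z 10.0.0.41 GET databig.akamaihub.stream /orderme/PC-EXAMPLE%20-%2048213 200
2018-05-14T09:15:00Z 10.0.0.7 GET www.example.com /index.html 200
"""
```

Running scan(SAMPLE_LOG.splitlines()) yields four hits, the last being the csrsses.exe beacon from the second client; the 90-second retry loop of wlidsvcc.exe shows up as repeated POSTs to /orderMe from one client.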
Attribution -- Donot (APT-C-35)
By analysing the macro code, the plugins and the domain name/IP correlations in this attack, we confirm that the Donot APT group (APT-C-35) is behind it.
Similarity of Macro Code
ASERT disclosed a macro sample linked to the Donot APT group in March 2018[2]. That macro sample is very similar to the one in this attack: a decoy picture pops up after the macro runs.
Similarity of Plug-ins
Like previous Donot samples, the new sample downloads plugins from the C2. It is also packed with UPX and written in Go, and its code logic is similar to that of the earlier samples.
The wuaupdt.exe seen in this attack also appeared in a previous Donot attack[1], and the C2 addresses are the same as before.
Conclusion
From the activity captured this time, it is clear that the Donot APT group still treats Pakistan as its primary target and has even expanded its scope to include Pakistani staff and institutions in China. The signs are that the Donot group has never stopped its attacks, and another cyber espionage attack could be launched soon.
QiAnXin Threat Intelligence Center advises enterprises to improve employees' security awareness by providing sufficient security training, especially anti-phishing training. Situational awareness, asset management and threat intelligence can significantly reduce the impact of such attacks.
For 360 ESG customers, detection of the Donot group and the related IOCs is supported by products integrated with threat intelligence, including the QiAnXin Threat Intelligence Platform, SkyEye Advanced Threat Detection System and NGSOC.
IOC
| C&C |
| --- |
| databig.akamaihub.stream |
| bigdata.akamaihub.stream |
| 185.236.203.236 |
| unique.fontsupdate.com |

| PDB path |
| --- |
| C:\Users\spartan\Documents\Visual Studio 2010\Projects\downloader new 22 jun use\downloader\Release\downloader.pdb |
| C:\users\user\documents\visualstudio2010\Projects\newkeylogger\Release\new keylogger.pdb |
References
[1] https://ti.qianxin.com/blog/articles/latest-activity-of-APT-C-35/
[2] https://asert.arbornetworks.com/donot-team-leverages-new-modular-malware-framework-south-asia/