Overview
Recently, the QiAnXin Threat Intelligence Center captured a CHM-format phishing sample targeting finance personnel. When the file is double-clicked it first drops and loads a .NET module, which selects a shellcode according to the system architecture. The shellcode then downloads svchost.exe, libcef.dll and libcef.png from a remote server and launches svchost.exe by simulating a click, a technique used to break the process chain. The core malicious code in libcef.dll collects host information and browser history and establishes persistence through a self-start entry.
The aim of this fraud against finance staff is mainly to pull the finance staff and senior executives into the same group chat and induce the finance staff to transfer money to a designated account, thereby turning a profit.
Sample analysis
The fraud lure, delivered via email or WeChat, is titled "October 2023 Corporate Tax Audit Content Notice.zip (only 7 days left to purchase license).zip".
When the user double-clicks the CHM sample, a Windows security warning pops up.
After the user clicks "Yes", the malicious code starts to run.
0x01 Basic Information
| Item | Value |
|---|---|
| MD5 | 06ed2c30954614fe1e8e9e8bd4619510 |
| SHA256 | 172dcc050fd15c75b6e03ed55c67871d9197cf4b3b337c89623d2be41b9850c4 |
| File type | CHM |
Test.html begins by defining a JavaScript function that converts a Base64 string into a binary stream:
The contents and sizes of the stage_1, stage_2, and stage_3 variables are then defined:
Finally, it tries to create a WScript.Shell object for manipulating the Windows shell. Through the shell it reads the .NET Framework version number from the registry; if the read fails, it assigns stage_3 to stage_1 and sets the version number to v2.0.50727. It then sets the process environment variable COMPLUS_Version to that version number (so that the requested CLR is loaded into the script host) and attempts to deserialize stage_1 (Base64-encoded binary data) into an object.
If any of the above steps throws an exception, the catch block instead attempts to deserialize stage_2 (another Base64-encoded binary blob) into an object, and any further exception is swallowed.
Once the Base64 string has been converted to a binary stream and passed to BinaryFormatter.Deserialize, the code carried inside the serialized object executes directly.
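The loader described above has a recognisable shape in the HTML: a WScript.Shell object, the COMPLUS_Version environment variable, a BinaryFormatter deserialization call, and large Base64 string variables that decode to a .NET serialized stream (the pattern popularised by DotNetToJScript). The following is an added example, not code from the report or from the sample: a stdlib-only Python triage scanner that pulls the Base64 variables out of HTML extracted from a CHM, checks whether each one begins with the BinaryFormatter SerializationHeaderRecord, and looks for embedded PE bytes. The embedded HTML fragment is constructed for the demo; the variable names mirror the stage_1/stage_2 naming the report shows, but the JScript body is an assumption.

```python
import base64
import binascii
import re

# Added example (not from the original report). Constructed sample data below.

# Serialization header of a .NET BinaryFormatter stream (SerializationHeaderRecord):
# record type 0x00, RootId = 1, HeaderId = -1, MajorVersion = 1, MinorVersion = 0.
BF_HEADER = bytes.fromhex("00" "01000000" "ffffffff" "01000000" "00000000")

# Script-level indicators of the loader pattern; any two together are a strong signal.
INDICATORS = ("WScript.Shell", "COMPLUS_Version", "BinaryFormatter",
              "Deserialize", "MemoryStream")

# `var name = "..." + "...";` where every fragment is drawn from the Base64 alphabet.
VAR_RE = re.compile(r'var\s+(\w+)\s*=\s*((?:"[A-Za-z0-9+/=]*"\s*\+?\s*)+);')


def extract_b64_vars(script_text):
    """Return {name: decoded_bytes} for every string variable that decodes as Base64."""
    blobs = {}
    for name, raw in VAR_RE.findall(script_text):
        joined = "".join(re.findall(r'"([^"]*)"', raw))  # undo "a" + "b" concatenation
        try:
            data = base64.b64decode(joined, validate=True)
        except (binascii.Error, ValueError):
            continue
        if len(data) >= len(BF_HEADER):
            blobs[name] = data
    return blobs


def scan_html(text):
    """Heuristic scan of CHM HTML: returns script indicators, per-blob flags and a verdict."""
    indicators = [i for i in INDICATORS if i in text]
    blobs = []
    for name, data in extract_b64_vars(text).items():
        blobs.append({
            "name": name,
            "size": len(data),
            "binaryformatter_header": data.startswith(BF_HEADER),
            # a serialized object that smuggles an assembly carries the raw PE bytes
            "embedded_pe": b"MZ" in data,
        })
    suspicious = any(b["binaryformatter_header"] for b in blobs) or len(indicators) >= 2
    return {"indicators": indicators, "blobs": blobs, "suspicious": suspicious}


# Constructed sample: a fake serialized stream (header, a few bytes shaped like a
# BinaryLibrary record, then an "MZ" marker) next to a benign Base64 text blob.
_PAYLOAD = (BF_HEADER + b"\x0c\x02\x00\x00\x00" + b"mscorlib, Version=4.0.0.0"
            + b"\x00" * 8 + b"MZ\x90\x00\x03\x00")
_B64 = base64.b64encode(_PAYLOAD).decode()
_TEXT_B64 = base64.b64encode(b"plain text, not a serialized object").decode()
SAMPLE_HTML = f"""<html><script language="JScript">
var stage_1 = "{_B64[:40]}" +
              "{_B64[40:]}";
var stage_2 = "{_TEXT_B64}";
var shell = new ActiveXObject("WScript.Shell");
shell.Environment("Process")("COMPLUS_Version") = "v4.0.30319";
var fmt = new ActiveXObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter");
var obj = fmt.Deserialize_2(stm);
</script></html>"""

if __name__ == "__main__":
    import json
    print(json.dumps(scan_html(SAMPLE_HTML), indent=2))
```

Run it against every .htm/.html file extracted from a CHM (7-Zip and hh.exe -decompile both unpack the container). The header check is the discriminating test: Base64 blobs are common in benign help files, but a blob that starts with the BinaryFormatter header inside a script that also sets COMPLUS_Version has no legitimate reason to exist in a help page.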
0x02 Phase I
The code for stage_1 is shown below:
stage_2 and stage_3 are functionally similar; both begin by loading a .NET module into memory:
The program first adds the download tasks to the keyValuePairs dictionary. Each key is https://muchengoss.oss-cn-hongkong.aliyuncs.com/ + remotePath, and each value is a randomly named folder under C:\Users\[current username]\Searches\ + fileName. The remotePath values are "svchost.exe", "libcef.dll", "libcef.png", "decod.exe" and "cache.dat".
The Load2 method of the Shellcode class is then called to load the shellcode.
It first determines whether the system is 64-bit or 32-bit and loads a different shellcode for each case.
0x03 Phase II
The shellcode decrypts the library name urlmon.dll at run time, loads it, and calls URLOpenBlockingStreamW to download svchost.exe, libcef.dll and libcef.png from the URLs assembled above.
It first opens the download folder with ShellExecute and then hides the folder window.
Next it uses FindWindow to locate that directory window and the shortcut file inside it.
Finally it uses SendMessage to simulate a click that runs the .lnk file.
The point of the simulated click is to break the process chain: the shortcut is launched by explorer.exe rather than by the CHM viewer process, so EDR parent/child tracking cannot tie the subsequent behaviour back to the CHM.
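Because the click makes explorer.exe the parent, a parent/child rule alone will not see the link between the CHM and svchost.exe. What still connects them is the file system: the CHM viewer writes the .exe and .lnk into a folder, and moments later explorer.exe launches an executable from that same folder. The following is an added example, not code from the report: two detection rules in Python run over constructed Sysmon-style events. It assumes the CHM is rendered by hh.exe (the Windows HTML Help viewer), so the dropped files are written by hh.exe; the event field names, the shortcut file name and the user paths are constructed for the demo.

```python
import ntpath
from datetime import datetime, timedelta

# Added example (not from the original report). Constructed sample events below.

LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def is_masquerading_svchost(ev):
    """A genuine svchost.exe lives in System32/SysWOW64 and is started by services.exe."""
    if ev["type"] != "ProcessCreate":
        return False
    image = ev["image"].lower()
    if ntpath.basename(image) != "svchost.exe":
        return False
    parent = ntpath.basename(ev["parent_image"].lower())
    return ntpath.dirname(image) not in LEGIT_SVCHOST_DIRS or parent != "services.exe"


def broken_chain_launches(events, window=timedelta(minutes=2)):
    """Correlate by directory rather than by parent PID: hh.exe drops an .exe/.lnk
    into a folder, and shortly afterwards explorer.exe (the simulated click)
    launches an executable out of that same folder."""
    drops = [e for e in events
             if e["type"] == "FileCreate"
             and ntpath.basename(e["image"].lower()) == "hh.exe"
             and e["target"].lower().endswith((".lnk", ".exe"))]
    hits = []
    for e in events:
        if e["type"] != "ProcessCreate":
            continue
        if ntpath.basename(e["parent_image"].lower()) != "explorer.exe":
            continue
        exe_dir = ntpath.dirname(e["image"].lower())
        for d in drops:
            same_dir = ntpath.dirname(d["target"].lower()) == exe_dir
            if same_dir and timedelta(0) <= e["ts"] - d["ts"] <= window:
                hits.append({"rule": "broken_process_chain", "image": e["image"],
                             "dropped_by": d["image"], "dropped_file": d["target"]})
                break
    return hits


def detect(events):
    """Run both rules and return the combined alert list."""
    alerts = [{"rule": "masquerading_svchost", "image": e["image"],
               "parent": e["parent_image"]}
              for e in events if is_masquerading_svchost(e)]
    return alerts + broken_chain_launches(events)


# Constructed timeline (not real telemetry): CHM opened in hh.exe, payloads written
# to a random folder under the user's Searches directory, then svchost.exe launched
# from there with explorer.exe as parent; followed by benign activity.
T0 = datetime(2023, 10, 16, 9, 30, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "type": "ProcessCreate",
     "image": r"C:\Windows\hh.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"ts": T0 + timedelta(seconds=5), "type": "FileCreate", "image": r"C:\Windows\hh.exe",
     "target": r"C:\Users\bob\Searches\k3f9x\svchost.exe"},
    {"ts": T0 + timedelta(seconds=5), "type": "FileCreate", "image": r"C:\Windows\hh.exe",
     "target": r"C:\Users\bob\Searches\k3f9x\libcef.dll"},
    {"ts": T0 + timedelta(seconds=6), "type": "FileCreate", "image": r"C:\Windows\hh.exe",
     "target": r"C:\Users\bob\Searches\k3f9x\svchost.lnk"},
    {"ts": T0 + timedelta(seconds=9), "type": "ProcessCreate",
     "image": r"C:\Users\bob\Searches\k3f9x\svchost.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    # benign activity that must not fire
    {"ts": T0 + timedelta(seconds=30), "type": "ProcessCreate",
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"ts": T0 + timedelta(seconds=40), "type": "ProcessCreate",
     "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The first rule fires on its own for this sample, because the dropped binary borrows the svchost.exe name but runs from a user profile folder under explorer.exe. The second rule is the one that survives a rename: whatever the dropped file is called, a write by the help viewer followed within minutes by an explorer.exe launch from the same folder is the click-simulation pattern.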
0x04 Phase III
The .lnk file's job is to start svchost.exe.
This svchost.exe (the dropped file, not the Windows system binary) imports a dozen or so functions exported by libcef.dll, a file name belonging to the Chromium Embedded Framework runtime; in the dropped libcef.dll every one of these exports jumps internally to sub_691550E0.
0x05 Phase IV
Analysis of sub_691550E0:
It decrypts libcef.png into a DLL and creates a new thread that runs the DLL's fuckyou function:
Judging by the strings in the DLL, it appears to be modified from the Gh0st RAT source code.
The data-transfer protocol is also IOCP-based.
Gets the computer's GUID.
Monitors certain applications and collects user data from Chrome, QQ Browser, Firefox, 360 Safe Browser, Sogou Browser and Skype.
Detects and terminates antivirus processes.
Modifies the registry to add a self-start entry.
Drops the file_update file, loads it into memory and runs it.
Sets UAC access policies.
Traverses files on disk.
Disguises itself as Windows update.exe.
Keylogging.
Collects system information (systeminfo).
Gets the computer's username.
Contacts ipconfig.cc to look up the host's IP address.
Communicates with the C2 at 103.210.237.33:65422.
Finally, a heartbeat packet is sent once a minute to confirm that the host is alive.
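A fixed once-a-minute heartbeat is the most detectable thing a RAT does on the wire: the inter-arrival gaps between connections to the C2 are nearly constant, whereas user-driven traffic is bursty. The following is an added example, not code from the report: a stdlib-only Python beacon detector that groups flow records by (source, destination, port) and flags sessions whose gap coefficient of variation (standard deviation over mean) is small. The flow records are constructed for the demo, using the C2 address from the report as the beacon destination; the record layout, the thresholds and the other hosts are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Added example (not from the original report). Constructed flow records below.


def find_beacons(flows, min_count=5, max_cv=0.15):
    """Group flows by (src, dst, dport) and flag sessions whose inter-arrival gaps
    are nearly constant. cv = stddev/mean of the gaps: a once-a-minute heartbeat
    gives cv close to 0, interactive traffic gives cv well above 1."""
    by_peer = defaultdict(list)
    for f in flows:
        by_peer[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    beacons = []
    for (src, dst, dport), times in by_peer.items():
        if len(times) < min_count:          # too few connections to judge regularity
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "dport": dport, "count": len(times),
                            "period_s": round(period, 1), "cv": round(cv, 3)})
    return beacons


def _series(src, dst, dport, start, gaps):
    """Build one connection series from a start time and a list of gaps in seconds."""
    out, t = [{"ts": start, "src": src, "dst": dst, "dport": dport}], start
    for g in gaps:
        t += g
        out.append({"ts": t, "src": src, "dst": dst, "dport": dport})
    return out


T0 = 1_697_448_600  # constructed epoch timestamp
SAMPLE_FLOWS = (
    # heartbeat to the C2 named in the report, once a minute with slight jitter
    _series("10.1.2.34", "103.210.237.33", 65422, T0, [60, 59, 61, 60, 60, 62, 58, 60, 61])
    # irregular browsing to an arbitrary HTTPS host (constructed)
    + _series("10.1.2.34", "142.250.74.36", 443, T0 + 7, [3, 47, 2, 120, 9, 300, 15])
    # too few connections to judge (constructed SMB traffic)
    + _series("10.1.2.34", "10.1.0.5", 445, T0 + 12, [2, 5])
)

if __name__ == "__main__":
    for beacon in find_beacons(SAMPLE_FLOWS):
        print(beacon)
```

Real implants add jitter, and long-lived TCP sessions show up as one flow rather than many, so in production this is run over connection-start timestamps from firewall or Zeek conn logs and tuned per environment; the cv threshold is the knob, and the high port 65422 with no matching DNS lookup is an extra signal worth scoring.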
Summary
Currently, the full line of QiAnXin products built on threat intelligence data from the QiAnXin Threat Intelligence Center, including the QiAnXin Threat Intelligence Platform (TIP), SkyRock, the SkyEye Advanced Threat Detection System, QiAnXin NGSOC and QiAnXin Situational Awareness, already supports accurate detection of such attacks.
IOCs
MD5
06ed2c30954614fe1e8e9e8bd4619510
d1a88258376133409e0df56740683d30
0a5b0607f6db1e8c9e3d2ca0da5c8d58
b2d085ab9171d577f8b36cf58090278b
URL
https://muchengoss.oss-cn-hongkong.aliyuncs.com/
https://muchengoss.oss-cn-hongkong.aliyuncs.com/TG.exe
https://muchengoss.oss-cn-hongkong.aliyuncs.com/cache.dat
https://muchengoss.oss-cn-hongkong.aliyuncs.com/decod.exe
https://muchengoss.oss-cn-hongkong.aliyuncs.com/libcef.dll
https://muchengoss.oss-cn-hongkong.aliyuncs.com/libcef.png
C2
103.210.237[.]33:65422