返回 TI 主页

Background

On March 17, 2019, 360 Threat Intelligence Center captured a target attack sample against the Middle East by exploiting WinRAR vulnerability (CVE-2018-20250[6]), and it seems that the attack is carried out by the Goldmouse APT group (APT-C-27). There is a decoy Word document inside the archive regarding terrorist attacks to lure the victim into decompressing. When the archive gets decompressed on the vulnerable computer, the embedded njRAT backdoor (Telegram Desktop.exe) will be extracted to the startup folder and then triggered into execution if the victim restarts the computer or performs re-login. After that, the attacker is capable to control the compromised device.

After conducting correlation analysis, we suspect the Goldmouse APT group (APT-C-27) may have a hand behind the attack. In addition, we discover multiple related Android samples that disguised as common applications to attack specific targets after performing further investigations. Considering the language being used in the malicious code is Arabic, it seems that the attacker is familiar with Arabic language as well.

Detection of the Backdoor (Telegram Desktop.exe) on VirusTotal

Sample Analysis

Below analysis is based on the sample that exploiting the WinRAR vulnerability.

Lure to Decompress

MD5 314e8105f28530eb0bf54891b9b3ff69
File Name

The compressed archive contains a decoy Word document with contents regarding to a terrorist attack. People in some place of the Middle East area suffer a lot from terrorist attacks, which make them sensitive to such incidents and may increase the possibility of decompression.

Translation of the Bait Document

When the archive gets decompressed on the vulnerable computer, the embedded backdoor will be extracted to the startup folder:

The backdoor (Telegram Desktop.exe) will be triggered into execution if the victim restarts the computer or performs re-login.

Backdoor(Telegram Desktop.exe)

File Name Telegram Desktop.exe
MD5 36027a4abfb702107a103478f6af49be
SHA256 76fd23de8f977f51d832a87d7b0f7692a0ff8af333d74fa5ade2e99fec010689
Compiler .NET

The backdoor will extract resource data to file %TEMP%\Telegram Desktop.vbs and then launch the extracted script:

The VBS script decodes hard coded Base64 string and writes decoded PE binaries to file %TEMP%\Process.exe:

Process.exe would create file 1717.txt in the %TEMP% folder and write data that subsequently will be used by the backdoor (Telegram Desktop.exe).

The backdoor (Telegram Desktop.exe) would replace special characters read from file 1717.txt:

Then decodes the data through Base64 and executes the decoded binaries directly in memory:

The final payload is a njRAT backdoor with below configurations:

njRAT

The RAT first creates a mutex to ensure only one instance is running:

Then copies itself to the path provided in the configuration when needed:

Setups environment variable and shutdowns firewall:

Starts the keylogger thread and writes output into registry:

After that, it communicates with C&C in another separate thread:

The njRAT provides functions such as remote SHELL, plug-in support, remote desktop, file management, etc.

Android Sample Analysis

Multiple related Android samples with the same C&C (82.137.255.56) are discovered by 360 Threat Intelligence Center as well:

Those recent Android backdoors are disguised as commonly used applications such as Android system and Office software update program. The analysis below is based on the one camouflaged as Office update software:

File MD5 1cc32f2a351927777fc3b2ae5639f4d5
File Name OfficeUpdate2019.apk

The malware will induce the user to activate the device manager, then hide the icon and run in the background:

Below image will be displayed after inducing the user to complete the installation:

Then the sample will get the C&C IP address and port number through the Android default SharedPreferences storage interface. If unavailable, it decodes the hard coded one:

The decoding algorithm of the above IP address:

The hard coded IP address is 82.137.255.56 and related port number is 1740:

When connects to C&C successfully, it waits for commands from remote to perform corresponding functions such as recording, photographing, GPS positioning, etc.

Below is a breakdown of supported commands:

Command ID Function
16 Heartbeat
17 Connect
18 Acquire information of a specified file
19 Download file
20 Upload file
21 Delete file
22 Copy file
23 Move file
24 Rename file
25 Execute file
28 Create directory
29 Execute command from cloud
30 Execute ping command
31 Upload contact information
32 Upload short messages
33 Upload call records
34 Start recording
35 Stop recording and upload records
36 Take a photograph
37 Start GPS positioning
38 Stop GPS positioning and upload records
39 Use IP/Port from cloud
40 Report current IP/Port
41 Acquire information of installed apps

It is worth to note that there are some Arabic strings in the code which may indicate the attackers are familiar with Arabic language as well:

Attribution

The C&C server (82.137.255.56) used by the above backdoors was used by APT-C-27 (Goldmouse) many times since 2017. We could see this through 360 Netlab’s Big Data Platform:

The C&C server is also tagged as APT-C-27 by 360 Threat Intelligence Platform (ti.360.net):

Considering there are some more similarities, such as those in module functionality, code logic, built-in language and the target population, we suspect the above samples are related to the Goldmouse APT group (APT-C-27).

Conclusion

As we have predicted, there are more and more samples leveraging the WinRAR exploit (CVE-2018-20250) and the recently captured target attack is just a tiny tip of the iceberg. We would like to remind users once again to make timely and effective measures and please refer to the below section for approaches in detail.

Mitigation Approaches

  1. The software vendor has released the latest version of WinRAR and we recommend users upgrade to the latest one (WinRAR 5.70 beta 1):

    32 Bits:http://win-rar.com/fileadmin/winrar-versions/wrar57b1.exe

    64 Bits:http://win-rar.com/fileadmin/winrar-versions/winrar-x64-57b1.exe

  2. If the patch cannot be installed at this moment, you can directly delete the vulnerable DLL (UNACEV2.DLL). This does not affect the normal usage, but just reports error when encountering ACE archives.

Products of 360 ESG can protect users from these new attacks, including 360 Threat Intelligence Platform, SkyEye APT Detection and 360 NGSOC.

IOCs

Malicious ACE Archive
314e8105f28530eb0bf54891b9b3ff69
Backdoor (Telegram Desktop.exe)
36027a4abfb702107a103478f6af49be
Process.exe
ec69819462f2c844255248bb90cae801
Backdoor MD5s
83483a2ca251ac498aac2abe682063da
9dafb0f428ef660d4923fe9f4f53bfc0
2bdf97da0a1b3a40d12bf65f361e3baa
1d3493a727c3bf3c93d8fd941ff8accd
6e36f8ab2bbbba5b027ae3347029d1a3
72df8c8bab5196ef4dce0dadd4c0887e
Android Sample
5bc2de103000ca1495d4254b6608967f(بو أيوب - القريتين أبو محمد.apk)
ed81446dd50034258e5ead2aa34b33ed(chatsecureupdate2019.apk)
1cc32f2a351927777fc3b2ae5639f4d5(OfficeUpdate2019.apk)
PDB Path
C:\Users\Albany\documents\visual studio 2012\Projects\New March\New March\obj\Debug\New March.pdb
C:\Users\Albany\documents\visual studio 2012\Projects\March\March\obj\Debug\March.pdb
C:\Users\Albany\documents\visual studio 2012\Projects\December\December\obj\Debug\December.pdb
C&C
82.137.255.56:1921
82.137.255.56:1994
82.137.255.56:1740

References

  1. https://twitter.com/360TIC
  2. https://ti.360.net/blog/articles/analysis-of-apt-c-27/
  3. https://mp.weixin.qq.com/s/dkyD2k6dqt5SYS7qLPOqfw (Unable to decrypt! Probably the first unknown ransomware (JNEC) with WinRAR exploit)
  4. https://ti.360.net/blog/articles/upgrades-in-winrar-exploit-with-social-engineering-and-encryption/
  5. https://mp.weixin.qq.com/s/Hz-uN9VEejYN6IHFBtUSRQ (Analysis of the first WinRAR exploit sample captured in the wild)
  6. https://research.checkpoint.com/extracting-code-execution-from-winrar/
  7. https://ti.360.net/advisory/articles/360ti-sv-2019-0009-winrar-rce/
APT-C-27 GOLDMOUSE TARGET ATTACK WINRAR EXPLOIT APT