On March 17, 2019, 360 Threat Intelligence Center captured a target attack sample against the Middle East by exploiting WinRAR vulnerability (CVE-2018-20250), and it seems that the attack is carried out by the Goldmouse APT group (APT-C-27). There is a decoy Word document inside the archive regarding terrorist attacks to lure the victim into decompressing. When the archive gets decompressed on the vulnerable computer, the embedded njRAT backdoor (Telegram Desktop.exe) will be extracted to the startup folder and then triggered into execution if the victim restarts the computer or performs re-login. After that, the attacker is capable to control the compromised device.
After conducting correlation analysis, we suspect the Goldmouse APT group (APT-C-27) may have a hand behind the attack. In addition, we discover multiple related Android samples that disguised as common applications to attack specific targets after performing further investigations. Considering the language being used in the malicious code is Arabic, it seems that the attacker is familiar with Arabic language as well.
Detection of the Backdoor (Telegram Desktop.exe) on VirusTotal
Below analysis is based on the sample that exploiting the WinRAR vulnerability.
Lure to Decompress
The compressed archive contains a decoy Word document with contents regarding to a terrorist attack. People in some place of the Middle East area suffer a lot from terrorist attacks, which make them sensitive to such incidents and may increase the possibility of decompression.
Translation of the Bait Document
When the archive gets decompressed on the vulnerable computer, the embedded backdoor will be extracted to the startup folder:
The backdoor (Telegram Desktop.exe) will be triggered into execution if the victim restarts the computer or performs re-login.
|File Name||Telegram Desktop.exe|
The backdoor will extract resource data to file %TEMP%\Telegram Desktop.vbs and then launch the extracted script:
The VBS script decodes hard coded Base64 string and writes decoded PE binaries to file %TEMP%\Process.exe:
Process.exe would create file 1717.txt in the %TEMP% folder and write data that subsequently will be used by the backdoor (Telegram Desktop.exe).
The backdoor (Telegram Desktop.exe) would replace special characters read from file 1717.txt:
Then decodes the data through Base64 and executes the decoded binaries directly in memory:
The final payload is a njRAT backdoor with below configurations:
The RAT first creates a mutex to ensure only one instance is running:
Then copies itself to the path provided in the configuration when needed:
Setups environment variable and shutdowns firewall:
Starts the keylogger thread and writes output into registry:
After that, it communicates with C&C in another separate thread:
The njRAT provides functions such as remote SHELL, plug-in support, remote desktop, file management, etc.
Android Sample Analysis
Multiple related Android samples with the same C&C (220.127.116.11) are discovered by 360 Threat Intelligence Center as well:
Those recent Android backdoors are disguised as commonly used applications such as Android system and Office software update program. The analysis below is based on the one camouflaged as Office update software:
The malware will induce the user to activate the device manager, then hide the icon and run in the background:
Below image will be displayed after inducing the user to complete the installation:
Then the sample will get the C&C IP address and port number through the Android default SharedPreferences storage interface. If unavailable, it decodes the hard coded one:
The decoding algorithm of the above IP address:
The hard coded IP address is 18.104.22.168 and related port number is 1740:
When connects to C&C successfully, it waits for commands from remote to perform corresponding functions such as recording, photographing, GPS positioning, etc.
Below is a breakdown of supported commands:
|18||Acquire information of a specified file|
|29||Execute command from cloud|
|30||Execute ping command|
|31||Upload contact information|
|32||Upload short messages|
|33||Upload call records|
|35||Stop recording and upload records|
|36||Take a photograph|
|37||Start GPS positioning|
|38||Stop GPS positioning and upload records|
|39||Use IP/Port from cloud|
|40||Report current IP/Port|
|41||Acquire information of installed apps|
It is worth to note that there are some Arabic strings in the code which may indicate the attackers are familiar with Arabic language as well:
The C&C server (22.214.171.124) used by the above backdoors was used by APT-C-27 (Goldmouse) many times since 2017. We could see this through 360 Netlab’s Big Data Platform:
The C&C server is also tagged as APT-C-27 by 360 Threat Intelligence Platform (ti.360.net):
Considering there are some more similarities, such as those in module functionality, code logic, built-in language and the target population, we suspect the above samples are related to the Goldmouse APT group (APT-C-27).
As we have predicted, there are more and more samples leveraging the WinRAR exploit (CVE-2018-20250) and the recently captured target attack is just a tiny tip of the iceberg. We would like to remind users once again to make timely and effective measures and please refer to the below section for approaches in detail.
The software vendor has released the latest version of WinRAR and we recommend users upgrade to the latest one (WinRAR 5.70 beta 1):
If the patch cannot be installed at this moment, you can directly delete the vulnerable DLL (UNACEV2.DLL). This does not affect the normal usage, but just reports error when encountering ACE archives.
Products of 360 ESG can protect users from these new attacks, including 360 Threat Intelligence Platform, SkyEye APT Detection and 360 NGSOC.
|Malicious ACE Archive|
|Backdoor (Telegram Desktop.exe)|
|5bc2de103000ca1495d4254b6608967f（بو أيوب - القريتين أبو محمد.apk）|
|C:\Users\Albany\documents\visual studio 2012\Projects\New March\New March\obj\Debug\New March.pdb|
|C:\Users\Albany\documents\visual studio 2012\Projects\March\March\obj\Debug\March.pdb|
|C:\Users\Albany\documents\visual studio 2012\Projects\December\December\obj\Debug\December.pdb|
- https://mp.weixin.qq.com/s/dkyD2k6dqt5SYS7qLPOqfw (Unable to decrypt! Probably the first unknown ransomware (JNEC) with WinRAR exploit)
- https://mp.weixin.qq.com/s/Hz-uN9VEejYN6IHFBtUSRQ (Analysis of the first WinRAR exploit sample captured in the wild)