
Background

Recently, QiAnXin Threat Intelligence Center has been investigating an email phishing attack targeting a Pakistani businessman working in China. The first attack of this campaign took place in May 2018, and the attackers maintained control of the target's machines for several months. This report describes the TTPs of the attack and offers remediation advice.

We first identified this APT group, which we track as APT-C-35, in 2017; it mainly targets Pakistan and other South Asian countries for cyber espionage[1]. Arbor's ASERT also published research on this group and named it 'Donot'[2]. The group attacks government agencies in pursuit of classified intelligence. We have observed at least four attack campaigns against Pakistan since 2017. Spear-phishing emails carrying Office documents that either exploit vulnerabilities or contain malicious macros are sent to victims. The attackers have developed two distinct malware frameworks, EHDevel and yty. In the latest attack, the Donot group targeted a Pakistani businessman working in China.

Phishing Attack

The attack chain is as follows:

Malware Analysis

Dropper - Excel Macros

The attackers lure the victim into opening a decoy Excel file with a malicious macro, sent as an attachment to a phishing email. When the macro runs, office_update.exe is dropped to C:\micro and executed. The decoy Excel document pretends to be a pricing list for a BMW car, which makes it easy to gain the victim's trust:

Downloader - office_update.exe

Filename office_update.exe
MD5 2320ca79f627232979314c974e602d3a

office_update.exe is a downloader: it fetches a BAT file from http://bigdata.akamaihub.stream/pushBatch:

The BAT file mainly modifies the registry for persistence and creates a hidden directory, among other things. It also downloads wlidsvcc.exe from http://bigdata.akamaihub.stream/pushAgent and saves it to the %USERPROFILE%\BackConfig\BackUp directory:

After that, office_update.exe deletes itself from the system.

Plugin - Downloader - wlidsvcc.exe

Filename wlidsvcc.exe
MD5 68e8c2314c2b1c43709269acd7c8726c

wlidsvcc.exe is also a downloader. It fetches three plugins from the C2 server, named wuaupdt.exe, kylgr.exe and svchots.exe. It creates the mutex "wlidsvcc" to ensure that only one instance runs on the system:

It then checks whether the current process path is %USERPROFILE%\BackConfig\BackUp\wlidsvcc.exe:

If the path matches, wlidsvcc.exe communicates with the C2 (bigdata.akamaihub.stream) over HTTP POST to retrieve remote commands:

If the C2 returns the command 'no', wlidsvcc.exe sleeps for 90 seconds and then contacts the C2 again:

If the 'cmdline' command is received, wlidsvcc.exe runs the plugin %USERPROFILE%\BackConfig\BackUp\wuaupdt.exe and then waits for follow-up commands:

If the command is neither 'no' nor 'cmdline', wlidsvcc.exe downloads http://bigdata.akamaihub.stream/orderMe to C:\Users\%s\BackConfig\BigData and then enters a waiting state:

Plugin executor - wuaupdt.exe

Filename Wuaupdt.exe
MD5 35ec92dbd07f1ca38ec2ed4c4893f7ed

wuaupdt.exe is a command-shell backdoor: it receives CMD commands from the C2 and executes them. It can also launch other plugins when instructed to by the attackers. All backdoor plugins are analysed in the following section.

Execute C2 commands:

Backdoor - Plugins

wuaupdt.exe launches the corresponding plugin according to the command issued by the attackers. The plugins are detailed below.

Keylogger - Kylgr.exe

Filename Kylgr.exe
MD5 88f244356fdaddd5087475968d9ac9bf
PDB path c:\users\user\documents\visualstudio2010\Projects\newkeylogger\Release\new keylogger.pdb

This plugin is a keylogger. It first creates a file named inc3++.txt in the current directory and checks whether a keylog file already exists in the %USERPROFILE%\Printers\Neighbourhood directory. If one does, it writes that log file's name and last-modification time to inc3++.txt:

If a keylog file is found in %USERPROFILE%\Printers\Neighbourhood, it is moved to the %USERPROFILE%\Printers\Neighbourhood\Spools directory:

A new keylog file is then created in %USERPROFILE%\Printers\Neighbourhood, named 'username_year_month_day(hour_minute_second)'. From then on the plugin continuously monitors mouse and keyboard activity.

When it obtains the title of the active window, it logs the title together with the keys pressed:

File listing - svchots.exe

Filename svchots.exe
MD5 14eda0837105510da8beba4430615bce

This plugin traverses drives C, D, E, F, G and H to collect filenames:

The following directories are excluded:

Then, files with the following extensions are collected:

For every file matching the above criteria, the filename and last-modification date are written to test.txt in the current directory, and the file is copied to the %USERPROFILE%\Printers\Spools directory with 'txt' appended as a new extension:

Systeminfo – spsvc.exe

Filename Spsvc.exe
MD5 2565215d2bd8b76b4bff00cd52ca81be

This plugin, packed with UPX and written in Go, collects various kinds of system information. It spawns several CMD processes to gather the information, which is saved to a file in the %USERPROFILE%\Printers\Spools directory:

Uploader – lssm.exe

Filename Lssm.exe
MD5 23386af8fd04c25dcc4fdbbeed68f8d4

The purpose of this plugin is to upload the collected information and files, stored in the %USERPROFILE%\Printers\Spools directory, to the C2 bigdata.akamaihub.stream.

Uploader – lssmp.exe

Filename lssmp.exe
MD5 b47386657563c4be9cec0c2f2c5f2f55
Digital signature COMODO CA Limited

Like lssm.exe, lssmp.exe uploads the collected information and files to the C2. It carries a digital signature:

The plugin searches the process list for explorer.exe:

It then extracts a PE file from its resource section:

The PE file is injected into the explorer.exe process and executed there:

The injected PE file has functionality similar to lssm.exe: it uploads the keystroke logs to the C2 server:

Pivoting

Other decoy documents and plugins were found to be connected with the files in this attack.

CSD_Promotion_Scheme_2018.XLS

Filename CSD_Promotion_Scheme_2018.XLS
MD5 82a5b24fddc40006396f5e1e453dc256

The decoy document is an Excel file with malicious macros. When it is opened, an Excel security warning pops up, informing the user that the file contains potentially dangerous macros:

The main function of the macro code is to drop skyep.exe into the %APPDATA% directory and skyep.bat into the C:\Skype directory, and then to execute skyep.bat:

The content of the Excel file is the same BMW pricing list:

Skyep.bat

skyep.bat creates three directories, %USERPROFILE%\Printers\Spools, %USERPROFILE%\BackConfig\BackUp and %USERPROFILE%\BackConfig\BigData, and sets them to hidden:

The BAT file also retrieves the computer name and saves it to %USERPROFILE%\BackConfig\BackUp\pcap.txt:

It also creates multiple registry entries for persistence. It then starts skyep.exe and deletes itself:
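The staging directories, helper files and naming patterns described for the plugins above (BackConfig\BackUp, BackConfig\BigData, Printers\Spools, Printers\Neighbourhood, the keylog name, the '.txt' appended by svchots.exe) and for the skyep.bat dropper here (pcap.txt, C:\Skype) are the host-side indicators a responder would sweep for. The following is an added triage example, not code from the original post or from the malware. It scores a file listing against those indicators and probes for the "wlidsvcc" mutex. Assumptions, not stated in the post: the digit widths in the keylog file name, the list of document extensions svchots.exe collects, and that a copied document keeps its original extension (report.xlsx becomes report.xlsx.txt). Python is used so the same checks run against an exported listing on any platform; the mutex probe only works on Windows. The sample listing is constructed.

```python
"""Triage a Windows file listing for the on-disk artifacts described in this report.

Added example, not code from the original post or from the malware.  Assumptions:
digit widths in the keylog name, the document extension list, and that copied
documents keep their original extension.  The sample listing is constructed.
"""
import os
import re
import sys
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List

# Directories created by the BAT droppers and used by the plugins.
STAGING_DIRS = (("backconfig", "backup"), ("backconfig", "bigdata"),
                ("printers", "spools"), ("printers", "neighbourhood"))
# Plugin names from the analysis (note the svchost.exe lookalike 'svchots.exe').
PLUGIN_NAMES = {"wlidsvcc.exe", "wuaupdt.exe", "kylgr.exe", "svchots.exe",
                "spsvc.exe", "lssm.exe", "lssmp.exe", "csrsses.exe"}
# Helper files written by the droppers and plugins.
MARKER_FILES = {"pcap.txt", "inc3++.txt", "test.txt", "test.bat"}
DROPPER_PATHS = {r"c:\micro\office_update.exe", r"c:\skype\skyep.bat"}
# Keylog name: username_year_month_day(hour_minute_second); digit widths assumed.
KEYLOG_RE = re.compile(r"^[^\\/]+_\d{4}_\d{1,2}_\d{1,2}\(\d{1,2}_\d{1,2}_\d{1,2}\)$")
# Extensions assumed to be on svchots.exe's collection list (not given in the post).
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf"}


def staging_dir(parts: Iterable[str]) -> str:
    """Return 'Parent\\Child' if the path passes through a staging directory, else ''."""
    parts = list(parts)
    lowered = [p.lower() for p in parts]
    for i in range(len(lowered) - 1):
        if (lowered[i], lowered[i + 1]) in STAGING_DIRS:
            return f"{parts[i]}\\{parts[i + 1]}"
    return ""


def classify_path(path: str) -> List[str]:
    """Return the reasons a path looks like a Donot artifact (empty if none)."""
    p = PureWindowsPath(path)
    name, lname = p.name, p.name.lower()
    reasons: List[str] = []
    if path.lower() in DROPPER_PATHS:
        reasons.append("dropper artifact")
    if lname in PLUGIN_NAMES:
        reasons.append(f"known plugin name {name}")
    staging = staging_dir(p.parts)
    if staging:
        reasons.append(f"inside staging dir {staging}")
        if lname in MARKER_FILES:
            reasons.append(f"marker file {name}")
        if KEYLOG_RE.match(name):
            reasons.append("keylogger log name pattern")
        # svchots.exe copies documents here with 'txt' appended (report.xlsx.txt).
        if lname.endswith(".txt") and PureWindowsPath(name[:-4]).suffix.lower() in DOC_EXTS:
            reasons.append("staged document copy with .txt appended")
    return reasons


def triage(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Map every suspicious path in the listing to its reasons."""
    hits: Dict[str, List[str]] = {}
    for path in paths:
        reasons = classify_path(path)
        if reasons:
            hits[path] = reasons
    return hits


def mutex_exists(name: str) -> bool:
    """Windows only: True if a named mutex such as "wlidsvcc" is currently held."""
    if sys.platform != "win32":
        return False
    import ctypes
    kernel32 = ctypes.windll.kernel32
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    SYNCHRONIZE = 0x00100000
    handle = kernel32.OpenMutexW(SYNCHRONIZE, False, name)
    if not handle:
        return False
    kernel32.CloseHandle(ctypes.c_void_p(handle))
    return True


# Constructed listing: one victim profile plus two benign paths for contrast.
SAMPLE_LISTING = [
    r"C:\micro\office_update.exe",
    r"C:\Users\ali\BackConfig\BackUp\wlidsvcc.exe",
    r"C:\Users\ali\BackConfig\BackUp\pcap.txt",
    r"C:\Users\ali\BackConfig\BigData\wuaupdt.exe",
    r"C:\Users\ali\Printers\Neighbourhood\ali_2018_6_12(9_3_41)",
    r"C:\Users\ali\Printers\Spools\Q3_pricing.xlsx.txt",
    r"C:\Users\ali\Documents\Q3_pricing.xlsx",      # benign original
    r"C:\Windows\System32\svchost.exe",             # benign; not the 'svchots' plugin
]

if __name__ == "__main__":
    listing = SAMPLE_LISTING
    profile = os.environ.get("USERPROFILE")
    if sys.argv[1:] == ["--live"] and profile:   # walk the real profile on a Windows host
        listing = [os.path.join(root, f) for root, _, files in os.walk(profile) for f in files]
    for path, reasons in triage(listing).items():
        print(path, "->", "; ".join(reasons))
    print("mutex wlidsvcc present:", mutex_exists("wlidsvcc"))
```

Run without arguments to see the constructed listing scored; `--live` walks the current %USERPROFILE% on a Windows host. The lookalike entries (svchost.exe versus svchots.exe, an original .xlsx versus its staged .xlsx.txt copy) are included so the checks can be seen to discriminate rather than match on directory names alone.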

Skyep.exe

Filename Skyep.exe
MD5 f67595d5176de241538c03be83d8d9a1
PDB C:\Users\spartan\Documents\Visual Studio 2010\Projects\downloader new 22 jun use\downloader\Release\downloader.pdb

skyep.exe, disguised as the Skype voice application, downloads csrsses.exe from http://databig.akamaihub.stream/pushBatch (the URL was still live at the time of analysis) to \BackConfig\BackUp\ and runs it:

Csrsses.exe

Filename Csrsses.exe
MD5 e0c0148ca11f988f292f527733e54fca

This file, like wlidsvcc.exe, executes commands from the C2 server. It first reads the computer name from \BackConfig\BackUp\pcap.txt:

The computer name is then formatted into the string "orderme/<computer name> - <random number>", and the C2 databig.akamaihub.stream is contacted for commands:

It inspects the Content-Type value of the response to decide what to do next. If the value is "application", it downloads a file from the C2 to the \BackConfig\BigData\ directory:

If the value is "cmdline", \BackConfig\BigData\wuaupdt.exe is executed:

If the value is "batcmd", \BackConfig\BigData\test.bat is started:
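The command channel used by wlidsvcc.exe ('no' / 'cmdline' replies, the /pushBatch, /pushAgent and /orderMe paths) and by csrsses.exe here (the "orderme/<computer name> - <random number>" beacon and the "application" / "cmdline" / "batcmd" values carried in Content-Type) leaves a distinctive footprint in proxy or web-gateway logs: the listed C2 hosts, the fixed URI paths, the beacon string, and a Content-Type header that is a bare word rather than a type/subtype media type. The following detector is an added example, not code from the original post or from the malware. It assumes a tab-separated log format (time, source, method, host, URI, status, response Content-Type), that the beacon string travels in the request URI, and that the gateway records the response Content-Type; the sample records are constructed.

```python
"""Flag proxy/web-gateway log records that match the Donot C2 traffic described above.

Added example, not code from the original post or from the malware.  Assumed log
format: tab-separated time, src, method, host, uri, status, response Content-Type.
The beacon string is assumed to travel in the request URI.  Sample records are
constructed.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# C2 infrastructure and URI paths named in the report.
C2_HOSTS = {"bigdata.akamaihub.stream", "databig.akamaihub.stream",
            "unique.fontsupdate.com", "185.236.203.236"}
C2_PATHS = {"/pushBatch", "/pushAgent", "/orderMe"}
# csrsses.exe beacon: "orderme/<computer name> - <random number>"
BEACON_RE = re.compile(r"orderme/(?P<host>[^/\s]+)\s*-\s*\d+", re.IGNORECASE)
# A real media type is "type/subtype"; the C2 answers with bare words instead
# ("application", "cmdline", "batcmd"), which never match this pattern.
MIME_RE = re.compile(r"^[\w.+-]+/[\w.+-]+")
FIELDS = ("time", "src", "method", "host", "uri", "status", "ctype")

# Constructed records: three C2 exchanges from one host, one benign request.
SAMPLE_LOG = """\
2018-06-12T09:01:13Z\t10.1.4.22\tGET\tbigdata.akamaihub.stream\t/pushBatch\t200\tapplication/octet-stream
2018-06-12T09:01:20Z\t10.1.4.22\tGET\tbigdata.akamaihub.stream\t/pushAgent\t200\tapplication/octet-stream
2018-06-12T09:03:00Z\t10.1.4.22\tPOST\tdatabig.akamaihub.stream\t/orderme/DESKTOP-PK7%20-%2048213\t200\tcmdline
2018-06-12T09:03:05Z\t10.1.4.23\tGET\twww.example.com\t/index.html\t200\ttext/html
2018-06-12T09:04:44Z\t10.1.4.22\tPOST\t185.236.203.236\t/orderMe\t200\tbatcmd
"""


def parse_record(line: str) -> Dict[str, str]:
    """Split one tab-separated record; the URI is percent-decoded for matching."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != len(FIELDS):
        raise ValueError(f"unexpected field count in {line!r}")
    rec = dict(zip(FIELDS, fields))
    rec["uri"] = unquote(rec["uri"])
    return rec


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the reasons a record looks like Donot C2 traffic (empty if none)."""
    reasons: List[str] = []
    if rec["host"].lower() in C2_HOSTS:
        reasons.append("known C2 host")
    path = rec["uri"].split("?", 1)[0]
    if path in C2_PATHS:
        reasons.append(f"C2 path {path}")
    beacon = BEACON_RE.search(rec["uri"])
    if beacon:
        reasons.append(f"orderme beacon from {beacon.group('host')}")
    ctype = rec["ctype"].strip()
    if ctype and ctype != "-" and not MIME_RE.match(ctype):
        reasons.append(f"non-MIME Content-Type {ctype!r} (command channel)")
    return reasons


def scan(log_text: str) -> List[Dict[str, object]]:
    """Run classify() over every record and keep the ones that have reasons."""
    alerts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        reasons = classify(rec)
        if reasons:
            alerts.append({"time": rec["time"], "src": rec["src"], "host": rec["host"],
                           "uri": rec["uri"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["time"], alert["src"], alert["host"], alert["uri"],
              "->", "; ".join(alert["reasons"]))
```

The host and path checks are plain IOC matching and will age with the infrastructure; the Content-Type check is the behavioural one, since the beacon reply can be recognised as a bare command word even after the attackers move domains, and it costs nothing to run against any gateway that logs response headers.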

Attribution -- Donot (APT-C-35)

By analysing the macro code, the plugins, and the domain name/IP correlations in this attack, we confirm that the Donot APT group (APT-C-35) is behind it.

Similarity of Macro Code

In March 2018, ASERT disclosed a macro sample linked to the Donot APT group[2]. That macro is very similar to the one in this attack: after the macro runs, a decoy picture is displayed.

Similarity of Plug-ins

As with previous Donot samples, the new sample downloads its plugins from the C2. It is likewise packed with UPX and written in Go, and its code logic resembles that of the earlier samples.

wuaupdt.exe from this attack also appeared in a previous Donot attack[1], and the C2 addresses are the same as those seen before.

Conclusion

The activity captured this time shows that the Donot APT group still regards Pakistan as its primary target, and has expanded its scope to Pakistani personnel and institutions in China. There are signs that the group has never stopped its attacks, and another cyber-espionage campaign could be launched soon.

QiAnXin Threat Intelligence Center advises enterprises to improve employees' security awareness through sufficient security training, especially anti-phishing training. Situational awareness, asset management and threat intelligence can significantly reduce the impact of such attacks.

For 360 ESG customers, detection of the Donot group and the related IOCs is supported by products integrated with threat intelligence, including the QiAnXin Threat Intelligence Platform, the SkyEye Advanced Threat Detection System and NGSOC.

IOC

MD5
82a5b24fddc40006396f5e1e453dc256
f67595d5176de241538c03be83d8d9a1
e0c0148ca11f988f292f527733e54fca
2320ca79f627232979314c974e602d3a
68e8c2314c2b1c43709269acd7c8726c
35ec92dbd07f1ca38ec2ed4c4893f7ed
88f244356fdaddd5087475968d9ac9bf
14eda0837105510da8beba4430615bce
2565215d2bd8b76b4bff00cd52ca81be
23386af8fd04c25dcc4fdbbeed68f8d4
b47386657563c4be9cec0c2f2c5f2f55
C&C
databig.akamaihub.stream
bigdata.akamaihub.stream
185.236.203.236
unique.fontsupdate.com
PDB path
C:\Users\spartan\Documents\Visual Studio 2010\Projects\downloader new 22 jun use\downloader\Release\downloader.pdb
C:\users\user\documents\visualstudio2010\Projects\newkeylogger\Release\new keylogger.pdb

Reference

  1. https://ti.qianxin.com/blog/articles/latest-activity-of-APT-C-35/

  2. https://asert.arbornetworks.com/donot-team-leverages-new-modular-malware-framework-south-asia/
