
Analysis of an APT-C-27 targeted attack campaign exploiting the WinRAR vulnerability

Author: admin  Date:


Background

On March 17, 2019, the 360 Threat Intelligence Center intercepted a targeted-attack sample aimed at the Middle East that exploits the WinRAR vulnerability CVE-2018-20250 [6] and is suspected to come from the "Golden Rat" APT group (APT-C-27). The malicious ACE archive carries an Office Word document that uses a terrorist attack as the lure to get the victim to extract the archive. When the victim extracts it locally with a vulnerable WinRAR, the vulnerability (a path traversal in the bundled ACE extractor UNACEV2.DLL) is triggered and the built-in backdoor program (Telegram Desktop.exe) is written into the user's Startup folder; the remote-control Trojan then runs the next time the user reboots or logs on, giving the attacker control of the victim's machine.

Through correlation analysis, the 360 Threat Intelligence Center found that the attack is suspected to be linked to the "Golden Rat" APT group (APT-C-27). Further tracing and correlation also turned up several Android malware samples tied to the group. They are mainly disguised as common applications to attack a specific target population, and text left in the malicious code by the attackers suggests that the attackers are also familiar with Arabic.

[Image: VirusTotal detection results for the backdoor program Telegram Desktop.exe]
Sample analysis

The 360 Threat Intelligence Center analyzed the sample that exploits the WinRAR vulnerability; the analysis follows.
Inducing extraction with a terrorist-attack lure
MD5: 314e8105f28530eb0bf54891b9b3ff69
File name:

The malicious archive contains an Office Word document whose content concerns a terrorist attack. Because of its political and geographic circumstances, the Middle East has suffered many terrorist attacks, so people in the region are sensitive to such incidents, which raises the chance that a victim extracts and opens the document:

[Image: translated content of the decoy document]

If the user extracts the malicious archive with a vulnerable WinRAR, the vulnerability is triggered and the built-in backdoor is written into the user's Startup folder (the per-user folder under %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup):

The dropped backdoor, Telegram Desktop.exe, then runs the next time the user reboots or logs on.
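A triage check for this delivery step, added here as an example and not taken from the 360 report: it walks the ACE header chain of an archive and flags entries whose stored file name could escape the extraction directory (absolute paths, a drive prefix repeated inside the path, `..` components, or a path into a Startup folder). The header layout is the ACE 2.0 structure as implemented by open-source ACE readers and should be verified against a real sample; `build_ace` only fabricates a minimal stored archive so the scanner runs offline, and the traversal name in it is modeled on the shape of publicly documented CVE-2018-20250 file names, not on this campaign's archive.

```python
"""Flag ACE archive entries whose file names can escape the extraction directory.

Added example, not code from the 360 report. Header layout follows the ACE 2.0
format as implemented by open-source ACE readers (an assumption to verify against
a real sample): every header starts with HEAD_CRC(2) HEAD_SIZE(2) HEAD_TYPE(1)
HEAD_FLAGS(2); the main header (type 0) then carries the '**ACE**' magic, and a
file header (type 1) carries PACK_SIZE ORIG_SIZE FTIME ATTR CRC32 TECH RESERVED
FNAME_SIZE FNAME, followed by PACK_SIZE bytes of packed data.
"""
import re
import struct

ACE_MAGIC = b"**ACE**"
HEAD_MAIN, HEAD_FILE = 0, 1
FILE_FIXED = struct.Struct("<IIIIIIHH")  # pack, orig, ftime, attr, crc32, tech, reserved, fname_size


def iter_headers(data: bytes):
    """Yield (head_type, file_name_or_None) for each header in an ACE blob."""
    magic_at = data.find(ACE_MAGIC, 0, 1 << 20)      # tolerate an SFX stub in front
    if magic_at < 7:
        raise ValueError("no ACE signature found")
    pos = magic_at - 7                                # magic sits 7 bytes into the main header
    while pos + 4 <= len(data):
        _crc, hsize = struct.unpack_from("<HH", data, pos)
        hdr = data[pos + 4:pos + 4 + hsize]
        if len(hdr) < 3:
            break                                     # truncated header
        htype = hdr[0]
        name, pack_size = None, 0
        if htype == HEAD_FILE and len(hdr) >= 3 + FILE_FIXED.size:
            fields = FILE_FIXED.unpack_from(hdr, 3)
            pack_size, fname_size = fields[0], fields[7]
            start = 3 + FILE_FIXED.size
            name = hdr[start:start + fname_size].decode("cp437", "replace")
        yield htype, name
        pos += 4 + hsize + pack_size                  # skip header and packed data


def traversal_reasons(name: str) -> list:
    """Reasons a stored name is unsafe to extract relative to the output directory."""
    n = name.replace("/", "\\")
    reasons = []
    if n.startswith("\\") or re.match(r"^[A-Za-z]:", n):
        reasons.append("absolute path")
    if re.search(r"[\\:][A-Za-z]:", n):
        reasons.append("embedded drive prefix")      # shape of the documented CVE-2018-20250 names
    if re.search(r"(^|[\\:])\.\.(\\|$)", n):
        reasons.append("parent-directory traversal")
    if re.search(r"\\Start Menu\\Programs\\Startup\\", n, re.IGNORECASE):
        reasons.append("targets a Startup folder")
    return reasons


def scan_ace(data: bytes) -> list:
    """Return [(name, reasons)] for every file entry that should not be extracted blindly."""
    return [(name, traversal_reasons(name))
            for htype, name in iter_headers(data)
            if htype == HEAD_FILE and traversal_reasons(name)]


def build_ace(entries) -> bytes:
    """Fabricate a minimal 'stored' ACE archive (constructed test data; header CRCs left at 0)."""
    def header(body: bytes) -> bytes:
        return struct.pack("<HH", 0, len(body)) + body
    main_body = (bytes([HEAD_MAIN]) + struct.pack("<H", 0) + ACE_MAGIC
                 + bytes([20, 20, 2, 0])              # ver_extract, ver_created, host, volume
                 + struct.pack("<I", 0) + b"\0" * 8)  # date, reserved
    out = header(main_body)
    for name, payload in entries:
        raw = name.encode("cp437")
        body = (bytes([HEAD_FILE]) + struct.pack("<H", 1)  # flag bit 0: size field present
                + FILE_FIXED.pack(len(payload), len(payload), 0, 0x20, 0, 0, 0, len(raw)) + raw)
        out += header(body) + payload
    return out


# Constructed sample: a harmless decoy plus an entry shaped like the documented
# CVE-2018-20250 file names (not the name from this campaign's archive).
SAMPLE_ARCHIVE = build_ace([
    ("report.docx", b"PK\x03\x04 decoy document"),
    (r"C:\C:C:../AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Telegram Desktop.exe",
     b"MZ\x90\x00 stand-in payload"),
])

if __name__ == "__main__":
    for name, reasons in scan_ace(SAMPLE_ARCHIVE):
        print(f"UNSAFE {name!r}: {', '.join(reasons)}")
```

Run the scanner on archives before they are handed to a vulnerable extractor; any hit means the entry should be quarantined, and a hit on a Startup folder path is exactly the behaviour described above. The scanner ignores header CRCs and compression, so a malformed archive is reported as a parse error rather than unpacked.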
Backdoor (Telegram Desktop.exe)
File name: Telegram Desktop.exe
MD5: 36027a4abfb702107a103478f6af49be
SHA256: 76fd23de8f977f51d832a87d7b0f7692a0ff8af333d74fa5ade2e99fec010689
Compiler: .NET

The backdoor Telegram Desktop.exe reads data from its PE resources, writes it to %TEMP%\Telegram Desktop.vbs, executes that VBS script, and then sleeps for 17 seconds to let the script finish:

The VBS script's main job is to Base64-decode an embedded string, write the decoded bytes to %TEMP%\Process.exe, and finally execute Process.exe:

Once Process.exe runs, it creates the file 1717.txt in %TEMP% and writes into it the data needed for the final stage of the backdoor, for Telegram Desktop.exe to pick up later:

Telegram Desktop.exe then reads the contents of 1717.txt and replaces the special characters in it:

Next it Base64-decodes the result and loads the decoded data in memory:
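The last two steps, strip the special characters, Base64-decode and load, are exactly what an analyst has to redo to get the in-memory stage onto disk for hashing and scanning. The following added example (mine, not code from the 360 report) does that recovery and then checks that the result is a PE and whether it is a managed (.NET) image, which njRAT is. The report's screenshot, not this page, holds the real character map, so DEMO_MAP and the fake PE used as sample input are constructed stand-ins; the real map must be read out of the Telegram Desktop.exe sample.

```python
"""Recover the in-memory stage from a 1717.txt-style drop file and check what it is.

Added example, not code from the 360 report. The report says Telegram Desktop.exe
reads 1717.txt, replaces some special characters, Base64-decodes the result and
loads it in memory; the exact replacement map is only visible in the report's
screenshot, so DEMO_MAP below is an assumed stand-in and the real map must be
taken from the sample. The PE check reads the CLR runtime header directory
(data directory 14) to tell a managed (.NET) image from a native one.
"""
import base64
import hashlib
import re
import struct

DEMO_MAP = {"!": "+", "@": "/"}   # assumed: special character -> Base64 character


def normalize_b64(text: str, replacements=None) -> str:
    """Undo the character swap, drop everything outside the Base64 alphabet, fix padding."""
    for special, real in (replacements or {}).items():
        text = text.replace(special, real)
    text = re.sub(r"[^A-Za-z0-9+/]", "", text)
    return text + "=" * (-len(text) % 4)


def recover_payload(text: str, replacements=None) -> bytes:
    return base64.b64decode(normalize_b64(text, replacements))


def pe_info(blob: bytes) -> dict:
    """Return size/hash and whether blob is a PE and, if so, a managed (.NET) one."""
    info = {"size": len(blob), "sha256": hashlib.sha256(blob).hexdigest(),
            "pe": False, "managed": False}
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 26 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    info["pe"] = True
    opt = e_lfanew + 24                               # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", blob, opt)[0]
    layout = {0x10B: (92, 96), 0x20B: (108, 112)}     # PE32 / PE32+: (NumberOfRvaAndSizes, first data dir)
    if magic not in layout:
        return info
    count_off, dirs_off = layout[magic]
    if opt + count_off + 4 > len(blob):
        return info
    ndirs = struct.unpack_from("<I", blob, opt + count_off)[0]
    clr = opt + dirs_off + 14 * 8                     # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if ndirs > 14 and clr + 8 <= len(blob):
        rva, size = struct.unpack_from("<II", blob, clr)
        info["managed"] = rva != 0 and size != 0
    return info


def _fake_managed_pe() -> bytes:
    """Constructed: the smallest header set that looks like a PE32 .NET image (not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    dos[3:6] = b"\xfb\xff\xbf"                        # encodes to '+/+/' so the swap below matters
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)  # CLR runtime header RVA/size
    return bytes(dos) + coff + bytes(opt)


FAKE_PE = _fake_managed_pe()


def demo_1717_text() -> str:
    """Constructed stand-in for %TEMP%\\1717.txt: Base64 of FAKE_PE with '+'/'/' swapped
    for '!'/'@' (the inverse of DEMO_MAP) and broken into lines."""
    b64 = base64.b64encode(FAKE_PE).decode().translate(str.maketrans("+/", "!@"))
    return "\r\n".join(b64[i:i + 40] for i in range(0, len(b64), 40))


if __name__ == "__main__":
    text = demo_1717_text()
    print("without map:", pe_info(recover_payload(text)))
    print("with map:   ", pe_info(recover_payload(text, DEMO_MAP)))
```

The without-map case is deliberately included: if the unknown characters are simply dropped instead of mapped back, the Base64 stream shifts and the output is no longer a valid PE, which is the quickest sign that the map is wrong.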

The data loaded in memory turns out to be the njRAT backdoor. Its configuration is as follows:
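Seen from the endpoint, the chain above leaves four distinct traces: the archiver process itself writing into a Startup folder, a program writing a .vbs into %TEMP%, wscript.exe running that .vbs moments later, and the script host writing and then launching an .exe from %TEMP%. The following added example (not code from the 360 report) encodes those as correlation rules over Sysmon-style FileCreate (EventID 11) and ProcessCreate (EventID 1) records; the field names follow Sysmon, but the events, hosts, paths and timestamps are constructed for the example.

```python
"""Detect the Startup-folder drop and the VBS/Process.exe staging chain in endpoint logs.

Added example, not code from the 360 report. Events are Sysmon-style dicts
(EventID 11 = FileCreate, EventID 1 = ProcessCreate) constructed here to mirror
the chain described above; field names follow Sysmon, but the paths, host names
and times are invented.
"""
import re
from datetime import datetime, timedelta

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
ARCHIVERS = {"winrar.exe", "unrar.exe", "7z.exe", "7zg.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["UtcTime"])


def detect(events, window=timedelta(seconds=60)) -> list:
    """Return (rule, host, detail) tuples for the four links of the chain."""
    alerts = []
    pending_vbs = {}   # (host, lower-case .vbs path) -> (time written, writer image)
    for e in sorted(events, key=_ts):
        host = e["Computer"]
        if e["EventID"] == 11:
            img, tgt = e["Image"], e["TargetFilename"]
            low = tgt.lower()
            if _base(img) in ARCHIVERS and STARTUP_RE.search(tgt):
                # CVE-2018-20250 style: the archiver itself plants a file in Startup
                alerts.append(("archiver_wrote_startup", host, f"{_base(img)} wrote {tgt}"))
            if TEMP_RE.search(tgt) and low.endswith(".vbs"):
                pending_vbs[(host, low)] = (_ts(e), img)
            if _base(img) in SCRIPT_HOSTS and TEMP_RE.search(tgt) and low.endswith(".exe"):
                alerts.append(("script_host_wrote_temp_exe", host, f"{_base(img)} wrote {tgt}"))
        elif e["EventID"] == 1:
            img, cmd, parent = e["Image"], e["CommandLine"].lower(), e["ParentImage"]
            if _base(img) in SCRIPT_HOSTS:
                for key, (when, writer) in list(pending_vbs.items()):
                    if key[0] == host and key[1] in cmd and _ts(e) - when <= window:
                        alerts.append(("dropped_vbs_executed", host,
                                       f"{_base(writer)} wrote {key[1]} and {_base(img)} ran it"))
                        del pending_vbs[key]
            if _base(parent) in SCRIPT_HOSTS and TEMP_RE.search(img):
                alerts.append(("temp_exe_spawned_by_script_host", host,
                               f"{_base(parent)} launched {img}"))
    return alerts


# Constructed log records, not taken from the 360 report.
_U = r"C:\Users\alice"
_STARTUP_EXE = _U + r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Telegram Desktop.exe"
_VBS = _U + r"\AppData\Local\Temp\Telegram Desktop.vbs"
_PROC = _U + r"\AppData\Local\Temp\Process.exe"
_WSCRIPT = r"C:\Windows\System32\wscript.exe"
_WINRAR = r"C:\Program Files\WinRAR\WinRAR.exe"

SAMPLE_EVENTS = [
    {"Computer": "ws01", "EventID": 11, "UtcTime": "2019-03-17T09:00:00", "Image": _WINRAR,
     "TargetFilename": _U + r"\Downloads\report.docx"},                      # normal extraction
    {"Computer": "ws01", "EventID": 11, "UtcTime": "2019-03-17T09:00:01", "Image": _WINRAR,
     "TargetFilename": _STARTUP_EXE},                                       # exploit drop
    {"Computer": "ws01", "EventID": 1, "UtcTime": "2019-03-17T12:30:00", "Image": _STARTUP_EXE,
     "CommandLine": f'"{_STARTUP_EXE}"', "ParentImage": r"C:\Windows\explorer.exe"},  # logon autostart
    {"Computer": "ws01", "EventID": 11, "UtcTime": "2019-03-17T12:30:01", "Image": _STARTUP_EXE,
     "TargetFilename": _VBS},
    {"Computer": "ws01", "EventID": 1, "UtcTime": "2019-03-17T12:30:02", "Image": _WSCRIPT,
     "CommandLine": f'wscript.exe "{_VBS}"', "ParentImage": _STARTUP_EXE},
    {"Computer": "ws01", "EventID": 11, "UtcTime": "2019-03-17T12:30:03", "Image": _WSCRIPT,
     "TargetFilename": _PROC},
    {"Computer": "ws01", "EventID": 1, "UtcTime": "2019-03-17T12:30:04", "Image": _PROC,
     "CommandLine": f'"{_PROC}"', "ParentImage": _WSCRIPT},
    {"Computer": "ws02", "EventID": 11, "UtcTime": "2019-03-17T12:31:00",  # benign: saved, never run
     "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\scratch.vbs"},
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {detail}")
```

The first rule is the high-signal one: WinRAR has no legitimate reason to create files under Start Menu\Programs\Startup, so it catches the CVE-2018-20250 drop regardless of what the payload is called. The other three fire on the staging behaviour and would also catch a repackaged build of the backdoor.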
njRAT

The memory-loaded njRAT backdoor first creates a mutex so that only one instance runs:

It then checks whether its current path matches the path set in its configuration; if not, it copies itself to that path and starts from there:

Next it disables the Windows attachment check and the firewall restrictions:

It starts a keylogging thread that writes the captured keystrokes to the registry:

It starts the communication thread, connects to the C&C address, and receives and executes commands:

The njRAT remote-control Trojan also offers a remote shell, plugin download and execution, remote desktop, file management and other functions:
Android platform sample analysis

Through VirusTotal, the 360 Threat Intelligence Center also correlated several recent Android malware samples used by APT-C-27 that use the same C&C host, 82.137.255.56 (82.137.255.56:1740):

The recent Android backdoor samples are mainly disguised as commonly used software such as an Android system update or an Office upgrade program. We take the sample disguised as an Office upgrade program as an example; the analysis follows:
File MD5: 1cc32f2a351927777fc3b2ae5639f4d5
File name: OfficeUpdate2019.apk

After launch, the Android sample induces the user to activate it as a device administrator, then hides its icon and runs in the background:

After the user completes the installation, the sample displays the following interface:

The sample then reads the C&C IP address and port from Android's standard SharedPreferences storage. If none is stored, it decodes the hard-coded default IP address and port and connects with those:

The decoding algorithm for the IP address:

The decoded IP address is 82.137.255.56; the port is obtained by adding 100 to the hard-coded value, giving the final port 1740:

Once connected to the C&C address, the sample sends a check-in packet and then receives and executes the controller's commands. It can record audio, take photos, obtain the GPS position, upload contacts, call logs, SMS messages and files, execute commands from the server, and more.

The commands and functions of the Android backdoor sample:
Command  Function
16  Heartbeat
17  Connect
18  Get basic information about a specified file
19  Download a file
20  Upload a file
21  Delete a file
22  Copy a file as instructed by the server
23  Move a file as instructed by the server
24  Rename a file as instructed by the server
25  Run a file
28  Create a directory as instructed by the server
29  Execute a command from the server
30  Execute a ping command
31  Collect and upload contacts
32  Collect and upload SMS messages
33  Collect and upload call history
34  Start audio recording
35  Stop recording and upload the recording file
36  Take a photo
37  Start GPS positioning
38  Stop GPS positioning and upload the location
39  Switch to the IP/port supplied by the server
40  Report the currently used IP/port to the server
41  Get information about installed apps

Notably, the command responses returned by the sample contain Arabic text, so we speculate that the attackers are likely familiar with Arabic:
Traceability and association

Querying the C&C address used by the captured backdoor (82.137.255.56:1921) shows that this IP has been used repeatedly by APT-C-27 (Golden Rat) since 2017, and it is suspected to be part of the group's own network assets. Multiple samples associated with the IP can be seen on the 360 Network Research Institute big-data correlation platform:

Querying the C&C address on the 360 Threat Intelligence Center threat analysis platform (ti.360.net) also returns the APT-C-27 tag:

The functional modules, code logic, language of the embedded strings, target population and network assets of the captured Windows and Android Trojan samples closely match the previously exposed APT-C-27 [2] Trojan samples. The 360 Threat Intelligence Center therefore believes that the samples intercepted this time are also tied to the "Golden Rat" APT group (APT-C-27).
Summary

As we predicted, attacks that spread malware through the WinRAR vulnerability (CVE-2018-20250) are in full swing. The 360 Threat Intelligence Center has previously observed multiple APT attacks using this vulnerability, and this targeted attack by the suspected "Golden Rat" APT group (APT-C-27) is just one of many examples of the vulnerability being used for targeted attacks. The 360 Threat Intelligence Center therefore once again reminds users to apply the protective measures promptly (see "Mitigation measures").
Mitigation measures

1. The vendor has released a fixed WinRAR build. The 360 Threat Intelligence Center recommends that users update WinRAR to the latest version (5.70 beta 1 at the time of writing) promptly. Download addresses:

32-bit: http://win-rar.com/fileadmin/winrar-versions/wrar57b1.exe

64-bit: http://win-rar.com/fileadmin/winrar-versions/winrar-x64-57b1.exe

2. If the update cannot be installed right away, the vulnerable DLL (UNACEV2.DLL) can simply be deleted from the WinRAR installation directory. This does not affect normal use, except that opening an ACE archive will then fail with an error.

At present the full range of 360 Threat Intelligence Center threat intelligence products, including the 360 Threat Intelligence Platform (TIP), Tianqing, the Tianyan Advanced Threat Detection System and 360 NGSOC, already support accurate detection of this kind of attack.
IOCs
Malicious ACE file (MD5)
314e8105f28530eb0bf54891b9b3ff69
Backdoor (Telegram Desktop.exe) (MD5)
36027a4abfb702107a103478f6af49be
Process.exe (MD5)
ec69819462f2c844255248bb90cae801
Backdoor (MD5)
83483a2ca251ac498aac2abe682063da
9dafb0f428ef660d4923fe9f4f53bfc0
2bdf97da0a1b3a40d12bf65f361e3baa
1d3493a727c3bf3c93d8fd941ff8accd
6e36f8ab2bbbba5b027ae3347029d1a3
72df8c8bab5196ef4dce0dadd4c0887e
Android samples (MD5)
5bc2de103000ca1495d4254b6608967f (بو أيوب – القريتين أبو محمد.apk)
ed81446dd50034258e5ead2aa34b33ed (chatsecureupdate2019.apk)
1cc32f2a351927777fc3b2ae5639f4d5 (OfficeUpdate2019.apk)
PDB paths
C:\Users\Albany\documents\visual studio 2012\Projects\New March\New March\obj\Debug\New March.pdb
C:\Users\Albany\documents\visual studio 2012\Projects\March\March\obj\Debug\March.pdb
C:\Users\Albany\documents\visual studio 2012\Projects\December\December\obj\Debug\December.pdb
C&C
82.137.255.56:1921
82.137.255.56:1994
82.137.255.56:1740