Hai Lotus apt Organization latest attack Sample Analysis _ Fishing

0x1 Overview

Sea Lotus (Oceanlotus) also known as APT32 or apt-c-00, is a long-term target for China and other East Asian countries (regions) of the Government, scientific research institutions, maritime enterprises and other areas of the APT organization attack. Tencent's recent threat Information center captured a recent attack sample from the organization. In this attack, the organization used the cve-2017-11882 vulnerability and combined white signature to maximize the hidden backdoor Trojan. Backdoor Trojan will be resident user computer, and according to cloud control instructions to steal confidential information or the second stage of attack.

(Attack flowchart) 0x2 load Delivery

This attack uses the CVE-2017-11882 vulnerability document, the decoy document file named "Document_gpi Invitation-unsooc China.doc", the content is a blurred picture.

(Decoy document)

After the vulnerability is triggered, the Equation Editor process will be in the "C:\Program files\microsoft-windows-diskdiagnosticresolver_2021325962" Release MicrosoftWindowsDiskDiagnosticResolver.exe, outlfltr in the directory. DAT, Rastls.dll 3 files. MicrosoftWindowsDiskDiagnosticResolver.exe has a valid signature, the original name is Dot1xtra.exe, this is a typical white and black use technology, with a valid signed EXE will automatically load Trojan file Rastls.dll.

(Signature information)

(file details) analysis of 1.rastls.dll behavior in 0x3 rats

The key module files that the organization uses in this attack add a lot of confusion, and the confusing code looks like this. This DLL loads the OUTLFLTR.DAT in the DllMain function to decrypt it and get a shellcode. A large piece of code that starts with the host EXE, the MicrosoftWindowsDiskDiagnosticResolver.exe 0x401000 (the default base address, 0x400000), is then modified to an action-free instruction that hosts EXE The instructions for the OEP position have also been modified. When the host EXE starts executing from the OEP location, it jumps to the shellcode part of the Trojan.

(Confusing code)

(The host EXE 0x401000 to be modified instruction)

(The host EXE is modified OEP near the code)

(Rastls.dll jump to Shellcode execution)

Outlfltr. After the shellcode in DAT is executed, one of the shellcode stored in the load is named {92ba1818-0119-4f79-874e-e3bf79c355b8}.dll. Then execute the exported function Dllentry of this DLL.

(DLL internal name and export function)

{92ba1818-0119-4f79-874e-e3bf79c355b8}.dll will also decrypt the Trojan feature file {A96b020f-0000-466f-a96d-a91bbf8eac96}.dll from the resource and load the DLL from it. Perform the export function Dllentry for this DLL.

(Trojan function file export function and internal file name) 2. {A96b020f-0000-466f-a96d-a91bbf8eac96}.dll Behavior analysis

After this DLL executes, will decrypt the resource to get the C2 and so on the Trojan the configuration information and 3 communication related DLL, the name is HttpProv.dll, DnsProvider.dll, HttpProv.dll respectively. Each communication DLL exports a "CreateInstance" function.

(Load Resources)

(Decryption Resource)

(function code fragment that decrypts the resource)

(PlainText content after the resource is decrypted)

After analyzing the decrypted resource, we get the value of each field in the resource and some meaning field ordinal field content 1 Unicode string "Ghijklmnop" 2 Unicode string, registry key "Software\app\" Appxbf13d4ea2945444d8b13e2121cb6b663\application "3 Unicode string, registry key" Software\app\ Appxbf13d4ea2945444d8b13e2121cb6b663\defaulticon ", storage package with the GUID 4 Unicode string" Data "5" Ghi "This value and computer user name to the mutex name 6 andreagahuvrauvin.com C2 7 byronorenstein.com C2 8 straliaenollma.xyz C2 9 0x54400 bytes of PE file with the name HttpProv.dll 0x35c00 byte PE file, the name is DnsProvider.dll 0x073a00 byte of the PE file, the name is also HttpProv.dll 12 4 bytes, the value is 0x88a36523, can be understood as version number 13 4 bytes, value is 0x13 Unicode string " 46405 ", that is, the C2 port number 15 8 bytes, hex value is" 2B CA. AF D7 One EA 59 ", the contract will take this value 16 8 bytes, hex value is" A9 03 00 30 75 00 ", according to this value sleep a certain time after the Trojan horse function

(Communication DLL Export function)

The DLL then starts the subsequent operation based on the configuration information in the resource after a certain amount of time. Subsequently, the 3 communication-related DLLs are loaded with the self loading. The functions used in self loading are mainly VirtualAlloc and rtlmovememory. The Trojan will also create a mission plan called "Microsoft-windows-diskdiagnosticresolver" to achieve permanent purpose.

(Sleep for a period of time according to the configuration information in the resource)

(allocating memory from load)

(fills memory from load)

Trojan Horse will be based on the resources of the C2, using DGA (Domain name generation algorithm) to generate communications when the domain name information, wood immediately line will be the user name, computer name, operating system and other information encrypted after the report to the C2.

(DGA the communication domain name obtained)

(first plaintext package on line)

Wood immediately after the line, according to the instructions issued by the server to perform the corresponding functions, the main functions are:

 file operations, such as creating files or directories, deleting files or directories, locating files

 Registration Table Read and write

Remote code execution, such as creating a process, executing a DLL, etc.

Setting environmental variable 0x4 traceability

From the rat communication c&c address 154.16.138.89 in the Tencent Royal Threat Information Center platform for the reverse investigation, the following results:

Select a domain name orinneamoure.com continue to check:

Can be found, the domain name by Tencent Royal threat information platform labeled Sea Lotus. and the domain name in the previous friends of the Sea Lotus report disclosed. In addition, the technology used in the attack, the network communication protocol, and the previous sea Lotus attack samples were also fully consistent. So we can confirm that the attack belonged to the Hoi Lotus apt team. 0X5 Summary

From the analysis above, we can see that the organization has deep technical accumulation in the areas of exploiting loopholes, Baigarhe using technology and code obfuscation. Backdoor Trojan not landing direct memory execution, signature program white use, Shellcode hidden executable files, changeable network communications and other technical means to greatly increase the difficulty of killing soft. Therefore, we remind the Government, enterprises and other users, do not arbitrarily open the documents of dubious origin, while installing security software.

At present, Tencent advanced threat detection system has been able to detect the connection behavior of this round attack. Imperial Advanced Threat Detection system is based on the security capabilities of Tencent Anti-Virus laboratory, relying on Tencent in the cloud and end of the massive data, developed a unique threat intelligence and malicious detection model system.

Based on the two core capabilities of behavioral protection and intelligent model, the Advanced threat detection system can detect unknown threats efficiently, and analyze the network traffic at the boundary of Intranet, and exploit and attack the vulnerabilities. Through the deployment of the Imperial Advanced Threat Detection system, the timely perception of malicious traffic, detection of phishing and remote control server address in the Enterprise network access situation, to protect the enterprise network security.

0x6 Appendix (IOCs) Hash:

02ae075da4fb2a6d38ce06f8f40e397e (DOCUMENT_GPI Invitation-unsooc China.doc)

D7C172D4A88573B7E373F2B666C011AC (GPI Invitation-unsooc China.doc)

72a5ad375401f33a5079caee18884c9d ({92ba1818-0119-4f79-874e-e3bf79c355b8}.dll)

79D06DD20768FD8CD4A043833C1F2D4B ({a96b020f-0000-466f-a96d-a91bbf8eac96}.dll) \

EC505565E4CB5A22BFD3F63E4AD83FF3 (HttpProv.dll)

2559738d1bd4a999126f900c7357b759 (HttpProv.dll)

2dfaedd9265642e430e6635f210fabb4 (DnsProvider.dll)

f775cc387a55831386e44dd00ef9723e (Rastls.dll)

B10f93cdbcdf43d4c5c5770872e239f4 (outlfltr. DAT) C&c:

Andreagahuvrauvin.com

Byronorenstein.com

Straliaenollma.xyz

Dieordaunt.com

Christienoll.xyz

Illagedrivestralia.xyz

154.16.99.85

154.16.47.41

154.16.138.89 Registration Form:

"Software\app\appxbf13d4ea2945444d8b13e2121cb6b663\defaulticon"

"Software\app\appxbf13d4ea2945444d8b13e2121cb6b663\application"

* The author: Tencent Computer Butler, reproduced please specify from freebuf.com Tencent computer Butler 119 article Grade: 7 | On an article: The Analysis and association mining of the new exploiting vulnerabilities of APT gang (apt-c-01) Next: A list of open-source software to create a SOC these comments light up OCEANLOTUSSCEO reply boring, research to study to or study our Sea lotus, have the ability to catch a ah, every day research annoying not annoying, And no technical content ... ) 67 (Lit) commented on 1 comments Oceanlotussceo 2018-05-02 reply 1 floor

Boring, research to study or to study our Sea lotus, have the ability to catch a ah, every day research boring, and no technical content ... Light Up (66)