FortiGuard Labs threat analysis report
Introduction
FortiGuard Labs has discovered a new attack targeting Chinese-speaking users that exploits known vulnerabilities in WinRAR (cve-2018-20250) and RTF files (cve-2017-11882) and bypasses normal authentication. It is a strategic watering hole attack aimed at Chinese users, spreading malware through a compromised Chinese news site. We assess it as an experimental attack in that it uses a variety of techniques and tools to narrow down the target user community.
The backdoor malware behind this attack has kept gaining features since it was first discovered in 2017. This article analyzes how the malware spreads, what it does, and how it communicates with its C2 server, and describes its development history.
Compromised Chinese news site
The compromised Chinese news site is hosted in the United States and delivers Chinese-language news to Chinese users living abroad. To protect the compromised site, identifying information about it is withheld in this article; from here on we refer to it as site 1 (victim 1).
Figure 1: red frame: link to the WinRAR exploit; blue frame: link to the fake Twitter login page
Phishing links were already embedded when we first found the compromised site. One link is disguised as the "About" page of victim 1. In addition, the "Contact us on Twitter" link led to a phishing Twitter login page.
Malicious scripts are also running on victim 1.
Figure 2: malicious script running on victim 1
Figure 3: obfuscated JS script
Normalizing and deobfuscating the JavaScript in Figure 3 shows the following. First, it checks the cookie data to verify that the visitor is on a Windows system. Next, it checks that a particular Google Analytics cookie is empty. This cookie is used by Google Analytics to distinguish user sessions, so if it is absent the visit is a first access to victim 1. Then it dynamically downloads a script from hxxps://click.clickanalytics208[.]com/s_code?cid=239&v=243BCB3D3C0ba83d41fc into victim 1. This injection allows any JS script served from that URL to run. We also found an analysis report describing fake-update attacks associated with this URL; however, we could not confirm that script attack during our investigation.
Please see that report for details.
Malware analysis
Multiple exploits
The attack starts with an exploit targeting the WinRAR vulnerability (cve-2018-20250). This exploit archive also extracts an RTF exploit file (cve-2017-11882). The attack flow is as follows.
Figure 4: WinRAR exploit (cve-2018-20250)
This backdoor malware has two infection paths.
- The WinRAR exploit (cve-2018-20250) extracts the backdoor. The blue frame in Figure 4 is its extraction path. Using the WinRAR path-traversal exploit, the archive extracts conf.exe into the Startup folder so that it runs whenever the system starts. However, conf.exe is only extracted correctly when the user name is "test", so this may be a mistake or a test build. Interestingly, conf.exe turned out to be infected with the Sality file infector: when conf.exe runs, both the backdoor payload and the Sality shellcode inside conf.exe are executed.
- The RTF exploit (cve-2017-11882) is also extracted. This file triggers the Microsoft Equation Editor vulnerability, runs regsvr32.exe to connect to 154.222.140[.]49, and downloads 123.sct, the malicious script executed in the next stage.
Figure 5: RTF exploit (cve-2017-11882)
Figure 6: script that downloads the next-stage malware
When the SCT script is executed, "hxxp://154.222.140[.]49/qq.exe" is downloaded to C:\windows\temp\conf.exe. Unlike the earlier file, this conf.exe is the backdoor malware without the Sality infection.
Another download script accesses "…". It downloads a clean Windows 64-bit file from that URL; the developer may have used it to debug the entire infection flow.
Backdoor infected with Sality
The Sality-infected backdoor payload is the same as the downloaded qq.exe. Both the backdoor code and the Sality code run when the malware executes. When we ran this sample we observed no further behaviour from the Sality C2 server, but the following connections were detected.
Figure 7: "original" backdoor connections (green) and connections caused by the Sality infection (red)
Backdoor payload
This section analyzes the backdoor payload in detail. The executable samples (dropped and downloaded) seen in this attack carry the same backdoor functionality: each dynamically loads a malicious DLL. As shown in the figure below, the DLL has three export functions.
Figure 8: malicious DLL export functions
The default name "test.dll" suggests the malware is still under development.
- Dealc: collects system information and sends it to the C2 server repeatedly.
- The second export installs the malware. There are two installation types. One registers the malware under HKCU\Software\Classes\Folder\shell\test\command, adding a malware shortcut to the folder context menu. The other persists it through HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the path %[profile data]%\mpclip.exe. Interestingly, it checks whether its own name is kphonewiz (Kingsoft Phone Wizard) or kminisite (Kingsoft Hot News Mini Site). Both are names of Chinese software made by Kingsoft, which shows that the backdoor is targeting Chinese users.
Figure 9: this interesting string indicates that the malware targets Chinese users
- Dealstreams: loads the Windows libraries before the backdoor's main processing. It collects the addresses of the Windows API functions it calls and builds a function table in memory. The library and function names are all encoded with a simple character table and a fixed index shift.
Figure 10: function table generation and a function with its name string decoded
Next, the installation path read from the registry key "Software\Microsoft\Windows\CurrentVersion\Run" is saved to the file [%profile data]/destro.
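A defender reading the installation description above usually wants a way to hunt for these artefacts on a host. The following script is an added example (not Fortinet's code and not from the sample): it evaluates registry entries against the three indicators the report gives, namely a Run value launching mpclip.exe, the value names kphonewiz / kminisite, and a custom "test" verb under Folder\shell. The constructed sample entries are made up for the demonstration; `collect_live_entries` reads the real HKCU keys via `winreg` when run on Windows and returns nothing elsewhere.

```python
"""Hunt for the persistence artefacts described in the report (added example)."""
import platform
from dataclasses import dataclass

# Indicators taken from the report text.
SUSPICIOUS_VALUE_NAMES = {"kphonewiz", "kminisite"}
SUSPICIOUS_BINARY = "mpclip.exe"
SUSPICIOUS_SHELL_VERB = r"folder\shell\test\command"


@dataclass
class RegEntry:
    key: str    # full key path, e.g. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    name: str   # value name ("" for the default value)
    data: str   # value data, usually a command line or path


def classify(entry):
    """Return the list of reasons an entry matches the report's indicators (empty if clean)."""
    reasons = []
    key, name, data = entry.key.lower(), entry.name.lower(), entry.data.lower()
    if SUSPICIOUS_BINARY in data:
        reasons.append("launches mpclip.exe")
    if name in SUSPICIOUS_VALUE_NAMES:
        reasons.append(f"value name impersonates Kingsoft software ({entry.name})")
    if SUSPICIOUS_SHELL_VERB in key:
        reasons.append("custom 'test' verb on the Folder context menu")
    return reasons


def hunt(entries):
    """Return (entry, reasons) pairs for every entry that matched at least one indicator."""
    hits = []
    for entry in entries:
        reasons = classify(entry)
        if reasons:
            hits.append((entry, reasons))
    return hits


def collect_live_entries():
    """Enumerate HKCU Run values and Folder\\shell verbs on a Windows host; [] elsewhere."""
    if platform.system() != "Windows":
        return []
    import winreg  # only available on Windows
    found = []
    run = r"Software\Microsoft\Windows\CurrentVersion\Run"
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, run) as k:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(k, i)
                except OSError:
                    break
                found.append(RegEntry("HKCU\\" + run, name, str(data)))
                i += 1
    except OSError:
        pass
    shell = r"Software\Classes\Folder\shell"
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, shell) as k:
            i = 0
            while True:
                try:
                    verb = winreg.EnumKey(k, i)
                except OSError:
                    break
                cmd_key = f"{shell}\\{verb}\\command"
                try:
                    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, cmd_key) as c:
                        data, _ = winreg.QueryValueEx(c, "")
                        found.append(RegEntry("HKCU\\" + cmd_key, "", str(data)))
                except OSError:
                    pass
                i += 1
    except OSError:
        pass
    return found


# Constructed sample entries (not taken from a real host): two malicious, one benign.
SAMPLE_ENTRIES = [
    RegEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "kphonewiz",
             r"C:\Users\test\AppData\Roaming\mpclip.exe"),
    RegEntry(r"HKCU\Software\Classes\Folder\shell\test\command", "",
             r'"C:\Users\test\AppData\Roaming\mpclip.exe" "%1"'),
    RegEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
             r"C:\Users\test\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]

if __name__ == "__main__":
    for entry, reasons in hunt(SAMPLE_ENTRIES + collect_live_entries()):
        print(f"{entry.key} [{entry.name!r}] -> {', '.join(reasons)}")
```

The matching is deliberately loose (substring on the binary name, exact match on the value names) so that a renamed profile directory does not hide the entry; tighten it to full paths if it produces noise in your environment.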
Main features
The malware's stealth features are designed to collect system information and send it to the C2 server. It can also download files and spawn a reverse shell for further attacks.
Backdoor functions:
- Collecting system information
- Disk hardware information collection
- Directory listing in a specific directory
- File list collection in a specific directory
- Collection of installed program lists
- Process list collection
- Data collection from various applications
- Collection of network adapter information
- File search
- Screenshots collection
- Generation of reverse shells
- File download
- Fetching the MD5 hash of a file
- Clipboard text collection
- Acquisition of CPU Information
C2 connection summary
The backdoor reads its C2 IP address from a fixed RVA. In this attack it attempts to connect to the following C2 address: 122.112.245.
Figure 11: fixed IP address
The malware uses two connection types: port 55556 and UDP port 8000.
Figure 12: left: data sending, decoding and checking; right: C2 connection protocol configuration
Let's look at the backdoor C2 connections from Figure 7.
First, the malware connects to 360.cn and reads 100 bytes of data, but always receives a "404 not found" response. Figure 13 shows the content check: the content is expected to look like 0x11 0x22 [data] 0x33 0x44. If the content check passes, the data is saved and used in the C2 data header. Because the content check always fails, however, this step has no effect.
Figure 13: failed content check on www.360[.]cn/status/getsign.asp
RC4 encryption of data
The backdoor's C2 data is encrypted and decrypted with RC4. The key is hard-coded.
Figure 14: RC4 encryption function and RC4 key
Next, a custom header is prepended to the data. The body is then encrypted with RC4 and sent to the C2 server.
Figure 15: example of encrypted data and the RC4 signature check
The first 8 bytes of the header are a constant value. Further analysis showed that the malware's RC4 decryption routine checks this value and does not decrypt the data if the check fails; this is how the malware ensures the RC4 routine is only applied to data in the expected format. The next four bytes are generated from the MAC address by a hash-like function and may be used to identify individual targets.
C2 connection: content type
A "content type" field in the data sent from the target to the C2 server distinguishes the kind of data or information being sent. A separate thread fetches and processes commands from the C2 server.
The malware uses the following content types.
Figure 16: content type list and the feature each one belongs to
Figure 17 summarizes how the content types are used. Other header fields describe the content: "Time" is when the data was generated, "Backfile" is the file used to store the data, and "Content length" is the total length of the data.
Figure 17: content type usage
C2 connection: processing C2 requests
C2 commands trigger functions through a dispatch mechanism. The figure below shows an example of a request that changes the file types being monitored: the byte 0x2e (red frame in Figure 18) at offset 0x0D of the C2 request data is used as a function index, and the corresponding function is called.
Figure 18: use of C2 commands to trigger functions
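To make the framing described in the RC4 section and the index-based dispatch above concrete, here is an added example of a decoder an analyst might write over captured traffic once the key has been recovered from a sample. It is not Fortinet's code and not the malware's: the 8-byte signature, the RC4 key, the MAC-to-ID function (a truncated MD5 here) and the assumption that offset 0x0D is measured in the decrypted request are all placeholders chosen for the demonstration; only the header layout (8-byte constant, 4-byte MAC-derived ID, RC4 body) and the index value 0x2e come from the report. The capture it decodes is constructed in the script.

```python
"""Decoder for C2 frames laid out as the report describes (added example, assumed constants)."""
import hashlib

FRAME_MAGIC = b"\x11\x22\x33\x44\x55\x66\x77\x88"  # hypothetical 8-byte constant signature
RC4_KEY = b"example-hardcoded-key"                  # hypothetical hard-coded RC4 key
HEADER_LEN = 12                                     # 8-byte signature + 4-byte target ID
FUNCTION_INDEX_OFFSET = 0x0D                        # per the report (assumed: in the plaintext)

# Function indexes named in the report; 0x2e changes the monitored file types (Figure 18).
HANDLERS = {0x2E: "change_monitored_file_types"}


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def target_id(mac):
    """4-byte ID derived from the MAC address. The real function is unknown; MD5 stands in."""
    return hashlib.md5(mac).digest()[:4]


def build_frame(mac, plaintext):
    """Assemble a frame in the described layout; used only to construct test captures."""
    return FRAME_MAGIC + target_id(mac) + rc4(RC4_KEY, plaintext)


def parse_frame(frame):
    """Mirror the malware's check: refuse to decrypt unless the 8-byte signature matches."""
    if len(frame) < HEADER_LEN or frame[:8] != FRAME_MAGIC:
        return None
    return frame[8:12], rc4(RC4_KEY, frame[HEADER_LEN:])


def dispatch(request):
    """Name of the handler selected by the byte at offset 0x0D (None if short or unknown)."""
    if len(request) <= FUNCTION_INDEX_OFFSET:
        return None
    return HANDLERS.get(request[FUNCTION_INDEX_OFFSET])


# Constructed capture: a "change monitored file types" request for a made-up MAC.
SAMPLE_MAC = b"\x00\x11\x22\x33\x44\x55"
SAMPLE_REQUEST = bytes(FUNCTION_INDEX_OFFSET) + b"\x2e" + b"*.doc;*.xls"
SAMPLE_CAPTURE = build_frame(SAMPLE_MAC, SAMPLE_REQUEST)


def decode_capture(frame=SAMPLE_CAPTURE):
    """Return (target id hex, handler name, argument bytes) or None when the signature fails."""
    parsed = parse_frame(frame)
    if parsed is None:
        return None
    tid, request = parsed
    return tid.hex(), dispatch(request), request[FUNCTION_INDEX_OFFSET + 1:]


if __name__ == "__main__":
    print(decode_capture())
    # A frame whose signature was altered is rejected before any decryption, as in the sample.
    print(decode_capture(b"\x00" * 8 + SAMPLE_CAPTURE[8:]))
```

The constant signature is also the detection hook: the first 8 bytes of every frame are identical across sessions, so a content-match rule on that prefix catches the traffic regardless of the RC4 key, while the 4-byte ID lets a responder group frames by infected host.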
Backdoor development
This backdoor malware has been in use since 2017. Its development timeline is shown below.
Figure 19: timeline of backdoor development
Note that the backdoor has always used the names of popular Chinese software to appear legitimate to its targets. It was originally a plain executable but changed to a DLL version in 2018. The DLL version of the backdoor is stored encrypted in the loader's data section; when the loader runs, the backdoor DLL is decrypted and loaded for execution.
The latest sample was found loading under the name "xlaccount.dll". Another interesting addition is "shadowsocks" to the list of information collected about VPN tools; Shadowsocks is used in China to get past the Great Firewall (China's internet control system). Xlaccount.dll is a known module of Xunlei Game Box, a web gaming platform developed by Xunlei.
Summary
FortiGuard Labs has investigated an attack built around the compromise of a Chinese news site. The attacker compromised the news site and injected fake links, including phishing links. At the time of writing, the malicious scripts are still being dynamically loaded and are active.
The backdoor malware used in this attack has been active since 2017, and its samples use names of common Chinese applications. In this campaign the backdoor exploits the two vulnerabilities cve-2018-20250 and cve-2017-11882 to install itself. This article has analyzed the malware's functions and C2 connections; the malware is still under development, with new features being added for further information and data collection.
FortiGuard Labs will continue to monitor the malware's development and related attacks.
- FortiGuard Lion Team
Solution
Fortinet customers are protected from the threats described above.
- The files are detected by FortiGuard Antivirus
- The malicious URLs and phishing URLs are blocked by the FortiGuard Web Filtering service
IOC
WinRAR exploit sample:
EE -
RTF exploit samples:
123.
4614 BBS / agent. NUC
Backdoor malware:
7692617edaeb5598c8a3653c44ad85aca5cf61cd7effcd4ae88af1eb057d8f08 - W32/Malicious_Behavior.SBX
6dc753cd93e1e5f205676b545dd1b9f81277f17c147a2e1bb5692560154f3ab9 - W32/Sality.E
25a2dee5c5e9d537def7a9027a799815c5796fe7513978b0335ec46ea8ac6698 - GenericRXBJ.PX!tr
46043089b8242b8b0066f7694faad8d353be1e564df1a28831102038b08859f8 - W32/Generic.AC.3F15F3!tr
e326393f0609c91a1c83b1a53c8be050966bf0d2414d0156476c27762214c752 - W32/GenKryptik.CTVY!tr
a66ec1ab17f71659965edd7aa4187ef776ca730a8c19439533c14f80ff6b45a8 - W32/GenKryptik.DGHA!tr
93d3201a560b34613327af582c76bb08cea9e74d1e02f2915b76d901e0d0b98c - W32/GenKryptik.CANP!tr
db1b203f2d169afadf026d470bc2d462ec13cfdf6fa4f3e990a460570188080e - W32/Kryptik.GHFL!tr
ad8c9192 tr1567b4c3f99f696999b
C2 URL:
hxxp://154.222.140[.]49/
Phishing URL:
hxxps://www.twitter.hnwfj[.]com/login/ - phishing
Sality C2 URLs:
hxxp://althawry[.]org/images/xs.jpg?62ba3=3639483 - Malicious
hxxp://althawry[.]org/images/xs.jpg?68697=2993697 - Malicious
hxxp://www.careerdesk[.]org/images/xs.jpg?6b4db=2637090 - Malicious
hxxp://www.careerdesk[.]org/images/xs.jpg?63cf2=3679362 - Malicious
hxxp://arthur.niria[.]biz/xs.jpg?63d8b=1635884 - Malicious
hxxp://arthur.niria[.]biz/xs.jpg?6983e=3889710 - Malicious
hxxp://amsamex[.]com/xs.jpg?640d7=1229445 - Malicious
hxxp://amsamex[.]com/xs.jpg?6a441=3046855 - Malicious
hxxp://apple-pie[.]in/images/xs.jpg?6c18d=4427650 - Malicious
hxxp://apple-pie[.]in/images/xs.jpg?2ae562=28112340 - Malicious
hxxp://ahmediye[.]net/xs.jpg?67f06=4257340 - Malicious
hxxp://ahmediye[.]net/xs.jpg?6b69d=3959685 - Malicious
hxxp://ampyazilim.com[.]tr/images/xs2.jpg?67994=3394720 - Malicious
hxxp://g2.arrowhitech[.]com/xs.jpg?66deb=421355 - Malicious
hxxp://g2.arrowhitech[.]com/xs.jpg?6e6c8=2713776 - Malicious
For more information about FortiGuard Labs and the FortiGuard Security Services portfolio, see here. FortiGuard Labs publishes a weekly Threat Intelligence Brief (in English); please subscribe. For the FortiGuard Security Rating Service, which provides security audits and best practices, see here.