In this post we show how the cyber group OceanLotus (APT32 and APT-C-00) recently used one of the publicly available exploits for
OceanLotus specializes in cyber espionage, and its main targets are countries in East Asia. The attackers craft documents that draw the victim's interest in order to persuade them to run the backdoor, and they also keep developing their tooling. The techniques used to build the lures vary from attack to attack: "double-extension" files, self-extracting archives, documents with macros, and known exploits.
Using the Microsoft Equation Editor exploit
In mid-2018, OceanLotus ran a campaign that exploited the CVE-2017-11882 vulnerability. One of the group's malicious documents was analyzed by the experts of 360 Threat Intelligence Center (
First stage
The document FW Report on demonstration of former CNRP in Republic of Korea.doc (SHA-1: D1357B284C951470066AAA7A8228190B88A5C7C3) is similar to the one mentioned in the research above. It is interesting because it targets users interested in Cambodian politics (CNRP - Cambodia National Rescue Party, dissolved at the end of 2017). Despite the .doc extension, the document is in RTF format (see the figure below), contains garbage data, and is also deformed.
Figure 1. "Garbage" in the RTF
Despite the garbage elements, Word opens this RTF file successfully. As can be seen in Figure 2, there is an EQNOLEFILEHDR structure at offset 0xC00, followed by an MTEF header and then an MTEF entry (Figure 3) for the font.
Figure 2. FONT entry values
Figure 3.
A possible overflow exists in the name field, because its size is not checked before it is copied. An overly long name triggers the vulnerability. As can be seen from the contents of the RTF file (offset 0xC26 in Figure 2), the field is filled with shellcode followed by padding instructions (0x90) and the return address 0x402114. That address lies in the main dialog routine of EQNEDT32.exe and points to a RET instruction. This makes EIP point to the start of the name field, which contains the shellcode.
Figure 4. Start of the exploit shellcode
Address 0x45BD3C holds a variable that is dereferenced until it reaches a pointer to the current MTEFData structure. The rest of the shellcode is located there.
The purpose of this shellcode is to execute a second piece of shellcode embedded in the open document. The first shellcode starts by trying to find the file handle of the open document: it iterates over all system handles (NtQuerySystemInformation with the SystemExtendedHandleInformation argument) and checks whether the handle's process ID matches the PID of the WinWord process and whether the file was opened with the access mask 0x12019F.
To confirm that the right handle was found (and not a handle to some other open document), the contents of the file are mapped with the CreateFileMapping function, and the shellcode checks whether the last four bytes of the document match "yyyy" (egg hunting). Once a match is found, the document is copied to a temporary folder (GetTempPath) as ole.dll. Then the last 12 bytes of the document are read.
Figure 5. End-of-document markers
The 32-bit value between the markers AABBCCDD and yyyy is the offset of the next shellcode. It is invoked with the CreateThread function. The extracted shellcode is the same one the OceanLotus group used previously.
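The two checks a triage script needs for this stage, the oversized MTEF FONT name at the head of the embedded Equation object and the 12-byte trailer the first-stage shellcode egg-hunts for, as an added Python example (not ESET's or the original post's code). It assumes the AABBCCDD marker is the raw bytes AA BB CC DD and that the offset is little-endian, which is consistent with the 12-byte read described above; the sample document is constructed and carries no exploit code.

```python
import re
import struct

EQN_HDR_MAGIC = b"\x1c\x00\x00\x00\x02\x00"   # EQNOLEFILEHDR: cbHdr=0x1C, version=0x00020000
EQN_HDR_LEN, MTEF_HDR_LEN, MTEF_FONT = 28, 5, 0x08
MAX_SAFE_FONT_NAME = 32       # LOGFONT face-name limit; longer names overrun the fixed buffer
EGG, MARKER = b"yyyy", b"\xaa\xbb\xcc\xdd"   # trailer egg and assumed byte form of AABBCCDD

def objdata_blobs(rtf):
    """Decode every \\objdata hex blob in the RTF into raw OLE1 bytes."""
    blobs = []
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        blobs.append(bytes.fromhex(hexdata[: len(hexdata) & ~1].decode()))
    return blobs

def font_records(blob):
    """(offset, name) of the FONT record right after each EQNOLEFILEHDR + MTEF header,
    which is where the exploit places it (a full MTEF record walk is out of scope)."""
    found = []
    for m in re.finditer(re.escape(EQN_HDR_MAGIC), blob):
        pos = m.start() + EQN_HDR_LEN + MTEF_HDR_LEN
        if pos < len(blob) and blob[pos] == MTEF_FONT:
            start = pos + 3                          # skip tag, typeface and style bytes
            end = blob.find(b"\x00", start)
            found.append((start, blob[start: end if end != -1 else None]))
    return found

def scan_rtf(rtf):
    """Flag FONT names longer than Equation Editor's buffer (the CVE-2017-11882 pattern)."""
    return [f"FONT name of {len(n)} bytes at blob offset 0x{o:X}"
            for blob in objdata_blobs(rtf) for o, n in font_records(blob)
            if len(n) > MAX_SAFE_FONT_NAME]

def stage2_offset(doc):
    """Parse the 12-byte trailer (marker, 32-bit offset, 'yyyy'); return the offset or None."""
    tail = doc[-12:]
    if len(tail) != 12 or tail[:4] != MARKER or tail[8:] != EGG:
        return None
    off = struct.unpack("<I", tail[4:8])[0]      # little-endian assumed
    return off if off < len(doc) else None       # the offset must land inside the document

def build_sample(font_name, trailer_offset=None):
    """Constructed test document (not a real sample): simplified OLE1 wrapper + MTEF FONT record."""
    ole1 = b"\x01\x05\x00\x00\x02\x00\x00\x00\x0b\x00\x00\x00Equation.3\x00" + b"\x00" * 12
    eqn = EQN_HDR_MAGIC + b"\x00" * (EQN_HDR_LEN - len(EQN_HDR_MAGIC))
    mtef = b"\x03\x01\x01\x03\x0a" + bytes([MTEF_FONT, 1, 0]) + font_name + b"\x00"
    rtf = b"{\\rtf1{\\object\\objemb{\\*\\objdata " + (ole1 + eqn + mtef).hex().encode() + b"}}}"
    if trailer_offset is not None:
        rtf += MARKER + struct.pack("<I", trailer_offset) + EGG
    return rtf
```

Running scan_rtf over a suspect RTF reports any FONT name that could not fit the editor's buffer, and stage2_offset tells an analyst where in the file the second shellcode would have to be carved from.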
Second stage
Extracting the components
File and directory names are chosen dynamically. The code randomly picks the name of an executable or DLL file in C:\Windows\system32. It then queries that file's resources and retrieves the FileDescription field, which is used as the folder name. If that fails, the code randomly picks a folder name from the directories under %ProgramFiles% or C:\Windows (via GetWindowsDirectoryW). It avoids names that could conflict with existing files and makes sure the name does not contain any of the following words: windows, Microsoft, desktop, system, system32 or syswow64. If the directory already exists, "NLS_{6 characters}" is appended to the name.
Resource 0x102 is parsed and the files are dropped into %ProgramFiles% or %AppData%, into the randomly chosen folder. The creation time is changed to match that of kernel32.dll.
For example, here are the folder and file names created when the executable C:\Windows\system32\TCPSVCS.exe is chosen as the source file.
Figure 6. Extracting the various components
The structure of resource 0x102 in the dropper is fairly complex. In a nutshell, it contains:
- the file names
- the file sizes and contents
- the compression format (COMPRESSION_FORMAT_LZNT1, used via the RtlDecompressBuffer function)
The first file is dropped as TCPSVCS.exe, which is the legitimate AcroTranscoder.exe (according to its FileDescription; SHA-1: 2896738693A8F36CC7AD83EF1FA46F82F32BE5A3).
You may have noticed that some of the DLL files are larger than 11 MB. This is because a large contiguous block of random data is placed inside the executable. It is likely that this is a way to avoid detection by some security products.
Ensuring persistence
Resource 0x101 in the dropper contains two 32-bit integers that specify how persistence is to be achieved. The value of the first one indicates how the malware will persist without administrator privileges.
Table 1. Persistence mechanism without administrator privileges
The value of the second integer indicates how the malware should persist when running with administrator privileges.
Table 2. Persistence mechanism with administrator privileges
The service name is the file name without its extension; the display name is the folder name, but if it already exists, the string "Revision 1" is appended to it (the number is incremented until an unused name is found). The operators made sure that persistence through the service is robust: if it fails, the service must be restarted after 1 second. Then the WOW64 value of the new service's registry key is set to 4, indicating that it is a 32-bit service.
A scheduled task is created through several COM interfaces: ITaskScheduler, ITask, ITaskTrigger, IPersistFile and ITaskScheduler. Essentially, the malware creates a hidden task, sets the account information to that of the current user or the administrator, and then sets the trigger.
This is a daily task with a duration of 24 hours and an interval of 10 minutes between two executions, which means it runs continuously.
The malicious bit
In our example, the executable TCPSVCS.exe (AcroTranscoder.exe) is legitimate software that loads the DLLs dropped alongside it. In this case the interesting one is Flash Video Extension.dll.
Its DLLMain function simply calls another function. Some fuzzy predicates are present:
Figure 7. Fuzzy predicates
After these misleading checks, the code obtains the .text section of TCPSVCS.exe, changes its protection to PAGE_EXECUTE_READWRITE and rewrites it by adding dummy instructions:
Figure 8. Sequence of instructions
Finally, at the address of the function FLVCore::Uninitialize(void), exported by Flash Video Extension.dll, a CALL instruction is added. This means that once the malicious DLL is loaded, when the runtime calls WinMain in TCPSVCS.exe, the instruction pointer will land on a NOP sled leading to FLVCore::Uninitialize(void), the next stage.
That function simply creates a mutex beginning with {181C8480-A975-411C-AB0A-630DB8B0A221} followed by the current user name. It then reads the dropped *.db3 file, which contains position-independent code, and uses CreateThread to execute its contents.
The contents of the *.db3 file are the shellcode the OceanLotus group usually uses. We successfully unpacked its payload using the emulator script we published
The script extracts the final stage. This component is a backdoor that we have already analyzed in the {A96B020F-0000-466F-A96D-A91BBF8EAC96} binary. The malware configuration is still encrypted in a PE resource. It has roughly the same configuration, but the C&C servers differ from the previous ones:
- andreagahuvrauvin[.]com
- byronorenstein[.]com
- stienollmache[.]xyz
The OceanLotus group once again demonstrates a combination of different techniques to avoid detection. They came back with a "refined" version of the infection process. By choosing random names and padding the executables with random data, they reduce the number of reliable IoCs (based on hashes and file names). Moreover, thanks to the use of third-party DLL loading, the attackers only need to remove the legitimate AcroTranscoder binary.
Self-extracting archives
After the RTF documents, the group moved on to self-extracting (SFX) archives with document icons to further mislead the user. Threatbook wrote about this ({A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll). Since mid-January 2019, OceanLotus has reused these techniques, but changed some of the configuration over time. In this section we discuss the techniques and the changes.
Creating a lure
The file THICH-THONG-LAC-HANH-THAP-THIEN-VIET-NAM (1).EXE (SHA-1: AC10F5B1D5ECAB22B7B418D6E98FA18E32BBDEAB) was first seen in 2018. This SFX file was crafted with care: in its description (Version Info) it claims to be a JPEG image. The SFX script looks like this:
Figure 9. SFX commands
The malware drops {9ec60ada-a200-4159-b310-8071892ed0c3}.ocx (SHA-1: EFAC23B0E6395B1178BCF7086F72344B24C04DCC), together with the image 2018 thich thong lac.jpg.
The decoy image looks like this:
Figure 10. Decoy image
You may have noticed that the first two lines of the SFX script call the OCX file twice, but this is not a mistake.
{9ec60ada-a200-4159-b310-8071892ed0c3}.ocx (ShLd.dll)
The control flow of the OCX file is very similar to that of other OceanLotus components: many JZ/JNZ and PUSH/RET instructions alternating with junk code.
Figure 11. Obfuscated code
After filtering out the junk code, the DllRegisterServer export, which regsvr32.exe calls, looks as follows:
Figure 12. Basic installer code
Essentially, on the first call the DllRegisterServer export sets the registry value HKCU\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model to an encrypted offset inside the DLL (0x10001DE0).
When the function is called a second time, it reads that same value and executes at that address. From there, the resource is read and various operations are carried out in memory.
The shellcode is the same PE loader used in previous OceanLotus campaigns. It can be emulated; it loads db293b825dcc419ba7dc2c49fa2757ee.dll into memory and executes DllEntry.
The DLL extracts the contents of its resource, decrypts it (AES-256-CBC) and decompresses it (LZMA). The resource has a specific format that is easy to parse.
Figure 13. Installer configuration structure (KaitaiStruct Visualizer)
The configuration is clearly defined: depending on the privilege level, the binary is written to %appdata%\Intel\logs\BackgroundUploadTask.cpl or %windir%\System32\BackgroundUploadTask.cpl (or SysWOW64 on 64-bit systems).
Further persistence is ensured by creating a task named BackgroundUploadTask[junk].job, where [junk] stands for a set of bytes 0x9D and 0xA0.
The task's application name is %windir%\System32\control.exe, and the parameter value is the path to the dropped binary. The hidden task runs every day.
Structurally, the CPL file is a DLL with the internal name ac8e06de0a6c4483af9837d96504127e.dll, which exports the function CPlApplet. This file decrypts its only resource, {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll, then loads that DLL and calls its only export, DllEntry.
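The persistence traits from the service and scheduled-task description earlier (WOW64 = 4, the "Revision N" and NLS_ collision suffixes, a 1-second restart, a hidden daily task repeating every 10 minutes for 24 hours) and from the BackgroundUploadTask[junk].job / control.exe .cpl variant above, turned into hunting rules as an added Python example (not ESET's code). The task and service records are constructed dicts standing in for whatever your inventory tooling collects; the NLS_ suffix charset and the record field names are assumptions.

```python
import re

# Traits of the two persistence paths the report describes (constructed rule set, not ESET's code).
JUNK_BYTES = {0x9D, 0xA0}                     # bytes padded into BackgroundUploadTask[junk].job
DROP_DIRS = ("%programfiles%", "%appdata%")   # where the dropper writes its randomly named folder
REVISION_RE = re.compile(r" Revision \d+$")   # display-name suffix added on a name collision
NLS_RE = re.compile(r"\\NLS_[^\\]{6}\\")      # folder suffix "NLS_{6 chars}" (charset assumed)

def task_findings(task):
    """Match one scheduled-task record (dict) against the task traits described above."""
    found = []
    if any(b in JUNK_BYTES for b in task["name"].encode("latin-1", "replace")):
        found.append("task name padded with 0x9D/0xA0 bytes")
    app = task.get("application", "").lower()
    args = task.get("parameters", "").lower()
    if app.endswith("control.exe") and args.endswith(".cpl"):
        found.append("control.exe launching a .cpl: " + args)
    trig = task.get("trigger", {})
    if (task.get("hidden") and trig.get("type") == "daily"
            and trig.get("duration_minutes") == 24 * 60 and trig.get("interval_minutes") == 10):
        found.append("hidden daily task repeating every 10 min for 24 h (runs continuously)")
    return found

def service_findings(svc):
    """Match one service record (dict) against the service traits described above."""
    found = []
    path = svc.get("image_path", "")
    if svc.get("wow64") == 4 and path.lower().startswith(DROP_DIRS):
        found.append("32-bit service (WOW64=4) running from " + path)
    if REVISION_RE.search(svc.get("display_name", "")):
        found.append("display name carries the 'Revision N' collision suffix")
    if NLS_RE.search(path):
        found.append("binary lives in an NLS_{6 chars} collision folder")
    if svc.get("restart_delay_ms") == 1000:
        found.append("failure action restarts the service after 1 second")
    return found

if __name__ == "__main__":   # constructed records, not real telemetry
    task = {"name": "BackgroundUploadTask\x9d\xa0", "hidden": True,
            "application": r"%windir%\System32\control.exe",
            "parameters": r"%appdata%\Intel\logs\BackgroundUploadTask.cpl",
            "trigger": {"type": "daily", "duration_minutes": 1440, "interval_minutes": 10}}
    svc = {"display_name": "Example Transcoder Revision 1", "wow64": 4, "restart_delay_ms": 1000,
           "image_path": r"%ProgramFiles%\Example Transcoder\NLS_ab12cd\TCPSVCS.exe"}
    print(task_findings(task), service_findings(svc), sep="\n")
```

Each rule on its own is weak (legitimate 32-bit services and control.exe tasks exist), so treat the findings as a score to triage, not as a verdict.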
Backdoor configuration file
The backdoor configuration is encrypted and embedded in its resource. The structure of the configuration file is very similar to the previous one.
Figure 14. Backdoor configuration structure (KaitaiStruct Visualizer)
Although the structure is similar, many of the field values were updated from those seen in
The first element of the binary array contains a DLL (HttpProv.dll, MD5: 2559738D1BD4A999126F900C7357B759),
Further research
While collecting samples, we noticed some characteristics. The sample just described appeared around July 2018, and others like it appeared more recently, between mid-January and early February 2019. The SFX archive was used as the infection vector, dropping a legitimate decoy document and a malicious OCX file.
Although OceanLotus uses fake timestamps, we noticed that the timestamps of the SFX and OCX files are always the same (0x57B0C36A (08/14/2016 @ 7:15pm UTC) and 0x498BE80F (02/06/2009 @ 7:34am UTC) respectively). This probably indicates that the authors have some kind of "builder" that uses the same templates and only changes some characteristics.
Among the documents we have studied since the beginning of 2018, many names point to the countries of interest to the attackers:
- New Contact Information Of Cambodia Media(New).xls.exe
- 李建香 (个人简历).exe (fake PDF document of a CV)
- feedback, Rally in USA from July 28-29, 2018.exe
Since the backdoor {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll was discovered and its analysis published by several researchers, we have noticed some changes in the malware configuration data.
First, the authors started stripping the names from the helper DLLs (DNSprov.dll and two versions of HttpProv.dll). The operators then dropped the third DLL (the second version of HttpProv.dll), choosing to embed only one.
Second, many backdoor configuration fields were changed, probably to evade detection now that many IoCs were known. The important fields modified by the authors include:
- the AppX registry key (see IoCs)
- the mutex encoding strings ("def", "abc", "ghi")
- the port number
Finally, every new version analyzed has new C&Cs, listed in the IoCs section.
Conclusion
OceanLotus keeps evolving. The cyber group is focused on refining and expanding its tools and lures. The authors disguise the malicious payloads with documents whose content is relevant to the victims. They develop new schemes and also use publicly available tools, such as the Equation Editor exploit. Moreover, they are improving their tools to reduce the number of artifacts left on the victims' machines, thereby lowering the chance of detection by antivirus software.
Indicators of compromise
Indicators of compromise and MITRE ATT&CK characteristics are available
Source: www.hab.com