In this article, we describe how the OceanLotus cyber group (APT32 and APT-C-00) recently used one of the publicly available exploits for a memory corruption vulnerability in Microsoft Office, and how the group's malware achieves persistence on compromised systems without leaving traces. We then describe how, since the beginning of 2019, the group has been using self-extracting archives to run code.
OceanLotus specializes in cyber espionage, mostly targeting countries in Southeast Asia. The attackers forge documents that lure victims into running a backdoor, and they also develop their own tools. The methods used to create decoys differ from attack to attack: documents with double extensions, self-extracting archives, documents with macros, and even known exploits.

Using an exploit in Microsoft Equation Editor
In mid-2018, OceanLotus ran a campaign exploiting the CVE-2017-11882 vulnerability. One of the cyber group's malicious documents was analyzed by researchers at 360 Threat Intelligence Center, whose report includes a detailed description of the exploit. The text below describes a similar malicious document.
First stage
The document FW Report on demonstration of former CNRP in Republic of Korea.doc (SHA-1: D1357B284C951470066AAA7A8228190B88A5C7C3) is similar to the one mentioned in the study above. It is interesting because it targets users interested in Cambodian politics (CNRP - Cambodia National Rescue Party, which was dissolved at the end of 2017). Despite the .doc extension, this document is in RTF format (see the figure below), contains junk code, and is also corrupted.

Figure 1. "Garbage" in the RTF
Despite the corrupted objects, Word successfully opens this RTF file. As Figure 2 shows, there is an EQNOLEFILEHDR structure at offset 0xC00, followed by an MTEF header, and then an MTEF entry (Figure 3) for the font.

Figure 2. FONT entry values

Figure 3.
A buffer overflow can occur in the font name field, since its size is not checked before copying. An overlong name triggers the vulnerability. As can be seen from the contents of the RTF file (offset 0xC26 in Figure 2), the buffer is filled with shellcode followed by a dummy instruction (0x90) and the return address 0x402114. That address is a gadget in EQNEDT32.exe pointing to a RET instruction. This makes EIP point to the beginning of the font name field, which contains the shellcode.

Figure 4. Beginning of the exploit shellcode
Address 0x45BD3C holds a variable that is dereferenced until a pointer to the currently loaded MTEFData structure is reached. The rest of the shellcode is located here.
The purpose of the shellcode is to execute a second piece of shellcode embedded in the open document. First, the original shellcode tries to find the file handle of the open document by iterating over all system handles (NtQuerySystemInformation with the SystemExtendedHandleInformation argument) and checks whether the handle's process PID matches the WinWord process PID and whether the document was opened with the access mask 0x12019F.
To make sure the right handle has been found (and not the handle of another open document), the contents of the file are mapped using the CreateFileMapping function, and the shellcode checks whether the last four bytes of the document match "yyyy" (egg hunting technique). Once a match is found, the document is copied to a temporary folder (GetTempPath) as ole.dll. Then the last 12 bytes of the document are read.
Figure 5. End-of-document markers
The 32-bit value between the markers AABBCCDD and yyyy is the offset of the next shellcode, which is invoked using the CreateThread function. The same shellcode that the OceanLotus group used before is extracted. The emulator script we published in March 2018 still works for dumping the second stage.
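As an added illustration of the first-stage layout just described (not part of the original article, and not ESET's or the 360 team's tooling), the following Python checks an Equation Editor object the way a document-triage tool would: it validates the EQNOLEFILEHDR header, walks the MTEF bytes for a FONT record whose name is too long to fit a bounded copy, and looks for the 12-byte trailer (marker, 32-bit offset, "yyyy") that this sample family uses to locate its second stage. The header layout, the 32-byte threshold, the reading of the AABBCCDD marker as four raw bytes, and every sample byte are my assumptions or constructed test input.

```python
"""Defensive triage for an Equation Editor object (added example, not ESET's code).

Walks the EQNOLEFILEHDR + MTEF bytes that an RTF \\objdata stream decodes to,
flags a FONT record whose name could overrun a bounded stack copy, and checks
for the 12-byte 'egg' trailer used to locate the second stage. All sample
bytes below are constructed; nothing here carries a payload.
"""
import struct

EQNOLEFILEHDR_LEN = 0x1C    # cbHdr, first WORD of the 28-byte EQNOLEFILEHDR
MTEF_HEADER_LEN = 5         # MTEF v3 header: version, platform, product, version, subversion
FONT_RECORD_TAG = 0x08      # MTEF FONT record: tag, tface, style, NUL-terminated name
MAX_SANE_FONT_NAME = 32     # assumption: legitimate font names stay well below this

EGG_MARKER = b"yyyy"                        # last four bytes of the document
TRAILER_MAGIC = bytes.fromhex("AABBCCDD")   # assumption: the AABBCCDD marker as 4 raw bytes
TRAILER_LEN = 12                            # marker(4) + little-endian offset(4) + "yyyy"(4)


def parse_equation_object(blob):
    """Parse EQNOLEFILEHDR + MTEF header and measure the longest FONT record name."""
    if len(blob) < EQNOLEFILEHDR_LEN + MTEF_HEADER_LEN:
        raise ValueError("too short for EQNOLEFILEHDR + MTEF header")
    (cb_hdr,) = struct.unpack_from("<H", blob, 0)
    if cb_hdr != EQNOLEFILEHDR_LEN:
        raise ValueError("unexpected cbHdr 0x%X" % cb_hdr)
    (cb_object,) = struct.unpack_from("<I", blob, 8)   # cbObject: size of the MTEF data
    mtef_version, platform, product = blob[EQNOLEFILEHDR_LEN:EQNOLEFILEHDR_LEN + 3]
    records = blob[EQNOLEFILEHDR_LEN + MTEF_HEADER_LEN:]
    # Heuristic walk: each 0x08 byte is a candidate FONT tag, and the NUL-terminated
    # name after tag+tface+style is measured. A full MTEF record walker would be
    # stricter; for triage only the longest candidate name matters.
    longest = 0
    pos = records.find(bytes([FONT_RECORD_TAG]))
    while pos != -1:
        name_start = pos + 3
        nul = records.find(b"\x00", name_start)
        name_end = nul if nul != -1 else len(records)
        longest = max(longest, name_end - name_start)
        pos = records.find(bytes([FONT_RECORD_TAG]), pos + 1)
    return {"cb_object": cb_object, "mtef_version": mtef_version,
            "platform": platform, "product": product, "longest_font_name": longest}


def equation_object_suspicious(blob):
    """True when the object is malformed or a FONT name could overrun a bounded copy."""
    try:
        info = parse_equation_object(blob)
    except ValueError:
        return True
    return info["longest_font_name"] > MAX_SANE_FONT_NAME


def second_stage_offset(doc):
    """Return the offset stored in the egg trailer, or None when there is no such trailer."""
    if len(doc) < TRAILER_LEN or not doc.endswith(EGG_MARKER):
        return None
    trailer = doc[-TRAILER_LEN:]
    if trailer[:4] != TRAILER_MAGIC:
        return None
    (offset,) = struct.unpack("<I", trailer[4:8])
    return offset if offset < len(doc) - TRAILER_LEN else None


def _build_blob(font_name):
    """Constructed test object: EQNOLEFILEHDR, MTEF v3 header, SIZE record, FONT record."""
    mtef = (bytes([3, 1, 1, 3, 0x0A]) + bytes([0x0A, 0x01])
            + bytes([FONT_RECORD_TAG, 1, 1]) + font_name + b"\x00")
    header = struct.pack("<HIHIIIII", EQNOLEFILEHDR_LEN, 0x00020000, 0xC49E, len(mtef), 0, 0, 0, 0)
    return header + mtef


BENIGN_BLOB = _build_blob(b"Arial")
OVERLONG_BLOB = _build_blob(b"A" * 48)      # constructed: oversized name only, no payload
EGG_DOC = (b"{\\rtf1 constructed decoy}" + b"\x00" * 0x1000
           + TRAILER_MAGIC + struct.pack("<I", 0x400) + EGG_MARKER)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_BLOB), ("overlong", OVERLONG_BLOB)):
        info = parse_equation_object(blob)
        print(label, info["longest_font_name"], equation_object_suspicious(blob))
    print("second stage at", second_stage_offset(EGG_DOC))
```

The FONT walk is deliberately loose (any 0x08 byte is a candidate) so that junk-filled or corrupted objects, such as the one in Figure 1, do not escape the check; a production tool would pair this with a full MTEF record walker and with extraction of the \objdata stream from the RTF itself.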
Second stage
Dropping the artifacts
File and folder names are chosen dynamically. The code randomly selects the name of an executable or DLL in C:\Windows\system32. It then queries that file's resources and retrieves the FileDescription field to use as the folder name. If that does not work, the code randomly selects a folder name from the folders in %ProgramFiles% or C:\Windows (from GetWindowsDirectoryW). It avoids names that would conflict with existing files and makes sure the name does not contain any of the following words: windows, Microsoft, desktop, system, system32 or syswow64. If the folder already exists, "NLS_{6 characters}" is appended to the name.
Resource 0x102 is parsed and the files are dropped into %ProgramFiles% or %AppData%, into a randomly chosen folder. The creation time is changed to the same value as that of kernel32.dll.
As an example, here are the folder and the list of files created when the executable C:\Windows\system32\TCPSVCS.exe is chosen as the data source.

Figure 6. Dropping the various artifacts
The structure of this dropper's resource 0x102 is quite complex. In a nutshell, it contains:
- the file names
- the size and contents of the files
- the compression format (COMPRESSION_FORMAT_LZNT1, used by the RtlDecompressBuffer function)
The first file is dropped as TCPSVCS.exe, which is the legitimate AcroTranscoder.exe (according to its FileDescription; SHA-1: 2896738693A8F36CC7AD83EF1FA46F82F32BE5A3).
You may have noticed that some of the DLL files are larger than 11 MB. This is because a very large block of random data is placed inside the file. This is probably a way to evade detection by some security products.
Ensuring persistence
Resource 0x101 of the dropper contains two 32-bit integers that determine how persistence is to be achieved. The value of the first integer indicates how the malware achieves persistence without administrator privileges.

Table 1. Persistence method without administrator privileges
The value of the second integer indicates how the malware achieves persistence when running with administrator privileges.

Table 2. Persistence method with administrator privileges
The service name is the file name without the extension; the display name is the folder name, but if it already exists, the string "Revision 1" is appended (the number is incremented until an unused name is found). The operators made sure that persistence through the service is robust: if a failure occurs, the service is to be restarted after 1 second. Then the WOW64 value of the new service's registry key is set to 4, indicating that it is a 32-bit service.
A scheduled task is created through several COM interfaces: ITaskScheduler, ITask, ITaskTrigger, IPersistFile and ITaskScheduler. Essentially, the malware creates a hidden task, sets the account information to that of the current user or of the administrator, and then sets the trigger.
This is a daily task with a duration of 24 hours and an interval of 10 minutes between two executions, which means it runs continuously.
The malicious bit
In our example, the executable TCPSVCS.exe (AcroTranscoder.exe) is legitimate software that loads the DLLs dropped alongside it. In this case, the DLL of interest is Flash Video Extension.dll.
Its DLLMain function just calls another function. Some fuzzy predicates are present:

Figure 7. Fuzzy predicates
After these bogus checks, the code obtains the .text section of TCPSVCS.exe, changes its protection to PAGE_EXECUTE_READWRITE and overwrites it by adding dummy instructions:

Figure 8. Sequence of instructions
A CALL to the address of the function FLVCore::Uninitialize(void), exported by Flash Video Extension.dll, is appended at the end. This means that after the malicious DLL is loaded, when the runtime calls WinMain in TCPSVCS.exe, the instruction pointer lands on the NOPs, leading to FLVCore::Uninitialize(void), the next stage.
The function simply creates a mutex whose name starts with {181C8480-A975-411C-AB0A-630DB8B0A221}, followed by the current user name. It then reads the dropped *.db3 file, which contains position-independent code, and uses CreateThread to execute its contents.
The contents of the *.db3 file are the shellcode commonly used by the OceanLotus group. We successfully unpacked its payload again using the emulator script we published.
The script extracts the final stage. This component is the backdoor we have already analyzed, as can be determined from the GUID {A96B020F-0000-466F-A96D-A91BBF8EAC96} in the binary. The malware configuration is still encrypted in a PE resource. It has the same configuration, but the C&C servers differ:
- andreagahuvrauvin[.]com
- byronorenstein[.]com
- stienollmache[.]xyz
The OceanLotus group once again demonstrates a combination of various techniques to evade detection. They came back with a "polished" infection scheme. By choosing random names and filling files with random data, they reduce the number of reliable IoCs (based on hashes and file names). Furthermore, thanks to third-party DLL loading, the attackers only need to drop the legitimate AcroTranscoder binary.
Self-extracting archives
After the RTF files, the group switched to self-extracting (SFX) archives with common document icons to further confuse the user. Threatbook has written about this. Once run, the self-extracting RAR files drop and execute DLLs with the .ocx extension, whose final payload is the previously documented {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll. Since mid-January 2019, OceanLotus has been reusing this technique, but has changed some of the configuration over time. In this section, we discuss the technique and the changes.
Creating a decoy
The document THICH-THONG-LAC-HANH-THAP-THIEN-VIET-NAM (1).EXE (SHA-1: AC10F5B1D5ECAB22B7B418D6E98FA18E32BBDEAB) was first seen in 2018. This SFX file was cleverly crafted: in its description (Version Info) it claims to be a JPEG image. The SFX script looks like this:

Figure 9. SFX commands
The malware drops {9ec60ada-a200-4159-b310-8071892ed0c3}.ocx (SHA-1: EFAC23B0E6395B1178BCF7086F72344B24C04DCC), together with an image, 2018 thich thong lac.jpg.
The decoy image looks like this:

Figure 10. Decoy image
You may have noticed that the first two lines of the SFX script call the OCX file twice, but this is not a mistake.
{9ec60ada-a200-4159-b310-8071892ed0c3}.ocx (ShLd.dll)
The control flow of the OCX file is very similar to other OceanLotus components: many JZ/JNZ and PUSH/RET instruction sequences, interleaved with junk code.

Figure 11. Obfuscated code
After filtering out the junk code, the export DllRegisterServer, called by regsvr32.exe, looks as follows:

Figure 12. Main installer code
Essentially, on the first call to DllRegisterServer, the export sets the registry value HKCU\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model to the offset of the encrypted blob in the DLL (0x10001DE0).
When the function is called a second time, it reads the same value and executes at that address. From there, the resource is read and executed, performing numerous actions in memory.
The shellcode is the same PE loader used in previous OceanLotus campaigns. It can be emulated as before. Finally, it drops db293b825dcc419ba7dc2c49fa2757ee.dll, loads it into memory and executes DllEntry.
The DLL extracts the contents of its resource, decrypts it (AES-256-CBC), and unpacks it (LZMA). The resource has a specific format that is easy to decompile.

Figure 13. Installer configuration structure (KaitaiStruct Visualizer)
The configuration is laid out explicitly: depending on the privilege level, the binary is written to %appdata%\Intel\logs\BackgroundUploadTask.cpl or %windir%\System32\BackgroundUploadTask.cpl (or SysWOW64 on 64-bit systems).
Next, persistence is ensured by creating a task named BackgroundUploadTask[junk].job, where [junk] is a set of 0x9D and 0xA0 bytes.
The task's application name is %windir%\System32\control.exe, and the parameter value is the path to the dropped binary. The hidden task runs every day.
Structurally, the CPL file is a DLL with the internal name ac8e06de0a6c4483af9837d96504127e.dll, which exports the function CPlApplet. This file decrypts its only resource, {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll, then loads that DLL and calls its only export, DllEntry.
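The BackgroundUploadTask persistence above gives a defender three concrete traits to hunt for in a scheduled-task inventory. The Python below is an added example, not ESET's code: it scores constructed task records for non-printable bytes in the .job name, for control.exe launching a .cpl, for a .cpl kept under the user profile, and for the hidden flag. The TaskRecord fields and the sample records are mine.

```python
"""Hunting for scheduled tasks shaped like the installer's persistence (added example).

The inventory format is assumed: one record per task, with the raw on-disk .job
file name as bytes (the junk bytes are not valid text), the application path,
the parameter string and the hidden flag. Sample records are constructed.
"""
import ntpath
from dataclasses import dataclass


@dataclass
class TaskRecord:
    job_name: bytes       # raw .job file name from the Tasks folder
    application: str      # task's application path
    parameters: str       # task's parameter string
    hidden: bool


def task_findings(task):
    """Return the reasons this task deserves attention (empty when nothing matches)."""
    reasons = []
    # Trait 1: junk bytes (e.g. 0x9D, 0xA0) in the task name, outside printable ASCII.
    junk = sorted({b for b in task.job_name if b < 0x20 or b > 0x7E})
    if junk:
        reasons.append("non-printable bytes in job name: " + ", ".join("0x%02X" % b for b in junk))
    # Trait 2: control.exe used as the task application to run a .cpl file.
    app_base = ntpath.basename(task.application).lower()
    params = task.parameters.lower()
    if app_base == "control.exe" and params.endswith(".cpl"):
        reasons.append("control.exe used to launch a .cpl from a scheduled task")
        # Trait 2b: the .cpl lives in the user profile instead of a system directory.
        if params.startswith("%appdata%\\") or "\\appdata\\" in params:
            reasons.append(".cpl is stored under the user profile, not a system directory")
    # Trait 3: the task is hidden from the Task Scheduler UI.
    if task.hidden:
        reasons.append("task is marked hidden")
    return reasons


def hunt(tasks):
    """Map each flagged task's escaped name to its findings."""
    report = {}
    for task in tasks:
        findings = task_findings(task)
        if findings:
            report[task.job_name.decode("ascii", "backslashreplace")] = findings
    return report


# Constructed inventory: two benign tasks and one shaped like the persistence described above.
SAMPLE_TASKS = [
    TaskRecord(b"Nightly Backup.job", r"C:\Windows\System32\wbadmin.exe", "start backup -quiet", False),
    TaskRecord(b"BackgroundUploadTask\x9d\xa0\x9d.job", r"%windir%\System32\control.exe",
               r"%appdata%\Intel\logs\BackgroundUploadTask.cpl", True),
    TaskRecord(b"Disk Cleanup.job", r"%windir%\System32\cleanmgr.exe", "/sagerun:1", False),
]

if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_TASKS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Each trait on its own is weak (hidden tasks and control.exe launches both occur legitimately), which is why the function returns the full list of reasons rather than a verdict: a task collecting three or four of them at once is the shape worth escalating.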
Backdoor configuration file
The backdoor's configuration is encrypted and embedded in its resources. The configuration file structure is similar to the previous one.

Figure 14. Backdoor configuration structure (KaitaiStruct Visualizer)
Although the structure is similar, the values of many fields have been updated compared to the data given earlier.
The first element of the binary array contains a DLL (HttpProv.dll, MD5: 2559738D1BD4A999126F900C7357B759), but since the export name was removed from the binary, the hashes do not match.
Further research
While collecting samples, we noticed several patterns. The samples just described appeared around July 2018, while others like them appeared more recently, from mid-January to early February 2019. The infection vector used is an SFX archive that drops a legitimate decoy document and a malicious OCX file.
Although OceanLotus uses fake timestamps, we noticed that the timestamps of the SFX and OCX files are always the same (0x57B0C36A (08/14/2016 @ 7:15pm UTC) and 0x498BE80F (02/06/2009 @ 7:34am UTC) respectively). This probably indicates that the authors have some kind of "constructor" that uses the same templates and only changes a few features.
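The identical SFX/OCX timestamps are a useful hunting pivot on their own. As an added example (not the article's code), the Python below converts the two values quoted above and groups a constructed sample inventory by its timestamp pair, so that a pair repeated across distinct samples stands out as a builder artifact rather than a genuine build time. The sample identifiers are placeholders; only the two timestamp values come from the text.

```python
"""Pivoting on constant build timestamps (added example, not ESET's tooling)."""
from collections import defaultdict
from datetime import datetime, timezone


def epoch_to_utc(ts):
    """Render a 32-bit Unix timestamp in the MM/DD/YYYY HH:MM UTC form used in the text."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%m/%d/%Y %H:%M UTC")


def builder_clusters(samples, min_size=2):
    """Group samples by their (SFX, OCX) timestamp pair and keep the pairs that recur.

    A pair shared by several otherwise distinct samples points at a shared
    builder template, which is the inference the text draws from these values.
    """
    groups = defaultdict(list)
    for sample in samples:
        groups[(sample["sfx_ts"], sample["ocx_ts"])].append(sample["id"])
    return {pair: ids for pair, ids in groups.items() if len(ids) >= min_size}


# Constructed inventory: placeholder ids; the first pair is the one reported above.
SAMPLES = [
    {"id": "sfx-sample-01", "sfx_ts": 0x57B0C36A, "ocx_ts": 0x498BE80F},
    {"id": "sfx-sample-02", "sfx_ts": 0x57B0C36A, "ocx_ts": 0x498BE80F},
    {"id": "sfx-sample-03", "sfx_ts": 0x57B0C36A, "ocx_ts": 0x498BE80F},
    {"id": "unrelated-01", "sfx_ts": 0x5C3F0000, "ocx_ts": 0x5C3F0100},
]

if __name__ == "__main__":
    for (sfx_ts, ocx_ts), ids in builder_clusters(SAMPLES).items():
        print("SFX %s / OCX %s shared by %s" % (epoch_to_utc(sfx_ts), epoch_to_utc(ocx_ts), ids))
```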
Among the documents we have examined since the beginning of 2018, there are various names indicating the countries of interest to the attackers:
- New Contact Information Of Cambodia Media (New).xls.exe
- 李建香 (个人简历).exe (fake PDF document of a CV)
- feedback, Rally in USA from July 28-29, 2018.exe
Since the discovery of the backdoor {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll and the publication of its analysis by several researchers, we have noticed some changes in the malware's configuration data.
First, the authors began removing the names of the helper DLLs (DNSprov.dll and two versions of HttpProv.dll). Then the operators stopped packing the third DLL (the second version of HttpProv.dll), choosing to embed only one.
Second, many backdoor configuration fields were changed, probably to evade detection as many IoCs became available. The important fields modified by the authors include the following:
- the AppX registry key was changed (see the IoCs)
- the mutex encoding string ("def", "abc", "ghi")
- the port number
Finally, every new version analyzed has new C&Cs, listed in the IoCs section.
Conclusions
OceanLotus continues to evolve. The cybercrime group focuses on refining and expanding its toolset and decoys. The authors mask malicious payloads with documents on topics relevant to the victims. They develop new schemes and use publicly available tools, such as the Equation Editor exploit. Moreover, they improve their tools to reduce the number of artifacts left on victim machines, thereby lowering the chance of detection by antivirus software.
Indicators of compromise
Indicators of compromise and MITRE ATT&CK techniques are available.
Source: www.hab.com
