In this post we will tell you how the OceanLotus cyber group (APT32 and APT-C-00) recently used one of the publicly available exploits for
OceanLotus specializes in cyber espionage, and its priority targets are the countries of Southeast Asia. The attackers craft documents that attract the attention of potential victims in order to persuade them to execute the backdoor, and they keep developing their tools. The methods used to create the decoys vary between attacks, ranging from "double-extension" files, self-extracting archives and documents with macros to known exploits.
Using the Microsoft Equation Editor exploit
In mid-2018, OceanLotus ran a campaign exploiting the CVE-2017-11882 vulnerability. One of the cyber group's malicious documents was analyzed by specialists at the 360 Threat Intelligence Center.
First stage
The document FW Report on demonstration of former CNRP in Republic of Korea.doc (SHA-1: D1357B284C951470066AAA7A8228190B88A5C7C3) is similar to the one discussed in the study mentioned above. It is interesting because it targets users interested in Cambodian politics (CNRP, the Cambodia National Rescue Party, dissolved at the end of 2017). Despite the .doc extension, the document is in RTF format (see the figure below), contains junk code, and is also malformed.
Figure 1. "Garbage" in the RTF
Despite the corrupted parts, Word opens this RTF file successfully. As you can see in Figure 2, there is an EQNOLEFILEHDR structure at offset 0xC00, followed by an MTEF header and then an MTEF entry (Figure 3) for a font.
Figure 2. FONT entry values
Figure 3.
An overflow can occur in the name field, because its size is not checked before it is copied. An overly long name triggers the vulnerability. As you can see from the contents of the RTF file (offset 0xC26 in Figure 2), the buffer is filled with shellcode followed by a dummy instruction (0x90) and the return address 0x402114. The address is part of a dialog in EQNEDT32.exe that points to a RET instruction. This causes EIP to point to the beginning of the name field containing the shellcode.
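As an added defensive example (not code from the original article), here is a heuristic Python check that locates an EQNOLEFILEHDR in an already-extracted Equation Editor object stream (the RTF's hex-encoded \objdata decoded beforehand) and flags a FONT record whose name is long enough to overrun the unchecked copy buffer described above. It assumes the standard 28-byte EQNOLEFILEHDR, the 5-byte MTEF header, a FONT record tag of 0x08, and a length threshold FONT_NAME_LIMIT chosen here as an assumption; the sample bytes are constructed and inert.

```python
import struct

# EQNOLEFILEHDR begins with cbHdr = 0x1C and version = 0x00020000.
EQN_SIG = struct.pack("<HI", 0x1C, 0x00020000)
EQN_HDR_LEN = 0x1C          # sizeof(EQNOLEFILEHDR)
MTEF_HDR_LEN = 5            # MTEF version, platform, product, version, subversion
FONT_TAG = 0x08             # MTEF FONT record: tag, typeface, style, NUL-terminated name
FONT_NAME_LIMIT = 0x24      # ASSUMPTION: no legitimate font name is this long


def find_font_name(blob: bytes):
    """Return (offset, length) of the first FONT record name after the
    EQNOLEFILEHDR, or None if no Equation Editor object is present.
    Heuristic: the FONT tag is searched in the first bytes after the MTEF
    header instead of walking every MTEF record type."""
    hdr = blob.find(EQN_SIG)
    if hdr < 0:
        return None
    records = hdr + EQN_HDR_LEN + MTEF_HDR_LEN
    tag = blob.find(bytes([FONT_TAG]), records, records + 8)
    if tag < 0:
        return None
    name_start = tag + 3                      # skip tag, typeface, style
    name_end = blob.find(b"\x00", name_start)
    if name_end < 0:
        name_end = len(blob)                  # unterminated: rest of stream is the name
    return name_start, name_end - name_start


def is_suspicious_equation_object(blob: bytes) -> bool:
    """True when the FONT name is long enough to overrun the copy buffer."""
    found = find_font_name(blob)
    return found is not None and found[1] >= FONT_NAME_LIMIT


def _build_sample(font_name: bytes) -> bytes:
    """Constructed sample: padding, then EQNOLEFILEHDR, MTEF header, FONT record."""
    eqn_hdr = EQN_SIG + struct.pack("<HI", 0, 0) + b"\x00" * 16   # cf, cbObject, reserved[4]
    mtef_hdr = b"\x03\x01\x01\x03\x0a"
    font_rec = bytes([FONT_TAG, 0x5A, 0x5A]) + font_name + b"\x00"
    return b"\x00" * 0x100 + eqn_hdr + mtef_hdr + font_rec


BENIGN_SAMPLE = _build_sample(b"Times New Roman")
# Overlong name: filler followed by four bytes where a return address would sit (inert).
OVERFLOW_SAMPLE = _build_sample(b"A" * 40 + b"BBBB")
```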
Figure 4. Start of the exploit shellcode
Address 0x45BD3C stores a variable that is dereferenced until it reaches a pointer to the currently loaded MTEFData structure. The rest of the shellcode is located there.
The purpose of the shellcode is to execute the second piece of shellcode embedded in the open document. The first shellcode tries to find the file handle of the open document by iterating over all system handles (NtQuerySystemInformation with the SystemExtendedHandleInformation argument) and checking whether the handle's PID matches the PID of the WinWord process and whether the document was opened with the access mask 0x12019F.
To verify that the correct handle was found (and not the handle of some other open document), the file contents are mapped using the CreateFileMapping function, and the shellcode checks whether the last four bytes of the document match "yyyy" (the egg-hunting technique). Once a match is found, the document is copied to the temporary folder (GetTempPath) as ole.dll. Then the last 12 bytes of the document are read.
Figure 5. End-of-document markers
The 32-bit value between the markers AABBCCDD and yyyy is the offset of the next shellcode. It is invoked using the CreateThread function. This extracts the same shellcode that the OceanLotus group used earlier.
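As an added detection example (not code from the original article): a Python triage check for the end-of-document marker layout described above, [AA BB CC DD][32-bit offset][yyyy]. The raw-byte encoding of AABBCCDD and the little-endian offset are assumptions inferred from the 12-byte read; the sample documents are constructed.

```python
import struct

# Trailer layout inferred from the text: [AA BB CC DD][u32 stage-2 offset][yyyy].
# ASSUMPTION: AABBCCDD is stored as four raw bytes (which is what makes the
# trailer 12 bytes long) and the offset is little-endian, as on x86.
MARKER_HEAD = bytes.fromhex("AABBCCDD")
MARKER_TAIL = b"yyyy"
TRAILER_LEN = 12


def parse_egg_trailer(doc: bytes):
    """Return the 32-bit second-stage offset if the document ends with the
    egg-hunt trailer, otherwise None (no trailer, or only a partial match)."""
    if len(doc) < TRAILER_LEN or doc[-4:] != MARKER_TAIL:
        return None
    trailer = doc[-TRAILER_LEN:]
    if trailer[:4] != MARKER_HEAD:
        return None
    return struct.unpack("<I", trailer[4:8])[0]


def check_document(doc: bytes) -> dict:
    """Triage verdict: flag the trailer and report whether the offset it
    carries actually falls inside the file (a plausible embedded stage)."""
    offset = parse_egg_trailer(doc)
    if offset is None:
        return {"egg_trailer": False}
    return {"egg_trailer": True, "stage2_offset": offset,
            "offset_in_file": offset < len(doc) - TRAILER_LEN}


# Constructed samples (no real malware): a plain RTF and one carrying the trailer.
BENIGN_DOC = b"{\\rtf1\\ansi Quarterly report}" + b"\x00" * 64
_STAGE2_OFFSET = 0x40
MARKED_DOC = (b"{\\rtf1\\ansi junk}" + b"\x00" * (_STAGE2_OFFSET - 17)
              + b"STAGE2-PLACEHOLDER" + b"\x00" * 32
              + MARKER_HEAD + struct.pack("<I", _STAGE2_OFFSET) + MARKER_TAIL)
# A file that merely ends in "yyyy" without the head marker must not be flagged.
PARTIAL_DOC = b"x" * 20 + MARKER_TAIL
```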
Second stage
Extracting the components
File and directory names are chosen dynamically. The code randomly picks the name of an executable or DLL in C:\Windows\system32. It then queries that file's resources and retrieves the FileDescription field to use as the folder name. If this does not work, the code picks a folder name from the %ProgramFiles% or C:\Windows directories (from GetWindowsDirectoryW). It avoids any name that could collide with existing files and makes sure it does not contain the following words: windows, Microsoft, desktop, system, system32 or syswow64. If the directory already exists, "NLS_{6 characters}" is appended to the name.
Resource 0x102 is parsed and the files are dropped into %ProgramFiles% or %AppData%, in the randomly chosen subfolder. The creation times are changed to the same values as those of kernel32.dll.
For example, here are the folder and the list of files created when the executable C:\Windows\system32\TCPSVCS.exe is selected as the data source.
Figure 6. Extracting the various components
The structure of resource 0x102 in the dropper is quite complex. In short, it contains:
- the file names
- the file sizes and contents
- the compression format (COMPRESSION_FORMAT_LZNT1, used by the RtlDecompressBuffer function)
The first file is dropped as TCPSVCS.exe, which is the legitimate AcroTranscoder.exe (according to FileDescription, SHA-1: 2896738693A8F36CC7AD83EF1FA46F82F32BE5A3).
You may have noticed that some of the DLL files are larger than 11 MB. This is because a large contiguous buffer of random data is placed inside the executable. It is possible that this is a way to evade detection by some security products.
Ensuring persistence
Resource 0x101 in the dropper contains two 32-bit integers that define how persistence should be established. The value of the first one indicates how the malware will persist without administrator rights.
Table 1. Persistence mechanism without administrator rights
The value of the second integer specifies how the malware should achieve persistence when running with administrator rights.
Table 2. Persistence mechanism with administrator rights
The service name is the file name without the extension; the display name is the folder name, but if it already exists, the string "Revision 1" is appended to it (the number is incremented until an unused name is found). The operators made sure that persistence through the service is robust: if it fails, the service is to be restarted after one minute. Then the WOW64 value of the new service's registry key is set to 4, indicating that it is a 32-bit service.
The scheduled task is created through several COM interfaces: ITaskScheduler, ITask, ITaskTrigger, IPersistFile and ITaskScheduler. Essentially, the malware creates a hidden task, sets the account information to that of the current user or administrator, and then sets the trigger.
It is a daily task with a duration of 24 hours and an interval of 10 minutes between two executions, which means it runs continuously.
The malicious component
In our example, the executable TCPSVCS.exe (AcroTranscoder.exe) is legitimate software that loads the DLLs dropped alongside it. In this case, Flash Video Extension.dll is of interest.
Its DLLMain function calls just one other function. Some opaque predicates are present:
Figure 7. Opaque predicates
After these misleading checks, the code obtains the .text section of the TCPSVCS.exe file, changes its protection to PAGE_EXECUTE_READWRITE and overwrites it by adding dummy instructions:
Figure 8. Instruction sequence
At the end, a CALL instruction to the address of the function FLVCore::Uninitialize(void), exported by Flash Video Extension.dll, is added. This means that after the malicious DLL is loaded, when the runtime calls WinMain in TCPSVCS.exe, the instruction pointer points to a NOP, which leads to FLVCore::Uninitialize(void), the next stage.
The function simply creates a mutex starting with {181C8480-A975-411C-AB0A-630DB8B0A221} followed by the current user name. It then reads the dropped *.db3 file, which contains position-independent code, and uses CreateThread to execute its contents.
The contents of the *.db3 file are shellcode that the OceanLotus group commonly uses. We also successfully unpacked its payload using the emulator script we published
The script extracts the final stage. This component is the backdoor that we have already analyzed in the {A96B020F-0000-466F-A96D-A91BBF8EAC96} binary file. The malware configuration is still encrypted in the PE resource. It has roughly the same configuration, but the C&C servers differ from the previous ones:
- andreagahuvrauvin[.]com
- byronorenstein[.]com
- stienollmache[.]xyz
The OceanLotus group also demonstrates a combination of different detection-evasion techniques. They came back with a "polished" picture of the infection process. By choosing random names and padding executables with random data, they reduce the number of reliable IoCs (those based on hashes and file names). Moreover, thanks to the use of third-party DLL loading, the attackers only need to remove the legitimate AcroTranscoder binary.
Self-extracting archives
After the RTF files, the group moved on to self-extracting (SFX) archives with common document icons to confuse the user even further. Threatbook wrote about this ({A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll). Since mid-January 2019, OceanLotus has been reusing this technique, but changing some of the configuration over time. In this section we cover the technique and the changes.
Creating the decoy
The document THICH-THONG-LAC-HANH-THAP-THIEN-VIET-NAM (1).EXE (SHA-1: AC10F5B1D5ECAB22B7B418D6E98FA18E32BBDEAB) was first discovered in 2018. This SFX file is cleverly crafted: its description (Version Info) says that it is a JPEG image. The SFX script looks like this:
Figure 9. SFX commands
The malware drops {9ec60ada-a200-4159-b310-8071892ed0c3}.ocx (SHA-1: EFAC23B0E6395B1178BCF7086F72344B24C04DCC), together with the image 2018 thich thong lac.jpg.
The decoy image looks like this:
Figure 10. Decoy image
You may have noticed that the first two lines of the SFX script call the OCX file twice, but this is not a mistake.
{9ec60ada-a200-4159-b310-8071892ed0c3}.ocx (ShLd.dll)
The control flow of the OCX file is very similar to other OceanLotus components: many sequences of JZ/JNZ and PUSH/RET instructions, interleaved with junk code.
Figure 11. Obfuscated code
After filtering out the junk code, the DllRegisterServer export, which is called by regsvr32.exe, looks like this:
Figure 12. Main installer code
Essentially, on the first call, the DllRegisterServer export sets the registry value HKCU\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model to the encrypted offset in the DLL (0x10001DE0).
When the function is called a second time, it reads that same value and executes at that address. From this point on, the resource and many further actions are read and executed in RAM.
The shellcode is the same PE loader used in previous OceanLotus campaigns. It can be emulated using db293b825dcc419ba7dc2c49fa2757ee.dll, loading it into memory and then executing DllEntry.
The DLL extracts the contents of its resource, decrypts it (AES-256-CBC) and decompresses it (LZMA). The resource has a specific format that is easy to parse.
Figure 13. Installer configuration structure (KaitaiStruct Visualizer)
The configuration is defined explicitly: depending on the privilege level, the binary data is written to %appdata%\Intel\logs\BackgroundUploadTask.cpl or %windir%\System32\BackgroundUploadTask.cpl (or SysWOW64 on 64-bit systems).
Further persistence is ensured by creating a task named BackgroundUploadTask[junk].job, where [junk] is a set of the bytes 0x9D and 0xA0.
The task's application name is %windir%\System32\control.exe, and the parameter value is the path to the dropped binary file. The hidden task runs every day.
Structurally, the CPL file is a DLL with the internal name ac8e06de0a6c4483af9837d96504127e.dll, which exports the CPlApplet function. This file decrypts its only resource, {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll, then loads this DLL and calls its only export, DllEntry.
Backdoor configuration file
The backdoor configuration is encrypted and embedded in its resources. The structure of the configuration file is very similar to the previous one.
Figure 14. Backdoor configuration structure (KaitaiStruct Visualizer)
Although the structure is similar, many of the field values have been updated from those shown in
The first element of the binary array contains a DLL (HttpProv.dll, MD5: 2559738D1BD4A999126F900C7357B759),
Further research
While collecting samples, we noticed some other characteristics. The sample just described appeared around July 2018, and other similar ones appeared as recently as mid-January to early February 2019. The SFX archive was used as the infection vector, dropping a legitimate decoy document and a malicious OCX file.
Although OceanLotus uses fake timestamps, we noticed that the timestamps of the SFX and OCX files are always the same (0x57B0C36A (08/14/2016 @ 7:15pm UTC) and 0x498BE80F (02/06/2009 @ 7:34am UTC) respectively). This probably indicates that the authors have some kind of "builder" that uses the same templates and only changes certain characteristics.
Among the documents we have studied since early 2018, there are various names that indicate the countries of interest to the attackers:
- The New Contact Information Of Cambodia Media(New).xls.exe
- 李建香 (个人简历).exe (fake CV document)
- feedback, Rally in USA from July 28-29, 2018.exe
Since the backdoor {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll was discovered and its analysis published by several researchers, we have observed some changes in the malware's data.
First, the authors started stripping the names from the helper DLLs (DNSprov.dll and two versions of HttpProv.dll). The operators then stopped packing the third DLL (the second version of HttpProv.dll), choosing to embed only one.
Second, many fields of the backdoor configuration were changed, probably to evade detection as more IoCs become available. The important fields modified by the authors include:
- the AppX registry key (see the IoCs)
- the mutex encoding string ("def", "abc", "ghi")
- the port number
Finally, all of the new versions analyzed have new C&Cs, which are listed in the IoCs section.
Conclusions
OceanLotus continues to evolve. The cyber group is focused on refining and expanding its tools and tricks. The authors hide malicious payloads behind eye-catching documents whose subject matter is relevant to the intended victims. They devise new schemes and also use publicly available tools, such as the Equation Editor exploit. In addition, they keep improving their tools to reduce the number of artifacts left on victims' machines, thereby lowering the chance of detection by antivirus software.
Indicators of compromise
Indicators of compromise along with MITRE ATT&CK attributes are available
Source: www.habr.com