In this post we describe how the OceanLotus cyber group (APT32 and APT-C-00) has recently been using one of the publicly available
OceanLotus focuses mainly on cyber espionage; its priority targets are countries in Southeast Asia. The attackers craft fake documents that attract the attention of potential victims to convince them to execute a backdoor, and they also keep working on their tools. The methods used to create decoys vary from attack to attack: "double extension" files, self-extracting archives, documents with macros, and known exploits.
Using a Microsoft Equation Editor exploit
In mid-2018, OceanLotus ran a campaign exploiting the CVE-2017-11882 vulnerability. Some of the cyber group's malicious documents were analyzed by experts at the 360 Threat Intelligence Center.
Stage one
The document FW Report on demonstration of former CNRP in Republic of Korea.doc (SHA-1: D1357B284C951470066AAA7A8228190B88A5C7C3) is similar to the one mentioned in the study above. It is interesting because it targets users interested in Cambodian politics (CNRP, the Cambodia National Rescue Party, dissolved at the end of 2017). Despite the .doc extension, the document is in RTF format (see the figure below), contains junk code, and is also obfuscated.
Figure 1. "Junk" in the RTF
Despite the junk, Word opens this RTF file successfully. As you can see in Figure 2, there is an EQNOLEFILEHDR structure at offset 0xC00, followed by an MTEF header and then an MTEF entry (Figure 3) for the font.
Figure 2. FONT entry values
Figure 3.
An overflow is possible in the Name field because its size is not checked before it is copied. An overly long name triggers the vulnerability. As you can see from the contents of the RTF file (offset 0xC26 in Figure 2), the buffer is filled with shellcode followed by a dummy instruction (0x90) and the return address 0x402114. The address is part of EQNEDT32.exe and points to a RET instruction. This makes EIP point to the beginning of the Name field, which contains the shellcode.
Figure 4. Start of the exploit shellcode
Address 0x45BD3C stores a variable that is dereferenced until it reaches a pointer to the currently loaded MTEFData structure. The rest of the shellcode is there.
The purpose of this shellcode is to execute a second piece of shellcode embedded in the opened document. The initial shellcode first tries to find the file descriptor of the opened document by iterating over all system handles (NtQuerySystemInformation with the SystemExtendedHandleInformation argument) and checking whether the handle's PID matches the PID of the WinWord process and whether the document was opened with the access mask 0x12019F.
To confirm that the right handle was found (and not a handle to another open document), the file contents are mapped with the CreateFileMapping function, and the shellcode checks whether the last four bytes of the document match "yyyy" (an egg-hunting technique). Once the match is found, the document is copied to the temporary folder (GetTempPath) as ole.dll. Then the last 12 bytes of the document are read.
Figure 5. Document end markers
The 32-bit value between the AABBCCDD and yyyy markers is the offset of the next shellcode. It is invoked using the CreateThread function. The extracted shellcode is the same one the OceanLotus group used previously.
Stage two
Dropping the components
File and directory names are chosen dynamically. The code randomly picks the name of an executable or DLL in C:\Windows\system32. It then queries that file's resources and takes the FileDescription field to use as the directory name. If that fails, the code randomly picks a directory name from the listing of %ProgramFiles% or C:\Windows (from GetWindowsDirectoryW). It avoids names that could clash with existing files and makes sure the name does not contain any of the following words: windows, Microsoft, desktop, system, system32 or syswow64. If the directory already exists, "NLS_{6 characters}" is appended to the name.
Resource 0x102 is parsed and the files are dropped into %ProgramFiles% or %AppData%, in the randomly chosen directory. The creation time is changed to match that of kernel32.dll.
For example, here is the directory and the list of files created when the executable C:\Windows\system32\TCPSVCS.exe was selected as the data source.
Figure 6. Dropping the various components
The structure of resource 0x102 in the dropper is complex. In short, it contains:
- the file names
- the file sizes and contents
- the compression format (COMPRESSION_FORMAT_LZNT1, used by the RtlDecompressBuffer function)
The first file is dropped as TCPSVCS.exe; it is the legitimate AcroTranscoder.exe (according to its FileDescription, SHA-1: 2896738693A8F36CC7AD83EF1FA46F82F32BE5A3).
You may have noticed that some of the DLL files are larger than 11 MB. This is because a large buffer of random data is placed inside the executable. This is probably a way to evade detection by some security products.
Ensuring persistence
Resource 0x101 in the dropper contains two 32-bit integers that specify how persistence should be achieved. The first value specifies how the malware persists without administrator privileges.
Table 1. Persistence mechanism without administrator privileges
The second integer value specifies how the malware should achieve persistence when running with administrator privileges.
Table 2. Persistence mechanism with administrator privileges
The service name is the file name without its extension; the display name is the directory name, but if it already exists, the string " Revision 1" is appended (the number is incremented until an unused name is found). The operators made sure that persistence through the service is robust: in the event of a failure, the service must be restarted after 1 second. Then the WOW64 value of the new service's registry key is set to 4, indicating that it is a 32-bit service.
The scheduled task is created through several COM interfaces: ITaskScheduler, ITask, ITaskTrigger, IPersistFile and ITaskScheduler. Essentially, the malware creates a hidden task, sets the account information to the current user's or the administrator's, and then sets the trigger. This is a daily task with a duration of 24 hours and an interval of 10 minutes between two executions, which means it runs continuously.
The malicious part
In our example, the executable TCPSVCS.exe (AcroTranscoder.exe) is legitimate software that loads the DLLs dropped alongside it. In this case, Flash Video Extension.dll is the interesting one.
Its DLLMain function simply calls another function. Some opaque predicates are present:
Figure 7. Opaque predicates
After these misleading checks, the code locates the .text section of the TCPSVCS.exe file, changes its protection to PAGE_EXECUTE_READWRITE and overwrites it by adding dummy instructions:
Figure 8. Instruction sequence
At the end, a CALL to the address of the function FLVCore::Uninitialize(void), exported by Flash Video Extension.dll, is appended. This means that after the malicious DLL is loaded, when the runtime calls WinMain in TCPSVCS.exe, the instruction pointer will land on a NOP, which leads to FLVCore::Uninitialize(void), the next stage.
The function simply creates a mutex beginning with {181C8480-A975-411C-AB0A-630DB8B0A221} followed by the current user name. It then reads the dropped *.db3 file, which contains position-independent code, and uses CreateThread to execute its contents.
The contents of the *.db3 file are the shellcode typically used by the OceanLotus group. We also successfully unpacked its payload using the emulator script we published.
The script extracts the final stage. This component is a backdoor we have already analyzed, the {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll binary. The malware's configuration is still encrypted in the PE resource. It has roughly the same configuration, but the C&C servers differ from the previous ones:
- andreagahuvrauvin[.]com
- byronorenstein[.]com
- stienollmache[.]xyz
The OceanLotus team once again shows a combination of different techniques to evade detection. They came back with a "refined" infection process. By choosing random names and padding the executables with random data, they reduce the number of reliable IoCs (based on hashes and file names). Moreover, thanks to third-party DLL loading, the attackers only need to remove the legitimate AcroTranscoder binary.
Self-extracting archives
After the RTF files, the group moved on to self-extracting (SFX) archives with common document icons to further confuse the user. Threatbook has written about this ({A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll). Since mid-January 2019, OceanLotus has been reusing this technique while changing some of the configuration over time. In this section we discuss the techniques and the changes.
Creating the lure
The document THICH-THONG-LAC-HANH-THAP-THIEN-VIET-NAM (1).EXE (SHA-1: AC10F5B1D5ECAB22B7B418D6E98FA18E32BBDEAB) was first detected in 2018. This SFX file was built with some cunning: its description (Version Info) claims that it is a JPEG image. The SFX script looks like this:
Figure 9. SFX commands
The malware drops {9ec60ada-a200-4159-b310-8071892ed0c3}.ocx (SHA-1: EFAC23B0E6395B1178BCF7086F72344B24C04DCC), along with the image 2018 thich thong lac.jpg.
The decoy image looks like this:
Figure 10. Decoy image
You may have noticed that the first two lines of the SFX script call the OCX file twice, but this is not a mistake.
{9ec60ada-a200-4159-b310-8071892ed0c3}.ocx (ShLd.dll)
The control flow of the OCX file is very similar to that of other OceanLotus components: many sequences of JZ/JNZ and PUSH/RET instructions, interleaved with junk code.
Figure 11. Obfuscated code
After filtering out the junk code, the DllRegisterServer export, called by regsvr32.exe, looks as follows:
Figure 12. Main installer code
Basically, on the first call of the DllRegisterServer export, it sets the registry value HKCU\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model to an encrypted offset in the DLL (0x10001DE0).
When the function is called a second time, it reads that same value and executes at that address. From there the resource is read and many actions are carried out in RAM.
The shellcode is the same PE loader used in previous OceanLotus campaigns. It can be emulated using db293b825dcc419ba7dc2c49fa2757ee.dll, loading it into memory and executing DllEntry.
The DLL extracts the contents of its resource, decrypts it (AES-256-CBC) and decompresses it (LZMA). The resource has a specific format that is easy to parse.
Figure 13. Installer configuration structure (KaitaiStruct Visualizer)
The configuration is explicit: depending on the privilege level, the binary data is written to %appdata%\Intel\logs\BackgroundUploadTask.cpl or %windir%\System32\BackgroundUploadTask.cpl (or SysWOW64 on 64-bit systems).
Further persistence is ensured by creating a task named BackgroundUploadTask[junk].job, where [junk] represents a set of bytes 0x9D and 0xA0.
The task's application name is %windir%\System32\control.exe, and the parameter value is the path to the dropped binary. The hidden task runs every day.
Structurally, the CPL file is a DLL with the internal name ac8e06de0a6c4483af9837d96504127e.dll that exports the function CPlApplet. This file decrypts its only resource, {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll, then loads that DLL and calls its only export, DllEntry.
Backdoor configuration file
The backdoor configuration is encrypted and embedded in its resources. The structure of the configuration file is very similar to the previous one.
Figure 14. Backdoor configuration structure (KaitaiStruct Visualizer)
Although the structure is similar, many of the field values have been updated from those shown in
The first element of the binary array contains a DLL (HttpProv.dll, MD5: 2559738D1BD4A999126F900C7357B759),
Further research
While collecting samples, we noticed some characteristics. The sample just described appeared in July 2018, and others like it appeared as recently as mid-January to early February 2019. The SFX archive was used as the infection vector, dropping a legitimate decoy document and a malicious OCX file.
Although OceanLotus uses fake timestamps, we noticed that the SFX and OCX timestamps are always the same (0x57B0C36A (08/14/2016 @ 7:15pm UTC) and 0x498BE80F (02/06/2009 @ 7:34am UTC) respectively). This most likely indicates that the authors have some kind of "builder" that uses the same templates and only changes certain characteristics.
Among the documents we have studied since early 2018, there are various names that indicate the countries of interest to the attackers:
- New Contact Information of Cambodia Media(New).xls.exe
- 李建香 (个人简历).exe (a fake PDF CV document)
- feedback, Rally in USA from July 28-29, 2018.exe
Since the discovery of the {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll backdoor and the publication of its analysis by several researchers, we have observed some changes in the malware's configuration data.
First, the authors started removing the names from the helper DLLs (DNSprov.dll and two versions of HttpProv.dll). The operators then stopped packing the third DLL (the second version of HttpProv.dll), choosing to embed only one.
Second, many fields of the backdoor configuration were changed, probably to evade detection as many IoCs became available. The important fields modified by the authors include:
- the AppX registry key (see the IoCs)
- the mutex encoding string ("def", "abc", "ghi")
- the port number
Finally, all the new versions analyzed have new C&Cs, listed in the IoCs section.
Conclusions
OceanLotus continues to evolve. The cyber group focuses on refining and expanding its tools and decoys. The authors hide malicious payloads behind eye-catching documents whose subject matter is relevant to the intended victims. They develop new schemes and use publicly available tools, such as the Equation Editor exploit. In addition, they improve their tools to reduce the number of artifacts left on victims' machines, thereby reducing the chance of detection by antivirus software.
Indicators of compromise
Indicators of compromise and MITRE ATT&CK attributes are available.
Source: www.habr.com