ESET: New OceanLotus Cybergroup Backdoor Delivery Schemes

    In a post, we will describe how the OceanLotus cybergroup (APT32 and APT-C-00) recently used one of the public exploits for CVE-2017-11882 , the memory corruption vulnerability in Microsoft Office, and how the malware of the group provides persistence in compromised systems without leaving any traces . Next, we describe how, from the beginning of 2019, the group used self-extracting archives to run the code.

    OceanLotus specializes in cyber espionage, with priority goals in Southeast Asia. Attackers forge documents that attract the attention of potential victims in order to convince them to perform a backdoor, and also work on the development of tools. The methods used to create decoys vary in different attacks - from files with "double extension", self-extracting archives, documents with macros to well-known exploits.

    Using an exploit in Microsoft Equation Editor

    In mid-2018, OceanLotus launched a campaign using the CVE-2017-11882 vulnerability. One of the cybergroup's malicious documents was analyzed by 360 Threat Intelligence Center experts (a study in Chinese ), including a detailed description of the exploit. In the post below, an overview of such a malicious document.

    First stage

    The document FW Report on demonstration of former CNRP in Republic of Korea.doc(SHA-1:) is D1357B284C951470066AAA7A8228190B88A5C7C3similar to that mentioned in the study above. It is interesting in that it targets users interested in Cambodian politics (CNRP - Cambodia's National Salvation Party, dissolved at the end of 2017). Despite the extension .doc, the document has the RTF format (see the figure below), contains junk code, and is also distorted.

    Figure 1. Garbage in RTF

    Despite the presence of distorted elements, Word successfully opens this RTF file. As can be seen from Figure 2, here is the EQNOLEFILEHDR structure with an offset of 0xC00, followed by the MTEF header, and then the MTEF entry (Figure 3) for the font.

    Figure 2. The values ​​of the FONT record.

    Figure 3. The format of the FONT record.

    Overflow in the name field is possible.because its size is not checked before copying. Too long a name triggers a vulnerability. As can be seen from the contents of the RTF file (offset 0xC26 in Figure 2), the buffer is filled with shellcode, followed by a dummy command ( 0x90) and the return address 0x402114. An address is a dialog element in EQNEDT32.exeindicating an instruction RET. This causes EIP to point to the beginning of the name field containing the shellcode.

    Figure 4. The beginning of the exploit shellcode. The

    address 0x45BD3Cstores a variable that is dereferenced until it reaches the pointer to the currently loaded structure MTEFData. Here is the rest of the shellcode.

    The purpose of the shell code is to execute the second fragment of the shell code embedded in an open document. First, the original shellcode tries to find a file descriptor open document, going through all the descriptors of the system ( NtQuerySystemInformationthe argument SystemExtendedHandleInformation) and check whether the PID tag and PID of the process WinWordand whether the document is opened with a mask access - 0x12019F.

    To confirm the detection of the correct descriptor (and not the descriptor of another open document), the contents of the file are displayed using the function CreateFileMapping, and the shell code checks if the last four bytes of the document match " yyyy" (Egg Hunting method). As soon as a match is found, the document is copied to a temporary folder ( GetTempPath) asole.dll. Then the last 12 bytes of the document are read.

    Figure 5. End-of-document markers The

    32-bit value between the AABBCCDDand markers yyyyis the offset of the next shellcode. It is called using a function CreateThread. Extracted the same shellcode used by OceanLotus before. The Python emulation script we released in March 2018 still works to dump the second stage.

    Second phase

    Component Retrieval

    File and directory names are selected dynamically. The code randomly selects the name of the executable or .dll file in C:\Windows\system32. He then makes a request to his resources and retrieves the field FileDescriptionto use as the folder name. If this does not work, the code randomly selects the folder name from directories %ProgramFiles%or C:\Windows(from GetWindowsDirectoryW). It avoids the use of the name, which may conflict with an existing file, and ensures that it does not contain the following words: windows, Microsoft, desktop, system, system32or syswow64. If the directory already exists, "NLS_ {6 characters}" is added to the name.

    The resource is 0x102analyzed and the files are dumped in %ProgramFiles%or%AppData%to a folder selected at random. Creation time changed to have the same values ​​as y kernel32.dll.

    For example, here is a folder and a list of files created by selecting an executable file C:\Windows\system32\TCPSVCS.exeas a data source.

    Figure 6. Extraction of various components

    The resource structure 0x102in the dropper is quite complicated. In a nutshell, it contains:
    - File names - File
    size and content
    - Compression format ( COMPRESSION_FORMAT_LZNT1used by the function RtlDecompressBuffer)

    The first file is reset as TCPSVCS.exebeing legitimate AcroTranscoder.exe(according to FileDescriptionSHA-1:) 2896738693A8F36CC7AD83EF1FA46F82F32BE5A3.

    You may have noticed that some DLL files are larger than 11 MB. This is because a large contiguous buffer of random data is located inside the executable file. It is possible that this is a way to avoid detection by some security products.


    A resource 0x101in the dropper contains two 32-bit integers that determine how to ensure persistence. The value of the first indicates how the malware will maintain persistence without administrator rights.

    Table 1. Persistence mechanism without administrator rights

    The value of the second integer indicates how the malware should ensure persistence while working with administrator rights.

    Table 2. Persistence mechanism with administrator rights

    Service name - this is the name of the file without the extension; display name is the name of the folder, but if it already exists, the string “is added to it”Revision 1”(The number increases until an unused name is found). The operators made sure that the persistence through the service was stable - in the event of a failure, the service should be restarted after 1 second. Then, the value of the WOW64new service registry key is set to 4, which indicates that it is a 32-bit service.

    Scheduled task is created in a few COM interfaces: ITaskScheduler, ITask, ITaskTrigger, IPersistFileand ITaskScheduler. In essence, the malicious program creates a hidden task, sets account information along with information about the current user or administrator, and then sets the trigger.

    This is a daily task with a duration of 24 hours and intervals between two runs of 10 minutes, which means that it will be performed continuously.

    Malicious bit

    In our example, the executable TCPSVCS.exe( AcroTranscoder.exe) is legitimate software that loads the DLLs that are dumped with it. In this case, it is of interest Flash Video Extension.dll.

    Its function DLLMainsimply calls another function. Some fuzzy predicates are present:

    Figure 7. Fuzzy predicates

    After these misleading checks, the code receives the .textfile section TCPSVCS.exe, changes its protection to PAGE_EXECUTE_READWRITEand overwrites it by adding dummy instructions:

    Figure 8. Sequence of instructions

    At the end , the instruction is added to the address of the function FLVCore::Uninitialize(void)being exported . This means that after downloading a malicious DLL, when the runtime calls inFlash Video Extension.dllCALLWinMainTCPSVCS.exe, the instruction pointer will point to the NOP, resulting in the FLVCore::Uninitialize(void)next step.

    The function simply creates a mutex starting with {181C8480-A975-411C-AB0A-630DB8B0A221}followed by the current username. She then reads the dumped file with the * .db3 extension, which contains position-independent code, and uses it CreateThreadto execute the contents.

    The contents of the * .db3 file is the shellcode commonly used by the OceanLotus group. Once again, we successfully unpacked its payload using the emulator script that we published on GitHub .

    The script retrieves the final stage. This component is a backdoor that we already analyzed in a previous OceanLotus study . This can be determined by the GUID.{A96B020F-0000-466F-A96D-A91BBF8EAC96}binary file. The malware configuration is still encrypted in the PE resource. It has roughly the same configuration, but the C&C servers are different from the previous ones: the OceanLotus group again demonstrates a combination of different techniques to avoid detection. They returned with a “refined” outline of the infection process. By choosing random names and populating executable files with random data, they reduce the number of trusted IoCs (based on hashes and file names). Moreover, thanks to the use of third-party DLL loading, attackers only need to remove the legitimate binary .

    - andreagahuvrauvin[.]com
    - byronorenstein[.]com
    - stienollmache[.]xyz


    Self-extracting archives

    After RTF files, the group switched to self-extracting (SFX) archives with common document icons to further confuse the user. This was written by Threatbook ( link in Chinese ). After starting, self-extracting RAR files are dumped and DLLs with the extension .ocx are executed, the final payload of which was previously documented {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll. Since mid-January 2019, OceanLotus has reused this technique, but over time, some configurations have changed. In this section we will talk about technology and changes.

    Bait creation

    The document THICH-THONG-LAC-HANH-THAP-THIEN-VIET-NAM (1).EXE(SHA-1:) was AC10F5B1D5ECAB22B7B418D6E98FA18E32BBDEABfirst found in 2018. This SFX file was created wisely - the description ( Version Info ) says that this is a JPEG image. The SFX script looks like this:

    Figure 9. SFX commands The

    malware resets {9ec60ada-a200-4159-b310-8071892ed0c3}.ocx(SHA-1:) EFAC23B0E6395B1178BCF7086F72344B24C04DCC, as well as the 2018 thich thong lac.jpg.

    Picture-Bait picture as follows:

    Figure 10. Picture-Bait You

    may have noticed that the first two lines in the SFX script are twice cause the OSX file, but this is not an error.

    {9ec60ada-a200-4159-b310-8071892ed0c3} .ocx (ShLd.dll)

    The OSX file control flow is very similar to other OceanLotus components - there are many sequences of commands JZ/JNZand PUSH/RETalternating with junk code.

    Figure 11. Obfuscated code

    After filtering the garbage code, the export DllRegisterServerthat is called regsvr32.exelooks like this:

    Figure 12. The main installer code

    In fact, the first time the DllRegisterServerexport is called, it sets the registry value HKCU\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Modelfor the encrypted offset in DLL ( 0x10001DE0).

    When a function is called a second time, it reads the same value and runs at that address. From here, a resource is read and executed and many actions in RAM.

    The shellcode is the same PE loader used in previous OceanLotus campaigns. It can be emulated using our script . As a result, it resets db293b825dcc419ba7dc2c49fa2757ee.dll, loads it into memory, and executes DllEntry.

    The DLL extracts the contents of its resource, decrypts (AES-256-CBC) and unpacks (LZMA) it. The resource has a specific format that is easy to decompile.

    Figure 13. Installer configuration structure (KaitaiStruct Visualizer) The

    configuration is set explicitly - depending on the privilege level, binary data will be written to %appdata%\Intel\logs\BackgroundUploadTask.cplor %windir%\System32\BackgroundUploadTask.cpl(or SysWOW64for 64-bit systems).

    Further, persistence is provided by creating a task with a name BackgroundUploadTask[junk].job, where [junk]is a set of bytes0x9Dand 0xA0.

    The name of the task application %windir%\System32\control.exe, and the parameter value is the path to the uploaded binary file. The hidden task runs every day.

    Structurally, the CPL file is a DLL with an internal name ac8e06de0a6c4483af9837d96504127e.dllthat exports the function CPlApplet. This file decrypts its only resource {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll, then loads this DLL and calls its only export DllEntry.

    Backdoor configuration file

    The backdoor configuration is encrypted and embedded in its resources. The structure of the configuration file is very similar to the previous one.

    Figure 14. Backdoor configuration structure (KaitaiStruct Visualizer)

    Despite the similar structure, the values ​​of many fields were updated compared to the data presented in our old report .

    The first element of the array contains a binary DLL ( HttpProv.dllMD5: 2559738D1BD4A999126F900C7357B759), identified Tencent . But since the export name has been removed from the binary, the hashes do not match.

    Additional research

    Collecting samples, we drew attention to some characteristics. The sample just described appeared around July 2018, and others like it just recently, in mid-January - early February 2019. An SFX archive was used as an infection vector, dumping a legitimate bait document and a malicious OSX file.

    Despite the fact that OceanLotus uses fake timestamps, we noticed that the timestamps of SFX and OCX files are always the same ( 0x57B0C36A(08/14/2016 @ 7:15 pm UTC) and 0x498BE80F(02/06/2009 @ 7:34 am UTC) respectively ) This probably indicates that the authors have a certain “constructor” that uses the same templates and simply changes some characteristics.

    Among the documents that we have studied since the beginning of 2018, there are various names indicating the attacking countries of interest:

    - The New Contact Information Of Cambodia Media (New) .xls.exe
    - 李建 香 (个人 简历) .exe (fake pdf document of a CV)
    - feedback, Rally in USA from July 28-29, 2018.exe

    Since the discovery of the backdoor {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dlland the publication of its analysis by several researchers, we have observed some changes in the malware configuration data.

    First, authors began to remove names from auxiliary DLLs ( DNSprov.dlland two versions HttpProv.dll). Then the operators stopped packing the third DLL (second version HttpProv.dll), choosing to embed only one.

    Secondly, many backdoor configuration fields were changed, probably to avoid detection, as many IoCs became available. Among the important fields modified by the authors are the following:

    • AppX registry key changed (see IoCs)
    • mutex encoding string ("def", "abc", "ghi")
    • port number

    Finally, in all new analyzed versions, new C&Cs are listed in the IoCs section.


    OceanLotus continues to evolve. The cybergroup is focused on the refinement and expansion of tools and lures. Authors mask malicious payloads with the help of attention-grabbing documents that are relevant to alleged victims. They develop new designs and also use publicly available tools, such as the Equation Editor exploit. Moreover, they are perfecting tools to reduce the number of artifacts remaining on victims' machines, thereby reducing the chance of detection by antivirus software.

    Compromise indicators

    Compromise indicators as well as MITER ATT & CK attributes are available on Welivesecurity and on GitHub .

    Also popular now: