ESET: New OceanLotus Cybergroup Backdoor Delivery Schemes
In a post, we will describe how the OceanLotus cybergroup (APT32 and APT-C-00) recently used one of the public exploits for CVE-2017-11882 , the memory corruption vulnerability in Microsoft Office, and how the malware of the group provides persistence in compromised systems without leaving any traces . Next, we describe how, from the beginning of 2019, the group used self-extracting archives to run the code.
OceanLotus specializes in cyber espionage, with priority goals in Southeast Asia. Attackers forge documents that attract the attention of potential victims in order to convince them to perform a backdoor, and also work on the development of tools. The methods used to create decoys vary in different attacks - from files with "double extension", self-extracting archives, documents with macros to well-known exploits.
In mid-2018, OceanLotus launched a campaign using the CVE-2017-11882 vulnerability. One of the cybergroup's malicious documents was analyzed by 360 Threat Intelligence Center experts (a study in Chinese ), including a detailed description of the exploit. In the post below, an overview of such a malicious document.
The document
Figure 1. Garbage in RTF
Despite the presence of distorted elements, Word successfully opens this RTF file. As can be seen from Figure 2, here is the EQNOLEFILEHDR structure with an offset of 0xC00, followed by the MTEF header, and then the MTEF entry (Figure 3) for the font.
Figure 2. The values of the FONT record.
Figure 3. The format of the FONT record.
Overflow in the name field is possible.because its size is not checked before copying. Too long a name triggers a vulnerability. As can be seen from the contents of the RTF file (offset 0xC26 in Figure 2), the buffer is filled with shellcode, followed by a dummy command (
Figure 4. The beginning of the exploit shellcode. The
address
The purpose of the shell code is to execute the second fragment of the shell code embedded in an open document. First, the original shellcode tries to find a file descriptor open document, going through all the descriptors of the system (
To confirm the detection of the correct descriptor (and not the descriptor of another open document), the contents of the file are displayed using the function
Figure 5. End-of-document markers The
32-bit value between the
File and directory names are selected dynamically. The code randomly selects the name of the executable or .dll file in
The resource is
For example, here is a folder and a list of files created by selecting an executable file
Figure 6. Extraction of various components
The resource structure
- File names - File
size and content
- Compression format (
The first file is reset as
You may have noticed that some DLL files are larger than 11 MB. This is because a large contiguous buffer of random data is located inside the executable file. It is possible that this is a way to avoid detection by some security products.
A resource
Table 1. Persistence mechanism without administrator rights
The value of the second integer indicates how the malware should ensure persistence while working with administrator rights.
Table 2. Persistence mechanism with administrator rights
Service name - this is the name of the file without the extension; display name is the name of the folder, but if it already exists, the string “is added to it”
Scheduled task is created in a few COM interfaces:
This is a daily task with a duration of 24 hours and intervals between two runs of 10 minutes, which means that it will be performed continuously.
In our example, the executable
Its function
Figure 7. Fuzzy predicates
After these misleading checks, the code receives the
Figure 8. Sequence of instructions
At the end , the instruction is added to the address of the function
The function simply creates a mutex starting with
The contents of the * .db3 file is the shellcode commonly used by the OceanLotus group. Once again, we successfully unpacked its payload using the emulator script that we published on GitHub .
The script retrieves the final stage. This component is a backdoor that we already analyzed in a previous OceanLotus study . This can be determined by the GUID.
After RTF files, the group switched to self-extracting (SFX) archives with common document icons to further confuse the user. This was written by Threatbook ( link in Chinese ). After starting, self-extracting RAR files are dumped and DLLs with the extension .ocx are executed, the final payload of which was previously documented
The document
Figure 9. SFX commands The
malware resets
Picture-Bait picture as follows:
Figure 10. Picture-Bait You
may have noticed that the first two lines in the SFX script are twice cause the OSX file, but this is not an error.
The OSX file control flow is very similar to other OceanLotus components - there are many sequences of commands
Figure 11. Obfuscated code
After filtering the garbage code, the export
Figure 12. The main installer code
In fact, the first time the
When a function is called a second time, it reads the same value and runs at that address. From here, a resource is read and executed and many actions in RAM.
The shellcode is the same PE loader used in previous OceanLotus campaigns. It can be emulated using our script . As a result, it resets
The DLL extracts the contents of its resource, decrypts (AES-256-CBC) and unpacks (LZMA) it. The resource has a specific format that is easy to decompile.
Figure 13. Installer configuration structure (KaitaiStruct Visualizer) The
configuration is set explicitly - depending on the privilege level, binary data will be written to
Further, persistence is provided by creating a task with a name
The name of the task application
Structurally, the CPL file is a DLL with an internal name
The backdoor configuration is encrypted and embedded in its resources. The structure of the configuration file is very similar to the previous one.
Figure 14. Backdoor configuration structure (KaitaiStruct Visualizer)
Despite the similar structure, the values of many fields were updated compared to the data presented in our old report .
The first element of the array contains a binary DLL (
Collecting samples, we drew attention to some characteristics. The sample just described appeared around July 2018, and others like it just recently, in mid-January - early February 2019. An SFX archive was used as an infection vector, dumping a legitimate bait document and a malicious OSX file.
Despite the fact that OceanLotus uses fake timestamps, we noticed that the timestamps of SFX and OCX files are always the same (
Among the documents that we have studied since the beginning of 2018, there are various names indicating the attacking countries of interest:
- The New Contact Information Of Cambodia Media (New) .xls.exe
- 李建 香 (个人 简历) .exe (fake pdf document of a CV)
- feedback, Rally in USA from July 28-29, 2018.exe
Since the discovery of the backdoor
First, authors began to remove names from auxiliary DLLs (
Secondly, many backdoor configuration fields were changed, probably to avoid detection, as many IoCs became available. Among the important fields modified by the authors are the following:
Finally, in all new analyzed versions, new C&Cs are listed in the IoCs section.
OceanLotus continues to evolve. The cybergroup is focused on the refinement and expansion of tools and lures. Authors mask malicious payloads with the help of attention-grabbing documents that are relevant to alleged victims. They develop new designs and also use publicly available tools, such as the Equation Editor exploit. Moreover, they are perfecting tools to reduce the number of artifacts remaining on victims' machines, thereby reducing the chance of detection by antivirus software.
Compromise indicators as well as MITER ATT & CK attributes are available on Welivesecurity and on GitHub .
OceanLotus specializes in cyber espionage, with priority goals in Southeast Asia. Attackers forge documents that attract the attention of potential victims in order to convince them to perform a backdoor, and also work on the development of tools. The methods used to create decoys vary in different attacks - from files with "double extension", self-extracting archives, documents with macros to well-known exploits.
Using an exploit in Microsoft Equation Editor
In mid-2018, OceanLotus launched a campaign using the CVE-2017-11882 vulnerability. One of the cybergroup's malicious documents was analyzed by 360 Threat Intelligence Center experts (a study in Chinese ), including a detailed description of the exploit. In the post below, an overview of such a malicious document.
First stage
The document
FW Report on demonstration of former CNRP in Republic of Korea.doc
(SHA-1:) is D1357B284C951470066AAA7A8228190B88A5C7C3
similar to that mentioned in the study above. It is interesting in that it targets users interested in Cambodian politics (CNRP - Cambodia's National Salvation Party, dissolved at the end of 2017). Despite the extension .doc, the document has the RTF format (see the figure below), contains junk code, and is also distorted. Figure 1. Garbage in RTF
Despite the presence of distorted elements, Word successfully opens this RTF file. As can be seen from Figure 2, here is the EQNOLEFILEHDR structure with an offset of 0xC00, followed by the MTEF header, and then the MTEF entry (Figure 3) for the font.
Figure 2. The values of the FONT record.
Figure 3. The format of the FONT record.
Overflow in the name field is possible.because its size is not checked before copying. Too long a name triggers a vulnerability. As can be seen from the contents of the RTF file (offset 0xC26 in Figure 2), the buffer is filled with shellcode, followed by a dummy command (
0x90
) and the return address 0x402114
. An address is a dialog element in EQNEDT32.exe
indicating an instruction RET
. This causes EIP to point to the beginning of the name field containing the shellcode. Figure 4. The beginning of the exploit shellcode. The
address
0x45BD3C
stores a variable that is dereferenced until it reaches the pointer to the currently loaded structure MTEFData
. Here is the rest of the shellcode.The purpose of the shell code is to execute the second fragment of the shell code embedded in an open document. First, the original shellcode tries to find a file descriptor open document, going through all the descriptors of the system (
NtQuerySystemInformation
the argument SystemExtendedHandleInformation
) and check whether the PID tag and PID of the process WinWord
and whether the document is opened with a mask access - 0x12019F
. To confirm the detection of the correct descriptor (and not the descriptor of another open document), the contents of the file are displayed using the function
CreateFileMapping
, and the shell code checks if the last four bytes of the document match " yyyy
" (Egg Hunting method). As soon as a match is found, the document is copied to a temporary folder ( GetTempPath
) asole.dll
. Then the last 12 bytes of the document are read. Figure 5. End-of-document markers The
32-bit value between the
AABBCCDD
and markers yyyy
is the offset of the next shellcode. It is called using a function CreateThread
. Extracted the same shellcode used by OceanLotus before. The Python emulation script we released in March 2018 still works to dump the second stage.Second phase
Component Retrieval
File and directory names are selected dynamically. The code randomly selects the name of the executable or .dll file in
C:\Windows\system32
. He then makes a request to his resources and retrieves the field FileDescription
to use as the folder name. If this does not work, the code randomly selects the folder name from directories %ProgramFiles%
or C:\Windows
(from GetWindowsDirectoryW). It avoids the use of the name, which may conflict with an existing file, and ensures that it does not contain the following words: windows
, Microsoft
, desktop
, system
, system32
or syswow64
. If the directory already exists, "NLS_ {6 characters}" is added to the name. The resource is
0x102
analyzed and the files are dumped in %ProgramFiles%
or%AppData%
to a folder selected at random. Creation time changed to have the same values as y kernel32.dll
. For example, here is a folder and a list of files created by selecting an executable file
C:\Windows\system32\TCPSVCS.exe
as a data source. Figure 6. Extraction of various components
The resource structure
0x102
in the dropper is quite complicated. In a nutshell, it contains: - File names - File
size and content
- Compression format (
COMPRESSION_FORMAT_LZNT1
used by the function RtlDecompressBuffer
) The first file is reset as
TCPSVCS.exe
being legitimate AcroTranscoder.exe
(according to FileDescription
SHA-1:) 2896738693A8F36CC7AD83EF1FA46F82F32BE5A3
.You may have noticed that some DLL files are larger than 11 MB. This is because a large contiguous buffer of random data is located inside the executable file. It is possible that this is a way to avoid detection by some security products.
Persistence
A resource
0x101
in the dropper contains two 32-bit integers that determine how to ensure persistence. The value of the first indicates how the malware will maintain persistence without administrator rights. Table 1. Persistence mechanism without administrator rights
The value of the second integer indicates how the malware should ensure persistence while working with administrator rights.
Table 2. Persistence mechanism with administrator rights
Service name - this is the name of the file without the extension; display name is the name of the folder, but if it already exists, the string “is added to it”
Revision 1
”(The number increases until an unused name is found). The operators made sure that the persistence through the service was stable - in the event of a failure, the service should be restarted after 1 second. Then, the value of the WOW64
new service registry key is set to 4, which indicates that it is a 32-bit service. Scheduled task is created in a few COM interfaces:
ITaskScheduler
, ITask
, ITaskTrigger
, IPersistFile
and ITaskScheduler
. In essence, the malicious program creates a hidden task, sets account information along with information about the current user or administrator, and then sets the trigger.This is a daily task with a duration of 24 hours and intervals between two runs of 10 minutes, which means that it will be performed continuously.
Malicious bit
In our example, the executable
TCPSVCS.exe
( AcroTranscoder.exe
) is legitimate software that loads the DLLs that are dumped with it. In this case, it is of interest Flash Video Extension.dll
. Its function
DLLMain
simply calls another function. Some fuzzy predicates are present: Figure 7. Fuzzy predicates
After these misleading checks, the code receives the
.text
file section TCPSVCS.exe
, changes its protection to PAGE_EXECUTE_READWRITE
and overwrites it by adding dummy instructions: Figure 8. Sequence of instructions
At the end , the instruction is added to the address of the function
FLVCore::Uninitialize(void)
being exported . This means that after downloading a malicious DLL, when the runtime calls inFlash Video Extension.dll
CALL
WinMain
TCPSVCS.exe
, the instruction pointer will point to the NOP, resulting in the FLVCore::Uninitialize(void)
next step. The function simply creates a mutex starting with
{181C8480-A975-411C-AB0A-630DB8B0A221}
followed by the current username. She then reads the dumped file with the * .db3 extension, which contains position-independent code, and uses it CreateThread
to execute the contents. The contents of the * .db3 file is the shellcode commonly used by the OceanLotus group. Once again, we successfully unpacked its payload using the emulator script that we published on GitHub .
The script retrieves the final stage. This component is a backdoor that we already analyzed in a previous OceanLotus study . This can be determined by the GUID.
{A96B020F-0000-466F-A96D-A91BBF8EAC96}
binary file. The malware configuration is still encrypted in the PE resource. It has roughly the same configuration, but the C&C servers are different from the previous ones: the
OceanLotus group again demonstrates a combination of different techniques to avoid detection. They returned with a “refined” outline of the infection process. By choosing random names and populating executable files with random data, they reduce the number of trusted IoCs (based on hashes and file names). Moreover, thanks to the use of third-party DLL loading, attackers only need to remove the legitimate binary .- andreagahuvrauvin[.]com
- byronorenstein[.]com
- stienollmache[.]xyz
AcroTranscoder
Self-extracting archives
After RTF files, the group switched to self-extracting (SFX) archives with common document icons to further confuse the user. This was written by Threatbook ( link in Chinese ). After starting, self-extracting RAR files are dumped and DLLs with the extension .ocx are executed, the final payload of which was previously documented
{A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll
. Since mid-January 2019, OceanLotus has reused this technique, but over time, some configurations have changed. In this section we will talk about technology and changes.Bait creation
The document
THICH-THONG-LAC-HANH-THAP-THIEN-VIET-NAM (1).EXE
(SHA-1:) was AC10F5B1D5ECAB22B7B418D6E98FA18E32BBDEAB
first found in 2018. This SFX file was created wisely - the description ( Version Info ) says that this is a JPEG image. The SFX script looks like this: Figure 9. SFX commands The
malware resets
{9ec60ada-a200-4159-b310-8071892ed0c3}.ocx
(SHA-1:) EFAC23B0E6395B1178BCF7086F72344B24C04DCC
, as well as the 2018 thich thong lac.jpg.
Picture-Bait picture as follows:
Figure 10. Picture-Bait You
may have noticed that the first two lines in the SFX script are twice cause the OSX file, but this is not an error.
{9ec60ada-a200-4159-b310-8071892ed0c3} .ocx (ShLd.dll)
The OSX file control flow is very similar to other OceanLotus components - there are many sequences of commands
JZ/JNZ
and PUSH/RET
alternating with junk code. Figure 11. Obfuscated code
After filtering the garbage code, the export
DllRegisterServer
that is called regsvr32.exe
looks like this: Figure 12. The main installer code
In fact, the first time the
DllRegisterServer
export is called, it sets the registry value HKCU\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model
for the encrypted offset in DLL ( 0x10001DE0
). When a function is called a second time, it reads the same value and runs at that address. From here, a resource is read and executed and many actions in RAM.
The shellcode is the same PE loader used in previous OceanLotus campaigns. It can be emulated using our script . As a result, it resets
db293b825dcc419ba7dc2c49fa2757ee.dll
, loads it into memory, and executes DllEntry
. The DLL extracts the contents of its resource, decrypts (AES-256-CBC) and unpacks (LZMA) it. The resource has a specific format that is easy to decompile.
Figure 13. Installer configuration structure (KaitaiStruct Visualizer) The
configuration is set explicitly - depending on the privilege level, binary data will be written to
%appdata%\Intel\logs\BackgroundUploadTask.cpl
or %windir%\System32\BackgroundUploadTask.cpl
(or SysWOW64
for 64-bit systems). Further, persistence is provided by creating a task with a name
BackgroundUploadTask[junk].job
, where [junk]
is a set of bytes0x9D
and 0xA0
. The name of the task application
%windir%\System32\control.exe
, and the parameter value is the path to the uploaded binary file. The hidden task runs every day. Structurally, the CPL file is a DLL with an internal name
ac8e06de0a6c4483af9837d96504127e.dll
that exports the function CPlApplet
. This file decrypts its only resource {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll
, then loads this DLL and calls its only export DllEntry
.Backdoor configuration file
The backdoor configuration is encrypted and embedded in its resources. The structure of the configuration file is very similar to the previous one.
Figure 14. Backdoor configuration structure (KaitaiStruct Visualizer)
Despite the similar structure, the values of many fields were updated compared to the data presented in our old report .
The first element of the array contains a binary DLL (
HttpProv.dll
MD5: 2559738D1BD4A999126F900C7357B759
), identified Tencent . But since the export name has been removed from the binary, the hashes do not match.Additional research
Collecting samples, we drew attention to some characteristics. The sample just described appeared around July 2018, and others like it just recently, in mid-January - early February 2019. An SFX archive was used as an infection vector, dumping a legitimate bait document and a malicious OSX file.
Despite the fact that OceanLotus uses fake timestamps, we noticed that the timestamps of SFX and OCX files are always the same (
0x57B0C36A
(08/14/2016 @ 7:15 pm UTC) and 0x498BE80F
(02/06/2009 @ 7:34 am UTC) respectively ) This probably indicates that the authors have a certain “constructor” that uses the same templates and simply changes some characteristics.Among the documents that we have studied since the beginning of 2018, there are various names indicating the attacking countries of interest:
- The New Contact Information Of Cambodia Media (New) .xls.exe
- 李建 香 (个人 简历) .exe (fake pdf document of a CV)
- feedback, Rally in USA from July 28-29, 2018.exe
Since the discovery of the backdoor
{A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll
and the publication of its analysis by several researchers, we have observed some changes in the malware configuration data. First, authors began to remove names from auxiliary DLLs (
DNSprov.dll
and two versions HttpProv.dll
). Then the operators stopped packing the third DLL (second version HttpProv.dll
), choosing to embed only one.Secondly, many backdoor configuration fields were changed, probably to avoid detection, as many IoCs became available. Among the important fields modified by the authors are the following:
- AppX registry key changed (see IoCs)
- mutex encoding string ("def", "abc", "ghi")
- port number
Finally, in all new analyzed versions, new C&Cs are listed in the IoCs section.
conclusions
OceanLotus continues to evolve. The cybergroup is focused on the refinement and expansion of tools and lures. Authors mask malicious payloads with the help of attention-grabbing documents that are relevant to alleged victims. They develop new designs and also use publicly available tools, such as the Equation Editor exploit. Moreover, they are perfecting tools to reduce the number of artifacts remaining on victims' machines, thereby reducing the chance of detection by antivirus software.
Compromise indicators
Compromise indicators as well as MITER ATT & CK attributes are available on Welivesecurity and on GitHub .