While monitoring information security threats in May 2020, Positive Technologies experts discovered several new malware samples. At first glance they appeared to belong to the Higaisa group, but detailed analysis showed that they should be attributed to the Winnti group (also known as APT41, in FireEye's naming).
Further monitoring also revealed many other instances of APT41 malware, including backdoors, droppers, loaders, and injectors. We were also able to find samples of a previously unknown backdoor (which we named FunnySwitch) with atypical peer-to-peer messaging functionality. The detailed report is available via the link; in this article we describe how our research began.
The first attack that drew our experts' attention was dated May 12, 2020.
The malicious file used in it is an archive named Project link and New copyright policy.rar (c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04). The archive contains a decoy document in PDF format (Zeplin Copyright Policy.pdf) and a folder All tort’s projects – Web lnks holding two shortcuts:
Conversations – iOS – Swipe Icons – Zeplin.lnk,
Tokbox icon – Odds and Ends – iOS – Zeplin.lnk.
The structure of the malicious shortcuts is similar to the sample 20200308-sitrep-48-covid-19.pdf.lnk, which the Higaisa group distributed in March 2020.
The initial infection mechanism has not fundamentally changed: opening either shortcut executes a command that extracts a Base64-encoded CAB archive from the body of the LNK file and unpacks it into a temporary folder. Further actions are performed by the extracted JS script.
The main payload installed by the script is the shellcode named 3t54dE3r.tmp…
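The chain above gives defenders a cheap static check: a shortcut file whose body contains a long Base64 run that decodes to a CAB archive (CFHEADER signature "MSCF") is not an ordinary shortcut. The scanner below is an added example written for this article, not code from Positive Technologies or from the samples; the run-length threshold, the size threshold and the sample shortcut it builds (a zeroed ShellLinkHeader plus a UTF-16LE command line carrying a stub that merely starts with "MSCF") are constructed assumptions.

```python
import base64
import binascii
import re

# Added example (not from the Positive Technologies article): a heuristic scanner
# for .lnk files that carry a Base64-encoded CAB archive in their body.
# Thresholds and the sample input below are constructed assumptions.

MIN_RUN = 64                  # assumed: shortest Base64 run worth decoding
MAX_BENIGN_LNK = 20 * 1024    # assumed: ordinary shortcuts are a few KB at most

# Base64 runs stored as plain ASCII, and as UTF-16LE (how LNK string data such
# as COMMAND_LINE_ARGUMENTS is stored when the IsUnicode flag is set).
B64_ASCII = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_RUN)
B64_UTF16 = re.compile(rb"(?:[A-Za-z0-9+/]\x00){%d,}(?:=\x00){0,2}" % MIN_RUN)

LNK_HEADER_SIZE = b"\x4c\x00\x00\x00"                            # ShellLinkHeader.HeaderSize == 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # ShellLinkHeader.LinkCLSID
CAB_MAGIC = b"MSCF"                                              # CFHEADER signature


def is_lnk(data: bytes) -> bool:
    """True if the bytes begin with a ShellLinkHeader (size field + CLSID)."""
    return data[:4] == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def find_base64_runs(data: bytes) -> list:
    """Return candidate Base64 runs as ASCII bytes, from both encodings."""
    runs = [m.group(0) for m in B64_ASCII.finditer(data)]
    for m in B64_UTF16.finditer(data):
        runs.append(m.group(0).decode("utf-16-le").encode("ascii"))
    return runs


def try_decode(run: bytes):
    """Decode a Base64 run, tolerating missing padding; None if not valid Base64."""
    core = run.rstrip(b"=")
    if len(core) % 4 == 1:        # a lone trailing character can never be valid
        core = core[:-1]
    core += b"=" * (-len(core) % 4)
    try:
        return base64.b64decode(core, validate=True)
    except binascii.Error:
        return None


def scan_lnk(data: bytes) -> list:
    """Return a list of human-readable findings for one shortcut file."""
    findings = []
    if not is_lnk(data):
        findings.append("file does not start with a ShellLinkHeader")
    if len(data) > MAX_BENIGN_LNK:
        findings.append("oversized shortcut (%d bytes)" % len(data))
    for run in find_base64_runs(data):
        blob = try_decode(run)
        if blob is None:
            continue
        if blob.startswith(CAB_MAGIC):
            findings.append("embedded Base64 CAB archive (%d bytes decoded)" % len(blob))
        elif blob.startswith(b"MZ"):
            findings.append("embedded Base64 PE image (%d bytes decoded)" % len(blob))
    return findings


def build_sample_lnk() -> bytes:
    """Constructed test input: a zeroed 76-byte ShellLinkHeader followed by a
    UTF-16LE command line carrying a Base64 stub that starts with 'MSCF'.
    The stub is not a valid CAB and the header holds no real link data."""
    header = LNK_HEADER_SIZE + LNK_CLSID + b"\x00" * 56
    fake_cab = CAB_MAGIC + b"\x00" * 4 + b"constructed-cab-stub".ljust(120, b"\x00")
    encoded = base64.b64encode(fake_cab).decode("ascii")
    command_line = ("cmd /c echo " + encoded).encode("utf-16-le")
    return header + command_line


if __name__ == "__main__":
    for finding in scan_lnk(build_sample_lnk()):
        print(finding)
```

Run it over a directory of shortcuts extracted from mail attachments or archives; anything that reports an embedded CAB or PE, or that is far larger than a normal shortcut, deserves a sandbox detonation before it reaches a user.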
On May 30, 2020, a new malicious object was identified: the archive CV archiveColliers.rar (df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d) with two shortcuts:
Curriculum VitaeWANG LEI_Hong Kong Polytechnic University.pdf.lnk,
International English Language Testing System certificate.pdf.lnk.
Their structure exactly repeated that of the May 12 samples. This time, PDF documents containing a resume and an IELTS certificate were used as decoys.
However, detailed analysis of the shellcode used as the payload showed that the samples belong to the Crosswalk malware family. This malware appeared no later than 2017 and was first mentioned in the FireEye report on the activities of the APT41 (Winnti) group.
Studying the samples' network infrastructure also reveals overlaps with previously known APT41 infrastructure: an SSL certificate with SHA-1 b8cff709950cfa86665363d9553532db9922265c is found on the IP address of one of the C2 servers, and the same certificate appears on the IP address 67.229.97[.]229 mentioned in the CrowdStrike report for 2018. Pivoting further leads to several domains from a 2013 Kaspersky report.
All of this leads us to conclude that these LNK attacks were carried out by the Winnti group (APT41), which borrowed the shortcut technique from Higaisa.
Crosswalk is a modular shellcode backdoor. Its main component is responsible for establishing a connection to the control server, collecting and sending information about the system, and installing and executing up to 20 additional modules received from the server in the form of shellcode.
The information collected includes:
operating time of the OS (uptime);
IP addresses of network adapters;
MAC address of one of the adapters;
version and bitness of the operating system;
the name of the executable module;
PID of the process;
version and bitness of the shellcode.
The shellcode exists in both 32- and 64-bit variants. Its versions are encoded as two numbers; among those we found are 1.0, 1.10, 1.21, 1.22, 1.25 and 2.0.
For a more detailed analysis of one of the Crosswalk versions, see the VMware Carbon Black research.
Loaders and injectors
Researching the network infrastructure and monitoring new Crosswalk samples led us to other malicious objects that carry the Crosswalk shellcode as their main payload. These objects can be roughly divided into two groups: local shellcode loaders and injectors. In both groups, some of the samples were additionally obfuscated with VMProtect.
The injectors contain typical code that obtains the SeDebugPrivilege privilege, finds the PID of the required process, and injects the shellcode into it. In different instances, explorer.exe and winlogon.exe serve as the target processes.
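Each of the three injector steps leaves a trace on a host with standard auditing: enabling SeDebugPrivilege is logged as Windows Security event 4703 (EnabledPrivilegeList), and the remote thread that starts the shellcode in explorer.exe or winlogon.exe is logged as Sysmon event 8 (CreateRemoteThread), typically with a StartAddress that no loaded module backs. The correlation below is an added example written for this article, not detection content from Positive Technologies; the event field names are those of the real event schemas, while the events themselves, the process names and the "outside the Windows directory" heuristic are constructed assumptions.

```python
import ntpath

# Added example (not from the article): correlate a Windows Security 4703 event
# (token privilege adjusted) with a Sysmon event 8 (CreateRemoteThread) to surface
# the injector behaviour described above. Field names follow the real event
# schemas; the sample events and the path heuristic are constructed assumptions.

TARGET_PROCESSES = {"explorer.exe", "winlogon.exe"}   # targets named in the article
WINDOWS_DIR = "c:\\windows\\"


def _pid(value) -> int:
    """The Security log renders ProcessId as hex text ('0x1234'); Sysmon as decimal."""
    return int(str(value), 0)


def detect_injection(events: list) -> list:
    """Walk events in order and return alerts for remote threads created in the
    target processes by suspicious source processes."""
    debug_enabled = {}   # pid -> image that enabled SeDebugPrivilege
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4703 and "SeDebugPrivilege" in ev.get("EnabledPrivilegeList", ""):
            debug_enabled[_pid(ev["ProcessId"])] = ev["ProcessName"]
        elif eid == 8:
            target = ntpath.basename(ev["TargetImage"]).lower()
            if target not in TARGET_PROCESSES:
                continue
            src_pid = _pid(ev["SourceProcessId"])
            src = ev["SourceImage"]
            reasons = []
            if src_pid in debug_enabled:
                reasons.append("source process enabled SeDebugPrivilege (event 4703)")
            if not src.lower().startswith(WINDOWS_DIR):
                reasons.append("source image outside the Windows directory")
            if not ev.get("StartModule"):
                reasons.append("thread start address not backed by a loaded module")
            if reasons:
                alerts.append({"pid": src_pid, "source": src,
                               "target": target, "reasons": reasons})
    return alerts


# Constructed sample telemetry: one injector run, one benign remote thread from a
# system process, and one remote thread into a process the rule does not cover.
SAMPLE_EVENTS = [
    {"EventID": 4703, "ProcessId": "0x1234", "ProcessName": r"C:\Users\Public\update.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 8, "SourceProcessId": 4660, "SourceImage": r"C:\Users\Public\update.exe",
     "TargetProcessId": 1180, "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x00000000026B0000", "StartModule": "", "StartFunction": ""},
    {"EventID": 8, "SourceProcessId": 812, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetProcessId": 1180, "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x00007FFB1C0A1230", "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "RtlUserThreadStart"},
    {"EventID": 8, "SourceProcessId": 4660, "SourceImage": r"C:\Users\Public\update.exe",
     "TargetProcessId": 2044, "TargetImage": r"C:\Program Files\Example\app.exe",
     "StartAddress": "0x0000000002A10000", "StartModule": "", "StartFunction": ""},
]


if __name__ == "__main__":
    for alert in detect_injection(SAMPLE_EVENTS):
        print(alert)
```

The three reasons are deliberately independent: a loader that never touches SeDebugPrivilege still trips the unbacked-start-address check, and a source living under C:\Windows still trips the 4703 correlation. Treat the event list as a per-host stream ordered by time; the 4703 must precede the event 8 from the same PID for the correlation to fire.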
The instances we discovered contain one of three payload options:
FunnySwitch (more on this backdoor in the full article).
The main function of the samples in the local shellcode loader group is to extract and execute shellcode in the current process. Two subgroups can be distinguished among them by the source of the shellcode: it can be located either in the original executable file or in an external file in the same directory.
Most loaders start by checking the current year, which resembles the behavior of the LNK attack samples.
The Winnti group has a wide range of malware tools in its arsenal and actively uses them in its attacks. The group uses both widely available tools such as Metasploit, Cobalt Strike and PlugX, and its own developments, the list of which is constantly growing. In particular, no later than May 2020, the group started using its new backdoor, FunnySwitch.
A distinctive feature of the group's backdoors is support for several transport protocols for connecting to the C&C server, which makes malicious traffic harder to detect.
The full report presents a more detailed analysis of the malware samples detected by Positive Technologies experts. It also describes examples of the Winnti group's attacks and techniques.