In search of APT30: how we noticed new activity from the group after several years of silence


The APT30 group has been known for quite some time: in 2015, our colleagues from FireEye described its activity. Members of this group usually attack government agencies in South and Southeast Asia (in India, Thailand, Malaysia and other countries) for the purpose of cyber espionage, and their tools have been in development since at least 2005.

In the past few years APT30 has not been very active, but in the spring of 2020 we detected traces of new malware developed by the group. The full study is published at the link; in this article we will touch on its main points.


On April 8, 2020, our experts from the PT Expert Security Center detected the activity of a well-known cybercriminal group. On a popular resource for dynamic malware analysis, network signatures describing the activity of APT30 were triggered, although nothing had been heard of it for a long time. This was the starting point of our study.

As it turned out, the attackers not only continue to maintain their old, well-known tools from a decade ago, but also stick to the same approaches to organizing their network resources.


On August 25, 2019, a file named AGENDA.scr (MD5: f4f8f64fd66a62fc456da00dd25def0d) was uploaded to VirusTotal from Malaysia. It is an x86 PE executable packed with UPX. The sample has an office document icon to fool the user, and its resources contain two more encrypted objects.


The first file (MD5: 634e79070ba21e1e8f08aba995c98112) is written to the Microsoft Office templates directory, %APPDATA%\Microsoft\Windows\Templates\AGENDA.docx, and then opened. It is an office document containing the agenda of a meeting in one of the departments of the Malaysian government. The purpose of the document is to hold the user's attention.


The second file (MD5: 56725556d1ac8a58525ae91b6b02cf2c) is placed in the startup directory as %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\WINWORD.EXE. The file is not launched when it is created (the attackers expect it to run later, for example after a system reboot, so as not to attract attention). This is a backdoor of the NETEAGLE family, whose modifications are discussed in detail in the report of our colleagues from FireEye. Curiously, the typical NetEagle string from the 2015 samples (which gave the malware family its name) is now replaced by JokerPlay.


NetEagle String in 2015 Sample


JokerPlay string in 2019 sample

Using the indicators obtained, two more backdoors were found (MD5: d9c42dacfae73996ccdab58e429548c0 and MD5: 101bda268bf8277d84b79fe52e25fee4). According to their compilation dates, they were created on October 21, 2019; one of them was also uploaded to VirusTotal from Malaysia, but only in May 2020. These samples belong to the BACKSPACE family, modifications of which are also covered in the FireEye report. We give the decrypted strings for each sample along with the decoding algorithm.

Backdoor RHttpCtrl

It is an x86 PE executable. First, the malware tries to read the value of the random key in the registry branch HKCU\Software\HttpDiv. If this fails, it obtains the system time with the WinAPI function GetSystemTimeAsFileTime and uses it as the seed for the random number generator. The generated random number is stored in the registry and used later.

Using a GET request to the address hxxp://, the malware downloads and saves the legitimate WinRAR archiver (its CLI component, 4fdfe014bed72317fa40e4a425350288). Then it creates a fingerprint of the system, collecting the computer name, IP address and version of the system, and sends it with a POST request to the address hxxp://

Backdoor RCtrl

It is an x86 PE executable developed with the MFC library and packed with UPX.

Using a single-byte XOR with the key 0x23, the malware decrypts the address of the attackers' main server: 103.233.10.152. It connects to this server over TCP on port 4433 and checks whether the connection succeeded. If the connection fails, it uses additional data to obtain the server address.

The additional data are the addresses hxxp:// and hxxp://, encrypted with a single-byte XOR with the key 0x25. Having decrypted the addresses, the malware tries to connect to each of them in turn with a GET request. It expects 8 bytes in the server response: the server IP address and port.


Getting the address of the attacker server: ‘0xAC 0xF7 0xC5 0xBD’ → ‘172 247 197 189’, ‘0xBB 0x01 0x00 0x00’ → 0x1BB → 443
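For analysts extracting the configuration from a sample or a packet capture, the following Python sketch reproduces the two steps described above. It is an added example, not code from the malware or from the original report: the function names are hypothetical, and the key search over all 256 values goes slightly beyond the text so that the same routine also covers the 0x25 and 0x24 strings.

```python
import ipaddress
import struct
from typing import List, Tuple

def xor_decode(blob: bytes, key: int) -> bytes:
    """Single-byte XOR; the same routine encodes and decodes."""
    return bytes(b ^ key for b in blob)

def find_xor_ipv4(blob: bytes) -> List[Tuple[int, str]]:
    """Try every key and keep those that yield a dotted-quad IPv4 string."""
    hits = []
    for key in range(256):
        try:
            text = xor_decode(blob, key).rstrip(b"\x00").decode("ascii")
            hits.append((key, str(ipaddress.IPv4Address(text))))
        except ValueError:  # not ASCII, or not a valid IPv4 address
            continue
    return hits

def parse_c2_response(body: bytes) -> Tuple[str, int]:
    """Parse the 8-byte reply: 4 bytes of IPv4, then a little-endian 32-bit port."""
    if len(body) < 8:
        raise ValueError("expected at least 8 bytes, got %d" % len(body))
    ip = str(ipaddress.IPv4Address(body[:4]))
    (port,) = struct.unpack("<I", body[4:8])
    if not 0 < port <= 0xFFFF:
        raise ValueError("port out of range: %d" % port)
    return ip, port

# The 8 bytes shown in the figure caption of the article.
SAMPLE_RESPONSE = bytes([0xAC, 0xF7, 0xC5, 0xBD, 0xBB, 0x01, 0x00, 0x00])
# Constructed sample: the address from the article, re-encoded with key 0x23.
SAMPLE_BLOB = xor_decode(b"103.233.10.152", 0x23)

if __name__ == "__main__":
    print(parse_c2_response(SAMPLE_RESPONSE))
    print(find_xor_ipv4(SAMPLE_BLOB))
```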

After receiving a valid IP address of the attacker server, the malware reconnects to the server and expects to receive the Jo * Po * Hello string from it. This string is encoded in the body of the malware with a single-byte XOR with the key 0x24. A curious trick: as a rule, trojans initiate the data exchange themselves.

If the string is received, a fingerprint of the system is created: the system version, IP address, information about the brand and frequency of the processor, and the amount of disk space. The collected data is encrypted with a unique algorithm based on bitwise cyclic shifts and XOR (namely, a left shift by 4 + 3 = 7 bits and XOR with 0x23) and sent to the attacker server.

Then a separate thread is created, which sends the same data buffer to the server every 30 seconds. Control then passes to a command-processing function that decrypts the received data (the decryption algorithm is the reverse of the encryption algorithm described above) and extracts the command number.
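To decode captured RCtrl traffic during an investigation, the transform described above can be reimplemented as follows. This is an added example, not code from the malware or the original report; it assumes the transform is applied to each byte independently, and because the article does not state whether the rotation or the XOR comes first, it implements both orders and picks the one that yields more printable text. The sample fingerprint is constructed.

```python
from typing import Tuple

ROT, KEY = 7, 0x23  # rotation count and XOR key given in the article

def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits."""
    return ((b << n) | (b >> (8 - n))) & 0xFF

def ror8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits."""
    return ((b >> n) | (b << (8 - n))) & 0xFF

def encode(data: bytes, xor_first: bool = False) -> bytes:
    """Forward transform; xor_first selects the assumed order of operations."""
    if xor_first:
        return bytes(rol8(b ^ KEY, ROT) for b in data)
    return bytes(rol8(b, ROT) ^ KEY for b in data)

def decode(data: bytes, xor_first: bool = False) -> bytes:
    """Inverse transform: undo the steps in reverse order."""
    if xor_first:
        return bytes(ror8(b, ROT) ^ KEY for b in data)
    return bytes(ror8(b ^ KEY, ROT) for b in data)

def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII."""
    return sum(0x20 <= b <= 0x7E for b in data) / len(data) if data else 0.0

def best_decoding(captured: bytes) -> Tuple[bool, bytes]:
    """Decode with both orders and return (xor_first, plaintext) of the more readable one."""
    scored = [(printable_ratio(decode(captured, xf)), xf) for xf in (False, True)]
    _, xor_first = max(scored, key=lambda item: item[0])
    return xor_first, decode(captured, xor_first)

# Constructed sample: a fingerprint-like buffer, not real traffic.
SAMPLE = b"Windows 7 Service Pack 1|192.168.56.10|Intel(R) Core(TM) i5 2.50GHz|40 GB free"

if __name__ == "__main__":
    wire = encode(SAMPLE)
    print(wire.hex())
    print(best_decoding(wire))
```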


The software created by the attackers cannot be said to stand out for high-quality code or for tricks to hide in the system or bypass detection. The group's targets do not appear to be changing; perhaps the attackers simply do not need a more sophisticated malicious arsenal. As for the new toolkit, we noted that it is incomplete. Perhaps the group is testing fresh software in real operations and identifying its flaws. In the future we should therefore expect improved versions of the RHttpCtrl and RCtrl backdoors, possibly using techniques to hide themselves or to complicate analysis.

The full report is available at the link.

Posted by Alexey Vishnyakov, Positive Technologies
