Who doesn't love to study threat actors & their Mysterious Ways of operations? This One piqued my interest due to its name and its modus operandi. Also, There were some Intelligence Floating around.
Last updated
Let's Start by Gathering Intelligence and Building on The actor Profile
(Threat Attribution as some may call it. Still learning this Art!! ).
"Know Your Enemy"
DarkHotel or DUBNIUM has the following key Characteristics:
Name 1
DarkHotel
By KasperSky Labs
Name 2
Dubnium
by Microsoft
Name 3
Shadow Crane
Crowdstrike
Origin
South Korea
Target
Primarily East Asia
Last Observed Activity
2014
Active Since
2004
Other Names
Fallout Team, Karba, Luder, Nemim, Nemin, Tapaoux, Pioneer, APT-C-06, SIG25, TUNGSTEN BRIDGE, T-APT-02
The Modus Operandi is Interesting !!
This Group used to track the traveling plans of their targets and used Hotel Networks/Wi-Fi to compromise them. They scaled their attacks later beyond business entities to political leaders/personas.
Most of the SOC operations and Hunting Operations revolve around Threat Intelligence, You might have a Vendor/Platform/Intelligence Team providing you data/feeds from multiple sources.
Similar to Co-existing system of Threat Intelligence & Hunting Operations, I believe Threat Intelligence is the Backbone of Hunting (I repeat Searching IOCs is not Hunting!!) and I try to engulf as many threat/intelligence reports as possible and try to make them actionable (Lot of Threat Research Teams doing some amazing work publishing for us to Consume, Aspire to become like one of those Amazing Threat Researchers.).
I came across one of those Feeds and this caught my attention. Did some Searching and data collection to finally stumble upon a Malware Sample used by this group.
Most of the Reports you go through provide you with the IOCs, as written in my previous post, IOCs are basically entities that indicate that there is a compromise, which also means if you search around those IOCs you will reach the main Sample.
One Such Threat Sample/IOC was a Malicious Document used by this threat actor/Group
SHA256: 8d956e79689f2e34d66052f4a795440afd69e396f3f3f47802fcacea3e37d99d
I gathered this sample from Virustotal and began Detonating it in my Lab Environment to study behaviours.
Downloaded the File and Renamed it "8d956e79689f2e34d66052f4a795440afd69e396f3f3f47802fcacea3e37d99d.docx", after all it's a word document. After execution, Winword.exe Opened and loaded the file, it took like 2 minutes to just open up this document in protected mode by the Word processor.
"Open in Editing Mode" crashed my word process (maybe my VM was having low memory). I gave it another shot and opened the document this time in Editing mode and it successfully opened after loading for 2 more minutes.
Now here it begins.
I executed this word file on two different VMs and found this error to be generating on both of them as soon as i clicked "Enable Editing" :
In my experience, I saw no unexpected behavior that hinted at a security warning/issue(except the tooltip while clicking on enable editing). The word document contained a list of products and their shopping links that it was promoting. I just scrolled through the pages and then closed the MS-Word.
So to a normal user, this document might not at all seem malicious or dangerous as it didn't do any observable anomalous action in the front-end. Which is Dangerous!!
Now Let's start our analysis.
Investigating Network/DNS Events observed ( Office apps making anomalous Network Connection is a very typical Threat Behaviour.)
I have also enabled Sysmon along with Elastic EDR to have Two Different types of Telemetry for the same events, this will help be ensure the reliability of
Interestingly, WinWord Process Spawned a few Anomalous Child Processes :
DW20.exe : This can be ignored as it is a Process that calls Microsoft error reporting Tool.
Cmd.exe : CommandLines (/cipconfig /renew) issues are commands to renew the IP address allocated to the Machine (DHCP Configuration)
qq3104.exe (Interesting!!): Random named Binary Process from an unusual location.
If I Just go by the number of Hits for File Creations(using the above Query), 87 Different entries appear, which is a very strong Indicator of Something not right.
File Activities by WinWord.exe should provide us context if this binary was dropped. (Chaining Pieces Together and Backtracking is Important step of Investigation and Hunting Operations )
As suspected the File was itself dropped by WINWORD.exe.
Another question that comes here is was the File Downloaded from a remote server and then Written on Disk or the File was embedded in the word document?
We'll have to figure that out, with File Forensics/Sample Analysis.
So there were multiple suspicious File Write Operations , The word process wrote these files and also wrote in their alternate Data Streams
qq3104.exe
qq2688.exe
googleofficechk.sct
p
b
As of now we know, a Word Document, Dropped multiple suspicious Files and initiated one of them (qq3104.exe) as a process.
Other Important Observation: Word document has written to Alternate Datastream to these dropped files.(Hence I rounded only these out of 87 as suspicious, !! I might be missing pieces here, but I'm generating leads for further investigations.)Another Very popular Technique)
Let's do a Datatable Visualization on Network Comms that are not DNS Type . (I hate how Kibana doesn't support Inline Aggregation Queries like Splunk/SQL/AQL/EQL; I know it supports EQLbut that's a stripped-down version of The Actual EQL )
Running the Data via VirusTotal, No Interesting Leads were Observed (Although these cloud IPs are something that I fear a lot, It could be Attacker Hosted Malicious Servers and since they are in CSPs they are difficult to work with)
Looks Like I'll have to set up network Monitoring Tools as well, only Destination IPs are not good enough to understand what happened!!!! Will try Installing Snort/Suricata/Zeek in the Next Analytical Story I write.
DNS queries
"signing-config.com" was a little suspicious, Running all the Data against Reputation Check, No significant Leads were observed.
let's move to understand what happened next, Traverse the Holy Tree !!
Now with an EDR you get a process Tree the breaks down the Process for you to quickly understand and act on it, while that might be the fastest way to understand contain and triage in a production Environment (Highly Recommended!!) for the sake of Learning and Understanding of every event and build solid research on the sample, I'll take the more data-intensive way of Traversing the Document. I'll upload the Process Tree diagram on the Github Repo for your reference if you guys are interested.
Let's Search for all the Child Processes of WinWord.exe to identify any suspicious process executed by the Application.
There are 10 Entries (Red Box shows the start and end of the WinWord.exe Process in the Below Diagram), Interestingly(also expected) we have qq3104.exe as a child process.
To sum up all the Interesting Observations :
Winword.exe Dropped Suspicious Files(qq3104.exe, qq2688.exe, googleofficechk.sct, p, b)
WinWord.exe Executed qq3104.exe
Interestingly qq3104.exe did not do anything after that, I had no events, no process flows, no file writes and no DLL reads, nothing after this.
I had two Explanations for this in my Head :
Anti-Analysis Technique/Vm-Virtual Environment Detection
The Criteria for Malware Infection didn't meet.
There's only one way to find this out: Static Sample Analysis
Since the sample we have our hands on it a Document file, let's start with Malicious Document analysis,
We'll be using OleTools to identify if the WORD document contains any Macro/OLE objects/ remote objects
Interestingly there is nothing suspicious Embedded in the document.
Let's proceed to Dump the Contents of the word document.
We get another Docx File(Altchunk2.docx) in the Dump.
Let's re-iterate the process of Dumping contents from this Docx file(Altchunk.docx).
This time we got an embedded RTF File(AltChunk.rtf) of 3966KB, while the Original sample download was 1141KB, and we have only performed dumping of embedded files,
Interesting, (also note the amount of compression that has been done by the Threat actor).
Since this is an RTF file, let's check first if it has any embedded objects inside it using oleTools :
We observe "b", "p", "googleofficechk.sct" files as we observed during dynamic detonation of the file.
We'll save these files on disk using OleTools.
Let's open the sct file in VSCode. There were 2 important sections of the script:
The First section actually grabs a list of running processes, creates a string out of it, encodes it into base64 and send it to "hxxp://signing-config.com/cta/key.php" The data is sent as L=G641g1QQoWUiXE&q= {encoded list of processes}.
I've tried to simplify 2nd piece of code, by replacing variables with their values
The logic basically checks if there is already a folder named "LOCALAPPDATA\PeerDistRepub". if not Create it.
If LOCALAPPDATA\PeerDistRepub\msrcvcd32.exe exists then do nothing
Else
Copy TEMP\p to LOCALAPPDATA\PeerDistRepub\qq3104.exe.
Copy TEMP\b to LOCALAPPDATA\PeerDistRepub\qq2688.exe
Creates Alternate data streams for qq3104.exe and qq2688.eexe and writes ("ZoneID=1" as ZoneTransfer data)
Executes qq3104.exe
Renews Ipv4 configuration for NICs
The above file is a 32-bit binary, probably one of the reasons why it didn't execute properly on my Lab environment
Some interesting Strings could be observed in the above screenshot.(I will use these strings to jump on to probably important code statements during reverse Engineering)
Let's Just directly open the Disassembler and jump straight to references of "explorer.exe"(as inspected in the above strings section), decompiling the section
The code locks the PEB (PEB Contains the Process information )
The code attempts to lock the PEB and copies the process parameters of "explorer.exe" (probably to behave like explorer.exe)
Skimming through the binary code, another interesting peice of the code was observed:
Googling these CSLIDs,I easily got information that these are vulnerable CSLIDs are prone to UAC bypass attacks for privilege Escalation.
Also, these two are popularly exploited by almost all of the popular ransomware (Better keep a note of the pattern!!)
To note, these two CLSIDs point to
Cmstplua.dll
colourui.dll
Also the binary Executes another binary named qq2688.exe , which we know if renamed dropped binary "b".
Straight off the entry point, it can be observed that the binary is checking for "360Tray.exe" and "QQPCTray.exe"
The binary also checks for a bunch of Firewall Rules (I've renamed the Function to "Check_passed_Firewall_Rules" for the ease of understanding.)
Finally, the Malicious Code segment is called:
The Code Attempts to Make some registry changes at "HKLM" hive, at "SYSTEM\\CurrentControlSet\\Services\\X" location
Keys Created are:
Description
DisplayName
ObjectName
ErrorControl
ImagePath
Start
Type
s
x
the ImagePath key value is an interesting string, let's try decoding that as well.
The code executes mshta.exe to invoke powershell.exe with the payload
Decoded payload:
Now this command fetches data from HKLM:\SYSTEM\CurrentControlSet\Services\X\s , splits it and executes it.
The value is of s key is in HEX, so let's convert the code back to UTF-8 encoded string :
Decoding the base64 encoded Command we get a similar command:
Now this command fetches data fromHKLM:\SYSTEM\CurrentControlSet\Services\X\s, splits it, and executes it. Again fetching that Data (and converting it from HEX to string):
we get a long string(powershell Command/payload) of obfuscated strings and commands(so the long string is assigned to $a variable and 2nd part of the string is a series of obfuscated command).
De-obfuscating and modifying the above code to readable payload, Also modyfing the commands to save the data into a file rather than PowerShell executing it:
PowerShell is used to de-obfuscate the payload and save it into MemoryStream and execution takes from the Memory
We get a DLL File for Analysis, Phew!!! what a long chain of attack
This is supposedly a .NET Dll hence we'll use VisualStudioCode + ISPY to decompile this DLL.
This Gives us a nicely formatted code to analyze:
Since the Malicious Code attempted to Execute stat() function via the Object initiation of this Class1,
I straight away jumped to analyze that function.
Initially, I used an online C# Compiler to compile codes in pieces and obtain necessary information, rather than unnecessary reverse engineering.
But then I encountered functions that couldn't run on online compilers as they were querying System Properties hence decided to quickly setup by .Net Env in VSCODE and write the code there. (I'm a C# noob but can do a code review to understand what's happening and write using the help of google)
I tried Changing the Program code to just perform the logic and print out variable names so as to Have a Reference of what happened and we can study the behavior.
So the Code logic is:
Create two Directories :(text & text2 from above snipped, Locations are Hard-coded)!!
Call GetSystemInfo() method which internally runs the following query:
I converted this to the Equivalent PowerShell command, got values from there and hardcoded the variables on the code (cause I'm not that good at C#/.net and didn't want to waste time debugging and assembly reference issue while setting up Visual Studio :-( )
Get a list of Running Processes
Get the Mac Address of the Machine
Generate C2 URLS : (Text9 + MacAddress+&mk=u<c=+base64(list of processes))
Text 9 and Text 10 are basically C2 Domains(values could be seen from the above snippet)
Execute the Download String via Webclient
If exception Genereate new c2 URL : (Text10 + MacAddress+&mk=u<c=+base64(list of processes))
These are executed as download strings to download the file from the C2
Code enters in infinite-Loop
Determine [Content-Disposition] Header in response, if its set,
PreProcess the [Content-Disposition] header ,
trigger a switch case(Pattern Indicative of C2 Commands being received in the Header)
On "TTA" command the file is moved (%appdata/RandomFileName --> %appdata/provided_filename)
On "TTX" command file is added .exe and executed (%appdata/ProvidedFilename --> %appdata/Provided_fileName+.exe)
On "TTT" file is again moved ((%appdata/ProvidedFilename --> %appdata/Provided_fileName)
On "TTW" the file is added .wll extension and moved(%appdata/ProvidedFilename --> %appdata/Provided_fileName+.+Provided_extension)
the C2s are not active, the Further file couldn't be downloaded for analysis, Hence I would conclude this Study here.
The Attack would really happen on a 32-bit OS
The C2's are down hence the entire attack chain couldn't be studied.
There was a fairly low amount of Obfuscation compared to an APT group-style attack.
Powershell to Deobfuscate code directly into memory and execute it in memory was a clever way of defense evasion & execution
Copying properties of Explorer.exe and using it to spawn a spoof as nice TTP
Elastic EDR Detections were not as effective against these Attacks as an "EDR" should be.
I'll post a separate Hunting & Detection jupyter notebook with all the code/forensics commands soon.
