APT31 new dropper. Target destinations: Mongolia, Russia, the U.S., and elsewhere

Introduction

PT Expert Security Center (PT ESC) specialists regularly track the activity of hacker groups and the emergence of new information security threats (threat intelligence). During such monitoring in April 2021, a mailing list with previously unknown malicious content was sent to Mongolia. Some of the files found during the study had rather interesting names ("хавсралт.scr" ["havsralt.scr"] (mong. attachment), "Информация_Рб_июнь_2021_года_2021062826109.exe") and, as the study showed, they contained a remote access trojan (RAT). Similar attacks were subsequently identified in Russia, Belarus, Canada, and the United States. According to PT ESC threat intelligence analysts, from January to July 2021, approximately 10 attacks were carried out using the discovered malware samples. A detailed analysis of malware samples, data on the paths on which working directories and registry keys were located, techniques and mechanisms used by the attackers (from the injection of malicious code to the logical blocks and structures used) helped correlate this malware with the activity of the APT31 group.

This group, also known as Judgment Panda (CrowdStrike) and Zirconium (Microsoft), has been active since at least 2016. The group is presumed to be of Chinese origin, providing data to the Chinese government and state-owned enterprises to achieve political, economic, and military advantages. Cyberespionage is of key interest. The attackers' targets include the government sector, aerospace and defense enterprises, as well as international financial companies and the high-tech sector. In different years, the group's victims have included the government of Finland and, it is presumed, the governments of Norway and Germany too. The group also attacked organizations and individuals close to U.S. presidential candidates during the 2020 campaign. Recent attacks on companies in France, involving the hacking of home and office routers, have also been linked with the group.

In this article, we will study the malware created by the group, focus in more detail on the types of droppers discovered and the tricks used by its developers. We will also present the criteria on the basis of which the attacks were attributed.

Analysis of malicious content

Dropper

The main objective of the dropper, the appearance of the main function of which is shown in Figure 1, is the creation of two files on the infected computer: a malicious library and an application vulnerable to DLL Sideloading (this application is then launched). Both files are always created over the same path: C:\ProgramData\Apacha. In the absence of this directory, it is created and the process is restarted.

Overview of the dropper's basic function
Figure 1. Overview of the dropper's basic function

At the second stage, the application launched by the dropper loads the malicious library and calls one of its functions. It is noteworthy that MSVCR100.dll was chosen as the name of the malicious library in all cases. A library with an identical name is included in Visual C ++ for Microsoft Visual Studio. It is available on almost all PCs, but in a legitimate case it is located in the System32 folder (Figure 2). Moreover, the size of the malicious library is much smaller than the legitimate one.

Parameters of the legitimate MSVCR100.dll
Figure 2. Parameters of the legitimate MSVCR100.dll

It is also worth noting the trick of the malware developers: by way of exports, the library contains names that can be found in the legitimate MSVCR100.dll. Without a doubt, this was done to make the malicious library as identical to the original version as possible.

Part of the exports of malicious MSVCR100.dll
Figure 3. Part of the exports of malicious MSVCR100.dll

However, the number of exports in the malicious sample is much smaller, and most of them are ExitProcess calls.

Below is an example of a call to a malicious function from the created library. After the call, control is transferred to the malicious code. Note that the names of malicious functions were most often those used during the regular loading of applications.

Calling a malicious function inside a legitimate application
Figure 4. Calling a malicious function inside a legitimate application

During the analysis of malware samples, PT ESC specialists detected different versions of droppers that contain the same set of functions. The main difference is the name of the directory in which the files contained in the dropper will be created. However, in all the instances studied, the directories found in C:\ProgramData\ were used.

The version of the dropper that downloads all files from the control server is worthy of particular note. Let's take a closer look. At the first stage, the presence of a working directory is also checked, after which connection is made to the control server and the necessary data is downloaded from it.

Checking for a directory
Figure 5. Checking for a directory

Communication with the server is not encrypted in any way, nor is the control server's address inside the malware. Downloaded files are written to the created working directory.

Creating files in the working directory
Figure 6. Creating files in the working directory

Figure 7 displays the code sections responsible for downloading all files from the server (the last reviewed case), while Figure 8 displays the code for loading the main library (first instance).

Downloading files from C2
Figure 7. Downloading files from C2
Downloading a malicious library from C2
Figure 8. Downloading a malicious library from C2

Examining the open directories of control servers revealed unencrypted libraries (Figure 9).

Encrypted and unencrypted libraries on the server
Figure 9. Encrypted and unencrypted libraries on the server

It is also worth noting that in some cases, particularly during attacks on Mongolia, the dropper was signed with a valid digital signature (Figure 10). PT ESC experts believe that this signature was most likely stolen.

Valid digital signature of a dropper
Figure 10. Valid digital signature of a dropper

Malicious library

Execution commences with receipt of a list of launched processes. That said, this has no impact on anything and is not used anywhere. The library then checks for the presence of the file C:\\ProgramData\\Apacha\\ssvagent.dll. This is the encrypted main load downloaded from the server. If this file does not exist, then the address of the control server from which the download will be performed is decrypted.

In fact, this is a 5-byte XOR with a key built into the library. Inside the binary file, the key is stored in the form xmmword with the constant 9000000090000000900000009h (the fifth byte is added to the memory by the malware itself using the direct address). In fact, encryption is performed with byte 0x9. After decrypting the C2 address, it connects to the control server and downloads the encrypted payload from it. Then the received data is saved in the file C:\\ProgramData\\Apacha\\ssvagent.dll, and the legitimate application ssvagent.exe is restarted. The main part of the described functions is presented in Figure 11.

Decrypting the C2 address, loading and launching a new instance of ssvagent.exe
Figure 11. Decrypting the C2 address, loading and launching a new instance of ssvagent.exe

If the payload has been loaded earlier, it is checked for an application that is already running. To do this, a mutex named ssvagent is created; if it has been created, the application ends.

The library then writes the legitimate ssvagent.exe to startup via the registry, as shown in Figure 12.

Persistence via registry key
Figure 12. Persistence via registry key

After this, the file downloaded from the server is decrypted using a XOR operation with a 5-byte key. (The algorithm and key shown in Figure 10 differ from those used when decrypting the address of the control server.) Just as when decrypting the address of the control server, the key is stored in the form xmmword and is a constant: 1100000033000000060000000Eh. The fifth byte is identical in all cases; its value is 0x12.

Decryption code of the main library
Figure 13. Decryption code of the main library

After this, the decrypted data is placed in the application memory, and control is transferred to it.

Payload

The main library starts its execution by creating a package that will be sent to the server. Officially, the package is created from three parts:

  1. Main heading
  2. Hash
  3. Encrypted data

The main heading has the following structure:

    
typedef struct _MAIN_HEADER { DWORD sizeOfPacket;//excluding the field itself DWORD const_1; DWORD const_2; } MAIN_HEADER, *PMAIN_HEADER;

The values of const_1 and const_2 are identical and remain unchanged from package to package (unit value equalized to 4 bytes value).

To generate a hash, which is preceded by the main heading, the malware obtains the MAC address and PC name (the result of executing GetComputerNameExW). These values are concatenated (without using any separators), after which an MD5 hash is taken from the resulting value, which is then converted into a string. An example of hash generation is presented in Figure 14.

Example of hash generation
Figure 14. Example of hash generation

The third part of the package is then formed. The structure describing it is presented below:

    
typedef struct _FIRST_PACKET { char pcName[]; //result of GetComputerNameExW BYTE splitByte_0x09; char userName[]; // result of GetUserNameW BYTE splitByte_0x09; char hostIp[]; BYTE splitByte_0x09; char decrStr_1[2]; BYTE splitByte_0x2E; char decrStr_2[1]; BYTE splitByte_0x2E; char decrStr_3[5]; BYTE splitByte_0x2E; char decrStr_4[2]; BYTE splitByte_0x2E; char osVersion_inverted[2]; BYTE splitByte_0x09; char version[3]; BYTE splitByte_0x09; char macAddr[]; BYTE splitByte_0x09; } _FIRST_PACKET, *_FIRST_PACKET;

Each field is separated from the other by a value of 0x09; some fields are separated by a value of 0x2E.

An example of a generated package
Figure 15. An example of a generated package

Heading fields decrStr_1 through decrStr_4 are not generated by the malware and are not collected on the infected computer. All values are encrypted inside the malware. Each value is decrypted separately and is added to the heading. The decrStr_4 field depends on the bitness of the operating system, which ultimately leads to different offsets of the encrypted data transferred to the decryption function (Figure 17) as an argument.

The format of a complete generated package is presented below. The main heading is highlighted in green; the hash, in red; the encrypted data, in yellow.

Encrypted package with all headings
Figure 16. Encrypted package with all headings
Decrypting data from a specific position within a binary file
Figure 17. Decrypting data from a specific position within a binary file

The generated package is encrypted with RC-4 with the key 0x16CCA81F, which is embedded in the encrypted data and sent to the server. After this, malware waits for commands from the server.

Let's take a look at the list of commands that the malware implements:

  • 0x3: get information on mapped drives.
  • 0x4: perform file search.
  • 0x5: create a process, communication through the pipe.
  • 0xA: create a process via ShellExecute.
  • 0xC: create a new stream with a file download from the server.
  • 0x6, 0x7, 0x8, 0x9 (identical): search for a file or perform the necessary operation via SHFileOperationW (copy file, move file, rename file, delete file).
  • 0xB: create a directory.
  • 0xD: create a new stream, sending the file to the server.
  • 0x11: self-delete.

It is noteworthy that some of them duplicate each other's functions, and some are identical in terms of code implementation. This is most likely connected with the fact that the potential malware version is 1.0. This assumption is based on the value embedded in the code and contained in the network packages.

The code for processing the last command is particularly intriguing: all the created files and registry keys are deleted using a bat-file.

Code for removing all components
Figure 18. Code for removing all components

Attribution

During their investigation, PT ESC specialists found a Secureworks report describing the APT31 DropboxAES RAT trojan. Analysis of the detected malware instances allows us to assert that the group is also behind the attack we studied. Numerous overlaps were found in functionality, techniques and mechanisms used, starting with the injection of malicious code (up to the names of the libraries used) and ending with logical blocks and structures used inside the program code. The paths along which the malware working directories are located and the registry keys through which the persistence mechanism and their identity to the working directories are provided are also identical. In addition, the command handlers executed by the malware proved to be extremely similar, while the self-delete mechanism is identical.

The main difference between this version of the malware and that reviewed by Secureworks lies in the communication of the main load with the control server. In the cases studied, there was a custom communication protocol that Dropbox does not use to exchange data.

Network infrastructure

The detected malware samples, including the encrypted ones, revealed no overlaps between them in the network infrastructure. Nevertheless, in several cases, the payload accessed nodes other than those from which it was downloaded.

Identified servers
Figure 19. Identified servers

In one of the latest malware samples, an interesting domain inst.rsnet-devel[.]com was identified, which imitates the domain of federal government bodies and government bodies of constituent entities of the Russian Federation for a segment of the Internet. This might indicate an attack on government organizations in the Russian Federation.

Authors: Denis Kuvshinov, Daniil Koloskov, PT ESC

Conclusion

In the study PT ESC specialists analyzed new versions of the malware used by APT31 in attacks from January to July this year. The revealed similarities with earlier versions of malicious samples described by researchers, such as in 2020, suggest that the group is expanding the geography of its interests to countries where its growing activity can be detected, Russia in particular. We believe that further instances will be revealed soon of this group being used in attacks, including against Russia, along with other tools that might be identified by code correspondence or network infrastructure.

IOCs

File MD5 SHA-1 SHA-256

Dropper

jconsole.exe 3f5ea95a5076b473cf8218170e820784 765bd2fd32318a4cb9e4658194fe0fb5d94568e0 33f136069d7c3a030b2e0738a5ee80d442dee1a202f6937121fa4e92a775fead
- db1673a1e8316287cb940725bb6caa68 6a358afdd2c59f0bbfc7b1982ae6b0a782399923 2affdebbaa4f0cfa64e5c42e70d78665ef9ccb2c731c5fe07582ccdfdc05b0cc
- 2798b66475cf0794e9b868d656defca7 0c3e0a5553cc29049fd8c5fc3a1af3ae6c0c298e 002dc9f6823ad8d3de23bcb5e41bcefd895df573ed3d89e0821243aa9b7bb4a8
- 626270d5bf16eb2c4dda2d9f6e0c4ef9 f585917fdb89b9dc849621676376b0b1e6b348fa 2b495829b8b3319f98e22f35d7bd48c4dea1b9bafe80749d628da99fede6d694
news.exe 56450799fe4e44d7c5aff84d173760e8 10037b4533df13983a75d74dcea32dc73665700c 679955ff2a97ea11a181ae60c775eff78fadd767bc641ca0d1cff86a26df8ac8
- d919fed03ec53654be59e15525c1448f 9db9fe7b04bc5b2fc10f78da3891eb30c19a48b6 efdbb19fb65bcf5c4a8feb3eab784682d01f3e75f711674e4d469d4dfe4a21f3
хавсралт.scr d22670ab9b13de79e442100f56985032 6e7540fa001fc992d2050b97ea17686d34863740 78cc364e761701455bdc4bce100c2836566e662b87b5c28251c178eba2e9ce7e
president_email.exe 8e744f7b07484afcf87c454c6292e944 da845d8219d3315c02f84c27094965d02cdaa76c 5d0872d07c6837dbc3bfa85fd8f79da3d83d7bb7504a6de7305833090b214f2c
Информация_Рб_июнь_2021_года_2021062826109.exe 49bca397674f67e4c069068b596cab3e d13d6d683855f5a547b96b6e2365c6f49a899d62 874b946b674715c580e7b379e9597e48c85c04cca3a2790d943f56600b575d2f

Malicious library

MSVCR100.dll 8cefaa146178f5c3a297a7895cd3d1fc 81779c94dbe2887ff1ff0fd4c15ee0c373bd0b40 c15a475f8324fdfcd959ffc40bcbee655cbdc5ab9cbda0caf59d63700989766f
MSVCR100.dll 326024bc9222ebec281ec53ca5598cc1 5c25b93ebcedafcff0c85bcde2a0857ca72dc73e 0229404a146bb43ebc6d25d2145b493e950b2f92483be1b964f4f1c90ec6cf70
MSVCR100.dll 6f3047277719e2351ce14a54a39f7b15 7de335e005b0766268df918e7e3b64f4b3521c1e 640128a35efc0ad83fe5b1461090f1b869c7a6ed0a8a661be403359d48a78085

Network indicators

gitcloudcache[.]com

edgecloudc[.]com

api[.]hostupoeui[.]com

api[.]flushcdn[.]com

const[.]be-government[.]com

drmtake[.]tk

inst[.]rsnet-devel[.]com

20[.]11[.]11[.]67

Network signature

As a result of researching the format of the complete generated packet, Positive Technologies experts managed to develop rules for detecting this threat in network traffic. You can download the free redistributable rules from our repository at https://github.com/ptresearch/AttackDetection/tree/master/APT31

MITRE

ID Name Description

Resource Development

T1587.001 Malware APT31 develops malware and malware components that can be used during targeting
T1587.002 Develop Capabilities: Code Signing Certificates APT31 uses code signing to sign their malware and tools

Initial Access

T1566 Phishing APT31 sends phishing messages to gain access to victim systems

Execution

T1204.002 User Execution: Malicious File APT31 relies upon a user open a malicious file to get it executed
T1059.003 Command and Scripting Interpreter: Windows Command Shell APT31 uses the Windows command shell for command execution
T1106 Native API APT31 directly interacts with the native OS application programming interface (API) to execute behaviors

Persistence

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder APT31 achieves persistence by adding a program to a Registry run key
T1574 Hijack Execution Flow: DLL Search Order Hijacking APT31 executes their own malicious payloads by hijacking the way operating systems run programs

Defense Evasion

T1036 Masquerading APT31 manipulates features of their artifacts to make them appear legitimate to users
T1140 Deobfuscate/Decode Files or Information APT31 uses mechanisms to decode or deobfuscate information
T1027 Obfuscated Files or Information APT31 uses encryption to make it difficult to detect or analyze an executable file
T1112 Modify Registry APT31 team uses the Windows registry for persistence

Discovery

T1082 System Information Discovery APT31 obtains detailed information about the operating system

Collection

T1005 Data from Local System APT31 uses backdoor functionality to exfiltrate any file on the infected machine

Command and Control

T1001 Data Obfuscation APT31 obfuscates command and control traffic to make it more difficult to detect
T1521 Standard Cryptographic Protocol APT31 uses data hiding in C&C with RC4
T1043 Commonly Used Port APT31 uses ports 80 and 443 for communication
T1071.001 Application Layer Protocol: Web Protocols APT31 uses HTTP and HTTPS protocols to communicate with control servers

Exfiltration

T1020 Automated Exfiltration APT31 uses automatic exfiltration of stolen files
T1041 Exfiltration Over C2 Channel APT31 uses C&C channel to exfiltrate data
Share this article:

Get in touch

Fill in the form and our specialists
will contact you shortly