Contents

Introduction

During threat research in March 2020¹, PT Expert Security Center specialists found a previously unknown backdoor and named it xDll, based on the original name found in the code. As a result of a configuration flaw of the malware's command and control (C2) server, some server directories were externally accessible. The following new samples were found on the server:

• ShadowPad
• A previously unknown Python backdoor
• Utility for progressing the attack
• Encrypted xDII backdoor

ShadowPad is used by Winnti (APT41, BARIUM, AXIOM), a group that has been active since at least 2012. This state-sponsored group originates from China². The key interests of the group are espionage and financial gain. Their core toolkit consists of malware of their own making. Winnti uses complex attack methods, including supply chain and watering hole attacks. The group knows exactly who their victims are. They develop attacks very carefully and deploy their primary tools only after detailed reconnaissance of the infected system. The group attacks countries all over the world: Russia, the United States, Japan, South Korea, Germany, Mongolia, Belarus, India, and Brazil. The group tends to attack the following industries:

• Gaming
• Software development
• Aerospace
• Energy
• Pharmaceuticals
• Finance
• Telecom
• Construction
• Education

The first attack with ShadowPad was recorded in 2017³. This backdoor has been often used in supply chain attacks such as the CCleaner⁴ and ASUS⁵ hacks. ESET released its most recent report about Winnti activities involving ShadowPad in January 2020⁶. We didn't find any connection with the current infrastructure. However, during research we found that the new ShadowPad infrastructure had commonalities with infrastructures of other groups, which may mean that Winnti was involved in other attacks with previously unknown organizers and perpetrators.

This report contains a detailed analysis of the new network infrastructure related to ShadowPad, new samples of malware from the Winnti group, and also analysis of ties to other attacks possibly associated with the group.

Network infrastructure

Detecting ShadowPad

Initially, when the xDll backdoor was analyzed (see Section 2.2), it could not be clearly tied to any APT group. The sample had a very interesting C2 server, www.g00gle_jp.dynamic-dns[.]net, which potentially could indicate attacks against Japan. When we studied the network infrastructure and searched for similar samples, we found several domains with similar names.

The domain names give reason to suspect that attacks also target South Korea, Mongolia, Russia, and the United States. When we studied the infrastructure further, we found several simple downloaders unfamiliar to us (see Section 2.1). They contact related C2 servers, and in the response should receive a XORencrypted payload with key 0x37. The downloader we found was named SkinnyD (Skinny Downloader) for its small size and bare-bones functionality. The URL structure and some lines in SkinnyD make it very similar to the xDll backdoor.

At first, we could not obtain the payload for SkinnyD, because all C2 servers were inactive. But after a while, we found new samples of the xDII backdoor. When we analyzed one of the samples, we found some public directories on its С2 server. The file called x.jpg is an xDll backdoor encrypted with XOR with key 0x37. This suggests that xDll is a payload for SkinnyD.

The most interesting thing on the server is the contents of the "cache" directory.

It contains data about the victims and the malware downloaded to infected computers. The name of the victim file contains an MD5 hash of the MAC address for the infected computer sent by xDll; the file contents include the time of the last connection to the C2 server. Based on the changes in the second part of the name of the malware file, server time might seem to be indicated in nanoseconds. But that cannot be true, since that would take us back all the way to March 1990. Ultimately, we don't know why this time period was selected.

In the malware files, we found ShadowPad, a previously unknown Python backdoor, and utilities for progressing the attack. Detailed analysis of the malware and utilities is provided in Section 2.

At certain intervals, the attackers request information from infected computers via the xDII backdoor. This information is saved to the file list.gif.

We should note that in the xDII samples we have, the Domain field contains the name of the domain where the infected computer is located. However, in the log that field for almost all computers contains the SID of the user whose name was used to launch xDII. That may be an error in the code of a certain xDII version, because this value does not provide any useful information to the attackers.

Going deeper into the network infrastructure, we found that many servers have the same chain of SSL certificates with the following parameters:

• Root: C=CN, ST=myprovince, L=mycity, O=myorganization, OU=mygroup, CN=myCA, SHA1=0a71519f5549b21510 410cdf4a85701489676ddb
• Base: C=CN, ST=myprovince, L=mycity, O=myorganization, OU=mygroup, CN=myServer, SHA1=2d2d79c478e92a7 de25e661ff1a68de0833b9d9b

We have encountered this certificate in several publications about ShadowPad attacks.

The first one is an investigation of the 2017 attack on CCleaner. Avast has provided details⁷ regarding the attack. A screenshot, included there, shows the same certificate.

The second is a talk by FireEye researchers at Code Blue 2019 about cyberattacks against Japanese targets⁸. In one of the attacks, the researchers found the use of POISONPLUG (the name for ShadowPad used by FireEye). Analysis of the infrastructure revealed the same certificate on ShadowPad C2 servers.

Searching for servers with this certificate helped us not only detect new ShadowPad samples and C2 servers, but also find connections to other attacks previously not attributed to Winnti (see Section 1.2).

As a result, we found over 150 IP addresses with this certificate, or addresses where it had been installed previously. Of these, 24 addresses were active at the time of writing of this article. There were also 147 domains related to those addresses. For the domains, we found Winnti malware.

During our research, the group's domains relocated from one IP address to another many times, which is indicative of active attack operations.

However, the motive for using the same SSL certificate on almost all ShadowPad C2 servers was not clear. This may be the result of having the same system image installed on the C2 servers, or else simple overconfidence.

We saw the same thing with certificates when researching the activity of the TaskMasters⁹ group. At some point, the attackers started installing self-signed certificates with identical metadata on their servers, which ultimately helped us in finding their infrastructure.

The following figure shows distribution of detected IP addresses by location:

About half of the group's servers are located in Hong Kong. The IP addresses are distributed between 45 unique providers. More than half of the servers are concentrated on the IP addresses of six providers, five of which are in Asia (Hong Kong, China, and South Korea).

1.2. Links to other groups

1.2.1. TA459

In 2017, Proofpoint issued a report about attacks against targets in Russia and Belarus using ZeroT and PlugX.¹⁰ The report mentions the domain yandax[.]net, which was indirectly related to the infrastructure used in that attack. The domain was on the same IP address as one of the PlugX servers. WHOIS data of that domain looks as follows:

In the past few years, the email address dophfg@yahoo[.]com has been used to register several more domains.

In our study of ShadowPad infrastructure, we came across active servers linked to two domains from the group: www.ertufg[.]com and www.ncdle[.]net. Those servers also had the SSL certificate typical of ShadowPad. In addition, we found ShadowPad samples connecting to those domains. One of the samples had a rather old compilation date, July 2017. However, this time is probably not accurate, because the C2 server for it was registered in August 2018. It can also disguise itself as a Bluetooth Stack component for Windows by Toshiba named TosBtKbd.dll.

Here we can make another inference. The domain yandax[.]net initially had a different email address in its WHOIS data: fjknge@yahoo[.]com. The same address was also used to register one of the NetTraveler C2 servers, namely, riaru[.]net. That domain was used for attacks targeting the CIS and Europe. These attacks have been described by Proofpoint researchers.¹¹ It is also possible that the infrastructure was used by some other group to disguise its activities. However, the scope, targeted countries, and industries all overlap with those of the Winnti group. The connections are indirect and individual in nature, but still provide reason to believe that all these attacks were carried out by the same group.

1.2.2. Bisonal

On one of the IP addresses on ShadowPad infrastructure, we found domains used in Bisonal RAT attacks in 2015–2020.

In addition, we found a Bisonal sample with a direct relationship to the new ShadowPad infrastructure.

We came across a presentation¹² made at JSAC 2020 by Hajime Takai, a Japanese researcher with NTT Security. The researcher details an attack on Japanese systems, in which the chain included xDII for downloading Bisonal to the infected computer.

Takai links the attack to the Bitter Biscuit campaign described by Unit 42.¹³ Bisonal was used in that attack, too. The attack tools found by Takai are almost completely identical to the ones we found on the ShadowPad server. Even some hash sums are identical (see Section 2).

Researchers believe¹⁴ that the Bisonal attacks were performed by Tonto Team. The group concentrates its efforts on three countries: Russia, South Korea, and Japan. Its targets include governmental entities, militaries, finance, and industry. All these fall within the area of interests of the Winnti group. And with the new details about Bisonal used together with xDII, plus overlapping network infrastructures, it stands to reason that the Winnti group is behind the Bisonal attacks.

1.3. Victims

According to the server data, more than 50 computers had been infected. We could not establish the exact location and industry for every infected computer. However, if we match the time of the latest connection of the infected computer to the server and the time we received the file with this timestamp, we can make a map of the timezones.

Most countries located in the timezones marked on the map are within the area of interest of Winnti.

We were able to identify some of the compromised organizations, including:

• A university in the U.S.
• An audit firm in the Netherlands
• Two construction companies (one in Russia, the other in China)
• Five software developers (one in Germany, four in Russia)

All victims, both identified and unidentified, were notified by the national CERTs

We have no details about those attacks. However, since ShadowPad was used in supply chain attacks via software developers, and knowing that at least two software developers have been compromised, we are dealing with either a new distribution attempt or an attack that is already in progress.

1.4. Activity

Activity on the server (such as collection of information from the victims and appearance of new utilities) usually took place outside of the business hours in the victims' timezones. For some, it was evening; for others, early morning. This tactic is typical of Winnti. The group did the same when they compromised CCleaner, as Avast reported.

2. Analysis of malware and tools

Judging by the data we collected, the delivery process in the current campaign looks as follows:

The compilation time of the malware samples we found corresponds to business hours in UTC+8 timezone (where China and Hong Kong are located).

2.1. Analyzing SkinnyD

SkinnyD (Skinny Downloader) is a simple downloader: it contains several C2 addresses and goes through them one by one.

The next stage is downloaded with a GET request to the С2 server via a special URL address generated according to a format string hard-coded in the malware code.

The malware checks the data received from the C2 as follows:

• The data size must be more than 0x2800 bytes.
• The data must begin with the bytes "4D 5A" (MZ).

The downloaded binary file is decrypted with XOR and loaded with PE reflective loading. After the binary file loads, control transfers to the exported symbol MyCode.

The malware gains persistence via the key Environment\UserInitMprLogonScript.¹⁵

In the SkinnyD samples we studied, we found an interesting artifact linking it to xDII. This was the string "3853ed273b89687". Since the string is not used by the downloader, perhaps it's a builder artifact.

2.2. Analyzing xDII

2.2.1. Dropper

The dropper is an executable file written in C and compiled in Microsoft Visual Studio. Its compilation date (February 11, 2020, 9:54:40 AM) looks plausible.

It contains a payload in the form of the xDII backdoor in the data section.

The dropper extracts 59,392 bytes of data and attempts to write this to one of two paths:

• %windir%\Device.exe
• %windir%\system32\browseui.dll

Next, it copies itself to the directory %windir%\DeviceServe.exe and creates a service named VService, thereby ensuring auto-launch as a service.

When the service runs, it creates a separate thread for running the payload.

We should note that there is no option to launch a different payload variant in the form of a DLL library (browseui.dll).

2.2.2. xDll backdoor

The backdoor is a file written in C++ and compiled in Microsoft Visual Studio using the MFC library. It also has a plausible compilation date of February 10, 2020, 6:14:37 PM.

It creates a separate thread in which all actions take place.

It starts by scouting the system and collects the following information:

• Computer name
• IP address
• OEM code page
• MAC address (used later on to calculate the MD5 hash sum for C2 interactions



• OS version



• The preset identifier "sssss" (probably characteristic of this particular version of the backdoor)
• Whether the user is an admin



• Whether it is in a virtual environment



• Domain and username



• CPU



• RAM



• System language

Next, the backdoor decrypts C2 server addresses. In this case, there are two, but they are identical: www.oseupdate.dns-dns[.]com. The backdoor body contains a third address (127.0.0.1), which is replaced with the decrypted one.

When the C2 server address is obtained, a GET request will be sent, with its format as follows: hxxp://{host}:{port}/{uri}?type=1&hash={md5}&time={current_time}. Request parameters are:

• host (C2 address)
• port (port 80)
• uri (string "news.php")
• md5 (hash sum of the MAC address, which is probably the victim's identifier)
• current_time (current system time)

Here's how it all looks:

Note that the request uses a preset value for the HTTP User-Agent header:

The expected server response is the character "1". If that response is received, a POST request is sent with basic system information in JSON format:

• Hash sum of the MAC address
• Computer name
• IP address
• OS version
• Domain name
• Preset identifier "sssss"
• OEM code page

Example request:

We should note that the JSON format used is incorrect. In addition, the value of the In_IP field is missing. Perhaps it was expected that both the internal and external IP addresses would be determined. But logic for determining the external address was not yet implemented in this variant of xDII. Another tell-tale detail is the value ("post_info") of the Referer HTTP header. In addition, a different value is selected for the User-Agent HTTP header:

Next comes the loop for processing C2 commands. For that purpose, the backdoor sends a GET request in a format matching the one described earlier. The only difference is that "type" parameter value is now "2" instead of "1":

The expected server response is a lowercase Latin letter (from a to z). The following table shows commands and the corresponding actions:

Successful execution of some commands requires additional data. For instance, downloading a file from the server (the "e" command) requires indicating the file name. In this case, the server provides that name after a comma. For instance, "e,dangerous_file.txt".

This is what a request and the response look like:

Next, the file is requested and its content is returned:

Then a report indicating successful download is sent.

Notice again the idiosyncratic value of the "Referer: upfile" field, the type of transmitted data (image/ pjpeg), and the name of the transmitted file: {md5}.gif (using the hash sum of the MAC address).

When the command for collecting the directory listing (the "d" command) is processed, the delineator is not a comma. Instead, the path to the catalog is expected to start from the second character, for instance: "d|C:\Users".

The data is transmitted in JSON format, and this time the format is correct.

The following example shows sending information obtained from system analysis (the "o" command).

The data is submitted in JSON format again, but with fewer keys.

The JSON string templates are specified in the backdoor; the string itself is formed by concatenation, without using any special libraries.

However, in some cases, when a brief report is sufficient, the information may be transmitted in plaintext.

2.3. ShadowPad

As mentioned, we found some public directories on one of the xDll servers, and one of those directories contained ShadowPad. We found no significant differences from earlier versions, therefore the following is only a brief analysis of the new version.

2.3.1. ShadowPad loader and obfuscation

The first stage is decryption of the shell code responsible for installing the backdoor on the system. The shellcode is decrypted with an XOR-like algorithm, which modifies the encryption key at each iteration with arithmetic operations with certain constants.

After decryption, control transfers to the loader, which features a characteristic type of obfuscation.

We already saw this type of obfuscation in previous versions of ShadowPad. Certain bytes are inserted in various sections of the code pre-marked with two opposite conditional jumps pointing to the same address. To do away with this obfuscation, the indicated bytes must be replaced (with the "nop" opcode, for instance).

After the addresses of the API functions are received and the required code is placed in memory, control passes to the backdoor installation stage.

2.3.2. ShadowPad modules

Like the previous versions, this backdoor has a modular architecture. By default, the backdoor includes the following modules:

The identifiers of these modules remain unchanged from version to version; they, too, are installed and run in a separate thread via the registry. Module compilation times can be found in the auxiliary header that comes before the shellcode.

A typical feature of any copy of ShadowPad is encryption of the strings in each module. The encryption algorithm is similar to the one used for backdoor decryption. The only difference is in the constants used for key modification.

The method of calling some API functions in ShadowPad modules is somewhat interesting. Some copies of the malware calculate the function address for each time a function is called, as shown in Figure 47. In addition, addresses of the functions to be called can be obtained via a special structure. Loading addresses for libraries are obtained based on the values of the structure members, to which the offsets of the required API functions are then added.

For persistence, the backdoor copies itself to C:\ProgramData\ALGS\ under the name Algs.exe and creates a service with the same name.

The malware proceeds to launch a new svchost.exe process, which it injects with its own code and then gives control.

2.3.3. ShadowPad configuration

In all samples of the backdoor, the configuration is encrypted. The Config module is responsible for operations with it.

Configuration is a sequence of encrypted strings, in which each string follows the previous one without any zero padding or alignment. The configuration is encrypted by the same algorithm as the strings.

2.3.4. Network protocol

The format of the packets used in all ShadowPad versions has remained unchanged.¹⁶ For the packets sent to the server, the packet body and the packet header are generated separately. After they are concatenated (without any padding), the packet is covered with an encryption algorithm with logic close to that of the algorithms used for decrypting the main module and the strings inside the backdoor. Figure 53 shows the algorithm.

The structure of encrypted packets received from the C2 server is fairly simple (as illustrated by the Init packet).

2.4. Python backdoor

This backdoor we found on the server was in py2exe format. The backdoor is written in Python 2.7 and contains configuration variables in the beginning.

Three commands can be executed remotely:

• CMDCMD: execute via cmd.exe
• UPFILECMD: upload the file to the server
• DOWNFILECMD: download the file from the server

The ONLINECMD command is executed by the backdoor right after launch. This is a command for collecting system information and sending it to the server.

The backdoor has a function for gaining persistence via the registry:

After gaining persistence and collecting system information, the malware packs the data and uploads it to the C2 server. Interaction with the server is via TCP sockets:

Certain values are added in before the data is sent; then the data is compressed with ZLIB and encoded in Base64.

In the code in Figure 55:

• Flag is the value initialized when the backdoor starts.



• Key is the value from configuration changes.
• Cmd is an executed config command.
• Data is the collected data.
• After the data is prepared, its length and the delimiter indicated in the config are added to the beginning, and then the data is sent to the server.

After the initial system data is sent, the backdoor goes into a loop as it awaits a command from the server.

2.5. Utilities

Among our finds on the server were utilities for lateral movement. Most of those are open-source ones available on GitHub. They were initially written in Python but converted to PE. The server had the following utilities:

• Utilities¹⁷ to check for and exploit vulnerability MS17-010
• LaZagne¹⁸ for gathering passwords
• get_lsass¹⁹ for dumping passwords on x64 systems
• NBTScan
• DomainInfo for collecting domain information

The hackers tweaked the functionality of the MS17-010 utility by adding the ability to check an entire subnet.

Network scanning is performed out of sequence, which may throw defenders off the scent. In addition, the scan will skip addresses with 1 and 2 in the final octets, because such addresses very rarely belong to user computers.

Another utility of note on the server collects information about the domain of the target computer. The information includes the following:

• Computer name
• Names of computer users, divided into groups
• Domain name
• Name of the current user's group
• Names of the groups on the domain
• Names of users in each group

All this information is collected in a legitimate way via the API functions of library Netapi32.dll and saved to the utility directory in XML format.

Interestingly enough, the utility was compiled in 2014 with Microsoft Visual Studio 2005 and has the PDB "e:\Visual Studio 2005\Projects\DomainInfo\Release\Domain05.pdb".

Conclusion

We have analyzed the infrastructure of the Winnti group and conclude that it has been active since early 2019. Currently this infrastructure is growing, which means Winnti is active. According to our information, the group has already compromised over 50 computers, and some of those may serve as a staging ground for subsequent, more serious attacks. The group has added new malware to its arsenal, such as SkinnyD, xDll, and a Python backdoor. We found important connections between the current Winnti infrastructure and other large attacks in which the group may have been directly involved.

The observed spike in the group's activity may be related to the coronavirus pandemic. Many companies have switched employees to working from home and, as shown by our data, 80 percent of employees use their personal computers for work. The result is that many employees are currently not protected by corporate security tools and security policies. This makes them an easy target.

Network indicators

SkinnyD

80.245.105.102

xDll

www.yandex2unitedstated.dns05.com

www.oseupdate.dns-dns.com

www.yandex2unitedstated.dynamic-dns.net

g00gle_jp.dynamic-dns.net

hotmail.pop-corps.com

www.yandex2unitedstated.dynamic-dns.net

ShadowPad

www.ncdle.net

www.ertufg.com

info.kavlabonline.com

ttareyice.jkub.com

unaecry.zzux.com

filename.onedumb.com

www.yandex2unitedstated.dns04.com

www.trendupdate.dns05.com

Bisonal

www.g00gleru.wikaba.com

Python backdoor

daum.pop-corps.com

Related domains

MITRE

 

1. twitter.com/Vishnyak0v/status/1239908264831311872
2. securelist.com/winnti-more-than-just-a-game/37029/
3. securelist.com/shadowpad-in-corporate-networks/81432/
4. blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer
5. securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/
6. welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
7. blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer
8. slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-olegbondarenko
9. ptsecurity.com/ww-en/analytics/operation-taskmasters-2019/
10. proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx
11. proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests
12. jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_3_takai_jp.pdf
13. unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/
14. blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html
15. attack.mitre.org/techniques/T1037/
16. media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf
17. github.com/worawit/MS17-010/blob/master/checker.py
18. github.com/AlessandroZ/LaZagne
19. github.com/3gstudent/Homework-of-C-Language/blob/master/sekurlsa-wdigest.cpp