Monday, November 9, 2020

Quick Analysis of Well Traveled Threat Actor Targeting Asia Region

Published: 2020 Nov 09

In late October, the Twitter account of RedDrip Team, @RedDrip7, shared information on a malicious document utilizing template injection. This attack mirrored previously seen attacks loosely attributed to Confucius, a.k.a. Dropping Elephant, a.k.a. Chinastrats, a.k.a. Patchwork (pick one).

Digging deeper into the hash provided, I was able to find an additional malicious document that shared infrastructure with the initial doc. The actor behind this phishing campaign is using tensions in the South China Sea, as well as prospective applicants to Pakistan's space agency (SUPARCO), to target potential victims.

It can be assumed that the malicious documents were delivered via email with an enticing message. Details of the malware and attack flow are listed below.

Initial Access

Both documents make use of template injection to load a file from a remote server, in addition to the well-known EQNEDT32.exe exploit, to install what appears to be the final payload, AveMaria. The document focusing on South China Sea tensions will be discussed first.

When "Testing.docx" (SHA256: a3cd781b14d75de94e5263ce37a572cdf5fe5013ec85ff8daeee3783ff95b073) is opened, it displays the image in Figure 1, indicating Word is attempting to load a template.

Figure 1: Microsoft Word loading template

As this spear phishing message does not make use of macros, there is no "Enable Content" button for the user to click. Unbeknownst to the user, their computer is likely infected with the popular stealer, Ave_Maria. 

There isn't a lot of flash to the document, only an image and what appears to be an article. Figure 2 displays the document as the user would be viewing it.

Figure 2: Testing.docx spear phishing message

It's currently unknown whether the target of this message was a think tank or some other foreign-policy-focused group. It goes without saying that a large number of entities would be interested in the above article title. Using the article title and author identified, the original source was fairly easy to locate. Figure 3 displays the original article, copied and pasted from an international affairs publication.

Figure 3: Website that inspired Testing.docx

Since .docx files are little more than zip files, we can easily find the remote server. Figure 4 displays the settings.xml.rels file and the URL used to download the remote file. 

Figure 4: Embedded OLE object used for template injection

**Apologies if you can't see the URL in Figure 4. The document loads a template from:

http://recent.wordupate[.]com/ver/update12/KB466432

Exploitation

The file loaded above in Figure 4 is indeed an RTF file (SHA256: 686847b331ace1b93b48528ba50507cbf0f9b59aef5b5f539a7d6f2246135424) exploiting CVE-2017-11882.

The RTF file loads an embedded DLL file (SHA256: 1c41a03c65108e0d965b250dc9b3388a267909df9f36c3fefffbd26d512a2126), titled "muka.dll", written to %TEMP%. PDB path:

C:\Users\admin\Documents\dll\linknew\Release\linknew.pdb

The DLL file is executed and contacts: 

http://wordupdate[.]com/recent/update 

Additionally, a LNK file is written to the startup directory to maintain persistence. Finally, the Ave_Maria payload, "new.exe" (SHA256: 9297a1cbcba9c2c1d90755d21ca060fc91679a32a3d8e25d183c2f5afc37cc1b) is dropped to C:\intel.

Figure 5: VirusTotal results for new.exe

At the time of this post, the final payload unsuccessfully attempts to contact the following URL:

https://dc.services[.]visualstudio.com/v2/track

Suparco Vacancy Notification.docx Analysis

Figure 6: "Suparco Vacancy Notification.docx"

The second document displayed above in Figure 6 follows the same flow to gain access, persist and drop a final payload of Ave_Maria. 

SUPARCO is the Pakistan Space & Upper Atmosphere Research Commission. As in the previous sample, the application form is available as a Word document from the SUPARCO website and was likely copied and pasted into the malicious message.

One difference from the first sample is that the Ave_Maria PE uses PowerShell to modify Defender settings to exclude the C:\ directory. The command used is:

powershell Add-MpPreference -ExclusionPath C:\

Three copies of the Ave_Maria stealer are dropped in this sample, each calling back to a different command and control server.

For a detailed overview of a similar attack workflow, please see the following blog from Cofense:

https://cofense.com/exploiting-unpatched-vulnerability-ave_maria-malware-not-full-grace/


Network/Infrastructure

With a number of file and network indicators identified, we can start to dig deeper and search for additional domains, hashes, malicious documents, etc. 

Figure 7: Maltego visualization for recent.wordupdate[.]com

Figure 8: Maltego visualization for dc.services[.]visualstudio.com

Figure 9: Maltego visualization of IP address 23.82[.]140.14

The results of the visualizations in Figures 7 and 8 provide us with quite a few more hashes that can be used to pivot and locate additional malware connected to these domains.  

With new information to investigate, our focus could move to VirusTotal to look up the hashes, or to your favorite malware sandbox for dynamic analysis of the samples.

The final Ave_Maria payload calls back to IP address 172.217.23.131, or google.de. It is unknown at this time if Google was used as a callback for testing reasons or some other reason.

One interesting find from looking at the above domains came from the WhoIs records for wordupdate[.]com. In the registration details, a ProtonMail account was used to register the domain.

This by itself is not malicious or noteworthy, but may be a soft indicator to keep an eye out for. Figure 10 displays the WhoIs information for the domain used for the template injection portion of the attack in both documents.

Figure 10: RiskIQ WhoIs information for wordupdate[.]com domain

Conclusion

The pace at which this threat actor is targeting separate geographic regions displays diverse collection requirements, in addition to a capable, if not overly sophisticated, group. The malware callbacks to a Google domain certainly raise more questions than answers; however, the theme of the messages can't be forgotten. These documents and this spear phishing campaign are highly relevant to the organizations and individuals in the group's crosshairs.

While the purpose of this post was not to point a finger in attribution, the indicators below should serve defenders well who may not have patched older vulnerabilities, or who are under the assumption that an APT would be too "1337" to utilize Ave_Maria malware.

File/Endpoint Indicators

Filename: Testing.docx
SHA1: 0128cc716adf8387563c146dd6be501824d1d527
File Location: N/A
Info: Malicious docx file exploiting EQNEDT32.EXE and dropping Ave_Maria malware

Filename: KB466432[1].rtf
SHA1: 78d1f25c0bbdd58be218532b5af95c4af218b271
File Location: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\
Info: Malicious RTF file that downloads and drops multiple files

Filename: muka.dll
SHA1: bc874ccd8760f4de56cd767987977d70f3bdf759
File Location: C:\Users\admin\AppData\Local\Temp\
Info: Malicious DLL dropped with Ave_Maria payload

Filename: new.lnk
SHA1: 75ab4a11abbc5b13301e6690a72c30b2f9e0ab77
File Location: C:\Users\admin\AppData\Microsoft\Windows\Start Menu\Programs\Startup\
Info: LNK file dropped into the Startup directory for persistence. When the system is rebooted, new.exe will be executed

Filename: new.exe
SHA1: 3982555e3e3af98e286641639ecc246bd080df9b
File Location: C:\intel
Info: Ave_Maria payload

Filename: Suparco Vacancy Notification.docx
SHA1: 6b0d33cdca77154ce11a5647e2ffdcc77b210ff7
File Location: N/A
Info: Malicious docx file exploiting EQNEDT32.EXE and dropping Ave_Maria malware

Filename: new.exe
SHA1: c9e3282a1fed8c44e6930097d195103d63b29916
File Location: C:\intel
Info: Ave_Maria payload

Filename: windll.exe
SHA1: c9e3282a1fed8c44e6930097d195103d63b29916
File Location: C:\Users\admin\AppData\Roaming\
Info: Ave_Maria payload


Network Indicators

Hostname: recent.wordupate.com
IP Address: 46.17.175.27:80
Notes: Domain used for loading the malicious RTF in both documents

Hostname: wordupdate.com
IP Address: 104.27.184.80:80, 104.27.185.80:80, 172.67.142.252:80
Notes: Domain used for hosting malicious documents including Ave_Maria

Hostname: N/A
IP Address: 23.82.140.14:433
Notes: Command and control server used for Ave_Maria payload. Connection unsuccessful

Hostname: dc.services.visualstudio.com
IP Address: N/A
Notes: Command and control server used for Ave_Maria malware. Connection unsuccessful
