APT34 Returns with New TTPs And Delivers Malicious Files

0

Threat researchers at Fortinet Labs have spotted a novel attack attributed to the Iranian hacking group known as APT34 group or Oilrig, who targeted a Jordanian diplomat with custom-crafted tools. Like many of these attacks, the email contained a malicious attachment. However, the attached threat was not a garden-variety malware. Instead, it had the capabilities and techniques usually associated with advanced persistent threats.

Spearphishing Email

This spearphishing attack targeted a Jordanian diplomat, with the sender pretending to be a colleague from the IT department of the same governmental organization.

The email carried a malicious Excel attachment that contained VBA macro code that executes to create three files, a malicious executable, a configuration file, and a signed and clean DLL.

Another unusual finding concerns two anti-analysis mechanisms implemented in the macro: the toggling of sheet visibility in the spreadsheet and the other a check for the existence of a mouse, which may not be present on malware analysis sandbox services.

Malicious Excel File

In most attacks involving Excel, no hidden sheets are used. And in those cases where hidden sheets are used, the hidden sheet typically holds the malicious code. In this attack, however, the visibility of two sheets is quickly switched as soon as the workbook is opened.

One possible reason for this may be an anti-emulation technique. Emulators (such as the freely available ViperMonkey) may or may not support all Excel functionality, such as the hiding of sheets.

The astute observer may have also noticed line 25 in the previous image. Line 25 calls a function that contacts the C2 server.

Unlike most malicious macros, this one uses WMI (Windows Management Instrumentation) to ping the C2 server instead of a more commonly used tool, such as PowerShell or CMD.

Furthermore, this function is called multiple times during macro execution. It basically works as a state monitor to keep track of what’s happening during the attack. The tMsg variable changed during different stages of the attack, allowing the attackers to view their network logs to see the state of their macro.

The rds variable is a random four-digit number, with the same four digits used consistently throughout the macrostate check-in process.

C2Macro State
qwzbabz[four-digits].joexpediagroup[.]comMacro start
qwzbbbz[four-digits].joexpediagroup[.]comConnected successfully to task scheduler
qwzbaez[four-digits].joexpediagroup[.]comSuccessfully created malicious PE file
qwzbbez[four-digits].joexpediagroup[.]comSuccessfully created XML config file
qwzbcez[four-digits].joexpediagroup[.]comSuccessfully created signed Microsoft PE file
qwzbdez[four-digits].joexpediagroup[.]comDouble-check malicious PE file was created
qwzbeez[four-digits].joexpediagroup[.]comSuccessful manual execution of malicious PE file
qwzafzz[four-digits].joexpediagroup[.]comBegin task scheduler configuration for persistence
qwzbbfz[four-digits].joexpediagroup[.]comSuccessfully created scheduled task

As alluded to in the table above, the macro has the capability to create three files. A malicious PE file was created as %LocalAppData%\MicrosoftUpdate\update.exe. A configuration file was created as %LocalAppData%\MicrosoftUpdate\update.exe.config. And the third file, %LocalAppData%\MicrosoftUpdate\Microsoft.Exchange.WebServices.dll, was signed and clean.

While the malware authors decided to store these three files inside the Excel file, they again chose to do so in a way that is not commonly seen.

Three user forms are stored inside the Excel file. Each user form has a label, and each label has a caption. As seen in the image above, the caption contains base64 encoded data. Form1 contains the malicious update.exe file. Form2 contains the configuration file. And Form3 contains the clean Microsoft file.

The malware authors also used the Excel macro to create a persistence method for their update.exe file. They accomplished this by setting a scheduled task. 

The task is named MicrosoftUpdate and repeated every 4 hours. The macro also uses deprecated IdleSettings properties, such as Duration (which starts the task only if the computer has been idle for ten minutes) and WaitTimeout (which determines how long to wait for an idle condition). This task was set to allow 20 days to complete. Taking into account the date of the email and assuming the task ran immediately, the task would run until at least May 16, 2022.

In addition to the visibility switch technique described earlier, a second technique was also seen in this macro to possibly avoid automated analysis. This macro does this by checking for the existence of a mouse. If a mouse is not connected, the macro does not create any of the three files.

There are a couple of instances where a mouse would not be attached to a computer. First, a mouse is not necessarily needed if the computer is controlled remotely. The only mouse needed would be installed on the controlling computer. And second, a mouse is not needed if an analysis machine is simply processing and emulating Office files. A script can be created to automatically perform all the actions necessary without a mouse.

Dropped Files

As explained earlier, this malicious Excel macro includes the ability to create three files. In this section, we will look at them individually, starting with the two benign files.

A signed file was embedded inside the Excel file and dropped to the following location: %LocalAppData%\MicrosoftUpdate\Microsoft.Exchange.WebServices.dll. Another innocuous file was dropped as %LocalAppData%\MicrosoftUpdate\update.exe.config. Its contents are to be used as configuration data. Here are the contents after decoding:

The third file is the actual malware. It was created in the same location as the two previously dropped files, as %LocalAppData%\MicrosoftUpdate\update.exe. It was a .NET binary and contained the main payload.

The malicious executable is a .NET binary that checks program states and puts itself to sleep for eight hours after launching. The analysts believe the hackers probably set this delay on the assumption that the diplomat would open the email in the morning and leave after eight hours so that the computer would be unattended.

When active, the malware communicates with C2 subdomains using a domain generation algorithm (DGA) tool. DGA is a widely-used technique that makes malware operations more resilient to domain takedowns and block-listing.

It then sets up a DNS tunnel to communicate with the provided IP address. This is a rarely seen technique that helps threat actors encrypt the data exchanged in the context of this communication, making it hard for network monitors to catch anything suspicious.

Some of the domains used in the campaign are suspiciously named, obviously attempting to masquerade as well-known and trusted entities like AstraZeneca, HSBC, and Cisco.

Next, the C2 sends twenty-two different backdoor commands to the malware, which are executed through PowerShell or the Windows CMD interpreter.

Finally, the exfiltration of stolen data is done via DNS, with the data embedded into the request, making it appear standard in network logs.

Indicator of Attack:

CommandInterpreterPayload
1PSGet-NetIPAddress -AddressFamily IPv4 | Select-Object IPAddress
2PSGet-NetNeighbor -AddressFamily IPv4 | Select-Object “IPADDress”
3CMDwhoami
4PS[System.Environment]::OSVersion.VersionString
5CMDnet user
7PSGet-ChildItem -Path “C:\Program Files” | Select-Object Name
8PSGet-ChildItem -Path ‘C:\Program Files (x86)’ | Select-Object Name
9PSGet-ChildItem -Path ‘C:’ | Select-Object Name
10CMDhostname
11PSGet-NetTCPConnection | Where-Object {$_.State -eq “Established”} | Select-Object “LocalAddress”, “LocalPort”, “RemoteAddress”, “RemotePort”
12PS$(ping -n 1 10.65.4.50 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.4.51 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.65.65 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.53.53 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.21.200 | findstr /i ttl) -eq $null
13PSnslookup ise-posture.mofagov.gover.local | findstr /i Address;nslookup webmail.gov.jo | findstr /i Address
14PS$(ping -n 1 10.10.21.201 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.19.201 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.19.202 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.24.200 | findstr /i ttl) -eq $null
15PS$(ping -n 1 10.10.10.4 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.50.10 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.22.50 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.45.19 | findstr /i ttl) -eq $null
16PS$(ping -n 1 10.65.51.11 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.6.1 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.52.200 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.6.3 | findstr /i ttl) -eq $null
17PS$(ping -n 1 10.65.45.18 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.28.41 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.36.13 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.51.10 | findstr /i ttl) -eq $null
18PS$(ping -n 1 10.10.22.42 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.23.200 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.45.19 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.19.50 | findstr /i ttl) -eq $null
19PS$(ping -n 1 10.65.45.3 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.4.52 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.31.155 | findstr /i ttl) -eq $null;$(ping -n 1 ise-posture.mofagov.gover.local | findstr /i ttl) -eq $null
20PSGet-NetIPConfiguration | Foreach IPv4DefaultGateway | Select-Object NextHop
21PSGet-DnsClientServerAddress -AddressFamily IPv4 | Select-Object SERVERAddresses
22CMDsysteminfo | findstr /i \”Domain\”

Indicator of Compromise

Files

IndicatorSHA256
Confirmation Receive Document.xls82A0F2B93C5BCCF3EF920BAE425DD768371248CDA9948D5A8E70F3C34E9F7CCA
Microsoft.Exchange.WebServices.dll7EBBEB2A25DA1B09A98E1A373C78486ED2C5A7F2A16EEC63E576C99EFE0C7A49
update.exe.configC744DA99FE19917E09CD1ECC48B563F9525DAD3916E1902F61B79BDA35298D87
update.exeE0872958B8D3824089E5E1CFAB03D9D98D22B9BCB294463818D721380075A52D

Other

IndicatorValue
Mutex726a06ad-475b-4bc6-8466-f08960595f1e
C2 domainjoexpediagroup[.]com
C2 domainasiaworldremit[.]com
C2 domainuber-asia[.]com

Mitre TTPs

Initial Access
T1566.001Spearphishing
Execution 
T1059.001PowerShell
T1059.003Windows Command Shell
T1053.005Scheduled Task
T1204.002Malicious File
T1047Windows Management Instrumentation
Persistence
T1053.005Scheduled Task
Defense Evasion
T1480Execution Guardrails
Discovery
T1087.001Local Account
T1083File and Directory Discovery
T1049System Network Connections Discovery
Command and Control
T1071.004DNS
T1132.002Non-Standard Encoding
T1568.002Domain Generation Algorithms
Exfiltration
T1041Exfiltration Over C2 Channel

APT34 has been previously linked to the Iranian government and is a capable threat actor that operates in the shadows, not leaving any traces behind.

As such, Fortinet’s report is valuable for researchers and defenders alike, who should take note of the published indicators of compromise.

Source/Credits: https://www.fortinet.com/blog/threat-research/please-confirm-you-received-our-apt

https://www.bleepingcomputer.com/news/security/iranian-hackers-exposed-in-a-highly-targeted-espionage-campaign/

Previous articleSysmon Event ID 13 to Detect Malicious Password-Protected File unlock and Registry Changes
Next articleDetecting and Preventing F5 Big-IP Critical Vulnerability – CVE-2022-1388
BalaGanesh
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.

LEAVE A REPLY

Please enter your comment!
Please enter your name here