Analysis of Attack Activities Using Cloud Note Platforms to Deliver Remote Access Trojans

The original report is in Chinese, and this version is an AI-translated edition.

1.Overview

Recently, Antiy CERT detected an attack activity that used a cloud note platform to deliver a remote access Trojan. The attacker hosted the remote access Trojan-related payload files on a cloud note platform, evaded security product detection on the traffic side with the help of a trusted site, and continued to update the files therein.

This attack began in 2022. The attacker dropped bait files disguised as applications on download sites, or used phishing emails to send bait files disguised as documents to lure users to download and execute them. After the bait files are executed, the “DDR” (Dead Drop Resolvers ) technology is used to download the attack payload from a cloud note platform, and the executable program is used to load the malicious DLL file, obtain the Shellcode and decrypt it to obtain the final remote access Trojan , thereby achieving remote access of the user’s device.

Through correlation analysis, it was determined that the remote access Trojan ultimately delivered by the attacker using the bait file was a modified variant based on the Gh0st remote control Trojan family. This remote access Trojan has a variety of customized malicious functions such as persistence, information theft, download and execution, and file management, which can remotely control the victim’s device and has strong concealment. The code of the Gh0st remote access Trojan has been made public, so the attacker can customize the malicious functions according to needs and quickly update the malicious code. Antiy CERT published “Analysis of Attacks Involving the Deployment of Remote Access Trojans Through a Fake Chinese Version of the Telegram Website” on October 24, 2022 [1] , which introduced another attack activity that delivered this remote access Trojan variant.

It has been verified that Antiy Intelligent Endpoint Protection System (IEP) can effectively detect and kill the remote access Trojan.

2.ATT&CK Mapping Diagram Corresponding to the Incident

Regarding the complete process of the attacker launching the remote access Trojan, Antiy sorted out the ATT&CK mapping diagram corresponding to this attack incident as shown in the figure below.

Figure 2‑1 Mapping of technical characteristics to ATT&CK

The following table lists the techniques used by the attackers.

ATT&CK Phase/CategorySpecific BehaviorNotes
Resource developmentGet infrastructureGet the C2 server
Environmental preparationHost malicious payloads on cloud platforms
ExecuteInduce users to executeInduce users to execute
PersistenceBoot or log in with autostartAchieve automatic startup
Create or modify system processesCreate a Service
Defense evasionDeobfuscate/decode files or informationDecode payload information
Hidden behaviorHidden behavior
CounterfeitImpersonate other programs
Modify the registryModify the registry
Obfuscate files or informationObfuscate payload information
DiscoverDiscover application windowDiscovery application window
Discover files and directoriesDiscover files and directories
Discover processDiscover process
Query the registryQuery the registry
Discover softwareDiscover software
Discover system network configurationDiscover system network configuration
Discover system network connectionsGet system network connection
Discover system servicesDiscover system services
Find system timeFind system time
CollectCompress/encrypt collected dataEncrypt of collected data
Automatic collectionAutomatic collection
Collect local system dataCollect local system data
Data temporary storageTemporarily save keystrokes to a file
Command and ControlEncode dataEncode data
Use encrypted channelsEncrypt traffic
Use standard non-application layer protocolsUse TCP protocol
Data exfiltrationAutomatic exfiltration of dataAutomatically send online data packets
Use C2 channel for return transmissionUse C2 channel for return transmission
InfluenceCorrupt dataDelete specified data
Manipulate dataManipulate data
Tamper with visible contentTamper with visible content
System shutdown/restartSystem shutdown/restart

3.Protective Recommendations

In order to effectively defend against such attacks and improve security protection, Antiy recommends that enterprises take the following protective measures:

3.1 Enhance Host Security Protection Capabilities

  1. Install terminal protection system: Install anti-virus software. It is recommended to install Antiy Intelligent Endpoint Protection System;
  2. Strengthen password strength: Avoid using weak passwords. It is recommended to use a password of 16 characters or longer, including a combination of uppercase and lowercase letters, numbers, and symbols. Avoid using the same password on multiple servers.
  3. Deploy intrusion detection system (IDS): Deploy traffic monitoring software or equipment to facilitate the discovery and tracking of malicious code. Antiy Persistent Threat Detection System (PTD) uses network traffic as the detection and analysis object, and can accurately detect a large number of known malicious codes and network attack activities, and effectively discover suspicious network behaviors, assets and various unknown threats.

3.2 Website Propagation Protection

  1. It is recommended to use genuine software downloaded from the official website. If there is no official website, it is recommended to download from a trusted source and scan with anti-virus software after downloading;
  2. It is recommended to use a sandbox environment to execute suspicious files, and then use the host to execute them when safety is ensured. Antiy PTA uses a combination of deep static analysis and sandbox dynamic loading and execution to effectively detect, analyze and identify various known and unknown threats.

3.3 Initiate an Emergency Response Promptly When Attacked

Contact the emergency response team: If you are attacked by malware, it is recommended to isolate the attacked host in time and protect the site while waiting for security engineers to check the computer; Antiy 7*24 hours service hotline: 400-840-9234.

It has been verified that Antiy Intelligent Endpoint Protection System (IEP) can effectively detect and kill the remote access Trojan.

Figure 3 ‑1 Antiy IEP achieves effective protection for user systems

4.Attack Process

4.1 Attack Flowchart

The attacker drops bait files disguised as applications to download sites, or uses phishing emails to send bait files disguised as documents to lure users to download and execute them. After the bait file is executed, the “DDR” (Dead Drop Resolvers) technology is used to download a compressed package file containing the attack payload from a cloud note platform, which is automatically started at boot time, creates an explorer.exe process to run the specified executable program through a shortcut, and then performs a self-deletion operation. After the executable program runs, it loads the first-stage DLL file, obtains the Shellcode and decrypts it to obtain the final remote access Trojan. The attacker can use the remote access Trojan to persist the victim host, obtain system information, remotely control, download and execute other programs, and other operations.

Figure 4 ‑1 Attack flow chart

4.2 Detailed Analysis of the Attack Process

4.2.1 Propagation Phase

Attackers drop bait files disguised as applications on download sites, or use phishing emails to send bait files disguised as documents to lure users to download and execute them.

Table 4‑1 Some bait files

CategoryProgram Name
Fake appsCiscoWebExStart.exe
PuTTY.exe
suetup.exe ( bundles the malicious program with the Telegram installer)
Air Aviation Management System.exe
Click here to install Simplified Chinese 1515444n.exe
Executable programs disguised as documentsMarch salary commission details_ 7979.exe
Latest company notices_9524.exe
Mining tutorial BTC ETH CHIA3.exe
Issue settlement report x.exe
The latest important list of fugitives in China i.exe

4.2.2 Malicious Payload Download Phase

The attacker used the “DDR” (Dead Drop Resolvers ) technology to host the malicious payload in the form of a compressed file on the cloud note platform, using trusted sites to evade detection by security products on the traffic side and continuously update the content.

Figure 4 ‑2 Host the malicious payload in a compressed package on the cloud note platform

4.2.3 Remote Access Trojan Execution Stage

The attacker hosted multiple compressed files containing malicious payloads on the cloud note platform. The core of the attack is to use the executable program in the malicious payload to load the first-stage DLL file, obtain the Shellcode in info.txt, and finally deliver a modified variant based on the Gh0st remote access Trojan family. In the following “Sample Analysis” section, one of the malicious payloads will be used as an example to introduce it.

Figure 4 ‑3 Malicious payload

5.Sample Analysis

5.1 Sample Label

Table 5 ‑1 Sample labels

Virus nameTrojan/Win32.Downloader
Original file nameVBGood Browser 1.8.exe
MD5472262D56604F589EE85278FAA43C814
Processor architectureIntel 386 or later, and compatibles
File size296.00 KB (303,104 bytes )
File formatBinExecute/Microsoft.EXE[:X86]
Timestamp2023-02-28 18:16:39
Digital signatureNone
Shell typeNone
Compiled languageMicrosoft Visual Basic (6.0)
V T first upload time2023-03-03 17:30:09
VT test results37/70

5.2 Detailed Analysis

After the bait file is run, it obtains the malicious compressed package file hosted by the attacker from a cloud note platform and downloads it to the “C:/Users/Public” folder.

Figure 5 ‑1 Obtain the malicious compressed file

The malicious payload in the compressed file is decompressed to the folder “C:\Users\Public\Documents\Arice\<random 6 numbers and English letters> “.

Figure 5 ‑2 The malicious payload is decompressed to the specified path

After decompression, a shortcut is created in the “% AppData %\<random 5 numbers and English letters> ” folder and moved to the startup folder for persistence. The shortcut is used to execute the executable program in the malicious payload.

Figure 5 ‑3 Use shortcuts to achieve persistence

Modify the relevant registry entries and turn off the UAC prompt.

Figure 5 ‑4 Turn off UAC

Create an Internet shortcut in the “C:\Users\Public\Music\<random 6 numbers and English letters> ” folder and create an explorer.exe process execution shortcut to run the next stage of the malicious payload.

Figure 5 ‑5 Create an Internet shortcut

Finally, the decoy file performs a self-deletion operation and deletes the specified related files.

Figure 5 ‑6 Delete related files

5.2.1 Load the First Stage DLL File

There are 3 files in the folder “C:\Users\Public\Documents\Arice\< random 6 numbers and English letters> “: The executable program is renamed to 6 random numbers and English letters. After running, it loads the first-stage libglib-2.0-0.dll file, reads the Shellcode in the info.txt file, and finally executes the second-stage DLL file in the memory.

Figure 5 ‑7 Attack components

The executable program uses the TLS callback function to start a thread and call the export function in the libglib-2.0-0.dll file.

Figure 5 ‑8 Load libglib-2.0-0.dll file

Read the contents of the info.txt file and get the Shellcode.

Figure 5 ‑9 Get Shellcode

Decrypt the second-stage DLL file and call the export function in it.

Figure 5 ‑10 Load the second stage DLL file

5.2.2 Second Stage DLL File

The second stage DLL file is a variant based on the Gh0st remote access Trojan, which can achieve persistence by adding related registry entries or creating services.

Figure 5 ‑11 Achieve persistence

This DLL file is able to download and run other programs.

Figure 5 ‑12 Download and run other programs

Try to connect to the C2 address. After the connection is successful, create a thread to receive the data returned by the server.

Figure 5 ‑13 Connect to C2 address and receive return data

When receiving data returned by the server, subtract 49 from the data byte by byte, and then perform XOR with 0xFC to decrypt the received data.

Figure 5 ‑14 Decrypt received data

This Gh0st remote access Trojan variant collects basic system information such as the operating system version and CPU, and attempts to obtain information such as the QQ number logged in to the current system, related processes of anti-virus products, and whether the current process is in the analysis environment, in order to construct an online package.

Figure 5 ‑15 Collect information to construct an online package

After constructing the online packet, the online packet data is encrypted. The encryption algorithm is opposite to the algorithm for decrypting the received data: the sent data is first XORed with 0xFC byte by byte, and then added with 49. Finally, the encrypted online packet is obtained and sent to the C2 server.

Figure 5 ‑16 Encrypt online packet data

6.Summarize

The attacker drops bait files disguised as applications on download sites, or uses phishing emails to send bait files disguised as documents to lure users to download and execute them. The attacker uses the “DDR” (Dead Drop Resolvers) technology to host malicious payloads on cloud note platforms, and uses trusted sites to evade security products’ detection on the traffic side, and ultimately delivers remote access Trojans to remotely control the victim’s host and execute a variety of malicious functions.

The Gh0st RAT has been made public, so there are still attackers who customize and develop malicious functions based on the open source code and use fake websites, counterfeit programs, phishing emails,etc. to spread Gh0st RAT variants. Antiy CERT published “Analysis of Attacks Involving the Deployment of Remote Access Trojans Through a Fake Chinese Version of the Telegram Website” on October 24 , 2022 [1] , which introduced another attack activity that delivered this RAT variant.

We recommend that users download genuine software from official websites and do not easily open files in chat groups, forums, or emails that have not been security-checked. To prevent the impact of this attack from expanding, Antiy CERT will continue to follow up and pay attention.

7.IoCs

IoCs
472262D56604F589EE85278FAA43C814
9406935AAF579B54C49D6EDC8EE41BCA
B4D53B8479DE2E227400203E35CC762A
114AA65CE6A2EDC916DC211EED9320E3
0D40B8EF98E5DFDD6E29A629740327A3
1764813E8B969DF163D675A042A7DFCD
6CB6CAEFFC9A8A27B91835FDAD750F90
DC5CFAA8F29824B4D92B3C0ADE1813AC
C98F06B0F69566F60126C8FFB41EC872
D578B8B44D7D413721A6EA0D7CE2BBCB
A1D5DEC080C558948387F534FAA69DC9
50C7E9537ECD1A78E2A2B8A8F3426E37
https[:]//note.**.com/**/index.html?id=3865a47559efe2bcbe0fedf89106d323&type=notebook&_time=1677420095103
164.88.197.3

Appendix 1: References

[1] Analysis of Attacks Involving the Deployment of Remote Access Trojans Through a Fake Chinese Version of the Telegram Website

https://www.antiy.cn/research/notice&report/research_report/20221024.html

Appendix 2: About Antiy

Antiy is committed to enhancing the network security defense capabilities of its customers and effectively responding to security threats. Through more than 20 years of independent research and development, Antiy has developed technological leadership in areas such as threat detection engines, advanced threat countermeasures, and large-scale threat automation analysis.

Antiy has developed IEP (Intelligent Endpoint Protection System) security product family for PC, server and other system environments, as well as UWP (Unified Workload Protect) security products for cloud hosts, container and other system environments, providing system security capabilities including endpoint antivirus, endpoint protection (EPP), endpoint detection and response (EDR), and Cloud Workload Protection Platform (CWPP) , etc. Antiy has established a closed-loop product system of threat countermeasures based on its threat intelligence and threat detection capabilities, achieving perception, retardation, blocking and presentation of the advanced threats through products such as the Persistent Threat Detection System (PTD), Persistent Threat Analysis System (PTA), Attack Capture System (ACS), and TDS. For web and business security scenarios, Antiy has launched the PTF Next-generation Web Application and API Protection System (WAAP) and SCS Code Security Detection System to help customers shift their security capabilities to the left in the DevOps process. At the same time, it has developed four major kinds of security service: network attack and defense logic deduction, in-depth threat hunting, security threat inspection, and regular security operations. Through the Threat Confrontation Operation Platform (XDR), multiple security products and services are integrated to effectively support the upgrade of comprehensive threat confrontation capabilities.

Antiy provides comprehensive security solutions for clients with high security requirements, including network and information authorities, military forces, ministries, confidential industries, and critical information infrastructure. Antiy has participated in the security work of major national political and social events since 2005 and has won honors such as the Outstanding Contribution Award and Advanced Security Group. Since 2015, Antiy’s products and services have provided security support for major spaceflight missions including manned spaceflight, lunar exploration, and space station docking, as well as significant missions such as the maiden flight of large aircraft, escort of main force ships, and Antarctic scientific research. We have received several thank-you letters from relevant departments.

Antiy is a core enabler of the global fundamental security supply chain. Nearly a hundred of the world’s leading security and IT enterprises have chosen Antiy as their partner of detection capability. At present, Antiy’s threat detection engine provides security detection capabilities for over 1.3 million network devices and over 3 billion smart terminal devices worldwide, which has become a “national-level” engine. As of now, Antiy has filed 1,877 patents in the field of cybersecurity and obtained 936 patents. It has been awarded the title of National Intellectual Property Advantage Enterprise and the 17th (2015) China Patent Excellence Award.

Antiy is an important enterprise node in China emergency response system and has provided early warning and comprehensive emergency response in major security threats and virus outbreaks such as “Code Red”, “Dvldr”, “Heartbleed”, “Bash Shellcode” and “WannaCry”. Antiy conducts continuous monitoring and in-depth analysis against dozens of advanced cyberspce threat actors (APT groups) such as “Equation”, “White Elephant”, “Lotus” and “Greenspot” and their attack actions, assisting customers to form effective protection when the enemy situation is accurately predicted.