Analysis of Samples Used in a Quasi-APT Attack Targeting Chinese Organizations

1. Background

Antiy recently discovered a quasi-APT attack targeting Chinese organizations. In this attack the attackers used shellcode generated by the Cobalt Strike automated attack testing platform, communicating in Beacon mode, to remotely control the target host. On the target host the attack manifested as follows: no malicious code files on disk, a network heartbeat packet sent every 60 seconds, and data carried in the HTTP Cookie field. These behaviors can, to some extent, evade detection by host security software and firewalls. Given the connection between this attack and the Cobalt Strike platform, we have provisionally named it APT-TOCS (TOCS stands for Threat on Cobalt Strike).
The core steps of APT-TOCS are: a script loads shellcode by using the command line to call powershell.exe, which loads encrypted data into memory for execution. The decrypted data is executable shellcode generated by Cobalt Strike (an automated attack testing platform). Antiy's analysis team correlated the shellcode-loading script with a PE program that might be used as a pre-executable file for the script in similar attacks. However, since the script can be executed in various ways and does not necessarily depend on the pre-executable PE program, and since it is a standard attack script generated by Cobalt Strike, the association between this PE file and the attack in this case could not be confirmed. This script + shellcode memory-injection method involves no disk write operations, communicates in Beacon mode, and supports communication with multiple Beacons simultaneously. The attack can be carried out without a carrier file, relying instead on network deployment capabilities and lateral movement within the intranet for on-demand deployment, which greatly complicates forensics. Moreover, some current sandbox detection products are ineffective against this attack.
Although APT-TOCS appears close to the level of an APT attack, its sophistication rests less on the attack team's own capabilities than on a commercial automated attack testing platform.

2. Event Sample Analysis

2.1 Prerequisite Files and Sample Loading

APT-TOCS uses "powershell.exe" to execute shellcode scripts to remotely control target systems. Antiy analysts believe the attackers possess multiple remote injection techniques that can obtain the privileges needed to load the script, such as exploiting security flaws or vulnerabilities to execute scripts directly on the host. Furthermore, through correlation analysis, the following binary attack preamble file (hereinafter referred to as Sample A) was discovered and has been used in similar attacks:

Virus Name: Trojan/Win32.MSShell
Original Filename: ab.exe
MD5: 44BCF2DD262F12222ADEAB6F59B2975B
Processor Architecture: X86
File Size: 72.0 KB (73,802 bytes)
File Format: BinExecute/Microsoft.EXE[:X86]
Timestamp: 2009-05-10 07:02:12
Digital Signature: NO
Packing Type: Unknown
Compiled Language: Microsoft Visual C++

The script embedded in this PE sample has the same functional code as the shellcode script obtained by Antiy, but the encrypted data differs. This PE sample was first uploaded to VirusTotal on May 2, 2015.

Figure 1. Encrypted Data Embedded in a PE File and Loaded Using powershell.exe


This PE sample uses WinExec to run embedded malicious code:

Figure 2. Use the WinExec Function to Call powershell.exe and Load Encrypted Data

This suggests that this "preamble file" can serve as a precursor to similar attacks. By leveraging system and application vulnerabilities, script execution and ultimate control can still be achieved without relying on such files. At present it cannot be determined whether this precursor sample is related to this APT incident.

2.2 Key Mechanisms

The core of the APT-TOCS remote control attack is an encrypted data script (hereinafter referred to as Sample B) loaded by PowerShell. The figure below shows the derivation relationships between the modules of the script and the main functions of each module:

Figure 3. Derivation Relationships Between Modules and Their Primary Functions

2.3 APT-TOCS Main Sample (Sample B) Analysis

The contents of Sample B (base64 content has been omitted) are as follows:

Figure 4. Contents of Sample B

This part of the script base64-decodes the embedded content, decompresses it with Gzip to obtain module 1, and then loads and executes it using PowerShell.

2.4 Script 1 Analysis

The content of script 1 (the base64 content has been omitted) is as follows:

Figure 5. Content of Script 1


This section base64-decodes the embedded data to obtain module 1, writes it into the powershell.exe process, and then calls and executes it.
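The layering described for Sample B (base64 plus Gzip) and Script 1 (base64 only) can be peeled mechanically during triage. The following is an added example, not code from the report or from Antiy: it builds a constructed stand-in chain with the same layering, unwraps it stage by stage, and labels each recovered stage, treating an "MZ" prefix without a PE signature as shellcode rather than a PE file, as the report notes for Module 3. The wrapper layout and the stand-in payload are assumptions.

```python
import base64
import gzip
import re

# Constructed stand-in for the innermost stage (Module 1); not the incident's shellcode.
MODULE1 = b"MODULE1 stand-in: in the real sample this is the Beacon stager"

def build_constructed_sample():
    """Wrap the stand-in as the page describes: Script 1 carries Module 1 as plain
    base64; Sample B carries Script 1 as gzip + base64 (layout assumed here)."""
    script1 = ("$m=[Convert]::FromBase64String('%s');"
               "<# write $m into powershell.exe and call it #>"
               % base64.b64encode(MODULE1).decode())
    inner = base64.b64encode(gzip.compress(script1.encode())).decode()
    return ("IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
            "New-Object IO.MemoryStream(,[Convert]::FromBase64String('%s')),"
            "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()" % inner)

B64_ARG = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

def peel_stage(text):
    """Return the next stage carried by a PowerShell wrapper, or None. Base64 is decoded
    first; gzip magic (1F 8B) marks the Sample B layer and is inflated."""
    m = B64_ARG.search(text)
    if not m:
        return None
    blob = base64.b64decode(m.group(1))
    return gzip.decompress(blob) if blob[:2] == b"\x1f\x8b" else blob

def classify_blob(blob):
    """Label a stage. 'MZ' alone does not make a PE (Module 3 starts with MZ yet is
    shellcode), so the PE signature at e_lfanew is required as well."""
    if blob[:2] == b"MZ":
        if len(blob) >= 0x40:
            e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
            if blob[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "pe"
        return "mz-prefixed shellcode"
    return "powershell wrapper" if b"FromBase64String" in blob else "unknown"

def unwrap_all(text):
    """Peel wrappers until a stage carries no further base64 argument; [(label, bytes)]."""
    stages = []
    while True:
        nxt = peel_stage(text)
        if nxt is None:
            return stages
        stages.append((classify_blob(nxt), nxt))
        try:
            text = nxt.decode("ascii")  # only a text stage can wrap a further stage
        except UnicodeDecodeError:
            return stages
```

On a real sample the last recovered stage is the shellcode blob, which is then handed to disassembly rather than decoded further.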

2.5 Module 1 Analysis

The main function of this module is to call functions of the wininet module to connect to the network, download module 2, and load it into memory for execution.

Figure 6. HTTP GET Request

The image above shows an HTTP GET request used to retrieve a file: http://███████████████████████████████

2.6 Module 2 Analysis

Module 2 creates and suspends the system process rundll32.exe:

Figure 7. Create Suspended System Process rundll32.exe.

It then writes the data that constitutes Module 3 into the suspended process:

Figure 8. Write Data to Module 3

Although the data in Module 3 starts with “MZ”, it is not a PE file, but shellcode with backdoor functionality.

Figure 9. Shellcode Starting with MZ (4D 5A)

2.7 Module 3 Analysis

This module connects to two addresses on port 80:

█████████████████ (Romania) 

█████████████████ (Romania)

It sends request data and receives response data.

Figure 10. Sending Request Data

The aforementioned IP addresses, domain name, and access address are decoded with "XOR 0x69". Judging from the strings in this module and the system functions it calls, this module is a backdoor. It actively sends GET requests to a specified address, uses the Cookie field to carry heartbeat packets, and the interval is 60 seconds. The heartbeat data includes a checksum, process ID, system version, IP address, computer name, username, and whether the process is 64-bit. This data is encrypted with RSA and then Base64-encoded.

Figure 11. Raw Heartbeat Data

Because the process ID and checksum differ, the heartbeat packet data transmitted each time is different. The checksum is calculated from the process ID and the number of milliseconds elapsed since system boot. The algorithm is as follows:

Figure 12. Checksum Algorithm

The encrypted heartbeat packet is transmitted using the Cookie field:

Figure 13. Data Packet Content
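The heartbeat described above defeats content matching because every packet differs (process ID and checksum), but its carrier and cadence do not change: a GET with a Cookie-borne payload every 60 seconds. The following detection logic is an added example, not code from the report or from Antiy; it runs over constructed proxy log lines, and the log format, client and host addresses, and the period/jitter thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not from the incident): time, client, method, host, path, cookie length.
# The first client shows the pattern described above: a GET with a Cookie every ~60 s.
LOG = """\
2015-05-02T10:00:00 10.1.1.5 GET 203.0.113.10 /pixel.gif cookie=184
2015-05-02T10:01:00 10.1.1.5 GET 203.0.113.10 /pixel.gif cookie=188
2015-05-02T10:02:01 10.1.1.5 GET 203.0.113.10 /pixel.gif cookie=184
2015-05-02T10:03:00 10.1.1.5 GET 203.0.113.10 /pixel.gif cookie=186
2015-05-02T10:04:00 10.1.1.5 GET 203.0.113.10 /pixel.gif cookie=184
2015-05-02T10:00:10 10.1.1.7 GET 198.51.100.20 /index.html cookie=40
2015-05-02T10:00:45 10.1.1.7 GET 198.51.100.20 /news cookie=40
2015-05-02T10:03:30 10.1.1.7 GET 198.51.100.20 /about cookie=0
2015-05-02T10:07:30 10.1.1.7 GET 198.51.100.20 /contact cookie=40
"""

def parse(log):
    """Turn the log text into (timestamp, client, method, host, cookie_len) tuples."""
    rows = []
    for line in log.splitlines():
        ts, src, method, host, _path, cookie = line.split()
        rows.append((datetime.fromisoformat(ts), src, method, host, int(cookie.split("=")[1])))
    return rows

def find_beacons(rows, period=60.0, tolerance=5.0, min_requests=4):
    """Flag (client, host) pairs whose GETs all carry a Cookie and recur at ~period seconds
    with little jitter. The payload itself is not inspected: it is RSA-encrypted and
    changes every time, so the carrier (Cookie) and the cadence are the signal."""
    by_pair = defaultdict(list)
    for ts, src, method, host, cookie_len in rows:
        if method == "GET":
            by_pair[(src, host)].append((ts, cookie_len))
    hits = []
    for (client, host), reqs in by_pair.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        if (all(c > 0 for _, c in reqs)
                and abs(mean(gaps) - period) <= tolerance
                and pstdev(gaps) <= tolerance):
            hits.append({"client": client, "host": host, "requests": len(reqs),
                         "mean_gap": round(mean(gaps), 1), "jitter": round(pstdev(gaps), 2)})
    return hits
```

Legitimate periodic traffic (monitoring agents, auto-refreshing pages) will also match on cadence alone, so the hit list is a triage queue to be checked against known-good hosts, not a verdict.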

3. Verification and Analysis of the Source of the Attack Techniques

The PE preamble file Sample A, which Antiy CERT analysts correlated with this incident, and Sample B use the exact same PowerShell method. However, given the high degree of standardization in the relevant scripts, it cannot be confirmed that Sample A is related to this attack. Based on a comprehensive analysis of other factors, we still believe this is a series of attacks. The attackers may have used social engineering emails, file bundling, system and application vulnerability exploitation, and lateral movement within the internal network to gain control of the target host.
While analyzing "Module 1", we discovered strings such as "Beacon". Based on past analytical experience, we suspected that this shellcode is closely related to the Cobalt Strike automated attack testing platform. The analysts therefore generated a Beacon with Cobalt Strike and compared it with the sample to verify the relationship between the two.
Cobalt Strike is a GUI-based penetration testing framework built on Metasploit (a penetration testing platform). The commercial version of Cobalt Strike integrates service scanning, automated exploitation, multi-mode port listening, various trojan generation methods (DLL trojans, memory trojans, Office macro viruses, Beacon communication trojans, etc.), phishing attacks, site cloning, target information acquisition, and automatic browser attacks.

3.1 Comparison of Module 1

We compared Module 1 with the payload generated using Beacon and found that there were only three differences: the header data sent during the GET request, the file name requested, and the IP address.

Figure 14. Comparison of Module 1

The left side shows sample module 1, and the right side shows the module generated by Beacon. From the comparison, we can conclude that module 1 is generated by Beacon.
A screenshot of the data packet during the request is shown below:

Figure 15. Module 1 Transmit Packet Data Comparison

3.2 Comparison of Module 2 Disassembly Instructions

Analysts compared module 2 of the sample with Beacon-related files and found that, apart from the functional code, the disassembly instructions were completely identical, including XOR decryption at the entry point, loading system DLLs, obtaining function addresses, and function call methods. Three examples are listed below:

Comparison items (disassembly screenshots of sample Module 2 and the Beacon-related files are not reproduced here):

·  XOR decryption at the entry point (using the x86/shikata_ga_nai variant)

·  Decrypted code at the entry point

·  Function call

3.3 Comparison and Analysis of Module 3 Data Packets

Below is a comparison of the GET requests of sample Module 3 and the module generated by Beacon. It can be seen that both use cookies to transmit information, and that the information is encrypted. A request is actively sent every 60 seconds, and the data is the check-in packet/heartbeat packet.

Figure 16. Module 3 Packet Data Comparison

3.4 Features of Cobalt Strike

Cobalt Strike can perform various operations on a target system, such as downloading files, uploading files, executing specified programs, injecting keyloggers, executing commands via PowerShell, importing PowerShell scripts, executing commands via CMD, and capturing system passwords using mimikatz.
Cobalt Strike has the following features:

·  Sandbox penetration

·  Evasion of whitelist mechanisms and cloud detection

·  Internal network penetration

·  Persistent attacks

·  Multi-platform attacks

4. Summary

The Cobalt Strike automated attack testing platform enables penetration of firewalls, and its control over target hosts is highly covert and difficult to detect. It also supports multiple platforms, such as Windows, Linux, and Mac, and is capable of countering trusted computing environments, cloud detection, and sandbox detection. Based on Antiy’s past tracking, this threat has existed for nearly five years, yet effective products and methods for detecting similar threats remain lacking.
The Antiy CERT analysis team classifies the APT-TOCS incident as a quasi-APT event because it exhibits characteristics of highly targeted APT attacks, along with strong stealth and multiple anti-detection techniques. However, unlike many APT incidents we are familiar with in the past, where the attackers possessed extremely high cost-bearing capacity and enormous capability reserves, the cost threshold for these incidents is not high. The malicious code in these incidents is not written and constructed by the attackers themselves. Commercial attack platforms eliminate the need for attackers to incur high costs in developing malicious code. These platforms also provide attackers with a large number of optional injection methods, offering supporting methods for loading and persisting malicious code. This approach reduces the cost of attacks, allowing countries and organizations lacking substantial funds and elite hackers to conduct quasi-APT-level attacks using services provided by existing commercial attack platforms. This highly “patterned” attack also makes the attack lack distinct genetic characteristics, making it more difficult to trace.
We must reiterate the view of information security pioneer Bruce Schneier: "Some major information security attacks are considered examples of cyber warfare. I think this is nonsense. I think the current and truly important trend is that more and more tactical behaviors from warfare are spreading into the broader cyberspace environment. This is very important. Technology can facilitate the spread of capabilities, especially computer technology, which can automate attack behaviors and capabilities". Clearly, highly automated commercial attack platforms have made this capability spread faster than we predicted.
We need to draw attention to the fact that, given the extremely low replication cost of cyberattack techniques, a serious risk of cyber arms proliferation already exists. While commercial penetration testing platforms have become a valuable tool for efficiently verifying system security, they can be a nightmare for countries, industries, and institutions lacking sufficient security budgets or the capacity to bear greater security costs. On this issue, on the one hand, more communication and consensus are needed from all parties; on the other hand, there is no doubt that the superpower, currently possessing top-tier capabilities on both offense and defense, should bear greater responsibility for effectively controlling the proliferation of such weapon-level attack methods.
Meanwhile, APT-TOCS, like many other incidents we have previously discovered, reflects the severe cybersecurity challenges faced by a country with 1.3 billion people undergoing large-scale information technology construction; it also testifies to the efforts made by Chinese users and security companies to address these challenges.

Appendix 1: References on Cobalt Strike and its Author

Cobalt Strike is the commercial version of Armitage. Armitage is a Java-based Metasploit graphical interface penetration testing software that can be used in conjunction with known Metasploit exploits to automate attacks against existing vulnerabilities. The free version of Armitage is integrated into BT5 and Kali Linux systems, with its most powerful feature being the addition of a Beacon payload.
Cobalt Strike was first released in June 2012.

Version: Description
Cobalt Strike 1.45 and earlier: Could connect to a local Windows Metasploit server; this was later discontinued, and a connection to a remote Linux Metasploit server became required.
Cobalt Strike 1.46: The system analyzer uses a fallback mechanism to check the Java-reported version information; fixes the key generation vulnerability.
Cobalt Strike 1.47: Alleviates the backlog of multiple Beacon messages; a comprehensive check is performed when a listener is activated.
Cobalt Strike 1.48: Beacon adds the timestomp command; bypassuac privileged file copying completes and waits 10 seconds.
Cobalt Strike 1.49: Fixed the Beacon HTTP Stager payload generator for Windows XP.
Cobalt Strike 2.0: Command-and-control malleability was enhanced, and the "veil" option was added to the payload generator.
Cobalt Strike 2.1: PowerShell commands launch a local PowerShell instance; the build.sh tool was updated.
Cobalt Strike 2.2: The reworked process injects into and connects to the VNC server on the target system; the new process is more easily ignored by host-based firewalls; the vulnerability report shows URL references from ZDI, MSB, US-CERT-VU, and WPVDB.
Cobalt Strike 2.3: The DNS stage of Beacon is encoded using a custom encoder; the runas and pwd commands were added to Beacon.
Cobalt Strike 2.4: Added timestamps to the View -> Web Log item; regenerated the default Beacon HTTPS certificate with different parameters; now generates customizable C2 HTTPS certificates with different parameters; updated the default toolkit for executables and DLLs.

Cobalt Strike author: Raphael Mudge (USA), founder of Strategic Cyber LLC, a Washington-based company that develops software for red teams. He created Armitage (a front end for Metasploit), the Sleep programming language, and the IRC client jIRCii. Previously a security researcher and penetration tester in the U.S. Air Force, he developed a grammar checker that he sold to Automattic. He has published numerous articles and regularly speaks on security topics. He has provided red team support for many cybersecurity competitions and participated in hacker conferences from 2012 to 2014.

Education: Syracuse University, Michigan Technological University;
Current Employment: Strategic Cyber LLC; Delaware Air National Guard;
Skills: Software development, information security, object-oriented design, distributed systems, graphical interfaces, computer network design, blog systems, social engineering, security research, etc.

Company/Project/Organization | Position | Time
Strategic Cyber LLC | Founder and leader | 2012.1-present
Cobalt Strike | Leader, traditional reserves | 2009-present
TDI | Project leader | 2011.11-2012.5
Automattic | Senior Security Engineer | 2010.8-2011.6
Feedback Army, After the Deadline | Code wrangler | 2009.7-2010.8
Cobalt Strike | Founder | 2008.7-2009.11
U.S. Air Force Research Laboratory | System Engineer | 2006.4-2008.3
U.S. Air Force | Communications and Information Officer | 2004.3-2008.3

Supporting Organizations:
College Cyber Defense Competition (CCDC)
North East CCDC 2008-2015
Mid Atlantic CCDC 2011-2015
Pacific Rim CCDC 2012, 2014
South East CCDC 2014
Western Regional CCDC 2013
National CCDC 2012-2014
Projects Developed:
Sleep Scripting Language (an extensible, general-purpose language using Perl, inspired by the Java platform). Sleep is open source and licensed under the LGPL.
jIRCii (a scriptable multi-user online chat client for Windows, macOS X, and Linux platforms, open source)
Published Works:
“Live-fire Security Testing with Armitage and Metasploit” (Linux Magazine);

“Get in through the backdoor: Post exploitation with Armitage” (Hakin9 Magazine);
“Tutorial: Hacking Linux with Armitage” (ethicalhacker.net);
“The Design of a Proofreading Software Service” (NAACL HLT2010 Conference on Linguistics and Writing in Computer Science);
 “Agent-based Traffic Generation” (Hakin9 Magazine).
Contributions:
cortana-scripts
metasploit-loader
malleable-c2-profiles
layer2-privoting-client
armitage
Projects:
Commercial Joint Ventures
After the Deadline
Feedback Army
Cobalt Strike
Open Source Software
Armitage
Far East
jIRCii
Moconti
One Hand Army Man
phPERL Same Game
Sleep
Information Reference Links:
https://plus.google.com/116899857642591292745/posts (google+)
https://github.com/rsmudge (GitHub)
https://www.youtube.com/channel/UCJU2r634VNPeCRug7Y7qdcw (youtube)
http://www.oldschoolirc.com/
https://twitter.com/rsmudge
http://www.hick.org/~raffi/index.html
http://www.blackhat.com/html/bh-us-12/speakers/Raphael-Mudge.html
http://www.linkedin.com/in/rsmudge