Zegost from Within – New Campaign Targeting Internal Interests

Adversary Playbook: The FortiGuard SE Team is releasing this new playbook on the threat actor group named Yet Another Panda as part of our role in the Cyber Threat Alliance. For more information regarding this series of adversary playbooks being created by CTA members, please visit the Cyber Threat Alliance Playbook Whitepaper.

The FortiGuard SE Group has come across a recent spearphishing email campaign containing the Zegost (also known as Zusy/Kris) info stealer malware. While this latest campaign is not necessarily interesting by any means, or new, the targeted victim is because it is a governmental entity in China that provides statistical collection efforts centering around the nation’s economy, population, and various other metrics that are collected for record keeping.

And interestingly, Zegost has been historically attributed to Chinese cybercriminals, a fact that has been documented in various worldwide global campaigns. While we do not have any insight as to why the attackers behind Zegost decided to focus their campaign on a Chinese government agency, based on past behavior, we can at the very least assume that it was to gather intelligence of some kind to support the information-stealing nature of the malware.

Overview

Zegost has been around since approximately 2011. Since that time there have been many iterations of Zegost, and the numerous updates to its functionality have been well documented. In addition, the threat actors behind Zegost have been known to be especially persistent and crafty, utilizing an arsenal of exploits to ensure they establish and maintain a connection to identified victims.

One example of this craftiness is found in their ability to leverage multiple exploits, most notably the leak of documented exploits used by The Hacking Team, an Italian for-profit offensive security company that provided tools for use by law enforcement and government agencies in 2015. Another example of the craftiness of the attackers behind Zegost is a novel attack technique used against Microsoft PowerPoint, where once an infected PowerPoint file is opened, a “Loading… Please wait” hypertext message appears. If a user hovers their mouse over those words it triggers an infection chain that delivers the Zegost malware payload through PowerShell.

Technical Details

In this latest attack, Zegost begins as a simple email with an attachment [4940ABAF3A3975900C64F9476606773513B91B02D7ED0ACCF879EC64002DDD71].

The email roughly translates to "Please download the web video plugin to watch." 

Data Collection

The main purpose of Zegost is to steal and exfiltrate information. Here is a list of its data collection processes and functions.

• It starts by identifying the targeted machine’s OS version number and the number and speed of processors.
• It then checks to see if any of the following processes are running and sends the list out to the C2 server:

360tray.exe, 360sd.exe, avp.exe, KvMonXP.exe, RavMonD.exe, Mcshield.exe, egui.exe, NOD32, kxetray.exe, avcenter.exe, ashDisp.exe, rtvscan.exe, ksafe.exe, QQPCRTP.exe, K7TSecurity.exe, QQ.exe, QQ, knsdtray.exe, TMBMSRV.exe, Miner.exe, AYAgent.exe, patray.exe, V3Svc.exe, QUHLPSVC.EXE, QUICK HEAL, mssecess.exe, S.exe, 1433.exe, DUB.exe, ServUDaemon.exe, BaiduSdSvc.exe, vmtoolsd.exe, usysdiag.exe

NOTE: The process ‘mssecess.exe’ may actually be a typo on the part of the malware developers, since Microsoft Security Essentials is spelled as ‘msseces.exe’ instead.

• Connection State – Zegost checks to see which of the following connections are running and then sends the list out to the C2 server:

INTERNET_CONNECTION_MODEM, INTERNET_CONNECTION_LAN, INTERNET_CONNECTION_PROXY, INTERNET_CONNECTION_MODEM_BUSY

• RDP port number – Zegost collects this information and then sends it out to the C2 server
• QQ login number – Zegost collects this information and then sends it out to the C2 server
• Keystroke Recorder: This variant records keystrokes, saves a log of them to %CSIDL_SYSTEM%MODIf.html in the following translated format, and then sends that information out to the C2 server:

[Title:] window title
[Time:] year-month-date hour:min:sec
[Content:] pressed keys including special keys like SHIFT, INSERT, F1-12 keys, etc.

NOTE: All of the information collected above is sent to the following C2 servers:

• hxxp://lu1164224557.oicp.net:45450
• hxxp://212951jh19.iok.la:9988

Detection Evasion

To help it stay under the radar, Zegost also includes functionality designed to clear the Application, Security, and System event logs. This type of cleanup is not seen in typical malware. It is only seen when the malware authors are being thorough and want to ensure they are not detected within the current campaign. What sets Zegost apart from many infostealers is that it can also launch processes instead of only passively listening and retrieving information.

Zegost provides the following stealth options.

The Zegost process can be launched with either a visible window or a hidden one. This type of functionality can also be applied to downloaded executables in a different code path.

For persistence, Zegost uses two methods instead of one, a redundant system not often seen in typical malware. One occurs by automatically launching a service, and the other occurs through the RUN key in the registry. To avoid any runtime conflicts, Zegost creates and checks a mutex in order to make sure only one copy of itself is running at any given time.

COM Programming

Of course, like other well-known and long-lived malware, Zegost has evolved over the course of several years. One of these updates includes the usage of COM programming. As with many of the other uncommon strategies it uses, COM usage in malware is also not typically seen.

As Zegost’s primary objective is to steal information, it is also able to spy on its intended targets, and one way to achieve this is by capturing video via a device’s webcam. 

As seen in the screenshot above, the DirectShow capture filter is being used to enumerate the infected machine for video capture devices. However, this sample also uses COM for another purpose. 

During the course of our analysis, we observed that COM was used to also obtain the wallpaper for reasons that were unclear at first. 

After more analysis, it was clear that the malware performs further checks to obtain hashes of a specific wallpaper and its directory, as well as the hash of an empty file. This variant then checks to see if the wallpaper points to C:Userstestpicturesmaldun_background.jpg and if it has an MD5 hash of [21949bd7e0eff44e6a34157f84969125]. After some research, this wallpaper appears to belong to a legitimate online sandbox called Maldun (https://www.maldun.com).

It also checks to see if the MD5 hash is [d41d8cd98f00b204e9800998ecf8427e] and whether this hash represents an empty string or file.

The JPG files listed in the image above are other wallpapers also checked by Zegost. Two of them belong to Threatbook (https://threatbook.cn), another online sandbox to run malware in. While these anti-sandbox techniques are not new to Zegost, they were not included in the earliest iterations of the threat.

System Checks

On the subject of Zegost checking the system, Zegost includes even more tricks.

It checks to see if the infected machine is connected to the Internet by trying to access the legitimate QQ website. The malware authors also remembered to check for the Sandboxie environment. Specifically, it looks for any processes named SandboxieRpcSs.exe, SandboxieDcomLaunch.exe, or AtoolClient.exe. 

Another interesting observation we found is that the threat simply looped and would not run until after the date of February 14, 2019. The significance of this date is currently unknown, other than it is Valentine’s Day, and the timing observed is curious. For example, samples found on VirusTotal appear to have been compiled one day before, on February 13^th, which is an interesting finding, but its significance is unknown.

As you can see, Zegost/Zusy/Kris has definitely picked up a significant amount of extra functionality since its original version was released almost a decade ago.

Tying it All Together

At the time of our discovery, as well as during our initial observation of this spearphishing campaign, we were curious to see if this was a one-off campaign. However, our analysis now confirms that this is an emergent campaign (Figure 7) that was in progress at the time we discovered it.

Historically, the Zegost hosting infrastructure has been primarily relegated to locations based in China. Our observations for this latest run, however, reveal that multiple subdomains that act as the command and control are based on Dynamic DNS domains (DDNS), and are coming from other locations beyond China, such as Singapore, Taiwan, and the United States. During the course of our investigation, we have now confirmed that older Zegost campaigns – as early on as 2013 – were associated with the same exact subdomain DNS domain combination.

Because of the way dynamic DNS works, it allows for websites hosted on a non-static IP address to auto-populate its current IP address to the Dynamic DNS tool, which is associated with a domain – which is usually a subdomain for a visitor’s machine to know what IP address to point to.

For example, today’s IP address might be:

attackingsubdomain.DDNSdomainservice.com
192.168.2.1

And in 48 hours (or less) it can change to:

attackingsubdomain.DDNSdomainservice.com
192.168.2.2

This will automatically update the records in the DDNS software to then update the DNS records for the domain at the root level.

By querying datasets, we have further observed that these attackers are using the same infrastructure (known webhosts and sub domain using dynamic DNS) as used in previous campaigns, along with new infrastructure, and sharing them as well (we observed two different domains sharing the same IP address). Below is a summary of our findings of this massive infrastructure attributed to Zegost and its attackers.

Global Connections

*.3322.org

During our investigation we came across multiple network IOC’s that called back to notable second-level domains that exhibited unique nomenclature, such as a combination of letters and numbers with obvious patterns (e.g. 3322.org/f3322.net), as well as various alphanumeric combinations that are literally nonsensical, but form a pattern to the trained eye. 

For example, our analysis observed various call backs to the second-level domain of 3322.org, which is a dynamic DNS domain hosted in China. During the course of our investigation, we observed renhuanxi.3322.org being the command and control for one of the Zegost payloads. However, the renhuanxi.3322.org subdomain resolves to an IP address hosted with an ISP in the United States [205.209.176[.]222] and in China [223.111.145[.]149] at the time of writing.

Although this doesn’t necessarily implicate the US-based ISP of any wrongdoing, the second level domain of 3322.org has a less than stellar past. It is also a well-known DDNS that was part of a massive sinkholing project performed by Microsoft in 2012 wherein thousands of subdomains were sinkholed to disrupt the Nitol DDoS botnet, which has also been attributed to China. During their investigation, Microsoft discovered a staggering 70,000 different subdomains originating from 3322.org, along with 500 samples of known malware strains. Further analysis from our end has also come across a previous Zegost campaign originating from this exact domain back in 2013 from renhuanxi.3322.org, [8213cc4c79d1d79399843f0054cce8bb27f916e381de7c0f465b3def807cc0d8].

*.OICP.net

Another in the game of DDNS whack-a-mole is the domain of OICP.net. OICP.net is yet another DDNS provider in China that also has been observed in the distribution of various malware campaigns via multiple subdomains. Malicious activity originating from the subdomains of this domain were observed as early as 2012, such as (but not limited to) malicious Android APKs, backdoors, RATs (mobile and desktop), and malicious phishing and malspam campaigns, to name a few.

It is interesting to note that the subdomain in this latest campaign [lu1164224557[.]oicp.net] was observed using a US-based hosting provider with the IP address of [174.128.255[.]245] and [174.128.255[.]254]. 

Interestingly, because we know that OICP.net (and any other DDNS domain name) can have hundreds and possibly thousands of subdomains along with IP addresses assigned at one time, we have documented a common nexus to the United States. The webhost in question for this specific IP address has hosted hundreds of the subdomains observed for this one specific IP address – and interestingly enough, various other IP addresses on this netblock as well. Over the course of several years, this IP address has been observed through the use of passive DNS to have hundreds of various subdomains assigned to it, including but not limited to domains known for the following activities:

Vicp.net (Naikon attacks in SE Asia)
Gicp.net (Henbox Android malware focused on SE Asia and Deep Panda/ShellCrew/Maudi/PoisonIvy)
Xicp.net (MacControl malware targeting Tibetan Mac users and other Tibetan related attacks as early as 2009)

Intent is difficult to assign however, because ISPs providing such hosting (at least within the United States) are not required to monitor and police their own networks for activity that may be against national and international law. However, since the IP addresses originating directly from this specific netblock are all attributed to this threat actor, and have been observed using these various malicious dynamic DNS domains over the course of several years, it is hard to believe that the webhost in question is unaware of – at the very least – some malicious activity emanating from its own network.

In addition, it was also observed that a Deep Panda operation utilized this same infrastructure and ISP for a campaign in 2015. We aren’t completely sure why this specific webhost is the preferred choice of attackers, along with hosting known malicious campaigns – including Zegost to this day, but this is clearly the case.

*.Heikc.com

Breaking the mold of the 4-character domain nomenclature, the subdomain j.heikc.com (150.109.120.238) (Singapore) has been observed being used in various malware attacks in the past, going as far back as 2013. However previous campaigns have been limited in numbers and are not as varied as other malicious campaigns. Historical analysis also reveals that this domain has been linked to previous Zegost campaigns, as early as 2015, with the subdomain of jj.heikc.com being the command and control for the malware. Based on historical data, however, it appears that this might not be a DDNS service, as there were only a few subdomains seen for this domain.

*.Iok.la/*.f3322.net

Iok.la is another DDNS service that originates out of China. To date, over 220 different subdomains have been observed originating from this domain, including recent malicious Android malware attacks and downloaders. Zegost has also been observed calling back to 212951jh19.iok.la, located at [116.255.212[.]174] (China).

miilk.f3322.net is listed here because it shares the same IP addresses [125.224.24[.]64] (Taiwan) with 212951jh19.iok.la, and is another DDNS provider that has also been seen being utilized in various malware campaigns, such as Sakula/ShellCrew attacks.

Conclusion

Although the subdomains of the dynamic DNS domains and IP addresses aren’t exactly the same, it is too coincidental – and indeed very suspicious – that the dynamic DNS domains are so similar based on the naming convention and nomenclature variations used, as well as the closeness of the related netblocks that are being used by the same threat actors, especially on such a massive scale. The netblocks using the same infrastructure have been observed in the past distribution of malicious Android APK’s, backdoors, DDoS botnets, and spearphishing emails, just to name a few.

Since this infrastructure has been used consistently by attackers for various operations over the course of several years, without any consequences, it appears that the removal of safe harbor protections afforded to ISPs through legislation may be the only drastic measure able to combat this game of whack-a-mole. Until then, we will continue to see rampant abuses taking place by threat actors for their campaigns and personal gain.

For further information regarding the samples used in our research, including indicators of compromise that have been analyzed and mapped according to the specifications of the MITRE ATT&CK framework, please refer to our latest playbook on Yet Another Panda here.

Mitigation

FortiClient customers running the latest definitions are protected against this latest Zegost campaign.

AV coverage is in place for all the samples mentioned in this report as:

W32/Kryptik.GHUE!tr
W32/Kryptik.FHSE!tr
W32/Farfli.AFJ

Also, all network IOC’s identified in this latest campaign have been blacklisted by the FortiGuard Web Filtering Client.

Learn more about FortiGuard Labs and the FortiGuard Security Services portfolio. Sign up for our weekly FortiGuard Threat Brief.

Know your vulnerabilities – get the facts about your network security. A Fortinet Cyber Threat Assessment can help you better understand: Security and Threat Prevention, User Productivity, and Network Utilization and Performance.

Read about the FortiGuard Security Rating Service, which provides security audits and best practices.

Note: MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.