{"id":9082,"date":"2017-09-05T07:40:13","date_gmt":"2017-09-05T15:40:13","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/09\/05\/news-2855\/"},"modified":"2017-09-05T07:40:13","modified_gmt":"2017-09-05T15:40:13","slug":"news-2855","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/09\/05\/news-2855\/","title":{"rendered":"Rehashed RAT Used in APT Campaign Against Vietnamese Organizations"},"content":{"rendered":"

Credit to Author: Jasper Manuel, Artem Semenchenko| Date: Tue, 05 Sep 2017 15:30:00 +0000<\/strong><\/p>\n

\n

Recently, FortiGuard Labs came across several malicious documents that exploit the vulnerability CVE-2012-0158. To evade suspicion from the victim, these RTF files drop decoy documents containing politically themed texts about a variety of Vietnamese government-related information. It was believed in a recent report<\/a> that the hacking campaign where these documents were used was led by the Chinese hacking group 1937CN. The link to the group was found through malicious domains used as command and control servers by the attacker. In this blog, we will delve into the malware used in this campaign and will try to provide more clues as to the instigator of this campaign.<\/p>\n

\"\"\"\"<\/p>\n

Sample decoy documents<\/em><\/p>\n

When the documents are opened, they drop several files in one of the following folders:<\/p>\n

 %AppData%MicrosoftCredentials<\/p>\n

%AppData%MicrosoftSystemCertificates<\/p>\n

%AppData%MicrosoftWindowsTemplates<\/p>\n

Some samples drop the following files: <\/p>\n

Taskeng.exe – signed legitimate GoogleUpdate.exe version 1.3.33.5<\/p>\n

Psisrndrx.ebd – encrypted blob containing malware file<\/p>\n

Goopdate.dll – decrypter and loader of malware file<\/p>\n

Some drop the following files:<\/p>\n

SC&Cfg.exe – signed legitimate McAfee AV application<\/p>\n

Vsodscpl.dll – contains the malware file<\/p>\n

Others drop the following files:<\/p>\n

Systemm.exe – signed legitimate GoogleUpdate.exe version 1.3.30.3<\/p>\n

Systemsfb.ebd – encrypted blob containing malware file<\/p>\n

Goopdate.dll – decrypter and loader of malware file<\/p>\n

Similar to other APT attacks, such as MONSOON APT<\/a>, this APT uses DLL hijacking to evade the behavior monitoring technologies of security programs.<\/p>\n

DLL Hijacking<\/h2>\n

DLL hijacking is a technique used by some APT malware in which instead of the legitimate application (.exe) loading the benign DLL, the application is tricked into loading a DLL containing malicious code. This technique is employed to evade Host Intrusion Prevention System (HIPS) of security programs that monitor the behaviors of executed files. Most HIPS tools whitelist signed or trusted files, thereby excluding malware loaded using DLL hijacking by signed files from behavior monitoring.<\/p>\n

In the context of this attack, taskeng.exe and SC&Cfg.exe are signed legitimate applications; however, they are tricked into loading malware that are disguised as the legitimate Goopdate.dll and Vsodscpl.dll files.<\/p>\n

\"\"\"\"<\/p>\n

Taskeng.exe and SC&Cfg.exe file information<\/em><\/p>\n

Next, Taskeng.exe needs to load and import some functions from the original Goopdate.dll file; however, the Goopdate.dll was hijacked to contain malicious code, effectively changing the original code execution to execution of the malicious code.<\/p>\n

 <\/p>\n

\"\"<\/p>\n

Snippet from taskenge.exe that loads goopdate.dll<\/em><\/p>\n

In the same fashion, SC&Cfg.exe imports the “dll_wWinMain” function from the original vsodscpl.dll, but this DLL was hijacked as well, and also contains malicious code.<\/p>\n

\"\"<\/p>\n

SC&Cfg.exe import table containing import from vsodscpl.dll<\/em><\/p>\n

Once the malicious DLLs are loaded, the DLLs decrypt (from psisrndrx.ebd (1st<\/sup> case) or from its body (2nd<\/sup> case)) and load a Trojan downloader. The Trojan downloader is a DLL file. It is not dropped on disk but is only executed in memory. Also, the actual Trojan downloader in memory when dumped will not run. This is because the ‘MZ’ in the IMAGE_DOS_HEADER, the DOS stub, and the ‘PE’ signature were deliberately removed. This was done to prevent the dumped file from being analyzed properly in a debugger and decompiler. However, we can easily fix the dump by adding the ‘MZ’, a DOS stub, and the ‘PE’ signature.<\/p>\n

\"\"<\/p>\n

Missing header items as anti-analysis<\/em><\/p>\n

This Trojan downloader downloads a RAT (Remote Access Trojan), which we will call “NewCore” RAT, from the following domains:<\/p>\n

web.thoitietvietnam.org<\/p>\n

dalat.dulichovietnam.net<\/p>\n

halong.dulichculao.com<\/p>\n

Trojan Downloader<\/h2>\n

The Trojan downloader first creates an autostart registry entry so it runs whenever the machine is rebooted:<\/p>\n

HKLM\/HKCUSoftwareMicrosoftWindowsCurrentVersionRun<\/p>\n

Microsoft Windows Media = “%AppData%MicrosoftCredentials.exe”<\/legitimate><\/p>\n

As an anti-VM, it checks whether the environment has the registry key:<\/p>\n

HKCRApplicationsVMwareHostOpen.exe<\/p>\n

Before it can download the NewCore RAT, it needs to send the following information to the C&C server:<\/p>\n