{"id":16018,"date":"2019-08-07T15:40:07","date_gmt":"2019-08-07T23:40:07","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/08\/07\/news-9761\/"},"modified":"2019-08-07T15:40:07","modified_gmt":"2019-08-07T23:40:07","slug":"news-9761","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/08\/07\/news-9761\/","title":{"rendered":"Tricky Chinese-Targeted Trojan Bypasses Authentication"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b>A <\/b><i>FortiGuard Labs Threat Analysis Report<\/i> <\/p>\n<h2>Introduction<\/h2>\n<p>FortiGuard Labs uncovered a new campaign targeted at Chinese-speakers using malware that bypasses normal authentication by exploiting known WinRAR file (cve-2018-20250) and RTF file (cve-2017-11882) vulnerabilities. This attack uses a watering hole attack strategy to target Chinese-speaking users by delivering malware through a hacked Chinese news site. Based on our analysis, the campaign also appears to be experimental because it uses so many different techniques and tools to target this end user community.<\/p>\n<p>We first discovered this backdoor malware campaign in 2017, and over the years it has continued to upgrade its functionalities. In this article, we will first analyze how this malware is delivered. We will then analyze the functionalities and C2 connection of the malware, and describe its development.<\/p>\n<h2>A Hacked Chinese News Site<\/h2>\n<p>The originally hacked Chinese news site mentioned above is located in the US, where it is used to distribute Chinese news to Chinese-speaking individuals living overseas. To protect the news site, we will obscure any related identifying information. 
We will also refer to it as <b><i>victim1 <\/i><\/b>in the remaining parts of this article.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/chinese-targeted-trojan-analysis\/_jcr_content\/root\/responsivegrid\/image_745512586.img.png\" alt=\"Figure 1 Red squares: injected malicious links to a WinRAR exploit. Blue square: Fake Twitter login page link \"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1: Red squares: injected malicious links to a WinRAR exploit. Blue square: Fake Twitter login page link <\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>When we first found the hacked site, malicious phishing links had already been injected into it. Those links are faked as <b><i>victim1\u2019s <\/i><\/b>introduction information. 
In addition, there is a \u201cContact to our Twitter\u201d link, which is really a phishing Twitter login page.<\/p>\n<p>There is also a malicious script running on <b><i>victim1<\/i><\/b>.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/chinese-targeted-trojan-analysis\/_jcr_content\/root\/responsivegrid\/image_1624516247.img.png\" alt=\"Figure 2 Malicious script running on victim1\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2: Malicious script running on victim1<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p class=\"cq-text-placeholder-ipe\" data-emptytext=\"Text\">\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/chinese-targeted-trojan-analysis\/_jcr_content\/root\/responsivegrid\/image_139711561.img.png\" alt=\"Figure 3 Deobfuscated JS script\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3: Deobfuscated JS script<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>If we normalize and deobfuscate the JavaScript script, as seen in Figure 3, we find that this script first checks cookie data to ensure that access is coming from a Windows system. Second, it checks for the existence of \u201c___utma\u201d, a cookie used to distinguish users and sessions in Google Analytics. If found, it would mean the actor wants fresh access to <b><i>victim1<\/i><\/b>. 
It then dynamically downloads a script from hxxps:\/\/click.<a name=\"_Hlk14847133\" id=\"_Hlk14847133\"><\/a>clickanalytics208[.]com\/s_code.js?cid=239&amp;v=243bcb3d3c0ba83d41fc to <b><i>victim1. <\/i><\/b>This injected script is then able to execute arbitrary JS script delivered from the URL. We also found an analysis report mentioning a fake update campaign related to this URL. However, we didn\u2019t observe attacks with this script during our research.<\/p>\n<p>For more details, here is the <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/04\/fakeupdates-campaign-leverages-multiple-website-platforms\/\">report<\/a>.<\/p>\n<h2>Malware Analysis<\/h2>\n<h3>Dual Exploits Used<\/h3>\n<p>An attack begins with an exploit targeted at a vulnerable WinRAR file (cve-2018-20250). This exploit extracts another exploit for the vulnerable RTF file (cve-2017-11882). We show the flow of this attack below.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/chinese-targeted-trojan-analysis\/_jcr_content\/root\/responsivegrid\/image_1936521522.img.png\" alt=\"Figure 4 WinRAR Exploit (cve-2018-20250)\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4: WinRAR Exploit (cve-2018-20250)<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>There are two routes for this backdoor malware to infect the system.<\/p>\n<p style=\"margin-left: 40.0px;\">1. 
WinRAR (cve-2018-20250) exploit extracts backdoor<\/p>\n<p style=\"margin-left: 40.0px;\">We can observe that this \u201c.rar\u201d file is really an \u201c.ace\u201d file, and that it has a corresponding unpacking path located in the blue square of figure 4. The file uses the WinRAR exploit to extract conf.exe to the Startup folder so it can be executed at system booting.<\/p>\n<p style=\"margin-left: 40.0px;\">However, this seems like a mistake or a test, because conf.exe is extracted correctly only when the username is \u201ctest\u201d.<\/p>\n<p style=\"margin-left: 40.0px;\">Interestingly, we also found that conf.exe is infected by Sality, an infamous file infector malware. When conf.exe is executed, both the backdoor payload in conf.exe and the Sality infector shellcode will be executed at the same time.<\/p>\n<p style=\"margin-left: 40.0px;\">2. RTF (cve-2017-11882) exploit downloads backdoor<\/p>\n<p style=\"margin-left: 40.0px;\">The extracted \u201c.doc\u201d file is really an \u201c.rtf\u201d file. 
It triggers the Microsoft Equation Editor, runs regsvr32.exe to connect to 154.222.140[.]49, and then downloads the next stage &#8211; a malicious script named <i>123.sct<\/i>.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/chinese-targeted-trojan-analysis\/_jcr_content\/root\/responsivegrid\/image_655378770.img.png\" alt=\"Figure 5 RTF exploit (cve-2017-11882)\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5: RTF exploit (cve-2017-11882)<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p class=\"cq-text-placeholder-ipe\" data-emptytext=\"Text\">\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/chinese-targeted-trojan-analysis\/_jcr_content\/root\/responsivegrid\/image_166604746.img.png\" alt=\"Figure 6 Script \u201c123.sct\u201d for downloading next stage of malware\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6: Script \u201c123.sct\u201d for downloading next stage of malware<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p style=\"margin-left: 40.0px;\">The executed 123.sct script downloads \u201chxxp:\/\/154.222.140[.]49\/qq.exe\u201d to \u201cC:\\WindowsTempconf.exe\u201d. This conf.exe is different from the previous one. 
It is the backdoor malware without the Sality infection.<\/p>\n<p style=\"margin-left: 40.0px;\">We also found another download script in 123.sct that accesses \u201chxxp:\/\/154.222.140[.]49\/calc.exe\u201d. It uses this URL to download a clean Windows 64-bit file, and it was likely used by the developer to debug the whole infection flow.<\/p>\n<h2>Sality Infected Backdoor<\/h2>\n<p>The Sality-infected backdoor payload is the same as the downloaded qq.exe. We find that both the backdoor malware code and the Sality code run when the malware is executed. We also observed the following connections when this sample runs, though we haven\u2019t observed any further activity from the Sality C2 servers.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--5 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/chinese-targeted-trojan-analysis\/_jcr_content\/root\/responsivegrid\/image_1459414988.img.png\" alt=\"Figure 7 \u201cOriginal\u201d Backdoor connection (green) and Sality infector connections (red)\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7: \u201cOriginal\u201d Backdoor connection (green) and Sality infector connections (red)<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Backdoor Payload<\/h2>\n<p>In this section we will analyze the backdoor payload in depth. Both of the executable samples we found in this campaign (dropped and downloaded) have the same backdoor functionalities. When they run, they allocate memory and dynamically load a malicious DLL. 
There are also three export functions, which are shown in the following figure.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/chinese-targeted-trojan-analysis\/_jcr_content\/root\/responsivegrid\/image_1982971668.img.png\" alt=\"Figure 8 Export function in the malicious DLL\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8: Export function in the malicious DLL<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Again, we found a default \u201ctest.dll\u201d name, which indicates the malware is still under development.<\/p>\n<p style=\"margin-left: 40.0px;\">1. DealC<\/p>\n<p style=\"margin-left: 40.0px;\">This function collects system information and sends it to its C2 server repeatedly.<\/p>\n<p style=\"margin-left: 40.0px;\">2. DealR<\/p>\n<p style=\"margin-left: 40.0px;\">This function handles malware installation, and there are two kinds. The first registers the malware under \u201cHKCUSoftwareClassesFolderShelltestCommand\u201d, which adds a context-menu entry pointing to the copied malware. The second registers the malware under \u201cHKCUSoftwareMicrosoftWindowsCurrentVersionRun\u201d with the path \u201c[%PROGRAMDATA%]Mpclient.exe\u201d for persistence. Interestingly, it also checks whether its own name is kphonewiz (Kingsoft Phone Wizard) or kminisite (Kingsoft Hot News Mini Site). Both names belong to Chinese software created by Kingsoft. 
This further indicates that this backdoor malware is targeting a Chinese audience.\u00a0 \u00a0\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/chinese-targeted-trojan-analysis\/_jcr_content\/root\/responsivegrid\/image_1635985991.img.png\" alt=\"Figure 9 Interesting string that indicates that the malware is targeting a Chinese audience\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9: Interesting string that indicates that the malware is targeting a Chinese audience<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p style=\"margin-left: 40.0px;\">3. DealS<\/p>\n<p style=\"margin-left: 40.0px;\">Before running the main part of the backdoor malware, DealS loads Windows libraries. It does this to gather the Windows API call function addresses to generate a function table in memory. 
All the library names and function names are encoded using a simple character table, and each name is decoded by shifting a specific index into that table.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/chinese-targeted-trojan-analysis\/_jcr_content\/root\/responsivegrid\/image_1723934572.img.png\" alt=\"Figure 10 Function table creation and name string decoded function\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10: Function table creation and name string decoded function<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It then reads its installation path from the registry key \u201cSoftwareMicrosoftWindowsCurrentVersionRun\u201d and saves it to the file \u201c[%PROGDATA%]\/Destro\u201d.<\/p>\n<h2>Main Functionalities<\/h2>\n<p>This malware contains stealthy functionality designed to collect system information and send it to its C2 server. 
It can also download files and create a reverse shell for further attacks.<\/p>\n<p>Backdoor functionalities:<\/p>\n<ol>\n<li>Collects system information<\/li>\n<li>Collects disk hardware information<\/li>\n<li>Collects a directory list under a specific directory<\/li>\n<li>Collects a file list in a specific directory<\/li>\n<li>Collects an installed program list<\/li>\n<li>Collects a processes list<\/li>\n<li>Collects data from a different application, such as Skype, Fetion, SogouInput, SogouDesktopBar, etc.<\/li>\n<li>Collects network adapter information<\/li>\n<li>Searches for files<\/li>\n<li>Collects screenshots<\/li>\n<li>Creates a reverse shell<\/li>\n<li>Downloads files<\/li>\n<li>Gets a collected file MD5 hash<\/li>\n<li>Collects clipboard text<\/li>\n<li>Collects CPU information<\/li>\n<\/ol>\n<h2>C2 Connection Overview<\/h2>\n<p>This backdoor malware reads its C2 IP address from a constant RVA address. In this campaign, it tries to connect to the following C2 address: 122.112.245[.]78.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/chinese-targeted-trojan-analysis\/_jcr_content\/root\/responsivegrid\/image_1021697285.img.png\" alt=\"Figure 11 C2 IP in constant address\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 11: C2 IP in constant address<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>There are two connection types for this malware: TCP with port 55556 and UDP with port 8000.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript 
data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/chinese-targeted-trojan-analysis\/_jcr_content\/root\/responsivegrid\/image_355978070.img.png\" alt=\"Figure 12 Left: Data sending decoding and checking. Right: C2 Connection protocol configured \"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 12 Left: Data sending decoding and checking. Right: C2 Connection protocol configured <\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Let\u2019s check the backdoor C2 connection in Figure 7.<\/p>\n<p>First, the malware connects to 360.cn to read 100 bytes of data, but it always gets a \u201c404 Not Found\u201d message. We can observe the content check in Figure 13. The first 5 bytes in the content should be something like: \u201c0x11 0x22 [Data] 0x33 0x44\u201d. If the content check passes, the data will be saved and used in the C2 data header. However, during our testing the content check always failed, and seems useless.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/chinese-targeted-trojan-analysis\/_jcr_content\/root\/responsivegrid\/image_21249037.img.png\" alt=\"Figure 13 Failed content check to www.360.cn\/status\/getsign.asp\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 13: Failed content check to www.360.cn\/status\/getsign.asp<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It then connects to http:\/\/icanhazip.com to acquire the IP address of the victim system. 
After collecting this information, it connects to its C2 to send information and get possible further commands.<\/p>\n<h2>RC4 Encryption for Data<\/h2>\n<p>The backdoor\u2019s C2 connection data is encrypted and decrypted by RC4. It uses a hardcoded encryption key.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/chinese-targeted-trojan-analysis\/_jcr_content\/root\/responsivegrid\/image_1728756493.img.png\" alt=\"Figure 14 RC4 Encryption function and RC4 key.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 14: RC4 Encryption function and RC4 key.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>A custom header would then be inserted into the data\u2019s head. 
The data is then encrypted with the RC4 algorithm and sent to the C2.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/chinese-targeted-trojan-analysis\/_jcr_content\/root\/responsivegrid\/image_289161027.img.png\" alt=\"Figure 15 Encrypted data example and RC4 encryption signature check\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 15: Encrypted data example and RC4 encryption signature check<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>We find that the first 8 bytes of the header are set to a constant value. Further analysis showed that this value is checked by the malware\u2019s RC4 decryption function: if the check fails, the data is not decrypted. In other words, the constant is a marker the malware uses to confirm that the data is RC4-encrypted. The next 4 bytes are then produced by a MAC sum calculation function, and they are possibly used to identify victims.<\/p>\n<h2>C2 Connection: Content-Type<\/h2>\n<p>To distinguish the different types of stolen data or information, a \u201ccontent-type\u201d field is used in the connection data from the victim to the C2 server. 
\u00a0There is a thread for receiving and handling the command from the C2 server.<\/p>\n<p>We have observed the following content-types in the malware:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/chinese-targeted-trojan-analysis\/_jcr_content\/root\/responsivegrid\/image_9293599.img.png\" alt=\"Figure 16 Content-type list and their feature\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 16: Content-type list and their feature<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Figure 17 shows an example of the content-type usage. There are other headers used to describe the content. \u201ctime\u201d is the data creation time. \u201cackfile\u201d means the file used to save this data. 
\u201ccontent-length\u201d means the whole data size.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/chinese-targeted-trojan-analysis\/_jcr_content\/root\/responsivegrid\/image_1525351222.img.png\" alt=\"Figure 17 Usage example for content-type\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 17: Usage example for content-type<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>C2 Connection: C2 Request Solution<\/h2>\n<p>The C2 command uses some tricks to trigger a corresponding function to resolve its request. An example of the request for changing monitored file type is shown in the following figure. 
At the offset 0x0D of the C2 request data, 0x2E in the red square of Figure 18 will be used as a function index to call the corresponding function.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/chinese-targeted-trojan-analysis\/_jcr_content\/root\/responsivegrid\/image_1527795915.img.png\" alt=\"Figure 18 Usage example for C2 command to trigger function\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 18: Usage example for C2 command to trigger function<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Backdoor Development<\/h2>\n<p>We found that this backdoor malware has been in use since 2017. The following is the timeline of its development.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/chinese-targeted-trojan-analysis\/_jcr_content\/root\/responsivegrid\/image.img.png\" alt=\"Figure 19 Backdoor development timeline\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 19: Backdoor development timeline<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Interestingly, we found this backdoor malware always uses a Chinese-native software name to lure a victim to execute it. At first, it was simply an executable, but that was changed to a DLL version in 2018. 
The DLL version of the backdoor is encrypted and stored in the data section of a loader program. When the loader runs, it decrypts the backdoor DLL and loads it into memory for execution.<\/p>\n<p>We found that the latest sample was uploaded with the name \u201cXLAccount.dll\u201d. It has an interesting new functionality: collecting information about a VPN tool called \u201cShadowsocks\u201d, which is used in China to get past the Great Firewall of China. \u201cXLAccount.dll\u201d is the name of a known module belonging to Xunlei Game Box, a web game platform developed by Xunlei.<\/p>\n<h2>Conclusion<\/h2>\n<p>FortiGuard Labs investigated a campaign centered around a hacked Chinese news site. Threat actor(s) hacked the news website and injected fake links, along with a phishing link on the same website. As of the time of this writing, its dynamically loaded malicious script is still running.<\/p>\n<p>The backdoor malware used in this campaign has been seen in the wild since 2017, and its samples are named after common Chinese applications. In this campaign, the backdoor malware exploits two different vulnerabilities, cve-2018-20250 and cve-2017-11882, to force victims to install a backdoor. 
While we analyzed its functionalities and C2 connections in this blog, it is still under active development and adding new functionalities to improve its ability to steal more information and data.<\/p>\n<p>FortiGuard Labs will continue to monitor the development of this malware and related campaigns.<\/p>\n<p>-= FortiGuard Lion Team =-<\/p>\n<h2>Solution<\/h2>\n<p>Fortinet users are protected from the malicious threats mentioned in this article with the following solutions:<\/p>\n<ul>\n<li>Files are detected by FortiGuard Antivirus<\/li>\n<li>Malicious and Phishing URLs are blocked by <a name=\"OLE_LINK122\" id=\"OLE_LINK122\"><\/a><a name=\"OLE_LINK123\" id=\"OLE_LINK123\"><\/a><a name=\"OLE_LINK124\" id=\"OLE_LINK124\"><\/a>the FortiGuard Web Filtering Service<\/li>\n<\/ul>\n<h2>IOCs<\/h2>\n<p><i>Learn more about\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">FortiGuard Labs<\/a>\u00a0and the FortiGuard Security Services\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions.html?utm_source=blog&amp;utm_campaign=2018-blog-security-services\">portfolio<\/a>.\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">Sign up<\/a>\u00a0for our weekly FortiGuard Threat Brief.\u00a0<\/i><\/p>\n<p><i>Read about the FortiGuard\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/security-rating.html?utm_source=blog&amp;utm_campaign=2018-blog-security-rating-service\">Security Rating Service<\/a>, which provides security audits and best practices.<\/i><\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/34AxhazOK7c\/chinese-targeted-trojan-analysis.html\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" 
src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/chinese-targeted-trojan-analysis\/_jcr_content\/root\/responsivegrid\/image_745512586.img.png\"\/><br \/>FortiGuard Labs uncovered a new campaign targeted at Chinese-speakers using malware that bypasses normal authentication by exploiting known WinRAR file (cve-2018-20250) and RTF file (cve-2017-11882) vulnerabilities. Read this analysis to learn more.&lt;img src=&#8221;http:\/\/feeds.feedburner.com\/~r\/fortinet\/blog\/threat-research\/~4\/34AxhazOK7c&#8221; height=&#8221;1&#8243; width=&#8221;1&#8243; alt=&#8221;&#8221;\/&gt;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-16018","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16018","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16018"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16018\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16018"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16018"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/w
p-json\/wp\/v2\/tags?post=16018"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}