
Alert! APT organization "Rattlesnake" malware attack on Pakistan-RISING report. GoP issues Advisory

The Eagle

SENIOR MODERATOR
Oct 15, 2015
22,272
174
42,148
Country
Pakistan
Location
Pakistan
APT organization "Rattlesnake" attack report on Pakistan (Navy)
2019-10-29

Recently, Rising Security Research Institute has once again captured, through the Rising Threat Intelligence System, an attack launched by the internationally known APT organization "Rattlesnake". This time the organization targeted the Pakistani Navy. The method differs from the previous attacks against China, but the core is the same: the ultimate goal is to steal confidential information from the government, energy, military, minerals and other fields.

First, the background

Rising security experts said that the "Rattlesnake" organization's previous attacks against China used the Office remote code execution vulnerability (CVE-2017-11882) to deliver a bait document carrying malware through phishing emails, resulting in internal confidential data on the computer, such as system information, installed programs and disk information, being stolen.


Figure: Attacks on China

The attack on Pakistan used a new LNK file path target hijacking method to deliver fake shortcut files by mail or other means, disguised as a press release issued by the Pakistan Navy Public Relations Bureau on talks between the Indian and Chinese leaders, inducing the victim to click. Once the user accesses the link contained in the shortcut properties, the malware is downloaded and all the file information on the computer is stolen.


Photo: Attack on Pakistan

Because the "Rattlesnake" organization has always stolen confidential information in the national government, military, science and technology fields, and has launched similar attacks on China's military and national defense, users at relevant enterprises should be vigilant to prevent such attacks.

Second, the attack event
The attack targeted Pakistan, where the attacker disguised the bait document as a press release issued by the Pakistan Navy Public Relations Bureau. The press release recorded the points discussed by Indian Prime Minister Modi and Chinese President Xi Jinping.


Figure: Bait document

Third, technical analysis
3.1 Analysis of malicious LNK files
1. The malicious LNK file uses a completely new technique to hide the target program that is actually executed. The LNK shortcut name is "Key_Points.doc.lnk". In the link target, you can see that the target application called is cftmo.exe, and the parameter is: http://www.paknavy[.]gov.pk.ap1-port.net/images/E7B62E1D/1182/2258/fc8fe2b4/692cd02.


Figure: "Rattlesnake" Shell Link File

However, when actually run, the Link file ultimately executes mshta.exe from System32, and mshta downloads and executes the malicious script file at the specified URL.


Figure: Link file execution mshta.exe

In view of the above behavior, Rising security personnel analyzed the sample and found that the lnk file was constructed in a completely new way that hides the real target program, which we call Link file path target hijacking. The following is a detailed breakdown of the technique.

2. Link file path target hijacking

ShellLinkHeader:

The LNK file structure contains a ShellLinkHeader header that contains information such as identification information, timestamps, and the existence of an optional structure.

struct ShellLinkHeader {          /* 76 (0x4C) bytes in total */
    uint32_t HeaderSize;          /* always 0x0000004C */
    uint32_t LinkCLSID[4];        /* 16-byte GUID 00021401-0000-0000-C000-000000000046 */
    uint32_t LinkFlags;           /* which optional structures are present, e.g. HasLinkTargetIDList, HasExpString */
    uint32_t FileAttributes;
    uint32_t CreationTime[2];     /* FILETIME */
    uint32_t AccessTime[2];       /* FILETIME */
    uint32_t WriteTime[2];        /* FILETIME */
    uint32_t FileSize;
    uint32_t IconIndex;
    uint32_t ShowCommand;
    uint16_t HotKey;
    uint16_t Reserved1;
    uint32_t Reserved2;
    uint32_t Reserved3;
};

EnvironmentVariableDataBlock:

There is a LinkFlags member in the ShellLinkHeader structure, which specifies some information about the lnk and which optional structures are present. One flag, HasExpString, specifies whether the lnk holds the environment variable block, the EnvironmentVariableDataBlock structure.


When the target program path of LNK contains an environment variable, the structure exists and holds a target program path with an environment variable.


LinkTargetIDList:

This structure specifies the target program path for the shortcut and consists of multiple IDLists.


The IDList is an array of structures that identify the source location of the namespace in which the target resides. The number is determined by the level of the target path, and the last IDList identifies the final executable name.


Figure: LinkTargetIDList structure

There are two important path related members under the IDList structure: PrimaryName and ExtraDataBlock. The IDList structure members are not described in detail in Microsoft's official documentation.


Target hijacking analysis:

Analysis finds that when the operating system displays the LNK shortcut properties, the value shown for the target path depends on the HasExpString flag. When HasExpString is not set, the operating system splices the target path together from the LinkTargetIDList; when HasExpString is set, the operating system reads TargetUnicode from the EnvironmentVariableDataBlock, expands the environment variable and displays that.

If HasExpString is set and TargetUnicode in the EnvironmentVariableDataBlock specifies a target program that does not exist, then when the lnk file is double-clicked the system tries to obtain the path from the LinkTargetIDList and checks whether that target program exists; if it exists, that path is used to execute the final target program. However, when the properties are viewed via right-click, the operating system uses the program path specified in the EnvironmentVariableDataBlock first and does not check whether the target program exists. This results in the hijacking of the lnk target program.

However, such lnk file hijacking does not persist. After double-click execution, the system clears HasExpString in the lnk file, and the file path in the LNK properties then uses the actual target program pointed to by the LinkTargetIDList, so the target program path shown in the properties is modified after the LNK is double-clicked.

In the sample delivered by Rattlesnake that we captured, the target path hijacking was not modified after execution. Further analysis showed that to persist the hijacking, the PrimaryName value in the last item of the IDList array must also be modified. Normally, the contents specified by PrimaryName and ExtraDataBlock in the IDList array are the same. If the executable file name specified by PrimaryName is the same as the program name specified in the EnvironmentVariableDataBlock, the system considers this a normal lnk file and does not modify the lnk after execution. So as long as the program name in the EnvironmentVariableDataBlock path is the same as the PrimaryName value in the last item of the IDList array, and that program does not exist, the hijacking is achieved.

3. Key_Points.doc.lnk file analysis

In the Link file used by this "Rattlesnake" APT, the camouflaged link path (%windir%\system32\cftmo.exe) is used to confuse the user and mask the link target that the system actually executes (%windir%\system32\mshta.exe).

Binary analysis shows that an environment variable was added to the link file's path, which triggers the creation of the ExtraData extension structure EnvironmentVariableDataBlock. In this structure, TargetUnicode is responsible for displaying the environment variable path in the Link properties. The malicious Link file achieves the masquerading of the externally visible link target by modifying the TargetUnicode field of the path containing the environment variable.

The link masquerading of the Link file can be implemented directly by modifying the TargetUnicode field; the system then accesses the ExtraData in the IDList structure to obtain the actual execution path. The Shell Link used by "Rattlesnake" also modified PrimaryName so that the two fields are unified as cftmo.exe. When the system invokes the Link file, the Link path checking mechanism sees that PrimaryName is the same as TargetUnicode, and the lnk target path hijacking persists.


Figure: Modified PrimaryName

The final effect: when viewing the file's properties, the link target of the Link file is a non-existent cftmo.exe, but the system actually executes the mshta.exe process through the maliciously constructed Link file and accesses the C&C to download the JavaScript script 692cd02.hta.


Figure: "Disguise" Link

3.2 Sample analysis: 692cd02.hta
692cd02.hta is a JavaScript script file generated by the open source tool DotNetToJScript. Its main function is to execute .NET DLL files in memory. The script first decrypts LinkZip.dll and reflectively invokes the pink function in the DLL, passing it 4 parameters. Parameter 1 is the URL to download file.hta, parameter 2 is the URL to upload anti-virus software information and exception errors, parameter 3 is the content of the encrypted bait document, and parameter 4 is the name of the bait document.


Figure: Memory execution .NET dll

3.3 Sample Analysis: LinkZip.dll
LinkZip.dll is a .NET program that mainly downloads and executes file.hta and opens the bait document Key_Points.doc.

The following is the detailed process:

1. Decrypt the bait document data, name it Key_Points.doc, save it under %temp%, and open the bait document. If any of these operations fails, the exception information is reported to the URL http://www.paknavy.gov.pk.ap1-port.net/plugins/1182/2258/true/true/.


Figure: Open the bait document


Figure: Reporting exception information

2. Report the anti-virus software name and status to http://www.paknavy.gov.pk.ap1-port.net/plugins/1182/2258/true/true/.


Figure: Reporting anti-virus software
3. Visit the URL http://www.paknavy.gov.pk.ap1-port.net/cgi/b6c82f0f84/1182/2258/af0c8a9f/file.hta, obtain the file.hta data from it, and save it under a random name in the %temp% directory. If the download succeeds, the hta is executed and then deleted. If it does not succeed, the URL is accessed again, up to 10 times; after more than 10 attempts, the custom exception message "File-not-Written" is reported to http://www.paknavy.gov.pk.ap1-port.net/plugins/1182/2258/true/true/.


Figure: Get file.hta data and execute

4. The attack methods used from file.hta onward are the same as those in Rising's earlier report on the attacks against China.

Brief description of the attack process (for detailed attack analysis, please refer to http://it.rising.com.cn/dongtai/19639.html and http://it.rising.com.cn/dongtai/19655.html):

(1) file.hta is a JavaScript script generated by the open source DotNetToJScript tool. Its main function is to decrypt StInstall.dll in memory, execute it, and reflectively invoke the pin function in the DLL.

(2) The malicious operations in StInstall.dll are: 1) create a working directory, %programdata%\CommonsFiles; 2) copy the system file write.exe to the working directory, and drop PROPSYS.dll, a randomly named .tmp file and write.exe.config there; 3) create an auto-start entry under Software\Microsoft\Windows\CurrentVersion\Run with the name Commons and the data C:\ProgramData\CommonsFiles\write.exe; 4) use the "white plus black" technique for the malicious operation: run write.exe (the white file) in the working directory, which calls PROPSYS.dll (the black file) in the same directory.

(3) PROPSYS.dll is a .NET DLL. Its main function is to load the randomly named .tmp file in the same directory in order to steal data. Eventually the malicious program steals a large amount of user data, which it assembles in JSON format. The data is stored in plain text in the %appdata%\CommonsDat directory, in four files with the suffixes .fls, .flc, .sif and .err, each named as a random string plus the specific suffix.


Figure: stealing information files

The file with the suffix .fls records the file information of the suffixes doc, docx, xls, xlsx, pdf, ppt, pptx.

filePath    - file name and path
Complete    - file transfer complete
sentOffset  - size of the file data uploaded
Table: Information Record
The file with the suffix .sif mainly stores system privilege information, system information, four system directory file lists, disk drive information and the list of installed software.


Figure: Information stored in the suffix .sif

The format of the system privilege information is "privileges":{"IsInAdminGroup":"Yes/NO","IsAdminPrivilege":"Yes/NO"}.

The system information record format of the victim machine is: "sysInfo": {system information}.

Detailed system information is shown in the following table:


Figure: System Information


Continued: 1/2
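As an added example (not code from the Rising report or this post), the following Python script applies the check described in section 3.1 to an LNK file: it parses the ShellLinkHeader, LinkTargetIDList and ExtraData, reads TargetUnicode from the EnvironmentVariableDataBlock when HasExpString is set, recovers PrimaryName and the long file name from the last ItemID, and flags a shortcut whose displayed target name differs from the real one. The 0xBEEF0004 extension-block layout, the file-entry item offsets and the build_lnk helper that constructs a sample mirroring the cftmo.exe/mshta.exe case are assumptions of this example and are not taken from the report.

```python
import struct

# LinkFlags bits (MS-SHLLINK); HasExpString makes Explorer display EnvironmentVariableDataBlock.TargetUnicode
HAS_IDLIST, HAS_LINK_INFO, IS_UNICODE, HAS_EXP_STRING = 0x1, 0x2, 0x80, 0x200
STRING_DATA_FLAGS = (0x4, 0x8, 0x10, 0x20, 0x40)  # HasName .. HasIconLocation, in StringData order
ENV_BLOCK_SIG, LINK_CLSID = 0xA0000001, bytes.fromhex("0114020000000000c000000000000046")
LONG_NAME_OFFSET = {3: 20, 7: 38, 8: 42, 9: 46}  # UTF-16 long name offset in a 0xBEEF0004 block (assumed layout)

def _utf16z(buf):
    return buf.decode("utf-16-le", "ignore").split("\x00", 1)[0]  # NUL-terminated UTF-16LE string

def parse_lnk(data):
    """Return (LinkFlags, last ItemID bytes, EnvironmentVariableDataBlock.TargetUnicode or None)."""
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, last_item = 76, b""
    if flags & HAS_IDLIST:
        end = pos + 2 + struct.unpack_from("<H", data, pos)[0]
        pos += 2
        while (size := struct.unpack_from("<H", data, pos)[0]) != 0:  # 0 is the TerminalID
            last_item, pos = data[pos:pos + size], pos + size
        pos = end
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]  # LinkInfoSize covers the whole structure
    for flag in STRING_DATA_FLAGS:  # each present string: CountCharacters then the characters
        if flags & flag:
            pos += 2 + struct.unpack_from("<H", data, pos)[0] * (2 if flags & IS_UNICODE else 1)
    env_target = None
    while pos + 8 <= len(data):
        block_size, sig = struct.unpack_from("<II", data, pos)
        if block_size < 4:  # TerminalBlock
            break
        if sig == ENV_BLOCK_SIG:  # TargetAnsi[260] precedes TargetUnicode[520]
            env_target = _utf16z(data[pos + 268:pos + 788])
        pos += block_size
    return flags, last_item, env_target

def item_names(item):
    """PrimaryName (short ASCII name at offset 14) and the long name from the 0xBEEF0004 extension."""
    primary = item[14:item.index(b"\x00", 14)].decode("ascii", "replace")
    long_name, sig_at = None, item.find(b"\x04\x00\xef\xbe")
    if sig_at >= 4:  # the signature follows the block's 2-byte size and 2-byte version
        ext = sig_at - 4
        offset = LONG_NAME_OFFSET.get(struct.unpack_from("<H", item, ext + 2)[0])
        long_name = _utf16z(item[ext + offset:]) if offset else None
    return primary, long_name

def check_hijack(data):
    """Flag an LNK whose displayed (HasExpString) target name differs from the IDList target."""
    flags, item, env_target = parse_lnk(data)
    primary, long_name = item_names(item) if item else ("", None)
    displayed = env_target.rsplit("\\", 1)[-1].lower() if env_target else None
    hijacked = bool(flags & HAS_EXP_STRING) and displayed is not None and displayed != (long_name or primary).lower()
    return {"displayed": env_target, "primary_name": primary, "long_name": long_name, "hijacked": hijacked}

def build_lnk(display_path, primary_name, long_name, version=8):
    """Constructed minimal .lnk (not the real sample): header, one file-entry ItemID, env block."""
    name, offset = long_name.encode("utf-16-le") + b"\x00\x00", LONG_NAME_OFFSET[version]
    ext = struct.pack("<HH", offset + len(name) + 2, version) + b"\x04\x00\xef\xbe"
    ext += b"\x00" * (offset - 8) + name + b"\x00\x00"  # zeroed timestamps/refs; trailing version offset
    body = b"\x32\x00" + struct.pack("<IIH", 0, 0, 0x20) + primary_name.encode("ascii") + b"\x00"
    body += b"\x00" * (len(body) % 2)  # PrimaryName is padded to an even length
    item = struct.pack("<H", 2 + len(body) + len(ext)) + body + ext
    idlist = struct.pack("<H", len(item) + 2) + item + b"\x00\x00"  # IDListSize includes the TerminalID
    header = struct.pack("<I16sIIQQQIIIHHII", 76, LINK_CLSID, HAS_IDLIST | IS_UNICODE | HAS_EXP_STRING,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    env = struct.pack("<II", 0x314, ENV_BLOCK_SIG) + display_path.encode("ascii").ljust(260, b"\x00")
    return header + idlist + env + display_path.encode("utf-16-le").ljust(520, b"\x00") + b"\x00" * 4
```

On a real shortcut, call check_hijack(open(path, "rb").read()); build_lnk exists only to produce a constructed test sample such as build_lnk("%windir%\\system32\\cftmo.exe", "cftmo.exe", "mshta.exe").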
 

The Eagle

SENIOR MODERATOR
Oct 15, 2015
22,272
174
42,148
Country
Pakistan
Location
Pakistan
Continued: 2/2

The record format for the four system directory file lists on the victim machine is: "dirList": {directory file list}.

The list of detailed directory files is shown in the following table:

Desktop directory
Documents directory
Downloads directory
Contacts directory
Table: File Directory
The drive information record format of the victim machine is: "driveInfo": {disk drive information}.

Detailed disk drive information is shown in the following table:

Name, Type, isReady, TotalSize, FreeSpace, availableFreeSpace, driveFormat, volumeLabel
Table: Disk Drive Information
The installed software list record format on the victim machine is: "installedApps": {installed software list}.

The detailed installed software record is shown in the following table:

Software name, Software version
Table: Installed Software Information
The file with the suffix .flc records drive letter information and the folder and file information under each drive letter.

Length, Name, DriveType, IsReady, Format, AvailableFreeSpace, TotalFreeSpace, TotalSize, VolumeLabel
Table: Drive letter information
The folder information that the attacker wants to obtain is as follows:

Length, Name, Attributes, CreationTime, LastWriteTime, LastAccessTime
Table: Folder information under the drive letter
The file information that the attacker wants to obtain is as follows:

Length, Name, Attributes, CreationTime, LastWriteTime, LastAccessTime
Table: File information under the drive letter
The file with the suffix .err records exception information raised during program execution.


Figure: Capture exception

Fourth, summary
It can be seen from the above analysis that the APT organization "Rattlesnake" has frequently attacked China and Pakistan in different ways. Rising threat intelligence analysis shows that the organization mainly targets government, military, technology companies and other fields in order to steal private information from inside the organization and to formulate its next attack plan. Relevant domestic government agencies and enterprises therefore need to pay attention and strengthen their defensive measures.

Fifth, preventive measures
1. Do not open suspicious emails or download suspicious attachments.

The initial entry point of such attacks is usually a phishing email, and these phishing emails are very convincing, so users need to be vigilant. Enterprises should also strengthen employees' network security awareness training.

2. Deploy network security situation awareness, early warning systems and other gateway security products.

Gateway security products can use threat intelligence to trace the trajectory of threat behavior, help users analyze threat behavior, locate the source and purpose of a threat, trace the means and path of an attack, address network threats at the source, and identify the most-attacked nodes so that enterprises can respond and handle them quickly.

3. Install effective anti-virus software to intercept and kill malicious files and Trojans.

Anti-virus software can block malicious documents and Trojans. If a user accidentally downloads a malicious document, anti-virus software can intercept and remove it, prevent the malware from running, and protect the security of the user's terminal.

4. Apply system patches and patches for important software in a timely manner.

Sixth, IOC information

[Editor: Ruirui]



Further information observed as :


 

The Eagle

SENIOR MODERATOR
Oct 15, 2015
22,272
174
42,148
Country
Pakistan
Location
Pakistan
I de-linked a few http tags and had to post in two parts, except for the last two tweets, which are in regard to one of the Urdu typing software packages called "InPage" doc.
 

-blitzkrieg-

SENIOR MEMBER
Mar 1, 2015
4,000
2
4,787
Country
Pakistan
Location
Pakistan
We need a private cloud for hosting data strictly in Pakistan that caters to sensitive data. We can start off with a hybrid model, i.e. cloud and on-prem.

We also need regular training of folks for cyber threat awareness.
 

ASKardar

FULL MEMBER
Oct 2, 2019
630
1
1,443
Country
Pakistan
Location
Pakistan

ISLAMABAD – Government of Pakistan has issued an advisory to remain alert as India is trying to get secret information through cyber terrorism.


As per details, an Indian cyber group, 'APD group from India', is trying to get access to Defence officials through emails. The group asks officials to download data through email and then hacks data in a background folder.

The advisory issued by the government directs institutions to make a software restriction policy and to re-check emails and social media accounts. The advisory also asked to make internet banking foolproof for the purpose of security.

SOURCE: http://dunyanews.tv/en/Pakistan/520191
 
