Details Concerning Sapphire Mushroom (APT-C-21) Attack Infrastructure Uncovered
360 Security released it's first report on July 5, 2018 concerning an advanced organization that has targeted my country's government, military, research community, and financial sector for almost 8 years, starting in 2011, with attacks meant for advanced espionage. Sapphire Mushroom (APT-C-12) activities have actually increased in recent months. This article is to serve as a supplement to uncover details surrounding the attack infrastructure used by Sapphire Mushroom. We hope that the security community can understand every piece of the attacker's methodology and share blue team details together in order to face this nation-state level threat.
After April of 2018, 360 Monitoring and Response Center and 360 Threat Intelligence Center observed a focused spearphishing attack campaign in which the attackers tricked users into opening the attached LNK PowerShell script that uploaded sensitive user information and files and installed a malicious backdoor for continued access and control over the user's computer.The attack methodology actually uses a pretty novel approach to using LNK files, using AWS S3 and cloud infrastructure communication protocols to exfiltrate sensitive user information. Here, we will go into more detail concerning this attack methodology.
360 Threat Intelligence Center has confirmed multiple external phishing emails that, in part, came from the email address baoaostaff[@]163[.]com. The emails appear as if they're an invitation coming from the staff of the Baoao Forum for Asia.
(Picture of phishing email depicts a general invitation, saying "Respected [name], thank you very much for participating in this year's Baoao Forum for Asia discussion, attached is a thank you letter that we hope you will read. Thank you for your continued support" followed by a traditional Chinese closing that doesn't translate well. Notably, the Chinese appears native, to the point of being appropriately formal for the context of the counterfeited correspondence.)
Attached is a RAR file uploaded to the 163 cloud storage service, which we consider to be the malicious payload.
(Pictured is the inside of the archive file containing a file named "Public Sentiment Surrounding Internet Governance Survey.")
If the user clicks the LNK shortcut, it will execute the PowerShell script, gather and upload sensitive user information, and install the backdoor to offer continued access to the victim's computer.
Inside of the attached archive file, there is an LNK file named "Public Sentiment Surrounding Internet Governance survey." Observing the properties of this particular file (Pictured) there is no indication of the target of this LNK file, but using a disassembler, we can see it has PowerShell executable headers and settings meant to hide details about the file.
Analyzing the LNK file, some important functions emerge that reveal the malicious intentions of the payload, including: LinkTargetIDList, COMMAND_LINE_ARGUMENTS, and EnvironmentVariableDataBlock.
LinkTargetIDList is an array that specifies a link's target. Regarding the malicious samples, putting all of the LIST elements together forms the real malicious target using a debugger:
COMMAND_LINE_ARGUMENTS discerns the target program's arguments. The parameters in the sample are passed to PowerShell to be executed, but because they contain characters that can't be displayed in Unicode, the code won't be displayed when viewing the 'Properties' of the file.
Setting the EnvironmentVariableDataBlock will cause the target to be set to the corresponding value, but it should be noted that it doesn't work for the actual program call. Finally, Shell32.dll starts PowerShell by parsing the StringTargetIDList array.
Decrypting the powershell payload
The following PowerShell function will decrypt the payload:
The PowerShell script lies at the very end of the LNK file:
This portion of the LNK file is Base64 encoded, and after decoding it takes the form of [compressed package+PowerShell script].
The decrypted PowerShell script begins by executing the function ps_start.
ps_start is used to decrypt the rest of the functions and decompress the corresponding package, which contains the information stealing modules. The script is decoded using [convert]::frombase64string((gc $a|select -l 2|select -f 1))); and Base64 is again used to decrypt the compressed package file, while rundll32 is used to load beoql.g. The backdoor file (load function being DllRegister), and a PowerShell script are passed as a parameter. The PowerShell is named ps_loader:
The compressed package contains the DLL backdoor named beoql.g, a legitimate decompression program named Rar.exe, and a legitimate DOC file that was used as the lure for the user.
(Picture of the files)
The script will then try to reach out to 3 IP addresses that act as C&C servers:
If it succeeds in connecting to a C2 server, it will then use the command line to gather core system information:
(List of well-known command line functions)
After gathering the system information, the script uses Rar.exe to create a compressed file named start.rar and then uses RSA encryption using a random string shown below to encrypt it.
The random string will then be used as the RAR encryption password and is saved in the id.rar file, and uses the pv9 function to upload to the attacker's cloud infrastructure.
The script then searches the system for files created within the past 180 days with designated suffixes (jpg,txt,eml,doc,xls,ppt,pdf,wps,wpp,et) and continues to use Rar.exe to compress the files using the random string to encrypt the files.
The script then uses the pv9 function to upload the RAR files using the AWS S3 protocol to the attacker's cloud-based infrastructure located at 0123[.]nyc3[.]digitaloceanspaces[.]com. The program contains the ACCESS_KEY and SECRET_KEY that are expected to be required by Amazon's S3 protocol.
(Explanation of Amazon S3 service)
The purpose of this function is to add some header values that use AWS s3 V4 signing algorithms, which look like this:
(Displayed Header info)
The highlighted functions encapsulate the request and finalize the final upload, where ul3 encapsulates the uploaded file request headers and ig3 finishes the upload. The request headers created by ul3 are stored as $9, while another important variable, Signature, is created by the a53 and e77 function. $9 is encapsulated into $g, which is the final request. The whole thing looks like this:
The final upload looks like this:
After downloading the DLL backdoor, the ps_start function will then choose a C2 server among the 3 IP addresses and download another PowerShell script, here called ps_loader.
ps_loader will first generate the us and Cookie fields for the request, and as you can see the response is just a series of decimal numbers.
(Screenshot of request and response)
The data is then decrypted by sj8 using the string 'whatthefuckareyoudoing.'
The decrypted program is also a PowerShell backdoor, here named ps_backdoor, which invokes the function ROAGC:
The ps_backdoor script is a PowerShell backdoor whose primary function (ROAGC) has the following parameters:
1) Interval - here, 10.
2) ID - here, zhengyi5
3) IP/Port - a size 2 tuple
4) KEY - encryption key
5) MAC - mac address
These are the backdoor's commands:
rs - runs a CMD command
up - upload file
dw - download file
Aside from basic windows CMD commands, the backdoor also supports the following Linux commands:
ls/dir - display directory information
mv/move/copy/cp/rm/del/rmdir - move files
cd - change directory
lpconfig/ifconfig - networking information
ps/tasklist - display running processes
whoami/getuid - display user information
rteboot/restart - restarts machine
The upload/download functionality uses AES encryption, where the KEY is located in ps_loader and is Dqd6lfRDcXK2KxIFDqU1S/MMyxGJ7qPIwM/xZe0R6Ps=:
ps_start uses Rundll32.exe to run the decompressed beoql.g backdoor, which is the persistent backdoor module that uses ps_loader and the LNK file to maintain persistence. Below are details included in the beowl.g DLL:
The following are the real purposes of the data included in the DLL:
DllEntry - used to start PowerShell
DllRegister - saves the incoming PowerShell script and calls DllEntry to start PowerShell, calls DllInstall to generate and start the BAT script to modify the system LNK file.
DllInstall - generates and starts the BAT script that alters the LNK file
DllCanUnload - ?
DllSetClassObject - Used by the BAT script to alter the LNK file
DllUnsetClassObject - restores the LNK file
DllCopyClassObject - used by the BAT script to copy the LNK file to a temporary directory
DllEntryPoint - entry point for the DLL
ps_start also invokes the DllRegister field using the ps_loader script as a parameter and save ps_loader as the encrypted beoql.g.ini. It will then invoke the DllEntry and fun_Callinstall.
You can see the encrypted beoql.g.ini PowerShell script below
(WinHex dump of beoql.g.ini)
When DllEntry is invoked, it will first use CMD commands to delete relevant Jinshan security modules.
It will then use the CreateProcess function to invoke the ps_loader script:
When fun_Callinstall decrypts the relevant encrypted strings, they are used by Rundll32.exe to runn DllInstall.
The DllInstall function will first traverse multiple directories looking for LNK files.
It then creates nview32_update.bat script and runs it:
After nview32_update.bat runs, it will detect and delete certain WPS modules and then begins to modify the LNK files it found before:
It first uses DllCopyClassObject to copy the LNK to a temporary directory, then uses the DllSetClassObject to modify the LNK file in the %temp% directory. Finally, it writes the modified LNK file back to the original location:
DllSetClassObject uses the fun_Changelnk function to modify the LNK file:
The modified LNK file is broken up by multiple exclamation marks:
The specific purpose is as follows: the LNK shortcut file is altered to run the DllEntry function in the DLL using Rundll32.exe. The main purpose of the function is to run the ps_loader script by hijacking the LNK shortcut file in order to maintain persistence:
The methodology of the attack
(The picture, thankfully already translated, depicts the attack cycle)
The IPs were primarily used in April and May of this year, exactly corresponding to the samples we captured as well. This is indicative of the incredibly focused nature of the attacks.
By simulating some of the attacker's infrastructure, we were able to gain metrics on what was being stolen, such as computer name and time of attack. The data indicates that the victims number in the hundreds.
(Not going to directly translate, basically pontification about how awesome their TIP is, how they do more than just browsing twitter and blogs to gather intelligence, and that their TIP already has early warning monitoring for this APT)
(UNREDACTED IOCs FROM A CHINESE INFOSEC COMPANY???????)