Special edition
Cyber Emergency Center Report Special Edition
Cyber Emergency Center Report - Threat Management and Incident Response -
The shadow behind a cyber attack that targets virtual currency
June 19th, 2019 Cyber Emergency Center
Table of contents
03 Introduction
04 Timeline of attacks targeting virtual currency - Activity summary of HYDSEVEN
05 Attack overview - Three attack methods: "VBA macro", "software vulnerability", "fake installer"
30 Attack malware - Characteristics of two malware families, "NetWire" and "Ekoms (Mokes)"
38 C2 infrastructure - Overseas servers used for the attacks
39 Attacker group background - Two footprints: "decoy document file" and "code signing certificate"
44 Detection and mitigation
47 Conclusion
48 Indicators of Compromise (IOC)
The Cyber Emergency Center Report (hereinafter "this document") is provided for informational purposes only, and LAC Co., Ltd. accepts no responsibility for any loss resulting from use of its contents. Please note that the information in this document is current as of its initial publication and may have changed by the time it is viewed or provided. LAC, Cyber Emergency Center and Cyber 119 are trademarks or registered trademarks of LAC Co., Ltd. Other company and product names mentioned in this document are trademarks or registered trademarks of their respective owners.
The photographs on the front and back covers are works by Nozomi Nagayasu. When citing this document, please be sure to state the source. Copying or reprinting part or all of this document beyond the scope permitted by the Copyright Act is prohibited.
© 2019 LAC Co., Ltd. All Rights Reserved.
1. Introduction
In recent years, with growing interest in virtual currency (cryptocurrency), cyber attacks aimed at virtual currency have also been carried out actively. Such attacks include stealing directly from a virtual currency exchange, stealing from the wallet of a virtual currency holder, and mining that illegally uses PC and server resources. Among these, the outflow of virtual currency from exchanges has attracted particular attention because it bears on the reliability and security of virtual currency itself. According to a survey [1] by the cyber security company Group-IB, losses at exchanges due to cyber attacks since 2017 total $882 million, which shows that an enormous amount of virtual currency has been illegally leaked. Attacks targeting virtual currency continue in 2019 and are expected to increase in the future.
This report describes the TTPs (Tactics, Techniques and Procedures) used from 2016 to 2019 by the attacker group "HYDSEVEN", whose activities aim at stealing virtual currency. As far as we have confirmed, as of June 2019 there is little published information about HYDSEVEN's activity, but it is known to operate in various countries including Japan and Poland. We hope this report will be useful when considering countermeasures against HYDSEVEN, for example for alerting and security measures within an organization or industry, or for detecting attacks.
Cyber Emergency Center Threat Analysis Team, Yoshihiro Ishikawa
2. Timeline of attacks targeting virtual currency
Figure 1 gives an overview of the activities of HYDSEVEN, an attacker group targeting virtual currency, confirmed from August 2016 to March 2019. In the investigation by our Cyber Emergency Center Threat Analysis Team, we confirmed many attacks in 2016 and 2017, and the attacks continued into 2019. Many of these attacks begin with spear-phishing emails in which HYDSEVEN pretends to be a university official or researcher and targets specific organizations or people. The attacks use a variety of methods, such as VBA macros in Office document files, exploitation of software vulnerabilities (exploits), and legitimate software installers spoofed through link-based spear phishing. HYDSEVEN mainly uses NetWire and Ekoms (Mokes) as its attack malware. These malware families are introduced in Chapter 4; Chapter 3 focuses on HYDSEVEN's attack methods and their features.
Fig. 1 HYDSEVEN activity timeline
3. Attack overview
HYDSEVEN steals virtual currency using three different attack methods: VBA macros embedded in Office document files, exploitation of software vulnerabilities, and impersonation of legitimate software installers. This chapter introduces each of them.
Method exploiting VBA macros in Office document files
Attacks exploiting VBA macros were confirmed in August and December 2016. Figure 2 shows the flow of the attacks carried out at these times. The Office document file used in the August 2016 attack is disguised as a guide to collaborating with the School of Economics and Political Science (LSE), as shown in Figure 3, or as an account-opening form for a bank in the Arab Emirates (UAE). Looking at the Office document file, you can see that the "Security Warning" message bar [2] is displayed at the top, and that the file contains two or more types of active content such as VBA and add-ins.
Fig. 2 Outline of the attack method using a VBA macro
Figure 3 Example of an Office document file exploiting a VBA macro
Figure 4 is a partial excerpt of the VBA macro contained in the Office document file. As shown in the red frame, it executes the PowerShell command shown in Figure 5 through the Shell function [3]. This downloads and runs NetWire or Ekoms (Mokes) from the C2 server.
(fragment of the PowerShell command in Figure 5) ','%TEMP%/g32dc.exe'); Start-Process '%TEMP%/g32dc.exe';
Figure 4 VBA macro included in the Office document file (partial excerpt)
Figure 5 Example of the PowerShell command executed by the VBA macro
In addition, the VBA macro contains distinctive code that creates a random string for use as a password, as shown in Figure 6. Similar code was posted (Figure 7) on a web programming developer forum [4] in November 2011, so it is highly likely that the attacker reused this published code.
Figure 6 Example of the password generation code included in the VBA macro
Fig. 7 Password generation code posted on the website
Method exploiting software vulnerabilities
Attacks that exploit software vulnerabilities were identified in February 2017, September 2017 and March 2019. Figure 8 illustrates the flow of the attacks carried out at these times; a different software vulnerability was exploited each time.
Fig. 8 Outline of the attack method exploiting a vulnerability
(1) Case of February 2017
The attack in this period exploits the CVE-2015-2545 [5] and CVE-2016-7255 [6] vulnerabilities to infect the user's PC with NetWire. First, we briefly introduce these two vulnerabilities. CVE-2015-2545 is an arbitrary code execution issue caused by the handling of EPS files in Microsoft Office. CVE-2016-7255 is an elevation of privilege issue caused by the handling of memory objects in the Microsoft Windows kernel-mode driver (win32k.sys).
Figure 9 shows the Office document file used for the attack; its content invites the recipient to take part in the Banking Technology Awards from the School of Economics and Political Science (LSE) [7].
Figure 9 Example of an Office document file exploiting CVE-2015-2545 and CVE-2016-7255
Checking this Office document file with 7-Zip shows that it contains an EPS file (imgage1.eps), as surrounded by the red frame (Fig. 10). In addition to the code that exploits the two vulnerabilities, this EPS file contains as its payload the executable files for NetWire in a 32-bit environment and NetWire in a 64-bit environment, as indicated by the red frames in Figure 11. Figure 12 is part of the code that exploits the CVE-2016-7255 vulnerability to perform privilege escalation.
[7] We have also confirmed an Office document file inviting the recipient to take part in the AWC Awards from the School of Economics and Political Science (LSE).
Figure 10 Example of the EPS file included in the Office document file
Figure 11 NetWire for 32-bit environments included in the EPS file (excerpt)
Figure 12 Code exploiting the CVE-2016-7255 vulnerability (partial excerpt)
(2) Case of September 2017
The attack in this period exploits the CVE-2017-0199 [8] vulnerability to infect the user's PC with NetWire. CVE-2017-0199 is an arbitrary code execution issue caused by the processing of HTA data through a URL Moniker [10] in Microsoft OLE [9].
Figure 13 shows the Office document file used for the attack. The screen in the front is displayed when the file is opened, and the screen behind it is displayed after the linked data is updated. As far as we can tell, what the user sees after the vulnerability is exploited is not a readable decoy document but a byte string. It is unknown whether the attacker prepared this file intentionally or whether it is a design mistake.
[9] Technology for linking and sharing data among multiple Windows applications
[10] COM object that provides a service to make the specified URL resource available to other components
Figure 13 Example of an Office document file exploiting CVE-2017-0199
This Office document file is an RTF file and contains an embedded object ({\object keyword) (Figure 14). The string "d0 cf 11 e0 a1 b1 1a e1" in the red frame indicates that the embedded object is in OLE format. The screen below the red arrow shows this OLE object, and from the partially confirmed code you can see that it downloads an HTML Application (HTA file) from an external site.
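To show how the two indicators just described can be checked programmatically, here is an added Python example (not code from the report or from LAC) that scans an RTF for \object groups, decodes the hex-encoded \objdata payload, and looks for the OLE compound-file signature d0 cf 11 e0 a1 b1 1a e1 inside it. The RTF sample embedded in the block is constructed for the example and is not the attack document.

```python
import binascii
import re

# Signature of an OLE compound file: the "d0 cf 11 e0 a1 b1 1a e1" bytes the
# report points to. Inside an RTF the object payload is stored as hex text.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

# The hex payload of an \objdata group, possibly broken across several lines.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
# A bare \object control word (not \objdata, \objclass, ...).
OBJECT_RE = re.compile(rb"\\object\b")


def extract_objdata(rtf: bytes) -> list:
    """Return the decoded binary payload of every \\objdata group in the RTF."""
    payloads = []
    for match in OBJDATA_RE.finditer(rtf):
        hex_text = re.sub(rb"\s+", b"", match.group(1))
        if len(hex_text) % 2:
            hex_text = hex_text[:-1]  # tolerate a truncated trailing nibble
        payloads.append(binascii.unhexlify(hex_text))
    return payloads


def scan_rtf(rtf: bytes) -> dict:
    """Summarise the embedded-object indicators described in the report."""
    payloads = extract_objdata(rtf)
    return {
        "object_groups": len(OBJECT_RE.findall(rtf)),
        "objdata_groups": len(payloads),
        "ole_payloads": sum(1 for p in payloads if OLE_MAGIC in p),
    }


# Constructed sample: a short RTF with one embedded object whose payload is an
# OLE1 wrapper followed by a compound-file header. Not a real malicious file.
SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}\pard Quarterly report\par"
    rb"{\object\objemb{\*\objdata "
    rb"01050000020000000b0000005061636b6167650000000000" + b"\r\n" +
    rb"d0cf11e0a1b11ae1000000000000000000000000" + b"\r\n" +
    rb"}}}"
)


if __name__ == "__main__":
    print(scan_rtf(SAMPLE_RTF))
```

An RTF that carries one or more \objdata payloads containing the compound-file signature is worth opening in a sandbox rather than on a workstation; a payload that decodes but lacks the signature may still be an OLE1 "Package" object, so the count of objdata groups is reported separately.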
Figure 14: OLE object included in the Office document file (partial excerpt)
Next, let's look at the downloaded HTA file. As shown in Figure 15, the HTA file is written in VBScript, and looking at the code you will notice that the coding style, implementation and variable names are distinctive. This VBScript was created with Microsoft Word Intruder (MWI). MWI is a toolkit for creating files that exploit vulnerabilities in Microsoft Office products; it was developed in Russia by an actor using the handle "Objekt" and has been sold on the underground market since around 2013 [11]. Figure 16 is part of an MWI sales advertisement posted on an underground forum. Proofpoint's blog [12] also reports that code exploiting the CVE-2017-0199 vulnerability was built into MWI from the version sold in May 2017.
[11] er-revealed.pdf? La = en
[12] 9-utilized-cobalt-group-target
Figure 15 Downloaded HTA file (partial excerpt)
Figure 16: Example of an advertisement posted on an underground forum (partial excerpt)
Looking again at the HTA file used in this attack, the VBScript uses the bitsadmin command [13] to download a DLL file and the decoy document file to be shown to the user from the C2 site shown in the red frame in Figure 15, then loads and executes them (Figure 17). In addition, system information, information on the anti-virus software in use on the PC, and information on running processes are Base64-encoded and sent to the MWI panel (MWISTAT) shown in the blue frame in Figure 15. Figure 18 shows the Base64-decoded data sent to MWISTAT.
Figure 17 Downloading files from the C2 server using the bitsadmin command
Fig. 18 Example of the decoded information sent to the MWI panel (partial excerpt)
Finally, the downloaded DLL file is a downloader that downloads and executes further malware from the C2 server, as shown in Figure 19. The malware downloaded by this downloader has been confirmed to be NetWire. Judging from the name of the export entry in the DLL file (Figure 20), the original file name of this DLL is thought to be "DownloaderDLL.dll".
Figure 19 Downloader function included in the DLL file
Fig. 20 Export entry of the DLL file
The C2 server used in this attack also hosted Ekoms (Mokes), which may have been used in a different attack campaign from this one. Figure 21 maps the malware placed on an IP address that was used as a C2 server around September 2017; the highlighted item is Ekoms (Mokes).
Figure 21: Malware placed on the C2 server around September 2017
(3) Case of March 2019
The attacks in this period exploit the CVE-2018-20250 [14] vulnerability to drop a VBScript file onto the user's PC, and the VBScript file then downloads NetWire. CVE-2018-20250 is a path traversal issue caused by the processing of absolute paths in unacev2.dll [15], which allows an attacker to place malicious files in an arbitrary path.
Figure 22 shows the ACE archive used for the attack, opened in WinRAR. You can confirm that it contains an absolute path to the Startup folder, as shown by the red frame.
Figure 22: Contents of the ACE archive exploiting this vulnerability
[15] A library used to extract ACE format archives, used by file compression/decompression software such as WinRAR and Lhaplus
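The archive in Figure 22 is recognisable from its member names alone: an entry that names an absolute path into the Startup folder has no business in a document archive. The following added Python example (not code from the report or from LAC) audits an archive's member listing for absolute paths, parent-directory traversal and Startup-folder targets before anything is extracted. It works on the names produced by any archiver's listing and does not parse the ACE format itself; the listing and the "victim" user name inside it are constructed for the example.

```python
import re

# Substring shared by the per-user (AppData\Roaming\...) and all-users
# (ProgramData\...) Startup folders, in normalised lower-case backslash form.
STARTUP_MARKERS = (r"\microsoft\windows\start menu\programs\startup",)

# Drive-letter or root-relative path after normalisation to backslashes.
ABSOLUTE_RE = re.compile(r"^([a-z]:\\|\\)")

ACTIVE_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
                     ".bat", ".cmd", ".exe", ".scr")


def classify_member(name: str) -> list:
    """Return the reasons an archive member name must not be extracted as given.

    Operates on member names listed by any archiver; it does not parse ACE.
    """
    norm = name.replace("/", "\\")
    lower = norm.lower()
    reasons = []
    if ABSOLUTE_RE.match(lower):
        reasons.append("absolute path")
    if ".." in norm.split("\\"):
        reasons.append("parent-directory traversal")
    if any(marker in lower for marker in STARTUP_MARKERS):
        reasons.append("targets a Startup folder")
    # A script or executable escaping the extraction directory is the
    # combination seen in this attack, so call it out explicitly.
    if reasons and lower.endswith(ACTIVE_EXTENSIONS):
        reasons.append("drops active content outside the extraction directory")
    return reasons


def audit_listing(names) -> dict:
    """Map each unsafe member name to its findings; safe names are omitted."""
    findings = {}
    for name in names:
        reasons = classify_member(name)
        if reasons:
            findings[name] = reasons
    return findings


# Constructed listing modelled on Figure 22: a decoy document plus a script
# whose member name carries an absolute path into the per-user Startup folder.
SAMPLE_LISTING = [
    "CSWE_notification.docx",
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs",
    r"..\..\..\Users\Public\readme.txt",
    "images/logo.png",
]


if __name__ == "__main__":
    for name, reasons in audit_listing(SAMPLE_LISTING).items():
        print(name, "->", ", ".join(reasons))
```

Run the audit on the listing (for example the output of an archiver's list command) and refuse or quarantine the archive when any finding comes back; a patched extractor would strip the absolute path, but the listing check also catches the attempt and gives the analyst the intended drop location.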
When this ACE file is extracted with WinRAR, a document file whose content is a notification from the Council on Social Work Education (CSWE), shown in Figure 23, is created in the specified extraction directory, and at the same time the VBScript file is dropped into the Startup folder. As a result, wscript executes the VBScript file when Windows starts.
Fig. 23 Decoy document file disguised as a CSWE notification (partial excerpt)
The dropped VBScript file is a bot that implements the commands shown in Table 1. This VBScript bot makes several connections to the C2 server and then downloads NetWire from the designated C2 server via the "Pr" command.
Table 1 Commands sent and received by the VBScript bot
  Command   Description
  d         Delete the VBScript file
  Pr        Download and execute a file from the specified URL
  Hw        Get the OS version
  av        Check for the presence of the following anti-virus software vendors: "VIPRE", "Trend Micro", "Panda Security", "Norton Security", "Malwarebytes", "Kaspersky Lab", "G DATA", "F-Secure", "Emsisoft Anti-Malware", "DrWeb", "COMODO", "BullGuard Ltd", "Bitdefender", "Avira", "AVG", "AVAST Software", "AhnLab", "360"
Interestingly, this VBScript bot uses the Authorization header to communicate with the C2 server. As shown in the red frame in Figure 24, it adds an Authorization header to the HTTP request sent to the C2 server using the SetRequestHeader function, and it obtains the Authorization header included in the C2 server's HTTP response using the GetResponseHeader function. The two functions in the blue frame Base64-encode and decode the parameter values carried in the Authorization header.
Figure 24 Function that sends a request to the C2 server
Figure 25 shows the HTTP request and response when the VBScript bot sends the command result to the C2 server after receiving the "av" command. The string at the tip of the red arrow is the Base64-decoded value of the Authorization header parameter. The ID included in the decoded result is an identifier unique to the infected machine, calculated by combining the computer name, process ID and user name. This attack is also reported on the FireEye blog of March 2019 [16].
Figure 25 Request and response to the C2 server
(decoded value shown in Figure 25) ID: 85000080af0e, AV: Not found
(response shown in Figure 25) ok ok
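Because the bot carries its beacon in the Authorization header with no authentication scheme in front of the Base64 value, proxy or web-gateway logs can be screened for it. The following added Python example (not code from the report or from LAC) decodes bare Base64 Authorization values from parsed request records and reports those matching the "ID: <id>, AV: <result>" format shown in Figure 25. The request records are constructed; the ID value reuses the one visible in Figure 25 and the host is a documentation address.

```python
import base64
import binascii
import re

# Decoded beacon format shown in Figure 25: "ID: <hex id>, AV: <result>".
BEACON_RE = re.compile(r"^ID: (?P<id>[0-9a-f]+), AV: (?P<av>.+)$")


def decode_bare_authorization(value: str):
    """Return the decoded text when the header value is bare Base64 with no
    authentication scheme, otherwise None.

    Legitimate values look like "Basic <b64>" or "Bearer <token>"; the bot
    sends the Base64 parameter alone.
    """
    value = value.strip()
    if not value or " " in value:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text.isprintable() else None


def find_beacons(requests) -> list:
    """Scan parsed HTTP requests (dicts with 'host' and 'authorization') and
    return those whose Authorization header decodes to the bot's format."""
    hits = []
    for req in requests:
        text = decode_bare_authorization(req.get("authorization", ""))
        if text is None:
            continue
        match = BEACON_RE.match(text)
        if match:
            hits.append({"host": req["host"], "id": match["id"], "av": match["av"]})
    return hits


# Constructed proxy records. The second one imitates the request in Figure 25;
# the others are ordinary traffic that must not be flagged.
SAMPLE_REQUESTS = [
    {"host": "intranet.example",
     "authorization": "Basic " + base64.b64encode(b"user:pass").decode()},
    {"host": "203.0.113.10",
     "authorization": base64.b64encode(b"ID: 85000080af0e, AV: Not found").decode()},
    {"host": "api.example", "authorization": "Bearer not-a-beacon"},
    {"host": "cdn.example",
     "authorization": base64.b64encode(b"just some text").decode()},
]


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_REQUESTS):
        print(hit)
```

The same decoder applies to the Authorization header the C2 server places in its response, which a proxy that records response headers can feed through decode_bare_authorization as well; a hit on the request side already yields the per-host ID that ties the beacon to an infected machine.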
Method disguising a legitimate software installer
Link-based spear phishing attacks disguising legitimate software installers were confirmed by our center in November 2016, October 2017 and February 2019. In these attacks, the web meeting software (WebMeeting) provided by Vast Conference or the statistical analysis software (Stata) provided by StataCorp was used as the fake installer. Figure 26 illustrates the flow of the attacks using these fake installers.
Fig. 26 Outline of the attack spoofing a software installer
(1) Cases of November 2016 and February 2019
The attacks in these periods use link-based spear phishing to download fake installers of the statistical analysis software. The email contains URLs for downloading fake installers from the official websites of foreign universities, one for each of three operating systems (Windows, MacOS, Linux). HYDSEVEN compromises the university's web server and uses it as a staging point for the attack; it appears that files the server administrator did not intend were placed on the server. The following introduces the attack using the fake installer for the Windows environment confirmed in the February 2019 case. As for the November 2016 attacks, Exatel reported on related events in December 2016 [17].
Figure 27 shows the code signing certificates of the fake statistical analysis software installer and of the statistical analysis software provided by StataCorp. You can confirm that the fake statistical analysis software carries a company signature, "SANJ CONSULTING LTD", which differs from the signature of the legitimate software.
Figure 27 Confirmation of the code signing certificate of the statistical analysis software (upper: fake / lower: legitimate)
Figure 28 compares the files created after running the legitimate statistical analysis software installer and the fake one. "StataSE-64.exe", which exists in both folders, is the program of the legitimate statistical analysis software. In the directory expanded by the fake installer (left screen), you can confirm an executable file with a red frame and legitimate DLL files with a blue frame (such as the Qt [18] libraries and the SSL library) that are not in the legitimate directory (right). The executable file with the red frame is malware, which is executed when the fake statistical analysis installer runs.
Figure 28 Checking the files created by the installer (left: fake / right: legitimate)
So let's look at "StataSE.exe" created by the fake statistical analysis installer. As shown in Figure 29, this executable is a downloader built with Qt, a multi-platform framework. Outwardly it runs the legitimate statistical analysis software (blue frame), but behind the scenes its downloader function downloads NetWire, Ekoms (Mokes) and so on from the C2 server (red frame) and executes them.
Fig. 29 Downloader function included in "StataSE.exe" (partial excerpt)
Finally, we introduce the code in this downloader that detects virtual environments. As shown in Figure 30, the downloader obtains the display device name with the EnumDisplayDevicesW function [19] and contains code that checks whether the display device name contains strings such as "VMware", "VirtualBox" or "Parallels". If the downloader is executed in a virtual environment created with one of these products, an alert box like the one in Fig. 31 is displayed and the program exits with an error.
Figure 30 Code to detect a VMware environment (partial excerpt)
Figure 31 Alert displayed when running the downloader in a virtual environment
(2) Case of October 2017
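A sample that refuses to run under VMware, VirtualBox or Parallels will look benign in many sandboxes, so an analyst wants to know before detonation whether a binary carries such a check. The following added Python example (not code from the report or from LAC) performs a static triage of a binary's raw bytes for the three vendor strings named above and for the EnumDisplayDevicesW import name. Since EnumDisplayDevicesW returns UTF-16 device names and Qt's QString is UTF-16 internally, the comparison literals may be stored as UTF-16LE rather than ASCII, so both encodings are searched. The byte blob in the block is a constructed stand-in, not a real executable.

```python
# Virtualisation products the downloader looks for in the display device name.
VM_MARKERS = ("VMware", "VirtualBox", "Parallels")
# API the report says the downloader uses to read the display device name.
DISPLAY_API = b"EnumDisplayDevicesW"


def find_vm_markers(blob: bytes) -> dict:
    """Map each vendor string present in the binary to the encodings it appears in.

    Both plain ASCII and UTF-16LE are checked because a Qt program comparing a
    wide-character device name may keep its literal in either form.
    """
    found = {}
    for marker in VM_MARKERS:
        encodings = [enc for enc in ("ascii", "utf-16-le")
                     if marker.encode(enc) in blob]
        if encodings:
            found[marker] = encodings
    return found


def triage_vm_check(blob: bytes) -> dict:
    """Combine the string hits with the import-name check into one verdict."""
    markers = find_vm_markers(blob)
    uses_display_api = DISPLAY_API in blob
    return {
        "vm_markers": markers,
        "uses_EnumDisplayDevicesW": uses_display_api,
        # Heuristic: vendor names plus the display enumeration API together
        # suggest the display-name check described in the report.
        "display_name_vm_check_likely": bool(markers) and uses_display_api,
    }


# Constructed stand-in for a binary's raw bytes (not a real PE): an import
# name, one vendor string stored as UTF-16LE and one stored as ASCII.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"USER32.dll\x00EnumDisplayDevicesW\x00"
    + "VMware".encode("utf-16-le") + b"\x00\x00"
    + b"Parallels\x00"
)


if __name__ == "__main__":
    print(triage_vm_check(SAMPLE_BLOB))
```

A positive verdict is a reason to detonate the sample on bare metal or on a hypervisor whose display device name does not reveal the vendor, and to treat an early clean exit in a VMware sandbox as inconclusive rather than as evidence of benign behaviour.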
The attacks in this period also use the same link-based spear phishing as in the case above to download fake software appropriate for the OS from the official websites of foreign universities. The software being spoofed is different: it is the web meeting software provided by Vast Conference. The following introduces the attack using the fake installer for the MacOS environment.
Figure 32 shows the code signing certificate status of the fake WebMeeting package and of the WebMeeting package provided by the legitimate Vast Conference company. You can see that the fake WebMeeting does not contain a code signing certificate. Furthermore, if you check the application included in the package as well, you can see that the fake WebMeeting does not contain a code signing certificate (Figure 33).
Figure 32 Confirmation of the code signing certificate of the WebMeeting package (upper: fake / lower: legitimate)
Figure 33 Code signing certificate verification (upper: fake / lower: legitimate)
Figure 34 compares the installed contents. The fake package includes NW.js [20] related applications and libraries that are not included in the legitimate package.
Figure 34 Checking the files created by the installer (left: fake / right: legitimate)
Let's look at the applications installed from this fake package. The first is a downloader that downloads and executes NetWire and Ekoms (Mokes) from the C2 server using the curl command, as shown in the red frame in Figure 35. It also contains code (blue frame in Figure 37) that executes in parallel with the malware download.
Figure 35 Downloader function (partial excerpt)
The other is an application created with NW.js; it reads the app.nw file under the Resources folder and accesses the login screen for joining WebMeeting (Fig. 36). The app.nw file is a ZIP file containing main.html and package.json, whose contents are shown in Figure 37. You can confirm that the URL for joining WebMeeting is included.
Figure 36 WebMeeting login screen
Figure 37 Contents of the app.nw file (upper: main.html / lower: package.json)
Finally, we introduce the code in this downloader that detects virtual environments. It contains almost the same code as in the statistical analysis software case introduced above, and in this case it has a mechanism to detect VMware and Parallels. If the downloader is run in one of these virtual environments, an alert box like the one in Figure 38 is displayed. The content of this alert box is the same as in the statistical analysis software case.
Figure 38 Alert box displayed on execution
4. Attack malware
HYDSEVEN uses NetWire and Ekoms (Mokes) as its main attack malware. Here we introduce the features of these two malware families.
About NetWire
One of the files downloaded by the downloader is the Remote Administration Tool (RAT) called NetWire [21], sold by World Wired Labs (Figure 39). NetWire supports multiple platforms such as Windows, Linux and MacOS, and implements various remote management functions [22] such as a remote shell, file operations and keylogging. Because NetWire is sold publicly with many functions, it is often exploited by attackers. For example, FireEye and Proofpoint have reported its abuse by APT33 [23], an attacker group suspected of Iranian government involvement, and by Carbanak [24], a cybercrime group targeting financial institutions.
Figure 39 NetWire website operated by World Wired Labs
[23] /apt33-insights-into-iranian-cyber-espionage.html
[24] financial-organizations-in-middle-east
HYDSEVEN uses Windows, Linux and MacOS builds of NetWire in its attacks. However, the NetWire used in these attacks has several features that differ from the commercial version, so here we introduce some features of this customized NetWire.
(1) RC4 encryption key (Windows, Linux and MacOS versions)
The customized NetWire uses a common RC4 encryption key, "hyd7u5jdi8" (Figure 40). This key is used to decrypt the RC4-encrypted file names, variable names, Windows API names and so on contained in NetWire.
Figure 40 RC4 encryption key "hyd7u5jdi8" (upper: Windows version / lower: Linux version); decrypted strings visible in the figure include "SHFileOperationW" and "%Rand%"
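A fixed key shared across all builds means an analyst can recover the obscured API and file names from any sample of this family without debugging it. The following added Python example (not code from the report or from LAC) implements plain RC4 and a helper that decrypts candidate blobs with the reported key, keeping only those that decode to printable ASCII. The ciphertexts in the block are constructed by encrypting the two strings visible in Figure 40 with that key inside the example itself; they are not bytes carved from a real sample.

```python
NETWIRE_RC4_KEY = b"hyd7u5jdi8"   # key reported in Figure 40


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_text(raw: bytes) -> bool:
    """Accept only printable ASCII, the form the decrypted names take."""
    return len(raw) > 0 and all(0x20 <= b < 0x7F for b in raw)


def decrypt_strings(blobs, key: bytes = NETWIRE_RC4_KEY) -> list:
    """Decrypt candidate blobs carved from a sample; keep those that decode to text."""
    results = []
    for blob in blobs:
        plain = rc4(key, blob)
        if looks_like_text(plain):
            results.append(plain.decode("ascii"))
    return results


# Constructed ciphertexts: the two strings visible in Figure 40, encrypted
# here with the reported key so the example is self-contained, plus one blob
# that will not decrypt to text and must be filtered out.
SAMPLE_BLOBS = [
    rc4(NETWIRE_RC4_KEY, b"SHFileOperationW"),
    rc4(NETWIRE_RC4_KEY, b"%Rand%"),
    bytes(range(64)),
]


if __name__ == "__main__":
    print(decrypt_strings(SAMPLE_BLOBS))
```

In practice the candidate blobs come from the sample's data section or from the arguments a decryption routine receives; because the key is reused, any blob that yields readable text under it is strong evidence that the binary belongs to this customized NetWire rather than to the commercial build.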
(2) NetWire version (Windows, Linux and MacOS versions)
NetWire has been upgraded with additional functions over time, and the latest version is v2.0 [25]. The version information is contained in the file; Figure 41 shows the commercial versions v1.6a (0x1066100) and v1.7a (0x1076100). The customized NetWire also contains version information, which reads v1.0? (0x1000100) as shown in Figure 42. We could not compare this NetWire with the commercial NetWire v1.0 released in 2012, but even when compared with the commercial v1.2, v1.4 and so on, its implementation is different, which is why we regard it as a customized NetWire. Also, many of the customized NetWire configuration blocks are 0x468 bytes in size [26]; they contain the information shown in Table 2, and the malware operates based on this information.
Figure 41 Comparison of commercial versions of NetWire (left: v1.6a / right: v1.7a)
Figure 42 Customized NetWire version (left: Windows / right: MacOS)
[26] The size of the configuration information of the MacOS version is different; 0x3D4 bytes, 0x3E4 bytes and so on have been confirmed.
Table 2 List of configuration information (Windows version)
  Offset   Description
  0x000    Communication destination
  0x100    Proxy settings
  0x200    Password (AES encryption key seed)
  0x224    RC4 encryption key of the configuration information
  0x238    Host ID
  0x24C    Group ID
  0x260    Mutex name
  0x280    Installation path
  0x320    Startup key name 1
  0x360    Startup key name 2 (UUID)
  0x3A0    Keylog directory
  0x424    Judgment flags
  0x440    File timestamp setting
  0x464    Connection wait time
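Table 2 is enough to write a field extractor for the Windows configuration block: each field's length is the distance to the next offset, and the fourteen fields tile the 0x468 bytes exactly. The following added Python example (not code from the report or from LAC) splits a decrypted block into those fields. It assumes, for the purpose of the example, that text fields are NUL-terminated ASCII and that the connection wait time is a little-endian 32-bit integer; the flag and timestamp fields are left as raw hex because the report does not describe their encoding. The sample block it builds uses placeholder values (a documentation IP address and made-up names), not data from a real sample.

```python
import struct

CONFIG_SIZE = 0x468   # size the report gives for most Windows builds

# (offset, length, name): offsets from Table 2; each length is the distance to
# the next offset, so the fields tile the 0x468-byte block exactly.
FIELDS = (
    (0x000, 0x100, "destination"),
    (0x100, 0x100, "proxy"),
    (0x200, 0x024, "password"),
    (0x224, 0x014, "config_rc4_key"),
    (0x238, 0x014, "host_id"),
    (0x24C, 0x014, "group_id"),
    (0x260, 0x020, "mutex"),
    (0x280, 0x0A0, "install_path"),
    (0x320, 0x040, "startup_key_1"),
    (0x360, 0x040, "startup_key_2_uuid"),
    (0x3A0, 0x084, "keylog_dir"),
    (0x424, 0x01C, "flags"),
    (0x440, 0x024, "timestamp_setting"),
    (0x464, 0x004, "connect_wait"),
)
# Assumption for this example: text fields are NUL-terminated ASCII, the wait
# time is a little-endian 32-bit integer, and the rest is reported as raw hex.
TEXT_FIELDS = frozenset(n for _, _, n in FIELDS) - {"flags", "timestamp_setting", "connect_wait"}


def parse_config(blob: bytes) -> dict:
    """Split a decrypted 0x468-byte configuration block into its Table 2 fields."""
    if len(blob) != CONFIG_SIZE:
        raise ValueError(f"expected {CONFIG_SIZE:#x} bytes, got {len(blob):#x}")
    parsed = {}
    for offset, length, name in FIELDS:
        raw = blob[offset:offset + length]
        if name in TEXT_FIELDS:
            parsed[name] = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
        elif name == "connect_wait":
            parsed[name] = struct.unpack("<I", raw)[0]
        else:
            parsed[name] = raw.hex()
    return parsed


def build_sample_config() -> bytes:
    """Constructed block with placeholder values (documentation IP, made-up names)."""
    buf = bytearray(CONFIG_SIZE)

    def put(offset: int, value: bytes) -> None:
        buf[offset:offset + len(value)] = value

    put(0x000, b"198.51.100.23:443")
    put(0x200, b"example-seed")
    put(0x224, b"example-cfg-key")
    put(0x238, b"HOST-0001")
    put(0x24C, b"Default")
    put(0x260, b"example-mutex")
    put(0x280, b"%AppData%\\Install\\Host.exe")
    put(0x320, b"example-startup-1")
    put(0x3A0, b"%AppData%\\Logs\\")
    put(0x464, struct.pack("<I", 10))
    return bytes(buf)


if __name__ == "__main__":
    for name, value in parse_config(build_sample_config()).items():
        print(f"{name:20} {value}")
```

The destination, mutex name, installation path and startup key names recovered this way are the values worth turning into host and network indicators; the size check at the top of parse_config is deliberate, since the MacOS builds use different block sizes (footnote 26) and would need their own layout.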
(3) Powercat (Windows version)
The customized NetWire incorporates Powercat [27], a publicly available open source network tool. Figure 43 shows a partial comparison of the Powercat included in NetWire with the Powercat published on GitHub, confirming that they are identical. Figure 44 is the batch file that runs Powercat; you can see that it contains a command to connect back to the C2 server using local port 4000/tcp.
Fig. 43 Partial comparison of Powercat code (upper: code included in NetWire / lower: GitHub code)
Figure 44 Running Powercat from a batch file
(4) Character code of the command prompt (Windows version)
When the customized NetWire runs the command prompt (cmd.exe) on a command from the C2 server, it specifies UTF-8 (chcp 65001) as the character encoding (Figure 45). Compared with the commercial version v1.6, this version passes "chcp 65001" as an argument when launching the command prompt. By setting the command prompt's character code to UTF-8, the attacker presumably intends to operate the command prompt without depending on the character code of the user's environment.
Figure 45 Comparison of the character encoding used when executing the command prompt (upper: customized version / lower: commercial version)
(5) C2 communication (Windows, Linux and MacOS versions)
The customized NetWire differs from the commercial version in the packets it exchanges with the C2 server. Figure 46 compares the initial packets sent by the client to the C2 server. Each frame has the meaning shown in Figure 47.
Figure 46 Comparison of the initial packet sent to the C2 server (upper: customized version / lower: commercial version (v1.6a))
Figure 47 Description of the frames in the initial packet sent to the C2 server
In the customized NetWire, the first byte does not contain the packet length but the instruction command (0x7f). This value is encrypted with an XOR operation (key: 0x7c), and when decrypted it becomes "0x03", the same command as in the commercial version [28]. The instruction command of packets sent from the C2 server to the client is also encrypted with a different XOR operation (key: 0FFFFFFE3h) (Figure 48). In addition, the customized NetWire sends data that the commercial version does not send, which appears to be an OS environment-specific identifier. Other features of NetWire's C2 communication are described in detail on Palo Alto's blog [29], so please refer to it.
Figure 48 XOR operation on the instruction command (left: encode / right: decode)
[28] NetWire version 1.7a sends 0x99 as the parameter instead of 0x03
About Ekoms (Mokes)
The other file downloaded by the downloader is malware called Ekoms (Mokes). Ekoms (Mokes) is a bot with functions such as keystroke logging, audio recording and screen capture, and it is developed in Qt. As for the name Ekoms, the project name the attacker appears to have used when building the program contains the string "Ekoms", and the name presumably comes from there. Figure 49 shows the project names found in the Ekoms samples confirmed in the attacks.
Figure 49 Project name included in the malware (example)
The Ekoms that HYDSEVEN uses in its attacks has been confirmed to run on Windows, Linux and MacOS, and most samples are compressed with UPX 30. During the investigation it turned out that this Ekoms is the same malware reported in January 2016 on Kaspersky Lab's blog 31 and on Dr.Web's website 32 33, and that there is no difference in its functionality either. Both vendors analyze the functions of Ekoms in detail, so please refer to their write-ups.
C2 infrastructure
Here we focus on the C2 servers of the malware HYDSEVEN uses. Many of the C2 servers were set up on overseas hosting providers, and many of them were operated by bare IP address without registering a domain. Figure 50 shows the relationship between the malware and the three hosting providers (OVH, 23media GmbH, Leaseweb Deutschland GmbH) that HYDSEVEN uses frequently. In the attack confirmed in 2019, an IP address managed by 23media GmbH was abused as the C2 server.
Figure 50 Malware communication destinations (partial excerpt)
Attacker group background
In the course of investigating this series of attacks, I found some landmarks that appear to be footprints of HYDSEVEN. Even though the attackers disguise themselves and hide their identity, Figure 51 shows the language information of the Office document files used in the attack exploiting VBA macros described in Chapter 3, Attack Overview. As marked by the red frame, the language setting in the document file is confirmed to be "Russian". Checking the "Language Code" and "Code Page" contained in the document file with ExifTool 34 also shows that Russian (Cyrillic) is included.
Figure 51 Language information contained in the Office document file (upper: language information / lower: ExifTool result)
Some Office document files used in other attacks also contain "Russian": as shown in Figure 52, the language setting of the text portion is "English (US)" while that of the blank portion is "Russian". If you also check the properties of the Office document file in Figure 52, the company name contains the string "Grizli 777" (Figure 53). This string is inserted when a pirated Office product is used, and Florian Wagner reported on Twitter 35 that it is seen in Russia and Romania.
Figure 52 Language information of the Office document file (left: English / right: Russian)
Figure 53 The string "Grizli 777" included in the properties of the Office document file
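The two document checks above (language tags per run and the Company property) as an added triage script, not part of the LAC report; it reads OOXML (.docx/.docm) directly rather than going through Office or ExifTool, the sample document is constructed, and the binary .doc format (which keeps these fields in SummaryInformation streams) is out of scope.

```python
"""Extract the language tags and Company property the report inspects with Office/ExifTool.

Added example, not code from the LAC report. It checks the two footprints above in an
OOXML file: the w:lang values spread over the runs (Figure 52: en-US text, ru-RU blanks)
and the docProps Company field (Figure 53: "Grizli 777"). The sample document is
constructed; the report's decoy files are not reproduced. OOXML (.docx/.docm) only: the
binary .doc format keeps these fields in its SummaryInformation streams instead.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
EP_NS = "{http://schemas.openxmlformats.org/officeDocument/2006/extended-properties}"
PIRATED_MARKERS = ("Grizli 777",)   # Company string the report ties to pirated Office


def inspect_ooxml_footprints(data: bytes) -> dict:
    """Count w:lang values in word/document.xml and read Company from docProps/app.xml."""
    result = {"languages": Counter(), "company": None}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "word/document.xml" in names:
            for lang in ET.fromstring(zf.read("word/document.xml")).iter(W_NS + "lang"):
                for attr in ("val", "eastAsia", "bidi"):   # Latin / East Asian / RTL scripts
                    if lang.get(W_NS + attr):
                        result["languages"][lang.get(W_NS + attr)] += 1
        if "docProps/app.xml" in names:
            company = ET.fromstring(zf.read("docProps/app.xml")).find(EP_NS + "Company")
            if company is not None and company.text:
                result["company"] = company.text.strip()
    return result


def footprint_flags(result: dict, expected=("en-US",)) -> list:
    """What a reviewer would flag: languages outside the expected set, pirated-Office marker."""
    flags = ["language " + lang for lang in result["languages"] if lang not in expected]
    company = result["company"] or ""
    if any(marker in company for marker in PIRATED_MARKERS):
        flags.append("company " + repr(company))
    return flags


def build_sample_docx() -> bytes:
    """Constructed minimal .docx: an English text run plus a blank run tagged ru-RU."""
    document = (
        '<w:document xmlns:w="%s"><w:body>' % W_NS[1:-1]
        + '<w:p><w:r><w:rPr><w:lang w:val="en-US"/></w:rPr><w:t>Invoice</w:t></w:r></w:p>'
        + '<w:p><w:r><w:rPr><w:lang w:val="ru-RU"/></w:rPr><w:t xml:space="preserve"> </w:t></w:r></w:p>'
        + "</w:body></w:document>"
    )
    app = ('<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
           "<Company>Grizli 777</Company></Properties>" % EP_NS[1:-1])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    found = inspect_ooxml_footprints(build_sample_docx())
    print(dict(found["languages"]), found["company"], footprint_flags(found))
```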
Code signing certificate
HYDSEVEN attaches code signing certificates to its malware and uses them in attacks. The aim is to make the malware look like legitimate software and avoid detection by security products. The following methods are conceivable for an attacker to obtain a code signing certificate.
1. Steal the private key and code signing certificate from a legitimate software development company
2. Purchase a code signing certificate on an underground forum or the like
3. Establish a fictitious company, or go through a legitimate company, and have a certification authority issue a code signing certificate through the formal procedure
Figure 54 shows the code signing certificate abused in attacks from around August 2016 to around September 2017. Checking the information in the certificate's subject, you will find a Russian company name and address registered. Looking up the company registration information in the red frame on Nalog.io 36 shows that it is a retail distributor of household equipment established in January 2010 37 (Fig. 55). A check of the registered address on Google Maps also revealed that it is a house in a residential area, as shown in Figure 56. From this, it is highly probable that this code signing certificate was not stolen from a legitimate software company but obtained by method "2." or "3.".
Figure 54 Checking the subject of the code signing certificate
37 Bankruptcy on August 2, 2017 due to violation of Russian Federation law (08.08.2001 No. 129-ФЗ)
Fig. 55 The company information (partial excerpt) of Silva, LLC from the code signing certificate
Fig. 56 The address registered in the code signing certificate (quoted from Google Maps search results)
Besides the one in Figure 54, several other code signing certificates have been abused. Table 3 summarizes some of the code signing certificates attached to the malware used in the attacks.
Table 3 Code signing certificates granted to malware (excerpt)
Hash value (MD5)                    Malware      Code signing (name)
b04e7cba062e23c9bbcc3b8ba38ab4da    NetWire      Younty Ltd
ca584961b8292d3d075b5799488352a *   Downloader   Younty Ltd
80aa2d0c8c05a78487b85013c43c2143    NetWire      Silva, LLC
3d9a8ad7ae2bf9d4e4bd6381438d2b0c    NetWire      Megaprom, OOO
f08d3083c19320e2202128802b7ff306    Downloader   Megaprom, OOO
f84d985b94e31c04b6823af150f0b96f    NetWire      ASRA Solutions Ltd
a549d7ca2deb4aa7f7ce46efa1295e76    NetWire      Issledovaniya i razrabotka
91099aa413722d22aa50f85794ee386e    Ekoms        Issledovaniya i razrabotka
12def981952667740eb06ee91168e643    NetWire      (missing on this page)
a5cbda7bb3864626d6251f3a8cd09cb7    Downloader   NNM Dev LLC
ab235de113ee97926fb15eeaac555490    Ekoms        SoftVision Development GmbH
* one hex digit of this value was lost in extraction; it is reproduced as found
Lastly, I would like to introduce some interesting points that are not footprints of HYDSEVEN. As introduced in Chapter 3, one of HYDSEVEN's attack methods impersonates the installer of legitimate software. This technique has many similarities to the Lazarus activity reported by Kaspersky Lab 38 in August 2018: theft of virtual currency, the use of spear phishing, installers impersonating legitimate software, abuse of MacOS, and so on. However, the malware used in the attacks is ultimately different. HYDSEVEN uses NetWire and Ekoms, and we have so far not confirmed Lazarus using such malware. This is only speculation, but it is possible that the attack signature of Lazarus or a similar group is being imitated as a false flag, so that the crime is attributed to another attacker group.
Detection or mitigation
About attack tactics
Spear phishing emails are used for the attacks, with VBA macros embedded in Office document files, exploits for software vulnerabilities, and techniques such as impersonating legitimate software installers. As basic security measures, we recommend: do not carelessly open attachments or URLs in suspicious emails; do not carelessly enable macros; and always keep the OS, Office products, web browser and so on up to date. Against installers disguised as genuine software, check whether the application carries a code signature using the Sigcheck 39 tool (Windows environment) or the codesign command (MacOS environment). If it carries none, check whether the hash value really corresponds to the legitimate software. If it does carry a code signing certificate, it is recommended to stop and check again before running the file, for example whether the certificate was issued to the software vendor you use and whether it has expired.
About attack malware
NetWire and Ekoms (Mokes), the malware used in the attacks, create and execute files in the following paths depending on the OS environment. Since the file name created may differ with the execution environment, if there is a suspicious executable in one of these directories it is recommended to check with a service such as VirusTotal 40 whether the file is legitimate. In addition, entries for automatic execution of the malware are registered according to each OS environment.
(1) NetWire
Windows environment
• %APPDATA%\adobe\colorprofiler.exe
• %APPDATA%\ati\ace.exe
• %APPDATA%\AMD\OGLCache.exe
• %APPDATA%\intel\icls.exe
• %APPDATA%\Java\JavaBeem.exe
• %APPDATA%\Java\javad.exe
• %APPDATA%\Java\jschedu.exe
• %APPDATA%\Macromedia\flashupd.exe
• %APPDATA%\Sun\Java\Deployment\jvmgr.exe
• %APPDATA%\Sun\Java\Deployment\jvsgr.exe
• %APPDATA%\Sun\Java\Deployment\jvm.exe
• %APPDATA%\vlc\MediaDecoder.exe
• %APPDATA%\Unity\Prefs.exe
Automatic execution
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: <executable file path above>
MacOS environment
• $HOME/.defaults/ /Contents/MacOS/Finder
Automatic execution
$HOME/Library/LaunchAgents/ = $HOME/.defaults/ /Contents/MacOS/Finder
(2) Ekoms (Mokes)
Windows environment
• %APPDATA%\Skype\SkypeHelper.exe
• %APPDATA%\Dropbox\bin\DropboxHelper.exe
• %APPDATA%\Google\Chrome\nacl32.exe
• %APPDATA%\Google\Chrome\nacl64.exe
• %APPDATA%\Mozilla\Firefox\mozillacache.exe
• %APPDATA%\Adobe\Acrobat\AcroBroker.exe
• %APPDATA%\Hewlett-Packard\hpqcore.exe
• %APPDATA%\Hewlett-Packard\hpprint.exe
• %APPDATA%\Hewlett-Packard\hpscan.exe
Automatic execution
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: <executable file path above>
MacOS environment
• $HOME/Library/App Store/storeuserd
• $HOME/Library/App Store/storeaccountd
• $HOME/Library/ /SpotlightHelper
• $HOME/Library/ /Spotlightd
• $HOME/Library/Dock/
• $HOME/Library/Skype/SkypeHelper
• $HOME/Library/Skype/soagent
• $HOME/Library/Dropbox/DropboxCache
• $HOME/Library/Dropbox/quicklookd
• $HOME/Library/Google/Chrome/nacld
• $HOME/Library/Google/Chrome/accountd
• $HOME/Library/Firefox/Profiles/profiled
• $HOME/Library/Firefox/Profiles/trustd
Automatic execution
$HOME/Library/LaunchAgents/<file name>.plist = <executable file path above>
Linux environment
• $HOME/$DATA/.mozilla/firefox/profiled 41
• $HOME/$DATA/.dropbox/DropboxCache
Automatic execution
$HOME/.config/autostart/profiled.desktop
$HOME/.config/autostart/DropboxCache.desktop
41 $DATA is QStandardPaths::writableLocation(QStandardPaths::GenericDataLocation)
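The path and autorun tables above, turned into an offline check as an added example (not code from the LAC report): it matches an exported host inventory (files present, HKCU Run values, LaunchAgent plists, autostart .desktop files) against the listed artifacts. The macOS NetWire path whose bundle name is lost on the page is omitted, the inventory in demo() is constructed, and treating the Linux $DATA directory as an absolute path is an assumption.

```python
"""Scan an exported host inventory for the NetWire/Ekoms artifacts listed above.

Added example, not code from the LAC report. Path tables are transcribed from the
report (the macOS NetWire path whose bundle name is lost on the page is omitted).
Inputs are plain data so the check runs offline; demo()'s inventory is constructed,
and treating Linux $DATA (Qt GenericDataLocation) as an absolute path is an assumption.
"""
import ntpath
import plistlib
import posixpath

APPDATA_PATHS = {  # relative to %APPDATA%
    "NetWire": [r"adobe\colorprofiler.exe", r"ati\ace.exe", r"AMD\OGLCache.exe", r"intel\icls.exe",
                r"Java\JavaBeem.exe", r"Java\javad.exe", r"Java\jschedu.exe", r"Macromedia\flashupd.exe",
                r"Sun\Java\Deployment\jvmgr.exe", r"Sun\Java\Deployment\jvsgr.exe",
                r"Sun\Java\Deployment\jvm.exe", r"vlc\MediaDecoder.exe", r"Unity\Prefs.exe"],
    "Ekoms": [r"Skype\SkypeHelper.exe", r"Dropbox\bin\DropboxHelper.exe", r"Google\Chrome\nacl32.exe",
              r"Google\Chrome\nacl64.exe", r"Mozilla\Firefox\mozillacache.exe", r"Adobe\Acrobat\AcroBroker.exe",
              r"Hewlett-Packard\hpqcore.exe", r"Hewlett-Packard\hpprint.exe", r"Hewlett-Packard\hpscan.exe"],
}
HOME_PATHS_MACOS = ["Library/App Store/storeuserd", "Library/App Store/storeaccountd",  # all Ekoms
                    "Library/Skype/SkypeHelper", "Library/Skype/soagent", "Library/Dropbox/DropboxCache",
                    "Library/Dropbox/quicklookd", "Library/Google/Chrome/nacld", "Library/Google/Chrome/accountd",
                    "Library/Firefox/Profiles/profiled", "Library/Firefox/Profiles/trustd"]
DATA_PATHS_LINUX = [".mozilla/firefox/profiled", ".dropbox/DropboxCache"]  # Ekoms, relative to $DATA


def known_paths(appdata, home, data_dir):
    """Expand the tables for one host into {normalized full path: malware family}."""
    known = {ntpath.join(appdata, rel).lower(): fam for fam, rels in APPDATA_PATHS.items() for rel in rels}
    known.update({posixpath.join(home, rel): "Ekoms" for rel in HOME_PATHS_MACOS})
    known.update({posixpath.join(data_dir, rel): "Ekoms" for rel in DATA_PATHS_LINUX})
    return known


def norm(path):
    path = path.strip().strip('"')   # Run values may be quoted; NTFS paths are case-insensitive
    return path.lower() if "\\" in path else path


def scan(files, run_values, launch_agents, autostart, appdata, home, data_dir):
    """Return (family, evidence, path) for every artifact that matches the tables."""
    known = known_paths(appdata, home, data_dir)
    hits = [(known[norm(f)], "file", f) for f in files if norm(f) in known]
    for name, cmd in run_values.items():              # HKCU\...\CurrentVersion\Run values
        if norm(cmd) in known:
            hits.append((known[norm(cmd)], "Run value " + name, cmd))
    for plist_name, blob in launch_agents.items():    # $HOME/Library/LaunchAgents/*.plist
        args = plistlib.loads(blob).get("ProgramArguments") or []
        if args and args[0] in known:
            hits.append((known[args[0]], "LaunchAgent " + plist_name, args[0]))
    for desktop_name, text in autostart.items():      # $HOME/.config/autostart/*.desktop
        for line in text.splitlines():
            if line.startswith("Exec=") and norm(line[5:]) in known:
                hits.append((known[norm(line[5:])], "autostart " + desktop_name, line[5:].strip()))
    return hits


def demo():
    """Constructed inventory; it mixes platforms only so that each check is exercised."""
    plist = plistlib.dumps({"Label": "storeuserd", "ProgramArguments": ["/Users/alice/Library/App Store/storeuserd"]})
    return scan(files=[r"C:\Users\alice\AppData\Roaming\Java\javad.exe", "/Users/alice/Library/Skype/Skype"],
                run_values={"javad": r'"C:\Users\alice\AppData\Roaming\Java\javad.exe"'},
                launch_agents={"storeuserd.plist": plist},
                autostart={"profiled.desktop": "[Desktop Entry]\nExec=/home/alice/.local/share/.mozilla/firefox/profiled\n"},
                appdata=r"C:\Users\alice\AppData\Roaming", home="/Users/alice", data_dir="/home/alice/.local/share")
```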
Conclusion
As we have seen, the HYDSEVEN attacks are clever and try to steal virtual currency while evading security measures and monitoring. The attack methods combine VBA macros embedded in Office document files, exploitation of software vulnerabilities, impersonation of legitimate software installers and so on, and the malware used supports multiple platforms; HYDSEVEN has been actively adopting a variety of techniques. This report was prepared to help discover attacks by such attackers and to support consideration of future countermeasures such as damage control.
Recently, along with the rapid growth of the virtual currency market in Japan and overseas, virtual currency exchanges large and small have multiplied with the spread of virtual currency. For attackers, exchanges handling large amounts of virtual currency are attractive targets, and cyber attacks targeting virtual currency exchanges are expected to increase in the future. Under these circumstances we would like to continue investigating HYDSEVEN's attacks and providing information widely, and we would appreciate it if you could make use of it.
Indicator-of-Compromise (IOC)
Hash value (MD5)
NetWire
Ekoms (Mokes)
Fake Installer / Dropper / Downloader
Communication destination
Editor's Note
This issue focused on the findings about a single group of attackers, didn't it? Initially it was planned for publication as an article in LAC WATCH (our company's own media), but since the survey results are always read and answered, I delivered it as a special edition of the Cyber Emergency Center Report. The pace has slipped a little recently, but we hope to release the report with the usual contents in July as well, so please look forward to it. (Mio)
Questionnaire
We would be glad if you could fill in the questionnaire from the following URL or QR code so that we can make better articles in the future. Please send us your honest opinions and comments.
Hiroyuki Isoo Editor-in-chief Yoshihiro Ishikawa
LAC Co., Ltd.
2-16-1 Hirakawacho, Chiyoda-ku, Tokyo 102-0093 Hirakawacho Mori Tower E-MAIL: