ANALYSIS-IN-DEPTH
Tick Group's 'USB-Based Attack Technique' Against Korean Companies: In-depth Analysis
ASEC REPORT Vol.95 | Security Trend
A threat group known as 'Tick' has been steadily carrying out attacks from 2008 through the second quarter of 2019. The group has been active in Korea in earnest since 2014, and its targets include the defense industry, political organizations, and the security, IT and electronics industries. The Tick group is also known to identify the security vulnerabilities of its targets in advance. In particular, the Tickusb attack can infect the secure USB flash drives (USB memory) in use at an enterprise and propagate malicious code through them, and the resulting impact on the domestic IT environment and infrastructure is already considerable.

This report examines the Tick group's attacks that target major domestic corporations and institutions and use USB flash drives to steal information, centering on actual attack cases, together with the correlations and techniques of the Tickusb malicious code analyzed by AhnLab Security Emergency-response Center (ASEC).
1. Tickusb Attack Trends

'Tickusb' is malicious code created by the Tick attack group to leak confidential information from domestic companies using USB flash drives; it was active from spring 2014 to November 2017. [Figure 2-1] shows the overall relationships among the Tickusb malicious code used by the Tick attack group. Some Tickusb variants exist as a single standalone file, but most consist of a DLL file and an EXE file.

Figure 2-1 | Overall Tickusb relationship diagram

When the malicious DLL file runs, it creates a log file in a specific path and checks whether a USB flash drive is connected. If a USB flash drive is connected to the system, it runs the malicious EXE file and downloads additional files. The malicious EXE files perform slightly different functions depending on the variant, but they collect information about the files on the drive. Some variants also modify the EXE files on the USB flash drive. When a USB flash drive containing a modified EXE file is connected to another system and the file is run, that computer is also infected with Tickusb.

[Figure 2-2] is a timeline showing the changes in the Tickusb malicious code.
Figure 2-2 | Tickusb timeline

The initial version is presumed to have been created before 2014, and in 2014 a variant with the file name cryptbase.dll appeared. In September 2014, a variant that modifies EXE files on USB flash drives was created. In 2015, variants consisting of a DLL file and an EXE file were created, and at the beginning of June 2015 the attacker used a tool that patches files on the victim system so that they load the malicious DLL. From October 2016 to November 2017, the file name of the malicious DLL was changed to wincrypt.dll.

[Table 2-1] summarizes the major attacks using Tickusb in chronological order.
Discovered | Files | Contents
2014.3 | ?.exe | Estimated build September 2012. First analyzed publicly by Unit 42 in 2018. Its code differs significantly from other Tickusb variants, and it is estimated to be an early version of Tickusb.
2015.4 | CRYPTBASE.dll | Estimated build December 2014. Standalone DLL type. Collects system information and file information from USB flash drives.
2015.6 | BrStMonW.exe, BrWeb.dll, wsmt.exe | Modifies the BrStMonW.exe file associated with Brother printers so that it loads BrWeb.dll. Downloads msupdata.exe. Modifies EXE files on the USB flash drive and patches ALYAC25.exe.
2015.6 | CRYPTBASE.dll, svcmgr.exe | Estimated build February 2015. Checks for a specific secure USB connection. Modifies EXE files on the USB flash drive and patches ALYAC25.exe.
2015.7 | ?.dll (unidentified), ctfmon.exe | Estimated build September 2014. Modifies EXE files on the USB flash drive and patches ALYAC25.exe.
2015.7 | CRYPTBASE.dll, svcmgr.exe (unconfirmed) | Estimated build November 2014.
2016.10 | wincrypt.dll, wsmt.exe (unconfirmed) | -
2017.01 | wincrypt.dll, wsmt.exe (unconfirmed) | -
2017.11 | wincrypt.dll | Standalone DLL type.

Table 2-1 | Major attacks using Tickusb
The Tickusb dropper was discovered in March 2014. Since the build date of the malicious code it creates is in 2012, it is probable that the attack was already active before 2014. The code of this variant differs from that of the other Tickusb variants, and it is estimated to be an early version of Tickusb.

In April 2015, the Tickusb variant Cryptbase.dll was discovered. Unlike other Tickusb variants, it is a DLL-only type. It has the same export functions as the normal Windows CRYPTBASE.dll file, and the path where it was found is %ProgramFiles%\common files\java\java update\cryptbase.dll. It is assumed to be loaded when a Java-related program is executed.

In the attack that occurred on June 1, 2015, a variant consisting of a DLL file and an EXE file was found. The attacker patched the Brother printer driver file BrSrMonW.exe so that running it loads the malicious DLL file BrWeb.dll. The EXE file gained the ability to find and modify EXE files on the USB flash drive. In addition to the Tickusb malicious code, Secure Unlock win.exe, which acts as a dropper, and Bisodown and Ghostdown variants, which act as downloaders, were also found.

In October 2016, the Tickusb variant wincrypt.dll (16572393021beea366679e80cc78610c) was discovered, and variants with the same file name continued to be found until November 2017.
2. Malicious Code Analysis

Droppers, downloaders and other files related to the Tickusb malware have been found, but the specific infection method has not been confirmed. However, comparing the code of the collected installation files with the file-modification code on USB flash drives infected with Tickusb confirmed that some of the droppers are actually EXE files modified by Tickusb. In addition, the attacker did not configure the Tickusb malware to run automatically when Windows boots; it runs only when the patched program is executed. This appears to be intended to keep the user from discovering the malicious code. Let us look at the droppers, downloaders, patchers and loaders the attacker used in Tickusb attacks.
2-1) Dropper

Tickusb malware has been found to be associated with several droppers. One of them, Aya.exe (b76d2b33366c5ec96bc23a717c421f71), is a Go (baduk) game file, as shown in [Figure 2-3]. When the game is launched, the initial version of Tickusb (6f665826f89969f689cba819d626a85b) is created. The Aya.exe file was collected in March 2014 in AAPL, and judging from the build time of the dropped file, it appears to have been active before 2014.

Figure 2-3 | Aya.exe execution screen

The Secure Unlock win.exe file (bb8c83cfd133ab38f767d39605208a75) is the dropper used in the domestic attack in early June. It is a modified form of a normal program, and when the program is executed it creates the wsktray.exe file (3c6e67fc006818363b7ddade90757a84) in the temporary folder. When creating the file, it appends garbage data to the end of the file, making it more than 34 megabytes long. The created file is a Bisodown variant that downloads other malware.

Other droppers, Portable SecretZone.exe (dbc10f9b99cc03e21c033ea97940a8c2), pNDPS (V2.11).exe (c865b83a2096642b0de3e2880e63ab0e) and NEW_GOMPLAYERSETUP.exe (0a4bec5fc88406d126aa106a7c0aab87), use the same Bisodown variant file (e470b7538dc075294532d8467b1516f8). Of these, the SecretZone.exe and pNDPS (V2.11).exe files are assumed to have been infected (modified) by a Tickusb variant.
2-2) Downloader - Ghostdown

On systems infected with the Tickusb malware, a Ghostdown variant acting as a downloader was also found. Ghostdown is malicious code first found in February 2013 that remained active until February 2018; its variants (4868fd194f0448c1f43f37c33935547d, 62ee703bbfbd5d77ff4266f9038c3c6c) were also found.

Figure 2-4 | Characteristic strings of the Ghostdown variant (4868fd194f0448c1f43f37c33935547d)

Figure 2-5 | Decryption result of the encrypted C&C string

[Figure 2-4] shows the characteristic strings of the Ghostdown variant. The main strings, such as API names and connection addresses, are encrypted; in the initial version, the connection address and key strings are encrypted with the XOR key 0xDF.

Figure 2-6 | iff.exe execution screen

The initial Ghostdown variants used www.poi.cydisk.net, www.kot.gogoblog.net and similar addresses as C&C servers; all of these addresses were created with the service www.dnserver.com. [Figure 2-5] shows the result of decrypting the encrypted C&C string. It shows that the Ghostdown variant found on the Tickusb-infected system in 2016 used www.memsbay.com:443 as its C&C address, that is, a cloud service.
2-3) Patcher - iff.exe

iff.exe (e84f29c45e4fbbce5d32edbfeec11e3a) acts as a patcher that modifies a target EXE file so that it executes a specific EXE file or loads a specific DLL file. The iff.exe file found on the Tickusb-infected system is assumed to have been added after the attacker infiltrated the system.

As shown in [Figure 2-6], iff.exe takes as arguments the patch method, the file to be modified, and the file to be executed or the DLL file to be loaded. The -b option modifies the target EXE file by appending the executable to its end, and the -l option modifies the target EXE file so that it loads a specific DLL file.

As shown in [Figure 2-7], an EXE file modified by iff.exe contains the infection identifier string '.texe'.

Figure 2-7 | Patch results by iff.exe 1

The entry point is also changed to a jump instruction so that the added code executes first.

Figure 2-8 | Patch contents by iff.exe 2

The code added with the -b option, shown in [Figure 2-9], loads the necessary APIs (Application Programming Interfaces), then writes the contents of the executable appended to the end of the modified file into the %temp% folder as a file and executes it. Judging from the text on the iff.exe execution screen, this appears to be intended for adding a downloader that fetches other malware.

Figure 2-9 | Code added by iff.exe -b

As shown in [Figure 2-10], the executable file to be run (beginning with MZ) is appended to the end of the modified file. Therefore the total file length increases by the length of the appended file.

Figure 2-10 | Code at the end of the modified file

The -l option finds an empty area in the target EXE file and overwrites it with code that loads the specified DLL file. Therefore, if there is not enough empty space in the file, no modification occurs, and even when the modification does occur, the file length of the target EXE file does not change.
2-4) Loader - BrStMonW.exe

On June 1, 2015, the attacker used the iff.exe file to patch the BrStMonW.exe file (d536f5f929ddd2472a95f3356f7d835c) of the Brother printer program. Through this patch, BrStMonW.exe was modified to load the malicious BrWeb.dll file first when it is run. The entry point was also modified, as shown in [Figure 2-11], so that the added code at address 0x004972EF executes first.

Figure 2-11 | Entry point modified with a JMP instruction

Another characteristic is that, since the arbitrary code is overwritten into an empty area of the BrStMonW.exe file, the file length does not change after modification. The code of the modified BrStMonW.exe file is shown in [Figure 2-12].

Figure 2-12 | Modified BrStMonW.exe

Figure 2-13 | Added code that loads a specific DLL

As shown in [Figure 2-13], the code added by iff.exe loads the specific DLL (BrWeb.dll) into memory and then executes it. As a result, the Tickusb malicious code runs only when the printer is used, which makes it difficult to detect.

Using a patcher such as iff.exe, an attacker who has broken into a system can select a program and run additional malicious code through the process of patching it.
3. Tickusb Variant Analysis

Tickusb usually consists of a DLL file and an EXE file, although some variants are a single DLL or EXE file. The Tickusb DLL file checks whether a USB flash drive is connected to the system and, if so, executes the malicious EXE file. The EXE file executed at this point collects information and modifies the executable files on the flash drive. Let us examine the DLL and EXE files that make up Tickusb in detail.

3-1) Tickusb DLL Analysis

The files used as Tickusb DLLs are BrWeb.dll, CRYPTBASE.dll and wincrypt.dll. Among them, CRYPTBASE.dll has the same file name as the Windows file that provides cryptography-related functions. It also has the same export functions as the Windows CRYPTBASE.dll, so it can be loaded by any program that loads CRYPTBASE.dll; the program that loads the malicious CRYPTBASE.dll is assumed to be one that uses cryptographic functions.

The Tickusb DLL file acts as a loader and contains the name of the log file to create, the path of the EXE file to execute, the drive type, and so on. [Figure 2-14] shows the main strings of the Tickusb DLL file.

Figure 2-14 | Key strings of the Tickusb DLL file

The Tickusb DLL CRYPTBASE.dll (bcb56ee8b4f8c3f0dfa6740f80cc8502), discovered in April 2015, is a DLL-only type with no additional EXE file. When the DLL runs, it creates the Credentials.dat file and a TAG file (C:\WINDOWS\system32\CatRoot\{375EA1F-1CD3-22D3-7602-00D04ED295CC}\TAG) and collects system information with netstat.exe. It also checks whether VPN_Cliend.exe and IPPEManager.exe are present on the server.

The Tickusb DLL BrWeb.dll (9b31a5d124621e244cede857300f8aa6), found in June 2015, is disguised as a Brother printer-related file and was found in C:\Program Files (x86)\browny02\brother and C:\Program Files (x86)\ControlCenter4. As shown in [Figure 2-15], it is loaded when the patched printer-related file BrStMonW.exe is executed, and the BrWeb.dll file creates Credentials.csv (%USERPROFILE%\AppData\Roaming\Microsoft\Credentials\Credentials.csv).

Figure 2-15 | Tickusb relationships in the June 2015 attack

It also creates a mutex named 'WinsMutexIII' and creates three threads. The first thread (0x10004774) executes the wsmt.exe file (C:\WINDOWS\System32\migration\WSMT\wsmt.exe) if a USB flash drive is connected to the system. The second thread (0x100045cd) reads the basev1.xsd file (C:\Windows\schemas\AvailableNetwork\basev1.xsd) and looks for specific processes through their windows (FindWindow); basev1.xsd presumably contains the list of processes to look for. The third thread (0x100035f0) checks the system date and, on Sundays and Thursdays, downloads a file from http://update.saranmall.com/script/main.html, saves it as MSUPDATA.EXE and runs it.

msupdata.exe is a file name often used for downloaders by the Tick attack group. From October 2016, the DLL's file name was changed to wincrypt.dll, and variants with this file name were found until November 2017.
3-2) Tickusb EXE Analysis

The Tickusb EXE file collects the list of files on the USB flash drive or modifies EXE files, and files such as cftmon.exe, svcmgr.exe and wsmt.exe were confirmed. The EXE file contains infection-related strings, log strings associated with USB flash drives, and so on; the main strings are shown in [Figure 2-16].

Figure 2-16 | Key strings of the Tickusb EXE file

The EXE variant found in June 2015 (29875836605c26f7c78fc91bb2cff95d) added the ability to collect file information from the USB flash drive and to modify EXE files. When the EXE file runs, it creates the FlashHistory.dat file (C:\Users\Default\AppData\Local\Microsoft\Windows\History\FlashHistory.dat).

Figure 2-17 | Contents of FlashHistory.dat

Some variants find and modify EXE files on the USB flash drive. The method is to append a specific file (for example, C:\Windows\AppPatch\Custom\Custom64\apihex.dat) to the end of the target EXE file so that it is executed.

Some Tickusb samples found between 2012 and 2014 were confirmed to read data from a specific area of certain secure USB flash drives made by domestic companies and execute it. Such attacks are estimated to be aimed at networked enterprise systems.
4. Analysis of EXE Files Modified by Tickusb Variants

As we have seen, some Tickusb variants have evolved to find and modify EXE files on USB flash drives. A modified EXE file has its entry point changed so that specific code executes, which then runs the executable appended to the end of the file. The appended executable has not been confirmed, but judging from the modified files, it is assumed to be a downloader.

Figure 2-18 | Modified EXE

Portable SecretZone.exe (dbc10f9b99cc03e21c033ea97940a8c2) and pNDPS (V2.11).exe (c865b83a2096642b0de3e2880e63ab0e), which act as droppers, carry the same downloader (e470b7538dc075294532d8467b1516f8).

The Tickusb variant discovered in June 2015 finds EXE files on the USB flash drive and modifies them by appending the apihex.dat file (C:\Windows\AppPatch\Custom\Custom64\apihex.dat) to the end of the EXE file.

The analysis confirmed that the code added to the modified EXE files is similar to the code of the files known as droppers. Therefore these files are assumed to be EXE files modified by Tickusb variants rather than droppers. [Figure 2-19] compares the code of the two files.

Figure 2-19 | Comparison of the Tickusb-infected file code and the file known as the dropper

The infection identifiers are also similar. As shown in [Figure 2-20], an EXE file modified by a Tickusb variant characteristically contains '.texe'.

Figure 2-20 | Tickusb dropper containing the '.texe' string

Figure 2-21 | Initial Tickusb dropper containing the '.ext' string

The file that drops the early version of Tickusb found in March 2014 (b76d2b33366c5ec96bc23a717c421f71) contains '.ext' as an infection identifier, as shown in [Figure 2-21]. This file, too, is presumed not to be a dropper but a file modified by a Tickusb variant.
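The '.texe' marker, the redirected entry point and the executable appended after the last section described for iff.exe in 2-3 and for the modified USB files in this section are static properties a defender can check for. The following is an added example, not code from the report or from AhnLab: a minimal pure-Python PE reader that reports whether a file carries the '.texe' string, whether an MZ image sits in the overlay after the last section (the -b layout, which grows the file), and whether the entry point begins with a JMP whose target can be inspected (the -l layout leaves the length unchanged, so only the redirected entry is visible statically). The build_sample_pe helper constructs a synthetic single-section PE so the check runs offline; its layout and the JMP heuristic are assumptions made for illustration.

```python
import struct

# Infection identifier the report observed in EXE files patched by iff.exe / Tickusb variants
TEXE_MARKER = b".texe"


def parse_pe(data):
    """Return (entry_rva, sections) for a PE32/PE32+ image; each section is
    (name, virtual_address, virtual_size, raw_pointer, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]         # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]    # SizeOfOptionalHeader
    opt = pe_off + 24                                            # optional header start
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
    return entry_rva, sections


def rva_to_offset(rva, sections):
    """Map an RVA to (file_offset, section_name), or (None, None) if unmapped."""
    for name, va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va), name
    return None, None


def scan_for_tickusb_patch(data):
    """Static checks for the patch layout the report describes (heuristic, not a signature)."""
    entry_rva, sections = parse_pe(data)
    image_end = max(raw_ptr + raw_size for _, _, _, raw_ptr, raw_size in sections)
    overlay = data[image_end:]                                   # bytes after the last section
    entry_off, _ = rva_to_offset(entry_rva, sections)
    result = {
        "texe_marker": TEXE_MARKER in data,                      # '.texe' infection identifier
        "appended_mz": b"MZ" in overlay,                         # -b layout: image appended, file grows
        "overlay_size": len(overlay),
        "entry_jmp_target": None,                                # (rva, section) when entry is JMP rel32
    }
    if entry_off is not None and entry_off < len(data) and data[entry_off] == 0xE9:
        rel = struct.unpack_from("<i", data, entry_off + 1)[0]
        target = entry_rva + 5 + rel
        result["entry_jmp_target"] = (target, rva_to_offset(target, sections)[1])
    # The marker and the appended image are strong signals; a JMP at the entry point alone is
    # only a lead for an analyst (packers use it too), so it is reported but not scored.
    result["suspicious"] = result["texe_marker"] or result["appended_mz"]
    return result


def build_sample_pe(appended=b"", jmp_to=None):
    """Constructed sample: a minimal single-section PE32, not a real binary.
    jmp_to: RVA the entry point should JMP to; appended: bytes placed after the section."""
    text_va, raw_ptr, raw_size = 0x1000, 0x200, 0x200
    if jmp_to is None:
        code = b"\xC3"                                           # ret
    else:
        code = b"\xE9" + struct.pack("<i", jmp_to - (text_va + 5))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", text_va) + b"\0" * (0xE0 - 20)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", raw_size, text_va, raw_size,
                                                   raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sec).ljust(raw_ptr, b"\0")
    return headers + code.ljust(raw_size, b"\0") + appended


if __name__ == "__main__":
    print(scan_for_tickusb_patch(build_sample_pe()))
    print(scan_for_tickusb_patch(build_sample_pe(b"MZ" + b"\0" * 62 + TEXE_MARKER, jmp_to=0x1100)))
```

Running the block prints the result for a clean sample and for one laid out like an iff.exe -b patch; on real files, feed the bytes of the suspect EXE to scan_for_tickusb_patch.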
5. Analysis of Additionally Installed Files

On systems infected with the Tickusb malware, a keylogger, an ARP spoofer, a port scanner and Mimikatz were additionally installed. Let us look at these additional files used in the Tickusb attack.

5-1) Keylogger Type C

Keyloggers were found on some Tickusb-infected systems. The keyloggers found between April 2017 and February 2018 mainly used file names such as apphelp.dll, linkinfo.dll and netutils.dll. The key strings used by the keylogger are shown in [Figure 2-22], and the keystrokes entered by the user are stored in the debug.log file.

Figure 2-22 | Keylogger key strings

5-2) ARP Spoofer - hwp70.exe

The attacker carried out the attack by disguising the tool as a file related to the Hangul word processor. The malicious EXE file hwp70.exe (026ae46934eca5862db4dfc8c88c720a) was found in the Hangul folder (C:\HNC\Hwp70) of a Tickusb-infected system. It is presumed to be the Hijack tool that performs ARP spoofing, and its execution screen is shown in [Figure 2-23].

Figure 2-23 | Hijack execution screen

5-3) Port Scanner ScanLine - l.dat

In 2016, the attacker used a packed version of ScanLine (a353b591c7598a3ed808980e2b22b2a2), the port scanner from Foundstone, in the attack. It was used on many systems, under the file names msp.exe, ls.tmp and sl-p.exe. [Figure 2-24] shows ScanLine being executed.

Figure 2-24 | ScanLine execution screen

5-4) Mimikatz - mi.exe, mi2.exe

The attacker used the Mimikatz variants mimi 2.1 (3fe76cf644e045b8620d577c2366630a) and mimi 2.1.1 (b108df0bd168684f27b6bddea737535e). The file names mi.exe and mi2.exe are also the ones mainly used by the Tick attack group. [Figure 2-25] and [Figure 2-26] are the execution screens of mimi 2.1 and mimi 2.1.1, respectively.

Figure 2-25 | mimi 2.1 execution screen

Figure 2-26 | mimi 2.1.1 execution screen
6. Conclusion

Most major corporations and organizations use networked systems, so it is easy to overlook security updates or neglect security regulations. The Tick attack group, which has been constantly attacking companies for the past 10 years since 2008, has continued its attacks using various techniques, from spear phishing and watering hole attacks to infecting EXE files on USB flash drives with malicious code.

In particular, to prepare for attacks such as Tickusb, organizations should refrain from using USB flash drives or verify the hash of an executable before running it from a USB flash drive, and take care to confirm that no malicious code infection has occurred during the file transfer process.

The V3 product family detects the Tickusb-related malicious code under the following names.

<V3 Family Diagnostics>
- HackTool/Win32.Hijack
- HackTool/Win32.Mimikatz
- HackTool/Win32.Tickpatcher
- Trojan/Win32.Agent
- Trojan/Win32.Homamdown
- Trojan/Win32.Loader
- Trojan/Win32.Tickusb
7. Indicators of Compromise (IoC)

Representative file names
apphelp.dll
BrWeb.dll
CRYPTBASE.dll
igfext.exe
linkinfo.dll
msupdata.exe
svcmgr.exe
wincrypt.dll
wsmt.exe

Hashes (md5)
Domains, URLs and IP addresses
127.0.0.1/jscript/timepill.html
pre.englandprevail.com/km/news/index.htm
update.saranmall.com/script/main.html
www.memsbay.com:443