A new sample has been uploaded to VirusTotal, and its characteristics strongly resemble QUARTERRIG, a malware recently analyzed by CERT.PL and linked to APT29. In said analysis, the campaign was named “Note“. Based on the aforementioned report, the purpose of this post is to show the new features of this new campaign that we named “Information“.
The hash of the sample made public in VirusTotal is b422ba73f389ae5ef9411cf4484c840c7c82f2731c6324db0b24b6f87ce8477d, and only 3 antivirus engines target the sample as malicious during the writing of this post.
APT29 is a hacker group allegedly affiliated with one or more Russian intelligence agencies. It is a sophisticated group that has been carrying out attacks against European governments and diplomatic agencies since 2008.
The main entry vector for APT29 is email. Using this input vector, attackers attach a PDF with a link that will download an ISO.
New campaign: “Information”
This new campaign, which will be referred to as Information, contains a structure very similar to the Note campaigns shown in the CERT.PL report. The samples analyzed in that report are from March. However, from Lab52, we have observed a change in the operation of this type of malware since April, and in the latest analyzed samples, the injection method has varied. In this post, we use one of the latest samples to highlight the new changes in the mechanisms employed.
This time the file containing the shellcode is located in a file called “dbg.info” unlike what we have been observing in previous campaings. The Information.iso contains:
- AppvlsSubsystems64.dll – DLL used to load a legitime system DLL and inject the shellcode into it.
- dbg.info – shellcode.
- Information .exe – Legitime binary signed by Microsoft. This will be use to load AppvlsSubsystems64.dll (by DLL Side-Load).
The compilation date for AppvIsvSubsystems64.dll in this new campaign is more recent than the previous one. This could suggest that changes were made to improve the sample.
This post focuses on the main diferences between the previous campaing and the new one, in order to contribute to the community. The most noticeable change is the injection technique. Nevertheless some addional notes are added for the curious.
The objective is the same: the executable (Information.exe in this case) will be used to execute two DLLs. The first DLL is AppvlsvSubsystems64.dll, that will be loaded by the process as part of its execution. The second DLL will be loaded by AppvlsvSubsystem64.dll. In this case, however, the second DLL will be carefully modified with different techniques in order to minimize the detection methods.
Therefore, Information.exe, that is a legitime binary, will be the container for the malware to be executed. In order to do that, it will load AppvIsvSubsystems64.dll who needs to identify a suitable system DLL to be modified – with the shellcode – before the load in Information.exe. The main changes are located in AppvIsvSubsystems64.dll. Also, the command and control (C2) varies.
The following diagram describes the infection chain analysed in this post.
Description of the APIs
When running the sample, the first difference lies in how the AppvIsvSubsystems64.dll loads the functions needed for the execution. In the “Note” campaing, the funcions are loaded at an early stage than the Information campaign. Moreover, the decription in this last case occurs at a different point, later in during the execution.
The way in which the sample injects shellcode into memory also varies from campaign to campaign. As can be seen in the report, “Note” reserves a memory space in its process and writes the shellcode into it.
In this case the injection process is more sophisticated, the injection will be triggered by modifying the .text section of legitimate libraries. The following actions are performed by AppvIsvSubsystems64.dll.
In order to do that, first it goes through each of the DLLs stored in System32.
Next check the size of the DLL, it will only be a candidate if it has a size greater than or equal to 782629 bytes (Shellcode size).
The sample also checks that the candidate DLL is not already loaded in the executable (Information.exe). That is, the following list are the DLLs already loaded in Information.exe, and, therefore, discarded by the malware:
After said checks, the malware has a set of candidate DLLs. The DLL selected for injection will vary in each execution, thanks to a randomization function implemented in the sample. A list of candidate DLLs by default – those that satisfy the requirements needed by the malware – in Windows 10 64b is provided at the end of this post. This may vary depending on the operating system. However, following the steps in this post is not difficult to prepare your own script. A similar technique is described in the Netero1010 post.
The malware selects the DLL used for the injection as follows.
First, it uses the system time as a seed to apply a series of arithmetic operations on it. The result will be the seed of the next DLL to be checked.
Interestingly, the values it uses for multiplication and addition are identical to those provided in a “Holiday Hack Challenge 2019” challenge organized by SANS. In particular, in the challenge there is a function called “super_secure_random” that performs the same operations with the same operands to a seed (“state”).
Finally, it checks if this resulting number is a multiple of 25 and if it is, it continues with the injection.
Once the DLL has been chosen, the sample accesses the library with CreateFileW (in the execution used to take the pictures for this example the DLL selected was “AppContracts.dll”).
At this point, the sample reads the headers of the libraries to pass a round of checks again. First, look at the “Magic” value to verify that it is a 64-bit system DLL (PE64).
Another comprobation is to check the “SizeOfImage” field, which refers to the size to reserve in memory to load the executable. If it is less than 782629 bytes (shellcode size), it is discarded.
Finally, the sample checks the size of the “.text” section (where the shellcode will be injected) and verifies that it is larger than 782629 bytes.
Unfortunately, at this point AppContracts.dll (the DLL selected in this execution) does not meet the injection requirements, and the search for the next optimal DLL is AppxPackaging.dll, in this example.
After this screening, the malware will have about 283 candidates for injection in the system used. At the end of the post you will find a table with the possible DLLs in which the malware could be injected, consiering the size required for the injection by this sample (782629) and the system where it be executed.
At this point, the chosen DLL (in this example, at this moment, AppxPackaging.dll) is ready to receive the shellcode, using the following injection method.
Step1. Subsequently, it makes a call to NtCreateSection to create a memory section in the process.
Step2. And map the library in that section with ZwMapViewOfSection.
Step3. Once the library is mapped in memory, the write permissions are modified to be able to write the shellcode in it. The address pointed to by VirtualProtect corresponds to the “.text” section of the DLL.
Step4. After that, write the shellcode in the “.text” section.
Step5. Finally the malware changes the permissions of the “.text” section back to “EXECUTABLE_READ” again.
Once the shellcode is loaded, the execution is identical to what can be seen in the QUARTERRIG report of CERT.PL, but with a different C2. In this case, the actors use the URL hxxps:]]//pizzais.com/order.php.
As mentioned before, Lab52 has observed the evolution in techniques since April. Specifically, here we provide an additional hash of a different file published on VirusTotal that uses this injection technique, found during the writing of this post.
|C71EC48A59631BFA3F33383C1F25719E95E5A80936D913AB3BFE2FEB172C1C5E||Notes.iso injecting the shellcode in the .txt section of the DLL||28/04/2023|
Therefore, at the least in a previous registered case, the .iso file still bears the name “Note.iso,” which could indicate that the new technique was already in use in some samples of the previous campaign. However, the most recent observations show a change in their name to “Information”.
Just as QUARTERRIG was the evolution of HALFRIG, in this new campaign APT29 has modified the logic of its dll loader “Applvsubsystem64.dll” to make it more sophisticated.
The fact of using legitimate random DLLs for injection instead of the process memory itself, adds another layer of complexity to the way the shellcode is loaded.
A list of system candidates to be injected is provided in this post. However, it must be considered carefully because these are extracted of a specific system, following the previous steps. The analysts can follow the steps mentioned here in order to build their own script to get the list of DLL candidates to be used by the authors this new campaing.
Indicators of Compromise (IOC)
|C:\Users\user\AppData\Local\MSOfficeUpdate\||AppvIsvSubsystems64.dll, Information .exe, dbg.info|
Candidate system DLLs for injection
The following DLLs will pass the checks for this sample (size and other requirements). This list may vary on the target system depending on the version and the system software installed. Please check.