• Skip to primary navigation
  • Skip to main content
  • Skip to footer
lab52

lab52

The threat intelligence division of S2 Grupo

  • Home
  • Faq
  • Blog
  • About
  • Contact

Intelligence operation against targets in Indonesia

February 12, 2020

Lab52 has detected malicious activity targeting Indonesian victims. This activity could be linked to an intelligence operation. We have been tracking this activity since December 27th of 2019

The main tools of this threat actor, are built as DLL files, and launched with this commands:

  • “C:\Windows\System32\rundll32.exe” shell32.dll,ShellExec_RunDLL regsvr32 /s C:\ProgramData\pubpool.dll /i:process104.dll
  • “C:\WINDOWS\system32\regsvr32.exe” /s C:\ProgramData\pubpool.dll /i:process104.dll
process100.dll 5813497bde09577bd1adf24b02707918bb15af62 Uploaded to Virus Total Intelligence on 12-07-2019 from Indonesia.
runtime_report.dll 1815820307a23b99d93e7307ade8b6443bbb8e96 Uploaded to Virus Total Intelligence on 2019-07-17 12:29:35 from Indonesia.
process104.dll f09176a5130c17356ad2aa5850ca14a0a02a9ded Uploaded to Virus Total Intelligence on 2019-07-17 12:29:10 from Indonesia
pubpool.dll e7b27d5e936d8dedc55ebe4ff64020d1bf4238b2Uploaded to Virus Total Intelligence on 2019-07-17 12:29:26 from Indonesia

Pubpool.dll is used as a loader for three more encrypted dll that have been found during the incident research:

1. pubpool.dll file

Lab52 has analyzed pubpool.dll and this component has code to decrypt and load files, working as a dll loader. In the next picture, you can see one example of a dll being decrypted by pubpool in memory:

library loaded in memory.

2. process104.dll file

When we launch pubpool.dll with process104.dll as parameter, this dll maps this section:

process104.dll is decrypted and mapped as inject_usb.dll. It’s main purpose is to infect USB devices.

This library exports a function named “done”. The function can be seen in the next picture:

“Done” function checks for the existence of a mutex and starts if there isn’t another instance in execution. Inject_usb.dll creates a folder named “.Recycle Bin” in every removable device and a log file named “si.log”.

3. process100.dll file

When we launch pubpool.dll with process100.dll as a parameter, this dll maps the next sections:

process100.dll is decrypted and mapped as inject_host.dll. This module execute the malware. In the next pictures there is some IOCs:

One LNK example:

4. runtime_report.dll file

When we launch pubpool.dll with runtime_report.dll as parameter, the loader maps this section:

runtime_report.dll is decrypted and mapped as TinyMet.dll. This module deploys TinyMET[1], a “tiny” meterpreter stager.

This TinyMet version has a Mutex TEST_9I89JNDBPWQ9ND:

TinyMet connects to Internet using a Hardcoded domain and User-Agent that can be seen in the next picture:

  • Domain: musicstore.global.ssl.fastly[.]net
  • User-Agent: Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)

5. CONCLUSION

Lab52 has the hypothesis that this infection is part of an intelligence operation. It’s a malware developed by a threat actor (currently, it’s not possible to identify the malware family). Attribution is not possible with the information handled by Lab52.

ml10

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Related

Some thoughts about Laundry Bear
May 27, 2025
Tags: APT, GRU, Russia
GRU: Military Unit 54777
February 03, 2025
GRU military unit 29155
October 11, 2024
Tags: cyberwar, GRU

Footer

Copyright &copy Lab52 2019 by S2 Grupo | Legal notice | Cookie policy | Privacy policy