{"id":1943,"date":"2023-05-05T22:27:38","date_gmt":"2023-05-05T20:27:38","guid":{"rendered":"https:\/\/lab52.io\/blog\/?p=1943"},"modified":"2023-05-22T11:32:52","modified_gmt":"2023-05-22T09:32:52","slug":"1943-2","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/1943-2\/","title":{"rendered":"Let&#8217;s talk about the malware used by Mustang Panda"},"content":{"rendered":"\n<p>In the last post, <a href=\"https:\/\/lab52.io\/blog\/new-mustang-pandas-campaing-against-australia\/\">Lab52 covered Mustang Panda\u2019s new campaign against Australia<\/a>. Now it is time to talk about the malware used by the APT group <a href=\"https:\/\/attack.mitre.org\/groups\/G0129\/\">Mustang Panda<\/a> in that campaign.<\/p>\n\n\n\n<p>The malware used in the attack is not entirely new: earlier reports from <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/k\/earth-preta-spear-phishing-governments-worldwide.html\">TrendMicro<\/a> and <a href=\"https:\/\/blog.talosintelligence.com\/mustang-panda-targets-europe\/\">Talos<\/a> describe similar tactics and procedures. However, some of the aspects highlighted below differ from those reports, and defenders should know about them in order to tune their detection systems.<\/p>\n\n\n\n<p>In summary, this post covers the following aspects:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>It continues the previous post <strong>from a &#8220;malware&#8221; perspective<\/strong>, detailing the piece of malware used in this campaign. 
<\/li><li>The <strong>encryption algorithm<\/strong> used during Stage 2 differs from the ones described in similar reports.<\/li><li>Both <strong>shellcodes (Stage 2 and Stage 3)<\/strong> are new artifacts that had not been published before.<\/li><li><strong>Two commands of the Stage 3 shellcode<\/strong> (keep alive and close shell) were identified during the analysis and are not covered in earlier reports.<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Stage 1: Execution and persistence<\/h2>\n\n\n\n<p>The analysis starts with a zip file called &#8220;Biography of Senator the Hon Don Farrell.zip&#8221;. As mentioned in <a rel=\"noreferrer noopener\" href=\"https:\/\/lab52.io\/blog\/new-mustang-pandas-campaing-against-australia\/\" target=\"_blank\">the previous article<\/a>, Senator the Hon Don Farrell is Australia\u2019s Minister for Trade and Tourism, which makes the lure plausible for the targeted audience.<\/p>\n\n\n\n<p>The zip file contains two files. The first is a <strong>legitimate PDF processing application<\/strong>, <strong>Solid PDF Creator<\/strong>, renamed to &#8220;Biography of Senator the Hon Don Farrell\/Biography of Senator the Hon Don Farrell.exe&#8221;. The second is a malicious DLL named <strong>SolidPDFCreator.dll<\/strong>, the name of the library the legitimate executable expects to load. 
The malicious DLL is executed through <strong>DLL side-loading<\/strong>: when the user runs the renamed executable, it loads SolidPDFCreator.dll from its own directory, so the attacker\u2019s library is loaded in place of the legitimate one.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>File<\/th><th>SHA-256<\/th><\/tr><\/thead><tbody><tr><td>Biography of Senator the Hon Don Farrell\/Biography of Senator the Hon Don Farrell.exe<\/td><td>e2acbc36c2cce4050e34033c12f766fea58b4196d84cf40e979fac8fed24c942<\/td><\/tr><tr><td>SolidPDFCreator.dll<\/td><td>3c4671b4a0c3e7da186bd356e07cf0daca7267addde668044b1ded42c6dbe09b<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"725\" height=\"122\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f1.png\" alt=\"\" class=\"wp-image-1947\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f1.png 725w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f1-300x50.png 300w\" sizes=\"(max-width: 725px) 100vw, 725px\" \/><figcaption>Files used by the malware<\/figcaption><\/figure><\/div>\n\n\n\n<p>Once loaded, the payload checks whether it is running from the path &#8220;<strong>C:\\Users\\Public\\Libraries\\PhotoTvRHD<\/strong>&#8221;. 
If it is not, it creates that folder and copies the contents of the zip file into it.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"686\" height=\"181\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f2.png\" alt=\"\" class=\"wp-image-1948\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f2.png 686w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f2-300x79.png 300w\" sizes=\"(max-width: 686px) 100vw, 686px\" \/><figcaption>Check for the binary <\/figcaption><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"780\" height=\"152\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f3.png\" alt=\"\" class=\"wp-image-1949\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f3.png 780w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f3-300x58.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f3-768x150.png 768w\" sizes=\"(max-width: 780px) 100vw, 780px\" \/><figcaption>Operation to write the file in the path<\/figcaption><\/figure><\/div>\n\n\n\n<p>It then runs the following command line, which copies the DLL into the staging folder, sets up persistence through a <strong>Run key<\/strong> (value <strong>SolidPDF<\/strong> under HKCU) and creates a scheduled task, also named <strong>SolidPDF<\/strong>, that <strong>executes the payload every minute<\/strong>. Both point at SolidPDFCreator.exe inside C:\\Users\\Public\\Libraries\\PhotoTvRHD, so the side-loading chain is re-triggered every minute. Two details are useful for hunting: C:\\Users\\Public is writable by any local user, and the command is launched through the 32-bit cmd.exe in SysWOW64, consistent with a 32-bit host process under WOW64 file system redirection.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>C:\\Windows\\SysWOW64\\cmd.exe \/C copy SolidPDFCreator.dll C:\\Users\\Public\\Libraries\\PhotoTvRHD\\SolidPDFCreator.dll &amp; reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" \/v SolidPDF \/t reg_sz \/d \"C:\\Users\\Public\\Libraries\\PhotoTvRHD\\SolidPDFCreator.exe\" \/F &amp; schtasks \/F \/Create \/TN SolidPDF \/SC minute \/MO 1 \/TR 
C:\\Users\\Public\\Libraries\\PhotoTvRHD\\SolidPDFCreator.exe<\/td><\/tr><\/tbody><\/table><figcaption>Command executed<\/figcaption><\/figure>\n\n\n\n<p>If it is already running from the expected path, the payload decrypts an embedded shellcode and executes it. <strong>At the time of this investigation, this shellcode had not been published anywhere.<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-table is-style-regular\"><table><thead><tr><th class=\"has-text-align-center\" data-align=\"center\">SHA-256 of the first shellcode (used during Stage 2)<\/th><\/tr><\/thead><tbody><tr><td class=\"has-text-align-center\" data-align=\"center\">8059E00CFB899B5BCDE4607AFB6858A922C71AEA1D744EFBE93D922868C34489<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Stage 2: Downloader disguised as Microsoft update<\/h2>\n\n\n\n<p>The shellcode uses well-known anti-analysis techniques. Instead of importing APIs by name, it resolves DLLs and functions at runtime by comparing <strong>ROR13 hashes<\/strong> of their names against hard-coded constants, so neither an import table nor plaintext API names are available to static analysis.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"423\" height=\"195\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f4.png\" alt=\"\" class=\"wp-image-1956\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f4.png 423w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f4-300x138.png 300w\" sizes=\"(max-width: 423px) 100vw, 423px\" \/><figcaption>Hashing algorithm ror13 used by the malware<\/figcaption><\/figure><\/div>\n\n\n\n<p>It first locates GetProcAddress and LoadLibraryA in kernel32 and then uses them to obtain the addresses of the functions listed at the end of this post.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"616\" height=\"363\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f5.png\" alt=\"\" class=\"wp-image-1957\" 
srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f5.png 616w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f5-300x177.png 300w\" sizes=\"(max-width: 616px) 100vw, 616px\" \/><figcaption>GetProcAddress and LoadLibrary<\/figcaption><\/figure><\/div>\n\n\n\n<p>The shellcode opens a TCP socket to port 80 of the C2 address 123.253.35[.]231 and builds the HTTP request by hand over Winsock (the Ws2_32 functions listed at the end of this post) rather than through an HTTP client library. The request carries plausible headers, <strong>attempting to impersonate ordinary Microsoft update traffic<\/strong>.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"886\" height=\"297\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f6.png\" alt=\"\" class=\"wp-image-1958\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f6.png 886w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f6-300x101.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f6-768x257.png 768w\" sizes=\"(max-width: 886px) 100vw, 886px\" \/><figcaption>Extract of the communication with the C2<\/figcaption><\/figure><\/div>\n\n\n\n<p>The body of the request is a base64-encoded string. Once decoded it follows the same protocol as the one described in the <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/k\/earth-preta-spear-phishing-governments-worldwide.html\">TrendMicro report<\/a>:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>17 03 03 + &lt;payload size&gt; + &lt;payload&gt;<\/td><\/tr><\/tbody><\/table><figcaption>Protocol used by shellcode<\/figcaption><\/figure>\n\n\n\n<p>The prefix 17 03 03 is the header of a TLS 1.2 application-data record (content type 0x17, version 0x03 0x03), so the decoded body looks like a TLS record even though it is carried in the clear over HTTP on port 80. This framing is present in every base64-encoded string exchanged between the victim and the C2. 
In this first request, the payload carries the following information:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>&lt;tick count&gt; + &lt;computer name&gt; + &lt;username&gt;<\/td><\/tr><\/tbody><\/table><figcaption>Packet information sent by the first shellcode<\/figcaption><\/figure>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"524\" height=\"119\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f7.png\" alt=\"\" class=\"wp-image-1961\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f7.png 524w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f7-300x68.png 300w\" sizes=\"(max-width: 524px) 100vw, 524px\" \/><figcaption>Contents of the payload before encryption<\/figcaption><\/figure><\/div>\n\n\n\n<p>The payload is then encrypted with the following 32-byte key (note the seven trailing zero bytes):<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>78 5a 12 4d 75 14 14 11 6c 02 71 15 5a 73 05 08 70 14 65 3b 64 42 22 23 20 00 00 00 00 00 00 00<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Although this key is identical to the one used in the <a href=\"https:\/\/blog.talosintelligence.com\/mustang-panda-targets-europe\/\">Talos report<\/a>, the algorithm is different. An implementation of the protocol in Python can be found at the end of this post. Here <strong>the encryption consists of applying XOR four times<\/strong>: in each of four passes, every byte of the &#8220;original&#8221; buffer is XORed with a byte of the &#8220;key&#8221; array, and each pass starts from a different position in the key. Because XOR is associative and commutative and the key bytes do not depend on the data, the four passes are equivalent to a single XOR with a fixed mask derived only from the key. The change therefore adds no cryptographic strength: with the key, or with one captured message whose plaintext is known, the traffic can be decrypted offline. What it does achieve is to break decryptors and signatures written for the variant documented by Talos. 
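<\/p>\n\n\n\n<p>The following Python script is an added worked example written for this edit; it is not Lab52\u2019s implementation and not code taken from the sample. It models the Stage 2 message as described above (base64 of 17 03 03, size and payload; payload = tick count, computer name and username; four XOR passes against the 32-byte key) and makes two points concrete: the four passes collapse into one fixed mask, and a single known beacon is enough to recover that mask. Everything the page does not state is an assumption, marked as such in the code: the size field is taken to be a 2-byte big-endian integer, the four passes are assumed to start at key positions 0 to 3, and the beacon fields are assumed to be ASCII concatenated without separators; the real offsets and field encoding have to be read from the disassembly.<\/p>

```python
# Added example (editor's code, not the Lab52 implementation nor the sample's).
# Models the Stage 2 beacon as the post describes it: base64(17 03 03 || size
# || payload), payload = tick count || computer name || username, XORed four
# times against the 32-byte key, each pass starting at a different position.
# ASSUMPTIONS not stated on the page: size is 2 bytes big-endian (the shape of
# a real TLS 1.2 application-data record length); passes start at PASS_OFFSETS;
# beacon fields are ASCII with no separators.
import base64
import struct
from functools import reduce
from operator import xor

KEY = bytes.fromhex(
    "785a124d751414116c0271155a730508"
    "7014653b644222232000000000000000"
)
PASS_OFFSETS = (0, 1, 2, 3)      # assumed start position of each pass
FAKE_TLS_HDR = b"\x17\x03\x03"   # TLS 1.2 application_data record header


def xor_pass(data: bytes, key: bytes, offset: int) -> bytes:
    """One pass: byte i is XORed with key[(i + offset) mod len(key)]."""
    n = len(key)
    return bytes(b ^ key[(i + offset) % n] for i, b in enumerate(data))


def four_pass_xor(data: bytes, key: bytes = KEY) -> bytes:
    """The four-pass scheme. XOR is its own inverse, so this also decrypts."""
    for off in PASS_OFFSETS:
        data = xor_pass(data, key, off)
    return data


def effective_keystream(key: bytes = KEY) -> bytes:
    """The single mask of period len(key) that the four passes amount to:
    each pass XORs a data-independent key byte, so the passes commute."""
    n = len(key)
    return bytes(reduce(xor, (key[(i + off) % n] for off in PASS_OFFSETS), 0)
                 for i in range(n))


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext attack: plaintext XOR ciphertext is the mask itself.
    One beacon with a known computer name and username spanning one period
    is enough to decrypt every other message without the key."""
    if len(plaintext) != len(ciphertext):
        raise ValueError("plaintext and ciphertext lengths differ")
    return bytes(p ^ c for p, c in zip(plaintext, ciphertext))


def frame(payload: bytes) -> str:
    """base64(17 03 03 || size || payload); size assumed 2-byte big-endian."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too large for a 16-bit length field")
    record = FAKE_TLS_HDR + struct.pack(">H", len(payload)) + payload
    return base64.b64encode(record).decode("ascii")


def unframe(message: str) -> bytes:
    """Inverse of frame(); rejects bodies that are not a 17 03 03 record."""
    raw = base64.b64decode(message, validate=True)
    if len(raw) < 5 or raw[:3] != FAKE_TLS_HDR:
        raise ValueError("not a fake TLS application-data record")
    (size,) = struct.unpack(">H", raw[3:5])
    body = raw[5:5 + size]
    if len(body) != size:
        raise ValueError("truncated record")
    return body


def build_beacon(tick_count: int, computer_name: str, username: str) -> str:
    """Encrypt and frame the first beacon (field order as the post lists it)."""
    plain = f"{tick_count}{computer_name}{username}".encode("ascii")
    return frame(four_pass_xor(plain))


def decode_beacon(message: str) -> bytes:
    """Unframe and decrypt a beacon captured from the wire."""
    return four_pass_xor(unframe(message))


def is_fake_tls_record(message: str) -> bool:
    """Detection hook: base64 of the bytes 17 03 03 is always the prefix FwMD."""
    if not message.startswith("FwMD"):
        return False
    try:
        unframe(message)
    except ValueError:   # binascii.Error (bad base64) is a ValueError too
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values, not data observed in the campaign.
    beacon = build_beacon(123456, "DESKTOP-AB12", "alice")
    print(beacon, decode_beacon(beacon), effective_keystream().hex())
```

<p>effective_keystream() returns the mask that reproduces the four passes in one XOR; recover_keystream() shows that a captured beacon whose computer name and username are known gives that mask back without the key; and is_fake_tls_record() relies on the fact that every base64 body of this protocol starts with the characters FwMD, the base64 form of the bytes 17 03 03. 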
<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"560\" height=\"458\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f8.png\" alt=\"\" class=\"wp-image-1963\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f8.png 560w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f8-300x245.png 300w\" sizes=\"(max-width: 560px) 100vw, 560px\" \/><figcaption>XOR-based Encryption algorithm <\/figcaption><\/figure><\/div>\n\n\n\n<p>The algorithm bears a superficial resemblance to RC4, which is also a symmetric stream cipher: both XOR the data with a sequence of bytes derived from a shared secret key.<\/p>\n\n\n\n<p>However, <strong>the differences from RC4 are significant<\/strong>. RC4 runs a key-scheduling step and then generates a pseudo-random key stream from an evolving 256-byte internal state, so the stream is as long as the message and never exposes the key bytes directly. In the algorithm analysed here there is no key schedule and no state: the bytes XORed into the data come straight from the 32-byte key, in four passes that each start at a different key position. The result is a fixed, key-dependent XOR mask rather than a stream cipher in the RC4 sense, which is why it is trivially recoverable from a single known plaintext.<\/p>\n\n\n\n<p>In response to this beacon, the C2 returns a second shellcode.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"830\" height=\"345\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f9.png\" alt=\"\" class=\"wp-image-1964\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f9.png 830w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f9-300x125.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f9-768x319.png 768w\" sizes=\"(max-width: 830px) 100vw, 830px\" \/><figcaption>Payload sent by the C2<\/figcaption><\/figure><\/div>\n\n\n\n<p><strong>At the time of this investigation, this shellcode had not been published anywhere. 
<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-table is-style-regular\"><table><thead><tr><th class=\"has-text-align-center\" data-align=\"center\">SHA-256 of the second shellcode (used during Stage 3)<\/th><\/tr><\/thead><tbody><tr><td class=\"has-text-align-center\" data-align=\"center\">E184F099957C27A04ADF2F5F46772D0FD86B27084CBDDCDEAC5EB7CFA23604F7<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Stage 3: Communication with the C2<\/h2>\n\n\n\n<p>This second shellcode is very similar to the first one and uses the same ROR13 hashing to resolve its imports; its considerably longer function list is also given at the end of this post.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"362\" height=\"449\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f10.png\" alt=\"\" class=\"wp-image-1965\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f10.png 362w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f10-242x300.png 242w\" sizes=\"(max-width: 362px) 100vw, 362px\" \/><figcaption>API hashing used by the malware<\/figcaption><\/figure><\/div>\n\n\n\n<p>As in the <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/k\/earth-preta-spear-phishing-governments-worldwide.html\">TrendMicro report<\/a>, this variant implements several commands, selected by a one-byte command value received from the C2 and dispatched by a single function.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"721\" height=\"584\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f11.png\" alt=\"\" class=\"wp-image-1966\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f11.png 721w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f11-300x243.png 300w\" sizes=\"(max-width: 721px) 100vw, 721px\" \/><figcaption>Function in charge of executing the commands received from the C2<\/figcaption><\/figure><\/div>\n\n\n\n<p>Most of the commands identified correspond to those listed in this 
<a href=\"https:\/\/www.trendmicro.com\/es_es\/research\/23\/c\/earth-preta-updated-stealthy-strategies.html\" data-type=\"URL\" data-id=\"https:\/\/www.trendmicro.com\/es_es\/research\/23\/c\/earth-preta-updated-stealthy-strategies.html\">TrendMicro report from March<\/a>, with the exception of 0x05 (keep alive) and 0x20 (close shell). The following table summarises a list of commands used by the shellcode.<\/p>\n\n\n\n<figure class=\"wp-block-table aligncenter is-style-regular\"><table><thead><tr><th class=\"has-text-align-center\" data-align=\"center\">Value<\/th><th class=\"has-text-align-center\" data-align=\"center\">Description<\/th><th class=\"has-text-align-center\" data-align=\"center\">TrendMicro report<\/th><\/tr><\/thead><tbody><tr><td class=\"has-text-align-center\" data-align=\"center\"><strong>0x05<\/strong><\/td><td class=\"has-text-align-center\" data-align=\"center\"><strong>Keep Alive*<\/strong><\/td><td class=\"has-text-align-center\" data-align=\"center\">&#8211;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">0x03<\/td><td class=\"has-text-align-center\" data-align=\"center\">Unknown<\/td><td class=\"has-text-align-center\" data-align=\"center\">Unknown<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">0x01<\/td><td class=\"has-text-align-center\" data-align=\"center\">Unknown<\/td><td class=\"has-text-align-center\" data-align=\"center\">Unknown<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">0x1b<\/td><td class=\"has-text-align-center\" data-align=\"center\">Begin upload<\/td><td class=\"has-text-align-center\" data-align=\"center\">UploadBegin error: %d!<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">0x1D<\/td><td class=\"has-text-align-center\" data-align=\"center\">Data upload<\/td><td class=\"has-text-align-center\" data-align=\"center\">UploadData error:%d!<\/td><\/tr><tr><td class=\"has-text-align-center\" 
data-align=\"center\">0x1A<\/td><td class=\"has-text-align-center\" data-align=\"center\">Unknown<\/td><td class=\"has-text-align-center\" data-align=\"center\">Unknown<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">0x1E<\/td><td class=\"has-text-align-center\" data-align=\"center\">cmd start<\/td><td class=\"has-text-align-center\" data-align=\"center\">CmdStart error:%d!<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">0x1F<\/td><td class=\"has-text-align-center\" data-align=\"center\">cmd write<\/td><td class=\"has-text-align-center\" data-align=\"center\">CmdWrite error:%d!<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">0x30<\/td><td class=\"has-text-align-center\" data-align=\"center\">cmd read<\/td><td class=\"has-text-align-center\" data-align=\"center\">CmdWrite error:%d!<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\"><strong>0x20<\/strong><\/td><td class=\"has-text-align-center\" data-align=\"center\"><strong>Close shell<\/strong>*<\/td><td class=\"has-text-align-center\" data-align=\"center\">Unknown<\/td><\/tr><\/tbody><\/table><figcaption>List of shellcode commands. *: identified during this research<\/figcaption><\/figure>\n\n\n\n<p>The shellcode gives the operator a remote shell on the victim&#8217;s computer: it starts a command interpreter and talks to it through anonymous pipes, writing the commands received from the C2 to the shell and reading its output back to return to the C2 (the cmd start, cmd write and cmd read commands in the table above). 
The pipes are created with the CreatePipe function.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"953\" height=\"369\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/Captura-desde-2023-05-08-16-13-58.png\" alt=\"\" class=\"wp-image-1988\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/Captura-desde-2023-05-08-16-13-58.png 953w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/Captura-desde-2023-05-08-16-13-58-300x116.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/Captura-desde-2023-05-08-16-13-58-768x297.png 768w\" sizes=\"(max-width: 953px) 100vw, 953px\" \/><figcaption>Creation of pipes<\/figcaption><\/figure><\/div>\n\n\n\n<p>Unlike the previous stage, the shellcode no longer impersonates <strong>www.asia.microsoft.com<\/strong>; it now poses as <strong>www.download.windowsupdate.com<\/strong>, while the actual destination is still the attacker\u2019s C2. A request whose claimed Microsoft host name does not match where the connection really goes is the anomaly to look for.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"733\" height=\"144\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/Captura-desde-2023-05-08-13-48-43.png\" alt=\"\" class=\"wp-image-1984\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/Captura-desde-2023-05-08-13-48-43.png 733w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/Captura-desde-2023-05-08-13-48-43-300x59.png 300w\" sizes=\"(max-width: 733px) 100vw, 733px\" \/><figcaption>HTTP request for this stage<\/figcaption><\/figure><\/div>\n\n\n\n<p>On each request the last 25 characters of the URL are replaced with random characters generated with CryptGenRandom, so a static URL is not a usable indicator. The body prefix is a more stable pivot: because every message starts with the bytes 17 03 03, every base64-encoded body starts with the four characters FwMD.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"505\" height=\"245\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/Captura-desde-2023-05-08-13-54-25.png\" alt=\"\" class=\"wp-image-1985\" 
srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/Captura-desde-2023-05-08-13-54-25.png 505w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/Captura-desde-2023-05-08-13-54-25-300x146.png 300w\" sizes=\"(max-width: 505px) 100vw, 505px\" \/><figcaption>Algorithm used to generate random URLs<\/figcaption><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusions<\/h2>\n\n\n\n<p>Since several articles had already described in detail malware similar to the one used in this campaign, the goal of this analysis was to verify whether the new samples differ significantly in operation from what had been reported. The analysis shows that the authors changed the <strong>encryption algorithm<\/strong> and a few other details, <strong>without drastically modifying the malware or improving its operational security<\/strong>. This has several implications; the most immediate ones are: (1) <strong>a threat actor can still have an impact with samples<\/strong> that detection systems should already be identifying, and (2) <strong>small modifications are sometimes enough to complicate detection and analysis<\/strong>. 
Through this post, we aim to minimize the second point.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Summary of functions used in the shellcodes<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">First shellcode (stage 2)<\/h3>\n\n\n\n<figure class=\"wp-block-table aligncenter\"><table><tbody><tr><td class=\"has-text-align-center\" data-align=\"center\"><strong>Kernel32<\/strong><\/td><td class=\"has-text-align-center\" data-align=\"center\"><strong>User32<\/strong><\/td><td class=\"has-text-align-center\" data-align=\"center\"><strong>Ws2_32<\/strong><\/td><td class=\"has-text-align-center\" data-align=\"center\"><strong>advapi<\/strong><\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">VirtualAlloc<\/td><td class=\"has-text-align-center\" data-align=\"center\">MessageBoxA<\/td><td class=\"has-text-align-center\" data-align=\"center\">WSAStartup<\/td><td class=\"has-text-align-center\" data-align=\"center\">GetUserNameA<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">VirtualProtect<\/td><td class=\"has-text-align-center\" data-align=\"center\">wsprintfA<\/td><td class=\"has-text-align-center\" data-align=\"center\">gethostbyname<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">VirtualFree<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">inet_ntoa<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">Sleep<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">WSAGetLastError<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">GetComputerNameA<\/td><td class=\"has-text-align-center\" 
data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">socket<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">GetVolumeInformationA<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">closesocket<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">GetTickCount<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">shutdown<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">htons<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">inet_addr<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">recv<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">send<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" 
data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">connect<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">setsockopt<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Second shellcode (stage 3)<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td class=\"has-text-align-center\" data-align=\"center\"><strong>Kernel32<\/strong><\/td><td class=\"has-text-align-center\" data-align=\"center\"><strong>User32<\/strong><\/td><td class=\"has-text-align-center\" data-align=\"center\"><strong>Ws2_32<\/strong><\/td><td class=\"has-text-align-center\" data-align=\"center\"><strong>advapi<\/strong><\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">CloseHandle<\/td><td class=\"has-text-align-center\" data-align=\"center\">MessageBoxA<\/td><td class=\"has-text-align-center\" data-align=\"center\">WSAStartup<\/td><td class=\"has-text-align-center\" data-align=\"center\">CryptAcquireContextA<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">GetLastError<\/td><td class=\"has-text-align-center\" data-align=\"center\">MessageBoxW<\/td><td class=\"has-text-align-center\" data-align=\"center\">gethostbyname<\/td><td class=\"has-text-align-center\" data-align=\"center\">CryptGenRandom<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">VirtualAlloc<\/td><td class=\"has-text-align-center\" data-align=\"center\">wsprintfA<\/td><td class=\"has-text-align-center\" data-align=\"center\">inet_ntoa<\/td><td class=\"has-text-align-center\" 
data-align=\"center\">CryptReleaseContext<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">VirtualFree<\/td><td class=\"has-text-align-center\" data-align=\"center\">wsprintfW<\/td><td class=\"has-text-align-center\" data-align=\"center\">WSAGetLastError<\/td><td class=\"has-text-align-center\" data-align=\"center\">RegOpenKeyExA<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">VirtualAllocEx<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">socket<\/td><td class=\"has-text-align-center\" data-align=\"center\">RegQueryValueExA<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">VirtualFreeEx<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">closesocket<\/td><td class=\"has-text-align-center\" data-align=\"center\">GetUserNameA<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">VirtualProtect<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">shutdown<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">Sleep<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">htons<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">CreateMutexA<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">inet_addr<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">OpenMutexA<\/td><td class=\"has-text-align-center\" 
data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">recv<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">WriteProcessMemory<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">send<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">CreateFileA<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">connect<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">CreateFileW<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">setsockopt<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">GetFileSize<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">SetFilePointerEx<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">ReadFile<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" 
data-align=\"center\">WriteFile<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">DeleteFileA<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">DeleteFileW<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">GetFileAttributesA<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">GetFileAttributesW<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">GetModuleFileNameA<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">GetModuleFileNameW<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td 
class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">GetModuleHandleW<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">CreateToolhelp32Snapshot<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">Process32FirstW<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">Process32NextW<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">OpenProcess<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">CreateProcessA<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">CreateProcessW<\/td><td class=\"has-text-align-center\" 
data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">CreateThread<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">CreateRemoteThread<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">WaitForSingleObject<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">GetDriveTypeA<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">GetDiskFreeSpaceExA<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">GetLogicalDriveStringsA<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td 
class=\"has-text-align-center\" data-align=\"center\">GetNativeSystemInfo<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">GetComputerNameA<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">GlobalMemoryStatusEx<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">Wow64DisableWow64FsRedirection<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">Wow64RevertWow64FsRedirection<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">OutputDebugStringA<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">OutputDebugStringW<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td 
class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">TerminateProcess<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">LocalAlloc<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">LocalFree<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">lstrcmpW<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">CreatePipe<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">PeekNamedPipe<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><td class=\"has-text-align-center\" data-align=\"center\">&nbsp;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Indicators of 
Compromise (IOCs)<\/h2>\n\n\n\n<figure class=\"wp-block-table aligncenter\"><table><thead><tr><th class=\"has-text-align-left\" data-align=\"left\">Hash <\/th><th>Description<\/th><th>Access<\/th><\/tr><\/thead><tbody><tr><td class=\"has-text-align-left\" data-align=\"left\">e2acbc36c2cce4050e34033c12f766fea58b4196d84cf40e979fac8fed24c942<\/td><td>Legitimate exe<\/td><td>Public<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">3c4671b4a0c3e7da186bd356e07cf0daca7267addde668044b1ded42c6dbe09b<\/td><td>Malicious dll<\/td><td>Public<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">8059E00CFB899B5BCDE4607AFB6858A922C71AEA1D744EFBE93D922868C34489<\/td><td>First Shellcode<\/td><td>Private<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">E184F099957C27A04ADF2F5F46772D0FD86B27084CBDDCDEAC5EB7CFA23604F7<\/td><td>Second Shellcode<\/td><td>Private<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th class=\"has-text-align-center\" data-align=\"center\">Domains<\/th><th class=\"has-text-align-center\" data-align=\"center\">Stage<\/th><\/tr><\/thead><tbody><tr><td class=\"has-text-align-center\" data-align=\"center\"><strong>www.asia.microsoft.com<\/strong><\/td><td class=\"has-text-align-center\" data-align=\"center\">Stage 1<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\"><strong>www.download.windowsupdate.com<\/strong><\/td><td class=\"has-text-align-center\" data-align=\"center\">Stage 2<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Python helper functions for protocol decryption and encryption<\/strong><\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>import base64\nimport struct\n\n# 32-byte XOR key recovered from the sample (trailing zero bytes included)\nkey=bytearray([0x78, 0x5a, 0x12, 0x4d, 0x75, 0x14, 0x14, 0x11, 0x6c, 0x02, 0x71, 0x15, 0x5a, 0x73, 0x05, 0x08, 0x70, 0x14, 0x65, 0x3b, 0x64, 0x42, 0x22, 0x23, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00])\n\ndef 
cipher_xor(message, key):\n    # Four XOR passes over the buffer, each reading the key at a different\n    # offset (1, 9, 4, 0) and complementing it with 0xff. The result is a fixed\n    # XOR keystream, so the routine is its own inverse and serves for both\n    # encryption and decryption. The buffer is modified in place.\n    key_length = len(key)\n    length = len(message)\n\n    for i in range(length):\n        message[i] ^= key[(i + 1) % key_length] ^ 0xff\n\n    for i in range(length):\n        message[i] ^= key[(i + 9) % key_length] ^ 0xff\n\n    for i in range(length):\n        message[i] ^= key[(i + 4) % key_length] ^ 0xff\n\n    for i in range(length):\n        message[i] ^= key[i % key_length] ^ 0xff\n    \n    return message\n\ndef decipher_payload(message):\n    # Base64-decode, strip the 5-byte TLS-like record header, then XOR-decrypt\n    msg=bytearray(base64.b64decode(message))[5:]\n    \n    return cipher_xor(msg,key)\n\ndef cipher_payload(message):\n    # 3-byte header 0x17 0x03 0x03 (TLS 1.2 application-data record type and\n    # version) followed by the big-endian 16-bit payload size, then the\n    # XOR-encrypted payload, all base64-encoded\n    header=bytearray([0x17, 0x03, 0x03])\n    size=len(message)\n\n    return base64.b64encode(header + struct.pack('>H',size) + cipher_xor(bytearray(message),key))<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>In the last post, Lab52 covered the new Mustang Panda\u2019s campaign against Australia. &nbsp;Now it is time to talk about the malware used by the APT group Mustang Panda in said campaign.&nbsp; Indeed, the malware used to commit the attack is not entirely new; there are previous reports from TrendMicro and Talos where similar tactics and 
[&hellip;]<\/p>\n","protected":false},"author":28,"featured_media":2020,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[21],"tags":[63],"class_list":{"0":"post-1943","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-apt","8":"tag-mustangpanda","9":"entry"},"featured_image_src":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/Image20230509122514-600x400.jpg","featured_image_src_square":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/Image20230509122514-600x600.jpg","author_info":{"display_name":"3722304989","author_link":"https:\/\/lab52.io\/blog\/author\/3722304989\/"},"_links":{"self":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/1943"}],"collection":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/users\/28"}],"replies":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/comments?post=1943"}],"version-history":[{"count":37,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/1943\/revisions"}],"predecessor-version":[{"id":2159,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/1943\/revisions\/2159"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media\/2020"}],"wp:attachment":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media?parent=1943"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/categories?post=1943"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab5
2.io\/blog\/wp-json\/wp\/v2\/tags?post=1943"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}