{"id":2326,"date":"2023-07-07T13:31:40","date_gmt":"2023-07-07T11:31:40","guid":{"rendered":"https:\/\/lab52.io\/blog\/?p=2326"},"modified":"2023-07-07T13:31:42","modified_gmt":"2023-07-07T11:31:42","slug":"beyond-appearances-unknown-actor-using-apt29s-ttp-against-chinese-users","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/beyond-appearances-unknown-actor-using-apt29s-ttp-against-chinese-users\/","title":{"rendered":"Beyond appearances: unknown actor using APT29’s TTP against Chinese users"},"content":{"rendered":"\n

Introduction<\/h1>\n\n\n\n

Lab52 has detected a different maldoc samples of a potential malicious campaign. The initial access is through a Chinese phishing. \u00a0The maldoc seems to be a campaign against Chinese speaking users as the content of the maldoc is written in Chinese. The social engineering technique applied into the maldoc\u2019s content is to pretend to be a Curriculum Vitae of a 28 years old professional who is specialized in finance, concretely into the software development for banking systems and NCR.<\/p>\n\n\n\n

The infection chain is similar to the threat actor APT29, however it has been identified significant differences related to the typical APT29\u2019s infection chain that makes consider that it does not seem to be this threat actor.  <\/p>\n\n\n\n

This is a compressed file with Chinese characters referring to “Sun Jichao – Peking University \u2013 Master”. The file has a file with extension “.pdf” and a hidden directory “_MACOSX\/.DOCX”, which contains a .bat file, two .tmp files (also hidden) and another .pdf file.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

In the following image capture is shown the content of the .pdf maldoc: \u00a0\u00a0<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Analysis<\/h1>\n\n\n\n

Stage 0<\/h2>\n\n\n\n

The infection starts with the file “\u5b59\u7ee7\u8d85-\u5317\u4eac\u5927\u5b66-\u7855\u58eb.pdf” which is actually a “.lnk” file that executes the binary “aaa.bat” using the following command: %windir%\\system32\\cmd.exe \/c “__MACOSX\\.DOCX\\aaa.bat”. It is also interesting to note the comment “chang the world google”.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

When analyzing the “.bat” binary, we observe that it is obfuscated with special characters.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Searching for part of this string in Google, we found that it is obfuscated using a specific “.bat” file encryption technique. Fortunately, there is a tool called Batch Encryption DeCoder<\/a> that allows to decrypt the content automatically.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Analyzing the “.bat” file, it can be seen that it performs the following actions:<\/p>\n\n\n\n

  1. First copy the files “wda.tmp” and “mbp.tmp” to the folder “C:\\ProgramData”.<\/li>
  2. Then change the attributes of the file, to unhide them.<\/li>
  3. Rename “wda.tmp” to “OfficeUpdate.exe” and “mbp.tmp” to “appvisvsubsystems64.dll”.<\/li>
  4. Execute the “.pdf” file showing the Decoy (a resume).<\/li>
  5. Execute “OfficeUpdate.exe” to continue with stage1.<\/li>
  6. Finally delete the stage0 files “wda.tmp”, “mbp.tmp”, “aaa.bat” and the “lnk”; so that only what is in C:\\ProgramData\\ persists.<\/li><\/ol>\n\n\n\n

    Stage 1<\/h2>\n\n\n\n

    We continue the execution with the two files located in “C:\\ProgramData”, “OfficeUpdate” and “appvisvsubsystems64.dll”. The first one is the legitimate “WinWord” binary and “appvisvsubsystems64.dll” is a malicious library that will load \u201cWinWord\u201d via DLL Side-Load.<\/p>\n\n\n\n

    \"\"<\/figure><\/div>\n\n\n\n

    These names and techniques are reminiscent of those used by APT29 in its campaigns in recent months and we discussed in this Lab52 post.<\/a><\/p>\n\n\n\n

    Looking at the dll “appvisvsubsystems64.dll” statically we find that its compilation date is quite recent (July 4th) and that it is packaged by the open source packer “UPX”. It is also noted that the binary is written in Go.<\/p>\n\n\n\n

    \"\"<\/figure><\/div>\n\n\n\n

    The DLL has several exports, but the malicious code is in the section called “test”. With IDA you can see how it creates a thread to execute this function.<\/p>\n\n\n\n

    \"\"<\/figure><\/div>\n\n\n\n
    \"\"<\/figure><\/div>\n\n\n\n

    Analyzing the operation of the library, it can be seen that it is a CobaltStrike beacon<\/u><\/strong> that the actor will use as a post-exploitation framework.<\/p>\n\n\n\n

    \"\"<\/figure><\/div>\n\n\n\n

    Infection Chain<\/p>\n\n\n\n

    \"\"<\/figure><\/div>\n\n\n\n

    Comparison with APT29<\/h1>\n\n\n\n

    As discussed above, the group uses a number of TTPs and artifacts that have been linked in previous campaigns to APT29. Examples of these could be:<\/p>\n\n\n\n

    • The use of Side-Load DLL with the “appvisvsubsystems64.dll” library and the legitimate “WinWord.exe” binary.<\/li>
    • The fact of developing the DLL in the go language (something that has also been seen in APT29).<\/li>
    • Deploying a CobaltStrike at the end of the infection.<\/li><\/ul>\n\n\n\n

      However, there are several features that suggest that the attack was not perpetrated by the Russian group:<\/p>\n\n\n\n

      • The infection chain is different, employing an encrypted “.bat”.<\/li>
      • Chinese characters are found in all the files and the “decoy” is addressed to Beijing.<\/li>
      • It saves the files in the %ProgramData% folder, unlike APT29 which did so in %AppData%.<\/u><\/strong><\/li><\/ul>\n\n\n\n

        IOCs<\/h1>\n\n\n\n

        Campaign: Sun Jichao – Peking University \u2013 Master<\/strong><\/p>\n\n\n\n

        File<\/strong><\/td>Hash<\/strong><\/td><\/tr>
        \u5b59\u7ee7\u8d85-\u5317\u4eac\u5927\u5b66-\u7855\u58eb.pdf.lnk<\/td>D5A8B6635240CC190BC869A2A41BC437A48BFBFCCE0D218B879D9768D85D1D6F<\/td><\/tr>
        aaa.bat<\/td>F1F6BB1BDF41217D26EC33E00E1E52FBC479E636B5D43671736905210FC4D734<\/td><\/tr>
        aaa.bat (DESCIPHER)<\/td>A5A0BEE3304C77BDB5B6DCC4EDAFBFC941CDC0B5153E3D82E2689150E83B1329<\/td><\/tr>
        mbp.tmp (appvisvsubsystems64.dll)<\/td>6B13519A3AEA8747400932191048D5DAB7DACCB3FD45A3F5E0FFD34C32AED35D<\/td><\/tr>
        appvisvsubsystems64.dll (UNPACKED)<\/td>D465F6DA893F2F76CDFB7089C3B9292D09A201E7D0FAEFB0F88A8B8BA5FD3FBA<\/td><\/tr>
        wda.tmp (OffceUpdate.exe) [Legit]<\/td>DD657A7A3688D039F0A208F39B1128EC447689EE664C6695D5C7E384DCDC1014<\/td><\/tr>
        \u5b59\u7ee7\u8d85-\u5317\u4eac\u5927\u5b66-\u7855\u58eb.pdf (Decoy)<\/td>E15EE2E8ED2C3F37C1B47BF67E81AA2E89B0CE7B3159918A32DA2E30420E6819<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
        C2<\/strong><\/td><\/tr>
        info.gtjas.site<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

        Campaign: 2023 Medical Examination Program<\/strong><\/p>\n\n\n\n

        File<\/strong><\/td>Hash<\/strong><\/td><\/tr>
        2023\u5e74\u4f53\u68c0\u9879\u76ee.exe [Legit]<\/td>DD657A7A3688D039F0A208F39B1128EC447689EE664C6695D5C7E384DCDC1014<\/td><\/tr>
        appvisvsubsystems64.dll<\/td>FC6847A8B62AF02C2D1EFF1D77F7D8B90CBD34654AFF38C671D86194D351CD6E<\/td><\/tr>
        appvisvsubsystems64.dll (UNPACKED)<\/td>4C750B8471BFEC0ED2DCF1A856163601FC140EB892710B8415D505A9088BD7F3<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
        C2<\/strong><\/td><\/tr>
        hxxp:\/\/123.60.168.]69:443\/jquery-3.3.2.slim.min.js<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

        Campaign: Beijing Municipal Communications Commission Year-end Summary Report – Template 1<\/strong><\/p>\n\n\n\n

        File<\/strong><\/td>Hash<\/strong><\/td><\/tr>
        \u5317\u4eac\u5e02\u4ea4\u901a\u59d4\u5e74\u7ec8\u603b\u7ed3\u62a5\u544a-\u6a21\u72481.pdf<\/td>D5A8B6635240CC190BC869A2A41BC437A48BFBFCCE0D218B879D9768D85D1D6F<\/td><\/tr>
        aaa.bat<\/td>F7CC627464981B8918347487BDC73C2026B645FD31A1FBAB4D5FCC03CBE88901<\/td><\/tr>
        aaa.bat (DESCIPHER)<\/td>256357877AE60DB9AD247AEF686AA3AAECB7DE0FDB84ED35EA91B28BE9725E36<\/td><\/tr>
        \u5317\u4eac\u5e02\u4ea4\u901a\u59d4\u5e74\u7ec8\u603b\u7ed3\u62a5\u544a-\u6a21\u72481.pdf(Decoy)<\/td>7EE465B6132819063B741D7F60246A539A1624E0667098BB162E22DE0D06CF2E<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"

        Introduction Lab52 has detected a different maldoc samples of a potential malicious campaign. The initial access is through a Chinese phishing. \u00a0The maldoc seems to be a campaign against Chinese speaking users as the content of the maldoc is written in Chinese. The social engineering technique applied into the maldoc\u2019s content is to pretend to […]<\/p>\n","protected":false},"author":6,"featured_media":2329,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[1],"tags":[],"class_list":{"0":"post-2326","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-uncategorised","8":"entry"},"featured_image_src":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/CV-maldoc-568x400.png","featured_image_src_square":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/CV-maldoc-568x600.png","author_info":{"display_name":"Dex","author_link":"https:\/\/lab52.io\/blog\/author\/dex\/"},"_links":{"self":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/2326"}],"collection":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/comments?post=2326"}],"version-history":[{"count":3,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/2326\/revisions"}],"predecessor-version":[{"id":2342,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/2326\/revisions\/2342"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media\/2329"}],"wp:attachment":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media?parent=2326"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/categories?post=2326"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/tags?post=2326"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}