{"id":738,"date":"2020-02-12T11:06:37","date_gmt":"2020-02-12T10:06:37","guid":{"rendered":"https:\/\/lab52.io\/blog\/?p=738"},"modified":"2020-02-12T11:12:12","modified_gmt":"2020-02-12T10:12:12","slug":"intelligence-operation-against-targets-in-indonesia","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/intelligence-operation-against-targets-in-indonesia\/","title":{"rendered":"Intelligence operation against targets in Indonesia"},"content":{"rendered":"\n<p>Lab52 has detected malicious activity targeting Indonesian victims. This activity could be linked to an intelligence operation. We have been tracking this activity since December 27<sup>th<\/sup> of 2019.<\/p>\n\n\n\n<p>The\nmain tools of this threat actor are built as DLL files and launched\nwith these commands:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>\n&#8220;C:\\Windows\\System32\\rundll32.exe&#8221;\n\tshell32.dll,ShellExec_RunDLL regsvr32 \/s C:\\ProgramData\\pubpool.dll\n\t\/i:process104.dll\n<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li>\n&#8220;C:\\WINDOWS\\system32\\regsvr32.exe&#8221;\n\t\/s C:\\ProgramData\\pubpool.dll \/i:process104.dll\n<\/li><\/ul>\n\n\n\n<table class=\"wp-block-table\"><tbody><tr><td> <strong>process100.dll<\/strong> <\/td><td> 5813497bde09577bd1adf24b02707918bb15af62 <\/td><td> Uploaded to Virus Total Intelligence on 12-07-2019 from Indonesia. <\/td><\/tr><tr><td> <strong>runtime_report.dll<\/strong> <\/td><td>1815820307a23b99d93e7307ade8b6443bbb8e96<\/td><td> Uploaded to Virus Total Intelligence on 2019-07-17 12:29:35 from Indonesia. 
<\/td><\/tr><tr><td> <strong>process104.dll<\/strong> <\/td><td> f09176a5130c17356ad2aa5850ca14a0a02a9ded <\/td><td> Uploaded to Virus Total Intelligence on 2019-07-17 12:29:10 from Indonesia. <\/td><\/tr><tr><td><strong>pubpool.dll<\/strong> <\/td><td>e7b27d5e936d8dedc55ebe4ff64020d1bf4238b2<\/td><td>Uploaded to Virus Total Intelligence on 2019-07-17 12:29:26 from Indonesia. <\/td><\/tr><\/tbody><\/table>\n\n\n\n<p>Pubpool.dll is used as a loader for three more encrypted DLLs that were found during the incident research:<\/p>\n\n\n\n<p class=\"has-large-font-size\"><strong>1. pubpool.dll file <\/strong> <\/p>\n\n\n\n<p>Lab52 has analyzed pubpool.dll: this component contains code to decrypt and load files, working as a DLL loader. The next picture shows one example of a DLL being decrypted by pubpool in memory:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"444\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-1024x444.png\" alt=\"\" class=\"wp-image-739\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-1024x444.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-300x130.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-768x333.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image.png 1454w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Library loaded in memory.<\/figcaption><\/figure><\/div>\n\n\n\n<p class=\"has-large-font-size\"><strong>2. 
process104.dll file <\/strong> <\/p>\n\n\n\n<p>When we launch pubpool.dll with process104.dll as a parameter, the loader maps this section:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"937\" height=\"92\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-1.png\" alt=\"\" class=\"wp-image-740\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-1.png 937w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-1-300x29.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-1-768x75.png 768w\" sizes=\"(max-width: 937px) 100vw, 937px\" \/><\/figure><\/div>\n\n\n\n<p>process104.dll\nis decrypted and mapped as inject_usb.dll.\nIts main purpose is to infect USB devices.<\/p>\n\n\n\n<p>This library exports a function named \u201cdone\u201d. The function can be seen in the next picture:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"498\" height=\"259\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-2.png\" alt=\"\" class=\"wp-image-741\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-2.png 498w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-2-300x156.png 300w\" sizes=\"(max-width: 498px) 100vw, 498px\" \/><\/figure><\/div>\n\n\n\n<p>The \u201cdone\u201d function checks for the existence of a mutex and starts only if no other instance is already running. Inject_usb.dll creates a folder named <strong>\u201c.Recycle Bin\u201d<\/strong> on every removable device, together with a log file named <strong>\u201csi.log\u201d<\/strong>. 
<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"853\" height=\"423\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-3.png\" alt=\"\" class=\"wp-image-742\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-3.png 853w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-3-300x149.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-3-768x381.png 768w\" sizes=\"(max-width: 853px) 100vw, 853px\" \/><\/figure><\/div>\n\n\n\n<p class=\"has-large-font-size\"><strong>3. process100.dll file <\/strong> <\/p>\n\n\n\n<p>When we launch pubpool.dll with process100.dll as a parameter, this dll maps the next sections:  <\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"935\" height=\"86\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-4.png\" alt=\"\" class=\"wp-image-743\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-4.png 935w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-4-300x28.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-4-768x71.png 768w\" sizes=\"(max-width: 935px) 100vw, 935px\" \/><\/figure><\/div>\n\n\n\n<p>process100.dll is decrypted and mapped as inject_host.dll. This module execute the malware. 
The next pictures show some IOCs:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"836\" height=\"39\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-5.png\" alt=\"\" class=\"wp-image-744\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-5.png 836w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-5-300x14.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-5-768x36.png 768w\" sizes=\"(max-width: 836px) 100vw, 836px\" \/><\/figure><\/div>\n\n\n\n<p>One LNK example:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"837\" height=\"256\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-6.png\" alt=\"\" class=\"wp-image-745\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-6.png 837w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-6-300x92.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-6-768x235.png 768w\" sizes=\"(max-width: 837px) 100vw, 837px\" \/><\/figure><\/div>\n\n\n\n<p class=\"has-large-font-size\"><strong>4. 
runtime_report.dll file<\/strong> <\/p>\n\n\n\n<p>When we launch <strong>pubpool.dll<\/strong> with runtime_report.dll as a parameter, the loader maps this section:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"920\" height=\"87\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-7.png\" alt=\"\" class=\"wp-image-746\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-7.png 920w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-7-300x28.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-7-768x73.png 768w\" sizes=\"(max-width: 920px) 100vw, 920px\" \/><\/figure><\/div>\n\n\n\n<p><strong>runtime_report.dll<\/strong>\nis decrypted and mapped as <strong>TinyMet.dll<\/strong>.\nThis module deploys TinyMET[1], a &#8220;tiny&#8221; meterpreter\nstager.<\/p>\n\n\n\n<p>This TinyMet version uses the mutex TEST_9I89JNDBPWQ9ND:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"608\" height=\"514\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-8.png\" alt=\"\" class=\"wp-image-747\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-8.png 608w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-8-300x254.png 300w\" sizes=\"(max-width: 608px) 100vw, 608px\" \/><\/figure><\/div>\n\n\n\n<p>TinyMet connects to the Internet using a hardcoded domain and User-Agent, both visible in the next picture:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"440\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-9-1024x440.png\" alt=\"\" class=\"wp-image-748\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-9-1024x440.png 1024w, 
https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-9-300x129.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-9-768x330.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/02\/image-9.png 1066w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n\n<ul class=\"wp-block-list\"><li> Domain: musicstore.global.ssl.fastly[.]net <\/li><li> User-Agent: Mozilla\/4.0 (compatible; MSIE 6.1; Windows NT)<\/li><\/ul>\n\n\n\n<p class=\"has-large-font-size\"><strong>5. CONCLUSION<\/strong><\/p>\n\n\n\n<p>Lab52\nworks on the hypothesis that this infection is part of an intelligence\noperation. The malware was developed by a threat actor (currently,\nit is not possible to identify the malware family). Attribution is\nnot possible with the information available to Lab52.\n<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Lab52 has detected malicious activity targeting Indonesian victims. This activity could be linked to an intelligence operation. 
We have been tracking this activity since December 27th of 2019. The main tools of this threat actor are built as DLL files and launched with these commands: &#8220;C:\\Windows\\System32\\rundll32.exe&#8221; shell32.dll,ShellExec_RunDLL regsvr32 \/s C:\\ProgramData\\pubpool.dll \/i:process104.dll &#8220;C:\\WINDOWS\\system32\\regsvr32.exe&#8221; \/s C:\\ProgramData\\pubpool.dll \/i:process104.dll [&hellip;]<\/p>\n","protected":false},"author":14,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[1],"tags":[],"class_list":{"0":"post-738","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-uncategorised","7":"entry","8":"has-post-thumbnail"},"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"ml10","author_link":"https:\/\/lab52.io\/blog\/author\/ml10\/"},"_links":{"self":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/738"}],"collection":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/comments?post=738"}],"version-history":[{"count":4,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/738\/revisions"}],"predecessor-version":[{"id":754,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/738\/revisions\/754"}],"wp:attachment":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media?parent=738"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/cat
egories?post=738"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/tags?post=738"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}