{"id":788,"date":"2020-03-23T13:33:45","date_gmt":"2020-03-23T12:33:45","guid":{"rendered":"https:\/\/lab52.io\/blog\/?p=788"},"modified":"2020-03-23T14:22:52","modified_gmt":"2020-03-23T13:22:52","slug":"apt-c-36-new-anti-detection-tricks","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/apt-c-36-new-anti-detection-tricks\/","title":{"rendered":"APT-C-36 new anti-detection tricks"},"content":{"rendered":"\n

Lab52 has recently detected an increase in the efforts carried out by APT-C-36 to improve their capabilities to remain undetected by Anti Malware software, using a more complex infection chain than a simple packer, as they have been doing so far.<\/p>\n\n\n\n

The\nsample detected using this new detection evasion technique has a name\nand icon that tries to supplant a PDF document, which is already a\ncommon TTP of this group. \n<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Until\nnow, these binaries were executables packed with common anti-virus\ncircumvention software, but in this case it is an “SFX\nInstaller” that contains a bunch of files, including some that\nare simply trash and others that are part of the infection chain:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

When these installers are executed, they create a temporary folder on the system, where they dump all the files they contain, and then execute one of them as an “Entry Point” in the execution\/infection chain. <\/p>\n\n\n\n

In this case, it is called gospels.exe:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n

This\nexecutable consists of a very small program that simply loads\ndynamically the library “Quoteworthy.dll” that is near the\nbinary, and calls its exported function “Excluders”,\npassing as parameters some system APIs resolved by the original\nexecutable:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

The\nDLL’s Excluders function simply calls two internal functions:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

The first one (unk_6D321170), consists of code that is part of the DLL, and that is in charge of deciphering (with an XOR algorithm) a buffer contained in the .data section of the library. Inside this buffer, the function ignores out of every 4 bytes (since they are zeros). After building this buffer, it reserves a memory area with execution permissions and copies there the decoded content. Then it creates an array of 7 elements in which it stores the string “Boondoggle” (which corresponds to a binary file inside the temporary folder), 4 numbers, and the pointers to the functions “GetProcAddres” and “GetModuleHandleA” that match with the ones received as parameters by this DLL:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n

After that, the first function of this DLL ends and calls the second one, which, at this point of the execution, points to the memory area where it was written the decoded shellcode, and to which it passes as parameter the before mentioned 7-element array.<\/p>\n\n\n\n

Once\nit jumps to that shellcode, using GetProcAddres and GetModuleHandle,\nit extracts a list of Kernel32 Functions that are “hardcoded”:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

It\nloads the “Boondoggle” file with the CreateFile API and\nmakes a decode with the same XOR key as before, from which it decodes\na new complete executable and a small “PE Loader” that\nallows it to load the executable into memory using the technique\nknown as “ReflectivePEInjection” either in the process\nitself or in a remote process.<\/p>\n\n\n\n

After this, it runs the decrypted binary, which repeats the same logic over another section of the “Boondoggle” from which it extracts a second executable, this time consisting of a copy of the “OllyDBG” plug-in called “OllyDBG PE Dumper” which contains overwritten malicious code that is called.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

This\ndll extracts the final threat and in case the initial binary\n“gospels.exe” had been executed from the installer arriving\nby mail, it has been observed that it is injected in a legitimate new\nprocess “cmd.exe”. On the other hand, in case it is loaded\nthrough its persistence in the registry, it is injected in the\nprocess “gospels.exe” itself.<\/p>\n\n\n\n

An interesting point of this stage of infection is that it tries to remove a file called “turpitude.exe” that should be located in the user’s %APPDATA% folder, but no trace has been observed at any point of the analysis, thus it could be an attempt to clean up tools from previous campaigns of this group, although it has not been able to confirm this fact through the analysis of the threat.<\/p>\n\n\n\n

Eventually, the final threat remains completely deployed in the memory of the machine, which in this case consists on the “Remcos” remote acces trojan.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

This threat contacts the command and control domain “pruebaremc.]duckdns.org” through port “1010”.<\/p>\n\n\n\n

IOCS:<\/p>\n\n\n\n
SHA256<\/td> E03903AFC4DC4A9DEEDF5442B6D1C8319194F57F1D7620A9C4EBC7D61C436B70 <\/td><\/tr>
DNS<\/td> pruebaremc.duckdns.]org <\/td><\/tr><\/tbody><\/table>\n","protected":false},"excerpt":{"rendered":"

Lab52 has recently detected an increase in the efforts carried out by APT-C-36 to improve their capabilities to remain undetected by Anti Malware software, using a more complex infection chain than a simple packer, as they have been doing so far. The sample detected using this new detection evasion technique has a name and icon […]<\/p>\n","protected":false},"author":5,"featured_media":802,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[1],"tags":[],"class_list":{"0":"post-788","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-uncategorised","8":"entry"},"featured_image_src":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/03\/Captura-de-pantalla-de-2020-03-23-13-41-51.png","featured_image_src_square":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/03\/Captura-de-pantalla-de-2020-03-23-13-41-51.png","author_info":{"display_name":"JagaimoKawaii","author_link":"https:\/\/lab52.io\/blog\/author\/jagaimokawaii\/"},"_links":{"self":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/788"}],"collection":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/comments?post=788"}],"version-history":[{"count":7,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/788\/revisions"}],"predecessor-version":[{"id":807,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/788\/revisions\/807"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media\/802"}],"wp:attachment":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media?parent=788"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/categories?post=788"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/tags?post=788"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}