In April 2020, highly malicious cyber activity was detected in several Taiwan government agencies. In one environment alone, 30 of the thousands of endpoints scanned were confirmed to be infected, and a further 10 high-risk endpoints had received connections from those compromised endpoints. 10 key malware samples were discovered during these sophisticated targeted attacks; most of them were Waterbear Loader malware.
This article is Part 1 of a series of articles. Click here to read Part 2: Owlproxy Malware.
The attackers discovered and leveraged a weak point in a trusted and widely deployed data loss prevention (DLP) product in order to trigger their malware and maintain persistence. The government agencies targeted in April 2020 had already been compromised before the April attacks; CyCraft AIR (our automated detection and response platform) found that not all of the malware from the earlier intrusion had been removed during another vendor's IR investigation, which allowed the attackers to use the previously compromised endpoints yet again.
The discovered Waterbear Loader malware used several methods to evade defense. (Each method will be expanded upon later in the article.)
The attackers first compromised a user's endpoint and harvested administrative credentials from it. With those credentials they connected over RDP to a web server. Because the web server had connectivity to the rest of the network, the attackers mapped remote shares from it with "net use" (in effect proxying through the web server), which let them distribute malware directly to other endpoints.
As mentioned above, several malware samples were not removed during the previous IR investigation, so one endpoint in the victim's private network was still compromised. The attackers used this previously compromised internal endpoint as the C2 server for this attack.
One key feature of this attack was DLL Hijacking.
A DLL hijacking attack abuses the way Windows searches for and loads libraries, allowing attackers to run their code inside a trusted application simply by placing a file on disk. If a DLL with the expected name is dropped in a location the application searches first (or the application is otherwise steered to it), a vulnerable application loads the malicious DLL instead of the legitimate one.
The attackers leveraged a DLL hijacking weakness in the DLP software both to expand their defensive evasion capability and to persistently trigger the next-stage malware. The DLP software did not verify the integrity of the DLLs it loaded (for example, by checking their digital signatures), so it loaded the malicious DLL with its own high privilege.
The attacker modified LOG4C.DLL, a library loaded by the DLP agent, by implanting a new entry in its import table. The new entry forces the DLP software to load the malicious SecureFile.dll (listed as SECUFILE.DLL in the IOCs below) or libgid.dll. The loaded DLL then injects shellcode into system services, including Winmgmt, SENS, wuauserv and LanmanServer. Finally, the next-stage malware payload is invoked to communicate with the C2 server.
Next-stage malware file locations:
C[:]\PROGRAM FILES\XYZ\AGENT\ExportAgentConfig[.]dat
C[:]\Windows\PolicyDefinitions\TrayBar.admx
File-based scanners sometimes skip large files to keep scan times down. The attackers inflated the file size to bypass scanning altogether: the original oci[.]dll is 66.5 KB, but, as the CyberTotal screenshot above demonstrates, the oci[.]dll found on the victim had been enlarged to 130 MB, which was enough for numerous security scanning tools to ignore it.
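Both weaknesses described above, the implanted import-table entry in LOG4C.DLL and the inflated oci[.]dll, can be checked statically without running the binary. The script below is an added example written for this article; it is not CyCraft's tooling and not the DLP vendor's code. It parses just enough of a PE file to list the DLLs named in the import descriptor table, diffs them against a known-good baseline, and measures the overlay (bytes after the last section), which is where padding lands when a file is inflated by appending to it. The sample PE it builds is constructed in memory for the demonstration and is not executable; the DLL names in it (SecuFile.dll is taken from the IOC list) and the baseline list are illustrative, and a real check should compare against a vendor-supplied clean copy.

```python
import struct

# Data-directory slot that points at the import table (IMAGE_DIRECTORY_ENTRY_IMPORT).
IMPORT_DIRECTORY = 1


def _rva_to_offset(sections, rva):
    """Translate a relative virtual address into a file offset via the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def parse_pe(data):
    """Read just enough of the PE headers to find the section table and the import directory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at +96 in a PE32 optional header and at +112 in PE32+.
    dd = opt + (96 if magic == 0x10B else 112)
    import_rva = struct.unpack_from("<I", data, dd + 8 * IMPORT_DIRECTORY)[0]
    sections = []
    for i in range(num_sections):
        _name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    return sections, import_rva


def imported_dlls(data):
    """Return the DLL names in the import descriptor table, in table order."""
    sections, import_rva = parse_pe(data)
    if import_rva == 0:
        return []
    names, off = [], _rva_to_offset(sections, import_rva)
    while True:
        desc = struct.unpack_from("<IIIII", data, off)  # OFT, stamp, forwarder, Name, FT
        if not any(desc):                                # all-zero descriptor ends the table
            break
        name_off = _rva_to_offset(sections, desc[3])
        names.append(data[name_off:data.index(b"\0", name_off)].decode("ascii"))
        off += 20
    return names


def unexpected_imports(data, baseline):
    """DLLs this binary imports that a known-good copy did not (case-insensitive)."""
    known = {b.lower() for b in baseline}
    return [d for d in imported_dlls(data) if d.lower() not in known]


def overlay_size(data):
    """Bytes appended after the last section; padding here inflates the file without changing the image."""
    sections, _ = parse_pe(data)
    image_end = max((raw_ptr + raw_size for _, _, raw_ptr, raw_size in sections), default=0)
    return len(data) - image_end


def build_sample_pe(dll_names, overlay_bytes=0):
    """Constructed, non-executable PE32 with a single .idata section holding an import table."""
    SEC_RVA, SEC_RAW = 0x1000, 0x200
    desc_len = 20 * (len(dll_names) + 1)            # descriptors plus the zero terminator
    descs, name_blob = bytearray(), bytearray()
    for name in dll_names:
        name_rva = SEC_RVA + desc_len + len(name_blob)
        name_blob += name.encode("ascii") + b"\0"
        descs += struct.pack("<IIIII", 0, 0, 0, name_rva, 0)
    idata = descs + b"\0" * 20 + name_blob
    raw_size = (len(idata) + 0x1FF) & ~0x1FF          # FileAlignment 0x200
    idata += b"\0" * (raw_size - len(idata))
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMPORT_DIRECTORY, SEC_RVA, desc_len)
    sec = struct.pack("<8sIIIIIIHHI", b".idata", raw_size, SEC_RVA, raw_size, SEC_RAW,
                      0, 0, 0, 0, 0x40000040)                        # readable initialized data
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sec
    headers += b"\0" * (SEC_RAW - len(headers))
    return bytes(headers + idata + b"\0" * overlay_bytes)


if __name__ == "__main__":
    clean = build_sample_pe(["KERNEL32.dll", "MSVCRT.dll"])
    tampered = build_sample_pe(["KERNEL32.dll", "MSVCRT.dll", "SecuFile.dll"], overlay_bytes=1 << 20)
    print("unexpected imports:", unexpected_imports(tampered, imported_dlls(clean)))
    print("overlay bytes:", overlay_size(tampered))
```

Two caveats when running this against real files: the baseline must come from a clean copy of the same library version, since legitimate updates change imports too, and an overlay is only one way to inflate a file (a padded section or resource shows up as a large section instead), so also compare the total size against the vendor's catalog entry.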
The threat actor also abused the Windows IKEEXT service (IKE and AuthIP IPsec Keying Modules) to load yet more malware into memory, WLBSCTRL.DLL. On affected Windows versions this service, which runs as LocalSystem, tries to load WLBSCTRL.DLL at start-up even though no such DLL ships with Windows, so a copy planted in a directory on the DLL search path is loaded with SYSTEM privileges. We observe this service being widely abused by attackers.
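Because the legitimate WLBSCTRL.DLL does not exist, any copy reachable along the loader's search order is the payload, and the first directory that contains it is the one the service will load from. The following Python check is an added example (not CyCraft's detection logic): it walks a search order you supply, system directories first and then PATH entries, reports every copy of the phantom DLL and which one wins, and also lists PATH directories that do not exist, since a missing directory is one an attacker may be able to create. The simulated layout it builds in a temporary directory is constructed for the demonstration; on a real host you would pass the actual System32 path and os.environ["PATH"].

```python
import os
import tempfile

# With SafeDllSearchMode the loader consults the service's own directory and the system
# directories before PATH. Windows ships no wlbsctrl.dll, so any copy found is suspect.
PHANTOM_DLL = "wlbsctrl.dll"


def dll_search_order(system_dirs, path_entries):
    """Directories in the order the loader consults them, skipping empty PATH entries."""
    return list(system_dirs) + [p for p in path_entries if p]


def hunt_phantom_dll(dll_name, system_dirs, path_entries):
    """Locate every copy of dll_name along the search order and report which one would load."""
    hits, missing_dirs = [], []
    for directory in dll_search_order(system_dirs, path_entries):
        if not os.path.isdir(directory):
            missing_dirs.append(directory)      # absent PATH dirs can be created and abused
            continue
        # Compare case-insensitively: Windows does, and this keeps the check portable.
        for entry in os.listdir(directory):
            if entry.lower() == dll_name.lower():
                hits.append(os.path.join(directory, entry))
    return {
        "loaded_from": hits[0] if hits else None,   # first hit in search order wins
        "all_copies": hits,
        "missing_dirs": missing_dirs,
    }


def simulate_planted_dll():
    """Constructed scenario: the DLL is absent from System32 but planted in a PATH directory."""
    root = tempfile.mkdtemp()
    system32 = os.path.join(root, "Windows", "System32")
    tools = os.path.join(root, "Tools")
    for d in (system32, tools):
        os.makedirs(d)
    with open(os.path.join(tools, "WLBSCTRL.DLL"), "wb") as f:
        f.write(b"MZ")                           # placeholder bytes, not a real DLL
    ghost = os.path.join(root, "Old Apps")       # listed in PATH but never created
    return hunt_phantom_dll(PHANTOM_DLL, [system32], [tools, ghost, ""])


if __name__ == "__main__":
    print(simulate_planted_dll())
    if os.name == "nt":                          # live check on a Windows host
        system_root = os.environ.get("SystemRoot", r"C:\Windows")
        live = hunt_phantom_dll(PHANTOM_DLL,
                                [os.path.join(system_root, "System32"), system_root],
                                os.environ.get("PATH", "").split(os.pathsep))
        print(live)
```

A hit anywhere is a finding; the remediation is to remove the planted DLL, audit who can write to the directory it sat in, and review why IKEEXT was started if it is not needed.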
filename: libgid.dll
md5: e3be074e0da9ba0c3201ceea4dd972d6
sha1: cd8f49e467cf2f630c7f3b38a2e4c30e7bac6466
sha256: e69690e4f94a60678aefc3adb80eef484bb5ca4285a2d3aabc1bb8d975fb7610
filetype: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
family: Waterbear Loader
file_path: C[:]\Windows\PolicyDefinitions\TrayBar.admx
The Waterbear Loader malware revived a roughly 10-year-old antivirus evasion technique known as Heaven's Gate. In this particular case, the attackers used Heaven's Gate to inject shellcode into 64-bit system services from a 32-bit WoW64 process.
Because 64-bit and 32-bit programs differ, so do the mechanisms that analyze them. Malware equipped with Heaven's Gate contains both 32-bit and 64-bit parts, so a monitoring or analysis system that only instruments the 32-bit side (for example, by hooking the 32-bit API layer in WoW64) misses what the 64-bit part does; the technique therefore breaks some monitoring and analysis mechanisms.
Waterbear Loader also forced its own module to be unloaded after injecting, which lets it evade memory forensic tools that rely on the list of loaded modules.
The technique lets 32-bit malware hide its API calls by switching into the 64-bit environment: the calls are issued from 64-bit code, so the malicious logic stays hidden inside the loader and is difficult for an AV watching the 32-bit side to detect.
Heaven's Gate was at first considered an advanced technique, but over the last decade it has been observed in more and more rootkits and other malware, including the infamous Emotet trojan.
Even as use of Heaven's Gate spread, Microsoft's Control Flow Guard (CFG) in Windows 10 hindered the technique's effectiveness, because CFG prevents unsanctioned code transfers from WoW64 32-bit execution into the native 64-bit code space. However, as with most such techniques, attackers still use it when targeting legacy systems and the like, which again shows why organizations need to update their defenses early and often.
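A gate is only a handful of fixed x86 instructions, so a static scan can spot the canonical encodings in a 32-bit module or a memory dump. The scanner below is an added example, not CyCraft's detection logic: each byte pattern is the standard encoding of the instructions commented beside it, where selector 0x33 is the 64-bit code segment under WoW64 and 0x23 the 32-bit one. The sample blob is constructed for the demonstration (filler bytes with one entry gate, three bytes of 64-bit code, and one return gate).

```python
import re

# Canonical 32-bit -> 64-bit transitions used by Heaven's Gate loaders, as raw x86 opcodes.
GATE_PATTERNS = {
    # push 0x33 ; call $+5 ; add dword [esp], 5 ; retf  -> resumes at the next byte with CS=0x33
    "enter:push/call/retf": re.compile(
        rb"\x6a\x33\xe8\x00\x00\x00\x00\x83\x04\x24\x05\xcb", re.DOTALL),
    # push 0x33 ; push <addr32> ; retf                   -> far return to a fixed 64-bit stub
    "enter:push/push/retf": re.compile(rb"\x6a\x33\x68....\xcb", re.DOTALL),
    # jmp far 0x33:<addr32> (EA) or call far 0x33:<addr32> (9A)
    "enter:far-jmp/call": re.compile(rb"[\xea\x9a]....\x33\x00", re.DOTALL),
    # call $+5 ; mov dword [esp+4], 0x23 ; add dword [esp], 0xD ; retf -> back to 32-bit CS=0x23
    "leave:retf-to-0x23": re.compile(
        rb"\xe8\x00\x00\x00\x00\xc7\x44\x24\x04\x23\x00\x00\x00\x83\x04\x24\x0d\xcb", re.DOTALL),
}


def find_heavens_gate(code):
    """Return (offset, pattern_name) for every gate-like sequence in a byte blob, sorted by offset."""
    hits = []
    for name, pattern in GATE_PATTERNS.items():
        for match in pattern.finditer(code):
            hits.append((match.start(), name))
    return sorted(hits)


def build_sample_blob():
    """Constructed input: 1024 filler bytes, an entry gate, 64-bit 'xor rax, rax', a return gate, filler."""
    filler = bytes(range(256)) * 4
    enter = b"\x6a\x33\xe8\x00\x00\x00\x00\x83\x04\x24\x05\xcb"
    leave = b"\xe8\x00\x00\x00\x00\xc7\x44\x24\x04\x23\x00\x00\x00\x83\x04\x24\x0d\xcb"
    return filler + enter + b"\x48\x31\xc0" + leave + filler


if __name__ == "__main__":
    for offset, name in find_heavens_gate(build_sample_blob()):
        print(f"{offset:#08x}  {name}")
```

These signatures only cover the textbook encodings; a loader that computes the selector at run time or builds the far-return frame with separate moves will slip past them, so pair the scan with behavioral detection of cross-architecture injection into services, which is what gave this sample away.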
The following MITRE ATT&CK techniques were observed in this attack.
T1547.001 Registry Run Keys / Startup Folder
T1574.001 DLL Search Order Hijacking
T1027.002 Software Packing
T1070.006 Timestomp
T1021.001 Remote Desktop Protocol
MD5 (IOC)                        NAME
30DDEFC3093AFD7075A74BE30A381A3D SQLWVSS.DLL
C6EE3CEED5ADA7EE23FEB0E0CEA95193 IGTERM.DLL
8B4631B618D2B516A3D3EBC38B25D267 OCI.DLL
2FAAFC5D2C4BC6DE4D0B73B34FB7B379 SECUFILE.DLL
E3BE074E0DA9BA0C3201CEEA4DD972D6 LIBGID.DLL
F44805399017DAECF9E37F7190BCF699 WLBSCTRL.DLL
F10034D1D8F90F36FEA602A4128BAEBC SQLWVSS_NT.DLL
49D6C7FD1D47F345F64EEA6DA8591084 LOG4C.DLL
AE63EBAE30678DA8A7314A9427747BBE LIBGID.DLL
48AA2A38E5125C4E0E4A069C473F67FC LOG4C.DLL
1. Add listed IOCs to preventative solution blacklists.
2. Adjust detection and response solutions to detect listed IOCs.
3. Meticulously tracking down the root cause of an attack (not just the affected endpoint) and thoroughly removing all malware is not only paramount in an IR investigation but also prevents follow-on attacks like this one, which reused endpoints left infected after a previous response.
4. DLP software is widely deployed in sensitive organizations, is used daily, and often runs with high privilege, so DLP vendors and their customers both need to keep hardening it (including verifying the DLLs it loads) to maintain resilience even in the worst of situations.
5. Do not rely on a single security solution. Preventative solutions (e.g., firewalls, antivirus) and DLP solutions are no longer enough to maintain resilience during an attack of this sophistication. AI-driven detection and response solutions, such as our award-winning CyCraft AIR, not only reduce mean dwell time but also increase SOC efficiency, automate investigations, and reduce alert fatigue.
Writer: CyCraft
CyCraft is a cybersecurity company founded in 2017, focusing on autonomous AI technology. Headquartered in Taiwan, it has subsidiaries in Japan and Singapore. CyCraft provides professional cybersecurity services to government agencies, police and defense forces, banks, and high-tech manufacturers throughout the Asia-Pacific region. It has received strong backing from the CID Group and Pavilion Capital, a Temasek Holdings Private Limited subsidiary.