CYCRAFT PRESS RELEASE
#TLP/WHITE
2019-09-01

Possible Hidden Malicious Campaign Targeting Financial Sector Using Sophisticated Malware and Valid Certificates

Executive Summary

In this article, we share a surprising discovery we found when studying the ASUS Live Update attack that occurred during March of 2019. Our research shows the possible presence of another malicious operation that seemingly targeted the financial sector. Below are our key takeaways.

  • Four distinct valid certificates were utilized in this operation, which indicates that certificates cannot be 100% trusted.
  • Although the certificate owner was not the program's developer, no warning was triggered because the certificate itself was valid.
  • The discovered malware employed sophisticated techniques:

    • Modified a normal Portable Executable (PE) file and replaced a function in the commonly used CRT library to avoid detection.
    • Inserted huge amounts of junk instructions/functions to obfuscate instructions and control flow.
    • Used a "busy loop" to compute the decryption key for the next stage payload.
    • Used in-memory process hollowing to obstruct forensic analysis.
    • Encoded the payload in multiple layers, hiding the final motive.
  • Several social engineering tricks were used to confuse victims. Specifically, various phishing websites were used, and the financial sector seemed to be the main target.

    • A social engineering trick used the lookalike domain pcisecuritysstandards[.]org to deceive financial sector victims.
    • A fake Adobe Download Manager with a legitimate digital signature was used to pose as a legitimate program.

Surprising Discovery from ASUS LIVE UPDATE Malware Hunting

This financial sector attack was inadvertently discovered during our investigation of Operation ShadowHammer[1], which was an advanced persistent threat (APT) targeting certain ASUS users. Compromising the update mechanism of the ASUS Live Update platform, the legitimate certificate and the trusted dispatch channel made it easy for the attacker to mask their malicious activities. While Operation ShadowHammer highlighted the severity of a supply chain attack, our research team dug deeper to see if there was any other malware utilizing the fake ASUS Live Update service.

Our research involved developing several Yara rules and malware hunting techniques on VirusTotal. For instance, the ShadowHammerDropper rule, shown in Fig. 1, detected the string "ASUS Live Update" and the resource name "EXE". Another rule, ShadowHammerSigned, determined whether ASUS certificates were used. We also implemented several rules for detecting ShadowHammer's malware. The results revealed several malware samples, including ones unrelated to ShadowHammer. Among these unrelated samples, we were particularly interested in the following three. Since they carried valid certificates, they would not be flagged by most anti-virus software.

  • 5c23eb19db84a7fc1755040c6cdfec6d2dc83920385c340b95217dd7752c7c6b
  • 9c34fa3ab4cbb982f30602703caf3ad1a5971d1c53502823c3e8d271f8d46768
  • 31d1bc9911cdcd9af78c0a215417699a9406fcd4e7802c3d2f0e7cff4477f384

A more detailed analysis is presented in the following sections.

Fig. 1. Shadow Hammer Hunting Yara Rule

Overall Attack Graph

Based on the behavior of these samples, they can be classified into two types of payload, as depicted in Fig. 2 and Fig. 3. The type 1 malware was downloaded from the phishing website https[:]//pcisecuritysstandards[.]org/, a lookalike domain that tricked users into thinking they were on the legitimate PCI Security Standards Council website. Because of this social engineering attempt, we believe these malware samples were aimed at the financial sector. The downloaded malware pretended to be Adobe Download Manager and caused users to download another type of malware from the second stage C2, statistic.data-akamai[.]com. The final payload was a Cobalt Strike backdoor. Compared to type 1, the type 2 malware did not involve a second-stage process, but directly dropped and executed the Cobalt Strike backdoor.

Fig. 2. Type 1 malware behavior graph

Fig. 3. Type 2 malware behavior graph

First Stage Dropper

Fig. 4. CTI info of the first stage dropper

Basic information on the first stage dropper (31d1bc9911cdcd9af78c0a215417699a9406fcd4e7802c3d2f0e7cff4477f384) is shown in Fig. 4. Our threat intelligence platform gave it a MEDIUM threat rating. The first stage dropper was a fake Adobe Download Manager with legitimate signatures (FOURSTAR SOLUTIONS LTD and AUSTEK CONSULTING LIMITED), coded in C++ without obfuscation or packing.

A very important feature of the first stage dropper was that a valid certificate was used to sign this malware, causing many security vendors to treat it as a benign program and thereby increasing the likelihood of a system compromise. The malware used the name “AUSTEK CONSULTING” as a lookalike for “ASUSTeK Computer Inc” to confuse victims. The inconsistency between the certificate owner and the program's purpose highlights the risk: certificates cannot be regarded as a foolproof way to establish trust.
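One defensive check that follows from this observation, as an added example that is not part of the report: compare the Authenticode signer name against the publisher claimed in the PE version info, and flag signers whose leading name merely resembles a watched vendor. The sample metadata, the vendor watchlist and the 0.6 similarity threshold are constructed assumptions; pulling the real signer and version-info fields out of a file is left to tooling such as pefile or signtool.

```python
import re
from difflib import SequenceMatcher

# Constructed sample metadata (not extracted from the real samples): the
# Authenticode signer and version-info fields a PE inspection would yield.
SAMPLES = {
    "fake_liveupdate": {"signer": "AUSTEK CONSULTING LIMITED",
                        "company": "ASUSTeK Computer Inc.",
                        "product": "ASUS Live Update"},
    "benign_tool": {"signer": "Example Software GmbH",
                    "company": "Example Software GmbH",
                    "product": "Example Backup"},
}

# Vendors whose names are worth watching for lookalike signers (assumed list)
WATCHLIST = ["ASUSTeK Computer Inc.", "Adobe Inc.", "Microsoft Corporation"]

def normalize(name: str) -> str:
    """Lower-case and drop punctuation and corporate suffixes so that
    'ASUSTeK Computer Inc.' and 'asustek computer' compare equal."""
    n = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    n = re.sub(r"\b(inc|ltd|limited|llc|gmbh|corp|corporation|co|computer)\b", " ", n)
    return " ".join(n.split())

def brand(name: str) -> str:
    """First token of the normalized name, i.e. the part a lookalike copies."""
    tokens = normalize(name).split()
    return tokens[0] if tokens else ""

def assess(meta: dict, threshold: float = 0.6) -> list:
    """Findings for one binary: signer/publisher mismatch, plus signer brands
    that resemble (but do not equal) a watched vendor's brand."""
    findings = []
    if normalize(meta["signer"]) != normalize(meta["company"]):
        findings.append("signer differs from version-info CompanyName")
    for vendor in WATCHLIST:
        score = SequenceMatcher(None, brand(meta["signer"]), brand(vendor)).ratio()
        if score >= threshold and brand(meta["signer"]) != brand(vendor):
            findings.append(f"signer brand resembles {vendor} ({score:.2f})")
    return findings

if __name__ == "__main__":
    for label, meta in SAMPLES.items():
        print(label, assess(meta) or ["no findings"])
```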

Fig. 5 shows the reversed code snippet of the malware. The malware extracted the second stage malware from its resource section and invoked it via ShellExecuteA. The second stage components, RC/101 and RC/102, were dropped to C:\Windows\System32. RC/102 was a service launcher that installed RC/101 as a service.

Fig. 5. Code drop and next stage malware installation

Second Stage Payload

The second stage payload consisted of a backdoor (RC/101) and a service launcher (RC/102), which were embedded in the resource section. Each discovered dropper dropped two files from the resource to C:\Windows\System32\ with the following names:

  • 5c23eb19db84a7fc1755040c6cdfec6d2dc83920385c340b95217dd7752c7c6b

    • RC/101: PhotoScreensaver.exe
    • RC/102: pssvc.exe
  • 31d1bc9911cdcd9af78c0a215417699a9406fcd4e7802c3d2f0e7cff4477f384

    • RC/101: LiveUpdate.exe
    • RC/102: LiveUpdate.Service.exe
  • 9c34fa3ab4cbb982f30602703caf3ad1a5971d1c53502823c3e8d271f8d46768

    • RC/101: LiveUpdate.exe
    • RC/102: LiveUpdate.Service.exe

As an example, the main routine of the service launcher (RC/102) is shown in Fig. 6.

Fig. 6. Service launcher/installer main routine

Obfuscation Technique

We found two types of second stage payload. One was a downloader, while the other was the Cobalt Strike backdoor itself. The payload was encoded three times to evade detection.

An interesting technique employed by this malware was modifying __tmainCRTStartup in the CRT to carry the malicious behavior, as illustrated in Fig. 7a. Meanwhile, some function calls were redirected to __security_init_cookie. Since it is highly unlikely for this function to fail, nothing would be triggered by the subsequent error checking even after the changes: there would be no early exits, and the program would execute normally. Thus, the implanted malware runs more robustly. Since the CRT is very common in normal executables and reverse engineers usually skip over it, this increases the chances for the malware to avoid detection.

Since the memory protection attribute of the .text section was changed to read-write-execute, self-modifying code (SMC) was evidently in use. A busy-loop-like routine computed the XOR key "CCCMMM", as shown in Fig. 7b. Billions of instruction cycles were required, causing a delay of a few seconds that allowed it to evade emulation-based detection.

The first layer released a shellcode followed by a UPX-packed module into memory and used a process hollowing trick to execute the UPX-packed module as the second layer. The payload inside the UPX-packed module released the Cobalt Strike backdoor as shellcode into memory, where it was executed with ReflectiveLoader. Fig. 8 shows part of the memory released by the first layer. The MZ header indicates an embedded PE structure, which would be loaded later, and the UPX0 string indicates the module was packed with UPX. Thus, it could be extracted from memory and unpacked.

Fig. 7a. Comparison between original and modified __tmainCRTStartup

Fig. 7b. Routine for xor key calculation

Fig. 8. Shellcode and UPX packed payload

Type 1: Cobalt Strike backdoor

The Cobalt Strike backdoor dropped by the fake Adobe Download Manager masqueraded as the ASUS Live Update utility. The backdoor could upload files, download files, inject shellcode, execute PowerShell scripts, and so on, as shown by our reversing result in Fig. 11. In Fig. 9, the resource information of this malware, the "LiveUpdate" string appears in the Version Info. Another resource contains a dialog template similar (or identical) to the ASUS Live Update one, as shown in Fig. 10.

Fig. 9. Metadata from fake ASUS LiveUpdate utility

Fig. 10. UI resource from fake LiveUpdate utility

Fig. 11. Cobalt Strike command dispatcher

Type 2: Downloader

The other way to invoke the final stage malware was via a downloader. The downloader fetched shellcode from https[:]//statistic.data-akamai[.]com/eYVU and executed it in memory without dropping any file. According to our threat intelligence platform, this domain once resolved to 23[.]106.215.179, an IP known to be involved in previous attacks, as shown in our CTI platform in Fig. 11. The final stage shellcode (eYVU) was also a Cobalt Strike backdoor, similar to the one described above.

Fig. 11. Basic information of 23.106.215[.]179

Cobalt Strike Backdoor C2 Config

Since Cobalt Strike is a general-purpose backdoor, little can be inferred from the backdoor itself. Thus, a more in-depth analysis of the C2 config was made to obtain further information. We developed a script, shown in Fig. 12, to decrypt and deserialize the C2 config from the extracted shellcode. The C2 config data blob is a list of records, each consisting of an index, a type, and data. There are three possible types: short, int and bytes. Tab. 1 shows the three Cobalt Strike configs that appeared in this attack.
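The record layout described above, as an added example that is not the script from Fig. 12: a small Python deserializer for the index/type/data records. The single-byte XOR layer (0x69 for Beacon 3.x), the big-endian uint16 header fields and the ID-to-name mapping are assumptions taken from public Beacon analyses, and the blob is constructed here rather than extracted from a sample.

```python
import struct

# Record types in a Beacon config blob; public parsers agree on these values
T_SHORT, T_INT, T_BYTES = 1, 2, 3

# Subset of the config ID-to-name mapping, assumed from public Beacon analyses
# (not the mapping in the report's Fig. 12)
CONFIG_IDS = {1: "BeaconType", 2: "Port", 3: "SleepTime", 5: "Jitter",
              8: "C2Server", 9: "UserAgent", 10: "HttpPostUri"}

def decode_config(blob: bytes, xor_key: int = 0x69) -> dict:
    """Strip the single-byte XOR layer and deserialize the record list.
    Each record is big-endian: uint16 index, uint16 type, uint16 length, data.
    0x69 is the Beacon 3.x key and 0x2e the 4.x key (assumption, public analyses)."""
    data = bytes(b ^ xor_key for b in blob)
    records, off = {}, 0
    while off + 6 <= len(data):
        idx, typ, length = struct.unpack_from(">HHH", data, off)
        off += 6
        if idx == 0:                      # terminator record ends the list
            break
        chunk = data[off:off + length]
        if len(chunk) != length:
            raise ValueError(f"truncated record {idx} at offset {off}")
        off += length
        if typ in (T_SHORT, T_INT):
            value = int.from_bytes(chunk, "big")
        elif typ == T_BYTES:
            value = chunk.rstrip(b"\x00")  # fixed-size fields are NUL padded
        else:
            raise ValueError(f"unknown record type {typ} for index {idx}")
        records[CONFIG_IDS.get(idx, f"id_{idx}")] = value
    return records

def encode_record(idx: int, typ: int, payload: bytes) -> bytes:
    """Build one record; used here only to construct the sample blob below."""
    return struct.pack(">HHH", idx, typ, len(payload)) + payload

# Constructed sample blob (not from any real sample): beacon type 8, port 443,
# 60 s sleep, a placeholder C2 host, then the terminator record.
_PLAIN = (encode_record(1, T_SHORT, struct.pack(">H", 8))
          + encode_record(2, T_SHORT, struct.pack(">H", 443))
          + encode_record(3, T_INT, struct.pack(">I", 60000))
          + encode_record(8, T_BYTES, b"c2.example.invalid".ljust(32, b"\x00"))
          + encode_record(0, 0, b""))
SAMPLE_BLOB = bytes(b ^ 0x69 for b in _PLAIN)

if __name__ == "__main__":
    for name, value in decode_config(SAMPLE_BLOB).items():
        print(f"{name}: {value}")
```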

Fig. 12. Backdoor Config ID Mapping & Deserializer Result

Tab. 1. Parsed Cobalt Strike Config

Summary

In this white paper, we share our investigation results about an attack on the financial sector. Four distinct valid certificates were utilized in this attack. We not only show how this meticulous long-term attack plan was stealthily implemented, but also highlight the dangers when certificates are taken advantage of. Some of the malware was equipped with sophisticated techniques, such as replacing a function in the commonly used CRT library to avoid detection, inserting junk instructions to frustrate signature-based and control flow-based detection mechanisms, and in-memory process hollowing. In view of the various phishing websites that were used, this paper serves as an important reminder that social engineering tricks are still an effective method to confuse victims. Finally, the related indicators of compromise (IoCs) are listed below for further investigation.

Reference

[1] Kaspersky GReAT, 2019, March 25, “Operation ShadowHammer,” Retrieved from https://securelist.com/operation-shadowhammer/89992/

IOC

Files

  • 5c23eb19db84a7fc1755040c6cdfec6d2dc83920385c340b95217dd7752c7c6b

    • 2ce9445576817aaba591cf4b181bf6e088f05670e1833687205ce0f3e7fe3218
    • 7c1a60351e3ea2c5fcfcfe4f39311cab934ab76e1b0e7799718a9e0b1a69b984
  • 9c34fa3ab4cbb982f30602703caf3ad1a5971d1c53502823c3e8d271f8d46768

    • 4ac603869822d56c5180e21b925a17c5644aed4305b1ff2efcb28a792431a0c6
    • 1cbc014cf87bc75e7a72ef851fc719a551d9ba40d2109f7090a4b1905dccca8c
  • 31d1bc9911cdcd9af78c0a215417699a9406fcd4e7802c3d2f0e7cff4477f384

    • 0cedccf32d51f7a9fda8646226e0b3f3cd55109c54fba2e2f1b6a3ac9edbf826
    • 59ba40b2795f3943e9959578d4f5d0f395d5dd1640b3f088ef7878db63b4c0f8

IP / Domain

  • 23[.]106.215.179
  • statistic.data-akamai[.]com
  • {1,100,2398,3696,4686,5246,5899,7121,8196,8266,8703,8708,8879,10030,10692,12649,12723,13024,13305,13970,14615,15383,15815,15827,16102,16423,16974,18300,18504,20536,21031,21179,22867,23570,23574,24191,24422,26598,27217,28197,29639,31003,33283,34052,34163,34491,34525,34777}.{pnt,revise,datamg}.data-akamai[.]com

Certificates

  • Cert 1

    • AUSTEK CONSULTING LIMITED
    • Serial: 0c17eea5816be02716cc500b9b14db3c
    • Used to sign dropper itself
  • Cert 2

    • Recogg Limited
    • Serial: 00b157bf6d148ca2406115091d73b38cda
    • Used to sign the launcher and malware embedded in the dropper resource (RES/RC/{101,102})
  • Cert 3

    • Noahab Ltd
    • Serial: 4eb0878fcc243536b2d8c9f7bf395577
    • Used in another related launcher 7c1a60351e3ea2c5fcfcfe4f39311cab934ab76e1b0e7799718a9e0b1a69b984
  • Cert 4

    • FOURSTAR SOLUTIONS LTD
    • Serial: 05bbcaa3a44dca3f49fa08aa6446f6ab
    • File: 5c23eb19db84a7fc1755040c6cdfec6d2dc83920385c340b95217dd7752c7c6b