CB TAU Threat Intelligence Notification: Hunting APT28 Downloaders

2019-04-05T17:22:54
ID CARBONBLACK:9EA489ED6A1E01B5B462F9B9996060DA
Type carbonblack
Reporter Ryan Murphy
Modified 2019-04-05T17:22:54

Description

Recently the Carbon Black Threat Analysis Unit (TAU) analyzed the APT28 downloaders SedUploader and Zebrocy, which have been observed over the previous six months.

There have been several good publications covering the code analysis of SedUploader and Zebrocy already [1][2][5][6][7][9]. Therefore, in this article we focus on how to generate YARA rules from the binary code for hunting. We also provide a tool for decoding Zebrocy strings.

Carbon Black product specific content can be located in the User Exchange.

Detail

SedUploader

SedUploader is a downloader that APT28 has used for a long time. At least four variants were observed from Dec 2018 to Feb 2019. Two of them were used in attempts to compromise institutional entities in eastern Europe [3][4].

The strings in SedUploader are encoded with a simple rolling XOR; the key differs in each sample.
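As an added illustration (not Carbon Black's code or the SedUploader routine itself), the following Python shows what a cyclic rolling XOR of this kind looks like from the analyst's side: decoding with a key taken from Table 1, and recovering the per-sample key from one known decoded string once the key length has been read from the decoding loop. It assumes that "rolling XOR" means byte i is XORed with key[i mod keylen]; the plaintext is constructed.

```python
# Added example: cyclic rolling-XOR string decoding and known-plaintext key
# recovery. Assumption: the scheme is out[i] = in[i] ^ key[i % len(key)].

# Key of the sample with MD5 549726b8bfb1919a343ac764d48fdc81 (Table 1, length 0xa).
KEY_549726 = bytes.fromhex("2d 30 71 1b 07 0f 43 2d 56 2a")


def rolling_xor(data: bytes, key: bytes) -> bytes:
    """Apply the cyclic XOR; encoding and decoding are the same operation."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Recover a rolling-XOR key from one known decoded string.

    Because ct[i] = pt[i] ^ key[i mod n], the first key_len bytes of ct ^ pt
    are the key. key_len is what the analyst read from the decoding loop (the
    "key length" column of Table 1). The remaining bytes of the XOR stream
    must repeat with that period, which is checked so a wrong length or a
    string that was not encoded this way is reported instead of silently
    producing garbage.
    """
    if len(known_plaintext) < key_len or len(ciphertext) < len(known_plaintext):
        raise ValueError("need at least key_len bytes of known plaintext")
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))
    key = stream[:key_len]
    for i in range(key_len, len(stream)):
        if stream[i] != key[i % key_len]:
            raise ValueError(f"XOR stream does not repeat with period {key_len}")
    return key


def is_printable(data: bytes) -> bool:
    """Cheap sanity check for a candidate decoding: all bytes printable ASCII."""
    return bool(data) and all(0x20 <= b < 0x7F for b in data)


# Constructed sample (not real sample data): a plaintext encoded with the
# Table 1 key, standing in for an encoded string carved out of a binary.
SAMPLE_PLAINTEXT = b"constructed sample: decoded configuration string"
SAMPLE_ENCODED = rolling_xor(SAMPLE_PLAINTEXT, KEY_549726)


if __name__ == "__main__":
    decoded = rolling_xor(SAMPLE_ENCODED, KEY_549726)
    print(decoded, is_printable(decoded))
    print(recover_key(SAMPLE_ENCODED, SAMPLE_PLAINTEXT, 0xA).hex(" "))
```

The periodicity check in recover_key is the useful part when triaging a new variant: if the recovered stream does not repeat with the length read from the loop, either the length was misread or the sample changed its scheme, and the YARA rule below would need re-checking too.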

Figure 1: function decoding with rolling xor in SedUploader

| MD5 | key length | key |
|---|---|---|
| 549726b8bfb1919a343ac764d48fdc81 | 0xa | 2d 30 71 1b 07 0f 43 2d 56 2a |
| ebdc6098c733b23e99daa60e55cf858b | 0x11 | 5f 31 21 5e 6c 24 77 74 69 3a 16 1e 13 03 0a 0a 0f |
| 70213367847c201f65fed99dbe7545d2 | 0x11 | 5f 31 21 5e 6c 24 77 74 69 3a 16 1e 13 03 0a 0a 0f |
| c4601c1aa03d83ec11333d7400a2bbaf | 0x11 | 56 75 5b 11 6c 58 06 37 22 72 20 5a 47 7c 16 32 36 |

Table 1: key information for each sample

The key and key length are not fixed, but the code of the decoding function does not change, so every variant can be detected by writing a YARA rule for that code.

yara_fn.py [11] is an IDAPython script written by Willi Ballenthin that outputs a YARA rule from the code of a selected function. TAU modified the script to calculate fixup (relocation) sizes correctly and to exclude direct memory references and other variable code that can be ignored. The code bytes extracted by the script are shown in Figure 2: immediate values, near addresses and the like are replaced with the wild-card "??". This exclusion lets the rule keep detecting new variants as long as the actor continues to use the same obfuscation algorithm.

Figure 2: extracted code bytes of the function

The final rule is on Carbon Black's GitHub repo. Because the decoding function is small, the code bytes of a second function that also uses a rolling XOR were added to the rule.

Zebrocy downloader

ESET describes Zebrocy as a set of downloaders, droppers and backdoors: the downloaders and droppers perform reconnaissance, while the backdoors implement persistence and spying activities against the target [9]. Palo Alto also reported APT28's "Dear Joohn" campaign from Oct 2018 to Nov 2018, targeting NATO-aligned nation states [5][6]. Additionally, Trendmicro reported that some Japanese organizations were targeted during the same period [8]. Zebrocy downloader variants were used by the actor in both cases.

Creating a YARA rule for the Zebrocy downloader is not as straightforward as SedUploader due to the use of various programming languages such as C++, Delphi, .NET, AutoIt, and Go. However, most of the variants utilize a hex-ascii string decoding function in common (e.g., decoding "636D642E657865202F63" to "cmd.exe /c"), so we can define rules based on those functions even though the code bytes are different for each language.

TAU also created a string decoder script for the Delphi and Go variants. The script searches for the hex-ascii string patterns and outputs the decoded strings.

As Palo Alto and Trendmicro pointed out, there are two Zebrocy downloader variants. TAU refers to the first binary, dropped by the malicious document file, as type1, and to the second binary, downloaded by the first one, as type2. To decode properly, we have to identify the variant before running the script, since each type has a different decoding algorithm (one inserts dummy characters such as "#\-=@%$") and a different string type (ascii or unicode). The YARA rules can be used to tell the types apart: "fancybear_zebrocy_downloader1_" is the type1 rule and "fancybear_zebrocy_downloader2_" is the type2 rule.

If the binary is type2, the script must be run with the -u option.

To handle Go variants, add the -s option. Note that not every Go sample uses the obfuscation routine.

Because Go does not delimit strings, some characters are wrongly appended or dropped (rgStart->PrgStart, fPwmic->wmic, TIhttp->http). To obtain an exact result, the string length has to be extracted with IDAPython.
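The following Python is an added example, not TAU's decoder script, of the hex-ascii string search the passage above describes: it locates runs of hex pairs in a blob, optionally tolerating the dummy characters and UTF-16LE (unicode) layout, hex-decodes them, and keeps only results that are printable. It assumes the dummy-character set is exactly the "#\-=@%$" the page quotes; which layout belongs to type1 and which to type2 is left to the caller (the page's -u option suggests type2 is the unicode one), and the real script's -u/-s handling is not reproduced. The sample blobs are constructed.

```python
import re

# Added example: locate and decode Zebrocy-style hex-ascii strings, e.g.
# "636D642E657865202F63" -> "cmd.exe /c".
# Assumption: dummy characters inserted between hex pairs are exactly "#\-=@%$".
DUMMY_CHARS = b"#\\-=@%$"


def build_pattern(unicode: bool, allow_dummy: bool, min_pairs: int = 4) -> "re.Pattern[bytes]":
    """Regex for a run of at least min_pairs hex pairs.

    unicode=True matches UTF-16LE text (each character followed by 0x00);
    allow_dummy=True tolerates dummy characters between the pairs.
    """
    sep = b"\x00" if unicode else b""
    digit = b"[0-9A-Fa-f]" + sep
    pair = digit + digit
    if allow_dummy:
        pair += b"(?:[" + re.escape(DUMMY_CHARS) + b"]" + sep + b")*"
    return re.compile(b"(?:" + pair + b"){" + str(min_pairs).encode() + b",}")


def decode_hex_string(raw: bytes, unicode: bool) -> str:
    """Strip UTF-16 padding and dummy characters, then hex-decode."""
    if unicode:
        raw = raw.replace(b"\x00", b"")
    cleaned = bytes(b for b in raw if b not in DUMMY_CHARS)
    return bytes.fromhex(cleaned.decode("ascii")).decode("latin-1")


def find_strings(blob: bytes, unicode: bool = False, allow_dummy: bool = False,
                 min_pairs: int = 4) -> list:
    """Return (offset, decoded) for every hex-ascii run that decodes to printable text."""
    pattern = build_pattern(unicode, allow_dummy, min_pairs)
    found = []
    for m in pattern.finditer(blob):
        decoded = decode_hex_string(m.group(0), unicode)
        # Hex runs occur naturally in binaries; only printable decodings are
        # worth an analyst's attention.
        if decoded and all(0x20 <= ord(c) < 0x7F for c in decoded):
            found.append((m.start(), decoded))
    return found


# Constructed sample blobs (not real sample data): a plain ASCII layout and a
# UTF-16LE layout with dummy characters between the hex pairs.
SAMPLE_ASCII = (b"\x00\x00MZ" + b"636D642E657865202F63"
                + b"\x00\xffjunk" + b"77696E646972" + b"\x00")
SAMPLE_UNICODE_DUMMY = (b"\x10\x20"
                        + "63#6D-64=2E@65%78$65\\20-2F#63".encode("utf-16-le")
                        + b"\x00\x00A")


if __name__ == "__main__":
    print(find_strings(SAMPLE_ASCII))
    print(find_strings(SAMPLE_UNICODE_DUMMY, unicode=True, allow_dummy=True))
```

Running the ASCII pattern over the unicode blob finds nothing, which is why the variant has to be identified before decoding. The Go caveat shows up the same way: a stray hex digit glued to the front of a run (as in "A636D642E657865202F63") shifts the pair alignment, the decoding is no longer printable, and the string is dropped rather than recovered.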

YARA rules

The rules are available publicly here.

Tools

The tool for decoding Zebrocy strings is here.

The modified yara_fn.py is published here as part of fn_fuzzy, a fast multiple-binary diffing triage tool for IDA Pro. fn_fuzzy will be introduced in the next blog post.

Indicators of Compromise (IOCs)

| Indicator | Type | Context |
|---|---|---|
| 0a842c40cdbbbc2bf5a6513e39a2bd8ea266f914ac93c958fda8c0d0048c4f94 / 549726b8bfb1919a343ac764d48fdc81 | SHA256 / MD5 | SedUploader payload, compiled on 2018-11-21 [3] |
| 7cb0bb528dca188ae73d66d8739bd9d2bf04a6c7e5c805e9b3b92858eb118bf4 / ebdc6098c733b23e99daa60e55cf858b | SHA256 / MD5 | SedUploader payload, compiled on 2018-12-07 [4] |
| de660457cab011deedf4c1a142021b8702ab94ce71dc5e0c75300253e7db3ee0 / 70213367847c201f65fed99dbe7545d2 | SHA256 / MD5 | SedUploader payload, compiled on 2018-12-07 |
| 6b57c77a9f2d8501f34097b60ae0d455186eeecb615e40df1bf48e597ba0a729 / c4601c1aa03d83ec11333d7400a2bbaf | SHA256 / MD5 | SedUploader payload, compiled on 2019-01-28 |
| beatguitar.com | Domain | SedUploader C2 [3] |
| photopoststories.com | Domain | SedUploader C2 [4] |
| wmdmediacodecs.com | Domain | SedUploader C2 |
| e5aece694d740ebcb107921e890cccc5d7e8f42471f1c4ce108ecb5170ea1e92 / a13c864980159cd9bdc94074b2389dda | SHA256 / MD5 | Zebrocy downloader type 1 (.NET), compiled on 2018-11-13 [6][8] |
| 6ad3eb8b5622145a70bec67b3d14868a1c13864864afd651fe70689c95b1399a / f05a7cc3656c9467d38d54e037c24391 | SHA256 / MD5 | Zebrocy downloader type 1 (Delphi), VT 1st seen on 2018-11-06 [6][8] |
| 87f363afc9778efc78dd3e0ced112d8d66a09a8924091f0927ed02a7b64850d2 / 7e67122d3a052e4755b02965e2e56a2e | SHA256 / MD5 | Zebrocy downloader type 1 (Delphi), VT 1st seen on 2018-11-15 [8] |
| 7b4193ea92ddf122a03e51be4645bc72cbd8ad427e992cc61ac594f8d1450261 / ed80d716ddea1dca2ef4c464a8cb5810 | SHA256 / MD5 | Zebrocy downloader type 2 (Delphi), compiled on 2018-11-13 [8] |
| c91843a69dcf3fdad0dac1b2f0139d1bb072787a1cfcf7b6e34a96bc3c081d65 / ea5722ed66bd75871e24f7f88c5133aa | SHA256 / MD5 | Zebrocy downloader type 1 (Delphi), VT 1st seen on 2018-10-18 [6] |
| 56e2221cddc9b12cd1021f4da804e52658e515082c8600b6ae77fe628247e002 / fdbfceec5b3d2e855feb036c4e96e9aa | SHA256 / MD5 | Zebrocy downloader type 2 (Delphi), compiled on 2018-10-23 |
| 90926500594d9cdb194bd10da8b62e37591ad92ca890846594de35e952919bcb / f4cab3a393462a57639faa978a75d10a | SHA256 / MD5 | Zebrocy downloader type 1 (Delphi), VT 1st seen on 2018-11-16 [10] |
| 427b9130cca7217692673fb0e9017cbc61dc295fcde381360cc893f6e96e4092 / 5415b299f969c62174a624d236a56f42 | SHA256 / MD5 | Zebrocy downloader type 2 (Delphi), compiled on 2018-11-13 |
| 03ff895c99555f00792a41e3b014f16ef6b4bb0c74d1fa2237a6a9275e2b2109 / e57a401e8f0943b703d975692fcfc0e8 | SHA256 / MD5 | Zebrocy downloader type 1 (Delphi), VT 1st seen on 2018-11-28 [10] |
| 001cf7af29382f4f784fe45df131ca9e14908c6c0717899780f9354b8a5f0090 / a4d63973c0e60936f72aed3d391fd461 | SHA256 / MD5 | Zebrocy downloader type 1 (Delphi), VT 1st seen on 2018-11-29 [10] |
| 3d2a7dc27d2b8d4ea86a1eab74877acf7d2768354f1a76d99ee98589b2b7e2bc / 1fe6af243760ca287f80eafbb98ba1b0 | SHA256 / MD5 | Zebrocy downloader type 1 (Delphi), VT 1st seen on 2018-11-29 [10] |
| 65de07fc6b821d9fd3497cfa64212df2d39935dd515a86eda80d08086b183a3f / 3eaf97b9c6b44f0447f2bd1c7acb8c96 | SHA256 / MD5 | Zebrocy downloader type 1 (Delphi), VT 1st seen on 2018-12-10 [10] |
| cd925e2464d251f02b4d425e301acf276e13eeccbbf5996ade5a6f355802abb7 / 3e713a838a68259ae2f9ef2eed05a761 | SHA256 / MD5 | Zebrocy downloader, VT 1st seen on 2019-01-07 [10] |
| 72227c531de0c8198399f712157d2039c9cb205b507dcc67c03f43b480e1f34c / f1aeaf72995b12d5edd3971ccbc38fac | SHA256 / MD5 | Zebrocy downloader, VT 1st seen on 2019-01-24 [10] |
| ca8087d1ec75ac6fcbad918c8f6559612b7cf8633e29bbcb3bbc8a9cbc793801 / b68434af08360e6cf7a51d623195caa1 | SHA256 / MD5 | Zebrocy downloader, VT 1st seen on 2019-01-24 [10] |
| 4a4ccda8e1832c6dec2d4f4adbf6a087fab86b8c316719e5178c3cf9bef4e1ac / 896ed83884181517a002d2cf73548448 | SHA256 / MD5 | Zebrocy downloader, VT 1st seen on 2019-02-02 [10] |
| 3c7fb61f0601f9facd3c2a1b319039a3fad6535b33359493b8a8a3f24dea00e3 / 53ae587757eb9b4afa4c4ca9f238ade6 | SHA256 / MD5 | Zebrocy downloader, VT 1st seen on 2019-02-04 [10] |
| 5173721f3054b92e6c0ff2a6a80e4741aa3639bc1906d8b615c3b014a7a1a8d7 / 268426b91d3f455ec7ef4558c4a4dfd1 | SHA256 / MD5 | Zebrocy downloader type 1 (.NET), compiled on 2018-10-23 [6] |
| 9a0f00469d67bdb60f542fabb42e8d3a90c214b82f021ac6719c7f30e69ff0b9 / 2b16b0f552ea6973fce06862c91ee8a9 | SHA256 / MD5 | Zebrocy downloader type 1 (.NET), compiled on 2018-10-25 [6] |
| 8d10fd18de90829eccc33e79b92987bc33999403a1f7e2766903d21d38a247a9 / 9a7d82ba55216defc2d4131b6c453f02 | SHA256 / MD5 | Zebrocy downloader type 1 (Delphi), VT 1st seen on 2018-11-24 [10] |
| cda841969847c626f9e477b5edfb6522ebbeabe055c4a0acce570d9d2922bb94 / 02c46f30f4c68a442cf7e13bebe8d3f8 | SHA256 / MD5 | Zebrocy downloader type 1 (Delphi), VT 1st seen on 2018-11-30 [12] |
| ceeb9b227d6ac68aba1fdd18625d3b8e87d4bc1c2aa50a5ad106b093225ed651 / d6a60c6455f3937735ce2df82ad83627 | SHA256 / MD5 | Zebrocy downloader type 1 (Delphi), VT 1st seen on 2018-12-01 |
| f93b89a707c647ba492efe4515bb69a627ce14f35926ee4147e13d2e030ab55b / 9ae5e57d8c40f72a508475f19c0a42f6 | SHA256 / MD5 | Zebrocy downloader type 1 (Delphi), VT 1st seen on 2019-01-24 [7] |
| fcf03bf5ef4babce577dd13483391344e957fd2c855624c9f0573880b8cba62e / 333d2b9e99b36fb42f9e79a2833fad9c | SHA256 / MD5 | Zebrocy downloader type 1 (Go), VT 1st seen on 2018-12-20 [7] |
| 93680d34d798a22c618c96dec724517829ec3aad71215213a2dcb1eb190ff9fa / 602d2901d55c2720f955503456ac2f68 | SHA256 / MD5 | Zebrocy downloader type 1 (Go), VT 1st seen on 2018-12-04 [7] |
| 50d610226aa646dd643fab350b48219626918305aaa86f9dbd356c78a19204cc / 3773150aeee03783a6da0820a8feb752 | SHA256 / MD5 | Zebrocy downloader type 2 (Go), VT 1st seen on 2018-12-04 [7] |
| hxxp://109.248.148.42/agr-enum/progress-inform/cube.php | URL | Zebrocy downloader C2 [6][8] |
| hxxp://188.241.58.170/local/s3/filters.php | URL | Zebrocy downloader C2 [6][8] |
| hxxps://91.219.238.118/zx-system/core/main-config.php | URL | Zebrocy downloader C2 [8] |
| hxxp://185.203.118.198/en_action_device/center_correct_customer/drivers-i7-x86.php | URL | Zebrocy downloader C2 [6] |
| hxxps://109.248.148.22/orders/create/new.php | URL | Zebrocy downloader C2 |
| hxxp://185.217.92.119/db-module/version_1594/main.php | URL | Zebrocy downloader C2 [10] |
| hxxp://93.113.131.155/Verifica-El-Lanzamiento/Ayuda-Del-Sistema/obtenerId.php | URL | Zebrocy downloader C2 |
| hxxp://45.124.132.127/action-center/centerforserviceandaction/service-and-action.php | URL | Zebrocy downloader C2 [10] |
| hxxp://45.124.132.127/company-device-support/values/correlate-sec.php | URL | Zebrocy downloader C2 |
| hxxp://86.106.131.177/SupportA91i/syshelpA774i/viewsupp.php | URL | Zebrocy downloader C2 [10] |
| hxxp://89.37.226.148/technet-support/library/online-service-description.php | URL | Zebrocy downloader C2 [7][10] |
| hxxp://145.249.105.165/resource-store/stockroom-center-service/check.php | URL | Zebrocy downloader C2 [6] |
| hxxp://89.37.226.148/technet-support/library/online-service-description.php | URL | Zebrocy downloader C2 [7] |
| hxxp://89.37.226.123/advance/portable_version/service.php | URL | Zebrocy downloader C2 [7] |
| hxxps://190.97.167.186/pkg/image/do.php | URL | Zebrocy downloader C2 [7] |

Reference

  1. https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-full.pdf
  2. https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/
  3. https://www.emanueledelucia.net/apt28-targeting-military-institutions/
  4. https://www.emanueledelucia.net/apt28-sofacy-seduploader-under-the-christmas-tree/
  5. https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
  6. https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/
  7. https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/
  8. https://blog.trendmicro.co.jp/archives/19829
  9. https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/
  10. https://twitter.com/DrunkBinary
  11. https://github.com/williballenthin/idawilli/blob/master/scripts/yara_fn/yara_fn.py
  12. https://twitter.com/r0ny_123
