APT1 has a well-defined attack methodology, honed over the years and aimed at stealing large amounts of information. An attack begins with aggressive phishing, by which malicious code is delivered to the victim's computer, and ends with the theft of data, which is compressed and sent to APT1 servers. This cycle can be repeated several times. The malware families used in these attacks were constantly updated and refined, and APT1 adapted them to the target environment, which made the attacks rather effective. In addition, immediately before an attack begins, so-called initial reconnaissance is carried out: gathering information about the prospective victim company and its employees. This is what gives the attacks their degree of targeting.
The initial compromise is the method by which the attackers first penetrate the organization's network. Like most other groups, APT1 uses phishing as its primary method of initial compromise. The emails either carry a malicious file as an attachment or contain a link in the message body that leads to one. The subject of the email, like its text, is usually tailored to the specific recipient. The mail accounts from which these messages were sent were registered in the names of people familiar to the recipient, for example a colleague, a company manager or an employee of the IT department. As a real example, below is one such email addressed to a Mandiant employee.
Fig. Phishing email sent by APT1, purporting to come from Kevin Mandia, CEO of Mandiant.
The obvious giveaway is that the sender address at rocketmail [dot] com is not Kevin's internal corporate account at Mandiant; it belongs to the free rocketmail [dot] com service. The word "here" in the message is a hyperlink, and following it downloads the file Internal_Discussion_Press_Release_In_Next_Week8.zip. The archive contains a malicious executable that installs a backdoor on the computer (in this case WEBC2-TABLE). [Mandiant uses its own naming scheme for malware families.] Some other names of such archives are given below:
2012ChinaUSAviationSymposium.zip
Employee-Benefit-and-Overhead-Adjustment-Keys.zip
MARKET-COMMENT-Europe-Ends-Sharply-Lower-On-Data-Yields-Jump.zip
Negative_Reports_Of_Turkey.zip
The subjects the attackers use in their emails are very diverse; as this case shows, the content is tailored to the target.
The access phase (establishing a foothold) covers the actions APT1 takes to ensure access to the organization's network from outside. APT1 gains access to the victim's computer as soon as the backdoor is installed on it; the purpose of the backdoor is precisely to open the compromised computer to the attackers. The malicious code receives commands from a remote C&C server: as soon as it is installed, it connects to the C&C and waits for commands. Because the connection is opened outbound from the victim, it can pass unnoticed by a host firewall that only restricts inbound connections.
We found that in some cases APT1 used publicly available backdoors such as Poison Ivy or Gh0st RAT. In most cases, however, they apparently used their own developments, and we documented 42 families of such backdoors. We divided these families into two categories: loaders [the original uses the term "beachhead" backdoors, but one of their main functions is loading other files] and regular (full-featured) backdoors.
Loaders contain a minimum of functionality. They are used for simple tasks such as retrieving files, collecting basic information about the system, and downloading and executing regular (full-featured) backdoors. We also refer to these loader backdoors as WEBC2, and this family is probably the best-known type of APT1 backdoor. A WEBC2 backdoor is designed to download a web page from a C&C server. It expects the page to contain special HTML tags, searches for them, and tries to interpret the text between them as commands. Older versions of WEBC2 looked for commands between HTML comments; newer ones use other kinds of tags. Based on our observations, we can confirm that APT1 used WEBC2 backdoors as early as July 2006. However, we observed one sample, WEBC2-KT3, with a compilation date of 2004-01-03, so backdoors of this type were presumably in development since 2004. We collected more than 400 WEBC2 samples and assume that APT1 had direct access to the developers of this malware, since new versions were steadily released and used in attacks over a period of six years. Below are strings extracted from the executables that indirectly point to an ongoing development process.
Sample A
MD5: d7aa32b7465f55c368230bb52d52d885
Compile date: 2012-02-23
\work\code\2008-7-8muma\mywork\winInet_winApplication2009-8-7\mywork\aaaaaaa2012-2-23\Release\aaaaaaa.pdb
Sample B
MD5: c1393e77773a48b1eea117a302138554
Compile date: 2009-08-07
D:\work\code\2008-7-8muma\mywork\winInet_winApplication2009-8-7\mywork\aaaaaaa\Release\aaaaaaa.pdb
A partial list of WEBC2 families [Mandiant classification]:
WEBC2-AUSOV
WEBC2-ADSPACE
WEBC2-BOLID
WEBC2-CLOVER
WEBC2-CSON
WEBC2-DIV
WEBC2-GREENCAT
WEBC2-HEAD
WEBC2-KT3
WEBC2-QBP
WEBC2-RAVE
WEBC2-TABLE
WEBC2-TOCK
WEBC2-UGX
WEBC2-YAHOO
WEBC2-Y21K
In general, WEBC2 backdoors give APT1 the following capabilities:
- Start a command-line interpreter process (cmd.exe).
- Download executable files and run them.
- Enter a "sleep" mode, remaining inactive for a set period.
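As an added example (not code from the Mandiant report or from any APT1 sample), the following Python sketch shows the WEBC2 idea of hiding commands in an otherwise ordinary web page: an implant-side extractor that reads commands out of HTML comments (the older variant) and out of an innocuous tag attribute (the newer variant), a parser that maps them onto the three capabilities listed above without executing anything, and a defender-side heuristic for inspecting pages a suspect host has fetched. The marker strings, the table-attribute encoding, the command grammar and the sample page are assumptions chosen for illustration; each real WEBC2 family used its own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# All markers and grammar below are ASSUMED for illustration; they are not
# the formats used by any real WEBC2 family.
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
MARKER_RE = re.compile(r"w2c-begin:(.*?):w2c-end", re.S)          # older style: inside a comment
TABLE_RE = re.compile(r'<table[^>]*\bborder="(\d+)"[^>]*>', re.I)  # newer style: attribute of a tag

# Constructed sample page: a plausible press-release page with one
# instruction hidden in a comment and a sleep interval hidden in a <table>.
SAMPLE_PAGE = """<html><head><title>Press release</title></head>
<body>
<!-- w2c-begin:dl http://cdn.example.invalid/update.exe:w2c-end -->
<!-- layout tuned for IE6 -->
<table border="3600" id="layout"><tr><td>Market news</td></tr></table>
<p>Quarterly results will be published next week.</p>
</body></html>"""


@dataclass
class Command:
    action: str        # "shell", "download_exec" or "sleep"
    argument: str = ""


def extract_comment_commands(html: str) -> List[str]:
    """Older WEBC2 variants: look for the marker pair inside HTML comments."""
    found: List[str] = []
    for comment in COMMENT_RE.findall(html):
        found.extend(m.group(1).strip() for m in MARKER_RE.finditer(comment))
    return found


def extract_tag_commands(html: str) -> List[str]:
    """Newer variants hide the command in a tag that renders harmlessly.
    Here (assumed) the border attribute of a <table> is a sleep interval."""
    return ["sleep " + m.group(1) for m in TABLE_RE.finditer(html)]


def parse_command(raw: str) -> Optional[Command]:
    """Map an extracted string onto the three WEBC2 capabilities; anything
    else is ignored, so an unrelated page still looks benign to the implant."""
    verb, _, arg = raw.partition(" ")
    verb = verb.lower()
    if verb == "cmd" and arg:
        return Command("shell", arg)
    if verb == "dl" and arg.startswith(("http://", "https://")):
        return Command("download_exec", arg)
    if verb == "sleep" and arg.isdigit():
        return Command("sleep", arg)
    return None


def commands_from_page(html: str) -> List[Command]:
    """What the implant would act on after fetching the page (nothing is run here)."""
    raw = extract_comment_commands(html) + extract_tag_commands(html)
    return [c for c in map(parse_command, raw) if c is not None]


def suspicious_comments(html: str) -> List[str]:
    """Defender side: HTML comments carrying a URL or a shell-like verb are
    worth a closer look when reviewing pages fetched by a suspect host."""
    return [c.strip() for c in COMMENT_RE.findall(html)
            if re.search(r"https?://|\b(cmd|dl|sleep)\b", c, re.I)]


if __name__ == "__main__":
    for cmd in commands_from_page(SAMPLE_PAGE):
        print(cmd)
    print("suspicious comments:", suspicious_comments(SAMPLE_PAGE))
```

The point of the structure is that a page with no markers yields no commands at all, so the implant can poll a real-looking site indefinitely; on the defensive side, comments are rarely inspected by proxies, which is why a comment-scanning heuristic like `suspicious_comments` catches the older variant while the tag variant needs knowledge of the specific encoding.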
A regular (non-WEBC2) backdoor communicates with the C&C server over HTTP or over a custom protocol written by the code's authors for this purpose. This type of backdoor gives the attackers the following capabilities on a compromised computer:
- Various file and directory operations.
- File transfer in both directions.
- Process management.
- Registry modification.
- Taking screenshots of the user's desktop.
- Keylogging.
- Tracking mouse cursor movement.
- Running a command shell.
- Remote access via remote desktop.
- Collecting passwords.
- Listing users.
- Listing the computers visible on the network.
- Sleep mode (the malicious code remains inactive).
- Logging off the current user.
- Shutting down the computer.
Fig. List of backdoor families and the chronology of their compilation dates.
The BISCUIT backdoor is a good example of the command set that APT1 builds into its "regular" backdoors. APT1 has used and continuously refined BISCUIT since 2007, and it remains in use in attacks to this day.
Some backdoors try to disguise themselves by imitating legitimate traffic. Mandiant identified several such protocols and the families that use them: MSN Messenger (MACROMAIL), Jabber/XMPP (GLOOXMAIL) and Gmail Calendar (CALENDAR). This disguise lends the traffic sent to the C&C a degree of apparent legitimacy. In addition, many APT1 backdoors used SSL encryption for their C&C connections; Appendix F [of the Mandiant report] lists the public SSL certificates used for this purpose.
[It is not entirely clear why this stage of the attack was given this name. Apparently, for APT1, privilege escalation means precisely this tactic.] Privilege escalation consists of obtaining user names and passwords for various accounts, which are then used to reach other resources in the compromised environment and administrator accounts. Besides user names and passwords, APT1 may obtain PKI and VPN certificates, access to computers with elevated privilege levels, or other resources. To obtain administrator credentials, password hashes are dumped from a workstation, server or domain controller; APT1 uses publicly available tools for this. The dumpers used:
- cachedump
- fgdump
- gsecdump
- lslsass
- mimikatz
- pass-the-hash toolkit
- pwdump7
- pwdumpx
At this stage APT1 gathers information about the environment of the compromised computer. Like most APT groups (and many non-APT attackers), APT1 uses built-in OS commands to explore a compromised system and its network surroundings. Once they have a command shell, they run these commands in it; sometimes batch files are used to speed up the collection. The following batch file code was used in at least four intrusions.
The script performs the following actions and saves the results to a text file:
- Gets the network adapter configuration.
- Gets the list of running services.
- Gets the list of running processes.
- Gets the list of user accounts on the system.
- Gets the list of accounts in the local Administrators group.
- Gets the list of current network connections.
- Gets the list of connected network shares.
- Gets the list of other machines on the network.
- On a domain controller, gets the lists of accounts in the domain's global groups.
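The discovery steps above leave a characteristic burst of child processes under one command shell. As an added example (not part of the original article or the Mandiant report), the Python below runs that detection logic over constructed process-creation telemetry in the shape of Sysmon Event ID 1 fields: it classifies each command line against the steps in the list, groups events by host and parent process, and alerts when enough distinct steps cluster within a short window. The field names, the five-minute window and the threshold of four steps are assumptions; the telemetry is made up for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

WINDOW = timedelta(minutes=5)  # assumed: how tightly a scripted burst clusters
THRESHOLD = 4                  # assumed: distinct discovery steps before alerting

# One pattern per step in the list above. net.exe hands many subcommands to
# net1.exe, so both image names are accepted.
DISCOVERY_PATTERNS = {
    "net_config":    re.compile(r"\bipconfig(\.exe)?\b.*\s/all\b", re.I),
    "services":      re.compile(r"\bnet1?(\.exe)?\s+start\b|\bsc(\.exe)?\s+query\b", re.I),
    "processes":     re.compile(r"\btasklist(\.exe)?\b", re.I),
    "local_users":   re.compile(r"\bnet1?(\.exe)?\s+user\b", re.I),
    "local_admins":  re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\b", re.I),
    "connections":   re.compile(r"\bnetstat(\.exe)?\b", re.I),
    "mapped_shares": re.compile(r"\bnet1?(\.exe)?\s+use\b", re.I),
    "network_hosts": re.compile(r"\bnet1?(\.exe)?\s+view\b", re.I),
    "domain_groups": re.compile(r"\bnet1?(\.exe)?\s+group\b.*\s/domain\b", re.I),
}

# Constructed telemetry, not real data: one scripted burst under cmd.exe
# PID 3120 on WS-042, plus helpdesk noise on another host.
EVENTS = [
    {"UtcTime": "2013-02-18 09:14:02", "Computer": "WS-042", "ParentProcessId": 3120, "CommandLine": "ipconfig /all"},
    {"UtcTime": "2013-02-18 09:14:03", "Computer": "WS-042", "ParentProcessId": 3120, "CommandLine": "net start"},
    {"UtcTime": "2013-02-18 09:14:03", "Computer": "WS-042", "ParentProcessId": 3120, "CommandLine": "tasklist /v"},
    {"UtcTime": "2013-02-18 09:14:04", "Computer": "WS-042", "ParentProcessId": 3120, "CommandLine": "net1 user"},
    {"UtcTime": "2013-02-18 09:14:04", "Computer": "WS-042", "ParentProcessId": 3120, "CommandLine": "net1 localgroup administrators"},
    {"UtcTime": "2013-02-18 09:14:05", "Computer": "WS-042", "ParentProcessId": 3120, "CommandLine": "netstat -ano"},
    {"UtcTime": "2013-02-18 09:14:05", "Computer": "WS-042", "ParentProcessId": 3120, "CommandLine": "net use"},
    {"UtcTime": "2013-02-18 09:14:06", "Computer": "WS-042", "ParentProcessId": 3120, "CommandLine": "net view"},
    {"UtcTime": "2013-02-18 09:14:07", "Computer": "WS-042", "ParentProcessId": 3120, "CommandLine": 'net1 group "domain admins" /domain'},
    {"UtcTime": "2013-02-18 10:02:11", "Computer": "WS-017", "ParentProcessId": 884, "CommandLine": "ipconfig /all"},
    {"UtcTime": "2013-02-18 10:40:50", "Computer": "WS-017", "ParentProcessId": 884, "CommandLine": "tasklist"},
]


def classify(cmdline: str) -> List[str]:
    """Names of the discovery steps a single command line corresponds to."""
    return [name for name, pat in DISCOVERY_PATTERNS.items() if pat.search(cmdline)]


def detect_recon_bursts(events: List[dict]) -> List[dict]:
    """Group discovery commands by (host, parent PID) and slide WINDOW over
    them in time order; one alert per parent whose window reaches THRESHOLD."""
    by_parent: Dict[Tuple[str, int], List[Tuple[datetime, List[str]]]] = defaultdict(list)
    for ev in events:
        steps = classify(ev["CommandLine"])
        if steps:
            when = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
            by_parent[(ev["Computer"], ev["ParentProcessId"])].append((when, steps))
    alerts = []
    for (host, ppid), seq in by_parent.items():
        seq.sort(key=lambda item: item[0])
        for i, (start, _) in enumerate(seq):
            in_window = [steps for when, steps in seq[i:] if when - start <= WINDOW]
            seen = sorted({s for steps in in_window for s in steps})
            if len(seen) >= THRESHOLD:
                alerts.append({"host": host, "parent_pid": ppid,
                               "start": start.strftime("%Y-%m-%d %H:%M:%S"),
                               "steps": seen})
                break  # one alert per parent is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_recon_bursts(EVENTS):
        print(alert)
```

Two caveats when moving this to real telemetry: the `>> file.txt` redirection in a batch script is performed by cmd.exe through inherited handles and does not appear in the child process's command line, so the text file the script writes has to be hunted as a filesystem artifact rather than from process events; and the two isolated helpdesk commands on WS-017 deliberately stay below the threshold, which is what keeps this from alerting on every administrator who runs `ipconfig /all`.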
At this stage APT1 takes measures to secure persistent, long-term control over key systems in the compromised network. This is done in three ways:
- APT1 installs new backdoors on various systems throughout its stay in the compromised network, so that even if one of them is removed, other variants remain. We usually found several backdoor families in a compromised network.
- APT1 uses stolen VPN credentials. We found that the attackers used stolen logins and VPN passwords to log in to the victims' VPNs, but only where the VPN relied on single-factor authentication. In this way they entered protected networks under legitimate user accounts.
- APT1 also compromises web servers in the organization's network.
Before the data is sent to a remote server, it is packed into an archive. Ordinary RAR with password protection is often used for this, sometimes driven by batch scripts. An example of one of them follows.
Once the archives are created, the malicious code on the compromised network sends them to APT1 servers. FTP may be used for the transfer, and some backdoors implement their own protocols for it. The archives are often so large that they are split into parts for transmission.
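RAR archives staged for exfiltration tend to share the two properties named above: password protection and splitting into volumes. As an added example (not from the article or the report), the Python below reads the RAR 4.x block chain far enough to report those properties for a file found during triage, and builds a constructed minimal archive to demonstrate on, since no real sample is available here. It decodes the main header flags (multi-volume, encrypted headers) and each file header's password flag; RAR5 archives are identified by signature only. The sample archive's file name and payload are made up; the layout follows the RAR 4.x format, but the CRC fields are left zero, so real tools would reject it.

```python
import struct
from typing import Dict, List

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

# RAR 4.x block types and flag bits used below.
HEAD_MAIN, HEAD_FILE, HEAD_END = 0x73, 0x74, 0x7B
LONG_BLOCK = 0x8000       # block has a 4-byte ADD_SIZE (for file headers: PACK_SIZE)
MHD_VOLUME = 0x0001       # main header: archive is part of a multi-volume set
MHD_PASSWORD = 0x0080     # main header: headers themselves are encrypted (rar -hp)
MHD_FIRSTVOLUME = 0x0100  # main header: this is the first volume
LHD_PASSWORD = 0x0004     # file header: file data is encrypted (rar -p)
LHD_LARGE = 0x0100        # file header: 64-bit sizes, name shifted by 8 bytes


def inspect_rar(data: bytes) -> Dict[str, object]:
    """Report format, volume and encryption hints from the start of a RAR archive."""
    info: Dict[str, object] = {"format": None, "multi_volume": False,
                               "encrypted_headers": False, "files": []}
    if data.startswith(RAR5_MAGIC):
        info["format"] = "rar5"   # RAR5 headers use vint fields; signature only here
        return info
    if not data.startswith(RAR4_MAGIC):
        return info
    info["format"] = "rar4"
    pos = 0  # the marker block itself is a well-formed 7-byte block, so start at 0
    while pos + 7 <= len(data):
        _crc, btype, flags, size = struct.unpack_from("<HBHH", data, pos)
        if size < 7:
            break  # corrupt or truncated block chain
        add = 0
        if flags & LONG_BLOCK and pos + 11 <= len(data):
            (add,) = struct.unpack_from("<I", data, pos + 7)
        if btype == HEAD_MAIN:
            info["multi_volume"] = bool(flags & MHD_VOLUME)
            info["encrypted_headers"] = bool(flags & MHD_PASSWORD)
            if info["encrypted_headers"]:
                break  # everything after this block is ciphertext without the password
        elif btype == HEAD_FILE and pos + 28 <= len(data):
            (name_len,) = struct.unpack_from("<H", data, pos + 26)
            name_off = pos + (40 if flags & LHD_LARGE else 32)
            name = data[name_off:name_off + name_len]
            info["files"].append({"name": name.decode("cp437", "replace"),
                                  "encrypted": bool(flags & LHD_PASSWORD),
                                  "packed_size": add})
        elif btype == HEAD_END:
            break
        pos += size + add
    return info


def staging_indicators(info: Dict[str, object]) -> List[str]:
    """Properties that match the exfiltration staging described above."""
    hits = []
    if info.get("multi_volume"):
        hits.append("split into volumes")
    if info.get("encrypted_headers"):
        hits.append("encrypted headers")
    if any(f["encrypted"] for f in info.get("files", [])):
        hits.append("password-protected file data")
    return hits


def build_sample_rar4(name: bytes, payload: bytes, encrypted: bool, volume: bool) -> bytes:
    """Constructed RAR 4.x skeleton for the demo: field layout follows the
    format, CRCs are left zero, so real tools would reject it."""
    main_flags = (MHD_VOLUME | MHD_FIRSTVOLUME) if volume else 0
    main = struct.pack("<HBHH", 0, HEAD_MAIN, main_flags, 13) + b"\x00" * 6
    file_flags = LONG_BLOCK | (LHD_PASSWORD if encrypted else 0)
    # CRC, type, flags, head_size, pack_size, unp_size, host_os, file_crc,
    # ftime, unp_ver, method, name_size, attr
    fhdr = struct.pack("<HBHHIIBIIBBHI", 0, HEAD_FILE, file_flags, 32 + len(name),
                       len(payload), len(payload), 2, 0, 0, 29, 0x30, len(name), 0x20)
    return RAR4_MAGIC + main + fhdr + name + payload


if __name__ == "__main__":
    sample = build_sample_rar4(b"stolen.doc", b"\xde\xad\xbe\xef", encrypted=True, volume=True)
    report = inspect_rar(sample)
    print(report)
    print("staging indicators:", staging_indicators(report))
```

The distinction between the two password flags matters in triage: with `rar -p` (LHD_PASSWORD) the file names are still readable and tell you what was taken, while `rar -hp` (MHD_PASSWORD) encrypts the headers too and the walk stops at the main header. Volumes are the other half of the story: a run of `.part01.rar`, `.part02.rar` or `.r00`, `.r01` files with the multi-volume flag set is the "broken apart for transmission" pattern described above.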
Unlike other APT groups we have tracked, APT1 used two special, unique tools for stealing e-mail: GETMAIL (from Outlook PST archives) and MAPIGET (directly from Exchange servers).
APT1 activity has been recorded in various publications, notes and articles. Piecing these sources together is difficult, however, because different names are often used to refer to APT1, and many analysts have written about tools that were also used by other Chinese APT groups. The table below compares the aliases used for the group by other companies with APT1.
- The earliest known public report on APT1 infrastructure comes from Symantec's Japanese division. It mentions sb.hugesoft.org, registered by a person known as "Ugly Gorilla".
- In September 2012 the well-known journalist Brian Krebs reported on his blog the compromise of Telvent Canada Ltd (now part of Schneider Electric). Based on the tools and infrastructure used to gain access to Telvent's network, we attribute this incident to APT1.
- In June 2012 a SCADA security company published a report on intrusion attempts using phishing, and AlienVault analyzed the associated malicious code. Based on the indicators of compromise included in the report, we attributed this activity to APT1.
- In November 2012 Bloomberg journalist Chloe Whiteaker wrote about the "Comment Group", describing tools and domains used by APT1.
Main features of AURIGA:
- Keylogger with tracking of mouse cursor movement.
- Creating and terminating processes.
- Uploading files to the server and downloading files from it.
- Collecting system information.
- Harvesting logins and passwords.
- Hiding its network connections.
- Hiding its processes (DKOM).
- Injecting code into processes.
- Remote desktop access.
- Shutting down the system.
- Taking screenshots.
All collected information is encrypted with DES. C&C communication goes over port 443 but does not use SSL or TLS. The keylogger stores its data in %WINDIR%\System32\config\sam.sav. The backdoor can provide an interactive cmd.exe session, whose traffic is also DES-encrypted. To do so it copies %SYSTEMROOT%\system32\cmd.exe to %SYSTEMROOT%\system32\ati.exe and then replaces strings such as "microsoft corp." in the new ati.exe with "superhard corp."; ati.exe is deleted when the session ends.
Logins and passwords are collected from the registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts and the following values:
- POP3 User Name
- HTTPMail User Name
- HTTPMail Password2
- Hotmail
- POP3 Server
- POP3 Password2
The riodrv32.sys driver can inject the malicious DLL into processes specified to it. It registers the device \Device\rio32drv and a symbolic link to it, \DosDevices\rio32drv. It can also hide a given IP address from the list of network connections. The driver communicates with user mode via IOCTLs, some of which are:
- 0x2A7B8008: remember an IP address to hide.
- 0x2A7B800C: inject the DLL into a process.
- 0x2A7B8018: hide a process by its ID.
PDB path from the driver: d:\drizt\projects\auriga\branches\stone_~1\server\exe\i386\riodrv32.pdb
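The three IOCTL codes above can be taken apart with the CTL_CODE layout that Windows drivers use: device type in bits 16..31, access in bits 14..15, function in bits 2..13 and transfer method in bits 0..1. As an added example (not from the article or the report), the Python below decodes them and re-encodes a code the other way, which is how an analyst checks whether a handful of codes pulled from a driver belong to one dispatch family. The descriptions attached to the codes are those given in the text.

```python
from typing import Dict, Iterable

METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}

# IOCTLs of riodrv32.sys as listed in the text, with their described purpose.
AURIGA_IOCTLS = {
    0x2A7B8008: "remember an IP address to hide",
    0x2A7B800C: "inject the DLL into a process",
    0x2A7B8018: "hide a process by its ID",
}


def decode_ioctl(code: int) -> Dict[str, object]:
    """Split a 32-bit I/O control code into the CTL_CODE fields."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
    }


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Inverse of decode_ioctl: the CTL_CODE macro from the Windows headers."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def shared_dispatch_family(codes: Iterable[int]) -> bool:
    """True when all codes share device type, access and method, i.e. they
    were most likely generated from one CTL_CODE template in the same driver."""
    decoded = [decode_ioctl(c) for c in codes]
    keys = {(d["device_type"], d["access"], d["method"]) for d in decoded}
    return len(keys) == 1


def vendor_range(device_type: int) -> bool:
    """Microsoft reserves device types below 0x8000 for itself; third-party
    drivers are expected to pick values of 0x8000 and above."""
    return device_type >= 0x8000


if __name__ == "__main__":
    for code, purpose in AURIGA_IOCTLS.items():
        d = decode_ioctl(code)
        print(f"0x{code:08X} dev=0x{d['device_type']:04X} fn={d['function']:<2} "
              f"{d['method']} {d['access']}  # {purpose}")
    print("same family:", shared_dispatch_family(AURIGA_IOCTLS))
    print("vendor-range device type:", vendor_range(0x2A7B))
```

All three codes decode to device type 0x2A7B, METHOD_BUFFERED and FILE_WRITE_ACCESS with function numbers 2, 3 and 6, so they come from one template, and the gaps at 4 and 5 suggest the driver exposes more operations than the three listed. 0x2A7B also falls in the range Microsoft reserves for its own device types, which is one more oddity a driver reviewer would note.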
Source: https://habr.com/ru/post/170553/