- Targeted Attack Mail
- Infection flow of malware
- Malware Analysis and Description of Operation
- Attacker’s mistake?
- The threat actor
Analysis of attack techniques and malware used in targeted email attacks believed to be from the threat actor known as Tropic Trooper (aka: Pirate Panda, KeyBoy).
Targeted Attack Mail
Attackers are well known for emailing target organizations in an attempt to infect them with malware or steal their accounts. The attacker we analyzed also used targeted email as one of their attack methods, and in the process, we observed a unique technique used by this attacker.
The following sample mail (Subject: [重要] 2022职工住房公积金的月缴比例调整) was disguised as a notice about the Housing Public Benefits program for employees of Chinese companies.
The attack email was made to look like a company notice that the organization's employees have to act on.
The attachment that the email body asks the recipient to check is malware, and we confirmed that it uses several techniques characteristic of this attacker.
First, the malware is compressed in zip format, with the following structure:
- 职工住房公积金缴存比例对应的月缴存额明细.xlsx.lnk (shortcut file)
- &Recycle.Bin (hidden folder)
  - gongjijin.xlsx (decoy file)
  - McVsoCfg.dll (malicious DLL file)
  - NTUSER.EXE (legitimate executable file)
  - setting.dat (BLOB file)
This compressed file contains multiple files, but only 职工住房公积金缴存比例对应的月缴存额明细.xlsx is displayed when it is expanded in a default Windows environment.
In the past, the threat actor who spread Ursnif/Gozi used double-extension file names, inserting a different extension before the actual .exe extension. This works because, with the default Windows setting that hides the extensions of registered file types, the trailing .exe is not shown and the file can be disguised as a non-executable document.
As one response to such attack methods, some organizations display file extensions so that users can notice anomalies. The .lnk extension is an exception: even with that setting enabled, it is not displayed. (The extension can be forced on through the registry, but then every shortcut on the desktop shows a .lnk suffix, which looks bad. As a result, most organizations do not enable it.)
A shortcut file is a Windows file that refers to another file or folder.
Shortcut files make it easy to change the displayed icon and to set the command that runs when they are opened, which makes them a useful tool for attackers.
Another technique used by the attacker is to abuse the Windows option that hides system files and folders.
In Windows, the function to hide system files and folders is enabled by default to prevent users from accidentally deleting or modifying important files.
This compressed file also contains a folder named &Recycle.Bin. This folder contains the malware itself and a harmless decoy document matching the content of the email.
However, since the folder has the hidden attribute set, users cannot see it while the option to hide system folders is enabled.
Even in environments configured to show hidden folders, the attacker may intend to mislead users into thinking it is a system folder or an unimportant folder by naming it &Recycle.Bin, which resembles $Recycle.Bin, the folder that backs the Recycle Bin.
$Recycle.Bin is a hidden system folder that Windows creates on each drive and links to that drive's Recycle Bin.
The default that hides system files and folders exists to keep users from accidentally deleting or modifying important items, so whether to change it should be weighed carefully.
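As an added example (not from the original report), the following Python constructs an archive with the layout described above and inspects it the way a mail filter would have to: flagging .lnk entries, entries carrying the hidden or system DOS attribute, files stored beneath such folders, and names imitating $Recycle.Bin; it also lists what a default Explorer view would show. The archive and its contents are constructed placeholders.

```python
import io
import zipfile

# MS-DOS attribute bits kept in the low byte of ZipInfo.external_attr
HIDDEN, SYSTEM, DIRECTORY = 0x02, 0x04, 0x10

def build_sample_zip() -> bytes:
    """Constructed archive mirroring the described layout; file contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # The shortcut passes for a spreadsheet because Explorer never shows the .lnk suffix
        zf.writestr("职工住房公积金缴存比例对应的月缴存额明细.xlsx.lnk", b"L\x00\x00\x00")
        folder = zipfile.ZipInfo("&Recycle.Bin/")
        folder.external_attr = (0o40755 << 16) | DIRECTORY | HIDDEN | SYSTEM
        zf.writestr(folder, b"")
        for name in ("gongjijin.xlsx", "McVsoCfg.dll", "NTUSER.EXE", "setting.dat"):
            zf.writestr("&Recycle.Bin/" + name, b"placeholder")
    return buf.getvalue()

def inspect_zip(data: bytes) -> list:
    """Return (finding, entry name) pairs a mail filter should act on."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()
        hidden_dirs = [zi.filename for zi in entries
                       if zi.is_dir() and zi.external_attr & (HIDDEN | SYSTEM)]
        for zi in entries:
            name = zi.filename
            base = name.rstrip("/").rsplit("/", 1)[-1]
            if base.lower().endswith(".lnk"):
                findings.append(("shortcut_attachment", name))
            if zi.external_attr & (HIDDEN | SYSTEM):
                findings.append(("hidden_or_system_attribute", name))
            if not zi.is_dir() and any(name.startswith(d) for d in hidden_dirs):
                findings.append(("file_inside_hidden_folder", name))
            # Name imitating the real $Recycle.Bin folder, e.g. &Recycle.Bin
            if base.lower().endswith("recycle.bin") and base != "$Recycle.Bin":
                findings.append(("recycle_bin_lookalike", name))
    return findings

def visible_in_default_explorer(data: bytes) -> list:
    """Top-level names a default Windows setup shows after extraction: hidden entries
    disappear and the .lnk suffix is dropped, so only the fake spreadsheet remains."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zi.filename.removesuffix(".lnk") for zi in zf.infolist()
                if "/" not in zi.filename.rstrip("/") and not zi.external_attr & HIDDEN]
```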
Infection flow of malware
So how does the malware actually infect the host?
Let's follow the techniques used to establish communication with the attacker's command-and-control (C2) server, which is the ultimate goal.
Launching shortcut files
When we check the shortcut file disguised as an Excel file, we can see that it calls the executable file NTUSER.EXE in the hidden &Recycle.Bin folder.
Is this executable file malware?
Let's search for the hash of this NTUSER.EXE on VirusTotal.
VirusTotal is a website that shows how multiple antivirus engines judge an uploaded file.
The results alone cannot determine whether a file is malware, but they provide clues, such as whether similar files have been scanned in the past and what metadata and runtime behaviour the file has.
In this case, NTUSER.EXE had already been inspected and no security software judged it to be malicious.
In addition, when we check the digital certificate of the executable, we can see that it is signed with a legitimate McAfee certificate. This strongly suggests that the file is a genuine McAfee Corporation file, since such a signature cannot be produced without McAfee's signing key.
Is the attacker trying to get the user to execute a legitimate executable file? In fact, an attack technique called DLL side-loading is used here.
Although NTUSER.EXE is a McAfee executable, it has no mechanism to verify the legitimacy of the DLL it loads. As a result, it loads and executes any DLL that carries the expected file name.
This weakness is exploited by placing malicious code in the DLL that the legitimate executable loads, so that the executable runs it.
In this attack, the malicious DLL MsVsoCfg.dll, installed in the same folder as NTUSER.EXE, is designed to load the malicious code when its McVsoCfgGetObject function is called.
What is DLL side loading?
A technique that uses the Windows DLL search order mechanism to load and execute malicious payloads from the same folder as a legitimate application.
This allows the attacker to execute malicious payloads while appearing to be the legitimate application.
The shortcut file described above is set up to execute NTUSER.EXE and display the decoy document at the same time.
The user notices nothing unusual, because the document they expected to see is opened.
However, behind the scenes, the legitimate executable file is loading the DLL file and starting the infection process.
Malware Analysis and Description of Operation
Let's continue and see how the malware behaves.
When we analyze the contents of NTUSER.EXE, we can see that it loads MsVsoCfg.dll.
When we check the export functions of MsVsoCfg.dll, we can see that McVsoCfgGetObject, the function called by NTUSER.EXE, is defined as an export function.
An export function is a function the DLL exposes for use by code outside it. In this case, McVsoCfgGetObject can be invoked by the calling process.
To see what the McVsoCfgGetObject function does, let's read the code. It has two roles: Installer (infecting) and Loader (loading).
First, let’s check the function of the Installer.
The Installer copies three files from the folder where NTUSER.EXE resides to a folder under the Public user profile.
The file copy is shown in the image below.
Users tend to delete an attachment after checking its contents if they feel it is no longer needed. Attackers therefore prefer to first install the malware set in a location of their choosing.
In this case, the attacker copied the files to the Public folder.
Here are some possible reasons why the malware was installed in this folder:
- The folder is not normally used by users, so it can delay detection.
- The Public folder can be shared by multiple users using the same host, so it can be used by other accounts on the host.
In the malware analyzed this time, the Downloads folder was used as the copy destination. However, other similar folders, such as C:\Users\Public\Music\, are also often used as destinations for malware copies.
The attacker renamed the executable file to Avira.exe during the copy process.
The file name NTUSER.EXE resembles NTUSER.DAT, the file that stores the user profile, and Avira.exe resembles the name of an antivirus product.
Neither name is likely to stand out during normal system operation.
After the copy is complete, NTUSER.EXE launches the duplicated Avira.exe.
Since Avira.exe is exactly the same executable, will the copy process simply start over in the same way?
In fact, the code checks whether the copied file already exists; if it does, the operation switches to the Loader.
The Loader reads an encrypted file, restores it to executable form, and runs it.
Among the copied files is setting.dat, an encrypted file. When the Loader reads and decrypts it, a new piece of malware starts to run.
As you can see, the decrypted setting.dat data starts with MZ, the magic number of a Windows executable, followed by the header string "This program cannot be run in DOS mode." After that, the PE header magic number PE can be found. These strings indicate that the decrypted file is a PE file.
What is a PE file?
Acronym for Portable Executable, one of the Windows executable file formats.
Although the file has been decrypted, there are some parts that seem strange to people who are familiar with analysis. Normally, the data after MZ is much simpler, but this decrypted file appears to have noise.
In fact, this part is shellcode that runs to make analysis difficult.
The reflective loader is called, and each section is expanded into memory according to the data in the PE header.
Finally, the Entry Point of the embedded PE file is calculated and called.
It is not clear why the shellcode was placed in the MZ header, but it may be intended to make analysis a little harder, to evade detections that recognise executable files by their standard header, or to erase program metadata in the header area.
The decrypted PE file turned out to be Cobalt Strike Beacon. Cobalt Strike is a legitimate, feature-rich remote access tool, but attackers abuse it with unauthorized licenses.
What is Cobalt Strike?
A commercial security tool used to simulate cyberattacks and assess the security of systems and organizations.
However, cracked versions modified for unauthorized use are in circulation and widely used in malicious attacks.
Its main function is to plant a backdoor program called Cobalt Strike Beacon (hereinafter "Beacon") on the target system after intrusion and use it to run PowerShell scripts, capture screenshots, and download files.
Cobalt Strike Beacon carries embedded configuration data (hereinafter "malware config"), which is generally encoded with a 1-byte XOR.
This sample's embedded malware config is encoded with the key 0x2E. By extracting the corresponding data using a publicly available tool (https://github.com/Sentinel-One/CobaltStrikeParser), we obtained the following results.
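As an added example (not the report's own tooling, and not the CobaltStrikeParser referenced above), the following Python shows the mechanics such a parser relies on: the config is a list of settings, each a big-endian index, type and length followed by the value, XORed with one byte, and the fixed first setting (BeaconType) is a known plaintext that leaks the key. The blob is constructed to imitate that layout using the port and address from the IoC section; it is not data extracted from the sample, and the C2Server field is shortened from its real 256 bytes.

```python
from struct import pack, unpack_from

# Every Beacon config opens with setting 1 (BeaconType), type 1 (short), length 2: a known plaintext.
SIG = b"\x00\x01\x00\x01\x00\x02"
NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 8: "C2Server"}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}

def build_sample_blob(key: int = 0x2E) -> bytes:
    """Constructed blob imitating a Beacon config (not data extracted from the real sample)."""
    def tlv(idx: int, typ: int, value: bytes) -> bytes:
        return pack(">HHH", idx, typ, len(value)) + value
    plain = (tlv(1, 1, pack(">H", 8))                          # BeaconType = HTTPS
             + tlv(2, 1, pack(">H", 2433))                     # Port, as in the IoC section
             + tlv(3, 2, pack(">I", 60000))                    # SleepTime in milliseconds
             + tlv(8, 3, b"38.54.40.178".ljust(16, b"\x00"))   # C2Server, shortened from 256 bytes
             + b"\x00" * 6)                                    # index 0 terminates the list
    encoded = bytes(b ^ key for b in plain)
    return b"\x90" * 8 + encoded + b"\x90" * 8                 # padding stands in for surrounding code

def find_config(blob: bytes):
    """Return (offset, xor_key) of the encoded config, or None if the signature is absent."""
    for off in range(len(blob) - len(SIG) + 1):
        key = blob[off]                        # SIG[0] is 0x00, so the encoded byte equals the key
        if bytes(b ^ key for b in blob[off:off + len(SIG)]) == SIG:
            return off, key
    return None

def parse_config(blob: bytes):
    """Decode the config and walk its big-endian index/type/length/value records."""
    hit = find_config(blob)
    if hit is None:
        return None
    off, key = hit
    data = bytes(b ^ key for b in blob[off:])
    settings, pos = {"_xor_key": key}, 0
    while pos + 6 <= len(data):
        idx, typ, length = unpack_from(">HHH", data, pos)
        pos += 6
        if idx == 0:
            break
        raw, pos = data[pos:pos + length], pos + length
        if typ in (1, 2):                      # 1 = short, 2 = int
            value = unpack_from(">H" if typ == 1 else ">I", raw)[0]
        else:                                  # 3 = raw bytes / string
            value = raw.rstrip(b"\x00").decode("latin-1")
        settings[NAMES.get(idx, f"setting_{idx}")] = value
    if "BeaconType" in settings:
        settings["BeaconType"] = BEACON_TYPES.get(settings["BeaconType"], settings["BeaconType"])
    return settings
```

Because the key is recovered from the known header rather than assumed, the same routine handles samples that use a key other than 0x2E.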
Attacker’s mistake?
During the analysis of this sample, we noticed something strange.
The malware has no persistence mechanism, which it would need in order to keep running; if the user restarts the device, the malware will not run again.
It is not clear from the analysis whether this was a mistake by the attacker, or whether the attacker planned to deploy new malware or set up persistence remotely once the Beacon had contacted the C2 server.
The threat actor
Based on the characteristics of the malware, the attack method, and the infrastructure used, what attackers are likely behind this cyberattack?
Based on our analysis, it is highly likely that this series of attacks was carried out by a group known as Tropic Trooper (aka Pirate Panda, KeyBoy).
Through additional investigation, we also obtained another sample that appears to be closely related to this attacker group.
We plan to present further details of this campaign at VB2023, held in London in October 2023, in a talk titled "Unveiling activities of Tropic Trooper 2023: deep analysis of Xiangoop Loader and EntryShell payload" (Virus Bulletin).
At the same time, we are preparing a blog post as an update.
Here are some countermeasures that organizations should take to defend against this targeted attack.
- Email Security
  - Use a spam filter to block shortcut file attachments (files with the .lnk extension).
    ※ The product must be able to inspect zip-format compressed files as well as plain attachments for this rule to be effective.
- Endpoint Security
  - Monitor file creation in the Public folder.
    ※ Although software installations generate noise, this is also effective for spotting other unauthorized software installations.
  - Deploy products that can scan for malware in memory.
    ※ Malware cannot be detected while it is encrypted, so anomalies must be found in running memory.
- Network Security
  - Block and monitor external access to non-standard destination ports.
Destination of Cobalt Strike Beacon (C2 Server)
38.54.40[.]178 (port 2433)
Details of each file
| File name | File type | MD5 | SHA1 | SHA256 |
| --- | --- | --- | --- | --- |
| &Recycle.Bin/NTUSER.EXE | legitimate exe | c214cc5b78616b44918ce62c8a2aa773 | aa0018ef4bc398cf3e7c6b2dd9109c173d12b368 | 563d732c54221fcdd5625bfceaefbe10937c6c62823b4a6ceca5f7ed6c81d890 |