Gifts from Tropical Pirates -New Dangerous Weapons Hidden in Email and Malware

Summary

Analysis of attack techniques and malware used in targeted email attacks believed to be from the threat actor known as Tropic Trooper (aka: Pirate Panda, KeyBoy).

Targeted Attack Mail

Attackers are well known for emailing target organizations in an attempt to infect them with malware or steal their accounts. The attacker we analyzed also used targeted email as one of their attack methods, and in the process, we observed a unique technique used by this attacker.

The following sample mail (Subject : [重要] 2022职工住房公积金的月缴比例调整) was sent disguised as a content notice regarding the Housing Public Benefits, a program for employees working for Chinese companies.

Figure 1. Sample email body

Figure 2. English translation of sample email

The sample attack email was disguised as an email from a company that the organization's employees must respond to.

Attachments

The attachment file that is requested to be confirmed from the email body is malware, and it has been confirmed that this malware uses various techniques of the attacker.

First, the malware is compressed in zip format and its structure is as follows:

  • 职工住房公积金缴存比例对应的月缴存额明细.xlsx.lnk(shortcut file)
  • &Recycle.Bin(hidden folder)
    • gongjijin.xlsx(decoy file)
    • McVsoCfg.dll(malicious DLL file)
    • NTUSER.EXE(legitimate executable file)
    • setting.dat(BLOB file)

This compressed file contains multiple files, but only the 职工住房公积金缴存比例对应的月缴存额明细.xlsx is displayed when it expanded in a default Windows OS environment.

Figure 3. How it is displayed when the attachments expanded

In the past, the threat actor who spread ursnif/gozi used double-extension files with different extension added before the actual extension, such as .xlsx.exe and .pdf.exe.
This is because the .exe part at the end is not displayed when the registered extensions are not displayed in the default Windows settings, and it can be disguised as a non-executable file.
As one response to such attack methods, some organizations may display file extensions so that users can notice anomalies.

However, the .lnk extension is an exception. Even if you enable this setting, the extension will not be displayed.
(You can force the extension to be displayed in the registry. All shortcut files on the desktop will have the .lnk extension added, which makes them look bad. As a result, most organizations do not enable the display of .lnk extensions.)

Figure 4. Explorer setting "Do not display registered extensions"

What is .lnk extension?

A Windows shortcut file that refers to another file or folder.

[MS-SHLLINK]: Shell Link (.LNK) Binary File Format | Microsoft Learn

Shortcut files are easy to change icons and set the command to execute, which makes them a useful tool for attackers.

Figure 5. Shortcut file specified to execute the extracted file

Another technique used by attackers is to exploit the function to hide system files and folders.
In Windows, the function to hide system files and folders is enabled by default to prevent users from accidentally deleting or modifying important files.

This compressed file also contains a folder named &Recycle.Bin. This folder contains the malware itself and a harmless fake document file that matches the content of the sent email.
However, since the folder is set to be hidden, users cannot visually see the folder's existence if the function to hide system folders is enabled.

Figure 6. Explorer settings "Show hidden files and folders"

Even if the environment is set to display folders, the attacker may be trying to mislead users into thinking that the folder is a system folder or an unimportant folder by naming it &Recycle.Bin, which is similar to the name of the $Recycle.Bin folder, the body folder of the trashcan.

What is $Recycle.Bin?

$Recycle.Bin is a hidden System Volume Information folder created by the Windows OS, a linked folder to the Recycle Bin on each hard drive.

The setting to display hidden files and folders is intended to prevent users from accidentally deleting important folders or files, so careful consideration should be given to whether to use this function.

Infection flow of malware

So how do we actually infect the malware?
Let's check the techniques to establish communication to the attacker's command and control server (c2 server), which is the ultimate goal.

Figure 7. Overall infection flow diagram

Launching shortcut files

When we check the shortcut file disguised as an Excel file, we can see that it calls the executable file NTUSER.EXE in the &Recycle.Bin folder, which was set to be hidden.

Figure 8. Command details of the shortcut file

Is this executable file malware?
Let’s search the hash of this NTUSER.EXE on VirusTotal.
VirusTotal is a website that displays the results of how registered multiple antivirus software judges uploaded files.

Although it is not possible to determine whether or not a file is malware based on the results of this site alone.
But it can provide clues for judging whether or not a file is malicious, such as whether similar files have been scanned in the past and meta information and runtime behavior that the target file has.
In this case, NTUSER.EXE has already been inspected and no security software judged it to be malicious.

Figure 9. Judgment results of NTUSER.EXE of each antivirus software

In addition, when we check the digital certificate item of the executable file, we can see that it is signed by a legitimate certificate from McAfee.
This indicates that the file is very likely to be a legitimate file from McAfee Corporation, as it cannot be set up without the information required for McAfee's signature.

Figure 10. Properties of NTUSER.EXE signed by McAfee certificate

Is the attacker trying to get you to execute a legitimate executable file?
In fact, an attack technique called DLL side-loading is used here.

Although this NTUSER.EXE is an executable file from McAfee, it does not have a function to verify the legitimacy of the DLL it loads.
As a result, it will load and execute any DLL with the same file name.
The vulnerability is exploited to embed malware in the DLL that the legitimate executable file loads and execute it.

In this attack, the malicious DLL file MsVsoCfg.dll, which is installed in the same folder as NTUSER.EXE, is designed to call the McVsoCfgGetObject function and load malicious code.

What is DLL side loading?

A technique that uses the Windows DLL search order mechanism to load and execute malicious payloads from the same folder as a legitimate application.
This allows the attacker to execute malicious payloads while appearing to be the legitimate application.

Hijack Execution Flow: DLL Side-Loading, Sub-technique T1574.002 - Enterprise | MITRE ATT&CK®

The shortcut file described above is set up to execute the NTUSER.EXE file and display a fake file (decoy file) at the same time.
The user will not notice any abnormalities, as the document file that they expected to be displayed is opened.
However, behind the scenes, the legitimate executable file is loading the DLL file and starting the infection process.

Malware Analysis and Description of Operation

Let's continue and see how the malware behaves.
When we analyze the contents of NTUSER.EXE, we can see that it loads McVsoCfg.dll.

Figure 11. libraries called by NTUSER.EXE and their functions

When we check the export functions in MsVsoCfg.dll, we can see that the McVsoCfgGetObject function, which was called by NTUSER.EXE, is defined as an export function.
An export function is a function that is set to be available outside of the DLL. In this case, the McVsoCfgGetObject function can receive external operations.

Figure 12. Functions provided by MsVsoCfg.dll

To see what the McVsoCfgGetObject function does, let's read the code.
We can see that it has two functions: Installer (infecting) and Loader (loading).

Installer Operation

First, let’s check the function of the Installer.
The Installer is a function that installs files. It copies three files from the folder where NTUSER.EXE is installed to the C:\Users\Public\Downloads folder.

Figure 13. Installer function in MsVsoCfg.dll

The file copy image is as follows.

Figure 14. File duplication image

Users will delete the attached file after checking its contents if they feel it is not necessary.
Therefore, attackers prefer to install the malware set in a specific location first.

In this case, the attacker copied the files to the C:\Users\Public\Downloads\folder.
Here are some possible reasons why the malware was installed in this folder:

  • The folder is not normally used by users, so it can delay detection.
  • The Public folder can be shared by multiple users using the same host, so it can be used by other accounts on the host.

In the malware analyzed this time, the Downloads folder was used as the destination for the copy.
However, other similar folders, such as C:\Users\Public\Videos\ and C:\Users\Public\Music\, are also often used as destinations for malware copies.

The attacker changed the executable file from NTUSER.EXE to Avira.exe during the copy process.
The file name NTUSER.EXE is similar to the file name NTUSER.DAT, which stores the user profile.
The changed Avira.exe is similar to the name of an antivirus software.
Is it difficult to distinguish between these two files from normal system operation?

Loader Operation

After the copy is complete, NTUSER.EXE will launch the duplicated Avira.exe. Avira.exe is exactly the same executable file as NTUSER.EXE.
Will the copying process start in the same way as NTUSER.EXE?
In fact, there is the function to check if the copied file already exists, the operation is switched to Loader.

The Loader has the function to read encrypted files, restore them to an executable format, and execute them.
There was a file named setting.dat in the copied file. This is an encrypted file. When the Loader function reads this file, it decrypted a new malware starts to run.

Figure 15. Reading process of setting.dat
Figure 16. setting.dat before decoding
Figure 17. setting.dat after decoding process

As you can see, the decrypted setting.dat file data starts with MZ which is the magic number of the execution file and the header string This program cannot be run in DOS mode.
After that, the PE header magic number PE can be confirmed.

These strings indicate that the decrypted file is a PE file.

What is a PE file?

Acronym for Portable Executable, one of the Windows executable file formats.

PE Format - Win32 apps | Microsoft Learn

Although the file has been decrypted, there are some parts that seem strange to people who are familiar with analysis. Normally, the data after MZ is much simpler, but this decrypted file appears to have noise.

Figure 18. General MZ header

In fact, this part is shellcode that runs to make analysis difficult.
The reflective loader is called, and each section is expanded into memory according to the data in the PE header.
Finally, the Entry Point of the embedded PE file is calculated and called.

Figure 19. Shellcode embedded within MZ header

It is not clear why the shellcode was placed in the MZ header, but it may be intended to make analysis a little more difficult, avoid detection by easily identifying executable files, or erase program metadata in the header area.

The actual entity of this PE file was Cobalt Strike Beacon. Cobalt Strike is a remote access tool that is abused by attackers with an unauthorized license, despite being legitimate software with its rich features.

What is Cobalt Strike?

Commercial security tools used to simulate cyberattacks and assess the security of systems and organizations.
On the other hand, cracked versions modified for unauthorized use are circulating and widely used in malicious attacks.

The main function is to embed a backdoor program called Cobalt Strike Beacon (hereinafter referred to as "Beacon") in the target system after system intrusion, and run it to execute PowerShell scripts, record screenshots, and download files via Beacon.

Cobalt Strike Beacon has embedded configuration data (hereinafter referred to as “malware config”), which is generally encoded with 1-byte XOR.
This sample also has embedded malware config encoded with 0x2E. By extracting the corresponding data using a publicly available tool (https://github.com/Sentinel-One/CobaltStrikeParser), we obtained the following results.

Figure 20. Malware configuration for Cobalt Strike Beacon

Attacker’s mistake?

During the analysis of this sample, we noticed something strange.
The malware does not have a persistence setting, which is necessary for it to run continuously. This means that if the user restarts the device, the malware will not run again.
It was not sure from the analysis whether this was an attacker's mistake, or if the attacker planned to remotely deploy a new malware or implement a persistence setting after the malware communicated with the C2 server.

The threat actor

Based on the characteristics of the malware, the attack method, and the infrastructure used, what attackers are likely behind this cyberattack?
Based on our analysis, it is highly likely that this series of attacks were carried out by a group known as Tropic Trooper (aka Pirate Panda, KeyBoy).
As a result of additional investigation, we have also been succeeded in obtaining another sample that is thought to be highly relevant to this attacker group.

We plan to unveil the further information of this campaign at VB2023, which will be held in London in October 2023 (Virus Bulletin :: Unveiling activities of Tropic Trooper 2023: deep analysis of Xiangoop Loader and EntryShell payload).
The presentation, titled "Unveiling activities of Tropic Trooper 2023: deep analysis of Xiangoop Loader and EntryShell payload" will take place at the conference.
Simultaneously, we are in the process of writing an blog for publish as an update.

Countermeasures

Here are some countermeasures that organizations should take to defend against this targeted attack.

  • Email Security
    • Use a spam filter to block the attachment of shortcut files (files with .lnk extension)
      ※The product must be able to explore zip-format compressed files as well as simple attachment files to apply similar rules.
  • Endpoint Security
    • Monitor file creation in the public folder
      ※Although there is noise from software installations, it is also effective for monitoring other unauthorized software installations
    • Install products that can scan for malware in memory ※Malware cannot be detected in an encrypted state, so it is necessary to find abnormalities from the running memory.
  • Network Security
    • Block and monitor external access to non-standard destination ports.

IoCs

Destination of Cobalt Strike Beacon (C2 Server)

38.54.40[.]178 (port 2433)

Details of each file
file name file type MD5 SHA1 SHA256
职工住房公积金缴存比例对应的月缴存额明细.zip zip 477064c3182a8eec3c048fb76d939ca4 edb4a995eca1b65f7d588dca0f2d22487614ff96 89a71c796b86aec5f12e48524e044d427629438b4e573e4c9d7353b08eb0d7de
职工住房公积金缴存比例对应的月缴存额明细.xlsx.lnk lnk ea5d6c5912e25cec49d0eca7cd5dbfca 553b3a5450ece97410a32a0319f202ac6c501708 95a3850ef6f727ce84aff3295e8f05c8e47856390d8b0091f60fc705b675b719
&Recycle.Bin/ gongjijin.xlsx decoy 327fed79e399a98b4036799408235b34 730510f4c7f06ff2f96a1ac804defd9276654a5c 75447462e748956009d1528ba6e960784b56360dccfcf689f7bff093a0da55bf
&Recycle.Bin/ McVsoCfg.dll loader 4006dcb60b94f22e313138d836f6692f ba6fb4bad430efe434f614ba8c7a71b69f8f0462 acf4422360ca41bb1318a46b2386c5e5458666e951faf19dcf48f0ab3abd5900
&Recycle.Bin/ NTUSER.EXE legitimate exe c214cc5b78616b44918ce62c8a2aa773 aa0018ef4bc398cf3e7c6b2dd9109c173d12b368 563d732c54221fcdd5625bfceaefbe10937c6c62823b4a6ceca5f7ed6c81d890
&Recycle.Bin/ setting.dat BLOB 84b6a4044b6a505c1d24f4cceba294d0 c7e04e6a03be8b32519fd7eec578ba1c651f8cb5 af9408a97f414cc6165de8f9f47d1a6ca3d596e3c999f86caa3841098766b514

©︎ITOCHU Cyber & Intelligence Inc.