Pierluigi Paganini
February 26, 2019
Introduction
In the past days, a cyber attack targeted a high profile target on the APAC area: the Australian Parliament House. As reported by the Australian prime minister there was no evidence of any information theft and the attack has been promptly isolated and contained by the Australian Cyber Security Centre (ACSC), however the attackers gained access the ruling Liberal and National coalition parties networks as well as the opposition Labor Party, just a few months before the federal election. The first technical insight points to sophisticates state-sponsored threat actors operating in the Pacific region, but no official statement has been published and the speculation that China was behind the attack is not confirmed in any way.
Contextually to the cyber incident disclosure to the public, the ACSC declassified some of the samples involved in the parliament hack, so the Cybaze-Yoroi ZLab team decided to investigate these artifacts to have an insight of Tools and Capabilities of part of this APT cyber arsenal.
All the analyzed files seem to be related to a post-exploitation phase, where the attacker leveraged them to conduct data exfiltration and lateral movements. All the modules don’t belong to an open-source post-exploitation framework, like Metasploit or Empire, but they seem to be written from scratch using the high-level language C# on top of the .NET Framework.
The firstly analyzed sample is known in the InfoSec community. The malware is named LazyCat, mainly derived by the famous Mimikatz pentest tool.
| Hash | Sha256: 1c113dce265e4d744245a7c55dadc80199ae972a9e0ecbd0c5ced57067cf755b |
| Threat | LazyCat |
| Description | LazyCat DLL to perform local privilege escalation |
| Ssdeep | 1536:kxnT6jqsSwI1ChVKt5QtkJBDbFw+IPpUuOE7qBp69bfeL:kxCpSz1CyIGrbgKuNS69bA |
Table 1: Information about LazyCat sample.
A first static analysis shows the library is written in .NET, with no heavy obfuscation, and therefore easily revertable to its source-code like representation.
An interesting function spotted in the code reveal its capability to inspect and gather the contests of an arbitrary process memory, through the usage of the MiniDumpWriteDump function belonging to DbgHelp library. The function’s result will be stored in a file just created using “Output” string parameter as name (Figure 3).
Moreover, the malware is able to start a “TcpRelay” service, probably with the intent of create a route between the attacker’s network and the victim’s one and then to make the lateral movements easier.
Exploring source code, a particular module named “RottenPotato” emerges. It contains some interesting functions, such as “findNTLMBytes” and “HandleMessageAuth”, related to the post-exploitation phase in MS Windows environments. After a quick search, it is possible to discover it is an open source tool publicly available on GitHub at https://github.com/foxglovesec/RottenPotato.
Making a diff analysis between the Github source code and the malware’s one, emerges that some functions included into malware’s RottenPoteto are not present into public source code. This indicates that the cyber attacker has further weaponized the code to make it more effective for the malicious goal. At the same time, the usage of code publicly available and open source tools makes more difficult a punctual attribution of the weapons to a particular cyber group.
The LazyCat sample owns a specific module clerks to cover tracks, named “LogEraser”.
The main function of the module is “RemoveETWLog” which has the purpose of delete the ETW (Event Tracing for Windows) files related to the malicious actions the attacker has done.
As shown in the above figure, the malware scans all the records belonging to the Windows Log and, if the record ID is equal to the given ID, it will be deleted.
At time of analysis, the sample had a middle-low detection rate, probably due to the customization of open source code-snippets; the result of VirusTotal analysis is visible in the following figure:
| Hash | Sha256: 08a85f5fe8714b4842180c12c4d192bd186500af01ee39825f6d5100a2019ebc |
| Threat | Generic |
| Description | powerkatz DLL |
| Ssdeep | 192:RPmh9ncu5qqTz3XQUOsnoGWX4L4Lzn066HVV1GfzacScaz/69ek4VUAVc:ucuqqTz3gUOsnoGWoL4Lz0661V1PcS5V |
Table 2: key information about powerkatz (sample 2)
| Hash | Sha256: a95c9fe29a8ae0f618536fdf4874ede5412281e8dfb380bf1370a8d8794f787a |
| Threat | Generic |
| Description | powerkatz DLL |
| Ssdeep | 192:BPmh9ncu5qqTz3XQUOsnoGWX4L4Lan066HVV1GfzacScazu69ek4VUf:ecuqqTz3gUOsnoGWoL4L00661V1PcS57 |
Table 3: key information about powerkatz (sample 3)
Despite the different hashes, the malicious functionalities within the DLL are the substantially the same, the attacker simply modified some strings and variables names, probably to evade av detection. The similarity between the samples is shown in Figure 9, where is possible to see the differences are minimal and they don’t impact the overall behavior.
The decompiled source code of the main class also confirms this similarity, i.e. inside the AsyncTask class in Figure 10. For this reason we will reference a single sample in the following paragraphs.
The sample is composed by few classes and functions, one of them seems a good starting point for our analysis: the “StartNew”. As intended by its name, it is able to start a new asynchronous task on the victim’s machine, executing the task object passed as _app parameter. Once the task is started, the function waits its completion using repeated 1-sec sleeps cycle, and then it returns a valid code status to the function caller. Probably this module can be used in conjunction with some other functions, belonging to other pieces of the implant, to perform malicious actions in background, making all more stealth.
The name of this sample, Powerkatz, reminds to a tool available on GitHub ( https://github.com/digipenguin/powerkatz) but even if the name is the same, the code is different. As the previous sample, also the detection rate of this sample, 28 of 70, is not high, as shown in Figure 11.
| Hash | Sha256: b63ae455f3deaca297b616dd3356063112cfda6e6c5434c407781461ae69361f |
| Threat | generic |
| Description | port scanner DLL |
| Ssdeep | 192:P4NjWnNsFM+5Ic8l5OG/i1/5gK0kbhdeODo3:P4NWnuf5Ic8l21iK0IhDS |
Table 4: key information about port scanner sample
Like other samples, it is written C# programming language too. It has two main classes named “PortScanner” and “ReconCommonFuncs”, providing a direct clue of the actions enabled by this part of the implant.
Reading the first one’s code, in fact, the “portScan” contains an Integer array listing few of the well-known network ports, covering major local network services such as HTTP, TELNET, RDP, POP, IMAP, SSH, SQL .. .
For each declared port, the function is able to perform a TCP scan, trying to connect to it. If there is an available service behind the port, it responds with its own service banner, which will be stored into a “StringBuilder” object. The malware concatenates the responses from all the scanned ports and finally it writes the results in a file using the “ReconCommonFuncs” class.
The “ReconCommonFuncs” class, instead, provides some utility functions, such as “Append” or “GZipAndBase64”, which are self-explanatory.
| Hash | Sha256: 1087a214ebe61ded9f61de81999868f399a1105188467e4e44182c02ee264a19 |
| Threat | generic |
| Description | OfficeCommu DLL |
| Ssdeep | 3072:JbMNa4pc+32UhnsZFM7iCHF6aZ4oFlSAsBycrxAqSPWy3it5r2py2jYN/IroVbpm:JbWa4xmZcl9fFlSBtuZWQ6qp8DrhFJ |
Table 5: key information about the sample
The last sample analyzed by Yoroi ZLab – Cybaze is called “OfficeCommu.dll”, probably with the intent of being confused with the legit Office Communication module available on most Windows machines.
Also this sample is a sort of utility, probably used in the post-exploitation phase, with the purpose of creating a “PowershellAgent”, a stager component of the implant able to parse and execute Powershell commands.
The analyzed samples show the attackers choose a multi-modular approach for the development of their cyber-arsenal, realizing a complex implant leveraging an ecosystem of libraries providing proper functionalities to conduct advanced, and offensive, cyber operations.
Despite these functions and libraries does not appear to contain any zero-day exploit or techniques, the detection of these modules within a high value perimeter such as the Australian Parliament provides important indication on cyber arsenal development strategies of this threat actor, revealing the abuse and the customization of open-source PenTest tools and proof of concept is one of the preferred way the attackers used to build their arsenal, possibly due to the lower the “time-to-market” and resources required to write it, without impacting its effectiveness and dangerousness.
Showing also, how these supposedly “known” techniques and tools can be easily repackaged in evasive and silent implants, capable to bypass the traditional kinds of security boundaries.
Further details, including Indicators of Compromise (IoCs) and Yara rules, are reported in the analysis published by the experts.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – Australian Parliament, hacking)
[adrotate banner=”5″]
[adrotate banner=”13″]
