APT

APT34: Glimpse project

The APT34 Glimpse project is maybe the most complete APT34 project known so far, the popular researcher Marco Ramilli analyzed it for us.

Indeed we might observe a File-based command and control (a quite unusual solution) structure, a VBS launcher, a PowerShell Payload and a covert channel over DNS engine. This last feature is the most appreciated characteristics attributed to APT34. But let’s move on and start a quick analysis on it.

Context:

Since at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran. The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries. Repeated targeting of Middle Eastern financial, energy and government organisations leads FireEye to assess that those sectors are a primary concern of APT34. The use of infrastructure tied to Iranian operations, timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government. (Source: MISP Project).

On April 19 2019 researchers at Chronicle, a security company owned by Google’s parent company, Alphabet, have examined the leaked tools, exfiltrated the past week on a Telegram channel, and confirmed that they are indeed the same ones used by the OilRig attackers. OilRig has been connected to a number of intrusions at companies and government agencies across the Middle East and Asia, including technology firms, telecom companies, and even gaming companies. Whoever is leaking the toolset also has been dumping information about the victims OilRig has targeted, as well as data identifying some of the servers the group uses in its attacks.

According to Duo, OilRig delivered Trojans that use DNS tunneling for command and control in attacks since at least May 2016. Since May 2016, the threat group has introduced new tools using different tunneling protocols to their tool set” Robert Falcone of Palo Alto Networks’ Unit 42 research team wrote in an analysis of the group’s activities.

Today I’d like to focus my attention on the Glimpse project since, in my personal opinion, it could be considered as the “stereotype” of APT34 (with the data we ‘ve got so far).

The Glimpse Project

The package comes with a README file having as a name “Read me.txt” (note the space). The name per se is quite unusual and the content is a simple guide on how to set a nodejs server and a Windows server who would run the “stand alone” .NET (>v4) application to control infected machines. The infection start by propagating a .VBS script called “runner_.vbs” which is a simple runner of a most sophisticated powershell payload. The Powershell payload is a quite complex script acting several functions. The following image shows its “deobfuscated” main loop.

Glimpse Infection Payload Main Loop

The payload loops waiting for instructions, once a command comes from C2 it starts to perform specific actions and it answers back to C2 by requesting crafted subdomains based on variable $aa_domain_bb. One of the most important functions the payload has implemented is to drop and execute additional toolsets. Indeed this payload is mainly a delivery module with some additional controls entirely based on DNS covert channel.

The $aa_domain_bb variable contains the main domain name for which the C2 acts as authoritative Domain Name Server. While no actions are coming from C2 the infected agent would just periodically “ping” C2 by giving basic informations regarding the victim machines. For example the function aa_ping_response_bb would compose an encoded DNS message ( aa_text_response_bb ) which sends it own last IP address. At this stage we might appreciate two communication ways. The first communication channel comes from the subdomain generation for example: 59071Md8200089EC36AC95T.www.example.com while a second communication channel comes from TXT DNS record such as: control: 95 – ackNo: 0 – aid: 59071d8289 – action: M >>> 59071Md8200089EC36AC95T. Both of them are implemented to carry different informations. One of the most important function is the aa_AdrGen_bb which is the communication manager. It implements the control layer in order to send and to receive control informations such as: commands, bytes received, if the file transfer has been close, and so on and so forth. The decoded actions are stored into the variable aa_act_bb and are the following ones:

Command and Control. Env creation for new connected agents
  • M. If the agent is already registered to C2 this command acts like a ping, it updates basic informations to the corresponding “agent” folder. If it’s the first time the agent connects back to C2 it starts a registration section which enables, server side (command and control side) the building up of an dedicated folders and file environment. Please check the previous image: Command and Control. Env creation for new connected agents.
  • W. This is a TXT request to list the waiting commands (or, if you wish “kind of jobs”). The first command that is executed after the registration phase is the command tagged as 10100 having as a content: “whoami&ipconfig /all”
  • D. Is actually what should be executed. It takes as input the tagged task and it forwards to the requesting Agent the Base64 encoded content of the file.
  • 0. It is not a TXT request. This request makes the authoritative DNS (the command and control) answers to the agent the requested file in the waiting folder. Answering back an A record having as data field a crafted ip (11.24.237.110) if no “actions” (fileS) are in the waiting folder the C2 answers back an A record value having as data field “24.125.” + fileNameTmp.substring(0, 2) + “.” + fileNameTmp.substring(2, 5); and time to live a random number between 0 to 360.
  • 1. It is not a TXT request. This request makes the authoritative DNS (the command and control) answer back with the file content. It implements a multiple answering chain, according to RFC4408, to send files greater than 255 characters.
  • 2. It is not a TXT request. This requests makes the authoritative DNS (the command and control) to receive a file from the Agent. It implements a complex multi-part chain for reconstructing partials coming from domain name requests. After sending all of the data, the Agent will issue a final DNS query with “COCTabCOCT” in the data segment. This query notifies the C2 server that the Trojan has finished sending the contents of the file.
Command and Control: COCTabCOCT end of communication

The following image shows a running example of the infection chain run on a controlled virtual environment.You might appreciate the communication layers over the requested domains. For example the following requests would carry on data in subdomain, while the answered IP gives a specific affermative/negative response.

10100*9056*****************.33333210100A[.]example[.]com

Glimpse running environment

The command and control is implemented by a standalone .NET application working through files. The backend, a nodeJS server, runs and offers Public API and and saves, requests to agents, and results from agents, directly into files named with “UID-IP” convention acting as agent ID. The panel reads those files and implements stats and actions. The following image shows the static configuration section in the C2 panel.

Command and Control Panel Hardcoded Settings

The Control Panel is mainly composed by two .NET Window components. Main Windows where the list of connected Agents is shown within additional informations such as: Agent ID, Agent IP, Agent Last Online Time and Attacker Comments. And Control Window which is called once the attacker clicks on the on a selected Agent. The event onClick spawn the following code:

controlPanel = new controlPanel(agent.id, agent.ip, agent.lastActivity);
controlPanel.Show();

After its initialisation phase the control panel enables the attacker to write or to upload a list of commands or a file within commands to agents. The following image shows the controPanel function which takes commands from inputs “TextFields”, creates a new file into the waiting folder within commands. The contents of such a folder will be dropped on the selected Agent and executed.

Command and Control, controlPanel insert_command function

The controlPanel offers many additional functionalities to better control single or group of Agents. By focusing on trying to give a project date we might observe the compiled time which happens to be 9/1/2018 at 5:13:02 AM for newPanel-dbg.exe while it happens to be 9/8/2018 at 8:01:54 PM for the imported library called ToggleSwitch.dll.

With High probability we are facing a multi-modular attacking framework where on one side the DNS communication channel delivers commands to the target Agents and on the other side many control panels could be developed and attached to the DNS communication system. It would be quite obvious if you look to that framework as a developer, thus the DNS communication channel uses files to store informations and to synchronise actions and agents, so that many C2 could be adapted to use it as a communication channel. We might think that that many APT34 units would be able to reuse such a communication channel. Another interesting observation might come from trying to date that framework. A powershell Agent as been leaked on PasteBin o August 2018 (take a look here) by an anonymous user and seen, since today, from very few people (197 so far). The used command and control has been compiled the month before (July 2018). The developing technologies (.NET, nodeJS) are very different and the implementation styles differ as well. DNS Communication channel is developed in linear and more functional driven programming style, while the standalone command and control is developed using a little bit more sophisticated object oriented programming with a flavour of agent-oriented programming: the attacker considers the object agentt as an independent agent working without direct control. The attacker writes files as the medium to address the Agent behaviour.

The original post was published on the Marco Ramilli’s blog:

https://marcoramilli.com/2019/05/02/apt34-glimpse-project/

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I do have a MD in computer engineering and a PhD on computer security from University of Bologna. During my PhD program I worked for US Government (@ National Institute of Standards and Technology, Security Division) where I did intensive researches in Malware evasion techniques and penetration testing of electronic voting systems.

I do have experience on security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been encharged of testing uVote voting system from the Italian Minister of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cybersecurity experiences by diving into SCADA security issues with some of the biggest industrial aglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence center I’ve ever experienced! Now I technically lead Yoroi defending our customers strongly believing in: Defence Belongs To Humans

[adrotate banner=”9″][adrotate banner=”12″]

Edited by Pierluigi Paganini

(Security Affairs – APT34, Glimpse project)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

32 mins ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

12 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

16 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

22 hours ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

This website uses cookies.