Pierluigi Paganini
February 17, 2020
Gamaredon Group is a Cyber Espionage persistent operation attributed to Russians FSB (Federal Security Service) in a long-term military and geo-political confrontation against the Ukrainian government and more in general against the Ukrainian military power.
In recent months, Ukrainian CERT (CERT-UA) reported an intensification of Gamaredon Cyberattacks against military targets. The new wave dates back to the end of November 2019 and was first analyzed by Vitali Kremez. Starting from those findings, Cybaze-Yoroi ZLab team decided to deep dive into a technical analysis of the latest Pterodo implant.
The complex infection chain begins with a weaponized Office document named “f.doc”. In the following table the initial malware information is provided.
| Hash | 76ea98e1861c1264b340cf3748c3ec74473b04d042cd6bfda9ce51d086cb5a1a |
| Threat | Gamaredon Pteranodon weaponized document |
| Brief Description | Doc file weaponized with Exploit |
| Ssdeep | 768:u0foGtYZKQ5QZJQ6hKVsEEIHNDxpy3TI3dU4DKfLX9Eir:uG1aKQ5OwCrItq3TgGfLt9r |
Table 1. Information about initial dropper
The decoy document is written using the ukrainian language mixed to many special chars aimed to lure the target to click on it, and, once opened, it appears as in the following figure.
The document leverages the common exploit aka CVE-2017-0199 and tries to download a second stage from “hxxp://win-apu.]ddns.]net/apu.]dot”.
Thanks to this exploit (Remote Code Execution exploit) the user interaction is not required, in fact the “enable macro” button is not shown. The downloaded document has a “.dot” extension, used by Microsoft Office to save templates for different documents with similar formats. Basic Information on the “.dot” file are provided:
| Hash | e2cb06e0a5c14b4c5f58d0e56a1dc10b6a1007cf56c77ae6cb07946c3dfe82d8 |
| Threat | Gamaredon Pteranodon loader dot file |
| Brief Description | Dot file enabling the infection of the Gamaredon Pteranodon |
| Ssdeep | 768:5KCB8tnh7oferuHpC0xw+hnF4J7EyKfJ:oI8XoWruHpp/P4 |
Table 2. Information about second stage
If we decide to open the document, we see that the document is empty, but it requires the enabling of the macro.
The body of the macro can be logically divided into two distinct parts:
The evidence of the written file in the Startup folder:
Analyzing the content of “templates.vbs” it is possible to notice that it define a variable containing a URL like “hxxp://get-icons.]ddns.]net/ADMIN-PC_E42CAF54//autoindex.]php” obtained from “hxp://get-icons.]ddns.]net/” & NlnQCJG & “_” & uRDEJCn & “//autoindex.]php”, where “NlnQCJG” is the name that identifies the computer on the network and “uRDEJCn” is the serial number of drive in hexadecimal encoding. From this URL it tries to download another stage then storing it into “C:\Users\admin\AppData\Roaming\” path with random name. At the end, “templates.vbs” script will force the machine to reboot.
The dropped sample is an SFX archive, like the tradition of Gamaredon implants.
| Hash | c1524a4573bc6acbe59e559c2596975c657ae6bbc0b64f943fffca663b98a95f |
| Threat | Gamaredon Pteranodon implant SFX archive |
| Brief Description | SFX Archive First Stage |
| Ssdeep | 24576:zXwOrRsTQlIIIIwIEuCRqKlF8kmh/ZGg4kAL/WUKN7UMOtcv:zgwR/lIIIIwI6RqoukmhxGgZ+WUKZUMv |
Table 3. Information about first SFX archive
By simply opening the SFX archive, it is possible to notice two different files that are shown below and named respectively “8957.cmd” and “28847”.
When executed, the SFX archive will be extracted and the “8957.cmd” will be run. The batch script looks like the following screen:
It contains several junk instructions with the attemption to make the analysis harder. Cleaning the script we obtain:
At this point, the batch script renames the “28847” file in “28847.exe”, opens it using “pfljk,fkbcerbgblfhs” as password and the file contained inside the “28847.exe” file will be renamed in “WuaucltIC.exe”. Finally, it will be run using “-post.php” as argument.
The fact that the “28847.exe” file can be opened makes us understand that the “28847” file is another SFX file. Some static information about SFX are:
| Hash | 3dfadf9f23b4c5d17a0c5f5e89715d239c832dbe78551da67815e41e2000fdf1 |
| Threat | Gamaredon Pteranodon implant SFX archive |
| Brief Description | SFX Archive Second Stage |
| Ssdeep | 24576:vmoO8itbaZiW+qJnmCcpv5lKbbJAiUqKXM:OoZwxVvfoaPu |
Table 4. Information about the second SFX archive
Exploring it, it is possible to see several files inside of it, as well as the 6323 file. The following figure shows a complete list.
In this case, the SFX archive contains 8 files: five of them are legit DLLs used by the “6323” executable to interoperate with the OLE format defined and used by Microsoft Office. The “ExcelMyMacros.txt” and “wordMacros.txt” files contain further macro script, described next. So, static analysis on the “6323” file shown as its nature: it is written using Microsoft Visual Studio .NET, therefore easily to reverse. Before reversing the executable, it is possible to clean it allowing the size reduction and the junk instruction reduction inside the code. The below image shows the information about the sample before and after the cleaning.
The source code looks as follows.
The first check performed is on the arguments: if the arguments length is equal to zero, the malware terminates the execution. After that, the malware checks if the existence of the files “ExcelMyMacros.txt” and “wordMacros.txt” in the same path where it is executed: if true then it reads their contents otherwise it will exit.
Part of the content of the variable “xVGlMEP”:
There is a thin difference between the two files.
As visible in the previous figure, the only difference between the files are in the variable, registry key and path used by Word rather than by Excel. Finally the macros are executed using the Office engine like in the following figure.
So let’s start to dissect the macros. For a better comprehension we will be considering only one macro and in the specific case we will analyze “wordMacros.txt” ones. First of all the macro will set the registry key “HKEY_CURRENT_USER\Software\Microsoft\Office\” & Application.Version & _”\Word\Security\” and then will set up two scheduled tasks that will start respectively every 12 and 15 minutes: the first one will run a “IndexOffice.vbs” in the path “%APPDATA%\Microsoft\Office\” and the second one will run “IndexOffice.exe” in the same path.
Finally, the malware will write the “IndexOffice.txt” file in the “%APPDATA%\Microsoft\Office\” path. The following figure shows what has been previously described:
The script will check the presence of the “IndexOffice.exe” artifact: if true then it will delete it and it will download a new file/script from “hxxp://masseffect.]space/<PC_Name>_<Hex_Drive_SN>/post.]php”.
The malware tries to save the C2 response and encoding it using Encode function. This function accepts three parameters: the input file, the output file and the arrKey; arrKey is calculated thanks to GetKey function that accepts as input the Hexadecimal value of the Driver SN installed on the machine and returns the key as results. Part of Encode function and complete code of GetKey function are shown below.
Visiting the web page relative to C2, it shows a “Forbidden message” so this means that the domain is still active but refuses incoming requests.
Gamaredon cyberwarfare operations against Ukraine are still active. This technical analysis reveals that the modus operandi of the Group has remained almost identical over the years.
The massive use of weaponized Office documents, Office template injection, sfx archives, wmi and some VBA macro stages that dynamically changes, make the Pterodon attack chain very malleable and adaptive. However, the introduction of a .Net component is a novelty compared to previous Pterodon samples.
Further technical details, including Indicators of Compromise and Yare rules, are reported in the analysis published by the experts at the Cybaz-Yoroi ZLAB
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(
[adrotate banner=”5″]
[adrotate banner=”13″]
