2018-12-21 ACSC and NCCIC - Report - MSP Breach - APT10 - REDLEAVES & PlugX RAT - "Investigation report: Compromise of an Australian company via their Managed Service Provider"
==============================================
Event ID : 5826
Date : 2018-12-21
Reported by : AusCERT
Local owner of the event : AusCERT
Distribution: This community only
Tags: tlp:green, circl:incident-classification="system-compromise", malware_classification:malware-category="Spyware", source:acsc, misp-galaxy:threat-actor="Stone Panda", misp-galaxy:tool="REDLEAVES", source:nccic, misp-galaxy:mitre-enterprise-attack-malware="PlugX - S0013", misp-galaxy:mitre-enterprise-attack-malware="RedLeaves - S0153", ms-caro-malware-full:malware-type="RemoteAccess", malware_classification:malware-category="Trojan"
Threat Level: Medium
Analysis : Completed
Description : 2018-12-21 ACSC and NCCIC - Report - MSP Breach - APT10 - REDLEAVES & PlugX RAT - "Investigation report: Compromise of an Australian company via their Managed Service Provider"
==============================================
Related to: https://misp.auscert.org.au/events/view/1648 (2017-04-28)
==============================================
Attributes (* indicates a new or modified attribute):
* External analysis/link : https://cyber.gov.au/government/publications/msp-investigation-report/MSP_Investigation_Report.pdf *
* External analysis/link : https://cyber.gov.au/government/publications/msp-risk-for-clients/PROTECT_Managing_security_when_engaging_MSPs.pdf *
* External analysis/link : https://smartermsp.com/telling-cyber-attacks-data-breaches-2017/ *
* Other/comment :
  In their latest publication addressing the MSP security breaches of 2018, the ACSC has provided mitigation advice for organisations contracting MSPs, to help mitigate the risks associated with such breaches. The document is available at: https://cyber.gov.au/government/publications/msp-risk-for-clients/PROTECT_Managing_security_when_engaging_MSPs.pdf

  We have included some threat indicators for REDLEAVES that were made available by NCCIC (US-CERT). NCCIC states:

  "The U.S. Government announced that a group of Chinese cyber actors associated with the Chinese Ministry of State Security have carried out a campaign of cyber-enabled theft targeting global technology service providers and their customers. Over the past four years, these actors have gained access to multiple U.S. and global IT service providers and their customers in an effort to steal the intellectual property and sensitive data of companies located in at least 12 countries. The U.S. Government is taking steps to hold the Chinese government accountable for these unacceptable actions and help victim organizations secure their networks and data. For more information related to this activity, go to https://www.us-cert.gov/china.

  The National Cybersecurity and Communications Integration Center (NCCIC), a part of the Cybersecurity and Infrastructure Security Agency (CISA), has become aware of an emerging sophisticated campaign, occurring since at least May 2016, that uses multiple malware implants. Initial victims have been identified in several sectors, including Information Technology, Energy, Healthcare and Public Health, Communications, and Critical Manufacturing. According to preliminary analysis, threat actors appear to be leveraging stolen administrative credentials (local and domain) and certificates, along with placing sophisticated malware implants on critical systems. Some of the campaign victims have been IT service providers, where credential compromises could potentially be leveraged to access customer environments. Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools.

  Although this activity is still under investigation, NCCIC is sharing this information to provide organizations information for the detection of potential compromises within their organizations." [1]

  "REDLEAVES Malware

  The most unique implant observed in this campaign is the REDLEAVES malware. The REDLEAVES implant consists of three parts: an executable, a loader, and the implant shellcode. The REDLEAVES implant is a remote administration Trojan (RAT) that is built in Visual C++ and makes heavy use of thread generation during its execution. The implant contains a number of functions typical of RATs, including system enumeration and creating a remote shell back to the C2.

  Capabilities

  System Enumeration. The implant is capable of enumerating the following information about the victim system and passing it back to the C2: system name, system architecture (x86 or x64), operating system major and minor versions, amount of available memory, processor specifications, language of the user, privileges of the current process, group permissions of the current user, system uptime, IP address, and primary drive storage utilization.

  Command Execution. The implant can execute a command directly inside a command shell using native Windows functionality by passing the command to run to cmd.exe with the “/c” option (“cmd.exe /c ”).

  Command Window Generation. The implant can also execute commands via a remote shell that is generated and passed through a named pipe. A command window is piped back to the C2 over the network as a remote shell or alternatively to another process or thread that can communicate with that pipe. The implant uses the mutex RedLeavesCMDSimulatorMutex.

  File System Enumeration. The implant has the ability to enumerate data within a specified directory, where it gathers filenames, last file write times, and file sizes.

  Network Traffic Compression and Encryption. The implant uses a form of LZO compression to compress data that is sent to its C2. After compression, the data for this implant sample is then RC4-ciphered with the key 0x6A6F686E3132333400 (this corresponds to the string “john1234” with the null byte appended).

  Network Communications

  REDLEAVES connects to the C2 over TCP port 443, but does not use the secure flag when calling the API function InternetOpenUrlW. The data is not encrypted and there is no SSL handshake as would normally occur with port 443 traffic, but rather the data is transmitted in the form that is generated by the RC4 cipher. Current REDLEAVES samples that have been examined have a hard-coded C2. Inside the implant’s configuration block in memory were the strings in Table 1." [1]

  "PLUGX

  PLUGX is a sophisticated Remote Access Tool (RAT) operating since approximately 2012. Although there are now many variants of this RAT in existence today, there are still characteristics common to most variants. Typically, PLUGX uses three components to install itself.
    - A non-malicious executable
    - A malicious DLL/installer
    - An encoded payload – the PLUGX RAT.

  A non-malicious executable with one or more imports is used to start the installation process. The executable will likely exist in a directory not normally associated with its use. In some cases, the actor may use an executable signed with a valid certificate, and rename the DLL and encoded payload with file names that suggest they are related to the trusted file. Importantly, the actor seems to vary the encoding scheme used to protect the encoded payload to stifle techniques used by AV vendors to develop patterns to detect it. The payload is either encoded with a single byte or encrypted and decompressed. Recently, NCCIC has observed a case where the encoded payload contains a decoding stub within itself, beginning at byte zero. The malware simply reads this payload and executes it starting at byte zero. The stub then decodes and executes the rest of itself in memory. Notably, this stub varies in its structure and algorithm, again stifling detection by signature based security software. The PLUGX malware is never stored on disk in an unencrypted or decoded format.

  When the initial executable is launched, the imported library, usually a separate DLL, is replaced with a malicious version that in turn decodes and installs the third and final component, which is the PLUGX RAT itself. Typically, the PLUGX component is obfuscated and contains no visible executable code until it is unpacked in memory, protecting it from AV/YARA scans while static. During the evolution of these PLUGX compromises, NCCIC noted an increasing implementation of protections of the actual decoded PLUGX in memory. For example, the most recent version we looked at implements a secure strings method, which hides the majority of the common commands used by PLUGX. This is an additional feature designed to thwart signature based security tools.

  Once the PLUGX RAT is installed on the victim, the actors have complete C2 capabilities of the victim system, including the ability to take screenshots and download files from the compromised system. The communications between the RAT (installed on the victim system) and the PLUGX C2 server are encoded to secure the communication and stifle detection by signature based network signature tools. The advanced capabilities of PLUGX are implemented via a plugin framework. Each plugin operates independently in its own unique thread within the service. The modules may vary based on variants. Table 5 lists the modules and capabilities contained within one sample recently analyzed by NCCIC." [1]

  See the PlugX section in the US-CERT report for the list of capabilities of the PlugX malware.

  References
  1. https://www.us-cert.gov/ncas/alerts/TA17-117A#revisions
  *
* External analysis/link : https://www.computerworld.com.au/article/651096/australia-charges-china-backing-msp-hacking-campaign/ *
* External analysis/link : https://www.us-cert.gov/ncas/alerts/TA17-117A *
* Network activity/snort : alert tcp any any -> any any (msg: "REDLEAVES Implant"; content: "|00 00 7a 8d 9b dc|"; offset: 2; depth: 6; content: "|00 00|"; offset: 10; depth: 2; sid: 314;) (IDS) *
* Network activity/snort : alert tcp any any -> any any (msg:"Suspicious PLUGX URI String"; content:"POST"; http_method; content:"/update?id="; http_uri; fast_pattern:only; pcre:"/update\?id=[a-fA-F0-9]{8} HTTP/"; sid:101;) (IDS) *
* Artifacts dropped/yara :
  rule Dropper_DeploysMalwareViaSideLoading
  {
      meta:
          description = "Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX"
          author = "USG"
          true_positive = "5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx. "
      strings:
          $UniqueString = {2e 6c 6e 6b [0-14] 61 76 70 75 69 2e 65 78 65} // ".lnk" near "avpui.exe"
          $PsuedoRandomStringGenerator = {b9 1a [0-6] f7 f9 46 80 c2 41 88 54 35 8b 83 fe 64} // Unique function that generates a 100 character pseudo random string.
      condition:
          any of them
  }
  (IDS) *
* Artifacts dropped/yara :
  rule REDLEAVES_DroppedFile_ImplantLoader_Starburn
  {
      meta:
          description = "Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT"
          author = "USG"
          true_positive = "7f8a867a8302fe58039a6db254d335ae" // StarBurn.dll
      strings:
          $XOR_Loop = {32 0c 3a 83 c2 02 88 0e 83 fa 08 [4-14] 32 0c 3a 83 c2 02 88 0e 83 fa 10} // Deobfuscation loop
      condition:
          any of them
  }
  (IDS) *
* Artifacts dropped/yara :
  rule REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief
  {
      meta:
          description = "Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT"
          author = "USG"
          true_positive = "fb0c714cd2ebdcc6f33817abe7813c36" // handkerchief.dat
      strings:
          $RedleavesStringObfu = {73 64 65 5e 60 74 75 74 6c 6f 60 6d 5e 6d 64 60 77 64 72 5e 65 6d 6d 6c 60 68 6f 2f 65 6d 6d} // This is 'red_autumnal_leaves_dllmain.dll' XOR'd with 0x01
      condition:
          any of them
  }
  (IDS) *
* Artifacts dropped/yara :
  rule REDLEAVES_CoreImplant_UniqueStrings
  {
      meta:
          description = "Strings identifying the core REDLEAVES RAT in its deobfuscated state"
          author = "USG"
      strings:
          $unique2 = "RedLeavesSCMDSimulatorMutex" nocase wide ascii
          $unique4 = "red_autumnal_leaves_dllmain.dll" wide ascii
          $unique7 = "\\NamePipe_MoreWindows" wide ascii
      condition:
          any of them
  }
  (IDS) *
* Network activity/snort : alert tcp any any -> any any (msg:"Non-Std TCP Client Traffic contains 'HX1|3a|' 'HX2|3a|' 'HX3|3a|' 'HX4|3a|' (PLUGX Variant)"; sid:XX; rev:1; flow:established,to_server; content:"Accept|3a 20 2a 2f 2a|"; nocase; content:"HX1|3a|"; distance:0; within:6; fast_pattern; content:"HX2|3a|"; nocase; distance:0; content:"HX3|3a|"; nocase; distance:0; content:"HX4|3a|"; nocase; distance:0; classtype:nonstd-tcp; priority:X;) (IDS) *
* Network activity/snort : alert tcp any any -> any any (msg:"Non-Std TCP Client Traffic contains 'X-Session|3a|''X-Status|3a|''X-Size|3a|''X-Sn|3a|'(PLUGX)"; sid:XX; rev:1; flow:established,to_server; content:"X-Session|3a|"; nocase; fast_pattern; content:"X-Status|3a|"; nocase; distance:0; content:"X-Size|3a|"; nocase; distance:0; content:"X-Sn|3a|"; nocase; distance:0; classtype:nonstd-tcp; priority:X;) (IDS) *
* Network activity/snort : alert tcp any any -> any any (msg:"Non-Std TCP Client Traffic contains 'MJ1X|3a|' 'MJ2X|3a|' 'MJ3X|3a|' 'MJ4X|3a|' (PLUGX Variant)"; sid:XX; rev:1; flow:established,to_server; content:"MJ1X|3a|"; nocase; fast_pattern; content:"MJ2X|3a|"; nocase; distance:0; content:"MJ3X|3a|"; nocase; distance:0; content:"MJ4X|3a|"; nocase; distance:0; classtype:nonstd-tcp; priority:X;) (IDS) *
* Network activity/snort : alert tcp any any -> any any (msg:"Non-Std TCP Client Traffic contains 'Cookies|3a|' 'Sym1|2e|' '|2c|Sym2|2e|' '|2c|Sym3|2e|' '|2c|Sym4|2e|' (Chches Variant)"; sid:XX; rev:1; flow:established,to_server; content:"Cookies|3a|"; nocase; content:"Sym1|2e|0|3a|"; nocase; distance:0; fast_pattern; content:"|2c|Sym2|2e|"; nocase; distance:0; content:"|2c|Sym3|2e|"; nocase; distance:0; content:"|2c|Sym4|2e|"; nocase; distance:0; classtype:nonstd-tcp; priority:X;) (IDS) *
* Artifacts dropped/yara :
  rule PLUGX_RedLeaves
  {
      meta:
          author = "US-CERT Code Analysis Team"
          date = "03042017"
          incident = "10118538"
          date = "2017/04/03"
          MD5_1 = "598FF82EA4FB52717ACAFB227C83D474"
          MD5_2 = "7D10708A518B26CC8C3CBFBAA224E032"
          MD5_3 = "AF406D35C77B1E0DF17F839E36BCE630"
          MD5_4 = "6EB9E889B091A5647F6095DCD4DE7C83"
          MD5_5 = "566291B277534B63EAFC938CDAAB8A399E41AF7D"
          info = "Detects specific RedLeaves and PlugX binaries"
      strings:
          $s0 = { 80343057403D2FD0010072F433C08BFF80343024403D2FD0010072F4 }
          $s1 = "C:\\Users\\user\\Desktop\\my_OK_2014\\bit9\\runsna\\Release\\runsna.pdb"
          $s2 = "d:\\work\\plug4.0(shellcode)"
          $s3 = "\\shellcode\\shellcode\\XSetting.h"
          $s4 = { 42AFF4276A45AA58474D4C4BE03D5B395566BEBCBDEDE9972872C5C4C5498228 }
          $s5 = { 8AD32AD002D180C23830140E413BCB7CEF6A006A006A00566A006A00 }
          $s6 = { EB055F8BC7EB05E8F6FFFFFF558BEC81ECC8040000535657 }
          $s7 = { 8A043233C932043983C10288043283F90A7CF242890D18AA00103BD37CE2891514AA00106A006A006A0056 }
          $s8 = { 293537675A402A333557B05E04D09CB05EB3ADA4A4A40ED0B7DAB7935F5B5B08 }
          $s9 = "RedLeavesCMDSimulatorMutex"
      condition:
          $s0 or $s1 or $s2 and $s3 or $s4 or $s5 or $s6 or $s7 or $s8 or $s9
  }
  (IDS) *
* Artifacts dropped/mutex : QN4869MD *
* Artifacts dropped/md5 : ba4b4087370780dc988d55cbb9de885d (IDS) *
* Artifacts dropped/md5 : 3d032ba5f73cbc398f1a77af92077cd8 (IDS) *
* Artifacts dropped/mutex : RedLeavesCMDSimulatorMutex (IDS) *
Objects (* indicates a new or modified object):
* file/file
  * Payload delivery/md5 : 9d0da088d2bb135611b5450554c99672 (IDS) *
  * Payload delivery/filename : VeetlePlayer.exe (IDS) *
  * Other/size-in-bytes : 25704 (IDS) *
  * Other/text : Malicious *
* file/file
  * Payload delivery/md5 : 9a8c76271210324d97a232974ca0a6a3 (IDS) *
  * Payload delivery/filename : libvlc.dll (IDS) *
  * Other/size-in-bytes : 33792 (IDS) *
  * Other/text : Malicious *
* file/file
  * Payload delivery/md5 : 3045e77e1e9cf9d9657aea71ab5e8947 (IDS) *
  * Payload delivery/filename : mtcReport.ktc (IDS) *
  * Other/size-in-bytes : 231076 (IDS) *
  * Other/text : Malicious *
* file/file
  * Payload delivery/md5 : 3ebbfeee3a832c92bb60b531f749230e (IDS) *
  * Payload delivery/filename : red_autumnal_leaves_dllmain.dll (IDS) *
  * Other/size-in-bytes : 226304 (IDS) *
  * Other/text : Malicious *
==============================================
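Added example, not part of this event or of the US-CERT alert: the REDLEAVES Snort rule (sid 314), the XOR-0x01 `$RedleavesStringObfu` YARA string and the PlugX URI pcre (sid 101) above, re-implemented as Python checks so their matching semantics (absolute offset/depth, obfuscated rather than plain DLL name, eight hex characters in the URI) can be exercised offline. All sample payloads and the host name are constructed here, not captured.

```python
import re

# Indicator bytes copied from the REDLEAVES / PLUGX signatures in this event.
REDLEAVES_HDR = bytes.fromhex("00 00 7a 8d 9b dc")  # Snort sid 314: offset 2, depth 6
REDLEAVES_OBFU_DLLNAME = bytes.fromhex(              # YARA $RedleavesStringObfu
    "73 64 65 5e 60 74 75 74 6c 6f 60 6d 5e 6d 64 60 77 64 72 5e "
    "65 6d 6d 6c 60 68 6f 2f 65 6d 6d"
)
PLUGX_URI = re.compile(rb"/update\?id=[a-fA-F0-9]{8} HTTP/")  # Snort sid 101 pcre


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the obfuscation the YARA comment describes (key 0x01)."""
    return bytes(b ^ key for b in data)


def redleaves_obfu_matches_dllname() -> bool:
    """Sanity check: the YARA hex really is the DLL name XOR'd with 0x01."""
    return xor_single_byte(b"red_autumnal_leaves_dllmain.dll", 0x01) == REDLEAVES_OBFU_DLLNAME


def matches_redleaves_snort(payload: bytes) -> bool:
    """Snort sid 314 semantics: with no distance/within modifier, offset and
    depth are absolute from the start of the TCP payload."""
    return payload[2:8] == REDLEAVES_HDR and payload[10:12] == b"\x00\x00"


def matches_redleaves_dat(blob: bytes) -> bool:
    """The dropped .dat hides the DLL name under XOR 0x01, so a scanner must
    look for the obfuscated bytes; the plain name never appears on disk."""
    return REDLEAVES_OBFU_DLLNAME in blob


def matches_plugx_uri(request: bytes) -> bool:
    """Snort sid 101: a POST whose URI is /update?id=<exactly 8 hex chars>.
    startswith() stands in for Snort's http_method modifier."""
    return request.startswith(b"POST ") and PLUGX_URI.search(request) is not None


# Constructed samples (not real captures): one that should match each rule,
# plus a benign-looking request whose id is not hex.
SAMPLE_REDLEAVES_PKT = b"\x00\x10" + REDLEAVES_HDR + b"\x00\x20" + b"\x00\x00" + b"\x41" * 8
SAMPLE_DAT = b"\x90" * 16 + REDLEAVES_OBFU_DLLNAME + b"\x90" * 16
SAMPLE_PLUGX_REQ = b"POST /update?id=0a1b2c3d HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n"
SAMPLE_OTHER_REQ = b"POST /update?id=not-hex HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n"
```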
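Added example, not from the report: RC4 with the key the alert documents for the analysed REDLEAVES sample (0x6A6F686E3132333400), written to strip the RC4 layer from a captured C2 payload during analysis and to show that the trailing null byte is part of the key material. The "capture" is constructed by wrapping a placeholder buffer with the same key; the LZO layer underneath is not decompressed here.

```python
# RC4 key documented for the analysed REDLEAVES sample: "john1234" followed by
# a NUL byte. The NUL is part of the key, not a C string terminator.
REDLEAVES_RC4_KEY = bytes.fromhex("6A6F686E3132333400")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_redleaves_payload(ciphertext: bytes) -> bytes:
    """Strip the RC4 layer from a captured REDLEAVES C2 payload. Per the
    alert the result is still LZO-compressed; LZO needs a third-party
    library and is deliberately not attempted here."""
    return rc4(REDLEAVES_RC4_KEY, ciphertext)


def nul_byte_matters(sample: bytes) -> bool:
    """True when keying with 'john1234' (NUL dropped) gives a different
    keystream, i.e. an analyst who trims the trailing 00 gets garbage."""
    return rc4(REDLEAVES_RC4_KEY, sample) != rc4(b"john1234", sample)


def rc4_self_test() -> bool:
    """Known-answer test (key 'Key', plaintext 'Plaintext') to validate rc4()."""
    return rc4(b"Key", b"Plaintext") == bytes.fromhex("BBF316E8D940AF0AD3")


# Constructed stand-in for a real capture: a placeholder buffer RC4-wrapped
# with the documented key, so the round trip can be exercised offline.
CONSTRUCTED_PLAINTEXT = b"constructed-lzo-block-placeholder"
CONSTRUCTED_CAPTURE = rc4(REDLEAVES_RC4_KEY, CONSTRUCTED_PLAINTEXT)
```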