Background
On March 17, 2019, 360 Threat Intelligence Center intercepted a targeted attack sample, aimed at the Middle East, in which the suspected "Golden Rat" APT organization (APT-C-27) exploited the WinRAR vulnerability (CVE-2018-20250[6]). The malicious ACE archive contains an Office Word document that uses a terrorist attack as bait to induce the victim to extract the archive. When the victim extracts it with WinRAR on the local computer, the vulnerability is triggered, and on successful exploitation the built-in backdoor program (Telegram Desktop.exe) is dropped into the user's startup directory. When the user restarts or logs in to the system, the remote control Trojan is executed and the attacker gains control of the victim's computer.
Through correlation analysis, 360 Threat Intelligence Center found that this attack activity is suspected to be related to the "Golden Rat" APT organization (APT-C-27). Further tracing and correlation also uncovered multiple Android platform malicious samples related to this organization, mainly disguised as commonly used software and used to attack specific target groups. Combined with the attacker-related text in the malicious code, it can be inferred that the attacker is also familiar with Arabic.
Detection of backdoor program (TelegramDesktop.exe) on VirusTotal
Sample analysis
360 Threat Intelligence Center analyzed the sample that exploited the WinRAR vulnerability. The relevant analysis is as follows.
Using terrorist attacks to induce decompression
| MD5 | 314e8105f28530eb0bf54891b9b3ff69 |
| File name | |
This Office Word document is part of the malicious archive, and its content relates to a terrorist attack. Because of its political, geographical and other particularities, the Middle East has suffered numerous terrorist attacks and its people have suffered greatly. People in the region are therefore sensitive to terrorist attacks and similar incidents, which increases the likelihood that a victim will extract the file:
Translated content of the decoy document
If the user extracts the malicious archive, the WinRAR vulnerability is triggered, dropping the built-in backdoor program into the user's startup directory:
The dropped backdoor program Telegram Desktop.exe is executed when the user restarts the computer or logs in to the system.
Backdoor (Telegram Desktop.exe)
| File name | Telegram Desktop.exe |
| MD5 | 36027a4abfb702107a103478f6af49be |
| SHA256 | 76fd23de8f977f51d832a87d7b0f7692a0ff8af333d74fa5ade2e99fec010689 |
| Compilation information | .NET |
The backdoor program Telegram Desktop.exe reads data from its PE resources and writes it to %TEMP%\Telegram Desktop.vbs, then executes the VBS script and sleeps for 17 seconds to wait for the script to finish:
The main function of this VBS script is to Base64-decode a built-in string, write the decoded data to the file %TEMP%\Process.exe, and finally execute Process.exe:
After Process.exe runs, it creates the file 1717.txt in the %TEMP% directory and writes into it data related to the final backdoor program, for later use by Telegram Desktop.exe:
Telegram Desktop.exe then reads the 1717.txt file and replaces the special characters in it:
It then Base64-decodes the data and loads the decoded data into memory:
The data finally loaded and executed in memory is the njRAT backdoor program. Its configuration information is as follows:
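The staged loader described above (strip filler characters from 1717.txt, Base64-decode, load a PE from memory) can be reproduced offline by an analyst to recover the final stage from a dropped file. The script below is an added example, not code from the report or from the sample; the report does not say which "special characters" the loader strips, so the junk set is an assumed placeholder, and the embedded input is a constructed MZ/PE skeleton rather than real malware.

```python
import base64
import binascii

# Assumption: the report does not list the "special characters" that
# Telegram Desktop.exe strips from 1717.txt, so this set is a placeholder.
DEFAULT_JUNK = set("!@#$%^&*")


def looks_like_pe(data):
    """Check the MZ stub and that e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_stage(blob, junk=DEFAULT_JUNK):
    """Strip junk and whitespace, Base64-decode, return the bytes only if they form a PE."""
    text = blob.decode("latin-1")
    cleaned = "".join(ch for ch in text if ch not in junk and not ch.isspace())
    cleaned += "=" * (-len(cleaned) % 4)  # tolerate stripped Base64 padding
    try:
        data = base64.b64decode(cleaned, validate=True)
    except (ValueError, binascii.Error):
        return None
    return data if looks_like_pe(data) else None


# Constructed sample: a minimal MZ/PE skeleton (not a runnable executable),
# Base64-encoded, line-wrapped and sprinkled with junk characters the way the
# report describes the obfuscated 1717.txt.
_FAKE_PE = b"MZ" + b"\0" * 58 + (64).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 20
_B64 = base64.b64encode(_FAKE_PE).decode()
DEMO_INPUT = ("\r\n".join(_B64[i:i + 16] for i in range(0, len(_B64), 16))
              .replace("A", "A#").replace("Q", "@Q")).encode()

if __name__ == "__main__":
    stage = recover_stage(DEMO_INPUT)
    print("recovered PE of %d bytes" % len(stage) if stage else "no PE recovered")
```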
njRAT
The memory-loaded njRAT backdoor first creates a mutex to ensure that only one instance is running:
It then checks whether its current running path is the path set in the configuration. If not, it copies itself to that path and starts execution from there:
It then disables the attachment checker and the firewall:
It starts a keylogging thread and writes the keylogging results to the registry:
It starts the communication thread, establishes communication with the C&C address, and receives and executes commands:
The njRAT remote control also has multiple functions such as remote shell, plug-in download and execution, remote desktop and file management:
Android platform sample analysis
Through VirusTotal, 360 Threat Intelligence Center also correlated multiple Android platform malicious samples recently used by the "Golden Rat" (APT-C-27) APT organization, which likewise use 82.137.255.56 as the C&C address (82.137.255.56:1740):
The recently correlated Android platform backdoor samples are mainly disguised as Android system updates, Office upgrade programs and other commonly used software. The following is our analysis of an Android sample disguised as an Office upgrader.
| File MD5 | 1cc32f2a351927777fc3b2ae5639f4d5 |
| File name | OfficeUpdate2019.apk |
After the Android sample starts, it induces the user to activate the device administrator, then hides its icon and runs in the background:
After inducing the user to complete the installation, the sample displays the following interface:
The sample then obtains the C&C IP address and port through Android's default SharedPreferences storage interface. If they cannot be obtained, it decodes the hard-coded default IP address and port:
Decoding algorithm of the IP address:
The final decoded IP address is 82.137.255.56; the hard-coded port value must also have 100 added to it to get the final port, 1740:
Once connected to the C&C address, the sample immediately sends check-in information, then receives and executes control commands. It can record audio, take photos, perform GPS positioning, upload contacts, call records, text messages and files, execute commands from the C&C server, and more.
The commands and functions of the Android backdoor sample are listed below:
| Command | Function |
|---|---|
| 16 | Heartbeat management |
| 17 | Connect |
| 18 | Get basic information of the specified file |
| 19 | Download file |
| 20 | Upload files |
| 21 | Delete files |
| 22 | Copy files according to C&C instructions |
| 23 | Move files according to C&C instructions |
| 24 | Rename file according to C&C instructions |
| 25 | Run file |
| 28 | Create directory according to C&C instructions |
| 29 | Execute C&C command |
| 30 | Execute a ping command |
| 31 | Get and upload contact information |
| 32 | Get and upload text messages |
| 33 | Get and upload call records |
| 34 | Start recording |
| 35 | Stop and upload the recording file |
| 36 | Take photos |
| 37 | Start GPS positioning |
| 38 | Stop GPS positioning and upload location information |
| 39 | Use the ip/port sent by the C&C server |
| 40 | Report the currently used ip/port to the C&C server |
| 41 | Get installed application information |
It is worth noting that the command responses returned by this sample contain Arabic-related information, so we speculate that the attacker is likely familiar with Arabic:
Tracing and correlation
Querying the C&C address of the backdoor captured this time (82.137.255.56:1921) shows that this IP address has been used many times by the APT-C-27 (Golden Rat) organization since 2017, and it is suspected to be one of the organization's own IP assets. On the big data correlation platform of 360 Network Research Institute, multiple samples associated with this IP address can be viewed:
Querying the C&C address on the 360 Threat Intelligence Center threat analysis platform (ti.360.net) also shows it labeled with APT-C-27 related tags:
The functional modules, code logic, language of the built-in strings, target groups, network assets and other characteristics of the Trojan samples (Windows and Android platforms) captured this time are highly similar to those of the Trojan samples used by APT-C-27 exposed earlier[2]. Therefore, 360 Threat Intelligence Center assesses that the samples intercepted this time are also related to the "Golden Rat" APT organization (APT-C-27).
As we predicted, attacks using the WinRAR vulnerability (CVE-2018-20250) to spread malicious programs are in an outbreak stage. 360 Threat Intelligence Center has previously observed multiple APT attacks using this vulnerability, and the targeted attack activity by the suspected "Golden Rat" APT organization (APT-C-27) intercepted this time is just one of many cases of this vulnerability being used for targeted attacks. 360 Threat Intelligence Center therefore once again reminds users to take timely measures against this vulnerability (see the "Mitigation Measures" section).
Mitigation Measures
1. The software vendor has released a new WinRAR version. 360 Threat Intelligence Center recommends that users promptly update WinRAR to the latest version (5.70 beta 1); the download addresses are as follows:
32-bit: http://win-rar.com/fileadmin/winrar-versions/wrar57b1.exe
64-bit: http://win-rar.com/fileadmin/winrar-versions/winrar-x64-57b1.exe
2. If the patch cannot be installed for the time being, you can directly delete the vulnerable DLL (UNACEV2.DLL). This does not affect general use, but an error will be reported when opening ACE files.
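To check both mitigation points and the host indicators named in this report in one pass, the following added triage script (not tooling from 360 Threat Intelligence Center) looks for UNACEV2.DLL in the WinRAR install directories and for the dropped file names and MD5 hashes from the report in the Startup folder and %TEMP%. The default Windows paths are assumed from environment variables; any directory can be passed in explicitly.

```python
import hashlib
import os
from pathlib import Path

# Indicators taken from the report above.
KNOWN_MD5 = {
    "36027a4abfb702107a103478f6af49be": "Telegram Desktop.exe (njRAT loader)",
    "314e8105f28530eb0bf54891b9b3ff69": "decoy Word document",
}
DROPPED_NAMES = {"telegram desktop.exe", "telegram desktop.vbs", "process.exe", "1717.txt"}
VULN_DLL = "unacev2.dll"


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _files(directory):
    """Regular files in a directory; empty or missing directories yield nothing."""
    p = Path(directory) if directory else None
    return [c for c in p.iterdir() if c.is_file()] if p and p.is_dir() else []


def scan_host(winrar_dirs, artifact_dirs):
    """Return (category, path, detail) tuples for every finding."""
    findings = []
    for d in winrar_dirs:
        for p in _files(d):
            if p.name.lower() == VULN_DLL:
                findings.append(("vulnerable_dll", str(p),
                                 "UNACEV2.DLL present: update WinRAR or delete the DLL"))
    for d in artifact_dirs:
        for p in _files(d):
            digest = md5_of(p)
            if digest in KNOWN_MD5:
                findings.append(("known_sample", str(p), KNOWN_MD5[digest]))
            elif p.name.lower() in DROPPED_NAMES:
                findings.append(("suspicious_name", str(p),
                                 "file name matches an artifact dropped by the sample"))
    return findings


def default_locations():
    """Assumed Windows paths: WinRAR install dirs, per-user Startup folder and %TEMP%."""
    winrar = [os.path.join(os.environ.get(v, ""), "WinRAR")
              for v in ("ProgramFiles", "ProgramFiles(x86)")]
    startup = os.path.join(os.environ.get("APPDATA", ""),
                           r"Microsoft\Windows\Start Menu\Programs\Startup")
    return winrar, [startup, os.environ.get("TEMP", "")]


if __name__ == "__main__":
    for category, path, detail in scan_host(*default_locations()):
        print(f"[{category}] {path}: {detail}")
```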
Currently, all products based on the threat intelligence data of 360 Threat Intelligence Center, including 360 Threat Intelligence Platform (TIP), Tianqing, Tianyan Advanced Threat Detection System and 360 NGSOC, already support accurate detection of such attacks.