© 2021 Tatva Networks (P) Limited

APT39 Malicious Activity and Tools

The FLASH alert describes multiple malware variants that Rana used in its operations, including indicators of compromise (IOCs) and sets of YARA rules that the FBI developed to identify samples. The report covers variants of malicious Visual Basic Script (VBS), AutoIt malware, two executables that leverage the Background Intelligent Transfer Service (BITS), an executable that mimics the Firefox web browser, a Python-based malware script, a malicious Android Package (APK), and a malicious Microsoft Cabinet file named depot.dat.

  • VBS Malware

APT39 embedded multiple VBS scripts inside Microsoft Office documents, which it sent to victims via spear phishing and other techniques that use social engineering. When a victim opens one of the documents, the VBS code will:

  1. Deobfuscate and run two scripts: one PowerShell, and another VBS.
  2. Configure download and upload paths on the victim’s computer.
  3. Set up a scheduled task to run the VBS file from step one every two minutes.
  4. Run the PowerShell script from step one.
  5. Communicate with a command and control (C2) server using a URL of the form <actor IP or URL>:port/update.php?req=<victim identifier>. This URL is preceded by information specifying an action: download data, upload data, or download a batch file.

Both the VBS and the PowerShell scripts work to upload a victim’s files and execute commands locally via cmd.exe.
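As an added example (not from the FLASH report or this post), the following Python scans constructed proxy-log lines for the update.php?req= beacon shape from step 5 and flags clients that hit it on the two-minute cadence of the scheduled task from step 3. The log format, addresses, port and victim identifiers are assumed; the AutoIt variant below beacons the same way, so the same check applies to it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Beacon shape described in the report: <actor IP or URL>:port/update.php?req=<victim identifier>
BEACON_RE = re.compile(
    r"^https?://(?P<host>[^/:\s]+):(?P<port>\d+)/update\.php\?req=(?P<victim>[^&\s]+)"
)

# Constructed proxy log (assumed format: "timestamp client_ip method url"); not real traffic.
SAMPLE_LOG = """\
2021-09-20T10:00:02Z 10.1.2.3 GET http://203.0.113.10:8080/update.php?req=WS-0042
2021-09-20T10:00:05Z 10.1.2.3 GET http://www.example.com/index.html
2021-09-20T10:02:02Z 10.1.2.3 GET http://203.0.113.10:8080/update.php?req=WS-0042
2021-09-20T10:04:03Z 10.1.2.3 GET http://203.0.113.10:8080/update.php?req=WS-0042
2021-09-20T10:06:01Z 10.1.2.3 GET http://203.0.113.10:8080/update.php?req=WS-0042
2021-09-20T10:07:00Z 10.1.2.9 GET http://203.0.113.10:8080/update.php?req=WS-0099
"""


def parse_line(line):
    """Return (timestamp, client, host, port, victim) for a beacon-shaped URL, else None."""
    ts, client, _method, url = line.split(maxsplit=3)
    m = BEACON_RE.match(url)
    if not m:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, m["host"], m["port"], m["victim"]


def find_beacons(log_text, period=timedelta(minutes=2), jitter=timedelta(seconds=15), min_hits=3):
    """Group update.php?req= requests by (client, C2 host:port, victim id) and report
    groups whose consecutive request intervals sit within `jitter` of the two-minute period."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, client, host, port, victim = parsed
            groups[(client, f"{host}:{port}", victim)].append(ts)
    alerts = []
    for (client, c2, victim), times in groups.items():
        times.sort()
        if len(times) < min_hits:
            continue  # too few requests to judge periodicity
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        periodic = [g for g in gaps if abs(g - period) <= jitter]
        if len(periodic) >= min_hits - 1:
            alerts.append({"client": client, "c2": c2, "victim_id": victim, "hits": len(times)})
    return alerts


if __name__ == "__main__":
    for alert in find_beacons(SAMPLE_LOG):
        print(alert)
```

A single hit such as the 10.1.2.9 line is not reported by the periodicity check, so pair this with a plain match on the URL shape if you want every occurrence surfaced.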

  • AutoIt Malware

APT39 leveraged several AutoIt scripts, which were likely embedded in Microsoft Office documents or malicious links, then sent to victims via a technique such as spear phishing. The FBI’s analysis determined these scripts to be similar in nature to the VBS malware. Each will:

  1. Perform a DNS flush.
  2. Create upload and download directories on the victim’s computer.
  3. Check for, then update the following registry key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion.
  4. Communicate with a C2, similar to the VBS scripts in the previous section.

  • BITS 1.0 Malware

Both the VBS and AutoIt malware download this malware, which uses Microsoft’s Background Intelligent Transfer Service (BITS) to upload a victim’s data to a C2 server. The FBI’s analysis showed that this malware installs a dropper containing two Microsoft cabinet (CAB) files. One of them is empty, while the other contains two Microsoft executable files (EXEs), along with XML files that create and run scheduled tasks to upload victim data. The two EXE files in the CAB exfiltrate the victim’s data to attacker infrastructure via BITS.

  • BITS 2.0 Malware

This variant is similar to the BITS 1.0 malware above in how it communicates with attacker infrastructure, but it has significant technical differences. Compared to the BITS 1.0 malware, the BITS 2.0 malware is a self-extracting executable containing an image, a VBS file, and another EXE. The VBS file creates and runs a persistent scheduled task to exfiltrate data; the EXE leverages BITS to exfiltrate data to attacker infrastructure.

  • Firefox Malware

This malware masquerades as a legitimate Firefox executable. It contains files and functionality that allow it to:

  • Compress / decompress files,
  • Log keyboard activity,
  • Capture screenshots, and
  • Communicate with a C2.

  • Python-Based Malware

This Python-based malware came packaged in a Roshal Archive (RAR) file. When it runs, it reaches out via HTTP to a C2 server and downloads additional malware. The FBI did not specify the nature or function of that additional malware.

  • Android Malware

APT39 used a malicious APK named optimizer.apk that was designed to communicate with the C2 server saveingone[.]com, and can:

  • Record audio,
  • Take photos, and
  • Exfiltrate data to a C2 server.

  • depot.dat Malware

The depot.dat malware is a Microsoft CAB file containing four dynamic link libraries (DLLs) that can perform keylogging and capture screenshots of the victim’s computer. A separate dropper file decrypts the files in depot.dat and achieves persistence for them by overriding the SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows registry key.

Prevention and Mitigation

The FBI FLASH report provides the following set of recommendations to mitigate this malware:

  • Employ regular updates to applications and the host operating system to ensure protection against known vulnerabilities.
  • Establish, and back up offline, a “known good” version of the relevant server, and a regular change-management policy to enable monitoring for alterations to servable content with a file integrity system.
  • Employ user input validation to restrict local and remote file inclusion vulnerabilities.
  • Implement a least-privileges policy on the Webserver to:
    • Reduce adversaries’ ability to escalate privileges or pivot laterally to other hosts.
    • Control creation and execution of files in particular directories.
  • If not already present, consider deploying a demilitarized zone (DMZ) between the Web-facing systems and corporate network. Limiting the interaction and logging traffic between the two provides a method to identify possible malicious activity.
  • Ensure a secure configuration of Webservers. All unnecessary services and ports should be disabled or blocked. All necessary services and ports should be restricted where feasible. This can include whitelisting or blocking external access to administration panels and not using default login credentials.
  • Use a reverse proxy or alternative service to restrict accessible URL paths to known legitimate ones.
  • Conduct regular system and application vulnerability scans to establish areas of risk. While this method does not protect against zero-day attacks, it will highlight possible areas of concern.
  • Deploy a Web application firewall and conduct regular virus signature checks, application fuzzing, code reviews, and server network analysis.

Indicators of Compromise

Below is a list of MD5 hashes representative of each malware variant. In-depth YARA rules for each are included in the FLASH report.

Indicator                         Description
9f7c280b20d021f0a0984d1ad0aeba41  VBS Malware MD5
486aa8849c173450911f886116f4b5d6  AutoIt Malware MD5
91e1793bd5f3f274ddb22b47662cb860  BITS 1.0 Malware MD5
2f01092e9cd49448b0de7da48e545682  BITS 1.0 Malware MD5
0d6d385354584264e2b37ff3a199ea04  BITS 1.0 Malware MD5
8f848b67af0d6ad3dd3419c9d11c28c1  BITS 1.0 Malware MD5
45045fa9d428f29e8a3a988048e3aff1  BITS 1.0 Malware MD5
43124f6d418b086f3107a8cb708c3d2b  BITS 2.0 Malware MD5
6269e8ae9d86c648c15e41c7d89509ab  BITS 2.0 Malware MD5
eee655c5522267d63314a0b20162d619  Firefox Malware MD5
de8986682ab25d98448e688506250b94  Python Malware MD5
50ded657ff5a1c80d736fe3b80beb87f  Python Malware MD5
426351383DFE8F88A0959A9D5E8C43C7  Android Malware MD5
saveingone[.]com                  Android Malware C2
59c2c1c6451417f054efaee32416c652  depot.dat MD5
