
[CB21] Operation Software Concepts: A Beautiful Envelope for Wrapping Weapon by Rintaro Koike, Shogo Hayashi and Ryuichi Tanabe


In April 2021, we observed a new targeted attack campaign, which we named "Operation Software Concepts". Operation Software Concepts targeted Russia, Mongolia and South Korea using previously unknown malware. Some of the malware is associated with past attacks related to the Royal Road RTF Weaponizer and with ShimRAT by Mofang. In this presentation, we show the whole case of Operation Software Concepts, the detailed analysis results for the malware used in the operation, and its relations to several past attack cases. Afterwards, we explain the connection to some attack groups.


  1. Operation Software Concepts: Beautiful Envelope for Wrapping Weapon
     NTT Security (Japan) KK: Rintaro Koike, Shogo Hayashi, Ryuichi Tanabe
  2. About us (© NTT All Rights Reserved 2021)
     • Rintaro Koike (小池 倫太郎)
       › Security analyst at NTT Security Japan (threat research, malware analysis)
       › Founder of nao_sec
     • Shogo Hayashi (林 匠悟)
       › Security analyst at NTT Security Japan (responding to EDR detections, creating custom signatures)
       › Co-founder of SOCYETI
     • Ryuichi Tanabe (田邉 龍一)
       › Security analyst at NTT Security Japan (responding to EDR detections, malware analysis)
       › Speaker at VB2021 localhost and TheSAS2021
  3. Motivation & Goal: Operation Software Concepts
     • Introducing the campaign overview
       › Targets, characteristics, purpose
     • Showing detailed analysis results
       › SSV Dropper, SSV Downloader, SSV RAT and WerNis RAT
     • Considering relationships and attribution
  4. Agenda
     1. Attack Overview
     2. Malware Analysis
     3. Attribution
     4. Wrap-Up
  5. Attack Flow (diagram; node and edge labels as they appear on the slide)
     • Nodes: SCR SSV Dropper; EXE Legitimate-A + DLL SSV Downloader; Malware Server; SSV RAT; C&C Server-A; EXE Legitimate-B + Data (WerNis RAT); EXE Legitimate-C; C&C Server-B; EXE Loader + Data (Mimikatz) + DLL Decoder; Domain Controller (Zerologon)
     • Edge labels: Create & Execute, Download, Load, Execute, Inject, Download, Load
  6. Evasion Techniques: techniques used in Operation Software Concepts
     • Valid signature
       › SSV Dropper
     • DLL Side-Loading
       › Symantec Endpoint Protection (RtvStart.exe)
       › Microsoft Edge Update (MicrosoftEdgeUpdate.exe)
     • Process Injection
       › WerNis RAT (dllhost.exe)
     • Loader & Encoded Data
       › SSV Downloader, WerNis RAT, Mimikatz
  7. Attack Operation Timeline (2021-04-22)
     Time (JST)      Object       Description
     16:32           SSV RAT      Executed and accessed C&C server
     16:44 – 16:55   SSV RAT      Investigated environment of host
     17:09           SSV RAT      Downloaded WerNis RAT from C&C server
     17:15           WerNis RAT   Executed and accessed C&C server
     17:17 – 17:43   WerNis RAT   Investigated environment of Active Directory
     17:52           Mimikatz     Exploited DC by Zerologon
     17:47 – 17:56   WerNis RAT   Captured desktop many times
     18:08           -            Attacker stopped operation
  8. Malware Analysis (section divider)
  9. SSV Dropper: with a valid signature
     • SOFTWARE CONCEPTS LIMITED
     1. Drop exe + dll files
       › C:\ProgramData\Apacha
         » ssvagent.exe
         » MSVCR110.dll
     2. Execute ssvagent.exe
     (diagram: SSV Dropper (Signed) → Legit EXE + SSV Downloader)
  10. SSV Downloader: DLL Side-Loading
     • ssvagent.exe
       › Legitimate & signed exe file: Symantec Endpoint Protection (RtvStart.exe)
     • MSVCR110.dll
       › SSV Downloader
       › Downloads encoded SSV RAT from https[:]//www.flushcdn[.]com/download/image9588.jpg
     (diagram: Legit EXE + SSV Downloader → www.flushcdn[.]com → SSV RAT)
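The side-loading pattern on slides 6, 9 and 10 (a signed vendor binary dropped into C:\ProgramData\Apacha that resolves MSVCR110.dll from its own directory) is detectable from image-load telemetry. The following heuristic is an added example for this write-up, not tooling from the presenters: it reads Sysmon-style Event ID 7 records (field names Image, ImageLoaded and Signed, where Signed describes the loaded DLL), and the sample records, the trusted/user-writable path roots and the runtime DLL names other than MSVCR110.dll are constructed assumptions.

```python
"""Heuristic DLL side-loading check over Sysmon-style image-load (Event ID 7) records."""
import ntpath

# Path roots are assumptions for this example; comparisons are case-insensitive.
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                 "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE_ROOTS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
# DLL names that normally resolve from a system directory. MSVCR110.dll is the one on the
# slides; the other names are assumed additions that follow the same pattern.
RUNTIME_DLLS = {"msvcr110.dll", "msvcr120.dll", "vcruntime140.dll", "version.dll", "dbghelp.dll"}


def _under(path: str, roots) -> bool:
    return any(path.startswith(root) for root in roots)


def assess_image_load(event: dict) -> list:
    """Return the reasons an image-load record looks like side-loading (empty list = benign)."""
    image = event["Image"].lower()
    loaded = event["ImageLoaded"].lower()
    # Side-loading needs the DLL next to the executable, and outside a trusted install location.
    if ntpath.dirname(image) != ntpath.dirname(loaded) or _under(loaded, TRUSTED_ROOTS):
        return []
    name = ntpath.basename(loaded)
    reasons = []
    if name in RUNTIME_DLLS:
        reasons.append(f"{name} resolved from the executable's directory instead of a system directory")
    if event.get("Signed", "false").lower() != "true":
        reasons.append("loaded DLL is unsigned")
    if not reasons:
        return []  # a signed, vendor-named DLL beside its own application is normal
    if _under(image, USER_WRITABLE_ROOTS):
        reasons.append("host executable runs from a user-writable directory")
    return reasons


def scan(events) -> list:
    """Collect (image, dll, reasons) for every record that assess_image_load flags."""
    hits = []
    for ev in events:
        reasons = assess_image_load(ev)
        if reasons:
            hits.append((ev["Image"], ev["ImageLoaded"], reasons))
    return hits


# Constructed records. The first mirrors slides 9/10; its Signed value is assumed, since the
# slides do not state the DLL's signature status. The rest are benign controls.
SAMPLE_EVENTS = [
    {"Image": "C:\\ProgramData\\Apacha\\ssvagent.exe",
     "ImageLoaded": "C:\\ProgramData\\Apacha\\MSVCR110.dll", "Signed": "false"},
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Windows\\System32\\MSVCR110.dll", "Signed": "true"},
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll", "Signed": "true"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for image, dll, reasons in scan(SAMPLE_EVENTS):
        print(f"{image} <- {dll}")
        for reason in reasons:
            print("  -", reason)
```

Only the ProgramData and Temp records are flagged; the same DLL name loaded from System32, or a signed helper beside an application under Program Files, passes. In production the runtime-DLL list should be driven by an inventory of what your endpoints actually ship, and the image-load telemetry should be joined with the process-create event so the host binary's own signer (here Symantec) can be shown alongside the verdict.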
  11. SSV Downloader: MSVCR110.dll
     • SSV Downloader
       › Decodes "image9588.jpg"
         » 5-byte XOR key: [0x0e, 0x06, 0x33, 0x11, 0x12]
         » This actor prefers to use 5-byte XOR
  12. SSV RAT: basic RAT
     • File operation: download, upload, create, delete, move, copy, search
       › Download & execute WerNis RAT
     • Process operation: create, kill self
     • Traffic: RC4 encoded (Key: 0x1fa8cc16)
     (diagram: SSV RAT → DATA + Legit EXE + Decoder → WerNis RAT (Encoded); C&C: api.flushcdn[.]com, api.hostupoeui[.]com)
  13. WerNis RAT: 2nd RAT
     • Mutex: WerNisSvc3
     • File operation: download, upload, delete, move, copy, search
       › Download & execute Mimikatz
     (diagram: DATA + Legit EXE + Decoder → WerNis RAT (Encoded); C&C: info.hostupoeui[.]com; DATA + Decoder → Mimikatz (Encoded))
  14. WerNis RAT: 2nd RAT
     • Process operation: create, remote shell
     • Information theft: system/disk information, desktop screen, keylogging
       › Encoded (XOR 0x7f) & written to "SetEvent.dll"
     • Traffic: HTTPS communication
  15. Tools: Mimikatz
     • mm.exe
       › Decodes crack.dll
         » 5-byte XOR key: [0x09, 0x12, 0x0e, 0x47, 0x51]
     • crack.dll
       › Encoded Mimikatz
     • Attacker exploited Zerologon
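Slides 11, 14 and 15 describe three XOR layers an analyst has to peel back: two 5-byte repeating keys (for image9588.jpg and crack.dll) and a single byte 0x7f for the WerNis RAT log file. The block below is an added example for this write-up, not the presenters' code; it decodes with the keys from the slides and, for a payload whose key is not yet known, recovers a repeating key of known length with a standard analyst heuristic (0x00 dominates a PE image, so the most frequent ciphertext byte at each key position is the key byte itself). The heuristic, the MZ/PE sanity check and the sample blob are assumptions of this example, not something the slides state.

```python
"""Decode and key-recover the repeating-key XOR layers described on slides 11, 14 and 15."""
from collections import Counter
from itertools import cycle

SSV_DOWNLOADER_KEY = bytes([0x0e, 0x06, 0x33, 0x11, 0x12])   # image9588.jpg -> SSV RAT (slide 11)
MIMIKATZ_LOADER_KEY = bytes([0x09, 0x12, 0x0e, 0x47, 0x51])  # crack.dll -> Mimikatz (slide 15)
WERNIS_LOG_KEY = bytes([0x7f])                               # SetEvent.dll log data (slide 14)


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; it is its own inverse, so the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on a decoded blob: MZ header and e_lfanew pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_repeating_xor_key(encoded: bytes, key_len: int) -> bytes:
    """Assumed analyst technique (not from the slides): for each key position, the most
    common ciphertext byte is key ^ 0x00, because 0x00 is the most common byte in a PE."""
    return bytes(Counter(encoded[i::key_len]).most_common(1)[0][0] for i in range(key_len))


def decode_with_unknown_key(encoded: bytes, key_len: int = 5):
    """Return (key, plaintext) when the recovered key yields a PE image, else (None, None)."""
    key = recover_repeating_xor_key(encoded, key_len)
    plain = xor_decode(encoded, key)
    return (key, plain) if looks_like_pe(plain) else (None, None)


def build_sample_pe_like() -> bytes:
    """Constructed stand-in for a payload: a zero-filled buffer with a valid MZ/PE skeleton."""
    blob = bytearray(512)
    blob[0:2] = b"MZ"
    blob[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew -> PE signature at 0x80
    blob[0x80:0x84] = b"PE\0\0"
    blob[0x100:0x110] = b"constructed text"
    return bytes(blob)


if __name__ == "__main__":
    sample = build_sample_pe_like()
    encoded = xor_decode(sample, MIMIKATZ_LOADER_KEY)       # what crack.dll would look like on disk
    key, plain = decode_with_unknown_key(encoded)
    print("recovered key:", key.hex(), "matches slide 15:", key == MIMIKATZ_LOADER_KEY)
    log = xor_decode(b"constructed keystrokes", WERNIS_LOG_KEY)  # what SetEvent.dll would hold
    print("keylog round-trip:", xor_decode(log, WERNIS_LOG_KEY))
```

The frequency heuristic only works when the key is short relative to the payload and the plaintext is zero-heavy, which holds for a PE but not for the keylog file, where the single-byte key comes from the slide rather than from recovery. Using the PE check as the acceptance test, rather than trusting the recovered key blindly, is what keeps a false key from being reported as a result.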
  16. Attribution (section divider)
  17. Activity Timeline (diagram; axis Mar-2019, May-2020, Dec-2020, Jan-2021, Mar-2021, May-2021, Jul-2021; rows RU and MN; event labels as on the slide)
     • WerNis RAT + Lockdown Loader + ShadowPad
     • SSV Dropper -> SSV Downloader
     • Royal Road RTF -> SSV Dropper -> SSV Downloader
     • SSV Dropper (looks like Able Soft) -> CobaltStrike Beacon
     • Malicious document files -> PowerShell
     • SSV Dropper -> SSV Downloader etc
     • Tonto exploited Exchange Server and executed ShadowPad
     • SSV Dropper -> SSV Downloader
     • Lockdown Loader -> ShimRAT
  18. Past SSV family cases
     • In March 2019, SSV Dropper and SSV Downloader were observed in an attack using Royal Road RTF against Mongolia
     • In May 2020, SSV Dropper "AbleRepair.exe" executed CobaltStrike Beacon
     (diagrams: Royal Road RTF → SSV Dropper → Legit EXE + SSV Downloader; SSV Dropper (AbleRepair.exe) → DATA + Legit EXE + Decoder → CobaltStrike Beacon)
  19. Past SSV family cases
     • In January 2021, SSV Dropper executed SSV Downloader. This can be related to an attack case against Mongolia in December 2020.
     (diagram: SSV Dropper (news.exe) → Legit EXE + SSV Downloader; document with macro → PS1; "? drmtake[.]tk in December 2020")
  20. Past case using WerNis RAT
     • In March 2021, a Russian defense company submitted several files to VirusTotal at the same time
       › WerNis RAT Loader (with huge padding)
       › Lockdown Loader (with huge padding)
       › ShadowPad
  21. Lockdown Loader: characteristics
     • A loader for executing encoded malware
     • In May 2021, a Lockdown Loader executing ShimRAT was observed
     • Mainly observed in Russia
     • Sometimes contains huge padding data
     (diagram: Dropper → DATA + Legit EXE + Lockdown Loader → ShimRAT)
  22. Overlap with others: APT31 (BRONZE VINEWOOD)
     • HanaLoader/RAT and the SSV family are similar
       › DLL Side-Loading
       › File path and name
       › Registry key
       › Self-deleting method
       › Target organization
       › Using Mimikatz
     • Using TopDNS as name server
       › Operation Software Concepts
       › Russian incident (in March 2021)
       › Recent Mofang activities
  23. Overlap with others: Vicious Panda
     • Same target
       › 2020/03: Royal Road RTF
       › 2021/08: SSV Dropper
     • https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/
  24. Relationship diagram (nodes as on the slide)
     • Groups: APT31, Tonto, Mofang
     • Cases/reports: Secureworks Report, Recent Mofang Activity, Royal Road Related Attack, Microsoft Exchange Related Attack, Operation Software Concepts, Russian Incident
     • Tools/infrastructure: SSV RAT, SSV Downloader, SSV Dropper, WerNis RAT, Lockdown Loader, ShadowPad, ShimRAT, TopDNS NameServer
  25. Wrap-Up (section divider)
  26. Wrap-Up: Operation Software Concepts
     • Targeting the Russian and Mongolian government or defense sector
     • Multiple stages
       › SSV Dropper drops and executes SSV Downloader
       › SSV Downloader downloads SSV RAT to operate remotely
       › WerNis RAT and Mimikatz can be additionally downloaded and executed
     • The SSV family has been in use since at least March 2019
     • Overlapping with various attack groups such as Tonto, APT31 and Mofang
     • One of these groups may have attacked, or the tools may be shared between these groups
  27. Any Questions?
  28. Appendix: IOC: SSV Dropper
     • 2b495829b8b3319f98e22f35d7bd48c4dea1b9bafe80749d628da99fede6d694
     • c3bf8fb3dbbce74d3448d7608ea6dd0567f6bcc437693abd1dcab0ab7fb48155
     • 5d0872d07c6837dbc3bfa85fd8f79da3d83d7bb7504a6de7305833090b214f2c
     • 78cc364e761701455bdc4bce100c2836566e662b87b5c28251c178eba2e9ce7e
     • be5431c999094078e617ce27d27a064b44616421bde334e0bc6fe625ce961ced
     • 002dc9f6823ad8d3de23bcb5e41bcefd895df573ed3d89e0821243aa9b7bb4a8
     • 679955ff2a97ea11a181ae60c775eff78fadd767bc641ca0d1cff86a26df8ac8
     • 8276c2c3a9680de856f5d6dc920a63445b430496ad16c0f3f45ccaf0e995b296
     • 874b946b674715c580e7b379e9597e48c85c04cca3a2790d943f56600b575d2f
  29. Appendix: IOC: SSV Dropper (continued)
     • 33f136069d7c3a030b2e0738a5ee80d442dee1a202f6937121fa4e92a775fead
     • 80de328bd22e08855af9d05532b89087d2605f6c469925f48e1cc774e7375304
     • eb1005ae12b883a69e81d0f1c0dd162b5e48ada337c163ffbca5d62473913a73
     • 9ad30d25e74c272a7965f52a5c06f7343df9a493d21d16b339cc0dc65be8cc2a
  30. Appendix: IOC: SSV Downloader
     • cff71b69e36cd552ab2eb9bc605269bb6859ddaff2151d1361b0306b922f8a0f
     • c15a475f8324fdfcd959ffc40bcbee655cbdc5ab9cbda0caf59d63700989766f
     • 93eb4a701aac14be362389665a36f7f0747f118e3fc2095bb93c0ceff72ae605
     • 00cf3b462059908085fef43e65417e0cca1ac0314cad8af7d89fb34c01f75a03
     • 4d9c89a590deb5f3cda6001ea46f8fe2a6ada74e75a8ad14f5c1d14c2980dc47
     • 71bd4e5847776d6731510220c3fdf16ad7a55088bd43681cdb408cb9fde59b3d
     • 7a16da50a63f7a181d07b45ae552c87ee9ffeb78c512405bd9bf6243f920d56c
     • 48ca9a8188c6d640f20c93a9a106cedc0f78251e4f6c5ad4eacc0266862c9499
     • 9b0557eda035fc5817c2a6ab33859bb824389638afc41f9ba49221b312638b64
  31. Appendix: IOC: SSV Downloader (continued)
     • e724b1ffb3b7aea4c9397a8db348fac3576633faced1c80c739bb439f8b3f8fa
     • 354bd3dc0f36663e12ec38e302dcfc7a3e57ee13dced3c8a2ff0257532106d3d
     • b65c14519f2de3115051b0b0ad7ec1cd207ac66228c95006abc9a6b660c2c278
     • 0b3d5dd39b60eb43298f4ab89f2c339acf4dc8609d2f7ad6fa1649fd36f5da88
     • 34524a538828a976a131c1a9f38294fd50faf0bf671b299e5978b063d3532604
     • 61f2a08b3d113fcb57693fb4d392e8327e688e2f126c4286b3d00d72b5098e09
     • 900b77a3fb472a8c7a7853e16c736a7eee5607a13bff3c904700815039d0ac90
  32. Appendix: IOC: SSV RAT
     • 3e3a7233b46f59ae480f970a9a405756a576447e10676f59c61381ba2789a7cf
     • 2affdebbaa4f0cfa64e5c42e70d78665ef9ccb2c731c5fe07582ccdfdc05b0cc
     • 727302e57ca2cc3d514786adf940ce1f6665905664856a89ff6be5eb90b1121c
     • 7b68299383c3f896e13a5990febba55c7ae6f615e07705125aa15771cd401f5d
     • b993aab918421ad79964d5d719a4988778ab5a09fc4c699a041fd07fc678dcb5
     • 070eeb088a46942f50832a3207ab44b843f293f9685344e04744fe4586f9631e
  33. Appendix: IOC: WerNis RAT and Mimikatz
     • WerNis RAT
       › 72c4c4d80f5878fe80c7cd2552020ea1c7e2c1d1b5ce7fa6b8a172b050d70aac
       › a2c65fd4baa610e4d6c764d5ac2cbbce8b4226ca34ce34a8544a5dd09e056a48
       › 54d299f45472f0b5aebf7d5461723a23687f521c0878b4a364a25f92372abab1
     • Mimikatz
       › 596070358c9cff3358f265cbc4d518c37edb748126dc1b9cdff31943c9608e54
       › 2b391473abb5608f666fde872e8c2f126e126034143f39a159c9e13daa056d2c
  34. Appendix: IOC: Lockdown Loader
     • 5bc1ea08648b5683b506fe2934999b881516f286b421b92cb45ec8ad8aeb7481
     • aaf8bb3d65022444cea3b4810a519b3fb2cecd6fa1c2aae8ef4a55a5f6a007ae
     • 3b3357f44d2ab14090dd77c1d49be70bfe1f8183cd9f30bfbb1cd845587af4d2
     • d4ed5d54f422e7702667e0d7723249e5966b52450adf95e7998358c18d3ca2b2
     • 9b0c3478bb2a8f08fca66faaf4a005bf6002266a87e9e6a53690ac4207d2c496
     • 905e4e31a499b4982470ed69c756464f3ad5df4e6242fb299ed54d572ffe18f5
     • 58cc619c251087e56f761a5c277218785b76138eae357b0f12f955ddf59f5fff
     • 25750e8196ba73188a91eba8fb2c767bda7450361acc869fbfc86829ed2888e5
  35. Appendix: IOC: ShimRAT, ShadowPad and malicious document files
     • ShimRAT
       › 4ce6e6da83eb521e8735c178b711449c37d2224414a4f05b394e6f80e936a5b4
       › 1098eb0ca4e34ca63ba40dd537d00e858c36e14044a6a592c306877401478ffe
       › d158cf4fa1a954d1fd5609f67a764fbab188dc03916400caaa15b4c3500ea291
     • ShadowPad
       › 83025b94d64e778d9ab800152b239ddc5b19074779d164af89da564367f8aee0
     • Malicious document file
       › b83b1a3fbec8bf0a54bf03ebd89c82d1da00b3012d135974b0183545a3878621
       › a92d4b23c85c59c60227a26a9aac6a38520b2d5b52424db2962257c14198501a
       › a3e81e5bbf5beeb9568f0c801b2407e33cf9bcc0c12842d6bd6bc62280add81d
