Weaponizing Historical Malware for Bio-Warfare APT-9

Working through the threat groups up to APT9 made us ask why emerging nations allegedly suspect China of these cyberattacks. To suspect China, those nations require additional information. As of now, the world powers say that all command-and-control servers are located in China, and that China is also the one that introduced the concept of the APT (Advanced Persistent Threat).

APT9

APT9 targets the biotechnology and pharmaceutical industries. The group gained initial access through spear-phishing mails, posing as a trusted party within the industry. APT9 uses malware that was already used by the APT1, APT4 and APT5 threat groups, modified to its needs so that antivirus engines cannot detect it because the hash values have changed. Most of the RATs and backdoors used in this attack have already been used by other threat groups in China, so this campaign is also suspected to originate from China.


Source: ITW

Malwares Used

HomeUnix, FunRun, Zxshell, Gh0st (APT1), Sogu (APT3), Photo (APT4), Poison Ivy, PlugX, Bigjolt, Jim A, SkinnyGene, Viceroy, Vipshell, Wethead, Xdoor.


Suspected Threat Group

  • Nightshade Panda (Group-27) or Flower Lady

Source: Slideshare

Other Attacks by the Same Threat Group

MoonWind targeting the Thai government: it is named MoonWind because the malware was compiled with the same Chinese compiler used for the BlackMoon banking Trojan. The two are not the same malware, but they were compiled with the same compiler.

Moonwind Malware Analysis

MoonWind collects keylogger output and some specifications of the infected machine and stores them in a .rar file.

Specifications the Malware Collects Include

  • Hostname
  • Username
  • Windows version
  • IP address
  • Current time
  • RAM amount
  • Number of total drives
  • Number of removable drives
  • Unique victim identifier

The Actual Operation

This malware spreads through compromised Thai government websites; once a machine is infected, the malware immediately creates "svcohost.exe" in one of the following directories.

  • C:\Documents and Settings\All Users\Ufyaginptxb
  • C:\Users\All Users\
  • C:\ProgramData\
  • C:\Program Files\Common Files\

Source: Bangkok Post

Then, as per the script, it executes the command below to start an instance:

  • cmd /c timeout /t 6 & del "C:\ProgramData\Ufyaginptxb\svcohost.exe" & del date.bat

It then creates a victim ID and stores it in "micr.ini", which is also located in the directory where the malware resides. Meanwhile, the script checks with a timer whether the instance is running in the background; if not, it spawns a new instance, creates a .rar file and stores the device specification details listed above in it. Finally, these are transferred to a command-and-control server, which is located at several places in the world, including China.
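As an added example (not code from this blog or from any published MoonWind analysis), here is a Python detection sketch that flags the behaviours described above in constructed Sysmon-style event records: the svcohost.exe and micr.ini drops in the listed directories, and the timeout-and-delete cleanup command. The event field names (EventID, TargetFilename, CommandLine) are assumptions, and the check deliberately distinguishes the dropped svcohost.exe from the legitimate Windows svchost.exe.

```python
import re
from pathlib import PureWindowsPath

# Drop directories from the page (lower-cased); C:\ProgramData as in the quoted command.
DROP_DIRS = {
    r"c:\documents and settings\all users\ufyaginptxb",
    r"c:\users\all users",
    r"c:\programdata",
    r"c:\program files\common files",
}
DROPPED_FILES = {"svcohost.exe", "micr.ini"}

# Self-deletion command from the page: cmd /c timeout /t N & del "...svcohost.exe" & del date.bat
SELF_DELETE = re.compile(
    r'cmd(?:\.exe)?\s+/c\s+timeout\s+/t\s+\d+\s*&\s*del\s+"?[^"&]*svcohost\.exe"?\s*&\s*del\s+date\.bat',
    re.IGNORECASE,
)

def _in_drop_dir(path: str) -> bool:
    """True if the file sits in, or one level below, a listed drop directory."""
    p = PureWindowsPath(path.lower())
    parent = str(p.parent).rstrip("\\")
    grandparent = str(p.parent.parent).rstrip("\\")
    return parent in DROP_DIRS or grandparent in DROP_DIRS

def classify(event: dict):
    """Return a label for the MoonWind behaviour this event matches, or None."""
    if event.get("EventID") == 11:  # file create
        name = PureWindowsPath(event.get("TargetFilename", "")).name.lower()
        if name in DROPPED_FILES and _in_drop_dir(event["TargetFilename"]):
            return f"moonwind_dropped_file:{name}"
    elif event.get("EventID") == 1:  # process create
        if SELF_DELETE.search(event.get("CommandLine", "")):
            return "moonwind_self_delete"
    return None

def scan(events: list) -> list:
    """Return the labels of all matching events, in log order."""
    return [label for e in events if (label := classify(e)) is not None]

# Constructed sample events (not real telemetry); the field names are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\ProgramData\Ufyaginptxb\svcohost.exe"},
    {"EventID": 11, "TargetFilename": r"C:\ProgramData\Ufyaginptxb\micr.ini"},
    {"EventID": 1, "CommandLine": r'cmd /c timeout /t 6 & del "C:\ProgramData\Ufyaginptxb\svcohost.exe" & del date.bat'},
    {"EventID": 11, "TargetFilename": r"C:\Windows\System32\svchost.exe"},  # real service host: no match
    {"EventID": 1, "CommandLine": r"cmd /c timeout /t 6 & del update.tmp"},  # timeout+del alone: no match
]
```

Running `scan(SAMPLE_EVENTS)` yields three labels for the first three events and nothing for the two benign ones.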

Suspected Attacks

Some of the Malware Used in APT9, Explained

PlugX Malware

RSA describes PlugX as a RAT (Remote Access Trojan) malware family that has been around since 2008 and is used as a backdoor to take full control of the victim's machine. Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system.

Gh0st Malware

Gh0st RAT is a Trojan horse for the Windows platform that the operators of GhostNet used to hack into many sensitive computer networks. It is a cyber-spying computer program. The "RAT" part of the name refers to the software's ability to operate as a "Remote Administration Tool".

SOGU Malware

This backdoor is commonly used by different threat groups in targeted attacks. PlugX is also referred to as KORPLUG, SOGU and DestroyRAT; it is a modular backdoor designed to rely on the execution of signed, legitimate executables to load malicious code.

Zxshell Malware

According to FireEye, ZXSHELL is a backdoor that can be downloaded from the internet, particularly Chinese hacker websites. The backdoor can launch port scans, run a keylogger, capture screenshots, set up an HTTP or SOCKS proxy, launch a reverse command shell, cause SYN floods, and transfer/delete/run files. The publicly available version of the tool provides a graphical user interface that malicious actors can use to interact with victim backdoors. Simplified Chinese is the language used for the bundled ZXSHELL documentation.

File Description: W32/Zxshell.A is a DLL file with an exported function ("Install"), which is called to install the backdoor.

X-Door Malware

Troj/Xdoor-A is a stealthy IRC backdoor Trojan that copies itself to <Windows system>\xmdm.exe and <Windows system>\dllcache\xmdm.exe. The backdoor runs as a hidden service process named xmdm (Microsoft Debugging Machine) under Windows 2000 and Windows XP. Troj/Xdoor-A logs on to predefined IRC servers and waits for backdoor commands. It is hidden from process and service listings, and its file xmdm.exe is also invisible in the above folders.

The other malware families listed above appear to be proprietary, and their hashes have not been disclosed to the public. It is therefore believed that the threat actor will reuse the same malware in upcoming APT campaigns, with tweaks to the source code.
