Weaponizing Historical Malware for Bio-Warfare APT-9
APT9
APT9 targets the biotechnology and pharmaceutical industries. The group gained initial access through spear-phishing emails and by posing as a trusted party within the industry. APT9 reuses malware previously deployed by the APT1, APT4 and APT5 threat groups, modified to fit its own needs; because the rebuilt binaries have different hash values, antivirus engines keyed on the original sample hashes do not flag them. Most of the RATs and backdoors used in these attacks have already been used by other China-based threat groups, so this activity is also suspected to originate from China.
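As an added illustration (not code from the original article), the following Python shows why modifying a reused binary defeats hash-based antivirus signatures while a content signature on an unchanged string still matches. The sample bytes, the IOC hash list and the byte pattern are all constructed for the example.

```python
import hashlib
from typing import Iterable, Set

# Constructed stand-in for a reused malware sample: a fake DOS header, padding,
# and one characteristic string an analyst might key a content signature on.
ORIGINAL_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"c2=203.0.113.10:443"          # constructed marker, not a real C2
    + b"\x00" * 32
)

# Constructed content signature: the marker string above.
CONTENT_PATTERNS = [b"c2=203.0.113.10:443"]


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def retool(blob: bytes, offset: int, value: int) -> bytes:
    """Model the 'modify the reused binary' step: change one byte in a padding
    region. Behaviour is unchanged, but every cryptographic hash differs."""
    buf = bytearray(blob)
    buf[offset] = value
    return bytes(buf)


def bytes_changed(a: bytes, b: bytes) -> int:
    """Count differing byte positions (plus any length difference)."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def hash_ioc_hit(blob: bytes, ioc_hashes: Set[str]) -> bool:
    """Exact-hash lookup: the check the article says the modified samples defeat."""
    return sha256_hex(blob) in ioc_hashes


def content_signature_hit(blob: bytes, patterns: Iterable[bytes]) -> bool:
    """Byte-pattern match (a minimal YARA-style rule); survives cosmetic edits."""
    return any(p in blob for p in patterns)


def compare(original: bytes, variant: bytes) -> dict:
    """Run both detection styles against the original and the retooled copy."""
    ioc_hashes = {sha256_hex(original)}       # what a hash-only feed would hold
    return {
        "bytes_changed": bytes_changed(original, variant),
        "hash_hit_original": hash_ioc_hit(original, ioc_hashes),
        "hash_hit_variant": hash_ioc_hit(variant, ioc_hashes),
        "content_hit_variant": content_signature_hit(variant, CONTENT_PATTERNS),
    }


if __name__ == "__main__":
    variant = retool(ORIGINAL_SAMPLE, offset=10, value=0x41)
    for key, val in compare(ORIGINAL_SAMPLE, variant).items():
        print(f"{key}: {val}")
```

A single changed byte is enough to miss every hash-only feed; detections for reused tooling should therefore rest on byte patterns, import tables or behaviour rather than on file hashes alone.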
Source: ITW
Malware Used
HomeUnix, FunRun, Zxshell, Gh0st (APT1), Sogu (APT3), Photo (APT4), Poison Ivy, PlugX, Bigjolt, Jim A, SkinnyGene, Viceroy, VipShell, Wethead, Xdoor.
Suspected Threat Group
- Nightshade Panda (Group-27) or Flower Lady
Moonwind, used to target the Thai government: the malware is named MoonWind because it was compiled with the same Chinese compiler used for the BlackMoon banking Trojan. The two are not the same malware; they only share a compiler.
Moonwind Malware Analysis
Moonwind logs keystrokes and collects a set of details about the infected machine, packaging them in a .rar file.
Details the Malware Collects
- Hostname
- Username
- Windows version
- IP address
- Current time
- RAM amount
- Number of total drives
- Number of removable drives
- Unique victim identifier
The Actual Operation
The malware is delivered through compromised Thai government websites. Once a machine is infected, the malware immediately creates svcohost.exe in one of the following directories:
- C:\Documents and Settings\All Users\Ufyaginptxb
- C:\Users\All Users\
- C:\ProgramData\
- C:\Program Files\Common Files\
Source: Bangkok Post
The dropper then runs the following command, which waits six seconds before deleting the dropped executable and the batch file that launched it, removing the initial stage from disk:
- cmd /c timeout /t 6 & del "C:\ProgramData\Ufyaginptxb\svcohost.exe" & del date.bat
It then generates a victim ID and stores it in micr.ini, in the same directory as the malware. The script also checks on a timer whether an instance is already running in the background and, if not, spawns a new one. The host details listed above are written to a .rar file, which is finally transferred to a command-and-control server; the C2 infrastructure is located in several countries, including China.
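Added detection example (not part of the article or of any vendor report): Python that runs a few host-based rules derived from the behaviour described above over constructed Sysmon-style process-creation and file-creation events. The event format and field names are assumptions for the example, as is the .rar file name; the drop directories, the svcohost.exe and micr.ini file names and the self-delete command line are those given above.

```python
import re
from typing import Dict, List, Tuple

# Parent directories the article lists for the dropped svcohost.exe
# (normalised to lower-case backslash form). Prefix match, since the
# random-looking subfolder (Ufyaginptxb above) may differ per infection.
DROP_DIR_PREFIXES = (
    r"c:\documents and settings\all users",
    r"c:\users\all users",
    r"c:\programdata",
    r"c:\program files\common files",
)

# "cmd /c timeout /t 6 & del ..." : wait, then delete the dropped binary.
SELF_DELETE_RE = re.compile(r"\btimeout\s+/t\s+\d+\s*&+\s*del\b", re.IGNORECASE)


def _norm(path: str) -> str:
    return path.replace("/", "\\").strip().lower()


def under_drop_dir(path: str) -> bool:
    p = _norm(path)
    return any(p.startswith(prefix + "\\") for prefix in DROP_DIR_PREFIXES)


def match_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule a single event triggers."""
    hits: List[str] = []
    kind = ev.get("event", "")
    if kind == "ProcessCreate":
        image = _norm(ev.get("image", ""))
        cmdline = ev.get("cmdline", "")
        if image.endswith("\\svcohost.exe") and under_drop_dir(image):
            hits.append("moonwind_dropper_image")
        if image.endswith("\\cmd.exe") and SELF_DELETE_RE.search(cmdline):
            hits.append("delayed_self_delete")
    elif kind == "FileCreate":
        target = _norm(ev.get("target", ""))
        if target.endswith("\\micr.ini") and under_drop_dir(target):
            hits.append("moonwind_victim_id_file")
        if target.endswith(".rar") and under_drop_dir(target):
            hits.append("staged_archive_in_drop_dir")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run every rule over a list of events; returns (event index, rule) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in match_event(ev)]


# Constructed sample telemetry (Sysmon-like fields, not real captures).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event": "ProcessCreate",
     "image": r"C:\ProgramData\Ufyaginptxb\svcohost.exe",
     "cmdline": r'"C:\ProgramData\Ufyaginptxb\svcohost.exe"'},
    {"event": "ProcessCreate",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c timeout /t 6 & del "C:\ProgramData\Ufyaginptxb\svcohost.exe" & del date.bat'},
    {"event": "FileCreate",
     "target": r"C:\ProgramData\Ufyaginptxb\micr.ini"},
    {"event": "FileCreate",
     "target": r"C:\ProgramData\Ufyaginptxb\20170301.rar"},   # archive name is assumed
    # Benign look-alikes that must not fire:
    {"event": "ProcessCreate",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"event": "ProcessCreate",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c timeout /t 6 & echo done"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The rules deliberately key on behaviour (a delayed `del` of the process's own binary, a victim-ID file and a staged archive appearing in a ProgramData-style drop directory) rather than on sample hashes, so they keep firing when the binary is rebuilt.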
Suspected Attacks
- Another attack by Group 27, on the Myanmar elections, using the Trochilus malware (GitHub)
- Targeting Vietnamese pharmaceutical companies using the PlugX malware
- Details of the PlugX RAT command-and-control IPs
Some of the Malware Used by APT9 Explained
PlugX Malware
RSA describes PlugX as a RAT (Remote Access Trojan) family that has been around since 2008 and is used as a backdoor giving full control of the victim's machine. Once a device is infected, an attacker can remotely execute a wide range of commands on it.
Gh0st Malware
Gh0st RAT is a Trojan horse for the Windows platform that the operators of GhostNet used to break into many sensitive computer networks. It is a cyber-espionage program. The "RAT" part of the name refers to the software's ability to operate as a Remote Administration Tool.
SOGU Malware
This backdoor is commonly used by different threat groups in targeted attacks. PlugX is also referred to as KORPLUG, SOGU and DestroyRAT; it is a modular backdoor designed to load its malicious code through the execution of signed, legitimate executables (DLL side-loading).
Zxshell Malware
According to FireEye, ZXSHELL is a backdoor that can be downloaded from the internet, particularly from Chinese hacker websites. It can launch port scans, run a keylogger, capture screenshots, set up an HTTP or SOCKS proxy, launch a reverse command shell, cause SYN floods, and transfer, delete and run files. The publicly available version of the tool provides a graphical user interface that operators use to interact with victim backdoors. The bundled ZXSHELL documentation is written in Simplified Chinese.
File description: W32/Zxshell.A is a DLL with an exported function ("Install") that is called to install the backdoor.
X-Door Malware
Troj/Xdoor-A is a stealthy IRC backdoor Trojan that copies itself to <Windows system>\xmdm.exe and <Windows system>\dllcache\xmdm.exe. It runs as a hidden service process named xmdm ("Microsoft Debugging Machine") on Windows 2000 and Windows XP, logs on to predefined IRC servers and waits for backdoor commands. Troj/Xdoor-A is hidden from process and service listings, and its file xmdm.exe is also invisible in the folders above.
The other malware families listed above appear to be proprietary: the actors have not released samples, so no public hashes or signatures exist for them. It is therefore expected that the threat actor will reuse the same malware in future campaigns after tweaking the source code.