APT#27 Backdoor#2021

High level design

The sample is part of spear-phishing campaign was targeting Gambling organization(support teams). Some of Cyber security companies link the attacks to APT27 group.

Weapon :

The document file (Gamb1Docx.docx) used as weapon of this attack.

It contains script file for download info.cab file and extract it. Then run debug.exe.

Exploitation :

After downloading and extracting info.cab file. Then execute debug.exe file.

Debug.exe file is clean on OSINT and sign by Google Inc.

Product name : google update.

SHA256 : ec7e883e7af38bf3ac0ac513cfde0186038443e9acc7ad616ee6bd0ec09aacb9 .

Once debug.exe run, It will load malicious goopdate.dll file. This technique is called DLL Side-Loading.

Installation:

First debug.exe file had been run by script on docx file.

First debug.exe process created new service name spooller (HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Spooller), then run it; second debug.exe process ran as service.

After running second debug.exe process will create new process Misexec.exe (legitimate and sign by Microsoft), But the malware will inject malicious code on msiexec.exe process and change execution follow to run malicious code.

** This behavior of calling APIs by this sequence, On first time looks like “process hollowing” technique, but doesn't .

The same behavior (inject malicious code to legitimate process )used again on Svchost.exe.

Command and Control :

The Malware after resolving malicious domain, it tried to access server via TCP_Port:53.

betwln520[.]com
www[.]kkxx888666[.]com

IOCs:

Recommendation :

  • Monitor windows process(cmd, powershell …) options like (download file, expand and start-process).
  • Monitor Process/DLL loading from same folder, especially %temp% folder.
  • Monitor unknown ports for common protocol, like HTTP/HTTPS over port 53.
  • EDR solution to block advance behavior as example (process hollowing and process injection).
  • Block IOCs.

References :

https://papers.vx-underground.org/archive/APTs/2021/2021.01.04/Paper/APT%2027.pdf

https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf

https://attack.mitre.org/techniques/T1574/002/

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store