[RE018-2] Analyzing new malware of China Panda hacker group used to attack supply chain against Vietnam Government Certification Authority - Part 2


IV. The relevant evidence to China Panda hacker group

Smanager_ssl.dll was built with Visual Studio (VS) 2015, build timestamp: Sunday, 26.04.2020 15:11:24 UTC, which was 04/26/2020 - 10:11:24 PM Vietnam time (GMT +7). Linker version 14.00 is from VS 2015 and after that, VS 2017, 2019,… still remains 14.xx.

Figure 1. Linker information

Information about PE RichID of Smanager_ssl.dll:

Figure 2. PE RichID information

Based on PE RichID and VS version, our Threat Intelligence Platform for malware detected a subset of a sample set with the same PE RichID and VS version. This set of samples was also used by a group of hackers in an APT campaign targeted a large corporation in Vietnam from the end of 2018 to the end of 2019. We collected the sample and analyzed them afterwards. But for some reasons, we couldn't publish the analysis.

In the subset, we paid special attention to the following samples, which are PE x64:

1.    msiscsi.dll:

-       MD5: F61B44ECF57EA6D0F49A7DC2C4456E89

-    SHA256: F654E98695E642416A74AF92776A4D24DC55249CEE354D1E868D7C3ACD26030

-       Build timestamp: Tuesday, 24.09.2019 01:03:41 UTC

-       PDB Path: N:\DEV\MMPro\x64\Release\8.1.pdb (8.1.dll)

-       Export: ServiceMain, run as a Service Dll.

2.    verifierpr.dll:

-       MD5: FD35D50D1D30275DC216263B906F9F9A

-       SHA256: 9B2C8D17F4296DF83F5AE05CFA049DF2243A5303A0310C38C4C4796319A53234

-       Build timestamp: Thursday, 24.01.2019 23:55:44 UTC

-       PDB Path: C:\Dev\18M\x64\Release\8.pdb (8.dll)

-       Export: DllGetClassObject

3.    wercplsupport.dll:

-       MD5: 2644C5916A7B49FD216DA16B1F798D3A

-       SHA256: B9E07FF5109CC340D6CB371AFD8D112EBE29BFC1E2D395A28F04761E627D0E39

-       Build timestamp: Thursday, 24.01.2019 23:56:17 UTC

-       PDB Path: C:\Dev\18M\x64\Release\8.1.pdb

-       Export: ServiceMain, run as a Service Dll

Comparison table for PE RichID of the above files and smanager_ssl.dll file:

Figure 3. Comparison table for PE RichID

Focus on the Description column, version of the components compiler/linker/... in the Visual Studio. For many of the samples in that sample set, we think that this hacking group has many members and also has a Source Code Control server.

The C&C info is stored in .nls, impersonating the main Windows .nls files, in the Windows\System32 folder. NLS file is National Language Support files.

We decoded some of the C&C as follow:

Figure 4. C&Cs information

With smanager_ssl.dll and almost all of the samples we have collected, we noticed that the hacker changed the default calling convention of the VC ++ compiler in the VS IDE (or command line) to __fastcall. This made for difficult analyzing, recreate the source code of the malware, give the correct definition of the function protytype.

As mentioned in previous part, Smanager_ssl.dll is registered by eToken.exe (VVSup.exe) and run as a Service Dll. We compare the ServiceMain function (which is required of a Service Dll) and find almost the same code and coding style. We speculate that the code for Service is a file and is generally used for many samples. The ServiceMain function is always responsible for calling the main function, which is the function that performs the main tasks of malware.

The ServiceMain function of smanager_ssl.dll:

Figure 5. ServiceMain function of smanager_ssl.dll

wercplsupport.dll’s ServiceMain

Figure 6. ServiceMain function of wercplsupport.dll

Not only the code is identical, there’s also another special point, a global variable that we named g_dwServiceState in our pseudocode. We will see this variable in the SvcCtrlHandler callback function.

SvcCtrlHandler function of smanager_ssl.dll:

Figure 7. SvcCtrlHandler function of smanager_ssl.dll

wercplsupport.dll’s SvcCtrlHandler

Figure 8. SvcCtrlHandler function of wercplsupport.dll

If we conclude based on the above evidences only, it still be uncertain, as you know hackers often share malwares source code with each other. However, we have discovered one particular feature that hackers themselves may have overlooked and missed when building these malwares.

Since Visual Studio 2005, Microsoft has included .h and .lib files for Telemetry feature, and has been supporting gradually since Windows Vista. During build application, Telemetry feature will be added default in the binary. If we want to disable it, we have to link it with notelemetry.obj. The Microsoft’s Telemetry.cpp file is not included in the Visual Studio 2015. You can find notelemetry.cpp file in the new Windows SDKs later.

The code of notelemetry.cpp is to NULL sub the VC CRTL functions for Telemetry.

Figure 9. notelemetry.cpp to NULL sub the VC CRTL functions for Telemetry

During the analysis, we discovered that in addition to smanager_ssl.dll, two samples in the above subsamples were linked to Telemetry VC CRTL: verifierpr.dll and wercplsupport.dll.

Figure 10. Other samples linked to Telemetry VC CRTL

__telemetry_mai_invoke_trigger will be called before DllMain or WinMain/main function. And __telemetry_main_return_trigger will be called as soon as our above functions exit.

Figure 11. __telemetry_mai_invoke_trigger will be called before DllMain or WinMain/main function

The Telemetry API is provided by Microsoft in the TraceLoggingProvider.h file of the newer Windows SDK distributions. Since there is no source code of telemetry.cpp, we rely on the .h file above and reanalyze the VC CRTL functions for Telemetry. We have identified ProviderMetaData on smanager_ssl.dll file. And especially the providerData of both verifierpr.dll and wercplsupport.dll are the same. GroupGuid is a type of GUID that is generated when an attacker uses an IDE wizard or a GuidGen.exe tool or something similar. GUIDs never match.

We searched this GUID: {CF4F5073 - 8289 - B347 - E0DC - E8C90476BA01} on the Internet and sites as below but we couldn't find any result:

Through all the points we just mentioned, we conclude, the code of smanager_ssl.dll is built on a version of Visual Studio 2015, using a source that accidentally embedded Telemetry feature.

Figure 12. smanager_ssl.dll is built on a version of Visual Studio 2015 and embedded Telemetry feature

To learn more about Telemetry of VS 2015 and Windows, you can read the following links (1, 2). With the GUIDs of the eToken.exe and the providerData GUID of the three dll above, we could write Yara rules as follows:

1.    eToken.exe (VVSup.exe):

-       GUID_1 = { 5AD5B72A - 853B - 456E – AF92 – 0F4DFF9D8BAF }

Hex string = “2A B7 D5 5A 3B 85 6E 45 AF 92 0F 4D FF 9D 8B AF”

-       GUID_2 = { 798E265A - CC96 – 4623 - BA97023B575502B8 }

Hex string = “5A 26 8E 79 96 CC 23 46 BA 97 02 3B 57 55 02 B8”

-       GUID_1 and GUID_2

2.      Smanager_ssl.dll:

-       Text = “Microsoft.CRTProvider”

-       GUID = { CF4F5073 – 8289 - B347 – E0DC – E8C90476BA01 }

Hex string = “73 50 4F CF 89 82 47 B3 E0 DC E8 C9 04 76 BA 01”

-       Text and GUID

Combining all the indicators and TTPs we've got, we considered this was the another campaign of the Chinese Panda group aimed at agencies, organizations and businesses in Vietnam over past few years.

In the next part, we will describe in detail the C++ code of the smanager_ssl.dll that we analyzed and recreated.

Merry Christmas & Happy New Year!

(To be continued …)

Click here for Vietnamese version: Part 3

Trương Quốc Ngân (aka HTC)

Malware Analysis Expert - VinCSS (a member of Vingroup)

No comments:

Post a Comment