English
  • Russian
  • Korean
  • Support
Positive Technologies
English
  • Russian
  • Korean
  • Solutions
    ICS/SCADA

    Critical infrastructure on the frontline

    Vulnerability Management

    Stop being an easy target

    Financial Services

    Can your security keep up with you?

    Protection from targeted attacks (anti-apt)

    Early detection, rapid investigation

    PT Industrial Cybersecurity Suite

    PT ICS is an integrated platform for cyberthreat detection and response in industrial systems

    Utilities

    Industrial-grade cybersecurity

    ERP Security

    Take control of your ERP security

    Security Compliance

    Turn policies into protection

    View all →
  • Products
    MaxPatrol 8

    Vulnerability and compliance management system.

    MaxPatrol SIEM

    Knows your infrastructure, delivers pinpoint detection.

    PT Application Firewall

    Intelligent protection of business applications.

    PT Application Inspector

    Source code analysis tool.

    PT ISIM

    Cyberthreat detection and incident response in ICS.

    PT Network Attack Discovery

    NDR system to detect attacks on the perimeter and inside the network.

    PT Sandbox

    Advanced sandbox with customizable virtual environments

    XSpider

    Vulnerability scanner.

    MaxPatrol VM

    Next-generation vulnerability management system.

    MaxPatrol SIEM All-in-One

    Full-featured SIEM for mid-sized IT infrastructures.

    PT MultiScanner

    Multilayered protection against malware attacks.

    PT BlackBox

    Dynamic application security testing tool

    View all →
  • Services
    ICS/SCADA Security Assessment

    Full Range of ICS-specific Security Services

    ATM Security Assessments

    Uncover Your Weaknesses

    Web Application Security Services

    Black Box and White Box Analysis

    Mobile Application Security Services

    Security Analysis and Compliance Audit

    Custom Application Security Services

    Independent Expert Analysis of Your Source Code

    Penetration Testing

    A Comprehensive Approach

    Forensic Investigation Services

    Prevent Future Incidents

    Advanced Border Control

    Upgrade Your View of Perimeter Security

    View all →
  • Analytics
    Threatscape
    PT ESC Threat Intelligence
    Cybersecurity glossary
    Knowledge base
    View all →
  • Partners
    Authorized Partners
    Distributors
    Technology Partners
    View all →
  • About
    Clients
    Press
    News
    Events
    Contacts
    Documents and Materials
    View all →
Menu
  • Home
  • Analytics
  • PT ESC Threat Intelligence
  • Studying Donot Team

Studying Donot Team

Published on 28 May 2020

APT group called Donot Team (aka APT-C-35, SectorE02) has been active since at least 2012. The attackers hunt for confidential information and intellectual property. The hackers' targets include countries in South Asia, in particular, state sector of Pakistan. In 2019, we noticed their activity in Bangladesh, Thailand, India, Sri Lanka, the Philippines, and outside of Asia, in places like Argentina, the United Arab Emirates, and Great Britain.

For several months, we have been monitoring changes in the code of this group's malicious loaders. In this article, we will review one of the attack vectors, will talk about the loaders in more detail, and will touch upon the peculiarity of the network infrastructure.

Attack chain

At the early stage of infection, the victim receives an MS Word document in Office Open XML format. Even though we do not have clear evidence, we are sure that the initial penetration vector is a targeted phishing message with MS Office attachment. The document itself is not malicious, but it abuses the external elements autoloading capability to launch the next stage document.

Communicating with a linked external object
Communicating with a linked external object

The loaded fine is an RTF document exploiting vulnerability CVE-2018-0802 in Microsoft Equation. The main shellcode is preceded by a chain of intermediate ones, each decrypting the subsequent slice with a single-byte XOR with keys 0x90 and 0xCE.

First shellcode decrypting the second one
First shellcode decrypting the second one
Second shellcode decrypting the third one
Second shellcode decrypting the third one
Third shellcode decrypting the main one
Third shellcode decrypting the main one

The main shellcode performed the following actions:

  • Uses a single-byte XOR with key 0x79 to decrypt binary data from file %TEMP%\one.
  • Creates executable files C:\Windows\Tasks\Serviceflow.exe and C:\Windows\Tasks\sinter.exe. These are the group's malicious loaders. We will talk more about them later.
  • Creates file C:\Windows\Tasks\S_An.dll, containing two bytes 0x90.
  • Creates file C:\Windows\Tasks\A64.dll. Depending on the system bit capacity, this is a modified x64-bit or x86-bit version of UACMe utility escalating privileges in the system. In addition to bypassing UAC control, the library creates and launches BAT script %TEMP%\v.bat. The script will use the following commands to register one of the loaders created earlier as a service:
sc create ServiceTool displayname= "ServiceFill" binpath= "C:\Windows\Tasks\Serviceflow.exe" start= "auto" sc start ServiceTool
Decrypting BAT scripts in modified UACMe libraries
Decrypting BAT scripts in modified UACMe libraries
  • Creates and launches JScript script C:\Windows\Tasks\bin.js. Its task is to launch library A64.dll via RnMod export using rundll32.
  • Creates shortcut WORDICON.lnk in the startup folder. Its task is to launch loader sinter.exe after system restart.
  • Creates shortcut Support.lnk in the startup folder. Its task is to launch bin.js JScript script after system reboot.
Decompiled code of the main shellcode
Decompiled code of the main shellcode

So, at that stage there are two loaders with a firm foothold in the System. We will discuss their operation later on.

Lo2 loaders

Despite their classification, the trojans have different objectives. For instance, file Serviceflow.exe acts as a watchdog. It collects the following information about the system:

  • Username
  • Computer name
  • Contents of \Program Files\ and \Program Files (x86)\
  • OS version
  • Data about the processor

The watchdog records the results in file log.txt. It also checks Windows\Tasks\ for files A64.dll and sinter.exe. If necessary, it downloads the files from control server skillsnew[.]top and launches them on behalf of the current user. The corresponding token is extracted from process winlogon.exe. Trojan sinter.exe lets the attackers know about the infection by sending a request to hxxps://mystrylust.pw/confirm.php, and sends the collected information about the system to skillsnew[.]top. Then, if the attackers are still interested in the victim's computer, the trojan obtains contents of customer.txt file at hxxp://docs.google.com/uc?id=1wUaESzjGT2fSuP_hOJMpqidyzqwu15sz&export=download. The file contains the name for control server car[.]drivethrough.top, with which the trojan communicates further. Downloaded files are placed in folder \AppData\Roaming\InStore\, and launched with task scheduler.

Decrypted strings of command fragments and task template
Decrypted strings of command fragments and task template

As a result of malicious loaders' activity, components of framework yty are inserted into the system, allowing the attackers to get more details about their victim, including files with a certain extension, intercepted input strings, list of processes, and screenshots. We will not discuss plugins in this article.

When we studied other similar samples, we found some paths and project names left in the debugging information including the following:

  • D:\Soft\DevelopedCode_Last\BitDefenderTest\m0\New_Single_File\Lo2\SingleV2\Release\BinWork.pdb
  • D:\Soft\DevelopedCode_Last\BitDefenderTest\m0\New_Single_File\Lo2\SingleV2_Task_Layout_NewICON\Release\BinWork.pdb
  • D:\Soft\DevelopedCode_Last\BitDefenderTest\m0\New_Single_File\Lo2\SingleV2_Task_Layout_NewICON_N_Lnk\Release\BinWork.pdb
  • D:\Soft\DevelopedCode_Last\BitDefenderTest\m0\New_Single_File\Lo2\SingleV3\Release\WorkFile.pdb
  • D:\Soft\DevelopedCode_Last\BitDefenderTest\m0\Off\Off_New_Api\Release\C++\ConnectLink.pdb
  • D:\Soft\DevelopedCode_Last\BitDefenderTest\m0\Off\Off_New_Api\Release\C++\TerBin.pdb
  • D:\Soft\DevelopedCode_Last\BitDefenderTest\m0\yty 2.0 - With AES Chunks LOC FOR XP Just Bit-Change_Name\Release\TaskTool.pdb
  • D:\Soft\DevelopedCode_Last\BitDefenderTest\yty 2.0 - With AES Chunks OFFS Just Bit\Release\C++\MsBuild.pdb
  • D:\Soft\DevelopedCode_Last\yty 2.0\Release\C++\Setup.pdb

In addition to substring yty 2.0 connecting the trojans with the framework, we also noticed substring Lo2, which may be an abbreviation from Loader 2..

In loaders versions before mid-2018, all used strings were stored in the file in cleartext. In subsequent builds, the attackers started encrypting the strings. In different versions, the following changes were made to the algorithm:

  • Since May 2018: reverse the string and encode with Base64
  • Since April 2019: perform the previous actions twice.
  • Since January 2019: encrypt the string with AES in CBC mode and encode with Base64. Sample of Python code for decryption:
import base64 from Cryptodome.Cipher import AES aeskey = (0x23, 0xd4, 0x67, 0xad, 0x96, 0xc3, 0xd1, 0xa5, 0x23, 0x76, 0xae, 0x4e, 0xdd, 0xca, 0x13, 0x55) def aes_decrypt(data, aeskey): iv = bytes(list(range(0, 16))) key = bytes(aeskey) aes = AES.new(key, AES.MODE_CBC, iv) return aes.decrypt(data).decode().strip('\x00') def base64_aes_decrypt(data, aeskey): data = base64.b64decode(data) data = aes_decrypt(data, aeskey) return data
  • Since June 2019: perform symbol-by-symbol circular subtraction with the set array of bytes, encode with UTF-8, and encode with Base64. Sample of Python code for decryption:
subgamma = (0x2d, 0x55, 0xf, 0x59, 0xf, 0xb, 0x60, 0x33, 0x29, 0x4e, 0x19, 0x3e, 0x57, 0x4d, 0x56, 0xf) def sub_decrypt(data, subgamma): o = '' length = len(data) subgamma_length = len(subgamma) for i in range(length): o += chr((0x100 + ord(data[i]) - subgamma[i%subgamma_length]) & 0xff) return o def base64_utf8_sub_decrypt(data, subgamma): data = base64.b64decode(data) data = data.decode('utf-8') data = sub_decrypt(data, subgamma) return data
  • Since October 2019: perform symbol-by-symbol circular modified XOR with the set array of bytes, and encode with Base64 twice. The peculiarity of XOR algorithm is that if the string symbol value matches the value of the symbol in the set array of bytes, XOR is not required. Sample of Python code for decryption:
xorgamma = (0x56, 0x2d, 0x61, 0x21, 0x16) def modxor_decrypt(data, xorgamma): o = '' length = len(data) xorgamma_length = len(xorgamma) for i in range(length): c = data[i] if c != xorgamma[i%xorgamma_length]: c = data[i] ^ xorgamma[i%xorgamma_length] o += chr(c) return o def base64_modxor_decrypt(data, xorgamma): data = base64.b64decode(data) data = modxor_decrypt(data, xorgamma) return data

When we were writing the decryption script, we found that some strings couldn’t be decrypted. But then we found that these lines can still be decrypted with one of the decryption methods mentioned earlier. After we verified that each sample uses only one decryption method, we concluded that the attackers had simply forgotten to delete unused strings or replace them with those correctly encrypted for the next version of the malware.

Strings in one of the loader samples were encrypted with various methods, but only one is used in the executable file.
Strings in one of the loader samples were encrypted with various methods, but only one is used in the executable file.

Such mistakes are always advantageous for the researchers. For instance, the strings left by the attackers often contained the attackers' control servers which we did not know about before.

Network Infrastructure peculiarities

To complete the picture, we want to point out some typical features which can help you make a connection between the group's attacks in the future.

  • Most of the control servers are rented from DigitalOcean, LLC (ASN 14061), and are located in Amsterdam.
  • The attackers do not use the same servers for different DNS names. They prefer reserving a new allocated host for each new domain name.
  • In most cases, domain owners' registration information is hidden with privacy services. The attackers can use the following services: WhoisGuard, Inc.; Whois Privacy Protection Service, Inc.; Domains By Proxy, LLC; and Whois Privacy Protection Foundation. In some cases the data is accessible, and we can see the common approach to filling the fields.
WHOIS information about domain burningforests[.]com
WHOIS information about domain burningforests[.]com
WHOIS information about domain cloud-storage-service[.]com
WHOIS information about domain cloud-storage-service[.]com
  • Most commonly, the attackers use .top, .pw, .space, .live, and .icu TLD.

Conclusions

Donot Team is known to use their own tools at every stage of the attack. On the one hand, the group uses various techniques to make code analysis more difficult, but on the other hand, it does not attempt to hide or disguise their actions in the system. Multiple attacks on the same targets can be indicative of particular interest in the chosen range of victims. This can also mean that the used tactics and techniques are not very efficient.

Author: Alexey Vishnyakov, Positive Technologies

IOCs

6ce1855cf027d76463bb8d5954fcc7bb — loader in MS Word format
hxxp://plug.msplugin.icu/MicrosoftSecurityScan/DOCSDOC
21b7fc61448af8938c09007871486f58 — dropper in MS Word format
71ab0946b6a72622aef6cdd7907479ec — loader Lo2 in C:\Windows\Tasks\Serviceflow.exe
22f41b6238290913fc4d196b8423724d — loader Lo2 in C:\Windows\Tasks\sinter.exe
330a4678fae2662975e850200081a1b1 — modified x86 version of UACMe
22e7ef7c3c7911b4c08ce82fde76ec72 — modified x64 version of UACMe
skillsnew[.]top
hxxps://mystrylust.pw/confirm.php
hxxp://docs.google.com/uc?id=1wUaESzjGT2fSuP_hOJMpqidyzqwu15sz&export=download
car[.]drivethrough.top
burningforests[.]com
cloud-storage-service[.]com
Related articles
  • May 20, 2020 Operation TA505: how we analyzed new tools from the creators of the Dridex trojan, Locky ransomware, and Neutrino botnet
  • August 3, 2021 APT31 new dropper. Target destinations: Mongolia, Russia, the U.S., and elsewhere
  • December 9, 2022 APT Cloud Atlas: Unbroken Threat
Share:
Link copied
Related articles
November 27, 2020

Investigation with a twist: an accidental APT attack and averted data destruction

April 12, 2021

PaaS, or how hackers evade antivirus software

June 19, 2020

The eagle eye is back: old and new backdoors from APT30

All articles
Solutions
  • ICS/SCADA
  • Vulnerability Management
  • Financial Services
  • Protection from targeted attacks (anti-apt)
  • PT Industrial Cybersecurity Suite
  • Utilities
  • ERP Security
  • Security Compliance
Products
  • MaxPatrol 8
  • MaxPatrol SIEM
  • PT Application Firewall
  • PT Application Inspector
  • PT ISIM
  • PT Network Attack Discovery
  • PT Sandbox
  • XSpider
  • MaxPatrol VM
  • MaxPatrol SIEM All-in-One
  • PT MultiScanner
  • PT BlackBox
Services
  • ICS/SCADA Security Assessment
  • ATM Security Assessments
  • Web Application Security Services
  • Mobile Application Security Services
  • Custom Application Security Services
  • Penetration Testing
  • Forensic Investigation Services
  • Advanced Border Control
Analytics
  • Threatscape
  • PT ESC Threat Intelligence
  • Cybersecurity glossary
  • Knowledge base
Partners
  • Authorized Partners
  • Distributors
  • Technology Partners
About
  • Clients
  • Press
  • News
  • Events
  • Contacts
  • Documents and Materials
Positive Technologies
Copyright © 2002—2023 Positive Technologies. All Rights Reserved.
Find us:
  • Report a vulnerability
  • Help Portal
  • Terms of Use
  • Privacy Notice
  • Cookie Notice
  • Positive Coordinated Vulnerability Disclosure Policy
  • Sitemap
Copyright © 2002—2023 Positive Technologies. All Rights Reserved.
  • Report a vulnerability
  • Help Portal
  • Terms of Use
  • Privacy Notice
  • Cookie Notice
  • Positive Coordinated Vulnerability Disclosure Policy
  • Sitemap