APT and me

So I have been starting to break into APT research and learning how various state-sponsored groups conduct their attacks. The easiest way I have found is reading papers on https://samples.vx-underground.org/APTs, where a number of articles are consolidated and collected in PDF format.

A group I see time and time again is APT41, which is speculated to be a CN (Chinese) hacker group. They go by a number of aliases, which I won't go into, but I watch their attack patterns, which are very similar to those taught in the OSEP.

Microsoft Word

Introduction into the network

The initial attack vector is not anything new: an infected Microsoft Word doc with an "Enable Content" bait that would render after the button is hit. The topic of the document would vary depending on the target. If it was a government target, it would be a memo doc. If it was a company, they might target the company's HR with a resume file.

Something new? Template Injection

BUT! Where it differs is by doing something called template injection, where a doc file calls a remotely hosted .dotm (Word template) that contains the macros that fire. Because the macros live in the remote template rather than in the lure itself, the lure can still be a plain .docx.
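From the defender's side, the remote template reference is the thing to look for: a .docx is a zip archive, and Word records the attached template as a relationship in `word/_rels/settings.xml.rels`, so a lure that pulls a remote .dotm leaves an http(s) or UNC Target there. The following is an added example, not code from the original post or from any of the referenced reports. It scans a .docx for that relationship and flags remote targets; the `build_sample_docx` helper builds a minimal constructed document in memory so the check can be run offline, and the hostnames in it are placeholders.

```python
"""Spot a remote (injected) template reference inside a .docx.

Added defensive example, not code from the original post. Word stores the
attached template as <w:attachedTemplate r:id="..."/> in word/settings.xml and
resolves that r:id in word/_rels/settings.xml.rels. A remote template appears
there as a Relationship of the attachedTemplate type whose Target is an
http(s) URL, a UNC path or a file:// URI with a host part.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile
from typing import List, Optional
from xml.sax.saxutils import escape

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# http(s)://..., \\server\share\..., or file://host/... count as remote.
# file:///C:/... (three slashes, no host) is a local template and is not flagged.
REMOTE_TARGET_RE = re.compile(r"^(https?://|\\\\|file://[^/])", re.IGNORECASE)
RELS_PATH = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every remote template Target referenced by the document."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return findings  # no settings relationships at all -> no template
        root = ET.fromstring(zf.read(RELS_PATH))
        for rel in root.iter(RELS_NS + "Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE_TYPE:
                continue
            target = rel.get("Target", "")
            if REMOTE_TARGET_RE.match(target):
                findings.append(target)
    return findings


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Construct a minimal .docx in memory (constructed test sample, not a real lure).

    If template_target is given, an attachedTemplate relationship pointing at it
    is written, mirroring the layout Word itself produces.
    """
    rels = [
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">',
    ]
    settings = [
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">',
    ]
    if template_target is not None:
        safe_target = escape(template_target, {'"': "&quot;"})
        rels.append(
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_TYPE}" '
            f'Target="{safe_target}" TargetMode="External"/>'
        )
        settings.append('<w:attachedTemplate r:id="rId1"/>')
    rels.append("</Relationships>")
    settings.append("</w:settings>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr(
            "word/document.xml",
            '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>',
        )
        zf.writestr("word/settings.xml", "\n".join(settings))
        zf.writestr(RELS_PATH, "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder hosts under the reserved .invalid TLD; nothing here is a real indicator.
    for label, target in [
        ("remote http", "http://template-host.invalid/memo.dotm"),
        ("remote UNC", r"\\fileserver.invalid\share\memo.dotm"),
        ("local", "file:///C:/Users/alice/Templates/Normal.dotm"),
        ("none", None),
    ]:
        print(f"{label:12s} -> {find_remote_templates(build_sample_docx(target))}")
```

Pointing `find_remote_templates` at a real file is just `find_remote_templates(open(path, "rb").read())`; the same relationship type also appears in .dotx/.dotm and in the other Office zip formats' own rels files, so the check generalises beyond the .docx case the post describes.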

Activate Macro

Here is where it would get interesting. Once the macro is activated, one of the neat vectors would download a couple of target files and then set a LNK file in the Startup folder, so the attack would not launch until the computer restarted.

From the report, it is hard to tell if the files were downloaded or if they were embedded in the macro itself, but regardless, we know that the attack is dropping files to disk.
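The Startup-folder LNK is a noisy persistence step if you are watching file creates: a shortcut landing in a user's or the all-users Startup folder is rare, and one written by an Office process is exactly the macro pattern described above. The following is an added example, not code from the original post or the referenced reports. It runs a simple classifier over a few constructed sample lines in a simplified key=value form modelled on Sysmon Event ID 11 (FileCreate); the user names, process names and paths are made up for the demo.

```python
"""Flag shortcut (.lnk) files being created in a Windows Startup folder.

Added defensive example, not from the original post. Sample lines are
constructed in a simplified key=value form modelled on Sysmon Event ID 11
(FileCreate); they are not real telemetry.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events: a benign temp-file write, a Startup .lnk written by
# Word, a shortcut pinned by Explorer, and a Startup .lnk written by a
# downloaded binary into the all-users Startup folder.
SAMPLE_EVENTS = [
    "EventID=11 Image=C:\\Windows\\System32\\svchost.exe "
    "TargetFilename=C:\\Windows\\Temp\\x.tmp",
    "EventID=11 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE "
    "TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "EventID=11 Image=C:\\Windows\\explorer.exe "
    "TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Notes.lnk",
    "EventID=11 Image=C:\\Users\\alice\\Downloads\\tool.exe "
    "TargetFilename=C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\svc.lnk",
]

# key=value pairs; values may contain spaces, so a value runs until the next " Key=".
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
# Both the per-user (...\AppData\Roaming\...) and all-users (...\ProgramData\...)
# Startup folders end with this suffix.
STARTUP_LNK_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE
)
OFFICE_RE = re.compile(r"\\(WINWORD|EXCEL|POWERPNT)\.EXE$", re.IGNORECASE)
EXPLORER_RE = re.compile(r"\\explorer\.exe$", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict."""
    return dict(KV_RE.findall(line))


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a severity for a Startup-folder .lnk creation, or None if the event is not one."""
    if event.get("EventID") != "11":
        return None
    if not STARTUP_LNK_RE.search(event.get("TargetFilename", "")):
        return None
    image = event.get("Image", "")
    if OFFICE_RE.search(image):
        return "high"    # Office writing a startup shortcut is the macro-drop pattern
    if EXPLORER_RE.search(image):
        return "low"     # users pin shortcuts through Explorer; log it, don't page on it
    return "medium"      # anything else: review the writing process and the shortcut target


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (severity, image, target) for every line that classifies as a hit."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        event = parse_event(line)
        severity = classify(event)
        if severity is not None:
            hits.append((severity, event["Image"], event["TargetFilename"]))
    return hits


if __name__ == "__main__":
    for severity, image, target in scan(SAMPLE_EVENTS):
        print(f"[{severity:6s}] {image} -> {target}")
```

The process-based severity is the part worth keeping when porting this to a real SIEM query: the folder match alone catches legitimate user activity, while the combination of a Startup .lnk and an Office or user-writable-path parent is what matches the chain in the report.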

The files

The files themselves are: a .NET executable that impersonates an ESET CLI utility and uses an invalidly signed cert (note to self: look up signing).

The .ini file is an AES-encrypted payload.

The .Net Executable

The executable is pretty interesting. It does an HTTP request to https://ip-api.com to get the country code. If the country code is US or RU, it does not proceed and exits. It is speculated that the RU check is potentially a false flag to draw suspicion away from APT41.

When the check is done and passed, the .ini file is decrypted with a key that was stored, and VirtualAlloc and CreateThread are called to run the resulting shellcode.

C2 Communications

Here it gets a bit boring. Standard C2 framework stuff. The C2 communicates over HTTPS and uses /jquery and /jquery-min endpoints that contain valid jQuery lib data but then have a few bytes in the code to communicate its evil deeds.

Tools: Fiddler

What was learned:

In this APT profile, we learned about Microsoft Word template injection, dropping a LNK file into the Startup folder to get and maintain persistence on the next reboot, using https://ip-api.com to get a country code and filter out certain countries, and using the jQuery lib (which is notoriously large) to hide the communication.

Potential future vectors

  • Using https://ip-api.com to filter out results from non-client IPs (large clients with IP blocks only)

References

APT - VX-underground.org

Microsoft Word Template Injection