


1. Foreword
APT has become a hot topic in the security field.
Innovación y laboratorio, a subsidiary of Eleven Paths, published the "Docless Vietnam APT" report in April:
The report states that a malicious email was detected, sent to a mailbox belonging to the Vietnamese government. The email is dated March 13, 2019. It contains suspicious elements and may have originated from within the Vietnamese government, although it cannot be ruled out that someone forwarded it to the security department.
The sample information for TKCT quy I nam 2019.doc.lnk.malw is as follows:
Picture 1: TKCT quy I nam 2019.doc.lnk.malw
2. Static analysis
1. Once downloaded locally, the TKCT quy I nam 2019.doc.lnk.malw sample presents itself as a Word document shortcut, tricking the victim into running it with a habitual double-click, as shown below:
Picture 2: Disguised doc shortcut
First, Word documents are not normally delivered as .lnk shortcuts, and a genuine shortcut is only about 1 KB in size, whereas this sample's shortcut is 126 KB, so something else is clearly hidden inside it. Many pieces of malware disguise the file name with a .dat or .docx extension while the real suffix is .exe; this becomes visible once file name extensions are turned on in Explorer.
2. Extracting the command stored in the Target field of the shortcut's properties shows an obfuscated and encoded cmd command that launches PowerShell, as shown below:
Picture 3: Obfuscated instructions
APT operators favor VBS, PowerShell, JS and other scripting languages, which are easy to obfuscate and encode and help evade anti-virus detection.
Earlier malware shares this trait: Manlinghua, Xbash and various ransomware families all like to run PowerShell as their first-stage "payload" and spring it on the computer as a surprise.
3. After parsing the obfuscated command, we found that the TKCT quy I nam 2019.doc.lnk shortcut is redirected into a file named s.ps1; the desktop shortcut is in fact itself a PowerShell script. The obfuscated variables are sorted out as follows:
Finally, the TKCT quy I nam 2019.doc.lnk file is redirected into the temp folder as s.ps1 and executed with PowerShell, as shown below:
Picture 4: Deobfuscation
4. The iex obfuscation can also be removed manually: open the file and delete the characters "iex" (Invoke-Expression), so the command writes the decoded script out instead of executing it. The PowerShell command then takes the form: original file name >> s.ps1 (new file name). The redirected file is as follows:
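The triage heuristics from steps 1 to 4 (document-style name on a .lnk, a shortcut far larger than 1 KB, a Target that launches PowerShell with iex, and a blob appended after the shortcut structure) can be checked without opening the file. The following is an added Python example, not code from the write-up; it parses the Shell Link header and StringData fields itself, and the embedded sample is a constructed stand-in for the real shortcut.

```python
import struct
# LinkFlags bits and header CLSID from the Shell Link (.lnk) binary format
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon"))

def parse_lnk(data):
    # Returns the StringData fields plus the number of bytes left after the shortcut structure
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID: raise ValueError("not a Shell Link file")
    pos = size
    if flags & HAS_IDLIST: pos += 2 + struct.unpack_from("<H", data, pos)[0]   # LinkTargetIDList
    if flags & HAS_LINKINFO: pos += struct.unpack_from("<I", data, pos)[0]     # LinkInfo (size includes itself)
    fields = {}
    for flag, name in STRING_FIELDS:  # each string: 2-byte char count, then the characters
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    fields["trailing_bytes"] = len(data) - pos
    return fields

def lnk_indicators(file_name, data, size_limit=4096):
    # Heuristics from steps 1-4: document-like name, oversized shortcut, PowerShell + iex, appended blob
    hits, low = [], file_name.lower()
    if low.endswith(".lnk") and any(ext in low for ext in (".doc", ".docx", ".xls", ".pdf")):
        hits.append("document-style name carrying a .lnk extension")
    if len(data) > size_limit:
        hits.append(f"{len(data)} bytes; a normal shortcut is about 1 KB")
    f = parse_lnk(data)
    cmd = (f.get("relative_path", "") + " " + f.get("arguments", "")).lower()
    if "powershell" in cmd and any(k in cmd for k in ("iex", "invoke-expression", "-enc")):
        hits.append("target runs PowerShell with an inline or encoded expression")
    if f["trailing_bytes"] > 1024:
        hits.append("large blob appended after the shortcut structure")
    return hits

def _ustr(s):  # StringData entry: UTF-16LE text with a leading character count
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")

# Constructed stand-in for the sample (not the real file): shortcut to powershell.exe plus a 5000-byte blob
SAMPLE_LNK = (struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_RELPATH | HAS_ARGS | IS_UNICODE)
              + b"\x00" * (0x4C - 24)
              + _ustr(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
              + _ustr('-w hidden -c "iex <obfuscated script placeholder>"')
              + b"\x00" * 5000)
```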
Picture 8: .net disassembly
How should shellcode or a payload be understood? Essentially it is a blob of raw bytes; in the case of an executable, it is data that the processor can interpret and execute as machine code.
Because binary data extraction and assembly analysis follow, here is a simple diagram introducing the basic concepts of shellcode and payloads (for malicious code), as shown in the following figure:
Picture 9: payload
As shown in Figure 9, viruses, and especially self-starting, persistent attacks, are difficult to carry out without a backdoor that remains on the system (the exception being attacks that only pull a small amount of traffic each time for data theft).
For example, with ASLR the module base addresses change every time the system restarts, and the code may be injected into a new process space, so any function addresses hard-coded into the shellcode would be wrong. How does it obtain function addresses accurately? Some extra work is needed for the code to run reliably; of course, these are not real obstacles, and the technique is relatively mature.
Assuming readers have some knowledge of the Windows PE format, assembly and the kernel, the following explanation will be easier to follow; I will not go over the basics. I will analyze, at the PE-format and assembly level, how this shellcode works: how it dynamically obtains module base addresses such as that of kernel32.dll, how it uses hash values to walk the export table, and how it avoids exposing sensitive strings and sensitive API names.
3. On PE and Viruses
Take the malicious code above as an example. Because debugging the shellcode under .NET ran into many problems, we used C/C++ to reconstruct the tmp_pFWwjd.dat.exe sample.
OD (OllyDbg) is again used for dynamic debugging; alternatively you can dump the memory and analyze it, according to preference. Execution can be interrupted directly at the shellcode, as shown below:
Picture 10: Pointer
1. At the entry point, the data is XOR-decrypted to restore the malicious code that will actually execute, as shown below:
Picture 11: XOR decryption
2. API names are represented by hash values rather than strings, which both reduces the size of the shellcode and hides sensitive strings, making it harder for anti-virus software to intercept, as shown below:
Picture 12: Hash value acquisition function address
3. Stepping into function 1E0A42, we find a series of seemingly ordinary assignment operations, as shown below:
Picture 13: fs:[0x30]
FS is a segment register: in kernel mode fs = 0x30 and it points to the _KPCR; in user mode fs = 0x3B and it points to the _TEB.
The TEB (Thread Environment Block) exists once per thread and stores data shared between the system and the thread for control purposes. fs:[0x30] then holds the pointer to the PEB, the Process Environment Block.
4. The PEB describes the current process's environment, and shellcode can reach it easily. At offset 0xc of the PEB is the pointer to _PEB_LDR_DATA, a structure containing information about the modules loaded into the process.
At offset 0x1c of that structure is a doubly linked circular list whose entries are LDR_DATA_TABLE_ENTRY structures. Let's look at the data this structure contains. These offsets depend on the operating system version, as shown below:
Picture 14: Obtain module matrix
Picture 15: Steps to obtain the module base address in the current environment
5. Through the above process, ntdll.dll is successfully located, as shown below:
Picture 16: Obtain module address
6. Next we analyze function 1E0B2A, which takes two parameters. From the calling convention, parameter 1 is the kernel32 base address and parameter 2 is the hash of a function name; this function is a self-implemented GetProcAddress(), as shown below:
Picture 17: GetProcAddress
This function first checks that the module conforms to the PE format, then obtains the NT headers and the export directory. The export directory stores the addresses of three tables; let's look at its structure first, as shown below:
The malicious code locates these three tables, walks the function name table AddressOfNames, reads each function name and computes its hash; if the hash equals parameter 2, the matching function has been found.
It then returns the current index into the name table, uses the same index into the ordinal table AddressOfNameOrdinals to read the ordinal stored there, and uses that ordinal to index the function address table AddressOfFunctions. The relationship between the three is shown in the figure below:
Picture 18: Relationship between the three
As shown in the figure above, the ordinal table and the name table correspond one to one by index, and the value stored in the ordinal table is in turn an index into the address table. The three tables are cleverly designed, much like keys in a relational database.
Note that the ordinals are not in sorted order and may have gaps. Some functions in the address table have no name, so the address exists but cannot be reached through the name table; such functions are called by ordinal, and the value in the ordinal table plus the export directory's Base field gives the actual ordinal used in the call.
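The three-table lookup just described (name index to ordinal table to address table, with nameless exports reachable only by ordinal), as an added Python illustration for analysts rather than the sample's code. The tables are constructed stand-ins with made-up RVAs; the ROR13 hash is an assumption for illustration, since the write-up does not name the sample's algorithm, and on a real binary the three arrays would be read from the export directory with a PE parser.

```python
# Export directory essentials: a Base ordinal, an address table indexed by (ordinal - Base),
# a sorted name table, and an ordinal table parallel to the name table.
EXPORT_BASE = 1

def ror13_hash(name):
    # Assumed hash for illustration: rotate-right-13 accumulation over the ASCII bytes, 32-bit wrap
    h = 0
    for c in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + c) & 0xFFFFFFFF
    return h

# Constructed tables (RVAs made up). Index 2 is an unused slot, index 4 has an address but no name.
ADDRESS_OF_FUNCTIONS = [0x1A2B0, 0x1A3F0, 0x00000, 0x1B100, 0x1C040]
ADDRESS_OF_NAMES = ["CreateThread", "GetProcAddress", "LoadLibraryA"]
ADDRESS_OF_NAME_ORDINALS = [3, 0, 1]   # unbiased ordinals, one per name

def resolve_by_name(name):
    # The GetProcAddress path: name index -> ordinal table -> address table
    for i, n in enumerate(ADDRESS_OF_NAMES):
        if n == name:
            return ADDRESS_OF_FUNCTIONS[ADDRESS_OF_NAME_ORDINALS[i]]
    return None

def resolve_by_hash(target_hash, hash_fn=ror13_hash):
    # What the shellcode does instead: hash every exported name and compare with the constant it carries
    for i, n in enumerate(ADDRESS_OF_NAMES):
        if hash_fn(n) == target_hash:
            return ADDRESS_OF_FUNCTIONS[ADDRESS_OF_NAME_ORDINALS[i]]
    return None

def resolve_by_ordinal(ordinal):
    # Nameless exports: the biased ordinal minus Base indexes the address table directly
    idx = ordinal - EXPORT_BASE
    if 0 <= idx < len(ADDRESS_OF_FUNCTIONS) and ADDRESS_OF_FUNCTIONS[idx]:
        return ADDRESS_OF_FUNCTIONS[idx]
    return None

def hash_lookup_table(names, hash_fn=ror13_hash):
    # Analyst aid: precompute hash -> name so constants seen in the disassembly can be translated back
    return {hash_fn(n): n for n in names}
```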
8. With this in mind, looking at the malicious code in the sample, you will find that it does exactly what is described above, as shown below:
Picture 19: GetProcAddress()
9. The final verification result is successful, as shown below:
Picture 20: Verification
11. A new thread is created whose callback creates directories and files, though in our local verification the file creation fails, as shown below:
Picture 21: Create directory
The file and directory are created under the path c:\User\......\AppData\Roaming\
11. The server responds and the next stage of malicious code is downloaded, beginning a new chapter, as shown below:
4. Analysis of vkT2: it first decrypts its data and then dynamically resolves function addresses, the same old routine used by the earlier sample.
Each section listed in the section table is copied in a loop to its VirtualAddress, that is, the address it occupies once loaded into memory, with a memory alignment granularity of 0x1000; the DOS header signature is erased, and the result is a PE image laid out in memory, as shown below:
Picture 28: Memory expansion
5. Since the PE image has now been expanded into memory, the next step is to fix up the IAT and apply relocations. Many details are involved here, all part of the PE format; see the "Windows Authoritative Guide" for reference, as shown in the following figure:
Picture 29: Repair IAT
6. Next, the key part: the code reads system variables and determines whether it is running on a 64-bit system, as shown below:
Picture 30: Determining the operating environment
8. System data, host IP, host name and other information are collected as follows:
As shown in Figure 35, the servers the client communicates with should all be proxy servers; the real environment is far more complex than the process above, which is what makes attribution difficult. As shown in Figure 33, the key data is extracted from stack memory, and it differs from the request data we usually see. The summary is as follows:
Take the Cobalt Strike tool as an example. It integrates port forwarding, scanning, multi-mode port listeners, generation of Windows executables, Windows DLLs, Java programs and Office macro code, and site cloning to harvest browser-related information, among other features.
One of its more useful features is control over the behavior of the Beacon payload: modifying the framework's default attribute values, changing the check-in frequency and altering Beacon's network traffic. These settings are configured in a Malleable C2 profile file.
Malleable C2 profiles can make the traffic look like normal web traffic and thereby conceal the communication. Take amazon.profile as an example, as shown below:
set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";
http-get {
    set uri "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books";
    client {
        header "Accept" "*/*";
        header "Host" "www.amazon.com";
        metadata {
            base64;
            prepend "session-token=";
            prepend "skin=noskin;";
            append "csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996";
            header "Cookie";
        }
    }
}
http-post {
    set uri "/N4215/adj/amzn.us.sr.aps";
    client {
        header "Accept" "*/*";
        header "Content-Type" "text/xml";
        header "X-Requested-With" "XMLHttpRequest";
        header "Host" "www.amazon.com";
        parameter "sz" "160x600";
        parameter "oe" "oe=ISO-8859-1;";
        id {
            parameter "sn";
        }
        parameter "s" "3717";
        parameter "dc_ref" "http%3A%2F%2Fwww.amazon.com";
    }
The profile above matches the communication characteristics of the vkT2 shellcode sample exactly. By loading such a profile, the traffic between the compromised host and the server is reshaped to blend in, ultimately concealing the communication.
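The fixed strings in the profile are also what a defender can match on: the check-in URI, the User-Agent, the prepend/append chain around the base64 metadata in the Cookie (a constant csm-hit value, where a real Amazon one changes), and the POST URI with its fixed parameters. The following is an added Python example, not part of the write-up; the tab-separated proxy-log layout and the sample lines are constructed assumptions.

```python
from urllib.parse import parse_qs
# Fixed values from the amazon.profile excerpt above; dc_ref is stored URL-decoded because parse_qs decodes it
PROFILE = {
    "useragent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "get_uri": "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
    "cookie_prefix": "skin=noskin;session-token=",                    # prepend chain before the base64 metadata
    "cookie_suffix": "csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996",  # appended constant; a real csm-hit varies
    "post_uri": "/N4215/adj/amzn.us.sr.aps",
    "post_params": {"sz": "160x600", "s": "3717", "dc_ref": "http://www.amazon.com"},
}

def parse_proxy_line(line):
    # Constructed log layout (an assumption): tab-separated METHOD, HOST, URI, then 'Header: value' pairs
    method, host, uri, *hdrs = line.split("\t")
    headers = {k.strip().lower(): v.strip() for k, v in (h.split(":", 1) for h in hdrs)}
    return {"method": method, "host": host, "uri": uri, "headers": headers}

def beacon_indicators(req):
    # Profile features present in one request; genuine Amazon traffic will not carry the static cookie tail
    hits, cookie = [], req["headers"].get("cookie", "")
    path, _, query = req["uri"].partition("?")
    if req["headers"].get("user-agent") == PROFILE["useragent"]:
        hits.append("profile User-Agent")
    if req["method"] == "GET" and path == PROFILE["get_uri"]:
        hits.append("check-in URI")
        if cookie.startswith(PROFILE["cookie_prefix"]) and cookie.endswith(PROFILE["cookie_suffix"]):
            hits.append("metadata cookie with static csm-hit")
    if req["method"] == "POST" and path == PROFILE["post_uri"]:
        params = {k: v[0] for k, v in parse_qs(query).items()}
        if all(params.get(k) == v for k, v in PROFILE["post_params"].items()):
            hits.append("post URI with fixed parameters")
    return hits

def scan_log(lines, threshold=2):
    # Requests with at least `threshold` features; Host is kept because the profile forges it, so the
    # connection's real destination should be compared against it during triage
    flagged = []
    for req in map(parse_proxy_line, lines):
        hits = beacon_indicators(req)
        if len(hits) >= threshold:
            flagged.append((req["host"], req["uri"].partition("?")[0], hits))
    return flagged

UA = "User-Agent: " + PROFILE["useragent"]
SAMPLE_LOG = [  # constructed lines, not real traffic
    "GET\twww.amazon.com\t/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books\t" + UA
    + "\tCookie: skin=noskin;session-token=QUJDREVGR0g=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996",
    "GET\twww.amazon.com\t/\tUser-Agent: Mozilla/5.0 (Windows NT 10.0) Chrome/73.0",
    "POST\twww.amazon.com\t/N4215/adj/amzn.us.sr.aps?sz=160x600&sn=1234&s=3717&dc_ref=http%3A%2F%2Fwww.amazon.com\t"
    + UA + "\tContent-Type: text/xml",
]
```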
The above is the detailed content of How to conduct in-depth analysis of Vietnamese APT attack samples. For more information, please follow other related articles on the PHP Chinese website!