Home  >  Article  >  Operation and Maintenance  >  Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East

Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East

王林
王林forward
2023-05-30 08:55:461076browse

Background

On March 17, 2019, 360 Threat Intelligence Center intercepted a case of a suspected "Golden Rat" APT organization (APT-C-27) using the WinRAR vulnerability (CVE-2018-20250[6] ) Targeted attack samples targeting the Middle East. The malicious ACE compressed package contains an Office Word document that uses a terrorist attack as a bait to induce the victim to decompress the file. When the victim decompresses the file through WinRAR on the local computer, the vulnerability will be triggered. After the vulnerability is successfully exploited, the vulnerability will be built-in The backdoor program (Telegram Desktop.exe) is released into the user's computer startup directory. When the user restarts or logs in to the system, the remote control Trojan will be executed to control the victim's computer.

360 Threat Intelligence Center discovered through correlation analysis that this attack activity is suspected to be related to the "Golden Rat" APT organization (APT-C-27), and after further tracing and correlation, we also found multiple Malicious samples of the Android platform related to this organization are mainly disguised as some commonly used software to attack specific target groups. Combined with the text content related to the attacker in the malicious code, it can be guessed that the attacker is also familiar with Arabic.


Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East

Detection of backdoor program (TelegramDesktop.exe) on VirusTotal

Sample analysis

360 threats The Intelligence Center analyzed the sample that exploited the WinRAR vulnerability. The relevant analysis is as follows.

Using terrorist attacks to induce decompression

314e8105f28530eb0bf54891b9b3ff69#File name This Office Word document is part of a malicious compressed file whose contents are related to a terrorist attack. Due to its political, geographical and other particularities, the Middle East has suffered numerous terrorist attacks and its people have suffered greatly. Therefore, people in the region are sensitive to terrorist attacks and other incidents, which increases the possibility of victims decompressing files:
##MD5


Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East
Decoy document translation content

If the user decompresses the malicious compressed package, the WinRAR vulnerability will be triggered, thereby releasing the built-in backdoor program to the user's startup directory Medium:


Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East
The released backdoor program Telegram Desktop.exe will be executed when the user restarts the computer or logs in to the system.

Backdoor(Telegram Desktop.exe)

##File name##MD5##36027a4abfb702107a103478f6af49be76fd23de8f977f51d832a87d7b0f7692a0ff8af333d74fa5ade2e99fec010689.NET

The backdoor program TelegramDesktop.exe will read data from the PE resource and write it to: %TEMP%\Telegram Desktop.vbs, then execute the VBS script and sleep for 17 seconds until the VBS script is completed:


Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East

The main function of this VBS script is to decode the built-in string through Base64 and write the decoded string to the file: %TEMP%\Process. exe, and finally execute Process.exe:


Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East

After execution of Process.exe, file 1717.txt will be created in the %TEMP% directory and written Data related to the final executed backdoor program for subsequent use by Telegram Desktop.exe:


Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East

Then TelegramDesktop.exe will read 1717. txt file and replace the special characters in it:


Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East

Then decode the data through Base64 and load the decoded data in the memory. Data:


Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East

The data finally loaded and executed in the memory is the njRAT backdoor program. The relevant configuration information is as follows:


Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East

njRAT

The njRAT backdoor program executed by memory loading will first create a mutex to ensure that only one instance is running:


Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East

And determine whether the current running path is the path set in the configuration file. If not, copy itself to the path to start execution:


Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East

Then close the attachment checker and firewall:


Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East

and open the keylogging thread, and write the results of the keylogging to the registry :


Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East

Open the communication thread, establish communication with the C&C address and accept command execution:


Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East

##The njRAT remote control also has multiple functions such as remote SHELL, plug-in download and execution, remote desktop, file management, etc.:


Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East

AndroidPlatformSampleAnalysis

360 Threat Intelligence Center also related to multiple Android platform malicious samples recently used by the "Golden Rat" (APT-C-27) APT organization through VirusTotal, which also used 82.137. 255.56 as the C&C address (82.137.255.56:1740):


Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East
##The recently associated Android platform backdoor samples are mainly disguised as Android system updates, Office Upgrade programs and other commonly used software. The following is our analysis of an Android sample disguised as an Office upgrader

Telegram Desktop.exe
SHA256
Compilation information
##File MD5##File name
1cc32f2a351927777fc3b2ae5639f4d5
OfficeUpdate2019.apk

After the Android sample is started, it will induce the user to activate the device manager, then hide the icon and run it in the background:


Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East

Induces the user to complete the installation Afterwards, the sample will display the following interface:


Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East

Then the sample will obtain the online IP address and port through Android's default SharedPreferences storage interface. If obtained If not, decode the default hard-coded IP address and port online:


Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East


Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East

# #Decoding algorithm of related IP address:


Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East

#The final decoded IP address is: 82.137.255.56, and the port also needs to be hard-coded. Add 100 to get the final port 1740:


Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East

Once successfully connected to the C&C address, online information will be sent immediately, control instructions will be received and executed. This sample can record, take photos, perform GPS positioning, upload contacts/call records/text messages/files, and execute commands from the cloud and other functions


Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East

The list of related commands and functions of the Android backdoor sample is as follows:

##CommandFunction##1617##18192021Copy files according to cloud instructionsMove files according to cloud instructionsRename the file according to the cloud instructionsRun FileCreate the directory according to the cloud instructionsExecute cloud commandExecute a ping commandGet and upload contact information##32Get and upload text messages33Get and upload call recordsStart recording
Heartbeat management
connect
Get the specified file Basic information
Download file
Upload files
Delete files ##22
23
24
25
28
29
30
31
##34
##35 Stop and upload the recording file
36 Take photos
37 Start GPS positioning
38 Stop GPS positioning and upload location information
39 Use the cloud to send ip/port
40 Reports the currently used ip/port
to the cloud 41 Get installed application information

It is worth noting that the command information returned by this sample contains information related to Arabic, so we speculate that the attacker is more likely to be familiar with using Arabic:


Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East

Tracing and correlation

By querying the C&C address of the backdoor program captured this time (82.137.255.56:1921), it can be seen that this IP address has been used by APT many times since 2017. - Used by the C-27 (Golden Rat) organization, this IP address is suspected to be the organization’s inherent IP asset. On the big data correlation platform of 360 Network Research Institute, you can view multiple sample information associated with the IP address


Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East

Through 360 Threat Intelligence The central threat analysis platform (ti.360.net) queried the C&C address and it was also labeled with APT-C-27 related tags:


Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East

And the functional modules, code logic, built-in information language, target group, network assets and other information of the relevant Trojan samples (Windows and Android platforms) captured this time are all the same as those used by APT-C-27[2] exposed earlier. Trojan sample information is highly similar. Therefore, according to the 360 ​​Threat Intelligence Center, the relevant samples intercepted this time are also related to the "Golden Rat" APT organization (APT-C-27).

As we predicted, attacks using the WinRAR vulnerability (CVE-2018-20250) to spread malicious programs are in the outbreak stage. The 360 ​​Threat Intelligence Center has previously observed multiple APT attacks using this vulnerability. , and the targeted attack activities intercepted this time by the suspected "Golden Rat" APT organization (APT-C-27) that exploited the WinRAR vulnerability is just one example of many cases of using this vulnerability to carry out targeted attacks. Therefore, the 360 ​​Threat Intelligence Center once again reminds users to take timely measures to prevent this vulnerability. (See the "Mitigation Measures" section)

Mitigation Measures

1. The software manufacturer has released the latest WinRAR version. The 360 ​​Threat Intelligence Center recommends that users promptly update and upgrade WinRAR (5.70 beta 1) To the latest version, the download address is as follows:

32-bit: http://win-rar.com/fileadmin/winrar-versions/wrar57b1.exe

64-bit: http://win -rar.com/fileadmin/winrar-versions/winrar-x64-57b1.exe

2. If the patch cannot be installed temporarily, you can directly delete the vulnerable DLL (UNACEV2.DLL), which will not affect general use. , but an error will be reported when encountering ACE files.

Currently, all products based on the threat intelligence data of 360 Threat Intelligence Center, including 360 Threat Intelligence Platform (TIP), Tianqing, Tianyan Advanced Threat Detection System, 360 NGSOC, etc., already support such attacks. accurate detection.

The above is the detailed content of Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East. For more information, please follow other related articles on the PHP Chinese website!

Statement:
This article is reproduced at:yisu.com. If there is any infringement, please contact admin@php.cn delete