
Analysis of how to use WinRAR vulnerability to target targeted attack activities in the Middle East

王林 (forwarded)
2023-05-30 08:55:46

Background

On March 17, 2019, 360 Threat Intelligence Center intercepted targeted attack samples aimed at the Middle East, suspected to come from the "Golden Rat" APT organization (APT-C-27) and exploiting the WinRAR vulnerability (CVE-2018-20250[6]). The malicious ACE archive contains an Office Word document that uses a terrorist attack as bait to induce the victim to decompress the file. When the victim decompresses the archive with WinRAR on the local computer, the vulnerability is triggered; on successful exploitation, the built-in backdoor program (Telegram Desktop.exe) is released into the user's startup directory. When the user restarts or logs in to the system, the remote control Trojan executes and takes control of the victim's computer.

Through correlation analysis, 360 Threat Intelligence Center found that this attack activity is suspected to be related to the "Golden Rat" APT organization (APT-C-27). Further tracing and correlation also turned up multiple malicious Android samples related to this organization, mostly disguised as commonly used software to attack specific target groups. Combined with the attacker-related text in the malicious code, it can be inferred that the attacker is also familiar with Arabic.

[Figure: Detection of backdoor program (TelegramDesktop.exe) on VirusTotal]

Sample analysis

360 Threat Intelligence Center analyzed the sample that exploits the WinRAR vulnerability. The analysis follows.

Using terrorist attacks to induce decompression

Decoy document MD5: 314e8105f28530eb0bf54891b9b3ff69

This Office Word document is part of the malicious compressed package, and its content relates to a terrorist attack. Because of its political, geographical and other particularities, the Middle East has suffered numerous terrorist attacks and its people have suffered greatly, so people in the region are sensitive to such incidents, which increases the likelihood that victims decompress the file:

[Figure: Decoy document translation content]

If the user decompresses the malicious compressed package, the WinRAR vulnerability is triggered and the built-in backdoor program is released into the user's startup directory:

The released backdoor program Telegram Desktop.exe is executed when the user restarts the computer or logs in to the system.
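The drop into the startup directory works because the extractor trusts the file name stored in the ACE headers. As an added example (not code from the 360 report), the scanner below walks the ACE header chain and flags stored names that would escape the extraction directory, so an archive can be checked before WinRAR ever touches it. Header offsets follow the public ACE format description; the fixture at the bottom is constructed for the demo, carries zero CRCs and no compressed data, and is not a valid archive for any extractor.

```python
import re, struct

ACE_MAGIC = b"**ACE**"        # signature at file offset 7, whatever the extension says
HEAD_MAIN, HEAD_FILE32, HEAD_FILE64 = 0, 1, 3
FLAG_ADDSIZE = 0x0001          # header is followed by PACK_SIZE bytes of packed data

def iter_ace_filenames(data):
    """Walk the ACE header chain and yield every stored file name (CRCs not verified)."""
    if len(data) < 14 or data[7:14] != ACE_MAGIC:
        raise ValueError("not an ACE archive: no **ACE** signature at offset 7")
    pos = 0
    while pos + 7 <= len(data):                               # room for CRC, SIZE, TYPE, FLAGS
        hsize = struct.unpack_from("<H", data, pos + 2)[0]   # HEAD_CRC(2) HEAD_SIZE(2)
        body = data[pos + 4:pos + 4 + hsize]                  # HEAD_TYPE(1) HEAD_FLAGS(2) ...
        htype, hflags, addsize = body[0], struct.unpack_from("<H", body, 1)[0], 0
        if htype in (HEAD_FILE32, HEAD_FILE64):
            addsize = struct.unpack_from("<Q" if htype == HEAD_FILE64 else "<I", body, 3)[0]
            name_off = 29 if htype == HEAD_FILE32 else 37   # after sizes, FTIME, ATTR, CRC32, TECH, RESERVED
            name_len = struct.unpack_from("<H", body, name_off)[0]
            yield body[name_off + 2:name_off + 2 + name_len].decode("latin-1")
        elif hflags & FLAG_ADDSIZE:
            addsize = struct.unpack_from("<I", body, 3)[0]
        pos += 4 + hsize + addsize                            # skip header and its data

def traversal_reasons(name):
    """Why a stored name would land outside the extraction directory (empty list = safe)."""
    parts = re.split(r"[\\/]", name)
    checks = (
        (parts[0] == "", "absolute path"),
        (re.match(r"^[A-Za-z]:", name) is not None, "drive letter"),
        (".." in parts, "parent-directory component"),
        (any(p.lower() == "startup" for p in parts), "targets a Startup folder"),
    )
    return [why for hit, why in checks if hit]

def scan_ace(data):   # unsafe stored name -> reasons; empty dict means nothing escapes
    return {n: r for n in iter_ace_filenames(data) if (r := traversal_reasons(n))}

def _hdr(htype, flags, rest):      # HEAD_CRC (left zero) + HEAD_SIZE + HEAD_TYPE + HEAD_FLAGS + rest
    body = struct.pack("<BH", htype, flags) + rest
    return struct.pack("<HH", 0, len(body)) + body

def constructed_archive():
    """Constructed fixture: zero CRCs and no compression, so no extractor accepts it."""
    out = _hdr(HEAD_MAIN, 0, ACE_MAGIC + bytes(16))   # version/host/date/reserved zeroed
    for name, payload in (("report.docx", b"stored"), ("..\\..\\Startup\\Telegram Desktop.exe", b"x")):
        nb = name.encode("latin-1")
        fixed = struct.pack("<IIIIIBBHH", len(payload), len(payload), 0, 0x20, 0, 0, 0, 0, 0)
        out += _hdr(HEAD_FILE32, FLAG_ADDSIZE, fixed + struct.pack("<H", len(nb)) + nb) + payload
    return out
```

Because the check keys on the signature at offset 7 rather than the extension, it also catches ACE archives renamed to .rar, which is how such samples are commonly delivered.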

Backdoor (Telegram Desktop.exe)

File name: Telegram Desktop.exe
SHA256: 36027a4abfb702107a103478f6af49be76fd23de8f977f51d832a87d7b0f7692
MD5: a0ff8af333d74fa5ade2e99fec010689
Compilation information: .NET

The backdoor program Telegram Desktop.exe reads data from its PE resources, writes it to %TEMP%\Telegram Desktop.vbs, executes the VBS script, and then sleeps for 17 seconds until the script has completed:


The main function of this VBS script is to Base64-decode a built-in string, write the decoded data to the file %TEMP%\Process.exe, and finally execute Process.exe:


After Process.exe runs, it creates the file 1717.txt in the %TEMP% directory and writes data related to the final backdoor program into it for later use by Telegram Desktop.exe:


Telegram Desktop.exe then reads the file 1717.txt and replaces the special characters in it:


It then Base64-decodes the data and loads the decoded data in memory:


The data finally loaded and executed in the memory is the njRAT backdoor program. The relevant configuration information is as follows:


njRAT

The memory-loaded njRAT backdoor first creates a mutex to ensure that only one instance is running:


It then checks whether the current running path is the path set in the configuration; if not, it copies itself to that path and starts execution from there:


It then disables the attachment checker and the firewall:


It starts the keylogging thread and writes the keylogging results to the registry:


It starts the communication thread, establishes communication with the C&C address, and receives and executes commands:


njRAT also provides multiple other functions, such as remote shell, plug-in download and execution, remote desktop, and file management:


Android Platform Sample Analysis

Through VirusTotal, 360 Threat Intelligence Center also correlated multiple recent malicious Android samples used by the "Golden Rat" (APT-C-27) APT organization, which likewise use 82.137.255.56 as the C&C address (82.137.255.56:1740):

The recently correlated Android backdoor samples are mainly disguised as Android system updates, Office upgrade programs and other commonly used software. The following is our analysis of an Android sample disguised as an Office upgrader:

File name: OfficeUpdate2019.apk
File MD5: 1cc32f2a351927777fc3b2ae5639f4d5

After the Android sample starts, it induces the user to activate the device administrator, then hides its icon and runs in the background:


After the user has been induced to complete the installation, the sample displays the following interface:


The sample then obtains the online IP address and port through Android's default SharedPreferences storage interface. If none is stored, it decodes the default hard-coded IP address and port:


Decoding algorithm of the related IP address:


The final decoded IP address is 82.137.255.56. The hard-coded port must also have 100 added to it to obtain the final port, 1740:


Once connected to the C&C address, the sample immediately sends online information, then receives and executes control instructions. The sample can record audio, take photos, perform GPS positioning, upload contacts, call records, text messages and files, execute commands from the cloud, and more:


The list of related commands and functions of the Android backdoor sample is as follows:

Command  Function
16       Heartbeat management
17       Connect
18       Get basic information of the specified file
19       Download file
20       Upload file
21       Delete file
22       Copy files according to cloud instructions
23       Move files according to cloud instructions
24       Rename the file according to cloud instructions
25       Run file
28       Create the directory according to cloud instructions
29       Execute cloud command
30       Execute a ping command
31       Get and upload contact information
32       Get and upload text messages
33       Get and upload call records
34       Start recording
35       Stop and upload the recording file
36       Take photos
37       Start GPS positioning
38       Stop GPS positioning and upload location information
39       Use the ip/port sent by the cloud
40       Report the currently used ip/port to the cloud
41       Get installed application information

It is worth noting that the command information returned by this sample contains Arabic-related text, so we infer that the attacker is more likely to be familiar with Arabic:


Tracing and correlation

Querying the C&C address of the backdoor program captured this time (82.137.255.56:1921) shows that this IP address has been used many times by the APT-C-27 (Golden Rat) organization since 2017, so it is suspected to be an inherent IP asset of the organization. On the big data correlation platform of 360 Network Research Institute, multiple samples associated with this IP address can be viewed:


Querying the C&C address through the 360 Threat Intelligence Center threat analysis platform (ti.360.net) also shows it labeled with APT-C-27 related tags:


The functional modules, code logic, language of the built-in strings, target group, network assets and other characteristics of the Trojan samples captured this time (Windows and Android platforms) are highly similar to those of the Trojan samples used by APT-C-27[2] that were exposed earlier. 360 Threat Intelligence Center therefore assesses that the samples intercepted this time are also related to the "Golden Rat" APT organization (APT-C-27).

As we predicted, attacks that use the WinRAR vulnerability (CVE-2018-20250) to spread malicious programs are in an outbreak stage. 360 Threat Intelligence Center has previously observed multiple APT attacks using this vulnerability, and the targeted attack activity intercepted this time, attributed to the suspected "Golden Rat" APT organization (APT-C-27), is just one of many cases in which this vulnerability has been used for targeted attacks. 360 Threat Intelligence Center therefore once again reminds users to take timely measures against this vulnerability (see the "Mitigation Measures" section).

Mitigation Measures

1. The software manufacturer has released the latest WinRAR version. 360 Threat Intelligence Center recommends that users promptly update WinRAR to the latest version (5.70 beta 1). The download addresses are as follows:

32-bit: http://win-rar.com/fileadmin/winrar-versions/wrar57b1.exe

64-bit: http://win-rar.com/fileadmin/winrar-versions/winrar-x64-57b1.exe

2. If the patch cannot be installed for the time being, you can directly delete the vulnerable DLL (UNACEV2.DLL). This does not affect general use, but an error will be reported when an ACE file is encountered.

Currently, all products based on the threat intelligence data of 360 Threat Intelligence Center, including 360 Threat Intelligence Platform (TIP), Tianqing, Tianyan Advanced Threat Detection System and 360 NGSOC, already support accurate detection of such attacks.


Statement:
This article is reproduced from yisu.com. If there is any infringement, please contact admin@php.cn for deletion.