search
HomeOperation and MaintenanceSafetyHow to implement APT32 sample analysis

1. Basic information

##Sample MD5bb3306543ff******* *9372bb3c72712Sample file size3.29 MB (3,449,856 bytes)Sample type Backdoor programSample descriptionUsing Office malicious macros to load Trojan modulesAnalysis timeDecember 2019

2. Analysis

2.1 Introduction

This malicious document has been implanted with three pieces of malicious macro code. The main function of the macro is to load and execute the malicious document in the memory. Shellcode code stored in hexadecimal stream mode.

The function of the ShellCode part is to extract a DLL Trojan program {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll from itself, and then execute the export function DllEntry of this Dll to release two 2 in the memory A DLL file related to network communication. The network communication related files are used to support HTTP, HTTPS and UDP protocol communication, and finally establish a communication connection with the C2 end to accept control instructions.

Note: {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll name is consistent with the DLL name of a previously analyzed APT32 sample, and the Shellcode code obfuscation method is similar, the memory loading method is similar, and the IOC extraction method is also similar. All belong to the APT32 organization, so this sample is judged to be related to APT32.

2.2 Deception execution

This attack uses malicious macro code to load malicious modules, and uses social engineering to disguise itself as 360 prompt information to gain the trust of users, thereby Trick users into enabling malicious macro code.

How to implement APT32 sample analysis

2.3 Malicious Macro Analysis

A total of three pieces of malicious macro code were implanted in this malicious document. The first piece of code is saved in the default location of office. 2. The third piece of malicious macro code is saved in the header of the document in the form of a hexadecimal stream.

How to implement APT32 sample analysis

The first macro code (the first macro code to be executed) reads the second macro code saved in the hexadecimal stream from the beginning of the document, dynamically loads and Call the entry function x_N0th2ngH3r3().

How to implement APT32 sample analysis

The second section of macro code reads the third section of macro code saved in the hexadecimal stream from the beginning of the document, dynamically loads and calls the entry function x_N0th2ngH3r3 ().

How to implement APT32 sample analysis

The third section of macro code loads the Shellcode code stored in the hexadecimal stream in the malicious document into the memory by creating a remote thread for the WINWORD process.

How to implement APT32 sample analysis

2.4 Shellcode Malicious Code Analysis

The core function of ShellCode is to extract a DLL file from itself, and self-load this DLL in the memory, and then Execute the exported function DllEntry of this dll. The picture below shows the corrected PE header data:

How to implement APT32 sample analysis

After dumping the Shellcode file from the memory, using LordPE you can see that the export name of the file is: {A96B020F-0000 -466F-A96D-A91BBF8EAC96}.dll. As shown below:

How to implement APT32 sample analysis

##2.5 Analysis of {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll

There is an encrypted resource in the decrypted DLL Resource file:

How to implement APT32 sample analysis

When the DLL is running, it first obtains the resource file and decrypts it. The decrypted resource file contains Trojan configuration information and two network communication-related DLL files, network communication related files are used to support HTTP, HTTPS and UDP protocol communication. The picture below shows the decrypted resource file information:

How to implement APT32 sample analysis

The data structure of the resource is as follows:

2.6 Communication Analysis

Passed by {A96B020F- The C2 domain name resolution address 45.122.138.31 decrypted from the 0000-466F-A96D-A91BBF8EAC96}.dll file resource establishes a communication connection, and uses the POST method in the HTTP protocol to send an online notification to the C2 end, and finally accepts the control end command of the C2 end. Control the target terminal.

How to implement APT32 sample analysis

2.7 Backdoor Function Analysis

Create Process

How to implement APT32 sample analysis

Create Directory, Delete Directory

How to implement APT32 sample analysis

How to implement APT32 sample analysis

File search, read and write, create, delete files and other operations

How to implement APT32 sample analysis

How to implement APT32 sample analysis

How to implement APT32 sample analysis

Registry read and write operations

How to implement APT32 sample analysis

How to implement APT32 sample analysis

2.8IOC

cloud.360cn.info

dns.chinanews.network

aliexpresscn.net

chinaport.org

3. Trend

APT32 is a Vietnamese hacker organization, also known as the OceanLotus organization , focused on attacking foreign companies with close ties to Vietnam, mainly attacking companies related to cybersecurity, manufacturing, media, banks, hotels, technology infrastructure, and consulting. The stolen information included trade secrets, confidential conversation logs, and progress plans. The attack method is to send well-designed phishing emails to targets, and include watering hole attacks with tempting malicious attachments in the emails to implant backdoors or malware into the targets to achieve the goal. The malicious document analyzed this time is the attachment in the phishing email received by the customer.

Through tracking research on the APT32 organization, we found that the organization has now begun to use cloud-based email analysis software in order to monitor and track the distribution of emails, and is gradually using the latest cutting-edge technology to achieve attack purposes. Practitioners in special industries should remain vigilant and confirm the legitimacy of the document when opening emails or sensitive information documents from unknown sources.

The above is the detailed content of How to implement APT32 sample analysis. For more information, please follow other related articles on the PHP Chinese website!

Statement
This article is reproduced at:亿速云. If there is any infringement, please contact admin@php.cn delete
What category does the operation and maintenance security audit system belong to?What category does the operation and maintenance security audit system belong to?Mar 05, 2025 pm 03:59 PM

This article examines operational security audit system procurement. It details typical categories (hardware, software, services), budget allocation (CAPEX, OPEX, project, training, contingency), and suitable government contracting vehicles (GSA Sch

What does the operation and maintenance safety engineer do?What does the operation and maintenance safety engineer do?Mar 05, 2025 pm 04:00 PM

This article explores the roles and required skills of DevOps, security, and IT operations engineers. It details the daily tasks, career paths, and necessary technical and soft skills for each, highlighting the increasing importance of automation, c

What are the job safety responsibilities of operation and maintenance personnelWhat are the job safety responsibilities of operation and maintenance personnelMar 05, 2025 pm 03:51 PM

This article details crucial security responsibilities for DevOps engineers, system administrators, IT operations staff, and maintenance personnel. It emphasizes integrating security into all stages of the SDLC (DevOps), implementing robust access c

The difference between operation and maintenance security audit system and network security audit systemThe difference between operation and maintenance security audit system and network security audit systemMar 05, 2025 pm 04:02 PM

This article contrasts Operations Security (OpSec) and Network Security (NetSec) audit systems. OpSec focuses on internal processes, data access, and employee behavior, while NetSec centers on network infrastructure and communication security. Key

What is operation and maintenance security?What is operation and maintenance security?Mar 05, 2025 pm 03:54 PM

This article examines DevSecOps, integrating security into the software development lifecycle. It details a DevOps security engineer's multifaceted role, encompassing security architecture, automation, vulnerability management, and incident response

What is the prospect of safety operation and maintenance personnel?What is the prospect of safety operation and maintenance personnel?Mar 05, 2025 pm 03:52 PM

This article examines essential skills for a successful security operations career. It highlights the need for technical expertise (network security, SIEM, cloud platforms), analytical skills (data analysis, threat intelligence), and soft skills (co

What is operation and maintenance security?What is operation and maintenance security?Mar 05, 2025 pm 03:58 PM

DevOps enhances operational security by automating security checks within CI/CD pipelines, utilizing Infrastructure as Code for improved control, and fostering collaboration between development and security teams. This approach accelerates vulnerabi

Main work of operation and maintenance securityMain work of operation and maintenance securityMar 05, 2025 pm 03:53 PM

This article details operational and maintenance (O&M) security, emphasizing vulnerability management, access control, security monitoring, data protection, and physical security. Key responsibilities and mitigation strategies, including proacti

See all articles

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

AI Hentai Generator

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)
2 weeks agoBy尊渡假赌尊渡假赌尊渡假赌
Repo: How To Revive Teammates
4 weeks agoBy尊渡假赌尊渡假赌尊渡假赌
Hello Kitty Island Adventure: How To Get Giant Seeds
3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Hot Tools

ZendStudio 13.5.1 Mac

ZendStudio 13.5.1 Mac

Powerful PHP integrated development environment

SAP NetWeaver Server Adapter for Eclipse

SAP NetWeaver Server Adapter for Eclipse

Integrate Eclipse with SAP NetWeaver application server.

EditPlus Chinese cracked version

EditPlus Chinese cracked version

Small size, syntax highlighting, does not support code prompt function

DVWA

DVWA

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software

Atom editor mac version download

Atom editor mac version download

The most popular open source editor