New Year greetings and COVID-19: how hackers use the news



Cybercriminals routinely tie their malicious attachments to current news and events. With the coronavirus pandemic, many APT groups, including Gamaredon, SongXY, TA428, Lazarus, Konni and Winnti, started using this theme in their campaigns. One recent example of such activity is the attacks of the South Korean group Higaisa.

Experts from the PT Expert Security Center detected and analyzed malicious files created by Higaisa.

Example 1: fake WHO report


In early March, the World Health Organization (WHO) was publishing situation reports on the spread of the coronavirus. Within a few days, Higaisa members began sending emails with a malicious attachment; for cover, a legitimate WHO report in PDF format was used.

The infection began with the file 20200308-sitrep-48-covid-19.pdf.lnk:

image

Contents of the LNK file

The file is a .lnk shortcut carrying the icon of a PDF document. When the user tries to open it, cmd.exe /c is executed with the following command line:

image

Running findstr.exe pulls the Base64 payload appended to the end of the LNK file, which is then decoded with CertUtil.exe (msioa.exe). The decoded result is a CAB archive that is unpacked into the same %tmp% folder and contains several files, including the malware installation script, the original WHO report (as a decoy), and the installer payload.
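The shortcut works because the LNK structure is followed by plain Base64 text that the built-in tools can locate and decode. The following triage script is an added example (not code from the PT report): it checks that a file really is a shell link, searches past the 0x4C-byte header for the Base64 form of a CAB signature, decodes from there to the end of the file the way certutil -decode would, and parses the CFHEADER of the result. The sample shortcut it builds is constructed for the demo and is not the Higaisa file; the marker "TVNDRgAA" is simply the Base64 encoding of "MSCF" followed by the zeroed reserved field every CAB starts with, not something the page says the attackers searched for.

```python
import base64
import re
import struct
from typing import Optional

LNK_HEADER_SIZE = 0x4C
# Shell Link CLSID {00021401-0000-0000-C000-000000000046}, bytes 4..20 of every .lnk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
CAB_MAGIC = b"MSCF"
# Base64 of b"MSCF\x00\x00" (signature + start of zeroed reserved1): every
# Base64-encoded CAB file begins with these 8 characters.
CAB_B64_MARKER = base64.b64encode(CAB_MAGIC + b"\x00\x00")  # b"TVNDRgAA"


def is_lnk(data: bytes) -> bool:
    """Cheap structural check: HeaderSize == 0x4C and the shell link CLSID."""
    return (len(data) >= LNK_HEADER_SIZE
            and data[:4] == b"\x4c\x00\x00\x00"
            and data[4:20] == LNK_CLSID)


def extract_appended_cab(data: bytes) -> Optional[bytes]:
    """Find Base64 text appended after the LNK structure and decode it.
    This mirrors what findstr + certutil -decode do on the victim: locate the
    encoded CAB signature and decode everything from there to end of file."""
    start = data.find(CAB_B64_MARKER, LNK_HEADER_SIZE)
    if start < 0:
        return None
    # certutil tolerates line breaks; strip anything outside the Base64 alphabet
    b64 = re.sub(rb"[^A-Za-z0-9+/=]", b"", data[start:])
    b64 += b"=" * (-len(b64) % 4)
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    return blob if blob.startswith(CAB_MAGIC) else None


def parse_cab_header(cab: bytes) -> dict:
    """Parse the fixed 36-byte CFHEADER (MS-CAB) of the decoded archive."""
    (sig, _r1, cb_cabinet, _r2, _coff_files, _r3,
     ver_minor, ver_major, c_folders, c_files,
     flags, _set_id, _i_cabinet) = struct.unpack_from("<4sIIIIIBBHHHHH", cab, 0)
    assert sig == CAB_MAGIC
    return {"size": cb_cabinet, "version": f"{ver_major}.{ver_minor}",
            "folders": c_folders, "files": c_files, "flags": flags}


def triage_lnk(data: bytes) -> dict:
    """Triage verdict for one shortcut file: is it an LNK, and does it carry a CAB?"""
    result = {"is_lnk": is_lnk(data), "appended_cab": None}
    cab = extract_appended_cab(data) if result["is_lnk"] else None
    if cab is not None:
        result["appended_cab"] = parse_cab_header(cab)
    return result


def build_sample_lnk() -> bytes:
    """Constructed test input (not the real Higaisa sample): a minimal LNK header,
    a little filler, then a Base64-encoded 36-byte CAB header wrapped at 64 columns."""
    lnk_header = b"\x4c\x00\x00\x00" + LNK_CLSID
    lnk_header += b"\x00" * (LNK_HEADER_SIZE - len(lnk_header))
    fake_cab = struct.pack("<4sIIIIIBBHHHHH", CAB_MAGIC, 0, 36, 0, 36, 0,
                           3, 1, 1, 3, 0, 0x1234, 0)
    b64 = base64.b64encode(fake_cab)
    wrapped = b"\r\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + b"\r\n"
    return lnk_header + b"\x00" * 16 + wrapped


if __name__ == "__main__":
    print(triage_lnk(build_sample_lnk()))
```

In practice the same check is worth running over every .lnk attachment in a mail quarantine: a shortcut that validates as an LNK and also decodes to a CAB (or any other archive or PE) after its own structure has no legitimate reason to exist.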

Example 2: New Year's greetings


The second sample analyzed is an RTF file with New Year's greetings:

image

Document with the greeting text

The document was created with the popular Royal Road RTF (or 8.t) builder, which exploits the CVE-2018-0798 vulnerability in the Microsoft Equation Editor. This builder is not publicly available, but it is widely shared among Chinese APT groups, including TA428, Goblin Panda, IceFog and SongXY. The name 8.t comes from the fact that, when triggered, the malicious document creates a file named 8.t in the temporary folder containing the encrypted payload.

Exploiting the vulnerability creates the file %APPDATA%\microsoft\word\startup\intel.wll. This is a DLL dropper that Microsoft Word will load the next time it starts. Its payload consists of two files: %ALLUSERSPROFILE%\TotalSecurity\360ShellPro.exe and %ALLUSERSPROFILE%\TotalSecurity\utils\FileSmasher.exe. Both are stored encrypted with a single-byte XOR key, 0x1A.

image

The main function of the dropper intel.wll (fragment)

The dropper then establishes persistence on the system.

This file is not the only object of this kind attributed to Higaisa. Tencent analysts recorded the distribution of malicious executables named Happy-new-year-2020.scr and 2020-New-Year-Wishes-For-You.scr during the same period. In that case the initial files are executables, and the decoy is a greeting-card JPG that is unpacked and opened in the default image viewer:

image

Apart from the absence of the CVE-2018-0798 exploit, the structure of these threats is almost identical to that of the RTF document. The SCR files are droppers; the payload is decrypted with XOR 0x1A and unpacked into a subfolder under %ALLUSERSPROFILE%.
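Both the intel.wll dropper and the SCR droppers store their payload executables under the same single-byte XOR key, which makes them easy to carve without running anything. The script below is an added example (not code from the PT report or from Tencent): it scans a dropper for the XOR-0x1A form of the "MZ" signature, decodes each candidate, validates the PE headers, and computes the exact on-disk size of each embedded executable from its section table so that two back-to-back payloads are split correctly. The dropper it builds is constructed for the demo with minimal fake PE images; the 360ShellPro.exe and FileSmasher.exe strings inside them are labels only, not the real files.

```python
import struct
from typing import Dict, List

XOR_KEY = 0x1A  # single-byte key reported for the Higaisa droppers


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    return bytes(b ^ key for b in data)


def pe_file_size(img: bytes) -> int:
    """On-disk size of a PE image computed from its section table
    (max PointerToRawData + SizeOfRawData), or 0 if the headers are not a valid PE."""
    if len(img) < 0x40 or img[:2] != b"MZ":
        return 0
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if e_lfanew + 24 > len(img) or img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return 0
    n_sections, = struct.unpack_from("<H", img, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", img, e_lfanew + 20)
    sec_table = e_lfanew + 24 + opt_size
    end = sec_table + 40 * n_sections  # at least the headers themselves
    for i in range(n_sections):
        off = sec_table + 40 * i
        if off + 40 > len(img):
            return 0
        raw_size, raw_ptr = struct.unpack_from("<II", img, off + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def carve_xor_pe(container: bytes, key: int = XOR_KEY) -> List[Dict]:
    """Locate every XOR-`key`-encoded PE inside `container` and return
    offset, size and decoded bytes for each hit."""
    needle = xor_bytes(b"MZ", key)
    hits = []
    pos = container.find(needle)
    while pos != -1:
        head = xor_bytes(container[pos:pos + 0x1000], key)  # enough for the headers
        size = pe_file_size(head)
        if size and pos + size <= len(container):
            hits.append({"offset": pos, "size": size,
                         "data": xor_bytes(container[pos:pos + size], key)})
            pos = container.find(needle, pos + size)
        else:
            pos = container.find(needle, pos + 1)
    return hits


def build_fake_pe(payload: bytes) -> bytes:
    """Constructed minimal PE image (not a runnable executable) with one
    section holding `payload`; enough for header parsing."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40
    section = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                          len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + coff + optional + section + payload


def build_fake_dropper() -> bytes:
    """Constructed dropper body: stub bytes, then two XOR-0x1A payloads back to back."""
    pe1 = build_fake_pe(b"360ShellPro.exe stand-in payload")
    pe2 = build_fake_pe(b"FileSmasher.exe stand-in payload")
    return (b"DROPPER-STUB-CODE" + xor_bytes(pe1) + b"\xff" * 9
            + xor_bytes(pe2) + b"\x00" * 5)


if __name__ == "__main__":
    for h in carve_xor_pe(build_fake_dropper()):
        print(f"PE at 0x{h['offset']:x}, {h['size']} bytes, tail={h['data'][-32:]!r}")
```

Sizing the payload from the section table rather than from "next MZ" matters here: the two executables are adjacent inside the dropper, and a false "MZ" inside the first one would otherwise split it. If the key is unknown, the same scan can be repeated for all 256 single-byte keys, since a valid PE header is an unambiguous plaintext check.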

Conclusion


The study by Positive Technologies analysts traced the evolution of the Higaisa malware. At the same time, the structure of the tools used (droppers, loaders) remains largely unchanged. To hinder detection, the attackers vary individual details: the URL of the command-and-control server, the RC4 key parameters, the legitimate files used for DLL side-loading, and the libraries used for HTTP communication.

The full report is available here.
