
APT37 uses VBA self-decoding technology to inject RokRat

Introduction

On December 7, 2020, researchers discovered a malicious document uploaded to VirusTotal. The content of the document announced a meeting to be held in January 2020, and the document was compiled on January 27, 2020; it mainly targeted the South Korean government. In other words, it had been 1 year since the attack occurred.

The file contains an embedded macro that uses VBA self-decoding: the real macro is decoded in Office's memory space without ever being written to the hard disk, and a RokRat variant is then injected into Notepad.

Based on the analysis of the injected payload, the researchers believe that the sample is related to APT37. APT37, also known as ScarCruft, Reaper, and Group123, is a hacking group that has been active since 2012 and mainly targets victims in South Korea.

Document analysis

The VBA self-decoding technique in the macros used by the attackers first appeared in 2016. With this technique, the malicious macro is stored in encoded form and is only decoded and executed dynamically at run time.

Figure 1: Malicious document

We can think of the visible macro as an unpacker stub that runs when the document is opened. The stub decompresses the malicious macro and writes it into Office's memory rather than to the hard disk, which bypasses many security mechanisms.

Figure 2: Self-decoding technique

The macro used in this file is shown in Figure 3. It begins by calling the “ljojijbjs” function and takes different execution paths depending on the result.

Figure 3: Encoded macro

Microsoft disables dynamic execution of macros by default. An attacker who wants to execute macros dynamically has to modify the registry value that restricts access to the VBA object model (VBOM).

To check whether VBOM access is already enabled, the macro simply tries to access the VBOM: the “ljojijbjs” function tests read access to VBProject.VBComponents. If an exception is raised, VBOM access still has to be enabled; if there is no exception, VBOM access has already been enabled and the VBA code can generate macros dynamically.

Figure 4: Check VBOM access

To enable VBOM access, the “fngjksnhokdnfd” function is called. It sets the VBOM registry value to 1.

Figure 5: Modify VBOM registry key

After enabling VBOM access, the CreateMutexA API is called to create a mutex named “mutexname” on the victim's machine. Attackers usually do this to make sure a victim is infected only once, but no code that actually checks the mutex is found in the file.

Figure 6: Mutex creation

Finally, to carry out the self-decoding process, the macro creates a new Application object, opens the current document in it, and keeps that instance invisible.

Figure 7: Self-opening

Once VBOM access has been enabled, the Init function is called to generate the malicious macro in obfuscated form.

Figure 8: Obfuscated macro

The obfuscated macro is then passed to “eviwbejfkaksd” for deobfuscation and executed in memory.

Figure 9: Deobfuscation

To deobfuscate the macro, two string arrays are defined:

· StringOriginal: the character array of plaintext characters from which the decoded macro is built;

· StringEncoded: the character array of the corresponding obfuscated characters, at the same positions;

A loop then deobfuscates the macro character by character: for each character of the obfuscated macro, it looks up the character's index in StringEncoded, takes the character at the same index in StringOriginal, and appends it to the new macro. For example, “gm* bf” in the encoded macro decodes to “Option”.

Figure 10: Deobfuscation loop
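As an added example (not code from the article or from the macro itself), the following Python reimplements the per-character substitution decoding that the loop performs, and goes slightly beyond the page by rejecting malformed tables and offering a strict mode for unknown characters. The two alphabets are constructed only so that the page's sample pair “gm* bf” → “Option” holds; the sample's real StringOriginal and StringEncoded arrays are not reproduced here.

```python
"""Reimplementation of the per-character substitution decoding that the
"eviwbejfkaksd" loop performs. Added example; not the macro's own code."""
from typing import Dict, Optional

# CONSTRUCTED alphabets: chosen only so that the page's sample "gm* bf"
# decodes to "Option". The real StringOriginal/StringEncoded arrays from
# the sample are not reproduced here. Same index = same character.
STRING_ORIGINAL = "Option ExlcSub"   # plaintext characters
STRING_ENCODED = "gm* bfQ7#z!vR~"    # their obfuscated counterparts


def build_table(original: str = STRING_ORIGINAL,
                encoded: str = STRING_ENCODED) -> Dict[str, str]:
    """Map each obfuscated character to the plaintext character at the same
    index, rejecting tables that could not be decoded unambiguously."""
    if len(original) != len(encoded):
        raise ValueError("alphabets must have the same length")
    if len(set(encoded)) != len(encoded):
        raise ValueError("encoded alphabet contains duplicate characters")
    return dict(zip(encoded, original))


def deobfuscate(blob: str, table: Optional[Dict[str, str]] = None,
                strict: bool = False) -> str:
    """Decode one character at a time: look the character up in
    StringEncoded and emit the character at that index in StringOriginal.
    Characters absent from the table pass through unchanged unless
    strict=True (an assumption; the page does not say what the macro does)."""
    table = build_table() if table is None else table
    out = []
    for ch in blob:
        if ch in table:
            out.append(table[ch])
        elif strict:
            raise ValueError(f"character {ch!r} is not in the table")
        else:
            out.append(ch)
    return "".join(out)


def obfuscate(text: str) -> str:
    """Inverse transform, handy for round-trip checks of a recovered table."""
    inverse = {plain: enc for enc, plain in build_table().items()}
    return "".join(inverse.get(ch, ch) for ch in text)


if __name__ == "__main__":
    # Constructed fragment: "Option Explicit" run through the table.
    sample = obfuscate("Option Explicit")
    print(sample, "->", deobfuscate(sample))
```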

The decoded macro is then executed in Office's memory space: a new module is created, the decoded macro is written into it, and its main function is called.

The main function defines a shellcode in hexadecimal format; the target process is notepad.exe. Depending on the operating system version, it creates a notepad.exe process and uses VirtualAlloc to allocate memory in its address space. It then writes the shellcode into the allocated memory with WriteProcessMemory and finally calls CreateRemoteThread to execute the shellcode in the address space of notepad.exe.

Figure 11: Deobfuscated macro
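From the defender's side, here is an added example (not the researchers' tooling) that runs detection logic for two artifacts of this chain, the VBOM registry change made by “fngjksnhokdnfd” and the Office-to-notepad.exe remote thread, over constructed Sysmon-style events. It assumes Sysmon's event IDs 13 (RegistryValueSet), 1 (ProcessCreate) and 8 (CreateRemoteThread) with their field names; the AccessVBOM value under the Word Security key is the real Office location, while the SID and process paths are made up.

```python
"""Detection logic for two host artifacts of this chain: an Office process
enabling AccessVBOM, and an Office process creating a remote thread inside
a notepad.exe it spawned. Added example over CONSTRUCTED Sysmon-style
events (IDs 13, 1 and 8); not the researchers' tooling."""
from typing import Dict, List, Set, Tuple

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
NOTEPAD = r"C:\Windows\System32\notepad.exe"

# Constructed events. The AccessVBOM value under ...\Word\Security is the
# real location; the SID and the images are made up.
EVENTS: List[Dict[str, str]] = [
    {"id": "13", "Image": WORD, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKU\S-1-5-21-1-1-1-1001\Software\Microsoft\Office"
                     r"\16.0\Word\Security\AccessVBOM"},
    {"id": "1", "Image": NOTEPAD, "ParentImage": WORD},
    {"id": "8", "SourceImage": WORD, "TargetImage": NOTEPAD},
    # Benign noise: the user starts Notepad from Explorer.
    {"id": "1", "Image": NOTEPAD, "ParentImage": r"C:\Windows\explorer.exe"},
]


def base(path: str) -> str:
    """Lower-case file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, office_image) findings. Rule 1: AccessVBOM set to 1 by
    an Office process. Rule 2: CreateRemoteThread from an Office process into
    notepad.exe, named more strongly when that image also spawned notepad."""
    findings: List[Tuple[str, str]] = []
    spawners: Set[str] = set()
    for e in events:
        if e["id"] == "13" and base(e["Image"]) in OFFICE:
            if (e["TargetObject"].lower().endswith(r"\security\accessvbom")
                    and e["Details"].endswith("(0x00000001)")):
                findings.append(("office_enables_accessvbom", base(e["Image"])))
        elif e["id"] == "1" and base(e["Image"]) == "notepad.exe":
            if base(e["ParentImage"]) in OFFICE:
                spawners.add(base(e["ParentImage"]))
        elif e["id"] == "8" and base(e["TargetImage"]) == "notepad.exe":
            src = base(e["SourceImage"])
            if src in spawners:
                findings.append(("office_spawn_and_inject_notepad", src))
            elif src in OFFICE:
                findings.append(("office_inject_notepad", src))
    return findings
```

Event 13 only appears if the Sysmon configuration includes the AccessVBOM value in its RegistryEvent filter, so the first rule depends on that collection being in place.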

Payload analysis (RokRat)

The shellcode injected into notepad.exe downloads an encrypted payload from http://bit[.]ly/2Np1enh; the link redirects to a Google Drive link.

Figure 12: Download URL

The payload injected into notepad.exe is a variant of the cloud-based RAT RokRat, which APT37 has been using since 2017. The compilation time of the sample is October 29, 2019. The RAT can steal data from the victim's machine and send it to cloud services such as pCloud, Dropbox, Box and Yandex.

Figure 13: Hard-coded cloud services

Like the previous variant, this variant uses many anti-analysis techniques to make sure it is not running in an analysis environment. Some of the checks include:

· Checking for DLLs related to iDefense SysAnalyzer, Microsoft debugging DLLs and sandbox DLLs;

· Calling IsDebuggerPresent and GetTickCount to detect a debugger;

· Checking for VMware-related files.

Figure 14: Anti-analysis techniques

The RAT has the following functions:

· Taking screenshots;

Figure 15: Screenshot

· Collect system information, such as user name, computer name, BIOS, etc.;

Figure 16: Collect BIOS data

· Stealing data and sending it to cloud services;

Figure 17: Data theft

· Credential theft;

· File and directory management, etc.

Conclusion

APT37's main infection vector is spear phishing. In this case the researchers found that it used Office documents weaponized with self-decoding macros. The self-decoding macro technique can bypass many static detection mechanisms and hide the signs of a malicious document. The final payload used in the attack was a RokRat RAT variant, which in this example was injected into notepad.exe.

IOCs