
Tmanger – TA428’s New Arsenal

Introduction

In February 2020, we were investigating the attack campaign “Operation LagTime IT” by the APT group “TA428”.

The attackers compromised an environment we monitor and carried out a variety of intrusion activities. After taking control of a machine using Cotx RAT, they moved laterally and compromised further machines.

After successfully using EternalBlue to move to multiple hosts on the same network, the attacker began running an interesting piece of malware on one of them.

This RAT, whose PDB path contains the string Tmanger, was a malware we had never seen before.

We presented a very detailed investigation of this intrusion at VB2020 localhost [1]; here, we introduce Tmanger and its related malware in a three-part series. This first part covers Tmanger itself.

Tmanger

Tmanger is a RAT used by TA428. We call it Tmanger because that string appears in its PDB path, as shown in Figure 1. Tmanger is probably a typo of Tmanager.

One reason for this assumption is that a malware that appears to be related to Tmanger, which we will cover in the following articles, is called Smanager. Whether or not the author intended it, there are other typos as well, such as the strings Entery and Waston.


Figure 1 Tmanger PDB information

Tmanger is under active development, and a number of variants appear to exist. Besides the attacks we observed, Tmanger has also been used against Mongolia (TA428’s original target) and Vietnam, which participates in the Belt and Road Initiative.

TA428 is reported to share the Royal Road RTF weaponizer with other APT groups such as Tick and Tonto [2][3], so Tmanger may also be shared with other APT groups; however, we have found no clear evidence of this.

Analysis results

We have observed Tmanger versions 1.0 through 4.5. Tmanger basically consists of three parts: SetUp, MloadDll and Client. Each part shows some behavioral differences between versions, but their basic roles are:

Name        Overview
SetUp       Expands (inflates) and runs MloadDll
MloadDll    Expands (inflates) and runs Client
Client      RAT body

These names come from the internal names of the respective EXE, DLL and PDB, and we believe the attackers divide the malware the same way we do. Let’s look at each in turn.

Setup

SetUp first creates an event with a specific name using CreateEvent (MloadDll and Client do the same) and branches on whether this succeeds: if it succeeds, execution continues; if it fails, the process terminates at this point. This is presumably meant to prevent multiple instances from running. The event names differ between samples, but all Tmanger samples we observed match the following regular expression.

/[0-9a-f]{8}-[0-9a-f]{4}-4551-8f84-08e738aec[0-9a-f]{3}/

It then checks the user’s privileges with IsUserAdmin and branches on whether the user is an administrator. The persistence method differs for administrators and non-administrators.

For the administrator

First, the following data is decoded by XOR with 0x88. It is used later when registering the service.

· DFS Replication

· FTP Publishing Service

· ReadyBoost

· Software Licensing

· SL UI Notification Service

· Terminal Services Configuration

· Media Center Extender Service

· Media Center Service Launcher

· Software\Microsoft\Windows NT\CurrentVersion\Svchost

· netsvcs

· %SystemRoot%\System32\svchost.exe -k netsvcs

· Machine\System\CurrentControlSet\Service\

Next, the following API names are decoded in the same way (XOR 0x88) and resolved.

· RegOpenKeyEx

· RegQueryValueEx

· OpenSCManager

· RegOpenKeyExA

· RegQueryValueExA

· RegSetValueExA

· GetSystemDirectoryA

· RegCloseKey

Next, the deflated data is inflated and saved as a DLL in System32 under a random 4-character file name. This DLL is MloadDll.

XOR 0x88 decoding is used once more to decode and resolve an API name, in this case CreateServiceA. The following strings are obtained in the same way.

· System\CurrentControlSet\Services\

· Description

· DisplayName

· ServiceDll

· Parameters

Using the strings decoded so far, the DLL written to System32 earlier is registered as a service. Finally, the service is started.
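As an added example (not code from the original post or from a Tmanger sample), the following Python script shows how an analyst can recover strings protected by the single-byte XOR (0x88) scheme described above. The encoded blob is constructed here by encoding a few of the strings listed in this section ourselves, so it runs offline; the function names and the brute-force key recovery, which helps when a new variant changes the key, are our own.

```python
import re

XOR_KEY = 0x88  # single-byte XOR key used by Tmanger SetUp, per the analysis above

# Constructed input: a few of the strings named in the article, XOR-encoded by
# us and NUL-terminated, so the example runs offline. Not bytes from a sample.
_PLAINTEXT = [
    b"CreateServiceA",
    b"RegOpenKeyExA",
    b"netsvcs",
    b"%SystemRoot%\\System32\\svchost.exe -k netsvcs",
]
SAMPLE_BLOB = b"".join(bytes(c ^ XOR_KEY for c in s) + b"\x00" for s in _PLAINTEXT)


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Apply a single-byte XOR to every byte (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def extract_strings(blob: bytes, key: int = XOR_KEY, min_len: int = 4) -> list:
    """Decode the blob and return the printable ASCII runs it contains.

    The encoded strings are NUL-terminated, so after decoding they are
    separated by 0x00 bytes and a printable-run scan recovers each one.
    """
    decoded = xor_decode(blob, key)
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, decoded)]


def guess_key(blob: bytes, known_plaintext: bytes) -> int:
    """Recover a single-byte XOR key by trying all 256 candidates.

    An API name the loader must resolve (e.g. CreateServiceA) is a good crib.
    Returns -1 when no key reveals the crib.
    """
    for key in range(256):
        if known_plaintext in xor_decode(blob, key):
            return key
    return -1


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_BLOB):
        print(s)
    print("recovered key: 0x%02x" % guess_key(SAMPLE_BLOB, b"CreateServiceA"))
```

On a real sample, the blob would be the encoded data section carved from the binary; the crib-based key search is what makes the same script usable when a later version swaps the constant.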

For non-administrators

First, it checks whether a file named Rahoto.exe exists in the Temp directory. If it does not, it copies itself to the Temp directory as Rahoto.exe and sets it to start automatically via the CurrentVersion\Run registry key.

It then behaves as MloadDll.
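The following Python script, added here as an example and not part of the original post, turns the host artifacts described in the SetUp section (the event-name pattern, an svchost netsvcs service whose ServiceDll is a four-character DLL in System32, and a Rahoto.exe entry under a Run key) into simple triage checks over constructed inputs. The sample records, the assumption that the random four-character file name is alphanumeric, and the function names are ours.

```python
import re

# Event name pattern reported for all observed Tmanger samples (from the article).
EVENT_NAME_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-4551-8f84-08e738aec[0-9a-f]{3}")

# Service persistence: a netsvcs svchost service whose ServiceDll is a DLL with
# a four-character name in System32. ASSUMPTION (ours): the random name is
# alphanumeric; the article only says "random 4-character file name".
NETSVCS_RE = re.compile(r"svchost\.exe\s+-k\s+netsvcs\b", re.I)
SERVICEDLL_RE = re.compile(
    r"^(?:%systemroot%|[a-z]:\\windows)\\system32\\[a-z0-9]{4}\.dll$", re.I)

# Non-admin persistence: Rahoto.exe in a Temp directory started from a Run value.
RUN_VALUE_RE = re.compile(r"\\temp\\rahoto\.exe\b", re.I)

# Constructed sample data standing in for handle, service and registry dumps.
SAMPLE_EVENTS = [
    "Global\\UserProfileUpdate",
    "1a2b3c4d-5e6f-4551-8f84-08e738aec0ff",
]
SAMPLE_SERVICES = [
    {"name": "Dnscache", "display_name": "DNS Client",
     "image_path": "%SystemRoot%\\System32\\svchost.exe -k NetworkService",
     "service_dll": "%SystemRoot%\\System32\\dnsrslvr.dll"},
    {"name": "LanmanServer", "display_name": "Server",
     "image_path": "%SystemRoot%\\System32\\svchost.exe -k netsvcs",
     "service_dll": "%SystemRoot%\\System32\\srvsvc.dll"},
    # Constructed entry modelled on the display names listed in the article.
    {"name": "dfsrep", "display_name": "DFS Replication",
     "image_path": "%SystemRoot%\\System32\\svchost.exe -k netsvcs",
     "service_dll": "C:\\Windows\\System32\\xk7q.dll"},
]
SAMPLE_RUN_VALUES = {
    "OneDrive": "\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background",
    "Rahoto": "C:\\Users\\alice\\AppData\\Local\\Temp\\Rahoto.exe",
}


def suspicious_events(names):
    """Event names matching the Tmanger pattern (works with a Global\\ prefix too)."""
    return [n for n in names if EVENT_NAME_RE.search(n)]


def suspicious_services(services):
    """Service names whose ImagePath is netsvcs svchost and ServiceDll is a 4-char DLL."""
    hits = []
    for svc in services:
        if NETSVCS_RE.search(svc.get("image_path", "")) and \
           SERVICEDLL_RE.match(svc.get("service_dll", "")):
            hits.append(svc["name"])
    return hits


def suspicious_run_values(run_values):
    """Run value names whose command points at Rahoto.exe in a Temp directory."""
    return [name for name, cmd in run_values.items() if RUN_VALUE_RE.search(cmd)]


def triage(events, services, run_values):
    """Collect all three checks into one findings dictionary."""
    return {"events": suspicious_events(events),
            "services": suspicious_services(services),
            "run_values": suspicious_run_values(run_values)}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, SAMPLE_SERVICES, SAMPLE_RUN_VALUES))
```

The service check deliberately keys on the structure (netsvcs host plus an unusually short DLL name) rather than on the decoded display names, since those are borrowed from legitimate Windows services and would not separate the malicious entry from the real one.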

MloadDll

MloadDll implements Entery and ServiceMain as export functions. Even when started from ServiceMain, Entery is eventually executed, so the basic behavior is the same.

First, RC4 key data is generated, as shown in Figure 2. This process is common to all Tmanger components.


Figure 2 The process of generating an encryption key

The generated key data is then used to decrypt the configuration data. As shown in Figure 3, the configuration data includes the C&C server address and port number.


Figure 3 Configuration data

Next, the deflated data is inflated; the result is the Client. Finally, the Client’s export function callfunc is called.

Client

After processing such as the CreateEvent check, the following host information is collected.

· OS and architecture information

· Drive information

· Host information

· User information

After that, a thread is created and the following loop is repeated. First, a socket is created; if that succeeds, the following mutexes are created with CreateMutex.

· sock_hmutex

· cmd_hmutex

Next, it checks whether a connection to the C&C server can be established. If the connection succeeds, it waits for commands from the C&C server. The command list is as follows.

Command       Description
1, 17         Start a specific process
2             Get directory information
3, 19, 35     Send a file from the client to the C&C server
4             Get file information
18            Delete a file
20, 52        Clean up memory, etc.
34            Start a process by creating a process
36            Write a file
50            Copy a file
80, 81        Get key log
96            Take a screenshot
Other         Sleep

The traffic is encrypted with RC4; when decrypted, its structure is as shown in Figure 4.


Figure 4 Traffic structure

The ID found at the beginning of the decrypted data is generated from the process ID. The generation process is as follows.

[Figure: ID generation process]

This ID is used to manage the process and its traffic.

IOCs

592ec23b88b1baf0bc4f41f9fac91b86d2a89b07
04b0d4f141debad94afc3f8fa611b8418c67ad32
75ec1894bd72bc51ebbefd38d44ac43e8830380c
6a10eb7351bb71b8ed87ef3ebeb27f947cbdde86
060c36e49167148a4066e9612008210f82e84e6b
9b9466d2b8cde5839d6546c51ade83d943d0c9a9
0d54ef5e391d6ca73e4dbf91b9bfbcd70df0d17e
181488511abc0ba2d05ea1075e741a9c4e905161
de122b38f4d97d7426f67c39e9575ecf
3e0ff68551a53307ad748d7391363044
505f5ed67fcf7c7e839939e6bc6b895a
154db6dc0aa8004ec899fd1caeb6fa3e
044699e01cfcc13fbeb58b78f8edb020
205e62257c8b6b2765f178d2dd50393a
90640e2064f0c636569c1c2ade99282a
50015c88ae6b6f17f1e487c227ab7021
8510f4d1bbe21688487a8a745a9d9ef2