
Tmanger – TA428’s New Arsenal


In February 2020, we were investigating the attack campaign “Operation LagTime IT” of the APT group “TA428”.

The attackers broke into a system we monitor and carried out various malicious activities. After taking control of a machine with Cotx RAT, they moved laterally and compromised further machines.

After successfully using EternalBlue to move laterally to multiple hosts on the same network, the attacker began running an interesting piece of malware on one of the hosts.

The RAT with “Tmanger” written in its PDB path is an unknown malware that I had never seen before.

We presented a very detailed investigation of this intrusion at VB2020 localhost [1], but here we will introduce Tmanger and its related malware in a three-part series. This first part covers Tmanger itself.


Tmanger is a RAT used by TA428. We call it Tmanger because that string appears in its PDB path, as shown in Figure 1. “Tmanger” may be a typo of “Tmanager”.

As I will show in the following articles, one reason for thinking so is that a malware called Smanager appears to be related to Tmanger. I don’t know whether the malware author intended it, but there are other typos as well: for example, the strings “Entery” and “Waston”.


Figure 1 Tmanger PDB information

Tmanger is under active development, and a number of related specimens exist. In addition to the attacks we observed, Tmanger has also been used against Mongolia (TA428’s original target) and Vietnam, which participates in the Belt and Road Initiative.

According to reports, TA428 shares the Royal Road RTF weaponizer with other APT groups such as Tick and Tonto [2][3], so Tmanger might also be shared with other APT groups. However, we have not found any clear evidence of this.

Analysis result

We have observed Tmanger versions from 1.0 to 4.5. Basically, Tmanger consists of three parts: SetUp, MloadDll and Client. Individual samples show some behavioral differences, but the basic role of each part is:

Name       Overview
SetUp      Expands and runs MloadDll
MloadDll   Expands and runs Client
Client     RAT body

These names come from the internal names found in each EXE, DLL and PDB, and we believe the attackers classify the components the same way we do. Let’s take a closer look at each.

SetUp

The following behavior also exists in MloadDll and Client: first, an event with a specific name is created with CreateEvent, and execution branches on whether this succeeds. If it succeeds, execution continues; if it fails, execution ends at this point. This is believed to be intended to prevent multiple instances from running. The event name differs between samples, but all the Tmanger samples we have observed satisfy the following regular expression.

/[0-9a-f]{8}-[0-9a-f]{4}-4551-8f84-08e738aec[0-9a-f]{3}/

Then, IsUserAdmin is used to check the user’s privileges, and subsequent processing branches on whether the user is an administrator. The persistence method differs for administrators and non-administrators.

For the administrator

First, the following strings are decoded by XOR with 0x88. They are used later when registering the service.

· DFS Replication
· FTP Publishing Service
· ReadyBoost
· Software Licensing
· SL UI Notification Service
· Terminal Services Configuration
· Media Center Extender Service
· Media Center Service Launcher
· Software\Microsoft\Windows NT\CurrentVersion\Svchost
· netsvcs
· %SystemRoot%\System32\svchost.exe -k netsvcs
· Machine\System\CurrentControlSet\Service\

Next, the following API names are decoded in the same way with XOR 0x88 and resolved.

· RegOpenKeyEx
· RegQueryValueEx
· OpenSCManager
· RegOpenKeyExA
· RegQueryValueExA
· RegSetValueExA
· GetSystemDirectoryA
· RegCloseKey

Next, deflate-compressed data is inflated and saved as a DLL in System32 under a random 4-character file name. This DLL is MloadDll.

XOR 0x88 is used once more to decode an API name, which is then resolved; the API obtained this way is CreateServiceA. The following strings are also obtained in the same manner.

· System\CurrentControlSet\Services\
· Description
· DisplayName
· ServiceDll
· Parameters

The strings decoded so far are used to register the DLL written to System32 as a service. Finally, the service is started.
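The two obfuscation details above (the single-byte XOR 0x88 string encoding and the fixed tail of the single-instance event name) are easy to turn into triage helpers. The following Python is an added example, not code from the original post; the sample buffer is constructed here by encoding strings listed in the analysis.

```python
import re

# Event-name pattern reported for Tmanger's single-instance check.
EVENT_NAME_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-4551-8f84-08e738aec[0-9a-f]{3}$")

XOR_KEY = 0x88  # single-byte key used for the string and API-name obfuscation


def is_tmanger_event_name(name: str) -> bool:
    """True if an event name matches the fixed tail seen across Tmanger samples."""
    return EVENT_NAME_RE.fullmatch(name) is not None


def decode_xor88_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Decode a buffer of NUL-terminated strings that were XORed with 0x88.

    Since 0x00 ^ 0x88 == 0x88, the encoded terminator is the key byte itself,
    so the buffer is split on 0x88, each run is XORed back, and runs that
    decode to printable ASCII of at least min_len characters are kept.
    """
    out = []
    for chunk in blob.split(bytes([XOR_KEY])):
        decoded = bytes(b ^ XOR_KEY for b in chunk)
        if len(decoded) >= min_len and all(0x20 <= c < 0x7F for c in decoded):
            out.append(decoded.decode("ascii"))
    return out


def encode_xor88(strings: list[str]) -> bytes:
    """Build a test buffer in the same layout (only used to construct the sample)."""
    return b"".join(
        bytes(c ^ XOR_KEY for c in s.encode("ascii")) + bytes([XOR_KEY]) for s in strings
    )


# Constructed sample: service-registration strings from the analysis, stored
# the way the SetUp component keeps them before decoding.
SAMPLE_BLOB = encode_xor88([
    "netsvcs",
    "ServiceDll",
    "%SystemRoot%\\System32\\svchost.exe -k netsvcs",
    "CreateServiceA",
])

if __name__ == "__main__":
    for s in decode_xor88_strings(SAMPLE_BLOB):
        print(s)
    print(is_tmanger_event_name("0123abcd-ef01-4551-8f84-08e738aec123"))
```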

If not an administrator

First, it checks whether a file named Rahoto.exe exists in the Temp directory. If it does not, it copies itself to the Temp directory as Rahoto.exe and sets up automatic startup via the CurrentVersion\Run registry key.

It then behaves as MloadDll.
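Both persistence paths leave registry artifacts a defender can hunt for: a netsvcs-group service whose ServiceDll is a 4-character DLL in System32 (administrator path) or a Run-key entry pointing at Rahoto.exe in a Temp directory (non-administrator path). The Python below is an added example, not from the original post; it runs the checks over a constructed registry snapshot, with all service and file names other than the page's Rahoto.exe made up for the demo.

```python
import re

# Constructed snapshot of what a hunt would read from the registry:
# the netsvcs group list, each service's Parameters\ServiceDll value,
# and the HKCU ...\CurrentVersion\Run entries. "DemoSvc" and "ab3x.dll" are
# invented suspicious entries; the others mimic legitimate services.
NETSVCS_GROUP = ["BITS", "Schedule", "lanmanserver", "DemoSvc", "Themes"]

SERVICE_DLLS = {
    "BITS": r"%SystemRoot%\System32\qmgr.dll",
    "Schedule": r"%SystemRoot%\System32\schedsvc.dll",
    "lanmanserver": r"%SystemRoot%\System32\srvsvc.dll",
    "DemoSvc": r"C:\Windows\System32\ab3x.dll",
    "Themes": r"%SystemRoot%\System32\themeservice.dll",
}

RUN_KEY = {
    "OneDrive": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "Rahoto": r"C:\Users\user\AppData\Local\Temp\Rahoto.exe",
}

# A 4-character DLL name directly under System32, as used by SetUp.
RANDOM4_DLL_RE = re.compile(r"(?i)\\system32\\[a-z0-9]{4}\.dll$")
# Rahoto.exe located in a Temp directory, as used in the non-admin path.
TEMP_RAHOTO_RE = re.compile(r"(?i)\\temp\\rahoto\.exe$")


def suspicious_netsvcs_services(group, service_dlls):
    """Return (service, ServiceDll) pairs in netsvcs whose DLL has a 4-char name.

    Legitimate 4-character DLLs exist (BITS uses qmgr.dll), so hits are triage
    leads to confirm by signature and file age, not verdicts on their own.
    """
    hits = []
    for svc in group:
        dll = service_dlls.get(svc, "")
        if RANDOM4_DLL_RE.search(dll):
            hits.append((svc, dll))
    return hits


def suspicious_run_entries(run_key):
    """Return Run-key entries whose target is Rahoto.exe in a Temp directory."""
    return [(name, path) for name, path in run_key.items() if TEMP_RAHOTO_RE.search(path)]


if __name__ == "__main__":
    print(suspicious_netsvcs_services(NETSVCS_GROUP, SERVICE_DLLS))
    print(suspicious_run_entries(RUN_KEY))
```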

MloadDll

MloadDll exports the functions Entery and ServiceMain. Even when executed via ServiceMain, Entery is eventually executed, so the basic behavior is the same.

First, the RC4 key data is generated as shown in Figure 2. This process is common to all Tmanger components.


Figure 2 The process of generating an encryption key

The generated key data is then used to decrypt the configuration data. As shown in Figure 3, the configuration data contains the C&C server address and port number.


Figure 3 Configuration data

Next, deflate-compressed data is inflated; the result is the Client. Finally, the Client’s export function callfunc is called.

Client

After processing such as the CreateEvent check, the following host information is collected.

· Operating system and architecture information
· Drive information
· Host information
· User information

After that, a thread is created and a loop is repeated. First a socket is created; if this succeeds, CreateMutex is used to create the following mutexes.

· sock_hmutex
· cmd_hmutex

Next, it checks whether a connection to the C&C server has been established. If the connection succeeds, it waits for commands from the C&C server. The command list is as follows.

Command      Description
1, 17        Start a specific process
2            Get directory information
3, 19, 35    Send a file from the client to the C&C server
4            Get file information
18           Delete a file
20, 52       Clean up memory, etc.
34           Start a process by creating a process
36           Write a file
50           Copy a file
80, 81       Get key log
96           Take a screenshot
Other        Sleep

The traffic is encrypted with RC4; once decrypted, it has the structure shown in Figure 4.


Figure 4 Flow structure

The ID found at the beginning of the decrypted data is generated from the process ID. The generation process is as follows.


This ID is used to manage processes and traffic.