In February, Recorded Future published an article about a RedEcho campaign against the Indian power sector amid heightened border tensions:

https://www.recordedfuture.com/redecho-targeting-indian-power-sector/

After investigating with RiskIQ passive DNS, I found several interesting IOCs.

The domain ntpc-co.com is the most interesting. This domain has resolved to two IPs: 27.255.94.29 and 210.92.18.132.

These IPs have two linked SSL certificates: 2d2d79c478e92a7de25e661ff1a68de0833b9d9b and 0a71519f5549b21510410cdf4a85701489676ddb.

With these certificates, we can find many of the IPs published in the Recorded Future article:

223.255.155.243
210.121.164.72
223.255.155.238
180.150.226.216
223.255.155.252

And a new IP, published yesterday: 210.92.18.132

RedEcho group parks domains after public exposure | The Record by Recorded Future

These two certificates are therefore important for getting a good view of RedEcho's infrastructure. However, they are also linked to ShadowPad infrastructure, which is used by other Chinese APT groups.

Overview of the infrastructure


A new Royal Road v7 document installs a .NET backdoor. A first executable is dropped as \os03C2.tmp. This executable has many similarities with older campaigns used by Operation LagTime or Tonto Team.

Document

The decoy document is about COVID-19 infections in Russia, sent to the Mongolian authorities. The document is fake-signed A. Amarsaikhan.

This technique was used by Operation LagTime and other Chinese APTs.

Backdoor Analysis

The backdoor is installed in C:\MSBuild\WindowsUpdate\S-1–2 and the file is named csrss.exe, like the legitimate Windows process.

The configuration of the backdoor is stored in a .NET resource.

The…


A new Babuk ransomware sample was uploaded to VirusTotal: bc4066c3b8d2bb4af593ced9905d1c9c78fff5b10ab8dbed7f45da913fb2d748

This version is packed with the same technique as GandCrab, described here:

Threat Profile: GandCrab Ransomware (morphisec.com)

Packer

The first stage is a shellcode loaded with GlobalAlloc and VirtualProtect in function 0042df00.


The file f5a78a155a219582db8959c3a96a1d91ed891801663b1cce0c599779773bc3f5 uses version 7 of the Royal Road document.

This file drops a new backdoor in memory, overwriting the EQNEDT32.EXE process.

This document refers to the ceasefire between Armenia and Azerbaijan and seems to have been sent by the Mongolian authorities.

Analysis of the backdoor in memory

This backdoor is a state machine launching different threads (function 00401640).


The decoy document 74aa6fff407dee851f224329489232a8e7f2d6046aaff3c9cebfff81b7d5db22 uses a version of Royal Road to drop a new backdoor developed in MFC C++.

b19d64d6ef5329b388d688157ebb9f4fa8cae2ccd18ec1fe7bb75b0fcc2350f9

The detection rate on VirusTotal is very low:

The backdoor is packed with a home-made packer. The real entry point is called by a thread with the function AfxWinMain at FUN_00432cc8, and the entry of this thread is at 401740.


In my last article on the Chinoxy backdoor, this version keeps its configuration in a resource called NNKK, which is deciphered at runtime. The purpose of this article is to explain the unpacking and the deciphering of this backdoor's configuration.

The backdoor is loaded by the program confax.exe, a Logitech utility for Bluetooth.

The function called by confax.exe is LGBT_Launch.

In checking this function,


This article is a bit different from the others. The goal is to show how to follow your VirusTotal hunting with Yeti and Pandas.

With VirusTotal Hunting, you can follow samples submitted by users with YARA rules. If a sample matches a rule, you receive a notification, and you can follow the notifications in the VirusTotal console.

For this example, I use a rule to catch the Chinoxy backdoor. In a first post, I linked this backdoor with Winnti,

and in a second post, I linked this backdoor with Vicious Panda: https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746

and I have done a…


Last year I analyzed a Chinoxy backdoor dropped by a Royal Road RTF targeting Vietnam: https://medium.com/@Sebdraven/winnti-uses-the-rtf-exploit-8-t-too-targets-vietnam-13300d432272

On 17 March 2019, a campaign using a Royal Road RTF targeted Kyrgyzstan with a COVID-19 lure document about financial considerations of the World Bank.

5 years of Chinoxy implementation

This backdoor is very similar to the one used against Vietnam.

We have the same custom HTTPS protocol.

The state machines of the backdoors are similar.


The Malaysian CERT issued an advisory on 5 February.

It published many TTPs and IOCs on this group:

There are many interesting links:

The first are the IPs 195.12.50.168 and 167.99.72.82. In my Yeti instance, I found many related observables on them:

hxxp://195.12.50.168/D2_de2o@sp0/ and hxxp://167.99.72.82/main.dotm

These URLs were used by a campaign discovered by ClearSky targeting Malaysia. The victimology is interesting because it concerns the transport industry.

Another interesting link with this advisory is the connection with another campaign in November:

https://app.any.run/tasks/ed03d492-688e-4182-9a06-6f65d8cb18fc/

found by

The malware used here is DadJoke.

APT40 is an active Chinese group in South Asia, close to the MSS (the intelligence service of China), according to Intrusion Truth: https://intrusiontruth.wordpress.com/2020/01/16/apt40-is-run-by-the-hainan-department-of-the-chinese-ministry-of-state-security/


On Twitter, a good analysis of the Clop ransomware has been done, but nothing on the unpacking.

The packer has three stages.

The first stage is an allocation and de-XORing of the overlay in the function FUN_00401000:

// allocate 0x1c20 bytes in the current process ((HANDLE)0xffffffff) with protection 0x40 = PAGE_EXECUTE_READWRITE
local_c = (code *)VirtualAllocEx((HANDLE)0xffffffff,(LPVOID)0x0,0x1c20,DAT_0043f0dc,0x40);

// decode 900 DWORDs of the overlay into the new buffer:
// DAT_00426260 is the XOR key, DAT_00426264 the start of the encoded data
while (local_40 < 900) {
  local_80 = DAT_00426260;
  uVar1 = *(int *)(&DAT_00426264 + local_40 * 4) - local_40 ^ DAT_00426260;  // (dword[i] - i) ^ key
  local_24 = local_24 + -0x438;                                             // unrelated counter, not part of the decoding
  local_84 = (uVar1 << 7 | uVar1 >> 0x19) ^ DAT_00426260;                   // rol32(.., 7) ^ key
  *(uint *)(local_c + local_40 * 4) = local_84;                              // store decoded DWORD i
  local_40 = local_40 + 1;
}

The dropper jumps into the shellcode with:

00401317 call dword…
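As an added example (not code from the article or from the sample), here is a Python re-implementation of the decoding loop in FUN_00401000 above, so the first stage can be recovered from a dump without running the sample. The 900-DWORD bound comes from the decompiled loop; the key value and the sample bytes are constructed for illustration, and the encoder exists only to build a test vector.

```python
import struct

MASK32 = 0xFFFFFFFF
STAGE1_DWORDS = 900  # loop bound in the decompiled code (local_40 < 900)


def rol32(v: int, n: int) -> int:
    """Rotate a 32-bit value left by n bits (the `<< 7 | >> 0x19` idiom)."""
    v &= MASK32
    return ((v << n) | (v >> (32 - n))) & MASK32


def ror32(v: int, n: int) -> int:
    """Rotate a 32-bit value right by n bits (inverse of rol32)."""
    v &= MASK32
    return ((v >> n) | (v << (32 - n))) & MASK32


def decode_stage1(key: int, encoded: bytes, count: int = STAGE1_DWORDS) -> bytes:
    """Mirror of the loop: key is the DWORD at DAT_00426260, encoded starts at
    DAT_00426264.  For DWORD i:  v = (dword[i] - i) ^ key ;  out[i] = rol32(v, 7) ^ key."""
    out = bytearray()
    for i in range(min(count, len(encoded) // 4)):
        dword = struct.unpack_from("<I", encoded, i * 4)[0]
        v = ((dword - i) & MASK32) ^ key
        out += struct.pack("<I", rol32(v, 7) ^ key)
    return bytes(out)


def encode_stage1(key: int, plain: bytes) -> bytes:
    """Exact inverse of decode_stage1; only used here to build a test vector."""
    out = bytearray()
    for i in range(len(plain) // 4):
        dword = struct.unpack_from("<I", plain, i * 4)[0]
        v = ror32(dword ^ key, 7) ^ key
        out += struct.pack("<I", (v + i) & MASK32)
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: a made-up key and a short fake payload, not real Clop data.
    key = 0xA5C3E1F7
    plain = bytes(range(64))
    blob = encode_stage1(key, plain)
    assert decode_stage1(key, blob) == plain
    print(decode_stage1(key, blob).hex())
```

In a real dump, read the key from DAT_00426260 and the 3600 bytes that follow DAT_00426264, then write the output of decode_stage1 to a file for disassembly.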

Sebdraven

OSINT, Python,Malware Analysis, Botnet Tracker, SIEM and IPS/IDS and Threats Expert / co-organizer #BotConf / co-creator of #FastIR/ Researcher at @Epita
