A new Royal Road v7 document installs a .NET backdoor. A first executable is dropped as \os03C2.tmp. This executable has many similarities with older campaigns run by Operation LagTime or Tonto Team.
The decoy document is about COVID-19 infections in Russia and is addressed to the Mongolian authorities. It carries a fake signature of A. Amarsaikhan.
This technique has been used by Operation LagTime and other Chinese APT groups.
The backdoor is installed in C:\MSBuild\WindowsUpdate\S-1–2 under the file name csrss.exe, mimicking the legitimate Windows process.
The configuration of the backdoor is stored in a .NET resource.
The content of the XML file is encrypted with the AES algorithm. The key is hardcoded in the class Main_Form, in the private method Main_Form_Load:
byte[] crypt_key = new byte[] { /* key bytes not reproduced on the page */ };
The XML file is then decrypted:
A session key is created and used to encrypt all data collected by the backdoor and sent to the C2.
A mutex (mutant) is created using information from the configuration:
Persistence is established through the Run keys, after a check of the current privileges:
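As an added defensive example (not code from the original post or from the backdoor), the following Python flags Run-key persistence entries whose command points at a csrss.exe located outside System32, the masquerading described above. The event format and the sample lines are constructed; the flagged path is modelled on the install path given in the text.

```python
import ntpath
import re

# System process names the page's backdoor imitates (csrss.exe). Extend as needed.
SYSTEM_PROCESS_NAMES = {"csrss.exe"}
# Directories where the genuine binaries live (assumes Windows on C:).
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Matches HKCU/HKLM ...\CurrentVersion\Run and RunOnce value paths.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def _image_path(command):
    """Return the executable path from a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_masquerading_path(path):
    """True if the path names a system process binary stored outside System32/SysWOW64."""
    image = _image_path(path)
    if ntpath.basename(image).lower() not in SYSTEM_PROCESS_NAMES:
        return False
    return ntpath.dirname(image).lower() not in LEGIT_DIRS


def scan_registry_events(lines):
    """Return (key, command) pairs for Run-key writes that install a masquerading binary.

    Each line has the constructed form 'TargetObject=<key path>;Details=<value data>'.
    """
    hits = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split(";") if "=" in f)
        target = fields.get("TargetObject", "")
        details = fields.get("Details", "")
        if RUN_KEY_RE.search(target) and is_masquerading_path(details):
            hits.append((target, details))
    return hits


# Constructed sample events: one backdoor-style Run key, one benign Run key,
# and one reference to the genuine csrss.exe from a non-Run key.
SAMPLE_EVENTS = [
    r"TargetObject=HKU\S-1-5-21-1004\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate;Details=C:\MSBuild\WindowsUpdate\S-1-2\csrss.exe",
    r'TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth;Details="C:\Windows\System32\SecurityHealthSystray.exe"',
    r"TargetObject=HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Windows;Details=C:\Windows\System32\csrss.exe",
]

if __name__ == "__main__":
    for key, cmd in scan_registry_events(SAMPLE_EVENTS):
        print("masquerading Run key:", key, "->", cmd)
```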
A connection to the C2 is made in a thread by the method Post_Online_Message. The messages are encrypted with the BasicKey hardcoded in the code: 8A5AE1329F9CD824EE915FE14328D267
The first information sent is the configuration of the compromised computer, gathered by the method Get_ComputerInfo.
It lists the disks, the type of operating system, the processor information and the RAM. This information is collected through WMI, together with the IP address of the computer.
After that, the backdoor waits for orders in another thread with the method Get_Server_Order.
All orders are decrypted with the same BasicKey.
The method Order_Catcher dispatches the different orders:
The orders are Getdir, $GetDisk, GetFileList, Checksum, DeleteFile, DeleteFolder, RenameFolder, RenameFile, RunHide, Upload, Download, ActiveDos, ExecuteCommand, Disconnect, Trans (to transfer data) and Uninstall.
Each order has a method with the same name:
Many TTPs are similar to those of other groups such as TA428 (Operation LagTime) or Tonto, so this backdoor may have been developed by a Chinese APT group.
The use of .NET is a new technique. There are other examples, such as the .NET PlugX loader or the tooling used to install the different payloads of RedDelta: Chinese State-Sponsored Group ‘RedDelta’ Targets the Vatican and Catholic Organizations (recordedfuture.com)
In this case there is no side-loading, unlike many operations driven by Chinese APTs.
Dropped executable file (YARA rule; the strings section is not reproduced on the page):
    meta:
        description = "Backdoor targets Mongolia"
        date = "2020-03-23"
        tlp = "white"
    condition:
        all of them