Hunting for Sofacy: Lojax Double-Agent Analysis

Introduction

A new variant of the infamous APT28 Lojax (aka Double-Agent) has been discovered by the Yoroi-Cybaze ZLab researchers. It is the latest version of the well-known Double-Agent rootkit, previously analyzed by ESET researchers.

The behavior of the Lojax sample seems to be similar to the previous versions: it abuses the legitimate “Absolute Lojack” software to gain persistence on the infected system. Lojack is an anti-theft and localization software developed by Absolute Software Corporation, pre-installed in the BIOS image of several Lenovo, HP, Dell, Fujitsu, Panasonic, Toshiba and Asus machines. In the past, this software was known as “Computrace”.

Despite its legitimate purposes, the Absolute Lojack software acts like a rootkit (more precisely, a bootkit): its BIOS component forces the writing of a small agent named “rpcnetp.exe” into the system folder. The agent periodically contacts the Absolute server and sends it the current machine’s position.

The control flow of the Lojack software is detailed in the following figure:


Figure 1. Lojack control flow (Source:ESET)

The analysis performed links the sample to the notorious Russian group APT28, also known as “Fancy Bear” or “Sofacy”. The sample, in fact, triggers the Lojax YARA rule defined by Arbor Networks, which allows classifying it as Double-Agent.

The APT28 group has trojanized the “rpcnetp.exe” agent to spread it as a fake update of the legitimate software. However, the propagation vector is not clear yet.

Technical Analysis

The size of the malicious artifact is the same as the legitimate one, so the only manipulation appears to be the modification of the C2 address, in agreement with the other firms that previously analyzed the malware.

Hash (Sha256): 6d626c7f661b8cc477569e8e89bfe578770fca332beefea1ee49c20def97226e
Names: rpcnetp.exe
Digital Signature: -
First Submission: 2018-11-05
Notes: Lojack Double-Agent; file size: 17 KB

When it starts, the malware copies itself into a new DLL: the final file is the same as the initial one except for some header flags. After this, Lojax searches for some components belonging to the legitimate software, which should already be installed on the machine, and tries to establish a connection with them via an RPC channel. If the Absolute Lojack components are not found, the malware kills itself.
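The claim that the dropped DLL is the same file as the EXE except for some header flags can be checked mechanically. The script below is an added example written for this page, not code from the Yoroi-Cybaze analysis and not the malware's own code: it locates the COFF file header through `e_lfanew`, decodes the `Characteristics` word (the `IMAGE_FILE_DLL` bit is what marks an image as a DLL rather than an EXE) and reports whether two same-sized images differ anywhere outside that word. The two sample images are minimal constructed headers produced by `build_minimal_pe`, not the real rpcnetp files; the flag values themselves are the ones from the PE specification.

```python
import struct
from typing import List, Tuple

# Subset of the PE-spec IMAGE_FILE_* Characteristics bits relevant here.
IMAGE_FILE_CHARACTERISTICS = {
    0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE",
    0x0100: "IMAGE_FILE_32BIT_MACHINE",
    0x2000: "IMAGE_FILE_DLL",
}


def coff_header_offset(pe: bytes) -> int:
    """Return the offset of the 20-byte COFF file header (just after 'PE\\0\\0')."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    return e_lfanew + 4


def characteristics(pe: bytes) -> int:
    """Characteristics is the last WORD (offset 18) of the COFF file header."""
    return struct.unpack_from("<H", pe, coff_header_offset(pe) + 18)[0]


def flag_names(value: int) -> List[str]:
    return [name for bit, name in sorted(IMAGE_FILE_CHARACTERISTICS.items()) if value & bit]


def is_dll(pe: bytes) -> bool:
    return bool(characteristics(pe) & 0x2000)


def byte_diff(a: bytes, b: bytes) -> List[Tuple[int, int, int]]:
    """(offset, byte_in_a, byte_in_b) for every position where the images differ."""
    if len(a) != len(b):
        raise ValueError("images have different sizes")
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def only_characteristics_changed(exe: bytes, dll: bytes) -> bool:
    """True when every differing byte lies inside the 2-byte Characteristics field."""
    field = coff_header_offset(exe) + 18
    return all(field <= off < field + 2 for off, _, _ in byte_diff(exe, dll))


def added_flags(exe: bytes, dll: bytes) -> List[str]:
    """Flags set in the DLL copy that were not set in the EXE."""
    return flag_names(characteristics(dll) & ~characteristics(exe))


def build_minimal_pe(chars: int) -> bytes:
    """Constructed toy image: 0x40-byte DOS header, PE signature, COFF header, padding.
    It has no optional header or sections; it exists only to exercise the checks above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0, chars)  # i386, no sections
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(16)


if __name__ == "__main__":
    exe = build_minimal_pe(0x0102)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    dll = build_minimal_pe(0x2102)   # same, plus IMAGE_FILE_DLL
    print("exe flags:", flag_names(characteristics(exe)))
    print("dll flags:", flag_names(characteristics(dll)))
    print("differences:", [(hex(o), hex(x), hex(y)) for o, x, y in byte_diff(exe, dll)])
    print("only header flags changed:", only_characteristics_changed(exe, dll))
```

On real files the same functions apply unchanged to the bytes read from disk; a difference anywhere outside the Characteristics word (in a section body, for example) is the signal that the copy was modified beyond the DLL flag.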

Hash (Sha256): aa5b25c969234e5c9a8e3aa7aefb9444f2cc95247b5b52ef83bf4a68032980ae
Names: rpcnetp.dll
Digital Signature: -
First Submission: 2018-11-05
Notes: Double-Agent; file size: 17 KB

Through a static analysis of the sample we discovered a new C2 address, unknown to the community and to the threat intelligence platforms until now. This address, obfuscated using XOR encryption with the single-byte key 0xB5, was hidden in the “.cdata” section.

After the decryption of the address, the result is “regvirt.com”, as shown in the below figure:

Figure 2. Encrypted string analysis
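The single-byte XOR scheme described above is simple enough to reproduce. The following Python script is an added example written for this page, not code from the Yoroi-Cybaze analysis: it takes the `$b2` hex pattern from the YARA rule published later in this report (a chunk of the obfuscated `.cdata` region), guesses the key from the most frequent byte (zero padding XORed with the key shows up as runs of that key byte, the `B5 B5 B5 ...` visible in the pattern), decodes the chunk and pulls out anything that looks like a DNS name. The function names and the domain regular expression are this example's own.

```python
import re
from collections import Counter
from typing import Dict, List

# Hex pattern $b2 copied from the YARA rule in this report: a slice of the
# XOR-obfuscated .cdata region that carries the C2 string.
B2_PATTERN = bytes.fromhex(
    "00 48 1A B5 E5 9B A0 26 F2 C7 D0 D2 C3 DC C7 C1 9B D6 DA D8 "
    "B5 B5 B5 B5 B5 B5 B5 B5 B5 0A 02 07 10 06 06 00"
)

# Lowercase DNS labels separated by dots, ending in an alphabetic TLD.
DOMAIN_RE = re.compile(rb"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def xor_decode(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def guess_single_byte_key(data: bytes) -> int:
    """A string table is mostly zero padding; after XOR every padding byte equals
    the key, so the most frequent byte in the ciphertext is the best key guess."""
    return Counter(data).most_common(1)[0][0]


def find_domains(data: bytes) -> List[str]:
    """Extract domain-looking substrings from decoded bytes."""
    return [m.decode("ascii") for m in DOMAIN_RE.findall(data)]


def recover_c2(blob: bytes) -> Dict[str, object]:
    """Guess the key, decode the blob and report any domain names found."""
    key = guess_single_byte_key(blob)
    plain = xor_decode(blob, key)
    return {"key": key, "plaintext": plain, "domains": find_domains(plain)}


if __name__ == "__main__":
    result = recover_c2(B2_PATTERN)
    print(f"guessed key: 0x{result['key']:02X}")
    print(f"domains:     {result['domains']}")
```

The most-frequent-byte heuristic works because of the padding; on a region with no padding the key has to be brute-forced over all 256 values and the candidate decodings scored, which is a two-line change to `recover_c2`.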

Domain “regvirt.com”

The domain was registered on 10th Oct 2017 by “Tibor Kovacs” ([email protected]) and is handled by the “Shinjiru Technology Sdn Bhd” provider. The username part of the mailbox contains the same name and surname found in the Registrant name, with the addition of a terminal “r” (tiborkovacsr); it is not clear whether this letter could be a clue usable to focus the investigation on a hypothetical profile of the registrant.

Registrant Name: Tibor Kovacs
Registrant Organization:
Registrant Street: Vezer u 43  
Registrant City: Budapest
Registrant State/Province: Budapest
Registrant Postal Code: 1141
Registrant Country: HU
Registrant Phone: +36.361578632154
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]

The domain hosts inactive subdomains, such as mail.regvirt.com, pointing to the localhost address 127.0.0.1. It also resolved to a different IP address, 209.99.40.226, between 16th Oct and 7th Nov 2018; this address is related to the Confluence Network ISP. That IP was blacklisted for a limited time by abuse.ch, between 2017-09-18 and 2017-10-19, and was reported as malicious on abuseipdb in December 2017. Other malicious activities related to cybercrime threat actors have been reported through the Ransomware Tracker platform, where the IP is associated with several Locky ransomware distribution domains back in 2016. However, none of the reported misuse of the IP address apparently matches the regvirt.com resolution time period.

The 46.21.147.71 IP address, instead, has been resolved since the first registration of the “regvirt.com” domain back in 2017. This network destination has been reported as a command and control server of altered CompuTrace/Lojack software, part of the APT28 arsenal. The report published by the UK’s National Cyber Security Centre in October 2018 states that this implant has been used to modify system memory and maintain persistence on compromised hosts in the long run.


Domain                 | Time-period between 2017-10-17 and 2018-11-13                         | Time-period between 2018-10-16 and 2018-11-07
regvirt.com            | 46.21.147.71  DEDICATED-SERVERS NL (Eureka Solutions Sp. z o.o. PL)   | 209.99.40.226  TX1-CONFLUENCE-4 AE (Confluence Networks Inc.)
regvirt.com            | MX  mail.regvirt.com                                                  |
http://www.regvirt.com | CNAME  regvirt.com                                                    |
mail.regvirt.com       | A  127.0.0.1                                                          |

Mitigation

Despite the presence of UEFI “Secure Boot”, this malware can still execute because it replaces only the “rpcnetp.exe” component. Nonetheless, the MalwareLab researchers advise keeping UEFI Secure Boot enabled and always keeping the operating system and the anti-malware solution up to date.

Indicator of Compromise

C2:

YARA Rule

rule rpcnetp {
    meta:
        description = "Yara Rule for Lojack Double-Agent"
        author = "Cybaze-Yoroi"
        last_updated = "2018-11-13"
        tlp = "white"
        category = "informational"

    strings:
        $a1 = {50 61 74 68 73 5C 69 65 78 70 6C 6F 72 65 2E 65 78 65}
        $a2 = {D1 E0 F5 8B 4D 0C 83 D1 00 8B EC FF 33 83 C3 04}
        $b1 = "rpcnetp exe"
        $b2 = {00 48 1A B5 E5 9B A0 26 F2 C7 D0 D2 C3 DC C7 C1 9B D6 DA D8 B5 B5 B5 B5 B5 B5 B5 B5 B5 0A 02 07 10 06 06 00}

    condition:
        1 of ($b*) and $a1 and $a2
}


The “MartyMcFly” investigation: anchors-chain case

Background

On October 17th we disclosed the “MartyMcFly” threat (ref. analysis), where unknown attackers were targeting Italian naval industries. The analysis was cited by Kaspersky’s ICS CERT, who exposed a wider threat extension across multiple countries such as Germany, Spain and India. Thanks to Kaspersky’s extended analysis we decided to harvest more indicators and to check for more related threats by setting up a joint cyber task force with Fincantieri, one of the biggest players in the naval industry across Europe. Fincantieri, which was not involved in the previous “MartyMcFly” attack, identified and blocked additional threats targeting its wide infrastructure, intercepted during the week of 20th August 2018, about a couple of months before the “MartyMcFly” campaign. Our task was to figure out whether there was a correlation between those attacks targeting Italian naval industries and to try to identify a possible attribution.

Malicious Email

Fincantieri’s security team shared with us a copy of a malicious email, carefully themed like the ones intercepted by Yoroi’s Cyber Security Defence Center between 9th and 15th October. At first look the message appears suspicious due to inconsistent sender domain data inside the SMTP headers:

The email message was sent from a mailbox related to the “jakconstruct.com” domain name, which is owned by the Qatari “AK CONSTRUCTION W.L.L.”, suggesting a possible abuse of their email infrastructure.

Figure 1. SMTP header details

The “anchors-chain.com” domain found in the SMTP “From” header was purchased a few weeks before the delivery of the malicious message: a privacy-protected user registered the domain on 21 June 2018 through the “NameSilo, LLC” provider.

Figure 2. Whois data of “anchors-chain.com”

During the time period between the 22nd of June and the 2nd of September 2018 this domain resolved to the IP address 188.241.39.10, owned by “Fast Serv Inc.”, a hosting provider sometimes abused for illicit purposes (e.g. command and control services of info-stealer malware). Unfortunately, the domain is offline at time of writing, so it was not possible to assess the presence of redirections to legitimate services as observed in the “MartyMcFly” case.

Also, the “anchors-chain.com” domain shows an explicit reference to an Asian company producing chains for a wide range of customers in the shipbuilding industry: the “Asian Star Anchor Chain Co. Ltd.” or “AsAc Group”. The real domain of the group is spelled almost the same, “anchor-chain.com”: the letter “s” is the only difference between the name registered by the attacker and the legitimate one. Moreover, the message body is written in Chinese and the signature includes a link to another legitimate domain of the group, confirming the attacker was trying to impersonate personnel from AsAc Group, simulating the transmission of quotations and price lists.


Figure 4. Malicious email message

Attachment

The email message contains a PDF document named “Marine_Engine_Spare__Parts_Order.pdf”, originally prepared from an Office document using “Microsoft Word 2013” and then converted into PDF format using the “Online2PDF.com” online service. The document does not contain any JavaScript or exploit code; however, the single page inside the document tries to lure the victim into opening the real document on a so-called “Adobe Online Protection” secure portal. The embedded link points to an external resource protected by the URL shortening service “Ow.ly”.


Figure 5. Malicious PDF document

The link “http://ow.ly/laqJ30lt4Ou“ has been deactivated for “spam” issues and is no longer available at time of writing. However, by analyzing automated sandbox reports dating back to the attack time period it is possible to partially reconstruct the dynamics of the payload execution, starting from the click on the embedded “ow.ly” link.

Figure 6. Attachment's process tree

The dynamic trace recorded some network activity directed to two suspicious domains on the “.usa.cc” TLD, originating right after the launch of the “iexplore.exe” browser process: respectively “wvpznpgahbtoobu.usa.cc” and “xtyenvunqaxqzrm.usa.cc”.

Figure 7. DNS requests intercepted

The first network interaction recorded is related to the link embedded inside the PDF attachment, “http://ow.ly/laqJ30lt4Ou”, which returns a redirection to another resource protected by the same URL shortening service.

Figure 8. Redirection to the second ow.ly url

Opening the next URL, “http://ow.ly/Kzr430lt4NV”, obtains another HTTP 301 redirect to an HTTPS resource related to one of the previously identified “usa.cc” domains:

Figure 9. Redirection to “wvpznpgahbtoobu.usa.cc”

Analyzing the SSL/TLS traffic intercepted during the dynamic analysis session shows multiple connections to the IP address 188.165.199.85, a dedicated server hosted by OVH SAS. The SSL certificate was issued by the “cPanel, Inc“ CA and is valid since 16th August 2018; this encryption certificate is likely related to the previously discussed HTTP 301 redirection, due to the common name “CN=wvpznpgahbtoobu.usa.cc” found in the Issuer field.

Figure 10. SSL Certificate details  “wvpznpgahbtoobu.usa.cc”

Another recorded SSL/TLS connection shows traffic related to the “xtyenvunqaxqzrm.usa.cc” domain directed to the same 188.165.199.85 IP address:

Figure 11. SSL Certificate details “xtyenvunqaxqzrm.usa.cc”

OSINT investigations gathered evidence of past abuses of the “xtyenvunqaxqzrm.usa.cc” domain for malicious purposes: for instance, an urlquery report dated 23rd August 2018 shows a phishing portal previously reachable at “https://xtyenvunqaxqzrm .usa.cc/maesklines/Maerskline/maer.php” containing the login page of a fake “Maersk” shipping portal; Maersk is a multinational company operating in the logistics sector and one of the world’s largest container shipping companies.

Figure 12. Phishing page previously hosted on xtyenvunqaxqzrm.usa.cc 

The elements found in the dynamic execution report indicate consistency between the OSINT information about the “xtyenvunqaxqzrm.usa.cc” domain and the attachment itself: one of the dropped files recorded during the automated analysis session is named “login.html” and has been classified as a phishing template on the VT platform (hash 4cd270fd943448d595bfd6b0b638ad10).

Figure 13. login.html page dropped during the execution

Conclusion

The evidence collected during the joint analysis with Fincantieri’s security team suggests that some still unspecified targeted threat is likely trying to establish a foothold at least into the Italian naval industry. At this time it is not possible to confirm that the two waves of attack were planned and executed by the same threat actor as the “MartyMcFly” campaign; many differences, such as the distinct type of payload, are relevant. However, at the same time, common elements mean the possibility of this relationship cannot be discarded; for example, the following indicators likely suggest correlations:

Having said that, we would like to thank our colleagues of Fincantieri’s security team for sharing data about these attacks and helping us in the investigation of this threat.

Indicator of Compromise

Here is the list of indicators of compromise collected during the analysis:

Cyber-Espionage Campaign Targeting the Naval Industry (“MartyMcFly”)

Background

During the last week Yoroi CERT’s analysts uncovered several attacks targeting the Italian naval and defence industry. The attacker used email, a well-known propagation vector, to infect victims by sending a specially crafted XLS file. The identified attack properties triggered an internal DEFCON escalation in order to assess the threat magnitude and, eventually, specific malware analyses according to the threat.

The suspicious emails were intercepted between 9th and 15th October during our regular CSDC (Cyber Security Defence Center) operations, in two different campaigns, each one characterized by one or more attempts and slightly different social engineering tricks.

Malicious Emails

The first intercepted malicious email had “markvanschaick.nl @qixnig .com” as sender address. The specific name was likely chosen by the attacker to try to exploit the reputation of the Dutch marine service company “Mark Van Schaick”, but the sender’s domain and IP address show no direct relationship to that organisation.

Figure 1. SMTP header details of wave 1

The message was sent from a Roundcube webmail server hosted on lord. vivawebhost .com (173.237.190.12 COLO4-BLK7 US) and apparently unrelated to the sender’s domain. Moreover, “qixnig .com” (the sender domain name) resolves to a different IP address, reachable at 66.45.243.148 (INTERSERVER US). It is interesting to note the crafted redirection applied to any visiting user: an HTTP 301 response redirecting to the Dan Marine Group’s official web portal.

Figure 2. Redirection to the Dan Marine web portal

The second email campaign was slightly different from the first one. It originated from another Roundcube webmail service, hosted at mail.dbweb .se (52.58.78.16 AT-88-Z US):

Figure 3. SMTP header details of wave 2

In this case the fake communication process mimics the interaction between “Naviera Ulises Ltd <[email protected]>” and "Evripidis Mareskas (Mr) <supplies.ulisnav @ kiramko .com>”. The extracted domain happens to be “kiramko .com”, and it resolved to the same remote IP address discovered in the first campaign wave (“qixnig .com”, 66.45.243.148 INTERSERVER US). Those campaigns can therefore be considered closely correlated. The “ulisnav .gr” domain appears to be unregistered at time of writing.

The intercepted emails come with a carefully prepared phishing scheme, definitely targeting the Italian naval sector. The observed chunks of headers and the network context show that the attacker tried to impersonate known vendors of marine parts and naval services in order to lure victims into opening the attached documents.
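Both the anchors-chain.com message discussed in the previous section and the two waves described here were spotted because the From domain did not line up with the infrastructure that actually relayed the message. The script below is an added example for this page, not Yoroi's tooling: it parses a message, compares the From domain with the envelope sender (Return-Path) and with the hosts named in the Received chain, and lists the inconsistencies. The two messages are constructed: the domains and hostnames are borrowed from this report only as labels, while the mailbox names, IP addresses (documentation ranges), timestamps and message IDs are made up.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Dict, List

# Constructed message modelled on the inconsistency described in the report:
# From claims anchors-chain.com, but the envelope and the relay are jakconstruct.com.
SUSPICIOUS_RAW = """\
Return-Path: <ops@jakconstruct.com>
Received: from mail.jakconstruct.com (mail.jakconstruct.com [203.0.113.10])
\tby mx.example.net with ESMTP id 4a1b2c; Mon, 20 Aug 2018 09:12:00 +0000
Received: from [198.51.100.7] (unknown)
\tby mail.jakconstruct.com with ESMTPSA; Mon, 20 Aug 2018 09:11:40 +0000
From: "Sales Dept" <sales@anchors-chain.com>
To: purchasing@example.net
Subject: Marine Engine Spare Parts Order
User-Agent: Roundcube Webmail/1.3.6
Message-ID: <20180820091140.11111@mail.jakconstruct.com>

Please find attached our quotation.
"""

# Constructed benign counterpart: every field points at the same domain.
CONSISTENT_RAW = """\
Return-Path: <ops@example.org>
Received: from mx1.example.org (mx1.example.org [203.0.113.20])
\tby mx.example.net with ESMTP id 9f8e7d; Mon, 20 Aug 2018 10:00:00 +0000
From: "Operations" <ops@example.org>
To: purchasing@example.net
Subject: Weekly report
Message-ID: <20180820100000.22222@mx1.example.org>

Report attached.
"""

RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def domain_of(header_value: str) -> str:
    """Domain part of the first address in a header value, lowercased."""
    _, address = parseaddr(str(header_value))
    return address.rpartition("@")[2].lower()


def received_hosts(msg) -> List[str]:
    """Host named in the 'from' clause of each Received header, newest hop first."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        match = RECEIVED_FROM.match(str(hdr).strip())
        if match:
            hosts.append(match.group(1).lower())
    return hosts


def related(domain: str, host: str) -> bool:
    """A host counts as related when it is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_sender_consistency(raw: str) -> Dict[str, object]:
    """Compare From, Return-Path and the Received chain; return findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    hops = received_hosts(msg)
    findings = []
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"envelope sender domain {envelope_domain} != From domain {from_domain}")
    if hops and not any(related(from_domain, h) for h in hops):
        findings.append(f"no Received hop names a host under {from_domain}: {hops}")
    return {"from_domain": from_domain, "envelope_domain": envelope_domain,
            "hops": hops, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("consistent", CONSISTENT_RAW)):
        report = check_sender_consistency(raw)
        print(label, "->", report["findings"] or "no inconsistencies")
```

This is a structural check only: it flags the mismatch without deciding intent, and a legitimate third-party mailer will also trip the Received test, so the output is a triage signal to combine with SPF/DKIM results and the sender's history rather than a verdict on its own.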

For example, the first two detected attempts tried to mimic inquiries from the Chinese Dan Marine Group, pretending to validate the sender’s domain “qixnig .com” as legitimately owned by the group; it then tried to redirect visitors to the Dan Marine official website. Another intercepted email inserted the victim as BCC into a fake communication between the tech support of the Greek Naviera Ulises Ltd and one of its employees (data publicly available on LinkedIn).

None of these communications appear to be real and legitimate; indeed, the intercepted data does not suggest the attacker has any kind of access to real assets.

Attachments

The intercepted email messages have more than one attached document: in the first email campaign we observed two copies of the same Excel file (5c947b48e737648118288cb04d2abd7b) wrapping CDFV2 encrypted data and scoring relatively low in VT’s AV coverage test (9/59 at time of writing).

This document is able to download an executable payload (66b239615333c3eefb8d4bfb9999291e) from a compromised web portal:

Figure 4. Malware download HTTP request intercepted

Further details regarding the evasion techniques, especially the “VelvetSweatshop” trick and the Equation Editor exploit used to drop the malware, are available here (link).

Figure 5. Malicious excel document
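The “VelvetSweatshop” trick referenced above relies on Excel silently opening a workbook encrypted with that built-in default password, so the file arrives as an encrypted CDFV2 container that many scanners cannot look inside. The triage function below is an added example written for this page, not the authors' code: it recognises the compound-file magic and checks for the `EncryptionInfo` and `EncryptedPackage` stream names (stored UTF-16LE in the OLE directory) by scanning the raw bytes, which is a heuristic rather than a full OLE parser. The sample containers are constructed stand-ins built by `build_sample`, not the 5c947b48e737648118288cb04d2abd7b document.

```python
from typing import Dict, List

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # CDFV2 / Compound File Binary header
# Stream names an encrypted OOXML package carries inside its OLE wrapper (MS-OFFCRYPTO).
ENCRYPTED_STREAMS = ("EncryptionInfo", "EncryptedPackage")
DEFAULT_EXCEL_PASSWORD = "VelvetSweatshop"   # Excel tries this password silently


def is_ole(data: bytes) -> bool:
    return data[:8] == OLE_MAGIC


def encrypted_stream_names(data: bytes) -> List[str]:
    """Heuristic: OLE directory entries store names as UTF-16LE, so the raw file
    contains those byte sequences if the streams exist. Not a directory parser."""
    return [name for name in ENCRYPTED_STREAMS if name.encode("utf-16-le") in data]


def triage(data: bytes) -> Dict[str, object]:
    """Classify a blob as non-OLE, plain OLE, or OLE wrapping an encrypted package."""
    if not is_ole(data):
        return {"ole": False, "encrypted_package": False, "streams": [],
                "advice": "not a compound file; handle by its real type"}
    found = encrypted_stream_names(data)
    encrypted = set(found) == set(ENCRYPTED_STREAMS)
    if encrypted:
        advice = (f"encrypted OOXML inside an OLE wrapper: try the default password "
                  f"{DEFAULT_EXCEL_PASSWORD!r} before treating the content as opaque")
    else:
        advice = "plain compound file; inspect its storages and streams normally"
    return {"ole": True, "encrypted_package": encrypted, "streams": found, "advice": advice}


def build_sample(encrypted: bool) -> bytes:
    """Constructed stand-in: header magic, padding to a 512-byte header sector,
    then 64-byte name slots holding UTF-16LE stream names. Only the bytes the
    heuristic looks at are realistic; there is no real FAT or directory."""
    body = bytearray(OLE_MAGIC) + bytes(512 - len(OLE_MAGIC))
    names = ENCRYPTED_STREAMS if encrypted else ("Workbook",)
    for name in names:
        body += name.encode("utf-16-le").ljust(64, b"\x00")
    return bytes(body)


if __name__ == "__main__":
    for label, blob in (("encrypted", build_sample(True)),
                        ("plain", build_sample(False)),
                        ("zip", b"PK\x03\x04" + bytes(60))):
        print(label, "->", triage(blob)["advice"])
```

On a real sample the next step is to decrypt with the default password using an Office-crypto library and scan the recovered package; a file that carries `EncryptedPackage` but does not open with `VelvetSweatshop` was encrypted with a user-chosen password and needs the password from the lure instead.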

The second attack had as attachments a copy of the Excel file and one more PDF document named “Company profile.pdf” (6d2fc17061c942a6fa5b43c285332251); this file appears to have been generated in the same time period as the phishing attempts, nearly 30 minutes before the dispatch of the malicious message, from an MS Word 2013 document.

Figure 6. “Company Profile.pdf” metadata

The embedded attachments were delivered in the middle of October using multiple names, most of them related to the naval industry and containing references to quotations, inquiries or orders of mechanical parts.


Figure 7. Submission time and names of the samples

Having said that, we can now explain the internal choice of the "MartyMcFly" code name for this campaign: the name comes from the "First Seen in The Wild" value reported by the VT platform and the metadata found in the artifacts, which are quite an interesting topic to be discussed.

Payload

The executable payload was downloaded from a potentially compromised website legitimately owned by a Turkish company selling mechanical spare parts, indicating the attacker had carefully taken care of the theming of the malware distribution infrastructure.

The PE32 file 66b239615333c3eefb8d4bfb9999291e contains executable binary code compiled from Delphi source code (BobSoft Mini Delphi).

The first stage of execution shows several anti-analysis patterns and tricks: for instance, at 0x0045e304 the malware checks whether the year of the local time configured in the OS is after 2017 (ref. Figure 8); moreover, at 0x045e393 it slows down execution by invoking the SleepEx library function (ref. Figure 9).

Figure 8. Current Local Time check

Figure 9. Code slow down via SleepEx

The bypass of all the debug checks and evasion tricks inside the malicious code leads to the dynamic loading of a .NET module in a RWX code-segment mapped at the 0x012e0000 location.

Figure 10. Executable module unpacked in memory

YARA signatures claim the extracted PE32 module is attributable to a weaponized version of “QuasarRAT”: an open-source remote administration tool freely available on GitHub.

Figure 11. Yara signature match on the dumped .NET Modules

The manual verification reported in Figure 12 confirms the extracted payload is compatible with the QuasarRAT modules published on the GitHub repository. Moreover, the IoC section below reports the C2 server locations found in the malware configuration.


Figure 12. Example of module names and messages used by the QuasarRAT

At the moment no attribution to a known group is possible; many threat actors choose to use or customize open-source tools to try to make attribution harder, such as the Chinese “Stone Panda” group (APT-10), known for espionage operations against defence and government and having QuasarRAT in its arsenal, or the “Gorgon Group”, the ambiguous mercenary group responsible for both cyber-crime attacks and targeted espionage campaigns against governments.

Indicator of Compromise

Here is the list of indicators of compromise collected during the analysis: