Comparative analysis of the wmRAT attack weapons of the Manlinghua (Bitter) group

Mondo games Updated on 2024-01-31

1. Overview.

Manlinghua, also known as "Bitter", "APT-C-08", "T-APT-17" and "Bitter Elephant", frequently launches cyber attacks against countries around South Asia and the Bay of Bengal, mainly targeting Pakistan and China. Its targets mainly include the first sector, the nuclear industry, energy, national defense, the military industry, shipbuilding, aviation and shipping, and its main intention is to steal sensitive information. The group has been active since 2013 and in recent years has continually released attack components to gain control of target devices. Its general attack process is as follows: malicious documents such as CHM files serve as the entry point and lure the user into opening and executing them, which in turn calls xxxMSI and other software to deliver follow-up attack components. Through long-term tracking and sample hunting, Guancheng security analysts found 10 samples of wmRAT, the attack component the Bitter group uses most frequently, and observed the following characteristics:

The overall execution logic and communication protocol of each sample are unchanged, and big-endian byte order is still used in communication.

The communication data format of each sample is unchanged: a four-byte identification/control code + a four-byte length + the data (the control instruction or its response).

Both the string encryption and the communication encryption of each sample are byte-shift (add-a-key) encryption, and the key differs between samples.

The heartbeat data and heartbeat interval sent by each sample vary; the heartbeat data is mostly a combination of several of the characters "x", "-", "0", "1" and ".".

The number of control instructions has increased from 9 to 14 and the functionality is more complete than before; some instructions are reused across samples.

A network connectivity test has been added compared with the 2022 version.

In short, the dormancy behaviour, data format and check-in packet of each sample have not changed, while the samples differ in the network connectivity test, the keys used, the heartbeat packet and the control instructions, and the development of the attack weapons is maturing. These two aspects, common features and differences, are analyzed in detail below.

2. Basic Information.

The basic information of the 10 wmRAT samples covered by this analysis is as follows:

3. Common features.

Dormancy. After the sample starts, it calls the Sleep function several times to put the program to sleep in an attempt to evade sandbox detection; this is common to all samples.

Data format. Each sample uses a custom TCP communication protocol with a fixed packet structure: each message is sent with three consecutive send calls and received with three consecutive recv calls.

The first send or receive carries the control code or identification code; the second carries the length of the data that will be sent in the third step; the third carries the actual data. The server sends the control command and the client returns the stolen data, and the data is encrypted for transmission by adding the key to every byte.

Check-in packet. After the TCP connection succeeds, the sample collects three pieces of device information (computer name, user name and system version) and uploads them to the C2, joined with the "||" separator. The check-in packet format of each sample is unchanged: a four-byte identification code + a four-byte data length + the check-in data.

4. Differences.

Network connectivity test.

The connectivity test differs between samples; in total three targets have been used for the network connectivity test: Microsoft, Baidu and Intel.

Key changes. The string encryption key and the communication encryption key differ between some samples: the string encryption keys used by the samples are 0xxx2e, 0x31 and 0x2d, and the communication encryption key used is 0xxx13. Before February 2023, a sample used the same key for string encryption and communication encryption; since then the two keys are different, so that even if the string encryption key is recovered from a sample, the key for the subsequent communication cannot be inferred directly, which makes decryption harder.

Heartbeat packet. The heartbeat data and heartbeat interval sent by each sample vary. Most of the heartbeat data is a combination of several of the characters "x", "-", "0", "1" and "."; the precision of the heartbeat interval changed from an integer in early samples to a floating-point number. The heartbeat packet format is a four-byte identifier + a four-byte length + the data, and the data is hard-coded in the sample. The most recently exposed sample sends a heartbeat packet to the server every 150045 seconds after a successful connection, as shown in the figure below:
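To make the framing, the byte-shift encryption, the "||"-joined check-in and the heartbeat alphabet described in the "Data format", "Check-in packet" and "Heartbeat packet" passages concrete, here is an added Python decoder that is not part of the article and not the group's code. It assumes, as stated in the article, that each message is a 4-byte big-endian code, a 4-byte big-endian length and the data, and that only the data part is encrypted by adding the key to every byte (the code and length are assumed to be sent in the clear). The key 0x2d, the control codes 1 and 2, the device strings and the heartbeat string are all constructed for this demonstration and are not values from the article. The key-recovery helper generalizes the observation that check-in data contains exactly two "||" separators: it tries all 256 possible shift keys and keeps those that yield a printable plaintext with two separators, which is how an analyst can recover the communication key from a captured check-in without having the sample.

```python
"""Decoder for the wmRAT-style framing described in the article (added example)."""
import struct

HEARTBEAT_ALPHABET = set("x-01.")      # heartbeat character set named in the article
SAMPLE_KEY = 0x2D                      # constructed demo key for this example only
CODE_CHECKIN = 1                       # constructed control codes; the article lists none
CODE_HEARTBEAT = 2
SAMPLE_CHECKIN = b"DESKTOP-TEST||analyst||Windows 10"   # constructed device information


def shift_encrypt(data: bytes, key: int) -> bytes:
    """Add the key to every byte (mod 256); the scheme used for strings and traffic."""
    return bytes((b + key) & 0xFF for b in data)


def shift_decrypt(data: bytes, key: int) -> bytes:
    """Inverse of shift_encrypt: subtract the key from every byte (mod 256)."""
    return bytes((b - key) & 0xFF for b in data)


def build_frame(code: int, payload: bytes, key: int) -> bytes:
    """The three sends concatenated: code, length of the encrypted data, encrypted data."""
    enc = shift_encrypt(payload, key)
    return struct.pack(">II", code, len(enc)) + enc


def parse_frames(stream: bytes, key: int):
    """Split a captured TCP stream into (code, plaintext) tuples."""
    frames = []
    pos = 0
    while pos + 8 <= len(stream):
        code, length = struct.unpack(">II", stream[pos:pos + 8])
        pos += 8
        if pos + length > len(stream):
            raise ValueError("truncated frame at offset %d" % pos)
        frames.append((code, shift_decrypt(stream[pos:pos + length], key)))
        pos += length
    return frames


def recover_key(checkin_data: bytes):
    """Brute-force the 256 shift keys against captured check-in data and return
    every key whose plaintext is printable ASCII with exactly two '||' separators."""
    hits = []
    for k in range(256):
        pt = shift_decrypt(checkin_data, k)
        if pt.count(b"||") == 2 and all(0x20 <= b < 0x7F for b in pt):
            hits.append(k)
    return hits


def is_heartbeat(plaintext: bytes) -> bool:
    """True if the decrypted data is a non-empty string drawn only from the heartbeat alphabet."""
    try:
        text = plaintext.decode("ascii")
    except UnicodeDecodeError:
        return False
    return bool(text) and set(text) <= HEARTBEAT_ALPHABET


def build_stream() -> bytes:
    """Constructed client-to-server stream: a check-in frame followed by a heartbeat frame."""
    return (build_frame(CODE_CHECKIN, SAMPLE_CHECKIN, SAMPLE_KEY)
            + build_frame(CODE_HEARTBEAT, b"x-0.1", SAMPLE_KEY))


def decode_stream(stream: bytes, key: int):
    """Decrypt every frame and label it check-in, heartbeat or other for analyst review."""
    labelled = []
    for code, pt in parse_frames(stream, key):
        if pt.count(b"||") == 2:
            label = "check-in"
        elif is_heartbeat(pt):
            label = "heartbeat"
        else:
            label = "other"
        labelled.append((code, pt, label))
    return labelled


if __name__ == "__main__":
    captured = build_stream()
    # First frame is the check-in: recover the key from its data part alone.
    code, length = struct.unpack(">II", captured[:8])
    print("candidate keys:", [hex(k) for k in recover_key(captured[8:8 + length])])
    for entry in decode_stream(captured, SAMPLE_KEY):
        print(entry)
```

Run directly to see the candidate key list and the decoded, labelled frames. The key-recovery step only works on a check-in frame because that is the one message with a known structure; for heartbeat frames the alphabet check alone is a usable traffic heuristic once the key is known.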

Control commands. The samples exposed in 2022 had fewer instructions, incomplete functionality and a number of non-functional instructions, showing that the remote control program was still under development. Compared with those 2022 samples, the latest samples have more control instructions, growing from the initial 9 to 14, with more complete functionality, indicating that development of the remote control program has matured. Across all samples, four types of control instructions are used, as shown in the table below.

Table 5 Four types of control commands.

A simulated server issuing the lstcts command obtains information including the computer name, user name and disk usage, as shown in the following figure.

Figure 11 Control Instruction Traffic.

Figure 12 Data decryption.

5. Detection. The ENS Encryption Threat Intelligent Detection System can detect all of the wmRAT samples listed above; taking the most recently exposed sample as an example, the detection result is shown in the figure below.

Figure 13 Detection results of the Guancheng Guanyun (ENS)-Encryption Threat Intelligent Detection System.

6. Summary.

From the analysis of multiple samples of the Manlinghua group's "wmRAT" remote control program, it can be seen that the group is constantly developing its attack weapons and gradually improving their functionality, but the overall execution logic of the samples has not changed, the encryption used in communication is relatively simple, and the functionality is still mainly file search and upload. On the traffic side, the attack weapons communicate over TCP with a custom, variable and flexible encryption format, which further increases the difficulty of detecting this encrypted traffic. The Guancheng security team will keep tracking the Manlinghua group's activity over the long term, closely follow the latest threats that use custom encryption, and update its response plan as needed.
