APT-Q-12 Darkhotel Organization

Short Summary:

APT-Q-12, also known as Pseudo Hunter, is a Chinese APT group targeting entities in Northeast Asia. The group utilizes various techniques for information collection and exploitation, including complex email probes and 0day vulnerabilities in mail clients. Their operations have evolved over the years, showing overlaps with other APT groups like Darkhotel.

Key Points:

  • APT-Q-12 targets countries in Northeast Asia, including China, North Korea, Japan, and South Korea.
  • The group has been active since at least 2017, with connections to the Darkhotel organization.
  • APT-Q-12 employs various plugins for espionage, including keyloggers and browser steganography.
  • The group uses sophisticated methods to probe and collect information about the victim’s email and office software.
  • Recent operations include exploiting 0day vulnerabilities in both Windows and Android mail clients.
  • APT-Q-12 focuses on intelligence related to semiconductor competition and political propaganda.

MITRE ATT&CK TTPs – created by AI

  • Credential Dumping – T1003
    • APT-Q-12 uses keyloggers to capture sensitive information from victims.
  • Exploitation for Client Execution – T1203
    • Exploits vulnerabilities in email clients to deliver payloads.
  • Command and Control – T1071
    • Utilizes C2 servers for remote control and data exfiltration.
  • Data Encrypted – T1041
    • Encrypts captured data to evade detection.

Overview

APT-Q-12, Chinese name pseudo hunter, has a Northeast Asian background, the QiAnXin Threat Intelligence Center first released a related technical report in 2021[1], the main target contains China, North Korea, Japan, South Korea and other countries and entities in East Asia. In fact the attack collection was first disclosed by the offshore friend blackberry in 2017 released baijiu action<sup>[2], the report mentioned that baijiu action and Kaspersky released darkhotel organization overlap.

After 2019, the percentage of operations related to Darkhotel group in open source intelligence decreased year after year, at the same time, several attack sets with Korean Peninsula background and different techniques and tactics appeared in government and enterprise terminals, and we classified these attack sets based on the TEMA and the target industry, which are APT-Q-11 (ShadowTiger), APT-Q-12 (Pseudo Hunter), APT -Q-14 (ClickOnce), APT-Q-15, UTG-Q-005, etc. After five years of continuous tracking and finding that these group overlap with each other, we believe that these attack collections are all subsets of Darkhotel back then.

The depth of research on APT groups depends on the degree of mastery of the types of plug-ins they use. At present, the mainstream APT group are just using the Trojan as a loader or downloader, and most of the espionage is done by the subsequent plug-ins. Due to the different needs of different groups for the target data, how to quickly locate the data they want among the hundreds or thousands of internal documents is the main reason that leads to a huge difference in plug-ins for APT groups in all directions, for example, in the Operation ShadowTiger [3] activities, Durain plug-in is only used to obtain a specific directory structure and move documents in a specific directory, the upload operation is by peach plug-in using the pipeline to pass the parameters of the way to upload the data to the C2 server, and APT37 and the New OceanLotus group is only uploading the path of the file and directory structure, the attacker is in the back-end of the document screening The South Asia oriented CNC group first selects the file directories of interest through a small Trojan, and finally uploads all the documents recursively by hardcoding the file directories in a steganography plugin.

So if you want to study the behavioral logic and political purpose behind the APT group, it is not enough to rely on the initial sample analysis, and plug-in research and capture is the top priority.

We recommend our government and enterprise customers to deploy Skyrocket EDR in both office and server areas and turn on the cloud checking function to protect against unknown threats.

Information collection

Detecting email platforms and brands

Friends in the recent security conference and PR report straight to the 0day vulnerability analysis, but from the attacker digging vulnerability to deliver spear mail in the middle of this there is a very complex information collection process. How to detect if the victim is using foxmail? 163? coremail? , and the platform is Win client? Web version? Mobile version? In order to perfectly trigger the 0day vulnerability of each platform, APT-Q-12 has designed several sets of complex email probes to periodically deliver probe emails to the target to collect the victim’s habits and behavioral logic, the malicious probe emails are very difficult to identify, the body mimics all kinds of advertisements and subscription numbers.

Insert the attacker’s own C2 probe link below the legitimate probe link:

Although some body text and headers are easily recognized as spam, APT-Q-12’s periodic replacement of body content always captures the victim’s User-agent information, which can lead to the target’s current use of email brands and email platforms.

Detecting Office Products

When collecting information on the office software of the target person, APT-Q-12 differentiated between wps and word.

Detecting wps

When probing against wps, the attached content has an ole object web control embedded in it.

When using wps to open the mhtml format file will request the built-in C2 probe, the local test trigger process is as follows:

Since Microsoft Word disabled the web control a decade ago, opening the above mhtml file in word will not initiate a request to the C2 probe.

Detecting Microsoft Word

Insert the C2 probe link into the template injection when probing against Microsoft Word.

To bypass sandbox detection, there is a layer of interaction when opening the decoy docx.

The C2 probe link is requested only after clicking Confirm, and no network request is initiated when the document is opened using wps.

Attackers use the above differentiated detection methods to determine the office software commonly used by the victim. The results of the information collection are shared among various APT groups in Northeast Asia, and from paving the way for subsequent 0day attacks.

Win Platform Mail Client 0day Vulnerability

Vulnerability Principles

We have mentioned in the operation Dargon Dance [3] article based on the CEF framework for the development of domestic software vulnerability issues, the domestic outsourcing personnel and black industry can easily tap the RCE vulnerability and then launch a large-scale 0day attack activities, vulnerability entrances are generally XSS vulnerabilities, the subsequent payload landing either to call the internal interface or using the Chrome kernel older RCE vulnerabilities to trigger, the internal interface to take advantage of the attack chain is as follows:

The body of the 0day email is below:

When triggered it closes the code on the title and executes the remaining js code in the title

The decrypted content is as follows:

Execute the code in the body of the email.

The Name field is decrypted as follows:

Find the resource named image.png in the mail structure and call it through the internal interface

The Base64 decryption is actually a lnk file, and the CMD commands executed are as follows:

Copy the lnk to a specific directory and decrypt the additional data of the lnk file and release it to the %temp% directory named s.mui, start rundll32 to execute the export function f of s.mui.

Trojan analysis

Filename MD5
s.mui 764c7b0cdc8a844dc58644a32773990e

The main function of s.mui is to determine the operating system version and bit number, release module.cab in the temp directory, and call expand to release the Trojan in the cab file to the AppDataLocalMicrosoftWindowsStaticCache directory and set up the com hijacking.

Filename MD5
~StaticCache-System.dat 59cd91c8ee6b9519c0da27d37a8a1b31

The ~StaticCache-System.dat file is a common first-stage downloader for APT-Q-12

The decrypted C2 is as follows.

Get the bmp from the cloud disk and decrypt it:

  • https://bitbucket.org/noelvisor/burdennetted/downloads/OAQDDI32.bmp
  • https://bitbucket.org/poppedboy/bovrilchant/downloads/32.bmp

MD5 Export Function
fa17ed2eabff8ac5fbbbc87f5446b9ca extension

The decrypted file is the second stage of the downloader, which calls the extension export function to download the tmp file from bitbucket.org/penguinwear/avoidlover/downloads/3WIGyjvJ.tmp to the %temp% directory and performs AES decryption.

Save the decrypted data to the following path AppDataLocalMicrosoftWindowsSHCoreMMDevAPI.mui

Filename MD5
MMDevAPI.mui 71094ef9f2cf685e6c7d11fe310e5efb

The Trojan is APT-Q-12 commonly used remote control Trojan , the decrypted string is as follows:

The command functionality is consistent with that disclosed by blackberry in 2017, and in the same year we captured another 0day vulnerability in the Win platform email client, where an attacker landed a Trojan by executing JS scripts with CVE-2017-5070 exploit code via an XSS vulnerability due to the low version of the Chromium kernel in the CEF framework.

The XSS trigger entry is as follows:

The CVE-2017-5070 EXP code is below:

In general the Chromium kernel of the CEF program does not open the sandbox function, so the attacker does not need to consider the steps of kernel lifting, memory loading of the downloader shellcode, the first stage of downloading the downloader from a remote server, the subsequent process is the same as the above, and will not repeat.

Plug-in Introduction

We captured a more complete plug-in type through SkyRock EDR alert data and on-site troubleshooting, and the attack target and attack logic of APT-Q-12 matched more closely with APT-Q-11 (Tiger Hibiscus):

Plug-in Type
Keylogger plugin
Browser steganography plugin
Tunneling Tools
Screenshot plugin

Attackers typically distribute keylogging plugins via the powershell command.

The recorded data is encrypted and stored in the appdataroamingmicrosoftvaultbincheck.db file with the following encryption algorithm:

Decrypting the data reveals the detailed data captured by the keylogger plugin.

Due to privacy concerns, we are unable to disclose what sensitive content is contained in the keylogs.APT-Q-12 is more concerned with intelligence in areas such as semiconductor competition and political propaganda orientation, which is in the interest of Northeast Asian countries.

Next, a browser steganography plugin was distributed to obtain credential information from the intranet web platform.

The process also collects the txt file where the passwords are saved on the machine to get as much information as possible about the account secrets, synchronizes the downlinking of screen shot plug-ins, and observes the victim’s usual operating habits and log-in patterns.

After two or three months of hibernation, the reverse tunneling tool revsocket is activated to log in to the intranet platform to take off internal data. The group does not have automated file collection plug-ins, and will combine the undisclosed events and unknown time nodes obtained from other intelligence sources, and search for the existence of relevant internal information on the victimized machine through the Trojan horse.

Android platform mail client 0day vulnerability

ClickOnce (APT-Q-14) with 2022-2023 delivery 0day vulnerability against the Android platform, the trigger logic is similar to the win platform, through the app to parse the xss vulnerability appeared in the structure of the mail to call the internal interface so as to execute the malicious code in the attachment.

The attachment contains a malicious program called 0o0o.apk:

Establishing a connection with the C2 server enables long-term control of the target phone, which will execute the Curl command to download a payload after startup.

The Payload content is as follows:

The email data from the corresponding app is read from the phone and uploaded to the C2 domain via toybox by executing the nc command after being tar-packed. The attacker wanted to spy on information related to trade between China and North Korea.

Looking around Asia as a whole, with attackers on the Korean Peninsula possessing unparalleled offensive capabilities at an overall level approaching the T1 level, and with both North and South viewing each other as major strategic targets, cyber-attacks are not only having a huge impact on both sides, but also posing a great challenge to the rest of Asia. Neighboring countries in this ongoing confrontation could be both springboards for attacks and rippled into the range of strategic targets.

Summary

Currently, the full line of products based on the threat intelligence data from the QiAnXin Threat Intelligence Center, including the QiAnXin Threat Intelligence Platform (TIP), SkyRock, SkyEye Advanced Threat Detection System, QiAnXin NGSOC, and QiAnXin Situational Awareness, already support the accurate detection of such attacks.

IOC

MD5:

764c7b0cdc8a844dc58644a32773990e

59cd91c8ee6b9519c0da27d37a8a1b31

fa17ed2eabff8ac5fbbbc87f5446b9ca

71094ef9f2cf685e6c7d11fe310e5efb

URL:

hxxps://bitbucket.org/noelvisor/burdennetted/downloads/OAQDDI32.bmp

hxxps://bitbucket.org/poppedboy/bovrilchant/downloads/32.bmp

hxxps://c.statcounter.com/12830663/0/0ee00a3c/1/

hxxps://bitbucket.org/noelvisor/burdennetted/downloads/

C2:
(no longer available at )

82.118.27.129:80

web-oauth.com

Reference Links

[1] https://www.secrss.com/articles/36606

[2] https://blogs.blackberry.com/en/2017/05/baijiu

[3] https://ti.qianxin.com/blog/articles/the-tiger-of-the-forest-entrenched-on-foyan-mountain/

[4] https://ti.qianxin.com/blog/articles/operation-dragon-dance-the-sword-of-damocles-hanging-over-the-gaming-industry/

Source: https://ti.qianxin.com/blog/articles/operation-deviltiger-0day-vulnerability-techniques-and-tactics-used-by-apt-q-12-disclosed-en/