ROADSWEEP Ransomware – Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations

For each discovered drive, ROADSWEEP will initialize a new thread which is responsible for encrypting all files within that drive. This thread enumerates the file system using the Windows FindFirstFileW and FindNextFileW APIs. For each root directory, a ransomware note is created with the content and filename noted above.

Following this, ROADSWEEP checks whether each file within the directory matches the extracted extension list; if it does not, the file is encrypted. The encryption process begins by renaming the file with the “.lck” extension. ROADSWEEP then reads the file’s creation time, last access time, and last write time and stores them internally. These values are written back after the wipe to preserve the original file times, although the purpose of this is currently unknown.

ROADSWEEP then opens the file and computes its size using the GetFileSize API. Chunking the file’s content into blocks of 0x100000, ROADSWEEP reads each chunk, encrypts it using RC4, and overwrites it on disk. This continues until the entire file has been overwritten.

Following this, the aforementioned self-delete script is executed and the process exits.
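The triage logic below is an added example (not part of the Mandiant report) that applies the two tells above from the defender’s side: because ROADSWEEP restores the original timestamps after overwriting, mtime-based timelining will miss encrypted files, so the check keys on the “.lck” extension and the entropy of the first 0x100000 chunk instead. The sample tree it builds is constructed, and the assumption that “.lck” is appended to the original file name is mine.

```python
import math
import os
import tempfile
from collections import Counter

CHUNK = 0x100000   # ROADSWEEP's read/encrypt/overwrite block size
LCK_EXT = ".lck"   # extension applied to files ROADSWEEP has processed (appended: assumed)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: RC4 output sits near 8.0, documents and text far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_lck_file(path: str, threshold: float = 7.5) -> dict:
    """Assess one .lck file. The mtime is reported but never used as evidence:
    ROADSWEEP writes the original times back, so it says nothing about when the
    overwrite happened. Content entropy of the first chunk does."""
    with open(path, "rb") as f:
        head = f.read(CHUNK)
    entropy = shannon_entropy(head)
    return {
        "name": os.path.basename(path),
        "entropy": round(entropy, 3),
        "likely_encrypted": entropy >= threshold,
        "preserved_mtime": os.stat(path).st_mtime,
    }

def triage_tree(root: str) -> list:
    """Walk every directory under root (as ROADSWEEP's per-drive thread does)
    and return a triage record for each .lck file found."""
    return [triage_lck_file(os.path.join(d, name))
            for d, _, files in os.walk(root)
            for name in files if name.lower().endswith(LCK_EXT)]

def build_sample_tree() -> str:
    """Constructed sample, not real ROADSWEEP output: one .lck file of random
    bytes (stand-in for RC4 output) with its mtime set back to 2020 the way
    ROADSWEEP would restore it, and one .lck file still holding plaintext."""
    root = tempfile.mkdtemp()
    enc = os.path.join(root, "report.docx" + LCK_EXT)
    with open(enc, "wb") as f:
        f.write(os.urandom(4096))
    os.utime(enc, (1_600_000_000, 1_600_000_000))
    with open(os.path.join(root, "notes.txt" + LCK_EXT), "wb") as f:
        f.write(b"quarterly figures\n" * 200)
    return root
```

Running `triage_tree(build_sample_tree())` flags only the random-byte file, while both carry the same old-looking timestamps.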

Technical Annex B: ZEROCLEAR Variant

We identified a ZEROCLEAR payload which takes command line arguments from the operator and corrupts the file system using the RawDisk driver.

  • cl.exe (MD5: 7b71764236f244ae971742ee1bc6b098)
    • ZEROCLEAR disruptive payload
    • Compiled on 2022/07/15 13:26:28

The first command line argument must be one of the following:

  • “wp” (default) – Wipes the disk using the ElDos driver; this expects the driver to already be running for the wiper activity to occur.
  • “in” – Installs and starts the driver named rwdsk.sys, which is expected to be located in the same directory as ZEROCLEAR.
  • “un” – Uninstalls the driver named rwdsk and deletes the file on disk.

The second argument is the drive letter that the operator wants to corrupt; previous variants of ZEROCLEAR only wiped the system drive, determined by calling the GetSystemDirectoryW API.

ZEROCLEAR then opens a handle to the RawDisk driver using the following device name:

  • “?RawDisk3<arg2>#B4B615C28CCD059CF8ED1ABF1C71FE03C0354522990AF63ADF3C911E2287A4B906D47D”

It then computes the disk size using the Windows IOCTL_DISK_GET_DRIVE_GEOMETRY_EX, IOCTL_DISK_GET_DRIVE_GEOMETRY and IOCTL_DISK_GET_LENGTH_INFO DeviceIoControl requests. The ElDos driver is then used to overwrite the disk data with the value “0”.

Technical Annex C: CHIMNEYSWEEP Backdoor

While Mandiant was unable to uncover the infection vector for CHIMNEYSWEEP, we note that the dropper has a valid digital signature. In addition to dropping the CHIMNEYSWEEP installer, this dropper also contains either an Excel or Word document or an MP4 video file.

The dropper is a signed Windows Cabinet self-extracting file, signed with the now-revoked “Atheros Communications Inc.” certificate. As of 2022-07-28, the certificate used in the ROADSWEEP campaign has not been revoked. Historically we have seen APT41 also use this signature, although as noted by DUO the password for this certificate was widely available. The threat actor’s choice of signing certificate and dropper is likely based on the fact that the legitimate Atheros certificate was used to distribute legitimate drivers via the legitimate dropper. This indicates the threat actors have a high degree of operational security.

Upon execution, the self-extracting tool locates the resource named “Cabinet”, drops it to disk, and then executes a process named unpack.exe.

CHIMNEYSWEEP Samples

  • UNAVAILABLE (MD5: df9ab47726001883b5fcf58b56b34b41)
    • CHIMNEYSWEEP backdoor
    • Installed by unpack.exe (MD5: 8c8bbe3a4a23cd4cc96c12af5fb1199b)
    • Contained in wextract.exe.mui (MD5: 19068e8228b6b8f5528489fa70779b2b)
    • Compile time: 2021/07/26 13:39:17
    • C&C servers:
      • telegram-update[.]com
      • avira[.]ltd
      • windowsupadates[.]com
  • AppxProviders.dll (MD5: f3c977830bf616b9061d7aee5ce0b2f2)
    • CHIMNEYSWEEP backdoor
    • Compile time: 2021/07/26 13:39:17
    • C&C servers:
      • telegram-update[.]com
      • avira[.]ltd
      • windowsupadates[.]com
  • AppxProviders.dll (MD5: 7f6db4493c6a76eb44534306291ea85f)
    • CHIMNEYSWEEP backdoor
    • Compile time: 2021/07/26 13:39:17
    • C&C servers:
      • telegram-update[.]com
      • avira[.]ltd
      • windowsupadates[.]com
  • AppxProviders.dll (MD5: 3a1033cb1eb06c2cd5e91c539cf8a519)
    • CHIMNEYSWEEP backdoor
    • Compile time: 2021/07/26 13:39:17
    • C&C servers:
      • telegram-update[.]com
      • avira[.]ltd
      • windowsupadates[.]com
  • UNAVAILABLE (MD5: 23643b7bd48a200889a4613a0e0a86e4)
    • CHIMNEYSWEEP backdoor
    • Installed by UNAVAILABLE (MD5: 49d72f9212d5653f5be9f764d8c9df24)
    • Compile time: 2021/06/11 22:53:53
    • C&C servers:
      • telegram-update[.]com
      • avira[.]ltd
      • windowsupadates[.]com
  • UNAVAILABLE (MD5: 9c09d147dfbc98d5e6e051fe1ed0033d)
    • CHIMNEYSWEEP backdoor
    • Installed by unpack.exe (MD5: 38e0fa41e9519d4783766992c203e794)
    • Compile time: 2020/01/25 18:11:10
    • C&C servers:
      • telegram-update[.]com
      • avira[.]ltd
      • windowsupadates[.]com
  • UNAVAILABLE (MD5: 5cc183702fae8cc23a55037c1efab5e5)
    • CHIMNEYSWEEP backdoor
    • Installed by UNAVAILABLE (MD5: 92c61e3047297136701c25deb658b35a)
    • Compile time: 2020/09/21 11:44:32
    • C&C servers:
      • telegram-update[.]com
      • avira[.]ltd
      • windowsupadates[.]com
  • ssv.dll (MD5: 77a369e5e49e7e62d8eef2c00cd02950)
    • CHIMNEYSWEEP backdoor
    • Compile time: 2018/10/08 17:28:39
    • C&C servers:
      • cloud-avira[.]com
      • pgp.eu[.]com
      • server-avira[.]com
      • skype.se[.]net
      • uk2privat[.]com
      • update-pgp[.]com

Execution

After being dropped by the dropper, the installer is executed. The installers, some of which are padded with null bytes (0x00) to inflate their size, are responsible for deploying an embedded executable to disk and then executing the backdoor itself. The installer initially drops the payload as “m.d” in the covert store (“C:\ProgramData\Microsoft Installer\{EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8}\Force”). Some of the installers forge the dropped file’s CreationTime, LastAccessTime, and LastWriteTime by copying them from C:\Windows\System32\smss.exe.

The installer then executes the “Alloc” export, which checks whether the device is currently running Deep Freeze by Faronics, although this check is not applicable to the samples analysed by Mandiant. If the process name contains “creensaver.”, the backdoor writes its image to %SYSTEM32%\Slui and then executes a scheduled task named “Microsoft\Windows\License Manager\LicenseExchange”. Alloc ultimately calls the Control_Provider export, which initiates the backdoor.

The main functionality is provided in the next export called by the installer, “RatingSetupUI”. This export is responsible for all the command-and-control (C&C) interactions and backdoor capabilities.

The last two exports are related to the update process. “Control_Provider” manages the update process whereas “Telephon” executes the “Control_Provider” function.

If the backdoor is not running as an administrator, it may use embedded payloads to escalate privileges. A mutex named “rerunadmn” is used internally by the backdoor, and two RC4-encrypted payloads are extracted. The first payload is a .NET loader, which loads the second payload and calls the type “vjp5ZPP9AidVjXxofy” and method “s7tajdxvX”. The loader (MD5: 779940f675ff4ab4e8cab7a1b7cf5d3c) first enumerates the loaded .NET modules looking for the above class and method. If they exist, it executes that module; if the module is not loaded, the assembly is loaded and then executed in memory. The backdoor then passes either the string “AD”, if the payload is already executing as Administrator, or the path to a temporary file on disk directly to the loaded .NET module. This temporary file is created by writing the content of SoftwareAppDataLoadGLXaex to the Windows %TEMP% directory with the name APPX.<random_values>.tmp; it is a copy of the backdoor itself. If the payload cannot resolve the export CP from the loader, it falls back to invoking PowerShell with the following command, passing in the path to the second payload, the type and method, and either AD or the path to the second module:

            [Reflection.Assembly]::LoadFile("%s")\n$i=""\n$r=[%s]::%s("%s",[ref] $i)\necho $r,$i\n

Execution then proceeds within the second payload (MD5: 3633b3d69060a5882656b69f81655f0a), which is responsible for ensuring that the payload is running with administrator privileges. This payload is obfuscated with Reactor and contains encrypted strings used throughout execution. Upon execution, the payload creates the mutexes “rerunadmn” and “subttoadmn”. The module utilises the following techniques to execute the payload as administrator:

  1. Makes use of the Windows “SilentCleanup” scheduled task. This task executes %windir%\system32\cleanmgr.exe, and the payload uses the Windows Registry Environment key to change the %windir% variable to point to c:\Windows. Next, the payload creates a new System32 folder and copies an embedded payload called cleanmgr.exe (MD5: 779940f675ff4ab4e8cab7a1b7cf5d3c) into this folder, alongside a .cfg file with the content “slc”. Following this, the task is executed. This technique is similar to the Metasploit module bypassuac_silentcleanup.
  2. Makes use of the Windows CMSTP.exe binary to install a malicious Microsoft Connection Manager Profile on the device. This technique drops cln.vbs (MD5: 7a77c2930f0457ed2dd622e9739c7d3d) to the c:\windows\temp folder, then creates a .ini file for the Ethernet service. Within this .ini file, the payload specifies two RunPreSetupCommandsSection values, one for the payload itself and the second for executing the cln.vbs script. The legitimate cmstp.exe is then executed on the host, which runs the backdoor and then the clean-up script. This technique is identical to one made public in 2017 by Oddvar Moe.
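Detection logic for the escalation chain above and for the PowerShell fallback described earlier, written as an added example (not code from the report or from CHIMNEYSWEEP): it matches the shape of the reflective-load PowerShell command, flags a per-user windir override of the kind the SilentCleanup technique depends on, and extracts the commands an INF would hand to cmstp.exe. The telemetry it runs over is constructed, and the registry-key model and INF layout are assumptions.

```python
import re

# Fallback PowerShell: an assembly loaded by path, then [Type]::Method(..., [ref] $var).
# Matching the shape rather than the obfuscated type/method names keeps the rule
# useful when those names change between builds.
PS_LOADFILE_RE = re.compile(
    r"\[Reflection\.Assembly\]::LoadFile\(.+?\).*?\[[^\]]+\]::\w+\(.*?\[ref\]",
    re.IGNORECASE | re.DOTALL,
)

def suspicious_powershell(cmdline: str) -> bool:
    """True when a process command line matches the reflective-load fallback."""
    return bool(PS_LOADFILE_RE.search(cmdline))

def windir_overridden(hkcu_environment: dict) -> bool:
    """SilentCleanup abuse indicator. The dict models HKCU\\Environment (assumed
    collection point). windir is a machine-wide variable set under HKLM, so a
    per-user copy, whatever it points at, redirects the task's cleanmgr.exe path."""
    return any(name.lower() == "windir" for name in hkcu_environment)

def cmstp_presetup_commands(inf_text: str) -> list:
    """CMSTP abuse indicator: return the command lines under
    [RunPreSetupCommandsSection], which cmstp.exe runs before profile setup.
    Legitimate Connection Manager profiles rarely carry this section."""
    commands, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[runpresetupcommandssection]"
        elif in_section and line and not line.startswith(";"):
            commands.append(line)
    return commands

# Constructed sample telemetry (paths and values are not from the report).
SAMPLE_CMDLINE = (
    'powershell.exe -c [Reflection.Assembly]::LoadFile("C:\\Users\\u\\AppData\\Local'
    '\\Temp\\APPX.1234.tmp")\n$i=""\n$r=[T]::M("AD",[ref] $i)\necho $r,$i'
)
SAMPLE_HKCU_ENV = {"TEMP": r"%USERPROFILE%\AppData\Local\Temp", "windir": r"C:\Users\u\w"}
SAMPLE_INF = r"""[version]
Signature=$chicago$
[RunPreSetupCommandsSection]
; constructed: the profile hands these two lines to cmstp.exe
C:\Windows\Temp\payload.exe
C:\Windows\Temp\cln.vbs
"""
```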

CHIMNEYSWEEP has the following major functionality:

  • Screenshot collection: Takes screenshots of the compromised device on a timer and stores them to disk, or can be tasked to take a screenshot and upload it.
  • File collection and listing: Monitors for new removable drives and performs directory listings on demand, enumerates directories for files that match a set list, and can be tasked to upload a file to the command-and-control server.
  • Keylogging: Monitors the content of the clipboard and performs keylogging to disk.
  • Reverse shell: Contains a reverse shell which can be utilised by the attacker.

Initial configuration format

The backdoor contains settings that are found either encrypted within the payload or stored in the registry (SoftwareAppDataLowGLXSetting). The values stored in the registry are provided by the update mechanism. The configuration is delimited using the tags {BEGIN} and &{END}, and each value within the settings is referenced by an integer. For extracting the C&C values, the parser stores a reference to values 30-39, where each reference can be a different C&C and URI, in order.

Source: https://www.mandiant.com/resources/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against