Perspectives

Researchers Discover New variants of APT34 Malware

Written by Jay Novak and Matthew Pennington

Person at a desk typing on a laptop and a keyboard simultaneously, with a tablet and phone on the side.

Abstract

As previously reported, researchers observed APT34, a hacker group, using BONDUPDATER (downloader) and POWRUNER (backdoor). Pivoting from these known indicators, Booz Allen’s DarkLabs' Threat Hunt team performed a deep dive analysis and found an additional 3 malware variants and associated network infrastructure that are a potential threat to organizations worldwide.

DarkLabs identifies additional APT34 malware variants

Booz Allen’s DarkLabs Threat Hunt team developed an advanced technique that pivots on open source indicators of compromise (IOC) to discover new variants of Malware. The life cycle of an openly reported IOC does not end when an operator deploys the indicator to a sensor or a threat hunter checks their security information and event manager (SIEM). Merging the IOC with internal or external raw sources of cyber threat intelligence reveals additional IOCs and malware variants. Additional indicators, robust detection, and advanced analytics can work together to stop threat actors in their tracks. Booz Allen's DarkLabs Threat Hunt team exercised a combination of open-source reporting and acquired sources of threat intelligence, then merged this information with our own internally developed tools to expand and perform deep analysis on previously reported APT34 behaviors.

In early December 2017, FireEye released a report discussing recent activity, which they attributed to APT34. APT34 is a group that is thought to be involved in nation state cyber espionage since at least 2014. The FireEye report references binary (MD5: C9F16F0BE8C77F0170B6CE876ED7FB) which is a loader for both BONDUPDATER, the downloader, and POWRUNER, the backdoor. This loader connects to a known Command and Control (C2) domain, proxycheker[.]pro. Using this binary as a starting point, our DarkLabs team of Threat Hunters discovered three additional binaries that appear to be associated with APT34 activity.

Perspectives

Advanced Persistent Adware: Nation-State Tactics Analyzed

This unique adware’s advanced behavior is typically only seen in attacks attributed to nation-state APTs. Read More

Perspectives

The first two samples were found using a custom tool developed by DarkLabs’ Threat Hunt Team. This tool extracts a binary’s metadata, such as creation date or filename, and automatically searches VirusTotal for any potentially related malware variants. If any matches are found, the associated files are pulled so our threat hunters can reverse engineer or perform static and dynamic malware analysis to determine if the samples are variants of the initial binary. When we ran the initial binary through our tool, it returned two potentially related binaries. By analyzing the three binaries together, we discovered unique debug strings that flagged in all three samples. This type of comparative analysis highlights the common functions used by the developer and where any changes to defeat detection may have been implemented. Using these discovered similarities, we performed a VirusTotal Intelligence (VTI) retrohunt (searching back in time for malware – signature match) which uses a YARA rule to search previously submitted files in VTI, within a recent limited timeframe. The retrohunt yielded the discovery of a fourth binary.

The three new variants of the FireEye reported binary all exhibit similar behavior. Each binary creates, runs, and deletes rUpdateChecker.ps1 in the C:\ProgramData\Windows\Microsoft\java\ staging directory. That PowerShell file also creates a VBScript and the Scheduled Tasks entry to run the VBScript script every minute. All versions of rUpdateChecker.ps1 contained the POWRUNER backdoor, but not all had the BONDUPDATER downloader script. There were also other differences between the various binaries that are discussed below. The POWRUNER backdoor can execute arbitrary code and exfiltrate data via simple command and control over TCP.

Table 1. Relationship between original binary and three discovered variants. (Use the scrollbar to view the content on the far right.)

As you can see from Table 1 above, these files exhibit many similar characteristics and behaviors. Most of the differences appear to be cosmetic and do not affect the underlying functionality. Our analysts took a closer look at the C2 domain poison-frog[.]club, which is used in 3 of the 4 files, and found that it overlaps with the findings of the FireEye report. The domain resolved to 82.102.14.219 from at least August 2017 until December 2017. Additional domains that resolved to that IP during that time frame are dns-update[.]club, hpserver[.]online, and anyportals[.]com which were all mentioned in the FireEye report. The other C2 domain used, proxycheker[.]pro, resolved to 94.23.172.164 and 185.15.247.147, with 185.15.247.147 also hosting dns-update[.]club during that time frame. This new-found evidence, in combination with similar versions of POWRUNER and BONDUPDATER, the existence of the same debug strings in the code of each variant, and the overlapping infrastructure indicate that these three new binaries are also associated with APT34 operations.

The DGA domain generation algorithm used in one version of the BONDUPDATER backdoor is broken down into two parts: send and receive. If data is being sent, then the following format is used:

Use the scrollbar to view the content on the far right.

This is created from combining a unique ID (generated from the MAC address or encoded version of whoami) along with two other parameters which are inserted at two different random offsets in the unique ID
Random characters generated from: -join ((48 .. 57)+(65 .. 70) | Get-Random -Count (%{ Get-Random -InputObject (1 .. 7) }) | %{ [char]$_ })
Hardcoded "A"
Two random offset values referenced in #1.
Hardcoded "7"
Data Chunk being sent
Encoded Filename being sent
Hardcoded domain ".poison-frog[.]club"

If data is being received, then the following format is used:

DGA domain generation algorithm - Receive

This is created from combining a unique ID (generated from the MAC address or encoded version of whoami) along with two other parameters which are inserted at two different random offsets in the unique ID
Random characters generated from: -join ((48 .. 57)+(65 .. 70) | Get-Random -Count (%{ Get-Random -InputObject (1 .. 7) }) | %{ [char]$_ })
Hardcoded "A"
Two random offset values referenced in #1.
Hardcoded "7"
Hardcoded domain ".poison-frog[.]club"

The Domain Generating Algorithm (DGA) generation process is different than what was previously mentioned in the FireEye report. However, it would still be detected using DarkLabs' custom DGA detection mechanism.

In early January 2018, ClearSky Cyber Security tweeted about two new malware samples attributed to Oilrig/APT34. These samples were being deployed via a malicious .chm (Compiled HTML Help File) file. ClearSky provides a link to a Google document they use for "Raw Threat Intelligence" which contained additional IOCs associated with this campaign. Two hashes provided in that document are for versions of POWRUNER (MD5: BED81E58EF8FF0B073E371D433A08855) and BONDUPDATER (MD5: 63D6B1933F7330358A8FBFAF77532133). These two backdoors contain a reference to another C2 domain, www.window5[.]win. Using the custom tool developed in DarkLabs, we were able to pivot from these samples and discover an additional sample each of POWRUNER and BONDUPDATER.

These two new samples exhibit similar behavior to the samples mentioned in the FireEye report. However, there are a few slight differences - namely the use of a new C2 domain and URI, www.window5[.]win/update.aspx. At writing time of this post, that domain resolves to 185.181.8.246. Current research indicates that IP does not host any other domains publicly available. Additionally, the %PUBLIC%\Java location (e.g. C:\Users\Public\Java) is used for a staging directory in this version of POWRUNER.

Source	Hash Value	C2 Domain	Details
FireEye Report	C9F16F0BE8C77F0170B9B6CE876ED7FB	proxychecker[.]pro	Contains both POWRUNER and BONDUPDATER Communicates with C2 via proxychecker[.]pro/update_wapp.aspx POWRUNER appears to not have the ability to save files
ATH Tool	87FB0C1E0DE46177390DE3EE18608B21	poison-frog[.]club	Contains both POWRUNER and BONDUPDATER Communicates with C2 via poison-frog[.]club/update_wapp.aspx POWRUNER appears to not have the ability to save files
ATH Tool	A602A7B6DEADC3DFB6473A94D7EDC9E4	poison-frog[.]club	Contains both POWRUNER and BONDUPDATER Communicates with C2 via poison-frog[.]club/update_wapp.aspx POWRUNER appears to not have the ability to save files
RetroHunt	4EA656D10BEAC05D69252D270592	poison-frog[.]club	Contains only POWRUNER Communicates with C2 via poison-frog[.]club/update_wapp.aspx POWRUNER appears to not have the ability to save files POWRUNER contains more Base64 obfuscation effort than other versions

000C20009204A601	7D	A	56	7	6556666775466767667566765657661c79e4f73cd932f3f64ca161c45041	336662009e6a	.poison-frog.club
1	2	3	4	5	6	7	8

0800C0092904A601	02	A	51	7	.poison-frog.club
1	2	3	4	5	6

Source	Hash Value	C2 Domain	Details
ClearSky Cyber Security	BED81E58EF8FF0B073E371D433A08855	window5[.]win	POWRUNER Communicates with C2 via www.window5[.]win/update.aspx
ClearSky Cyber Security	63D6B1933F7330358A8FBFAF77532133	window5[.]win	BOUNDATER Communicates via DGA based DNS to wondow5[.]win
ATH Tool	CBE2F69D9EF39093D8645D3C93FD7F21	window5[.]win	POWRUNER Communicates with C2 via www.window5[.]win/update.aspx
ATH Tool	277FF86501B98A4FF8C945AC4D4A7C53	window5[.]win	BONDUPDATER Communicates via DGA based DNS to window5[.]win

Table 2. Relationship between original two samples and two discovered variants. (Use the scrollbar to view the content on the far right.)

IOC - Network

Domain/IP Address	Description
proxycheker[.]pro	C2
poison-frog[.]club	C2
window5[.]win	C2
82.102.14.219	Has resolved poison-frog[.]club, dns-update[.]club, hpserver[.]online & anyportals[.]com
94.23.172.164	Has resolved proxycheker[.]pro
185.15.247.147	Has resolved proxycheker[.]pro & dns-update[.]club
185.181.8.246	Has resolved window5[.]win

IOC - Endpoint

Filename	Description	MD5 Hash
dupdatechecker.exe	Dropper of POWRUNER and BONDUPDATER	C9F16F0BE8C77F0170B9B6CE876ED7FB
exeruner_new.exe	Dropper of POWRUNER and BONDUPDATER	87FB0C1E0DE46177390DE3EE18608B21
exeruner.exe	Dropper of POWRUNER and BONDUPDATER	A602A7B6DEADC3DFB6473A94D7EDC9E4
exeruner_new.exe	Dropper of POWRUNER	4EA656D10BE1D6EAC05D69252D270592
GoogleUpdateschecker.vbs	Deploys POWRUNER	6F2CA6D892CCA631C191233CB89D9B93
JavaUpdates	Scheduled Task to run VBS script	0681F2459EDF28DCD99493AE8A6398D5
rUpdateChecker.ps1	Sets up scheduled task to deploy POWRUNER	EE93A172937D37D3152D694331E59A21
GoogleUpdateTasks.vbs	Deploys POWRUNER and BONDUPDATER	F0B278427C8841C5D1A79ED2631B1522
JavaUpdatesTasksHosts	Scheduled Task to run VBS script	52973212E6373585F55B4DD207D890FF
rUpdateChecker.ps1	Sets up scheduled task to deploy POWRUNER and BONDUPDATER	06D537AF8C43F65FC467781B01047E5C
GoogleUpdateschecker.vbs	Deploys POWRUNER and BONDUPDATER	33E86AB6621F3DB7CD7E37CAF42C95E5
JavaUpdates	Scheduled Task to run VBS script	517D1D51414019272849E7C67E622597
rUpdateChecker.ps1	Sets up scheduled task to deploy POWRUNER and BONDUPDATER	614DDCCDCAF73172C1216D812595394C
UpdateCheckers.ps1	BONDUPDATER	1DE8F76404EB799C780DA5830915A17E
dUpdateCheckers.ps1	BONDUPDATER	27ACDFAB0A264B4EBD4DD16DAE6C4E0E
GoogleUpdates.vbs	Deploys POWRUNER and BONDUPDATER	D9BBB27B0C5249D681179D234BFF60DE
JavaUpdatesTask	Scheduled Task to run VBS script	347929555E8D7174D82356F47A054106
rUpdateChecker.ps1	Sets up scheduled task to deploy POWRUNER and BONDUPDATER	C3572009CA311F44A99C4FAB3F3DFF92
hxyz.ps1	POWRUNER	BED81E58EF8FF0B073E371D433A08855
dxyz.ps1	BONDUPDATER	63D6B1933F7330358A8FBFAF77532133
unknown	POWRUNER	CBE2F69D9EF39093D8645D3C93FD7F21
unknown	BONDUPDATER	277FF86501B98A4FF8C945AC4D4A7C53
Yara Signature for the dropper	{ strings: $exeruner_string_1 = "C:\\Users\\aaa\\documents\\visual studio 2015\\Projects\\exeruner\\exeruner\\obj\\Debug\\exeruner.pdb" $exeruner_string_2 = "C:\\Users\\aaa\\Desktop\\test\\exeruner\\exeruner\\obj\\Debug\\exeruner_new.pdb" condition: $exeruner_string_1 or $exeruner_string_2 }

Use the scrollbar to view the content on the far right.

By diving deeper and pivoting on known indicators using techniques developed and honed by our experienced analysts, the indicator lifecycle can diversify discovery. In this case, analysts discovered additional unreported, yet campaign associated IOCs that can be used for further detection. Additionally, our analysts also developed YARA signatures for static detection, and TTP based signatures to deploy to EDR tools or for hunting through endpoint telemetry data.

The Booz Allen DarkLabs Threat Hunt team recommends deploying detection to endpoints for the hashes listed above and perform a retroactive search for the domains and IPs in SIEM logs. We also recommend the use of telemetry data collected via EDR tools to continuously hunt for this behavior. Monitoring for the behavior or TTP is a critical step because although IOCs can be used for detection and discovery, they can in many cases be changed cheaply and easily. Our advanced Threat Hunt team always recommends a robust proactive approach to threat hunting with a focus on behavioral detection.

Please contact us if you would like to learn more about DarkLabs Threat Hunt team or if you are interested in joining our team.