securite360.net Open in urlscan Pro
2001:8d8:100f:f000::255  Public Scan

URL: https://securite360.net/a-painful-quickheal
Submission Tags: @nominet_threat_intel ip-string-2nd reference_article_link confidence_medium cluster_97706195 Search All
Submission: On December 14 via api from GB — Scanned from GB

Form analysis 1 forms found in the DOM

POST https://securite360.net/wp-comments-post.php

<form action="https://securite360.net/wp-comments-post.php" method="post" id="commentform" class="comment-form">
  <p class="comment-notes"><span id="email-notes">Votre adresse e-mail ne sera pas publiée.</span> <span class="required-field-message">Les champs obligatoires sont indiqués avec <span class="required">*</span></span></p>
  <p class="comment-form-comment"><label for="comment">Commentaire <span class="required">*</span></label> <textarea autocomplete="new-password" id="comment" name="c2ecff202e" cols="45" rows="8" maxlength="65525"
      required="required"></textarea><textarea id="aad961bb8ed7bb0c8ec2b658dd0d562b" aria-label="hp-comment" aria-hidden="true" name="comment" autocomplete="new-password"
      style="padding:0 !important;clip:rect(1px, 1px, 1px, 1px) !important;position:absolute !important;white-space:nowrap !important;height:1px !important;width:1px !important;overflow:hidden !important;" tabindex="-1"></textarea>
    <script data-noptimize="">
      document.getElementById("comment").setAttribute("id", "aad961bb8ed7bb0c8ec2b658dd0d562b");
      document.getElementById("c2ecff202e").setAttribute("id", "comment");
    </script>
  </p>
  <p class="comment-form-author"><label for="author">Nom <span class="required">*</span></label> <input id="author" name="author" type="text" value="" size="30" maxlength="245" autocomplete="name" required="required"></p>
  <p class="comment-form-email"><label for="email">E-mail <span class="required">*</span></label> <input id="email" name="email" type="text" value="" size="30" maxlength="100" aria-describedby="email-notes" autocomplete="email" required="required">
  </p>
  <p class="comment-form-url"><label for="url">Site web</label> <input id="url" name="url" type="text" value="" size="30" maxlength="200" autocomplete="url"></p>
  <p class="comment-form-cookies-consent"><input id="wp-comment-cookies-consent" name="wp-comment-cookies-consent" type="checkbox" value="yes"> <label for="wp-comment-cookies-consent">Enregistrer mon nom, mon e-mail et mon site dans le navigateur
      pour mon prochain commentaire.</label></p>
  <p class="form-submit"><input name="submit" type="submit" id="submit" class="button blue small" value="Laisser un commentaire"> <input type="hidden" name="comment_post_ID" value="351" id="comment_post_ID">
    <input type="hidden" name="comment_parent" id="comment_parent" value="0">
  </p>
</form>

Text Content

Passer au contenu
Securite360
 * Home
 * Tracker
 * Honeypots
 * Blog
 * Scan




A PAINFUL QUICKHEAL

Taking your threat intelligence seriously


A PAINFUL QUICKHEAL

Muffin    Uncategorized    décembre 13, 2024  |  0

A QUICKHEAL sample (9553567e231a172c69f0ef8800a927193b9cbd49), used in a recent
campaign targeting the telecom sector, was recently uploaded to VirusTotal (VT).
This malware is closely associated, according to open sources, with a Chinese
People’s Liberation Army (PLA)-linked intrusion set known as the Needleminer
group, RedFoxtrot, or Nomad Panda

Since I had never worked on QUICKHEAL before and PLA campaigns are rarely
documented these days, I was eager to take a closer look at this sample. Thanks
to y0sh1mitsu, I was able to retrieve the sample and begin analyzing it. The
first thing I noticed is that this 32-bit DLL is protected using VMProtect.









Figure 1: capture from VT









VMProtect is a legitimate commercial tool used to prevent unauthorized reverse
engineering of programs. Everyone knows that unpacking malware protected with
VMProtect can be painful. Fortunately, I was able to unpack it using OA Labs’
Unpac.me. This was a lifesaver—I didn’t have to spend hours trying to bypass
this protection. Thank you, OA Labs, for your amazing work!



Once unpacked, it becomes possible to begin basic static analysis using PE Bear
to gather several pieces of information about this DLL file, such as its name
(RasTls.dll), the name of its export (GetOfficeDatatal), and its compilation
time (08.04.2022).





Figure 2: PE bear screenshot relating to RasTls.dll







Capabilities



The first noticeable observation about this sample is that the strings provide
significant insight into its features and capabilities.





Figure 3: strings inside Quickheal





It is possible to infer from the string “select * from moz_logins”, the numerous
references to Mozilla Firefox and SQLite databases, as well as the encryption
functions, that the malware attempts to retrieve credentials stored in the
Firefox browser. All these findings were already documented in a landmark
analysis by Recorded Future about RedFoxtrot, which they link to PLA Unit 69010.





As we will see below, the malware dynamically loads the functions required to
interact with SQLite databases and NSS (Network Security Services) libraries to
decrypt passwords or other sensitive information stored by applications such as
Firefox.





While it is quite clear that QUICKHEAL can steal Firefox credentials, it is also
worth noting that several clues suggest the malware is capable of stealing
passwords stored in Microsoft Internet Explorer as well. Specifically, the
malware manipulates Internet Explorer’s GUID
("abe2869f-9b47-4cd9-a358-c22904dba7f7").





Figure 4: IE’s GUID manipulation

IE passwords are encrypted using cryptographic functions after being salted with
a text string generated from this GUID. This GUID can therefore be used to
decrypt credentials stored in Internet Explorer, leveraging the
CryptUnprotectData and CredEnumerateA APIs, both of which are also imported by
the malware.







Communications





Hardcoded strings also reveal the malware’s C2 address, the port it uses, and
the user-agent it employs.



Figure 4: IE’s GUID manipulation igure 5: Hardcoded C2 name and port

The user-agent can be found in a function whose purpose appears to be formatting
the HTTP request used to communicate with the C2:



Figure 6: hardcoded user-agent





It is worth noting that the malware attempts to establish an HTTP connection via
a proxy, as indicated by strings found in the code: "Proxy-Authenticate: NTLM",
"Proxy-Authorization: NTLM", and "Proxy-Authenticate: Basic".

My understanding is that the malware also tries to retrieve the user’s internet
settings. To achieve this, it appears that the malware passes the arguments of
RegOpenKeyExW to a wrapper function using position-independent code. However, it
is possible to infer the true purpose of this function from the arguments passed
to it.





Figure 7: The malware passes the expected arguments for RegOpenKeyExW to a
wrapper function



Obfuscation



What is particularly interesting is that the developers of the malware did not
hold back in their efforts to obfuscate the malware’s control flow, even though
most strings are in plain text.

Firstly, the malware renames cmd.exe to alg.exe, which is a legitimate Windows
process (Application Layer Gateway Service).

Figure 8: renaming cmd.exe

This trick may be used to avoid raising suspicion when the malware executes a
command.

To make an analyst’s job more difficult, I also believe the malware uses a
custom API resolver, thereby avoiding direct invocation of these APIs.





Figure 9: custom API resolver



From what I could gather, the malware also uses LoadLibrary in an obfuscated
manner to load the libraries it needs to decrypt Mozilla passwords. It first
reconstructs the path to Mozilla Firefox and then uses registers to load the
required DLL. Presumably for obfuscation purposes, the malware uses registers
rather than directly invoking the API it wants to load. However, the API being
used can be easily inferred from the context.

Figure 9: using loadlibrary in an obfuscated way





Figure 10 : MSDN documentation about loadlibrary





The malware then attempts to resolve the addresses of the exported functions
from the previously loaded DLLs by calling the esi register, which contains
GetProcAddress or an equivalent function. To achieve this, it uses the following
code:





figure 11: DLLs’ export dynamic resolution





The addresses of the resolved functions are stored in local variables
([ebp-...h]) for subsequent use.

However, it is worth noting that the arguments are pushed in reverse order. This
aligns with the MSDN documentation, which states:



Figure 12 : MSDN documentation relating to GetProcAddress



hModule is a handle returned by LoadLibraryA, and lpProcName corresponds to the
name of the function or variable. While these two items are pushed onto the
stack before the call, the function name is pushed first, followed by the
handle. This suggests that the malware uses a custom version of GetProcAddress.



Infrastructure mapping



While reversing QUICKHEAL was challenging, pivoting on its infrastructure was
much easier. Passive DNS records suggest that the same infrastructure has been
in use for the past couple of years, likely across different campaigns. For
example, swiftandfast[.]net seems to have been used over two years.

While I cannot completely rule out false positives in the list of domains I
gathered, I made an effort to exclude domains that fall outside the known
timeframe of operation (i.e., 2022–2024). That being said, the attacker relied
on commercial services such as Vultr or DigitalOcean.





Figure 14 : Overview of the attacker’s infrastructure



Since attackers are likely to choose domain names designed to fly under the
radar, the targeted countries and, at times, sectors can often be deduced from
them. For example, several domain names use the .in top-level domain, suggesting
that India was one of the targets of this intrusion set. Moreover, several
domains mimic the names of institutions in specific sectors in India, such as
the telecom or space industries. For example, some domains use the acronym BSNL,
which stands for Bharat Sanchar Nigam Limited, an Indian telecommunications
firm. Other domains mention ISRO, which is the Indian Space Research
Organisation.





Figure 15: Infrastructure cluster using indian top level domains or themes.



While 165.22.211[.]185 was resolved by indian related domain mostly in 2022
(starting from may), it is worth noting that a QUICKHEAL sample was already
communicating with this IP address in 2021.



Moreover, in some cases, the attackers appear to have used news-themed domains
such as www.dailysaudinews[.]com or ju-news[.]kr. Since these domains were not
resolving to the IP address associated with swiftandfast[.]net at the same time,
it is possible that the IP address was redistributed. However, newspapers and
other news outlets are often accessed on professional workstations, making
mimicking media websites an effective way to remain undetected. Additionally,
these domains are either not hosting any content or are hosting websites that
appear to have been generated using ChatGPT. These elements suggest that the
Middle East and South Korea may have also been targeted, although with lower
confidence.





Figure 16: Infrastructure cluster related to South Korea

These different graphs illustrate that the attackers have poor operational
security (OPSEC). Indeed, they seemed to have reused the same infrastructure for
extended periods and across campaigns targeting multiple countries and sectors.
Additionally, the same IP addresses were resolved by multiple domains used by
the attackers, enabling us to map their infrastructure with relative ease.

This lack of OPSEC stands in stark contrast to the obfuscation techniques
employed by QUICKHEAL, such as packing with VMProtect and the use of
position-independent code. Several reasons could explain this discrepancy. For
instance, different teams might be responsible for malware development and
infrastructure management. To reduce costs, the attackers may have chosen to
reuse the same infrastructure across multiple campaigns. Finally, it cannot be
ruled out that this infrastructure is shared among several different intrusion
sets with varying levels of OPSEC.



IoCs

IP addresses:




65[.]20[.]90[.]139 (2024)
206[.]189[.]140[.]214 (2024)
141[.]164[.]40[.]183 (2024)
165[.]22[.]211[.]185 (2022)
172[.]105[.]48[.]166 (2022)
68[.]183[.]82[.]31 (2022)

Domains – High confidence



swiftandfast[.]net
isrosdsc[.]camdvr[.]org
indiabsnl[.]in
indian[.]mefound[.]com
swiftandfast[.]net
bbnmsportal[.]in
indiabsnl[.]com
indiaeducation[.]mefound[.]com
daypmsts[.]isronrsc[.]giize[.]com
www[.]bbsaili[.]camdvr[.]org
bbsaili[.]camdvr[.]org
sts[.]isronrsc[.]giize[.]com
isronrsc[.]giize[.]com
nitmz[.]in
admitcard[.]nitmz[.]in
ftp[.]isronrsc[.]giize[.]com
www[.]isronrsc[.]giize[.]com
_bimi.isronrsc[.]giize[.]com
default._bimi.isronrsc[.]giize[.]com

IoCs Low confidence:

www[.]dailysaudinews[.]com
dailysaudinews[.]com
ju-info[.]kr
ju-news[.]kr
junews[.]co[.]kr
ju-tech[.]kr
smartkids[.]jupi[.]in
jupi[.]in
mangalamservices[.]jupi[.]in


NAVIGATION DE L’ARTICLE

Précédent : Article précédent : Unveiling Sharp Panda’s New Loader



LAISSER UN COMMENTAIRE ANNULER LA RÉPONSE

Votre adresse e-mail ne sera pas publiée. Les champs obligatoires sont indiqués
avec *

Commentaire *

Nom *

E-mail *

Site web

Enregistrer mon nom, mon e-mail et mon site dans le navigateur pour mon prochain
commentaire.



©  2024 Securite360. Construit avec WordPress et le thème Mesmerize

Securite360
 * Home
 * Tracker
 * Honeypots
 * Blog
 * Scan