URL: https://securite360.net/a-painful-quickheal
Submission: On December 14 via api from GB — Scanned from GB
A PAINFUL QUICKHEAL
Muffin | Uncategorized | December 13, 2024 | 0

A QUICKHEAL sample (9553567e231a172c69f0ef8800a927193b9cbd49), used in a recent campaign targeting the telecom sector, was recently uploaded to VirusTotal (VT). According to open sources, this malware is closely associated with a Chinese People's Liberation Army (PLA)-linked intrusion set known as the Needleminer group, RedFoxtrot, or Nomad Panda. Since I had never worked on QUICKHEAL before and PLA campaigns are rarely documented these days, I was eager to take a closer look at this sample. Thanks to y0sh1mitsu, I was able to retrieve the sample and begin analyzing it.

The first thing I noticed is that this 32-bit DLL is protected using VMProtect.

Figure 1: capture from VT

VMProtect is a legitimate commercial tool used to prevent unauthorized reverse engineering of programs. Everyone knows that unpacking malware protected with VMProtect can be painful. Fortunately, I was able to unpack it using OA Labs' Unpac.me. This was a lifesaver—I didn't have to spend hours trying to bypass this protection. Thank you, OA Labs, for your amazing work!

Once unpacked, it becomes possible to begin basic static analysis using PE Bear to gather several pieces of information about this DLL file, such as its name (RasTls.dll), the name of its export (GetOfficeDatatal), and its compilation time (08.04.2022).

Figure 2: PE Bear screenshot relating to RasTls.dll

Capabilities

The first noticeable observation about this sample is that the strings provide significant insight into its features and capabilities.

Figure 3: strings inside QUICKHEAL

It is possible to infer from the string "select * from moz_logins", the numerous references to Mozilla Firefox and SQLite databases, and the encryption functions that the malware attempts to retrieve credentials stored in the Firefox browser.

All these findings were already documented in a landmark analysis by Recorded Future about RedFoxtrot, which they link to PLA Unit 69010. As we will see below, the malware dynamically loads the functions required to interact with SQLite databases and NSS (Network Security Services) libraries to decrypt passwords or other sensitive information stored by applications such as Firefox.

While it is quite clear that QUICKHEAL can steal Firefox credentials, several clues suggest that the malware is also capable of stealing passwords stored in Microsoft Internet Explorer. Specifically, the malware manipulates Internet Explorer's GUID ("abe2869f-9b47-4cd9-a358-c22904dba7f7").

Figure 4: IE's GUID manipulation

IE passwords are encrypted using cryptographic functions after being salted with a text string generated from this GUID. This GUID can therefore be used to decrypt credentials stored in Internet Explorer, leveraging the CryptUnprotectData and CredEnumerateA APIs, both of which are also imported by the malware.

Communications

Hardcoded strings also reveal the malware's C2 address, the port it uses, and the user-agent it employs.

Figure 5: Hardcoded C2 name and port

The user-agent can be found in a function whose purpose appears to be formatting the HTTP request used to communicate with the C2:

Figure 6: hardcoded user-agent

It is worth noting that the malware attempts to establish an HTTP connection via a proxy, as indicated by strings found in the code: "Proxy-Authenticate: NTLM", "Proxy-Authorization: NTLM", and "Proxy-Authenticate: Basic".

My understanding is that the malware also tries to retrieve the user's internet settings. To achieve this, it appears that the malware passes the arguments of RegOpenKeyExW to a wrapper function using position-independent code. However, it is possible to infer the true purpose of this function from the arguments passed to it.

Figure 7: The malware passes the expected arguments for RegOpenKeyExW to a wrapper function

Obfuscation

What is particularly interesting is that the developers of the malware did not hold back in their efforts to obfuscate the malware's control flow, even though most strings are in plain text.

Firstly, the malware renames cmd.exe to alg.exe, which is a legitimate Windows process (Application Layer Gateway Service).

Figure 8: renaming cmd.exe

This trick may be used to avoid raising suspicion when the malware executes a command.

To make an analyst's job more difficult, I also believe the malware uses a custom API resolver, thereby avoiding direct invocation of these APIs.

Figure 9: custom API resolver

From what I could gather, the malware also uses LoadLibrary in an obfuscated manner to load the libraries it needs to decrypt Mozilla passwords. It first reconstructs the path to Mozilla Firefox and then uses registers to load the required DLL. Presumably for obfuscation purposes, the malware uses registers rather than directly invoking the API it wants to load. However, the API being used can be easily inferred from the context.

Figure 9: using LoadLibrary in an obfuscated way

Figure 10: MSDN documentation about LoadLibrary

The malware then attempts to resolve the addresses of the exported functions from the previously loaded DLLs by calling the esi register, which contains GetProcAddress or an equivalent function. To achieve this, it uses the following code:

Figure 11: DLLs' export dynamic resolution

The addresses of the resolved functions are stored in local variables ([ebp-...h]) for subsequent use. However, it is worth noting that the arguments are pushed in reverse order. This aligns with the MSDN documentation, which states:

Figure 12: MSDN documentation relating to GetProcAddress

hModule is a handle returned by LoadLibraryA, and lpProcName corresponds to the name of the function or variable. While these two items are pushed onto the stack before the call, the function name is pushed first, followed by the handle. This suggests that the malware uses a custom version of GetProcAddress.

Infrastructure mapping

While reversing QUICKHEAL was challenging, pivoting on its infrastructure was much easier. Passive DNS records suggest that the same infrastructure has been in use for the past couple of years, likely across different campaigns. For example, swiftandfast[.]net seems to have been used for over two years. While I cannot completely rule out false positives in the list of domains I gathered, I made an effort to exclude domains that fall outside the known timeframe of operation (i.e., 2022–2024). That being said, the attacker relied on commercial services such as Vultr or DigitalOcean.

Figure 14: Overview of the attacker's infrastructure

Since attackers are likely to choose domain names designed to fly under the radar, the targeted countries and, at times, sectors can often be deduced from them. For example, several domain names use the .in top-level domain, suggesting that India was one of the targets of this intrusion set. Moreover, several domains mimic the names of institutions in specific sectors in India, such as the telecom or space industries. For example, some domains use the acronym BSNL, which stands for Bharat Sanchar Nigam Limited, an Indian telecommunications firm. Other domains mention ISRO, the Indian Space Research Organisation.

Figure 15: Infrastructure cluster using Indian top-level domains or themes

While 165.22.211[.]185 was resolved by India-related domains mostly in 2022 (starting from May), it is worth noting that a QUICKHEAL sample was already communicating with this IP address in 2021. Moreover, in some cases, the attackers appear to have used news-themed domains such as www.dailysaudinews[.]com or ju-news[.]kr. Since these domains were not resolving to the IP address associated with swiftandfast[.]net at the same time, it is possible that the IP address was redistributed. However, newspapers and other news outlets are often accessed on professional workstations, making mimicking media websites an effective way to remain undetected. Additionally, these domains are either not hosting any content or are hosting websites that appear to have been generated using ChatGPT. These elements suggest that the Middle East and South Korea may have also been targeted, although with lower confidence.

Figure 16: Infrastructure cluster related to South Korea

These different graphs illustrate that the attackers have poor operational security (OPSEC). Indeed, they seem to have reused the same infrastructure for extended periods and across campaigns targeting multiple countries and sectors. Additionally, the same IP addresses were resolved by multiple domains used by the attackers, enabling us to map their infrastructure with relative ease. This lack of OPSEC stands in stark contrast to the obfuscation techniques employed by QUICKHEAL, such as packing with VMProtect and the use of position-independent code. Several reasons could explain this discrepancy. For instance, different teams might be responsible for malware development and infrastructure management. To reduce costs, the attackers may have chosen to reuse the same infrastructure across multiple campaigns. Finally, it cannot be ruled out that this infrastructure is shared among several different intrusion sets with varying levels of OPSEC.
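As an added example (not code from the Securite360 post), here is a process-creation check for the cmd.exe-to-alg.exe renaming trick described in the Obfuscation section. The events are constructed in the style of Sysmon Event ID 1 fields (Image, OriginalFileName, CommandLine); the only assumption is the standard Windows layout, where the genuine ALG service binary lives in System32.

```python
import ntpath

# Where the real Application Layer Gateway service binary lives on a stock Windows install.
LEGIT_ALG_PATH = r"c:\windows\system32\alg.exe"

def is_suspicious_alg(event):
    """Return a reason string when an alg.exe process looks like a renamed cmd.exe, else None."""
    image = event.get("Image", "")
    if ntpath.basename(image).lower() != "alg.exe":
        return None                                  # not an alg.exe process, nothing to check
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    # The PE version resource survives a file rename: a renamed cmd.exe still reports Cmd.Exe.
    if original and original != "alg.exe":
        return f"alg.exe with OriginalFileName={original}"
    # The genuine service binary lives in System32; a copy anywhere else is not it.
    if image.lower() != LEGIT_ALG_PATH:
        return f"alg.exe running from unexpected path {image}"
    # ALG is started by the service control manager, never with cmd-style switches.
    if " /c " in cmdline or " /k " in cmdline:
        return "alg.exe launched with cmd.exe-style arguments"
    return None

def scan_events(events):
    """Return (ProcessId, reason) for every event the check flags."""
    hits = []
    for e in events:
        reason = is_suspicious_alg(e)
        if reason:
            hits.append((e["ProcessId"], reason))
    return hits

# Constructed sample events (not real telemetry): one legitimate ALG start, two renamed copies,
# and an ordinary cmd.exe that the check must ignore.
SAMPLE_EVENTS = [
    {"ProcessId": 1201, "Image": r"C:\Windows\System32\alg.exe", "OriginalFileName": "ALG.exe",
     "CommandLine": r"C:\Windows\System32\alg.exe"},
    {"ProcessId": 4410, "Image": r"C:\Users\Public\alg.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"C:\Users\Public\alg.exe /c dir"},
    {"ProcessId": 4412, "Image": r"C:\ProgramData\tmp\alg.exe", "OriginalFileName": "",
     "CommandLine": r"alg.exe /c dir"},
    {"ProcessId": 777, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c dir"},
]

if __name__ == "__main__":
    for pid, reason in scan_events(SAMPLE_EVENTS):
        print(pid, reason)
```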
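The pivoting steps of the Infrastructure mapping section (drop resolutions outside the 2022–2024 window, group domains by shared IP, infer targets from TLDs and themes, and check whether two domains overlapped on an IP or merely inherited it) as an added Python example, not code from the post. The domain names are ones the post mentions; the IP addresses (RFC 5737 documentation range) and dates are constructed placeholders, not real resolutions.

```python
from collections import defaultdict
from datetime import date

KNOWN_WINDOW = (date(2022, 1, 1), date(2024, 12, 31))   # operation timeframe given in the post
# Substrings and TLDs that hint at a targeted country or sector (BSNL, ISRO, .in and .kr from the post).
THEMES = {"india": ("bsnl", "isro"), "india_tld": (".in",), "korea_tld": (".kr",), "news": ("news",)}

# Constructed passive DNS records: (domain, ip, first_seen, last_seen). IPs are RFC 5737
# documentation addresses and the dates are placeholders, not real resolutions.
PDNS = [
    ("swiftandfast[.]net", "203.0.113.10", date(2022, 3, 1), date(2024, 11, 2)),
    ("indiabsnl[.]in", "203.0.113.20", date(2022, 5, 9), date(2022, 12, 1)),
    ("isronrsc[.]giize[.]com", "203.0.113.20", date(2022, 6, 1), date(2022, 11, 15)),
    ("ju-news[.]kr", "203.0.113.30", date(2023, 2, 1), date(2023, 8, 1)),
    ("dailysaudinews[.]com", "203.0.113.30", date(2023, 3, 1), date(2023, 9, 1)),
    ("unrelated[.]example", "203.0.113.30", date(2019, 1, 1), date(2020, 6, 1)),  # earlier tenant of the IP
]

def in_window(first, last, window=KNOWN_WINDOW):
    """True if the resolution period overlaps the known activity window."""
    return first <= window[1] and last >= window[0]

def themes_for(domain):
    """Country/sector hints derived from the (defanged) domain name alone."""
    d = domain.lower().replace("[.]", ".")
    return sorted(name for name, needles in THEMES.items()
                  if any(d.endswith(n) if n.startswith(".") else n in d for n in needles))

def cluster_by_ip(records):
    """Group domains by shared resolving IP, dropping resolutions outside the window."""
    clusters = defaultdict(list)
    for domain, ip, first, last in records:
        if in_window(first, last):
            clusters[ip].append(domain)
    return dict(clusters)

def overlap_on_ip(records, ip, a, b):
    """True when a and b resolved to ip during overlapping periods (same tenant);
    False when the periods are disjoint, which may just mean the IP was reassigned."""
    spans = {d: (f, l) for d, i, f, l in records if i == ip and d in (a, b)}
    if len(spans) < 2:
        return False
    (f1, l1), (f2, l2) = spans[a], spans[b]
    return f1 <= l2 and f2 <= l1

if __name__ == "__main__":
    for ip, domains in cluster_by_ip(PDNS).items():
        print(ip, [(d, themes_for(d)) for d in domains])
```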