The Emissary Panda
or
How To Fool Your Database Admin While They Are Unaware of Your Shenanigans
Section One:
Overview –
Do not allow the picture of the cute savage animal to lull you into a false sense of complacency. Behind that panda is a group of individuals who are not cute and, more importantly, have been active for a very long time. I introduce you to Emissary Panda. This is a Chinese group that has been around for at least a decade. In the past we have known them as APT 27, but they go by other names. Groups such as Emissary Panda are not restricted to nation-state activities. They go where the data is needed, and there are many that follow them. The tool-set used by these groups can be found and modified if one knows where to look. Care needs to be taken. This panda has a pet RAT that got loose.
Section Two:
Static Analysis
The binary file "odbcad32.exe" at first glance is a normal system file. It is the Open Database Connectivity Data Source Administrator tool. The file is located in the %systemdrive%\Windows\System32 folder. With this tool, those who are working on databases are able to establish connections from their machines to their respective data sources. This is an interesting approach to hiding in plain sight.
The binary gets more interesting when you do a static analysis. At first, we see what one would expect to see:
Version Info:
LegalCopyright Microsoft Corporation. All rights reserved.
InternalName odbcad32.exe
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
CompanyName Microsoft Corporation
ProductName Microsoft® Windows® Operating System
ProductVersion 6.1.7600.16385
FileDescription ODBC Administrator
OriginalFilename odbcad32.exe
Translation 0x0409 0x04b0
The File Version gives the cynical individual some pause, but it's not enough to raise an alarm. When the binary opens the user should see something like this:
The above is the 64-bit version of the file; the GUIs for the 32-bit and 64-bit versions are similar. As this is a Microsoft binary, we would expect to be able to verify its authenticity via the digital signature. What we see is not a Microsoft signature but something different:
MD5 17c71b458651ef30b8cfbd440c9033ad
SHA1 3e2b15d5fd1ce4df036b776caf22244343597d34
Serial Number 0a4ed6bc5249117b35b9fdb7dd33e87b
Common Name Hangzhou Bianfeng Networking Technology Co., Ltd.
Country CN
Locality Hangzhou
From this static analysis we have now established that this binary is evil. Below are the hash values:
Size 1.6MB
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 70cff7c176c7df265a808aa52daf6f34
SHA1 045d65b51fc3c0a051c038f8e19421798011f692
SHA256 caa46c001c3180eb7fdd5e5cbf7d084b75b7bdf72e61e06430a88378604a25eb
SHA512 2513e321542555133d3c3524de0b456e5788bdc63270f80a2c9d12d3678e1f34ce2f9cf4f33b7f1cfb97d9104c5e9001b5e8491010e0ba796c0893f4a252edc7
CRC32 1D80CDBC
ssdeep 49152:FP2O39Y1FN8zbAGWinOmp66V3H55eObRx:FOO39SN8zbzlZp66V3HPeE
Yara None matched
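The three static checks the section walks through (vendor claimed in the version resource versus the Authenticode signer, a Windows 7 build string on a newer host, and the published digests) can be scripted. The block below is an added example, not tooling from the write-up: the version info, signer fields and known-bad hashes are copied from this page, the host version is an assumed input, and the bytes hashed in the usage are constructed, so they deliberately do not match the sample.

```python
"""Static-triage helpers for a file like the one described above (added
example, not the write-up's own tooling). Three checks: the VERSIONINFO
vendor against the Authenticode signer, the embedded build version against
the host build, and the file's digests against a known-bad list."""
import hashlib
import zlib

# Version resource as printed on the page.
VERSION_INFO = """\
LegalCopyright Microsoft Corporation. All rights reserved.
InternalName odbcad32.exe
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
CompanyName Microsoft Corporation
ProductName Microsoft Windows Operating System
ProductVersion 6.1.7600.16385
FileDescription ODBC Administrator
OriginalFilename odbcad32.exe
"""

# Authenticode signer fields as reported on the page.
SIGNER = {
    "Common Name": "Hangzhou Bianfeng Networking Technology Co., Ltd.",
    "Country": "CN",
    "Locality": "Hangzhou",
}

# Digests of the sample as published on the page.
KNOWN_BAD = {
    "md5": "70cff7c176c7df265a808aa52daf6f34",
    "sha1": "045d65b51fc3c0a051c038f8e19421798011f692",
    "sha256": "caa46c001c3180eb7fdd5e5cbf7d084b75b7bdf72e61e06430a88378604a25eb",
}


def parse_version_info(text):
    """'Key value...' lines, as the page prints them, into a dict."""
    info = {}
    for line in text.strip().splitlines():
        key, _, value = line.strip().partition(" ")
        info[key] = value.strip()
    return info


def vendor_signer_mismatch(info, signer):
    """Finding when CompanyName claims Microsoft but the signer's CN does not."""
    company = info.get("CompanyName", "")
    cn = signer.get("Common Name", "")
    if "microsoft" in company.lower() and "microsoft" not in cn.lower():
        return f"VERSIONINFO claims '{company}' but signed by '{cn}' ({signer.get('Country', '?')})"
    return None


def build_host_mismatch(info, host_version):
    """True when the embedded FileVersion belongs to a different Windows
    generation than the host (host_version is an assumed input, e.g. '10.0')."""
    return not info.get("FileVersion", "").startswith(host_version + ".")


def file_hashes(data):
    """The digest set the page lists, computed over the bytes given."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
    }


def ioc_match(data, known_bad=KNOWN_BAD):
    """Names of the digest algorithms whose value matches a known-bad entry."""
    digests = file_hashes(data)
    return sorted(alg for alg, value in known_bad.items() if digests.get(alg) == value.lower())


def triage(data, info=None, signer=SIGNER, host_version="10.0"):
    """Collect the findings for one file image."""
    info = parse_version_info(VERSION_INFO) if info is None else info
    findings = []
    mismatch = vendor_signer_mismatch(info, signer)
    if mismatch:
        findings.append(mismatch)
    if build_host_mismatch(info, host_version):
        findings.append(f"FileVersion {info.get('FileVersion')} does not match host {host_version}")
    matched = ioc_match(data)
    if matched:
        findings.append("known-bad digest match: " + ", ".join(matched))
    return findings


if __name__ == "__main__":
    # Constructed bytes: stands in for the file image, so no digest will match.
    for finding in triage(b"constructed placeholder, not the sample"):
        print("-", finding)
```

The vendor/signer check is the one that carries the weight here: a file whose version resource says Microsoft but whose certificate chain ends in an unrelated company is exactly what the signature block above shows, and it needs no hash database to catch.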
Section Three:
Part One — Sandbox
When the binary launches, we see the following process tree –
net.exe is launched with the parameters stop "Remote Registry Configuration". Following this command, a second net.exe is launched with the same parameters. The net.exe command is used to manage the operating system from the command line. The Remote Registry Configuration service is what it sounds like: it allows remote users to modify registry settings on the computer. If the service is stopped, the registry can be modified only by users on the computer. An alert can be created for this; however, at its core it is still a system function. From our perspective you should be alerting on such actions in your environment: unless it is necessary, there is no reason a user should be able to go in via net.exe and issue a stop "Remote Registry Configuration" command.
Following the above, another system binary runs: rundll32.exe loads "shlzapi.dll". The Install flag is set here. If you were not set up to watch for those net.exe command lines, this whole chain is going to be missed, which makes it all the more interesting –
C:\Windows\System32\rundll32.exe "C:\Windows\system32\shlzapi.dll",Install
The roadmap to a foothold in the system begins here. Two more net.exe commands are executed:
net start "Remote Registry Configuration"
followed by
C:\Windows\system32\net1 start "Remote Registry Configuration"
The cmd.exe process comes up now — it executes the following batch file:
cmd.exe /c C:\Users\admin\AppData\Local\Temp\7zVffiXxDZ.bat
C:\Windows\System32\svchost.exe -k netsvcs
After this svchost.exe is executed and the shlzapi.dll file is loaded. It then drops the file autochk.sys in the C:\Windows\System32\drivers directory,
which gives us:
filename: C:\Windows\system32\drivers\autochk.sys
md5: 7520ec808e0c35e0ee6f841294316653
size: 198208
time: 1547ms
access: READ_CONTROL, SYNCHRONIZE, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES
created: CREATED
device: DISK_FILE_SYSTEM
name: C:\Windows\system32\drivers\autochk.sys
object: FILE
operation: CREATE
status: 0x00000000
time: 1547ms
Permissions allow autochk.sys to read the hosts file located at C:\Windows\System32\drivers\etc\hosts.
At this point persistence is established in the system; the truly malicious act was when rundll32.exe installed the rogue DLL. A system alert for the net command being executed would detect this, or at a minimum your security operator would have to catch it. Save for rundll32.exe, everything else done would come up benign. This is the genius in using system processes to achieve your goal and establish persistence in the system. This is also why we believe you must monitor when cmd.exe is executed.
Below is a graph of the processes –
An interesting note here: the digital signature of autochk.sys also matches the signature of odbcad32.exe, as noted below:
Section Four:
Live Analysis
The malicious binary is delivered via the browser for the purpose of this analysis. It is important to note that in November the BlockedFileType list in Outlook will expand. This is a list of attachment file types that cannot be saved locally or viewed from Outlook on the web — phishers, start getting creative. As noted above, the binary is deployed and we get the following process tree:
Part One:
First Appearance
It is important to re-emphasize a major point here. What APT 27 does is use Windows system files to execute the malware. This makes it difficult to detect, so we need to think strategically about what to look for. By the time the malware makes its first appearance, this will not be the first time the questionable entity has shown up in the logs. However, all is not lost: there is behavior we can look for that will aid us in constructing alerts that can help keep the interloper away.
The first sign is the malware being downloaded to the user's Downloads directory. Though not truly the first sign of trouble, we are of the position that your security administrator should be aware of it when items end up in the Downloads directory.
Event ID: 4656
Subject:
Security ID: S-1-5-21-372134654-1229274158-1178834050-500
Account Name: Administrator
Account Domain: PROJECTFARSCAPE
Logon ID: 0x11309B6
Object:
Object Server: Security
Object Type: File
Object Name: C:\Users\Administrator\Downloads\odbcad32.exe
Handle ID: 0xdf0
Resource Attributes: S:AI(RA;ID;;;;WD;("IMAGELOAD",TU,0x0,1))
Process Information:
Process ID: 0x1cb8
Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
Access Reasons: READ_CONTROL: Granted by Ownership
SYNCHRONIZE: Granted by D:(A;;FA;;;BA)
ReadData (or ListDirectory): Granted by D:(A;;FA;;;BA)
ReadEA: Granted by D:(A;;FA;;;BA)
ReadAttributes: Granted by D:(A;;FA;;;BA)
Access Mask: 0x120089
Privileges Used for Access Check: -
Restricted SID Count: 0
Part Two:
There are many events that follow the above. A lot of them can be misinterpreted. However, even if we disregard setting up alerts for the Downloads directory, this one we cannot ignore.
A new process has been created.
Creator Subject:
Security ID: S-1-5-21-372134654-1229274158-1178834050-500
Account Name: Administrator
Account Domain: PROJECTFARSCAPE
Logon ID: 0x11309B6
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1744
New Process Name: C:\Windows\System32\net.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-12288
Creator Process ID: 0xd9c
Creator Process Name: C:\Users\Administrator\Downloads\odbcad32.exe
Process Command Line: net stop "Remote Registry Configuration"
The malware in panda clothing, disguised as a system process, is issuing a command that affects the registry. No matter what you're doing, even if you trust your users, you should always be monitoring for processes that attempt to access the registry remotely. Here is our patient zero. From this moment you have to catch it; otherwise it gets worse.
Part Three:
Homicidal Panda
The malware spawns another version of net.exe — net1.exe — with another stop for the Remote Registry service:
A new process has been created.
Creator Subject:
Security ID: S-1-5-21-372134654-1229274158-1178834050-500
Account Name: Administrator
Account Domain: PROJECTFARSCAPE
Logon ID: 0x11309B6
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x22c0
New Process Name: C:\Windows\System32\net1.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-12288
Creator Process ID: 0x1744
Creator Process Name: C:\Windows\System32\net.exe
Process Command Line: C:\WINDOWS\system32\net1 stop "Remote Registry Configuration"
From here another system process is used — rundll32.exe. This is exactly as it sounds — it takes a DLL and loads it into memory:
A new process has been created.
Creator Subject:
Security ID: S-1-5-21-372134654-1229274158-1178834050-500
Account Name: Administrator
Account Domain: PROJECTFARSCAPE
Logon ID: 0x11309B6
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xb80
New Process Name: C:\Windows\System32\rundll32.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-12288
Creator Process ID: 0xd9c
Creator Process Name: C:\Users\Administrator\Downloads\odbcad32.exe
Process Command Line: C:\WINDOWS\System32\rundll32.exe "C:\WINDOWS\system32\odbccx32.dll",Install
The name of the DLL dropped by odbcad32.exe seems to change depending on the install. In the sandbox it was different; in the live install it used odbccx32.dll, which would be hard to spot. Following a rogue DLL being loaded by a rogue system process, the same net command is issued again, but this time to start the Remote Registry Configuration service. The following events are your last chance to contain the damage.
Here it is, the same rogue binary doing the work –
A new process has been created.
Creator Subject:
Security ID: S-1-5-21-372134654-1229274158-1178834050-500
Account Name: Administrator
Account Domain: PROJECTFARSCAPE
Logon ID: 0x11309B6
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x23dc
New Process Name: C:\Windows\System32\net.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-12288
Creator Process ID: 0xd9c
Creator Process Name: C:\Users\Administrator\Downloads\odbcad32.exe
Process Command Line: net start "Remote Registry Configuration"
Followed by another one –
A new process has been created.
Creator Subject:
Security ID: S-1-5-21-372134654-1229274158-1178834050-500
Account Name: Administrator
Account Domain: PROJECTFARSCAPE
Logon ID: 0x11309B6
Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x63c
New Process Name: C:\Windows\System32\net1.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-12288
Creator Process ID: 0x23dc
Creator Process Name: C:\Windows\System32\net.exe
Process Command Line: C:\WINDOWS\system32\net1 start "Remote Registry Configuration"
We are now left with a batch file that is executed from a command line. This is something we should always look for: command lines being spawned from a process, unless you know about it.
EventID: 1
EventReceivedTime: 2019-09-30 12:28:28
EventType: INFO
FileVersion: 10.0.17134.1 (WinBuild.160101.0800)
Hashes: SHA1=8F9BC1B7D65188D0ADBDF74CCCE4EED78BF4C129
Image: C:\Windows\System32\conhost.exe
IntegrityLevel: High
Keywords: -9223372036854776000
LogonGuid: {F9A5ADB1-F5DA-5D91-0000-0020B6091301}
LogonId: 0x11309b6
Opcode: Info
OpcodeValue: 0
OriginalFileName: CONHOST.EXE
ParentCommandLine: C:\WINDOWS\system32\cmd.exe /c C:\Users\ADMINI~1\AppData\Local\Temp\Wbi4D994Bs.bat
ParentImage: C:\Windows\SysWOW64\cmd.exe
ParentProcessGuid: {F9A5ADB1-2D09-5D92-0000-00109E446003}
ParentProcessId: 9040
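The alerts argued for across the sandbox run and the live events above (net.exe touching the Remote Registry service, rundll32.exe with an Install entry point, cmd.exe running a batch file out of Temp, and anything spawned by a binary in Downloads) can be prototyped against the very records quoted here. The block below is an added example, not the author's tooling: it assumes the 4688 bodies and the Sysmon record arrive as "Key: Value" lines, the rule names and the chain definition are mine, and the sample events are constructed from values on this page.

```python
"""Process-chain detection prototype (added example, not the write-up's own
tooling). parse_kv() flattens a 4688 body or a Sysmon Event ID 1 record
supplied as "Key: Value" lines, the normalise_* helpers map both onto one
schema, evaluate() applies the alerts the write-up argues for, and
correlate() groups hits by creator process, since in both runs one parent
(odbcad32.exe) issues the whole stop / rundll32 Install / start sequence."""
import re
from collections import defaultdict

SVC_RE = re.compile(r'\b(stop|start)\s+"?remote registry', re.I)
INSTALL_RE = re.compile(r'\.dll"?\s*,\s*install\b', re.I)
TEMP_BAT_RE = re.compile(r'\\temp\\[^\s"]+\.bat\b', re.I)


def parse_kv(text):
    """Split each line on its first colon only, so Windows paths survive."""
    kv = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            kv[key.strip()] = value.strip()
    return kv


def normalise_4688(kv):
    return {"image": kv.get("New Process Name", ""),
            "cmdline": kv.get("Process Command Line", ""),
            "pid": int(kv.get("New Process ID", "0x0"), 16),
            "ppid": int(kv.get("Creator Process ID", "0x0"), 16),
            "parent": kv.get("Creator Process Name", ""),
            "parent_cmdline": ""}


def normalise_sysmon(kv):
    return {"image": kv.get("Image", ""),
            "cmdline": kv.get("CommandLine", ""),
            "pid": int(kv.get("ProcessId", "0")),
            "ppid": int(kv.get("ParentProcessId", "0")),
            "parent": kv.get("ParentImage", ""),
            "parent_cmdline": kv.get("ParentCommandLine", "")}


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev):
    """Rule names one normalised process event trips (names are mine)."""
    hits = []
    img, cmd = _base(ev["image"]), ev["cmdline"]
    svc = SVC_RE.search(cmd)
    if img in ("net.exe", "net1.exe") and svc:
        hits.append("remote_registry_" + svc.group(1).lower())
    if img == "rundll32.exe" and INSTALL_RE.search(cmd):
        hits.append("rundll32_install_export")
    if img == "cmd.exe" and TEMP_BAT_RE.search(cmd):
        hits.append("cmd_temp_batch")
    if _base(ev["parent"]) == "cmd.exe" and TEMP_BAT_RE.search(ev["parent_cmdline"]):
        hits.append("child_of_temp_batch")
    if "\\downloads\\" in ev["parent"].lower():
        hits.append("spawned_from_downloads")
    return hits


CHAIN = {"remote_registry_stop", "rundll32_install_export", "remote_registry_start"}


def correlate(events):
    """Hits keyed by (creator pid, creator image), plus the creators whose
    children reproduce the full stop -> Install -> start chain."""
    by_parent = defaultdict(list)
    for ev in events:
        for rule in evaluate(ev):
            by_parent[(ev["ppid"], ev["parent"])].append(rule)
    flagged = [p for p, rules in by_parent.items() if CHAIN <= set(rules)]
    return dict(by_parent), flagged


# Constructed samples; pids, images and command lines are those quoted above.
DL = r"C:\Users\Administrator\Downloads\odbcad32.exe"
NET = r"C:\Windows\System32\net.exe"


def _event_4688(pid, image, ppid, parent, cmdline):
    return (f"A new process has been created.\nProcess Information:\n"
            f"New Process ID: {pid}\nNew Process Name: {image}\n"
            f"Creator Process ID: {ppid}\nCreator Process Name: {parent}\n"
            f"Process Command Line: {cmdline}\n")


SAMPLE_4688 = [
    _event_4688("0x1744", NET, "0xd9c", DL, 'net stop "Remote Registry Configuration"'),
    _event_4688("0x22c0", r"C:\Windows\System32\net1.exe", "0x1744", NET,
                r'C:\WINDOWS\system32\net1 stop "Remote Registry Configuration"'),
    _event_4688("0xb80", r"C:\Windows\System32\rundll32.exe", "0xd9c", DL,
                r'C:\WINDOWS\System32\rundll32.exe "C:\WINDOWS\system32\odbccx32.dll",Install'),
    _event_4688("0x23dc", NET, "0xd9c", DL, 'net start "Remote Registry Configuration"'),
]
SAMPLE_SYSMON = ("EventID: 1\nImage: C:\\Windows\\System32\\conhost.exe\n"
                 "ParentCommandLine: C:\\WINDOWS\\system32\\cmd.exe /c "
                 "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\Wbi4D994Bs.bat\n"
                 "ParentImage: C:\\Windows\\SysWOW64\\cmd.exe\nParentProcessId: 9040\n")


def run_samples():
    events = [normalise_4688(parse_kv(t)) for t in SAMPLE_4688]
    events.append(normalise_sysmon(parse_kv(SAMPLE_SYSMON)))
    return correlate(events)


if __name__ == "__main__":
    by_parent, flagged = run_samples()
    for (ppid, parent), rules in by_parent.items():
        print(f"{parent} (pid {ppid:#x}) -> {rules}")
    print("full chain from:", [p for _, p in flagged])
```

Grouping by creator is what turns four individually explainable events into one alert: net.exe stopping a service, rundll32.exe with ,Install and net.exe starting the service each occur legitimately, but a single parent living in a Downloads folder producing all three in sequence is the pattern both the sandbox and the live run show.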
Part Four:
Disturbing Behavior
The malware makes a network connection to yofeopxuuehixwmj.redhatupdater.com. Most likely this is the command and control server. The domain name is interesting; the redhatupdater domain's odd naming stands out. What stands out more is the fact that it is making a connection over the port most commonly used for DNS.
We are able to further determine that the command and control server is somewhere in the Russian Federation.
{"ts":"2019-10-01T21:56:22.722332Z","uid":"C2lJ6S2qemot0tsyl6","id.orig_h":"192.168.200.137","id.orig_p":52078,"id.resp_h":"192.168.200.131","id.resp_p":53,"proto":"udp","trans_id":24130,"rtt":2.050833,"query":"yofeopxuuehixwmj.redhatupdater.com","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["80.85.153.176"],"TTLs":[597.0],"rejected":false}
As noted above — the provider's name is Chelyabinsk-Signal. As of October 1, 2019 the C&C server is still live. The server, as you can see, is quite chatty:
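The DNS record quoted above is a Zeek dns.log line in JSON form, and the two things the analyst eyeballs in it (a random-looking leftmost label, and an answer pointing at a public address) can be scored automatically, as can the "chatty" repetition. The block below is an added example, not tooling from the write-up: the record is copied from this page with its quotes normalised, the entropy and length thresholds are assumptions chosen for illustration, and the repeated log lines are constructed.

```python
"""Zeek dns.log triage (added example, not the write-up's tooling)."""
import ipaddress
import json
import math

# The record quoted on this page, quotes normalised.
SAMPLE_DNS = ('{"ts":"2019-10-01T21:56:22.722332Z","uid":"C2lJ6S2qemot0tsyl6",'
              '"id.orig_h":"192.168.200.137","id.orig_p":52078,'
              '"id.resp_h":"192.168.200.131","id.resp_p":53,"proto":"udp",'
              '"trans_id":24130,"rtt":2.050833,'
              '"query":"yofeopxuuehixwmj.redhatupdater.com","qclass":1,'
              '"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,'
              '"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,'
              '"Z":0,"answers":["80.85.153.176"],"TTLs":[597.0],"rejected":false}')


def shannon_entropy(s):
    """Bits per character of s; random-looking labels score high."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _is_public(addr):
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False


def triage_dns(line, label_len=12, entropy_bits=3.0):
    """Findings for one dns.log record (thresholds are assumptions)."""
    rec = json.loads(line)
    query = rec.get("query", "")
    labels = query.split(".")
    host_label = labels[0] if len(labels) > 2 else ""
    findings = []
    if len(host_label) >= label_len and shannon_entropy(host_label) >= entropy_bits:
        findings.append(f"random-looking subdomain label ({len(host_label)} chars, "
                        f"{shannon_entropy(host_label):.2f} bits/char)")
    public = [a for a in rec.get("answers", []) if _is_public(a)]
    if public:
        findings.append("resolves to public address: " + ", ".join(public))
    return {"query": query, "src": rec.get("id.orig_h"), "findings": findings}


def chatty_queries(lines, threshold=3):
    """Lookups per (source host, query) at or above threshold: the simplest
    way to surface the repeated resolution the write-up calls 'chatty'."""
    counts = {}
    for line in lines:
        rec = json.loads(line)
        key = (rec.get("id.orig_h"), rec.get("query"))
        counts[key] = counts.get(key, 0) + 1
    return {k: v for k, v in counts.items() if v >= threshold}


def constructed_log():
    """Constructed log: the page's record repeated at later timestamps, plus
    one benign lookup so the chatty check has something to ignore."""
    base = json.loads(SAMPLE_DNS)
    out = [json.dumps(dict(base, ts=f"2019-10-01T21:{56 + i}:22.722332Z",
                           trans_id=base["trans_id"] + i)) for i in range(4)]
    out.append(json.dumps(dict(base, query="www.example.com", answers=[])))
    return out


if __name__ == "__main__":
    print(triage_dns(SAMPLE_DNS))
    print(chatty_queries(constructed_log()))
```

Entropy alone is a weak signal (CDN hostnames also look random), which is why the example pairs it with the answer address and the repetition count; a geolocation lookup of the answer, which the write-up does by hand, would be the next field to add.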
Conclusion:
The lesson to be learned here is that a skilled threat actor can disguise his or her weapons of choice as system files. Because it is difficult to identify these rogue files, as one cannot do static analysis on the fly to look at digital signatures, you must think outside of the box in detecting attacks or exfiltration of data. With the above remote access Trojan, not only do we see system files being executed from their native path, but we also see the Trojan communicate with the command and control server over a DNS port.
If we look for command shells being spawned, and alerts are given, the security operator can quickly investigate the issue and shut down the incident before it gets worse. By the time communication is established with the command and control server it is already too late, but if you catch it while spawning, you can contain the damage. The guardian of your infrastructure needs to be able to think like its attackers.