This blog post is part of a series on Earth Kasha. See our previous posts for a detailed look at Earth Kasha's tactics and targets.
Introduction
Trend Micro's investigation found that a spear-phishing campaign targeting individuals and organizations in Japan has been active since around June 2024. A notable aspect of this campaign is the return of a known backdoor, ANEL, which was used in earlier APT10 campaigns against Japan until around 2018 and had not been observed since. NOOPDOOR, a backdoor tied to Earth Kasha activity, was also found in the same campaign. Together, these findings lead us to conclude that this campaign is a new operation by Earth Kasha.
Campaign Particulars
The campaign, observed from around June 2024 and attributed to Earth Kasha, used spear-phishing emails for initial access. Its targets include individuals connected to political organizations, research institutes, think tanks, and bodies involved in international relations. In 2023, Earth Kasha mainly exploited vulnerabilities in edge devices to break into networks; this new campaign shows a shift back to spear-phishing and an evolving modus operandi.
Their TTPs have changed once again. The change appears to be driven by a shift in targets from organizations to individuals. The victim profiles and the titles of the decoy files being distributed also indicate that the attackers are particularly interested in topics related to Japan's national security and international relations.

The phishing emails used in this campaign were sent either from free email accounts or from compromised accounts. Each email contained a link to a OneDrive location and a message in Japanese urging the recipient to download a ZIP file. The following email subjects were observed, presumably chosen to attract the targets' attention:
- 取材申請書 (Interview Request Form)
- 米中の現状から考える日本の経済安全保障 (Japan’s Economic Security in Light of Current US-China Relations)
- [官公庁・公的機関一覧] ([List of Government and Public Institutions])
The contents of the ZIP file, which serves as the infection vector, vary by time period and target.
Scenario 1: Macro-Enabled Document
The simplest scenario is a document with an embedded macro. Infection begins when the document is opened and macros are enabled. The document acts as a malicious dropper we call ROAMINGMOUSE. As described later, ROAMINGMOUSE extracts and executes the embedded ANEL-related components (a legitimate EXE, ANELLDR, and the encrypted ANEL). Two patterns were observed: one drops a ZIP file and then extracts it, the other drops the components directly.

Scenario 2: Shortcut + SFX + Macro-Enabled Template Document
In other cases, the ZIP file did not contain ROAMINGMOUSE directly. Instead, it contained a shortcut file and an SFX (self-extracting) archive disguised as a document by changing its icon and extension.

When the shortcut file is opened, it runs the SFX file in the same directory, which is disguised as a .docx file.

The SFX file drops two document files into the %APPDATA%\Microsoft\Templates folder. One is a harmless decoy document; the other, named "normal_.dotm", contains the ROAMINGMOUSE macro. When the decoy document is opened, ROAMINGMOUSE is loaded automatically as a Word template. From that point on, ROAMINGMOUSE behaves as in Scenario 1.
Scenario 3: Shortcut + CAB + Macro-Enabled Template Document
A case similar to Scenario 2 was also observed, in which the shortcut file launches PowerShell, which in turn drops an embedded CAB file.

The shortcut file in this case contained a PowerShell one-liner, shown in the figure below. The script carved a CAB file out of the shortcut file at a fixed offset, extracted it, and opened a decoy file. The decoy file then automatically loaded ROAMINGMOUSE as a template, following the same path as in Scenario 2.


Malware Used for Initial Access
ROAMINGMOUSE
The macro-enabled document used for initial access in this campaign is what we call ROAMINGMOUSE. It serves as a carrier for the ANEL-related components. Its main job is to run the subsequent ANEL payload while keeping the risk of detection low, and it uses several obfuscation techniques to that end.
(Basic) Sandbox Evasion
The ROAMINGMOUSE variant seen in Scenario 1 requires the user to enable macros. It also only triggers its malicious behavior in response to specific mouse movements by the user: a handler for the "MouseMove" event fires when the user's mouse passes over a user form embedded in the document.

Because the malicious behavior does not start without this user interaction, the check most likely serves as a sandbox-evasion measure. However, many commercial and open-source sandboxes now simulate such interactions, which has reduced the effectiveness of this technique.
Custom Base64-Encoded Payloads
Whether this counts as an evasion technique is debatable, but it is certainly a distinctive feature of ROAMINGMOUSE. In Scenario 1, Pattern 1, ROAMINGMOUSE stores the ZIP file containing the ANEL-related components as Base64 split into three segments, one of which is encoded with a custom Base64 alphabet. After decoding, the files in the ZIP are extracted to a specific location.

This hampers analysis, and it may also be intended to defeat tools that automatically decode standard Base64 found in VBA code; such tools have become common, so a custom alphabet acts as a countermeasure against them.
HEX-Encoded Payloads
In some cases, such as Scenario 1, Pattern 2, the ANEL-related components were dropped directly rather than Base64-encoded inside a ZIP file. In these cases each component was embedded in the VBA code as a HEX-encoded string.
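The two encodings above are what an analyst has to undo to get at the dropped components. The following script is an added example, not Trend Micro's tooling or code from the document; it assumes a made-up custom Base64 alphabet (the real one must be read from the sample's VBA decoding routine), assumes the ZIP is split into three byte ranges that are each Base64-encoded on their own, and builds its own sample ZIP so it runs offline. The hex path shows the Pattern 2 case, where each component is a long HEX string literal.

```python
"""Recover ROAMINGMOUSE-style embedded payloads from VBA string constants.

Added example, not the malware's code. Assumptions not on the page: the
custom alphabet below is a made-up permutation of the standard one, each of
the three ZIP segments is Base64-encoded separately, and all sample data is
constructed here.
"""
import base64
import binascii
import io
import re
import string
import zipfile

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
# Hypothetical custom alphabet (assumption): replace with the one recovered
# from the sample's decoding function.
CUSTOM_ALPHABET = STD_ALPHABET[32:] + STD_ALPHABET[:32]


def custom_b64decode(text, alphabet):
    """Decode Base64 that uses a non-standard alphabet by translating each
    symbol back to the standard alphabet, then reusing the stdlib decoder."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct symbols")
    std = text.translate(str.maketrans(alphabet, STD_ALPHABET))
    std += "=" * (-len(std) % 4)            # tolerate stripped padding
    return base64.b64decode(std, validate=True)


def custom_b64encode(raw, alphabet):
    """Inverse of custom_b64decode; used here only to construct sample input."""
    return base64.b64encode(raw).decode("ascii").translate(
        str.maketrans(STD_ALPHABET, alphabet))


def recover_zip(chunks, alphabet, custom_index):
    """Decode the three segments (one with the custom alphabet), join them,
    and return {filename: bytes} for the embedded ZIP."""
    blob = b"".join(
        custom_b64decode(c, alphabet) if i == custom_index else base64.b64decode(c)
        for i, c in enumerate(chunks))
    if not blob.startswith(b"PK\x03\x04"):
        raise ValueError("decoded blob is not a ZIP archive")
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


HEX_LITERAL = re.compile(r'"([0-9A-Fa-f]{32,})"')


def recover_hex_components(vba_source):
    """Pattern 2: every component sits in the VBA as a long HEX string literal.
    Returns the decoded blobs in source order; odd-length literals are skipped."""
    blobs = []
    for literal in HEX_LITERAL.findall(vba_source):
        try:
            blobs.append(binascii.unhexlify(literal))
        except binascii.Error:
            continue
    return blobs


def build_sample_chunks():
    """Construct a ZIP shaped like the ANEL component set and encode it the way
    recover_zip expects (constructed test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ScnCfg32.Exe", b"MZ" + b"\x90" * 62 + b"legit-host-app")
        zf.writestr("vsodscpl.dll", b"MZ" + b"\x00" * 62 + b"loader")
        zf.writestr("xk2p9q", bytes(range(256)))   # encrypted-ANEL stand-in
    raw = buf.getvalue()
    third = len(raw) // 3
    parts = [raw[:third], raw[third:2 * third], raw[2 * third:]]
    return [base64.b64encode(parts[0]).decode("ascii"),
            custom_b64encode(parts[1], CUSTOM_ALPHABET),   # the odd one out
            base64.b64encode(parts[2]).decode("ascii")]


if __name__ == "__main__":
    files = recover_zip(build_sample_chunks(), CUSTOM_ALPHABET, custom_index=1)
    for name, data in files.items():
        print(f"{name}: {len(data)} bytes, MZ={data[:2] == b'MZ'}")
```

The translation-table trick is the reason generic VBA decoders miss the custom segment: they only recognize the standard alphabet, and a permuted alphabet decodes to garbage until the mapping is restored. On a real document, VBA string concatenation across lines (`"..." & _`) has to be joined before the regular expression sees the literals.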

Execution via WMI
The dropped files consist of the following ANEL-related components:
- ScnCfg32.Exe: a legitimate application that loads a DLL from the same folder (DLL sideloading).
- vsodscpl.dll: the ANELLDR loader.
- <RANDOM>: the encrypted ANEL.
ROAMINGMOUSE runs ANEL by launching the legitimate application "ScnCfg32.exe", which sideloads the malicious DLL "vsodscpl.dll". For this step it uses WMI to start "explorer.exe" with "ScnCfg32.Exe" as the argument.

This approach is meant to evade security products, which readily flag a process such as "cmd.exe" spawned directly by a document application like Word. By avoiding "cmd.exe" and starting the program through WMI, the attackers try to slip past such detection logic.
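The detour through WMI breaks the Office-to-shell parent relationship that most rules key on, but it leaves a different trail. The script below is an added example for hunting that trail in Sysmon process-creation events; it is not Trend Micro's detection content, and its log records are constructed. It relies on two assumptions about Windows behavior that the page does not spell out: processes created through Win32_Process.Create appear under WmiPrvSE.exe, and explorer.exe handed a file path opens that file, so the sideloading host's parent is explorer.exe rather than WINWORD.EXE.

```python
"""Hunt for the WMI-launched sideloading chain in Sysmon process-creation logs.

Added example, not Trend Micro's hunting content. EVENTS is constructed to show
the chain the page describes: the macro asks WMI to start explorer.exe with
the path of ScnCfg32.Exe as its argument, and explorer then opens that file.
"""
import ntpath

# Constructed Sysmon Event ID 1 records (field names as Sysmon logs them).
EVENTS = [
    {"ProcessGuid": "{p1}", "ParentProcessGuid": "{p0}",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n C:\Users\user\Downloads\request.doc'},
    {"ProcessGuid": "{p2}", "ParentProcessGuid": "{p9}",
     "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    {"ProcessGuid": "{p3}", "ParentProcessGuid": "{p2}",
     "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"explorer.exe C:\Users\user\AppData\Roaming\tmp\ScnCfg32.Exe"},
    {"ProcessGuid": "{p4}", "ParentProcessGuid": "{p3}",
     "Image": r"C:\Users\user\AppData\Roaming\tmp\ScnCfg32.Exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Users\user\AppData\Roaming\tmp\ScnCfg32.Exe"},
    # Hypothetical noisier macro, included only to show what the classic rule
    # catches and what ROAMINGMOUSE avoids.
    {"ProcessGuid": "{p5}", "ParentProcessGuid": "{p1}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"cmd.exe /c start C:\Users\user\AppData\Roaming\tmp\ScnCfg32.Exe"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def image_name(path):
    """Case-folded file name of a Windows image path (works on any host OS)."""
    return ntpath.basename(path).lower()


def office_spawns_shell(events):
    """The classic rule: Office parent, shell or script-host child."""
    return [e for e in events
            if image_name(e["ParentImage"]) in OFFICE and image_name(e["Image"]) in SHELLS]


def explorer_started_by_wmi(events):
    """explorer.exe created under WmiPrvSE.exe with an executable as argument.
    explorer.exe is normally started by userinit.exe or winlogon.exe, so a WMI
    parent plus a target path is a strong signal on its own."""
    hits = []
    for e in events:
        if image_name(e["ParentImage"]) != "wmiprvse.exe" or image_name(e["Image"]) != "explorer.exe":
            continue
        parts = e["CommandLine"].split(None, 1)
        if len(parts) == 2 and parts[1].strip().strip('"').lower().endswith(".exe"):
            hits.append(e)
    return hits


def sideload_chain(events, host="scncfg32.exe"):
    """Correlate on ProcessGuid: WmiPrvSE.exe -> explorer.exe -> host, with the
    host's name on explorer's command line. Returns (explorer, host) pairs."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    chains = []
    for child in events:
        if image_name(child["Image"]) != host:
            continue
        parent = by_guid.get(child["ParentProcessGuid"])
        if parent is None or image_name(parent["Image"]) != "explorer.exe":
            continue
        if host not in parent["CommandLine"].lower():
            continue
        grand = by_guid.get(parent["ParentProcessGuid"])
        if grand is not None and image_name(grand["Image"]) == "wmiprvse.exe":
            chains.append((parent, child))
    return chains


if __name__ == "__main__":
    print("office->shell :", [e["ProcessGuid"] for e in office_spawns_shell(EVENTS)])
    print("wmi->explorer :", [e["ProcessGuid"] for e in explorer_started_by_wmi(EVENTS)])
    print("full chain    :", [(p["ProcessGuid"], c["ProcessGuid"]) for p, c in sideload_chain(EVENTS)])
```

The Office-to-shell rule fires only on the hypothetical noisy record, never on the real chain; the WMI-parented explorer.exe rule does not depend on the host binary's name at all, so it survives the attackers swapping ScnCfg32.Exe for another sideloading host. The full-chain correlation is the low-noise version for confirming a hit.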
ANELLDR – Unique Loader
We track the distinct loader used to launch ANEL under the name ANELLDR; it has been observed since at least 2018. Functionally, the version used in this campaign matches the 2018 version. ANELLDR is known for anti-analysis techniques such as junk-code insertion, control-flow flattening (CFF), and mixed Boolean arithmetic (MBA), and the version in this campaign uses the same techniques.



Although some information about ANELLDR is publicly available, a complete description of its behavior is still lacking, so we describe the loader's functionality in detail here.
ANELLDR is started through DLL sideloading from a legitimate application and begins its malicious routine from there. On execution, it scans the files in the current folder for encrypted payload files. Notably, ANELLDR's decryption logic differs between its first and subsequent runs.
On the first run, ANELLDR computes the Adler-32 checksum of the data from the start of the target file up to the file size minus 0x34 bytes (the 0x34 bytes being 0x30 bytes of AES material and 4 bytes of checksum, described below) and compares it with the final four bytes of the file to decide whether the file is the expected encrypted payload. If a subdirectory exists at the same level, it processes the files in that directory in the same way.
Once the check succeeds, decryption begins. The last 0x30 bytes of the file are split in two: the first 0x20 bytes are the AES key and the remaining 0x10 bytes are the AES IV. ANELLDR then decrypts the encrypted content (up to the file size minus 0x34 bytes) with AES-256-CBC and executes the result in memory.

After decrypting the payload, ANELLDR generates a new key and IV, re-encrypts the payload with AES-256-CBC, and overwrites the original encrypted payload file with the result. The new AES key and IV are derived from the path of the running file and a hardcoded string through a custom Base64 encoding, the Blowfish cipher, and XOR operations, making the key and IV unique to the environment. Because this key and IV are not stored in the file, decrypting a payload file recovered from an infected system requires knowing the exact path at which it was originally stored.
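The first-run layout is fully self-describing (key, IV and checksum all sit in the file), which is why a payload captured before the loader ever ran can be decrypted directly. The script below is an added example of that check and decryption; it is not the loader's code, and it assumes a file layout the page only describes in prose: ciphertext, then the 0x20-byte key, then the 0x10-byte IV, then a little-endian Adler-32 over everything before the last 0x34 bytes, with shellcode that is already a multiple of 16 bytes so no padding is removed. The AES step uses the third-party cryptography package; the second-run re-encryption with a path-derived key is not reproduced.

```python
"""Locate and decrypt an ANELLDR-style encrypted payload (first-run layout).

Added example, not the loader's code. Layout, checksum byte order and the
absence of padding are assumptions; the sample file is constructed here.
"""
import os
import struct
import zlib

TRAILER = 0x34                  # 0x30 bytes of AES material + 4-byte checksum
KEY_LEN, IV_LEN = 0x20, 0x10


def split_layout(blob):
    """Return (ciphertext, key, iv, stored_checksum) for a candidate file."""
    if len(blob) <= TRAILER:
        raise ValueError("too small to hold the 0x34-byte trailer")
    body = blob[:-TRAILER]
    key = blob[-TRAILER:-TRAILER + KEY_LEN]
    iv = blob[-TRAILER + KEY_LEN:-4]
    (stored,) = struct.unpack("<I", blob[-4:])      # little-endian assumed
    return body, key, iv, stored


def is_candidate(blob):
    """The loader's first-run test: Adler-32 of the body equals the last 4 bytes."""
    try:
        body, _, _, stored = split_layout(blob)
    except ValueError:
        return False
    return (zlib.adler32(body) & 0xFFFFFFFF) == stored


def find_candidates(directory):
    """Scan the loader's folder and one level of subfolders for verifying files."""
    hits = []
    for root, dirs, files in os.walk(directory):
        if root != directory:
            dirs[:] = []                    # do not descend further
        for name in sorted(files):
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    if is_candidate(fh.read()):
                        hits.append(path)
            except OSError:
                continue
    return hits


def pack_layout(ciphertext, key, iv):
    """Build a file in the assumed layout (used here to construct samples)."""
    if len(key) != KEY_LEN or len(iv) != IV_LEN:
        raise ValueError("key must be 0x20 bytes and IV 0x10 bytes")
    checksum = zlib.adler32(ciphertext) & 0xFFFFFFFF
    return ciphertext + key + iv + struct.pack("<I", checksum)


def _aes_cbc(key, iv):
    # Imported lazily so the checksum logic above works without the package.
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    return Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())


def encrypt_sample(shellcode, key, iv):
    """Construct a first-run file from plaintext shellcode (sample data only)."""
    if len(shellcode) % 16:
        raise ValueError("sample shellcode must be a multiple of 16 bytes")
    enc = _aes_cbc(key, iv).encryptor()
    return pack_layout(enc.update(shellcode) + enc.finalize(), key, iv)


def decrypt_payload(blob):
    """Verify the checksum, then AES-256-CBC-decrypt with the embedded key/IV."""
    if not is_candidate(blob):
        raise ValueError("checksum mismatch: not a first-run ANELLDR payload")
    body, key, iv, _ = split_layout(blob)
    dec = _aes_cbc(key, iv).decryptor()
    return dec.update(body) + dec.finalize()


if __name__ == "__main__":
    key, iv = bytes(range(0x20)), bytes(range(0x10))
    sample = encrypt_sample(b"\xcc" * 48, key, iv)          # constructed
    print("candidate:", is_candidate(sample))
    print("plaintext:", decrypt_payload(sample).hex())
```

A file pulled from a host after the loader has run will fail is_candidate because the trailer no longer carries the key; that failure is itself a useful artifact, since it tells the analyst the loader executed at least once and that the original file path is needed for the path-derived key.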

The 2nd-stage shellcode
The decrypted data is shellcode that runs in memory. Its role is to load and execute the final payload, a DLL, in memory. First, the shellcode tries to hinder debugging by calling the ZwSetInformationThread API with the second argument set to ThreadHideFromDebugger (0x11). It then obtains its own address by calling a distinctive function padded with NOP instructions, and from that computes the location of the encrypted payload data, which is placed immediately after the function.

The encrypted data section has the following layout:

The shellcode decodes the encrypted data that follows with a 16-byte XOR key. A notable characteristic is that each byte of the encrypted data is XORed with the entire 16-byte key: each data byte goes through 16 XOR operations, one with each key byte in turn.

After the XOR step, the data is decompressed with the Lempel-Ziv-Oberhumer (LZO) algorithm. The first 4 bytes and the Adler-32 checksum of the resulting payload DLL are then computed and compared with the expected values to confirm that decoding and decompression succeeded. If the integrity check passes, the DLL is loaded into memory and its designated export function is called to run the payload.
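The 16-pass XOR deserves a closer look, because it is weaker than it sounds. The script below is an added example modeling the unwrapping steps, not the shellcode's code. What it takes from the page is the XOR scheme, the LZO step, and the first-4-bytes plus Adler-32 check; what it assumes is the header layout of the section (the page's layout figure is not reproduced here): 16-byte key, expected first 4 bytes, little-endian Adler-32, then the data. LZO is passed in as a callable (on a real sample, a decompressor such as the one from the python-lzo package); the constructed sample uses an identity "compressor" so the script runs on the standard library alone.

```python
"""Model how the 2nd-stage shellcode unwraps the final ANEL DLL.

Added example, not the shellcode's code. Header layout is assumed; the
sample DLL and key are constructed.
"""
import struct
import zlib

HEADER = struct.Struct("<16s4sI")       # key, expected first 4 bytes, Adler-32


def xor16_literal(data, key):
    """The operation as described: each byte XORed with all 16 key bytes."""
    if len(key) != 16:
        raise ValueError("key must be 16 bytes")
    out = bytearray(data)
    for i in range(len(out)):
        for k in key:
            out[i] ^= k
    return bytes(out)


def fold_key(key):
    """XOR of all key bytes: the only value the 16 passes actually apply."""
    f = 0
    for k in key:
        f ^= k
    return f


def xor16_fast(data, key):
    """Same result as xor16_literal: XOR is associative and commutative, so
    the 16 passes collapse into one single-byte XOR with fold_key(key)."""
    f = fold_key(key)
    return bytes(b ^ f for b in data)


def unwrap(section, decompress):
    """XOR, decompress, then verify the DLL the way the integrity check does."""
    key, first4, adler = HEADER.unpack_from(section)
    data = section[HEADER.size:]
    dll = decompress(xor16_fast(data, key))
    if dll[:4] != first4:
        raise ValueError("first 4 bytes of payload do not match header")
    if (zlib.adler32(dll) & 0xFFFFFFFF) != adler:
        raise ValueError("Adler-32 mismatch: XOR key or decompression is wrong")
    return dll


def pack_section(dll, key, compress):
    """Build a section in the assumed layout (for constructing samples)."""
    header = HEADER.pack(key, dll[:4], zlib.adler32(dll) & 0xFFFFFFFF)
    return header + xor16_fast(compress(dll), key)


def recover_fold(ciphertext_byte, known_plaintext_byte):
    """Because the effective key is one byte, a single known plaintext byte
    (for example the first byte of the LZO stream) reveals it."""
    return ciphertext_byte ^ known_plaintext_byte


if __name__ == "__main__":
    dll = b"MZ\x90\x00" + bytes(range(100))      # constructed stand-in DLL
    key = bytes(range(1, 17))                   # folds to 0x10
    section = pack_section(dll, key, compress=lambda b: b)
    print("effective key byte:", hex(fold_key(key)))
    print("unwrapped ok:", unwrap(section, decompress=lambda b: b) == dll)
```

The practical consequences: a 16-byte key with an even number of each byte value folds to zero and leaves the data untouched, and in every other case the "encryption" is a one-byte XOR that can be recovered from any single known plaintext byte, so the Adler-32 check is the only real obstacle to blind recovery of the DLL from a memory dump.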
ANEL
ANEL is a 32-bit HTTP-based backdoor observed since around 2017 and one of the main backdoors used by APT10 until around 2018. It was actively developed during that period, and the last publicly observed version, from 2018, was "5.5.0 rev1". In the 2024 campaign, however, versions "5.5.4 rev1", "5.5.5 rev1", "5.5.6 rev1", and "5.5.7 rev1" were observed, along with a newly found version whose version information is obscured.
| | 5.5.0 rev1 | 5.5.4 rev1 | 5.5.5 rev1 | 5.5.6 rev1 | 5.5.7 rev1 | unknown |
| C&C Comm Encryption (GET) | Custom ChaCha20 + random-byte XOR + Base64 (unchanged across all versions) |
| C&C Comm Encryption (POST) | Custom ChaCha20 + LZO (unchanged across all versions) |
| ChaCha20 Key Generation | Selected from the hardcoded keys based on the C&C URL (unchanged across all versions) |
| Backdoor Command | | | | | | |
We will now look at the specific updates and modifications in each version.
5.5.4 rev1
This version did not bring any major changes, but a few small fixes and improvements were made. One notable change is the removal of the feature, present up to "5.5.0 rev1", that stored an error code in the HTTP Cookie header and sent it to the C&C server. Since this behavior had been used as a detection signature for ANEL, its removal was probably intended to avoid detection. Another change concerns the version information sent to the C&C server, which now includes the OS architecture of the host: although ANEL is a 32-bit executable, when it runs on a 64-bit OS the string "wow64" is appended to the version information before it is sent.

5.5.5 rev1
Version "5.5.5 rev1" likewise did not bring major changes. One notable addition is code that refreshes the local IP address on the first connection to the C&C server.

5.5.6 rev1 / 5.5.7 rev1
Version "5.5.6 rev1" added a new backdoor command. ANEL resolves a command string received from the C&C server by converting it to uppercase, hashing it with xxHash, and comparing the result against predefined hash values. A new command with the hash value "0x596813980E83DAE6" was introduced in this version.

This command runs a specified program with a high integrity level (elevated privileges) by abusing the CMSTPLUA COM interface, a well-known UAC bypass technique.
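Hash-based command dispatch hides the command vocabulary from string-based analysis, but it is reversible by recomputing the hash over candidate names. The script below is an added example of that, not ANEL's code. The page gives the normalization (upper-case, then xxHash) and the constant 0x596813980E83DAE6; everything else is assumed: the 64-bit variant XXH64 (inferred from the width of the constant), seed 0, an ASCII encoding of the command string, and a made-up candidate list. A pure-Python XXH64 is included so no third-party package is needed, and it is checked against the algorithm's published test vectors.

```python
"""Resolve ANEL backdoor command hashes by recomputing xxHash64 over candidates.

Added example, not ANEL's code. XXH64, seed 0, ASCII input and the candidate
list are assumptions; only the normalization and the constant are from the page.
"""
import struct

PRIME64_1 = 0x9E3779B185EBCA87
PRIME64_2 = 0xC2B2AE3D27D4EB4F
PRIME64_3 = 0x165667B19E3779F9
PRIME64_4 = 0x85EBCA77C2B2AE63
PRIME64_5 = 0x27D4EB2F165667C5
MASK64 = (1 << 64) - 1


def _rotl64(x, r):
    return ((x << r) | (x >> (64 - r))) & MASK64


def _round(acc, lane):
    acc = (acc + lane * PRIME64_2) & MASK64
    return (_rotl64(acc, 31) * PRIME64_1) & MASK64


def _merge(h, v):
    h ^= _round(0, v)
    return (h * PRIME64_1 + PRIME64_4) & MASK64


def xxh64(data, seed=0):
    """Reference XXH64 (Yann Collet's algorithm) over a bytes object."""
    n, i = len(data), 0
    if n >= 32:
        v1 = (seed + PRIME64_1 + PRIME64_2) & MASK64
        v2 = (seed + PRIME64_2) & MASK64
        v3 = seed & MASK64
        v4 = (seed - PRIME64_1) & MASK64
        while i + 32 <= n:
            l1, l2, l3, l4 = struct.unpack_from("<4Q", data, i)
            v1, v2, v3, v4 = _round(v1, l1), _round(v2, l2), _round(v3, l3), _round(v4, l4)
            i += 32
        h = (_rotl64(v1, 1) + _rotl64(v2, 7) + _rotl64(v3, 12) + _rotl64(v4, 18)) & MASK64
        for v in (v1, v2, v3, v4):
            h = _merge(h, v)
    else:
        h = (seed + PRIME64_5) & MASK64
    h = (h + n) & MASK64
    while i + 8 <= n:                       # 8-byte tail lanes
        h ^= _round(0, struct.unpack_from("<Q", data, i)[0])
        h = (_rotl64(h, 27) * PRIME64_1 + PRIME64_4) & MASK64
        i += 8
    if i + 4 <= n:                          # 4-byte tail lane
        h ^= (struct.unpack_from("<I", data, i)[0] * PRIME64_1) & MASK64
        h = (_rotl64(h, 23) * PRIME64_2 + PRIME64_3) & MASK64
        i += 4
    while i < n:                            # remaining single bytes
        h ^= (data[i] * PRIME64_5) & MASK64
        h = (_rotl64(h, 11) * PRIME64_1) & MASK64
        i += 1
    h ^= h >> 33                            # avalanche
    h = (h * PRIME64_2) & MASK64
    h ^= h >> 29
    h = (h * PRIME64_3) & MASK64
    h ^= h >> 32
    return h


def command_hash(command, seed=0):
    """ANEL's normalization as the page describes it: upper-case, then hash."""
    return xxh64(command.upper().encode("ascii"), seed)


def resolve(target, candidates, seed=0):
    """Return the upper-cased candidate whose hash equals target, else None."""
    for name in candidates:
        if command_hash(name, seed) == target:
            return name.upper()
    return None


NEW_5_5_6_COMMAND = 0x596813980E83DAE6          # constant from the page
# Made-up guesses; a real hunt would use strings from older ANEL builds.
CANDIDATES = ["elevate", "runas", "uac", "cmstp", "exec", "shell", "start"]

if __name__ == "__main__":
    for name in CANDIDATES:
        print(f"{name.upper():10s} {command_hash(name):016x}")
    print("resolved:", resolve(NEW_5_5_6_COMMAND, CANDIDATES))
```

The made-up candidate list will not resolve the constant; the point is the workflow. Command strings recovered from the 2018 samples, where the vocabulary was visible, are the natural dictionary, and if nothing matches at seed 0 the seed and the string encoding (ASCII versus UTF-16LE) are the next parameters to vary.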

No other noteworthy additions were found in "5.5.7 rev1".
Unknown version
After version "5.5.7 rev1", a variant of ANEL with obscured version information was identified. In this variant the version field holds a Base64-encoded string that decodes to "A1 5E 99 00 E7 DE 2B F5 AD A1 E8 D1 55 D5 0A 22"; this value, combined with "wow64", is sent to the C&C server. The change makes it harder to track versions and compare functionality.

Post-Installation Activity
Tracking the adversary's activity after ANEL was installed showed that they collected information from the infected environment, such as taking screenshots and running commands like arp and dir to gather network and file-system details. In some cases additional malware, notably NOOPDOOR, was also deployed.
NOOPDOOR, observed since at least 2021, is a modular backdoor with more advanced capabilities. It appears to serve as a second-stage payload that Earth Kasha reserves for high-value targets, and in this campaign it was presumably deployed against specific targets of interest to the adversary.
Attribution and Insights
Based on our analysis of the ongoing campaign, Trend Micro assesses that the spear-phishing operation using ANEL, seen since June 2024, is a new operation by Earth Kasha.

The attribution to Earth Kasha rests on the following points:
- Until early 2023, Earth Kasha ran campaigns against individuals and organizations in Japan using spear-phishing emails as the primary initial-access vector. This campaign shows no significant differences in TTPs or victimology.
- NOOPDOOR, believed to be exclusive to Earth Kasha, was also used in this campaign.
- As noted in our earlier post in this series, ANELLDR and NOOPDOOR share code, suggesting the same developer or someone with access to both code bases. The reuse of ANEL in this campaign is therefore unsurprising and further strengthens the link between the former APT10 and the current Earth Kasha.
By leveraging this intelligence, customers can proactively protect their environments, reduce exposure, and respond to threats effectively.
Trend Micro Vision One Intelligence Reports Application [IOC Sweeping]
- Who’s Back? The Resurgence of ANEL in the Recent Spear-phishing Offensive by Earth Kasha in 2024
Trend Micro Vision One Threat Insights Application
Search Queries for Hunting
Trend Micro Vision One Search Application
Trend Micro Vision One customers can use the Search app to match or hunt for the malicious indicators mentioned in this blog post in their environment.
Detecting malware associated with Earth Kasha's spear-phishing campaign
(malwareName:*ANEL* OR malwareName:*ROAMINGMOUSE*) AND eventTitle: DETECTION_OF_MALWARE
Suspicious IPs used by ANEL in the 2024 spear-phishing campaign
eventNumber:3 AND (destination:"139.84.131.62" OR destination:"139.84.136.105" OR destination:"45.32.116.146" OR destination:"45.77.252.85" OR destination:"208.85.18.4" OR source:"139.84.131.62" OR source:"139.84.136.105" OR source:"45.32.116.146" OR source:"45.77.252.85" OR source:"208.85.18.4")
Additional hunting queries are accessible to Vision One customers with Threat Insights Entitlement enabled.
YARA rule
This YARA rule can be used to detect Earth Kasha's activity.
Conclusion
Earth Kasha's campaigns are expected to keep evolving, with improvements to their tools and tactics. Many of the targets are individuals, such as researchers, who may have weaker security controls than corporate environments, making these attacks harder to detect. Basic precautions such as not opening attachments in suspicious emails remain essential, as do collecting threat intelligence and notifying the relevant parties. With this campaign believed to be ongoing as of October 2024, continued vigilance is warranted.
Indicators of Compromise
The full list of Indicators of Compromise is available separately.