
Emissary Panda


The Emissary Panda

or

How To Fool Your Database Admin While They Are Unaware of Your Shenanigans

 

 

Section One:

Overview –

 

Do not let the picture of the cute, savage animal lull you into complacency. Behind that panda is a group of individuals who are not cute and, more importantly, have been active for a very long time. I introduce you to Emissary Panda, a Chinese group that has been around for at least a decade. In the past we have known them as APT27, but they go by other names. Groups such as Emissary Panda are not constrained to nation-state activity; they go where the data is, and many follow them. The toolset these groups use can be found and modified if one knows where to look, so care needs to be taken. This panda has a pet RAT that got loose.

 

Section Two:

Static Analysis –

 

The binary "odbcad32.exe" at first glance is a normal system file: it is the ODBC (Open Database Connectivity) Data Source Administrator tool, located in %systemdrive%\Windows\System32. With it, people working on databases set up connections from their machines to their respective data sources. Borrowing its name is an interesting approach to hiding in plain sight.

 

The binary gets more interesting when you do a static analysis. At first, we see what one would expect to see:

 

Version Info:

 

LegalCopyright         Microsoft Corporation. All rights reserved.

InternalName            odbcad32.exe

FileVersion                6.1.7600.16385 (win7_rtm.090713-1255)

CompanyName        Microsoft Corporation

ProductName           Microsoft® Windows® Operating System

ProductVersion         6.1.7600.16385

FileDescription         ODBC Administrator

OriginalFilename      odbcad32.exe

Translation               0x0409 0x04b0

 

The file version gives the cynical individual some pause (a Windows 7 RTM build string, on a host that is otherwise running a much newer build), but on its own it is not enough to raise an alarm. When the binary opens, the user sees something like this:

 

[Figure: ODBC Data Source Administrator window]

The above is the 64-bit version of the tool; the 32-bit and 64-bit GUIs are similar. As this claims to be a Microsoft binary, we would expect to verify its authenticity via the Authenticode digital signature. What we see is not a Microsoft signature but a different signer entirely:

 

MD5                 17c71b458651ef30b8cfbd440c9033ad

SHA1                3e2b15d5fd1ce4df036b776caf22244343597d34

Serial Number    0a4ed6bc5249117b35b9fdb7dd33e87b

Common Name   Hangzhou Bianfeng Networking Technology Co., Ltd.

Country             CN

Locality              Hangzhou

 

Static analysis alone has now established that this binary is not what it claims to be: Microsoft version information on a file signed by someone other than Microsoft. Below are the hash values of the sample:

 

 

Size                  1.6MB

Type                 PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

MD5                 70cff7c176c7df265a808aa52daf6f34

SHA1                045d65b51fc3c0a051c038f8e19421798011f692

SHA256            caa46c001c3180eb7fdd5e5cbf7d084b75b7bdf72e61e06430a88378604a25eb

SHA512            2513e321542555133d3c3524de0b456e5788bdc63270f80a2c9d12d3678e1f34ce2f9cf4f33b7f1cfb97d9104c5e9001b5e8491010e0ba796c0893f4a252edc7

CRC32              1D80CDBC

ssdeep              49152:FP2O39Y1FN8zbAGWinOmp66V3H55eObRx:FOO39SN8zbzlZp66V3HPeE

Yara                  None matched

Section Three:

Part One – Sandbox

 

When the binary launches, we see the following process tree –

Sandbox process tree

net.exe is launched with the parameters stop "Remote Registry Configuration", and it then hands the work to net1.exe with the same parameters (net.exe is a thin front end; net1.exe performs the actual service control, so both appear in the process tree). The net command is the command-line tool for managing the operating system, services included. The Remote Registry service is what it sounds like: it allows remote users to modify registry settings on this computer, and once it is stopped the registry can be modified only by users logged on to the machine. Note that on a stock Windows install the display name of that service is "Remote Registry" (service name RemoteRegistry); it is worth checking what the string the sample passes actually matches on the target, because net stop against a name that does not exist simply fails and the only artifact left is the process creation event. Either way, stopping or starting a service is a core system function that will not be blocked, but it can and should be alerted on: unless there is a known reason, there is no reason a user process should be issuing net stop "Remote Registry Configuration".

 

Next another system binary runs: rundll32.exe loads "shlzapi.dll" and calls its exported function named Install (the text after the comma in a rundll32 command line is the export to call, not a flag). If you were not set up to watch those net.exe command lines, this is the point where the whole chain is missed, which makes it all the more interesting –

 

C:\Windows\System32\rundll32.exe "C:\Windows\system32\shlzapi.dll",Install

 

The roadmap to a foothold in the system begins here. Two more net.exe commands are executed:

 

net start "Remote Registry Configuration"

 

followed by

 

C:\Windows\system32\net1 start "Remote Registry Configuration"

 

The cmd.exe process comes up now and executes a batch file dropped in the user's Temp directory:

 

cmd.exe /c C:\Users\admin\AppData\Local\Temp\7zVffiXxDZ.bat

 

C:\Windows\System32\svchost.exe -k netsvcs

 

After this svchost.exe runs with the netsvcs service group and shlzapi.dll is loaded into it, consistent with the Install export having registered the DLL as a service. It then drops the file autochk.sys (the name mimics the legitimate autochk.exe in System32) into C:\Windows\System32\drivers:

 

Which then gives us

 

filename:           C:\Windows\system32\drivers\autochk.sys

md5:                 7520ec808e0c35e0ee6f841294316653

size:                  198208

time:                 1547ms

access:              READ_CONTROL, SYNCHRONIZE, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES

created:            CREATED

device:              DISK_FILE_SYSTEM

name:                C:\Windows\system32\drivers\autochk.sys

object:               FILE

operation:          CREATE

status:               0x00000000

time:                 1547ms

 

Permissions allow autochk.sys to read the hosts file at C:\Windows\System32\drivers\etc\hosts.

 

At this point persistence is established. The truly malicious act was rundll32.exe installing the rogue DLL. An alert on the net command being executed would detect this, or at minimum give your security operator something to catch. Save for the rundll32.exe call, everything else in the chain looks benign on its own. That is the genius of using system processes to achieve the goal and establish persistence, and it is why we also believe you must monitor when cmd.exe is executed.

 

Below is a graph of the processes –

[Figure: process graph]

An interesting note: autochk.sys carries the same signer as odbcad32.exe, the Hangzhou Bianfeng Networking Technology Co., Ltd. certificate shown in the static analysis, which makes the signer a useful pivot when hunting for related files:

[Figure: autochk.sys signature details]

Section Four:

Live Analysis

 

For this analysis the malicious binary is delivered via the browser. It is worth noting that in November the BlockedFileType list in Outlook expands; that is the list of attachment file types that cannot be saved locally or viewed from Outlook on the web, so phishers will have to get creative. As noted above, the binary is deployed and we get the following process tree:

[Figure: process tree, Windows host]

Part One:

First Appearance

 

It is important to re-emphasize a major point here. What APT27 does is use Windows system files to execute the malware. This makes it difficult to detect, so we need to think strategically about what to look for. By the time the malware first executes, it will already have appeared in the logs under a questionable name. All is not lost: there is behaviour we can look for that will aid us in constructing alerts to keep the interloper away.

 

The first sign is the malware landing in the user's Downloads directory. It is not truly the first sign of trouble, but we take the position that your security administrator should know when executables end up in Downloads. With object access auditing enabled, Windows records Event ID 4656, "A handle to an object was requested"; here it is chrome.exe requesting a handle to the downloaded file:

 

Event ID: 4656

 

Subject:

            Security ID:                    S-1-5-21-372134654-1229274158-1178834050-500

            Account Name:               Administrator

            Account Domain:                        PROJECTFARSCAPE

            Logon ID:                      0x11309B6

 

Object:

            Object Server:                Security

            Object Type:                  File

            Object Name:                 C:\Users\Administrator\Downloads\odbcad32.exe

            Handle ID:                     0xdf0

            Resource Attributes:        S:AI(RA;ID;;;;WD;("IMAGELOAD",TU,0x0,1))

 

Process Information:

            Process ID:                    0x1cb8

            Process Name:               C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

 

Access Request Information:

            Transaction ID:               {00000000-0000-0000-0000-000000000000}

            Accesses:                      READ_CONTROL

                                                SYNCHRONIZE

                                                ReadData (or ListDirectory)

                                                ReadEA

                                                ReadAttributes

                                               

            Access Reasons:             READ_CONTROL:            Granted by Ownership

                                                SYNCHRONIZE:   Granted by         D:(A;;FA;;;BA)

                                                ReadData (or ListDirectory):         Granted by         D:(A;;FA;;;BA)

                                                ReadEA: Granted by         D:(A;;FA;;;BA)

                                                ReadAttributes:   Granted by         D:(A;;FA;;;BA)

                                               

            Access Mask:                  0x120089

            Privileges Used for Access Check: -

            Restricted SID Count:      0

Part Two:

 

Many events follow the above, and a lot of them can be misinterpreted. Even if we decide against alerting on the Downloads directory, the following cannot be ignored. It is Event ID 4688, "A new process has been created"; note that the Process Command Line field is only populated when the "Include command line in process creation events" policy is enabled, and without it all you would see is net.exe starting.

 

A new process has been created.

 

Creator Subject:

            Security ID:                    S-1-5-21-372134654-1229274158-1178834050-500

            Account Name:               Administrator

            Account Domain:                        PROJECTFARSCAPE

            Logon ID:                      0x11309B6

 

Target Subject:

            Security ID:                    S-1-0-0

            Account Name:               -

            Account Domain:                        -

            Logon ID:                      0x0

 

Process Information:

            New Process ID:             0x1744

            New Process Name:        C:\Windows\System32\net.exe

            Token Elevation Type:     %%1936

            Mandatory Label:                        S-1-16-12288

            Creator Process ID:         0xd9c

            Creator Process Name:    C:\Users\Administrator\Downloads\odbcad32.exe

            Process Command Line:  net stop "Remote Registry Configuration"

 

The malware in panda clothing, disguised as a system binary, is issuing a command that affects the Remote Registry service. Note the token fields: Token Elevation Type %%1936 (Type 1, a full default token) and Mandatory Label S-1-16-12288 (High) mean this ran with full administrator rights, so nothing UAC-related stood in its way. No matter what you are doing, even if you trust your users, you should be monitoring for processes that stop or start the Remote Registry service. Here is our patient zero. From this moment you have to catch it, otherwise it gets worse.

Part Three:

Homicidal Panda

 

net.exe hands off to net1.exe, which issues the same stop for the Remote Registry service. net1.exe is the process that actually does the work, so look for it as well as net.exe:


A new process has been created.

 

Creator Subject:

            Security ID:                    S-1-5-21-372134654-1229274158-1178834050-500

            Account Name:               Administrator

            Account Domain:                        PROJECTFARSCAPE

            Logon ID:                      0x11309B6

 

Target Subject:

            Security ID:                    S-1-0-0

            Account Name:               -

            Account Domain:                        -

            Logon ID:                      0x0

 

Process Information:

            New Process ID:             0x22c0

            New Process Name:        C:\Windows\System32\net1.exe

            Token Elevation Type:     %%1936

            Mandatory Label:                        S-1-16-12288

            Creator Process ID:         0x1744

            Creator Process Name:    C:\Windows\System32\net.exe

            Process Command Line:  C:\WINDOWS\system32\net1 stop "Remote Registry Configuration"

From here another system process is used, rundll32.exe. This is exactly what it sounds like: it loads a DLL into its own process and calls the named export, here Install:


A new process has been created.

 

Creator Subject:

            Security ID:                    S-1-5-21-372134654-1229274158-1178834050-500

            Account Name:               Administrator

            Account Domain:                        PROJECTFARSCAPE

            Logon ID:                      0x11309B6

 

Target Subject:

            Security ID:                    S-1-0-0

            Account Name:               -

            Account Domain:                        -

            Logon ID:                      0x0

 

Process Information:

            New Process ID:             0xb80

            New Process Name:        C:\Windows\System32\rundll32.exe

            Token Elevation Type:     %%1936

            Mandatory Label:                        S-1-16-12288

            Creator Process ID:         0xd9c

            Creator Process Name:    C:\Users\Administrator\Downloads\odbcad32.exe

            Process Command Line:  C:\WINDOWS\System32\rundll32.exe "C:\WINDOWS\system32\odbccx32.dll",Install

 

The name of the DLL dropped by odbcad32.exe changes between installs: shlzapi.dll in the sandbox, odbccx32.dll in the live run. Both are plausible System32 names and would be hard to spot by filename alone. After the rogue DLL is loaded by a legitimate system process, the same net command is issued again, this time to start the Remote Registry service. The following events are your last chance to contain the damage.

Here it is the same rogue binary doing the work –


A new process has been created.

 

Creator Subject:

            Security ID:                    S-1-5-21-372134654-1229274158-1178834050-500

            Account Name:               Administrator

            Account Domain:                        PROJECTFARSCAPE

            Logon ID:                      0x11309B6

 

Target Subject:

            Security ID:                    S-1-0-0

            Account Name:               -

            Account Domain:                        -

            Logon ID:                      0x0

 

Process Information:

            New Process ID:             0x23dc

            New Process Name:        C:\Windows\System32\net.exe

            Token Elevation Type:     %%1936

            Mandatory Label:                        S-1-16-12288

            Creator Process ID:         0xd9c

            Creator Process Name:    C:\Users\Administrator\Downloads\odbcad32.exe

            Process Command Line:  net start "Remote Registry Configuration"

 

 

Followed by another one –

 


A new process has been created.

 

Creator Subject:

            Security ID:                    S-1-5-21-372134654-1229274158-1178834050-500

            Account Name:               Administrator

            Account Domain:                        PROJECTFARSCAPE

            Logon ID:                      0x11309B6

 

Target Subject:

            Security ID:                    S-1-0-0

            Account Name:               -

            Account Domain:                        -

            Logon ID:                      0x0

 

Process Information:

            New Process ID:             0x63c

            New Process Name:        C:\Windows\System32\net1.exe

            Token Elevation Type:     %%1936

            Mandatory Label:                        S-1-16-12288

            Creator Process ID:         0x23dc

            Creator Process Name:    C:\Windows\System32\net.exe

            Process Command Line:  C:\WINDOWS\system32\net1 start "Remote Registry Configuration"

We are now left with a batch file executed from a command line. Command shells being spawned from a process are something to always look for, unless you know about them. The record below is Sysmon Event ID 1 (process creation) for conhost.exe; its parent is the cmd.exe running the batch file out of the user's Temp directory. Note that the parent image is C:\Windows\SysWOW64\cmd.exe, the 32-bit shell, consistent with the dropper being a PE32 binary.

 

EventID

1

EventReceivedTime

2019-09-30 12:28:28

EventType

INFO

FileVersion

10.0.17134.1 (WinBuild.160101.0800)

Hashes

SHA1=8F9BC1B7D65188D0ADBDF74CCCE4EED78BF4C129

Image

C:\Windows\System32\conhost.exe

IntegrityLevel

High

Keywords

-9223372036854776000

LogonGuid

{F9A5ADB1-F5DA-5D91-0000-0020B6091301}

LogonId

0x11309b6

Opcode

Info

OpcodeValue

0

OriginalFileName

CONHOST.EXE

ParentCommandLine

C:\WINDOWS\system32\cmd.exe /c C:\Users\ADMINI~1\AppData\Local\Temp\Wbi4D994Bs.bat

ParentImage

C:\Windows\SysWOW64\cmd.exe

ParentProcessGuid

{F9A5ADB1-2D09-5D92-0000-00109E446003}

ParentProcessId

9040
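The sandbox chain in Section Three and the live chain above are the same behaviour seen through two different log sources, and the detection logic is the same for both. The script below is an added example, not code from the original post or from any tool it mentions. It models process creation events (Security 4688 or Sysmon Event ID 1) as dicts carrying the fields the post quotes, runs four behavioural rules over them and links every hit back to the process that started the chain, so that net.exe, rundll32.exe and cmd.exe hits surface as one incident rather than four. The event list is constructed from the PIDs and command lines shown in the post; the creator of the cmd.exe process, the benign net stop "Print Spooler" event and the rule names and thresholds are this example's own assumptions.

```python
"""Link the odbcad32.exe chain together from process-creation events.

Added example. The events below are constructed from the PIDs and command
lines quoted in the post (Security 4688 / Sysmon Event ID 1); the cmd.exe
creator, the benign "Print Spooler" event and all rule thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed: creator PID -> new PID relationships as shown in the post's 4688 records.
EVENTS = [
    {"pid": 0x1744, "ppid": 0xD9C, "image": r"C:\Windows\System32\net.exe",
     "parent_image": r"C:\Users\Administrator\Downloads\odbcad32.exe",
     "cmdline": 'net stop "Remote Registry Configuration"'},
    {"pid": 0x22C0, "ppid": 0x1744, "image": r"C:\Windows\System32\net1.exe",
     "parent_image": r"C:\Windows\System32\net.exe",
     "cmdline": r'C:\WINDOWS\system32\net1 stop "Remote Registry Configuration"'},
    {"pid": 0xB80, "ppid": 0xD9C, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Users\Administrator\Downloads\odbcad32.exe",
     "cmdline": r'C:\WINDOWS\System32\rundll32.exe "C:\WINDOWS\system32\odbccx32.dll",Install'},
    {"pid": 0x23DC, "ppid": 0xD9C, "image": r"C:\Windows\System32\net.exe",
     "parent_image": r"C:\Users\Administrator\Downloads\odbcad32.exe",
     "cmdline": 'net start "Remote Registry Configuration"'},
    {"pid": 0x63C, "ppid": 0x23DC, "image": r"C:\Windows\System32\net1.exe",
     "parent_image": r"C:\Windows\System32\net.exe",
     "cmdline": r'C:\WINDOWS\system32\net1 start "Remote Registry Configuration"'},
    # Assumption: the post shows cmd.exe (PID 9040) only as conhost's parent; its own
    # creator is taken to be odbcad32.exe, matching the sandbox process tree.
    {"pid": 9040, "ppid": 0xD9C, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Users\Administrator\Downloads\odbcad32.exe",
     "cmdline": r"C:\WINDOWS\system32\cmd.exe /c C:\Users\ADMINI~1\AppData\Local\Temp\Wbi4D994Bs.bat"},
    # Constructed benign noise: an admin stopping a service from an interactive shell.
    {"pid": 4242, "ppid": 4000, "image": r"C:\Windows\System32\net.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'net stop "Print Spooler"'},
]

LOLBINS = {"net.exe", "net1.exe", "rundll32.exe", "cmd.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_service_tamper(ev):
    """net/net1 stopping or starting the Remote Registry service."""
    if basename(ev["image"]) in {"net.exe", "net1.exe"}:
        m = re.search(r'\b(stop|start)\s+"?(remote registry[^"]*)"?', ev["cmdline"], re.I)
        if m:
            return f'net {m.group(1).lower()} of service "{m.group(2)}"'
    return None


def rule_rundll32_install(ev):
    """rundll32 invoking an export named Install on an arbitrary DLL."""
    if basename(ev["image"]) == "rundll32.exe":
        m = re.search(r'"?([^"\s]+\.dll)"?\s*,\s*(\w+)', ev["cmdline"], re.I)
        if m and m.group(2).lower() == "install":
            return f"rundll32 calling {m.group(2)} export of {m.group(1)}"
    return None


def rule_temp_batch(ev):
    """cmd.exe /c running a batch file out of the user's Temp directory."""
    if basename(ev["image"]) == "cmd.exe":
        m = re.search(r'/c\s+(\S+\\AppData\\Local\\Temp\\[^\s"]+\.bat)', ev["cmdline"], re.I)
        if m:
            return f"cmd.exe running batch file from Temp: {m.group(1)}"
    return None


def rule_user_profile_parent(ev):
    """A system tool whose creator lives under a user profile (Downloads, AppData)."""
    parent = ev.get("parent_image", "")
    if basename(ev["image"]) in LOLBINS and re.search(r"\\users\\[^\\]+\\(downloads|appdata)\\", parent, re.I):
        return f"{basename(ev['image'])} spawned by user-profile binary {parent}"
    return None


RULES = (rule_service_tamper, rule_rundll32_install, rule_temp_batch, rule_user_profile_parent)


def chain_root(ev, by_pid):
    """Walk creator PIDs upward until a creator with no creation event of its own;
    that creator (known only from the child's creator fields) is the chain root."""
    seen = set()
    while ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
    return ev["ppid"], basename(ev["parent_image"])


def hunt(events):
    """Return {(root_pid, root_image): [findings]} for every rule hit."""
    by_pid = {ev["pid"]: ev for ev in events}
    chains = defaultdict(list)
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                chains[chain_root(ev, by_pid)].append(
                    {"pid": ev["pid"], "rule": rule.__name__, "detail": hit})
    return dict(chains)


def severity(findings):
    """Distinct behaviours under one root: one is noise, two or more is worth paging on."""
    return len({f["rule"] for f in findings})


if __name__ == "__main__":
    for (pid, image), findings in hunt(EVENTS).items():
        print(f"root {image} (pid 0x{pid:x}) severity {severity(findings)}")
        for f in findings:
            print(f"  0x{f['pid']:x} {f['rule']}: {f['detail']}")
```

Run against the constructed events, every hit rolls up under odbcad32.exe (PID 0xd9c) with all four behaviours present, while the admin's net stop "Print Spooler" produces nothing. The point of rolling up by creator is that net.exe, rundll32.exe and cmd.exe are each individually unremarkable; the same user-profile binary driving all of them is not.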

 

 

Part Four:

Disturbing Behavior

 

The malware then makes a network connection to yofeopxuuehixwmj.redhatupdater.com, most likely the command and control server. The domain stands out twice over: the odd redhatupdater.com parent domain, and a sixteen-character random-looking subdomain label. What stands out more is that the traffic runs over the port most commonly used for DNS.

[Figure: redhat-updater lookup]

From the resolved address we are further able to determine that the command and control server is somewhere in the Russian Federation. The Zeek dns.log entry below is the resolution step: the host asked its local resolver (192.168.200.131) for the A record and was handed 80.85.153.176:

 

{"ts":"2019-10-01T21:56:22.722332Z","uid":"C2lJ6S2qemot0tsyl6","id.orig_h":"192.168.200.137","id.orig_p":52078,"id.resp_h":"192.168.200.131","id.resp_p":53,"proto":"udp","trans_id":24130, "rtt":2.050833,"query":"yofeopxuuehixwmj.redhatupdater.com ","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["80.85.153.176"],"TTLs":[597.0],"rejected":false}

 

As noted above, the provider's name is Chelyabinsk-Signal. As of October 1, 2019 the C&C server was still live, and as the capture below shows it is quite chatty:

[Figure: command and control traffic]
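Triage of the dns.log entry above, as an added example that is not part of the original post. It parses Zeek JSON dns.log lines, scores the leftmost label of each query for a generated look (length, Shannon entropy and consonant runs; the thresholds are chosen here, not taken from the post), strips the trailing space that the quoted query field carries, and reports the answers so the resolved address can be pivoted on in conn.log. The first record is the one quoted above; the second record and its 203.0.113.10 answer are constructed. registered_domain() is a naive last-two-labels approximation, and a real hunt would use the public suffix list.

```python
"""Triage Zeek dns.log JSON records for generated-looking subdomains.

Added example. The first record is the one quoted in the post; the second
and the 203.0.113.10 answer are constructed. Thresholds are assumptions.
"""
import json
import math
import re

SAMPLE_DNS_LOG = """
{"ts":"2019-10-01T21:56:22.722332Z","uid":"C2lJ6S2qemot0tsyl6","id.orig_h":"192.168.200.137","id.orig_p":52078,"id.resp_h":"192.168.200.131","id.resp_p":53,"proto":"udp","trans_id":24130,"rtt":2.050833,"query":"yofeopxuuehixwmj.redhatupdater.com ","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["80.85.153.176"],"TTLs":[597.0],"rejected":false}
{"ts":"2019-10-01T21:56:23.100000Z","uid":"Cconstructed01","id.orig_h":"192.168.200.137","id.orig_p":52079,"id.resp_h":"192.168.200.131","id.resp_p":53,"proto":"udp","trans_id":24131,"query":"www.microsoft.com","qtype_name":"A","rcode_name":"NOERROR","answers":["203.0.113.10"],"TTLs":[300.0],"rejected":false}
"""


def shannon_entropy(s):
    """Bits per character; a 16-char label of mostly distinct letters scores about 3.5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def longest_consonant_run(label):
    """Length of the longest run without a vowel, digit or hyphen (y counts as a consonant)."""
    return max((len(run) for run in re.findall(r"[^aeiou0-9-]+", label)), default=0)


def looks_generated(label, min_len=12, min_entropy=3.3, min_run=4):
    """Heuristic: a long label that is either high-entropy or has an unpronounceable run."""
    return len(label) >= min_len and (
        shannon_entropy(label) >= min_entropy or longest_consonant_run(label) >= min_run)


def registered_domain(qname):
    """Naive eTLD+1 (last two labels); a real hunt should use the public suffix list."""
    return ".".join(qname.split(".")[-2:])


def triage(log_text):
    """Return one finding per record whose leftmost label looks generated."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        # The quoted record carries a trailing space in the query field; normalise before splitting.
        qname = rec["query"].strip().rstrip(".").lower()
        labels = qname.split(".")
        if len(labels) >= 3 and looks_generated(labels[0]):
            findings.append({
                "ts": rec["ts"],
                "client": rec["id.orig_h"],
                "resolver": rec["id.resp_h"],
                "query": qname,
                "domain": registered_domain(qname),
                "answers": rec.get("answers", []),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DNS_LOG):
        print(f"{f['ts']} {f['client']} asked for {f['query']} -> {f['answers']} "
              f"(pivot on {f['domain']} and on the answers in conn.log)")
```

Entropy alone is a weak signal (ordinary long English labels can score above 3), which is why the heuristic also requires length and looks at consonant runs, and why the output carries the answers: the resolved address and the registered domain are what you take to conn.log and to your proxy logs to find the actual command and control sessions.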

Conclusion:

 

The lesson to be learned here is that a skilled threat actor can disguise the weapons of choice as system files. Because these rogue files are difficult to identify on the fly (one cannot run static analysis and check digital signatures on every binary a user executes), you must think outside the box when detecting attacks or the exfiltration of data. With the above remote access trojan we see not only system binaries executed from their native paths but also the trojan communicating with its command and control server over the DNS port.

 

If we look for command shells being spawned and alert on them, the security operator can investigate quickly and shut down the incident before it gets worse. By the time communication with the command and control server is established it is already too late, but if you catch the chain while it is spawning, you can contain the damage. The guardian of your infrastructure needs to be able to think like its attackers.