{"id":8221,"date":"2020-05-14T12:00:00","date_gmt":"2020-05-14T09:00:00","guid":{"rendered":"https:\/\/blog.eset.ee\/et\/2020\/05\/14\/mikroceen-spying-backdoor-leveraged-in-high-profile-networks-in-central-asia\/"},"modified":"2020-05-14T12:00:00","modified_gmt":"2020-05-14T09:00:00","slug":"mikroceen-spying-backdoor-leveraged-in-high-profile-networks-in-central-asia","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2020\/05\/14\/mikroceen-spying-backdoor-leveraged-in-high-profile-networks-in-central-asia\/","title":{"rendered":"Mikroceen: Spying backdoor leveraged in high-profile networks in Central Asia"},"content":{"rendered":"<p>In this joint blogpost with fellow researchers from <a href=\"https:\/\/decoded.avast.io\/luigicamastra\/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia\/\">Avast<\/a>, we provide a technical analysis of a constantly developed RAT that has been used in various targeted campaigns against both public and private subjects since late 2017. We observed multiple instances of attacks involving this RAT, and all of them happened in Central Asia. Among the targeted subjects were several important companies in the telecommunications and gas industries, and governmental entities.<\/p>\n<p>Moreover, we connect the dots between the latest campaign and three previously published reports: Kaspersky\u2019s <a href=\"https:\/\/media.kasperskycontenthub.comhttps\/\/web-assets.esetstatic.com\/wls\/sites\/43\/2018\/03\/07170759\/Microcin_Technical_4PDF_eng_final_s.pdf\">Microcin against Russian military personnel<\/a>, <a href=\"https:\/\/unit42.paloaltonetworks.com\/unit42-threat-actors-target-government-belarus-using-cmstar-trojan\">Palo Alto Networks\u2019 BYEBY against the Belarussian government<\/a> and Checkpoint\u2019s <a href=\"https:\/\/research.checkpoint.com\/2020\/vicious-panda-the-covid-campaign\">Vicious Panda against the Mongolian public sector<\/a>. 
Also, we discuss other malware that was typically a part of the attacker\u2019s toolset together with the RAT. We chose the name Mikroceen to cover all instances of the RAT, in acknowledgement of Kaspersky\u2019s initial report on the family. The misspelling is intentional, in order to avoid the established <a href=\"https:\/\/en.wikipedia.org\/wiki\/Microcin\">microbiological notion<\/a>, but also to have at least phonemic agreement.<\/p>\n<h2>Clustering<\/h2>\n<p>First let\u2019s discuss the clustering of Mikroceen, which is a simple RAT, and show our reasons for thinking reports from Kaspersky, Palo Alto Networks and Checkpoint write about the same specific malware family (among other malicious tools mentioned). Figure 1 provides a comparison of the decryption loop that is used for configuration data consisting of the C&amp;C domain, a name and a password associated with each sample of the RAT. The loop is practically the same and it is implemented in three copies in a row. Checkpoint also discussed the similarities of the HTTP headers in the data sections between BYEBY and Vicious Panda, and a shared logging message <span>V09SS0lO<\/span> that base64 decodes to <span>WORKIN<\/span>. The encoded string is also present in Microcin.<\/p>\n<\/p>\n<div><a  href=\"https:\/\/web-assets.esetstatic.com\/wls\/2020\/05\/Figure-1-3.png\" data-rel=\"lightbox-gallery-0\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\" title=\"\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" height=\"269\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2020\/05\/Figure-1-3.png\" width=\"700\"><\/a><\/p>\n<p><i>Figure 1. 
Part of the code used to decipher internal data; the exported DLL name is at the bottom<\/i><\/p>\n<\/div>\n<p>In the section <em><a href=\"#Attackers%E2%80%99%20arsenal\">Attackers\u2019 arsenal<\/a><\/em> below we also compare the command grammar of the RAT\u2019s features and the typical error messages logged during execution with those of its previous instances. Further supporting evidence comes from the attackers&#8217; preferred infrastructure provider and from the malware most typically found alongside the RAT on the compromised networks. Together, these clues give us strong confidence that it is the same malware family.<\/p>\n<h2>Timeline &amp; victimology<\/h2>\n<p>Figure 2 sketches how the threat was tracked over time. As we mentioned earlier, the Central Asian region joined Russia, Belarus and Mongolia as areas with victims of Mikroceen intrusions. These victims were not desktop users, but endpoints in corporate networks, where a higher level of security is expected.<\/p>\n<div><a  href=\"https:\/\/web-assets.esetstatic.com\/wls\/2020\/05\/Figure-2-2.png\" data-rel=\"lightbox-gallery-0\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\" title=\"\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" height=\"249\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2020\/05\/Figure-2-2.png\" width=\"700\"><\/a>\n<p><i>Figure 2. Timeline of events related to Mikroceen<\/i><\/p>\n<\/div>\n<div><a  href=\"https:\/\/web-assets.esetstatic.com\/wls\/2020\/05\/Figure-3-new.png\" data-rel=\"lightbox-gallery-0\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\" title=\"\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" height=\"324\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2020\/05\/Figure-3-new.png\" width=\"700\"><\/a>\n<p><i>Figure 3. 
The recent campaigns in Central Asia surrounded by the previously reported ones<\/i><\/p>\n<\/div>\n<h2>Attackers\u2019 arsenal<a><\/a><\/h2>\n<p>Let us describe the tools the attackers used in their campaign in Central Asia. Unfortunately, we were unable to discover how they got into the compromised networks.<\/p>\n<h3>RAT (client-side backdoor)<\/h3>\n<p>Once the intruders establish a foothold on a victim machine, the batch code in Figure 4 installs the RAT as a Windows service. Note the parameter <span>start= auto<\/span>, which makes the service start at every boot and so gives the malware persistence across reboots. The service itself is hosted by the SysWOW64 (32-bit) copy of <span>svchost.exe<\/span> in the <span>netsvcs<\/span> group; the actual payload is the DLL registered as <span>ServiceDll<\/span> under the service\u2019s <span>Parameters<\/span> key, <span>pcaudit.dll<\/span>, with <span>NtHelpServiceMain<\/span> as its exported entry point. The misleading display name and description are there to make the service blend in with legitimate Windows components.<\/p>\n<pre title=\"\"><code>@echo off\nsc stop PCAudit\nsc delete PCAudit\nsc create PCAudit binpath= \"C:\\WINDOWS\\syswow64\\svchost.exe -k netsvcs\" type= share start= auto displayname= \"Windows Upload Manager\"\nsc description PCAudit \"Windows Help Service is a microsoft Windows component for System(Important). If this service is stopped, users will be unable to get useful information\"\nsc failure PCAudit reset= 0 actions= restart\/0\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\PCAudit\\Parameters \/v ServiceDll \/t REG_EXPAND_SZ \/d %SystemRoot%\\Syswow64\\pcaudit.dll\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\PCAudit\\Parameters \/v ServiceMain \/t REG_SZ \/d NtHelpServiceMain\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\PCAudit\\Parameters \/v ServiceDllUnloadOnStop \/t REG_DWORD \/d 1\nsc start PCAudit\ndel %0<\/code><\/pre>\n<p><em>Figure 4. Installation batch code<\/em><\/p>\n<p>As we mentioned earlier, each bot comes with configuration data: C&amp;C, client name and client password. The name of the bot appears in the server-side interface. What is quite unusual is that an operator needs to authenticate by entering the client\u2019s password in order to control the client. We can only speculate about the purpose, but it could serve as protection against botnet takeover, in case a competing actor or law enforcement seizes their infrastructure. 
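<\/p>\n<p>The installer in Figure 4 leaves a footprint that can be hunted for: a service whose ImagePath points at svchost.exe with a -k group the service was never registered in, and a ServiceDll outside System32. The following Python script is an added example written for this article; it is neither ESET\u2019s code nor the attackers\u2019. It parses the text that <span>reg query &lt;key&gt; \/s<\/span> prints for the Services key and for the Svchost group list, and flags such services. The registry dump embedded in it is constructed for illustration, with the PCAudit values taken from Figure 4 and a Schedule entry standing in for a legitimate member of the netsvcs group.<\/p>

```python
"""Hunt for svchost-hosted service persistence of the kind set up in Figure 4.

Added example: parses `reg query <key> /s` text output (run on the host or
collected offline) and flags services whose ImagePath claims an svchost group
they are not registered in, or whose svchost.exe / ServiceDll live outside
System32.
"""
import re
from typing import Dict, List

SVCHOST_GROUPS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
SVCHOST_GROUP_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.I)
SYSTEM32_RE = re.compile(r"^(%systemroot%|c:\\windows)\\system32\\", re.I)

# Constructed `reg query ... /s` output (not a real host). PCAudit mirrors the
# values written by the Figure 4 installer; Schedule stands in for a legitimate
# member of the netsvcs group.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
    netsvcs    REG_MULTI_SZ    Schedule\0wuauserv\0BITS\0lanmanserver

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\schedsvc.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCAudit
    Start    REG_DWORD    0x2
    DisplayName    REG_SZ    Windows Upload Manager
    ImagePath    REG_EXPAND_SZ    C:\WINDOWS\syswow64\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCAudit\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\Syswow64\pcaudit.dll
    ServiceMain    REG_SZ    NtHelpServiceMain
    ServiceDllUnloadOnStop    REG_DWORD    0x1
"""


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Turn `reg query` output into {key_path: {value_name: data}}.

    reg.exe prints each key path flush left and each value indented, with
    name, type and data separated by four spaces.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            current = line.strip()
            keys.setdefault(current, {})
        elif current is not None and line.startswith("    "):
            parts = re.split(r" {4}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                keys[current][parts[0]] = parts[2]
            elif len(parts) == 2:            # value with empty data
                keys[current][parts[0]] = ""
    return keys


def find_suspicious_services(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding string per anomaly in svchost-hosted services."""
    # Svchost\<group> is a REG_MULTI_SZ naming the services allowed in that
    # group; reg.exe renders the separators as the literal characters "\0".
    groups = {
        name.lower(): {s.lower() for s in data.split(r"\0") if s}
        for name, data in reg.get(SVCHOST_GROUPS_KEY, {}).items()
    }
    findings: List[str] = []
    for key, values in reg.items():
        if not key.startswith(SERVICES_PREFIX):
            continue
        svc = key[len(SERVICES_PREFIX):]
        if "\\" in svc:                        # sub-keys such as ...\Parameters
            continue
        image = values.get("ImagePath", "")
        match = SVCHOST_GROUP_RE.search(image)
        if not match:
            continue                           # not svchost-hosted; out of scope
        group = match.group(1).lower()
        exe = image.split(" -k", 1)[0].strip()
        dll = reg.get(key + "\\Parameters", {}).get("ServiceDll", "")

        if svc.lower() not in groups.get(group, set()):
            findings.append(f"{svc}: runs as 'svchost -k {group}' but is not listed in Svchost\\{group}")
        if not SYSTEM32_RE.match(exe):
            findings.append(f"{svc}: svchost.exe loaded from unusual path '{exe}'")
        if dll and not SYSTEM32_RE.match(dll):
            findings.append(f"{svc}: ServiceDll outside System32: '{dll}'")
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_services(parse_reg_query(SAMPLE_REG_QUERY)):
        print(finding)
```

<p>Feed the parser the concatenated output of <span>reg query HKLM\\SYSTEM\\CurrentControlSet\\Services \/s<\/span> and <span>reg query \u201cHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\u201d<\/span>. Services hosted by svchost.exe are normally enumerated in the corresponding Svchost group value, so a service that advertises a group it is not listed in is an anomaly worth examining; the System32 path checks need a baseline, because some third-party services legitimately host their DLLs elsewhere.<\/p>\n<p>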
So some effort was clearly put into securing the client-server connection. Moreover, the client can connect directly to the C&amp;C server or route the traffic via a proxy, which could be useful, especially in corporate networks. The connection is further secured by a certificate, a feature that distinguishes Mikroceen from the legion of backdoors we have seen previously.<\/p>\n<p>Mikroceen has the same basic feature set that Palo Alto Networks already described for BYEBY. The command grammar is quite specific: each command is truncated to 6 letters and then base64 encoded, which results in an incomprehensible 8-letter word in the code. While in the previous cases the encoding was straightforward base64, the variant used in the Central Asian campaign adds an additional, unknown encryption layer, so its 8-letter words no longer decode directly; the mapping between these words and the commands in Table 1 was established by comparing the corresponding code in both variants.<\/p>\n<table>\n<thead>\n<tr>\n<th>Command<\/th>\n<th>Microcin, BYEBY, Vicious Panda<\/th>\n<th>Mikroceen<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>hello!<\/td>\n<td>aGVsbG8h<\/td>\n<td>AmbZDkEx<\/td>\n<\/tr>\n<tr>\n<td>GOODBY<\/td>\n<td>R09PREJZ<\/td>\n<td>eYTS5IwW<\/td>\n<\/tr>\n<tr>\n<td>BYE BY<\/td>\n<td>QllFIEJZ<\/td>\n<td>bo7aO8Nb<\/td>\n<\/tr>\n<tr>\n<td>DISCON<\/td>\n<td>RElTQ09O<\/td>\n<td>6GEI6owo<\/td>\n<\/tr>\n<tr>\n<td>LIST D<\/td>\n<td>TElTVCBE<\/td>\n<td>Ki0Swb7I<\/td>\n<\/tr>\n<tr>\n<td>STARTC<\/td>\n<td>U1RBUlRD<\/td>\n<td>h71RBG8X<\/td>\n<\/tr>\n<tr>\n<td>COMMAN<\/td>\n<td>Q09NTUFO<\/td>\n<td>5fdi2TfG<\/td>\n<\/tr>\n<tr>\n<td>TRANSF + (UPLOAD, DOWNLO)<\/td>\n<td>VFJBTlNG + (VVBMT0FE, RE9XTkxP)<\/td>\n<td>J8AoctiB + (QHbU0hQo, hwuvE43y)<\/td>\n<\/tr>\n<tr>\n<td>EXECUT<\/td>\n<td>RVhFQ1VU<\/td>\n<td>gRQ7mIYr<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em>Table 1. Command grammar of various instances of the RAT<\/em><\/p>\n<p>During execution, the client logs debug messages in a temporary file. 
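<\/p>\n<p>The two columns of Table 1 can be checked mechanically. The Python below is an added example (not code from ESET or from the malware): it reproduces the plain base64 grammar of the Microcin, BYEBY and Vicious Panda column, decodes the logging keywords of Table 2 that share that grammar, and shows that the Mikroceen column does not decode to text, which is the extra encryption layer mentioned above. The token lists are copied from the tables.<\/p>

```python
"""Encode and decode the 6-letter command words of the Mikroceen family (Table 1).

Added example: the middle column of Table 1 and the logging keywords of Table 2
are plain base64 of a command truncated to six characters; the right-hand
column of Table 1 (the Central Asian variant) has an extra encryption layer and
does not decode this way.
"""
import base64
import binascii
from typing import Dict, List, Optional

# Copied from Table 1, middle column (Microcin, BYEBY, Vicious Panda).
TABLE1_BASE64_COLUMN: Dict[str, str] = {
    "hello!": "aGVsbG8h", "GOODBY": "R09PREJZ", "BYE BY": "QllFIEJZ",
    "DISCON": "RElTQ09O", "LIST D": "TElTVCBE", "STARTC": "U1RBUlRD",
    "COMMAN": "Q09NTUFO", "TRANSF": "VFJBTlNG", "UPLOAD": "VVBMT0FE",
    "DOWNLO": "RE9XTkxP", "EXECUT": "RVhFQ1VU",
}
# Right-hand column of Table 1 for the same commands (Central Asian variant).
TABLE1_MIKROCEEN_COLUMN: List[str] = [
    "AmbZDkEx", "eYTS5IwW", "bo7aO8Nb", "6GEI6owo", "Ki0Swb7I", "h71RBG8X",
    "5fdi2TfG", "J8AoctiB", "QHbU0hQo", "hwuvE43y", "gRQ7mIYr",
]


def encode_command(command: str) -> str:
    """Truncate to six characters and base64-encode, as Microcin/BYEBY do."""
    return base64.b64encode(command[:6].encode("ascii")).decode("ascii")


def decode_token(token: str) -> Optional[str]:
    """Decode a token if it is plain base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or not all(0x20 <= b < 0x7F for b in raw):
        return None          # decodes, but not to text: another layer is in play
    return raw.decode("ascii")


def verify_table(mapping: Dict[str, str]) -> List[str]:
    """Return the commands whose encoding does not match the table."""
    return [cmd for cmd, tok in mapping.items() if encode_command(cmd) != tok]


def classify_tokens(tokens: List[str]) -> Dict[str, Optional[str]]:
    """Map each token to its decoded command, or None when an extra layer hides it."""
    return {tok: decode_token(tok) for tok in tokens}


if __name__ == "__main__":
    print("mismatches against Table 1:", verify_table(TABLE1_BASE64_COLUMN))
    for keyword in ("V09SS0lO", "U3RhcnQ=", "ZGlyZWN0"):   # Table 2 logging keywords
        print(keyword, "->", decode_token(keyword))
    print(classify_tokens(TABLE1_MIKROCEEN_COLUMN))
```

<p>The classifier is a quick triage aid when a new sample turns up: if its 8-letter command words decode to printable ASCII, it belongs to the plain base64 lineage; if they do not, expect the added layer seen in the Central Asian campaign.<\/p>\n<p>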
The folder, the file name and the logged keywords vary among Mikroceen instances. Table 2 compares them from case to case and gives additional evidence linking the instances of Mikroceen.<\/p>\n<table>\n<thead>\n<tr>\n<th rowspan=\"2\"><\/th>\n<th rowspan=\"2\">Microcin<\/th>\n<th rowspan=\"2\">BYEBY<\/th>\n<th rowspan=\"2\">Vicious Panda<\/th>\n<th colspan=\"2\">Mikroceen<\/th>\n<\/tr>\n<tr>\n<th>32-bit<\/th>\n<th>64-bit<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Folder<\/td>\n<td>%CSIDL_COMMON_DOCUMENTS%<\/td>\n<td>%TEMP%<\/td>\n<td>%CSIDL_COMMON_DOCUMENTS%<\/td>\n<td>%TEMP%<\/td>\n<td>%TEMP%<\/td>\n<\/tr>\n<tr>\n<td>Filename<\/td>\n<td>7B296FB0.CAB<\/td>\n<td>vmunisvc.cab<\/td>\n<td>5E8C6FF0.CAB<\/td>\n<td>7B296FB0.CAB<\/td>\n<td>W52G86ST.TMP<\/td>\n<\/tr>\n<tr>\n<td>Keywords at main<\/td>\n<td>V09SS0lO<br \/> U3RhcnQ=<\/td>\n<td>V09SS0lO<br \/> U3RhcnQ=<\/td>\n<td>V09SS0lO<br \/> U3RhcnQ=<\/td>\n<td>V09SS0lO<\/td>\n<td>GvFa8Sei<\/td>\n<\/tr>\n<tr>\n<td>Keyword at connect<\/td>\n<td>ZGlyZWN0<\/td>\n<td>ZGlyZWN0<\/td>\n<td>ZGlyZWN0<\/td>\n<td>wfZ155bJ<\/td>\n<td>wfZ155bJ<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em>Table 2. Logging messages in a temporary file<\/em><\/p>\n<h3>Simultaneously occurring malware<\/h3>\n<p>The previous reports always mention a wide arsenal of tools used in the attacks. In our case it was the same: not just Mikroceen, but other malware as well. Here are the three most important tools we observed in the compromised networks.<\/p>\n<h4><strong>Lateral movement via Mimikatz<\/strong><\/h4>\n<p>The attackers used their own build of Mimikatz, delivered via a two-stage mechanism: the first stage was a dropper usually called <span>installer.exe<\/span> or <span>Yokel64.exe<\/span>, which in the second stage dropped the main payload, a DLL with the telling exported name <span>mktz64.dll<\/span>. 
While Mikroceen has never come with debug information, here we can see the PDB path <span>E:\\2018_MimHash\\mimikatz\\Bin\\mktzx64.pdb<\/span>.<\/p>\n<div><a  href=\"https:\/\/web-assets.esetstatic.com\/wls\/2020\/05\/Figure-5-2.png\" data-rel=\"lightbox-gallery-0\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\" title=\"\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" height=\"176\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2020\/05\/Figure-5-2.png\" width=\"700\"><\/a>\n<p><i>Figure 5. A PDB string in the Mimikatz payload<\/i><\/p>\n<\/div>\n<p>Mimikatz is an open source project by French security researcher Benjamin Delpy, developed since 2007. It\u2019s a robust tool that, among other things, can bypass various Windows authentication schemes, essentially by dumping credential material such as NT hashes and Kerberos tickets from the memory of the LSASS process and from the local SAM database. It\u2019s mainly used by red teams in IT security, but it is also misused across the spectrum of APT actors, e.g. <a href=\"https:\/\/www.welivesecurity.com\/2018\/04\/03\/lazarus-killdisk-central-american-casino\/\">Lazarus Group<\/a>, <a href=\"http:\/\/welivesecurity.com\/2018\/10\/11\/new-telebots-backdoor-linking-industroyer-notpetya\/\">Telebots<\/a>, <a href=\"https:\/\/www.welivesecurity.com\/2019\/07\/18\/okrum-ke3chang-targets-diplomatic-missions\/\">Okrum<\/a> etc. After running it in a test virtual environment, its output is (the incorrect spaces before the commas are in the original):<\/p>\n<pre title=\"\"><code>#1 domain = MSEDGEWIN10, user = Administrator , nthash=FC525C9683E8FE067095BA2DDC971889.\n#2 domain = MSEDGEWIN10, user = IEUser , nthash=FC525C9683E8FE067095BA2DDC971889.<\/code><\/pre>\n<h4><strong>Lateral movement via WMI<\/strong><\/h4>\n<p>The attackers use an additional tool to spread within the compromised network. This time they leverage Windows Management Instrumentation (WMI). 
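<\/p>\n<p>The WMI tool described in this section is visible from two places in process-creation telemetry. The Python below is an added example, not ESET\u2019s or the attackers\u2019 code: it applies two hunting rules to Sysmon-style Event ID 1 records, one matching the <span>@@&lt;ComputerName&gt;,&lt;UserName&gt;,&lt;Password&gt;,.exe<\/span> file-name convention on the source host, the other matching processes whose parent is <span>WmiPrvSE.exe<\/span>, which is where anything started through <span>Win32_Process.Create<\/span> lands on the target. The events embedded in it are constructed, with host and user names chosen for illustration.<\/p>

```python
"""Spot the WMI lateral-movement tool from process-creation telemetry.

Added example (not from the original analysis): two hunting rules over
Sysmon-style process-creation events. On the source host, the tool's own file
name carries the target, user name and password; on the target, anything the
tool starts via Win32_Process.Create is a child of WmiPrvSE.exe.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# @@<ComputerName>,<UserName>,<Password>,.exe
CRED_IN_NAME_RE = re.compile(r"^@@([^,]+),([^,]+),([^,]*),\.exe$", re.I)
WMI_HOST_PROCESS = "wmiprvse.exe"

# Constructed events (not real telemetry); field names follow Sysmon Event ID 1.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # source host: the operator runs the tool, credentials in the file name
        "Computer": "WS-OPS-01",
        "Image": r"C:\Users\ops\Downloads\@@FILESRV01,svc_backup,S3cret,.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"C:\Users\ops\Downloads\@@FILESRV01,svc_backup,S3cret,.exe",
    },
    {   # target host: Win32_Process.Create spawns the payload under WmiPrvSE.exe
        "Computer": "FILESRV01",
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"cmd.exe /c C:\Windows\Temp\installer.exe",
    },
    {   # benign activity
        "Computer": "WS-OPS-01",
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "notepad.exe",
    },
]


def analyze_event(event: Dict[str, str]) -> List[Dict[str, str]]:
    """Apply both rules to one event; return zero or more findings."""
    findings: List[Dict[str, str]] = []
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")

    match = CRED_IN_NAME_RE.match(PureWindowsPath(image).name)
    if match:
        target, user, _password = match.groups()
        # The password is deliberately not copied into the finding.
        findings.append({
            "rule": "wmi-lateral-tool-filename", "host": event.get("Computer", ""),
            "target": target, "user": user,
        })

    if PureWindowsPath(parent).name.lower() == WMI_HOST_PROCESS:
        # Remote Win32_Process.Create lands here; baseline legitimate children
        # (management agents, inventory scripts) before alerting on this alone.
        findings.append({
            "rule": "process-spawned-by-wmiprvse", "host": event.get("Computer", ""),
            "image": image, "command_line": event.get("CommandLine", ""),
        })
    return findings


def analyze(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the rules over a batch of events and collect all findings."""
    return [finding for event in events for finding in analyze_event(event)]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

<p>The second rule on its own is noisy in environments that manage hosts over WMI, so baseline the usual children of WmiPrvSE.exe before alerting on it; the first rule has no legitimate matches and also tells you which account the attackers already hold, without copying the password into the alert.<\/p>\n<p>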
The tool takes all the data it needs from its own file name: at runtime it expects to be named <span>@@&lt;ComputerName&gt;,&lt;UserName&gt;,&lt;Password&gt;,.exe<\/span>. In the first step it connects to the WMI namespace of the remote computer identified by <span>&lt;ComputerName&gt;<\/span>, authenticating with (<span>&lt;UserName&gt;<\/span>, <span>&lt;Password&gt;<\/span>). It then sets the security on the WMI proxy to the strictest level, so that the arguments of each remote procedure call are encrypted and the server is allowed to impersonate the caller when accessing resources. Next, WMI is used again to retrieve the <span>Win32_Process<\/span> class, whose <span>Create<\/span> method launches a process with the given parameters on the remote machine. When all the work is done, the tool terminates itself. A side effect worth noting for defenders: because the credentials are carried in the file name, they end up verbatim in process-creation telemetry on the source host.<\/p>\n<h4><strong>Gh0st RAT<\/strong><\/h4>\n<p>This <a href=\"https:\/\/citizenlab.ca\/2009\/03\/tracking-ghostnet-investigating-a-cyber-espionage-network\/\">infamous, old RAT<\/a> was created around 2008. In this instance it was found as <span>rastls.dll<\/span> on the compromised systems, while the exported DLL name is usually <span>svchost.dll<\/span>. It tries to connect to <span>https:\/\/yuemt.zzux[.]com:443<\/span>, which resolves to an IP address in China. This is an exception with no explanation, because the server doesn\u2019t belong to any of the C&amp;C providers used by Mikroceen. From our point of view, it seems redundant to use this additional backdoor, whose capabilities are fully covered by Mikroceen itself.<\/p>\n<p>To recognize this backdoor, one observes the string <span>Gh0st<\/span> within the binary. 
The character string <span>uwqixgze}<\/span> is used as a placeholder for the C&amp;C domain.<\/p>\n<div><a  href=\"https:\/\/web-assets.esetstatic.com\/wls\/2020\/05\/Figure-6-2.png\" data-rel=\"lightbox-gallery-0\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\" title=\"\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" height=\"386\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2020\/05\/Figure-6-2.png\" width=\"700\"><\/a>\n<p><i>Figure 6. Gh0st RAT malware (fragment)<\/i><\/p>\n<\/div>\n<h3>C&amp;C panel (server-side interface)<\/h3>\n<p>The previous reports already mention the poor operational security of the attackers (their open directories were observed by Kaspersky and Checkpoint), and the actors behind the campaigns continue to leak tools that are not necessarily deployed on the victims&#8217; side. We were able to get our hands on an older version of the RAT\u2019s control panel. The lower part of Figure 7 shows the graphical interface through which all bots are commanded. It is very minimalistic, which may be because it is an older version from 2017, but compare it with the more than 10-year-old Gh0st RAT panel in the upper part: not much has improved since, visually or functionally, so the introduction of SSL connections (the \u201cCN Name\u201d text box in the figure) seems to be the main shift between the two projects. The operators of the botnet appear to be content customers of Vultr, a subsidiary of Choopa LLC, as their operational infrastructure is mostly hosted there; the same was observed in the Vicious Panda campaign by Checkpoint. 
This is a bullet-proof provider, documented by researchers from <a href=\"https:\/\/umbrella.cisco.com\/blog\/2015\/09\/14\/phishing-spiking-and-bad-hosting\">Cisco as early as 2015<\/a>.<\/p>\n<\/p>\n<p>\n<a  href=\"https:\/\/web-assets.esetstatic.com\/wls\/2020\/05\/Figure-7-1.png\" data-rel=\"lightbox-gallery-0\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\" title=\"\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" height=\"639\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2020\/05\/Figure-7-1.png\" width=\"900\"><\/a><\/p>\n<div><a  href=\"https:\/\/web-assets.esetstatic.com\/wls\/2020\/05\/Figure-7b.png\" data-rel=\"lightbox-gallery-0\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\" title=\"\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" height=\"342\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2020\/05\/Figure-7b.png\" width=\"900\"><\/a><\/p>\n<p><i>Figure 7. Interfaces for controlling bots: Gh0st RAT (2008) vs. Mikroceen\u2019s interface (2017)<\/i><\/p>\n<\/div>\n<h2>Conclusion<\/h2>\n<p>We have presented the analysis of a custom implementation of a client-server model developed for spying purposes. The malware developers put great effort into the security and robustness of the connection with their victims and the operators managed to penetrate high-profile corporate networks. Moreover, they have a larger toolset of attack tools at their disposal and their projects are under constant development, mostly visible as variations in obfuscation.<\/p>\n<h2>Indicators of Compromise (IoCs)<\/h2>\n<p>Here are the hashes of samples described in the article. 
Additional IoCs collected from the attacks can be found on <a href=\"https:\/\/github.com\/eset\/malware-ioc\/tree\/master\/mikroceen\/\">ESET\u2019s GitHub<\/a> or <a href=\"https:\/\/github.com\/avast\/ioc\">Avast\u2019s GitHub<\/a>.<\/p>\n<\/p>\n<table>\n<thead>\n<tr>\n<th>SHA<\/th>\n<th>Timestamp<\/th>\n<th>Description<\/th>\n<th>ESET detection name<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>d215bb8af5581b31f194248fc3bd13d999a5991c<\/td>\n<td>2016-06-29 00:34:42<\/td>\n<td>Microcin (Kaspersky)<br \/> 7771e1738fc2e4de210ac06a5e62c534<\/td>\n<td>Win32\/Mikroceen.A<\/td>\n<\/tr>\n<tr>\n<td>7a63fc9db2bc1e9b1ef793723d5877e6b4c566b8<\/td>\n<td>2017-07-06 08:15:31<\/td>\n<td>BYEBY (PANW) 383a2d8f421ad2f243cbc142e9715c78f867a114b037626c2097cb3e070f67d6<\/td>\n<td>Win32\/Mikroceen.B<\/td>\n<\/tr>\n<tr>\n<td>2f80f51188dc9aea697868864d88925d64c26abc<\/td>\n<td>2017-01-28 11:33:43<\/td>\n<td>Vicious Panda (Checkpoint)<\/td>\n<td>Win32\/Mikroceen.C<\/td>\n<\/tr>\n<tr>\n<td>302cf1a90507efbded6b8f53e380591a3eaf6dcb<\/td>\n<td>2019-04-25 01:15:40<\/td>\n<td>Mikroceen 32-bit<\/td>\n<td>Win32\/Mikroceen.H<\/td>\n<\/tr>\n<tr>\n<td>21ffd24b8074d7cffdf4cc339d1fa8fe892eba27<\/td>\n<td>2018-12-10 07:46:25<\/td>\n<td>Mikroceen 64-bit<\/td>\n<td>Win64\/Mikroceen.C<\/td>\n<\/tr>\n<tr>\n<td>5192023133dce042da8b6220e4e7e2e0dcb000b3<\/td>\n<td>2019-03-11 12:14:09<\/td>\n<td>Mimikatz<\/td>\n<td>Win64\/Riskware.Mimikatz.AQ<\/td>\n<\/tr>\n<tr>\n<td>c18602552352fee592972603262fe15c2cdb215a<\/td>\n<td>2015-03-16 03:29:39<\/td>\n<td>Lateral Movement via WMI<\/td>\n<td>Win32\/HackTool.Agent.NEZ<\/td>\n<\/tr>\n<tr>\n<td>4de4b662055d3083a1bccf2bc49976cdd819bc01<\/td>\n<td>2015-12-31 03:10:15<\/td>\n<td>Gh0st RAT<\/td>\n<td>Win32\/Farfli.CSY<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>References<\/h2>\n<ul>\n<li>Vasily Berdnikov, Dmitry Karasovsky, Alexey Shulmin: \u201c<a 
href=\"https:\/\/media.kasperskycontenthub.comhttps\/\/web-assets.esetstatic.com\/wls\/sites\/43\/2018\/03\/07170759\/Microcin_Technical_4PDF_eng_final_s.pdf\">Microcin malware<\/a>\u201d, Kaspersky Labs 2017-9-25<\/li>\n<li>Josh Grunzweig, Robert Falcone: \u201c<a href=\"https:\/\/unit42.paloaltonetworks.com\/unit42-threat-actors-target-government-belarus-using-cmstar-trojan\/\">Threat Actors Target Government of Belarus Using CMSTAR Trojan<\/a>\u201d, September 2017<\/li>\n<li>Checkpoint Research: \u201c<a href=\"https:\/\/research.checkpoint.com\/2020\/vicious-panda-the-covid-campaign\/\">Vicious Panda: The COVID Campaign<\/a>\u201d, 2020-03-12<\/li>\n<li>SecDev Group &amp; Citizenlab, \u201c<a href=\"https:\/\/citizenlab.ca\/2009\/03\/tracking-ghostnet-investigating-a-cyber-espionage-network\/\">Tracking GhostNet: Investigating a Cyber Espionage Network<\/a>\u201d, March 2009,<\/li>\n<li>Dhia Mahjoub, Jeremiah O&#8217;Connor, Thibault Reuille, Thomas Mathew: \u201c<a href=\"https:\/\/umbrella.cisco.com\/blog\/2015\/09\/14\/phishing-spiking-and-bad-hosting\/\">Phishing, Spiking, and Bad Hosting<\/a>\u201d, Cisco Umbrella Blog, 2015-09-14<\/li>\n<li>\u201c<a href=\"https:\/\/github.com\/gentilkiwi\/mimikatz\">Mimikatz: A little tool to play with Windows security<\/a>\u201d<\/li>\n<li>Peter K\u00e1lnai, Anton Cherepanov. 
\u201c<a href=\"https:\/\/www.welivesecurity.com\/2018\/04\/03\/lazarus-killdisk-central-american-casino\/\">Lazarus KillDisks Central American casino<\/a>\u201d, WeLiveSecurity.com, April 2018<\/li>\n<li>Anton Cherepanov, Robert Lipovsk\u00fd: \u201c<a href=\"https:\/\/www.welivesecurity.com\/2018\/10\/11\/new-telebots-backdoor-linking-industroyer-notpetya\/\">New TeleBots backdoor: First evidence linking Industroyer to NotPetya<\/a>\u201d, WeLiveSecurity.com, October 2018<\/li>\n<li>Zuzana Hromcov\u00e1: \u201c<a href=\"https:\/\/www.welivesecurity.com\/2019\/07\/18\/okrum-ke3chang-targets-diplomatic-missions\/\">Okrum: Ke3chang group targets diplomatic missions<\/a>\u201d, WeLiveSecurity.com, July 2019<\/li>\n<li>Avast Threat Intelligence, <a href=\"https:\/\/github.com\/avast\/ioc\">GitHub repository<\/a><\/li>\n<li>ESET Threat Intelligence, <a href=\"https:\/\/github.com\/eset\/malware-ioc\">GitHub repository<\/a><\/li>\n<\/ul>\n<h2>MITRE ATT&amp;CK techniques<\/h2>\n<\/p>\n<table>\n<thead>\n<tr>\n<th>Tactic<\/th>\n<th>ID<\/th>\n<th>Name<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td rowspan=\"5\">Execution<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1035\/\">T1035<\/a><\/td>\n<td>Service Execution<\/td>\n<td>The RAT is configured to run as a service at startup via <span>sc.exe<\/span>.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1059\/\">T1059<\/a><\/td>\n<td>Command-Line Interface<\/td>\n<td>The RAT can execute a command line.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1064\/\">T1064<\/a><\/td>\n<td>Scripting<\/td>\n<td>The attackers used batch scripts for malware installation and execution.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1105\/\">T1105<\/a><\/td>\n<td>Remote File Copy<\/td>\n<td>The RAT can download files to the victim\u2019s machine<\/td>\n<\/tr>\n<tr>\n<td><a 
href=\"https:\/\/attack.mitre.org\/techniques\/T1106\/\">T1106<\/a><\/td>\n<td>Execution through API<\/td>\n<td>The RAT launches the Windows console via <span>CreateProcess<\/span>.<\/td>\n<\/tr>\n<tr>\n<td>Persistence<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1050\/\">T1050<\/a><\/td>\n<td>New Service<\/td>\n<td>The RAT is installed as a new service that is started automatically at boot.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\">Defense Evasion<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1036\/\">T1036<\/a><\/td>\n<td>Masquerading<\/td>\n<td>The RAT disguises itself as various types of legitimate services.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1140\/\">T1140<\/a><\/td>\n<td>Deobfuscate\/Decode Files or Information<\/td>\n<td>The commands of the RAT and some of its components are encoded\/encrypted.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"3\">Discovery<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1082\/\">T1082<\/a><\/td>\n<td>System Information Discovery<\/td>\n<td>The RAT sends information such as the operating system version, which is displayed in the operator\u2019s panel.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1016\/\">T1016<\/a><\/td>\n<td>System Network Configuration Discovery<\/td>\n<td>The RAT collects network information, including the host IP address and proxy settings.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1033\/\">T1033<\/a><\/td>\n<td>System Owner\/User Discovery<\/td>\n<td>The RAT sends information such as the username, which is displayed in the operator\u2019s panel.<\/td>\n<\/tr>\n<tr>\n<td>Credential Access<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1003\/001\/\">T1003.001<\/a><\/td>\n<td>OS Credential Dumping: LSASS Memory<\/td>\n<td>Mimikatz is used in the attack.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"5\">Command and Control<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1032\/\">T1032<\/a><\/td>\n<td>Standard 
Cryptographic Protocol<\/td>\n<td>The RAT uses SSL for encrypting C2 communications.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1043\/\">T1043<\/a><\/td>\n<td>Commonly Used Port<\/td>\n<td>The RAT uses port 443.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1071\/\">T1071<\/a><\/td>\n<td>Standard Application Layer Protocol<\/td>\n<td>The RAT uses the Schannel implementation of SSL.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1001\/\">T1001<\/a><\/td>\n<td>Data Obfuscation<\/td>\n<td>The RAT\u2019s interface controls the client with obfuscated commands.<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1090\/002\/\">T1090.002<\/a><\/td>\n<td>Proxy: External Proxy<\/td>\n<td>The RAT has a proxy option that masks traffic between the malware and the remote operators.<\/td>\n<\/tr>\n<tr>\n<td> Exfiltration<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1041\/\">T1041<\/a><\/td>\n<td>Exfiltration Over Command and Control Channel<\/td>\n<td>The operator of the RAT can download any desired file from a victim.<\/td>\n<\/tr>\n<tr>\n<td>Collection<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1113\/\">T1113<\/a><\/td>\n<td>Screen Capture<\/td>\n<td>The RAT can capture the victim\u2019s screen.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p class=\"wls-source\"><a href=\"https:\/\/www.welivesecurity.com\/2020\/05\/14\/mikroceen-spying-backdoor-high-profile-networks-central-asia\/\" rel=\"nofollow noopener\" target=\"_blank\">Read the full analysis on WeLiveSecurity \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>ESET researchers dissect a backdoor deployed in attacks against multiple government agencies and major organizations operating in two critical infrastructure sectors in 
Asia<\/p>\n","protected":false},"author":5,"featured_media":8222,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2878],"tags":[],"class_list":["post-8221","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-eset-research"],"acf":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8221","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/comments?post=8221"}],"version-history":[{"count":0,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8221\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media\/8222"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media?parent=8221"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/categories?post=8221"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/tags?post=8221"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}