PowerShell-based malware linked to Iranian group APT34 (OilRig and HelixKitten)

Summary:

Volon Threat Research recently identified a malware sample that was uploaded to a public file-scanning service on Dec 23, 2019, acquired the sample, and performed further research. Our analysis indicates that the malware targets hosts that run the LANDesk Management Agent. Public reporting on the malware, based on code reuse and the identification of five reused strings, links the sample to the Iranian group APT34 (also known as OilRig and HelixKitten). This report focuses on Volon's own research on the malware.

Technical Analysis:

This section covers the technical analysis performed by Volon Threat Research. A summary of the findings:

  • The sample is PowerShell-based malware wrapped in a native dropper.
  • It checks whether the LANDesk Management Agent is installed on the host.
  • It only executes with administrative privileges.
  • If the LANDesk Management Agent is present, the malware connects to the C&C (Command and Control) server to download a second-stage payload.
  • The C&C server now returns '403 Forbidden (Request forbidden by administrative rules)'.
  • No further information about the second-stage payload is available.

Binary Information:

File name: CBA8REINSTALL[1].EXE
File type: Win32 EXE
MD5: 2de2e528991ac2d85aa8f12fce5351ad
SHA-1: 7e14e661a577e7cb502717e9570c6651932ab4b8
SHA-256: 8406ca490c60ec41569b35f31f1860ff4663bba44d1daac64760ecdfe694203d
Creation Date: 2017-01-21

(Static PE information)

The screenshot above shows that the malware is written in C++, is compatible with both x86 and x64 architectures, and was built with memory protections disabled.


(PE Assembly information)

In a dry run, the malware triggers a UAC (User Account Control) prompt. Attackers generally do this to gain the highest privileges available. UAC is a component of Microsoft Windows that helps limit the impact of malware running as the current user.

In this scenario, administrator privileges are necessary to run the PowerShell script and to ensure that its actions to enumerate 'LANDesk' succeed.

(Powershell Script inside resource)


The binary carries a hidden, encoded PowerShell script in its own resource section, which makes it stageless. With the help of FindResource and LoadResource, the resource is loaded into memory.

(MSDN implementation of FindResourceA and LoadResource)


File Creation Routine:

(File Creation using CreateFileA)


Once the binary is executed, it creates a randomly named directory inside the user's Temp directory on each run and saves the PowerShell script inside it, also under a random name.

File Writing Routine:

(MSDN implementation of WriteFile)


(Buffer being written to powershell file created using WriteFile)

Analysis in the x64dbg debugger shows a 'do while' loop that keeps decoding the PowerShell script hidden in the resource until it is completely decoded. From this we observed that the payload does nothing but decode and execute a PowerShell script. We then set a breakpoint on "WriteFile" and waited for the malware's execution flow to finish decoding the script stored in the resource section before continuing.

(Execution operation flow)


The graph above shows that if the "WriteFile" call fails to write the decoded PowerShell script to the file, the malware deletes the empty script file using DeleteFileA.

(IDA Flowchart graph in the debugger)

Inside function 'sub_4077CA', the call to WriteFile reveals all the required parameters, including:

  • The handle to the file being written at the respective path
  • The decrypted .ps1 script as the data buffer
  • The buffer length

(ShellExecuteA in IDA Flowchart)

On the other hand, if WriteFile succeeds in writing the decoded PowerShell script to the file, the script is executed using the `ShellExecute` Win32 API in a separate child thread, as shown in the screenshot above.

Extracted Script:

(Extracted Powershell Script)


The PowerShell script first checks whether LANDesk is installed on the host, then sends a POST request with the result to the defined C&C. If the result is favorable, it downloads the second-stage payload and continues its job.

Here is the command executed by the binary:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" –NoProfile -ExecutionPolicy Bypass -File C:\Users\john\AppData\Local\Temp\.tmp\.ps1

About APT34:

APT34 (also known as OilRig and HelixKitten) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets.

MITRE ATT&CK group tracking: https://attack.mitre.org/groups/G0049/

About LANDesk:

LANDesk is an asset management software system used to remotely inventory and manage desktop computers. It has the ability to report on installed software and hardware, allow remote assistance, and install operating system security patches.


Reflections

The malware is tracked under the name 'PowDesk' and is PowerShell-based. Based on its functionality, we assess that the attacker's interest is in the IT sector, specifically MSPs (Managed Service Providers) that use the LANDesk Management Agent to take remote control of their customers' networks and manage desktop systems. Since the C&C URL returns a '403 Forbidden' message, we were not able to obtain any further information on the second-stage payload. However, we recommend that organizations running the LANDesk Management Agent across their enterprise network block the IoCs attached to this report.

Although it is unclear how the first-stage malicious binary was delivered, the sample's file name leads us to suspect that the attackers send phishing emails carrying the binary and trick users into 'REINSTALL'-ing the LANDesk Management Agent.

Indicators:

MD5: 32a5f02066b4f74de28d156132bb9eb4
MD5: 2de2e528991ac2d85aa8f12fce5351ad
SHA-1: 7e14e661a577e7cb502717e9570c6651932ab4b8
SHA-256: 8406ca490c60ec41569b35f31f1860ff4663bba44d1daac64760ecdfe694203d
Domain: lcepos.com
URL: http://lcepos.com/php/reclaimlandesk.php?
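The execution chain described above (a dropper in the user's Temp directory launching powershell.exe with -NoProfile -ExecutionPolicy Bypass -File against a randomly named .ps1, followed by a POST to the C&C) and the indicator list can be turned into a hunting script. The following Python is an added example written for this report, not code from Volon or from the malware: the indicators are copied from the list above, the log events are constructed, and the parameter-abbreviation table is this example's own approximation of how powershell.exe matches switch prefixes (it accepts -ep and -nop as well as the full names). Note that the dash in front of -NoProfile in the command printed above is an en dash; powershell.exe treats en dash, em dash and horizontal bar as equivalent to a hyphen, so the rule normalizes all of them rather than keying on "-" alone.

```python
"""Hunt for the PowDesk execution chain in process-creation and proxy logs."""
import re
from urllib.parse import urlparse

# Indicators as listed in the report above.
IOCS = [
    "32a5f02066b4f74de28d156132bb9eb4",
    "2de2e528991ac2d85aa8f12fce5351ad",
    "lcepos.com",
    "7e14e661a577e7cb502717e9570c6651932ab4b8",
    "http://lcepos.com/php/reclaimlandesk.php?",
    "8406ca490c60ec41569b35f31f1860ff4663bba44d1daac64760ecdfe694203d",
]
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
# powershell.exe accepts en dash, em dash and horizontal bar in front of a parameter.
DASHES = "-\u2013\u2014\u2015"
# (canonical name, shortest accepted prefix): assumption modelled on powershell.exe's
# prefix matching plus its explicit -ep / -ec aliases; not an exhaustive table.
SWITCHES = [("executionpolicy", "ex"), ("ep", "ep"), ("noprofile", "nop"),
            ("file", "f"), ("encodedcommand", "e"), ("ec", "ec"),
            ("command", "c"), ("windowstyle", "w"), ("noninteractive", "noni")]
ALIASES = {"ep": "executionpolicy", "ec": "encodedcommand"}
TAKES_VALUE = {"executionpolicy", "file", "encodedcommand", "command", "windowstyle"}


def classify_ioc(ioc):
    """Return (kind, normalised value) for a hash, URL or domain indicator."""
    ioc = ioc.strip()
    if len(ioc) in HASH_TYPES and re.fullmatch(r"[0-9a-fA-F]+", ioc):
        return HASH_TYPES[len(ioc)], ioc.lower()
    if "://" in ioc:
        p = urlparse(ioc)  # drop the query so the report's trailing '?' still matches
        return "url", f"{p.scheme}://{p.netloc.lower()}{p.path}"
    return "domain", ioc.lower()


def build_ioc_index(iocs):
    index = {}
    for ioc in iocs:
        kind, value = classify_ioc(ioc)
        index.setdefault(kind, set()).add(value)
        if kind == "url":  # a URL indicator implies its host as well
            index.setdefault("domain", set()).add(urlparse(value).netloc)
    return index


def tokenize_cmdline(cmdline):
    """Split a Windows command line; double-quoted tokens may contain spaces."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def match_switch(name):
    name = name.lower()
    for canonical, shortest in SWITCHES:
        if name.startswith(shortest) and canonical.startswith(name):
            return ALIASES.get(canonical, canonical)
    return None


def parse_powershell_launch(cmdline):
    tokens = tokenize_cmdline(cmdline)
    if not tokens:
        return None
    info = {"image": tokens[0], "flags": set(), "values": {}}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        switch = match_switch(tok[1:]) if tok and tok[0] in DASHES else None
        if switch in TAKES_VALUE and i + 1 < len(tokens):
            info["values"][switch] = tokens[i + 1]
            i += 2
        else:
            if switch:
                info["flags"].add(switch)
            i += 1
    return info


def analyse_powershell_launch(cmdline):
    """Reasons a powershell.exe launch matches the chain in the report (empty = none).
    -NoProfile alone is common in legitimate automation, so it is only reported
    together with a stronger signal."""
    info = parse_powershell_launch(cmdline)
    if not info or not info["image"].lower().endswith("powershell.exe"):
        return []
    reasons = []
    policy = info["values"].get("executionpolicy", "").lower()
    if policy in ("bypass", "unrestricted"):
        reasons.append("execution policy " + policy)
    script = info["values"].get("file", "").lower()
    if script.endswith(".ps1") and "\\appdata\\local\\temp\\" in script:
        reasons.append("script run from user Temp")
    if re.search(r"\\[^\\]+\.tmp\\[^\\]+\.ps1$", script):
        reasons.append("script inside a .tmp-named directory")
    if reasons and "noprofile" in info["flags"]:
        reasons.append("-NoProfile")
    return reasons


def scan_events(events, iocs=IOCS):
    """Return [(event id, [hits])] for events matching the chain or an indicator."""
    index = build_ioc_index(iocs)
    alerts = []
    for ev in events:
        hits = []
        if ev["type"] == "process":
            hits += analyse_powershell_launch(ev["cmdline"])
            for kind in ("md5", "sha1", "sha256"):
                if ev.get(kind, "").lower() in index.get(kind, ()):
                    hits.append(f"image {kind} is a report IoC")
        elif ev["type"] == "http":
            _, url = classify_ioc(ev["url"])
            if url in index.get("url", ()):
                hits.append("URL is a report IoC")
            elif urlparse(url).netloc in index.get("domain", ()):
                hits.append("destination host is a report IoC")
        if hits:
            alerts.append((ev["id"], hits))
    return alerts


SAMPLE_EVENTS = [  # constructed for this example, not telemetry from the report
    {"id": 1, "type": "process", "md5": "2DE2E528991AC2D85AA8F12FCE5351AD",
     "cmdline": r'"C:\Users\john\AppData\Local\Temp\CBA8REINSTALL[1].EXE"'},
    {"id": 2, "type": "process",
     "cmdline": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
                "\u2013NoProfile -ExecutionPolicy Bypass -File "
                "C:\\Users\\john\\AppData\\Local\\Temp\\a1b2c3.tmp\\d4e5f6.ps1"},
    {"id": 3, "type": "http", "url": "http://lcepos.com/php/reclaimlandesk.php?h=WS01"},
    {"id": 4, "type": "process",  # routine scheduled task, should not alert
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -File C:\Scripts\inventory.ps1'},
    {"id": 5, "type": "http", "url": "https://updates.example.net/catalog.xml"},
]

if __name__ == "__main__":
    for event_id, hits in scan_events(SAMPLE_EVENTS):
        print(event_id, "; ".join(hits))
```

Feed it Sysmon event 1 / Security 4688 command lines and proxy URLs from your own telemetry; the URL indicator is compared with its query stripped, because the C&C path in the report ends in a bare "?" and the real requests carry host-specific parameters after it.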
