[RE018-1] Analyzing new malware of China Panda hacker group used to attack supply chain against Vietnam Government Certification Authority – Part 1

19/12/2020, 6:30 PM

I. Introduction

In the process of monitoring and analyzing malware samples, we came across an interesting blog post by NTT here. Following the sample hash in that report, we noticed a hash on VirusTotal:

Figure 1. Hash’s information in the NTT blog

Against the backdrop of a hacker group believed to be from Russia attacking and exploiting the software supply chain to target a series of major US agencies, and having noticed that the keyword eToken.exe belongs to software that is widely used in agencies, organizations and businesses in Vietnam, we used eToken.exe and SafeNet as keywords to search VirusTotal and Google. As a result, we uncovered information about two remarkable installation files that had been uploaded to VirusTotal since August 2020:

Figure 2. Information look up on VirusTotal

The names of the installation files are quite familiar: gca01-client-v2-x32-8.3.msi and gca01-client-v2-x64-8.3.msi. We tried to download these two files from the website and they had the same hash values. However, at the present time, all files on the VGCA homepage have been removed and replaced with the official clean version. Based on our initial assessment, we consider this could be an attack campaign aimed at the software supply chain, which can be leveraged to target important agencies, organizations and businesses in Vietnam.

On December 17th, ESET announced the discovery of an APT attack they called “Operation SignSight” against the Vietnam Government Certification Authority (VGCA). In that report, ESET said they had also notified VNCERT and VGCA, and VGCA confirmed that it was already aware of the attack and had notified the users who downloaded the trojanized software.

At the time of analysis, we had obtained two setup files that had been tampered with by the hackers. This blog post series focuses on analyzing the signatures and techniques the hackers applied to the malicious samples in these two installation files.

II. Analyze installation file

This application is named “SafeNet Authentication Clients”, from the company SafeNet Inc. Most of its Portable Executable (PE) files are signed with SafeNet certificates.

Figure 3. PE files signed with SafeNet certificate

Using the UniExtract tool, we extracted all files from the installer (the x64 setup file): 218 files in 68 subfolders, with a total size of 75.1 MB (78,778,368 bytes). To find out which file the hackers implanted, we focused on analyzing and identifying unsigned PE files.

With the help of the sigcheck tool from Microsoft’s Sysinternals Suite, run with the parameters to check signatures, compute hashes, scan all PE files and look the hashes up on VirusTotal, with CSV output, and then sorting by unsigned files and VirusTotal result, we discovered that eToken.exe is the file implanted by the hacker.

Figure 4. Discovered file was implanted by hacker

The hash of this eToken.exe matches the one in NTT Security’s report. Another strange point is that it is a 32-bit PE located in the x64 directory, and its version information (Company, Description, Product, …) is not plausible for an application from such a large company. Here is the VirusTotal scan result for the eToken file.
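The sigcheck-style triage described above can be reproduced with only the Python standard library. The following is an added example (not code from the original post or from VinCSS) that walks an extracted installer tree, reads each PE file's machine type, bitness, link timestamp and whether an Authenticode security directory is present, and flags unsigned files as well as 32-bit PEs sitting under an x64 directory. The sample tree, file names and PE blobs are constructed for the demo; only the 26/04/2020 15:12:58 UTC link timestamp is taken from the article.

```python
import os
import struct
import tempfile
from datetime import datetime, timezone
from typing import Optional

# Public PE/COFF header constants
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: where the Authenticode blob lives


def inspect_pe(data: bytes) -> Optional[dict]:
    """Read machine type, bitness, link timestamp and whether a security directory
    exists. Returns None for non-PE or truncated input. A present security directory
    only means a signature blob is attached; validity is what sigcheck verifies and
    this example does not."""
    try:
        if len(data) < 0x40 or data[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4
        machine, _nsec, timestamp, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
        opt = coff + 20
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == PE32_MAGIC:
            dirs_off = opt + 96      # data directories start at offset 96 in PE32
        elif magic == PE32PLUS_MAGIC:
            dirs_off = opt + 112     # and at offset 112 in PE32+
        else:
            return None
        _sec_off, sec_size = struct.unpack_from("<II", data, dirs_off + 8 * SECURITY_DIR_INDEX)
    except struct.error:
        return None
    return {
        "machine": machine,
        "bits": 64 if magic == PE32PLUS_MAGIC else 32,
        "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "has_signature": sec_size != 0,
    }


def triage_tree(root: str) -> list:
    """Walk an extracted installer tree and flag PE files that are unsigned or
    whose bitness does not match an x64 directory, as done by hand in the article."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        parts = {p.lower() for p in os.path.relpath(dirpath, root).split(os.sep)}
        in_x64_dir = "x64" in parts
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                info = inspect_pe(fh.read())
            if info is None:
                continue
            flags = []
            if not info["has_signature"]:
                flags.append("unsigned")
            if in_x64_dir and info["bits"] == 32:
                flags.append("32-bit PE in x64 directory")
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append({"path": rel, "flags": flags, **info})
    return findings


def build_sample_pe(machine: int, pe32plus: bool, timestamp: int, signed: bool) -> bytes:
    """Construct a minimal synthetic PE (headers only, no sections) for the demo."""
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    opt_size = 240 if pe32plus else 224
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE signature follows the DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, timestamp, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    if signed:
        # Point the security directory at a (not actually present) Authenticode blob.
        dirs_off = 112 if pe32plus else 96
        struct.pack_into("<II", opt, dirs_off + 8 * SECURITY_DIR_INDEX, 0x1000, 0x800)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def demo() -> list:
    """Build a constructed extracted-installer tree and triage it."""
    root = tempfile.mkdtemp(prefix="pe_triage_")
    os.makedirs(os.path.join(root, "x64"))
    samples = {
        # constructed: signed 64-bit vendor DLL in the x64 folder
        os.path.join("x64", "vendor64.dll"): build_sample_pe(IMAGE_FILE_MACHINE_AMD64, True, 1500000000, True),
        # constructed: unsigned 32-bit EXE dropped into the x64 folder; the link
        # timestamp (1587913978 = 2020-04-26 15:12:58 UTC) is the eToken.exe build time from the article
        os.path.join("x64", "dropped32.exe"): build_sample_pe(IMAGE_FILE_MACHINE_I386, False, 1587913978, False),
        "readme.txt": b"not a PE file",
    }
    for rel, blob in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(blob)
    return triage_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f["path"], f["bits"], f["timestamp"].isoformat(), f["flags"])
```

The check here is deliberately weaker than sigcheck's: it reports only whether a signature blob is attached, so a file with a broken or untrusted signature still shows as "signed". Use it to shortlist candidates, then verify the shortlisted files' certificate chains with sigcheck or signtool.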

Since this application is built with Visual C++ from Visual Studio 2005, an old version, and uses the Qt4 library, some of the DLL files in this installer are also unsigned. We checked each file and determined that they were clean, leaving only three suspicious files: RegistereToken.exe, eTOKCSP.dll and eTOKCSP64.dll.

So eToken.exe is malware that the hackers added to the software suite’s installer. To find out how eToken.exe is executed, we analyzed the installation file, an MSI file (Microsoft Windows Installer file): gca01-client-v2-x64-8.3.msi.

Extracting the MSI file to raw format before installing, we obtained two .cab files (Microsoft Cabinet files): Data1.cab and Cabs.w1.cab. This is an anomaly, because a normal MSI file has only one main .cab file. Checking the Data1.cab file and the MSI log text file, eToken.exe and RegistereToken.exe are in Data1.cab, and both .exe files have no GUID ID info:

Figure 5. Exe files do not have a GUID ID info

Continuing to check the features (DriverFeature) and the two files eToken.exe and RegistereToken.exe in the MSI file with Microsoft’s Orca tool (a specialized tool for analyzing and modifying MSI files), we found through a search that the hacker added a custom action, RegisterToken (without the “e” before Token), to the MSI file and appended that CustomAction to the end of InstallExecuteSequence. RegistereToken.exe will be called with eToken.exe as its parameter:

Figure 6. Hacker implanted a custom action
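The Orca check described above can be automated once the CustomAction and InstallExecuteSequence tables are exported (Orca's table export writes tab-separated .idt files). The following added Python example (not from the original post, and not how VinCSS performed the analysis) joins the two tables and flags custom actions that launch an executable, in particular one whose Source is a file installed by the package itself, and that are sequenced after InstallFinalize. The table rows, the file keys and the custom-action name and type are constructed to mirror what the article describes; the real tables only appear in the screenshot.

```python
# Bit layout of the CustomAction.Type column (Windows Installer custom action types):
# the low three bits give the target kind, bits 4-5 give where the source comes from.
CA_TARGET_MASK = 0x07
CA_TARGET_EXE = 0x02          # types 2 / 18 / 34 / 50: the action runs an executable
CA_SOURCE_MASK = 0x30
CA_SOURCE_FILE = 0x10         # Source is a key into the File table (e.g. type 18)
INSTALL_FINALIZE_SEQ = 6600   # standard sequence number of InstallFinalize


def parse_idt(text: str) -> list:
    """Parse an .idt table export: line 1 column names, line 2 column definitions,
    line 3 table name plus key columns, then one tab-separated row per line."""
    lines = text.splitlines()
    columns = lines[0].split("\t")
    rows = []
    for line in lines[3:]:
        if not line.strip():
            continue
        rows.append(dict(zip(columns, line.split("\t"))))
    return rows


def review_custom_actions(custom_action_idt: str, install_exec_seq_idt: str) -> list:
    """Return every scheduled custom action that launches an EXE or runs after InstallFinalize."""
    actions = {row["Action"]: row for row in parse_idt(custom_action_idt)}
    findings = []
    for row in parse_idt(install_exec_seq_idt):
        ca = actions.get(row["Action"])
        if ca is None:
            continue   # standard action (InstallFiles, InstallFinalize, ...), not a custom one
        ca_type = int(ca["Type"])
        seq = int(row["Sequence"])
        reasons = []
        if ca_type & CA_TARGET_MASK == CA_TARGET_EXE:
            reasons.append("launches an executable")
            if ca_type & CA_SOURCE_MASK == CA_SOURCE_FILE:
                reasons.append("executable is a file installed by this package: " + ca["Source"])
        if seq > INSTALL_FINALIZE_SEQ:
            reasons.append("scheduled after InstallFinalize")
        if reasons:
            findings.append({"action": row["Action"], "type": ca_type, "sequence": seq,
                             "source": ca["Source"], "target": ca["Target"], "reasons": reasons})
    return findings


# Constructed sample exports (the article shows the real tables only as a screenshot).
CUSTOM_ACTION_IDT = "\n".join([
    "Action\tType\tSource\tTarget",
    "s72\ti2\tS64\tS0",
    "CustomAction\tAction",
    "CheckPrereq\t1\tPrereqDll\tCheckPrereq",                 # DLL from the Binary table: common, benign
    "RegisterToken\t18\tRegistereToken.exe\t[#eToken.exe]",    # EXE from the File table, argument is another installed file
])
INSTALL_EXEC_SEQ_IDT = "\n".join([
    "Action\tCondition\tSequence",
    "s72\tS255\tI2",
    "InstallExecuteSequence\tAction",
    "CheckPrereq\t\t1400",
    "InstallInitialize\t\t1500",
    "InstallFiles\t\t4000",
    "InstallFinalize\t\t6600",
    "RegisterToken\t\t6601",
])


def demo() -> list:
    return review_custom_actions(CUSTOM_ACTION_IDT, INSTALL_EXEC_SEQ_IDT)


if __name__ == "__main__":
    for f in demo():
        print(f["action"], f["sequence"], f["source"], f["target"], "; ".join(f["reasons"]))
```

An EXE-type custom action placed after InstallFinalize is not malicious by itself (vendors do use it to start a service or a helper), but it is exactly the shape that turned the legitimate RegistereToken.exe launcher into the trigger for eToken.exe, so every hit deserves a look at both the Source file and whatever the Target argument resolves to.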

Analyzing the RegistereToken.exe file, we see that it was built on “Wednesday, 22.07.2020 07:40:31 UTC”, i.e. 07/22/2020, 2:40:31 PM GMT+7; it is a PE64 built with VC++ 2013:

Figure 7. Information of the RegistereToken.exe file

RegistereToken.exe’s pseudocode only calls the WinExec API to execute the argument passed in:

Figure 8. Tasks of RegistereToken.exe

With all the information above, and based on the timestamps in the Data1.cab and RegistereToken.exe files, we can conclude:

  • The hacker created and modified the .msi file and created the Data1.cab file at 07/20/2020 – 15:15 UTC, adding the eToken.exe file at this time.
  • Built the RegistereToken.exe file at 22/07/2020 – 07:40 UTC.
  • Added the RegistereToken.exe file to Data1.cab at 22/07/2020 – 08:40 UTC.

Note: According to the CAB file format, the Date and Time fields of a file in the cab file are in DOS date/time format, each a 2-byte WORD, and reflect the time when the file was added according to DOS time. CAB processing programs convert and display these as UTC. That is, the UTC times above are actually the local time on the hacker’s machine. See more here.

Figure 9. MS DOS Datetime Information
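The timestamp reasoning above depends on reading the CFFILE date and time words exactly as the cabinet stores them. The following added Python example (not from the original post or VinCSS) decodes the 16-bit DOS date and time fields, parses the CFFILE list of a cabinet and orders the entries by the time they were added. The cabinet bytes are constructed in the demo: the eToken.exe and RegistereToken.exe timestamps are the ones the article reads from Data1.cab, while the vendor file name, its date and the size of RegistereToken.exe are placeholders.

```python
import struct
from datetime import datetime

# Cabinet on-disk structures (little-endian)
CFHEADER = "<4sIIIIIBBHHHHH"   # signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
                               # versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFFOLDER = "<IHH"              # coffCabStart, cCFData, typeCompress
CFFILE = "<IIHHHH"             # cbFile, uoffFolderStart, iFolder, date, time, attribs, then NUL-terminated name
CFHDR_RESERVE_PRESENT = 0x0004


def decode_dos_datetime(date_word: int, time_word: int) -> datetime:
    """DOS date: bits 15-9 years since 1980, 8-5 month, 4-0 day.
    DOS time: bits 15-11 hour, 10-5 minute, 4-0 seconds/2 (2-second resolution).
    The result is naive on purpose: the format carries no time zone, so it is
    whatever the local clock of the machine that packed the file said."""
    return datetime(1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F,
                    time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)


def encode_dos_datetime(dt: datetime) -> tuple:
    return (((dt.year - 1980) << 9) | (dt.month << 5) | dt.day,
            (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2))


def parse_cab_files(blob: bytes) -> list:
    """Return (name, size, added_at) for every CFFILE entry in a cabinet."""
    (sig, _, _, _, coff_files, _, _, _, _n_folders, n_files, flags, _, _) = struct.unpack_from(CFHEADER, blob, 0)
    if sig != b"MSCF":
        raise ValueError("not a cabinet file")
    if flags & CFHDR_RESERVE_PRESENT:
        raise ValueError("cabinets with reserve areas are not handled in this example")
    entries = []
    off = coff_files
    for _ in range(n_files):
        size, _start, _ifolder, d, t, _attribs = struct.unpack_from(CFFILE, blob, off)
        off += struct.calcsize(CFFILE)
        end = blob.index(b"\0", off)
        entries.append((blob[off:end].decode("ascii", "replace"), size, decode_dos_datetime(d, t)))
        off = end + 1
    return entries


def timeline(blob: bytes) -> list:
    """Files in the order they were added: the view used to reconstruct the attacker's steps."""
    return sorted(parse_cab_files(blob), key=lambda e: e[2])


def build_sample_cab(entries: list) -> bytes:
    """Construct a cabinet with a header, one folder and CFFILE entries only (no CFDATA):
    enough for timestamp forensics, not something an extractor could unpack."""
    files = b""
    for name, size, dt in entries:
        d, t = encode_dos_datetime(dt)
        files += struct.pack(CFFILE, size, 0, 0, d, t, 0x20) + name.encode("ascii") + b"\0"
    coff_files = struct.calcsize(CFHEADER) + struct.calcsize(CFFOLDER)
    total = coff_files + len(files)
    header = struct.pack(CFHEADER, b"MSCF", 0, total, 0, coff_files, 0, 3, 1, 1, len(entries), 0, 0x1234, 0)
    folder = struct.pack(CFFOLDER, total, 0, 0)   # compressed data would follow the file table
    return header + folder + files


def demo() -> list:
    # Constructed entries; see the lead-in for which values come from the article.
    blob = build_sample_cab([
        ("RegistereToken.exe", 12288, datetime(2020, 7, 22, 8, 40, 0)),
        ("vendor.dll", 4096, datetime(2019, 11, 5, 9, 0, 0)),
        ("eToken.exe", 196608, datetime(2020, 7, 20, 15, 15, 0)),
    ])
    return timeline(blob)


if __name__ == "__main__":
    for name, size, added in demo():
        print(f"{added.isoformat()}  {size:>8}  {name}")
```

Because the stored value is local time with no zone and only two-second resolution, two cabinets packed on machines in different time zones will disagree even for the same action, which is why the article treats the decoded values as the attacker's clock rather than as UTC.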

III. Analyze eToken.exe

1. Analyze PE Structure

File eToken.exe:

  • Size: 192 KB (196,608 bytes)
  • MD5: 830DD354A31EF40856978616F35BD6B7
  • SHA256: 97A5FE1D2174E9D34CEE8C1D6751BF01F99D8F40B1AE0BCE205B8F2F0483225C

Information about compiler, RichID and build timestamp:

  • Built with VC++ 6 of Microsoft Visual Studio, Service Pack 6.
  • Built at: 26/04/2020 – 15:12:58 UTC
  • Checksum is correct; the PE header has not been modified.
  • Linked with the MFC42.dll library, Microsoft Foundation Class v4.2, a Microsoft library supporting GUI programming on Windows that is always included in the Visual Studio suite.
  • Linked with a special library: dbghelp.dll, using the MakeSureDirectoryPathExists API function. See more here.

Checking the resource section of the file, we determined that this is a dialog application created by the MFC Wizard of Visual Studio 6. The project name is VVSup, meaning the .exe file when built would be VVSup.exe.

Figure 10. File’s resource information

2. Static code analysis

eToken.exe (VVSup.exe) is built with dynamic linking to MFC42.dll, so the .exe file is small and the functions of the MFC42 library are easily identified via the DLL’s import names. The name mangling rules of the Microsoft VC++ compiler reflect the class name, function name, parameter types, calling convention, etc. of each function. IDA helps us resolve the functions imported by ordinal from MFC42.dll using the mfc42.ids and mfc42.idt files included with IDA.

However, VVSup is built with the RTTI (Runtime Type Information) option disabled, so there is no RTTI or virtual method table information for any of the classes in the file. We only have the RTTI of class type_info, the root class of RTTI.

(To be continued…)

Trương Quốc Ngân (aka HTC)

Malware Analysis Expert – VinCSS (a member of Vingroup)
