APT15 Background

Coincidentally, following the recent hack of a US Navy contractor and theft of highly sensitive data on submarine warfare, we have found evidence of very recent activity by a group referred to as APT15, known for committing cyber espionage which is believed to be affiliated with the Chinese government. The malware involved in this recent campaign, MirageFox, looks to be an upgraded version of a tool, a RAT believed to originate in 2012, known as Mirage.

APT15 is known for committing cyberespionage against companies and organizations located in many different countries, targeting different sectors such as the oil industry, government contractors, military, and more. They are known for “living off the land,” meaning they use already available tools and software installed on the computer to operate, and once inside a target network, they will tailor their malware specifically to the target. Other names for the group are Vixen Panda, Ke3chang, Royal APT, and Playful Dragon.

There are many articles and researches online about APT15 and their activities, the most recent one by NCC Group; although posted in March 2018, it refers to a campaign in 2017. In addition, although the 2017 campaign has been documented, during our research regarding MirageFox, we found a recently uploaded binary (6/8/2018) from the 2017 campaign, pretty much identical to a RAT mentioned in their RoyalAPT report, barely detected with only 7/66 detections on VirusTotal.

APT15 Code Reuse

We found the new version of the RAT on VirusTotal hunting, by a YARA signature we created based off code only found in Mirage and Reaver, both attributed to Chinese government affiliated groups. After seeing that these binaries were new uploads to VirusTotal, with very few detections, we analyzed them using Intezer Analyze™ to see if we could find any code reuse.

(https://analyze.intezer.com/#/analyses/d00b6787-0078-4148-aec3-a66779a22ba5)

As can be seen in this code reuse analysis report (SHA256: 28d6a9a709b9ead84aece250889a1687c07e19f6993325ba5295410a478da30a), there is shared code with Mirage and Reaver. The compilation timestamp is from June 8, 2018 while the upload date to VirusTotal was June 9, 2018.

(VirusTotal)

On VirusTotal, we can see there are only 10/66 detections for this binary, 11/66 for another similar version of MirageFox (SHA256: 97813e76564aa829a359c2d12c9c6b824c532de0fc15f43765cf6b106a32b9a5), and 9/64 for the third MirageFox binary that was uploaded (SHA256: b7c1ae10f3037b7645541acb9f7421312fb1e164be964ee7acd6eb1299d6acb2).

Here’s a couple examples of code reuse similarities found in the Mirage family between one of the newer binaries and older ones.

Remote Shell :

The function above is seen throughout many of the binaries in the Mirage family and is executed when a command is sent from the C&C. It is responsible for executing commands in cmd.exe (later down in the functions, not seen in the screenshot, it looks for cmd.exe and executes it using CreateProcessA).

Configuration Decryption:

Another small, but same important function in the photo above, is the function for decrypting the data containing the C&C configuration. Similar to Reaver as posted by Palo Alto, it gets the IP or domain of the C&C server, the port, name of the binary, a sleep timer, and what Palo Alto calls a “campaign identifier.”

Technical Details

At this moment, we were unable to retrieve the original infection vector and other information regarding what other tools the APT15 group is using to attack their targets. We are able to come up with a few very interesting conclusions about what is going on here, although we cannot say for sure what the case is without the full context.

Firstly, the reason this has been named MirageFox instead of just Mirage, is because in the Export directory for the modules, the name field is filled with a string MirageFox_Server.dat.

Evidently in the image, you can see there is an exported function. The MirageFox binaries export a function called dll_wWinMain, the name of an export in vsodscpl.dll, a module by McAfee that is loaded by a few of their executables that import and call this function. This most likely means there is some type of DLL hijacking going on by distributing a legitimate McAfee binary with MirageFox to load up the DLL properly into a legitimate looking process. DLL hijacking techniques have been seen in the past with the APT15 group. The problem here is that once the export is called the first time, the module renames itself to sqlsrver.dll and there is no evidence within the module of any type of persistence. By renaming it to this, the future executions of the RAT will not be through a McAfee binary. The future persistence could be setup through another component of the malware or even a command sent by the C&C to the infected computer.

The most interesting part is the decrypted C&C configuration, as can be seen in the image below.

Decrypted Config:

C&C IP: 192.168.0.107

Port: 80

Sleep Timer: 30000

Campaign Identifier: Mirage

If you look at it the decrypted configuration, you may notice that the IP being used for the C&C is an internal IP address. If you read the report mentioned above about RoyalAPT by NCC Group, it is mentioned that APT15 infiltrated an organization again after stealing a VPN private key, therefore we can assume this version was tailor made to an organization they have already infiltrated and are connecting to the internal network using a VPN.

The rest of MirageFox functions similarly to previous malware created by APT15, first collecting information about the computer like the username, CPU information, architecture, and so forth. Then it sends this information to the C&C, opens a backdoor, and sits waiting for commands from the C&C with functionality such as modifying files, launching processes, terminating itself, and more functionality typically seen in APT15’s RATs.

Conclusion

There is high confidence that MirageFox can be attributed to APT15 due to code and other similarities in the MirageFox binaries. As is known about APT15, after infiltrating their target, they conduct a lot of reconnaissance work, send the commands from the C&C manually, and will customize their malware components to best suit the environment they have infected.

IOCs

MirageFox

28d6a9a709b9ead84aece250889a1687c07e19f6993325ba5295410a478da30a

97813e76564aa829a359c2d12c9c6b824c532de0fc15f43765cf6b106a32b9a5

b7c1ae10f3037b7645541acb9f7421312fb1e164be964ee7acd6eb1299d6acb2

RoyalAPT

016948ec7743b09e41b6968b42dfade5480774df3baf915e4c8753f5f90d1734

RoyalAPT C&C

buy.healthcare-internet[.]com

Mirage (w/ Same C&C Config Decryption)

5787eff4b4d6ee5b4c5457c9af5e2f2e3c75204b5989606b1faa9b944dc49a30

b6bd5d8f5a824db05c37dde459b60a5571df87966e00390f2df56628da49b856

b9403fb1e3743617bcdf8c1e5dd332c325c1e1f2e79bef166261fec0091880cf

ffaddb93042243926a964864e21a28365807ac5be843f5e690f9916cddbbd55b

b0a2923e817ac982c89510e4bd8eab68892ee51e5fa625bd806508a4b701aa78

da4dbc738d069fbcc9b96ab4af2bd3f7a87c7b69a4b47071e099e36b481dfa01

f633df1fb42666f62eb23fd70dac4e3c0c4908af123f9335f3b58e6ea205df8a

e67e58bc736bd54e6915cb43af5f3c332da3592839a5a4884ba141b089310815

1534432fafb21c0479343bc2d9f3991e56c75baa41c54b3470d41055bb578f8f

27a0ce9761363f6a1eafc719b96bbe1f9a426e50e8b5abf84db963efddb89a8d

d22c2ef1453d5575e05a673777931e07c44734fe467a77969bebe86e26aacf98

f85023ae81917a7fae0d987134a968ffad346d5c3b35d3a98e237419dd334696

24b3c3527a2431d1c1dd27fe6566ddcaa8e4b92e31e468bb733e827350830a14

57550ab2d20a757b24137ab764a2e9bf644fd8e1f4313bca22e04db7fa608cc2

4d45ddc35abf77cded21bafe5483d345585c1d84f52a101a65ebfda88be5ad7d

421f4c83898ff3ae9b2a94621140ef770888a8a0914b163cdae4690433173899

c27fb5fd362fdaec2e344564f76197d01e1dc463ee3552b16452fc41e67f2709

cec9c4e48fad6e4c2b7cf4bc34d357893ef878e8be076c9f680f297e06184c20