Today I wanted to do a post on a sample that I pulled down from the 0xffff0800 website here. It is just a quick behavioral analysis in order to rip out some IOCs for quick wins.

A little background on who APT32 or OceanLotus is, according to FireEye: “APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests”. If you would like more information on this group, please check out this awesome post by Nick Carr from FireEye here. Now let's take a look at the file…

The first thing you will notice is that the binary uses an icon to try to disguise itself as a Word document. This is most likely an attempt to trick the user into thinking the file is just a benign Word file.

When first inspecting a file I also like to look at other sites to try and gather as much data as I can on the file before I start my analysis. The sites I use most are app.any.run, Hybrid Analysis and VirusTotal. So after a little internet research I will begin my behavioral analysis to see if I am able to replicate, or find anything new that these sites may have missed. Trust but verify!

I first set up fakedns, inetsim and Wireshark on my Linux box to emulate internet services in case my sample is trying to connect out. A word of caution: always ensure your VM is stand-alone or in host-only networking to mitigate the potential of spreading. If for some reason the sample has to have internet access to run or needs it for other functionality, which does happen sometimes, ensure you are completely segregated, not on your home network or production network. Here is some of the traffic that I see from Wireshark.

So, as you can see, it does try to connect out to the internet, to the domain name in the Referer field of the first Wireshark picture. The connection out is created from one of the dropped files: “C:\Program Files (x86)\Symantec\Officewordtask\rastlsc.exe”. This file will spin up, try to connect out and then kill itself, repeatedly beaconing out.

This sample also touches a ton of registry items associated with the Office suite. I won’t list them here because there are a lot, but here is a screenshot from ProcDot to give you an idea. I know it is too small to read; I am just showing it for perspective on how much it touches the registry.

The other file it creates is: “C:\Users\REM\AppData\Local\Temp\tmp.docx”. rastlsc.exe and tmp.docx were both created with the Windows API CreateFileW.

So, to wrap things up, it looks like the main function of this sample was to be a dropper for the other files, set up the environment and set up a connection out with rastlsc.exe. I hope this was somewhat informative, and until next time…

Happy hunting,

Marcus

IOCs:

md5: D592B06F9D112C8650091166C19EA05A

sha1: FE0161FB8A26A0BF4AFAD746C7EBF89499DCD3A7

sha256: A17D4568AD5F745D36FC17846D3E0EDF63D4E3C9FCCB9861579E957F7A560217

imphash: 852A09940E2B099CE4E8AF070CB40884

Referer: http[:]//mkggmlggnjggmbggnkggmfggngggidggjiggmjggjjggmpggnhggmoggmfgg.ijhlbkga.anessallie[.]com/14/49615-Uwuay-Wav-Kool-Lay-Youv

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
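To turn the indicators above into a quick win, here is an added example (my own sweep script, not part of the original analysis) that runs the domain, User-Agent and dropped-file IOCs over constructed proxy and file-event log lines; the log format, hostnames and addresses are made up for the demo, and the User-Agent is only scored as weak corroboration because it is a stock Internet Explorer 8 string.

```python
# Indicators copied from the IOC list in this post (referer host refanged). The
# user-agent is a stock Internet Explorer 8 string: weak corroboration, never a hit alone.
C2_DOMAIN = "anessallie.com"
USER_AGENT = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"
DROPPED_FILE_SUFFIXES = (
    r":\program files (x86)\symantec\officewordtask\rastlsc.exe",  # drive letter may vary
    r"\appdata\local\temp\tmp.docx",  # the username in the path varies per host
)

def host_matches(host):
    """True for the C2 domain or any subdomain of it (the sample used a long random label)."""
    host = host.lower().rstrip(".")
    return host == C2_DOMAIN or host.endswith("." + C2_DOMAIN)

def check_http(src, host, referer, user_agent):
    """Classify one HTTP request as 'high', 'low' or None."""
    ref_host = referer.split("//")[-1].split("/")[0]  # hostname part of the Referer URL
    if host_matches(host) or host_matches(ref_host):
        return "high"
    if user_agent == USER_AGENT:
        return "low"
    return None

def check_file(path):
    """True if a file-create event lands on one of the dropped paths."""
    path = path.lower().replace("/", "\\")
    return any(path.endswith(s) for s in DROPPED_FILE_SUFFIXES)

def scan(log_text):
    """Return (line_no, severity, detail) for every log line that matches an IOC."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        f = line.split("\t")
        if f[0] == "http" and len(f) == 5:
            sev = check_http(*f[1:])
            if sev:
                hits.append((n, sev, f[2]))
        elif f[0] == "file" and len(f) == 3 and check_file(f[2]):
            hits.append((n, "high", f[2]))
    return hits
# Constructed log lines for demonstration (not from the post), tab-separated:
# "http<TAB>src<TAB>host<TAB>referer<TAB>user_agent" or "file<TAB>hostname<TAB>path".
SAMPLE_LOG = "\n".join([
    "http\t10.0.0.5\tijhlbkga.anessallie.com\t-\t" + USER_AGENT,
    "http\t10.0.0.6\tupdate.example.net\t-\t" + USER_AGENT,
    "http\t10.0.0.7\twww.example.org\thttp://www.example.org/\tMozilla/5.0",
    "file\tWKS01\tC:\\Program Files (x86)\\Symantec\\Officewordtask\\rastlsc.exe",
    "file\tWKS01\tC:\\Users\\alice\\AppData\\Local\\Temp\\tmp.docx",
    "file\tWKS02\tC:\\Windows\\System32\\notepad.exe",
])
```

Calling `scan(SAMPLE_LOG)` flags the C2 subdomain and both dropped files as high, the lone IE8 User-Agent as low, and leaves the benign lines alone; point it at a real proxy export by mapping your columns onto the same tab-separated fields.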

References:

https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html

http://iec56w4ibovnb4wc.onion/Library/APT32/

https://www.hybrid-analysis.com/sample/a17d4568ad5f745d36fc17846d3e0edf63d4e3c9fccb9861579e957f7a560217?environmentId=120

https://www.virustotal.com/#/file/a17d4568ad5f745d36fc17846d3e0edf63d4e3c9fccb9861579e957f7a560217/behavior