Malware Analysis Report (AR19-252A)

MAR-10135536-10 – North Korean Trojan: BADCALL

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Trojan malware variants used by the North Korean government - referred to by the U.S. Government as BADCALL. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.

FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware, report the activity to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

This report provides analysis of four (4) malicious executable files. The first three (3) files are 32-bit Windows executables that function as proxy servers and implement a "Fake TLS" method similar to the behavior described in a previously published NCCIC report, MAR-10135536-B. The fourth file is an Android Package Kit (APK) file designed to run on Android platforms as a fully functioning Remote Access Tool (RAT).

For a downloadable copy of IOCs, see:

Submitted Files (4)

4257bb11570ed15b8a15aa3fc051a580eab5d09c2f9d79e4b264b752c8e584fc (C01DC42F65ACAF1C917C0CC29BA63A...)

93e13ffd2a2f1a13fb9a09de1d98324f75b3f0f8e0c822857ed5ca3b73ee3672 (22082079AB45CCC256E73B3A7FD547...)

d1f3b9372a6be9c02430b6e4526202974179a674ce94fe22028d7212ae6be9e7 (C6F78AD187C365D117CACBEE140F62...)

edd2aff8fad0c76021adc74fe3cb3cb1a02913a839ad0f2cf31fdea8b5aa8195 (D93B6A5C04D392FC8ED30375BE17BE...)

Additional Files (2)

91650e7b0833a34abc9e51bff53cc05ef333513c6be038df29929a0a55310d9c (z)

da353b2845a354e1a3f671e4a12198e2c6f57a377d02dfaf90477869041a044f (hc.zip)

Findings

d1f3b9372a6be9c02430b6e4526202974179a674ce94fe22028d7212ae6be9e7

Tags

backdoor, downloader, trojan

Details
Name C6F78AD187C365D117CACBEE140F6230
Size 208896 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 c6f78ad187c365d117cacbee140f6230
SHA1 5116f281c61639b48fd58caaed60018bafdefe7a
SHA256 d1f3b9372a6be9c02430b6e4526202974179a674ce94fe22028d7212ae6be9e7
SHA512 f03fe686fac20714a6a7141bff1471c9187b0d4630752fb5eb922605dbb74105c1ecced7e1980a0d79195c1a7f1b2f221e483bc9f7e2164a8b4290b512e06503
ssdeep 1536:X86D0r4QxG5+XCFpaG7+esyzktLYUwnZ7hUOKYUwnZ7hUOaeYUwnZ7hUOKYUwnZr:X8O0IgCvH7+UzktMxzxgRxzx9
Entropy 6.833120
Antivirus
Ahnlab Backdoor/Win32.Akdoor
Antiy Trojan/Win32.BTSGeneric
BitDefender Trojan.Agent.CUTNUnclassified
ClamAV Win.Trojan.BadCall-6473322-0
Cyren W32/Trojan.DCIV-3872
ESET Win32/NukeSped.CX trojan
Emsisoft Trojan.Agent.CUTN (B)
Ikarus Trojan.Win32.NukeSped
K7 Trojan ( 005272fc1 )
Microsoft Security Essentials Backdoor:Win32/Hidcob.A
NANOAV Trojan.Win32.NukeSped.eydshe
Sophos Troj/Cruprox-C
Symantec Trojan Horse
TACHYON Backdoor/W32.Agent.208896.DD
TrendMicro BKDR_NUKESPED.A
TrendMicro House Call BKDR_NUKESPED.A
Vir.IT eXplorer Trojan.Win32.Dnldr26.BAYE
VirusBlokAda Trojan.Downloader
Zillya! Trojan.NukeSped.Win32.49
Yara Rules
hidden_cobra_consolidated.yara

rule NK_SSL_PROXY
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10135536"
        Date = "2018-01-09"
        Category = "Hidden_Cobra"
        Family = "BADCALL"
        Description = "Detects NK SSL PROXY"
        MD5_1 = "C6F78AD187C365D117CACBEE140F6230"
        MD5_2 = "C01DC42F65ACAF1C917C0CC29BA63ADC"
    strings:
        $s0 = {8B4C24088A140880F24780C228881408403BC67CEF5E}
        $s1 = {568B74240C33C085F67E158B4C24088A140880EA2880F247881408403BC67CEF5E}
        $s2 = {4775401F713435747975366867766869375E2524736466}
        $s3 = {67686667686A75797566676467667472}
        $s4 = {6D2A5E265E676866676534776572}
        $s5 = {3171617A5853444332337765}
        $s6 = "ghfghjuyufgdgftr"
        $s7 = "q45tyu6hgvhi7^%$sdf"
        $s8 = "m*^&^ghfge4wer"
    condition:
        ($s0 and $s1 and $s2 and $s3 and $s4 and $s5) or ($s6 and $s7 and $s8)
}

hidden_cobra_consolidated.yara

rule xor_add
{
    meta:
        Author = "CISA trusted 3rd party"
        Incident = "10135536"
        Date = "2018-04-19"
        Category = "Hidden_Cobra"
        Family = "n/a"
        Description = "n/a"
    strings:
        $decode = { 80 ea 28 80 f2 47 }
        $encode = { 80 f2 47 80 c2 28 }
    condition:
        uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550 and all of them
}
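The xor_add rule above is short enough to walk through by hand. The following is an added example (it is not part of the MAR and not CISA tooling) that reimplements the rule's condition in plain Python: the "MZ" check at offset 0, the "PE" signature at the offset stored at 0x3C, and the presence of both instruction-byte patterns. The two patterns are the x86 encodings of `sub dl, 28h ; xor dl, 47h` (decode) and `xor dl, 47h ; add dl, 28h` (encode). The PE image the example scans is constructed inline for testing and is not a real sample.

```python
"""Plain-Python restatement of the xor_add YARA condition (added example)."""
import struct

# Byte patterns copied from the xor_add rule.
#   80 ea 28 = sub dl, 28h ; 80 f2 47 = xor dl, 47h   (receive-side decode)
#   80 f2 47 = xor dl, 47h ; 80 c2 28 = add dl, 28h   (send-side encode)
DECODE_PATTERN = bytes.fromhex("80ea2880f247")
ENCODE_PATTERN = bytes.fromhex("80f24780c228")


def is_pe(image: bytes) -> bool:
    """uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550, as in the rule."""
    if len(image) < 0x40:
        return False
    if struct.unpack_from("<H", image, 0)[0] != 0x5A4D:  # "MZ"
        return False
    pe_offset = struct.unpack_from("<I", image, 0x3C)[0]
    if pe_offset + 2 > len(image):
        return False
    return struct.unpack_from("<H", image, pe_offset)[0] == 0x4550  # "PE"


def matches_xor_add(image: bytes) -> bool:
    """True when the image is a PE file and contains both byte patterns ('all of them')."""
    return is_pe(image) and DECODE_PATTERN in image and ENCODE_PATTERN in image


def build_fake_pe(body: bytes, pe_offset: int = 0x80) -> bytes:
    """Construct a minimal MZ/PE-looking buffer for exercising the checks (not a real PE)."""
    header = bytearray(pe_offset)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, pe_offset)
    return bytes(header) + b"PE\0\0" + body


# Constructed test image: filler, the encode sequence, more filler, the decode sequence.
SAMPLE_IMAGE = build_fake_pe(b"\x90" * 16 + ENCODE_PATTERN + b"\xcc" * 8 + DECODE_PATTERN)

if __name__ == "__main__":
    print("constructed image matches xor_add:", matches_xor_add(SAMPLE_IMAGE))
```

Both patterns are only six bytes long, and the rule's own metadata lists no family, so a hit from xor_add alone is a lead rather than a verdict; the NK_SSL_PROXY strings (the handshake values and the full loop bodies in $s0 and $s1) are the ones that tie a file to BADCALL specifically.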
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2016-02-06 22:17:51-05:00
Import Hash 3f197f5c6469421f4472504b1bada91e
PE Sections
MD5 Name Raw Size Entropy
a8f97910c62034b318e17aa17fb97f1c header 4096 0.688106
08112b571663ff5ed42e331a00ccce0c .text 53248 6.508967
ca61927558a4dfe9305eb037a5432960 .rdata 8192 4.573237
bb49b2fb00c1ae88ad440971914711a7 .data 139264 6.941279
c58b62cf949e8636ebd5c75f482207c3 .sxdata 4096 0.181138
Packers/Compilers/Cryptors
Microsoft Visual C++ v6.0
Description

This file is a malicious 32-bit Windows executable. Analysis indicates this application is designed to force a compromised system to function as a proxy server. When executed, the malware binds and listens for incoming connections on port 8000 of the compromised system. The proxy session traffic is protected by a simple cipher based on rotating XOR and ADD: each byte sent is XORed with 47h and then has 28h added to it, and each byte received has 28h subtracted from it and is then XORed with 47h (the same two steps applied in reverse order). See Figures 1, 2 and 3 for code examples. Notably, this malware attempts to disable the Windows firewall before binding to port 8000 by modifying the following registry key:

--Begin Firewall Reg Key Modified--

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

--End Firewall Reg Key Modified--

Analysis of this malware indicates it is designed to turn a victim host into a "hop point" by relaying traffic to a remote system. When the adversary initially connects to a victim's machine via port 8000, the adversary must first authenticate (over a session secured with the XOR/ADD cipher described above) by providing the ASCII string "1qazXSDC23we". If the malware does not receive this value, it terminates the session, responding with the value "m*^&^ghfge4wer".

If the operator authenticates successfully, they can then issue the command "ghfghjuyufgdgftr", which instructs the malware to begin functioning as a proxy server and to respond to the operator with the value "q45tyu6hgvhi7^%$sdf". Next, the malware attempts to create a proxy session between the operator and another server. During this process, the malware attempts to authenticate with the destination server by sending the value "ghfghjuyufgdgftr" as a challenge. To complete the authentication sequence, the malware expects to receive the response value "q45tyu6hgvhi7^%$sdf". All challenge and response traffic is encoded using the ADD/XOR cipher described earlier.
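The cipher and the handshake strings above are all the information needed to decode a captured port-8000 payload and see which step of the exchange it carries. The following is an added example, not code from the MAR: it implements the byte transform (send side: XOR 47h then ADD 28h; receive side: SUB 28h then XOR 47h, the order given by the report's own $encode and $decode byte patterns), shows that the two directions are exact inverses, and reports which of the documented handshake values appear in a decoded payload and at what offset. Because the transform is keyless and byte-wise, the wire form of each handshake value is a constant byte string, which `wire_signature()` returns for use in a network signature. The captured payload is constructed inline, not taken from a real session.

```python
"""BADCALL XOR/ADD transform and handshake-marker decoder (added example)."""

XOR_KEY = 0x47  # 47h
ADD_KEY = 0x28  # 28h

# Handshake values the report documents for sample C6F78AD187C365D117CACBEE140F6230.
MARKERS = {
    "operator_auth": b"1qazXSDC23we",        # operator -> implant, required first
    "auth_reject": b"m*^&^ghfge4wer",         # implant -> operator on failed auth
    "proxy_command": b"ghfghjuyufgdgftr",     # operator -> implant; implant -> destination
    "proxy_ack": b"q45tyu6hgvhi7^%$sdf",      # implant -> operator; destination -> implant
}


def encode(data: bytes) -> bytes:
    """Send side: XOR each byte with 47h, then add 28h (mod 256)."""
    return bytes(((b ^ XOR_KEY) + ADD_KEY) & 0xFF for b in data)


def decode(data: bytes) -> bytes:
    """Receive side: undo the steps in reverse order: subtract 28h (mod 256), then XOR 47h."""
    return bytes(((b - ADD_KEY) & 0xFF) ^ XOR_KEY for b in data)


def round_trips_all_bytes() -> bool:
    """True when decode(encode(x)) == x for every byte value, i.e. the transform is invertible."""
    everything = bytes(range(256))
    return decode(encode(everything)) == everything


def wire_signature(marker_name: str) -> str:
    """Hex of the encoded form of a marker as it would appear on the wire (constant, no key/IV)."""
    return encode(MARKERS[marker_name]).hex()


def find_markers(wire_payload: bytes) -> list:
    """Decode a captured payload and list (marker_name, offset) for each documented value found."""
    plain = decode(wire_payload)
    hits = []
    for name, value in MARKERS.items():
        offset = plain.find(value)
        if offset != -1:
            hits.append((name, offset))
    return sorted(hits, key=lambda hit: hit[1])


# Constructed payload (not a real capture): operator authenticates, then requests proxy mode.
SAMPLE_WIRE = encode(MARKERS["operator_auth"] + MARKERS["proxy_command"])

if __name__ == "__main__":
    print("invertible:", round_trips_all_bytes())
    print("operator_auth on the wire:", wire_signature("operator_auth"))
    print("markers in sample payload:", find_markers(SAMPLE_WIRE))
```

Running `find_markers` over the decoded payload rather than the raw bytes matters: a plain string match for "1qazXSDC23we" on the wire would never fire, because the implant only ever sees the transformed bytes. Matching the constant encoded form (the `wire_signature` output) instead is the equivalent check for a sensor that cannot decode.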

The proxy session begins with a remote operator connecting to this implant via a "fake TLS" connection attempt, similar to the behavior described in a previously released NCCIC report, MAR-10135536-B. Essentially, the malware initiates the TLS session using one of several public SSL certificates obtained from well-known, legitimate internet services and embedded in the malware. However, the traffic from the operator to this implant is not protected with SSL / TLS encryption; it is only protected via the ADD/XOR cipher embedded within this implant (see Figures 2 and 3). If the remote operator authenticates correctly as detailed above, the implant attempts to begin a proxy session with the remote target system. The traffic between this implant and the remote systems is sent and received via the SSL_read and SSL_write APIs available in OpenSSL. However, the malware does not appear to attempt to load an SSL private key or certificate.

The malware contains public SSL certificates for the following list of domains, which are used for initiating the "fake TLS" session:

--Begin SSL Certificate Strings--

myservice.xbox.com
uk.yahoo.com
web.whatsapp.com
www[.]apple.com
www[.]baidu.com
www[.]bing.com
www[.]bitcoin.org
www[.]comodo.com
www[.]debian.org
www[.]dropbox.com
www[.]facebook.com
www[.]github.com
www[.]google.com
www[.]lenovo.com
www[.]microsoft.com
www[.]paypal.com
www[.]tumblr.com
www[.]twitter.com
www[.]wetransfer.com
www[.]wikipedia.org

--End SSL Certificate Strings--

Screenshots

Figure 1 - (screenshot not reproduced in this text version)

Figure 2 - (screenshot not reproduced in this text version)

Figure 3 - (screenshot not reproduced in this text version)

Figure 4 - (screenshot not reproduced in this text version)

4257bb11570ed15b8a15aa3fc051a580eab5d09c2f9d79e4b264b752c8e584fc

Tags

backdoor, trojan

Details
Name C01DC42F65ACAF1C917C0CC29BA63ADC
Size 233472 bytes
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 c01dc42f65acaf1c917c0cc29ba63adc
SHA1 d288766fa268bc2534f85fd06a5d52264e646c47
SHA256 4257bb11570ed15b8a15aa3fc051a580eab5d09c2f9d79e4b264b752c8e584fc
SHA512 0ff6745ef787e89bd0f154bd96571f086f6b6596621e7211bb8ce8f970a26a72770a44b9aa1b906e6599dd5f421e0dd50895e2cde9ba85be78b9efbc3e8db5c0
ssdeep 1536:cseScclTQDYY3TSF00sK/LVtKYUwnZ7hUO1YUwnZ7hUOAeYUwnZ7hUO7YUwnZ7hj:cseScjYY3Tyc0LVt9xsxuRxSxzxg0j
Entropy 6.861843
Antivirus
Ahnlab Backdoor/Win32.Akdoor
Antiy Trojan/Win32.BTSGeneric
Avira TR/NukeSped.ydcjt
BitDefender Trojan.Agent.CBEJUnclassified
ClamAV Win.Trojan.Agent-6449123-0
Cyren W32/Agent.OOKJ-8303
ESET Win32/NukeSped.CX trojan
Emsisoft Trojan.Agent.CBEJ (B)
Ikarus Trojan.Agent
K7 Trojan ( 005272fc1 )
Kaspersky Backdoor.Win32.Agent.texxz
McAfee Generic.ayf
Microsoft Security Essentials Trojan:Win32/Autophyte.B!dha
NANOAV Trojan.Win32.NukeSped.eyembk
Quick Heal Trojan.Multi
Sophos Troj/BadCall-A
Symantec Trojan Horse
TACHYON Trojan/W32.Agent.233472.APN
TrendMicro BKDR_NUKESPED.B
TrendMicro House Call BKDR_NUKESPED.B
Vir.IT eXplorer Backdoor.Win32.Agent.LX
VirusBlokAda Backdoor.Agent
Zillya! Trojan.Agent.Win32.879097
Yara Rules
hidden_cobra_consolidated.yara

rule NK_SSL_PROXY
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10135536"
        Date = "2018-01-09"
        Category = "Hidden_Cobra"
        Family = "BADCALL"
        Description = "Detects NK SSL PROXY"
        MD5_1 = "C6F78AD187C365D117CACBEE140F6230"
        MD5_2 = "C01DC42F65ACAF1C917C0CC29BA63ADC"
    strings:
        $s0 = {8B4C24088A140880F24780C228881408403BC67CEF5E}
        $s1 = {568B74240C33C085F67E158B4C24088A140880EA2880F247881408403BC67CEF5E}
        $s2 = {4775401F713435747975366867766869375E2524736466}
        $s3 = {67686667686A75797566676467667472}
        $s4 = {6D2A5E265E676866676534776572}
        $s5 = {3171617A5853444332337765}
        $s6 = "ghfghjuyufgdgftr"
        $s7 = "q45tyu6hgvhi7^%$sdf"
        $s8 = "m*^&^ghfge4wer"
    condition:
        ($s0 and $s1 and $s2 and $s3 and $s4 and $s5) or ($s6 and $s7 and $s8)
}

hidden_cobra_consolidated.yara

rule xor_add
{
    meta:
        Author = "CISA trusted 3rd party"
        Incident = "10135536"
        Date = "2018-04-19"
        Category = "Hidden_Cobra"
        Family = "n/a"
        Description = "n/a"
    strings:
        $decode = { 80 ea 28 80 f2 47 }
        $encode = { 80 f2 47 80 c2 28 }
    condition:
        uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550 and all of them
}
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2016-02-05 13:16:54-05:00
Import Hash 0b10d6fde1b7cdd778e0338a2d7e5046
PE Sections
MD5 Name Raw Size Entropy
f0cb80c557b1172362064c51bbb9b271 header 4096 0.696473
e9d0219343e64c8c8aa6f084db44b92c .text 45056 6.324040
1092801819f120298e2ddac6a96e3fd0 .rdata 8192 3.775333
5109fb1db61b533c23762d9044579db7 .data 167936 7.045393
9ce04d3e820fa7056f351dbcfa05b0fb .reloc 8192 2.767666
Packers/Compilers/Cryptors
Microsoft Visual C++ 6.0
Microsoft Visual C++ 6.0 DLL (Debug)
Description

This file is a malicious 32-bit Windows DLL. Static analysis indicates this application is very similar in structure and function to C6F78AD187C365D117CACBEE140F6230. However, rather than being a PE32 executable this application is a Windows 32-bit DLL, which must be loaded by an external loader. This external loader was not included within this submission.

This DLL is designed to force a compromised system to act as a proxy server. This implant is designed to proxy network traffic from an operator to another software tool that is being operated by the adversary on a remote system. The traffic to and from this proxy server is protected with the same simple XOR / ADD cipher used by the malware C6F78AD187C365D117CACBEE140F6230. Static analysis indicates that sessions from the remote operator connecting directly to this implant are protected via SSL / TLS; the proxy sessions to the remote systems, however, are not protected via TLS but instead use a "fake TLS" session. The traffic from the operator to this implant and the traffic from the implant to the remote systems are both protected via the embedded XOR / ADD cipher (see screenshot). To implement SSL with the remote operator, the malware loads a private key from a file named 'wbemhost.dll' and a certificate from a file named 'netconf.dll'. This malware does not drop either of these files (see Figure 7).

Analysis of this malware indicates it is designed to bind to and listen for incoming connections on the victim's system after disabling the firewall by modifying the following registry key. The firewall is disabled by allowing incoming access on port 443.

--Begin Firewall Reg Key Modified--

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

--End Firewall Reg Key Modified--

After connecting to this malware, the operator must issue the challenge value "qwertyuiop" to authenticate with the implant (see Figure 5). This malware also has the added capability of allowing an operator to collect information about the compromised system. This information is collected using the Windows APIs GetComputerNameW, gethostbyname, and GetAdaptersInfo. In order to use this feature, the operator must issue the instruction value "ghfghjuyufgdgftr" after authenticating. As with C6F78AD187C365D117CACBEE140F6230, this malware uses the OpenSSL functions SSL_read() and SSL_write() to exchange data with the operator; however, the malware additionally uses the simple XOR cipher described earlier to decrypt incoming traffic.

Analysis indicates this malware must also authenticate with the destination server to which the operator wishes to proxy traffic. To do so, this malware first sends that remote server the challenge value "1qazXSDC23we". The malware must then receive the response "m*^&^ghfge4wer" from the destination server before it will allow the operator to proxy traffic to it (see Figure 6). The authentication values sent to and from this proxy server are protected via the same XOR / ADD cipher used by the malware C6F78AD187C365D117CACBEE140F6230 (see Figures 8-9).
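The DLL sample therefore takes part in two separate handshakes: one inbound from the operator ("qwertyuiop", then optionally "ghfghjuyufgdgftr") and one outbound to the destination server ("1qazXSDC23we", answered by "m*^&^ghfge4wer"), with both legs coded by the XOR/ADD transform. The following is an added example, not code from the MAR: a small tracker that walks a sequence of captured payloads, tagged with which leg and direction they belong to (relative to the implant), decodes each one, and records which handshake milestones were reached, so an analyst can see from a flow where the exchange stopped. It assumes the input payloads are the XOR/ADD-coded bytes; for the operator leg, which the report says is additionally wrapped in TLS, that means the TLS layer has already been removed, which is an assumption about the capture source and not something the report describes. The sample events are constructed, not from a real capture.

```python
"""Handshake milestone tracker for the BADCALL DLL sample (added example)."""

XOR_KEY = 0x47  # 47h
ADD_KEY = 0x28  # 28h

# Values documented in the report for sample C01DC42F65ACAF1C917C0CC29BA63ADC.
OPERATOR_AUTH = b"qwertyuiop"        # operator -> implant
INFO_COMMAND = b"ghfghjuyufgdgftr"   # operator -> implant, after authentication
DEST_CHALLENGE = b"1qazXSDC23we"     # implant -> destination server
DEST_RESPONSE = b"m*^&^ghfge4wer"    # destination server -> implant


def encode(data: bytes) -> bytes:
    """Send side: XOR 47h, then ADD 28h (mod 256)."""
    return bytes(((b ^ XOR_KEY) + ADD_KEY) & 0xFF for b in data)


def decode(data: bytes) -> bytes:
    """Receive side: SUB 28h (mod 256), then XOR 47h."""
    return bytes(((b - ADD_KEY) & 0xFF) ^ XOR_KEY for b in data)


def track_session(events) -> list:
    """Walk (leg, direction, wire_bytes) events and return the handshake milestones seen in order.

    leg is "operator" or "destination"; direction is "in" (toward the implant)
    or "out" (from the implant). Payloads are decoded before comparison.
    """
    milestones = []
    operator_ok = False      # operator has presented "qwertyuiop"
    challenge_sent = False   # implant has sent "1qazXSDC23we" to the destination
    for leg, direction, wire in events:
        plain = decode(wire)
        if leg == "operator" and direction == "in":
            if not operator_ok:
                if plain.startswith(OPERATOR_AUTH):
                    operator_ok = True
                    milestones.append("operator_authenticated")
                else:
                    milestones.append("operator_auth_failed")
            elif plain.startswith(INFO_COMMAND):
                milestones.append("host_info_requested")
        elif leg == "destination" and direction == "out":
            if plain.startswith(DEST_CHALLENGE):
                challenge_sent = True
                milestones.append("destination_challenged")
        elif leg == "destination" and direction == "in" and challenge_sent:
            # Only the reply to an observed challenge counts as an authentication result.
            if plain.startswith(DEST_RESPONSE):
                milestones.append("destination_authenticated")
            else:
                milestones.append("destination_auth_failed")
            challenge_sent = False
    return milestones


# Constructed event sequence (not a real capture): a complete, successful exchange.
SAMPLE_EVENTS = [
    ("operator", "in", encode(OPERATOR_AUTH)),
    ("operator", "in", encode(INFO_COMMAND)),
    ("destination", "out", encode(DEST_CHALLENGE)),
    ("destination", "in", encode(DEST_RESPONSE)),
]

if __name__ == "__main__":
    print(track_session(SAMPLE_EVENTS))
```

The outbound leg is the one worth watching from a network perspective: an internal host that sends the constant encoded form of "1qazXSDC23we" to an external address on its own, without any operator traffic preceding it, is behaving as the proxy the report describes.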

The following is a list of the domains for which the malware contains public SSL certificates, used for initiating the "FAKE TLS" sessions:

--Begin SSL cert list--

myservice.xbox.com
uk.yahoo.com
web.whatsapp.com
www[.]apple.com
www[.]baidu.com
www[.]bing.com
www[.]bitcoin.org
www[.]comodo.com
www[.]debian.org
www[.]dropbox.com
www[.]facebook.com
www[.]github.com
www[.]google.com
www[.]lenovo.com
www[.]microsoft.com
www[.]paypal.com
www[.]tumblr.com
www[.]twitter.com
www[.]wetransfer.com
www[.]wikipedia.org

--End SSL cert list--

Screenshots