APT32 poisoning GitHub to target Chinese cybersecurity professionals and malware analysis
OK, let’s jump into the first part of the analysis: extracting TraceIndexer.exe and TTDReplay.dll from the malicious file.
The incident summary and details are available from China's ThreatBook: APT32 Poisoning GitHub, Targeting Chinese Cybersecurity Professionals and Specific Large Enterprises | ThreatBook CTI.
Here I focus on the malware analysis process itself. The malicious file is the .suo from the GitHub project, which APT32 has since removed; its structure is as follows:
Let’s go to the malicious .suo file. It is an OLE compound document (a Visual Studio solution user options file), so you can unpack it with 7-Zip.
Here is the file list:
Note the large stream, VsToolboxService; open it with a text editor such as Notepad or EmEditor.
The malicious code is serialized by a .NET formatter, with very long base64-encoded strings inside. Copy them into CyberChef and decode.
Then copy the highlighted (yellow) portion and base64-decode it again.
Now save the result and identify it: the payload was base64-encoded, and what comes out is a .NET assembly.
Some of its strings are shown below; open it in dnSpy to see the decompiled code.
Here the malware appears to consist of a loader and a plugin DLL, TraceIndexer.exe and TTDReplay.dll, so the important step is to extract both.
Let’s do it.
First: TraceIndexer.exe begins with the base64 string “TVqQ”.
Second: TTDReplay.dll begins with the base64 string “TVp4”.
Here we need to know that both “TVq” and “TVp” decode to “MZ”, the DOS header magic of a PE file. “TV” encodes “M” plus the high nibble of “Z”; the third character encodes the low nibble of “Z” together with the top two bits of the following byte, so it comes out as “q” when that byte is 0x90 (the usual MZ header) and “p” when it is 0x78. Either way, a long base64 string starting with “TV” followed by o, p, q or r is an encoded executable.
Back in the payload with HxD, we can search for those markers and carve the two files out one by one. If you search inside the .NET assembly itself, remember that its string constants are stored as UTF-16LE, so search for the marker as a Unicode string.
Open TraceIndexer.exe in IDA; it confirms the earlier guess.
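The decode-then-decode-again step and the marker search above can be automated. The following script is an added example written for this page, not code from the original post or from the malware: it scans a blob for long base64 runs, in both plain ASCII and the UTF-16LE form that .NET string constants take, decodes each run, keeps anything that starts with a base64 “MZ” prefix and has a valid e_lfanew pointing at a PE signature, and recurses into decoded data that is not a PE so that nested layers unwrap. The sample input is constructed: `fake_pe` builds a minimal MZ/PE header stand-in rather than a real executable, and `build_sample` nests it two base64 layers deep to mimic the VsToolboxService stream.

```python
import base64
import re
import struct

# A run of base64 text long enough to plausibly hold an executable.  Real PE
# files encode to thousands of characters; 64 is just a loose floor for scanning.
# .NET stores string constants as UTF-16LE, so the same run is also matched
# with a NUL after every character (what a hex editor shows as "T.V.q.Q.").
B64_ASCII = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
B64_UTF16 = re.compile(rb"(?:[A-Za-z0-9+/]\x00){64,}(?:=\x00){0,2}")

# Every base64 run that decodes to "MZ..." starts with "TV" plus one of o/p/q/r:
# "TV" encodes 'M' and the high nibble of 'Z'; the third character encodes the
# low nibble of 'Z' (1010) plus the top two bits of the next byte.
MZ_PREFIXES = tuple(b"TV" + c for c in (b"o", b"p", b"q", b"r"))


def b64_marker(data):
    """Base64 of the first three bytes, i.e. the marker you would search for
    in a hex editor: b"MZ\\x90" -> b"TVqQ", b"MZx" -> b"TVp4"."""
    return base64.b64encode(data[:3])


def looks_like_pe(data):
    """Cheap PE sanity check: DOS magic, and e_lfanew pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def base64_runs(blob):
    """Yield candidate base64 runs from both encodings, NULs stripped."""
    for m in B64_ASCII.finditer(blob):
        yield m.group(0)
    for m in B64_UTF16.finditer(blob):
        yield m.group(0)[::2]


def decode_run(run):
    """Decode one run, fixing up missing padding; None if it is not base64."""
    if len(run) % 4 == 1:          # one stray alphabet char glued to the end
        run = run[:-1]
    run += b"=" * (-len(run) % 4)
    try:
        return base64.b64decode(run, validate=True)
    except ValueError:
        return None


def carve(blob, depth=0, max_depth=3):
    """Return every PE image reachable through up to max_depth base64 layers.
    A decoded run that is not itself a PE is scanned again, which is how the
    nested encoding (decode, then decode again) unwraps."""
    found = []
    for run in base64_runs(blob):
        data = decode_run(run)
        if data is None:
            continue
        if run.startswith(MZ_PREFIXES) and looks_like_pe(data):
            found.append(data)
        elif depth < max_depth:
            found.extend(carve(data, depth + 1, max_depth))
    return found


def fake_pe(third_byte, tag):
    """Constructed stand-in for a PE (not a real binary): a DOS header whose
    e_lfanew points at a 'PE\\0\\0' signature, followed by a tag and padding."""
    dos = bytearray(0x40)
    dos[0:3] = b"MZ" + bytes([third_byte])
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + tag + b"\0" * 64


def build_sample():
    """Constructed stand-in for the VsToolboxService stream: base64 wrapping
    text that holds a second base64 layer, whose content is a .NET-style blob
    carrying both executables as UTF-16LE base64 strings."""
    exe = fake_pe(0x90, b"TraceIndexer")     # encodes to "TVqQ..."
    dll = fake_pe(0x78, b"TTDReplay")        # encodes to "TVp4..."
    inner = b"\0" * 8
    for pe in (exe, dll):
        inner += base64.b64encode(pe).decode().encode("utf-16-le") + b"\0" * 8
    middle = b"<payload>" + base64.b64encode(inner) + b"</payload>"
    return b"serialized formatter stream ... " + base64.b64encode(middle) + b" ..."


if __name__ == "__main__":
    for pe in carve(build_sample()):
        print(b64_marker(pe), len(pe), "bytes")
```

On a real sample, feed the raw VsToolboxService stream (or the decoded payload) to `carve` and write each returned image to disk; the prefix check keeps the scan cheap, and `looks_like_pe` filters out runs that merely start with “TV” by accident.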
Now let’s jump to the second part of the analysis: TraceIndexer.exe and TTDReplay.dll.
Before starting, we need to set the command line in x64dbg, because the loader expects two parameters; without them the process simply exits.
The malware collects victim information such as the computer name and user name, and it also enumerates the running processes on the machine, base64-encodes that list, and packs everything into a JSON body.
It then uses the Notion API token 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 as the authorization token to POST the data back to the C2:
C2 server: https://api.notion.com/v1/blocks/11f5edabab70805fb7ebe2a462f4b7c0/children
The Notion page ID 11f5edabab708090b982d1fe423f2c0b is embedded in TTDReplay.dll.
Because the C2 is a legitimate SaaS endpoint over HTTPS, the beacon blends in with normal Notion traffic; the distinguishing signals are the block ID in the URL, the ntn_ bearer token, and the process making the request.
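The beacon described above, a JSON POST to the Notion blocks endpoint with a bearer token, is easy to miss because api.notion.com is a legitimate host. The following is an added detection example written for this page, not code from the original post: it classifies network records by endpoint shape (POST to /v1/blocks/<id>/children), the known block and page IDs, the ntn_ token prefix and the requesting process, and it base64-decodes any string in the request body that turns into printable text, which recovers the packed process list. The record format, the baseline process allowlist and the body layout (Notion's append-children shape) are assumptions for the example, and the sample records are constructed, with a placeholder token rather than the real one.

```python
import base64
import json
import re
from urllib.parse import urlparse

# Indicators taken from the analysis above.  The bearer token itself is not
# matched on: it is trivially rotated, while the endpoint shape is not.
IOC_BLOCK_IDS = {
    "11f5edabab70805fb7ebe2a462f4b7c0",   # block id in the C2 URL
    "11f5edabab708090b982d1fe423f2c0b",   # page id embedded in TTDReplay.dll
}
TOKEN_PREFIX = "ntn_"                     # Notion API token prefix
BLOCK_CHILDREN = re.compile(r"^/v1/blocks/([0-9a-f]{32})/children/?$")
# Processes expected to talk to api.notion.com on a workstation.  This
# baseline is an assumption for the example; tune it to your estate.
BASELINE_PROCS = {"notion.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def decode_b64_strings(obj):
    """Walk a decoded JSON body and return every string that base64-decodes to
    printable text; this recovers the base64-packed process list."""
    out = []
    if isinstance(obj, dict):
        for v in obj.values():
            out.extend(decode_b64_strings(v))
    elif isinstance(obj, list):
        for v in obj:
            out.extend(decode_b64_strings(v))
    elif isinstance(obj, str) and len(obj) >= 16 and len(obj) % 4 == 0:
        try:
            text = base64.b64decode(obj, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return out
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            out.append(text)
    return out


def triage(record):
    """Classify one network record: a dict with method, url, process and,
    where TLS inspection provides them, authorization and body.  Returns
    (severity, reason, details) or None if it is not a Notion block append."""
    u = urlparse(record["url"])
    m = BLOCK_CHILDREN.match(u.path)
    if u.hostname != "api.notion.com" or record["method"].upper() != "POST" or not m:
        return None
    block_id = m.group(1)
    proc = record.get("process", "").lower()
    details = {
        "block_id": block_id,
        "process": proc,
        "integration_token": record.get("authorization", "").startswith("Bearer " + TOKEN_PREFIX),
        "decoded_strings": [],
    }
    body = record.get("body")
    if body:
        try:
            details["decoded_strings"] = decode_b64_strings(json.loads(body))
        except ValueError:
            pass
    if block_id in IOC_BLOCK_IDS:
        return ("high", "known APT32 Notion block/page id", details)
    if proc not in BASELINE_PROCS:
        return ("medium", "block append from non-baseline process", details)
    return ("low", "block append from baseline process", details)


# Constructed records in the shape a TLS-inspecting proxy or EDR might emit.
# The JSON body mimics Notion's append-children request; the real beacon's
# exact field layout is not shown on the page, so this is an assumption.
PROCESS_LIST = b"System\r\nsmss.exe\r\nx64dbg.exe\r\nTraceIndexer.exe"
SAMPLE_RECORDS = [
    {"process": "Notion.exe", "method": "POST",
     "url": "https://api.notion.com/v1/blocks/0123456789abcdef0123456789abcdef/children",
     "authorization": "Bearer secret_workspace"},
    {"process": "TraceIndexer.exe", "method": "POST",
     "url": "https://api.notion.com/v1/blocks/11f5edabab70805fb7ebe2a462f4b7c0/children",
     "authorization": "Bearer ntn_PLACEHOLDER",
     "body": json.dumps({"children": [{"object": "block", "type": "paragraph",
              "paragraph": {"rich_text": [{"type": "text", "text": {
                  "content": base64.b64encode(PROCESS_LIST).decode()}}]}}]})},
    {"process": "svchost.exe", "method": "POST",
     "url": "https://api.notion.com/v1/blocks/fedcba9876543210fedcba9876543210/children",
     "authorization": "Bearer ntn_SOMETHING_ELSE"},
    {"process": "chrome.exe", "method": "GET",
     "url": "https://www.notion.so/workspace/some-page"},
]


def run_triage(records=SAMPLE_RECORDS):
    """Return the non-None verdicts, in input order."""
    return [v for v in (triage(r) for r in records) if v]


if __name__ == "__main__":
    for sev, reason, det in run_triage():
        print(sev, reason, det["process"], det["block_id"], det["decoded_strings"])
```

The rule keys on the endpoint and the requesting process rather than on the token string, because an attacker rotates a token far more easily than they change the API they abuse; the ntn_ prefix is recorded only as supporting evidence.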
End.