Tuesday, February 25, 2025

Unveiling APT28’s Advanced Obfuscated Loader and HTA Trojan: A Deep Dive with x32dbg Debugging

 

Summary

I recently noted that APT28 is conducting cyber espionage against diplomatic relations in Central Asia and Kazakhstan. The sekoia.io report, whose third part covers the HATVIBE and CHERRYSPY infection chain and relates to another report from CERT-UA, drew my attention to the .hta extension. That sample is heavily obfuscated, so for this analysis we will focus on a deep dive with x32dbg debugging.

 

Technical analysis

The sample hashes:

md5: d0c3b49e788600ff3967f784eb5de973

sha256: 332d9db35daa83c5ad226b9bf50e992713bc6a69c9ecd52a1223b81e992bc725

Format: plain text

 

Opening it with Notepad++ shows the .hta file extension and a heavily obfuscated script. This kind of obfuscation is often used in malicious scripts, such as malware or spyware, to make the code harder to understand or reverse-engineer, to hide its true intention, and to evade detection.

Fig.1-.hta heavily obfuscated

 

The code snippet in Fig. 1 contains the HTML tag <script Language="VBScript.Encode">, which indicates encoded VBScript. The Encode part suggests that the script has been encoded to obscure its real content. The string following the #@~^uAsAAA== marker is a form of obfuscated or encoded data. It looks like base64, but decoding it that way failed after many tries, so I chose to do it with x32dbg debugging.
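The #@~^ marker is the header of the Windows Script Encoder format: the eight base64 characters after it carry the little-endian 32-bit length of the encoded body, and the block closes with ^#~@. The triage script below is an added example (not code from the post); only the header "#@~^uAsAAA==" is taken from the sample, while the HTA body and the encoded payload are constructed placeholders.

```python
import base64
import re

# Constructed sample modelled on Fig. 1: an .hta whose <script> block uses VBScript.Encode.
# Only the header "#@~^uAsAAA==" comes from the post; the body is a placeholder.
SAMPLE_HTA = (
    '<html><head>\n'
    '<script Language="VBScript.Encode">#@~^uAsAAA==PLACEHOLDER_ENCODED_BODY==^#~@</script>\n'
    '</head></html>'
)

# Script Encoder block: "#@~^" + 8 base64 chars (LE length of the body) + body + "^#~@".
_ENCODED_BLOCK = re.compile(r'#@~\^([A-Za-z0-9+/=]{8})(.*?)\^#~@', re.S)
_SCRIPT_LANG = re.compile(r'<script[^>]*Language\s*=\s*"([^"]+)"', re.I)


def declared_length(header8: str) -> int:
    """Decode the 8-char base64 length field that follows '#@~^'."""
    return int.from_bytes(base64.b64decode(header8), "little")


def triage_hta(text: str) -> dict:
    """Report script languages, whether Script Encoder is used, and each block's lengths.

    A declared length that disagrees with the body actually present is a sign of
    truncation or tampering and is worth a closer look before dynamic analysis.
    """
    langs = _SCRIPT_LANG.findall(text)
    blocks = [{"declared_len": declared_length(h), "body_len": len(b)}
              for h, b in _ENCODED_BLOCK.findall(text)]
    return {
        "script_languages": langs,
        "uses_script_encoder": any(l.lower() == "vbscript.encode" for l in langs),
        "encoded_blocks": blocks,
    }


if __name__ == "__main__":
    print(triage_hta(SAMPLE_HTA))
```

For the header on the page the length field decodes to 3000 bytes, which is the size of the encoded body, not of the decoded script.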

 

Obviously, it can't be opened directly with x32dbg; otherwise it prompts an error saying "invalid PE file."

We need to know that an .hta file is run by the mshta.exe executable, so let's change the command line first as follows.

Fig.2-change the command line with mshta.exe

 

With Wireshark open and the sample run by pressing F9 many times, we find the IP address 5[.]45[.]70[.]178, which is the C2 server, but it never responded in any of the many tries.

Fig.3-monitor with Wireshark

 

Let's move to x32dbg. In the call stack I found many VBScript calls and set breakpoints on them.

Fig.4-Call Stack

 

Run it again and it stops at one breakpoint, which means the heavily obfuscated code has been decoded.

Fig.5-one breakpoint with VBScript

 

Try a string reference search; we are lucky and find long strings as follows.

Fig.6-deobfuscated strings

 

Follow the address in the memory dump, edit the view, and display it as a Unicode string, and we get the whole deobfuscated script. Reviewing the code: it makes an HTTP request with the PUT method, collects the computer name and user name from the compromised host, and sends them together with three key parameters, which appear to serve as authentication to the C2 server. The code then checks the response text of the HTTP request for a specific pattern and, if the pattern matches, proceeds to execute further operations. From this we know it is a Trojan designed to collect the victim's information and fetch the real payload to run from the C2 server.

Fig.7- Deobfuscated code

 

Adding details and diving deeper

 

The tracing above is a very quick way to get the source code, but my curiosity drove me to go back and dive deeper into the details of the deobfuscation, which is a time-consuming process. That is why I took a break after the discovery above and then continued to debug step by step, dissecting the heavily obfuscated strings found in the DS segment, which are copied through the AX register in a loop. Their size is 2.95 KB (3,026 bytes), and the script then calls the Windows API SysAllocStringLen, which allocates memory for the obfuscated strings of the specified length.

Fig.7.1-allocate memory for the length obfuscated strings

 

Let's keep moving forward: the value of the ESI parameter equals the size 3026, and "ss:[esp+10]" points to the address 008AC9BC, which is the start address of the obfuscated strings, so it seems this function will process those strings.

Fig.7.2-passing two parameters to the function vbscript.6DB6DC15

 

To keep moving forward, press F8 to execute the function vbscript.6DB6DC15, and it luckily returns the next layer of code, but the key part of that code is obfuscated again, which means the code is double obfuscated, as shown below. After more research, reading the sekoia.io report, I found the deobfuscated VBS with hash "0fa7e3ffb8a9ca246cc1f1e3f6118ced7a7b785de510d777b316dfcefdddb0be", which is the UAC0063 HATVIBE loader.

Fig.7.3- another deobfuscated code

 

The code decoded above is the final stage, as "Fig. 7-Deobfuscated code" shows; decoding it is very easy, and one can simply print the result out.

 

 

You need to know

Note: When I dove deeper into the attack samples, I changed the title of the report. The original title was “Unveiling APT28’s Heavily Obfuscated .hta Trojan: A Deep Dive with x32dbg Debugging”.


 

IOCs

Files:

md5: d0c3b49e788600ff3967f784eb5de973

sha256: 332d9db35daa83c5ad226b9bf50e992713bc6a69c9ecd52a1223b81e992bc725

md5: 690fe881d288167fde157c6fb834c3ef

sha256: 0fa7e3ffb8a9ca246cc1f1e3f6118ced7a7b785de510d777b316dfcefdddb0be

Network:

5[.]45[.]70[.]178
 

Conclusion

APT28's heavily obfuscated Trojan is written in VBScript, but unlike other obfuscated VBScript, where one can simply edit the code to print out the original source, this one resists that approach. That implies APT28 is actively seeking new opportunities and changing its tradecraft for cyber espionage campaigns. It is a big hidden threat to the digital world; let's pay closer attention.

End.


Saturday, February 22, 2025

APT44’s ASPX web shell leverages obfuscation techniques and firewall rule manipulation to evade detection

 

Summary

From the open and public intelligence, the Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455. This group has been active since at least 2009.

 

This report covers a new finding: an ASPX web shell from April 2024. Web shells have been relatively rare with the Sandworm Team, which points to a new tendency, shared with other APT groups, to pay more attention to web security, using a web server as an entry point and keeping persistence with a web shell as a backdoor.

 

Technical analysis

The sample md5: 7c33812c068c79190554b797dfd46629

 

The web shell is very simple but powerful: it can execute system commands, create a new Windows Firewall rule, upload and download files, write text content to a file, list files in a table, read files, and delete files and directories recursively.

Figure1-the main functions of web shell


The Ugw function accepts a system command to run and prints the output of the result. The line "ProcessStartInfo ghjf = new ProcessStartInfo(@"cm" + @"d.exe", @"/" + @"C" + uhgl.Text + "");" uses obfuscation techniques such as string concatenation and unnecessary escaping:

1. String concatenation: the code uses @"cm" + @"d.exe" instead of directly writing cmd.exe.

2. Unnecessary escaping: the use of @"/" + @"C" instead of simply "/C" adds another layer of obfuscation.

Figure2-execute command snippet
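Because the strings are only split, not encrypted, a source scanner can fold adjacent literals back together before matching on them. The scanner below is an added example (not code from the web shell or the post); it embeds the quoted ProcessStartInfo line inside a constructed ASPX fragment, and the surrounding method and control names are placeholders.

```python
import re

# Constructed ASPX fragment around the line quoted in the post; the handler and control
# names are placeholders, not the real web shell source.
SAMPLE_ASPX = '''
<script runat="server">
void Ugw(object s, EventArgs e) {
    ProcessStartInfo ghjf = new ProcessStartInfo(@"cm" + @"d.exe", @"/" + @"C" + uhgl.Text + "");
}
</script>
'''

# Two adjacent C# string literals (verbatim @"..." or plain "...") joined by '+'.
_ADJ_LITERALS = re.compile(r'@?"([^"\\]*)"\s*\+\s*@?"([^"\\]*)"')

# Indicators named in the post; matched only after concatenation has been folded.
SUSPICIOUS = ("cmd.exe", "/C", "ProcessStartInfo")


def fold_literals(src: str) -> str:
    """Merge @"a" + @"b" into "ab" repeatedly until no adjacent literal pairs remain."""
    prev = None
    while prev != src:
        prev = src
        src = _ADJ_LITERALS.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
    return src


def scan(src: str) -> dict:
    """Return indicators present after folding, and which ones concatenation had hidden."""
    folded = fold_literals(src)
    hits = [s for s in SUSPICIOUS if s in folded]
    return {
        "folded": folded,
        "hits": hits,
        "hidden_by_concat": [s for s in hits if s not in src],
    }


if __name__ == "__main__":
    print(scan(SAMPLE_ASPX))
```

A plain substring rule for "cmd.exe" misses the original line; after folding, both "cmd.exe" and "/C" are reported as indicators that the concatenation had hidden.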

 

The IROPn function runs a PowerShell command that creates a new Windows Firewall rule allowing inbound traffic on TCP port 250.

Figure3-powershell set the rule of windows Firewall

 

The FTYuvgh function handles a file-upload form submission: if the target file already exists it deletes it; otherwise it moves the uploaded file to the given path.

Figure4-to enter path to uploading file

 

The POIj function accepts an input path string and lists information about all files there in a table.

Figure5-list files in the table

 

The uiewhfdsvc function reads, deletes, and downloads files. It handles three different command events for a GridView, detailed as follows.

1. CommandName "ODJ" (reading file contents and updating the GridView)

Figure6-commandName is ODJ

 

2. CommandName "ODD" (deleting a directory and its contents)

Figure7-commandName is ODD

 

3. CommandName "ODO" (file download)

Figure8-commandName is ODO

 

The IUHj method is designed to recursively delete files and directories within a specified path.

Figure9- to recursively delete files and directories

 

 

IOCs

md5: 7c33812c068c79190554b797dfd46629

sha256: fbb42cf1326ca34c1f4e9149063418bc2136dbf79c46ed40599c479743c12171

 

Conclusion

The web shell from the Sandworm Team is very simple but powerful. Like other web shells it can upload and download files, execute system commands, and perform basic operations on files and directories, but it also has the ability to create a new Windows Firewall rule, which lets it open a path through the host firewall. So it is a hidden threat: a backdoor protected by obfuscation techniques.

End.


Thursday, February 20, 2025

APT Silver Fox is using a stock investment decoy and undocumented Windows API functions to evade detection

 

Summary

ValleyRAT is a remote access Trojan program used by the Silver Fox threat organization. I did threat hunting and found a lot of samples, but here I just analyzed one of them.

 

 

Technical analysis

ValleyRAT md5: 6923AB76F93C6D48B025D27A37E20D14

Format: portable executable for 80386 (PE)

Figure1-basic info

Release malware and decoy

ValleyRAT drops both the Trojan "moomoo x64.exe" and the decoy UUD.pdf into the directory "%LocalAppData%\Temp\". At the same time it starts a browser process (msedge.exe) to open UUD.pdf, which is meant to hold the victim's attention and cover the real motivation; the PDF is written in Japanese and explains how to invest in the stock market, which suggests the attacker is focused on specific potential victims. In the background it also starts the Trojan process "moomoo x64.exe".

Figure2-Stock market guide

 

 

The traffic between client and server

When the "moomoo x64.exe" process (md5: 11B499CC40D08A10C107A6FB55A31B65) is running in the background, the client connects to the server at "104[.]219[.]214[.]206:8008", sends a SYN, and receives an RST, ACK from the server; obviously the server is closed by now.

Figure3-The traffic between client and server

 

Dive deep inside

The traffic between client and server is produced by shellcode embedded in "moomoo x64.exe". The shellcode is stored in the global variable byte_479040 and must first be XORed with the constant 0xA7. The decoded result is copied to a buffer starting at memory address "000000000030E400" and ending with the special byte "A7"; its length is 0x256D1 (153,297 in decimal) bytes. The buffer's permissions are then changed with the API function VirtualProtect, and it is executed via the assembly instruction "call r13" until rasadhlp.dll is loaded.

Figure4-Xor and execute the shellcode

Figure5-the shellcode snippet in memory
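An analyst reproducing the step in Fig. 4 outside the debugger only needs the key and the terminator. The extractor below is an added example (not code from the malware or the post); it assumes the loop stops at the first byte equal to the key, since that byte decodes to 0x00, and it works on a constructed placeholder blob rather than the real byte_479040 contents.

```python
from typing import Tuple

XOR_KEY = 0xA7                  # constant named in the post
EXPECTED_LEN = 0x256D1          # decoded length named in the post (153,297 bytes)


def xor_extract(blob: bytes, key: int = XOR_KEY) -> Tuple[bytes, int]:
    """Decode a single-byte-XOR blob up to its terminator.

    Assumption: the region ends at the first byte equal to the key, which XORs to 0x00.
    Returns (decoded_bytes, bytes_consumed_including_terminator).
    """
    out = bytearray()
    for i, b in enumerate(blob):
        if b == key:                        # encoded 0x00: end of the region
            return bytes(out), i + 1
        out.append(b ^ key)
    raise ValueError("no terminator found; dump is truncated or key is wrong")


def check_length(decoded: bytes, expected: int = EXPECTED_LEN) -> bool:
    """Sanity check against the length reported in the post before marking the dump good."""
    return len(decoded) == expected


# Constructed placeholder: a harmless plaintext encoded the same way, followed by the
# terminator and some trailing bytes that must not be consumed.
PLAINTEXT = b"PLACEHOLDER-NOT-SHELLCODE"
SAMPLE_BLOB = bytes(c ^ XOR_KEY for c in PLAINTEXT) + bytes([XOR_KEY]) + b"\x11\x22"

if __name__ == "__main__":
    decoded, used = xor_extract(SAMPLE_BLOB)
    print(decoded, used, check_length(decoded))
```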

 

Lower-level undocumented Windows API functions

 

Moving to the entry point of rasadhlp.dll, a new find is LdrResFindResourceDirectory, an internal Windows API function used by the Windows loader (ntdll.dll) to locate and retrieve resource directories within a Portable Executable (PE) file.

 

ZwProtectVirtualMemory (also known as NtProtectVirtualMemory) is a Windows Native API function used to change the memory protection of a region of virtual memory in a process.

 

The embedded IP address 104[.]219[.]214[.]206 is decrypted after this call. LdrLoadDll is an undocumented Windows Native API function used to load a DLL into a process's address space.

Figure5.1-IP address

 

WSAttemptAutodialName is an undocumented function in the Windows Sockets (Winsock) API that attempts to trigger an autodial connection for a specified network name. Other undocumented functions are used as well (e.g. WSNoteSuccessfulHostentLookup, WahReferenceContextByHandle, etc.).

Figure5.2-connect to C2 


Policy and Evasion

The code dynamically resolves the addresses of critical Windows API functions (e.g., LoadLibraryA, VirtualProtect, CreateFiber, SwitchToFiber, etc.) to avoid detection by antivirus or analysis tools. It loads the necessary DLLs, activeds.dll and User32.dll, into the process address space. The API function VirtualProtect is used for memory manipulation, such as modifying memory permissions.

Figure6-The code of policy and evasion


The loop sleeps for 1 second per iteration, and it runs 10 times, so the total sleep time is 10 seconds. It seems to simulate a delay in execution; its potential aim is to do a simple anti-debug technique to waste time or frustrate reverse engineers.

Figure7-A simple anti-debug technique

 

To hinder an analyst debugging the malware, multiple traps around exit functions are set in the code's logic. An analyst who needs more details only has to do a little work to get past them; it is not complicated.

Figure8-Logic trap for anti-debug

 

The IsDebuggerPresent function is a Windows API function used to detect whether a debugger is attached to the current process.

Figure9-anti-debug

 

 

Generate a pseudo-random value

An interesting detail is that the code generates a unique, pseudo-random value from system information, combining the system time, process ID, thread ID, tick count, and performance counter. qword_4B37F0 is a global variable initialized to 0x2B992DDFA232LL; if qword_4B37F0 still holds this initial value, the code proceeds to generate a new one. The collected values are combined with XOR, and the result is masked with 0xFFFFFFFFFFFFLL so that it fits within 48 bits.

Figure10-Generate a pseudo-random value

 

 

Unknown thing

It seems that some URL addresses are not used. The malware cleared all URL addresses in the end.

Figure11- Unused URL strings

 

 

IOCs

ValleyRAT md5: 6923AB76F93C6D48B025D27A37E20D14

moomoo x64.exe md5: 11b499cc40d08a10c107a6fb55a31b65

UUD.pdf md5: C4FD1E5F9DF850878E7B770F50031FD2

104[.]219[.]214[.]206


 

Conclusion


ValleyRAT drops both the Trojan "moomoo x64.exe" and the decoy UUD.pdf, a PDF opened in a browser to hold the potential victim's attention and cover up the real aim, while "moomoo x64.exe" runs in the background to connect to the C2 server. The shellcode embedded in the malware is decrypted with a simple XOR algorithm as an anti-debugging measure and to fight anti-virus vendors; it loads the required DLLs itself and uses undocumented Windows API functions and memory manipulation techniques that can bypass some anti-virus products. It remains a hidden threat we need to pay more attention to.

End.


Saturday, February 15, 2025

The ransom group d0glun, is it hidden threat or just for fun?

 

Summary

The d0glun ransomware below was first submitted on 2025-01-16; it is worth paying more attention to because the operator's motivation can only be assessed with low confidence.

 

Analysis

 

The details of the D0glun ransomware are as follows: it displays the private information “QQ424714982 TG@CXL13131,” the product name is 8180VPN, and the product version is 1.0.0.0.

Figure1-Details of file

 

A text file for warning displays on the desktop, which tells the victim what date and time they were infected by ransomware.

Figure2-a warn text on the desktop

 

On the screen, a text ransom note tells the victim which types of files will be encrypted (this differs from other ransom groups), how to recover, and how to contact the attacker, and leaves the address of the dark site, but without demanding any bitcoin.

Figure3-ransom notes

 

Different types of files use different suffixes, which are not very common.

Figure4-different suffix


The other windows are used for decryption and timing. To decrypt the files, the victim has to enter the KEY and ID; the timer does not seem to be enforced. A special tip on the window suggests the operator launched the ransom attack just for fun.

Figure5-ransom notes

 

On drive C:, the d0glun ransomware drops @cxl.bmp and @Main wallpaper.bmp, and in the directory c:\config it generates many files such as [@]Chengxilun.exe, [@]Chengxilun.txt, and so on. The config.ini includes the victim ID.

Figure6-release some files


Running [@]Chengxilun.exe displays the payment method and the attacker's information, which includes an email address, TG, QQ, and a Chinese name. The payment screen and the "for fun" tip in Figure 5 seem to point to different motivations, but judging from the behaviors above, d0glun seems to be a beginner making a first attempt.

Figure7-payment and private information

 

 

IOCs

md5: 80422A4B94653C8C10E33767ED8C155B

c:\@cxl.bmp

c:\@Main wallpaper.bmp

Runcxl.txt

33333333h45xwqlf3s3eu4bkd6y6bjswva75ys7j6satex5ctf4pyfad[.]onion

cx113131[@]163[.]com

TG: [@]CXL13131

QQ: 424714982

Conclusion


From the behaviors above, d0glun so far sits somewhere between seeking payment and acting just for fun, like a beginner at the door of ransomware attacks; whether it becomes a hidden threat or stays a game is up to the operator's choice.

End.
