Unveiling APT28’s Advanced Obfuscated Loader and HTA Trojan: A Deep Dive with x32dbg Debugging
Summary
I recently noted that APT28 conducts cyber espionage against Central Asia and Kazakhstan diplomatic relations. The sekoia.io report, in particular its third part on the HATVIBE and CHERRYSPY infection chain, which relates to another report from CERT-UA, drew my attention to the .hta extension. That sample is heavily obfuscated, so in this analysis we will focus on a deep dive with x32dbg debugging.
Technical analysis
The sample hashes:
MD5: d0c3b49e788600ff3967f784eb5de973
SHA256: 332d9db35daa83c5ad226b9bf50e992713bc6a69c9ecd52a1223b81e992bc725
Format: plain text
Opening it with Notepad++ shows the .hta file extension, and it is apparent that the script was heavily obfuscated. This kind of obfuscation is often used in malicious scripts, such as malware or spyware, to make the code harder to understand or reverse-engineer, to hide its true intention, and to evade detection.
Fig.1-.hta heavily obfuscated
The code snippet in Fig. 1 above shows an HTML tag <script Language="VBScript.Encode">, which indicates that it is encoded VBScript. The Encode part suggests that the script is encoded to obscure its real content. The string after the #@~^uAsAAA== marker is obfuscated or encoded data. It could have been base64 encoding, but decoding it that way failed after many tries, so I chose to do it with x32dbg debugging.
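As an added example (not code from the original post), the parser below shows why a plain base64 attempt on the blob fails: in the Windows Script Encoder layout the only base64 in the file is the 8-character length field that follows the #@~^ marker, while the body that follows it uses the encoder's own character substitution. It assumes the standard "#@~^" header / "==^#~@" trailer layout and runs on a constructed HTA that reuses the page's own header #@~^uAsAAA==.

```python
import base64
import re
import struct

# Windows Script Encoder (VBScript.Encode) layout, assumed standard: the
# literal "#@~^", then 8 base64 characters ("XXXXXX==") holding a 4-byte
# little-endian length, then the substituted body and the "==^#~@" trailer.
ENCODED_HEADER = re.compile(r"#@~\^([A-Za-z0-9+/]{6}==)")
ENCODED_TRAILER = "==^#~@"
SCRIPT_TAG = re.compile(r'<script\s+language\s*=\s*"VBScript\.Encode"', re.IGNORECASE)


def parse_encoded_script(hta_text):
    """Describe a VBScript.Encode block found in HTA text; None if absent."""
    hdr = ENCODED_HEADER.search(hta_text)
    if hdr is None:
        return None
    # Only the 8-char length field is base64; decoding the whole blob as
    # base64 fails because the body is not base64 at all.
    declared_len = struct.unpack("<I", base64.b64decode(hdr.group(1)))[0]
    body_start = hdr.end()
    body_end = hta_text.find(ENCODED_TRAILER, body_start)
    return {
        "has_encode_tag": SCRIPT_TAG.search(hta_text) is not None,
        "declared_length": declared_len,
        "body_length": (body_end - body_start) if body_end != -1 else None,
        "has_trailer": body_end != -1,
    }


# Constructed sample: the page's real header "#@~^uAsAAA==" (which declares
# 3000 bytes) followed by a short made-up body, so the declared length will
# not match the body length of this toy file.
SAMPLE_HTA = (
    '<html><head><script Language="VBScript.Encode">'
    "#@~^uAsAAA==" + "W8bgc1b5Dv" + "==^#~@"
    "</script></head></html>"
)

if __name__ == "__main__":
    print(parse_encoded_script(SAMPLE_HTA))
```

A mismatch between the declared length and the actual body length, or a missing trailer, is a quick triage signal that the encoded block was truncated or hand-edited.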
Obviously, it can't be opened directly with x32dbg; otherwise it prompts an error saying "invalid PE file."
An .hta file is run by the mshta.exe executable, so we need to change the command line first, as follows.
Fig.2-change the command line with mshta.exe
Opening Wireshark and running the sample by pressing F9 many times, we find the IP address 5[.]45.70[.]178, which is the C2 server, but there was no response; every try failed.
Fig.3-monitor with Wireshark
Let's move to x32dbg. In the call stack, I found many VBScript calls and set breakpoints on them.
Fig.4-Call Stack
Running it again, it stops at one breakpoint, which means the heavily obfuscated code was decoded.
Fig.5-one breakpoint with VBScript
Trying a string reference search, we are lucky and find long strings, as follows.
Fig.6-deobfuscated strings
Follow the address into the memory dump, edit it, and display it as a Unicode string; this gives us the whole deobfuscated strings. Reviewing the code, it makes an HTTP request with the PUT method, collects the computer name and user name from the compromised host, and sends them with three key parameters, which should serve as C2 server authentication. The code checks for a specific pattern in the response text of the HTTP request, and if the pattern matches, it proceeds to execute further operations. So we know it is a Trojan designed to collect the victim's information and fetch the real payload to run from the C2 server.
Fig.7- Deobfuscated code
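The behaviour described above gives a defender three concrete things to look for: mshta.exe launching an .hta, a connection from that process to the C2 address, and an HTTP PUT from mshta.exe carrying the host and user name. The detection logic below is an added example, not code from the original post; the log format and the log lines are constructed for illustration, and the hostname/user values are invented.

```python
# Indicators taken from the analysis above: mshta.exe hosting the .hta, an
# outbound connection to the C2 5.45.70.178, and an HTTP PUT from mshta.exe.
C2_IP = "5.45.70.178"
MSHTA = "mshta.exe"

# Constructed Sysmon-style events (not real telemetry): "<event>|<image>|<detail>".
SAMPLE_LOG = "\n".join([
    "ProcessCreate|C:\\Windows\\System32\\mshta.exe|C:\\Users\\victim\\Downloads\\invite.hta",
    "NetworkConnect|C:\\Windows\\System32\\mshta.exe|dst=5.45.70.178:80 proto=tcp",
    "HttpRequest|C:\\Windows\\System32\\mshta.exe|PUT http://5.45.70.178/ params=3 body=DESKTOP-1;victim",
    "ProcessCreate|C:\\Windows\\System32\\notepad.exe|C:\\Users\\victim\\notes.txt",
    "NetworkConnect|C:\\Program Files\\Browser\\browser.exe|dst=93.184.216.34:443 proto=tcp",
])


def classify(line):
    """Return the name of the detection rule a single event triggers, or None."""
    try:
        event, image, detail = line.split("|", 2)
    except ValueError:
        return None  # malformed line, not an event
    proc = image.rsplit("\\", 1)[-1].lower()
    # Rule 1: mshta.exe started with an .hta file on its command line.
    if proc == MSHTA and event == "ProcessCreate" and detail.lower().endswith(".hta"):
        return "mshta_runs_hta"
    # Rule 2: any process reaching the known C2 address.
    if event == "NetworkConnect" and f"dst={C2_IP}:" in detail:
        return "c2_connection"
    # Rule 3: mshta.exe issuing an HTTP PUT (the beacon seen in the sample).
    if proc == MSHTA and event == "HttpRequest" and detail.startswith("PUT "):
        return "mshta_http_put"
    return None


def scan(log_text):
    """Run every event through the rules and return (line_no, rule) hits."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rule = classify(line)
        if rule:
            hits.append((n, rule))
    return hits


if __name__ == "__main__":
    for line_no, rule in scan(SAMPLE_LOG):
        print(f"line {line_no}: {rule}")
```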
Adding details and diving deeper
That is a very quick way to get the source code from the tracing above, but my curiosity drove me to go back and dive deeper into the details of the deobfuscation; it is a time-consuming process. That's why I took a break after the discovery above, then continued to debug step-by-step and dissect the heavily obfuscated strings found in the DS segment, which are copied into the AX register in a loop. The size is 2.95 KB (3,026 bytes), and then the Windows API SysAllocStringLen is used, which allocates memory for the obfuscated strings of a specified length.
Fig.7.1-allocate memory for the length of the obfuscated strings
Let's keep moving forward: the value in ESI equals the size 3026, and "ss:[esp+10]" points to the address 008AC9BC, which is the start address of the obfuscated strings; it seems this function will handle those strings.
Fig.7.2-passing two parameters to the function vbscript.6DB6DC15
To keep moving forward, press F8 to step over the function vbscript.6DB6DC15, and luckily it returns the other code, but the key part of the code was obfuscated again, which means that the code was double obfuscated, as follows. I did more research, read the sekoia.io report, and found the deobfuscated VBS; its hash is "0fa7e3ffb8a9ca246cc1f1e3f6118ced7a7b785de510d777b316dfcefdddb0be", which is the APT UAC0063 HATVIBE loader.
Fig.7.3-another deobfuscated code
The code decoded above is the final code, as "Fig. 7-Deobfuscated code" shows; decoding it is very easy to do, just print it out.
You need to know
Note: When I dove deeper into the attack samples, I changed the title of the report. The original title was "Unveiling APT28's Heavily Obfuscated .hta Trojan: A Deep Dive with x32dbg Debugging".
IOCs
Files:
MD5: d0c3b49e788600ff3967f784eb5de973
SHA256: 332d9db35daa83c5ad226b9bf50e992713bc6a69c9ecd52a1223b81e992bc725
MD5: 690fe881d288167fde157c6fb834c3ef
SHA256: 0fa7e3ffb8a9ca246cc1f1e3f6118ced7a7b785de510d777b316dfcefdddb0be
Network:
5[.]45.70[.]178
Conclusion
APT28's heavily obfuscated Trojan was written in VBScript, but unlike other VBScript samples, where the code can simply be modified to print out the original source, this one resists that approach. This implies that APT28 is actively seeking new opportunities and changing its tactics for cyber espionage campaigns. It is a big hidden threat to the digital world; let's pay closer attention.
End.
Support My Work:
**If you found this report helpful, consider supporting my work by buying me a coffee!** Your contribution helps me dedicate more time to malware analysis and creating free resources for the cybersecurity community.
*I am deeply grateful from the bottom of my heart!*
Labels: #APT28, #Cybersecurity, #MalwareAnalysis, #SeekerAnalysis, #x32dbg, and #ThreatIntelligence