May 27, 2022

TheCyberThrone

Thinking Security ! Always

Antlion APT linked with China

A cyberespionage campaign by a China-linked APT group tracked as Antlion used a custom backdoor called xPack in attacks aimed at financial organizations and manufacturing companies, and went undetected for years.

xPack is a custom backdoor with a .NET loader that executes AES-encrypted payloads. It allowed the threat actors to run WMI commands remotely, mount shares over SMB, and transfer data from their C2 servers. The attackers also used the malware to browse the web, likely as a proxy to mask their IP address.


The attackers exploited CVE-2019-1458 for privilege escalation and used remote scheduled tasks to execute their backdoor.

Researchers analyzed the group's intrusions: in one, the attackers remained in the compromised network of a manufacturing organization for 175 days; in another, against a financial institution, they remained active for 250 days.

It has been speculated that the attackers exploited a web application or service, because in one attack the threat actors were observed using the MSSQL service to execute system commands. No conclusion has been reached on the initial attack vector.

Following are the custom tools used by Antlion in this campaign:

  • EHAGBPSL loader – custom loader written in C++ – loaded by JpgRun loader
  • JpgRun loader – custom loader written in C++ – like xPack, reads the decryption key and filename from the command line – decodes the file and executes it
  • CheckID – custom loader written in C++ – based on loader used by BlackHole RAT
  • NetSessionEnum – Custom SMB session enumeration tool
  • ENCODE MMC – Custom bind/reverse file transfer tool
  • Kerberos golden ticket tool based on the Mimikatz credentials stealer

The attackers also used legitimate versions of WinRAR for data exfiltration and batch scripts to automate data collection. In some cases, the threat actors staged stolen data for later exfiltration.

The threat actors returned periodically to the compromised networks to launch xPack again and steal account credentials from the compromised organizations.
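The TTPs summarized above lend themselves to simple endpoint detections. The following is an added example, not code from the original post or from the Antlion report: it runs a handful of rules over constructed process-creation records (fields modelled on Sysmon Event ID 1 / Security Event 4688) and flags the MSSQL-spawned shell, remote scheduled-task creation, WMI-driven command execution and WinRAR archive staging described in the post. The image paths and sample command lines are assumptions.

```python
# Added example, not code from the original post or from the Antlion report:
# simple detection rules for the TTPs described above, run over constructed
# process-creation records (fields modelled on Sysmon Event 1 / Security 4688).
from dataclasses import dataclass
import shlex

@dataclass
class ProcEvent:
    event_id: int    # constructed record number
    parent: str      # parent process image path
    image: str       # process image path
    cmdline: str     # full command line

SHELLS = {"cmd.exe", "powershell.exe"}

def _base(path: str) -> str:  # lower-cased file name of a Windows path
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def mssql_spawns_shell(e: ProcEvent) -> bool:
    """MSSQL service used to execute system commands."""
    return _base(e.parent) == "sqlservr.exe" and _base(e.image) in SHELLS

def remote_task_creation(e: ProcEvent) -> bool:
    """schtasks /Create with /S <host>: task created on a remote machine."""
    a = [x.lower() for x in shlex.split(e.cmdline, posix=False)]
    return _base(e.image) == "schtasks.exe" and "/create" in a and "/s" in a

def wmi_command_exec(e: ProcEvent) -> bool:
    """WmiPrvSE.exe spawning a shell: command issued through remote WMI."""
    return _base(e.parent) == "wmiprvse.exe" and _base(e.image) in SHELLS

def winrar_staging(e: ProcEvent) -> bool:
    """WinRAR 'a' (add) command building an archive for later exfiltration."""
    a = [x.lower() for x in shlex.split(e.cmdline, posix=False)]
    return _base(e.image) in {"rar.exe", "winrar.exe"} and len(a) > 1 and a[1] == "a"

RULES = [mssql_spawns_shell, remote_task_creation, wmi_command_exec, winrar_staging]

def detect(events):
    """Return (rule name, event_id) pairs for every record that matches a rule."""
    return [(r.__name__, e.event_id) for e in events for r in RULES if r(e)]

SAMPLE_EVENTS = [  # constructed sample data, not indicators from the report
    ProcEvent(1, r"C:\MSSQL\Binn\sqlservr.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent(2, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /Create /S FILESRV01 /TN Update /TR C:\Users\Public\a.exe"),
    ProcEvent(3, r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c ipconfig"),
    ProcEvent(4, r"C:\Windows\explorer.exe", r"C:\Tools\rar.exe", r"rar.exe a -r C:\Users\Public\d.rar C:\Finance"),
    ProcEvent(5, r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),  # benign
]
```

Calling `detect(SAMPLE_EVENTS)` flags records 1 to 4 and leaves the benign record 5 alone; in practice these rules would be fed from an EDR or SIEM export rather than the inline list.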

Indicators of Compromise

SHA2 hashes