MAR-10288834-1.v1 – North Korean Remote Access Tool: COPPERHEDGE

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Remote Access Tool (RAT) malware variants used by the North Korean government. This malware variant has been identified as COPPERHEDGE. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.



FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.



This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.



The Manuscrypt family of malware is used by advanced persistent threat (APT) cyber actors in the targeting of cryptocurrency exchanges and related entities. Manuscrypt is a full-featured Remote Access Tool (RAT) capable of running arbitrary commands, performing system reconnaissance, and exfiltrating data. Six distinct variants have been identified based on network and code features. The variants are categorized based on common code and a common class structure. A symbol remains in some of the implants identifying a class name of "WinHTTP_Protocol" and later "WebPacket".

For a downloadable copy of IOCs, see MAR-10288834-1.v1.stix.



The breakdown for the variants is displayed below:



Variant A

D8AF45210BF931BC5B03215ED30FB731E067E91F25EDA02A404BD55169E3E3C3

7985AF0A87780D27DC52C4F73C38DE44E5AD477CB78B2E8E89708168FBC4A882



Variant B

E98991CDD9DDD30ADF490673C67A4F8241993F26810DA09B52D8748C6160A292

4838F85499E3C68415010D4F19E83E2C9E3F2302290138ABE79C380754F97324

E76B3FD3E906AC23218B1FBD66FD29C3945EE209A29E9462BBC46B07D1645DE2

1FAAA939087C3479441D9F9C83A80AC7EC9B929E626CB34A7417BE9FF0316FF7

3FF4EBAE6C255D4AE6B747A77F2821F2B619825C7789C7EE5338DA5ECB375395

C2F150DBE9A8EFB72DC46416CA29ACDBAE6FD4A2AF16B27F153EAABD4772A2A1

1678327C5F36074CF5F18D1A92C2D9FEA9BFAE6C245EAAD01640FD75AF4D6C11

C0EE19D7545F98FCD15725A3D9F0DBD0F35B2091E1C5B9CF4744F16E81A030C5

9E4BD9676BB3460BE68BA4559A824940A393BDE7613850EDA9196259E453B9F3

EEE38C632C62CA95B5C66F8D39A18E23B9175845560AF84B6A2F69B7F9B6EC1C

F6E1A146543D2903146698DA5698B2A214201720C0BE756C6E8D2A2F27DCFAFF



Variant C

37BB27F4EB40B8947E184AFDDBA019001C12F97588E7F596AB6BC07F7C152602

E6FC788B5FF7436DA4450191A003966A68E2A1913C83F1D3AEC78C65F3BA85CA

284BC471647F951C79E3E333B2B19AA37F84CC39B55441A82E2A5F7319131FAC

A1CDB784100906D0AC895297C5A0959AB21A9FB39C687BAF176324EE84095472



Variant D

B4BF6322C67A23553D5A9AF6FCD9510EB613FFAC963A21E32A9CED83132A09BA



Variant E

134B082B418129FFA390FBEE1568BD9510C54BFDD0E6B1F36BC7B8F867E56283



Variant F

0A763DA26A67CB2B09A3AE6E1AC07828065EB980E452CE7D3354347976038E7E

1884DDC53EF66488CA8FC641B438895FCAADA77C15210118465377C63223B3BC

C24C322F4535DEF3F8D1579C39F2F9E323787D15B96E2EE457C38925EFFE2D39

Submitted Files (22)

0a763da26a67cb2b09a3ae6e1ac07828065eb980e452ce7d3354347976038e7e (171B9135540F89BF727B690B9E587A...)

134b082b418129ffa390fbee1568bd9510c54bfdd0e6b1f36bc7b8f867e56283 (633BD738AE63B6CE9C2A48CBDDD154...)

1678327c5f36074cf5f18d1a92c2d9fea9bfae6c245eaad01640fd75af4d6c11 (86D3C1B354CE696E454C42D8DC6DF1...)

1884ddc53ef66488ca8fc641b438895fcaada77c15210118465377c63223b3bc (22F8D2A0C8D9B54A553FCA1B2393B2...)

1faaa939087c3479441d9f9c83a80ac7ec9b929e626cb34a7417be9ff0316ff7 (667CF9E8EC1DAC7812F92BD77AF702...)

284bc471647f951c79e3e333b2b19aa37f84cc39b55441a82e2a5f7319131fac (DB590EA77A92AE6435E2EC954D065E...)

37bb27f4eb40b8947e184afddba019001c12f97588e7f596ab6bc07f7c152602 (A8B6EC51ED88C0329FD3329CB615BB...)

3ff4ebae6c255d4ae6b747a77f2821f2b619825c7789c7ee5338da5ecb375395 (A7C804B62AE93D708478949F498342...)

4838f85499e3c68415010d4f19e83e2c9e3f2302290138abe79c380754f97324 (EB6275A24D047E3BE05C2B4E5F5070...)

7985af0a87780d27dc52c4f73c38de44e5ad477cb78b2e8e89708168fbc4a882 (C6801F90AAA11CE81C9B66450E0029...)

9e4bd9676bb3460be68ba4559a824940a393bde7613850eda9196259e453b9f3 (668D5B5761755C9D061DA74CB21A8B...)

a1cdb784100906d0ac895297c5a0959ab21a9fb39c687baf176324ee84095472 (0856655351ACFFA1EE459EEEAF1647...)

b4bf6322c67a23553d5a9af6fcd9510eb613ffac963a21e32a9ced83132a09ba (34C2AC6DAA44116713F882694B6B41...)

c0ee19d7545f98fcd15725a3d9f0dbd0f35b2091e1c5b9cf4744f16e81a030c5 (5182E7A2037717F2F9BBF6BA298C48...)

c24c322f4535def3f8d1579c39f2f9e323787d15b96e2ee457c38925effe2d39 (FDD55A38A45DE8AF6F8C34A33BAE11...)

c2f150dbe9a8efb72dc46416ca29acdbae6fd4a2af16b27f153eaabd4772a2a1 (86685EC8C3C717AA2A9702E2C9DEC3...)

d8af45210bf931bc5b03215ed30fb731e067e91f25eda02a404bd55169e3e3c3 (12C786C490366727CF7279FC141921...)

e6fc788b5ff7436da4450191a003966a68e2a1913c83f1d3aec78c65f3ba85ca (117FA0B8B8B965680C7B630C6E2BF0...)

e76b3fd3e906ac23218b1fbd66fd29c3945ee209a29e9462bbc46b07d1645de2 (AA7F506B0C30D76557C82DBA45116C...)

e98991cdd9ddd30adf490673c67a4f8241993f26810da09b52d8748c6160a292 (912F87392A889070DBB1097A82CCD9...)

eee38c632c62ca95b5c66f8d39a18e23b9175845560af84b6a2f69b7f9b6ec1c (35E38D023B253C0CD9BD3E16AFC362...)

f6e1a146543d2903146698da5698b2a214201720c0be756c6e8d2a2f27dcfaff (72FE869AA394EF0A62BB8324857770...)

Domains (42)

028xmz.com

168wangpi.com

33cow.com

3x-tv.com

51shousheng.com

530hr.com

919xy.com

92myhw.com

97nb.net

aedlifepower.com

aisou123.com

aloe-china.com

anlway.com

ap8898.com

apshenyihl.com

as-brant.ru

aurumgroup.co.id

bogorcenter.com

cabba-cacao.com

castorbyg.dk

creativefishstudio.com

danagloverinteriors.com

duratransgroup.com

eventum.cwsdev3.biz

eygingenieros.com

growthincone.com

inverstingpurpose.com

locphuland.com

markcoprintandcopy.com

marmarademo.com

matthias-dlugi.de

new.titanik.fr

nuokejs.com

pakteb.com

qdbazaar.com

rhythm86.com

rxrenew.us

sensationalsecrets.com

stokeinvestor.com

streamf.ru

theinspectionconsultant.com

vinhsake.com

d8af45210bf931bc5b03215ed30fb731e067e91f25eda02a404bd55169e3e3c3

Tags

backdoortrojan

Details

Antivirus

YARA Rules

• rule CISA_3P_10135536_24 : success_fail_codes
  
  {
  
     meta:
  
         Author = "CISA Trusted Third Party"
  
         Incident = "10135536-A"
  
         Date = "2017-11-14"
  
         Actor = "Hidden Cobra"
  
         Category = "n/a"
  
         Family = "FALLCHILL"
  
         Description = ""
  
     strings:
  
         $s0 = { 68 7a 34 12 00 }
  
         $s1 = { ba 7a 34 12 00 }
  
         $f0 = { 68 5c 34 12 00 }
  
         $f1 = { ba 5c 34 12 00 }
  
     condition:
  
         (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and (($s0 and $f0) or ($s1 and $f1))
  
  }
• rule CISA_3P_10135536_24 : success_fail_codes
  
  {
  
     meta:
  
         Author = "CISA Trusted Third Party"
  
         Incident = "10135536-A"
  
         Date = "2017-11-14"
  
         Actor = "Hidden Cobra"
  
         Category = "n/a"
  
         Family = "FALLCHILL"
  
         Description = ""
  
     strings:
  
         $s0 = { 68 7a 34 12 00 }
  
         $s1 = { ba 7a 34 12 00 }
  
         $f0 = { 68 5c 34 12 00 }
  
         $f1 = { ba 5c 34 12 00 }
  
     condition:
  
         (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and (($s0 and $f0) or ($s1 and $f1))
  
  }

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Relationships

Description

This file is a 32-bit Dynamic Link Library (DLL) and has been identified as Variant A. Variant A uses RC4 encryption to obfuscate import loading with an RC4 key of "0x78292E4C5DA3B5D067F081B736E5D593". A hard-coded string of "*dJU!*JE&!M@UNQ@" is embedded in the malware beacons. This variant also obfuscates Hypertext Transfer Protocol (HTTP) header strings using a custom character manipulation where the certain ranges of characters are modified by either adding or subtracting a constant value 9.



Variant A will generate HTTP POST requests with the following format:



--Begin HTTP POST request--

POST /<uri> HTTP/1.1

Connection: keep-alive

Cache-Control: max-age=0

Accept: */*

Content-Type: multipart/form-data; boundary=----FormBoundary<randomCharacters>

Accept-Encoding: gzip,deflate,sdch

Accept-Language: ko-KR

User-Agent: <obtained from ObtainUserAgentString otherwise: Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36>

Host: <domain>

Content-Length: <length>



------FormBoundary<randomCharacters>

Content-Disposition: form-data; name="board_id"

<sessionID>

------FormBoundary<randomCharacters>

Content-Disposition: form-data; name="user_id"

<*dJU!*JE&!M@UNQ@ if beacon request otherwise empty>

------FormBoundary<randomCharacters>

Content-Disposition: form-data; name="file1"; filename="<randomly picked>"

Content-Type: application/octet-stream

<datagram>

--End HTTP POST request--



Variant A uses a custom algorithm to encrypt data from datagrams. An implementation of the algorithm is provided below:



--Begin custom algorithm--

modVal = 0x6be

addVal = 0x95d9

keyVal = 0x25

def encrypt(data):

   global keyVal

   r = ""

   for c in data:

       r += chr((ord(c) ^ keyVal) & 0xff)

       keyVal = (((ord(c) + keyVal) % modVal) + addVal) & 0xffffffff

   return r

--End custom algorithm--

Screenshots

530hr.com

Tags

command-and-control

URLs

• 530hr.com/data/common.php

Relationships

Description

12C786C490366727CF7279FC141921D8 and C6801F90AAA11CE81C9B66450E002972 attempt to connect to the domain.

028xmz.com

Tags

command-and-control

URLs

• 028xmz.com/include/common.php

Relationships

Description

12C786C490366727CF7279FC141921D8 and C6801F90AAA11CE81C9B66450E002972 attempt to connect to the domain.

168wangpi.com

Tags

command-and-control

URLs

• 168wangpi.com/include/charset.php

Relationships

Description

12C786C490366727CF7279FC141921D8 and C6801F90AAA11CE81C9B66450E002972 attempt to connect to the domain.

7985af0a87780d27dc52c4f73c38de44e5ad477cb78b2e8e89708168fbc4a882

Tags

backdoorbottrojan

Details

Antivirus

YARA Rules

• rule CISA_3P_10135536_24 : success_fail_codes
  
  {
  
     meta:
  
         Author = "CISA Trusted Third Party"
  
         Incident = "10135536-A"
  
         Date = "2017-11-14"
  
         Actor = "Hidden Cobra"
  
         Category = "n/a"
  
         Family = "FALLCHILL"
  
         Description = ""
  
     strings:
  
         $s0 = { 68 7a 34 12 00 }
  
         $s1 = { ba 7a 34 12 00 }
  
         $f0 = { 68 5c 34 12 00 }
  
         $f1 = { ba 5c 34 12 00 }
  
     condition:
  
         (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and (($s0 and $f0) or ($s1 and $f1))
  
  }
• rule CISA_3P_10135536_24 : success_fail_codes
  
  {
  
     meta:
  
         Author = "CISA Trusted Third Party"
  
         Incident = "10135536-A"
  
         Date = "2017-11-14"
  
         Actor = "Hidden Cobra"
  
         Category = "n/a"
  
         Family = "FALLCHILL"
  
         Description = ""
  
     strings:
  
         $s0 = { 68 7a 34 12 00 }
  
         $s1 = { ba 7a 34 12 00 }
  
         $f0 = { 68 5c 34 12 00 }
  
         $f1 = { ba 5c 34 12 00 }
  
     condition:
  
         (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and (($s0 and $f0) or ($s1 and $f1))
  
  }

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Relationships

Description

This file is a 64-bit DLL and has been identified as Variant A. Refer to 12C786C490366727CF7279FC141921D8 for analysis.

e98991cdd9ddd30adf490673c67a4f8241993f26810da09b52d8748c6160a292

Tags

backdoortrojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Relationships

Description

This file is a 32-bit DLL and has been identified as Variant B. Variant B generates an HTTP POST request similar to Variant A. However, in Variant B datagrams are RC4 encrypted. The implant maintains separate RC4 key streams for each side of the conversation. The RC4 key used is "0x271A16AB6D7A900EF3FA677DCE8AB268". The RC4 key streams will reset after the implant receives a "SystemInfo" command. Variant B performs the same RC4 key as variant A for Application Programming Interface (API) obfuscation.

Screenshots

marmarademo.com

Tags

command-and-control

URLs

• marmarademo.com/include/extend.php

Relationships

Description

912F87392A889070DBB1097A82CCD93F attempts to connect to the domain.

33cow.com

Tags

command-and-control

URLs

• 33cow.com/include/control.php

Relationships

Description

912F87392A889070DBB1097A82CCD93F attempts to connect to the domain.

97nb.net

Tags

command-and-control

URLs

• 97nb.net/include/arc.sglistview.php

Relationships

Description

912F87392A889070DBB1097A82CCD93F attempts to connect to the domain.

4838f85499e3c68415010d4f19e83e2c9e3f2302290138abe79c380754f97324

Tags

backdoortrojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Relationships

Description

This file is a 32-bit DLL and has been identified as Variant B. Refer to 912F87392A889070DBB1097A82CCD93F for analysis.

anlway.com

Tags

command-and-control

URLs

• anlway.com/include/arc.search.class.php

Relationships

Description

EB6275A24D047E3BE05C2B4E5F50703D attempts to connect to the domain.

apshenyihl.com

Tags

command-and-control

URLs

• apshenyihl.com/include/arc.speclist.class.php

Relationships

Description

EB6275A24D047E3BE05C2B4E5F50703D attempts to connect to the domain.

ap8898.com

Tags

command-and-control

URLs

• ap8898.com/include/arc.search.class.php

Relationships

Description

EB6275A24D047E3BE05C2B4E5F50703D attempts to connect to the domain.

e76b3fd3e906ac23218b1fbd66fd29c3945ee209a29e9462bbc46b07d1645de2

Tags

backdoorbottrojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Relationships

Description

This file is a 32-bit DLL and has been identified as Variant B. Refer to 912F87392A889070DBB1097A82CCD93F for analysis.

aloe-china.com

Tags

command-and-control

URLs

• aloe-china.com/include/bottom.php

Relationships

Description

AA7F506B0C30D76557C82DBA45116CCC attempts to connect to the domain.

92myhw.com

Tags

command-and-control

URLs

• 92myhw.com/include/inc/inc_common.php

Relationships

Description

AA7F506B0C30D76557C82DBA45116CCC attempts to connect to the domain.

aisou123.com

Tags

command-and-control

URLs

• aisou123.com/include/dialog/common.php

Relationships

Description

AA7F506B0C30D76557C82DBA45116CCC attempts to connect to the domain.

1faaa939087c3479441d9f9c83a80ac7ec9b929e626cb34a7417be9ff0316ff7

Tags

backdoortrojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Relationships

Description

This file is a 32-bit DLL and has been identified as Variant B. Refer to 912F87392A889070DBB1097A82CCD93F for analysis.

markcoprintandcopy.com

URLs

• markcoprintandcopy.com/data/helper.php

Relationships

Description

667CF9E8EC1DAC7812F92BD77AF702A1 attempts to connect to the domain.

aedlifepower.com

Tags

command-and-control

URLs

• aedlifepower.com/include/image.php

Relationships

Description

667CF9E8EC1DAC7812F92BD77AF702A1 attempts to connect to the domain.

919xy.com

Tags

command-and-control

URLs

• 919xy.com/contactus/about.php

Relationships

Description

667CF9E8EC1DAC7812F92BD77AF702A1 attempts to connect to the domain.

3ff4ebae6c255d4ae6b747a77f2821f2b619825c7789c7ee5338da5ecb375395

Tags

trojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Relationships

Description

This file is a 32-bit DLL and has been identified as Variant B. Refer to 912F87392A889070DBB1097A82CCD93F for analysis.

pakteb.com

Tags

command-and-control

URLs

• pakteb.com/include/left.php

Relationships

Description

A7C804B62AE93D708478949F498342F9 and 86685EC8C3C717AA2A9702E2C9DEC379 attempt to connect to the domain.

nuokejs.com

Tags

command-and-control

URLs

• nuokejs.com/contactus/about.php

Relationships

Description

A7C804B62AE93D708478949F498342F9 and 86685EC8C3C717AA2A9702E2C9DEC379 attempt to connect to the domain.

qdbazaar.com

Tags

command-and-control

URLs

• qdbazaar.com/include/footer.php

Relationships

Description

A7C804B62AE93D708478949F498342F9 and 86685EC8C3C717AA2A9702E2C9DEC379 attempt to connect to the domain.

c2f150dbe9a8efb72dc46416ca29acdbae6fd4a2af16b27f153eaabd4772a2a1

Tags

backdoortrojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Relationships

Description

This file is a 64-bit DLL and has been identified as Variant B. Refer to 912F87392A889070DBB1097A82CCD93F for analysis.

1678327c5f36074cf5f18d1a92c2d9fea9bfae6c245eaad01640fd75af4d6c11

Tags

trojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Relationships

Description

This file is a 32-bit DLL and has been identified as Variant B. Refer to 912F87392A889070DBB1097A82CCD93F for analysis.

aurumgroup.co.id

Tags

command-and-control

URLs

• aurumgroup.co.id/wp-includes/rest.php

Relationships

Description

86D3C1B354CE696E454C42D8DC6DF1B7 and 5182E7A2037717F2F9BBF6BA298C48FB attempt to connect to the domain.

51shousheng.com

Tags

command-and-control

URLs

• 51shousheng.com/include/partview.php

Relationships

Description

86D3C1B354CE696E454C42D8DC6DF1B7 and 5182E7A2037717F2F9BBF6BA298C48FB attempt to connect to the domain.

new.titanik.fr

Tags

command-and-control

URLs

• new.titanik.fr/wp-includes/common.php

Relationships

Description

86D3C1B354CE696E454C42D8DC6DF1B7 and 5182E7A2037717F2F9BBF6BA298C48FB attempt to connect to the domain.

c0ee19d7545f98fcd15725a3d9f0dbd0f35b2091e1c5b9cf4744f16e81a030c5

Tags

trojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Relationships

Description

This file is a 64-bit DLL and has been identified as Variant B. Refer to 912F87392A889070DBB1097A82CCD93F for analysis.

9e4bd9676bb3460be68ba4559a824940a393bde7613850eda9196259e453b9f3

Tags

trojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Relationships

Description

This file is a 64-bit DLL and has been identified as Variant B. Refer to 912F87392A889070DBB1097A82CCD93F for analysis.

duratransgroup.com

Tags

command-and-control

URLs

• duratransgroup.com/engl/lang.php

Relationships

Description

668D5B5761755C9D061DA74CB21A8B75 attempts to connect to the domain.

eygingenieros.com

Tags

command-and-control

URLs

• eygingenieros.com/wp-includes/common.php

Relationships

Description

668D5B5761755C9D061DA74CB21A8B75 attempts to connect to the domain.

eventum.cwsdev3.biz

URLs

• eventum.cwsdev3.biz/wp-includes/common.php

Relationships

Description

668D5B5761755C9D061DA74CB21A8B75 attempts to connect to the domain.

eee38c632c62ca95b5c66f8d39a18e23b9175845560af84b6a2f69b7f9b6ec1c

Tags

trojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Relationships

Description

This file is a 32-bit DLL and has been identified as Variant B. Refer to 912F87392A889070DBB1097A82CCD93F for analysis.

theinspectionconsultant.com

Tags

command-and-control

URLs

• theinspectionconsultant.com/wp-content/plugins/akismet/index1.php

Relationships

Description

835E38D023B253C0CD9BD3E16AFC362A7 and 72FE869AA394EF0A62BB8324857770DD attempt to connect to the domain.

danagloverinteriors.com

Tags

command-and-control

URLs

• danagloverinteriors.com/wp-content/plugins/jetpack/common.php

Relationships

Description

835E38D023B253C0CD9BD3E16AFC362A7 and 72FE869AA394EF0A62BB8324857770DD attempt to connect to the domain.

as-brant.ru

Tags

command-and-control

URLs

• as-brant.ru/wp-content/themes/shapely/common.php

Relationships

Description

835E38D023B253C0CD9BD3E16AFC362A7 and 72FE869AA394EF0A62BB8324857770DD attempt to connect to the domain.

f6e1a146543d2903146698da5698b2a214201720c0be756c6e8d2a2f27dcfaff

Tags

trojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Relationships

Description

This file is a 64-bit DLL and has been identified as Variant B. Refer to 912F87392A889070DBB1097A82CCD93F for analysis.

37bb27f4eb40b8947e184afddba019001c12f97588e7f596ab6bc07f7c152602

Tags

backdoorpuptrojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Relationships

Description

This file is a 32-bit DLL and has been identified as Variant C. Variant C can be distinguished from previous versions through the absence of the beacon string "*dJU!*JE&!M@UNQ@" and the use of a generated cookie to pass certain information instead of multi-part HTTP POST requests. The cookie is designed to appear like a standard Google Analytics cookie. The format used by the malware is noted below:



--Begin cookie format--

Cookie: _ga=GA1.%d.%02d%d%d%02d.%d%05d%04d; gid=GA1.%d.%02d%d%03d.%d%05d%04d Cookie: _ga=GA1.<1>.<2><3><4><5>.<6><7><8>; gid=GA1.<1>.<9><10><11>.<6><7><8>

where

1 = rand % 10

2 = rand % 100

3 = 0 or 1 if implant is ready to receive its first command

4 = sessionID

5 = rand % 100

6 = rand % 10

7 = rand % 100000

8 = rand % 10000

9 = rand % 100

10 = 1879 or 8678 if handshake packet

11 = rand % 1000

--End cookie format--



Variant C will randomly choose from one of three hard-coded Accept-Language headers:



--Begin Accept-Language headers--

Accept-Language: en-US,en;q=0.5

Accept-Language: de-CH

Accept-Language: az-Arab

--End Accept-Language headers--



Variant C datagrams are sent in the HTTP POST body and encrypted in the same manner as Variant B with the same RC4 key. Like in Variant B, the RC4 key stream will reset after the SystemInfo command. Variant C performs API loading at runtime but does not obfuscate the strings.

Screenshots

rxrenew.us

Tags

command-and-control

URLs

• rxrenew.us/wp-content/themes/hestias/index.php

Relationships

Description

A8B6EC51ED88C0329FD3329CB615BBC9 and 117FA0B8B8B965680C7B630C6E2BF01D attempt to connect to the domain.

creativefishstudio.com

Tags

command-and-control

URLs

• creativefishstudio.com/newbiesspeak/left.php

Relationships

Description

A8B6EC51ED88C0329FD3329CB615BBC9 and 117FA0B8B8B965680C7B630C6E2BF01D attempt to connect to the domain.

sensationalsecrets.com

Tags

command-and-control

URLs

• sensationalsecrets.com/js/left.php

Relationships

Description

A8B6EC51ED88C0329FD3329CB615BBC9 and 117FA0B8B8B965680C7B630C6E2BF01D attempt to connect to the domain.

e6fc788b5ff7436da4450191a003966a68e2a1913c83f1d3aec78c65f3ba85ca

Tags

puptrojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Relationships

Description

This file is a 64-bit DLL and has been identified as Variant C. Refer to A8B6EC51ED88C0329FD3329CB615BBC9 for analysis.

284bc471647f951c79e3e333b2b19aa37f84cc39b55441a82e2a5f7319131fac

Tags

puptrojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Relationships

Description

This file is a 64-bit DLL and has been identified as Variant C. Refer to A8B6EC51ED88C0329FD3329CB615BBC9 for analysis.

rhythm86.com

Tags

command-and-control

URLs

• rhythm86.com/wp-content/themes/twentysixteen/about.php

Relationships

Description

DB590EA77A92AE6435E2EC954D065ED4 attempts to connect to the domain.

cabba-cacao.com

Tags

command-and-control

URLs

• cabba-cacao.com/wp-content/themes/integral/about.php

Relationships

Description

DB590EA77A92AE6435E2EC954D065ED4 attempts to connect to the domain.

3x-tv.com

Tags

command-and-control

URLs

• 3x-tv.com/plugins/editors/about.php

Relationships

Description

DB590EA77A92AE6435E2EC954D065ED4 attempts to connect to the domain.

a1cdb784100906d0ac895297c5a0959ab21a9fb39c687baf176324ee84095472

Tags

backdoorpuptrojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Relationships

Description

This file is a 64-bit DLL and has been identified as Variant C. Refer to A8B6EC51ED88C0329FD3329CB615BBC9 for analysis.

castorbyg.dk

Tags

command-and-control

URLs

• castorbyg.dk/wp-content/themes/302.php

Relationships

Description

0856655351ACFFA1EE459EEEAF164756 attempts to connect to the domain.

matthias-dlugi.de

Tags

command-and-control

URLs

• matthias-dlugi.de/wp-content/themes/twentyfifteen/helper.php

Relationships

Description

0856655351ACFFA1EE459EEEAF164756 attempts to connect to the domain.

locphuland.com

Tags

command-and-control

URLs

• locphuland.com/wp-content/themes/hikma/total.php

Relationships

Description

0856655351ACFFA1EE459EEEAF164756 attempts to connect to the domain.

b4bf6322c67a23553d5a9af6fcd9510eb613ffac963a21e32a9ced83132a09ba

Tags

downloadertrojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Description

This file is a 32-bit Windows executable and has been identified as Variant D. Variant D generates an HTTP POST request very similar to that of Variant A. The only difference is the beacon string, this variant uses "t34kjfdla45l". Datagrams are encrypted with a combination of RC4 and differential XOR. The RC4 key used is "0x0D06092A864886F70D01010105000382".

Screenshots

134b082b418129ffa390fbee1568bd9510c54bfdd0e6b1f36bc7b8f867e56283

Details

Antivirus

YARA Rules

• rule CISA_10135536_06 : HiddenCobra rat
  
  {
  
     meta:
  
         Author = "CISA Code & Media Analysis"
  
         Incident = "10135536"
  
         Date = "2018-05-04"
  
         Actor = "HiddenCobra"
  
         Category = "Trojan RAT"
  
         Family = "BLINDINGCAN"
  
         Description = "Detects Trojan RAT"
  
         MD5_1 = "f9e6c35dbb62101498ec755152a8a67b"
  
         SHA256_1 = "1ee75106a9113b116c54e7a5954950065b809e0bb4dd0a91dc76f778508c7954"
  
         MD5_2 = "d742ba8cf5b24affdf77bc6869da0dc5"
  
         SHA256_2 = "7dce6f30e974ed97a3ed024d4c62350f9396310603e185a753b63a1f9a2d5799"
  
         MD5_3 = "aefcd8e98a231bccbc9b2c6d578fc8f3"
  
         SHA256_3 = "96721e13bae587c75618566111675dec2d61f9f5d16e173e69bb42ad7cb2dd8a"
  
         MD5_4 = "3a6b48871abbf2a1ce4c89b08bc0b7d8"
  
         SHA256_4 = "f71d67659baf0569143874d5d1c5a4d655c7d296b2e86be1b8f931c2335c0cd3"
  
     strings:
  
         $s0 = { C7 45 EC 0D 06 09 2A C7 45 F0 86 48 86 F7 C7 45 F4 0D 01 01 01 C7 45 F8 05 00 03 82 }
  
         $s1 = { 50 4D 53 2A 2E 74 6D 70 }
  
         $s2 = { 79 67 60 3C 77 F9 BA 77 7A 56 1B 68 51 26 11 96 B7 98 71 39 82 B0 81 78 }
  
     condition:
  
         any of them
  
  }

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Description

This file is a 64-bit DLL and has been identified as Variant E. Variant E forgoes the multi-part HTTP POST request format of Variant D and instead uses a single HTTP POST body with four parameters of Base64 encoded data as displayed below:



--Begin HTTP POST format--

POST /<uri> HTTP/1.1

Connection: Keep-Alive

Cache-Control: no-cache

Content-Type: application/x-www-form-urlencoded

Accept: */*

User-Agent: <obtained from ObtainUserAgentString otherwise: Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36>

Host: <domain>

Content-Length: <length>



id=<key><paramList>&<random_1>=<sessionID>&<random_2>=<fixedString>&<random_3>=<datagram>

--End HTTP POST format--



The first parameter, 'id', will consist of two separate base64 encoded parts. The first part consists of nine randomly generated lower case characters to be used as the RC4 key for the first three parameters. The second part of the 'id' parameter is a colon delimited list of the other three parameter names encrypted with RC4. Those three parameters are randomly selected from a list of 51 strings. The second parameter data is the session id. The third parameter data is a fixed string in the implant: "T1B7D95256A2001E". When encrypting data from the first three parameters, the encryption starts "0xC00 bytes" into the RC4 key stream. The last parameter will contain the datagram to be sent. The datagram is encrypted in the same manner as Variant B Version 1.0 using a combination of RC4 and differential XOR. The only difference is the additional layer of Base64 encoding.

Screenshots

0a763da26a67cb2b09a3ae6e1ac07828065eb980e452ce7d3354347976038e7e

Tags

trojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Relationships

Description

This file is a 32-bit DLL and has been identified as Variant F. Variant F of the implant uses multi-part HTTP POST messages consisting of three parts holding the victim id, response code, and datagram, as outlined below:



--Begin HTTP POST format--

POST /<uri> HTTP/1.1

Content-Type: multipart/form-data; boundary=<boundaryString>

User-Agent: <obtained from ObtainUserAgentString>

Host: <domain>

Content-Length: <length>

Expect: 100-continue

Connection: Keep-Alive



--<boundaryString>

Content-Disposition: form-data; name="_webident_f"

<victimId>

--<boundarString>

Content-Disposition: form-data; name="_webident_s"

<response code>

--<boundaryString>

Content-Disposition: form-data; name="file"; filename="<random>.dat"

Content-Type: octet-stream

<datagram>

--<boundaryString>

--End HTTP POST format--



Two additional User-Agent strings have been used by this version:



--Begin User-Agent strings--

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36

--End User-Agent strings--



Datagrams are encoded using a single byte XOR with the value "0xAA".

Screenshots

streamf.ru

Tags

command-and-control

URLs

• streamf.ru//wp-content/index2.php

Relationships

Description

171B9135540F89BF727B690B9E587A4E attempts to connect to the domain.

vinhsake.com

Tags

command-and-control

URLs

• vinhsake.com//wp-content/uploads/index2.php

Relationships

Description

171B9135540F89BF727B690B9E587A4E attempts to connect to the domain.

bogorcenter.com

Tags

command-and-control

URLs

• bogorcenter.com/wp-content/themes/index2.php

Relationships

Description

171B9135540F89BF727B690B9E587A4E attempts to connect to the domain.

1884ddc53ef66488ca8fc641b438895fcaada77c15210118465377c63223b3bc

Tags

backdoortrojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Relationships

Description

This file is a 32-bit DLL and has been identified as Variant F. Refer to 171B9135540F89BF727B690B9E587A4E for analysis.

stokeinvestor.com

Tags

command-and-control

URLs

• stokeinvestor.com/common.php

Relationships

Description

22F8D2A0C8D9B54A553FCA1B2393B266 and FDD55A38A45DE8AF6F8C34A33BAE11CB attempt to connect to the domain.

growthincone.com

Tags

command-and-control

URLs

• growthincone.com/board.php

Relationships

Description

22F8D2A0C8D9B54A553FCA1B2393B266 and FDD55A38A45DE8AF6F8C34A33BAE11CB attempt to connect to the domain.

inverstingpurpose.com

Tags

command-and-control

URLs

• inverstingpurpose.com/head.php

Relationships

Description

22F8D2A0C8D9B54A553FCA1B2393B266 and FDD55A38A45DE8AF6F8C34A33BAE11CB attempt to connect to the domain.

c24c322f4535def3f8d1579c39f2f9e323787d15b96e2ee457c38925effe2d39

Tags

backdoortrojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Relationships

Description

This file is a 64-bit DLL and has been identified as Variant F. Refer to 171B9135540F89BF727B690B9E587A4E for analysis.

Snort rules for this malware family is displayed below:



alert tcp any any -> any 80 (msg:"handshake detected"; content:"*dJU!*JE&!M@UNQ@"; sid:5; rev:1;)

alert tcp any any -> any 80 (msg:"handshake detected"; content:"t34kjfdla45l"; sid:6; rev:1;)

alert tcp any any -> any 80 (msg:"malware traffic detected"; content: "_webident_f"; http_client_body; content: "_webident_s "; http_client_body; sid:33; rev:1;)

alert tcp any any -> any 80 (msg:"malware traffic detected"; content: "_webident_f"; http_client_body; content: "_webident_s"; http_client_body; sid:1; rev:1;)

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

• Maintain up-to-date antivirus signatures and engines.
• Keep operating system patches up-to-date.
• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
• Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
• Enforce a strong password policy and implement regular password changes.
• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
• Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
• Disable unnecessary services on agency workstations and servers.
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
• Monitor users' web browsing habits; restrict access to sites with unfavorable content.
• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
• Scan all software downloaded from the Internet prior to executing.
• Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

• 1-888-282-0870
• NCCICCustomerService@us-cert.gov (UNCLASS)
• us-cert@dhs.sgov.gov (SIPRNET)
• us-cert@dhs.ic.gov (JWICS)

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or soc@us-cert.gov.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

• Web: https://malware.us-cert.gov
• E-Mail: submit@malware.us-cert.gov
• FTP: ftp.malware.us-cert.gov (anonymous)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.us-cert.gov.