Characteristics of Attack Tactics<\/h2>\n\n\n\n
Use compromised sites:<\/strong><\/p>\n\n\n\n MurenShark tends to use compromised sites as the file server and the C&C server in the attack process. As shown in the last chapter, the organization used the Near East University site (Yakın DoÄŸu Ãœniversitesi) (https:\/\/neu.edu.tr\/) as a remote server.<\/p>\n\n\n\n The Near East University is a private university located in Northern Cyprus. The known attack process shows that MurenShark has controlled the official website server of the university for more than one year, placed Trojan horse programs in multiple locations on the website, run the LetMeOut Trojan horse server program, and even deployed the server of the CobaltStrike penetration platform to continuously control the victims.<\/p>\n\n\n\n Although it has such attack resources, MurenShark is relatively restrained in the use of the compromised sites. These sites are silent for most of the time and have not been traded or abused. This utilization of the compromised sites by MurenShark effectively hides the traces of organization and extends the available period of resources.<\/p>\n\n\n\n Breakdown of component behaviors<\/strong><\/p>\n\n\n\n When designing the process, MurenShark follows a special pattern of behavior splitting.<\/p>\n\n\n\n For example, the new version of NiceRender attack component recently used by the organization divides the malicious documents’ normal functions into two parts. Part A is designed as a macro code reader and injector, and part B is designed as a macro code carrier and injection carrier. Part A needs to obtain Part B through network connection to carry out the complete component behavior.<\/p>\n\n\n\n For example, the LetMeOut Trojan program commonly used by the organization will also split its download function into two parts. The Trojan first uploads the Trojan information and the victim host information to the C&C server . After receiving the confirmation information from the server, the Trojan obtains the download path of the subsequent payload through calculation.<\/p>\n\n\n\n The advantages of this design are obvious. In cooperation with the compromised site described above, when the remote address of these components fails or stops service, there will not be any malicious behavior characteristics on the network side and the process side, and even untrained personnel cannot detect abnormalities when opening the corresponding files. These subdivided component behaviors also interfere with forensics analysis and attack process restoration. A large number of interaction mechanisms effectively protect the network resources and attack components in the process and reduce the exposure probability.<\/p>\n\n\n\n When the C&C server is disconnected, the behavior of the new version of NiceRender is similar to that of the normal document:<\/p>\n\n\n\n NiceRender<\/strong><\/p>\n\n\n\n This tool is a malicious macro type document with a specific execution mode. MurenShark attackers use this tool to create various phishing documents and use them as the preliminary step of attack activities. There are currently two versions of this tool.<\/p>\n\n\n\n NiceRender Ver.1<\/strong><\/p>\n\n\n\n The early version of NiceRender includes three functional parts: bait decoding, online notification and payload release.<\/p>\n\n\n\n (I)Decoy decoding<\/strong><\/p>\n\n\n\n The biggest difference between NiceRender and other common phishing documents is that the component will use a unique logic to transcode the text content in the document into garbled characters, and decode these garbled characters, giving the victim an illusion that the encrypted document has indeed been decrypted, thus increasing the credibility of such phishing documents.<\/p>\n\n\n\n NiceRender’s character transcoding logic is to search for specific wide byte characters and convert them into corresponding ASCII characters.<\/p>\n\n\n\n The decimal value sequence corresponding to the wide character to be converted is:<\/p>\n\n\n\n [321, 325, 338, 334, 332, 331, 324, 329, 335, 333, 341, 340, 339, 322, 345, 353, 357, 361, 370, 366, 364, 363, 356, 367, 365, 373, 372, 371, 354, 377]<\/p>\n\n\n\n The corresponding ASCII character sequence is:<\/p>\n\n\n\n [A, E, R, N, L, K, D, I, O, M, U, T, S, B, Y, a, e, i, r, n, l, k, d, o, m, u, t, s, b, y]<\/p>\n\n\n\n After the conversion is completed, NiceRender will hide the “enable editing” notification at the top of the original content to further improve the credibility of the document.<\/p>\n\n\n\n The following figure shows the comparison between the original content of a typical NiceRender bait and the effect after transcoding.<\/p>\n\n\n\n (II) Online notification<\/strong><\/p>\n\n\n\n This version of NiceRender has a special operation, which will notify the attacker through the network when the macro code is running.<\/p>\n\n\n\n This notification operation is realized through the DNS resolution mechanism. The NiceRender producer first registers the domain name “cachedns. IO” and binds the resolution server of the domain to itself:<\/p>\n\n\n\n When the macro code of the NiceRender document runs, the current timestamp will be obtained and combined into a domain name in the following format:<\/p>\n\n\n\n [timestamp]. D0g3.cachedns.io<\/p>\n\n\n\n The Trojan then performs DNS query on the domain name. Since the attacker has set the primary domain as described above, the DNS related query request will be directly sent to the domain name server deployed by the attacker. The attacker can read the domain name and obtain the tag (d0g3) and running time (timestamp) information of the corresponding NiceRender component to control the running state and attack scale of the component.<\/p>\n\n\n\n (III) Payload release<\/strong><\/p>\n\n\n\n NiceRender then reads the text information in the specific object in the document, obtains a PE file and saves it to %LOCALAPPDATA%\\Microsoft\\EdgeFss\\FileSyncShell64.dll. The PE file is the UniversalDonut Trojan.<\/p>\n\n\n\n It should be noted that NiceRender uses a COM component hijacking policy to load the DLL file. The tool adds a running key to the windows scheduled task MsCtfMonitor by modifying the registry key, which points to the above DLL file path to run malicious programs.<\/p>\n\n\n\n The specific implementation of the hijacking logic can be referred to:<\/p>\n\n\n\n https:\/\/github.com\/S3cur3Th1sSh1t\/OffensiveVBA\/blob\/main\/src\/COMHijack_DLL_Load.vba<\/a><\/p>\n\n\n\n UniversalDonut<\/strong><\/p>\n\n\n\n MurenShark attackers frequently use a Trojan program in the form of DLL as a transitional component in their attack process. NSFOCUS Security Labs named it UniversalDonut according to the key information of this component.<\/p>\n\n\n\n UniversalDonut is a Trojan program of shellcode loader type. After the Trojan is executed, first detect the following items:<\/p>\n\n\n\n After the detection passes, the Trojan uses the multibyte XOR algorithm to decrypt a section of shellcode contained in the resource section and run it.<\/p>\n\n\n\n The shellcode carried by UniversalDonut is a complete payload generated by an open source framework Donut (https:\/\/github.com\/TheWover\/donut). With this framework, UniversalDonut can implement a large number of countermeasures in the shellcode execution stage, including Chaskey algorithm encryption, AMSI \/ WDLP bypass, connectivity detection, etc. Most importantly, the. Net support provided by Donut allows MurenShark attackers to use this shellcode to load LetMeOut, the main Trojan horse in subsequent stages.<\/p>\n\n\n\n LetMeOut<\/strong><\/p>\n\n\n\n LetMeOut is a kind of .Net downloader Trojan, equipped with a unique insurance mechanism. MurenShark has used this Trojan horse many times in the invasion process.<\/p>\n\n\n\n The main code logic of LetMeOut is divided into two parts:<\/p>\n\n\n\n The program first confirms whether there is a binary file named FileSyncShell64.dat under the directory %LOCALAPPDATA%\\Microsoft\\EdgeFss\\. If the file is found, decrypts and decompresses the file using the multibyte XOR algorithm and gzip compression algorithm, and then loads it into memory for operation.<\/p>\n\n\n\n Judging by the behavior, the FileSyncShell64.dat is an encrypted Trojan file cached locally by the Trojan program after C&C communication.<\/p>\n\n\n\n If a file named FileSyncShell64.dat is not found in the specified directory, the Trojan will specify the C&C server address for HTTP communication, and attach three pieces of information in the HTTP parameter section.<\/p>\n\n\n\n P1 base64 transcoding, Current proxy content<\/p>\n\n\n\n P2 base64 transcoding, http User-Agent content<\/p>\n\n\n\n P3 Boolean value, TRUE or FALSE on 64-bit process<\/p>\n\n\n\n Thenthe program makes a second HTTP request to obtain the contents of a hash path obtained through calculation. The hash path is calculated by the following parameters:<\/p>\n\n\n\n The decryption method of the encrypted content contained in the reply package is the same as that of the FileSyncShell64.dat file. The LetMeOut Trojan will run the decrypted content in the form of shellcode.<\/p>\n\n\n\n CobaltStrike<\/strong><\/p>\n\n\n\n MurenShark uses the famous CobaltStrike penetration platform to manage the invaded hosts, and completes horizontal movement and secret theft through the CobaltStrike Beacon Trojan horse program.<\/p>\n\n\n\n Attack on Scientific and Technological Research Council of Turkey<\/p>\n\n\n\n According to the investigation conducted by NSFOCUS Security Labs, one of the main targets of MurenShark, Scientific and Technological Research Council of Turkey, is not the first time to be attacked. As a top scientific research institution that has undertaken a large number of national projects in Turkey, it is a key victim of various hacking activities and even APT activities.<\/p>\n\n\n\n A type of frequent attacks against this institution are launched in the form of phishing emails. The attackers use common payloads such as compressed package attachments and vulnerability documents to deliver AgentTesla and other secret theft Trojans to the users of tubitak.gov.tr mailbox, and collect files, credentials and browser cache data on the victim’s host.<\/p>\n\n\n\n There are also some e-mails with forged quotation request and organization pictures of Scientific and Technological Research Council of Turkey in the mail body, and the attachments of the e-mails carry AgentTesla Trojan horse in the form of compressed package.<\/p>\n\n\n\n The above-mentioned attacks are very typical in the phishing mail activities in recent years. The mail hacker organization will use this method to steal various documents in the victim’s host and sell them in black market. These phishing emails indicate that Scientific and Technological Research Council of Turkey has been exposed in a high risk of data leakage for a long time. Another type of attack is more serious, directly from MuddyWater, an Iranian APT organization. MuddyWater launched a series of phishing attacks against Scientific and Technological Research Council of Turkey around 2019. The process of such attacks is relatively simple, that is to use several types of PowerShell Trojans by delivering bait documents with keyword “TÃœBÄ°TAKâ€.<\/p>\n\n\n\n![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2022\/09\/ms6.png\")
<\/a>![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2022\/09\/ms7.png\")
<\/a>Known Attack Tools<\/h2>\n\n\n\n
![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2022\/09\/ms8.png\")
<\/a>![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2022\/09\/ms9.png\")
<\/a><\/figure>\n\n\n\n![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2022\/09\/ms10.png\")
<\/a>![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2022\/09\/ms11.png\")
<\/a>Related Investigation<\/h2>\n\n\n\n
![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2022\/09\/ms12.png\")
<\/a>![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2022\/09\/ms13.png\")
<\/a>
![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2022\/09\/ms14.png\")
<\/a>![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2022\/09\/ms15.png\")
<\/a>