Components<\/h2>\n\n\n\n
Evilnum mainly used a new customized trojan in this operation. NSFOCUS Security Labs named it DarkMe based on the particular string in the trojan program.<\/p>\n\n\n\n
NSFOCUS Security Labs also discovered another new trojan program that had a close connection to this operation and named it PikoloRAT, also based on the particular string in the program.<\/p>\n\n\n\n
1. DarkMe<\/strong><\/p>\n\n\n\n DarkMe is a VisualBasic spy trojan developed by Evilnum attackers and is used in various attack flows. The initial version of DarkMe appeared on September 25, 2021, and five iteration versions have been released so far.<\/p>\n\n\n\n The communication ability of DarkMe is implemented through the public module WinSock32 (http:\/\/leandroascierto.com\/blog\/winsock32\/). This module creates a window named SOCKET_WINDOW to implement socket communication with the server.<\/p>\n\n\n\n On the basis of this module, a significant number of functional codes are gradually added to DarkMe, allowing it to evolve from a downloader trojan into a stub spy trojan.<\/p>\n\n\n\n Different versions of DarkMe have different functional codes. Here, we will describe the trojan program version 5, ShellRunDllVb.dll, that appeared in this operation.<\/p>\n\n\n\n After ShellRunDllVb.dll is executed, it will collect host information and send it to the C&C server. DarkMe collects the following host information, including the geolocation abbreviation, country name, computer name, user name, antivirus software list, trojan mark, and the title of the foreground window. These items are separated by a fixed separator 0x3F, and prepended with a fixed string “92â€. The resulting register information is then sent to the C&C server.<\/p>\n\n\n DarkMe has multiple modules to support different espionage functions. clsfile is a major module used to implement file operations under C&C control. The C&C instruction is contained in the first six bytes of the communication content. The function of each instruction is described as follows:<\/p>\n\n\n In addition, DarkMe has been integrated with a set of public codes<\/a> to achieve the screenshot function.<\/p>\n\n\n DarkMe also provides persistence and self-updating functions as well as the keylogging function in some versions.<\/p>\n\n\n\n With a deeper look at samples in the wild, NSFOCUS Security Labs found DarkMe had a history of more than half a year, and was already available in multiple versions. The version iteration timeline of DarkMe is as follows:<\/p>\n\n\n It can be seen that during its lifecycle, DarkMe has evolved from a loader trojan to a spy trojan, and then to a stub payload integrated into complex attack flows. DarkMe version 4 and DarkMe version 5 both have complete code functions and can be used as a primary stealing tool or as a loader for other tools, so they were widely adopted by Evilnum attackers in recent attacks.<\/p>\n\n\n\n 2. PikoloRAT<\/strong><\/p>\n\n\n\n NSFOCUS discovered another new remote control trojan, PikoloRAT, during the in-depth analysis of the relevant information of this operation. PikoloRAT comes with typical remote control functions and can use built-in components to implement more complex control operations.<\/p>\n\n\n\n Since the built-in C&C addresses of PikoloRAT were found to coincide with the addresses used in this operation and PikoloRAT could complement the above-mentioned DarkMe, NSFOCUS Security Labs believed that PikoloRAT was used as an extension component by Evilnum attackers in the later stage of this operation.<\/p>\n\n\n\n The discovered cases demonstrated that PikoloRAT was delivered via a downloader trojan or packaged as a compressed file.<\/p>\n\n\n\n PikoloRAT is a typical RAT trojan program written in C#.<\/p>\n\n\n After PikoloRAT runs, it first collects and uploads the host information. The collected contents include the trojan mark, user name, computer name, geolocation, operating system version, trojan running time, trojan version, and antivirus software information. PikoloRAT uses a “|” to separate the preceding items, prepends them with a fixed string “654321”, and then sends it to the C&C server.<\/p>\n\n\n It can be seen that the content and format of the online traffic of PikoloRAT are similar to those of the above-mentioned DarkMe.<\/p>\n\n\n\n Then PikoloRAT enters the controlled state to control host behaviors by obtaining instructions from C&C servers. The supported remote control instructions are as follows:<\/p>\n\n\n In addition to basic remote control functions, PikoloRAT can perform more sophisticated remote control by dropping the built-in PEGASUS HVNC module, a recently leaked hVNC tool.<\/p>\n\n\n\n Overwriting Files While Sideloading<\/strong><\/p>\n\n\n\n In attack flow A, Evilnum attackers delivered a malicious file python39.dll<\/strong> and sideloaded it through a legitimate file python.exe<\/strong>. Different from common sideloading build logics, python39.dll<\/strong> was obtained by directly overwriting the original python39.dll<\/strong>. Evilnum attackers directly wrote a piece of shellcode to the location of the function PyImport_AddModuleObject of the original python39.dll<\/strong> so that the shellcode was started when python39.dll<\/strong> was loaded.<\/p>\n\n\n\n The benefits of this design are:<\/p>\n\n\n\n Shellcode Framework<\/strong><\/p>\n\n\n\n In attack flow A, Evilnum attackers used different shellcodes at different stages. Since these shellcodes had similar code implementation logic, NSFOCUS Security Labs believed that they originated from the same shellcode programming framework. The overall composition and code complexity in this operation were improved compared to previous Evilnum activities.<\/p>\n\n\n\n ntdll Mapping<\/strong><\/p>\n\n\n\n In the shellcode used in this operation, Evilnum attackers still adopted two modules, kernel32 and ntdll, to build the main attack flow. To avoid API detection for such behaviors, the attackers used the following method to map the ntdll file and use the API of the mapped file.<\/p>\n\n\n In the implementation, the attacker reloaded the ntdll module through file mapping, and obtained the API base address of the mapped API by calculating the offset of the base address of the API in the original ntdll file. Then the shellcode used the mapped API to implement corresponding behaviors, thus avoiding original API call behaviors and preventing key parameters from being monitored and recorded.<\/p>\n\n\n\n X64call<\/strong><\/p>\n\n\n\n In attack flow A, Evilnum attackers used X64call to call key APIs while injecting cmd.exe.<\/p>\n\n\n\n The injected shellcode firstly detected the process environment and the host CPU model. If the requirements were satisfied, it would call their 64-bit implementations while using key injection APIs such as NtAllocateVirtualMemory and NtWriteVirtualMemory.<\/p>\n\n\n This technique can also bypass API detection.<\/p>\n\n\n\n Image Steganography<\/strong><\/p>\n\n\n\n Evilnum attackers used two types of steganographic images in this operation.<\/p>\n\n\n\n In attack flow B, the image IMG.jpg used redundant steganography that deposited the malicious code at the end of the file and used a fixed string ($HEH$E) as the separator.<\/p>\n\n\n In attack flow A, the image carrying the payload used the RGB color image steganography scheme that deposited the malicious code in the R color pixel.<\/p>\n\n\n This construction could make blue-green dots show in white areas and red dots show in black areas in the steganographic image.<\/p>\n\n\n Socket Window<\/strong><\/p>\n\n\n\n In this operation, the trojan DarkMe used SOCKET_WINDOW communication, an old VisualBasic socket programming technique that hooks winsock messages through a SOCKET_WINDOW window and handles event messages passed by WSAAsyncSelect in the window callback function. For the original framework, refer to here<\/a>.<\/p>\n\n\n\n COM Component Execution<\/strong><\/p>\n\n\n\n Some DarkMe trojans were delivered as COM components in this operation. Evilnum attackers wrote the registry operation logic to the preloaded trojan payload, allowing it to generate and execute the file Register.reg that contained the following contents.<\/p>\n\n\n![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2022\/09\/Register-traffic-of-DarkMe-300x55.png\")
<\/a>![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2022\/09\/Description-of-DarkMe-instructions.png\")
<\/a>![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2022\/09\/Screenshot-function-implemented-by-DarkMe-right-and-public-code-left-300x145.png\")
<\/a>![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2022\/09\/Version-iteration-of-DarkMe-300x129.png\")
<\/a>![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2022\/09\/Main-frame-of-PikoloRAT.png\")
<\/a>![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2022\/09\/Online-traffic-of-PikoloRAT-300x68.png\")
<\/a>![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2022\/09\/Description-of-PikoloRAT-instructions.png\")
<\/a>Techniques and Tactics<\/h2>\n\n\n\n
![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2022\/09\/Overwritten-PyImport_AddModuleObject-function-in-python39.dll_-300x133.png\")
<\/a>![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2022\/09\/Mapping-logic-of-the-ntdll-module-in-the-shellcode-300x101.png\")
<\/a>![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2022\/09\/X64call-calling-logic-in-the-shellcode-injection-code-300x150.png\")
<\/a>![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2022\/09\/X64call-calling-code-300x86.png\")
<\/a>![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2022\/09\/Steganographic-information-in-IMG.jpg.-300x159.png\")
<\/a>![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2022\/09\/RGB-values-in-the-steganographic-image-sKr93I.png-right-and-extracted-compressed-data-content-left-300x52.png\")
<\/a>![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2022\/09\/Appearance-of-the-steganographic-image-sKr93I-300x300.png\")
<\/a>![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2022\/09\/Appearance-of-the-steganographic-image-Fruit-300x201.png\")
<\/a>
![\"Red](\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2022\/09\/Contents-of-Register.reg_-300x103.png\")
<\/a>