[DNSPIONAGE] – weird APT32 stuff ?

[

Explanations

Recently, we had an incident response involving the malware described by TALOS on this blogpost :
https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html

I will not analyze the malware here again, because of course they did an amazing job.

But I will talk about IOC I observed, « Threat Intelligence » and my observations made during this case.

Observations made during Forensics

During such forensics case, I usually try to have a global picture of domains/IP used by the malware involved, including dates (to see the beginning of preparation phase for an example), IP and domains (to see if this is a well-known group, or if this was used in other attacks).

I am usually using VT and RiskIQ.

When using it, I saw the following things :

(source : https://www.virustotal.com/#/domain/hr-suncor.com on 06-dec-2018) :

hr-suncor[.] com Passive DNS Replication
2018-12-06     185[.]161[.]211[.]79
2018-10-24     185[.]174[.]101[.]68

From these IP, I usually check their Passive DNS replication. Sometimes it could be interesting :

(source : https://www.virustotal.com/#/ip-address/185.174.101.68 on 06-dec-2018)

185[.]174[.]101[.]68 Passive DNS Replication
2018-10-24     hr-suncor[.]com
2018-10-16     files-sender[.]com
2018-10-16     hr-wipro[.]com
2018-08-02     sennenresources[.]com
2018-07-11     indianmpkinson[.]com
2018-05-07     www.sennenresources[.]com

Well, some malicious domains, used in DNSPIONAGE attacks (like hr-wipro[.]com).

I did’nt know the other domains, so I tried to look on google about indianmpkinson[.]com (better than nothing) and it gave me this article : https://ti.360.net/blog/articles/oceanlotus-with-cve-2017-8570/ .

Of course, I am fluent in chinese.
This is a report from 360.net about OceanLotus (APT32) which is an APT group known for targeting East-Asia.

Well ok, it is really funny, but maybe not so relevant as indianmpkinson[.]com passive DNS Replication information is dated 2018-07-11. This infrastructure may be reused I guess

And furthermore the TTP and the targets are not exactly the same (especially in my case).

And I had to continue the investigation, so I didn’t have any more time to perform such hypothesis.

More IOC

During my investigation, the malware I had to investigate was the « sh**ty » version. You know, compiled with debug, and with logs in a plaintext file called « log.txt ». (source : https://www.virustotal.com/#/file/2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec/detection on 06-dec-2018 )

So I was very lucky (I know), and I started to understand what the malware did on the target network, using the log.txt.

Reminder : The malware creates a scheduled task (1 execution/minute on targeted laptop).

So in the log.txt, I could tell when the infection was made by counting « lines » of communication. Very clever hacker guys, thanks a lot, it helped a lot for investigation.

So, I was creating a timeline (very useful) with the log.txt datas, and I saw they tried to create an SSH tunnel from inside to 185[.]236[.]78[.]63 in order to connect themselves in RDP (easier with gui when you have no skills using cli I guess).

Do you remember, I told you I usually try to have a global picture when I find this kind of IOCs.

(source : https://www.virustotal.com/#/ip-address/185.236.78.63 on 06-dec-2018)

185[.]236[.]78[.]63 Passive DNS Replication
2018-10-16     perntho[.]com
2018-09-20     tefanie[.]com

And I used ThreatIntelligenceAdvancedPlatform (lol – google) again.

Nothing with tefanie[.]com and nothing with perntho[.]com directly. Ok that’s weird, because the dates are very close of my case (6 october 2018 is the infection date, so around two weeks after the passive dns replication log).

So my mind told me : « hey, try these domains with OceanLotus or APT32 in google, for fun, in case of surprise ».

Ok so now that’s funny : tefanie[.]com is an IOC of the following report redacted in march. – https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf

Conclusion

So, I have two IOC in my case that are present in two different reports talking about APT32, and one of them is not very far away from my case (in terms of timeline). I know these informations come from old passive DNS replication, and may not be releavant, but it’s just an observation I made.

185[.]236[.]78[.]63 ===has passive dns record===> tefanie[.]com ===was observed in===> APT32 ESET report.

hr-suncor[.]com ===used following IP===>185[.]174[.]101[.]68 ===has passive dns record===> indianmpkinson[.]com ===was observed in===> APT32 ti.360.net report.

So I put this here because I don’t really know what to think about these IOC.
What do you think about, is this just an accident, hazard, chance?

I just want to remind you that Threat Intelligence/Attribution and stuff is not exactly my job. I’m an incident responder.

I hope this will help regarding attribution of this attack (because at CERT-OPMD we don’t do attribution, this is not our work) and that it will help people still investigating on these recent incidents.

Regards,

Arnaud from CERT-OPMD

(If you want to contact me : @AZobec on keybase/twitter/stuff)

EDIT

As Félix Aimé  said on Twitter:

Obviously, according to APT-32’s TTP, this case seems not to be linked to this group.

And We can assume that VPS rental is observed here. It’s interesting to see many threat actors using same IP Range or hoster.