Higaisa or Winnti? How We Defined Backdoor Ownership





While monitoring information security threats in May 2020, Positive Technologies experts discovered several new malware samples. At first glance they appeared attributable to the Higaisa group, but detailed analysis showed that they should be associated with the Winnti group (also known as APT41, according to FireEye).





Detailed monitoring also revealed many other samples of APT41 malware, including backdoors, droppers, loaders, and injectors. We also found samples of a previously unknown backdoor (we named it FunnySwitch) with atypical peer-to-peer messaging functionality. A detailed report is presented here, and this article describes how our research began.





Introduction

The first attack that attracted the attention of experts was dated May 12, 2020.





The malicious file used in it is an archive named Project link and New copyright policy.rar (c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04). The archive contains a decoy document in PDF format (Zeplin Copyright Policy.pdf), as well as a folder All tort's projects - Web lnks with two shortcuts:





  • Conversations - iOS - Swipe Icons - Zeplin.lnk,





  • Tokbox icon - Odds and Ends - iOS - Zeplin.lnk.





20200308-sitrep-48-covid-19.pdf.lnk, Higaisa 2020.





― , LNK- Base64 CAB-, . JS-.





Script content 34fDFkfSD32.js

, , 3t54dE3r.tmp.





30 2020 — CVColliers.rar (df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d) :





  • Curriculum VitaeWANG LEI_Hong Kong Polytechnic University.pdf.lnk,





  • International English Language Testing System certificate.pdf.lnk.





12 . PDF-, IELTS.





Malwarebytes Zscaler. , Higaisa.





, , , Crosswalk. 2017 FireEye APT41 (Winnti).





Fragment of FireEye report
Shellcode snippet 3t54dE3r.tmp

APT41: IP- C2- SSL- SHA-1 b8cff709950cfa86665363d9553532db9922265c, IP- 67.229.97[.]229, CrowdStrike 2018 . Kaspersky 2013 .





, LNK- Winnti (APT41), Higaisa .





Fragment of network infrastructure

Crosswalk

Crosswalk , . , 20 , .





:





  • (uptime);





  • IP- ;





  • MAC- ;





  • ;





  • ;





  • ;





  • ;





  • PID ;





  • .





32-, 64- . , — 1.0, 1.10, 1.21, 1.22, 1.25, 2.0.





Crosswalk VMWare CarbonBlack.





Crosswalk , Crosswalk . ― . VMProtect.





Shellcode injection code into a running process

, SeDebugPrivilege, PID . explorer.exe winlogon.exe.





:





  • Crosswalk,





  • Metasploit stager,





  • FunnySwitch ( ).





― . : , .





, LNK-.





Bootloader main function code

Winnti , . , Metasploit, Cobalt Strike, PlugX, , . , 2020 ― FunnySwitch.





, .





, Positive Technologies. Winnti. 







