Analysis of APT19 Campaign

APT19 is a threat group based out of China, they have targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2014, APT19 was responsible for the Forbes.com breach. APT19 threat group was able to chain together two zero day vulnerabilities, one against Adobe’s Flash Player and one against Microsoft’s Internet Explorer, to compromise the popular news website in late 2014.

In 2017, a phishing campaign was used by the APT19 threat group to target seven law and investment firms. The APT19 threat group made use of obfuscated PowerShell macros embedded within Word documents generated by Empire. Some analysts track APT19 and Deep Panda as the same group owing to the overlap in toolkit and code re-use, but it is unclear from public sources, if these two groups are the same.

Targets: North America, Australia

Motivation: Intelligence / Espionage Operations

Toolkit: Derusbi Backdoor, Poison Ivy, Empire framework and Cobalt Strike (payload)

Static Analysis of APT19 Campaign

Sample Information

SHA256 : DE33DFCE8143F9F929ABDA910632F7536FFA809603EC027A4193D5E57880B292

Filetype : DLL

Attack    : Chinese APT19 attack

It is possibly compiled in Microsoft Visual C++

File we are analyzing with ref: APT19 is a DLL file,

Interesting Strings we observed during analysis are given below,

Malicious process uses the GetTickCount API call to compute a random string consisting of 3 characters,

APT19 creates a DLL file called qlr.dll using CreateFileA,

Next, it deletes the file/directory using RemoveDirectoryA,

User Impersonation

Here’s how the APT19 malware impersonates the logged on user,

• It determines the Process ID. Next it inherits the process handle and opens the process.
• It determines process privilege using GetTokenInformation.
• Subsequently, the malware elevates the token using parameter 0x14.
• To learn more visit https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser

The malware then creates a new service named WinHelpSrv using CreateServiceA, as shown below,

WinHelpSrv is made persistent by adding a registry key under HKEY_CURRENT_USER “\”C:\Windows\SysWOW64\rundll32.exe\””

Common Anti Debugging Techniques

The malware employs a couple of well-known anti-analysis measures, including comparing the executable image path to rundll32.exe and checking for the presence of a debugger (IsDebuggerPresent). These methods enable the software to use ExitProcess to terminate itself and ensures that a threat researcher cannot execute the file.

Dynamic Analysis of APT19 Campaign

Infection Chain

By using spam campaigns with attachments as its initial infection vectors, the APT19 malware infects the victim machine (EML). Typically, it includes RTF documents from Microsoft Office that have macro content. This time, they linked with the intended object via an external URL. Thus, the victim must perform their necessary tasks by hand. Once finished, it will carry out the action on objectives.

Sample Information:
Sample   : 76e7ce4ab6d520f0717bb0dea8ff6973e1f7c6ea39f7138a5eb5d5483fd21e21
File-Type: RTF
Category: Exploit CVE-2017-0199
Attack     : Chinese APT19 attack

Technical Analysis of RTF:
Rich Text Format (RTF) is a file format that controls how texts are formatted. It is made up of groups, control words, control symbols, and unformatted text. They are used by RTF readers to enable a specific format for the text display. RTF files can include additional information such as font style, formatting, graphics, and more in addition to plain text, which is not possible with regular text files. Since many applications support them, they are excellent for cross-platform document sharing.

The document features a pop-up window asking the user whether they wish to update because it contains links to other files. What this means is that this document may open or include another embedded document within an RTF file, but the user is unaware that the document was silently installed in a hidden folder.

On Opening the Linked Data

Once linked, the user has access to the document. However, they are unaware that the object is linked to an external unknown or hidden document.

Actual file content:
Rich Text Format (RTF) files are typically used by threat actors to store exploits that target flaws in Microsoft Office and other software.

HTTP Request:

When the RTF file is opened, the macro runs a payload that was extracted to the user’s TEMP directory. Although the executable files are deleted when the Word instance is closed, the RTF files created by the macro in the temp directory could remain and be used as a host indicator during triage or response activities. APT19 sends a HTTP request to ensure that the target system has internet access (or is active) before proceeding with the attack.

Malicious Actions Performed,

APT19 used a watering hole attack on specified domain to compromise the targets.

APT19 concealed PowerShell code, possibly from the Empire framework -W Hidden by setting the Window-Style parameter to hidden, and launched a HTTP malware variant and a Port 22 malware variant using a legitimate executable that loaded the malicious DLL.

General Mitigation measures to prevent APT19,

If you do not trust the resource, do not open any attachments from external users.
Do not open any URLs from unknown senders.
Protect exposed web applications with web application firewalls, and close unnecessary firewall ports for the network and individual devices.
Use strong passwords and make Multi Factor Authentication, an organization wide habit
Maintain effective Endpoint Detection & Response applications such as (antivirus, EDR) and NDR, monitor your e-mails, and secure your email servers, when in doubt, opt for a compromise assesment to truly know the security posture of your network.

Indicators of Compromise – IOC to detect APT19 Attack

MITRE ATT&CK Mapping for APT19