Evasive Maneuvers by the Wekby Group with Custom ROP-packing and DNS Covert Channels

<p>ThreatStream Labs recently became aware of a campaign beginning on 30 June 2015 by the omniprescent Wekby threat actors (a/k/a <a href="http://www.secureworks.com/resources/blog/vertical-hopscotch/">TG-0416</a>, <a href="http://www.bloomberg.com/news/articles/2014-08-21/chinese-hackers-vacuum-data-from-u-s-health-industry">APT-18</a>, Dynamite Panda). The Wekby actors have recently been observed compromising organizations in the Manufacturing, Technology and Utilities verticals, but have had a long standing interest in the HealthCare industry.  This campaign uses obfuscated variants of the HTTPBrowser tool that use DNS as a control channel.</p><p>This recent campaign exhibits many of the groups key characteristics to deliver a more technically advanced version of their toolkit than has previously been found. The Wekby group is keen on using phishes that purport to be from the IT helpdesk, often with links or attachments claiming to be vpn or citrix upgrades. This specific instance used a “cisco” vpnclient theme.</p><p>The Phishing links are: </p><p><em>hXXp://it-desktop[.]com/vpn/cisco/vpnclient.exe</em></p><p><em>hXXp://wangke99[.]tgk[.]delldns[.]com/tools.exe</em></p><p>These URIs result in the download of an installer, which creates a PE of the malware typically known as HTTPBrowser, but called Token Control by the Wekby group themselves (based upon the PDB strings found within many of the samples).  The PEBuildDate of the installers range from 2015-06-30 11:57:13 to 12:03:13 UTC. Two samples use subdomains of local.it-desktop.com and were submitted to VirusTotal at 15:32:37 from users in Great Britain. At that time only 8 of 55 AntiVirus engines detected the same as malware, mostly with generic and heuristic detections.  The third sample was first submitted on July 1st 2015 from a user in South Korea.   </p><p>The samples install HTTPBrowser at <em>%APPDATA%/wdm.exe</em>. Persistence is established via the <em>HKCUSoftwareMicrosoftWindowsCurrentVersionRun</em> key value for <em>wdm</em> set to the path of the executable. Previous samples have set persistence via Run key values for <em>360v</em>.</p><p> <img alt="HKCU Run Key for wdm" src="https://cdn.filestackcontent.com/fbKoMJoVSwWd1evTDsRM"/></p><p>This tool has been used by a few groups since at least 2012 based upon PEBuildDates). However this sample is a bit more interesting. Normally HTTPBrowser sends traffic over HTTP using a user-agent of <em>HTTPBrowser/1.0</em>.  This sample uses DNS as a covert channel for communications. Specifically this sample utilizes DNS TXT records with 9 uppercase letters followed by a number and 7 more uppercase letters, then the C2 domain used. In this PCAP the C2 domain is glb.it-desktop.com. The “glb” label is believed to be a campaign ID. The other samples use the C2 domains of local.it-desktop.com and hi.getgo2.com</p><p><img alt="DNS TXT C2" src="https://cdn.filestackcontent.com/b3ahC1fdRsSOlUWmLnHx"/></p><p>Adding to the intrigue of this sample is a novel form of obfuscation that greatly complicates analysis. Specifically the sample uses Return Oriented Programming to control execution flow, and creates an extraordinary amount of functions filled with instructions that essentially evaluate to elaborate NOPs (no operation).  The way this works is each function modifies the stack to replace the return point with additional functions including a function that includes the next bit of code that needs to be executed. Each subroutine includes the bare minimum number of operations necessary to call another subroutine, or perform local control flow (looping, branching, and simple calculations), before modifying the stack to return to the next subroutine. While looking at a sample in OllyDbg, you would see the following, where execution will continue with Subroutine <em>0x0040F62E</em>. If that subroutine does not add any additional functions to the stack, execution will continue to Subroutine <em>0x0040F38A</em>. </p><p><img alt="ROP Obfuscation" src="https://cdn.filestackcontent.com/aGPJtCnaS5emrMHeTapm"/></p><p>While many of the Wekby threat actors campaigns may appear unsophisticated because they often rely upon stolen credentials or basic malware, this group of actors is extremely successful at obtaining their objectives. If your organization does not use Two-Factor authentication, the group will typically rely upon stolen credentials for remote access. The Wekby group has exhibited a preference to use a tool named HcdLoader which often persists as a Windows Service on externally facing servers for remote access. The group is particularly skilled at living off the land by using the tools already present on computers for <a href="http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/">lateral movement</a> and exfiltration.</p><p> </p><p>The samples detailed here can be found on VirusTotal at:</p><p><a href="https://www.virustotal.com/en/file/4d62caef1ca8f4f9aead7823c95228a52852a1145ca6aaa58ad8493e042aed16/analysis/">d0f79de7bd194c1843e7411c473e4288 </a></p><p><a href="https://www.virustotal.com/en/file/1b341dab023de64598d80456349db146aafe9b9e2ec24490c7d0ac881cecc094/analysis/">e5414c5215c9305feeebbe0dbee43567</a> </p><p><a href="https://www.virustotal.com/en/file/9200f80c08b21ebae065141f0367f9c88f8fed896b0b4af9ec30fc98c606129b/analysis/">985eba97e12c3e5bce9221631fb66d68</a></p><p> </p><p><strong>UPDATE: The original post noted a domain of hi.get2go.com in error. This domain should have been hi.getgo2.com</strong></p>