Key Takeaways
- Cyble Research and Intelligence Labs (CRIL) has discovered a new Advanced Persistent Threat (APT) campaign focusing on luring unsuspecting victims through phishing websites mimicking well-known software applications.
- In this campaign, a phishing website was observed masquerading as OpenVPN software tailored for Chinese users and serves as a host to deliver the malicious payload.
- Once executed, the installer drops and runs Rust-based malware on the system, subsequently triggering a Shellcode.
- The Shellcode performs anti-debugging and decryption operations. Afterward, it establishes encrypted Command and Control (C&C) communication with a remote Threat Actor (TA).
- Surprisingly, the characteristics of this malware bear similarities to those previously employed by the Higaisa APT group in their past campaigns.
- Further investigation revealed that the C&C IP was associated with three additional malicious installers responsible for downloading Google Meet and Zoom, indicating a broader and coordinated malicious effort.
Overview
Cyble Research and Intelligence Labs (CRIL) discovered a phishing website named “open-vpn[.]top” on October 16th. This deceptive site is designed to imitate the legitimate OpenVPN website. It is suspected to be associated with a new campaign initiated by an Advanced Persistent Threat (APT) group called Higaisa.
Higaisa APT is believed to have South Korean origins and was initially disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s malicious activities can be traced back to at least 2016, involving the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Their targets encompass government officials, human rights organizations, and other entities associated with North Korea.
Phishing websites are frequently utilized by Threat Actors (TAs) as their primary method for distributing malware. These TAs frequently employ brand impersonation in their phishing campaigns, adeptly tricking users into a false sense of trust and legitimacy, ultimately enticing unsuspecting individuals. Given the widespread use of VPNs by individuals to overcome online censorship, it is conceivable that these TAs are specifically targeting those seeking to evade such restrictions. The image below depicts the fraudulent OpenVPN website.
The website hosted a malicious OpenVPN installer file, which is bundled with a genuine OpenVPN executable and a malicious Rust-based executable. Notably, the Rust-based executable has a valid digital signature. This digital signature is attributed to the Chinese organization “Zhiya Yunke (Chengdu) Finance and Tax Service Co., Ltd.,” as shown below.
CRIL investigated further to identify any resemblances to previous campaigns. During this analysis, we discovered that Malwarebytes had previously identified a campaign where the initial infection was initiated through LNK files. Additionally, Zscaler published an in-depth analysis of the final payload used in that campaign.
Technical Analysis
We have obtained a file named “OpenVPN.exe” from the phishing website. This file is a 32-bit Graphical User Interface-based executable.
Upon execution of the file, it initiates a prompt for the user to choose their desired language, as shown in the figure below. It displays an installation wizard to proceed with the installation process.
During the installation, the installer drops several files in the “C:\Program Files (x86)\OpenVPN” directory. These files consist of the genuine OpenVPN MSI installer (openvpn.msi), two legitimate runtime DLLs (vcruntime140.dll & vcruntime140Org.dll), and an additional malicious 64-bit console-based executable file written in the Rust programming language named “rom.exe,” which is a shellcode runner. Then, the installer file executes the malicious “rom.exe” file.
The figure below shows the files dropped by the OpenVPN executable.
When “rom.exe” is executed, the malware employs Windows APIs such as FindResource(), LoadResource(), and SizeofResource() to search for encrypted content stored within the executable’s resource section. Subsequently, it decrypts this content, which is a Shellcode and proceeds to execute it. The figure below shows the malware locating and executing the Shellcode.
Upon execution, the Shellcode conducts an anti-debugging check by calculating a 32-bit hash of the current code section and subsequently comparing it to the original 32-bit hash of the code section. This check is designed to detect debugging attempts. When a debugger is in use, and a breakpoint is added, the debugger inserts the opcode “0xCC” at the location where the original opcode existed. This alteration to the opcode disrupts the original hash of the code section. If the hash does not match, the Shellcode terminates itself. The figure below shows the hash comparison.
Subsequent to performing the anti-debugging operation, the malware proceeds secondary decryption of the Shellcode using a 16-byte XOR key and executes it, as shown in the figure below.
After decryption, it creates a new thread with the purpose of generating a cryptographic session key. This key is intended to be sent to the C&C server to establish a secure communication channel.
To generate the session key, the Shellcode initially utilizes the API function UUIDCreate(), which generates a 16-byte UUID (Universally Unique Identifier). This UUID will then be used for creating an AES encryption key. The code responsible for creating this UUID is depicted in the figure below.
After generating the initial UUID, it proceeds to create an additional UUID. The last byte of the newly created UUID is typically used to generate a byte that will be used to compute a 32-bit hash using ROR and ADD-based instructions. This process is similar to the process used by shell code to compute hash at the time of anti-debugging operation. This hash is then passed to the CryptBinaryToStringA() API function for the purpose of generating Base64 encoded data using the second UUID, as shown in the figure below.
The Shellcode employs the Windows Crypto API CryptCreateHash() to generate an MD5 hash using the first UUID. Subsequently, the Shellcode proceeds to create a second MD5 hash, this time of the previously generated hash. The figure below shows the routine for creating these hashes.
Once the hashes are generated, the Shellcode proceeds to create a 128-bit AES encryption key using the CryptDeriveKey() function. The figure below shows the routine involved in creating this 128-bit AES key.
The newly generated AES key is employed to enable encrypted communication with the C&C server. To establish a secure connection with the C&C server, the Shellcode utilizes a socket.
Following the key initialization, the Shellcode initiates another thread, within which it establishes a socket connection and verifies the internet connectivity. To determine internet availability, the Shellcode evaluates connections to a predefined list of websites. If any of these websites can be reached, the Shellcode proceeds with additional operations. The figure below shows the routine containing hardcoded URLs.
Network Communication
Following an internet connectivity check, the Shellcode initiates communication with the C&C server. To facilitate this communication, the Shellcode spawns additional threads. Specifically, it creates two additional threads that collaborate to manage the commands exchanged between the backdoor and the C&C server.
The Shellcode creates a dispatch thread to handle the commands posted by the worker thread. The function of the dispatch thread is to create a message queue leveraging the PeekMessageW() API. Then, the worker thread proceeds to send the message ID alongside the command buffer to the message queue using the PostThreadMessageW() API.
Once the dispatch thread receives a message from the worker thread, the message is then retrieved with the help of the GetMessageW() API.
Based on the ID of the messages received, the command handler will accordingly receive the message. The figure below shows the dispatch thread.
The shellcode is communicating to the IP 43.246.209[.]83 whose details are mentioned below:
| Network | 43.246.208.0/22 |
| Autonomous System Number | 132883 |
| Autonomous System Label | TOPWAY GLOBAL LIMITED |
| Regional Internet Registry | APNIC |
| Country | Hongkong |
Upon establishing a successful connection with the C&C server, the attacker gains the ability to take control of the victim’s machine, perform malicious activities, and deploy additional malware, such as ransomware and others.
CRIL also noticed three additional files engaged in communication with the C&C server, masquerading as GoogleMeet and ZoomInstaller.
Conclusion
TAs often hide their malware payloads within genuine software installer files for various strategic reasons. This approach leverages the trust users have in legitimate software, increasing the likelihood of users willingly executing these files – believing them to be secure. Moreover, genuine software installers are frequently distributed through widely recognized channels, diminishing suspicion and boosting the chances of successful infiltration.
In this case, TAs are concealing a shellcode runner within the legitimate OpenVPN software application. The analyzed Shellcode displays a high level of sophistication and presents a significant danger to unsuspecting users, largely due to the fact that the associated files possess valid digital signatures. This attribute significantly reduces the likelihood of detection at the time of writing this blog.
Moreover, the manual nature of the malware’s operation suggests that the TAs are carefully selecting their targets for more precise and specific operations. This underscores the importance of user vigilance in light of the potential for further such attacks. Users should remain alert to the possibility of similar threats in the future.
Our Recommendations
- The initial infiltration is taking place via phishing websites. It is crucial to only download and install software applications from well-known and trusted sources.
- Users should confirm the legitimacy of websites by verifying the presence of a secure connection (https://) and ensuring the accurate spelling of domain names.
- Deploy strong antivirus and anti-malware solutions to detect and remove malicious executable files.
- Enhance the system security by creating strong, distinct passwords for each of the accounts and, whenever feasible, activate two-factor authentication.
- Regularly back up data to guarantee the ability to recover it in case of an infection and keep users informed about the most current phishing and social engineering methods employed by cybercriminals.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access (TA0001) | Drive-by Compromise (T1189) | TAs hosting malware on websites |
| Execution (TA0002) | User Execution (T1203) | User opens the malicious software installer |
| Privilege Escalation (TA0004) | Hijack Execution Flow: Executable Installer File Permissions Weakness (T1574.005) | TAs embedded malicious executable with legitimate software installer |
| Defense Evasion (TA0005) | Debugger Evasion (T1622) | TAs implemented source code hashing to check breakpoints |
| Command and Control (TA0011) | Encrypted Channel: Symmetric Cryptography (T1573.001) | TAs using AES 128-bit encryption to send the data to C&C |
| Command and Control (TA0011) | Application Layer Protocol : Web Protocols (T1437.001) | Communicated with C&C server using HTTP |
| Exfiltration (TA0010) | Exfiltration Over C2 Channel (T1041) | Exfiltration Over C&C Channel |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Details |
| open-vpn[.]top | URL | Download page |
| 43.246.209[.]83 | IP | C&C |
| aec9716853a0814b3bf974314542b999 93a5cb6925e6d7154401142478739bf82f1a7611 2ce87c2719fa5119e6519a1c97b18a4b30ec1ec39167454c94a057831ae3ebcf | MD5 SHA1 SHA256 | Malicious installer |
| fb08395645ba9da02224101ad25e06d3 b620fdd9ae29303d3e6eab359deeec6f09ffb888 d329431aa23dba73214d1c104d01d57653fc59989a915337d1f92e6c7b56ac13 | MD5 SHA1 SHA256 | rom.exe |
| d0b94b242e23327e81b5a0b50b4a5171 79d35375f8bfb168c07c7c7fe235dee4e086e6cd ff1221e79f2b3c563ccb8345cf833001a276932b3ec7d10c9f0bc9c362af1a8f | MD5 SHA1 SHA256 | GoogleMeet.exe |
| 1e76771744ba85ae91d35756dd3d5ebd 54228718bddb9c282abbdbf726c99a3da83c5d0d 9c426d8f9cf933ec604757617660b80e6dce884ac13ac29c28f50262f9695795 | MD5 SHA1 SHA256 | Zoom.exe |
| 8bbe41fd86dab09e06ce461b2ab13caa 0c694e57d3ac3ad608b69d50084e0e82952cd1d7 330863846998cf8f5c61f21a73a83fb54669074dcdcb4411e8d5cb0a7894efe4 | MD5 SHA1 SHA256 | Pg.exe |
YARA Rule
rule Higasia_APT
{
meta:
author = “Cyble”
description = “Detects Higasia Loader”
date = “2023-10-26”
os = “Windows”
scan_type = “file”
severity = 90
reference_sample = “d329431aa23dba73214d1c104d01d57653fc59989a915337d1f92e6c7b56ac13”
strings:
$a = “MECHREVO”
$b = “\\shellcode_runner.pdb”
$c = “shellcode_runner\\”
condition:
uint16(0) == 0x5a4d and all of them
}
