ChessMaster Adds Updated Tools to Its Arsenal

by Tamada Kiyotaka and MingYen Hsieh

Trend Micro discovered the ChessMaster campaign back in July 2017 as part of our monitoring efforts to protect our customers. At the time, we found ChessMaster targeting different sectors from the academe to media and government agencies in Japan. The threat group used a variety of attack tools and techniques to spy on their target organizations.

Back then, we noted that ChessMaster’s sophisticated nature implied that the campaign could evolve, before finding changes in the tools and tactics used in the campaign a few months later.  While the original campaign was comprehensive and used remote access Trojans (RATs) such as ChChes and RedLeaves, this new campaign used a new backdoor (Detected by Trend Micro as BKDR_ANEL.ZKEI) that leverages the CVE-2017-8759 vulnerability for its cyberespionage activities.

In this blog post, we analyze ChessMaster’s current status, including the updated tools in its arsenal — with a particular focus on the evolution of ANEL and how it is used in the campaign.

July ChessMaster Campaign November ChessMaster Campaign Current ChessMaster Campaign
Point of Entry
  • Spear-phishing emails containing decoy documents
  • Malicious shortcut (LNK) files and PowerShell
  • Self-extracting archive (SFX)
  • Runtime packers
  • Spear-phishing emails containing decoy documents exploiting CVE-2017-8759
  • Spear-phishing emails containing decoy documents exploiting  CVE-2017-11882, DDEAUTO, Microsoft Office Frameset and Link auto update
Notable Tools
  • Hacking Tools
  • Second-stage payloads


  • Koadic
  • Hacking Tools
  • Second-stage payloads
  • Koadic
  • Hacking Tools
  • Second-stage payloads
  • ChChes
  • ANEL


  • ANEL

Technical Analysis

 Figure 1. Infection Chain for the current ChessMaster campaign

Figure 1. Infection Chain for the current ChessMaster campaign

ChessMaster’s current iteration starts off with the familiar phishing attacks seen in the earlier campaigns that involved the use of an email with an attached malicious document using the doc, docx, rtf, csv and msg formats. The email title and attached file name were written in Japanese and contain general business, political, and economy-themed phrases such as

  • 世界経済(World economy)
  • 経済政策(economic policy)
  • 予算概算要求(budget estimation request)
  • 日米対話(Japan-US dialogue)
  • 安倍再任(re-appointment of Prime Minister Abe)
  • 連絡網(contact network)
  • 職員採用案(staff recruitment plan)
  • 会議(meeting)

However, there is a change in the exploit document. When we tracked ChessMaster back in November, we noted that it exploited the SOAP WSDL parser vulnerability CVE-2017-8759 (patched in September 2017) within the Microsoft .NET framework to download additional malware. While ChessMaster still uses the previous exploit, it also added more methods to its arsenal: one exploits another vulnerability, CVE-2017-11882 (patched in November 2017), which was also exploited to deliver illegal versions of the Loki infostealer.

 Figure 2. Exploitation of CVE-2017-11882

Figure 2. Exploitation of CVE-2017-11882

It also abuses three legitimate MS Office functions:

Function Purpose Affected MS Office Formats we found in the wild
Automatic Dynamic Data Exchange (DDEAUTO) A legitimate Microsoft Office function used in an Office file to retrieve data from another Office file


  • .doc
  • .rtf
  • .msg
Link Auto Update An Office function used for automatic and user-free updates for embedded links upon opening.
  • .csv
Microsoft Word’s “Frames/Frameset” A feature that allows HTML or Text pages to be loaded in a frame within Microsoft Word.
  • .docx

 Figure 2. Exploitation of DDEAUTO

Figure 3. Exploitation of DDEAUTO

 Figure 3. Abusing Microsoft Word's

Figure 4. Abusing Microsoft Word’s “Frames/Frameset”

 Figure 4. Exploitation of Link Auto Update

Figure 5. Exploitation of Link Auto Update

ChessMaster can utilize any of these methods to download the next malware in the chain, the open source post-exploitation tool known as “Koadic,” which the previous campaign also used. This tool is responsible for stealing information — specifically the environment information — within the target system.

Koadic executes the following command:

  • %comspec% /q /c <cmd> 1> <Output> 2>&1

The commands and output of Koadic will change according to the ANEL version used in the attack. The table below lists examples of the commands and outputs for ANEL versions 5.1.1 rc and 5.1.2 rc1. Note that if ANEL 5.1.2 rc1 was downloaded, the attacker would use HTTPS to avoid the downloaded data being captured as clear text.

Figure 5. Koadic commands and output when ANEL 5.1.1 rc is used

Figure 6. Koadic commands and output when ANEL 5.1.1 rc is used

Figure 6. Koadic commands and output when ANEL 5.1.1 rc1 is used

Figure 7. Koadic commands and output when ANEL 5.1.1 rc1 is used

The table below lists all of Koadic’s functions:

{Variable}.user User-related functions
{Variable}.user.isElevated Check Privilege
{Variable}.user.OS Get OS Version
{Variable}.user.DC Get DCName from Registry
{Variable}.user.Arch Get Architecture
{Variable} Get User Information
{Variable}.work Main Routine functions
{Variable} Reports to server
{Variable}.work.error Returns error
{Variable}.work.make_url Alters/Modifies URL (C&C)
{Variable}.work.get Get the return of POST Header
{Variable}.work.fork Creates rundll32.exe process
{Variable}.http HTTP Connection functions
{Variable}.http.create Creates initial HTTP objects
{Variable} POST header
{Variable}.http.addHeaders Adds HTTP Headers
{Variable}.http.get GET Header
{Variable}.http.upload Uploads binaries/data
{Variable}.http.bin2str String manipulation
{Variable}.http.downloadEx Downloads response
{Variable} Additional download function
{Variable}.process Process-related functions
{Variable}.process.currentPID Get Current Process ID
{Variable}.process.list Enumerates Process
{Variable}.process.kill Terminates Process
{Variable}.registry Registry-related functions
{Variable}.registry.HKCR Set HKEY_CLASSES_ROOT
{Variable}.registry.HKCU Set HKEY_CURRENT_USER
{Variable}.registry.HKLM Set HKEY_LOCAL_MACHINE
{Variable}.registry.STRING Set String Value
{Variable}.registry.BINARY Set Binary Value
{Variable}.registry.DWORD Set DWORD Value
{Variable}.registry.QWORD Set QWORD Value
{Variable}.registry.write Write/Add Registry
{Variable}.registry.provider Create Registry Handle
{Variable}.registry.destroy Deletes Registry Key
{Variable} Get/Read Registry Entries
{Variable}.WMI WMI-related functions
{Variable}.WMI.createProcess Creates specified process
{Variable}.shell File/Process Execution functions
{Variable} Run commands
{Variable}.shell.exec Executes process
{Variable}.file File-related functions
{Variable}.file.getPath Get specified file path
{Variable}.file.readText Reads specified text file
{Variable}.file.get32BitFolder Get System Folder (32/64-bit)
{Variable}.file.writol Writes on specified file
{Variable}.file.deleteFile Deletes specified file
{Variable}.file.readBinary Reads specified binary file.

 Figure 7. Command added when the Koadic RAT is downloaded (use of {Variable}.shell.exec command)

Figure 8. Command added when the Koadic RAT is downloaded (use of {Variable}.shell.exec command)

If Koadic finds that the system is conducive to the attacker’s interests, it downloads a base64-encrypted version of the ANEL malware from the Command-and-Control (C&C) server and executes it.  Encrypted ANEL is decrypted using the “certutil -docode” command. When ANEL executes, a decrypted DLL file with the filename “lena_http_dll.dll” is expanded in memory. This file contains one export function — either “crt_main” or “lena_main”

Figure 8. Command added when the Koadic RAT is downloaded (use of {Variable}.shell.exec command)

Figure 9. Base64 encoded ANEL downloaded by Koadic

ANEL will send the infected environment’s information to the C&C server. When sending the information, ANEL encrypts the data using blowfish, XOR, and Base64-based encryption methods. The format ANEL uses to send data is similar to ChChes, but ANEL’s encryption method is easier to use.

 Figure 6. Encryption key using blowfish” width=

Figure 10. Encryption key using blowfish


We initially discovered the malware known as ANEL back in November 2017. At that time, ChessMaster was using ANEL as a backdoor into the target system then injects code into svchost.exe, which then decrypts and activates the embedded backdoor. This initial version of ANEL had a hardcoded version labeled “5.0.0 beta1” that contained incomplete code. We noted that this might signify the release of a future variant.

Instead of just one new variant, we discovered four different versions of ANEL:

  • 5.0.0 beta1
  • 5.1.1 rc
  • 5.1.2 rc1
  • 5.2.0 rev1

The different versions contain changes in the ANEL loader and the main ANEL DLL. The figure below shows a summary of the changes between each version:

Figure 10. Summary of the changes between each version of ANEL

Figure 11. Summary of the changes between each version of ANEL

Differences with regards to Backdoor commands:

CMD ID 5.0.0 beta1/5.1.1 rc/5.1.2 rc1 5.2.0 rev1
0x97A168D9697D40DD Save File
0x7CF812296CCC68D5 Upload File
0x652CB1CEFF1C0A00 NA Load New PE file
0x27595F1F74B55278 Save File and Execute
If no match above Execute Command or File

The differences shown in the table above are subtle but present. For example, the initial ANEL version, “5.0.0 beta1,” uses a different C&C server compared to the other versions. Once ANEL evolved to “5.1.1 rc,” it changed its file type to an executable, while also changing the C&C server. The third version we found (5.1.2 rc1) reverts to a DLL file type but retains the C&C server. The fourth version of ANEL (5.2.0 rev1) changes both the export function in the expanded main ANEL DLL and uses a different C&C server. Overall, we can see subtle changes, which indicate that the threat actors behind ANEL are making incremental improvements to the malware to refine it.

 Figure 11. Backdoor function differences between ANEL 5.0.0 beta1/5.1.1 rc/5.1.2 rc1 (left) and ANEL 5.2.0 rev1 (right)

Figure 12. Backdoor function differences between ANEL 5.0.0 beta1/5.1.1 rc/5.1.2 rc1 (left) and ANEL 5.2.0 rev1 (right)

Once ANEL enters the user’s system, it will download various tools that could be used for malicious purposes, including password retrieval tools as well as malicious mail services and accessibility tools that will allow it to gather information about the system. These include Getpass.exe and Mail.exe, which are password and information stealers.

It also downloads the following:

  • Accevent.exe <-> Microsoft Accessible Event Watcher
  • event.dll <-> the loader of ssssss.ddd, (Detected as TROJ_ANELLDR)
  • ssssss.ddd (lena_http.bin) <-> encrypted BKDR_ANEL (Detected as BKDR_ANELENC)

These three files work together using a common technique call DLL Side-Loading or DLL Hijacking. In this scenario, accevent.exe is the primary executable, which is usually legitimate.

After the execution of accevent.exe, it loads event.dll, which will be placed in the same folder (so it takes loading priority), after which event.dll decrypts and loads the encrypted backdoor ssssss.ddd, which is BKDR_ANEL. When we analyzed ANEL 5.1.1 rc, encrypted ANEL 5.1.2 rc1 was downloaded and executed.

Short-term mitigation

When the user opens the document DDEAUTO or Link Auto Update, Office will display a message. If the user clicks on the “No” button, malicious activity will not initiate.

 Figure 12: Popup message when users open the document that abuses DDEAUTO

Figure 13: Popup message when users open the document that abuses DDEAUTO

 Figure 13. Popup message when the user opens the document that abuses Link Auto Update

Figure 14. Popup message when the user opens the document that abuses Link Auto Update

Koadic sends its own JavaScript code as plain text. The suspect communication allows us to detect the traffic.

 Figure 14. Koadic’s communication traffic

Figure 15. Koadic’s communication traffic

Medium- to long-term mitigation

At first glance, it seems ChessMaster’s evolution over the past few months involves subtle changes. However, the constant addition and changing of features and attack vectors indicate that the attackers behind the campaign are unlikely to stop and are constantly looking to evolve their tools and tactics.

Organizations can implement various techniques and best practices to defend against targeted attacks, such as regular patching to prevent vulnerability exploitation and using tools that provide protection across different network levels. Solutions that feature behavior monitoring, application controlemail gateway monitoring, and intrusion/detection systems can help with this.

Given how cybercriminal tools, tactics and procedures are evolving, organizations will have to go beyond their typical day-to-day security requirements and find a way to preempt attacks. Thus, there is a pressing need to detect and address threats via a proactive incident response strategy. Essentially, this involves creating a remediation plan for effectively combating the threat and using round-the-clock intrusion detection and threat analysis to prevent attacks from entering the system. A proactive strategy can be much more effective for targeted attacks, as these kinds of attacks are often designed to be elusive and difficult to detect, thus the need to scope them out. A comprehensive security strategy that involves proactive incident response will need the input of both decision makers and tech-savvy personnel, as they will need to be on the same page for it to be effective.

In addition to implementing both mitigation techniques and proactive strategies, organizations can also strengthen their security by employing solutions such Trend Micro™ Deep Security™Vulnerability Protection, and TippingPoint, which protects endpoints from threats that abuse vulnerabilities.

In addition, comprehensive security solutions can be used to protect organizations from attacks. These include Trend Micro endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security, which can protect users and businesses from these threats by detecting malicious files, well as blocking all related malicious URLs. Trend Micro Deep Discovery™ can protect enterprises by detecting malicious attachment and URLs.

Trend Micro OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against all kinds of threats.

A more detailed analysis of the Command-and-Control communication flow of ANEL can be found in this technical brief.

Indicators of Compromise

Hash Downloader used in the campaign:

  • 76b1f75ee15273d1226392db3d8f1b2aed467c2875e11d9c14fd18120afc223a
  • 4edcff56f586bd69585e0c9d1d7ff4bfb1a2dac6e2a9588f155015ececbe1275
  • 1b5a1751960b2c08631601b07e3294e4c84dfd71896453b65a45e4396a6377cc

Hashes detected as part of the BKDR_ANEL Family:

5.0.0 beta1

  • af1b2cd8580650d826f48ad824deef3749a7db6fde1c7e1dc115c6b0a7dfa0dd

5.1.1 rc

  • 2371f5b63b1e44ca52ce8140840f3a8b01b7e3002f0a7f0d61aecf539566e6a1

5.1.2 rc1

  • 05dd407018bd316090adaea0855bd7f7c72d9ce4380dd4bc0feadc6566a36170

5.2.0 rev1

  • 00030ec8cce1f21120ebf5b90ec408b59166bbc3fba17ebae0fc23b3ca27bf4f


  • 303f9c00edb4c6082542e456a30a2446a259b8bb9fb6b0f76ff318d5905e429c

Tools used in the campaign:


  • 52a8557c8cdd5d925453383934cb10a85b117522b95c6d28ca097632ac8bc10d


  • 6c3224dbf6bbabe058b0ab46233c9d35c970aa83e8c4bdffb85d78e31159d489


  • 2f76c9242d5ad2b1f941fb47c94c80c1ce647df4d2d37ca2351864286b0bb3d8

URLs and IP Addresses related to the campaign:

  • www[.]nasnnones[.]com
  • trems[.]rvenee[.]com
  • contacts[.]rvenee[.]com
  • 91[.]207[.]7[.]91
  • 89[.]18[.]27[.]159
  • 89[.]37[.]226[.]108
  • 185[.]25[.]51[.]116
  • 185[.]81[.]113[.]95
  • 185[.]144[.]83[.]82
  • 185[.]153[.]198[.]58
  • 185[.]159[.]129[.]226

The post ChessMaster Adds Updated Tools to Its Arsenal appeared first on .

Read more: ChessMaster Adds Updated Tools to Its Arsenal

Story added 29. March 2018, content source with full text you can find at link above.