ChessMaster Adds Updated Tools to Its Arsenal

by Tamada Kiyotaka and MingYen Hsieh

Trend Micro discovered the ChessMaster campaign back in July 2017 as part of our monitoring efforts to protect our customers. At the time, we found ChessMaster targeting different sectors from the academe to media and government agencies in Japan. The threat group used a variety of attack tools and techniques to spy on their target organizations.

Back then, we noted that ChessMaster’s sophisticated nature implied that the campaign could evolve, before finding changes in the tools and tactics used in the campaign a few months later.  While the original campaign was comprehensive and used remote access Trojans (RATs) such as ChChes and RedLeaves, this new campaign used a new backdoor (Detected by Trend Micro as BKDR_ANEL.ZKEI) that leverages the CVE-2017-8759 vulnerability for its cyberespionage activities.

In this blog post, we analyze ChessMaster’s current status, including the updated tools in its arsenal — with a particular focus on the evolution of ANEL and how it is used in the campaign.

Technical Analysis

Figure 1. Infection Chain for the current ChessMaster campaign

ChessMaster’s current iteration starts off with the familiar phishing attacks seen in the earlier campaigns that involved the use of an email with an attached malicious document using the doc, docx, rtf, csv and msg formats. The email title and attached file name were written in Japanese and contain general business, political, and economy-themed phrases such as

• 世界経済(World economy)
• 経済政策(economic policy)
• 予算概算要求(budget estimation request)
• 日米対話(Japan-US dialogue)
• 安倍再任(re-appointment of Prime Minister Abe)
• 連絡網(contact network)
• 職員採用案(staff recruitment plan)
• 会議(meeting)

However, there is a change in the exploit document. When we tracked ChessMaster back in November, we noted that it exploited the SOAP WSDL parser vulnerability CVE-2017-8759 (patched in September 2017) within the Microsoft .NET framework to download additional malware. While ChessMaster still uses the previous exploit, it also added more methods to its arsenal: one exploits another vulnerability, CVE-2017-11882 (patched in November 2017), which was also exploited to deliver illegal versions of the Loki infostealer.

Figure 2. Exploitation of CVE-2017-11882

It also abuses three legitimate MS Office functions:

Figure 3. Exploitation of DDEAUTO

Figure 4. Abusing Microsoft Word’s “Frames/Frameset”

Figure 5. Exploitation of Link Auto Update

ChessMaster can utilize any of these methods to download the next malware in the chain, the open source post-exploitation tool known as “Koadic,” which the previous campaign also used. This tool is responsible for stealing information — specifically the environment information — within the target system.

Koadic executes the following command:

• %comspec% /q /c <cmd> 1> <Output> 2>&1

The commands and output of Koadic will change according to the ANEL version used in the attack. The table below lists examples of the commands and outputs for ANEL versions 5.1.1 rc and 5.1.2 rc1. Note that if ANEL 5.1.2 rc1 was downloaded, the attacker would use HTTPS to avoid the downloaded data being captured as clear text.

Figure 6. Koadic commands and output when ANEL 5.1.1 rc is used

Figure 7. Koadic commands and output when ANEL 5.1.1 rc1 is used

The table below lists all of Koadic’s functions:

Figure 8. Command added when the Koadic RAT is downloaded (use of {Variable}.shell.exec command)

If Koadic finds that the system is conducive to the attacker’s interests, it downloads a base64-encrypted version of the ANEL malware from the Command-and-Control (C&C) server and executes it.  Encrypted ANEL is decrypted using the “certutil -docode” command. When ANEL executes, a decrypted DLL file with the filename “lena_http_dll.dll” is expanded in memory. This file contains one export function — either “crt_main” or “lena_main”

Figure 9. Base64 encoded ANEL downloaded by Koadic

ANEL will send the infected environment’s information to the C&C server. When sending the information, ANEL encrypts the data using blowfish, XOR, and Base64-based encryption methods. The format ANEL uses to send data is similar to ChChes, but ANEL’s encryption method is easier to use.

Figure 10. Encryption key using blowfish

We initially discovered the malware known as ANEL back in November 2017. At that time, ChessMaster was using ANEL as a backdoor into the target system then injects code into svchost.exe, which then decrypts and activates the embedded backdoor. This initial version of ANEL had a hardcoded version labeled “5.0.0 beta1” that contained incomplete code. We noted that this might signify the release of a future variant.

Instead of just one new variant, we discovered four different versions of ANEL:

• 5.0.0 beta1
• 5.1.1 rc
• 5.1.2 rc1
• 5.2.0 rev1

The different versions contain changes in the ANEL loader and the main ANEL DLL. The figure below shows a summary of the changes between each version:

Figure 11. Summary of the changes between each version of ANEL

Differences with regards to Backdoor commands:

The differences shown in the table above are subtle but present. For example, the initial ANEL version, “5.0.0 beta1,” uses a different C&C server compared to the other versions. Once ANEL evolved to “5.1.1 rc,” it changed its file type to an executable, while also changing the C&C server. The third version we found (5.1.2 rc1) reverts to a DLL file type but retains the C&C server. The fourth version of ANEL (5.2.0 rev1) changes both the export function in the expanded main ANEL DLL and uses a different C&C server. Overall, we can see subtle changes, which indicate that the threat actors behind ANEL are making incremental improvements to the malware to refine it.

Figure 12. Backdoor function differences between ANEL 5.0.0 beta1/5.1.1 rc/5.1.2 rc1 (left) and ANEL 5.2.0 rev1 (right)

Once ANEL enters the user’s system, it will download various tools that could be used for malicious purposes, including password retrieval tools as well as malicious mail services and accessibility tools that will allow it to gather information about the system. These include Getpass.exe and Mail.exe, which are password and information stealers.

It also downloads the following:

• Accevent.exe <-> Microsoft Accessible Event Watcher 7.2.0.0
• event.dll <-> the loader of ssssss.ddd, (Detected as TROJ_ANELLDR)
• ssssss.ddd (lena_http.bin) <-> encrypted BKDR_ANEL (Detected as BKDR_ANELENC)

These three files work together using a common technique call DLL Side-Loading or DLL Hijacking. In this scenario, accevent.exe is the primary executable, which is usually legitimate.

After the execution of accevent.exe, it loads event.dll, which will be placed in the same folder (so it takes loading priority), after which event.dll decrypts and loads the encrypted backdoor ssssss.ddd, which is BKDR_ANEL. When we analyzed ANEL 5.1.1 rc, encrypted ANEL 5.1.2 rc1 was downloaded and executed.

Short-term mitigation

When the user opens the document DDEAUTO or Link Auto Update, Office will display a message. If the user clicks on the “No” button, malicious activity will not initiate.

Figure 13: Popup message when users open the document that abuses DDEAUTO

Figure 14. Popup message when the user opens the document that abuses Link Auto Update

Koadic sends its own JavaScript code as plain text. The suspect communication allows us to detect the traffic.

Figure 15. Koadic’s communication traffic

Medium- to long-term mitigation

At first glance, it seems ChessMaster’s evolution over the past few months involves subtle changes. However, the constant addition and changing of features and attack vectors indicate that the attackers behind the campaign are unlikely to stop and are constantly looking to evolve their tools and tactics.

Organizations can implement various techniques and best practices to defend against targeted attacks, such as regular patching to prevent vulnerability exploitation and using tools that provide protection across different network levels. Solutions that feature behavior monitoring, application control, email gateway monitoring, and intrusion/detection systems can help with this.

Given how cybercriminal tools, tactics and procedures are evolving, organizations will have to go beyond their typical day-to-day security requirements and find a way to preempt attacks. Thus, there is a pressing need to detect and address threats via a proactive incident response strategy. Essentially, this involves creating a remediation plan for effectively combating the threat and using round-the-clock intrusion detection and threat analysis to prevent attacks from entering the system. A proactive strategy can be much more effective for targeted attacks, as these kinds of attacks are often designed to be elusive and difficult to detect, thus the need to scope them out. A comprehensive security strategy that involves proactive incident response will need the input of both decision makers and tech-savvy personnel, as they will need to be on the same page for it to be effective.

In addition to implementing both mitigation techniques and proactive strategies, organizations can also strengthen their security by employing solutions such Trend Micro Deep Security, Vulnerability Protection, and TippingPoint, which protects endpoints from threats that abuse vulnerabilities.

In addition, comprehensive security solutions can be used to protect organizations from attacks. These include Trend Micro endpoint solutions such as Trend Micro Smart Protection Suites and Worry-Free Business Security, which can protect users and businesses from these threats by detecting malicious files, well as blocking all related malicious URLs. Trend Micro Deep Discovery can protect enterprises by detecting malicious attachment and URLs.

Trend Micro OfficeScan with XGen endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against all kinds of threats.

A more detailed analysis of the Command-and-Control communication flow of ANEL can be found in this technical brief.

Indicators of Compromise

Hash Downloader used in the campaign:

• 76b1f75ee15273d1226392db3d8f1b2aed467c2875e11d9c14fd18120afc223a
• 4edcff56f586bd69585e0c9d1d7ff4bfb1a2dac6e2a9588f155015ececbe1275
• 1b5a1751960b2c08631601b07e3294e4c84dfd71896453b65a45e4396a6377cc

Hashes detected as part of the BKDR_ANEL Family:

5.0.0 beta1

• af1b2cd8580650d826f48ad824deef3749a7db6fde1c7e1dc115c6b0a7dfa0dd

5.1.1 rc

• 2371f5b63b1e44ca52ce8140840f3a8b01b7e3002f0a7f0d61aecf539566e6a1

5.1.2 rc1

• 05dd407018bd316090adaea0855bd7f7c72d9ce4380dd4bc0feadc6566a36170

5.2.0 rev1

• 00030ec8cce1f21120ebf5b90ec408b59166bbc3fba17ebae0fc23b3ca27bf4f

lena_http.bin

• 303f9c00edb4c6082542e456a30a2446a259b8bb9fb6b0f76ff318d5905e429c

Tools used in the campaign:

Getpass.exe

• 52a8557c8cdd5d925453383934cb10a85b117522b95c6d28ca097632ac8bc10d

event.dll

• 6c3224dbf6bbabe058b0ab46233c9d35c970aa83e8c4bdffb85d78e31159d489

mail.exe

• 2f76c9242d5ad2b1f941fb47c94c80c1ce647df4d2d37ca2351864286b0bb3d8

URLs and IP Addresses related to the campaign:

• www[.]nasnnones[.]com
• trems[.]rvenee[.]com
• contacts[.]rvenee[.]com
• 91[.]207[.]7[.]91
• 89[.]18[.]27[.]159
• 89[.]37[.]226[.]108
• 185[.]25[.]51[.]116
• 185[.]81[.]113[.]95
• 185[.]144[.]83[.]82
• 185[.]153[.]198[.]58
• 185[.]159[.]129[.]226

The post ChessMaster Adds Updated Tools to Its Arsenal appeared first on .

Read more: ChessMaster Adds Updated Tools to Its Arsenal