Notification
This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.
This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.
Summary
Description
This Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Trojan malware variants used by the North Korean government. This malware variant has been identified as BUFFETLINE. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.
DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.
This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.
This report looks at a full-featured beaconing implant. This sample uses PolarSSL for session authentication, but then utilizes a FakeTLS scheme for network encoding using a modified RC4 algorithm. It has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.
For a downloadable copy of IOCs, see MAR-10271944-3.v1.stix.
Submitted Files (1)
52f83cdaefd194fff3d387631d5693a709cd7b3a20a072e7827c4d4218d57695 (smss.exe)
IPs (2)
107.6.12.135
210.202.40.35
Findings
52f83cdaefd194fff3d387631d5693a709cd7b3a20a072e7827c4d4218d57695
Tags
trojan
Details
Name | smss.exe |
---|---|
Size | 139265 bytes |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5 | 11cb4f1cdd9370162d67945059f70d0d |
SHA1 | f59c7ce763c4d5717f986e578e3bce8a43f721d2 |
SHA256 | 52f83cdaefd194fff3d387631d5693a709cd7b3a20a072e7827c4d4218d57695 |
SHA512 | 53c308aa54eed5cf2979d519fc128fcebce8ce425566426086c88e9eb5ebf69c4e40361ebb5df50f98fdf823b0ecf7f1a1736be189db67d56624d76245fb146d |
ssdeep | 3072:BqrWp5J6z3fNOo7R650dB+0l2pucertVev7:4Wp5J6zP9di2Bt0J |
Entropy | 6.180760 |
Antivirus
Ahnlab | Trojan/Win32.Akdoor |
---|---|
Antiy | Trojan/Win32.Agent |
Avira | TR/NukeSped.dtrpn |
BitDefender | Trojan.GenericKD.5884300 |
ClamAV | Win.Trojan.HiddenCobra-7402602-0 |
ESET | a variant of Win32/NukeSped.AU trojan |
Emsisoft | Trojan.GenericKD.5884300 (B) |
Filseclab | Trojan.Agent.ikox.sjwn |
Huorong | Trojan/Generic!6B2189F3963492CB |
Ikarus | Trojan.Win32.NukeSped |
K7 | Trojan ( 004d07bc1 ) |
McAfee | GenericRXDC-AJ!11CB4F1CDD93 |
NANOAV | Trojan.Win32.NukeSped.faxfdd |
Symantec | Trojan.Hoplight |
VirusBlokAda | BScope.Trojan.Tiggre |
Zillya! | Trojan.Agent.Win32.817728 |
YARA Rules
- rule encodedHandshakeStrings
{
meta:
author = “CISA trusted 3rd party”
incident = “10271944.r3.v1”
date = “2019-12-25”
category = “Hidden_Cobra”
family = “BUFFETLINE”
strings:
$e1 = { dd 91 4a 1d cb 93 52 0a d0 cb 0a 4c ca d5 08 4b ca 92 4b 1d de 92 4b 1e d2 8b 5c 14 de 92 5c }
$e2 = { 81 8c 4d 1d d1 8a 52 1d d7 8a 4c 0d 8b c8 01 4c cd 9c 5e 0b dc 97 5e 12 95 cb 4a 48 cf 9c 53 }
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
} - rule polarsslClientHello
{
meta:
author = “CISA trusted 3rd party”
incident = “10271944.R3.V1”
date = “2019-12-25”
category = “Hidden_Cobra”
family = “BUFFETLINE”
strings:
$polarSSL = “fjiejffndxklfsdkfjsaadiepwn”
$cliHello = “!Q@W#E$R%T^Y&U*I(O)P”
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
}
ssdeep Matches
100 | 16c3a7f143e831dd0481d2d57aae885090e22ec55cc8282009f641755d423fcd |
---|
PE Metadata
Compile Date | 2016-10-03 02:34:09-04:00 |
---|---|
Import Hash | 6a3547c38d6806b7d5a8b2638621ca32 |
PE Sections
MD5 | Name | Raw Size | Entropy |
---|---|---|---|
83eb1da0a8ab18f046922a558cb8ede6 | header | 4096 | 0.676716 |
b672be56b1bc345710663b196247c46c | .text | 98304 | 6.661074 |
058bc0c9a6ef4120a61e2cb75b7e2825 | .rdata | 12288 | 6.220732 |
1b2e3c963ae327f7f74e13f15a31fa55 | .data | 20480 | 2.725473 |
02bb750555f1c2623effc3aa3d077a34 | .rsrc | 4096 | 0.897401 |
Packers/Compilers/Cryptors
Microsoft Visual C++ v6.0 |
Relationships
52f83cdaef… | Connected_To | 107.6.12.135 |
52f83cdaef… | Connected_To | 210.202.40.35 |
Description
The sample performs dynamic DLL importing and API lookups using LoadLibrary and GetProcAddress on obfuscated strings in an attempt to hide it’s usage of network functions.
The sample obfuscates strings used for API lookups as well as the strings used during the network handshake using a modified RC4 algorithm. A Python 3 script to decrypt the obfuscated strings is given below. Note: The hardcoded command and control (C2) IP’s are not obfuscated, but appear in plaintext within the executable.
–Begin Python 3 Decode Script–
def decode_string(enc, key=0x15b3):
dec = b”
sbox = b”
tmp = ((key + len(enc)) * -0x52) & 0xff
for i in range(0x100):
sbox += bytes([((i + 1) * key * -0x78) & 0xff])
for b in enc:
dec += bytes([ord(b) ^ sbox[tmp]])
tmp = (tmp + (key + len(enc)) * 0x7c) & 0xff
return dec
–End Python 3 Decode Script–
–Begin C2 IP and Port–
107.6.12.135:443
210.202.40.35:443
–End C2 IP and Port–
The sample attempts to perform a PolarSSL handshake to initiate a connection to each of these hardcoded C2 IPs using TLS version 1.1. It uses the PolarSSL server_name extension with the Server Name set to “!Q@W#E$R%T^Y&U*I(O)P”. The PolarSSL certificate and private key are provided below.
–Begin PolarSSL Certificate–
—-BEGIN CERTIFICATE—–
MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
A1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
gZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH
/f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV
BAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVz
dCBDQYIBADANBgkqhkiG9w0BAQUFAAOCAQEAuP1U2ABUkIslsCfdlc2i94QHHYeJ
SsR4EdgHtdciUI5I62J6Mom+Y0dT/7a+8S6MVMCZP6C5NyNyXw1GWY/YR82XTJ8H
DBJiCTok5DbZ6SzaONBzdWHXwWwmi5vg1dxn7YxrM9d0IjxM27WNKs4sDQhZBQkF
pjmfs2cb4oPl4Y9T9meTx/lvdkRYEug61Jfn6cA+qHpyPYdTH+UshITnmp5/Ztkf
m/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ
7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==
—–END CERTIFICATE—–
–End PolarSSL Certificate–
–Begin Private Key–
—–BEGIN RSA PRIVATE KEY—–
MIIEpAIBAAKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6fM60Nj4o8VmXl3ETZzGaF
B9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu1C93KYRhTYJQj6eVSHD1
bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEwMjDV0/YI0FZPRo7yX/k9
Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v4Jv4EFbMs44TFeY0BGbH
7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx//DZrtenNLQNiTrM9AM+v
dqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQABAoIBAGdNtfYDiap6bzst
yhCiI8m9TtrhZw4MisaEaN/ll3XSjaOG2dvV6xMZCMV+5TeXDHOAZnY18Yi18vzz
4Ut2TnNFzizCECYNaA2fST3WgInnxUkV3YXAyP6CNxJaCmv2aA0yFr2kFVSeaKGt
ymvljNp2NVkvm7Th8fBQBO7I7AXhz43k0mR7XmPgewe8ApZOG3hstkOaMvbWAvWA
zCZupdDjZYjOJqlA4eEA4H8/w7F83r5CugeBE8LgEREjLPiyejrU5H1fubEY+h0d
l5HZBJ68ybTXfQ5U9o/QKA3dd0toBEhhdRUDGzWtjvwkEQfqF1reGWj/tod/gCpf
DFi6X0ECgYEA4wOv/pjSC3ty6TuOvKX2rOUiBrLXXv2JSxZnMoMiWI5ipLQt+RYT
VPafL/m7Dn6MbwjayOkcZhBwk5CNz5A6Q4lJ64Mq/lqHznRCQQ2Mc1G8eyDF/fYL
Ze2pLvwP9VD5jTc2miDfw+MnvJhywRRLcemDFP8k4hQVtm8PMp3ZmNECgYEA4gz7
wzObR4gn8ibe617uQPZjWzUj9dUHYd+in1gwBCIrtNnaRn9I9U/Q6tegRYpii4ys
c176NmU+umy6XmuSKV5qD9bSpZWG2nLFnslrN15Lm3fhZxoeMNhBaEDTnLT26yoi
33gp0mSSWy94ZEqipms+ULF6sY1ZtFW6tpGFoy8CgYAQHhnnvJflIs2ky4q10B60
ZcxFp3rtDpkp0JxhFLhiizFrujMtZSjYNm5U7KkgPVHhLELEUvCmOnKTt4ap/vZ0
BxJNe1GZH3pW6SAvGDQpl9sG7uu/vTFP+lCxukmzxB0DrrDcvorEkKMom7ZCCRvW
KZsZ6YeH2Z81BauRj218kQKBgQCUV/DgKP2985xDTT79N08jUo3hTP5MVYCCuj/+
UeEw1TvZcx3LJby7P6Xad6a1/BqveaGyFKIfEFIaBUBItk801sDDpDaYc4gL00Xc
7lFuBHOZkxJYlss5QrGpuOEl9ZwUt5IrFLBdYaKqNHzNVC1pCPfb/JyH6Dr2HUxq
gxUwAQKBgQCcU6G2L8AG9d9c0UpOyL1tMvFe5Ttw0KjlQVdsh1MP6yigYo9DYuwu
bHFVW2r0dBTqegP2/KTOxKzaHfC1qf0RGDsUoJCNJrd1cwoCLG8P2EF4w3OBrKqv
8u4ytY0F+Vlanj5lm3TaoHSVF1+NWPyOTiwevIECGKwSxvlki4fDAA==
—–END RSA PRIVATE KEY—–
–End Private Key–
After the TLS authentication is completed this particular sample does NOT use the session key that is generated via TLS. Instead, it uses a FakeTLS scheme, where a ‘fake’ TLS packet header is prepended to the packet data which is encrypted with custom xor encryption scheme. The FakeTLS packet format and a Python 3 script to decrypt network traffic is given below.
–Begin FakeTLS Packet Structure–
17 03 02 <2 Byte data length> <4 Byte Key> <data>
–End Fake TLS Packet Structure–
Note: Each “Key” is generated by the sender rand( ).
–Begin Python 3 Network Communication Decode Script–
def decode_pkt(enc, key):
dec = b”
sbox = b”
addVal = len(enc) * key & 0xff
for i in range(0x100):
sbox += bytes([((i + 1) * key) & 0xff])
indexVal = addVal;
for b in enc:
dec += bytes([b ^ sbox[indexVal]])
indexVal = indexVal + addVal & 0xff;
return dec
–End Python 3 Network Communication Decode Script–
After the TLS authentication, the sample performs a handshake with the C2, where hardcoded 32 Byte strings are exchanged, as well as a Victim ID and the Victim Internal IP. After this exchange, the implant sends it’s Victim Information (Figure 2), and then waits for tasking from the C2.
Screenshots
Figure 1 – Configuration Structure.
Figure 2 – Victim Information Structure.
Figure 3 – Implant Functionality.
Figure 4 – Session Structure.
107.6.12.135
Tags
command-and-control
Ports
Relationships
107.6.12.135 | Connected_From | 52f83cdaefd194fff3d387631d5693a709cd7b3a20a072e7827c4d4218d57695 |
Description
Hardcoded C2 IP.
210.202.40.35
Tags
command-and-control
Ports
Relationships
210.202.40.35 | Connected_From | 52f83cdaefd194fff3d387631d5693a709cd7b3a20a072e7827c4d4218d57695 |
Description
Hardcoded C2 IP.
Relationship Summary
52f83cdaef… | Connected_To | 107.6.12.135 |
52f83cdaef… | Connected_To | 210.202.40.35 |
107.6.12.135 | Connected_From | 52f83cdaefd194fff3d387631d5693a709cd7b3a20a072e7827c4d4218d57695 |
210.202.40.35 | Connected_From | 52f83cdaefd194fff3d387631d5693a709cd7b3a20a072e7827c4d4218d57695 |
Mitigation
// The following Snort rule can be used to detect the FakeTLS handshake packets by targeting to a
// logical inconsistency in the appdata packet sizes due to the inclusion of the 4 Byte decode key
// before the data, but not being included in the data length.
alert tcp any any -> any any (msg:”Malware Detected”; content:”PolarSSL”; pcre:”/ \x17\x03\x02\x00\x23.{39}\x17\x03\x02/”; rev:1; sid:99999999;)
Recommendations
CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up-to-date.
- Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
- Enforce a strong password policy and implement regular password changes.
- Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
- Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
- Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
- Scan all software downloaded from the Internet prior to executing.
- Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.
Contact Information
CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/
Document FAQ
What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or soc@us-cert.gov.
Can I submit malware to CISA? Malware samples can be submitted via three methods:
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.us-cert.gov.