Threat Research

Russian Army Exhibition Decoy Leads to New BISKVIT Malware

By Jasper Manuel and Rommel Joven | August 20, 2018

A few days ago, the FortiGuard Labs team found a malicious PPSX file exploiting CVE-2017-0199 that had been crafted for Russian speakers. The filename “Выставка” when translated means “Exhibition”. On further examination, the PPSX file seems to have been targeted at an exhibition being held annually in Russia called Army 2018 International Military and Technical Forum. This is one of the largest exhibitions of military weapons and special equipment, not only in Russia, but also one of the outstanding events among similar exhibitions in the world. The discovery of this malicious document is very timely since the event is scheduled to be held August 21-26, 2018.

Figure 01. Decoy file

Another interesting element of this malware is the included paragraph, shown below. 

Figure 02. Invitation in Russian

This roughly translates to:

Closed dynamic show of modern and prospective samples of military armament and special equipment for the “reconnaissance and raid action of combined-arms units”

While the event is open to anyone, organizers from last year have set up specialized expositions that include “demonstrations behind closed doors.” This caters to selected guests, where pieces of classified equipment are being displayed, including large aerial vehicles and missiles. That being said, we believe that this malicious document is being targeted to those selected guests who want to be, or are already included in these closed door invitations. This year’s event has already 66 official foreign delegations confirming their participation. We will take a look on how a PPSX file could compromise an unpatched system.

Analysis

We begin with the malicious PPSX file that exploits CVE-2017-0199 and opens a bait file. CVE-2017-0199 is an HTA (HTML application) vulnerability that allows a malicious actor to download and execute a script containing PowerShell commands when a user opens a document containing an embedded exploit This is not the first time we have encountered an APT abusing this vulnerability. In fact, previous attacks have targeted people from UN agencies, Foreign Ministries, and people and organizations who interact with international governments.

Figure 03. Overview of attack

Once the PPSX file is opened, it triggers a script in ppt/slides/_rels/slides1.xml.rels. The exploit then downloads additional code from the remote server, as shown in figure 04, and executes it using the PowerPoint Show animations feature. 

Figure 04. PPSX file exploiting CVE-2017-0199

Shown below is the code from the remote server after the PowerShell exploit embedded in the XML file is successfully executed and downloads an executable payload into %Temp%.

Figure 05. defender XML

When executed, Defender.exe drops the following files:

Figure 06. TMPEC4E directory

·      SynTPEnh – a directory with the BISKVIT malware package

·      Csrtd.db – an encrypted configuration file used by DevicePairing.exe for autorun installation

Figure 07. Decrypted configuration

·      DevicePairing.exe – also identified in the code as "AutorunRegistrator", its function is to copy the SynTPEnh directory to %appdata% and add it to the autorun registry entry

·      DevicePairing.exe.config – a runtime configuration file

·      Kernel32.dll – a common library of BISKVIT malware

·      Newtonsoft.Json.dll – a popular JSON serializer  for .NET

BISKVIT

The BISKVIT Trojan is a multi-component malware written in C#. We dubbed this malware BISKVIT based on the namespaces used in the code, which contain the word “biscuit”.  Unfortunately, there is already an existing unrelated malware called BISCUIT, so BISKVIT is used instead, which is the Russian translation of biscuit.

Figure 08. Biscuit modules

Due to the modular nature of BISKVIT, it’s difficult to exactly determine all of its functionalities since components are only downloaded and loaded on the fly at the direction of the attacker.  As of this writing, we have only been able to download one component. So far, based on the code of the components that we were able to acquire, this malware is capable of, but not limited to the following:

·      Downloading files and components

·      Hidden/stealthy execution of downloaded and local files

·      Downloading of dynamic configuration files

·      Updating itself

·      Deleting itself

The BISKVIT malware is copied to the %appdata%\ SynTPEnh from the %temp% folder, as mentioned above. These are the contents of the %appdata%\SynTPEnh folder:

·      SynTPEnh.exe  – the main BISKVIT malware file

·      Csrtd.db – an encrypted configuration file

·      SynTPEnh.exe.config – a runtime configuration file

·      Kernel32.dll – a common library of BISKVIT malware

·      Newtonsoft.Json.dll – a popular JSON serializer  for .NET

The main BISKVIT file disguises itself as the legitimate Synaptics Pointing Device Driver file to avoid suspicion by the user.

Figure 09. Information disguised as Synaptics

When executed, it initializes its base configuration, which contains the following information:

Figure 10. Base configuration

It then loads and decrypts its configuration file, named csrtd.db. This configuration file is encrypted with AES using the following keys:

Figure 11. Default AES and IV key

Once decrypted, this configuration file contains the command and control server, the time interval used by the malware to check for jobs from the command and control server, an API key, and RSA key information. We didn’t find code references to the RSA encryption method, so we think that’s being used by other components that we haven’t acquired as of this writing.

Figure 12. Decrypted configuration

Command and Control Communications

This malware communicates with the command and control server through REST APIs using the JSON format. The malware first gets an access token by sending an API key. If not specified in the configuration, the API key is generated from the CPU, disk drive, and MAC address information of the infected machine. This API key is a unique ID, which is also used to identify the machine.

Figure 13. Unique Id composition

The API key is sent to the command and control server via an HTTP POST request to the API /api/auth/token.

Figure 14. POST ApiKey

The server replies with access token information that will be used for the entire session.

Figure 15. Access token

This malware then receives and executes commands from the attacker through a jobs API. It sends an HTTP GET request to the API /api/job to get a job after a certain time has lapsed, as indicated by the interval set in the configuration.

Figure 16. GET api/job

The response would be a job with four main keys: id, resultUri, tasks, and executionOptions

Figure 17. Job

·      id - is the job ID

·      resultUri  - is where the malware will HTTP POST the result of the job

·      executionOptions - tells the malware if it will execute the package at certain time interval, and if it will be started at startup.

·      tasks – this key contains information about packages (components/other files) that the attacker wants downloaded to and executed on the infected machine. 

The executeMode in the key tasks tells the malware how to execute the package. 

Figure 18. Execute modes

If the mode is 0, the package is treated as a component/library and is executed with the parameter indicated in the parameters key.

If the mode is 1, the package is treated as a file and is executed by using either the ShellExecuteEx() or CreateProcess() Windows API, with WindowStyle set to Hidden and CreateNoWindow set to true.

Figure 19. ExecuteHide

If the mode is 2, the package is treated as file and is executed using the CreateProcessAsUser() Windows API.

Figure 20. StartAsUser

Another interesting feature of this malware is that it saves jobs locally in a folder named 534faf1cb8c04dc881a3fbd69d4bc762. 

Figure 21. Jobs Directory

Jobs are encrypted using the same AES encryption as that of the configuration file, and are named with its job id with a .db extension. This means that it can continue executing the jobs on the next execution of the malware even when its current process is interrupted or terminated. After completing the job, this malware deletes the locally saved job.

During our analysis, the malware received a job to download a package with executeMode set to 0. This means the package is a component/library that can be downloaded from /api/package/5b61b91da99a25000198dfcc.

Figure 22. Job with packageId and executeMode

The package from the downloadUri specified in the job resulted to a zip file with a PK header.

Figure 23. Get Package

Packages are stored in the folder 083c57797944468895820bf711e3624f.

Figure 24. Packages Directory

After checking what component had been downloaded, we discovered that it was a component called FileExecutor, which just executes the files indicated in the parameters key. 

Figure 25. Job and Task’s parameters

This FileExecutor component has the same functionality as the executeMode set to 1, which just executes a file using either the ShellExecuteEx() or CreateProcess() with WindowStyle set to Hidden and CreateNoWindow set to true. In the above job, it tells the malware to use the FileExecutor component to execute “systeminfo” with timeout set at 30 seconds, as indicated by the Waittime key.

The command systeminfo displays detailed configuration information about a computer and its operating system, including its operating system configuration, security information, product ID, and hardware properties (such as RAM, disk space, and network cards). 

Figure 26. Systeminfo data POST to CC

For the C&C to know the status of the jobs running, it also includes the key State that has the values shown below. The data that was sent during our analysis included the State being equal to 2, meaning it is complete.

Figure 27. Job States

After the systeminfo job, it seemed that the attacker noticed that the machine he/she sent the job to was an analysis machine, so the C&C stopped sending any jobs. This could only mean that the attacker behind this attack is being very careful to not infect computers that are not targets and to avoid alerts.

While it is not new for C&C servers used in targeted attacks to suddenly stop responding after collecting the basic information of the victim’s computer, the C&C used here is not completely blocking its communication. Instead, it just stopped sending jobs. This enables researchers and analysts to still monitor the C&C.

Low AV Detection

Interestingly, even if the malware files are not packed or obfuscated, only a few AV vendors, including Fortinet, were able to detect the files.

Conclusion

The use of current and upcoming events as bait to target high profile targets is becoming more and more popular among attackers.

Based on our findings, we believe that this is a well-planned attack, especially considering the timely distribution of the malicious decoy file and the use of a never-before-seen malware. These two ingredients provide the best chance for comprising their targets.

Solution
Fortinet detects all Biskvit malware components as W32/BiskvitLoader.A!tr, MSIL/BiskvitAutoRun.A!tr, MSIL/BiskvitLib.A!tr, MSIL/Biskvit.A!tr, MSOffice/Exploit.CVE20178570!tr.

Malicious URLs related to this malware are also blocked through the FortiGuard Web Filtering Service.

We recommend that all users apply the patch released by Microsoft for CVE-2017-0199.

Special thanks to Evgeny Ananin for translating the content of the exploit document from Russian to English.

IOC

be7459722bd25c5b4d57af0769cc708ebf3910648debc52be3929406609997cf

a87daccbb260c5c68aaac3fcd6528f9ba16d4f284f94bc1b6307bbb3c6a2e379

b4a1f0603f49db9eea6bc98de24b6fc0034f3b374a00a815b5c906041028ddf3

934542905f018ecb495027906af13cc96e3f55e11751799f39ef4a3dceff562b 23a286d14de1f51c5073caf0fd40a7636c287f578f32ae5e05ed331741fde572

CC

hxxp://bigboss.x24hr.com

hxxp://secured-links.org/

 

 

Download our latest Global Threat Landscape Report.

Sign up for our weekly FortiGuard Threat Brief or for our FortiGuard Threat Intelligence Service.