Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia

Overview

Proofpoint researchers have identified a targeted APT campaign that utilized malicious RTF documents to deliver custom malware to unsuspecting victims. We dubbed this campaign “Operation LagTime IT” based on entities that were targeted and the distinctive domains registered to C&C IP infrastructure.

Beginning in early 2019, these threat actors targeted a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. We determined that the infection vector observed in this campaign was spear phishing, with emails originating from both free email accounts and compromised user accounts. Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT.

Additionally, this APT group utilizes Poison Ivy payloads that share overlapping command and control (C&C) infrastructure with the newly identified Cotx campaigns. Based on infrastructure overlaps, post-exploitation techniques, and historic TTPs utilized in this operation, Proofpoint analysts attribute this activity to the Chinese APT group tracked internally as TA428. Researchers believe that this activity has an operational and tactical resemblance to the Maudi Surveillance Operation which was previously reported in 2013 [1].

Delivery

Proofpoint researchers initially identified email campaigns with malicious RTF document attachments targeting East Asian government agencies in March 2019. These campaigns originated from adversary-operated free email sender accounts at yahoo[.]co[.].jp and yahoo[.]com. Sender addresses often imitated common names found in the languages of targeted entities. Spear phishing emails included malicious .doc attachments that were actually RTF files saved with .doc file extensions.

The lures used in the subjects, attachment names, and attachment content in several cases utilized information technology themes specific to Asia such as governmental or public training documents relating to IT. On one specific occasion an email utilized the subject “ITU Asia-Pacific Online CoE Training Course on ‘Conformity & Interoperability in 5G’ for the Asia-Pacific Region, 15-26 April 2019” and the attachment name “190315_annex 1 online_course_agenda_coei_c&i.doc”. The conference referenced in the lure was an actual event likely selected due to its relevance to potential victims. This is significant as countries in the APAC region continue to adopt Chinese 5G technology in government as well as heavy equipment industries.

Figure 1: Example lure used by TA428 referencing an APAC IT conference

We identified several government agencies targeted as part of Operation LagTime IT. These agencies are responsible for overseeing IT, scientific research, domestic affairs, foreign affairs, political processes, and financial development.

Exploitation

As we previously noted, the malicious RTF attachments exploited vulnerabilities in the Microsoft Equation Editor, specifically CVE-2018-0798, before downloading subsequent payloads. The exploit uses an encoded RTF object to drop a PE file to the Windows temporary directory. The dropped PE file has the distinctive file name “8.t”. When executed, writes a Word Add-In file with the “.wll” extension to the Windows Startup directory, which runs the next time Word is opened. It should be noted that this dropper methodology is not unique to TA428, and has been identified by security researchers in campaigns related to at least four additional Chinese APT groups. RTF files leveraging this technique have historically contained the string "objw871\\objh811\\objscalex8\\objscaley8" which has been noted by researchers at Anomali [2] and FireEye. Researchers have also recently observed this RTF weaponizer tool in commodity campaigns delivering Async RAT.

After it is executed, the .wll file renames itself as RasTls.dll. Simultaneously, it decrypts a legitimate Symantec PE binary commonly named IntelGraphicsController.exe or AcroRd32.exe. This legitimate Symantec binary is used to side-load RasTls.dll using DLL search-order hijacking leading to the execution of Cotx RAT malware. Once executed the RasTls.dll file next resolves the addresses of the DLL libraries it is programmed to access and ensures that it is only running in one of five predetermined processes. These processes are winword.exe, excel.exe, powerpnt.exe, eqnedt32.exe, and acrord32.exe. The first four of these processes are associated with Microsoft Word, Excel, and PowerPoint exploits, as well as the Equation Editor exploit used by the initial malicious RTF in this campaign. The last process is utilized as part of the loading process for Cotx RAT and involves the legitimate Symantec binary noted above. The inclusion of the processes excel.exe and powerpnt.exe suggests that this stage one malware may be capable of utilizing .xls and .ppsx files as droppers. Researchers at SectorB06 [4] have noted this stage-one payload and indicated that throughout the above process it is running a “CheckRemoteDebuggerPresent” function to prevent analysis and debugging by researchers.

Malware: Cotx RAT

The RasTls.dll contains the Cotx RAT code. The malware is written in C++ using object-oriented programming. We named it by borrowing the name of the location of its stored configuration. The encrypted configuration is stored in the side-loaded DLL file RasTls.dll in a PE section named “.cotx”. The current encrypted configuration is also stored in the registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Java\user”.

The configuration data is AES-192-encrypted using CBC mode and base64-encoded. We determined that the encryption key was "98151137ab12780969b2c3612072018709a83a3352466a8b" (hex-encoded) and the initialization vector “IV” was “2042123224315117031b1a0a3ccda53f” (hex-encoded). In plaintext the configuration appears as follows:

*\x00\x00\x00217.69.8.255|||1.187.1.187|mark3|P@SSaw1||\x00\x00

The first four bytes contain the size of the configuration (42-bytes). The configuration is pipe delimited and contains:

1. C&C host 1
2. C&C host 2
3. C&C host 3
4. Definition of two C&C ports
   1. An example string looks like an IP address: "1.187.1.187"
   2. The string is split on "."
   3. Port 1 is defined by (piece0 << 8) + piece1 = (1 << 8) + 187 = 443
   4. Port 2 is defined by (piece2 << 8) + piece3 = (1 << 8) + 187 = 443
   5. Alternatively, if the string is not an IP address, but looks like a host, it will resolve the host into an IP address and calculate the ports using the resolved address
5. "mark" field - sent in the C&C beacon
6. "passwd" field - sent in the C&C beacon
7. Proxy IP and port
   1. Discovered by searching the IPv4 TCP connection table for established connections with remote ports using common proxy ports (3128, 8080, 808, 1080)
   2. Or via WINHTTP_OPTION_PROXY

For persistence, Cotx stores files in a directory “Intel\Intel(R) Processor Graphics”. The location of this folder varies among samples with both the %AppData% and %PROGRAMFILES% directories being observed.

The command and control structure of Cotx RAT is proxy aware. It utilizes wolfSSL for TLS encrypted communication. The initial beacon contains “|”-delimited system information. The data included in the beacon is Zlib compressed and encrypted with AES-192 in CBC mode utilizing the same keys as the configuration. The following values are included:

• "id" value from "software\\intel\\java" subkey
• Computer name
• "mark" field from configuration
• Username
• Windows version
• Architecture
• Possible malware version. "0.9.7" is hardcoded in the analyzed sample
• Local IP addresses
• First adapter's MAC address
• Connection type (https or _proxy)
• "password" field from configuration

Commands from the C&C are received from the malware beacon. This data is AES-encrypted. We observed the following commands:

• 0 - Keep alive, sets a "poll again" flag and sends an empty response to C&C
• 1 - Sets "id" value in "software\\intel\\java" subkey, sends an empty response to C&C
• 2 - Get directory info or drive info
• 5 - Open command shell
• 6 - Open command shell as logged in user
• 7 - Send command to command shell
• 8 - Copy file
• 9 - Delete file
• 10 - Read file
• 11 - Check for filename. If doesn't exist, check for filename with ".ut" extension. If it exists, send file size back to C&C
• 12 - Write file
• 13 - Screenshot
• 14 - Process listing
• 15 - Kill process
• 16 - Send current configuration to C&C
• 17 - Update config in registry and ".cotx" PE section
• 18 - Set sleep time
• 19 - Close C&C comms
• 20 - Uninstall and remove self
• 21 - Get list of installed software
• 22 - Kill command shell
• 23 - Exit malware
• 24 - Send a "Ctrl-C" to the command shell and exit
• 25 - Execute an executable

Malware: Poison Ivy

TA428 threat actors also delivered Poison Ivy malware payloads. In a limited number of cases, we observed attachments utilizing the 8.t dropper methodology described above. However, the majority of Poison Ivy payloads were dropped as PE files named OSE.exe when the RTF attachment was executed and an Equation Editor vulnerability was successfully exploited. The Poison Ivy samples all communicated with the IP 95.179.131[.]29. We identified earlier variants of Poison Ivy malware that utilized the above IP via open source research, which used the file names bubbles.exe and sfx.exe. Examination of the Poison Ivy malware configurations indicated that all samples shared the password “3&U<9f*lZ>!MIQ” while campaign and group IDs, as well as mutexes varied across campaigns.

We identified significant operational overlap between Cotx RAT campaigns and Poison Ivy campaigns. Specifically, on several occasions users that were unsuccessfully targeted with Cotx RAT malware were later targeted with messages distributing Poison Ivy. Users were also targeted by Poison Ivy malware on successive occasions indicating the adversary’s persistent nature in attempting to compromise targets via spear phishing. In one example, a targeted user received an unsuccessful phishing email attempting to deliver Cotx RAT followed by a Poison Ivy phishing email seven days later. In addition to a shared targeting list, analysts observed adversary reuse of free email sender accounts to deliver both Cotx RAT and Poison Ivy malware to different users. It appears the adversary sender accounts utilized delivery TTPs and payloads interchangeably from March through April 2019. This vacillation of tactics further enforces Proofpoint’s classification of these campaigns under a single operation.

C&C Infrastructure

An examination of the separate C&C infrastructure utilized by Cotx RAT and Poison Ivy payloads revealed further overlaps between these campaigns. A review of passive DNS information indicated that the C&C IPs hosted subdomains that share the root domain vzglagtime[.]net. We found that the Poison Ivy C&C IP hosted the domains f1news[.]vzglagtime[.]net and news[.]vzglagtime[.]net. The Cotx RAT C&C IP hosted the hostname mtanews.vzglagtime[.]net. The latter of these domains was previously reported by security researchers to have been a C&C address observed in a malware implant targeting the East Asian Telecommunications and Transportation sectors in January 2019. The presence of related domain registrations on disparate malware IP infrastructure also contributed to analysts’ decision to classify these campaigns collectively under Operation LagTime IT.

Conclusion

Proofpoint analysts assess that Operation LagTime IT is likely a continuation of targeted activity by APT actors aligned with Chinese state interests. This operation, centered around East Asian governmental agencies, may represent efforts to satisfy espionage and intelligence requirements relative to China’s regional neighbors. While not revolutionary in its approach or malware design, TA428 actors demonstrated significant persistence in compromising victims and utilized custom malware. The defined scope of targeting in this operation including government information technology agencies demonstrates a focus on high-value targets. While ultimately the motivation for this APT campaign remains opaque, what is certain is that TA428 persists in targeting users responsible for the orchestration of governmental systems in East Asia. 

References

[1] https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2012/NormanShark-MaudiOperation.pdf

[2] https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain

[3] https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt

[4] https://threatrecon.nshc.net/2019/04/30/sectorb06-using-mongolian-language-in-lure-document/

Indicators of Compromise (IOCs)

ET and ETPRO Suricata/Snort Signatures

2836210          ETPRO TROJAN SSL/TLS Certificate Observed (SectorB06 Dropper)