The EasternRoppels operation: PLATINUM group is back
Alexey Shulmin & Andrey Dolgushev, Kaspersky Lab
In the middle of 2017, Kaspersky Lab experts discovered a new malicious threat that is believed to be related to the famous PLATINUM APT group, which had been widely regarded as inactive. They named the campaign ‘EasternRoppels’.
The attack featured a multi-stage approach: first, the operators used WMI subscriptions to run an initial PowerShell downloader that, in turn, downloaded another small PowerShell backdoor. We collected many initial WMI PowerShell scripts and noticed that each had a different hardcoded command and control (CnC) address, a different encryption key and salt (both unique to each initial loader), and different active hours (meaning the malware works only during a certain period of time every day). CnCs were located on free-of-charge hosting services, and the attackers also made heavy use of many Dropbox accounts (for storing the payload and exfiltrated data). The second backdoor in this APT kill chain can perform a very limited set of commands: download or upload a file, run a PowerShell script, and undertake the initial fingerprinting of a system. We researched this operation and discovered that it was a targeted attack, and among its targets were high-profile victims in the APAC region: governments and air forces. But one thing remained unclear to us: why does the second backdoor have such limited functionality?
At the time, we were researching another threat whose victims were also in the APAC region. We were able to find a backdoor that was implemented as a DLL and worked as a WinSock NSP (Nameservice Provider) in order to survive a reboot. This backdoor shares several similarities with the second PowerShell backdoor described above: it has hardcoded active hours, it uses free-of-charge domains as CnCs, and more. At the same time, this backdoor has some really interesting features. For example, it is able to hide all communication with its CnC by using text steganography methods.
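Both persistence mechanisms named above (WMI event subscriptions that launch PowerShell, and a DLL registered as a WinSock namespace provider) leave enumerable artifacts on the host. The following read-only hunting script is an added example, not code from the talk or from Kaspersky Lab; the keyword heuristic and the assumption that the WinSock catalog lives under the standard `NameSpace_Catalog5` registry key are mine.

```powershell
# Added example: enumerate WMI permanent event subscriptions and WinSock
# namespace providers so a defender can review them. Run elevated; changes nothing.

$ns = 'root\subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # returns all subclasses
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Heuristic (assumption, tune to your environment): consumer payloads that invoke
# PowerShell with encoded/downloaded content deserve a closer look.
$suspect = 'powershell|-enc|frombase64|downloadstring|invoke-expression|iex |hidden|bypass'

foreach ($b in $bindings) {
    # Binding references have the form: __EventFilter.Name="X" and
    # CommandLineEventConsumer.Name="Y"; pull out the Name values.
    $fName = $b.Filter   -replace '.*Name="([^"]+)".*', '$1'
    $cName = $b.Consumer -replace '.*Name="([^"]+)".*', '$1'
    $f = $filters   | Where-Object Name -eq $fName
    $c = $consumers | Where-Object Name -eq $cName

    # The payload lives in a different property depending on the consumer class.
    $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
               elseif ($c.ScriptText)     { $c.ScriptText }
               else                        { '' }

    [pscustomobject]@{
        Filter     = $fName
        Query      = $f.Query                      # WQL trigger, e.g. a timer or logon event
        Consumer   = "$($c.CimClass.CimClassName):$cName"
        Payload    = $payload
        Suspicious = [bool]($payload -match $suspect)
    }
}

# WinSock namespace providers: every entry is a DLL loaded into processes that
# resolve names. Compare LibraryPath against the known system providers.
# On 64-bit Windows, NameSpace_Catalog5\Catalog_Entries64 holds the 64-bit set too.
$cat = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries'
Get-ChildItem $cat | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    [pscustomobject]@{
        Provider = $p.DisplayString
        Dll      = $p.LibraryPath
        Enabled  = $p.Enabled
    }
}
```

Pipe either result set to `Format-List` or export it to CSV and diff against a known-good baseline from a clean build of the same image.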
After deeper analysis we understood that the two campaigns are connected. Among other things, both attacks used the same domain to store exfiltrated data, and we also discovered that some victims were infected by both pieces of malware at the same time. It is worth mentioning that in the second campaign all executable files are protected with a run-time crypter, and this crypter also stores the payload using steganography.
We created many detection signatures based on the backdoor from the second attack and found a lot of samples packed with the same crypter. We unpacked them and learned that some of them were used in previous PLATINUM campaigns, and that the backdoor configuration files look like configuration files from PLATINUM attacks. At the same time, the remainder of the samples were not related to any previously known attack, so they are probably new components and malware used by the PLATINUM group. These facts allowed us to affirm with high probability that the PLATINUM group is behind both of these attacks.
In our presentation, we will provide additional details about the EasternRoppels campaign (which is still active): we will describe the main backdoor and its functionality, and cover the techniques that are new for this APT group (steganography, WMI subscriptions, new and interesting crypters). We will also provide additional information on other malicious tools that were used in this campaign and show the victimology. It is very interesting that a number of high-profile victims were infected, including some ministries, air forces and the federal police forces of some countries in APAC.
I joined Kaspersky Lab in 2013 as a Malware Analyst in the Anti-Botnet group and was responsible for analysing bot functionality and their communication protocols.
In 2016 I became the lead of the newly formed Targeted Attacks Research team, and now our main aims are to provide strong detections for all known APTs and to provide expert support for our Anti-APT product.
Andrey joined Kaspersky Lab in 2017 as a Malware Analyst in the Targeted Attacks Research team. He is responsible for working on detections for known APTs and for researching unknown APTs.