Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations



Category: Unit 42

From September 2016 through late November 2016, a threat actor group used both the Trochilus RAT and a newly idenfied RAT we’ve named MoonWind to target organizations in Thailand, including a utility organization. We chose the name ‘MoonWind’ based on debugging strings we saw within the samples, as well as the compiler used to generate the samples. The attackers compromised two legitimate Thai websites to host the malware, which is a tactic this group has used in the past. Both the Trochilus and MoonWind RATs were hosted on the same compromised sites and used to target the same organization at the same time. The attackers used different command and control servers (C2s) for each malware family, a tactic we believe was meant to thwart attempts to tie the attacks together using infrastructure alone. The compromised websites are the site for a group of information technology companies in Thailand, and all the tools were stored in the same directory.

We were also able to find a post-compromise tool along with the two RATs, which afforeded us insight into one of the tools the attackers used once they gained a foothold inside an organization. In addition to Trochilus and MoonWind we found Mimikatz, a popular credential harvesting tool.

Further research led us to additional MoonWind samples using the same C2 (dns[.] webswindows [.]com) but hosted on a different compromised but legitimate website.  The attacks in that case took place in late September to early October 2016 and the attackers stored the MoonWind samples as RAR files, while in the November attacks the RATs were stored as executables. We were not able to find additional tools, but the attackers again compromised a legitimate Thai website to host their malware, in this case the student portal for a Thai University.

MoonWind Analysis

The MoonWind sample used for this analysis was compiled with a Chinese compiler known as BlackMoon, the same compiler used for the BlackMoon banking Trojan. While a number of attributes match the BlackMoon banking Trojan, the malware is not the same. Both malware families were simply compiled using the same compiler, and it was the BlackMoon artifacts that resulted in the naming of the BlackMoon banking Trojan. But because this new sample is different from the BlackMoon banking Trojan, we have named it MoonWind, by combining the BlackMoon compiler artifacts with the embedded string below:

E:\StarWind\FW__Project_RTPD-PIBICs\Table.ini

When MoonWind first runs, it will copy itself to one of the following locations with a filename of ‘svcohos.exe’:

  • C:\Documents and Settings\All Users\Ufyaginptxb\
  • C:\Users\All Users\
  • C:\PorgramData\
  • C:\Program Files\Common Files\

It then executes a new instance of itself in a new process. Also, it will remove the original file via the following command that is executed in a batch script named ‘date.bat’.

During this routine, a randomly generated victim identifier will be created and written to a file named ‘micr.ini’. This file is located in the same path as the malware. The following contents represent an example of a victim ID contained in this file:

During the install routine, the malware will also setup a timer that will execute a file named ‘sevrsvos.exe’. This sample (815df680be80b26b5dff0bcaf73f7495b9cae5e3ad3acb7348be188af3e75201) acts as a runtime persistence mechanism. It installs itself as a service with the following properties:

Service Name: Windows  Ejlptxtxbfjn Rvzd
Display Name: Windows  Ejlptxtxbfjn Rvzd
Description: Windows  Ejlptxtxbfjn Rvzd Hlptxbfjnr
Startup Type: Automatic

This service serves the single purpose of checking every 60 seconds if the ‘svcohos.exe’ process is running. If not, the service will spawn a new instance of it. In doing so, this secondary malware sample acts as both a runtime persistence mechanism, as well as a persistence mechanism across reboots.

After installation, a keylogging routine begins. The malware writes keystrokes and window information to a filename in the present working directory with the following filename:

jop[year][month][day][hour][minute][seconds].zip

Additionally, it writes a ‘win.ini’ file that contains this file path above.

The malware proceeds to collect the following victim information:

  • Hostname
  • Username
  • Windows version
  • IP address
  • Current time
  • RAM amount
  • Number of total drives
  • Number of removable drives
  • Unique victim identifier

After this information is aggregated, MoonWind enters its command and control loop, and begins reaching out to the servers and ports specified in its configuration embedded in the svcohos.exe file. The following remote hosts were specified in this particular sample:

dns.webswindows[.]com|80
dns.webswindows[.]com|443
dns.webswindows[.]com|53
dns.webswindows[.]com|8080

While the ports associated with this sample’s configuration pertain normally to HTTP, HTTPS, or DNS, network communication takes place via raw sockets. The malware first receives data, which has the following format as shown in Figure 1:

moonwind_1

Figure 1 C2 to MoonWind communication

Digging into the packet further, we can break out individual pieces, as seen in Figure 2:

moonwind_2

Figure 2 MoonWind network communication packet format

The encrypted data portion is encrypted via RC4 with the following static key:

HHSADh!@#$YUAGEWYGhjfsjd5465fsaQWAFGDA/jfdafdjhhasgfh==

In the above example, the encrypted data decrypts to ‘\x20\x20\x20\x20\x20\x20’, or six spaces. This particular command requests that the malware send the previously collected victim information.

The data returned by MoonWind has the same format, however, uses the following static key for encryption instead:

SSHqWSSAFdhjklfahj!@##4*&&!!HQ12785452!@!!$$$32#@$$11!!

An example of such data returned by the malware can be seen below in figure 3.

moonwind_3

Figure 3 MoonWind to C2 communication

When decrypted, we see the data shown in Figure 4. Note that the first six bytes contains the return command (‘WYR002’), followed by the payload. The payload contains information previously discussed, delimited by ‘*/*’. Certain variables, such as ‘cdg’ and ‘ip’ are hardcoded. We also see what is most likely a malware versioning string at the end (V2.1). This string is also hardcoded to the sample.

moonwind_4

Figure 4 Decrypted data sent by MoonWind

In total, MoonWind has 73 possibly commands that it can accept. We have not yet fully researched all of the commands, but the majority of them have been identified, as we can see in the Appendix.

Conclusion

Trochilus was first reported by Arbor Networks in their Seven Pointed Dagger report tying its use to other targeted Southeast Asia activity. The activity dates to at least 2013 and has ties to multiple reports by other researchers. It is highly likely MoonWind is yet another new tool being used by the group or groups responsible for that activity, indicating they are not only still active but continuing to evolve their playbook.

Palo Alto Networks customers are protected from this threat in the following ways:

  • The malware discussed in this report is blocked by WildFire and Traps
  • The domain names included in this report are blocked by Threat Prevention

AutoFocus subscribers can investigate the activities further with the following tags:

Appendix

MoonWind Commands

Command Description Response Command Notes
\x20\x20\x20\x20\x20\x20 Returns collected victim information. WYR002
WYR002 Null command. None
WYR003 Spawns message box that allows victim to send a message. WYR003
WYR005 Modifies services. WYR005 Subcommands of either ‘fuwu’ (create service), ‘exit’ (stop service), ‘stop’ (pause service), ‘reun’ (continue service), or ‘yrun’ (start service)
WYR006 Returns a list of running processes. WYR006
WYR007 Kills specified process. None
qdcmdl Spawns an interactive shell. cmdok1
WYR009 Send command to interactive shell and receive results. WYRCCC
WYR010 Terminates interactive shell. None
WYR011 Get size of disks. WYR011
WYR012 Returns space of given directory. WYR012
WYR013 Return a directory listing of specified directory (C:\ default). WYR013
WYR014 Execute specified command. None
WYR015 Open specified command with ShellExecuteA. None
WYR016 Open specified command with ShellExecuteA (Hidden). None
WYR018 Perform directory listing with file attributes. WYR018
xiazai Read contents of file specified. wrdown
cxqdcx Restart MoonWind. None Uses %TEMP%/restart.bat to perform restart.
pingmu Return screen resolution. pmgksj
qdkzpm Unknown.
jixujj Unknown.
sbkzxx Performs various mouse actions. None Subcommands of either ‘sj’ (double left-click), ‘yk’ (move to position and right-up), ‘zk’ (move to position and right-down), ‘zx’ (move to position and left-up), or ‘yd’ (move to position and left-down)
xhpmkz Unknown.
axjpsj Submits keyboard inputs. None
ksjljp Starts keylogging functionality. None
tzjljp Stops keylogging functionality. None
hqjljp Return keylogging data. jpjlhq
scjpjl Deletes the keylogging file. None
xzcxzs Uninstalls malware. None Uses ‘x.bat’ to accomplish uninstall. Written to present working directory (PWD) of malware.
httpxx Unknown.
zaicif Unknown.
xiaokl Unknown.
juxuxi Null command. None
shangc Unknown.
ecscwj Unknown.
scwjwb Unknown.
scmlcj Creates specified directory. mlwzcj
ycxiaz Unknown.
zcycxz Unknown.
ycxjml Creates specified directory. None
xjwjcj Writes specified file with provided contents. None Command format is

‘[filename]|[data]’.

shanwj Deletes specified file. None
shanml Removes specified directory. None
gengmj Moves specified file. None Command format is ‘[src]|^|[dst]’.
ycgwjj Sets hidden attribute on specified file. None
copywj Copies specified file. copyok Command format is ‘[src]^|^[dst]’.
fzmlwj Copies specified directory. copyok Command format is ‘[src]^|^[dst]’.
sdxtcs Unknown.
qypxxl Get disk space of specified drive. qdypxx
scdqwj Unknown.
wyycwj Unknown.
xzwcsc Unknown.
xzwcyx Executes specified command within batch script. None Uses ‘boot.bat’ to accomplish uninstall. Written to PWD of malware.
dwjjxc Unknown.
dwjcwj Unknown.
dqscds Returns filesize of specified file. qcwjcd
sjkqzd Unknown.
sswjsj Finds specified file and returns results including attributes. wjsswb
dwjsjx Unknown.
xzbwza Unknown.
hqurl1 Returns C2 configuration of MoonWind. qcsxdz
ghsxip Writes data to win.dll and loads it. sdczip
khljcg Unknown.
dqyxml Unknown.
gxycwj Unknown.
gxwjbc Unknown.
gxwjok Unknown.
fxgxcs Unknown.
gxwjsy Open specified command with ShellExecuteA. None
gxyxcx Unknown.
bddkzf Unknown.
scwjdx Unknown.
xzwjdx

Indicators of Compromise

MoonWind

fd4856f2ec676f273ff71e1b0a1729cf6251c82780fc9e7d628deca690b02928
ce3da112e68e00621920911b1f9c72d7175894901173e703a44ac3700e4d427c
e31679b82be58ace96b1d9fdfc2b62b6e91d371ed93957e0764cd7c464b04b9d
f2589745671949422b19beec0856ca8b9608c02d5df4402f92c0dcc9d403010b

MoonWind Persistence Mechanism

815df680be80b26b5dff0bcaf73f7495b9cae5e3ad3acb7348be188af3e75201

Trochilus

59f8a31d66f053f1efcc8d7c7ebb209a8c12233423cc2dc3673373dde9b3a149

webswindows[.]com
192.225.226[.]195

ignite17-social-cover-img-facebook-820x340

Ignite ’17 Security Conference: Vancouver, BC June 12–15, 2017

Ignite ’17 Security Conference is a live, four-day conference designed for today’s security professionals. Hear from innovators and experts, gain real-world skills through hands-on sessions and interactive workshops, and find out how breach prevention is changing the security industry. Visit the Ignite website for more information on tracks, workshops and marquee sessions.

Got something to say?

Get updates: Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42


SUBSCRIBE TO RSS