ESET researchers have discovered Hodur, a previously undocumented Korplug variant spread by Mustang Panda, that uses phishing lures referencing current events in Europe, including the invasion of Ukraine
ESET researchers discovered a still-ongoing campaign using a previously undocumented Korplug variant, which they named Hodur due to its resemblance to the THOR variant previously documented by Unit 42 in 2020. In Norse mythology, Hodur is Thor's blind half-brother, who is tricked by Loki into killing their half-brother Baldr.
Key findings in this blogpost:
- As of March 2022, this campaign is still ongoing and goes back to at least August 2021.
- Known victims include research entities, internet service providers, and European diplomatic missions.
- The compromise chain includes decoy documents that are frequently updated and relate to events in Europe.
- The campaign uses a custom loader to execute a new Korplug variant.
- Every stage of the deployment process uses anti-analysis techniques and control-flow obfuscation, which sets it apart from other campaigns.
- ESET researchers provide an in-depth analysis of the capabilities and commands of this new variant.
Victims of this campaign are likely lured with phishing documents abusing the latest events in Europe such as Russia's invasion of Ukraine. This resulted in more than three million residents fleeing the war to neighboring countries, leading to an unprecedented crisis on Ukraine's borders. One of the filenames related to this campaign is Situation at the EU borders with Ukraine.exe.
Other phishing lures mention updated COVID-19 travel restrictions, an approved regional aid map for Greece, and a Regulation of the European Parliament and of the Council. The last one is a real document available on the European Council's website. This shows that the APT group behind this campaign is following current affairs and is able to successfully and swiftly react to them.
- South Sudan
- South Africa
- Diplomatic missions
- Research entities
- Internet service providers (ISPs)
Based on code similarities and the many commonalities in Tactics, Techniques, and Procedures (TTPs), ESET researchers attribute this campaign with high confidence to Mustang Panda (also known as TA416, RedDelta, or PKPLUG). It is a cyberespionage group mainly targeting governmental entities and NGOs. Its victims are mostly, but not exclusively, located in East and Southeast Asia with a focus on Mongolia. The group is also known for its campaign targeting the Vatican in 2020.
While we haven't been able to identify the verticals of all victims, this campaign seems to have the same targeting objectives as other Mustang Panda campaigns. Following the APT's typical victimology, most victims are located in East and Southeast Asia, along with some in European and African countries. According to ESET telemetry, the vast majority of targets are located in Mongolia and Vietnam, followed by Myanmar, with only a few in the other affected countries.
Mustang Panda's campaigns frequently use custom loaders for shared malware including Cobalt Strike, Poison Ivy, and Korplug (also known as PlugX). The group has also been known to create its own Korplug variants. Compared to other campaigns using Korplug, every stage of the deployment process uses anti-analysis techniques and control-flow obfuscation.
This blogpost contains a detailed analysis of this previously unseen Korplug variant used in this campaign. This activity is part of the same campaign recently covered by Proofpoint, but we provide additional historical and targeting information.
Mustang Panda is known for its elaborate custom loaders and Korplug variants, and the samples used in this campaign showcase this perfectly.
Compromise chains seen in this campaign follow the typical Korplug pattern: a legitimate, validly signed executable vulnerable to DLL search-order hijacking, a malicious DLL, and an encrypted Korplug file are deployed on the target machine. The executable is abused to load the module, which then decrypts and executes the Korplug RAT. In some cases, a downloader is used first to deploy these files along with a decoy document. This process is illustrated in Figure 2.
What sets this campaign apart is the heavy use of control-flow obfuscation and anti-analysis techniques at every stage of the deployment process. The following sections describe the behavior of each stage and take a deeper look at the defense evasion techniques used in each of them.
We haven't been able to observe the initial deployment vector, but our analysis points to phishing and watering hole attacks as likely vectors. In instances where we observed a downloader, the filenames used suggest a document with an interesting subject for the target. Such examples include:
- COVID-19 travel restrictions EU reviews list of third countries.exe
- REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL.exe
- Situation at the EU borders with Ukraine.exe
To further the illusion, these binaries download and open a document that has the same name but with a .doc or .pdf extension. The contents of these decoys accurately reflect the filename. As shown in Figure 3, at least one of them is a publicly available legitimate document from the European Parliament.
Although its complexity has increased over the course of the campaign, the downloader is fairly simple. This increase in complexity comes from additional anti-analysis techniques, which we cover later in this section.
It first downloads four files over HTTPS: a decoy document, a legitimate executable, a malicious module, and an encrypted Korplug file. The combination of these last three components to execute a payload via DLL side-loading is often referred to as a trident and is a technique commonly used by Mustang Panda, and with Korplug loaders in general. Both the server addresses and file paths are hardcoded in the downloader executable. Once everything is downloaded, and the decoy document opened to distract the victim, the downloader uses the following command line to launch the legitimate executable:
cmd /c ping 126.96.36.199 -n 70&&"%temp%
This ping command both checks internet connectivity and introduces a delay (via the -n 70 option) before executing the downloaded, legitimate executable.
The downloader uses several anti-analysis techniques, many of which are also used in the loader and final payload. Additional obfuscation has been added to new versions over the course of the campaign without otherwise changing their purpose.
In early versions of the downloader, junk code and opaque predicates were used to hinder analysis, as shown in Figure 4, but the server and filenames are plainly visible in cleartext.
In later versions, the files on the server are RC4 encrypted, using the base 10 string representation of the file size as the key, and then hex-encoded. This process is illustrated in the Python snippet below. The reverse operations are performed client-side by the downloader to recover the plaintext files. This is likely done to bypass network-level protections.
from Crypto.Cipher import ARC4   # PyCryptodome

# plaintext holds the raw bytes of the file to be served
key = b"%d" % len(plaintext)     # RC4 key: the file size as a base-10 string
rc4 = ARC4.new(key)
cipher_content = rc4.encrypt(plaintext).hex().upper()   # encrypt, then hex-encode
These versions replace the use of cleartext strings with encrypted stack strings. They are still hardcoded in the file, but the obfuscation surrounding them, and the use of different keys, makes it hard to decrypt them statically in an automated manner. This same technique is used heavily in the subsequent stages. Encrypted stack strings are also used to obfuscate calls to Windows API functions.
First, the name of the target function is decrypted and passed to a function. This function obtains a pointer to the InMemoryOrderModuleList field of the PEB (Process Environment Block). It then iterates over the loaded modules, passing each handle to GetProcAddress along with the function name until the target function is successfully resolved. Part of this process can be seen in Figure 5.
As is common with Korplug, the loader is a DLL that exploits a side-loading vulnerability in a legitimate, signed executable. We have observed many different applications being abused in this campaign, for instance a vulnerable SmadAV executable previously seen by Qurium in a campaign attributed to Mustang Panda that targeted Myanmar.
The loader exports multiple functions. The exact list varies depending on the abused application, but in all cases, only one of them does anything of consequence. In all the loaders we observed, this is the exported function with the highest load address. All the other exports, and the library's entry point, either return immediately or execute some do-nothing junk code. Many of these exports have names that consist of random lowercase letters and point to the same address as shown in Table 1.
Table 1. Functions exported by a Hodur loader. The createSystemFontsUsingEDL export is the one that loads the final malware stage in this version.
The loader function obtains the directory from which the DLL is running using GetModuleFileNameA and tries to open the encrypted Korplug file it contains. That filename is hardcoded in the loader. It reads the file's contents into a locally allocated buffer and decrypts it. The loader makes this buffer executable using VirtualProtect before calling into it at offset 0x00.
Windows API function calls are obfuscated with a different technique than that used in the downloader. Unlike the loader, which contains the names of its functions (as shown in Table 1 above), only the 64-bit hashes of the Windows API function calls are present in the binary. To resolve these functions, the loader traverses the export lists of all loaded libraries via the InMemoryOrderModuleList of the PEB. Each export's name is hashed, then compared to the expected value. The FNV-1a hash algorithm, recently brought back into the mainstream by the Sunburst backdoor, has previously been used by Mustang Panda, in Korplug loaders documented by XORHEX, to resolve GetProcAddress and LoadLibraryA, although it was not identified by name in that analysis. In this version, however, it is used for all API functions.
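The hash-based import resolution just described is easy to reverse from the analyst's side: the loader compares FNV-1a hashes of export names against constants in the binary, so an analyst only needs the same hash over a list of known export names to annotate those constants. The following is an added example (not ESET's code and not taken from the Hodur loader) of the standard 64-bit FNV-1a and such a reverse-lookup table. The export list is constructed for the demo; in practice it would be generated from the export directories of the DLLs a sample loads.

```python
# Added example (not ESET's code): FNV-1a 64-bit hashing as used by the Hodur loader to resolve
# Windows API functions, plus the defender-side reverse lookup an analyst builds to annotate the
# 64-bit constants found in a sample.
from typing import Dict, Iterable, Optional

FNV64_OFFSET = 0xCBF29CE484222325   # standard FNV offset basis
FNV64_PRIME = 0x100000001B3         # standard FNV prime
MASK64 = (1 << 64) - 1


def fnv1a64(data: bytes) -> int:
    """Standard FNV-1a over a byte string: XOR each byte in, then multiply by the prime (mod 2^64)."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def build_hash_table(export_names: Iterable[str]) -> Dict[int, str]:
    """Map hash -> export name for every name in the list. The loader's lookup loop is the inverse:
    it hashes every export of every loaded module and stops when the hash matches its constant."""
    return {fnv1a64(name.encode("ascii")): name for name in export_names}


def resolve_hashes(hashes: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Annotate constants pulled from a sample; unknown hashes map to None so the analyst can see
    which ones still need a larger export list."""
    return {h: table.get(h) for h in hashes}


# Constructed export list; a real table would be generated from kernel32.dll, ntdll.dll, etc.
SAMPLE_EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualProtect", "CreateFileW", "ReadFile"]

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # Two hashes we expect to recognise and one constructed value we don't.
    wanted = [fnv1a64(b"GetProcAddress"), fnv1a64(b"VirtualProtect"), 0x1122334455667788]
    for h, name in resolve_hashes(wanted, table).items():
        print(f"{h:016x} -> {name}")
```

A hash table built from the exports of the common system DLLs is small enough to keep in a script or a disassembler plugin, and the unresolved entries it leaves behind are a useful pointer to less common modules the sample also loads.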
Korplug (also known as PlugX) is a RAT used by multiple APT groups. In spite of it being so widely used, or perhaps because of it, few reports extensively describe its commands and the information it exfiltrates. Its functionality is not constant between variants, but there does seem to exist a significant overlap in the list of commands between the version we analyzed and other sources such as the Avira report from January 2020 and the plugxdecoder project on GitHub.
As previously mentioned, the variant used in this campaign bears many similarities to the THOR variant, which is why we have named it Hodur. The similarities include the use of the Software\CLASSES\ms-pu registry key, the same format for C&C servers in the configuration, and use of the Static window class.
As expected for Korplug payloads, this stage is only ever decrypted in memory by the loader. Only the encrypted version is written to disk in a file with a .dat extension.
Unless stated otherwise, all hardcoded strings discussed in this section are stored as encrypted stack strings.
In this module, Windows API functions are obfuscated via a combination of the techniques used in previous stages. LoadLibraryA and GetProcAddress are resolved via the FNV-1a hashing technique and stack strings are decrypted and passed to them to obtain the target function.
Once decrypted, the payload is a valid DLL that exports a single function. In almost all observed samples from this campaign, this function is named StartProtect. However, launching it directly via this export or its entry point will not execute the main payload and the loading process is quite intricate.
As explained in the previous section, the file is decrypted in memory as a continuous blob by the loader and the execution starts at offset 0x00. The PE header contains shellcode, shown in Figure 6, that calls a specific offset that corresponds to the module's single export.
This function parses the PE blob in memory and manually maps it as a library into a newly allocated buffer. This includes mapping the various sections, resolving imports and, finally, using DLL_PROCESS_ATTACH to call the DLL entry point. Once again, opaque predicates and junk code are used to obfuscate the purpose of this function.
The entry point of the properly loaded library is then called with the non-standard value of 0x04 for the fdwReason parameter (only values from 0x00 to 0x03 are currently defined). This specific value is required to get it to execute its main payload. This simple check prevents the RAT from being trivially executed directly with a generic tool like rundll32.exe.
The backdoor first decrypts its configuration using the string 123456789 as a repeating XOR key. Once decrypted, the configuration block starts with ########. The format of the configuration varies slightly between samples, but all of them contain at least the following fields:
- Installation directory name. Also used as the name of the registry key created for persistence. This value roughly corresponds to the name of the abused application with three random letters appended (e.g., FontEDLZeP or AdobePhotosGQp)
- Mutex name
- A value that is either a version or ID string
- List of C&C servers. Each entry consists of IP address, port number, and a number indicating the protocol to use with that C&C
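Because the key is fixed and the decrypted block always starts with ########, an analyst can both decrypt a configuration and locate it inside a memory dump without running the sample: XORing the magic with the first eight key bytes gives the byte pattern the encrypted block starts with. The following is an added example (not ESET's code and not the RAT's own routine). The field layout after the magic is not documented in this post, so the sample plaintext uses an assumed NUL-separated layout purely to have something to encrypt; the IP address is a constructed TEST-NET value.

```python
# Added example (not ESET's code): decrypting Hodur's configuration block, which the post describes as
# XOR-encrypted with the repeating key "123456789" and starting with "########" once decrypted.
from itertools import cycle
from typing import List, Optional

CONFIG_KEY = b"123456789"
CONFIG_MAGIC = b"########"


def xor_decrypt(data: bytes, key: bytes = CONFIG_KEY) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encrypted_magic(key: bytes = CONFIG_KEY) -> bytes:
    """What the magic looks like in the encrypted block when the key stream starts at its first
    byte. This is the pattern a memory scanner or a YARA rule can search for."""
    return xor_decrypt(CONFIG_MAGIC, key)


def find_config_blocks(blob: bytes, key: bytes = CONFIG_KEY) -> List[int]:
    """Return every offset in blob where an encrypted config block appears to start."""
    pattern = encrypted_magic(key)
    offsets, pos = [], blob.find(pattern)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(pattern, pos + 1)
    return offsets


def decrypt_config(blob: bytes, offset: int, length: int, key: bytes = CONFIG_KEY) -> Optional[bytes]:
    """Decrypt `length` bytes at `offset` and return them only if the magic checks out."""
    plain = xor_decrypt(blob[offset:offset + length], key)
    return plain if plain.startswith(CONFIG_MAGIC) else None


# Constructed sample: assumed NUL-separated fields (directory name, mutex, version/ID, one C&C entry),
# encrypted and embedded in padding to stand in for a process memory dump.
SAMPLE_PLAIN = CONFIG_MAGIC + b"\x00FontEDLZeP\x00MutexNameHere\x00v1.0\x00198.51.100.10:443:1\x00"
SAMPLE_DUMP = b"\x90" * 64 + xor_decrypt(SAMPLE_PLAIN) + b"\x00" * 32

if __name__ == "__main__":
    for off in find_config_blocks(SAMPLE_DUMP):
        print(hex(off), decrypt_config(SAMPLE_DUMP, off, len(SAMPLE_PLAIN)))
```

The search only works when the key stream is aligned to the start of the block, which is the case for a configuration that is decrypted from its first byte as described here; a block that starts mid-key would need the nine key rotations tried in turn.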
The backdoor then checks the path from which it is running using GetModuleFileNameW. If this matches %userprofile% or %allusersprofile%, the RAT functionality will be executed. Otherwise, it will go through the installation process.
To install itself, the malware creates the aforementioned directory under %allusersprofile%. Using SetFileAttributesW, it is then marked as hidden and system. The vulnerable executable, loader module, and encrypted Korplug files are copied to the new directory.
Next, persistence is established. Earlier samples achieved this by creating a scheduled task to be run at boot via schtasks.exe. Newer samples add a registry entry to Software\Microsoft\Windows\CurrentVersion\Run, trying the HKLM hive first, then HKCU. This entry has the same name as the installation directory with its value set to the newly copied executable's path.
Once persistence has been set up, the malware launches the executable from its new location and exits.
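The installation pattern described above leaves a recognisable shape in the Run keys: a value whose name equals the name of a directory directly under %allusersprofile%, pointing at an executable copied into that directory. The following is an added triage heuristic (not ESET's code) that applies that check to Run-key entries. The entries are constructed; on a live host they would come from enumerating the HKLM and HKCU Run keys, and the assumed %ALLUSERSPROFILE% value would be read from the environment. A real check would also inspect whether the directory carries the hidden and system attributes.

```python
# Added example (not ESET's code): flag Run-key entries matching the persistence shape the post
# describes (value name == install directory name, executable under %ALLUSERSPROFILE%\<name>\).
import ntpath
from typing import Dict, List, NamedTuple


class RunEntry(NamedTuple):
    hive: str        # "HKLM" or "HKCU"
    name: str        # registry value name
    command: str     # registry value data (command line to launch)


ALLUSERSPROFILE = r"C:\ProgramData"   # assumed value of %ALLUSERSPROFILE% on the examined host


def executable_path(command: str) -> str:
    """Extract the program path from a Run value: a quoted path, or everything up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def is_suspicious(entry: RunEntry, allusersprofile: str = ALLUSERSPROFILE) -> bool:
    """True when the value name matches the parent directory of the launched executable and that
    directory sits directly under %ALLUSERSPROFILE%."""
    parent, exe_name = ntpath.split(executable_path(entry.command))
    grandparent, dir_name = ntpath.split(parent)
    return (
        exe_name.lower().endswith(".exe")
        and dir_name.lower() == entry.name.lower()
        and ntpath.normcase(grandparent.rstrip("\\")) == ntpath.normcase(allusersprofile)
    )


def triage(entries: List[RunEntry]) -> Dict[str, List[RunEntry]]:
    """Split entries into the ones matching the Hodur persistence shape and the rest."""
    return {
        "suspicious": [e for e in entries if is_suspicious(e)],
        "benign": [e for e in entries if not is_suspicious(e)],
    }


# Constructed sample entries; the two malicious ones reuse the directory names quoted in the post.
SAMPLE_ENTRIES = [
    RunEntry("HKLM", "FontEDLZeP", r"C:\ProgramData\FontEDLZeP\FontEDL.exe"),
    RunEntry("HKCU", "AdobePhotosGQp", r'"C:\ProgramData\AdobePhotosGQp\Adobe Stock Photos CS3.exe"'),
    RunEntry("HKLM", "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    RunEntry("HKCU", "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for verdict, found in triage(SAMPLE_ENTRIES).items():
        for e in found:
            print(f"{verdict:10s} {e.hive}\\...\\Run\\{e.name} -> {e.command}")
```

The OneDrive entry is included deliberately: its value name also equals its directory name, and only the %ALLUSERSPROFILE% check keeps it out of the suspicious bucket, which is why the heuristic should be combined with the hidden/system attribute check and the loader's known file names rather than used alone.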
The RAT functionality of the Hodur variant used in this campaign mostly lines up with other Korplug variants, with some additional commands and characteristics. As we have previously stated, though, detailed analyses of Korplug commands are few and far between, so we aim to provide such an analysis in the hopes of aiding future analysts.
When in this mode, the backdoor iterates through the list of C&C servers in its configuration until it reaches the end or receives an Uninstall command. For each of those servers, it processes commands until it receives a Stop command or encounters an error.
Hodur's initial handshake can be performed over HTTPS or TCP. This is determined by a value in the configuration for that particular C&C server. Subsequent communication is always performed over TCP using a custom protocol that we describe in this section, along with the commands that can be issued. Hodur uses sockets from the Windows Sockets API (Winsock) that support overlapped I/O.
Following the initial handshake, Hodur's communications consist of TCP messages that contain a header, with the structure described in Table 2, followed by a message body that is usually compressed using LZNT1 and always encrypted with RC4. Messages whose Command number header field has the 0x10000000 bit set (those that contain file contents for the ReadFile and WriteFile commands, described in Table 5) have encrypted but not compressed message bodies. All encrypted message bodies use the hardcoded key sV!e@T#L$PH% with a four-byte random nonce (the value at offset 0x00 in the header) appended to it.
Table 2. Header format used for communication between the C&C and the backdoor

| Offset | Field | Description |
|---|---|---|
| 0x00 | Nonce | Random nonce appended to the RC4 key. |
| 0x04 | Command number | This field indicates the command to run or the command that caused this response to be sent. |
| 0x08 | Length of body | Length of the message body. It seems that this field isn't checked by the client for messages from the C&C server. |
| 0x0C | Command exit status | The return or error value of the command that was run. This field is not checked by the client in messages received from the C&C server. |
Hodur's C&C message headers are transmitted in the clear, followed by variably sized (the value at offset 0x08 of the header) message bodies. The format of the message body varies per command, but once decrypted and decompressed, values of variable length (like strings) are always at a message body's end and their offset in the body is stored as an integer in the corresponding message field.
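Two places in this post rely on the same primitive: the downloader's server-side files are RC4-encrypted with the decimal file size as key and hex-encoded (the Python snippet earlier), and every C&C message body is RC4-encrypted with sV!e@T#L$PH% plus the header nonce. The following added example (not ESET's code, and not Hodur's implementation) carries one pure-Python RC4 and uses it for both: recovering a served file from its hex form, and parsing a message into its Table 2 header and decrypted body. It assumes little-endian header fields and that the nonce is appended to the key as its raw four bytes; both samples are constructed. LZNT1 decompression is not implemented here, so a body that is flagged as compressed is returned still compressed.

```python
# Added example (not ESET's code): pure-Python RC4 applied to (1) the downloader's hex-encoded files
# (key = base-10 file size) and (2) Hodur C&C messages (16-byte cleartext header from Table 2, body
# RC4-keyed with "sV!e@T#L$PH%" + 4-byte nonce). Header endianness and nonce encoding are assumptions.
import struct
from dataclasses import dataclass

BODY_KEY = b"sV!e@T#L$PH%"
NO_COMPRESS_FLAG = 0x10000000      # set on ReadFile/WriteFile data messages: encrypted, not compressed
HEADER_FMT = "<IIII"               # nonce, command number, body length, exit status (assumed little-endian)
HEADER_LEN = struct.calcsize(HEADER_FMT)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Stream cipher, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# --- (1) files served by the download server ---------------------------------------------------
def encode_served_file(plaintext: bytes) -> str:
    """Server side, as in the post's snippet: decimal length as key, upper-case hex output."""
    return rc4(b"%d" % len(plaintext), plaintext).hex().upper()


def decode_served_file(hex_blob: str) -> bytes:
    """Client side (and analyst side). RC4 preserves length, so the key follows from the ciphertext
    alone: a captured response can be decrypted without any secret."""
    ciphertext = bytes.fromhex(hex_blob)
    return rc4(b"%d" % len(ciphertext), ciphertext)


# --- (2) C&C messages --------------------------------------------------------------------------
@dataclass
class Message:
    nonce: int
    command: int
    body_len: int
    status: int
    body: bytes          # RC4-decrypted; still LZNT1-compressed when `compressed` is True
    compressed: bool


def body_key(nonce: int) -> bytes:
    return BODY_KEY + struct.pack("<I", nonce)


def build_message(nonce: int, command: int, status: int, body: bytes) -> bytes:
    """Assemble a message the way the protocol description implies (used here to create samples)."""
    header = struct.pack(HEADER_FMT, nonce, command, len(body), status)
    return header + rc4(body_key(nonce), body)


def parse_message(raw: bytes) -> Message:
    nonce, command, body_len, status = struct.unpack_from(HEADER_FMT, raw)
    body = rc4(body_key(nonce), raw[HEADER_LEN:HEADER_LEN + body_len])
    return Message(nonce, command, body_len, status, body,
                   compressed=not (command & NO_COMPRESS_FLAG))


# Constructed samples: a fake file and a ReadFile data message (command 0x10003005, uncompressed body).
SAMPLE_FILE = b"MZ\x90\x00" + b"A" * 60
SAMPLE_CHUNK = build_message(0xDEADBEEF, 0x10003005, 0, b"chunk of file data")

if __name__ == "__main__":
    print(decode_served_file(encode_served_file(SAMPLE_FILE)) == SAMPLE_FILE)
    print(parse_message(SAMPLE_CHUNK))
```

For a network sensor, the cleartext header is the useful part: the four-byte nonce followed by a command number from Tables 3 and 5 and a length that matches the remaining bytes of the TCP message is a strong structural signature even though the body itself is encrypted.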
Like the version described by Avira, Hodur has two groups of commands – 0x1001 and 0x1002 – each with its own handler. The C&C server can set which group to listen for by sending the corresponding ID as the command number when a client is not already in one of the two modes. It will continue to listen for the same group until it receives the Stop command, or an error occurs (including receiving a message with an invalid Command number in its header).
The first group, 0x1001, contains commands for managing the execution of the backdoor and doing initial reconnaissance on a newly compromised host. As these commands take no arguments, messages sent by the C&C server consist only of the headers. Table 3 contains a list of these commands. The GetSystemInfo command is described in more detail below. Note that no command names are present in the RAT; they were either taken from previous analyses or provided by us.
Table 3. Commands in group 0x1001

| ID | Name | Description | Data in client response |
|---|---|---|---|
| 0x1000 | Ping | Sent by the client when it starts listening for commands from this group. | Between 0 and 64 random bytes |
| 0x1001 | GetSystemInfo | Get information about the system. | See Table 4 |
| 0x1002 | ListenThread | Start a new thread that listens for group 0x1002 commands. | None |
| 0x1004 | ResetConnection | Terminate with WSAECONNRESET. | N/A |
| 0x1005 | Uninstall | Delete persistence registry keys, remove itself and created folders. | None |
| 0x1007 | Stop | Set registry key System\CurrentControlSet\Control\Network\enable to 1 and exit. | N/A |
The GetSystemInfo command collects extensive information about the system, as detailed in Table 4. If it doesn't already exist, the Software\CLASSES\ms-pu\CLSID registry key is set to the current timestamp, trying HKLM first then HKCU. The value of this key is then sent in the response.
Table 4. Response body format for the GetSystemInfo response

| Offset | Field | Offset | Field |
|---|---|---|---|
| 0x00 | Magic bytes 0x20190301 | 0x38 | Suite mask |
| 0x04 | Client IP address of the C&C socket | 0x3A | Product type |
| 0x08 | Server IP address of the C&C socket | 0x3C | 0x01 if the process is running as WOW64 |
| 0x0C | RAM in KB | 0x40 | System time – year |
| 0x10 | CPU clock rate in MHz | 0x42 | System time – month |
| 0x14 | Display width in pixels | 0x44 | Timestamp of first run (offset) |
| 0x18 | Display height in pixels | 0x46 | Service pack version string (offset) |
| 0x20 | Current tick count | 0x4A | Username (offset) |
| 0x24 | OS major version | 0x4C | Computer name (offset) |
| 0x28 | OS minor version | 0x4E | Mutex name (offset) |
| 0x2C | OS build number | 0x50 | Unknown |
| 0x30 | OS platform ID | 0x52 | List of device IP addresses (offset) |
| 0x34 | Service pack major version | 0x54 | Always two 0x00 bytes |
| 0x36 | Service pack minor version | | |
The 0x1002 group contains commands that provide RAT functionality, as detailed in Table 5. Some of these take parameters provided in the command's message body. The FindFiles command is described in more detail below. Again, note that no command names are present in the RAT; they were either taken from previous analyses or provided by us.
Table 5. Commands in group 0x1002

| ID | Name | Description | Data in C&C request | Data in client response |
|---|---|---|---|---|
| 0x1002 | Ping | Sent by the client when it starts listening for commands from this group. | N/A | None |
| 0x3000 | ListDrives | List all mapped drives (A: to Z:) and their properties. All 26 entries are sent back in a single message body. Drives that aren't present have all fields set to 0x00. | None | Drive type, total size, space available to user, free space, volume name (offset), file system name (offset) |
| 0x3001 | ListDirectory | List the contents of the specified directory. The client sends one response message per entry. | Directory path | Is a directory?, file attributes, file size, creation time, last write time, filename (offset), 8.3 filename (offset) |
| 0x3002 | | Sent by the client when it has finished executing the ListDirectory command. | N/A | None |
| 0x3004 | ReadFile | Read a file in chunks of 0x4000 bytes. | Creation time, last access time, last write time, has offset, offset in file, file size, file path | |
| 0x10003005 | | Chunk of read file data. | N/A | Read data |
| 0x10003006 | | Sent by the client when it has finished executing the ReadFile command. | N/A | None |
| 0x3007 | WriteFile | Write to a file and restore previous timestamp. Creates parent directories if they don't exist. | Creation time, last access time, last write time, has offset, offset in file, file path (offset) | |
| 0x10003008 | | Sent by the server with data to write to the file. | Data to write | N/A |
| 0x10003009 | | Sent by the server when the WriteFile operation is complete. | None | N/A |
| 0x300A | CreateDirectory | Create a directory. | Directory path | None |
| 0x300B | CanReadFile | Try to open a file with read permissions. | File path | None |
| 0x300C | DesktopExecute | Execute a command on a hidden desktop. | Command line to execute | PROCESS_INFORMATION structure for the created process. |
| 0x300D | FileOperation | Perform a file operation using SHFileOperation. | wFunc, pFrom (offset), pTo (offset) | |
| 0x300E | GetEnvValue | Get the value of an environment variable. | Environment variable | Environment variable value. |
| 0x300F | CreateProgramDataDir | Creates the directory %SYSTEM%\ProgramData, optionally with a subdirectory. | Subdirectory relative path (optional) | None |
| 0x3102 | FindFiles | Recursively search a directory for files matching a given pattern. | Starting directory, search pattern | See response body format in Table 6. |
| 0x7002 | RemoteShell | Start an interactive remote cmd.exe session. | None | None |
| 0x7003 | | Result of the last command run. | N/A | Command output |
Starting from the provided directory, this command searches for files whose names match the given pattern. This pattern supports the same wildcard characters as the Windows FindFirstFile API. For each matching file, the client sends a response message with its body in the format described in Table 6.
Table 6. Format of the response body for the FindFiles command

| Offset | Field | Offset | Field |
|---|---|---|---|
| 0x00 | File attributes | 0x24 | Folder path (offset) |
| 0x04 | File size in bytes | 0x26 | Filename (offset) |
| 0x0C | Creation time | 0x28 | 8.3 filename (offset) |
| 0x1C | Last write time | | |

One response message with an empty body is sent once the search is completed.
The decoys used in this campaign show once more how quickly Mustang Panda is able to react to world events. For example, an EU regulation on COVID-19 was used as a decoy only two weeks after it came out, and documents about the war in Ukraine started being used in the days following the start of the invasion. This group also demonstrates an ability to iteratively improve its tools, including its signature use of trident downloaders to deploy Korplug.
For any inquiries about our research published on WeLiveSecurity, please contact us at firstname.lastname@example.org.
ESET Research now also offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
| SHA-1 | Filename | ESET detection name | Description |
|---|---|---|---|
| 10AE4784D0FFBC9CD5FD85B150830AEA3334A1DE | N/A | Win32/Korplug.TC | Decrypted Korplug (dumped from memory). |
| FDBB16B8BA7724659BAB5B2E1385CFD476F10607 | N/A | Win32/Korplug.TB | Decrypted Korplug (dumped from memory). |
| 7E059258CF963B95BDE479D1C374A4C300624986 | N/A | Win32/Korplug.TC | Decrypted Korplug (dumped from memory). |
| 39863CECA1B0F54F5C063B3015B776CDB05971F3 | N/A | Win32/Korplug.TD | Decrypted Korplug (dumped from memory). |
| 0D5348B5C9A66C743615E819AEF152FB5B0DAB97 | FontEDL.exe | clean | Vulnerable legitimate Font File Generator executable. |
| C8F5825499315EAF4B5046FF79AC9553E71AD1C0 | Silverlight.Configuration.exe | clean | Vulnerable legitimate Microsoft Silverlight Configuration Utility executable. |
| D4FFE4A4F2BD2C19FF26139800C18339087E39CD | PowerDVDLP.exe | clean | Vulnerable legitimate PowerDVD executable. |
| 65898ACA030DCEFDA7C970D3A311E8EA7FFC844A | Symantec.exe | clean | Vulnerable legitimate Symantec AntiVirus executable. |
| 7DDB61872830F4A0E6BF96FAF665337D01F164FC | Adobe Stock Photos CS3.exe | clean | Vulnerable legitimate Adobe Stock Photos executable. |
| C13D0D669365DFAFF9C472E615A611E058EBF596 | COVID-19 travel restrictions EU reviews list of third countries.exe | Win32/Agent_AGen.NJ | Downloader. |
| 062473912692F7A3FAB8485101D4FCF6D704ED23 | REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL.exe | Win32/TrojanDownloader.Agent.GDL | Downloader. |
| 58B6B5FD3F2BFD182622F547A93222A4AFDF4E76 | PotPlayer.exe | clean | Vulnerable legitimate executable. |

| Domain | IP | First seen | Details |
|---|---|---|---|
| locvnpt[.]com | 103.79.120[.]66 | 2021-05-21 | Download server. This domain was previously used in a 2020 campaign documented by Recorded Future. |
MITRE ATT&CK techniques
This table was built using version 10 of the MITRE ATT&CK framework.

| Tactic | ID | Name | Description |
|---|---|---|---|
| Resource Development | T1583.001 | Acquire Infrastructure: Domains | Mustang Panda has registered domains for use as download servers. |
| Resource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server | Some download servers used by Mustang Panda appear to be on shared hosting. |
| Resource Development | T1583.004 | Acquire Infrastructure: Server | Mustang Panda uses servers that appear to be exclusive to the group. |
| Resource Development | T1587.001 | Develop Capabilities: Malware | Mustang Panda has developed custom loader and Korplug variants. |
| Resource Development | T1588.006 | Obtain Capabilities: Vulnerabilities | Multiple DLL hijacking vulnerabilities are used in the deployment process. |
| Resource Development | T1608.001 | Stage Capabilities: Upload Malware | Malicious payloads are hosted on the download servers. |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Windows command shell is used to execute commands sent by the C&C server. |
| Execution | T1106 | Native API | Mustang Panda uses CreateProcess and ShellExecute for execution. |
| Execution | T1129 | Shared Modules | Mustang Panda uses LoadLibrary to load additional DLLs at runtime. The loader and RAT are DLLs. |
| Execution | T1204.002 | User Execution: Malicious File | Mustang Panda relies on the user executing the initial downloader. |
| Execution | T1574.002 | Hijack Execution Flow: DLL Side-Loading | The downloader obtains and launches a vulnerable application so it loads and executes the malicious DLL that contains the second stage. |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Korplug can persist via registry Run keys. |
| Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | Korplug can persist by creating a scheduled task that runs on startup. |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | The Korplug file is encrypted and only decrypted at runtime, and its configuration data is encrypted with XOR. |
| Defense Evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | Directories created during the installation process are set as hidden system directories. |
| Defense Evasion | T1564.003 | Hide Artifacts: Hidden Window | Korplug can run commands on a hidden desktop. Multiple hidden windows are used during the deployment process. |
| Defense Evasion | T1070 | Indicator Removal on Host | Korplug's uninstall command deletes registry keys that store data and provide persistence. |
| Defense Evasion | T1070.004 | Indicator Removal on Host: File Deletion | Korplug can remove itself and all created directories. |
| Defense Evasion | T1070.006 | Indicator Removal on Host: Timestomp | When writing to a file, Korplug sets the file's timestamps to their previous values. |
| Defense Evasion | T1036.004 | Masquerading: Masquerade Task or Service | Scheduled tasks created for persistence use legitimate-looking names. |
| Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | File and directory names match expected values for the legitimate app that is abused by the loader. |
| Defense Evasion | T1112 | Modify Registry | Korplug can create, modify, and remove registry keys. |
| Defense Evasion | T1027 | Obfuscated Files or Information | Some downloaded files are encrypted and stored as hexadecimal strings. |
| Defense Evasion | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools | Imports are hidden by dynamic resolution of API function names. |
| Defense Evasion | T1055.001 | Process Injection: Dynamic-link Library Injection | Some versions of the Korplug loader inject the Korplug DLL into a newly launched process. |
| Defense Evasion | T1620 | Reflective Code Loading | Korplug parses and loads itself into memory. |
| Discovery | T1083 | File and Directory Discovery | Korplug can list files and directories along with their attributes and content. |
| Discovery | T1082 | System Information Discovery | Korplug collects extensive information about the system including uptime, Windows version, CPU clock rate, amount of RAM and display resolution. |
| Discovery | T1614 | System Location Discovery | Korplug retrieves the system locale using GetSystemDefaultLCID. |
| Discovery | T1016 | System Network Configuration Discovery | Korplug collects the system hostname and IP addresses. |
| Discovery | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | The downloader pings Google's DNS server to check internet connectivity. |
| Discovery | T1033 | System Owner/User Discovery | Korplug obtains the current user's username. |
| Discovery | T1124 | System Time Discovery | Korplug uses GetSystemTime to retrieve the current system time. |
| Collection | T1005 | Data from Local System | Korplug collects extensive data about the system it is running on. |
| Collection | T1025 | Data from Removable Media | Korplug can collect metadata and content from all mapped drives. |
| Collection | T1039 | Data from Network Shared Drive | Korplug can collect metadata and content from all mapped drives. |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | Korplug can make the initial handshake over HTTPS. |
| Command and Control | T1095 | Non-Application Layer Protocol | C&C communication is done over a custom TCP-based protocol. |
| Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | C&C communication is encrypted using RC4. |
| Command and Control | T1008 | Fallback Channels | The Korplug configuration contains fallback C&C servers. |
| Command and Control | T1105 | Ingress Tool Transfer | Korplug can download additional files from the C&C server. |
| Command and Control | T1571 | Non-Standard Port | When Hodur performs its initial handshake over HTTPS, it uses the same port (specified in the configuration) as for the rest of the communication. |
| Command and Control | T1132.001 | Data Encoding: Standard Encoding | Korplug compresses transferred data using LZNT1. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Data exfiltration is done via the same custom protocol used to send and receive commands. |