A Deep Dive Into the APT28’s stealer called CredoMap

APT 2个月前 admin
442 0 0

Prepared by: Vlad Pasca, Senior Malware & Threat Analyst

Executive summary

CredoMap is a stealer developed by the Russian APT28/Sofacy/Fancy Bear that was used to target users in Ukraine in the context of the ongoing war between Russia and Ukraine. The malware was initially discovered by Google and CERT-UA. The threat actor weaponized a document to exploit the Follina (CVE-2022-30190) vulnerability that would result in downloading the .NET stealer. The malware aims to steal the credentials and cookies from Google Chrome, Mozilla Firefox, and Microsoft Edge. The data exfiltration is done by sending information to a possibly compromised C2 server via the IMAP email protocol.

Analysis and findings

SHA256: 2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933

The process retrieves the path of the current executable and then connects to a hard-coded C2 server (162.241.216.236) on port 143 (IMAP) using hard-coded credentials:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 1
A Deep Dive Into the APT28’s stealer called CredoMap
Figure 2

The malware creates a TcpClient object, obtains a client stream for reading and writing, and then reads the response from the server:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 3

The binary performs the login operation and reads the response using the Read method:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 4

It selects the INBOX folder using the SELECT command and performs multiple function calls that steal the browsers’ credentials and cookies:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 5
A Deep Dive Into the APT28’s stealer called CredoMap
Figure 6

The sample verifies if the file “\Google\Chrome\User Data\Default\Network\Cookies” exists in the Local AppData folder by calling the File.Exists function:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 7

The File.Copy method is used to copy the above file to a new file called “cc”:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 8

The malicious binary opens a connection to the Cookies database and executes an SQL query that extracts some fields:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 9

The process opens and reads the file called “Local/Google/Chrome/User Data/Local State” using File.ReadAllText. It extracts the Base64-encoded random key that is encrypted with DPAPI from JSON([“os_crypt”][“encrypted_key”]). The key is Base64-decoded and decrypted via a function call to ProtectedData.Unprotect:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 10

The binary creates an AESEngine object, an AEADParameters object containing the decrypted AES-128 key and the nonce (12 bytes), and calls the GcmBlockCipher.Init function with a “False” parameter (decryption operation):

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 11

The “encrypted_value” extracted from the Cookies database is decrypted using the ProcessBytes and DoFinal methods:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 12

The resulting values are stored in a dictionary that has the keys as "host_key" with values "name=<Decrypted encrypted_value>;”, as highlighted in the figure below.

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 13

Finally, the process serializes the dictionary to a JSON string using JsonConvert.SerializeObject:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 14

The data exfiltration occurs by issuing a valid IMAP APPEND command. The “From” field is set to the username obtained from the Environment.UserName property, the “Subject” field is set to the current date and time on the computer obtained from the DateTime.UtcNow property, and the JSON string is also included in the command (see figure 15).

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 15

The malware verifies if the file “\Google\Chrome\User Data\Default\Login Data” exists in the Local AppData folder using File.Exists:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 16

The File.Copy function is utilized to copy the above file to a new file called “cp”:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 17

The binary opens a connection to the Login Data database and executes an SQL query that extracts the “action_url”, “username_value”, and “password_value” fields:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 18

The malicious process reads the file “Local/Google/Chrome/User Data/Local State” found in the AppData directory and deserializes it using the JsonConvert.DeserializeObject method:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 19
A Deep Dive Into the APT28’s stealer called CredoMap
Figure 20

The sample extracts the Base64-encoded random key that is encrypted with DPAPI from [“os_crypt”][“encrypted_key”]. The key is Base64-decoded and decrypted via a function call to ProtectedData.Unprotect:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 21

The encrypted “password_value” field is decrypted using a function that will be explained below:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 22

The first 12 bytes after skipping 3 bytes (version tag) from “password_value” represent the AES nonce, and the rest of the information is the ciphertext, as displayed in the figure below.

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 23

As in the first case, the “password_value” field is decrypted by calling the ProcessBytes and DoFinal functions:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 24

However, not all the passwords might be encrypted using AES-GCM. In the case of older versions of Chrome, the threat actor tries to decrypt the passwords using the ProtectedData.Unprotect API:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 25

As we can see in figure 26, the process computes a string containing "action_url", "username_value", and the decrypted “password_value” field that was obtained using the 1st method of decryption or the 2nd method of decryption, respectively:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 26

The credentials exfiltration occurs, in the same way, using an IMAP command to the C2 server.

The binary checks if the directory “Mozilla\Firefox\Profiles\” can be located in the AppData folder (see figure 27).

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 27

The malware is looking for a file called “cookies.sqlite” in the profile folders. The “cookies.sqlite” database is copied to a file called “fc”:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 28

The sample runs the "SELECT * FROM moz_cookies" SQL query to retrieve the Firefox cookies:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 29

A new dictionary is created having the keys as “host” with values “name=value;”, as shown in the figure below.

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 30

The dictionary is serialized to JSON and will be exfiltrated via IMAP.

The executable verifies if the following files can be identified in the profile folders:

  • logins.json

  • key4.db

  • cert9.db

  • signons.sqlite

  • key3.db

  • cert8.db

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 31

If any of the above files exist, it is copied to the current directory, and its content is encoded using Base64. The file location and the Base64-encoded content are exfiltrated using the IMAP protocol. Finally, the newly created files are deleted using File.Delete:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 32

The File.Exists function is used to check if the file “\Microsoft\Edge\User Data\Default\Login Data” exists in the Local AppData directory:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 33

The above file is copied to a new file called “ep”, as highlighted in figure 34.

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 34

The sample executes the following SQL query that extracts usernames and encrypted passwords from the “logins” table:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 35

The “password_value” field is decrypted by calling the decrypt function that was also used to decrypt the Chrome credentials:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 36

In the case of older versions of Microsoft Edge, the process tries to decrypt the passwords using the ProtectedData.Unprotect function:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 37

The malware creates a string containing "action_url", "username_value", and the decrypted “password_value” field that was obtained using one of the two decryption methods:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 38

The executable verifies if the file “\Microsoft\Edge\User Data\Default\Network\Cookies” can be found in the Local AppData folder (see figure 39).

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 39

File.Copy is used to copy the above file to a file called “ec”:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 40

The following SQL query is run by the malware, which extracts some fields from the “cookies” table:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 41

The binary extracts the Base64-encoded key that was encrypted with DPAPI from “%LocalApplicationData%\Microsoft\Edge\User Data\Local State”. The key is decrypted via a function call to ProtectedData.Unprotect:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 42

The “encrypted_value” field is decrypted using the AES key extracted above by calling the ProcessBytes and DoFinal methods:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 43

The function result is a dictionary containing the relevant information that is serialized using JsonConvert.SerializeObject:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 44

All the files that were copied to the current directory are deleted using the File.Delete function:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 45

The malicious process sets Normal attributes for a file called “SQLite.Interop.dll,” which Malwarebytes found that it’s downloaded from the C2 server along with the initial executable. The DLL file is deleted using File.Delete and another deletion function implemented by the malware:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 46

The implementation of the deletion function consists of creating a cmd.exe process that deletes the DLL file shown above:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 47

The process deletes the initial executable and then exits:

A Deep Dive Into the APT28’s stealer called CredoMap
Figure 48

 

Indicators of Compromise

C2 server

162.241.216.236

SHA256

2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933

Processes spawned

cmd.exe “/C Del <Files>”

YARA rule to detect the threat

rule CredoMap_APT28

{

meta:

author = "Vlad Pasca - SecurityScorecard"

Date = "2022-09-16"

strings:

$s1 = "\\cookies.sqlite" fullword wide

$s2 = "SQLite.Interop.dll" fullword wide

$s3 = "Subject:" fullword wide

$s4 = "$ LOGIN" fullword wide

$s5 = "/C Del" fullword wide

condition:

(uint16(0) == 0x5A4D) and (4 of ($s*))

}

原文始发于SecurityScorecard:A Deep Dive Into the APT28’s stealer called CredoMap

版权声明:admin 发表于 2022年10月3日 下午9:19。
转载请注明:A Deep Dive Into the APT28’s stealer called CredoMap | CTF导航

相关文章

暂无评论

暂无评论...