OCEANMAP: This sophisticated backdoor, attributed to the notorious Russian cyber espionage group APT28 (also known as Sofacy or Fancy Bear), was initially identified by CERT-UA. Let’s break it down.
The malware first determines the path of the Startup folder, the location of its own executable on disk, and the identifier of its own running process.
The executable then checks whether another process with the same name is already running. If it finds one, it terminates that process with the ‘taskkill’ command, as demonstrated in the following example.
If the name of the executable contains the string “_tmp.exe”, the sample renames the executable by removing the “_tmp” portion and then launches the renamed file.
The malware ensures its continuous operation by generating an Internet shortcut named “EdgeContext.url” within the Startup folder. This shortcut is configured to automatically execute the associated executable file.
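The Startup-folder shortcut is the easiest artifact to hunt for on disk. The following script is an added example, not code from the write-up or from Gurucul: it parses every .url file in a Startup folder as an [InternetShortcut] file and flags shortcuts whose target is a local executable in a user-writable location. The folder it scans is a constructed one in a temporary directory so the script runs on any OS, and the contents of the EdgeContext.url sample (including its target path) are assumptions, since the analysis only gives the shortcut's location.

```python
"""Hunt for Internet-shortcut (.url) persistence in a Windows Startup folder.

Added example, not part of the original write-up. It builds a constructed
Startup folder in a temporary directory so it runs on any OS; the benign
shortcut and the contents of the EdgeContext.url shortcut (including its
target path) are made up, since the analysis shows only the shortcut's location.
"""
import configparser
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Locations a persistence target should not normally be launched from.
USER_WRITABLE_DIRS = ("programdata", "appdata", "temp", "users\\public")
LAUNCHABLE = (".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta")


def parse_url_shortcut(path: Path) -> Optional[str]:
    """Return the URL= target of an [InternetShortcut] file, or None if it is not one."""
    # .url files are INI-style; only '=' separates keys, and duplicates are tolerated.
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        parser.read(str(path), encoding="utf-8")
    except (configparser.Error, OSError, UnicodeDecodeError):
        return None
    if not parser.has_section("InternetShortcut"):
        return None
    return parser.get("InternetShortcut", "URL", fallback=None)


def is_suspicious_target(target: str) -> bool:
    """A shortcut that launches a local executable from a user-writable location."""
    t = target.lower().replace("/", "\\")
    if t.startswith("file:"):
        t = t[len("file:"):].lstrip("\\")
    return t.endswith(LAUNCHABLE) and any(d in t for d in USER_WRITABLE_DIRS)


def hunt_startup_folder(startup_dir: Path) -> List[Tuple[str, str]]:
    """(shortcut name, target) for every suspicious .url in the folder."""
    findings = []
    for entry in sorted(startup_dir.glob("*.url")):
        target = parse_url_shortcut(entry)
        if target and is_suspicious_target(target):
            findings.append((entry.name, target))
    return findings


def build_sample_startup_dir() -> Path:
    """Constructed Startup folder: one benign shortcut, one modelled on EdgeContext.url."""
    d = Path(tempfile.mkdtemp(prefix="startup_"))
    (d / "Vendor Portal.url").write_text(
        "[InternetShortcut]\nURL=https://portal.example.com/\n", encoding="utf-8")
    # Target path is an assumption; the write-up does not show the shortcut body.
    (d / "EdgeContext.url").write_text(
        "[InternetShortcut]\nURL=file:///C:/ProgramData/EdgeContext.exe\nIconIndex=0\n",
        encoding="utf-8")
    return d


if __name__ == "__main__":
    sample = build_sample_startup_dir()
    for name, target in hunt_startup_folder(sample):
        print(f"suspicious startup shortcut: {name} -> {target}")
    # On a live host, point hunt_startup_folder at the all-users folder listed in the
    # indicators below and at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.
```

Because the check keys on the target rather than the shortcut name, it also catches the same technique under a different file name; a shortcut to a web URL, or to an executable under Program Files, is left alone.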
The malware is programmed with a function titled “execute,” which is invoked using the parameter “dir” to carry out its operations.
The procedure then attempts to connect to two IMAP servers using credentials embedded in the code. These mail servers are suspected to have been compromised earlier by the threat actor.
The binary creates a TcpClient object and reads the server’s response with the Read function.
The sample initially attempts to establish a connection with the primary IMAP server and perform a login using the pre-set credentials. In the event that this initial attempt is unsuccessful, it then proceeds to reach out to a secondary IMAP server.
The software handles two dedicated commands, “changesecond” and “newtime.” When the command differs from “changesecond”, the process invokes the “Program.run” method to handle it.
The command is executed by initiating a cmd.exe process. The dir command is employed to enumerate all the files and directories present in the current directory.
The output produced by the command is amalgamated with several pieces of information: the username, the current date and time, and a variable referred to as “name_id.” This particular variable is derived by applying Base64 encoding to a combination of the system’s hostname, the username, and the version of the operating system being used.
The email that has been formulated is subsequently incorporated into the Inbox folder by utilizing the IMAP “APPEND” command. This command facilitates the addition of the email to the folder without altering any existing messages.
The malware remains in a state of readiness, awaiting further instructions to carry out additional commands.
The binary is equipped with a function named “findText”, which searches the mail server for emails that match particular criteria or contain specific text.
The process is programmed to search for specific emails located within the Draft folder, as depicted in the provided figure. This action is likely part of the malware’s functionality to identify and interact with particular messages that meet its criteria for further operations or data extraction.
The emails that feature the “name_id” variable within their subject line are selected and retrieved from the mail server. This action is part of the malware’s programmed behavior to identify and interact with specific communications that are relevant to its operational objectives.
The sample retrieves the body of the email and parses it to extract a new command for execution; this is how the malware continuously receives directives over email.
Upon the successful extraction of the commands, the malware is programmed to erase all the emails to conceal its tracks and maintain operational stealth.
The commands, once they have been Base64-decoded, are executed through the cmd.exe process. This allows the malware to carry out the instructions it has received.
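The IMAP exchange just described (login, APPEND into Inbox, search of the Drafts folder by a Base64 subject, fetch, delete) is visible to a network sensor on cleartext IMAP (port 143) or where TLS is inspected; on IMAPS (993) only connection metadata survives and the host-side checks have to carry the weight. The following detector is an added example, not code from the write-up, CERT-UA or Gurucul: it parses a constructed client-side IMAP transcript and scores how many stages of the loop appear on one connection. The session text, the tag format, the mailbox name “Drafts” and the “hostname|user|OS” layout behind the Base64 subject are all assumptions.

```python
"""Network-side detection of the IMAP command loop described above.

Added example, not code from the write-up or from CERT-UA/Gurucul. It parses a
constructed client-to-server IMAP transcript (the session, the tag format, the
mailbox name "Drafts" and the "hostname|user|OS" layout behind the Base64
subject are all assumptions) and scores how much of the described sequence
appears on one connection: LOGIN, APPEND to INBOX, SEARCH of the Drafts
folder by SUBJECT, FETCH, and deletion of the messages afterwards.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Constructed transcript of one connection; only the client side is needed.
SAMPLE_SESSION = """\
a001 LOGIN "ops@mail.example" "REDACTED"
a002 APPEND INBOX (\\Seen) {512}
a003 SELECT Drafts
a004 SEARCH SUBJECT "V0tTLTQ0MTJ8alNtaXRofFdpbmRvd3MgMTA="
a005 FETCH 7 BODY[TEXT]
a006 STORE 7 +FLAGS (\\Deleted)
a007 EXPUNGE
"""

# Constructed benign session: an ordinary client listing its inbox.
BENIGN_SESSION = """\
a001 LOGIN "alice@mail.example" "REDACTED"
a002 SELECT INBOX
a003 FETCH 1:10 (FLAGS ENVELOPE)
"""

IMAP_CMD = re.compile(r"^(?P<tag>\S+)\s+(?P<cmd>[A-Za-z]+)(?:\s+(?P<args>.*))?$")
STAGES = ["LOGIN", "APPEND_INBOX", "SEARCH_DRAFTS_SUBJECT", "FETCH", "DELETE"]


def parse_commands(session: str) -> List[Dict[str, str]]:
    """Split a transcript into tagged commands; untagged/continuation lines are skipped."""
    cmds = []
    for line in session.splitlines():
        m = IMAP_CMD.match(line.strip())
        if not m:
            continue
        cmd, args = m["cmd"].upper(), m["args"] or ""
        if cmd == "UID" and args:  # UID SEARCH / UID FETCH carry the real verb next
            cmd, _, args = args.partition(" ")
            cmd = cmd.upper()
        cmds.append({"tag": m["tag"], "cmd": cmd, "args": args})
    return cmds


def decode_subject(token: str) -> Optional[str]:
    """Decode a quoted Base64 SEARCH SUBJECT value; None if it is not printable Base64."""
    try:
        text = base64.b64decode(token.strip('"'), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def classify(session: str) -> Dict[str, object]:
    """Score one connection against the five-stage loop; 4+ stages is worth escalating."""
    seen = set()
    selected = ""
    decoded = None
    for c in parse_commands(session):
        cmd, args = c["cmd"], c["args"]
        if cmd == "LOGIN":
            seen.add("LOGIN")
        elif cmd == "APPEND" and args.upper().startswith("INBOX"):
            seen.add("APPEND_INBOX")
        elif cmd in ("SELECT", "EXAMINE"):
            selected = args.strip('"').upper()
        elif cmd == "SEARCH" and selected in ("DRAFT", "DRAFTS") and args.upper().startswith("SUBJECT"):
            seen.add("SEARCH_DRAFTS_SUBJECT")
            parts = args.split(None, 1)
            if len(parts) == 2:
                decoded = decode_subject(parts[1])  # surfaces host|user|OS for triage
        elif cmd == "FETCH":
            seen.add("FETCH")
        elif (cmd == "STORE" and "\\DELETED" in args.upper()) or cmd == "EXPUNGE":
            seen.add("DELETE")
    stages = [s for s in STAGES if s in seen]
    return {"stages": stages, "score": len(stages), "oceanmap_like": len(stages) >= 4,
            "decoded_subject": decoded}


if __name__ == "__main__":
    print(classify(SAMPLE_SESSION))
    print(classify(BENIGN_SESSION))
```

The score is deliberately per connection rather than per command: APPEND, SEARCH and FETCH are all ordinary mail-client traffic, and it is the whole sequence from a single TCP session, including the clean-up deletion, that distinguishes the beacon loop from a user reading mail. The decoded subject is returned only so an analyst can confirm it carries a hostname, username and OS version as the analysis describes.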
When the “changesecond” command is executed, the malware follows a different operational sequence. It starts by renaming the executable file, appending the “_tmp” string to its name. Then, it alters the pre-configured credentials and the settings for the mail servers. The initial set of credentials is replaced with the second set, and the second set is updated with new values. To complete the process, the malware launches the newly named executable by invoking the Process.Start method. This sequence of actions allows the malware to modify its behavior and potentially evade detection.
Upon the execution of the “newtime” command, the malware adjusts the “newtime” variable, which determines the duration of the pause between each iteration—defaulting to 60 seconds. This variable is then filled with zeros until it reaches a total size of 100 bytes. This padding ensures that the variable maintains a consistent byte length, potentially for the purposes of alignment or meeting a protocol specification.
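Taken together, the host behaviours above (the taskkill of a duplicate process, the .url dropped in the Startup folder, “cmd.exe /c dir” spawned from the implant, the “_tmp.exe” rename-and-relaunch, and IMAP connections from something that is not a mail client) are each individually noisy but rarely co-occur on one process. The following rules are an added example, not code from the write-up or from Gurucul: they run over constructed Sysmon-style events (the field names EventType, Image, ParentImage, CommandLine, TargetFilename and DestinationPort are assumptions, as are the executable name EdgeContext.exe under C:\ProgramData and the PID) and escalate only when two or more distinct rules fire for the same image.

```python
"""Endpoint-telemetry rules for the OCEANMAP host behaviours described above.

Added example; not code from the write-up or from Gurucul. The events are
constructed Sysmon-style records (field names are assumptions), the binary
name EdgeContext.exe under ProgramData and the PID are made up, and each rule
encodes one behaviour from the analysis: a .url dropped in the Startup folder,
taskkill /F /PID and "cmd.exe /c dir" spawned from a user-writable path, the
"_tmp.exe" rename-and-relaunch, and IMAP connections from a non-mail-client.
"""
from collections import defaultdict
from typing import Dict, List

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def _base(path: str) -> str:
    """File name component of a Windows path, lower-cased."""
    return path.lower().rsplit("\\", 1)[-1]


def _canonical(path: str) -> str:
    """Correlation key: both halves of the _tmp rename dance map to one image."""
    return path.lower().replace("_tmp.exe", ".exe")


def _user_writable(path: str) -> bool:
    return any(d in path.lower() for d in USER_WRITABLE)


def evaluate(ev: Dict[str, object]) -> List[str]:
    """Rule identifiers matched by a single event."""
    hits: List[str] = []
    kind = ev.get("EventType")
    image = str(ev.get("Image", ""))
    parent = str(ev.get("ParentImage", ""))
    tokens = str(ev.get("CommandLine", "")).lower().split()
    if kind == "FileCreate":
        target = str(ev.get("TargetFilename", "")).lower()
        if target.endswith(".url") and STARTUP_MARKER in target:
            hits.append("startup-url-persistence")
    elif kind == "ProcessCreate":
        if _base(image) == "taskkill.exe" and "/f" in tokens and "/pid" in tokens and _user_writable(parent):
            hits.append("taskkill-from-writable-path")
        if _base(image) == "cmd.exe" and "/c" in tokens and "dir" in tokens and _user_writable(parent):
            hits.append("dir-recon-from-writable-path")
        if _base(image).endswith("_tmp.exe") or _base(parent).endswith("_tmp.exe"):
            hits.append("tmp-suffix-relaunch")
    elif kind == "NetworkConnect":
        if ev.get("DestinationPort") in (143, 993) and _base(image) not in MAIL_CLIENTS:
            hits.append("imap-from-non-mail-client")
    return hits


def correlate(events: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group rule hits by the process responsible for them."""
    by_image: Dict[str, set] = defaultdict(set)
    for ev in events:
        rules = evaluate(ev)
        if not rules:
            continue
        # Child-process rules belong to the parent that spawned the child.
        owner = ev.get("ParentImage") if ev.get("EventType") == "ProcessCreate" else ev.get("Image")
        by_image[_canonical(str(owner))].update(rules)
    return {img: sorted(r) for img, r in by_image.items()}


def escalations(events: List[Dict[str, object]], min_rules: int = 2) -> List[str]:
    """Images with at least min_rules distinct rules: the chain worth escalating."""
    return sorted(img for img, r in correlate(events).items() if len(r) >= min_rules)


EXE = "C:\\ProgramData\\EdgeContext.exe"  # constructed; the write-up does not name the binary
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\taskkill.exe",
     "CommandLine": "taskkill /F /PID 4120", "ParentImage": EXE},
    {"EventType": "FileCreate", "Image": EXE,
     "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\EdgeContext.url"},
    {"EventType": "NetworkConnect", "Image": EXE, "DestinationPort": 143},
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir", "ParentImage": EXE},
    {"EventType": "ProcessCreate", "Image": "C:\\ProgramData\\EdgeContext_tmp.exe",
     "CommandLine": "EdgeContext_tmp.exe", "ParentImage": EXE},
    # Benign noise: a real mail client on IMAPS and an operator running dir from Explorer.
    {"EventType": "NetworkConnect", "DestinationPort": 993,
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"},
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir", "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for img, rules in correlate(SAMPLE_EVENTS).items():
        print(img, rules)
    print("escalate:", escalations(SAMPLE_EVENTS))
```

The mail-client allow-list and the user-writable path list are the two knobs to tune per environment; the rename rule is kept deliberately narrow (a literal “_tmp.exe” suffix) because that is the only naming convention the analysis documents.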
Indicators and artifacts observed in the sample:
File hash (SHA-256): 24fd571600dcc00bf2bb8577c7e4fd67275f7d19d852b909395bebcbb1274e04
IP address: 74.124.219.71
Domain: webmail.facadesolutionsuae.com
Process termination command: taskkill /F /PID <PID>
Command executed via cmd.exe: cmd.exe /c dir
Persistence shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\EdgeContext.url
MITRE ATT&CK mapping:
Tactic | Technique | ID | GRA Detection |
--- | --- | --- | --- |
Command and Control | Non-Application Layer Protocol | T1095 | 3 |
Lateral Movement | Exfiltration Over Web Service | T1567 | 0 |
Initial Access | Remote Services | T1021 | 12 |
Execution | Phishing | T1566 | 1 |
Execution | Command and Scripting Interpreter | T1059 | 0 |
Execution | PowerShell | T1059.001 | 0 |
Execution | User Execution | T1204 | 0 |
Execution | Malicious Link | T1204.001 | 0 |
Execution | Malicious File | T1204.002 | 0 |
Credential Access | OS Credential Dumping | T1003 | 6 |
Persistence, Privilege Escalation | Boot or Logon Autostart Execution | T1547 | 1 |
Persistence, Privilege Escalation | Registry Run Keys / Startup Folder | T1547.001 | 19 |
Collection | Data from Local System | T1005 | 0 |
Command and Control | Application Layer Protocol | T1071 | 2 |
Command and Control | Mail Protocols | T1071.003 | 0 |
Command and Control | Data Encoding | T1132 | 2 |
Command and Control | Standard Encoding | T1132.001 | 2 |
Command and Control | Protocol Tunneling | T1572 | 0 |
About the Author:
Rudra Pratap, Security Research Manager, Gurucul
Rudra Pratap is a Security Research Manager and heads Threat Research at Gurucul with over 12 years of experience in security research and development. Rudra’s expertise spans a wide range of cybersecurity domains, including cloud & endpoint protection, threat detection & response and advanced persistent threats (APTs). He has authored multiple research papers and presented at conferences, sharing insights on topics such as industry threats and cyber espionage campaigns. With a strong background in security research, Rudra has made significant contributions to industry giants like Microsoft and FireEye.