
APT28’s OCEANMAP Backdoor

OCEANMAP: This sophisticated backdoor, attributed to the notorious Russian cyber espionage group APT28 (also known as Sofacy or Fancy Bear), was first identified by CERT-UA. Let’s break it down.

Key Features:

  • On December 28, 2023, CERT-UA reported a cyber attack attributed to APT28 (also known as Fancy Bear), a Russian cyber espionage group.
  • The attack involved a new C# based backdoor named “OCEANMAP.”
  • Written in C#, it searches for other instances of itself by comparing process IDs and terminates any conflicting processes.
  • It maintains persistence by creating an Internet Shortcut (.URL file) in the Startup Folder, launching itself upon system restart.
  • Executes commands via the IMAP Protocol, communicating with the C2 server (Mail Server).
  • Notably, it uses filenames containing “_tmp.exe” for specific checks.
  • Initiates by invoking the connect() method to communicate with the C2 server.

Analysis and findings

The malware first resolves the path to the Startup folder, locates its own executable on disk, and obtains the process ID of the currently running process.

[Figure: OCEANMAP]

The executable checks whether another process with the same name is already running. If it finds one, it terminates that process by running the ‘taskkill’ command, as shown in the following example.

[Figure: OCEANMAP]

In the event that the name of the executable file includes the string “_tmp.exe”, the malevolent code sample proceeds to alter the name of the executable by removing the “_tmp” portion. Subsequently, it initiates the execution of the newly named executable file.

[Figure: OCEANMAP]

The malware ensures its continuous operation by generating an Internet shortcut named “EdgeContext.url” within the Startup folder. This shortcut is configured to automatically execute the associated executable file.

[Figure: OCEANMAP]
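The persistence artifact above is a plain Internet Shortcut, so it can be audited without any special tooling. The following Python is an added example (not code from the page, from Gurucul or from CERT-UA) that parses a .url file body and flags Startup-folder shortcuts whose target is a local file rather than a web address; the shortcut body and target path are constructed placeholders, since the page does not reproduce the real EdgeContext.url content.

```python
import configparser
import re

# Constructed sample of a Startup-folder Internet Shortcut (.url) that launches a
# local executable. The real EdgeContext.url body is not reproduced on the page;
# the target path below is a placeholder, not an indicator.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=file:///C:/Users/Public/Libraries/EdgeContext.exe
IconIndex=0
"""
STARTUP_MARKER = "\\start menu\\programs\\startup\\"  # matches both the machine-wide and per-user Startup folders

def parse_internet_shortcut(text):
    """Parse the INI-style body of a Windows .url file into a dict of its keys."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (URL, IconFile, ...)
    cp.read_string(text)
    return dict(cp["InternetShortcut"]) if "InternetShortcut" in cp else {}

def shortcut_targets_local_file(text):
    """True when the URL= target is a local path (file:, drive letter or UNC) rather than a web address."""
    target = parse_internet_shortcut(text).get("URL", "").strip()
    return (target.lower().startswith("file:")
            or re.match(r"^[a-z]:[\\/]", target, re.I) is not None
            or target.startswith("\\\\"))

def audit_startup_shortcuts(entries):
    """entries: iterable of (path, file_content). Return the paths of .url files that
    sit in a Startup folder and point at a local file; these warrant review."""
    flagged = []
    for path, content in entries:
        p = path.lower()
        if p.endswith(".url") and STARTUP_MARKER in p and shortcut_targets_local_file(content):
            flagged.append(path)
    return flagged

# Constructed directory listing for the demonstration: one suspicious shortcut, one benign.
SAMPLE_ENTRIES = [
    (r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\EdgeContext.url", SAMPLE_URL_FILE),
    (r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Docs.url",
     "[InternetShortcut]\nURL=https://docs.example.com/\n"),
]

if __name__ == "__main__":
    for hit in audit_startup_shortcuts(SAMPLE_ENTRIES):
        print("suspicious startup shortcut:", hit)
```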

The malware is programmed with a function titled “execute,” which is invoked using the parameter “dir” to carry out its operations.

[Figure: OCEANMAP]

The routine attempts to connect to two IMAP servers using credentials embedded in the code. These mail servers are suspected to have been compromised earlier by the threat actor.

[Figure: OCEANMAP]

The malicious binary file initiates a TcpClient object and subsequently retrieves the server’s response through the execution of the Read function.

[Figure: OCEANMAP]

The sample initially attempts to establish a connection with the primary IMAP server and perform a login using the pre-set credentials. In the event that this initial attempt is unsuccessful, it then proceeds to reach out to a secondary IMAP server.

[Figure: OCEANMAP]

The software recognizes two distinct commands, namely “changesecond” and “newtime.” Because the “changesecond” command diverges from the expected set, the process triggers the “Program.run” method to handle it.

[Figure: OCEANMAP]

The command is executed by initiating a cmd.exe process. The dir command is employed to enumerate all the files and directories present in the current directory.

[Figure: OCEANMAP]
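Two of the host-side behaviours described above (a “_tmp.exe” instance relaunching itself under its stripped name, and one process that both force-kills a PID with taskkill and runs “cmd.exe /c dir”) can be correlated in process-creation telemetry. The Python below is an added example, not code from the page or from Gurucul; the events are constructed in a Sysmon-like shape, and the image paths and PIDs are placeholders.

```python
import re
from collections import defaultdict

# Constructed process-creation events in a Sysmon-like shape (not telemetry from the page).
# PID 3900 is assumed to be an earlier instance that the new one force-kills.
EVENTS = [
    {"pid": 4100, "ppid": 700,  "image": r"C:\Users\Public\agent_tmp.exe",    "cmdline": "agent_tmp.exe"},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Users\Public\agent.exe",        "cmdline": "agent.exe"},
    {"pid": 4130, "ppid": 4120, "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /F /PID 3900"},
    {"pid": 4140, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",      "cmdline": "cmd.exe /c dir"},
    {"pid": 5000, "ppid": 900,  "image": r"C:\Windows\System32\cmd.exe",      "cmdline": "cmd.exe /c dir"},
]

TASKKILL_RE = re.compile(r"\btaskkill(\.exe)?\s+/F\s+/PID\s+\d+", re.I)
CMD_DIR_RE = re.compile(r"\bcmd(\.exe)?\s+/c\s+dir\b", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect_oceanmap_like(events):
    """Return (rule, parent_pid) findings for the two behaviours described above."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for e in events:
        name = basename(e["image"])
        kids = children[e["pid"]]
        # Rule 1: a *_tmp.exe process launches the same binary with "_tmp" stripped.
        if name.endswith("_tmp.exe"):
            relaunched = name[:-len("_tmp.exe")] + ".exe"
            if any(basename(k["image"]) == relaunched for k in kids):
                findings.append(("tmp_rename_relaunch", e["pid"]))
        # Rule 2: the same parent both force-kills a PID and runs "cmd.exe /c dir".
        # A lone "cmd /c dir" (PID 5000 above) is ordinary activity and is not flagged.
        if (any(TASKKILL_RE.search(k["cmdline"]) for k in kids)
                and any(CMD_DIR_RE.search(k["cmdline"]) for k in kids)):
            findings.append(("taskkill_then_dir", e["pid"]))
    return findings

if __name__ == "__main__":
    for rule, pid in detect_oceanmap_like(EVENTS):
        print(f"{rule}: parent pid {pid}")
```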

The command output is combined with several pieces of information: the username, the current date and time, and a variable referred to as “name_id.” This variable is derived by Base64-encoding a combination of the system’s hostname, the username, and the operating system version.

[Figure: OCEANMAP]

The email that has been formulated is subsequently incorporated into the Inbox folder by utilizing the IMAP “APPEND” command. This command facilitates the addition of the email to the folder without altering any existing messages.

The malware remains in a state of readiness, awaiting further instructions to carry out additional commands.

[Figure: OCEANMAP]

The binary is equipped with a function named “findText”. This function is used to search the mail server for emails that match certain criteria or contain specific text.

[Figure: OCEANMAP]

The process is programmed to search for specific emails located within the Draft folder, as depicted in the provided figure. This action is likely part of the malware’s functionality to identify and interact with particular messages that meet its criteria for further operations or data extraction.

[Figure: OCEANMAP]

The emails that feature the “name_id” variable within their subject line are selected and retrieved from the mail server. This action is part of the malware’s programmed behavior to identify and interact with specific communications that are relevant to its operational objectives.

[Figure: OCEANMAP]

The malevolent sample acquires the content of the email, which will then be scrutinized to extract a new command for execution. This process is a part of the malware’s operational procedure to continuously receive and implement directives via email communications.

[Figure: OCEANMAP]

Upon the successful extraction of the commands, the malware is programmed to erase all the emails to conceal its tracks and maintain operational stealth.

[Figure: OCEANMAP]

The commands, once they have been Base64-decoded, are executed through the cmd.exe process. This allows the malware to carry out the instructions it has received.

[Figure: OCEANMAP]
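Because the tasking and results described above live on a mail server (subjects carrying the Base64 “name_id”, Base64 bodies in Drafts and the Inbox), a mailbox export can be hunted for them. The Python below is an added example, not code from the page or from Gurucul: it flags messages whose subject contains a Base64 token that decodes to a string naming one of the defender’s own hosts, and decodes the body. The messages, hostnames and the “|”-joined layout of name_id are constructed assumptions; the page does not give the exact layout.

```python
import base64
import binascii
import re

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def b64_to_text(token):
    """Decode a Base64 token to UTF-8 text; None if it is not valid Base64/UTF-8."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def find_beacons(messages, known_hosts):
    """Flag messages whose subject carries a Base64 token that decodes to a string
    naming one of our hosts, and decode the Base64 body (tasking or command output)."""
    hits = []
    for m in messages:
        for tok in B64_TOKEN.findall(m["subject"]):
            text = b64_to_text(tok)
            if text is None:
                continue
            matched = [h for h in known_hosts if h.lower() in text.lower()]
            if matched:
                hits.append({"folder": m["folder"], "host": matched[0], "name_id": tok,
                             "body": b64_to_text(m["body"]) or m["body"]})
                break
    return hits

# Constructed mailbox dump (not data from the page). The exact layout of name_id is
# not given on the page; joining hostname, username and OS version with "|" is an assumption.
def make_name_id(host, user, os_version):
    return base64.b64encode(f"{host}|{user}|{os_version}".encode()).decode()

SAMPLE_MESSAGES = [
    {"folder": "Drafts", "subject": make_name_id("WS-FIN-07", "j.doe", "Microsoft Windows NT 10.0"),
     "body": base64.b64encode(b"dir").decode()},
    {"folder": "INBOX", "subject": make_name_id("WS-FIN-07", "j.doe", "Microsoft Windows NT 10.0"),
     "body": base64.b64encode(b" Volume in drive C has no label.").decode()},
    {"folder": "INBOX", "subject": "Quarterly report", "body": "Please review the attached figures."},
]
KNOWN_HOSTS = ["WS-FIN-07", "SRV-DB-01"]

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_MESSAGES, KNOWN_HOSTS):
        print(f"{hit['folder']}: host {hit['host']} -> {hit['body']!r}")
```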

When the “changesecond” command is executed, the malware follows a different operational sequence. It starts by renaming the executable file, appending the “_tmp” string to its name. Then, it alters the pre-configured credentials and the settings for the mail servers. The initial set of credentials is replaced with the second set, and the second set is updated with new values. To complete the process, the malware launches the newly named executable by invoking the Process.Start method. This sequence of actions allows the malware to modify its behavior and potentially evade detection.

[Figure: OCEANMAP]

When the “newtime” command is executed, the malware adjusts the “newtime” variable, which sets the pause between iterations (60 seconds by default). The variable is then padded with zeros to a total size of 100 bytes, which keeps it at a consistent byte length, potentially for alignment or to meet a protocol specification.

[Figure: OCEANMAP]

Indicators of Compromise

SHA256

24fd571600dcc00bf2bb8577c7e4fd67275f7d19d852b909395bebcbb1274e04

Mail servers

74.124.219.71

webmail.facadesolutionsuae.com

Processes spawned

taskkill /F /PID <PID>

cmd.exe /c dir

File created

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\EdgeContext.url

MITRE ATT&CK TACTICS AND TECHNIQUES Covered by GRA:

Tactic                             | Technique                          | ID        | GRA Detection
Command and Control                | Non-Application Layer Protocol     | T1095     | 3
Lateral Movement                   | Exfiltration Over Web Service      | T1567     | 0
Initial Access                     | Remote Services                    | T1021     | 12
Execution                          | Phishing                           | T1566     | 1
Execution                          | Command and Scripting Interpreter  | T1059     | 0
Execution                          | PowerShell                         | T1059.001 | 0
Execution                          | User Execution                     | T1204     | 0
Execution                          | Malicious Link                     | T1204.001 | 0
Execution                          | Malicious File                     | T1204.002 | 0
Credential Access                  | OS Credential Dumping              | T1003     | 6
Persistence, Privilege Escalation  | Boot or Logon Autostart Execution  | T1547     | 1
Persistence, Privilege Escalation  | Registry Run Keys / Startup Folder | T1547.001 | 19
Collection                         | Data from Local System             | T1005     | 0
Command and Control                | Application Layer Protocol         | T1071     | 2
Command and Control                | Mail Protocols                     | T1071.003 | 0
Command and Control                | Data Encoding                      | T1132     | 2
Command and Control                | Standard Encoding                  | T1132.001 | 2
Command and Control                | Protocol Tunneling                 | T1572     | 0


About the Author: Rudra Pratap

Rudra Pratap, Security Research Manager, Gurucul

Rudra Pratap is a Security Research Manager and heads Threat Research at Gurucul with over 12 years of experience in security research and development. Rudra’s expertise spans a wide range of cybersecurity domains, including cloud & endpoint protection, threat detection & response and advanced persistent threats (APTs). He has authored multiple research papers and presented at conferences, sharing insights on topics such as industry threats and cyber espionage campaigns. With a strong background in security research, Rudra has made significant contributions to industry giants like Microsoft and FireEye.