MAR-10271944-3.v1 – North Korean Trojan: BUFFETLINE
Notification
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.
Summary
Description
This Malware Analysis Report (MAR) is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Trojan malware variants used by the North Korean government. This malware variant has been identified as BUFFETLINE. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra. DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity. This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation. This report looks at a full-featured beaconing implant.
This sample uses PolarSSL for session authentication, but then utilizes a FakeTLS scheme for network encoding using a modified RC4 algorithm. It has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration. For a downloadable copy of IOCs, see MAR-10271944-3.v1.stix.
Submitted Files (1)
52f83cdaefd194fff3d387631d5693a709cd7b3a20a072e7827c4d4218d57695 (smss.exe)
IPs (2)
107.6.12.135
210.202.40.35
Findings
52f83cdaefd194fff3d387631d5693a709cd7b3a20a072e7827c4d4218d57695
Tags
trojan
Details
Antivirus
YARA Rules
ssdeep Matches
PE Metadata
PE Sections
Packers/Compilers/Cryptors
Relationships
Description
The sample performs dynamic DLL importing and API lookups using LoadLibrary and GetProcAddress on obfuscated strings in an attempt to hide its usage of network functions. The sample obfuscates the strings used for API lookups, as well as the strings used during the network handshake, using a modified RC4 algorithm. A Python 3 script to decrypt the obfuscated strings is given below. Note: The hardcoded command and control (C2) IPs are not obfuscated, but appear in plaintext within the executable.
--Begin Python 3 Decode Script--
def decode_string(enc, key=0x15b3):
--End Python 3 Decode Script--
--Begin C2 IP and Port--
107.6.12.135:443
--End C2 IP and Port--
The sample attempts to perform a PolarSSL handshake to initiate a connection to each of these hardcoded C2 IPs using TLS version 1.1. It uses the PolarSSL server_name extension with the Server Name set to "!Q@W#E$R%T^Y&U*I(O)P". The PolarSSL certificate and private key are provided below.
--Begin PolarSSL Certificate--
----BEGIN CERTIFICATE-----
--End PolarSSL Certificate--
--Begin Private Key--
-----BEGIN RSA PRIVATE KEY-----
--End Private Key--
After the TLS authentication is completed, this particular sample does NOT use the session key that is generated via TLS. Instead, it uses a FakeTLS scheme, where a 'fake' TLS packet header is prepended to the packet data, which is encrypted with a custom XOR encryption scheme. The FakeTLS packet format and a Python 3 script to decrypt network traffic are given below.
--Begin FakeTLS Packet Structure--
17 03 02 <2 Byte data length> <4 Byte Key> <data>
--End FakeTLS Packet Structure--
Note: Each "Key" is generated by the sender using rand().
--Begin Python 3 Network Communication Decode Script--
def decode_pkt(enc, key):
    addVal = len(enc) * key & 0xff
--End Python 3 Network Communication Decode Script--
After the TLS authentication, the sample performs a handshake with the C2, where hardcoded 32 Byte strings are exchanged, as well as a Victim ID and the Victim Internal IP.
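As an added illustration for analysts triaging captured traffic (not code from the report), the following Python 3 parser splits a reassembled TCP stream into FakeTLS records of the form shown above and checks the same byte pattern the report's Snort rule matches. It assumes the 2-byte length is big-endian and counts only <data>, not the 4-byte key, which is what makes the Snort PCRE (length 0x23 followed by 39 bytes before the next header) add up; it does not attempt the custom XOR decoding. Genuine TLS 1.1 application-data records carry the same 17 03 02 header, so the framing alone is not an indicator, which is why the report's rule also matches on "PolarSSL".

```python
import re
import struct
from dataclasses import dataclass
from typing import List

# Header the implant prepends: TLS application data (0x17), version 3.2 (TLS 1.1).
FAKETLS_HDR = b"\x17\x03\x02"
# The report's Snort PCRE: length-0x23 record, 39 bytes (4 key + 35 data), next header.
SNORT_PCRE = re.compile(rb"\x17\x03\x02\x00\x23.{39}\x17\x03\x02", re.DOTALL)

@dataclass
class FakeTlsRecord:
    key: bytes   # 4-byte per-packet key, generated by the sender with rand()
    data: bytes  # payload encrypted with the custom XOR scheme (not decoded here)

def build_record(key: bytes, data: bytes) -> bytes:
    """Frame one FakeTLS record; used here only to construct sample traffic."""
    if len(key) != 4:
        raise ValueError("FakeTLS key is exactly 4 bytes")
    return FAKETLS_HDR + struct.pack(">H", len(data)) + key + data

def parse_faketls_stream(buf: bytes) -> List[FakeTlsRecord]:
    """Split a reassembled stream into records: 17 03 02 <2-byte len> <4-byte key> <data>.
    Assumption: the length is big-endian and counts only <data>, not the key (this is
    what makes the Snort rule's 0x23 + 39 bytes add up). Stops at the first bad record."""
    records: List[FakeTlsRecord] = []
    off = 0
    while off + 9 <= len(buf):
        if buf[off:off + 3] != FAKETLS_HDR:
            break  # not a FakeTLS record, or the stream is desynchronised
        (length,) = struct.unpack(">H", buf[off + 3:off + 5])
        key, data = buf[off + 5:off + 9], buf[off + 9:off + 9 + length]
        if len(data) != length:
            break  # truncated record: wait for more bytes rather than mis-parse
        records.append(FakeTlsRecord(key, data))
        off += 9 + length
    return records

def matches_snort_pcre(buf: bytes) -> bool:
    """True when the stream contains the handshake shape the report's Snort rule targets."""
    return SNORT_PCRE.search(buf) is not None

# Constructed sample: a 35-byte handshake record followed by a second 12-byte record.
SAMPLE_STREAM = (build_record(b"\x01\x02\x03\x04", b"A" * 35)
                 + build_record(b"\xaa\xbb\xcc\xdd", b"B" * 12))

if __name__ == "__main__":
    for i, rec in enumerate(parse_faketls_stream(SAMPLE_STREAM)):
        print(f"record {i}: key={rec.key.hex()} data_len={len(rec.data)}")
    print("snort pattern hit:", matches_snort_pcre(SAMPLE_STREAM))
```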
After this exchange, the implant sends its Victim Information (Figure 2), and then waits for tasking from the C2.
Screenshots
Figure 1 - Configuration Structure.
Figure 2 - Victim Information Structure.
Figure 3 - Implant Functionality.
Figure 4 - Session Structure.
107.6.12.135
Tags
command-and-control
Ports
Relationships
Description
Hardcoded C2 IP.
210.202.40.35
Tags
command-and-control
Ports
Relationships
Description
Hardcoded C2 IP.
Relationship Summary
Mitigation
The following Snort rule can be used to detect the FakeTLS handshake packets by targeting to a
alert tcp any any -> any any (msg:"Malware Detected"; content:"PolarSSL"; pcre:"/ \x17\x03\x02\x00\x23.{39}\x17\x03\x02/"; rev:1; sid:99999999;)
Recommendations
CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.
Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".
Contact Information
CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/
Document FAQ
What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-888-282-0870 or soc@us-cert.gov.
Can I submit malware to CISA? Malware samples can be submitted via three methods:
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.us-cert.gov.
Revisions
February 14, 2020: Initial Version
This product is provided subject to this Notification and this Privacy & Use policy.