APT32 Malware’s Use Of New Downloader Critical To Its Propagation Success

APT32 malware has been covered here in Hackercombat recently, and we are set to update you of the latest findings from Palo Alto Networks. KerrDown, the newly developed special downloader that APT32 malware package use in order to propagate itself faster than ever before. Asia-Pacific region is the main target of the KerrDown-based APT32, also known as OceanLotus in this part of the world. Updated to use two channels of system penetration, the malware can pretend to be an MS Office file loaded with a malformed macro and it can also use DLL side-loading penetration using an innocent-looking rar file.

“Our analysis began with an active mime document, something we’ve seen OceanLotus use before but this time involving a new payload, KerrDown. Once the victim opens the lure document, which includes an image file with a message in Vietnamese which that asks the victim to enable macros to view the contents of the file. At first glance the document may look like there is no other content other than the notification to enable macros. However, a closer look reveals two different base64 blobs inserted in the page in separate tables and the font size has been changed to 1 which may deceive victims to overlook the content,” explained Vicky Ray, Unit 42’s Principal Researcher.

The malware will install a malicious dll file pretending to be a PNG image file named main_background.png in the path C:\Users\Administrator\AppData\Roaming. The function of the dll is to download the payload, depending on the architecture of the machine, both 32-bit and 64-bit payloads are supported. The payload kuss32.gif is downloaded if the PC is running 32-bit Windows, while kuss64.gif is downloaded if the machine is running a 64-bit version of Windows.

“As we can see in this case, the purpose of the malware is to download and execute the Cobalt Strike Beacon payload in memory. Though Cobalt Strike is a commercial penetration testing tool, various threat actors are known to have used it in their campaigns,” added Kaoru Hayashi, Field Chief Security, Palo Alto Japan.

If the malware is not successful in propagation using the MS Office file format, it will switch to using dll side-loading method, through the use of a malformed rar file. The rar file itself contains a Word 2007 version of the word executable, using it as a launchpad for the dll file. The file itself contains a list of shellcodes which will be executed one after another.

“As we can see in this case, the purpose of the malware is to download and execute the Cobalt Strike Beacon payload in memory. Though Cobalt Strike is a commercial penetration testing tool, various threat actors are known to have used it in their campaigns. We also observed all the samples were compiled during the weekdays – between Monday to Friday. Therefore, it is clear that the OceanLotus group works during weekdays and takes a break during the weekends,” said Ray.

Palo Alto Networks continue to perform observations on the samples of the malware code in the wild, as it concludes that APT32 will continue to evolve. The virus authors are motivated to further improve the code base in order to create more ways for the malware to propagate beyond the MS Office and dll-injection routine the malware currently possess.