Plug n Panda – APT Group


The “Plug N Panda” group (the name chosen by Yarix R&D) is a newly observed group, believed to originate from China, characterized by the use of ransomware DLL sideloading techniques (PlugX – Talisman) to cover its tracks after carrying out an attack.

This APT was first observed in the first months of 2022 during an Incident Response activity.

The following article provides an in-depth analysis of how this group erases its traces to stay undetected after carrying out an attack, probably because its targets are organizations serving mission-critical environments, as in the case we handled.

It is not yet known why this information is useful to the APT group, nor for whom they may work; in any case, they seem to attack specific targets in order to find specific information regarding telco companies.

Other similar attacks documented on the internet that come close to the “Plug N Panda” goals and methods are listed below:

A dedicated article with an in-depth threat actor analysis will follow.

INITIAL ACCESS

One Way or Another

The “Plug N Panda” attack starts with external reconnaissance aimed at identifying any critical CVE that can give remote access through exploitation. It is not uncommon for companies in the targeted industry to expose services used to manage IoT devices or MSP activities. If this route proves not to be viable, “Plug N Panda” buys leaked accounts with SSL-VPN access to finally gain internal access to the target infrastructure. Recently analyzed attacks show a pattern that repeats until total compromise of the target infrastructure is achieved.

Talisman PlugX – A DLL sideloading technique

In this article we analyze an uncommon way of executing a ransomware payload through a digitally signed executable belonging to an actual antivirus product.

In addition, this specific case is tricky to examine through dynamic analysis: many of the child processes and commands are obfuscated using (apparently) nonsensical numeric strings as parameters, which are later replaced in memory, as shown in the following analysis.

Technical Details – (Log.dll) Static Analysis

DLL IMPORTS

Plug n Panda – DLL imports

As can be seen, the malware loads “Kernel32.dll”, “psapi.dll” and “Shlwapi.dll”. These dynamic link libraries give the binary access to almost all core Windows functions, process handling and DLL utilities.

Plug n Panda – DLL Function calls

Just by looking at them, it is reasonable to suppose that process injection or hollowing is likely to happen.

PE Sections

The PE directories do not disclose much information, except that some sections appear to be packed with the “UPX1” packer.

Plug n Panda – DLL BinarySections

Plug n Panda – PE Directories

The “Optional Header” section confirms the previous statement, as the binary sections do.

Plug n Panda – Optional Header

Arguments list

Log.dll accepts three arguments: “run”, “nodel” and the path of the configuration file “config.ini”.

Plug n Panda – Arguments

Unfortunately, the “config.ini” file is fully encrypted. Part of its content, namely the extensions of files that will not be encrypted and the extension (.k1.k2.k3) appended to encrypted files, is shown below, after having been recovered from memory through dynamic analysis.

Plug n Panda – Excluded file extensions

Another piece of information recovered from memory is a list of all the processes that are checked for execution (probably in order to kill them), as shown in the next snippet:

Plug n Panda – config.ini (snippet)

Reading the software list carefully, it is possible to notice a Chinese-named program, “zhudongfangyu”, which appears to be “360 安全卫士” (360 Safe Guard), a common security product for Chinese users developed by Qihoo 360.

Anti-Debugging INT 3 Function

Plug n Panda – “int 3” Debugger Traps

During reverse engineering we encountered (as expected) an “int 3” anti-debugging function. This piece of code uses a specific opcode whose purpose is to invoke the debugger at runtime, looping the process and preventing execution from proceeding. This kind of technique is bypassed by replacing all the references pointing to this function with “nop” instructions.

Low Level Syscalls

During execution many low-level system calls were detected; these are commonly used by attackers to hide their tracks by interacting with the OS at the lowest possible userland level.

Plug n Panda – Low level Syscalls routine

This type of syscall can lead to security software bypass, and it makes the reverse engineer’s life harder because of the absence of the usual imports that generally describe the binary’s runtime activities.

Technical Details – Dynamic Analysis

Plug n Panda – Ransomware Attack files

Brief description and hashes:

  • exe (MD5: 6F0254412736E446B49E9DC0A08337D9) → BitDefender service executable with valid digital signature
  • ini (MD5: D00E4E18825F67A3CA1A190F01B18175) → Encrypted configuration file
  • dll (MD5: 10866465A9B0C56AF2CD093B80CDBC9F) → Ransomware main binary

To execute the main payload, it is necessary to spawn a cmd or PowerShell shell and run the following command:

bdsrv.exe –run=3306 –nodel=1

where the “–run=3306” switch selects the main workflow, which in this case is used to kill MySQL-related services. The payload does not start with any parameter value other than “3306”.

“–nodel=1” tells the malware whether to delete itself or not: the value can be “0” for self-deletion or “1” to let it stay resident in the specified path.

Plug n Panda – Ransomware DLL sideloading technique

From now on “Notepad.exe” is the container for the payload “log.dll”, and the malicious environment is ready to start disabling some core Windows functionalities and services to ensure complete machine encryption, not forgetting to move laterally using GPOs and shared folders.

Plug n Panda – GPO for infrastructure malware deploy

Plug n Panda – Process Execution Tree

The following is a list of all commands executed by the payload:

  1. Disable shadow copies via “vssadmin.exe”
  2. Create a secondary partition via “bcdedit.exe” and share it with the network
  3. Delete and disable Windows backups via “wbadmin.exe”
  4. Delete the Application and System EVTX logs via “wevtutil.exe”
  5. Stop the following services via “net1.exe” / “net.exe”
    1. MSDTC
    2. SQLSERVERAGENT
    3. MSSQLSERVER
    4. Vds
    5. SQLWriter
    6. SQLBrowser
    7. MSSQL$CONTOSO1 (CONTOSO1 is then replaced in memory with the attacked domain name)
  6. Use NETSH to disable some Microsoft Defender components
  7. Create a copy of itself and all the files it needs for operation in \\Sysvol\
  8. Create Group Policies to force execution of the payloads previously copied in \\Sysvol\ across the entire domain infrastructure

As we can clearly see, all the command arguments executed by the hollowed notepad process are obfuscated using a long repetition of the “1” character, which is replaced at runtime after the utility process memory has been fully allocated.

Plug n Panda – Child commands with “nonsense” arguments (1)

Plug n Panda – Child commands with “nonsense” arguments (2)
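As an added hunting example (not code from the original article), the logic below runs over a constructed set of Sysmon-style process-creation records and flags the two behaviours described above: recovery-tampering utilities spawned by the hollowed notepad.exe, and command lines carrying the “1111…” placeholder arguments. The field names mirror Sysmon Event ID 1, and the threshold of eight consecutive “1” characters is an assumption.

```python
import re

# Constructed sample of process-creation records (Sysmon Event ID 1 style),
# modelled on the behaviour described in the article: a hollowed notepad.exe
# spawning recovery-tampering utilities with "1111..." placeholder arguments.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\notepad.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe 11111111111111111111111111"},
    {"ParentImage": r"C:\Windows\System32\notepad.exe",
     "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Application"},
    {"ParentImage": r"C:\Windows\System32\notepad.exe",
     "Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": "net1 stop SQLWriter"},
    {"ParentImage": r"C:\Windows\explorer.exe",      # benign: user opens a file
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",  # benign: admin listing shadows
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
]

# Utilities the payload drives to remove recovery options and disable defences.
TAMPER_TOOLS = {"vssadmin.exe", "bcdedit.exe", "wbadmin.exe", "wevtutil.exe",
                "net.exe", "net1.exe", "netsh.exe"}
# Processes that have no legitimate reason to spawn administrative utilities.
HOLLOW_HOSTS = {"notepad.exe"}
# Eight or more consecutive "1" characters: the runtime-replaced placeholder
# (the threshold is an assumption, tune it to your telemetry).
PLACEHOLDER = re.compile(r"1{8,}")


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (event index, reason) findings for each suspicious record."""
    findings = []
    for i, ev in enumerate(events):
        parent = basename(ev["ParentImage"])
        child = basename(ev["Image"])
        if child in TAMPER_TOOLS and parent in HOLLOW_HOSTS:
            findings.append((i, f"{parent} spawned {child}"))
        if PLACEHOLDER.search(ev["CommandLine"]):
            findings.append((i, "placeholder argument run in command line"))
    return findings
```

Feeding real Sysmon or EDR process-creation telemetry into hunt() in place of SAMPLE_EVENTS gives a quick triage pass for this pattern; the benign records show that vssadmin under cmd.exe and notepad under explorer.exe are not flagged.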


Data encryption begins in a process separate from the BitDefender executable (the Notepad.exe main thread), as seen in the image below.

Plug n Panda – Notepad.exe process execution snippet

Prevention & Hunting

Yarix Labs is constantly working to trace APT group movements by profiling techniques and attack patterns, in order to provide one of the best security services to its customers, ranging from Incident Response, Cyber Threat Intelligence and Red Teaming to Security Operation Center monitoring.

APPENDIX

Indicators of compromise

What follows are all the IoCs identified during the malware analysis carried out to draft this article.

Data type   Value
File name   Config.ini
MD5         d00e4e18825f67a3ca1a190f01b18175
SHA1        3396ef99e0d6fdda346d5f4fb63a31a2b54ce382
SHA256      8b8b9bf67b56e391f542b05c2e3a8e85792518a61e52f109cf79950d7df7a03a
File name   Log.dll
MD5         6f0254412736e446b49e9dc0a08337d9
SHA1        ed6a5b6b5d9972eb7f8638fa1b96259c98f17231
SHA256      377a571880201f637a4694fa9b5ad23f6bcf958192bd19d55dd0a05a8a5f66d0


Author

Nicolas Fasolo is a member of the Yarix Incident Response Team. In his free time he works as an independent “Security Researcher” and “Security Developer”, with an unbridled passion for malware analysis. During his CEH Master certification training path he achieved Top 1 in the world for “Quarter 4 December 2021”. Author of the “Cybersecurity Podcast”.
