Jun 24, 2019, 11:44 AM
ANALYSIS-IN-DEPTH
In-depth Analysis of the Tick Group's 'USB Usage Attack Technique' Targeting Korean Companies
ASEC REPORT Vol.95 | Security Trend
A threat group has been steadily attacking from 2008 through the second quarter of 2019. The group, known as 'Tick', has been in full-fledged domestic activity since 2014, targeting the defense industry and political organizations as well as the security, IT and electronics industries.
In addition, the Tick group is known to grasp the security vulnerabilities of its attack targets in advance. In particular, the Tickusb attack can infect a secure USB flash drive (USB memory) in use at an enterprise and propagate the malicious code, and as a result the damage to the domestic IT environment and infrastructure is already considerable.
This report centers on actual attack cases of the Tick group, which targets major domestic corporations and organizations and uses USB flash drives to obtain information, and examines the correlation of the Tickusb malicious code analyzed by AhnLab Security Emergency-response Center (ASEC), its techniques, and so on.
1. Tickusb Attack Trends
'Tickusb' is malicious code that the Tick attack group uses to leak confidential information from domestic companies via USB flash drives; it was detected from spring 2014 to November 2017. [Figure 2-1] shows the Tickusb malicious code used by the Tick attack group. Some Tickusb variants exist as a single file, but most consist of a DLL file and an EXE file.
Figure 2-1 | Overall relationship diagram of Tickusb
When the malicious DLL file runs, it creates a log file in a specific path and checks whether a USB flash drive is connected. If a USB flash drive is connected to the system, it runs the malicious EXE file and downloads additional files. The malicious EXE files perform slightly different functions depending on the variant, but they collect information about the files on the drive. Some variants tamper with the EXE files in the USB flash drive. When a USB flash drive holding a tampered EXE file is connected to another system and the file is run, that computer is also infected with Tickusb.
[Figure 2-2] is a timeline showing the changes in the Tickusb malicious code.
Figure 2-2 | Tickusb Timeline
The initial version is presumed to have been created before 2014, and a 2014 version appeared with the file name cryptbase.dll. In September 2014 a variant that modifies EXE files in the USB flash drive was created. In 2015 a variant consisting of a DLL file and an EXE file was created, and at the beginning of June 2015 the attacker used a tool to patch a file on the infected system so that it loads the malicious DLL. From October 2016 to November 2017 the file name of the malicious DLL was changed to wincrypt.dll.
[Table 2-1] summarizes major attacks using Tickusb in chronological order.
Discovered | File | Contents
2014.3 | ?.exe | September 2012 production estimate. Unit 42 first published an analysis in 2018. The code differs significantly from other Tickusb variants; estimated to be an early version of Tickusb.
2015.4 | CRYPTBASE.dll | December 2014 production estimate. DLL-only type. Collects system information and file information from the USB flash drive.
2015.6 | BrStMonW.exe, BrWeb.dll, wsmt.exe | Modifies the BrStMonW.exe file associated with the Brother printer so that it loads the BrWeb.dll file. Downloads the msupdata.exe file. Tampers with EXE files in the USB flash drive and patches the ALYAC25.exe file.
2015.6 | CRYPTBASE.dll, svcmgr.exe | February 2015 production estimate. Checks for the connection of a specific secure USB. Tampers with EXE files in the USB flash drive and patches the ALYAC25.exe file.
2015.7 | ?.dll (unidentified), ctfmon.exe | September 2014 production estimate. Tampers with EXE files in the USB flash drive and patches the ALYAC25.exe file.
2015.7 | CRYPTBASE.dll, svcmgr.exe (uncertain) | November 2014 production estimate.
2016.10 | wincrypt.dll, wsmt.exe (unconfirmed) | -
2017.01 | wincrypt.dll, wsmt.exe (unconfirmed) | -
2017.11 | wincrypt.dll | DLL-only type.
Table 2-1 | Major attacks using Tickusb
Tickusb's dropper was discovered in March 2014. Because the build date of the malicious code it generates is in 2012, it is probable that the malware has been active since before 2014. The code of this variant differs from that of other Tickusb variants, and it is estimated to be an early version of Tickusb.
In April 2015 the Tickusb variant Cryptbase.dll was discovered. Unlike other Tickusb variants, it is a DLL-file-only type. It has the same export functions as the normal Windows CRYPTBASE.dll file, and the path where it was found is %ProgramFiles%\common files\java\java update\cryptbase.dll. It is assumed that it is loaded when a Java-related program is executed.
In the attack that occurred on June 1, 2015, a variant consisting of a DLL file and an EXE file was found. The attacker patched the Brother printer driver file BrStMonW.exe so that executing it loads the malicious DLL file BrWeb.dll. The EXE file gained the ability to find and modify EXE files in the USB flash drive. In addition to the Tickusb malicious code, Secure Unlock win.exe, which acts as a dropper, and an asp server, a Bisodown variant and a Ghostdown variant, which act as downloaders, were also found.
In October 2016 the Tickusb variant wincrypt.dll (16572393021beea366679e80cc78610c) was discovered, and variants with the same file name were discovered until November 2017.
2. Malicious code analysis
Droppers, downloaders and other files related to the Tickusb malware have been found, but the specific infection method has not been confirmed. However, comparing the disassembled installation files with the file-tampering code in USB flash drives infected with Tickusb confirmed that some of the droppers are tampered EXE files. In addition, the attacker does not make the Tickusb malware run automatically when Windows boots; it runs only when the patched program is executed. This appears to be intended to keep the user from discovering the malicious code. Let's look at the droppers, downloaders, patchers, and loaders that the attacker used in Tickusb attacks.
2-1) Dropper
The Tickusb malware has been found to be associated with several droppers.
One of them, Aya.exe (b76d2b33366c5ec96bc23a717c421f71), is a Go game file, as shown in [Figure 2-3]. When the game is launched, the initial version of Tickusb (6f665826f89969f689cba819d626a85b) is generated. The Aya.exe file was collected in March 2014 (AAPL), and judging from the build time of the dropped file, it seems to have been active before 2014.
Figure 2-3 | Aya.exe execution screen
The Secure Unlock win.exe file (bb8c83cfd133ab38f767d39605208a75) is the dropper used in a domestic attack in early June. It is a tampered form of a normal program, and when the program is executed it creates the wsktray.exe file (3c6e67fc006818363b7ddade90757a84) in the temporary folder. When creating the file, it also appends garbage data to the end of the file, making it more than 34 megabytes long. This file is a Bisodown variant that downloads other malware.
Other droppers, Portable SecretZone.exe (dbc10f9b99cc03e21c033ea97940a8c2), pNDPS (V2.11).exe (c865b83a2096642b0de3e2880e63ab0e) and NEW_GOMPLAYERSETUP.exe (0a4bec5fc88406d126aa106a7c0aab87), use the same Bisodown variant file (e470b7538dc075294532d8467b1516f8); of these, the SecretZone.exe and pNDPS (V2.11).exe files are assumed to have been infected by a Tickusb variant.
2-2) Downloader - Ghostdown
On systems infected with the Tickusb malware, a Ghostdown variant acting as a downloader was found. Ghostdown is malicious code first found in February 2013 that has been active until February 2018, and its variants (4868fd194f0448c1f43f37c33935547d, 62ee703bbfbd5d77ff4266f9038c3c6c) were also found.
Figure 2-4 | Characteristic strings of the Ghostdown variant malicious code (4868fd194f0448c1f43f37c33935547d)
Figure 2-5 | Decryption result of the encrypted C&C string
[Figure 2-4] shows the characteristic strings of the Ghostdown variant malicious code. The main strings, such as API names and connection addresses, are encrypted; in the initial version the connection address and key strings are encrypted with the XOR key 0xDF.
Figure 2-6 | iff.exe execution screen
The initial Ghostdown variant uses www.poi.cydisk.net, www.kot.gogoblog.net, etc. as C&C servers. All of these addresses were created with the service www.dnserver.com. [Figure 2-5] is the result of decrypting the encrypted C&C string. It shows that the C&C address of the Ghostdown variant found on the Tickusb-infected system in 2016 is www.memsbay.com:443 and that a cloud service was used.
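As an added illustration for this section (not code from the report or from a Ghostdown sample), the following Python helper recovers strings obfuscated with the single-byte XOR key 0xDF described above: it decodes a blob and keeps only the runs that turn into printable ASCII, which is how an analyst surfaces candidate C&C hosts and API names. The blob, the placeholder host and the API name are constructed for the example.

```python
# Added example: recover single-byte-XOR (0xDF) obfuscated strings from a binary blob.
# The sample data below is constructed for this example, not taken from a real sample.

def xor_decode(blob: bytes, key: int = 0xDF) -> bytes:
    """XOR every byte with the key; XOR is symmetric, so this also encodes."""
    return bytes(b ^ key for b in blob)


def find_xor_strings(blob: bytes, key: int = 0xDF, min_len: int = 6) -> list[tuple[int, str]]:
    """Decode the blob and return (offset, text) for every run of printable
    ASCII of at least min_len characters (candidate C2 hosts, API names, keys)."""
    decoded = xor_decode(blob, key)
    found, start = [], None
    # A trailing sentinel byte flushes a run that reaches the end of the blob.
    for i, b in enumerate(decoded + b"\x00"):
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_len:
            found.append((start, decoded[start:i].decode("ascii")))
        start = None
    return found


# Constructed blob: two XOR-0xDF-encoded strings separated by zero bytes, which
# decode to 0xDF and are therefore discarded as non-printable.
SAMPLE_BLOB = (
    b"\x00" * 8
    + xor_decode(b"c2.example.invalid")   # placeholder host, not a real C&C address
    + b"\x00" * 4
    + xor_decode(b"InternetOpenA")        # an API name; the report notes APIs are encrypted
    + b"\x00" * 4
)

if __name__ == "__main__":
    for offset, text in find_xor_strings(SAMPLE_BLOB):
        print(f"0x{offset:04x}: {text}")
```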
2-3) Patcher - iff.exe
iff.exe (e84f29c45e4fbbce5d32edbfeec11e3a) acts as a patcher that modifies an EXE file so that it executes a specific EXE file or loads a specific DLL file. The iff.exe file found on the Tickusb-infected system is assumed to be an additional file placed after the attacker infiltrated the system.
As shown in [Figure 2-6], iff.exe takes the file modification method, the file to be modified, and the file to be executed or the DLL file to be loaded as argument values.
The -b option modifies the target EXE file by appending the executable file to its end, and the -l option modifies the target EXE file so that it loads a specific DLL file.
As shown in [Figure 2-7], an EXE file modified by iff.exe contains '.texe', an infection identification string.
Figure 2-7 | Patch results by iff.exe 1
It also changes the entry point to a jump command so that the added code executes first.
Figure 2-8 | Patch contents by iff.exe 2
The code added with the -b option, shown in [Figure 2-9], loads the necessary APIs (Application Programming Interfaces), then writes the contents of the executable file appended to the end of the modified file to a file in the %temp% folder and executes it. Judging from the text on the execution screen of the iff.exe file, the purpose appears to be adding a downloader that downloads other malware.
Figure 2-9 | Additional code by iff.exe -b
Also, as shown in [Figure 2-10], the executable file to be executed is appended, starting with MZ, to the end of the modified file. Therefore the total file length increases by the length of the file appended to the end.
Figure 2-10 | Code at the end of the modified file
The -l option finds a blank area in the target EXE file and overwrites it with code that loads the specified DLL file. Therefore, if there is not enough free space in the file, no tampering occurs, and even when tampering does occur there is no change in the file length of the target EXE file.
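As an added example written for this article (not a tool from the report), the following Python script shows how a defender can flag the -b style of tampering described above: it parses the PE section table, measures the overlay after the last section, looks for an appended 'MZ' image and the '.texe' marker, and checks whether the entry point now begins with a JMP (0xE9). The minimal PE images are constructed inline for the demonstration; a -l patch, which rewrites a blank area and leaves the length unchanged, is deliberately not caught by the overlay check.

```python
# Added example: flag PE files showing the iff.exe "-b" tampering pattern
# (appended MZ image + '.texe' marker + entry point redirected to a JMP).
import struct

TEXE_MARKER = b".texe"


def parse_pe(data: bytes):
    """Return (entry_rva, sections); each section is
    (name, virtual_address, virtual_size, raw_pointer, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]         # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]    # SizeOfOptionalHeader
    opt = pe + 24                                            # optional header start
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
    return entry_rva, sections


def analyze(data: bytes) -> dict:
    """Collect the indicators the report describes for an iff.exe -b patch."""
    entry_rva, sections = parse_pe(data)
    end_of_sections = max(ptr + size for _, _, _, ptr, size in sections)
    overlay = data[end_of_sections:]                         # bytes past the last section
    entry_byte = None
    for _, va, vsize, raw_ptr, raw_size in sections:
        if va <= entry_rva < va + max(vsize, raw_size):
            entry_byte = data[raw_ptr + (entry_rva - va)]
            break
    return {
        "texe_marker": TEXE_MARKER in data,
        "overlay_bytes": len(overlay),
        "overlay_has_mz": b"MZ" in overlay,
        "entry_is_jmp": entry_byte == 0xE9,                   # JMP rel32 at the entry point
    }


def is_tampered(data: bytes) -> bool:
    r = analyze(data)
    return r["texe_marker"] or (r["overlay_has_mz"] and r["entry_is_jmp"])


def build_sample_pe(text: bytes) -> bytes:
    """Constructed minimal 32-bit PE: one .text section at RVA 0x1000, entry 0x1000.
    Only the fields this parser reads are filled in; the rest stay zero."""
    e_lfanew, opt_size, hdr_size = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0x200, 0, 0, 0x1000, 0x1000, 0x2000)
    opt += struct.pack("<III", 0x400000, 0x1000, 0x200)     # ImageBase, SectionAlign, FileAlign
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(text), 0x1000, 0x200,
                                       hdr_size, 0, 0, 0, 0, 0x60000020)
    header = (dos + coff + opt.ljust(opt_size, b"\0") + sec).ljust(hdr_size, b"\0")
    return header + text.ljust(0x200, b"\0")


# Constructed samples: a clean file and one patched the way iff.exe -b would.
CLEAN = build_sample_pe(b"\x55\x8b\xec\x5d\xc3")        # push ebp; mov ebp,esp; pop ebp; ret
PATCHED = build_sample_pe(b"\xe9\x00\x01\x00\x00")       # entry now JMPs to the added code
PATCHED += b"MZ" + b"\x90" * 16 + TEXE_MARKER            # appended payload stub + marker

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("patched", PATCHED)):
        print(label, analyze(blob), "tampered" if is_tampered(blob) else "ok")
```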
2-4) Loader - BrStMonW.exe
On June 1, 2015 the attacker used the iff.exe file to patch the BrStMonW.exe file (d536f5f929ddd2472a95f3356f7d835c) of the Brother printer program. Through this patch, the BrStMonW.exe file was modified so that running it loads the malicious BrWeb.dll file first. The entry point was also modified, as shown in [Figure 2-11], so that the added code at address 0x004972EF executes first.
Figure 2-11 | Entry point modified with JMP code
Another characteristic is that, because the arbitrary code is overwritten into a blank area of the BrStMonW.exe file, there is no change in file length even after modification. The code of the modified BrStMonW.exe file is shown in [Figure 2-12].
Figure 2-12 | Modified BrStMonW.exe
Figure 2-13 | Added code for loading a specific DLL
The code added by iff.exe loads the specific DLL file (BrWeb.dll) into memory, as shown in [Figure 2-13], and then executes it.
Therefore, the Tickusb malicious code is executed only when the printer is used, which makes it difficult to discover.
Using a patcher such as iff.exe, an attacker who has broken into a system can select a program and run additional malicious code by patching it.
169ASEC REPORT Vol.95 | Security Trend 31
Tickusb usually consists of a DLL file and an EXE file, although some variants are single-file DLL or EXE forms. The Tickusb DLL file checks whether a USB flash drive is connected to the system and, if it is, executes the malicious EXE file. The EXE file executed at this time modifies the executable files in the flash drive. Let's examine the DLL file and EXE file that make up Tickusb in detail.
3-1) Tickusb DLL Analysis
The files used as Tickusb DLL files are BrWeb.dll, CRYPTBASE.dll, and wincrypt.dll. The CRYPTBASE.dll file has the same name as the Windows file that provides cryptography-related functions, and it also has the same export functions as the Windows CRYPTBASE.dll, so a program that loads CRYPTBASE.dll can load the malicious CRYPTBASE.dll instead. The program that loads the DLL is assumed to use cryptographic functions.
The Tickusb DLL file acts as a loader, and it contains the name of the log file, the path of the EXE file to execute, the drive type, and so on. [Figure 2-14] shows the main strings of the Tickusb DLL file.
Figure 2-14 | Key strings of the Tickusb DLL file
The Tickusb DLL CRYPTBASE.dll (bcb56ee8b4f8c3f0dfa6740f80cc8502), discovered in April 2015, is a DLL-only form with no additional EXE file. When the DLL is executed, it creates the Credentials.dat file and a TAG file (C:\WINDOWS\system32\CatRoot\{375EA1F-1CD3-22D3-7602-00D04ED295CC}\TAG) and collects system information with netstat.exe. In addition, it checks whether VPN_Cliend.exe and IPPEManager.exe are present on the server.
The Tickusb DLL BrWeb.dll (9b31a5d124621e244cede857300f8aa6), found in June 2015, is disguised as a Brother printer-related file and is located in C:\Program Files (x86)\browny02\brother and C:\Program Files (x86)\ControlCenter4. As shown in [Figure 2-15], it is loaded when the patched printer-related file BrStMonW.exe is executed, and the BrWeb.dll file creates Credentials.csv (%USERPROFILE%\AppData\Roaming\Microsoft\Credentials\Credentials.csv).
Figure 2-15 | Tickusb relationships in the attack that occurred in June 2015
It also creates a mutex called 'WinsMutexIII' and creates three threads. The first thread (0x10004774) executes the wsmt.exe file (C:\WINDOWS\System32\migration\WSMT\wsmt.exe) if a USB flash drive is connected to the system. The second thread (0x100045cd) reads the basev1.xsd file (C:\Windows\schemas\AvailableNetwork\basev1.xsd) and looks for specific processes through their windows (FindWindow); the list of processes to look for is presumed to be contained in basev1.xsd. The third thread (0x100035f0) checks the system date and, on Sundays and Thursdays, downloads a file from http://update.saranmall.com/script/main.html, creates the MSUPDATA.EXE file and runs it.
msupdata.exe is a file name often used by the Tick attack group as a downloader, and since October 2016 the file name has been changed to wincrypt.dll. Variants with this file name were found until November 2017.
3-2) Tickusb EXE Analysis
The Tickusb EXE file collects the file list in the USB flash drive or modifies EXE files, and it was confirmed as files such as ctfmon.exe, svcmgr.exe, and wsmt.exe. The EXE file contains strings related to infection, logs associated with the USB flash drive, and so on; the main strings are shown in [Figure 2-16].
Figure 2-16 | Key strings of the Tickusb EXE file
The EXE variant found in June 2015 (29875836605c26f7c78fc91bb2cff95d) adds the ability to collect file information from the USB flash drive and to modify EXE files. When the EXE file is executed, it creates the FlashHistory.dat file (C:\Users\Default\AppData\Local\Microsoft\Windows\History\FlashHistory.dat).
Figure 2-17 | File contents of FlashHistory.dat
Some variants find and modify EXE files on the USB flash drive. The method is to append a specific file (for example, C:\Windows\AppPatch\Custom\Custom64\apihex.dat) to the end of the target EXE file so that it is executed.
For some Tickusb samples found between 2012 and 2014, it was confirmed that data is read from a specific area of a particular secure USB flash drive from a domestic company and executed. Such attacks are estimated to be aimed at network-separated enterprise systems.
4. Analysis of EXE files modified by Tickusb variants
As we have seen, some Tickusb variants have evolved to find and tamper with EXE files in USB flash drives. The modified EXE files have their entry point changed so that specific code executes, and that code runs the executable file appended at the end. The appended executable file has not been verified, but the executable file appended to the modified file is assumed to be a downloader.
Figure 2-18 | Modified EXE
Portable SecretZone.exe (dbc10f9b99cc03e21c033ea97940a8c2) and pNDPS (V2.11).exe (c865b83a2096642b0de3e2880e63ab0e), which serve as droppers, carry the same downloader (e470b7538dc075294532d8467b1516f8).
The Tickusb variant discovered in June 2015 finds EXE files on the USB flash drive and modifies them by writing the apihex.dat file (C:\Windows\AppPatch\Custom\Custom64\apihex.dat) to the end of the EXE file.
As a result of the analysis, it was confirmed that the code added to the modified EXE files is similar to the code of the files known as droppers. Therefore, these files are assumed to be EXE files modified by Tickusb variants rather than droppers. [Figure 2-19] compares the code of the two files.
Figure 2-19 | Comparison of the Tickusb-infected file code with the file known as the dropper
Other infection identifiers are also similar. As shown in [Figure 2-20], an EXE file modified by a Tickusb variant characteristically contains '.texe'.
Figure 2-20 | Tickusb dropper containing the '.texe' string
Figure 2-21 | Initial Tickusb dropper containing the '.ext' string
The file that drops the early version of Tickusb found in March 2014 (b76d2b33366c5ec96bc23a717c421f71) contains '.ext' as an infection identifier, as shown in [Figure 2-21]. This file, too, is presumed to be not a dropper but a file modified by a Tickusb variant.
5. Analysis of additional installation files
On systems infected with the Tickusb malware, a keylogger, an ARP spoofer, a port scanner, and Mimikatz were additionally installed. Let's look at these additional installation files used in the Tickusb attack.
5-1) Keylogger Type C
Keyloggers have been found on some Tickusb-infected systems. The keyloggers found between April 2017 and February 2018 mainly used file names such as apphelp.dll, linkinfo.dll, and netutils.dll. The key strings used in the keylogger are shown in [Figure 2-22], and the keys entered by the user are stored in the debug.log file.
Figure 2-22 | Keylogger key strings
5-2) ARP Spoofer - hwp70.exe
The attacker carried out the attack by disguising the tool as a file related to the Hancom Hangul word processor. On a Tickusb-infected system, the malicious EXE file hwp70.exe (026ae46934eca5862db4dfc8c88c720a) was found in the Hangul folder (C:\HNC\Hwp70).
It is presumed to be Hijack, a tool that performs ARP spoofing; its execution screen is shown in [Figure 2-23].
Figure 2-23 | Hijack execution screen
5-3) Port Scanner ScanLine - l.dat
In 2016 the attacker used a packed version of ScanLine (a353b591c7598a3ed808980e2b22b2a2), the port scanner from Foundstone, in the attack. It was used on many systems, and the file names used were msp.exe, ls.tmp, and sl-p.exe. [Figure 2-24] shows the screen where ScanLine is executed.
Figure 2-24 | ScanLine execution screen
5-4) Mimikatz - mi.exe, mi2.exe
The attacker used the Mimikatz variants mimi 2.1 (3fe76cf644e045b8620d577c2366630a) and mimi 2.1.1 (b108df0bd168684f27b6bddea737535e). The file names are mi.exe and mi2.exe, which are mainly used by the Tick attack group. [Figure 2-25] and [Figure 2-26] are the execution screens of mimi 2.1 and mimi 2.1.1, respectively.
Figure 2-25 | mimi 2.1 execution screen
Figure 2-26 | mimi 2.1.1 execution screen
6. Conclusion
Most major corporations and organizations use network-separated systems, so it is easy to overlook security updates or neglect security regulations. The Tick attack group, which has constantly attacked companies for the past 10 years since 2008, has used various attack techniques, such as spear phishing and watering hole attacks as well as tampering with EXE files in USB flash drives, to infect them with malicious code.
In particular, to prepare for attacks such as Tickusb, care is needed to check that no malicious code infection occurs during the file transfer process, for example by not using USB flash drives, or by checking the hash of an executable in a USB flash drive before running it.
The V3 product family detects the Tickusb-related malicious code under the following diagnosis names.
<V3 Family Diagnostics>
- HackTool/Win32.Hijack
- HackTool/Win32.Mimikatz
- HackTool/Win32.Tickpatcher
- Trojan/Win32.Agent
- Trojan/Win32.Homamdown
- Trojan/Win32.Loader
- Trojan/Win32.Tickusb
7. Indicators of Compromise (IoC)
Representative file names
apphelp.dll
BrWeb.dll
CRYPTBASE.dll
igfext.exe
linkinfo.dll
msupdata.exe
svcmgr.exe
wincrypt.dll
wsmt.exe
Hashes (md5)
Domains, URLs and IP addresses
127.0.0.1/jscript/timepill.html
pre.englandprevail.com/km/news/index.htm
update.saranmall.com/script/main.html
www.memsbay.com:443