MirageFox: APT15 Resurfaces with New Malware Tools - Intezer
Analyze and classify 50 suspicious files per month for free. Get Started

MirageFox: APT15 Resurfaces With New Tools Based On Old Ones

Written by Jay Rosenberg

    First Name
    Last Name
    Job Title
    Company
    Email
    Country

    Join our free community
    Get started
    Share Article
    FacebookTwitterLinkedIn

    APT15 Background

    Coincidentally, following the recent hack of a US Navy contractor and theft of highly sensitive data on submarine warfare, we have found evidence of very recent activity by a group referred to as APT15, known for committing cyber espionage which is believed to be affiliated with the Chinese government. The malware involved in this recent campaign, MirageFox, looks to be an upgraded version of a tool, a RAT believed to originate in 2012, known as Mirage.

    APT15 is known for committing cyberespionage against companies and organizations located in many different countries, targeting different sectors such as the oil industry, government contractors, military, and more. They are known for “living off the land,” meaning they use already available tools and software installed on the computer to operate, and once inside a target network, they will tailor their malware specifically to the target. Other names for the group are Vixen Panda, Ke3chang, Royal APT, and Playful Dragon.

    There are many articles and researches online about APT15 and their activities, the most recent one by NCC Group; although posted in March 2018, it refers to a campaign in 2017. In addition, although the 2017 campaign has been documented, during our research regarding MirageFox, we found a recently uploaded binary (6/8/2018) from the 2017 campaign, pretty much identical to a RAT mentioned in their RoyalAPT report, barely detected with only 7/66 detections on VirusTotal

    APT15 Code Reuse

    We found the new version of the RAT on VirusTotal hunting, by a YARA signature we created based off code only found in Mirage and Reaver, both attributed to Chinese government affiliated groups. After seeing that these binaries were new uploads to VirusTotal, with very few detections, we analyzed them using Intezer Analyze™ to see if we could find any code reuse.

    APT15

    (https://analyze.intezer.com/#/analyses/d00b6787-0078-4148-aec3-a66779a22ba5)

    As can be seen in this code reuse analysis report (SHA256: 28d6a9a709b9ead84aece250889a1687c07e19f6993325ba5295410a478da30a), there is shared code with Mirage and Reaver. The compilation timestamp is from June 8, 2018 while the upload date to VirusTotal was June 9, 2018.

    Mirage and Reaver

    (VirusTotal)

    On VirusTotal, we can see there are only 10/66 detections for this binary, 11/66 for another similar version of MirageFox (SHA256: 97813e76564aa829a359c2d12c9c6b824c532de0fc15f43765cf6b106a32b9a5), and 9/64 for the third MirageFox binary that was uploaded (SHA256: b7c1ae10f3037b7645541acb9f7421312fb1e164be964ee7acd6eb1299d6acb2).

    Here’s a couple examples of code reuse similarities found in the Mirage family between one of the newer binaries and older ones.

    Remote Shell:

    Mirage family

    The function above is seen throughout many of the binaries in the Mirage family and is executed when a command is sent from the C&C. It is responsible for executing commands in cmd.exe (later down in the functions, not seen in the screenshot, it looks for cmd.exe and executes it using CreateProcessA).

    Configuration Decryption:

    Configuration Decryption

    Another small, but same important function in the photo above, is the function for decrypting the data containing the C&C configuration. Similar to Reaver as posted by Palo Alto, it gets the IP or domain of the C&C server, the port, name of the binary, a sleep timer, and what Palo Alto calls a “campaign identifier.”

    Technical Details

    At this moment, we were unable to retrieve the original infection vector and other information regarding what other tools the APT15 group is using to attack their targets. We are able to come up with a few very interesting conclusions about what is going on here, although we cannot say for sure what the case is without the full context.

    Firstly, the reason this has been named MirageFox instead of just Mirage, is because in the Export directory for the modules, the name field is filled with a string MirageFox_Server.dat.

    APT15 group

    Evidently in the image, you can see there is an exported function. The MirageFox binaries export a function called dll_wWinMain, the name of an export in vsodscpl.dll, a module by McAfee that is loaded by a few of their executables that import and call this function. This most likely means there is some type of DLL hijacking going on by distributing a legitimate McAfee binary with MirageFox to load up the DLL properly into a legitimate looking process. DLL hijacking techniques have been seen in the past with the APT15 group. The problem here is that once the export is called the first time, the module renames itself to sqlsrver.dll and there is no evidence within the module of any type of persistence. By renaming it to this, the future executions of the RAT will not be through a McAfee binary. The future persistence could be setup through another component of the malware or even a command sent by the C&C to the infected computer.

    The most interesting part is the decrypted C&C configuration, as can be seen in the image below.

    Decrypted Config:

    C&C IP: 192.168.0.107

    Port: 80

    Sleep Timer: 30000

    Campaign Identifier: Mirage

    If you look at it the decrypted configuration, you may notice that the IP being used for the C&C is an internal IP address. If you read the report mentioned above about RoyalAPT by NCC Group, it is mentioned that APT15 infiltrated an organization again after stealing a VPN private key, therefore we can assume this version was tailor made to an organization they have already infiltrated and are connecting to the internal network using a VPN.

    The rest of MirageFox functions similarly to previous malware created by APT15, first collecting information about the computer like the username, CPU information, architecture, and so forth. Then it sends this information to the C&C, opens a backdoor, and sits waiting for commands from the C&C with functionality such as modifying files, launching processes, terminating itself, and more functionality typically seen in APT15’s RATs.

    Conclusion

    There is high confidence that MirageFox can be attributed to APT15 due to code and other similarities in the MirageFox binaries. As is known about APT15, after infiltrating their target, they conduct a lot of reconnaissance work, send the commands from the C&C manually, and will customize their malware components to best suit the environment they have infected.

    IOCs

    MirageFox

    28d6a9a709b9ead84aece250889a1687c07e19f6993325ba5295410a478da30a

    97813e76564aa829a359c2d12c9c6b824c532de0fc15f43765cf6b106a32b9a5

    b7c1ae10f3037b7645541acb9f7421312fb1e164be964ee7acd6eb1299d6acb2

    RoyalAPT

    016948ec7743b09e41b6968b42dfade5480774df3baf915e4c8753f5f90d1734

    RoyalAPT C&C

    buy.healthcare-internet[.]com

    Mirage (w/ Same C&C Config Decryption)

    5787eff4b4d6ee5b4c5457c9af5e2f2e3c75204b5989606b1faa9b944dc49a30

    b6bd5d8f5a824db05c37dde459b60a5571df87966e00390f2df56628da49b856

    b9403fb1e3743617bcdf8c1e5dd332c325c1e1f2e79bef166261fec0091880cf

    ffaddb93042243926a964864e21a28365807ac5be843f5e690f9916cddbbd55b

    b0a2923e817ac982c89510e4bd8eab68892ee51e5fa625bd806508a4b701aa78

    da4dbc738d069fbcc9b96ab4af2bd3f7a87c7b69a4b47071e099e36b481dfa01

    f633df1fb42666f62eb23fd70dac4e3c0c4908af123f9335f3b58e6ea205df8a

    e67e58bc736bd54e6915cb43af5f3c332da3592839a5a4884ba141b089310815

    1534432fafb21c0479343bc2d9f3991e56c75baa41c54b3470d41055bb578f8f

    27a0ce9761363f6a1eafc719b96bbe1f9a426e50e8b5abf84db963efddb89a8d

    d22c2ef1453d5575e05a673777931e07c44734fe467a77969bebe86e26aacf98

    f85023ae81917a7fae0d987134a968ffad346d5c3b35d3a98e237419dd334696

    24b3c3527a2431d1c1dd27fe6566ddcaa8e4b92e31e468bb733e827350830a14

    57550ab2d20a757b24137ab764a2e9bf644fd8e1f4313bca22e04db7fa608cc2

    4d45ddc35abf77cded21bafe5483d345585c1d84f52a101a65ebfda88be5ad7d

    421f4c83898ff3ae9b2a94621140ef770888a8a0914b163cdae4690433173899

    c27fb5fd362fdaec2e344564f76197d01e1dc463ee3552b16452fc41e67f2709

    cec9c4e48fad6e4c2b7cf4bc34d357893ef878e8be076c9f680f297e06184c20

    Jay Rosenberg

    © Intezer.com 2021 All rights reserved