Operation Dragon Castling: APT group targeting betting companies

March 30, 2022

When analyzing the binary, analysts discovered a potential security issue that allows an attacker to use the updater to communicate with a server controlled by the attacker. This enables malicious actions on the victim's system, including downloading and running arbitrary executables.

To exploit the vulnerability, a registry key under HKEY_CURRENT_USER needs to be modified. By doing this, an attacker gains persistence on the system and control over the update process.

Fake Update Server and Malicious Binary

In the analyzed case, the malicious binary was downloaded from the domain update.wps[.]cn, a domain belonging to Kingsoft. However, the serving IP (103.140.187.16) has no relationship to the company, leading analysts to assume it is a fake update server used by attackers.

The downloaded binary (setup_CN_2052_11.1.0.8830_PersonalDownload_Triale.exe - B9BEA7D1822D9996E0F04CB5BF5103C48828C5121B82E3EB9860E7C4577E2954) drops two files for sideloading:

  • QMSpeedupRocketTrayInjectHelper64.exe - a signed Tencent Technology file (a3f3bc958107258b3aa6e9e959377dfa607534cc6a426ee8ae193b463483c341)
  • QMSpeedupRocketTrayStub64.dll - a malicious DLL

Malware Execution and Communication with C&C

First Stage: Backdoor Operations

The first stage of the malware is a backdoor communicating with a C&C server (mirrors.centos.8788912[.]com). Before contacting the C&C server, the backdoor performs several preparatory operations:

  • Hooks three functions: GetProcAddress, FreeLibrary, LdrUnloadDll
  • Reads the C&C domain stored as a wide string in clear text in the binary
  • Initializes an object for a JScript class with the named item ScriptHelper
  • Uses the ImpersonateLoggedOnUser API Call to re-use a token from explorer.exe
  • Redirects HKEY_CURRENT_USER to another user’s registry using RegOverridePredefKey
  • Constructs a User-Agent string containing system information

Exfiltration of System Information

The malware exfiltrates the following data:

  • Internet Explorer version
  • Windows version
  • User Agent\Post Platform registry values

Execution of JScript Code

After collecting system information, the malware constructs JScript code for execution:

  • Defines variables for the C&C domain and a hardcoded key
  • Sends an HTTP GET request to /api/connect to receive encrypted JScript code
  • Decrypts and executes the received JScript code

Second Dropper: Privilege Escalation and Payload Execution

Privilege Escalation

The second dropper attempts to escalate privileges using COM Session Moniker Privilege Escalation (MS17-012). The malware uses AES-256 encryption to secure its data:

  • The encryption key starts at offset 0x8
  • The encrypted data starts at offset 0x528
  • Uses SHA256 hashing and CryptDecrypt API for decryption

Once the payloads are decrypted and decompressed, bdservicehost.exe is executed to run the next stage.

Loader (CoreX) DLL: Sideloading and Further Execution

Loader Initialization

The Loader (CoreX) DLL is sideloaded during the second dropper stage and hooks two API functions:

  • GetProcAddress
  • FreeLibrary

Decryption of Embedded Data

The main code checks if it was loaded by regsvr32.exe and then decrypts a file stored as syscfg.dat. The decryption process:

  • Uses the computer name as the key
  • Uses qwertyui12345678 as the IV
  • Employs AES-256 encryption

Evasion and Execution of Shellcode

The malware performs evasive actions:

  • Checks if ekrn.exe (ESET Kernel service) is running
  • Attempts to remap ntdll.dll to bypass security hooks
  • Decompresses and executes shellcode to load the next-stage DLL
  • Enumerates Zw functions to bypass security solutions

Core Module: Malware Operations

Core Module Responsibilities

The core module is a single DLL that handles:

  • Setting up the malware’s working directory
  • Loading configuration files
  • Updating its code
  • Loading plugins
  • Beaconing to C&C servers and waiting for commands

Malware Persistence and Evasion Techniques

The core module:

1. Verifies execution conditions

  • Ensures it is executed by spdlogd.exe
  • Terminates if executed by rundll32.exe

2. Uses message callbacks for execution

  • Creates a window with ID 0x411 for executing functions

3. Loads configuration files

  • Searches for inst.dat and smcache.dat to determine its working directory and C&C details

4. Creates a log file based on the victim’s username and malware campaign ID

Malware Communication with C&C Servers

Initial C&C Contact

The malware sends a base64-encoded LZNT1-compressed buffer to the C&C, containing:

  • Generated UUID
  • Victim’s username, OS version, architecture
  • DNS and BIOS names
  • Campaign identifier from smcache.dat or comment.dat
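An analyst who captures this initial contact has to undo the two encodings in reverse order: base64 first, then LZNT1 (the Windows RtlCompressBuffer format). The block below is an added example written for this summary; it is not code from the report or from the malware. The LZNT1 decompressor follows the documented chunk/flag/token layout; the compressor is included only so the example round-trips offline, and the key=value beacon layout, field values and campaign id are constructed assumptions (the report lists the fields but not their wire format).

```python
import base64
import struct

# Hand-built known-answer vector for this example: one LZNT1 chunk encoding
# b"ABCABCABCABC" as three literals plus a length-9 back-reference at distance 3.
KNOWN_CHUNK = bytes.fromhex("05b0084142430620")


def _split(pos):
    """Length mask / offset shift for a token after `pos` output bytes of a chunk."""
    p, l_mask, o_shift = pos - 1, 0xFFF, 12
    while p >= 0x10:                          # displacement field widens as chunk grows
        l_mask, o_shift, p = l_mask >> 1, o_shift - 1, p >> 1
    return l_mask, o_shift


def lznt1_decompress(data):
    """Decompress an LZNT1 stream as produced by RtlCompressBuffer."""
    out, i = bytearray(), 0
    while i + 2 <= len(data):
        header = struct.unpack_from("<H", data, i)[0]
        i += 2
        if header == 0:                       # terminator chunk
            break
        end = i + (header & 0xFFF) + 1
        if end > len(data):
            raise ValueError("truncated LZNT1 chunk")
        if not header & 0x8000:               # stored chunk: copied verbatim
            out += data[i:end]
            i = end
            continue
        chunk = bytearray()                   # back-references never cross chunks
        while i < end:
            flags, i = data[i], i + 1
            for bit in range(8):
                if i >= end:
                    break
                if not (flags >> bit) & 1:    # literal byte
                    chunk.append(data[i])
                    i += 1
                    continue
                if i + 2 > end:
                    raise ValueError("truncated back-reference token")
                token = struct.unpack_from("<H", data, i)[0]
                i += 2
                l_mask, o_shift = _split(len(chunk))
                length, offset = (token & l_mask) + 3, (token >> o_shift) + 1
                if offset > len(chunk):
                    raise ValueError("back-reference before chunk start")
                for _ in range(length):       # byte-wise copy handles overlapping runs
                    chunk.append(chunk[-offset])
        out += chunk
    return bytes(out)


def lznt1_compress(data, chunk_size=4096):
    """Greedy LZNT1 compressor, here only so the example round-trips offline."""
    out = bytearray()
    for start in range(0, len(data), chunk_size):
        chunk, body, pos = data[start:start + chunk_size], bytearray(), 0
        while pos < len(chunk):
            flags, group = 0, bytearray()
            for bit in range(8):
                if pos >= len(chunk):
                    break
                l_mask, o_shift = _split(pos)
                max_len, max_off, best_len, best_off = l_mask + 3, 1 << (16 - o_shift), 0, 0
                for off in range(1, min(pos, max_off) + 1):
                    n = 0
                    while (n < max_len and pos + n < len(chunk)
                           and chunk[pos + n - off] == chunk[pos + n]):
                        n += 1
                    if n > best_len:
                        best_len, best_off = n, off
                if best_len >= 3:
                    flags |= 1 << bit
                    group += struct.pack("<H", ((best_off - 1) << o_shift) | (best_len - 3))
                    pos += best_len
                else:
                    group.append(chunk[pos])
                    pos += 1
            body.append(flags)
            body += group
        if len(body) >= len(chunk):           # incompressible: emit a stored chunk
            out += struct.pack("<H", 0x3000 | (len(chunk) - 1)) + chunk
        else:
            out += struct.pack("<H", 0xB000 | (len(body) - 1)) + body
    return bytes(out)


# Constructed beacon body in the shape the report lists (UUID, user, OS version,
# architecture, DNS/BIOS names, campaign id); the key=value layout is an assumption.
SAMPLE_BEACON = (b"uuid=00000000-1111-2222-3333-444444444444\nuser=analyst\n"
                 b"os=10.0.19044\narch=x64\ndns=WORKSTATION-01\nbios=WORKSTATION-01\n"
                 b"campaign=CAMPAIGN-ID-PLACEHOLDER\n")


def encode_beacon(body):                      # the malware's order: LZNT1, then base64
    return base64.b64encode(lznt1_compress(body)).decode()


def decode_beacon(b64_text):
    """Analyst side: base64-decode, LZNT1-decompress, split into fields."""
    raw = lznt1_decompress(base64.b64decode(b64_text))
    return dict(line.split("=", 1) for line in raw.decode().splitlines() if "=" in line)
```

Feed `decode_beacon` the raw request body from a proxy or packet capture; the decompressor rejects tokens that point before the start of their chunk or run past the chunk end, which is how a corrupted or truncated capture shows up instead of silently producing garbage.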

HTTP Communication Setup

The core module opens two persistent HTTP request handles:

  • POST request: Sends an empty buffer to /connect
  • GET request: Retrieves data from the C&C
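The network indicators scattered through this summary (the C&C domain, the legitimate update domain served from an unrelated IP, and the /api/connect and /connect paths) can be turned into a proxy-log check. The block below is an added example, not code from the report; the CSV log layout, source addresses and the non-indicator destination IPs are constructed for the example, while the domains, the 103.140.187.16 address and the paths come from the report. The point worth noting is the pairing: update.wps.cn is Kingsoft's real domain, so it should only fire when it resolves to the unrelated serving IP.

```python
import csv
import io
from dataclasses import dataclass

# Indicators from the report. The domain/IP pairing is deliberate: the update
# domain is legitimate and only becomes an indicator when served from this IP.
CNC_DOMAINS = {"mirrors.centos.8788912.com"}
FAKE_UPDATE_SERVERS = {"update.wps.cn": {"103.140.187.16"}}
BEACON_PATHS = {"/api/connect", "/connect"}

# Constructed proxy-log excerpt; the CSV layout is an assumption for this
# example, not any product's real format. Non-indicator IPs use RFC 5737 ranges.
SAMPLE_LOG = """ts,src,method,host,dst,path
2022-03-01T10:00:01Z,10.0.0.5,GET,update.wps.cn,103.140.187.16,/setup_CN_2052_11.1.0.8830_PersonalDownload_Triale.exe
2022-03-01T10:00:09Z,10.0.0.5,GET,mirrors.centos.8788912.com,203.0.113.10,/api/connect
2022-03-01T10:01:00Z,10.0.0.7,GET,update.wps.cn,198.51.100.20,/update.xml
2022-03-01T10:02:00Z,10.0.0.9,POST,intranet.example.com,10.0.0.50,/connect
2022-03-01T10:03:00Z,10.0.0.5,POST,mirrors.centos.8788912.com,203.0.113.10,/connect
"""


@dataclass(frozen=True)
class Hit:
    severity: str    # "high": a report indicator matched; "low": needs triage
    reason: str
    src: str
    host: str
    path: str


def scan_proxy_log(text):
    """Match each request against the report's indicators, strongest rule first."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        host, dst, path = row["host"].lower(), row["dst"], row["path"]
        if host in CNC_DOMAINS:
            hits.append(Hit("high", "request to known C&C domain", row["src"], host, path))
        elif dst in FAKE_UPDATE_SERVERS.get(host, ()):
            hits.append(Hit("high", "update domain served from unrelated IP", row["src"], host, path))
        elif path in BEACON_PATHS:
            # A path alone is a weak signal (generic names); surface it for triage only.
            hits.append(Hit("low", "beacon-style path on unlisted host", row["src"], host, path))
    return hits


def hosts_for_triage(hits):
    """Source addresses with at least one high-severity indicator match."""
    return sorted({h.src for h in hits if h.severity == "high"})
```

Running `scan_proxy_log(SAMPLE_LOG)` flags the download from the fake update server and both beacon requests to the C&C domain as high severity, surfaces the internal /connect request as low severity for triage, and leaves the request to update.wps.cn that resolved elsewhere alone.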

Malware Plugins

The core module loads multiple plugins to expand its functionality:

Core Plugin

  • Manages additional plugins
  • Stores plugin binaries as kbg.dat

Zload Plugin (Atomx.dll, xps1.dll)

  • Persistence setup by modifying Windows SSPs
  • Creates a backdoor user account
  • Uses UAC bypass techniques
  • Hides the malware by renaming processes

MecGame Plugin

  • Executes spdlogd.exe
  • Registers an RPC interface for further communication

MulCom Plugin

  • Provides backdoor functionality
  • Communicates over HTTP and TCP protocols
  • Uses RC4 encryption and aPack compression
  • Supports proxy authentication (SOCKS4, SOCKS5, NTLM, etc.)

Conclusion

This malware campaign employs multiple layers of evasion, persistence, and privilege escalation techniques. It leverages malicious updates, sideloaded DLLs, and advanced encryption methods to maintain control over infected systems. Security teams should monitor registry modifications, network traffic anomalies, and process injections to detect and mitigate these threats.
