The “Enfal” APT is back!

Check out our paper, “The Enfal APT is Back”, for a fuller account.

Introduction

TRAPMINE has discovered an ongoing series of targeted attacks against government institutions. Most of the institutions targeted by the attackers are located in Kazakhstan, Mongolia, Vietnam and Russia.

After a quick analysis of the exploits and malware used in the campaign, we identified that the group behind it is the same one behind the Lurid / Enfal APT attacks.

It was unclear who was behind the Lurid / Enfal attacks, but there were some connections with threat actors in China. We believe that the current attack campaign has some connections with threat actors in North Korea.

Who is behind the attack?

When we analyze this campaign, we see that the attackers chose specific targets. In particular, they targeted key researchers from national strategic research centers and institutes. These targeted researchers usually work on subjects related to North Korea, and some have various publications on the economics and politics of North Korea. This is why we suspect that the attackers may be sponsored by North Korea.

Attack Vector

The attackers usually send phishing emails to targets with a DOC document attached. The document exploits well-known vulnerabilities in Microsoft Office, such as CVE-2012-0158.

Sample email used in attacks

Technical Analysis

The shellcode in the exploit is XOR-encrypted with the key “9E”. It is easy to decrypt it in memory and learn what it does. As far as we can tell, it drops a file called “xpsfiltsvc.tmp” and registers it in the registry for autorun. It is actually a downloader.

The DLL has several exports, such as XpsRegisterServer, XpsUnregisterServer and StartAddress. The DLL can be loaded through rundll32.exe with “XpsRegisterServer” as the entry-point parameter.

The downloader is very interesting. The attackers use some clever tricks, such as simulating GetProcAddress in an alternative way: as we can see, LoadLibrary is not followed by the usual GetProcAddress call.

Instead of GetProcAddress, they walk the export address table (EAT) obtained through ImageDirectoryEntryToData, by calling sub_10001738:

They specify three bytes of the name of the function to be called from the library. Then they scan the whole EAT obtained through ImageDirectoryEntryToData and compare those bytes against each exported function name to find a match.

As you can see below, they do not call GetProcAddress(wininet.dll, InternetConnectA). To get the address of InternetConnectA, their sub-function scans the EAT and finds the export whose name has “e” at byte 3, “C” at byte 8 and “A” at byte 15 (zero-based offsets). So the malware never stores these function names as strings in the binary, which is a neat bypass trick.
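To make the lookup concrete for the analyst, here is an added example (not TRAPMINE's code and not taken from the malware) that resolves which export a fixed-offset byte signature selects, and reports export names that such a lookup could not tell apart. The wininet.dll export list is a constructed subset for demonstration; offsets and bytes are the ones described above.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed subset of wininet.dll export names, for demonstration only;
# a real analysis would dump the DLL's full export table.
SAMPLE_WININET_EXPORTS: List[str] = [
    "HttpOpenRequestA", "HttpOpenRequestW", "HttpSendRequestA",
    "InternetCanonicalizeUrlA", "InternetCloseHandle", "InternetConnectA",
    "InternetConnectW", "InternetCrackUrlA", "InternetOpenA", "InternetOpenW",
    "InternetReadFile", "InternetSetOptionA",
]

# Signature described in the analysis (zero-based offset -> expected byte).
ENFAL_INTERNETCONNECT_SIG: Dict[int, str] = {3: "e", 8: "C", 15: "A"}


def matches_signature(name: str, signature: Dict[int, str]) -> bool:
    """True if every offset in `signature` holds the expected byte in `name`.
    A name shorter than the highest offset cannot match."""
    return all(off < len(name) and name[off] == ch for off, ch in signature.items())


def resolve_by_offsets(exports: List[str], signature: Dict[int, str]) -> List[str]:
    """All exports that satisfy the signature, in table order.
    More than one hit means the lookup is ambiguous for that export table."""
    return [n for n in exports if matches_signature(n, signature)]


def signature_for(name: str, offsets: List[int]) -> Dict[int, str]:
    """The signature a lookup at `offsets` would need in order to select `name`."""
    if max(offsets) >= len(name):
        raise ValueError(f"{name!r} is too short for offsets {offsets}")
    return {off: name[off] for off in offsets}


def colliding_exports(exports: List[str], offsets: List[int]) -> List[List[str]]:
    """Groups of export names that share one signature at `offsets`, i.e. the
    names a fixed-offset lookup could not distinguish. Short names are skipped."""
    groups = defaultdict(list)
    for name in exports:
        if max(offsets) < len(name):
            groups[tuple(name[off] for off in offsets)].append(name)
    return [g for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    print(resolve_by_offsets(SAMPLE_WININET_EXPORTS, ENFAL_INTERNETCONNECT_SIG))
    print(colliding_exports(SAMPLE_WININET_EXPORTS, [3, 8, 15]))
```

Against this sample table the signature resolves uniquely to InternetConnectA, while HttpOpenRequestA and HttpSendRequestA collide at the same three offsets, which is the kind of ambiguity to check for when recovering the API set from a sample.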

The downloader communicates with the “question.eboregi.com” domain to download the actual malware.

YARA Rule

rule Enfal_Downloader {
    meta:
        description = "Enfal Downloader YARA Rule"
        author = "TRAPMINE"
        date = "2015/05/07"
        sha1 = "695f73cf0f85ebaca280e265b9acefc8967ce1cb"

    strings:
        $st1 = "DF64159.TMP" fullword
        $st2 = "iphlpsvc.tmp" fullword
        $st3 = "XpsUnregisterServer" fullword
        $st4 = "XpsRegisterServer" fullword
        $st5 = "{86A43R7C-F91F-4054-9076-301AC5EC03F7}" fullword

    condition:
        // "MZ" DOS header magic, i.e. a PE file, plus every string above
        uint16(0) == 0x5A4D and all of ($st*)
}