From September 2016 through late November 2016, a threat actor group used both the Trochilus RAT and a newly idenfied RAT we’ve named MoonWind to target organizations in Thailand, including a utility organization. We chose the name ‘MoonWind’ based on debugging strings we saw within the samples, as well as the compiler used to generate the samples. The attackers compromised two legitimate Thai websites to host the malware, which is a tactic this group has used in the past. Both the Trochilus and MoonWind RATs were hosted on the same compromised sites and used to target the same organization at the same time. The attackers used different command and control servers (C2s) for each malware family, a tactic we believe was meant to thwart attempts to tie the attacks together using infrastructure alone. The compromised websites are the site for a group of information technology companies in Thailand, and all the tools were stored in the same directory.
We were also able to find a post-compromise tool along with the two RATs, which afforeded us insight into one of the tools the attackers used once they gained a foothold inside an organization. In addition to Trochilus and MoonWind we found Mimikatz, a popular credential harvesting tool.
Further research led us to additional MoonWind samples using the same C2 (dns[.] webswindows [.]com) but hosted on a different compromised but legitimate website. The attacks in that case took place in late September to early October 2016 and the attackers stored the MoonWind samples as RAR files, while in the November attacks the RATs were stored as executables. We were not able to find additional tools, but the attackers again compromised a legitimate Thai website to host their malware, in this case the student portal for a Thai University.
The MoonWind sample used for this analysis was compiled with a Chinese compiler known as BlackMoon, the same compiler used for the BlackMoon banking Trojan. While a number of attributes match the BlackMoon banking Trojan, the malware is not the same. Both malware families were simply compiled using the same compiler, and it was the BlackMoon artifacts that resulted in the naming of the BlackMoon banking Trojan. But because this new sample is different from the BlackMoon banking Trojan, we have named it MoonWind, by combining the BlackMoon compiler artifacts with the embedded string below:
When MoonWind first runs, it will copy itself to one of the following locations with a filename of ‘svcohos.exe’:
- C:\Documents and Settings\All Users\Ufyaginptxb\
- C:\Users\All Users\
- C:\Program Files\Common Files\
It then executes a new instance of itself in a new process. Also, it will remove the original file via the following command that is executed in a batch script named 'date.bat’.
cmd /c timeout /t 6 & del "C:\ProgramData\Ufyaginptxb\svcohost.exe" & del date.bat
During this routine, a randomly generated victim identifier will be created and written to a file named 'micr.ini'. This file is located in the same path as the malware. The following contents represent an example of a victim ID contained in this file:
During the install routine, the malware will also setup a timer that will execute a file named 'sevrsvos.exe'. This sample (815df680be80b26b5dff0bcaf73f7495b9cae5e3ad3acb7348be188af3e75201) acts as a runtime persistence mechanism. It installs itself as a service with the following properties:
Service Name: Windows Ejlptxtxbfjn Rvzd
Display Name: Windows Ejlptxtxbfjn Rvzd
Description: Windows Ejlptxtxbfjn Rvzd Hlptxbfjnr
Startup Type: Automatic
This service serves the single purpose of checking every 60 seconds if the 'svcohos.exe' process is running. If not, the service will spawn a new instance of it. In doing so, this secondary malware sample acts as both a runtime persistence mechanism, as well as a persistence mechanism across reboots.
After installation, a keylogging routine begins. The malware writes keystrokes and window information to a filename in the present working directory with the following filename:
Additionally, it writes a 'win.ini' file that contains this file path above.
The malware proceeds to collect the following victim information:
- Windows version
- IP address
- Current time
- RAM amount
- Number of total drives
- Number of removable drives
- Unique victim identifier
After this information is aggregated, MoonWind enters its command and control loop, and begins reaching out to the servers and ports specified in its configuration embedded in the svcohos.exe file. The following remote hosts were specified in this particular sample:
While the ports associated with this sample’s configuration pertain normally to HTTP, HTTPS, or DNS, network communication takes place via raw sockets. The malware first receives data, which has the following format as shown in Figure 1:
Figure 1 C2 to MoonWind communication
Digging into the packet further, we can break out individual pieces, as seen in Figure 2:
Figure 2 MoonWind network communication packet format
The encrypted data portion is encrypted via RC4 with the following static key:
In the above example, the encrypted data decrypts to ‘\x20\x20\x20\x20\x20\x20’, or six spaces. This particular command requests that the malware send the previously collected victim information.
The data returned by MoonWind has the same format, however, uses the following static key for encryption instead:
An example of such data returned by the malware can be seen below in figure 3.
Figure 3 MoonWind to C2 communication
When decrypted, we see the data shown in Figure 4. Note that the first six bytes contains the return command (‘WYR002’), followed by the payload. The payload contains information previously discussed, delimited by ‘*/*’. Certain variables, such as ‘cdg’ and ‘ip’ are hardcoded. We also see what is most likely a malware versioning string at the end (V2.1). This string is also hardcoded to the sample.
Figure 4 Decrypted data sent by MoonWind
In total, MoonWind has 73 possibly commands that it can accept. We have not yet fully researched all of the commands, but the majority of them have been identified, as we can see in the Appendix.
Trochilus was first reported by Arbor Networks in their Seven Pointed Dagger report tying its use to other targeted Southeast Asia activity. The activity dates to at least 2013 and has ties to multiple reports by other researchers. It is highly likely MoonWind is yet another new tool being used by the group or groups responsible for that activity, indicating they are not only still active but continuing to evolve their playbook.
Palo Alto Networks customers are protected from this threat in the following ways:
- The malware discussed in this report is blocked by WildFire and Traps
- The domain names included in this report are blocked by Threat Prevention
AutoFocus subscribers can investigate the activities further with the following tags:
|\x20\x20\x20\x20\x20\x20||Returns collected victim information.||WYR002|
|WYR003||Spawns message box that allows victim to send a message.||WYR003|
|WYR005||Modifies services.||WYR005||Subcommands of either 'fuwu' (create service), 'exit' (stop service), 'stop' (pause service), 'reun' (continue service), or 'yrun' (start service)|
|WYR006||Returns a list of running processes.||WYR006|
|WYR007||Kills specified process.||None|
|qdcmdl||Spawns an interactive shell.||cmdok1|
|WYR009||Send command to interactive shell and receive results.||WYRCCC|
|WYR010||Terminates interactive shell.||None|
|WYR011||Get size of disks.||WYR011|
|WYR012||Returns space of given directory.||WYR012|
|WYR013||Return a directory listing of specified directory (C:\ default).||WYR013|
|WYR014||Execute specified command.||None|
|WYR015||Open specified command with ShellExecuteA.||None|
|WYR016||Open specified command with ShellExecuteA (Hidden).||None|
|WYR018||Perform directory listing with file attributes.||WYR018|
|xiazai||Read contents of file specified.||wrdown|
|cxqdcx||Restart MoonWind.||None||Uses %TEMP%/restart.bat to perform restart.|
|pingmu||Return screen resolution.||pmgksj|
|sbkzxx||Performs various mouse actions.||None||Subcommands of either 'sj' (double left-click), 'yk' (move to position and right-up), 'zk' (move to position and right-down), 'zx' (move to position and left-up), or 'yd' (move to position and left-down)|
|axjpsj||Submits keyboard inputs.||None|
|ksjljp||Starts keylogging functionality.||None|
|tzjljp||Stops keylogging functionality.||None|
|hqjljp||Return keylogging data.||jpjlhq|
|scjpjl||Deletes the keylogging file.||None|
|xzcxzs||Uninstalls malware.||None||Uses ‘x.bat’ to accomplish uninstall. Written to present working directory (PWD) of malware.|
|scmlcj||Creates specified directory.||mlwzcj|
|ycxjml||Creates specified directory.||None|
|xjwjcj||Writes specified file with provided contents.||None||Command format is
|shanwj||Deletes specified file.||None|
|shanml||Removes specified directory.||None|
|gengmj||Moves specified file.||None||Command format is ‘[src]|^|[dst]’.|
|ycgwjj||Sets hidden attribute on specified file.||None|
|copywj||Copies specified file.||copyok||Command format is ‘[src]^|^[dst]’.|
|fzmlwj||Copies specified directory.||copyok||Command format is ‘[src]^|^[dst]’.|
|qypxxl||Get disk space of specified drive.||qdypxx|
|xzwcyx||Executes specified command within batch script.||None||Uses ‘boot.bat’ to accomplish uninstall. Written to PWD of malware.|
|dqscds||Returns filesize of specified file.||qcwjcd|
|sswjsj||Finds specified file and returns results including attributes.||wjsswb|
|hqurl1||Returns C2 configuration of MoonWind.||qcsxdz|
|ghsxip||Writes data to win.dll and loads it.||sdczip|
|gxwjsy||Open specified command with ShellExecuteA.||None|
Indicators of Compromise
MoonWind Persistence Mechanism
Ignite ’17 Security Conference: Vancouver, BC June 12–15, 2017
Ignite ’17 Security Conference is a live, four-day conference designed for today’s security professionals. Hear from innovators and experts, gain real-world skills through hands-on sessions and interactive workshops, and find out how breach prevention is changing the security industry. Visit the Ignite website for more information on tracks, workshops and marquee sessions.