This post is also available in: 日本語 (Japanese)
Taiwan has been a regular target of cyber espionage threat actors for a number of years. Reasons for Taiwan being targeted range from being one of the sovereign states of the disputed South China Sea region to its emerging economy and growth with Taiwan being one of the most innovative countries in the High-Tech industry in Asia.
In early August, Unit 42 identified two attacks using similar techniques. The more interesting one was a targeted attack towards the Secretary General of Taiwan's Government office – Executive Yuan. The Executive Yuan has several individual boards which are formed to enforce different executing functions of the government. The Executive Yuan Council evaluates statutory and budgetary bills and bills concerning martial law, amnesty, declaration of war, conclusion of peace and treaties, and other important affairs. Given the important functions undertaken by the Executive Yuan office, it is not a surprise that they were targeted. The second attack was against an energy sector company also located in Taiwan.
The attacks in this case are associated with a campaign called Tropic Trooper, which has been active since at least 2011 and is known for heavily targeting Taiwan. One of the attacks used their known Yahoyah malware, but the other attack deployed the widely available Poison Ivy RAT. This confirms the actors are using Poison Ivy as part of their toolkit, something speculated in the original Trend Micro report but not confirmed by them. Further analysis uncovered a handful of ties indicating the actors may also be using the PCShare malware family, which has not been previously tied to the group.
Figure 1 shows the spear phishing email which was sent to the Secretary General of Executive Yuan. The email is spoofed so that it appears as though it was sent from a staff member at the Democratic Progressive Party (DPP).
Figure 1. Spear-phishing email with malicious attachment.
The document attached to this e-mail exploits CVE-2012-0158, a Microsoft Office vulnerability. This process is described in the Malware Analysis section later in this report, but one interesting aspect of this malicious was the decoy document the attacker chose to deploy.
As we have noted in many earlier reports, attackers commonly use decoy files to trick victims into thinking a malicious document is actually legitimate. After infecting the computer, the display a clean document to the victim that contains content that is relevant to them.
The decoy document used in this case is a spreadsheet with four tabs, respectively titled “example,” “0720,” “0721,” and “1041109 full update”. All of the text uses Traditional Chinese, in contrast to Simplified Chinese, which is the official written language of the People's Republic of China. Traditional Chinese is used in Taiwan, Hong Kong, Macau, and many overseas Chinese communities. The overarching theme of the spreadsheet is documenting protestor activity and/or progressive reform attempts in progress across Taiwan and the tone of the spreadsheet suggests it was compiled by progressive supporters. Because we were unable to find the spreadsheet online, and there is specific persona data included related to these movements and protests, we are not including any screen shots except for the one below.
Figure 2. The four tabs in the decoy spreadsheet.
The “example” spreadsheet tab is exactly as described – it contains the headers and suggested information within two of the remaining three tabs. The headers themselves translate, from left to right, to “responsible department,” “issue,” “developments this week,” “political situation judgment,” and “related information.” The tab labeled 0721 only has the matching headers and no additional information. None of the information in the spreadsheet relates to activities past 2015, and there are references made to the then upcoming January 16, 2016 elections in Taiwan. In that election the DPP won, displacing the Chinese Nationalist Party (KMT) for only the second time in history, and with Taiwan’s first female President.
The spreadsheet labeled 0720 refers to the Anti-Black Box Movement, which was a protest by Taiwanese high school students against certain proposed curriculum changes. The use of “black box” by the protestors is in reference to former Taiwanese President Ma Ying-Jeou’s government and its lack of transparency concerning government decisions. Protestors occupied Taiwan’s Ministry of Education last July. A resolution passed by Taiwan’s legislature and approved by the Executive Yuan in May of this year delayed implementing that curriculum until 2020 to allow time for the act to be amended.
The Anti-Black Box Movement is related to the Sunflower Student Movement, a coalition of both student groups and other civic organizations that protested the Cross-Strait Trade Agreement between Taiwan and the PRC, feeling it would hurt Taiwan’s economy and increase the PRC’s sway over the island. On March 17 2014, the KMT, the ruling party at the time, tried to force a vote without a previously agreed clause by clause review with the DPP. The following evening protesters occupied the Legislative Yuan, the first time that had occurred Taiwan’s history. On March 23 of the same year, after then President Ma re-affirmed he supported the pact and would not alter or drop it, protestors occupied the Executive Yuan where over 150 were injured and 61 arrested.
The final tab contains the most information of the three and has different headers. From left to right, the headers are titled “responsible person(s),” “summary of issues and major groups,” “crisis simulation, political judgment, and recommendations,” “degree of tension,” and “participating members.”
- Information related to the November 2015 "Autumn Struggle" protest, which is an annual protest first done in 2013.
- Information on a Taichung City government development proposal being protested largely on environmental impact grounds, and protestor demands.
- Army 1st Special Forces veterans attempt to receive compensation for alleged illegal extension of forced military service
- The recently settled case where toll workers forced into unemployment by the Taiwanese government’s agreement with the Far Eastern Electronic Toll Collection Company to create a national electronic toll collection system ended up resulting in the 2013 layoffs of hundreds, who have since protested for new jobs as well as lost severance and pension.
- Kaohsiung refinery closing and protestor demands, also largely related to environmental effects and necessary cleanup; the refinery officially closed at the end of December 2015
- Closely watching any trade agreements between the Malaysian government and Taiwan
- Potential environmental and current residential issues related to the development of the Aerotropolis around Taoyuan International Airport, which is intended to create a major transportation hub and industry center for Asia with infrastructure for corporate research and development, conference centers, and other facilities.
- The Puyu Development Plan, which is part of Taiwan’s Knowledge-based Economy plan
- Taiwan’s 12-year compulsory education plan
- Anti-Black Box Movement demands and recent activity
- Improving working conditions for Taiwanese firefighters
- Pension reforms
- The Nest Movement, which started in 2014 and is related to the older “Shell-less Snail Movement,” focused on affordable housing, neighborhood and urban development, ending forced demolition and relocation, property tax reform, and related housing issues
- The Environmental Impact Assessment (EIA) voted on by the Environmental Protection Bureau (EPB) for the Dongshi-Fengyuan Expressway, part of the National Highway #4 Project and anti-eviction efforts
- Kaohsiung water quality issues and related projects
- Same sex marriage legalization
- Protecting old trees in Kaohsiung amidst construction for a new “green” library; most of the designated “precious trees” are rare exotic species
- Indigenous peoples in Kaohsiung land return
- Activities against the Miramar Resort Village, including the revocation of the EIA, forcing development to halt
- Lowering the voting age in Taiwan from 20 to 18
The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158, which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors. This matches with known Tactics, Techniques, and Procedures (TTPs) for Tropic Trooper, targeting both government institutions and also the energy industry in Taiwan.
The delivery document uses the XLSX extension typically used by OpenXML documents, but the file itself is actually an OLE (XLS) document. The file extension to file type discrepancy was caused by the actor using Excel's built-in encryption capability, which stores XLSX ciphertext and the information needed for decryption in an OLE document.
Type: CDF V2 Document, No summary info
Size: 327128 bytes
Table 1. Details of the malicious document attached to the e-mail.
The embedded shellcode enumerates open handles for a file with a size greater than 0xa6f0 (Decimal - 42736) bytes. It will then set the file pointer to 0xa6e8 (Decimal - 42728) and starts looking for the following delimiter:
If it finds this delimiter, the shellcode knows it is working with the correct file and continues by reading 0x600 (decimal 1536) bytes following this delimiter. The shellcode then decrypts the first 0xc0 (decimal 192) DWORDs of the data read from the file using an XOR algorithm that decrypts one DWORD of ciphertext at a time with 0x29f7c592. The resulting cleartext is a second piece of shellcode that continues carrying out further functionality.
The secondary shellcode starts by resolving the following API functions using a ROT13 hashing algorithm:
Immediately following these API functions there are three DWORDS; one used to locate the payload embedded within the exploit file, one for the size of the payload, and one for the size of decoy document. The two size values are added together to get the length of the ciphertext that the shellcode will decrypt. In the sample we analyzed, the following values were present, showing that the payload is at offset 0xabc0 and has a size of 0x45218:
DWORD offset_toPayload; (0ABC0h)
DWORD payload_Size; (1C600h)
DWORD decoy_Size; (28C18h)
The shellcode then creates a string that it uses to create a registry key to automatically run the final payload each time the system starts. It then opens the registry key 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon' and sets the value to the "Shell" subkey to the previously created string. Ultimately, the following registry key is created for persistence:
"explorer.exe,rundll32.exe "C:\Documents and Settings\Administrator\Application
It then uses the "offset_toPayload" value as an offset that it will read 283160 (45218h) bytes from the XLS file. The shellcode then enters a decryption loop to convert the embedded payload from ciphertext to cleartext. The algorithm uses the length of the ciphertext negated as the initial encryption key, which it bit rotates right by 1 to adjust the key for each of decryption. It will use this key to decrypt four bytes of the ciphertext with the XOR operation until all the ciphertext is decrypted. During each iteration of the decryption process, the algorithm will check to make sure the four bytes of ciphertext are not equal to the key or equal to zero before decrypting the ciphertext. The following table contains the first five rounds of the algorithm to explain the decryption process:
|0||~0x45218 = 0xFFFBADE8 >> 1 = 0x7FFDD6F4||0x7F6D8CB9||0x00905a4d = MZ\x90\x00|
|1||0x7FFDD6F4 >> 1 = 0x3FFEEB7A||0x3FFEEB79||0x03 = \x03\x00\x00\x00|
|2||0x3FFEEB7A >> 1 = 0x1FFF75BD||0x1FFF75B9||0x04 = \x04\x00\x00\x00|
|3||0x1FFF75BD >> 1 = 0x8FFFBADE||0x8FFF4521||0xFFFF = \xff\xff\x00\x00|
|4||0x8FFFBADE >> 1 = 0x47FFDD6F||0x47FFDDD7||0xB8 = \xb8\x00\x00\x00|
|5||0x47FFDD6F >> 1 = 0xA3FFEEB7||0x00000000||0x00000000 = \x00\x00\x00\x00|
|6||0xA3FFEEB7 >> 1 = 0xD1FFF75B||0xD1FFF71B||0x40 = \x40\x00\x00\x00|
|7||0xD1FFF75B >> 1 = 0xE8FFFBAD||0x00000000||0x00000000 = \x00\x00\x00\x00|
|8||0xE8FFFBAD >> 1 = 0xF47FFDD6||0x00000000||0x00000000 = \x00\x00\x00\x00|
|9||0xF47FFDD6 >> 1 = 0x7A3FFEEB||0x00000000||0x00000000 = \x00\x00\x00\x00|
|10||0x7A3FFEEB >> 1 = 0xBD1FFF75||0x00000000||0x00000000 = \x00\x00\x00\x00|
|11||0xBD1FFF75 >> 1 = 0xDE8FFFBA||0x00000000||0x00000000 = \x00\x00\x00\x00|
|12||0xDE8FFFBA >> 1 = 0x6F47FFDD||0x00000000||0x00000000 = \x00\x00\x00\x00|
|13||0x6F47FFDD >> 1 = 0xB7A3FFEE||0x00000000||0x00000000 = \x00\x00\x00\x00|
|14||0xB7A3FFEE >> 1 = 0x5BD1FFF7||0x00000000||0x00000000 = \x00\x00\x00\x00|
|15||0x5BD1FFF7 >> 1 = 0xADE8FFFB||0xADE8FEF3||0x108 = \x08\x01\x00\x00|
|16||0xADE8FFFB >> 1 = 0xD6F47FFD||0xD84E60F3||0xEBA1F0E = \x0e\x1f\xba\x0e|
|17||0xD6F47FFD >> 1 = 0xEB7A3FFE||0x26738BFE||0xCD09B400 = \x00\xb4\x09\xcd|
|18||0xEB7A3FFE >> 1 = 0x75BD1FFF||0x39BCA7DE||0x4C01B821 = \x21\xb8\x01\x4c|
|19||0x75BD1FFF >> 1 = 0xBADE8FFF||0xD28AAE32||0x685421CD = \xcd!Th|
|20||0xBADE8FFF >> 1 = 0xDD6F47FF||0xAD4F3496||0x70207369 = is p|
|21||0xDD6F47FF >> 1 = 0xEEB7A3FF||0x9CD0CC8D||0x72676F72 = rogr|
|22||0xEEB7A3FF >> 1 = 0xF75BD1FF||0x947BBC9E||0x63206D61 = am c|
|23||0xF75BD1FF >> 1 = 0xFBADE8FF||0x94C3869E||0x6F6E6E61 = anno|
|24||0xFBADE8FF >> 1 = 0xFDD6F47F||0x98B4D40B||0x65622074 = t be|
|25||0xFDD6F47F >> 1 = 0xFEEB7A3F||0x909E081F||0x6E757220 = run|
Table 2. Decrypting the payload
As you can see from the table above, the algorithm decrypts what is an embedded portable executable that acts as the payload in this attack. The embedded payload is written to %APPDATA\Identities\Identities.ocx and has the following attributes:
Type: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Size: 116224 bytes
Compiled: 2016-05-23 07:00:51
The decoy document, described in the section above, is saved to %TEMP%\進步議題工作圈議題控管表.xlsx and has the following attributes:
Type: Zip archive data, at least v2.0 to extract
Size: 166936 bytes
Last Modified By: Windows 用户
Created: 2016:07:21 03:15:34Z
Modified: 2016:07:21 07:30:17Z
The shellcode will move the decoy document to the location of the originally executed XLSX file and will create the following command:
cmd /c start excel /e “<path to original XLSX file, now decoy
Before running the above command to open the decoy document, the shellcode enumerates the running processes on the system, specifically looking for processes created for an executable with a filename that starts with “avp.”, presumably in an attempt to find Kaspersky’s antivirus process. If the process is found, the shellcode will not open the decoy document and exits.
The shellcode does not launch the payload, rather it relies on the registry key it created for persistence to execute the payload when the user reboots the system, meaning during dynamic analysis the execution of the payload may be missed.
Delivered Payload – Poison Ivy
When the system starts up, the persistence registry key will launch the Identities.ocx payload and call its “SSSS” exported function. The “SSSS” function checks to make sure that the DLL is running within the context of a “rundll32.exe” process and then begins piecing 0x141B bytes of data together in the correct order to build the shellcode of the Poison Ivy Trojan.
We found and parsed the following configuration from the Poison Ivy shellcode:
Campaign ID: MyUser
Group ID: MyGroup
C2 Cnt: 3
- C2 #0: 126.96.36.199:443
- C2 #1: news.hpc.tw:53
- C2 #2: account.sino.tw:80
Comm Key: twone
Auto-remove Dropper Flag: 1
Active Setup value name: StubPath
Default browser path reg key: SOFTWARE\Classes\http\shell\open\command
Active Key registry key: Software\Microsoft\Active Setup\Installed Components\
Looking for more samples which exhibited the same file structure, encryption and obfuscation to deliver the above Poison Ivy sample yielded only two additional samples. In the other two instances the delivered payloads were respectively PCShare and Yahoyah. PCShare has not been previously associated with Tropic Trooper, but in addition to the aforementioned overlaps, the two samples have passive DNS overlap with some known Tropic Trooper infrastructure. For those reasons, we assess with limited confidence the group is also using this malware family.
Figure 3. The limited ties between C2 infrastructure used by Yahoyah samples (top) and PCShare malware samples (bottom).
The below table shows the details of the documents, payload delivered and the C2 servers used for communications.
It is interesting to see that the exploit documents we found had either low or no detections on most popular antivirus engines, showing that the threat actors behind this campaign have been having considerable success in bypassing static analysis undertaken by traditional antivirus solutions with this technique.
We further expanded our search using the AutoFocus Threat Intelligence platform on the IOCs extracted from the PIVY, PCShare and Yahoyah payloads and found 42 samples which either matched unique behaviors, the unique PIVY mutex or had common C2 infrastructure. The hashes of all the samples found are given in the appendix section at the end of this blog.
Figure 4 below shows the compilation timestamps of the payload samples found using AutoFocus. Given some of the payloads that were used in recent attacks, which were compiled months before, it shows that the threat actor group continues to reuse the payload within their exploit documents.
Figure 4. Payload Compilation Timelines
The below Maltego graph shows some of the shared infrastructure which have been used by Tropic Trooper. The complete list of indicators on the graph can also be found in the appendix section of this report.
Figure 5 Maltego graph of Tropic Trooper infrastructure
The Tropic Trooper threat actor group has been known to target governments and organizations in the Asia Pacific region for at least six years. In addition to using Yahoyah malware, we were able to confirm they are also using Poison Ivy and possibly PCShare malware families. They are also still exploiting CVE 2012-0158, as are many threat actors. Palo Alto Networks customers are protected from Tropic Trooper’s malicious activities by:
- WildFire correctly identifies all related malware as malicious
- The C2 infrastructure are classified as malicious in PAN-DB
- Traps prevents exploitation of CVE-2012-0158
Autofocus customers can discover additional information on Tropic Trooper via the following AutoFocus tags:
Samples matching unique indicators, behaviors and C2 infrastructure from the payload extracted out of the malicious documents:
|C2 HTTP requests|