| SHA256 | Name | VirusTotal Date | PE Timestamp | C2 | Family |
| --- | --- | --- | --- | --- | --- |
| a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b | RavAudio64.exe | 2019-12-03 | 7 Jan 2010 | menu.thehuguardian[.]com | Ketrum1 |
| 271384a078f2a2f58e14d7703febae8a28c6e2d7ddb00a3c8d3eead4ea87a0c0 | – | 2020-05-16 | 13 May 2020 | www.thehuguardian[.]com | Ketrum2 |
| aacaf0d4729dd6fda2e452be763d209f92d107ecf24d8a341947c545de9b7311 | – | 2020-05-17 | 13 May 2020 | www.thehuguardian[.]com | Ketrum2 |

Table 1
The C2 domain was registered at the end of 2019, which leads us to believe that the first PE timestamp has been tampered with, while the latter two timestamps are at least close to the actual compilation date. It is also important to note that the C2 was registered in China and stopped operating in mid-May.

Best of Both Worlds

We documented some interesting differences between the backdoors:

| Feature | Ketrican | Okrum | Ketrum1 | Ketrum2 |
| --- | --- | --- | --- | --- |
| Identify installed proxy servers and use them for HTTP requests | ❌ | ✅ | ✅ | ✅ |
| Special folder retrieval using the registry key [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders] | ✅ | ❌ | ✅ | ✅ |
| The response from the server is an HTTP page with backdoor commands and arguments included in the HTML fields | ✅ | ❌ | ❌ | ✅ |
| Backdoor commands are determined by a hash value received from the C2 | ❌ | ✅ | ❌ | ❌ |
| Communication with the C&C server is hidden in the Cookie and Set-Cookie headers of HTTP requests | ❌ | ✅ | ✅ | ❌ |
| Impersonate a logged-in user's security context | ❌ | ✅ | ✅ | ❌ |
| Create a copy of cmd.exe in the working directory and use it to interpret backdoor commands | ✅ | ❌ | ✅ | ❌ |
| Usual Ke3chang backdoor functionality: download, upload, execute files/shell commands and configure sleep time | ✅ | ✅ | ✅ | ✅ |
| Screenshot-grabbing functionality | ❌ | ❌ | ✅ | ❌ |

Table 2
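The timestamp reasoning under Table 1 (a binary cannot honestly predate the C2 domain it talks to, nor postdate its own first submission) can be turned into a routine check. The Python below is an added example, not code from the original post or from Intezer: it builds a constructed minimal PE image, reads IMAGE_FILE_HEADER.TimeDateStamp from it, and classifies that stamp against the VirusTotal dates in Table 1 and an assumed C2 registration date (2019-11-01 is a placeholder; the page only says "end of 2019").

```python
import struct
from datetime import datetime, timedelta, timezone

def _utc(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

def build_fake_pe(compile_date: str) -> bytes:
    """Constructed minimal PE image (not a real sample): a DOS header whose e_lfanew
    points at 'PE\\0\\0' followed by an IMAGE_FILE_HEADER carrying TimeDateStamp."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: NT headers follow the DOS header
    ts = int(_utc(compile_date).timestamp())
    # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSymbols, SizeOptHdr, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 3, ts, 0, 0, 0xF0, 0x22)
    return bytes(dos) + b"PE\0\0" + file_hdr

def pe_compile_date(data: bytes) -> str:
    """Read IMAGE_FILE_HEADER.TimeDateStamp and return it as an ISO date (UTC)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # TimeDateStamp is 8 bytes past the signature: after Machine(2) and NumberOfSections(2)
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc).date().isoformat()

def timestamp_verdict(compile_date, c2_registered, first_seen, slack_days=30) -> str:
    """A binary cannot honestly predate the infrastructure it talks to, nor postdate
    its own upload; either case marks the compile stamp as forged."""
    compiled, registered, seen = map(_utc, (compile_date, c2_registered, first_seen))
    slack = timedelta(days=slack_days)
    if compiled < registered - slack:
        return "tampered: predates C2 registration"
    if compiled > seen + slack:
        return "tampered: postdates first submission"
    return "plausible"

# Rows from Table 1. C2_REGISTERED is an ASSUMED placeholder: the page only says "end of 2019".
C2_REGISTERED = "2019-11-01"
SAMPLES = {"Ketrum1": ("2010-01-07", "2019-12-03"),
           "Ketrum2 (a)": ("2020-05-13", "2020-05-16"),
           "Ketrum2 (b)": ("2020-05-13", "2020-05-17")}

def verdicts() -> dict:
    """Round-trip each compile date through a PE header, then classify it."""
    return {name: timestamp_verdict(pe_compile_date(build_fake_pe(compiled)), C2_REGISTERED, seen)
            for name, (compiled, seen) in SAMPLES.items()}
```

On real files, replace build_fake_pe with the bytes of the sample and take the domain registration date from WHOIS; the slack absorbs clock skew and build-to-registration gaps.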
Ketrum 1

The Ketrum 1 sample was uploaded to VirusTotal in December 2019. If it can acquire SeDebugPrivilege, this version registers itself as a "WMI Provider Host" service; otherwise, it creates an entry in the Startup folder. As the table above shows, this sample incorporates many of Okrum's features, but it drops the more advanced Okrum capabilities, such as offering reflective injection through an export and using hashing to receive command IDs. In the past, APT15 used the IWebBrowser2 COM interface to manage its network communication. This time the Ketrum developers abandoned that technique in favour of the plain HTTP API:

| Command ID | Description |
| --- | --- |
| 1 | Adjust sleep time |
| 2 | Execute a shell command |
| 3 | Upload a file |
| 4 | Download a file |
| 5 | Execute a file |
| 7 (there is no 6) | Execute a shell command with adjusted sleep time |
| 8 | Adjust the execute-shell sleep time |
| 9 | Download a "Notice" file to the working directory (it is unclear how this is used) |

Table 3
Code Reuse

Apart from the low-level implementation and the choice of system APIs, both Ketrum samples resemble the layout of earlier Ke3chang tools. Even between the two Ketrum samples there are differences in the low-level APIs used to implement the same functionality. For example, the file upload feature is implemented with different APIs across the family. When reading the file, a constant value of 0x20000 is usually used:

Reproduction without permission is prohibited: x-sec » The Evolution of APT15's Codebase 2020