APT-K-47 Organization Launches Espionage Attacks Using a New Trojan Tool

Knownsec 404 team
Feb 6, 2024

Author: K&XWS@Knownsec 404 Advanced Threat Intelligence Team
Chinese version: https://paper.seebug.org/3115/

1 Summary

APT-K-47, also known as Mysterious Elephant, is an APT organization whose activity details were first disclosed by the Knownsec 404 Advanced Threat Intelligence Team. In-depth analysis of APT-K-47’s techniques, tactics, tools, and operational objectives reveals shadows of several other APT groups in South Asia, including but not limited to SideWinder, Confucius and Bitter.

APT-K-47’s technical and tactical approaches are largely similar to those of other South Asian groups, primarily revolving around social engineering. Phishing attacks are initiated by delivering bait based on current events, with initial attack vectors often exploiting vulnerabilities in CHM files, document vulnerabilities (such as CVE-2017-11882), and WinRAR software vulnerabilities. According to our continuous monitoring data, the targets of this organization include Russia, Pakistan, Bangladesh and the United States.

In August 2023, Knownsec 404 Advanced Threat Intelligence Team disclosed the attack tool ORPCBackdoor from the emerging APT organization APT-K-47 originating from South Asia. Since then, the team has been closely monitoring the activities of this organization. Recently, we detected a new wave of APT-K-47’s attack activities and uncovered some previously undisclosed attack weapons. The core tool of this organization remains ORPCBackdoor. In this latest attack, the organization utilized a yet-to-be-disclosed Trojan tool to successfully infiltrate systems.

Subsequently, they downloaded ORPCBackdoor and other malicious payloads, conducted disk directory traversal, and exfiltrated target files to C2. Additionally, the organization stole password information from the target computer browsers and transmitted it back. In the following sections, we will elaborate on the details of the findings from this tracking operation.

2 Attack Details

The recent discovery of attack activities involves the utilization of undisclosed Trojan programs (Trojan 1, named WalkerShell due to its inclusion of the specific string “walker”, and Trojan 2 named Nimbo-C2). Upon analysis, it was found that the attackers downloaded a total of three different malicious payloads, including ORPCBackdoor, a Trojan specifically designed to steal Chrome browser password records (named DemoTrySpy), and a backdoor program for downloading and executing shellcode (named NixBackdoor). The overall attack chain is depicted in Figure 1.

Figure 1: Overall Attack Chain

In this batch of attack activities, we have identified two primary attack paths employed by the attackers:

1. The attackers implant the Nimbo-C2 Trojan on a compromised machine and then use PowerShell to download the DemoTrySpy tool. This tool is responsible for stealing browser passwords, packaging them into local files, and then transmitting these files back to a dedicated server for file exfiltration.

2. On another compromised machine, the attacker implants the WalkerShell trojan, which traverses the disk and uploads files of interest to a dedicated file storage server. Simultaneously, the attackers use PowerShell to download the DemoTrySpy tool for stealing usernames and passwords from the browser. Additionally, they use PowerShell to download and execute ORPCBackdoor, thereby achieving long-term remote control of the compromised machine.

Below, we will conduct a detailed analysis of the attack weapons involved in the figure.

2.1 Description of WalkerShell

WalkerShell is a malicious program written in C#. When executed, it first utilizes the polor function to obtain the hostname and username of the target host, as illustrated in Figure 2 below.

Figure 2: Execution Process of WalkerShell

The primary function of the polor function is to execute the command passed in through parameter 1 using cmd and return the final result via parameter 2, as detailed in Figure 3 below.

Figure 3: polor Function

Ultimately, the program appends the `~walker` string to the collected information, adds an `Author` field to the header, and writes the processed data into this field to transmit the gathered data back. It then extracts the value of the `Cmn` field from the header returned by the server and returns it, as depicted in Figure 4 below.

Figure 4: Processing and Returning Data

The data returned from the server is presented in Table 1 as follows:

Table 1: List of WalkerShell Commands and Functional Descriptions

If the returned data is a cmd command, the format of the transmitted data is:
`[username] + " " + [pcname] + "~endow~$[command]$"`, as shown in Figure 5.

Figure 5: Format of Transmitted Data
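As an added detection example (not code from the report or from the actors' tooling), the following Python scans constructed proxy-log records for the two WalkerShell formats described above: the `~walker` check-in carried in the `Author` header and the `~endow~$...$` result format, recording any `Cmn` tasking header seen on the same exchange. The log record shape, the host names, and the assumption that the text between the `$` signs is the command (rather than its output) are mine.

```python
import re
from typing import Optional

# Constructed sample of proxy-logged HTTP transactions (hypothetical log shape):
# each entry holds the request headers and the response headers the server sent back.
SAMPLE_TRANSACTIONS = [
    {"host": "cdn.example.test",
     "req": {"User-Agent": "Mozilla/5.0", "Accept": "*/*"}, "resp": {"Server": "nginx"}},
    {"host": "upload.example.test",
     "req": {"Author": "WIN-DESKTOP01 alice~walker"}, "resp": {"Cmn": "whoami"}},
    {"host": "upload.example.test",
     "req": {"Author": "alice WIN-DESKTOP01~endow~$whoami$"}, "resp": {}},
]

# Patterns taken from the report: the check-in value ends in "~walker"; the command-result
# value is "<username> <pcname>~endow~$...$". What sits between the $...$ is assumed here
# to be the command itself; the report does not say whether it is the command or its output.
CHECKIN_RE = re.compile(r"^(?P<info>.+)~walker$")
RESULT_RE = re.compile(r"^(?P<user>\S+) (?P<pc>\S+)~endow~\$(?P<body>.*)\$$", re.S)


def classify_author_header(value: str) -> Optional[dict]:
    """Return a finding dict if an 'Author' header value matches one of WalkerShell's formats."""
    m = CHECKIN_RE.match(value)
    if m:
        return {"kind": "walkershell_checkin", "info": m["info"]}
    m = RESULT_RE.match(value)
    if m:
        return {"kind": "walkershell_result", "user": m["user"], "pc": m["pc"], "body": m["body"]}
    return None


def scan_transactions(transactions: list) -> list:
    """Flag WalkerShell traffic: results travel in the 'Author' request header,
    tasking comes back in the 'Cmn' response header."""
    findings = []
    for t in transactions:
        author = t["req"].get("Author")
        finding = classify_author_header(author) if author else None
        if finding:
            finding["host"] = t["host"]
            # A Cmn header on the same exchange is the server's tasking; keep it for triage.
            finding["tasking"] = t["resp"].get("Cmn")
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_transactions(SAMPLE_TRANSACTIONS):
        print(f)
```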

2.2 Description of DemoTrySpy

DemoTrySpy is named for its PDB path containing DemoTry and its main function of data exfiltration, as shown in Figure 6.

Figure 6: DemoTrySpy Path

In the export table of DemoTrySpy, we found a partial code implementation of the open-source project cJSON. This code snippet is integrated into the malicious program and is intended for subsequent parsing of JSON format data contained in the Local State of Chrome browser user data, as detailed in Figure 7.

Figure 7: Detailed Content

Upon execution, the program will set its window to a hidden state, as shown in Figure 8.

Figure 8: Setting Itself to Hidden

Next, the program will create `C:\Users\Public\Documents\tmpA10.tmp` and write hardcoded data headers into it, as shown in Figures 9 and 10.

Figure 9: Creating tmpA10.tmp File
Figure 10: Writing hardcoded data headers into Header

The program attempts to retrieve the storage directory for Chrome browser user information. If Chrome browser is not present on the current host, it skips the subsequent logic, as shown in Figure 11.

Figure 11: Attempt to Retrieve User Information Storage Directory

If Chrome browser exists, the program will copy the data from Local State to `C:\Users\Public\Documents\loc.tmp`, as shown in Figure 12.

Figure 12: Copy Data

The program then copies the data from the Login Data to the file `C:\Users\Public\Documents\log.tmp`, as shown in Figure 13.

Figure 13: Copy Data

The subsequent main logic involves the program retrieving the `encrypted_key` from Login data and decrypting the key using DPAPI, as shown in Figure 14.

Figure 14: Obtaining the encrypted_key

Then, the program connects to the Login Data file using sqlite3 (the file is a sqlite3 database file) to retrieve the values of the password, username_value, and url fields. It decrypts the data using the decrypted key obtained earlier, as shown in Figure 15.

Figure 15: Decrypting Data

The decrypted data is eventually written into the tmpA10.tmp file, with the data format illustrated in Figure 16.

Figure 16: Writing Data

DemoTrySpy does not have its own functionality to transmit the gathered information. Attackers will utilize WalkerShell to transmit tmpA10.tmp, for instance, using commands like type or curl post, as illustrated in Figure 17.

Figure 17: Data Transmission

2.3 NixBackdoor Description

The naming of NixBackdoor originates from its executable file name, Nix.exe. Because its overall functionality is simple, its code size is small, and it contains no other distinctive strings, it is named after the file. When executed, NixBackdoor creates a new thread, as shown in Figure 18.

Figure 18: Creating a New Thread

The main function of the thread is to connect to `recentupdate.sytes.net:6364`. Initially, it retrieves the length of the subsequent shellcode from the server, followed by fetching the shellcode itself, as shown in Figure 19.

Figure 19: Retrieving Shellcode

NixBackdoor modifies the shellcode permissions and then jumps to execute, as shown in Figure 20.

Figure 20: Modify shellcode permissions

2.4 ORPCBackdoor Description

Because ORPCBackdoor was analyzed in detail in the previous article “APT-K-47 ‘Mysterious Elephant’, a new APT organization in South Asia”, further elaboration on it will be omitted here.

2.5 NimBo-C2 Description

NimBo-C2 is an open-source project available on GitHub. It is a lightweight and straightforward command and control (C2) framework. The server side is written in Python, while the client side is written in Nim and supports both Windows and Linux operating systems. NimBo-C2 enables a wide range of remote control functionalities, as depicted in Figure 21.

Figure 21: NimBo-C2 Project

3 Summary

In this analysis, we identified attack activities of the APT-K-47 organization that differ significantly from the previously exposed attacks using ORPCBackdoor. In the 2023 attacks, the organization deployed ORPCBackdoor by sending phishing emails containing malicious CHM attachments. However, in this latest attack, they opted for WalkerShell as the initial intrusion vector to download ORPCBackdoor. Additionally, we observed that the organization conducted several other attack activities during the same period. Further details of these findings will be shared in subsequent analysis reports.

4 IOC

**HASH:**

b087a214fb40e9f8e7b21a8f36cabd53fee32f79a01d05d31476e249b6f472ca DemoTrySpy
74ba5883d989566a94e7c6c217b17102f054ffbe98bc9c878a7f700f9809e910 ORPCBackdoor
c4817f3c3777b063f0adbc1c8e4671da533f716bab7ad2c4b9bc87295df67334 nimbo-c2
85a6ac13510983b3a29ccb2527679d91c86c1f91fdfee68913bc5d3d01eeda2b walkershell

**C&C:**

outlook-web.ddns[.]net ORPCBackdoor C2

404 Team, the core team from Knownsec, a well-known security company in China. Twitter: @seebug_team YouTube: @404team knownsec Email: zoomeye@knownsec.com