APT40 goes from Template Injections to OLE-Linkings for payload delivery
I came across a maldoc on VirusTotal that is named to phish and the timing when this maldoc appeared was also pretty “coincidental” with the recent political situation in Malaysia. I’m curious enough to look into this maldoc further.
According to MyCERT’s post[1] in Feb 2020, a set of malware had been found to be targeting Malaysian Government officials, and these were attributed to APT40. Extensive analysis of these files had been done by various researchers and we know the malware families involved are DADJOKE[2] and DADSTACHE[3]. On 27 Feb 2020, this new maldoc surfaced on VirusTotal delivered a variant of DADSTACHE. This new maldoc is interesting, because it employed a different technique of fetching the final payload.
I’ve compiled the following information regarding the different malicious documents used by APT40 against Malaysia:
In the latest document (below, MD5 571EFE3A29ED1F6C1F98576CB57DB8A5), it employed a very different method in fetching the final payload. It goes through 3 “fetching layers” of OLE-linkings to finally arrive at DADSTACHE execution. At the last layer, the RTF document makes use of “CVE-2017–0199” to execute the VBScript within a HTA file. The actual target of this maldoc is unknown, though the file was uploaded to VirusTotal by a user in Malaysia.
I think one reason for incorporating so many “fetching layers” is to allow layers to change dynamically — at any point in time, “Report.docx”, “out.rtf”, “M.png” and “dbgeng.dll” can be altered at the attackers’ side to fetch different files or to connect to different URLs. Previously the payloads are already embedded into the malicious document and thus difficult to change after deployment.
DADSTACHE is first observed to be delivered through the maldoc (MD5: A827D521181462A45A7077AE3C20C9B5). Also notice how this maldoc’s embedded objects’ names look different from the ones in the previous maldocs in the list.
I’ll do an analysis walkthrough of the DADSTACHE payload in the next post ;)
References:
[1] https://www.mycert.org.my/portal/advisory?id=MA-770.022020
[2] https://malpedia.caad.fkie.fraunhofer.de/details/win.dadjoke
[3] https://malpedia.caad.fkie.fraunhofer.de/details/win.dadstache
~~
Drop me a DM if you would like to share findings or samples ;)
