· 2015/09/09 14:03

0x01 Overview


Myanmar is a country now undergoing significant political change. Democratic reforms in 2011 helped create a climate conducive to attracting investors, and the country is rich in natural resources and has a stable labor supply [1]. Despite these recent developments, the country has a long history of ethnic struggle and civil war. Analysts say that China and the United States both have considerable influence over Myanmar's internal struggles, in particular because Myanmar gives China access to sea lanes, port trade and vital fuel pipelines; geopolitical analysts argue that the United States may seek to thwart China's ambitions there for its own reasons [2], [3], [4].

APT actors from many countries, including China, have a strategic interest in Myanmar, and that interest is served by malware used for espionage. PlugX (also known as Korplug) is a well-known member of this malware family and gives the attacker full access to the victim's machine and network. Recently, multiple PlugX-related malware samples were observed hosted on a Myanmar government website. In early August 2015, Arbor ASERT provided information to help Myanmar's CERT deal with the situation; the initial situation has now been addressed, so this information can be released more widely. This report is not intended to fully expose every threat active in the campaign, but the TTPs (tactics, techniques and procedures) of the threat actors described here can help other organizations raise awareness and improve prevention and detection of such attacks.

An initial investigation into the malware found that election-related websites in Myanmar were hosting the PlugX malware. Palo Alto Networks described a similar strategic web compromise of a Myanmar website in June 2015 that delivered the Evilgrab malware, and their research also showed that 9002 RAT samples used the same infrastructure. Given the nature of the threat environment, attribution is difficult, especially when multiple threat actors may obtain the same malware from a centralized source. But whoever launched the attack, knowing the targets and TTPs is valuable in a changing situation and helps defenders protect against the adversary. This is a constant intelligence battle.

0x02 Myanmar government site distributing PlugX and a loader


As of July 30, 2015, several PlugX-related malware files were hosted on Myanmar government web servers. Specifically, the Ministry of Information (MOI) website hosted them under a Myanma Motion Picture Development Department (MMPDD) section at the URL www.moi.gov[.]mm/MMPDD/sites…

Figure 1: Screenshot of website containing malware as of July 30, 2015

The PlugX-related binaries are moigov.exe, fields.exe and fibmapp.exe. The last modification time of the fields directory is 2015-07-15 23:33, so it can be assumed that the site was compromised on or before this date. The site runs on Drupal, but analysis of how it was compromised is beyond the scope of this report.

Figure 2: Parent directory reveals last modification of the directory used to store PlugX artifacts

Table  1: A variety of PlugX malware-related content was observed on the Myanmar site

0x03 PlugX moigov.exe sample


A loader (MD5: a30262bf36b3023ef717b6e23e21bd30) downloads a PlugX binary named moigov.exe (MD5: d0c5410140c15c8d148437f0f7eabcf7). This PlugX sample has multiple configuration properties. Analysts, incident responders and researchers can extract them with the ASERT plugins for the Volatility memory forensics framework (github.com/arbor-jjone… and github.com/arbor-jjone…).

It should be noted that this PlugX sample is the P2P variant, but its P2P functionality is disabled in the configuration. These configuration elements are useful as Indicators of Compromise (IOCs) and can also help link this PlugX sample to other attacks. Analysts must use caution, however, because not every configuration element is itself an indicator of malice. For example, Google's public DNS servers 8.8.8.8 and 8.8.4.4 are benign, yet they are commonly configured by PlugX and other malware to evade DNS filtering/detection or to work around a blocked or compromised local DNS server. As always, careful analysis is required.

PlugX configuration for moigov.exe, MD5 d0c5410140c15c8d148437f0f7eabcf7

```
md5: d0c5410140c15c8d148437f0f7eabcf7
cnc: usacia.websecexp.com:53
cnc: appeur.gnway.cc:90
cnc: webhttps.websecexp.com:443
cnc: usafbi.websecexp.com:25
cnc1: webhttps.websecexp.com:443 (TCP / HTTP)
cnc2: usafbi.websecexp.com:25 (UDP)
cnc3: usacia.websecexp.com:53 (HTTP / UDP)
cnc4: appeur.gnway.cc:90 (TCP / HTTP)
cnc5: usafbi.websecexp.com:25 (TCP / HTTP)
cnc6: webhttps.websecexp.com:443 (HTTP / UDP)
dns: 180.76.76.76
dns:
dns: 203.81.64.18
dns: 8.8.8.8
enable_icmp_p2p: 0
enable_ipproto_p2p: 0
enable_p2p_scan: 0
enable_tcp_p2p: 0
enable_udp_p2p: 0
flags1: 4294967295
flags2: 0
hide_dll: -1
http: http://epn.gov.co/plugins/search/search.html
icmp_p2p_port: 1357
injection: 1
inject_process: %ProgramFiles%\Internet Explorer\iexplore.exe
inject_process: %windir%\system32\svchost.exe
inject_process: %windir%\explorer.exe
inject_process: %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
install_folder: %AUTO%\McAfeeemOS
ipproto_p2p_port: 1357
keylogger: -1
mac_disable: 00:00:00:00:00:00
mutex: Global\VdeBueElStlKd
persistence: Service + Run Key
plugx_auth_str: open
reg_hive: 2147483649
reg_key: Software\Microsoft\Windows\CurrentVersion\Run
reg_value: OmePlus
screenshot_folder: %AUTO%\McAfeeemOS\NtBXvdMGwtDwrfHs
screenshots: 0
screenshots_bits: 16
screenshots_keep: 3
screenshots_qual: 50
screenshots_sec: 10
screenshots_zoom: 50
service_desc: McAfee OmePlus Module
service_display_name: McAfee OmePlus Module
service_name: McAfee OmePlus Module
sleep1: 83886080
sleep2: 0
tcp_p2p_port: 1357
uac_bypass_inject: %windir%\system32\rundll32.exe
uac_bypass_inject: %windir%\system32\dllhost.exe
uac_bypass_inject: %windir%\explorer.exe
uac_bypass_inject: %windir%\system32\msiexec.exe
uac_bypass_injection: 1
udp_p2p_port: 1357
```

0x04 PlugX fields.exe sample


The fields.exe sample is notable for several reasons. It was also hosted on moi.gov.mm and has much the same configuration as the moigov.exe sample above, but some elements differ, such as the C2 authentication string, the list of injected processes and the installation folder.

PlugX configuration for fields.exe, MD5 809976f3aa0ffd6860056be3b66d5092

```
md5: 809976f3aa0ffd6860056be3b66d5092
cnc: appeur.gnway.cc:90
cnc: webhttps.websecexp.com:443
cnc: usacia.websecexp.com:53
cnc: usafbi.websecexp.com:25
cnc1: webhttps.websecexp.com:443 (TCP / HTTP)
cnc2: usafbi.websecexp.com:25 (UDP)
cnc3: usacia.websecexp.com:53 (HTTP / UDP)
cnc4: appeur.gnway.cc:90 (TCP / HTTP)
cnc5: usafbi.websecexp.com:25 (TCP / HTTP)
cnc6: webhttps.websecexp.com:443 (HTTP / UDP)
cnc_auth_str: kpsez-htday
dns:
dns: 180.76.76.76
dns: 8.8.8.8
dns: 203.81.64.18
enable_icmp_p2p: 0
enable_ipproto_p2p: 0
enable_p2p_scan: 0
enable_tcp_p2p: 0
enable_udp_p2p: 0
flags1: 4294967295
flags2: 0
hide_dll: -1
http: http://epn.gov.co/plugins/search/search.html
icmp_p2p_port: 1357
injection: 1
inject_process: %windir%\system32\svchost.exe
inject_process: %ProgramFiles%\Internet Explorer\iexplore.exe
inject_process: %windir%\explorer.exe
inject_process: %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
install_folder: %AUTO%\MybooksApp
ipproto_p2p_port: 1357
keylogger: -1
mac_disable: 00:00:00:00:00:00
mutex: Global\EStZmOzInezFVydxhdE
persistence: Service + Run Key
plugx_auth_str: open
reg_hive: 2147483649
reg_key: Software\Microsoft\Windows\CurrentVersion\Run
reg_value: OSEMInfo
screenshot_folder: %AUTO%\MybooksApp\hIZu
screenshots: 0
screenshots_bits: 16
screenshots_keep: 3
screenshots_qual: 50
screenshots_sec: 10
screenshots_zoom: 50
service_desc: Windows OSEMinfo Service
service_display_name: McAfee OSEM Info
service_name: McAfee OSEM Info
sleep1: 83886080
sleep2: 0
tcp_p2p_port: 1357
uac_bypass_inject: %windir%\explorer.exe
uac_bypass_inject: %windir%\system32\dllhost.exe
uac_bypass_inject: %windir%\system32\msiexec.exe
uac_bypass_inject: %windir%\system32\rundll32.exe
uac_bypass_injection: 1
udp_p2p_port: 1357
```

An interesting element is the C2 authentication string "kpsez-htday", which may refer to the Kyaukphyu Special Economic Zone (SEZ) in Kyaukphyu Township, Rakhine State, Myanmar. Relevant information can be seen in the picture below [6]:

Figure 3: About KP SEZ from http://kpsez.org/en/about-us-2/

Given the history of PlugX use [7], [8], [9], [10] and the nature of a special economic zone, this is consistent with data theft and espionage carried out in support of national and state interests; the specifics warrant further investigation.

0x05 PlugX fibmapp.exe sample


PlugX configuration for fibmapp.exe, MD5 69754b86021d3daa658da15579b8f08a

```
md5: 69754b86021d3daa658da15579b8f08a
cnc: appeur.gnway.cc:90
cnc: webhttps.websecexp.com:443
cnc: usacia.websecexp.com:53
cnc: usafbi.websecexp.com:25
cnc1: webhttps.websecexp.com:443 (TCP / HTTP)
cnc2: usafbi.websecexp.com:25 (UDP)
cnc3: usacia.websecexp.com:53 (HTTP / UDP)
cnc4: appeur.gnway.cc:90 (TCP / HTTP)
cnc5: usafbi.websecexp.com:25 (TCP / HTTP)
cnc6: webhttps.websecexp.com:443 (HTTP / UDP)
cnc_auth_str: EDMS GM716
dns:
dns: 180.76.76.76
dns: 8.8.8.8
dns: 203.81.64.18
enable_icmp_p2p: 0
enable_ipproto_p2p: 0
enable_p2p_scan: 0
enable_tcp_p2p: 0
enable_udp_p2p: 0
flags1: 4294967295
flags2: 0
hide_dll: -1
http: http://epn.gov.co/plugins/search/search.html
icmp_p2p_port: 1357
injection: 1
inject_process: %windir%\system32\svchost.exe
inject_process: %ProgramFiles%\Internet Explorer\iexplore.exe
inject_process: %windir%\explorer.exe
inject_process: %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
install_folder: %AUTO%\EDMSinfos
ipproto_p2p_port: 1357
keylogger: -1
mac_disable: 00:00:00:00:00:00
mutex: Global\qZlDbiNRvrLXkhFTgAhdIeESC
persistence: Service + Run Key
plugx_auth_str: open
reg_hive: 2147483649
reg_key: Software\Microsoft\Windows\CurrentVersion\Run
reg_value: EDMSinfos
screenshot_folder: %AUTO%\EDMSinfos\NHY
screenshots: 0
screenshots_bits: 16
screenshots_keep: 3
screenshots_qual: 50
screenshots_sec: 10
screenshots_zoom: 50
service_desc: Windows EDMSinfos Service
service_display_name: EDMSinfos Module
service_name: EDMSinfos Module
sleep1: 83886080
sleep2: 0
tcp_p2p_port: 1357
uac_bypass_inject: %windir%\explorer.exe
uac_bypass_inject: %windir%\system32\dllhost.exe
uac_bypass_inject: %windir%\system32\msiexec.exe
uac_bypass_inject: %windir%\system32\rundll32.exe
uac_bypass_injection: 1
udp_p2p_port: 1357
```

0x06 TTPs shared with the recent Evilgrab attack on Myanmar


Based on the configuration information, this incident may be related to the strategic web compromise (SWC) of the website of the President of Myanmar reported by Palo Alto Networks in June [5], which used the Evilgrab malware.

That attack inserted an iframe into the target website. Here, an iframe was likewise added to the www.moi.gov.mm website: analysis of the MOI site showed that the following script was invoked by the index.html?q=content%2FMMPDD-e-services page.

The last line of custom.js contains a hidden iframe that points to html5.php in the Drupal Themes folder:

html5.php was no longer available on the target site (removed by the attackers or the site maintainers, or restricted to specific targets), but VirusTotal searches show that other html5.php files have served other payloads. In particular, an html5.php file with MD5 a1c0c364e02b3b1e0e7b8ce89b611b53 contains a Firefox extension bundled with PlugX. This browser extension simply copies the PlugX binary (named components.exe) into the C:\Windows\tasks directory and executes it. The code is in bootstrap.js:

The MD5 of components.exe is 1c7fafe58caf55568bd5f28cae1c18fd. This particular binary does not appear to have been used against Myanmar. However, the tactics, file names and web infection method used to deliver PlugX all match the Evilgrab attack published by Palo Alto Networks.

Shadowserver independently discovered the attackers' use of the browser plug-in method described in this report and will publish their findings soon. Defenders are encouraged to review that data for additional information on the attack activity once it is published.

In addition to the techniques mentioned above, the same C2 servers were observed in both the Evilgrab attack and the PlugX configurations, suggesting that the same attacker team, or teams sharing infrastructure, were behind both at the time of the attack:

  • usafbi.websecexp[.]com (port 53)
  • usacia.websecexp[.]com (UDP/53)
  • webhttps.websecexp[.]com (port 443)
  • appeur.gnway[.]cc (TCP/90)

0x07 Possible links to other PlugX malware


The configuration also lists another DNS server (203.81.64.18). It appears to be located in Myanmar; a local DNS server attracts less suspicion than a foreign one. At least four PlugX samples use this DNS server. Their C2 authentication strings are shown in the following table:

Analysis of the C2 authentication string in sample #1 suggests the dates April 9 (04-09) and April 20 (04-20), and sample #2 contains a timestamp of 2015-02-24. The authentication string for sample #3 may refer to March 12 and March 20, but at present ASERT lacks evidence that these activities took place on these dates. In sample #4 (found on the Myanmar government site above), EDMS may refer to the generic term "Electronic Document Management System" and GM716 may be July 16. EDMS may be related to the Myanmar government's EDMS [11], [12], although there is no evidence to prove this.

The first sample in the table (MD5 eeb631127f1b9fb3d13d209d8e675634) was found at http://the-casgroup[.]com/Document/doc/DXLS.exe and was first submitted to VirusTotal on April 20, 2015.

This website appears to belong to "CAS GROUP INTERNATIONAL LIMITED": "The CAS Group brings along a number of world Innovative Home Automation, Audio Speakers and Digital Signage Products from The USA under one roof into Hong Kong" (the-casgroup.com/about.php). Analysis on March 30, 2015 connected the domain to another malicious sample (MD5: e2eddf6e7233ab52ad29d8f63b1727cd), whose function appears to be to download http://the-casgroup[.]com/Document/doc.zip. The malware masqueraded as a JPEG file (Invitations.jpeg); the screenshot shows rundll32 attempting to run Invitations.jpeg. Some interesting strings from the sample (sanitized) are shown below:

```
Downer.dll
%s\Thumbs.db
%s//%s?%d
http://the-casgroup[.]com/Document
http://the-casgroup[.]com/Document/doc.zip
%s\doc.zip
Java
Sun
Thumbs.db
Mode
Sun_FlashUpdate.lnk
```

This malicious sample was found on the website of the Union Election Commission in Naypyitaw, www.uecmyanmar[.]org/dmDocuments…, inside a RAR file (MD5: d055518ad14f3d6c40aa6ced6a2d05f2). As of July 30, 2015, this RAR file was still on the website. The file inside is "Preliminary discussions about the election, Invitations\Preliminary discussions about the election, Invitations.lnk". The .lnk file shows a modification time of Wednesday, 2015-03-25 2:35:36 pm. The target of the .lnk is C:\WINDOWS\System32\rundll32.exe Invitations.jpeg Mode.
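The .lnk target above hands rundll32.exe a ".jpeg" as its module, which is a detectable pattern in process-creation logs. The following is an added example (not code from the report or from ASERT) that flags rundll32 command lines whose module argument is not a DLL-like file; the DLL_LIKE set and SAMPLE_CMDLINES are my own constructed inputs, the first of which mirrors the LNK target quoted above.

```python
import re
from pathlib import PureWindowsPath

# Added example, not from the report: flag command lines where rundll32.exe
# is asked to load a module that is not a DLL-like file, as in the LNK target
# "rundll32.exe Invitations.jpeg Mode" described above.

# File types rundll32 is normally asked to load; anything else (.jpeg, .db, ...)
# points at a disguised payload. This set is a starting point, not exhaustive.
DLL_LIKE = {".dll", ".cpl", ".ocx", ".ax", ".drv", ".acm", ".ime"}

# A Windows command line: double-quoted runs (may contain spaces) or bare tokens.
CMD_TOKEN = re.compile(r'"[^"]*"|\S+')


def split_windows_cmdline(cmdline: str) -> list:
    return [tok.replace('"', "") for tok in CMD_TOKEN.findall(cmdline)]


def suspicious_rundll32(cmdline: str):
    """Return (module, reason) when rundll32 is given a non-DLL module, else None."""
    argv = split_windows_cmdline(cmdline)
    if not argv or PureWindowsPath(argv[0]).name.lower() != "rundll32.exe":
        return None
    if len(argv) < 2:
        return (None, "rundll32 invoked without a module argument")
    # The module spec is "path\to\module[,EntryPoint]"; the entry point may
    # also follow as a separate argument (as in the Invitations.jpeg case).
    module = argv[1].split(",", 1)[0]
    ext = PureWindowsPath(module).suffix.lower()
    if ext and ext not in DLL_LIKE:
        return (module, "rundll32 loading non-DLL file type " + ext)
    return None


# Constructed process-creation command lines: the first mirrors the LNK target
# quoted above, the second reuses the Thumbs.db string seen in the sample, the
# rest are benign.
SAMPLE_CMDLINES = [
    r"C:\WINDOWS\System32\rundll32.exe Invitations.jpeg Mode",
    r'rundll32.exe "C:\Users\u\Thumbs.db",Mode',
    r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL",
    r"C:\Windows\explorer.exe",
]


def scan(cmdlines) -> list:
    """Return (cmdline, module, reason) triples for every line that trips the check."""
    hits = []
    for line in cmdlines:
        result = suspicious_rundll32(line)
        if result:
            hits.append((line, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for line, module, reason in scan(SAMPLE_CMDLINES):
        print(f"{reason}: {module}  <-  {line}")
```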

The archive also contains a readme.txt file with the following wording, intended to entice the recipient into executing the malware.

Another RAR file found on the same website, www.uecmyanmar[.]org/dmDocuments…, yielded another PlugX sample when decompressed. This RAR contains the following three files:

Figure 4: Malware found inside RAR file hosted on uecmyanmar site

These three files extract to the "PlanProposal\new questionnaire\PlanProposal" directory, suggesting that the targets may be people working on voter participation in Myanmar.

The PlugX configuration also includes an HTTP configuration element pointing to epn.gov.co (the National Penitentiary School of Colombia's National Penitentiary and Prison Institute, INPEC), which serves as a fallback source of command and control information when the primary C2 is unresponsive. The URL looks like this:

Figure 5: External site hosting PlugX Command & Control servers in an encoded form

Other aspects of this technique are covered in "PlugX: some uncovered points" by Airbus Defence and Space [13] and by incident responders [14]. ASERT's plugx.py and plugx_structurals.py plugins for the Volatility memory forensics framework can be used to analyze PlugX configuration elements [15]. The first few and the last four bytes of each encoded line carry header, version and port information; the C2 hostname is encoded in between.

FireEye's open source decoding script [16], released in August 2014, can be used here with minor modifications. ASERT modified the FireEye Python script (plugx_c2_decode.py) to skip the header, version and port bytes at the start and end of the line and return only the hostname.

```python
import sys

# Skip the 10-byte header/version/port prefix and the 4-byte suffix,
# leaving only the encoded hostname.
s = sys.argv[1][10:-4]
rvalue = ""
# Each hostname byte is spread over two letters: the first carries the low
# nibble and the second the high nibble, both as offsets from 'A' (0x41).
# The first decoded byte is a NUL pad, which prints invisibly.
for x in range(0, len(s), 2):
    tmp0 = (ord(s[x + 1]) - 0x41) << 4
    rvalue += chr(ord(s[x]) + tmp0 - 0x41)
print(rvalue)
```

```
python plugx_c2_decode.py DZKSEAAAJBAAFHDHBGGGCGJGOCHHFGCGDHFGDGFGIHAHOCDGPGNGDZJS
usafbi.websecexp.com

python plugx_c2_decode.py DZKSGAAAFDAAFHDHBGDGJGBGOCHHFGCGDHFGDGFGIHAHOCDGPGNGDZJS
usacia.websecexp.com
```
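The same decoding as a reusable function, written here as an added example (it is neither the page's script nor FireEye's or ASERT's code): it strips the NUL pad byte the script above prints invisibly, and it scans a blob of fetched page text for candidate encoded runs, so the fallback page can be checked for every C2 it carries. The 10/4 byte offsets are taken from the page's slice `[10:-4]`; the SAMPLE_PAGE markup around the two encoded strings from this report is constructed.

```python
import re

# Added example, not code from the report. The offsets follow the slice [10:-4]
# the page's script applies; the leading/trailing bytes are left undecoded.
HEADER_LEN = 10
TRAILER_LEN = 4


def decode_c2_line(encoded: str) -> str:
    """Recover the C2 hostname from one encoded line.

    Each hostname byte is spread over two upper-case letters: the first
    carries the low nibble and the second the high nibble, each as an
    offset from 'A' (0x41). The decoded text starts with a NUL pad byte,
    which the page's script prints invisibly; it is stripped here.
    """
    body = encoded[HEADER_LEN:-TRAILER_LEN]
    if len(body) < 2 or len(body) % 2:
        raise ValueError("encoded body must be a non-empty, even-length string")
    out = bytearray()
    for lo, hi in zip(body[0::2], body[1::2]):
        if not ("A" <= lo <= "P" and "A" <= hi <= "P"):
            raise ValueError("letters outside A..P cannot be nibbles: %r%r" % (lo, hi))
        out.append(((ord(hi) - 0x41) << 4) | (ord(lo) - 0x41))
    return out.lstrip(b"\x00").decode("ascii")


# Candidate lines: long runs of upper-case letters, as on the hosting page.
ENCODED_RUN = re.compile(r"\b[A-Z]{%d,}\b" % (HEADER_LEN + TRAILER_LEN + 2))
HOST_CHARS = re.compile(r"^[A-Za-z0-9.-]+$")


def extract_c2_hosts(text: str) -> list:
    """Decode every candidate run in a blob of text (e.g. the fetched fallback
    page) and keep only results that look like hostnames."""
    hosts = []
    for m in ENCODED_RUN.finditer(text):
        try:
            host = decode_c2_line(m.group(0))
        except (ValueError, UnicodeDecodeError):
            continue  # not this encoding, or not nibble letters
        if HOST_CHARS.match(host):
            hosts.append(host)
    return hosts


# Constructed sample: the two encoded strings from this report embedded in
# made-up page markup, plus a long upper-case run that is not an encoded C2.
SAMPLE_PAGE = """<html><body>
<p>SEARCH RESULTS</p>
<div>DZKSEAAAJBAAFHDHBGGGCGJGOCHHFGCGDHFGDGFGIHAHOCDGPGNGDZJS</div>
<div>DZKSGAAAFDAAFHDHBGDGJGBGOCHHFGCGDHFGDGFGIHAHOCDGPGNGDZJS</div>
<!-- ABCDEFGHIJKLMNOPQRSTUVWXYZ is long but not made of nibble letters -->
</body></html>"""

if __name__ == "__main__":
    for host in extract_c2_hosts(SAMPLE_PAGE):
        print(host)
```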

The PlugX operators pointed the sample at a foreign government website for this purpose; analysis of that site's content is outside the scope of this report.

0x08 Recommendations


Relevant organizations in Myanmar should be alert to spear-phishing messages and to the network traffic described in this report. Organizations should be familiar with PlugX network traffic and should monitor for the hosts and networks associated with the PlugX configuration data described here. In addition, monitoring for P2P PlugX as described by JPCERT [17] is wise, even though P2P functionality is disabled in these samples. PlugX is just one family among many, and attackers often have a variety of malware to choose from. Given the targeted nature of these PlugX attacks, they are likely to continue. The IOCs in this report can help organizations that may have been targeted determine the extent of compromise, the damage caused, and the appropriate response.
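One way to act on the recommendation to monitor for the hosts in the configuration data, shown here as an added example (not ASERT's tooling): parse the "key: value" configuration text quoted in this report into a watch list, keep the report's own caveat that public resolvers such as 8.8.8.8 are low-confidence indicators, and match the C2 hostnames against resolver query logs. PLUGX_CONFIG is an excerpt of the values above; the BIND-style log lines and their timestamps are constructed.

```python
import re
from collections import defaultdict

# Constructed excerpt in the "key: value" form of the report's config dumps
# (values are the ones quoted for moigov.exe above).
PLUGX_CONFIG = """
cnc: usacia.websecexp.com:53
cnc: appeur.gnway.cc:90
cnc: webhttps.websecexp.com:443
cnc: usafbi.websecexp.com:25
dns: 180.76.76.76
dns:
dns: 203.81.64.18
dns: 8.8.8.8
mutex: Global\\VdeBueElStlKd
service_name: McAfee OmePlus Module
reg_value: OmePlus
"""

# Public resolvers are benign on their own (the report's own caveat), so they
# only count as low-confidence indicators.
BENIGN_DNS = {"8.8.8.8", "8.8.4.4"}


def parse_config(text: str) -> dict:
    """Parse 'key: value' lines into key -> list of values (keys may repeat)."""
    cfg = defaultdict(list)
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value:  # empty entries such as a bare 'dns:' are skipped
            cfg[key.strip().lower()].append(value)
    return dict(cfg)


def watch_list(cfg: dict) -> dict:
    """Pull out the indicators worth alerting on: C2 host -> port, DNS servers
    with a confidence label, mutex names and service names."""
    c2 = {}
    for entry in cfg.get("cnc", []):
        host, _, port = entry.rpartition(":")
        c2[host.lower()] = int(port)
    dns = {ip: ("low" if ip in BENIGN_DNS else "high") for ip in cfg.get("dns", [])}
    return {"c2": c2, "dns": dns,
            "mutex": set(cfg.get("mutex", [])),
            "service": set(cfg.get("service_name", []))}


# BIND-style query log line: "client <ip>#<port>: query: <qname> IN A +"
DNS_QUERY = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+)")


def match_dns_log(lines, wl: dict) -> list:
    """Return (source, qname) pairs where a client resolved a configured C2 host."""
    hits = []
    for line in lines:
        m = DNS_QUERY.search(line)
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        if qname in wl["c2"]:
            hits.append((m["src"], qname))
    return hits


# Constructed resolver log lines (dates, clients and the benign query are made up).
SAMPLE_DNS_LOG = [
    "03-Aug-2015 09:12:01.101 client 10.20.3.14#51234: query: usafbi.websecexp.com IN A +",
    "03-Aug-2015 09:12:02.337 client 10.20.3.14#51235: query: www.moi.gov.mm IN A +",
    "03-Aug-2015 09:15:44.020 client 10.20.7.9#40011: query: appeur.gnway.cc. IN A +",
]

if __name__ == "__main__":
    wl = watch_list(parse_config(PLUGX_CONFIG))
    for src, qname in match_dns_log(SAMPLE_DNS_LOG, wl):
        print(f"{src} resolved PlugX C2 {qname} (port {wl['c2'][qname]})")
```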

Incident responders should understand the attackers' targeting and respond in ways that disrupt their operations. The appropriate response in this case is to look for PlugX (and other malware) on any systems and websites that already show signs of intrusion. If log files covering the malicious activity are available, they can be used to identify the threat activity. This lets responders trace spear-phishing and other attacks and learn what helps the organization defend itself, limiting the attackers' ability to exfiltrate sensitive data.

0x09 Appendix 1: "Connection test.exe" malware downloader technical analysis


On July 2, 2015, a malware downloader named moigov.exe, compiled on June 23, 2015, was downloaded from the MOI website. If a download of the file returned a 404 error during analysis, the attacker had most likely already removed it. VirusTotal records the downloader's original name as "Connection test.exe"; for more details, see [18]. The program masquerades as IBM's AppScan security software and uses the same file name, copyright, version number, publisher and product values (8.0.650.113) (see binarydb.com [19]).

Because AppScan is commonly used by developers and security staff to find vulnerabilities, the intended targets of this lure likely have elevated access to resources.

The comparison between AppScan and malware is as follows:

Figure 6: Legitimate AppScan binary

Figure 7: Bogus AppScan binary that downloads PlugX

Icons of the two programs:

The malware downloader examined here is fairly common and uses what Arbor ASERT's Jason Jones described in 2013 as the byte strings technique [21]. Byte strings are often used by malware to obfuscate code. Deobfuscation can be done manually, but a Python script is available for faster deobfuscation [22]. Even simple byte strings obfuscate code effectively.

It is worth mentioning that some Chinese APT malware has also been seen using this technique, although it is not limited to China. Several Delphi-based Chinese malware families have used it [20], as have Gh0st RAT, Poison Ivy, IXESHE and Etumbot (for more on Etumbot, see ASERT's 2014-07 brief "Illuminating the Etumbot APT Backdoor"), among others.

Before deobfuscation we see the byte strings technique used at the start of the WinMain function. In this case, the AL register holds the "L" character, CL holds "E", BL holds "0" and DL holds "O". These values are combined with various static strings to build the arguments for LoadLibraryA and GetProcAddress. This is the same technique described in ASERT's post on using IDAPython to find byte strings: "we have seen similar code: characters are loaded into an 8-bit register and then mixed with variables to further confuse the code" [21].

Figure 8: Byte strings technique fills the one-byte registers AL, CL, BL and DL with characters (hex on the left, ASCII on the right)

Figure 9: Strings being built (obfuscated on the left, deobfuscated on the right)

The assembled strings can be seen: kernel32.dll and urlmon.dll (the arguments to the LoadLibraryA calls).

Figure 10: Strings being processed after deobfuscation

CreateProcessA and URLDownloadToFileA (the arguments to the GetProcAddress calls) can also be seen. Once the strings are built, the downloader calls URLDownloadToFileA from urlmon.dll with the URL of the PlugX payload.

Figure 11: Downloader URL target which downloads PlugX

Figure 12: Calls to LoadLibraryA and GetProcAddress receive the dynamically created strings

Figure 13: The next function (4011F0) specifies the malware download location

Details of the downloader can be obtained with IDA Pro or other static analysis tools, but a debugger is more convenient. The address 00403000 shows the download URL; it also happens to contain a "Hello, World!" string.

Figure 14: .data section reveals downloader details

A useful property of this string-building technique is that the machine code it produces is distinctive and can be detected with signatures. While such rules are useful, the builder for these downloaders may use random registers or random bytes, obfuscating the code further.

0x0a References


  1. thediplomat.com/2014/06/cha…
  2. www.wantchinatimes.com/news-subcla…
  3. www.ipcs.org/article/pea…
  4. www.eastasiaforum.org/2015/03/06/…
  5. researchcenter.paloaltonetworks.com/2015/06/evi…
  6. kpsez.org/en/about-us…
  7. www.fireeye.com/blog/threat…
  8. www.esecurityplanet.com/malware/rep…
  9. www.infosecurity-magazine.com/news/china-…
  10. blogs.sophos.com/tag/plugx/
  11. www.mcit.gov.mm/content/ego…
  12. www.mcit.gov.mm/sites/defau…
  13. blog.cassidiancybersecurity.com/post/2014/0…
  14. www.slideshare.net/takahirohar…
  15. github.com/arbor-jjone…
  16. www.fireeye.com/blog/threat…
  17. blog.jpcert.or.jp/2015/01/ana…
  18. www.virustotal.com/en/file/ac5…
  19. binarydb.com/file/Connec…
  20. www.ibm.com/developerwo…
  21. asert.arbornetworks.com/asert-minds…
  22. github.com/arbor/rever…

0x0b About ASERT


Arbor Networks' ASERT (Arbor Security Engineering & Response Team) provides world-class network security research and analysis to help protect the interests of today's enterprises and network operators. ASERT engineers and researchers are an elite team; they are known as "super remediators", representing the best of information security teams, and their reputation and remediation capability are recognized by most ISPs worldwide.

ASERT shares intelligence briefs and security content feeds with hundreds of international Computer Emergency Response Teams (CERTs) and thousands of network operators. ASERT also operates the largest distributed honeynet in the world today (atlas.arbor.net), monitoring global cyber threats 24/7. This mission and the resources of Arbor Networks drive innovation and research on global cybersecurity issues.

To see Arbor's recent research, visit our news and ASERT information security community portal at www.arbornetworks.com/threats/.