General Explanation
Type: APT
Degree of destruction: high
Prevalence: average
What is APT?
APT stands for Advanced Persistent Threat. As the name suggests, this kind of threat uses persistent, covert and advanced intrusion techniques to get into a system and then remains inside it, with malicious consequences, for a long time. Unlike conventional low-level cyber-attacks, which are mostly carried out by black hat hackers who want to get into a system quickly and reach a financial goal as soon as possible, APT attacks aim at holders of high-value information such as government organizations and large companies, and the attackers' ultimate goal is to steal information over a long period of time. A further problem with an APT infection is the possibility that a backdoor is left in the system so the attackers can come back whenever they want.
What is APT27 malware?
The Emissary Panda group, also known as TG-3390, Bronze Union, APT27 and Lucky Mouse, is a malware development group that has been active during the past 10 years; most of its output has been malware designed for spying and stealing information. Past targets of this group are Saudi Arabia, the UAE and Mongolia.
A new wave of attacks by this group began in 2019, and attacks have been reported in several countries including Mongolia, the UAE and also Iran.
Technical Explanation
Signs of infection
The symptoms that can be seen after a system is infected are as follows:
- Registry keys under the HKLM\Software\classes and HKCU\Software\classes paths containing subkeys with the following names. Encrypted strings are stored inside these keys.
D9B449EC8D04883DC38EB2ADBF2783FB
DHSFSGD375678FDHS237826WFS278346
ll37389743nxshkhjhgee
HjDWr6vsJqfYb89mxxxx
- Files with the following paths and names:
The following paths have been observed on infected systems. Except for the first entry, whose presence means definite infection, the others can also be seen on clean systems, because the malware copies its malicious files into these paths under the names of legitimate files.
sys.bin.url
C:\ProgramData\systemconfig\INISafeWebSSO.exe
C:\ProgramData\systemconfig\kwpsinvfy.exe
C:\ProgramData\vf_host\VFTRACE.dll
C:\ProgramData\plugin_host\PYTHON33.dll
C:\Windows\AppPatch\Custom\GameuxInstallHelper.dll
C:\ProgramData\vf_host_update\VFTRACE.dll
C:\ProgramData\VFTRACE.dll
C:\ProgramData\ThunderBrowser\libcef.dll
C:\Program Files\Silverlight\sllauncher.exe
C:\Program Files\Silverlight\sllauncherENU.dll
C:\Program Files\Silverlight\thumb.dat
C:\WINDOWS\pcawhere\thinprobe.exe
C:\WINDOWS\pcawhere\thinhostprobedll.dll
C:\WINDOWS\pcawhere\thumb.db
C:\Documents and Settings\All Users\Application Data\sysupdate\pdh.dll
C:\Documents and Settings\All Users\Application Data\sysupdate\kwpsinvfy.exe
C:\Users\All Users\sysupdate\pdh.dll
C:\Users\All Users\sysupdate\kwpsinvfy.exe
- The auto-run entries found on infected systems are as follows:
"C:\ProgramData\systemconfig\INISafeWebSSO.exe" /update
"C:\ProgramData\systemconfig\kwpsinvfy.exe" /update
"C:\Documents and Settings\All Users\Application Data\systemconfig\gdf.exe" /update
- Creation of a mutex with a specific name, which the malware builds from the username and the string Defender.
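A host check for the indicators listed above, as an added example that is not part of the original advisory or of Padvish's own tooling. It looks for the named subkeys under both Classes hives, for the listed file paths, for sys.bin.url (the advisory gives no path for it, so searching the directories of the other indicators is an assumption), and for Run-key values that start one of the listed executables with /update. The mutex is left out because the advisory does not give its exact name.

```powershell
# Added example (not from the original advisory): sweep one Windows host for the
# indicators listed above. Run from an elevated PowerShell session.

# Subkey names reported under HKLM\Software\Classes and HKCU\Software\Classes.
$ClassesKeyNames = @(
    'D9B449EC8D04883DC38EB2ADBF2783FB',
    'DHSFSGD375678FDHS237826WFS278346',
    'll37389743nxshkhjhgee',
    'HjDWr6vsJqfYb89mxxxx'
)

# File paths from the advisory. They carry the names of legitimate components,
# so a hit is a lead for triage rather than proof of infection.
$SuspectFiles = @(
    'C:\ProgramData\systemconfig\INISafeWebSSO.exe',
    'C:\ProgramData\systemconfig\kwpsinvfy.exe',
    'C:\ProgramData\vf_host\VFTRACE.dll',
    'C:\ProgramData\plugin_host\PYTHON33.dll',
    'C:\Windows\AppPatch\Custom\GameuxInstallHelper.dll',
    'C:\ProgramData\vf_host_update\VFTRACE.dll',
    'C:\ProgramData\VFTRACE.dll',
    'C:\ProgramData\ThunderBrowser\libcef.dll',
    'C:\Program Files\Silverlight\sllauncher.exe',
    'C:\Program Files\Silverlight\sllauncherENU.dll',
    'C:\Program Files\Silverlight\thumb.dat',
    'C:\WINDOWS\pcawhere\thinprobe.exe',
    'C:\WINDOWS\pcawhere\thinhostprobedll.dll',
    'C:\WINDOWS\pcawhere\thumb.db',
    'C:\Documents and Settings\All Users\Application Data\sysupdate\pdh.dll',
    'C:\Documents and Settings\All Users\Application Data\sysupdate\kwpsinvfy.exe',
    'C:\Users\All Users\sysupdate\pdh.dll',
    'C:\Users\All Users\sysupdate\kwpsinvfy.exe'
)

# Executables named in the advisory's auto-run entries; all are started with /update.
$AutorunBinaries = @('INISafeWebSSO.exe', 'kwpsinvfy.exe', 'gdf.exe')

function Find-Apt27Indicators {
    $findings = New-Object 'System.Collections.Generic.List[object]'

    # 1. Registry subkeys in both Classes hives.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($name in $ClassesKeyNames) {
            $key = "$hive\Software\Classes\$name"
            if (Test-Path -LiteralPath $key) {
                $findings.Add([pscustomobject]@{ Kind = 'RegistryKey'; Indicator = $key; Note = 'Advisory: holds encrypted strings' })
            }
        }
    }

    # 2. Known file paths (legitimate file names reused by the malware).
    foreach ($path in $SuspectFiles) {
        if (Test-Path -LiteralPath $path -PathType Leaf -ErrorAction SilentlyContinue) {
            $findings.Add([pscustomobject]@{ Kind = 'File'; Indicator = $path; Note = 'Legitimate name; verify the file' })
        }
    }

    # 3. sys.bin.url, which the advisory calls conclusive but gives no path for.
    #    Assumption: it sits in one of the directories the other indicators use.
    $dirs = $SuspectFiles | Split-Path -Parent | Sort-Object -Unique
    foreach ($dir in $dirs) {
        $candidate = Join-Path $dir 'sys.bin.url'
        if (Test-Path -LiteralPath $candidate -PathType Leaf -ErrorAction SilentlyContinue) {
            $findings.Add([pscustomobject]@{ Kind = 'File'; Indicator = $candidate; Note = 'Advisory: definite infection' })
        }
    }

    # 4. Run-key values that launch one of the listed binaries with /update.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($runKey in $runKeys) {
        if (-not (Test-Path -LiteralPath $runKey)) { continue }
        $values = Get-ItemProperty -LiteralPath $runKey
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -in $providerProps) { continue }   # skip provider metadata, keep real values
            $cmd = [string]$prop.Value
            foreach ($bin in $AutorunBinaries) {
                if ($cmd -match [regex]::Escape($bin) -and $cmd -match '/update') {
                    $findings.Add([pscustomobject]@{ Kind = 'Autorun'; Indicator = "$runKey\$($prop.Name) = $cmd"; Note = 'Matches advisory auto-run command' })
                }
            }
        }
    }

    return $findings
}

$hits = @(Find-Apt27Indicators)
if ($hits.Count -eq 0) {
    Write-Output 'None of the listed APT27 indicators were found on this host.'
} else {
    $hits | Format-Table -AutoSize
}
```

A file hit alone is not a verdict, since the advisory itself notes that these names belong to legitimate software; treat it as a reason to pull the file for analysis or to run the antivirus scan described at the end of this page.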
Function explanation
This malware uses a very classic technique known as DLL hijacking. The malware package consists of a legitimate executable, a DLL file and a data file, a set of three files that go together.
The mechanism works as follows. The executable, a legitimate and well-known software file, needs an auxiliary DLL to work correctly and loads that DLL as soon as it starts. In this attack a malicious DLL is placed beside the exe file in place of the original DLL, so the legitimate executable mistakenly loads the malicious file and unintentionally runs the malicious code. To avoid detection, the main malware code is not placed in the DLL either; the malicious DLL only acts as a loader and decoder for the encrypted data file that sits beside it. Legitimate exe files such as gdf.exe, thunderbrowser.exe, sllauncher.exe and ve_host.exe are mostly used for this purpose. For this reason, detecting APT malware with ordinary resident security mechanisms is hard and complex work that requires advanced techniques.
Once the executable starts, it calls a function from the DLL; the DLL decrypts the encrypted contents and stores them in memory. Finally, the DLL hands execution over to the decrypted malicious code.
Like other APTs, this version has a command-and-control server from which it receives instructions and to which it sends the collected information.
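One way to triage a directory for the exe + DLL + data file package described above, as an added example that is not the advisory's or Padvish's code. Two assumptions are made that the page does not state: a legitimate helper DLL normally carries a valid Authenticode signature from the same publisher as the executable that loads it, and an encrypted payload file shows byte entropy close to 8 bits per byte. The directories in the usage lines are taken from the path list earlier on this page, where triples such as sllauncher.exe, sllauncherENU.dll and thumb.dat appear side by side.

```powershell
# Added example (not from the original advisory): look for a signed host executable
# with an unsigned or differently signed DLL beside it, plus a high-entropy data file.

# Shannon entropy in bits per byte over the first 1 MB of a file.
# Assumption: encrypted payloads land near 8.0; plain text and most PE files sit lower.
function Get-ShannonEntropy {
    param([Parameter(Mandatory)][string]$Path)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buffer = New-Object byte[] 1MB
        $read = $stream.Read($buffer, 0, $buffer.Length)
    } finally {
        $stream.Dispose()
    }
    if ($read -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    for ($i = 0; $i -lt $read; $i++) { $counts[$buffer[$i]]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $read
            $entropy -= $p * [math]::Log($p, 2)
        }
    }
    return $entropy
}

function Test-SideLoadingTriple {
    param(
        [Parameter(Mandatory)][string]$Directory,
        [double]$EntropyThreshold = 7.5     # assumption, see above
    )
    $results = @()
    $exes   = Get-ChildItem -LiteralPath $Directory -Filter *.exe -File -ErrorAction SilentlyContinue
    $dlls   = Get-ChildItem -LiteralPath $Directory -Filter *.dll -File -ErrorAction SilentlyContinue
    $others = Get-ChildItem -LiteralPath $Directory -File -ErrorAction SilentlyContinue |
              Where-Object { $_.Extension -notin @('.exe', '.dll') }

    foreach ($exe in $exes) {
        $exeSig = Get-AuthenticodeSignature -LiteralPath $exe.FullName
        if ($exeSig.Status -ne 'Valid') { continue }   # the pattern relies on a trusted host binary
        $exePublisher = $exeSig.SignerCertificate.Subject

        foreach ($dll in $dlls) {
            $dllSig = Get-AuthenticodeSignature -LiteralPath $dll.FullName
            $dllPublisher = if ($dllSig.SignerCertificate) { $dllSig.SignerCertificate.Subject } else { '<unsigned>' }
            # A DLL validly signed by the same publisher as its host is the expected case.
            if ($dllSig.Status -eq 'Valid' -and $dllPublisher -eq $exePublisher) { continue }

            # Suspicious pair: look for the encrypted data file the DLL would decode.
            $payloads = foreach ($f in $others) {
                $h = Get-ShannonEntropy -Path $f.FullName
                if ($h -ge $EntropyThreshold) { "$($f.Name) ($([math]::Round($h, 2)) bits/byte)" }
            }
            $results += [pscustomobject]@{
                Directory        = $Directory
                HostExe          = $exe.Name
                ExePublisher     = $exePublisher
                Dll              = $dll.Name
                DllSignature     = "$($dllSig.Status) / $dllPublisher"
                HighEntropyFiles = ($payloads -join ', ')
            }
        }
    }
    return $results
}

# Directories taken from the path list in the advisory.
@('C:\ProgramData\systemconfig', 'C:\ProgramData\vf_host', 'C:\ProgramData\vf_host_update',
  'C:\ProgramData\plugin_host', 'C:\ProgramData\ThunderBrowser',
  'C:\Program Files\Silverlight', 'C:\WINDOWS\pcawhere') |
    Where-Object { Test-Path -LiteralPath $_ -PathType Container } |
    ForEach-Object { Test-SideLoadingTriple -Directory $_ } |
    Format-Table -AutoSize
```

Publisher mismatch is a triage signal, not a verdict: redistributable DLLs shipped with a product are often signed by a different vendor, or not signed at all, so a reported pair still needs the DLL and any high-entropy file beside it examined before it is treated as the malicious package.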
How to deal with it and disinfect the system
Padvish antivirus detects this malware as Trojan.Sin32.APT27 and removes it from the system. To make sure you are not infected with this malware, run a Padvish quick scan, and if you see a detection log, contact the Padvish support team.