Uncovering APT-C-41 (StrongPity) Backdoor

Tool of Turkish Espionage and Cyber Crime Group.

Image for post

In this blog, i will be uncovering backdoor deployed by Turkish APT group APT-C-41(aka StrongPity) backdoor recently targeting Europe countries. APT-C-41 is known for conducting cyber crime and espionage operations against financial, industrial and educational sectors. Recent activities of APT-C-41 are caught since Nov of last year.

Static and Dynamic Analysis

Static Analysis(Basic)

File Information

Its 32bit malware.

Image for post
Image for post
It’s the unpacked sample.
Image for post
Here’s the view of unpacked backdoor.

Static Analysis (Advanced)

For starting with the advanced static analysis lets see the exports. In exports there is only one function , which is start function.

Image for post
exports of APTC41 backdoor.

start function:

Mainly in this function there are two functions, system_info_fetcher() and sort_of_main_function_for_access_scrambling_dll_loading(). Where the system_info_fetcher function is to fetch the system information for triage, whereas the sort_of_main_function_for_access_scrambling_dll_loading function is being deployed for the controlling access controls on systems, scramble up data and loading the dlls.

Image for post
Image for post
Code & Call Graph of start(entry) function.

system_info_fetcher function

This function is basically made for getting all information of information of system using GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter function.

Image for post
Image for post
Code & Call Graph of system_info_fetcher function.

sort_of_main_function_for_access_scrambling_dll_loading function:

This function is responsible for the controlling access controls , setting up exceptions , applying anti analysis techniques and calling WinMain function.

Image for post
Image for post
Call graph & Code of sort_of_main_function_for_access_scrambling_dll_loading function.

WinMain function

Moving on to backdoor WinMain function, which is used to have calling seven functions.

GetModuleHandleA, GetProcAddress, GetLastError, callr_of_system_info_fetcher_for_win_main, Sleep, downld_plugin_from_C2.

firstly using the module of kernel32 is being loaded then after that the go_for_callr_of_dll_main() function is being executed which is main function for loading dlls for exploitation.

Then after that, callr_of_system_info_fetcher_for_win_main function is called which is used for fetching system information for the WinMain function. Then for sometime Sleep function is called for hiding the activities from user. Then for downloading plugin from C&C (command and control server) it uses downld_plugin_from_C2 function.

Image for post
Image for post
Code & Call Graph of WinMain function.

make_requests_to_C2 function:

This module of APT-C-41 backdoor is responsible for making requests to the Command and Control Server (aka C&C/C2) using functions like WinHttpOpenRequest, WinHttpAddRequestHeaders, WinHttpSendRequest, WinHttpReceiveResponse.

Image for post
Image for post
Call Graph & Code of make_requests_to_C2 function.

downld_plugin_from_C2 function:

This function is deployed for downloading plugins from C2 using the functions like get_files_loaded_from_C2.

Image for post
Image for post
Code & Call Graph of downld_plugin_from_C2 function.

get_files_loaded_from_C2 function:

This function is mainly used for loading the files from command and control server.

Image for post
Image for post
Call Graph & code of get_files_loaded_from_C2 function.

load_plugin_from_C2 function:

This function is available for loading the plugins from the C2.

Image for post
Image for post
Call Graph & code of load_plugin_from_C2 function.

C2_operating_for_file_removals function:

In this function, the C2 operations are being crafted for file removals.

Image for post
Image for post
Call graph & code of C2_operating_for_file_removals function.

Dynamic Analysis:(Advanced)

For dynamic analysis , i had set the few breakpoints in the start function:

..:- system_info_fetcher

..:- sort_of_main_function_for_access_scrambling_dll_loading

Luckily the breakpoints gets hits for this sample.

Image for post
In IDA Setting up breakpoints in start function.

As the debugger hits at first breakpoint in start function following dlls are being loaded .

Image for post
Text view of IDA hitting at system_info_fetcher function in start function.
Image for post
Graph view of IDA hitting at system_info_fetcher function in start function.

Soon after first breakpoint the debugger gets hits at the “004024FE” in WinMain function.

Image for post
Image for post
Graph view & Text View of IDA hitting at 004024FE location in WinMain function.

Then after that , the breakpoint is being hit at “75492E09”.

Image for post
Text View of IDA hitting at 75492E09 location.

As the execution of debugger continues, the debug gets hit at the debugbreak in sub-routine “sub_77870530" which is just having the debugbreak function in it.

Image for post
Image for post
Graph view & Text View of IDA hitting at “sub_77870530” sub-routine.

Since, execution on that debugbreak stops due to “debug trap” that is hardware interrupt and what that means is that debugger gets hits at the hardware breakpoint and after such interrupt no execution of debugging instruction will take place in memory and execution will only loop around the debug trap only.

Image for post
Graph view & Text View of IDA hitting at debug trap (Hardware Interrupt aka Hardware Breakpoint).

So by stopping the debugging and setting again two breakpoints :

..:- load_plugin_from_C2

..:- make_requests_to_C2 .

When the first debugger breakpoints gets hit results are as shown below.

Image for post
Image for post
Image for post
Graph view & Text View of IDA hitting at get_files_loaded_from_C2 sub-routine.

while executing further the execution gets to second breakpoint “make_requests_to_C2"

Image for post
Image for post
Image for post
Text View & Graph view of IDA hitting at make_requests_to_C2 sub-routine.

Since, execution on that debugbreak stops again due to “debug trap” and after such interrupt no execution of debugging instruction will take place in memory and execution will only loop around the debug trap only.

Image for post
Image for post
Graph view & Text View of IDA hitting at again at debug trap (Hardware Interrupt aka Hardware Breakpoint).

Indicators of Compromise(IOCs) and Detections

Network [ C2 Communications]

91[.]219[.]238[.]31

Att&ck IDs

T1059, T1055, T1497, T1027, T1027.002, T1124, T1518.001, T1057, T1010, T1018, T1083, T1082, T1056, T1560, T1573, T1095, T1071.

Att&ck Mitre Techniques

Image for post

Sample from Report

StrongPity Backdoor:

MD5: d7c62bc2a06d5abd872152ec87c64c8b

SHA1: 38ce3668ddfb00166ce6f68687d17c4a6cc91178

SHA256: f81d16d98d7c5423e8f231fe47778b0824360fb41525fd545097bb8e700e1a8d

YARA Signature:

Image for post

Thank you for reading.

aka Nikhil Rathor | Honey. Malware Analyst. I write blogs related to threat intelligence , malware analysis, APTs , network intrusions and incident responding.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store