85.txt

Group Background
DuNaoChong, also known as Donot, is internally tracked by Qi An Xin with the ID APT-Q-38. This group mainly targets South Asian countries such as Pakistan, Bangladesh, and Sri Lanka, conducting cyber espionage against government agencies, defense and military sectors, diplomatic departments, and key business figures to steal sensitive information. DuNaoChong possesses dual-platform attack capabilities on Windows and Android. In previous attacks, it often spread malicious code through spear-phishing emails carrying Office vulnerabilities or malicious macro documents and via Android APKs.

Incident Overview
Recently, Qi An Xin Threat Intelligence Center discovered that the DuNaoChong group is using PDF documents as lures in their attack campaigns, potentially affecting countries in South Asia like Pakistan and Bangladesh. The attackers employ two specific attack methods:

Directly disguising malicious EXE files as PDF icons, tricking victims into thinking they are opening a PDF document but actually executing the EXE.

A more elaborate method where the lure PDF contains phishing links to malicious PPT files; once downloaded and opened by victims, the PPT executes macro code. Apart from initially using PDFs as lures, this second method aligns with previous DuNaoChong attacks that delivered malicious macro documents directly.

The lure PDF intentionally blurs its content and uses fake prompt messages instructing victims to click “Download” to access the document content online. Once victims click on designated areas in the PDF, a network request is triggered, eventually redirecting to a webpage hosting the malicious PPT download.

EXE Disguised as PDF
Basic information about the EXE malware disguised as a PDF document is as follows. Before detailed analysis, preliminary info was obtained from the Qi An Xin Intelligence Sandbox (https://sandbox.ti.qianxin.com/sandbox/page):

Sandbox report link: https://sandbox.ti.qianxin.com/sandbox/page/detail?type=file&id=AZT5fv50h6wn_HCy8ts6

Sample filename: -

Sample MD5: 893561ff6d17f1e95897b894dde29a2a

Sample type: PE32 EXE

Sample size: 1.85 MB (1,942,112 bytes)

Sandbox Analysis
After uploading to the Qi An Xin Intelligence Sandbox, the sample received a maliciousness score of 10 based on intelligent behavioral analysis.

Suspicious behaviors include sending POST requests to totalservices[.]info, dropping a BAT file named djkggosj.bat, and executing it via cmd.exe.

Although the sample is an EXE, it uses a PDF icon, clearly as disguise. The file metadata references game software information and carries a digital signature from "Ebo Sky Tech Inc."

The host behavior section shows the sample spawns a cmd.exe subprocess that executes the BAT file stored in the FROX directory created by the sample. The BAT file is both created and deleted during execution.

Network activity reveals HTTPS communication with the remote server totalservices[.]info via POST requests.

Detailed Analysis
The sample contains numerous "01" strings, which are binary forms of the ASCII codes of original strings.

Some of these encoded strings serve as XOR decryption keys used to restore API names and other imported strings.

The sample first creates the directory "%LocalAppdata%\TEMP\FROX\" and drops djkggosj.bat there. The BAT file sets a scheduled task named PerformTaskMaintain to maintain persistence.

It then creates a mutex named "08808" and collects device information, including CPU model, OS product name and build number, username, hostname, CPU ProcessorID, and installed software list.

The collected info is AES encrypted and Base64 encoded, appended to "batac=" as POST request data sent to:
"hxxps://totalservices.info/WxporesjaTexopManor/ptomekasresdkolertys"

The malware decides whether to download follow-up payloads based on the C2 server’s response. The follow-up payload named socker.dll is requested with a data field containing an encrypted string concatenating victim ID info (username, hostname, ProcessorID). The download URL is:
"hxxps://totalservices.info/vrptpvabkokamekastra/N1/SA"

The downloaded DLL is saved as "%LocalAppdata%\moshtmlclip\socker.dll". Another BAT file "%LocalAppdata%\Temp\FROX\sfs.bat" is dropped to create a scheduled task named MicrosoftVelocity that launches socker.dll by executing its exported function "?ejjwed@@YAHXZ".

Since socker.dll has not yet been captured, further analysis of subsequent payload functionality is unavailable at this time.

PDF Phishing Attack Chain
The Turla group’s another attack method using PDF bait involves delivering a PPT with malicious macros via phishing links embedded in the PDF. Relevant sample information is as follows.

MD5	Filename	Description
5af77f4a63089011563bd3fcd02d56e0	NDC-Course.pdf	PDF containing a link to download a malicious PPT
eb5d23a6a200016ba9b2d0085e58b586	Assets 2024.pdf	PDF containing a link to download a malicious PPT
0f4f32b97c7bde0824b0fd27fe3ec4b0	NDC-Course.ppt	PPT with malicious macros
d3ff126dc3e69d7f2d660a504b499cc4	-	PPT with malicious macros
a0dbb4f8dbc5df628f03d60ed4a79d29	Assets 2024.ppt	PPT with malicious macros
bcc0f690f330be4321365f6fd1330d95	PLAIN.dll	DLL that reports collected information to C&C server and downloads subsequent payloads
2c2176d9a74851dd30525a87bf0794ca	PLAIN.dll	DLL that reports collected information to C&C server and downloads subsequent payloads
bdc40a26cd02e33e5b83a9573125793e	PLAIN.dll	DLL that reports collected information to C&C server and downloads subsequent payloads
8e91d5ab926daca6f4db41ba8a918ffd	PLAIN.dll	DLL that reports collected information to C&C server and downloads subsequent payloads
fa6cd1543db5156e7063db87b3241f26	PLAIN.dll	DLL that reports collected information to C&C server and downloads subsequent payloads
df2ef826d0a398772f2373cd7303d58b	PLAIN.dll	DLL that reports collected information to C&C server and downloads subsequent payloads

Taking sample Assets 2024.pdf (MD5: eb5d23a6a200016ba9b2d0085e58b586) as an example, it contains a link to download the PPT:
"hxxps://sharetobijoy.buzz/2024/filez/uploadz/invite25.php?id=19112".

The malicious macros in the PPT execute different shellcode depending on whether the system is 64-bit or not.

The shellcode is a two-stage downloader commonly used by Turla. Taking the 32-bit shellcode as an example, the first-stage shellcode fetches the next stage from:
"hxxp://diffgrinder.info/PNubW5l8DVqKlNbo/zFsDitREUBbsbeB815VkWnKpuXN4bhXUg3MFC7txkrV5beqf.png",
which is decrypted and executed as the second-stage shellcode.

The second-stage shellcode then downloads the next stage from:
"hxxp://diffgrinder.info/PNubW5l8DVqKlNbo/zFsDitREUBbsbeB815VkWnKpuXN4bhXUg3MFC7txkrV5beqf.mp3",
saving it as "%temp%\meaBRlIGkgtELpU\ksHWqKqg.dll". It writes the four-byte sequence "4D 5A 90 00" to fix the DOS header, then loads the DLL into memory and calls its exported function "LOPP".

ksHWqKqg.dll (MD5: 2c2176d9a74851dd30525a87bf0794ca) has two exported functions, LOPP and VelocitySpeed. The DLL’s functionality is consistent with the previously described EXE program malicious behavior disguised directly as a PDF.

(1) LOPP
This function mainly handles persistence operations. It drops a cross.bat file, creates a scheduled task named PerformTaskMaintain, executes the exported function VelocitySpeed from "%temp%\FROX\PLAIN.dll", and copies the DLL itself as "%temp%\FROX\PLAIN.dll".

(2) VelocitySpeed
This function is responsible for interaction with the C&C server and fetching subsequent payloads. It collects information from the infected device (CPU model, OS product name and build number, username, hostname, CPU ProcessorID, installed software list), encrypts it, and sends it to the C&C server. The AES encryption IV and key are as follows, identical to those in the EXE sample.

If the server response meets conditions, it continues fetching the subsequent payload socker.dll from the C&C server, saves it as "%LocalAppdata%\moshtmlclip\socker.dll", drops sfs.dat, and creates a scheduled task to start socker.dll.

Attribution
The phishing attack chain starting with PDF document bait is highly consistent with Turla’s previous attack methods [1]. Similarities include shellcode coding features, URL formats for fetching subsequent payloads, use of 01 encoding in strings, and use of BAT files to set scheduled tasks for running other components.

The EXE disguised as PDF and PLAIN.dll are nearly identical in code and malicious behavior. Moreover, the EXE retains the 01 encoding of "PLAIN.dll" and its compile and digital signature timestamps are after PLAIN.dll’s active attack use. Therefore, it is reasonable to conclude the EXE is rewritten from PLAIN.dll, and the attacker uses the EXE disguised as PDF possibly to simplify the attack process or change the attack method.

Summary
The captured attack samples belong to the early stage components of the Turla attack chain. The subsequent payloads obtained from the C&C server (e.g., socker.dll) are likely used for further intelligence collection. Using PDFs as bait is rare in this group’s previous attacks, but the attack process still follows Turla’s usual tactics. Overall, the changes are minor, indicating this attack chain remains reliably effective in Turla’s cyber espionage operations.d:\攻击报告收集\奇安信-27\金眼狗团伙近期活动跟踪.txt