Decrypting the "OceanLotus" (Sea Lotus) group: domain controller compromise, detection and defense
2022-07-24 14:29:00 【Ink mark v. breeze】
01 First signs
When I saw this alarm, I knew it was not as simple as it looked. PS: the first screenshot could not be found...

OceanLotus (海莲花) is a Southeast Asian APT group, possibly with a military background. Among the many APT groups we track continuously, it is not the one with the strongest technical background, but it is the most persistent. The group began long-term attacks and intrusions against all kinds of key sectors in China in 2012; that makes this at least the 11th year. Children who were small back then have grown up since, and the group is still attacking.
According to the user, the machine kept raising alarms after the product went live: seven or eight alarms in one session, at almost identical intervals. From this alone we could be certain that the company had been compromised.
Something told me these were not the only compromised machines. Every time OceanLotus appears, it has captured a large number of bots, all calling back to completely "white" (legitimate-looking) addresses. A perfectly normal address plus fully encrypted traffic makes investigating this APT far harder.
02 Looking back
On the way to the emergency, I thought about their "deeds". A picture borrowed from the threat intelligence team roughly describes their history.

Their usual intrusion methods: spear phishing, watering holes, social engineering, riding hot topics, and so on.


Since 2020, however, OceanLotus has gradually abandoned traditional spear phishing and turned to long-term tracking and exploitation of website vulnerabilities; recently it has even been found poisoning the upstream supply chain.
Then there is OceanLotus's usual "white + black" technique (a legitimate, signed "white" executable loading the group's own malicious DLL), combined with various obfuscation methods: junk instructions, packers, RAR self-extracting archives, macro viruses and so on.

It seems they do whatever it takes and never give up until the goal is reached. Indeed, foreign tracking and analysis describe OceanLotus as a group of diligent office workers: regular working hours, orderly organization......
"We're here." The driver's greeting pulled me out of my thoughts; I looked up and saw we had arrived at the customer's site. Time to start the on-site response.
03 The whole picture
The traffic-detection equipment showed machines actively reaching out to OceanLotus domain names or IPs, and TDP's correlation search over OceanLotus's characteristic traffic behaviour caught many more compromised machines.

We coordinated with the client to get on the machines and collect evidence, starting with an on-site examination of one host. First, the threat search tool was used to locate the network connection and determine the initiating process.
The search tool quickly finds which process is connecting to a given domain name or IP, which makes locating malicious programs during emergency response much faster.

After finding that a process named svchost was connecting back to the malicious domain, we considered two possibilities: 1. it was started as a service; 2. the original program had been tampered with. We used Microsoft's official Autoruns to check the services.

Sure enough, under Scheduled Tasks we found a task that the user had not created. A small detail here: Autoruns checks the digital signature of each entry and highlights unsigned software with a pink background. Nothing was highlighted in this case because OceanLotus uses the "white + black" method: a normal, signed "white" file is used to load their own malicious DLL.

After locating the process path, we found the malicious DLL in that directory. OceanLotus had cleverly adjusted the DLL's modification time to match that of the normal files in the same directory (timestomping).

While I was glad to have found the Trojan, I could not help wondering whether antivirus software has trouble detecting a Trojan at this level. I took a look at the antivirus and only then discovered that the Trojan had been implanted in one of the antivirus's whitelisted paths.

OceanLotus's Trojans are in fact not hard to detect; many antivirus products catch them. But the group makes good use of all kinds of low-tech but practical hiding methods. In this case they placed the malicious Trojan in a whitelisted directory commonly used in the user's environment, so the antivirus's scheduled scans never found it at all.
04 The fog lifts
After pinning down the Trojan, we continued to track related traces and logs. The exact creation time of the scheduled task was found in the scheduled-task log, which puts OceanLotus's intrusion time at 2021-08-19 15:36:10.

Even if the attacker clears the logs, creating a scheduled task leaves a file named after the task under C:\Windows\System32\Tasks\ or C:\Windows\SysWOW64\Tasks, and the creation time of that file is the intrusion time.
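The triage steps above (an Autoruns-style signature check of each scheduled task's binary, the "white + black" pattern of a signed EXE sitting next to an unsigned DLL, and the creation time of the task file under System32\Tasks) can be scripted. The following is an added example written for this page, not code from the original post or any tool it mentions; it assumes an elevated PowerShell session on the host being examined and the standard ScheduledTasks module. Directories under the Windows folder are skipped for the DLL check, on the assumption that the suspicious "white" EXE lives in a user or application directory, as in the case described.

```powershell
# Added example (not from the original post): triage scheduled tasks.
# For every registered task: resolve the action binary, check its Authenticode
# signature, list unsigned DLLs in the same directory (side-loading candidates),
# and read the creation time of the task's XML file under System32\Tasks,
# which survives event-log clearing.

$taskRoot = Join-Path $env:SystemRoot 'System32\Tasks'

function Get-TaskActionPath {
    param([Parameter(Mandatory)] $Task)
    foreach ($a in $Task.Actions) {
        if ($a.Execute) {
            # Expand %SystemRoot%-style variables and strip surrounding quotes
            return [Environment]::ExpandEnvironmentVariables($a.Execute).Trim('"')
        }
    }
    return $null
}

$findings = foreach ($t in Get-ScheduledTask) {
    $exe = Get-TaskActionPath -Task $t
    if (-not $exe) { continue }                       # COM-handler actions have no executable
    if (-not (Test-Path -LiteralPath $exe)) {
        # Bare names such as "cmd.exe" resolve through PATH; skip anything unresolvable
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd) { $exe = $cmd.Source } else { continue }
    }
    $sig = Get-AuthenticodeSignature -FilePath $exe
    $dir = Split-Path -Parent $exe

    # Unsigned DLLs next to the EXE. Windows-directory binaries are catalog-signed
    # and numerous, so only non-system directories are examined (assumption).
    $unsignedDlls = @()
    if ($dir -notlike "$env:SystemRoot*") {
        $unsignedDlls = Get-ChildItem -LiteralPath $dir -Filter '*.dll' -ErrorAction SilentlyContinue |
            Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid' } |
            Select-Object -ExpandProperty Name
    }

    # The XML file that registers the task; its CreationTime is when the task was created
    $xmlPath = Join-Path $taskRoot ($t.TaskPath.TrimStart('\') + $t.TaskName)
    $created = if (Test-Path -LiteralPath $xmlPath) { (Get-Item -LiteralPath $xmlPath).CreationTime } else { $null }

    [pscustomobject]@{
        Task        = $t.TaskPath + $t.TaskName
        Author      = $t.Author
        Executable  = $exe
        ExeSigned   = $sig.Status
        UnsignedDll = ($unsignedDlls -join ',')
        TaskCreated = $created
    }
}

# Worth a look: the EXE itself is unsigned, or a signed EXE has unsigned DLLs beside it
$findings |
    Where-Object { $_.ExeSigned -ne 'Valid' -or $_.UnsignedDll } |
    Sort-Object TaskCreated |
    Format-Table -AutoSize
```

Sorting by TaskCreated lines the suspicious tasks up against the intrusion timeline; a task whose XML file was created well after the system was built, pointing at a signed EXE in an application or whitelisted directory with an unsigned DLL beside it, is exactly the combination the article describes.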

Continuing with the system logs, suspicious account logon behaviour was found in the Security log: the logon used NTLMv2 authentication, but the user of this machine would not, and had no need to, log on to the target machine, so this can be judged a pass-the-hash (PtH) lateral intrusion.
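The Security-log review described above can be reproduced with a query for 4624 logon events that were network logons authenticated with NTLM V2, summarised by account and source address. This is an added example for this page, not the author's script or the product's feature; it assumes an elevated session on the examined host, a 30-day window (adjust to the incident), and the standard field names of event 4624.

```powershell
# Added example (not from the original post): find NTLMv2 network logons in the
# Security log and summarise who logged on from where, and how often.
# A workstation receiving such logons from peers it never needs to talk to is
# the pattern the article treats as pass-the-hash lateral movement.

$since = (Get-Date).AddDays(-30)   # assumption: review the last 30 days

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
    -ErrorAction SilentlyContinue

$ntlmLogons = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    # Turn the <Data Name="..."> list into a hashtable for easy lookup
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($d.LogonType -ne '3') { continue }                     # network logon only
    if ($d.AuthenticationPackageName -ne 'NTLM') { continue }  # not Kerberos
    if ($d.LmPackageName -ne 'NTLM V2') { continue }           # NTLMv2 specifically
    # ANONYMOUS LOGON and machine accounts ($) are routine SMB noise; leave them out
    if (-not $d.TargetUserName -or $d.TargetUserName -eq 'ANONYMOUS LOGON' -or
        $d.TargetUserName -like '*$') { continue }

    [pscustomobject]@{
        Time       = $e.TimeCreated
        Account    = "$($d.TargetDomainName)\$($d.TargetUserName)"
        SourceIP   = $d.IpAddress
        SourceHost = $d.WorkstationName
    }
}

# Which accounts logged on over NTLMv2 from which addresses, with first/last seen
$ntlmLogons |
    Group-Object Account, SourceIP |
    Select-Object Count,
        @{ n = 'Account, SourceIP'; e = { $_.Name } },
        @{ n = 'First'; e = { ($_.Group | Measure-Object Time -Minimum).Minimum } },
        @{ n = 'Last';  e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Read the result against what the host is for: an ordinary office workstation should see few or no interactive user accounts logging on to it over NTLMv2 from other workstations, so each row is a question to put to the owner of the source address.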

From the above analysis we can conclude that after OceanLotus entered this machine via the intranet, it added a scheduled task and deployed a malicious Trojan.
But you think it ends there? It doesn't.
Tracing a single compromised machine yields very limited results. In the subsequent analysis it turned out that one piece of software had a process-recording function. Checking its log around the intrusion time showed OceanLotus using the sc command to configure a remote service; being able to control the remote server with sc proves, with high probability, that the domain controller had been taken.

We then found that OceanLotus used the certutil command to download files within the intranet for lateral movement.
Another tip: files fetched with certutil's remote download are cached under paths such as
%USERPROFILE%\AppData\LocalLow\Microsoft\CryptnetUrlCache\
and the cache entries can be viewed directly with Notepad.
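The Notepad check above can be done for every profile on the host at once. The following is an added example for this page, not the author's procedure: it walks the CryptnetUrlCache MetaData directories of all user profiles and of the SYSTEM profile, pulls the URL recorded in each metadata file (assumption: the URL is stored as a UTF-16LE string inside the file, so a regex over the decoded bytes recovers it; verify on one known entry first), and reports the size of the matching cached payload in the Content directory.

```powershell
# Added example (not from the original post): list CryptnetUrlCache entries for
# all profiles, with the URL each records and the cached payload size, so that
# certutil downloads can be lined up against the intrusion timeline.

$cacheRoots = @(
    # Per-user caches
    (Join-Path $env:SystemDrive 'Users\*\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData'),
    # Downloads made as SYSTEM (services, scheduled tasks) land under the system profile
    (Join-Path $env:SystemRoot 'System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData')
)

$entries = foreach ($root in $cacheRoots) {
    foreach ($f in Get-ChildItem -Path $root -File -Force -ErrorAction SilentlyContinue) {
        # Assumption: the URL is embedded as UTF-16LE text; decode and search for it
        $text = [System.Text.Encoding]::Unicode.GetString([System.IO.File]::ReadAllBytes($f.FullName))
        $m = [regex]::Match($text, '(?i)https?://[^\s\x00]+')

        # The payload sits in ..\Content\<same file name>
        $contentFile = Join-Path (Join-Path (Split-Path -Parent (Split-Path -Parent $f.FullName)) 'Content') $f.Name
        $size = if (Test-Path -LiteralPath $contentFile) { (Get-Item -LiteralPath $contentFile).Length } else { $null }

        [pscustomobject]@{
            LastWrite   = $f.LastWriteTime
            Profile     = if ($f.FullName -match '\\Users\\([^\\]+)\\') { $Matches[1] } else { 'SYSTEM' }
            Url         = if ($m.Success) { $m.Value } else { '(no URL found)' }
            PayloadSize = $size
            MetaFile    = $f.FullName
        }
    }
}

$entries | Sort-Object LastWrite | Format-Table LastWrite, Profile, Url, PayloadSize -AutoSize
```

Entries whose URL points at an intranet host rather than a certificate authority's CRL or OCSP endpoint, with a LastWrite time in the intrusion window, are the ones to pull the Content file for and hash.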

Continuing the analysis, svchost was found listening on an abnormal port, 8901.

Using netsh interface portproxy show all to view all port forwarding, sure enough port 445 was being forwarded to port 8901, to hide their tracks.
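The two checks above (an unexpected listener in svchost, and a netsh portproxy rule) can be combined into one script. This is an added example for this page, not the author's command set: it reads persistent portproxy rules from the registry key where netsh stores them (assumption: HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\<family>\<proto>, value name "listenaddr/listenport", value data "connectaddr/connectport"), prints netsh's own view for comparison, and lists every listening TCP port with its owning process, image path and, for svchost, the services it hosts.

```powershell
# Added example (not from the original post): surface port-proxy rules and
# unexplained listeners on a host.

# 1. Persistent portproxy rules, straight from the registry
$proxyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy'
$rules = foreach ($family in Get-ChildItem -Path $proxyKey -ErrorAction SilentlyContinue) {
    foreach ($proto in Get-ChildItem -Path $family.PSPath -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $proto.PSPath
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath/... members
            [pscustomobject]@{
                Family  = $family.PSChildName      # v4tov4, v4tov6, ...
                Proto   = $proto.PSChildName       # tcp
                Listen  = $name                    # e.g. 0.0.0.0/445
                Connect = $props.$name             # e.g. 127.0.0.1/8901
            }
        }
    }
}
'== Persistent portproxy rules (registry) =='
if ($rules) { $rules | Format-Table -AutoSize } else { '(none)' }
'== As netsh reports them =='
netsh interface portproxy show all

# 2. Every listening TCP port with its owning process; svchost entries also show hosted services
'== Listening TCP ports =='
Get-NetTCPConnection -State Listen |
    ForEach-Object {
        $owner = $_.OwningProcess
        $p = Get-Process -Id $owner -ErrorAction SilentlyContinue
        $svc = (Get-CimInstance Win32_Service -Filter "ProcessId=$owner" -ErrorAction SilentlyContinue).Name -join ','
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            OwnerPid     = $owner
            Process      = $p.ProcessName
            Services     = $svc
            Path         = $p.Path
        }
    } |
    Sort-Object LocalPort |
    Format-Table -AutoSize
```

A listener owned by svchost.exe should map to a named service in the Services column; one with no service behind it, a Path outside the Windows directory, or a port that matches the Connect side of a portproxy rule (as 8901 did here) deserves the same treatment the article gives the 445 forward.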

05 The full chain
Based on the connection addresses and network access relationships, we scanned all endpoints and finally mapped out more than ten pivot hosts and hundreds of compromised hosts; the user's intranet was essentially under complete surveillance.
Continued traffic analysis found the most serious problem: a public cloud-drive address in the traffic. Correlation analysis confirmed that the OceanLotus group used it to send back the data it had collected. The whole flow was TLS-encrypted, so what was leaked could not be determined.
Fortunately, the user's important data network is completely physically isolated from the office network, and that network had not been breached.
Putting all the findings above together, OceanLotus's intrusion process is shown in the figure below:

Looking back at the whole response, it is not hard to see that the APT group's attack tactics are not that high-end; no 0-day appears anywhere. It relies more on weak security awareness and on 1-day or publicly known vulnerabilities.
Compared with the spectacular 0-day duels of today's domestic offensive and defensive exercises, the APT group's quiet, continuous penetration, "moistening things silently", is much harder to detect.
06 Postscript
Afterwards I did a statistical analysis of the data from the 100-plus compromised hosts. OceanLotus's intrusion began in July and peaked in the following month, i.e. a large number of intranet hosts were taken in a short time, matching the usual APT intrusion curve.

Compared with intrusion-time statistics, I pay more attention to active-duration statistics. They show OceanLotus's demand for persistent control of compromised machines declining. Part of this is due to later blocking, but many machines were voluntarily abandoned by OceanLotus; the inference is that edge assets are released so the group can hide better.

Therefore, facing such a cunning APT group, the emergency response team will continue tracking and investigating, firmly safeguarding information security.