Recently, we shed some light on APT attack tools and how to identify them. Part of our daily tasks as threat researchers revolves around investigating APT actors, and the tools that they utilize to help better protect our customers. The purpose of this blog is to further investigate the tools that APT actors typically use and what they do with them.
How these tools are used
While many would think these tools are used during the initial compromise phase of an attack, that is not the focus of this post. I will be focusing on the tools that are used after the initial compromise has been achieved. The following diagram illustrates where these tools are commonly used in a traditional APT lifecycle.
Figure 1. Traditional APT lifecycle
Step 1: The attacker sends malware to the victim. This can be done in many ways – an email message with a malicious attachment, a USB flash disk, or a compromised web site are all possibilities.
Step 2: The malware is executed on the affected system. This may require manual steps by the victim, or it could be done without any intervention using exploits.
Step 3: When the malware is run, it drops a backdoor such as STARSYPOUND or BOUNCER. These could be considered first stage tools: the backdoor calls back to the attacker, allowing them to maintain persistence and regain access to the system at a later time.
Step 4: The attacker then uploads tools to perform data exfiltration, lateral movement, and a litany of other tasks.
The tools listed below include some of the tools APT actors use on a daily basis. These tools are typically employed once the APT actor gets access to the victim’s machine via one of the first stage tools described above. Keep in mind, however, that this list does not cover first stage tools such as backdoors, Trojans, and other malware of that category.
In addition, this is not a complete listing of tools since that is impossible to create based on the ever-changing threat landscape. Many APT actors use custom coded applications that perform similar functionality, and thus may differ from those listed below. Use this list as a baseline of functionality to help identify similar tools in your environment and to demonstrate known tools that are used in common APT campaigns.
Word of caution
Identifying these tools does not necessarily imply that you have been compromised or fallen victim to an APT attack. The IOCs contain MD5s of the compiled apps/scripts and/or unique strings within the code prior to compilation. Minor modifications to these files change the MD5 hash, so hashes alone are a limited method for identifying these applications/scripts. Also note that the phase of usage is generic, reflecting when Trend Micro typically sees these tools used; they are sometimes used in other stages of APT attacks. Some of them also have valid use cases where there are business needs for using the application (some examples include Netbox, dbgview, sdelete, etc.).
| Tool Name | Description | Typical Phase of Usage | Indicators of Compromise (IOC) |
|---|---|---|---|
| GETMAIL | Typically used to locate mail archives and extract mail out of those archives. | Exfiltration | Unique String: Lu’s Crazy Profile (democode); Saved File Name: >=3 digit number-attach.doc |
| Netbox | For hosting tools/drop servers/C2 servers. Commonly used as infrastructure on the backend to support operational tasks. (Netbox also has valid uses, and is not a direct indicator of compromise.) | Attack, Exfiltration, Persistence | N/A |
| Pwdump | Dumps password hashes from the Windows registry. Typically used to crack passwords for lateral movement throughout the victim environment. It can also be used in pass-the-hash attacks. | Lateral Movement | MD5: 0xDD2EF0D6487385839BBF7863FE450CC5 |
| Cachedump | A program for extracting cached password hashes from a system’s registry. Typically used to crack passwords for lateral movement throughout the victim environment. It can also be used in pass-the-hash attacks. | Lateral Movement | MD5: 5065266fbad9362d5a329c5388627ea5 |
| Lslsass | Dumps active login session password hashes from Windows processes. It is used to crack passwords for lateral movement throughout the victim environment. It can also be used in pass-the-hash attacks. | Persistence, Lateral Movement | MD5: ede305561db6f7ca1783e0fc75d0db14 |
| mapiget | Collects emails directly from Outlook, before they are ever archived. The mail is then dumped to text files. | Persistence, Lateral Movement | Unique String: WNetCancelConnection2W; Saved File Name: 5-mail.txt, mail.txt |
| HTRAN | Connection bouncer; redirects TCP traffic destined for one host to an alternate host. It is also used to help obfuscate the source IP of an attacker. It allows the attacker to bounce through several connections in the victim country, confusing incident responders. | Attack, Exfiltration, Persistence | MD5: e0c14f98c4d4b995f00d49616bf9ba57, 2edfe2b5238c8f49130f2a2f85e33c18, 1725e68e574e4b077f7d16f7fa30d984, 7e3bb01afb4c50da526d142fdf444688, 3548ea689e06a2599bdd1bdb909abb75 |
| Windows Credential Editor (WCE) | A security tool that allows the user to list logon sessions and add, change, list and delete associated credentials. | Persistence, Lateral Movement | MD5: bd73c74819d8db09c645c738bbd3f5b9, df840ac27051d26555a109cc47d03fe4 |
| Lz77.exe | Used as a compression application to help exfiltrate data. The same role is commonly filled by WinRAR, 7-Zip, and WinZip. | Exfiltration | MD5: 2238453fd8225baff0d52bf64361b4fd |
| Gsecdump | Grabs the SAM file, cached credentials, and LSA secrets. Used for lateral movement in the victim environment and pass-the-hash style attacks. | Lateral Movement | MD5: 57F222D8FBE0E290B4BF8EAA994AC641, 875f3fc948c6534804a26176dcfb6af0, 8ee24ad5b849877907304de566fb6dc6 |
| ZXProxy (A.K.A. AProxy) | Proxy functionality for traffic redirection. This helps redirect HTTP/HTTPS connections for source obfuscation. We have seen it used in data exfiltration. | Exfiltration, Persistence | MD5: 0xEB36A5EF6A807FB7B2E2912E08B4882D, 0x69F5A988B4F3A3E5D300D489C9707CD6, 286760651edfe6a8b34988004156b894 |
| LSB-Steganography | Uses steganography techniques to embed files into images. This helps with data exfiltration as well as during the initial compromise of a traditional APT attack. | Initial Compromise, Exfiltration | MD5: c188ef350f1ee0e5fa6f6ef2e70231bc |
| UPX Shell | Used to pack code for malware used in APT campaigns. This tool helps hinder reverse engineering and code analysis. | Attack, Persistence | MD5: 1281478d409de246777472db99f58751 |
| ZXPortMap | Traffic redirection tool, which helps to obfuscate the source of connections. | Persistence, Exfiltration | MD5: 9a7b9caae7b8b3a2b5d68e6880b6d0a4, 2fdbb3ee0edc5e589ea727bbc2cd6d50 |
| ZXHttpServer | Small HTTP server that is easily deployable and extremely flexible. We have seen it used when attempting to transfer files. | Exfiltration | Unique String: ZXHttpServer, ZXHttpServer.exe |
| Sdelete | Secure deletion tool. Securely deleting files makes forensic recovery difficult, thereby complicating incident response procedures. | Persistence, Cover | MD5: e189b5ce11618bb7880e9b09d53a588f |
| Dbgview | An application that lets you monitor debug output on your local system, or on any computer on the network that you can reach via TCP/IP. | Persistence, Lateral Movement | MD5: cea66497fa93db4b0dd33438a2a5d6bd |
Many of these tools are copied to victim machines and are often never removed by the APT actors. If you happen to see tools that are similar in function to the tools listed above, I think it warrants a closer look at the tools and at how they are being used in your environment.
What Can Be Done
There are many things that can be done to help prevent the installation of these applications onto your organizational machines such as the following:
- Utilize application white listing where necessary to prevent these items from being installed/used on your systems.
- Include SIEM resources in your organizational budget for robust logging. This will help forensically should it be needed.
- Remove local administrator rights for users. This will help prevent new applications from being installed in the traditional fashion. While some of these applications don’t require installation to work, not having administrator rights will limit what these applications can do.
Many of the tools listed above will be blocked by Trend Micro products, which classify them as malicious. Here are some additional recommendations on what to do when you see these applications being used for malicious purposes:
- Look at firewall, system, security, proxy, and other logs that your systems produce to identify usage patterns of the tools. Look for communication on ports that are not expected for the host, as well as traffic to IP space that is not typical for the user.
- Utilize IOCs (indicators of compromise) to locate similar filenames or MD5/SHA hashes for applications similar to those above. Focus on the path from which the tool is run as well as on filename oddities (such as an app named xzz.exe, which would raise a red flag).
- Utilize WMIC to create a script that can search throughout your entire organizational Active Directory tree and look for unique identifiers of these tools.
- Create a list of bad applications unique to your organization. Use these lists together with the native toolsets of each operating system to locate questionable tools. Tools for Windows like PsExec work well for this. On Linux systems, dpkg-query or qpkg work well for this.
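The recommendations above (matching IOC hashes and unique strings, and watching for odd filenames) are easy to turn into a small sweep over a file tree. The following script is an added example, not Trend Micro's code or any of the tools in the table: the MD5 values, unique strings and saved-file names are copied from the table, while the function names, the short-executable-name heuristic and the sample files it scans are constructed for illustration. It matches on three indicator types so that a file whose hash has drifted (the caveat in the "Word of caution" section) can still be caught by its strings or by the name of its output file.

```python
"""Added example (not Trend Micro's code): sweep a directory tree for the
indicators in the table above. Sample files and the odd-name heuristic are constructed."""
import hashlib
import os
import re
import tempfile

# MD5 values from the table, lower-cased with any 0x prefix removed.
IOC_MD5 = {
    "Pwdump": ("dd2ef0d6487385839bbf7863fe450cc5",),
    "Cachedump": ("5065266fbad9362d5a329c5388627ea5",),
    "Lslsass": ("ede305561db6f7ca1783e0fc75d0db14",),
    "HTRAN": ("e0c14f98c4d4b995f00d49616bf9ba57", "2edfe2b5238c8f49130f2a2f85e33c18",
              "1725e68e574e4b077f7d16f7fa30d984", "7e3bb01afb4c50da526d142fdf444688",
              "3548ea689e06a2599bdd1bdb909abb75"),
    "WCE": ("bd73c74819d8db09c645c738bbd3f5b9", "df840ac27051d26555a109cc47d03fe4"),
    "Lz77.exe": ("2238453fd8225baff0d52bf64361b4fd",),
    "Gsecdump": ("57f222d8fbe0e290b4bf8eaa994ac641", "875f3fc948c6534804a26176dcfb6af0",
                 "8ee24ad5b849877907304de566fb6dc6"),
    "ZXProxy": ("eb36a5ef6a807fb7b2e2912e08b4882d", "69f5a988b4f3a3e5d300d489c9707cd6",
                "286760651edfe6a8b34988004156b894"),
    "LSB-Steganography": ("c188ef350f1ee0e5fa6f6ef2e70231bc",),
    "UPX Shell": ("1281478d409de246777472db99f58751",),
    "ZXPortMap": ("9a7b9caae7b8b3a2b5d68e6880b6d0a4", "2fdbb3ee0edc5e589ea727bbc2cd6d50"),
    "Sdelete": ("e189b5ce11618bb7880e9b09d53a588f",),
    "Dbgview": ("cea66497fa93db4b0dd33438a2a5d6bd",),
}
MD5_TO_TOOL = {h: tool for tool, hashes in IOC_MD5.items() for h in hashes}

# Unique strings from the table. WNetCancelConnection2W is also an ordinary
# Windows API import, so that match alone needs a second indicator to mean much.
IOC_STRINGS = (
    ("GETMAIL", "Lu\u2019s Crazy Profile"),
    ("mapiget", "WNetCancelConnection2W"),
    ("ZXHttpServer", "ZXHttpServer"),
)
# Saved-file names from the table, as full-name patterns.
IOC_FILENAMES = (
    ("GETMAIL", re.compile(r"\d{3,}-attach\.doc")),
    ("mapiget", re.compile(r"(5-)?mail\.txt")),
)
# Constructed heuristic for the "xzz.exe" style of name the post mentions:
# an executable whose base name is only one to three lowercase letters.
ODD_EXE_NAME = re.compile(r"[a-z]{1,3}\.exe")


def md5_of(path):
    """MD5 of a file, streamed so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_file(path):
    """Return a list of (tool, reason) hits for one file; empty if clean."""
    hits = []
    name = os.path.basename(path)
    tool = MD5_TO_TOOL.get(md5_of(path))
    if tool:
        hits.append((tool, "md5 match"))
    with open(path, "rb") as f:
        data = f.read()
    for tool, needle in IOC_STRINGS:
        if needle.encode("utf-8") in data:
            hits.append((tool, "unique string " + needle))
    for tool, pattern in IOC_FILENAMES:
        if pattern.fullmatch(name):
            hits.append((tool, "saved-file name " + name))
    if ODD_EXE_NAME.fullmatch(name):
        hits.append(("unknown", "odd executable name " + name))
    return hits


def scan_tree(root):
    """Map each flagged file (path relative to root, '/'-separated) to its hits."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            hits = check_file(full)
            if hits:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings


def demo():
    """Create a constructed sample tree in a temp dir, scan it, return findings."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    samples = {  # constructed contents, not real tool binaries
        "tools/mailtool.exe": "MZ stub Lu\u2019s Crazy Profile".encode("utf-8"),
        "users/5-mail.txt": b"From: someone@example.invalid\n",
        "users/report.docx": b"PK\x03\x04 ordinary document",
        "temp/xzz.exe": b"MZ stub with nothing distinctive",
        "srv/ZXHttpServer.exe": b"MZ stub ZXHttpServer.exe",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    return scan_tree(root)
```

Run `demo()` to see the four constructed files it flags (the ordinary `report.docx` is left alone); point `scan_tree()` at a real path to sweep it. A hash hit is the strongest signal, a string or saved-file-name hit is a prompt to look at the file and the path it sits in, and the odd-name heuristic is deliberately noisy and meant only to prioritise review, as the post suggests.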