APT38 CryptoSpy

A chain that replicates the TraderTraitor malware distributed by APT38. Host the cryptoSpy payload for a user to download. Once it is downloaded, wait for the user to click the malicious update button, which downloads a pneuma agent from the Operator API. The pneuma agent, named "cryptoSpy", will call back into Operator and run a queued TTP that retrieves the user's information.

TTP Tuesday: APT38 - CryptoSpy

Replicating TraderTraitor

Theme Overview

We are fresh off the heels of last week’s chain that replicated WannaCry. This week we are looking at APT38’s crypto attacks. You can replicate many things, but replicating an entire blockchain seemed a little extreme. This week’s chain concentrates on how initial access was gained, as described by CISA.gov.

Custom Malware

Any time I see a chance to write something custom, I like to take advantage of the situation. So just because this chain might not have a lot of TTPs, it doesn’t mean there isn’t a lot going on in the background. According to CISA, the government refers to the malware used by APT38 in these attacks as “TraderTraitor”. The malware is an Electron-based Node.js application, like Operator, just minus the malware part 😜.

This means I needed to write a piece of malware with a graphical user interface (GUI). Due to my less-than-average JavaScript skills, I decided to take up the challenge using Go and the pretty awesome “Fyne” library. I needed to replicate this part of CISA’s report: “The malicious applications are derived from a variety of open-source projects and purport to be cryptocurrency trading or price prediction tools.” Since most open-source projects wouldn’t appreciate me using their code to pass out malware, I wrote a simple application from scratch.

Nothing fancy, just an application that looks like it is giving you the most recent prices for Bitcoin and Ethereum, then asks if you would like to update. This is done to fit the next part of the CISA report: “Within the code is a function that purports to be an update, with a name such as UpdateCheckSync(), that downloads and executes a malicious payload”. In our case, the malicious payload is a pneuma agent which gets downloaded and launched once you click the “Update” button.

To handle the callback, the malware checks for a file called “config.json” in the same directory as the binary. If no “config.json” file is found, the malware falls back to parsing its own binary name (similar to the technique used in the Goldilocks chain). Either way, it uses that data to download pneuma from a Redirector or your Operator instance and then attempts to connect back to that same IP (to keep complexity to a minimum, we are using Operator’s default ports).

Some new techniques regarding Operator

The final two TTPs use some less commonly seen Operator techniques. After hosting the link to the CryptoSpy binary, we immediately start asking Operator whether our expected CryptoSpy (pneuma) agent has called back successfully. When the CryptoSpy agent calls back, the last TTP queues an identification TTP that checks the username and groups of the user. These TTPs will be released in a more generic form so they can easily be added to your own chains, letting you specify the name of the expected agent and the ID of the TTP you would like to queue.

Watch a demonstration: APT38 CryptoSpy

Feeling a bit more adventurous?

The malware’s update function is named the same as in the CISA report. Try throwing it in a reverse engineering tool (like Ghidra) to see if you can follow the information flow! Everything in the binary should be pretty straightforward and might give you the opportunity to get your feet wet with some basic reverse engineering.

A few questions you might want to try and answer are:

  • How does the price update?
  • Can you find the two functions that are used to identify the callback IP?
  • What are some of the strings embedded in the binary?
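As an added example (not the chain's code and not Prelude's), here is a small Python triage script that does a first pass at the questions above before opening Ghidra: it pulls printable strings from a binary, separates out IPv4 addresses and URLs (the likely callback data), lists Go symbols under the `main.` package, and checks for the UpdateCheckSync name quoted from the CISA report. The sample blob, and the function names getCallbackFromConfig and getCallbackFromName inside it, are constructed for this example and are not taken from the real binary.

```python
import re
from typing import Dict, List

MIN_LEN = 6
UPDATE_FUNC = "UpdateCheckSync"  # update routine name quoted in the CISA report

# IPv4 dotted quad with an optional :port, anchored to a whole string run
_IPV4 = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?::\d{1,5})?$"
)
_URL = re.compile(r"https?://[^\s\"']+")
# Go symbol names live in the binary as plain text, e.g. "main.UpdateCheckSync"
_GO_MAIN_FUNC = re.compile(r"^main\.[A-Za-z_]\w*$")

# Constructed stand-in for a binary: a fake ELF header, Go symbol names,
# the config file name, and constructed callback data (TEST-NET address).
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"main.UpdateCheckSync\x00"
    + b"main.getCallbackFromConfig\x00"  # hypothetical name
    + b"main.getCallbackFromName\x00"    # hypothetical name
    + b"\x01\x02\x03config.json\x00"
    + b"https://redirector.example/pneuma\x00"
    + b"192.0.2.10\x00"
    + b"\xde\xad\xbe\xef"
)


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return printable ASCII runs of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def triage(blob: bytes) -> Dict[str, object]:
    """Classify embedded strings into the categories an analyst asks about first."""
    strings = extract_strings(blob)
    return {
        "ipv4": sorted({s for s in strings if _IPV4.match(s)}),
        "urls": sorted({m.group() for s in strings for m in _URL.finditer(s)}),
        "go_funcs": sorted({s for s in strings if _GO_MAIN_FUNC.match(s)}),
        "has_update_func": any(UPDATE_FUNC in s for s in strings),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BLOB).items():
        print(f"{key}: {value}")
```

On a real sample, read the file with `open(path, "rb").read()` in place of SAMPLE_BLOB; the `main.` symbol list is where you would expect to spot the two callback-resolution functions and the update routine.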

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: privateducky
Alex: khyberspache
Kris: Xanthonus
Octavia: VVX7
Sam: wasupwithuman

Source: https://feed.prelude.org


TTPs

Host cryptoSpy payload
Wait for cryptoSpy callback
Queue TTP for cryptoSpy agent