APT & Targeted Attacks
Guess Who’s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024
Trend Micro has identified a spear-phishing campaign active in Japan since June 2024. Evidence about the malware used by this campaign suggests this was part of a new operation by Earth Kasha.
This blog is a part of a blog series about Earth Kasha. Kindly refer to our blog about the previous campaigns, where we discussed the tactics and targets of Earth Kasha in detail, read here for a deeper understanding,
Introduction
According to research by Trend Micro, a new spear-phishing campaign targeting individuals and organizations in Japan has been underway since around June 2024. An interesting aspect of this campaign is the comeback of a backdoor dubbed ANEL, which was used in campaigns targeting Japan by APT10 until around 2018 and had not been observed since then. Additionally, NOOPDOOR, known to be used by Earth Kasha, has been confirmed to be used in the same campaign. Based on these findings, we assess this campaign as part of a new operation by Earth Kasha.
Campaign Details
The campaign, observed around June 2024 and attributed to Earth Kasha, employed spear-phishing emails for Initial Access. Specific targets include individuals affiliated with political organizations, research institutions, think tanks, and organizations related to international relations. In 2023, Earth Kasha primarily attempted to exploit vulnerabilities against edge devices for intrusion but this new campaign reveals that they have once again changed their TTPs. This shift appears to be driven by a target change, moving from enterprises to individuals. Additionally, an analysis of the victim profiles and the names of the distributed lure files suggests that the adversaries are particularly interested in topics related to Japan’s national security and international relations.
The spear-phishing emails used in this campaign were sent either from free email accounts or from compromised accounts. The emails contained a URL link to a OneDrive. They included a message in Japanese encouraging the recipient to download a ZIP file. Here are some potential email subjects that were observed, likely crafted to attract the interest of the targeted recipients:
- 取材申請書 (Interview Request Form)
- 米中の現状から考える日本の経済安全保障 (Japan's Economic Security in Light of Current US-China Relations)
- [官公庁・公的機関一覧] ([List of Government and Public Institutions])
The files in the ZIP file, which works as the infection vector, vary depending on the period and the target.
Case 1: Macro-Enabled Document
The simplest case involves a document with embedded macros. The infection begins when the document is opened and the user enables the macros. This document file is a malicious dropper that we have named ROAMINGMOUSE. As explained later, ROAMINGMOUSE can extract and execute embedded ANEL-related components (a legitimate EXE, ANELLDR, and encrypted ANEL). Two patterns are observed in this process: one involves dropping a ZIP file and then extracting it, while the other consists of directly dropping the components.
Case 2: Shortcut + SFX + Macro-Enabled Template Document
In other cases, the ZIP file did not directly contain ROAMINGMOUSE. Instead, it included a shortcut file and an SFX (self-extracting) file disguised as a document by changing its icon and extension.
When the shortcut file is opened, it executes the SFX file in the same directory disguised as a .docx file.
The SFX file places two document files into the %APPDATA%\Microsoft\Templates folder. One of these files is a harmless decoy document, while the other, named "normal_.dotm," contains a macro called ROAMINGMOUSE. When the decoy document is opened, ROAMINGMOUSE is automatically loaded as a Word Template file. The behavior of ROAMINGMOUSE after execution is identical to that observed in Case 1.
Case 3: Shortcut + CAB + Macro-Enabled Template Document
A similar case to Case 2 has also been observed, where the shortcut file executes PowerShell, which then drops an embedded CAB file.
The shortcut file contained a PowerShell one-liner in this case, as shown in the figure below. This script dropped and extracted a CAB file embedded at a specific offset within the shortcut file and executed a decoy file. The decoy file then automatically loaded ROAMINGMOUSE as a template file, following the same process as in Case 2.
Malware on Initial Access
ROAMINGMOUSE
The macro-enabled document we created for initial access in this campaign is called "ROAMINGMOUSE." This document acts as a dropper for components related to ANEL. The primary role of ROAMINGMOUSE is to execute the subsequent ANEL payload while minimizing the chances of detection. To achieve this, it implements various evasion techniques.
(Basic) Sandbox Evasion
The ROAMINGMOUSE variant introduced in Case 1 requires the user to enable macros. This variant includes a feature that initiates malicious activity based on specific mouse movements made by the user. This functionality is achieved by implementing a function that responds to the "MouseMove" event, triggered when the mouse hovers over a user form embedded within the document.
This feature ensures that malicious activities do not begin unless specific user interactions occur, which is likely implemented as a sandbox evasion technique. However, it should be noted that many commercial and open-source sandboxes have addressed such sandbox evasion techniques in recent years, making them less effective.
Custom Base64-encoded Payloads
The classification of this as an evasion technique is up for debate; however, it is undeniably one of the distinctive functions of ROAMINGMOUSE. This technique was employed in Pattern 1 of Case 1. ROAMINGMOUSE embeds the ZIP file containing the ANEL-related components by encoding it in Base64 and splitting it into three parts, with one part encoded using a custom Base64 encoding table. The files within the ZIP file are then extracted to a specific path.
This technique may slow down analysis, but it may also be an evasion technique against modern tools that automatically decode Base64 embedded in VBA. Such tools have become more common recently, making this a potential countermeasure.
HEX-encoded Payloads
In some instances, such as in Case 1 and PATTERN 2, we observed cases where the ANEL-related components were directly dropped without being processed through a Base64-encoded ZIP file. Each component was embedded in the VBA code as HEX-encoded strings in these cases.
Execution Through WMI
The dropped files include the following ANEL-related components:
- ScnCfg32.Exe: A legitimate application that loads the DLL in the same directory via DLL sideloading.
- vsodscpl.dll: The ANELLDR loader.
- <RANDOM>: The encrypted ANEL.
ROAMINGMOUSE executes ANEL by running the legitimate application "ScnCfg32.exe," which loads the malicious DLL "vsodscpl.dll" through DLL sideloading. It uses WMI to execute "explorer.exe" with "ScnCfg32.Exe" as an argument during this process.
This approach aims to avoid detection by security products, which are more likely to flag processes like "cmd.exe" when executed directly from a document file, such as a Word document. By bypassing "cmd.exe" and running the program through WMI, they attempt to evade these detection mechanisms.
ANELLDR
We have been tracking the unique loader used to execute ANEL in memory, which we have named ANELLDR. ANELLDR has been observed as early as 2018. In terms of its functionality, the version used in this campaign is identical to the one used in 2018. Beyond its core functionality, ANELLDR is known for using anti-analysis techniques such as junk code insertion, Control Flow Flattening (CFF), and Mixed Boolean Arithmetic (MBA). The ANELLDR observed in this campaign also implemented the same techniques.
Although there is some publicly available information about ANELLDR, a thorough description of its behavior still needs to be provided. We will give a detailed explanation of the loader's functionality.
ANELLDR is activated via DLL sideloading from a legitimate application to begin its malicious activities. Once executed, it enumerates files in the current directory to search for encrypted payload files. Notably, the decryption logic of ANELLDR differs between the initial and subsequent executions.
During the initial execution, ANELLDR calculates the Adler-32 checksum for the last four bytes of the target file, as well as the data up to file size minus 0x34 bytes (where 0x34 bytes accounts for the 0x30 bytes of AES material and 0x4 bytes of checksum, explained later). It then compares the checksum to check whether the target file is the expected encrypted file. If a directory exists at the same level, it recursively processes the files within that directory.
Once the file passed verification, the decryption process begins. For this, the last 0x30 bytes of the file are divided into two parts: the first 0x20 bytes are used as the AES key, while the remaining 0x10 bytes are used as the AES IV. ANELLDR then decrypts the encrypted data (up to the file size minus 0x34 bytes) using AES-256-CBC and executes the payload in memory.
Once ANELLDR successfully decrypts the encrypted payload, it updates the key and IV, re-encrypts the payload using AES-256-CBC, and overwrites the original encrypted payload file with the newly encrypted data. The AES key and IV used in this process are generated based on the file path of the executing file and a hardcoded string. This involves utilizing a custom Base64 encoding, the Blowfish encryption algorithm, and XOR operations, which ensures that the key and IV are unique to the running environment. Since the AES key and IV used for encryption are not embedded in the file, you must know the exact file path where the payload was initially stored to decrypt an encrypted payload file obtained from an infected environment.
The 2nd-stage shellcode
The decrypted data is shellcode-formed and executed in memory. This 2nd-stage shellcode is responsible for loading and executing the final payload, a DLL, in memory. First, the 2nd-stage shellcode attempts to evade being debugged by calling ZwSetInformationThread API with the second argument set to ThreadHideFromDebugger (0x11). Next, it retrieves the address of the encrypted data. To do this, it calls a unique function filled with NOP instructions to obtain the current address in memory. After obtaining this address, it calculates the location of the encrypted payload-related data, which is located immediately after this function.
The encrypted data section is structured in the following format:
ANELLDR decodes the subsequent encrypted data using a 16-byte XOR key. A distinctive feature of this process is that each byte of the encrypted data is XORed with the entire 16-byte key. In other words, the algorithm applies XOR to each data byte 16 times, using a different key byte for each operation.
After the XOR operation, the data is decompressed using the Lempel–Ziv–Oberhumer (LZO) data compression algorithm. Additionally, the first 4 bytes and the Adler-32 checksum of the payload DLL are calculated and compared to verify if the data has been correctly decoded and decompressed. If the integrity check passes, the DLL is dynamically initialized in memory, and the hardcoded export function is called to execute the payload.
ANEL
ANEL is a 32-bit HTTP-based backdoor that has been observed since around 2017 and was known as one of the primary backdoors used by APT10 until around 2018. ANEL was actively developed during that time, and the last version publicly observed in 2018 was “5.5.0 rev1.” However, through this new campaign in 2024, versions “5.5.4 rev1,” “5.5.5 rev1,” “5.5.6 rev1,” and “5.5.7 rev1” have been observed, along with a newly identified version where the version information has been obfuscated.
|
5.5.0 rev1 |
5.5.4 rev1 |
5.5.5 rev1 |
5.5.6 rev1 |
5.5.7 rev1 |
unknown |
| C&C Comm Encryption (GET) | Custom ChaCha20 + random-byte XOR + Base64 | |||||
| C&C Comm Encryption (POST) | Custom ChaCha20 + LZO | |||||
| ChaCha20 Key Generation | Selected from the hardcoded key based on the C&C URL | |||||
Backdoor Command |
|
|
||||
From here, we'll take a closer look at the specific updates and changes in each version.
5.5.4 rev1
This version of ANEL did not introduce any major changes, but a few minor fixes and updates were implemented. One notable change was the removal of the feature that stored an error code in the HTTP Cookie header and sent it to the C&C server, which had been present up to version “5.5.0 rev1.” This feature was previously identified as a detection point for ANEL, so its removal might have been intended to evade detection. Another update involved the version information sent to the C&C server. It now includes information about the OS architecture of the execution environment. Although ANEL is a 32-bit application, when running on a 64-bit OS, the string “wow64” is appended to the version information before being sent to the C&C server.
5.5.5 rev1
Version “5.5.5 rev1” did not include significant changes either. One notable update was the addition of code to renew the local IP address during the initial access to the C&C server.
5.5.6 rev1 / 5.5.7 rev1
In version “5.5.6 rev1,” a new backdoor command was added. ANEL processes the command string received from the C&C server by converting it to uppercase and hashing it with xxHash, then comparing it to a hardcoded hash value to determine the command. In this version, a new command corresponding to the hash value “0x596813980E83DAE6” was implemented.
This command provides the functionality to execute a specified program with elevated privileges (Integrity High) by abusing the CMSTPLUA COM interface, a known UAC bypass technique.
On the other hand, in “5.5.7 rev1”, no additional notable functionality was observed.
Unknown version
After observing version “5.5.7 rev1,” an ANEL variant was detected with obfuscated version information. In this instance, the version information field contained a Base64-encoded string, which resulted in the data “A1 5E 99 00 E7 DE 2B F5 AD A1 E8 D1 55 D5 0A 22” after decoding. This data was concatenated with “wow64” and sent to the C&C server. This change has made it more difficult to track versions and compare functionality.
Post-Exploitation Activities
Tracking the adversary’s activities after installing ANEL revealed that they collected information from the infected environment, such as taking screenshots and executing commands like arp and dir to gather network and file system details. In some cases, additional malware, specifically NOOPDOOR, was also installed.
NOOPDOOR, observed since at least 2021, is a modular backdoor with more advanced capabilities. It appears to work as a further payload Earth Kasha uses, particularly for high-value targets. In this campaign, we believe NOOPDOOR was deployed against targets of special interest to the adversary.
Attribution and Insights
Based on the analysis of the ongoing campaign, Trend Micro assesses that the spear-phishing campaign using ANEL, observed since June 2024, is part of a new operation conducted by Earth Kasha.
The attribution to Earth Kasha is based on the following reasons:
- Until early 2023, Earth Kasha had been conducting campaigns targeting individuals and organizations in Japan via spear-phishing emails as the primary intrusion vector. There are no significant inconsistencies in terms of TTPs or victim profiles.
- NOOPDOOR, believed to be used exclusively by Earth Kasha, was also deployed in this campaign.
- As previously mentioned, there are code similarities between ANELLDR and NOOPDOOR, suggesting the involvement of the same developer or someone with access to both source codes. Therefore, the reuse of ANEL in this campaign is unsurprising and further supports the connection between the former APT10 and the current Earth Kasha.
Trend Micro Vision One Threat Intelligence
To stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can proactively protect their environments, mitigate risks, and respond effectively to threats.
Trend Micro Vision One Intelligence Reports App [IOC Sweeping]
- Guess Who’s Back? The Return of ANEL in the Recent Spear-phishing Campaign by Earth Kasha in 2024
Trend Micro Vision One Threat Insights App
- Threat Actors: Earth Kasha
- Emerging Threats: Guess Who’s Back? The Return of ANEL in the Recent Spear-phishing Campaign by Earth Kasha in 2024
Hunting Queries
Trend Micro Vision One Search App
Trend Micro Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.
Malware detection associated with the spear-phishing campaign by Earth Kasha
(malName:*ANEL* OR malName:*ROAMINGMOUSE*) AND eventName: MALWARE_DETECTION
Malicious IPs used by ANEL in spear-phishing campaign 2024
eventId:3 AND (dst:"139.84.131.62" OR dst:"139.84.136.105" OR dst:"45.32.116.146" OR dst:"45.77.252.85" OR dst:"208.85.18.4" OR src:"139.84.131.62" OR src:"139.84.136.105" OR src:"45.32.116.146" OR src:"45.77.252.85" OR src:"208.85.18.4")
More hunting queries are available for Vision One customers with Threat Insights Entitlement enabled.
YARA rule
This YARA rule may be used to find Earth Kasha activity.
Conclusion
Earth Kasha's campaigns are expected to continue evolving, with updates to their tools and TTPs. Many of the targets are individuals, such as researchers, who may have different levels of security measures in place compared to enterprise organizations, making these attacks more difficult to detect. It is essential to maintain basic countermeasures, such as avoiding opening files attached to suspicious emails. Additionally, it is important to gather threat intelligence and ensure that relevant parties are informed. As this campaign is believed to be ongoing as of October 2024, continued vigilance is necessary.
Indicators of Compromise
The full list of IoCs may be found here.