In April 2020, CyCraft observed highly malicious cyber activity in several Taiwan government agencies. Some of these attacks have been attributed to the same threat actor due to similar techniques, tactics, and procedures — the most important of which is the utilization of Skeleton Keys and Owlproxy malware.
This article is Part 2 of a series of articles. Part 1: Waterbear Malware.
What is a Skeleton Key?
In 2014, Dell Secureworks Counter Threat Unit observed the earliest use of a digital Skeleton Key. Their observed Skeleton Key was able to bypass authentication on Active Directory (AD) systems implementing single-factor verification (T1556.001 Modify Authentication Process: Domain Controller Authentication). Using this method, much like how a physical Skeleton Key can open any door in a house, a digital Skeleton Key gives its user unfettered access to remote access services.
In 2019, CyCraft observed a possible China-sponsored APT group, APT Chimera, target the Taiwan semiconductor industry in a year-long campaign. Chimera added extracted key code snippets from both Mimikatz and Dumpert to their customized Skeleton Key. The Chimera Skeleton Key sought to bypass API monitoring, which is widely used in anti-virus and EDR products, by directly invoking syscalls and implementing high-level API logic.
“Even though several of the April 2020 attacks use the same techniques as APT Chimera, available evidence and artifacts in the April 2020 attacks do not suggest attribution to APT Chimera. However, this does suggest that China-based APT groups may share malware, tools, or even similar techniques. This sharing of tools, techniques, and malware adds difficulty to the attribution process.”C.K. Chen, CyCraft Senior Researcher
What is Owlproxy?
Owlproxy is one of the primary malware discovered in several of the April 2020 incidents. In order to bridge the internet and intranet, the threat actor used this malware with backdoor functionality to tunnel in and out of the network. This backdoor functionality enables threat actors to launch any commands directly into the target system. While the program database (PDB) information is resident in the binary, the malware’s name, Owlproxy, comes from the project name of the PDB file.
How to inject a Skeleton Key
The malware, tncpb.exe, would first drop msehp.dat, which also contained Windows Event Manageex.dll, Mimikatz.dll and Mimikatz.sys (with the name WinHelp.sys). While Windows Event Manageex.dll was loading, it would also invoke Mimikatz.dll for a Skeleton Key. If it fails to open lsass, Mimikatz.sys would be loaded as the alternative to unprotect Isass.exe (T1003.001 OS Credential Dumping: LSASS Memory). As a result, the Skeleton Key would be injected, and the attackers could then gain unfettered access to the domain endpoints.
The wmipd.dll is the main remote administration tool (RAT) in this attack. The most important characteristic of this malware is that it is an HTTP proxy (T1071.001 Application Layer Protocol: Web Protocols) with backdoor functionality. This malware can be accessed via port 80 to execute commands (T1059.003 Command and Scripting Interpreter: Windows Command Shell) and proxy traffic in and out of the victim’s network.
family: Owlproxy (family name first designated by TrendMicro)
filetype: PE32+ executable (DLL) (GUI) x86–64, for MS Windows
wmipd.dll uses WinHTTP API to create an HTTP server on port 80 with these endpoints:
http[:]//+:80/servlet/ (General backdoor, execute any commands) http[:]//+:80/servlet/pp/ (HTTP to tcp proxy)
file_path: %WINDIR%\System32\Windows Event Manageex.dll http[:]//127.0.0[.]1/servlet/ http[:]//127.0.0[.]1/servlet/pp/ http[:]//127.0.0[.]1/servlet/pp/$NUMBERS
Stage One: tncpb.exe
The first stage malware tncpd.exe will drop msehp[.]dat, which further contains Windows Event Manageex.dll, Mimikatz.dll, and WinHelp[.]sys (Mimikatz.sys). The mission of tncpb[.]exe is to load Windows Event Manageex[.]dll — the linchpin of the attack.
Stage Two: Windows Event Manageex.dll
This malware has been designed for persistence. After it is dropped by tncpb.exe, Windows Event Manageex.dll self-installs. The previous stage malware (tncpb.exe) is then deleted (T1070.004 Indicator Removal on Host: File Deletion). The next stage malware (Mimikatz.dll), designed for credential access, is then triggered.
filename: Windows Event Manageex.dll
filetype: PE32+ executable (DLL) (GUI) x86–64, for MS Windows
- Windows Event Manageex.dll self installs.
- Windows Event Manageex.dll uses CreateThead() to delete tncpb.exe at location: C:\$Recycle.Bin\tncpb.exe (T1074.001 Data Staged: Local Data Staging).
- Execute Mimikatz[.]dll in memory.
- Windows Event Manageex.dll uses CreateThread() to dropC:\Windows\system32\Windows Event Manageex.dll (Mimikatz.sys) from msehp.dat#3(x)
- Windows Event Manageex.dll deletes C:\$Recycle.Bin\tncpb.exe(T1070.004 Indicator Removal on Host: File DeletionT1074.001 Data Staged: Local Data Staging)
event: “Global\\Microsoft Windows CriticalRestore Event” file_path: $SystemDirectory\wbem\msehp.dat
Stage Three: Mimikatz.DLL
A customized modification of the original Mimikatz, Mimikat.dll was designed to specifically inject the Skeleton Key to allow the attackers persistent, unfettered Lateral Movement across the network. This was an interesting approach as Skeleton Keys aren’t typically used for credential access. Once injected, the modified Skeleton Key modifies the original execution logic of lsass.exe and then injects the backdoor password. This malicious behavior is similar to legit user behavior, which helps this particular technique evade detection. In case the injection fails (cannot gain access to lsass.exe), an alternative approach is taken; the kernel driver WinHelp.sys is installed and unprotects lsass.exe, allowing the DLL malware to inject the Skeleton Key once again. Once the Skeleton Key injection is successful, the kernel driver will be unloaded.
filetype: PE32+ executable (DLL) (console) x86–64, for MS Windows
1. Inject Skeleton Key (first attempt)
If successful: createEvent(L”Global\\Debug_Windows_Dump_Event”)If signature not found: createEvent(L”Global\\Windows_MemoryDump_Event”)If OpenProcess failed: load mimikatz driver (WinHelp.sys) Unprotect lsass.exe Inject Skeleton Key again Unload mimikatz driver
2. Delete mimikatz driver
file_path: $SystemDirectory\wbem\msehp.dat file_path: $SystemDirectory\Drivers\WinHelp.sys
WinHelp.sys is the Mimikatz driver used to unprotect lsass[.]exe.
filetype: PE32+ executable (native) x86–64, for MS Windows
cert_serial: 5f78149eb4f75eb17404a8143aaeaed7 cert_fingerprint: 31e5380e1e0e1dd841f0c1741b38556b252e6231
The certificate embedded in the driver is signed by 上海域联软件技术有限公司 (Shanghai Yulian Software Technology Co., Ltd.).
The following MITRE ATT&CK techniques were observed in this attack.
Command And Control
1. Add listed IOCs to preventative solution blacklists.
2. Adjust detection and response solutions to detect listed IOCs.
3. Scan network for port 80 in non-server endpoints.
4. Remove Skeleton Keys*
*Be sure to first remove any malware that will inject the Skeleton Key, including Windows Event Manageex.dll as it is self-installing. Then, reboot the endpoint to clean up the modified memory.