Unearthing the Elusive Trishul RAT: An In-Depth Analysis of its Targeted Assault on Thai Entities, Primarily Focusing on the Southern Frontiers of the BangkokShell Offensive.

The Traffic and Telecom Computer Emergency Response Team (TTC-CERT) recently analysed several suspicious files received from a security agency in Thailand. Examination showed that the files were malicious and designed to give remote access to and control of targeted computers as part of a cyber attack campaign known as BangkokShell. This campaign primarily targets security agencies within Thailand, using multi-stage malware to conduct cyber espionage.

During the analysis, TTC-CERT found that the attacker group had created a Windows service named “myautotimeservice” in advance for the purpose of running a Portable Executable (PE) file. This PE file then loads a malicious Dynamic-link Library (DLL) named “LTDIS13n.dll” via DLL side-loading. LTDIS13n.dll is a loader that carries an obfuscated payload; once deobfuscated, the payload is shellcode that is injected directly into memory without any file being written to the filesystem.

The recovered shellcode is a Remote Access Trojan (RAT) that uses the stack strings technique to embed the URL values for its command and control (C2) operations. Notably, the C2 domain and subdomain names closely resemble those used within the internal networks of the targeted security agencies. The shellcode connects to the C2 over HTTPS on port 443 and receives commands encrypted with an XOR cipher. The commands are decrypted by XORing them with a 31-byte XOR key whose index value is reassigned dynamically in each round of the XOR operation, so the effective key is different in every round. The shellcode executes the received commands using the Living Off the Land Binaries (LOLBins) technique, mainly through the Windows Command Shell (CMD) and PowerShell, and it is also capable of injecting code directly. Based on these characteristics, TTC-CERT has named this malware Trishul RAT.
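To make the per-round keying concrete, here is an added example (not TTC-CERT's code or the malware's) of the kind of decoder an analyst writes to test a recovered 31-byte key against captured C2 commands. The report summary does not say how the index is reassigned each round, so the rule used here (start index = round number mod 31) is an assumption, and the key and commands are constructed sample data.

```python
# Added example (not TTC-CERT code): a rolling-index XOR decoder for a 31-byte
# key, where each round starts at a different key index so the effective key
# differs per round. ROUND_INDEX is an ASSUMPTION; the page does not give the
# real index rule. SAMPLE_KEY and SAMPLE_COMMANDS are constructed, not real IoCs.
from typing import Callable, Iterable, List

KEY_LEN = 31
SAMPLE_KEY = bytes(range(0x41, 0x41 + KEY_LEN))  # constructed 31-byte key

def xor_round(data: bytes, key: bytes, start_index: int) -> bytes:
    """XOR `data` with `key`, starting at key[start_index] and cycling.
    XOR is symmetric, so the same call both encodes and decodes."""
    if len(key) != KEY_LEN:
        raise ValueError(f"expected a {KEY_LEN}-byte key, got {len(key)}")
    start_index %= KEY_LEN
    return bytes(b ^ key[(start_index + i) % KEY_LEN] for i, b in enumerate(data))

def effective_key(key: bytes, start_index: int) -> bytes:
    """The rotated key actually applied in a given round."""
    s = start_index % KEY_LEN
    return key[s:] + key[:s]

def ROUND_INDEX(round_no: int) -> int:
    """ASSUMED index rule: the n-th command starts at key byte n mod 31."""
    return round_no % KEY_LEN

def decode_rounds(blobs: Iterable[bytes], key: bytes,
                  index_fn: Callable[[int], int] = ROUND_INDEX) -> List[bytes]:
    """Decode a sequence of per-round command blobs with a per-round key index."""
    return [xor_round(blob, key, index_fn(n)) for n, blob in enumerate(blobs)]

# Constructed commands in the style the report describes (CMD / PowerShell LOLBins).
SAMPLE_COMMANDS = [b"cmd.exe /c whoami", b"powershell -nop -c Get-Process"]

def demo() -> List[bytes]:
    """Encode the sample commands round by round, then decode them again."""
    encoded = [xor_round(c, SAMPLE_KEY, ROUND_INDEX(n))
               for n, c in enumerate(SAMPLE_COMMANDS)]
    return decode_rounds(encoded, SAMPLE_KEY)

if __name__ == "__main__":
    for n, cmd in enumerate(demo()):
        print(n, effective_key(SAMPLE_KEY, ROUND_INDEX(n))[:4].hex(), cmd)
```

Decoding a round with the wrong start index yields garbage, which is why a single static key would not recover the traffic even though the underlying key bytes never change.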

To give a comprehensive overview of this attack, TTC-CERT has depicted the malware's working mechanism in a diagram.

Following the analysis, TTC-CERT extracted Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) from the suspicious files and used them to develop detection rules in the form of YARA and Sigma rules. Organizations can use these rules for monitoring, threat hunting, and incident response.

TTC-CERT has released this analysis report to inform organizations in Thailand about the associated cyber risks and threats. If an organization is connected to TTC-CERT’s MISP system, the IOCs, YARA rules and Sigma rules related to this analysis will be sent automatically to its MISP instance for further processing.

For readers interested in a detailed analysis, please refer to the AMAR-231199-1.v1 Malware Analysis Report by TTC-CERT.

The YARA rules “bangkokshell_trishul_rat” and “bangkokshell_dll_loader_v3” covering the topics discussed in this report can be downloaded from the TTC-CERT GitHub repository. The Sigma rule “BangkokShell Operation, DLL Side-loading leveraging Windows Service” is also available for download.

Source: TTC-CERT, AMAR-231199-1.v1 Malware Analysis Report
