Stately Taurus Targets Myanmar

Stately Taurus Targets Myanmar Amidst Concerns over Military Junta’s Handling of Rebel Attacks

The recent ethnic rebel attacks in Myanmar have put the Myanmar junta and surrounding countries on high alert. Since October 2023, a rebel alliance called the Three Brotherhood Alliance (3BHA) has been attacking Myanmar’s military across its northern regions, reportedly seizing its junta outposts and military positions. This activity has been cause of concern to China, as important trade routes have come under control of and have been destroyed by 3BHA, causing China to call for a ceasefire. Following the attacks, a meeting of Myanmar’s National Defence and Security Council (NSDC) on November 8th resulted in the junta leader General Min Aung Hlaing commenting that the country could splinter as a result of the 3BHA offensive. Five days later, martial law was declared across the northern Shan state. While these events do not seem to receive much international attention, the Association of Southeast Asian Nations (ASEAN) defense ministers have been calling for Myanmar to implement the in 2021 established Five-Point Consensus peace plan. So far, Myanmar’s military junta has failed to implement this plan, leading to Myanmar being barred from ASEAN until the plan progresses.

As these developments unfold, CSIRT-CTI has identified two campaigns exhibiting strong indications of being connected to Stately Taurus (alias Bronze President, Camaro Dragon, Earth Preta, Mustang Panda, Red Delta and Luminous Moth), both assessed to have targeted the Myanmar Ministry of Defence and Foreign Affairs. Both campaigns strongly appear to leverage techniques, tactics and procedures (TTPs) that are related to both historic and more contemporary Stately Taurus activity. The most prominent of these TTPs are the use of legitimate software including a binary developed by engineering firm Bernecker & Rainer (B&R) and a component of the Windows 10 upgrade assistant to sideload malicious Dynamic-Link Libraries (DLLs). Moreover, a significant number of campaigns attributed to this threat actor have been reported to disguise network traffic by making it appear to be related to Microsoft update traffic.

Stately Taurus has been performing cyberespionage activities since at least 2012 and is widely believed to be a Chinese Advanced Persistent Threat (APT) tasked with intelligence collection. Previously, attacks targeting government entities and non-profits across North America, Europe and Asia believed to have politically significant information were attributed to this group.

Campaign #1: Analysis of the third meeting of NDSC.zip

The first campaign observed took place on November 9th 2023 and came under our attention after a malicious archive was submitted to VirusTotal with the name Analysis of the third meeting of NDSC.zip. Upon extracting this archive, victims are shown the image in Figure 1 containing a (legitimate, signed) decoy executable and a malicious DLL in the same folder. 

IOC Value
Analysis of the third meeting of NDSC.zip b7e042d2accdf4a488c3cd46ccd95d6ad5b5a8be71b5d6d76b8046f17debaa18
Analysis of the third meeting of NDSC.exe ce4f7e7ce82a5621b5409ccb633e27269a05ce17d1b049feda9fbc4793e6c484
BrMod104.dll 2a00d95b658e11ca71a8de532999dd33ddee7f80432653427eaa885b611ddd87

The executable in this archive is, as mentioned, a legitimate binary originally signed by B&R Industrial Automation GmbH, which points towards engineering firm Bernecker & Rainer. Though the provided certificate expired on May 23rd 2020, it is still considered signed and valid by both Windows and VirusTotal.

Figure 4: Overview of PUBLOAD malware events

Upon execution of the decoy binary, the threat actor leverages DLL Search Order Hijacking to side-load the malicious DLL with a timestamp of 03-11-2023 (shown in Figure 3). After loading the DLL, its first activity is to check for supported languages on the system, after which it performs a check whether persistence has previously been obtained. It does so by determining the presence of command line arguments. If a command line argument is not present, it proceeds by copying itself and the DLL to C:\ProgramData\gameinstall. Once copied, a standard CurrentVersion autorun key is created with the name gameestrto and value C:\\ProgramData\\gameinstall\\Analysis of the third meeting of NDSC.exe starmygame.

\REGISTRY\USER\S-1-5-21-578104441-166916572-4098306029-1000\Software\Microsoft\Windows\CurrentVersion\Run\gameestrto = "C:\\ProgramData\\gameinstall\\Analysis of the third meeting of NDSC.exe starmygame"

This particular command line argument starmygame added to the autorun key is indicative of earlier-achieved persistence, as the malware creates the autorun key to run future executions with this argument. This causing the execution flow to skip over the conditional on address 0x100027ba as shown in Figure 4. Further down the function, any present command line arguments are validated to match the originally set value, which triggers further cryptographic operations leading to C2 communication.

Following the achievement of persistence, preparation is made to ping a C2 server at 123.253.32.15 and register the device. Similar to the campaign described by Lab52, it uses a standard protocol to do so. However, where previously the magic bytes were 17 03 03, these seem to have changed to 46 77 4d. These magic bytes are consistent throughout the requests and responses. This leads to the following protocol:
<46 77 4d>+<payload size>+<payload>.

This standard is used for all communication, even after infection. For the initial connection, the payload is also the similar: <tickcount>+<computername>+<username>. This payload is RC4-encrypted and sent to the C2 server as shown in Figure 6. The threat actors attempt to disguise the traffic as Microsoft update traffic by adding the Host: www.asia.microsoft.com and User-Agent: Windows-Update-Agent headers.

The response of the C2 server to this initial connection is a piece of shellcode that is publicly documented as PUBLOAD. This shellcode, which is also RC4 encrypted, is downloaded as a DAT file and is decrypted to the second stage malware, which is a PlugX implant. Following the Lab52 research, it could be confirmed that the same type of protocol scheme is used for continued communication with the C2 server in this case. This sample too no longer impersonates www.asia.microsoft.com, but switches to www.download.windowsupdate.com the moment it starts taking commands.

IOC Value
C2 IP address 123.253.32.15
Spoofed Host Header Host: www.asia.microsoft.com
Spoofed Host Header www.download.windowsupdate.com
User Agent Windows-Update-Agent
Autorun key gameestrto
CLI argument starmygame

Campaign #2: ASEAN Notes.iso

The second campaign was observed after being uploaded from the US and Myanmar to VirusTotal on January 17th, 2024. In the timeline surrounding the conflict in Myanmar, this is coherent with Myanmar’s junta leader meeting with a special envoy of ASEAN on January 11th in context of the violence in Myanmar. The malware sample involves an Optical Disc Image (ISO) containing LNK shortcuts, extended with a similar but slightly deviating methodology as described in campaign #1. This too matches previously documented Stately Taurus TTPs aiming at deploying a PlugX implant through multiple stages, though the delivery matches the TONESHELL malware as documented by TrendMicro.

Figure 10: Overview of TONESHELL malware events

When opening the ISO file, the victim is shown a set of LNK files and a folder structure with multiple layers named _. In addition to the ASEAN 2024.lnk file, the Mofa memo.lnk file potentially refers to the Myanmar Ministry of Foreign Affairs (MOFA), as it aligns with the narrative and is indicative of context. All LNK files (parsed with LnkParse3) are programmed to display a PDF icon to trick the user and start the office.exe binary in the directory structure below. This binary is again legitimate and signed by Microsoft. The hash of this file shows up on VirusTotal as GetCurrentRollback.exe, which is typically present in the Windows 10 Upgrade assistant. After this binary is executed, the same type of DLL side-load is performed as in the first campaign with a DLL-file called GetCurrentDeploy.dll

This campaign proceeds identical to the TrendMicro analysis and attempts to register the device with C2. The report mentions that TONESHELL supports up to ten C2 addresses and seems to contain two IP addresses in this case (103.159.132.80 and 37.120.222.19). The former is present in the same subnet as is documented by CheckPoint and the latter is resolved from a hardcoded domain name in the binary, openservername.com. Remarkable is that this domain only resolves when a subdomain of www is added.

Upon execution of one of the LNK files, similar steps are taken as in campaign one. It executes the office.exe binary down in the _ directory structure and side-loads GetCurrentDeploy.dll. By doing so, it triggers the same functionality as campaign #1, verifying command line arguments and copying both files to a different directory. The only difference, which is characterising for TONESHELL, is that these copies are dropped in %PUBLIC% instead of C:\ProgramData\gameinstall.

At the time of writing, the C2 servers that the malware attempts to communicate with seem unresponsive. Further staging of the PlugX implant beyond findings in the binary using this sample can therefore not be verified.

IOC Value
ASEAN Notes.iso a00673e35eaccf494977f4e9a957d5820a20fe6b589c796f9085a0271e8c380c
ASEAN 2024.lnk, NS.lnk, MS.lnk, Mofa memo.lnk e537c5da268c6a08d6e94d570e8efb17d0ca3f4013e221fadc4e0b3191499767
office.exe 0d0981941cf9f1021b07b7578c45ed4c623edb16ad03a256c4cd9aaf900d723d
GetCurrentDeploy.dll 51d89afe0a49a3abf88ed6f032e4f0a83949fc44489fc7b45c860020f905c9d7
C2 IP address 103.159.132.80
C2 IP address 37.120.222.19
C2 Domain openservername.com
Autorun key gameestrto
CLI argument StarWegameToyOU

Linking the Two Campaigns

Though the malware staging of the second campaign could not be investigated, the found similarities between the first and second campaign are strong enough in order to relate the two with high confidence. Multiple indicators have been found that can attribute these attacks to Stately Taurus. Adding strength to the attribution is the ongoing controversy in Myanmar and its importance to China, which these samples seem to play into. Overall, the following similarities between the two campaigns were found.

Tactics, Techniques and Procedures

The malware samples itself were, even though different on the outside, very similar in TTPs. Both samples, one PUBLOAD and the other TONESHELL and both containing the publicly documented indicators, leveraged DLL Search Order hijacking in legitimate software to launch a stager in an attempt to download the second stage malware. Though the C2 traffic of the second campaign could not be verified, the present cryptographic functions imply that the binary was prepared for decryption. Furthermore, both samples created an autorun key with the same naming scheme (gameestrto) and persistence control mechanism by adding command line arguments to the autorun key (starmygame, StarWegameToyOU). Lastly, the binary code checking for these command line arguments are shared code and near-identical, also containing the same typing errors (erro task, erro blue). A notable additional detail in BrMod104.dll is a debug string referring to a Program Database (PDB) file at E:\work\newply\Release\new4chongf.pdb. All details considered and given the timeline of occurrence it is probable that these samples might be related and, looking at intelligence publications that classify the observed behaviour as belonging to Stately Taurus-related malware families, are used in a Stately Taurus campaign.

Infrastructure

When investigating the two C2 servers on Censys, different certificates are registered for the two hosts. However, the same Common Name with value WIN-9JJA076EVSS was used for both hosts. Moreover, both IP addresses are on Autonomous System 55720 (GIGABIT-MY Gigabit Hosting Sdn Bhd in Kuala Lumpur, Malaysia). Both this Common Name and AS number have been extensively documented in relation to this threat group. Of these publications, a publication by Thailand Telecommunications Sector CERT (TTC-CERT) on January 19th 2024 actually describes this Common Name as a common denominator for Stately Taurus C2 infrastructure in response to the SolidPDFCreator campaign against the Philippines that was documented by Talos Intelligence in November 2023.

Conclusion

Following the rebel attacks in northern Myanmar, China has expressed concern regarding its effect on trade routes and security around the Myanmar-China border. Myanmar’s military junta has had two meetings with the National Defence and Security Council and with ASEAN to discuss further plans. We assess that these campaigns are targeted at the Myanmar Ministry of Defence and Foreign Affairs, aligning with the developments in the country.

Due to the historic reporting of the observed Tactics, Techniques and Procedures and their similarity, it is highly likely that these attacks can be attributed to Stately Taurus, one of the most active Chinese APT groups. Stately Taurus operations are known to align with geopolitical interests of the Chinese government, including multiple cyberespionage operations against Myanmar in the past. As this group targets not only Asian, but also European and North American countries, it is advised to deploy countermeasures in order to defend against this group.

Indicators of Compromise

IOC Value
Analysis of the third meeting of NDSC.zip b7e042d2accdf4a488c3cd46ccd95d6ad5b5a8be71b5d6d76b8046f17debaa18
Analysis of the third meeting of NDSC.exe ce4f7e7ce82a5621b5409ccb633e27269a05ce17d1b049feda9fbc4793e6c484
BrMod104.dll 2a00d95b658e11ca71a8de532999dd33ddee7f80432653427eaa885b611ddd87
ASEAN Notes.iso a00673e35eaccf494977f4e9a957d5820a20fe6b589c796f9085a0271e8c380c
office.exe 0d0981941cf9f1021b07b7578c45ed4c623edb16ad03a256c4cd9aaf900d723d
GetCurrentDeploy.dll 51d89afe0a49a3abf88ed6f032e4f0a83949fc44489fc7b45c860020f905c9d7
ASEAN 2024.lnk, NS.lnk, MS.lnk, Mofa memo.lnk e537c5da268c6a08d6e94d570e8efb17d0ca3f4013e221fadc4e0b3191499767
C2 IP address 123.253.32.15
C2 IP address 103.159.132.80
C2 IP address 37.120.222.19
C2 Domain openservername.com
Certificate CN WIN-9JJA076EVSS
Autorun key gameestrto
CLI argument starmygame
CLI argument StarWegameToyOU

READ MORE HERE