Researchers have recently published a research paper on Operation Earth Kitsune, a watering hole campaign whose main aim is to steal data by compromising different websites.
Operation Earth Kitsune has targeted the Korean diaspora and generally exploits flaws in web browsers such as Google Chrome and Internet Explorer in order to deliver its backdoors.
During the investigation, Trend Micro also discovered two new espionage backdoors that are connected with the campaign: AgfSpy and DneSpy.
According to the Trend Micro report, the operation makes extensive use of SLUB malware, mainly to help exfiltrate data.
C&C servers of DneSpy and AgfSpy
This operation has been deployed in several countries, and it has relied on inexpensive external resources: the threat actors set up infrastructure for the different samples through a budget service provider.
More importantly, DneSpy uses a dynamic C&C discovery mechanism. It first connects to whoami2[.]ddns[.]net, and from there it receives the information about the master server, whoamimaster[.]ddns[.]net.
DneSpy also delivers AgfSpy, and it uses the CreateMutex technique to check whether AgfSpy is already installed on the system. This gives the threat actors a certain level of resiliency in their deployment.
DneSpy Espionage Backdoor
DneSpy has several notable features. It collects data, takes screenshots, and downloads and executes the latest version of other malicious components present on the affected system. This malware is mainly designed to consume a "policy" file in JSON format that contains all the instructions and commands to perform.
More importantly, the policy file sent by the C&C server can be modified and updated over time, and this updatability makes DneSpy more flexible, resilient, and well-designed. All the output of the executed commands is zipped, encrypted, and exfiltrated to the C&C server.
DneSpy C&C communication
Once DneSpy starts executing, it generates a unique ID for its victim based on system parameters gathered by running several commands. That unique victim ID is then used to track first-time infections, and the C&C server makes its decisions based on that information.
DneSpy uses several string obfuscation mechanisms within the same binary, in some cases XOR encryption and in others a ROT cipher. DneSpy then creates a directory or account on the C&C server to record the new victim name. The C&C behaviour is pivoting in nature: the central C&C server's reply is the domain or IP of the next-stage C&C server.
DneSpy first sends an HTTP GET request to obtain a "crypted_package", which carries the policy.txt file; after receiving the response, a "crypted_package" file is written to disk. The file is later decrypted to "crypted_package.zip".
Exfiltration is performed using an HTTP multipart request, and all temporary files are deleted afterwards. Once exfiltration is done, a screenshot is taken and uploaded together with the result of the completed command.
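As a defender, the observable side of the DneSpy C&C flow described above is the sequence of HTTP requests: a contact with the initial discovery domain, a follow-up request to whatever host that domain hands back (the pivot), a GET for the "crypted_package"/policy file, and a later POST carrying the zipped results. The following is an added example, not code from the Trend Micro report or from the malware itself, showing how a proxy-log scan can correlate those steps per source host. The two domains are the ones named in the reporting (refanged from their "[.]" form); the log format, the 203.0.113.7 next-stage address, and the URL paths in the sample lines are constructed for the example and are not indicators from the report.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit


def refang(indicator):
    """Turn a defanged indicator such as whoami2[.]ddns[.]net into a real hostname."""
    return indicator.replace("[.]", ".")


# Domains named in the reporting: initial discovery server and master server.
C2_DOMAINS = {refang("whoami2[.]ddns[.]net"), refang("whoamimaster[.]ddns[.]net")}

# Path fragments tied to DneSpy's policy retrieval (the GET for the crypted_package / policy.txt).
SUSPICIOUS_PATH_FRAGMENTS = ("crypted_package", "policy.txt")

# Constructed proxy-log layout: timestamp, client IP, method, full URL, HTTP status.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

# Constructed sample lines (not real telemetry); 203.0.113.7 is a documentation address
# standing in for a next-stage server returned by the discovery domain.
SAMPLE_PROXY_LOG = """\
2020-10-20T09:01:02Z 10.0.0.15 GET http://whoami2.ddns.net/ 200
2020-10-20T09:01:05Z 10.0.0.15 GET http://203.0.113.7/crypted_package 200
2020-10-20T09:02:10Z 10.0.0.15 POST http://203.0.113.7/ 200
2020-10-20T09:03:00Z 10.0.0.22 GET http://example.com/index.html 200
this line is malformed and should be skipped
"""


def parse_line(line):
    """Parse one log line into a dict with host and path split out; None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["url"])
    entry["host"] = parts.hostname or ""
    entry["path"] = parts.path
    return entry


def scan(lines):
    """Return (src, host, path, reasons) for every request that matches the DneSpy flow.

    State kept per client:
      - pending_pivot: clients whose last request went to a known C&C domain, so the
        next new host they contact is a candidate next-stage server.
      - flagged: hosts already tied to C&C activity for that client, so that a later
        POST to one of them is treated as a candidate exfiltration upload.
    """
    hits = []
    flagged = defaultdict(set)
    pending_pivot = set()
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        src, host, path, method = e["src"], e["host"], e["path"], e["method"]
        reasons = []
        if host in C2_DOMAINS:
            reasons.append("known-c2-domain")
        elif src in pending_pivot:
            reasons.append("possible-pivot-after-c2")
        if method == "GET" and any(frag in path for frag in SUSPICIOUS_PATH_FRAGMENTS):
            reasons.append("policy-fetch-pattern")
        if method == "POST" and host in flagged[src]:
            reasons.append("possible-exfil-post")
        if reasons:
            flagged[src].add(host)
            hits.append((src, host, path, reasons))
        # Only the request immediately following a known-C&C contact counts as a pivot candidate.
        pending_pivot.discard(src)
        if host in C2_DOMAINS:
            pending_pivot.add(src)
    return hits


if __name__ == "__main__":
    for src, host, path, reasons in scan(SAMPLE_PROXY_LOG.splitlines()):
        print(f"{src} -> {host}{path}: {', '.join(reasons)}")
```

The pivot rule is deliberately narrow (only the very next request after a known-C&C contact), which keeps false positives down on a busy proxy but means the correlation is purely sequential; on real telemetry you would bound it by time as well and feed the newly learned next-stage host back into a blocklist for review.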
AgfSpy Espionage Backdoor
The AgfSpy backdoor retrieves its configuration and commands from its C&C server. These commands allow the backdoor to run shell commands and send the execution results back to the server. AgfSpy can also enumerate and list directories, and upload, download, and execute files, among other functions.
AgfSpy C&C server communication
AgfSpy communicates with only one C&C server and, more importantly, does not have the pivoting capability that DneSpy has. The researchers observed two different domains across several AgfSpy samples while monitoring the ongoing campaign.
Apart from this, the researchers stated that AgfSpy and DneSpy are quite similar, except that each uses a separate C&C server and different message-exchange formats. In other words, AgfSpy uses its own C&C mechanism to receive commands, and DneSpy uses its own.