Scenario:
A ticket was opened pertaining to a potential malware threat. The ticket contains multiple file attachments that are presumed to be malware samples.
PREPARATION
Downloaded the malware samples from the intelligence site and extracted them into their own directory:
There are 5 DLL samples in total
Created a simple Bash script to retrieve the SHA256 hashes of the DLLs (there are only 5 files, but this should be standard practice anyway):
I also modified the script to write the SHA1 hashes to a second file, but a screenshot of that would be redundant here.
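The hashing step above, as an added example written for this writeup rather than the author's own script: it builds a tab-separated manifest with SHA256 and SHA1 side by side for every file in a sample directory, so one run covers both hash files mentioned. It assumes either coreutils `sha256sum`/`sha1sum` or BSD `shasum` is on PATH; the sample directory path is a placeholder.

```shell
#!/bin/sh
# Added example, not the writeup's original script.
# Builds a hash manifest (name, size, SHA256, SHA1) for every regular file in a directory.

# Print the hex digest of one file for the given algorithm (256 or 1).
# Falls back to BSD shasum when the coreutils tools are not installed.
digest_of() {
    algo="$1"; file="$2"
    if command -v "sha${algo}sum" >/dev/null 2>&1; then
        "sha${algo}sum" "$file" | awk '{print $1}'
    else
        shasum -a "$algo" "$file" | awk '{print $1}'
    fi
}

# Emit a header plus one tab-separated row per regular file.
# Rows are sorted by name so the manifest is stable and diffable between runs.
hash_manifest() {
    dir="$1"
    printf 'file\tbytes\tsha256\tsha1\n'
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\t%s\t%s\n' \
            "$(basename "$f")" \
            "$(wc -c < "$f" | tr -d ' ')" \
            "$(digest_of 256 "$f")" \
            "$(digest_of 1 "$f")"
    done | sort
}

# Usage (placeholder path): hash_manifest ./samples > hashes.tsv
```

Keeping both digests in one manifest makes later lookups easier, since some intelligence sources index by SHA1 and others by SHA256.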
SAMPLE: pRsm.dll
Most VirusTotal engines flag this DLL as a Trojan.
Opening the sample in VirusTotal’s graph editor shows that the DLL itself is a bundle of 5 files and, in one of the attack instances, a name appeared that looked like it could be the name of the malware framework. I looked it up and confirmed it: MgBot.
APT GROUP: Daggerfly (aka Evasive Panda)
The APT group goes by both Daggerfly and Evasive Panda, and it is known for using the MgBot malware framework to spy on victims for cyberespionage purposes:
(A fascinating article on its technical capabilities: Evasive Panda leverages Monlam Festival to target Tibetans.)
In line with these “spying” capabilities, and according to the security article [Daggerfly: APT Actor Targets Telecoms Company in Africa | Symantec Enterprise Blogs](https://www.security.com/threat-intelligence/apt-attacks-telecoms-africa-mgbot), this particular DLL’s job is to capture audio from the system:
MITRE ATT&CK lists the technique associated with audio capture in its analysis of the MgBot malware framework:
According to the article Evasive Panda APT group delivers malware via updates for popular Chinese software, the first malicious download link was:
The same article neatly summarises the functions of the 5 DLLs in our samples folder:
cbmrpa.dll — “captures text copied to the clipboard and logs information from the USBSTOR registry key.”
maillfpassword.dll — “steals credentials from Outlook and Foxmail email client software.”
pRsm.dll — “captures input and output audio streams.”
qmsdp.dll — “a complex plugin designed to steal the content from the Tencent QQ database that stores the user’s message history. This is achieved by in-memory patching of the software component KernelUtils.dll and dropping a fake userenv.dll DLL.”
wcdbcrk.dll — “information stealer for Tencent WeChat.”
In short, the malware steals clipboard contents, audio, chat message history and email credentials, and apparently other assets via plugins that are not included in our particular scenario.
The APT group had, naturally, set up a C2 botnet beforehand at the following IPs:
Beyond Windows executables, one of the C2 IP addresses has also been associated with Android files:
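Once the C2 addresses and sample hashes are collected, the practical follow-up for a SOC is to sweep local telemetry for them. The following is an added example for this writeup, not the challenge's or the author's own tooling: it loads an IOC list (IPs and hashes, one per line, `#` comments allowed) and scans a log file token by token, so `203.0.113.10` does not accidentally match `203.0.113.100` and hash case does not matter. The IPs in the demo are documentation-range placeholders, not the challenge's real C2 addresses, and the log lines are constructed.

```shell
#!/bin/sh
# Added example, not the writeup's original tooling.
# match_iocs IOC_FILE LOG_FILE : print "<ioc>\t<log line>" for every line containing an IOC.
# Matching is on whole tokens (runs of letters, digits and dots) and is case-insensitive,
# so IPs are not matched as substrings of longer IPs and uppercase hashes still hit.
match_iocs() {
    ioc_file="$1"; log_file="$2"
    awk -v iocs="$ioc_file" '
        BEGIN {
            # Load the IOC list, stripping comments and whitespace, normalised to lowercase.
            while ((getline line < iocs) > 0) {
                sub(/#.*/, "", line)
                gsub(/[ \t\r]/, "", line)
                if (line != "") ioc[tolower(line)] = 1
            }
        }
        {
            n = split($0, tok, /[^A-Za-z0-9.]+/)
            for (i = 1; i <= n; i++) {
                if (tolower(tok[i]) in ioc) { print tolower(tok[i]) "\t" $0; break }
            }
        }
    ' "$log_file"
}

# Runs the matcher over constructed data: placeholder C2 IPs (RFC 5737 ranges),
# the SHA256 of the string "abc" standing in for a sample hash, and four fake events.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/iocs.txt" <<'EOF'
# placeholder C2 IPs, not the challenge's real ones
203.0.113.10
198.51.100.7
# constructed sample hash (SHA256 of "abc")
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
EOF
    cat > "$tmp/events.log" <<'EOF'
2024-05-03T10:14:02Z proxy src=10.0.0.5 dst=203.0.113.10:443 action=allow
2024-05-03T10:14:09Z proxy src=10.0.0.5 dst=203.0.113.100:443 action=allow
2024-05-03T10:15:30Z edr host=ws01 file=C:\Users\a\AppData\pRsm.dll sha256=BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD
2024-05-03T10:16:00Z proxy src=10.0.0.8 dst=192.0.2.44:443 action=allow
EOF
    match_iocs "$tmp/iocs.txt" "$tmp/events.log"
    rm -rf "$tmp"
}

# Usage: match_iocs iocs.txt proxy.log   (or run `demo` to see it on the constructed data)
```

Of the four constructed events, only the first (C2 IP) and third (known sample hash) are reported; the second line is deliberately a near-miss IP to show why token matching is preferable to a plain substring grep.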
Badge for solving this challenge: Friday Fixer Badge.