{"id":19019,"date":"2024-01-29T15:28:04","date_gmt":"2024-01-29T14:28:04","guid":{"rendered":"https:\/\/www.nextron-systems.com\/?p=19019"},"modified":"2024-04-12T16:33:23","modified_gmt":"2024-04-12T14:33:23","slug":"analysis-of-falsefont-backdoor-used-by-peach-sandstorm-threat-actor","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2024\/01\/29\/analysis-of-falsefont-backdoor-used-by-peach-sandstorm-threat-actor\/","title":{"rendered":"Analysis of FalseFont Backdoor used by Peach-Sandstorm Threat Actor"},"content":{"rendered":"<p>In this article, we will explore the FalseFont Backdoor used by Peach Sandstorm APT to target defense contractors worldwide. The backdoor was initially identified and reported on by <a href=\"https:\/\/twitter.com\/MsftSecIntel\/status\/1737895717870440609\" target=\"_blank\" rel=\"noopener\">Microsoft<\/a>. The malware features data exfiltration and remote access capabilities. It poses as a legitimate application from the US defense and intelligence contractor Maxar Technologies, and provides the user with a realistic UI and behavior.<\/p>\n<h1>Triage<\/h1>\n<p>When starting the application, we are met with a login screen. The branding and style match the website of Maxar Technologies. The victim is prompted to log in to their account or to log in as a guest. Logging in as a guest prompts for some personal data for registration.<\/p>\n<p><img src=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/01\/maxar_ui.png\" alt=\"maxar_ui\" \/><\/p>\n<p>We attempted a login with randomly chosen credentials, which resulted in an infinite loading screen. However, we did gather some information during the execution, as we had our Aurora Agent running on the system. Aurora detected multiple suspicious activities.<\/p>\n<p><img src=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/01\/auroa_overview.png\" alt=\"auroa_overview\" \/><\/p>\n<p>The screenshot shows that Aurora produced a number of events, including multiple warning-level events. These events are quite typical for malware establishing persistence. The major events to consider here are the files dropped in AppData and the modification of the autostart registry keys in quick succession. The warning events serve as an urgent indicator for a human analyst to take action. The notice events, while often overlooked, gave us some valuable information here: they revealed the first C2, which, as we later found out, is responsible for credential stealing.<\/p>\n<p>After gaining an initial understanding of the malware&#8217;s behavior, we proceeded with our in-depth analysis, reverse-engineering the payload.<\/p>\n
<h1>Technical Analysis<\/h1>\n<p>The sample is written in .NET and utilizes the self-contained single-file host feature, encapsulating the managed code within a native bootstrapping application. We&#8217;ll begin by extracting the managed code from the native application bundle using the <a href=\"https:\/\/github.com\/icsharpcode\/ILSpy\">ILSpy<\/a> decompiler. In the decompiler we can see the individual components of the bundle, which contains a number of .NET system libraries and the payload <code>Maxar.dll<\/code>, which we can identify using the <code>Maxar.deps.json<\/code> file.<\/p>\n<p><img src=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/01\/ilspy_bundle.png\" alt=\"ilspy_bundle\" \/><\/p>\n<p>Further analysis of the managed payload will be conducted in <a href=\"https:\/\/github.com\/dnSpyEx\/dnSpy\/\">dnSpy<\/a>. At first glance we are not dealing with obfuscated or heavily packed code here. We can spot some WPF code which is responsible for the frontend the malware presents in order to pose as a legitimate application.<\/p>\n
<h1>The UI<\/h1>\n<p>The UI does more than we initially anticipated. We found that all logins are actually sent to a different host than the C2 handling the remote access features. The application offers two options: a normal login and a guest login. The guest login shows a fake registration form and tells the user to wait for feedback from the team at Maxar, or in this case more likely the threat actor. When the login button is pressed, the agent checks that the email is valid and that the password matches the requirements: one capital letter, one special character, and a length of more than eight characters. After those checks it contacts the following IP, <code>hxxp:\/\/64[.]52[.]80[.]30:8080<\/code>, which is hardcoded in the UI code, and transmits the entered credentials. During the process the agent shows the user a loading screen. If the credential server successfully receives the credentials and responds with a success, the client shows the user a new form asking for personal details like full name, address and email, as well as employment history with Maxar Technologies.<\/p>\n<p>We suspect that the threat actor is collecting this information for espionage or identity theft. During the initialization of the app the actual backdoor is executed, which installs persistence and establishes a connection with the actual C2 server for remote access.<\/p>\n
<h1>Command and Control<\/h1>\n<p><img src=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/01\/dnspy_entrypoint.png\" alt=\"dnspy_entrypoint\" \/><\/p>\n<p>After some initial analysis of the entry point we found the actual core of this backdoor: the <code>SignalRHub<\/code> class. This sparked our interest, since SignalR is Microsoft&#8217;s real-time web API protocol. After further inspection we confirmed that the malware uses the SignalR protocol for its Command and Control (C2) communication. The code presented below unveils the response handlers implemented by the client, offering some insights into the capabilities of this malware.<\/p>\n<p><img src=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/01\/dnspy_namespaces.png\" alt=\"dnspy_namespaces\" \/><\/p>\n<p>All C2 communication is encrypted using AES CBC with a hardcoded key and IV. Encryption is implemented as a separate service in the <code>Core.Agent.Services.Implementationes<\/code> namespace. Communication and command handling are implemented in a modular way using interfaces and services, following common C# application development practice. To further understand the capabilities of the client we will analyze the handlers individually.<\/p>\n
<h1>The Command Handler<\/h1>\n<p>Starting with the Command handler, we need to find the implementation of the class, as it is implemented from an interface. In the implementation we can spot some strings indicating browser credential stealing as well as reverse shells in various forms. Interesting to note: the list of targeted browsers only includes the major Chromium-based browsers Edge, Chrome and Brave, as indicated by the target paths shown in the screenshot:<\/p>\n<pre>\\Google\\Chrome\\User Data\\\n\\BraveSoftware\\Brave Browser\\User Data\\\n\\Microsoft\\Edge\\User Data\\<\/pre>\n<p><img src=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/01\/dnspy_command_handler.png\" alt=\"dnspy_command_handler\" \/><\/p>\n<p>The Command handler implements a number of sub commands ranging from reverse shell to process termination and data exfiltration. The sub commands are implemented in additional services such as the <code>ProcessService<\/code> for reverse shell, process enumeration etc. and the <code>FileStorageService<\/code> for download, upload and file system inspection. Below you can find an overview of all available sub commands of the Command handler.<\/p>\n
<table border=\"1\" style=\"width: 100%; border-collapse: collapse;\">\n<tbody>\n<tr>\n<td style=\"width: 50%;\">Command<\/td>\n<td style=\"width: 50%;\">Functionality<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">Exec<\/td>\n<td style=\"width: 50%;\">Execute attacker-supplied command using Process.Start(). Optionally run as Background Task*<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">ExecUseShell<\/td>\n<td style=\"width: 50%;\">Execute attacker-supplied command using Process.Start() with ShellExecute, RedirectStandardError and RedirectStandardOutput. Optionally run as Background Task*<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">ExecAndKeepAlive<\/td>\n<td style=\"width: 50%;\">Not implemented, just returns &#8220;not work&#8221;<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">CMD<\/td>\n<td style=\"width: 50%;\">Run attacker-supplied command through cmd.exe; if the parameter is &#8220;pass&#8221;, run the browser credential stealer. Optionally run as Background Task*<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">PowerShell<\/td>\n<td style=\"width: 50%;\">Run attacker-supplied PowerShell query. Optionally run as Background Task*<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">KillByName<\/td>\n<td style=\"width: 50%;\">Terminate process by name<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">KillById<\/td>\n<td style=\"width: 50%;\">Terminate process by ID<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">Download<\/td>\n<td style=\"width: 50%;\">Download and unpack zip file from C2<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">Upload<\/td>\n<td style=\"width: 50%;\">Exfiltrate data from the victim system; can upload one or multiple files or entire directories<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">Delete<\/td>\n<td style=\"width: 50%;\">Delete file from the victim system<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">GetDirectories<\/td>\n<td style=\"width: 50%;\">Check if attacker-supplied directory exists and report its contents<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">ChangeTime<\/td>\n<td style=\"width: 50%;\">Change timeout for next request<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">SendAllDirectory<\/td>\n<td style=\"width: 50%;\">Send all disks and their directory structure<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">UpadateApplication<\/td>\n<td style=\"width: 50%;\">Download update and restart the new agent with a special argument to delete old copies and register new copies of the agent<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">Restart<\/td>\n<td style=\"width: 50%;\">Restart the agent with a special argument; check for persistence copies and restart them if found<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">GetProccess<\/td>\n<td style=\"width: 50%;\">Send list of all running processes including process name and ID<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">SendAllDirectoryWithStartPath<\/td>\n<td style=\"width: 50%;\">Send all subdirectories contained in an attacker-supplied starting directory<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>* Background Tasks use the CreateNoWindow and WindowStyle Hidden properties<\/p>\n
<h1>The GetDir and GetHard Handlers<\/h1>\n<p>These two handlers are rather simple. The GetDir handler is quite similar to the GetDirectories sub command of the Command handler. It sends a list of all files and directories, including path, name and creation date, for an attacker-requested directory. In case the attacker does not specify a directory, it scans the current one.<\/p>\n<p>The GetHard handler sends a list of all logical drives to the C2. The list includes the following information: name, drive type, free space and total capacity.<\/p>\n
<h1>The GetScreen and StopSendScreen Handlers<\/h1>\n<p>These handlers are the on and off switches for the remote screen viewer feature of the backdoor. The GetScreen handler starts the screen viewer, which uploads screenshots of the victim&#8217;s screen using an attacker-specified interval, duration, resolution and quality. The screen viewer is run as a new thread, capturing the screen, encoding the images as JPEG data and then converting them to a Base64 string which is sent to the C2 server.<\/p>\n<p><img src=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/01\/dnspy_screensaver.png\" alt=\"dnspy_screensaver\" \/><\/p>\n<p>The StopSendScreen handler stops the screen viewer if it is still running. We suspect that one reason the threat actor chose SignalR is its optimization for real-time data transmission, making it ideal for real-time screen monitoring.<\/p>\n
<h1>Persistence<\/h1>\n<p>Another interesting part of this backdoor is its persistence mechanisms. The persistence functions are executed in the initialization of the main WPF GUI class. Finding where the actual malicious code starts was quite a challenge due to the heavy use of abstraction. The persistence features are implemented in the <code>Core.Agent.Utilities.Prerequisite<\/code> class. There are multiple components to the process. The CopyMyApp function is the core; it is run immediately on application start. The function first checks if the application has been updated, which is indicated by a command line argument on application start. If an update was performed, the function deletes the following three files:<\/p>\n<pre>%appdata%\\\\host.exe\n%localappdata%\\\\broker.exe\n%localappdata%\\\\Microsoft\\\\System.exe<\/pre>\n<p>This step is skipped if no update was performed. Next, the agent checks if the same files have a registry value entry under <code>SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run<\/code>. If it doesn&#8217;t find an entry, it replicates itself in all the designated locations and creates new entries in the registry. Each entry uses the file name as the value and the file&#8217;s path as data. There are also functions to remove the subkeys entirely and one to replace the file paths for the keys; however, these functions are not used. We suspect that these have been implemented for future updates to the C2 commands.<\/p>\n
<h1>Config<\/h1>\n<p>While reversing we encountered the <code>Core.Agent.Utilities.Constants<\/code> class, which holds config values and encrypted strings. The encrypted strings are outlined into separate methods that call the decryption function and return the result. The strings are decrypted using AES CBC with the same hardcoded key and IV used for the C2 communication. To ease reversal we wrote a simple Python script to statically decrypt and inline the strings. The script uses dnlib to parse the binary and decrypt all strings using the hardcoded AES parameters.<\/p>\n<p><img src=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/01\/dnspy_config_decrypted.png\" alt=\"dnspy_config_decrypted\" \/><\/p>\n<p>The screenshot provides a side-by-side comparison of the reverse shell runner before and after clean-up. After decryption we can easily read the C2 domain and mutex as well as the filenames and command line arguments used for update and reset. You can find the full decryption and clean-up script on our <a href=\"https:\/\/github.com\/NextronSystems\/iocs\/blob\/master\/reports\/peach_sandstorm_false_font\/scripts\/falsefont-cleaner.py\" target=\"_blank\" rel=\"noopener\">GitHub<\/a>.<\/p>\n
<h1>Conclusion<\/h1>\n<p>The FalseFont backdoor is a complex remote access and data exfiltration tool, with a focus on monitoring the user&#8217;s machine. Most of the features target user files and data structures; considering the lure of this malware, the actors likely plan to extract US defense and intelligence related documents. The screen recording functionality is another vector of data exfiltration, allowing the actors to obtain potentially confidential information from data not stored on disk, like e-mails or chat messages. Alongside the standard file exfiltration, FalseFont also includes a browser credential stealer, which would potentially allow the compromise of high-value online accounts. While the malware is complex, its protection scheme seems to neglect strings and other potentially malicious indicators, allowing for rather simple detection of the binaries.<\/p>\n
<h1>Detection<\/h1>\n<p>You can find all IOCs and links to the latest version of the detection rules (YARA, Sigma) in our new <a href=\"https:\/\/github.com\/NextronSystems\/iocs\/tree\/master\/reports\/peach_sandstorm_false_font\">GitHub repository<\/a>.<\/p>\n<h2>YARA<\/h2>\n<pre>rule APT_MAL_FalseFont_Backdoor_Jan24 {\n   meta:\n      description = \"Detects FalseFont backdoor, related to Peach Sandstorm APT\"\n      author = \"X__Junior, Jonathan Peters\"\n      date = \"2024-01-11\"\n      reference = \"https:\/\/twitter.com\/MsftSecIntel\/status\/1737895710169628824\"\n      hash = \"364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614\"\n      score = 80\n   strings:\n      $x1 = \"Agent.Core.WPF.App\" ascii\n      $x2 = \"3EzuNZ0RN3h3oV7rzILktSHSaHk+5rtcWOr0mlA1CUA=\" wide \/\/AesIV\n      $x3 = \"viOIZ9cX59qDDjMHYsz1Yw==\" wide \/\/ AesKey\n\n      $sa1 = \"StopSendScreen\" wide\n      $sa2 = \"Decryption failed :(\" wide\n\n      $sb1 = \"{0}     {1}     {2}     {3}\" wide\n      $sb2 = \"\\\\\\\\BraveSoftware\\\\\\\\Brave-Browser\\\\\\\\User Data\\\\\\\\\" wide\n      $sb3 = \"select * from logins\" wide\n      $sb4 = \"Loginvault.db\" wide\n      $sb5 = \"password_value\" wide\n   condition:\n      uint16(0) == 0x5a4d\n      and (\n         1 of ($x*)\n         or all of ($sa*)\n         or all of ($sb*)\n         or ( 1 of ($sa*) and 4 of ($sb*) )\n      )\n}<\/pre>\n<h2>Sigma<\/h2>\n<p><a href=\"https:\/\/github.com\/SigmaHQ\/sigma\/blob\/master\/rules-emerging-threats\/2023\/TA\/Peach-Sandstorm\/proc_creation_win_apt_peach_sandstorm_indicators.yml\" target=\"_blank\" rel=\"noopener\">Process Creation Peach Sandstorm<\/a><br \/><a href=\"https:\/\/github.com\/SigmaHQ\/sigma\/blob\/master\/rules-emerging-threats\/2023\/TA\/Peach-Sandstorm\/proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml\" target=\"_blank\" rel=\"noopener\">Peach Sandstorm FalseFont Backdoor C2 Communication<\/a><\/p>\n
<h2>IOCs<\/h2>\n<table border=\"1\" style=\"border-collapse: collapse; width: 100%;\">\n<tbody>\n<tr>\n<td style=\"width: 50%;\">Type<\/td>\n<td style=\"width: 50%;\">Indicator<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">SHA-256<\/td>\n<td style=\"width: 50%;\">364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">SHA-1<\/td>\n<td style=\"width: 50%;\">ddd18e208aff7b00a46e06f8d9485f81ff4221ea<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">MD5<\/td>\n<td style=\"width: 50%;\">6fd5d31d607a212c6f7651c79e7655a3<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">Mutex<\/td>\n<td style=\"width: 50%;\">864H!NKLNB*x_H?5<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">Commandline<\/td>\n<td style=\"width: 50%;\">SQP&#8217;s*(58vaP!tF4<br \/>(argument used for Update and Restart)<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">Filename<\/td>\n<td style=\"width: 50%;\">Maxar.exe<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">Path<\/td>\n<td style=\"width: 50%;\">%localappdata%\\\\Temp\\\\Maxar.exe<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">Path<\/td>\n<td style=\"width: 50%;\">%localappdata%\\\\Microsoft\\\\System.exe<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">Path<\/td>\n<td style=\"width: 50%;\">%localappdata%\\\\broker.exe<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">Path<\/td>\n<td style=\"width: 50%;\">%appdata%\\\\host.exe<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">URL<\/td>\n<td style=\"width: 50%;\">hxxp:\/\/64[.]52[.]80[.]30:8080<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">Domain<\/td>\n<td style=\"width: 50%;\">hxxp:\/\/digitalcodecrafters[.]com<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Registry<\/h2>\n<pre>SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\n- Value: host.exe Data: %appdata%\\host.exe\n- Value: broker.exe Data: %localappdata%\\broker.exe\n- Value: System.exe Data: %localappdata%\\Microsoft\\System.exe<\/pre>\n<p>Authors<\/p>\n<ul>\n<li><a href=\"https:\/\/twitter.com\/cod3nym\" target=\"_blank\" rel=\"noopener\">Jonathan Peters<\/a><\/li>\n<li><a href=\"https:\/\/twitter.com\/X__Junior\" target=\"_blank\" rel=\"noopener\">Mohamed Ashraf<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>In this article, we will explore the FalseFont Backdoor used by Peach Sandstorm APT to target defense contractors worldwide. The backdoor was initially identified and reported on by Microsoft. The malware features data exfiltration and remote access capabilities. It poses as a legitimate application from US Defense and Intelligence Contractor Maxar Technologies, and provides the user with a realistic UI and behavior.Triage When starting the application we are met, with a login screen. The branding and style match the website of Maxar Technologies. The victim is prompted to login to their account or login as a guest. Logging in as a guest will prompt for some personal data for registration.We attempted a login with randomly chosen credentials, which resulted in an infinite loading screen. However we did gather some information during the execution as we had our Aurora Agent running on the System. Aurora detected multiple suspicious activities.The screenshot shows Aurora provided a number of events including multiple warning level events. These events are quite typical for malware establishing persistence. 
The major event to consider here are the files dropped in AppData and the modification of the autostart registry keys in quick succession. The warning events serve as an urgent [&hellip;]<\/p>\n","protected":false},"author":21,"featured_media":19020,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[749,735],"tags":[],"class_list":["post-19019","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-homepage","category-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Analysis of FalseFont Backdoor used by Peach-Sandstorm Threat Actor - Nextron Systems<\/title>\n<meta name=\"description\" content=\"In this article, we will explore the FalseFont Backdoor used by Peach Sandstorm APT to target defense contractors worldwide.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.nextron-systems.com\/2024\/01\/29\/analysis-of-falsefont-backdoor-used-by-peach-sandstorm-threat-actor\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.nextron-systems.com\/2024\/01\/29\/analysis-of-falsefont-backdoor-used-by-peach-sandstorm-threat-actor\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2024\/01\/29\/analysis-of-falsefont-backdoor-used-by-peach-sandstorm-threat-actor\/\"},\"author\":{\"name\":\"Nextron Threat Research Team\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/c85023b02fb7500513bb7464c4d36a96\"},\"headline\":\"Analysis of FalseFont Backdoor used by Peach-Sandstorm Threat 
Actor\",\"datePublished\":\"2024-01-29T14:28:04+00:00\",\"dateModified\":\"2024-04-12T14:33:23+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2024\/01\/29\/analysis-of-falsefont-backdoor-used-by-peach-sandstorm-threat-actor\/\"},\"wordCount\":2525,\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2024\/01\/29\/analysis-of-falsefont-backdoor-used-by-peach-sandstorm-threat-actor\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/01\/cyb3rops_investigator_analyzing_big_letters_in_a_museum_c9b90555-7411-4c26-a39d-323cef80020b.png\",\"articleSection\":[\"Homepage\",\"Research\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nextron-systems.com\/2024\/01\/29\/analysis-of-falsefont-backdoor-used-by-peach-sandstorm-threat-actor\/\",\"url\":\"https:\/\/www.nextron-systems.com\/2024\/01\/29\/analysis-of-falsefont-backdoor-used-by-peach-sandstorm-threat-actor\/\",\"name\":\"Analysis of FalseFont Backdoor used by Peach-Sandstorm Threat Actor - Nextron Systems\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2024\/01\/29\/analysis-of-falsefont-backdoor-used-by-peach-sandstorm-threat-actor\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2024\/01\/29\/analysis-of-falsefont-backdoor-used-by-peach-sandstorm-threat-actor\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/01\/cyb3rops_investigator_analyzing_big_letters_in_a_museum_c9b90555-7411-4c26-a39d-323cef80020b.png\",\"datePublished\":\"2024-01-29T14:28:04+00:00\",\"dateModified\":\"2024-04-12T14:33:23+00:00\",\"description\":\"In this article, we will explore the FalseFont Backdoor used by Peach Sandstorm APT to target defense contractors 
worldwide.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nextron-systems.com\/2024\/01\/29\/analysis-of-falsefont-backdoor-used-by-peach-sandstorm-threat-actor\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/2024\/01\/29\/analysis-of-falsefont-backdoor-used-by-peach-sandstorm-threat-actor\/#primaryimage\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/01\/cyb3rops_investigator_analyzing_big_letters_in_a_museum_c9b90555-7411-4c26-a39d-323cef80020b.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2024\/01\/cyb3rops_investigator_analyzing_big_letters_in_a_museum_c9b90555-7411-4c26-a39d-323cef80020b.png\",\"width\":1536,\"height\":768},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nextron-systems.com\/#website\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"name\":\"Nextron Systems\",\"description\":\"We Detect Hackers\",\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nextron-systems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\",\"name\":\"Nextron Systems GmbH\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"width\":260,\"height\":260,\"caption\":\"Nextron Systems 
GmbH\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/c85023b02fb7500513bb7464c4d36a96\",\"name\":\"Nextron Threat Research Team\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/93ef820b74086420190263e5fff9169f?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/93ef820b74086420190263e5fff9169f?s=96&d=mm&r=g\",\"caption\":\"Nextron Threat Research Team\"},\"url\":\"https:\/\/www.nextron-systems.com\/author\/threat_research\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}