Suspected APT-C-00 (Hailianhua) Delivery of Havoc Trojan

APT-C-00 HailianhuaAPT-C-00 (Hailianhua) is a government-backed foreign hacker organization that primarily targets enterprises and government departments in East Asian countries. The 360 Advanced Threat Research Institute has been continuously monitoring the latest attacks from the Hailianhua organization.

I. Overview

Recently, the 360 Advanced Threat Research Institute captured a suspicious Trojan loader during routine threat hunting. Analysis revealed that its development environment and execution process are quite similar to those of the Hailianhua organization. It currently maintains an excellent evasion effect with zero detections.

Suspected APT-C-00 (Hailianhua) Delivery of Havoc Trojan

II. Sample Analysis

MD5

64062595582c36d0aed322e98108ff4b

File Type

DLL Dynamic Link Library

File Size

824,320 Bytes

The sample entry dynamically retrieves the required API functions using hash algorithms.

Suspected APT-C-00 (Hailianhua) Delivery of Havoc Trojan

The exported function MPI_Init creates a mutex “Global\MicrosoftMPI” to ensure single instance execution. Command line parameter validation is used to evade conventional automation processes. Once the parameter check passes, the command line is added to the registry startup item “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftMPI” for persistence, and finally, the function that executes the Shellcode is set as a VEH exception handler callback function, waiting for the right moment to be called.

Suspected APT-C-00 (Hailianhua) Delivery of Havoc Trojan

Suspected APT-C-00 (Hailianhua) Delivery of Havoc Trojan

It calls the exported function located at 0x1800760F0 to load the system file certmgr.dll, using a module hollowing technique to replace the code in the certmgr module’s .text section with Shellcode.

Suspected APT-C-00 (Hailianhua) Delivery of Havoc Trojan

Shellcode is used to reflectively load the Havoc RAT[1].

Suspected APT-C-00 (Hailianhua) Delivery of Havoc Trojan

III. Correlation Analysis

The sample is a DLL file, and most of the exported functions point to the same function address, suggesting that the sample itself is loaded using a white exploitation method, consistent with the common tactics and techniques of the Hailianhua organization.

Suspected APT-C-00 (Hailianhua) Delivery of Havoc Trojan

The sample was developed using Mingw-w64, consistent with the development environment of the Hailianhua organization in recent years.

Suspected APT-C-00 (Hailianhua) Delivery of Havoc Trojan

This captured sample uses the same algorithm as previously known phishing samples to dynamically retrieve API addresses during the initialization phase.

Suspected APT-C-00 (Hailianhua) Delivery of Havoc Trojan

The Hailianhua organization’s loader typically involves creating mutexes, checking command lines, and persistence during the initialization steps. For persistence, previous loaders have directly written to the registry and decrypted Shellcode to write registry startup items. Additionally, the bait document release step may involve the loader opening a bait document from a phishing archive or embedding it within the loader itself. Each attack round varies slightly but is generally similar.

Suspected APT-C-00 (Hailianhua) Delivery of Havoc Trojan

Suspected APT-C-00 (Hailianhua) Delivery of Havoc Trojan

IV. ATT&CK

Persistence

(TA0003)

Defense Evasion

(TA0005)

Registry Startup Items/Startup Folder

(T1547.001)

DLL Side-Loading

(T1574.002)

Process Hollowing Execution Code

(T1055.012)

SummaryBe cautious of unknown links and attachments: Do not click on links in emails or messages, especially those from unfamiliar or suspicious sources. Even messages from familiar contacts should be carefully verified.Employee security awareness training: Regularly conduct cybersecurity training for employees, simulating phishing attacks to help them recognize phishing emails and other online threats.Network segmentation and isolation: Separate critical business systems, data storage, and employee networks, using firewalls and access control lists to restrict access between segments, preventing attackers from moving laterally after an intrusion.Regularly review and patch vulnerabilities: Conduct regular security audits and penetration testing to promptly identify and fix vulnerabilities, reducing the likelihood of exploitation.Appendix IOC

MD5

64062595582c36d0aed322e98108ff4b

2ca07512ba04df5d2d22a2c97d83cd5f

860c9bc3c291de45856218c2059e1117

ca1376132df84cb3be08d43114ad32d7

2da7798e8f7fbeafefbd297e3be5b21b

6725c332b0fe684fbc94df399ab726bc

963448d96d81138413f192dd80558d76

C&C

144.202.46.221[:]443

46.37.124.147[:]80References

[1]https://github.com/HavocFramework/Havoc

Team IntroductionTEAM INTRODUCTION360Advanced Threat Research InstituteThe 360 Advanced Threat Research Institute is the core capability support department of the 360 Enterprise Security Group, composed of senior security experts from 360, focusing on the discovery, defense, handling, and research of advanced threats. It has been the first to capture several well-known 0-day attacks globally, such as Double Kill, Double Star, and Nightmare Formula, and has exclusively disclosed advanced actions of multiple national-level APT organizations, gaining widespread recognition both inside and outside the industry, providing strong support for 360 in safeguarding national cybersecurity.

Leave a Comment