Threat

Intelligence
Winnti APT group docks in Sri Lanka for
new campaign

TLP: CLEAR

September 2022 updated: 10/18/22

Table of Contents

• Overview 3

• The attack 4

• First stage - DBoxAgent 5

• Ofcpic.dll - DBoxAgent analysis 6

• Second stage - SerialVlogger 12

• libcef.dll - SeriallVlogger analysis 12

• Third stage - VLOG.IPDB 15

• Fourth stage - KEYPLUG 17

• Attribution 18

• Sri Lanka and China - A little bit of history 18

• Sri Lanka and China - Current situation 19

• Conclusion 21

• Indicators of Compromise (IOCs) 22

 3

Overview
This blog post was authored by Roberto Santos, Hossein Jazi and Jérôme Segura

In early August, the Malwarebytes Threat Intelligence team identified a new attack targeting
government entities in Sri Lanka. The threat actors used multiple layers of protection and
techniques to make analysis harder and hide their final payload.

However, based on tactic, techniques and procedures (TTPs) as well as code similarities we
believe that this attack falls under the Winnti umbrella. Winnti is a Chinese state-sponsored
effort of different threat actors that have conducted cyber espionage and financially motivated
operations since 2012.

This new campaign started on August 4th and has been active since at least the middle of
August. Interestingly during the same time, the Chinese vessel Yuan Wang 5 (which tracks
rocket and spacecraft launches for China), arrived and docked at the naval port of Hambantota
located in Sri Lanka. Neighboring India views the vessel as a risk to its national security and the
US Department of Defense believes it is operated by China's People's Liberation Army Strategic
Support Force (PLA-SSF division). All this situation happened during a very difficult time for
Lankans. We will briefly analyze this situation at the end of the report.

We identified several payloads being dropped in this campaign, including a backdoor that was
new to us that we call DBoxAgent due to its use of Dropbox as a command and control server.
Victimology analysis helped us to confirm our assumption of the Winnti threat group behind
this attack with the KeyPlug malware used as final payload.

In this blog post we will review the chain of events and go through the different layers of
protection that make this attack stealthy and show that Winnti continues to be active and
expand its reach in the South Asia region.

We shared our initial findings with Dropbox who immediately took action to stop this malicious
activity. We would like to thank the Dropbox threat intelligence team for their response.

Winnti APT group docks in Sri Lanka for new campaign - © Malwarebytes
 4

The attack

Sri Lanka has been going through a number of crises during the past year including mass
protests while the country's economy is collapsing. Indeed, the United Nation relayed a call
from humanitarian agencies that Sri Lanka's economic crisis requires immediate global
attention .

Interestingly, the attack we observed is being distributed via an ISO image masquerading as a
document containing information about economic assistance ( economic assistance.iso )
hosted on Google Drive. Metadata from VirusTotal indicates that this particular file was first and
subsequently uploaded from Sri Lanka (country code LK). We were also able to further confirm
that victims were in the (UTC+05:30) time zone, and more specifically in Sri Jayawardenepura
which is the country's administrative capital.

An overview of the attack can be seen in the next image, revealing the use of Dropbox as
command and control server to help distribute several payloads, including the KeyPlug
malware. Sandbox analysis of the sample can be found here .

Killchain

Winnti APT group docks in Sri Lanka for new campaign - © Malwarebytes
 5

First stage - DBoxAgent

As stated, attackers used the ongoing situation in Sri Lanka to lure victims. The initial ISO file
that victims have executed was named "economic assistance.iso". This ISO file contained 3 files:

- A LNK file showing a folder icon that is a shortcut for the following command: "C:
\Windows\System32\cmd.exe /c des.exe"

- An executable named des.exe

- A DLL file named ofcpipc.dll

Content for economic assistance.iso

It would be easy for an unexperienced user to think that the LNK file is a folder. Instead, after
clicking on the shortcut, des.exe is executed. This binary appears legitimate as it has 0
detection in VirusTotal and is part of by Trend Micro AV.

Winnti APT group docks in Sri Lanka for new campaign - © Malwarebytes
 6

des.exe signature info

Ofcpic.dll - DBoxAgent analysis

However, ofcpipc.dll does have some detections and is the one containing malicious code.
des.exe is a legitimate executable used to perform DLL SIDELOADING in order to execute
ofcpipc.dll . This maliciously crafted DLL mimics the original DLL, containing all original exports
and an additional one, named OIPC_InitPlus :

Winnti APT group docks in Sri Lanka for new campaign - © Malwarebytes
 7

Extra import in Ofcpic.dll

Looking at DLL_Main, what we have in here are basic checks and initialization. The malware
expects to be executed in a very specific way; it will skip execution when launched directly
using rundll (to avoid being detected by some sandboxes) and also it expects to be located in
the %PUBLIC% folder.

DLL skip execution generated by rundll

Moving forward to the main functionality, when all the required conditions are satisfied a buffer
contained in its data section will be decoded and allocated to a new memory region. This
allocated memory will contain shellcode that implements the malicious functionality.

The most common way to execute shellcode is directly using a jmp or a call instruction to the
pointer. Instead, attackers placed a hook in the __security_init_cookie() function (a well known
function in executables compiled with Visual Studio), part of des.exe . Remember that des.exe
was the original signed executable. This is important, as using this technique may be not
detected by many AV vendors.

Winnti APT group docks in Sri Lanka for new campaign - © Malwarebytes
 8

The following diagram shows how the injection is performed:

DBoxAgent memory layout during injection process, step by step

The shellcode is a backdoor that gives the ability for attackers to control the victim's machine.
We named this new backdoor DBoxAgent as it uses Dropbox as C&C. This way, attackers are
able to circumvent network protection tools, as all communications are sent and received
through Dropbox API. They used the following authentication: Bearer
_ah6koSKE8UAAAAAAAAAAXV5lH_zm1T-xVCTqyhty3cq8U7kTb9E4y2XMPDdasKV .

Winnti APT group docks in Sri Lanka for new campaign - © Malwarebytes
 9

Inside Dropbox, attackers created a folder tree. In a nutshell, DboxAgent will be uploading
stolen data to Dropbox and downloading code to execute, using polling. Dropbox folder
created by the attackers could be something like that:

Attacker's view of files contained in Dropbox

Winnti APT group docks in Sri Lanka for new campaign - © Malwarebytes
 10

Every folder under users represents a victim. The names were generated by using a
concatenation of ethernet adapters MAC addresses found in their machines:

Attackers have used ETHERNET MAC Addresses to identify victims

Here is a description for those files and folders that could be found at attackers Dropbox
generated account:

info.txt

This file is created when the victim runs the malware, and contains the output generated by the
command systeminfo .

down (folder)

Here, attackers will place files that will be dropped to the victim's machine. The malware will
look for a special file called DownConfig.txt that contains the filename to download.

Winnti APT group docks in Sri Lanka for new campaign - © Malwarebytes
 11

Code responsible of fetching and dropping files to victims computers

We have found 3 different files (payloads) in here named jcef_helper.exe , libcef.dll and
vlog.ipdb .

upload (folder)

Used for recovering files from victims' computers. There is a special file called
UploadConfig.txt , where attackers place the names of the files to steal from victims.

shell (folder)

Used to send and receive commands via CmdConfig.txt . Files with random numbers are the
output generated by these commands. All communications are performed using the Dropbox
API via the (encrypted) HTTPS protocol. However, attackers adde an extra security layer. All
files, commands and outputs are stored and sent using custom encoding. Note that these tiny
encoders are common signatures in Winnti attacks:

Algorithm used to protect files (DBoxAgent)

Winnti APT group docks in Sri Lanka for new campaign - © Malwarebytes
 12

Second stage - SerialVlogger

By using DBoxAgent, attackers had already full control of their victim's machine. They were able
to steal information and also to deploy additional pieces of malware. In that regard, only
selected victims received this second stage that used jcef_helper.exe , libcef.dll and vlog.ipdb
files.

Jcef_helper is not malicious and, as with des.exe , it was used just as a means to execute
libcef.dll . This jcef_helper is the legitimate Java Chromium Embedded Framework helper,
signed by JetBrains .

Jcef_helper.exe signature info

libcef.dll - SeriallVlogger analysis

In that case, the DLL was packed with VMProtect. As in the first stage, the same procedure is
followed to execute this malicious DLL. Functionality in fact is pretty similar to the first bytes
seen in DBoxAgent, where a buffer was decoded and then executed using a hook placed in the
address for __security_init_cookie() . However, it has some interesting points to dig in.

Winnti APT group docks in Sri Lanka for new campaign - © Malwarebytes
 13
First of these peculiarities is that SerialVlogger won't inject anything contained in any buffer
inside it. Instead, SerialBlogger will look for a special file named vlog.ipdb (remember that
vlog.ipdb was one of the files dropped along).

SerialVloger code extract, showing how it will open vlog.ipdb and terminate execution when not
found

As it can be seen, execution will not continue in case vlog.ipdb does not exist. After that, the
malware will use GetVolumeInformationA to query properties about C:. Specifically, the
SerialNumber of the drive is what attackers are interested in. They will use this serial number as
a key to decrypt vlog.ipdb , using the following algorithm.

Winnti APT group docks in Sri Lanka for new campaign - © Malwarebytes
 14

Similar algorithms have been found as part of past attacks attributed to Winnti:

Algorithm used to unprotect vlog.ipdb file

That means that every victim will have its own different copy of the vlog.ipdb file. Attempts to
run vlog.ipdb files in a different machine will result in a crash. Attackers have made a pretty
good in disguising these files, as vlog.ipdb files have an entropy close to 8. The decoding
algorithm can be seen as follows in a Python implementation:

Algorithm used to unprotect vlog.ipdb file, in Python

A quick note about the algorithm: part1 is not produced using the key or the buffer. After a few
rounds it will tend to 7. Part1 will just add an extra rotation to the leading bytes (at the end, this
does not affect the randomness). We don't know why attackers decided to go that way, but
probably they wanted to add an extra protection layer to first bytes, as in first rounds
complexity is a little higher. So, discarding this part1 as complexity source, the algorithm is
pretty simple. It consists of multiplying the key with the iteration value, and simply xoring then
with the encoded buffer.

Finally, this file will decrypt vlog.ipdb contents and will place a hook in __security_init_cookie() ,
so the vlog.ipdb content will be executed later instead of the original jcef_helper.exe file.

Winnti APT group docks in Sri Lanka for new campaign - © Malwarebytes
 15

Third stage - VLOG.IPDB

Vlog.ipdb is a tiny DLL loader, capable of running a DLL that is encrypted inside the shellcode
itself. To do so, it will first locate its own address by using the well known call - pop scheme,
shown in the next image:

Vlog.ipdb will first fetch RIP value

After that, it will locate the DLL inside it using its relative offset. This time, attackers went more
standard and encrypted the DLL using regular RC4:

RC4 decryption algorithm

Winnti APT group docks in Sri Lanka for new campaign - © Malwarebytes
 16

The RC4 key is contained inside the vlog.ipdb shellcode. This key was found in our sample
xored with the value 0x63. The used key was ytveX05lCYreUzo4 :

RC4 key was protected by a simple xor

This loader will use some Windows APIs by first fetching the kernell32.dll location (using the
PEB) and then fetching the required libraries using its name. Malicious shellcode uses hash
algorithms or CRCs in order to hide these required function names to avoid triggering alarms.
The malware hashes all function names (bruteforce style) and when one matches that means
the required function has been found.

The used hash algorithm has clear similarities with other known algorithms and was used once
before, in an old malware called Nuclear Bot (NukeBot) described here . It turns out that the
source code was leaked at some point, so attackers could have developed this one inspired by
the old Nuclear Bot.

NuclearBot hashing algorithm (source netscout.com) and vlog.ipdb's are identicalCaption

Winnti APT group docks in Sri Lanka for new campaign - © Malwarebytes
 17

Fourth stage - KEYPLUG

After all these steps, attackers managed to inject shellcode that was encrypted in a file called
vlog.ipdb . Every vlog.ipdb had a different hash (as these were encrypted using different serial
numbers). However, after decoding them, we found that the injected file was the same for all
victims.

Interestingly, vlog.ipdb was found protected twice, one protection due to DBoxAgent and one
due to SerialVloger and is a backdoor that matches the KEYPLUG family. This report also
describes some of the functionality carried out by KEYPLUG at the end of it. The following
configuration was used:

WSS://162 [.]159.200.0/24;162[.]159.36.0/24;172[.]67.192.0/24;104[.]27.96.0/24:443| WSS://162

[.]159.200.0/24;162[.]159.36.0/24;172[.]67.192.0/24;104[.]27.96.0/24:443 |360| 5 |1|
dash[.]lcmbk.com:443

The backdoor relies on the websocket protocol to carry out its activities:

Keyplug (Windows version) code fragment, establishing communication using websockets

By using this backdoor, attackers were able to fully control victims' machines. We can see why
attackers protected that final stage. Keyplug is a very complete and complex backdoor with 4
different modes (HTTP, TCP, UDP and Websockets). This sample is truly an advanced piece of
malware, so we may cover it in a future report.

Winnti APT group docks in Sri Lanka for new campaign - © Malwarebytes
 18

Attribution
This whole attack has Winnti signatures fingerprints all over it. The most significant one
probably is the use of KeyPlug malware, which is exclusively used by this group, and most likely
developed by them. We have seen multiple custom encoding algorithms (as the one described
in DBoxAgent or the one found in SerialVlogger) that are also a team signature.

The usage of VMProtect in some of the intermediate files is a known TTP for Winnti. Finally,
victimology also matches with the group's usual targets. It is true that attacks in Sri Lanka
haven't been documented yet, but China's interests in this island is not something new. Next
lines will cover these possible interests.

Sri Lanka and China - A little bit of history

Sri Lankan recent history is defined by its long civil war. This war was almost 30 years long and
ended in 2009 . The main reasons were disputes between Tamils (with the LTTE group
Liberation Tigers of Tamil Eelam) and the Sinhalese, which represented the majority of the
population and the government. In 2005, Mahinda Rajapaksa won the national elections, and
during his mandate LTTE was defeated. That increased the popularity of Rajapaksa's clan and
many of its family members where later included in political institutions .

However, it is believed that Rajapaksa brought a secret ally that supported their victory. An
interesting article Riding with the Devils: China’s Role in the Cambodian and Sri Lankan
Conflicts talks about Rajapaksa's victory " China became the most important military ally and aid
provider [...] According to Stockholm International Peace Research Institute (SIPRI) data, China
has exported arms worth US$638 million to Sri Lanka [...] China clearly turned out to be the main
provider of weapons for Sri Lanka[...] ". We can see that China's interests in Sri Lanka began
decades ago.

After the war, China kept showing interests in the country. Rajapaksa leveraged that interest to
finance numerous projects, like the Lotus Tower ($113 million), the Rajapaksa International
Airport ($250 million) or the Hambantota International Port ($1.5 Billion). All of these were
financed by China or Chinese companies. Moreover, Sri Lanka started to build a dangerous
debt.

Winnti APT group docks in Sri Lanka for new campaign - © Malwarebytes
 19

Columbus Lotus Tower

In the case of Hambantota, CMPort (China Merchants Port) ended up obtaining a 99 year lease
in 2017, as Sri Lanka couldn't afford the cost. Even though the use of the port was intended for
commercial purposes, we can see how this agreement already triggered some alarms. For
instance, Anjelina Patrick, Research Associate at the National Maritime Foundation (NMF) wrote
"[...] internal security of the port will be controlled only by the Chinese company, thus providing a
loophole to Chinese employ the military for the internal security role. Therefore, the Lankan
government has indicated that [...] it would neither affect the sovereignty of the country nor lead
to any inimical military presence" . She also expressed concerns about the Chinese debt trap.

This debt trap has even been claimed by individuals like Richard Moore , the head of Britain's
foreign intelligence agency (MI6): "China lends money to other countries, which end up having
to cede control of key assets if they can't meet their debt repayments [...] One example often
cited by critics of China is Sri Lanka, which years ago embarked on a massive port project in
Hambantota with Chinese investment".

Sri Lanka and China - Current situation

Sri Lanka's financial problems became worse over time. Corruption, COVID-19, terrorism, debts
and wrong financial decisions ended up in a bankrupt country. Gotabaya Rajapaksa (Mahinda

Winnti APT group docks in Sri Lanka for new campaign - © Malwarebytes
 20
Rajapaksa's brother and president at the time) finally left the country in July 2022. At the time of
writing, the country faces an inflation of around 80%, and a debt near 120%. The population is
experiencing serious troubles as basic needs are often not met and foreign aid to get out that
situation is needed.

We have seen how China has demonstrated interest about the island, and played an important
role in its fate. Sri Lanka's location in South Asia is strategic for China as it has open access to
the Indian Ocean and is close to India. Looking at this cyberattack, it happened in mid August
just when the Yuan Wang 5 Chinese ship docked at Hambantota's port.

Sri Lanka's location is attractive due to its proximity to India and Indian Ocean

Winnti APT group docks in Sri Lanka for new campaign - © Malwarebytes
 21

Conclusion
Winnti remains active and its arsenal keeps growing as one of the most sophisticated groups
nowadays. We have never seen Winnti use Dropbox as C&C before but it seems that using these
cloud services for malicious purposes has become more popular among actors.

Some may think that China is taking advantage of Sri Lanka's weaknesses and that the PLA
could have in mind military activities at Hambantota. China's military expansion is something
that has already happened. Back in 2017, we saw how they opened the PLA Djibouti base , a
naval base located in the horn of Africa (Djibouti also has a big debt owed to China ).

China's version is that the ship " was conducting scientific research in accordance with
international law" . On the other hand, "US Defense Department says the ship is under the
command of the People's Liberation Army (PLA)[...]" and in particular, under Strategic Support
Force (SSF) "a theater command-level organization established to centralize the PLA's strategic
space, cyber, electronic, information, communications, and psychological warfare missions and
capabilities" More information here and here . Of course, we cannot state that both events
(cyberattack and ship arrival) are related but we just point out how both happened at the same
time along with China's existing interests in Sri Lanka.

Western countries have also made some moves. Geopolitically, it would be a poor decision to
leave Sri Lanka with China as the only alternative. The Indian and Sri Lanka governments have
been in talks about debt restructuring and it is expected that the IMF will approve a $3 billion
loan to the country in December.

Once we identified this campaign, we reached out to Dropbox and they immediately disable the
account that was used as a C&C server. Malwarebytes customers are protected against this
attack; the new backdoor we found is detected as Trojan.DBoxAgent.

Winnti APT group docks in Sri Lanka for new campaign - © Malwarebytes
22

Indicators of Compromise (IOCs)

Indicator Type Description

hxxps://
drive[.]google[.]com/u/1/
uc? ISO download link on
URL
id=1BzqN5BUfLJ8a0LRfKNa Google Drive
RdL4e1jg8X2PU&export=do
wnload

a9d967243678d31ba5027d
1802fbc1606c10b7743d6d SHA256 Hash ISO file
6851eddc32b9281eb2f6

1fd0018a96a1171470f84d4
d745cf11c246b785d3b60fb SHA256 Hash ISO file
957c0677399d597291

be7f7955a296874f238da6e
c5b63ffec995429ee1833e7 SHA256 Hash Shortcut (LNK) file
fbcc294e36eeacbca4

904189ef4cec6ad4603918
e63e0b2e477cb11503315a SHA256 Hash DBoxAgent
d3822437ee75920793f4

8dc38dcd26c62e93c81e7f
4408b83ec4d2adfe9a06cf SHA256 Hash SerialVLogger
ebef0de945b338ec3c8b

206e93703e8d518ebe750
593ff0c41b3c7ec3fd2fda2e SHA256 Hash Loader
107341ebc2889ee061c

SHA256 Hash KeyPlug

Winnti APT group docks in Sri Lanka for new campaign - © Malwarebytes
23

Indicator Type Description

67baf182cad7c65df8fe392
0d6b58293c5e0c9cb574d
43abd045077a1d33fc67

dash[.]lcmbk[.]com Domain Winnti-APT

Winnti APT group docks in Sri Lanka for new campaign - © Malwarebytes