0x00 Preface

---

Recently, six tools from APT34 were leaked. This article analyzes PoisonFrog and Glimpse solely from a technical perspective.

References:

https://malware-research.org/apt34-hacking-tools-leak/amp/

0x01 Introduction

---

This article will cover the following:

  • Analysis of PoisonFrog
  • Analysis of Glimpse
  • Summary

0x02 Analysis of PoisonFrog

---

The corresponding leaked file is named posion frog

It consists of two parts:

  • agent, containing the file poisonfrog.ps1, which is a Trojan program implemented via PowerShell
  • server side, corresponding to the Trojan control end, developed using Node.js

1. Functions implemented by the agent

1. Releases three files in the %public%\Public folder

  • dUpdater.ps1
  • hUpdater.ps1
  • UpdateTask.vbs

The specific functions of the released files are as follows:

(1) dUpdater.ps1

  1. Generates a unique identifier for the current system
  2. Reads the proxy settings of the current system
  3. Downloads files from the C2 server via HTTP protocol
  4. Performs further operations based on the content of the downloaded files, including executing commands, uploading files, and downloading files

(2) hUpdater.ps1

  1. Generate a unique identifier for the current computer
  2. Create the following folders
  • %public%\Public\
  • %public%\Public\\reveivebox
  • %public%\Public\\sendbox
  • %public%\Public\\done
  3. Receive control commands from the C2 server via DNS A records
  4. Execute commands and return results

(3) UpdateTask.vbs

Content as follows:

command0 = "Powershell.exe -exec bypass -file C:\Users\Public\Public\hUpdater.ps1"
set Shell0 = CreateObject("wscript.shell")
shell0.run command0, 0, false
command1 = "Powershell.exe -exec bypass -file C:\Users\Public\Public\dUpdater.ps1"
set Shell1 = CreateObject("wscript.shell")
shell1.run command1, 0, false

Used to launch the PowerShell scripts hUpdater.ps1 and dUpdater.ps1 with the execution policy bypassed; the run arguments 0 and false start each script in a hidden window without waiting for it to finish

2. Create two scheduled tasks

  • Named \UpdateTasks\UpdateTask, runs every 10 minutes, executes UpdateTask.vbs with current user permissions
  • Named \UpdateTasks\UpdateTaskHosts, runs every 10 minutes, executes UpdateTask.vbs with System permissions
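The persistence described above (two tasks under \UpdateTasks, a 10-minute repeat, a .vbs launched from the Public profile) can be triaged from scheduled-task output. The following is an added Python example written for this article; it is not code from the leaked tool. The CSV is constructed in the shape of `schtasks /query /fo csv /v` output and the column names it relies on ("TaskName", "Task To Run", "Run As User", "Repeat: Every") are assumptions about that format.

```python
"""Triage scheduled tasks for the PoisonFrog persistence pattern.

Added example, not code from the leaked tool. The CSV below is constructed to
resemble `schtasks /query /fo csv /v` output; the column names are assumed.
"""
import csv
import io
import re

# Indicators taken from the article: task names and files dropped under %public%\Public.
KNOWN_TASK_NAMES = {r"\UpdateTasks\UpdateTask", r"\UpdateTasks\UpdateTaskHosts"}
KNOWN_DROPPED_FILES = {"dupdater.ps1", "hupdater.ps1", "updatetask.vbs"}

# A script interpreter target living under \Users\Public\ is unusual for a legitimate task.
PUBLIC_SCRIPT_RE = re.compile(r"\\users\\public\\[^\"]*\.(vbs|ps1|js|bat|cmd)\b")
# Matches the 'Repeat: Every' cell format, e.g. "0 Hour(s), 10 Minute(s)" (assumed).
REPEAT_RE = re.compile(r"(\d+)\s*Hour\(s\),\s*(\d+)\s*Minute\(s\)", re.IGNORECASE)

# Constructed sample: two benign tasks and the two tasks described in the article.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Task To Run","Run As User","Repeat: Every"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","Disabled"
"WS01","\UpdateTasks\UpdateTask","C:\Users\Public\Public\UpdateTask.vbs","WS01\alice","0 Hour(s), 10 Minute(s)"
"WS01","\UpdateTasks\UpdateTaskHosts","C:\Users\Public\Public\UpdateTask.vbs","SYSTEM","0 Hour(s), 10 Minute(s)"
"WS01","\Adobe Acrobat Update Task","C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe","SYSTEM","Disabled"
'''


def parse_repeat_minutes(value: str):
    """Convert a 'Repeat: Every' cell to minutes; None when the task does not repeat."""
    m = REPEAT_RE.search(value or "")
    if not m:
        return None
    return int(m.group(1)) * 60 + int(m.group(2))


def reasons_for(row: dict) -> list:
    """Return the heuristics one task row trips (empty list when nothing matches)."""
    reasons = []
    name = row.get("TaskName", "")
    command_lc = row.get("Task To Run", "").lower()
    if name in KNOWN_TASK_NAMES:
        reasons.append("task name matches a PoisonFrog persistence task")
    if any(f in command_lc for f in KNOWN_DROPPED_FILES):
        reasons.append("command references a file PoisonFrog drops")
    if PUBLIC_SCRIPT_RE.search(command_lc):
        reasons.append("script launched from the Public profile")
    minutes = parse_repeat_minutes(row.get("Repeat: Every", ""))
    if minutes is not None and minutes <= 10:
        reasons.append(f"repeats every {minutes} minute(s)")
    return reasons


def triage_tasks(csv_text: str) -> list:
    """Parse schtasks CSV text and return [(task_name, run_as_user, reasons)] for flagged tasks."""
    reader = csv.DictReader(io.StringIO(csv_text))
    flagged = []
    for row in reader:
        reasons = reasons_for(row)
        if reasons:
            flagged.append((row["TaskName"], row.get("Run As User", ""), reasons))
    return flagged


if __name__ == "__main__":
    for task_name, run_as, reasons in triage_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{task_name} (runs as {run_as}):")
        for reason in reasons:
            print(f"  - {reason}")
```

The name and file-name checks are the narrow indicators; the two generic heuristics (a script under \Users\Public\ and a repeat interval of 10 minutes or less) are what would still fire if the same technique were used with renamed tasks, and they are worth keeping even when the specific names are absent.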

2. Analysis of the server side

Implemented via Node.js

Requires installation of third-party packages via npm before use; specific installation commands are located in the file install_packages.bat

index.js is the main program

To prevent misuse, the code for the control side is not analyzed in detail, nor are specific setup methods provided

Note:

In my previous articles 'Node.js in Penetration Testing—Implementation of a Downloader' and 'Node.js in Penetration Testing—Hiding Real Code Using C++ Addons', I introduced the use of Node.js. Basic knowledge of Node.js can be referenced from these articles

Using Node.js to implement the server side has the following advantages:

  • Simple and easy-to-understand syntax
  • Lightweight and efficient
  • Can be deployed simultaneously on Windows and Linux systems

3. Public clues about this tool

  1. APT34 used CVE-2017-11882 to spread this Trojan, and FireEye analyzed the sample:

https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html

  2. Palo Alto Networks named it Early BondUpdater; analysis materials of the sample:

https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/

0x03 Analysis of Glimpse

---

The corresponding leaked file is named Glimpse

It consists of four parts:

  • Agent, containing four files: dns.ps1, dns_main.ps1, refineddns_main.ps1, and runner_.vbs
  • Panel, containing a C# developed interface program, which is the graphical Trojan control interface
  • Server, the Trojan control end, developed in Node.js
  • Read me.txt, configuration documentation

1. Functions implemented by the agent

The functions of the three files dns.ps1, dns_main.ps1, and refineddns_main.ps1 are identical

The original version is dns_main.ps1

dns.ps1 and refineddns_main.ps1 only replace variable names with meaningless obfuscated strings

The functionality of dns_main.ps1 is as follows:

  1. Create the folder %public%\Libraries
  2. Check if the file %public%\Libraries\lock exists
  • If it does not exist, create the file and write the PID of the current PowerShell process
  • If the file exists, read its creation time; if it has been more than 10 minutes since creation, exit the process and delete the lock file
  3. Generate a unique identifier for the current system and write it to the file %public%\Libraries\quid
  4. Create the following folders:
  • %public%\Libraries\files
  • %public%\Libraries\
  • %public%\Libraries\\reveivebox
  • %public%\Libraries\\sendbox
  • %public%\Libraries\\done
  5. Receive control commands from the C2 server via DNS A records or DNS TXT records
  6. Execute commands and return results
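Both agents described above, hUpdater.ps1 in PoisonFrog and dns_main.ps1 in Glimpse, receive commands through DNS answers (A records, and TXT records in Glimpse). From the resolver's side this shows up as a stream of queries whose leftmost labels carry encoded data and change on every poll. The following is an added Python example written for this article, not code from either tool; the log line format, the domain update-check.example.net, the client address and the thresholds are all constructed assumptions for illustration.

```python
"""Flag DNS query patterns consistent with command-and-control over A/TXT records.

Added example for this article, not code from PoisonFrog or Glimpse. The log
format, the domain names and the thresholds are assumptions, not observed IoCs.
"""
import math
from collections import defaultdict

# Constructed DNS query log, one "<timestamp> <client> <qtype> <qname>" per line.
# update-check.example.net is an invented placeholder, not a real C2 domain.
SAMPLE_LOG = """\
2019-04-20T10:00:01Z 10.0.0.5 A www.example.com
2019-04-20T10:00:02Z 10.0.0.5 A autodiscover.example.com
2019-04-20T10:00:03Z 10.0.0.5 A 3f9a1c7e2b8d4f06a1c3e5b7d9f0.a1b2c3d4e5f6.update-check.example.net
2019-04-20T10:00:04Z 10.0.0.5 A 7c2e9b1f4a6d8e0c3b5f7a9d1e2f.a1b2c3d4e5f6.update-check.example.net
2019-04-20T10:00:05Z 10.0.0.5 A b4d6f8a0c2e1d3f5a7c9e0b2d4f6.a1b2c3d4e5f6.update-check.example.net
2019-04-20T10:00:06Z 10.0.0.5 TXT 9e1d3c5b7a2f4e6d8c0b1a3f5e7d.a1b2c3d4e5f6.update-check.example.net
2019-04-20T10:00:07Z 10.0.0.5 A mail.example.com
2019-04-20T10:00:08Z 10.0.0.5 A www.example.com
"""

MIN_LABEL_LEN = 20      # hostnames people type are rarely this long in one label
MIN_ENTROPY = 3.0       # bits per character; hex/base32-encoded payloads sit above this
MIN_UNIQUE_LABELS = 3   # a beacon produces a fresh subdomain on each poll


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of text (0.0 for the empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Simplification: a production version would consult the public suffix list so
    that names under suffixes such as co.uk are grouped correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def is_payload_label(label: str) -> bool:
    """True when a single DNS label looks like encoded data rather than a hostname."""
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY


def parse_line(line: str):
    """Split one constructed log line into (timestamp, client, qtype, qname), or None."""
    parts = line.split()
    return tuple(parts) if len(parts) == 4 else None


def score_dns_log(log_text: str) -> dict:
    """Aggregate per registered domain and flag domains that look like a DNS channel.

    Returns {domain: {"unique_payload_labels": int, "txt_queries": int, "flagged": bool}}.
    """
    seen = set()
    payload_labels = defaultdict(set)
    txt_queries = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, _, qtype, qname = rec
        domain = registered_domain(qname)
        seen.add(domain)
        if qtype.upper() == "TXT":
            txt_queries[domain] += 1
        # Only the labels left of the registrable domain can carry data.
        for label in qname.lower().split(".")[:-2]:
            if is_payload_label(label):
                payload_labels[domain].add(label)
    return {
        domain: {
            "unique_payload_labels": len(payload_labels[domain]),
            "txt_queries": txt_queries[domain],
            "flagged": len(payload_labels[domain]) >= MIN_UNIQUE_LABELS,
        }
        for domain in sorted(seen)
    }


if __name__ == "__main__":
    for domain, info in score_dns_log(SAMPLE_LOG).items():
        print(domain, info)
```

Counting unique high-entropy labels per registered domain, rather than alerting on any single odd-looking name, is what keeps CDN and anti-spam hostnames (which also use long random labels, but few distinct ones per client) below the threshold; raising the TXT count on the same domain is a cheap way to catch the Glimpse variant's second channel without a separate rule.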

2. Analysis of the server

Implemented via Node.js

Before use, third-party packages must be installed via npm; specific installation commands are located in the file Read me.txt

Compared to PoisonFrog, Glimpse has optimized its code structure and added the functionality of transmitting data via DNS TXT records

To prevent misuse, the code of the control side is not analyzed in detail, nor are specific setup methods provided

3. Public clues about this tool

  1. Palo Alto Networks named it Updated BondUpdater; analysis materials of the sample:

https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/

0x04 Summary

---

For PoisonFrog and Glimpse, although the tool source code was leaked this time, their samples were captured as early as 2017 and have been thoroughly analyzed. Personally, I believe there is no risk of large-scale misuse of these tools. Additionally, using the DNS protocol to transmit data is a very old method, and I do not think this tool will lead to an upgrade in malware technology.