
Nation State Attack Detected After 2 Years of its operation

  • May 30, 2023
  • 3 min read

WinTapix / PowerExchange

Affected platforms: Windows
Impacted parties: Windows users
Impact: Allows remote code execution and persistent access to the host (backdoor) and the rest of the network (proxy)


On 22 May 2023 the Fortinet team released a report on suspicious executables they had monitored that make use of open-source tools and frameworks. Among them was a driver called WinTapix.sys that makes use of the Donut project. Donut* is position-independent shellcode that loads .NET assemblies, PE files and other Windows payloads from memory and runs them with parameters.

Another variant of the WinTapix driver, named SRVNET2.SYS, was also detected. Although these drivers were compiled in May 2020, they were first flagged as suspicious only in February 2023.

The targeted countries are Saudi Arabia, Jordan, Qatar and the United Arab Emirates. Based on previous similar use of Donut (social-media software), it is suspected that the same or a related Iranian team is behind this attack. It is known that Microsoft Exchange is a favourite target of Iranian hackers. The Iranian nation-state actor APT34 (aka OilRig) has also adopted a similar approach.




WinTapix uses multiple common open-source tools to protect itself from reverse engineering and decompilation. It creates shellcode to establish a backdoor and a proxy once an injectable process is found. It then hides behind processes commonly used in Microsoft environments, which makes it very difficult to detect with antivirus and other security-operations and threat-hunting tools. Once the backdoor and proxy are established, the proxy routes communication to the command-and-control centre. Although it claims to use a private key (suggesting asymmetric cryptography), the data is in fact encrypted with a poor XOR scheme. It also uses various techniques and tools to throw investigators off its trail.

Once deployed, it makes changes to the Registry to achieve persistence. The changes are made in such a way that it stays hidden and functional even in Safe Mode. If the malware file is deleted, it has the ability to recreate itself at the same location.
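As an added example (not code from this post or from Fortinet), the following Python triages the output of `reg query HKLM\SYSTEM\CurrentControlSet /s` for kernel-driver services that are also registered under the SafeBoot keys, which is one concrete way a driver can remain loaded in Safe Mode as described above. The post does not say how WinTapix achieves this, so the SafeBoot check is an assumption, and the service names, image paths and the sample `reg query` output below are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed (trimmed) sample of `reg query HKLM\SYSTEM\CurrentControlSet /s`
# output. Service names and paths are invented for this example; "exampledrv"
# stands in for any unknown driver, not for a specific sample from the report.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\disk
    Type    REG_DWORD    0x1
    Start    REG_DWORD    0x0
    ImagePath    REG_EXPAND_SZ    \SystemRoot\System32\drivers\disk.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exampledrv
    Type    REG_DWORD    0x1
    Start    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    \??\C:\ProgramData\example\exampledrv.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\spoolsv.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\disk
    (Default)    REG_SZ    Driver

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\exampledrv
    (Default)    REG_SZ    Driver

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\exampledrv
    (Default)    REG_SZ    Driver
"""

SERVICE_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)$", re.I)
SAFEBOOT_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
    r"(Minimal|Network)\\([^\\]+)$", re.I)
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")
# Where Windows itself keeps boot-start drivers; anything else is worth a look.
STANDARD_DRIVER_DIR = re.compile(r"system32\\drivers\\[^\\]+\.sys$", re.I)
SERVICE_KERNEL_DRIVER = 0x1


@dataclass
class Service:
    name: str
    type: int = 0
    start: int = 0
    image_path: str = ""
    safeboot: set = field(default_factory=set)   # {"Minimal", "Network"}


def parse_reg_query(text):
    """Build {service_name_lower: Service} from `reg query /s` text, joining
    each Services\\<name> key with any SafeBoot\\*\\<name> key of the same name."""
    services, safeboot, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SERVICE_KEY.match(line)
        if m:
            current = services.setdefault(m.group(1).lower(), Service(m.group(1)))
            continue
        m = SAFEBOOT_KEY.match(line)
        if m:
            safeboot.setdefault(m.group(2).lower(), set()).add(m.group(1))
            current = None
            continue
        if line.startswith("HKEY_"):      # some other key (e.g. Services\x\Parameters)
            current = None
            continue
        m = VALUE_LINE.match(raw)
        if m and current is not None:
            name, kind, value = m.groups()
            if name.lower() == "type" and kind == "REG_DWORD":
                current.type = int(value, 16)
            elif name.lower() == "start" and kind == "REG_DWORD":
                current.start = int(value, 16)
            elif name.lower() == "imagepath":
                current.image_path = value.strip()
    for key, modes in safeboot.items():
        if key in services:
            services[key].safeboot = modes
    return services


def safeboot_kernel_drivers(services):
    """Kernel drivers (Type 0x1) that are also registered to load in Safe Mode."""
    return [s for s in services.values()
            if s.type == SERVICE_KERNEL_DRIVER and s.safeboot]


def suspicious_safeboot_drivers(services):
    """Triage aid only: Safe Mode drivers whose image lives outside
    System32\\drivers. Review the full safeboot_kernel_drivers() list too,
    since a driver dropped into the standard directory would pass this filter."""
    return [s for s in safeboot_kernel_drivers(services)
            if not STANDARD_DRIVER_DIR.search(s.image_path)]


if __name__ == "__main__":
    svcs = parse_reg_query(SAMPLE_REG_QUERY)
    for s in suspicious_safeboot_drivers(svcs):
        print(f"{s.name}: {s.image_path} (SafeBoot: {', '.join(sorted(s.safeboot))})")
```

On a live host, capture the input with `reg query HKLM\SYSTEM\CurrentControlSet /s > ccs.txt` and pass the file contents to `parse_reg_query`; the same parser works on output collected from many hosts by an EDR or a scheduled task, which is where a nation-state driver that survives Safe Mode would stand out against a fleet baseline.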

Some researchers have pointed out that the binary, which masquerades as a PDF document, functions as a dropper that executes the final WinTapix payload; they named the operation PowerExchange. This implies that phishing, with a PDF as bait, is the preferred route of infection.

PowerExchange also uses PowerShell and employs text files attached to emails for command-and-control (C2) communication. This allows the threat actor to run arbitrary payloads and to upload files to and download files from the system.



Important Details

The following are important details for practitioners (more can be found in the Fortinet report).

IOCs

Filename             SHA256
SRVNET2.SYS          f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d
WinTapix.sys         1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e
WinTapix.sys         8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330
Injected Shellcode   aae9c8bd9db4e0d48e35d9ab3b1a8c7933284dcbeb344809fed18349a9ec7407
.Net payload         27a6c3f5c50c8813ca34ab3b0791c08817c803877665774954890884842973ed
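As an added example (not code from this post or from Fortinet), here is a small Python sweep that hashes files under a directory tree and matches them against the SHA-256 IoCs listed above. The match is on the hash alone, so a renamed copy of a known-bad driver still hits. The `demo()` self-check stages harmless constructed files in a temporary directory and matches against a constructed IoC set, since no real sample is available here.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 IoCs as published in the post (sourced from the Fortinet report).
WINTAPIX_IOCS = {
    "f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d": "SRVNET2.SYS",
    "1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e": "WinTapix.sys",
    "8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330": "WinTapix.sys",
    "aae9c8bd9db4e0d48e35d9ab3b1a8c7933284dcbeb344809fed18349a9ec7407": "Injected shellcode",
    "27a6c3f5c50c8813ca34ab3b0791c08817c803877665774954890884842973ed": ".NET payload",
}


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large drivers/DLLs are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs=WINTAPIX_IOCS, suffixes=(".sys", ".dll", ".exe", ".bin")):
    """Return [(path, sha256, label)] for every file whose hash is in `iocs`.
    `suffixes` only limits what gets hashed; pass suffixes=() to hash everything."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if suffixes and p.suffix.lower() not in suffixes:
                continue
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # locked or unreadable; log these in real use
            if digest in iocs:
                hits.append((str(p), digest, iocs[digest]))
    return hits


def demo():
    """Constructed self-check: two harmless files, one of which is matched only
    by a constructed IoC set (the published set above will not match either)."""
    with tempfile.TemporaryDirectory() as tmp:
        staged = Path(tmp) / "drivers" / "sample.sys"      # constructed, not a driver
        staged.parent.mkdir()
        staged.write_bytes(b"constructed sample bytes, not a real driver")
        (Path(tmp) / "readme.txt").write_text("benign text file")
        constructed_iocs = {sha256_file(staged): "constructed test sample"}
        real_hits = scan_tree(tmp)                   # against the published IoCs
        test_hits = scan_tree(tmp, constructed_iocs) # against the constructed set
        return real_hits, test_hits


if __name__ == "__main__":
    for path, digest, label in scan_tree(r"C:\Windows\System32\drivers"):
        print(f"MATCH {label}: {path} {digest}")
```

Point `scan_tree` at the locations a driver would be staged (the drivers directory is a natural start; the post notes the malware recreates itself at the same location, so re-scan after any removal) and feed the hits to the case record rather than deleting in place, so the file is preserved for forensics.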



MITRE ATT&CK Matrix

The following MITRE ATT&CK overlay contains TTPs associated with the deployment, installation and execution of the WinTapix driver and associated backdoor identified by FortiGuard Labs.

Attack Flow

Nation-state attacks are difficult to detect and pursue because multiple teams work on the project in a coordinated manner. Therefore, capacity building (people, technology, tools and techniques) for threat hunting is critical for national cyber defence.


* Project Donut is basically an open-source, feature-rich and highly privacy-friendly social media platform. It is not a replica of Facebook; it is a platform built for community-oriented collaboration in a customised way. It is built on the Node.js framework, which helps other communities set up their own platform.


-----END----
