Analysis of the APT31 indictment

APT31 (also known as BRONZE VINEWOOD / Zirconium) used front companies and contractors to run long-term intrusion campaigns leveraging custom tooling (RAWDOOR) and cracked Cobalt Strike, favoring DLL side-loading, service-based persistence, and public cloud/web services for C2. They collected targeting data via tracking links in spearphishing emails, targeted family members and SOHO devices for initial access, and used double infections and privilege-escalation/SQLi exploits to pivot into networks. #APT31 #RAWDOOR

Key points

  • APT31 is attributed to actors operating from Wuhan using front companies (Wuhan XRZ) and contractors to conduct operations.
  • The group developed and deployed the RAWDOOR backdoor and dropper, staging payloads via DLL side-loading and installing a service for persistence.
  • Spearphishing with tracking links harvested device type and public IPs; attackers targeted family members and SOHO routers to reach better-protected targets.
  • Post-exploitation tooling included cracked Cobalt Strike and use of public/cloud services (e.g., GitHub raw) as C2 channels.
  • Attack chains included local privilege escalation (noted CVE-2017-0005), SQL injection for lateral movement, and double infections to regain access if implants were removed.
  • RAWDOOR dropper timestomps files and creates a Windows service by editing ServiceDll to load the second stage from a dropped MSI.
  • Indicators (file hashes, C2 URLs) and YARA rules for the RAWDOOR dropper and payload were published for historical and hunting use.

MITRE Techniques

  • [T1598.003] Phishing for Information: Spearphishing Link – Used tracking links embedded in emails to collect device telemetry and public IPs (‘the emails contained legitimate news article excerpts, accompanied by tracking links… Clicking them allowed attackers to obtain preliminary targeting information, such as the type of device… as well as the public IP address of the recipient.’)
  • [T1566] Phishing – Employed spearphishing emails with malicious attachments or links and fake Adobe Flash update pages to deliver malware (‘spearphishing emails containing malicious attachments or links… creating fake Adobe Flash update pages to deploy the EvilOSX malware’).
  • [T1574.001] DLL Search Order Hijacking (DLL side-loading) – Staged multiple malware families through DLL side-loading before executing payloads (‘all staged through DLL side-loading’).
  • [T1543.003] Create or Modify System Process: Windows Service – The dropper installs the second-stage payload as a service and edits the registry ServiceDll value to point at the dropped MSI (‘drops its payload as %WinDir%\Installer\~DF313.msi… edits the corresponding registry key manually to set the ServiceDll value to the dropped file’).
  • [T1070.006] Indicator Removal on Host: Timestomping – The dropper timestomps the dropped MSI with the attributes of calc.exe so that it blends in with system files (‘The file is timestomped with the attributes of the system’s calc.exe file’).
  • [T1102] Command and Control: Web Service – Used GitHub raw and other public hosting as C2 channels (‘uses GitHub as a Command & Control channel (hxxps://raw.githubusercontent[.]com/willbill4/workspaceer/master/9proxy5/ReadMe.txt)’).
  • [T1068] Exploitation for Privilege Escalation – Employed a local privilege escalation 0-day in an intrusion chain prior to SQL injection pivoting (‘The hack involved a local privilege escalation 0-day… before exploiting an SQL injection’).
  • [T1190] Exploit Public-Facing Application – Used SQL injection to pivot from a compromised subsidiary into a core network (‘before pivoting into the core network from there… before exploiting an SQL injection’).
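The service-based persistence and timestomping described in the key points and in the T1543.003/T1070.006 entries above can be hunted for with exported service data. The following is an added example, not HarfangLab's code or the indictment's content: it flags a svchost-hosted service whose ServiceDll points outside System32/SysWOW64 (here a .msi under %WinDir%\Installer) and a dropped file whose timestamps exactly mirror calc.exe. The service records, the calc.exe timestamps and the service name `constructed_svc` are constructed for the demonstration; on a real host the records would come from HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters and from file metadata.

```python
"""Hunt for RAWDOOR-style service persistence in exported service data (added example)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional
import ntpath

# Directories where a svchost-hosted ServiceDll is expected to live.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
INSTALLER_DIR = "c:\\windows\\installer"


@dataclass
class ServiceRecord:
    name: str
    image_path: str                  # ImagePath value
    service_dll: Optional[str]       # Parameters\ServiceDll value, if any
    dll_created: Optional[datetime]  # timestamps of the file ServiceDll names
    dll_modified: Optional[datetime]


def normalize(path: str) -> str:
    """Expand the %WinDir%/%SystemRoot% spellings and lower-case for comparison."""
    p = path.replace("%WinDir%", "C:\\Windows").replace("%SystemRoot%", "C:\\Windows")
    return ntpath.normpath(p).lower()


def servicedll_findings(rec: ServiceRecord) -> List[str]:
    """Checks on where the ServiceDll value points."""
    findings: List[str] = []
    if not rec.service_dll:
        return findings
    dll = normalize(rec.service_dll)
    hosted_by_svchost = "svchost.exe" in rec.image_path.lower()
    if hosted_by_svchost and not dll.startswith(TRUSTED_DLL_DIRS):
        findings.append("ServiceDll outside System32/SysWOW64")
    if not dll.endswith(".dll"):
        findings.append("ServiceDll is not a .dll file")
    if ntpath.dirname(dll) == INSTALLER_DIR:
        findings.append("ServiceDll lives under %WinDir%\\Installer")
    return findings


def timestomp_findings(rec: ServiceRecord, ref_created: datetime,
                       ref_modified: datetime) -> List[str]:
    """A dropped file carrying calc.exe's exact timestamps is a timestomp tell.
    Files shipped with the OS legitimately share build timestamps, so the
    check is skipped for files under the trusted directories."""
    if not rec.service_dll or normalize(rec.service_dll).startswith(TRUSTED_DLL_DIRS):
        return []
    if rec.dll_created == ref_created and rec.dll_modified == ref_modified:
        return ["file timestamps identical to calc.exe"]
    return []


def hunt(records: List[ServiceRecord], calc_created: datetime,
         calc_modified: datetime) -> Dict[str, List[str]]:
    """Return {service name: findings} for every record that raised at least one."""
    results: Dict[str, List[str]] = {}
    for rec in records:
        f = servicedll_findings(rec) + timestomp_findings(rec, calc_created, calc_modified)
        if f:
            results[rec.name] = f
    return results


# Constructed sample data: calc.exe timestamps and three service entries.
CALC_CREATED = datetime(2019, 12, 7, 9, 9, 10)
CALC_MODIFIED = datetime(2019, 12, 7, 9, 9, 10)
SAMPLE_SERVICES = [
    # legitimate svchost service; shares calc.exe's build timestamps, which is normal
    ServiceRecord("wuauserv", "%SystemRoot%\\system32\\svchost.exe -k netsvcs",
                  "%SystemRoot%\\system32\\wuaueng.dll", CALC_CREATED, CALC_MODIFIED),
    # standalone service binary, no ServiceDll at all
    ServiceRecord("Spooler", "%SystemRoot%\\System32\\spoolsv.exe", None, None, None),
    # constructed entry modelled on the persistence the RAWDOOR dropper sets up
    ServiceRecord("constructed_svc", "%SystemRoot%\\system32\\svchost.exe -k netsvcs",
                  "%WinDir%\\Installer\\~DF313.msi", CALC_CREATED, CALC_MODIFIED),
]

if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_SERVICES, CALC_CREATED, CALC_MODIFIED).items():
        print(name, "->", "; ".join(findings))
```

Only the constructed entry is reported; `wuauserv` stays quiet even though its timestamps match calc.exe, because identical timestamps among OS-shipped files are expected and the heuristic is only meaningful for a file outside the system directories.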

Indicators of Compromise

  • [File Hashes] RAWDOOR binaries and droppers – c3056e39f894ff73bba528faac04a1fc86deeec57641ad882000d7d40e5874be, fade96ec359474962f2167744ca8c55ab4e6d0700faa142b3d95ec3f4765023b, and other hashes (see appendix for additional entries).
  • [URLs / Domains] C2 and hosting – hxxps://raw.githubusercontent[.]com/willbill4/workspaceer/ (RAWDOOR C2 on GitHub raw), hxxp://web10111.googlecode.com/svn/10111.txt (RAWDOOR C2 hosted via Google Code).
  • [File Names] Dropped installer and payload artifacts – %WinDir%\Installer\~DF313.msi, ReadMe.txt (hosted in the GitHub repository as the C2/config file), and other files in the Release folder.
  • [YARA / Signatures] YARA rule identifiers and the hashes they cover – apt31_rawdoor_dropper (hash c3056e39…), apt31_rawdoor_payload (hash fade96ec…); the rules require YARA 4.1.0 or newer.
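The C2 URLs above are written in defanged form (hxxp, [.]), as threat reports usually are, so a retrospective proxy-log sweep first has to refang them. The following is an added example, not HarfangLab's tooling: it refangs the two URL indicators quoted on this page and matches them as prefixes against proxy-log lines. The log format (timestamp, source IP, method, URL, status) and the log lines themselves are constructed for the demonstration.

```python
"""Refang the report's C2 URL indicators and sweep proxy-log lines for them (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Copied from the report in defanged form; prefix matching covers the whole repository path.
DEFANGED_IOCS = [
    "hxxps://raw.githubusercontent[.]com/willbill4/workspaceer/",
    "hxxp://web10111.googlecode.com/svn/10111.txt",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable URL."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[://]", "://")):
        s = s.replace(defanged, real)
    return s


IOCS = [refang(i).lower() for i in DEFANGED_IOCS]

# Constructed log layout: "<ts> <src_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_c2_url(url: str) -> bool:
    """Prefix match so that any file under the indicator repository path is caught."""
    u = url.lower()
    return any(u.startswith(ioc) for ioc in IOCS)


def sweep(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, source, url) for every well-formed line that hits an indicator.
    The HTTP status is deliberately ignored: a failed fetch of a dead C2 host
    (Google Code no longer serves content) is still evidence of an implant trying to beacon."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_c2_url(rec["url"]):
            hits.append((rec["ts"], rec["src"], rec["url"]))
    return hits


# Constructed proxy log: one GitHub-raw beacon, one benign GitHub-raw fetch,
# one attempt against the defunct Google Code path, and one malformed line.
SAMPLE_LOG = """
2024-03-26T08:14:02Z 10.20.30.40 GET https://raw.githubusercontent.com/willbill4/workspaceer/master/9proxy5/ReadMe.txt 200
2024-03-26T08:15:10Z 10.20.30.41 GET https://raw.githubusercontent.com/python/cpython/main/README.rst 200
2024-03-26T08:16:44Z 10.20.30.40 GET http://web10111.googlecode.com/svn/10111.txt 404
this line is not a proxy record
""".strip().splitlines()

if __name__ == "__main__":
    for ts, src, url in sweep(SAMPLE_LOG):
        print(ts, src, url)
```

raw.githubusercontent.com itself is far too common to alert on; the value of the indicator is the account and repository path, which is why the match is on the full prefix rather than on the hostname.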

APT31 technical summary (focused):

APT31 conducted targeted intrusions using a mix of custom and repurposed tooling. Initial reconnaissance frequently started with spearphishing emails that contained legitimate-looking article excerpts and tracking links; clicking those links returned device type and public IP information which the operators used to tailor subsequent access attempts. They specifically targeted less-protected paths to victims—such as family members and SOHO routers—to gain an initial foothold into otherwise hardened environments.

For delivery and execution, the group used DLL side-loading to stage multiple malware families, notably the RAWDOOR dropper, which writes an MSI to %WinDir%\Installer\~DF313.msi, timestomps it with calc.exe's timestamps, creates a Windows service, and sets ServiceDll so that the service loads the second-stage payload. RAWDOOR samples also used public services (e.g., raw.githubusercontent.com) as C2 channels. Post-exploitation tooling included cracked Cobalt Strike, and the actors used local privilege-escalation 0-days and SQL injection to escalate and pivot; they also employed double infections to keep access if one implant was discovered or removed.

Defensive artifacts and hunting data published with the analysis include multiple SHA256 hashes for RAWDOOR samples and droppers, URLs/domains used as C2 (GitHub raw and Google Code paths), and YARA rules tailored to the dropper and payload (requires Yara 4.1.0+). These technical indicators and the described TTPs (DLL side-loading, service-based persistence, timestomping, web-service C2, and exploitation chains) are suitable for targeted detection and retrospective network/host investigations.

Read more: https://harfanglab.io/en/insidethelab/apt31-indictment-analysis/