TaxOff: um, you’ve got a backdoor…

Author: 

Vladislav Lunin, Senior Specialist of the Positive Technologies Expert Security Center Sophisticated Threat Research Group

1. A new group was discovered targetting Russian government structures: TaxOff.
2. TaxOff phished using legal and financial emails.
3. TaxOff used the Trinper backdoor in its attacks.
4. Trinper is a multithreaded backdoor written in C++ with flexible configuration using the template method as a design pattern, STL containers, and a buffer cache to improve performance. It has numerous malicious capabilities.

In Q3 2024, the Positive Technologies Expert Security Center (PT ESC) TI Department discovered a series of attacks on Russian government agencies. We were unable to establish any connection with known groups using the same techniques. The main goal was espionage and gaining a foothold to follow through on further attacks. We dubbed the group TaxOff because of their legal and finance-related phishing emails leading to a backdoor written in at least C++17, which we named Trinper after the artifact used to communicate with C2.

TaxOff uses phishing emails. We found several of them, including one with a link to Yandex Disk with malicious content for 1C and another with a fake installer for special software used by government employees to submit annual income and expense reports. This software is updated every year and targeted by attackers who distribute malware pretending to be updates.

One email had a link to Yandex Disk with the file Materials.img containing the following:

• DCIM.lnk — a shortcut used to start the Trinper backdoor
• drive.google.com — the Trinper backdoor
• Encrypteddata — merged encrypted RAR archives with trimmed headers 
• История поисков.html — a phishing form like the image below

The other vector contained the Spravki BK software used by government employees in Russia to submit income and expense reports. This software has also been targeted by group to spread the Konni backdoor as the renamed WEXTRACT.EXE.MUI file usually responsible for extracting compressed CAB files. In our case, it contains two executable files instead: bk.exe (Figure 2, Spravki BK) and DotNet35.exe, the Trinper backdoor.

Similar to CAB files, the RCData resource section contains attributes of the execution sequence of the files it stores. The first attribute, RUNPROGRAM, contains instructions to execute a specific program or command at the start and launches bk.exe.

The second attribute, POSTRUNPROGRAM, contains instructions to launch the executable file after RUNPROGRAM has been executed. So after bk.exe is run, DotNet35.exe is launched.

To improve general understanding of how the backdoor works, the sections below include an explanation of its architecture, STL, design pattern, custom serialization, and buffer cache as a preface to its functional description.

Like any other multithreaded application, Trinper is built on a parallel programming paradigm, specifically thread parallelism. Tasks are broken down into sequential steps as shown on the diagram below, each of which can be performed in parallel with others.

One aspect of thread parallelism is data transfer between threads using global variables that can be divided into the following groups:

1. Group 1 include a container for storing instances of the class communicating with C2 (CommHTTP_instance).
2. Group 2 include a container for storing information about code injections (map_TaskInject).
3. Group 3 include containers for storing running commands (vector_RunningTasks, deque_shared_RunningTasks, map_RunningTasks).
4. Group 4 include containers for storing the operation of background commands (map_shared_ptr_BgJobs, deque_BgJobKeylogger, unordered_map_BgJobKeylogger).

The Standard Template Library provides a set of common generic algorithms, containers, means of accessing their contents, and various functions in C++ used by the backdoor. The main sign of STL runtime is the error messages for various containers.

std::string and std::wstring

Strings are objects represented as a sequence of characters. Symbols can either have ASCII or wide encoding, which makes these containers clearly distinguishable. In std::string, the maximum length of the predefined buffer can’t exceed 15 bytes, otherwise a heap buffer will be allocated. As for std::wstring, the length of the predefined buffer can’t exceed 7 bytes. This runtime is for comparing the length of the stored string and possible subsequent allocation of a heap buffer, which allows one of the containers used to be determined precisely.

std::vector<T>

Vectors are containers for array-like sequences that can vary in size. One way to recognize the runtime of a vector is to compare successive memory addresses and then assign a new value to one of them. If the pointer to the first vector element is equal to the pointer to the last element (for example, when adding a new element), then the vector will have to change its current size, allocate additional memory before adding it, and redefine the pointer to the last element.

To avoid creating structures manually, we need to include header files. To determine their location, we run the x86/x64 Native Tools Command Prompt for VS 20XX (depending on the bit depth of the executable file) and enter the echo %INCLUDE% command. Then we copy all the paths and paste them in Options > Compiler > Include directories. We also specify -target x86_64-pc-win32/i386-pc-win32 -x c++ as arguments to include C++ header files.

In most cases, the element type of containers is set at compile time, so you can’t just include a vector header file (for example) and expect all the element types to be included. Instead, you need to create a separate header file where the container element type will be defined explicitly.

A design pattern in software engineering is a recurring architectural construct offering a solution to a design problem within a frequently occurring context. This is a rare find in malicious code and indicates that the programmer who wrote the backdoor is an experienced professional. The backdoor uses the template method, which is a behavioral design pattern that defines the skeleton of an algorithm and defers certain steps to subclasses. The pattern allows subclasses to redefine the algorithm’s steps without changing its overall structure.

This backdoor pattern is used to create command subclasses that are inherited from the base class and redefine its methods and fields.

In addition to encryption, the backdoor uses custom serialization to store the configuration and increase flexibility, as it allows fields to have multiple values in the same token.

For example, if a container token is negative, then it has another container in its value that may also only be part of a sequential nesting of containers or unequivocally determine the value of the token (for example, store a string).

A buffer cache is a data structure designed for the temporary storage of data to speed up access to it. The Trinper backdoor uses caching to reduce access time to frequently used data, minimize latency, and improve overall program performance.

At the start, the backdoor deserializes the configuration and gets the name it should have. If it’s different, execution is stopped, but if the names match, the backdoor continues initialization and calls a function to obtain information about the victim’s computer and collect it with the following type of VictimInfo structure:

struct struct_VictimInfo
{
	DWORD magic;
	struct_VictimData VictimData;
};

struct struct_VictimData
{
	GUID guid;
	BYTE pbSecret[16];
	BYTE UserNameW[64];
	BYTE hostname[32];
	BYTE disks[32];
	BYTE h_addrs[20];
	DWORD KeyboardLayout;
	BYTE dwOemId;
	BYTE val_64;
	BYTE dwMajorVersion;
	BYTE dwMinorVersion;
	BYTE Authority;
	BYTE FileNameW[64];
	BYTE AdaptersAddresses[6];
};

The fields of the VictimInfo structure have the following purposes:

After filling in the VictimInfo structure, the backdoor creates and runs these class instances for execution in different threads:

• CommHTTP — the class for the thread for communication with C2 servers
• BgJobFileCapture — the class for the thread that monitors the file system
• BgJobKeylogger — the class for the thread where keystrokes will be intercepted

In its thread, the CommHTTP class parses the deserialized configuration it will use to communicate with C2, generates a session key for AES-128-CBC (with the initialization vector equal to zero), imports the public RSA key, and enters a communication loop with C2 servers where:

• Commands are received
• Results about command operations are received and sent

An instance of the BgJobFileCapture class monitors the file system in its thread, loops through all connected disks, and searches recursively for .doc, .xls, .ppt, .rtf, and .pdf files stored on disks. It also stores execution results in a map with a key (file name) and value (the structure containing information about the file, including its contents).

An instance of the BgJobKeylogger class intercepts keystrokes in its thread and stores them in a deque, with data from the clipboard stored in an unordered map.

The configuration is encrypted and stored in the .data section, and decryption is carried out with a one-byte key for a regular Xor operation.

Here’s what the decrypted and deserialized configuration structure looks like:

struct struct_Config
{
	DWORD sleep_time;
	DWORD size;
	std::wstring UserAgent;
	std::wstring wstr_x86;
	std::wstring wstr_x64;
	std::vector<std::wstring> C2;
	QWORD *public_key;
	QWORD public_key_len;
	struct_Commands Commands;
	struct_TaskResults TaskResults;
};

struct struct_Commands
{
	std::wstring Uri;
	std::vector<std::string> Headers;
	struct_CommandsResponse CommandsResponse;
	struct_CommandsHeaders CommandsHeaders;
	QWORD HelloMessage;
	QWORD HelloMessageLen;
};

struct struct_CommandsResponse
{
	std::string TagOpen;
	std::string Encoder;
	std::string TagClose;
};

struct struct_CommandsHeaders
{
	std::string Header;
	std::string TagOpen;
	std::string Encoder;
	std::string TagClose;
};

struct struct_TaskResults
{
	std::wstring Uri;
	std::vector<std::string> Headers;
	struct_TaskResultsData TaskResultsData;
	struct_TaskResultsHeaders TaskResultsHeaders;
};

struct struct_TaskResultsData
{
	std::string TagOpen;
	std::string Encoder;
	std::string TagClose;
};

struct struct_TaskResultsHeaders
{
	std::string Header;
	std::string TagOpen;
	std::string Encoder;
	std::string TagClose;
};

The fields of the Config structure have the following purposes:

All communication with C2 is carried out by an CommHTTP class instance using calls to WININET.DLL library network functions. Information about the victim’s computer and session key is encrypted with the public RSA key, encoded using Base64, and sent to C2 in the Config.Commands.CommandsHeaders header with Config.Commands.HelloMessage in the request data. The commands received from C2 in response are enclosed between the Config.Commands.CommandsResponse.TagOpen and Config.Commands.CommandsResponse.TagClose markers and encoded using Base64. The task results are encrypted with the AES-128-CBC session key, encoded using Base64, and enclosed between the Config.TaskResults.TaskResultsData.TagOpen and Config.TaskResults.TaskResultsData.TagClose markers in the request data to C2.

For example, below is a backdoor request to C2 to receive commands. The greeting message in the data is mid=76&mod=TRINP, and you can see that the User-Agent header doesn’t display the content received from Config.UserAgent correctly. This is due to an error passing the header value to InternetOpenW. The problem is that InternetOpenW tries to convert the string for User-Agent from wide to ASCII encoding, but does so incorrectly because the pointer to the values from the configuration is passed incorrectly, leading to an undisplayable string generated at the output.

As mentioned earlier, commands are invoked not by calling a specific function, but by instantiating classes and adding them to a smart pointer wrapper to be added to a deque for execution, and then retrieved from there and called in the main thread loop. The table below includes descriptions of the commands.

The TaxOff group tricks users by baiting them with time-sensitive material they’re expecting at work and attack using a sophisticated multithreaded backdoor called Trinper. After establishing persistent access to compromised systems, they can effectively manage multiple tasks simultaneously and follow through on various malicious actions without significantly impacting system performance. Multithreading provides a high degree of parallelism to hide the backdoor while retaining the ability to collect and exfiltrate data, install additional modules, and maintain communications with C2. This combination of convincing bait and a sophisticated multithreaded backdoor makes TaxOff’s attacks particularly dangerous and difficult to detect and prevent, highlighting the need for continuous user awareness of cyberthreats and the implementation of multi-layered security measures for protection.

rule PTESC_apt_win_ZZ_TaxOff__Backdoor__Trinper{
    strings:
        $s1 = "Task"
        $s2 = "TaskCd"
        $s3 = "TaskCmd"
        $s4 = "TaskExec"
        $s5 = "TaskGetRunningTasks"
        $s6 = "TaskInject"
        $s7 = "TaskDie"
        $s8 = "TaskJobConf"
        $s9 = "TaskKillTask"
        $s10 = "TaskReadFile"
        $code1 = {E8 ?? ?? ?? ?? 44 38 60 ?? 75 ?? 66 39 58 ?? 72 ?? 48 8B 40 ?? 8B 08 EB ??}
        $code2 = {48 89 4C 24 ?? 48 8B 44 24 ?? 0F B6 40 ?? 85 C0 75 ?? 48 8B 44 24 ?? 0F B7 40 ?? 83 F8 ?? 7D ?? 33 C0 EB ?? 48 8B 44 24 ?? 48 8B 40 ?? 8B 00 C3}
    condition:
        ((uint16(0) == 0x5a4d) and (all of($s*)) and (any of($code*)))
}