Threat Intelligence

Assassinations of "MiniNinja" in Various APAC Countries

10.22.2021Cyber Threat Intelligence
TeamT5 discovered a new remote administration tool (RAT), which we dubbed as MiniNinja, being used in several Chinese APT campaigns. TeamT5 has observed countries across different APAC regions, including Taiwan, Russia, Kyrgyzstan, Uzbekistan, Vietnam, the Philippines, and Pakistan, being targeted and attacked by this malware. The impacted industries include governments, energy, IT, telecommunication and engineering. MiniNinja is a complex malware that uses several advanced techniques to prevent itself from being detected and analyzed. Further, its wide targeting scope also attracted our attention. In this report, we will introduce the technical detail of our analysis.
MiniNinja was first discovered in the wild in a targeted attack against Taiwanese government agencies in early March 2021. The actor leveraged the ProxyLogon vulnerability (CVE-2021-26855) to compromise an email server and further implanted CobaltStrike Beacon and MiniNinja RAT in the victim network environment. This information was also disclosed in an ESET report[1] about a "Websiic Campaign" using the ProxyLogon vulnerability. TeamT5 noticed the existence of this new malware and started tracking its activities. Since then, TeamT5 has observed its footprints in Vietnam[2], Pakistan and the Philippines, possibly also implanted in victim hosts via the ProxyLogon vulnerability. Its latest activities were spear phishing email attacks against Russia and Uzbekistan in September 2021. TeamT5 is still uncertain of the attribution of these attacks. However, we possess high confidence that this is a new tool used by Chinese APT based on its TTPs and C2 infrastructure.
To bypass antivirus detection, MiniNinja is encrypted as a binary blob in a binary payload file. It might have one to multiple loader components in native PE or .Net, but basically the loaders do similar tasks. The loader components will decrypt and run it in memory via reflective DLL injection techniques. Its loader firstly checks the first 4 bytes of the payload file and decrypts the content by using 3DES (112bit) algorithm in case of header check passes:

The decrypted buffer might be passed to a second stage loader for further processing if there are multiple loader components. The loader will then decode the content by custom decoding methods and LZSS decompression algorithm. The decoded payload is a PE file with its PE header erased and it is just the MiniNinja RAT. Finally, the loader will locate its export function "Debug" and start execution from there:

In a payload collected from some Taiwanese victims, there is a PDB string left by the developer (only in memory) and thus we name this malware MiniNinja:

The decrypted malware configuration block contains Mutex string, C2 URL, HTTP Header information, sleep time, etc.:

Upon execution, the following victim host information will be collected:
  • System info
  • OS version
  • Hostname
  • IP addr
  • Process name
  • Process ID
The above data would be encoded with XOR encode and custom base64 encode. Finally, the encoded result would be sent to its C2 via POST:
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv 11.0) like Gecko
Content-Length: 474
Pragma: no-cache

MiniNinja is a full-featured RAT that supports commands for file, process, memory, shell or account operations. Its supported functions are listed below in the Command Table.

Command Table

Supported command:
0x4E20Heart beat
0x4E21Init dwProcessId
0x4E22Change sleep time
0x4E26set close_socket to 0
0x4E2BGet Command Result(call WriteFile,PeekNamedPipe,ReadFile)
0x4E2DIterateProcess then TerminateProcess
0x4E34 ~ 0x4E47File Operations
0x4E34List Disk Driver
0x4E48 - 0x4E51Socket Operations
0x4E48Connet Host
0x4E49Check socket status
0x4E4ASend Data to Host
0x4E4BRecv Data from Host
0x4E4CClose socket
0x4E4DConnect Host
0x4E5C ~ 0x4E65Memory Operations
0x4E5Cstring copy
0x4E5Dstring copy
0x4E5Estring copy
*0x4E5F,0x4E60Execute Plugin? (CreateProcess, process Injection and createthread)
*0x4E61,0x4E62FileMapping(Write data)
*0x4E65Close File Handler
0x5208List c2 configuration
0x4E52List Process
0x4E53IterateProcess,kill process
0x4E54Process Injection
0x4E55CreateThread for running DLL export function
0x4E56Read FileMap data(OpenFileMappingA -> robject_,custom_base64)
0x4E57Exit Dll function?(robject_, UnmapViewOfFile)


  • (TW compromised host)


*Image courtesy of Pixabay
10.22.2021Cyber Threat Intelligence

Related Post

Technical Analysis

Apache HTTP Server Vulnerabilities in Windows (CVE-2021-41773 & CVE-2021-42013)

vulnerability research , cyber security, Apache HTTP Server, IoC, 威脅情資, 資安情資, cyber threat intelligence, threat hunting