What is ApolloShadow?

ApolloShadow has the capability to install a trusted root certificate to trick devices into trusting malicious actor-controlled sites, enabling Secret Blizzard to maintain persistence on diplomatic devices, likely for intelligence collection. -Malpedia

Small Story

This malware is used in a campaign in which Secret Blizzard has been targeting embassies located in Moscow from an adversary-in-the-middle (AiTM) position. Microsoft published a report about this malware on 2025-07-31, which I didn't actually read because I wanted to find out everything by myself and get some practice. The sample is provided on MalwareBazaar, thanks to "smica83".

Static Analysis

This time I want to write about the analysis part by part. Static analysis of malware actually reveals a lot. It is a 64-bit C++ compiled executable with NX stack and ASLR enabled by default. The sections of the executable are .text, .rdata (and _RDATA), .data, .pdata, .rsrc and .reloc. The entropy of every section is under 7, which means the executable is not packed; checking the executable in Ghidra also shows it is not encrypted, but it uses some encryption for sure.
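As an added illustration of the packing check described above (my own code, not taken from the write-up or from the sample), the block below walks the PE section table and computes the Shannon entropy of each section's raw bytes. A section close to 8 bits per byte is compressed or encrypted, while code and data from an ordinary compiler build usually sit well below 7. Because the real sample is not included here, the block constructs a minimal, non-loadable PE image with three sections of known entropy; the 7.0 threshold is the common rule of thumb the text relies on, not a hard boundary.

```python
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, raw_offset, raw_size) for every entry in the PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    number_of_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_of_optional  # section headers follow the optional header
    for i in range(number_of_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size


def section_entropies(image: bytes) -> dict:
    """Map each section name to the entropy of its on-disk bytes (rounded for display)."""
    return {name: round(shannon_entropy(image[off:off + size]), 3) for name, off, size in pe_sections(image)}


def packed_sections(image: bytes, threshold: float = 7.0) -> list:
    """Names of sections above the rule-of-thumb threshold used for 'is it packed?' triage."""
    return [name for name, ent in section_entropies(image).items() if ent > threshold]


def build_sample_pe(sections) -> bytes:
    """Construct a minimal PE image (headers + section table + raw data) purely for testing the parser."""
    align = 512
    header_len = 0x40 + 4 + 20 + 240 + 40 * len(sections)
    raw_start = (header_len + align - 1) // align * align
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)           # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    optional = struct.pack("<H", 0x20B) + bytes(238)                   # PE32+ magic, rest zeroed
    table, body, offset = b"", b"", raw_start
    for name, data in sections:
        raw_size = (len(data) + align - 1) // align * align
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), offset, raw_size, offset,
                             0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        offset += raw_size
    headers = dos + b"PE\0\0" + coff + optional + table
    return headers.ljust(raw_start, b"\0") + body


# Constructed sample: uniform bytes (8.0), a constant run (0.0) and a two-symbol pattern (1.0).
SAMPLE_PE = build_sample_pe([
    (".text", bytes(range(256)) * 8),
    (".rdata", b"A" * 2048),
    (".data", bytes((0, 1)) * 1024),
])

if __name__ == "__main__":
    for name, ent in section_entropies(SAMPLE_PE).items():
        print(f"{name:<8} {ent:.3f}")
    print("sections above threshold:", packed_sections(SAMPLE_PE))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `section_entropies`; a result like the one the author reports (every section under 7) argues against a packer, while a single high-entropy section next to a tiny .text is the classic packed layout.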

Strings

The questionable and uncommon strings I found were:

Location | String Value | String Representation | Data Type
--------- | ------------ | --------------------- | ---------
140022948 | 0123456789abcdefghijklmnopqrstuvwxyz | "0123456789abcdefghijklmnopqrstuvwxyz" | ds
140022998 | 0123456789abcdefghijklmnopqrstuvwxyz | "0123456789abcdefghijklmnopqrstuvwxyz" | ds
14002a0d0 | September | u"September" | unicode
14002a0e8 | October | u"October" | unicode
14002a0f8 | November | u"November" | unicode
14002a110 | December | u"December" | unicode
14002a138 | MM/dd/yy | u"MM/dd/yy" | unicode
14002a150 | dddd, MMMM dd, yyyy | u"dddd, MMMM dd, yyyy" | unicode
14002a178 | HH:mm:ss | u"HH:mm:ss" | unicode
14002cf78 | south-korea | u"south-korea" | unicode
14002cf90 | trinidad & tobago | u"trinidad & tobago" | unicode
14002cfb8 | united-kingdom | u"united-kingdom" | unicode
14002cfd8 | united-states | u"united-states" | unicode
14002e0c8 | de-DE | u"de-DE" | unicode
14002e248 | sl-SI | u"sl-SI" | unicode
14002e350 | hi-IN | u"hi-IN" | unicode
14002e3e8 | bn-IN | u"bn-IN" | unicode
1400316f0 | certutil.exe -f -Enterprise -addstore | u"certutil.exe -f -Enterprise -addstore " | unicode
140031740 | root | u"root" | unicode
140031780 | timestamp.digicert.com | u"timestamp.digicert.com" | unicode
1400317b0 | /registered | u"/registered" | unicode
1400317d8 | HTTP/1.0 | u"HTTP/1.0" | unicode
140031e20 | ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz0123456789+/ | u"ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz0123456789+/" | unicode

As you can see, I didn't list every possible string, such as the keyboard- and date-related ones. But just looking at these strings we can see it utilizes certutil.exe and does Internet-related things. We can also see it (probably) sends a request to timestamp.digicert.com; if you don't know what that is used for, a little research reveals: "DigiCert's timestamp service, accessible at http://timestamp.digicert.com, is primarily used to cryptographically timestamp digital signatures on software code, documents, or other files. This service ensures that the signature remains valid even after the original signing certificate expires or is revoked, providing long-term trust and integrity for signed materials"

So this (even though we don't have any proof yet) suggests the malware uses this technique to make some malicious executable look legitimate.

Imports

Luckily, for most of the functions (maybe all) the executable doesn't use dynamic API resolution, so we can already learn a lot about the malware's purpose. Next I want to list some APIs commonly used in malware.

Functions
HttpOpenRequestW
InternetOpenW
HttpSendRequestW
InternetCloseHandle
InternetConnectW
CreateDirectoryW
WriteFile
GetTempPathW
CreateFileW
DeleteFileW
CreateThread
CreateProcessW
RegEnumValueW
RegOpenKeyW
RegOpenKeyExW
RegCreateKeyExW
RegCloseKey
GetProcAddress
FreeLibrary
LoadLibraryExW

These are some functions that caught my eye, which are commonly found in malware. I don't think explaining every function's purpose is important, as their names alone explain a lot. But if you don't know any of them, check out the Microsoft documentation.

Junk Functions?

Even though it mostly looks like the malware is not obfuscated a single bit, there are some functions which make zero sense and are probably used for wasting a researcher's time.


Even though these don't make sense in static decompilation (and the disassembly of these functions is mostly broken), we might get something from them in dynamic analysis.

The thing is, the main part of the malware is as clear as it can be, so that is a little bit weird.


Dynamic Analysis

Dynamic execution shows the sample adding and adjusting some registry keys and sending requests to http://timestamp.digicert.com; the request I caught for my sample of the malware was: /request=DQAAAAAAAAAOAAAAAAAAABMAAAAIAAAABAAAAAIAAAAFAAAAAAAAAA8AAAAAAAAA&t=MTkyLjE2OC4xMjIuOTUgMFItMFQtMAAtMKMtMBAtMAQNCjEyNy4wLjAuMSANCi==

The t variable decodes to: 192.168.122.95 0R-0T-0�-0-0-0 127.0.0.1

I couldn't get much about that IP address; the only thing Shodan gave me was:

Microsoft RPC Endpoint Mapper
d95afe70-a6d5-4259-822e-2c84da1ddb0d
version: v1.0
protocol: [MS-RSP]: Remote Shutdown Protocol
provider: wininit.exe
ncacn_ip_tcp: 192.168.122.95:49152
ncalrpc: WindowsShutdown
ncacn_np: \\WIN-H1K3TN5SIJM\PIPE\InitShutdown
ncalrpc: WMsgKRpc067700

Windows Registry Changes

Keys Added

Registry Key
HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7
HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7
HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates\DE5973EDDDE83761DBD52BF41561922D2FE9BA30
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\6AA75533FCA445212D4FA39F9A691B8327A004DB
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
HKLM\SOFTWARE\WOW6432Node\Microsoft\EnterpriseCertificates\CA\Certificates\DE5973EDDDE83761DBD52BF41561922D2FE9BA30
HKLM\SOFTWARE\WOW6432Node\Microsoft\EnterpriseCertificates\Root\Certificates\6AA75533FCA445212D4FA39F9A691B8327A004DB

Values Added

Registry Path | Value Name | Value Data
------------- | ---------- | ----------
HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7 | Name | "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"
HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7 | Name | "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"
HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7 | Name | "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates\DE5973EDDDE83761DBD52BF41561922D2FE9BA30 | Blob | 03 00 00 00 ...
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\6AA75533FCA445212D4FA39F9A691B8327A004DB | Blob | 03 00 00 00 ...
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | LocalAccountTokenFilterPolicy | 0x00000001
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | UpdatusUser | 0x00000000
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications | 41C64E6DA318D055 | 01 00 04 80 ...
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\System | LocalAccountTokenFilterPolicy | 0x00000001
HKLM\SOFTWARE\WOW6432Node\Microsoft\EnterpriseCertificates\CA\Certificates\DE5973EDDDE83761DBD52BF41561922D2FE9BA30 | Blob | 03 00 00 00 ...
HKLM\SOFTWARE\WOW6432Node\Microsoft\EnterpriseCertificates\Root\Certificates\6AA75533FCA445212D4FA39F9A691B8327A004DB | Blob | 03 00 00 00 ...

User-Specific Values Added

Registry Path | Value Name | Value Data
------------- | ---------- | ----------
HKU\S-1-5-21-404113094-2314533783-440825805-1001\SOFTWARE\Classes\Local Settings\MuiCache\152\417C44EB | @%systemroot%\system32\wsdapi.dll,-200 | "Trusted Devices"
HKU\S-1-5-21-404113094-2314533783-440825805-1001\SOFTWARE\Classes\Local Settings\MuiCache\152\417C44EB | @C:\Windows\System32\AppxPackaging.dll,-1001 | "Trusted Packaged App Installation Authorities"
HKU\S-1-5-21-404113094-2314533783-440825805-1001\SOFTWARE\Classes\Local Settings\MuiCache\152\417C44EB | @%SystemRoot%\System32\SessEnv.dll,-101 | "Remote Desktop"
HKU\S-1-5-21-404113094-2314533783-440825805-1001\SOFTWARE\Classes\Local Settings\MuiCache\152\417C44EB | @%SystemRoot%\System32\CertCA.dll,-304 | "Endorsement Key Trusted Root Certification Authorities"
HKU\S-1-5-21-404113094-2314533783-440825805-1001\SOFTWARE\Classes\Local Settings\MuiCache\152\417C44EB | @%SystemRoot%\System32\CertCA.dll,-305 | "Endorsement Key Intermediate Certification Authorities"
HKU\S-1-5-21-404113094-2314533783-440825805-1001_Classes\Local Settings\MuiCache\152\417C44EB | @%systemroot%\system32\wsdapi.dll,-200 | "Trusted Devices"
HKU\S-1-5-21-404113094-2314533783-440825805-1001_Classes\Local Settings\MuiCache\152\417C44EB | @C:\Windows\System32\AppxPackaging.dll,-1001 | "Trusted Packaged App Installation Authorities"
HKU\S-1-5-21-404113094-2314533783-440825805-1001_Classes\Local Settings\MuiCache\152\417C44EB | @%SystemRoot%\System32\SessEnv.dll,-101 | "Remote Desktop"
HKU\S-1-5-21-404113094-2314533783-440825805-1001_Classes\Local Settings\MuiCache\152\417C44EB | @%SystemRoot%\System32\CertCA.dll,-304 | "Endorsement Key Trusted Root Certification Authorities"
HKU\S-1-5-21-404113094-2314533783-440825805-1001_Classes\Local Settings\MuiCache\152\417C44EB | @%SystemRoot%\System32\CertCA.dll,-305 | "Endorsement Key Intermediate Certification Authorities"
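The registry diff above lines up with the strings from the static analysis: certutil.exe -f -Enterprise -addstore root installs a certificate into the machine's enterprise root store, and Windows keeps that store under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\<thumbprint>, which is exactly the key that appeared. The remaining changes (LocalAccountTokenFilterPolicy set to 1, an UpdatusUser entry set to 0 under SpecialAccounts\UserList) are host-hardening reversals rather than certificate work. As an added example (my own code, not from the write-up), the block below triages a registry diff of this shape into findings a responder would act on: the paths and values are the ones quoted above, the empty baseline allowlist and the ATT&CK technique ids are my own labelling, and the MuiCache entry is included as benign noise that must not be flagged.

```python
import re

# Entries copied from the sandbox registry diff quoted in this write-up, as (path, value name, data).
# DWORD data is given as int, binary blobs as the truncated hex the write-up shows.
OBSERVED_CHANGES = [
    (r"HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\6AA75533FCA445212D4FA39F9A691B8327A004DB", "Blob", "03 00 00 00 ..."),
    (r"HKLM\SOFTWARE\WOW6432Node\Microsoft\EnterpriseCertificates\Root\Certificates\6AA75533FCA445212D4FA39F9A691B8327A004DB", "Blob", "03 00 00 00 ..."),
    (r"HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates\DE5973EDDDE83761DBD52BF41561922D2FE9BA30", "Blob", "03 00 00 00 ..."),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "LocalAccountTokenFilterPolicy", 1),
    (r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\System", "LocalAccountTokenFilterPolicy", 1),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList", "UpdatusUser", 0),
    # Benign MUI string-cache noise from the same diff; must produce no finding.
    (r"HKU\S-1-5-21-404113094-2314533783-440825805-1001\SOFTWARE\Classes\Local Settings\MuiCache\152\417C44EB",
     r"@%SystemRoot%\System32\SessEnv.dll,-101", "Remote Desktop"),
]

# Enterprise Root/CA stores live under these keys, one subkey per SHA-1 thumbprint (WOW6432Node mirrors them).
CERT_STORE_RE = re.compile(
    r"^HKLM\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\EnterpriseCertificates\\(Root|CA)\\Certificates\\([0-9A-Fa-f]{40})$")
POLICY_SYSTEM_RE = re.compile(
    r"^HKLM\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Policies\\System$")
USERLIST_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList$")


def triage(changes, baseline_thumbprints=frozenset()):
    """Return one finding per suspicious change; WOW6432Node mirrors of the same change collapse into one.

    ATT&CK ids are my own mapping: T1553.004 Install Root Certificate, T1112 Modify Registry,
    T1564.002 Hidden Users. baseline_thumbprints holds certificates the organisation deploys itself.
    """
    findings, seen = [], set()

    def add(key, technique, severity, detail, path):
        if key not in seen:
            seen.add(key)
            findings.append({"technique": technique, "severity": severity, "detail": detail, "path": path})

    for path, name, data in changes:
        m = CERT_STORE_RE.match(path)
        if m and name.lower() == "blob":
            store, thumb = m.group(1), m.group(2).upper()
            if thumb not in baseline_thumbprints:
                add(("cert", thumb), "T1553.004", "high",
                    f"certificate {thumb} written to the enterprise {store} store", path)
        elif POLICY_SYSTEM_RE.match(path) and name == "LocalAccountTokenFilterPolicy" and data == 1:
            add(("latfp",), "T1112", "medium",
                "LocalAccountTokenFilterPolicy=1 disables UAC remote restrictions for local accounts", path)
        elif USERLIST_RE.match(path) and data == 0:
            add(("hidden-user", name), "T1564.002", "medium",
                f"account '{name}' hidden from the logon screen via SpecialAccounts\\UserList", path)
    return findings


if __name__ == "__main__":
    for f in triage(OBSERVED_CHANGES):
        print(f"[{f['severity']}] {f['technique']}: {f['detail']}")
```

On a live host the same tuples can be produced with winreg or from a reg export; the point of the allowlist parameter is that an enterprise root certificate is only suspicious when it is not one the organisation pushes through its own policy, so the same rule serves both sandbox triage and fleet auditing.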

Issue

I just realized that to move on with the malware we actually need a response from the C2 server, which will not be possible in my case, and I couldn't find any network logs or anything else related to this incident. So I had to check out Microsoft's report about this case. The "junk code" we found earlier is actually used later on by the malware to decrypt some strings, as written in Microsoft's report. So this was actually all I could do with this malware; to dive deeper, check out Microsoft's report.