Tag Archives: alg.exe

Dark South Korea and Discovered PuTTY Tools Behaviours

By analyzing one of the Dark South Korea dropper, I discovered interesting behaviours associated with the PuTTY binaries installed in “%TMP%” Windows folder. These behaviours could be considered as expected, but they could be used more efficiently in the future.

The two installed binaries are “alg.exe“ and “conime.exe“ used to upload “~pr1.tmp” bash file to *NIX targets discovered in configuration files of mRemote and SecureCRT.

alg.exe“ is “plink.exe“ a PuTTY tool acting as a command-line interface to the PuTTY back ends, and “conime.exe” is “pscp.exe” PuTTY tool acting as a SCP client, i.e. command-line secure file copy. These two binaries are legit and don’t contain any associated malwares, they are only used by a malware as support tools.

If mRemote is installed, the dropper extract all required information’s (credentials, ports, ip/domain) from “confCons.xml” configuration file, and use an encryption method vulnerability in mRemote to decrypt it the stored password. After exploitation of the vulnerability, “conime.exe” is used to drop the bash file on the targeted servers.

If the latest version of SecureCRT is installed, the dropper extract all required information’s (credentials, ports, ip/domain) present in “*.ini” configuration files. Each saved connection in SecureCRT use it ones “*.ini”. It seem that an unknown vulnerability was present in previous versions of SecureCRT in order to decrypt the stored password. But in the latest version of SecureCRT, this vulnerability don’t seem to be present. So when “conime.exe” try to connect to the targeted servers the authentication fails due to a bad password.

SecureCRT-2

During my research on the potential SecureCRT vulnerability, I was intrigued by “conime.exe” by access tentatives to the registry keys of PuTTY software “HKCU\Software\SimonTatham\PuTTY\Sessions” and “HKCU\Software\SimonTatham\PuTTY\SshHostKeys“.

PuTTY-1

I decided to install PuTTY, like a majority of sysadmin’s, and create an entry corresponding to potential server also recorded in SecureCRT software.

PuTTY-2

SecureCRT-1

Then I execute the dropper one more time and discovered that “conime.exe“, as expected, has access the PuTTY registry keys related to the targeted server “HKCU\Software\SimonTatham\PuTTY\Sessions\192.168.178.54“. The dropper authentication tentative was still unsuccessful, du to the wrong password.

PuTTY-3

But I also observed that “conime.exe” was also trying to access another registry key of PuTTY “HKCU\Software\SimonTatham\PuTTY\SshHostKeys\rsa2@22:192.168.178.54“.

PuTTY-4

I decided then to create a private and public SSH key, and to configure my putty session to support this SSH private key authentication. The private key wasn’t protected by a passphrase.

PuTTY-5

I execute the dropper one more time and observed a successfull authentication on the targeted server. “conime.exe” was using the private key path present in PuTTY registry key.

PuTTY-6

My final test was to remove the private key from the PuTTY configuration and use “pageant.exe“, an SSH authentication agent for PuTTY, PSCP, PSFTP, and Plink. I loaded my private key in “pageant.exe” and executed the dropper one more time. Same result as the previous one, a successfull authentication on the targeted server.

Conclusions

  1. By analyzing one of the Dark South Korea dropper, with associated vulnerabilities in mRemote and SecureCRT, we can observ that the “bad guys” have use old vulnerabilities in old softwares in order to infect *NIX servers. Why use these old vulnerabilities, if you can simply target PuTTY when it is used with private keys.
  2. Never generate a private key without a passphrase
  3. Don’t let PuTTY Pageant run with charged private keys.

Dark South Korea Total War Review

As mentioned by different medias, security vendors and security researchers some South Korean banks and broadcasting organizations went dark Wednesday 20 March, victim of a cyber attack. Initial impacted broadcaster were KBS, MBC and YTN, and impacted banks were Cheju, Nonghyup and Shinhan.

But by analyzing all the events related to this cyber attack we can see that the campaign was more extended in time as mentioned and also more complex to understand. The campaign is composed by different samples, created potentially by different authors with different objectives. We can divide the reported samples in different categories:

  • Wipe: Objective of these samples is to erase all data’s of affected targets.
  • Drop & Wipe: Objective of these samples is to drop a wiper to erase all data’s of affected targets.
  • Drop & Wipe & Deface: Objectives of these samples are to drop a wiper to erase all data’s and deface website hosted by affected targets.
  • Drop & Backdoor: Objective of these samples is to install a backdoor, or trojan, on the affected targets.
  • Unknown: These samples are potentially not related to the campaign.

I will try, through this blog post, to provide you the most reliable information’s as possible regarding the Dark South Korea campaign.

According to different sources, and announced by the South Korean security provider AhnLab the Thursday 21 March, “bad guys” got access to AhnLab Policy Center and HAURI ViRobot ISMS, asset management tools, through stolen credentials in order to massively spread Trojan.Jokra. But, regarding the latest news announced the 29 March, it seem that AhnLab APC product was vulnerable to a login authentication bypass and that  this vulnerability was used by the bad guys in order to get access to APC and spread the malware.

On Wednesday 20 March, AhnLab stocks gains of 6.5 percent (75,100 KW to 80,000 KW) from stemming from expectations of demand for online security software following the hacking incident. But after the 21 March AhnLab announcement, stocks were down 3.6 percent (from 80,000 KW to 74,700 KW). Since 21 March, AhnLab stocks have fallen from 74,700 KW to 68,100 KW.

AhnLab Stocks. Source: Korea Exchange
AhnLab Stocks. Source: Korea Exchange

KCC reported that around 47 800 units were impacted by this cyber attack. You will find in the following graphical representation of known impacts. This graphical representation has been inspired by the work of @piyokango, a must read blog post !

Dark-South-Korea-1.1

Also translated from @piyokango work, the associated event timeline. Through this timeline you can better understand all the actors and impacts involved in this cyber attack.

Dark South Korea Events Timeline

DateTimeEvent
3/20At around 2pmFinancial and broadcasting organizations computers stop suddenly and cannot restart
2:25pmKCC start to receive incident reports
2:35pmKCC & KISA confirm outages on financial and broadcasting organizations
2:40pmYTN TV report the incidents
2:50pmSouth Korea presidence acknowlege the incidents
3pmKISA raise his alert level
3:05pmNongHyup Bank initiate blocking measures
At around 3pmShinhan bank central server is down
At around 3pmCyber police announce the possibility of an attack and start the investigation
3:10pmSouth Korean army raise his alert level
3:20pmShinhan bank business recovery
4:20pmNongHyup bank business recovery
At around 4pmMBC TV internal network reported as impacted
At around 4pmExtended opening hours after 6pm for banks
5:49pmAhnLab anti-virus engine is updated
6:40pmAhnLab distribute counter measures
At around 9pmKBS internal information system reported as impacted
3/216:30amMBC Gyeongnam TV internal network is stopped
7:25amKBS TV internal network business recovery, except for PC's
11:30amKCC chairman visit KISA
At around 5pm16 NongHyup bank offices still not able to recover
3/22At around 6am87% of NongHyup bank cooperatives and 78% of they're ATM's have been recovered
At around 3pmKCC report that China attribution was a mistake.
3/24At around 6pmNongHyup bank add some additional counter measures
NongHyup bank full business recovery
3/25At around 6amNongHyup bank segregate internal and external network (lol)
10:30am to 1:45pmTime zone attacks reported and security warning raised by AnhLab
International cooperation requested for investigations
3/269:21amAdditional counter measures provided by AhnLab
9:40am6 YTN TV affiliates overloaded by traffic
10:40amNetwork overload disrupting 8 municipalities web sites (Seoul, Gyeonggi, Incheon, Gwangju, Jeonnam, Jeonbuk, Gangwon, Jeju).
11:22amNetwork overload disrupting 7 South Korean regions.
11:50amMilitary experts join the public-private incident response task force
00:04pm Network failure recovery
01:40pm to 02:30pmDaily NK web site disrupted and posts deleted
Free North Korea TV web site disrupted
02:00pm to 02:15pmMinistries web site disrupted
02:30pm to around 05pmOther North Korean activists web sites disrupted
3/27-The Financial Services Commission announce special inspections on targeted financial institutions
3/28-YTN TV web site recovery
3/2911:09amAhnLab announce that APC was vulnerable to a authentication bypass weakness
-Response Team announce return to normalization
DateTimeEvent
Source : piyolog (http://d.hatena.ne.jp/Kango/20130323)

The actual investigation results point that foreign source IPs ( 3 european countries and US, but not China) were discovered as potential source of the attack, and that a potential of 14 variants of the malware were discovered and analyzed.

Security firm Xecure Lab has provide some information’s regarding Dark South Korea, malwares hash are available with some detailed analysis. Also malwares samples were available on private groups and on contagio. Based on these hashes and samples, you can find here under an analysis.

Samples Analysis

Presumed Dropper(s)
MD59263E40D9823AECF9388B64DE34EAE54
Size417.5 KB
Compilation timedatestamp2013-03-20 04:07:02
Modify DateNone
File mapping objectNone
Resource language(s)English & Korean
StringsN/A
URLNone
Other namesAPCRunCmd.DRP - K10

This executable drop “AgentBase.exe” (db4bbdc36a78a8807ad9b15a562515c4), “alg.exe” (e45cd9052dd3dd502685dfd9aa2575ca), “conime.exe” (6a702342e8d9911bde134129542a045b) and “~pr1.tmp” (dc789dee20087c5e1552804492b042cd) in “%TMP%“, then execute “AgentBase.exe“. Remarks: Also known as K10 by Xecure Lab, mentioned as a wiper, but it is a dropper. This sample could be categorized as Drop & Wipe.

Also, dropped “AgentBase.exe” is known as K01 on Xecure Lab, mentioned as a wiper only. “AgentBase.exe” is a Windows wiper, but also the dropper for *NIX batch wiper aka “~pr1.tmp“. More information’s in the “9263E40D9823AECF9388B64DE34EAE54 Dropper Analysis” chapter of this blog.

MD550E03200C3A0BECBF33B3788DAC8CD46
Size24 KB
Compilation timedatestamp2012-07-06 12:24:18
Modify DateNone
File mapping objectFFFFFFF-198468CD-6937629023-EF90000000
Resource language(s)None
Stringshello
URLhxxp://www.skymom.co.kr/rgboard/addon/update/update_body.jpg
Other namesK06

It seem that “update_body.jpg” (a03ae3a480dd17134b04dbc5e62bf57b), first seen the 2012-08-28 04:31:52, is the same as mentioned on SCUMWARE the 2012-08-30. You can find this sample on malware.lu. Symantec and McAfee have try to create a relation based on the used packer and on some common compilation paths. But like McAfee, I don’t see any relations between this dropper and the 03.20 Dark South Korea campaign. Known as K06 on Xecure Lab. This sample could be categorized as Drop & Backdoor, or Unknown.

MD5E4F66C3CD27B97649976F6F0DAAD9032
Size24 KB
Compilation timedatestamp2012-07-06 12:24:18
Modify DateNone
File mapping objectFFFFFFF-198468CD-6937629023-EF90000000
Resource language(s)None
Stringshello
URLhxxp://www.anulaibar.com/e107/e107_files/js/e107_001.cab
Other namesK05

Here also, I don’t see any relations between this dropper and the 03.20 Dark South Korea campaign. Known as K05 on Xecure Lab and mentioned by McAfee. This sample could be categorized as Drop & Backdoor, or Unknown.

MD52F9AF723E807FF44C2684E5D644EBE46
Size38.8 KB
Compilation timedatestampNone
Modify Date2013:03:17 23:41:07
File mapping objectNone
Resource language(s)None
StringsNone
URLNone
Other names고객계좌내역.rar - K08

Known as K08 on xsecure-lab.com, and like the guys of Xecure Lab. I don’t see any relations between this dropper and the 03.20 Dark South Korea campaign. F-Secure has try to link this sample to the campaign. This sample could be categorized as Unknown.

MD5530c95eccdbd1416bf2655412e3dddb
SizeUnknown
Compilation timedatestampUnknown
Modify DateNone
File mapping objectUnknown
Resource language(s)Unknown
StringsHASTATI. / PR!NCPES and other unknowns
URLUnknown
Other namesUnknown

This sample was mentioned by Symantec and AhnLab the 23 March. Particularities of this sample is that he will drop 2 files and inject 1 the files into “LSASS.exe” process as a DLL. Also this sample will be executed any years the 20 March at 2pm and wipe MBR with “HASTATI.” and “PR!NCPES” strings. Unfortunately I wasn’t able to find this sample. This sample could be categorized as Drop & Wipe.

MD5e823221609b37e99fbbce5b493a02f68
Size236.0 KB
Compilation timedatestamp2013-03-19 23:57:06
Modify DateNone
File mapping objectNone
Resource language(s)Korean
StringsMICRO_ESENCIAL0192301 / Alerter / Sens / Hacked By Whois Team / morpsntls.exe / and bunch of others
URLNone
Other namescmsvrts.exe / K07

This sample was also mentioned the 20 March by different medias, security vendors and researchers. He was used to against LG UPlus Corp showed a page that said it had been hacked by a group calling itself the “Whois Team“.

hackedbywhoisteam

Particularities of this sample is that he seem to be triggered only in certain conditions, and this condition seem to be related to certain time zone, as mentioned by AhnLab the 23 March. The sample drop “mp.swf“, “lf.mp3“, “24mhk04.gif“, “25z18pg.jpg” files, adds “MICRO_ESENCIAL0192301” as mutex, modify  the “SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” following registry entries, overwrite all “.html“, “.htm“, “.aspx“, “.asp“, “.jsp“, “.do“, “.php” files with its code, terminate Windows Alerter service (Alerter) and Windows System Event Notification Service (Sens), and drop all the MBR datas. This sample could be categorized as Drop & Wipe & Deface.

Presumed Wiper(s)

Symantec, Tripwire, Xecure Lab and contagio reported hashes of different wipers. Here under an analysis of these wipers with some corrections.

MD50a8032cd6b4a710b1771a080fa09fb87
Size24 KB
Compilation timedatestamp2013-01-31 10:27:18
File mapping objectJO840112-CRAS8468-11150923-PCI8273V
StringsPR!NCPES / HASTATI. / \Temp\~v3.log
Check "~v3.log"No
Task killpasvc.exe (AhnLab Policy Agent) / clisvc.exe (Hauri ViRobot)
Wiper timingImmediate
Shutdownshutdown -r -t 0
Other namesmb_join.gif / mb_join.exe / K03
Mentioned bycontagio & Symantec

Despite file “~v3.log” is present in “C:\WINDOWS\Temp\” directory, the wiper is running directly. This sample could be categorized as Wiper.

MD55fcd6e1dace6b0599429d913850f0364
Size24 KB
Compilation timedatestamp2013-01-31 10:27:18
File mapping objectJO840112-CRAS8468-11150923-PCI8273V
StringsHASTATI.
Check "~v3.log"No
Task killpasvc.exe (AhnLab Policy Agent) / Clisvc.exe (Hauri ViRobot)
Wiper timingImmediate
Shutdownshutdown -r -t 0
Other namesAmAgent.exe / OthDown.exe / K04
Mentioned bycontagio & Symantec & Tripwire

This sample could be categorized as Wiper.

MD5db4bbdc36a78a8807ad9b15a562515c4
Size24 KB
Compilation timedatestamp2013-01-31 10:27:18
File mapping objectJO840112-CRAS8468-11150923-PCI8273V
StringsPRINCPES / HASTATI. / \Temp\~v3.log
Check "~v3.log"Yes
Task killpasvc.exe (AhnLab Policy Agent) / clisvc.exe (Hauri ViRobot)
Wiper timingNot immediate if ~v3.log is present
Shutdownshutdown -r -t 0
Other namesApcRunCmd.exe / K01
Mentioned bycontagio & Symantec & Tripwire

This sample is taking care of the “~v3.log” presence in “C:\WINDOWS\Temp\” directory. If the file is present the wipe process is not started. This sample could be categorized as Wiper.

db4bbdc36a78a8807ad9b15a562515c4

But you have to take in consideration that this sample is normally executed by 9263E40D9823AECF9388B64DE34EAE54 dropper, and that a complete process will be analyzed in the “9263E40D9823AECF9388B64DE34EAE54 Dropper Analysis” chapter of this blog.

MD5f0e045210e3258dad91d7b6b4d64e7f3
Size24 KB
Compilation timedatestamp2013-01-31 10:27:18
File mapping objectJO840112-CRAS8468-11150923-PCI8273V
StringsPRINCPES / HASTATI. / \Temp\~v3.log
Check "~v3.log"Yes
Task killpasvc.exe (AhnLab Policy Agent) / clisvc.exe (Hauri ViRobot)
Wiper timingNot immediate if ~v3.log is present
Shutdownshutdown -r -t 0
Other namesApcRunCmd.exe / K02
Mentioned bycontagio

Like the previous wiper, if “~v3.log” is present in “C:\WINDOWS\Temp\” directory, the wipe process is not started.

f0e045210e3258dad91d7b6b4d64e7f3

This sample seems also to be part of a another dropper actually not publicly known. This sample could be categorized as Wiper.

As you can see, all of the wipers use the “HASTATI” string in order to overwrite MBR data’s. As reported by security vendors, “Hastati” term refers to a class of infantry in the armies of the early Roman Republic. “PRINCPES” term, also used to overwrite MBR data’s, could also refer to the “Principes” who were veteran soldiers of the Roman Pre-Marian Army. Are the “bad guys” fan of Roman Army, or fan of Total War game ?

Also an interesting relation between the “HASTATI” string used to overwrite MBR data’s, is that KBS TV website was defaced the 21 March with a “Defaced by HASTATI” message and symbol representing the class of infantry in the armies of the early Roman Republic.

defacedbyhastati

9263E40D9823AECF9388B64DE34EAE54 Dropper Analysis

In this chapter of this long blog post we will analyze some behaviors of 9263e40d9823aecf9388b64de34eae54 dropper.

As mentioned by different security vendors or researchers, when executed the dropper will extract 4 files into Windows “%TMP%” directory. These files are “alg.exe“, “conime.exe“, “~pr1.tmp” and “AgentBase.exe“.

dropped-files

alg.exe” (e45cd9052dd3dd502685dfd9aa2575ca) is the “plink.exe” PuTTY tool acting as a command-line interface to the PuTTY back ends. This binary has been compiled the 2013-02-15 at 08:12:58.

conime.exe” (6a702342e8d9911bde134129542a045b) is the “pscp.exe” PuTTY tool acting as a SCP client, i.e. command-line secure file copy. This binary has been compiled the 2006-03-13 at 14:32:44.

~pr1.tmp(dc789dee20087c5e1552804492b042cd) is a bash script who will be dropped and executed on *NIX servers in certain conditions.

AgentBase.exe” (db4bbdc36a78a8807ad9b15a562515c4) is the wiper mentioned in the previous chapters of this blog post.

After installing these files, the dropper will check the presence of “~v3.log” file in “C:\WINDOWS\Temp\” directory.

If the file “~v3.log” is not existing “AgentBase.exe” wiper will be executed, killing AhnLab Policy Agent (pasvc.exe) and Hauri ViRobot ISMS Client (clisvc.exe), then erasing all data’s.

If the file “~v3.log” is existing, the dropper start to check the presence of configuration file “confCons.xml” of mRemote program, developed by Felix Deimel, and the presence of configuration files of SecureCRT program, developed by VanDyke Software, Inc.

program-presence-check

For mRemote, the dropper copy all data’s, related to SSH connexions with root login, present in “confCons.xml” configuration file and exploit a vulnerability present in the password storage engine of this program. When you save connections in mRemote it outputs all of that data into an XML report “confCons.xml“. The passwords are saved in an encrypted format, however this is trivial to circumvent. So despite the passwords are saved in encrypted format it is easy to decrypt them. This vulnerability was discovered and published by Cosine Security the 2 Jun 2011. Support of mRemote has been stopped in 2012.

Once the mRemote vulnerability is exploited, the dropper start a new process to execute “conime.exe” binary, in order to drop the “~pr1.tmp” file into “/tmp/cups” on the targeted server:

C:\Users\ERICRO~1\AppData\Local\Temp\conime.exe  -batch -P 22 -l root -pw test C:\Users\ERICRO~1\AppData\Local\Temp\~pr1.tmp 192.168.178.54:/tmp/cups

After upload of “cups” file, the dropper will execute this file through the following command.

C:\Users\ERICRO~1\AppData\Local\Temp\conime.exe  -batch -P 22 -l root -pw test 192.168.178.54 “chmod 755 /tmp/cups;/tmp/cups

For SecureCRT, the dropper is also copying all data’s, related to SSH connexions with root login, present in “*.ini” configuration files. Each saved connection in SecureCRT as it ones “*.ini” file who will be parsed by the dropper. The passwords are also saved in an encrypted format.

SecureCRT-Config-fILES

With the latest version of SecureCRT (7.0.3), the dropper is unable to decrypt the password, but will try to connect to targeted servers with a wrong password. So there is surely a similar vulnerability as for mRemote in previous versions of SecureCRT, but wasn’t able to find it.