Posts tagged China

Attack and IE 0day Information Used Against Council on Foreign Relations

The Council on Foreign Relations (CFR.org), a foreign policy organization, has been the victim of a targeted attack that appears to be linked to hackers traced to China.

According to information posted on the Washington Free Beacon, the compromised CFR.org website was used to attack its visitors in order to extract valuable information. The “drive-by” attack was detected around 2:00 pm on Wednesday 26 December, and CFR members who visited the website between Wednesday and Thursday could have been infected and their data compromised, the specialists said.

From the Washington Free Beacon report we also know that only Internet Explorer 8 and higher versions were targeted, that a possible Internet Explorer 0day was used to infect visitors’ computers, and that the attack was limited to CFR members and website visitors who used browsers configured for Chinese language characters.

As always, I was curious and tried to gather more information about this attack and the potential 0day.

urlQuery.net investigations

On urlQuery.net, we can see that the first submission was made on 20 December. More interesting is the submission of 21 December for the URL “/js/js/news_123432476.html”; a “/js/js/” directory is a strange layout. We can also see that a “deployJava.js” was loaded by this page.

Other URLs are interesting too, like “/js/js/robots.txt”, “/js/js/today.swf” and “/js/js/news_435435s.html”, but all of them were submitted on 27 December or later, and the files are no longer available.

jsunpack investigations

On jsunpack we can observe that “deployJava.js” was submitted on 26 December. All other files were submitted on 27 December or later, and the files are no longer available.

CLEAN MX realtime database investigations

On CLEAN MX we can observe an analysis dated 20 December.

Why so many parallel submissions? OK guys, the infection had started by 20 December at the latest, not on Wednesday 26 December. Now, if you have some skill in researching information and are still curious, you will find part of the “drive-by” attack source code. By doing some additional research I found the source code of the “drive-by” attack, and I can confirm that this attack had started by 7 December at the latest!

[Screenshot: drive-by attack source code, 2012-12-28 22:25:31]

Let’s analyze this source code.

I can confirm that only visitors with Internet Explorer 8 and higher versions were targeted.

[Screenshot: cfr-ie8, the Internet Explorer version check]

But one fact that was not pointed out: if the visitor does not have Adobe Flash, he will not be part of the party; Flash-free Internet Explorer installations are not targeted.

[Screenshot: cfr-flash, the Adobe Flash check]

I can also confirm that visitors who used browsers configured for Chinese language characters were targeted, but so were Taiwanese and American visitors…

[Screenshot: cfr-language, the browser language check]

If you load the malicious page for the first time, a cookie named “visit” is created with a lifetime of 7 days by the “DisplayInfo()” function. If you already have this cookie, you will not be exploited again until the cookie expires.

[Screenshot: cfr-cookie, the “visit” cookie]

Then the page loads the “download” JavaScript function. This function attempts an XMLHttpRequest to an “xsainfo.jpg” file. After some discussion with @binjo, it could be that “xsainfo.jpg” is just a clean file, an Ajax trick used to call the “callback” function.

[Screenshot: cfr-download, the “download” function]

[Screenshot: cfr-xmlhttp-xsainfo, the XMLHttpRequest to “xsainfo.jpg”]

The “xsainfo.jpg” file may be “320e0729e1a50fd6a2aebf277cfcad66”, found on VirScan and VirusTotal. This file was submitted on 13 December.

The “callback” function verifies that “xsainfo.jpg” has been loaded and that a “200” HTTP status code was returned.

[Screenshot: cfr-callback-xmlhttp, the status check in “callback”]

If the visitor’s operating system is Windows 7 or Windows 2008 R2, an Office document is opened through the “SharePoint.OpenDocuments” ActiveX control. Depending on the way the document is opened, the “key” variable is initialized with the funny values “boy” or “girl”. I’m not a specialist in this domain; maybe one of the blog’s readers could provide some more information.

[Screenshot: cfr-callback-opendocuments, the “SharePoint.OpenDocuments” call]

Depending on whether you are a “girl” or a “boy”, the “test” division of the HTML document is manipulated: a “today.swf” Flash object is loaded plus a “news.html” iframe.

[Screenshot: cfr-callback-boy-girl, the “boy”/“girl” branch]

If you are neither a “girl” nor a “boy”, you will need to have Java SE 6, but not Java SE 7, in order to load the same two files as previously mentioned. If the visitor’s operating system is Windows XP, the “test” division of the HTML document is also manipulated, and the same two files are loaded.

[Screenshot: cfr-callback-java-xp-2, the Java SE 6 and Windows XP branches]

Unfortunately, I have not yet found these two files, but after more discussion with @binjo it could be that the swf is used to set up the payload and “news.html” is used to trigger the vulnerability.

So if a 0day exists, it is surely in the “news.html” file; and it is also certain that this targeted attack did not begin on Wednesday, and did not only target visitors who used browsers configured for Chinese language characters.
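As an added illustration of the gating logic just described (this is my own example code, not the CFR.org landing page or anyone’s exploit), the following Python script scans page content for the fingerprinting checks the post lists (Internet Explorer version, Adobe Flash, browser language, the “visit” cookie, the “xsainfo.jpg” request, the “SharePoint.OpenDocuments” ActiveX probe, the Java 6 check, and the “today.swf” plus “news.html” pair) and scores how many of them appear together. The regular expressions, the weights and both sample pages are assumptions constructed for this example.

```python
"""Scan page content for the client-side gating checks described in the
CFR.org drive-by analysis above (added example, not the landing page's own
code). The regular expressions are my assumptions about how each check
typically shows up in JavaScript; tune them to your own samples."""
import re

# (indicator name, pattern, weight). Weights are arbitrary choices for this
# example: the SharePoint ActiveX probe and the swf+iframe pair are the most
# specific to the behaviour described in the post, so they weigh more.
INDICATORS = [
    ("ie_version_check",   r"MSIE\s*\d", 1),
    ("flash_check",        r"ShockwaveFlash|Shockwave Flash", 1),
    ("language_check",     r"navigator\.(?:systemLanguage|userLanguage|browserLanguage)", 1),
    ("visit_cookie",       r"document\.cookie\s*=\s*['\"]visit=", 2),
    ("xsainfo_xhr",        r"xsainfo\.jpg", 2),
    ("sharepoint_activex", r"SharePoint\.OpenDocuments", 3),
    ("java6_check",        r"deployJava\.\w+|versionCheck\(\s*['\"]1\.6", 1),
    ("swf_and_iframe",     r"today\.swf|<iframe[^>]*news\.html", 2),
]
COMPILED = [(name, re.compile(pat, re.I), weight) for name, pat, weight in INDICATORS]


def scan_content(text):
    """Return {indicator_name: weight} for every indicator present in text."""
    return {name: weight for name, rx, weight in COMPILED if rx.search(text)}


def verdict(text, threshold=5):
    """Score the content; a page chaining several gating checks is flagged."""
    found = scan_content(text)
    score = sum(found.values())
    return {"score": score, "indicators": sorted(found), "suspicious": score >= threshold}


# Constructed sample that mimics the gating logic described in the post
# (browser, language, Flash and cookie checks, then the swf + iframe load).
# It is not the real landing page and contains no exploit code.
SUSPICIOUS_SAMPLE = """
<html><body><div id="test"></div><script>
var ua = navigator.userAgent;
if (ua.indexOf("MSIE 8") < 0 && ua.indexOf("MSIE 9") < 0) { }
var lang = navigator.systemLanguage.toLowerCase();
if (lang == "zh-cn" || lang == "zh-tw" || lang == "en-us") { }
try { new ActiveXObject("ShockwaveFlash.ShockwaveFlash"); } catch (e) { }
document.cookie = "visit=1; expires=Fri, 04 Jan 2013 00:00:00 GMT";
var x = new XMLHttpRequest(); x.open("GET", "xsainfo.jpg", true);
try { new ActiveXObject("SharePoint.OpenDocuments"); } catch (e) { }
document.getElementById("test").innerHTML =
  '<object data="today.swf"></object><iframe src="news.html"></iframe>';
</script></body></html>
"""

# Constructed benign page: one language lookup is not enough to alert on.
BENIGN_SAMPLE = """
<html><script>
var lang = navigator.systemLanguage;
document.cookie = "session=abc; path=/";
</script></html>
"""

if __name__ == "__main__":
    print(verdict(SUSPICIOUS_SAMPLE))  # score 12, suspicious
    print(verdict(BENIGN_SAMPLE))      # score 1, not suspicious
```

A single hit (a language lookup, a cookie) is common on legitimate pages; what separates a drive-by landing page is several of these checks chained in front of an object/iframe load, which is why the score uses a threshold rather than alerting on any one pattern.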

I will keep you posted if I get additional information regarding this potential new Internet Explorer 0day.

Update 1 – 12/29 2am:

FireEye has posted some additional information regarding the attack. It seems that “today.swf” triggers a heap spray in Internet Explorer in order to complete the compromise. Once the browser is exploited, it appears to download “xsainfo.jpg”, which is the dropper encoded using single-byte XOR (key: 0x83, ignoring null bytes).

What is also new in the FireEye blog post is that their version targets English (U.S.), Chinese (China), Chinese (Taiwan), Japanese, Korean, or Russian. My version of 7 December only targeted English (U.S.), Chinese (China) and Chinese (Taiwan), so the guys had time to release a new version of their code in the meantime. Also, they didn’t mention the news.html file.
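The XOR scheme FireEye describes for “xsainfo.jpg” in Update 1 is easy to verify in an analyst’s sandbox. The following Python is an added example (not FireEye’s or this blog’s code): it applies the null-skipping single-byte XOR, checks whether the result looks like a PE file, and recovers an unknown key by brute force. The “dropper” is a constructed MZ/PE header skeleton, not the real sample.

```python
"""Undo the single-byte XOR encoding FireEye describes for "xsainfo.jpg" in
Update 1 (key 0x83, null bytes ignored). Added example, not FireEye's or the
blog author's code; the "dropper" here is a constructed PE-like header."""
from typing import Optional

XOR_KEY = 0x83


def xor_skip_nulls(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every non-zero byte with key and pass zero bytes through unchanged.

    The operation is its own inverse, so the same function encodes and decodes.
    Because nulls are skipped, the long 0x00 runs of a PE header survive in the
    encoded blob, a tell-tale sign worth looking for in odd "image" downloads.
    Caveat: a plaintext byte equal to the key encodes to 0x00 and therefore
    comes back as 0x00, so the scheme is lossy for that one byte value."""
    return bytes(b if b == 0 else b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: 'MZ' magic and an e_lfanew that points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key(blob: bytes) -> Optional[int]:
    """Find the single-byte key (assuming the null-skipping variant) by trying
    all 255 candidates and keeping the one that yields a PE header."""
    for key in range(1, 256):
        if looks_like_pe(xor_skip_nulls(blob, key)):
            return key
    return None


def build_fake_dropper() -> bytes:
    """Constructed stand-in for the real sample: a minimal MZ/PE skeleton."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    hdr[0x44:0x46] = (0x014C).to_bytes(2, "little")  # Machine = i386
    return bytes(hdr) + b"This program cannot be run in DOS mode.\x00"


if __name__ == "__main__":
    encoded = xor_skip_nulls(build_fake_dropper())
    print("key recovered:", hex(recover_key(encoded)))               # 0x83
    print("decodes to PE:", looks_like_pe(xor_skip_nulls(encoded)))  # True
```

On a real capture, run recover_key first; if it returns None the blob is either not a null-skipping XOR, or the header is damaged, and a longer-key or plain XOR should be tried before assuming the file is what its name says.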

Update 2 – 12/29 11am:

@binjo has released further information regarding the “new IE 0day coming - mshtml!CDwnBindInfo object use after free vulnerability”.

Also, I can observe that a certain number of people have samples of the 0day; I cannot imagine that an active exploit will not be out before the end of the year.

Update 3 – 12/29 6pm:

AlienVault has published more detailed information regarding the attack and the 0day.

Update 4 – 12/29 10pm:

@_sinn3r is on the way to delivering a Metasploit module for the CFR.org 0day exploit.

Update 5 – 12/30 00am:

Microsoft has released MSA-2794220 and confirmed the vulnerability affecting Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8. Internet Explorer 9 and Internet Explorer 10 are not affected by the vulnerability. CVE-2012-4792 has been assigned to this vulnerability.

Update 6 – 12/30 2am:

The Metasploit team has released the Microsoft Internet Explorer 0day exploit module.

Update 7 – 12/30 11am:

Below is the code version I found in Google cache, as it appeared on 7 Dec 2012 14:12:28 GMT.

Got some more samples:

  • Helps.html (a25c13d4edb207e6ce153469c1104223)
  • news.html (76d14311bae24a40816e3832b1421dee)
  • robots.txt (96b01d14892435ae031290cd58d85c2e)
  • xsainfo.jpg (7c713c44e34fa8e63745744e3b7221db)

Java 0Day and the Targeted Nitro Attacks Campaign Analysis

Symantec, Kaspersky Labs, Trend Micro, Sophos and other security vendors continue to surf on the Java 0day targeted attack story.

The vendors have agreed, in unison, that the Java 0day was potentially used by the Chinese Nitro gang through a spear-phishing campaign. The Nitro gang has been well-known since another targeted campaign in 2011, reported by Symantec, focusing on organizations in the United States, Bangladesh and the U.K.

The Nitro gang, potentially the source of the newly discovered Java 0day, is using IP addresses and other characteristics that were common to the 2011 targeted attack, like the same C&C (223.25.233.244 for example) and the same files (“Flash_update.exe” for example).

For Kaspersky Labs, “the attacks have been going on for more than a week”. For Symantec, “the attackers have been using this zero-day for several days since August 22”. For Trend Micro, “Nitro attackers were continuing to send out emails to their targets with direct links to Poison Ivy executables in early August 2012”.

As all the vendors agree on the time frame and the source of the attack, we will take a look at all the information we can gather around this story.

First C&C server

The first known C&C was “223.25.233.244”, also used in the 2011 campaign. I reported in my previous blog post that this IP address had been well-known for many months. As you will see below, the C&C server is well-known, dropping lots of malware under various domain names.

All the information gathered on this C&C server:

2012-04-18 – Malwr.com Analysis (2819365de89a5e07c2c20b2b462a3487): Analyzed file was “upgrade.exe”, with a DNS request to “who.hzlo.net” aka “223.25.233.244”.

2012-04-20 – Malwr.com Analysis (156d00c795d6d2857fd49f570e894803): Analyzed file was “upgrade.exe”, with a DNS request to “who.hzlo.net” aka “223.25.233.244”.

2012-04-24 – Malwr.com Analysis (af6d20abc953e18a84beac84ea87fce3): Analyzed file was “Flash_updata.exe”, with a DNS request to “who.hzlo.net” aka “223.25.233.244”.

2012-04-25 – Malwr.com Analysis (ac1066eeab14150e2ed20e88d8ca1acb): Analyzed file was “flash_updata.exe”, with a DNS request to “who.hzlo.net” aka “223.25.233.244”.

2012-06-21 – Malwr.com Analysis (d0d335fbc6d9fdbaf8a0af44ae2944c7): Analyzed file was “update.exe”, with a DNS request to “goodluck.betr.co” aka “223.25.233.244”.

2012-06-25 – URL Query Analysis (75475): Analyzed URL was “http://admin.fcph.org” aka “223.25.233.244”.

2012-06-26 – URL Query Analysis (75932): Analyzed URL was “http://admin.fcph.org” aka “223.25.233.244”.

2012-07-10 – URL Query Analysis (86487): Analyzed URL was “http://ok.icon.pk” aka “223.25.233.244”. This is the domain name used during the Java 0day discovery; coincidence?

2012-07-11 – URL Query Analysis (87414): Analyzed URL was “http://domain.rm6.org” aka “223.25.233.244”.

2012-08-17 – Sophos Analysis (Troj/Agent-XNE): DNS requests to “hello.icon.pk” and “admin.fcph.org” aka “223.25.233.244”.

2012-08-20 – Malwr.com Analysis (e2fc730981c1c9c55b961bbbd609c6d3): Analyzed file was “KB2690533.exe”, with a DNS request to “ok.icon.pk” aka “223.25.233.244”. Interesting “KB2690533.exe” binary name; we will search for other occurrences of it later.

2012-08-27 – Malwr.com Analysis (1360ac6d139f19d590bd3b05fa12c8c0): Analyzed file was “upgrade.exe”, with a DNS request to “admin.fcph.org” aka “223.25.233.244”.

2012-08-27 – URL Query Analysis (147268): Analyzed URL was “http://223.25.233.244”.

2012-08-27 – URL Query Analysis (147552): Analyzed URL was “http://wagoo.fcph.org” aka “223.25.233.244”.

2012-08-27 – Malwr.com Analysis (4a55bf1448262bf71707eef7fc168f7d): Analyzed file was “hi.exe”, the famous one, with a DNS request to “ok.icon.pk” aka “223.25.233.244”.

2012-08-27 – Malwr.com Analysis (c0c81cf499136515e22f39e70ef78eec): Analyzed file was “antivirus.exe”, with a DNS request to “ok.icon.pk” aka “223.25.233.244”, and two HTTP requests to “http://ok.icon.pk/4213538n.txt” and “http://ok.icon.pk/4214189n.txt”.

First reported infected server

The first reported infected server was “ok.aa24.net” with IP address “59.120.154.62”. The related infection URL was “ok.XXXX.net/meeting/index.html”, which loaded the malicious “applet.jar”. The IP address is located in Singapore. I also reported, in my previous blog post, that this IP address had been well known for many months.

Second reported infected server

The second infected server, reported by Symantec on 30 August, was “62.152.104.149”. The related infection URL was “62.152.104.XXX/public/meeting/index.html”, which loaded the malicious “applet.jar”. The IP address is located in Italy.

Until 30 August, the “index.html” file present on the second infected server was an obfuscated JavaScript loading the malicious Java 0day “applet.jar” aka “cve2012xxxx.Gondvv.class” and the Poison Ivy backdoor “Flash_update.exe”. The “index.html” file was part of the Gondad exploit kit, as was the case for the first infected server.

URL Query reports that “62.152.104.149” has been known since 2012-08-24 with the same malicious URL. That date matches the “Last modified” date reported by the infected server: all the files are dated 2012-08-24, except “1.php”.

Screenshot taken on 29 August

If you browse the server’s indexed directories, you can find a Rhino exploit “index.jar”, which has been available since 2012-03-16.

Screenshot taken on 29 August

If you continue to browse the directories, you can also find the CVE-2010-3856 Linux exploit “glibc.sh”, used to backdoor the server. These files are dated 2011-11-29.

Screenshot taken on 29 August

As you have seen, all the screenshots were taken on 29 August. I monitored the server, and the files present in the “/public/meeting” directory changed on 30 August, with a new variant of “applet.jar” and some new files like “feq.html” (VirusTotal analysis / Malwr.com analysis). The Malwr.com analysis reported a new C&C server, “12.163.32.15”, which is currently down.

KB2690533.exe C&C dropped binary

On 20 August the “KB2690533.exe” file was dropped from the C&C server, and we can find some additional information regarding this file name.

2012-08-16 – URL Query Analysis (133150): Analyzed URL was “http://erp.claridy.com.tw/rndy/download.war/KB2690533.exe” aka “211.72.230.236”.

2012-08-17 – Cisco Threat Outbreak Alert: “significant activity related to spam e-mail messages that claim to contain a Security Update for the recipient”. What does “significant” mean? The spam e-mail message text looks similar to the spam e-mail message reported by Trend Micro on 30 August. Coincidence? We will see that it is not a coincidence.

Subject: Security Update

Message Body:
Dear,
Because of the office network interfaces changed.Please download the Security Update fot windows XP (KB2690533),and install it. Download address: hxxp://www.microsoft.com/en-us/download/KB2690533.exe

Also, the following Chinese web site reported some URLs on 2012-08-21, and there we can find “http://erp.claridy.com.tw/rndy/download.war/KB2690533.exe”, “http://erp.claridy.com.tw/rndy/download.war/Flash_update.exe” and “http://haitimissionschool.org/updateflashplayer.exe”.

Spam e-mail message reported by Trend Micro

In its blog post, Trend Micro reports a typical spam e-mail message with direct links to Poison Ivy executables in early August 2012.

As you can see, this email message is in the same style as the message detected by Cisco on 17 August.

If we search on the username string “alcoauser”, we can find some additional information:

2012-08-02 – Another Cisco Threat Outbreak Alert: “significant activity related to spam e-mail messages”, with exactly the same content as that provided by Trend Micro, and in it we can find the “59.120.154.62” server where the 0day was discovered.

Other e-mail message spotted by a Chinese website

In its blog post, Trend Micro reports another e-mail, which was spotted in April 2012.

Dear,
If you already have VPN installed on your computer, you’ll be asked to download and install update the next time you start VPN. Once the new update is installed, VPN should function normally.
Download and install the updated:http://www.cisco.com/vpn/upgrade.exe
You must have administrative privileges on your computer to install any VPN client. Please contact your desktop support staff if you need assistance.
Morris Kristi
[email protected]

This e-mail message is in the same style as the previous e-mail messages. The malicious URL was “http://out.hzlo.net/update/upgrade.exe” with IP address “71.216.92.29”. This domain name and IP address were first spotted by ScumWare.org on 30 March. Another domain name, “http://adobe.flash-mail.tk/update/Flash_updata.exe”, was reported on the same server on 24 April.

The “out.hzlo.net” domain name was spotted on 04 April by the Clean MX realtime database, but if you take a look at the complete list of “*.hzlo.net” domain names, you can see that “http://jack.hzlo.net/download/antivirus.exe” had been caught on 23 February!

More interesting, the characteristic of the Java 0day spreading was a URL like “/public/meeting/index.html” or “/meeting/index.html”. The Clean MX realtime database reports this URL for the first time for “http://jack.hzlo.net/meeting/index.html” on 02 July.
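To make the timeline pivoting of the “First C&C server” list and the hzlo.net entries above repeatable, here is an added Python example (my own code, not the blog’s) that links indicators sharing an IP, a parent domain or, optionally, a file name, and reports each cluster’s earliest sighting. SIGHTINGS is a hand-transcribed subset of the dated entries on this page; the 2012-08-26 date for “ok.aa24.net” is my assumption, taken from the date of the FireEye report cited on this page.

```python
"""Pivot the dated sightings collected in this post into infrastructure
clusters and compute each cluster's first-seen date. Added example, not the
blog author's code; SIGHTINGS is a hand-transcribed subset of the entries on
this page, illustrative rather than an authoritative feed."""
from collections import defaultdict

# (first seen, domain, IP, file name) as transcribed from the post above.
# The 2012-08-26 entry uses the date of the FireEye report cited on the page.
SIGHTINGS = [
    ("2012-02-23", "jack.hzlo.net",       None,             "antivirus.exe"),
    ("2012-03-30", "out.hzlo.net",        "71.216.92.29",   "upgrade.exe"),
    ("2012-04-18", "who.hzlo.net",        "223.25.233.244", "upgrade.exe"),
    ("2012-04-24", "adobe.flash-mail.tk", "71.216.92.29",   "Flash_updata.exe"),
    ("2012-06-21", "goodluck.betr.co",    "223.25.233.244", "update.exe"),
    ("2012-06-25", "admin.fcph.org",      "223.25.233.244", None),
    ("2012-07-02", "jack.hzlo.net",       None,             "meeting/index.html"),
    ("2012-07-10", "ok.icon.pk",          "223.25.233.244", None),
    ("2012-08-16", "erp.claridy.com.tw",  "211.72.230.236", "KB2690533.exe"),
    ("2012-08-17", "hello.icon.pk",       "223.25.233.244", None),
    ("2012-08-20", "ok.icon.pk",          "223.25.233.244", "KB2690533.exe"),
    ("2012-08-21", "erp.claridy.com.tw",  "211.72.230.236", "Flash_update.exe"),
    ("2012-08-24", None,                  "62.152.104.149", "applet.jar"),
    ("2012-08-26", "ok.aa24.net",         "59.120.154.62",  "applet.jar"),
    ("2012-08-30", None,                  "62.152.104.149", "Flash_update.exe"),
]


class DisjointSet:
    """Union-find over indicator strings."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def apex(domain):
    """Naive registrable domain (last two labels). A real tool would consult the
    public suffix list; 'erp.claridy.com.tw' -> 'com.tw' shows the limitation."""
    return ".".join(domain.split(".")[-2:])


def cluster_infrastructure(sightings, link_by_file=False):
    """Group indicators that share an IP, a parent domain or (optionally) a file
    name, and report each group's earliest sighting. File-name links are weak
    evidence: names like 'upgrade.exe' are reused everywhere, so they merge
    far more than IP or domain overlap does."""
    ds = DisjointSet()
    first_seen = {}
    for day, domain, ip, fname in sightings:
        nodes = [n for n in (domain, ip) if n]
        if domain:
            nodes.append("apex:" + apex(domain))
        if link_by_file and fname:
            nodes.append("file:" + fname)
        for node in nodes:
            ds.find(node)
            first_seen[node] = min(first_seen.get(node, day), day)
        for node in nodes[1:]:
            ds.union(nodes[0], node)
    groups = defaultdict(set)
    for node in ds.parent:
        groups[ds.find(node)].add(node)
    clusters = [{"members": sorted(m), "first_seen": min(first_seen[x] for x in m)}
                for m in groups.values()]
    return sorted(clusters, key=lambda c: c["first_seen"])


if __name__ == "__main__":
    for c in cluster_infrastructure(SIGHTINGS):
        print(c["first_seen"], len(c["members"]), "indicators")
    print("with file-name links:", len(cluster_infrastructure(SIGHTINGS, True)), "cluster(s)")
```

Run without file-name links, the hzlo.net / 223.25.233.244 infrastructure forms one cluster whose first sighting is 23 February, while 59.120.154.62 and 62.152.104.149 stay separate; turning file-name links on merges everything into a single cluster, which makes visible how much weight generic file names carry in a “same campaign” argument.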

Conclusion

If there was an active targeted Nitro campaign, this campaign started during February 2012 with different infection vectors. The campaign was caught many times by different security researchers and vendors, but nobody raised the alert flag until the end of August. I think that nobody cared about the pseudo-“targeted” campaign caught earlier, and that the Java 0day was the alert flag.

Second opinion: I really think that the Java 0day was out for a minimum of 2 or 3 months before its public discovery.

And last but not least opinion: I still believe that it was not as targeted as the vendors try to make us believe.

Oracle Java 0day and the Myth of a Targeted Attack

FireEye (@fireeye) were the first to speak about the Oracle Java 0day, in a nice blog post, “Zero-Day Season is Not Over Yet”. As they mentioned in the blog post, it was just a matter of time before a PoC was released. The tweet was dated 9:26 PM – 26 August, 2012.

@jduck, a member of the Metasploit team, had sufficient information in this blog post to seek out the mentioned infected domain “ok.xx4.net”, which was hosted in China with IP address “59.xxx.xxx.62” and running an “IceWarp/4.1” web server on port 80/TCP or 443/TCP. After a scan of around 20K servers the juicy “applet.jar” was found 🙂 Less than 5 hours later (2:01 AM – 27 August, 2012) a PoC was available, and less than 24 hours later (11:36 AM – 27 August, 2012) the fully functional exploit was added to Metasploit. This exploit works on Microsoft Windows with Internet Explorer, Firefox & Chrome, but also under Linux with Firefox, running the latest version of Java SE 7.0.

Lots of media and antivirus companies then tried to sell us the story that this 0day was found in a “targeted” attack, you know, the APT stuff.

etc.

But wait a moment: why should every newly discovered 0day be part of a “targeted” attack? Just do some research on the Oracle Java 0day’s origin.

The infected web server is “ok.aa24.net” with IP address “59.120.154.62”. If you take a look on robtex, you can see that the domain name is hosted by afraid.org, a free DNS hoster involved in many past attacks. First fact: why would a “targeted” attack use a well-known malware-hosting domain name?

The IP address hosts other domain names, and this IP has also been known as a malware spreader since May 2012 (check SCUMWARE.ORG for all the results for 59.120.154.62). Second fact: why would a “targeted” attack use a well-known IP address as the source of the attack? You know that all security vendors sell “reputation” blacklist products?

If you take a look at all the SCUMWARE.ORG results, you can see well-known Trojans and downloaders (Trojan.Win32.Agent.srjf, Win32/Agent.PBJ trojan, Win32/Spindest.A trojan), etc. Third fact: why would a “targeted” attack use such bad malware to infect a “targeted” target 🙂

Now we will take a look at the source code of the “/meeting/index.html” page. OK, OK, I admit the page contains an obfuscated JavaScript 🙂 Then just deobfuscate this JavaScript (my pastebin deobfuscated code). We can find some interesting patterns in the JavaScript code like “xiaomaolv”, “woyouyizhixiaomaolv” and “conglaiyebuqi”. All these patterns are transliterated Mandarin (Putonghua) pronunciation.

  • woyouyizhixiaomaolv – 我有一只小毛驴 – I have a small donkey
  • conglaiyebuqi – 从来也不骑 – Never played

If you do a simple search on Google, you will find that these strings were presented at BlackHat USA 2010 in “Balancing the Pwn Trade Deficit”. So these patterns have been known for at least 2 years. Fourth fact: why would a “targeted” attack use known patterns; aren’t antiviruses only good at detecting static patterns? Also guys, not everything that comes from China is part of a big conspiracy against the world.

OK, let’s continue to analyze the deobfuscated JavaScript code. We can find other interesting patterns like “Gondvv.class”, “gondady” and “gondad”. Here too, a simple search on Google shows that this code is part of a well-known exploit kit, the “Gondad Exploit Kit”. Fifth fact: does a “targeted” attack use popular exploit kits?

Now we will continue with the “hi.exe” file, located at “/meeting/hi.exe”. Through the malwr.com malware analysis service, you can see that the malware requests the “hello.icon.pk” domain name, which is hosted on IP 223.25.233.244, located in Singapore. This malware is caught by 30 of 41 antiviruses on VirusTotal, and the domain name is also hosted on afraid.org… Still a “targeted” attack?

Wait a moment, shouldn’t we try to download the other potential malware hosted on this server? For example “antivirus.exe”, “officeupdate.exe” and “upgrade.exe”, discovered with SCUMWARE.ORG. All this malware is still available on the infected server, and all of it is detected by a minimum of 25 VirusTotal antiviruses. Still a “targeted” attack?

Also, what is surprising is that the infected server is still online; shouldn’t a server involved in a “targeted” attack be shut down by its sponsors once it is caught (remember Stuxnet, Flame, etc.)?

Should I continue with the C&C server, which has also been known for some months? I think I will stop here.

What I think is that the cve2012xxxx.Gondvv.class exploit is unique, and that the time frame between the discovery and the weaponization of the 0day is also unique. But what I really don’t believe is that this 0day was used in targeted attacks…

More references on the doubts about this “targeted” attack:

Trend Micro – Java Runtime Environment 1.7 Zero-Day Exploit Delivers Backdoor

While some reports have gone on to say that this particular zero-day exploit might be used in targeted attacks, our analysis showed that this may not be the case. The sites where the exploit is hosted are known distributors of various malware. The server that BKDR_POISON.BLW connects to is also a known C&C used by malware. Targeted attacks are known to stay under the radar to successfully operate. The domains/IPs this attack use alone say that there was no intention of staying hidden.

Increasing Web Proxy CONNECT Requests from China

Since 28 August we have detected an increasing number of Web Proxy CONNECT requests from China. All the source IPs are different, and most of them only try one or two connections.

Below is a live graph of the “Web Proxy Connect Request” events, an AfterGlow visualization; all the data (timestamps, source IPs, source IP countries, source IP ASNs) is available by clicking on the following link.
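Added example (not the blog’s own tooling) of the detection logic behind that graph: Python that parses proxy log lines in Apache combined-log format, counts CONNECT attempts per source address, and flags the pattern described above, many distinct sources each making only one or two attempts. The log format, the addresses (documentation ranges) and the thresholds are constructed assumptions; SIG 2001675 is the IDS signature number shown on the page, not something this script evaluates.

```python
"""Flag distributed, low-volume proxy CONNECT probing in web server / proxy
logs. Added example, not the blog's code; the log lines below are constructed
in Apache combined-log style and use documentation address ranges."""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: five different sources, one of them trying twice,
# plus two ordinary GET requests that must be ignored.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Aug/2012:09:12:01 +0200] "CONNECT mail.example.net:443 HTTP/1.1" 405 -
203.0.113.22 - - [28/Aug/2012:09:13:44 +0200] "CONNECT mail.example.net:443 HTTP/1.1" 405 -
198.51.100.7 - - [28/Aug/2012:09:14:02 +0200] "CONNECT www.example.org:443 HTTP/1.1" 405 -
198.51.100.7 - - [28/Aug/2012:09:14:03 +0200] "CONNECT www.example.org:443 HTTP/1.0" 405 -
203.0.113.88 - - [28/Aug/2012:09:20:15 +0200] "GET /index.html HTTP/1.1" 200 5120
192.0.2.45 - - [28/Aug/2012:09:21:30 +0200] "CONNECT 203.0.113.5:25 HTTP/1.1" 405 -
192.0.2.99 - - [28/Aug/2012:09:25:17 +0200] "CONNECT 203.0.113.5:25 HTTP/1.1" 405 -
203.0.113.88 - - [28/Aug/2012:09:26:00 +0200] "GET /about.html HTTP/1.1" 200 2048
"""


def parse_connect_requests(log_text):
    """Yield (source_ip, target, status) for every CONNECT line that parses."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("method") == "CONNECT":
            yield m.group("src"), m.group("target"), int(m.group("status"))


def summarize(log_text, max_per_source=2):
    """Count CONNECT attempts per source and how many sources stay at or below
    max_per_source attempts (the 'one or two connections' profile)."""
    records = list(parse_connect_requests(log_text))
    per_src = Counter(src for src, _, _ in records)
    low_volume = sum(1 for n in per_src.values() if n <= max_per_source)
    return {
        "connect_requests": len(records),
        "distinct_sources": len(per_src),
        "low_volume_sources": low_volume,
        "targets": sorted({target for _, target, _ in records}),
    }


def is_distributed_probe(summary, min_sources=5, min_low_volume_ratio=0.8):
    """Alert when many different sources each make only a few CONNECT attempts.
    A single noisy client shows up as one source with many attempts and is
    not matched by this rule; rate limiting covers that case instead."""
    if summary["distinct_sources"] < min_sources:
        return False
    return summary["low_volume_sources"] / summary["distinct_sources"] >= min_low_volume_ratio


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s)                                 # 6 CONNECTs from 5 sources, all low volume
    print("distributed probe:", is_distributed_probe(s))  # True
```

The targets list is worth keeping in the alert: CONNECT attempts toward mail ports (25, 465, 587) or toward other hosts’ 443 usually mean the server is being tested as an open relay or open proxy rather than being attacked itself, which changes who should look at the alert.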

1 month SIG 2001675 IDS Events
