Category Archives: Reverse Engineering

CVE-2015-6172 BadWinmail found exploited in the wild

Conclusion: It seem that AV vendors did a big mistake and blocked thousands of legit emails and by consequence also disclosed the content of certain of these emails on Internet, like DRP plan of banks…
All detected samples have now reduced they’re detection rate to only marginal anti-viruses. But clearly F-Secure and BitDefender were detecting and blocking thousands of emails during the last days. For the moment, we have no explanation from the anti-virus vendors.
I would like to thanks @_clem1, @Kafeine and @PhysicalDrive0 for they’re support in these clarifications.

 

On December 8th 2015, Microsoft released, during his regular Patch Tuesday, two updated security advisory, one new security advisory and twelve security bulletins. On the twelve security bulletins, MS15-131 concerned Microsoft Office and fixed 6 privately reported vulnerabilities.

One of the 6 vulnerabilities fixed in MS15-131, CVE-2015-6172 vulnerability raised particular attention of the security community. This vulnerability, named Outlook “letterbomb” or “BadWinMail“, would allow an attacker to sneak past Outlook’s security features. The vulnerability affects Office 2010 and later, as well as Microsoft Word 2007 with Service Pack 3.

This vulnerability has been discovered and privately reported to Microsoft by Haifei Li of Intel Security IPS Research Team. The security researcher published a paper describing the vulnerability accompanied by a demonstration video.

Unfortunately it seem that this vulnerability is actually exploited and was exploited before the release of Microsoft security patch.

Two files “FW Joseph J. Durczynski.rtf” (957a8d9d6bf7a0e54ad7eb350c930232) and “FW Philip Services Corp. et al..rtf” (20e184a415cd71eee1cea83df262f814) were submitted to VirusTotal the 27 December and detected as exploit of CVE-2015-6172.

FW Philip Services Corp. et al..rtf” file seems to be related to PSC Industrial Services. PSC claim to be the leading provider of specialty maintenance services and technology solutions to the critical energy infrastructure in the United States.

FW Joseph J. Durczynski.rtf” file seems to be related to Systech Environmental Corp and to particularly a certain Joe Durczynski working for Systech Environmental Corp.

By doing additional researches I found a third sample “_WRF_0CE7DC0E-AB99-4196-8DC2-F818ABF7C29A_.tmp” (52c4096e99126851736715c34b1f50a5) submitted on malwr the 23 December. This sample was also submitted on VirusTotal the 23 December and also recognised as exploit of CVE-2015-6172.

One additional file “FW RFQ.rtf” (fab9cfbc629fb3c3eb541fdaf8169ee1), reported to me by @PhysicalDrive0, targeting PGM Corp. PGM is a full service precision manufacturing corporation specialising in precision CNC machining, turning, grinding and assembly.

7328bf73af839bfc05e5cae177d60ca06cddc52beeee51fb2268f9a8b98d24fa

Interesting informations are the strings in the static analysis of the 23th December malwr sample.

Subject of the email was “FW: Disaster Recovery – home binder” and this email is an internal mail exchange of Safe Credit Union organisation. Also the mail containing the malware was sent the Tuesday, 8th September 2015.

It seem to be quiet urgent to patch if you didn’t already did it, but that seem to be more and more sure is that CVE-2015-6172 was used in the wild before the release of the Microsoft December patch.

Additional samples are actually submitted:

MS13-051 / CVE-2013-1331 What We Know About Microsoft Office Zero Day

MS13-051 Microsoft Office bulletin was release Tuesday 11th 2013 during the traditional Patch Tuesday. This bulletin fix one vulnerability,  CVE-2013-1331, with a base CVSS score of 9.3 and targeting Microsoft Office 2003 and Office for Mac (2011). This vulnerability allow  remote code execution and was reported by Andrew Lyons and Neel Mehta of Google Inc.

Microsoft has also release additional information’s and it appears that some “bad guys” were using this vulnerability as a zero-day in targeted attacks. The vulnerability is related on how Microsoft Office render malformed PNG files leading to a classic stack based buffer overflow.

Malicious Office documents were referencing a malicious PNG file loaded from Internet and hosted on a remote servers. Remote servers were using scripts in order to avoid multiple times exploitation from the same source. Microsoft believe that attacks were limited to Indonesia and Malaysia.

Microsoft provided some examples of URLs invoked by the malicious Office document, and some hashes of the malicious Office binary format documents.

  • hXXp://intent.nofrillspace.com/users/web11_focus/4307/space.gif
  • hXXp://intent.nofrillspace.com/users/web11_focus/3807/space.gif
  • hXXp://mister.nofrillspace.com/users/web8_dice/3791/space.gif
  • hXXp://mister.nofrillspace.com/users/web8_dice/4226/space.gif
  • hXXp://www.bridginglinks.com/somebody/4698/space.gif
  • hXXp://www.police28122011.0fees.net/pages/013/space.gif
  • hXXp://zhongguoren.hostoi.com/news/space.gif
Information Gathering on “intent.nofrillspace.com

By doing some researches we can find a Google cached Excel document mentioning this domain name the 2011-12-29. Domain name is mentioned as a gateway for malicious activities. Actually the web site is down, but associated IP was 80.93.50.73, hosted in the Russian Federation.

No Frill Space” is a hosting company offering free web spaces. The company web site was still up, regarding WayBack Machine, the May 28th 2013. No additional information’s are available.

intent.nofrillspace.com-document

Information Gathering on “mister.nofrillspace.com

By doing some researches we can find a Google cached web page as it appeared on 27 May 2013. Since, like the previous domain, the web site is no more available. No additional information’s are available.

mister-nofrillspace-com-webpage

Information Gathering on “www.bridginglinks.com

Like “No Frill Space“, “BRIDGING LINKS” is a hosting company offering free web spaces. The company web site was still up, regarding WayBack Machine, the May 21th 2013. “www.bridginglinks.com” was hosted on 85.17.143.51 located in Netherlands.

If we take a look on urlQuery, we can see a submission dating of April 4th 2013, mentioning an interesting URL “hXXp://www.bridginglinks.com/somebody/4698/vw.php“. As you can see the path is the same as the path mentioned by Microsoft. “vw.php” could be one of the file used to avoid multiple times exploitation.

Joe Sandbox is also referencing Report 1482, no more available, that refer a URL “hXXp://www.bridginglinks.com/somebody/4688/vw.php?i=b95146-8a76c6cb7d84148d95ab5a4921b3839c” and a name of a Word document “virus_suspected.doc“. Associated MD5 of the document is “714876fdce62371da08c139377f23d76“, was submitted March 3th 2013, with a file size of 113.0 KB.

my-sample

With the MD5 we can found a VirusTotal sample. Creation date of this document was February 25th 2013. Title of the document is “VN h?c gì t? v? Philippines ki?n TQ” that seem to be Vietnamese and could be translated to “VN learn from China’s conditions for Philippines“.

Document title seem to be related to the events of beginning of this year between China and Philippines regarding territory conflicts.

Here under a screenshot of the sample

CVE-2013-1331-sample

@mwtracker also submitted a sample on Cryptam June 13th 2013.

Update of June 16th 2013

After doing some further investigations we noticed another Word sample (f85eaad502e51eafeae0430e56899d9b) submitted to VirusTotal October 28th 2009 and that has a creation date of October 26th 2009. A re-submission of this sample clearly detect CVE-2013-1331 !

By analyzing this sample title of the document is “The corruption of Mahathir” from autor “585“. “The corruption of Mahathir” document is a reference to Mahathir Mohamad a Malaysian politician who was the fourth Prime Minister of Malaysia, and the document is an adaptation of a Bangkok Post article to remind people how the country has been damaged by Dr M, UMNO and his cronies.

The-corruption-of-Mahathir

Like the previous sample, this sample is referencing “www.bridginglinks.com” and has exactly the same patterns.

space-gif-2

Update of June 17th 2013

Microsoft has reference some hashes of the malicious Office documents. Here under more detailled information’s on these documents. All these malicious documents are actually only detected by Avast and Symantec.

35a6bbc6dda6a1b3a1679f166be11154 Office document

Document theme is related to telecommunications and has “Telco – XX??2013??????????” as title, that could be translated to “Telco – XX company in 2013 described the core network building program“. The document was created Wednesday March 6th 2013 and last saved by “abc“. The document initiate connexions to “hXXp://zhongguoren.hostoi.com/news/space.gif“.

zhongguoren-office-doc

zhongguoren-link

fde37e60cc4be73dada0fb1ad3d5f273 Office document

Document theme is related to Susilo Bambang Yudhoyono an Indonesian politician and retired Army general officer who has been President of Indonesia since 2004. Document title is “Macam-macam critis terhadap SBY dan gerakan kabinet di situs Gerakan Anti SBY II” that could be translated to “Various critis against SBY cabinet and movement at the site of the anti SBY II“. The document was created Monday October 31th 2011 and last saved by “xmuser“. The document initiate connexions to “hXXp://mister.nofrillspace.com/users/web8_dice/4226/space.gif“.

mister-office-doc

mister-link

2f1ab543b38a7ad61d5dbd72eb0524c4 Office document

Document theme is related to Chinese zodiac previsions for 2011, and document title is “Forecast for 2011“. The document was created Monday February 7th 2011 and last saved by “xmuser“. The document initiate connexions to “hXXp://intent.nofrillspace.com/users/web11_focus/3807/space.gif“.

intent-office-doc

intent-link

28e81ca00146165385c8916bf0a61046 Office document

Document theme is Malaysian Telco. The document was created by “PDRM” and last saved by “abc“, also creation date of the document is Sunday October 14th 2012. The document initiate connexions to “hXXp://www.police28122011.0fees.net/pages/013/space.gif“.

police28122011-office-doc

police28122011-link

7eb17991ed13960d57ed75c01f6f7fd5 Office document

Document theme is Indoleaks, an Indonesian equivalent of Wikileak, and document title is “Indoleaks, ‘Wikileaksnya’ Indonesia“. The document was created by “3565“, last saved by “xmuser” and created Sunday January 23th 2011. The document initiate connexions to “hXXp://mister.nofrillspace.com/users/web8_dice/3791/space.gif“.

mister-office-doc2

mister-link2

70511e6e75aa38a4d92cd134caba16ef Office document

Document theme is surveillance devices with document title “Top 11 Aerial Surveillance Devices“. The document was last saved by “xmuser” and created Tuesday January 3th 2012. The document initiate connexions to “hXXp://intent.nofrillspace.com/users/web11_focus/4307/space.gif

intent-office-doc2

intent-link2

Conclusions

Here under a recap table of all behaviors

MD5AuthorLast Saved ByCreation DateLast Saved DateDomainParams
714876fdce62371da08c139377f23d76SYSTEMSYSTEM2013-02-242013-02-24www.bridginglinks.com95146-555210c567278074917c1d11f25a6221
f85eaad502e51eafeae0430e56899d9b585-2009-11-262009-11-26www.bridginglinks.com41977-9c477a3c3bf9724fbd985772f6c50ef0
35a6bbc6dda6a1b3a1679f166be11154Userabc2013-03-062013-03-06zhongguoren.hostoi.com2064-ccca749e1a0e6806503c83048bb643d3
fde37e60cc4be73dada0fb1ad3d5f273-xmuser2011-10-312011-10-31mister.nofrillspace.com81425-3b068ea3d53786a94aaa715c7692a0a1
2f1ab543b38a7ad61d5dbd72eb0524c4-xmuser2011-02-072011-02-07intent.nofrillspace.com67575-80f27a85a4383ea2f92e8ba46c728ba3
28e81ca00146165385c8916bf0a61046PDRMabc2012-10-142012-10-14www.police28122011.0fees.net013-8354f8a7f3c21f58d7dbfa2a943c88b8
7eb17991ed13960d57ed75c01f6f7fd53565xmuser2011-01-232011-01-23mister.nofrillspace.com66995-83fcb7c8e552c81da5611e93a856a399
70511e6e75aa38a4d92cd134caba16ef-xmuser2012-01-032012-01-03intent.nofrillspace.com84435-81782ff9e4e204717db82d2e43a76f2d

My personal opinion is that:

  • I can clearly confirm that the zero-day was exploited in the wild since minimum February 2013 October 2009
  • the campaign was active since a while and has surely target other victims than previously thought.

I will keep you in touch with additional information’s.

Department of Labor Watering Hole Campaign Review

On April 30th, the watering hole campaign was published on a private mailing list and the May 1st, Invicia and AlienVault publicly reported, with technical details, that United States Department of Labor (DOL) Site Exposure Matrices (SEM) website had been compromised and was hosting malicious code. This malicious code was used in watering hole attack targeting at first employees of US Dept of Energy that work in nuclear weapons programs. This malicious code was also used to gather information’s on the visitors of the compromised website.

The exploit used in this campaign was firstly reported as CVE-2012-4792, an Internet Explorer 0day used in December 2012 in CFR.org watering hole campaign and patched by Microsoft in January 2013. Despite the patch release some forks of this exploit were still used in targeted attacks against political parties, political dissidents, online medias and human right activists.

Two days later, FireEyeInvicia and AlienVault concluded that the vulnerability targeted during this attack campaign was not CVE-2012-4792 as they originally reported but a new Internet Explorer 8 vulnerability identified as CVE-2013-1347. This turnaround had unfortunately occur to late. Casual attacker, chaotic actors, organized crime and potentially other states involved in sponsored espionage had the opportunity to study the attack and recover the evidences.

Microsoft has acknowledge the vulnerability in a Microsoft Security Advisory published on May 3rd and identified as MSA-2847140 and has provide a “Fix it” solution to mitigate Internet Explorer 8 vulnerability.

Also, Adobe has announce through APSA13-03 that a critical vulnerability (CVE-2013-3336) is actually exploited against ColdFusion. This vulnerability could permit an unauthorized user to remotely retrieve files stored on the server, through “CFIDE/administrator“, “CFIDE/adminapi” and “CFIDE/gettingstarted*” directories. Adobe ColdFusion is used by DOL and this vulnerability has surely be used in order to compromise the server.

Possible Causes of Confusion between CVE-2012-4792 and CVE-2013-1347

Confusions with CVE-2012-4792 was possible due to similarities in used code and technics:

Usage of widely used JavaScript functions and variables

function getCookieVal(offset)“, widely used, is also present in original CVE-2012-4792 exploit and other forks.
function GetCookie(name)“, widely used,  is also present in original CVE-2012-4792 exploit and other forks.
function SetCookie(name,value)“, widely used, is also present in original CVE-2012-4792 exploit and other forks.
var ua = window.navigator.userAgent.toLowerCase()“, widely used, is also present in original CVE-2012-4792 exploit and other forks.

Usage of particular JavaScript functions also present in previous watering hole campaigns

function DisplayInfo()” also seen in CVE-2012-4792 & CVE-2011-0611 exploits.
function download()” & “function callback()” also seen in CVE-2012-4792 exploit.

Usage of Ajax XMLHttpRequest

This JavaScript object is used to download “bookmark.png” file and was also used to download  “xsainfo.jpg” file in CVE-2012-4792.

Similarities in the JavaScript code structure

If you compare the original CVE-2012-4792 JavaScript code and Exodus Intel fork, with this new exploit, the code structure is very similar in many aspects.

Usage of HTML+TIME technic

HTML+TIME, which is based on the Synchronized Multimedia Integration Language (SMIL), was also used in certain CVE-2012-4792. This technic was explained by Exodus Intel beginning January 2013.

Target selection

Parts of the code targets only Windows XP, Internet Explorer 8 and certain languages, like CVE-2012-4792.

Differences between CVE-2012-4792 and CVE-2013-1347, and Particularities

Some new particularities were present in the exploit and associated watering hole campaign:

Usage of PHP files

All previous watering hole attacks have use HTML or JavaScript files. PHP usage naturally limit the number of potential servers who could be used to start the exploitation and spread the malware. This approach increasingly the technic used by Exploit Kits, maybe a source of inspiration and effectiveness for states involved in sponsored espionage.

Usage of Base64 obfuscation

Obfuscation with base64 encoding (“base64.js” file) was used to hide parts of the exploit. CVE-2012-4792 was using “robots.txt” obfuscated with substitutions and HEX encoding.

Use-After-Free type

As mentioned by sinn3r of Metasploit team, CVE-2012-4792 was a CButton object use-after-free and CVE-2013-1347 is a CGenericElement object use-after-free.

dol[.]ns01[.]us Exploit Hosting Domain Evolutions

Invicia and AlienVault have report that the browser was redirected to the content hosted at dol[.]ns01[.]us which lead to the infection. A urlQuery, of 2013-05-01, is mentioned and refer to dol[.]ns01[.]us on port 8081/TCP. One hit related to the information gathering script is mentioning a last modified date of Thu, 14 Mar 2013 20:06:36 GMT. You can also observe in the executed JavaScript that the hxxp://dol[.]ns01[.]us:8081/web/js.php and hxxp://dol[.]ns01[.]us:8081/web/css.js URL’s are present in the code.

96.44.136.115-3

But if you take a look to a previous urlQuery report of 2013-04-29, hxxp://96[.]44[.]136[.]115/web/js.php, hxxp://96[.]44[.]136[.]115/web/css.js and hxxp:///web/xss.php are mentioned and coded in the executed JavaScript. 96[.]44[.]136[.]115 IP address is mentioned by AlienVault as the IP address behind dol[.]ns01[.]us. As you can see no specific destination port is present and the last modified date is the same. So we can conclude that the guys behind this campaign have change the malicious code during this interval.

urlquery-dol-1

You can observe this evolution with the urlQuery submission of 2013-04-30.

urlquery-2

All these urlQuery submission’s were done with a non Internet Explorer 8 user agent, and as the exploit malicious code was designed to only target Windows XP and Internet Explorer 8, part of the redirection were not present as evidences.

If you observe “/scripts/textsize.js” JavaScript code hosted on DOL website, you can see a first JavaScript inclusion to “hxxp://dol[.]ns01[.]us:8081/web/xss.php” and a second one to “hxxp://dol[.]ns01[.]us:8081/update/index.php“.

The first inclusion “/web/xss.php” was used in order to gather information’s on the DOL website visitors and the second inclusion “/update/index.php” was used to start the exploitation of CVE-2013-1347.

Information Gathering Scripts

As described by AlienVault, the information gathering code “/web/xss.php” on dol[.]ns01[.]us use different JavaScript functions to collect information’s from the system and upload the result to the malicious server.

I found that the information’s gathering script was different depending on the used browser. Here under a description of the JavaScript functions involved in information’s gathering depending on used browsers.

DOL Information Gathering Functions

JavaScript Function(s)Targeted Browser(s)Function Description
jstocreate()Internet ExplorerTest the presence of the Avira, Bitdefender 2013, McAfee VirusScan Enterprise, AVG Secure Search, ESET NOD32, Dr.Web, Microsoft Security Essentials, Sophos, F-Secure Antivirus 2011, Kaspersky 2012, Kaspersky 2013 anti-viruses.
flashver()Internet Explorer & Firefox & ChromeTest the presence and version of Adobe Flash, and supported OS.
officever()Internet ExplorerTest the presence and version of Microsoft Office
plugin_pdf_ie()Internet ExplorerTest the presence of Adobe Reader
bitdefender2012check()Internet Explorer & Firefox & ChromeTest the presence of BitDefender 2012 and try to disable it through disabledbitdefender_2012() function.
java()Internet Explorer & Firefox & ChromeTest the presence and version of Oracle Java plug-in
xunleicheck()Firefox & ChromeTest the presence of xThunder Chrome extension, an extension managing popular downloaders.
kavcheck()Firefox & ChromeTest the presence of Kaspersky Chrome extension
fiddlercheck()Firefox & ChromeTest the presence of Fiddler Chrome extension. Fiddler is an HTTP debugging proxy server application
liveheadercheck()Firefox & ChromeTest the presence of Live HTTP Header Chrome extension
webdevelopercheck()Firefox & ChromeTest the presence of Web Developer Chrome extension
avg2012check()Firefox & ChromeTest the presence of AVG 2012 Chrome extension
tamperdatacheck()Firefox & ChromeTest the presence of Tamper data Chrome extension
adblockcheck()Firefox & ChromeTest the presence of Adblocker Chrome extension
avastcheck()Firefox & ChromeTest the presence of Avast! Chrome extention
pluginverother()Firefox & ChromeTest the presence of all installed modules
All functions used by the information gathering script involved in the DOL watering hole campaign.

Also a specific information gathering technic was triggered when Internet Explorer was used. This technic is related to a non patched vulnerability in Internet Explorer 8, discovered by NSFOCUS and reported to Microsoft in 2011. The vulnerability could allow user information and even local file content leakage if a user views a specially crafted webpage using Internet Explorer.

SA2012-02

Once all information’s gathered, the script send all data’s on a specific URL “hxxp://dol[.]ns01[.]us:8081/web/js.php” and also call “hxxp://dol[.]ns01[.]us:8081/web/css.js” when the information’s are collected.

infogath-inclusions

infogath-js

An interesting information regarding “/web/css.js“, is that the “Last Modified” date reported by “dol[.]ns01[.]us” server is Thu, 14 Mar 2013 20:06:36 GMT. This is reporting that the information gathering infrastructure was in place since mid-March minimum.

dol.ns01.us-8081-1

Interesting facts regarding these information gathering scripts are:

  • Scripts “xss.php“, “js.php” & “css.js” have move from IP 96[.]44[.]136[.]115 on port 80/TCP to domain dol[.]ns01[.]us port 8081/TCP. Move from port 80/TCP to 8081/TCP doesn’t seem to be logic, most of time outgoing connexion’s authorized on Firewalls, for corporate Web surfing, are 80/TCP and 443/TCP.
  • Different types of information gathering scripts were in place, and all users who have visit DOL website were affected by this information gathering campaign.
  • Usage of a specific information leakage vulnerability present in Internet Explorer 8 and not fixed by Microsoft.
  • BitDefender 2012 deactivation attempt is confusing. Why trying to deactivate an anti-virus, this will surely generate an alert.
Information Gathered on dol[.]ns01[.]us

As described in the previous chapter, the information gathering code send a lot of information’s to the backend. Hopefully for security researchers, the backend wasn’t very well protected and all collected information’s were accessible without any restrictions in different web folders. You can find here under some statistics related to the gathered information’s.

TOP-10-TARGETED-COUNTRIES

Complete geolocation of the targeted source IPs

GEO-LOCALISATION

By analyzing the information’s sent to the backend, we can also see that DOL (www.sem.dol.gov) wasn’t the only compromised website:

  • From 2013-03-15 to 2013-04-29 : University Research Co. Cambodia website (www.urccambodia.org) was the first target .This explain the high number of distinct IP addresses from Cambodia.
  • From 2013-04-08 to 2013-04-24 : Awards for Excellence in Education website (www.forexcellenceineducation.org), a program of Fraser Institute, was the second target.
  • From 2013-04-08 to 2013-04-24 : ElectionGuide website (www.electionguide.org), provided by the International Foundation for Electoral Systems (IFES), was the third target.
  • From 2013-04-09 to 2013-04-30 : French Institute of International Relations website (www.ifri.org), was the fourth target.
  • From 2013-04-09 to 2013-04-24 : The Working for America Institute website (www.workingforamerica.org), was the fifth target.
  • From 2013-04-09 to 2013-04-10 : The Project 2049 Institute website (www.project2049.net), was the sixth target.
  • From 2013-04-10 to 2013-04-10 : The Union Label and Service Trades Department website (www.unionlabel.org), was the seventh target.
  • From 2013-04-11 to 2013-04-30 : Thales Catalogue website (components-subsystems.thales-catalogue.com), was the eighth target.
  • From 2013-04-23 to 2013-05-01 : United States Department of Labor (DOL) Site Exposure Matrices (SEM) website (www.sem.dol.gov), was the ninth target.

Here under the hits by browsers and Internet Explorer 8 hits by OS.

Hits-by-Browsers

IE8-Hits-os2

Others Information’s Gathered

As you have read in the previous chapter, ElectionGuide website (www.electionguide.org) was also targeted during this watering hole campaign. As you can see in the following urlQuery submission, dating from 2013-05-01, 96[.]44[.]136[.]115 is also present but don’t respond any more. Also if you observe the urlQuery submission of 2013-05-0396[.]44[.]136[.]115 is still present, but a new backend server has been setup in order replace the once deactivated.

electionguide-both

electionguide-info-gath-inclusions

If you observe the “Last Modified” date of “css.js” file, the installation date of these files is at least the 2013-05-03.

electionguide-css

Also, by researching some patterns matching the information’s gathering script on Google you can find some previous unknown campaigns, that were using the same code.

56go-google

56go-google-cache

Dark South Korea and Discovered PuTTY Tools Behaviours

By analyzing one of the Dark South Korea dropper, I discovered interesting behaviours associated with the PuTTY binaries installed in “%TMP%” Windows folder. These behaviours could be considered as expected, but they could be used more efficiently in the future.

The two installed binaries are “alg.exe“ and “conime.exe“ used to upload “~pr1.tmp” bash file to *NIX targets discovered in configuration files of mRemote and SecureCRT.

alg.exe“ is “plink.exe“ a PuTTY tool acting as a command-line interface to the PuTTY back ends, and “conime.exe” is “pscp.exe” PuTTY tool acting as a SCP client, i.e. command-line secure file copy. These two binaries are legit and don’t contain any associated malwares, they are only used by a malware as support tools.

If mRemote is installed, the dropper extract all required information’s (credentials, ports, ip/domain) from “confCons.xml” configuration file, and use an encryption method vulnerability in mRemote to decrypt it the stored password. After exploitation of the vulnerability, “conime.exe” is used to drop the bash file on the targeted servers.

If the latest version of SecureCRT is installed, the dropper extract all required information’s (credentials, ports, ip/domain) present in “*.ini” configuration files. Each saved connection in SecureCRT use it ones “*.ini”. It seem that an unknown vulnerability was present in previous versions of SecureCRT in order to decrypt the stored password. But in the latest version of SecureCRT, this vulnerability don’t seem to be present. So when “conime.exe” try to connect to the targeted servers the authentication fails due to a bad password.

SecureCRT-2

During my research on the potential SecureCRT vulnerability, I was intrigued by “conime.exe” by access tentatives to the registry keys of PuTTY software “HKCU\Software\SimonTatham\PuTTY\Sessions” and “HKCU\Software\SimonTatham\PuTTY\SshHostKeys“.

PuTTY-1

I decided to install PuTTY, like a majority of sysadmin’s, and create an entry corresponding to potential server also recorded in SecureCRT software.

PuTTY-2

SecureCRT-1

Then I execute the dropper one more time and discovered that “conime.exe“, as expected, has access the PuTTY registry keys related to the targeted server “HKCU\Software\SimonTatham\PuTTY\Sessions\192.168.178.54“. The dropper authentication tentative was still unsuccessful, du to the wrong password.

PuTTY-3

But I also observed that “conime.exe” was also trying to access another registry key of PuTTY “HKCU\Software\SimonTatham\PuTTY\SshHostKeys\rsa2@22:192.168.178.54“.

PuTTY-4

I decided then to create a private and public SSH key, and to configure my putty session to support this SSH private key authentication. The private key wasn’t protected by a passphrase.

PuTTY-5

I execute the dropper one more time and observed a successfull authentication on the targeted server. “conime.exe” was using the private key path present in PuTTY registry key.

PuTTY-6

My final test was to remove the private key from the PuTTY configuration and use “pageant.exe“, an SSH authentication agent for PuTTY, PSCP, PSFTP, and Plink. I loaded my private key in “pageant.exe” and executed the dropper one more time. Same result as the previous one, a successfull authentication on the targeted server.

Conclusions

  1. By analyzing one of the Dark South Korea dropper, with associated vulnerabilities in mRemote and SecureCRT, we can observ that the “bad guys” have use old vulnerabilities in old softwares in order to infect *NIX servers. Why use these old vulnerabilities, if you can simply target PuTTY when it is used with private keys.
  2. Never generate a private key without a passphrase
  3. Don’t let PuTTY Pageant run with charged private keys.