Gong Da / Gondad Exploit Pack Adds Java CVE-2012-5076 Support

You may have read my first blog post regarding the evolution of the Gong Da exploit kit, which has evolved into a more complex EK by supporting most of the latest Oracle Java vulnerabilities: CVE-2011-3544 (Oracle Java Rhino exploit), CVE-2012-4681 (Oracle Java August 0day), CVE-2012-0507 (another Oracle Java exploit), CVE-2012-1723 (another Oracle Java exploit) and CVE-2012-1889 (Microsoft XML Core Services). Some previous versions of Gong Da EK also supported CVE-2011-2140 (Adobe Flash Player) and CVE-2012-0003 (Windows Media), but it seems that the new version no longer uses them.

After Cool EK and BlackHole EK, Gong Da EK has integrated exploitation of the Java vulnerability CVE-2012-5076 (Java Applet JAX-WS). This vulnerability, patched in version 7U9 of Oracle Java, affects all versions of Oracle Java from 7 to 7U7.
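Because the affected range is a clean version window (Java 7 up to 7U7, fixed in 7U9), the first defensive question is simply which hosts still run a build inside it. The following is an added example, not code from the original post: it parses the first line of `java -version` output from an inventory and flags Java 7 builds older than update 9. The hostnames, banners and build numbers in the sample inventory are constructed.

```python
import re

# Added example (not code from the original post). It flags Java installations
# in the range the post describes as affected by CVE-2012-5076: Oracle Java 7
# up to 7 Update 7, patched in 7 Update 9. Any build on the 1.7 line below
# update 9 is treated as affected, which is the conservative choice.

# Matches the first line of `java -version` output, e.g. java version "1.7.0_07"
_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')

PATCHED_UPDATE = 9  # 7u9, the fixed release named in the post


def parse_java_version(banner):
    """Return (major, minor, micro, update) from a `java -version` banner,
    or None if the banner carries no recognizable version string."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def affected_by_cve_2012_5076(banner):
    """True for a Java 7 build older than 7u9, False for a patched or
    non-Java-7 build, None when the banner cannot be parsed."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    major, minor, _micro, update = parsed
    if (major, minor) != (1, 7):  # Java 7 reports itself as 1.7.x
        return False
    return update < PATCHED_UPDATE


def find_affected_hosts(inventory):
    """Given {hostname: banner}, return the sorted hostnames whose Java 7
    build is still inside the affected range (unparseable banners are skipped)."""
    return sorted(host for host, banner in inventory.items()
                  if affected_by_cve_2012_5076(banner))


# Constructed sample inventory: hostnames, banners and build ids are made up.
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)',
    "ws-02": 'java version "1.7.0_09"\nJava(TM) SE Runtime Environment (build 1.7.0_09-b05)',
    "ws-03": 'java version "1.6.0_35"\nJava(TM) SE Runtime Environment (build 1.6.0_35-b10)',
    "ws-04": 'java version "1.7.0"\nJava(TM) SE Runtime Environment (build 1.7.0-b147)',
    "ws-05": "bash: java: command not found",
}

if __name__ == "__main__":
    for host in find_affected_hosts(SAMPLE_INVENTORY):
        print(host, "->", SAMPLE_INVENTORY[host].splitlines()[0])
```

The check deliberately keys on the update number only; a build string such as `1.7.0` with no update suffix is the original Java 7 release and is inside the window, so it is treated as update 0.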

This new version was discovered on “hxxp://rdp.nhgdeerw.com/rdp/index.html”, a web site which is currently still online.

“rdp.nhgdeerw.com” is hosted on 173.208.189.170, AS32097, in the US, and the “wangmazz.com” domain name was created on 2012-11-17, through the name.com registrar, for “tao we ([email protected])”.

The “index.html” file, containing JavaScript code obfuscated by “JSXX VIP JS Obfuscator”, is recognized by only 8 of 44 anti-viruses on VirusTotal.com.

/*Encrypt By ndtw.wmdottw.com’s JSXX 0.44 VIP*/

After de-obfuscation of the “index.html” file you can see that Gong Da Pack has evolved into the following diagram.

Below is some information regarding the different files:

  • MWCxT0.jpg (aka CVE-2012-5076) : 2/44 on VirusTotal.com
  • aWxsX0.jpg (aka CVE-2011-3544) : 7/44 on VirusTotal.com
  • kCyrwe1.jpg (aka CVE-2012-0507) : 10/44 on VirusTotal.com
  • RQnRD3.jpg (aka CVE-2012-1723) : 21/44 on VirusTotal.com
  • pujF8.jpg (aka CVE-2012-4681) : 28/44 on VirusTotal.com

Gong Da / Gondad Exploit Pack Evolutions

You may remember the end-of-August Java 0day, aka CVE-2012-4681. This 0day was found in an HTML page containing obfuscated JavaScript. The obfuscation was made by a tool initially called “Dadong’s JS Obfuscator”.

/*Encrypt By Dadong’s JSXX 0.44 VIP*/

This obfuscator was used, in the Java 0day case, to hide the presence of the Chinese Gong Da Pack (aka Gondad).

The August version of Gong Da Pack was exploiting CVE-2012-4681 according to the following diagram, but previous studies, in March, had revealed that this Pack was also dealing with CVE-2011-2140 (Adobe Flash Player), CVE-2012-0003 (Windows Multimedia Library) and CVE-2011-3544 (Oracle Java Rhino exploit).

A new version of Gong Da Pack is emerging, and is getting more complex. This version was discovered on “hxxp://qq.wangmazz.com/xx/index.html”, a web site which is no longer accessible.

“qq.wangmazz.com” was hosted on 210.56.55.106, AS38197, in Hong Kong, and the “wangmazz.com” domain name was created on 2012-10-19, through the name.com registrar, for “jie jiu ([email protected])”.

The “index.html” file contained JavaScript code obfuscated by the same obfuscator as for the Java 0day, but with a different name. I think we could simply rename “Dadong’s JS Obfuscator” to “JSXX VIP JS Obfuscator”. It seems that “Dadong’s” or “xx.xiamaqq.com” are the names of the campaigns. The “index.html” file was recognized by only 9 of 44 anti-viruses on VirusTotal.com.

/*Encrypt By xx.xiamaqq.com’s JSXX 0.44 VIP*/

After de-obfuscation of the “index.html” file you can see that Gong Da Pack has evolved into the following diagram.

Gong Da Pack is still dealing with CVE-2011-3544 (Oracle Java Rhino exploit) and CVE-2012-4681 (Oracle Java August 0day), has added CVE-2012-0507 (another Oracle Java exploit), CVE-2012-1723 (another Oracle Java exploit) and CVE-2012-1889 (Microsoft XML Core Services), but has removed CVE-2011-2140 (Adobe Flash Player) and CVE-2012-0003 (Windows Multimedia Library) for this campaign.

An interesting part discovered in the code is that the bad guys were trying to target Internet Explorer browsers with Korean language support for CVE-2012-1889.

Below is some information regarding the different files:

“qaz2.exe”, a PE32 executable, is recognized as a trojan targeting online gamers by 23/44 anti-viruses. This file is downloaded from “xx.xiamaqq.com”, located on 210.56.55.161, AS38197, in Hong Kong. The “xiamaqq.com” domain name was also created on 2012-10-19, through the name.com registrar, for “jie jiu ([email protected])”.

Once installed, “qaz2.exe” connects to “o108.cvnieksff.com” on 111.68.8.254, in Hong Kong. The “cvnieksff.com” domain name was created on 2012-05-11, through the enom.com registrar, for “Yu Yuming ([email protected])”. The first connection is an HTTP GET request to “/jc/post.asp?d10=MACADDRESS&d11=ver-jc-119xx&d21=56&d22=OSTYPE”. The response to this request is:

In conclusion, Gong Da Pack (aka Gondad) seems to continue to target Asian countries, and has evolved to mostly use the latest Oracle Java exploits. As you can see, this campaign has targeted online gamers; what is still not clear is when and how the August Java 0day was pushed into Gong Da Pack.
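The hosts named in the analysis above and the shape of the first beacon sent by “qaz2.exe” (the GET to “/jc/post.asp?d10=MACADDRESS&d11=ver-jc-119xx&d21=56&d22=OSTYPE”) are enough to write a proxy-log check. The following is an added example, not code from the original post: it matches the beacon by its parameter structure rather than by literal values, since d10 and d22 are placeholders in the post, and separately flags any request to the campaign hosts or IPs. The log format, client addresses, timestamps, the MAC address in d10, the OS string in d22 and the “/qaz2.exe” download path are all constructed for the example.

```python
import re
from collections import namedtuple

# Added example (not code from the original post). It replays the post's
# indicators against constructed proxy log lines: the hosts the campaign used
# and the shape of the first beacon qaz2.exe sends,
#   GET /jc/post.asp?d10=MACADDRESS&d11=ver-jc-119xx&d21=56&d22=OSTYPE
# where d10 carries the victim's MAC address and d22 the OS type.

# Hosts and IPs named in the analysis.
IOC_HOSTS = {
    "o108.cvnieksff.com",   # first C&C contact after qaz2.exe runs
    "xx.xiamaqq.com",       # serves qaz2.exe
    "qq.wangmazz.com",      # landing page
}
IOC_IPS = {"111.68.8.254", "210.56.55.161", "210.56.55.106"}

# Beacon path shape: d10 and d22 are placeholders in the post and d11 is a
# version-like token, so match the parameter structure, not literal values.
BEACON_RE = re.compile(
    r"^/jc/post\.asp\?d10=[^&]+&d11=ver-jc-[^&]+&d21=\d+&d22=[^&]+$"
)

# Constructed log format: "<time> <client> <method> <host> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

Alert = namedtuple("Alert", "client host path reason")


def classify(line):
    """Return an Alert for a suspicious proxy log line, or None if benign.
    The beacon shape is checked first because it is the stronger signal."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _time, client, _method, host, path, _status = m.groups()
    if BEACON_RE.match(path):
        return Alert(client, host, path, "gondad-beacon-shape")
    if host in IOC_HOSTS or host in IOC_IPS:
        return Alert(client, host, path, "known-campaign-host")
    return None


def scan(lines):
    """Run classify() over an iterable of log lines and return the alerts."""
    return [a for a in (classify(line) for line in lines) if a]


# Constructed sample log: client IPs, times, the MAC in d10, the OS string in
# d22 and the download path of qaz2.exe are made up for the example.
SAMPLE_LOG = """\
2012-11-20T09:12:01 10.0.0.15 GET www.example.org /index.html 200
2012-11-20T09:13:44 10.0.0.15 GET xx.xiamaqq.com /qaz2.exe 200
2012-11-20T09:14:02 10.0.0.15 GET o108.cvnieksff.com /jc/post.asp?d10=00-11-22-33-44-55&d11=ver-jc-119xx&d21=56&d22=WinXP 200
2012-11-20T09:15:10 10.0.0.22 GET www.example.org /jc/post.asp?d10=1 200
""".splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert.reason, alert.client, alert.host, alert.path)
```

The last sample line shows why the beacon rule anchors on the whole parameter sequence: a path that merely starts with “/jc/post.asp” is not enough on its own, while the host rule still catches the C&C and download hosts even if the beacon format changes.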

Oracle Java 0day and the Myth of a Targeted Attack

FireEye (@fireeye) were the first to talk about the Oracle Java 0day in a nice blog post, “Zero-Day Season is Not Over Yet”. As they mentioned in the blog post, it was just a matter of time before a PoC would be released. The tweet was dated 9:26 PM – 26 August, 2012.

@jduck, a member of the Metasploit team, had sufficient information from this blog post to seek out the mentioned infected domain “ok.xx4.net”, which was hosted in China with the “59.xxx.xxx.62” IP address and running on an “IceWarp/4.1” web server, port 80/TCP or 443/TCP. A scan of around 20K servers and the juicy “applet.jar” was found 🙂 Less than 5 hours later (2:01 AM – 27 August, 12) a PoC was available, and less than 24 hours later (11:36 AM – 27 August, 2012) the fully functional exploit was added to Metasploit. This exploit works on Microsoft Windows with Internet Explorer, Firefox and Chrome, but also under Linux with Firefox running the latest version of Java SE 7.0.

https://twitter.com/_juan_vazquez_/status/240020063460143104

Lots of media outlets and antivirus companies then tried to sell us the idea that this 0day was found in a “targeted” attack, you know, the APT stuff, etc.

But wait a moment: why should every newly discovered 0day be part of a “targeted” attack? Just do some research on the origin of the Oracle Java 0day.

The infected web server is “ok.aa24.net” with the “59.120.154.62” IP address. If you take a look on robtex, you can see that the domain name is hosted by afraid.org, a free DNS hoster involved in many past attacks. First fact: why would a “targeted” attack use a well-known malware-hosting domain name provider?

The IP address hosts other domain names and has also been known as a malware spreader since May 2012 (check SCUMWARE.ORG for all results for 59.120.154.62). Second fact: why would a “targeted” attack use a well-known IP address as the source of the attack? You know that all security vendors are selling “reputation” blacklist stuff?

If you take a look at all the SCUMWARE.ORG results, you can see well-known Trojans and downloaders (Trojan.Win32.Agent.srjf, Win32/Agent.PBJ trojan, Win32/Spindest.A trojan), etc. Third fact: why would a “targeted” attack use such bad malware to infect a “targeted” target 🙂

Now we will take a look at the source code of the “/meeting/index.html” page. Ok, ok, I admit the page contains obfuscated JavaScript 🙂 So just deobfuscate this JavaScript (my pastebin deobfuscated code). We can find some interesting patterns in the JavaScript code, like “xiaomaolv”, “woyouyizhixiaomaolv” and “conglaiyebuqi”. All these patterns are Mandarin (Putonghua) transliterated pronunciation.

  • woyouyizhixiaomaolv – 我有一只小毛驴 – I have a small donkey
  • conglaiyebuqi – 从来也不骑 – Never played

If you do a simple Google search, you will find that these strings were presented at BlackHat USA 2010 in “Balancing the Pwn Trade Deficit”. So these patterns have been known for at least 2 years. Fourth fact: why would a “targeted” attack use known patterns; aren’t anti-viruses only good at detecting static patterns? Also guys, not everything that comes from China is part of a big conspiracy against the world.

Ok, let’s continue analyzing the deobfuscated JavaScript code. We can find other interesting patterns like “Gondvv.class”, “gondady” and “gondad”. Here also, a simple Google search will show that this code is part of a well-known exploit kit, the “Gondad Exploit Kit”. Fifth fact: would a “targeted” attack use popular exploit kits?
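The point made across these posts is that the kit leaves static fingerprints: the JSXX obfuscator banner (“/*Encrypt By Dadong’s JSXX 0.44 VIP*/”, “/*Encrypt By xx.xiamaqq.com’s JSXX 0.44 VIP*/”), whose name part the posts read as a campaign label, and the strings that survive deobfuscation (“xiaomaolv”, “woyouyizhixiaomaolv”, “conglaiyebuqi”, “Gondvv.class”, “gondady”, “gondad”). The following is an added example, not code from the original posts: it extracts the campaign label and obfuscator version from the banner and reports which of the kit strings a page contains. The sample page is constructed; only the banner format and the pattern list come from the posts.

```python
import re

# Added example (not code from the original posts). It checks a page for the
# two static fingerprints the posts call out in Gong Da / Gondad landing
# pages: the JSXX obfuscator banner, e.g. /*Encrypt By Dadong’s JSXX 0.44 VIP*/,
# and the string patterns that survive deobfuscation.

# The banner may use a curly or a straight apostrophe before the "s".
BANNER_RE = re.compile(r"/\*Encrypt By (.+?)[’']s JSXX (\d+(?:\.\d+)?) VIP\*/")

# Patterns quoted in the posts. Matching is a case-insensitive substring test,
# so a short form (xiaomaolv, gondad) is also reported when it occurs inside a
# longer one (woyouyizhixiaomaolv, gondady).
GONDAD_PATTERNS = (
    "woyouyizhixiaomaolv",
    "conglaiyebuqi",
    "xiaomaolv",
    "Gondvv.class",
    "gondady",
    "gondad",
)


def find_jsxx_banner(text):
    """Return (campaign_label, version) from the JSXX banner, or None."""
    m = BANNER_RE.search(text)
    return (m.group(1), m.group(2)) if m else None


def find_gondad_patterns(text):
    """Return the known kit strings present in the text, in pattern order."""
    lowered = text.lower()
    return [p for p in GONDAD_PATTERNS if p.lower() in lowered]


def assess(text):
    """Combine both checks. 'suspicious' is True when the obfuscator banner
    or at least one kit string is present."""
    banner = find_jsxx_banner(text)
    patterns = find_gondad_patterns(text)
    return {
        "banner": banner,
        "patterns": patterns,
        "suspicious": banner is not None or bool(patterns),
    }


# Constructed sample: a banner in the format quoted in the posts plus a few of
# the kit strings dropped into otherwise meaningless script text.
SAMPLE_PAGE = """<html><head><script>
/*Encrypt By xx.xiamaqq.com’s JSXX 0.44 VIP*/
var a="woyouyizhixiaomaolv";var b="conglaiyebuqi";
var cls="cve2012xxxx.Gondvv.class";
</script></head></html>"""

BENIGN_PAGE = "<html><body><p>Nothing to see here.</p></body></html>"

if __name__ == "__main__":
    print(assess(SAMPLE_PAGE))
    print(assess(BENIGN_PAGE))
```

Both checks run on the raw page text, so the banner is caught before any deobfuscation, while the kit strings are only visible once the JavaScript has been unpacked; in practice the assessment is run on both the fetched page and its deobfuscated form.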

Now we will continue with the “hi.exe” file, located at “/meeting/hi.exe”. Through the malwr.com malware analysis service, you can see that the malware requests the “hello.icon.pk” domain name, which is hosted on IP 223.25.233.244, located in Singapore. This malware is caught by 30 of 41 anti-viruses on VirusTotal and the domain name is also hosted on afraid.org… Still a “targeted” attack?

Just a moment, shouldn’t we try to download the other potential malware hosted on this server? For example “antivirus.exe”, “officeupdate.exe” and “upgrade.exe”, discovered via SCUMWARE.ORG. All these malware samples are still available on the infected server and are all detected by a minimum of 25 VirusTotal anti-viruses. Still a “targeted” attack?

Also, what is surprising is that the infected server is still online; shouldn’t a server involved in a “targeted” attack be shut down by its sponsors once caught (remember Stuxnet, Flame, etc.)?

Should I continue with the C&C server, which has also been known for some months? I think I will stop here.

What I think is that the cve2012xxxx.Gondvv.class exploit is unique, and that the time frame between the discovery and the weaponization of the 0day is also unique. But what I really don’t believe is that this 0day was used in targeted attacks…

More references on the doubts about this “targeted” attack:

Trend Micro – Java Runtime Environment 1.7 Zero-Day Exploit Delivers Backdoor

While some reports have gone on to say that this particular zero-day exploit might be used in targeted attacks, our analysis showed that this may not be the case. The sites where the exploit is hosted are known distributors of various malware. The server that BKDR_POISON.BLW connects to is also a known C&C used by malware. Targeted attacks are known to stay under the radar to successfully operate. The domains/IPs this attack uses alone say that there was no intention of staying hidden.