Continuing our research on Tibet attacks, we have found more Mac trojans and some interesting MS Office files that deliver them. The group behind these attacks is the same we have been tracking for a while:
- http://labs.alienvault.com/labs/index.php/2012/alienvault-research-used-as-lure-in-targeted-attacks/ [no longer available] AlienVault Tibet related Research now used to target Tibetan non-governmental organizations
The doc files seem to exploit MS09-027 and target Microsoft Office for Mac. This is one of the few times that we have seen a malicious Office file used to deliver Malware on Mac OS X.
http://technet.microsoft.com/en-us/security/bulletin/MS09-027
A remote code execution vulnerability exists in the way that Microsoft Office Word handles a specially crafted Word file that includes a malformed record. An attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
When the victim opens the malicious Word file using Office for Mac, the shellcode writes the malicious payload on disk and executes it, and then opens a benign office file with the following content:
The first stage copies the payload to the __IMPORT section of dyld using memcpy:
push dword 0x1be #Payload size
push edx
push dword 0x8fe6f318
push dword 0x8fe6f318 ## dyld __IMPORT (rwx) mov ebx,0x8fe2e130 #memcpy
jmp ebx
The second stage writes necessary files to /tmp/ (bash file, benign doc file, binary) and then executes the bash script (/tmp/launch-hs):
fstat(0x2, 0xBFFF4CD0, 0x200)
...
fstat(0x24, 0xBFFF4CD0, 0x200)
lseek(0x24, 0x6600, 0x0) #File Offset on the doc file
open(”/tmp/launch-hs”, 0x602, 0x1FF)
open(”/tmp/launch-hse”, 0x602, 0x1FF)
open(”/tmp/file.doc”, 0x602, 0x1FF)
read(0x24, “#!/bin/sh /tmp/launch-hse & open /tmp/file.doc & ”, 0x32)
write(0x26, “#!/bin/sh /tmp/launch-hse & open /tmp/file.doc & ”, 0x32) ...
...
...
close(0x28)
vfork()
execve(0x28, 0xBFFF4B80, 0x0)
Bash file: /tmp/launch-hs:
#!/bin/sh /tmp/launch-hse & open /tmp/file.doc &
The only difference is the .pslist used:
The C&C server this time is:
- 2012.slyip.net : 173.255.160.234
173.255.160.128 - 173.255.160.255
Black Oak Computers Inc - New York - 75 Broad Street
New York, NY, US
The second trojan found is a new one never seen. We have found several versions compiled for different architectures (ppc, i386..) .We have also found a version that has paths to debugging symbols:
/Developer/longgegeProject/Mac Control/MacControl V1.1.1/build/Foundation_Hello.build/ Release/Foundation_Hello.build/Objects-normal/ppc/Foundation_Hello.o
/Developer/longgegeProject/Mac Control/MacControl V1.1.1/build/Foundation_Hello.build/ Release/Foundation_Hello.build/Objects-normal/i386/Foundation_Hello.o
So the group seems to have a project called “longgege” and the actual trojan is named “MacControl” by them.
The trojan performs the following actions:
- Copies itself into /Library/launched
- Creates /Users/{User}/Library/LaunchAgents/com.apple.FolderActionxsl.pslist
This is the way to maintain persistence. The trojan will be executed when the computer starts.
- It then reads the configuration parameters that are at the end of the binary file:
- - domain: freetibet2012.xicp.net - port: 80
- Establishes a connection to the host present in the configuration parameters.
-Sends some information about the victim, username, hostname, system version…
- The trojan will then wait for commands from the C&C.
The attackers can then send commands to the victim to open a remote shell, send files, receive files, delete files….
The C&C domain resolves to freetibet2012.xicp.net: 114.249.207.194
114.240.0.0 - 114.255.255.255
China Unicom Beijing province network
China Unicom
All the samples we have found have 0/0 rate antivirus detection, it includes the malicious doc files.
We will publish a technical analysis of the trojan capabilities and some tips to detect these threats. Stay tuned!
Thanks to Rubén Santamarta @reversemode for his help during the analysis.
