Yesterday Adobe issued a security update to address CVE-2012-1535, which was being exploited in the wild.
The sample that we analyzed is a Microsoft Office Word document with an embedded malicious Flash file.
The name of the malicious doc file is iPhone 5 Battery.doc, md5: 7e3770351aed43fd6c5cab8e06dc0300
The doc file contains an uncompressed Flash file at offset 13832. This Flash file contains the code that performs the heap spraying.
The shellcode uses an XOR loader to decrypt and execute the payload embedded in the DOC file, which is encrypted with a 256-byte XOR key.
We can easily extract the payload using our findexec.py script.
$ python findexec.py "iPhone 5 Battery.doc" OFFICE
Analyzing Office file
One Byte distributionAverage 1166
Detected possible cyphered data on position 67584 of length 135168
Best Val num ocurrences 256
Guessed key length 256
Key found c4c5c6c7d8d9dadbdcdddedfd0d1d2d3d4d5d6d728292a2b2c2d2e2f202122232425262738393a3b3c3d3e3f3031
Found executable at offset 3264
File saved on 1345068027.exe
Found executable at offset 27936
File saved on 1345068028.exe
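The key recovery reported in the output above can be reproduced with a simple frequency argument. The following is an added example, not the findexec.py script (whose code is not shown here); it assumes the key length is already known to be 256 and that the plaintext is zero-heavy like a PE file, and it runs on a constructed stub with a made-up key.

```python
from collections import Counter

KEY_LEN = 256  # key length reported in the tool output above


def xor(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(blob: bytes, key_len: int = KEY_LEN) -> bytes:
    """Guess the key, assuming 0x00 is the most common plaintext byte.

    PE files carry long zero runs (header padding, section alignment) and
    0x00 ^ k == k, so the most frequent ciphertext byte in each column
    (offset modulo key_len) is that column's key byte.
    """
    return bytes(Counter(blob[i::key_len]).most_common(1)[0][0]
                 for i in range(key_len))


def find_executables(plain: bytes) -> list[int]:
    """Offsets of 'MZ' headers whose e_lfanew field points at 'PE\\0\\0'."""
    hits, pos = [], plain.find(b"MZ")
    while pos != -1:
        e_lfanew = int.from_bytes(plain[pos + 0x3C:pos + 0x40], "little")
        if plain[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
            hits.append(pos)
        pos = plain.find(b"MZ", pos + 1)
    return hits


def build_sample() -> tuple[bytes, bytes]:
    """Constructed test data: a minimal PE-like stub, not a real sample."""
    stub = bytearray(7680)
    msg = b"This program cannot be run in DOS mode."
    stub[0:2] = b"MZ"
    stub[0x3C:0x40] = (0x80).to_bytes(4, "little")
    stub[0x4E:0x4E + len(msg)] = msg
    stub[0x80:0x84] = b"PE\0\0"
    stub[0x400:0x400 + 1020] = bytes(range(1, 256)) * 4  # stand-in for code
    key = bytes((i * 37 + 0xC4) % 256 for i in range(KEY_LEN))  # made-up key
    return key, xor(bytes(512) + bytes(stub), key)


if __name__ == "__main__":
    true_key, cipher = build_sample()
    key = recover_key(cipher)
    print("key recovered:", key == true_key)
    print("executables at:", find_executables(xor(cipher, key)))
```

The column index is relative to the start of the encrypted region, so on a real document the blob passed to recover_key must begin where the encrypted data begins.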
Once the document is open and the vulnerability is exploited, the shellcode opens a benign doc file with the following content:
Once the payload is executed, the following dll is dropped on the system:
C:\Documents and Settings\Administrator\Application Data\taskman.dll
And executed using rundll32:
rundll32.exe C:\Documents and Settings\Administrator\Application Data\taskman.dll start
This backdoor is known as c0d0so0 and also as Backdoor.Briba, and it has been seen in other targeted attacks exploiting CVE-2012-0779, among others, during the past few months.
The backdoor contacts the remote server publicnews.mooo.com using an HTTP POST request:
It also tries to download the following file:
publicnews.mooo.com points to:
18.104.22.168 - 22.214.171.124
Psychz Networks PSYCHZ-NETWORKS (NET-108-171-240-0-1) 126.96.36.199 - 188.8.131.52
The server is not responding anymore, but based on the VirusTotal report it seems that logo.gif is a zip file containing an executable that is dropped on the system:
C:\Documents and Settings\<USER>\Application Data\TASKMAN_16vtn.exe
The executable drops another DLL that is called using rundll32:
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe” /c rundll32.exe “C:\Documents and Settings\All Users\Application Data\XpsFilter.dll” (successful)
That process performs HTTP POST requests to the following URL:
hxxp://publicupdate[.]mooo[.]com/index000000001.asp
That resolves to:
184.108.40.206 - 220.127.116.11
Rua de Lagos, Telecentro
P.O. Box 868
The use of Dynamic DNS providers like DynDNS.org, 3322.net, etc. is very common in this kind of threat. You should be monitoring the requests to dynamic DNS providers in your network. You can use the following Snort rules to detect hosts contacting mooo.com subdomains:
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to mooo.com Domain *.mooo.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|mooo|03|com|00|"; fast_pattern; distance:0; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:1111111113; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INFO DYNAMIC_DNS HTTP Request to a *.mooo.com Domain"; flow:established,to_server; content:".mooo.com|0D 0A|"; http_header; classtype:bad-unknown; sid:1111111112; rev:3;)
The following rule is also useful to detect the presence of Backdoor.Briba:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TROJAN Backdoor.Briba Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"loginmid="; http_client_body; content:"nickid="; http_client_body; classtype:trojan-activity; sid:1111111114; rev:1;)
And of course, remember to patch your systems!
We have found another sample of Backdoor.Briba related to the same campaign. This sample connects to the C&C publicdocs.mooo.com. In this case the server is running. The sample downloads the file hxxp://publicdocs[.]mooo[.]com/docs/help.gif
The file contains a GIF header followed by a password-protected zip file. It is easy to extract the password from the original sample (password123).
It drops and executes the XpsFilter.dll that we previously mentioned. This file has a low antivirus detection rate: