Cyber espionage campaign against the Uyghur community, targeting MacOSX systems

February 13, 2013 | Jaime Blasco
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

During the last few days together with our colleagues from Kaspersky Lab we have been investigating a new strain of spearphishing mails sent to the Uyghur community. You can read their analysis here.

The mails sent contain a Microsoft Office .doc file that exploits MS09-027 affecting Microsoft Office for Mac, this is the same http://labs.alienvault.com/labs/index.php/2012/ms-office-exploit-that-targets-macos-x-seen-in-the-wild-delivers-mac-control-rat/ [no longer available] exploit used in other attacks we discovered in the past.

During the last year we reported a couple of attacks targeting Uyghurs:

- http://labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/ [no longer available] New MaControl variant targeting Uyghur users, the Windows version using Gh0st RAT

Similar attacks have been reported against various ethnic groups like the Tibetan people and other NGOs and human rights organizations:

- http://labs.alienvault.com/labs/index.php/2012/targeted-attacks-against-tibet-organizations/ [no longer available] Targeted attacks against Tibet organizations

- http://labs.alienvault.com/labs/index.php/2012/ms-office-exploit-that-targets-macos-x-seen-in-the-wild-delivers-mac-control-rat/ [no longer available] MS Office exploit that targets MacOS X seen in the wild – delivers “Mac Control” RAT

They have even http://labs.alienvault.com/labs/index.php/2012/alienvault-research-used-as-lure-in-targeted-attacks/ [no longer available] used our research as lure to target non-governmental organizations.

Some of the filenames used in this campaign are:

  • WUC Hacking Emails.doc
  • Concerns over Uyghur People.doc
  • Hosh Hewer.doc
  • Jenwediki yighingha iltimas qilish Jediwili.doc
  • Jenwediki yighingha iltimas qilish Jediwili.doc
  • list.doc
  • Press Release on Commemorat the Day of Mourning.doc
  • The Universal Declaration of Human Rights and the Unrecognized Population Groups.doc
  • Uyghur Political Prisoner.doc
  • Deported Uyghurs.doc
  • Kadeer Logistics detail.doc
  • Jenwediki yighingha iltimas qilish Jediwili(Behtiyar Omer).doc
An easy way to identify the documents is looking for the “author” of the document that is always “captain”. This author has been used several times in the past to perform similar attacks.
 

The following yara rule can be used to identify those files:

rule CaptainWord {

    strings:

         $header = {D0 CF 11 E0 A1 B1 1A E1}

         $author = {00 00 00 63 61 70 74 61 69 6E 00}

    condition:

         $header at 0 and $author

}

Once the victim opens the document the exploit is triggered and the shellcode writes several files on the temporary directory (”/tmp/):

1154/0x2610:  fstat(0x26, 0xBFFF4CD0, 0x200)            = 0 0

1154/0x2610:  lseek(0x26, 0x6600, 0x0)          = 26112 0

1154/0x2610:  open("/tmp/l.sh\0", 0x602, 0x1FF)                 = 40 0

1154/0x2610:  open("/tmp/l\0", 0x602, 0x1FF)            = 41 0

1154/0x2610:  open("/tmp/l.doc\0", 0x602, 0x1FF)                = 42 0

1154/0x2610:  read(0x26, "#!/bin/bash\nsleep 1\n/usr/bin/open /tmp/l.doc\ncp /tmp/l /tmp/m\n/tmp/m\0", 0x44)            = 68 0

1154/0x2610:  write(0x28, "#!/bin/bash\nsleep 1\n/usr/bin/open /tmp/l.doc\ncp /tmp/l /tmp/m\n/tmp/m\0", 0x44)           = 68 0

1154/0x2610:  read(0x26, "\312\376\272\276\0", 0x100)           = 256 0

1154/0x2610:  write(0x29, "\312\376\272\276\0", 0x100)          = 256 0

...

1188/0x2731:  open("/tmp/l\0", 0x0, 0x0)                = 4 0

1188/0x2731:  open("/tmp/m\0", 0x401, 0x0)              = 19 0

…

Then the bash file is executed opening both the trojan and a lure document. There are several lure documents all related with Uyghur activities, an example is:

 

 

It is also funny that one of the lure documents talks about the “Rise in possible State-Sponsored hacking”.

Once executed the malware will try to write both the pslist and the backdoor itself under the LaunchAgents directory. This folder is used by MacOSX to store the configuration files that define the parameters of services run by launchd. It will try both under the system and the current user directory:

Then the command “launchctl load” is used to register the new new daemon. The contents of the apple.pslist file are as follow:

<?xml version=“1.0” encoding=“UTF-8”?>

<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN” “http://www.apple.com/DTDs/PropertyList-1.0.dtd”>

<plist version=“1.0”>

<dict>

<key>KeepAlive</key>

<true/>

<key>Label</key>

<string>apple</string>

<key>Program</key>

<string>/Users/operator1/library/launchagents/.systm</string>

<key>ProgramArguments</key>

<array>

<string>/Users/operator1/library/launchagents/.systm</string>

<string>1</string>

<string>2</string>

<string>3</string>

<string>4</string>

</array>

<key>RunAtLoad</key>

<true/>

</dict>

</plist>

The backdoor contains code from a tool called “Tiny SHell”. You can download the source code of “Tiny SHell” here. You will recognize some of the function names from the source code:

 

 

 

 

 

 

The configuration values are hardcoded in the binary including the encryption key and the C&C address/port:

“Tiny SHell” uses AES encryption for the C&C communications and as we can see the attackers are using “12345678” as the AES secret key:

 

 

On the other hand they decided to use the original challenge responses that can be found in the original pel.c file:

The backdoor has only a couple of functionalities:

- Remote shell execution

- File transfers (get/put)

Most of the binaries we obtained  were compiled using debug symbols so we were able to obtain some debug paths from the machine where the files were compiled:

/Users/cbn/Documents/WorkSpace/design/server/aes.c

/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/aes.o

/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/pel.o

/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/server.o

/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/sha1.o

/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/shell.o

/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/aes.o

/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/pel.o

/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/server.o

/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/sha1.o

/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/shell.o

/Users/cbn/Documents/WorkSpace/design/server/pel.c

/Users/cbn/Documents/WorkSpace/design/server/server.m

/Users/cbn/Documents/WorkSpace/design/server/sha1.c

/Users/cbn/Documents/WorkSpace/design/server/shell.c

Where “cbn” is the username of the user who compiled those files in the attacker’s system.

The backdoor also writes a VCard containing the data about the current user. The purpose of this is not clear.

Network activity

The attackers are using two different C&C domains:

- apple12[.]crabdance[.]com

- update[.]googmail[.]org

The domain crabdance[.]com is a well known free Dynamic DNS provider. We have been monitoring the second domain googmail[.]org for a while. It has been used by a group we internally named as “xsldmt” due to the mail address they use to register most of their domain names the use.

Domain Name:GOOGMAIL.ORG

Created On:16-Dec-2011 03:01:13 UTC

Last Updated On:20-Nov-2012 04:46:22 UTC

Expiration Date:16-Dec-2013 03:01:13 UTC

Sponsoring Registrar:Xin Net Technology Corporation (R118-LROR)

Status:OK

Registrant ID:4jyn2c9u84snj4

Registrant Name:su guang

Registrant Organization:su guang

Registrant Street1:mi quannanguoxiang1hao

Registrant Street2:

Registrant Street3:

Registrant City:changjihuizuzizhizhou

Registrant State/Province:xinjiangweiwuerzizhiqu

Registrant Postal Code:830000

Registrant Country:CN

Registrant Phone:+86.013579984824

Registrant Phone Ext.:

Registrant FAX:+86.09914682953

Registrant FAX Ext.:

Registrant Email:[email protected]

The following graph represents the passive DNS data we collected from the ip addresses involved including other potential domains that are probably being used by the same group.

Indicators of compromise

Apart from the domain names and ip addresses we released that can be used to check your logs for connections to those addresses, here is a list of file paths that can be checked in your systems to find activity related to these attacks:

/tmp/l

/tmp/m

/tmp/l.sh

/tmp/l.doc

/tmp/systm

/tmp/.systm

/tmp/__system

/tmp/__system*

/tmp/tmpAddressbook.vcf

/Library/LaunchDaemons/systm

/Library/LaunchDaemons/.systm

/Library/LaunchDaemons/apple.plist

/Users/[CurrentUser]/Library/LaunchAgents/systm

/Users/[CurrentUser]/Library/LaunchAgents/.systm

/Users/[CurrentUser]/Library/LaunchAgents/apple.plist
Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.
Read more posts from Jaime Blasco ›

‹ BACK TO ALL BLOGS

Watch a Demo ›
GET PRICE FREE TRIAL