Written By Chris Doman and Jaime Blasco
Introduction
Recently, an ActiveX zero-day was discovered on the website of a South Korean think tank that focuses on national security. Whilst ActiveX controls are disabled on most systems, they are still enabled on most South Korean machines due to mandates by the South Korean government. These attacks have been attributed to Lazarus, a group thought to be linked to North Korea.
Below we’ve shared our brief analysis of the attack.
Profiling Script
The first step appears to have been a profiling script to get information on possible targets for their attack. We’ve seen Lazarus do this before on other sites they have infected, and it’s a technique that other advanced attackers have been seen to employ.
This was followed by scripts to perform additional profiling and actually deliver the ActiveX exploit.
Some details of these scripts were kindly shared by issuemakerslab, who identified a number of infections that moved over time:
Whilst these malicious files have been taken down, a record of the same infection is preserved on urlscan. The malicious script is hidden at http://www.sejong[.]org/js/jquery-1.5.3.min.js.
This script is similar to typical exploit kits - it identifies which browser and operating system the user is running. Much of the code is taken from PinLady’s Plugin-Detect. If a target is running Internet Explorer, it checks if it is enabled to run ActiveX, and what plugins are enabled from a specific list of ActiveX components:
- EasyPayPlugin.EPplugin.
- ACUBEFILECTRL.AcubeFileCtrlCtrl.1
- DUZONERPSSO.DUZONERPSSOCtrl.1
Results are sent to http://alphap1[.]com/hdd/images/image.php?id=ksjdnks. An example execution URL stored in OTX is:
http://alphap1.com/hdd/images/image.php?id=ksjdnks&w=c2Vqb25n&r=PD89JHJlZmVyZXI/Pg==&o=V2luZG93cyBOVCA2LjE7IFdPVzY0OyBUcmlkZW50LzcuMDsgU0xDQzI7IC5ORVQgQ0xSIDIuMC41MDcyNzsgLk5FVCBDTFIgMy41LjMwNzI5OyAuTkVUIENMUiAzLjAuMzA3Mjk7IE1lZGlhIENlbnRlciBQQyA2LjA7IC5ORVQ0LjBDOyAuTkVUNC4wRTsgcnY6MTEuMA==&lv=KO&bt=-1&bv=&bdv=undefined&fv=MjksMCwwLDE3MQ==&silv=NSwxLDUwOTA3LDA=&ez=false&ac=false&si=false&du=false&iw=false
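To make beacons like the one above readable when reviewing proxy logs, here is an added Python decoder (our own example, not code from the post or from the attackers' script) that splits the query string and base64-decodes the encoded fields. The mapping of the true/false flags to specific ActiveX controls is an assumption; the post lists the ProgIDs but not which flag reports which.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# The beacon URL quoted above, used here as sample input for the decoder.
SAMPLE_BEACON = (
    "http://alphap1.com/hdd/images/image.php?id=ksjdnks&w=c2Vqb25n&r=PD89JHJlZmVyZXI/Pg=="
    "&o=V2luZG93cyBOVCA2LjE7IFdPVzY0OyBUcmlkZW50LzcuMDsgU0xDQzI7IC5ORVQgQ0xSIDIuMC41MDcyNzsg"
    "Lk5FVCBDTFIgMy41LjMwNzI5OyAuTkVUIENMUiAzLjAuMzA3Mjk7IE1lZGlhIENlbnRlciBQQyA2LjA7IC5ORVQ0"
    "LjBDOyAuTkVUNC4wRTsgcnY6MTEuMA==&lv=KO&bt=-1&bv=&bdv=undefined&fv=MjksMCwwLDE3MQ=="
    "&silv=NSwxLDUwOTA3LDA=&ez=false&ac=false&si=false&du=false&iw=false"
)

# Query parameters the script base64-encodes before sending them.
B64_FIELDS = {
    "w": "site_tag",            # which compromised site served the script ("sejong")
    "r": "referer",             # decodes to the literal text "<?=$referer?>"
    "o": "user_agent_os",       # IE token string: "Windows NT 6.1; WOW64; Trident/7.0; ..."
    "fv": "flash_version",      # e.g. "29,0,0,171"
    "silv": "silverlight_version",
}
# ASSUMED mapping of the boolean flags to the probed ActiveX controls (not stated in the post).
PLUGIN_FLAGS = {"ez": "EasyPayPlugin", "ac": "AcubeFileCtrl", "si": "SIClientAccess",
                "du": "DUZONERPSSO", "iw": "INIwallet61"}
KNOWN_CAMPAIGN_ID = "ksjdnks"   # id= value shared by the profiling URLs in the appendix


def _b64_text(value: str) -> str:
    """Decode a base64 query value, tolerating '+' mangled to ' ' and missing padding."""
    value = value.replace(" ", "+")
    value += "=" * (-len(value) % 4)
    return base64.b64decode(value).decode("utf-8", errors="replace")


def decode_beacon(url: str) -> dict:
    """Turn one profiling beacon URL into a readable dict for log review."""
    parts = urlsplit(url)
    flat = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    result = {
        "host": parts.hostname,
        "path": parts.path,
        "campaign_id": flat.get("id"),
        "known_campaign": flat.get("id") == KNOWN_CAMPAIGN_ID,
        "language": flat.get("lv"),
        "plugins": {name: flat.get(flag) == "true" for flag, name in PLUGIN_FLAGS.items() if flag in flat},
    }
    for key, label in B64_FIELDS.items():
        if flat.get(key):
            result[label] = _b64_text(flat[key])
    return result


if __name__ == "__main__":
    for key, value in decode_beacon(SAMPLE_BEACON).items():
        print(f"{key}: {value}")
```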
Other Profiling Scripts
It’s easy to find other similar looking scripts with the same obfuscation techniques.
One sends results to http://aega.co[.]kr/mall/skin/skin.php?id=ksjdnks
It’s possible this site was compromised some time ago, as it is recorded as a command and control server for related Lazarus malware back in 2015, named Waketagat.
ActiveX Exploit and Delivery
The ActiveX exploit was also shared by issuemakerslab on Twitter:
Javascript to execute the ActiveX exploit
VBScript written to temp.vbs to download and install the malware (splwow32.exe)
If successful, it downloads malware from http://www.peaceind[.]co.kr/board/skin_poll/gallery/poll.php to a file named splwow32.exe. Splwow32.exe is a fairly uncommon filename for malware, and was previously seen in the Taiwan bank heist, which has been attributed to another sub-set of the Lazarus attackers. We also note that the peaceind[.]co.kr site has been previously identified as vulnerable.
The Malware
Whilst we can’t be certain, based on the rare filename, date and context, the delivered malware is likely this file. The malware, detected as Akdoor.R228914 by Ahnlab, is a simple backdoor that executes commands over the command prompt. It has a distinctive command and control protocol.
When the malware communication is decoded, the victim machine sends a status such as:
And the server responds with:
We were able to find two other samples of Akdoor.R228914 and a different C&C that we share in the appendix.
Appendix
Yara rules
rule ActiveXSejongInstitute
{
    strings:
        // Plain ProgIDs of the ActiveX controls the profiling script probes for
        $a1 = "EasyPayPlugin.EPplugin.1"
        $a2 = "ACUBEFILECTRL.AcubeFileCtrlCtrl.1"
        $a3 = "DUZONERPSSO.DUZONERPSSOCtrl.1"
        // The same three ProgIDs as they appear \x-escaped in the obfuscated script.
        // YARA treats \xNN inside a text string as a raw byte, so with a single
        // backslash these would only match the plain text again (duplicating
        // $a1-$a3); the backslash is doubled so the escaped source form matches.
        $a4 = "\\x45\\x61\\x73\\x79\\x50\\x61\\x79\\x50\\x6c\\x75\\x67\\x69\\x6e\\x2e\\x45\\x50\\x70\\x6c\\x75\\x67\\x69\\x6e\\x2e\\x31"
        $a5 = "\\x41\\x43\\x55\\x42\\x45\\x46\\x49\\x4c\\x45\\x43\\x54\\x52\\x4c\\x2e\\x41\\x63\\x75\\x62\\x65\\x46\\x69\\x6c\\x65\\x43\\x74\\x72\\x6c\\x43\\x74\\x72\\x6c\\x2e\\x31"
        $a6 = "\\x44\\x55\\x5a\\x4f\\x4e\\x45\\x52\\x50\\x53\\x53\\x4f\\x2e\\x44\\x55\\x5a\\x4f\\x4e\\x45\\x52\\x50\\x53\\x53\\x4f\\x43\\x74\\x72\\x6c\\x2e\\x31"
        $a7 = "SIClientAccess.SIClientAccess.1"
        $a8 = "INIWALLET61.INIwallet61Ctrl.1"
    condition:
        any of them
}

rule splwow32LazarusPayload
{
    strings:
        // Base64 of the C&C acknowledgement string the backdoor expects from the server
        $resp = "TG9naW4gU3VjY2VzcyFcclxuV2VsY29tZSE="
    condition:
        // MZ header, i.e. only fire on PE files
        uint16(0) == 0x5a4d and all of them
}
Profiling Script URLs
http://aega[.]co.kr/mall/skin/skin.php?id=ksjdnks
http://alphap1[.]com/hdd/images/image.php?id=ksjdnks
http://www.peaceind[.]co.kr/board/icon/image.php?id=ksjdnks
https://www.srider[.]net/www/custom.asp?id=sj
http://www.peaceind[.]co.kr/board/skin_poll/gallery/result.php
http://www.sejong[.]org/_lib/conf/conf.php
http://www.sejong[.]org/js/jquery-1.5.3.min.js
http://www.sejong[.]org/pub/inc/config.php
Akdoor.R228914 Download URL
http://www.peaceind[.]co.kr/board/skin_poll/gallery/poll.php
Akdoor.R228914 File-Hashes
9d3fd05a6f31cf4b7ab858825e58d8008d446fad9fddb03aeb8ee107bceb3641
bcec9c6ff39106505c472c38c94e32773c03facda2e1064c20e3905894e9529e
bf4a0fcfe8ef5205d1ca13c5040335df11daebee45c994bd7504f19937d8da20
Akdoor.R228914 Command and Control Servers
176.223.112[.]74
164.132.209[.]191
Akdoor.R228914 Network Detection (Suricata)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"AV TROJAN Lazarus Akdoor.R228914 Response"; flow:established,from_server; dsize:38; content:"TG9naW4gU3VjY2VzcyFcclxuV2VsY29tZSE=|0d 0a|"; depth:38; reference:md5,8796fda0510420f6a1daff6ed89851ab; classtype:trojan-activity; sid:xxx; rev:1;)
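The rule above and the "distinctive command and control protocol" noted earlier rest on one 38-byte server line. As an added illustration (our own Python, not the authors' tooling or the malware's code), the following re-implements the rule's matching conditions over a constructed session and decodes the matched line; the client status line is a placeholder, since the post does not reproduce the status text.

```python
import base64

# Server-side acknowledgement from the Suricata rule above: 36 base64 characters
# followed by CRLF, which is exactly the 38 bytes the rule's dsize:38/depth:38 expect.
AKDOOR_RESPONSE_B64 = b"TG9naW4gU3VjY2VzcyFcclxuV2VsY29tZSE="
AKDOOR_RESPONSE_WIRE = AKDOOR_RESPONSE_B64 + b"\r\n"


def decode_c2_line(payload: bytes) -> str:
    """Decode one CRLF-terminated base64 line of the Akdoor protocol into text.
    The acknowledgement decodes to 'Login Success!\\r\\nWelcome!' where the \\r\\n are
    literal backslash characters in the malware's string, not a real line break."""
    return base64.b64decode(payload.rstrip(b"\r\n")).decode("latin-1")


def matches_akdoor_response(payload: bytes, from_server: bool) -> bool:
    """Re-implement the rule body: server-to-client packet, dsize 38, content found
    entirely within the first 38 bytes. TCP state (flow:established) is assumed to
    be tracked by the caller."""
    if not from_server or len(payload) != 38:
        return False
    return payload.find(AKDOOR_RESPONSE_WIRE, 0, 38) != -1


def scan_session(session):
    """Return indices of packets in a (direction, payload) list that would alert."""
    return [i for i, (direction, payload) in enumerate(session)
            if matches_akdoor_response(payload, direction == "server")]


# Constructed sample session (not a real capture): a placeholder client status line,
# the genuine 38-byte acknowledgement, then two near-misses the rule must ignore.
SAMPLE_SESSION = [
    ("client", base64.b64encode(b"PLACEHOLDER-STATUS") + b"\r\n"),
    ("server", AKDOOR_RESPONSE_WIRE),
    ("server", AKDOOR_RESPONSE_B64 + b"\r\n\r\n"),   # same content, 40 bytes: dsize fails
    ("client", AKDOOR_RESPONSE_WIRE),                # right bytes, wrong direction
]

if __name__ == "__main__":
    print("alerts on packets:", scan_session(SAMPLE_SESSION))
    print("decoded ack:", repr(decode_c2_line(AKDOOR_RESPONSE_WIRE)))
```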
OTX Pulse
You can find additional indicators in OTX.