More Details on an ActiveX Vulnerability Recently Used to Target Users in South Korea

June 11, 2018 | Chris Doman

Written By Chris Doman and Jaime Blasco

Introduction

Recently, an ActiveX zero-day was discovered on the website of a South Korean think tank that focuses on national security. Whilst ActiveX controls are disabled on most systems, they are still enabled on most South Korean machines due to mandates by the South Korean government. These attacks have been attributed to Lazarus, a group thought to be linked to North Korea.

Below we’ve shared our brief analysis of the attack.

Profiling Script

The first step appears to have been a profiling script to get information on possible targets for their attack. We’ve seen Lazarus do this before on other sites they have infected, and it’s a technique that other advanced attackers have been seen to employ.

This was followed by scripts to perform additional profiling and actually deliver the ActiveX exploit.

Some details of these scripts were kindly shared by issuemakerslab, who identified a number of infections that moved over time:

Whilst these malicious files have been taken down, a record of the same infection is preserved on urlscan. The malicious script is hidden at http://www.sejong[.]org/js/jquery-1.5.3.min.js.

This script is similar to typical exploit kits - it identifies which browser and operating system the user is running. Much of the code is taken from PinLady’s PluginDetect. If a target is running Internet Explorer, it checks whether ActiveX is enabled and which plugins are present from a specific list of ActiveX components:

  • EasyPayPlugin.EPplugin.
  • ACUBEFILECTRL.AcubeFileCtrlCtrl.1
  • DUZONERPSSO.DUZONERPSSOCtrl.1

Results are sent to http://alphap1[.]com/hdd/images/image.php?id=ksjdnks. An example execution URL stored in OTX is:

http://alphap1.com/hdd/images/image.php?id=ksjdnks&w=c2Vqb25n&r=PD89JHJlZmVyZXI/Pg==&o=V2luZG93cyBOVCA2LjE7IFdPVzY0OyBUcmlkZW50LzcuMDsgU0xDQzI7IC5ORVQgQ0xSIDIuMC41MDcyNzsgLk5FVCBDTFIgMy41LjMwNzI5OyAuTkVUIENMUiAzLjAuMzA3Mjk7IE1lZGlhIENlbnRlciBQQyA2LjA7IC5ORVQ0LjBDOyAuTkVUNC4wRTsgcnY6MTEuMA==&lv=KO&bt=-1&bv=&bdv=undefined&fv=MjksMCwwLDE3MQ==&silv=NSwxLDUwOTA3LDA=&ez=false&ac=false&si=false&du=false&iw=false

Other Profiling Scripts

It’s easy to find other similar looking scripts with the same obfuscation techniques.

One sends results to http://aega.co[.]kr/mall/skin/skin.php?id=ksjdnks

It’s possible this site was compromised some time ago, as it’s recorded as a command and control server for related Lazarus malware back in 2015, named Waketagat.

ActiveX Exploit and Delivery

The ActiveX exploit was also shared by issuemakerslab on Twitter:

JavaScript to execute the ActiveX exploit

VBScript written to temp.vbs to download and install the malware (splwow32.exe)

If successful, it downloads malware from http://www.peaceind[.]co.kr/board/skin_poll/gallery/poll.php to a file named splwow32.exe.

Splwow32.exe is a fairly uncommon filename for malware, and was previously seen in the Taiwan bank heist, which has been attributed to another subset of the Lazarus attackers. We also note that the peaceind[.]co.kr site has been previously identified as vulnerable.

The Malware

Whilst we can’t be certain, based on the rare filename, date and context, the delivered malware is likely this file. The malware, detected as Akdoor.R228914 by Ahnlab, is a simple backdoor that executes commands over the command prompt. It has a distinctive command and control protocol.

When the malware communication is decoded, the victim machine sends a status such as:

And the server responds with:

We were able to find two other samples of Akdoor.R228914 and a different C&C that we share in the appendix.
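As an added example (not code from the original post), the following Python decodes the base64-encoded fields of the profiling beacon quoted above, and applies the same 38-byte check as the Suricata rule in the appendix to the Akdoor server banner, which decodes to the literal text `Login Success!\r\nWelcome!`. The descriptive field names are assumptions inferred from the decoded values.

```python
import base64
import urllib.parse

# Profiling beacon quoted in the post (the OTX example execution URL).
BEACON_URL = (
    "http://alphap1.com/hdd/images/image.php?id=ksjdnks"
    "&w=c2Vqb25n&r=PD89JHJlZmVyZXI/Pg=="
    "&o=V2luZG93cyBOVCA2LjE7IFdPVzY0OyBUcmlkZW50LzcuMDsgU0xDQzI7IC5ORVQgQ0xSIDIuMC41MDcyNzsg"
    "Lk5FVCBDTFIgMy41LjMwNzI5OyAuTkVUIENMUiAzLjAuMzA3Mjk7IE1lZGlhIENlbnRlciBQQyA2LjA7IC5ORVQ0"
    "LjBDOyAuTkVUNC4wRTsgcnY6MTEuMA=="
    "&lv=KO&bt=-1&bv=&bdv=undefined&fv=MjksMCwwLDE3MQ==&silv=NSwxLDUwOTA3LDA="
    "&ez=false&ac=false&si=false&du=false&iw=false"
)

# Parameters the script base64-encodes. The descriptive names are an assumption
# inferred from the decoded values, not field names taken from the script itself.
B64_FIELDS = {"w": "site_tag", "r": "referer", "o": "os_ua_tokens",
              "fv": "flash_version", "silv": "silverlight_version"}


def decode_profiling_beacon(url):
    """Return the beacon's parameters with the base64-encoded ones decoded.
    Plain fields (lv, bt, the ez/ac/si/du/iw plugin flags, ...) pass through."""
    query = urllib.parse.urlsplit(url).query
    params = urllib.parse.parse_qsl(query, keep_blank_values=True)
    decoded = {}
    for key, value in params:
        if key in B64_FIELDS and value:
            raw = base64.b64decode(value, validate=True)
            decoded[B64_FIELDS[key]] = raw.decode("utf-8", "replace")
        else:
            decoded[key] = value
    return decoded


# Server banner from the YARA/Suricata rules in the appendix: 36 bytes of base64
# followed by CRLF, i.e. exactly the 38-byte payload the Suricata rule sizes on.
AKDOOR_BANNER = b"TG9naW4gU3VjY2VzcyFcclxuV2VsY29tZSE=\r\n"


def match_akdoor_response(payload):
    """Apply the Suricata rule's logic (dsize:38 plus content at depth 38) to one
    server-to-client TCP payload; return the decoded banner on a hit, else None."""
    if payload != AKDOOR_BANNER:  # equality is what dsize:38 + depth:38 amount to
        return None
    return base64.b64decode(payload.rstrip(b"\r\n")).decode("ascii")


if __name__ == "__main__":
    for name, value in decode_profiling_beacon(BEACON_URL).items():
        print(f"{name:20} {value}")
    print("Akdoor banner:", match_akdoor_response(AKDOOR_BANNER))
```

The decoded referer is `<?=$referer?>`, an unrendered PHP tag, which suggests the beacon was served from a static copy of the script rather than the PHP template it was written for.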

Appendix

Yara rules

rule ActiveXSejongInstitute {
    strings:
        $a1 = "EasyPayPlugin.EPplugin.1"
        $a2 = "ACUBEFILECTRL.AcubeFileCtrlCtrl.1"
        $a3 = "DUZONERPSSO.DUZONERPSSOCtrl.1"
        $a4 = "\\x45\\x61\\x73\\x79\\x50\\x61\\x79\\x50\\x6c\\x75\\x67\\x69\\x6e\\x2e\\x45\\x50\\x70\\x6c\\x75\\x67\\x69\\x6e\\x2e\\x31"
        $a5 = "\\x41\\x43\\x55\\x42\\x45\\x46\\x49\\x4c\\x45\\x43\\x54\\x52\\x4c\\x2e\\x41\\x63\\x75\\x62\\x65\\x46\\x69\\x6c\\x65\\x43\\x74\\x72\\x6c\\x43\\x74\\x72\\x6c\\x2e\\x31"
        $a6 = "\\x44\\x55\\x5a\\x4f\\x4e\\x45\\x52\\x50\\x53\\x53\\x4f\\x2e\\x44\\x55\\x5a\\x4f\\x4e\\x45\\x52\\x50\\x53\\x53\\x4f\\x43\\x74\\x72\\x6c\\x2e\\x31"
        $a7 = "SIClientAccess.SIClientAccess.1"
        $a8 = "INIWALLET61.INIwallet61Ctrl.1"
    condition:
        any of them
}

rule splwow32LazarusPayload {
    strings:
        $resp = "TG9naW4gU3VjY2VzcyFcclxuV2VsY29tZSE="
    condition:
        uint16(0) == 0x5a4d and all of them
}

Profiling Script URLs

http://aega[.]co.kr/mall/skin/skin.php?id=ksjdnks

http://alphap1[.]com/hdd/images/image.php?id=ksjdnks

http://www.peaceind[.]co.kr/board/icon/image.php?id=ksjdnks

https://www.srider[.]net/www/custom.asp?id=sj

http://www.peaceind[.]co.kr/board/skin_poll/gallery/result.php

http://www.sejong[.]org/_lib/conf/conf.php

http://www.sejong[.]org/js/jquery-1.5.3.min.js

http://www.sejong[.]org/pub/inc/config.php

Akdoor.R228914 Download URL

http://www.peaceind[.]co.kr/board/skin_poll/gallery/poll.php

Akdoor.R228914 File-Hashes

9d3fd05a6f31cf4b7ab858825e58d8008d446fad9fddb03aeb8ee107bceb3641

bcec9c6ff39106505c472c38c94e32773c03facda2e1064c20e3905894e9529e

bf4a0fcfe8ef5205d1ca13c5040335df11daebee45c994bd7504f19937d8da20

Akdoor.R228914 Command and Control Servers

176.223.112[.]74

164.132.209[.]191

Akdoor.R228914 Network Detection (Suricata)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"AV TROJAN Lazarus Akdoor.R228914 Response"; flow:established,from_server; dsize:38; content:"TG9naW4gU3VjY2VzcyFcclxuV2VsY29tZSE=|0d 0a|"; depth:38; reference:md5,8796fda0510420f6a1daff6ed89851ab; classtype:trojan-activity; sid:xxx; rev:1;)

OTX Pulse

You can find additional indicators in OTX.

About the Author: Chris Doman, AlienVault
I've had a long interest in security, but joined the industry after winning the civilian section of the Department of Defense's forensics competition. I run a popular threat intelligence portal (ThreatCrowd.org) in my spare time, and hold a CCHIA (Certified Host Intrusion Analyst) from CREST and a degree in Computer Science from the University of Cambridge.