Targeted attacks against Tibet organizations

March 13, 2012 | Jaime Blasco
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

We recently detected several targeted attacks against Tibetan activist organizations including the Central Tibet Administration and International Campaign for Tibet, among others. We believe these attacks originate from the same group of Chinese hackers that launched the ‘Nitro’ attacks against chemical and defense companies late last year and are aimed at both spying on and stealing sensitive information about these organizations’ activities and supporters.

The attacks begin with a simple spear phishing campaign that uses a contaminated Office file to exploit a known vulnerability in Microsoft. The information in the spear phishing email is related to the Kalachakra Initiation, a Tibetan religious festival that took place in early January. After further investigation, we discovered that the malware being used in this attack is a variant of Gh0st RAT (remote access Trojan), a type of software that enables anything from stealing documents to turning on a victim’s computer microphone. Gh0st RAT was a primary tool used in the Nitro attacks last year and the variant we uncovered in these attacks seem to come from the same actors. It’s likely that the same group is stealing from major industries as well as infiltrating organizations for political reasons.

It is no surprise that Tibetan organizations are being targeted - they have been for years - and we continue to see Chinese actors breaking into numerous organizations with impunity. Unfortunately, in this particular case, these attacks may have a direct impact on the abuse of human rights in these regions.

Below is a detailed analysis of one of the dozens of campaigns that we’ve been tracking, which illustrates the method used by the attackers and the possible connection to the Nitro attacks.

These latest attacks are linked to the Kalachakra Initiation, a Tibetan religious festival that took place in early January. The spear phishing emails are not that sophisticated and feature a Microsoft attachment ( Camp information at Bodhgaya.doc) that exploits a known Office stack overflow vulnerability (CVE-2010-3333).

Here is one of the mails detected:

The malicious document uses a staged XOR loader, which then resolves imports by hashes (a common technique), with the embedded payload encrypted using a 256-byte XOR key. This allows the payload to obfuscate itself from most security systems and software, including IDS appliances.

To extract the embedded executable we have used a tool that we are writing (and we will release soon) that automatically tries to detect embedded executables on PDF/OFFICE files guessing XOR/ROL/ROR ciphers:

jaimes-MacBook-Pro:test jaime$ python findexec.py tibet/Camp\ information\ at\ Bodhgaya.doc OFFICE

Analyzing Office file

One Byte distributionAverage 476

Best Value 77 number of ocurrences 21565

[‘w’]

Best Value 77

Performing XOR/ROL

Average Entropy 6

6.0

Average 6

Detected possible cyphered data on position 3072 of length 94208

Best Val num ocurrences 256

Guessed key length 256

Calculating calculateOccurencesBySize

Done

hFileBuffersSetFilePointerMCreateFileA?GetCPInfo?GetACP?GetOEMCP?GetProcAddressHLoadLibraryASetEndOfFile?ReadFilekMultiByteToWideChar:LCMapStringA;LCMapStringW?Ge

Key found 92adacafaea9a8abaaa5a4a7a6a1a0a3a2bdbcbfbeb9b8bbbab5b4b7b6b1b0b3b2cdcccfcec9c8cbcac5c4c7c6c1c0c3c2dddcdfded9d8 dbdad5d4d7d6d1d0d3d2edecefeee9e8ebeae5e4e7e6e1e0e3e2fdfcfffef9f8fbfaf5f4f7f6f1f0f3f20d0c0f0e09080b0a05040706010003 021d1c1f1e19181b1a15141716111013122d2c2f2e29282b2a25242726212023223d3c3f3e39383b3a35343736313033324d4c4f4e494 84b4a45444746414043425d5c5f5e59585b5a55545756515053526d6c6f6e69686b6a65646766616063627d7c7f7e79787b7a757477 76717073728d8c8f8e89888b8a85848786818083829d9c9f9e99989b9a95949796919093

Found

Found executable at offset 1752

File saved on 1329392127.exe

Just for good measure, the malware is digitally signed, giving it an extra layer of authenticity - even though the certificate is valid as the root authority is not present on the Trusted Root Certification Authorities store of the computer.

NB: The common name of `Root Agency’ is often used during development to create temporary certificates.

The file was detected only by two AV vendors:

https://www.virustotal.com/file/b23333a2c1dbbf106bd9b185f6fe938883fe96e25bad071ae8bb05010ed4b194/analysis/

The binary drops a couple of files under:

  • C:\Documents and Settings\Administrator\temp.dat
  • C:\WINDOWS\fxsst.dll

The file fxsst.dll is also digitally signed but this time it is more interesting:

The certificate was issued to “Qingdao Ruanmei Network Technology Co., Ltd.” by Verisign. Let’s get more information:

We check that the certificate has been revoked by VeriSign on 12th Dec:

$ openssl crl -in CSC3-2010.crl -noout -text -inform DER|grep 6E1C4 -A1

Serial Number: 6E1C43A41D4DDC805A8561C69CEDA182

Revocation Date: Dec 12 06:13:08 2011 GMT

This file has 0/0 ratio on VirusTotal:

https://www.virustotal.com/file/5df6084462bad851c6a7de5e73ebb61ef2679a02a5d66034eea923da3ba63438/analysis/

The file temp.dat is obfuscated but after deobfuscation we can see that a PE File is generated to inject it into svchost:

To extract the injected code, we run the malware and using “User Mode Process Dumper” we can get a copy of svchost on the infected host. Using WinDBG we can easily find the injected code and extract it.

https://www.virustotal.com/file/41c865f2c419f3ee25fb87e79904a5b2a612d14d26bc435eb9436f0b18e60750/analysis/

Once injected, it will beacon the C&C using the following request (port 8080)

[ GET / HTTP/1.0

Accept: */*

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; MSIE 6.0; Windows NT 6.0)

Host: update.microsoft.com/windowsupdate/v7/default.aspx?ln=zh-cn

Connection: Keep-Alive]

Here is the list of C&C ips referenced:

  • 218.106.193.184 - China Unicom IP network
  • 218.61.72.178 - China Unicom Liaoning province network
  • 59.44.49.88 - CHINANET liaoning province network

We can use this Snort rule to detect this kind of traffic:

alert tcp any any -> any any (msg:“MALWARE WUpdater checkin”; content:”|20|GET”; depth:4; content:“Host|3a| update|2e|microsoft|2e|com”; distance:106; within:30; http_header; classtype:trojan-activity; sid:3000055; rev:1;)

Unfortunately, we discovered that the port was not open on the hacker’s command-and-control server at the time of tests, but examining the code reveals that the sample is waiting to receive an obfuscated binary from the remote server and then load it on the system.

Apart from the first spearphished message we mentioned and the beginning of the article, we detected other messages being sent:
The exploit/shellcode is the same, using the tool we previously used we extract the payload:

$ python findexec.py kalachakra32.doc OFFICE

Analyzing Office file

One Byte distributionAverage 1181

Best Value 77 number of ocurrences 21912

[‘w’]

Best Value 77

Performing XOR/ROL

Average Entropy 7

7.0

Average 7

Detected possible cyphered data on position 3072 of length 273408

Best Val num ocurrences 256

Guessed key length 256

Calculating calculateOccurencesBySize

Done

GetACPkMultiByteToWideCharInterlockedExchangeiGetLastError?lstrcmpiA?GetThreadLocaleHLoadLibraryANLocalAlloc?GetVersionExA?GetVersionRLocalFreeKLoadLibraryW?OutputDebugS

Key found f20d0c0f0e09080b0a05040706010003021d1c1f1e19181b1a15141716111013122d2c2f2e29282b2a25242726212023223d3c3f3e39 383b3a35343736313033324d4c4f4e49484b4a45444746414043425d5c5f5e59585b5a55545756515053526d6c6f6e69686b6a65646 766616063627d7c7f7e79787b7a75747776717073728d8c8f8e89888b8a85848786818083829d9c9f9e99989b9a9594979691909 392adacafaea9a8abaaa5a4a7a6a1a0a3a2bdbcbfbeb9b8bbbab5b4b7b6b1b0b3b2cdcccfcec9c8cbcac5c4c7c6c1c0c3c2dddcdfded9d 8dbdad5d4d7d6d1d0d3d2edecefeee9e8ebeae5e4e7e6e1e0e3e2fdfcfffef9f8fbfaf5f4f7f6f1f0f3

Found executable at offset 1752

File saved on 1329479062.exe

https://www.virustotal.com/file/f2d33e730feba021b2f68ff5c224672fc984c4fb5cde718db6a5fd1fa6084d55/analysis/1329479226/

The executable contains an gzip embedded resource:

The resource is dropped and unzipped and contains the code for the service that will be installed on the system:

The service is then started using:

C:\WINDOWS\system32\rundll32.exe “C:\Archivos de programa\Archivos comunes\Microsoft Shared\Triedit\5a1bcffe.dll”,ServiceEntry”

During the infection, the executable writes a log file where we can check all the behaviour (DebugLog.log):

.\InstallerMFC.cpp-CInstallerMFCApp::InitInstance-56:    Installer Hello!

.\InstallerMFC.cpp-CInstallerMFCApp::InitInstance-75:    dwConfigDataSize = [40]

.\InstallerMFC.cpp-CInstallerMFCApp::InitInstance-171:    ReleaseResource done!

.\install.cpp-InstallSrvPlugin-51:    InstallSrvPlugin!

.\install.cpp-InstallSrvPlugin-125:    szHost = [218.106.193.184] szPort = [81]

.\install.cpp-InstallSrvPlugin-261:    Install Service by WinAPI!

.\install.cpp-InstallSrvPlugin-295:    StartServiceEx!

.\SrvPlugin.cpp-ServiceMain-291:    g_szServiceName = [5a1bcffe]

.\SrvPlugin.cpp-ConnectClientThread-528:    ConnectClientThread

.\SrvPlugin.cpp-ConnectClientThread-638:    szHost = [218.106.193.184] szPort = [81]

Before installing the service, the malware does some verifications in order to detect present AVs:

    • Check for kisknl.sys (Kingsoft Antivirus)
      • Look for KSafeTray.exe and disable it: OpenThread -> SuspendThread
    • Check for TmComm.sys (TrendMicro)
    • Check for HookPort.sys (QQ 360)
    • Depending of the AV present use the native API to install the service or the following method:
      • FindWindowA(“CabinetWClass”, WindowName);
      • FindWindowExA(v15, 0, “WorkerW”, 0);
      • SendMessageA, RegOpenKeyExA, SYSTEM\\CurrentControlSet\\Services\\

The service then opens a connection to  218.106.193.184 (port 81) :

Request:

Response:

Examining the resultant traffic confirms the code to be a variant of the Gh0st RAT (remote access trojan) using a data string of  `ByShe’ in place of the more usual `Gh0st.’

Security admins can use the following rule(s) to detect the command-and-control IP traffic:

alert tcp $HOME_NET any -> $EXTERNAL_NET 81,8000,53 (msg:“MALWARE ByShe outbound traffic detected”; flow:to_server,established; content:“ByShe”; depth:5; classtype:trojan-activity; sid:100000000000; rev:1)

alert tcp $EXTERNAL_NET 81,8000,53 -> $HOME_NET any (msg:“MALWARE ByShe inbound traffic detected”; flow:to_server,established; content:“ByShe”; depth:5; classtype:trojan-activity; sid:100000000000; rev:1)

We have found more samples using this modified header (“ByShe”):

http://www.threatexpert.com/report.aspx?md5=e4e64d365844dc7294e4a553fed7501f

http://www.threatexpert.com/report.aspx?md5=4A35488762F70170DC0D3F46F94A7BCB

It is worth noting that the sample - 4a35488762f70170dc0d3f46f94a7bcb - connects to jericho.3322.org using the `ByShe’ protocol, which was seen during the Nitro attacks we saw between April and November of last year.

This sample was used during the NitroAttacks  last year, a targeted attack against chemical and defense companies that was traced to China. In the following weeks we will disclose more information about these attacks.
Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.
Read more posts from Jaime Blasco ›

TAGS:

‹ BACK TO ALL BLOGS

Watch a Demo ›
GET PRICE FREE TRIAL