Some hours ago my friend PhysicalDrive0 pointed me to a new version of Moh2010.swf that was found in the wild as part of some content exploiting the last Internet Explorer Zeroday.
The exploit code was being served on www.nod32XX.com hosted on:
The exploit scheme is the same one, the original vector is hosted under /Exploit.html. It setups the img content and load the Moh2010.swf file:
- The file Moh2010.swf is a bit different than the previous one. It is also encrypted using DoSWF but the encrypted content is different:
We can also check that DoSWF is licensed to [email protected]:
Once the SWF file is executed it loads a new iframe:
evalRdocument.body.innerHTML=“x<iframe src=Eternalian.html width=10 height=1></iframe>”
This file is very similar to the Protect.html one that we described in our report yesterday.
It triggers the actual vulnerability. The swf file has sprayed the heap and the shellcode is in charge of downloading, decrypting and executing the payload.
The HTTP headers on the server indicates that the files have been created four days ago meaning that the Zeroday vulnerability wasn’t mainstream yet:
last-modified: Fri, 14 Sep 2012 05:29:51 GMT
Last-Modified: Fri, 14 Sep 2012 05:30:07 GMT
Due to the encryption of the SWF file using DoSWF the easiest way to obtain the original file is attaching to Internet Explorer and dumping the decrypted SWF file:
On the decrypted SWF file we found a Bytearray:
If we apply a base64 decode and then we apply a XOR E2 operation we obtain the URL of the malicious payload:
www.nod32XX.com/test.exe (md5: fef2d60ec7ec015f1e119dc469b14f59)
As we can see the content is obfuscated somehow. If we apply a XOR 70 operation on the bytes which value differs from 00 or 70 we obtain the original payload md5: 00fdb6ad7345c0912ea9d2fa4c49950e.
The malicious payload contains several resources that are decompressed (Winrar) during execution:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\Nv.exe MD5: 09B8B54F78A10C435CD319070AA13C28
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\Nv.mp3 MD5: B29265A6932E1FC4DEE6FA6908413A50
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\NvSmartMax.dll MD5: 0B21678ED8E2B117344CFCEBA8F097DD
The file NvSmartMax.dll is familiar, isn’t it? We described this technique
http://labs.alienvault.com/labs/index.php/2012/tracking-down-the-author-of-the-plugx-rat/ [no longer available] some days ago. The file Nv.exe algo known as NvSmart.exe is a benign file signed by Nvidia and used widely by Nvidia in several applications.
Once Nv.exe is executed it loads NvSmartMax.dll that has been modified to execute the binary content present on Nv.mp3.
Due to the fact that Nv.exe is digitally signed with a valid certificate it can bypass some of the Operating System restrictions and this technique is used to execute the malicious payload every time the system is booted.
Surprise!. The actual payload present on Nv.mp3 is a version of the PlugX RAT that we uncovered a few days ago. Do you remember WHG, the guy behind it?.
We can find the same debug path that we found in our previous blog post:
The RAT connect to the C&C server on exchange.likescandy.com currently pointing to 188.8.131.52:
The RAT uses the well know Update Protocol, example:
We know that the group actively using the PlugX malware also called Flowershow had access to the Internet Explorer ZeroDay days before it was uncovered. Due tot he similarities of the new discovered exploit code and the one discovered some days ago it is very likely that the same group is behind both instances.
They are using the PlugX RAT as well as the NvSmart technique found in previous targeted attacks in the past. In our previous post we were able to identify the author of this RAT and due to the similarities of the attacks it is very likely that the guy is involved somehow in this code.
We’ve identify several ip addresses and domains that are currently used by this gang including:
I recommend you to check your logs for connections to those IPs/Domains to identify if your systems are targeted by them.
More information regarding WHG
After some research on Whg we were able to get some new information about him:
- Whg went to Xihua (Sichuan province) University as revealed by other mail adress ([email protected])
. You can find references on Baidu/others where he talks about the university as well as source code written when he was a student.
Then, under the pseudonym Wicked Rose, he formed the Network Crack Program Hacker (NCPH) Groupand recruited other talented hackers from his school. He found a funding source (an unknown benefactor) and started attacking US sites. After an initial round of successful attacks, his funding was tripled. All through 2006, NCPH built sophisticated rootkits and launched a barrage of attacks against multiple US government agencies. By the end of July, 2006, NCPH had created some 35 different attack variants for one MS Office vulnerability. During the testing phase, NCPH used Word document vulnerabilities. They switched to Excel and later to PowerPoint vulnerabilities. The result of all of this activity is that the NCPH group siphoned thousands, if not millions, of unclassified US government documents back to China.”
WHG is not a core member of NCPH but a close affiliate of Wicked Rose. WHG appears to be central to development of the NCPH rootkit, aka GinWui. WHG is credited by Wicked Rose as one of the authors of this malicious code. WHG is an experienced malicious code author with the following contact information:
Warlock: Master of the Arcane game
After reviewing the files used to exploit the Internet Explorer vulnerability we’ve identified that those guys are fans of a game called “Warlock: Master of the Arcane”. The are using several variables inside the code that refers to Warlock’s Great Mages names. Some examples are:
King Lich V inside the decrypted SWF file
<body onload=’Elpiritster();‘onselect=‘TestArray()’> on the Eternalian.html file.
I hope you enjoyed this blog post!
During the last few hours we found two more sites that were serving the Zeroday exploit in the past.
The first file we found was a version of Protect.html that was being served in the webpage of one of the main Defense News Portal in India. It contains code to trigger the Internet Explorer vulnerability and it was being served four days ago. We couldn’t retrieve the actual payload and it seems the malicious content is not there anymore.
The second server that was serving the exploit seems to be a fake domain of the 2nd International LED professional Symposium +Expo and it was taken down a few hours ago:
Created On:06-Jul-2012 07:04:31 UTC
Last Updated On:18-Sep-2012 17:08:27 UTC
Expiration Date:06-Jul-2013 07:04:31 UTC
Sponsoring Registrar:GoDaddy.com, LLC (R91-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant Name:Gexin sun
Registrant Street1:Yaroslaviv Val Street, Kyiv, 01034,
Registrant Postal Code:03022
Registrant Email:[email protected]
The first vector was hosted under led.html:
The code is very similar to the previous ones. Notice that the name of the swf used is different Grumgog.swf. Also notice that Grumgog is also a term used in the “Warlock: Master of the Arcane game”
The flash file is also encrypted with DoSWF using the license key issued to “[email protected]” as in the previous version.
Once decrypted we identified that an iframe is loaded (Dodge.html). We couldn’t retrieve the original content.
Once the vulnerability is triggered, the malicious payload is downloaded from update.exe (the file was removed at the time of the analysis).
It seems the guys behind this 0day were targeting specific industries. We’ve seen that they compromised a news site related to the defense industry and they created a fake domain related to LED technologies that can be used to perform spearphishing campaigns to those industries.