In our first analysis we reported that the exploited vulnerability was CVE-2012-4792 . Further analysis showed that the vulnerability exploited wasn’t CVE-2012-4792 but a new zeroday vulnerability affecting Internet Explorer 8 (CVE-2013-1347). It was confirmed by Microsoft that released a Security Advisory on Friday and also FireEye and Invincea.

In addition we have found that the U.S Department of Labor website wasn’t the only entity affected and we can confirm that at least 9 other websites were redirecting to the malicious server at the same time. The list of affected sites includes several non-profit groups and institutes as well as a big european company that plays on the aerospace, defence and security markets.

Finally we detected several redirections to another malicious server located at www[.]sellagreement[.]com (198.96.92.107) that was serving parts of the malicious payloads found on dol[.]ns01[.]us.

We recommend you to search your logs for connections to those domains and IP addresses.

Clarification:

The website affected is the The Department of Labor (DOL) Site Exposure Matrices (SEM) Website 

“The Department of Labor (DOL) Site Exposure Matrices (SEM) Website is a repository of information gathered from a variety of sources regarding toxic substances present at Department of Energy (DOE) and Radiation Exposure Compensation Act (RECA) facilities covered under Part E of the Energy Employees Occupational Illness Compensation Program Act (EEOICPA)”

As you can see in the following UrlQuery report the website is including code from the malicious server dol[.]ns01[.]us:

Once you visit the website the following file is included:

www[.]sem[.]dol[.]gov/scripts/textsize.js that contains the following code:

The browser will then execute a script from the malicious server dol[.]ns01[.]us:8081/web/xss.php

http://labs.alienvault.com/labs/index.php/projects/open-source-ip-reputation-portal/information-about-ip/?ip=96.44.136.115

The script will collect a lot of information from the system and then it will upload the information collected to the malicious server. Some of the functions to collect information are:

flashver(): This function will collect information about the Flash software running on the system, including versions and OS details

bitdefender2012check() and disabledbitdefender_2012(): The function will try to determine if BitDefender is running on the system checking for the injected code (netdefender/hui/ndhui.js) on the HTML of the webpage and it will try to deactivate the AV.

avastcheck(): It checks if Avast Antivirus is running on the system detecting the presence of the Chrome extension:

aviracheck(): It checks if Avira Antivirus is running on the system detecting the presence of the Chrome extension:

java(): It collects information about Java versions running on the system

officever(): It collects information about Microsoft Office versions installed on the system

plugin_pdf_ie(): It detects if Adobe Reader is installed in the system calling Acrobat Reader’s ActiveX object:

jstocreate(): It detects if the system is running one of the following Antivirus:

• avira
• bitdefender_2013
• mcafee_enterprise
• avg2012
• eset_nod32
• Dr.Web
• Mse
• sophos
• f-secure2011
• Kaspersky_2012
• Kaspersky_2013

Once all the information has been collected it sends the data to the following URL using a POST request:

dol[.]ns01[.]us:8081/web/js[.]php

An example of the information collected is as follow:

Shockwave Flash 11.6.602,No Java or Disable or user uninstall it(if plugins have java)!,Avast!,Shockwave Flash(Name:NPSWF32_11_6_602_180.dll{Ver:11.6.602.180}),AVG SiteSafety plugin(Name:npsitesafety.dll{Ver:14.2.0.1}),MindSpark Toolbar Platform Plugin Stub(Name:NP4zStub.dll{Ver:1.0.1.1}),TelevisionFanatic Installer Plugin Stub(Name:NP64EISb.dll{Ver:1.0.0.1}),MinibarPlugin(Name:npMinibarPlugin.dll{Ver:1.0.0.1}),Photo Gallery(Name:NPWLPG.dll{Ver:16.4.3505.912}),Yahoo Application State Plugin(Name:npYState.dll{Ver:1.0.0.7}),Silverlight Plug-In(Name:npctrl.dll{Ver:5.1.10411.0}),Microsoft Office 2010(Name:NPSPWRAP.DLL{Ver:14.0.4761.1000}),Microsoft Office 2010(Name:NPAUTHZ.DLL{Ver:14.0.4730.1010}),Microsoft® Windows Media Player Firefox Plugin(Name:np-mswmp.dll{Ver:1.0.0.8}),PDF-XChange Viewer(Name:npPDFXCviewNPPlugin.dll{Ver:2.5.200.0})

Some of the techniques used in this attack are very similar to the ones we identified a few months ago in an attack against a Thailand NGO website:

Thailand NGO site hacked and serving malware

After sending the information about the system the following request is also made:

dol[.]ns01[.]us:8081/update/index.php

After analyzing that file we found the following function:

If we decode the eval string we find:

After a quick analysis it seems the malicious server is exploiting CVE-2012-4792 that was fixed earlier this year. We are still verifying this information and we will give you more details when we confirm the vulnerability exploited is CVE-2012-4792.

Once the vulnerability is exploited the system will download the payload from dol[.]ns01[.]us:8081/update/bookmark.png:

After fixing the PE header we obtained the following PE file:

https://www.virustotal.com/en/file/ea80dba427e7e844a540286faaccfddb6ef2c10a4bc6b27e4b29ca2b30c777fb/analysis/

It has a detection rate of 2 / 46 at the time of writing this blog post.

Once the payload is executed:

- The malware will create a copy of itself in Documents and Settings\[CURRENT_USER]\Application Data\conime.exe

- It will create a registry key pointing to conime.exe on HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run conime to maintain persistence

- It will connect to a C&C on microsoftUpdate.ns1.name currently pointing to a Google DNS server 8.8.8.8.

An available on malwr.com shows that that the DNS name was previously pointing to:

173.254.229.176

https://malwr.com/analysis/YzUyMDk4M2M5YmM4NDgzNDllMDE5MWE1MDY4Y2I1MGM/

An analysis of the malware shows the payload is using the following GET requests to communicate with the C&C server:

/Photos/Query.cgi?loginid=[RANDOM_NUMBER]

The C&C protocol matches with a backdoor used by a known chinese actor called DeepPanda and described by CrowdStrike in the following analysis:

http://www.crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf

We are still investigating this attack and we will update the blog post if we obtain more information about it.

Happy hunting!

The extension adds a new option to the contextual menu. This option sends the link under the cursor to urlQuery.

It opens a new tab with the url added to the url’s queue. You have to wait a few seconds, while the url is being scanned, and then the full report is shown.

As urlQuery webpage, this extension has an options page where you can configure the User Agent, Refer, Acrobat Reader and Java versions. Unfortunately, a few options are provided by the original page, but we expect some more parameters in the future.

You can get it from Chome Web Store or from our github repository:

https://github.com/jaimeblasco/AlienvaultLabs/tree/master/urlquery-chrome

Bitcoin is an online descentralised virtual currency based on an open source, P2P protocol. Bitcoins can be transferred using a computer without relying on a financial institution.

If you haven’t heard about Bitcoin I recommend you watch the following video:

Both the Bitcoin creation and transfer is performed by computers called “miners” that confirm the bitcoin’s creation by adding the information to a descentralized database.  Bitcoins get harder to generate all the time. There are more that 10 million bitcoins in circulation today. The Bitcoin design only lets the creation of 21 millions and that limit will be reached during the year 2140.

The Bitcoin wallet is what gives you ownership of  one or more Bitcoin addresses. You can use those addresses to send and receive coins from other users.

Due to the complexity of mining bitcoins if you mine on your own it may be a long time until you can make some return. Bitcoin pools are places where multiple users can work together to make bitcoins and share benefits in a fair way.

Finally, you can buy and sell bitcoins using several real world currencies (EUR, USD ..) using several exchanges such as:

- MtGox

- BTC-E

- Virtex

Threat Landscape

Due to the growing popularity of the Bitcoin it has become an attractive and profitable target for cybercriminals. During the last few years we have seen an increase in the number of attacks and threats involving the virtual currency. The bad guys have adapted their tools to steal bitcoins from victims, use compromised systems to mine bitcoins and obtain benefit from it. On the other hand virtual exchanges are also victims and we have seen how the attackers have phished the users of those exchanges and how they have performed Denial of Service attacks to destabilize the exchange rate and profit.

Wallet stealing

During the last few years the capability of stealing the wallet.dat file has been added to several malware families. In addition, new malware families have appeared with the objective of stealing the wallet file from the infected machines.

For example, a version of the Khelios malware that has been used to send Spam and steal data from infected systems added the capability to steal the wallet.dat file some time ago:

As a result if a Bitcoin’s user gets infected, the file containing the keys to use your bitcoin addresses will be stolen. The wallet file can be protected by a password but most of the malwares we have found have keylogging capabilities that could steal the wallet password as well.

Another example are several IRC botnets that are running based on the “AthenaIRCBot” source code that has the capability of stealing the wallet file as well:

Example: 08a9b6a933c8eac7919355d47a811aa2752df74473b8789bcfd567fb779708cd

- Bitcoin mining

Apart from stealing the Bitcoin wallet the number of malware families that can use the victim’s computer power to mine Bitcoins is getting bigger and bigger.

We have found samples that install the Bitcoin daemon in the victim but the most frequently used technique is adding a piece of code that connects to a mining pool (public or private) to mine bitcoins.

You can find variants of very well known malware families such as Zeus/Zbot that added this capability. As an example, we found a Zeus variant more than a year ago that had intalled the Bitcoin daemon to mine bitcoins using the infected systems.

That specific variant was distributed using Fake e-mail messages containing a link to the malicious file.

Once the system got infected the Bitcoin client bitcoind was installed in the system. The Zeus variant was using the configuration file from:

http://www[.]anshaa[.]com/z/config.bin

In the last few months several Dorkbot variants including one that was using Skype to spread added the capability of mining bitcoins.

Once the system gets compromised, a version of the Ufasoft Bitcoin miner is started. In this case the attacker is running his own pooling server.

The Ufasoft software contacts the mining pool server via HTTP:

We have seen samples contacting the following servers that are owned by the same guys behind the botnet:

suppp[.]cantvenlinea[.]biz:1942

ahora[.]revisiondelpc[.]ru:2142

xhuehs[.]cantvenlinea[.]ru:1942

keep[.]hustling4life[.]biz:2142

That infrastructure has been running for at least 5 months.

Another gang has been running several Bitcoin mining servers for more than a year now. They have used Dorkbot as well as other malicious software to infect systems and use their computer power to mine bitcoins. Following is the list of malicious servers they have been using:

m1[.]m94vo3[.]com
xxa[.]m94vo3[.]com
pool[.]dload[.]asia
abcpool[.]dload[.]asia
thehood[.]k4912m[.]com
abc[.]dload[.]asia
paljacinke[.]aquarium-stakany[.]org
entropy[.]k4912m[.]com
xxx[.]z0k3[.]org
xdx[.]8xx5[.]org
xd[.]x1x9[.]asia
xD[.]x3x9[.]asia
www[.]ewgtr[.]us
www[.]btcminers[.]biz
sfx[.]dload[.]asia
thehood[.]k4912m[.]com

We have found instances where the malicious actors are also mining Litecoins that is another virtual currency similar to Bitcoin.

During the analysis of one of the malicious servers that was used to compromise users we found a GUI application that the attackers are using to build “Silent Miners” that are basically processes that run on the background, connect to the server pool that you configure and mine Litecoins/Bitcoins for you:

The program will generate an executable file prepared to run in the background. It makes it very easy for the attackers to include or distribute the executable in the botnets they are already running.

Apart from the infrastructure we have unveiled, we have found many different malwares with Bitcoin mining capabilities in the last few weeks. Some of them are distributed as fake software in P2P networks, using malicious web redirects (Blackhole Exploit Kit), Fake AV’s, etc.

A lot of them also use public mining pools that are also used by regular users to mine bitcoins. Following is a list of malicious binaries we have found as well as the pool server and username they use:

Hash	Server	Username
b21183ebee87ea86acd11e25a3a3b0d1	notroll.in:6332	tromm.5
7fdf03f888932a384b0089d391f01b2e	mining.eligius.st:8337	1663o1jPydX5fgTNsAW33owbsyC1gpwbvn
544b1a3b310ebb9dc9a9d3858c8c7fe4	pool.50btc.com:8332	169TpR47JVcLaQXdGYE6Lv4Ps9DbVqHhSi
9b7a5ab5e06c46b88e3182457b1e9a0f	pool.50btc.com:8332	17F8N9AvEWSWRMgfR2WncDxhHCm2zLMgST
6ba659c9f3de5b5d45a77b12c5ca1e7b	mining.eligius.st:8337	17VJ4nebUbfBoydRC7vLynQruXyqMCDY1W
e26686c56297f259e936454e4ea3f7ae	mining.eligius.st:8337	17VJ4nebUbfBoydRC7vLynQruXyqMCDY1W
ae1350e85fb01777d6b5f93384f23bdc	mining.eligius.st: 8337	1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX
d770554455a70f3a3ad8e3326ddca765	mining.eligius.st:8337	1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX
d911d82dc184bbfc952b77cb4cb1b743	mining.eligius.st:8337	1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX
2f0312e6c46cd6e045f3be88e16ecb74	pool.50btc.com:8332	1Dt8Ai9uNhupwxejr8PN631XTpbECTfQ2y
e64d98da86cf03ff6088b48612870f83	pool.50btc.com:8332	1Dt8Ai9uNhupwxejr8PN631XTpbECTfQ2y
20d5c788a075113145261ee5dfab0fa0	mining.eligius.st:8337	1ES11Ke5mxgz9MYiJ2Pb1MgY2FFYnfs5fA
500d53fbf363ce31d75447a7ac335516	mining.eligius.st:8337	1ES11Ke5mxgz9MYiJ2Pb1MgY2FFYnfs5fA
e61b38b75d1cfefe9f631231666a9211	mining.eligius.st:8337	1H1xa5PV522hUKfBqvfXPqu7buS5q9ckiW
1a155713d6ff01a3e949730d6fe868d9	mining.eligius.st:8337	1HH1Geovwhxq2UnNt6tiscF2kMsxYEVCRM
d726542997e8aaca1c8c2809cc859f04	pool.50btc.com:8332	1Hy8HbYrLPrXhGko2SmkUtMjBvBpVDEeMh
974b155cef5cb549dcd81b62d26a7d7e	mining.eligius.st:8337	1Kjvxd9CbnYbigcC13gS5VAd2asNcdVSyH
9384cb2d2b69d4023dbe2260b789c509	mining.eligius.st:8337	1KyxrBp8mJRt3U6Q12LfuNLonZ9JHLYnbM
9f878f2f555e690d447060bff7856dac	mining.eligius.st:8337	1NqV1Dy7jH4SLXgbihQDRYA9qKgqnSfaVJ
bfe45e910c94c49e63e969cc2dd8c806	mining.eligius.st:8337	1PyoNmwdNP7PQWQwjCLiK8Av5V9eAGhKcL:x
bb0449dcb53723f6cb58d7024c16f887	mining.eligius.st:8337	1Q3TM64corp7BCYY98pa88w9RoZSfxrH8
9a48fe740b8feff35b1dbc07ab99d949	pool.50btc.com:8332	1qGYbXUe48RjdAoHuRhs4vvm118XMY6e3
35c3c3506064dbad08ba3a8a1ccd742b	eiswoj.uktop40chart.co.uk:80	2thread
e32caa62ef6e67e82c2b95c3b2b66db4	litecoinpool.org:3333	8r9di23217.97123y92
13052239a6a852a4eee3febe10268e25	notroll.in:6332	appap.6
6111ebdfcf7c58c953271dcbd594a417	litecoinpool.org:9332	aspen.4
1c5458ed87729b711310b6f0baf270bf	pool.50btc.com:8332	blackweader@hotmail.com_dodi
5271a38bd18c8ad51d5e3b158db11b38	eu.triplemining.com:8344	Bool_Bool
49d8ce6f361cc87f85fe12f4df73bda5	us2.eclipsemc.com:8337	cartoon1996_hm9gjp
815ccc9f6a48cab368e41647c8f81722	us2.eclipsemc.com:8337	cartoon1996_server
2a79e90f44bd136b3a977fe9fc93c1e0	pool.50btc.com:8332	cbargas3443@outlook.com
0eece32d0d55449366eae4462a4781c7	eu.triplemining.com:8344	comp_pony
cc3dc3b176bbc34444117057659e9e14	de.btcguild.com:8332	cviper_1
75bd6e532370c06c567718d68e551647	pool.50btc.com:8332	edwardpafford220@outlook.com
20c05310dc8bb6dd2cf0e4c642e475a1	uscentral.btcguild.com:8332	epix6_datacenter1
4decdf42f9eaf230768220edb361a0e0	uscentral.btcguild.com:8332	epix6_datacenter1
8c5fd67f62fbccf02f8e0e306341713d	uscentral.btcguild.com:8332	epix6_datacenter1
38831b2e4e6ead08c23f7387919999af	pool.50btc.com:8332	franklinandrus99@outlook.com
44ab7103e31a41b53401cedcabf9de6f	us2.eclipsemc.com:8337	happyworld_3
b08ef6df987e03e86cc9af30942e8fd2	us2.eclipsemc.com:8337	happyworld_3
2d150ca060ed2d89ff031c0060275c99	notroll.in:6332	happyworld3000.1
d1cc70aa60e76879da80303f0f79a894	dns.domain-crawlers.com:8332	haqidodges@gmail.com
135cbc204145e63f7af441fff85f4ec7	pool.50btc.com:8332	i0nn@mail.ru_4
854387049a16de49fc6a02655c38c4eb	eu.triplemining.com:8344	IamX_Worker1
a401a4a5051feb11fe594aad9b4bdf95	pool.50btc.com:8332	Jasoncharles848@outlook.com
4b8ad799881c4a79a32ea2a6576a8037	mine3.btcguild.com:8332	JennyEsta_666fuckerhead
ff925fbce01271e6a033febc27703762	gief3.25u.com:8332	jowsie_cheap2
3e4ef7f6727217b01c38ffcab91ef3c9	pool.50btc.com:8332	jrodriguez442@outlook.com
add443fe32e35fb4a46e35ed2052b6f6	miningpool.com:9350	koji35.3
4d4fa3c12eb5f77529e08bb9873e54e1	eu.triplemining.com:8344	lezoum2010_pocket
3f5589b0c8fc9b049e5fde81a642db6c	eu.triplemining.com:8344	loadrs2009_1
1fc06c8cdcbcff1fd5ecf07ded4bed93	us2.eclipsemc.com:8337	m1nd_jorgee
ae08c3c4ab1e43ce8201b572b0b45115	eu.triplemining.com:8344	madhav007_pudge007
47d21779b4e1d7195ae3eceafa1b163d	ltcmine.ru:3333	MinerG_0
ae03b006bb3eb6dcb2a64e3533862367	ltcmine.ru:3333	MinerG_17
c3f67b7b4d3d5152757fd71bca6fbbfe	ltcmine.ru:3333	MinerG_18
202dfdf0ced47d213e833d8a92012d90	ltcmine.ru:3333	MinerG_26
0ed23a28270a27e5a4332ae521ee70b8	ltcmine.ru:3333	MinerG_34
3e348e07f5d98929baa0cb88f00cd8cf	ltcmine.ru:3333	MinerG_7
eb375ba9447d20401ee17192c2f9010d	ltcmine.ru:3333	MinerG_8
c1d4410b41ed7f534457f077370067a6	us2.eclipsemc.com:8337	moi_worker
20c258e021449365a42f9b2fc7d0d4c8	us2.eclipsemc.com:8337	Mystical_pike
2164bd712071628549a25f5eb97a5f35	us2.eclipsemc.com:8337	N785O1c_3cxQO9S
2bab5ce7b48baea90b11244278bd6d57	mine2.btcguild.com:8332	o2521666_1
92b4c95a10d12132138ef15f44c9b9fc	pool.50btc.com:8332	pinkywesen@secure-mail.biz
86ac869662e4b8f0422fb9cbca77d72e	pool.50btc.com:8332	popa_zade@yahoo.com
c6cf7161100ff107b59b7b07db6	pool.50btc.com:8332	popa_zade@yahoo.com
b7752d762c5a9ac883caaefd1cc19c1b	eu.triplemining.com:8344	pr3m1era_Bossnigger
67e591f09ae0cea47f920878f100baa8	pool.50btc.com:8332	rainbow101@outlook.com
3b6c8728ac3ee82a06bca7096265d666	pool.50btc.com:8332	rthrockmorton212@outlook.com
3eb76d2427c283d2c4b9b396bef275a2	pool.50btc.com:8332	ryancaswell772@outlook.com
8f4ad4c95adef240f8edb5f3da09f164	us2.eclipsemc.com:8337	shrooms_mining
da99275413845905166e8470980a155f	eu.triplemining.com:8344	Sisocviper_siso
7f1ef23a0076cedaeec0b7bb55b9702d	eu.triplemining.com:8344	smackos_aliens
1f85e27b2bd33c4d0ca377ad696fa563	us2.eclipsemc.com:8337	SSnack_worker
bbfe230a8471e2b5d807df3368836bce	eu.triplemining.com:8344	Strick3n_stricken
0b04c1538e5f3a37a81ec2086810b8e1	pool.50btc.com:8332	svintaz@mail.ru_7
b51128a0d8626a9b36f25679854d137e	uswest.btcguild.com:8332	tester20122_3
ccf5f50c9f919dbd9c0cc9a313ef5a2d	pool.50btc.com:8332	titorjohn@rocketmail.com
3d31545f1889fa7593defb5f8bbc915a	pool.50btc.com:8332	TOGRI2012@hotmail.com
43cc15d6178c0fa7845fe257a58f5e0b	notroll.in:6332	tophosts.1
9425c6b7654e8e9ceba5894862e28970	notroll.in:6332	tromm.14
865341e5ae9e6fd01eca8e6bb31b4e5d	us2.eclipsemc.com:8337	vapor_worker
ce38c3479d126c80298e0fe76e73e8e5	pool.50btc.com:8332	victory2egy@yahoo.com
d20be24e318844a56d3f38f2d1061dde	pool.50btc.com:8332	victory2egy@yahoo.com
c24700038e25f4ed1aea01bc374ed5a1	pool.50btc.com:8332	victory2egy@yahoo.com_v
d11b21251ef6f8f84efc7130525a4785	pool.50btc.com:8332	vincentbaty87@outlook.com

Show me the money

As you can see in the previous table some of the bad guys were using Bitcoin addresses instead of usernames to connect to the pool servers.

Due to the openness of the Bitcoin’s protocol we can access the information and the transactions done by those accounts.

169TpR47JVcLaQXdGYE6Lv4Ps9DbVqHhSi, 91.39938806 BTC ,$ 8,317.34

17F8N9AvEWSWRMgfR2WncDxhHCm2zLMgST, 20.89356766 BTC , $ 1,901.31

1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX, 420.81569559 BTC, $ 38,294.23

1ES11Ke5mxgz9MYiJ2Pb1MgY2FFYnfs5fAm 52.33521919 BTC , $ 4,762.50

1H1xa5PV522hUKfBqvfXPqu7buS5q9ckiW, 31.00274179 BTC , $ 2,821.25

1Kjvxd9CbnYbigcC13gS5VAd2asNcdVSyH, 88.99839055 BTC , $ 8,098.85

1KyxrBp8mJRt3U6Q12LfuNLonZ9JHLYnbM, 77.55520657 BTC , $ 7,057.52

1Q3TM64corp7BCYY98pa88w9RoZSfxrH8, 48.69058357 BTC , $ 4,430.84

For instance we can see these two Bitcoin addresses probably belong to the same bad actors:

169TpR47JVcLaQXdGYE6Lv4Ps9DbVqHhSi

1ASNjJjUou6RPkmP81nJUuhbZDkxAaHQhX

Those two accounts sent most of the money to the following account:

1827x95K36G3NFxDqiNwo6aE1rH55Ua3p5

That Bitcoin address received a total amount of  1050.21 BTC in the last few months. If the bad guys sold that amount of bitcoins some days ago when a single Bitcoin was worth $265 they could have made $278k. Not bad for a small Botnet!

MtGox Fake sites

Mtgox is the largest Bitcoin exchange where you can trade Bitcoins for EUR/US, etc. In the last few weeks the increased popularity of both Bitcoin and Mtgox has made it an attractive target for attackers.

Last week, we detected several websites that were attempting to target Mtgox users. An attacker set up the fake website www[.]mtgox-chat[.]info:

The malicious server looks like an official Mtgox website with a chat on it. Once the user enters the site it will try to load a malicious Java applet:

The Java applet will download and execute a binary file from a remote site.

Once the file is executed the victim gets infected and the system will contact the C&C server on:

tamere123[.]no-ip[.]org

Having access to the victim’s system the attacker can now get the Mtgox’s credentials and steal the money/bitcoins from the victim.

Impact on the enterprise

The detection of mining software in your network could indicate either a misuse of resources by your employees or an infection that could lead to financial losses.

The following best practices will help you prevent these threats:

- Keep software up to date

- Update your Antivirus signatures

- Run a Vulnerability Assessment Program

- Monitor your networks to detect suspicious network behaviors.

AlienVault Unified Security Management (USM) will detect all the threats mentioned on the blog post (and it’s available as a Free 30 day trial download):

If you want to increase your network visibility you can try  our Unified Security Management solution or download the Open Source version.

During the last few years, we have been publishing about a group of hackers who have focused on targeting DIB (Defence Industrial Base) and other government organizations:

- Another Sykipot sample likely targeting US federal agencies

- Are the Sykipot’s authors obsessed with next generation US drones?

- Sykipot variant hijacks DOD and Windows smart cards

- Sykipot is back

Sykipot are a  highly skilled group of individuals who have exploited a wide range of zeroday vulnerabilities in the last few years including:

CVE	Date	Product
CVE-2007-0671	2007-02-02	Microsoft Excel
CVE-2009-3957	2010-12-01	Adobe Reader
CVE-2010-0806	2010-05-04	Internet Explorer
CVE-2010-2883	2010-09-08	Adobe Reader
CVE-2010-3654	2010-10-28	Adobe Flash Player
CVE-2011-2462	2011-12-06	Adobe Reader

In this blog post we will unveil the new vulnerabilities that this group have used using during the last 8 months and we will publish the new infrastructure they have used. We will expose several examples of the campaigns they have launched and new versions of the Sykipot backdoor they have used to access the compromised systems. We have found evidences that show they have exploited at least the following vulnerabilities during the last few months:

CVE	Date	Product
CVE-2012-1889	06/13/2012	MSXML/Internet Explorer
CVE-2012-1723	06/12/2012	Java 7
CVE-2012-4969	09/16/2012	Microsoft Internet Explorer
CVE-2013-0640	02/12/2012	Adobe Acrobat Reader

Several times the date of the exploit was a few days after the vulnerability had been disclosed and there wasn’t a patch released by the vendor.

Campaigns

In the past most of the campaigns which we found related to the Sykipot actors were based on SpearPhishing mails with attachments that exploited vulnerabilities in software like Microsoft Office, Adobe Flash, Adobe PDF and some times Internet Explorer. During the last 8-10 months we have seen a change and the number of SpearPhishing campaigns which have included a link instead of an attachment and this has increased. Once the victim clicks in the link the attackers will use vulnerabilities in Internet Explorer, Java, etc to access the system.

Some examples of the campaigns they have launched are detailed below.

gsasmartpay.org – 2012-06-20

The last summer, we found a malicious site that the Sykipot actors set up to try and phish government employees. When the victim visited the link the following page appeared:

As we can see it shows the information present in https://smartpay.gsa.gov/cardholders.

“The GSA SmartPay program, established in 1998, is the largest charge card program in the world serving more than 350 federal agencies, organizations, and Native American tribal governments. In FY10, approximately 98.9M transactions were made and $30.2B were charged using the GSA SmartPay charge cards, creating $325.9M in refunds.”

“Eligibility for the program is determined by the GSA SmartPay Contracting Officer. Federal agencies, departments, tribal organizations, and approved non-federal entities can apply to obtain charge card services under the GSA SmartPay program.”

If we take a look at the malicious files we will find that it was exploiting CVE-2012-1889 in the background:

During the exploitation it will load the following files as well:

www[.]gsasmartpay[.]org/cardholders/login/movie[.]swf?apple=AA969692D8CDCD959595CC859183918F83909692839BCC8D9085CD83868D808784CC919584E2E2E2E2
www[.]gsasmartpay[.]org/cardholders/login/deployJava[.]js
www[.]gsasmartpay[.]org/cardholders/login/faq[.]htm

We are not going to show how this vulnerability is exploited since we have showed it in previous blog posts, you can find a good description here.

searching-job.net is another domain registered by the Sykipot actors (registered by thomas7610@yahoo.com on 06-20-2012) that was also serving the same exploit at that time:

www[.]searching-job[.]net/list/verification/deployJava[.]js
www[.]searching-job[.]net/list/verification/faq[.]htm
www[.]searching-job[.]net/list/verification/index[.]htm
www[.]searching-job[.]net/list/verification/movie[.]swf?apple=AA969692D8CDCD959595CC91878390818A8B8C85CF888D80CC8C8796CD848B8E878E8B9196CC868396E2E2E2E2
www[.]searching-job[.]net/account_list/verification/index[.]htm

Apart from gsasmartpay.org we have found several domains registered by the Sykipot actors that they have probably used to phish users in the last few months. Some of the most suspicious ones are detailed below:

- dfasonline.com registered by alcott.churchill@yahoo.com on 06-19-2012

Probably related to Defense Finance and Accounting Service – DFAS - http://www.dfas.mil/

 - aafbonus.com registered by janagreen2000@yahoo.com on 06-19-2012

Probably related to American Advertising Federation – http://www.aaf.org/ 

 - nceba.org registered by jimgreen200088@yahoo.com on 07-24-2012

Probably related to U.S. BANKRUPTCY ADMINISTRATOR - http://www.nceba.uscourts.gov/

 - pdi2012.org registered by alcott.churchill@yahoo.com on 08-18-2011

Probably related to PDI 2012, the premier training event hosted by the American Society of Military Comptrollers

- hudsoninst.com registered by alcott.churchill@yahoo.com on 11-26-2012

Probably related to the Hudson Institute – http://www.hudson.org/ 

Hudson Institute is a nonpartisan, independent policy research organization dedicated to innovative research and analysis that promotes global security, prosperity, and freedom.

CVE-2012-4969 – Internet Explorer

In September last year, the Sykipot actors registered several domains to exploit a vulnerability in Internet Explorer (CVE-2012-4969).

 - resume4jobs.net registered by james.wade1@yahoo.com on 03-08-2012

URL’s involved:

http://www[.]resume4jobs[.]net/account/1024486[.]html

http://www[.]resume4jobs[.]net/account/embed[.]htm

http://www[.]resume4jobs[.]net/jobs[.]exe Sykipot malware that uses info[.]resume4jobs[.]net as the C&C

- paypal1.dns1.us – Dynamic DNS provider

URL’s involved:

http://paypal1[.]dns1[.]us/account/1024486[.]html

http://paypal1[.]dns1[.]us/account/embed[.]htm

- pollingvoter.org registered by jimgreen200088@yahoo.com on 06-11-2012

URL’s involved:

http://www[.]pollingvoter[.]org/ne2012/vote/embed[.]htm

http://www[.]pollingvoter[.]org/life[.]exe Sykipot malware that uses www[.]betterslife[.]com as the C&C

- skyruss.net registered by joneluxara@yahoo.com on 04-17-2012

URL’s involved:

http://social[.]sns[.]skyruss[.]net/variety/index[.]html

http://forum[.]skyruss[.]net/articles/embed[.]htm

CVE-2012-1723 – Java 7

In August, they were exploiting a vulnerability in Java (CVE-2012-1723) to gain access to the victim’s systems. It seems they were using the Metasploit version of the exploit.

Some examples are:

- slashdoc.org registered by jessantt@gmail.com on 05-21-2012

URL’s involved:

http://www[.]slashdoc[.]org/default[.]jar

http://www[.]slashdoc[.]org/index[.]html

The index.html page loads the malicious Java applet and it passes the payload they want to execute using the data parameter (the value is hex encoded):

Based on the content of the lure document the potential victims seem to be somehow related to the Japanese Ministry of Health, Labour and Welfare

Once the infection takes place the following fiels are created on the system:

\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pfilede.dat 5ED3A94354F27BC7AF0FEF04F89D8EB8
\DOCUME~1\ADMINI~1\LOCALS~1\mpr.dll 84EFAFF343CF7A34D2A0D847A1E5FD50
\DOCUME~1\ADMINI~1\LOCALS~1\setm.ini 00051F392350128BA4DD4CA10F44DDEF
\DOCUME~1\ADMINI~1\LOCALS~1\temp.dll BEA84BE4BFE236652F6A4E382B21A96F

The file setm.ini contains the configuration of Sykipot in this case:

[srv_info]
sleeptime=3600000
url=bassball[.]peocity[.]com (C&C server)
scexe=rsvp.exe
scdll=mpr.dll
runexe=run.exe
mark=0304adbh

The following actions take place in the system:

cmd /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v start /t REG_SZ /d [sykipot_payload_file].exe -startup /f (persistence)

Several functions are called within the Sykipot’s DLL:

[sykipot_payload_file].exe -startupEx
[sykipot_payload_file].exe -startup1
cmd /c [sykipot_payload_file].exe -startup

Then the malicious payload will be injected into Internet Explorer.

The malware will communicate with the C&C server once in a while using SSL and the well known communication paths of previous Sykipot payloads:

/kys_allow_put.asp?type=
/kys_allow_get.asp?name=

As we showed in the past most of the Sykipot samples used the key “19990817″ for encryption.In this sample we have found a new key “20120709″ that is also a date.

Infrastructure

Along with the blog post we are making a list of new domains public that weren’t mentioned in previous Sykipot research:

Unique malicious domains:

• peocity.com
• rusview.net
• skyruss.net
• commanal.net
• natareport.com
• photogellrey.com
• photogalaxyzone.com
• insdet.com
• creditrept.com
• pollingvoter.org
• dfasonline.com
• hudsoninst.com
• wsurveymaster.com
• nhrasurvey.org
• pdi2012.org
• nceba.org
• linkedin-blog.com
• aafbonus.com
• milstars.org
• vatdex.com
• insightpublicaffairs.org
• applesea.net
• appledmg.net
• appleintouch.net
• seyuieyahooapis.com
• appledns.net
• emailserverctr.com
• dailynewsjustin.com
• hi-tecsolutions.org
• slashdoc.org
• photosmagnum.com
• resume4jobs.net
• searching-job.net
• servagency.com
• gsasmartpay.org
• tech-att.com

We are releasing Snort rules to detect queries to the malicious domains in your network:

Thanks to EmergingThreats for the help. You will find the rules in its ruleset update today as well.

Based in our research, below is the list of unique e-mail addreses used to registered malicious domains:

• 233@lao.com
• Joneluxara@yahoo.com
• alcott.churchill@yahoo.com
• b@bvc.com
• calvin.kliff@yahoo.com
• carrier.fisher@hotmail.com
• conan0557@126.com
• james.wade1@yahoo.com
• janagreen2000@yahoo.com
• jessantt@gmail.com
• jimgreen200088@yahoo.com
• jimgreen20008@yahoo.com
• marialreyna11211919@yahoo.com
• morgan.wale1@yahoo.com
• mskinner62@yahoo.com
• myhog@hotmail.com
• parviz7415@yahoo.com
• slyan8024@gmail.com
• thomas7610@yahoo.com

Apart from the list of new domains you should check out the domains mentioned in the following articles that all related to previous Sykipot’s activity but some of them are still being used in Sykipot’s operations:

- Sykipot is back - Alienvault Labs

- The Sykipot Attacks - Symantec

- The Sykipot Campaign – TrendMicro

- Hurricane Sandy serves as lure to deliver Sykipot - Verizon

- Insight into Sykipot Operations - Symantec

- Medical Industry A CYBER VICTIM: BILLIONS STOLEN AND LIVES AT RISK - Cyber Squared

We have published earlier today a quick blog post about how the wiper payload works. It is a very simple piece of code that overwrites the MBR (Master Boot Record) making the affected system unable to start after reboot.

Other companies have published information about the wiper payloads but anyone is giving information about how the attackers gained access to the affected networks. To execute that payload they had to gain access to the companies somehow and execute the wiping routine at the same time in the affected computers.

If the goal of the attackers was to create panic it means they hadn’t to have a specific list of victims, had they?.  From my point of view one of the easiest ways to gain access to several targets without having too much resources/skills would be:

- Buy an exploit kit and a malware kit, hack into websites and redirect victims to your malicious infrastructure.

or even better:

- Rent a botnet(s) that have access to hundreds of computers and try to find victims inside interesting targets.

We have seen in the past that large botnets like Zeus or other financial driven botnets had access to systems within the networks of large organizations such as Bank of America, Amazon and NASA.

Therefore, finding infected systems in Broadcasting & Cable companies in South Korea like KBS, MBC and YTN (victims of the attacks) inside fraud botnets wouldn’t be unusual, would it be?.

The fact is that after reading some of the Korean news about the attacks:

- http://m.kukinews.com/view.asp?gCode=news&arcid=0007006484&code=41121111

- http://www.zdnet.co.kr/news/news_view.asp?artice_id=20130320185309

I found they mentioned several filenames that were involved on the attacks such as apcruncmd.exe, imbc.exe, sbs.exe, kbs.exe, Bull.exe, Sun.exe, asd.exe, 38.exe, 39.exe, Sad.exe, down.exe, v3lite.exe.

We’ve only analyzed ApcRunCmd.exe  that is the payload that overwrites the MBR. If the information about the filenames is accurate enough, what about the other filenames?.

Armed with patience we began the search of pieces of malware that could generate those filenames and also be related to South Korea.

The first file we found was b7c6caddb869d8c64e34478223108c605c28c7b725f4d1f79e19064cffca74fa that was submitted to VirusTotal two days ago from South Korea.

When the binary is executed, it creates the following files in the system:

- \Local Settings\Temp\1.tmp\bat.bat

- \WINDOWS\Temp\125.exe

- \Temp\imbc.exe

The content of the bat file is:

Basically it clears the DNS cache for Internet Explorer and modifies the etc/hosts file adding new entries.When the victim resolves the South Korean bank’s domain names included in the modified “etc/hosts” file, the domains will point to 103.14.114.156.

It seems the malware is also starting the Task Scheduler service using the command “net start Task Scheduler” probably to create some tasks with malicious purposes.Finally it creates an autostart registry key to maintain persistence.

The malware connects to the host home1[.]hades08[.]com (126.7.217.163)

We have found several samples with the same behavior and using the same filename (imbc.exe) and connecting to similar C&C servers, examples:

- home2[.]hades08[.]com (126.7.217.163)

- home3[.]hades08[.]com (126.7.217.163)

Other suspicious binaries matching the patterns we were looking for and submitted from South Korean in the last few days were:

11f6569e3453dbf2c8c392a1bf653c84e7b2dbc6d90a22936c95bf843bfcda73 -

Filename: kbs.exe

Sigcheck:

publisher…………….: nhncorp
product………………: nhncorp
internal name…………: nhncorp
file version………….: 1,0,0,0
copyright…………….: nhncorp
description…………..: nhncorp

0b445a03690cd857079577da29860c8b036f084a09885bb01499df553e3640c5

Filename: v3lite.exe

Connects to 121.156.58.135

All the files we mentioned are from the same malware family for sure, they have very similar behaviours with some slightly differences and their filenames match with the list we found in the South Korean news. Some vendors call this family Win32.Morix.

Chinese packer/language

The domain hades08[.]com was registered by smokeno@163.com a week ago.

We found the following subdomain:

ddd[.]hades08[.]com that seems to be serving a version of the Chinese Exploit Kit named GonDad:

http://urlquery.net/report.php?id=1528549

According to Google it infected the domain blogermoney[.]com

We found another website, d41[.]asdasd2012[.]com serving the GonDad exploit kit.

http://urlquery.net/report.php?id=1528774

The domain registrant for asdasd2012[.]com is also smokeno@163.com and it was registered a day after hades08[.].com

The relationship is obvious because dl[.]hades08[.]com is know pointing to the same IP address as mb[.]asdasd2012[.]com (126.7.217.163)

According to Google, the domain asdasd2012[.]com has infected 4 domains in the past 90 days including a South Korean website, appstory.co.kr.

On the other hand if we get the IP address of the C&C server for the sample with filename v3lite.exe we previously mentioned, 121.156.58.135.

Using passive DNS we can found the following subdomains of frcvb[.]com pointed to that IP in the last few days:

tt[.]frcvb[.]com A 121[.]156[.]58[.]135
aaa[.]frcvb[.]com A 121[.]156[.]58[.]135
qqq[.]frcvb[.]com A 121[.]156[.]58[.]135
ttt[.]frcvb[.]com A 121[.]156[.]58[.]135
zzz[.]frcvb[.]com A 121[.]156[.]58[.]135

The domain frcvb[.]com was registered less that a month ago.

According to Google, the domain frcvb[.]com has infected 18 domains in the past 90 days including several South Korean websites:

koreanmovie.com/

chinawoo.kr/

Other domain that we have detected in the same infrastructure is frcob[.]com and it is being used as C&C server for the same malware we previously mentioned

http://www.threatexpert.com/report.aspx?md5=1b40b1ff80738ec2fe5747a28d9726a1

As another example the following SK websites were also affected by the GonDad exploit kit hosted on frcob[.]com and frcvb[.]com:

www.knbox.com
www.keduac.co.kr
raya.co.kr
chinawoo.kr
goam.co.kr
bohumbest.net

Summary

The fact is we could probably show you dozens of domains hosting versions of the GonDad exploit kit, affecting South Korean websites and related with the malware  family we have been talking about.

It seems the South Korean security company Nshc has published more details on his Facebook Page

Based on the samples we collected, the malware overwrites the MBR (Master Boot Record) of the system. After reboot the system can’t boot anymore.

The samples use the word “HASTATI” to overwrite the MBR data:

And then shuts down the system using:

shutdown -r -t 0

We have seen that the samples checks for the presence of several security tools:

AhnLab Policy Agent - pasvc.exe

Hauri ViRobot - clisvc.exe

And tries to kill them using taskkill:

taskkill /F /IM pasvc.exe
taskkill /F /IM clisvc.exe

Within the samples we found references to three words:

PRINCPES
HASTATI.
NCPES

According to Wikipedia. “Hastati (singular: Hastatus) were a class of infantry in the armies of the early Roman Republic who originally fought as spearmen, and later as swordsmen. They were originally some of the poorest men in the legion, and could afford only modest equipment—light armour and a large shield, in their service as the lighter infantry of the legion. Later, the hastati contained the younger men rather than just the poorer, though most men of their age were relatively poor. Their usual position was the first battle line. They fought in a quincunx formation, supported by light troops. They were eventually done away with after the Marian reforms of 107 BC”

Related samples:

ApcRunCmd.exe db4bbdc36a78a8807ad9b15a562515c4

OthDown.exe 5fcd6e1dace6b0599429d913850f0364

0a8032cd6b4a710b1771a080fa09fb87

f0e045210e3258dad91d7b6b4d64e7f3

Alienvault Labs have detected that a different group of attackers have been using this vulnerability to target non-governmental and human rights organizations.

Together with our partner Kaspersky Labs we are releasing an analysis of this campaign. You can read his report here.

Based on the samples we found we believe this group has been running a SpearPhishing campaign from the last few weeks. The files we have analyzed are PDF files that contain code to exploit CVE-2013-0640. Once the victim opens the file, the system gets infected and a lure document is displayed to the victim. Some of the PDF lures we have found are:

Some of the exploit filenames:

• 2013-Yilliq Noruz Bayram Merikisige Teklip.pdf
• 联名信.pdf
• arp.pdf

Based on the lures we found it seems the same group is targeting both Tibet and Uyghur activists in the same campaign.

The Javascript code inside the PDF files is very similar to the one found in the Itaduke samples but part of the initial variables and the obfuscation has been removed from the original one.

The shellcode will create the file AcroRd32.exe in the Temp folder. That file decrypts an encrypted block using XOR operations with the key “0l23kj@nboxu”.

The malicious payload will perform the following operations:

- Copy \WINDOWS\system32\wuauclt.exe to %APPDATA%\wuauclt\wuauclt.exe
- Drop a malicious DLL under %APPDATA%\wuauclt\clbcatq.dll
- Execute %APPDATA%\wuauclt\wuauclt.exe

Note that wuauclt.exe is a benign system executable. Once the system file is executed, the malicious DLL will be loaded. This technique is known as DLL search order hijacking.

The malicious DLL will be loaded when wuauclt.exe is executed. It is important to show that clbcatq.dll is not exporting all the methods that the original clbcatq.dll has. It only implements the ones that are required to run the malicious code:

Original DLL                                                                       Malicious DLL

Once the malicious DLL is loaded, the malicious code will generate the following HTTP request:

The server will reply with an encrypted block of code that will be decrypted. The decrypted content is actually a DLL that exports the following functions:

• GetWorkType
• InfectFile

The payload will drop the following files:

• \WINDOWS\system32\wbem\4BA5E980.PBK
• \WINDOWS\system32\wbem\mstd32.dll

The InfectFile function will modify some code in the system library WINDOWS\system32\mswsock.dll. If we take a look at the patched DLL:

Original version

Modified version:

If we take a look at WSPStartup_0:

We can see how the malicious DLL mstd32.dll will be loaded everytime the system library mswsock.dll is loaded by a program.

The file mstd32.dll is signed using a certificate issued to “YNK JAPAN Inc. We have seen that certificate being used to sign malware dropped in several NGO attacks in the past.

Then the malicious code will perform the following HTTP request every few seconds:

The final payload is detected as Trojan.Win32.Swisyn and it has a lot of functionality to monitor and steal data from the infected system.

We have identified the following C&C servers for both payloads:

• ly.micorsofts.net
• ip.micrsofts.com
• xdx.hotmal1.com
• hy.micrsofts.com

Both domains have been registered using the same mail address:

micorsofts.net

Created: 2008-05-12 01:51:10
Expires: 2013-05-12 01:51:10
Last Modified: 2012-05-02 13:26:38

Registrant Contact:
GW SY
li wen li wen (lcb_jn@sina.com)
zq dj
jiningshi, shandongsheng, cn 272000
P: +86.05372178000 F: +86.05372178000

hotmal1.com

Created: 2008-12-30 03:53:18
Expires: 2013-12-30 03:53:18
Last Modified: 2012-12-26 15:32:15

Registrant Contact:
GW SY
li wen li wen (lcb_jn@sina.com)
zq dj
shixiaqu, beijingshi, cn 272000
P: +86.02227238836601 F: +86.02227238836601

Profile of the user on 20cn.net

We – Alienvault Labs- have written some Snort rules to match the network behavior:

You can use the following Yara rule to match the malicious binaries:

And this one to detect the malicious PDF files:

Finally, we are releasing some OpenIOC indicators as well:

You can find all the content in our GitHub repository.

The rules have been included in the EmergingThreats ruleset as well as in our Open Source SIEM.

- Win32/Coswid

- Unveiling a spearphishing campaign and possible ramifications

During the last few years we have been producing content that we have used to track and detect Comment Crew’s artifacts such as Snort rules, Yara rules and IOCs. We have decided to publish some of this content and we’ve completed our information with the great intel Mandiant published.  The first package we are releasing is a set of 81 Yara rules that will help malware analysts and incident responders to detect, classify and track the malware arsenal used by Comment Crew.

Some of these rules have been built to specifically detect Comment Crew’s tools and others are more generic.

You can download the rules from here.

How can I use the rules?

The easiest way to use this content is installing Yara (http://code.google.com/p/yara-project/). Once installed you can use the cmd tool yara to  detect and classify files in your dataset. Example:

$ ../yara-1.6/yara apt1-2.yara files/
APT1_WEBC2_CLOVER files//01114c2b1212524c550bbae7b2bf9750aba70c7c98e2fda13970e05768d644cf
EclipseSunCloudRAT files//021b4ce5c4d9eb45ed016fe7d87abe745ea961b712a08ea4c6b1b81d791f1eca
APT1_TARSIP_ECLIPSE files//021b4ce5c4d9eb45ed016fe7d87abe745ea961b712a08ea4c6b1b81d791f1eca
APT1_WEBC2_Y21K files//02601a267fe980aed4db8ac29336f7ecf1e06f94e9ac0714e968b64586624898
APT1_WEBC2_CSON files//02601a267fe980aed4db8ac29336f7ecf1e06f94e9ac0714e968b64586624898
APT1_b64_cnc_commands files//02601a267fe980aed4db8ac29336f7ecf1e06f94e9ac0714e968b64586624898
APT1_WEBC2_Y21K files//060764506ad9134d5900fc0cd160fc14de80682f1861a3ef084c7c91a734881f
APT1_b64_cnc_commands files//060764506ad9134d5900fc0cd160fc14de80682f1861a3ef084c7c91a734881f
STARSYPOUND_APT1 files//082323fd0f3d24f8fe31895ad1246ae2116aee78d01be83a28c3cbb856541003
APT1_SY files//082323fd0f3d24f8fe31895ad1246ae2116aee78d01be83a28c3cbb856541003
APT1_WARP files//08af44d381df5250323cf196444aa90597f8049dad55712fe45e80b1a8d8cded
APT1_points files//08af44d381df5250323cf196444aa90597f8049dad55712fe45e80b1a8d8cded
APT1_readynewcmd files//0963ba541d56b9805713aa13d955b91f6bb875318698ba6119d5944d68c45afb
HACKSFASE2_APT1 files//0b9ca6fb32fcde1e6e55e8874982a2a921e73c6ebdf7246177fecf63542a4a83
ccrewSSLBack1 files//0b9ca6fb32fcde1e6e55e8874982a2a921e73c6ebdf7246177fecf63542a4a83
APT1_WEBC2_YAHOO files//0c50ddf7295d4ddfafae479e7c3ce21ca6416442c0c8c5e90aedbb3e583a8b20
APT1_uagent_iphone85 files//0c50ddf7295d4ddfafae479e7c3ce21ca6416442c0c8c5e90aedbb3e583a8b20
APT1_letusgo files//0c50ddf7295d4ddfafae479e7c3ce21ca6416442c0c8c5e90aedbb3e583a8b20
APT1_WEBC2_QBP files//0c8ad4824264dd09b3be02f462f968729bf7339438bf5fa69af9ca995353f6df
APT1_WEBC2_GREENCAT files//0e829513658a891006163ccbf24efc292e42cc291af85b957c1603733f0c99d4

On the other hand there are several projects and products that support Yara as a format. Here are some examples:

- JSUnpack

- Virustotal VTMIS

- Volatility, example of using the Yara plugin in Volatility

- Fireeye

We’ve reviewed the rules to minimize false positives but please send us your feedback and we will improve the Yara rules with that information.

Here is the complete list of Yara rules released:

LIGHTDART_APT1
AURIGA_APT1
AURIGA_driver_APT1
BANGAT_APT1
BISCUIT_GREENCAT_APT1
BOUNCER_APT1
BOUNCER_DLL_APT1
CALENDAR_APT1
COMBOS_APT1
DAIRY_APT1
GLOOXMAIL_APT1
GOGGLES_APT1
HACKSFASE1_APT1
HACKSFASE2_APT1
KURTON_APT1
LONGRUN_APT1
MACROMAIL_APT1
MANITSME_APT1
MINIASP_APT1
NEWSREELS_APT1
SEASALT_APT1
STARSYPOUND_APT1
SWORD_APT1
thequickbrow_APT1
TABMSGSQL_APT1
CCREWBACK1
TrojanCookies_CCREW
GEN_CCREW1
Elise
EclipseSunCloudRAT
MoonProject
ccrewDownloader1
ccrewDownloader2
ccrewMiniasp
ccrewSSLBack2
ccrewSSLBack3
ccrewSSLBack1
ccrewDownloader3
ccrewQAZ
metaxcd
MiniASP
DownloaderPossibleCCrew
APT1_MAPIGET
APT1_LIGHTBOLT
APT1_GETMAIL
APT1_GDOCUPLOAD
APT1_WEBC2_Y21K
APT1_WEBC2_YAHOO
APT1_WEBC2_UGX
APT1_WEBC2_TOCK
APT1_WEBC2_TABLE
APT1_WEBC2_RAVE
APT1_WEBC2_QBP
APT1_WEBC2_KT3
APT1_WEBC2_HEAD
APT1_WEBC2_GREENCAT
APT1_WEBC2_DIV
APT1_WEBC2_CSON
APT1_WEBC2_CLOVER
APT1_WEBC2_BOLID
APT1_WEBC2_ADSPACE
APT1_WEBC2_AUSOV
APT1_WARP
APT1_TARSIP_ECLIPSE
APT1_TARSIP_MOON
APT1_aspnetreport
APT1_Revird_svc
APT1_letusgo
APT1_dbg_mess
APT1_known_malicious_RARSilent

Update (02/22/2013): We have improved the ruleset, update to the latest version!

The mails sent contain a Microsoft Office .doc file that exploits MS09-027 affecting Microsoft Office for Mac, this is the same exploit used in other attacks we discovered in the past.

During the last year we reported a couple of attacks targeting Uyghurs:

- New MaControl variant targeting Uyghur users, the Windows version using Gh0st RAT

Similar attacks have been reported against various ethnic groups like the Tibetan people and other NGOs and human rights organizations:

- Targeted attacks against Tibet organizations

- MS Office exploit that targets MacOS X seen in the wild – delivers “Mac Control” RAT

They have even used our research as lure to target non-governmental organizations.

Some of the filenames used in this campaign are:

• WUC Hacking Emails.doc
• Concerns over Uyghur People.doc
• Hosh Hewer.doc
• Jenwediki yighingha iltimas qilish Jediwili.doc
• Jenwediki yighingha iltimas qilish Jediwili.doc
• list.doc
• Press Release on Commemorat the Day of Mourning.doc
• The Universal Declaration of Human Rights and the Unrecognized Population Groups.doc
• Uyghur Political Prisoner.doc
• Deported Uyghurs.doc
• Kadeer Logistics detail.doc
• Jenwediki yighingha iltimas qilish Jediwili(Behtiyar Omer).doc

The following yara rule can be used to identify those files:

rule CaptainWord {
    strings:
         $header = {D0 CF 11 E0 A1 B1 1A E1}
         $author = {00 00 00 63 61 70 74 61 69 6E 00}
    condition:
         $header at 0 and $author
}

Once the victim opens the document the exploit is triggered and the shellcode writes several files on the temporary directory (“/tmp/):

1154/0x2610:  fstat(0x26, 0xBFFF4CD0, 0x200)            = 0 0
1154/0x2610:  lseek(0x26, 0x6600, 0x0)          = 26112 0
1154/0x2610:  open("/tmp/l.sh\0", 0x602, 0x1FF)                 = 40 0
1154/0x2610:  open("/tmp/l\0", 0x602, 0x1FF)            = 41 0
1154/0x2610:  open("/tmp/l.doc\0", 0x602, 0x1FF)                = 42 0
1154/0x2610:  read(0x26, "#!/bin/bash\nsleep 1\n/usr/bin/open /tmp/l.doc\ncp /tmp/l /tmp/m\n/tmp/m\0", 0x44)            = 68 0
1154/0x2610:  write(0x28, "#!/bin/bash\nsleep 1\n/usr/bin/open /tmp/l.doc\ncp /tmp/l /tmp/m\n/tmp/m\0", 0x44)           = 68 0
1154/0x2610:  read(0x26, "\312\376\272\276\0", 0x100)           = 256 0
1154/0x2610:  write(0x29, "\312\376\272\276\0", 0x100)          = 256 0
...
1188/0x2731:  open("/tmp/l\0", 0x0, 0x0)                = 4 0
1188/0x2731:  open("/tmp/m\0", 0x401, 0x0)              = 19 0
…

Then the bash file is executed opening both the trojan and a lure document. There are several lure documents all related with Uyghur activities, an example is:

It is also funny that one of the lure documents talks about the “Rise in possible State-Sponsored hacking”.

Once executed the malware will try to write both the pslist and the backdoor itself under the LaunchAgents directory. This folder is used by MacOSX to store the configuration files that define the parameters of services run by launchd. It will try both under the system and the current user directory:

Then the command “launchctl load” is used to register the new new daemon. The contents of the apple.pslist file are as follow:

<?xml version=”1.0″ encoding=”UTF-8″?>
<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN” “http://www.apple.com/DTDs/PropertyList-1.0.dtd”>
<plist version=”1.0″>
<dict>
<key>KeepAlive</key>
<true/>
<key>Label</key>
<string>apple</string>
<key>Program</key>
<string>/Users/operator1/library/launchagents/.systm</string>
<key>ProgramArguments</key>
<array>
<string>/Users/operator1/library/launchagents/.systm</string>
<string>1</string>
<string>2</string>
<string>3</string>
<string>4</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>

The backdoor contains code from a tool called “Tiny SHell”. You can download the source code of “Tiny SHell” here. You will recognize some of the function names from the source code:

The configuration values are hardcoded in the binary including the encryption key and the C&C address/port:

“Tiny SHell” uses AES encryption for the C&C communications and as we can see the attackers are using “12345678″ as the AES secret key:

On the other hand they decided to use the original challenge responses that can be found in the original pel.c file:

The backdoor has only a couple of functionalities:

- Remote shell execution

- File transfers (get/put)

Most of the binaries we obtained  were compiled using debug symbols so we were able to obtain some debug paths from the machine where the files were compiled:

/Users/cbn/Documents/WorkSpace/design/server/aes.c
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/aes.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/pel.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/server.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/sha1.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/shell.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/aes.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/pel.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/server.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/sha1.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/shell.o
/Users/cbn/Documents/WorkSpace/design/server/pel.c
/Users/cbn/Documents/WorkSpace/design/server/server.m
/Users/cbn/Documents/WorkSpace/design/server/sha1.c
/Users/cbn/Documents/WorkSpace/design/server/shell.c

Where “cbn” is the username of the user who compiled those files in the attacker’s system.

The backdoor also writes a VCard containing the data about the current user. The purpose of this is not clear.

Network activity

The attackers are using two different C&C domains:

- apple12[.]crabdance[.]com

- update[.]googmail[.]org

The domain crabdance[.]com is a well known free Dynamic DNS provider. We have been monitoring the second domain googmail[.]org for a while. It has been used by a group we internally named as “xsldmt” due to the mail address they use to register most of their domain names the use.

Domain Name:GOOGMAIL.ORG
Created On:16-Dec-2011 03:01:13 UTC
Last Updated On:20-Nov-2012 04:46:22 UTC
Expiration Date:16-Dec-2013 03:01:13 UTC
Sponsoring Registrar:Xin Net Technology Corporation (R118-LROR)
Status:OK
Registrant ID:4jyn2c9u84snj4
Registrant Name:su guang
Registrant Organization:su guang
Registrant Street1:mi quannanguoxiang1hao
Registrant Street2:
Registrant Street3:
Registrant City:changjihuizuzizhizhou
Registrant State/Province:xinjiangweiwuerzizhiqu
Registrant Postal Code:830000
Registrant Country:CN
Registrant Phone:+86.013579984824
Registrant Phone Ext.:
Registrant FAX:+86.09914682953
Registrant FAX Ext.:
Registrant Email:xsldmt@xj163.cn

The following graph represents the passive DNS data we collected from the ip addresses involved including other potential domains that are probably being used by the same group.

Indicators of compromise

Apart from the domain names and ip addresses we released that can be used to check your logs for connections to those addresses, here is a list of file paths that can be checked in your systems to find activity related to these attacks:

/tmp/l
/tmp/m
/tmp/l.sh
/tmp/l.doc
/tmp/systm
/tmp/.systm
/tmp/__system
/tmp/__system*
/tmp/tmpAddressbook.vcf
/Library/LaunchDaemons/systm
/Library/LaunchDaemons/.systm
/Library/LaunchDaemons/apple.plist
/Users/[CurrentUser]/Library/LaunchAgents/systm
/Users/[CurrentUser]/Library/LaunchAgents/.systm
/Users/[CurrentUser]/Library/LaunchAgents/apple.plist