AlienVault R&D Labs Portal

During the last few days together with our colleagues from Kaspersky Lab we have been investigating a new strain of spearphishing mails sent to the Uyghur community. You can read their analysis here.

The mails contain a Microsoft Office .doc file that exploits MS09-027, a vulnerability affecting Microsoft Office for Mac; this is the same exploit used in other attacks we discovered in the past.

During the last year we reported a couple of attacks targeting Uyghurs:

- New MaControl variant targeting Uyghur users, the Windows version using Gh0st RAT

Similar attacks have been reported against various ethnic groups like the Tibetan people and other NGOs and human rights organizations:

Targeted attacks against Tibet organizations

MS Office exploit that targets MacOS X seen in the wild – delivers “Mac Control” RAT

They have even used our research as lure to target non-governmental organizations.

Some of the filenames used in this campaign are:

  • WUC Hacking Emails.doc
  • Concerns over Uyghur People.doc
  • Hosh Hewer.doc
  • Jenwediki yighingha iltimas qilish Jediwili.doc
  • Jenwediki yighingha iltimas qilish Jediwili.doc
  • list.doc
  • Press Release on Commemorat the Day of Mourning.doc
  • The Universal Declaration of Human Rights and the Unrecognized Population Groups.doc
  • Uyghur Political Prisoner.doc
  • Deported Uyghurs.doc
  • Kadeer Logistics detail.doc
  • Jenwediki yighingha iltimas qilish Jediwili(Behtiyar Omer).doc
An easy way to identify the documents is to look at the document's “author” metadata, which is always “captain”. This author name has been used several times in the past in similar attacks.


The following yara rule can be used to identify those files:

rule CaptainWord {
    strings:
         $header = {D0 CF 11 E0 A1 B1 1A E1}
         $author = {00 00 00 63 61 70 74 61 69 6E 00}
    condition:
         $header at 0 and $author
}

Once the victim opens the document the exploit is triggered and the shellcode writes several files to the temporary directory (/tmp/):

1154/0x2610:  fstat(0x26, 0xBFFF4CD0, 0x200)            = 0 0
1154/0x2610:  lseek(0x26, 0x6600, 0x0)          = 26112 0
1154/0x2610:  open("/tmp/l.sh\0", 0x602, 0x1FF)                 = 40 0
1154/0x2610:  open("/tmp/l\0", 0x602, 0x1FF)            = 41 0
1154/0x2610:  open("/tmp/l.doc\0", 0x602, 0x1FF)                = 42 0
1154/0x2610:  read(0x26, "#!/bin/bash\nsleep 1\n/usr/bin/open /tmp/l.doc\ncp /tmp/l /tmp/m\n/tmp/m\0", 0x44)            = 68 0
1154/0x2610:  write(0x28, "#!/bin/bash\nsleep 1\n/usr/bin/open /tmp/l.doc\ncp /tmp/l /tmp/m\n/tmp/m\0", 0x44)           = 68 0
1154/0x2610:  read(0x26, "\312\376\272\276\0", 0x100)           = 256 0
1154/0x2610:  write(0x29, "\312\376\272\276\0", 0x100)          = 256 0
...
1188/0x2731:  open("/tmp/l\0", 0x0, 0x0)                = 4 0
1188/0x2731:  open("/tmp/m\0", 0x401, 0x0)              = 19 0
…

The bash script is then executed, opening both the trojan and a lure document. There are several lure documents, all related to Uyghur activities; an example is:


It is also funny that one of the lure documents talks about the “Rise in possible State-Sponsored hacking”.

Once executed, the malware tries to write both a plist file and the backdoor itself under the LaunchAgents directory. This folder is used by Mac OS X to store the configuration files that define the parameters of services run by launchd. It tries both the system directory and the current user's directory:


Then the command “launchctl load” is used to register the new agent. The contents of the apple.plist file are as follows:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KeepAlive</key>
<true/>
<key>Label</key>
<string>apple</string>
<key>Program</key>
<string>/Users/operator1/library/launchagents/.systm</string>
<key>ProgramArguments</key>
<array>
<string>/Users/operator1/library/launchagents/.systm</string>
<string>1</string>
<string>2</string>
<string>3</string>
<string>4</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>

The backdoor contains code from a tool called “Tiny SHell”. You can download the source code of “Tiny SHell” here. You will recognize some of the function names from the source code:


The configuration values are hardcoded in the binary including the encryption key and the C&C address/port:


“Tiny SHell” uses AES encryption for the C&C communications, and as we can see the attackers are using “12345678” as the AES secret key.

On the other hand, they kept the original challenge responses that can be found in the original pel.c file.

The backdoor has only a couple of functionalities:

- Remote shell execution

- File transfers (get/put)

Most of the binaries we obtained were compiled with debug symbols, so we were able to recover some build paths from the machine where the files were compiled:

/Users/cbn/Documents/WorkSpace/design/server/aes.c
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/aes.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/pel.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/server.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/sha1.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/shell.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/aes.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/pel.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/server.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/sha1.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/shell.o
/Users/cbn/Documents/WorkSpace/design/server/pel.c
/Users/cbn/Documents/WorkSpace/design/server/server.m
/Users/cbn/Documents/WorkSpace/design/server/sha1.c
/Users/cbn/Documents/WorkSpace/design/server/shell.c

Where “cbn” is the username of the user who compiled those files in the attacker’s system.

The backdoor also writes a VCard containing the data about the current user. The purpose of this is not clear.

Network activity

The attackers are using two different C&C domains:

- apple12[.]crabdance[.]com

- update[.]googmail[.]org

The domain crabdance[.]com is a well known free Dynamic DNS provider. We have been monitoring the second domain, googmail[.]org, for a while. It has been used by a group we internally named “xsldmt” after the e-mail address they use to register most of their domain names.

Domain Name:GOOGMAIL.ORG
Created On:16-Dec-2011 03:01:13 UTC
Last Updated On:20-Nov-2012 04:46:22 UTC
Expiration Date:16-Dec-2013 03:01:13 UTC
Sponsoring Registrar:Xin Net Technology Corporation (R118-LROR)
Status:OK
Registrant ID:4jyn2c9u84snj4
Registrant Name:su guang
Registrant Organization:su guang
Registrant Street1:mi quannanguoxiang1hao
Registrant Street2:
Registrant Street3:
Registrant City:changjihuizuzizhizhou
Registrant State/Province:xinjiangweiwuerzizhiqu
Registrant Postal Code:830000
Registrant Country:CN
Registrant Phone:+86.013579984824
Registrant Phone Ext.:
Registrant FAX:+86.09914682953
Registrant FAX Ext.:
Registrant Email:xsldmt@xj163.cn

The following graph represents the passive DNS data we collected from the IP addresses involved, including other domains that are probably being used by the same group.


Indicators of compromise

Apart from the domain names and IP addresses we released, which can be used to check your logs for connections to those addresses, here is a list of file paths that can be checked on your systems to find activity related to these attacks:

/tmp/l
/tmp/m
/tmp/l.sh
/tmp/l.doc
/tmp/systm
/tmp/.systm
/tmp/__system
/tmp/__system*
/tmp/tmpAddressbook.vcf
/Library/LaunchDaemons/systm
/Library/LaunchDaemons/.systm
/Library/LaunchDaemons/apple.plist
/Users/[CurrentUser]/Library/LaunchAgents/systm
/Users/[CurrentUser]/Library/LaunchAgents/.systm
/Users/[CurrentUser]/Library/LaunchAgents/apple.plist
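As an added example (not AlienVault's code), the following Python script checks a live system or a mounted image for the file-path indicators above and inspects a launchd plist for the traits of the apple.plist shown earlier (hidden executable stored inside the launch directory, RunAtLoad plus KeepAlive, label “apple”). The demo() function builds a constructed directory tree so it can be run without touching a real system; the home-directory layout it uses is an assumption for the demo only.

```python
import glob
import os
import plistlib
import tempfile

# File-path IoCs from the post; "*" stands for [CurrentUser], "/tmp/__system*" is the post's own wildcard.
IOC_PATHS = [
    "/tmp/l", "/tmp/m", "/tmp/l.sh", "/tmp/l.doc", "/tmp/systm", "/tmp/.systm",
    "/tmp/__system*", "/tmp/tmpAddressbook.vcf", "/Library/LaunchDaemons/systm",
    "/Library/LaunchDaemons/.systm", "/Library/LaunchDaemons/apple.plist",
    "/Users/*/Library/LaunchAgents/systm", "/Users/*/Library/LaunchAgents/.systm",
    "/Users/*/Library/LaunchAgents/apple.plist",
]

def find_iocs(root="/"):
    """Return the IoC paths present under root; pass a mount point to scan a disk image."""
    hits = []
    for pattern in IOC_PATHS:
        hits.extend(glob.glob(os.path.join(root, pattern.lstrip("/"))))
    return sorted(hits)

def plist_flags(path):
    """Flag the traits of the post's apple.plist in any launchd plist at path."""
    with open(path, "rb") as fh:
        plist = plistlib.load(fh)
    program = plist.get("Program") or (plist.get("ProgramArguments") or [""])[0]
    flags = []
    if os.path.basename(program).startswith("."):        # dotfile executable, e.g. .systm
        flags.append("hidden-executable")
    if "/launchagents/" in program.lower() or "/launchdaemons/" in program.lower():
        flags.append("executable-inside-launch-dir")      # binary dropped next to its plist
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):  # start at login and restart if killed
        flags.append("runatload+keepalive")
    if plist.get("Label") == "apple":                      # label used by this campaign
        flags.append("label-apple")
    return flags

def demo():
    """Scan a constructed directory tree that mimics an infected user's home and /tmp."""
    root = tempfile.mkdtemp()
    agents = os.path.join(root, "Users/operator1/Library/LaunchAgents")
    os.makedirs(agents)
    os.makedirs(os.path.join(root, "tmp"))
    for name in ("tmp/l.sh", "Users/operator1/Library/LaunchAgents/.systm"):
        open(os.path.join(root, name), "w").close()        # empty stand-ins for the dropped files
    with open(os.path.join(agents, "apple.plist"), "wb") as fh:
        plistlib.dump({"Label": "apple", "KeepAlive": True, "RunAtLoad": True,
                       "Program": "/Users/operator1/library/launchagents/.systm"}, fh)
    return find_iocs(root), plist_flags(os.path.join(agents, "apple.plist"))
```

Running find_iocs() with the default root on a real machine only reports paths that exist, so an empty result means none of the listed artifacts are present.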


jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.
