AlienVault R&D Labs Portal. Get the latest news from our research.

During the last few days together with our colleagues from Kaspersky Lab we have been investigating a new strain of spearphishing mails sent to the Uyghur community. You can read their analysis here.

The mails contain a Microsoft Office .doc file that exploits MS09-027, which affects Microsoft Office for Mac; this is the same exploit used in other attacks we discovered in the past.

During the last year we reported a couple of attacks targeting Uyghurs:

- New MaControl variant targeting Uyghur users, the Windows version using Gh0st RAT

Similar attacks have been reported against various ethnic groups like the Tibetan people and other NGOs and human rights organizations:

Targeted attacks against Tibet organizations

MS Office exploit that targets MacOS X seen in the wild – delivers “Mac Control” RAT

They have even used our research as lure to target non-governmental organizations.

Some of the filenames used in this campaign are:

  • WUC Hacking Emails.doc
  • Concerns over Uyghur People.doc
  • Hosh Hewer.doc
  • Jenwediki yighingha iltimas qilish Jediwili.doc
  • list.doc
  • Press Release on Commemorat the Day of Mourning.doc
  • The Universal Declaration of Human Rights and the Unrecognized Population Groups.doc
  • Uyghur Political Prisoner.doc
  • Deported Uyghurs.doc
  • Kadeer Logistics detail.doc
  • Jenwediki yighingha iltimas qilish Jediwili(Behtiyar Omer).doc
An easy way to identify the documents is to look for the “author” of the document, which is always “captain”. This author name has been used several times in the past in similar attacks.

The following yara rule can be used to identify those files:

rule CaptainWord {
    strings:
         $header = {D0 CF 11 E0 A1 B1 1A E1}
         $author = {00 00 00 63 61 70 74 61 69 6E 00}
    condition:
         $header at 0 and $author
}
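The same check in plain Python, as an added example that is not part of the original post, for hosts where yara is not installed. The rule's $header is the OLE2 compound-file magic that every legacy .doc starts with, and $author is the byte form of the NUL-terminated string "captain" as it sits in the document's summary information; the sample byte strings below are constructed and are not real documents.

```python
"""Pure-Python equivalent of the CaptainWord yara rule (added example).

Condition reproduced: '$header at 0 and $author', where
  $header = D0 CF 11 E0 A1 B1 1A E1            (OLE2 / Compound File magic)
  $author = 00 00 00 63 61 70 74 61 69 6E 00   (three NULs, "captain", NUL)
"""
import os
import sys

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
CAPTAIN_AUTHOR = b"\x00\x00\x00captain\x00"


def is_captain_doc(data: bytes) -> bool:
    """True when the OLE magic is at offset 0 and the author pattern occurs anywhere."""
    return data.startswith(OLE_MAGIC) and CAPTAIN_AUTHOR in data


def scan_directory(root: str, max_size: int = 50 * 1024 * 1024) -> list:
    """Walk root and return the paths of matching files.

    Files larger than max_size are skipped to keep the scan cheap; unreadable
    files (permissions, races) are skipped silently.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    if is_captain_doc(fh.read()):
                        hits.append(path)
            except OSError:
                continue
    return hits


# Constructed samples (not real documents, no exploit content):
# minimal OLE header followed by an author field set to "captain" ...
SAMPLE_MATCH = OLE_MAGIC + b"\x00" * 64 + b"\x00\x00\x00captain\x00" + b"\x00" * 16
# ... the same layout with another author, which must not match ...
SAMPLE_OTHER = OLE_MAGIC + b"\x00" * 64 + b"\x00\x00\x00alice\x00" + b"\x00" * 16
# ... and the author bytes without an OLE header (e.g. a text file), no match either.
SAMPLE_NOHDR = b"\x00\x00\x00captain\x00"

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit in scan_directory(target):
        print("captain-authored OLE file:", hit)
```

Run it with a directory argument (a mail spool, a downloads folder, a mounted image); it prints one line per matching file.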

Once the victim opens the document the exploit is triggered and the shellcode writes several files to the temporary directory (/tmp/):

1154/0x2610:  fstat(0x26, 0xBFFF4CD0, 0x200)            = 0 0
1154/0x2610:  lseek(0x26, 0x6600, 0x0)          = 26112 0
1154/0x2610:  open("/tmp/l.sh\0", 0x602, 0x1FF)                 = 40 0
1154/0x2610:  open("/tmp/l\0", 0x602, 0x1FF)            = 41 0
1154/0x2610:  open("/tmp/l.doc\0", 0x602, 0x1FF)                = 42 0
1154/0x2610:  read(0x26, "#!/bin/bash\nsleep 1\n/usr/bin/open /tmp/l.doc\ncp /tmp/l /tmp/m\n/tmp/m\0", 0x44)            = 68 0
1154/0x2610:  write(0x28, "#!/bin/bash\nsleep 1\n/usr/bin/open /tmp/l.doc\ncp /tmp/l /tmp/m\n/tmp/m\0", 0x44)           = 68 0
1154/0x2610:  read(0x26, "\312\376\272\276\0", 0x100)           = 256 0
1154/0x2610:  write(0x29, "\312\376\272\276\0", 0x100)          = 256 0
...
1188/0x2731:  open("/tmp/l\0", 0x0, 0x0)                = 4 0
1188/0x2731:  open("/tmp/m\0", 0x401, 0x0)              = 19 0
…
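An added example, not code from the post, that turns a dtruss trace like the one above into a list of files the traced process created or opened for writing, which is the first thing an analyst wants out of such a trace. It assumes the macOS open() flag values from fcntl.h (O_WRONLY=0x1, O_RDWR=0x2, O_CREAT=0x200, O_TRUNC=0x400, O_EXCL=0x800) and a line shape of "PID/THREAD:  syscall(args) = ret errno"; the embedded trace lines are copied from the output shown above.

```python
"""Extract file creations from a dtruss-style syscall trace (added example)."""
import re

# "1154/0x2610:  open("/tmp/l.sh\0", 0x602, 0x1FF)   = 40 0"
LINE_RE = re.compile(
    r"^(?P<pid>\d+)/0x[0-9a-fA-F]+:\s+(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)"
)
# open() arguments: a quoted path (dtruss shows the trailing NUL as \0), flags, mode
OPEN_RE = re.compile(
    r'^"(?P<path>[^"]*?)(?:\\0)?",\s*(?P<flags>0x[0-9a-fA-F]+|\d+),\s*(?P<mode>0x[0-9a-fA-F]+|\d+)'
)
# macOS <fcntl.h> values (assumption about the platform the trace came from)
O_FLAGS = {0x1: "O_WRONLY", 0x2: "O_RDWR", 0x200: "O_CREAT", 0x400: "O_TRUNC", 0x800: "O_EXCL"}


def decode_flags(flags: int) -> str:
    names = [name for bit, name in O_FLAGS.items() if flags & bit]
    if not flags & 0x3:  # neither O_WRONLY nor O_RDWR means O_RDONLY (value 0)
        names.insert(0, "O_RDONLY")
    return "|".join(names)


def parse_opens(trace: str) -> list:
    """One dict per successful open() call, in trace order."""
    events = []
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("call") != "open":
            continue
        a = OPEN_RE.match(m.group("args"))
        ret = int(m.group("ret"))
        if not a or ret < 0:  # unparsable arguments or a failed open
            continue
        flags = int(a.group("flags"), 0)
        events.append({
            "pid": int(m.group("pid")),
            "path": a.group("path"),
            "flags": decode_flags(flags),
            "mode": int(a.group("mode"), 0),
            "fd": ret,
            "creates": bool(flags & 0x200),
            "writes": bool(flags & 0x3),
        })
    return events


def created_files(trace: str) -> list:
    """Paths opened with O_CREAT, in order of first appearance."""
    seen, out = set(), []
    for e in parse_opens(trace):
        if e["creates"] and e["path"] not in seen:
            seen.add(e["path"])
            out.append(e["path"])
    return out


def summarize(trace: str) -> list:
    """One human-readable line per open() that can modify the file system."""
    lines = []
    for e in parse_opens(trace):
        if e["writes"]:
            verb = "created" if e["creates"] else "opened for writing"
            lines.append(f"pid {e['pid']} {verb} {e['path']} (mode {e['mode']:#o}, {e['flags']})")
    return lines


# Trace lines copied from the post above (raw string: the \0 and \n stay literal).
SAMPLE_TRACE = r"""
1154/0x2610:  fstat(0x26, 0xBFFF4CD0, 0x200)            = 0 0
1154/0x2610:  lseek(0x26, 0x6600, 0x0)          = 26112 0
1154/0x2610:  open("/tmp/l.sh\0", 0x602, 0x1FF)                 = 40 0
1154/0x2610:  open("/tmp/l\0", 0x602, 0x1FF)            = 41 0
1154/0x2610:  open("/tmp/l.doc\0", 0x602, 0x1FF)                = 42 0
1154/0x2610:  read(0x26, "#!/bin/bash\nsleep 1\n/usr/bin/open /tmp/l.doc\ncp /tmp/l /tmp/m\n/tmp/m\0", 0x44)            = 68 0
1154/0x2610:  write(0x28, "#!/bin/bash\nsleep 1\n/usr/bin/open /tmp/l.doc\ncp /tmp/l /tmp/m\n/tmp/m\0", 0x44)           = 68 0
1188/0x2731:  open("/tmp/l\0", 0x0, 0x0)                = 4 0
1188/0x2731:  open("/tmp/m\0", 0x401, 0x0)              = 19 0
"""

if __name__ == "__main__":
    for line in summarize(SAMPLE_TRACE):
        print(line)
```

Mode 0x1FF is 0777, which is why the dropped /tmp/l.sh can be executed straight away; the second process (pid 1188, the script itself) only reads /tmp/l and writes the copy /tmp/m.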

Then the bash file is executed, opening both the trojan and a lure document. There are several lure documents, all related to Uyghur activities; one example is:

It is also funny that one of the lure documents talks about the “Rise in possible State-Sponsored hacking”.

Once executed, the malware tries to write both the pslist and the backdoor itself under the LaunchAgents directory. This folder is used by Mac OS X to store the configuration files that define the parameters of services run by launchd. It tries both the system directory and the current user's directory:

Then the command “launchctl load” is used to register the new daemon. The contents of the apple.pslist file are as follows:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KeepAlive</key>
<true/>
<key>Label</key>
<string>apple</string>
<key>Program</key>
<string>/Users/operator1/library/launchagents/.systm</string>
<key>ProgramArguments</key>
<array>
<string>/Users/operator1/library/launchagents/.systm</string>
<string>1</string>
<string>2</string>
<string>3</string>
<string>4</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>

The backdoor contains code from a tool called “Tiny SHell”. You can download the source code of “Tiny SHell” here. You will recognize some of the function names from the source code:

The configuration values are hardcoded in the binary including the encryption key and the C&C address/port:

“Tiny SHell” uses AES encryption for the C&C communications and as we can see the attackers are using “12345678” as the AES secret key:

On the other hand, they kept the original challenge responses that can be found in the stock pel.c file:

The backdoor has only a couple of functionalities:

- Remote shell execution

- File transfers (get/put)

Most of the binaries we obtained were compiled with debug symbols, so we were able to extract some debug paths from the machine where the files were compiled:

/Users/cbn/Documents/WorkSpace/design/server/aes.c
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/aes.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/pel.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/server.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/sha1.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/shell.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/aes.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/pel.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/server.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/sha1.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/shell.o
/Users/cbn/Documents/WorkSpace/design/server/pel.c
/Users/cbn/Documents/WorkSpace/design/server/server.m
/Users/cbn/Documents/WorkSpace/design/server/sha1.c
/Users/cbn/Documents/WorkSpace/design/server/shell.c

Where “cbn” is the username of the user who compiled those files in the attacker’s system.

The backdoor also writes a VCard containing the data about the current user. The purpose of this is not clear.

Network activity

The attackers are using two different C&C domains:

- apple12[.]crabdance[.]com

- update[.]googmail[.]org

The domain crabdance[.]com is a well known free dynamic DNS provider. We have been monitoring the second domain, googmail[.]org, for a while. It has been used by a group we internally named “xsldmt”, after the mail address they use to register most of their domain names.

Domain Name:GOOGMAIL.ORG
Created On:16-Dec-2011 03:01:13 UTC
Last Updated On:20-Nov-2012 04:46:22 UTC
Expiration Date:16-Dec-2013 03:01:13 UTC
Sponsoring Registrar:Xin Net Technology Corporation (R118-LROR)
Status:OK
Registrant ID:4jyn2c9u84snj4
Registrant Name:su guang
Registrant Organization:su guang
Registrant Street1:mi quannanguoxiang1hao
Registrant Street2:
Registrant Street3:
Registrant City:changjihuizuzizhizhou
Registrant State/Province:xinjiangweiwuerzizhiqu
Registrant Postal Code:830000
Registrant Country:CN
Registrant Phone:+86.013579984824
Registrant Phone Ext.:
Registrant FAX:+86.09914682953
Registrant FAX Ext.:
Registrant Email:xsldmt@xj163.cn

The following graph represents the passive DNS data we collected for the IP addresses involved, including other domains that are probably being used by the same group.

Indicators of compromise

Apart from the domain names and IP addresses released above, which can be used to check your logs for connections to those addresses, here is a list of file paths that can be checked on your systems to find activity related to these attacks:

/tmp/l
/tmp/m
/tmp/l.sh
/tmp/l.doc
/tmp/systm
/tmp/.systm
/tmp/__system
/tmp/__system*
/tmp/tmpAddressbook.vcf
/Library/LaunchDaemons/systm
/Library/LaunchDaemons/.systm
/Library/LaunchDaemons/apple.plist
/Users/[CurrentUser]/Library/LaunchAgents/systm
/Users/[CurrentUser]/Library/LaunchAgents/.systm
/Users/[CurrentUser]/Library/LaunchAgents/apple.plist
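A host check for the file-system indicators listed above, added here as an example; the path list is taken from the post, the code is not the authors'. It works on a live machine (root "/") or on a mounted disk image or evidence directory (root set to the mount point), expands [CurrentUser] for every home directory found under <root>/Users, and treats the trailing "*" of /tmp/__system* as a glob. The make_demo_root() helper builds a constructed evidence tree in a temporary directory so the check can be exercised offline.

```python
"""Check a host or a mounted image for the IoC paths from the post (added example)."""
import glob
import os
import sys
import tempfile

IOC_PATHS = [
    "/tmp/l", "/tmp/m", "/tmp/l.sh", "/tmp/l.doc",
    "/tmp/systm", "/tmp/.systm", "/tmp/__system", "/tmp/__system*",
    "/tmp/tmpAddressbook.vcf",
    "/Library/LaunchDaemons/systm", "/Library/LaunchDaemons/.systm",
    "/Library/LaunchDaemons/apple.plist",
    "/Users/[CurrentUser]/Library/LaunchAgents/systm",
    "/Users/[CurrentUser]/Library/LaunchAgents/.systm",
    "/Users/[CurrentUser]/Library/LaunchAgents/apple.plist",
]


def list_users(root="/"):
    """Home directories under <root>/Users, skipping hidden entries and Shared."""
    users_dir = os.path.join(root, "Users")
    try:
        return sorted(d for d in os.listdir(users_dir)
                      if not d.startswith(".") and d != "Shared"
                      and os.path.isdir(os.path.join(users_dir, d)))
    except OSError:
        return []


def expand_iocs(paths, users):
    """Replace the [CurrentUser] placeholder with every user name given."""
    out = []
    for p in paths:
        if "[CurrentUser]" in p:
            out.extend(p.replace("[CurrentUser]", u) for u in users)
        else:
            out.append(p)
    return out


def find_iocs(paths, root="/"):
    """Return the absolute paths under root that exist, without duplicates.

    os.path.lexists is used so that a dangling symlink still counts as a hit,
    and a path ending in '*' is expanded with glob.
    """
    hits, seen = [], set()
    for p in paths:
        full = os.path.join(root, p.lstrip("/"))
        candidates = glob.glob(full) if p.endswith("*") else [full]
        for c in candidates:
            if c not in seen and os.path.lexists(c):
                seen.add(c)
                hits.append(c)
    return hits


def relative_hits(hits, root):
    """Hits as sorted paths relative to root (handy when root is an image mount)."""
    return sorted(os.path.relpath(h, root) for h in hits)


def scan(root="/"):
    return find_iocs(expand_iocs(IOC_PATHS, list_users(root)), root)


def make_demo_root():
    """Constructed evidence tree in a temp dir holding three of the IoCs."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    for rel in ("tmp/l.sh", "tmp/__system",
                "Users/victim/Library/LaunchAgents/.systm",
                "Users/victim/Documents/notes.txt"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/"
    for hit in scan(target):
        print("IoC present:", hit)
```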

jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.

Continuing our research on Tibet attacks, we have found more Mac trojans and some interesting MS Office files that deliver them. The group behind these attacks is the same one we have been tracking for a while:

AlienVault Tibet related Research now used to target Tibetan non-governmental organizations

We believe this group is also the same as the group TrendMicro uncovered some days ago:

Malicious Email Campaign Uses Current Socio-Political Events as Lure for Targeted Attack

The doc files seem to exploit MS09-027 and target Microsoft Office for Mac. This is one of the few times we have seen a malicious Office file used to deliver malware on Mac OS X.

http://technet.microsoft.com/en-us/security/bulletin/MS09-027

A remote code execution vulnerability exists in the way that Microsoft Office Word handles a specially crafted Word file that includes a malformed record. An attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

When the victim opens the malicious Word file using Office for Mac, the shellcode writes the malicious payload to disk and executes it, and then opens a benign Office file with the following content:

The first stage copies the payload to the __IMPORT section of dyld using memcpy:

push dword 0x1be        ; payload size
push edx
push dword 0x8fe6f318
push dword 0x8fe6f318   ; dyld __IMPORT (rwx)
mov ebx, 0x8fe2e130     ; memcpy
jmp ebx

The second stage writes necessary files to /tmp/ (bash file, benign doc file, binary) and then executes the bash script (/tmp/launch-hs):

fstat(0x2, 0xBFFF4CD0, 0x200)
fstat(0x24, 0xBFFF4CD0, 0x200)
lseek(0x24, 0x6600, 0x0)    # file offset inside the doc file
open("/tmp/launch-hs\0", 0x602, 0x1FF)
open("/tmp/launch-hse\0", 0x602, 0x1FF)
open("/tmp/file.doc\0", 0x602, 0x1FF)
read(0x24, "#!/bin/sh\n/tmp/launch-hse &\nopen /tmp/file.doc &\n\n\0", 0x32)
write(0x26, "#!/bin/sh\n/tmp/launch-hse &\nopen /tmp/file.doc &\n\n\0", 0x32)
...
close(0x28)
vfork()
execve(0x28, 0xBFFF4B80, 0x0)

Bash file: /tmp/launch-hs:

#!/bin/sh
/tmp/launch-hse &
open /tmp/file.doc &

A couple of doc files drop the previous Mac Trojan we reported last week.

The only difference is the .pslist used:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.apple.docserver</string>
<key>Program</key>
<string>/Applications/Automator.app/Contents/MacOS/DockLight</string>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
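Both launchd plists on this page (the “apple” agent in the previous post that runs a hidden .systm binary stored inside ~/Library/LaunchAgents, and the “com.apple.docserver” agent above that runs a foreign DockLight binary dropped into Automator.app) share traits a defender can look for. The script below is an added example, not code from either post: it parses every plist in the persistence directories with the standard plistlib module and reports those traits as findings. The Apple-label, temp-directory and bundle-name checks are heuristics, so each finding is a lead for an analyst rather than proof of compromise; the three embedded plists are constructed samples, two of them copied from the posts.

```python
"""Heuristic triage of launchd persistence plists (added example)."""
import os
import plistlib
import sys

LAUNCH_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons"]


def _programs(plist):
    """Executables named by Program and ProgramArguments[0], stripped, de-duplicated."""
    progs = []
    if plist.get("Program"):
        progs.append(str(plist["Program"]).strip())
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        progs.append(str(args[0]).strip())
    return list(dict.fromkeys(progs))


def analyze_plist(plist_path, data):
    """Return a list of findings for one launchd plist; an empty list means clean."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # malformed XML or binary plist
        return [f"unparseable plist: {exc}"]
    if not isinstance(plist, dict):
        return ["top-level object is not a dictionary"]
    findings = []
    label = str(plist.get("Label", ""))
    # Apple's own agents live under /System/Library; an Apple-looking label elsewhere is a lead.
    if (label == "apple" or label.startswith("com.apple.")) and not plist_path.startswith("/System/Library/"):
        findings.append(f"Apple-looking label '{label}' outside /System/Library")
    for prog in _programs(plist):
        low, base = prog.lower(), os.path.basename(prog)
        if base.startswith("."):
            findings.append(f"hidden executable name: {prog}")
        if low.startswith(("/tmp/", "/private/tmp/", "/var/tmp/")):
            findings.append(f"executable in a temp directory: {prog}")
        if "/library/launchagents/" in low or "/library/launchdaemons/" in low:
            findings.append(f"executable stored inside a launchd config dir: {prog}")
        parts = prog.split("/")
        for i, part in enumerate(parts):
            # Heuristic: the main executable of Foo.app normally lives at Contents/MacOS/Foo.
            if part.endswith(".app") and parts[i + 1:i + 3] == ["Contents", "MacOS"] and base != part[:-4]:
                findings.append(f"executable name does not match bundle {part}: {prog}")
    return findings


def scan_launch_dirs(dirs=None):
    """Scan the given directories (default: system dirs plus each user's LaunchAgents)
    and return {plist_path: findings} for every plist with at least one finding."""
    if dirs is None:
        homes = [os.path.join("/Users", u) for u in os.listdir("/Users")]
        dirs = LAUNCH_DIRS + [os.path.join(h, "Library/LaunchAgents") for h in homes if os.path.isdir(h)]
    results = {}
    for d in dirs:
        for name in (os.listdir(d) if os.path.isdir(d) else []):
            path = os.path.join(d, name)
            if name.endswith(".plist") and os.path.isfile(path):
                with open(path, "rb") as fh:
                    findings = analyze_plist(path, fh.read())
                if findings:
                    results[path] = findings
    return results


# Constructed samples; the first two are copied from the plists quoted in the posts.
APPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>KeepAlive</key><true/>
<key>Label</key><string>apple</string>
<key>Program</key><string>/Users/operator1/library/launchagents/.systm</string>
<key>ProgramArguments</key><array><string>/Users/operator1/library/launchagents/.systm</string>
<string>1</string><string>2</string><string>3</string><string>4</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

DOCSERVER_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.docserver</string>
<key>Program</key><string> /Applications/Automator.app/Contents/MacOS/DockLight </string>
<key>RunAtLoad</key><true/>
</dict></plist>"""

# A benign-looking entry (constructed) that must produce no findings.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/Example</string>
<string>--check</string></array>
</dict></plist>"""

if __name__ == "__main__":
    for path, findings in scan_launch_dirs(sys.argv[1:] or None).items():
        print(path)
        for finding in findings:
            print("   -", finding)
```

Run it without arguments on a Mac to scan the usual persistence directories, or pass directories from a mounted image. The whitespace inside the DockLight <string> is stripped before the checks so the padded value seen above does not slip past the bundle-name comparison.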

The C&C server this time is:

- 2012.slyip.net : 173.255.160.234

173.255.160.128 – 173.255.160.255

Black Oak Computers Inc – New York – 75 Broad Street

New York, NY, US

The second trojan found is a new one that we had not seen before. We have found several versions compiled for different architectures (ppc, i386, ...). We have also found a version that contains paths to debugging symbols:

/Developer/longgegeProject/Mac Control/MacControl V1.1.1/build/Foundation_Hello.build/Release/Foundation_Hello.build/Objects-normal/ppc/Foundation_Hello.o

/Developer/longgegeProject/Mac Control/MacControl V1.1.1/build/Foundation_Hello.build/Release/Foundation_Hello.build/Objects-normal/i386/Foundation_Hello.o

So the group seems to have a project called “longgege” and the actual trojan is named “MacControl” by them.

The trojan performs the following actions:

- Copies itself into /Library/launched
- Creates /Users/{User}/Library/LaunchAgents/com.apple.FolderActionxsl.pslist

This is how it maintains persistence: the trojan is executed every time the computer starts.

- It then reads the configuration parameters stored at the end of the binary file:
  - domain: freetibet2012.xicp.net, port: 80
- Establishes a connection to the host given in the configuration parameters.
- Sends some information about the victim: username, hostname, system version...

- The trojan will then wait for commands from the C&C.

The attackers can then send commands to the victim to open a remote shell, send files, receive files, delete files...

The C&C domain freetibet2012.xicp.net resolves to 114.249.207.194

114.240.0.0 – 114.255.255.255
China Unicom Beijing province network

China Unicom

All the samples we have found, including the malicious doc files, have a 0/0 antivirus detection rate.

We will publish a technical analysis of the trojan capabilities and some tips to detect these threats. Stay tuned!

Thanks to Rubén Santamarta @reversemode for his help during the analysis.

jaime.blasco

Office pics, update

August 13th, 2008 | Posted by DK in Alienvault OSSIM - (Comments Off)

Remember the pictures I posted some months ago while we were moving in? Well, the office looks much better now, so I decided to bring the camera along and take some pictures. Our office is situated between two emblematic buildings in Madrid, the Torres Blancas and the Puerta de America hotel.

AV Office 2008/08

In the meantime we’re still working on the 1.0.6 updater, which will feature, among others:

  • Antivirus (clamav)
  • Mod-security
  • GLPI
  • The new nessus feed
  • System upgrade
  • Security fixes
  • Automatic Nagios config
  • Bugfixes and more...

The directive editor and reporting probably won't make it into this release, since we want to release before we merge all of the GSoC 2008 data into the main CVS.

    DK

    Mr Wolf Wannabe.