Exploits for zero-day vulnerabilities delivered via spear phishing emails are one of the most successful attack combinations used by threat actors. It is a proven method of infiltrating a target organization in an attempt to gain access to confidential information.
Recently, over the period of the last month, we have uncovered another set of targeted attacks being carried out via spear phishing emails against a European aviation company. We observed the emails being sent to a large group of individuals in the target organization, with attachments exploiting the recently patched RTF vulnerability CVE-2014-1761 and the previously patched ActiveX control vulnerability CVE-2012-0158. Both of these vulnerabilities have been used predominantly in several ongoing targeted attacks.
Both of these spear phishing emails were observed to be coming from French actors using the French Yahoo and Laposte email services, possibly impersonating an employee of the target organization.
RTF Vulnerability: CVE-2014-1761
As indicated above, both of these exploits target the recently patched RTF vulnerability CVE-2014-1761. The precise trigger for this vulnerability is the value of “ListOverrideCount”, which is set to 25, whereas according to the Microsoft RTF specification it should be either 1 or 9. This causes an out-of-bounds array overwrite, which subsequently results in incorrect handling of the structure by Microsoft Word and leads to control of EIP.
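The out-of-specification “ListOverrideCount” value described above is a cheap triage signal for mail-gateway or sandbox pre-filters. The following Python script is an added example (not code from the original post or from any vendor) that extracts every `\listoverridecount` parameter from an RTF file and flags values other than the specification's 1 or 9. The two embedded RTF snippets are constructed for the example and are not samples from this campaign; the only campaign-derived fact used is the trigger value 25.

```python
import re

# RTF control word \listoverridecountN: the parameter N is a signed decimal that
# immediately follows the control word (a space or another control word ends it).
LISTOVERRIDECOUNT_RE = re.compile(rb"\\listoverridecount(-?\d+)")

# Values the RTF specification allows for \listoverridecount
SPEC_ALLOWED = {1, 9}


def is_rtf(data: bytes) -> bool:
    """Cheap header check: Word also opens files whose header is truncated to '{\\rt',
    so only that prefix is required rather than the full '{\\rtf1'."""
    return data.lstrip()[:4] == b"{\\rt"


def find_listoverridecounts(rtf: bytes) -> list:
    """Return every \\listoverridecount parameter found in the RTF, in file order."""
    return [int(m.group(1)) for m in LISTOVERRIDECOUNT_RE.finditer(rtf)]


def suspicious_listoverridecounts(rtf: bytes) -> list:
    """Return only the parameters outside the spec-allowed set {1, 9}."""
    return [v for v in find_listoverridecounts(rtf) if v not in SPEC_ALLOWED]


def scan(data: bytes) -> dict:
    """Triage one file: is it RTF, which values were seen, and a verdict string."""
    if not is_rtf(data):
        return {"rtf": False, "values": [], "suspicious": [], "verdict": "not-rtf"}
    values = find_listoverridecounts(data)
    bad = [v for v in values if v not in SPEC_ALLOWED]
    return {
        "rtf": True,
        "values": values,
        "suspicious": bad,
        "verdict": "suspicious" if bad else "clean",
    }


# Constructed sample documents (not from the campaign): a normal list override
# with count 1, and the same document with the out-of-spec value 25.
BENIGN_RTF = (
    b"{\\rtf1\\ansi{\\*\\listoverridetable"
    b"{\\listoverride\\listid1\\listoverridecount1\\ls1}}Hello}"
)
SUSPICIOUS_RTF = (
    b"{\\rtf1\\ansi{\\*\\listoverridetable"
    b"{\\listoverride\\listid1\\listoverridecount25\\ls1}}Hello}"
)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python rtf_lo_check.py file1.rtf file2.rtf ...
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, scan(fh.read()))
    else:
        print("benign:", scan(BENIGN_RTF))
        print("suspicious:", scan(SUSPICIOUS_RTF))
```

A value outside {1, 9} is not proof of exploitation on its own, but combined with the RTF header check it is a useful first-pass filter to route attachments to deeper sandbox analysis.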
Shellcode:
An interesting aspect of this vulnerability is that all the bytes of the shellcode (ROP chain) are directly controlled by the attacker and come straight from the RTF structure. Here is a high-level view of how the ROP chain is formed directly out of the structure.
Below is a memory snapshot of the parsed RTF structure in memory, leading to control of EIP:
Successful execution of the shellcode opens the decoy document and drops the malware svohost.exe in %TEMP%, which then connects back to the C&C server (C&C details are provided later).
Complete technical details of the vulnerability and the shellcode have been blogged here.
In the same cycle of spear phishing attacks we also got hold of mails targeting the same organization with attachments exploiting the older CVE-2012-0158 vulnerability. The exploit-laden .doc files were found with the file name article.doc.
The following API trace gives a fair idea of the sequence of activities once the exploit is launched on the system:
Payload Analysis:
Analysis of the dropped binary reveals that it is specifically written to gather information about the network of the target organization as well as the configuration of the endpoint, leading us to believe that this could be a spear phishing reconnaissance attack. The payload appears to have been compiled on 9th April, 2014:
The malware initially starts by retrieving the %Temp% path and prepares to log its communication with the C&C server in the file %Temp%\explorer.exe.
Subsequently, it starts collecting the following information about the system configuration, registered organization and network:
- Hostname
- Username
- System type, by calling the IsWow64Process API
- Existing TCP and UDP connections and open ports on the system
- Organization information from the registry key:
--- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    ProductName
    CSDVersion
    CurrentVersion
    CurrentBuildNumber
    RegisteredOrganization
    RegisteredOwner
- Currently running system services
- Installed software from the registry key:
--- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
- Information about network adapters: IP configuration, netcard numbers, IP mask, gateway, DHCP server, DHCP host, WINS server, WINS host
Here is a high-level snapshot of the malware's information gathering code:
Encryption, at a high level, is primarily done using the SYSTEMTIME structure. The malware forms a repeating 256-byte key from the SYSTEMTIME information as shown below:
It then further converts the key into 16 bytes before finally starting to encrypt the information.
Once the buffer has been encrypted, it connects to the C&C server sophos.skypetm.com.tw, posting all the collected information in encrypted form.
Command and Control Research:
During the analysis of this exploit, sophos.skypetm.com.tw was found to be resolving to the IP 66.220.4.100, located in Fremont, USA. The first instance of outbound traffic to this domain was seen on 27th January 2014, at which time it resolved to the IP 198.100.113.27, located in Los Angeles, USA.
From our passive DNS data, we found the following MD5s connecting to the same domain:
The Whois record reveals that the registered domain (skypetm.com.tw) is registered under the email ID longsa33@yahoo.com, which is also found to have registered another domain, “avstore.com.tw”, used actively as a C&C server.
While several other malware binaries have been observed communicating with various subdomains of skypetm.com.tw and avstore.com.tw, all of them are identified as “PittyTiger” malware, which has been implanted in numerous CVE-2012-0158 exploits used in recent targeted attacks. The same payload was also used in the “Tomato Garden” APT campaign targeting Tibetan and Chinese democracy activists, uncovered in June 2013.
Additional domains and IP addresses related to this attack:
· 63.251.83.36
· 64.74.96.242
· 69.251.142.1
· 218.16.121.32
· 61.145.112.78
· star.yamn.net
· 216.52.184.230
· 212.118.243.118
· bz.kimoo.com.tw
· mca.avstore.com.tw
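Because the C&C hostname above changed IP between January and April, and because the post reports other PittyTiger binaries using various subdomains of skypetm.com.tw and avstore.com.tw, a detection that matches only one hostname or one IP will miss traffic. The following Python script is an added example (not code from the original post or from any vendor) that checks outbound proxy or DNS log lines against the indicators listed in this post, matching exact hosts, any subdomain of the two parent domains, and the listed IPs. The log layout and the sample lines are constructed for the example; the subdomain update.avstore.com.tw in the sample is hypothetical and is there only to show parent-domain matching.

```python
import ipaddress
import re

# Indicators taken from the write-up above.
C2_HOSTS = {
    "sophos.skypetm.com.tw",
    "mca.avstore.com.tw",
    "bz.kimoo.com.tw",
    "star.yamn.net",
}
# Parent domains whose subdomains were reported as C&C: match any label under them.
C2_PARENT_DOMAINS = {"skypetm.com.tw", "avstore.com.tw"}
# IPs: the two resolutions of sophos.skypetm.com.tw plus the additional list.
C2_IPS = {
    "66.220.4.100", "198.100.113.27",
    "63.251.83.36", "64.74.96.242", "69.251.142.1", "218.16.121.32",
    "61.145.112.78", "216.52.184.230", "212.118.243.118",
}


def match_host(host: str):
    """Return the indicator a hostname hits (exact host or listed parent domain), else None."""
    host = host.lower().rstrip(".")  # normalise case and a trailing root dot
    if host in C2_HOSTS:
        return host
    for parent in C2_PARENT_DOMAINS:
        if host == parent or host.endswith("." + parent):
            return parent
    return None


def match_ip(value: str):
    """Return the indicator an IP string hits, else None (non-IP input also gives None)."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None
    return str(addr) if str(addr) in C2_IPS else None


# Hypothetical log layout for this example: "<timestamp> <client_ip> <destination> <action>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def match_line(line: str):
    """Parse one log line and return a hit record if the destination is an indicator."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, dest, action = m.groups()
    hit = match_ip(dest) or match_host(dest)
    if hit is None:
        return None
    return {"timestamp": ts, "client": client, "destination": dest, "indicator": hit}


def scan_log(lines):
    """Return the hit records for every matching line, in log order."""
    return [h for h in map(match_line, lines) if h is not None]


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2014-04-10T09:12:01Z 10.0.0.15 sophos.skypetm.com.tw ALLOW",
    "2014-04-10T09:12:05Z 10.0.0.15 66.220.4.100 ALLOW",
    "2014-04-10T09:13:00Z 10.0.0.22 www.example.com ALLOW",
    "2014-04-10T09:14:00Z 10.0.0.31 update.avstore.com.tw ALLOW",  # hypothetical subdomain
    "2014-04-10T09:15:00Z 10.0.0.31 8.8.8.8 ALLOW",
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Matching on the parent domains deliberately trades a little precision for coverage of subdomains not yet seen; where that is too broad for an environment, restrict C2_PARENT_DOMAINS and rely on the exact host and IP sets.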