Tuesday, December 23, 2014

Operation Mangal - Win32 / Syndicasec Used In Targeted Attacks Against Indian Government Organizations - Part-2 : Demystifying The Malware And Its Network Communications


In the previous post on this campaign I walked through the exploit, the timeline and the likely targets. Here I take a deeper look at the malware family that is dropped and at its communication with the command and control servers.

Dropped Malware family : Win32 / Syndicasec :

dw20.exe, the 1st-stage dropper executable dropped by all the RTF exploits involved in this attack, belongs to the malware family dubbed Win32/Syndicasec by ESET. This family was identified in March 2013, when it was used in a cyber-espionage attempt against Tibetan activists, and it has since been used in several other targeted campaigns. Earlier versions of this threat date back to July 2010, when it was active in Nepal and China, as I noted earlier. However, the payload and the mechanics of this malware have evolved since then.

I have found that this threat is now also being used in the espionage attempt against Indian government organizations. The attribution to the same family is confirmed by the behavioural pattern the sample shows on the system during execution.

It first checks for the presence of sysprep.exe in the system32 and sysnative directories, then extracts the embedded executable from its resource section and drops it in the %Temp% directory under the name gupdate.exe.










Subsequently, it reads the Cabinet file embedded in its resource section into memory and extracts it into the system32\sysprep directory as cryptbase.dll, using the Windows Update Standalone Installer (wusa.exe), which runs auto-elevated and can therefore write into that protected directory. The technique used to get the custom cryptbase.dll loaded is DLL load order hijacking. sysprep.exe normally loads cryptbase.dll from directly under system32, and cryptbase.dll is not on the OS's KnownDLLs list, so the loader actually searches for it on disk; because the application's own directory is searched before system32, a cryptbase.dll dropped into system32\sysprep\ is loaded instead of the genuine one. Since sysprep.exe is itself on Microsoft's UAC auto-elevation whitelist, the hijacked DLL runs with elevated privileges without any prompt, which the malware abuses to execute arbitrary commands as an administrator.
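To make the search-order argument concrete, here is an added example (not code from the post or from the malware): a small model of the Windows DLL search order that shows why a cryptbase.dll planted in C:\Windows\System32\sysprep\ wins over the genuine copy in System32, and why the same trick does nothing for a KnownDLL. The file-system snapshot, the abbreviated KnownDLLs list and the sysprep.exe import list are constructed assumptions for illustration.

```python
"""
Model of the default (SafeDllSearchMode=1) DLL search order used to explain
the sysprep.exe / cryptbase.dll hijack. Added example; the file system below
is an in-memory snapshot built for the demonstration.
"""
from pathlib import PureWindowsPath

# Assumed, abbreviated subset of KnownDLLs: the loader maps these from the
# \KnownDlls section and never consults the application directory for them.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}

SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")


def resolve_dll(dll_name, app_dir, present_files, known_dlls=KNOWN_DLLS):
    """Return the path the loader would pick for dll_name when it is imported
    by an executable living in app_dir. present_files is a set of lower-cased
    absolute paths that exist in the snapshot."""
    name = dll_name.lower()
    if name in known_dlls:
        return SYSTEM32 / name  # served from \KnownDlls, disk is not searched
    search_order = [
        PureWindowsPath(app_dir),   # 1. the application's own directory
        SYSTEM32,                   # 2. system directory
        PureWindowsPath(r"C:\Windows\System"),
        PureWindowsPath(r"C:\Windows"),
    ]
    for directory in search_order:
        candidate = directory / name
        if str(candidate).lower() in present_files:
            return candidate
    return None


def hijack_candidates(app_dir, imports, present_files, known_dlls=KNOWN_DLLS):
    """Audit helper: list imports of a binary that would be satisfied from its
    own directory instead of System32, i.e. planted side-by-side DLLs."""
    app = PureWindowsPath(app_dir)
    hits = []
    for dll in imports:
        chosen = resolve_dll(dll, app_dir, present_files, known_dlls)
        if chosen is not None and chosen.parent == app and app != SYSTEM32:
            hits.append(str(chosen))
    return hits


# Constructed snapshots: a clean host and one where the dropper has planted
# its DLL next to sysprep.exe.
CLEAN = {
    r"c:\windows\system32\cryptbase.dll",
    r"c:\windows\system32\kernel32.dll",
    r"c:\windows\system32\sysprep\sysprep.exe",
}
INFECTED = CLEAN | {r"c:\windows\system32\sysprep\cryptbase.dll"}
SYSPREP_DIR = r"C:\Windows\System32\sysprep"
SYSPREP_IMPORTS = ["kernel32.dll", "cryptbase.dll"]  # assumed subset

if __name__ == "__main__":
    print("clean   :", resolve_dll("cryptbase.dll", SYSPREP_DIR, CLEAN))
    print("infected:", resolve_dll("cryptbase.dll", SYSPREP_DIR, INFECTED))
    print("planted :", hijack_candidates(SYSPREP_DIR, SYSPREP_IMPORTS, INFECTED))
```

On a real host the equivalent check is simply to look for any cryptbase.dll (or other non-KnownDLL imported by an auto-elevated binary) sitting next to that binary under System32 and to compare its hash and Authenticode signature against the copy directly under System32.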








Below are the hashes of the 1st-stage dropper along with their compile timestamps, which give a fair idea of the timeline of the attack.

MD5                                 Compile time
1B83B315B7A729CB685270496AE68802    Aug 12, 2014
68BFA1B82DC0E2DE10D0CF8551938DEA    Aug 12, 2014
C249CB532699E15B3CB6E9DEB6264240    Aug 12, 2014
5A80F6F6D75FD8D95D7EC830DC669129    Aug 12, 2014
2881F3EA27802FD9C1ED08C767083D12    Feb 27, 2014
391552FB8DE3F45FB7DD9EF7B9CAA4BB    Sep 5, 2014
13C4D1CA7256B1FBEEEE9DE532097A94    Aug 12, 2014
7F5F57DE1734CC20D915AF68CC2821F2    Feb 27, 2014
0E7DB6B6A6E4993A01A01DF578D65BF0    Sep 5, 2014




The second-stage dropped file, gupdate.exe, connects to the command and control server. This communication is also done in stages and uses Windows Management Instrumentation (WMI), an uncommon choice, to register the JavaScript that connects to the first-stage URLs. The XOR routine that decodes the JavaScript follows:















Looking at the previous versions of this threat, the JavaScript has changed every time this malware has been used.















Command and Control communications :

The JavaScript is primarily responsible for connecting to the first- and second-stage URLs, which lead to the control server. Examining the multiple variants of the RTF exploits and the dropped binaries, we found the following fake blogs with which variants of gupdate.exe communicate. All of the URLs point to the blogs' RSS feeds, from which the encoded stage 2 (control server) URL is fetched.

Stage 1 URLs pointing to the RSS feeds of the fake blogs:
hxxp://kumar807.blogspot.com/feeds/posts/default
hxxp://kumar807.wordpress.com/feed/
hxxp://kumar807.livejournal.com/data/rss
hxxp://blogs.rediff.com/kumar807/feed/
hxxp://kumar807.thoughts.com/feed
hxxp://kumar807.tumblr.com/rss
hxxp://www.blogster.com/kapoorsunil09/profile/rss
hxxp://kumarsingh1976.wordpress.com/feed/
hxxp://musictelevision.blogspot.com/feeds/posts/default

Next we see the format of the encoded stage 2 URL found on the fake blog. Note that the URL is carried inside the "title" tag, with "@" as the delimiter:

 

Encoded stage 2 URLs (command and control servers) found on the fake blog sites:



















Once the response is received, the "title" tag is parsed out of it and the decoding function in the JavaScript is applied to expose the control servers. The decoding algorithm has remained the same across the previous versions of the JavaScript as well.
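The dead-drop layout described above (stage 2 URL hidden in feed titles, fields separated by "@") is easy to automate on the analyst side. The following is an added example, not the campaign's JavaScript: it pulls the "@"-delimited fields out of the title elements of an RSS 2.0 or Atom feed (the stage 1 list above mixes both formats) and hands each field to a caller-supplied decoder. The two feeds are constructed for the example, and the base64 placeholder decoder stands in for the routine shown in the screenshot, whose details are not reproduced here.

```python
"""
Extract '@'-delimited encoded fields from RSS/Atom feed titles and resolve
them with a pluggable decoder. Added example; feeds below are constructed.
"""
import base64
import xml.etree.ElementTree as ET

ATOM_NS = "{http://www.w3.org/2005/Atom}"
DELIM = "@"


def feed_titles(feed_xml):
    """Return the item/entry titles of either an RSS 2.0 or an Atom feed."""
    root = ET.fromstring(feed_xml)
    if root.tag == "rss":
        return [t.text or "" for t in root.iterfind("./channel/item/title")]
    if root.tag == ATOM_NS + "feed":
        return [t.text or "" for t in root.iterfind(f"./{ATOM_NS}entry/{ATOM_NS}title")]
    raise ValueError(f"unsupported feed format: {root.tag}")


def encoded_fields(feed_xml):
    """Titles carrying the delimiter, split into non-empty stripped fields.
    Titles without the delimiter are ordinary decoy posts and are skipped."""
    out = []
    for title in feed_titles(feed_xml):
        if DELIM not in title:
            continue
        fields = [f.strip() for f in title.split(DELIM)]
        out.append([f for f in fields if f])
    return out


def resolve_c2(feed_xml, decode):
    """Apply `decode` to every field; keep results that are printable ASCII,
    which is what a host name or URL must be. Fields the decoder rejects
    (decoy noise, padding errors) are dropped rather than aborting the run."""
    hosts = set()
    for fields in encoded_fields(feed_xml):
        for field in fields:
            try:
                plain = decode(field)
            except Exception:
                continue
            if plain and all(32 <= ord(c) < 127 for c in plain):
                hosts.add(plain)
    return hosts


def placeholder_decode(field):
    """Stand-in decoder for the constructed sample only (base64). The real
    campaign uses the routine from the JavaScript, not base64."""
    return base64.b64decode(field).decode("ascii")


# Constructed sample feeds; the encoded strings decode to placeholder hosts.
RSS_SAMPLE = """<rss version="2.0"><channel><title>kumar807</title>
<item><title>Weekend notes</title></item>
<item><title>ZmFrZS1jMg==@c2Vjb25k@</title></item>
</channel></rss>"""

ATOM_SAMPLE = """<feed xmlns="http://www.w3.org/2005/Atom"><title>kumar807</title>
<entry><title>Hello</title></entry>
<entry><title> first@second </title></entry>
</feed>"""

if __name__ == "__main__":
    print(encoded_fields(RSS_SAMPLE))
    print(encoded_fields(ATOM_SAMPLE))
    print(resolve_c2(RSS_SAMPLE, placeholder_decode))
```

Swap placeholder_decode for the routine lifted from the JavaScript and point the script at the stage 1 URLs above to enumerate whatever stage 2 hosts are current, which is also the quickest way to confirm that a feed has been taken down or re-seeded.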















Below are the stage 2 URLs contacted by the variants of gupdate.exe:

www.asiasky.tk
kumarsingh.tk
zz13572.0023.jxwb2.com
hidimovie.tk
www.pattanasettyraju.org











The parameters sent in the POST request are built by executing WMI queries from the JavaScript. This image shows the functions involved in that operation:











While the malware executes, all of the control servers are live but return an empty command array. Examining the JavaScript, we see that command decoding is done with the eval() function, which leads us to believe there could be another JavaScript stage embedded:









Hashes for the RTF exploits involved in this attack:

598d9b335cec4e3ae6bd87d2c9734a1a
82440b92ddfccbd9645227c71df04db6
6b3700048ef7224f1d0efe1b33bab957
84cef2b4e9cc92533717919aefb55e3e
57679deaf8b39bbee00ac001c7eede81
cc3d7699838bcd434a2c3a804c4a196c
0a81badaf590ad6a9c6bd2f6edbb5f37
bd95cd9a058a267486ee8dbf44c3a757
6122d3fb69e9d3d7f93116eb8fbbf1ef
7772021f3883fd9f0b470387d46ae775
719db97a61e24b2619759ed054c06308
b908156a3fed1db5593c2ea730158f91
c10ffafcc7f44265c7f40d00bdbf5f73
2ed5a096825b7f7a147441d35ec28f10
e73ea3c88a89ef3ed2f4f8acacd048eb
077eaae040cbe7b35e4d2064cb75efe1
b2dfb6007c385414b6dcbb7a69c1ca2c
43c872c4b31c9e6de976e198639a390f
d8ef8fbb9689127b30229659fc091738

I've been tracking this threat for quite some time now. I'll keep posting interesting updates and details on this campaign as I discover them. Stay tuned!



Monday, December 1, 2014

Operation Mangal - Win32 / Syndicasec Used In Targeted Attacks Against Indian Government Organizations - Part-1 : Exploits, Attack Timeline And Targets


Over the last couple of months, we've observed several RTF exploits floating around in the wild, targeting multiple Indian government organizations. The first of this series of RTF exploits was found around 21 August 2014; subsequently, multiple variants of the same exploit were seen until the end of September and through October. The contents of the documents are politically themed, targeting multiple local and overseas Indian government establishments.

Recent political reforms undertaken by the new Indian government, the Prime Minister's visits to Japan and the United States as well as his meeting with the Chinese president, recent UNSC reforms and a series of similar political events have generated quite a movement among APT actors. I believe this could be part of a campaign, involving a group of APT actors, targeting positive political movements and aiming to disrupt the intent of developing and strengthening bilateral ties with neighbouring countries and the United States.

I've decided to dub this wave of attacks "Operation Mangal", after the original name of the APT and ISRO's recent Mangalyaan success, which has distinguished India as a whole on the world stage.

Vulnerability :

All the RTF exploits have been found to exploit the old and already patched Microsoft Office ActiveX control vulnerability CVE-2012-0158 (in the MSCOMCTL.OCX common controls). It has been used in several targeted campaigns in the past and continues to be popular in ongoing targeted attack campaigns. Exploit-laden documents have been found in the wild with the following filenames:

Modi’s foreign policy agenda.rtf
ASEAN-India Agreemnet On Investment.doc
Planning Commission Reform Note FINAL.doc
High Speed Railways.doc
ASEAN-India Comprehensive Brief 2014.doc
Bilateral.doc

Attack vector :

The attack is believed to be carried out via the RTF exploit (CVE-2012-0158) attached to spear-phishing emails targeting Indian organizations. On launching, the exploit drops an executable named dw20.exe in the %temp% directory, which in turn drops gupdate.exe at the same location; gupdate.exe connects to multiple C&C servers in a staged fashion. Following is a high-level picture of how the attack works:

Overall working of the attack
















Below is a visualization of the timeline of this attack over the last 3 months:














Exploit Analysis :

All the RTF exploits used in this campaign use staged shellcode. Spotting the shellcode in the exploit is fairly straightforward, and it uses the well-known technique of resolving API names from their hashes.
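Resolving those hashes back to names is the first thing an analyst does with shellcode of this kind. The following is an added example (not code from the exploit): it implements the classic ROR-13 hash over the export name and uses it to map hashes pulled out of a disassembly back to API names. ROR-13 is assumed here for illustration because it is the most common variant; the exact routine in this campaign's shellcode is the one in the disassembly, and the kernel32.dll export list below is a constructed subset.

```python
"""
ROR-13 API-name hashing and a reverse lookup table for shellcode analysis.
Added example; the hash algorithm and export list are assumptions.
"""

MASK = 0xFFFFFFFF


def ror32(value, bits):
    """Rotate a 32-bit value right by `bits` (what the shellcode's ROR does)."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK


def ror13_hash(name):
    """h = ror(h, 13) + byte for every ASCII byte of the name, no terminator.
    This matches the widely used Skape-style hash (LoadLibraryA -> 0xEC0E4E8E)."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK
    return h


def build_hash_table(export_names, hasher=ror13_hash):
    """Map hash -> export name. Refuse silently ambiguous tables: two different
    names hashing to the same value would make a lookup untrustworthy."""
    table = {}
    for name in export_names:
        h = hasher(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]} vs {name}")
        table[h] = name
    return table


def resolve_hashes(hashes, export_names, hasher=ror13_hash):
    """Return {hash: name or None} for the hash constants seen in shellcode.
    A None result usually means a different module or a different hash variant."""
    table = build_hash_table(export_names, hasher)
    return {h: table.get(h) for h in hashes}


# Constructed subset of kernel32.dll exports, not a full export table; in
# practice feed it the real export directory parsed from the DLL on disk.
KERNEL32_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileA",
    "ReadFile", "GetFileSize", "SetFilePointer", "WinExec", "ExitProcess",
]

if __name__ == "__main__":
    seen_in_shellcode = [0xEC0E4E8E, 0x12345678]
    for h, name in resolve_hashes(seen_in_shellcode, KERNEL32_EXPORTS).items():
        print(f"{h:#010x} -> {name}")
```

If every hash comes back None, try the other common variants (a different rotate count, hashing the upper-cased module name as well, or including the terminating null byte) before assuming a custom routine.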












Once the APIs are resolved, the shellcode locates the open exploit document in memory by enumerating file handles, then reads the 1st-stage shellcode into allocated virtual memory, which in turn decrypts the 2nd-stage shellcode.




















Below is the routine from the 1st-stage shellcode that decrypts the 2nd stage and then jumps to it.














The "datastore" of the RTF exploit contains the embedded XORed executable, which is accessed by the 2nd-stage shellcode.












The 2nd-stage shellcode then decrypts the embedded binary and the embedded decoy document using the same decryption algorithm, eventually dropping the binary in the %Temp% directory as dw20.exe and executing it.
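The same two steps (pull the hex datastore out of the RTF, undo the XOR, get a PE) can be done statically without running the shellcode. Here is an added example, not the campaign's decryption routine: it carves long hex runs out of an RTF, brute-forces a single-byte XOR key by checking for a valid MZ/PE header, and returns the decoded executable. The single-byte key is an assumption for illustration (the real routine is the one in the screenshots), and the RTF fragment and PE-shaped blob are constructed for the example.

```python
"""
Carve a single-byte-XOR-encoded PE out of an RTF hex datastore.
Added example; XOR key width is an assumption, sample data is constructed.
"""
import re
import struct

# A run of at least 64 hex byte pairs (whitespace allowed) is treated as
# embedded binary data; short hex-looking words in RTF control text are not.
HEX_RUN = re.compile(rb"(?:[0-9a-fA-F]{2}\s*){64,}")


def extract_hex_blobs(rtf_bytes):
    """Decode every long hex run in the RTF into raw bytes."""
    blobs = []
    for m in HEX_RUN.finditer(rtf_bytes):
        hexdigits = re.sub(rb"\s+", b"", m.group(0))
        if len(hexdigits) % 2:
            hexdigits = hexdigits[:-1]  # drop a dangling nibble
        blobs.append(bytes.fromhex(hexdigits.decode("ascii")))
    return blobs


def looks_like_pe(data):
    """Minimal PE sanity check: 'MZ' at 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def find_xor_key(blob):
    """Try all 256 single-byte keys; return (key, decoded) or None.
    Key 0 is included so an unencoded PE is reported as well."""
    for key in range(256):
        candidate = xor_bytes(blob, key)
        if looks_like_pe(candidate):
            return key, candidate
    return None


def carve_xored_pes(rtf_bytes):
    """(key, pe_bytes) for every hex blob in the RTF that decodes to a PE."""
    found = []
    for blob in extract_hex_blobs(rtf_bytes):
        hit = find_xor_key(blob)
        if hit:
            found.append(hit)
    return found


# --- constructed sample: a minimal PE-shaped blob XORed with 0x7A, wrapped
# --- in an RTF fragment the way an embedded datastore would be.
def fake_pe():
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)       # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 60


SAMPLE_KEY = 0x7A
SAMPLE_RTF = (b"{\\rtf1\\ansi Decoy text. {\\*\\datastore "
              + xor_bytes(fake_pe(), SAMPLE_KEY).hex().encode("ascii")
              + b"}}")

if __name__ == "__main__":
    for key, pe in carve_xored_pes(SAMPLE_RTF):
        print(f"key={key:#04x} size={len(pe)} bytes")
```

If nothing is found, widen the check to a multi-byte or rolling key rather than loosening looks_like_pe: a permissive header check is exactly how a carver starts reporting the decoy document as an executable.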

















Here is what the complete shellcode looks like:























Some of the other decoy documents found in the ongoing campaign:













Based on further research into the origin of these targeted attacks against India, I believe this campaign has been going on since 2010, when the threat was active in a limited geographical area in Nepal and China. Over this span of 4 years, several different malware families could have been used to exfiltrate information from compromised machines within the targeted Indian organizations.

Based on the nature and theme of the exploits used in the attack, I believe this could be a continued cyber-espionage attempt against India with the intent of stealing confidential data and documents of national interest.

In this wave, I believe the following organizations were targeted using multiple variants of RTF exploits taking advantage of the same vulnerability.

  • Indian embassies in United States and China
  • Military / Defence educational institutions in India
  • Institute for Defence Studies and Analyses, India
  • Defence Intelligence Agency under Ministry of Defence in India
A while back, when taking a closer look at this attack, I came across a very interesting paper published in 2010 describing a similar espionage attempt against India, closely related to this ongoing attack and with similar targets. It suggests that this is a closely knit group of APT authors focusing on this region.


In the next part, I will take a deep dive into the family of malware dropped by these exploits and its network communications, to get a better view of the techniques used and how this threat works as a whole.