In the previous blog on this campaign , I walked through the exploit , the timeline and the possible attack targets . Out here , I'll take a more deeper look into the malware family dropped and its communication to the command and control servers.
Dropped Malware family : Win32 / Syndicasec :
dw20.exe, 1st stage dropper executable dropped by all the RTF exploits involved in this a attack, is a malware family dubbed as Win32/Syndicasec by ESET. This malware was identified back in March 2013 during which it was used in the cyber espionage attempt against the Tibetian activist and was also used in multiple other targeted campaigns. Previous versions of this threat was also discovered way back in July 2010 during which it was active in Nepal and China, as I indicated earlier.However, the payload and the mechanism of this malware has evolved since then.
I have uncovered that this threat is now also being currently used in the espionage attempt against the Indian government organizations. We can very well confirm the threat similarity based on the behavioural pattern on the system during the execution.
It tries to determine the presence of sysprep.exe in the system32 and sysnative directory and then it goes to extract the embedded executable from the resource section , drops it in the %Temp% directory with the name gupdate.exe
Subsequently , it reads the Cabinet file embedded in the resource section , into the memory , extracts it into the /sysprep directory with the name cryptbase.dll , using the Windows Update Standalone Agent ( wusa.exe ).The technique used here to load the custom cryptbase.dll is what we call as DLL Load Order Hijacking . Sysprep.exe usually loads the cryptbase.dll, which is directly under the system32 and is not in the OS’s Known_DLLs list . If the malware drops the DLL with the same name in the system32/sysprep/ directory , then the dropped dll would be loaded instead of the one directly under the system32 , because of the DLL search order. Further, it exploits the vulnerability in the Microsoft UAC whitelist process allowing it to run the arbitrary command with the elevated privileges.
Below are all the hashes of the 1st stage dropper along with the compile time which would give the fair enough idea of the timeline of the attack.
| |||||||||||||||||||||
The second-stage dropped file, gupdate.exe, connects to the command and control server. This communication is done in stages as well and uses the uncommon Windows Management Instrumentation system to register the JavaScript that connects to the first-stage URLs. The XOR routine for JavaScript follows:
Looking at the previous versions of this threat, JavaScript versions have changed every time this malware was used.
Command and Control communications :
The JavaScript is primarily responsible for connecting to the first- and second-stage URLs, which leads to the control server. Examining the multiple variants of the RTF exploits and the dropped binaries, we’ve found the following fake blogs with which variants of gupdate.exe communicate. All of the URLs point to the blogs’ RSS feeds, from which the encoded Stage 2 (control server) URL is fetched.
Stage 1 URL pointing to the RSS feeds of the fake blogs:
hxxp://kumar807.blogspot.com/feeds/posts/default
hxxp://kumar807.wordpress.com/feed/
hxxp://kumar807.livejournal.com/data/rss
hxxp://blogs.rediff.com/kumar807/feed/
hxxp://kumar807.thoughts.com/feed
hxxp://kumar807.tumblr.com/rss
hxxp://www.blogster.com/kapoorsunil09/profile/rss
hxxp://kumarsingh1976.wordpress.com/feed/
hxxp://musictelevision.blogspot.com/feeds/posts/default
Next we see the format of the encoded Stage 2 URL found on the fake blog. Note that the URL is within the the "title" tag with the “@” delimiter: tag with the “@” delimiter:
Encoded stage 2 URLs ( Command and Control servers ) found on the fake blog sites.
Once the response is received, the "title" tag is parsed out of the response and the decoding function in the JavaScript is applied to expose the control servers. Decoding algorithm has remained same in the previous versions of the javascript as well.
Below are the stage 2 URLs found to be connected by the variants of the gupdate.exe
www.asiasky.tk
kumarsingh.tk
zz13572.0023.jxwb2.com
hidimovie.tk
www.pattanasettyraju.org
The parameters sent in the POST request are formed by executing the WMI queries from the JavaScript. This image shows the functions of this operation:
While the malware executes, all of the control servers are live but with an empty command array. Examining the JavaScript, we see the command decoding is done with the eval() function, which leads us to believe there could be another JavaScript embedded:
Hashes for the RTF exploits involved in this attack:
598d9b335cec4e3ae6bd87d2c9734a1a
82440b92ddfccbd9645227c71df04db6
6b3700048ef7224f1d0efe1b33bab957
84cef2b4e9cc92533717919aefb55e3e
57679deaf8b39bbee00ac001c7eede81
cc3d7699838bcd434a2c3a804c4a196c
0a81badaf590ad6a9c6bd2f6edbb5f37
bd95cd9a058a267486ee8dbf44c3a757
6122d3fb69e9d3d7f93116eb8fbbf1ef
7772021f3883fd9f0b470387d46ae775
719db97a61e24b2619759ed054c06308
b908156a3fed1db5593c2ea730158f91
c10ffafcc7f44265c7f40d00bdbf5f73
2ed5a096825b7f7a147441d35ec28f10
e73ea3c88a89ef3ed2f4f8acacd048eb
077eaae040cbe7b35e4d2064cb75efe1
b2dfb6007c385414b6dcbb7a69c1ca2c
43c872c4b31c9e6de976e198639a390f
d8ef8fbb9689127b30229659fc091738
I've been tracking this threat since quite some time now . I'll keep posting any interesting updates and details on this campaign as and when I discover ..stay tuned !!..
No comments:
Post a Comment