We recently came across some malware of the SOGOMOT and MIRYAGO families that update themselves in an unusual way: they download JPEG files that contain encrypted configuration files/binaries. Not only that, we believe that this activity has been ongoing since at least the middle of 2010. A notable detail of the malware we came across is that these families hide their configuration files inside these images. The JPEGs are located on sites hosted in the Asia-Pacific region, and we believe that these malware families are used in targeted attacks in the region as well.
Analysis of the JPEG updates
While the contents of the JPEG file are encrypted, we were able to decrypt and analyze the contents of these files. We can divide these into three groups:
- configuration file (Type A)
- configuration file (Type B)
- binary content (either DLL or EXE files)
The first kind of configuration file (Type A) is similar to what we’ve seen with other malware. It contains information that allows the malware to process commands from an attacker, change settings/modules, and update itself. Among these settings are URLs where other malicious JPEG files are hosted. In addition, these files indicate that the attacker may have already compromised the targeted organization(s), as some of the information pertains to specific machines or individuals within those organizations.
The second kind of configuration (Type B) file appears to be related to antivirus software. It contains the process names of multiple AV products from various vendors, as well as information about hostnames within the target network. Here is a portion of a Type B file, after decoding:
This configuration is much shorter than the Type A configuration. It also contains values that are evidence that the infection is already in stage 2 of the attack.
In addition to configuration files, the JPEG files can also contain executable files, which can either be updates for the malware itself or new malware that will be installed on affected systems.
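The post does not say where inside the JPEG the encrypted content sits, so as an added triage example (not code from the original analysis) the script below walks the JPEG marker segments, locates the End Of Image marker, and reports how much data trails it and how random that data looks; an encrypted blob appended after EOI, the most common way an image is turned into a carrier, shows up as a large high-entropy tail. The minimal JPEG bytes, the hash-chained stand-in for an encrypted payload, and the 6.0 entropy threshold are all constructed assumptions for the demonstration.

```python
import hashlib
import math

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA  # JPEG marker codes (second byte after 0xFF)

def walk_segments(data):
    """Walk marker segments up to Start Of Scan; return ([(marker, payload_len)], sos_offset)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segs, pos = [], 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == SOS:
            break
        length = int.from_bytes(data[pos + 2:pos + 4], "big")  # counts its own 2 bytes
        segs.append((marker, length - 2))
        pos += 2 + length
    return segs, pos

def find_eoi(data, start):
    """Return the offset just past the first EOI marker at or after `start`, or -1."""
    idx = data.find(b"\xff\xd9", start)
    return -1 if idx < 0 else idx + 2

def shannon_entropy(buf):
    """Byte-level Shannon entropy in bits (0.0 for empty input, 8.0 is the maximum)."""
    if not buf:
        return 0.0
    counts = [buf.count(b) for b in set(buf)]
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts)

def inspect_jpeg(data, entropy_threshold=6.0):
    """Summarise segment layout and flag a large, random-looking tail after EOI."""
    segs, sos = walk_segments(data)
    end = find_eoi(data, sos)
    trailing = data[end:] if end > 0 else b""
    ent = shannon_entropy(trailing)
    return {"segments": [(hex(m), n) for m, n in segs],
            "trailing_bytes": len(trailing),
            "trailing_entropy": round(ent, 2),
            "suspicious": len(trailing) > 0 and ent >= entropy_threshold}

# Constructed minimal JPEG: SOI, one APP0 (JFIF) segment, SOS plus three scan bytes, EOI.
CLEAN_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\x56" + b"\xff\xd9")
# Constructed stand-in for an encrypted payload: 1024 deterministic hash-chained bytes.
_blob, _chunk = b"", b"constructed"
for _ in range(32):
    _chunk = hashlib.sha256(_chunk).digest()
    _blob += _chunk
CARRIER_JPEG = CLEAN_JPEG + _blob  # the "carrier" case: payload appended after EOI

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_JPEG), ("carrier", CARRIER_JPEG)):
        print(name, inspect_jpeg(sample))
```

Run over a directory of downloaded images, the same check gives a quick first pass for carrier files; it will not catch payloads hidden inside APPn segments or the scan data itself, which need per-segment entropy checks instead.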
JPEG File Hosting and Appearance
These JPEG files are hosted on various websites, mostly located in the Asia-Pacific region. At least some of these sites appear to have legitimate content, meaning they were compromised to host these files.
Here are some screenshots of the JPEG files we’ve seen:
We have obtained multiple samples of these JPEG files, and based on these, we believe that this method of updates was first used in June 2010, and is still in use today. The frequency of updates varies wildly: at times there were periods with near-daily updates, and at other times months went by between updates.
Using the information from the decrypted configuration files, we were able to retrieve emails sent by this malware. These contain an encrypted attachment named tplink2.bin. This file includes the following information:
- Hostnames and IP addresses on the infected machine’s network
- List of JPEG files already accessed by the malware
- Detailed OS version information, including security updates installed
With additional analysis from Adam Sun