In the past few weeks, we have received several reports of targeted attacks that exploited various application vulnerabilities to infiltrate various organizations. Similar to the Safe Campaign, the campaigns we noted went seemingly unnoticed and under the radar. The attackers orchestrating the campaign we call the Siesta Campaign used multicomponent malware to target certain institutions that fall under the following industries:

• Consumer goods and services
• Energy
• Finance
• Healthcare
• Media and telecommunications
• Public administration
• Security and defense
• Transport and traffic

Threat actors don’t always rely on complex attack vectors to infiltrate an organization’s network. Attackers can also make use of basic social engineering techniques for their victims to take the bait, such as in our case study below. Read the rest of this entry »

Recently, we have observed a new backdoor family which we’ve called BLYPT. This family is called BLYPT because of its use of binary large objects (blob) stored in the registry, as well as encryption. Currently, this backdoor is installed using Java exploits; either drive-by downloads or compromised web sites may be used to deliver these exploits to user systems. Our research shows that the servers behind these attacks are mainly centered in Romania and Turkey.

Currently, this threat is primarily hitting users in the United States; however it seems that consumers (as opposed to businesses) are the most affected.

Arrival and Installation

In one case, we found a Java exploit that was used to spread this attack. This particular exploit, detected as JAVA_EXPLOYT.HI, can be used to run arbitrary code. It exploits a vulnerability, CVE-2013-1493, that has been exploited since February 2013. It was patched in March.

The exploit is used to download an installer (saved as ~tmp{random values}.tmp), which is responsible for downloading and installing the main BLYPT component onto the affected system. It is named logo32.png or logo64.png, depending on whether the user is running a 32-bit or 64-bit version of Windows, respectively. The installer attempts to connect to three servers every 3 seconds, until it successfully downloads the backdoor component. If it fails, it will retry up to 32 times before it gives up.

We have identified two BLYPT variants, which can be identified based on the file name used to save the main BLYPT component. In both cases, they are saved in the %App Data%\Microsoft\Crypto\RSA directory. One variant is saved as NTCRYPT{random values}.TPL; the second variant is saved as CERTV{random values}.TPL. Both variants have 32- and 64-bit versiosons, and their behavior is mostly identical. (We detect these variants as BKDR_BLYPT.A, BKDR_BLYPT.B and BKDR64_BLYPT.B.)

Figure 1. Infection diagram for BKDR_BLYPT

One difference between the two is where their C&C server information is stored. The NTCRYPT{random values}.TPL variants do not actually contain any C&C information on their own; the installer instead saves C&C information in the registry that the BLYPT backdoor uses. The CERTV{random values}.TPL variants have their C&C server information embedded in the file itself. In both cases, the C&C information is stored in the registry under the HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\
5A82739996ED9EBA18F1BBCDCCA62D2C1D670C\Blob key.

While the C&C server information is stored in the same key, their formatting is different. For the first variant, once decoded, the information is in plain text and in the following format:

<ip1>#:<port1>#:#:<server page1>#;<ip2>#:<port2>#:#:<server page2 >#;<ipN>#:<portN>#:#:<server pageN>#;

The second variant stores its information in binary format, and once decoded has the following format:

struct
{
DWORD ip;
WORD  port;
} cncServer;

cncServer cncList[];

Raw Data Format Example:
<(DWORD)ip1><(WORD)port1><(DWORD)ip2><(WORD)port2><(DWORD)ipN><(WORD)portN>

Both variants encrypt their information using alleged (arc4) and use “http://microsoft.com” as the decryption key.

One more note about the installer: it provides instant feedback on the status of the install by accessing a URL on the malicious server, which actually serves as a status report. The URL would be: http://{malicious server}/index.aspx?info=<status keyword>. The status keyword can be any of the following:

• startupkey_%d where %d = RegCreateKeyW return
• reuse
• configkey_%d where %d = RegCreateKeyA return
• configkeyvalue_%d where %d = RegSetValueExA return
• tserror_4_%d where %d = GetLastError from call to connect
• createproc_%d where %d = GetLastError from call to CreateProcessW
• reusereboot_%d_%d_%d

C&C Server Attribution

By decoding the configuration files used by this malware, we were able to determine the distribution of the C&C servers used by this threat, as seen in the chart below:

Figure 2. Location of BLYPT C&C Servers

Other Behavior

In addition to the C&C info mentioned earlier, BLYPT stores other information in the registry in the form of embedded “blobs”. These are as follows:

Table 1. Blobs used by BLYPT

As a backdoor, BLYPT also allows an attacker to send commands to an affected system. Among the commands than can be executed are:

• Receive updated DLL binary
• Receive updated configuration
• Receive HTTP request commands, such as:
  • Send GET request to http://103.31.186.19:1000/FetchIP.aspx to retrieve public IP of affected machine

Trend Micro Smart Protection Network protects users from this threat by blocking the related sites and detecting the malware. In addition, Deep Discovery protects users by detecting the downloaded files from the malicious C&C servers, while Deep Security covers the related vulnerability via DPI rule 1005410 – Oracle Java Runtime Environment Remote Code Execution Vulnerability (CVE-2013-1493).

With additional information from Darin Dutcher and Jayronn Christian Bucu. 

Update as of September 26, 2013

The SHA1 hashes of the BLYPT samples are:

• 0d1b43e7bce02a90350881f98a6b124b7bd2b62c
• 10c70cfc19e7b26193c30dd4b02adfa316c4ef4c
• 50b5d5707b3891dfb53041e79844b64f40b6d807
• 572343b7021f53d8a9acd726dea677dfe606f5b2
• 84ab637055892f8b237e9af51337a0e2c7d9e36b
• 8c11ce39f88012dbf00d9e4ef24f47af7f319db5
• c43c84480f672212181e24a70247982d60efcac5
• f14d9a11b193b7a2e59f160d42bde2b55a92b945

ONLINEG, a spyware known to steal online gaming credentials, appears to be adding backdoors to its resume. We found a variant (specifically TSPY_ONLINEG.OMU) that aside from the usual data theft routine, also downloads a backdoor onto the infected system, making it vulnerable to more damage.

TSPY_ONLINEG.OMU was recently found on certain South Korean websites, which were compromised to host the said malicious file. Based on our analysis, the spyware is possibly an updated version of an old variant detected as TSPY_ONLINEG.ASQ, which first existed about a year ago.

Like any online gaming spyware, TSPY_ONLINEG.OMU steals user accounts and credentials of specific online games. But in addition to this, if the user visits the login pages for the administrator consoles of websites that are part of certain industries, it downloads a keylogger/backdoor (BKDR_TENPEQ.SM). This allows the attacker to steal the credentials used for these portals.

The companies targeted by these attack are all based in South Korea and belong to the following industries:

• News
• TV
• Radio
• Finance
• Shopping
• Gaming
• Advertising

Online gaming’s popularity in South Korea is well-known, thus it is no surprising that the people behind this attack used TSPY_ONLINEG.OMU. However, the use of ONLINEG may also have been an attempt to disguise the actual intent of the malware. Because this particular malware family is “known” to be focused on online gaming theft, without looking into the actual code people may underestimate its potential threat.

This incident is also another example of the online bad guys’ continuous efforts to revamp and improve old but reliable threats. Thus it is important for users to stay updated with the latest developments in online security.

As of this writing, the affected South Korean sites are now clean and no longer host the said malware.

With additional insights from Threat researcher Eruel Ramos

From the arrest of one of the head members of the ransomware gang to the successful Rove Digital takedown, coordination between law enforcement agencies and security groups has time and again yielded positive results. This time, the Taiwan Criminal Investigation Bureau (CIB), in cooperation with Trend Micro, resolved a targeted attack involving the notorious Ghost RAT family. One person was arrested by the CIB.

BKDR_GHOST (aka Gh0st RAT or TROJ_GHOST), a well-known remote access Trojan (RAT) is commonly used in targeted attacks and is widely available to both threat actors and cybercriminals alike.

In this specific targeted attack, the attackers delivered BKDR_GHOST to unsuspecting targets via custom spear phishing emails which contained a link where the malware is automatically downloaded. It poses as the Taiwan Bureau of National Health Insurance which makes the email convincing enough to lure the targets into clicking and eventually executing the malware.

To avoid easy detection, the attackers designed these emails to contain a link, which redirects users to a specific site and automatically download an official-looking RAR archive file. Moreover, to further persuade users to open a document file inside the archived file, the attacker made use of an old but effective file naming trick- appending multiple spaces in between the document extension (in this case, .DOC) and an executable extensions (in this case, .EXE). This is still an effective technique because putting multiple spaces will hide the real file extension because of the small RAR window. Our threat discovery solutions detects malware with this trait as HEUR_NAMETRICK.A in ATSE 9.740.1046.

BKDR_GHOST infection chain

Once the user opens the disguised malware, which is an executable archived file itself, the following are dropped and executed:

• %windir%\addins\ACORPORATION.VBS (detected as VBS_GHOST) – executes Gh0st RAT installation script (AMICROSOFT.VBS)
• %windir%\addins\AMICROSOFT.VBS (detected as VBS_GHOST) – extracts password protected Gh0st RAT archive (f2o.zip)
• %windir%\addins\Atask.bat (detected as BAT_GHOST) – searches for and overwrites the following files with the extracted Gh0st RAT components:
  • AdobeARM.exe
  • jusched.exe
  • Reader_sl.exe
• %windir%\addins\f2o.zip – contains 2 BKDR_GHOST variants performing similar malicious behaviors:
  • put.exe (Detected as BKDR_GHOST)
  • cd.exe (Detected as BKDR_GHOST)

In another attempt to be inconspicuous, the final BKDR_GHOST payloads are stored in a password-protected archived file (f2o.zip), the passwords of which can be found inside the installation script AMICROSOFT.VBS. Once these BKDR_GHOST malware are executed, the attackers gain full access onto the infected system to perform their malicious deeds, navigating through the system and exfiltrating valuable data such as personal information.

Figure 1: Flow of the targeted attack

Figure 2: Detailed malware execution flow

To avoid falling prey to these attacks, we highly encourage users to be always cautious before opening any attachments or clicking links contained in email messages. It is fairly common for attackers to spoof government agencies and other institutions, thus users must verify the legitimacy of the email they receive. For more information about how targeted attacks work, you may read our paper Targeted Attack Entry Points: Are Your Business Communications Secure?

Earlier in February we blogged about RARSTONE, a Remote Access Tool (RAT) that we discovered having some similar characteristics to PlugX, an older and more well-known RAT. In April, the same malware family used the Boston Marathon bombing as part of its social engineering bait.

Since then, we’ve been looking out for further attacks using RARSTONE. We’ve seen it used in targeted attacks across Asia, hitting several industries like telecommunications, oil and gas, governments, media, and others. The said targets are located in various countries including India, Malaysia, Singapore, and Vietnam. To better identify this campaign, we are calling this Naikon, based on the common useragent strings found in related attacks (NOKIAN95/WEB).

These attacks were carried out using spear-phishing attacks against the target organizations, using messages related to diplomatic discussions in the Asia-Pacific region.

The spear-phishing email contains a malicious document as an attachment, which exploits CVE-2012-0158, a dated vulnerability in Windows common control. This vulnerability was also used in other targeted attacks, most recently the “Safe” campaign that compromised several government agencies, media outlets and other institutions.

When the target opens the attachment, a decoy document is dropped into the system, so as to make the victim think that the decoy document is the file they opened. However, in reality, opening the attachment also triggers the dropping of BKDR_RARSTONE. The malware downloads its backdoor component from a C&C server and loads it directly into memory. This behavior makes RARSTONE difficult to detect using ordinary, file-based scanning technologies.

What makes RARSTONE unique from PlugX – and other RATs – is its ability to get installer properties from Uninstall Registry Keys. This is so that it knows what applications are installed in the system and how to uninstall them, in the case that these applications inhibit RARSTONE’s functions. It also uses SSL to encrypt its communication with its C&C server, which not only protects that connection but also making it blend in with normal traffic.

The attackers behind Naikon clearly tried to make the work of security researchers more difficult. The domains used by this campaign used either dynamic DNS domains, or used registrars with privacy protection.

Targeted attacks like this are typically part of broader campaigns meant to stay under the radar and steal information from target entities. Traditional technologies like blacklisting and perimeter controls are not enough to detect or block the components of these campaigns. Instead, enterprises need to increase their visibility and control over their networks in order to identify dubious network traffic.

Tools like Trend Micro Deep Discovery can help IT admins accomplish this, in the broader context of a custom defense necessary to detect intrusions in the network. Deep Security also protects users from exploits using CVE-2012-0158 via DPI rule 1004978 – MSCOMCTL.OCX RCE Vulnerability For Office Binary File (CVE-2012-0158).

With additional insights by Senior threat researcher Jessa dela Torre