When we think of Advanced Persistent Threats (APT), we often associate APT intrusion vectors with spearphishing email messages that carry either a malicious attachment or a link to a malicious website. Many enterprise security teams overlook, or fail to consider, how online profiles within social networking sites (SNS) can be leveraged as an initial attack vector and how those profiles enable follow-on targeting of key personnel. As part of Cyber Squared’s focused pursuit of sophisticated threats, we have identified an example of this targeted attack technique staged through the malicious Twitter account @hahadaxiao1 and used against Chinese political activists and affiliates. We found that this user intentionally sent tweets to three specific Twitter users on February 28, 2013 that contained links to two compromised websites, a Chinese-language forum and a Tibet-related WordPress blog. Both websites loaded CVE-2013-0634 Adobe Flash SWF exploits with embedded DLL payloads.
Operational Caveat: On 2 March, Cyber Squared notified Twitter Security of the malicious @hahadaxiao1 account and the associated targeted attacks.
As we can see in the screenshot below, @hahadaxiao1 sent three tweets to three different Twitter users on February 28th.
The targeted Twitter accounts were associated with:
- An individual affiliated with a Tibetan independence movement
- A Chinese-language blog-related account
- A Chinese-language political activism-related account
All of the tweet recipients share characteristics that would be of interest to Chinese government-sponsored cyber espionage actors, and are related to entities that are known targets of Chinese APT groups.
The Flash Exploit Drivebys:
The link sent to the two Chinese-language users redirected them to a Chinese-language forum page at hXXp://forum[.]dwnews[.]com/threadshow.php?tid=1034399
This page was compromised to serve a CVE-2013-0634 Flash SWF exploit found at hXXp://web[.]vxea[.]com/my.swf
The following HTML code was used to load the SWF exploit:
Meanwhile, the link sent to the Tibet-affiliated individual led to a WordPress blog page at hXXp://www[.]nyamdel[.]com/wp-includes/theme-compat/Full-list-of-self-immolations-in-Tibet.htm.
In this watering hole, the SWF exploit was located at hXXp://www[.]nyamdel[.]com/wp-includes/theme-compat/qz.swf.
We also identified a second exploit on the WordPress site that was not used by @hahadaxiao1. This exploit was found at hXXp://www[.]nyamdel[.]com/wp-includes/theme-compat/uoc.swf and loaded from the webpage at hXXp://www[.]nyamdel[.]com/wp-includes/theme-compat/DUQ-ning-Jenwede-chaqiridighan-Ikki-chong-yighini-heqqidiki-Uxturushi.htm.
This second exploit appears to target Uighur community members or sympathizers. The Uighurs are a heavily persecuted ethnic group in Northwest China who have been continuously targeted by Chinese APT groups.
Picking Apart the Payloads:
Through static analysis of the uncompressed SWF exploits, we were able to extract the embedded payload DLL files using 7-Zip.
There were actually two DLL files embedded in each exploit. One has already been submitted to VirusTotal and appears to be a 64-bit DLL. This 64-bit payload is identical across all of the SWF exploits, while the second, 32-bit DLL differs for each SWF file.
Once the payload is extracted from the SWF file with 7-Zip, the extracted file begins with a run of null bytes that must be removed before the remaining bytes form a valid DLL (the file should then start with the MZ header).
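The padding removal described above, as an added example that is not part of the original post: rather than deleting bytes by hand in a hex editor, the carver locates the MZ header, then confirms that the PE signature sits at the e_lfanew offset and reads the COFF machine field to tell a 64-bit DLL from a 32-bit one. The sample blob is constructed here (a minimal DOS/PE header behind 16 null bytes), not a real payload from the SWF files.

```python
import struct

def carve_dll(blob):
    """Drop leading padding before the 'MZ' DOS header, then confirm the PE
    signature sits at the e_lfanew offset so the carved image is a valid PE."""
    start = blob.find(b"MZ")
    if start < 0:
        raise ValueError("no MZ header found")
    image = blob[start:]
    if len(image) < 0x40:
        raise ValueError("truncated DOS header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]   # offset of 'PE\0\0'
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    return image

def is_64bit(image):
    """Machine field of the COFF header: 0x8664 is x86-64, 0x14c is i386."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    machine = struct.unpack_from("<H", image, e_lfanew + 4)[0]
    return machine == 0x8664

# Constructed sample: 16 NUL bytes of padding, a minimal DOS header whose
# e_lfanew points at offset 0x40, then a PE signature and an AMD64 machine field.
SAMPLE = (b"\x00" * 16 + b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
          + b"PE\0\0" + struct.pack("<H", 0x8664) + b"\x00" * 18)

if __name__ == "__main__":
    dll = carve_dll(SAMPLE)
    print("carved %d bytes, 64-bit: %s" % (len(dll), is_64bit(dll)))
```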
Command and Control:
All of the observed payloads have the same callbacks and command and control (C2) operations. When executed, the DLL drops two executable files, “seccenter.xxx” and “~uz[RandomChars].tmp”. This appears to be a newer type of Chinese Remote Access Tool (RAT) malware that operates primarily over HTTP. It first requests an XML file from the legitimate Chinese website at http://blog.sina.com[.]cn/rss/2050950612.xml.
When viewed in Firefox, we can see that the file is an RSS feed with title “Udate KEY” and a hex string “7e160a0a0e4451510909095008061b1f501d1113510a161b131b0d510c0d0d500e160e”.
This hex string is the callback URL, hXXp://www.vxea[.]com/themes/rss.php, XOR-encoded with the single-byte key 0x7E. The malware requests this PHP page and sends certain parameters.
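The decoding step above, as an added example that is not part of the original post: the feed is parsed, any pure-hex element text is pulled out, and the single-byte XOR key is recovered by trying all 256 values and keeping the one that yields a printable URL, which for the string quoted above is 0x7E. The leading 0x7E byte of the string decodes to NUL under that key and is dropped. The title and hex string are the values quoted in the post; the RSS element layout of the constructed sample feed is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the fetched feed: the title and hex string are the
# values quoted in the post; the RSS element layout is an assumption.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
  <item>
    <title>Udate KEY</title>
    <description>7e160a0a0e4451510909095008061b1f501d1113510a161b131b0d510c0d0d500e160e</description>
  </item>
</channel></rss>"""

HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){4,}$")

def extract_hex_blobs(feed_xml):
    """Return every element text in the feed that is a pure hex string."""
    root = ET.fromstring(feed_xml)
    return [el.text.strip() for el in root.iter()
            if el.text and HEX_RE.match(el.text.strip())]

def xor_decode(hex_blob, key=0x7E):
    """XOR each byte with the single-byte key and strip the leading NUL that
    the key byte at the front of the blob produces."""
    raw = bytes(b ^ key for b in bytes.fromhex(hex_blob))
    return raw.lstrip(b"\x00").decode("ascii", errors="replace")

def guess_key(hex_blob):
    """Brute-force the 256 single-byte keys and return the one that yields a
    printable string starting with a URL scheme, or None."""
    data = bytes.fromhex(hex_blob)
    for key in range(256):
        plain = bytes(b ^ key for b in data).lstrip(b"\x00")
        if plain.startswith(b"http") and all(32 <= c < 127 for c in plain):
            return key
    return None

def decode_feed(feed_xml):
    """Decode every hex blob in the feed whose key can be recovered."""
    urls = []
    for blob in extract_hex_blobs(feed_xml):
        key = guess_key(blob)
        if key is not None:
            urls.append(xor_decode(blob, key))
    return urls

if __name__ == "__main__":
    for url in decode_feed(SAMPLE_FEED):
        print(url)
```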
Some of the parameters requested include:
This web activity indicates that the malware can download and execute extensible plugins that the attackers can customize for whatever purpose, while simultaneously retrieving and uploading information about the infected system.
The malware also requests Base64-encoded data from hXXp://www.bluemsn[.]tk/images/bits.xml. The malware then sends further parameters to rss.php:
This activity shows that the malware reads the XML file and installs the backdoor. It indicates that the backdoor is persistent and can be customized or modified on the server side to provide different functionality or to evade antivirus detection.
While social networking sites have their benefits, it is important to consider how they can also enable a focused threat actor to slip targeted attacks into an enterprise without using traditional email spearphishing techniques. Individuals with secondary affiliations, or who may be sympathetic to political movements, are also subject to online targeting. Sophisticated threat groups often do not discriminate between a target’s personal and professional profiles, which may subsequently introduce additional risk to enterprise networks.
Cyber Squared continues to monitor and expand our understanding of the threat group responsible for this activity. We have made details of this incident (20130408A: Twitter Threats Blog) and others available to members of the ThreatConnect.com community. If your organization has been targeted online because of political or religious affiliations or if your organization has been targeted through social network sites and you would like to obtain regular updates of targeted attacks, please register here.