In light of all the buzz around the “APT1” aka “Comment Group” threat that has ensued from Mandiant’s recent finding, we need to remain vigilant and remember that there are many other sophisticated threat groups that still pose a risk to global enterprises. We can’t become complacent, and overlook the numerous other harder-to-find targeted threats that also have a Chinese nexus. These threats that fly under the radar can be just as damaging to corporate enterprises, and are equally effective in obtaining intellectual property. Retrospective analysis is a critical step in conducting cyber threat analytics, and is one that Cyber Squared consistently exercises.
Through the use of ThreatConnect.com, open source intelligence and crowd analytics, Cyber Squared has conducted retrospective analysis of a series of associated “drive-by downloads” (often referred to as “watering holes” by the security industry). These targeted attacks were observed in late September 2012, coinciding with the discovery in the wild of the CVE-2012-4969 Internet Explorer zero-day. Through prolonged analysis that included the use of indicators gathered by ThreatConnect.com, Cyber Squared was able to associate multiple incidents. This suggests that it is highly likely that a single Chinese threat group was responsible for the series of attacks.
Drive by Download Site 1: Malaysian Travel Website
In early October 2012, we uncovered the first “drive by download” site. It was in the form of tandem Internet Explorer and Java exploits on a compromised Malaysian travel website. The attackers implemented a CVE-2012-4969 IE exploit using a Grumgog.swf Flash heap spray, as well as a CVE-2012-4681 Java class exploit with a hardcoded payload URL.
The Java exploit was present as a Java class file at /cve2012_java_0day/Gondvv.class. When exploited, it created a VBScript that downloaded an executable payload from a hardcoded URL, and executed it as “calc.exe” from the TEMP folder. In this attack, the payload executable was found at hxxp://news.etrustalive[.]com/mstcinits.exe.
In this case, the executable then dropped a smaller main module executable in the System folder, and ran it. The final stage of the malware connected back to the server at blog.symantecservice37[.]com via TCP/80. This exploit was present from at least early October until mid-November 2012. Although the exact target is unknown, the nature of the affected site indicates that the attackers may have been targeting individuals with interests in Malaysia, or persons of interest who were planning to travel there.
The Java exploit present on the Malaysian travel website was removed sometime in November. However, the attackers were clearly not finished, because on January 29, 2013, Cyber Squared identified a new Java class exploit present on the travel website. This time the attackers hosted a CVE-2013-0422 exploit. This particular exploit contained an interesting payload mechanism. When exploited, the Java code issues Windows shell commands that invoke the Windows command-line FTP client (ftp.exe).
Command line arguments were then passed to the program to authenticate with an FTP server in China (using hardcoded login credentials) and download the file “dwin.exe” from the FTP server. Interestingly, although only one executable file was downloaded by the Java exploit, the attackers had actually staged two executables on the FTP server. This second payload executable indicates either that there is a yet-undiscovered second exploit server somewhere in the wild that leads to the download of this second payload, or that the attackers were simply careless and unintentionally left a second executable behind.
The payload downloaded by this Java exploit, dwin.exe, then downloads an encrypted backdoor file component from hxxp://117.55.241[.]58/indexs.zip (Ghaziabad, India). This file is most likely an encrypted backdoor that is injected into memory. The second executable file that was present on the FTP server downloaded its encrypted payload from hxxp://www.amazombuy[.]us/winsever.dat. This second file was of interest to us because the www.amazombuy[.]us domain had previously been identified and classified as a threat indicator within ThreatConnect. Also, as we will see with the next drive-by download site, this file provided a clear link between the two download sites, and allows us to deduce that these drive-by download sites are the work of a single threat group.
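Both payload mechanisms seen on the travel website share a process-level signature a defender can hunt for: a Java process that spawns a script host (the dropped VBScript that staged the October payload) or ftp.exe (the January CVE-2013-0422 stager), and an executable launched from the TEMP folder under a system-binary name such as “calc.exe”. The triage logic below is an added example written for this post, not Cyber Squared tooling or a ThreatConnect feature. The events are constructed with Sysmon-style field names (an assumption about the telemetry available); the exact ftp.exe arguments used in the incident are not given in the post, so the `-s:` script argument in the sample is illustrative.

```python
import ntpath

# Parent/child pairs the post describes: a Java process that spawned a script
# host (to run the dropped VBScript) or ftp.exe (to fetch dwin.exe).
JAVA_PARENTS = {"java.exe", "javaw.exe"}
SUSPICIOUS_CHILDREN = {"ftp.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
TEMP_DIR_NAMES = {"temp", "tmp"}

# Constructed process-creation events with Sysmon-style field names. These are
# not real records from the incidents; the ftp.exe arguments are illustrative.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Java\jre7\bin\java.exe",
     "Image": r"C:\Windows\System32\ftp.exe",
     "CommandLine": r"ftp.exe -s:C:\Users\u\AppData\Local\Temp\f.txt"},
    {"ParentImage": r"C:\Program Files\Java\jre7\bin\java.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\u\AppData\Local\Temp\run.vbs"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Users\u\AppData\Local\Temp\calc.exe",
     "CommandLine": r"C:\Users\u\AppData\Local\Temp\calc.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",          # interactive admin use
     "Image": r"C:\Windows\System32\ftp.exe",
     "CommandLine": r"ftp.exe files.example.internal"},
    {"ParentImage": r"C:\Windows\explorer.exe",          # the real calculator
     "Image": r"C:\Windows\System32\calc.exe",
     "CommandLine": r"calc.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def in_temp_dir(path: str) -> bool:
    """True if any directory component of a Windows path is a temp directory."""
    return any(part.lower() in TEMP_DIR_NAMES for part in path.split("\\")[:-1])


def triage(events):
    """Return (event_index, rule_name) pairs for events that match a rule."""
    hits = []
    for i, ev in enumerate(events):
        parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
        if parent in JAVA_PARENTS and child in SUSPICIOUS_CHILDREN:
            hits.append((i, "java_spawned_script_host_or_ftp"))
        if in_temp_dir(ev["Image"]):
            hits.append((i, "executable_launched_from_temp"))
    return hits


if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The two rules are deliberately independent: the first fires on the parent/child relationship regardless of arguments, so it still catches a stager whose command line has been changed, while the second fires on the execution path alone, so the TEMP-folder “calc.exe” is flagged even though its parent (the script host) is a legitimate Windows binary. The benign explorer.exe-launched ftp.exe and System32 calc.exe produce no hits.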
Download Site Cluster: A Series of Connected Malicious Websites
Going back to October 2012, Cyber Squared also uncovered another download site, in this case a WordPress powered site at www.heavengameshow[.]com. This particular site had three exploits present: a Grumgog.swf CVE-2012-4969 IE exploit, a CVE-2011-3544 Java exploit, and a Gondvv.class CVE-2012-4681 Java exploit. Here, the exploit payloads were hosted on another download site, with the exception of the CVE-2011-3544 JAR exploit, which used an embedded payload. The download site hosting the payloads was found at hxxp://www.everesume[.]info/ConnieEvans/. This site, when displayed normally, had an interesting decoy page consisting of a fake employee resume and contact page for a certain Connie Evans.
As we can see from the screenshot, this download site appears to be aimed at human resources or an employer within either the petroleum or maritime industries. This may suggest the type of individuals or organizations that the attackers were targeting. The CVE-2012-4969 exploits downloaded a custom XOR 0x70 obfuscated executable from hxxp://www.everesume[.]info/connieevans/download/realupgrades.exe, with the Gondvv.class payload at hxxp://www.everesume[.]info/connieevans/download/test.exe.
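A payload obfuscated with a single-byte XOR, like the 0x70-encoded realupgrades.exe above, is easy to recover from a captured download: XOR is its own inverse, and the right key is the one that turns the first two bytes into the “MZ” DOS signature with a valid “PE\0\0” header behind it. The decoder and key-recovery routine below is an added example written for this post, not Cyber Squared code, and it goes slightly beyond the text by brute-forcing all 256 keys rather than assuming 0x70. The sample input is a constructed 68-byte PE header stub, not the real binary.

```python
import struct

KNOWN_KEY = 0x70  # single-byte key named in the write-up for realupgrades.exe


def xor_decode(blob: bytes, key: int) -> bytes:
    """Apply a single-byte XOR to every byte (XOR is its own inverse)."""
    return bytes(b ^ key for b in blob)


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE sanity check: 'MZ' DOS stub and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_single_byte_key(blob: bytes):
    """Brute-force all 256 keys; return the one that yields a PE image, else None."""
    for key in range(256):
        if looks_like_pe(xor_decode(blob, key)):
            return key
    return None


def build_sample_pe_stub() -> bytes:
    """Constructed 68-byte stand-in for a PE file: DOS header with e_lfanew = 0x40,
    followed by the NT signature. Not a real binary, just enough for the check."""
    dos_header = bytearray(b"MZ") + bytes(0x3A)   # pad to offset 0x3C
    dos_header += struct.pack("<I", 0x40)        # e_lfanew field
    return bytes(dos_header) + b"PE\x00\x00"


# What a captured download would look like on the wire: the stub, XOR 0x70.
SAMPLE_ENCODED = xor_decode(build_sample_pe_stub(), KNOWN_KEY)

if __name__ == "__main__":
    key = recover_single_byte_key(SAMPLE_ENCODED)
    print("recovered key:", hex(key) if key is not None else None)
    print("decoded is PE:", looks_like_pe(xor_decode(SAMPLE_ENCODED, key)))
```

Checking the PE signature at e_lfanew rather than only the two “MZ” bytes matters: a two-byte match is found for one key in 256 by construction, so a blob of random data would always “decode”, whereas the second signature at the offset the header itself points to is a genuine consistency check. Run against a real capture, the same routine also tells you when the sample is not a simple single-byte XOR at all (it returns None), which is the cue to look for a rolling key or a real cipher.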
All of these different executable payloads appear to be a related type of custom backdoor. They all drop a DLL file named “winsever.dll” that connects to a command and control (C2) server on TCP/80 or TCP/443. The C2 servers observed were qozo[.]info, www.adobeupdate[.]us, and an IP address at 184.22.42[.]167. Of note, some anti-virus vendors detect the DLL dropped by realupgrades.exe as a variant of PlugX / Korplug, a well-known remote admin tool (RAT) used in advanced persistent threat activity. This suggests that the threat actors may have access to code from the PlugX / Korplug (formerly Sogu) family of backdoors, which has been seen in use with other Chinese APT campaigns. Since malware can be easily shared among these hacking groups, we cannot say with certainty that there is a direct relationship between this threat group and the identified developer of PlugX.
Later in October, the everesume[.]info drive-by download site went offline, and the payload for the heavengameshow[.]com drive-by download shifted to a new site at hxxp://news.gallupdesign[.]us. This newly observed drive-by download site had Gondvv.class and CVE-2011-3544 Java exploits with the exact same exploit code, and redirected to the legitimate www.gallup.com via a META REFRESH in the webpage’s HTML code. The timing of this drive-by download site was interesting. It was observed in late October, shortly before the 2012 presidential election, at a time when Gallup’s polling and statistics would be a significant topic for many people of interest to APT attackers. Once again, the payload was a “winsever.dll” backdoor dropper.
On October 20, 2012, before the heavengameshow[.]com drive by download site went offline, we discovered an executable on the server that we could not match to any specific exploit. The executable was also different from the other winsever.dll backdoor droppers. This file, which still has very low anti-virus detection, requests a webpage from imap.labscore[.]info. This domain was registered with the email address eunigeria [at] yahoo.com, which we have seen with other domains from within the common drive by download cluster and C2 infrastructure.
We also discovered evidence of other related malware, which we believe is tied to this group of threats. A file submitted to ThreatExpert on October 31, 2012 appears to be linked to this group. This malware is of a goofy sort as indicated by its icon and behavior. The malware drops a decoy picture of a Halloween themed animated GIF, as well as two binaries (msginit.exe and msgs.exe) that connect to blog.etrustalive[.]com via TCP/80, in a similar manner to the malware payload present with the hacked Malaysian website seen in October.
We are unsure of who this binary was targeting, or whether it was delivered via spearphishing email or targeted drive by download site. Nonetheless, it does seem to tie in with the other malware due to the related C2 domain.
Finally, Cyber Squared found a separate drive-by download in late December 2012 that we believe is also being used by the same threat actor. This “drive-by download” site was submitted to Jsunpack on December 18th, and appears to be a webpage that loads an iframe to a Java exploit, and then refreshes to the legitimate nasa.gov webpage. Again, this domain uses the /cve2012_java_0day/Gondvv.class exploit as well as a CVE-2011-3544 exploit with an embedded payload (card3987.jar). The malware binaries from this attack appear to be similar, though not identical, to the winsever.dll dropper payloads found on the other sites. They inject their code into iexplore.exe, and connect to a command and control IP at 184.22.41[.]124. This IP is also used for amazombuy[.]us, which also ties this malware to the trulyasia[.]tv exploit and FTP server.
Timeline of Attacks
When we consider the repeated use of the unique “winsever” file naming convention within implants delivered by similar Java exploits, and the fact that many of the malicious C2 domains were registered with one of three malicious registrant email addresses seen in other targeted attacks, the totality of the information available and the associations observed within ThreatConnect.com suggest that these drive-by download sites are the work of a single Chinese APT threat group. We believe that these attackers will continue to target their victims with targeted spearphishing messages and/or targeted drive-by download style attacks into the future. The Cyber Squared Threat Intelligence team continues its targeted pursuit of this and other threat groups in an effort to collect, analyze, and share actionable threat intelligence with our customers and partners. We have compiled the indicators associated with these incidents and shared them under Incident "20130311: Hipster-Analytics" within the ThreatConnect.com community. If you are part of an organization that wishes to obtain real-time threat intelligence on sophisticated cyber threats, register here.
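The attribution argument above is an infrastructure-pivoting exercise: each section of the post states a relationship (exploit site to payload URL, payload to C2, IP to the domains it serves, domain to registrant email, shared “winsever” artefact), and the claim is that following those relationships joins every incident into one connected cluster. The script below is an added example written for this post, not Cyber Squared or ThreatConnect code, that encodes the relationships exactly as the post states them and computes the connected components with a disjoint-set forest. Assumptions: labels in angle brackets are our own placeholders for samples and servers the post describes but does not name; “registered domain” is approximated by the last two labels, which is adequate for the .com/.us/.info/.tv names here but not for ccTLDs such as .co.uk; and hosts sharing a registered domain (news. and blog.etrustalive[.]com) are treated as linked, which the post does when it calls them a related C2 domain.

```python
from collections import defaultdict
from urllib.parse import urlparse


def refang(ioc: str) -> str:
    """Convert the defanged notation used in the write-up back to a plain indicator."""
    return (ioc.replace("hxxps://", "https://").replace("hxxp://", "http://")
               .replace("[.]", ".").replace(" [at] ", "@"))


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for the .com/.us/.info/.tv names here."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(node: str):
    """Hostname behind an indicator node, or None for placeholders, IPs and e-mails."""
    if node.startswith("<"):
        return None
    plain = refang(node)
    if "@" in plain:
        return None
    host = urlparse(plain).hostname if "://" in plain else plain
    return None if host.replace(".", "").isdigit() else host.lower()


class UnionFind:
    """Disjoint-set forest with path halving; plenty for a few hundred indicators."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


# Relationships as stated in the post, indicators defanged as written there.
# Angle-bracket names are our own labels for things the post does not name.
LINKS = [
    # Malaysian travel site, Oct 2012: Gondvv.class payload and its C2
    ("trulyasia[.]tv", "hxxp://news.etrustalive[.]com/mstcinits.exe"),
    ("hxxp://news.etrustalive[.]com/mstcinits.exe", "blog.symantecservice37[.]com"),
    # Same site, Jan 2013: ftp.exe stager, dwin.exe, and the second staged file
    ("trulyasia[.]tv", "<FTP server in China>"),
    ("<FTP server in China>", "hxxp://117.55.241[.]58/indexs.zip"),
    ("<FTP server in China>", "hxxp://www.amazombuy[.]us/winsever.dat"),
    ("hxxp://www.amazombuy[.]us/winsever.dat", "<winsever naming convention>"),
    # heavengameshow[.]com cluster, its payload hosts and the shared C2 set
    ("www.heavengameshow[.]com", "hxxp://www.everesume[.]info/connieevans/download/realupgrades.exe"),
    ("www.heavengameshow[.]com", "news.gallupdesign[.]us"),
    ("hxxp://www.everesume[.]info/connieevans/download/realupgrades.exe", "<winsever naming convention>"),
    ("news.gallupdesign[.]us", "<winsever naming convention>"),
    ("hxxp://www.everesume[.]info/connieevans/download/realupgrades.exe", "qozo[.]info"),
    ("hxxp://www.everesume[.]info/connieevans/download/realupgrades.exe", "www.adobeupdate[.]us"),
    ("hxxp://www.everesume[.]info/connieevans/download/realupgrades.exe", "184.22.42[.]167"),
    ("www.heavengameshow[.]com", "imap.labscore[.]info"),   # unmatched exe on the server
    ("imap.labscore[.]info", "eunigeria [at] yahoo.com"),    # registrant e-mail
    # ThreatExpert sample of Oct 31, 2012
    ("<ThreatExpert Halloween sample>", "blog.etrustalive[.]com"),
    # December 2012 nasa.gov-themed page
    ("<Dec 2012 nasa.gov-themed page>", "184.22.41[.]124"),
    ("184.22.41[.]124", "www.amazombuy[.]us"),
]


def build_clusters(links):
    """Connected components over the explicit links plus an implicit link between
    hosts that share a registered domain."""
    uf = UnionFind()
    for a, b in links:
        uf.union(a, b)
    for node in {n for edge in links for n in edge}:
        host = host_of(node)
        if host:
            uf.union(node, "domain:" + registered_domain(host))
    groups = defaultdict(set)
    for node in list(uf.parent):
        groups[uf.find(node)].add(node)
    return list(groups.values())


def same_cluster(links, a, b) -> bool:
    """True if indicators a and b end up in the same connected component."""
    return any(a in g and b in g for g in build_clusters(links))


if __name__ == "__main__":
    for group in build_clusters(LINKS):
        print(len(group), "nodes:", sorted(group))
```

Two things are worth doing with a graph like this before trusting it. First, check which single link carries the attribution: dropping the “winsever” artefact edges splits the graph into the Malaysian-site cluster and the heavengameshow[.]com cluster, which is precisely why the post calls that file the “clear link” between the two. Second, be wary of the implicit registered-domain rule on shared hosting or dynamic-DNS parents, where two unrelated subdomains would be wrongly merged; here the parents are attacker-registered, so the rule is safe.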