With 2013 coming to a close, many of us within the security industry take the time to reflect on the notable events that occurred over the past year. It is often in these quiet times of contemplation that we find clarity and carry forward the lessons learned into the next year.
Unfortunately, with the complexities of modern enterprise security, there is far too much for us to remember individually. It is the day-to-day, “in the trenches”, tactical fight that distracts many professionals from focusing on the strategic planning that serves as a guidepost for executing our longer term objectives. Because of the amount of data to keep up with, key pieces of information slip through our fingers like sand.
Fortunately, the members of the ThreatConnect community have one less thing to commit to memory. All of our users benefit from a shared perspective and ThreatConnect’s ability to retain and automate associations of related security events.
The following use case highlights how previous Adobe Flash driveby campaigns, directed against Tibetan, Uyghur, and Chinese dissident victims in the spring of 2013, were automatically associated with a newly related security event that occurred in mid-December, nearly eight months later.
Operational Caveat: At the time of this writing ThreatConnect Research is currently working with Adobe and Microsoft to validate the specific nature of the exploit being leveraged. ThreatConnect Research will update Incident 20131216A: TibetOnline Flash Driveby as new information becomes available.
On December 16, 2013, the ThreatConnect Research Team identified an Adobe Flash Player SWF heap spray component on a Tibetan website. The SWF file was found at the URL hXXp://www.tibetonline[.]info/test.swf, and may have been active since September 1, 2013 according to the “Last Modified” field within the HTTP response.
This Flash file, MD5: 4C37EC9F600AD90381DF2CCDCB00B0E6, is not the entire exploit; it is only the heap spray and shellcode component, and it carries an embedded payload executable encoded with single-byte XOR 0x95. ThreatConnect Research has confirmed that the exploit does not leverage a vulnerability in Adobe Flash Player. At the time of reporting, the application actually being exploited and the initial exploitation vector are unknown. The XOR 0x95 executable embedded within test.swf decodes to MD5: 26E442AA18FCEA38E4C652D346627238. It is worth noting that as of December 18, 2013, this malicious binary was detected only generically by 2 of 49 antivirus vendors in VirusTotal.
The binary is a backdoor implant that uses a Yahoo! blog as a dead drop for its command and control (C2) location: it begins its routine by connecting to the blog at the URL hXXp://blog.yahoo[.]com/_JV67DRO5Y3JCOEVLMA5HXTNZT4/ and checking for the XOR 0x7E encoded hex string “7e160a0a0e4451511c1f1d15500c11110a1b0c500a1551=”.
This string decodes to the second stage C2 URL at hXXp://back.rooter[.]tk/script. That URL returns an XML document containing version information and the client (victim) IP address.
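Both obfuscation steps in this chain, the XOR 0x95 executable embedded in test.swf and the XOR 0x7E string on the blog, are single-byte XOR, which is trivial to reverse once the key is known and nearly as trivial to recover when it is not. The following is an added example, not code from the original post or from ThreatConnect. It decodes the blog string quoted above and shows how to locate an XOR-encoded PE inside a carrier file by brute-forcing the key against the MZ/PE header structure; the carrier bytes are constructed for the example, and the assumptions about the blog string's format (leading key byte, trailing "=" terminator) are labelled in the code, since the post does not describe them.

```python
"""Single-byte XOR obfuscation in the TibetOnline chain (added example).

Two links in the described chain are XOR-obfuscated with one byte:
  * test.swf carries an embedded Windows executable XORed with 0x95
  * the Yahoo! blog dead drop carries a hex string XORed with 0x7E that
    decodes to the stage-two C2 URL

Only DEAD_DROP_BLOB is taken from the post; the PE carrier is constructed.
"""
import struct

# Hex string observed on the Yahoo! blog (quoted in the post).
DEAD_DROP_BLOB = "7e160a0a0e4451511c1f1d15500c11110a1b0c500a1551="


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the operation is self-inverse)."""
    return bytes(b ^ key for b in data)


def decode_dead_drop(blob: str, key: int = 0x7E) -> str:
    """Decode the blog-hosted string into the C2 URL.

    Assumptions (the post does not describe the format): the leading byte,
    which equals the key and would decode to 0x00, is a key marker rather
    than URL data, and '=' terminates the encoded region.  The result is the
    URL prefix; the post reports the final C2 as .../script, so the implant
    presumably appends the path itself.
    """
    raw = bytes.fromhex(blob.split("=", 1)[0])
    if raw and raw[0] == key:
        raw = raw[1:]
    return xor_bytes(raw, key).decode("ascii")


def recover_xor_key(container: bytes):
    """Find a single-byte XOR key under which `container` holds a PE image.

    For each candidate key, XOR the whole buffer and look for 'MZ' whose
    e_lfanew field (u32 LE at +0x3C) points at a 'PE\\0\\0' signature inside
    the buffer.  Requiring e_lfanew -> 'PE' rather than 'MZ' alone avoids
    false hits on random byte pairs.  Returns (key, offset) or None.
    """
    for key in range(256):
        plain = xor_bytes(container, key)
        start = 0
        while True:
            off = plain.find(b"MZ", start)
            if off < 0:
                break
            if off + 0x40 <= len(plain):
                e_lfanew = struct.unpack_from("<I", plain, off + 0x3C)[0]
                pe = off + e_lfanew
                if e_lfanew >= 0x40 and pe + 4 <= len(plain) and plain[pe:pe + 4] == b"PE\0\0":
                    return key, off
            start = off + 1
    return None


def build_sample_container(key: int = 0x95) -> bytes:
    """Constructed stand-in for test.swf: SWF-like filler around an XORed
    minimal PE header (DOS header + e_lfanew + 'PE' signature + Machine).
    Not a real SWF and not the real payload."""
    pe = bytearray(0x86)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)        # e_lfanew -> NT headers
    pe[0x80:0x86] = b"PE\0\0" + b"\x4c\x01"       # signature + IMAGE_FILE_MACHINE_I386
    prefix = b"FWS\x0a" + bytes(range(64))       # constructed filler
    return prefix + xor_bytes(bytes(pe), key) + b"\x00" * 32


def sample_pe_offset() -> int:
    """Offset at which build_sample_container() places the encoded PE."""
    return len(b"FWS\x0a") + 64


if __name__ == "__main__":
    print(decode_dead_drop(DEAD_DROP_BLOB))
    print(recover_xor_key(build_sample_container()))
```

On a real sample you would feed the raw test.swf bytes to recover_xor_key() and then carve from the returned offset with the returned key; the e_lfanew check is what keeps a 256-key brute force from drowning in false "MZ" hits.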
The rooter[.]tk domain connects this recent exploit activity to a CVE-2013-0634 Flash exploit campaign from the spring of 2013 that ThreatConnect Research reported in the blog post APT #TargetedAttacks within @SocialMedia. Although the rooter[.]tk domain was not specifically highlighted in that blog post, ThreatConnect Research included it within ThreatConnect Incident 20130408A: Twitter Threats Blog and shared the incident with the ThreatConnect Community on April 8, 2013. ThreatConnect Research observed this domain as a CVE-2013-0634 driveby location at the URL hXXp://www.rooter[.]tk/my.swf.
Later, in mid-May 2013, security researcher and ThreatConnect Community contributor Clement Lecigne shared details of a CVE-2013-1347 Internet Explorer (IE) exploit he found on the Voice of Tibet (VoT) website, which downloaded a payload executable from hXXp://www.rooter[.]tk/calc.exe, as recorded in Incident 20130516A: Voice of Tibet Incident. It is clear that the rooter[.]tk domain has been used consistently to target individuals and organizations associated with the Tibetan independence movement and remains active even as 2013 draws to a close.
As of mid-December, ThreatConnect Research has discovered a new exploit component that correlates with legacy “driveby” infrastructure previously identified in targeted exploitation campaigns directed against Tibetan interests. While this shows how little these persistent attackers have changed over the course of a year, it also highlights how, without ThreatConnect and the value of a shared community, security professionals can overlook key observations while they drown under the volume of meaningless data feeds.
Overwhelmed network defense teams are often challenged to identify and correlate previous activity with current activity in a timely manner. Without ThreatConnect’s automated association capabilities, the memorialization of indicators, collaborative analytics and detailed context, the malicious rooter[.]tk domain might have been long forgotten.
The incident associated with the latest rooter[.]tk activity has been shared across all ThreatConnect Communities as Incident 20131216A: TibetOnline Flash Driveby. ThreatConnect Research will continue to provide dynamic updates to this incident within ThreatConnect as additional details become available.
If you or your enterprise security team are overwhelmed by feeds of meaningless data, and are unable to quickly contextualize or automate associations of activity, contact us for support. Take control of your data, make sense of complex security events, and privately collaborate with other industry experts.