posted by: Ruben Santamarta
Just a few days ago, Digitalbond announced that they had been the victims of a spear phishing attack. An employee received an email linking to a malicious zip file that posed as a legitimate .pdf paper on industrial control systems security. The bait chosen by the attackers was therefore aimed at targets involved in some way with the ICS community.
During these days, Jaime Blasco from AlienVault and I (Ruben Santamarta) have been monitoring the situation, finally uncovering a broader ongoing campaign that is targeting US defense contractors, universities, and security companies. Moreover, this attack shows strong similarities with other campaigns that successfully compromised important US targets.
We are providing a comprehensive analysis of this threat by explaining the malware, methodology and infrastructure used.
Malware
The trick used is nothing new or exciting, but unfortunately it is sometimes enough to get the victim to run the malware, because the file poses as a .pdf. This is how the file looks from the victim's point of view (on certain systems and configurations):
Behind the scenes
It's actually a RAR SFX file which, once executed, shows the mentioned paper but also drops and runs a malicious downloader.
The HTML document it requests carries an 'interesting' body: an executable, XORed and then base64-encoded. The head and title tags hold the command line and the executable name to be used, also base64-encoded.
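A triage decoder for pages of this layout, as an added example that is not part of the original post or the malware analysed in it. The placement of the command as head text, the executable name in the title, and a single-byte XOR key are assumptions; the key is recovered from the expected MZ header rather than hard-coded, and the sample page is constructed inline.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample page (not the real one): a stub with an MZ header stands in
# for the executable; it is xored with an assumed single-byte key and base64-encoded.
_KEY = 0x5A
_STUB = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + b"\x00" * 8
_PAGE = (
    "<html><head>" + base64.b64encode(b"/install").decode()
    + "<title>" + base64.b64encode(b"svchost.exe").decode() + "</title></head>"
    "<body>" + base64.b64encode(bytes(b ^ _KEY for b in _STUB)).decode()
    + "</body></html>"
)

def _inner(tag, html):
    """Return the text between <tag> and </tag>, or '' if the tag is absent."""
    m = re.search(r"<%s[^>]*>(.*?)</%s>" % (tag, tag), html, re.S | re.I)
    return m.group(1) if m else ""

def _b64(text):
    """Strip tags and whitespace, then base64-decode what remains (b'' on failure)."""
    clean = re.sub(r"<[^>]*>|\s", "", text)
    try:
        return base64.b64decode(clean, validate=True)
    except (binascii.Error, ValueError):
        return b""

def recover_key(blob):
    """Known-plaintext check: the decoded body must start with 'MZ', so try every
    single-byte key and return the one that produces it (None if none fits)."""
    for k in range(256):
        if blob[0] ^ k == ord("M") and blob[1] ^ k == ord("Z"):
            return k
    return None

def decode_beacon_page(html):
    """Extract command, executable name and payload facts from a page of this
    layout. Returns None when the body does not decode to an MZ file."""
    head = _inner("head", html)
    title = _inner("title", head)
    command = _b64(re.sub(r"<title.*?</title>", "", head, flags=re.S | re.I))
    blob = _b64(_inner("body", html))
    key = recover_key(blob) if len(blob) >= 2 else None
    if key is None:
        return None
    payload = bytes(b ^ key for b in blob)   # decoded bytes are hashed, never written or run
    return {"command": command.decode(errors="replace"),
            "exe_name": _b64(title).decode(errors="replace"),
            "key": key, "payload_size": len(payload),
            "payload_md5": hashlib.md5(payload).hexdigest()}
```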
This new executable is in charge of calling home to receive orders from the C&C server located at hxxp://1.234.1.68.
Using the characteristics found in these files, we were able to identify similar files, almost identical except for two main differences:
· The file names used to deliver the malicious payload.
· The IP addresses used for C&C and downloaders.
Thus, we identified several compromised servers hosting the following files ready to be deployed. The names clearly expose the different kinds of victims this group is targeting.
· Staff_Changes(cmu).zip
  ◦ Any_Staff_Changes_About_Carnegie_Mellon_University.exe (SFXRAR)
    ▪ MD5: 8873f6d3ea123708615e72fe357808e5
    ▪ Extract: svchost.exe
      · MD5: 9675827a495f4ba6a4efd4dd70932b7c
      · Download from: hxxp://report.crabdance.com/report/news.html
        ▪ MD5: bda5ac3747234a073e4290b2352cbba0
      · C&C: hxxp://1.234.1.68:80
· Staff_Changes(purdue).zip
  ◦ Any_Staff_Changes_About_Purdue_University.exe (SFXRAR)
    ▪ MD5: 8873f6d3ea123708615e72fe357808e5
    ▪ Extract: svchost.exe
      · MD5: 9675827a495f4ba6a4efd4dd70932b7c
      · Download from: hxxp://report.crabdance.com/report/news.html
        ▪ MD5: bda5ac3747234a073e4290b2352cbba0
      · C&C: hxxp://1.234.1.68:80
· Staff_Changes(URI).zip
  ◦ Any_Staff_Changes_About_University_of_Rhode_Island.exe (SFXRAR)
    ▪ MD5: 8873f6d3ea123708615e72fe357808e5
    ▪ Extract: svchost.exe
      · MD5: 9675827a495f4ba6a4efd4dd70932b7c
      · Download from: hxxp://report.crabdance.com/report/news.html
        ▪ MD5: bda5ac3747234a073e4290b2352cbba0
      · C&C: hxxp://1.234.1.68:80
· Speeches_For_IT-SCC_Meeting.zip
  ◦ Speeches_For_IT-SCC_Meeting.exe (SFXRAR)
    ▪ MD5: 59e74b14f5edee8d38eba74a8000fb18
    ▪ Extract:
      · wins.exe
        ◦ MD5: 1ea61a0945bde3c6f41e12bc01928d37
        ◦ Download from: hxxp://203.200.205.245/java/careers.html
          ▪ MD5: 882066feaade34ebe38618d389c40f2a
        ◦ C&C: hxxp://128.175.21.189:80
      · Doc1.doc
      · 2.ico
· New_Chertoff_Group_Q1_2012_Report.zip
  ◦ New_Chertoff_Group_Q1_2012_Report.exe (SFXRAR)
    ▪ MD5: 59e74b14f5edee8d38eba74a8000fb18
    ▪ Extract:
      · wins.exe
        ◦ MD5: 1ea61a0945bde3c6f41e12bc01928d37
        ◦ Download from: hxxp://203.200.205.245/java/careers.html
          ▪ MD5: 882066feaade34ebe38618d389c40f2a
        ◦ C&C: hxxp://128.175.21.189:80
      · Doc1.doc
      · 2.ico
· New_NJVC_First_Half_2012_Report.zip
  ◦ New NJVC First Half 2012 Report.exe (SFXRAR)
    ▪ MD5: f7aa931de0564f77b27c2f5d1d9bc532
    ▪ Extract:
      · hkcmd.exe
        ◦ MD5: d8238e950608e5aba3d3e9e83e9ee2cc
        ◦ Download from: hxxp://203.200.205.245/css/style.html
          ▪ MD5: 69385589903fc576e06893ef965fce01
        ◦ C&C: hxxp://143.89.35.7:80
      · Doc1.doc
      · 2.ico
· the_list_of_staff_changes_in_anakam.exe
  ▪ MD5: 53ae642408aaf6cfed016422b394b32a
  ▪ Extract:
    · svchost.exe
      ◦ MD5: 9675827a495f4ba6a4efd4dd70932b7c
      ◦ Download from: hxxp://report.crabdance.com/report/news.html
        ▪ MD5: bda5ac3747234a073e4290b2352cbba0
      ◦ C&C: hxxp://1.234.1.68:80
    · AcroRd32_5.ico
These files carry either a folder icon or a .doc/.pdf icon in order to trick the target into double-clicking the malicious file.
TARGETS
According to the information collected, the targets of these campaigns are either related in some way to the US government or are US defense contractors directly, providing services such as authentication software/hardware, Industrial Control Systems security, or strategic consulting.
· NJVC: “As a leading Department of Defense contractor, we are the ideal partner for intelligence, military and federal agencies and commercial entities with highly-secure IT requirements” www.nvjc.com
· Chertoff Group
  ◦ Consulting & business development. Chertoff Group: our senior officials are experienced with deep, operational leadership at the highest levels of government. www.chertoffgroup.com
· Unidentified customers of Equifax's Anakam two-factor authentication
· Unidentified attendees of the IT-SCC meeting www.it-scc.org
· Carnegie Mellon University
· Purdue University
· University of Rhode Island
· Digitalbond
ATTRIBUTION
Although attribution is the most controversial task nowadays, we would like to note that code, tricks and certain infrastructure usually present in the Chinese hacking scene have been identified in this campaign.
Additional information can be found at the AlienVault Labs blog here: http://labs.alienvault.com/labs/
Nice article.
Game over Chinese hackers!
We look forward to more posts, regards!