INSIGHTS | June 13, 2012

Old Tricks, New Targets

Just a few days ago, Digitalbond announced that they had been victims of a spear phishing attack. An employee received an email linking to a malicious zip file, posing as a legitimate .pdf paper related to industrial control systems security. Therefore, the bait used by the attackers was supposedly attracting targets somehow involved with the ICS community.

During these days, Jaime Blasco from AlienVault and I (Ruben Santamarta) have been monitoring the situation, finallly uncovering a broader ongoing campaign which is targeting US defense contractors, universities, and security companies. Moreover, this attack has strong similarities with other campaigns which were successfully compromising important US targets.
We are providing a comprehensive analysis of this threat by explaining malware, methodology and infrastructure used.
Malware
The trick used is nothing new or exciting but unfortunately, sometimes is enough to trick the victim
into running the malware because the file poses as a .pdf file. This is how the file looks from the victim’s point of view (under certain systems and configurations):
 
 
Behind the scenes
 
 
It’s actually a Rar SFX file which, once executed, will show the mentioned paper but will also drop and run a malicious downloader.
 
 
The requested html document contains an ‘interesting’ body: an executable xored and then encoded in base64. Head and title tags contain the command and the executable name to be used, also encoded in base64.
 
 
This new executable is in charge of calling home to receive orders from the C&C server located at hxxp://1.234.1.68
By using the characteristics found in these files, we were able to identify similar files- almost identical except for 2 main differences:
·      File names used to deliver the malicious payload.
·      IP addresses for C&C and downloaders.
Thus, we identified several compromised servers containing the following files ready to be deployed. The name clearly exposes the different kind of victims this group is targeting.
·      Staff_Changes(cmu).zip
◦      Any_Staff_Changes_About_Carnegie_Mellon_University.exe  (SFXRAR)
▪      MD5: 8873f6d3ea123708615e72fe357808e5
▪      Extract: svchost.exe
·      MD5: 9675827a495f4ba6a4efd4dd70932b7c
·      Download from : hxxp://report.crabdance.com/report/news.html
▪      MD5: bda5ac3747234a073e4290b2352cbba0
·      C&C: hxxp://1.234.1.68:80
·      Staff_Changes(purdue).zip
◦      Any_Staff_Changes_About_Purdue_University.exe (SFXRAR)
▪      MD5: 8873f6d3ea123708615e72fe357808e5
▪      Extract: svchost.exe
·      MD5: 9675827a495f4ba6a4efd4dd70932b7c
·      Download from : hxxp://report.crabdance.com/report/news.html
▪      MD5: bda5ac3747234a073e4290b2352cbba0
·      C&C: hxxp://1.234.1.68:80
·      Staff_Changes(URI).zip
◦      Any_Staff_Changes_About_University_of_Rhode_Island.exe (SFXRAR)
▪      MD5: 8873f6d3ea123708615e72fe357808e5
▪      Extract: svchost.exe
·      MD5: 9675827a495f4ba6a4efd4dd70932b7c
·      Download from : hxxp://report.crabdance.com/report/news.html
▪      MD5: bda5ac3747234a073e4290b2352cbba0
·      C&C: hxxp://1.234.1.68:80
·      Speeches_For_IT-SCC_Meeting.zip
◦      Speeches_For_IT-SCC_Meeting.exe (SFXRAR)
▪      MD5: 59e74b14f5edee8d38eba74a8000fb18
▪      Extract:
·      wins.exe
◦      MD5: 1ea61a0945bde3c6f41e12bc01928d37
◦      Download from : hxxp://203.200.205.245/java/careers.html
▪      MD5: 882066feaade34ebe38618d389c40f2a
·      C&C: hxxp://128.175.21.189:80
·      Doc1.doc
·      2.ico
·      New_Chertoff_Group_Q1_2012_Report.zip
▪      New_Chertoff_Group_Q1_2012_Report.exe (SFXRAR)
▪      MD5: 59e74b14f5edee8d38eba74a8000fb18
▪      Extract:
·      wins.exe
◦      MD5: 1ea61a0945bde3c6f41e12bc01928d37
◦      Download from : hxxp://203.200.205.245/java/careers.html
▪      MD5: 882066feaade34ebe38618d389c40f2a
·      C&C: hxxp://128.175.21.189:80
·      Doc1.doc
·      2.ico
·      New_NJVC_First_Half_2012_Report.zip
▪      New NJVC First Half 2012 Report.exe (SFXRAR)
▪      MD5: f7aa931de0564f77b27c2f5d1d9bc532
▪      Extract:
·      hkcmd.exe
◦      MD5: d8238e950608e5aba3d3e9e83e9ee2cc
◦      Download from : hxxp://203.200.205.245/css/style.html
▪      MD5: 69385589903fc576e06893ef965fce01
·      C&C: hxxp://143.89.35.7:80
·      Doc1.doc
·      2.ico
·      the_list_of_staff_changes_in_anakam.exe
▪      MD5: 53ae642408aaf6cfed016422b394b32a
▪      Extract:
·      svchost.exe
◦      MD5: 9675827a495f4ba6a4efd4dd70932b7c
◦      Download from : hxxp://report.crabdance.com/report/news.html
▪      MD5: bda5ac3747234a073e4290b2352cbba0
·      C&C: hxxp://1.234.1.68:80
·      AcroRd32_5.ico
These files contain either an icon folder or a .doc/.pdf icon in order to trick the target into double-clicking the malicious file.
TARGETS
According to the information collected, the targets of these campaigns are somehow related with the US goverment or US Defense contractors directly, providing different services such as authentication software/hardware, Industrial Control Systems security, or strategic consulting.
·        NJVC
As a leading Department of Defense contractor, we are the ideal partner for intelligence, military and federal agencies and commercial entities with highly-secure IT requirements” www.nvjc.com
·       Chertoff Group
◦       Consulting & business development. Chertoff Group. Our senior officials are experienced with deep, operational leadership at the highest levels of government www.chertoffgroup.com
·      Unidentified customers of Equifax’s Anakam two factor authentication
·      Unidentified attendees of the IT SCC meeting www.it-scc.org
·      Carnegie Mellon University
·      Purdue University
·      University of Rhode Island
·      Digitalbond
ATTRIBUTION
Despite the fact that attribution is the most polemic task nowdays, we would like to note that code, tricks and certain infrastructure usually present in the Chinese hacking scene have been identified in this campaign.
Additional information can be found at AlienVault Labs blog.