Cedric PERNET - Forensics, Malware & Cybercrime

Aller au contenu | Aller au menu | Aller à la recherche

Mot-clé - analysis

Fil des billets - Fil des commentaires

jeudi 29 août 2013

More on the G20 Summit Espionage Operation

On a recent blog post, Claudio Guarnieri analyzes an APT attack campaign launched by the "Calc Group".

This group of attackers used the soon-coming "G20 Summit" to spear phish their targets. which are mostly financial institutions and governments. The attack in itself is really not sophisticated, it is just made of an archive file (.ZIP) containing a malicious executable file (.EXE).

The names of the zip files are:

  • G20 Briefing Papers.zip
  • G20 Summit Paper.zip

These archives contains the following files:

  • G20 Discussion Paper.exe
  • GPFI Work Plan 2013.exe
  • G20 Summit Improving global confidence and support the globa.EXE
  • Improving global confidence and support.pdf.exe
  • The list of NGOs representatives accredited at the Press Center of The G20 Leaders' Summit 2013.pdf.exe

One might be surprised that people really do open such zip files and click on these executables, but believe me, some people still do. Once again, it shows us that it is not necessary to deploy brilliant strategies to infect people with targeted malware.

Claudio makes a great analyse of these attacks in his blog post, so I won't write about it and let you read it instead. Now what I wanted to know was what happened next. I was especially interested in the second attack, because it had been submitted to Virus Total (VT) from France.

To summarize Claudio's analysis, the attack scheme goes like this :

  • The victim gets the zip file, opens it, and executes the malicious executable.
  • The executable shows a decoy document (PDF) about the G20 or such.
  • The executable starts keylogging and downloads more malware.

This last point is very important to me: what malware is downloaded, and why? (the "why" can be expected though...)

To quote Claudio, "these samples are just an initial stage of a larger suite of malware, possibly including Aumlib and Ixeshe, which it will try to download from a fixed list of URLs embedded in the binary".

Luckily enough, the second stage malware was still available and I could download it for analysis. It turns out that it is not an "AumLib" or an "Ixeshe", but a variant of a less known malware, called "Bisonha" by the malware researcher's community.

To bypass anti-virus and IDS/IPS products, it is downloaded "upside down" (the first byte becomes the last byte, etc.) and written locally as a regular executable once it is downloaded successfully, then executed.

The file shows a "Java" icon, to try to look more "legitimate" to users. At the time of writing, the sample I downloaded had not been submitted to Virus Total, so I did. The detection rate for this sample is 12/46.

This malware has no persistence mechanism (the first stage downloader makes it persistent), and once executed starts communicating with an IP address on port 443:

/300100000000F0FD1F003746374637433731333433363334333600484F4D45000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000070155736572000000000000000000000000000000000000000000000000000000000000000000006444000000000000000000000000000000000000000000 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Connection: Keep-Alive
Cache-Control: no-cache

As you can see, the network traffic is on port 443 (HTTPS) but it is definitely no HTTPS traffic, rather hex-encoded data:

0000000: 0000 0000 f0fd 1f00 3746 3746 3743 3731  ........7F7F7C71
0000010: 3334 3336 3334 3336 0048 4f4d 4500 0000  34363436.HOME...
0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000050: 0000 0000 0000 0000 0007 0155 7365 7200  ...........User.
0000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000080: 0064 4400 0000 0000 0000 0000 0000 0000  .dD.............
0000090: 0000 0000 0000 0000                      ........

My reverse engineering rockstar friend Fabien Perigaud had a closer look at the malware and provided me with more information:

Offset: 0x4: RAM size in kilobytes
Offset: 0x8: Hard-drive ID, xored with the machine name then hex-encoded
Offset: 0x19: Machine name
Offset: 0x59: Operating system version (in malware author's writing)
Offset: 0x60: Number of processors
Offset: 0x61: User name
Offset: 0x81: A unique identifier (probably used as a campaign identifier?) - Here it is "dD" but other two characters identifiers have been witnessed in the wild.

The commands which can be sent to the malware are sent in answer:

3004: File writing
3005: File reading
3006: Writing and execution of a file

3115 : provide a shell

3222 : write a new ID in %APPDATA%\recycle.ini 
3223 : auto deletion of the malware
3224 : update

This quick analysis shows us that no matter how deep your knowledge is about an attacker, you're never safe from seeing him change his methods completely. That is why APT attacks attribution is such a hard task.

Thanks to Fabien, Jesse, Brian and Ned for the help while writing this small post ;-)

EDIT: (2013/09/04) Satnam Narang from Symantec just posted interesting material about the same APT campaign. You can read it here. In few words, Poison Ivy RAT is also in the game ;)

vendredi 23 décembre 2011


MISC 59 vient de sortir et le magazine fête sa 10ème année.


Vous y trouverez notamment un article de mon cru : "Analyse de malware avec Cuckoo Sandbox".

Bonne lecture, feedback apprécié :-)

samedi 19 janvier 2008

Saturday Night Fever... And Win32.Agent.dwd malware analysis :-p

Well, it's about noon here, on saturday night, and I should be away with friends, drinking a bit, having fun, meeting new people... But things are a bit different this saturday night. Yes, I'm stuck home, being sick. Just like a malware, flue has spread amongst co-workers, and it finally struck me yesterday.

What could I do then, except spending some time on my laptop, lying in my bed ?

As the "social monster" I am supposed to be, like one of my co-worker has called me, I thought I would spend some time talking with one or two friends on IRC or MSN (well, I'm using "pidgin" under my Linux for MSN protocol, of course).

So I've been chatting a bit, and then, suddenly, a friend asked me :

"hey, is this you ? http://members.lycos.co.uk/xxxx/?=myemailaddress"

I immediately tried to tell her that she was having a malware on her computer, but it seems that she didn't get my message. Luckily enough, I had her phone-number so I called her and explained her some things ;-)

Now as curious as I can be, I got to this url and of course, it opened a window asking me if I wanted to download a file called "naked0453.com" , which I did.

I immediately sent this file for analysis to virustotal.com (Hi Julio ;-)) and got this result:

So now I could have googled around to find more information about this Trojan.Win32.Agent.dwd, but it would have been no fun.

Instead, I decided to launch the naked0453.com file ... Of course, under a special environment : a Windows XP SP2 in a VirtualBox. My sniffer (Wireshark) already on of course, to check for the network communication.

Well as soon as I ran the binary, it opened a window containing the "supposed" me :

Ok, it definitely is not me, I feel better, none of my ex-girlfriend has sent naked pics of me through Internet ;-P

Anyway, some files have been dropped on my system when I launched the binary:

* a file "services.exe" in my C:\Documents and Settings\user\localsettings\temp.
* some temporary files (image.jpg for example)

The services.exe binary is immediately run by the "naked" binary.

Once again, I ran the binary on virustotal.com, obtaining the following results:

As you can see, the malware itself is less detected than his dropper, which is usual. And oh, Armadillo is there... But I don't have reversing skills anyway :-p

Of course, the malware has also added himself in Windows registry, so that it will restart when Windows reboots.

Another funny thing is that services.exe (I'll call it the malware from now on) has been reading my autoexec.bat file, but I don't know why.

A remote thread is also injected in c:\windows\explorer.exe

I'm hushing through all these files manipulation because I'm not finding it so sexy : my main interest is to check what the malware has done on the network.

Letting Wireshark run for some time, I see there is quite an amount of communication. After some ten minutes, I stopped it, and put my Windows XP in my VirtualBox in his precedent state. (uninfected)

The first packets sent by the malware are DNS requests :

1 0.000000 192.168.x.x 192.168.x.x DNS Standard query A james.ccpower.ru
2 0.003170 192.168.x.x 192.168.x.x DNS Standard query response A
3 3.848609 192.168.x.x 192.168.x.x DNS Standard query A asl.aldanma.net
4 3.852151 192.168.x.x 192.168.x.x DNS Standard query response A

james.ccpower.ru points to, being useless. But we see that asl.aldanma.net is resolved to

Immediately afterwards (5th packet) the malware establishes a connection to a IRC server at asl.aldanma.net :

NICK FQ[FRA-0H-hebxpefcz
USER heh heh heh :kakap
:log.on.sys 001 FQ[FRA-0H-hebxpefcz :Cisco
:log.on.sys 005 FQ[FRA-0H-hebxpefcz

:log.on.sys 422 FQ[FRA-0H-hebxpefcz :
:FQ[FRA-0H-hebxpefcz MODE FQ[FRA-0H-hebxpefcz :+i
JOIN #.niw
:FQ[FRA-0H-hebxpefcz!heh@AFontenayssB-x-x-x-x.wx-x.abo.wanadoo.fr JOIN :#.niw
:log.on.sys 353 FQ[FRA-0H-hebxpefcz @ #.niw :FQ[FRA-0H-hebxpefcz @abc
:log.on.sys 366 FQ[FRA-0H-hebxpefcz #.niw :End of /NAMES list.
:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :..... ............................................
PING :log.on.sys
PONG :log.on.sys

:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :........ 32415c24f4c28fb144f37921a7f4dc26 .........................
:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :........ a7d10aaf0e52b98963bc13232d4e88f1 .................................
:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :..... ............................................
PING :log.on.sys
PONG :log.on.sys

:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :........ 32415c24f4c28fb144f37921a7f4dc26 .........................
PING :log.on.sys
PONG :log.on.sys

:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :..... ............................................
:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :........ 32415c24f4c28fb144f37921a7f4dc26 .........................
PING :log.on.sys
PONG :log.on.sys

:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :..... ............................................

As we can see, the malware connects to the IRC server using a nick "FQ[FRA-0H-hebxpefcz" which at least contains a country reference.It also uses a user name "heh heh heh :kakap"
The answer from the server, the MOTD, is "Cisco".
The bot (malware) then joins the secret channel #.niw on the server.

We see only one user on the channel, with operator rights, called "abc". I would have liked seeing all bots connected at the same time but it seemed that the server was configured to hide everything. Even whois'ing was forbidden on the server.

After that, my machine started to connect to a lot of different web servers, getting hundreds of files (porn, affiliation, more malware...) but I had no time to keep digging, and furthermore I have to write another post on this blog about "Solutions Linux 2008" ... :-p

So this fast funny analysis is over, and as you can see it took me quite some time to publish it (mainly because I was away on hollidays) ;-)