
More on the IE 0-day – Hupigon Joins The Party

It was just a few days ago that Symantec disclosed a new 0-day vulnerability in Microsoft's Internet Explorer (versions 6, 7, and 8). They identified at least one piece of malware, 'Backdoor.Pirpi', actively exploiting this vulnerability in targeted email attacks posing as hotel reservation notifications.

Here at FireEye Labs, we have identified another type of Modern Malware, 'Hupigon', exploiting the same IE zero-day vulnerability. This malware appears to be more reliable at infecting systems than Pirpi.

It is increasingly common for cyber criminals to 'upgrade' Modern Malware with newly uncovered zero-day exploits. The question now is whether the criminal masterminds behind this second wave of attacks are the same as those behind the first wave. In this article I will try to answer this question.

In order to find a link, let's compare these attacks side-by-side.

1. Hupigon

The initial attack was seen hidden inside the compromised web site www.[XX]box.com. Unfortunate visitors to this web site were redirected to www.[XX]box.com/1.htm, which contained the actual exploit. After successful exploitation, the shellcode would fetch a GIF file named '[XXX]hack.gif'. This GIF "file" is actually an obfuscated command (with a fake GIF header) containing the URL of the second-stage binary '1.exe' (Hupigon).

Here is a screenshot of this end-to-end attack.

[Screenshot: Hupigon end-to-end attack]

I tested this exploit many times and found it to be very reliable!


2. Backdoor.Pirpi

Now, back to the original malware seen exploiting the recently uncovered IE zero-day. The initial attack was seen hidden inside another compromised web site, www.[XX]unclub.com. After successful exploitation, the shellcode would fetch a GIF file named 'lin[X]bl.gif'. This GIF is actually an obfuscated executable binary (also using a fake GIF header) called 'alg.exe' (a.k.a. Backdoor.Pirpi).

Here is a screenshot of the end-to-end attack.

[Screenshot: Pirpi end-to-end attack]

Based on my lab results, I did not find this exploit to be particularly reliable. Most of the time, it would simply crash Internet Explorer. That's good news and can be considered a mitigating factor in why this attack using a zero-day vulnerability hasn't been more successful.

Here are a few more details on how Backdoor.Pirpi communicates with its CnC infrastructure. At the moment, it is communicating with a command server at IP 195.178.114.26, located in Poland. In the past, other Pirpi variants have been seen talking to 69.60.106.176 and www.twadcorp.com.

Part of each of these URIs is randomly generated to fool signature-based IDS (intrusion detection systems). Note that the responses to these .GIF object requests return similarly obfuscated command objects(!), as we now see in the case of Hupigon.

[Screenshot: Pirpi CnC traffic]

When both attacks are analyzed side-by-side, there are enough similarities to assume that the cyber criminals behind both of these Modern Malware attacks are closely linked.

Here's a summary of the similarities:

1. BOTH Pirpi and Hupigon use the same IE 0-day within almost the same time frame.

2. BOTH use the fake GIF format to conceal the second-stage malware. In the case of Pirpi, the complete binary was obfuscated within a fake GIF file; in the case of Hupigon, the URL of the second-stage binary was obfuscated in the same fashion.

3. BOTH Pirpi and Hupigon are very powerful backdoors that provide full access to the infected system.

4. Although both pieces of malware use the same 0-day vulnerability, neither should be considered "new": Pirpi has its roots in mid-2009 and Hupigon in 2007-2008.
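The fake-GIF trick shared by both families (a GIF signature in front of a PE binary in Pirpi's case, in front of an obfuscated command in Hupigon's) is straightforward to catch on the wire if a sensor parses the GIF structure instead of trusting the magic bytes. The checker below is an added example, not FireEye's code or either malware's; the sample blobs are constructed here and the URL inside one of them is a placeholder.

```python
GIF_MAGICS = (b"GIF87a", b"GIF89a")

def _skip_sub_blocks(data, pos):
    # Walk GIF data sub-blocks from pos; return offset past the 0x00 terminator, or None if truncated.
    while pos < len(data):
        size, pos = data[pos], pos + 1
        if size == 0:
            return pos
        pos += size
    return None

def _color_table_len(packed):
    # Bit 7 = colour table present; bits 0-2 encode 2**(n+1) RGB entries of 3 bytes each.
    return 3 * (2 ** ((packed & 7) + 1)) if packed & 0x80 else 0

def inspect_gif(data: bytes):
    """Return (verdict, reason); 'gif' only when the body parses as a complete GIF, not merely when it carries the signature."""
    if len(data) < 13 or data[:6] not in GIF_MAGICS:
        return "not-gif", "no GIF signature"
    # A PE image hidden behind the header still carries its own DOS/PE signatures.
    fake = "fake-gif-pe" if (b"MZ" in data[6:] and b"PE\x00\x00" in data) else "fake-gif"
    pos = 13 + _color_table_len(data[10])  # header + logical screen descriptor + global colour table
    saw_image = False
    while pos is not None and pos < len(data):
        block, pos = data[pos], pos + 1
        if block == 0x3B:  # trailer: only valid after at least one image, and nothing may follow it
            if not saw_image:
                return fake, "trailer before any image"
            if pos < len(data):
                return fake, f"{len(data) - pos} bytes appended after trailer"
            return "gif", "well-formed GIF"
        if block == 0x21:  # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == 0x2C:  # image descriptor (9 bytes), local colour table, LZW min code size, sub-blocks
            if pos + 9 > len(data):
                break
            pos += 9 + _color_table_len(data[pos + 8]) + 1
            pos = _skip_sub_blocks(data, pos)
            saw_image = True
        else:
            return fake, f"unexpected block introducer 0x{block:02x} at offset {pos - 1}"
    return fake, "truncated: no trailer reached"

# Constructed samples (not from the page): a real 1x1 transparent GIF, a GIF header glued onto a PE stub, and one glued onto a plain command.
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
            + b"\x21\xf9\x04\x01\x00\x00\x00\x00" + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
            + b"\x02\x02\x44\x01\x00\x3b")
FAKE_PE = b"GIF89a" + b"MZ\x90\x00" + b"\x00" * 56 + b"PE\x00\x00\x4c\x01" + b"\x00" * 20
FAKE_CMD = b"GIF89a\x01\x00\x01\x00\x00\x00\x00" + b"DOWNLOAD http://placeholder.invalid/1.exe\x00"
```

Run over proxy or sandbox captures, the verdict separates genuine images from bodies that only borrow the GIF signature, which is what a magic-bytes or Content-Type check alone cannot do.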

At this time it appears that the majority of cyber criminals do not have access to this exploit. But in the coming days, as the research community releases more and more details, other groups will likely come into play and start using this vulnerability as a powerful vehicle for launching new cyber attacks.

Atif Mushtaq @ FireEye Malware Intelligence Lab

Detailed questions/comments: research SHIFT-2 fireeye DOT COM

3 thoughts on “More on the IE 0-day – Hupigon Joins The Party”

  1. Both pieces of malware are of Chinese descent and/or operational use. The domains are known domains used in state-sponsored espionage attacks with the expressed goal of draining the US of its intellectual property due to the fact that they are either unwilling or unable to build their own stuff. After they have what they want, they will eject Western companies out of their markets and challenge us with our own weapons.
    I would challenge any malware analysts to find malware used in cybercrime with similar C2 mechanisms. Props to FireEye for investigating this.
    Additionally, it would be nice if people quit using obfuscated terminology such as TARGETED and called it what it is: hostile cyber espionage attacks that deserve aggressive and forceful diplomatic/economic/cyber military responses until the message is sent that red lines have been crossed.
    These groups have launched and been directly responsible for operationally using and deploying/releasing the past 10 0dayz that have made their way into criminal and public use, thus achieving a secondary collateral damage/victim: the public, to the tune of billions of dollars a year.
    In fact, one useful way to identify these types of weapons of malice is to peel back the layers of the CARO naming convention. I believe the AV community DELIBERATELY obfuscates the names of these very specific tools under terms like Generic.Trojan and Generic.Backdoor, which in effect gives clueless responders no true informational value in knowing what is really going on when they come across it in incident response situations.
    The difference is: wow, should I wipe a machine and go about my day, or should I go "oh shi#, we are owned by a nation state and our shiny ideas/plans are now gone and being actively reviewed by technical exploitation experts with doctorates." I guess the next step is when they find out, whenever the FBI or another organization gets around to notifying them that they are EFFed. BTW, that notification does not happen immediately. Could be months, if at all. You're lucky if they do knock on your door.
    What's absolutely HILARIOUS is that Symantec rates this malware risk as VERY LOW. They are unwilling to say which site was used in the attack, which hop point was used in the US and which victims were targeted, and effectively what the damage impact was of the incident response efforts or the intrinsic or strategic value of the information exfiltrated. Good risk evaluation, Symantec.
    Additionally, the snippets of commands that Symantec included in their blog are only part of the picture; what they fail to show is the thousands of command-line fu that is used to move and exploit laterally, invasion style, at rapid speed through the network after initial compromise.
    Better call the Mandiant IR team in at 450 dollars an hour multiplied by 6 FTEs, and add about a half mil in capital costs to buy security equipment. Oh yeah, that's over 6 months, IF you are successful, and that's a maybe.
    If you want to figure out how to change the game, read more on real response options to cyber attacks.
    diocyde.wordpress.com
