Targeted Attack Trend Alert: PlugX the Old Dog With a New Trick

FireEye Labs has discovered a targeted attack against Chinese political rights activists. The targets appear to be members of social groups involved in the political rights movement in China. The email turned up after the attention drawn to Beijing during the 12th National People's Congress and the 12th National Committee of the Chinese People's Political Consultative Conference, at which a new core leadership of the Chinese government was elected and the direction of China's five-year development plan was set [1].

The email carries a weaponized attachment that uses the Office CVE-2012-0158 exploit to drop the benign payload components and a decoy document. The Remote Access Tool (RAT) PlugX is known for assembling its malicious execution out of a combination of benign files. The Microsoft file OInfoP11.exe, also known as "Office Data Provider for WBEM", is a signed file listed in the NIST National Software Reference Library and is a component of the Microsoft Office 2003 suite. Endpoint protection that relies on integrity checking would deem this file valid and clean. On Windows 7 and later, svchost.exe requires user interaction through a UAC prompt, but only if UAC is enabled; on Windows XP the attack requires no user interaction at all. The major problem is that this file is subject to DLL sideloading. In previous cases PlugX has used similarly sideloading-prone files, such as the McAfee binary mcvsmap.exe [2], Intel's hkcmd.exe [3], and NVIDIA's NvSmart.exe [4]. In this case, OInfoP11.exe loads a DLL named OInfo11.ocx (a payload loader posing as an ActiveX DLL) that decompresses and decrypts the malicious payload OInfo11.ISO. This technique can evade endpoint security solutions that rely on binary signing, and traditional anti-virus (AV) solutions have a hard time identifying the encrypted and compressed payload. At the time of writing, only 1 of 46 AV vendors detects the OInfo11.ocx file.

The diagram in figure 1 shows the behavior and relationship of these files.

Figure 1: Attack Diagram

Infiltration

In Figure 2, the targeted email advertises a suffrage movement seminar event. Figure 3 shows the contents of the Google Docs form linked from the email, which carries the same information as the email. Figure 4 shows the decoy document, which contains the details of the particular seminar section mentioned in the Google Docs form.

Figure 2: Original Email

Below is the English translation of the email in figure 2.

Li Ping

Figure 3: Google Form

Decoy Document

Figure 4: Decoy Document

Below is the translation of the document shown above.

The seminar

Attack Analysis

The XLS file (1146fdd6b579ac7144ff575d4d4fa28d) uses the CVE-2012-0158 Office exploit to drop the "ews.exe" payload and the decoy document shown in Figure 4. This payload extracts the Microsoft file OINFOP11.exe, the benign DLL OInfo11.ocx, and the encoded and compressed shellcode sections of Oinfo11.ISO. OInfoP11.exe loads OInfo11.ocx as a DLL; once loaded, the DLL decompresses Oinfo11.ISO with RtlDecompressBuffer, decrypts it, and runs it in memory. The decrypted malicious code is never written to the file system and is therefore not seen by file-system-based anti-virus scanners. Figure 5 shows a high-level view of the relationship between the dropped files.

Figure 5: Payload Relationship

Summary of Dropped Files

Exploit Details
This malware uses CVE-2012-0158 to drop the payload from the section shown in Figure 6.

Figure 6: Exploit Payload Section

Shellcode can be found in the first few bytes of this section. Figure 7 shows the disassembly of the code at offset 0x1de0b, the offset marked in Figure 6.

Figure 7: Payload Shellcode

Campaign Characteristics

OInfoP11.exe is a valid Microsoft file and its certificate is shown in figure 8.

Figure 8: Signature Usage

When OInfoP11.exe is called with the arguments "C:\Documents and Settings\All Users\SxS\OINFOP11.EXE" 200 0, it begins loading the file OInfo11.ocx.

Figure 10: Loader Entrypoint

The arrow marks the exact jump point: the entry point at which the shellcode that decompresses and decrypts the ISO file begins.

Figure 11: Shellcode Example

This is an example of the memory space of the loaded benign DLL OInfo11.ocx. OInfo11.ocx is essentially a loader: this section decompresses and decrypts the malicious payload in memory.

Figure 12: Decryption of the ISO file

This is the decryption loop used throughout the sample. In this instance, it is used to decrypt the ISO shellcode in memory.

Figure 13: DLL location in memory

This is an example of the complete malicious DLL address space in memory.

Entrenchment

Artifacts to watch for: Mutex

Injection

The DLL injects code into svchost.exe by allocating memory in the target with VirtualAllocEx and writing into its address space with WriteProcessMemory. The thread is then resumed to run the injected code. The same injection process is used for both svchost.exe and msiexec.exe. When svchost.exe spawns msiexec.exe, it calls CreateEnvironmentBlock and CreateProcessAsUser so that the svchost service can launch a process in a user session.

Keylogging Activity

The sample creates a keylogging file in %ALLUSERSPROFILE%\SXS\ named NvSmart.hlp. Below is an example of the content of this file.
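One way to turn the host-side artifacts described above (OInfoP11.exe launched from the SxS directory with the "200 0" arguments, OInfo11.ocx sideloaded from that same directory, svchost.exe spawning msiexec.exe, and the NvSmart.hlp keylog file) into endpoint checks. This is an added example, not FireEye's code; the Sysmon-style event dicts and the sample telemetry are constructed for illustration.

```python
"""Host-artifact checks for the PlugX chain in this post (added example, not FireEye code).
Input: constructed Sysmon-style event dicts for process creation, image load and file create."""
from typing import Dict, List

SXS_ARTIFACTS = ("oinfo11.ocx", "oinfo11.iso", "nvsmart.hlp")  # loader, payload, keylog

def _dir(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0]

def check_event(ev: Dict[str, str]) -> List[str]:
    """Return findings for one event; an empty list means nothing matched."""
    hits: List[str] = []
    kind, image = ev.get("type"), ev.get("image", "").lower()
    if kind == "process_create":
        # Signed Office 2003 binary running outside an Office install, with loader args
        if image.endswith("\\oinfop11.exe") and "\\microsoft office\\" not in image:
            hits.append("OInfoP11.exe launched outside an Office install directory")
            if ev.get("cmdline", "").rstrip().endswith(" 200 0"):
                hits.append("OInfoP11.exe invoked with loader arguments '200 0'")
        parent = ev.get("parent_image", "").lower()
        if parent.endswith("\\svchost.exe") and image.endswith("\\msiexec.exe"):
            hits.append("svchost.exe spawned msiexec.exe (injection chain)")
    elif kind == "image_load":
        loaded = ev.get("loaded", "").lower()
        # Sideload: OInfo11.ocx resolved from the EXE's own directory, not a system path
        if loaded.endswith("\\oinfo11.ocx") and _dir(loaded) == _dir(image):
            hits.append("OInfoP11.exe sideloaded OInfo11.ocx from its own directory")
    elif kind == "file_create":
        target = ev.get("target", "").lower()
        if "\\sxs\\" in target and target.rsplit("\\", 1)[-1] in SXS_ARTIFACTS:
            hits.append("PlugX artifact written: " + ev["target"])
    return hits

def scan(events: List[Dict[str, str]]) -> List[str]:
    """Flatten findings across all events."""
    return [h for ev in events for h in check_event(ev)]

# Constructed sample telemetry mirroring the post's chain (not a real capture)
SXS = "C:\\Documents and Settings\\All Users\\SxS\\"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": SXS + "OINFOP11.EXE",
     "cmdline": '"' + SXS + 'OINFOP11.EXE" 200 0', "parent_image": SXS + "ews.exe"},
    {"type": "image_load", "image": SXS + "OINFOP11.EXE", "loaded": SXS + "OInfo11.ocx"},
    {"type": "file_create", "image": SXS + "OINFOP11.EXE", "target": SXS + "NvSmart.hlp"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec.exe", "parent_image": "C:\\Windows\\System32\\svchost.exe"},
    {"type": "process_create", "cmdline": "OINFOP11.EXE",  # legitimate install: no hit
     "image": "C:\\Program Files\\Microsoft Office\\OFFICE11\\OINFOP11.EXE"},
]
```

Running scan(SAMPLE_EVENTS) yields five findings for the first four events and none for the legitimate Office install, which is the distinction a sideloading check needs to make.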

Proxy Establishment

This sample can communicate using ICMP, UDP, HTTP and TCP. In this case the sample uses the string Protocol:[ TCP], Host: [202.69.69.41:90], Proxy: [0::0::] to establish the proxy settings for its C&C communication.

Figure 14: Communication Options

Modes of Operation Overview

The table below outlines some of the functionality that this variant uses. The options have not changed from earlier variants, so this table serves as a refresher. Figure 15 shows an example of how these functions are called by the sample.

Figure 15: Functionality Example

C&C Details and Communication

In Figure 16, the sample is communicating with 202.69.69.41 over port 90. The C&C node was down in this case, but the communication is dynamic and non-HTTP. An example of the callback content is shown in Figure 17. This sample will also try to communicate laterally with other instances in the same network; an example of this traffic and its content can be seen in Figures 18 and 19.
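The C&C descriptor string quoted above, parsed into its parts and matched against network flow records, as an added example that is not FireEye's code. The flow records are constructed (assumed src/dst/dport/proto dicts); the only page-derived indicator is the TCP callback to 202.69.69.41:90.

```python
"""Parse the PlugX C&C descriptor string quoted in this post and match flow records.
Added example, not FireEye code; flow records are constructed 5-tuple dicts (assumed)."""
import re
from typing import Dict, List, Optional

# Descriptor exactly as quoted in the post for this sample
DESCRIPTOR = "Protocol:[ TCP], Host: [202.69.69.41:90], Proxy: [0::0::]"
_FIELD = re.compile(r"(\w+):\s*\[([^\]]*)\]")  # 'Key: [value]' pairs

def parse_descriptor(text: str) -> Dict[str, Optional[object]]:
    """Return protocol, host, port and proxy; '0::0::' is read as 'no proxy'."""
    fields = {k.lower(): v.strip() for k, v in _FIELD.findall(text)}
    host, _, port = fields.get("host", "").rpartition(":")
    proxy = fields.get("proxy", "")
    return {
        "protocol": fields.get("protocol", "").upper() or None,
        "host": host or None,
        "port": int(port) if port.isdigit() else None,
        # all-zero/empty proxy slots (host, port, user, pass) mean direct connection
        "proxy": proxy if proxy.replace(":", "").strip("0") else None,
    }

def match_flows(cfg: Dict[str, Optional[object]], flows: List[Dict[str, object]]) -> List[str]:
    """Flag flows whose protocol, destination and port equal the configured C&C."""
    return [
        f"C&C callback {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}"
        for f in flows
        if f["proto"] == cfg["protocol"] and f["dst"] == cfg["host"] and f["dport"] == cfg["port"]
    ]

# Constructed flow records (not a real capture): one callback, two unrelated connections
SAMPLE_FLOWS = [
    {"src": "192.168.1.20", "dst": "202.69.69.41", "dport": 90, "proto": "TCP"},
    {"src": "192.168.1.20", "dst": "202.69.69.41", "dport": 443, "proto": "TCP"},
    {"src": "192.168.1.20", "dst": "198.51.100.7", "dport": 80, "proto": "TCP"},
]
```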

Figure 16: PCAP of C&C communication

Figure 17: Callback Traffic

Figure 18: UDP Beacon

Figure 19: UDP packet content

Whois Information on the IP 202.69.69.41

I want to thank the FireEye Labs Team.

[1] http://rmqlxk.blogspot.com/2013/03/blog-post_15.html
[2] http://www.circl.lu/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf
[3] http://lastline.com/an-analysis-of-plugx.php
[4] http://blog.trendmicro.com/trendlabs-security-intelligence/unplugging-plugx-capabilities/