Target and Delivery Method
Malware Page employs the vulnerability in PDFs and has been seen to be delivered via email. Agenda_Web_(8-24-12).pdf is one of the names this malicious sample uses. Per our logs this sample has been seen to target the aviation defense industry, making this malware a critical limited edition threat. When the malicious PDF file is opened, it infects the victim’s machine and a decoy document is generated. When the decoy PDF file is opened in Acrobat Reader, as shown in Figure 1, the victim finds an invitation to an actual defense industry event.
The purpose of this blog is to share the technical details about this critical limited edition malware.
As shown in Figure 4, the shellcode first creates the file evtmgr.exe in the folder C:\DOCUME~1\ADMIN~1\LOCALS~1\Temp\ and then, as shown in Figure 5, the shellcode makes a call to WinExec to execute the evtmgr.exe.
When executed, evtmgr.exe further performs two actions. First, it creates a DLL file called mssrt726.dll.
After creating mssrt.dll, evtmgr.exe makes changes in the service registry key. These
changes are as follows:
HKLM\SYSTEM\ControlSet001\services\PeerDistSvc\parameters\”ServiceDll”= path to mssrt726.dll
These changes in the registry keys ensure that mssrt726.dll automatically gets loaded in memory by svchost.exe.
A quick look inside the APIs imported by mssrt726.dll shows that it imports APIs to perform HTTP communication.
When mssrt726.dll gets executed, as expected, it performs network communication and opens the backdoor at TCP port 49163. Legitimate applications do not open Port 49163 for listening. The outbound GET request is shown in Figure 8.
This GET request is sent to the following domains:
|cuteoverload.dydns.org cuteoverload.dydns.org||126.96.36.199 188.8.131.52||Bahamas Bahamas|
|kingbruce.dydns.org kingbruce.dydns.org||184.108.40.206 220.127.116.11||Bahamas Bahamas|
|tunnel.dydns.info tunnel.dydns.info||18.104.22.168 22.214.171.124||Germany Germany|
As shown in Figure 9, detailed log of the network communication is also maintained. The log is in the folder C:\Windows\Temp\. In my setup, the name of the log file is ~00ELISE1D797.TMP.
To summarize, when the malicious PDF file is opened, it employs the vulnerability in collab.getIcon(), creating an executable file and then executing it. The executable file drops a DLL which in turn performs network communication and opens a backdoor at TCP port 49163. A decoy PDF document also gets dropped on the disk. The decoy document contains the details of an actual defense industry event which is going to happen. Armed with a known PDF vulnerability, the authors of Page seem to be targeting our defense industry.