Analysis of Malware Page

Target and Delivery Method

Malware Page exploits a known vulnerability in PDF readers and has been seen delivered via email. Agenda_Web_(8-24-12).pdf is one of the file names this malicious sample uses. Per our logs, this sample has been seen targeting the aviation defense industry, making this malware a critical limited edition threat. When the malicious PDF file is opened, it infects the victim's machine and a decoy document is generated. When the decoy PDF file is opened in Acrobat Reader, as shown in Figure 1, the victim finds an invitation to an actual defense industry event.


Figure 1. Contents of the decoy PDF file

The purpose of this blog is to share the technical details about this critical limited edition malware.

Vulnerability Employed


Figure 2. Presence of JavaScript inside the PDF file

As shown in Figure 2, the malicious PDF file contains the JavaScript in the 17th Object.


Figure 3. The JavaScript code inside the PDF file

From static analysis of the JavaScript in Object 17, shown in Figure 3, it can be inferred that the malware exploits a vulnerability in Collab.getIcon(). This is a known vulnerability and has been assigned CVE-2009-0927.
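A defender's triage check for the indicator described above, added here as an example and not part of the original analysis: it walks the objects of a PDF, decodes PDF name escapes (so an obfuscated /#4A#53 still reads as /JS), and flags any JavaScript object that calls Collab.getIcon. The embedded PDF is a constructed stand-in that mimics the layout (JavaScript in object 17), not the actual sample.

```python
import re

# Constructed sample: a minimal PDF skeleton with a JavaScript action in
# object 17, mirroring the layout described in the analysis (not the
# real malicious file). The /JS key is written with a PDF hex escape
# (#4A#53) to show why names must be normalised before matching.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 17 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
17 0 obj << /S /JavaScript /#4A#53 (var x = Collab.getIcon(payload);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Matches "N G obj ... endobj" and captures the object number and body.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
HEX_NAME_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_names(body: bytes) -> bytes:
    """Decode PDF name escapes such as /#4A#53 -> /JS so obfuscated
    dictionary keys match the plain forms checked below."""
    return HEX_NAME_RE.sub(lambda m: bytes([int(m.group(1), 16)]), body)

def find_js_objects(pdf: bytes) -> list:
    """Return (object number, flagged API list) for every object carrying
    JavaScript. Collab.getIcon is flagged because that call is the vector
    for CVE-2009-0927 identified in the analysis."""
    findings = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), normalize_names(m.group(3))
        if b"/JavaScript" not in body and b"/JS" not in body:
            continue
        apis = []
        if re.search(rb"Collab\s*\.\s*getIcon", body):
            apis.append("Collab.getIcon (CVE-2009-0927)")
        findings.append((num, apis))
    return findings

if __name__ == "__main__":
    for num, apis in find_js_objects(SAMPLE_PDF):
        print(f"object {num}: JavaScript present, flagged APIs: {apis or 'none'}")
```

A production scanner would also inflate /FlateDecode streams and account for JavaScript string concatenation, neither of which this plain-text check handles.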

Technical Analysis

When the malicious PDF file is opened, the JavaScript code performs two main actions.


Figure 4. Shellcode creating the executable file evtmgr.exe

As shown in Figure 4, the shellcode first creates the file evtmgr.exe in the folder C:\DOCUME~1\ADMIN~1\LOCALS~1\Temp\ and then, as shown in Figure 5, calls WinExec to execute evtmgr.exe.


Figure 5. Shellcode executing evtmgr.exe

When executed, evtmgr.exe further performs two actions. First, it creates a DLL file called mssrt726.dll.


Figure 6. Code in evtmgr.exe that modifies the service registry key

After creating mssrt726.dll, evtmgr.exe makes changes in the service registry key. These changes are as follows:

HKLM\SYSTEM\ControlSet001\services\PeerDistSvc\"start"=0x0000002

HKLM\SYSTEM\ControlSet001\services\PeerDistSvc\parameters\"ServiceMain"=EsEntry

HKLM\SYSTEM\ControlSet001\services\PeerDistSvc\parameters\"ServiceDll"= path to mssrt726.dll

These registry changes ensure that mssrt726.dll is automatically loaded into memory by svchost.exe as the service DLL of PeerDistSvc.


Figure 7. Svchost.exe loading malicious mssrt726.dll

A quick look inside the APIs imported by mssrt726.dll shows that it imports APIs to perform HTTP communication.


Figure 7.1. APIs imported by mssrt726.dll

When mssrt726.dll is executed, as expected, it performs network communication and opens a backdoor listening on TCP port 49163. Legitimate applications do not listen on port 49163. The outbound GET request is shown in Figure 8.


Figure 8. The GET request generated by the malware

This GET request is sent to the following domains:

Domain                  IP Address      Location
cuteoverload.dydns.org  208.87.33.151   Bahamas
kingbruce.dydns.org     208.87.33.151   Bahamas
tunnel.dydns.info       82.98.86.173    Germany

As shown in Figure 9, a detailed log of the network communication is also maintained in the folder C:\Windows\Temp\. In my setup, the name of the log file is ~00ELISE1D797.TMP.


Figure 9. Log of the network communication

To summarize, when the malicious PDF file is opened, it exploits the vulnerability in Collab.getIcon(), creating an executable file and then executing it. The executable drops a DLL which in turn performs network communication and opens a backdoor on TCP port 49163. A decoy PDF document is also dropped to disk; it contains the details of an actual upcoming defense industry event. Armed with a known PDF vulnerability, the authors of Page appear to be targeting our defense industry.