Looking at the human aspect of offensive cyber operations is one of the most interesting parts of a malware analyst’s day. Malware that was generated by an algorithm, such as a polymorphic PDF, is a little boring because you know you aren’t fighting against a human on the other side of the keyboard. However, when dealing with nation-state sponsored intrusions, or at least deliberate attacks against a specific group of people, it’s interesting to look at the different stages of the attack, from victim selection, to attack method, to what kind of data is exfiltrated. We recently discovered an attack that appeared to be against primarily Russian targets.
The malicious MS Word document sample that kicked this off was 338d0b855421867732e05399a2d56670. The behavior of the exploit is fairly standard—it drops an executable, which drops another .EXE and two .DLLs, and generally creates multiple components that aggravate AV detection and cleanup. We named this malware “Sanny” after one of the email addresses (jbaksanny AT yahoo.com) used by the attacker. The screenshot (Figure 1) is provided for analysts who want to make sure we’re all looking at the same sample.
One thing that is true in nearly all targeted attacks is that there is an aspect baked in which the cybercriminal gives the victim a “decoy document.” As a result, the victim is dissuaded from calling the computer helpdesk, thinking he/she got legitimate content. This attack is no different, as can be seen in Figure 2. To be clear, this clean, legitimate document is embedded inside the malicious document, and launched after the exploit is successful.
As can be seen in the figure above, the document was clearly targeting users whose language is in the Cyrillic character set.
Another interesting aspect of this attack is the command and control (CnC). The CnC channel is embedded on a legitimate page, a Korean message board called "nboard.net." Figure 3 shows the malware CnC communication. One can easily look at the HTTP POST and notice that the password for the database is 1917qaz.
The malware also contains a fallback mechanism such that if the message board is unavailable, it tries to check mail connectivity via a Korean Yahoo mail server.
Following are the email addresses it uses for email communication:
mailboote AT yahoo.co.kr
jbaksanny AT yahoo.com
The POST is sent to a simple web form shown in Figure 5 below.
But the backend is the interesting piece. The data is sent to a public message board that does not require authentication, so all of the victims are visible.
As an analyst can see, the compromised systems are a mix of malware analysts and legitimate users.
The stolen data is encoded. Upon a quick look at the malware components, we find out that it is stealing lots of different kinds of passwords/credentials from the victim’s machine. Figure 7 shows the malware code extracting the list of MS Outlook accounts and accounts data from the following registry keys:
Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts
Software\\Microsoft\\Internet Account Manager\\Accounts
At another segment we observed malware stealing username/passwords that Firefox remembers for different online services like Hotmail, Facebook, etc. under C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\k9fjylx4.default\.
Apart from stealing different types of credentials, it also profiles the victims, e.g., collecting the victim_locale, victim_region, and other relevant information. Figure 8 below shows malware collecting the victim’s information and then storing it in a parameterized format to be later sent via HTTP POST to the CnC.
On the CnC, each victim’s information is clickable; the following screenshot (Figure 9) shows one example of this.
As can be seen above, the victim was coming from 220.127.116.11.
% Information related to '18.104.22.168 - 22.214.171.124'
inetnum: 126.96.36.199 - 188.8.131.52
descr: Russian Space Science Internet
descr: People's Friendship University of Russia
Another victim’s IP recorded on the server is 184.108.40.206
inetnum: 220.127.116.11 - 18.104.22.168
descr: ITAR-TASS State Enterprise
Interesting targets, for sure. Looking at the rest of the victims, there are a number of other Russian targets as well. We went through the full list of IPs scraped from the victim logs. Some of them are AV companies or security researchers, but the majority, we believe, are real victims in Russia. The following are the major industries we believe are impacted:
- Russian Space Research Industry
- Russian Information Industry
- Russian Education Industry
- Russian Telecommunication Industry
Who is behind this attack?
Though we don’t have full concrete evidence, we have identified many indicators leading to Korea as a possible origin of attack. The following are the indicators we have so far:
- The SMTP mail server and CnC are in Korea
- The fonts "Batang" and "KP CheongPong" used in the document are Korean
- The fact that the attacker chose a Korean message board as the CnC shows that either he/she is a native speaker or is at least very comfortable with the Korean language
- Some searching on "jbaksanny" (the Yahoo email used) leads to a Korean Wikipedia page created by the user named Jbaksan. The page is auto-filled and has nothing in the edit history except the creation of this user
The attacker is continuously monitoring the CnC to check new victims and their stolen data. It looks like the attacker has a two-day cycle, i.e., after every two days, he/she collects the stolen data and deletes it from the CnC server. In the last five days, the attacker collected and deleted the data three times approximately after every two days.
At the time of writing this blog, the CnC server was up and receiving data from different victims. We will continue to analyze this threat and update as more information becomes available.
This post was written by FireEye researchers Alex Lanstein and Ali Islam.