In the past, attackers compromised targeted organizations by sending phishing e-mail directly to their users. In recent years there has been a shift away from this pattern: attackers were observed taking multi-pronged approaches, targeting both the organization of interest and its affiliated companies. For example, in July 2011, ESTsoft's ALZip update server was compromised in an attack on CyWorld and Nate users [1].
In one of our investigations, a malicious email was found targeting a Taiwanese technology company that works closely with the financial services industry (FSI) and the government in Taiwan (see Figure 1 below). To trick the user into opening the malicious document, the attacker used an announcement by the Taiwanese Ministry of Finance as the lure (see Figure 2).
The malicious document was password-protected with the auspicious number "888888." In Chinese, eight (pinyin "ba") is considered lucky because it sounds like "fa" (发), "to gain wealth." Password protection encrypts the document body with Word's built-in mechanism, so the exploit bytes are not visible to pattern-matching scanners until the document is opened with the password; the attacker thereby gained detection evasion without needing a zero-day. The exploit itself targeted a known, already-patched vulnerability, CVE-2012-0158 in "MSCOMCTL.ocx" (the Windows Common Controls ActiveX library). The technical analysis is detailed in the following sections: Protected Document Analysis, Shellcode Analysis, Payload Analysis, and Indicators of Compromise.
As shown in Figure 3, the document metadata reported by ExifTool indicates that the attacker authored it in a simplified Chinese environment. This is notable because it contradicts the email body, which was written in traditional Chinese, the script used in Taiwan.
It was also observed that the malicious Word document loaded "MSCOMCTL.ocx" before the exploit fired, as depicted in Figure 4.
The attacker leveraged CVE-2012-0158 against unpatched Microsoft Word. The vulnerable code inside MSCOMCTL copied attacker-controlled data into a fixed-size stack buffer, overwriting the saved return address with 0x27583C30 (see Figure 5). Overwriting the return address gives the attacker control of EIP when the vulnerable function returns. The instruction at 0x27583C30 disassembles to JMP ESP, so execution is transferred to the shellcode that the same copy placed on the stack (see Figure 6). The address lies inside MSCOMCTL.ocx itself, which loads at a fixed base, which is why it could be hard-coded in the document.
The shellcode performs the following tasks:
- Decrypts the embedded executable (payload) and writes it to the temp folder as "A.tmp"
- Launches "A.tmp" with WinExec
- Deletes Word's Resiliency registry key (via Shlwapi.SHDeleteKeyA) so that Word does not offer to recover the crashed document on its next start, which would alert the user
- Decrypts the embedded decoy Word document and writes it to the temp folder
- Launches the decoy document via WinExec with the following command line: cmd.exe /c tasklist&"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE" "%temp%\<name of the malicious document>" /q
- Terminates the compromised Word process
The shellcode made heavy use of hook-hopping to bypass the inline hooks that API-monitoring software such as host-based IPS and antivirus patches into the first bytes of API functions (see Figure 7). Instead of calling an API at its exported entry point, the shellcode executes the function's original first instructions itself and then jumps into the function just past the bytes a hook would have overwritten, so the call completes without the monitoring software ever seeing it. The same technique was used in the Operation Aurora attack against Google.
The body of the shellcode was encoded with a single-byte XOR key, 0x70, to deter analysis (see Figure 8).
The encrypted executable and decoy files were embedded within the malicious document at offsets 0x10000 and 0x48000 respectively. Both were encrypted with the same algorithm, a counter-based XOR with ROR (see the figure below).
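The two encodings named above are simple enough to reverse by hand, so the following is an added example (not code from the original report or from the malware) that decodes the single-byte XOR 0x70 shellcode body and carves the two embedded blobs out of the document at offsets 0x10000 and 0x48000. The report names the second scheme as "counter based XOR with ROR" but does not show its key schedule, so the concrete schedule in counter_xor_ror (XOR with key+i, key rotated right one bit per byte) and the key 0x5A are assumptions for illustration; the sample "document" is constructed in build_sample_document and is not the real file.

```python
from typing import Optional

XOR_KEY_SHELLCODE = 0x70            # stated in the report
PAYLOAD_OFFSET = 0x10000            # encrypted executable, stated in the report
DECOY_OFFSET = 0x48000              # encrypted decoy .doc, stated in the report

PE_MAGIC = b"MZ"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file header of a .doc


def xor_decode(data: bytes, key: int = XOR_KEY_SHELLCODE) -> bytes:
    """Single-byte XOR; the shellcode body is encoded with 0x70. Self-inverse."""
    return bytes(b ^ key for b in data)


def ror8(value: int, count: int) -> int:
    """Rotate an 8-bit value right by count bits."""
    count %= 8
    return ((value >> count) | (value << (8 - count))) & 0xFF


def counter_xor_ror(data: bytes, key: int, ror_bits: int = 1) -> bytes:
    """ASSUMED concrete form of the report's 'counter based XOR with ROR':
    byte i is XORed with (key + i) & 0xFF and the key is rotated right by
    ror_bits after every byte. The keystream depends only on (key, i), so
    the routine is its own inverse and also serves as the encoder below."""
    out = bytearray(len(data))
    k = key & 0xFF
    for i, b in enumerate(data):
        out[i] = b ^ ((k + i) & 0xFF)
        k = ror8(k, ror_bits)
    return bytes(out)


def carve(doc: bytes, offset: int, length: int, key: int) -> bytes:
    """Slice an embedded blob out of the document and decode it."""
    blob = doc[offset:offset + length]
    if len(blob) != length:
        raise ValueError("document too short for the requested blob")
    return counter_xor_ror(blob, key)


def classify(blob: bytes) -> str:
    """Identify what the decoded blob is by its file signature."""
    if blob.startswith(PE_MAGIC):
        return "pe"
    if blob.startswith(OLE_MAGIC):
        return "ole"
    return "unknown"


def brute_force_key(blob: bytes, want: bytes) -> Optional[int]:
    """Recover the byte key by testing all 256 values against a known header."""
    for key in range(256):
        if counter_xor_ror(blob[:len(want)], key).startswith(want):
            return key
    return None


def build_sample_document(key: int = 0x5A) -> bytes:
    """CONSTRUCTED document: zero padding with a fake PE stub and a fake OLE stub
    encoded at the offsets the report gives. Not the real sample."""
    fake_pe = PE_MAGIC + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 28   # 96 bytes
    fake_doc = OLE_MAGIC + b"\x00" * 88                                 # 96 bytes
    doc = bytearray(DECOY_OFFSET + len(fake_doc))
    doc[PAYLOAD_OFFSET:PAYLOAD_OFFSET + len(fake_pe)] = counter_xor_ror(fake_pe, key)
    doc[DECOY_OFFSET:DECOY_OFFSET + len(fake_doc)] = counter_xor_ror(fake_doc, key)
    return bytes(doc)


if __name__ == "__main__":
    doc = build_sample_document()
    key = brute_force_key(doc[PAYLOAD_OFFSET:PAYLOAD_OFFSET + 8], PE_MAGIC)
    print("recovered key:", hex(key))
    print("payload:", classify(carve(doc, PAYLOAD_OFFSET, 96, key)))
    print("decoy:  ", classify(carve(doc, DECOY_OFFSET, 96, key)))
```

Against a real sample the parameters of counter_xor_ror would be taken from the disassembled decryption loop; the brute-force helper is then useful only if the key is not visible in the shellcode, and the "MZ" and OLE signatures of the decoded output are what confirm that the schedule and key are right.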
This APT malware was stealthy and complex because of the number of anti-analysis techniques it deployed. It used multi-staging, hook-hopping, encryption, anti-sandboxing, and anti-disassembly techniques to deter both behavioral analysis and dynamic and static code analysis. The attacker clearly took deliberate effort to evade both automated analysis (signatures and sandboxes) and manual analysis of the malware in order to delay or evade detection.
After the shellcode extracted the payload "A.tmp" and the decoy document, "A.tmp" was executed. On first execution it copied itself to a filename generated with the GetTempFileName API using the prefix "Del"; an example of the generated filename is "DelA.tmp". Before terminating, "A.tmp" launched the copy with the command-line parameters "<process handle> <module path>". The spawned copy used the process handle to wait for "A.tmp" to exit, deleted the original using the module path, and only then continued executing the rest of the malicious code, leaving no first-stage file on disk.
While debugging "DelA.tmp," it is interesting to note that an anti-sandbox technique is used. The check depicted in Figure 10 tests whether the "Sleep" API has been tampered with by a sandbox. Some sandboxes skip or shorten Sleep calls to speed up analysis without adjusting the time they report to the guest, so when the malware reads the system time before and after a Sleep call, the difference can be far smaller than requested. In this case, if less than one second elapses across a two-second Sleep, the malware assumes it is running inside a sandbox and terminates itself.
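The Sleep-skew check above reduces to comparing requested and observed elapsed time, so the following added example (not the malware's code) reimplements it in a form that can be exercised offline. The sleep and clock functions are injectable so that two constructed sandbox behaviours can be simulated: one that skips the sleep without touching the clock (detected), and one that skips the sleep but advances the clock it exposes by the same amount (not detected, which is the limitation of this check). The 2-second / 1-second parameters are the ones the report gives; fast_forward_sleep and make_consistent_sandbox are stand-ins written for this example.

```python
import time
from typing import Callable, Optional, Tuple


def sleep_is_skipped(seconds: float = 2.0,
                     min_elapsed: Optional[float] = None,
                     sleep: Callable[[float], None] = time.sleep,
                     clock: Callable[[], float] = time.time) -> bool:
    """Return True when fewer than min_elapsed seconds pass across a sleep of
    `seconds`, i.e. the sleep was skipped or accelerated by the environment.
    The sample uses a two-second sleep and a one-second threshold, so the
    default threshold is half the requested duration."""
    if min_elapsed is None:
        min_elapsed = seconds / 2
    before = clock()
    sleep(seconds)
    elapsed = clock() - before
    return elapsed < min_elapsed


def fast_forward_sleep(seconds: float) -> None:
    """CONSTRUCTED stand-in for a sandbox that returns from Sleep immediately
    without adjusting the time it reports to the guest."""
    return None


def make_consistent_sandbox() -> Tuple[Callable[[float], None], Callable[[], float]]:
    """CONSTRUCTED stand-in for a sandbox that skips the sleep *and* advances a
    virtual clock by the requested amount. The check cannot distinguish this
    from a real wait, which is why a skew check alone is a weak sandbox test."""
    offset = [0.0]

    def clock() -> float:
        return time.time() + offset[0]

    def sleep(seconds: float) -> None:
        offset[0] += seconds

    return sleep, clock


def decide(seconds: float = 2.0, **env) -> str:
    """Mirror the sample's decision: bail out if the sleep looks skipped."""
    return "terminate" if sleep_is_skipped(seconds, **env) else "continue"


if __name__ == "__main__":
    print("real sleep:       ", decide(0.2))
    print("skipped sleep:    ", decide(0.2, sleep=fast_forward_sleep))
    s, c = make_consistent_sandbox()
    print("consistent sandbox:", decide(2.0, sleep=s, clock=c))
```

When building or tuning a sandbox, the second stand-in is the behaviour to aim for: if Sleep is shortened, every time source the guest can read (GetSystemTime, GetTickCount, the TSC) must move forward by the requested amount, or checks of this kind will cause the sample to exit before it does anything observable.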
Before continuing to the next stage of infection, "DelA.tmp" decrypted a resource and injected it into the memory of a suspended "C:\Windows\Notepad.exe" process that it had launched. Before resuming the process, it set EAX in the main thread's context to the start address of the injected code (see Figure 11). On 32-bit Windows the initial thread of a new process begins with EAX holding the image entry point, which the loader's start-up routine then calls, so overwriting EAX redirects execution to the injected code without modifying the image itself. This also disrupts debugging, because the injected code runs as soon as the thread is resumed. As a countermeasure, an analyst can use a memory-editing tool to overwrite the two bytes at the address held in EAX (0x01001130) with "EB FE" (a short JMP to itself) before the process is resumed. The resumed thread then spins in place, which gives the analyst time to attach a debugger, restore the original two bytes, and continue debugging the injected code.
To further complicate the situation, the injected code dropped a DLL named "irron.dll" and registered it as a Windows service. While debugging this DLL inside "ServiceMain," it was observed that a section named "test" was decrypted in memory. The decrypted content was run as code in a separate thread, so it never appears as code in the file on disk and defeats static analysis. Inside this newly spawned thread, all secrets were stored encrypted and anti-disassembly tricks were used to hinder reverse engineering. For example, strings are deliberately placed in between code so that a linear-sweep disassembler decodes data bytes as instructions and loses synchronization with the real code (the code-data duality problem; see Figure 12).
This Windows service was analyzed to be an information stealer that also gives the attacker remote control. Its CnC server is the domain ftp.skydnastwm.com, contacted over TCP port 15836. The figure below shows how this multi-staged infection was conducted.
Taking a deeper look at the domain, it was registered in September 2012, not long before the attack against the Taiwanese company (see figure below). The domain was registered with Shanghai Yovole Networks, Inc., based in China, which could imply that the attack originated from China. It was also observed that the registrar did not validate the registrant name: "William" should be read as a single given name rather than as separate first and last names.
The presence of the following file, system, and network artifacts (generated by the shellcode and the dropped executable payload) could indicate that a computer is compromised:
- %temp%\<filename of the malicious document> (the decoy document, saved under the original name)
- %temp%\Del%c.tmp (for example "DelA.tmp"; the character after "Del" is assigned by GetTempFileName)
- A named event "DragonOK"
- A registered service "irmon" with the description "The irmon service monitors for infrared devices such as mobile phones, and initiates the file transfer wizard."
- DNS resolution of "ftp.skydnastwm.com" and TCP connections to port 15836
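The indicators above can be checked mechanically on a host once the usual collection (temp-directory listing, service list, named kernel objects, active connections, DNS cache) has been gathered. The following is an added example, not a tool from the original report, that matches such a collection against the listed indicators. The HostSnapshot structure and the two sample snapshots are constructed for this example; the regular expression for the dropper copy assumes GetTempFileName's usual one-to-four hex-digit suffix after the "Del" prefix.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

IOC_SERVICE_NAME = "irmon"
IOC_EVENT_NAME = "DragonOK"
IOC_C2_HOST = "ftp.skydnastwm.com"
IOC_C2_PORT = 15836
# %temp%\Del%c.tmp: GetTempFileName appends a hex value to the "Del" prefix,
# so "DelA.tmp", "Del1.tmp", "Del1F.tmp" ... (suffix length is an assumption).
TEMP_DROPPER_RE = re.compile(r"^Del[0-9A-F]{1,4}\.tmp$", re.IGNORECASE)


@dataclass
class HostSnapshot:
    """CONSTRUCTED view of one host, as a collection script might return it."""
    temp_files: List[str]
    services: Dict[str, Tuple[str, str]]   # name -> (image path, description)
    named_events: List[str]
    connections: List[Tuple[str, int]]     # (remote host or IP, remote port)
    dns_queries: List[str]


def triage(snap: HostSnapshot) -> List[str]:
    """Return one line per indicator matched; an empty list means no match."""
    hits: List[str] = []
    for name in snap.temp_files:
        if TEMP_DROPPER_RE.match(name):
            hits.append(f"temp dropper copy: {name}")
    for name, (image, desc) in snap.services.items():
        if name.lower() == IOC_SERVICE_NAME:
            # Windows ships a genuine Irmon (infrared monitor) service, so the
            # name alone is weak; report the image path and description so the
            # analyst can see whether the entry points at the dropped DLL.
            hits.append(f"service {name} registered, image={image}, desc={desc!r}")
    for ev in snap.named_events:
        if ev == IOC_EVENT_NAME:
            hits.append(f"named event {ev}")
    for host, port in snap.connections:
        if host.lower() == IOC_C2_HOST or port == IOC_C2_PORT:
            hits.append(f"connection to {host}:{port}")
    for q in snap.dns_queries:
        if q.lower().rstrip(".") == IOC_C2_HOST:
            hits.append(f"dns lookup of {q}")
    return hits


def sample_infected() -> HostSnapshot:
    """CONSTRUCTED data that matches every indicator; not real telemetry."""
    return HostSnapshot(
        temp_files=["DelA.tmp", "report.doc", "~DF1234.tmp"],
        services={"irmon": (r"C:\Windows\System32\svchost.exe -k netsvcs",
                            "The irmon service monitors for infrared devices such as "
                            "mobile phones, and initiates the file transfer wizard.")},
        named_events=["DragonOK", "Global\\SomeOtherEvent"],
        connections=[("203.0.113.7", 15836), ("198.51.100.2", 443)],
        dns_queries=["ftp.skydnastwm.com."],
    )


def sample_clean() -> HostSnapshot:
    """CONSTRUCTED data for a host with none of the indicators."""
    return HostSnapshot(
        temp_files=["~DF9999.tmp"],
        services={"Spooler": (r"C:\Windows\System32\spoolsv.exe", "Print Spooler")},
        named_events=["Global\\SomeOtherEvent"],
        connections=[("198.51.100.2", 443)],
        dns_queries=["www.example.com"],
    )


if __name__ == "__main__":
    for line in triage(sample_infected()):
        print("HIT:", line)
    print("clean host hits:", triage(sample_clean()))
```

The port-only match on connections is deliberately loose (any host on 15836) because the domain may resolve to a different address by the time a host is examined; a port-only hit should be treated as a lead to confirm against the DNS cache or proxy logs rather than as a verdict on its own.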
Targeted attacks continue to be real threats, where one incident is considered too many. In this example the attack was deliberately planned: the attackers went after their target by phishing a company affiliated with it, which can be more effective than spear-phishing a well-defended target directly. Hence, it is recommended that organizations ensure that all their closely affiliated companies are at least equally well protected.
Additionally, a number of tell-tale signs indicate that this malware could have originated from China. Firstly, the Word document was created in a simplified Chinese environment despite the use of traditional Chinese in the email body. Secondly, the domain was registered with a company located in Shanghai. Thirdly, the malware used the event name "DragonOK," the dragon being an auspicious creature in Chinese mythology and folklore.
Lastly, we observed that APT malware is becoming increasingly complex in its use of anti-analysis techniques. It is therefore important to defend the organization against both traditional and modern threats through policy, awareness programs, and technology.
[1] Command Five Pty Ltd. (September 2011). SK Hack by an Advanced Persistent Threat. Retrieved from http://www.commandfive.com/papers/C5_APT_SKHack.pdf
[2] Radio Taiwan International. (28 November 2012). Retrieved from http://news.rti.org.tw