FireEye Labs has discovered a targeted attack towards Chinese political rights activists. The targets appear to be members of social groups that are involved in the political rights movement in China. The email turned up after the attention received in Beijing during the 12th National People's Congress and the 12th National Committee of the Chinese People's Political Consultative Conference, which is the election of a new core of leadership of the Chinese government, to determine the future of China's five-year development plan [1].

The email contains a weaponized attachment that utilizes the Windows Office CVE-2012-0158 exploit to drop the benign payload components and decoy document. The Remote Access Tool (RAT) PlugX itself is known as a combination of benign files that build the malicious execution. The Microsoft file OInfoP11.exe also known as “Office Data Provider for WBEM” is a certified file found in the National Software Reference Library (NIST) and is a component from Microsoft Office 2003 suite. For integrity checking endpoint protection, this file would be deemed as a valid clean file. In Windows 7+ distributions, the svchost.exe will require user interaction by displaying a UAC prompt only if UAC is enabled. Although in Windows XP distributions, this attack does not require user interaction. The major problem is that this file is subject to DLL Sideloading. In previous cases, PlugX has been utilizing similar DLL Sideloading prone files such as a McAfee binary called mcvsmap.exe [2], Intel’s hkcmd.exe [3], and NVIDIA’s NvSmart.exe [4]. In this case, OInfoP11.exe loads a DLL file named OInfo11.ocx (payload loader posing as an ActiveX DLL) that decompresses and decrypts the malicious payload OInfo11.ISO. This technique can be used to evade endpoint security solution that relies on binary signing. Traditional anti-virus (AV) solutions will have a hard time to identify the encrypted and compressed payload. At the time of writing of this blog, there is only 1 out of 46 AV vendors can detect the OInfo11.ocx file.

The diagram in figure 1 shows the behavior and relationship of these files.

Figure 1: Attack Diagram

Infiltration

In Figure 2, the targeted email advertises a suffrage movement seminar event. Figure 3 is the contents of the Google document form link that contains the same information as in the email. In figure 4, the decoy document contains the details of the particular seminar section mentioned in the Google document link.

Figure 2: Original Email

Below is the English translation of the email in figure 2.

Figure 3: Google Form

Decoy Document

Figure 4: Decoy Document

Below is the translation to the document shown above.

Attack Analysis

The XLS file (1146fdd6b579ac7144ff575d4d4fa28d) utilizes the CVE-2012-1058 Windows Office exploit to drop the “ews.exe” payload and the decoy document shown in figure 4. This payload extracts the Microsoft file OINFOP11.exe, the benign DLL OInfo11.ocx and encoded and compressed shellcode sections from Oinfo11.ISO. OInfoP11.exe will load OInfo11.ocx as a DLL and once loaded will decompress using RTLDecompressBuffer and decrypt the Oinfo11.ISO to run in memory. The malicious execution is never dropped to the file-system and is therefore not seen by filesystem-based anti-virus detectors. Figure 5 shows the high level view of the relationship of the dropped files.

Figure 5: Payload Relationship

Summary of Dropped Files

Exploit Details

This malware uses CVE-2012-0158 to drop the payload from the section shown in Figure 6.

Figure 6: Exploit Payload Section

Shellcode can be found in the first few bytes of this section. Figure 7 shows the disassembly of the code found at the 0x1de0b offset shown in figure 6.

Figure 7: Payload Shellcode

Campaign Characteristics

OInfoP11.exe is a valid Microsoft file and its certificate is shown in figure 8.

Figure 8: Signature Usage

When the OInfop11.exe is called with the following arguments as C:\Documents and Settings\All Users\SxS\OINFOP11.EXE" 200 0, it will begin the loading of the file OInfo11.ocx.

Figure 10: Loader Entrypoint

The arrow shows the exact jump point where the entrypoint to where the shellcode begins for the decompression and decryption of the ISO file.

Figure 11: Shellcode Example

This is an example of the memory space of the loaded benign DLL OInfo11.ocx. The functionality of OInfo11.ocx is essentially a loader in which this section decompresses and decrypts the malicious payload in memory.

Figure 12: Decryption of the ISO file

This is the decryption loop used through out the sample. In this instance, it is used to decrypt the ISO shellcode in memory.

Figure 13: DLL location in memory

This is an example of the complete malicious DLL address space in memory.

Entrenchment

Artifacts to watch for:

Injection

The DLL injects code into svchost using the VirtualAllocEx call then uses WriteProcessMemory to write into the memory space of svchost.exe. The thread is then resumed to run the injected code. This injection process is used for both svchost.exe and msiexec.exe. When svchost.exe spawns msiexec.exe it calls the CreateEnvironmentBlock and the CreateProcessesUser so that the svchost service can launch a user session.

Keylogging Activity

Creates a kellogging file in %ALLUSERS PROFILE%\SXS\ as NvSmart.hlp. Below is an example of the content of this file.

Proxy Establishment

This sample can communicate using ICMP, UDP, HTTP and TCP. In this situation the sample is using the string Protocol:[ TCP], Host: [202.69.69.41:90], Proxy: [0::0::] to establish the proxy for the C&C communication.

Figure 14: Communication Options

Modes of Operation Overview The table below outlines some of the functionality that this variant uses. The options have not changed so therefore this table is used as a refresher. Figure 15 shows an example of how these functions are called by the sample.

Figure 15: Functionality Example

C&C Details and Communication

In figure 16, the sample is communicating to 202.69.69.41 over port 90. The C&C node is down in this case, but the communication is dynamic non-http communication. An example of the callback content is shown in figure 17. This sample will also try to communicate with other instances laterally in the same network. An example of this traffic and content can be seen in figure 18 and figure 19.

Figure 16: PCAP of C&C communication

Figure 17: Callback Traffic 

Figure 18: UDP Beacon

Figure 19: UDP packet content

Whois Information on the IP 202.69.69.41

inetnum: 202.69.68.0 - 202.69.71.255

netname: NEWTT-AS-AP

descr: Wharf T&T

Limited descr: 11/F, Telecom Tower,

descr: Wharf T&T Square, 123 Hoi Bun Road

descr: Kwun Tong, Kowloon country: HK

admin-c: EN62-AP

tech-c: BW128-AP

mnt-by: APNIC-HM

mnt-lower: MAINT-HK-NEWTT

mnt-routes: MAINT-HK-NEWTT

mnt-irt: IRT-NEWTT-HK

status: ALLOCATED PORTABLE

remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+

remarks: This object can only be updated by APNIC hostmasters.

remarks: To update this object, please contact APNIC

remarks: hostmasters and include your organisation's account

remarks: name in the subject line.

remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+

changed: hm-changed@apnic.net 20120725

source: APNIC

person: Eric Ng

nic-hdl: EN62-AP

remarks: please report spam or abuse to abuse@wharftt.com

e-mail: abuse@wharftt.com

e-mail: ericng@wharftt.com

address: 11/F Telecom Tower, Wharf T&T Square

address: 123 Hoi Bun Road, Kwun Tong,'

phone: +852-2112-2653 fax-no: +852-2112-7883

country: HK changed: ericng@wharftt.com 20070716

mnt-by: MAINT-NEW source: APNIC

person: Benson Wong

nic-hdl: BW128-AP

e-mail: abuse@wharftt.com

address: 5/F, Harbour City, Kowloon,

address: Hong Kong

phone: +852-21122651

fax-no: +852-21127883

country: HK

changed: bensonwong@wharftt.com 20070420

mnt-by: MAINT-HK-NEWTT

source: APNIC

I want to thank the FireEye Labs Team.

[1] http://rmqlxk.blogspot.com/2013/03/blog-post_15.html

[2] http://www.circl.lu/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf

[3] http://lastline.com/an-analysis-of-plugx.php

[4] http://blog.trendmicro.com/trendlabs-security-intelligence/unplugging-plugx-capabilities/