FireEye Labs has discovered a targeted attack towards Chinese political rights activists. The targets appear to be members of social groups that are involved in the political rights movement in China. The email turned up after the attention received in Beijing during the 12th National People's Congress and the 12th National Committee of the Chinese People's Political Consultative Conference, which is the election of a new core of leadership of the Chinese government, to determine the future of China's five-year development plan [1].
The email contains a weaponized attachment that utilizes the Windows Office CVE-2012-0158 exploit to drop the benign payload components and decoy document. The Remote Access Tool (RAT) PlugX itself is known as a combination of benign files that build the malicious execution. The Microsoft file OInfoP11.exe also known as “Office Data Provider for WBEM” is a certified file found in the National Software Reference Library (NIST) and is a component from Microsoft Office 2003 suite. For integrity checking endpoint protection, this file would be deemed as a valid clean file. In Windows 7+ distributions, the svchost.exe will require user interaction by displaying a UAC prompt only if UAC is enabled. Although in Windows XP distributions, this attack does not require user interaction. The major problem is that this file is subject to DLL Sideloading. In previous cases, PlugX has been utilizing similar DLL Sideloading prone files such as a McAfee binary called mcvsmap.exe [2], Intel’s hkcmd.exe [3], and NVIDIA’s NvSmart.exe [4]. In this case, OInfoP11.exe loads a DLL file named OInfo11.ocx (payload loader posing as an ActiveX DLL) that decompresses and decrypts the malicious payload OInfo11.ISO. This technique can be used to evade endpoint security solution that relies on binary signing. Traditional anti-virus (AV) solutions will have a hard time to identify the encrypted and compressed payload. At the time of writing of this blog, there is only 1 out of 46 AV vendors can detect the OInfo11.ocx file.
The diagram in figure 1 shows the behavior and relationship of these files.
Figure 1: Attack Diagram
Infiltration
In Figure 2, the targeted email advertises a suffrage movement seminar event. Figure 3 is the contents of the Google document form link that contains the same information as in the email. In figure 4, the decoy document contains the details of the particular seminar section mentioned in the Google document link.
Figure 2: Original Email
Below is the English translation of the email in figure 2.
Figure 3: Google Form
Decoy Document
Figure 4: Decoy Document
Below is the translation to the document shown above.
Attack Analysis
The XLS file (1146fdd6b579ac7144ff575d4d4fa28d) utilizes the CVE-2012-1058 Windows Office exploit to drop the “ews.exe” payload and the decoy document shown in figure 4. This payload extracts the Microsoft file OINFOP11.exe, the benign DLL OInfo11.ocx and encoded and compressed shellcode sections from Oinfo11.ISO. OInfoP11.exe will load OInfo11.ocx as a DLL and once loaded will decompress using RTLDecompressBuffer and decrypt the Oinfo11.ISO to run in memory. The malicious execution is never dropped to the file-system and is therefore not seen by filesystem-based anti-virus detectors. Figure 5 shows the high level view of the relationship of the dropped files.
Figure 5: Payload Relationship
Summary of Dropped Files
| Name | Md5 | Locations | Type | Encoded/Encrypted | Compressed |
|---|---|---|---|---|---|
| Ews.exe Ews.exe | 721cca40df0f7eab5b5cb069ee8fda9d 721cca40df0f7eab5b5cb069ee8fda9d | %TEMP% %TEMP% | Exe Exe | ||
| OINFOP11.EXE OINFOP11.EXE | a31cad2960a660cb558b32ba7236b49e a31cad2960a660cb558b32ba7236b49e | %TEMP%\RarSFX0\%ALLUSERSPROFILE%\SXS\ %TEMP%\RarSFX0\%ALLUSERSPROFILE%\SXS\ | Exe (clean) Exe (clean) | ||
| OInfo11.ocx OInfo11.ocx | b355dedbabb145bbf8dd367adac4f8c5 b355dedbabb145bbf8dd367adac4f8c5 | %TEMP%\RarSFX0\%ALLUSERSPROFILE%\SXS\ %TEMP%\RarSFX0\%ALLUSERSPROFILE%\SXS\ | Binary File Binary File | Yes Yes | |
| OInfo11.ISO OInfo11.ISO | 128e3fc5ffba06abdd3edab2aff3753f 128e3fc5ffba06abdd3edab2aff3753f | %TEMP%\RarSFX0\%ALLUSERSPROFILE%\\SXS\ %TEMP%\RarSFX0\%ALLUSERSPROFILE%\\SXS\ | Binary File Binary File | Yes Yes | Yes Yes |
Exploit Details
This malware uses CVE-2012-0158 to drop the payload from the section shown in Figure 6.
Figure 6: Exploit Payload Section
Shellcode can be found in the first few bytes of this section. Figure 7 shows the disassembly of the code found at the 0x1de0b offset shown in figure 6.
Figure 7: Payload Shellcode
Campaign Characteristics
OInfoP11.exe is a valid Microsoft file and its certificate is shown in figure 8.
Figure 8: Signature Usage
When the OInfop11.exe is called with the following arguments as C:\Documents and Settings\All Users\SxS\OINFOP11.EXE" 200 0, it will begin the loading of the file OInfo11.ocx.
Figure 10: Loader Entrypoint
The arrow shows the exact jump point where the entrypoint to where the shellcode begins for the decompression and decryption of the ISO file.
Figure 11: Shellcode Example
This is an example of the memory space of the loaded benign DLL OInfo11.ocx. The functionality of OInfo11.ocx is essentially a loader in which this section decompresses and decrypts the malicious payload in memory.
Figure 12: Decryption of the ISO file
This is the decryption loop used through out the sample. In this instance, it is used to decrypt the ISO shellcode in memory.
Figure 13: DLL location in memory
This is an example of the complete malicious DLL address space in memory.
Entrenchment
Artifacts to watch for:
| Mutex | \BaseNamedObjects\oleacc-msaa-loaded DoInstPrepare |
|
|---|---|---|
| Registry Key Adds | Adds Adds | \REGISTRY\MACHINE\Software\CLASSES\FAST \REGISTRY\MACHINE\Software\CLASSES\FAST |
| Registry Key Registry Key | Adds Adds | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Security\User Agent\Post Platform \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Security\User Agent\Post Platform |
| Registry Key Registry Key | Sets Value Sets Value | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\"ProxyEnable" = 0x00000000 \REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\"ProxyEnable" = 0x00000000 |
| Folders and Files Folders and Files | Hides Hides | %ALLUSERS PROFILE%\SXS\ %ALLUSERS PROFILE%\SXS\OInfo11.ocx %ALLUSERS PROFILE%\SXS\OInfo11.ISO %ALLUSERS PROFILE%\SXS\OINFOP11.EXE |
Injection
The DLL injects code into svchost using the VirtualAllocEx call then uses WriteProcessMemory to write into the memory space of svchost.exe. The thread is then resumed to run the injected code. This injection process is used for both svchost.exe and msiexec.exe. When svchost.exe spawns msiexec.exe it calls the CreateEnvironmentBlock and the CreateProcessesUser so that the svchost service can launch a user session.
Keylogging Activity
Creates a kellogging file in %ALLUSERS PROFILE%\SXS\ as NvSmart.hlp. Below is an example of the content of this file.
Proxy Establishment
This sample can communicate using ICMP, UDP, HTTP and TCP. In this situation the sample is using the string Protocol:[ TCP], Host: [202.69.69.41:90], Proxy: [0::0::] to establish the proxy for the C&C communication.
Figure 14: Communication Options
Modes of Operation Overview The table below outlines some of the functionality that this variant uses. The options have not changed so therefore this table is used as a refresher. Figure 15 shows an example of how these functions are called by the sample.
| Mode | Description |
|---|---|
| Disk Disk | Access disk drives to modify the files Access disk drives to modify the files |
| Nethood Nethood | List shares List shares |
| Netstat Netstat | List TCP/UDP connections List TCP/UDP connections |
| Option Option | Send system commands to the workstation such as screen lock Send system commands to the workstation such as screen lock |
| PortMap PortMap | Port mapping Port mapping |
| Process Process | Modify the state of processes Modify the state of processes |
| RegEdit RegEdit | Modify registry keys Modify registry keys |
| Service Service | Modify services Modify services |
| Shell Shell | Communicate through the established name pipe to the C&C server Communicate through the established name pipe to the C&C server |
| SQL SQL | SQL database queries SQL database queries |
| Telnet Telnet | Startup telnet server on the victim Startup telnet server on the victim |
Figure 15: Functionality Example
C&C Details and Communication
In figure 16, the sample is communicating to 202.69.69.41 over port 90. The C&C node is down in this case, but the communication is dynamic non-http communication. An example of the callback content is shown in figure 17. This sample will also try to communicate with other instances laterally in the same network. An example of this traffic and content can be seen in figure 18 and figure 19.
Figure 16: PCAP of C&C communication
Figure 17: Callback Traffic
Figure 18: UDP Beacon
Figure 19: UDP packet content
Whois Information on the IP 202.69.69.41
inetnum: 202.69.68.0 - 202.69.71.255
netname: NEWTT-AS-AP
descr: Wharf T&T
Limited descr: 11/F, Telecom Tower,
descr: Wharf T&T Square, 123 Hoi Bun Road
descr: Kwun Tong, Kowloon country: HK
admin-c: EN62-AP
tech-c: BW128-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-HK-NEWTT
mnt-routes: MAINT-HK-NEWTT
mnt-irt: IRT-NEWTT-HK
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@apnic.net 20120725
source: APNIC
person: Eric Ng
nic-hdl: EN62-AP
remarks: please report spam or abuse to abuse@wharftt.com
e-mail: abuse@wharftt.com
e-mail: ericng@wharftt.com
address: 11/F Telecom Tower, Wharf T&T Square
address: 123 Hoi Bun Road, Kwun Tong,'
phone: +852-2112-2653 fax-no: +852-2112-7883
country: HK changed: ericng@wharftt.com 20070716
mnt-by: MAINT-NEW source: APNIC
person: Benson Wong
nic-hdl: BW128-AP
e-mail: abuse@wharftt.com
address: 5/F, Harbour City, Kowloon,
address: Hong Kong
phone: +852-21122651
fax-no: +852-21127883
country: HK
changed: bensonwong@wharftt.com 20070420
mnt-by: MAINT-HK-NEWTT
source: APNIC
I want to thank the FireEye Labs Team.
[1] http://rmqlxk.blogspot.com/2013/03/blog-post_15.html
[2] http://www.circl.lu/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf
[3] http://lastline.com/an-analysis-of-plugx.php
[4] http://blog.trendmicro.com/trendlabs-security-intelligence/unplugging-plugx-capabilities/
