The Sunshop Campaign Continues

We recently detected what we believe is a continuation of the Sunshop campaign that we first revealed on May 20, 2013.

This follow-on to the Sunshop campaign started on July 17, 2013. In this latest wave the attackers inserted malicious redirects into a number of websites – at least two of which were also compromised in the May 2013 edition of this campaign. The most prominent sites compromised in this round of the campaign were maintained by a Human Rights organization and an organization involved in science and technology policy development.

The compromised websites redirected victims to www[.]vwalls[.]com/maxi/enough/wildpost/files/2977.html. This page was last modified on July 17, 2013 at 09:51:01 GMT and contained the following code:

<applet archive="MnDK6AQJbV9qSo15.jar" code="Xxploit.class" width="1" height="1">

Payloads

A .jar file with the same filename and md5 hash of 8b88de786a219340ff04bc53de196f46 was uploaded to VirusTotal.com on July 19, 2013. This malicious .jar exploited CVE-2013-2423 and dropped an interesting variant of Trojan.APT.9002.

The dropped payload had an MD5 hash of f4ba5fd0a4f32f92aef6d5c4d971bf14 and was compiled on June 25, 2013. This Trojan.APT.9002 variant called back to appupdate[.]myvnc[.]com. This domain resolved to 58.64.205.53, one of the same command and control IP addresses used in the Sunshop campaign.

A related .jar file with the filename fiUJ3OTjBWZEUH8H.jar (md5: 04ad4f479997ca7bf8de216a67e23972) was also found. This jar file was first uploaded to VirusTotal.com on July 17, 2013. This malicious jar also exploited CVE-2013-2423 and dropped a modified 9002 RAT payload with the md5 53c5570178403b6fbb423961c3831eb2. This variant called back to intelupdate[.]hopto[.]org which resolved to 58.64.205.52. It is possible that fiUJ3OTjBWZEUH8H.jar was used first then swapped out for MnDK6AQJbV9qSo15.jar for this instantiation of the Sunshop campaign.

Evasion

The typical 9002 variant sends the ASCII characters ‘9002’ as the first 4 bytes of its communications back to the command and control server. In contrast, this modified variant sent the ASCII characters ‘0113’ as the first 4 bytes back to its command and control server.

| Variant | Hex-encoded beacon between victim and C2 |
|---------|------------------------------------------|
| 9002 | 39 30 30 32 0c 00 00 00 08 00 00 00 19 ff ff ff ff 00 00 00 00 11 00 00 |
| 0113 | 30 31 31 33 0c 00 00 00 08 00 00 00 19 ff ff ff ff 00 00 00 00 11 00 00 |

This change, while seemingly minor, would evade signatures that looked for the entire 24-byte string of the beacon packet. Bytes 5 through 24 are constant across both variants and are therefore better candidates for signatures. FireEye detects both variants as Trojan.APT.9002.
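The difference between the two signature styles can be shown in a few lines. This is an added example, not FireEye's detection logic or code from the original post; the function names are hypothetical, the beacon bytes are copied from the table above, and it assumes the beacon sits at the start of the payload being inspected.

```python
"""Added example: brittle vs. robust matching of the 24-byte beacon."""

# Beacon bytes as listed in the table above.
BEACON_9002 = bytes.fromhex(
    "39 30 30 32 0c 00 00 00 08 00 00 00 19 ff ff ff ff 00 00 00 00 11 00 00")
BEACON_0113 = bytes.fromhex(
    "30 31 31 33 0c 00 00 00 08 00 00 00 19 ff ff ff ff 00 00 00 00 11 00 00")

BEACON_LEN = 24
TAG_LEN = 4
# Bytes 5 through 24: identical in both variants.
CONSTANT_TAIL = BEACON_9002[TAG_LEN:BEACON_LEN]
assert CONSTANT_TAIL == BEACON_0113[TAG_LEN:BEACON_LEN]


def brittle_match(payload: bytes) -> bool:
    """Signature on the entire 24-byte string of the original variant."""
    return payload.startswith(BEACON_9002)


def robust_match(payload: bytes):
    """Match on bytes 5-24 only; return the 4-byte tag, or None if no match."""
    if len(payload) < BEACON_LEN:
        return None  # truncated or unrelated short payload
    if payload[TAG_LEN:BEACON_LEN] != CONSTANT_TAIL:
        return None
    # Report the tag so a changed marker is logged rather than missed.
    return payload[:TAG_LEN].decode("ascii", errors="replace")


def classify(payloads):
    """Return (brittle, robust) results for each payload."""
    return [(brittle_match(p), robust_match(p)) for p in payloads]


if __name__ == "__main__":
    samples = [
        BEACON_9002,
        BEACON_0113,
        b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",  # constructed benign traffic
        BEACON_0113[:10],  # constructed truncated payload
    ]
    for payload, (brittle, robust) in zip(samples, classify(samples)):
        print(payload[:4], "brittle:", brittle, "robust tag:", robust)
```

Returning the 4-byte tag instead of a boolean lets an analyst see when the marker changes again while the rest of the beacon stays the same.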

Conclusion

We are almost certain that the same actors responsible for the original Sunshop campaign executed these most recent attacks. We observed the following commonalities between the two attack cycles:

- At least two of the same strategic websites were compromised

- A variant of the same Trojan.APT.9002 malware was dropped

- The same C2 IP, 58.64.205.53, was used in both attacks

While it is unclear what prompted the modification of the Trojan.APT.9002 backdoor, it is possible that the adversary felt this modification would increase the attack's chances of success.

It is also unclear how easy it is for the adversary to implement this change in the network protocol. This change could in theory be enabled through an easy-to-use GUI builder, or it could be as complex as making changes to the source code. The level of complexity of this change and the availability of either a builder or the source code will dictate how often we would expect to see similar changes in this tool.

This example of evasion at the network level also demonstrates the importance of crafting robust signatures that will survive the changes in techniques, tactics and procedures made by the adversary.