On July 14, FireEye researchers discovered attacks exploiting the Adobe Flash vulnerability CVE-2015-5122, just four days after Adobe released a patch. CVE-2015-5122 was the second Adobe Flash zero-day revealed in the leak of HackingTeam’s internal data. The campaign targeted Japanese organizations by using at least two legitimate Japanese websites to host a strategic web compromise (SWC), where victims ultimately downloaded a variant of the SOGU malware.
Strategic Web Compromise
At least two different Japanese websites were compromised to host the exploit framework and malicious downloads:
- Japan’s International Hospitality and Conference Service Association (IHCSA) website (hxxp://www.ihcsa[.]or[.]jp) in Figure 1
Figure 1: IHCSA website
- Japan’s Cosmetech Inc. website (hxxp://cosmetech[.]co[.]jp)
The main landing page for the attacks is a specific URL seeded on the IHCSA website (hxxp://www.ihcsa[.]or[.]jp/zaigaikoukan/zaigaikoukansencho-1/), where users are redirected to the HackingTeam Adobe Flash framework hosted on the second compromised Japanese website. We observed in the past week this same basic framework across several different SWCs exploiting the “older” CVE-2015-5119 Adobe Flash vulnerability in Figure 2.
Figure 2: First portion of exploit chain
The webpage (hxxp://cosmetech[.]co[.]jp/css/movie.html) is built with the open source framework Adobe Flex and checks if the user has at least Adobe Flash Player version 11.4.0 installed. If the victim has the correct version of Flash, the user is directed to run a different, more in-depth profiling script (hxxp://cosmetech.co.jp/css/swfobject.js), which checks for several more conditions in addition to their version of Flash. If the conditions are not met then the script will not attempt to load the Adobe Flash (SWF) file into the user’s browser. In at least two of the incidents we observed, the victims were running Internet Explorer 11 on Windows 7 machines.
The final component is delivering a malicious SWF file, which we confirmed exploits CVE-2015-5122 on Adobe Version 220.127.116.11 for Windows in Figure 3.
Figure 3: Malicious SWF download
SOGU Malware, Possible New Variant
After successful exploitation, the SWF file dropped a SOGU variant—a backdoor widely used by Chinese threat groups and also known as “Kaba”—in a temporary directory under “AppData\Local\”. The directory contains the properties and configuration in Figure 4.
Size: 413696 bytes
Compile Time: 2015-07-13 08:11:01
Import Hash: ae984e4ab41d192d631d4f923d9210e4
C2 Password: gogogod<
Process Inject Targets: %windir%\system32\svchost.exe
Sogu Config Encoder: sogu_20140307
Mutex Name: ZucFCoeHa8KvZcj1FO838HN&*wz4xSdmm1
Figure 4: SOGU Binary ‘Rdws.exe’
The compile timestamp indicates the malware was assembled on July 13, less than a day before we observed the SWC. We believe the time stamp in this case is likely genuine, based on the time line of the incident. The SOGU binary also appears to masquerade as a legitimate Trend Micro file named “VizorHtmlDialog.exe” in Figure 5.
LegalCopyright: Copyright (C) 2009-2010 Trend Micro Incorporated. All rights reserved.
CompanyName: Trend Micro Inc.
PrivateBuild: Build 1303 - 8/8/2010
LegalTrademarks: Trend Micro Titanium is a registered trademark of Trend Micro Incorporated.
ProductName: Trend Micro Titanium
FileDescription: Trend Titanium
Figure 5: Rdws.exe version information
The threat group likely used Trend Micro, a security software company headquartered in Japan, as the basis for the fake file version information deliberately, given the focus of this campaign on Japanese organizations.
SOGU Command and Control
The SOGU variant calls out to a previously unobserved command and control (CnC) domain, “amxil[.]opmuert[.]org” over port 443 in Figure 6. It uses modified DNS TXT record beaconing with an encoding we have not previously observed with SOGU malware, along with a non-standard header, indicating that this is possibly a new variant.
Figure 6: SOGU C2 beaconing
The WHOIS registrant email address for the domain did not indicate any prior malicious activity, and the current IP resolution (18.104.22.168) is for an Amazon Web Services IP address.
Another Quick Turnaround on Leveraging HackingTeam Zero-Days
Similar to the short turnaround time highlighted in our blog on the recent APT3/APT18 phishing attacks, the threat actor quickly employed the leaked zero-day vulnerability into a SWC campaign. The threat group appears to have used procured and compromised infrastructure to target Japanese organizations. In two days we have observed at least two victims related to this attack.
We cannot confirm how the organizations were targeted, though similar incidents involving SWC and exploitation of the Flash vulnerability CVE-2015-5119 lured victims with phishing emails. Additionally, the limited popularity of the niche site also contributes to our suspicion that phishing emails may have been the lure, and not incidental web browsing.
Malware Overlap with Other Chinese Threat Groups
We believe that this is a concerted campaign against Japanese companies given the nature of the SWC. The use of SOGU malware and dissemination method is consistent with the tactics of Chinese APT groups that we track. Chinese APT groups have previously targeted the affected Japanese organizations, but we have yet to confirm which group is responsible for this campaign.
In this case, we do not have enough information to discern specifically what the threat actors may have been pursuing. The Japanese economy’s technological innovation and strengths in high-tech and precision goods have attracted the interest of multiple Chinese APT groups, who almost certainly view Japanese companies as a rich source of intellectual property and competitive intelligence. The Japanese government and military organizations are also frequent targets of cyber espionage. Japan’s economic influence, alliance with the United States, regional disputes, and evolving defense policies make the Japanese government a dedicated target of foreign intelligence.
FireEye maintains endpoint and network detection for CVE-2015-5122 and the backdoor used in this campaign. FireEye products and services identify this activity as SOGU/Kaba within the user interface. Additionally, we highly recommend:
- Applying Adobe’s newest patch for Flash immediately;
- Querying for additional activity by the indicators from the compromised Japanese websites and the SOGU malware callbacks;
- Blocking CnC addresses via outbound communications; and
- Scope the environment to prepare for incident response.
 Humber, Yuriy and Gearoid Reidy. “Yahoo Hacks Highlight Cyber Flaws Japan Rushing to Twart.” BloombergBusiness. 8 July 2014. http://www.bloomberg.com/news/articles/2014-07-08/yahoo-hacks-highlight-cyber-flaws-japan-rushing-to-thwart
Japanese Ministry of Defense. “Trends Concerning Cyber Space.” Defense of Japan 2014. http://www.mod.go.jp/e/publ/w_paper/pdf/2014/DOJ2014_1-2-5_web_1031.pdf
LAC Corporation. “Cyber Grid View, Vol. 1.” http://www.lac.co.jp/security/report/pdf/apt_report_vol1_en.pdf
Otake, Tomoko. “Japan Pension Service hack used classic attack method.” Japan Times. 2 June 2015. http://www.japantimes.co.jp/news/2015/06/02/national/social-issues/japan-pension-service-hack-used-classic-attack-method/