GongDa vs. Korean News

On Jan. 27, we observed visitors to a Korean news site being redirected to the GongDa Exploit Kit (EK), potentially exposing them to malware infection. We will be referring to this site as KNS.

GongDa is an exploit kit that can compromise vulnerable endpoints by use of exploits, allowing harmful malware to be installed on the system. While GongDa is an older exploit kit that continues to use Java exploits, it has also been found delivering both Flash and VBScript exploits as well. Despite its shortcomings when compared to newer EK’s such as Angler or Neutrino, GongDa proves that old tricks (or vulnerabilities) can still work effectively.

ATTACK CHAIN

The attack chain is no different than previous GongDa attacks we’ve seen in the past. A compromised page on the site loads a .js file that redirects to the EK’s landing page.

Figure 1: GongDa EK attack chain

Where the initial page is at the first highlighted request shown in Figure 1. The second request is the .js file jquery-1.3.2.min.js. It has script code injected at the bottom that loads an iframe to sekielec[.]co[.]kr/m/et/ad.html, the EK’s landing page as shown in Figure 2.

Figure 2: Injected script in the .js leading to GongDa

We observed a number of KNS owned pages loading the malicious .js redirecting to the GongDa landing page “/ad.html”.

From here, “ad.html” loaded:

sekielec.co.kr/m/et/swfobject.js
sekielec.co.kr/m/et/PnNxKk.html

sekielec.co.kr/m/et/jquery.js

EXPLOITS

GongDa has been observed serving the following CVE exploits in recent attacks:

2011-3544, 2011-2140, 2012-0507, 2012-1723, 2012-1889,
2012-4681, 2012-5076, 2013-0422, 2013-0634 and 2014-6332.

In this particular attack, the landing page probes the target machine and selects an exploit page to deliver to the victim. The exploit page observed in this attack was sekielec.co.kr/m/et/PnNxKk.html. It attempts to trigger CVE-2014-6332, “Windows OLE Automation Array Remote Code Execution Vulnerability”. This is a vulnerability that was patched by Microsoft Security Bulletin MS14-064 in November of 2014. It is a commonly used and dangerous vulnerability that can give an attacker arbitrary command execution on a target system.

The exploit page begins by reversing a string of script code used to start the exploitation process.

Figure 3 shows the before:

Figure 3: Reversed initiation code

And Figure 4 shows the after:

Figure 4: Initiation code

A call to the Create() function leads to a function call to the trigger function Over(), which is shown in Figure 5.


Figure 5: Trigger function Over()

The Over() function is responsible for setting up conditions and corrupting an OLE Automation array object, thus triggering the vulnerability.

Once the vulnerability is triggered, the attacker code can execute commands on the system.

Three variables are assigned, as shown in Figure 6.


Figure 6: Command variables

The first variable (nburl) is a URL to the attacker malware. The second variable (nbExE) is a randomly generated name for the malware that is placed on the system. The third variable (nbnurl) is simply the first variable enclosed in quotes.

nburl: http://smsforu.co.kr/RAD/stat/at.exe

Finally, the attacker code uses these variables and executes the following commands, as shown in Figure 7.

Figure 7: Command beginning

The nbnurl and the nbExE variable are used in the execution of the commands shown in Figure 8.

Figure 8: Command ending

The malicious file is placed in the “%SystemRoot%\system\” directory using the nbExE variable described above as a filename.

PAYLOADS

During this GongDa attack we saw the payloads being served from a domain within Korea:

smsforu[.]co[.]kr

With the following filename:

/rad/stat/at.exe

In recent GongDa attacks, we’ve observed payloads such as backdoors, RATs, Trojans, and downloaders.

Some of the MD5’s observed include the following:

  • aac178f775588ca1d42c00d4d95604bd
  • 3d58f4b2008f6d87cab9166c09e513b5
  • a18d1bce5618b23f592dae9133c25229
  • 40be7c9424c6c6de0d560d358a020a5c
  • 808e27fd120ade3ecfb2b21aeda8bc58
  • ed751ce651d685100e00ed133e4e5018
ADDITIONAL INFO

Attacks involving the GongDa Exploit Kit are not new and are fairly common in the APAC region. While it’s not the most cutting edge EK in the wild, it is still effective because many systems in the region seem to remain unpatched and defenseless against antiquated vulnerabilities such as those used by GongDa.

Additionally, GongDa consistently leverages infrastructure hosted on one of China’s largest ISP’s, China Telecom, operators of AS4134. China Telecom hosts the domain 51yes[.]com, a web traffic statistics service.

One of GongDa’s telltale behaviors is the use of stat counters, presumably for tracking the EK’s traffic and infection statistics. In this case they most always come from countX[.]51yes[.]com, based out of China. Figure 9 shows the GET requests for these stat counters.


Figure 9: Stat counter request

FireEye’s Dynamic Threat Intelligence shows that count7[.]51yes[.].com has been used in multiple GongDa EK attacks in January 2016 alone.

Referering GongDa URL

bose.co.kr/shop/img/click/ad1.html

bose.co.kr/shop/img/click/as1.html

bose.co.kr/shop/img/naver/ad.html

edresearch.co.kr/PEG/click/ad.html

edresearch.co.kr/PEG/click1/ad.html

nstory.com/tmp/click/ad1.html

nstory.com/vars/ad/ad1.html

nstory.com/vars/cache/click/ad1.html

odbike.co.kr/w3c/cdn/ad1.html

odbike.co.kr/shop/skin/click/ad1.html

odbike.co.kr/shop/temp/click/ad1.html

odbike.co.kr/w3c/cdn/ad1.html

poption.kr/gnu/cdn1/ad.html

poption.kr/gnu/click/ad.html

poption.kr/gnu/extend/ad/ad.html

poption.kr/w3c/click/ad.html

sekielec.co.kr/m/et/ad.html

smsmaster.co.kr/docs/click1/ad.html

smsmaster.co.kr/docs/click3/ad.html

www.poption.kr/gnu/js/click/ad.html

Checking other countX[.]51yes[.]com hits with GongDa referrer’s, we saw hundreds of domains affected by the GongDa EK activity.

It is believed that the GongDa Exploit Kit has Chinese origins. The hypothesis is derived from capabilities, usage, and the infrastructure used to target various APAC region entities.

Interestingly, the registrant for the sekielec.co[.]kr GongDa landing page domain, “rhhan AT sekihe.co[.]kr”, also registered a number of other domains that have been observed as being GongDa landing pages as well.

CONCLUSION

With a name reminiscent of a creature straight out of Monster Island, GongDa may not be the new kid on the block; however, as demonstrated, it is still active and capable of wreaking havoc. Network defenders in the APAC region should be aware of this EK and take steps to ensure this “monster” never enters their network.

ACKNOWLEDGEMENTS

The authors and FireEye Labs would like to thank Dan Perez for his contribution to this blog.