Yesterday Adobe issued a security update to address CVE-2012-1535, which was being exploited in the wild.
The sample that we analyzed is a Microsoft Office Word document with an embedded malicious Flash file.
The malicious document is named iPhone 5 Battery.doc (MD5: 7e3770351aed43fd6c5cab8e06dc0300).
The doc file contains an uncompressed Flash file at offset 13832; that Flash file carries the heap-spraying code.
The shellcode that runs after exploitation is a XOR loader: it locates the payload embedded in the DOC file, which is encrypted with a 256-byte repeating XOR key, decrypts it and executes it.
We can easily extract the payload using our findexec.py script:
$ python findexec.py "iPhone 5 Battery.doc" OFFICE
Analyzing Office file
One Byte distributionAverage 1166
Detected possible cyphered data on position 67584 of length 135168
Best Val num ocurrences 256
Guessed key length 256
Calculating calculateOccurencesBySize
Done
GetVolumeInformationA?GetWindowsDirectoryA?GetSystemDirectoryA.CloseHandleiGetLastErrorHLoadLibraryA?Process32Next?Process32FirstlCreateToolhelp32Snapshot?ExitProcess?GetVersi
Key found c4c5c6c7d8d9dadbdcdddedfd0d1d2d3d4d5d6d728292a2b2c2d2e2f202122232425262738393a3b3c3d3e3f303132333435363708090a0b0c0d0e0f000102030405060718191a1b1c1d1e1f101112131415161768696a6b6c6d6e6f606162636465666778797a7b7c7d7e7f707172737475767748494a4b4c4d4e4f404142434445464758595a5b5c5d5e5f5051525354555657a8a9aaabacadaeafa0a1a2a3a4a5a6a7b8b9babbbcbdbebfb0b1b2b3b4b5b6b788898a8b8c8d8e8f808182838485868798999a9b9c9d9e9f9091929394959697e8e9eaebecedeeefe0e1e2e3e4e5e6e7f8f9fafbfcfdfefff0f1f2f3f4f5f6f7c8c9cacbcccdcecfc0c1c2c3
Found
Found executable at offset 3264
File saved on 1345068027.exe
Found executable at offset 27936
File saved on 1345068028.exe
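The findexec.py output above shows the three steps the tool takes on the ciphered region: guess the key period, recover the 256 key bytes, then carve any executables out of the decrypted data. The script below is an added illustration written for this post, not the findexec.py code itself: it implements the same idea in the general form (any repeating-key XOR whose plaintext is a PE image, since PE images are full of 0x00 bytes) on a constructed sample. The key KEY, the fake PE image and the junk prefix are all constructed here and are not the bytes from the malicious document.

```python
"""Recover a repeating XOR key from a ciphered PE payload and carve the result.

Added illustration; not the findexec.py script from the post. The ciphertext
is constructed below, and KEY is an arbitrary 256-byte permutation chosen here.
"""
import random
from collections import Counter

# Constructed key: an affine permutation of 0..255 (167 is odd, so every byte
# value appears exactly once), similar in shape to the key recovered above.
KEY = bytes(((i * 167) + 0x4D) & 0xFF for i in range(256))
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def guess_key_length(data: bytes, max_len: int = 512, window: int = 4096) -> int:
    """Guess the key period by counting coincidences data[i] == data[i+L].

    At the true period (and its multiples) both bytes were XORed with the same
    key byte, so they coincide as often as the plaintext bytes do, which for a
    PE image full of 0x00 padding is far above the ~1/256 seen at other shifts.
    The smallest L that scores close to the best is returned so that a multiple
    of the real period is not reported instead.
    """
    sample = data[:window]
    scores = {}
    for L in range(1, max_len + 1):
        pairs = len(sample) - L
        if pairs < 256:
            break
        hits = sum(a == b for a, b in zip(sample, sample[L:]))
        scores[L] = hits / pairs
    best = max(scores.values())
    return min(L for L, s in scores.items() if s >= 0.8 * best)


def recover_key(data: bytes, key_len: int) -> bytes:
    """Most-frequent-byte attack, one key position at a time.

    Every ciphertext byte at positions j, j+L, j+2L, ... was XORed with key[j].
    In a PE image the most common plaintext byte in such a column is 0x00
    (section padding, zeroed tables, string terminators), so the most common
    ciphertext byte in the column is key[j] ^ 0x00 == key[j].
    """
    return bytes(Counter(data[j::key_len]).most_common(1)[0][0] for j in range(key_len))


def find_executables(blob: bytes, window: int = 0x100) -> list:
    """Offsets of candidate PE images: an 'MZ' signature followed within
    `window` bytes by the standard DOS-stub message. A cheap carving
    heuristic, not a full PE header parse."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        if blob.find(DOS_STUB, pos, pos + window) != -1:
            hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def analyze(cipher: bytes):
    """Full pipeline: period -> key -> decrypt -> carve. Returns (L, key, offsets)."""
    key_len = guess_key_length(cipher)
    key = recover_key(cipher, key_len)
    return key_len, key, find_executables(xor_with_key(cipher, key))


def build_sample():
    """Constructed input: 300 junk bytes, then a fake PE image, XORed with KEY.
    Returns (plaintext, ciphertext, offset of the fake PE in the region)."""
    rng = random.Random(7)
    prefix = bytes(rng.getrandbits(8) for _ in range(300))
    pe = bytearray(b"MZ" + bytes(62) + DOS_STUB + b"\r\r\n$\x00")
    pe += b"GetVolumeInformationA\x00GetWindowsDirectoryA\x00LoadLibraryA\x00"
    # Body: roughly half zero padding, half random "code" bytes.
    pe += bytes(0 if rng.random() < 0.5 else rng.getrandbits(8) for _ in range(12000))
    plain = prefix + bytes(pe)
    return plain, xor_with_key(plain, KEY), len(prefix)


if __name__ == "__main__":
    _, cipher, offset = build_sample()
    key_len, key, found = analyze(cipher)
    print("guessed key length", key_len, "key recovered:", key == KEY)
    print("executables at", found, "expected", [offset])
```

The zero-byte heuristic is what makes this cheap: no known plaintext beyond "PE images contain lots of 0x00" is needed, and the same two functions work for any key length once the period is guessed. Keys that are a permutation of 0..255, like the one above, are especially easy because no two key positions share a byte, so the coincidence score at a wrong shift stays near zero.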
Once the document is opened and the vulnerability has been exploited, the shellcode opens a benign decoy document so that the victim sees a normal file.
Once the payload is executed, the following DLL is dropped on the system:
C:\Documents and Settings\Administrator\Application Data\taskman.dll
md5: fe7e03f7f62f2d65c5b8e233300a373c
and executed using rundll32:
rundll32.exe C:\Documents and Settings\Administrator\Application Data\taskman.dll start
This backdoor is known as c0d0so0 and also as Backdoor.Briba, and it has been seen in other targeted attacks during the past few months, among them attacks exploiting CVE-2012-0779.
The backdoor contacts the remote server publicnews.mooo.com using an HTTP POST request.
It also tries to download a file, logo.gif, from that server.
publicnews.mooo.com points to:
unassigned.psychz.net (108.171.240.86)
108.171.240.0 - 108.171.255.255, Psychz Networks PSYCHZ-NETWORKS (NET-108-171-240-0-1)
The server is not responding anymore, but based on the VirusTotal report logo.gif appears to be a zip file containing an executable, which is dropped on the system as:
C:\Documents and Settings\<USER>\Application Data\TASKMAN_16vtn.exe
That executable drops another DLL, which is loaded using rundll32:
C:\WINDOWS\system32\cmd.exe "C:\WINDOWS\system32\cmd.exe" /c rundll32.exe "C:\Documents and Settings\All Users\Application Data\XpsFilter.dll" (successful)
That process performs HTTP POST requests to the following URL:
hxxp://publicupdate[.]mooo[.]com/index000000001.asp
That resolves to:
n122z183l230.bb122100.ctm.net (122.100.183.230)
122.100.128.0 - 122.100.255.255, registered to CTM (Macau). The whois contact for the range is:
Anita Che, CTM
Rua de Lagos, Telecentro, P.O. Box 868, Taipa, Macau
+853 891-3880 / +853 891-3111
anita@macau.ctm.net
The use of dynamic DNS providers such as DynDNS.org or 3322.net is very common in this kind of threat. You should be monitoring requests to dynamic DNS providers in your network; the following Snort rules detect hosts resolving or contacting mooo.com subdomains:
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to mooo.com Domain *.mooo.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|mooo|03|com|00|"; fast_pattern; distance:0; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:1111111113; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INFO DYNAMIC_DNS HTTP Request to a *.mooo.com Domain"; flow:established,to_server; content:".mooo.com|0D 0A|"; http_header; classtype:bad-unknown; sid:1111111112; rev:3;)
The following rule is also useful to detect the presence of Backdoor.Briba:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TROJAN Backdoor.Briba Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"loginmid="; http_client_body; content:"nickid="; http_client_body; classtype:trojan-activity; sid:1111111114; rev:1;)
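To make the three rules concrete, the script below replays their matching logic on constructed traffic. It is an added illustration, not a Snort replacement and not code from the post: the first function parses the DNS question name the way the `|01 00 00 01 00 00 00 00 00 00|` and `|04|mooo|03|com|00|` content matches see it, the next two check the Host header and the POST body the way the HTTP rules do. The DNS packet and both HTTP requests are constructed here; the form field values after loginmid= and nickid= are invented, only the field names come from the rule.

```python
"""Replay the detection logic of the Snort rules above on constructed traffic.

Added illustration, not Snort and not code from the post. Packets and
requests below are constructed; only the C2 hostname and the POST field
names come from the post.
"""
import struct

DNS_QUERY_HDR = b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # RD set, QDCOUNT=1, no RRs


def parse_dns_question(payload: bytes):
    """Return the queried name (lower-case, no trailing dot) if `payload` is a
    standard query with exactly one question, else None.
    The header test mirrors the rule's 10-byte content at offset 2."""
    if len(payload) < 12 or payload[2:12] != DNS_QUERY_HDR:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a question name
            return None
        pos += 1
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels).lower()


def dns_query_to_mooo(payload: bytes) -> bool:
    """Rule sid:1111111113: a query for mooo.com or any name under it. The
    trailing |00| in the rule is the root label, so the name must end there."""
    name = parse_dns_question(payload)
    return name is not None and (name == "mooo.com" or name.endswith(".mooo.com"))


def parse_http_request(raw: bytes):
    """Split a request into (method, path, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _ = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode()] = value.strip()
    return method, path, headers, body


def http_to_mooo(raw: bytes) -> bool:
    """Rule sid:1111111112: the Host header ends in .mooo.com
    (the rule matches `.mooo.com|0D 0A|` inside the request headers)."""
    _, _, headers, _ = parse_http_request(raw)
    return headers.get("host", b"").lower().endswith(b".mooo.com")


def briba_checkin(raw: bytes) -> bool:
    """Rule sid:1111111114: a POST whose body carries both loginmid= and nickid=."""
    method, _, _, body = parse_http_request(raw)
    return method.upper() == b"POST" and b"loginmid=" in body and b"nickid=" in body


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed DNS A query: header, QNAME labels, QTYPE=A, QCLASS=IN."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)


# Constructed requests: the check-in body values are invented.
CHECKIN = (b"POST /index000000001.asp HTTP/1.1\r\nHost: publicupdate.mooo.com\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 29\r\n\r\n"
           b"loginmid=ABCDEF&nickid=HOST-1")
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for label, pkt in [("publicnews", build_dns_query("publicnews.mooo.com")),
                       ("lookalike", build_dns_query("mooo.com.example.net"))]:
        print(label, "DNS hit:", dns_query_to_mooo(pkt))
    print("check-in:", http_to_mooo(CHECKIN), briba_checkin(CHECKIN))
    print("benign:", http_to_mooo(BENIGN), briba_checkin(BENIGN))
```

Two details worth noticing when you tune these rules: the DNS rule keys on the root label after `com`, so a lookalike such as mooo.com.example.net does not fire, and the check-in rule only needs the two field names in the body, so it keeps matching if the bot changes the values it sends.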
And of course, remember to patch your systems!
Update:
We have found another sample of Backdoor.Briba related to the same campaign. This sample connects to the C&C publicdocs.mooo.com, and in this case the server is running. The sample downloads the file hxxp://publicdocs[.]mooo[.]com/docs/help.gif
The file contains a GIF header followed by a password protected zip file. It is easy to extract the password from the original sample (password123).
It drops and executes XpsFilter.dll that we previously mentioned. This file has a low Antivirus detection rate:
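Both downloads described on this page (logo.gif above and help.gif here) follow the same pattern: a GIF header in front of a password-protected zip whose entry is the next-stage binary. The script below is an added illustration, not code from the post or from the malware: it carves the archive by finding the first zip local-file-header signature after the GIF header, decrypts the entry with the known password, and, since the password had to be pulled from the sample, also shows the candidate-list approach for recovering it. ZipCrypto (the traditional PKWARE cipher, which Python's zipfile can decrypt but not produce) is implemented here only so the sample can be built offline; the inner file name dropper.dll and its contents are invented, while password123 is the password the post reports.

```python
"""Carve a password-protected zip out of a GIF-prefixed download and open it.

Added illustration, not code from the post or from the malware. ZipCrypto is
implemented here only to build a realistic sample offline; the inner file
name and bytes are invented, and "password123" is the password the post
reports for the real sample.
"""
import io
import struct
import zipfile
import zlib


class ZipCrypto:
    """Traditional PKWARE encryption keystream (APPNOTE section 6.1)."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for c in password:
            self._update(c)

    @staticmethod
    def _crc_step(reg: int, ch: int) -> int:
        # One raw CRC-32 register update; zlib exposes the inverted form,
        # so un-invert around the call.
        return zlib.crc32(bytes([ch]), reg ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

    def _update(self, c: int) -> None:
        self.k0 = self._crc_step(self.k0, c)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = self._crc_step(self.k2, self.k1 >> 24)

    def encrypt(self, plain: bytes) -> bytes:
        out = bytearray()
        for c in plain:
            t = self.k2 | 2
            out.append(c ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(c)  # the keys advance on the plaintext byte
        return bytes(out)


def build_encrypted_zip(name: bytes, data: bytes, password: bytes) -> bytes:
    """Minimal stored (uncompressed) zip with one ZipCrypto-encrypted entry."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 filler bytes plus a check byte (the high
    # byte of the CRC when no data descriptor is used). zipfile verifies this
    # byte before decrypting the body, which is how a wrong password is caught.
    header = bytes(range(11)) + bytes([crc >> 24])
    enc = ZipCrypto(password).encrypt(header + data)
    flags, method, dos_time, dos_date = 0x0001, 0, 0x53C0, 0x4110  # encrypted, stored, 2012-08-16 10:30
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dos_time, dos_date,
                        crc, len(enc), len(data), len(name), 0) + name + enc
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, dos_time,
                          dos_date, crc, len(enc), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    end = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + end


def carve_zip(blob: bytes) -> bytes:
    """Return the archive hidden behind a GIF header: everything from the
    first local-file-header signature (PK\\x03\\x04) onward."""
    if not blob.startswith((b"GIF87a", b"GIF89a")):
        raise ValueError("not a GIF-wrapped download")
    start = blob.find(b"PK\x03\x04")
    if start == -1:
        raise ValueError("no zip local file header found")
    return blob[start:]


def extract_payload(blob: bytes, password: bytes) -> dict:
    """Carve the archive and decrypt every entry with the known password."""
    with zipfile.ZipFile(io.BytesIO(carve_zip(blob))) as zf:
        return {info.filename: zf.read(info, pwd=password) for info in zf.infolist()}


def find_password(blob: bytes, candidates) -> bytes:
    """First candidate that decrypts the archive, or None. A wrong password
    fails the check byte (RuntimeError) or, one time in 256, the CRC (BadZipFile)."""
    for pwd in candidates:
        try:
            extract_payload(blob, pwd)
            return pwd
        except (RuntimeError, zipfile.BadZipFile):
            continue
    return None


INNER_NAME, INNER_DATA = "dropper.dll", b"MZ" + bytes(30) + b"fake payload"  # invented


def build_sample(password: bytes = b"password123") -> bytes:
    """Constructed download: GIF89a signature and screen descriptor, then the archive."""
    gif_header = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00"
    return gif_header + build_encrypted_zip(INNER_NAME.encode(), INNER_DATA, password)


if __name__ == "__main__":
    blob = build_sample()
    print("password:", find_password(blob, [b"secret", b"password123"]))
    print({k: v[:12] for k, v in extract_payload(blob, b"password123").items()})
```

Note that zipfile itself tolerates leading junk (it locates the central directory from the end of the file), so the carve step is mainly there to make the structure of these downloads explicit and to let you save the bare archive for further analysis.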
https://www.virustotal.com/file/4a03c174c247a86501889baca416811fd794fa4cef501121ba0be8bc78964d4d/analysis/