During the last few days together with our colleagues from Kaspersky Lab we have been investigating a new strain of spearphishing mails sent to the Uyghur community. You can read their analysis here.
The mails contain a Microsoft Office .doc file that exploits MS09-027, which affects Microsoft Office for Mac; this is the same http://labs.alienvault.com/labs/index.php/2012/ms-office-exploit-that-targets-macos-x-seen-in-the-wild-delivers-mac-control-rat/ [no longer available] exploit used in other attacks we discovered in the past.
During the last year we reported a couple of attacks targeting Uyghurs:
- http://labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/ [no longer available] New MaControl variant targeting Uyghur users, the Windows version using Gh0st RAT
Similar attacks have been reported against various ethnic groups like the Tibetan people and other NGOs and human rights organizations:
- http://labs.alienvault.com/labs/index.php/2012/targeted-attacks-against-tibet-organizations/ [no longer available] Targeted attacks against Tibet organizations
- http://labs.alienvault.com/labs/index.php/2012/ms-office-exploit-that-targets-macos-x-seen-in-the-wild-delivers-mac-control-rat/ [no longer available] MS Office exploit that targets MacOS X seen in the wild – delivers “Mac Control” RAT
They have even http://labs.alienvault.com/labs/index.php/2012/alienvault-research-used-as-lure-in-targeted-attacks/ [no longer available] used our research as a lure to target non-governmental organizations.
Some of the filenames used in this campaign are:
- WUC Hacking Emails.doc
- Concerns over Uyghur People.doc
- Hosh Hewer.doc
- Jenwediki yighingha iltimas qilish Jediwili.doc
- Jenwediki yighingha iltimas qilish Jediwili.doc
- list.doc
- Press Release on Commemorat the Day of Mourning.doc
- The Universal Declaration of Human Rights and the Unrecognized Population Groups.doc
- Uyghur Political Prisoner.doc
- Deported Uyghurs.doc
- Kadeer Logistics detail.doc
- Jenwediki yighingha iltimas qilish Jediwili(Behtiyar Omer).doc
The following yara rule can be used to identify those files:
rule CaptainWord
{
    strings:
        $header = {D0 CF 11 E0 A1 B1 1A E1}
        $author = {00 00 00 63 61 70 74 61 69 6E 00}
    condition:
        $header at 0 and $author
}
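The same two patterns as an added Python check (ours, not from the original post) for hosts where yara is not installed; the OLE2 magic and the "captain" author marker are the rule's own bytes, while the sample buffers are constructed and are not real documents:

```python
import os

# Same two byte patterns as the CaptainWord yara rule above.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")          # Compound File (OLE2) header
AUTHOR_MARK = bytes.fromhex("0000006361707461696E00")  # "\0\0\0captain\0" author string

def is_captain_doc(data: bytes) -> bool:
    """True when the buffer starts with the OLE2 magic and contains the
    'captain' author marker anywhere, i.e. exactly what the yara rule matches."""
    return data.startswith(OLE2_MAGIC) and AUTHOR_MARK in data

def scan_tree(root: str) -> list:
    """Walk a directory tree and return the paths of files matching the rule."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file, skip it rather than abort the scan
            if is_captain_doc(data):
                hits.append(path)
    return hits

# Constructed samples (not real malware): the magic plus filler bytes, with the
# marker present (the 0x08 before it stands in for a property length byte) or
# with a different author string.
SAMPLE_MATCH = OLE2_MAGIC + b"\x00" * 512 + b"\x08" + AUTHOR_MARK + b"\x00" * 64
SAMPLE_BENIGN = OLE2_MAGIC + b"\x00" * 512 + b"\x08\x00\x00\x00author\x00"
```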
Once the victim opens the document the exploit is triggered and the shellcode writes several files in the temporary directory (/tmp/):
1154/0x2610: fstat(0x26, 0xBFFF4CD0, 0x200) = 0 0
1154/0x2610: lseek(0x26, 0x6600, 0x0) = 26112 0
1154/0x2610: open("/tmp/l.sh\0", 0x602, 0x1FF) = 40 0
1154/0x2610: open("/tmp/l\0", 0x602, 0x1FF) = 41 0
1154/0x2610: open("/tmp/l.doc\0", 0x602, 0x1FF) = 42 0
1154/0x2610: read(0x26, "#!/bin/bash\nsleep 1\n/usr/bin/open /tmp/l.doc\ncp /tmp/l /tmp/m\n/tmp/m\0", 0x44) = 68 0
1154/0x2610: write(0x28, "#!/bin/bash\nsleep 1\n/usr/bin/open /tmp/l.doc\ncp /tmp/l /tmp/m\n/tmp/m\0", 0x44) = 68 0
1154/0x2610: read(0x26, "\312\376\272\276\0", 0x100) = 256 0
1154/0x2610: write(0x29, "\312\376\272\276\0", 0x100) = 256 0
...
1188/0x2731: open("/tmp/l\0", 0x0, 0x0) = 4 0
1188/0x2731: open("/tmp/m\0", 0x401, 0x0) = 19 0
…
Then the bash script is executed, opening both the trojan and a lure document. There are several lure documents, all related to Uyghur activities; an example is:
It is also funny that one of the lure documents talks about the “Rise in possible State-Sponsored hacking”.
Once executed, the malware will try to write both the plist and the backdoor itself under the LaunchAgents directory. This folder is used by Mac OS X to store the configuration files that define the parameters of services run by launchd. It will try both the system and the current user directory:
Then the command “launchctl load” is used to register the new daemon. The contents of the apple.plist file are as follows:
The backdoor contains code from a tool called “Tiny SHell”. You can download the source code of “Tiny SHell” here. You will recognize some of the function names from the source code:
The configuration values are hardcoded in the binary including the encryption key and the C&C address/port:
“Tiny SHell” uses AES encryption for the C&C communications and, as we can see, the attackers are using “12345678” as the AES secret key:
On the other hand they decided to use the original challenge responses that can be found in the original pel.c file:
The backdoor has only a couple of functionalities:
- Remote shell execution
- File transfers (get/put)
Most of the binaries we obtained were compiled with debug symbols, so we were able to recover some build paths from the machine where the files were compiled:
/Users/cbn/Documents/WorkSpace/design/server/aes.c
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/aes.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/pel.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/server.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/sha1.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/shell.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/aes.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/pel.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/server.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/sha1.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/shell.o
/Users/cbn/Documents/WorkSpace/design/server/pel.c
/Users/cbn/Documents/WorkSpace/design/server/server.m
/Users/cbn/Documents/WorkSpace/design/server/sha1.c
/Users/cbn/Documents/WorkSpace/design/server/shell.c
Where “cbn” is the username of the user who compiled those files in the attacker’s system.
The backdoor also writes a VCard containing the data about the current user. The purpose of this is not clear.
Network activity
The attackers are using two different C&C domains:
- apple12[.]crabdance[.]com
- update[.]googmail[.]org
The domain crabdance[.]com is a well-known free Dynamic DNS provider. We have been monitoring the second domain, googmail[.]org, for a while. It has been used by a group we internally named “xsldmt”, after the email address they use to register most of their domain names.
Domain Name:GOOGMAIL.ORG
Created On:16-Dec-2011 03:01:13 UTC
Last Updated On:20-Nov-2012 04:46:22 UTC
Expiration Date:16-Dec-2013 03:01:13 UTC
Sponsoring Registrar:Xin Net Technology Corporation (R118-LROR)
Status:OK
Registrant ID:4jyn2c9u84snj4
Registrant Name:su guang
Registrant Organization:su guang
Registrant Street1:mi quannanguoxiang1hao
Registrant Street2:
Registrant Street3:
Registrant City:changjihuizuzizhizhou
Registrant State/Province:xinjiangweiwuerzizhiqu
Registrant Postal Code:830000
Registrant Country:CN
Registrant Phone:+86.013579984824
Registrant Phone Ext.:
Registrant FAX:+86.09914682953
Registrant FAX Ext.:
Registrant Email:xsldmt@xj163.cn
The following graph represents the passive DNS data we collected for the IP addresses involved, including other domains that are probably being used by the same group.
Indicators of compromise
Apart from the domain names and IP addresses released above, which can be used to check your logs for connections to those addresses, here is a list of file paths that can be checked on your systems to find activity related to these attacks:
- /tmp/l
- /tmp/m
- /tmp/l.sh
- /tmp/l.doc
- /tmp/systm
- /tmp/.systm
- /tmp/__system
- /tmp/__system*
- /tmp/tmpAddressbook.vcf
- /Library/LaunchDaemons/systm
- /Library/LaunchDaemons/.systm
- /Library/LaunchDaemons/apple.plist
- /Users/[CurrentUser]/Library/LaunchAgents/systm
- /Users/[CurrentUser]/Library/LaunchAgents/.systm
- /Users/[CurrentUser]/Library/LaunchAgents/apple.plist
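An added triage script (ours, not the post's) that checks these file paths on a Mac and also inspects launchd plists for the LaunchAgents/LaunchDaemons persistence described earlier, so it serves both passages; the apple.plist it builds for its demo is a constructed assumption, since the post does not print the file's contents:

```python
import glob
import os
import plistlib
import tempfile

# File-path indicators from the post; [CurrentUser] is expanded per home directory.
IOC_PATHS = [
    "/tmp/l", "/tmp/m", "/tmp/l.sh", "/tmp/l.doc", "/tmp/systm", "/tmp/.systm",
    "/tmp/__system", "/tmp/__system*", "/tmp/tmpAddressbook.vcf",
    "/Library/LaunchDaemons/systm", "/Library/LaunchDaemons/.systm", "/Library/LaunchDaemons/apple.plist",
    "/Users/[CurrentUser]/Library/LaunchAgents/systm", "/Users/[CurrentUser]/Library/LaunchAgents/.systm",
    "/Users/[CurrentUser]/Library/LaunchAgents/apple.plist",
]
SUSPECT_PROGRAMS = ("/tmp/", "systm")  # where this backdoor's binaries live

def find_ioc_paths(patterns=IOC_PATHS, users_root="/Users"):
    """Return every indicator path present on disk; [CurrentUser] is tried for
    each home directory and glob covers '__system*' as well as literal names."""
    homes = glob.glob(os.path.join(users_root, "*"))
    hits = set()
    for pat in patterns:
        expanded = ([pat.replace("/Users/[CurrentUser]", h) for h in homes]
                    if "[CurrentUser]" in pat else [pat])
        for p in expanded:
            hits.update(glob.glob(p))
    return sorted(hits)

def suspicious_launch_items(launch_dir):
    """Map plist path -> program for launchd items that run something from /tmp
    or one of the 'systm' names, the persistence pattern described above."""
    findings = {}
    for path in glob.glob(os.path.join(launch_dir, "*.plist")):
        try:
            with open(path, "rb") as fh:
                item = plistlib.load(fh)
            program = str(item.get("Program") or (item.get("ProgramArguments") or [""])[0])
        except (OSError, ValueError, AttributeError, TypeError):
            continue  # unreadable, malformed or non-dictionary plist
        if any(marker in program for marker in SUSPECT_PROGRAMS):
            findings[path] = program
    return findings

def demo():
    """Constructed sample: an apple.plist launching /tmp/m (assumed shape) beside a benign item."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "apple.plist"), "wb") as fh:
        plistlib.dump({"Label": "apple", "ProgramArguments": ["/tmp/m"]}, fh)
    with open(os.path.join(d, "com.example.ok.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.ok", "Program": "/usr/bin/true"}, fh)
    return suspicious_launch_items(d)
```

Run find_ioc_paths() and suspicious_launch_items() against /Library/LaunchDaemons and each user's Library/LaunchAgents; an empty result from both is the expected state on a clean host.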