Latest Adobe PDF exploit used to target Uyghur and Tibetan activists

March 14, 2013  |  Jaime Blasco

Last month Adobe released a fix to patch a vulnerability that was being exploited in the wild. Kaspersky found that the 0-day was being used by a very sophisticated group to target several governments using a malware called MiniDuke.

AlienVault Labs has detected that a different group of attackers has been using this vulnerability to target non-governmental and human rights organizations.

Together with our partner Kaspersky Labs we are releasing an analysis of this campaign. You can read their report here.

Based on the samples we found, we believe this group has been running a spear-phishing campaign for the last few weeks. The files we have analyzed are PDF files that contain code to exploit CVE-2013-0640. Once the victim opens the file, the system gets infected and a lure document is displayed to the victim. Some of the PDF lures we have found are:

(screenshots of the lure documents)

Some of the exploit filenames:

  • 2013-Yilliq Noruz Bayram Merikisige Teklip.pdf
  • 联名信.pdf
  • arp.pdf

Based on the lures we found, it seems the same group is targeting both Tibetan and Uyghur activists in the same campaign.

The JavaScript code inside the PDF files is very similar to the code found in the Itaduke samples, but some of the initial variables and the obfuscation have been removed from the original.

The shellcode creates the file AcroRd32.exe in the Temp folder. That file decrypts an encrypted block using XOR operations with the key “0l23kj@nboxu”.
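As an added example (this is not code from the post or from AlienVault), the following Python script shows how an analyst can recover a block protected with a repeating XOR key like the one above: it decodes with the reported key and scans a blob for the offset at which decoding produces a PE header. It assumes the decrypted block is a PE image (the post only says the block is decrypted and then a payload runs), and the container blob it works on is constructed for the example rather than taken from a real sample.

```python
# Added example, not code from the AlienVault post: repeating-key XOR decoder
# for the block embedded in the dropped AcroRd32.exe, using the key the
# analysis reports, plus a scan that locates an XOR-encoded PE inside a
# larger blob. The sample blob below is constructed for the example.
import struct
from itertools import cycle
from typing import Optional

XOR_KEY = b"0l23kj@nboxu"  # key reported in the analysis


def xor_crypt(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so one function both
    encrypts and decrypts; the key phase restarts at offset 0 of `data`."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """Cheap plausibility check for a decoded PE: an 'MZ' DOS header and a
    'PE\\0\\0' signature at the offset stored in e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_xored_pe(blob: bytes, key: bytes = XOR_KEY, window: int = 0x200) -> Optional[int]:
    """Return the offset at which XOR-decoding `blob` with `key` yields a PE
    header, or None. A two-byte test keeps the scan cheap; the full header
    check runs only on candidates."""
    for off in range(len(blob) - 0x40):
        if blob[off] ^ key[0] != 0x4D or blob[off + 1] ^ key[1] != 0x5A:  # 'M', 'Z'
            continue
        if looks_like_pe(xor_crypt(blob[off:off + window], key)):
            return off
    return None


def carve_payload(blob: bytes, key: bytes = XOR_KEY) -> Optional[bytes]:
    """Locate and decode the embedded PE, or return None if there is none."""
    off = find_xored_pe(blob, key)
    return None if off is None else xor_crypt(blob[off:], key)


def build_constructed_pe_stub() -> bytes:
    """Minimal stand-in for a PE image (constructed, not a real sample):
    a 0x40-byte DOS header whose e_lfanew points at a PE signature."""
    dos_header = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos_header, 0x3C, 0x40)
    return bytes(dos_header) + b"PE\0\0" + b"\x4c\x01" + b"\0" * 64


# Constructed container: junk bytes followed by the XOR-encoded stub, the
# layout an analyst would expect when carving the block out of a dropper.
JUNK = b"\x90" * 37 + b"not the key"
SAMPLE_BLOB = JUNK + xor_crypt(build_constructed_pe_stub())


if __name__ == "__main__":
    payload = carve_payload(SAMPLE_BLOB)
    print("embedded PE found at offset", find_xored_pe(SAMPLE_BLOB),
          "valid header:", payload is not None and looks_like_pe(payload))
```

The scan restarts the key phase at every candidate offset, which is what you want when the encrypted block was written starting with the first key byte; if a sample turns out to use a different alignment, try the key rotated through its twelve phases.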

The malicious payload will perform the following operations:

  • Copy \WINDOWS\system32\wuauclt.exe to %APPDATA%\wuauclt\wuauclt.exe
  • Drop a malicious DLL under %APPDATA%\wuauclt\clbcatq.dll
  • Execute %APPDATA%\wuauclt\wuauclt.exe

Note that wuauclt.exe is a benign system executable. Once it is executed from that directory, the malicious DLL sitting next to it is loaded in place of the system copy. This technique is known as DLL search order hijacking.
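As an added example (not code from the post or from AlienVault), here is a small Python hunt for the layout described above: it walks a user-writable tree such as %APPDATA% and reports every executable that has a DLL next to it whose name collides with a system DLL. The list of system DLL names is limited to the two names this post mentions (a real hunt would load the full contents of System32), and the directory tree the script builds is constructed for the example.

```python
# Added example, not code from the AlienVault post: find executables placed
# alongside a DLL that shares its name with a system DLL, the precondition
# for the DLL search order hijack the post describes. The directory tree
# built here is constructed; nothing in it is a real sample.
import os
import tempfile
from typing import Iterable, List, Set, Tuple

# DLL names the post reports being planted or patched. A real hunt would use
# the complete set of DLL names present in the host's System32 directory.
SYSTEM_DLL_NAMES: Set[str] = {"clbcatq.dll", "mswsock.dll"}


def find_sideload_candidates(root: str,
                             system_dlls: Iterable[str] = SYSTEM_DLL_NAMES
                             ) -> List[Tuple[str, str]]:
    """Walk `root` and return (exe, dll) pairs where a DLL whose name matches
    a system DLL sits in the same directory as an executable. The loader
    searches the application directory before System32, so such a pair is
    exactly what a search order hijack needs."""
    wanted = {name.lower() for name in system_dlls}
    hits: List[Tuple[str, str]] = []
    for dirpath, _subdirs, files in os.walk(root):
        lowered = sorted(f.lower() for f in files)
        exes = [f for f in lowered if f.endswith(".exe")]
        shadowing = [f for f in lowered if f in wanted]
        for exe in exes:
            for dll in shadowing:
                hits.append((os.path.join(dirpath, exe), os.path.join(dirpath, dll)))
    return hits


def build_constructed_appdata() -> str:
    """Create a throwaway tree mimicking the layout the post describes, next
    to an innocuous application directory that must not be flagged."""
    root = tempfile.mkdtemp(prefix="appdata_example_")
    bad = os.path.join(root, "wuauclt")
    good = os.path.join(root, "someapp")
    os.makedirs(bad)
    os.makedirs(good)
    for path in (os.path.join(bad, "wuauclt.exe"), os.path.join(bad, "clbcatq.dll"),
                 os.path.join(good, "someapp.exe"), os.path.join(good, "helper.dll")):
        with open(path, "wb") as fh:
            fh.write(b"MZ")  # placeholder content; only the file names matter here
    return root


if __name__ == "__main__":
    for exe, dll in find_sideload_candidates(build_constructed_appdata()):
        print(f"possible sideload: {exe} would load {dll}")
```

A name collision alone is not proof of compromise, since some legitimate installers ship private copies of system DLLs; the hit list is a starting point for checking the DLL's signature and export table, which is where the next paragraph picks up.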

The malicious DLL will be loaded when wuauclt.exe is executed. It is worth noting that the malicious clbcatq.dll does not export all the functions the original clbcatq.dll has; it only implements the ones required to run the malicious code:

(export tables of the original DLL and of the malicious DLL)

Once the malicious DLL is loaded, the malicious code generates an HTTP request to its C&C server.

The server will reply with an encrypted block of code that will be decrypted. The decrypted content is actually a DLL that exports the following functions:

  • GetWorkType
  • InfectFile

The payload will drop the following files:

  • \WINDOWS\system32\wbem\BA5E980.PBK
  • \WINDOWS\system32\wbem\mstd32.dll

The InfectFile function will modify some code in the system library \WINDOWS\system32\mswsock.dll. If we take a look at the patched DLL:

Original version

Modified version

If we take a look at WSPStartup_0:

We can see how the malicious DLL mstd32.dll is loaded every time the system library mswsock.dll is loaded by a program.

The file mstd32.dll is signed using a certificate issued to “YNK JAPAN Inc.” We have seen that certificate being used to sign malware dropped in several NGO attacks in the past.

Then the malicious code performs an HTTP request to the C&C server every few seconds.

The final payload is detected as Trojan.Win32.Swisyn and has extensive functionality to monitor and steal data from the infected system.

We have identified the following C&C servers for both payloads:

  • ly.micorsofts.net
  • ip.micrsofts.com
  • xdx.hotmal1.com
  • hy.micrsofts.com

All the DNS names are pointing to 60.211.253.28 at this time.
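As an added example (not code from the post or from AlienVault), the script below turns the C&C list above into detection logic: it matches DNS log lines against the four domains, pivots on the shared IP so that new names on the same server are caught, and flags look-alike domains, since every C&C name here is a misspelling of microsoft or hotmail. The log format, the non-IOC names and the 192.0.2.x answers are constructed for the example; only the domains and the IP come from the post.

```python
# Added example, not code from the AlienVault post: match DNS log lines
# against the C&C indicators the post lists and flag look-alike brand
# domains. The log format and the non-IOC lines are constructed.
import re
from typing import List, Optional, Tuple

IOC_DOMAINS = {"ly.micorsofts.net", "ip.micrsofts.com", "xdx.hotmal1.com", "hy.micrsofts.com"}
IOC_IPS = {"60.211.253.28"}
BRANDS = ("microsoft", "hotmail")  # brands the C&C names imitate

# Constructed log format (hypothetical, not any real resolver's output):
#   <timestamp> client=<ip> qname=<name> [answer=<ip>]
LINE_RE = re.compile(r"qname=(?P<qname>\S+)(?:\s+answer=(?P<answer>[\d.]+))?")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent
    transpositions, so 'micorsofts' -> 'microsoft' costs 2, not 3."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_brand(domain: str, max_distance: int = 2) -> Optional[str]:
    """Return the brand a domain's second-level label imitates, or None.
    The genuine brand label is not a look-alike. Simplification: the
    second-to-last label is taken as the registrable name, so public
    suffixes such as co.uk are not handled."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    sld = labels[-2]
    for brand in BRANDS:
        if sld != brand and osa_distance(sld, brand) <= max_distance:
            return brand
    return None


def classify_dns_line(line: str) -> Optional[str]:
    """Verdict for one log line: exact domain IOC first, then the IP pivot,
    then the look-alike heuristic."""
    m = LINE_RE.search(line)
    if not m:
        return None
    qname = m.group("qname").lower().rstrip(".")
    answer = m.group("answer")
    if qname in IOC_DOMAINS:
        return "ioc-domain"
    if answer in IOC_IPS:
        return "ioc-ip"
    brand = lookalike_brand(qname)
    return f"lookalike:{brand}" if brand else None


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (qname, verdict) for every line that produced a verdict."""
    hits: List[Tuple[str, str]] = []
    for line in text.splitlines():
        verdict = classify_dns_line(line)
        if verdict:
            hits.append((LINE_RE.search(line).group("qname"), verdict))
    return hits


# Constructed sample log: IOC values from the post, everything else made up.
SAMPLE_LOG = """\
2013-03-14T10:00:01 client=10.0.0.5 qname=ly.micorsofts.net answer=60.211.253.28
2013-03-14T10:00:02 client=10.0.0.5 qname=www.microsoft.com answer=192.0.2.10
2013-03-14T10:00:03 client=10.0.0.7 qname=mail.hotmal1.com answer=60.211.253.28
2013-03-14T10:00:04 client=10.0.0.7 qname=cdn.micros0ft.com
2013-03-14T10:00:05 client=10.0.0.9 qname=www.example.com answer=192.0.2.20
"""

if __name__ == "__main__":
    for qname, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:<20} {qname}")
```

The look-alike check is deliberately loose (edit distance of at most 2 on the second-level label) and will produce noise on short brand names; treat it as a triage signal that ranks hits for a human, and keep the exact domain and IP matches as the alerting tier.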

Both domains have been registered using the same mail address:

micorsofts.net

Created: 2008-05-12 01:51:10

Expires: 2013-05-12 01:51:10

Last Modified: 2012-05-02 13:26:38

Registrant Contact:

GW SY

li wen li wen (lcb_jn@sina.com)

zq dj

jiningshi, shandongsheng, cn 272000

P: +86.05372178000 F: +86.05372178000

hotmal1.com

Created: 2008-12-30 03:53:18

Expires: 2013-12-30 03:53:18

Last Modified: 2012-12-26 15:32:15

Registrant Contact:

GW SY

li wen li wen (lcb_jn@sina.com)

zq dj

shixiaqu, beijingshi, cn 272000

P: +86.02227238836601 F: +86.02227238836601

Profile of the user on 20cn.net

We (AlienVault Labs) have written Snort rules to match the network behavior; they are published with the rest of the indicators in our GitHub repository.

A YARA rule to match the malicious binaries is included in our GitHub repository as well.

A second YARA rule, also in the repository, detects the malicious PDF files.

Finally, we are releasing some OpenIOC indicators as well:

You can find all the content in our GitHub repository.
