Last month Adobe released a fix to patch a vulnerability that was being exploited in the wild. Kaspersky found that the 0day was being used by a very sophisthicated group to target different governments using a malware called MiniDuke.
Alienvault Labs have detected that a different group of attackers have been using this vulnerability to target non-governmental and human rights organizations.
Together with our partner Kaspersky Labs we are releasing an analysis of this campaign. You can read his report here.
Based on the samples we found we believe this group has been running a SpearPhishing campaign from the last few weeks. The files we have analyzed are PDF files that contain code to exploit CVE-2013-0640. Once the victim opens the file, the system gets infected and a lure document is displayed to the victim. Some of the PDF lures we have found are:
Some of the exploit filenames:
- 2013-Yilliq Noruz Bayram Merikisige Teklip.pdf
Based on the lures we found it seems the same group is targeting both Tibet and Uyghur activists in the same campaign.
The shellcode will create the file AcroRd32.exe in the Temp folder. That file decrypts an encrypted block using XOR operations with the key “0l23kj@nboxu”.
The malicious payload will perform the following operations:
- Copy WINDOWSsystem32wuauclt.exe to %APPDATA%wuaucltwuauclt.exe
- Drop a malicious DLL under %APPDATA%wuaucltclbcatq.dll
- Execute %APPDATA%wuaucltwuauclt.exe
Note that wuauclt.exe is a benign system executable. Once the system file is executed, the malicious DLL will be loaded. This technique is known as DLL search order hijacking.
The malicious DLL will be loaded when wuauclt.exe is executed. It is important to show that clbcatq.dll is not exporting all the methods that the original clbcatq.dll has. It only implements the ones that are required to run the malicious code:
Original DLL Malicious DLL
Once the malicious DLL is loaded, the malicious code will generate the following HTTP request:
The server will reply with an encrypted block of code that will be decrypted. The decrypted content is actually a DLL that exports the following functions:
The payload will drop the following files:
The InfectFile function will modify some code in the system library WINDOWSsystem32mswsock.dll. If we take a look at the patched DLL:
If we take a look at WSPStartup_0:
We can see how the malicious DLL mstd32.dll will be loaded everytime the system library mswsock.dll is loaded by a program.
The file mstd32.dll is signed using a certificate issued to “YNK JAPAN Inc. We have seen that certificate being used to sign malware dropped in several NGO attacks in the past.
Then the malicious code will perform the following HTTP request every few seconds:
The final payload is detected as Trojan.Win32.Swisyn and it has a lot of functionality to monitor and steal data from the infected system.
We have identified the following C&C servers for both payloads:
Both domains have been registered using the same mail address:
Created: 2008-05-12 01:51:10
Expires: 2013-05-12 01:51:10
Last Modified: 2012-05-02 13:26:38
li wen li wen (email@example.com)
jiningshi, shandongsheng, cn 272000
P: +86.05372178000 F: +86.05372178000
Created: 2008-12-30 03:53:18
Expires: 2013-12-30 03:53:18
Last Modified: 2012-12-26 15:32:15
li wen li wen (firstname.lastname@example.org)
shixiaqu, beijingshi, cn 272000
P: +86.02227238836601 F: +86.02227238836601
Profile of the user on 20cn.net
You can use the following Yara rule to match the malicious binaries:
And this one to detect the malicious PDF files:
Finally, we are releasing some OpenIOC indicators as well:
You can find all the content in our GitHub repository.