Unveiling a spearphishing campaign and possible ramifications

June 12, 2012 | Jaime Blasco

A few days ago, DigitalBond published information about an ongoing spearphishing campaign that affected one of their employees.

The attackers were using a pdf document related to ICS (Industrial Control Systems) security as a lure to compromise potential targets within the ICS community.

After analyzing the initial information provided, my friend Rubén Santamarta from IOActive and I investigated further on the binaries and the involved infrastructure.

Analysis of the malware

As described in this analysis done by the DigitalBond folks, the mail contained a link to a zip file hosted on hxxp://research.digitalvortex.com/

Once uncompressed, the file Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.pdf.exe (c6b95b178188b8c35d14bed40520e685)


The file is a WinRAR SFX archive that will unpack the malware files to the user’s Temp folder as well as showing the benign PDF file Lev​era​gin​g_E​the​rne​t_C​ard​_Vu​lne​rab​ili​tie​s_i​n_F​iel​d_D​evi​ces​.pd​f.

C:DOCUME~1ADMINI~1LOCALS~1Tempspoolsvr.exe (md5: 5ff3269faca4a67d1a4c537154aaad4b)


The dropped file spoolsvr.exe,



The malware also creates a registry key to maintain persistence:


load = C:DOCUME~1ADMINI~1LOCALS~1Tempspoolsvr.exe

The file is a downloader that reads the configuration file from a remote server, in this case:

hxxp://hint.happyforever.com/logo.html -


Korea Network Information Center

As described in the DigitalBond’s analysis, the html file contains configuration values within the html tags. The config values are encoded with base64 and then XORED with the key 0x42.

In this file, the values are as follow:



and the body contains a PE File with a new malware.

You can use a small script I created to automatically extract http://alienvault-labs-garage.googlecode.com/files/parse_html_content.py [no longer available] the config values and the binary file from the html content giving the XOR key used. Example:

$ python parse_html_content.py logo.html 42



Binary file logo.html.exe saved

The downloaded file tanghl.exe, is only detected by 3 AV engines:


This file is a RAT (Remote Access Tool) known as Backdoor:Win32/Dalbot.gen

This particulary sample connects to the C&C server -

SK Broadband Co Ltd

Jung-gu SK NamsanGreen Bldg,Namdaemunno 5(o)-ga, Seoul

The communication between the malware and the C&C is done using HTTP requests to random numeric .asp files  . The RAT communication is present on the Cookie header of the request and base64/xor encoded.

GET /8223.asp HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)


Connection: Keep-Alive


If we decode the value of the Cookie header (decode base64 and XOR and 1 byte XOR 0x6b) we can see the actual checkin:


Further investigations of the campaign

Using the information extracted from the binaries and the servers involved on the attack, we were able to identified more files and campaigns launched by this group during the last months.

The following binary (Romneys_Partner_Choice.exe, md5: 6306364c58f31a711c410c9a874f103c) downloads the config file from:


The server update.slowblog.com was pointing to the same ip as hint.happyforever.com ( and drops the following benign PDF file, Romneys_Partner_Choice.pdf.

Another file is f77852b73dfde33ea248df7087671f53 that downloads the config file from

httpx://report.rawcomp.com/images/wait.png that also points to

and drops China’s_Rare-Earth_Industry.pdf.

Looking for other binaries connecting to the C&C ip address we found the following:

53ae642408aaf6cfed016422b394b32a whose filename is the_list_of_staff_changes_in_anakam.exe

It downloads the config file from

hxxp://report.crabdance.com/report/news.html -

Japan Network Information Center

The following files were getting the config file from the same server (report.crabdance.com):

MD5 (New_Chertoff_Group_Q1_2012_Report.zip) = e7b5596a08bda3592ed3978ef8d5bcdd

MD5 (Speeches_For_IT-SCC_Meeting.zip) = 094c72273d716302705218eea8b7829e

MD5 (Staff_Changes(URI).zip) = 6725ea60e45b85a63e0dd35f50b50a24

MD5 (Staff_Changes(cmu).zip) = cae33614eb014ed50ab5e1381547bd4a

MD5 (Staff_Changes(purdue).zip) = f108cacaaae8295d9fc602c51bef59cf

MD5 (New_NJVC_First_Half_2012_Report.zip) = 8f26609c275e0262b4833ccc7909779c

dropping the following exes:

MD5 (New NJVC First Half 2012 Report.exe) = f7aa931de0564f77b27c2f5d1d9bc532

MD5 (Any_Staff_Changes_About_Carnegie_Mellon_University.exe) = 8873f6d3ea123708615e72fe357808e5

MD5 (Any_Staff_Changes_About_Purdue_University.exe) = 8873f6d3ea123708615e72fe357808e5

MD5 (Any_Staff_Changes_About_University_of_Rhode_Island.exe) = 8873f6d3ea123708615e72fe357808e5

MD5 (New_Chertoff_Group_Q1_2012_Report.exe) = 59e74b14f5edee8d38eba74a8000fb18

MD5 (Speeches_For_IT-SCC_Meeting.exe) = 59e74b14f5edee8d38eba74a8000fb18

This downloaders obtain the config file from




All of them obtain the same RAT and the following C&C ip addresses were present on the binaries: -

Hong Kong University of Science and Technology

sql1.be.udel.edu ( -

Information Technologies

192 South Chapel Street

Newark, DE


More binaries were found connecting to the ip address

1d8ff16257181562aec3a74ca79ce092 that drops the following doc file:


and gets the config file from release.pornandpot.com (


hxxp://www.doversolutions.co.in/images/title.png (


hxp:// (


hxp:// (




 and use as the C&C server.



Other files connecting to the C&C server


Using the script to extract the information from the html config files, we found the following different configuration values:



















Final notes

We have identified that the group behind these attacks is using hacked web servers to host the malicious configuration files. Based on the networks hosting the C&C ips (mainly universities), it is very likely that these servers are also hacked and some kind of proxy is installed on them to redirect the traffic to the real C&C server. This can be easily achieve using HTran or other similar software commonly used by Chinese hacker groups in this kind of campaigns.

If we take a look at the name of the identified files, we can build a short list of likely targets and/or their customers:

- Universities (Carnegie Mellon, Purdue University, Rhode Island)

- ICS related organizations (DigitalBond, NEMA [National Electrical Manufacturers Association])

- Government contractors (NJVC, Chertoff Group)

- Two-Factor Authentication technology (Anakam).

The usage of configuration values inside HTML content is somehow similar to what attackers used during the Operation Shady RAT.

Apart from the modus operandi, we identified the C&C server Based on the information provided on the following links:



It seems that ip is somehow related to the group behind the RSA breach.

If you remember, a month ago, the ICS-CERT published a note warning on a series of cyber intrusions targeting natural gas pipeline companies. Some days after that, information about a link between this attacks and the RSA breach was published. “The indicators DHS provided to hunt for the gas-pipeline attackers included several that, when we checked them, turned out to be related to those used by the perpetrators of the RSA attack,”  you can read on the article.

One way or another, it seems that ICS companies are beginning to be included in the shopping list of these kind of groups.

You can also use the following OpenIOC file http://alienvault-labs-garage.googlecode.com/files/d3b52fea-5020-469c-97f8-b23bf4954751.ioc [no longer available] that contains the indicators of compromise related to the data presented:

You can find more information  at  IOActive blog 

Jaime Blasco

About the Author: Jaime Blasco

Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AT&T Cybersecurity, Jaime leads the Alien Labs Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AT&T, Jaime was Chief Scientist at AlienVault. Prior to that, he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.

Read more posts from Jaime Blasco ›


Get the latest security news in your inbox.

Subscribe via email


Get price Free trial