New Uyghur and Tibetan Themed Attacks Using PDF Exploits

On Feb 12th 2013, FireEye announced the discovery of an Adobe Reader 0-day exploit which is used to drop a previously unknown, advanced piece of malware. We called this new malware "ItaDuke" because it reminded us of Duqu and because of the ancient Italian comments in the shellcode copied from Dante Alighieri's "Divine Comedy".

Previously, we posted about another campaign hitting Governments and other institutions, named Miniduke, which was also using the same "Divine Comedy" PDF exploits.

In the meantime, we've come by other attacks which piggyback on the same high level exploit code, only this time the targets are different: Uyghur activists.

Together with our partner at AlienVault Labs, we analyzed these new exploits. For their blog, which includes Yara rules and industry standard IOC's, please read [here]. For our analysis, please read below.

The new attacks

A few days ago, we observed several PDF files which carry the CVE-2013-0640/641 (ItaDuke) exploits. Some of the MD5s and filenames include:

7005e9ee9f673edad5130b3341bf5e5f 2013-Yilliq Noruz Bayram Merik isige Teklip.pdf
d00e4ac94f1e4ff67e0e0dfcf900c1a8 .pdf (joint_letter.pdf)
ad668992e15806812dd9a1514cfc065b arp.pdf

The Kaspersky detection name for these exploits is Exploit.JS.Pdfka.gjc.

If the exploit is successful, the PDFs show a clean, "lure" document to the user:

The first document (2013-Yilliq Noruz Bayram Merik isige Teklip.pdf) refers to a New Years party invitation. The second one, "arp.pdf", is an authorization to request a reimbursement, for a Tibetan activist group.

The Javascript exploit code has a large comment block prepended, which was probably included to avoid detection by certain anti-malware programs.

The comment block and the exploit is exactly the same among all analyzed PDF files. Interestingly, the "sHOGG" string obfuscation function from Itaduke has been removed. In addition, some of the obfuscation for variable initialization has been removed as well:

All documents drop the same malware, detected by Kaspersky as Trojan.Win32.Agent.hwoo and Trojan.Win32.Agent.hwop, which is interesting: this is one of the rare cases when the same threat actor hits both Tibet and Uyghur activists at exactly the same time. It is possible this was done in regards to a human rights conference which is taking place in Geneva between 11-13 March, 2013.

The backdoor

The PDF malware dropper creates a file named "C:Documents and SettingsAdministratorLocal SettingsTempAcroRd32.exe" and runs it. AcroRd32.exe has a PE compilation timestamp of "Wed Jul 11 05:39:45 2012".

"AcroRd32.exe" contains an encrypted block with the final payload, an 8KB backdoor, which is dropped as "clbcatq.dll" and run via Windows Update. The block can be easily noticed inside the backdoor by a trained eye:

The block is encrypted with a simple xor + add algorithm. Here's the decryption algorithm for the final payload:

char key[]="0l23kj@nboxu";

a=key[i&7] + 6;
buf[i]=(buf[i]^a) + a;

The final backdoor (clbcatq.dll) is 9728 bytes in size. It was compiled on "Wed Jul 11 05:39:39 2012". The backdoor connects to its C&C server and requests further data using HTTP GET requests. The response from the server is expected to be a slightly encrypted DLL, which is then loaded and called by exports "InfectFile" and "GetWorkType".

For all the servers, the malware makes a request to "/news/show.asp", using a custom agent string of "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)".

At the moment, all the domains point to the same IP address: 60.211.253.28. The server is located in China, in Shandong province:

The domains "micrsofts.com" and "hotmal1.com" appear to have been registered by the same person, although with very small differences in the registration data:

Registrant Contact:
GW SY
li wen li wen (lcb_jn@sina.com)
zq dj
jiningshi, shandongsheng, cn 272000
P: +86.05372178000 F: +86.05372178000

Registrant Contact:
GW SY
li wen li wen (lcb_jn@sina.com)
zq dj
shixiaqu, beijingshi, cn 272000
P: +86.02227238836601 F: +86.02227238836601

Stage 2

The command and control server will reply with a 300K backdoor, which is sent in encrypted form. Here's how it looks as sent by server:

The encryption is a sub 0x11 followed by a xor 0x11. Once decrypted, we get the malware dropper, which was compiled on "Wed Jul 11 06:52:48 2012". This "stage 2" malware dropper is heuristically detected by Kaspersky products as HEUR:Trojan.Win32.Generic.

The stage 2 dropper will install two files in system32wbem:

4BA5E980.PBK - 204,932 bytes (MD5 varies)
MSTD32.DLL - 31,880 bytes (MD5: 92f15c2b82e81e8ae47e361b3ecb5add)

MSTD32.DLL is signed by "YNK JAPAN Inc", with a certificate that was revoked by the issuer:

This technique reminds us of the method used by the malware from the Tilded platform (Duqu, Stuxnet) for starting up. (small signed loader which reads and executes main body kept in encrypted form)

Our colleagues from Norman have previously written about this compromised certificate in relation to Hupigon and other malware.

The final stage malware is known by our products as Trojan.Win32.Swisyn and has pretty extensive functionality for data stealing.

Conclusions

We have previously published blogs about targeted attacks against Tibetan and Uyghur activists.

The threat actors behind these attacks are very active and continuously use new methods and new exploits to attack their victims. We have previously seen the use of CVE-2013-0158 or CVE-2010-3333, in addition to exploits for Mac OS X, taking advantage of CVE-2009-0563.

The PDF exploit originally discovered by FireEye is the first known exploit capable of bypassing the Adobe Reader X sandbox. Due to this advanced capability, it is extremely valuable to any attacker. Although it was probably developed for (or by) use of a nation state originally, we now see it being copied and reused by other threat actors. This is becoming a common procedure nowadays and we can expect more such piggybacking or exploit stealing in the future.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *