
Abused Update of GOM Player Poses a Threat

Several media outlets reported on January 7th, 2014, that a PC associated with “Monju” (the Fast Breeder Reactor of the Japan Atomic Energy Agency) had been infected by malware and that information may have been leaked. Some pointed out that the infection may have been caused by abuse of the legitimate update mechanism of “GOM Player”, which made it big news. GOM Player is a free media player with popular video/audio codecs built in, favored by many Japanese users. It differs from similar free media players in some notable points: it supports major file formats such as AVI, DAT, DivX, MPEG and WMV, to name just a few, and an official Japanese version is available. It is said to have more than 6 million users in Japan.

We received the sample file named “GoMPLAYER_JPSETUP.EXE”:


The sample is an executable file compressed in RAR format. When it is executed, it unpacks itself and runs the executable file included in the archive. Fig1 shows the files included in the RAR archive:

Fig1: Files within “GoMPLAYER_JPSETUP.EXE”


Two files are included in the archive:


“GOMPLAYERJPSETUP_JP.EXE” is a legitimate update file of GOM Player. “GOMPLAYERBETASETUP_JP.EXE” is another executable file in RAR format. Fig2 shows the files included in “GOMPLAYERBETASETUP_JP.EXE”.

Fig2: Files within “GOMPLAYERBETASETUP_JP.EXE”


“GOMPLAYERBETASETUP_JP.EXE” has five files which include malicious code. Among them is “install.exe”, which runs from “GOMPLAYERBETASETUP_JP.EXE”.


“install.exe” checks whether it is running in a 32-bit or 64-bit environment using the IsWow64Process function (Fig3):

Fig3: Estimation process by the “install.exe”


Based on the result of this check, it reads “dll.tmp” or “dll64.tmp” (depending on the environment), xor-decrypts it with the single-byte key “\x14”, and writes the result as “install.ocx” in “%windir%\temp”. Fig4 shows the xor decryption process.

Fig4: xor decryption process of “dll.tmp/dll64.tmp” using “\x14”


Then it copies “instructions.pdf” or “instructions64.pdf” (depending on the environment) to the same folder as “install.ocx”.


It creates two values, “Default”=”%windir%\install.ocx” and “ThreadingModel”=”Apartment”, under each of the following registry keys (the InProcServer32 entries of an existing shell CLSID, so that the DLL is loaded by whatever process instantiates that COM object):

“HKEY_CLASSES_ROOT\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\InProcServer32”
“HKEY_CURRENT_USER\Software\Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\InProcServer32”
“HKEY_USERS\S-1-5-21-1439904799-1247934098-3846997294-1000\Software\Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\InProcServer32”
“HKEY_USERS\S-1-5-21-1439904799-1247934098-3846997294-1000_Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\InProcServer32”

After registering these keys, it restarts “explorer.exe” so that “install.ocx” is loaded into the new “explorer.exe” process, infecting it. “install.ocx” then loads “instructions.pdf/instructions64.pdf” into memory and xor-decrypts it with “\x14”. Finally, it jumps to the decrypted entry point to execute the malware.


From the decrypted “instructions.pdf/instructions64.pdf” in memory, the malware reads the 0x400 bytes of data at the end of the file. It searches that data for marker strings such as “AAAAAAAA”, “PPPPPPPP” and “BBBBBBBB” and extracts the data that follows each of them. Finally, it base64-decodes the extracted data and applies “add \x7a” and “xor \x19” to the result (Fig5).

Fig5: Decryption process


The table below shows the name of the data before/after decryption:


These strings are used as the domain name and the connection port of the C&C server.
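As an added example (not code from the original post or from Kaspersky), the following Python decoder reproduces the footer-parsing and decoding steps described above. It assumes that the add 0x7a and xor 0x19 operations are applied per byte, in that order, after base64 decoding, and that each encoded blob is terminated by a byte outside the base64 alphabet; the sample payload, its values and build_sample() are constructed for illustration.

```python
import base64
import re

# Marker strings searched for in the last 0x400 bytes of the decrypted payload (from the post).
MARKERS = (b"AAAAAAAA", b"PPPPPPPP", b"BBBBBBBB")
FOOTER_SIZE = 0x400
B64_RUN = re.compile(rb"[A-Za-z0-9+/=]+")


def xor_decrypt(data: bytes, key: int = 0x14) -> bytes:
    """Stage-1 decryption of dll.tmp / instructions.pdf: single-byte XOR with 0x14."""
    return bytes(b ^ key for b in data)


def decode_blob(b64: bytes) -> bytes:
    """Base64-decode, then per byte: add 0x7a (mod 256), then xor 0x19 (assumed order)."""
    raw = base64.b64decode(b64)
    return bytes(((b + 0x7A) & 0xFF) ^ 0x19 for b in raw)


def extract_config(payload: bytes) -> dict:
    """Return {marker: decoded value} for every marker found in the payload footer."""
    footer = payload[-FOOTER_SIZE:]
    found = {}
    for marker in MARKERS:
        idx = footer.find(marker)
        if idx < 0:
            continue  # marker absent: skip it rather than fail on a partial config
        run = B64_RUN.match(footer, idx + len(marker))  # base64 run right after the marker
        if run is None:
            continue
        found[marker.decode()] = decode_blob(run.group(0))
    return found


def encode_blob(plain: bytes) -> bytes:
    """Inverse of decode_blob; used only to construct test data (assumed, not from the sample)."""
    return base64.b64encode(bytes(((b ^ 0x19) - 0x7A) & 0xFF for b in plain))


def build_sample() -> bytes:
    """Constructed stand-in payload: opaque body plus a 0x400-byte footer of NUL-terminated blobs."""
    body = b"\x90" * 64
    values = (b"c2.example.invalid", b"443", b"campaign-id")  # constructed placeholder values
    footer = b"".join(m + encode_blob(v) + b"\x00" for m, v in zip(MARKERS, values))
    return body + footer.ljust(FOOTER_SIZE, b"\x00")
```

Running extract_config(build_sample()) yields the three decoded strings keyed by marker; an analyst can point extract_config at a memory dump of the decrypted payload to recover the C&C host and port without re-running the sample.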


Kaspersky products detect the malware as “Backdoor.Win32.Miancha.*” (Fig6).

Fig6: Kaspersky products detected “Backdoor.Win32.Miancha.b” in the sample


Why this free software was installed on a Monju PC remains unclear. The details remain undisclosed while the law enforcement investigation is ongoing. We will keep a close eye on the situation.
