Together with our partner CrySyS Lab, we have discovered two new, previously unknown infection mechanisms for Miniduke. These infection vectors rely on Java and Internet Explorer vulnerabilities to infect the victim's PC.
While inspecting one of the Miniduke C&C servers, we found files that were unrelated to the C&C code but appeared to have been prepared for infecting visitors through web-based vulnerabilities.
The page hxxp://[c2_hostname]/groups/business-principles.html is the starting point of the attack. It consists of two frames: one loads the decoy web page, copied from a legitimate website (http://www.albannagroup.com/business-principles.html), and the other performs the malicious activity (hxxp://[c2_hostname]/groups/sidebar.html).
Source code of business-principles.html
Decoy webpage loaded
The second page, “sidebar.html”, contains 88 lines, mostly JavaScript, and works as a primitive exploit pack. Its code identifies the victim's browser and then serves one of two exploits. It also reports the collected browser data to another script via a POST request to “hxxp://[c2_hostname]/groups/count/write.php”.
The exploits are located on separate web pages. Clients using Internet Explorer 8 are served “about.htm”; for other versions of Internet Explorer, and for any other browser capable of running Java applets, the JavaScript loads “JavaApplet.html”.
JavaScript code inside sidebar.html page
Java exploit
The page “JavaApplet.html” loads “JavaApplet.class”, which implements an exploit for the then recently disclosed vulnerability CVE-2013-0422. The code is very similar to the exploit module published in the Metasploit Framework, but the inner class that disables the security manager is encoded differently, most likely to evade detection. According to the server's HTTP headers, the applet was uploaded on February 11, 2013, a month after the Metasploit module was published and four weeks after Oracle's Security Alert for the vulnerability (January 13, 2013, fixed in Java 7 Update 11).
HEAD /groups/JavaApplet.class HTTP/1.1
Host: [c2_hostname]

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-Powered-By: ASP.NET
Date: Fri, 08 Mar 2013 06:18:04 GMT
Content-Type: application/octet-stream
Accept-Ranges: bytes
Last-Modified: Mon, 11 Feb 2013 09:50:31 GMT
ETag: "f794173b3d8ce1:e96"
Content-Length: 52408
The Java payload carries the complete second stage, a Win32 DLL encoded as a hex string. It decodes the binary and writes it to the Java temporary directory as “ntuser.bin”. It then copies the system file “rundll32.exe” into the same directory as “ntuser.exe” and runs that copy with “ntuser.bin” as its parameter, so the renamed rundll32 loads the malicious DLL. That DLL is the main Miniduke module, and it fetches its commands via the URL http://twitter.com/TamicaCGerald.
Tweet with an encoded MiniDuke command
(decoded command URL: hxxp://www.artas.org/web/)
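The drop described above (a byte-identical copy of rundll32.exe under another name, next to the DLL it is told to load) can be hunted on disk by hashing. The script below is an added example, not code from the original post or from Miniduke: it builds a reference set from trusted system binaries, walks scan roots for files that match a reference hash but carry a different name, and lists the .bin/.dll sidecars beside each hit. The directory tree it scans is constructed in a temp directory so it runs offline; in production the reference paths would be the real system binaries (for example C:\Windows\System32\rundll32.exe) and the scan roots the users' temp directories.

```python
"""Hunt for renamed copies of system binaries such as rundll32.exe (added example)."""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_reference_set(reference_paths):
    """Map SHA-256 digest -> canonical basename for each trusted system binary."""
    return {sha256_file(p): os.path.basename(p) for p in reference_paths}


def find_renamed_copies(scan_roots, reference):
    """Return hits for files that are byte-identical to a reference binary but
    carry a different name. Each hit lists sibling .bin/.dll files, the likely
    payload handed to the renamed rundll32 on its command line."""
    hits = []
    for root in scan_roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    canonical = reference.get(sha256_file(path))
                except OSError:
                    continue
                if canonical is None or name.lower() == canonical.lower():
                    continue
                sidecars = sorted(
                    f for f in files
                    if f != name and f.lower().endswith((".bin", ".dll"))
                )
                hits.append({"path": path, "is_copy_of": canonical, "sidecars": sidecars})
    return hits


def build_demo_tree():
    """Constructed data: a fake System32 holding rundll32.exe and a Java temp
    directory holding the renamed copy, the dropped DLL and a benign file.
    The file contents are stand-ins, not real PE files."""
    def write(path, data):
        with open(path, "wb") as f:
            f.write(data)

    base = tempfile.mkdtemp(prefix="miniduke_hunt_")
    sys32 = os.path.join(base, "System32")
    jtmp = os.path.join(base, "Temp")
    os.makedirs(sys32)
    os.makedirs(jtmp)
    fake_rundll32 = b"MZ" + b"\x00" * 62 + b"constructed stand-in for rundll32.exe"
    write(os.path.join(sys32, "rundll32.exe"), fake_rundll32)
    write(os.path.join(jtmp, "ntuser.exe"), fake_rundll32)            # the renamed copy
    write(os.path.join(jtmp, "ntuser.bin"), b"MZ" + b"\x00" * 62 + b"constructed stand-in for the DLL")
    write(os.path.join(jtmp, "jar_cache1234.tmp"), b"PK\x03\x04 benign jar cache entry")
    return base


def hunt(base):
    """Run the hunt over the demo tree: System32 is the reference, Temp the scan root."""
    reference = build_reference_set([os.path.join(base, "System32", "rundll32.exe")])
    return find_renamed_copies([os.path.join(base, "Temp")], reference)


if __name__ == "__main__":
    for hit in hunt(build_demo_tree()):
        print(f"{hit['path']} is a renamed {hit['is_copy_of']}; sidecars: {hit['sidecars']}")
```

Hash matching only catches copies that are byte-identical to the installed binary, which is what the post describes; a patched or older copy would need a check of the PE version resource (OriginalFilename) instead.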
IE8 exploit
The web page “about.htm” implements an exploit for Microsoft Internet Explorer 8. It uses a vulnerability discovered at the end of December 2012, CVE-2012-4792. The code is again very similar to the Metasploit version of the exploit, while the payload stage of the shellcode was written by the Miniduke authors, reusing the backdoor's code. The Metasploit module was released on December 29, 2012 and the vulnerability was officially fixed on January 14, 2013 (MS13-008), while the exploit page was uploaded on February 11, 2013.
HEAD /groups/about.htm HTTP/1.1
Host: [c2_hostname]

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-Powered-By: ASP.NET
Date: Fri, 08 Mar 2013 06:49:33 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Mon, 11 Feb 2013 09:50:47 GMT
ETag: "b98150443d8ce1:e96"
Content-Length: 3842
The shellcode downloads a GIF image from hxxp://[c2_hostname]/groups/pic.gif, then searches for and decrypts a PE file hidden inside it. That PE file also appears to be a modified build of Miniduke's main backdoor module, and it uses the same Twitter URL as the Java payload.
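Recovering the PE hidden in pic.gif is a carving job. The following is an added example, not code from the original post or from Miniduke: the post does not describe how the embedded PE is encrypted, so the carver tries the image as-is and then under every single-byte XOR key, a common first pass for an analyst, validating each candidate by the MZ header, a sane e_lfanew and the PE signature it points to. The sample GIF, the fake PE header and the key 0x5A are constructed here for illustration and are not taken from the real sample.

```python
"""Carve a plain or single-byte-XOR-obfuscated PE out of an image (added example)."""
import struct


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def find_pe_offsets(data):
    """Offsets of plausible PE images: 'MZ', a sane e_lfanew, and the
    'PE\\0\\0' signature where e_lfanew points."""
    offsets = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\0\0":
                offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets


def carve_pe_from_image(image, keys=range(256)):
    """Return (xor_key, offset, pe_bytes) for the first plausible PE found,
    trying the raw bytes first (key 0) and then each single-byte XOR key;
    None if nothing is found. pe_bytes runs to the end of the file."""
    for key in keys:
        candidate = image if key == 0 else xor_bytes(image, key)
        for off in find_pe_offsets(candidate):
            return key, off, candidate[off:]
    return None


def build_sample_gif(key=0x5A):
    """Constructed: a minimal 1x1 GIF89a followed, after the GIF trailer, by a
    fake 256-byte PE header XORed with `key`. Returns (image, gif_len)."""
    gif = (
        b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x80\x00\x00"  # header + logical screen descriptor
        + b"\x00\x00\x00\xff\xff\xff"                            # 2-entry global colour table
        + b"\x2c" + struct.pack("<HHHH", 0, 0, 1, 1) + b"\x00"  # image descriptor
        + b"\x02\x02\x44\x01\x00"                                # LZW min code size + one data sub-block
        + b"\x3b"                                                # GIF trailer
    )
    pe = bytearray(0x100)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)  # e_lfanew -> 0x80
    pe[0x80:0x84] = b"PE\0\0"
    return gif + xor_bytes(bytes(pe), key), len(gif)


if __name__ == "__main__":
    image, gif_len = build_sample_gif()
    key, off, pe = carve_pe_from_image(image)
    print(f"key=0x{key:02x} offset={off} (gif ends at {gif_len}) carved={len(pe)} bytes")
```

The carved buffer runs to end of file; trimming it to the real image size means parsing the section table of the recovered header, and a multi-byte or keyed cipher would need the shellcode's own routine rather than this brute force.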
Conclusions
We have discovered and analysed two previously unknown infection vectors that were used in the MiniDuke attacks. Although the exploits were already public at the time of the attack, they were still very recent and could have worked against the intended targets if those had not yet patched. As previously recommended, updating Windows, Java and Adobe Reader to the latest versions should provide a basic level of defence against the known Miniduke attacks. Of course, other unknown infection vectors may exist; we will continue to monitor the situation and update the blog with new data when appropriate.
Miniduke: Web Based Infection Vector