On Feb 12th 2013, FireEye announced the discovery of an Adobe Reader 0-day exploit which is used to drop a previously unknown, advanced piece of malware. We called this new malware “ItaDuke” because it reminded us of Duqu and because of the ancient Italian comments in the shellcode copied from Dante Alighieri’s “Divine Comedy”.
Previously, we posted about another campaign hitting Governments and other institutions, named Miniduke, which was also using the same “Divine Comedy” PDF exploits.
In the meantime, we’ve come by other attacks which piggyback on the same high level exploit code, only this time the targets are different: Uyghur activists.
Together with our partner at AlienVault Labs, we analyzed these new exploits. For their blog, which includes Yara rules and industry standard IOC’s, please read [here]. For our analysis, please read below.
The new attacks
A few days ago, we observed several PDF files which carry the CVE-2013-0640/641 (ItaDuke) exploits. Some of the MD5s and filenames include:
d00e4ac94f1e4ff67e0e0dfcf900c1a8 .pdf (joint_letter.pdf)
The Kaspersky detection name for these exploits is Exploit.JS.Pdfka.gjc.
If the exploit is successful, the PDFs show a clean, “lure” document to the user:
The first document (2013-Yilliq Noruz Bayram Merik isige Teklip.pdf) refers to a New Years party invitation. The second one, “arp.pdf”, is an authorization to request a reimbursement, for a Tibetan activist group.
The comment block and the exploit is exactly the same among all analyzed PDF files. Interestingly, the “sHOGG” string obfuscation function from Itaduke has been removed. In addition, some of the obfuscation for variable initialization has been removed as well:
All documents drop the same malware, detected by Kaspersky as Trojan.Win32.Agent.hwoo and Trojan.Win32.Agent.hwop, which is interesting: this is one of the rare cases when the same threat actor hits both Tibet and Uyghur activists at exactly the same time. It is possible this was done in regards to a human rights conference which is taking place in Geneva between 11-13 March, 2013.
The PDF malware dropper creates a file named “C:Documents and SettingsAdministratorLocal SettingsTempAcroRd32.exe” and runs it. AcroRd32.exe has a PE compilation timestamp of “Wed Jul 11 05:39:45 2012”.
“AcroRd32.exe” contains an encrypted block with the final payload, an 8KB backdoor, which is dropped as “clbcatq.dll” and run via Windows Update. The block can be easily noticed inside the backdoor by a trained eye:
The block is encrypted with a simple xor + add algorithm. Here’s the decryption algorithm for the final payload:
a=key[i&7] + 6;
buf[i]=(buf[i]^a) + a;
The final backdoor (clbcatq.dll) is 9728 bytes in size. It was compiled on “Wed Jul 11 05:39:39 2012”. The backdoor connects to its C&C server and requests further data using HTTP GET requests. The response from the server is expected to be a slightly encrypted DLL, which is then loaded and called by exports “InfectFile” and “GetWorkType”.
For all the servers, the malware makes a request to “/news/show.asp”, using a custom agent string of “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”.
At the moment, all the domains point to the same IP address: 126.96.36.199. The server is located in China, in Shandong province:
The domains “micrsofts.com” and “hotmal1.com” appear to have been registered by the same person, although with very small differences in the registration data:
li wen li wen (email@example.com)
jiningshi, shandongsheng, cn 272000
P: +86.05372178000 F: +86.05372178000
li wen li wen (firstname.lastname@example.org)
shixiaqu, beijingshi, cn 272000
P: +86.02227238836601 F: +86.02227238836601
The command and control server will reply with a 300K backdoor, which is sent in encrypted form. Here’s how it looks as sent by server:
The encryption is a sub 0x11 followed by a xor 0x11. Once decrypted, we get the malware dropper, which was compiled on “Wed Jul 11 06:52:48 2012”. This “stage 2” malware dropper is heuristically detected by Kaspersky products as HEUR:Trojan.Win32.Generic.
The stage 2 dropper will install two files in system32wbem:
MSTD32.DLL – 31,880 bytes (MD5: 92f15c2b82e81e8ae47e361b3ecb5add)
MSTD32.DLL is signed by “YNK JAPAN Inc”, with a certificate that was revoked by the issuer:
This technique reminds us of the method used by the malware from the Tilded platform (Duqu, Stuxnet) for starting up (small signed loader which reads and executes main body kept in encrypted form).
Our colleagues from Norman have previously written (http://blogs.norman.com/2011/security-research/invisible-ynk-a-code-signing-conundrum) about this compromised certificate in relation to Hupigon and other malware.
The final stage malware is known by our products as Trojan.Win32.Swisyn and has pretty extensive functionality for data stealing.
We have previously published blogs about targeted attacks against Tibetan and Uyghur activists.
The threat actors behind these attacks are very active and continuously use new methods and new exploits to attack their victims. We have previously seen the use of CVE-2013-0158 or CVE-2010-3333, in addition to exploits for Mac OS X, taking advantage of CVE-2009-0563.
The PDF exploit originally discovered by FireEye is the first known exploit capable of bypassing the Adobe Reader X sandbox. Due to this advanced capability, it is extremely valuable to any attacker. Although it was probably developed for (or by) use of a nation state originally, we now see it being copied and reused by other threat actors. This is becoming a common procedure nowadays and we can expect more such piggybacking or exploit stealing in the future.