
Analyzing the Malware Used in an APT Attack Targeting Several Government Organizations in Vietnam

Analyzing the dropper:

A fake email carried an attached document (MIME-Version: 1.0) containing code that exploited vulnerable software. The document used CVE-2012-0158 to install malware on the computer.

Figure 1. The document in the email was base64-encoded.

The shellcode decoded itself and saved a file named “xpsfiltsvcs.tmp” in the %TEMP% folder. It then added a value under the registry key “Software\Microsoft\Windows\CurrentVersion\Run\” with the data “rundll32.exe %TEMP%\xpsfiltsvcs.tmp,XpsRegisterServer”, so that the malware is executed when the computer starts.

Figure 2. The shellcode decoded itself using the XOR algorithm.

Analyzing the payload:

The payload was decrypted repeatedly with the XOR algorithm, using a different key for each value the malware required: information about the infected computer, the operating system version, the IP address, user information, the address of the control server, the version of the downloaded malware, and so on.

Figure 3. The XOR decryption function.

The link and the URL address used by this malware were XOR-encoded with the value 0x3D.

Figure 4. The URL address used by this malware.

This malware decrypted part of itself in memory while it was executing. This code was not detected by AV and made analysis harder. The executed code was decrypted by XOR with the value 0x2F.

Figure 5. The obfuscated code.

Figure 6. The code after decrypting the obfuscation.

After decryption, this code downloaded a file from http://xxsbea.padazusu.com:8080/bin/0423y/2.tmp, decrypted its functions and saved it to disk under the name “~DF[random]”. This is probably the latest version, and it uses rundll32.exe for execution in the same way as the older versions.

Figure 7. The new payload was downloaded and executed.

The attacker seemingly made a mistake when trying to execute the “RegisterServer” function, as this function did not in fact exist in the newly downloaded payload. Therefore, an error message appeared when the new payload was executed.

Figure 8. The error message that appeared when executing the new payload.

Analyzing the new payload and comparing it with the older payload:

The new payload was downloaded during the analysis, and the control server used in this attack was still active at that time.

Compared to the old payload, the new payload was completely rewritten. Its functions were changed completely and made more complex. In addition, it created a fake file named “MSOProtect.acl”. (ACL is a file extension for a list file used by Microsoft Office; ACL stands for AutoCorrect List. ACL files contain a list of corrections used across all applications of the Microsoft Office suite and are used for automated spelling and grammar corrections. ACL files can be edited from within the Microsoft Office suite, but are not intended to be edited directly.) To normal users, this file looks like part of the Microsoft Office software.

Figure 9. The new payload has the same icon as Microsoft Office software.

Figure 10. Comparing the old payload (right) with the new payload (left).

The contact addresses in the new payload were decrypted by XOR with the value 0x45. This malware connected to the following three domains:

  • oberusa.com
  • puzunkan.com
  • weiwugi.com

These domains resolve to the same IP address: 128.199.226.124.

The information sent to the server included the computer name, the MAC address in use and the IP address in the LAN. This data was then encrypted by XOR with the value 0x45.

Figure 11. The computer information was encrypted.

This information was saved to %TEMP%\~DF5P0YUTQ1YI016U42.TMP and then sent to the server using the POST method.
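Single-byte XOR, as used here for the URL (key 0x3D) and for the beacon data (key 0x45), is easy to undo once the key is recovered, and the key can be brute-forced from the decoded output alone. The following Python is an added example for analysts and is not code from the original analysis or from the malware; the beacon layout, the field values and the URL host are constructed for the example.

```python
import string
from typing import Optional

# Single-byte XOR is its own inverse: one routine both encodes and decodes.
def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

PRINTABLE = set(string.printable.encode())

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; real text scores near 1.0."""
    return sum(b in PRINTABLE for b in data) / max(len(data), 1)

def recover_xor_key(blob: bytes, marker: bytes = b"") -> Optional[int]:
    """Try all 256 single-byte keys; return the one whose output is almost
    entirely printable and contains the optional marker, else None."""
    best_key, best_score = None, 0.0
    for key in range(256):
        candidate = xor_bytes(blob, key)
        if marker and marker not in candidate:
            continue
        score = printable_ratio(candidate)
        if score > best_score:
            best_key, best_score = key, score
    return best_key if best_score >= 0.95 else None

# Constructed sample of a beacon body (computer name, MAC address, LAN IP)
# XOR-encoded with 0x45, as the post describes; the values are made up.
SAMPLE_BEACON = xor_bytes(
    b"HOST=WORKSTATION-07;MAC=00:1A:2B:3C:4D:5E;IP=192.168.10.23", 0x45)

# Constructed sample of a download URL XOR-encoded with 0x3D, as the post
# describes for the first payload; the host name is a placeholder.
SAMPLE_URL = xor_bytes(b"http://c2.example.invalid:8080/bin/update.tmp", 0x3D)

def decode_beacon(blob: bytes) -> Optional[dict]:
    """Recover the key, decode, and split a key=value;key=value beacon."""
    key = recover_xor_key(blob, marker=b"MAC=")
    if key is None:
        return None
    text = xor_bytes(blob, key).decode("ascii")
    fields = dict(part.split("=", 1) for part in text.split(";") if "=" in part)
    fields["xor_key"] = key
    return fields

if __name__ == "__main__":
    print(decode_beacon(SAMPLE_BEACON))
    print(recover_xor_key(SAMPLE_URL, marker=b"http"), xor_bytes(SAMPLE_URL, 0x3D))
```

The same routine can be run over strings carved from a sample or over a captured POST body; a blob that yields no key with a high printable ratio is either not single-byte XOR or not text.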

This malware searched the %TEMP% folder for .TMP and tmp[random].VBS files and deleted them. In the payloads we have obtained or tracked, we found no sign of a .VBS file.

Conclusion:

This malware was designed to attack computers running an old version of Microsoft Word, or one that had not been patched since 2012. Email was the commonly used attack vector.

Advice:

  • Install a newer version of Microsoft Word (Microsoft Word 2013) and keep the software patched.
  • Do not open documents from unknown sources. View the contents directly in your browser instead, to prevent malware from being installed on your computer.


Related information:

  • Control server information:
      Domain  gobox.oberusa.com
              updown.puzunkan.com
              billbuy.weiwugi.com
              xxsbea.padazusu.com
      IP      128.199.226.124

  • Sample files:
      #  Filename          HASH (md5)
      1  BCAn 13.5.doc     ee645914522c87a90306394cbd77abca
      2  xpsfiltsvcs.dll   efdfe9f3e406764da61bd8b91d94c911
      3  MSOProtect.acl    0d45259218493b2c8b7f783a3043a2e2
