### Attackers That Target Critical Infrastructure Providers in Japan

## VOL.2 [2 0 1 6]


-----

-----

##### Attackers That Target Critical Infrastructure Providers in Japan

###### T A B L E O F C O N T E N T S

Introduction--------------------------------------------------------------------------------------------4

Daserf: What is it and how is it being used in targeted attacks?--------------5

Daserf: Operating environment and overview-------------------------------------------------------------------------------------------6

Characteristics of Daserf traffic----------------------------------------------------------------------------------------------------------------6

Detecting Daserf---------------------------------------------------------------------------------------------------------------------------------------8

Daserf: Who uses it?-----------------------------------------------------------------------------10


-----

# I N T R O D U C T I O N

######  This report provides information on the results of analysis regarding

 Daserf (a type of malware that is used in targeted attacks aimed at

 critical infrastructure providers in Japan) and the attackers using it.

  Japan has seen an increase in targeted attacks that use

 sophisticated methods to relentlessly attack the companies targeted.

 Especially, in June 2015, the Japan Pension Service sustained a

 targeted attack, resulting in the leakage of a huge amount of personal

 information. Thereafter, similar attacks against many organizations

 and companies in Japan, including local governments and universities,

 have been exposed, and the term "targeted attack" became widely

 known to the public. At the time of writing (June 2016), a large travel

 agency had sustained damage due to a targeted attack, announcing

 that it was very possible that personal information was leaked. The

 methods used in these targeted attacks have become more and

 more sophisticated. Thus, there is not just the risk that information is

 stolen from the company—there is also the serious risk of increased

 repercussions affecting business continuity.

  NISC[i] has reported that the number of attacks against critical

 infrastructure providers, including those related to information

 communication, finance, aviation, and electric power, has increased

 significantly from 124 in FY2014 to 401 in FY2015. As the Tokyo

 Olympics and Paralympics are scheduled for 2020, it is more likely

 that attacks against critical infrastructure providers and infrastructure
 related companies will further increase. Under these circumstances,

 through this report, more or less, we hope to contribute to the

 consideration of countermeasures against Daserf attacks.


-----

###### Daserf: What is it and how is it being used in targeted attacks?

Daserf is a type of malware that features a backdoor which is also known as a "Nioupale."

Although Symantec made a report on Daserf in May 2016 in its blog,[ii] until then, Daserf was

not widely known, as it had rarely been reported by security vendors. On the other hand, we

confirmed the presence of Daserf in targeted attack incidents from around January 2013, and

we have been continuing to analyze those incidents. Our analysis has revealed that Daserf

was being used by attackers targeting critical infrastructure in Japan and that there is a high

possibility that Daserf has been active while hiding in target organizations for a long period of

time.

**Figure 1 shows a graph that classifies the industries where Daserf was used in LAC-handled**

incidents. The right frame indicates critical infrastructure-related industries,[iii] accounting for

the majority, at 56%. The left frame indicates the manufacturers of equipment used in critical

infrastructure, and the graph shows that all the incidents are directly or indirectly related to

critical infrastructure. Furthermore, this shows a high possibility that, at least in Japan, attackers

have used Daserf to target critical infrastructure and their related companies.

**Transportation●** **●Electric power, gas,**

**22%** **23%** **and energy**

**Critical infrastructure-related** **44%** **56%** **Critical infrastructure provider**
**equipment vendors** **11%**

**22%**

**11%** **●Aviation and railroads**

**Machinery●** **11%**

**●Public administration**

**●Information communication**

**Figure 1 Organizations in LAC-handled targeted attack incidents**

**Figure 2 shows a timeline of Daserf-related incidents. In the timeline, the upper figure (in black)**

indicates a date (year and month) that an incident was handled, and the lower figure (in red)

indicates a date (year and month) when the malware was compiled or when the starting time of

the malware activities was recorded in the communications log. That is, the figure at the bottom

indicates an estimated date when the intrusion occurred. By comparing these two rows of dates,

it shows that it took a much longer time, from several months to approximately two and a half

years, for the targeted companies to identify any damage caused by the Daserf.


-----

The reason why it took a longer time to identify any damage is because Daserf disguised itself

(via a file name) as an official Windows program (such as msupdata.exe or mshelp.exe) or as an

Adobe product program (such as AdobeARM.exe or reader_sl.exe). It is difficult to distinguish such

programs running on a PC from illegitimate programs. For all the incidents detected, we found

RAR compressed files[1] containing confidential information, and attackers seemed to attempt to

steal confidential information from companies before any attacks are revealed.

###### Daserf: Operating environment and overview

Daserf runs on the Windows OS. As it features a variety of functions, such as file operations

(creation, deletion, search, etc.) and command prompt (cmd.exe) operation, it can perform any

operation on the infected PC. These capabilities are represented by file names (xxxxx.asp) hard
coded into the malware, and the operation performed depends on the instructions from the

attacker’s Command & Control (C2) server.

**Figure 3 File names hard-coded into malware**

###### Characteristics of Daserf traffic

Daserf mainly uses the HTTP POST request for communication with the C2 server, and it also

uses an HTTP GET request to establish a session. The procedure, from establishing a session

to starting communication, is as follows. First, Daserf uses an HTTP GET request to download a

GIF file from the C2 server (Figure 4). In reality, this GIF file does not contain any image that the

extension implies. Instead, it contains an XOR-encoded (exclusive OR) URL[2] using one byte.

**Figure 4 HTTP GET request used by Daserf to establish a session with a C2 server**

**1 Data compression file format  2 The XOR key depends on the type of malware used.**


-----

Then, it sends data to the C2 server by combining the URL with a file name hard-coded into the

malware (Figure 5).


###### 05


**Decoded URL** **File name**


**Figure 5 Destination of a C2 server communication identified by the decoded URL**


**Figure 6 shows the first HTTP POST traffic that occurs after the HTTP GET request in Figure**

**4. The sent data contains the ID of the infected PC and the Base64-encoded infected PC**

information (boxed text). By decoding the sent data, we can see that the character string includes

specific information, such as the host name and the IP address of the infected PC (Figure 7). The

character string contains an OS version of 6.1, which indicates Windows 7, and a locale ID of

1041, which indicates use of the Japanese language.


###### 06


**Figure 6 First Daserf HTTP POST traffic that occurred after establishing a session**


**Host name** **IP address** **OS version Locale ID** **Daserf version**


As LAC investigates several Daserf incidents, a special feature has emerged. Figure 8 (next

page) represents an excerpt from the results of Maltego[iv]-based analysis by identifying the IP

addresses of the Daserf traffic destination based on the domain names. It shows that multiple

arrows are directed toward two ellipses.[3] Both of the ellipses indicate an IP addresses managed

by South Korean carriers. The left one is managed by LG DACOM Corporation, and the right

one is managed by Korea Telecom. As far as LAC has confirmed, approximately 65% of the IP

addresses of C2 servers that Daserf communicates with, including this case, are owned by South

Korean companies. Based on this, there is a high possibility that the attackers using Daserf

utilized South Korean Internet service providers as their C2 server infrastructure. In addition, it

has been confirmed that there were a few IP addresses involving Japanese VPS (virtual private

server) service providers that were also used as C2 servers.

**3 The IP addresses identified at the time of the investigation may be different from the IP addresses being used**
**currently.**


-----

In addition, it was confirmed that there is a possibility that some of the C2 servers are likely

to have been designed to return contents only to users with the IP addresses that are being

targeted. As shown in Figure 9, a LAC PC intentionally infected with Daserf could resolve the C2

server domain name into an IP address, but it could not establish a TCP connection with the C2

server via C2 traffic (HTTP GET request). The attacker might have denied a connection request

from any non-target IP address on the C2 server to prevent contents from being downloaded so

that the C2 server was not easily recognized.


###### 09


Figure 9 C2 server name resolution


###### Detecting Daserf

A PC or server infected with Daserf can be relatively easily identified. Daserf generates HTTP

POST traffic to a specific ASP file on the C2 server approximately once every 10 seconds, in

order to establish a connection with a C2 server.[4] This results in a large amount of POST traffic

being generated from the same PC and being recorded in the proxy log, thus the infected PC,

etc., can be easily identified by periodically checking the proxy log for such traffic.


-----

A user agent assigned to the HTTP header for communication is hard-coded into the malware,

and a recent Daserf version uses "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)."[5] It

appears to be an official user agent for Internet Explorer (IE) 8, but if closely examined, it does not

have a character string of "Trident 4" assigned to it when IE8 is used.[v] Checking the proxy log for

the presence of such a user agent is another effective method.

If a PC that generates traffic to the C2 server is successfully identified, traces of Daserf could

possibly be detected by using the following means; that is, to use Autoruns[6] etc., in order to

check the registry values for startups[7] and the services[8] automatically executed upon Windows

startup. Figure 10 shows that Daserf uses a file name of Adobe ARM to execute AdobeARM.exe

upon startup.

Figure 10 Registry checking via Autoruns

**4 If a GIF file containing a URL is not obtained from the C2 server, Daserf will generate an HTTP GET request to the**

**GIF file approximately once every minute. The frequency of traffic generation depends on the type of malware used.**

**5 An older Daserf version uses “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1).”**

**6 Autoruns is a tool used to display a list of programs automatically executed when Windows starts up, and it is**

**distributed as part of Windows Sysinternals.**

**(https://technet.microsoft.com/ja-jp/sysinternals/default)**

**7 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\**

**Run**

**8 HKLM\SYSTEM\CurrentControlSet\Services**


-----

###### Daserf: Who uses it?

The iDefence Research Report (Wicked Rose and the NCPH Hacking Group)[vi] of 2007 from

VeriSign iDefense is only one of very few reports on Daserf. The report identifies Daserf (Daserf. A)

as one of the malware types used in a targeted attack in June 2006 by a Chinese hacking group

known as the "Network Crack Program Hacker (NCPH) Hacking Group," and the report suggests

that the hacking group is involved in creating Daserf.

Some of our investigations also revealed a vague image of who is attacking. Figure 11 shows

an official website of an overseas trading company that handles LED products, and it was used

as a C2 server by an attacker using Daserf. The displayed list of files in a CSS directory at the

website contains CSS files as well as PHP files. The attacker was able to somehow penetrate into

the trading company's Web server and install one or more files that the server administrator did

not intend to install.

Figure 11 List of files in the mentioned CSS directory

Our investigation showed that the feedcom.php file in the CSS directory was actually an

encrypted file, not a PHP file. In addition, decoding the encrypted file revealed that it was an

executable file, as shown in Figure 12.


###### Decoded


-----

The executable file that was decoded from the PHP file was not a malicious program such as

a malware, it was simply Notepad, which is included as standard (5.1.2600.5512 (xpsp.080413
2105)) in the Chinese version of Windows OS (Figure 13). We don't know the reason why the

attacker put the encrypted Notepad on the C2 server.

It should be noted that the comment.php file in the same CSS directory was likely to have been

used as some type of an access log, as it recorded dates and times, IP addresses, and user agents.


###### 13


Figure 13 Chinese version of Notepad


Next, let’s look at an overview of the attacker based on suspicious traffic that has been

infected with malware, including Daserf and Daserf-related malware. Figure 14 shows a summary

of the unauthorized communication in chronological order between September 15 and October

16, 2015. Of the two rows of arrows, the upper row indicates Japanese holidays, and the lower

row indicates Chinese holidays. The graph shows that an almost constant and small amount of

traffic occurred between September 28 and October 9, 2015. The period corresponds to the

2015 National Day of the People's Republic of China (October 1 to October 7), and the attacker

might have taken days off during that period, following Chinese culture and customs. We assume

the constant and small amount of traffic was caused by some beacon traffic generated by the

malware even though the infected PC was not controlled by the attacker during that period.


Japanese holiday

Chinese holiday

**Number of times that**
**suspicious traffic occurred**


###### 14

|Col1|Col2|Col3|
|---|---|---|
||||
|National Day o|f the||
|People's Republic of C|hina||
||||
||||
||||


Figure 14 Number of times infected traffic occurred between
the middle of September and the middle of October 2015

Up to here, we have focused on how the trends in traffic infected with Daserf-type malware

have changed over time. Next, look at how such infected traffic changed, depending on the

hour of day. Figure 15 (next page) shows a graph indicating how the amount of traffic changed,

depending on the hour of day, [9] between September 15 and October 16, 2015. The amount

of traffic was remarkably higher during the hours between 9:00 and 17:00 (enclosed in lines),

and the attacker is likely to have been operating the infected PC during that period. The hours

enclosed in lines are from 8:00 to 16:00, China Standard Time, and this almost corresponds to

work hours for general workers in China.

For the hours during which the attacker was active, the attacker might have adapted to

Japanese work hours. However, considering that days with a very small amount of traffic

correspond to Chinese holidays, the attacker is likely to have been following the local schedule.


-----

In addition, as will be mentioned in a later section, "Types of malware used by attackers," some

malware types used by attackers for a series of attacks are encrypted with a tool released

via a Chinese site. Although this is only speculative, we can say that such an accumulation of

fragmentary evidence provides a glimpse of who is attacking with Daserf.

###### Daserf: Modus operandi of attackers

In a targeted attack, the attacker uses various attack methods to penetrate a target

organization. An attacker sends an e-mail attaching Daserf disguised as a seasonal greeting to a

target and tricks the recipient to open the e-mail, thus causing an infection with malware. If the

e-mail recipient opens the attached file, a Flash animation as shown in Figure 16 will appear, and

behind the scenes, the malware (downloader type) will be executed.

Some of our investigations have revealed that the files attached to the e-mails are most

commonly a .zip file, which is uncompressed into an .exe file. The .exe file is disguised as a Flash

icon file for a New Year greeting, named " 新年アニメーション.exe" (Figure 17 on the next page).

If the file is executed, a Flash animation will appear, and behind the scenes, Daserf or another

different type of malware will be downloaded from a C2 server and executed (Figure 18, CASE A,

on the next page).

For all cases, the e-mail body text is unknown.

Largely, the downloader was compiled in late December. It is possible that the attackers sent

targeted e-mails, taking advantage of events like Christmas or New Years.


###### 16


**Figure 16 will appear, and behind the scenes, the malware (downloader type) will be executed.**


-----

###### 17


**Figure 17 Executable file named “新年アニメーション.exe”**


Malware infection is not limited to the method of sending a .zip file with a compressed .exe to

targeted users. We consider it likely that attackers also use a method of exploiting CVE-2015
2545, a Microsoft Office vulnerability (Figure 18, CASE B). This is because Gofarer, which

Symantec Corporation reported as a type of malware for downloading Daserf, is similar to the

type of malware (downloader) dropped after exploiting the CVE-2015-2545 vulnerability. Figure

**19 shows the results of comparison between Gofarer and the code that creates a Mutex of**

the dropped malware type. The Mutex naming conventions are similar. In addition, each type of

malware uses code to obtain access to the startup folder via the SHGetSpecialFolderPathAv[iii]

Windows API for obtaining a special folder path, and creates malware in the startup folder, as

shown in Figure 20 (next page). Therefore, these two different downloaders seem to have likely

been used by the same attackers.


**Gofarer**

**Downloder after application of CVE-2015-2545**


-----

###### 20


**Figure 20 Obtaining access to the startup folder via SHGetSpecialFolderPathA**


Kaspersky Lab[ix] reported that the attacking code exploiting the CVE-2015-2545 vulnerability

was used by more than one attacker. As reported by FireEye,[x] also in Japan, an Office document

file exploiting the vulnerability was confirmed at the end of November 2015. LAC also confirmed

that an organization of a specific industry received a copy of the same Office document file at the

same time, and most likely, it’s a targeted attack against a specific industry.

###### Types of malware used by attackers

An attacker using Daserf uses more than one type of malware, downloader, or hacking tool for

command control. DATPER, [xi] which is a type of malware for command control, uses an HTTP

GET request for communication with a C2 server. Command execution results and information

about infected PCs are encrypted, and then the data is sent as a query string to the C2 server

(Figure 21).


###### 21


**Figure 21 HTTP GET request from DATPER**


DATPER encodes the data to be sent with XOR encoding and custom Base64 encoding, and

then compresses the data via the RtlCompressBuffer[xii] Windows API used for data compression.

The XOR encoding uses a key[10] based on data (enclosed in lines in the figure), as shown in

**Figure 22, and the custom Base64 encoding uses the Base64 conversion table shown in Figure**

**23. Depending on the type of malware, the data to be sent may only be encoded with XOR**

encoding and custom Base64 encoding, without being compressed with RtlCompressBuffer.

**Figure 22 XOR key table**

**10 This may vary, depending on the type of malware.**


-----

**Figure 24 shows the result of decoding a portion of the character string as shown enclosed in**

lines in Figure 21. The VMPC-123 that appears in the portion enclosed in lines within the figure

indicates the host name of an infected PC.

**Figure 23 Custom Base64 conversion table**

**Figure 24 Result of decoding the sent data**

For downloaders, in addition to Gofarer, a VB script-based malware type has also been

confirmed. This malware type is encrypted as shown in Figure 25, with an encryption tool

released at a sitexiii in China. Figure 26 on the next page shows part of the result of decoding

the VB script, and it indicates that an Internet Explorer object is used to generate traffic.


-----

For hacking tools, in addition to a publicly available tools such as mimikatz and gsecdump, there

is also the possibility of upload or tunnel tools being independently created by the attacker.

Such an upload tool, as per our confirmation, searches the current directory for files with the

.rar extension. The upload tool uploads a found .rar file to a URL (www.lac.co.jp, in this example)

specified for an argument (Figure 27).


###### 27


**Figure 27 Execution of upload tools independently created by an attacker**


The upload tool uses HTTP POST traffic to upload data to www.lac.co.jp (Figure 28). The sent

data consists of "file name###file contents" and is encoded with both XOR encoding and custom

Base64 encoding. The decoded data is "lac.rar###lac". The attacker is likely to have used Daserf

in combination with their own tool and to have sent an RAR file containing stolen confidential

information to a C2 server managed by the attacker.


###### 28


**Figure 28 HTTP POST traffic used by an upload tool**


-----

#### Conclusion

As described above, an attacker using Daserf uses multiple malware types including Daserf itself

and can continue to be active while hiding for a long period of time, in order to steal confidential

information from a target organization. As far as we can guess, based on Daserf incidents

handled by LAC, attackers have launched attacks against critical infrastructure at least once a

year, and will not stop attacking in the future. We hope that this report helps our customers to

consider future countermeasures under these circumstances.

You can identify the scope of damage and leaked data caused by Daserf. We recommend that

you make daily records of the logs of proxy server traffic and DNS server traffic[xiv], etc., as these

are needed to analyze the malware type for which a trace can be identified in incident handling

and to decode the traffic encrypted by the malware type being used. In addition, traffic packets

should also be logged via a switching hub or router port mirroring, although there are disk space

and system load concerns.

LAC will continue to investigate the attackers behind Daserf and will widely share helpful

information with our customers.

###### Indicator of Compromise（IOC）

 MD5


11c5664bb5ea536676735efff333e2e2

27ad4f54563038b7a90e66444bf7146e

422450b14ad728a3b40dee3c4a48b53f

48efa1dbc5dfc59df0c34b13a96cbd5c

491b4a8912cf5c1554ce8807f7889d4b

5c242fab2d222848755dadfbd29f7176

5dd701d2df35c2a75d1ed5ad75ded06d

765017e16842c9eb6860a7e9f711b0db

7c91dcc66f6d0c31d6e36bb2869c0622

80cc4ac026fa5d5b6f0ae82d19126ea4

8979b840eb5a9a5d84f3da7843859bd5

975f512e59ae2e592ba8e2c657bcb3fc

9b7ccca8af5fd30e8e3706fdf4419653

###### Traffic destinations


9be919143ed3d33e713242ebe5923a89

9faf0d22bbb0e837ed750435d4c01431

a77a25fb8112dc5f8a2feac0413d5f58

b2ef0baef194f5c0044cfe5b6c5f321b

bbd6fceba90efdbdbe22f11af9199321

c35e99e48a4e81d43e66355a202f8902

caafc4b6154022e7d50869d50d67148a

d3031438d80913f21ec6d3078dc77068

dbb4415b7ba646fd6272e18311f43c10

df44fab5096630133b4159e5c196e9b4

f4ab35f4f8569a446eba63df68ab8d97


-----

###### Sources

**[i… ……… http://www.nisc.go.jp/active/kihon/pdf/jseval_2015.pdf](http://www.nisc.go.jp/active/kihon/pdf/jseval_2015.pdf)**

**[ii………… http://www.symantec.com/connect/ja/blogs/tick](http://www.symantec.com/connect/ja/blogs/tick)**

**[iii………… http://www.nisc.go.jp/active/infra/pdf/cc_ceptoar.pdf](http://www.nisc.go.jp/active/infra/pdf/cc_ceptoar.pdf)**

**[iv………… https://www.paterva.com/web7/buy/maltego-clients.php](https://www.paterva.com/web7/buy/maltego-clients.php)**

**[v………… https://msdn.microsoft.com/ja-jp/library/dd371735%28v=vs.85%29.aspx](https://msdn.microsoft.com/ja-jp/library/dd371735%28v=vs.85%29.aspx)**

**[vi………… http://krebsonsecurity.com/wp-content/uploads/2012/11/WickedRose_andNCPH.pdf](http://krebsonsecurity.com/wp-content/uploads/2012/11/WickedRose_andNCPH.pdf)**

**[vii… …… https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2545](https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2545)**

**[viii……… https://msdn.microsoft.com/en-us/library/windows/desktop/bb762204(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/windows/desktop/bb762204(v=vs.85).aspx)**

**[ix………… https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-](https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/)**

**[threats/](https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/)**

**[x………… https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html](https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html)**

**[xi………… http://about-threats.trendmicro.com/Malware.aspx?name=BKDR_DATPER.A](http://about-threats.trendmicro.com/Malware.aspx?name=BKDR_DATPER.A)**

**[xii… …… https://msdn.microsoft.com/en-us/library/windows/hardware/ff552127(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/windows/hardware/ff552127(v=vs.85).aspx)**

**[xiii……… http://www.52pojie.cn/thread-147071-1-1.html](http://www.52pojie.cn/thread-147071-1-1.html)**

**[xiv……… http://www.lac.co.jp/blog/category/security/20160316.html](http://www.lac.co.jp/blog/category/security/20160316.html)**


-----

-----

###### LAC Co., Ltd. CYBER GRID Laboratory


-----