# 2015 2015 Insight in to a strategic web compromise and attack campaign against Hong Kong infrastructure. Revealing an attacker’s persistence, sophistication and aggression. |Col1|January 12 2015 2015| |---|---| ## January 12 # 2015 2015 D r a g o n T h r e a t L a b s H o n g K o n g Author: Dan ----- ### Contents Introduction ........................................................................................................................................ 2 Strategic web compromise ................................................................................................................. 2 First stage malware (Dropper component – “Swisyn” part 1) ............................................................ 4 Second stage (Decoder and loader – “Swisyn” part 2) ....................................................................... 6 Final stage (RAT – “PCClient”) ............................................................................................................. 7 Infrastructure & associations .............................................................................................................. 9 Detection & mitigation ..................................................................................................................... 11 Appendix ........................................................................................................................................... 14 Contact .............................................................................................................................................. 15 D r a g o n T h r e a t L a b s H o n g K o n g Page 1 ----- #### Introduction Over the past several months an increasing number of strategic web compromises (“wateringholes”) have been discovered on websites in Hong Kong. This rise in activity coincides with the Occupy Central protests. In this post we will talk about a single attack, whilst not trying to distract attention from the vast number of attacks and subsequent compromises that remain persistent in Hong Kong. Whilst going about our daily business we were alerted to a website that began serving a malicious payload alongside its usual web page. The initial investigation revealed that the attack and associated payloads are part of an ongoing attack campaign by an Advanced Persistent Threat group that is known to target various sectors of industry and Government in Hong Kong. In this instance we have chosen to obfuscate details of the compromised website to protect the identity of the victim. This website belongs to a private educational institution who, since being notified about the compromise, has removed the malicious executable and remediated the compromised of their server, thus breaking a crucial link in the chain of this attack. #### Strategic web compromise The website in question was implanted with some HTML code that simply reaches out to a secondary website and downloads malware. Whilst this in itself is not interesting the methodology used to obfuscate code and evade detection are. The underlying code in the first page that loads [exploits a vulnerability in Internet Explorer (CVE-2014-6332) and runs several scripts, each with](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6332) support for different operating systems and methods of downloading and executing a file from a website. The first script is obfuscated Visual Basic Script (“VBS”) By decoding this we can see the true intentions of the script – which opens a whole new can of worms. D r a g o n T h r e a t L a b s H o n g K o n g Page 2 ----- This code is extremely interesting because not only does it contain VBScript but also contains PowerShell script. Once running it uses an elaborate way to detect the operating system version and then selects whether to use VBScript or Powershell based on the result; VBScript for Windows XP and Powershell for newer versions of Windows. The Powershell script is compressed and Base64 encoded. By decoding this script we can determine its nature As you can see this powershell script simply extracts another VBScript and executes it. The VBScript then downloads the first binary payload into the user’s temporary directory and names it ‘plug.exe’. If the operating system version is too old to support Powershell then the script will attempt to use VBScript. This VBScript downloads the primary payload to the temporary directory and names it “z1.exe”. D r a g o n T h r e a t L a b s H o n g K o n g Page 3 ----- #### First stage malware (Dropper component – “Swisyn” part 1) The first binary payload that lands on the system is relatively simple and serves as a method of yet again detecting the operating system version and where to drop a secondary payload file. Whilst this binary is not complicated by nature it has been designed to masquerade as a legitimate application and contains functionality to evade anti-virus. This malware implant is commonly detected by anti[virus as Swisyn.](https://www.virustotal.com/en/file/143b17615314b43c3fd1b26d9432ce58298bec96981186023540670203b0b8d4/analysis/) Upon running this malware determines the operating system version, but only delineating between Windows XP, Visa and above. It appears that this functionality is included because the secondary payload comes in both 32bit and 64bit versions. Both of these second stage payloads are obfuscated but decoded with a simple bitwise operation as per below D r a g o n T h r e a t L a b s H o n g K o n g Page 4 ----- In this scenario, the secondary payloads can be decoded using a simple subtraction of 3 followed by an XOR of 3 from each byte. This file is then written to %User%\Application Data\Microsoft in a newly created folder name ‘wuauclt’. The filename depends on the operating system version, for Windows XP it is “clbcatq.dll”, for Windows Vista and above it is “profapi.dll”. Once this file has been written to disk a file from the Windows System32 folder is copied into the directory. This file, named ‘wuauclt.exe’, is the Windows update client interface and it a standard windows file. By executing this file in a specific manner it will load the freshly dropped DLL file – affectively this is known as DLL hijacking. Following this action another file, named ‘wuauclt.dat’, is written on to the disk under the same directory. This file is encoded and not decoded at this stage of the attack. To complete the file drop wuauclt.exe is executed. The 64bit version of this dropper is vastly similar in functionality although it offers slightly more efficiency in the code. The decoding routine is more simplified than its 32bit counterpart and the decoding key is hardcoded D r a g o n T h r e a t L a b s H o n g K o n g Page 5 ----- The following pseudo-code can decode both 32bit and 64bit versions of the DLL stored in ‘wuauclt.dat’ Not to dwell on a dropper, let’s move on to the second stage malware. #### Second stage (Decoder and loader – “Swisyn” part 2) The malware second stage is now loaded and running. Interestingly, this payload is also detected by [anti-virus as Swisyn. This DLL is again fairly simple and acts as a secondary dropper. It primarily](https://www.virustotal.com/en/file/f79392364595487a049d9ebce118781063225af00a57e80c6591c01a5ccc5b21/analysis/1420727554/) serves as a method of decoding one of the files dropped by the previous malware stage and creating a method to start the malware on system boot-up or user login. In order to do this the malware firstly decodes a file that was dropped by the previous stage – in this case it is “wuauclt.dat”. The decoding routine is again overly complex but ultimately amounts to a simple subtraction and XOR, again both of these operations are performed by the number 3, thus each byte is subtracted by 3 and then XOR’d with 3 D r a g o n T h r e a t L a b s H o n g K o n g Page 6 ----- Once this file has been decoded it is loaded into memory and executed. This file, once decoded is the third and final payload. The method of leaving the encoded file on disk and only decoding it in memory is to thwart poorly configured anti-virus or disk surface heuristic scanners. Finally to wrap up, an entry is created in the registry named ‘wuauclt’ is created under ‘HKCU\Software\Microsoft\Windows\Current Version\Run’ to ensure that this file is executed upon user-login. #### Final stage (RAT – “PCClient”) Finally we are left with a full payload. Unsurprisingly the 3[rd] and final stage of this part of the attack [is a fully fledged RAT (Remote Administration Tool), which is detected by anti-virus as PCClient. This](https://www.virustotal.com/en/file/debabe7707040b16172545fc174bd4ded36599ebd032a6f09baa2653b32e4f21/analysis/1420727848/) RAT allows the attacker to control the infected workstation and perform a vast array of administrative functions such as: - Downloading files to the infected workstation - Uploading from the infected workstation files to the attackers - Enumerate/list all connected drives such as network shares or external devices - Search the infected workstations hard drive for files - Deleting, copying and moving files on the infected workstation - Executing commands on the infected workstation A high-level view of the command structure gives us an idea as to how simple this functionality can seem, but does not turn away from how damaging the affects can be: D r a g o n T h r e a t L a b s H o n g K o n g Page 7 ----- Once the RAT has been loaded on the infected machine it begins calling out to the command and control server (“phoning home”) and waits for the attackers to issue one of the above commands to the victim. As we usually see with APT attacks the malware controllers use a specific ID to code their attack campaign, which in this case is ‘C00BBB’. Information about the victim system is collected and posted off to the command and control server. This information gives the attacker a brief description about the machine. The information consists of: - Machine hostname - Total amount of RAM memory - Operating system and service pack level - Attack campaign code This information is encoded using a simple bitwise operation and then sent to the command and control server. For example: **Unencoded data** **Encoded data** 44 45 4C 4C 2D 31 37 38 DELL-178 **BA B9 B2 B2 51 4D 47 46 º¹²²QMGF** 44 33 43 00 00 00 00 00 D3C..... **BA 4B BB 7E 7E 7E 7E 7E ºK»~~~~~** 00 00 00 00 00 00 00 00 ........ **7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~** 00 00 00 00 00 00 00 00 ........ **7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~** 00 00 00 00 00 00 00 00 ........ **7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~** 00 00 00 00 00 00 00 00 ........ **7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~** 00 00 00 00 00 00 00 00 ........ **7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~** 00 00 00 00 00 00 00 00 ........ **7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~** 35 31 32 4D 42 00 00 00 512MB... **49 4D 4C B1 BC 7E 7E 7E IML±¼~~~** 00 00 00 00 00 00 00 00 ........ **7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~** 00 00 00 00 00 00 00 00 ........ **7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~** 00 00 00 00 00 00 00 00 ........ **7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~** 57 69 6E 20 58 50 20 53 Win XP S **A7 95 90 5E A6 AE 5E AB §••^¦®^«** 50 33 20 28 42 75 69 6C P3 (Buil **AE 4B 5E 56 BC 89 95 92 ®K^V¼‰•’** |44 45 4C 4C 2D 31 37 38 DELL-178 44 33 43 00 00 00 00 00 D3C..... 00 00 00 00 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ 35 31 32 4D 42 00 00 00 512MB... 00 00 00 00 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ 57 69 6E 20 58 50 20 53 Win XP S 50 33 20 28 42 75 69 6C P3 (Buil|BA B9 B2 B2 51 4D 47 46 º¹²²QMGF BA 4B BB 7E 7E 7E 7E 7E ºK»~~~~~ 7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~ 7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~ 7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~ 7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~ 7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~ 7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~ 49 4D 4C B1 BC 7E 7E 7E IML±¼~~~ 7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~ 7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~ 7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~ A7 95 90 5E A6 AE 5E AB §••^¦®^« AE 4B 5E 56 BC 89 95 92 ®K^V¼‰•’| |---|---| D r a g o n T h r e a t L a b s H o n g K o n g Page 8 ----- 64 20 32 36 30 30 29 00 d 2600). **9A 5E 4C 48 4E 4E 55 7E š^LHNNU~** 00 00 00 00 00 00 00 00 ........ **7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~** 00 00 00 00 00 00 00 00 ........ **7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~** 00 00 00 00 00 00 00 00 ........ **7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~** 00 00 00 00 00 00 00 00 ........ **7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~** 00 00 00 00 00 00 00 00 ........ **7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~** 43 30 30 42 42 42 00 00 C00BBB.. **BB 4E 4E BC BC BC 7E 7E »NN¼¼¼~~** Whilst this may seem to make the data harder to recover it actually makes detection of the traffic easier. To decode the traffic a simple calculation can be performed by reversing the encoding operations. In this case the malware simply increases the initial encoding key by 1, then adds this value to each byte in the buffer and finally XOR’s each byte. Once again, the following pseudo-code can decode this data #### Infrastructure & associations During in the investigation we performed analysis of the infrastructure that this malware communicates with. On this occasion we have not been able to gain physical access to the command and control server as it is legitimate, but compromised production infrastructure. The graph below shows the flow in which various parts of the attack are loaded and how they chain together. |64 20 32 36 30 30 29 00 d 2600). 00 00 00 00 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ 43 30 30 42 42 42 00 00 C00BBB..|9A 5E 4C 48 4E 4E 55 7E š^LHNNU~ 7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~ 7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~ 7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~ 7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~ 7E 7E 7E 7E 7E 7E 7E 7E ~~~~~~~~ BB 4E 4E BC BC BC 7E 7E »NN¼¼¼~~| |---|---| D r a g o n T h r e a t L a b s H o n g K o n g Page 9 ----- D r a g o n T h r e a t L a b s H o n g K o n g Page 10 ----- #### Detection & mitigation This attack can be detected and/or mitigated at each stage. In order to help organisations protect themselves we have created a number of network IDS rules and disk-scan rules that can be used with Snort and Yara. Rules are provided in a best-effort basis and we cannot vouch for their efficiency in your environment. **Wateringhole code** ``` rule apt_win_wateringhole { meta: author = "@dragonthreatlab " description = "Detects code from APT wateringhole" strings: $str1 = "function runmumaa()" $str2 = "Invoke-Expression $(New-Object IO.StreamReader ($(NewObject IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(" $str3 = "function MoSaklgEs7(k)" condition: any of ($str*) } ``` **Swisyn** ``` rule apt_win_swisyn { meta: author = "@dragonthreatlab" md5 = "a6a18c846e5179259eba9de238f67e41" description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check." strings: $mz = {4D 5A} $str1 = "/ShowWU" ascii $str2 = "IsWow64Process" $str3 = "regsvr32 " $str4 = {8A 11 2A 55 FC 8B 45 08 88 10 8B 4D 08 8A 11 32 55 FC 8B 45 08 88 10} condition: $mz at 0 and all of ($str*) } ``` **Malware dropper 32bit** ``` rule apt_win32_dropper { meta: author = "@dragonthreatlab" md5 = "ad17eff26994df824be36db246c8fb6a" description = "APT malware used to drop PcClient RAT" strings: $mz = {4D 5A} $str1 = "clbcaiq.dll" ascii $str2 = "profapi_104" ascii $str3 = "/ShowWU" ascii $str4 = "Software\\Microsoft\\Windows\\CurrentVersion\\" ascii ``` D r a g o n T h r e a t L a b s H o n g K o n g Page 11 ----- ``` $str5 = {8A 08 2A CA 32 CA 88 08 40 4E 75 F4 5E} condition: $mz at 0 and all of ($str*) } ``` **Malware dropper 64bit** ``` rule apt_win64_dropper { meta: author = "@dragonthreatlab" md5 = "ad17eff26994df824be36db246c8fb6a" description = "APT malware used to drop PcClient RAT" strings: $mz = {4D 5A} $str1 = "clbcaiq.dll" ascii $str2 = "profapi_104" ascii $str3 = "\\Microsoft\\wuauclt\\wuauclt.dat" ascii $str4 = {0F B6 0A 48 FF C2 80 E9 03 80 F1 03 49 FF C8 88 4A FF 75 EC} condition: $mz at 0 and all of ($str*) } ``` **Encoded version of PcClient** ``` rule apt_win_disk_pcclient { meta: author = "@dragonthreatlab " md5 = "55f84d88d84c221437cd23cdbc541d2e" description = "Encoded version of pcclient found on disk" strings: $header = {51 5C 96 06 03 06 06 06 0A 06 06 06 FF FF 06 06 BE 06 06 06 06 06 06 06 46 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 EE 06 06 06 10 1F BC 10 06 BA 0D D1 25 BE 05 52 D1 25 5A 6E 6D 73 26 76 74 6F 67 74 65 71 26 63 65 70 70 6F 7A 26 64 69 26 74 79 70 26 6D 70 26 4A 4F 53 26 71 6F 6A 69 30 11 11 0C 2A 06 06 06 06 06 06 06 73 43 96 1B 37 24 00 4E 37 24 00 4E 37 24 00 4E BA 40 F6 4E 39 24 00 4E 5E 41 FA 4E 33 24 00 4E 5E 41 FC 4E 39 24 00 4E 37 24 FF 4E 0D 24 00 4E FA 31 A3 4E 40 24 00 4E DF 41 F9 4E 36 24 00 4E F6 2A FE 4E 38 24 00 4E DF 41 FC 4E 38 24 00 4E 54 6D 63 6E 37 24 00 4E 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 56 49 06 06 52 05 09 06 5D 87 8C 5A 06 06 06 06 06 06 06 06 E6 06 10 25 0B 05 08 06 06 1C 06 06 06 1A 06 06 06 06 06 06 E5 27 06 06 06 16 06 06 06 36 06 06 06 06 06 16 06 16 06 06 06 04 06 06 0A 06 06 06 06 06 06 06 0A 06 06 06 06 06 06 06 06 76 06 06 06 0A 06 06 06 06 06 06 04 06 06 06 06 06 16 06 06 16 06 06} condition: $header at 0 } ``` D r a g o n T h r e a t L a b s H o n g K o n g Page 12 ----- **In-memory version on PcClient** ``` rule apt_win_memory_pcclient { meta: author = "@dragonthreatlab " md5 = "ec532bbe9d0882d403473102e9724557" description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check." strings: $str1 = "Kill You" ascii $str2 = "%4d-%02d-%02d %02d:%02d:%02d" ascii $str3 = "%4.2f KB" ascii $encodefunc = {8A 08 32 CA 02 CA 88 08 40 4E 75 F4} condition: all of them } ``` **PcClient malware beaconing** ``` alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:"MALWARE – DTL ID 12012015 - PcClient beacon"; flow:established,to_server; content:"|BB 4E 4E BC BC BC 7E 7E|"; nocase; offset:160; depth:8; classtype:trojan-activty; sid:YOUR_SID; rev:20122014;) ``` **Malware domain** ``` alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE - DTL ID 12012015 - C2 Domain"; content:"|06|aoemvp|03|com"; classtype:trojan-activity; sid:YOUR_SID; rev: 20122014;) ``` **C2 server IP #1** ``` alert ip $HOME_NET any <> 45.64.74.101 any (msg:"MALWARE - DTL ID 12012015 – C2 IP Address"; classtype:trojan-activity; sid:YOUR_SID; rev: 20122014;) ``` **C2 server IP #2** ``` alert ip $HOME_NET any <> 103.229.127.104 any (msg:"MALWARE - DTL ID 12012015 - C2 IP Address "; classtype:trojan-activity; sid:YOUR_SID; rev: 20122014;) ``` D r a g o n T h r e a t L a b s H o n g K o n g Page 13 ----- #### Appendix The following artefacts were found during the investigation **MD5s** **Network artefacts** ``` a6a18c846e5179259eba9de238f67e41 c.aoemvp.com 55f84d88d84c221437cd23cdbc541d2e aoemvp.com a6a18c846e5179259eba9de238f67e41 lim.kiu@hotmail.com 279ef79f904476ba0f9f44c87358bb1f 45.64.74.101 42b76c0503a6bf21f1ea86e0b14d67ea 103.229.127.104 cff25fe24a90ef63eaa168c07008c2bb ad17eff26994df824be36db246c8fb6a f66b64ef984ac46ac7395358059979bc efd9dc39682312d6576468f5c0eb6236 ``` |a6a18c846e5179259eba9de238f67e41 55f84d88d84c221437cd23cdbc541d2e a6a18c846e5179259eba9de238f67e41 279ef79f904476ba0f9f44c87358bb1f 42b76c0503a6bf21f1ea86e0b14d67ea cff25fe24a90ef63eaa168c07008c2bb ad17eff26994df824be36db246c8fb6a f66b64ef984ac46ac7395358059979bc efd9dc39682312d6576468f5c0eb6236|c.aoemvp.com aoemvp.com lim.kiu@hotmail.com 45.64.74.101 103.229.127.104| |---|---| D r a g o n T h r e a t L a b s H o n g K o n g Page 14 ----- #### Contact For all questions relating to the publication or specifics in this document please contact us via one of the following methods: [Twitter: @dragonthreatlab](https://twitter.com/DragonThreatLab) [Website: http://dragonthreat.blogspot.hk](http://dragonthreat.blogspot.hk/) [Email: dragonthreatlabs@gmail.com](mailto:dragonthreatlabs@gmail.com) Kind regards, Dan Dragon Threat Labs D r a g o n T h r e a t L a b s H o n g K o n g Page 15 -----