# The MsnMM Campaigns **The Earliest Naikon APT Campaigns** **Introduction** Over time, the Naikon APT appears to have used specific toolsets against organizations within a designated country, as though each campaign was focused on one country. There is sometimes crossover between campaigns in several ways: the backdoors they deliver, the infiltration techniques, and the overall infrastructure. Backdoor functionality can also cross campaigns and tools. For example, sometimes we see an “inject” variant dropping a “sys10” backdoor. Or a naikon backdoor dropping a rarstone backdoor. Again, this particular actor is responsible for the MsnMM and Naikon campaigns deploying the following backdoors and tools: - sslMM - winMM - exe_exchange - wininetMM/sakto - inject - sys10 - xsControl/naikon and plugins - rarstone - second stage tools The Naikon group also deployed a lesser-known set of second stage tools. They mixed together legitimate system administration tools with offensive network reconnaissance tools, including a custom network and service scanner and an attack codeset based on old Honker Union codebase shared on Chinese-speaking forums. See “Second Stage Tools”. For years, Naikon downloaders/backdoors were delivered to victim systems with kit-produced CVE-2012-0158 spear-phish. This exploit builder kit was shared amongst multiple APTs, because we see the same exploits dropping tools from various groups. Many of these exploit attachments were blocked by our advanced exploit protection (AEP) on customer systems in Vietnam, Myanmar, the Philippines, and organizations related to the energy sector in these and other ASEAN nations. Some of these backdoors and spear-phish activities also showed up in the Hardore Charlie CEIEC dump. In Jan 2014, we observed in some targets the increase of “right-to-left-override” (RTLO) naming schemes for initial payload delivery. In addition to its custom toolset, it appears to test freely-distributed tools - in December 2013, it pushed out “Everything32” to victim systems, and TeamViewer was used as well. It is likely that the group faced difficulties when it came up against anti-malware products and tried abusing legitimate tools for anti-malware evasion. Finally, this threat actor deploys a custom pdf binding tool, to add to its effective but low-tech toolset. ----- The Naikon attackers can be, and in fact have been precise in social-engineering their targets. Data collection prior to an attack may have included the following data points: - full names - email addresses and status (active or inactive) - date of birth and age - interests in current events - nationality - gender - previous email and social network communications to and from a target - language spoken Victims of the early campaigns were located mostly throughout Myanmar, Vietnam, Singapore, Laos, Malaysia, and the Philippines. There are other locations where Naikon’s victims can be found, but these countries stand out. To get in to target networks, the Naikon APT relied on email as an attack vector. It first compromised victim systems using common spear-phishing techniques, Such as cve-2012-0158 exploit attachments, attachments altered with RTLO techniques, and a combination of icon-spoofing and name padding for executables. The MsnMM campaigns featured ripped images and documents re-used for spear-phish decoys, and we see that technique reapplied throughout other Naikon APT campaigns. The winMM components were also delivered to Myanmar victims throughout mid-2013 using RTLO and icon-spoofing techniques and sometimes even simpler icon spoofing+double extension+extra spacing in attachment filenames. For example, many of the Backdoor.Win32.MsnMM.i (winMM) executable filenames maintained almost 200 spaces, looking like this: “letter to Gov office.doc .exe” The Naikon APT used multiple backdoors presenting a variety of behaviors over time, but clusters of indicators were fairly consistent into 2015. **Shared Exploit Generation Kit** It’s interesting that what appear to be multiple campaigns and crews all use a kit that generates CVE-2012-0158 exploits embedded with arbitrary backdoors for spear-phishing. One of the interesting characteristics of the Naikon APT’s kit-produced shellcode is its runtime function offset calculations and control flow are built to jump past behavior-based protection and sandbox analysis. Each of the win32 api shellcode calls are carefully executed to land just past function hot patch space and prologues, evading user mode trampolines and hooks. MsnMM, Naikon and Rarstone backdoors were generally delivered with stock 0158 exploits. Some dropped iph.bat and an “iExplorer.exe” that began with a “WMcal” parameter and profile.dat executable blob loaded into a running IE process. Other APTs use this kit as well. We found Stone Panda Poison Ivy samples delivered with the same CVE-2012-0158 exploits, ----- dropping iph.bat and iExplorer.exe, and running the “iExplorer.exe WMcal” executable filename and parameter. Finally, we found another exploit builder’s template used to attack Korean-speaking targets. It was used across this group and others for building CVE-2012-0158 files, sharing the common author “Tran Duy Linh”. **Shared Strings, Functionality, Targets, and Infrastructure across Campaigns** Multiple Naikon tools used in multiple campaigns shared strings, functionality, a deployment and content focus on ASEAN organizations and other organizations doing business with them, and the infrastructure itself. Let’s examine some of the toolset’s shared strings and functionality, then move on to shared infrastructure. **Similar strings** While the Naikon backdoor maintained the user-agent string “NOKIAN95/WEB”, it also maintained a debug path f:\MyProjects\xServer\Release\xServer.pdb Also, the Naikon backdoor’s matching management software is called “xsControl”. Plugins for the Naikon backdoor included a screenshot grabber named xsAdv.dll, and a single export “XS_Screencap”. This debug path in Naikon backdoors is very similar to the debug path maintained in Rarstone backdoors: g:\MyProjects\xsFunction\Release\DLL.pdb The MsnMM campaign backdoors all maintain an “MM” internal name, and the functionality changes when comparing them: WinMM WininetMM SslMM A more recent oddity from this group includes a WinMM dropper with the internal name “Zhixin”, creating a recently compiled Sys10 backdoor. Some “MM” executables maintained debug strings across versions and families: J:\chong\new\Release\SslMM.exe and J:\chong\nod\Release\SslMM.exe **Shared infrastructure** ----- Now, let’s take a look at some of the shared infrastructure that helps to tie all of these campaigns together. MsnMM backdoors and naikon backdoors share portions of infrastructure across campaigns. For a quick example, early msnMM backdoors like sslMM, and one of the later tools, exe_exchange, share some domains with the nokian95 (naikon) and sys10 backdoors. There is much crossover: Here, you can see a table recording domains that are shared across the backdoors for command and control infrastructure. exe_exchang sys10 winMM sslMM wininetMM/ xsPlus/naikon e sakto ahzx.eicp.net yes yes yes mncgn.51vip. yes yes yes biz bkav.imshop.i yes yes n ubaoyouxiang yes yes yes yes .gicp.net googlemm.vic yes yes p.net myanmartech yes yes yes .vicp.net **Correlating Target Profiles with Spearphish and Decoy Content** One of the most striking characteristics of this APT is that its targeting interest is revealed by its spear-phish and decoy content. Malicious actors of all stripes, including cybercriminals, have for at least the last ten years abused “hot topics” in their social-engineering content to better attract and mass-exploit victim systems. It’s a pretty worn-out discussion. What is different about the Naikon APT’s use of hot topics in spear-phish and decoy content is that reveals its specific victims and how these change over time. Precision social engineering seems to be an elevated skill set for the group. A few of the most interesting examples of such content include: a UN discussion and vote on nuclear proliferation and disarmament, the MH370 flight, and construction on the Raytheon-built National Coast Watch Center in PH. For example, in the second week of October 2012, during the gang’s intense ongoing focus on SE Asian countries like Cambodia and its diplomats, we find a winMM backdoor detected as "Trojan.Win32.Agent.udtc" in New York City. This verdictidentified the Naikon APT’s backdoor |Col1|exe_exchang e|sys10|winMM|sslMM|wininetMM/ sakto|xsPlus/naikon| |---|---|---|---|---|---|---| |ahzx.eicp.net|yes|yes|yes|||| |mncgn.51vip. biz|yes|yes|yes|||| |bkav.imshop.i n||yes||||yes| |ubaoyouxiang .gicp.net|yes|||yes|yes|yes| |googlemm.vic p.net|||yes||yes|| |myanmartech .vicp.net|||yes|yes||yes| ----- on the victim system. The timing is uncanny because, in that same week speeches and views on nuclear disarmament and non-proliferation were presented by SE Asian country delegates to the United Nations in New York City. An example of such a [talk is here; a naikon decoy’s](http://www.un.org/disarmament/special/meetings/firstcommittee/67/pdfs/11%20Oct%20GD%20Cambodia.pdf) content was strikingly similar: MsnMM campaigns most commonly presented spear-phish exploits targeting CVE-2012-0158. A listing of screenshots in Appendix A reveals the variety of content and themes, all related to events and topics in the ASEAN region. Example titles include: |Letpadaung copper mine.doc|Myanmar Wanbao to commence construction of Letpadaung project|December 2014| |---|---|---| |nuclear agreement burma.doc|Burma Signs New Nuclear Deal With IAEA|September 2013| |ALP Statement on Present Illegal Bangali Problem inside Arakan.doc|ALP statement on present illegal Bangali problems inside Arakan [pdf]|December 2012| |Calendar Misslao 2013 Free.doc|Miss Lao Calendars|January 2014| |ASEAN and Partners Firmly Committed to Narrowing the Development Gap.doc|ASEAN and Partners Firmly Committed to Narrowing the Development Gap|April 2013| |refer to the 11th ACD Ministerial Meeting.doc|Asia Co-operation Dialogue eyes peace|December 2013| |Asia’s Military Developments.doc|Asia’s military developments|November 2013| ----- The following example’s content was crafted to appear like a legitimate international agreement discussion. After the malicious document is opened and successfully exploits CVE-2012-0158 on the victim workstation, the exploit code drops and opens this decoy Word document: This next example is written with the Laotian Phetsarath OT font, a decoy attempt to be a legitimate Daily News Brief from the Laotian Foreign Ministry of Affairs. It demonstrates the group’s intentions to hit targets in Laos: ----- Appendix A contains many more example document titles and screenshots. The themes and content that would appeal to politically-interested individuals in various parts of the world quickly become obvious. In addition to a high volume of files exploiting CVE-2012-0158, the MsnMM attackers for a brief period used RTLO (right to left override) techniques, and then attachments exploiting CVE2010-3333. An example of RTLO that creates and opens this decoy document to camouflage its malicious background activity, then dropping and executing MsnMM backdoors on its victim system: UNFC_Statement_final_rcs.pdf ----- **Naikon APT MsnMM Campaign Backdoors and Lateral Movement Toolset** **SslMM** |MD5 – Filename|File Size|Compilation date|Linker version| |---|---|---|---| |7b1199523a662a3844ba590f83b56dae - %temp%\conime.exe|77,824 bytes|2013:01:31 01:25:38+00:00|6.0| ----- The MsnMM gang built and released many more variants of their sslMM creation. The code is a full-featured backdoor. Each variant of this tool starts by attempting to create a socket, and then creates a new thread implementing a fairly complicated keylogging facility not often seen, using Windows Keyboard Accelerators. Online code demonstrates the technique here: http://thronic.com/Win32%20Keylogging/ The backdoor retrieves a large number of victim system data points, which it then uses to check in to its hardcoded C2. The backdoor reports system identification information both to present the victim’s identifying information and to fingerprint the system for asset management: - OS version - Service pack information - Processor speed - System name - Logged-on user name - OS install date One of its more interesting features is the ability to fetch and use certificates from the “My” store on Windows systems. The “My” certificate store is created on a per-user basis, and this is where users’ certificates are stored. It is reserved for each user for signing and decrypting data and encrypting network communications. Feature list: - Victim fingerprinting and performance sensitivity - system configuration collection - Persistence - immediately identifying the Start Menu Startup directory and dropping a LNK to its own executable disguised as a “Office Start”, “Yahoo Talk”, “MSN Gaming Z0ne”, or “MSN Talk” shortcut - Configurable network settings - both a primary and backup C2 string is hard-coded in each backdoor. At this point, we are aware of almost 50 domains and unique IP addresses used to host C2 - Keylogging facility - Windows Accelerators with hidden window and lengthy Accelerator table - Flexible network connectivity - proxy support for use with victim systems situated behind isolated networks - GET and POST network code for exfiltrating system information - Log file capabilities - File search and file write primitives - identifying and collecting sensitive ondisk information - Download and execute further arbitrary downloads - Arbitrary inter-process launch and communication through named pipes - Process privilege and token adjustments - Anti-malware kill-process identification and termination - Digital Certificate stealing and reuse for stealth SSL communications - Network server listener ----- **WinMM** **MD5 - Filename** **File Size** **Compilation date** **Linker** **version** c8c81cca4645e71213f2310cec6c277d - 118,784 2012.11.01 6.0 %temp%\wuauc1t.exe bytes 00:53:49 WinMM is a full-featured, simple backdoor. Its first actions upon installation are to collect user and system data and report them back to the C2 over http. It uses NetUserGetInfo to identify that it is running under an “Admin” account on the local system, then retrieves the system name and the version of the operating system that is running, including its service pack, and collects the system install date from the registry: \\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate. These values are built into a single string for reporting. SslMM also maintains this code chunk and functionality but does not immediately invoke it like winMM. Also interesting and different from sslMM, are the decoy Word documents dropped by many of the winMM droppers. Images of these documents are shown in the Appendix. The documents are all written and formatted with a specially developed Myanmar2 True Type font, demonstrating the focus on politically-connected, native Myanmar speakers as targets. This font is not delivered by default with Microsoft Office. Instead, it must have been specifically installed by the attackers and then by the victims, otherwise the documents would not have displayed properly. The backdoor maintains multiple primitive functionalities: Setting a WH_CBT Windows hook for full activity spying (sslMM does not maintain this hooking functionality): - File search and capture - Process creation - Keystroke capture The backdoor is usually configured with primary and backup domains for C2 communications, although there are multiple known samples that maintain an IP address or only a single domain for communications with no backup. Communication is built to appear as though a web browser is simply making a request to a remote web server. Some of these backdoors are configured to use an unusual port for encrypted communications. **exe_exchange (used in attacks prior to ~2012)** |MD5 - Filename|File Size|Compilation date|Linker version| |---|---|---|---| |c8c81cca4645e71213f2310cec6c277d - %temp%\wuauc1t.exe|118,784 bytes|2012.11.01 00:53:49|6.0| ----- |MD5 – Filename|File Size|Compilation date|Linker version| |---|---|---|---| |6a82c153bd370250cc2fed89f1bb5c91 - %temp%\services.exe|69,632 bytes|2012-03-13 07:54:19|6.0| **INJECTv1/INJECTRESOURCE** **MD5 – Filename** **File Size** **Compilation date** **Linker** **version** b295274423c91ad9e254475bf8edd459 159,744 May 27, 2013 - wmiprive.exe bytes **The xsPlus/nokian backdoor and keylogger** **MD5 – Filename** **File Size** **Compilation date** **Linker** **version** d86106faaa398b8d83437176bf5e39c4 281,624 2011.12.19 6.0 bytes 08:06:30 In 2014 the Naikon gang was found to be using another tool that maintains an internal name “xsPlus” and “xsControl”. This builder and its backdoors produce components with the “NOKIAN95/WEBx” user-agent strings, for which there are multiple versions. Its functionality is covered in our previous Naikon APT post. **Naikon and minor links with APT30** Another interesting aspect of the backdoor builder is that it also provides a keylogger plugin that is used on specific victim systems. And here there are minor, but striking, similarities with the APT30 tools. Callback sessions for stolen data include these URLs: ``` POST /stonehoof.rar/user=xxx&password=xxx GET /stonehoof.rar/user=xxx&password=xxx ``` |MD5 – Filename|File Size|Compilation date|Linker version| |---|---|---|---| |b295274423c91ad9e254475bf8edd459 - wmiprive.exe|159,744 bytes|May 27, 2013|| |MD5 – Filename|File Size|Compilation date|Linker version| |---|---|---|---| |d86106faaa398b8d83437176bf5e39c4|281,624 bytes|2011.12.19 08:06:30|6.0| ----- Some of the collector components upload data in SQLite3 format, while earlier versions of the tool upload xml formatted data. Presenting a similarity with the APT30 artifacts, their callback domains included stonehoof.com, hosted on several IPs during the naikon campaigns. This name is very unusual, and it is an odd coincidence that it is shared by two geopolitically-focused cyber-espionage groups, both targeting the South China Sea region. APT30 - stonehoof.com 2012-10-07 208.77.46.251 174.36.159.165 2013-04-03 174.36.159.165 219.90.115.251 2013-04-14 219.90.115.251 174.36.159.164 While the MsnMM components include the unusual “MM” in internal names sslMM, winMM, and wininetMM, some of the strings in the APT30 GEMSTONE software include the same – search and retrieval of the registry key “Software\Microsoft\GetMM”, and three function names “MicrosoftGMMExit, MicrosoftGMMHaveExit, MicrosoftGMMZJ”. The APT30 BACKSPACE backdoor also contains a similar potential target reference, as discussed in the FireEye paper. “BACKSPACE Variant Path Possible Target ZJ Auto (version 1.4) /autoMM/ Myanmar” So, the “MM” shared by both of these may be a simple reference to Myanmar, the starting target for these Naikon APT attacks. APT30 backdoors also add “MSN.lnk” shortcuts to the Start Menu Startup location for persistence, just like the MsnMM components spoof “Msn Gaming Zone.lnk” and “Msn Talk.lnk” for persistence. **Sys10** **MD5 - Filename** **File Size** **Compilation date** **Linker** **version** c58df5892700ac3f467524f86bf325c0 - 116.5 kb 2013.02.01 9.0 update.exe 07:39:12 Yet another backdoor was used throughout 2013 by Naikon. Several of the C2 domains are shared with either Naikon or MsnMM infrastructure. This backdoor is a very basic initial component. To give an idea of the sophistication of its development, one of the decryption schemes it uses is an xor 0x1 loop on the very beginning of its .data section to decrypt its C2 domain. In this case, 6C 6C 6A 62 66 2F 74 68 62 71 2F 6F 64 75 01 (lljbf/thbq/odu) → mmkcg.uicp.net. |MD5 - Filename|File Size|Compilation date|Linker version| |---|---|---|---| |c58df5892700ac3f467524f86bf325c0 - update.exe|116.5 kb|2013.02.01 07:39:12|9.0| ----- This weak level of encryption is odd, because other strings, like the unicode version of the callback url “s.y.s.t.e.n.&.c.p.=.%.s.&.l.o.g.=.%.s.&.i.n.d.e.x.=.%.d.”, are maintained in plaintext in the .rdata section. Perhaps the authors thought xor’ing the domains would hide their infrastructure for as long as needed, or they were working with others who didn’t understand automated sandboxes and tracing but didn’t want the dns strings present in the binary. It doesn’t seem to make sense, but it appears to have been effective enough to leave in the executables. For all of the “Sys10” backdoors, URL parameters were used consistently for the initial C2 callback: systen&cp=&log=&index= where: **cp = system computername** **log = signed decimal integer representation of the OS InstallDate** **index = simply the return value from a GetTickCount call** The backdoor collects several bits of identifying information to send to the C2: - computer name - account name of logged-in user - group name of logged-in user - local IP address - OS versioning information - OS install date The backdoor maintains a simple set of primitives: - http-based communications with hardcoded C2 - download additional components - start a new process - terminate a running process - find files and copy them - delete files - create files We detected this backdoor on multiple victim workstations with the following verdicts: Trojan.Win32.Agentb.hyb Trojan.Win32.Agentb.iqj Backdoor.Win32.MsnMM.p UDS:DangerousObject.Multi.Generic Trojan.Win32.Agentb.jwp According to KSN (Kaspersky Security Network) data, almost all of the victims attacked with this backdoor are based in Myanmar, or were Myanmar delegates travelling through the other countries like the US, for example. Some of the victims were located in Vietnam and Singapore. Victim profiles range from global political representatives and local IT service companies, to ----- government ministries controlling media and news content, university students, and local law enforcement agencies. **WininetMM/Sakto** ## MD5 - Filename File Size Compilation date Linker version 516f64dd4fce3b9a325ea8501f97a88a 95,744 2014.11.03 9.0 bytes 07:59:14 **Second stage tools** Most of the Naikon APT’s second stage tools detected on victim networks are publicly-available. Some are very common system administration tools and utilities, and some are less publiclyavailable custom written scanners and tools available through Chinese hacking forums. Their ability to move through networks undisturbed appears to have matured over time, demonstrating that they are a seasoned team: - Windows system utilities: ftp.exe, systeminfo.exe, ipconfig, net view, ping, netstat -ano, net use, quser, tasklist, netsh interface ip, netsh interface show, netsh advfirewall firewall, reg export, AT - Sysinternals: procmon.exe, tcpview.exe, procexep.exe, psexec - Prosolve: winscan.exe - Rarlabs: rar.exe - Other: procex.exe, nc.exe, xscan.exe, winscanx.exe, hscan120.rar package (includes mysql.exe and sqlcmd.exe), cutfile.exe, tftp.exe, Win7 elevation of privilege and UAC |MD5 - Filename|File Size|Compilation date|Linker version| |---|---|---|---| |516f64dd4fce3b9a325ea8501f97a88a|95,744 bytes|2014.11.03 07:59:14|9.0| ----- bypass, ReadPSW.exe (password stealer) The Naikon APT frequently used a custom backdoor that appears to be an HDoor variant, based on old “Honker Union” code like “hscan v120”. For example, once on a victim network, one of the first steps is to run the hdoor -hbs scan to identify target local network hosts. Alternatively, it may show up on victim networks and be run with a long list of parameters: “lms.dat -hscan 192.168.0.1-192.168.0.254 /a” **Custom HDoor** **MD5 – Filename** **File** **Compilation** **Detection Name** **Size** **date** bf6d3f52ab8176122be858ddccc2214 56 kb 2015.05.20 HackTool.Win32.Agent.whj 8 - lms.dat The Naikon APT’s custom-built HDoor tool is a robust reconnaissance tool for lateral movement, supporting the identification of, interfacing with and attacking of multiple technologies and resources: - host, user, group, and related authentication resources and cracking/brute forcing capabilities - network asset scanning and identification, including SQL database, embedded network devices like home or SMB routers, and other common network services - fake service listener to sniff traffic - disk wiping - safe delete with multiple overwrites - process management - local filetime modifier - SQL administration toolset - SOCKS5 proxy service - banner-based scanner - AV killer Publicly-available hd.exe (40138f3db14e6e137f8d0bdcbb5851d8), as posted by NCPH: |MD5 – Filename|File Size|Compilation date|Detection Name| |---|---|---|---| |bf6d3f52ab8176122be858ddccc2214 8 - lms.dat|56 kb|2015.05.20|HackTool.Win32.Agent.whj| ----- The corresponding hbs.txt output file content that is sometimes left behind on victim systems: The operator’s scanning is somewhat inconsistent. They will scan for a specific set of ports that include 21,22,80,3389,1433,3306, and 389. Sometimes, they add 139 and 445 to the end of that list. Often, they check for a “PortString”, or banner, which is output to a txt file: [10.1.1.2 ]: Port 22 Open!!! SSH-1.99-Cisco-1.25 [10.1.1.3 ]: Port 21 Open!!! 220-FileZilla Server version 0.9.41 beta [10.1.1.4 ]: Port 21 Open!!! 220 Lexmark X860de FTP Server NP.APS.N332a ready. [10.1.1.5 ]: Port 22 Open!!! SSH-2.0-OpenSSH_5.8 [10.1.1.6 ]: Port 22 Open!!! SSH-2.0-dropbear_0.48 [10.1.1.7 ]: Port 21 Open!!! 220 Service ready for new user [10.1.1.8 ]: Port 21 Open!!! 220 Microsoft FTP Service (Version 5.0). [10.1.1.8 ]: Port 80 Open!!! [10.1.1.8 ]: Port 3389 Open!!! [10.1.1.8 ]: Port 139 Open!!! [10.1.1.9 ]: Port 21 Open!!! 220 fima FTP server (SunOS 5.8) ready. [10.1.1.10 ]: Port 21 Open!!! 220 (vsFTPd 2.0.5) [10.1.1.13 ]: Port 21 Open!!! 220 EthernetBoard OkiLAN 8100e Ver 02.15 FTP server. [10.1.1.15 ]: Port 22 Open!!! SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1 [10.1.1.21 ]: Port 80 Open!!! http://10.1.1.21/cgi-bin/webproc Dlink WIRELESS AP **Target and Victim Profiles** ----- Target profiles included high profile government and military agencies around the South China Sea: - Law enforcement - Government - executive, administrative, regulatory - Military - operations centers - Economic administration - State media - Public/Private energy **Shared Victims with Cycldek and Comparing Lateral Movement with Cycldek** The Cycldek APT appeared to follow an operational script across victim systems. It created or used c:\intel on the victim hard disk to unpack tools and compress/archive stolen victim files and data with Winrar, like "c:\intel\1.rar". Some of these victim systems were occupied by both the Cycldec and Naikon attackers. The Cycldek attackers maintained this c:\intel directory and its subdirectories as a sort of staging point. This mirrors what we have seen with Naikon directory setup on some victims. - a set of subdirectories - stolen files for exfiltration - operational logs - process logs - Cycldek tools and their config files The Naikon APT and Cycldek APT also share a common attraction to Honker Union codebase. **Spear-phish, dropped files, web browser injection** The common sequence of events on a vulnerable system falling for related spear-phish attacks led to a newly-created Internet Explorer process running with execution transferred to additionally loaded executable code, usually profile.dat, maintaining the connectback C2 communication code and data. In this instance, a “naikon backdoor” was delivered initially as a part of a small package of objects. The exploit attachment dropped iph.bat, iExplorer.exe, and a clean decoy document. The exploit executed this batch file, which in turn executed iExplorer.exe and opened a decoy document from %temp%. The iExplorer.exe process wrote out a profile.dat file, launched the legitimate Internet Explorer, and injected the .dat file into this newly created browser process. It transfered control to the injected .dat code and terminated itself. The .dat code then connected with a hardcoded C2 from within Internet Explorer, a common technique for evading any ----- outbound traffic firewall issues. The full email spear-phish and other decoy documents’ content presented here display the campaigns’ focus on ASEAN targets that line up with the MsnMM campaigns: Example spear-phish and dropped sequence for NOKIAN95/WEB sent to web email service provider users in the US and Southeastern Asian region: Example Word document decoy Example details, exhibiting the “common” sequence of events on systems: c334737ea5e8f74567bfdc2fce6717b9,2 SpecialServices.doc Drops → %temp%\iph.bat c8ed40879e1e3352692fe8c765294955,%temp%\svchost.exe c8ed40879e1e3352692fe8c765294955,C:\WINDOWS\system32\ymsgr_tray.exe c2: frankhere.oicp.net:443 1b37457632840b04bf03e0745e51e573,readme.rtf Drops → %temp%\iph.bat → %temp%\iExplorer.exe WMcal 6cbc73fae7118dbd0fae328ce8ee6050,iExplorer.exe,Trojan-Downloader.Win32.Cordmix.cu C2: phsenator.vicp.net C2: goihang.vicp.net:443 ----- Example decoy Word document cb72e70378755f1e8ab744a5b5e692bd,Asia’s Military Developments.doc (ripped from “Australian Strategic Policy Institute” blog post located here http://www.aspistrategist.org.au/asias-military-developments/) 638c119a82a1b1d470e42e2e9712f3fb,iph.bat 79de618615e139053ad92ca1e7bb7456,C:\Documents and Settings\user\Local Settings\Temp\mshtml.dat 4299846c34fddda2f5a75239f8aca424,C:\DOCUME~1\user\LOCALS~1\Temp\upd.exe Rpcss a3b3a32b6f67e4629133cc4578230efe,C:\WINDOWS\system32\msictl.exe c2: us.googlereader.pw:443 ----- Example decoy pdf targeting Myanmar government 5f1f6fb3cea3e9c3bd84909b7d37aa8d, ”knu president speech on 65th anniversary of karen resistance day _burmese language_?fdp.scr” ← indicates RTLO naming, appeared to the target as pdf “knu president speech on 65th anniversary of karen resistance day _burmese language_rcs.pdf” 55b8b8779001b7e78a6adc55fb546401,C:\DOCUME~1\user\LOCALS~1\Temp\update.exe 8660193a90e70f19a4419ae09306761f,C:\DOCUME~1\user\LOCALS~1\Temp\adobe.pdf C2: ubaoyouxiang.gicp.net ----- Example decoy Word document targeting PH gov 27ed7c7dd840ff7936418cf029d56603, AFP Summary.doc  %temp%\iph.bat ceb6e4499cfd8650f3e94fbcf7de48f6,%temp%\iExplorer.exe WMcal b6424852dd0187ea554a1cbc4e3490f3,%temp%\profile.dat C2: ttteco.vicp.net ----- Many of these backdoors were delivered by simply binding decoy pdfs to a Naikon backdoor and sending this bundle to target addresses. Here is a March 2014 spear-phish email with the subject line “Fw: Fw: tape transcript for mh370” (3bed6788753690762c7d15a3247d8301): The “tape transcript.zip” (5de5aa40eb3d30df2053a38bc26963b5) file contains both a pdf file and a Naikon dropper name “24march_final_TAPE TRANSC~1” detected as “TrojanDropper.Win32.Injector.kasl” (4972c7205e3279322637f609b9199e97). The dropper maintains a clean copy of this decoy pdf that opens on execution, [as well as?] the Naikon backdoor (ab0185f3dc730af754559297f6f47492) and accompanying mshtml.dat component (03A3251BDE74DF30AB5BF0B730E08C8D) that communicates with C2 xl.findmy.pw. This dropper is built with the attackers’ “pdfBind 2012” tool. Once extracted to disk, you can see that the icon was replaced for the executable with an Adobe pdf icon. Lots of users fall for this sort of trick when file extensions are not visible: ----- **Appendix A: MsnMM Spearphish and Decoy Content** Image 1. “ICJ’s verdict owed respect 17 Apr 2013.doc” Image 2. “FDI Law Weeding Menu.doc” ----- Image 3. “Danh sach dai bieu HNHTDMNC tai TPHCM.doc” Image 4. “Thein Sein first European tour.doc” Image 5. “ASEAN and Partners Firmly Committed To Narrowing Development Gap.doc” ----- Image 6. “ALP Statement on Present Illegal Bangali Problem inside Arakan.doc” Image 7. “ISEAS Perspective 29nov12.doc” ----- Image 8. [“Learning Journal ASC 13-1_1.doc” (related to http://www.apcss.org/wp-](http://www.apcss.org/wp-content/uploads/2013/01/finalfinalhandbookJan13.pdf) [content/uploads/2013/01/finalfinalhandbookJan13.pdf, http://www.apcss.org/](http://www.apcss.org/wp-content/uploads/2013/01/finalfinalhandbookJan13.pdf) Image 9. unnamed.jpg ----- 48c2d02c443d70fe004a2d6fb9439f76, cve-2012-0158, “mau van ban.doc” or “2013_ thong tin gia dinh.doc”, delivered to VN targets ## winMM-related Dropped Decoy Documents Image 1. “book form for naning 30-8.doc” (dropped by 448cd7c3ae0ae445d805a4849fe5e120) ----- Image 2: Unknown. Dropped by 748c4761822dc7076399922df58551ae ----- Image 3. “fact sheet asean-us ( president office format).doc” Dropped by “fact sheet asean-us ( president office format).doc .exe” 6803bd509d36d2b99049fcc9d975a21c ----- ## Image 4. Trade and Investment (english).doc Dropped by b049fdeeb707e86e5e334f72cd50ffd8 “trade and investment (english).doc .exe” ----- Image 5. List of Attendance.doc Dropped by F14C42765F130EE6DEC3A87DC50A47E1 ----- Image 6. “talking point english(english).doc” Dropped by “talking point english(english).doc .exe”, 800116c4fe842768a0e1acbc72c8cd62 Image 7. talking point myanmar (21-3-2013).docx Dropped by “talking point myanmar (21-3-2013).docx .exe” 416e6c9105139080310984ed06f6a57b ----- Image 8. Unknown. Dropped by 6758fc7e483ad9cd6280bcc3f4d85222 ----- Image 9. tp for vp with swiss_myanmar[1].doc Dropped by “tp for vp with swiss_myanmar[1].doc .exe” 90E9BDFC1FC6FE5999B047880C7445AE Image 10. Unknown. Dropped by 7F422B43EEB93B230FF7553C841C4785 ----- Image 11. Unknown. Dropped by 1d6258bc3688226e7cb56fb821215a8b Image 12. ----- Unknown. Dropped by 7a9712cbb3e340e577ce0320cceeb05f ----- ## Image 13. “tp for ec (myanmar).doc” Dropped by “tp for ec (myanmar).doc .exe”, 9f23c0aed27f0874308bbd5f173ed85b ----- Image 14. “trade and investment (english).doc” Dropped by “trade and investment (english).doc .exe”, dabba458b13cb676406c2bb219af9f81 ----- Image 15. “11th bcim fapc memo.doc” Dropped by “11th bcim fapc memo.doc .exe”, d57a7369d79467d7c768bb08febcc6a2 Image 16. “(r) final - h.e remarks.doc” Dropped by “(r) final - h.e remarks.doc .exe”, 7c0676d950a1443e98b7d5b4727923ea ----- Image 17. lo list(26-8-2013).docx Dropped by “lo list(26-8-2013).docx .exe”, 55048b78e9549c462c1463f7648454a5 Image 18. ----- “company lists.doc” Dropped by “company lists.doc .exe”, 113822c9bfeed38c099ae9004f1d8404 Image 19. “sightseeing tour in bagan.doc” Dropped by “sightseeing tour in bagan.doc .exe”, 21119ddd01694bb9181286b52cf1203c ----- Image 20. Ns admin.docx Dropped by “ns admin.docx .exe”, 6f9b6adbb33b7c8912aa2e5ae1c39f7a ----- **Appendix B: Kaspersky Lab Verdict Names** Components related to the Naikon APT are detected under a range of verdict names. Below is a listing of the most common: Backdoor.Win32.MsnMM.* Backdoor.Win32.MsnMM.a - .af Backdoor.Win32.Sakto.* Backdoor.Win32.Sakto.a - .ct Trojan-Downloader.Win32.Cordmix.* Trojan-Downloader.Win32.Cordmix.b Trojan-Downloader.Win32.Cordmix.ch Trojan-Downloader.Win32.Cordmix.cs Trojan-Downloader.Win32.Cordmix.ds HackTool.Win32.Agent.* HackTool.Win32.Agent.whj ----- Exploit.MSWord.CVE-2012-0158.* Exploit.MSWord.CVE-2012-0158.cb Exploit.MSWord.CVE-2012-0158.ci Exploit.MSWord.CVE-2012-0158.di Exploit.MSWord.CVE-2012-0158.dj Exploit.MSWord.CVE-2012-0158.du Exploit.MSWord.CVE-2012-0158.eb Exploit.Win32.CVE-2012-0158.* Exploit.Win32.CVE-2012-0158.a Exploit.Win32.CVE-2012-0158.aw Exploit.Win32.CVE-2012-0158.j Trojan-Dropper.MSWord.Agent.* Trojan-Dropper.MSWord.Agent.hc Exploit.OLE2.CVE-2012-1856.a HEUR:Exploit.MSWord.CVE-2012-0158.gen Exploit.OLE2.Toolbar.a Backdoor.Win32.Agent.* Backdoor.Win32.Agent.bjer Backdoor.Win32.Agent.dcyv Backdoor.Win32.Agent.dfbk Backdoor.Win32.Agent.dgpd Backdoor.Win32.Zegost.* Backdoor.Win32.Zegost.aekr Trojan.Win32.Agent.* Trojan.Win32.Agent.acflt Trojan.Win32.Agent.acfma Trojan.Win32.Agent.adddt Trojan.Win32.Agent.hofz Trojan.Win32.Agent.siai Trojan.Win32.Agent.spde Trojan.Win32.Agent.tlhi Trojan.Win32.Agent.tpbo Trojan.Win32.Agent.unhn Trojan.Win32.Agent.xikp ----- Trojan.Win32.Agentb.* Trojan.Win32.Agentb.bbca Trojan.Win32.Agentb.bphx Trojan.Win32.Agentb.iqj Trojan.Win32.Agentb.jwp Trojan-Downloader.Win32.Agent.* Trojan-Downloader.Win32.Agent.gxqe Trojan-Downloader.Win32.Agent.zzrd Trojan-Spy.Win32.Agent.* Trojan-Spy.Win32.Agent.chrj Trojan-Spy.Win32.Agent.chuq Trojan-Spy.Win32.Agent.cibn Trojan-Spy.Win32.Agent.cicz Trojan-Spy.Win32.Agent.ciet Trojan-Spy.Win32.Agent.cifj Trojan-Spy.Win32.Agent.ciry Trojan-Spy.Win32.Agent.ciiu Trojan-Spy.Win32.Agent.cita Trojan-Spy.Win32.Agent.cjez Trojan-Spy.Win32.Agent.cjkg Trojan-Spy.Win32.Agent.cjmv Trojan.Win32.Pincav.* Trojan.Win32.Pincav.cngx Trojan.Win32.Sasfis.* Trojan.Win32.Sasfis.dmmt Trojan-Dropper.MSIL.Agent.* Trojan-Dropper.MSIL.Agent.aidh Trojan-Dropper.Win32.Dycler.* Trojan-Dropper.Win32.Dycler.ssr Trojan-Dropper.Win32.Dycler.sss Trojan-Dropper.Win32.Injector.* Trojan-Dropper.Win32.Injector.jujl Trojan-Dropper.Win32.Injector.kblf Trojan-Dropper.Win32.Injector.kbre Trojan.Win32.Zapchast.* Trojan.Win32.Zapchast.aerr ----- Trojan.Win32.Zapchast.aest Trojan.Win32.Zapchast.aetr Trojan.Win32.Zapchast.aety Trojan.Win32.Zapchast.aevb Trojan.Win32.Zapchast.aevg Trojan.Win32.Zapchast.afma Trojan.Win32.Zapchast.afcz HEUR:Trojan.Win32.Generic HEUR:Trojan.Win32.Invader **Appendix C: Md5 Reference Set** **SslMM** 469ca0c73398903908babcad14300d8d 95c4a236faa65b75dbb0076d8248584c **WinMM** c8c81cca4645e71213f2310cec6c277d 45a99f60654f22b671aec980687d0f15 **WininetMM/Sakto** 9883abc829870478ce6f3cfddbcbbaf2 a5721c5e7f2b49df82595819b5a49c0c **Injectv1/InjectResource** 5c04904a50f0285851fb7292c13858ec **Exe_Exchange** 6a82c153bd370250cc2fed89f1bb5c91 48fb78e8ba531505e246760c0d02d6b0 **Sys10** c58df5892700ac3f467524f86bf325c0 33d388c6e841ede3920f79516b5da032 **xsPlus (nokian) and plugin** ----- d86106faaa398b8d83437176bf5e39c4 041436594c1ce9e99c569fb7402fe0c7 d0fba5db608ac8f5a3d05a71ceb0eca1 **Appendix D: C2 (Domain) Reference Set** ahzx.eicp.net bkav.imshop.in googlemm.vicp.net mncgn.51vip.biz myanmartech.vicp.net thailand.vicp.net ubaoyouxiang.gicp.net vietnam.gnway.net For full indicator and other details, please contact intelreports@kaspersky.com -----