## ELISE: Security Through Obesity

23 December 2015, by Michael Yip

## Executive Summary

Taiwan has long been subjected to persistent targeting from espionage-motivated threat actors. This blog presents our analysis of one of the latest malware variants targeting individuals in Taiwan. The sample exhibits some characteristics that are useful for detecting and defending against the threat, including the creation of an obese file, weighing in at 500MB, as part of its execution.

## Malware Analysis

The sample which caught our attention for this analysis is a PowerPoint slideshow file named 台灣學生網路援交觀察.pps (translation: "Observations on cyber compensated dating among Taiwanese students"). The sample was submitted to VirusTotal on 3rd December 2015 from Taiwan and at the time was detected as malicious by only 3 out of 54 antivirus vendors. VirusTotal also detects and tags an exploit for CVE-2014-4114 in the file.

Figure 1: The sample is a PowerPoint file with an exploit for CVE-2014-4114 embedded.

## The initial lure

The figures below show some of the slides from the slideshow. All the content is written in Traditional Chinese, which is used in Taiwan, Hong Kong and Macau (mainland China, including Guangdong, uses Simplified Chinese). Since the topic of the slideshow relates explicitly to Taiwanese students and the submission came from Taiwan, we assess the attacker was most likely targeting Taiwanese individuals.

Figure 2: The lure document is a PowerPoint (.pps) slideshow on "Observations on cyber compensated dating (援交) among Taiwanese students".

Given the use of a malicious document as the initial lure, the delivery method in this campaign is almost certainly spear-phishing.

## Exploitation

Once the slideshow file is opened, the slides are displayed in full-screen mode while the malware is dropped in the background.
Specifically, two files are dropped into the %TEMP% directory: hlwyss.jpg and hlwyss.inf.

Figure 3: The file header of hlwyss.jpg shows that it is an MS-DOS executable, not an image.

[hlwyss.inf is an INF file](https://msdn.microsoft.com/en-us/library/windows/desktop/aa376858(v=vs.85).aspx), which specifies the file system and registry operations required to install the malware (as shown in Figure 4).
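An INF of this kind is short, but its RenFiles and AddReg directives are exactly the artefacts worth pulling out when triaging one of these droppers: which dropped file is renamed into a DLL, and which Run/RunOnce entry launches it. The following is an added example, not code from the original post or from the malware. It runs a small triage routine over a constructed INF modelled on the behaviour of hlwyss.inf (hlwyss.jpg renamed to hlwyss.dll, and RunOnce entries that launch the DLL through rundll32.exe with the Setting entry point); the section names, the HKLM/HKCU pairing and the temp path are assumptions, since the real file's contents appear only in Figure 4.

```python
"""Triage an INF installer script of the kind dropped by the CVE-2014-4114
exploit chain: list the file renames and the registry persistence it sets up.

Added example, not code from the original post. CONSTRUCTED_INF is a
stand-in for hlwyss.inf modelled on the behaviour described in the post;
section names, registry roots and the temp path are invented.
"""
import csv
import re
from typing import Dict, List

CONSTRUCTED_INF = r"""
[Version]
Signature="$CHICAGO$"

[DefaultInstall]
RenFiles=RenameSection
AddReg=RegSection

[RenameSection]
; INF RenFiles entries are: new-file-name, old-file-name
hlwyss.dll,hlwyss.jpg

[RegSection]
; INF AddReg entries are: reg-root, subkey, value-name, flags, value
HKLM,Software\Microsoft\Windows\CurrentVersion\RunOnce,Install,,"rundll32.exe C:\Users\victim\AppData\Local\Temp\hlwyss.dll,Setting"
HKCU,Software\Microsoft\Windows\CurrentVersion\RunOnce,Install,,"rundll32.exe C:\Users\victim\AppData\Local\Temp\hlwyss.dll,Setting"
"""

# Autostart locations an INF-based dropper would write to.
PERSIST_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?(Ex)?$", re.IGNORECASE)


def parse_inf(text: str) -> Dict[str, List[str]]:
    """Split an INF into {section_name (lowercased): [directive lines]}.
    ';' starts a comment; this simple splitter does not handle ';' inside quotes."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def split_fields(line: str) -> List[str]:
    """Split one directive line on commas, honouring double-quoted fields
    (the AddReg value above contains a comma and must be quoted)."""
    return [f.strip() for f in next(csv.reader([line], skipinitialspace=True))]


def referenced_sections(sections: Dict[str, List[str]], directive: str) -> List[str]:
    """Section names listed by a directive (e.g. RenFiles=) under [DefaultInstall]."""
    names: List[str] = []
    for line in sections.get("defaultinstall", []):
        key, _, value = line.partition("=")
        if key.strip().lower() == directive.lower():
            names.extend(s.strip().lower() for s in value.split(",") if s.strip())
    return names


def triage_inf(text: str) -> dict:
    """Return the (old, new) renames and every Run/RunOnce entry the INF installs."""
    sections = parse_inf(text)
    renames = []
    for sec in referenced_sections(sections, "RenFiles"):
        for line in sections.get(sec, []):
            fields = split_fields(line)
            if len(fields) >= 2:
                renames.append((fields[1], fields[0]))   # (old name, new name)
    persistence = []
    for sec in referenced_sections(sections, "AddReg"):
        for line in sections.get(sec, []):
            fields = split_fields(line)
            if len(fields) < 5:
                continue
            root, subkey, name, _flags, value = fields[:5]
            if PERSIST_KEY.search(subkey):
                persistence.append({
                    "key": f"{root}\\{subkey}",
                    "name": name,
                    "command": value,
                    "rundll32": "rundll32" in value.lower(),
                })
    return {"renames": renames, "persistence": persistence}


if __name__ == "__main__":
    result = triage_inf(CONSTRUCTED_INF)
    for old, new in result["renames"]:
        print(f"rename: {old} -> {new}")
    for entry in result["persistence"]:
        print(f"persistence: {entry['key']}\\{entry['name']} = {entry['command']}")
```

The same routine applies unchanged to the INF in Figure 4 once it has been extracted from the dropped files; the rename of a .jpg into a .dll combined with a RunOnce entry that invokes rundll32.exe is the signal to act on.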
The use of an embedded INF file to install the malware is consistent with the [Metasploit implementation of CVE-2014-4114](http://www.rapid7.com/db/modules/exploit/windows/fileformat/ms14_060_sandworm), better known as the 'Sandworm' vulnerability (MS14-060).

Figure 4: Contents of hlwyss.inf, showing the renaming of hlwyss.jpg to hlwyss.dll and the installation of the RunOnce key for malware execution.

As indicated in the INF file, the installation script renames hlwyss.jpg to hlwyss.dll and sets up the malware by creating two RunOnce keys that execute the malicious DLL through rundll32.exe, using the export Setting as the entry point.

## Installation and execution

On examining logs produced during execution by [Process Monitor](https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx), we find that aside from following the instructions in the INF file, the malware performs additional operations to complete its installation. In particular, it replicates itself into the %AppData%\Programs folder (i.e. AppData\Roaming\Programs) and names the cloned copy Syncmgr.dll (see Figure 5).

Figure 5: As part of the installation, another DLL called Syncmgr.dll is also created.

To ensure persistence across reboots, a Run key is also installed; however, this Run key points to the newly created Syncmgr.dll rather than the original hlwyss.dll.

Figure 6: Run and RunOnce keys installed to ensure malware execution on boot.

Planting the malware in the user's AppData\Roaming folder may be a sign that the attacker was targeting corporate users, who often have roaming user profiles, a Windows feature that allows users to access their customised Windows environment from different machines. Note, however, that %AppData% resolves to AppData\Roaming on every Windows profile whether or not roaming is enabled, so on its own this is weak evidence.

As Syncmgr.dll is the main malicious payload, we took a closer look at the file.
The malware was compiled on 24th November 2015 and is a 32-bit DLL. This shows that the sample is recent and suggests the threat actor is currently active (PE timestamps can be forged, but this one is consistent with the VirusTotal submission nine days later).

Examining the PE structure of Syncmgr.dll shows an executable embedded as one of its resources:

Figure 7: Executable embedded in a resource.

Once Syncmgr.dll is executed, an [iexplore.exe process is spawned](https://digital-forensics.sans.org/media/poster_2014_find_evil.pdf):

Figure 8: A malicious iexplore.exe process spawned.

Unsurprisingly, the strings of the iexplore.exe process reveal that the malware has injected itself into the process.

Figure 9: Malware injected into iexplore.exe.

By visualising the Process Monitor logs in [ProcDOT](http://www.procdot.com/faqs.htm), we see that two more files are created by the malware: WEB2013BW6.DAT and 60HGBC00.DAT.

Figure 10: The malware creates two additional .DAT files.

Comparing the code constructs of the embedded resource ASDASDASDASDSAD and WEB2013BW6.DAT shows that the two contain identical code:

Figure 11: The embedded resource (left) and WEB2013BW6.DAT have similar code constructs.

However, WEB2013BW6.DAT is over 500MB in size, whereas ASDASDASDASDSAD is only 51KB:

Figure 12: Dropped files in the AppData\Roaming\Programs folder.

An examination of the PE structure of WEB2013BW6.DAT shows that the difference is a large amount of junk appended after the end of the PE image, as an overlay:

Figure 13: Padding towards the end of WEB2013BW6.DAT.

Based on its contents, the .DAT file is likely the component responsible for network communication. The Process Monitor logs also show that the .DAT file is only loaded into the process once iexplore.exe has been spawned.
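Because the junk sits past the last section's raw data, the Windows loader never maps it, which also makes it easy to measure and to ignore: hashing only the PE image ties the obese .DAT file back to its 51KB twin even though the file hashes differ. The following added example, not code from the original post, shows this on two constructed minimal PE32 files built in the block itself, one bare and one with junk appended. The payload bytes are a stand-in rather than Elise code, the junk is scaled down from 500MB to 256KB, and the thresholds in assess() are illustrative.

```python
"""Measure a PE file's overlay (bytes appended after the last section's raw
data) and hash only the PE image, so a payload padded with junk can still be
matched to its unpadded copy.

Added example, not code from the original post. RESOURCE_SAMPLE and
OBESE_SAMPLE are constructed minimal PE32 files; the payload is a stand-in,
not malware code, and the assess() thresholds are illustrative.
"""
import hashlib
import random
import struct
from typing import Dict


def pe_image_end(data: bytes) -> int:
    """Offset one past the last byte of the PE image: the maximum over all
    sections of PointerToRawData + SizeOfRawData (or the end of the section
    table if no section has raw data)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]    # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]       # COFF SizeOfOptionalHeader
    sec_table = e_lfanew + 24 + opt_size
    end = sec_table + 40 * num_sections
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData live at +16 and +20 of each 40-byte header
        size_raw, ptr_raw = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def overlay_size(data: bytes) -> int:
    return len(data) - pe_image_end(data)


def image_sha256(data: bytes) -> str:
    """Hash of the PE image only, unaffected by appended junk."""
    return hashlib.sha256(data[:pe_image_end(data)]).hexdigest()


def file_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def assess(data: bytes, min_overlay: int = 64 * 1024, max_ratio: float = 0.5) -> Dict[str, object]:
    """Flag files whose overlay is both large and the bulk of the file.
    Authenticode signatures and installer archives also live in the overlay,
    so treat this as triage input, not a verdict."""
    ov = overlay_size(data)
    ratio = ov / len(data)
    return {"size": len(data), "overlay": ov, "overlay_ratio": round(ratio, 3),
            "image_sha256": image_sha256(data),
            "suspicious": ov >= min_overlay and ratio >= max_ratio}


def build_pe(payload: bytes) -> bytes:
    """Construct a minimal PE32 (DOS header, COFF header, zeroed optional
    header, one .text section holding `payload`) with no overlay."""
    file_align, ptr_raw = 0x200, 0x200
    raw_size = -(-len(payload) // file_align) * file_align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)    # i386, 1 section, DLL
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                       # PE32 magic, rest zeroed
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                      raw_size, ptr_raw, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sec).ljust(ptr_raw, b"\0")
    return headers + payload.ljust(raw_size, b"\0")


PAYLOAD = b"constructed stand-in for the 51KB embedded payload; not malware code"
JUNK_SIZE = 256 * 1024          # the real WEB2013BW6.DAT carries ~500MB; scaled down here
_rng = random.Random(7)
RESOURCE_SAMPLE = build_pe(PAYLOAD)                                          # like ASDASDASDASDSAD
OBESE_SAMPLE = RESOURCE_SAMPLE + bytes(_rng.getrandbits(8) for _ in range(JUNK_SIZE))  # like WEB2013BW6.DAT


if __name__ == "__main__":
    for name, blob in (("resource", RESOURCE_SAMPLE), ("obese", OBESE_SAMPLE)):
        print(name, assess(blob))
```

Run against a real dropped file, image_sha256() gives a hash that survives the padding, which is the value to pivot on in a sample repository; the file hash in the Appendix only matches this one padded instance.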
Our current hypothesis is that this component frequently triggers antivirus signatures, and that its huge size is an effort by the authors to evade detection: many scanners and sandboxes refuse to inspect files above a size limit, and an analyst is far less likely to upload a 500MB file to a multi-engine service.

## Network communications

Once the malware is executed, an HTTP GET request is sent to showip[.]net in an attempt to find out the victim's external IP address.

Figure 14: HTTP GET request to showip[.]net.

After obtaining the IP address, the malware sends an HTTP GET request to one of the three command and control (C2) servers configured in the malware, such as ustar5.PassAs[.]us. The full HTTP headers are shown in the figure below:

Figure 15: Network traffic to ustar5.PassAs[.]us generated after the malware is executed.

There are two interesting aspects to the observed HTTP traffic. Firstly, the user-agent is hardcoded in the malware and, as shown in the figures above, the same user-agent is used in both GET requests. Secondly, the victim's IP address is stored as the SHO value in the Cookie header of the HTTP GET request to the C2 server.
Both characteristics are useful for detecting the presence of this particular malware.

The malware is configured to use the following hosts as C2 servers (dates are DD/MM/YYYY):

| Domain | IP | Last seen |
|---|---|---|
| ustar5.PassAs[.]us | 203.124.14[.]241 | 03/12/2015 |
| ustar5.PassAs[.]us | 103.193.150[.]33 | 15/12/2015 |
| dnt5b.myfw[.]us | 127.0.0.1 | 15/12/2015 |
| - | 203.124.14[.]241 | - |

One of the three configured C2 entries is the bare IP address 203.124.14[.]241 rather than a domain, and dnt5b.myfw[.]us resolved to 127.0.0.1 at the time of analysis, i.e. it was not pointing at live infrastructure.

As the malware attempts to establish contact with each of the designated C2 servers, it also logs the errors in a .tmp log file stored in the %TEMP% directory:

Figure 16: Log file generated by the malware during execution, recording failed attempts to contact the configured C2s.

## Functionalities

By examining the code constructs in the malware, we found evidence of the following functions:

- File upload: upload a file to the server
- File download: download a file to the victim machine
- Remote shell: spawn a remote shell
- File system reconnaissance: obtain file metadata
- Process enumeration: enumerate running processes

Some of these functionalities are visible in the ASCII strings from the embedded payload ASDASDASDASDSAD:

Figure 17: Strings from the malware hint at the functionalities it offers.

## Association with LOTUS BLOSSOM

Our first step in attempting to tie activity to known campaigns is to look for any infrastructure overlap between the domains used and those used previously by known threat actors; however, we were unable to identify any infrastructure overlap in this case.

However, network infrastructure is not the only method for attribution.
Other useful methods include the tools and techniques shared between samples, as well as other behavioural patterns in the modus operandi associated with specific threat actors. In this case, we believe the sample analysed is associated with the 'Lotus Blossom' threat actor (see [Palo Alto Networks' Operation Lotus Blossom report](http://researchcenter.paloaltonetworks.com/2015/06/operation-lotus-blossom/) and the Black Hat USA 2013 presentation ["In-Depth Analysis of Escalated APT Attacks"](https://media.blackhat.com/us-13/US-13-Yarochkin-In-Depth-Analysis-of-Escalated-APT-Attacks-Slides.pdf)) based on the following characteristics, which are also seen in other samples associated with the actor:

- The use of a Microsoft Office document with content in Traditional Chinese as the initial lure and exploit carrier;
- The targeting of Taiwanese individuals (Taiwan is often a target of the Lotus Blossom group);
- The malware is written in C++ (like most other malware used by the Lotus Blossom threat actor);
- The mention of Loader.dll (a filename referenced in other Elise samples);
- The use of dynamic DNS domains, including the same providers;
- The fixed user-agent `Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)`;
- The mutex `Global\{7BDACDEE-8BF6-4664-B946-D00FCFF1FFBA}`;
- The format of the C2 server configuration (e.g. `Server1=%s`); and
- The presence of a JSON-like string within the malware matching the regular expression `\{"r":"[0-9]{12}","l":"[0-9]{12}","u":"[0-9]{7}","m":"[0-9]{12}"\}`.

These relationships are displayed graphically in the Maltego graph below:

Figure 18: Some overlapping features among related samples, including the sample analysed in this blog, c205fc5ab1c722bbe66a4cb6aff41190.

## Conclusion

Taiwan has long been heavily targeted by espionage threat actors and 'Lotus Blossom' is one of the most active threat actors currently targeting the country.
The analysis presented in this blog provides an overview of one of their latest malware variants and of new network infrastructure associated with the group. The compile time of the sample shows that the malware was built in November 2015, which indicates that the group is still actively targeting Taiwanese victims.

## Recommendation

To help detect the presence of the malware described in this blog, we have included network indicators and host-based YARA signatures in the Appendix.

## Further Information

We specialise in providing the services required to help clients resist, detect and respond to advanced cyber attacks. This includes crisis events such as data breaches, economic espionage and targeted intrusions, including those commonly referred to as APTs. If you would like more information on any of the threats discussed in this alert, please feel free to get in touch by e-mailing threatintelligence@uk.pwc.com.

Michael Yip | Cyber Threat Detection & Response | +44 (0)20 78043900

# Appendix

## File descriptions

The tables below show the metadata of the files referenced in this blog:

Sample 1

| Field | Value |
|---|---|
| Filename | 台灣學生網路援交觀察.pps |
| Filesize (bytes) | 241,504 |
| MD5 | c205fc5ab1c722bbe66a4cb6aff41190 |
| Last saved | 2015-12-03 03:45:11 |
| Architecture Type | - |
| Packer | None |
| Comments | This is the initial lure document. |

Sample 2

| Field | Value |
|---|---|
| MD5 | 353fc24939bb5db003097a8dd3c0ee7b |
| File PE Compile Time | 2015-11-24 04:57:52 |
| Architecture Type | 32-bit |
| Packer | None |
| Comments | This is the Elise variant (the dropped DLL analysed above). |

Sample 3

| Field | Value |
|---|---|
| Filename | hlwyss.inf |
| Filesize (bytes) | 1,136 |
| MD5 | bc179ebf3ca089dc9f3596beea38ab27 |
| File PE Compile Time | - |
| Architecture Type | - |
| Packer | None |
| Comments | This is the INF file used as part of the exploit code. |

Sample 4

| Field | Value |
|---|---|
| Filename | WEB2013BW6.DAT |
| Filesize (kilobytes) | 512,051 (approximately 500MB) |
| MD5 | 3940a839c8f933cbdc17a50d164186fa |
| File PE Compile Time | - |
| Architecture Type | - |
| Packer | None |
| Comments | This is the payload padded with junk data. |

Sample 5

| Field | Value |
|---|---|
| Filename | 60HGBC00.DAT |
| Filesize (bytes) | 1,292 |
| MD5 | 6fcdc554b71db3f0b46c7722c2a08285 |
| File PE Compile Time | - |
| Architecture Type | - |
| Packer | None |
| Comments | This is an encrypted file object. |

## Indicators

Below are the network indicators referenced in this blog:

| Type | Indicator |
|---|---|
| Domain | ustar5.PassAs[.]us |
| Domain | dnt5b.myfw[.]us |
| IP | 203.124.14[.]241 |
| IP | 103.193.150[.]33 |

## Detection signatures

### YARA

```yara
// The pe module must be imported before any rule that uses it.
import "pe"

rule Lightserver_variant_B : Red_Salamander
{
    meta:
        description = "Elise lightserver variant."
        author = "PwC Cyber Threat Operations :: @michael_yip"
        version = "1.0"
        created = "2015-12-16"
        exemplar_md5 = "c205fc5ab1c722bbe66a4cb6aff41190"
    strings:
        $json = /\{\"r\":\"[0-9]{12}\",\"l\":\"[0-9]{12}\",\"u\":\"[0-9]{7}\",\"m\":\"[0-9]{12}\"\}/
        $mutant1 = "Global\\{7BDACDEE-8BF6-4664-B946-D00FCFF1FFBA}"
        $mutant2 = "{5947BACD-63BF-4e73-95D7-0C8A98AB95F2}"
        $serv1 = "Server1=%s"
        $serv2 = "Server2=%s"
        $serv3 = "Server3=%s"
    condition:
        uint16(0) == 0x5A4D and ($json or $mutant1 or $mutant2 or all of ($serv*))
}

rule Elise_lstudio_variant_B_resource
{
    meta:
        description = "Elise lightserver variant."
        author = "PwC Cyber Threat Operations :: @michael_yip"
        version = "1.0"
        created = "2015-12-16"
        exemplar_md5 = "c205fc5ab1c722bbe66a4cb6aff41190"
    condition:
        uint16(0) == 0x5A4D and
        for any i in (0..pe.number_of_resources - 1) :
            (pe.resources[i].type_string == "A\x00S\x00D\x00A\x00S\x00D\x00A\x00S\x00D\x00A\x00S\x00D\x00S\x00A\x00D\x00")
}
```
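The two traffic characteristics noted under Network communications (the fixed user-agent and the victim IP carried as SHO in the Cookie header) and the C2 indicators above translate directly into proxy-log detection, and they are worth combining: the IE7/XP user-agent on its own still appeared on legacy hosts in 2015, whereas a SHO cookie holding an IP address, or an external-IP lookup followed shortly by such a request from the same client, is far more specific. The following is an added example, not code from the original post. The log format and every log line are constructed; the C2 hostnames and IPs are those listed above, while the request paths, client addresses, timestamps and the five-minute correlation window are assumptions.

```python
"""Detect ELISE beaconing in proxy logs: the fixed user-agent, the
showip.net external-IP lookup, a Cookie carrying SHO=<victim ip>, and
contact with the C2 hosts listed in the post.

Added example, not code from the original post. CONSTRUCTED_LOG is an
invented log in the format  <ts> <client> <method> <url> <status> "<ua>" "<cookie>";
the C2 hosts are from the post, everything else is made up.
"""
import ipaddress
import shlex
from datetime import datetime, timedelta
from typing import Dict, List, Optional
from urllib.parse import urlsplit

ELISE_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
IP_LOOKUP_HOSTS = {"showip.net"}
KNOWN_C2 = {"ustar5.passas.us", "dnt5b.myfw.us", "203.124.14.241", "103.193.150.33"}
LOOKUP_WINDOW = timedelta(minutes=5)   # assumed gap between IP lookup and first beacon

CONSTRUCTED_LOG = """\
2015-12-15T10:00:01Z 10.1.2.3 GET http://showip.net/ 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" "-"
2015-12-15T10:00:03Z 10.1.2.3 GET http://ustar5.passas.us/ 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" "SHO=203.0.113.45"
2015-12-15T10:05:00Z 10.1.2.9 GET http://www.example.com/ 200 "Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0" "-"
2015-12-15T10:06:00Z 10.1.2.9 GET http://198.51.100.7/a.php 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" "SHO=203.0.113.45"
2015-12-15T10:07:00Z 10.1.2.4 GET http://showip.net/ 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" "-"
"""


def parse_line(line: str) -> Dict[str, object]:
    """Split one constructed log line; shlex keeps the quoted UA and cookie intact."""
    ts, client, method, url, status, ua, cookie = shlex.split(line)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "method": method, "host": (urlsplit(url).hostname or "").lower(),
            "status": int(status), "ua": ua, "cookie": cookie}


def sho_ip(cookie: str) -> Optional[str]:
    """Return the SHO cookie value if it is a well-formed IPv4 address, else None."""
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SHO":
            try:
                return str(ipaddress.IPv4Address(value.strip()))
            except ipaddress.AddressValueError:
                return None
    return None


def detect(log_text: str) -> List[Dict[str, object]]:
    """One alert per matching request, with the list of reasons it fired."""
    alerts: List[Dict[str, object]] = []
    last_lookup: Dict[str, datetime] = {}   # client -> last showip.net request with the fixed UA
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        reasons: List[str] = []
        if r["host"] in KNOWN_C2:
            reasons.append("known_c2")
        victim_ip = sho_ip(r["cookie"])
        if r["ua"] == ELISE_UA and victim_ip:
            reasons.append("sho_cookie_beacon")
            seen = last_lookup.get(r["client"])
            if seen is not None and timedelta(0) <= r["ts"] - seen <= LOOKUP_WINDOW:
                reasons.append("ip_lookup_then_beacon")
        if r["ua"] == ELISE_UA and r["host"] in IP_LOOKUP_HOSTS:
            reasons.append("fixed_ua_ip_lookup")   # low severity alone; primes the correlation
            last_lookup[r["client"]] = r["ts"]
        if reasons:
            alerts.append({"ts": r["ts"].isoformat(), "client": r["client"], "host": r["host"],
                           "victim_ip": victim_ip, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(CONSTRUCTED_LOG):
        print(alert)
```

The fourth constructed line is the case the indicator list alone misses: a beacon to a host not yet known as C2 still fires on the SHO cookie, which is the trait to turn into a proxy or IDS content match rather than a hostname blocklist.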
© 2012-2015 PwC. All rights reserved.