## IXESHE Derivative IHEATE Targets Users in America

Posted on: May 27, 2016 at 7:13 am. Posted in: Malware, Targeted Attacks. Author: Trend Micro

Since 2012, we've been keeping an eye on the [IXESHE targeted attack campaign](http://blog.trendmicro.com/trendlabs-security-intelligence/taking-a-bite-out-of-ixeshe/). Since its inception in 2009, the campaign has primarily targeted governments and companies in East Asia and Germany. However, the campaign appears to have shifted tactics and is once again targeting users in the United States.

We also noticed that there were some changes to the underlying behavior of the malware used. While there were some incremental improvements in the observed behavior of the new sample, the underlying pattern of behavior is similar to what we observed earlier from IXESHE.

These attacks targeting users in the United States used a variant of IXESHE, named IHEATE, which has been seen in Taiwan since 2009. These samples showed some differences from known IXESHE variants: they had a different command-and-control (C&C) communication model and different encryption methods.

One IHEATE sample we found contains the string "EMC112" as part of the C&C traffic. Such strings are frequently used to identify different campaigns. In this particular case, the 112 part of the string matched the malware sample's compilation date of January 12.

The sample we acquired connects to a C&C server whose domain was first registered in 2004, but whose information was modified in December 2015. This suggests that threat actors were able to pose as the original registrant and modify the information for their own needs.

_Technical Analysis_

IXESHE is a well-known targeted attack campaign which has mainly targeted East Asian governments, electronics manufacturers, and a telecommunications company in Germany. Other targets include G20 government officials as well as the New York Times. The campaign is known for targeting users with fake documents using exploits and right-to-left override (RTLO) techniques.

The particular sample we found has a SHA1 hash of 3de8ef34fb98ce5d5d0ec0f46ff92319a5976e63. We detect it as BKDR_IHEATE. Unlike common IXESHE variants, which usually communicate with C&C servers via HTTP and a customized Base64-encoded payload, IHEATE communicates with C&C servers at the TCP layer. (HEATE is a command that some members of this family send to their servers as a notice that the client is still online; we derived the name IHEATE from this command and its ties to the IXESHE family.)

We have learned from IXESHE variants that even though the encryption routine changes from variant to variant, the decrypted messages are almost identical.

_Information gathering_

Once the backdoor is installed, it collects information on the victim's system and sends it to the C&C server in the following format:

`| [Computer name] | [User name] | [IP] | [OS version] | [Process ID or Tag]`

Not all samples include a tag in their message. This tag could be a process ID, victim information, or the date when the malware was compiled. In this IHEATE sample, the tag is "EMC112". The 112 portion may refer to when the malware was compiled, as its compile date/time is 2016/01/12 03:22:27.

The threat actors behind IHEATE could use these tags to manage victims.
The traffic back to their C&C servers could easily be sorted using these tags.

Sometimes they slightly change the feedback format, for example by removing the spaces: `[Computer name]|[User name]|[IP]|[OS version]|[Tag]`

IHEATE provides a similar set of commands to most IXESHE variants. Note that the following list is case insensitive:

- /WINCMD %s – launch a command and get the output
- /GETCMD %s – copy cmd.exe and rename it
- /DISK – list all disks
- /CD – get the current directory
- /CD %s – change directory
- /DIR %s – browse a directory
- /DEL %s – delete a file
- /GETFILE %s – upload a file
- /PUTFILE %s – download a file
- /TASKLIST – list running processes
- /TASKKILL %s – kill a running process
- /SHUTDOWN – shut down the malware
- /SLEEP %s – sleep for a specified period

_Encryption_

While IXESHE variants have fairly similar phone-home and backdoor routines, they have a wide variety of encryption routines. IHEATE is no different, and has its own unique behavior.

The traffic below simulates the traffic between an IHEATE-affected machine and its C&C server. Traffic from the client to the server is in red; traffic from the server to the client is in blue. The C&C server has sent a /DISK command to the machine.
_Figure 1. Captured IHEATE network traffic_

The first part of the network traffic is from the client to the C&C server. It is as follows:

1. The first six bytes make up the hardcoded portion of the encryption key. In this case, it is "36 59 6d 56 7c 22". We have seen different encryption keys in other IHEATE variants; in some variants this part is ten bytes long.
2. The following eight bytes make up the randomly generated portion of the encryption key. Here it is "b0 84 e8 44 a4 55 85 c7". In some samples, this portion is ten bytes long.
3. The next two bytes say how long the encrypted data is; here they are "61 8a". This length field is encrypted with RC4, using the randomly generated portion of the encryption key.
4. Last is the data itself. This is also encrypted using RC4, with the hardcoded and randomly generated portions of the encryption key concatenated together.

The second part is the response of the server to the client. It is described as follows:

1. The encryption procedure is identical to that used by the client to talk to the server.
2. The six-byte hardcoded portion of the encryption key _must be identical to the one used by the client_ earlier. If the keys do not match, the connection is dropped.

However, some newer IHEATE samples use yet another technique. These use asymmetric encryption:

1. Before communicating with the C&C server, the malware client generates a random session key.
2. The client encrypts the session key using RSA-1024, using a public key hardcoded inside the malware.
3. The client encrypts the data to be sent using a custom encryption routine.
4. On top of this, the data sent to the C&C server is encrypted with RC4, using the previously generated session key.
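To make the framing above concrete, here is a decoder for the client and server messages of the symmetric (RC4) scheme, written for this post as an added example; it is not Trend Micro's code and not code recovered from the sample. The post does not state the byte order of the length field, whether the length and the payload use separate RC4 keystreams, or the payload text encoding; the example assumes little-endian, a fresh keystream per field, and ASCII, and labels each assumption in a comment. The key bytes are the ones quoted above; the beacon text, host name, user name and IP are constructed. The same block also splits the victim-information beacon from the _Information gathering_ section (both the spaced and the space-less form) and checks a decoded server command against the command list case-insensitively, so an analyst can walk a captured session end to end.

```python
"""Decoder for the IHEATE frame layout described in the post (added example).

Frame layout, used in both directions:
  [hardcoded key part][random key part][2-byte length, RC4 under random part]
  [payload, RC4 under hardcoded part + random part]

Assumptions not stated in the post: the length field is little-endian, the
length and the payload each use a fresh RC4 keystream, and payloads are ASCII.
"""
import os
import struct

# Key bytes quoted in the post for the captured sample.
HARDCODED_KEY = bytes.fromhex("36596d567c22")
SAMPLE_RANDOM_KEY = bytes.fromhex("b084e844a45585c7")
RANDOM_KEY_LEN = 8  # ten bytes in some samples; pass random_len= for those

# Backdoor commands listed in the post; matching is case-insensitive.
KNOWN_COMMANDS = {
    "/WINCMD", "/GETCMD", "/DISK", "/CD", "/DIR", "/DEL", "/GETFILE",
    "/PUTFILE", "/TASKLIST", "/TASKKILL", "/SHUTDOWN", "/SLEEP",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encrypting and decrypting are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_frame(payload: bytes, hardcoded: bytes = HARDCODED_KEY,
                random_part: bytes = b"") -> bytes:
    """Wrap a plaintext payload in the four-part frame. Used here only to
    produce test traffic; a real capture is fed straight to parse_frame."""
    if not random_part:
        random_part = os.urandom(RANDOM_KEY_LEN)
    length_field = rc4(random_part, struct.pack("<H", len(payload)))  # assumed LE
    body = rc4(hardcoded + random_part, payload)
    return hardcoded + random_part + length_field + body


def parse_frame(frame: bytes, hardcoded: bytes = HARDCODED_KEY,
                random_len: int = RANDOM_KEY_LEN) -> bytes:
    """Recover the plaintext from one frame. Mirrors the peer's behaviour:
    a frame whose hardcoded key part does not match is rejected."""
    hc_len = len(hardcoded)
    if frame[:hc_len] != hardcoded:
        raise ValueError("hardcoded key portion mismatch (peer drops the connection)")
    random_part = frame[hc_len:hc_len + random_len]
    off = hc_len + random_len
    (length,) = struct.unpack("<H", rc4(random_part, frame[off:off + 2]))
    off += 2
    body = frame[off:off + length]
    if len(body) != length:
        raise ValueError("truncated frame: expected %d payload bytes" % length)
    return rc4(hardcoded + random_part, body)


def parse_beacon(text: str) -> dict:
    """Split the victim-info beacon. Accepts the spaced form
    '| name | user | ip | os | tag' and the space-less 'name|user|ip|os|tag';
    the trailing tag is optional."""
    fields = [f.strip() for f in text.strip().strip("|").split("|")]
    if len(fields) not in (4, 5):
        raise ValueError("unexpected beacon field count: %d" % len(fields))
    info = dict(zip(("computer_name", "user_name", "ip", "os_version"), fields[:4]))
    info["tag"] = fields[4] if len(fields) == 5 else None
    return info


def parse_command(text: str) -> tuple:
    """Split a server->client command into (COMMAND, argument, is_known)."""
    parts = text.strip().split(None, 1)
    cmd = parts[0].upper() if parts else ""
    arg = parts[1] if len(parts) > 1 else ""
    return cmd, arg, cmd in KNOWN_COMMANDS


if __name__ == "__main__":
    # Constructed exchange; the host, user and IP are not from the capture.
    beacon = build_frame(b"| WKSTN-01 | alice | 192.0.2.10 | Windows 7 | EMC112",
                         random_part=SAMPLE_RANDOM_KEY)
    print("client ->", beacon.hex())
    print("decoded  ", parse_beacon(parse_frame(beacon).decode()))
    reply = build_frame(b"/disk")
    print("server ->", reply.hex())
    print("decoded  ", parse_command(parse_frame(reply).decode()))
```

For the variants with a ten-byte hardcoded or random portion, pass `hardcoded=` with the key recovered from the sample and `random_len=10`; everything else stays the same. The asymmetric (RSA-1024 session key) variant is not covered, since the post does not describe its custom inner routine.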
_File properties_

The IHEATE sample with the "EMC112" identifier passes itself off as a legitimate Media Player-related .DLL file, as can be seen below:

_Figure 3. IHEATE pretending to be a Media Player .DLL file_

_C&C Servers_

IXESHE was known for using compromised hosts for its C&C servers, and IHEATE behaves similarly. The IHEATE sample with the "EMC112" identifier used the subdomain cknew[.]{abused domain}[.]com as the location of its C&C server. This domain appears to host the personal blog of the original registrant, who has been using it since the domain was registered in 2004. We do not believe that the registrant is tied to IHEATE; instead we believe that his credentials were compromised so that threat actors could set up subdomains. This site was active briefly in the middle of 2015, but came back online at the start of 2016.

Other IHEATE samples showed interesting behavior as well. In one case, the attackers planted a fake C&C server address in the code:

_Figure 4. Fake C&C server in code_

The address here is not an actual C&C address; instead it is used to calculate the port that the client will use (in this case, 443: (24*18)+11). Other attacks are known to have used similar tactics as well.

Other domains used by IHEATE also overlapped with servers used by IXESHE. Two domains (ipv6pro[.]root[.]sx and gimeover[.]psp-moscow[.]com) were used by IHEATE and resolved to the IP address 200[.]93[.]193[.]163. At approximately the same time, IXESHE also used the same server, except it did so by accessing the domain skype[.]silksky[.]com.

_Conclusions_

IXESHE and associated threats like IHEATE have not gone away, and they continue to evolve and change with the times. We will continue to monitor this threat and apprise our readers of any future developments.

Tags: IHEATE, IXESHE, targeted attacks

Copyright © 2016 Trend Micro Incorporated. All rights reserved.